Deletion in RSA Accumulator

Question

I am studying RSA Dynamic Accumulators and I have a question: why is it simpler to calculate the new accumulator value after a deletion if the secret $\phi(N)$ is known? Is possible to calculate the deletion only with the RSA modulus $N$?

Answer 1

I'm assuming you are talking about the typical dynamic RSA accumulator from "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials", by Camenicsh and Lysyanskaya (see PDF here).

First, recall that the accumulator over prime elements $x_1, x_2, \dots, x_n$ is computed in $O(n)$ time as: \begin{align*} A &= g^{x_1 x_2 \cdots x_n} \end{align*}

Second, recall that after removing some $x_i$ from the accumulator $A$, we end up with a new accumulator $A'$: \begin{align*} A' &= g^{x_1 x_2 \cdots x_{i-1} x_i \cdots x_n} \end{align*}

To answer your first question,

Why is it simpler to calculate the new accumulator value after a deletion if the secret $\phi(N)$ is known?

Because knowing $\phi(N)$ allows us to easily compute $A'$ from $A$ as follows: \begin{align*} A' &= A^{{x_i}^{-1} \bmod \phi(N)} \end{align*}

To understand this, recall that additions and multiplications are reduced modulo $\phi(N)$ "in the exponent." Also recall that numbers that are coprime with $\phi(N)$ (e.g., $x_i$) have multiplicative inverses $\bmod \phi(N)$ [1].

Note that you can compute $A'$ from $A$ directly, without needing to know the other accumulated elements $x_j, j\ne i$.

To answer your second question,

Is possible to calculate the deletion only with the RSA modulus $N$?

I'm assuming you mean "calculate the new accumulator." The answer is "yes," and you can probably see why. Remember that, just like we can compute $A$ in $O(n)$ time, we can also compute $A'$ in $O(n)$ time (i.e., by repeated exponentiations): \begin{align*} A' &= ((((((g^{x_1})^{x_2}) \cdots)^{x_{i-1}})^{x_i})\cdots)^{x_n}\\ &= g^{x_1 x_2 \cdots x_{i-1} x_i \cdots x_n} \end{align*}

Later edit: As @Maeher nicely pointed out, without the trapdoor you need to know the other elements $x_j, j\ne i$ in order to remove $x_i$, since removing is just recomputing the accumulator without $x_i$.

If you are interested in an accumulator where you can both add and remove without knowing the other elements, you can read the elegant work by Papamanthou et al on "Streaming Authenticated Data Structures" from EUROCRYPT'13 (PDF here). Computing new witnesses requires knowing at least part of the accumulated elements, since the construction is merely a different kind of Merkle tree. However, unlike a Merkle tree, existing witnesses can be updated given just the added/deleted elements (no need for additional sibling paths). Currently, this accumulator is based on lattices and will be less efficient.

Still, Qian et al implemented it in "Streaming Authenticated Data Structures: Abstraction and Implementation" at CCSW'14 (PDF behind paywall).

Hope this helps 2 years later :)