Optimal Verification of Operations on Dynamic Sets

  • Charalampos Papamanthou
  • Roberto Tamassia
  • Nikos Triandopoulos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6841)


We study the design of protocols for set-operation verification, namely the problem of cryptographically checking the correctness of outsourced set operations performed by an untrusted server over a dynamic collection of sets that are owned (and updated) by a trusted source. We present new authenticated data structures that allow any entity to publicly verify a proof attesting the correctness of primitive set operations such as intersection, union, subset and set difference. Based on a novel extension of the security properties of bilinear-map accumulators as well as on a primitive called accumulation tree, our protocols achieve optimal verification and proof complexity (i.e., only proportional to the size of the query parameters and the answer), as well as optimal update complexity (i.e., constant), while incurring no extra asymptotic space overhead. The proof construction is also efficient, adding a logarithmic overhead to the computation of the answer of a set-operation query. In contrast, existing schemes entail high communication and verification costs or high storage costs. Applications of interest include efficient verification of keyword search and database queries. The security of our protocols is based on the bilinear q-strong Diffie-Hellman assumption.
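Bilinear-map accumulators encode a set as its characteristic polynomial evaluated at a secret point in the exponent, so a subset claim becomes a polynomial divisibility and the completeness of an intersection becomes a Bezout identity obtained with the extended Euclidean algorithm. The added example below (not the paper's code) shows both checks in plain polynomial arithmetic over a toy prime field, without pairings; the modulus, the sample sets and all function names are assumptions of the example.

```python
# Added illustration, not the paper's code: bilinear-map accumulator proofs for
# intersection, seen as plain polynomial identities over F_p (the scheme itself
# keeps these values in the exponent and checks the identities with pairings).
from functools import reduce
P = 2**61 - 1  # constructed toy field modulus, not a parameter from the paper

def trim(a):  # polynomials are coefficient lists, lowest degree first
    while len(a) > 1 and a[-1] == 0: a.pop()
    return a

def add(a, b, sign=1):  # a + sign*b
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + sign * (b[i] if i < len(b) else 0)) % P for i in range(n)])

def mul(a, b):
    r = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b): r[i + j] = (r[i + j] + x * y) % P
    return trim(r)

def divmod_(a, b):  # long division, b nonzero
    a, q, inv = a[:], [0] * max(1, len(a) - len(b) + 1), pow(b[-1], P - 2, P)
    while len(a) >= len(b) and a != [0]:
        d = len(a) - len(b); q[d] = a[-1] * inv % P
        a = add(a, [0] * d + [q[d] * y % P for y in b], -1)  # cancel leading term
    return trim(q), a

def xgcd(a, b):
    """Extended Euclid in F_p[X]: (g, u, v) with u*a + v*b = g and g monic."""
    r0, r1, u0, u1, v0, v1 = a, b, [1], [0], [0], [1]
    while r1 != [0]:
        q, r = divmod_(r0, r1)
        r0, r1, u0, u1, v0, v1 = r1, r, u1, add(u0, mul(q, u1), -1), v1, add(v0, mul(q, v1), -1)
    inv = pow(r0[-1], P - 2, P)
    return tuple([inv * c % P for c in p] for p in (r0, u0, v0))

def char_poly(s):  # accumulated value of a set: prod_{x in S} (X + x)
    return reduce(lambda acc, x: mul(acc, [x % P, 1]), s, [1])

def make_proof(s1, s2, claimed):
    """Server: subset witnesses W_i = char(S_i minus claimed) plus Bezout coefficients
    q1, q2 with q1*W1 + q2*W2 = 1, which exist only if no common element was dropped."""
    w1, w2 = char_poly(set(s1) - set(claimed)), char_poly(set(s2) - set(claimed))
    _, q1, q2 = xgcd(w1, w2)
    return w1, w2, q1, q2

def verify(acc1, acc2, claimed, w1, w2, q1, q2):
    """Client: knows only acc(S_i) = char(S_i); in the real scheme each W_i and q_i
    is one group element.  Subset: char(I)*W_i == acc(S_i).  Completeness: sum == 1."""
    ci = char_poly(claimed)
    return (mul(ci, w1) == acc1 and mul(ci, w2) == acc2
            and add(mul(q1, w1), mul(q2, w2)) == [1])
```

In the actual scheme the verifier never sees the polynomials, only group elements, so the proof stays constant-size per input set and only the answer itself grows, which is the optimal proof complexity the abstract claims.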





Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Charalampos Papamanthou (1)
  • Roberto Tamassia (1)
  • Nikos Triandopoulos (2, 3)

  1. Brown University, USA
  2. RSA Laboratories, Cambridge, USA
  3. Boston University, Boston, USA
