Review Article Cryptographic Accumulator and Its Application: A Survey

. Since the concept of cryptographic accumulators was ﬁrst proposed in 1993, it has received continuous attention from researchers. The application of the cryptographic accumulator is also more extensive. This paper makes a systematic summary of the cryptographic accumulator. Firstly, descriptions and characteristics of cryptographic accumulators are given, and the one-way accumulator, collision-free accumulator, dynamic accumulator, and universal accumulator are introduced, respectively. Cryptographic accumulator can be divided into two types: symmetric accumulator and asymmetric accumulator. In the asymmetric accumulator, three diﬀerent cryptographic accumulator schemes were classiﬁed based on three security assumptions. Finally, this paper summarized the applications of cryptographic accumulators in ring signature, group signature, encrypted data search, anonymous credentials, and cryptographic promise.


Introduction
e concept of cryptographic accumulators was first proposed in 1993 by Benaloh and de Mare [1], who developed a one-way accumulator encryption protocol that could be used for timestamp and membership testing through a hash function with quasi-commutativeness and one-way property. at is to say, for all x ∈ X and y 1 , y 2 ∈ Y, this one-way hash function h: X × Y ⟶ X satisfies the quasicommutativeness: h h x, y 1 , y 2 � h h x, y 2 , y 1 .
(1) e cryptographic accumulator scheme allows the accumulation of elements from a finite set X � x 1 , . . . , x n into a concise value acc X of constant size, known as a cryptographic accumulator. Because the cryptographic accumulator satisfies the characteristic of quasi-commutativeness, the accumulated value acc X does not depend on the order of the accumulated elements. Choose g ∈ G as the base, and the original cryptographic accumulator is defined as acc X � h h h . . . h h h g, x 1 , x 2 , x 3 , . . . , x n−2 , x n−1 , x n . (2) e witness wit x i of each element x i ∈ X in the set is calculated to verify h(wit x i , x i ) � acc X , that is, to effectively prove the membership of element x i . At the same time, it is not feasible to find a membership witness for any unaccumulated element y ∉ X because of the collision resistance of one-way hash function. e cryptographic accumulator has several important characteristics, such as being dynamic, robustness, universality, security assumption, and compactness, as shown in Table 1.
Although cryptographic accumulators have been roughly described in the review of cryptographic accumulators published by Ozcelik et al. [6], the summary of this paper is not comprehensive. erefore, this paper makes a more comprehensive and detailed summary. e roadmap of this paper is organized as follows: Section 2 introduces the descriptions of cryptographic accumulator. Section 3 classifies the cryptographic accumulators into symmetric accumulator and asymmetric accumulator. In Section 4, cryptographic accumulators based on various security assumptions are introduced in detail. Section 5 describes the cryptographic accumulator scheme of hidden order group and known order group. In Section 6, the applications of cryptographic accumulator are introduced. e seventh section gives a summary.

One-Way Accumulators.
e concept of the cryptographic accumulator originated from the one-way accumulator first proposed by Benaloh and Mare [1]. A one-way accumulator is defined as a set of one-way hash functions with quasi-commutativeness.
One-Way Hash Functions [1,7]. A family of one-way hash functions is an infinite sequence of families of functions H λ λ∈N , where H λ � h k : X k × Y k ⟶ Z k (k is a security parameter), with the following properties: (1) For any integer λ and any h k ∈ H λ , h k (., .) is computable in time polynomial in λ.

(2) Any probabilistic, polynomial-time algorithm A satisfies
Pr h k R ⟵ H λ ; x R ⟵ X k ; y ,R ⟵ Y k ; x , ⟵ · A 1 λ , x, y, y , : h k (x, y) � h k x , , y , < negl(λ), where the probability depends on the random selection of h k , x, y, y ′ and random output of A.
From the above description, it is seen that the one-way hash function is computable and one-way; that is, given x and y, the calculation of z � h(x, y) can be completed in polynomial time, and if given x, y, and y ′ , the probability of finding x ′ satisfying h k (x, y) � h k (x ′ , y ′ ) is too small to be ignored; that is, the conflict between the outputs generated by different inputs is very little.

(4)
If a one-way hash function satisfies the quasi-commutativeness, first of all, the forward calculation is easy according to the one-way property, while the reverse calculation is difficult. Second, satisfying the quasi-commutativeness means that, under the condition of given initial value (Seeds), the results of multiple hash operations will not change with different calculation order.
A one-way hash function with quasi-commutativeness can be used to verify whether a value y i is in a specified set Y � y i . Specifically, the accumulative results z of Y can be calculated by the one-way accumulative function h ∈ H, using the following formula: e accumulated value (called partial accumulated value) of y i � y|y ∈ Y, y ≠ y i other than y i can also be calculated using a one-way accumulative function: e above conclusion holds because if the attacker does not know y i , according to the description of one-way function, it will face the computational difficulty that constructing y ′ makes z � h(z i , y ′ ) established. Hence, (y i , z i ) can be regarded as a witness of y i ∈ Y. During the following discussion, Z N represents the set of all positive integers, and Z n represents the set of positive integers with length within n.
One-Way Accumulators [1,7]. (y i , z i ) is the witness of y i ∈ Y meaning that it meets the following condition: . (6) However, there is an obvious problem with the above analysis: Assume that the attacker can only randomly select predictive values y ′ in a given set Y. In fact, it is entirely possible for an attack to easily find y ′ satisfying z � h(z i , y ′ ) beyond the value domain set Y, thus destroying the above description of the witness. A strong description is obtained if the attacker's optional range of predictive values is extended beyond the specified set Y.
Strongly One-Way Hash Functions [7]. A family of strongly one-way hash functions is an infinite sequence of families of functions H λ λϵN , where H λ � h k : X k × Y k ⟶ Z k } (k is a security parameter), having the following properties: (1) For any integer λ and any h k ϵH λ , h k (., .) is computable in time polynomial in λ. Characteristics Dynamic [2] e cryptographic accumulator has efficient algorithms for adding, deleting, witnessing, and updating elements.
Robustness [1] e administrator of the cryptographic accumulator does not need to be trusted, and trapdoor information cannot be used to forge witnesses. Universality [3] e cryptographic accumulator can provide not only membership proof but also nonmembership proof. Security assumption [4] Under the premise of security assumption declaration, the member verification function of the cryptographic accumulator is not affected by attackers.
Compactness [5] e cryptographic accumulator can map a large set to accumulation value of a smaller order of magnitude, which is manifested by the small storage space required for accumulated value and witness, as well as the low time complexity of updating algorithm.
(2) Any probabilistic, polynomial-time algorithm A satisfies e probability is taken over the random choice of h k , x, y and random output of A.

Collision-Free Accumulators.
Strongly one-way property does not completely solve the problem of ensuring security in the case of an adversary actively participating in the selection of values to be accumulated (i.e., x and y in the above description are no longer randomly chosen but carefully chosen by the adversary). In order to fill this gap, Baric and Pfitzmann [5] proposed the concept of collisionfree accumulators.
Baric and Pfitzmann [5] proposed that the cryptographic accumulator needs to be more strict when building FSS mechanisms. Under the strongly one-way property, the attacker may still carefully forge the member value (y 1 ′ , y 2 ′ , . . . , y n ′ ) to construct witness accu ′ for y ′ . erefore, a collision-free accumulator is introduced. On the strongly one-way property basis, the member value (y 1 ′ , y 2 ′ , . . . , y n ′ ) does not need to be given.
Cryptographic Accumulator Scheme [5,7]. e scheme of a cryptographic accumulator is a 4-tuple containing 4 polynomial time algorithms (Gen, Eval, Wit, and Ver): (1) Gen (key generation algorithm): it is a probabilistic algorithm for generating initial parameters. Gen receives two parameters: a security variable 1 λ and an accumulator threshold N, an upper bound on the total number of values that can be securely accumulated, and finally returns an accumulator key k, k ∈ k λ,N . (2) Eval (evaluation algorithm): it is a probabilistic algorithm for finding accumulated values. Calculate all accumulated values in the set L � y 1 , y 2 , . . . , y N′ , N ′ ∈ N, where y i ∈ Y k , k ∈ K λ,N . Eval inputs (k, y 1 , y 2 , . . . , y N′ ) and outputs an accumulated value of z ∈ Z k and some auxiliary information of aux, which will be used as an input to other algorithms. Note that Eval outputs the same accumulated value for the same input, and the auxiliary information may be different. (3) Wit (witness extraction algorithm): it is a probabilistic algorithm for generating member witnesses based on relevant information. Wit inputs an accumulator k ∈ k λ,N , a value y i ∈ Y k , and auxiliary information aux outputted by Eval (k, y 1 , y 2 , . . . , y N′ ); if y i is in L, a witness w i ∈ W K is outputted to prove that y i is accumulated within z; otherwise, it returns symbol ⊥. (4) Ver (verification algorithm): it is a deterministic algorithm for verifying the membership of a value by witness. Ver inputs (k, y i , w i , z) to verify that y i is accumulated into z and outputs Yes or No according to witness w i .

N-Times
Collision-Freeness [5,7]. A cryptographic accumulator scheme is said to be N-times collision-free when it satisfies the following property: A cryptographic accumulator scheme is said to be N-times collision-free if, for any integer λ and for any probabilistic, polynomial-time algorithm A, where the probability is taken from random output of Gen, Eval, and A.
Collision-Freeness [5,7]. A cryptographic accumulator scheme is collision-free if it is in all N-times collision-free.

Dynamic Accumulators.
e application of member authentication requires that the selected cryptographic accumulator can not only enable the verifier to authenticate efficiently but also ensure the security. When a member set changes (added or deleted), the accumulated value and witness of each member can be updated efficiently; otherwise, whenever members are added or deleted, all members need to recalculate the current accumulated value and their respective witness. When the member set changes dynamically, the cryptographic accumulator cannot operate efficiently to meet the practical application requirements. For this reason, researchers put forward the concept of dynamic accumulator, which can add, delete, and update operations on the basis of the original 4-tuple.
Dynamic Accumulator Scheme [2,7]. A dynamic accumulator scheme is a seven-tuple containing seven polynomial time algorithms (Gen, Eval, Wit, Ver, Add, Del, and Upd), where Gen, Eval, Wit, and Ver are the same as in the cryptographic accumulator scheme: k, an accumulated value z obtained as the accumulation of some set L of less than N elements, where L⊆Y K , z ∈ Z k , and the value y ′ ∈ L to be deleted, it returns a new accumulator value z ′ corresponding to the set L∖ y ′ , along with a witness w ′ ∈ W k for y ′ and some updated information aux Add which will be used by the Upd algorithm.
(2) Del (element deletion algorithm): it is usually a deterministic algorithm. Given an accumulator key k, an accumulated value z obtained as the accumulation of some set L of less than N elements, where L⊆Y K , z ∈ Z k , and the value y ′ ∈ Y k to be added, it returns a new accumulator value z ′ corresponding to the set L ∪ y ′ , along with some update information aux Del which will be used by the Upd algorithm. (3) Upd (witness update algorithm): it is a deterministic algorithm used to update the witness w ∈ W k of each existing element in the set y ∈ Y k after adding or deleting elements in L. Upd takes k, y, w, op, and aux op as input (where op is either Add or Del) and returns an updated witness w ′ to prove that y has been accumulated into z ′ .

Universal Accumulators.
Universal accumulators are dynamic and support (non)membership proofs [3]. Cryptographic accumulators that support membership proof are called positive accumulators, those that support nonmembership proof are called negative accumulators, and those that support both are called universal accumulators [9].
Assuming that k is a security parameter, the safe universal accumulator of the input {χ k } family is a family of functions {F k } with the following properties [3]: (i) Effective generation: there is an effective probabilistic polynomial time algorithm G, which generates a random function F k on input 1 k . Moreover, G also outputs some auxiliary information about f, expressed as aux f . (ii) Efficient evaluation: each f ∈ F k is a polynomial time function, which outputs a value h ∈ g f when inputting (g, x) ∈ g f × χ k , where g f is the input domain of the function f and χ k is the input domain to accumulate the element. (iii) Quasi-commutativity: for all f ∈ F k , all g ∈ g f , and all en, the universal accumulator scheme is safe. Table 2 provides description of different types of cryptographic accumulators.

Symmetrical Accumulators.
e symmetric cryptographic accumulator is a trapdoor-free structure and does not require witness verification. In random oracle models, the existing structures are secure. e symmetric accumulator [14] basically consists of a one-way function f: Y ⟶ X and a vector x ∈ X of length l, initialized to the 0 vector. is set of values y 1 , y 2 , . . . , y n accumulates as vector z: z � x∨f(y 1 )∨f(y 2 )∨ . . . ∨f(y n ), where ∨ is contained by bit. Given the accumulative vector z and values y i , verify that membership in the accumulative vector includes calculating v � f(y i ) and verifying that, ∀k ∈ [[0, l − 1]], v k � 1 means z i � 1. Symmetric accumulator does not need to calculate the witness. But it is stuck with the long output of cryptographic accumulators. Actually, the length of the cryptographic accumulator depends also on the number of values added to the cryptographic accumulator and not only on the security parameters.
Nyberg [15] proposed a symmetric accumulator. e idea is to use the hash function to generate hash values for the values to be accumulated. Each hash value h is considered to consist of r blocks of size d bits h 1 , h 2 , . . . , h r composition. en, by mapping each block to one bit, map such code to an r bit string. Accumulated value z is calculated as the coordinate directional bit product corresponding to the string to be accumulated. To verify the membership, the values y and the corresponding bit string y ′ with r length can be calculated. Check that, for all 1 ≤ i ≤ r, when y i ′ � 0, z i � 0. Bloom filter [16] can be used as a cryptographic accumulator. Furthermore, Yum et al. [17] proved that it is superior to other symmetric accumulators. Secure Bloom filter consists of k hash functions f i : Y ⟶ X . ese functions actually belong to the hash family. Each hash function uniformly returns a vector index. To add a value to the cryptographic accumulator, it is fed to each hash function to get k indexes. e bit of x at these indexes is set to 1. To verify that a given value is accumulated, k hash functions are applied again to obtain the vector index. If any bit of the accumulative vector is 0 at these indexes, then the value is definitely not accumulated. If all the bits at these indexes are 1, then an incorrect positive response may be obtained. Another variant of Bloom filter has been studied in the past, where the hash function is replaced by a hash-based message authentication code (HMAC).
It can be noted that, in the case of symmetric accumulators, the size of l increases as the number of elements in the filter increases or the false positive rate is set as low.

Asymmetric Accumulators.
e first cryptographic accumulator proposed is asymmetric and requires witness verification [1].
is construct takes the modulus f (x, y) � x y mod N as a one-way and quasi-commutative function because it satisfies For power operations for one-way accumulators, the module is chosen as the product of two safe prime numbers p and q of equal size. If (p − 1)/2 is also a prime, prime p is safe. Malicious attacker who knows the accumulated value z may forge witness w for the randomly selected value y by finding the initial value x verifying x y mod N � z. However, this is not feasible under the RSA assumption. Table 3 shows the development of symmetric and asymmetric accumulators. Table 4 shows the evolution of different types of security assumptions.

Accumulator Based on Hash Tree
Hash tree, in cryptography and computer science, is a tree data structure in which every leaf node is labeled with the hash of the data block, while the node other than the leaf node is labeled with the encrypted hash of its child node label. Hash trees can efficiently and securely validate the contents of large data structures. A prime resolution algorithm is selected to build a hash tree [20].
Consecutive primes starting at 2 are selected to build a tenlevel hash tree. e node of the first layer is the root node, and there are two nodes under the root node. e second layer has three nodes under each node, and so on; that is, the number of children of each node layer is a continuous prime number. By the tenth level, there are 29 nodes under each node. e children of the same node, from left to right, Table 2: Descriptions of the cryptographic accumulator.

Description
One-way accumulator [10] One-way hash function [11] A family of one-way hash functions is an infinite sequence of families of functions H λ λϵN , where H λ h k : X k × Y k ⟶ Z k , with the following properties: ① For any integer λ and any h k ϵH λ , h k (., .) is computable in polynomial time in λ; ② for any probabilistic, polynomial-time algorithm A, (3) is satisfied, where the probability is taken over the random choice of h k , x, y, y , and the random coins of A. (4) is satisfied.
One-way accumulator A one-way accumulator is defined as a family of one-way hash functions with quasicommutativeness. is description is elegant and simple, but, in order to clarify the basic function of the security cryptographic accumulator, the ability to intuitively accumulate set L as a small value can be proved only for element y ∈ L. In fact, the oneway property imposed by the second requirement is often too weak for applications where the attacker can choose some value to accumulate.

Strongly one-way hash function
A family of strongly one-way hash functions is an infinite sequence of families of functions H λ λϵN , where H λ � h k : X k × Y k ⟶ Z k , having the following properties: ① For any integer λ and any h k ϵH λ , h k (., .) is computable in polynomial time in λ; ② for any probabilistic, polynomial-time algorithm A, (7) is satisfied, where the probability is taken over the random choice of h k , x, y, y , and the random coins of A.
Collision-free accumulator [5] Cryptographic accumulator scheme e cryptographic accumulator scheme is a 4-tuple of polynomial-time algorithm (Gen, Eval, Wit, and Ver)

N-times collision-freeness
A cryptographic accumulator scheme is said to be N-times collision-free if, for any integer λ and for any probabilistic, polynomial-time algorithm A, probability is taken from Gen, Eval, and random coins of A.
Collision-free When a cryptographic accumulator scheme is N-times collision-free for any value of N polynomial in λ, it is called collision-free. Dynamic accumulator [12] Dynamic accumulators include polynomial-time algorithms (Gen, Eval, Wit, Ver, Add, Del, and Upd) for 7-tuples. Universal accumulator [13] Universal accumulators are dynamic and support membership and nonmembership proofs.
Security and Communication Networks 5 represent different remainder results. For example, the second layer node has three children. So, from left to right, 0 is divided by 3, 1 is divided by 3, and 2 is divided by 3. e remainder of the mod operation on a prime number determines the path of processing.

Accumulator Based on Hash
Tree. In a hash tree, values are associated with the leaves of a binary tree. e value of the sibling node is hash in order to calculate the value associated with its parent node, and so on, until the value of the tree root is obtained. e root value of the tree is defined as the cryptographic accumulator of the set of values associated with the leaves of the tree [20]. e hash tree cannot be directly used to obtain the functions of general and dynamic accumulators. In fact, cumulative sets need to add and remove elements (tree node values if a hash tree is used), while generating nonmembership proof. So, instead of associating values with the leaves of the tree, a pair of continuously accumulated set elements are associated. To prove that element x is not in the accumulative set, it is now equivalent to indicating that a pair (x ∝ , x β ) (where x ∝ < x < x β ) belongs to the tree, but pairs (x ∝ , x) and (x, x β ) do not belong to the tree.

Development Process of the Accumulator Based on
Hash Tree. Buldas et al. [18,19] proposed the first universal dynamic accumulator satisfying nonrepudiation (called the nonrepudiable certifier and formalized in the context of the cryptographic accumulator). Its construction is based on collision-resistant hashes and hash trees. en, a universal accumulator structure based on hash tree is proposed, which satisfies the concept similar to nonrepudiation (the scheme is called strong universal accumulator). Recently, another cryptographic accumulator based on hash tree has been introduced, which uses the promise of modular operations on RSA composite modules based on binary polynomials as a collision-resistant hash function.

Accumulator Based on RSA Assumption
4.2.1. RSA Assumption. RSA hard problem means that, ∀y, z, n ∈ Z 1 n , ∃x ∈ Z n : z � x y mod n is known. e RSA assumption refers to the fact that the RSA assumption is computationally infeasible for all polynomial-time algorithms A [5]; that is, Pr y, z, n ∈ Z n :: ∃x: z � x y mod n ≤ 1 A(n) . (11) According to the RSA hard problem assumption, first, the function z � x y mod n satisfies the one-way property. Second, the function z � x y satisfies the quasi-commutativeness. at is, ∀ y 1, y 2 : z(z(x, y 1, ), When the modulus N is large enough and is generated randomly and the exponential y and value z are given, it is difficult to calculate x satisfying x y mod N � z. However, as informally noted in [1] and later recognized in Nyberg [15], the one-way property imposed in the description may not succeed for applications where certain adversaries have access to the list of values to accumulate. To remedy, a stronger property called strongly one-way property should be considered, where choices do not impose y ′ on the attacker as one-way hash functions.

Strong RSA Assumption.
e strong RSA hard problem means that, ∀z, n ∈ Z s , ∃x ∈ Z p , y: z � x y mod n is known, where Z p is the set of prime numbers. e strong Table 3: Development process.

Symmetric accumulator
Bloom filter constructs an cryptographic accumulator. A symmetric accumulator is proposed to generate hash values for the values to be accumulated hash functions. Asymmetric accumulator e first cryptographic accumulator proposed in 1993 is asymmetric and requires witness validation. 1993 [1] Proposing the first cryptographic accumulator which is asymmetric and requires witness verification.

[20]
A universal accumulator structure based on the hash tree is proposed, which satisfies the concept similar to the nonrepudiation, called a strong universal accumulator.
RSA assumption 1996 [15] Imposing one-way property (applications where some adversaries can access the list of values to accumulate may not succeed).
RSA hard problem assumption means that the strong RSA hard problem is computationally infeasible for all polynomial-time methods A [2]; that is, Pr z ∈ Z n , n ∈ Z s :: ∃x ∈ Z n , y ∈ Z p : z � x y mod n ≤ 1 A(n) .
In contrast to general RSA, the strong RSA hard problem assumption allows free choice of combinations (x, y); that is, the attacker can choose not only the base of the exponential function but also the exponent. In addition, the strong RSA assumption also requires that the exponent be prime, while the general RSA assumption has no special requirement for the exponent. For the strong RSA hard problem assumption, there is no strict proof that it is computationally feasible. Again, there is no rigorous theoretical proof that it works on a computer.
When the modulus N is large enough and randomly generated and given the value z, it is difficult to find x and y that satisfy x y mod N � z as previously demonstrated; impact resistance can be obtained under strong RSA assumptions only if the value to be accumulated is prime.
Cryptographic accumulators without trapdoor should be able to be constructed. Trapdoors are unnecessary in the cryptographic accumulator scheme. e side that provides N during system setup also knows trapdoors p and q. Unfortunately, the side that knows p and q can completely bypass the security of the system. Because by knowing p and q, it is possible to recover the initial value and then independently accumulate additional values and generate false witnesses. A trapdoor-free solution will not rely on trusted online or offline services. en a trapdoor-free accumulator is introduced, which is proved to be safe in the standard model. e authors suggest the use of a generalized RSA module with unknown complete factorization and call it RSA-UFOS. A number N is an RSA-UFO, and if N has at least two large prime factors p and q, then no participant in the union, including those that produce N, will be able to find an N that splits into factors N 1 and N 2 , thus making P|N 1 and q|N 2 . A probabilistic algorithm is also proposed to generate such numbers. Under the standard model, security is proved under a new assumption called "strong RSA-UFO assumption." is assumption is very similar to the strong RSA assumption, with the only difference being that module N is set to RSA-UFO.

Accumulator Based on Strong RSA Assumption.
All schemes in this setting are [1,5] extensions. e accumulator acc x is defined as acc x ⟵ g x∈X x mod N, where N is an RSA modulus consisting of two large safe prime numbers p and g, which is randomly drawn from the cyclic group of the quadratic remainder of N. ere are sk acc , pk acc � (p, q, N) and the witnesses of the value x i given by wit x i ⟵ acc x mod N, then the strong RSA assumption will be broke. Because of the product relation of the accumulated value in the exponent, the domain of the accumulated value is limited to prime number. Note that when a given witness wit a (i.e., wit b ≡ wit c a (mod N)), accumulating a compound number will allow a � b · c derivation of the witness for each of its factors, to accumulate sets from more general domains, an appropriate mapping from these domains to prime numbers will be required (see [27]).
Certain cryptographic accumulator schemes in this setting [2] also provide dynamic functionality. Simply summing the cryptographic accumulator and its witness can add values to the cryptographic accumulator without any secret. On the contrary, if the value x j is to be deleted, the x j − th root of the cryptographic accumulator must be calculated, which is difficult to solve under strong RSA assumptions without sk acc . However, after removing the value, membership witnesses can still be publicly updated using arithmetic techniques. To update the witness acc x/x j of the value x i , find a, b ∈ Z, so that ax i + bx j � 1 and calculate the new witness as wit x i ′ ⟵ wit b x i · acc x/x j mod N and original witness is wit x i .
Moreover, cryptographic accumulator scheme provides general functionality because it supports nonmembership witnesses: acc X is accumulator for set X and y j ∉ X. Now it holds that gcd x∈X x, y j � 1 or equivalently for a, b ∈ Z, a x∈X x + by j � 1. erefore, d ⟵ g − b mod N is calculated, where g is the initial value of the empty cryptographic accumulator and forms a nonmembership witness wit y i ⟵ (a, b).
en, the verification of nonmembership witnesses is completed by checking whether acc a x ≡ d y i · g(mod N) is established. Similar to what is done for membership, nonmembership witnesses can also be publicly updated (see [24]).

t-SDH Assumption.
Given a tuple t � (p, G, P), where p is prime, G is a cyclic group generated by P and a tuple in the form of value (P, sP, . . . s t P) in Z/pZ, where s ∈ Z/pZ 0 { } [8]. For any probabilistic polynomial-time algorithm A, the following probabilities can be negligible: Tartary et al. [28] made requirements for the conflict resistance performance of the scheme, thus refuting previous claims against cryptographic accumulators. Attack is based on improperly defined security models in which adversaries have access to functions f and g. e proposed patch includes providing compound functions g (f(.)) to the adversary instead of providing functions f and g, respectively. However, the patches proposed by the authors cannot prevent other types of attacks and have proved the scheme to be unsafe. Camenisch et al. [25] proposed another cryptographic accumulator based on dynamic pairing, which provides a more efficient witness update algorithm.
Fazio and Nicolosi [7] pointed out in their investigation of the cryptographic accumulator that the original structure makes the time to update the witness after m changes the cryptographic accumulator proportional to m. ey raised Security and Communication Networks the question of whether batch updates are possible, that is, whether it is possible to build a cryptographic accumulator where the time to update the witness is independent of the number of changes to the cryptographic accumulator set. Wang et al. [29] designed a cryptographic accumulator with batch processing update and then made improvements to solve the above problems. e scheme is based on the Paillier cipher system and is proven to be secure under a new assumption called the extended strong RSA assumption, which is a variant of the strong RSA assumption with modulus N 2 . However, contrary to this claim, Camacho and Hevia [30] have shown evidence of an attack and further demonstrated that the time to update the witness in the worst case must be at least Ω(m). erefore, this provides impossible results on a cryptographic accumulator with batch update capabilities.
Previous works have produced only membership witnesses, but, in some cases, nonmembership witnesses may be unavoidable. e authors present a dynamic accumulator that supports both membership and nonmembership short witnesses, which they call the universal accumulator. e initial value of the cryptographic accumulator must be public so that nonmembership witnesses can be verified.
is construct is based on the RSA function, so only prime numbers are allowed to accumulate.
Karlof et al. [23] used elliptic curves to construct cryptographic accumulators. To add up the values (scalars), multiply them by the public key (i.e., scalars multiply the base point of the curve). Witness generation follows the same algorithm but does not include corresponding values. Validation is simple; if the product of the witness and the value is equal to the accumulated value, it is necessary to check for equality. [22] proposed a t-bound accumulator. e cryptographic accumulator uses a group G of prime number p generated by g and has bilinear maps e: G × G ⟶ G T . Here, pk acc � (g, g s , g s 2 , . . . , g s t , u) and sk acc � s. e accumulator acc x of set X � x 1 , x 2 , . . . , x n ∈ Z p (n ≤t) is defined as acc x ⟵ g u x∈X (x+s) , and the membership witness

Accumulator Based on t-SDH Assumption. Nguyen
en, check whether acc X contains the value x i by verifying whether eacc x , g � e(g x i g s , wit x i ) is true or not. e scheme allows the public evaluation of cryptographic accumulators; that is, g h(s) is obtained by extending polynomial hx � x∈X (x + s) ∈ Z p [X] and by evaluating it in G through pk acc . e public calculation of the witnesses of x i also works on set X/ x i . Furthermore, these witnesses can be updated at a constant time without knowing the secret key (see [22]).
Nguyen's scheme is extended by nonmembership witnesses, and the random value u is eliminated [31,32]. Previous work also showed how to publicly update nonmembership witnesses within a fixed period of time. Note that these adjustments can also be applied to the latter [31]. e calculation of nonmembership witnesses with value y j ∉ X makes use of the following facts: hx � x∈X (x + X) is divided by the polynomial division remainder of y j + X. Such witnesses take the form of a, b � (g hs− d/y i +s , d) ) and may be validated by eacc x , g ? � ea, g y i , g s e(g, g s )).

Accumulator Based on t-DHE Assumption
Diffie-Hellman Exponent (DHE) Assumption. e t-DHE problem in a group G of prime order q is defined as follows: On input {g, g 1 , g 2 , . . ., g t , g t+2 , . . ., g 2t } ∈ G 2t , output g t+1 . e t-DHE assumption states that this problem is hard to solve.
Camenisch et al. [25] gave a scheme of t-bound accumulator based on t-DHE assumption, like the cryptographic accumulator in t-SDH settings, which uses a group G of prime number p generated by g and has bilinear mapping e: G × G ⟶ G T . Besides, it needs a signature scheme with corresponding key pairs (sk sig , pk sig ). Here, sk acc � sk sig , public key is pk acc � g 1 , . . . , g t , g t+2 , . . . , g 2t , z, pk sig � (g c 1 , . . . , g c t , g c t+2 , . . . , g c 2t , e(g, g) c t+1 , pk sig ), and c R ⟵ Z * p . X x 1 , . . . , x m can be accumulated by calculating acc X ⟵ m i�1 g t+1−i and signing g i with x i using sk sig , where m ≤ t, thus assigning the value of x i to g i . e witness wit x j of x j ∈ X is acc X ⟵ m i�1, i ≠ j g t+1−i+j . e membership of x j can be verified by checking whether e g j , acc X � z · e(g, wit x j ) is valid and verifying the signatures of g j and x j under pk sig .
is scheme allows public updates for witnesses and cryptographic accumulators to be deleted, as this requires only pk acc . However, if the value x i is to be added to the cryptographic accumulator, a secret signature key sk acc is required to create signatures on g i and x i to link the value x i to this parameter. erefore, the public addition of the cryptographic accumulator requires that a signature be included for each potential value to be stored in the public parameter. Obviously, this seems impractical except for the small accumulative domain.

Cryptographic Accumulator Schemes in the Hidden Order Group and Known Order Group
Since the introduction of cryptographic accumulator, many cryptographic accumulator schemes with different characteristics have been proposed. Basically, the main work is to construct schemes in hidden order group and known order group [33].

Hidden Order Group.
e original RSA-based schemes have been developed by Baric, which enhance the original concept of collision-free safety. Sander [21] suggested using unknown decomposed RSA modules to construct trapdoorfree accumulators. Camenisch extended the previous scheme to have the ability to dynamically add/delete values to the cryptographic accumulator, which constitutes the first dynamic accumulator scheme. eir plan also supports public updates of existing witnesses, that is, updates without knowing any trapdoor. After that, support for nonmembership witnesses was added, so a universal dynamic accumulator was obtained. ey also proposed an optimization scheme to update the documents of nonmembership witnesses more effectively but later found shortcomings [34,35]. Lipmaa [36] generalized the RSA accumulator to a module over a Euclidean ring. In all the above schemes, the accumulative domain is limited to primes to ensure that there is no conflict. Tsudik and Xu [37] proposed a variant, which allows the accumulation of semiprimes. Assuming that the semiprime used is difficult to decompose and its decomposition is unknown to the public, a collision-free accumulator is obtained. In addition, a cryptographic accumulator scheme is proposed, which allows arbitrary integers to be accumulated and supports batch updates of witnesses. However, the scheme was eventually broken.

Known Order Group.
Nguyen proposed a dynamic accumulator scheme, which is suitable for paired-friendly groups with prime p. It is secure under the t-SDH assumption and allows up to t values to be accumulated from domain Z p . Later, Damgard, Triandopoulos, and Au et al. extended the scheme of Nguyen with general functions. Recently, Acar and Nguyen [38] removed the upper limit t for the number of elements accumulated by the t-SDH accumulator. To do this, they used a set of cryptographic accumulators, each of which contained a subset of the entire set to be accumulated. Camenisch et al. introduced another cryptographic accumulator scheme for pairing-friendly prime arrays. It supports public updates of witnesses and witnesses, and its security depends on the t-DHE assumption. Table 5 shows the development of cryptographic accumulator schemes.

Application of the Cryptographic Accumulator in Digital Signature
6.1.1. Ring Signature. In anonymous authentication on trusted platform, the length of ring signature is positively related to the number of ring members, while large members lead to low efficiency. erefore, Xu et al. [40] proposed a ring signature anonymous authentication method based on the one-way accumulator and constructed its solution in detail. In the signature phase, the length of the ring is determined by a one-way accumulator, which accumulates the information of all members so that the ring is not too large for a considerable number of members. During the verification period, the efficiency is improved, and the hash computing time, encryption computing time, and decryption computing time are reduced. Compared with the typical ring signature, it is shown that the new solution has lower time complexity and space complexity. At the same time, the new solution ensures anonymity and validity, which not only makes up for the weakness of traditional ring signature but also has high efficiency under the premise of security.

Group
Signature. Based on the knowledge of an accumulative composite dynamic accumulator and an effective protocol to prove that the factorization of a submitted value develops a novel, efficient, and provably secure group signature scheme [37], it allows authorization and ownership proof at the same time as factorization based on cumulative synthesis. It enables a group member to perform lightweight authorization proof so that the complexity of proof and verification is independent of the number of current or all deleted members. Using a dynamic accumulator to facilitate authorization, it is required that the group manager propagate certain information such as the value deleted from the cryptographic accumulator whenever a member (or group of members) joins or leaves the group.

Encrypted Search.
e dynamic accumulator is introduced into the encrypted search scheme [41,42], and the existing search scheme of decentralized storage based on block chain is improved. e new scheme takes advantage of the efficient verifiability of the witness in the dynamic accumulator and the dynamic addition and deletion of elements in the accumulated value and takes into account both efficiency and flexibility. In the encryption search scheme based on CCS'14 Hahn in [43], a dynamic accumulator is introduced and improved for the decentralized storage application scenario based on blockchain.

Revoking Anonymous Credentials.
e dynamic accumulator can be used to revoke normal credentials (and certificates): First, add a unique value to each credential. en, the accumulator value of the unique value of all valid credentials is truly published [44]. Now, users can convince the verifier that the credential is still valid by providing a witness for the unique value contained in their credential. erefore, to check the credential, the verifier must check the publisher's signature to obtain the current accumulator value and use the witness provided by the user to verify that the unique value contained in the credential is included in the accumulator value.
For anonymous credentials, the same method can be used. However, the witnesses and values contained in the cryptographic accumulator can no longer be disclosed to the validator because this completely endangers anonymity. Instead, the user can apply zero-knowledge proof to convince the verifier that the values contained in its credentials are also included in the cryptographic accumulator. erefore, if a valid protocol is found to prove that the values contained in the commitment are also included in the certificate, any anonymous certificate scheme can be effectively revoked.

Cryptographic Accumulator in Vector Commitment.
Catalano and Fiore [45] proposed a black box construction of cryptographic accumulator based on vector commitment.

Security and Communication Networks
Vector commitment allows concise commitment C to be formed for vector X � x 1 , . . . , x n . Here, it is not computationally feasible to open position i of C to a value x i ′ different from that of x i . e accumulative domain in the black box construction is set D � 1, . . . , t { }. e cryptographic accumulator is modeled as a commitment to a binary vector of length t; that is, each bit i represents the existence or nonexistence of element i ∈ D in the cryptographic accumulator. en, the (non)membership of value i can be proved by opening position i that is committed to 1 or 0, respectively.

Other Applications.
e applications of the cryptographic accumulator are shown in Figure 1.
Cryptographic accumulators can be applied to membership testing, distributed signatures, responsible certificate management, and authenticated dictionaries and can also be used as editable, sanitary processing [46,47], homomorphic signatures [48,49], and privacy protection data outsourcing building blocks as for authenticated data structures [50,51]. In addition, the cryptographic accumulator scheme can be used to prove the zero knowledge of (nonmembership) witnesses [52,53], and undisclosed values are now widely Known order group 2005 [22] A dynamic accumulator scheme is proposed, which is suitable for paired-friendly groups with prime p. It is secure under the t-SDH assumption and allows up to t values to be accumulated from the domain. 2008 [32] Extended 2005 scheme with general functions.
Hidden order group e accumulative domain is limited to primes 1997 [5] Improved the original RSA scheme in 1993 and strengthened the original concept of collision-free safety. 1999 [21] It is recommended to use unknown decomposed RSA modules to construct trapdoor-free accumulators.
2002 [2] e scheme in 1997 is extended to have the ability to dynamically add/delete values to the cryptographic accumulator, and the first dynamic accumulator is constructed. 2007 [24] In 2002, support for nonmembership witnesses was increased, so a universal dynamic accumulator was obtained, and an optimization scheme was proposed to update the documents of nonmembership witnesses more effectively. 2012 [34] e RSA accumulator is broadly defined as a module over a Euclidean ring. e accumulative domain is limited to semiprimes 2003 [37] It is allowed to accumulate semiprimes.
2007 [29] e cryptographic accumulator scheme allows arbitrary integers to be accumulated and supports batch updates of witnesses.
2019 [39] Dynamic accumulator based on hash greatly reduces storage space. 2011 [38] e upper limit t for accumulating elements of the t-SDH accumulator is canceled.  used to revoke group signatures and anonymous credentials [54,55]. Recently, cryptographic accumulators are also used in Zerocoin [56,57], and Zerocoin is an anonymous extension of bitcoin cryptocurrencies. erefore, the cryptographic accumulator can be applied to many aspects, and readers can understand the specific applications of the cryptographic accumulator in these aspects by consulting the above literature.

Conclusion
Cryptographic accumulator is a basic and important tool in the field of cryptography, which has been widely used in many aspects.
is paper firstly introduces the types of cryptographic accumulators. Secondly, in the asymmetric accumulators, three different cryptographic accumulators schemes are classified through three security assumptions.
irdly, several cryptographic accumulators based on security assumptions are introduced. Fourthly, this paper presents the cryptographic accumulator scheme under different characteristics. Finally the applications of cryptographic accumulators in different aspects are summarized. With the rapid development of big data security and blockchain, cryptographic accumulators are used more and more widely, and there is still much development space in the future.

Data Availability
All data supporting the findings of this study are included within the article.