# RSA accumulator and Bézout coefficients
An RSA accumulator is a cryptographic primitive that allows for efficient verification of set membership. It uses a mathematical function to accumulate a set of elements into a single value, known as the accumulator $A$. The generator $g$ is used to generate the group, and the element $x$ is a prime number that is accumulated into the accumulator $A$. The proof $\pi$ is used to verify that an element is a member of the accumulated set.

The proof of non-membership requires calculating Bézout's Coefficients of the element we’re proving and the product of the accumulator elements in the set.

## RSA
Modulus $N$ is:

$ N=p*q $

with

$q<p<2q$

where size of the group $ \phi(N) $ is:

$ {\phi(N)}=(p−1)(q−1) $

## RSA accumulator
Following notations are used for RSA accumulator:
- $A$ is an accumulator
- $g$ is a generator of the group
- $x$ is an element, which is a prime number.
- $\pi$ represents a proof


### RSA accumulator setup
Let

$A=g^u \pmod N $

where $u$ is the product of the accumulated values $x_i$

$u = \prod_0^{k-1} x_i$

and and all accumulated values $x_i$ are primes

### Bézout’s lemma
Bézout's lemma guarantee existence of integers $(a, b)$ given integers $(x, u)$ to fullfill the linear equation

$ax+bu=GCD(x,u)$ 

### Exclusion proofs 

If $x$ is not accumulated in $A$ then 

$GCD(x,u)=1$.

The Bezout-coefficients say that

$ax+bu=GCD(x,u)=1$ 

it's used to generate a proof 

$\pi=(g^a,b)$

that $x$ is not accumulated in $A$.

The verification of the proof is done by checking:

$(g^a)^x \cdot A^b=g^{ax} \cdot (g^u)^b=g^{ax+ub}=g$

That proofs
$$
\begin{align*}
\boxed{
\begin{array}{rcl}
g^{ax+bu}  \pmod N \equiv g \pmod N
\end{array}
}
\end{align*}
$$

### Proof with Eulers theorem
Show that:

$g^{ax+ub}  \pmod N \equiv g^1 \pmod N$

where $N = pq$ is a product of two different prime numbers, and satisfying $ax +bu \equiv 1 \pmod {\phi(N)}$.

We can write $ax +bu = 1 + h {\phi(N)}$ were the totient function $ {\phi(N)} $ is calculated as $ {\phi(N)}=(p−1)(q−1) $.

$g^{ax+ub} = g^{1 + h {\phi(N)}} = g^{1} g^{ h {\phi(N)}} = g^{1} (g^{{\phi(N)}})^h = g^{1} (1)^h = g^1 \pmod N$

That proofs
$$
\begin{align*}
\boxed{
\begin{array}{rcl}
ax +bu \equiv 1 \pmod {\phi(N)}
\end{array}
}
\end{align*}
$$



Let

$u' = u \pmod {\phi(N)}$

that gives:

$g^{ax+ub} = g^{ax + bu'} = g^1 \pmod N$

## Reference

- https://blog.goodaudience.com/deep-dive-on-rsa-accumulators-230bc84144d9
- https://crypto.stackexchange.com/questions/64083/inclusion-and-exclusion-proofs-in-rsa-accumulators
- https://crypto.stackexchange.com/questions/53991/is-there-a-cryptographic-solution-to-provide-a-proof-of-exclusion
- https://crypto.stackexchange.com/questions/85828/rsa-accumulator-exclusion-proof-without-set
- https://crypto.stackexchange.com/questions/30873/deletion-in-rsa-accumulator
- https://crypto.stackexchange.com/questions/67223/dynamic-accumulator-with-only-non-membership-witness
- https://crypto.stackexchange.com/questions/88227/fake-non-membership-proof-in-rsa-accumulator
- https://research.ijcaonline.org/volume74/number13/pxc3890090.pdf
- https://brilliant.org/wiki/extended-euclidean-algorithm/
- https://brilliant.org/wiki/bezouts-identity/
- https://www.math.cmu.edu/~bkell/21110-2010s/extended-euclidean.html
- https://github.com/oleiba/RSA-accumulator
- https://eprint.iacr.org/2018/1188.pdf
- https://www.youtube.com/watch?t=573&v=90RkQkuiGDc&feature=youtu.be
