rsa-accumulator 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6b5bb2ad698c4440d30bdbd29b3be321a3829b78bad6e188d06b351e8d81f337
+  data.tar.gz: e9270d41f253c25b4f2a44ca51d4fd03bc8ff323a173b8fff845ba5c8af5ef3c
+SHA512:
+  metadata.gz: 3bf39ed19c73847ec804b63032d940e55595f38f6b3e4abce3aba7bceb7524f06bc7a7b015264309e4b2c0123b22c999a110d08bb5982a16790deee658b00bc7
+  data.tar.gz: b91fac654230b7f9e5837eb4249881f71e915e3f7911dd63e7bf4065ce8b7daa50bdd8beb0c3ff59283b39ff73972afec66bb4558824ac75918e0b43c1580761

data/.github/workflows/ruby.yml

@@ -0,0 +1,22 @@
+name: Ruby
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: ['2.5.x', '2.6.x']
+    steps:
+    - uses: actions/checkout@v1
+    - name: Set up Ruby environment
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/Gemfile.lock
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.ruby-gemset

@@ -0,0 +1 @@
+rsa-accumulator

data/.ruby-version

@@ -0,0 +1 @@
+2.6.3

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+addons:
+  apt:
+    packages:
+      - libsodium-dev
+rvm:
+  - 2.5.5
+  - 2.6.3
+  - 2.7.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at azuchi@chaintope.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,6 @@
+source "https://rubygems.org"
+
+git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in rsa-acc.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 azuchi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,68 @@
+# RSA Accumulator for Ruby [![Build Status](https://travis-ci.org/chaintope/rsa-accumulatorrb.svg?branch=master)](https://travis-ci.org/chaintope/rsa-accumulatorrb) [![Gem Version](https://badge.fury.io/rb/rsa-accumulator.svg)](https://badge.fury.io/rb/rsa-accumulator) [![MIT License](http://img.shields.io/badge/license-MIT-blue.svg?style=flat)](LICENSE)
+
+
+Cryptographic accumulator based on the strong RSA assumption [BBF18](https://eprint.iacr.org/2018/1188.pdf) in Ruby.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rsa-accumulator'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install rsa-accumulator
+
+## Usage
+
+### Setup accumulator
+
+First, initialize the accumulator. Since the accumulator uses groups of unknown order, it can be generated in following ways:
+
+    require 'rsa-accumulator'
+    
+    # using RSA modulus published by RSA Laboratory
+    acc = RSA::Accumulator.generate_rsa2048
+
+    # using Random RSA modulus with a specified bit length(default value is )
+    acc = RSA::Accumulator.generate_random(2048)
+
+### Adding elements and membership proof
+
+You can add arbitrary String data to the accumulator.
+
+    acc.add('a', 'b')
+    proof = acc.add('c')
+
+You can use inclusion proof to prove that an element exists in an accumulator.
+
+    acc.member?(proof)
+
+### Non membership proof
+
+You can generate non-membership proof and prove that the elements does not exist in the accumulator.
+
+    members = %w(a b)
+    non_members = %w(c, d)
+    acc.add(*members)
+    proof = acc.prove_non_membership(members, non_members)
+    acc.non_member?(non_members, proof)
+    => true
+
+### Delete element from accumulator
+
+You can remove elements from the accumulator by providing the inclusion proof.
+
+    acc.add('a', 'b')
+    proof = acc.add('c')
+    acc.delete(proof)
+    
+    acc.member?(proof)
+    => false
+    

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rsa/accumulator"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rsa/acc.rb

@@ -0,0 +1,12 @@
+require "rsa/acc/version"
+require 'rsa/acc/ext'
+require 'rsa/acc/functions'
+require 'rsa/acc/proof'
+require 'rsa/acc/poe'
+require 'rsa/acc/poke2'
+
+module RSA
+  module ACC
+    class Error < StandardError; end
+  end
+end

data/lib/rsa/acc/ext.rb

@@ -0,0 +1,20 @@
+# Extending an existing class
+module RSA
+  module ACC
+
+    module Ext
+
+      refine Integer do
+        def pow(*several_variants)
+          return super(*several_variants) if several_variants.size == 1
+          return super(*several_variants) unless several_variants.first.negative?
+          exp = several_variants.first
+          inv = self.to_bn.mod_inverse(several_variants[1]).to_i
+          inv.pow(-exp, several_variants[1])
+        end
+      end
+
+    end
+
+  end
+end

data/lib/rsa/acc/functions.rb

@@ -0,0 +1,84 @@
+require 'rbnacl'
+
+module RSA
+  module ACC
+    module Functions
+
+      using RSA::ACC::Ext
+
+      # Convert element to prime number.
+      # @param [Array[String] elements an element to be converted.
+      # @return [Integer] prime number.
+      def hash_to_prime(element)
+        nonce = 0
+        loop do
+          candidate = RbNaCl::Hash.blake2b(element + even_hex(nonce)).unpack("C*")
+          candidate[-1] |= 1
+          candidate = candidate.pack('c*').unpack("H*").first.to_i(16)
+          if candidate.to_bn.prime?
+            return candidate
+          end
+          nonce += 1
+        end
+      end
+
+      # Converts a list of elements to an product of prime numbers.
+      # @param [Array[String]] elements a list of element.
+      # @return [Integer] an product of prime numbers
+      def elements_to_prime(elements)
+        elements.map{|e|hash_to_prime(e)}.inject(:*)
+      end
+
+      # Computes (xy) th root of g given xth and yth roots of g. x and y is co-prime.
+      # (a, b) ← Bezout(x, y)
+      #
+      # @param [Integer] w1 first witness.
+      # @param [Integer] w2 second witness.
+      # @param [Integer] x
+      # @param [Integer] y
+      # @return [Integer] w1^b * w2^a
+      def shamir_trick(w1, w2, x, y, modulus)
+        raise ArgumentError, 'w1^x != w2^y' unless w1.pow(x, modulus) == w2.pow(y, modulus)
+        a, b = egcd(x, y)
+        raise ArgumentError, 'Inputs does not co-prime.' unless a * x + b * y == 1
+        (w1.pow(b, modulus) * w2.pow(a, modulus)) % modulus
+      end
+
+      # Computes Bezout coefficients.
+      # see: https://github.com/dryruby/rsa.rb/blob/b1366970d31dba0078fd06d9f5d3ddd4952fb087/lib/rsa/math.rb#L143
+      # @param [Integer] x
+      # @param [Integer] y
+      # @return [Array[Integer, Integer]] Bezout coefficients
+      def egcd(x, y)
+        return [0, 1] if x.modulo(y).zero?
+        a, b = egcd(y, x.modulo(y))
+        [b, a - b * x.div(y)]
+      end
+
+      # Computes a challenge from +params+.
+      # @param [Array[Integer]] params
+      # @return [Integer] prime number of challenge.
+      def compute_challenge(*params)
+        hash_to_prime(params.map{|p|even_hex(p)}.join)
+      end
+
+      # Computes hash value from +params+.
+      # @param [Array[Integer]] params
+      # @return [Integer] hash value.
+      def blake2_hash(*params)
+        RbNaCl::Hash.blake2b(params.map{|p|even_hex(p)}.join).unpack("H*").first.to_i(16)
+      end
+
+      private
+
+      # Convert +num+ to even hex string.
+      # @param [Integer] num
+      # @return [String] hex string.
+      def even_hex(num)
+        hex = num.to_s(16)
+        hex.rjust((hex.length / 2.0).ceil * 2, '0')
+      end
+
+    end
+  end
+end

data/lib/rsa/acc/poe.rb

@@ -0,0 +1,41 @@
+module RSA
+  module ACC
+
+    # Non-Interactive Proof of Exponentiation
+    module PoE
+
+      using RSA::ACC::Ext
+
+      include RSA::ACC::Functions
+      extend RSA::ACC::Functions
+
+      module_function
+
+      # Computes a proof +base+ ^ H(+exp+) was performed to derive +result+.
+      # @param [Integer] base The known base.
+      # @param [Integer] exp The exponentiation.
+      # @param [Integer] result such as result = base^exp.
+      # @param [Integer] modulus modulus using computation.
+      def prove(base, exp, result, modulus)
+        l = compute_challenge(base, exp, result)
+        q = exp / l
+        base.pow(q, modulus)
+      end
+
+      # Verifies that base^exp = result using the given proof to avoid computation.
+      # @param [Integer] base The known base.
+      # @param [Integer] exp The exponentiation.
+      # @param [Integer] result such as result = base^exp.
+      # @param [Integer] proof an proof.
+      # @param [Integer] modulus modulus using computation.
+      def verify(base, exp, result, proof, modulus)
+        l = compute_challenge(base, exp, result)
+        r = exp % l
+        w = (proof.pow(l, modulus) * base.pow(r, modulus)) % modulus
+        w == result
+      end
+
+    end
+
+  end
+end

data/lib/rsa/acc/poke2.rb

@@ -0,0 +1,71 @@
+module RSA
+  module ACC
+
+    class PoKE2Proof
+
+      using RSA::ACC::Ext
+
+      attr_reader :z
+      attr_reader :q
+      attr_reader :r
+
+      def initialize(z, q, r)
+        @z = z
+        @q = q
+        @r = r
+      end
+
+      # Check whether same proof.
+      # @param [RSA::ACC::PoKE2Proof] other other proof.
+      # @return [Boolean] whether same proof.
+      def ==(other)
+        return false unless other.is_a?(RSA::ACC::PoKE2Proof)
+        z == other.z && q == other.q && r == other.r
+      end
+
+    end
+
+    # Non-Interactive Proof of knowledge of exponent2.
+    module PoKE2
+
+      using RSA::ACC::Ext
+
+      include RSA::ACC::Functions
+      extend RSA::ACC::Functions
+
+      module_function
+
+      # Computes a proof that you know +exp+ s.t. +base+ ^ +exp+ = +result+.
+      # @param [Integer] base
+      # @param [Integer] exp
+      # @param [Integer] result
+      # @param [Integer] modulus
+      # @return [RSA::ACC::PoKE2Proof] a proof.
+      def prove(base, exp, result, modulus)
+        g = RSA::Accumulator::RSA2048_UNKNOWN_ELEM
+        z = g.pow(exp, modulus)
+        l = compute_challenge(base, result, z)
+        alpha = blake2_hash(base, result, z, l)
+        q, r = exp.divmod(l)
+        RSA::ACC::PoKE2Proof.new(z, ((base * g.pow(alpha, modulus)) % modulus).pow(q, modulus), r)
+      end
+
+      # Verifies that the prover knows +exp+ s.t. +base+ ^ +exp+ = +result+
+      # @param [Integer] base
+      # @param [Integer] result
+      # @param [RSA::ACC::PoKE2Proof] proof
+      # @param [Integer] modulus
+      # @return [Boolean] Returns true for successful verification, false otherwise.
+      def verify(base, result, proof, modulus)
+        g = RSA::Accumulator::RSA2048_UNKNOWN_ELEM
+        l = compute_challenge(base, result, proof.z)
+        alpha = blake2_hash(base, result, proof.z, l)
+        lhs = (proof.q.pow(l, modulus) * ((base * g.pow(alpha, modulus) % modulus)).pow(proof.r, modulus)) % modulus
+        rhs = (result * proof.z.pow(alpha, modulus) % modulus)
+        lhs == rhs
+      end
+
+    end
+
+  end
+end

data/lib/rsa/acc/proof.rb

@@ -0,0 +1,51 @@
+module RSA
+  module ACC
+
+    # Proof of membership of the element's inclusion in the accumulator.
+    class MembershipProof
+
+      include Functions
+
+      # witness^H(element) == acc
+      attr_reader :element
+      attr_reader :witness
+      attr_reader :acc_value
+      attr_reader :proof # prof calculated by PoE
+
+      def initialize(element, witness, acc_value, proof)
+        @element = element
+        @witness = witness
+        @acc_value = acc_value
+        @proof = proof
+      end
+
+      # Convert element to prime number.
+      # @return [Integer] prime number of element.
+      def element_prime
+        return nil if element.nil?
+        element.is_a?(Array) ? elements_to_prime(element) : hash_to_prime(element)
+      end
+
+    end
+
+    # Proof of non-membership of the element's not inclusion in the accumulator.
+    class NonMembershipProof
+
+      attr_reader :d            # d = g^b
+      attr_reader :v            # v = A(current acc)^a
+      attr_reader :gv_inv       # gv_inv = v^{-1}
+      attr_reader :poke2_proof  # NI-PoKE2(A, v, a)
+      attr_reader :poe_proof    # NI-PoE(d, x, g*v^{-1})
+
+      def initialize(d, v, gv_inv, poke2_proof, poe_proof)
+        @d = d
+        @v = v
+        @gv_inv = gv_inv
+        @poke2_proof = poke2_proof
+        @poe_proof = poe_proof
+      end
+
+    end
+
+  end
+end

data/lib/rsa/acc/version.rb

@@ -0,0 +1,5 @@
+module RSA
+  module ACC
+    VERSION = "0.1.0"
+  end
+end

data/lib/rsa/accumulator.rb

@@ -0,0 +1,141 @@
+require 'rsa/acc'
+require 'openssl'
+require 'securerandom'
+
+module RSA
+  class Accumulator
+
+    using RSA::ACC::Ext
+
+    include RSA::ACC::Functions
+    include RSA::ACC::PoE
+
+    # RSA-2048 modulus(https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048).
+    RSA2048_MODULUS = 25195908475657893494027183240048398571429282126204032027777137836043662020707595556264018525880784406918290641249515082189298559149176184502808489120072844992687392807287776735971418347270261896375014971824691165077613379859095700097330459748808428401797429100642458691817195118746121515172654632282216869987549182422433637259085141865462043576798423387184774447920739934236584823824281198163815010674810451660377306056201619676256133844143603833904414952634432190114657544454178424020924616515723350778707749817125772467962926386356373289912154831438167899885040445364023527381951378636564391212010397122822120720357
+    RSA2048_UNKNOWN_ELEM = 2
+
+    attr_reader :n
+    attr_accessor :value
+    attr_reader :g        # Initial value
+
+    # Generate accumulator using RSA2048 modulus.
+    # @return [RSA::Accumulator]
+    def self.generate_rsa2048
+      new(RSA2048_MODULUS, RSA2048_UNKNOWN_ELEM)
+    end
+
+    # Generate accumulator with random modulus.
+    # @param [Integer] bit_length bit length of accumulator. Default: 3072 bits.
+    # @return [RSA::Accumulator]
+    def self.generate_random(bit_length = 3072)
+      n = OpenSSL::PKey::RSA.generate(bit_length).n.to_i
+      new(n, SecureRandom.random_number(n))
+    end
+
+    # Initialize accumulator
+    # @param [Integer] n modulus
+    # @param [Integer] value initial value
+    # @return [RSA::Accumulator]
+    def initialize(n, value)
+      @n = n
+      @value = value
+      @g = value
+    end
+
+    # Add element to accumulator and get inclusion proof.
+    # @param [Array[String]] elements a list of elements to be added.
+    # @return [RSA::ACC::MembershipProof] inclusion proof.
+    def add(*elements)
+      current_acc = value
+      p = elements_to_prime(elements)
+      @value = value.pow(p, n)
+      RSA::ACC::MembershipProof.new(elements, current_acc, value, RSA::ACC::PoE.prove(current_acc, p, value, n))
+    end
+
+    # Check whether +other+ is same accumulator.
+    # @param [RSA::ACC:Accumulator] other other accumulator.
+    # @return [Boolean] if same acc return true, otherwise return false.
+    def ==(other)
+      return false unless other.is_a?(Accumulator)
+      self.n == other.n && self.value == other.value
+    end
+
+    # Check whether +proof+#element include in accumulator.
+    # @param [RSA::ACC::MembershipProof] proof inclusion proof.
+    # @return [Boolean] If element exist in acc return true, otherwise false.
+    def member?(proof)
+      RSA::ACC::PoE.verify(proof.witness, proof.element_prime, value, proof.proof, n)
+    end
+
+    # Verifies a non-membership proof against the current accumulator and +elements+ whose non-inclusion is being proven.
+    # @param [Array[String]] elements elements whose non-inclusion is being proven.
+    # @param [RSA::ACC::NonMembershipProof] proof non-membership proof.
+    # @return [Boolean]
+    def non_member?(elements, proof)
+      x = elements_to_prime(elements)
+      RSA::ACC::PoKE2.verify(value, proof.v, proof.poke2_proof, n) &&
+          RSA::ACC::PoE.verify(proof.d, x, proof.gv_inv, proof.poe_proof, n)
+    end
+
+    # Generate non-membership proof using set of elements in current acc and non membership elements.
+    # @param [Array[String]] members The entire set of elements contained within this accumulator.
+    # @param [Array[String]] non_members Elements not included in this accumulator that you want to prove non-membership.
+    # @return [RSA::ACC::NonMembershipProof] Non-membership proof.
+    def prove_non_membership(members, non_members)
+      s = elements_to_prime(members)
+      x = elements_to_prime(non_members)
+
+      a, b = egcd(s, x)
+      raise ArgumentError, "Inputs not co-prime." unless a * s + b * x == 1
+
+      v = value.pow(a, n)
+      d = g.pow(b, n)
+      gv_inv = (g * v.pow(-1, n)) % n
+
+      poke2_proof = RSA::ACC::PoKE2.prove(value, a, v, n)
+      poe_proof = RSA::ACC::PoE.prove(d, x, gv_inv, n)
+
+      RSA::ACC::NonMembershipProof.new(d, v, gv_inv, poke2_proof, poe_proof)
+    end
+
+    # Remove the elements in +proofs+ from the accumulator.
+    # @param [RSA::ACC::MembershipProof] proofs proofs including the elements to be removed and the witnesses.
+    # @return [RSA::ACC::MembershipProof] Proof that the accumulator before the remove contained the deleted elements.
+    def delete(*proofs)
+      return RSA::ACC::MembershipProof.new(proofs.map(&:element).flatten, value, value, RSA::ACC::PoE.prove(value, 1, value, n)) if proofs.empty?
+
+      witnesses = proofs.map do |proof|
+        p = proof.element_prime
+        raise RSA::ACC::Error, 'Bad witness.' unless proof.witness.pow(p, n) == value
+        [p, proof.witness]
+      end
+
+      current_value = value
+      proof_product = witnesses.first[0]
+      new_value = witnesses.first[1]
+      if witnesses.size > 1
+        witnesses[1..-1].each do |w|
+          new_value = shamir_trick(new_value, w[1], proof_product, w[0], n)
+          proof_product *= w[0]
+        end
+      end
+
+      @value = new_value
+      RSA::ACC::MembershipProof.new(proofs.map{|p|p.element}.flatten, value, current_value, RSA::ACC::PoE.prove(value, proof_product, current_value, n))
+    end
+
+    # Computes an xi-th root of +y+ for all i = 1, ..., n in total time O(n log(n)).
+    # @param [Array[Integer]] f factorizations of the exponent x = x1, ..., xn.
+    # @return [Array{Integer}] array of xi-th root
+    def root_factor(*f)
+      return [value] if f.size == 1
+      half_n = f.size / 2
+      g_l = RSA::Accumulator.new(n, value.pow(f[0...half_n].map.inject(:*), n))
+      g_r = RSA::Accumulator.new(n, value.pow(f[half_n..-1].map.inject(:*), n))
+      l = g_r.root_factor(*f[0...half_n])
+      r = g_l.root_factor(*f[half_n..-1])
+      [l, r].flatten
+    end
+
+  end
+end

data/rsa-accumulatorrb.gemspec

@@ -0,0 +1,31 @@
+
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "rsa/acc/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "rsa-accumulator"
+  spec.version       = RSA::ACC::VERSION
+  spec.authors       = ["azuchi"]
+  spec.email         = ["azuchi@chaintope.com"]
+
+  spec.summary       = %q{RSA accumulator implementation for Ruby.}
+  spec.description   = %q{RSA accumulator implementation for Ruby.}
+  spec.homepage      = "https://github.com/chaintope/rsa-accumulatorrb"
+  spec.license       = "MIT"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "rbnacl"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake", ">= 12.3.3"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: rsa-accumulator
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- azuchi
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-06-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: RSA accumulator implementation for Ruby.
+email:
+- azuchi@chaintope.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".rspec"
+- ".ruby-gemset"
+- ".ruby-version"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/rsa/acc.rb
+- lib/rsa/acc/ext.rb
+- lib/rsa/acc/functions.rb
+- lib/rsa/acc/poe.rb
+- lib/rsa/acc/poke2.rb
+- lib/rsa/acc/proof.rb
+- lib/rsa/acc/version.rb
+- lib/rsa/accumulator.rb
+- rsa-accumulatorrb.gemspec
+homepage: https://github.com/chaintope/rsa-accumulatorrb
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: RSA accumulator implementation for Ruby.
+test_files: []