Black-box accumulation (BBA) is a cryptographic protocol that allows users to accumulate and redeem points, e.g. in payment systems, and offers provable security and privacy guarantees. Loosely speaking, the transactions of users remain unlinkable, while adversaries cannot claim a false amount of points or use points from other users. Attempts to spend the same points multiple times (double spending) reveal the identity of the misbehaving user and an undeniable proof of guilt. Known instantiations of BBA rely on classical number-theoretic assumptions, which are not post-quantum secure. In this work, we propose the first lattice-based instantiation of BBA, which is plausibly post-quantum secure. It relies on the hardness of the Learning with Errors (LWE) and Short Integer Solution (SIS) assumptions and is secure in the Random Oracle Model (ROM).
Our work shows that a lattice-based instantiation of BBA can be realized with a communication cost per transaction of about 199MB if built on the zero-knowledge protocol by (CRYPTO 2019) and the CL-type signature of (ASIACRYPT 2017). Without any zero-knowledge overhead, our protocol requires 1.8 MB communication.