Cryptographic Accumulator

A cryptographic accumulator is a primitive that compresses an arbitrarily large set of elements into a single short digest, while preserving the ability to issue compact proofs that a given element is, or is not, a member of that set. Accumulators matter to Bitcoin because they offer a path to representing the entire UTXO set, the part of the chain that grows without bound, in a few kilobytes rather than gigabytes.

Membership without the full set

The core idea is that a verifier who holds only the digest can be convinced of membership by a short witness supplied by a prover, without ever seeing the rest of the set. This is the same trust model as a merkle proof, generalised. A well-designed accumulator also supports efficient updates, adding or removing elements and refreshing the digest, which is essential for a set that changes every block.

The main constructions

Three families dominate. Merkle-tree accumulators give short parameters but membership witnesses of size log(n). RSA-based accumulators, built in a hidden-order group, produce constant-size digests and witnesses regardless of set size. Pairing-based (bilinear) accumulators also offer constant-size proofs but require a trusted setup and larger public parameters. Each trades off proof size, update cost, and setup assumptions differently.

For Bitcoin specifically, hash-based accumulators are favoured because they avoid trusted setup. The most prominent application is the UTXO commitment, and the same logic underlies any merkle proof a lightweight node verifies.