Abstract
A functional commitment scheme enables a user to concisely commit to a function from a specified family, then later concisely and verifiably reveal values of the function at desired inputs. Useful special cases, which have seen applications across cryptography, include vector commitments and polynomial commitments.
To date, functional commitments have been constructed (under falsifiable assumptions) only for functions that are essentially linear, with one recent exception that works for arbitrarily complex functions. However, that scheme operates in a strong and non-standard model, requiring an online, trusted authority to generate special keys for any opened function inputs.
In this work, we give the first functional commitment scheme for nonlinear functions—indeed, for all functions of any bounded complexity—under a standard setup and a falsifiable assumption. Specifically, the setup is “transparent,” requiring only public randomness (and not any trusted entity), and the assumption is the hardness of the standard Short Integer Solution (SIS) lattice problem. Our construction also has other attractive features, including: stateless updates via generic composability; excellent asymptotic efficiency for the verifier, and also for the committer in important special cases like vector and polynomial commitments, via preprocessing; and post-quantum security, since it is based on SIS.
L. de Castro and C. Peikert—Some of this work was done while at Algorand, Inc.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Some works consider a dual notion, in which the user commits to some data x and then can open various functions f of it. Our present formulation is a natural one for most specific purposes of interest. Moreover, assuming a sufficiently expressive scheme of either form, its dual notion can be achieved by swapping “code” and “data” using a universal function; see Sect. 4.3 for details.
- 2.
- 3.
The work of [PPS21] actually uses the dual formulation of functional commitments, where data x is committed and then functions f of the data are opened. However, the construction easily adapts to our present formulation of functional commitments.
- 4.
We caution that some works on polynomial commitment schemes (e.g., [BDFG21]) consider additional requirements, e.g., that the committed function is indeed a polynomial of some bounded degree, or even that openings are proofs of knowledge of such a polynomial (which SNARK applications rely upon). These are much stronger properties than originally considered in [KZG10] and in this work, typically requiring strong (often unfalsifiable) assumptions, and our construction does not achieve them. In addition, many works like [BBB+18, VP19, BFS20, BDFG21, Lee21, BNO21, KPV22] allow openings to be interactive proofs, then heuristically (and unfalsifiably) make them noninteractive using a random oracle using Fiat–Shamir [FS86]. Our construction is natively noninteractive without any heuristics.
- 5.
More generally, the scheme works for vector-valued (multi-output) functions, following Remark 3.
- 6.
- 7.
We can make the commitment hide the function f by using circuit-private homomorphic computation, such as from [BPMW16], and retaining the randomness for use in opening.
- 8.
In concert with a function-hiding commitment, we can make the opening reveal nothing more than the single input-output pair (x, f(x)) by giving a zero-knowledge proof (of knowledge) of some \(\textbf{S}_{f,x}\) that satisfies the verifier.
- 9.
In some contexts, compressed commitments and proofs even be computed directly, without first computing uncompressed ones.
- 10.
As mentioned in Sect. 3.2, security for the compressed variant extends to concatenations of \(k'\) functions with small integer outputs, where the additive n term in \(\beta \) is replaced by the maximum \(\ell _{1}\) norm of the difference between two such output vectors.
- 11.
We use decreasing j here simply for consistency with the notation in Sect. 3.1, but any order can work.
- 12.
For convenience of matrix operations, we have swapped the indices of \(\textbf{S}_{x,\bar{x}}\) from the usual \(\textbf{S}_{f,x}\) form.
- 13.
Note that this makes 0 the implicit ‘default’ value for all such keys. If we wish to have a distinguished ‘undefined’ value \(\bot \) for such keys, we can replace \(\mathcal {Y}\) with a larger group like \(\mathcal {Y}' = \mathcal {Y} \times C\) for some nontrivial cycle C, representing each \(y \in \mathcal {Y}\) by \((y,1) \in \mathcal {Y}'\), and letting \(\bot \) be represented by the identity element \((0,0) \in \mathcal {Y}'\). Note that this encoding requires some care regarding updates, because, for example, representing \(y-y = 0\) by \((y,1)-(y,1) = (0,0)\) yields \(\bot \), not the encoding of \(0 \in \mathcal {Y}\). A simple solution is for all insertions and deletions to use 1s in their second components, and for all modifications of existing values to use 0s.
- 14.
See Footnote 13 for how insertions/deletions can be handled separately from additions/subtractions, when using an encoding that has a distinguished ‘undefined’ value \(\bot \) that is separate from 0.
- 15.
More generally, the treatment is essentially the same for polynomials whose coefficients come from some \(\mathcal {R}\)-module.
- 16.
Our treatment also adapts straightforwardly to polynomials of bounded total degree. We use individual degree because it follows more naturally from the univariate case.
References
Albrecht, M.R., Cini, V., Lai, R.W.F., Malavolta, G., Thyagarajan, S.A.K.: Lattice-based SNARKs: publicly verifiable, preprocessing, and recursively composable. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO, vol. 13508, pp. 102–132. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_4
Ajtai, M.: Generating hard instances of lattice problems. Quaderni di Matematica 13, 1–32 (2004). Preliminary version in STOC 1996
Alperin-Sheriff, J., Peikert, C.: Faster bootstrapping with polynomial error. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 297–314. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_17
Agrawal, S., Raghuraman, S.: KVaC: key-value commitments for blockchains and beyond. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 839–869. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_28
Barrington, D.A.M.: Bounded-width polynomial-size branching programs recognize exactly those languages in NC\(^1\). J. Comput. Syst. Sci. 38(1), 150–164 (1989). Preliminary version in STOC 1986
Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Symposium on Security and Privacy, pp. 315–334 (2018)
Baum, C., Bootle, J., Cerulli, A., del Pino, R., Groth, J., Lyubashevsky, V.: Sub-linear lattice-based zero-knowledge arguments for arithmetic circuits. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 669–699. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_23
Boneh, D., Bünz, B., Fisch, B.: Batching techniques for accumulators with applications to IOPs and stateless blockchains. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 561–586. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_20
Bitansky, N., Chiesa, A.: Succinct arguments from multi-prover interactive proofs and their efficiency benefits. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 255–272. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_16
Balbás, D., Catalano, D., Fiore, D., Lai, R.W.F.: Functional commitments for circuits from falsifiable assumptions. Cryptology ePrint Archive, Paper 2022/1365 (2022). https://eprint.iacr.org/2022/1365
Boneh, D., Drake, J., Fisch, B., Gabizon, A.: Halo Infinite: proof-carrying data from additive polynomial commitments. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 649–680. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_23
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Bünz, B., Fisch, B., Szepieniec, A.: Transparent SNARKs from DARK compilers. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 677–706. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_24
Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30
Benabbas, S., Gennaro, R., Vahlis, Y.: Verifiable delegation of computation over large datasets. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 111–131. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_7
Bootle, J., Lyubashevsky, V., Seiler, G.: Algebraic techniques for short(er) exact lattice-based zero-knowledge proofs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 176–202. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_7
Boneh, D., Nguyen, W., Ozdemir, A.: Efficient functional commitments: How to commit to a private function. Cryptology ePrint Archive, Paper 2021/1342 (2021). https://eprint.iacr.org/2021/1342
Bourse, F., Del Pino, R., Minelli, M., Wee, H.: FHE circuit privacy almost for free. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 62–89. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_3
Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: ITCS, pp. 1–12 (2014)
Campanelli, M., Engelmann, F., Orlandi, C.: Zero-knowledge for homomorphic key-value commitments with applications to privacy-preserving ledgers. In: Galdi, C., Jarecki, S. (eds.) SCN, vol. 13409, pp. 761–784. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-14791-3_33
Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_5
Catalano, D., Fiore, D., Tucker, I.: Additive-homomorphic functional commitments and applications to homomorphic signatures. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT, vol. 13794, pp. 159–188. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22972-5_6
Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: FOCS, pp. 383–395 (1985)
Cook, S.A., Hoover, H.J.: A depth-universal circuit. SIAM J. Comput. 14(4), 833–839 (1985)
Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for P from LWE. In: FOCS, pp. 68–79 (2021)
Camenisch, J., Lysyanskaya, A.: Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_5
Chepurnoy, A., Papamanthou, C., Srinivasan, S., Zhang, Y.: Edrax: a cryptocurrency with stateless transaction validation. Cryptology ePrint Archive, Report 2018/968 (2018). https://eprint.iacr.org/2018/968
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008)
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5
Ghosal, R., Sahai, A., Waters, B.: Non-interactive publicly-verifiable delegation of committed programs. In: PKC, pp. 1–42 (2023)
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In STOC, pp. 469–477 (2015)
Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108 (2011)
Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short PCPs. In: IEEE Conference on Computational Complexity, pp. 278–291 (2007)
Kilian, J.: A note on efficient zero-knowledge proofs and arguments. In: STOC, pp. 723–732 (1992)
Kalai, Y.T., Lombardi, A., Vaikuntanathan, V., Wichs, D.: Boosting batch arguments and RAM delegation. In: STOC, pp. 1–45 (2023)
Kattis, A.A., Panarin, K., Vlasov, A.: RedShift: transparent SNARKs from list polynomial commitments. In: CCS, pp. 1725–1737 (2022)
Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11
Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13043, pp. 1–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_1
Liskov, M.: Updatable zero-knowledge databases. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 174–198. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_10
Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. ICALP 2, 144–155 (2006)
Lyubashevsky, V., Nguyen, N.K., Plançon, M.: Lattice-based zero-knowledge proofs and applications: Shorter, simpler, and more general. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO, vol. 13508, pp. 71–101. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15979-4_3
Lipmaa, H., Pavlyk, K.: Succinct functional commitment for a large class of arithmetic circuits. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 686–716. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_23
Libert, B., Ramanna, S.C., Yung, M.: Functional commitment schemes: from polynomial commitments to pairing-based accumulators from simple assumptions. In: ICALP, pp. 30:1–30:14 (2016)
Libert, B., Yung, M.: Concise mercurial vector commitments and independent zero-knowledge sets with short proofs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_30
Micali, S.: CS proofs. In: FOCS, pp. 436–453 (1994)
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex. 16(4), 365–411 (2007). Preliminary version in FOCS 2002
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004
Micali, S., Rabin, M.O., Kilian, J.: Zero-knowledge sets. In: FOCS, pp. 80–91 (2003)
Peikert, C., Pepin, Z., Sharp, C.: Vector and functional commitments from lattices. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13044, pp. 480–511. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_16
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_4
Papamanthou, C., Shi, E., Tamassia, R.: Signatures of correct computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 222–242. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_13
Papamanthou, C., Shi, E., Tamassia, R., Yi, K.: Streaming authenticated data structures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 353–370. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_22
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005
Steinfeld, R., Bull, L., Zheng, Y.: Content extraction signatures. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 285–304. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45861-1_22
Vlasov, A., Panarin, K.: Transparent polynomial commitment scheme with polylogarithmic communication complexity. Cryptology ePrint Archive, Paper 2019/1020 (2019). https://eprint.iacr.org/2019/1020
Wee, H., Wu, D.: Succinct vector, polynomial, and functional commitments from lattices. In: EUROCRYPT, pp. 1–55 (2023)
Acknowledgments
This material is based upon work supported by NSF Grant No. CCF-2006857 and by DARPA under Agreement No. HR00112020025. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government, the NSF, or DARPA.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
de Castro, L., Peikert, C. (2023). Functional Commitments for All Functions, with Transparent Setup and from SIS. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14006. Springer, Cham. https://doi.org/10.1007/978-3-031-30620-4_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-30620-4_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30619-8
Online ISBN: 978-3-031-30620-4
eBook Packages: Computer ScienceComputer Science (R0)
