Skip to main content
SpringerLink
Log in

Chainable Functional Commitments for Unbounded-Depth Circuits

  • Conference paper
  • First Online:
Theory of Cryptography (TCC 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14371))

Included in the following conference series:

Abstract

A functional commitment (FC) scheme allows one to commit to a vector \(\boldsymbol{x}\) and later produce a short opening proof of \((f, f(\boldsymbol{x}))\) for any admissible function f. Since their inception, FC schemes supporting ever more expressive classes of functions have been proposed.

In this work, we introduce a novel primitive that we call chainable functional commitment (CFC), which extends the functionality of FCs by allowing one to 1) open to functions of multiple inputs \(f(\boldsymbol{x}_1, \ldots , \boldsymbol{x}_m)\) that are committed independently, 2) while preserving the output also in committed form. We show that CFCs for quadratic polynomial maps generically imply FCs for circuits. Then, we efficiently realize CFCs for quadratic polynomials over pairing groups and lattices, resulting in the first FC schemes for circuits of unbounded depth based on either pairing-based or lattice-based falsifiable assumptions. Our FCs require fixing a-priori only the maximal width of the circuit to be evaluated, and have opening proof size depending only on the circuit depth. Additionally, our FCs feature other nice properties such as being additively homomorphic and supporting sublinear-time verification after offline preprocessing.

Using a recent transformation that constructs homomorphic signatures (HS) from FCs, we obtain the first pairing- and lattice-based realisations of HS for bounded-width, but unbounded-depth, circuits. Prior to this work, the only HS for general circuits is lattice-based and requires bounding the circuit depth at setup time.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Looking ahead, our pairing-based instantiation supports arithmetic circuits over \(\mathbb {Z}_q\), while our lattice-based instantiation supports arithmetic circuits over cyclotomic rings \(\mathbb {Z}[\zeta ]\) where wires carry values of bounded norm.

  2. 2.

    Note, when used for a circuit of depth d these solutions may have efficiency doubly exponential in d since in general \(\delta \approx 2^{d}\).

  3. 3.

    One can recover the standard notion of committing to \(\boldsymbol{x}\) and opening to f via universal evaluators.

  4. 4.

    This means that our FCs satisfy compactness as defined in [23] for subvector and linear map commitments.

  5. 5.

    In our model we assume wlog arithmetic circuits where every gate is a quadratic polynomial of unbounded fan-in.

  6. 6.

    Following Theorem 2, this gives a proof size of \(\mathcal {O}({d^3})\) for our pairing-based FC and \(\mathcal {O}({d^2 \cdot \textsf{polylog}(d\cdot w)})\) for our lattice-based FC for circuits of depth d and width w. Nevertheless, the proof size can be reduced by a factor of d in both cases, as we show in Table 1. We refer to Sects. 6 and 7 for details.

  7. 7.

    In our constructions, we often omit r from the inputs; in such a case we assume either that r is randomly sampled or that the commitment algorithm is deterministic.

  8. 8.

    This can be assumed without loss of generality. If we have an output \(x^{(h)}_i\) at level \(h<d\), we can introduce a linear gate at level d that takes \(x^{(h)}_i\) and some arbitrary \(x^{(d-1)}_j\) as input, and outputs \(x^{(d)}_k = x^{(h)}_i + 0\cdot x^{(d-1)}_j\).

  9. 9.

    This representation is not unique as \(\boldsymbol{x}^{(h)} \otimes \boldsymbol{x}^{(h')}\) contains repeated entries, but this can be solved by agreeing on appropriately placing zero coefficients.

  10. 10.

    We use \(k\text {-}R\text {-}\textsf{ISIS} \) to refer to both the ring and module version. In [1], the module version is given the name \(k\text {-}M\text {-}\textsf{ISIS}\).

  11. 11.

    We refer to the attack strategies discussed in [1, Section 4.1]. There, the authors discussed two (they gave three, but the third generalises the second) attacks: 1) Direct SIS attack: Finding a short vector in the kernel of \((\textbf{A} | -\boldsymbol{t} \cdot g^*(\boldsymbol{v}))\). 2) Find a (not necessarily short) linear combination \((z_1, \ldots , z_k)\) so that \(s^* \cdot g^*(\boldsymbol{v}) = \sum _i z_i \cdot g_i(\boldsymbol{v})\) and \(\boldsymbol{u}_{g^*} = \sum _i z_i \cdot \boldsymbol{u}_{g_i}\) is short. There seems to be no obvious way that either attack can take advantage of the two-slotted structure in the twin-kMISIS assumption.

References

  1. Albrecht, M.R., Cini, V., Lai, R.W.F., Malavolta, G., Thyagarajan, S.A.K.: Lattice-based SNARKs: Publicly verifiable, preprocessing, and recursively composable - (extended abstract). In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part II. LNCS, vol. 13508, pp. 102–132. Springer, Heidelberg (Aug 2022). https://doi.org/10.1007/978-3-031-15979-4_4

  2. Albrecht, M.R., Lai, R.W.F.: Subtractive sets over cyclotomic rings - limits of Schnorr-like arguments over lattices. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 519–548. Springer, Heidelberg, Virtual Event (Aug 2021). https://doi.org/10.1007/978-3-030-84245-1_18

  3. Balbás, D., Catalano, D., Fiore, D., Lai, R.W.F.: Chainable functional commitments for unbounded-depth circuits. Cryptology ePrint Archive, Paper 2022/1365 (2022). https://eprint.iacr.org/2022/1365,https://eprint.iacr.org/2022/1365

  4. Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (May 2011). https://doi.org/10.1007/978-3-642-20465-4_10

  5. de Castro, L., Peikert, C.: Functional commitments for all functions, with transparent setup and from SIS. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology – EUROCRYPT 2023, Part III. LNCS, vol. 14006, pp. 287–320. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_10

  6. Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (Feb/Mar 2013). https://doi.org/10.1007/978-3-642-36362-7_5

  7. Catalano, D., Fiore, D., Messina, M.: Zero-knowledge sets with short proofs. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 433–450. Springer, Heidelberg (Apr 2008). https://doi.org/10.1007/978-3-540-78967-3_25

  8. Catalano, D., Fiore, D., Tucker, I.: Additive-homomorphic functional commitments and applications to homomorphic signatures. In: Agrawal, S., Lin, D. (eds.) Advances in Cryptology – ASIACRYPT 2022, Part IV. LNCS, vol. 13794, pp. 159–188. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_6

  9. Catalano, D., Fiore, D., Warinschi, B.: Homomorphic signatures with efficient verification for polynomial functions. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 371–389. Springer, Heidelberg (Aug 2014). https://doi.org/10.1007/978-3-662-44371-2_21

  10. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (Aug 2013). https://doi.org/10.1007/978-3-642-40084-1_8

  11. Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 174–203. Springer, Heidelberg (Apr/May 2018). https://doi.org/10.1007/978-3-319-78381-9_7

  12. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (May 2008). https://doi.org/10.1145/1374376.1374407

  13. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (Aug 2013). https://doi.org/10.1007/978-3-642-40041-4_5

  14. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 99–108. ACM Press (Jun 2011). https://doi.org/10.1145/1993636.1993651

  15. Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 113–122. ACM Press (May 2008). https://doi.org/10.1145/1374376.1374396

  16. González, A., Ràfols, C.: Shorter pairing-based arguments under standard assumptions. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 728–757. Springer, Heidelberg (Dec 2019). https://doi.org/10.1007/978-3-030-34618-8_25

  17. González, A., Zacharakis, A.: Fully-succinct publicly verifiable delegation from constant-size assumptions. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part I. LNCS, vol. 13042, pp. 529–557. Springer, Heidelberg (Nov 2021). https://doi.org/10.1007/978-3-030-90459-3_18

  18. Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th ACM STOC, pp. 469–477. ACM Press (Jun 2015). https://doi.org/10.1145/2746539.2746576

  19. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (Apr 2008). https://doi.org/10.1007/978-3-540-78967-3_24

  20. Johnson, R., Molnar, D., Song, D.X., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (Feb 2002). https://doi.org/10.1007/3-540-45760-7_17

  21. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (Dec 2010). https://doi.org/10.1007/978-3-642-17373-8_11

  22. Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Designated verifier/prover and preprocessing NIZKs from Diffie-Hellman assumptions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part II. LNCS, vol. 11477, pp. 622–651. Springer, Heidelberg (May 2019). https://doi.org/10.1007/978-3-030-17656-3_22

  23. Lai, R.W.F., Malavolta, G.: Subvector commitments with application to succinct arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 530–560. Springer, Heidelberg (Aug 2019). https://doi.org/10.1007/978-3-030-26948-7_19

  24. Libert, B., Ramanna, S.C., Yung, M.: Functional commitment schemes: from polynomial commitments to pairing-based accumulators from simple assumptions. In: Chatzigiannakis, I., Mitzenmacher, M., Rabani, Y., Sangiorgi, D. (eds.) ICALP 2016. LIPIcs, vol. 55, pp. 30:1–30:14. Schloss Dagstuhl (Jul 2016). https://doi.org/10.4230/LIPIcs.ICALP.2016.30

  25. Libert, B., Yung, M.: Concise mercurial vector commitments and independent zero-knowledge sets with short proofs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 499–517. Springer, Heidelberg (Feb 2010). https://doi.org/10.1007/978-3-642-11799-2_30

  26. Lipmaa, H., Pavlyk, K.: Succinct functional commitment for a large class of arithmetic circuits. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 686–716. Springer, Heidelberg (Dec 2020). https://doi.org/10.1007/978-3-030-64840-4_23

  27. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (Apr 2012). https://doi.org/10.1007/978-3-642-29011-4_41

  28. Morillo, P., Ràfols, C., Villar, J.L.: The kernel matrix Diffie-Hellman assumption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 729–758. Springer, Heidelberg (Dec 2016). https://doi.org/10.1007/978-3-662-53887-6_27

  29. Peikert, C., Pepin, Z., Sharp, C.: Vector and functional commitments from lattices. In: Nissim, K., Waters, B. (eds.) TCC 2021, Part III. LNCS, vol. 13044, pp. 480–511. Springer, Heidelberg (Nov 2021). https://doi.org/10.1007/978-3-030-90456-2_16

  30. Wee, H., Wu, D.J.: Succinct vector, polynomial, and functional commitments from lattices. In: Hazay, C., Stam, M. (eds.) Advances in Cryptology – EUROCRYPT 2023, Part III. LNCS 14006, pp. 385–416. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_13

Download references

Acknowledgements

This work is supported by the PICOCRYPT project that has received funding from the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement No. 101001283), partially supported by projects PRODIGY (TED2021-132464B-I00) and ESPADA (PID2022-142290OB-I00) funded by MCIN/AEI/10.13039/501100011033/ and the European Union NextGenerationEU/PRTR, and partially funded by Ministerio de Universidades (FPU21/00600). This research has been supported in part by the Programma ricerca di ateneo UNICT 35 2020-22 linea 2 and by research gifts from Protocol Labs.

Author information

Authors and Affiliations

  1. IMDEA Software Institute, Madrid, Spain

    David Balbás & Dario Fiore

  2. Universidad Politécnica de Madrid, Madrid, Spain

    David Balbás

  3. University of Catania, Catania, Italy

    Dario Catalano

  4. Aalto University, Espoo, Finland

    Russell W. F. Lai

Authors
  1. David Balbás
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dario Catalano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dario Fiore
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Russell W. F. Lai
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to David Balbás .

Editor information

Editors and Affiliations

  1. Apple, Cupertino, CA, USA

    Guy Rothblum

  2. NTT Research, Sunnyvale, CA, USA

    Hoeteck Wee

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Balbás, D., Catalano, D., Fiore, D., Lai, R.W.F. (2023). Chainable Functional Commitments for Unbounded-Depth Circuits. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-48621-0_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48620-3

  • Online ISBN: 978-3-031-48621-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation