Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis

  • Conference paper
Advances in Cryptology – ASIACRYPT 2023 (ASIACRYPT 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14442)
Abstract

A functional commitment allows a user to commit to an input \(\textbf{x}\in \{0,1\}^\ell \) and later open the commitment to a value \(y = f(\textbf{x})\) with respect to some function f. In this work, we focus on schemes that support fast verification. Specifically, after a preprocessing step that depends only on f, the verification time as well as the size of the commitment and opening should be sublinear in the input length \(\ell \). We also consider the dual setting where the user commits to the function f and later opens the commitment at an input \(\textbf{x}\).

In this work, we develop two (non-interactive) functional commitments that support fast verification. The first construction supports openings to constant-degree polynomials and has a shorter CRS for a broad range of settings compared to previous constructions. Our second construction is a dual functional commitment for arbitrary bounded-depth Boolean circuits that supports fast verification with security from falsifiable assumptions. Both schemes are lattice-based and avoid non-black-box use of cryptographic primitives or lattice sampling algorithms. Security of both constructions relies on the \(\ell \)-succinct short integer solutions (SIS) assumption, a falsifiable q-type generalization of the SIS assumption (Preprint 2023).

In addition, we study the challenges of extending lattice-based functional commitments to extractable functional commitments, a notion that is equivalent to succinct non-interactive arguments (when considering openings to quadratic relations). We describe a general methodology that heuristically breaks the extractability of our construction and provides evidence for the implausibility of the knowledge k-R-\(\textsf{ISIS}\) assumption of Albrecht et al. (CRYPTO 2022) that was used in several constructions of lattice-based succinct arguments. If we additionally assume hardness of the standard inhomogeneous SIS assumption, we obtain a direct attack on a variant of the extractable linear functional commitment of Albrecht et al.

Notes

  1.

    In the full version of this paper, we provide the formal description and analysis of [WW23] using the \(\ell \)-succinct SIS assumption.

  2.

    In the syntax of [Wee23], the ABE ciphertext is essentially \(\textbf{s}^{\scriptscriptstyle \textsf{T}}[\textbf{A}\mid \textbf{W}_0 + (\textbf{x}\otimes \textbf{I}_n) \textbf{W}] + \textsf{error}\) and the secret key is a short Gaussian pre-image of \([\textbf{A}~|~ \textbf{B}_f]\) where \(\textbf{B}_f\) is derived from \(\textbf{B}\) via homomorphic evaluation [GSW13, BGG+14] of f on \(\textbf{B}\).

  3.

    Technically, there is a polylogarithmic dependence on \(\ell \) since \(\log q\) scales with \(\textsf{poly}(\log \ell )\).

  4.

    After communicating the attack to the authors of [ACL+22], Albrecht implemented and confirmed the attack [Alb23].

  5.

    Note that \(\textbf{T}\) does not (and cannot) have full rank over \(\mathbb {Z}_q\).

  6.

    The difference in target binding vs. evaluation binding is due to the soundness properties of the underlying RAM delegation scheme. We refer to [KLVW23, Remark 6.1] for more discussion on the different security definitions for RAM delegation.

  7.

    A functional commitment scheme for homogeneous polynomials implies one for non-homogeneous polynomials by padding the input with a constant-value 1. See also Remark 3.4.

  8.

    Our construction also supports the setting where \(\textbf{f}_1, \ldots , \textbf{f}_T\) have different degrees \(d_1, \ldots , d_T \le {d_{\textrm{max}}}\). For simplicity of exposition, we just describe the case where they have equal degree \(d \le {d_{\textrm{max}}}\).

  9.

    Note that \(\bar{\textbf{T}}\) does not (and cannot) have full rank over \(\mathbb {Z}_q\).

References

  1. Albrecht, M.R., Cini, V., Lai, R.W.F., Malavolta, G., Thyagarajan, S.A.: Lattice-based SNARKs: publicly verifiable, preprocessing, and recursively composable. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13508, pp. 102–132. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15979-4_4

  2. Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: STOC (1996)

  3. Albrecht, M.: Knowledge K-M-ISIS is false (2023). https://gist.github.com/malb/7c8b86520c675560be62eda98dab2a6f

  4. Agrawal, S., Raghuraman, S.: KVaC: key-value commitments for blockchains and beyond. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 839–869. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_28

  5. Bitansky, N., Chiesa, A.: Succinct arguments from multi-prover interactive proofs and their efficiency benefits. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 255–272. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_16

  6. Balbás, D., Catalano, D., Fiore, D., Lai, R.W.F.: Functional commitments for circuits from falsifiable assumptions. IACR Cryptol. ePrint Arch. (2022)

  7. Bitansky, N., Chiesa, A., Ishai, Y., Paneth, O., Ostrovsky, R.: Succinct non-interactive arguments via linear interactive proofs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 315–333. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_18

  8. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30

  9. Brakerski, Z., Holmgren, J., Kalai, Y.T.: Non-interactive delegation and batch NP verification from standard computational assumptions. In: STOC (2017)

  10. Boneh, D., Nguyen, W., Ozdemir, A.: Efficient functional commitments: how to commit to private functions. IACR Cryptol. ePrint Arch. (2021)

  11. Brakerski, Z., Tsabary, R., Vaikuntanathan, V., Wee, H.: Private constrained PRFs (and more) from LWE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 264–302. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_10

  12. Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_1

  13. Catalano, D., Fiore, D.: Vector commitments and their applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 55–72. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_5

  14. Campanelli, M., Fiore, D., Greco, N., Kolonelos, D., Nizzardo, L.: Incrementally aggregatable vector commitments and applications to verifiable decentralized storage. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 3–35. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_1

  15. Choudhuri, A.R., Jain, A., Jin, Z.: SNARGs for \(\cal{P}\) from LWE. In: FOCS (2021)

  16. Cini, V., Lai, R.W.F., Malavolta, G.: Lattice-based succinct arguments from vanishing polynomials: (extended abstract). In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 72–105. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_3

  17. de Castro, L., Peikert, C.: Functional commitments for all functions, with transparent setup and from SIS. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14006, pp. 287–320. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_10

  18. Fisch, B., Liu, Z., Vesely, P.: Orbweaver: succinct linear functional commitments from lattices. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023. LNCS, vol. 14082, pp. 106–131. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38545-2_4

  19. Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37

  20. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11

  21. Gorbunov, S., Reyzin, L., Wee, H., Zhang, Z.: Pointproofs: aggregating proofs for multiple vector commitments. In: ACM CCS (2020)

  22. Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 75–92. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_5

  23. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. In: STOC (2013)

  24. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25

  25. Gorbunov, S., Vaikuntanathan, V., Wichs, D.: Leveled fully homomorphic signatures from standard lattices. In: STOC (2015)

  26. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC (2011)

  27. Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Efficient arguments without short PCPs. In: CCC (2007)

  28. Kilian, J.: A note on efficient zero-knowledge proofs and arguments (extended abstract). In: STOC (1992)

  29. Kalai, Y., Lombardi, A., Vaikuntanathan, V., Wichs, D.: Boosting batch arguments and RAM delegation. In: STOC (2023)

  30. Kalai, Y., Paneth, O.: Delegating RAM computations. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 91–118. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_4

  31. Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: STOC (2019)

  32. Kalai, Y.T., Vaikuntanathan, V., Zhang, R.Y.: Somewhere statistical soundness, post-quantum security, and SNARGs. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13042, pp. 330–368. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90459-3_12

  33. Kate, A., Zaverucha, G.M., Goldberg, I.: Constant-size commitments to polynomials and their applications. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 177–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_11

  34. Lai, R.W.F., Malavolta, G.: Subvector commitments with application to succinct arguments. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 530–560. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_19

  35. Lipmaa, H., Pavlyk, K.: Succinct functional commitment for a large class of arithmetic circuits. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12493, pp. 686–716. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_23

  36. Libert, B., Ramanna, S.C., Yung, M.: Functional commitment schemes: from polynomial commitments to pairing-based accumulators from simple assumptions. In: ICALP (2016)

  37. Libert, B., Yung, M.: Concise mercurial vector commitments and independent zero-knowledge sets with short proofs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_30

  38. Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_32

  39. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)

  40. Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41

  41. Nitulescu, A.: SoK: Vector Commitments (2021). https://www.di.ens.fr/~nitulesc/files/vc-sok.pdf

  42. Parno, B., Howell, J., Gentry, C., Raykova, M.: Pinocchio: nearly practical verifiable computation. In: IEEE Symposium on Security and Privacy (2013)

  43. Peikert, C., Pepin, Z., Sharp, C.: Vector and functional commitments from lattices. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13044, pp. 480–511. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90456-2_16

  44. Papamanthou, C., Shi, E., Tamassia, R., Yi, K.: Streaming authenticated data structures. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 353–370. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_22

  45. Tomescu, A., et al.: Aggregatable subvector commitments for stateless cryptocurrencies. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 45–64. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_3

  46. Tsabary, R.: Candidate witness encryption from lattice techniques. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022. LNCS, vol. 13507, pp. 535–559. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15802-5_19

  47. Tomescu, A., Xia, Y., Newman, Z.: Authenticated dictionaries with cross-incremental proof (dis)aggregation. IACR Cryptol. ePrint Arch. (2020)

  48. Vaikuntanathan, V., Wee, H., Wichs, D.: Witness encryption and null-IO from evasive LWE. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13791, pp. 195–221. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22963-3_7

  49. Wee, H.: Optimal broadcast encryption and CP-ABE from evasive lattice assumptions. In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022. LNCS, vol. 13276, pp. 217–241. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07085-3_8

  50. Wee, H.: Circuit ABE with small ciphertexts and keys from lattices (2023). Manuscript

  51. Wee, H., Wu, D.J.: Succinct vector, polynomial, and functional commitments from lattices. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023. LNCS, vol. 14006, pp. 385–416. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_13

  52. Waters, B., Wee, H., Wu, D.J.: Multi-authority ABE from lattices without random oracles. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022. LNCS, vol. 13747, pp. 651–679. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22318-1_23

Acknowledgments

We thank Martin Albrecht for helpful discussions about the cryptanalysis of the k-R-\(\textsf{ISIS}\) assumption and Daniel Wichs for helpful insights on functional commitments and RAM delegation. David J. Wu is supported in part by NSF CNS-2151131, CNS-2140975, CNS-2318701, a Microsoft Research Faculty Fellowship, and a Google Research Scholar award.

Corresponding author

Correspondence to David J. Wu.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Wee, H., Wu, D.J. (2023). Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14442. Springer, Singapore. https://doi.org/10.1007/978-981-99-8733-7_7

  • DOI: https://doi.org/10.1007/978-981-99-8733-7_7

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8732-0

  • Online ISBN: 978-981-99-8733-7

  • eBook Packages: Computer Science (R0)