Paper 2024/028

Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis

Hoeteck Wee, NTT Research, École Normale Supérieure - PSL
David J. Wu, The University of Texas at Austin
Abstract

A functional commitment allows a user to commit to an input $\mathbf{x} \in \{0,1\}^\ell$ and later open up the commitment to a value $y = f(\mathbf{x})$ with respect to some function $f$. In this work, we focus on schemes that support fast verification. Specifically, after a preprocessing step that depends only on $f$, the verification time as well as the size of the commitment and opening should be sublinear in the input length $\ell$. We also consider the dual setting where the user commits to the function $f$ and later opens up the commitment at an input $\mathbf{x}$. In this work, we develop two (non-interactive) functional commitments that support fast verification. The first construction supports openings to constant-degree polynomials and has a shorter CRS for a broad range of settings compared to previous constructions. Our second construction is a dual functional commitment for arbitrary bounded-depth Boolean circuits. Both schemes are lattice-based and avoid non-black-box use of cryptographic primitives or lattice sampling algorithms. Security of both constructions relies on the $\ell$-succinct short integer solutions (SIS) assumption, a falsifiable $q$-type generalization of the SIS assumption (Preprint 2023). In addition, we study the challenges of extending lattice-based functional commitments to extractable functional commitments, a notion that is equivalent to succinct non-interactive arguments (when considering openings to quadratic relations). We describe a general methodology that heuristically breaks the extractability of our construction and provides evidence for the implausibility of the knowledge $k$-$R$-$\mathsf{ISIS}$ assumption of Albrecht et al. (CRYPTO 2022) that was used in several constructions of lattice-based succinct arguments. If we additionally assume hardness of the standard inhomogeneous SIS assumption, we obtain a direct attack on a variant of the extractable linear functional commitment of Albrecht et al.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in ASIACRYPT 2023
Keywords
functional commitment, succinct non-interactive argument, lattices, cryptanalysis
Contact author(s)
wee @ di ens fr
dwu4 @ cs utexas edu
History
2024-01-08: approved
2024-01-08: received
Short URL
https://ia.cr/2024/028
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/028,
      author = {Hoeteck Wee and David J. Wu},
      title = {Lattice-Based Functional Commitments: Fast Verification and Cryptanalysis},
      howpublished = {Cryptology ePrint Archive, Paper 2024/028},
      year = {2024},
      note = {\url{https://eprint.iacr.org/2024/028}},
      url = {https://eprint.iacr.org/2024/028}
}