Libert, Benoît ;
Ramanna, Somindu C. ;
Yung, Moti
Functional Commitment Schemes: From Polynomial Commitments to PairingBased Accumulators from Simple Assumptions
Abstract
We formalize a cryptographic primitive called functional commitment (FC) which can be viewed as a generalization of vector commitments (VCs), polynomial commitments and many other special kinds of commitment schemes. A noninteractive functional commitment allows committing to a message in such a way that the committer has the flexibility of only revealing a function of the committed message during the opening phase. We provide constructions for the functionality of linear functions, where messages consist of vectors over some domain and commitments can later be opened to a specific linear function of the vector coordinates. An opening for a function thus generates a witness for the fact that the function indeed evaluates to a given value for the committed message. One security requirement is called function binding and requires that no adversary be able to open a commitment to two different evaluations for the same function.
We propose a construction of functional commitment for linear functions based on constantsize assumptions in composite order groups endowed with a bilinear map. The construction has commitments and openings of constant size (i.e., independent of n or function description) and is perfectly hiding  the underlying message is information theoretically hidden. Our security proofs build on the Déjà Q framework of Chase and Meiklejohn (Eurocrypt 2014) and its extension by Wee (TCC 2016) to encryption primitives, thus relying on constantsize subgroup decisional assumptions. We show that FC for linear functions are sufficiently powerful to solve four open problems. They, first, imply polynomial commitments, and, then, give cryptographic accumulators (i.e., an algebraic hash function which makes it possible to efficiently prove that some input belongs to a hashed set). In particular, specializing our FC construction leads to the first pairingbased polynomial commitments and accumulators for large universes known to achieve security under simple assumptions. We also substantially extend our pairingbased accumulator to handle subset queries which requires a nontrivial extension of the Déjà Q framework.
BibTeX  Entry
@InProceedings{libert_et_al:LIPIcs:2016:6309,
author = {Benoît Libert and Somindu C. Ramanna and Moti Yung},
title = {{Functional Commitment Schemes: From Polynomial Commitments to PairingBased Accumulators from Simple Assumptions}},
booktitle = {43rd International Colloquium on Automata, Languages, and Programming (ICALP 2016)},
pages = {30:130:14},
series = {Leibniz International Proceedings in Informatics (LIPIcs)},
ISBN = {9783959770132},
ISSN = {18688969},
year = {2016},
volume = {55},
editor = {Ioannis Chatzigiannakis and Michael Mitzenmacher and Yuval Rabani and Davide Sangiorgi},
publisher = {Schloss DagstuhlLeibnizZentrum fuer Informatik},
address = {Dagstuhl, Germany},
URL = {http://drops.dagstuhl.de/opus/volltexte/2016/6309},
URN = {urn:nbn:de:0030drops63096},
doi = {10.4230/LIPIcs.ICALP.2016.30},
annote = {Keywords: Cryptography, commitment schemes, functional commitments, accumulators, provable security, pairingbased, simple assumptions.}
}
2016
Keywords: 

Cryptography, commitment schemes, functional commitments, accumulators, provable security, pairingbased, simple assumptions. 
Seminar: 

43rd International Colloquium on Automata, Languages, and Programming (ICALP 2016)

Issue date: 

2016 
Date of publication: 

2016 