Abstract

A vector commitment scheme allows a user to commit to an ordered sequence of messages (i.e., a vector) and later open the commitment at any subset of positions in the vector. The most important and desirable feature of vector commitment schemes is that the size of the opening proof is sublinear in the length of the committed vector. The original vector commitment scheme has since been extended to support several new functionalities such as aggregation, updatability and homomorphism, and has applications ranging from verifiable data streaming to stateless cryptocurrency. Among these extensions, the linear-map vector commitment (LVC) scheme enables a user to open a general linear map evaluated on the committed vector, rather than only individual messages of the committed vector as in the original vector commitment scheme. However, the existing LVC schemes are only proved secure under idealized assumptions, i.e., in the algebraic group model, which might be impractical in the real world. To this end, we eliminate the use of the algebraic group model and propose a practically secure LVC construction. Our construction achieves practical security by additionally generating degree proofs for polynomials, which enable a verifier to publicly check the degree of those polynomials. We prove the security of the proposed LVC construction in the standard model under a q-type complexity assumption over bilinear groups. Moreover, we demonstrate how to use the proposed LVC scheme to construct maintainable vector commitments and verifiable data streaming protocols. The theoretical comparison and experimental results indicate that our proposal provides a stronger security guarantee while remaining competitive in terms of efficiency.
