In this section, we define statistically hiding and extractable binding vector commitments, describe a construction, and prove the construction secure. This construction is the basis for our performance improvements that we achieve with our new storage architecture presented in Section 4.
Definition
A vector commitment scheme allows to commit to a vector of messages (m1,…,mn). It is extractable binding, if the message vector can be extracted from the commitment and the state of the committer, and it is hiding under partial opening if an adversary cannot infer any valuable information about unopened messages, even if some of the committed messages have been opened. Our vector commitments are reminiscent of the vector commitments introduced by Catalano and Fiore [6]. However, neither do they require their commitments to be extractable binding, nor do they consider their hiding property.
Definition 1
(Vector commitment scheme) A vector commitment scheme is a sextuple \((L,{\mathcal {M}},\allowbreak {\mathsf {Setup}},{\mathsf {Commit}}, {\mathsf {Open}},{{\mathsf {Verify}}})\), where \(L\in {\mathbb {N}}\) is the maximum vector length, \({\mathcal {M}}\)is the message space, and Setup,Commit,Open, and Verify are algorithms with the following properties. Setup→k: This algorithm generates a public key k. Commit(k,(m1,…,mn))→(c,D): On input key k and message vector \(\left (m_{1},\ldots,m_{n}\right)\in {\mathcal {M}}^{n}\), where n∈[L], this algorithm generates a commitment c and a vector decommitment D. Open(k,D,i)→d: On input key k, vector decommitment D, and index i, this algorithm outputs a decommitment d for the ith message corresponding to D. Verify(k,m,c,d,i)→b: On input key k, message m, commitment c, decommitment d, and an index i, this algorithm outputs b=1, if d is a valid decommitment from position i of c to m, and otherwise outputs b=0.
A vector commitment scheme is correct, if a decommitment produced by Commit and Open will always verify for the corresponding commitment and message.
Definition 2
(Correctness) A vector commitment scheme \((L,{\mathcal {M}},\allowbreak {\mathsf {Setup}},{\mathsf {Commit}},{\mathsf {Open}},{{\mathsf {Verify}}})\) is correct, if for all \(n \in [L], M \in {\mathcal {M}}^{n}, k \in {\mathsf {Setup}}, i \in [n]\),
$${}\Pr \left[\begin{array}{cccc} {{\mathsf {Verify}}}(k,M_{i},c,d)=1:\\ {\mathsf{Commit}}(k,M) \to (c,D), {\mathsf {Open}}(k,D,i) \to d \end{array}\right]=1. $$
A vector commitment scheme is statistically hiding under selective opening, if the distribution of commitments and openings does not depend on the unopened messages.
Definition 3
(Statistically hiding (under selective opening)) Let \(S=(L,{\mathcal {M}},{\mathsf {Setup}},\allowbreak {\mathsf {Commit}},\allowbreak {\mathsf {Open}},{{\mathsf {Verify}}})\) be a vector commitment scheme. For \(n\in [L], I \subseteq [n], M\in {\mathcal {M}}^{n}, k\in {\mathsf {Setup}}\), we denote by CDk(M,I) the random variable \((c,\bar {D}_{I})\), where (c,D)←Commit(k,M) and \(\bar {D} \gets ({\mathsf {Open}}(D,i))_{i\in [n]}\). Let ε∈[0,1]. We say S is ε-statistically hiding, if for all \(n \in {\mathbb {N}}, I \subseteq [n], M_{1},M_{2}\in {\mathcal {M}}^{n}\) with (M1)I=(M2)I,k∈Setup,
$$\Delta\left({\mathsf{CD}}_{k}(M_{1},I),{\mathsf{CD}}_{k}(M_{2},I)\right) \leq \epsilon {.} $$
A vector commitment scheme is extractable binding, if for every efficient committer, there exists an efficient extractor, such that for any efficient decommitter, if the committer gives a commitment that can be opened by a decommitter, then the extractor can already extract the corresponding messages from the committer at the time of the commitment.
Definition 4
(extractable binding) Let \(\epsilon :{\mathbb {N}}^{3} \to [0,1]\). We say a vector commitment scheme \((L,{\mathcal {M}},{\mathsf {Setup}},{\mathsf {Commit}},{\mathsf {Open}},{{\mathsf {Verify}}})\) is ε-extractable-binding, if for all t1-bounded algorithms \({\mathcal {A}}_{1}, t_{{\mathcal {E}}}\)-bounded algorithms \({\mathcal {E}}\), and t2-bounded algorithms \({\mathcal {A}}_{2}\),
$$\Pr\! \left[\!\!\begin{array}{cccc} {{\mathsf {Verify}}}(p,m,c,d,i)=1 \land m_{i} \neq m : \\ {\mathsf {Setup}}() \to k, {\mathcal{A}}_{1}(k) \to_{r} c,\\ {\mathcal{E}}(k,r) \to \left(m_{1},m_{2},\ldots\right), {\mathcal{A}}_{2}(k,r) \to (m,c,d,i)\!\!\! \end{array}\right] \!\!\leq\! \epsilon(t_{1},t_{{\mathcal{E}}},t_{2}) \text{.} $$
Construction: extractable binding
In the following, we show that the Merkle hash tree construction [18] can be casted into a vector commitment scheme and that this construction is extractable binding if the used hash function is extractable binding.
Construction 1
Let (K,H) denote a keyed hash function and let \(l \in {\mathbb {N}}\). The following is a description of the hash tree scheme by Merkle cast into the definition of vector commitments. We denote the vertices of the tree by hi,j, where i is the level of hi,j within the Merkel tree and j is the index of hi,j in the ith level. Setup()→k: Run K→k and output k. Commit(k,(m1,…,mn))→(c,D): Set \(l \gets \min \left \{i \in {\mathbb {N}} :n \leq 2^{i}\right \}\). For j∈{0,…,n−1}, compute hl,j←H(k,mj+1), and for j∈{n,…,2l−1}, set hl,j←⊥. For i=l−1 to 0, j∈{0,…,2i−1}, set hi,j←H(k,(hi+1,2j,hi+1,2j+1)). Finally, compute c←H(k,(l,h0,0)) and set \(\phantom {\dot {i}\!}D \gets \left (h_{i,j}\right)_{i \in \{0,\ldots,l\}, j \in \{0,\ldots,2^{i}-1\}}\), and output (c,D). Open(k,D,i∗)→d: Let \(\phantom {\dot {i}\!}\left (h_{i,j}\right)_{i \in \{0,\ldots,l\},j \in \{0,\ldots,2^{i}-1\}} \gets D\). Set \(\phantom {\dot {i}\!}a_{l} \gets i^{*}\). For i′=l to 1, set \(\phantom {\dot {i}\!}b_{i'} \gets a_{i'} + 2(a_{i'} \bmod 2)-1, g_{i'} \gets h_{i',b_{i'}}\), and \(a_{i'-1} \gets \lfloor a_{i'}/2\rfloor \phantom {\dot {i}\!}\). Set d=(g1,…,gl) and output d. \(\phantom {\dot {i}\!}{{\mathsf {Verify}}}(k,m,c,d,i^{*}) \to b^{*}\): Let (g1,…,gl)←d. Set \(a_{l} \gets i^{*}\phantom {\dot {i}\!}\) and compute H(k,m)→hl. For i=l to 1, if ai mod 2=0, set \(\phantom {\dot {i}\!}b_{i} \gets \left (h_{i},g_{i}\right)\), and if ai mod 2=1, set \(\phantom {\dot {i}\!}b_{i} \gets \left (g_{i},h_{i}\right)\), and then compute H(k,bi)→hi−1 and set ai−1←⌊ai/2⌋. Finally, compute H(k,(l,h0))→c′ and set b∗←(c==c′). Output b∗.
Theorem 1
The vector commitment scheme described in Construction 1 is correct.
Proof
of Theorem 1. Let \((L,{\mathcal {M}},{\mathsf {Setup}},{\mathsf {Commit}},{\mathsf {Open}}, {{\mathsf {Verify}}})\) be the scheme described in Construction 1. Furthermore, let \(n \in [L], M \in {\mathcal {M}}^{n}, k \in {\mathsf {Setup}}, i \in [n], {\mathsf {Commit}}(k,M)\to (c,D), {\mathsf {Open}}(k,D,i)\to d\), and Verify(k,Mi,c,d)→b. By the definition of algorithms Commit and Open, we observe that d=(g1,…,gl) are the siblings of the nodes in the hash tree \(\phantom {\dot {i}\!}D=\left (h_{i,j}\right)_{i \in \{0,\ldots,l\}, j \in \{0,\ldots,2^{i}-1\}}\) on the path from leaf H(k,Mi) to the root h0,0. We observe that algorithm Verify recomputes this path starting with H(k,Mi). Thus, h0=h0,0=c. It follows that b=1. □
Theorem 2
Let (K,H) be an ε-extractable-binding hash function. The vector commitment scheme described in Construction 1 instantiated with (K,H) is ε′-extractable-binding with \(\epsilon '(t_{1},t_{{\mathcal {E}}},t_{2})=2L*\epsilon (t_{1} + t_{{\mathcal {E}}}/L,t_{{\mathcal {E}}}/L,t_{2})\).
Proof
of Theorem 2. Let (K,H) be an ε-extractable-binding keyed hash function and let the tuple \((L,{\mathcal {M}},{\mathsf {Setup}},{\mathsf {Commit}},\allowbreak {\mathsf {Open}},{{\mathsf {Verify}}})\) be the vector commitment scheme described in Construction 1 instantiated with (K,H). To prove the theorem, we use the extractable-binding property of (K,H) to construct an extractor for the vector commitment scheme.
Fix \(t_{1},t_{{\mathcal {E}}},t_{2} \in {\mathbb {N}}\) and t1-bounded algorithm \({\mathcal {A}}_{1}\). We observe that, because (K,H) is ε-extractable-binding, for any t-bounded algorithm \({\mathcal {A}}\), there exists a \(t_{{\mathcal {E}}}\)-bounded algorithm \({\mathcal {E}}^{H}_{{\mathcal {A}}}\) such that for any t2-bounded algorithm \({\mathcal {A}}_{2}\), for experiment \({\mathcal {A}}(k)\to _{r} h, {\mathcal {A}}_{2}(k,r) \to m\), and \({\mathcal {E}}^{H}_{{\mathcal {A}}}(k,r) \to m'\), we have H(k,m)=h and m≠m′ with probability at most \(\epsilon (t,t_{{\mathcal {E}}},t_{2})\).
Define \({\mathcal {A}}_{0,0}\) as an algorithm that on input k, samples r, computes \({\mathcal {E}}^{H}_{{\mathcal {A}}_{1}}(k,r) \to \left (l,h_{0,0}\right)\phantom {\dot {i}\!}\), and outputs h0,0. Recursively, define \({\mathcal {A}}_{i,j}\) as an algorithm that on input k, samples r, computes \({\mathcal {E}}^{H}_{{\mathcal {A}}_{i-1,\lfloor {j/2}\rfloor }}(k,r) \to \left (h_{0},h_{1}\right)\phantom {\dot {i}\!}\), and outputs hj mod 2.
Now define the vector extraction algorithm \({\mathcal {E}}\) as follows. On input (k,r), first compute \({\mathcal {E}}^{H}_{{\mathcal {A}}_{1}}(k,r)\to _{r'}\left (l,h_{0,0}\right)\). Then, for i∈{0,…,2l−1}, sample ri and compute \({\mathcal {E}}^{H}_{{\mathcal {A}}_{l,i}}\left (k,\left (r,r',r_{i}\right)\right)\to m_{i+1}\). Output \(\left (m_{1},\ldots,m_{2^{l}}\right)\).
We observe that for any t2-bounded algorithm \({\mathcal {A}}_{2}\), for experiment \({\mathcal {A}}_{1}(k)\to _{r} c, {\mathcal {A}}_{2}(k,r) \to (m,d,i)\), and \({\mathcal {E}}(k,r) \to M\), the probability of having Verify(k,m,c,d,i)=1 and Mi≠m is upper-bounded by the probability that at least one of the node extraction algorithms relied on by \({\mathcal {E}}\) fails. As there are at most 2L nodes in the tree, this probability is upper-bounded by \(2L*\epsilon (\max \{t_{1}, t_{{\mathcal {E}}}\},\allowbreak t_{{\mathcal {E}}},\allowbreak t_{2})\).
It follows that Construction 1 is ε′-extractable-binding with \(\epsilon '(t_{1},t_{{\mathcal {E}}},t_{2}) = 2L*\epsilon (t_{1} + t_{{\mathcal {E}}}/L,t_{{\mathcal {E}}}/L,t_{2})\). □
Construction: extractable binding and statistically hiding
We now combine a statistically hiding and extractable binding commitment scheme with the vector commitment scheme from Construction 1 to obtain a statistically hiding (under selective opening) and extractable binding vector commitment scheme. The idea is to first commit with the statistically hiding scheme to each message separately and then produce a vector commitment to these individually generated commitments.
Construction 2
Let COM be a commitment scheme and VC be a vector commitment scheme. Setup()→k: Run COM.Setup()→k1,VC.Setup()→k2, set k←(k1,k2), and output k. Commit(k,(m1,…,mn))→(c,D): Let k→(k1,k2). For i∈{1,…,n}, compute COM.Commit(k1,mi)→(ci,di). Then compute VC.Commit(k2,(c1,…,cn))→(c,D′), set D←(((c1,d1),…,(cn,dn)),D′), and output (c,D). Open(k,D,i)→d: Let k→(k1,k2) and D→(((c1,d1),…,(cn,dn)),D′). Compute VC.Open(k2,D′,i)→d′, set d←(ci,di,d′), and output d. Verify(k,m,c,d,i)→b: Let k→(k1,k2) and d→(c′,d′,d″). Compute COM.Verify(k1,m,c′,d′)→b1 and then compute VC.Verify(k2,c′,c,d″,i)→b2, set b←(b1∧b2), and output b.
Theorem 3
The vector commitment scheme described in Construction 2 is correct if COM and VC are correct.
Proof
of Theorem 3. Let \((L,{\mathcal {M}},{\mathsf {Setup}},{\mathsf {Commit}},{\mathsf {Open}}, {{\mathsf {Verify}}})\) be the scheme described in Construction 2. Let \(n \in [L], M \in {\mathcal {M}}^{n}, k \in {\mathsf {Setup}}, i \in [n], {\mathsf {Commit}}(k,M)\to (c,D), {\mathsf {Open}}(k,D,i)\to d\), and Verify(k,Mi,c,d)→b. We observe that D=((ci,di)i∈[n],D′) and furthermore d∈VC.Open(k2,D′,i). By the correctness of COM, it follows that COM.Verify(k1,Mi,ci,di)=1, and by the correctness of VC, it follows that HT.VC(k2,ci,c,d,i)=1. Thus, Verify(k,Mi,c,d,i)=1. □
Theorem 4
The vector commitment scheme described in Construction 2 is Lε-statistically hiding (under selective opening) if the commitment scheme COM is ε-statistically hiding.
We prove Theorem 4 in Appendix B.
Theorem 5
If COM and VC of Construction 2 are ε-extractable-binding, Construction 2 is an ε′-extractable-binding vector commitment scheme with \(\epsilon '\left (t_{1},t_{{\mathcal {E}}},t_{2}\right)=L*\epsilon \left (t_{1} + t_{{\mathcal {E}}}/L,t_{{\mathcal {E}}}/L,t_{2}\right)\).
Proof
of Theorem 5. Let \(t_{1},t_{{\mathcal {E}}},t_{2} \in {\mathbb {N}}\) and fix any t1-bounded algorithm \({\mathcal {A}}_{1}\) that on input k outputs c.
We observe that because VC is ε-extractable-binding that there exists a \(t_{{\mathcal {E}}}\)-bounded extraction algorithm \({\mathcal {E}}_{0}\) such that for any t2-bounded algorithm \({\mathcal {A}}_{2}\), for experiment \({\mathsf {Setup}} \to k, {\mathcal {A}}_{1}(k)\to _{r} c, {\mathcal {A}}_{2}(k,r) \to (c_{i},d,i)\), and \({\mathcal {E}}_{0}(k,r) \to C\), we have VC.Verify(k2,ci,c,d,i)=1 and Ci≠ci with probability at most \(\epsilon \left (t_{1},t_{{\mathcal {E}}},t_{2}\right)\).
Define \({\mathcal {A}}_{i}\) as an algorithm that on input k, samples r, computes \({\mathcal {E}}_{0}(k,r) \to C\), and outputs Ci.
For i>0, define \({\mathcal {E}}_{i}\) as a \(t_{{\mathcal {E}}}\)-bounded extraction algorithm such that for any t2-bounded algorithm \({\mathcal {A}}_{2}\), for experiment \(K \to k, {\mathcal {A}}_{i}(k) \to _{r} c_{i}, {\mathcal {E}}_{i}(k,r) \to m_{i}', {\mathcal {A}}_{2}(k,r) \to (m_{i},d_{i})\), we have COM.Verify(k1,mi,ci,di)=1 and mi≠mi′ with probability at most \(\epsilon \left (t_{{\mathcal {E}}},t_{{\mathcal {E}}},t_{2}\right)\).
Now, we define a message vector extraction algorithm \({\mathcal {E}}\) as follows. On input (k,r), first compute \({\mathcal {E}}_{1}(k,r)\to _{r'}C\). Then, for i∈[|C|], compute \({\mathcal {E}}_{i}\left (k,\left (r,r'\right)\right)\to m_{i}\). Output (m1,…,m|C|).
We observe that for any t2-bounded algorithm \({\mathcal {A}}_{2}\), for experiment \({\mathcal {A}}_{1}(k)\to _{r} c, {\mathcal {A}}_{2}(k,r) \to (m,d,i)\), and \({\mathcal {E}}(k,r) \to M\), we have Verify(k,m,c,d,i)=1 and Mi≠m with probability at most \(L*\epsilon (t_{1} + t_{{\mathcal {E}}},t_{{\mathcal {E}}},t_{2})\).
It follows that the vector commitment scheme described in Construction 2 is ε′-extractable-binding with \(\epsilon '\left (t_{1},t_{{\mathcal {E}}},t_{2}\right) = L*\epsilon \left (t_{1} + t_{{\mathcal {E}}}/L,t_{{\mathcal {E}}}/L,t_{2}\right)\). □