Designs, Codes and Cryptography (IF 1.4), Pub Date: 2024-08-12, DOI: 10.1007/s10623-024-01468-w
Jinrui Sha, Shengli Liu, Shuai Han
A functional commitment (FC) scheme enables committing to a vector \({\textbf{x}}\) and later producing an opening proof \(\pi\) for a function value \(y=f({\textbf{x}})\), where the function \(f\) belongs to some function set \({\mathcal {F}}\). Everyone can verify the validity of the opening proof \(\pi\) w.r.t. the function \(f\) and the function value \(y\). Up to now, the largest supported function set is bounded-depth circuits, achieved by the FC schemes in [Peikert et al. TCC 2021, De Castro et al. TCC 2023, Wee et al. Eurocrypt 2023, Wee et al. Asiacrypt 2023] with the help of homomorphic encoding and evaluation techniques from lattices. In fact, these FC schemes can hardly support circuits of large depth, due to the fast accumulation of noise in the homomorphic evaluations. For example, if the depth of the circuit is linear in the security parameter \(\lambda\), then the underlying \(\textsf {GapSVP}_{\gamma }\) problem will be accompanied by a super-exponentially large parameter \(\gamma >(\lambda \log \lambda )^{\Theta (\lambda )}\) and can be easily solved by the LLL algorithm. In this work, we propose a new FC scheme supporting arbitrary circuits of bounded sizes. We make use of homomorphic encoding and evaluation as well, but we disassemble the circuit gate by gate, process the gates, and reassemble the processed gates into a flattened circuit of logarithmic depth \(O(\log \lambda )\). This makes it possible for our FC scheme to support arbitrary polynomial-size circuits. The common reference string (CRS) of our FC scheme grows linearly in the size of the circuit, so CRSs of different sizes allow our FC scheme to support circuits of different (bounded) sizes. Just like the recent work on FC schemes [Wee et al. Eurocrypt 2023, Asiacrypt 2023], our FC scheme achieves private opening and target binding based on a falsifiable family of “basis-augmented” SIS assumptions.
Our FC scheme has succinct commitments but not succinct opening proofs, and therefore does not support fast verification. To improve the running time of verification, we resort to the non-interactive GKR protocol to outsource the main computation in verification to the proof generation algorithm. As a result, we obtain an improved FC scheme which decreases the computational complexity of verification by a factor of \(O(\lambda )\).
Title: Functional commitments for arbitrary circuits of bounded sizes