1. 引言
QRL Foundation 和 Geometry Labs合作,发布了以python语言实现的基于lattice的抗量 algebra密码学库。
开源代码见:
也可通过Pypi安装:
pip install lattice-algebra
该库将用于QRL protocol中,用于实现一些新的特性,如:
- lattice-based proof-of-stake signature
- trustless cross-chain atomic swaps(如QRL<->BTC、QRL<->ETH等等)
- 类似闪电网络的支付通道等等。
2. lattice-algebra用途
lattice-algebra库可作为大量不同应用的基石,如signature aggregation、zero-knowledge proof等。
lattice-algebra库的目的在于:
- 减少创建lattice密码学原语的障碍
- 使应用开发者可更专注于高层构建,而不需要实现底层algebra。
lattice-algebra库中实现了不同的方案:
- Ring short integer solution
- Module short integer solution
- Ideal short integer solution
可将lattice-algebra库用于:
- 1)实现类似Schnorr的one-time signature方案
- 2)扩展为实现non-interactive aggregatable one-time signatures
- 3)基于lattice的zero-knowledge arguments of knowledge
- 4)m-of-n multisig wallets with aggregatbale signatures
- 5)NIST竞争者的CRYSTALS-Dilithium signature scheme
3. lattice-algebra的数学背景
许多基于lattice的密码学方案中,其原语都构建自ring R = Z q [ X ] / ( X d + 1 ) R=Z_q[X]/(X^d+1) R=Zq[X]/(Xd+1)的多项式,其中将对prime q q q取模的整数表示为 Z q Z_q Zq,多项式的degree为 d d d,满足 ( q − 1 ) % ( 2 ∗ d ) = 0 (q-1)\% (2*d)=0 (q−1)%(2∗d)=0。
keys通常为:
- vectors from the vector space V = R l V=R^l V=Rl
- 或 matrices with entries from V = R k ∗ l V=R^{k*l} V=Rk∗l for dimensions k 、 l k、l k、l。
如CRYSTALS-Dilithium方案中,设置 q = 2 23 − 2 13 + 1 , d = 256 q=2^{23}-2^{13}+1,d=256 q=223−213+1,d=256,并使用 4 × 4 、 6 × 5 、 8 × 7 4\times4、6\times 5、8\times 7 4×4、6×5、8×7 matrices,具体取决于安全等级。
对于特定的 d , q , l d,q,l d,q,l,认为找到任何足够小的vector(或matrix) x x x,使得 A ∗ x = 0 A*x=0 A∗x=0是很困难的,其中 A A A为suitably random challenge from V V V。基于该hardness假设,由 x ↦ A ∗ x x\mapsto A*x x↦A∗x的map被认为是one-way function。
多项式的infinity-norm是指:
- the absolute maximum coefficient,绝对值最大的系数
多项式的one-norm是指:
- 系数之和的绝对值
多项式的weight是指:
- 非零系数的个数
有one_norm<=infinity_norm * weight。这就意味着bounding the infinity norm and the weight of a polynomial also has the effect of bounding the infinity norm and the one-norm。Taking into account both the infinity norm and the weight of the polynomial (number of non-zero entries) enables tighter inequalities that lead to smaller witnesses. This means we can achieve the same security level with smaller parameters (the CRYSTALS-Dilithium scheme is an exemplary implementation of this technique).
lattice-algebra库中没有限制底层密码学方案所使用的安全假设。Since the library merely handles polynomials from R R R and vectors from V = R l V=R^l V=Rl, schemes based on other hardness assumptions (such as the Ring Learning With Errors assumption) that take place over the same ring can be securely implemented as well.
4. lattice-algebra:为密码学开发者设计
利用lattice-algebra库,开发者可以干净的代码安全地实现基于lattice的密码学协议和应用。
该库:
- 使用了Number Theoretic Transform (NTT)来进行多项式惩罚,time为 O ( 2 d log ( 2 d ) ) O(2d\log (2d)) O(2dlog(2d))。
- 使用了constan-time modular arithmetic来避免时序攻击。
- 包含了hashing to 和 sampling from these “suitably small” polynomials and vectors的工具。
以non-interactive aggregatable one-time signatures 签名方案为例:
签名秘钥 s k = ( s 0 , s 1 ) sk=(s0,s1) sk=(s0,s1)为uniformly sampled from the subset of R l R^l Rl with bounded norm。
调用lattice-algebra库的实现可为:
def sign(sk: Tuple[PolynomialVector, PolynomialVector], m: str) -> PolynomialVector:
c: Polynomial = H_0(m)
return sk[0] ** c + sk[1]
参考资料
[1] Introducing lattice-algebra: An elegant, high-performance post-quantum cryptography library