本集简介
双语字幕
仅展示文本字幕,不包含中文音频;想边听边看,请使用 Bayt 播客 App。
欢迎来到零知识领域。
Welcome to Zero Knowledge.
我是主持人安娜·罗斯。
I'm your host, Anna Rose.
在本播客中,我们将探索零知识研究的最新进展、去中心化网络,以及那些有望改变我们在线互动和交易方式的新范式。
In this podcast, we will be exploring the latest in Zero Knowledge research and the decentralized web, as well as new paradigms that promise to change the way we interact and transact online.
本周,我和尼科将与IBM研究院安全组的密码学家瓦迪姆·卢巴舍夫斯基进行对话。
This week, Nico and I chat with Vadim Lubashevsky, a cryptographer in the security group at IBM Research.
本期节目中,我们将深入探讨基于格的零知识系统。
In this episode, we dive into lattice based ZK systems.
我们讨论了瓦迪姆最初对这一领域的兴趣、他如何参与其中、格密码学的发展历程,以及基于格的零知识系统的最新技术现状。
We discuss Vadim's initial interest in the space, how he got involved, the evolution of lattices, as well as the state of the art in lattice based ZK systems.
我们了解到将格密码直接映射到现有SNARK结构中所面临的挑战。
We learn about the challenges of mapping lattices directly into existing SNARC constructions.
格密码与现有优化技术的运作差异,以及研究人员为何经常需要开发专门的格密码技术,才能构建出高效且具有实用价值的SNARK系统。
How lattices work differently from existing optimization techniques, and how instead researchers often need to develop new lattice specific techniques in order to achieve interesting and efficient SNARC systems.
现在,我们正式开始前,我想告诉大家第十三届零知识峰会将于5月12日在多伦多举行。
Now, we kick off, I just want to let you know that ZK Summit thirteen is happening on May 12 in Toronto.
活动即将临近。
The event is coming up fast.
如果你还没购买门票,我们建议你尽快行动。
And if you haven't yet bought your ticket, we do encourage you to do so.
此外,我们还有一些学生票仍有剩余。
Also, we do have some student tickets still available.
如果你想申请学生折扣,可以访问我们的网站zksummit.com办理。
So if you would like to apply for a student discount, you can do so over on our website, zksummit.com.
期待在那里见到你。
Hope to see you there.
现在塔尼亚将简要介绍本周的赞助商。
Now Tanya will share a little bit about this week's sponsor.
你可能已经知道零知识职位公告板,这是团队向我们社区分享开放职位的地方。
You might already know the ZK Jobs Board, a place where teams can share open roles with our community.
但在关键岗位招聘时,要在我们这个细分领域找到合适人选可能很困难。
But when it comes to key hires, finding the right fit in our niche space can be difficult.
这就是Missing Link的用武之地。
That's where Missing Link comes in.
他们是专为Web3时代打造的人才团队,帮助整个生态系统的项目在正确的时间连接合适的候选人。
They're a talent team built for the web three era, helping projects across the ecosystem connect with the right candidates at the right time.
他们合作过的都是知名机构:以太坊基金会、Matter Labs、Lido、MENA、Web3基金会等等,为这些团队填补推动发展的关键岗位。
They've worked with names you'll recognize, Ethereum Foundation, Matter Labs, Lido, MENA, Web three Foundation, and many more, filling critical roles that drive these teams forward.
无论你是成熟项目需要填补高级领导职位,还是初创企业寻找专业人才来优化产品市场匹配度,MissingLink都能提供帮助。
Whether you're an established project looking to fill a senior leadership role or a start up searching for specialized talent to refine your product market fit, MissingLink can help.
他们已为业内一些顶级团队完成招聘,现在也能帮助你快速找到合适人才。
They've done it for some of the biggest teams in the space, helping them, and now you, find the right people fast.
更多详情请查看节目说明并访问他们的网站missing-link.io。
For more details, check out the show notes and visit their website at missing-link.io.
再次感谢Missing Link。
So thanks again, Missing Link.
现在请收听我们的节目。
And now here's our episode.
今天,Nico和我有幸邀请到IBM Research Europe安全组的密码学家Vadim Lubashevsky。
Today, Nico and I are here with Vadim Lubashevsky, a cryptographer in the security group at IBM Research Europe.
欢迎来到节目,Vadim。
Welcome to the show, Vadim.
谢谢Anna和Nico。
Thanks, Anna and Nico.
很高兴来到这里。
Nice to be here.
你好,Nico。
Hello, Nico.
最近怎么样?
How are you doing?
你好。
Hello.
你好。
Hello.
一切都好。
All good.
谢谢。
Thanks.
所以,Nico,我们想做这期关于格密码的节目已经有一段时间了。
So, Nico, we've wanted to do this episode on lattices for a while now.
我记得是在去年年底的收官节目里。
Like, I think it was the end of last year in our closing year end episode.
我们当时好像预言过会做这个主题。
We kind of, like, predicted we're gonna do it.
是啊。
Yeah.
结果花了我们四个月时间。
It's taken us four months.
我们终于把它安排上了日程。
We finally set it on course.
这个话题在我11月和Dan Bonnet做的一期节目中出现过。
This topic came up in an episode I did in November with Dan Bonnet.
他提到他简要介绍了一些最近关于基于格的SNARC系统的工作。
He mentioned he sort of covered briefly some of the recent work on lattice based SNARC systems.
是的,这确实激起了我们的兴趣。
And, yeah, it's it's sort of piqued our interest.
瓦迪姆,能邀请到你真是太让我兴奋了。
So I'm very excited to have you on, Vadim.
能有机会和你深入探讨这个话题,我无比期待。
I'm so excited we're gonna get a chance to dig into this with you.
我很高兴来到这里回答你们的所有问题。
I'm very happy to be here and answer all your questions.
太棒了。
Cool.
我认为作为一个起点,了解你是如何对密码学产生兴趣的会非常棒,就是回溯到最初,特别是格密码学吸引你的原因。
I think actually as a starting point, it would be really great to understand what got you interested in cryptography, kind of back to the beginning, and specifically what got you excited about Lattices.
是啊。
Yeah.
所以如果你期待听到什么深刻的回答,比如我热爱隐私或痴迷密码学
So if you're expecting some deep answer about me loving privacy or loving cryptography
你一直想成为一名密码学家。
You've always wanted to be a cryptographer.
对。
Yeah.
不。
No.
不是。
No.
可惜完全不是那么回事。
Nothing like unfortunately, like that.
我作为研究生来到加州大学圣地亚哥分校时,那里有位Daniele Michantio教授,他是格密码学领域的专家之一。
I arrived as a grad student at UC San Diego and there was a professor there, Daniele Michantio, who was one of the experts on lattice cryptography.
嗯。
Mhmm.
这就是我们最终从事的方向。
And that's just what we ended up doing.
后来发现,嘿,其实我非常喜欢这个领域,尤其喜欢其中更偏实践的部分,当时在实践和理论方面都有许多尚未解决的开放性问题。
It turns out later that hey, actually I do enjoy it very much, I do enjoy the the parts of it that are that are more practice oriented, and there was a lot of open problems in terms of practice and theoretical stuff that that were not answered yet.
这是个非常年轻的领域。
It was a very young field.
是的,我就是这样一路走来的。
And yeah, I just took it from there.
非常酷。
Very cool.
格(lattice)作为一种数学概念,我猜这个领域的应用范围应该比密码学更广泛吧?
Lattice, sort of lattices as a concept, that's a, I'm I'm assuming this is a field that's broader than just cryptography.
密码学是它的一个应用领域。
Cryptography is like an application for it.
但你能分享一下这个领域的历史吗?
But can you share a little bit about the history of that field?
比如,在它与密码学结合之前的情况?
Like, maybe even before it joins forces with cryptography?
好的。
Yeah.
当然。
Sure.
从数学角度来说,我想是在二十世纪初,闵可夫斯基开创了这个被称为'数的几何'的领域。
So mathematically, it was, I guess, in the nineteen hundreds, it was Minkowski who created this field called the geometry of numbers.
他意识到,如果你观察某些数域——这些本质上非常代数化的对象——
So he realized that actually if you look at some number fields, you can actually look at them, which which are very algebraic in nature.
你实际上可以从几何角度来研究它们,通过观察它们的几何性质来获得相关结论。
You can actually look at them geometrically and you can get results on them by looking at their geometry.
这引起了数学家们的兴趣。
So that was that drew the interest of mathematicians.
然后到了二十世纪八十年代,格点成为了密码分析工具。
And then, let's say in the nineteen eighties, lattices became a cryptanalytic tool.
著名的LLL算法(由Loewas、Lenstra和Lenstra提出)被用来攻击某些提出的密码系统。
So the famous LLL algorithm by Loewas, Lenstra, and Lenstra was used to attack certain proposed crypto systems.
直到今天,这个算法及其衍生算法仍被用于攻击RSA等密码系统。
And even to this day, that algorithm and its descendants are used to attack things like RSA.
所以在八十年代它是一种密码分析工具。
So it was a cryptanalytic tool in the in the eighties.
基本上是因为你能在格点中找到短向量——虽然不是很短,但短到足以引起密码分析的兴趣。
Basically, because you could find short vectors in lattices, you know, not very short, but short enough to be interesting cryptanalytically.
但到了九十年代,它开始被用于密码学。实际上是Miklos Eitai提出:'嘿,最短向量问题其实是NP难问题'——因为人们之前甚至不知道这一点。
But then in the nineties, it was began to use for cryptography because and actually it was so Miklos Eitai, he said, hey, actually, the shortest vector problem is NP hard because people didn't even know that.
我的意思是,这对密码学来说还不够,但就连这一点之前也无人知晓。
I mean, that's not enough for cryptography, but even that was not known before.
实际上存在这种有趣的随机分布,其难度与某些格问题相当,这引起了许多人对密码学的兴趣。
And actually there is this interesting random distribution which is as hard as some lattice problems, and this got a lot of people interested in cryptography.
我显然应该提到Mikhail Shaitay也在IBM研究院工作,哦,哇。
And I I should obviously say Mikhail Shaitay was at IBM Research as well Oh, wow.
在Almaden。
In Almaden.
是的。
Yeah.
这很有趣。
This is interesting.
所以格最初被用来攻击系统,然后他们意识到某些特性可以在系统内部使用,我猜。
So like lattices were first used to attack systems, and then they realized some of the characteristics could be used within systems, I guess.
对。
Right.
所以它被用来攻击,但那些问题仍然足够难,你无法完全解决它们。
So it was used to attack and but then the problems were still hard enough that you couldn't solve them completely.
因此你可以基于那些可解决的更复杂版本的问题来构建密码学体系。
So then you can base cryptography on the kind of harder versions of the problems that you could solve.
所以,是的,这种双重性确实挺有意思的。
So, yeah, it is kind of interesting that it's both.
我们在零知识领域也看到了类似的配对现象。
We saw the same with pairings that were quite familiar in our, like, ZK landscape.
起初它是攻击基于离散对数系统的方法,后来我们开始用它构建新东西。
Like, at first, it's a way to attack discrete log based systems, and then we start using them to build, like, new stuff.
没错。
Right.
这并不罕见。
And this is not so uncommon.
比如在IBM同事研究的同源曲线领域,他们使用的签名方案中,算法的重要部分原本是针对其加密方案的攻击手段。
For example, in isogenies now, something my colleagues work at IBM on, the signature scheme they're using, they like a big part of the algorithm was an attack against their encryption scheme.
确实如此。
So this is yeah.
这种情况经常发生。
This this happens a lot.
对吧?
Right?
我也不知道为什么,但就是这样。
And I don't know why, but it just yeah.
所以,我是说,你刚才稍微谈到了你的学术工作。
So after I mean, you sort of talked a little bit about your academic work.
是什么促使你加入IBM工作的?
What led you to work at IBM?
当然,搬到苏黎世有一些个人原因,但我也非常喜欢那里既有学术氛围,又比纯学术更紧迫的工作环境。
So of course, there were some personal reasons for moving to Zurich, but also I I really enjoyed that there is this academic yet a bit more urgent than academic Mhmm.
就像IBM这样的工业研究实验室的视角。
Outlook in in the industrial research lab like IBM.
所以你可以从事研究工作,但同时也要确保你的研究具有中期实际应用价值?
So you're allowed to work on research, but you're also encouraged to make sure your research has some middle term Practical applications?
是的。
Yeah.
没错。
Yeah.
大概五年左右吧。
So something like five years.
这正是我最享受的部分。
And this is this is what I really enjoy the most.
这种五到十年的窗口期,让你既能思考研究有趣的问题,又能看到成果被实际应用。
Like, it allows you, like, this five to ten year, you know, window allows you to kind of think of in work on interesting problems, but also something that you can actually you you actually can see people use.
我想这与IBM近年来的标准化工作方向很契合。
I guess that ties in nicely with IBM's efforts in recent standardizations from this.
对吧?
Right?
对。
Right.
没错。
Right.
所以我们在2016年左右NIST标准化进程开始时,与其他合作者一起提出了一些算法。
So we we did, along with other collaborators, propose some algorithms at the start of the NIST standardization process in around 2016.
NIST希望创建新一代密码学套件,以取代基于离散对数、因数分解和椭圆曲线的方法。
So NIST wanted to create the next cryptographic suite to replace the discrete log and factoring and elliptic curve based methods.
然后经历了所有这些,具体我也说不清。
And So it went through all this, I don't know.
NIST不愿称之为竞赛,但不管怎样,这就是整个流程。
NIST didn't wanna call it a competition, but whatever it was, this process.
是的。
And yeah.
我们提交的两项方案被选为主要标准,它们都是基于格密码学的。
So the two things that we submitted were chosen as the primary standards, and they are based on lattices.
从那时起,这类格密码学方案可以说真正进入了主流视野。
So the kind of lattices from that point on, I think it became much more mainstream.
人们说,嘿,至少对于加密签名来说,这是我们能做到的最高效的方案。
People said, hey, this is the most efficient thing we can do, at least for encryption for signatures.
你知道,这里面有很多权衡取舍。
You know, there's lots of trade offs.
而且这方面的研究似乎已经相当深入了。
And it seems to be pretty well studied.
嗯。
Mhmm.
所以这可能会是未来的方向,当然我们还需要继续观察。
So this could be the future where we have we have to see of course.
我觉得我们一直在用'基于格''基于格'这样的术语,但对于不熟悉格概念的听众来说,或许该解释下格到底是什么?
I think we're just we're sort of just using the term like lattice based lattice based, but maybe it would help the listener who isn't familiar with lattices in general to describe kind of like what are they?
它们是什么样子的?
What do they look like?
它们看起来像什么?
What do they seem like?
它们是如何构建的?
How are they how are they constructed?
或许我们可以先从一个更基础的版本开始理解,这样我们有个切入点,之后能更好地理解它的应用。
And maybe I mean, we can think of a more basic version of of one, maybe just so that we can start somewhere, and then we'll understand more how it's being applied.
好的。
Okay.
每当有人问我这个问题——什么是格问题?
So whenever people ask me this question, like what is a lattice problem?
实际上我不会直接给他们讲格问题。
I actually don't give them a lattice problem.
甚至不会解释格是什么。
Don't even explain what a lattice is.
我只给你一个更容易理解的问题,暂时忽略你无法通过这个问题了解格是什么这个事实。
I just give you problem that is much easier to understand, and kind of ignore the fact that you won't know what a lattice is from this problem.
这就是所谓的背包问题。
So this is called the knapsack problem.
这个问题可以追溯到上世纪六七十年代,实际上这是优化领域人们想要解决的实际问题。
So this is something that dates from the seventies, the sixties, and this is actually a problem that optimization people wanna solve in practice.
比如说,我给你一千个随机数字。
So let's say I give you, I don't know, a thousand numbers, a random number.
我生成一千个随机数,每个数有一千位数。
So I generate a thousand random numbers, and each has a thousand digits.
然后我随机选取其中的500个数字,把它们相加。
And then I pick 500 of them at random, and I sum them up.
对吧?
Right?
我把这个总和告诉你。
And I give you the sum.
然后我问你:我加的是哪500个数字?
And then I ask you, which 500 numbers did I sum up?
或者如果存在多组500个数字的组合,随便找出一组符合条件的500个数字组合就行,我不在乎具体是哪组。
Or maybe if there's, you know, more than one set of 500 numbers, find any set of 500 numbers, I don't care.
这就是背包问题。
This is the knapsack problem.
明白吗?
Okay?
这实际上也是一个格问题,因为该问题的解是格中的最短向量,我会定义这个格。
And this is actually also a lattice problem because a solution to this problem is a shortest vector in a lattice, and I'll define the lattice.
这就是我所说的数之几何的含义。
And this is what I mean by this geometry of numbers thing.
所以我给你的这个背包问题,看起来完全是个组合问题。
So what I gave you, this knapsack problem, seems like a completely combinatorial problem.
嗯。
Mhmm.
但它实际上是个几何问题,可以用LLL算法来解决。
Yet it's actually a geometric problem that that is solved using this LLL algorithm, for example.
格是由基向量生成的无限网格。
So a lattice is an infinite grid, you know, generated by a basis.
我给你几个向量,比如向量三一和四二。
So I give you a few vectors, let's say the vector three one and you know four two.
嗯。
Mhmm.
我说,好吧,这两个向量的所有组合,它们生成了我的格。
And I say okay, all combinations of these two vectors, they they generate my lattice.
嗯。
Mhmm.
对吧?
Right?
现在从这两个向量出发,你会说,好吧。
And now from these two vectors, well, you say, okay, fine.
那是一个无限网格。
So that's an infinite grid.
现在我可以问你,这两个向量的什么线性组合能给出最小的可能向量?
Now I can ask you, okay, so what linear combination of these two vectors will give you the smallest possible vector?
也许,我不知道,或许你可以用某种方式将它们组合起来,得到一个比三一或四二短得多的向量,比如一一。
So maybe, I don't know, is maybe you can somehow combine them together to get something much shorter than three one or four two, maybe like one one.
我不知道你是否能做到,但无所谓。
I don't know if you can, but whatever.
对吧?
Right?
所以在二维情况下,这是个简单问题,但如果是在一千维空间里,假设有一千个基向量,这就变成了一个难题。
And so in two dimensions, okay, it's an easy problem, but now if it's in a thousand dimensions with a thousand, let's say, vectors in this basis, now it becomes a hard problem.
对吧?
Right?
实际上,如果你能解决这个问题,你就能解决这个背包问题。
And actually, if you can solve that problem, then you can solve this knapsack problem.
因为背包问题本质上是一个线性组合,其总和恰好等于那个特定数字,而且这个组合本身非常短。
Because the knapsack problem is a linear combination that is actually that sums up to that number, that is actually quite short.
因为你知道,这是个零一选择问题——我选了500个数字,要么选它,要么不选。
Because, you know, it's a zero one, because I chose 500 numbers, right, so I either picked it or didn't.
所以这些就是零或一。
So these are the zero or one.
实际上,你可以将这个问题重新表述为一个格问题。
And that actually, you can reformulate that problem as a as a as a lattice problem.
当你把它当作一个难题时,比如,你试图在那个格中找到什么东西?
When you're using it as a hard problem though, like, you trying to find something in that lattice?
对。
Yeah.
一个短向量。
A short vector.
不一定是最短的,但得是较短的。
Doesn't have to be the shortest, but something short.
对吧?
Right?
所以当我给你一堆基向量时,就像我之前给的例子,四二和三一可能不是个好例子。
So when I give you a bunch of basis vectors, right, like when I gave you, maybe four two and three one wasn't a bet good example.
比如137和1249这样的数字。
Maybe like a hundred thirty seven and twelve forty nine.
对吧?
Right?
给我找一个短向量,明白吗,
Find me a short vector, right,
在这个格中。
in this lattice.
这个问题被称为什么?
And how is this problem known?
这个问题的名称是什么?
Like, what's the name of this problem?
这就是最短向量问题。
So this is the shortest sector problem.
这个名字非常缺乏创意,但事实就是如此。
It is a very uncreative name, but that's that's that's what it is.
对吧?
Right?
我们拥有它,它名副其实。
We have It says what it does.
正是。
Exactly.
不。
No.
对。
Yeah.
那么这个问题是大多数基于格的密码学的基础吗?
And so is this problem the basis of most lattice based cryptography?
是的。
Yeah.
所以最短向量或者近似向量问题,有时候我可能会说,别给我找最短向量,你可以把它想象成找一个接近原点的短向量。
So shortest vector or perhaps a close vector problem, sometimes I may say, okay, don't find me because the shortest vector you can think of it as finding a short, like a vector close to the origin.
我也可以说,嘿,你能在空间中找到一个接近某个随机点的向量吗?
I can also say, hey, can you find me a vector close to, you know, some random point in the space.
这就是近似向量问题。
So that's the close vector problem.
所以基本上有这两类问题。
So there's basically two of those.
当然存在一些细微差别,比如当承诺非常接近格点时,近似向量问题会变得容易些;而根据距离不同,其计算复杂度也会有所变化,问题难度会相应改变。
There's of course some nuance, know, like the close vector problem becomes easier if if I'm promised to be actually very close to the lattice and it becomes kind of hard, kind of its complexity, you know, computational complexity changes a bit depending on that.
但针对所有这些近似向量、短向量问题——包括有承诺条件下的近似向量问题——目前的最佳算法都是相同的。
But the best algorithm for all of these close vector, short vector, you know, this close vector when you're with a promise, it's all the same.
都是上世纪八十年代LLL算法的延伸发展,虽然经过多次优化改进。
It's all this this extension of this LLL algorithm from the eighties, which has been refined, has been you know, improved upon.
不过确实如此。
But yeah.
所以这就是为什么我说在格密码学中,我们本质上只面对一个问题,或者说至少有一个算法可以攻克这些看似不同却紧密关联的问题。
So that's that's why I say that really in Lattices we have kind of one one problem, or at least we have one algorithm that attacks all these problems that are a little different, but really quite related to each other.
我们还经常听到关于带错误学习问题(LWE)的讨论。
We often also hear about the learning with errors problem, LWE.
这和最短向量问题有关吗?
Is that related to shortest vector?
是的。
Yeah.
它本质上就是近似向量问题,因为带错误学习的标准定义是:你有一个随机矩阵,将其乘以某个向量得到该向量的线性组合,然后再加上一个偏移量。
It's it's really the basically a the close vector problem because so learning with errors, the way it's usually defined is you have a matrix, a random matrix, you multiply this matrix by some vector, so you get a linear combination of this vector, and then you add an offset.
对吧?
Right?
所以基本上,如果我给你一个矩阵与向量相乘的结果,然后问你能否找出我当初乘的那个向量?
So basically if I give you a product of a matrix of a vector and a vector and I ask you, hey, can you find me this vector that I multiplied by?
实际上这在大多数情况下很简单,你知道的,如果这个矩阵是方阵的话,这就是高斯消元法。
That's actually very easy, you know, in most cases because that's Gaussian elimination if this matrix is square, let's say.
没错。
Yep.
对吧?
Right?
所以这不是个难题。
So that's not a hard problem.
但如果你实际用向量相乘后说,好吧,我不会给你精确的乘积结果,而是会稍微偏离一点。
But if you then actually multiply it by a vector, and then say, okay, I'm not gonna give you the exact product, I'm gonna move move myself off from it a little bit.
这就变成了一个难题。
That becomes a hard problem.
而这实际上也是近似向量问题。
And that's actually the close vector problem as well.
对吧?
Right?
因为你并不完全在格点上,而是稍微偏离了一些。
Because you're not quite on the lattice, but you're a little bit off.
很好。
Great.
所以如果我能够消除这个误差,问题就变得简单了。
So if I manage to get this error off, it becomes easy.
是的。
Yeah.
如果你完全正确。
If you Exactly.
完全正确。
Exactly.
所以实际上,寻找格上的最近向量就是这种带误差的学习问题。
So it really is finding the close vector to the lattice is this learning with error problem.
为什么这种结构被认为是后量子或对量子计算机来说难以破解的?
Why is this kind of construction considered post quantum or hard for quantum computers?
比如,我不太明白。
Like like, I don't know.
在你分享的描述中,并没有明确说明为什么它比椭圆曲线密码学或其他方案更难。
In in the description you shared, it doesn't make it clear why it would be harder than elliptic curve cryptography or something else.
是的。
Yeah.
当然,这是个价值百万美元的问题。
Of course, that's the million dollar question.
很多人一直在思考这个问题。
And a lot of people have been thinking about it.
实际上,我认为很多现代格密码学都源自量子领域。
Actually, I I would say that a lot of modern lattice cryptography came from the quantum world.
这个容错学习问题最初由Oded Regev定义,他当时其实是想为这个问题找到一个量子算法。
So this learning with errors problem, it was first defined by Oded Regev who actually wanted to find an algorithm, a quantum algorithm for this problem.
好的。
Okay.
但他没能成功,反而证明了如果能解决这个问题,就存在一种能在所有格中找到某种向量的量子算法。
But he could not, and he actually could show that if you could solve it, then there is a quantum algorithm that can find sort of vectors in all lattices.
对吧?
Right?
然后他说,好吧,这跟Itay解决的那类格问题版本非常相似,于是我们从中得到了密码学应用。
And then he said, okay, this is very similar to what Itay did with his kind of version of a lattice problem, and so that we have we got cryptography out of it.
确实,量子算法领域的许多人一直在尝试解决这个问题。
But yeah, a lot of people in the quantum algorithms world have been trying to solve this problem.
而我们认为它困难的原因正是如此。
And the best answers to why we think it's hard is exactly that.
对吧?
Right?
就是说量子领域有很多人一直在尝试解决这个问题。
It's that a lot of people in the quantum world have been trying to solve this problem.
实际上情况已经发展到他们以这个问题的困难性为前提,构建某些量子结果和量子定理。
They actually it's gotten to the point where they actually base some quantum result quantum theorems based on the assumption that this is hard.
比如他们会说,看,我们可以证明某些东西在进行量子操作——前提是这个问题是困难的。
So for example, yeah, they they say, hey, you know, we we can prove that something is is doing quantum things under the assumption that this this problem is hard.
你知道吗,我们最近刚做了一期关于量子工程的节目。
You know, we we recently did an episode on quantum engineering.
但我仍然不太理解密码学与量子工程的关系,人们是如何推理的,因为这感觉像是在想象一个可能还不存在的量子系统无法攻破的体系。
But I think I still I don't quite understand how cryptography and quantum engineering, like how people reason about it because it feels like you're trying to imagine a system that wouldn't be broken by a quantum system that might not exist yet.
你明白我的意思吗?
You know what I mean?
或者就像你刚才说的,你假设量子系统会按照你认为的方式运作,而这可能基于某种会被破解的理论。
Or or like in what you just said is like you're assuming a quantum system is working in the way you think it's working based on, like a thing that could be broken somehow.
关于量子计算机的关键在于,虽然它们还不存在,但我们知道一旦它们问世后能做什么。
So the thing about quantum computers is while they don't exist yet, we know once they exist what they will do.
比如——嗯。
Like what Mhmm.
如何为它们编写代码,它们能运行什么样的代码。
How to write code for them, what code they will be able to run.
对吧?
Right?
所以我们没有超级计算机,并不意味着我们不了解
So just because we don't have a supercomputer doesn't mean we don't know
它会做什么。
what it's gonna do.
对吧?
Right?
就像比当今超级计算机更强大的超级计算机,不管那意味着什么。
Like a supercomputer that's more powerful than today's supercomputers, whatever that means.
所以一旦量子计算机建成,它不会给我们带来任何意外。
So once a quantum computer is built, it's not gonna give us any surprises.
如果性能足够好,它将能够运行我们期望它运行的算法代码。
Like we will be able to, if it's good enough, it will be able to run the code that the algorithms we expect it to run.
至于为什么...你知道我们为何有信心不会有更好的算法被发明出来?
Now in terms of why, you know, do we have confidence that better algorithms won't be invented?
当然,我们对这方面的信心不如对经典算法,但这只是因为这是个较新的领域,研究量子计算机算法的人更少。
Of course, we have less confidence in that than in classical algorithms, but just because it's a newer field and less less people writing algorithms for quantum computers.
但这大概就是全部了,我觉得...我觉得有趣的是在九十年代或2000年,我听说他们在理论会议上做过调查,问人们是否认为因数分解属于多项式时间问题?
But that's that's kind of all you can say, like, I I think I I think an interesting point is that in the nineties or 2000, so I heard that they did did a survey at theoretical conferences asking people do you think factoring is in is in polynomial time?
50%的人回答是。
And 50% of the people said yes.
这是在数域筛法刚问世的时候,所以分解因数变得越来越容易,人们以为这种趋势可能会一直持续下去。
And this was back when the number field sieve was coming out, so you know, factoring kept getting easier and easier and people thought, maybe it'll never stop.
对吧?
Right?
我的意思是,数域筛法并不是解决这个问题的正确算法。
I mean, the number field sieve is not the right algorithm for it.
未来会发明出更好的算法。
Something better will be invented.
所以总是存在疑虑,这很不幸,但密码学就是这样运作的。
So there there is always doubt, and that's unfortunately how cryptography has to has to work.
公钥密码学不可能建立在信息论硬度假设的基础上。
Public key cryptography cannot exist based on information theoretic hardness assumptions.
对吧?
Right?
因此,在我们证明单向函数存在之前,我们无法对任何密码学假设拥有100%的确定性。
So until we have proof that one way functions exist, we cannot have a 100% certainty of any cryptographic assumption.
对吧?
Right?
我想接着谈谈格密码如何开始与零知识证明结合。
I wanna move on to how lattices start to combine with z k.
这些年来,人们开始用不同的组件和模块来描述SNARKs,比如交互式预言机证明(IOPs)、多项式承诺方案。
Like over the years, people have started to just kind of describe SNARKs in these different components and modules like IOPs, polynomial commitment schemes.
大概就是...嗯...
There's sort of like a yeah.
一种描述方式。
Kind of a description.
我们该怎么称呼这个呢,Nico?
What what do we call this, Nico?
是说构建它们的配方吗?
Recipe of how to build them though?
蓝图?
A blueprint?
是的。
Yeah.
这种说法很巧妙。
That's a nice way of putting it.
但说到格密码,我很好奇它究竟替代了SNARK中的哪个部分?
But when it comes to lattices, I'm sort of curious like which part of the snark are lattices actually replacing?
比如,当你们开始用格密码构建SNARK时,它目前被应用在哪个环节?
Like, are lattices currently being used when you start to build SNARCs using lattices?
它们是用来替代我们通常使用的多项式承诺方案吗?
Are they being used instead of like the polynomial commitment scheme that we usually use?
还是说它们被用作更基础的底层结构——比如所有东西构建其上的那个根本性问题?
Are they being used as like something more fundamental underneath like the underlying, I don't know, like, problem that everything is built on top of?
或许我们可以反向提问:为什么构建基于格密码的零知识证明如此困难?
Maybe we can formulate the question in the negative of why is it hard to make lattice based zero knowledge proofs?
比如,为什么我们不能直接把椭圆曲线领域的所有知识直接移植到格密码领域呢?
Like, why can we not just port everything we know from elliptic curve land to lattice land?
好的。
Okay.
这是个很好的问题。
So that's that's a good question.
首先,我要说明的是,我会从零知识证明最初的定义开始回答这个问题。
So first, let me just say that I will start answering this question by using zero knowledge proof in the original meaning of zero knowledge proof.
即不透露任何见证信息的证明。
So a proof that does not reveal any information about the witness.
明白吗?
Okay?
哪怕是最基础的零知识证明。
So even the very very basic zero knowledge proof.
那么现存最基础的零知识证明是什么?
So what's the most basic zero knowledge proof that exists?
我会说是Schnorr签名。
I would say a Schnorr signature.
对吧?
Right?
在Schnorr签名中,你只是证明了对某个指数的认知。
So a Schnorr signature, you're just proving knowledge of an exponent.
那么为什么格密码不行呢?如果我们想要一个基于格的签名,为什么不能直接移植过来?
And so why can't lattice so if we want a lattice based signature, why can't we just port that?
事实证明这相当复杂。
It turns out that this is quite messy.
原因在于,格问题可以表述为一个背包问题,就像我之前做的那样。
So the reason is, so a lattice problem, you can formulate it as as I did a knapsack problem.
这里还有另一种简单的表述方式:假设给我一个随机矩阵。
Here's another simple way to formulate it, is I'm given a random matrix.
比如说这是一个500行1000列的矩阵,随便什么尺寸。
Let's say it's a matrix with 500 rows and a thousand columns, whatever.
然后我将这个矩阵乘以一个零一向量。
And then I multiply this matrix by us, let's say, a zero one vector.
对吧?
Right?
然后我把结果给你。
And I give you the the result.
对吧?
Right?
所以现在的难题就是找出这个零一向量。
So now the the hard problem is to find the zero one vector.
你可以这样理解,这几乎就像背包问题,只不过我不是在加整数,而是在加向量。
So now you can think of it, it's it's almost like the knapsack problem except instead of adding integers, I'm adding vectors.
对吧?
Right?
我选择的是向量的子集,而不是整数的子集。
I chose a subset of vectors instead of subset of integer.
明白吗?
Okay?
所以这个单向函数的作用,就类似于经典密码学中的离散对数函数。
So this is the one way function that plays the same role as, let's say, the discrete log function in classical cryptography.
那为什么不能直接证明你已知一个零一向量呢?
So now why not just be able to prove that you know a zero one vector.
对吧?
Right?
问题的症结恰恰就在于这个'短小性'的限制。
So the problem comes in exactly because of this restriction of smallness.
我必须证明的不仅是知道一个向量s使得as等于t,还必须证明s是短小的。
That I have to prove, not just prove to you that I know a vector s, so that a s equals t, I actually have to prove that s is short.
这与离散对数的情况截然不同——离散对数只需证明某种代数关系,而这里既要证明代数关系,还要证明这个几何特性(即向量短小)。
And this is very different than in discrete log, where you just have to prove some sort of algebraic relation, whereas here you have to prove an algebraic relation, and the fact this this geometric thing that something is small.
当然要证明某物短小,这本质上就变成了一个高阶方程问题。
And of course to prove that something is small, it becomes kind of a higher degree equation.
你可以这样想:要证明某物是零一的,可以证明x乘以(1减x)等于零。
You can think of it if prove something is zero one, can prove that x times, you know, one minus x is zero.
对吧?
Right?
所以现在变得更困难了。
So now it becomes more difficult.
也许这又回到了为什么量子计算机不能破解这个,这与离散对数配对有何不同?
And maybe this also comes back to why can't why how is this different than all these discrete log pairing things that why can't quantum computers break this?
量子计算机确实能处理这些代数问题,但这里的几何部分似乎让它们绊住了脚。
Well, quantum computers, they can do, let's say these algebraic things, but there's this geometric part in here that seems to stumble them.
但这也同样困扰着协议设计者。
But it also stumbles, you know, is a stumbling For protocol designers.
是啊。
Yeah.
对协议设计者来说。
For protocol designers.
展开剩余字幕(还有 480 条)
对吧?
Right?
所以即使是基于格的签名,这也是最近被NIST标准化为MLDSA的东西,之前它被称为delithium。
So even a lattice based signature, this is the thing that got standardized by by NIST recent MLDSA, so before it was called delithium.
它比简单的Schnorr协议要混乱得多。
It is so much more messy than just the snore protocol.
你做了类似Schnorr的事情,然后说,啊,但现在向量太大了,所以我们不发送全部,然后就是等等等等。
So you do kind of the snore thing, then you say, ah, but now the vectors are too big, so let's not send all of them, and then you know yada yada yada.
这里有一大堆乱七八糟的东西。
There's a there's a big mess.
即便如此,即使是签名,它们也没有完全证明我们所知道的。
And even then, even the signatures, right, they don't quite prove what we know.
在Schnorr中,你知道一个x,g的x次方等于y,你证明我知道x,所以g的x次方等于y。
So in Schnorr, you know an x, the g to the x equals y, you prove that I know x, so that g to the x equals y.
而在格空间签名中,我知道一个x使得a乘以x等于y。
That's Here in the in the Lattice Space signatures, I know an x so that a x equals y.
我并没有证明x是例如0-1系数的向量。
I don't prove an x is a zero one coefficients for example.
我没有向你证明x具有0-1系数。
I don't prove to you that x has zero one coefficients.
我向你证明的是存在某个小x,其系数可能高达一千。
I prove to you that there is a some small x maybe with coefficients that are up to a thousand.
这是一个宽松得多的条件。
So much more relaxed thing.
甚至我都没有向你证明a乘x等于y。
And not even I don't even prove to you that a x equals y.
我向你证明的是a乘x是y的某个倍数。
I prove to you that a x is some multiple of y.
所以我们证明的是一个弱得多的命题。
So we're proving something much much weaker.
而当你想要做零知识证明时,当你实际需要证明0-1性质时。
And now when you wanna do zero knowledge, when you act, you know, zero knowledge proofs, when you actually do care about proving the zero one.
对吧?
Right?
比如说我想为零知识证明提供证据,比如我钱包里有多少钱,或者那22美元的总和,我需要一个确切的数字。
Like let's say I'm trying to give a zero knowledge proof of, I don't know, how much I have in my wallet or something that that sum of $22 amount is I need I need an exact thing.
我不能说,嗯,大概是这么多。
I can't say, well, it's approximately this.
然后事情就变得非常非常复杂了。
And then it becomes much much more complicated.
即便是这个最基础的东西——仅仅证明这个单向函数,直到大约七年前,这个证明本身(我们还没用到任何SNARK技术),根本不算什么。
And this is something that even this basic basic thing, just proving this one way function, up until let's say seven years ago, this, just the proof itself, you know, we're not doing any snark, this is nothing.
我们只是要求一个线性大小的证明,它就已经长达数兆字节了。
We're just asking for a linear size proof, it was already, you know, megabytes long.
哦。
Oh.
直到最近我们才意识到,其实还有很多其他技术手段可以采用。
And then only only recently we said, okay, there's lots of other techniques that we can do.
我们可以应用并发明一些方法,将这些兆字节的数据缩减到现在仅需几千字节的量级。
We can apply, we can kind of invent that will allow us to you know, reduce these megabytes to something on the order of kilobytes now.
所以回到你关于格密码能做什么、替代什么的问题,我真正喜欢的是我们必须采用特定技术而非通用方案。
And so the thing that I I really like, kind of goes back to your question of what what do lattices do, what do they replace, is that we have to instead of applying generic techniques.
当然我们可以说,哦,格密码就是个哈希函数。
So we could of course say, oh, lattices is just a hash function.
对。
Yeah.
它就是个取代了
It's just commitment scheme replaces the
默克尔树之类的方案。
Merkle Yeah, fry or something.
没错。
Yeah.
正是如此。
Exactly.
取代了Merkle树等等之类的结构。
Replaces the Merkle tree and blah blah blah.
好的。
Okay.
显然你可以这么做,而且这确实是我们最初尝试的第一步,就想看看能否实现。
You can obviously do that, and you know, this is something that we did do as a first step saying, hey, can we do it?
但这种通用方法永远无法得到最优解。
But this generic thing never results in something optimal.
嗯。
Mhmm.
所以我喜欢这样思考:你必须真正运用一些格理论特有的技术,才能充分发挥格密码的潜力。
So like what I what I like, I like to think that, hey, you have to actually use some, I don't know, lattice y techniques to to kinda get the most out of lattices.
这正是近年来格构造和零知识证明取得诸多突破的原因。
And this is what led to a lot of recent improvements in lattice constructions and zero knowledge proof.
这么说吧,直到三四年前,我们还几乎无法高效生成线性规模的证明。
So let's say up until three or four years ago, we could barely do linear sized proofs with any sort of efficiency.
现在我们能实现SNARKs了。
And now we can do SNARKs.
有意思。
Interesting.
好的。
Okay.
所以从你的话中我理解到,我们看待SNARKs的方式有点像即插即用。
So what I'm hearing from you is like the way we think of SNARKs, where there's this sort of like plug in plug out.
就像你可以选择一种加密技术。
Like there's you sort of choose a type of cryptography.
比如你可以用Fry或者KZG。
I mean, you could use Fry or you can use KZG.
基本上,你可以用Fry这类东西来替代KZG。
Know, like, basically, you can take things like Fry and that could replace KZG.
是的。
Yes.
你必须调整它,但某种程度上可以适配进去。
You have to alter it, but like you can kind of fit it in.
在Lattice的情况下,听起来你实际上需要在一个更抽象的层面上重新思考你希望通过整个系统实现什么。
In the case of Lattice, it sounds like you actually have to rethink maybe at a more meta level what you're trying to accomplish with the overall system.
这大概是我从你那里得到的理解,就是你无法简单地即插即用。
This is like sort of what I'm getting from you, that you can't necessarily just like plug and play.
所以你可以做到,因为你知道,同样的密码学原语可以从格中获取,当然你可以把它们插入。
So you you can because, you know, the same cryptography, like primitives you can get from lattices, and so of course you can plug them in.
但你不会得到什么有趣的东西。
But you won't get something that's interesting.
或者高效运作的东西。
Or something that works well, that's efficient.
是啊。
Yeah.
对我来说这两者是一回事。
Well, to me those are the same thing.
举个例子,让我这么说吧。
So like for example, let me say this.
为什么格子在密码学中如此有趣,并能提供像全同态加密(FHE)这样的东西?
Why are lattices in why are they interesting and give you something like FHE?
对吧?
Right?
如果你考虑配对或任何指数运算,你把它看作某种映射,对吧?这个映射将一个数字映射到一个群中。
So if you think about pairings or whatever your exponentiation, you take it you it's at some map, right, that takes a number and and maps it into a group.
对吧?
Right?
配对操作将某物映射到某个群,然后你就基本完成了。
The pairing takes something, maps it to some group, and you're kind of done.
你无法持续进行这个操作。
You cannot keep doing this operation.
而使用格运算,这个ax等于y,我取一个向量,只是将它映射到另一个向量。
Whereas with the with lattice operations, right, this this ax equals y, I'm taking a vector and I'm just mapping it to another vector.
因此,值域的代数结构与定义域的代数结构非常相似。
And so the algebra of the range is pretty similar to the algebra of the domain.
如果你想充分利用格点,就必须利用这一点。
And this is what you have to take advantage of if you want to kinda get the most out of lattices.
因为我认为这是它们的特殊之处。
Because this is I think their special feature.
对吧?
Right?
所以很多构造都是这样完成的。
So this is what a lot of this is what is done in a lot of constructions.
你计算这个函数,这个格点函数,也就是a乘以x。
You compute some that this function, this lattice function, so the a times x x.
现在你得到了另一个向量。
And then now you now you have another vector.
唯一的区别是,现在的系数不再是小的,而是大的。
The only difference is now it's instead of having small coefficients, it has big coefficients.
嗯。
Mhmm.
所以如果你再这样做,现在它就不再是个难题了。
So if you do this again, now it's no longer a hard problem.
我想从验证者的角度来看,我们需要知道组合操作是否正确完成。
I guess from the perspective of a verifier, we need to know that the composition was done correctly.
对吧?
Right?
因此这会增加额外的证明和验证步骤。
And so that would add extra steps of proving and verifying.
是的。
Yeah.
那是正确的。
That that's right.
没关系。
That's okay.
好的。
Okay.
这不算什么大问题。
Like that's not too much of a problem.
对。
Yeah.
因为我们总能进行二进制分解,这只是个线性操作。
Because we can always binary decompose, and that's just a linear operation.
所以只要能证明线性关系和小数性质,我们就能证明这些哈希、二进制分解、哈希、二进制分解的多次操作。
So if we can prove linear relations and smallness, we can prove as many of these hashing, binary decomposition, hashing, binary decomposition.
明白吗?
Okay?
所以这很不错。
So that's that's nice.
另一个好处是,当你映射时因为它保留了代数结构,现在你可以再次进行这些线性操作,可以线性组合所有这些上层结果,或许你能证明它们的线性组合性质而非单个结果。
And the other the other nice thing is that when you map into because it retains its algebraic structure, now you can again do these linear, you can linearly combine all these upper all these results, And maybe you can prove something about the linear combination of them instead of each of individuals.
现在你不需要存储所有内容,只需存储线性组合即可。
Now you don't need to store everything, can just store linear combination.
再次强调,这里输出代数结构与输入的基本相同这一事实确实帮了我们大忙。
And again, this is where the fact that the algebra of the outputs is basically the same, the simple algebra of the input really helps us out.
另外我只是列举了这些——你知道的——我们过去几年里添加到工具箱中的所有方法。
Another thing is I'm just listing all these you know, these things in our that we put into our toolbox in the last in the last couple of years.
好的。
Okay.
所以要证明某个量很小。
So proving that something is small.
明白。
Okay.
就是证明范数很小。
It's proving that the norm is small.
对吧?
Right?
为了提高效率,我们在格密码中工作的环并非整数环。
And the the ring over which we work in lattices for efficiency is not not the integers.
对,而是一个多项式环。
Right, but it's a polynomial ring.
虽然可以在整数上操作,但在多项式环上效率要高得多。
So you can work over the integers, but it's much more efficient over polynomial rings.
所有NIST标准都基于多项式环。
All the NIST standards are over polynomial rings.
关键在于,多项式环上的基本运算正是我们所需的。
And the nice thing is that, hey, over polynomial rings, that's our basic operation.
若要做内积运算,实际上只需看首项系数就是两个多项式的乘积。
If you wanna do inner product, well that's actually the product of two polynomials if you just look at the first coefficient.
嗯。
Mhmm.
只要对它们进行适当的变换。
If you kind of transform them correctly.
因此我们甚至可以将范数——这种格运算所需的基本概念——描述出来。
So we can even describe the norm, the kind of this basic thing that we need as a lattice operation.
对。
Right.
另一件事是,为了证明短性,你可以使用所谓的约翰逊-林登斯特劳斯引理。
Another thing is to prove shortness, you can use something called the Johnson Lindenstrauss Lemma.
对吧?
Right?
它被用于降低数据的维度。
It was used for reducing the dimensionality of, you know, data.
基本上,你有很多高维空间中的点,可以说,我要观察一个线性对数维度的空间,其范数基本上会保持不变。
So basically, you have a lot of points, you know, in high dimensions, you can actually say, hey, I'm gonna look at a linear, you know, I'm gonna look at the like some logarithmic number of dimensions, and it and basically the norm is gonna be preserved.
虽然会有缩放,但会被保持。
You know, it's gonna be scaled but preserved.
我们在格上也能做到类似的事情。
That's something we can do for lattices as well.
我们可以说,看,要证明某个量很小,实际上可以证明当你将这个随机变换应用到更低维空间时,如果结果很小,那么原始量也很小。
We can say, hey, look, to prove that something is small, let's actually prove that when you apply this this random transformation into a much smaller dimensional space, if that's small, then your original thing was small too.
这一点非常关键,如果你的核心论证可能依赖于这个范数的话。
And that's kind of pretty crucial if if your heart probably relies on this norm.
但当然,这也会带来一个问题。
But but of course, this this causes a problem.
我想Dan Bonnet可能提到过,现在如果用这个矩阵做乘法,结果会变得非常冗长。
I think this is something that maybe maybe was mentioned by Dan Bonnet that now if you're multiplying by this matrix, now it's very long.
这样一来验证者就无法高效运作了。
So now the verifier cannot be efficient.
所以如果我们关心验证效率的话,可能不应该这么做,但有时我们可能并不在意验证效率。
So that's, you know, that's something maybe we shouldn't do if we care about efficient verifiers, but maybe sometimes we don't care about efficient verifiers.
因此我们可以这样做。
So we can do that.
这些都是新技术,之前并不存在,因为其他领域并不需要它们。
So these are all these new techniques where which didn't exist, right, for with with anything else just because they weren't needed there.
对吧?
Right?
这些是在结合ZK时引入的,还是在尝试将其融入FHE时引入的?
Are these being introduced in once you combine it with ZK or once you're trying to get it into FHE?
FHE实际上并没有怎么用到那些技术。
So FHE did not really use much of that.
当然,它用的是多项式环,但不是那些。
Of course, it was polynomial rings, but not that.
不过如果你想在ZK里开始证明东西的话...嗯...
But yeah, if you wanna start proving things in ZK Mhmm.
那你就会真正开始关心如何证明简短性了。
Then you you start actually caring about proving shortness.
明白了。
Got it.
是的,所以这些技术与这些证明系统密切相关。
And yeah, so these techniques are very much related to these these proof systems.
它们就是为这个目的开发的。
They were developed for this purpose.
我想再确认一下,因为我最初的问题是关于SNARK的。
I do wanna double check because I think I, you know, my initial question was about a SNARK.
你更多是在讲零知识和格密码,而不一定是SNARK和格密码的关系。
You're talking more about like z k and lattices, but not necessarily snarks and lattices.
没错。
So Right.
但格密码也被用来构建SNARK吗?
But are lattices being used to construct snarks as well?
是的。
Yes.
好的。
Okay.
现在我们工具箱里有了这些技术。
So once we got these these techniques in the toolbox.
对吧?
Right?
然后你可以问,我们还能做什么?
Then you could say, okay, what else can we do?
实际上我们可以得到一些相当像SNARK的东西。
And actually we can get something that is fairly snarky.
所以就有了这个
So there was this
类似于SNARK的那种?
Resembles a snark kind of?
是的。
Yeah.
没错。
Yeah.
对。
Right.
明白了。
Got it.
这也是为什么我们可能不会一对一替换的原因。
And this is why again, maybe we don't replace one to one.
好的。
Okay.
是的。
Yeah.
因为你知道,'snark'对不同人可能有不同含义——有人认为必须要有高效验证器,有人则认为不需要,诸如此类。
So because you know, snark again could means different things to too many to different like some people say it has to have an efficient verifier, some people say it doesn't, things like that.
所以我想说得更准确些,IBM的两位同事曾提出过一个非常高效的方案,叫Labrador。
So yeah, it's I wanna be maybe a little precise so that maybe there was a very efficient scheme proposed by two colleagues at IBM, so Labrador by Yes.
Ward Boilens和Gregor Zeiler。
Ward Boilens and Gregor Zeiler.
这个方案实际上运用了我之前提到的工具箱里的许多技术,来生成非常简短的证明。
And this actually uses a lot of the things that were developed in this this toolbox that I was talking about to come up with very short proofs.
所以验证者的规模仍然是线性的,但证明的大小大约是50千字节。
So the verifier is still linear size, but the proofs are, you know, let's say about 50 kilobytes.
因此它们永远无法超越基于配对的证明,但会优于基于哈希的证明
So they'll never beat pairing based proofs, but they will beat hash based proofs
好的。
Okay.
在大小方面。
In size.
它的渐进复杂度是多少?
What is it asymptotically?
渐进复杂度上,我认为几乎是log log n。
Asymptotically, it's I think it's almost log log n I think.
好的。
Okay.
很棒。
Lovely.
是的,没错。
It is yeah.
如果你看他们的论文,证明的大小几乎不随约束条件的数量增加而增长。
There is if you look at their paper, the size of the proof barely increases with the number of constraints.
可能从一千个约束到十亿个约束,证明大小仅从50增加到55。
Maybe it goes from 50 to 55 as you go from like a thousand to a billion constraints.
所以它很简短。
So it's it's short.
但有趣的是,能否让验证过程更高效?
But the interesting thing is, okay, can you make the verifier efficient?
现在有些新思路可能采用了更传统的零知识技巧。
So now there's these other ideas that maybe are using more traditional zero knowledge tricks.
折叠?
Folding?
对,折叠。
Fold folding.
是的。
Yeah.
对。
Right.
对。
Right.
还有递归组合。
Recursive composition as well.
正是如此。
Exactly.
正是如此。
Exactly.
直到最近,研究这些阶梯性事物和零知识证明的确实是两个不同的群体。
Until recently, it's really been two different groups of people that were working on these laddicy things and the zero knowledge thing.
现在它们正逐渐融合。
And now they're being slowly merged.
我认为,零知识领域的人正在学习格密码技术,而格密码领域的人也在学习零知识技术。
And I think you you have the zero knowledge people learning the lattice techniques and you have the lattice people learning the zero knowledge techniques.
这样应该能够实现更高效的技术方案。
And and you you should be able to get things that are more efficient.
以我自己为例,我认为甚至在研究SNARKs之前,就有许多有趣的事情可以做。
So for myself, for example, I think even before getting to snarks, there's a lot of interesting things that one can do.
例如,所有不需要SNARKs——或者至少不需要高效验证者的匿名凭证和身份解决方案。
For example, all the anonymous credentials and identity solutions thing that doesn't require snarks or at least doesn't require efficient verifiers.
因为这些声明的长度并不长。
Because the the statements are not very long.
它确实需要简短的证明,因为你不想输出太多内容,但高效的验证者在这里并不是关键。
It does require small proofs because you don't wanna output too much, but efficient verifiers is not something crucial there.
是的。
Yeah.
仅仅因为我们还没遇到大问题。
Simply because we don't get to big problems.
对吧?
Right?
确实如此。
So Right.
这无关紧要。
It doesn't matter.
对。
Right.
没错。
Right.
所以用格密码可以完成所有事情。
So so you can do everything with lattices.
唯一的问题是,能否高效实现?
The only question is, can you do it efficiently?
是的。
Yeah.
它比目前正在使用的方法更好吗?
And is it better than what already is being used there?
是的。
Yeah.
是的。
Yeah.
实际上,你提到了我现在想询问的两件事。
Actually, you've touched on two things that I now wanted to inquire about.
一个是效率问题。
It's efficiency.
具体来说,这些方法与基于离散对数的系统相比如何?
Like, actually, how do these things compare to discrete log based systems?
从实际应用角度,我们该如何部署这类系统,以及如何编写这类证明?
And practically, like, how do we deploy these kind of systems, and how do we write these sort of proofs?
好的。
Okay.
在底层实现上,我认为格密码应该比其他任何方案都高效得多,包括传统方案。
So at a at a low level, I would say that lattices should be a lot more efficient than anything else, even the classical stuff.
举个例子,在NIST竞赛中,最终选定的现行标准MLChem,其速度超过其他所有加密方案。
So as an example, so so in the NIST competition, right, so we so we have the the current standard that that was chosen, MLChem, it is faster than any other encryption scheme.
就计算规模而言,它可能快几个数量级,因为这些多项式运算非常快,尤其当你能利用硬件并行性时。
So in terms of computation size, it is maybe orders of magnitude faster just because these polynomial operations are so fast and especially if you can take advantage of the parallel parallelism in in hardware.
对吧?
Right?
而这确实可以实现。
Which which you can.
对吗?
Right?
现在的AVX2或AVX-512指令集,这些都给我们带来了巨大帮助。
This AVX two or AVX five twelve now, so this this all helps us enormously.
不过它体积更大。
It's bigger though.
所以如果传输是个问题,那么现在你得权衡哪种方式更节省资源,是本地计算的高效率还是传输效率。
So if you if transmission is an issue, then then now you have to kinda count what saves you more, the high efficiency of your local computation versus the transmission.
对吧?
Right?
就这一点而言,格基密码非常出色。
So in terms of that, lattices are are great.
我刚才问的是效率问题,同时也对实用性感到好奇,比如我们如何部署这些证明?
I was asking about efficiency, was also curious about practicality, like how do we deploy these proofs?
我们如何编写使用格基密码学的匿名凭证系统?
How do we write anonymous credentials, systems that use lattice based cryptography?
嗯。
Mhmm.
是的。
Yeah.
这确实很难。
This is this is hard.
对吧?
Right?
这些证明,可以说并不简单。
These proofs are, let's say not trivial.
这些东西的基础构建模块相当混乱。
The the building blocks are quite messy of these things.
我和这里的同事们一直在尝试编写这些基础构建模块,然后提供一个友好的接口供人们使用。
Something that I've been trying to do with my colleagues here is to actually write these these basic building blocks, and then have a nice interface so people can use them.
所以我们开发了这个名为laser的库。
So this is so we we have this laser library that we've been working on.
它允许你在零知识条件下证明某些关系,在Python中,你只需调用这些格操作和证明,用大约50到100行简单的Python代码,就能编写匿名凭证、盲签名、聚合签名等。
So it allows you to prove some relations in zero knowledge, and then the the you in Python, you can just call these call these lattice operations, call these proofs, and let's say in let's say 50 to a 100 lines of simple Python, you can actually write your anonymous credentials, your blind signatures, things like that, your aggregate signatures.
但我认为很多研究——也许这与零知识无关——一旦涉及加密和签名之外的领域,大量研究应该聚焦于可验证性。
But I I would say a lot of the research, and maybe this is not even like zero knowledge related, but once you get to anything past encryption and signatures, I feel like a lot of research should be on verifiability.
对吧?
Right?
你需要一些代码或逻辑系统来验证你所写的内容确实是正确的。
You need you need some code or some logical system to verify that what you've written is actually correct.
因为这些系统非常非常复杂。
Because these systems are are very very complicated.
那么明确一下,你指的是某种形式化验证
So just to be clear here, you mean like some kind of formal verification
的代码。
of the code.
是的。
Yeah.
没错。
Exactly.
正是如此。
Exactly.
我认为形式化验证是密码学中更重要的领域之一,因为现在英语国家与非英语国家之间存在争论。
So formal verification is I think one of the more important areas of cryptography because there's an argument now between kind of the English speaking countries and non English speaking countries.
我不明白为何会演变成这样,但这就是争论的焦点。
I don't know why it broke down this way, but that's the argument.
这就是边界当初被划分的方式。
That's how that's how the borders were drawn.
在新的量子安全密码学领域,一旦开始采用这些量子安全方案,是否还需要与传统方案结合使用?嗯。
That in the new quantum safe cryptography world, once you start using these quantum safe schemes, do you use them in conjunction with the classical ones Mhmm.
采用混合模式吗?
In hybrid mode?
还是干脆认为传统方案无关紧要,我们对量子安全方案有信心,直接单独使用量子安全方案?
Or do you just say, look, the classical ones we don't care about, we are confident in the quantum safe ones, let's just use the quantum safe ones.
比方说非英语国家阵营——这个观点完全合理——他们认为:我们曾信任这些传统方案,
So the let's say the non English speaking world, and this is a perfectly valid argument, say, hey look, we trusted these classical schemes.
继续将它们与更新的量子安全方案并行使用并不会造成危害。
It doesn't harm anyone to keep using them in parallel with the quantum safe, the newer quantum safe ones.
而另一方则认为:尽管理论上结合两者很简单,但现实中所有错误恰恰都发生在这种结合环节。
The the other side is saying, hey, look, actually combining the two, even though it's trivial, like theoretically, actually that's where all the mistakes happen in the real world.
对吧?
Right?
所以即便是像简单组合两种加密方案这样的小事,人们也担心会出错。
So so even for something so trivial as just combining two schemes together, people are afraid that mistakes will be made.
因此,如果连这种小事都让人担忧,那么对于那些正在部署的极其复杂的软件——老实说没多少人在仔细检查的——我会更加担心。
So even if that that is kind of a worry, then I I would worry a lot about these extremely complicated pieces of software being rolled out that, let's say, not many people are looking at to to be to be honest.
对吧?
Right?
有多少人会去检查这些十万行代码呢?
How many people look at these 100,000 line
哦,你说的是那些编写了数十亿行代码却无人审查的程序员群体...确实,这里有很多需要检查的地方。
Oh, you're talking at a community of people who writes billions of lines of code and no one's looking at it, and we But, love yeah, there's a lot to to be checked here.
是的。
Yeah.
不过我认为验证可能是更紧迫的研究领域。
But but I would say that that's maybe verification is the more urgent research area.
对吧?
Right?
因为我们有很多密码学技术。
Because we we have a lot of cryptography.
对吧?
Right?
我们掌握密码学,能用它实现一切。
We we cryptography, we can do everything with it.
但我们有足够的密码学或攻击技术吗?
But do we have enough cryptology or attack techniques?
正是如此。
Exactly.
攻击。
Attack.
攻击吗?
Attacking?
是的。
Yeah.
这个领域确实需要更多研究,需要更多人投身其中,还需要形式化验证。
That that's an area that that needs to needs a lot more research, needs a lot more people to go into it, and formal verification.
对。
Yeah.
但这些...我不太确定。
So but but those are not the I don't know.
这些不是最酷的领域,也不是最吸引人的方向。
These are not the the cool areas, not the sexy areas.
对吧?
Right?
大家都想设计高效的SNARKs。
You wanna be designing efficient snarks.
大家都想做这类工作。
You wanna be doing this.
而且没人愿意做这个,你知道,几乎就是审计工作。
And no one wants to do this, you know, this auditing almost.
是啊。
Yeah.
如果你对吧?
If you right?
这这确实是个问题,但情况一直如此。
This is this is a bit of an issue, but that's it's been like that all the time.
嗯哼。
So mhmm.
我想稍微退一步,回到我们之前讨论的一些技术点。
I wanna go back just one step to some of the techniques that you were that we were talking about.
我记得我们开始讨论查找参数时,提到目前这方面还没有太多探索。
I think we got we started talking about lookup arguments, are not something that's being explored right now.
但你确实提到了折叠技术,还有递归组合。
But you did mention folding, and you mentioned so, Nico, you mentioned recursive composition.
我只是觉得我们在对话中有点偏离了这个话题。
I just I I feel like we kinda moved away from that in the conversation.
实际上,我想我们可能会在未来的节目中更详细地讨论这个问题。
And actually, I think we might be covering this on a future episode in more detail.
但我确实想简单和你聊聊折叠技术如何与格结构结合使用。
But I did wanna just briefly talk to you about how is folding being used alongside lattices.
格结构是否具有某些特性使其特别容易进行折叠操作?
Do lattices have certain qualities that make them like extra easy to fold?
是的。
Yes.
我认为由于格的代数结构特性,它们非常容易进行折叠操作。
I think lattices are very easy to fold because of their algebraic structure.
就像我说的,如果你直接应用格函数,这个a x等于y。
Like I said, if you just apply the lattice function, this a x equals y.
对吧?
Right?
现在你可以把x分成两部分,嗯哼。
Now you can just break up your x into two parts Uh-huh.
线性组合它们。
Linearly combine them.
这基本上就是你的折叠操作。
That's basically your folding.
对吧?
Right?
所以为了证明你已知的这个y,你只需将x分成两部分,线性组合它们,而且因为我们所有的函数都是线性的
So to to prove that you know this y, you can just break up x into two parts, linearly combine them, and because all our functions are just linear
嗯哼。
Uh-huh.
这本质上就是折叠。
It's it's essentially folded.
对吧?
Right?
不错。
Nice.
困难的部分总是证明微小性。
The hard part is always proving smallness.
麻烦的部分总是证明微小性。
The messy part is always proving smallness.
对吧?
Right?
你甚至可以自己尝试这个实验。
So you can even try this as an experiment yourself.
比如,假设难题在于不涉及微小性,你不需要证明微小性。
Like, let's pretend that the hard problem is there's no smallness involved, you don't have to prove smallness.
明白吗?
Okay?
我认为设计这些SNARK会很简单。
I think I think these snarks will be trivial to design.
对吧?
Right?
所以你可能只是因为折叠功能如此自然地融入其中,我甚至可以告诉你们格雷戈尔和沃德在拉布拉多工作时的故事。
So you could be just because it it lends itself so naturally to folding, I could even tell us that the story when when Gregor and Ward were working in Labrador.
我是说,他们最初的草稿版本,你知道的,是在研究防弹证明的工作
I mean, their first kind of drafts, they were, you know, work working of bulletproofs
哦,是的。
Oh, yeah.
并试图从中实现折叠功能。
And trying to get the the folding from there.
然后,你知道,他们尝试过——我们当时也在尝试,这在我之前参与的某篇理论论文中也有涉及,我们当时就说好吧,我们要试着模仿防弹证明。
And then, you know, they were try we they were trying, and this is something I was involved in before as well in some theoretical paper, and we kind said, okay, we're gonna, you know, try to mimic bulletproofs.
对吧?
Right?
这就像你之前说的,你们尝试过这些技术吗?
And this is kind of what you were saying before, like, have you tried these techniques?
我当时说,我希望尝试过格点相关的方法。
And I was saying, I wish tried the lattice y things.
对吧?
Right?
所以在尝试将格点理论融入防弹证明时
So when trying to to put lattices into the bulletproofs
构造。
Construction.
鸽巢原理之类的。
Pigeonhole or whatever.
构造。
Construction.
对。
Yeah.
没错。
Yeah.
这项技术。
The technique.
是啊。
Yeah.
你能得到一些东西。
You could get something.
对吧?
Right?
但最终他们意识到,嘿,这种折叠对格结构来说太自然了。
But then eventually they realize, hey, this this folding is just so natural to lattices.
我们根本不需要这些。
We don't need any of it.
我们甚至在做的时候都不需要考虑防弹证明。
We don't even need to think about bulletproofs when we do it.
现在回想起来,这种线性组合的做法几乎显而易见。
Just this linear combination thing is, in retrospect, almost obvious.
我认为这基本上就是所有这些其他论文中也在使用的方法。
And I think that's what's being used kind of in all these these other papers as well.
就像我说的,难点在于如何证明微小性。
And like I said, the hard part is how do you prove smallness.
我很高兴现在有很多不同的技术来证明微小性,有很多想法。
I I I like that there's a lot of different techniques now for proving smallness, lots of ideas.
你知道,有Szymczek的方法,有我们采用的Lyndon Johnson Lindenstrauss的方法。
You know, there's the Szymczek way, there's the the way we were doing the Lyndon Johnson Lindenstrauss way.
有趣的是它具有非常好的可组合性。
And the interesting thing is that it is very nicely composable.
对吧?
Right?
所以你可以从一个技术开始。
So you could because you could start with one technique.
对吧?
Right?
你得到的结果可以说导向了一个高效的验证器,然后转而采用另一种技术,实际上这能产生简洁的证明。
You get which is, let's say leads to an efficient verifier, and you switch to the other technique which actually leads to efficient it's small proofs.
对吧?
Right?
因为在第一步之后,你就不再需要关心高效验证器了。
Because after the first step, you don't care about efficient verifier anymore.
对吧?
Right?
我认为这种可组合性——我的预测是——这将成为处理格点问题的方法。
And I think the this composability is my prediction is this is the way it's gonna be done with Lattices.
我们将从一种技术开始,然后可能逐步转向类似Labrador的方法作为收尾。
We're gonna start with one technique and then move move over to possibly something like Labrador at the end.
你大致强调了格点结构带来的几个优势。
You kind of highlighted a few things that lattices bring.
我们讨论过它们具有后量子时代的特性。
We talked about like they're post quantum.
在某些情况下,它们的性能可能更优。
They in certain cases can perform better.
但我确实好奇,我记得第一次听说基于格的零知识证明,实际上是在全同态加密(FHE)的背景下。
But I did wonder I I think the first time I heard about lattice based ZK was actually in the context of FHE.
使用格密码的另一个好处是否在于,可以更轻松地实现全同态加密与零知识证明的结合?
Would another benefit of using lattices just be that you could then start to do like combined FHE and ZK in an easier way?
因为底层使用了一些相同的数学原理?
Like, because you're using some of the same maths underneath?
确实如此。
For sure.
确实如此。
For sure.
这一点在设计高效方案时相当重要,你需要保持代数结构的一致性。
This is this is something that that is pretty important for designing efficient schemes, that you want the algebraic structure to be the same.
对吧?
Right?
举个例子,这就是为什么在设计匿名凭证时,我们希望证明某些格关系,并且使用基于格的零知识证明来验证这些关系是合理的,因为它们的代数结构是兼容的。
So for example, this is why when designing anonymous credentials, we wanna prove some lattice relations because and it makes sense to use lattice based zero knowledge proofs to prove these relations because the the algebra is compatible.
对吧?
Right?
所以这绝对是有帮助的。
So that that absolutely helps.
是的。
Yeah.
当然,你也可以使用Fry来证明某些格关系。
You you could of course do you know, you can just use fry, right, to prove some lattice relation.
虽然有人尝试过,但效率极低。
And people have tried it, but it's extremely inefficient.
明白了。
Okay.
只是因为代数结构需要转换——当然,如果你使用的FHE本质上采用了相同的环结构,嗯。
Just because the algebra, you have to convert one So of the and it doesn't yes, of course, if if you have FHE which uses which is basically using the same ring structure Mhmm.
可能是更大的环,但环结构相同,当你想证明相关性质时,使用LiveSpace零知识技术会非常合理
Maybe bigger rings, but the ring structure is the same, and you wanna prove something about it, it makes a lot of sense that you will use LiveSpace ZK techniques
这很酷。
That's cool.
来证明它。
To to prove it.
所以这绝对会有所帮助。
So that should definitely help.
不错。
Nice.
有个问题我一直想问,虽然我们在节目中已经涉及了不同技术和协议,但我想了解目前格基解密和格基简洁证明的最新技术进展如何?
One thing I I did want to ask, and we sort of touched upon different techniques and different protocols throughout the episode, but I wanted to ask what does the state of the art look like for lattice based decay and lattice based succinct proofs?
好的。
Okay.
我认为我们仍处于简洁证明技术的非常早期阶段。
So I would say we're still in a very very early stage of succinct proofs.
就目前最先进的技术而言,如果只关注证明尺寸的简洁性,那么Labrador方案大约能实现50KB的任意规模证明。
So currently the state of the art, if you just care about succinctness in terms of proof size, then it's the Labrador scheme, which is, I would say about 50 kilobytes for arbitrary sized proofs.
如果关注验证者的简洁性,这方面已有大量研究成果。
Then if you care about succinct verifiers, there's now been a lot of work on this.
大约两年前出现了Labrador的Greyhound扩展方案。
There's the kind of Greyhound addition to to Labrador, which came out maybe two years ago.
是的。
Yeah.
现在还有Lattice Fold、Lattice Fold Plus等等方案
Now there's Lattice Fold, Lattice Fold Plus, you know, and it's
很多折叠操作啊。
A lot of folding.
虽然不确定保密程度如何,但作为密码学会议委员会成员,我看到有大量关于ZK格基NorX的论文投稿。
I don't know if it's how confidential it is, and I'm I'm on the committee for the crypto conference, and you know there's tons of papers being submitted about ZK lattice based NorX.
可以看出部分研究来自格密码学界,也有部分来自零知识证明社区尝试学习格密码的内容。
And you can see that it's really some of it is by lattice community, but some of it is by the zero knowledge community trying to learn lattices.
你可以看到他们在文献研究上还不太到位,就像格密码研究者对零知识证明文献也不太熟悉,但这让我感到非常有希望。
And you you see that they're not quite there on the literature, just like the lattice people are probably not quite there on the ZK literature, but it's very hopeful to me.
我非常高兴看到这一点,这显然是一个会快速发展的领域,就像哈希系统的发展历程一样。
I'm I'm very happy to see this that the that it's clearly an area that's gonna grow, like hash based systems, for example.
我是说,它们已经有二十年的先发优势了。
I mean, they've had a twenty twenty year head start Yeah.
也许吧。
Perhaps.
所以我相当乐观,如果我们再投入五到十年,格证明的效率会比现在更高。
So I'm quite quite optimistic that if we spend another five, ten years, Lattice proofs will be even more efficient than they are now.
酷。
Cool.
你刚才提到了哈希系统这方面。
You just mentioned the hash based side of things.
你在谈论格密码时提到,它们具有后量子特性,能抵御量子计算机攻击。
When you were talking about lattices, you know, they're post quantum, they're quantum like secure against quantum computers.
但至少基于哈希的SNARKs也应该能抵御量子计算机的攻击。
But hash based SNARKs, at least, are also supposed to be safe against quantum computers.
那么,格密码是否更胜一筹?
Like, are lattices better?
它们更安全吗?
Are they more safe?
这方面有任何比较数据吗?
Is there any sort of comparative there?
换句话说,至少在这个指标上,是否有理由更倾向于选择格密码?
Like, is there a reason why, at least on that metric lattices would be preferred?
就安全性而言,我认为基于哈希的方案需要假设的前提条件要少得多。
So in terms of safety, I would say the hash based schemes require you to assume much less.
它们只需要假设类似SHA或AES这样的算法是难以破解的。
They just require to assume that something like SHA or AES is is hard.
明白了。
Okay.
要知道,这些问题几乎没有什么结构可言,而我们确实相信SHA和AES是难以攻破的。
And you know, these problems have very little structure and we do believe that SHA and AES are hard.
嗯。
Mhmm.
因此在假设方面,基于哈希的方案显然更胜一筹。
So in terms of assumptions, hash based schemes are definitely preferable there.
而格密码则不同,它们需要依赖某些代数结构,或许量子计算机能利用这种代数或几何结构来破解它们。
Lattices on the other hand, they do require some algebraic structure and you know, maybe there's a way that quantum computers can latch on to some structure, this algebraic or geometric structure to break them.
所以如果要下注的话——任何人都会赌基于哈希的方案被攻破的概率远低于格密码这类方案。
So the assumptions, if I were to bet, if if anyone were to bet, they would of course bet on hash based having a smaller chance of being broken than any thing like lattice based cryptography.
这就是基于哈希方案的优势所在。
So that's where hash based is better.
但由于格密码具有这些代数假设,其背后的数学实现起来相对更容易。
But because lattices have these algebraic assumptions, the the math behind them is is let's say is easier to implement.
哦。
Oh.
所以它们的速度会更快。
So they're going to be faster.
因此我认为,格密码在效率上更胜一筹,而基于哈希的密码则在安全性上占优。
So lattices I believe, will win on efficiency, whereas hash based wins on Security.
你知道,就是被攻破的概率。
You know, the probability of being broken.
有意思。
Interesting.
很难说它们在安全性上更胜一筹。
It's hard to say that they win on security.
对吧?
Right?
因为两者可能同样难以攻破。
Because they both could be equally hard.
好的。
Okay.
对吧?
Right?
只是说如果你要下注,有人告诉你其中一个——你知道,如果有人明确告诉你其中一个肯定被破解了,那多半会是格密码。
It's just that if you're gonna bet and somebody tells you one of them is, you know, someone somebody tells you one of them is definitely broken, well, it's gonna be lattices.
对吧?
Right?
所以,呃
So so
好吧。
Alright.
是不是因为它们出现的时间没那么长?
Is it just because they've been around lot like, not as long?
它们还没经过实战检验?
They haven't been battle tested?
不是。
No.
格。
Lattices.
在这个语境下的格。
Lattices in this context.
哦,不。
Oh, no.
我想说即使是对于经典算法也是如此。
I would I would say even for classical algorithms.
对吧?
Right?
离散对数配对,这些比任何基于哈希的算法更容易被攻破。
Discrete log pairings, those are much more likely to be broken than anything hash based.
这是结构化与非结构化的问题吗?
Is this structure versus unstructured thing?
正是如此。
Exactly.
没错,Nick。
Exactly, Nick.
你说得对。
You're right.
因为格密码和其他离散对数假设都是有结构的,它们有量子计算机可以抓住的特性。
Because lattices and all these other discrete log assumptions, they're all structured, they have something that quantum computers can latch onto.
但这始终关乎效率,而结构正是在这方面有所帮助。
But it's always about the efficiency, and this is where the structure helps.
不过我要稍微搅局一下——我们所有基于哈希的证明都只在随机预言模型中被证明是安全的。
I will throw a little spanner in the works though, which is that all our hash based proofs are only proven secure in the Random Oracle model.
是的。
Yeah.
基于格密码的证明也是如此吗?
Is that also the case with lattice based proofs
或者说,是的。
or Yes.
是的。
Yes.
哦,这也是在随机预言模型中吗?
Oh, it's also a Random Oracle?
所有有趣的东西都会出现在随机预言模型中。
All the anything interesting is going to be in the Random Oracle model.
好的。
Okay.
对。
Yeah.
这非常有趣,因为基于格的证明仍然在随机预言模型中,而对于离散对数和基于配对的证明,我们确实有系统处于结构化参考阅读模型中,完全不涉及随机预言。
That's super interesting that lattice based proofs are still in the random Oracle model because with discrete log and like pairing based proofs, we do have systems that are in the structured reference reading model, but no random oracles involved at all.
明白了。
Okay.
现在我可能要说些非常错误的话,但我认为如果做出一些疯狂假设,或许可以避免使用随机预言。
So now I I could be saying something very wrong, but I think there could be a way to not have random oracles if you make some crazy assumptions.
对。
Right.
在配对密码学领域,至少据我这个可能了解不深的外行所知,还没有出现过这些疯狂假设导致问题的情况。
And in the pairing world, nothing has at least nothing that I know of, as somebody who's maybe not very deep into it, but just an outsider, that has gone wrong with these crazy assumptions.
而在格密码领域,确实出过问题。
Whereas in the lattice world, things have gone wrong.
最近有篇非常有趣的论文揭示了许多知识假设的问题——就是那种'你只有知道这个才能做到那个'的假设。
So all there's been a very interesting recent paper that showed a lot of knowledge assumptions where you say, ah, the only way for you to do this is if you know this.
基本上,如果你知道如何做到这点,那么就有提取器能从你这里提取信息——人们试图在格密码中应用这种假设,结果发现它在量子层面完全失效。
Basically, if you know how to do this, then there is an extractor that can extract this information from you that people try to make about lattices, and it turns out to be completely broken in the quantumly.
有意思。
Interesting.
对吧?
Right?
所以是的,这些知识假设,这些无法证伪的假设,我认为在零知识证明领域相当重要——如果你不想使用随机预言机之类的东西的话。
So yeah, so it is a bit, and these these these knowledge assumptions, these unfalsifiable assumptions, I think they are quite important in the you know, ZK world, if you're gonna not use maybe random oracles or something like that.
但对格密码来说,做出这些假设是危险的。
But they are dangerous to make for lattice.
所以我更倾向于使用随机预言机。
So I would much rather go with random oracles.
我认为它们没什么大问题,总比那些尚未证明自身稳定性的假设要好。
I don't see a big problem with them, rather than these assumption these assumptions which have not shown themselves to be very stable.
是的。
Yep.
有道理。
Fair.
你参与了NIST加密和签名标准的制定工作,我们之前提到过MLChem和MLDSA。
So you've been involved in the development of standards for encryption and signatures for NIST, we've mentioned them a bit earlier, MLChem and MLDSA.
能详细介绍一下它们的工作原理,以及与现有加密签名技术的比较吗?
Can you tell us a bit more about them and how they work and how they compare to existing encryption and signature techniques?
我认为理解格密码与离散对数差异的最佳方式,就是通过密钥交换来思考。
I I think the best way to understand what the difference between lattice and discrete log is to under to just think about the key exchange.
Diffie-Hellman密钥交换。
So Diffie Hellman key exchange.
对吧?
Right?
在Diffie-Hellman中,g的x次方等于,比如g的x1次方等于y1,g的x2次方等于y2,然后g的x1x2次方就是共享的密钥。
So Diffie Hellman, you have g to the x equals, you know, g to the x one equals y one, g to the x two equals y two, and then you have g to the x one x two is the is the shared Yep.
就是这样。
Thing.
而在格密码中,由于g^x的等效形式是LWE函数(即a乘x加误差项),所以无法实现这种交换。
So with lattices, you don't have that because the the equivalent of like g to the x is the LWE function, like a times x plus an error.
对。
Right.
当你得到a乘x加误差项,对方得到x1乘a加误差项时,你们可以进行相应计算。
And now, if you have a times x plus error, and the other guy has like some x one times a plus error, you can do the appropriate thing.
但最终会引入误差项。
But now you end up with errors.
现在你最终还要把误差也乘进去。
You now you end up multiplying by the errors as well.
对。
Right.
我们会出现这些交叉项之类的东西。
We have these cross terms sort of that start appearing.
是的。
Yeah.
没错。
Exactly.
正是。
Exactly.
这些交叉项我们无从得知,因为我不知道你的误差,你不知道我的误差,我们不知道交叉项是什么
These cross terms which you don't know about because I don't know your error, you don't know my error, we don't know what the cross terms
显然我们不能向对方透露自己的误差,否则整个系统就崩溃了。
we obviously cannot reveal our errors to each other, otherwise it's all broken.
确实如此。
Exactly.
完全正确。
Exactly.
所以Diffie-Hellman密钥交换实际上是一种行不通的方案。
So so Diffie Hellman key exchange is actually something that does not work.
这个Nike对实验室来说相当糟糕。
This Nike is quite bad for lab.
你可以调整参数使其大概率能成功,但那样效果会变得非常差。
You can do it, you can set the parameters so that it it works out with high probability, but then it becomes really terrible.
但在公钥加密中情况没那么糟,因为那里涉及一些交互过程。
But with public key encryption it's not so bad, because because there we're we're not there there is some interaction involved.
对吧?
Right?
而这里没有任何交互机制,我们确实可以做些改进。
Whereas in the there's no interaction here, you we can do something.
但这又回到了清除这些错误的问题上。
But it's again about clearing out these errors.
这就是MLChem的实质。
So this is what this is what MLChem is.
就像自然地应用El Gamal算法那样,如何将其转换到格密码上,然后处理其中的误差。
It's like the it's how you naturally apply El Gamal, how you translate El Gamal to lattices, and then you take care of the errors.
而这正是最棘手的部分。
And that's the messy part.
MLDSA,这是我们之前提到过的东西。
The MLDSA, it's this is something we mentioned before.
我说过,好吧,你是在尝试做零知识证明,并且尽可能高效地完成这个证明,证明某些足够好的东西。
I said, okay, you you it's it's you're trying to do the zero knowledge proof and you try to do as efficient as your knowledge proof as possible, proving something that's good enough.
对于签名来说已经足够好了。
It's good enough for signatures.
就是这样。
And this is yeah.
关于 Bayt 播客
Bayt 提供中文+原文双语音频和字幕,帮助你打破语言障碍,轻松听懂全球优质播客。