Crate qssm_le

QSSM-LE: (R_q = \mathbb{Z}_q[X]/(X^{256}+1)) with NTT-backed multiply, MLWE commitment (C = A r + \mu), and Lyubashevsky-style Fiat–Shamir proofs (witness-hiding on the wire).

use qssm_le::{
    commit_mlwe, prove_arithmetic, verify_lattice, PublicInstance, VerifyingKey, Witness,
    PUBLIC_DIGEST_COEFFS,
};
let vk = VerifyingKey::from_seed([9u8; 32]);
let public = PublicInstance::digest_coeffs([0u32; PUBLIC_DIGEST_COEFFS]).unwrap();
let witness = Witness::new([0i32; qssm_le::N]);
let ctx = [7u8; 32];
let rng_seed = [42u8; 32]; // deterministic masking seed (from entropy pipeline)
let (commitment, proof) = prove_arithmetic(&vk, &public, &witness, &ctx, rng_seed).unwrap();
assert!(verify_lattice(&vk, &public, &commitment, &proof, &ctx).unwrap());

Structs

Commitment
Commitment as a full ring element (canonical coeffs mod (q)).
CommitmentRandomness
Prover masking randomness sampled per-attempt.
LatticeProof
Witness-hiding proof: masking commitment (t = Ay) and response (z = y + c r) with FS challenge (c).
PublicInstance
RqPoly
ScrubbedPoly
Secret-bearing polynomial wrapper that guarantees drop-time zeroization.
VerifyingKey
Verifying / proving key material (nothing-up-my-sleeve seed).
Witness
Secret witness (prover-only).

Enums

LeError
PublicBinding
Public inputs visible to all verifiers (no secret witness).

Constants

BETA
(\ell_\infty) bound on witness coefficients (rejection sampling threshold).
C_POLY_SIZE
Polynomial challenge coefficient count.
C_POLY_SPAN
Polynomial challenge coefficient span per lane ([-C_POLY_SPAN, C_POLY_SPAN]).
ETA
Masking vector (\ell_\infty) bound (Lyubashevsky-style; rejection if exceeded).
GAMMA
Verifier accepts responses with (|z|_\infty \le \gamma) (centered mod (q)).
LE_FS_PUBLIC_BINDING_LAYOUT_VERSION
Bump this whenever the qssm-le fs_challenge_bytes input order or the public_binding_fs_bytes serialization changes in any way that the gadget TranscriptMap / Engine A package JSON must mirror. Shared by qssm-le and qssm-gadget via this crate.
N
Polynomial degree (n = 256) for (R_q = \mathbb{Z}_q[X]/(X^n+1)).
PUBLIC_DIGEST_COEFFS
Number of digest coefficients bound into Engine A public input.
PUBLIC_DIGEST_COEFF_MAX
Maximum per-coefficient value for digest-to-coefficient embedding (4-bit lanes).
Q
Prime modulus with (512 \mid (q-1)) for length-512 NTT.

Functions

commit_mlwe
(C = A r + \mu(public)).
encode_rq_coeffs_le
Concatenate coefficients (LE u32) for Fiat–Shamir binding.
prove_arithmetic
Prove: commit + deterministic Fiat–Shamir proof using a BLAKE3-seeded CSPRNG.
short_vec_to_rq
Map signed short coefficients into (\mathbb{Z}_q) (witness bound (\beta)).
short_vec_to_rq_bound
Map signed coefficients with (\ell_\infty \le \texttt{bound}) into (R_q).
verify_lattice
Witness-free verifier (includes binding_context in FS challenge).
verify_lattice_algebraic
Algebraic verification: (|z|_\infty \le \gamma), recompute (c), check (Az = t + c(C-\mu)). No Witness.
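The relation that verify_lattice_algebraic checks, worked through on a toy ring as an added example (this is not the crate's code): it uses N = 8 and Q = 17 instead of 256 and the NTT-friendly prime, a schoolbook negacyclic multiply instead of the NTT, and takes a fixed sparse challenge c as an argument instead of deriving it from the BLAKE3 Fiat–Shamir transcript; GAMMA = 5 is likewise a constructed bound.

```rust
// Toy instance of C = A r + mu, t = A y, z = y + c r and the verifier check
// A z == t + c (C - mu). Constructed parameters; not the crate's values.
const N: usize = 8;   // toy polynomial degree (crate: 256)
const Q: i64 = 17;    // toy prime modulus (crate: NTT-friendly prime)
const GAMMA: i64 = 5; // toy acceptance bound on |z|_inf

type Poly = [i64; N];

fn modq(x: i64) -> i64 { x.rem_euclid(Q) }

/// Centered representative of x mod Q in [-(Q-1)/2, (Q-1)/2].
fn centered(x: i64) -> i64 { let m = modq(x); if m > Q / 2 { m - Q } else { m } }

/// l_inf norm over centered coefficients (what the gamma check measures).
fn linf(a: &Poly) -> i64 { a.iter().map(|&x| centered(x).abs()).max().unwrap_or(0) }

fn add(a: &Poly, b: &Poly) -> Poly { std::array::from_fn(|i| modq(a[i] + b[i])) }
fn sub(a: &Poly, b: &Poly) -> Poly { std::array::from_fn(|i| modq(a[i] - b[i])) }

/// Schoolbook multiply in Z_q[X]/(X^N + 1): X^N wraps around as -1.
fn mul(a: &Poly, b: &Poly) -> Poly {
    let mut acc = [0i64; N];
    for i in 0..N {
        for j in 0..N {
            let k = i + j;
            if k < N { acc[k] += a[i] * b[j]; } else { acc[k - N] -= a[i] * b[j]; }
        }
    }
    acc.map(modq)
}

/// Commitment C = A r + mu: mu is the public part, r the secret randomness.
fn commit(a: &Poly, r: &Poly, mu: &Poly) -> Poly { add(&mul(a, r), mu) }

/// Prover: masking commitment t = A y and response z = y + c r.
/// Returns (t, None) when |z|_inf exceeds GAMMA: the rejection-sampling case,
/// where the prover resamples y rather than sending a z that leaks about r.
fn prove(a: &Poly, r: &Poly, y: &Poly, c: &Poly) -> (Poly, Option<Poly>) {
    let t = mul(a, y);
    let z = add(y, &mul(c, r));
    if linf(&z) <= GAMMA { (t, Some(z)) } else { (t, None) }
}

/// Verifier: no witness needed. Accepts iff |z|_inf <= GAMMA and
/// A z == t + c (C - mu), which holds for an honest z since A z = A y + c (A r).
fn verify(a: &Poly, mu: &Poly, cm: &Poly, t: &Poly, z: &Poly, c: &Poly) -> bool {
    linf(z) <= GAMMA && mul(a, z) == add(t, &mul(c, &sub(cm, mu)))
}
```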