 It's generally not a good idea to send the same message twice anyway, which remember from last time, messages should have randomness built into them. So even the same message should never be sent exactly the same. Yeah, good question. Okay. So if someone wants to break GGH, they need to solve the closest vector problem. And the L cubed algorithm finds this somewhat orthogonal basis, depending how much time you're willing to spend, you can make it better and better. So you get this competition. How good is L cubed, or block, you know, BKZ L cubed? How good is it at solving the underlying CVP and breaking the system for however much computer time you're willing to devote to it? Right? And it turns out if the dimension for GGH is less than 100, then L cubed is actually really pretty good, and it'll break the system. And even up to N equals 200, you can probably do it. In other words, Eve can probably break the system. But let's think about the practical parts of this. What does a GGH public key look like? Well, it's a bad basis for the lattice. N-dimensional lattice, each vector in the basis has N coordinates, right? So there are N squared numbers there. You can put it in a matrix if you want, it's an N by N matrix. And also, I mean, I haven't even kept track of how big their coordinates are. But in any case, there are N squared numbers there. So the GGH public key is going to be roughly, well, it's going to be at least a multiple of N squared. And N is going to be at least 200 if you want to be secure. And that leads to, well, if you really want to say 500 to 1,000, you're going to have keys in the megabit size. And I say two megabit keys are impractical. I shouldn't really make a definitive statement like that. There may be situations where having keys that are megabits long are fine. Depends how much storage and how much bandwidth you have. OK. 
So independently of this work of GGH, so Jeff and Jill and I, we were working on this public key crypto system that we ended up calling NTRU. Although in retrospect, I kind of, we should have used our first names, right, because it would have been JJJ to go with LLL. Anyway, we called it NTRU. And it solves this issue of having huge key sizes by using a special type of lattice that I'll be describing to you. And it ends up that the public key, instead of having N squared bits, has more like N log N bits. And that's a lot better. OK. And in fact, I mean, GGH really also has a log N there. That's for the size of the coefficients. And I'm lying a little bit here. The NTRU lattice actually has dimension 2N. But the N that goes in here is just kind of N anyway. So we'll see. But before describing how the crypto system works and the lattice, I want to talk about a bit more math, some constructions. Actually, two very different multiplication structures that are actually the same. But it's helpful to look at both of them and go back and forth. So the first one is I want to just either show you or remind you if you've seen it what a convolution product is in the discrete sense. You may have seen them in analysis. But this is the discrete version. And it's simply with multiplying two n-dimensional vectors and getting another n-dimensional vector. And I gave you a formula here. So I'm going to label the coordinates starting with 0 instead of 1. So the coordinates go a0 to an minus 1 and b0 to bn minus 1. And I want to tell you what the convolution product is. I'll use star for it. That's not standard. I don't know that there is a standard notation. So the convolution product, the k-th coordinate of this, it's essentially a dot product of coordinates of a and coordinates of b, except if you want to sort this, what we've done for the k-th coordinate is we've kind of reversed the order of most of the coordinates of b. 
And then we've kind of shifted them over k and rolled the other ones back. But anyway, it's just kind of a dot product but with shifted and possibly flipped and then rotated coordinates. And it looks a little messy. And if you're ever teaching abstract algebra and want to give the students an exercise which will test their ability to rearrange algebraic expressions, turns out that this product, which looks kind of messy, makes the vector space, n-dimensional vector space, into a ring, a commutative ring. I mean, is the commutativity even obvious? I mean, it's not hard, but it's not 100% obvious. Associativity is definitely not obvious. The distributive law? Anyway, but it all works out. So vector addition and convolution product makes the set of vectors into a ring. So you've got all the standard things that you want. And here's an alternative way to describe it, which for people who have taken abstract algebra, which all of you have, is much more intuitive. But I've talked about this to cryptographers who basically came up through CS who never really saw quotient rings. Anyway, the idea is to identify the vector of coordinates with the coefficients of a polynomial of degree n-1. So we can go back and forth. Standard kind of thing, right? You think of polynomials as a vector of its coefficients. But we'll work in the quotient ring where I mod out by the ideal generated by x to the n minus 1. So x to the n. Anytime you get x to the n, you replace it by 1. x to the n plus 1 gets x and so on. I mean, you'll recognize this problem. It's essentially the ring of cyclotomic integers, especially if n is prime. It's not quite, almost. I'll talk about that more in a minute. But then, easy enough to check that the convolution product is simply multiplication in this ring. You multiply the two polynomials and mod out by x to the n minus 1 and express the product as a polynomial of degree n minus 1, at most n minus 1. 
And once you do this identification, of course, then the ring structure is obvious. We're also going to need to reduce the coefficients mod various primes. So this ring R, the polynomials have integer coefficients. Or I could take, I'll call it R sub q, where instead the coefficients are in the ring Z mod qZ. And similarly, R sub p, the coefficients would be in Z mod pZ. Now, in this big ring, most of the elements do not have inverses. The unit group, I mean, there is a unit group, but it's not huge. But in these, if I use mod q coefficients, say, where q is a prime, then, in fact, most of the elements here will have inverses in some appropriate sense. It's a nice exercise, in fact, to figure out how big the unit group is. But roughly, if you take a polynomial a of x in here, as long as a of 1 doesn't equal 1, then it's very likely to have an inverse. And computing inverses in rings like this, it's just the Euclidean algorithm. And again, for lack of time, I'm not going to go through that, but you might work out why. Computing inverses is equivalent to the Euclidean algorithm. And the explicit condition to have an inverse is that a of x and x to the n minus 1 are relatively prime in the ring of polynomials with mod q coefficients. And if they're relatively prime, you know how to use the Euclidean algorithm to find an inverse. OK, here's how the NTRU encryption scheme works. I have to create keys. So there are three public parameters, n, which will more or less be the dimension. Well, it'll be the, in that ring I just talked about, that's the n there, the x to the n minus 1 you're modding out by, n will be prime. p and q normally also are primes that are relatively prime to one another. p is tiny. It's just used at the end for something else I'll show you. And q and n are about the same size. And I realized I didn't put on the slide, but let me just tell you sort of numbers to give you an idea of what these are. 
These aren't cryptographically sized primes, hundreds of digits. These are small primes. So n might be some prime between 250 and 1,000. OK, that's not the number of bits. That's the actual number. OK, I'm like, OK. And I was going to give you an example of such a prime, but I know if I pick a number in that range, I'm going to get a composite number and embarrass myself. OK, I'll mention in the original paper, two of the things we put, I think it was 251 and 503 were proposals for n. I think those are both primes. p is normally either 2 or 3. Often 3 is the most efficient, it turns out. Anyway, so it's tiny. And q is a prime, usually roughly half the size of n, or maybe around the size of n, or maybe double the size of n, but somewhere in there. OK, so also not very big. Great. Now Alice needs to choose her secret key. And her secret key is two of these two polynomials having small coefficients. OK, usually just 0's, 1's, and minus 1's. So there better be enough of those polynomials in the ring so that Eve can't run through and check all of them.
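
Added example, not part of the lecture: the convolution product computed from its coordinate formula and as polynomial multiplication with x^n replaced by 1, plus inversion in R_q by the extended Euclidean algorithm. The function names, the toy parameters n = 7 and q = 41, and the sample polynomial are assumptions constructed for illustration.

```python
# Added example: arithmetic in R_q = (Z/qZ)[x]/(x^n - 1) with q prime; toy sizes only.

def fold(p, n, q):
    """Apply x^n = 1: coefficients whose index agrees mod n are added together."""
    return [sum(p[k::n]) % q for k in range(n)]

def conv(a, b, q):
    """Coordinate formula for a * b: c_k = sum_i a_i * b_{(k - i) mod n}."""
    n = len(a)
    return [sum(a[i] * b[(k - i) % n] for i in range(n)) % q for k in range(n)]

def poly_mul(a, b, q):
    """Same product the other way: multiply as polynomials, then fold x^n to 1."""
    n = len(a)
    full = [sum(a[i] * b[d - i] for i in range(n) if 0 <= d - i < n) for d in range(2 * n - 1)]
    return fold(full, n, q)

def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def divmod_poly(a, b, q):  # long division in (Z/qZ)[x]; b is nonzero and trimmed
    a, quo = a[:], [0] * max(len(a) - len(b) + 1, 1)
    lead_inv = pow(b[-1], -1, q)
    while len(a) >= len(b):
        s, c = len(a) - len(b), a[-1] * lead_inv % q
        quo[s] = c
        for i, bi in enumerate(b):
            a[s + i] = (a[s + i] - c * bi) % q
        trim(a)  # the leading term cancels, so the degree drops every pass
    return trim(quo), a

def inverse(a, q):
    """Extended Euclid on (x^n - 1, a); returns None if they share a factor mod q."""
    n = len(a)
    r0, r1 = [q - 1] + [0] * (n - 1) + [1], trim([c % q for c in a])
    t0, t1 = [0] * n, [1] + [0] * (n - 1)  # invariant: t_i * a = r_i in R_q
    while r1:
        quo, rem = divmod_poly(r0, r1, q)
        r0, r1 = r1, rem
        t0, t1 = t1, [(x - y) % q for x, y in zip(t0, conv(fold(quo, n, q), t1, q))]
    if len(r0) != 1:
        return None
    g_inv = pow(r0[0], -1, q)
    return [c * g_inv % q for c in t0]

Q, F = 41, [-1, 0, 1, 1, -1, 0, 1]  # constructed input: x^6 - x^4 + x^3 + x^2 - 1, n = 7
F_INV = inverse(F, Q)
```

A polynomial such as 1 - x, which shares the factor x - 1 with x^n - 1, makes `inverse` return `None` instead of a list.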