row vectors, so he's kind of converted me to be a row vector person. So we'll take the rows of this rather than the columns, okay? So each row is a vector, and I'm taking the 2n-dimensional lattice that they span. And here's another way to describe it, which is convenient if you're doing sort of theoretical computations. It's if I identify the polynomial h with a vector with n coordinates and say b has n coordinates, then L sub h is the sublattice of Z to the 2n consisting of pairs a and b, where a convolution product with Alice's public key is congruent to b mod q. Nice exercise to show that these give the same lattice. Essentially this matrix here is embedding what convolution product looks like with these shifts.

Alright, well, what does an NTRU public-private key pair look like? Remember Alice's public key, h, fits into this equation. Little f and little g are small, and h was g times f inverse. So moving to the other side, f times h is g mod q. That should look very familiar from the previous line. We're looking at all the solutions to something times h equals something. It's the exact same equation except with f and g instead of a and b. So that tells me that the vector whose first n coordinates are the coordinates of f and the second n coordinates are the coordinates of g is actually in this lattice L sub h. And remember Eve knows L sub h. h is the public key. She can create that lattice because it just depended on h, or, there's some q's in it. So Eve knows a lattice that contains this very short vector. So she breaks the system by solving the shortest vector problem, if she can do that. And I put in a few equations. Basically if you want to see why (f, g) is in the lattice in terms of the row vectors, this is how you create a vector. So you take f0 times the first row, f1 times the second row, and then u0 times the n plus first row, where u is created in a certain way.
And if you multiply it all out, again you'll see that the vector with the f and g coordinates is actually in this lattice L. And given the time, this, let me just do this really quickly, it turns out that, well, I just showed you how you can solve the shortest vector problem to find the private key. Alternatively, if you have Bob's ciphertext, you can find the plaintext by solving a closest vector problem, similar kind of thing. And these are the details of it. I'll let you look at it, and it's in a slightly different lattice. But in any case the conclusion is that recovering the plaintext is equivalent to solving a closest vector problem here. That's a similar calculation.

Okay, so here are a few notes about NTRU. First I said that lattice contains the short vector (f, g). It actually contains a whole bunch of short vectors, because if you multiply the polynomials f and g by the same power of x, it'll still be in the lattice. So there's actually this n-dimensional subspace spanned by short vectors in this 2n-dimensional space. And a fun exercise is to show that using the private key, using the little f that Alice knows by the little g, you can phrase decryption, which I phrased using multiplication of the polynomial ring. You can phrase it as solving a CVP problem in this n-dimensional subspace. And the method, the decryption method, is pretty much Babai's method, but translated over using ring multiplication. And I'll mention you should always take n to be prime. Okay, your polynomials should always, the ring should be modded out by x to the n minus 1. Otherwise you can solve a lower dimensional problem, it turns out. In particular, for example, if n is even, there's a lattice problem of half the dimension which will break it. So you certainly don't want n to be even. And actually, I probably should have put it up here. That observation at the bottom was by a cryptographer named Alex May. Okay, there are many variants of NTRU.
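The two descriptions of the lattice L sub h above, and the remark that every rotation (x^k f, x^k g) is also a short vector in it, can be checked concretely. The following is an added example, not code from the lecture; it uses constructed toy parameters (n = 7, q = 29, chosen prime so f inverse mod q can be found by Gauss-Jordan elimination, and specific small f and g) that are far too small for real NTRU. It builds the 2n by 2n row basis [I | M_h] over [0 | qI], rebuilds (f, g) as the row combination the lecture describes (f_i times the first n rows, u_j times the last n rows, with u = (g - f*h)/q), and tests membership via the congruence a * h = b mod q.

```python
"""Added example: the NTRU lattice L_h and the short vector (f, g) inside it.
Parameters n = 7, q = 29 and the polynomials f, g are constructed for this demo."""
from typing import Dict, List

Poly = List[int]  # coefficients c[0..n-1] of c_0 + c_1 x + ... in Z[x]/(x^n - 1)


def conv(a: Poly, b: Poly, n: int) -> Poly:
    """Cyclic convolution: the product in Z[x]/(x^n - 1), no modular reduction."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return c


def rotate(a: Poly, k: int, n: int) -> Poly:
    """Multiply by x^k in Z[x]/(x^n - 1): a cyclic shift of the coefficients."""
    return [a[(i - k) % n] for i in range(n)]


def circulant(h: Poly, n: int) -> List[Poly]:
    """Rows x^0 h, x^1 h, ..., x^(n-1) h. With row vectors, a * h == a . M_h."""
    return [rotate(h, i, n) for i in range(n)]


def inverse_mod_q(f: Poly, n: int, q: int) -> Poly:
    """f^{-1} in Z_q[x]/(x^n - 1) for prime q: Gauss-Jordan on [M_f | I].
    Row 0 of M_f^{-1} is f^{-1}. Raises ValueError if f is not invertible."""
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(circulant(f, n))]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % q), None)
        if piv is None:
            raise ValueError("f is not invertible mod q")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [(x * inv) % q for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] % q:
                fac = m[r][col]
                m[r] = [(x - fac * y) % q for x, y in zip(m[r], m[col])]
    return m[0][n:]


def keygen(f: Poly, g: Poly, n: int, q: int) -> Poly:
    """Public key h = g * f^{-1} mod q, coefficients reduced into [0, q)."""
    return [c % q for c in conv(g, inverse_mod_q(f, n, q), n)]


def ntru_lattice_basis(h: Poly, n: int, q: int) -> List[List[int]]:
    """First description: 2n rows, [I | M_h] on top and [0 | qI] below."""
    top = [[int(i == j) for j in range(n)] + rotate(h, i, n) for i in range(n)]
    bottom = [[0] * n + [q * int(i == j) for j in range(n)] for i in range(n)]
    return top + bottom


def in_lattice(v: List[int], h: Poly, n: int, q: int) -> bool:
    """Second description: (a, b) is in L_h iff a * h == b (mod q)."""
    a, b = v[:n], v[n:]
    return all((x - y) % q == 0 for x, y in zip(conv(a, h, n), b))


def combination_of_rows(f: Poly, g: Poly, h: Poly, n: int, q: int) -> List[int]:
    """Rebuild (f, g) as sum_i f_i * row_i + sum_j u_j * row_{n+j},
    with u = (g - f*h) / q, which is an integer vector because f*h == g mod q."""
    basis = ntru_lattice_basis(h, n, q)
    fh = conv(f, h, n)
    u = [(gi - fhi) // q for gi, fhi in zip(g, fh)]
    coeffs = list(f) + u
    return [sum(c * row[k] for c, row in zip(coeffs, basis)) for k in range(2 * n)]


def sq_norm(v: List[int]) -> int:
    return sum(x * x for x in v)


def demo() -> Dict[str, object]:
    n, q = 7, 29
    f = [1, 1, 0, -1, 0, 0, 0]  # 1 + x - x^3 (constructed; invertible mod 29)
    g = [0, -1, 1, 0, 0, 1, 0]  # -x + x^2 + x^5 (constructed)
    h = keygen(f, g, n, q)
    basis = ntru_lattice_basis(h, n, q)
    fg = f + g
    return {
        "fg_in_lattice": in_lattice(fg, h, n, q),
        "rows_combine_to_fg": combination_of_rows(f, g, h, n, q) == fg,
        "every_basis_row_in_lattice": all(in_lattice(r, h, n, q) for r in basis),
        "rotations_in_lattice": all(
            in_lattice(rotate(f, k, n) + rotate(g, k, n), h, n, q) for k in range(n)),
        "sq_norm_fg": sq_norm(fg),
        "min_sq_norm_basis_row": min(sq_norm(r) for r in basis),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the numbers make is the one in the talk: every row of the public basis is long (the bottom rows have squared length q squared, the top rows carry the full-size coefficients of h), while the private vector (f, g) and its n rotations have squared length 6, so an attacker holding only h is reduced to finding an unusually short vector in a lattice she can write down herself.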
A lot of people have kind of objected that, I mean, x to the n minus 1 factors, even if n's prime, right? It's got an x minus 1 in it. And that means there's a tiny leakage of information, and dealing with it is a little bit of a nuisance. So people suggested using x to the n plus 1 instead, but they wanted that to be irreducible over Q. And as you all probably know, it's irreducible over Q if and only if n is a power of 2. And then it's the 2 to the k-th cyclotomic polynomial. So people use NTRU-like systems where they mod out by x to the n plus 1 and they take n to be a power of 2. Okay, not, not 8 or 16. That dimension's too small, but you take n, you know, 128 or 256 or 512. Honestly, in terms of practical security, there's very little difference between these. But in terms of theoretical, trying to write down proofs that breaking the system is equivalent to solving this lattice problem, it's, it's, it's easier using the cyclotomic polynomial.

And people also have considered, instead of using a cyclotomic polynomial at all or a product of them, just using an arbitrary polynomial with small coefficients. The problem is it all gets less efficient the more complicated the polynomial is you mod out by. But for example, people often use x to the n, x to the n minus x minus 1. So x to the n minus x minus 1. And there are a lot of n's where that's irreducible. And it's still very small coefficients. It's actually quite an interesting problem theoretically of how can you find trinomials, in other words, polynomials with only three non-zero coefficients, that are irreducible. Interesting number theory problem. And then one looks at, well, basically one does the same thing. The key to the construction, though, is that whatever polynomial you mod out by, it needs to have small coefficients. And the reason is so that when you multiply two small polynomials and then take the remainder modulo p of x, you still want relatively small coefficients.
And that will happen provided p of x itself has small coefficients. That's a lie. It's sort of true. But what's really important is how big the roots of phi of x are. And a cyclotomic polynomial like these two, the roots are roots of unity. They have absolute value one. And the other polynomial will have at least one root whose absolute value is bigger than one, but you want a polynomial that's not too much bigger. Okay? So it's, you know, I said the average coefficient size, yeah, so it depends on the size of the roots of phi of x. And really it depends on the size of the biggest root. Okay. All right. Oops. Good. Okay. That was all that was in there. Yeah.

Okay. So this is sort of what I would call vanilla NTRU. The RSA that I showed you last time, that's vanilla RSA and vanilla El Gamal. If you implement these in software exactly as I presented them to you, they will almost certainly have problems, various insecurity problems. Okay. So there's all sorts of sort of subtleties. But this is a basic underlying idea. And the NIST finalists for these post-quantum things, NIST chose one public key cryptosystem and three digital signature schemes. One of the digital signature schemes is based very closely on this. One of the other signature schemes and the public key cryptosystem use sort of related lattices. Okay. So a lot of this can be traced back to that. And I don't say that to try to get credit for myself. What I really want to do is, the initial idea and the initial development, and it was really a brilliant idea, of using these quotient rings to get more efficiency is due to Jeff Hoffstein. And he really deserves a lot of credit for that. And his name is, he's one of the people on one of the NIST finalists, the digital signature scheme, which, you know, people gave names to their schemes, some of which are better than others. But the one that Jeff was involved with is called Falcon, which I really like. Okay. So it's like 9:20.
So I think I'll stop there and open the floor for questions. And you're gonna have to speak really loudly, but I would love to hear questions. Can I see the mic? Great question. The question is, the cyclotomic lattices that I would, that we're using, or equivalently modding out by x to the n minus one, have a lot of symmetry. And can those be exploited? They can be very slightly exploited. And maybe you can, it's relatively easy, I guess, to pick up a speed factor of n. But that's just a few bits of security. So the real answer