 So, let's continue our example of the use of the GGH cryptosystem. And so, we have a cryptographic system, Alice chooses two reasonably, or in this case, perfectly orthogonal vectors, v1 and v2, as the private basis. She then computes two badly orthogonal vectors, very nearly parallel vectors, w1 and w2, as the public basis, and she identifies that a noise vector can have components between negative 10 and positive 10. So, now Bob wants to encrypt a message, 3527, and then we want to show that Alice is able to decrypt it, and Eve is not. So, let's take a look at that. So, again, our message can be, first of all, converted into a linear combination of our public basis vectors. So, that's going to be 35w127w2. So, I'll compute what that is. So, my message vector is going to correspond to this vector, 57941, 10,013. Now, I want to then add in a noise vector, add in some sort of random vector, and again, our components are going to be between negative 10 and 10, and so maybe I'll choose negative 9 too, and so Bob then computes this as the encrypted value. So, Bob sends the same encrypted value out. Now, Alice knows the private basis of nearly orthogonal vectors, and that means that we can apply a Bewey's algorithm to find the closest lattice point. So, she uses her private basis and solves for the point that's closest to this one, and using Bewey's algorithm, we find that a1 is close to 251, and a2 is close to 1282, and so that suggests that the closest lattice point is going to be 251v1 plus 1282v2 is going to be this point here. And what this tells Alice is that Bob must have computed this as a linear combination of the public basis vectors, and there's a noise vector, but she doesn't really need that. She could just ignore that. And now I can solve the linear combination problem a second time by finding the linear combination that's equal to the vector that Bob actually computed, and that allows Alice to recover m equals 31, m2 equals 27, which is the correct original message. Now, what about Eve? Well, again, Bob has sent this encrypted value here, so Eve can try to solve the closest vector problem, but she has to use the public basis to do so. Well, we can still apply Bob's algorithm and try and recover the coefficients of the linear combination that produced something close to this, and so she looks for a linear combination of the public basis vectors that give you the encrypted message, and when she solves that, she finds that m1 is about 38.26, and m2 is 26.59, and this gives her the incorrect decryption of the message, m equals 38, m2 equals 27. So Eve tries to use her device algorithm to find the public basis, but because she's not working with the orthogonal vectors, she does not recover the original message. Now, let's think a little bit about the security of GGH in general. We will see that algorithms do exist for recovering a reasonably orthogonal set of basis vectors, so in general we want to use a large enough vector space, and typically we're talking about more than 300 or so basis vectors. Now, you might say, well, maybe Eve can look at all the points that are close to the encrypted value. She knows this encrypted value is close to the actual message, and she knows what the noise vectors look like, so she knows that the actually computed message vector is going to be plus or minus some amount from here. Well, this isn't actually very feasible, since our noise vector, even in this R2 case, our noise vector adds one of 20 possible integers to each component, and so that says that there's 20 squared, there's 400 points that are close to the encrypted value, and well, it wouldn't be too difficult to compute the corresponding message for each of those 400 points. This is a vector in R2, and we're just using two basis vectors. If I'm using 300 basis vectors, that's going to give me something like 20 to the 300. That's about 10 to the power of 390 nearby points, and it's computationally impractical to look at all those nearby points. This type of lattice system has a very number of very nice features to it. Again, it's very difficult to try and guess what the original value is, because there's too many things that are close by. The other thing that's worth noting is that when Bob tried to encrypt a value, what he had to do was two things. He had to find a vector that was a linear combination whose coefficients were determined by his actual message, and then he picked a random noise vector and added it, and what this means is that this encrypted value is very easy to obtain computationally. Again, it's worth contrasting if you look at something like RSA or El Gamal. Very few people would ever use one of these systems to encrypt a value by hand without access to some technology. Here, we can actually find this encrypted value fairly easily. It'll take us a minute or so to run the computations, but the actual computations are very simple and very easily done by hand, and what this means is that in terms of encrypting a message, GGH is very easy to use. Now, the real work takes place at the back, so Alice has to do a fair bit of work to try and recover Bob's original message, but we might assume that in most cases the person who is encrypting the information has less computational power at their disposal. They're using a cell phone, they're using something that doesn't have a lot of computing power, and if it's easy for them to encrypt information, they're more likely it is more practical for them to do so.