Yeah, and basically you would, in the extrusion, you would take all possible sets of private keys, so you'd get this huge collection of potential fundamental domains. You take the intersection of them, and then you'd look at the biggest box that fits in that intersection. Okay, in practice you can sort of estimate how big it would be. But that's an excellent question, also in practice for GGH.

Okay, so this is what I said: you'd leak no information because the outputs look the same. But that's a really good question, because it determines how hard it actually is to find a signature that Alice wants to release. But how many times does she do that two-through-four loop, choosing new random things? That depends on how big the box is. And it turns out for GGH, if you want a box that's okay for sort of most choices of private keys, the box is really, really small, and your chance of Alice generating a valid signature is very, very small, and it becomes totally impractical, or at least highly inefficient. You really don't want to generate, you know, a hundred million potential signatures to get a good one. I mean, a 1% success rate's probably okay, because it's pretty fast; 50% would be even better.

So Little Lyubashevsky and others did, I mean, he didn't just propose this as: you could do this with GGH, but it's completely pointless.
So why bother, because it's impractical? They actually figured out how to use this in, well, not GGH, but another lattice-based scheme. And interestingly, they didn't make the output end up as uniformly distributed in a box. What they did was they made the outputs normally distributed, Gaussian distributed, in a certain range, which helped with the practicality. It also made it much more complicated, because internal to the signatures you have to keep generating random numbers that are Gaussian distributed, while most random number generators give you a uniform distribution output. So you kind of have to use rejection sampling in the middle there to turn the uniform distribution into a Gaussian distribution, and then you use that to potentially reject your signatures. However, they're very clever people, and people since then have improved it even more. And Falcon, the signature scheme I mentioned for NIST, in fact does use this Gaussian kind of thing to improve the efficiency. Anyway, it's pretty cool.

But what I thought I'd do today is try to describe for you a rejection sampling scheme which actually literally is just trying to produce a uniform distribution, so that your signatures and my signatures and Alice's signatures and Bob's signatures, the list of signatures all looks the same. It's uniformly distributed in some sort of region. And I actually did write out a complete description of the signature scheme, and then a complete description of rejection sampling and how it works and why it works, and that would have taken too long. So what I'm going to skip is a description of the signature scheme itself. I'm just going to tell you what the signatures look like and how you would do the rejection sampling, and then we'll prove: if you don't do rejection sampling, here's how you can break it, and if you do do rejection sampling, literally the signatures have no information content about the private key.

Okay. So the scheme again uses the, I usually call this a cyclotomic ring.
It's a product of cyclotomic rings, so integer-coefficient polynomials of degree at most n minus one, and you multiply mod x to the n minus one, so the same ring that we were using before. As usual, we'll write a polynomial as sum, i equals zero to n minus one, with coefficients. If it's in the ring R, of course, it has coefficients in Z, and I'll write absolute sub infinity for the infinity norm, also called the sup norm or the max norm: just the maximum of the absolute value of the coefficients.

Okay. And what I want to do is I want to define a box in here, right? I mean, if you ignore the multiplication structure but just think of this as a Z-module, this is just Z to the n, Z cross Z cross Z cross Z, n times, and you're adding vectors by adding coordinates. And I want a notation for a box in there, where the first coordinate's in a certain range, the second coordinate and the third coordinate, and that's this R square bracket b. It's the set of polynomials, or if you like the set of vectors, whose largest coordinate is no more than b. Okay, so for example, if n is 2, so we're in two-space, those are the pictures we saw before, this would literally just be a little square. Except, yeah, except these are in R, so the integer ones, so it's a box in the lattice.

As an example, what's R square bracket one? That's all the polynomials of degree up to n minus one, or all these n-tuples of integers, such that every integer is less than or equal to one, so it's zero, one, or minus one. Okay, people sometimes call these trinary or ternary vectors or polynomials, right, by analogy with binary, where it's all zeros and ones. So trinary or ternary: minus one, zero, and one.

Okay. So here's our prototypical rejection sampling scheme. I'm going to set the parameter n, which as usual is just my x to the n minus one that we mod out by, and an integer k, which is going to, k is going to determine the box where we're willing to release signatures. You'll see that in a minute. What's Alice's secret key?
Well, for concreteness, let's say it's a polynomial with coefficients one, zero, and minus one, so a ternary polynomial. Alice also chooses just a random polynomial whose coefficients are between minus k and k. That's what the R square bracket k is: it's polynomials whose coefficients are between minus k and k. And when I say random, I mean uniformly randomly in this collection. And when signing, what she also does is she basically, she takes her document, her public key, and the random polynomial y, well, not quite, something related to the random polynomial y, and she hashes them all together. And she gets this small polynomial c, again with coefficients zero, one, and minus one, that comes out of a hash function. And that's what I don't want to go through, exactly where it comes from. So you can kind of think, this kind of magically appears, and it's associated to her public key and her document. Okay, eventually Alice is going to tell Bob what c is, so this will be a public quantity.

Okay. Alice's signature basically just computes this computation, and this is not quite right. I didn't mean to do this with integer coefficients. There should be a mod q here. Okay, just like we did with NTRU, you do this multiplication of these polynomials that have integer coefficients, and then, no, I take it back, this one doesn't have any reduction mod q. Let's do a rewind two sentences. Alice computes this polynomial, which is all just integer coefficients. So there's her private f that had small coefficients, the c that came out of the hash function that also has small coefficients, the y that she chose randomly that has sort of medium-sized coefficients, and easy enough, she computes that, and that's the signature s on her document. But she doesn't release it yet. There's the rejection sampling step: if any coefficient of s is bigger than k minus n, remember those are two parameters, then Alice doesn't like that signature. She rejects it.
She goes back to step three, chooses a new random y, and she keeps doing this until eventually all of her coefficients are less than k minus n. And then she publishes her signature, which is this s that's passed the rejection sampling step, and c, that she found in step four.

Okay, so I want to do two things for you. I want to show you first that if Alice skips the rejection step, and just at step five she publishes s, and she publishes a bunch of these signatures, then that's bad. You actually can recover her private key from that list of signatures. Then I'm going to show you that if she does include the rejection sampling step, the transcript contains no information about the private key.

So here, right, usually you're trying to prove transcript security, you're secure against attacks on transcripts. I'm going to prove transcript insecurity. Suppose Alice publishes a whole list of signatures, but she ignored the rejection sampling step, a very unwise thing to do. Here's the calculation. It looks a little complicated. Let me step through it step by step. Each step is not that complicated, and the reason for it is not that complicated. So what Alice is going to do is she's going to take the signatures, she's basically, she's going to prove, she's going to compute an average of the products of the s_i times c_i: s_1 times c_1, s_2 times c_2, s_3 times c_3, and so on. But there's a slight wrinkle. Remember that the s's are polynomials, right, in that polynomial, and the c's are also. She'll multiply s_i of x times c_i evaluated at x to the n minus one instead of at x. Remember, x to the n is really one, right? We're modding out by x to the n minus one, so in the ring this is actually x inverse. It's the inverse of x in that ring, if you like. Anyway, it's easy enough to compute this in the ring. She does it how many times? Well, I use capital T for that; that's how many signatures are in the transcript, say a hundred, a thousand, a million, a lot. Even if it's a hundred million, this is perfectly reasonable to compute