Alright, so let's take a look at one of the more interesting applications of lattice reduction algorithms, and that's the use of LLL to attack a certain type of RSA encryption. And this emerges as follows. So say I have an RSA system with public exponent E, and suppose I'm using it to encrypt essentially a form letter type message. So for example, a letter that says your password is and here's what it is. Your account number is this, attack at some time, and in general I can think about that plaintext message M as consisting of some base portion, which is completely known. We know what this is, we know what this is, we know what this is, whatever, and then we have the significant bits, the part that we don't know that are what distinguishes the form letters. So whatever the password, the account number, the time of the attack, and so on. If I have a low encryption exponent, I can use LLL to break this type of encryption.

So let our RSA system have a low public exponent E, public modulus N, and assume that I'm using it to send messages of some particular form where T is a known value and X is the significant portion of the message, satisfying X between 0 and M. Now breaking the RSA encryption requires, or can be done, by solving the congruence ciphertext congruent to (T plus X) to the E mod N for my value of X, and I can convert this into a shortest vector problem and then use LLL to solve the corresponding problem. Provided that E is small enough for LLL to give us a good solution and provided some other requirements are met, we can break the RSA encryption in polynomial time.

So here's our basic concept. So suppose I have X being some solution to a particular congruence where for whatever reason we know that our value of X is some place between 0 and some minimum value. In other words, we've been able to trap the solution X in some particular interval.
Now the idea here is that f of X belongs to some family of polynomials, all equivalent to mod N, and one of these families, one of the members of this family will have a root X equals X0, that's a root in the equality, so that f of X0 equals 0 where f is the polynomial we're actually looking for, and note that this is an equality here, which corresponds to a particular congruence mod N. Now what we're going to do is we're going to apply a scaling factor, produce a scaled polynomial, and then our scaled polynomial will have a solution that's in the interval between 0 and 1, and as it turns out, this scaled polynomial will be a solution to the shortest vector problem, and then we can scale it back, define f of X, we could solve the equation for X0, and that will give us a solution to the congruence.

And so let's take a slightly more detailed overview. So let's have the actual congruence, so here's a congruence I want to solve, it's some polynomial equation mod N, and I'm going to consider the lattice that's going to be spanned by the following basis vectors, v1 is going to consist of N, the modulus, v2 is going to consist of the maximum value of X times the modulus, v3, 0s, and then M squared times the modulus, and so on, all the way down to vN, which is going to be the all 0s except for the next to last component, the penultimate component if you want to show your erudition, M to the power N minus 1 times N, and then the last basis vector of our lattice is going to consist of the coefficients of this polynomial multiplied by the corresponding power of M, and the reason for that is if you go back to the original logic that we were applying is we scaled this polynomial by factor M, and what that means is that all of our coefficients are going to go up by that factor, and then if we wanted to look at all the polynomials that were equivalent to this one, well I can add any multiple of N that I want to, there's my v1, I can add any multiple of M times N to this 
coefficient, and there's my v2, and so on, so what I have is I have my scaled polynomial, and then if I add any one of these vectors here, or form any linear combination, what I get is a vector that corresponds to a polynomial that is equivalent to this one. Some place in the lattice spanned by all of these is the polynomial that I want, and that someplace turns out to solve the shortest vector problem, so let's find the shortest vector in that lattice, and I'm going to find the solutions to this equation, so if my shortest vector is in the lattice, it's going to correspond to a particular polynomial, which is going to be, again, I scaled this polynomial by factor M, I'm going to scale it back by factor 1 over M, and that gives me a new polynomial, which is an equality, but I can then try to solve this one, and because I am now working with equalities, I can hit this with everything I have in terms of numerical analysis. I can solve this using Newton's method, or bisection, or whatever I want to, and again, under the right conditions, when I solve this equation, I'll get something that will tell me a solution to the original congruence.
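
The lattice described above, carried through on a toy instance, as an added Python example (not code from the lecture). The function names, the 160-bit modulus, the known prefix and the 24-bit unknown are constructed assumptions. Because the root is an integer below M = 2^bits, the final step lifts it bit by bit instead of using Newton's method or bisection.

```python
from fractions import Fraction
from math import comb

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    Bs, mu = [], [[Fraction(0)] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):   # textbook LLL, exact rationals, tiny lattices only
    B, k = [list(r) for r in B], 1
    while k < len(B):
        for j in range(k - 1, -1, -1):              # size-reduce row k
            q = round(gram_schmidt(B)[1][k][j])
            B[k] = [x - q * y for x, y in zip(B[k], B[j])]
        Bs, mu = gram_schmidt(B)
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                  # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
    return B

def recover_x(N, e, c, T, bits):
    """Solve (T + x)^e = c (mod N) for 0 <= x < M = 2^bits with the lattice above."""
    M = 1 << bits
    a = [comb(e, i) * T ** (e - i) % N for i in range(e + 1)]   # (T + x)^e, low degree first
    a[0] = (a[0] - c) % N                                       # f(x) = (T + x)^e - c
    B = [[N * M**i if j == i else 0 for j in range(e + 1)] for i in range(e)]
    B.append([a[i] * M**i for i in range(e + 1)])               # coefficients of f scaled by M^i
    g = [v // M**i for i, v in enumerate(lll(B)[0])]            # short vector, scaled back by 1/M
    poly = lambda x: sum(co * x**i for i, co in enumerate(g))
    roots = [0]                                     # lift integer roots of g one bit at a time
    for k in range(bits):
        roots = [x for r in roots for x in (r, r | 1 << k) if poly(x) % (2 << k) == 0]
    return [x for x in roots if pow(T + x, e, N) == c]

# Constructed demo values: toy modulus (its factors are never used), 24-bit unknown
N = (2**64 - 59) * (2**96 - 17)
T = int.from_bytes(b"your PIN is ", "big") << 24
C = pow(T + 0xC0FFEE, 3, N)
if __name__ == "__main__": print(recover_x(N, 3, C, T, 24))
```

Recovery works here because the message is unpadded and the unknown part is short relative to N^(1/e); with e = 3 and this four-row lattice the bound is roughly M < N^(1/6). Randomized padding such as OAEP removes the known-prefix structure the lattice relies on.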