Okay, so there's a set that needs to be big enough. So she picks these two small polynomials. I'm gonna say, I keep saying small polynomial, which is a misnomer, that means a polynomial with small coefficients. And small here we'll take to mean zeros, ones and minus ones for coefficients. Okay. And she computes the inverse of the little f in the mod q ring and the mod p ring. Okay. Well, what happens if those inverses don't exist? I said they usually exist. Well, if they don't exist, she just goes back and picks a different f. It won't take her very long to find one that works. And then her public key is little g, this small polynomial, multiplied not by little f, but by the inverse of little f mod q. And that computation, again, is done where the coefficients of the polynomials are mod q coefficients. Okay. And now her public key is h. Her private key is this little polynomial, small coefficient polynomial, little f. She might wanna save this f sub p also. It'll make decryption quicker. But she can always just recompute it, right? As long as she knows little f. And the nice thing here, you may notice, the public key is a single polynomial. It's a single vector. So rather than being a whole basis for a lattice, it's like giving one vector that'll be a basis for an n dimensional lattice. Actually a two n dimensional lattice it'll turn out. Okay. And that's why the public keys are so much smaller. Okay. Onward. How does Bob send Alice a message? Well, his plain text or his message is a polynomial, again, with pretty small coefficients, namely mod p. Remember p was a really small prime? And I said take p to be three. And if you take, for example, p to be three, then Bob's plain text is just a polynomial whose coefficients could also be zeros, ones and minus ones. Because those are the numbers mod three. They could use zero, one and two instead. Okay. And as in, as we've seen most crypto systems, there's some randomness introduced. So he also picks a small polynomial r. 
Again, say random polynomial with zero one minus one coefficients. And he forms this quantity and I, yeah. And I've kind of switched, I've been using dot for multiplication in the quotient ring and star for convolution product, they're the same. So you could write this convolution product if you prefer. Anyway, he takes the random small polynomial and multiplies it by h in that quotient ring. He also multiplies every coefficient by p. p is just a scalar, so you just multiply all the coefficients by p. And then he adds on his message, his plain text, which is a small polynomial, and reduces all the coefficients mod q. This is a very, very fast operation. It's essentially just one multiplication in that quotient ring, plus some additions and some reductions mod q. We're doing pretty fine, not so good. Okay. How does decryption work? Well, the first thing Alice does is she takes Bob's ciphertext, his e, and she multiplies it by her private small f. And she reduces the coefficients mod q. Okay. But there's some ambiguity there when you reduce mod q, right? You could, there are lots of coset representatives for integers when you do mod q. So it turns out that there's a particular interval of length q that she should reduce the coefficients into. It depends on the other parameters. If you set things up properly, then she should reduce the, she should take the coefficients of a between minus q over two and q over two. So sort of in a symmetric interval. I think there's a question. You'll have to speak much louder, I can't hear you. No, just asking, is m meant to be defined over z mod p or z mod q? I still can't understand. Sorry. It's fine. I think it's a typo. No, no, actually, if you want to take your mask off for two seconds, I think that's the problem with it. I was just asking, is m meant to be defined over the field with p elements or with q elements? M, this m? Yes. The m is, has mod p coefficients. There are n coefficients there, it's a vector. 
Yes, but then how is e defined? E? What is the image of it? Oh, here's my, well, yeah. Good point, really, yes, good point, thank you. M, I said, has mod p coefficients and then lift them to integers. You might as well lift them to integers between minus p over two and p over two. It won't matter in the end, but you have to lift them to something. Yeah, thanks. Yeah, thank you, okay. Okay, so to reiterate, so Alice has multiplied the ciphertext by her private f to get a and reduce mod q, but then she lifts the coefficients to integers in a particular interval. So now a is actually a polynomial with integer coefficients. She multiplies it by this capital F sub p, which you'll remember was the inverse of little f mod p and reduces the coefficients mod p and lo and behold, she'll get m back. Why? Here's why it works. Just briefly, so what is the a that Alice is computing? Well, she first, she does e times f mod q. That was the first step, but what was e? Remember, this is how Bob created e was p times r times h plus m, so I just substituted that in here, right? And now let's just multiply the f through using the distributive law. So I get m times f, that's fine, but h times f is g mod q. Because remember, h was little g times the inverse of little f mod q. This is where, this is why I put that inverse in. So the capital F sub q times little f cancel. They're one mod q. So we just get p times r times g plus m times f, but, and this is where the smallness comes in. The coefficients of all of the polynomials in this expression are small, okay? As integers, so when I multiply it all out, I still just get small coefficients. So even though in principle, Alice only knows this quantity mod q, the coefficients are so small, she can pick the interval where they lie, and she can actually recover this exactly with integer coefficients. So the a that she creates equals this polynomial exactly, not mod q anymore. 
So she's, for example, she could reduce this mod p and get rid of that. And that's essentially what the decryption is. I did it sort of in fewer steps, but let me say it in words here. What she does is she reduces the a mod p, this goes away, and then she multiplies by the inverse of little f mod p. And that recovers little m mod p, but remember m was, its coefficients were mod p anyway, so she knows what m is. Okay. What in the world does that have to do with lattices? And by the way, this was the observation of Bjorn's, how to convert this into a lattice problem. There's a question there. And Bjorn, could you give her the microphone? Really, can I hear it? How do you choose the interval? How do you choose the interval? If you choose sort of everything symmetrically about the origin, then you can simply choose it between minus q over two and q over two. So if you take the r coefficients to be half ones and half minus ones or third ones, okay. But if you, the short answer is it's a little messy, but it just depends on which sets you're choosing the m from, the r from, the little f from, the little g from. And usually people choose them symmetrically about the origin and then you would just choose it symmetrically about the origin, between minus q over two and q over two. You're welcome. Okay. So, remember, Alice's public key is this single polynomial h whose coefficients are h zero, h one, h two, six. So I'm gonna form this huge two n by two n matrix. And it's actually not that complicated. It's got four blocks. That's the identity matrix in the upper left. Even easier, the lower left is the zero matrix. The lower right is also the identity matrix, except I'm, well, it's now multiplied by q. So it's a diagonal matrix with q's. And even the upper right here, I mean this is messier, but it's not complicated. The first row is the coefficients of h. The second row, I simply shift the entries one to the right and then the h n minus one flips over to the front. 
And then you just keep doing these barrel shifts. So by the last row, h zero's gotten pushed all the way to the right and everything else has gotten pushed in. Okay. So it's a sort of a convolution kind of matrix. So easy enough. And what I'm gonna do is look at the lattice that's spanned by the rows of this matrix. I actually prefer to write lattices using column vectors, but Jeff really likes rows.
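
The key generation, encryption and decryption steps described above, together with the fact that (f, g) lies in the lattice spanned by the rows of the two n by two n matrix, as an added Python example that is not part of the talk. The toy parameters N = 11, p = 3, q = 97 and all function names are assumptions; q is taken prime here so that one inversion routine serves both moduli, and the sizes are far too small for real use.

```python
import secrets

N, P, Q = 11, 3, 97  # toy sizes (assumed); Q is prime here so one inverse routine serves both moduli

def conv(a, b, mod=None):  # product in Z[x]/(x^N - 1): exponents wrap around mod N
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return [x % mod for x in c] if mod else c

def center(a, mod):  # lift residues to the symmetric interval around zero
    return [(x + mod // 2) % mod - mod // 2 for x in a]

def inverse(f, prime):  # solve f*F = 1 mod prime on the circulant system; None if f has no inverse
    M = [[f[(k - j) % N] % prime for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, prime)
        M[col] = [x * inv % prime for x in M[col]]
        for r in range(N):
            if r != col:
                M[r] = [(x - M[r][col] * y) % prime for x, y in zip(M[r], M[col])]
    return [row[N] for row in M]

def small(rng=secrets):  # polynomial with coefficients in {-1, 0, 1}
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng=secrets):
    while True:  # retry until f is invertible mod p and mod q
        f, g = small(rng), small(rng)
        Fp, Fq = inverse(f, P), inverse(f, Q)
        if Fp is not None and Fq is not None:
            return conv(Fq, g, Q), (f, Fp), g  # public h, private (f, F_p); g returned only for checking

def encrypt(h, m, rng=secrets):
    r = small(rng)  # fresh randomness per message
    return [(P * x + mi) % Q for x, mi in zip(conv(r, h, Q), m)]  # e = p*r*h + m mod q

def decrypt(priv, e):
    f, Fp = priv
    a = center(conv(f, e, Q), Q)  # equals p*r*g + m*f exactly, since |coeff| <= 4N = 44 < Q/2
    return center(conv(Fp, a, P), P)

def in_lattice(h, f, g):  # (f, g) = f*[I | H] + u*[0 | qI] for an integer u  <=>  f*h - g is 0 mod q
    return all((x - y) % Q == 0 for x, y in zip(conv(f, h), g))
```

With these sizes every coefficient of p·r·g + m·f has absolute value at most 44, which is below q/2, so the centered lift in `decrypt` always recovers it exactly; shrinking q below that bound produces decryption failures.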