is, as far as we know, no. If you start with a really symmetric lattice like this, the best algorithms we know to find short vectors are the LLL and BKZ algorithms. And you feed this lattice in, and remember what LLL is doing. It's swapping things and changing. Within just the first few iterations, it has completely messed up the underlying symmetry of the inputs. And it doesn't seem to run faster than on more or less random lattices of the same thing. Having said that, cryptographers are very, very conservative. And I left off about 12 "maybe"s in that sentence. So people, yes, are worried about having the symmetry. That's one reason, for example, actually, that Falcon, I guess, which is the one I'm most familiar with, recommends using either x^n + 1 with n a power of 2, or x^n - x - 1 with some various n values, or maybe x^n + x + 1, which gets rid of the cyclotomic symmetries. And it's there not because someone knows how to attack the cyclotomic one better, but simply for caution. And you can even go further than that. I mean, in some sense, GGH should be more secure, maybe, than any of these. These have not, well, I mean, these are based on rings and ideals in rings, and simply having that multiplication structure is extra structure. But again, no one's been able to exploit that significantly. And the learning with errors I mentioned, it's also used in some of the NIST selections. There's a sort of pure learning with errors, but it's not that efficient. And there's a ring learning with errors that has an underlying ring. It's more efficient, but again, people wonder, does that structure...? Yeah. I've answered this too long. I actually hate it when someone asks, when I'm in the audience, someone asks a question, and the speaker goes on and on. But I still have one more thing to say, which is that any time there's symmetry, you need to worry about it and look at it. But no one's found any problems. Any other questions? I'll go in back.
I cannot hear. Bjorn's going to come back with a microphone. And I will mention this is partly masks, partly distance, and partly my hearing's not that great at this point. So it's not you.

The GGH protocol which relies on CVP. Hold it close to your mouth. The GGH protocol which relies on CVP, it kind of feels like a characteristic-zero version of decoding an error-correcting code in order to decrypt.

It's very closely related to error-correcting codes, yeah. And there are other quantum-secure public key cryptosystems based purely on error-correcting codes. It's a little bit different. But the decryption process for an error-correcting code, I think, is actually more efficient than this even, or more direct. But yes, they are closely related. And their key sizes are roughly the same size also. They grow like n squared. Yeah.

You mentioned that the Ajtai-Dwork cryptosystem had average-case/worst-case equivalence. Is there anything similar that could be said about GGH or NTRU?

Not my area of expertise, really. But my understanding is that I don't think there are average-case/worst-case reductions for NTRU or for GGH as it's formulated, or for learning with errors either. There are various sorts of reduction things. So for example, I'm pretty sure, like for NTRU, you can prove that someone who can, yeah, maybe you can prove that someone who can decrypt messages actually can recover a usable private key and use it to encrypt also. There are reductions like that. I'm more familiar with those for the signature schemes. Yeah, it's a huge industry, much of it quite interesting, much of it very technical, of trying to say that solving this problem is equivalent to solving that problem or allows you to solve that problem, and all sorts of techniques have been used for that. For example, a lot of graph theory and expander graphs and stuff, sometimes you can use to analyze the difficulty of one thing in terms of another. Sure, any questions? Over here.
Your convolution product.

Good question. So the convolution product is the same as the ring modded out by x^n - 1. If you change to some other quotient ring, yeah, if you change to x^n + 1, it's essentially a convolution product, but there are a whole bunch of minus signs introduced, as you'd expect. If you change to x^n - x - 1, it's not a convolution product at all. It's just a quotient ring product. You can write down the matrix for it, but the matrix for multiplication will be less symmetric. It's usually better to think of it. Well, in the general case, it's better to think of the rings. The reason it's useful, thinking of the convolution product, if you're using that case, is because you can do the multiplications using discrete Fourier transforms, and they get much faster. So with the convolution product, you're doing n dot products, because each coordinate's a dot product. So it sounds like it's n squared multiplications. It's not. It's n log n multiplications, because you can use discrete Fourier transforms, or what's called Karatsuba multiplication. OK? Yeah. Yeah.

Yes, so you mentioned earlier that we cannot really just naively implement the algorithms as they're presented here for real-world problems, otherwise they are easily broken. So I'm wondering if you can give maybe just some examples of the modifications people need to make.

OK. Yeah, and when I said easily, I kind of meant that there's potential ways. Yeah. Yeah, I guess the most natural example is if you don't introduce randomness. You remember the thing last time I said, you should take a random bit string and then XOR the message with the random string and then encrypt that. If you don't do that, if you just send the message. So for example, in RSA, if someone could guess the first half of the bits in your message, it turns out they can then recover the other half of the bits. This is a beautiful construction of Don Coppersmith's. Now that may seem so.
I mean, how could someone guess the first half of the bits in your message? But I mean, you might very well start your message, "Dear," and your friend's name, "we had an interesting week." I mean, you can guess what parts of the message. In fact, of course, this is how old-style decryption went frequently. You tried to guess a phrase that was in the message. So that's one example of where you need to be careful. For, yeah, for El Gamal, it depends on the discrete log. So you're working in Z mod p, the multiplicative group of Z mod p. Well, it turns out if p minus 1 is a product of fairly small primes, it's easy to solve the discrete log problem. Who knew? It turns out, in the elliptic curve case, there are even a lot more situations where it turns out it's easy to break that particular one. And we don't really have great proof. So for the elliptic curve cryptosystems, basically, the way you pick your elliptic curve and your point is you pick a curve and a point that isn't in one of these categories we know are bad. But we don't know there aren't other bad categories. Yeah, so that sort of answers your question. OK, sure. OK, so we're at 9:29, so I think we should probably wrap it up for today. And I just want to remind you that today's problem session this morning is also Drew Sutherland's lectures. So he'll be doing that kind of stuff. And tomorrow we'll be back doing crypto stuff in the problem session. OK? So I'll see everyone tomorrow. Thank you. Thank you. Thank you.
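As an added illustration of the convolution-product answer above (example code, not part of the lecture): multiplication in Z[x]/(f) for the three moduli the speaker names, the multiplication matrix of a ring element (circulant for x^n - 1, circulant with sign flips for x^n + 1, less symmetric for x^n - x - 1), and the cyclic case computed both as n dot products and in O(n log n) via a discrete Fourier transform. The function names and the sample coefficients are my own choices.

```python
# Added example (not from the lecture): multiplication in Z[x]/(f) for the quotient
# rings discussed -- x^n - 1 (cyclic convolution), x^n + 1 (negacyclic), x^n - x - 1.
import cmath

def poly_mul_mod(a, b, f):
    """a*b mod f. Coefficients low-degree first; f is monic of degree n = len(a)."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # Reduce from the top using x^n = -(f[0] + f[1] x + ... + f[n-1] x^(n-1)).
    for k in range(len(prod) - 1, n - 1, -1):
        c, prod[k] = prod[k], 0
        for t in range(n):
            prod[k - n + t] -= c * f[t]
    return prod[:n]

def mul_matrix(a, f):
    """Matrix M with M[i][j] = coeff of x^i in a*x^j mod f, so M @ b == a*b mod f."""
    n = len(f) - 1
    cols = [poly_mul_mod(a, [int(k == j) for k in range(n)], f) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def cyclic_convolution(a, b):
    """Direct n^2 cyclic convolution: each coordinate is a dot product of a with a rotated b."""
    n = len(a)
    return [sum(a[i] * b[(k - i) % n] for i in range(n)) for k in range(n)]

def _fft(v, inverse=False):
    """Recursive radix-2 FFT (len(v) a power of two); unnormalised inverse when inverse=True."""
    n = len(v)
    if n == 1:
        return [complex(v[0])]
    ev, od = _fft(v[0::2], inverse), _fft(v[1::2], inverse)
    sgn = 1 if inverse else -1
    out = [0j] * n
    for k in range(n // 2):
        w = cmath.exp(sgn * 2j * cmath.pi * k / n) * od[k]
        out[k], out[k + n // 2] = ev[k] + w, ev[k] - w
    return out

def fft_cyclic_convolution(a, b):
    """Same product as cyclic_convolution in O(n log n); n must be a power of two."""
    c = _fft([x * y for x, y in zip(_fft(a), _fft(b))], inverse=True)
    return [round(z.real / len(a)) for z in c]

def moduli(n):
    # The three moduli as monic coefficient lists (index n holds the leading 1).
    return {"x^n-1": [-1] + [0] * (n - 1) + [1], "x^n+1": [1] + [0] * (n - 1) + [1],
            "x^n-x-1": [-1, -1] + [0] * (n - 2) + [1]}
```

For the constructed element a = 1 + 2x + 3x^2 + 4x^3, `mul_matrix(a, moduli(4)["x^n-1"])` is the circulant matrix whose first row is [1, 4, 3, 2], while the x^n + 1 version has first row [1, -4, -3, -2].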