Okay, and with that, I'll leave you with the experts. Please welcome them with a lot of applause. Is my mic on? Oh, there we go. Thank you all for being here, and I especially appreciate your fortitude in coming to a heavy-duty math talk at 10:15 p.m. on day number two. So we are going to talk about how to use lattices in cryptography. And because we're going to be doing a lot of coding in this talk, we have put all of the code from our slides online at this fine website. So if you want to pull out your laptops and play along with us during the talk and make sure that everything works, you are welcome to do that right now. You can copy-paste all of our code samples into Sage as we're going along. So, here are some headlines about cryptography. Cryptography appears a lot in the news lately, and every once in a while there's an article that is not about Bitcoin or cryptocurrency or blockchains. Here are a couple of examples. And all of these articles, these popularizations of cryptography research, have something in common: lattices. So this is the topic of our talk for you today. Why are people talking about lattices in cryptography? There are basically two things that you can do with lattices in crypto. Number one, we can break stuff, which is super fun. For basically every kind of crypto that you can think of, there's probably some way to break it using lattices, including long-broken old public-key cryptosystems, cryptosystems that we're still using today, and tomorrow's cryptosystems. The other thing that you can do with lattices is make cryptography, including futuristic things like post-quantum cryptography and fully homomorphic encryption. People have even tried to do things like indistinguishability obfuscation, but maybe that was a bad idea. We'll find out in 20 years. So, okay. This talk is going to happen in multiple parts.
We're going to break stuff, we're gonna make stuff. So if you get lost in one part, maybe you can catch up in another piece. Okay. So what is a lattice? This is not a lattice. This is a lattice. Okay, I apologize to all the non-native English speakers in the room and our translators. Okay, lattice, lattice, not a lattice. Definitely not. So for the purposes of this talk — there are actually multiple kinds of lattices in mathematics — the kind that we're going to talk about is a repeating grid of points in n-dimensional space. So we have n-dimensional Euclidean space; hopefully you can imagine n dimensions, and think of a repeating grid of points. It looks something like this in two dimensions. This is a lattice of lattices. I just put this in to mess with the translators, so I apologize to our fine translators. But slightly more seriously: we're going to have abstract-looking points, but you can think of the points as actually representing mathematical objects like polynomials. Later on in the talk, we're going to see lattices of polynomials. So you can think of each lattice point as representing some kind of mathematical object — here, a lattice, or maybe something else. All right, joking aside, for all these points you need to have some structure in place. So for instance, instead of a picture that just shows lattice points all over the place, we can also take these two vectors. Imagine there's a zero point over here, and from there we have these two vectors going out, two arrows. And these are chosen so that every other dot can be reached with some combination of those. So to get up here, you take this one twice; to get over here, you take this one twice and subtract that one. Every dot can be reached with those two vectors. Now these are not unique: the green ones also form a basis, or the blue ones, which are very long and stretched.
But again, integer combinations of B3 and B4 can reach all the dots. When you learned about coordinate systems, you learned about, say, the real numbers, and you had x-y coordinates. The difference here is that we only allow integer multiples, only entire copies of these vectors. There's nothing between those dots. You can't take half of B3; if you take half of B3, you land here, and there's nothing there. It's like a game board: you can't stop just anywhere, you can only hop to the next dot. And if you want to describe these with more math, then we go for coordinate systems. So for instance, this B1 vector is something like two over and 3.4 up. So this coordinate is 2 and this one is 3.4. And to store those, we put them in the top row of a matrix: this is the first coordinate, this is the second coordinate. And for the second vector, the same thing in the next row. Now, two dimensions is very small, but when you look at something like this, you get a little bit of tunnel vision. There's an origin somewhere in there, and you can see this is only three dimensions. In crypto, we're gonna use lattices with a few hundred up to a thousand dimensions. We're not gonna do that with pictures; I think we will be totally fine with having coordinates for those. Then the top row is gonna have a thousand entries, and there are gonna be a thousand such rows, so each basis vector has its own row. Mathematically, there's no problem going beyond dimension three, but we'll go back to dimension two. So now we understand what a lattice is. Why do we care about lattices? What are we gonna do with them? For this talk, most of what we're going to do with lattices is find short vectors in them. We saw that we could have multiple bases for the same lattice. Some of them might have super long vectors, but we're interested in finding pretty short vectors in some lattice, given an arbitrary description of the lattice. This is called the shortest vector problem.
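To make the "integer combinations only" rule concrete, here is a tiny Python sketch. The basis coordinates here are invented example values, not the ones on the slide:

```python
# A lattice basis as a matrix: one basis vector per row, as described above.
# These particular coordinates are made up for illustration.
basis = [[2, 3],   # b1
         [3, 1]]   # b2

def lattice_point(c1, c2):
    """Integer combination c1*b1 + c2*b2 -- hopping from dot to dot."""
    return [c1 * basis[0][0] + c2 * basis[1][0],
            c1 * basis[0][1] + c2 * basis[1][1]]

print(lattice_point(2, -1))   # take b1 twice and subtract b2
```

Calling `lattice_point` with non-integer coefficients would land you between the dots, which is exactly what the lattice forbids.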
The shortest vector problem is, generally: given some description of a lattice, find the shortest vector. There are a few ways that you can try to compute this. This problem turns out to be pretty hard to solve exactly. The fastest algorithms that we have to compute the shortest vector exactly in a lattice run in exponential time in the dimension — so two to the n in dimension n. But you can compute an approximation of the shortest vector — something that's kind of short, but not exactly the shortest vector — in polynomial time, which is fast enough for the purposes of computer science. So you have that option also. Hard to solve exactly, easy to solve approximately: that's our setup. And in this talk, the specific algorithm that we'll be using to compute approximate short vectors is called the LLL algorithm, named after its inventors Lenstra, Lenstra, and Lovász. The input to this algorithm is some lattice basis in n dimensions. The output is a pretty short vector in the lattice, where "pretty short" means that the Euclidean length of that vector is something exponential in the dimension times the length of the actual shortest vector. This doesn't look super impressive, but it turns out to be non-trivial to find, and it is good enough for our purposes in breaking a lot of cryptography. That's the part that we're excited about. So, the LLL algorithm. All right, we're gonna use some examples with Sage, which is a lot like Python plus a bunch of functions that you might not have seen before — which is kind of like Python itself, which is Python with a lot of functions you might not have seen before. Some of them are pretty obvious and the same as in Python: you type two times three, it tells you six. Oops, wrong way.
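In Sage you just call `.LLL()` on a matrix, but to take a little of the magic away, here is a minimal from-scratch sketch of the textbook LLL algorithm in plain Python with exact rational arithmetic (δ = 3/4, recomputing Gram-Schmidt naively; fine for toy examples, far too slow for real cryptanalysis):

```python
from fractions import Fraction

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL reduction; returns a basis whose first vector is short."""
    B = [[Fraction(x) for x in row] for row in basis]
    n = len(B)

    def dot(u, v):
        return sum(a * b for a, b in zip(u, v))

    def gso():
        # Gram-Schmidt orthogonalization: B* vectors and mu coefficients.
        Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = B[i][:]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gso()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):           # size reduction
            q = round(mu[k][j])
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                Bs, mu = gso()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k-1] ** 2) * dot(Bs[k-1], Bs[k-1]):
            k += 1                               # Lovász condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]      # swap and step back
            Bs, mu = gso()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in B]

print(lll([[201, 37], [1648, 297]]))  # the first row comes out short
```

The input basis here is an arbitrary long-and-skewed example; LLL turns it into the short, nearly orthogonal basis {(1, 32), (40, 1)} of the same lattice.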
If you type two and then a caret symbol — which is shift-six for the Americans, or maybe it's to the left of the one key for the Germans — that is not exclusive-or, that's exponentiation, which is how people who type mathematics in the TeX language, or LaTeX, write exponentiation. So two to the three is eight. There are all sorts of functions which do what you might expect: if you factor an integer or a polynomial, then x squared minus nine is x plus three times x minus three, or you can ask for the roots of a polynomial — x squared minus nine has minus three and three. What are those ones doing there? That's the multiplicity, the number of times that a root shows up. So if you factored x squared, it would tell you that, well, that's x minus zero with multiplicity two. And there are various other functions that get more and more complicated. There are some useful functions like generating random primes. This is like randrange, but it gives you a random prime number, and it goes up to two to the 512 — again, that caret is exponentiation, it's two to the 512th power. And if you have two prime numbers like this P and Q, you can multiply them together to get a big number N, and hey, suddenly we're doing the RSA cryptosystem. Then choose some exponent for RSA, like exponent three, and you can encrypt a message: you take some message, which is an integer modulo N, and compute pow. Now that actually is a Python function; you can use pow in Python itself. The random_prime you need Sage for, or you have to implement it yourself, but pow you can do in straight-up Python, and that gives you message to the power E modulo N, and that's your ciphertext — for instance, the third power of a message modulo N. And then there's some slightly more complicated procedure for figuring out the exponent that you need to decrypt, using the same pow function again.
There are lots of warnings that we should be giving about how to implement RSA — don't do exactly this for RSA. Some of the warnings you'll actually see later from some attacks, but there are many, many more warnings if you're actually gonna write a crypto library; you should do something which has a lot more protections than what we're showing you. We're just gonna do the math details and not get into all sorts of other attacks that are out there. So the thing that we want to take from the previous slide is that we care somehow about factoring. We want RSA to be secure so that we have a secure internet, which means that it should be hard to factor this modulus N. So how hard is factoring? I don't know, it seems pretty hard. Let's build the internet. Sounds good. For this next section, we're gonna talk about how to factor with lattices. We care about factoring for the purposes of proving, or at least establishing, the security of RSA. So how hard is factoring really? Some of you may have seen our talk a few years ago. All right, let's explore the parameter space of this problem. I have my modulus N, which I've colored purple, and two primes P and Q, with P times Q equal to N. That's the setup. So if I give you P and Q and N, then you know how to factor N, because I gave you the factors. The problem is easy, right? Okay, we're good with that part. If I give you N and one of the factors P, then you can still factor N, because you can use division to get Q, and you're done. So we're still in good territory. If I give you neither of the factors P and Q, but just N, then I hope this problem is hard, because otherwise the internet is broken. Currently the best algorithm that we have for factoring in this case runs in sub-exponential time in the length of the modulus N. Current record: nobody has factored the RSA-1024 challenge in public yet.
Maybe the NSA has factored numbers of this size, I don't know. If you're super excited about this topic, you can see our talk at 29C3 for more information. So this case is somewhat hard. Let's do something a little bit more exciting. What if I give you something like this — half the bits of P and half the bits of Q? If they happen to be arranged like this, this turns out to be really easy: you can divide and rearrange a couple of bits and just recover both P and Q. It's a little surprising, but there's no real situation in which you can imagine this being relevant to your daily life, right? Let's make this a little bit more exciting. What about this? Is this easier or harder? This is halfway in between something that's easy and something that's hard. Where do we stand? This is more exciting. All right, so it turns out that with this kind of information — if I give you half of the bits of P, say the most significant half of the bits of P, although it doesn't really matter which half I give you — then you can factor N in polynomial time. Even though the remaining half of the bits of P that you don't know is gigantic, and you can't brute-force it, we're doing something super interesting here. And it turns out that the way you do this is with lattices, hence the subject of our talk. So let's see how this works. This is a little cryptographic magic trick. This is all Sage code that you can run, so if you don't believe me that this works, you can totally run it yourself and verify that it works. So I'm gonna do my little magic trick here. I generate 512-bit primes P and Q. Totally legitimate, nothing up my sleeve. These are honest primes, whatever Sage does to generate a prime. I multiply them together to get N as their product. And then I generate this value A, which is most of the bits of P except for the least significant 86 bits.
So if I look at this value A in hexadecimal, there's a bunch of zeros in the least significant bits. That's because I've deleted the least significant bits. So I learn most of P but not all of it. And 86 bits is enough that I definitely shouldn't be able to brute-force this on my laptop, and I wouldn't even be able to run a square-root-time algorithm on my laptop fast enough to get this done in time for the talk, okay? So what I want to do is recover the factorization of the RSA modulus N here with only this partial information about the key, not the full key. How do I do that? I construct a matrix. We talked about matrices and lattices being somehow connected. My matrix contains my value A, which is the bits of P that I'm allowed to know, and N, and some other things that are also public. And then I run my magic LLL algorithm on it, okay? So here comes the magic trick. I take the output of the LLL algorithm, I construct a polynomial somehow from the vector that I got from LLL, and if I compute the roots of that polynomial, I have magically recovered P. Magic. The rabbit appeared again; I don't know where it came from. What just happened? I hope you're confused, because you should be confused. But I hope you believe this works: somehow magic has happened and I have factored very efficiently. Okay, so this is an example of what's called Coppersmith's method. Coppersmith is one of the greatest cryptanalysts of the 20th century, and probably one of the greatest cryptanalysts of the 21st century, except we don't really know, because he works for the US government now. But hopefully we'll find out in 50 years. I'm super excited. Anyway, all of his work is amazing, at least the stuff we know about in public. And actually his original paper from 1996, which describes the generalization of this method, is pretty hard to read.
So what I'm gonna present is a simplification which is due to Howgrave-Graham several years later. But of course the simplification still has multiple steps and looks very confusing — that's the state of cryptanalysis. So I will explain what's going on in English, and it will probably still look like magic. What I just did, in English, step by step: I wrote down some polynomial — in this case a linear polynomial, A plus x, where x is gonna be my unknown — that has a pretty small root mod P. I don't even know P. I know that P divides N; I know N, but I don't know P. But somehow this fact still helps me. I constructed a lattice basis from the coefficients of some polynomials that I could just write down, that I knew vanished mod P if I evaluated them at the root R — you know, A plus x, x times (A plus x), and so on: sounds good, throw them in the lattice basis. Run LLL on this lattice basis. It gives me a short vector, and then I turn that short vector back into a polynomial, compute its roots, and magically the piece of the prime that I was looking for is one of the roots of this polynomial. And I can prove that this is the case. But this is like magic. The lattice is doing something. At this point I expect you're all kind of like: "then a miracle occurs", where the miracle is somehow LLL. You throw some crypto keys into LLL and magically private keys fall out. I don't know what happens. I mean, even mathematicians who've been studying this stuff for years still feel like this, because LLL works way better than it's supposed to. We don't really know why. So there you go. If you don't believe us, we have fully weaponized code on the website; you can try it out and see what you can get from it. So when I got into crypto, there were a lot of these studies. I mean, Coppersmith had published his paper and Howgrave-Graham had made it comprehensible.
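For the curious, here is what one small instance of that lattice basis can look like, in the spirit of Howgrave-Graham's construction (a sketch, not necessarily the exact matrix on the slide). With A the known high bits, N the modulus, and X a bound on the unknown low bits r, take the coefficient vectors of the polynomials x(x + A), x + A, and N, each written out at xX:

```latex
B \;=\;
\begin{pmatrix}
X^2 & AX & 0 \\
0   & X  & A \\
0   & 0  & N
\end{pmatrix}
```

Each row corresponds to a polynomial that vanishes mod P at x = r, so every integer combination of rows does too; if LLL finds a combination p with coefficients so small that |p(r)| < P, then p(r) must be exactly zero over the integers, and r pops out as an honest integer root.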
And there were lots of grad students publishing papers: what if you know not this piece of P but that piece of P, or this piece, or some chunks of something. There were lots of theoretical papers, but would anybody be so stupid as to give you a whole chunk of P? I mean, Nadia was artificially cutting off the last 86 bits; this is nothing that you would see in practice. Now, in 2012 we had our first encounter with Coppersmith in the wild. This was just after 29C3, where we gave our talk here, when a friend of ours said: by the way, we factored some Taiwanese smart card keys and they look kind of funny. Now, fast-forward to this year: there was a great paper at this year's USENIX conference by a group of Czech researchers. They had noticed something about some cards by Infineon — a big German chip manufacturer; if you have one of those external PGP devices or such, they might have such a chip. They termed it ROCA, Return of Coppersmith's Attack, and it went through the news sometime this fall. They had noticed that Infineon is generating their primes in a very strange way. This is not how you generate primes. I mean, you can search through a whole bunch of those things and you'll get a prime, but why? So what was known here was this M — oh, and the G is also known. With a lot of massaging and searching around, they managed to get this A, this little exponent A there, into a sufficiently small set that you could search it. So then you pick one of those A's, compute G to the A mod M, and use Coppersmith's attack to get K. If you get a number, then probably it's a factor: test it. If you don't get a number, well, too bad; just try the next A. This looks the same as in Nadia's part of the talk, just not dimension three but somewhat larger dimensions. And in the paper they go through lots of variations of how to trade off the number of A's you try against the dimension of the lattice.
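Just to illustrate that strange key structure — this is not Infineon's actual code, and it uses a tiny toy M and an invented exponent a — primes of the ROCA form p = k·M + (g^a mod M) can be generated like this:

```python
import random

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Toy version of the ROCA key structure: p = k*M + (g^a mod M), with M a
# product of small primes and g = 65537.  Only k and a vary, which is why
# the attackers could search for a and use Coppersmith to recover k.
M = 2 * 3 * 5 * 7 * 11 * 13 * 17 * 19 * 23   # tiny toy M; the real one is huge
g = 65537
a = 9                                        # invented "secret" exponent
k = 1
while not is_probable_prime(k * M + pow(g, a, M)):
    k += 1
p = k * M + pow(g, a, M)
print(p, p % M == pow(g, a, M))
```

The point is how little entropy is left: the whole prime is determined by the small numbers k and a, instead of being a uniformly random prime.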
So there are a lot of trade-offs, but this actually factored 1024-bit and 2048-bit RSA keys that were used in real life. RSA, of course, is in much more trouble if somebody builds a quantum computer of any reasonable size. Then Shor's algorithm is going to factor RSA-1024, RSA-2048, RSA-4096 — it's gonna be a nightmare. When is this gonna happen? Well, that's not entirely clear. There are some predictions. For instance, back in 2015, when we gave the PQCHacks talk, Michele Mosca, the deputy director of the Institute for Quantum Computing at the University of Waterloo, said: half a chance of factoring RSA-2048 by 2031. And then just this year, Darío Gil — this is somebody who's a vice president at IBM, the head of IBM Q. Now, with a name like Q, thinking about the James Bond films, this must be something cool, and it is. This is IBM's quantum computer, dare I say, weaponization division — their commercial quantum computer division. They're actually working on building a useful quantum computer that they can sell. And he says: we're gonna look back in history and say that the five-year period starting last year is the real start of quantum technology, not just research as a scientific field. And he was advertising their 50-qubit quantum processor. Now, how does this compare to what you need for Shor's algorithm? Well, the usual estimate is that Shor's algorithm needs two times the number of bits in your RSA modulus — well, somebody else's RSA modulus, that would be illegal; your own test RSA modulus that you're trying to factor. You need twice that number of qubits for Shor's algorithm to run. And qubits are these quantum bits inside a quantum computer. So how does that compare to maybe five qubits last year, 17 or 49 qubits this year, 200 qubits next year? It sounds like within a few years we'll be up to 4,096 qubits, and that's the end for RSA-2048. Except, well, there's actually a little less to panic about.
It's gonna be a few years further, because Shor's algorithm needs 4,096 perfect qubits, and what's being built are qubits that only last a little while and then degrade. You have to do some sort of error correction, and it's not like normal error correction, where you say the same thing three times, and if somebody only heard it once, they'll figure it out, and if they heard it twice with an error, they'll figure it out. For quantum bits you need something like 1,000 physical qubits — 1,000 times the size of your computation — to simulate one good qubit, assuming your qubits are at the level of reliability that we think is reasonably achievable. Which means Shor needs 4,096 times 1,000 qubits, and that's several doublings further away. It's gonna be some years, maybe around 2031, before somebody in public is factoring RSA-2048. So what do we do about this? Well, post-quantum cryptography: there are lots of replacements for RSA that we don't know how to break with quantum algorithms like Shor's algorithm. And NIST a year ago called for submissions of proposals for standardization. The deadline was the end of last month; they got 82 submissions. And they put up this table, which classifies these submissions into lattice-based, code-based, multivariate, hash-based — you can see the numbers of submissions for encryption and signatures. At PQCHacks, we talked about code-based and hash-based systems, because those are the longest-lasting post-quantum proposals. There are some systems from 40 years ago, code-based and hash-based proposals, which seem to survive quantum computers. There are also lots of code-based and hash-based systems that are much newer, but at least there are some that go way back, and if you're willing to pay the expense of them, then it seems that you can get security. What that means is: nobody has come up with a quantum algorithm that breaks them. Lattice-based and multivariate, those go back about 20 years.
There are some lattice and multivariate proposals that we don't know how to break, even if somebody builds a big quantum computer. And then "other": there are things like isogenies, published about 10 years ago. For the first proposal, somebody came up with a pretty good quantum attack. Now there are supersingular isogenies, which have held up for a few years, but maybe they won't continue to hold up. NIST put up the list of submissions a week ago. So we'll be hearing quite a bit more about these submissions — not in this talk, but over the next few years — as people study their security and figure out whether these are things we can actually trust to protect our data against a big quantum computer. They only posted 69 instead of the 82 that they received, because they said, well, the other 13 were not complete or not following the rules. So we were down to 69 submissions a week ago, and now we're down to somewhat fewer submissions. There are some that I put in red here. Three hours after NIST posted this list of submissions — Guess Again is in red there — Lorenz Panny, who might be in the audience, and in any case will be able to see the video later, posted a script which retrieves a Guess Again plaintext from a ciphertext. Without the secret key. So that's the end of Guess Again. And that was, okay, three hours and 10 minutes. That's good work. Yeah, all right, Lorenz. RVB, another one there, was also broken by somebody named Lorenz Panny. And then, let's see: HK17, that's one that Tanja and I put up a script that breaks. The three that I mentioned so far — HK17, RVB, Guess Again — those are "other" submissions, and maybe those haven't been studied so much. But what about a code-based submission, like RaCoSS, a random-code-based signature scheme? Well, Tanja and I, and also Andreas Hülsing, and also somebody named Lorenz Panny, posted a script which, well, completely breaks RaCoSS.
Actually, we came up with three different attacks. Maybe it's okay with bigger parameters, but it's not something you should use with the parameters they submitted. And then another example, HILA5 — or, for the Dutch people in the audience, this sounds like "helaas". This proposal is, well, okay if you use it with signatures that stop chosen-ciphertext attacks, if somebody else gives you a signature scheme like in TLS. But the submission claimed chosen-ciphertext security. And we posted a script — we being Tanja and me again, and Leon Groot Bruinderink, and also somebody named Lorenz Panny. You've got to watch out for this guy. All right, so at this point there are still some submissions left, and we'll be hearing more about what gets broken by Lorenz, and maybe some other people, in the future. Okay, since we heard so much about breaking stuff, let's break some more RSA just for fun. I want to show you another variation of how to break RSA with lattices, which is Coppersmith's small-public-exponent attack. All right, this is audience participation time. Here's some code. I take a message, which is "squeamish ossifrage", however you pronounce that. I turn it into an integer by treating it as base 35 — this is just so I can print it out nicely on the screen; there's nothing really complicated going on here. I generate a perfectly legitimate RSA modulus with 1024 bits, and I encrypt my message with RSA by cubing it mod n. All right, there's a problem here. What's the problem? It's too small. Thank you, good — some people in the audience are still following. We've got a problem, which is that the ciphertext is smaller than n. In fact, the message cubed is smaller than n, so the modular reduction mod n doesn't do anything, and we can just compute cube roots over the integers, easily. So this is not secure RSA encryption. Okay, problem. This is why you use padding schemes for RSA, right?
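The attack in this m³ < n case is literally just an integer cube root. A plain-Python sketch, with a made-up oversized stand-in for the 1024-bit modulus (its only role here is to be bigger than m³) and the bytes-to-integer encoding swapped in for the slide's base-35 trick:

```python
def icbrt(n):
    """Exact integer cube root by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

m = int.from_bytes(b"squeamish ossifrage", "big")  # message as an integer
n = (1 << 1024) + 643           # stand-in "modulus"; only its size matters here
c = pow(m, 3, n)                # textbook RSA with e = 3: but m**3 < n!
recovered = icbrt(c)            # so the mod did nothing; the cube root is exact
print(recovered.to_bytes((recovered.bit_length() + 7) // 8, "big"))
```

No secret key, no lattice, no factoring: the reduction mod n never happened, so the "ciphertext" is just m³ sitting in plain sight.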
One of the many reasons. Okay, so: message too small, message cubed less than n, modular reduction does nothing — that means you're not actually doing RSA. Here's a variant of this problem that's a little bit more complicated. I made my modulus n a little bit smaller just so the example could fit on the screen, but that's not going to be the issue here. I generate a perfectly legitimate RSA modulus, n, 300 bits — I'm not going to try to factor it, even though it's probably possible. Now I have a message, which is "the password for today is swordfish", turned into an integer in the same way as before; not trying to do anything super complicated. I do textbook RSA encryption by cubing the message mod n. Since my message is longer and my modulus is smaller, I don't have the same issue as before: if I just try to compute the cube root of the ciphertext, it is not equal to the message. So it's not broken that way. But there might still be an issue. Since this message has a particular format, you could imagine that an attacker could guess that the message is "the password for today is" something — maybe they know it's some password of nine characters, but they don't know what it is. So can they compute it? Say the attacker has guessed that the message looks like this, where they don't know some chunk of the message but they know the rest of it. So I have my value A, which is what the attacker has guessed. Here comes the magic trick again. I construct a matrix — it's going to have a lot of zeros in it — from my guess at what the message looks like, and the ciphertext, and the modulus. And I've just filled in zeros for the part of the message that I don't know yet. Okay, so I have this matrix. What do I do with it? I run LLL on it, as before. I get some vector. I construct a polynomial from the coefficients of this vector. And, you know, magic.
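Written out, the kind of matrix being built here looks like this (a sketch of one standard choice, not necessarily exactly the slide's). With A the guessed message with zeros in the unknown spot, c the ciphertext, n the modulus, and X a bound on the unknown piece r, take the coefficient vectors of (x + A)³ − c, nx², nx, and n, written out at xX:

```latex
\begin{pmatrix}
X^3 & 3AX^2 & 3A^2 X & A^3 - c \\
0   & nX^2  & 0      & 0 \\
0   & 0     & nX     & 0 \\
0   & 0     & 0      & n
\end{pmatrix}
```

Every row is a polynomial with root r mod n, so any short combination LLL finds is too; coefficients small enough force the value at r to be zero over the integers, and the unknown piece shows up as an honest root.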
And when I look at the roots of that polynomial, I get the piece of the message that I didn't know back out again. Magic trick. I hope you have been scared into never trying to implement RSA on your own at this point. So, okay, what's going on? It looks very much like before, so I'm gonna write this out in English. I don't expect you to necessarily be able to prove that this works, but just to verify that we're doing something. I wrote down some polynomial that has a pretty small root. In this case, I don't know what "swordfish" is, but I know that "swordfish" plus the thing that I guessed for the message is my message, and I know that if I cube that mod n, I get the ciphertext. So ("swordfish" plus A) cubed minus c should be zero mod n. Some polynomial; magic. I construct a lattice from the coefficient vectors of polynomials that vanish mod n. One of them is the thing that I wrote down there, and, I don't know, n times x squared seems good too. I call LLL. Magic happens and I wave my hands. And then somehow I get a polynomial out of LLL, and my solution, "swordfish", is a root of the corresponding polynomial. So this is Coppersmith's small-exponent RSA attack, and there are a bunch of variants of it. It's super cool. So if I've just freaked you out, here are some countermeasures against Coppersmith-style padding attacks, small exponents, et cetera. If you're worried about this, you could just not use RSA — that's one option. If you must use RSA, use a proper padding scheme: RSA-OAEP, that kind of thing. And if you must use RSA, don't use a small exponent e: use an exponent of at least 65537, and then this definitely doesn't work. Okay. So we actually didn't come here to talk about RSA the whole time; we also wanted to talk about constructive uses of lattices. So we're gonna talk about one of the oldest of the lattice-based cryptosystems, called NTRU. It's due to Hoffstein, Pipher, and Silverman.
The publication is from '98, and there are even some preprints, which are now online, from '96. They were looking for alternatives to RSA and ECC. They were pretty aggressive in their advertisements, and they did manage to get speeds that were faster than elliptic curves and RSA. Compared to ECC they still had larger key sizes and larger ciphertexts, but they were going for it just as a normal competitor. They were not so much running the "how we might be secure against quantum computers" angle — even though Shor's paper had appeared, this was not so much on people's minds. Now, they did a signature system and an encryption system. And the signature systems — multiple signature systems — had a bit of a bumpy ride. I remember being at Crypto 2006 when Phong Nguyen was giving yet another talk breaking some of the NTRU signature systems, and he was like: so, who in the audience has not yet broken an NTRU signature system? Well, for the designers it looked a little bit more like that. The encryption system has held up better. At the beginning the parameters were a little bit too small, but in principle it was fine. So there was a bunch of cryptanalysis during the last 20 years, but there wasn't all that much research into how to use it securely and efficiently. Just because you have a nice math system doesn't mean it's used properly — like RSA, where you take m to the three: all the things we've just seen are proper RSA but improperly used. So secure usage is usually a big issue, but not much happened on that. I think that's partially because the NTRU company had decided to patent this thing, and we were all like: why should I spend my time investigating a system which I can't actually freely use afterwards? By now the patent has expired, so I'm happy to talk about it and say, well, let's look at how it works and maybe we can break some stuff. First of all, we have to understand how NTRU works. With RSA, you've seen you need pretty large integers. With NTRU, we need polynomials.
And there's one system parameter, which is N; that's the limit on the degree of these polynomials. These are just integer polynomials, so you have coefficients zero, one, two, minus five, whatever. Real parameters use an N of around 250, but for the examples we're gonna choose something tiny like seven. If you have two such elements and you want to add them, you can just do this coefficient-wise. So a zero plus b zero is the coefficient of one, a one plus b one is the coefficient of x, and so on, all the way till x to the n minus one, which has the coefficient a sub n minus one plus b sub n minus one. We also want to multiply those. Now, if you multiply a polynomial of degree three with one of degree four, you're getting something of degree seven. But we would like to have something of small degree, so we need some way of wrapping around, and so they define a thing called the cyclic convolution, where you basically wrap everything around after n minus one. The rule for this is: for the coefficient of x to the one, for instance, you take the products a i times b j where the two indices sum up to one or to n plus one. And for x to the n minus one, they sum up to exactly n minus one. Okay, so this is a description we can compute with; we can teach it to a computer. If you want to know where it comes from, here's the same slide with a little bit more math notation. What we're actually doing is we work in the polynomial ring (that's just the fancy way of saying polynomials with integer coefficients) and then we reduce modulo x to the n minus one. This is the same kind of operation as when we say mod seven, where we take every multiple of seven and replace it by zero; here we replace every multiple of x to the n minus one by zero, or in other words we take x to the n and replace it by one. And then all the operations just work the same way, except we have to write an n minus one there. Well, let's see some numerical examples.
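The coefficient-wise addition and the wrapped-around multiplication just described can be sketched in a few lines of plain Python. The talk's own code uses Sage; the function names here (polyadd, convmul) are our own, and polynomials are just lists of n integer coefficients, lowest degree first.

```python
def polyadd(f, g):
    # coefficient-wise addition: a0+b0, a1+b1, ..., a_{n-1}+b_{n-1}
    return [a + b for a, b in zip(f, g)]

def convmul(f, g, n):
    # cyclic convolution: multiply in Z[x]/(x^n - 1),
    # so the product of x^i and x^j lands on x^((i+j) mod n)
    r = [0] * n
    for i in range(n):
        for j in range(n):
            r[(i + j) % n] += f[i] * g[j]
    return r

# toy example with n = 3: f = 3 + x + 4x^2, g = 2 + 7x + x^2;
# the x^3 and x^4 terms of the full product wrap around
print(convmul([3, 1, 4], [2, 7, 1], 3))   # → [35, 27, 18]
```

Multiplying by x (the list [0, 1, 0]) just rotates the coefficients, which matches the rotation behavior shown in the Sage demo later.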
All right, so let's dive in here, starting with a little bit of incomprehensible Sage notation for creating a type, a class Zx, which is gonna hold our polynomial objects. And looking at an example of that: this f here is a polynomial, four times x squared plus x plus three. So there's three terms in that, three things being added up; the coefficients are the integers four and one and three, which are multiplied by x squared and x and one. This is degree two; that's the biggest power of x that you see there, the exponent in that. If you multiply, then the distributive law says you're supposed to multiply each term that you're adding up by every other term you're adding up. Like if you multiply f times x, you multiply the three times x, get three x, multiply x times x, get x squared, and so on. And all of this is just built into Sage. Another example, multiplying by this other polynomial g: okay, there's a bunch of things, I won't go through all of them, but looking at the last coefficient of f, that three. It gets multiplied, maybe I'll point at them here: the three in f gets multiplied by the two in g, and that gives a six. And the three in f gets multiplied by seven times x, giving 21 times x. Wait a minute, 23 times x? Well, there's also a two times x, which adds to the 21 times x, giving 23 times x, et cetera. And you can multiply all these out by hand, or just tell Sage to do the work for you. All right, what about that multiplication operation with the n-coefficient things? Well, this is how you say that in Sage: you take two inputs, n-coefficient polynomials f and g, and multiply them. The percent is mod, just like in C: mod x to the n minus one. For instance, if n is three, take the same polynomial f. If you multiply f by x, then you get the same three x and x squared, and four x cubed. And what happened to the four x cubed? It turned into four. If you see x to the n, it turns into one. And if you see x to the n plus one, it turns into x, and so on.
And if you multiply f by x squared, then it rotates the coefficients again. And another example, the same f and g from before. If you do the convolution, you multiply f and g and then replace x cubed with one, which means you add the 29 into the six, producing 35, and so on, leaving you with only n coefficients. All right, back to the description. Okay, we've gotten a little more comfortable with our elements here. So we're gonna continue working with polynomials. But if you saw the last examples, then if you imagine multiplying repeatedly, or exponentiating, you see that the coefficients get larger and larger. So similar to RSA, we also need to reduce by some modulus, else we're gonna see the same squeamish ossifrage as before. We will need to have some more reduction here. So there will be another system parameter called q. It doesn't have to be prime; it's typically actually a power of two. And it just means we will have our coefficients bounded by at most q: once we reach q, we reduce mod it. There's one condition, that q is not divisible by three, because we will also have three running around as another modulus we reduce by. So we'll have two things to reduce by. We'll have this x to the n minus one, so we reduce the degree. And we will reduce the coefficients: to every single coefficient, each of those n coefficients, we will apply reduction mod q or reduction mod three. Good. We're now ready to get NTRU public keys and private keys. What we do is we pick two such polynomials. We're gonna be even more restrictive, because we're gonna make them small. So this f and g will only be allowed to have zeros and then a few plus and minus ones. So this is much, much smaller than q. We'll just allow a few ones and a few minus ones; it's gonna be a fixed number of those for f and a fixed number of those for g. And then, while in RSA we multiply our two secrets, here we have a different operation.
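Sampling such a small polynomial can be sketched in plain Python. This mirrors the idea of the randomdpoly helper from the talk's online code, but the name and interface here are our own: exactly d of the n coefficients are set to plus or minus one, the rest stay zero.

```python
from random import randrange

def random_small_poly(n, d):
    # n coefficients, exactly d of them nonzero, each chosen as +1 or -1
    f = [0] * n
    count = 0
    while count < d:
        i = randrange(n)
        if f[i] == 0:
            f[i] = 1 - 2 * randrange(2)   # +1 or -1 with equal probability
            count += 1
    return f

print(random_small_poly(7, 5))   # e.g. something like [1, 0, -1, 1, -1, 0, 1]
```

The while loop simply rerolls positions that are already taken, so the function always terminates with exactly d nonzero entries.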
We will search for an h such that h times f, with this cyclic convolution, gives three times g. Sometimes it doesn't work, so we have to try again with a different f. When you think of the math notation, we're actually dividing by this f, and not all f's are invertible; we can't divide by zero. So some of the f's we have to throw away and try again. Our public key is gonna be this h, and the private key is going to be the f. From h and f we can get g, so g is something we don't need to remember. There's also some more precomputed information; we only compute it once, because it takes some time. It's gonna be called f3, because it goes together with reduction mod three, and it's such that if I take f times f3, I'm getting one modulo three: a polynomial where all the coefficients for all the powers of x are zero, except for the constant term. Okay, now I come to the fullest slide in the talk. This is explaining how to encrypt and how to decrypt, except: don't do it this way. I mean, this way you get all the padding attacks and whatever, but this is giving the hard math problem. So this boils it down to something similar to RSA, where we say you have to factor; similarly, here we can distill the NTRU problem. If you want to use this in practice, you have to be a bit careful how you choose your M, you have to put in some padding; you should really, well, not use it this way. So we'll have some more slides on how to use it. But let's get a way where we plug in a message M, do some stuff, get a ciphertext, do some more stuff, and get M back. The ciphertext is gonna be pretty simple. We pick another of those polynomials with very few non-zero coefficients, again limited to plus and minus one; let's call this thing R. And then the ciphertext is simply R times this H, which was our public key, again with this multiplication which limits everything to degree less than N, and then we add our message.
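The key generation just described can be sketched in plain Python as well. Hedged heavily: this is a toy, the function names are ours, and the inversion here is done by brute force over all p^n candidates (fine for n = 7, hopeless for real parameters; the talk's Sage code and real implementations use extended-Euclid-style inversion instead). For q a power of two, an inverse mod 2 is lifted up to mod q with Newton iteration.

```python
from itertools import product
from random import randrange, seed

def convmul(f, g, n):
    # cyclic convolution in Z[x]/(x^n - 1)
    r = [0] * n
    for i in range(n):
        for j in range(n):
            r[(i + j) % n] += f[i] * g[j]
    return r

def random_small_poly(n, d):
    # exactly d coefficients equal to +1 or -1, the rest zero
    f = [0] * n
    count = 0
    while count < d:
        i = randrange(n)
        if f[i] == 0:
            f[i] = 1 - 2 * randrange(2)
            count += 1
    return f

def invert_bruteforce(f, n, p):
    # toy-sized only: try all p^n candidates for 1/f in (Z/p)[x]/(x^n - 1)
    one = [1] + [0] * (n - 1)
    for cand in product(range(p), repeat=n):
        if [c % p for c in convmul(f, list(cand), n)] == one:
            return list(cand)
    return None   # f is not invertible mod p: throw it away, try again

def invert_mod_pow2(f, n, q):
    # Newton lifting: if f*u = 1 mod m, then u*(2 - f*u) inverts f mod m^2
    u = invert_bruteforce(f, n, 2)
    if u is None:
        return None
    m = 2
    while m < q:
        m = m * m
        t = convmul(f, u, n)
        v = [(2 if i == 0 else 0) - t[i] for i in range(n)]   # 2 - f*u
        u = [c % m for c in convmul(u, v, n)]
    return [c % q for c in u]

def keygen(n, d, q):
    # retry until f is invertible both mod q and mod 3 (f3 is needed to decrypt)
    while True:
        f = random_small_poly(n, d)
        fq = invert_mod_pow2(f, n, q)
        f3 = invert_bruteforce(f, n, 3)
        if fq is not None and f3 is not None:
            break
    g = random_small_poly(n, d)
    h = [3 * c % q for c in convmul(fq, g, n)]   # so that h*f = 3g mod q
    return h, f, g, f3

seed(1)
n, d, q = 7, 5, 256
h, f, g, f3 = keygen(n, d, q)
print([c % q for c in convmul(h, f, n)] == [3 * c % q for c in g])   # → True
```

The final print checks exactly the defining relation from the slide: the public h convolved with the secret f is three times g, modulo q.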
So we need to somehow get our message into a polynomial which has coefficients in this set plus one, minus one, and zero. But there's no restriction on the density: it can be all plus ones, it can be all minus ones, no restriction. So for instance, you take your message in ternary and then replace powers of three with powers of X. So getting M in there is no big deal, and then encryption was easy. You've encrypted, you send the ciphertext over. And now the question is how we can get this M back. So we basically would like to divide by H. But dividing by H can't be the solution, because H is public; anybody could do that. And there is all this M sitting around, so it would be an inexact division. If we didn't have the reduction mod x to the N minus one, this would just be: divide by H and take the leftover, take the remainder. Because we have this reduction mod x to the N minus one, that is not possible. Now here's the way that we decrypt if we have the secret key. We take our ciphertext, we multiply by F; this was our first secret key. And remember the relation between the public key and the secret key: that was H times F is 3G. Okay, we now put in everything. So we're brave, we plug in C, the ciphertext, which was R times H plus M, and then we move things around. I should have said: these multiplications are fully compatible, so we can move things around; it's distributive, it's commutative, everything you want. Okay, so we can move this F next to the H, and F times H gives you 3G. So the first term simplifies to R times 3G. And in the second term, okay, now we have F times M. We want that M, but there's still an F running around. But there's now a three in the first term. So if we reduce mod three, we don't have to worry about the R times 3G term. And then we have this F3 running around, which, if I multiply by it, gives me one.
So if I have the second part, F times M, because I got rid of the first part by reduction mod three, then multiplying by F3 gives me F times F3, which is one, times M, so it gives me M. There are a few technicalities I've been kind of glossing over: I need to reduce mod Q every once in a while, partially because otherwise you would see some growth. That's the important part in the encryption function. And then down here in the decryption function, I need to first reduce mod Q, because this relation, this H times F is 3G, only works mod Q. And I also have to move my representation to something specific. Normally if I tell you mod Q, you would want to have zero till Q minus one. I now shift this to be symmetric around zero, so I'm going from minus Q over two till Q over two. Let's see how this works. So this is that moment in waterfall software engineering where they've just dropped the hundred pages of documentation on your desk and said: implement this. This is what the designers have done. All right, let's see if it actually works, let's see if we can get the computer doing it. This will be with smaller N's and Q's and D's; well, D is the number of non-zero coefficients in F and so on. Smaller parameters than you would use, but at least they'll fit on the slide. So one of the functions you can find online is randomdpoly. This is not a Sage function; this is something which takes this global variable D, and also N, and gives you a polynomial that has D (in this case five) plus and minus one coefficients, out of a maximum degree that goes up to x to the N minus one, so at most x to the six. That gives some random polynomial, and then there's another function that we put up called invertmodprime. And that is doing this "come up with F3", F sub three. Which, well, what is this F3 supposed to do? Let's check this. What it's supposed to do is that if you multiply F by F3 (when I say multiply, it's always this convolution operation),
when you multiply F by F3, it's supposed to be something that's one mod three. If you look at this and ignore all the multiples of three, like three and minus three, then all you're left with is the one. So think of this as: F times F3 is one. All right, there's also some inversion mod Q; that was for computing H. The public key H was, well, some formula with some G's and threes and a divide-by-F at some point. Well, FQ is something such that if you multiply it by F, convolve it with F, then you get one mod Q. Q is 256 in this example, and yeah, 257 mod 256 is one, and these multiples of 256 all go away. All right, and then G is another secret, and the public key is three times one-over-F times G, modulo Q. And there's a weird thing that happens here, which is this minus sign. Now, if you're accustomed to mod in C or other lower-level languages, then mod will give you negative outputs if you give it a negative input, unless the input is a multiple of Q, in which case it gives you zero. If you have a negative number, you'll get something between minus one and minus (Q minus one). If you have a positive number, you get a positive result, which can actually be a real problem for crypto, leaking whether that input was positive or negative. In the math description of NTRU, there was some footnote in some part of the design document going, yeah, make sure you only release a range of exactly Q numbers, between zero and Q minus one, or, say, between minus Q over two and Q over two minus one. And if you leak whether the input was positive or negative, that's actually maybe a security problem. So instead of that, we have a function online which is balancedmod, which always gives a result which is like a normal signed char, a signed byte: between minus 128 and 127 if Q was 256. All right, and that's the public key; no more leakage of whether the original input was positive or negative.
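That balanced reduction is a one-liner. A minimal sketch in plain Python, mirroring the idea of the balancedmod helper from the talk's online code (the name is theirs, this particular implementation is ours): shift up by half of q, reduce, shift back down, so every coefficient lands in the symmetric range.

```python
def balancedmod(f, q):
    # reduce each coefficient into the symmetric range [-q/2, q/2);
    # for q = 256 the outputs behave like signed bytes: -128 .. 127
    return [((c + q // 2) % q) - q // 2 for c in f]

print(balancedmod([255, 1, 128, -3], 256))   # → [-1, 1, -128, -3]
```

Note that Python's % already returns non-negative results for positive moduli, unlike C's, so the shift trick here is only about centering the range, not about sign handling.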
And to check what this FQ was supposed to do: the whole point of H is that if you multiply H by F, multiply the public key by this important part of the secret key, modulo Q, then you get the same thing as three times the random G that was generated as another secret. All right, let's see if we can encrypt. Here's a message, just a bunch of random ones, zeros, minus ones, and then another random R that shows up in the encryption. And then the ciphertext C is: you take R times the public key H and then add M to it; that's this convolution of H and R, add M, and then reduce mod Q. And that gives again some random-looking bytes, seven random-looking bytes. And now decryption was: multiply the ciphertext by the secret F, reduce mod Q, and then, as Tanja mentioned, this is gonna be the same as three times G times R plus F times M. And then multiplying that by the F3 and reducing mod three finally gives exactly the same as the original input message. So this system actually works; it has successfully decrypted a message from the ciphertext. Okay, this shouldn't actually work. Didn't somebody tell you that you can't just reduce mod three and mod Q? I mean, if you take something like this expression and you hope that there is a three running around in there: let's say our Q is five and we have a six. Six is nicely divisible by three, but then we reduce it mod five and we're left with one, which is not a multiple of three. So in principle, this shouldn't work. Now, the reason that it still works, or, depending on how you choose the parameters, works most of the time, is that the parameters are chosen such that the numbers are small enough. So this only works if this mod Q on the right-hand side doesn't actually take away the three; so if there's actually no need to compute mod Q, because this thing on the right-hand side is by itself smaller than Q.
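The whole cycle just walked through can be replayed as a self-contained plain-Python sketch. Hedged as before: toy parameters, our own function names, brute-force inversion that only works for tiny n, and no padding whatsoever, so this is the bare math problem, not something to deploy.

```python
from itertools import product
from random import randrange, seed

def convmul(f, g, n):
    r = [0] * n
    for i in range(n):
        for j in range(n):
            r[(i + j) % n] += f[i] * g[j]
    return r

def random_small_poly(n, d):
    f = [0] * n
    count = 0
    while count < d:
        i = randrange(n)
        if f[i] == 0:
            f[i] = 1 - 2 * randrange(2)
            count += 1
    return f

def invert_bruteforce(f, n, p):
    one = [1] + [0] * (n - 1)
    for cand in product(range(p), repeat=n):
        if [c % p for c in convmul(f, list(cand), n)] == one:
            return list(cand)
    return None

def invert_mod_pow2(f, n, q):
    u = invert_bruteforce(f, n, 2)
    if u is None:
        return None
    m = 2
    while m < q:
        m = m * m
        t = convmul(f, u, n)
        u = [c % m for c in convmul(u, [(2 if i == 0 else 0) - t[i] for i in range(n)], n)]
    return [c % q for c in u]

def balancedmod(f, q):
    return [((c + q // 2) % q) - q // 2 for c in f]

def keygen(n, d, q):
    while True:
        f = random_small_poly(n, d)
        fq = invert_mod_pow2(f, n, q)
        f3 = invert_bruteforce(f, n, 3)
        if fq is not None and f3 is not None:
            break
    g = random_small_poly(n, d)
    h = [3 * c % q for c in convmul(fq, g, n)]   # h*f = 3g mod q
    return h, f, f3

def encrypt(m, h, n, d, q):
    r = random_small_poly(n, d)                  # fresh randomness per message
    hr = convmul(h, r, n)
    return [(hr[i] + m[i]) % q for i in range(n)]

def decrypt(c, f, f3, n, q):
    # balancedmod recovers 3*g*r + f*m exactly, as long as every
    # coefficient of that expression stays below q/2 in absolute value
    a = balancedmod([x % q for x in convmul(c, f, n)], q)
    return balancedmod([x % 3 for x in convmul(f3, a, n)], 3)

seed(5)
n, d, q = 7, 5, 256
h, f, f3 = keygen(n, d, q)
m = [1, -1, 0, 1, 1, -1, 0]
c = encrypt(m, h, n, d, q)
print(decrypt(c, f, f3, n, q) == m)   # → True
```

With these parameters decryption is not just probabilistic: the coefficient-size argument coming up next guarantees the mod-q reduction never destroys anything.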
So this is where everything comes in that we said at the beginning: you're only allowed to choose a few of the coefficients to be non-zero, and you're only allowed to choose plus and minus ones. Because in this R times three G, R has only small coefficients, G has only small coefficients, and okay, then we have the three running around. So the maximum contribution per coefficient is if a plus one of R hits a plus one of G; multiply those and sum it up. But there can't be N such hits; there's only D coefficients that are non-zero. So the worst coefficient of this product will be D times a perfect match of plus one with plus one, or of minus one with minus one. So if they really conspire to always add up to the maximum, we can see something like 3D for the first part. And then similarly: well, there was no weight restriction on M, but there was a weight restriction on F. So whenever a coefficient of F, of which we only have D, hits a non-zero coefficient of M, we get a plus or minus one added. So the maximum we can see in any coefficient is gonna be four times D. Now our choice will be that we want Q over two to be larger than 4D. So if we choose our Q large enough, say a large enough power of two, then this reduction will not cause any problems. Okay, now what does this actually have to do with lattices? I promised at the beginning that this is a lattice-based cryptosystem, and then I started talking about polynomials. Now, yes, we have seen in Nadia's part of the talk that you can take your Coppersmith lattice and put polynomials in as basis vectors. But I first have to explain how to translate the NTRU problem, the problem of finding F, into the problem of finding a short vector in a lattice. So first of all, here is how I set up the matrix. For setting up the matrix, I'm only allowed to use public information: I don't know the F, I don't know the G, but I do know this H. And now in this matrix, there's this capital H block.
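That 4D worst-case bound can be sanity-checked empirically with a short plain-Python sketch (our own helper names; the worst case argued above is 3d from the 3·g·r term plus d from the f·m term).

```python
from random import randrange, seed

def convmul(f, g, n):
    r = [0] * n
    for i in range(n):
        for j in range(n):
            r[(i + j) % n] += f[i] * g[j]
    return r

def random_small_poly(n, d):
    f = [0] * n
    count = 0
    while count < d:
        i = randrange(n)
        if f[i] == 0:
            f[i] = 1 - 2 * randrange(2)
            count += 1
    return f

def worst_noise(n, d, trials):
    # largest |coefficient| of 3*(g conv r) + (f conv m) over random trials;
    # the worst case argued in the text is 3d + d = 4d
    worst = 0
    for _ in range(trials):
        g, r, f = (random_small_poly(n, d) for _ in range(3))
        m = [randrange(3) - 1 for _ in range(n)]   # arbitrary -1/0/+1 message
        gr = convmul(g, r, n)
        fm = convmul(f, m, n)
        worst = max(worst, max(abs(3 * gr[i] + fm[i]) for i in range(n)))
    return worst

seed(0)
print(worst_noise(7, 5, 200))   # never exceeds 4*d = 20, far below q/2 = 128
```

In practice random trials land well under the worst case, which is why real parameter sets can afford to cut q tighter than the pessimistic bound suggests.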
That is going to be a block of N columns and N rows. And then above it there is Q times an identity matrix, so that has entries on the diagonal that are all equal to Q. Then there's another matrix which has just ones on the diagonal, and everything else up here is zero. But this H is the interesting part. In H, I've been putting in each row all the coefficients of little h (well, actually divided by three, but okay), such that if I take any vector, taken as a polynomial (say this first vector there, this 1, 0, 0, 0, would be the constant one; the other one would be the constant three), it corresponds to multiplication by the polynomial h. So let's do an example. I have this long, length-2N vector, and I have a 2N-by-2N matrix sitting here. I now take the first part; that's nice, it's just a unit vector. So that will take from the top part of the matrix just the Q times identity, so that just gets me a Q there, rest is zeros. Then the second part is this 3, 0, 0, 0. And I said H should be such that multiplying by anything is like multiplication by the polynomial. So this will grab exactly one copy of this polynomial h. So that tells you how you write this polynomial h there. And then, say, the next coefficient would get this h, but rotated; this one, rotated, times two. So this is how you write your matrix. And now, what is the short vector in this lattice? To get any vector in the lattice, you're taking integer combinations of these rows; that means we're taking integer polynomial combinations of this. The reason why I'm getting g comma f out of this is: well, I don't know what it looks like, but there is a polynomial k, and there is a polynomial f that I don't know, such that k comma f times this matrix gives me g comma f. And g and f are small. That means they have very few non-zero entries, and the entries are very small, only plus or minus one.
So if I'm right about this, and I'll walk through the steps in a moment, then this vector in the lattice is very likely to be the shortest vector of all. So then I can use something to actually find this vector. If you run through this: well, this mod q just means there is some multiple of q such that h times f is 3g plus that multiple. So there's some k times q term, and that's the k I'm stuffing in there. Again, don't trust me, just implement this and see how it works. Just implement, she says. Doesn't she realize how hard this is? All right, so we pull out Sage, and the first thing is just a little conversion of h into h divided by 3 mod q. I think since we're a little low on time, I'll skip that part and just say what happens when you multiply: yeah, a lot of big polynomials. What's happening here is that h3, which is h divided by 3, is being multiplied by x and x squared and x cubed and so on, as convolution, which means it's rotating the coefficients around. If you look at each line of numbers, 58, 210, 54, you see that the next line is rotated around one position to the left: the 58 has gone to the end, and so on. Okay, so here's a bunch of polynomials, and what matters about these polynomials is that some combination of them, adding up some of these and subtracting some of these, is gonna give you g, modulo q. Because remember, f is a bunch of one, x, x squared and so on, added and subtracted in some way. And if you multiply that by h, you get 3g. And this h3: well, if you multiply by h over 3, that's gonna give you g. So g is gonna be: add and subtract whichever of these polynomials correspond to however you wrote f in the first place; the secret f was a sum and difference of some of these powers of x. All right, I'm gonna just show you the matrix that comes up at the end of this. Here's this 2n-by-2n matrix, where on the bottom left are the same numbers we were just looking at, with some 58s and so on.
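The "don't trust me, implement this" step can be done in plain Python up to the point where LLL takes over (the talk uses Sage's M.LLL() for the actual reduction; everything else below is a hedged sketch with our own function names, including the fact that 171 is the inverse of 3 mod 256). It builds the 2n-by-2n matrix and verifies that the short vector (g, f) really is an integer combination of the rows, with the combination (k, f) predicted in the text.

```python
from itertools import product
from random import randrange, seed

def convmul(f, g, n):
    r = [0] * n
    for i in range(n):
        for j in range(n):
            r[(i + j) % n] += f[i] * g[j]
    return r

def random_small_poly(n, d):
    f = [0] * n
    count = 0
    while count < d:
        i = randrange(n)
        if f[i] == 0:
            f[i] = 1 - 2 * randrange(2)
            count += 1
    return f

def invert_bruteforce(f, n, p):
    one = [1] + [0] * (n - 1)
    for cand in product(range(p), repeat=n):
        if [c % p for c in convmul(f, list(cand), n)] == one:
            return list(cand)
    return None

def invert_mod_pow2(f, n, q):
    u = invert_bruteforce(f, n, 2)
    if u is None:
        return None
    m = 2
    while m < q:
        m = m * m
        t = convmul(f, u, n)
        u = [c % m for c in convmul(u, [(2 if i == 0 else 0) - t[i] for i in range(n)], n)]
    return [c % q for c in u]

def ntru_lattice(h3, n, q):
    # rows 0..n-1:   (q * e_i        | 0  )   -- the q-times-identity block
    # rows n..2n-1:  (rotation_i(h3) | e_i)   -- multiplication by h/3
    rows = []
    for i in range(n):
        rows.append([q if j == i else 0 for j in range(n)] + [0] * n)
    for i in range(n):
        rows.append([h3[(j - i) % n] for j in range(n)]
                    + [1 if j == i else 0 for j in range(n)])
    return rows

seed(3)
n, d, q = 7, 5, 256
while True:                                   # toy keygen, public key only
    f = random_small_poly(n, d)
    fq = invert_mod_pow2(f, n, q)
    if fq is not None:
        break
g = random_small_poly(n, d)
h = [3 * c % q for c in convmul(fq, g, n)]    # public key: h*f = 3g mod q
h3 = [c * 171 % q for c in h]                 # h/3 mod 256, since 3*171 = 1 mod 256
M = ntru_lattice(h3, n, q)

# f * h3 = g mod q, so g - f*h3 is q times an integer polynomial k
t = convmul(f, h3, n)
k = [(g[i] - t[i]) // q for i in range(n)]

# the coefficient vector (k, f) times M gives (g, f): a very short lattice vector
v = k + f
w = [sum(v[i] * M[i][j] for i in range(2 * n)) for j in range(2 * n)]
print(w == g + f)   # → True
```

Finding that vector without knowing f is exactly the job LLL does on this matrix in the Sage demo.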
And then down the diagonal there are some q's and ones. All right, and then we pull out the Nadia to give us our short vectors in the lattice, and okay, there's the LLL result, and suddenly there are much shorter vectors. LLL is giving you not just one short vector but a bunch of short vectors, a kind-of-short basis, and in this case you see super short vectors up at the top. The first row is a very short combination of the original vectors. All right, then you extract the second half: M.LLL()[0] is taking the first row, and then the [n:] is taking positions n through 2n minus one of that first row, and that gives you five non-zero coefficients and two more zero coefficients. Converting those into a polynomial gives exactly the secret f; well, with a minus sign, but that doesn't affect the decryption. So if you run decryption with this f that the attacker found just from the public key, setting up a matrix and running LLL on this polynomial lattice, then you break NTRU. You can decrypt any message you want. Now, you have to scale this up to get real security; of course seven dimensions is not enough. If you go up to, say, 150 dimensions and 101 non-zero terms in f and so on, and scale q up to two to the 32, then there are gonna be more than two to the 200 choices of the secret f. You try the attack again, and the attack does not find plus and minus ones. It still finds a kinda short polynomial; LLL doesn't necessarily give the shortest, but it's sorta short, and it still breaks the system, which is kinda scary. The reason this still breaks the system is that q is actually too big. You don't always have crypto parameters being more secure when they're bigger. When q is really big, that allows this kinda big f to decrypt, because the whole decryption procedure only needed that there wasn't some wraparound modulo q. If q is smaller, it actually gets more secure, and then this f does not break the system anymore.
And then, well, for good security you also need n to be somewhat bigger. All right, so when you do this, there's a whole bunch of attacks to take into account: choose a smaller q, choose a larger n. There are all the cryptanalytic attacks I mentioned at the beginning, but let's close on a positive note. Take this and try this at home. Am I on? Okay, if you want to try at home everything that we talked about, there are plenty of things that you can do. You probably don't wanna use lattices yourself right now. Every NIST submission to the post-quantum crypto competition has a reference implementation which is available online. More than 90% of them have survived a week of cryptanalysis. So you too can go and analyze these implementations, break them, prove their security, whatever you like. This is what the world needs. If you're interested in the integration of quantum-safe crypto into actual protocols, there is a project called the Open Quantum Safe project, which has a bunch of implementations of schemes and integrations into things like OpenSSL. You may not want to use this right now, because schemes may become obsolete due to cryptanalytic advances like the ones we've seen. There's a lot of work at every level: breaking stuff, analyzing proposals, looking at implementations, all sorts of things are needed. And if you really feel inspired to turn on post-quantum cryptography in your own projects, we would recommend using a hybrid approach with elliptic-curve cryptography and not using bare post-quantum schemes right now. Google did this, for example, this past year with a post-quantum key exchange, and it did a hybrid approach with elliptic curves. So that is all we have. Thank you very much, and we hope to see more broken schemes.