a short vector in our lattice. And now we need to actually show that it works. So I'll call this Q. This is going to be our target polynomial. So we want to bound the absolute value of the evaluation of Q of R. And we want this to be less than n. So we know that this is less than the L1 norm of the vector that we found in the lattice. And we know that this is less than, say, square root of dimension of the L2 norm of this vector. And then this is going to be less than, OK, there's going to be square root of dimension, which we don't really care about. And there's going to be a 2 to the dimension L. And I'm going to just drop the 1 fourth because I don't really care. And then determinant to the 1 over dimension. And so if, say, square root of dimension 2 to the dimension determinant to the 1 over the dimension, if that is strictly less than our modulus n, then we're done. Because then we've established that Q evaluated at any of the roots that we're looking for is going to be 0 over the integers. And then we just solve it.

OK. So that means that in order to check whether this works, the only thing that we need to verify is whether the determinant and the dimension of the lattice actually satisfy this bound that we're looking for.

So in this explicit computational example, our input polynomial is, all right, we've got our ciphertext c and our approximation to the message a. And so we have f of x is, let me make sure I get this right. x plus a cubed minus c. And I know that if I plug in the root swordfish here, this is going to be 0 mod n. OK. So that's the root I'm looking for. And the basis set of polynomials that I chose is actually just f. So f has degree 3. I chose x squared n. That happens to vanish mod n. x times n, that vanishes mod n. And n, that totally vanishes mod n. That's my basis. And so the explicit embedding there, sorry, there's a capital X there. And I'm using capital R here, because there's no difference between little x and big x on the.
So my embedding is going to be like r cubed, and then like, OK, 3 a r squared, 3 a squared r, a cubed minus c. And then let's see, n times r squared, n times r, and n. So this is the coefficient embedding of this guy. This is the coefficient embedding of this guy. This is the coefficient embedding of this guy. And this is the coefficient embedding of this guy.

So if I want to explicitly compute the determinant, OK, so the dimension is 4. The determinant, well, this is conveniently upper triangular. Oh, is it? Yeah, all the rest are 0's. Yeah, all the rest are 0's. Thanks. 0, 0, 0, 0, 0, 0, 0, 0, there we go. Yeah, thank you. OK, so the determinant is just the product of the diagonals. So we've got r to the sixth n cubed. And I'm going to appeal to 4 being small and say that square root of 4 times 2 to the 4 is not something that we really need to worry about with RSA-size numbers. So I'm just going to drop it. Also, these approximation factors go away in such small dimensions.

OK, so I just want to check whether determinant to the one over dimension is less than n to give me approximately whether it'll work. OK, so r to the sixth n cubed to the 1 fourth should be less than n. And all right, so I get like r to the sixth is less than n. So r should be less than n to the 1 sixth. All right, so I have a degree 3 polynomial, but I got a 1 sixth there. So we didn't quite get all the way to n to the 1 over d, but we did pretty well for a dimension 4 lattice, I think. So there's if you want to actually get, OK, so this means that for any root that's less than n to the 1 sixth, this will find it. I'll just be explicit and say that I carefully chose swordfish to have the right length with respect to the modulus.

OK, I have to log in again, so I won't do that since I'm almost out of time. But there's two things that you need to do to actually get all the way to the n to the 1 over d, and it's a lot more complicated.
So first is you need to have your polynomials vanish to a higher multiplicity mod n. So you take powers of this ideal. And then you might take here, I just took degree 3 polynomials, but you're going to want to take much higher degrees. And then there's an annoying optimization problem of how do you set this for the roots and how do you set your total degree, which is going to be the dimension of your lattice. It's also going to be the highest number of possible roots that you could get out of this method since you are going to be finding roots of a polynomial with degree, whatever your bound is. So if you run through the optimization of both of those parameters, that's how you get this n to the 1 over d.

So this is super useful because it tells you that basically RSA with bad padding and low exponent is insecure. And so if you're going to use RSA, you'd better be very careful that your adversary can't guess some of your message. So this is why cryptography is hard.

So I'll finish just by stating a result. You might ask, can you improve this? And I have a paper from a few years ago with Ted Chinburg, Brett Hemenway, and Zachary Scherr that shows that basically any method that looks like this that's constructing an auxiliary polynomial that preserves all of the algebraic and p-adic roots of f in addition to the integer ones, you're not going to be able to do better than n to the 1 over d. So if you want to do better, you're going to need to have some more clever results.

So I think our problem session is tomorrow morning. So you get to implement this for your very self. So bring your laptops and be prepared to have more fun with Jupyter. That is all I have, so thank you.

OK, are there any questions? Yeah?

Then you plug them into f, and you check whether it's 0 mod n. And if it satisfies, then that's a solution to your problem.

Sorry, what was that? Oh, it's just a combination of these.
So we, let's see, I mean, it's not going to be possible to find a combination of this in this construction that's less than n. And we just showed that any polynomial that is short enough will actually have all of our desired roots as its solution. But yes, it is definitely the case that when you're implementing this, and with all of these lattice-based methods, getting the parameters right is super important, because if you mess up, then the lattice reduction algorithm will find you something potentially not what you're looking for. But here, we have the guarantee that actually any sufficiently short vector is a solution to our problem.

OK, are there other questions?

So you can use values other than 3/4 in LLL. Does that change the result we get here at all, like fpLLL, 0.99?

So OK, yeah, can you do better by getting a better approximation factor? So one of the cool things about Coppersmith's method is that you only need an exponential approximation factor. There are other variants of this method where getting a better approximation factor does help. So if you start looking at multivariable polynomials, so instead of just one variable you have many, then that's when the approximation factor seems to come in. But yeah, it's cool that this is a polynomial time algorithm, because all you need is LLL. And what happens is if you run through the optimization, this 2 to the dimension turns into a factor of 2 in the size of the root that you can find, and then you just brute force like one bit. Yeah, so yeah, it's actually one of the surprising things. It's one of the few lattice methods where you only need an exponential approximation factor.

OK, any more questions? OK, let's thank you. Thank you. Thank you very much. Yeah, that's it.
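
The dimension-4 computation from the talk, as an added example that is not code from the lecture or its problem session. It assumes a constructed toy instance (a 512-bit modulus built from two published primes, a made-up known prefix, exponent 3) and uses a small exact-rational textbook LLL with parameter 3/4 in place of a library such as fpLLL; the function names are this example's own.

```python
from fractions import Fraction
from math import gcd

def dot(u, v): return sum(a * b for a, b in zip(u, v))

def gso(B):  # exact Gram-Schmidt: orthogonal vectors Bs and coefficients mu
    Bs, mu = [], [[0] * len(B) for _ in B]
    for i, b in enumerate(B):
        v = [Fraction(x) for x in b]
        for j in range(i):
            mu[i][j] = dot(b, Bs[j]) / dot(Bs[j], Bs[j])
            v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def lll(B, delta=Fraction(3, 4)):
    B, k = [list(r) for r in B], 1
    while k < len(B):
        Bs, mu = gso(B)
        for j in range(k - 1, -1, -1):              # size-reduce row k against row j
            q = round(mu[k][j])
            B[k] = [x - q * y for x, y in zip(B[k], B[j])]
            mu[k] = [m - q * (mu[j][l] if l < j else l == j) for l, m in enumerate(mu[k])]
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                  # Lovasz condition holds
        else:
            B[k - 1], B[k], k = B[k], B[k - 1], max(k - 1, 1)
    return B

def recover(n, c, a, bits):
    """Roots 0 <= r < 2**bits of f(x) = (x + a)^3 - c mod n, via the dimension-4 lattice."""
    R = 1 << bits
    if 128 * R**6 >= n:       # need (sqrt(4) * 2^(3/4))^4 * det = 128 R^6 n^3 < n^4
        raise ValueError("root bound too large for the dimension-4 lattice")
    f = [(a**3 - c) % n, 3 * a * a % n, 3 * a % n, 1]       # coefficients, low degree first
    basis = [[n, 0, 0, 0], [0, n * R, 0, 0], [0, 0, n * R * R, 0],
             [f[i] * R**i for i in range(4)]]               # n, xn, x^2 n, f, at x = R*X
    q = [v // R**i for i, v in enumerate(lll(basis)[0])]    # short vector -> coefficients of Q
    g = gcd(gcd(q[0], q[1]), gcd(q[2], q[3]))
    ev = lambda x: sum(ci // g * x**i for i, ci in enumerate(q))
    cand = [0]
    for k in range(bits):                                   # lift roots of Q mod 2^(k+1)
        cand = [y for x in cand for y in (x, x + (1 << k)) if ev(y) % (2 << k) == 0]
    return [x for x in cand if ev(x) == 0 and pow(x + a, 3, n) == c]

# Constructed toy instance (not from the lecture); the factorization is never used.
N = (2**448 - 2**224 - 1) * (2**64 - 59)
PREFIX, SECRET = b"the password is ", b"swordfish"
A = int.from_bytes(PREFIX, "big") << 8 * len(SECRET)        # known approximation a
C = pow(A + int.from_bytes(SECRET, "big"), 3, N)            # ciphertext c, e = 3
```

`recover(N, C, A, 72)` returns the unknown 9-byte suffix as an integer; the `ValueError` marks the point where the root bound exceeds what the dimension-4 determinant check from the talk guarantees.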