So let's look at a cryptographic system that's based on the mathematics of lattices. This is known as the GGH cryptosystem after its three inventors, Goldreich, Goldwasser, and Halevi. And it's based on the following ideas.

First off, Alice is going to choose a basis V that's going to consist of k reasonably orthogonal vectors, and this is going to be the secret basis. She's going to form a new basis V prime, and that's going to consist of k nearly parallel vectors, and this is going to be the public basis.

Now Bob wants to send Alice a message. So what he's going to do is he's going to compute some linear combination of the public basis vectors. And here we can think about that linear combination as having the coefficients that correspond to the message and using the public basis vectors. And here's what the actual cryptography consists of. Bob's going to choose some random vector R. You can think about this as a noise vector. And what he's going to do is he's going to send, as the encrypted message, the linear combination of the actual message values, plus this little bit of noise, and he's going to send that information to Alice.

Now Alice then solves the closest vector problem for M prime, and because she's using a reasonably orthogonal basis set, she can actually solve the closest vector problem fairly accurately. And so if she's looking for the vector closest to M prime, she's probably going to find the vector M, and that allows her to then recover the message as the linear combination.

On the other hand, let's say Eve tries to figure out what this message is. Well, she has the message M prime, and she uses the public basis, the V prime, the nearly parallel vectors, and tries to find the closest vector to M prime. Because she's using these nearly parallel vectors, it's unlikely that she'll be able to solve the closest vector problem very efficiently.
And in fact she's probably going to recover some vector which will very likely not be anywhere close to where M is. And so she might be able to solve this closest vector problem, but she won't be able to actually get a close vector.

Well, let's set this up a little bit. The key to the GGH cryptosystem is the noise vector, and the important thing here is that we want to make sure that whatever noise we add to the signal, it should not shift where the nearest point is located. Now, it's worth noting that this is a point of vulnerability of the cryptosystem, and it's going to require somewhat careful choice of our basis vectors.

So let's take an example. Suppose I have a lattice that's spanned by two vectors, (1, 45) and (45, -1), and I'm going to determine a suitable size for my noise vector. So what I might do is I might consider what my lattice looks like. So here's a sketch of what it is. And so I'm going to take some point P in the lattice. And what I want to do is I'm going to add a noise vector. But the important thing is when I add the noise vector, I want to make sure that it doesn't drop me close to any of the other points in the lattice. So I can't make my noise vector too big because then it'll make the closest vector something besides what the actual message is.

So let's take a look at those nearby points. The closest points to P are going to be P plus or minus V1, P plus or minus V2, and possibly P plus or minus V1 plus or minus V2. So there's going to be a number of close points in the lattice, and we want P plus whatever our random noise vector is to have nearest point P, which suggests that in this case, because V1 and V2 have magnitude around 45, if I make the magnitude of my noise vector less than 20, that'll situate me closer to P than to any other point. And you can imagine that to be some sort of circle around P, and as long as we're inside the circle, the closest point is going to be P.
And again, for convenience, we might actually want to make that circle even smaller, and maybe I'll have my noise vector consist of two components between negative 10 and positive 10.

Well, the next thing we have to do is we have to set up a suitable public basis for our lattice, and we want to make sure that the public basis consists of vectors that are more or less parallel. So remember that Babai's algorithm works best when the basis vectors are nearly orthogonal and it works very badly when they are not. And just a quick check, we may want to verify that our private basis is in fact orthogonal, and it turns out that the cosine of the angle between them is zero and the vectors are in fact orthogonal. Just as a quick note, we don't actually require that the private basis vectors be orthogonal, they just happen to be in this case.

Now, I want to find a new basis, and I'm going to form a matrix whose rows consist of the private basis, and I want to multiply this by a matrix with determinant one. And so I might try a matrix, oh, how about this one? So here's a matrix with determinant one, and I can multiply them together to form a new set of basis vectors. So again, the rows of my original matrix are the private basis, the rows of the new matrix are going to be the public basis, and we want to make sure that our public basis vectors are very nearly parallel. So we'll find the dot product, and we find that the cosine of the angle between the public vectors is very close to one, which says that the two vectors are very nearly parallel. And so that says that the rows of our matrix are perfectly good as the public basis for our lattice, and now we have our lattice set up.
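
The setup described above, carried through as an added example that is not part of the original lecture: it builds the public basis from the private basis (1, 45), (45, -1), encrypts with noise components between -10 and 10, and compares rounding-based decryption in each basis. The determinant-1 matrix `U`, the message and the noise are assumptions chosen for illustration, since the lecture's own matrix does not appear in the transcript.

```python
import math
from fractions import Fraction

# Private basis from the lecture (rows): orthogonal, length about 45.
PRIVATE = [[1, 45], [45, -1]]
# Assumed determinant-1 matrix; the lecture's own matrix is not in the transcript.
U = [[7, 8], [20, 23]]

def combine(coeffs, basis):
    """Integer combination coeffs[0]*basis[0] + coeffs[1]*basis[1]."""
    return [coeffs[0] * basis[0][j] + coeffs[1] * basis[1][j] for j in range(2)]

# Public basis: rows of U times the private basis matrix.
PUBLIC = [combine(row, PRIVATE) for row in U]

def cosine(u, v):
    """Cosine of the angle between two 2-D vectors."""
    return (u[0] * v[0] + u[1] * v[1]) / (math.hypot(*u) * math.hypot(*v))

def solve(basis, point):
    """Exact coordinates x such that x[0]*basis[0] + x[1]*basis[1] == point."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    px, py = point
    return [Fraction(px * d - py * c, det), Fraction(py * a - px * b, det)]

def encrypt(message, noise):
    """Bob: message coefficients on the public basis, plus a small noise vector."""
    p = combine(message, PUBLIC)
    return [p[0] + noise[0], p[1] + noise[1]]

def decrypt(basis, ciphertext):
    """Babai rounding in `basis`, then read the coefficients off the public basis."""
    rounded = [round(x) for x in solve(basis, ciphertext)]
    lattice_point = combine(rounded, basis)
    return [int(x) for x in solve(PUBLIC, lattice_point)]

if __name__ == "__main__":
    message, noise = [3, -2], [7, -9]   # constructed sample values
    c = encrypt(message, noise)
    print("public basis:", PUBLIC, "cosine:", cosine(*PUBLIC))
    print("ciphertext:", c)
    print("Alice (private basis):", decrypt(PRIVATE, c))
    print("Eve (public basis):   ", decrypt(PUBLIC, c))
```

With these values Alice's rounding in the private basis returns the message, while the same rounding in the nearly parallel public basis lands on a different lattice point and yields the wrong coefficients.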