 So, the set on the second line, the number of elements in that set, is simply the number of C values so that S naught minus C F naught gives a valid Y value, meaning its coefficients are at most K. Okay? So second line to third line is just reinterpreting this count. And now we have to compute this, and this is where the magic happens. So it's not really magic, it's very elementary algebra. How many C's are there, with very small coefficients, remember, such that S naught minus C times F naught has coefficients that aren't too big, that are at most K? Well, it kind of depends on what S naught and C and F naught look like, right? But let's analyze this quantity a little more closely and try to figure out how big its coefficients are. So, what is the largest coefficient of S naught minus C F naught, where S naught is fixed at the beginning, F naught's fixed at the beginning, and C is some polynomial with zero plus minus one coefficients? Well, the largest, the absolute value of the largest coefficient is less than or equal to the sum of the absolute values of the largest, this is a triangle in equality, right? Now, let's think about, and the parameters are important, that's why I set things carefully initially. C, remember, has zero plus one minus one coefficients, right? F naught has zero plus one minus one coefficients, and a coefficient of the product is essentially, you're taking a vector of coefficients and taking the dot product of a vector of coefficients. So if I give you a vector all of whose coefficients are zero one minus one, and another vector all of whose coefficients are zero one minus one, and you take the dot product, what's the absolute biggest it can be would be N, because you're taking, you know, some, you're adding up at most N ones. I mean, it's likely to be much less, this is kind of a random walk, you'd expect it to be more like square root of N, but okay. So I actually did this in two steps, in general the largest coefficient of a product is no more than N times the largest coefficient of the first times the largest coefficient of the second, but C and F naught have coefficients that are at most one. So these two terms are one, and also remember the S naught, remember the rejection sampling step, that's crucial, the only S naughts that get released have coefficients at most N minus K, or K minus N. So the S naught has coefficient at most K minus N, this has coefficient at most N, so the largest coefficient of this difference is at most K, but that means this difference is in this box of size K. In other words, this condition here, the S naught minus C F naught B in the box of size K is vacuous, it's always true, doesn't matter which C you take, it's always true. And that makes this numerator very easy to compute, right, because the condition's not there anymore, it's just a number of elements in R of 1. So the probability we're trying to compute, which I've just repeated this from the previous slide, we found that this condition here is completely irrelevant, because it's always true. So we simply get the number of elements in R of 1 over the denominator, but the number of elements in R of 1 cancels the number of elements in R of 1, and we just get one over the number of elements in R of K, which is 2K plus 1 to some power, if you think, 2K plus 1 to the n, I guess, roughly. In any case, this number doesn't depend on F naught, and it doesn't depend on S naught either. So the probability of getting signature S naught, if your private key is F naught, doesn't depend on your private key. It actually doesn't depend on the S naught either, each S naught has an equal probability of appearing the way we've set it up. And if you go back and look in some sense what this is doing is it's created a common box for every private key, and the signatures that get through rejection sampling are sitting uniformly distributed in this common box, and therefore different keys give the same distribution of signatures. Okay, so the final step, and I'm probably not going to have time to do this in two minutes, right? There's the practicality. If I have to generate a hundred million signatures to get one that I'm willing to use, it's completely impractical. So once I compute the probability, again, if I choose a random C and a random Y, what's the probability that the signature I get is actually less than or equal to K minus N? You know, it's coefficients. Well, you see, the C times F, remember, the coefficients of C times F is the sum of plus or minus ones and zeros, and I said, well, that's no more than N, which is true. But it's normally more, it's almost certainly no more than, say, five square root of N because the plus ones and the minus ones tend to cancel out. If you've taken probability and done random walks, if you take a random walk, 50% chance go left, 50% chance go right. After N steps, you're likely to be roughly twice square root of N, I guess, from the origin. So the probability that Alice finds a signature that's good is bigger than the probability just for the Ys that the coefficients of Y are no more than K minus N, say minus five root N, which is how big this thing is. Again, this is just a triangle inequality. And I can just do, I can compute that as counting the number of good Ys versus all the Ys. The boxes, well, I mean, the denominator, how many polynomials have coefficients between minus K and K? Well, each coefficients between minus K and K, two K plus one choices, N coefficients, two K plus one to the N. So this is actually two K plus one to the N, and this is similarly this quantity to the N. And I simplified it a little bit. And as long as K is bigger than N squared, this will be roughly this. So what one does is one chooses K to be maybe like five N squared or ten N squared. And then this probability will be very, very close to one, this quantity. So that's how you can make the thing practical. Okay. So your final exercise is to recognize the quote at the top of the page here. This is the end of our week's introduction to Lattice's and Lattice-based cryptography. I put a few thank yous here. I want to thank the graduate school organizers, so Jen, Bjorn, and Ashka for inviting me to speak here. And I want to thank PCMI for running this great program. It was an amazing program with this many people. And most of all, I want to thank all of you for coming and listening and asking questions and being inquisitive. So thank you very much.