Alright, so let's take a look at an example of how we might use LLL in this hack on RSA. To keep this example reasonably comprehensible, we'll use a public exponent of e equal to 3 and a public modulus of this number, and assume that our message is of the form 5180 plus x, where x is a number between 0 and 9, and suppose we've intercepted a ciphertext that looks like this. Again, you can think about our messages as being, well, in this case, a four-digit number, where you know the first three digits, and the only question is what that last digit is going to be.
So the problem of recovering the original plaintext message corresponds to solving the congruence: ciphertext congruent to 5180 plus x, to the power 3, mod that. And so if I were to expand and simplify, if I could solve this congruence, then I can recover what the value of x is. Well, again, if that were an equality, this would be no problem. The problem is that it's a congruence. So I'll hit this with a lattice method.
So I have my congruence. I know that x has a maximum possible value of 9. I know the modulus. So what can I do here? Well, I'll take a look at the lattice that corresponds to this congruence, and that lattice is going to have this basis. The first vector is going to be the modulus n with all zeros after that. The second basis vector: zero, the maximum times the modulus, and then zeros in the remaining places. The third vector: again, we could think about this as constant coefficient, linear coefficient, square coefficient. So that's going to be m squared, maximum squared times our modulus, and zero in the remaining positions. And our last vector is going to be the coefficients of our polynomial, multiplied by the appropriate power of our maximum value. So I have my constant term. I have my linear term times the maximum. I have my square term times the square of the maximum. And then I have my cubic term, cubic coefficient, times the cube of the maximum value.
And so now I have a lattice that's going to be spanned by this set of four vectors. And the key here is that every point in this lattice corresponds to an equation that is associated with, not the same as because we've done the scaling, but is associated with this particular congruence. And some place in this lattice is an equation whose solution will also be the solution to this. Now, we can then try to solve the shortest vector problem for this lattice. And in that case, under the right conditions, we'll then be able to recover a solution to this. Now, we won't go into the details of what those right conditions are here, but notice that the maximum possible value of x is much smaller than any of the coefficients or components of our different vectors in our lattice basis.
So I have my lattice basis. I apply LLL to get my new lattice basis of quasi-orthogonal vectors. And the only one I actually need, I get the entire set, but the only one I actually need is that first basis vector, because that first basis vector is going to give us an approximate solution to the shortest vector problem. And I find that my first lattice basis vector looks like this, and so from here I can reconstruct a polynomial whose roots will hopefully give me some insight into the solutions to the original congruence.
So what does that polynomial look like? Well, again, we can think about this as linear component, linear coefficient, x coefficient, x squared coefficient, x cubed coefficient. Now, since we've scaled our equations by this factor m, 9, the maximum possible value of x, we have to scale them back. So my actual coefficients are going to be cubic coefficient over m cubed, which we then reduced, and that's our cubic coefficient. So again, constant, linear, square coefficient. So that's our square coefficient over the square of our maximum value, our linear coefficient over the maximum value.
Again, this is a scale factor that represents the largest possible value of x for our solution. And then finally our constant term. And I have this nice equation, and because it is an equation, not a congruence, I can solve this in any number of ways. The most useful is I can apply some numerical analysis to it, and I find three solutions which look like that. Now, remember that x has to be a positive integer in the interval 0 to 9. So none of these are integers, obviously, but my rounded value gives me an integer in this interval 0 to 9. And so I'm going to take x equals 8 as a potential solution to my original congruence.
Now, some quick notes about this. Remember that while this v1 is an approximate solution to the shortest vector problem, it's not guaranteed to be a good solution, which means we have to verify our actual solution. What that translates to in this case is that we find that if x is 8, then this does in fact satisfy our congruence. So our candidate solution, x equals 8, is actually the correct solution because it gives us the correct encrypted value. Again, when we solve the polynomial equations, we might not get whole numbers, and this is not a problem. We'll use our rounded values as our potential solutions.
And finally, one last note: the exponent e corresponds to the number of basis vectors for our lattice. And so we can apply the approach any time that we can solve the corresponding shortest vector problem. Now, again, LLL works fairly effectively for lattices with up to about 100 basis vectors. So this will give us potential solutions for e less than about 100 or so, which is why this is known as a low exponent attack. If your exponent is low, on the order of about 100 or so, then this could conceivably work against it. So what do you do with an RSA system? Well, you use a high exponent so you don't have to worry about this type of threat.
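The steps described in the lecture, carried through end to end as an added example (not code from the lecture). The transcript does not preserve the lecture's modulus or ciphertext, so `N` (the product of the primes 65537 and 104729) and `C` are constructed here, and the function names are hypothetical. Instead of numerical root finding followed by rounding, this sketch tests the integers 0 to 9 exactly against the recovered polynomial.

```python
from fractions import Fraction

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(b):
    """Return orthogonalised vectors b* and the mu coefficients (exact rationals)."""
    bs, mu = [], [[Fraction(0)] * len(b) for _ in b]
    for i, row in enumerate(b):
        v = [Fraction(a) for a in row]
        for j in range(i):
            mu[i][j] = dot(row, bs[j]) / dot(bs[j], bs[j])
            v = [a - mu[i][j] * c for a, c in zip(v, bs[j])]
        bs.append(v)
    return bs, mu

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL; recomputes Gram-Schmidt each step, fine for a 4x4 basis."""
    b, k = [list(r) for r in basis], 1
    while k < len(b):
        for j in range(k - 1, -1, -1):          # size-reduce b[k] against b[j]
            q = round(gram_schmidt(b)[1][k][j])
            b[k] = [a - q * c for a, c in zip(b[k], b[j])]
        bs, mu = gram_schmidt(b)
        if dot(bs[k], bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bs[k - 1], bs[k - 1]):
            k += 1                               # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]      # swap and step back
            k = max(k - 1, 1)
    return b

def recover_digit(n, c, prefix=5180, m=9):
    """Find x in 0..m with (prefix + x)^3 = c (mod n) using the lecture's lattice."""
    # Coefficients of (prefix + x)^3 - c, ordered constant, linear, square, cubic.
    f = [prefix**3 - c, 3 * prefix**2, 3 * prefix, 1]
    basis = [[n, 0, 0, 0], [0, n * m, 0, 0], [0, 0, n * m**2, 0],
             [f[i] * m**i for i in range(4)]]
    v1 = lll(basis)[0]                           # approximate shortest vector
    h = [v1[i] // m**i for i in range(4)]        # scale back; division is exact
    roots = [x for x in range(m + 1)
             if sum(a * x**i for i, a in enumerate(h)) == 0]
    # v1 is only an approximate solution, so verify against the ciphertext.
    return [x for x in roots if pow(prefix + x, 3, n) == c]

N = 65537 * 104729            # constructed modulus, not the lecture's
C = pow(5188, 3, N)           # constructed ciphertext for x = 8

if __name__ == "__main__":
    print(recover_digit(N, C))
```
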