lattices
pictures
problems: SVP, CVP
volume/determinant, length of shortest vector
algorithms:
- in dimension 1, Euclidean alg
- in dimension n, LLL

cryptosystems
- GGH trapdoor: pick reduced basis R (trapdoor key),
  generate big basis B of same lattice (public key),
  message is interpreted as a subset of B, trapdoor one-way function
  is sum of the appropriate vectors in B;
  solving CVP in R is easy (hence trapdoor key allows inversion),
  but hard in B (hence secure without knowledge of trapdoor key)
- Ajtai-Dwork:
  private key is vector u from big ball
  public key is w_1,..,w_n,v_1,..,v_{n^3},
    each chosen by picking a vector on big ball orthogonal to u
    and then tweaking it a little bit by a tiny error vector
  w's form a basis for a lattice whose interior parallelepiped is P
  to encrypt 0: pick random sum of v's, and reduce mod P
  to encrypt 1: pick a random point in interior of P
  decryption: compute dot-product of vector with u;
    if it's small, it was a 0, else it was a 1
- GGH hash function: a subset-sum like thing
  public key: basis vectors w_1,..,w_{n^2}, each an n-vector over Z/qZ
  hashing an n^2-bit message:
    take sum of appropriate subset of basis vectors modulo q
  collision-free, since any collision implies a short vector
    l_1,..,l_{n^2} with l_i in {-1,0,1} and \sum_i l_i w_i = 0 mod q,
    hence ||l|| <= n^2
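
Worked example for the GGH trapdoor bullet above. This is an added toy instance, not code from the notes or from the GGH paper: the 3-dimensional basis R, the public basis B (obtained from R by two unimodular row transformations, so it spans the same lattice), the message bits and the error vector are all constructed here. As in the original GGH scheme the one-way function adds a small error to the subset sum, so that inverting it is a CVP instance; Babai rounding with the reduced basis R recovers the lattice point, while the same rounding with the long public basis B does not.

```python
from fractions import Fraction

# Constructed toy instance (not from the notes): a nearly orthogonal private
# basis R and a public basis B = U2 * U1 * R of the same lattice, where U1, U2
# are unimodular, so B has long, far-from-orthogonal rows.
GOOD = [[7, 1, 0], [1, 8, 1], [0, 1, 7]]            # trapdoor key R
BAD = [[9, 20, 23], [28, 72, 98], [23, 101, 198]]   # public key B
MESSAGE = [1, 0, 1]    # selects which rows of B are summed
ERROR = [1, -1, 1]     # small perturbation added to the subset sum


def vec_mat(v, M):
    """Row vector v times matrix M (the rows of M are the basis vectors)."""
    return [sum(v[i] * M[i][j] for i in range(len(M))) for j in range(len(M[0]))]


def mat_mul(A, B):
    return [vec_mat(row, B) for row in A]


def inverse(M):
    """Exact inverse over the rationals by Gauss-Jordan elimination."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        p = A[col][col]
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def same_lattice(A, B):
    """True if each basis is an integer combination of the other."""
    def integral(M, N):
        return all(x.denominator == 1 for row in mat_mul(M, inverse(N)) for x in row)
    return integral(A, B) and integral(B, A)


def babai_round(target, basis):
    """Babai's rounding: express target in the basis, round the coordinates,
    map back.  Solves CVP when the basis is close to orthogonal."""
    coeffs = vec_mat(target, inverse(basis))
    return vec_mat([round(x) for x in coeffs], basis)


def encrypt(bits, public_basis, error):
    """The trapdoor one-way function: sum of the rows of B selected by the
    message bits, plus a small error (so inversion is a CVP instance)."""
    point = vec_mat(bits, public_basis)
    return [p + e for p, e in zip(point, error)]


def decrypt(cipher, reduction_basis, public_basis):
    """Round to a lattice point using reduction_basis, then read off the
    coefficients of that point with respect to the public basis."""
    point = babai_round(cipher, reduction_basis)
    return [int(x) for x in vec_mat(point, inverse(public_basis))]


if __name__ == "__main__":
    c = encrypt(MESSAGE, BAD, ERROR)
    print("same lattice:", same_lattice(GOOD, BAD))
    print("ciphertext:", c)
    print("decrypt with R:", decrypt(c, GOOD, BAD))   # recovers MESSAGE
    print("decrypt with B:", decrypt(c, BAD, BAD))    # rounding fails
```

The error vector (1, -1, 1) has coordinates of size 1/6 in the R-basis, well inside the rounding threshold of 1/2, which is why rounding with R lands on the right lattice point; in the B-basis the same error has coordinates of size 20 and more, so rounding with B lands on a different point.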

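Worked example for the GGH hash bullet, making the collision-resistance argument concrete. This is an added toy instance, not code from the notes: the parameters n = 2, q = 3 and the four public vectors are constructed so that the 16 possible messages must collide by pigeonhole (only 9 hash values exist); at real sizes one does not find collisions this way, the point is only to check that any collision hands over a vector l with entries in {-1, 0, 1} satisfying the modular relation from the notes.

```python
import itertools

# Constructed toy parameters (not from the notes): n = 2, q = 3, so the public
# key has n^2 = 4 vectors, each in (Z/3Z)^2, and a message has n^2 = 4 bits.
N, Q = 2, 3
W = [[1, 2], [2, 2], [0, 1], [1, 0]]   # constructed public key w_1..w_{n^2}


def ggh_hash(bits, w=W, q=Q, n=N):
    """Subset-sum hash: add the public vectors selected by the bits, mod q."""
    assert len(bits) == n * n
    return tuple(sum(b * row[j] for b, row in zip(bits, w)) % q for j in range(n))


def find_collision(w=W, q=Q, n=N):
    """Exhaustive search over all n^2-bit messages; feasible only because the
    toy message space (16) exceeds the number of digests (q^n = 9)."""
    seen = {}
    for bits in itertools.product((0, 1), repeat=n * n):
        h = ggh_hash(bits, w, q, n)
        if h in seen:
            return seen[h], bits
        seen[h] = bits
    return None


def short_vector_from_collision(m1, m2):
    """l = m1 - m2 has entries in {-1, 0, 1} and sum_i l_i w_i = 0 mod q."""
    return [a - b for a, b in zip(m1, m2)]


def is_short_modular_relation(l, w=W, q=Q, n=N):
    """Check the properties the notes derive from a collision."""
    nonzero = any(l)
    entries_ok = all(x in (-1, 0, 1) for x in l)
    relation_ok = all(sum(x * row[j] for x, row in zip(l, w)) % q == 0
                      for j in range(n))
    length_ok = sum(abs(x) for x in l) <= n * n     # ||l|| <= n^2
    return nonzero and entries_ok and relation_ok and length_ok


if __name__ == "__main__":
    m1, m2 = find_collision()
    l = short_vector_from_collision(m1, m2)
    print("colliding messages:", m1, m2, "digest:", ggh_hash(m1))
    print("short vector l:", l, "valid relation:", is_short_modular_relation(l))
```
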
cryptanalysis:
- approximate relations: given vectors v_1,..,v_n over Z,
  find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (or = 0)
  and ||a|| is small
- modular relations: given vectors v_1,..,v_n over Z/mZ,
  find a_1,..,a_n in Z so that \sum_i a_i v_i ~= 0 (mod m) (or = 0 (mod m))
  and ||a|| is small
- knapsack: given v_1,..,v_n,w in Z, find a_1,..,a_n in {0,1}
  so that \sum_i a_i v_i = w
- minimal polynomials
- breaking subset-sum hash
- (breaking truncated LCGs)
- Coppersmith's theorem
- Håstad's broadcast attack on RSA
- Coppersmith's short-padding attack on RSA