Reread: Bad Agent:

Inserting and Activating Backdoor Attacks in LLM Agents

References: https://github.com/DPamK/BadAgent

keyword ⛵ : Backdoor Attacks; LLM Agents; Data Poisoning; ASR; FSR; Mind2Web

Reading: Peikert’s survey as the wide-angle frame[^peikert-survey], Albrecht-Player-Scott for concrete-LWE attack modeling[^aps], Chen-Nguyen for BKZ quality heuristics[^cn11], the Homomorphic Encryption Standard for published parameter-table practice[^he-standard], and the LWE Estimator for the operational interface between these papers and actual numbers[^estimator].

Parts 0-3 fixed the geometric vocabulary: bases, reduced bases, SVP/CVP, cosets, and short modular witnesses. A deployed lattice scheme then adds concrete parameters such as dimension, modulus, secret distribution, error distribution, and sample count. None of those symbols, by itself, proves that one parameter set costs an attacker $2^{128}$ steps. That last sentence is not a theorem output. It is an attacker model layered on top of the theorem.

So this chapter stays on the attacker side of the interface. The real objects are primal attacks, dual attacks, BKZ block size, root-Hermite factor, and the estimator-style chain that turns $(n,q,\chi,k,m)$ into a work factor only after a long list of modeling decisions has been fixed.

This chapter therefore separates asymptotic hardness claims from concrete parameter-setting practice. It defines primal and dual attack viewpoints clearly, then uses concrete security estimation and attack-cost modeling to map parameter choices to attack-cost estimates.

In that exact sense, the goal is to connect BKZ quality assumptions to concrete lattice-scheme security reasoning rather than to repeat a security badge from the reduction side.

From lattice trapdoors to identity-derived keys, hierarchical delegation, attribute policies, and function-restricted decryption.

Reading: PAE

Trustworthy deep learning.

Reading: Peikert’s wide-angle survey for the lattice backbone[^peikert], Brakerski’s FHE survey for the leveled-to-full control argument[^brakerski-survey], and the Gentry / BGV / BV / GSW / FV papers for the actual mechanism[^gentry][^bgv][^bv][^gsw][^fv]. Beyond Parts 0-3, the only extra objects needed here are introduced locally: noisy LWE-style decryptions, structured ring or module arithmetic, gadget bases, and evaluation keys. Part 7 is where those objects become one controlled evaluation procedure.

The procedure fails at a very specific point. Addition keeps decryption inside the same noisy linear relation. Multiplication does not. It lifts the decryption equation from a linear secret-key basis to a higher-degree basis, enlarges the ciphertext object, and spends decoding margin at the same time. If FHE is to support general evaluation, it needs a control layer exactly at that break.

That control layer is gadget decomposition plus evaluation keys. Once that interface is explicit, key switching becomes a noisy basis change, relinearization becomes the special case that removes post-multiplication secret-key degree, and the leveled-versus-fully-homomorphic split becomes a question of whether the noise budget can be managed forever or only up to a fixed depth.[^brakerski-survey]

从拉格朗日插值法到 FFT. Part-1.

It was listed by the Science magazine as one of the ten greatest algorithms in the 20th century

从 FT 开始加速多项式乘法。主要记录了笔者学习傅里叶变换这一特殊线性变换时的笔记。