Hello everyone, I'm going to present our work, "Integral Matrix Gram Root and Lattice Gaussian Sampling without Floats". This is joint work with Léo Ducas, Steven Galbraith, and Thomas Prest. I am Yang Yu. This work is about the interaction between the mathematicians Lagrange and Gauss. Our main result is a lattice Gaussian sampler. Compared with previous algorithms, this sampler works without floating-point arithmetic, and it achieves a similar quality but with less memory and simpler base sampling. Our techniques are some algorithms for the integral Gram decomposition problem, that is: given an integral positive definite matrix Σ, find some integral matrix A such that A·Aᵀ = Σ. This can be viewed as an extension of Lagrange's four-square theorem to matrices. Actually, Lagrange's four-square theorem corresponds to the case n = 1 and m = 4.

Okay, let's start with some background. A lattice is a discrete subgroup of Euclidean space, and it can be expressed by a basis. A lattice has infinitely many bases; we call a basis consisting of short vectors a good basis. The discrete Gaussian is an important distribution over a lattice. It is specified by three parameters: the lattice Λ, the center, and the covariance matrix Σ. For a discrete Gaussian, the probability of each lattice point is proportional to the value of the Gaussian function. In particular, when Σ is s² times the identity matrix, we call the discrete Gaussian spherical, and the parameter s is the width of the spherical Gaussian. With a good basis, we can efficiently sample from some spherical Gaussian of relatively small width, but the Gaussian itself leaks nothing about the good basis. For this reason, discrete Gaussian sampling is widely used in lattice cryptosystems, including signatures, IBE, and ABE. In these cases, the good basis is given by the lattice trapdoor, and the target distribution is some spherical Gaussian with a given center.
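To make the n = 1, m = 4 case concrete, here is a toy brute-force search (my own illustration, not part of the paper; real implementations use much faster number-theoretic algorithms). A non-negative integer σ is decomposed so that the 1×4 integer matrix A = (a₁ a₂ a₃ a₄) satisfies A·Aᵀ = σ:

```python
from itertools import product
from math import isqrt

def four_square_root(sigma: int):
    """Return (a1, a2, a3, a4) with a1^2 + a2^2 + a3^2 + a4^2 == sigma.

    Toy brute force: Lagrange's four-square theorem guarantees a solution
    exists, which is exactly the n = 1, m = 4 case of IGDP.
    """
    bound = isqrt(sigma)
    for a in product(range(bound + 1), repeat=4):
        if sum(x * x for x in a) == sigma:
            return a
    raise ValueError("unreachable, by Lagrange's four-square theorem")

A = four_square_root(30)          # 30 = 0 + 1 + 4 + 25, for instance
assert sum(x * x for x in A) == 30
```

The search is exponential in the bit size of σ and is only meant to show what the m = 4 base case of the decomposition looks like.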
The quality of a Gaussian sampler is the minimal Gaussian width it can achieve. Actually, a smaller Gaussian width implies a higher security level, hence a higher quality of the sampler. Currently, there are two main approaches to lattice Gaussian sampling. The first one is the KGPV sampler. It was proposed by Klein, and then first used for lattice cryptography by the famous GPV paper. This sampler can be viewed as a randomized version of Babai's nearest plane algorithm. The second approach was proposed by Peikert, and the Peikert sampler can be viewed as a randomized version of Babai's rounding-off algorithm. Compared with the KGPV sampler, Peikert's algorithm has some quality loss, but it is more efficient. In addition, Peikert's sampler turns out to be convenient in the lattice trapdoor setting. In this work, we focus on Peikert's sampler; let's recall it in detail.

The high-level idea of Peikert's algorithm is Gaussian convolution. Note that with the sampling basis B, it is easy to sample from some discrete Gaussian of covariance B·Bᵀ. Actually, this can be done by first doing some integer Gaussian sampling, and then applying the transformation B. This Gaussian is non-spherical. To rectify it into a spherical Gaussian, Peikert proposed to add some perturbation vector of a certain covariance Σp, and he showed that the sum of these two non-spherical Gaussians can be a spherical one, just as in the case of continuous Gaussians. The sampling of the perturbation vector is independent of the input center, so it can be performed in the offline phase. In the online phase, we only need to deal with one-dimensional Gaussian sampling, and that is relatively easy. Indeed, the online sampling can be fully performed over the integers. However, the offline sampling still heavily relies on floating-point arithmetic. That is because, on the one hand, it requires some continuous Gaussian sampling, and on the other hand, it requires some Gram root A of Σp.
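The first half of this convolution, sampling with covariance s²·B·Bᵀ by pushing independent integer Gaussians through B, can be sketched in a few lines. This is a toy sketch of mine with a naive rejection sampler, not a secure or constant-time implementation:

```python
import math
import random

def sample_z(s: float, tau: float = 6.0) -> int:
    """Toy rejection sampler for a centered discrete Gaussian over Z of width s."""
    bound = int(tau * s)
    while True:
        z = random.randint(-bound, bound)
        if random.random() < math.exp(-z * z / (2 * s * s)):
            return z

def sample_BBt(B, s):
    """Sample (roughly) from a lattice Gaussian of covariance s^2 * B * B^T:
    integer Gaussian sampling followed by the linear map B."""
    n = len(B[0])
    x = [sample_z(s) for _ in range(n)]
    return [sum(B[i][j] * x[j] for j in range(n)) for i in range(len(B))]

y = sample_BBt([[2, 1], [0, 3]], s=4.0)  # a point of the lattice spanned by B
```

By construction, the output y = B·x always lies in the lattice generated by B; it is exactly this skew (covariance B·Bᵀ rather than a scalar matrix) that the perturbation of covariance Σp is added to cancel.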
And the only suggested way to compute such an A is the Cholesky decomposition, so that A is a square matrix but of high precision. There are many drawbacks to floating-point arithmetic. For example, it requires some tedious numerical stability analysis, and high precision leads to extra storage and lower efficiency. Moreover, floating-point arithmetic suffers from weak determinism: even with the same input and the same randomness, the result can be different on different machines. This may be dangerous for some applications like signatures and IBE. So, we want to get rid of floating-point arithmetic in the whole lattice Gaussian sampling. This is the motivation of our work.

Our main idea is to use a rectangular but integral Gram root to replace the previous square but real Cholesky root. To this end, we formally studied the integral Gram decomposition problem, IGDP. The IGDP problem is specified by four parameters, where n is the dimension of the matrix Σ, and B is an upper bound on the spectral norm of Σ. Both n and B are determined by the cryptosystem itself. The parameter d is proportional to the final Gaussian width, so it mainly determines the quality of the final Gaussian sampler. And m equals the number of required integer samplings; in our sampler, the integer samplings are centered. Our goal is to solve the IGDP problem with fixed n and B, while keeping d only slightly larger than B, and m relatively small. We note that, for the case n = 1, the IGDP problem can be solved by Lagrange's four-square theorem with m = 4. For the general case, our idea is to reduce an IGDP instance of a large dimension to one of a smaller dimension, and this can be expressed as this reduction. To build such a reduction, we make use of gadget decomposition. Actually, by a gadget decomposition, we can express a vector consisting of large coefficients as the product of a small matrix and the gadget vector g.
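This gadget step can be illustrated with balanced base-b digits (a toy sketch of mine; the function name and parameter choices are illustrative, not the paper's): a vector v with large entries is rewritten as T·g, where g = (1, b, b², …, b^{k−1}) and T has small entries.

```python
def gadget_decompose(v, b=4, k=6):
    """Return T (len(v) x k, entries in [-b//2, b//2]) with T @ g == v,
    where g = (1, b, b^2, ..., b^{k-1}) is the gadget vector."""
    T = []
    for x in v:
        digits = []
        for _ in range(k):
            r = x % b
            if r > b // 2:        # balanced digits keep the entries small
                r -= b
            digits.append(r)
            x = (x - r) // b
        assert x == 0, "k too small for this entry"
        T.append(digits)
    return T

g = [4 ** i for i in range(6)]
T = gadget_decompose([1000, -777], b=4, k=6)
for row, x in zip(T, [1000, -777]):
    assert sum(t * gi for t, gi in zip(row, g)) == x   # T @ g recovers v
```

The point is the size trade-off visible in the parameters: the entries of T are bounded by b/2 regardless of how large the entries of v are, at the price of k columns per coordinate.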
So, we can first compute a Gram matrix according to Σ. Then, adding this Gram matrix to Σ, we can clean out the elements in the first row and column. The remaining diagonal element can be dealt with by the four-square decomposition, and this lower-right block actually corresponds to an IGDP instance of dimension n − 1. So, we get this reduction. Repeating this reduction, we can finally compute an integral Gram root A of the matrix dI − Σ. The resulting matrix A has a regular structure like this. Indeed, the column number of A can be much larger than n, but the interesting fact here is that such a rectangular matrix A can be efficiently stored, and the overall storage is independent of the column number. That is because for a large column number, the gadget base b is small, so the off-diagonal elements here are small.

So far, we have solved some IGDP instances, but the gadget decomposition only applies to some large parameter d. This implies a significant overhead on the final Gaussian width. To overcome this issue, we also consider another reduction called eigenvalue reduction. This reduction allows us to reduce the IGDP instance for a matrix of large spectral norm to one for a matrix of small spectral norm. To build it, our idea is simple: we precompute some integral approximate square root of the matrix. Then, to decompose the matrix dI − Σ, we only need to decompose a matrix d′I − Σ′, where the spectral norm of Σ′ is much less than the spectral norm of Σ. Note that the overhead is only related to the small matrix Σ′, so it can be negligible compared with the original parameter B, and this leads to a negligible overhead on the final Gaussian width. Combining the eigenvalue reduction and the gadget decomposition, we get our final decomposition. In some advanced applications like HIBE and ABE, the spectral norm of the matrix can be very large, and in such a setting, the final decomposition could be like this.
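The effect of eigenvalue reduction can be shown numerically. The toy sketch below (my own code, not the paper's algorithm) uses floating point purely for illustration, whereas the actual algorithm computes the approximate square root with integer arithmetic: after subtracting B·Bᵀ for a rounded integer square root B, the residue has a much smaller spectral norm than the original matrix, so the remaining instance is much easier.

```python
import numpy as np

rng = np.random.default_rng(1)
M = rng.integers(-50, 50, size=(4, 4))
Sigma = M @ M.T                                 # integral positive semidefinite
d = int(np.linalg.norm(Sigma.astype(float), 2)) + 10
target = d * np.eye(4, dtype=np.int64) - Sigma  # the matrix d*I - Sigma to decompose

# Integer approximation B of the square root of the target
# (floats used here only for the illustration).
w, V = np.linalg.eigh(target.astype(float))
B = np.rint(V @ np.diag(np.sqrt(w)) @ V.T).astype(np.int64)

residue = target - B @ B.T                      # what is left to decompose
assert np.linalg.norm(residue.astype(float), 2) \
       < np.linalg.norm(target.astype(float), 2) / 2
```

The residue's spectral norm scales roughly like the square root of the target's, which is why the extra Gaussian-width overhead contributed by this leftover part is negligible compared with B.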
We first perform the eigenvalue reduction once, and then we apply the gadget decomposition with k = 3. The resulting integral Gram root will have a column number of about 9n, and this method applies to some d that is only slightly larger than B. With such an integral Gram root, we can adapt Peikert's sampler to an integer version. This is the comparison between our sampler and Peikert's. We can see our algorithm achieves asymptotically better storage. That is because Peikert's sampler is required to store the Cholesky root, and the coefficients of this matrix require a precision of about λ bits, where λ is the security parameter. Also, the base sampling in our algorithm is easy to implement, and no float is used in our algorithm. The quality of the final Gaussian is almost the same as in Peikert's approach.

So far, we have seen the sampling algorithm for generic integer matrices. For better performance, many lattice cryptosystems are actually built in the ring setting. The previous algorithms can indeed apply to the ring setting by simply viewing a ring element as its matrix form. However, the decomposition algorithm would break the underlying ring structure, so it would lose the efficiency advantage of the ring. To maintain this advantage in the ring setting, we want the integral Gram root to preserve the underlying structure. Driven by this, we formally studied the IGDP problem over rings. Here, we introduce the underlying ring as a new parameter. In this work, we focused on the case of power-of-two cyclotomic rings. To solve the generalized IGDP problem over a ring, we followed a similar idea of reducing the problem to smaller dimensions. But this time, we are required to decompose some polynomial in the ring setting. To do so, we need a reduction on the underlying ring, and by this reduction, we can write a polynomial d − f as the sum of a series of polynomials aᵢ·aᵢ*.
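Two facts about this star operation can be checked directly on coefficient vectors. This is a toy sketch of mine for R = Z[x]/(xⁿ + 1) with n a power of two (function names are illustrative): the matrix form of a* is the transpose of the matrix form of a, and any product a·a* is self-adjoint, so a sum of terms aᵢ·aᵢ* is self-adjoint too.

```python
def adjoint(a):
    """a*(x) = a(x^{-1}) in Z[x]/(x^n + 1): a*_0 = a_0, a*_i = -a_{n-i}."""
    n = len(a)
    return [a[0]] + [-a[n - i] for i in range(1, n)]

def polymul(a, b):
    """Multiplication modulo x^n + 1 (negacyclic wrap-around)."""
    n = len(a)
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return c

def matrix_form(a):
    """Rows of the negacyclic matrix of a: column j is a(x) * x^j mod x^n + 1."""
    n = len(a)
    cols, col = [], list(a)
    for _ in range(n):
        cols.append(list(col))
        col = [-col[-1]] + col[:-1]          # multiply by x, using x^n = -1
    return [[cols[j][i] for j in range(n)] for i in range(n)]

a = [1, 2, 0, -1]                            # an element of Z[x]/(x^4 + 1)
assert matrix_form(adjoint(a)) == [list(r) for r in zip(*matrix_form(a))]
g = polymul(a, adjoint(a))
assert g == adjoint(g)                       # a * a-star is self-adjoint
```

These are exactly the properties that make d − f = Σᵢ aᵢ·aᵢ* a ring analogue of the Gram decomposition: taking matrix forms turns each aᵢ·aᵢ* into a term of the shape AᵢAᵢᵀ.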
Here, the star denotes the complex conjugation. Note that the matrix form of a* is actually the transpose of the matrix form of a, and here d is an integer. So, this can be viewed as an analogue of the four-square decomposition for power-of-two cyclotomic rings. To build such a reduction on the underlying ring, we developed a new tool called the ring gadget. Let's recall some simple facts. First, a polynomial f can be expressed by two subring elements, f_e and f_o, where f_e corresponds to the even part and f_o corresponds to the odd part of f. Second, when the polynomial f is self-adjoint, that is, f = f*, this odd part is actually the sum of some polynomial and its complex conjugate. To project the problem onto a subring, we only need to clean out the odd part of the polynomial, and this can be done by simply adding some polynomial of the form a·a* to f. We note that this projection is also compatible with the gadget decomposition: instead of adding one polynomial a·a*, we can first compute a series of aᵢ according to the gadget decomposition, and then add the sum of the aᵢ·aᵢ*. So we call the combination of gadget decomposition and projection a ring gadget, and by the ring gadget, we can build the reduction on the underlying ring.

Okay, with an integral Gram root over the ring, we can adapt the previous algorithm into a ring-based Gaussian sampler. Compared with the previous generic solution, the ring-based sampler achieves a quasi-linear improvement in both storage and running time. But the cost is that it requires more base samplings, because the resulting Gram root in the ring setting has an even larger column number than in the generic solution.

Okay, to conclude: in this work, we formally studied the IGDP problem, the integral Gram decomposition problem. This can be viewed as an extension of Lagrange's four-square theorem to matrices. As an application, we propose a lattice Gaussian sampler. It does not rely on floating-point arithmetic,
and it can be fully performed over the integers. That is my talk. Thank you.