Thank you for the introduction. I want to start with a few words of motivation. Over the last decade and a half, lattice-based crypto has become very popular, and if you look for the reasons why, you usually see a combination of the following. On the one hand, lattices are very powerful: they allow us to construct things we don't know how to do otherwise, for example fully homomorphic encryption, IBEs, and things like that. Furthermore, they are, at least up to this point, believed to be post-quantum secure. They also enjoy very strong guarantees in terms of average-case security, which stem from worst-case to average-case reductions. And they allow for simple and efficient implementations, because in the end it is usually just matrix-vector multiplication over relatively small integers; if you go to the ring setting you may have to multiply ring elements, but the arithmetic is still over small integers and fairly simple.

There is a caveat, though, and that caveat is discrete Gaussian sampling, an operation that is part of many lattice-based crypto schemes. When it comes to discrete Gaussian sampling, I would say you can have either simple or efficient, but not really both. That is what our work addresses.

Before going into detail about what we do and how, I want to quickly define discrete Gaussian sampling. A discrete Gaussian sampler is an algorithm that samples from a specific distribution, the discrete Gaussian. First, we define the Gaussian function as e to the minus pi x squared; that is the standard Gaussian function. You can define a scaled and shifted version of it by giving a center c and a noise parameter s, which shift and scale the function accordingly. The discrete Gaussian is then simply the distribution that is proportional to this Gaussian function but restricted to a discrete set; in our case that set is mostly going to be the integers, but other sets are possible. I have visualized this distribution here: the elements are on the x-axis, every dot corresponds to the probability of that element, and you get the typical bell curve. Note that the center does not have to be an integer, even though the distribution is restricted to the integers. In fact, you can view discrete Gaussian sampling as a rounding procedure that rounds the center to a nearby integer according to these probabilities.

Now, where do we encounter the discrete Gaussian in lattice-based crypto? It usually comes up in one of two settings. In the first, which we call the fixed setting, the parameters of the distribution, the center c and the noise parameter s, are fixed once and for all throughout the system. This is used in most LWE-based schemes, where the center is zero: if you are familiar with the learning with errors problem, the errors usually follow exactly this distribution, a zero-centered discrete Gaussian with a fixed parameter s. In the other setting, which we call the generic setting, both parameters, the center and the noise parameter, can be variable; they vary per query.
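To make the definition above concrete, here is a small numerical sketch (my own illustration, not code from the talk or the paper; the truncation of the support is just for the demo). It computes the probabilities of the discrete Gaussian over the integers for a given center c and noise parameter s:

```python
import math

def rho(x, s=1.0, c=0.0):
    """Scaled and shifted Gaussian function: exp(-pi * (x - c)^2 / s^2)."""
    return math.exp(-math.pi * (x - c) ** 2 / s ** 2)

def discrete_gaussian_pmf(s, c, tail=10):
    """Probabilities of the discrete Gaussian over Z with center c and parameter s,
    restricted to integers within tail*s of the center (truncation for the demo only)."""
    lo, hi = math.floor(c - tail * s), math.ceil(c + tail * s)
    support = range(lo, hi + 1)
    weights = [rho(x, s, c) for x in support]
    norm = sum(weights)                          # proportionality constant
    return {x: w / norm for x, w in zip(support, weights)}

# Example: a non-integer center; the most likely output is the nearest integer,
# which is the "randomized rounding" view of discrete Gaussian sampling.
pmf = discrete_gaussian_pmf(s=4.0, c=0.3)
print(max(pmf, key=pmf.get))                     # 0
```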
So when I ask the algorithm for a sample in the generic setting, I specify the center and the noise parameter, and I want to get back a sample from that specific distribution, the one defined by this c and this s. The most prominent application of that setting is lattice trapdoor sampling. Lattice trapdoors are very popular in more advanced lattice-based schemes, usually for CCA-secure encryption, signatures secure in the standard model, IBE schemes, and so on. That is where trapdoor sampling comes in most of the time.

For the fixed setting we actually have quite a few algorithms, and they achieve different time-memory trade-offs. They usually do so by doing precomputation based on the center and noise parameter, which are fixed, so you can precompute and store information about the distribution. The most efficient algorithms, for example, store the probability of every element in the support of the distribution in a table, and sampling then becomes a randomized lookup into that table. So they store information that is linear in the noise parameter. This is good for small distributions; as the distribution grows wide, it becomes impractical. But there are other algorithms that achieve different trade-offs.

In the variable, or generic, setting we don't really have anything like that so far, and you can see why: if you don't know the center and the noise parameter of your distribution, what are you going to precompute? What we do in our work is reduce the generic setting to the fixed setting, so we exploit algorithms for the fixed setting in order to generate samples from arbitrary discrete Gaussians.

Before I go into more detail about how we achieve this, I want to go over the structure of the algorithm and tell you why we think it is a good idea. The high-level overview is that we start with two fixed samplers, here over 2Z with centers 0 and 1. Alternatively, you can think of them as samplers over Z with centers 0 and one half; it doesn't really make a difference. These take no input; they just produce samples from their fixed distributions. Our algorithm gets as input the center and the noise parameter and then cleverly combines these base samples in a way that produces the correct distribution.

Why do we think this is a good idea? On the one hand, we can ensure that the noise parameter of these fixed distributions is quite small, just a constant, so we can take advantage of the most efficient algorithms for the fixed setting without spending too much memory. This makes our algorithm quite efficient. Furthermore, we are not restricted to two samplers: if we have more memory to spend, we can add more samplers, and this makes the combination phase much faster. So we get a time-memory trade-off for generic sampling, which is actually the first of its kind. Finally, notice that these base samplers don't get any input; they are completely independent of c and s.
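As a concrete illustration of such fixed samplers (a rough sketch under my own assumptions: the class name FixedSampler2Z, the parameter S0, and the tail cut-off are mine, and this is not the implementation from the paper), here are the two base samplers over 2Z with centers 0 and 1, realized as table-based samplers whose storage grows linearly with the noise parameter:

```python
import bisect
import math
import random

class FixedSampler2Z:
    """Discrete Gaussian over 2Z with a fixed center c and fixed noise parameter s0.

    The cumulative table is precomputed once (storage linear in s0); each sample
    is then just a randomized lookup into that table.
    """
    def __init__(self, s0, c, tail=12):
        lo = 2 * math.floor((c - tail * s0) / 2)
        hi = 2 * math.ceil((c + tail * s0) / 2)
        self.support = list(range(lo, hi + 1, 2))          # even integers only
        weights = [math.exp(-math.pi * (x - c) ** 2 / s0 ** 2) for x in self.support]
        total = sum(weights)
        self.cdf, acc = [], 0.0
        for w in weights:
            acc += w / total
            self.cdf.append(acc)

    def sample(self):
        u = random.random()                                # randomness for the lookup
        i = min(bisect.bisect_right(self.cdf, u), len(self.support) - 1)
        return self.support[i]

S0 = 8.0                                                   # hypothetical base noise parameter
base = {0: FixedSampler2Z(S0, 0), 1: FixedSampler2Z(S0, 1)}
print(base[0].sample(), base[1].sample())                  # even integers near 0 and near 1
```

A production sampler would use fixed-point probability tables and constant-time lookups rather than floats and binary search; the sketch is only meant to show the structure of a table-based fixed sampler.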
This means you can split the algorithm into an offline and an online phase. The offline phase simply produces these base samples; you can precompute them and store them somewhere. The online phase then just combines these samples using very simple arithmetic, so the online phase of our algorithm is extremely fast. This allows you, for example, to do the precomputation ahead of time and store the samples on a small device, or to produce them on a web server during idle times when it is not doing anything else. You can even separate the two phases onto two different systems, where the offline part is done, say, in a hardware module specialized to this task; we have algorithms that run really fast in hardware for the fixed setting, not so much for the generic setting. And if you run the two phases in parallel, the offline phase is basically for free.

Last but not least, our algorithm naturally ensures that every output sample consumes the same number of base samples: for every query we give to the sampler, the number of base samples it uses, and in fact the number of steps, is exactly the same. So the online phase is naturally constant time. If you implement the arithmetic operations in the sampler in constant time, you immediately get a constant-time online phase, and then separating out the offline phase, or producing the base samples in large batches, very easily gives you a constant-time algorithm without paying a large penalty in efficiency. That is quite unusual for discrete Gaussian sampling, which has traditionally been hard to do in constant time.

So there you have it: the three adjectives we claim in the paper. Our sampler is generic, it can be implemented very efficiently, and it can be implemented in constant time with hardly any overhead.
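To illustrate the offline/online split (a minimal sketch under my own assumptions: the class OfflineBuffer and the batch size are hypothetical, and it reuses the base samplers from the sketch above), the offline phase fills queues of base samples ahead of time, and the online phase only pops a fixed number of them per query:

```python
from collections import deque

class OfflineBuffer:
    """Offline phase: fill queues of base samples ahead of time; online phase: pop them."""
    def __init__(self, samplers, batch=1024):
        self.samplers = samplers                         # e.g. the `base` dict from above
        self.queues = {key: deque() for key in samplers}
        self.batch = batch

    def refill(self):
        # Offline: can run during idle time, in large batches, or on separate hardware.
        for key, sampler in self.samplers.items():
            self.queues[key].extend(sampler.sample() for _ in range(self.batch))

    def pop(self, key):
        # Online: a constant-time dequeue per base sample (refill only if we ran dry).
        if not self.queues[key]:
            self.refill()
        return self.queues[key].popleft()

buffer = OfflineBuffer(base)            # `base` = the two fixed samplers from the earlier sketch
buffer.refill()                         # offline phase
x0, x1 = buffer.pop(0), buffer.pop(1)   # online phase consumes precomputed samples
```

The point is only that the online side never calls the base samplers directly, so it can be made constant time independently of how and when the base samples were produced.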
Now I want to talk a bit more about how we actually achieve this, and where the time-memory trade-off and the offline/online split come from. Our main tool is going to be convolution. There are a bunch of convolution theorems in the literature, and they all have the same flavor: you start out with two or more base distributions, D1 and D2, which are fixed, and you produce a sample from each of them. The convolution theorems then tell you that you can combine these samples in specific ways so that the output follows a different distribution. You can see how this might help us: if we combine samples from fixed distributions in the right ways, we get out different distributions. Now, getting out exactly the distribution we want is not trivial; it actually requires quite a bit of work, otherwise this wouldn't be a crypto presentation.

The idea itself is not entirely new; it has been used before in the fixed setting. Recall that the most efficient fixed-setting algorithms require storage linear in the noise parameter. So if you have a fixed distribution with a large noise parameter, you can use convolution to reduce the memory overhead: produce samples from a smaller distribution and then combine them into the big one. That has been done before. We generalize this idea a little and analyze it in a more general setting, and we use a similar technique to make sure that our base samplers have small noise. So this shows that we have some leverage with regard to the noise parameter.

What I want to focus on in this talk, though, is the second parameter: how we handle the different centers that we get as input. Recall that one view of discrete Gaussian sampling is that you get a center and you round it to a nearby integer. Instead of doing that in one step, we are going to round the center step by step to a coarser and coarser grid until it is an integer, and that integer is the output sample. For each individual step, we make sure that the rounding is done by a discrete Gaussian, and then the convolution theorems tell us that the final result is also a discrete Gaussian with the correct center. I know this is a little vague, and unfortunately I don't have time to go into much more detail; this is just to give you a sense of how the algorithm works.

So now the question is how to do every individual step using only a fixed number of base samples, in fact just two base samplers. The idea is this: we assume that the center c we are given is an element of Z divided by 2 to the k, so it has a k-bit binary expansion. The goal of one step is to round it to a center in Z divided by 2 to the k minus 1; in other words, we want to round away just the last bit, and do so by a discrete Gaussian. We do this by drawing a sample x from the base sampler whose center is given by the last bit b_k of c, adding that bit back to the sample, and dividing by 2 to the k. Note that x is actually a sample in 2Z, so it is even: if b_k is 0, x plus b_k remains even, and if b_k is 1, x plus b_k is odd. So the last bit of x plus b_k is exactly b_k, and after dividing by 2 to the k, its bit at position 2 to the minus k is exactly b_k. If we subtract this from c, the last bit of c becomes 0, so c is now an element of Z divided by 2 to the k minus 1, which was exactly the goal. And this is a valid discrete Gaussian rounding. We repeat this step by step until c is an element of Z, and we get exactly a discrete Gaussian with the correct center.

OK, now where does the time-memory trade-off come from? It mostly comes from the fact that you don't have to express c in binary; you can express it in other bases. For example, if you express it in base 8, you only have a third of the digits, since every three bits become one digit in base 8, and you can round one digit at a time, so you only make a third of the steps. But now you need base samplers not over 2Z but over 8Z, and moreover you need one for every possible coset of 8Z, that is, with centers 0, 1, 2, up to 7. So you need eight base samplers, which takes more memory to store, but the combining algorithm runs in a third of the time. That is the time-memory trade-off.
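Here is a sketch of the binary, two-sampler version of this rounding step (my own reconstruction of the idea as described in the talk, not the paper's exact algorithm; in particular the sign and offset conventions are mine, chosen to keep the sketch self-consistent, and it reuses the `base` samplers with parameter S0 from the earlier sketch). In a deployment the base samples would come from the offline buffer rather than from direct sampler calls:

```python
def round_center(c, k, base):
    """Round a center c with (at most) k fractional bits to an integer, one bit per step.

    Each step clears the least significant remaining bit of the center using one base
    sample, which is a discrete Gaussian rounding onto the next coarser grid. The output
    is an integer distributed approximately as a discrete Gaussian centered at c; in this
    sketch its noise parameter is fixed at roughly S0 / sqrt(3).
    """
    m = round(c * (1 << k))          # exact numerator: the current center is m / 2^i
    for _ in range(k):               # always exactly k steps -> constant-time online phase
        b = m & 1                    # least significant bit of the current center
        x = base[b].sample()         # even integer, Gaussian with parameter S0 around b
        m = (m - (x - b)) // 2       # subtract (x - b) / 2^i from the center: last bit cleared
    return m                         # the center is now an integer; that integer is the sample

# Usage: request samples with an arbitrary center, truncated to k = 16 bits
# (finite precision is fine, since we only need to approximate the ideal distribution).
k = 16
samples = [round_center(3.1415926, k, base) for _ in range(5)]
```

Note that this sketch only handles the center: the actual algorithm additionally adjusts the noise parameter to the requested s using further convolutions, which are omitted here.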
The constant-time property essentially stems from the fact that no matter which center we get, we need the same number of steps, and that comes from the fact that we can assume the center has a finite expansion, in whatever base we use. The fundamental reason we can assume that is that we don't actually need to produce the exact output distribution; it is fine to just approximate the ideal discrete Gaussian. Most algorithms do exactly that: they don't produce the exact distribution, they produce an approximate one, and that is usually good enough. But "good enough" has to be quantified, and there are several tools out there to quantify this security-versus-approximation trade-off.

The most classical one is the statistical distance, which has traditionally been used to evaluate how close you need to be to the ideal discrete Gaussian in order to preserve security. The statistical distance is a very nice tool to use in the analysis: it has a simple definition, you can get easy bounds on it, and it is a metric, which makes it easy to analyze even complex algorithms that involve many steps, each of which may lose some distance to the ideal distribution. More recently, the KL divergence has become more popular, or other divergences; I am singling out the KL divergence as the more popular tool, but other ones are possible. The KL divergence, as the name says, is not a metric, so it is a little harder to use, but if you do use it, you get a much stronger security proof out of it. One of the killer arguments for the KL divergence is that in many settings you can get away with computing with, for example, 50-bit floating point numbers and still get more than 100 bits of security. If you think about current computer architectures, that is a very strong argument, because it gives you an order of magnitude speedup compared to arbitrary-precision arithmetic, which is what you would need for 100 bits of security if you analyzed your distribution using the statistical distance.

We wanted a nice tool to analyze our algorithm and we also wanted strong security, so we were hoping to get the best of both worlds, and we ended up defining our own metric, because we didn't find one that suited our needs. It has a pretty simple definition: it is the infinity norm of the difference of the logs of the two distributions. As it turns out, this is a metric; you can see that because it is essentially just an infinity norm of the difference of the log-probability vectors. And you also get a strong security bound, which we show in the paper: showing that it is a metric is actually not that hard, showing that it has strong security properties is a little more involved. We then use this max-log distance to show that our algorithm achieves a good approximation even when implemented with floating point numbers.
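Concretely, for two distributions given by their probability mass functions, the max-log distance can be computed as follows (a minimal sketch, my own illustration; it assumes both distributions have the same support, since the distance is infinite otherwise):

```python
import math

def max_log_distance(p, q):
    """ML(P, Q) = max over x of |ln P(x) - ln Q(x)|."""
    assert set(p) == set(q), "max-log distance is infinite if the supports differ"
    return max(abs(math.log(p[x]) - math.log(q[x])) for x in p)

# If every probability is off by a relative error of about 2^-50, the max-log
# distance also comes out at about 2^-50.
p = {-1: 0.25, 0: 0.5, 1: 0.25}
q = {-1: 0.25 * (1 - 2**-50), 0: 0.5 * (1 + 2**-50), 1: 0.25 * (1 - 2**-50)}
print(max_log_distance(p, q))    # ~ 8.9e-16, i.e. roughly 2^-50
```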
And you get strong bounds on the max-log distance because, in the regime where it is very small, it is essentially equivalent to the relative error, which is exactly what floating point numbers give you. So if you compute with 50-bit floating point numbers, you get a relative error of 2 to the minus 50, and your max-log distance is then also going to be pretty much 2 to the minus 50.

OK, this is all I actually planned for, but I have a few more minutes, so allow me a couple of remarks. First, in a follow-up work, Thomas Prest showed, by relating this max-log distance to other divergences, like the Rényi divergence, that our algorithm actually has much stronger security properties, at least if you restrict the bit-security definition a little bit. And if you are interested in our algorithm in a more practical sense, we do have a reference implementation on my website; Google my name and UCSD and you'll find it. OK, now I'm happy to take any questions. Thank you.