Hello everyone, my name is Maxime Plançon, and in this video I will be presenting the paper entitled "Exact Lattice Sampling from Non-Gaussian Distributions", which is joint work with Thomas Prest. Okay, let's begin.

So, we are interested in the following problem. We are given a description of a lattice, which you can think of as a basis, and we want to sample from a distribution D whose support is a subset of the lattice L, in a way that is independent of the particular basis. For an algorithm to be a good solution to this problem, we also require, first, that it is possible to sample from a narrow distribution with respect to the input description of the lattice, and second, that it is possible to shift the distribution by any chosen target vector in the ambient space.

Okay, so there are already lattice samplers, the two main ones being the GPV sampler, also known as Klein's sampler, and Peikert's sampler. Both of these algorithms sample from the discrete Gaussian distribution, the expected norm of the output being about root n times some value that represents the length of the basis you use. I won't go into detail about what "length of the basis" means, but it is written on the slides if you are interested.

The discrete Gaussian distribution I just mentioned is defined as the discretization of the usual Gaussian distribution, where the discretization process is as follows: given a distribution D of density f over R^n, the discretization of D over L is the distribution whose density is the restriction of f to the lattice, normalized.

Okay, so now, why this problem? Well, sampling distributions over lattices is a useful tool for many constructions in lattice-based cryptography, and you have here a short list of applications of such algorithms. Now, it is not always mandatory for the sampled distribution to be Gaussian in these applications, and Gaussians come with a fair share of problems regarding implementation and so on. So we think it could be interesting to have various distributions and various techniques to sample over lattices, and this is the point of the framework we have constructed. Just as an example, Gaussians are suited to the Euclidean norm, but one may need to sample from a distribution suited to the L1 norm or the L-infinity norm, and that is where our framework can become really useful.

So the question is: can we sample efficiently from fairly narrow non-Gaussian distributions on lattices? And the answer is pretty much yes, depending on your definitions of "efficient" and "fairly narrow". Basically, our framework offers a trade-off between running time and the width of the sampled distribution, and you can somewhat have both, meaning both efficiency and a distribution that is quite concentrated around the target, but I'll come back to that later.

Okay, so just a quick note on the round-off algorithm, since it will play an important role in the exposition of our techniques. The algorithm takes as input a basis B and a vector x, and computes a lattice point that is close to x: first you compute y, the coordinates of x in the basis B, then you round them coordinate-wise, and you return the lattice point that corresponds to these rounded coordinates in the basis B. Geometrically, this algorithm splits the space R^n into a tessellation, as shown in the picture, made of parallelepipeds spanned by the basis B.
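To make this concrete, here is a minimal Python sketch of the round-off algorithm, assuming numpy; the function name and the example basis are mine, for illustration only.

```python
import numpy as np

def round_off(B: np.ndarray, x: np.ndarray) -> np.ndarray:
    """Babai's round-off: return a point of the lattice spanned by the
    columns of B that is close to x."""
    y = np.linalg.solve(B, x)   # coordinates of x in the basis B
    return B @ np.round(y)      # round coordinate-wise, map back to the lattice

# Example with a skewed 2-dimensional basis.
B = np.array([[2.0, 1.0],
              [0.0, 1.0]])
print(round_off(B, np.array([3.7, 0.2])))
```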
And if you want to compute the round-off of some vector x, then you return the unique lattice point that lies within the same parallelepiped as x. So, as you can see, the preimage of any lattice point is the parallelepiped surrounding it, which will be important in the following.

Okay, so now, this is where I move on to describing the idea behind our framework. I will use the simplest instantiation we have, which uses the round-off algorithm to sample the uniform distribution over a hypercube. First, I'll start with a quote from GPV, where the authors describe a strategy that has been used to sample discrete Gaussians. The strategy goes as follows: if you want to sample from the discrete Gaussian, you first sample from the usual continuous Gaussian, and then you round these samples to the lattice using the round-off algorithm, and you get some distribution defined on the lattice. They explain that if one wants the output distribution to be close to the discrete Gaussian, then one has to take a somewhat large standard deviation. This is because the procedure samples from the so-called rounded Gaussian, which is different from the discrete Gaussian we are actually aiming for; increasing the standard deviation decreases the error, but the error never vanishes, so for Gaussian distributions this approach is never exact.

So now let's see what happens if we use this exact method to sample from the uniform distribution on the lattice restricted to a hypercube. What we want to do is to use this method to sample the uniform distribution over the big black dots here, in this example in dimension 2. Okay, so let's try the naive adaptation of the method. First we sample from the continuous uniform distribution over the hypercube, here of radius r. Then we round the samples, and we get a picture like this, where the support of the distribution we obtain is the big black dots. As you can see, there are black dots outside of the hypercube, and this is because a point gets a non-zero probability whenever the parallelepiped surrounding it intersects the hypercube.

So we see two problems arising. The first one, which I'll call the green dot problem, is that the green dot here on the picture on the right is outside the support of the distribution we want to sample, but it has a non-zero probability, because its parallelepiped intersects the hypercube; it gets a non-zero probability when it should have none. The second problem is what I will call the blue dot problem: the blue dot does not get the same probability as the black dots inside the hypercube. The probability of the blue dot is the probability that some point is sampled within the parallelepiped centered on it, but the intersection of this parallelepiped with the red hypercube is not the full parallelepiped; the parallelepiped is not a subset of the hypercube, so its probability is lower than the probability of the black dots, whose parallelepipeds are entirely contained in the hypercube. So the result is not uniform, and it is not the distribution we are aiming for; a small numerical illustration of this naive method follows.
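Here is a rough sketch of the naive method in the same toy setup; the helper and the basis are illustrative, not from the paper. It rounds uniform samples from a cube and counts how many outputs land outside it, which is exactly the green dot problem.

```python
import numpy as np

def round_off(B, x):
    return B @ np.round(np.linalg.solve(B, x))

rng = np.random.default_rng(0)
B = np.array([[2.0, 1.0],
              [0.0, 1.0]])
r = 5.0  # "radius" (half side-length) of the hypercube, centered at 0

# Naive method: sample uniformly in the cube [-r, r]^2, then round.
samples = rng.uniform(-r, r, size=(10_000, 2))
rounded = np.array([round_off(B, x) for x in samples])

# Green dot problem: a fraction of the outputs fall outside the cube.
outside = np.max(np.abs(rounded), axis=1) > r
print(f"fraction of outputs outside the cube: {outside.mean():.3f}")
```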
Okay, so we bring two modifications to tackle these two side effects, and it is pretty much one-to-one, since the two fixes do not interfere much.

So, the first thing we do: while we are aiming for the uniform distribution on the red hypercube, we sample in the blue hypercube on the picture on the left, which is a little bit wider, so that the blue dot from the last picture has its parallelepiped completely inside the continuous support. Okay, now we round the samples, just like before, and we see that there are a lot of green dot problems around, because there are a lot of big black dots outside of the red hypercube. So what we do is we just discard them. This is the last step, the rejection sampling: since those points should have zero probability, we just discard them, and that's it. Now, as you can see, the support of the distribution is the lattice intersected with the red hypercube, and for all of these points, their probability is the probability that the continuous sample fell in the parallelepiped around that lattice point; they therefore all have the same probability, the distribution is uniform, and it is the distribution we wanted.

Okay, so now about the framework based on this example. The contribution of this framework is to generalize the previous process along two components, the first one being the rounding operation, where we used the round-off algorithm, and the second one being the target distribution.

Okay, so first, the rounding operation: how do we generalize it? We introduce the following definition of a regular algorithm. We say that an algorithm A is L-regular when A(x + y) = A(x) + y for any input x and any lattice point y. You may recognize that the round-off algorithm is a regular algorithm, and there are other examples, such as the nearest plane algorithm and any exact CVP solver. So why this definition? It is because we have the following interesting property for L-regular algorithms: if you define T to be the preimage of zero under the algorithm, and you take all the translations of T by lattice points, then you get a periodic tessellation of the space. I'll just take an example. If you take the round-off algorithm, T is going to be the centered parallelepiped spanned by the basis, and its translations give the first picture here; this covers the whole space, and there is no overlap between the parallelepipeds, therefore it is a tessellation. Now, the second picture is the tessellation induced by the nearest plane algorithm, and the third picture is the tessellation induced by an exact CVP solver, known as the Voronoi tessellation.

Okay, so this is what we wanted from the rounding process for the first component, and now we move on to the second component, which is the target distribution. We deal with the density of the target distribution by introducing squaremonic functions. We are given a tile T and a function f from (a subset of) R^n to R, and we say that f is T-squaremonic if, for all x for which the equation makes sense, the mean value of f over the translated tile T + x equals f(x). In particular, if you take x = 0, the mean value of f over T is f(0), and this should be true for any translation of T.
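As a quick sanity check of this definition, here is an illustrative Monte-Carlo experiment, assuming the round-off tile is the centered parallelepiped spanned by B; it checks the mean value property for an affine function, one of the examples coming next.

```python
import numpy as np

rng = np.random.default_rng(1)
B = np.array([[2.0, 1.0],
              [0.0, 1.0]])

# Affine function f(x) = <a, x> + b, squaremonic for any symmetric tile.
a, b = np.array([0.3, -1.2]), 0.7
f = lambda x: a @ x + b

# Tile of the round-off algorithm: T = B * [-1/2, 1/2)^n, symmetric about 0.
u = B @ (rng.random((2, 1_000_000)) - 0.5)  # uniform samples inside T

x = np.array([4.0, -2.5])
mean_over_tile = f(x[:, None] + u).mean()   # Monte-Carlo mean of f over T + x
print(mean_over_tile, f(x))                 # the two values should agree
```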
So, this may remind you of the definition of harmonic functions, which are required to verify the mean value property over L2 balls, for any center and any radius. Okay, I'll just move on to an illustration of what squaremonicity means geometrically. You have here two pictures of graphs of squaremonic functions, and as you can see, the blue dot is lying on the graph of the function. The x and y coordinates of the blue dot are those of the center of the tile, where the tile is the red square, and the mean value of the function over the red square is the z coordinate of the blue dot. Wherever you move the red square around, the mean value of the function over that tile is always going to be the z coordinate of the corresponding blue dot on the graph.

Okay, so now I move on to some examples of squaremonic functions. First, we have this very useful property, which follows from the linearity of the integral: the set of squaremonic functions for a given tile T is a vector space, and this will be useful. So, examples. The first example is quite trivial: constant functions, since the mean value of a constant is that constant, and the value at any specific point is also that constant. So yes, this is quite a trivial example, but it means that uniform distributions are squaremonic, and this is the example I gave in the beginning. Now I move on to the next example: linear forms are T-squaremonic for any symmetric tile, which geometrically makes sense, since the graph of a linear form is a hyperplane, and if you take its mean value over a symmetric tile, it is going to be the value at the center of the tile. And since squaremonic functions form a vector space, you can add a linear form and a constant function, and you get the density of what we call affine distributions. The next two examples are not really geometrically meaningful, so I'll just summarize: we have four families of squaremonic densities, the constant functions, which give uniform distributions, the affine distributions, the affine product distributions, and the exponential distributions.

Okay, so now I move on to describing the framework properly speaking. We have a lattice L, an L-regular algorithm A with tile T, a description of L, and a distribution D of density f defined on a support Ω′, with Ω a subset of Ω′; finally, we have a target vector c in the ambient space. The sampling goes as follows: first you sample from the continuous distribution D, which gives you a sample y; then you round y + c using the algorithm A, which gives you some point x on the lattice; and then there is the rejection sampling step, where you reject x if x - c is not in Ω. (A sketch of this loop follows below.)

And we have the following result: if the four conditions listed here are verified, then x follows the distribution D, translated by c and discretized on the lattice L, and this is exactly what we were aiming for. So now, about the conditions. The first condition basically says that you can sample from D, and this is an obvious requirement for the first step of the sampling. The second condition is that A is L-regular and induces a tessellation of tile T, and the third condition asks that f is T-squaremonic for the tile of A. Together, the second and the third conditions ensure that, waving hands a little, the rounding of D is the same as the discretization of D, where the rounding is taken with respect to A.
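Here is a hedged sketch of this generic sampling loop, instantiated with the hypercube example from earlier; all the names and the widening computation are my own illustration, not the paper's pseudocode.

```python
import numpy as np

def round_off(B, x):
    return B @ np.round(np.linalg.solve(B, x))

def exact_sampler(sample_D, A, in_Omega, c, max_tries=10_000):
    """Generic framework: sample y ~ D, round y + c with the L-regular
    algorithm A, and accept x only if x - c lies in Omega."""
    for _ in range(max_tries):
        y = sample_D()
        x = A(y + c)
        if in_Omega(x - c):
            return x
    raise RuntimeError("rejection sampling did not terminate")

# Instantiation: uniform distribution on the lattice, shifted by c,
# restricted to the cube [-r, r]^2.
rng = np.random.default_rng(2)
B = np.array([[2.0, 1.0],
              [0.0, 1.0]])
r = 5.0
t = np.abs(B).sum(axis=1) / 2       # per-coordinate extent of the tile T,
                                    # so that Omega + T fits inside Omega'
sample_D = lambda: rng.uniform(-(r + t), r + t)    # wider continuous support
in_Omega = lambda v: bool(np.all(np.abs(v) <= r))  # reject outside the cube
print(exact_sampler(sample_D, lambda v: round_off(B, v), in_Omega,
                    c=np.array([0.3, 0.7])))
```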
Coming back to the conditions: this mean value step is exactly where the discrete Gaussian went wrong earlier, since the Gaussian density does not verify these conditions, it is not squaremonic, and that is why the rounded Gaussian sampling was not exact. Now, the fourth condition is that we ask for Ω + T to be a subset of Ω′, and this is the condition that prevents the blue dot problem from happening, since for all the points within Ω, that is, the points we want to sample in the discrete distribution, their tile, the parallelepiped in the example, is entirely within the continuous support.

So, just a quick note about the rejection rate. There is a lot of information here, but the main takeaway is that you have a drawing on the left of the so-called acceptance volume, and the acceptance rate is the probability that the continuous sample falls in this volume. In the example I gave in the beginning, this gives something like r^n divided by (r + ‖T‖∞)^n, and this is going to be a constant for r proportional to n times ‖T‖∞, where ‖T‖∞ means the maximum infinity norm of a vector in T. (I will come back to this with a quick numerical check just before the conclusion.)

Okay, so the next slide is a table that summarizes the expected L2 norm of the output for our instantiations: in rows you have the regular algorithms, in columns you have the distributions. There are a few things to notice here. First, if you take the round-off algorithm, there is always going to be a factor s1(B), which plays the role of the length-of-the-basis factor for this algorithm; for the nearest plane algorithm it is s1(B̃), where B̃ is the Gram-Schmidt orthogonalization of B; and for the exact CVP solver it is the covering radius. Now, in columns, pretty much as you can see, all but one of the distributions have a factor n² in front of the size-of-the-basis factor, and yes, this is much bigger than the GPV/Klein sampler and Peikert's sampler, which had a factor root n. But this can somewhat be explained by the fact that we are measuring the L2 norm of distributions that are suited to different norms. For example, if you take the L-infinity norm of the output of the L-infinity-uniform sampler, you get something like n^1.5 times s1(B) or s1(B̃); this is still a factor n bigger, but only a factor n bigger, and you would get something similar for all the instantiations here if you used the appropriate norm to measure the output.

Okay, so there are a few open questions about how this work lives on. First, about squaremonicity: the question is, given T, what are the solutions f of the squaremonic equation? We know that for harmonic functions, which verify a stronger mean value property, there are infinitely many solutions, and we wonder whether there are likewise infinitely many squaremonic functions, hence infinitely many more distributions to be sampled using this technique. If we find more squaremonic functions, we find more instantiations, and maybe there will be some improvement in the quality of the output. The other open question is about the size of the output. As I said, it is the main drawback of the sampler, so the question is: can we improve the size of the output? You could actually think of many ways to improve it. For example, when you build Ω′, which is just a thickened Ω, maybe you can make it not as wide as we do; in that case you would lose the exact sampling property, but you would improve the size of the output, and there may be trade-offs like that to be found.
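Before concluding, here is the promised quick numerical check of the rejection-rate claim (my own arithmetic, not a slide from the talk): with r = n times ‖T‖∞, the acceptance rate r^n / (r + ‖T‖∞)^n tends to the constant 1/e.

```python
# Acceptance rate r^n / (r + t)^n for the hypercube instantiation,
# with tile width t = ||T||_inf and cube radius r = n * t.
t = 1.0
for n in (2, 8, 32, 128, 512):
    r = n * t
    print(n, (r / (r + t)) ** n)  # converges to 1/e ~ 0.3679
```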
Okay, so now, finally, to conclude: why is this framework better than Peikert's sampler? It is not better, but it is different in a number of ways. For example, Peikert's and Klein's samplers sample from a distribution that is close to the discrete Gaussian, whereas we sample exactly from non-Gaussian distributions instead. Also, whereas the Gaussian distribution is suited to the L2 norm, we offer distributions that are suited to different norms. Just a quick mention: there is a way, rather involved, to sample exactly from the discrete Gaussian, which I didn't mention before. Okay, next, the size of the output is bigger for our sampler than for its discrete Gaussian counterparts. And finally, the Klein and Peikert samplers give a precision-width trade-off, so if you decrease the width, you decrease the precision of the sampling; we offer a runtime-width trade-off instead, so you could sample from a very narrow distribution, but it would take exponential time to sample. Okay, and that's about it. Thanks for watching, and bye!