All right. Thank you. So again, this is our paper, Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More. This is joint work with Daniele Micciancio and Yuriy Polyakov, and this was funded by DARPA. So a quick overview of the talk. First, I'm going to go over some background. Then I'll talk about our efficient subgaussian sampling algorithms, or randomized bit decompositions. Then I'll talk about our efficient CRT gadgets and the associated sampling algorithms that come along with them. And finally, I'll talk about our implementation in PALISADE. So before we can define a gadget, we have to talk about some lattice-based functions. We design these gadgets so these functions are always easy to invert. So these should look familiar. The first function is the SIS function. It is parametrized by a matrix A that's short and fat with entries modulo q, and the domain is the set of integer vectors with small entries. Now, it's important to note here that the solutions to Ax = 0 mod q form a lattice. We call these lattices q-ary lattices because they contain all multiples of q. Also note that the modulus q is usually much larger than the entries of x. Now, whereas we were treating A as a parity-check matrix in SIS, the LWE function is given A and a noisy codeword, and you want to return the codeword. It's important to note that the lattice corresponding to the LWE function is the scaled dual of the SIS lattice. Okay. So, as I mentioned, a gadget is any matrix such that we can efficiently invert the SIS and LWE functions. We'll mostly be focused on the SIS function. Our notation here is going to be that x is sampled from G inverse of u, where u is a vector in Z_q^n. Now, it's important to note here that G inverse is not a matrix, it's a function, and oftentimes it's randomized, so we'll be sampling a distribution over the solution set.
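As a toy sketch of the SIS function just described (the function name and small dimensions are mine, purely for illustration): f_A(x) = Ax mod q, where the kernel vectors form a q-ary lattice containing every multiple of q.

```python
def sis(A, x, q):
    """f_A(x) = A x mod q for a short-and-fat matrix A over Z_q.

    The solutions of A x = 0 (mod q) form a q-ary lattice: they are
    closed under addition and contain q * e_j for every unit vector e_j.
    """
    n, m = len(A), len(A[0])
    assert m > n, "A should be short and fat"
    return [sum(A[i][j] * x[j] for j in range(m)) % q for i in range(n)]
```

For example, with a 2x4 matrix A over Z_11, the vector q·e_3 maps to zero, confirming that all multiples of q sit in the kernel lattice.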
And we call the SIS lattice associated to the gadget the G-lattice. So, a quick example of how these could be useful in the GSW FHE scheme: if, say, I have two ciphertexts where I don't have the secret key, I can easily come up with the ciphertext corresponding to the plaintext multiplication by taking the gadget inverse of one ciphertext and multiplying it with the other. Okay. So, gadget matrices originally appeared in lattice schemes through lattice trapdoors. This is where we want to generate a random matrix A and keep some secret short vectors in the SIS lattice. These secret short vectors allow us to efficiently invert the SIS and LWE functions. Gadgets also came about in the form of key switching in FHE, always as a bit decomposition. Now, today, it seems like nearly every lattice scheme with advanced homomorphic capabilities has some underlying gadget operation in it. This includes FHE, ABE, constraint-hiding constrained PRFs, and everything else that's built off of the GGH15 scheme. Okay. So, all of our gadgets are going to have the same structure: a block-diagonal matrix where the non-zero blocks are these power-of-B row vectors, g = (1, B, B^2, ...). If there are too many parameters here, you can always think of B as two; that corresponds exactly to a bit decomposition. What this does is reduce inverting on the large matrix G to n parallel instances of inverting on the small row vector g. So, now our notation is going to be that x is sampled from the small g inverse, and the input is an integer modulo q. Okay. So, it's important to keep in mind that whenever we use gadgets, we can design them for our efficiency needs. Lately, in CCS 2017 and Africacrypt 2018, we've seen these CRT-based gadgets, and what these correspond to is gadgets for moduli with small prime factors.
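Before going further, here is a minimal sketch of the deterministic small-g inverse just described: inverting g = (1, B, B^2, ..., B^(k-1)) is plain base-B decomposition, which for B = 2 is exactly bit decomposition (the function name is mine).

```python
def g_inverse(u, q, B):
    """Deterministic g^{-1}: base-B digits x with <g, x> = u (mod q).

    g = (1, B, B^2, ..., B^(k-1)) with k = ceil(log_B q), so every
    digit lies in {0, ..., B-1}; B = 2 gives bit decomposition.
    """
    k = 1
    while B ** k < q:
        k += 1
    u %= q
    x = []
    for _ in range(k):
        x.append(u % B)   # next base-B digit
        u //= B
    return x
```

Recomposing sum(x[i] * B**i) mod q recovers the input u, which is the inner product with the gadget row vector g.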
And here, the small prime factors are important because the width of the distribution we sample over the solution set would depend on those prime factors. I also want to point out that a similar method was used in the LOL library. Great. So, before I talk about our contribution, I'm going to go over the state of the art before our paper. The first rigorous study of these G-lattices, or gadget lattices, was done in MP12. There, they give a discrete Gaussian sampling algorithm with linear time and space, but only for a modulus which is a power of B, or a power of two for simplicity. Then last year, we came up with a way to extend this to an arbitrary modulus, such as a prime modulus, again only for these power-of-B gadgets. Then there is AP14. Well, I haven't defined what a subgaussian inversion is yet, but we can think of it as a randomized bit decomposition. AP14, again, uses the algorithms from MP12, so they only have an efficient algorithm when q is a power of B. There are also the aforementioned CRT gadgets, which need the modulus to have small prime factors. And then also in MP12, there is an LWE gadget decoding algorithm, which is only linear time and space when the modulus is, again, a power of B. Okay. So, as the name of our paper implies, we optimized nearly all of these algorithms. For subgaussian inversion, we can do this in linear time and space for any q. There's also a trade-off between how many random bits we need and the actual width of the distribution. For LWE decoding, we have a linear time and space decoding algorithm on these power-of-B gadgets, where the error tolerance is almost optimal: q over 2(B+1). And then we introduce a new class of CRT gadgets, generalizing the Africacrypt 2018 solution. For a modulus of this form, you can pick the prime factors however you want, and sampling G inverse now reduces to l parallel instances.
And it's important here that the width of the distribution is going to be independent of the q_i's. Okay. So, in order to make these randomized bit decompositions rigorous, we're going to use subgaussian analysis. As one would expect, a subgaussian distribution in R^m is any distribution whose tails are dominated by a Gaussian distribution with some parameter s. In mathematics, these are often used to study random matrices: if we sample a random matrix with independent subgaussian rows, columns, or entries, we get tight concentration bounds on the singular values of this matrix. So, unsurprisingly, this is how subgaussian analysis first came about in lattice cryptography, in AP09, when they were optimizing the GPV trapdoors. Shortly thereafter, in AP14, they realized the potential of a subgaussian bit decomposition while they were coming up with an optimization for the GSW FHE scheme. Again, they only had efficient algorithms when q was a power of B; for arbitrary moduli, they had to rely on generic algorithms. This is not ideal because, again, we get to design these gadgets for our efficiency needs, so you'd think there would be either another gadget or another algorithm to do this more efficiently. And why would this be useful in these FHE schemes? If you were to add, say, L independently sampled subgaussian distributions, the entries would grow with the square root of L, compared to linearly in L. We call this Pythagorean additivity; it's analogous to convolving L Gaussian distributions. As you would expect, a discrete Gaussian is a subgaussian distribution, but oftentimes in implementations, discrete Gaussian sampling is a bottleneck, and the last thing we want to do is add more bottlenecks into our implementations. There's also a slight increase in the width due to the smoothing parameter.
So, we want to sample the distribution more efficiently and without this blow-up. Our solution is going to be very similar to the solution we had last year for discrete Gaussian sampling on these power-of-B gadgets. Here, I'm going to have B >= 2, and B_q is the basis of the G-lattice. What we found last year is that this basis always has a sparse triangular factorization. These q_i's are just going to correspond to the base-B decomposition of q, and these d_i's are just going to be rational numbers between zero and one that are functions of q. So now, just like we did with discrete Gaussian sampling, to efficiently sample a distribution over the G-lattice, we can run a randomized nearest plane on the lattice generated by D and apply B as a linear transformation. It's important to note here that B is the G-lattice basis when q is a power of B, and in that case the matrix D just becomes the identity. We can do this efficiently because of the sparsity and the triangular structure in D. And because of the small numbers in B and the sparsity in B, the width doesn't increase too much. So, the first algorithms in our toolkit: for these power-of-B gadgets, we have an efficient linear time and space subgaussian sampling algorithm, or randomized bit decomposition. The subgaussian width is (B+1) times the square root of 2 pi. It's important to note here that when q is a power of B, this plus one gets changed to a minus one. Also, when q is a power of B, the randomness used is just log base 2 of q bits. For arbitrary q, we have a trade-off between the randomness needed to sample the distribution and how wide the distribution is. So, sometimes in the implementations, we'll use a large base, like the square root of q; then the random bits needed are just 2 log q.
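As an aside, the randomized rounding behind such a subgaussian decomposition can be sketched as follows. This is my own simplified sketch, not the paper's exact algorithm: I assume q = B^k, so the final carry wraps to zero mod q, whereas the paper's general-q algorithm uses the sparse factorization above.

```python
import random

def subgaussian_g_inverse(u, q, B, rng=random):
    """Randomized base-B decomposition with digits in (-B, B).

    Each digit rounds randomly up or down with probabilities chosen so
    its expectation is zero-centered; digits of independent samples
    cancel, giving sqrt(L) growth under addition (Pythagorean
    additivity).  Assumes q = B^k.  A sketch, not the paper's algorithm.
    """
    k = 1
    while B ** k < q:
        k += 1
    u %= q
    x = []
    for _ in range(k):
        r = u % B
        if r != 0 and rng.random() < r / B:
            d = r - B          # round up: carry one into the next digit
        else:
            d = r              # round down
        x.append(d)
        u = (u - d) // B       # exact division by construction
    return x
```

Recomposition still holds modulo q: a leftover carry of 1 after k steps contributes B^k = q, which vanishes mod q.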
Or, if you want a small distribution, you can have a small base, like two, and then you need about (log q) squared bits of randomness. Another important point is that our algorithms sample this distribution exactly, so there's no use of floating-point numbers. Okay, now onto the CRT gadgets. Oftentimes in lattice-based cryptography, we have to use a modulus that's much larger than the 64 bits native to modern hardware arithmetic. A way to get around that is to use a modulus of the form q = q_1 times ... times q_l. Then, when we do scalar operations, we can do them in parallel through the Chinese remainder theorem isomorphism on Z mod qZ. This is especially useful in the ring setting, and we're going to hear a lot about rings in the next talk. There, we often do something called a double CRT: you do a CRT over the coefficients in Z mod qZ, and then you pick each of these q_i's so they factor into prime ideals. And often in this setting, we want these q_i's to also be pretty large, but less than 64 bits. So, the exact problem statement that we're trying to solve is: given an input in CRT form, how can we, either with the existing gadgets or a gadget that we come up with, sample G inverse without going back to multi-precision numbers? Ideally, we want to keep these distributions subgaussian or discrete Gaussian, and we want to keep the width independent of the q_i's, because, again, we usually like them to be pretty large. So, what we're going to do, and this is also what was done in the Africacrypt 2018 paper, is take the inverse CRT transformation and make it part of the gadget. So, we generalize these gadgets. We actually came up with them first, and then realized that they were a generalization of the Africacrypt 2018 gadgets.
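A toy sketch of the CRT-gadget idea with two tiny coprime moduli (the real gadgets use large q_i's and subgaussian sampling per block; function names and the scalar block shape are mine). Block i of the gadget vector folds the inverse-CRT interpolation coefficient into a power-of-B row, so inverting G splits into independent base-B decompositions of each residue u mod q_i, with no multi-precision reconstruction of u. The modular inverse uses Python 3.8+'s three-argument pow.

```python
def crt_gadget(moduli, B):
    """CRT gadget row vector for q = prod(moduli): block i is
    (q/q_i) * ((q/q_i)^{-1} mod q_i) * (1, B, ..., B^(k_i - 1))."""
    q = 1
    for q_i in moduli:
        q *= q_i
    g = []
    for q_i in moduli:
        q_star = q // q_i
        t_i = pow(q_star, -1, q_i)      # CRT interpolation coefficient
        k_i = 1
        while B ** k_i < q_i:
            k_i += 1
        g += [(q_star * t_i * B ** j) % q for j in range(k_i)]
    return g, q

def crt_g_inverse(residues, moduli, B):
    """G^{-1} on a CRT-form input: decompose each residue u mod q_i
    independently in base B, so digit sizes depend only on B."""
    x = []
    for u_i, q_i in zip(residues, moduli):
        k_i = 1
        while B ** k_i < q_i:
            k_i += 1
        u = u_i % q_i
        for _ in range(k_i):
            x.append(u % B)
            u //= B
    return x
```

Taking the inner product of the digit vector with the gadget vector reconstructs u mod q, by the Chinese remainder theorem applied blockwise.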
Now, what allows us to do l parallel inversions is that the gadgets we give have a direct-sum structure, where each of these G_i's is just a power-of-B gadget that we get to pick. So you can have all of these be power-of-two gadgets, or bit decompositions, and then you can have a very narrow distribution if you'd like. Lastly, I'm going to talk about our implementation in PALISADE. In our paper, we implemented a key-policy ABE scheme and used our algorithms in this implementation. There are two reasons for doing a KP-ABE scheme. First, it is often used as a building block for more advanced lattice-based schemes. And also, the implementation uses every algorithm that we describe in the paper. When our attribute vector is 16 bits, we saw an almost 300x speedup for ciphertext evaluation. And lastly, I'd like to point out that all of these algorithms are implemented in PALISADE, so they're available for public use, and we ask that you download them, use them, and tell us how they're working. Thank you. Questions?

So, I was thinking of the gadget decomposition in the binary case. Both for randomizing and finding better solutions, there are those non-adjacent forms that have been used elsewhere in crypto. Is that compatible with what you're doing, to try to optimize things in terms of size, maybe?

What was that word?

Non-adjacent forms.

One more time?

Non-adjacent forms.

Could you describe what these are? I haven't seen them. Okay.

Any more questions?

So, you presented these gadgets for lattices. I'm not a specialist, but I see that you concentrate on two particular gadget operations. I was wondering: you can do many things with lattices, so why just these two? I imagine you have lattices and gadgets to help you develop applications and things like that.
So, why concentrate on this?

Yeah, I can answer that. The gadgets allow us to balance these homomorphic properties while keeping numbers small. And because we pick this q to be pretty large, it gives us a lot of room to operate while keeping these things small, and we also keep the algebra we want.

We need a microphone. Hold on.

Like you mentioned, you choose the parameter q and everything. Is that chosen by you in the gadget, or is it something outside which I can choose as a user?

Yeah. So, for functionality, in most schemes you can pick the q. Sometimes you might need some special form, because you might need some matrices to be invertible, so you might need q to be a prime. That's usually fixed: you have some set of q's you can pick from, and then you get to design the gadget as whatever you need. That's why the CRT gadgets came about; they were originally for an obfuscation implementation, not ours, but the ones we talked about in the state of the art, and an FHE implementation.

Any more questions? So, let's thank our speaker again.