This is the presentation of our paper on a simpler lattice gadget toolkit. This is joint work with Yang Yu. I am Shiduo Zhang. Let's start with some background. Lattice-based cryptography is a promising post-quantum alternative. Based on lattices, we can build not only practical, efficient encryption and signatures, but also very powerful advanced cryptographic primitives, ranging from FHE to ABE and more. Basic lattice encryption and signatures are getting close to being practice-ready, but advanced lattice schemes still need implementations and evaluations. Many advanced lattice cryptosystems rely on strong lattice trapdoors. Ajtai's function is defined by a matrix A, short and fat with uniform entries modulo q, and the domain X is a set of integer vectors with small entries. In STOC 1996, Ajtai proved that if the underlying SIS problem is hard, the function f_A is hard to invert. But with a trapdoor, the function is easy to invert. Early results used a short lattice basis T as the trapdoor. However, the deterministic inversion process leaked information about the trapdoor, leading to learning attacks. Then, in the GPV framework, the inversion of f_A is not a deterministic process but randomized Gaussian sampling, and the sampled preimage is independent of T, so there is no trapdoor leakage. Later, the Micciancio–Peikert framework proposed a new structure in which T is no longer a lattice basis. With the help of T, the problem of inverting a random function f_A is transformed into the problem of inverting the same type of function f_G, but for a specific, carefully designed gadget matrix G, which admits much simpler and faster inversion algorithms. Currently, this is the state-of-the-art lattice trapdoor framework. The gadget matrix G is a block diagonal matrix whose diagonal blocks are the gadget vector g = (1, b, b^2, ..., b^(k-1)). The corresponding gadget lattice has a good basis S. For a power-of-b modulus, this basis is a lower bi-diagonal matrix.
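To make the gadget structure concrete, here is a small Python sketch (my own illustration, not code from the paper) that builds the gadget vector g = (1, b, ..., b^(k-1)) and the lower bi-diagonal basis of the gadget lattice for a power-of-b modulus, and checks that every basis column is in the gadget lattice, i.e. orthogonal to g modulo q:

```python
# Illustrative sketch: gadget vector g and the short basis S of the
# gadget lattice { x : <x, g> = 0 mod q } for q = b^k (toy parameters).
b, k = 4, 3
q = b ** k
g = [b ** i for i in range(k)]          # g = (1, b, b^2, ..., b^{k-1})

# Lower bi-diagonal basis: b on the diagonal, -1 on the subdiagonal,
# so column i is b*e_i - e_{i+1} (last column is just b*e_{k-1}).
S = [[0] * k for _ in range(k)]
for i in range(k):
    S[i][i] = b
    if i + 1 < k:
        S[i + 1][i] = -1

for col in range(k):
    inner = sum(S[row][col] * g[row] for row in range(k))
    assert inner % q == 0               # every column lies in the gadget lattice
```

For the interior columns the inner product is exactly b*b^i - b^(i+1) = 0, and for the last column it is b^k = q, which is 0 modulo q.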
And for an arbitrary modulus, the basis has additional nonzero entries in its last column compared with the power-of-b case. Thanks to the good structure of the short basis of the gadget lattice, inverting f_G is simple and fast. Gadgets are widely used in lattice schemes, and there are four associated algorithms. The simplest one is digit decomposition, which is typically used in the BV and BFV FHE schemes. The second algorithm is LWE inversion, typically used in LWE encryption. The first two are deterministic algorithms. There are also two randomized algorithms. The first is Gaussian sampling: it samples a preimage of f_G from a discrete Gaussian, and it is typically used in the Micciancio–Peikert trapdoor framework. The second, subgaussian sampling, samples a preimage of f_G from a relaxed version of a Gaussian, a subgaussian, which is easier to sample; it is typically used in the GSW FHE scheme and in lattice-based ABE. Our main research is on these two randomized gadget algorithms. Before I talk about our contributions, I will go over the previous gadget algorithms. The first gadget lattice algorithms were given in MP12. There, they gave a discrete Gaussian sampler with linear time and space only for a power-of-b modulus; for an arbitrary modulus, the algorithm needs quadratic complexity. Then, Genise and Micciancio came up with a way to sample in linear time for an arbitrary modulus, but it needs floating-point arithmetic and is more complicated than the specialized algorithm for a power-of-b modulus in MP12. As for gadget subgaussian sampling, the work of Genise, Micciancio and Polyakov gave a subgaussian sampler with linear time for an arbitrary modulus. For a power-of-b modulus, it costs k*log(b) random bits, but for an arbitrary modulus, it costs k^2*log(b) random bits, and the algorithm for an arbitrary modulus is more complicated than the one for a power-of-b modulus. So, there existed some gaps between the gadget algorithms.
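As an illustration of the simplest of the four algorithms, here is a short Python sketch (my own, not from the paper) of deterministic digit decomposition: it writes u in base b so that the digit vector x satisfies <x, g> = u.

```python
def digit_decompose(u, b, k):
    """Deterministic base-b digit decomposition: returns x with <x, g> = u,
    where g = (1, b, ..., b^{k-1}) and 0 <= u < b^k."""
    x = []
    for _ in range(k):
        x.append(u % b)   # least significant digit first
        u //= b
    return x

x = digit_decompose(123, b=4, k=4)
assert sum(d * 4 ** i for i, d in enumerate(x)) == 123   # <x, g> = u
assert all(0 <= d < 4 for d in x)                        # digits are small
```

The randomized algorithms discussed next produce preimages with the same relation <x, g> = u mod q, but with a randomized, zero-centered distribution on the digits.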
Closing these gaps is not only of theoretical interest but also crucial for practical applications. In fact, for better performance, many lattice-based systems use ring structures. For faster computation in the ring setting, they often choose a prime modulus supporting NTT. In addition, in many advanced lattice-based cryptosystems the size of the modulus q is usually quite large, such as larger than 100 bits, and for compatibility with such sizes we usually apply a CRT (RNS) representation of the modulus. In these cases, q cannot be a power of b, so we need algorithms for arbitrary moduli. Towards better compatibility of the gadget toolkit, we present two randomized gadget algorithms for an arbitrary modulus. We present a gadget Gaussian sampler that avoids the floating-point arithmetic in existing algorithms. Compared with the previous algorithms, our sampler achieves the same quality and asymptotic complexity, but is simpler and highly parallelizable. We also propose a new gadget subgaussian sampler. It is simpler, faster, and needs asymptotically less randomness. In addition, our sampler conveniently achieves close or even better quality in practice. First, we will show our new gadget Gaussian sampler. The discrete Gaussian is an important probability distribution in lattice cryptography. It usually has three elements: the lattice L, the center c, and the positive definite covariance matrix Sigma. For a discrete Gaussian, the probability of each lattice point is proportional to the value of the Gaussian function. In particular, when Sigma is a scalar matrix, we call the discrete Gaussian spherical, and the parameter s is the width of the Gaussian. Moreover, a smaller s means a higher quality of the Gaussian sampler. With a good lattice basis S, we can efficiently sample from the discrete Gaussian. There are two widely used samplers: the Klein/GPV sampler and Peikert's sampler. Peikert's sampler is more efficient and widely used in the MP trapdoor. It consists of two steps.
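For intuition about the basic building block, here is a textbook rejection-sampling sketch of the discrete Gaussian over the integers, where the probability of x is proportional to exp(-pi*(x-c)^2/s^2). This is my own illustration for exposition; real implementations use more careful, often constant-time methods.

```python
import math
import random

def sample_z(c, s, tau=10):
    """Sample from the discrete Gaussian over Z with center c and width s:
    Pr[x] proportional to exp(-pi*(x-c)^2 / s^2).
    Simple rejection sampling over a tau*s tail-cut interval around c."""
    lo = int(math.floor(c - tau * s))
    hi = int(math.ceil(c + tau * s))
    while True:
        x = random.randint(lo, hi)
        # accept with probability equal to the (normalized) Gaussian weight
        if random.random() < math.exp(-math.pi * (x - c) ** 2 / s ** 2):
            return x

xs = [sample_z(0.5, 4.0) for _ in range(100)]
assert all(isinstance(x, int) for x in xs)       # integer outputs
assert all(abs(x - 0.5) <= 40 for x in xs)       # within the tail cut
```

A smaller width s concentrates the output closer to the center, which is what "higher quality" means for the samplers discussed here.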
The offline phase samples a perturbation vector of covariance Sigma_p; the online phase is an easy sampling over the integers. Our main idea is to use Peikert's approach to improve simplicity and efficiency. We also use an integral matrix factorization to avoid floating-point arithmetic. We use the same factorization shown in Genise and Micciancio's work, so our algorithm follows the same steps as theirs, but we implement step one, the perturbation sampling, differently. In the GM algorithm, the floating-point arithmetic comes from the perturbation sampling: they use a Cholesky decomposition and sometimes continuous Gaussian sampling in the implementation. To avoid floating-point arithmetic, we employ an integral matrix decomposition of the covariance, Sigma_p = A*D*A^t, where the middle matrix D is diagonal. With such an integral decomposition, the perturbation sampling can be done by applying the linear transformation A to a discrete Gaussian, which is simple, fast, and highly parallelizable. The idea is inspired by the work of Ducas, Galbraith, Prest, and Yu. The technical difference is that our middle matrix D is diagonal rather than the identity matrix, which allows us to reduce the size of A: it has only k+2 columns, much smaller than the size of the integral Gram root given in DGPY20. This compact matrix greatly improves the sampling efficiency. As for the comparison with Genise–Micciancio: our sampler achieves the same quality as theirs, but where GM heavily uses floats, ours only uses integers, which gives better compatibility with constrained devices. In addition, we have a storage advantage. As for efficiency, both the GM sampler and ours run in linear time. We implemented our new sampler and compared it with the implementation of the GM sampler in the PALISADE library. The figure shows that our algorithm is basically as fast as the GM sampler implemented in PALISADE. Next, we introduce our gadget subgaussian sampler.
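The float-free perturbation idea can be sketched as follows. This is my own toy illustration of the linear-transformation principle, with made-up A and D rather than the paper's actual decomposition: sample an integer Gaussian vector z whose per-coordinate squared widths are the diagonal of D, then output p = A*z, whose covariance is proportional to A*D*A^t, using only integer arithmetic in the transform.

```python
import math
import random

def sample_z(s):
    """Discrete Gaussian over Z, width s, center 0 (simple rejection sketch)."""
    bound = int(10 * s)
    while True:
        x = random.randint(-bound, bound)
        if random.random() < math.exp(-math.pi * x * x / (s * s)):
            return x

# Toy integral decomposition: target covariance Sigma_p = A diag(d) A^T.
# (Hypothetical small example; the real A has only k+2 columns.)
A = [[1, 1, 0],
     [0, 1, 1]]          # integral linear transform
d = [4.0, 9.0, 4.0]      # diagonal of D: per-coordinate squared widths

z = [sample_z(math.sqrt(di)) for di in d]       # independent integer Gaussians
p = [sum(A[i][j] * z[j] for j in range(3)) for i in range(2)]
assert all(isinstance(v, int) for v in p)       # all-integer perturbation
```

Because each coordinate of z is sampled independently, the expensive part parallelizes trivially, which is the "highly parallelizable" claim above.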
As one would expect, a random variable x over the reals is subgaussian with parameter alpha if its tail is bounded by the tail of a Gaussian of width alpha. The slide gives an example of a subgaussian. We also use subgaussian vectors; this is the definition. Subgaussian is a relaxed version of Gaussian. An important property of subgaussians is Pythagorean additivity. This is similar to Gaussian convolution, leading to slow error growth, while sampling a subgaussian is easier than sampling a Gaussian. Genise, Micciancio and Polyakov gave subgaussian analogues of the existing gadget Gaussian samplers of Micciancio–Peikert (MP12) and Genise–Micciancio (GM18). Specifically, for the case of a power-of-b modulus, GMP19 runs a randomized (subgaussian) variant of Babai's nearest plane algorithm on the basis S. This algorithm achieves subgaussian parameter (b-1)*sqrt(2*pi) with k*log(b) random bits. For an arbitrary modulus, it performs the randomized nearest plane algorithm on T and applies the linear transformation given by T to lift the solution to the gadget lattice; here S = T*D as in GM18. In the end, this algorithm requires k^2*log(b) random bits and achieves subgaussian parameter at most (b+1)*sqrt(2*pi). Our gadget subgaussian sampler is very different from GMP19. Our idea is to convert the sampling for an arbitrary modulus into the easy and fast sampling for a power-of-b modulus. There is a simple fact: for a short x, if the inner product of x and g equals u modulo b^k, then the inner product of x and g lies in the set {u, u - b^k}. So if our sampler's output x satisfies <x, g> = u modulo q, we likewise limit <x, g> to the set {u, u - q}. Notably, the choice between u and u - q basically determines the most significant digit x_(k-1). So, our sampler proceeds in three steps. First, we choose u' according to certain probabilities. Then, we sample a subgaussian x' with a sampler for modulus b^(k-1), given u'.
Finally, we determine the last coefficient x_(k-1) from u and x'. Let me give some details about our sampler. The slide shows the probabilities of selecting the branches in the first step. Our algorithm requires close to k*log(b) random bits in total: log(q) random bits for determining the branch in step 1, and (k-1)*log(b) random bits for sampling x'. The slide also shows the subgaussian parameter achieved by our new sampler, which can be proved via the Hölder inequality. Next is a comparison between our sampler and GMP19. The GMP algorithm uses k^2*log(b) random bits, which was claimed to be almost optimal in their paper. In fact, our algorithm only needs about k*log(b) random bits. Notably, our algorithm for an arbitrary modulus needs asymptotically the same amount of randomness as the one for a power-of-b modulus; we therefore believe that it is essentially optimal in its randomness requirement. Also, our sampler is simple and does not need a complicated matrix, so we need no extra storage, and it is easier to implement and optimize further. Our algorithm achieves close or even better quality for practical parameters. In the worst case, our parameter is at most about sqrt(2) times the GMP parameter. But when the base is 2, which is commonly used, our parameter is smaller than GMP's. And for large b, there exist many NTT moduli q such that our parameter is similar to GMP's. More importantly, our sampler is practically fast. It can be seen in the figure that our subgaussian sampler is considerably faster than the GMP implementation in the PALISADE library. Precisely, our algorithm is about 1.3 to 3.2 times faster than the PALISADE implementation of the GMP algorithm. All in all, we propose two new gadget algorithms that have advantages from both implementation and theoretical standpoints.
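The three steps above can be sketched in Python as follows. This is my own illustration, not the paper's code: the power-of-b subroutine is the standard randomized digit decomposition, and the branch probability u/q is a natural zero-mean choice for the lift, not necessarily the exact probabilities from the paper.

```python
import random

def subg_pow(u, k, b):
    """Randomized (subgaussian-style) digit decomposition for modulus b^k:
    returns x with <x, g> in {u, u - b^k} and digits in (-b, b)."""
    x, t = [], u
    for _ in range(k):
        d = t % b
        if d and random.random() < d / b:
            d -= b                      # negative digit with prob d/b (zero mean)
        x.append(d)
        t = (t - d) // b                # carry for the next position
    return x

def subg(u, q, b, k):
    """Sampler for arbitrary q with b^(k-1) <= q <= b^k, reduced to the
    power-of-b sampler, following the three-step outline above."""
    v = u - q if random.random() < u / q else u     # step 1: pick lift in {u, u-q}
    B = b ** (k - 1)
    xp = subg_pow(v % B, k - 1, b)                  # step 2: sample x' mod b^(k-1)
    inner = sum(c * b ** i for i, c in enumerate(xp))
    xk = (v - inner) // B                           # step 3: top digit from v, x'
    return xp + [xk]

b, k, q = 3, 4, 70                                  # 27 <= 70 <= 81
for u in range(q):
    x = subg(u, q, b, k)
    assert sum(c * b ** i for i, c in enumerate(x)) % q == u   # <x, g> = u mod q
    assert all(abs(c) <= b for c in x)                         # entries stay small
```

The randomness accounting matches the talk: one branch choice for the lift plus a power-of-b sampling of k-1 digits, so roughly log(q) + (k-1)*log(b), about k*log(b) bits in total.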
Our gadget Gaussian sampler gets rid of the reliance on high-precision arithmetic while keeping good efficiency and quality. And our gadget subgaussian sampler is simpler, faster, and needs asymptotically less randomness compared with the previous results. Thank you for listening to my presentation.