That would be great. Thanks. Otherwise, you're good to go. Yeah. He'll figure. OK, everyone. Kristin will continue her lectures from earlier today. Great. Thank you so much. Thank you for coming back for the next installment. So in the first lecture, I introduced, oh, thank you. That's much better. In the first lecture, I introduced supersingular isogeny graphs and explained how they could be used to construct a cryptographic hash function. And so the goal in this lecture is to explain a little bit the background and the context of supersingular isogeny graphs as what we call expander graphs, and also to explain another application, which is the key exchange application, which is actually the one that's in the standardization process for the NIST PQC competition. So can everybody hear me at the back? Is it good? OK, excellent. Thanks. OK, so let's start by what do we mean by expander graphs. The title of our original 2005 paper introducing supersingular isogeny graphs into cryptography was Cryptographic Hash Functions from Expander Graphs. So it was not just SIG, supersingular isogeny graphs, but in general expander graphs that we were proposing. In particular, the other main graph that we focused on was the LPS, Lubotzky-Phillips-Sarnak graphs. So what is an expander graph? So as I said in the first lecture, the notation that I'm using is G equals V comma E, where V is the set of vertices and E is the set of edges for the graph. And we are concentrating on the case of k-regular graphs, where each vertex has k edges coming out of it. So an expander graph that has N vertices, which has expansion constant C, is a graph such that if you take any subset U of the vertices, such that the size of the subset is less than or equal to half of the vertices, then if you take the boundary of U, which means all vertices that are connected to U but which are not in U, then the boundary of U has to be at least size C times the size of U.
So that expansion constant, just kind of from an intuitive point of view, just gives you how much any set is growing when you add the boundary to it. And then you keep adding the boundary to it, and it grows and grows. So that's what we mean by an expander graph with expansion constant C. And so you can get some properties of the graph from actually doing some linear algebra on the adjacency matrix of the graph. And that is actually connected to the expansion constant. So I'm not going into a whole course on graph theory here, but just trying to tell you some of the relevant facts. So the adjacency matrix of a graph, let's call it A with entries Aij, is given by, so the ijth entry of the matrix is given by the number of edges from the ith vertex to the jth vertex. So if there are n vertices in the graph, this is an n by n matrix. And so I guess I use the notation A of L just if we're talking about the L-isogeny graph. That is, the edges are L-isogenies, isogenies of degree L, where in our context L is always coprime to the characteristic. So these are all separable isogenies. So the adjacency matrix of an undirected graph is symmetric because there's no difference between edges from i to j and edges from j to i. So since the matrix is actually symmetric, all of its eigenvalues are real. And so for a connected k-regular graph, we have several facts which are very useful, which is that the largest eigenvalue is actually k, where k is the degree of the regular graph. And all of the other eigenvalues are strictly smaller. So if you look at the notation I'm using here, where k is the largest eigenvalue, let's see, I don't have a pointer, but I think the cursor goes there. So this difference between k and the next largest eigenvalue, that difference is usually called the spectral gap. And so then you look at this formula, this next formula, which gives you a lower bound on this expansion constant.
So c is greater than or equal to this expression here, two times this spectral gap divided by this quantity here. What you can see is that this spectral gap is related to how good of an expander this graph is. So there's a whole area of study thinking about this spectral gap. And in particular, you want this spectral gap to be kind of as large as possible. And so we have what we call Ramanujan graphs, which refer to being optimal in a particular sense. So it's a little bit nuanced. It's not quite as clear cut as that. We don't necessarily have a lower bound on this spectral gap, but what we have is asymptotically the Alon-Boppana theorem, which says that if Xm is an infinite family of connected k-regular graphs with the number of vertices tending to infinity, then the lim inf of this mu one will be bounded below by two square root of k minus one. So what that means is not that it's always greater than two square root of k minus one, because that would give you an absolute lower bound then on mu one, which gives you an upper bound on the spectral gap. But at least in the limit, it says that this quantity mu one, the second largest eigenvalue, is going to be bounded below by two square root of k minus one. So in our case, k is equal to L plus one, where we're looking at the graph with L-isogenies. And so what you're looking at is a lower bound on the mu one, which is two times the square root of L. So now what I'd like to do, I definitely am not gonna give you the proof that these graphs are Ramanujan, which involves a lot of very sophisticated number theory and theorems. But just to give you the idea of why we know that these graphs are Ramanujan. So actually this Ramanujan property, since k minus one is equal to L in this case, what we're really just asking is that in order to be Ramanujan, mu one should be less than or equal to two times square root L.
So the way this comes about is that if you look at the vector space S2 of P, which is the vector space of weight two cusp forms of level P, it turns out that the action of the Hecke operator, T sub L, is actually given by the Brandt matrix, I'll just call it B of L, which is actually equal to the adjacency matrix of this graph. So what ends up happening, and behind the scenes what's happening, and we'll talk more about this tomorrow in my next lecture, is that there's an alternate description of this graph. The supersingular isogeny graph that we've proposed for use in cryptography has nodes which are elliptic curves, which are representatives of their isomorphism class, and isogenies, which are the edges between them. But we could describe that graph in a different way, which is in terms of the endomorphism rings of these supersingular elliptic curves. As I mentioned, the supersingular elliptic curves have endomorphism rings which are maximal orders in a rank four, maximal orders in a definite quaternion algebra. And so if we flip over and we think of our graph instead of being elliptic curves with isogenies, we actually think of it as being maximal orders in a quaternion algebra with connecting ideals between them that are of a certain norm, in this case norm L. Then we have a different description of our graph, and we actually have a different way to attack the underlying cryptographic problems. And so unfortunately, or fortunately, one or the other, it's very hard to actually make this correspondence. So we know that these two graphs are the same, but we don't know how to match them up. Because over on this side, we can say a lot about its properties and we can also actually get an attack on this side, which I will explain tomorrow. But so we are actually using the description of the graph over on this side to claim that it's Ramanujan. And these graphs, when we introduced them into cryptography, we called them Pizer graphs.
Because Pizer was the one that described them in, I'm sorry, I can't remember, it was the late 80s or early 90s, and proved the Ramanujan property when P is congruent to one mod 12. But another name for the graphs, they are often called Mestre graphs. Because Mestre recognized that these graphs, well, he may or may not have recognized that they were Ramanujan. But anyway, he was using them in the theory of modular forms. He introduced what was called the method of graphs for computing bases for spaces of modular forms. So you'll have some people calling them Mestre graphs. Some people calling them Pizer graphs. And then in cryptography, we're calling them supersingular isogeny graphs. So the Ramanujan property comes when you recognize this fact that the Brandt matrix is actually the same as the adjacency matrix for these graphs. And we have Deligne's proof of the Weil conjectures, that the eigenvalues of this matrix actually satisfy the Ramanujan condition. So you can see there's a lot of deep theorems from number theory going into that to establish that these graphs are Ramanujan. So that being said, honestly, we don't really use the Ramanujan property in cryptography. The fact that these are optimal expander graphs means that the output of this hash function is basically as close as we can get to being uniformly distributed. So that's the main outcome that I want to talk about a little bit next. Just a very side note is that when we first proposed these graphs for use in cryptography in 2005, we were not actually working on the elliptic curve graphs that we use now today. With Eyal Goren and Denis Charles, we were actually working on a higher dimensional analog of the graphs, which you can get from looking at what we called superspecial abelian varieties and superspecial orders in abelian varieties. So our construction, which is in a different paper from 2007, is actually constructing families of Ramanujan graphs from higher dimensional abelian varieties.
But there were so many problems with making this explicit if you wanted to use this for a hash function construction that we actually just kind of simplified things and went back down to dimension one and looked at elliptic curves for the cryptographic applications. But there's now starting to be more and more interest in the isogeny community in developing higher genus and higher dimensional analogs of these cryptographic constructions. So in particular, genus two. And the problems that we had with our graphs in higher dimension, even dimension two, were that we would be looking at abelian surfaces where we didn't really have good invariants that we could use to label them. So we didn't have, there are Igusa invariants, but Igusa invariants are pretty hard to compute. Number two, we didn't actually have in 2005 a really good way to compute isogenies between abelian varieties. Since then that problem has also been kind of solved. So there's the AVIsogenies package from Damien Robert and Lercier and their collaborators. So that problem has kind of been solved. But just in terms of efficiency for cryptographic purposes, the very abstract dimension two analog of these graphs is still very unwieldy to work with. And so what we've seen is some newer proposals, at least one that I know of, for example, from Florey and Smith, which proposes to use essentially the Rosenhain model for genus two curves as the nodes in the graph, and isogenies, but then you don't have as many of the nice properties automatically, at least as we have for our graphs, which is being connected expander graphs that are optimal in the sense of being Ramanujan. Okay, so that part about the higher dimensional analog was just a little bit of an aside here. So now back to using these objects for cryptographic purposes. So to avoid some kind of bias in the output of these hash functions, it would be nice if the output was kind of uniformly distributed.
And the expansion constant for expander graphs gives you a very explicit way to relate how well you approximate the uniform distribution to the expansion constant of the graph. So the better your expansion constant, the more closely you can approximate the uniform distribution in a short number of steps as you take a walk through the graph. So another thing I should have probably said earlier today is that this idea of using expander graphs for doing all kinds of things and proving theorems in complexity theory and number theory is not at all new. So computer scientists have been using walks in expander graphs as a way to approximate uniform or uniformly random outputs for a long time. And so the thing that we did that was different when we introduced these graphs into cryptography was, well, first of all, introducing specific graphs, the isogeny graphs. But second of all, we were really trying to get this cryptographic property that it's hard to find collisions or it's hard to find pre-images. And those are both tied to being able to find a walk, you know, a path in this graph. So, but if you think about it from like the complexity theory point of view, the computer scientist point of view, they have a very different point of view than what a lot of people working in isogeny-based crypto do right now. Which is just think about it from a common sense point of view. Let's say you have a three-regular graph, like I've told you is our main object of study here, a three-regular graph. And once you start your walk, you're not allowed to backtrack. So you cannot go backwards. So every time you get to a node, you only have two choices for your next step. So that means basically if you take n steps, you will visit, and you don't have any collisions, like you never hit a repeat. If you take n steps and you don't backtrack and you hit no collisions, then you will have visited two to the n vertices.
So what that means is that when you think about the diameter of these graphs, like diameter means it's kind of like the, whatever, the maximum over the minimum of, so given any two pairs of points in the graph, what is the minimum distance between them? And then now take the maximum over all pairs. So that's the diameter. Like if you give any two nodes in the graph, then there will be a path, there exists a path which is no bigger than the diameter. So given what I've just said, that if you take a walk of length n, you'll visit two to the n vertices, you can see that roughly speaking, you expect the diameter to be roughly the log of the number of vertices. And so having an optimal expander graph, having this Ramanujan property, gets you kind of as close as possible to this theoretical understanding. So in general, you'll have the diameter will be somewhere between log of the size of G and two log of the size of G. And I believe that it's still a conjecture for these graphs, I think this is due to Lubotzky-Phillips-Sarnak, that that expansion constant is between one and four thirds. And actually within our WIN4 group, we did a lot of computation. Yana in particular did a lot of computation on this. And it's still hard to see whether the expansion constant is tending towards four thirds or closer to one. So anyway, this is all kind of background about the properties of this graph. And the reason that I focus on this for a few minutes here and a couple of slides is that thinking of SIG, the supersingular isogeny graphs, abstractly in terms of expander graphs and kind of the more combinatorial point of view gives you different insight than if you just think of it in terms of elliptic curves. And that's kind of the point of view that I've always had because we started with the point of view of proposing expander graphs in general for cryptography. So now I'd like to move on to the other applications of supersingular isogeny graphs.
In particular, in 2011, Jao and De Feo proposed a key exchange from supersingular isogeny graphs, and encryption in a paper in 2014 with Jao, De Feo, and Plût. And since 2016, there have been a number of signature schemes that have also been proposed. I just picked out a couple of them here. Galbraith, Petit, Silva proposed a signature scheme in 2016, and then SQISign is a signature scheme that was proposed in 2020. So I will talk about the signature application tomorrow. But my goal right now is to talk about the key exchange application. So this is the actual scheme that is proposed in the NIST PQC competition, which is now in the fourth round. It's called SIKE, supersingular isogeny key exchange, based on Jao, De Feo, and Plût's work and paper. And so the only thing is that in their original paper, which was quite long, you had a lot of different hardness assumptions being introduced, actually five different hardness assumptions, none of which were known previously, and they had not been stated previously and they were not related to other known hard problems. So that made it a little bit weird and a little bit hard to understand the security of this key exchange. And so what I'll explain in this lecture today is that in a fairly intuitive way, you can see that the security of this key exchange also relies on the same hard problem that the hash function relies on, which is the hardness of finding paths in this graph. Okay, so first let me just give you a picture. It's like a diamond here, and these arrows are isogenies, but they are not a single step in the graph. Each of these arrows is a whole bunch of steps, like n steps in one case and m steps in the other, and then n and m. So within the graph, each of these top and bottom of this diamond corresponds to n plus m steps in the L-isogeny graph. So here's how they propose to do key exchange. For those of you, it's like Diffie-Hellman.
So for those of you that know Diffie-Hellman, so each party, they usually say Alice and Bob, would pick a secret integer and there will be a known, a publicly known point on the elliptic curve, and in the group of points on the elliptic curve, Alice would compute like A times P and Bob would compute B times P, not sharing the integers A or B, and then they would make it public, basically share with each other. Alice shares A times P and Bob shares B times P, and then they each know their own secret. So when they receive this other point from the other person, they can use their secret and multiply times the point they received, and in the end, both parties can compute A times B times the point P, and any eavesdropper just sees A P and B P, and all they can do is compute A plus B times P. So Jao, De Feo, and Plût's key exchange is very analogous to this, but instead, Alice, what Alice is gonna do is going to pick a secret isogeny. So let me see if I can get my cursor here. A secret isogeny, which we're calling phi sub A, and Bob is gonna pick a secret isogeny, phi sub B, and so what happens is that they each are going to compute this curve, E sub A or E sub B, and make that public or share it with each other. We assume, when I say make it public, meaning if they share it with each other you can assume there might be an eavesdropper. So it might as well just assume that information is public, and then there's gonna be some, actually some auxiliary information. So this is something that can potentially make this problem easier than just the hardness of finding paths, but using that auxiliary information both Alice and Bob can compute these other isogenies phi prime sub A and phi prime sub B, and they can both compute this other elliptic curve E sub AB and use the j-invariant of this final curve E sub AB in order to establish their common secret. And so I like to describe it that way so you can see how it's analogous to Diffie-Hellman key exchange, except this time it's with isogenies.
So let's be a little more specific about how this works. So the key exchange setup is gonna be, so E is gonna be a starting point. It's a supersingular elliptic curve over Fp squared, but P has to be of a particular form in order for this to work. So we're gonna assume that P is actually, you have two small primes, LA and LB, and these are basically the degrees of isogenies in the two isogeny graphs that Alice and Bob are gonna work in. But just to make things easier, you can just assume LA is two and LB is three. That is the most efficient instantiation of this system. So really what you're saying is that P is equal to some large power of two times some large power of three plus one. So, and it needs to be prime of course, which won't always be the case. But for reasons that I'll explain in a minute, these powers M and N also need to be somewhat similar to each other for security reasons. So in order to exchange the key given this setup, what they need is they need to work on the torsion points on the elliptic curve. So something that I didn't explain earlier about ECC is that in general for the implementation of classical elliptic curve cryptography you wanna have a curve over a finite field Fp where the curve has either a prime number of points on it or close to a prime number of points. If the order of your group is smooth, then you have attacks which will run in time proportional to the square root of the largest prime factor. So for security reasons you really want the order of the elliptic curve to be prime. And here we have something similar, which is that in the, so over the base field in the classical elliptic curve case, you'll take a generator of that prime sub, either prime order group or prime order subgroup, the largest prime that divides the order of the group. And that'll be your point P. So you could call that, like if the order of that group is M, you can call that an M torsion point.
Well, if you wanna do your operations over the base field, and as I explained earlier today, I mean, the bigger the field, the more costly it is to compute in it. If you wanna do it over the base field, then you actually need the point to be defined over the base field. And so that's an issue here too, and that is that the reason we choose P to be of this form is so that we actually have that LA and LB to these powers divide P minus one. So that's why P is picked to be of this form. So we're going to take points P sub A and Q sub A for Alice and P sub B and Q sub B for Bob which actually generate the relevant torsion subgroups for these elliptic curves. So E bracket two to the M and E bracket three to the N. So now Alice and Bob, in order to do their key exchange, are going to pick random integers. So Alice picks M sub A and N sub A and Bob picks M sub B and N sub B and uses Vélu's formulas, or there are more efficient ways to compute this isogeny which I'm not gonna talk about, but I think that there's some exercises kind of going into this. That Alice uses Vélu's formulas to compute the isogeny which is taking E and quotienting by the subgroup M A times P A plus N A times Q A, and then Bob will do the same thing. So what you end up with is that Alice and Bob have each computed their new elliptic curve. They can use Vélu's formulas to compute the new j-invariant and the model for these curves E A and E B. And then using the knowledge of these points, the images of these points, like the images of Bob's points under Alice's isogeny and the image of Alice's points under Bob's isogeny, that's the auxiliary information which is provided. Now they can each use that to then apply their secret integers to create the next subgroup that they need to quotient by.
So E A will be, or Alice will be quotienting E A by the subgroup, basically M A times phi B of P A plus N A times phi B of Q A, et cetera, in order to compute the curve E A B, and then Bob will do kind of the analogous thing on his side, and they will both end up computing the same curve. So one way that you can see that it's the same curve is by actually just seeing that by quotienting twice, again these are abelian groups, you're quotienting by two subgroups here, that you have actually done the same job on the top and the bottom. You've actually quotiented by the same subgroup, and that's why you end up at the same curve. So now let's think about the security of this key exchange. So clearly if you can find the isogeny, for example phi A, then you can, so I'm sorry, if you can find the path between E and E A, then you can break the key exchange. So one thing to note is that the walks on each stage of the key exchange here are only roughly half the diameter of the graph. Okay, so let's go back to this expression for P. So P is, think of it as two to the M times three to the N plus one. And so if you, let's say that this were just two; the two and three are pretty close to the same size. So just thinking about the size of things. If you just take two to the N plus M plus one, that's roughly P. So if you take the log, like the log base two of the size of the graph, which I told you was P over 12, the log here is basically M plus N. And I told you that the diameter of these graphs is roughly the log of the total number of vertices. So what we're saying is that in general the length of a path to get from one vertex to another random vertex is going to be M plus N. And if M and N are roughly the same size, then in each stage of this diamond you're only going about half the diameter of the graph.
And so that's why I said I like to think about these things from a kind of combinatorial point of view, and that is that, just go back to my description where I said in a three-regular graph with no backtracking, if you take a walk of length N you only get at most to two to the N new vertices. So if you only take a walk of length half log of the vertices, you are not visiting most of the points. You're visiting basically like one over square root of P of the points. And so if P is like two to the 256, or in this application P needs to be bigger, if it's 500 bits or 750 bits, if you take two random vertices in the graph it's very unlikely that there is a path of length half the diameter between them. So what that means is that if you are given these two points E and EA and if you can find a path between them, then it's overwhelmingly likely that it was the path that was used to set up the key exchange. So what that shows you is that path finding is most likely, with very, very high probability, enough to break this cryptosystem; at worst you could just run your algorithm again and try to get another path if that was not the path that was used in the key exchange. So this was formalized as part of a paper in 2017 from my WIN4 group with Ana Costache, Brooke Feigon, Maike Massierer and Anna Puskás. And it's a little bit more formalized here, basically saying that if you can do path finding in these graphs, the LA-isogeny graph and the LB-isogeny graph, then in either one of those graphs, then you will be able to break the key exchange with very high probability. The probability being basically, the probability that you failed being basically one over square root of P. So like two to the minus 256, for example. So the nice thing then is that gives us kind of a clean story. It's not maybe quite as clean as that. Certainly path finding has to be hard in order for this key exchange to be secure.
If you can find an efficient algorithm for path finding in the two-isogeny graph or the three-isogeny graph, then you will be able to break the key exchange. However, just like Nadia's comment about the non-equivalence of factoring and breaking RSA, especially in this case, there's some auxiliary information that's given in this protocol, which is the image under these isogenies of the public points of the person you're trying to do the key exchange with. So it is possible that there are easier ways to break this key exchange that do not involve finding paths in these graphs. Okay, so just to kind of restate what are the hard problems in the supersingular isogeny graphs that we're relying on. So to avoid collisions where, like the picture I showed this morning very briefly, a collision would be two paths from the same starting point to the same ending point. So that's a cycle. So that's hardness of finding cycles in these graphs. Finding, so you could state that as either the difficulty of producing a pair of supersingular elliptic curves E1 and E2 and two distinct isogenies of degree L to the N between them, which are, by the way, not equal to just multiplication by L to the N over two. Or you could say it in terms of finding an endomorphism which actually corresponds to going along one path and going back along the other path. So that would be an endomorphism of the initial curve E which has degree L to the two N which is not multiplication by the L to the N map. So those are two different ways to say what is the hard problem in terms of elliptic curves that corresponds to collisions. And then another way to say what the hard problem is that corresponds to finding paths is, given two supersingular elliptic curves, just to find an isogeny of degree L to the N between them. So just as a little side comment, there is a question in the context of the hash function whether you fix the length of the path.
Like as I mentioned, the hash function can be generically thought of as a function which maps bit strings of length M to bit strings of length N. And so once you've done that, that pretty much fixes the length of the path. And so that's why I've stated this here as finding an isogeny of degree exactly L to the N. But you could think a little bit more generally about what if you're allowed to find paths of different lengths, not just length N. So that could potentially be an easier problem. Okay, so then the last thing that I want to talk about today, it's a little bit late and we've been talking and listening for a long time today. So I think I will try to end a little bit early. But so the last topic I wanted to address is what do generic attacks on this cryptosystem look like? So when we say generic attacks in cryptography, or we often call them square root attacks, we're often thinking about the, like, Pollard rho or baby-step giant-step or kind of birthday, basically birthday paradox attacks. And so what we mean by that is that if you kind of just assume that everything is random and you apply these algorithms where you do some kind of either random steps or some kind of deterministic rule even that approximates random behavior, you'll end up with these square root attacks which heuristically run in usually the square root of the group size. So because we know of generic attacks for almost everything including this, which I'm just about to tell you, that's what also makes us set the parameters the way we do. So for the hash function, at the time when we proposed it, if we wanted a kind of US government minimum security which is 128 bits, we wanted to set the size of the graph to be basically 256 bits so that the best generic attacks would run in time roughly two to the 128, making it roughly, that secure, two to the 128.
So since the number of nodes is, like I said, the Eichler class number, which is P over 12 roughly, that means that, that's why we set P to be 256 bits for the hash function. Now what you could see from what I explained about the key exchange is that P needs to be at least like twice as big for the key exchange, because the walks, those walks are only half as long, half as long as the diameter. Whereas in the hash function, the walks are fully the full diameter of the graph in length. So you can think of basically a birthday attack strategy on this problem, which is that you randomly, you have two nodes in the graph, you're trying to find a path between them. So you take a random walk from both sides, from both ends, until they hit each other. So, and then given the kind of reasoning of the birthday attack, this will run in time roughly square root of the graph size. So in other words, kind of starting from both ends and kind of a meet in the middle kind of attack. So the generic attacks have been known since the beginning, and since we first proposed these graphs, we considered a lot of different kind of strategies for attacking them. And the main kind of, I would say most promising strategy that we have today is that instead of thinking of these graphs as being, the nodes are the elliptic curves and the edges are the isogenies, if you can somehow move over to the other description of this graph, which is in terms of maximal orders in a quaternion algebra and connecting ideals between them, we actually have an algorithm, a relatively efficient algorithm, for attacking the graph in that setting. And so what that leaves us with is the fact that the security of these cryptosystems is based on actually being able to do this association of these two graphs, which is called computing the endomorphism ring.
So for every node, if you can actually just compute its endomorphism ring as a maximal order in the quaternion algebra, then you'll be able to use the attacks over here on this side and kind of get back an attack on the original problem. So luckily, like I said, luckily or unluckily, the problem of computing the endomorphism ring seems to be just as hard as computing the paths in the original graph, so far anyway. But there's a lot of interesting work in the community going on now on that particular problem. So that will be the topic of my lecture for tomorrow. And so for now, I'd just like to stop and thank you for listening and see if there's any questions. There was somebody that had a question this morning that didn't get to ask it, but they're still here? Okay, I don't see any, so let's thank Kristin again.
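The spectral facts the lecture relies on (largest eigenvalue k = L + 1, the Ramanujan bound of two times the square root of L on the remaining eigenvalues, and the expansion constant with its spectral lower bound) can be checked concretely on a small instance of the graph; the following is an added, self-contained Python example, not code from the lecture or its speaker, which builds the supersingular 2-isogeny graph over F_{p^2} from the classical modular polynomial Phi_2 and computes its spectrum with a pure-Python Jacobi routine. The choices below are this example's own assumptions: the toy prime p = 109 (p is 1 mod 12, so j = 0 and 1728 are not supersingular and the graph is an undirected 3-regular multigraph on (p - 1)/12 = 9 nodes), brute-force root finding over F_{p^2}, a point-counting search for a starting supersingular curve, and writing the lecture's lower bound on the expansion constant in its Alon-Milman form c >= 2(k - mu1)/(3k - 2 mu1).

```python
import math
from functools import reduce

class Fp2:
    """F_{p^2} = F_p(sqrt(d)) for a quadratic non-residue d; an element (a, b) means a + b*sqrt(d)."""
    def __init__(self, p):
        self.p, self.d = p, next(x for x in range(2, p) if pow(x, (p - 1) // 2, p) == p - 1)
    def el(self, n): return (n % self.p, 0)                      # embed an integer (negatives allowed)
    def add(self, x, y): return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)
    def mul(self, x, y):
        p, d = self.p, self.d
        return ((x[0] * y[0] + d * x[1] * y[1]) % p, (x[0] * y[1] + x[1] * y[0]) % p)

def phi2_in_Y(F, j):
    """Classical modular polynomial Phi_2(j, Y) as a monic cubic in Y (coefficients, highest degree first);
    its roots in F_{p^2}, counted with multiplicity, are the j-invariants 2-isogenous to j."""
    one, j2 = F.el(1), F.mul(j, j)
    lin = lambda *terms: reduce(F.add, (F.mul(F.el(c), t) for c, t in terms))
    return [one,
            lin((-1, j2), (1488, j), (-162000, one)),
            lin((1488, j2), (40773375, j), (8748000000, one)),
            lin((1, F.mul(j2, j)), (-162000, j2), (8748000000, j), (-157464000000000, one))]

def deflate(F, coeffs, r):
    """Synthetic division by (Y - r), dropping the (zero) remainder; the caller guarantees r is a root."""
    q = [coeffs[0]]
    for c in coeffs[1:]: q.append(F.add(c, F.mul(r, q[-1])))
    return q[:-1]

def roots_with_multiplicity(F, coeffs):
    """Brute-force root finding over all of F_{p^2} (Horner evaluation); fine for a toy prime."""
    horner = lambda cs, y: reduce(lambda acc, c: F.add(F.mul(acc, y), c), cs, F.el(0))
    roots = []
    for y in ((a, b) for a in range(F.p) for b in range(F.p)):
        while len(coeffs) > 1 and horner(coeffs, y) == F.el(0):
            roots.append(y)
            coeffs = deflate(F, coeffs, y)                      # re-test y to count its multiplicity
    return roots

def supersingular_j_in_Fp(p):
    """Smallest supersingular j in F_p minus {0, 1728}: a curve with that j has exactly p + 1 points over F_p."""
    legendre = lambda n: 0 if n % p == 0 else (1 if pow(n, (p - 1) // 2, p) == 1 else -1)
    for j in range(p):
        if j in (0, 1728 % p): continue
        a, b = 3 * j * (1728 - j) % p, 2 * j * (1728 - j) ** 2 % p    # y^2 = x^3 + ax + b has j-invariant j
        if 1 + sum(1 + legendre(x ** 3 + a * x + b) for x in range(p)) == p + 1:
            return j

def supersingular_2_isogeny_graph(p):
    """Walk from one known supersingular j to all of them; A[u][v] = number of 2-isogenies from u to v."""
    F = Fp2(p)
    nodes, edges = [F.el(supersingular_j_in_Fp(p))], []
    for j in nodes:                                             # nodes grows during the loop; new entries are visited too
        for r in roots_with_multiplicity(F, phi2_in_Y(F, j)):
            if r not in nodes: nodes.append(r)
            edges.append((nodes.index(j), nodes.index(r)))
    A = [[0] * len(nodes) for _ in nodes]
    for u, v in edges: A[u][v] += 1
    return A

def symmetric_eigenvalues(M, sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations (pure Python, no numpy)."""
    A, n = [[float(x) for x in row] for row in M], len(M)
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-20: break
        for a in range(n - 1):
            for b in range(a + 1, n):
                if A[a][b] == 0: continue
                theta = (A[b][b] - A[a][a]) / (2 * A[a][b])
                t = (1 if theta >= 0 else -1) / (abs(theta) + math.sqrt(theta * theta + 1))
                c, s = 1 / math.sqrt(t * t + 1), t / math.sqrt(t * t + 1)
                for k in range(n):                              # A <- A*J, J a rotation of the (a, b) plane
                    A[k][a], A[k][b] = c * A[k][a] - s * A[k][b], s * A[k][a] + c * A[k][b]
                for k in range(n):                              # A <- J^T*A; together this zeroes A[a][b]
                    A[a][k], A[b][k] = c * A[a][k] - s * A[b][k], s * A[a][k] + c * A[b][k]
    return sorted((A[i][i] for i in range(n)), reverse=True)

def expansion_constant(A):
    """c = min |boundary(U)| / |U| over all non-empty U with |U| <= n/2, by brute force (tiny graphs only)."""
    n, best = len(A), math.inf
    for mask in range(1, 1 << n):
        U = [u for u in range(n) if mask >> u & 1]
        if len(U) > n // 2: continue
        boundary = {v for u in U for v in range(n) if A[u][v] and v not in U}
        best = min(best, len(boundary) / len(U))
    return best

def analyse(p=109):
    """Assumes p = 1 mod 12, so that j = 0 and 1728 are not supersingular and A is symmetric."""
    A = supersingular_2_isogeny_graph(p)
    k, eig = sum(A[0]), symmetric_eigenvalues(A)
    assert all(sum(row) == k for row in A) and A == [list(col) for col in zip(*A)]   # regular and symmetric
    mu1 = eig[1]                                                # second largest eigenvalue
    return {"nodes": len(A), "degree": k, "eigenvalues": eig, "spectral_gap": k - mu1,
            "ramanujan": all(abs(m) <= 2 * math.sqrt(k - 1) + 1e-9 for m in eig[1:]),
            "expansion_constant": expansion_constant(A),
            "alon_milman_bound": 2 * (k - mu1) / (3 * k - 2 * mu1)}
```

Calling analyse() returns the node count, degree, full spectrum, spectral gap, whether every non-trivial eigenvalue lies within 2 times the square root of 2, the brute-force expansion constant and the Alon-Milman bound it must dominate; the brute-force root finding takes a second or two for p = 109.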