Sorry, so we're very happy to have Kristin Lauter here to give her third and final lecture on supersingular isogeny graphs and cryptography.

Thanks, Jen, and let me take this opportunity to thank the organizers. Thank you to Akshay, Bjorn, and Jen, and also to the organizers of PCMI. Organizing these conferences and summer schools is a lot of work, and I really appreciate everything you've done and the chance to talk to all of you here.

So for my third lecture, if you remember, at the end of the second lecture we started to talk about the quaternion algebras and specifically the quaternion interpretation of the supersingular isogeny graphs. So just to recall, the idea is that for a supersingular elliptic curve, if you associate to it its endomorphism ring, which is a maximal order in a quaternion algebra, you get a different graph which is, instead of elliptic curves with isogenies, you have a graph where the vertices are maximal orders in this quaternion algebra. And this Deuring correspondence is something that I wanted to explain in more detail, but I first needed to start by explaining a little bit about quaternion algebras, which is what we started last time.

So the quaternion algebras that we'll be working in are quaternion algebras over Q, the rationals. They're rank four vector spaces over Q, and we in particular are interested in definite quaternion algebras which are ramified only at p and infinity, and so I started to tell you how we describe and work with these algebras B_{p,∞} last time. So we're going to take a basis 1, i, j, k, and it will always be of the form i squared is equal to a, j squared is equal to b, and k is equal to ij, which is minus ji, where in general a and b are negative integers. And in particular, for example, if p is congruent to three mod four then a, b can be taken to be minus p, minus one, and so for other congruence classes of p there's other descriptions of a and b, but I didn't write them down here.
Okay, so then the next thing that we need to know is that we have a norm form on this quaternion algebra. There's a little bit of confusion because in the quaternionic setting we usually talk about the norm, well, norm and trace actually, as reduced norm and reduced trace, but throughout the literature in this area you'll see it just referred to as norm, so don't be confused by that. Strictly speaking we would call it the reduced norm, but throughout this I'm just going to use the term norm, which is what everybody says, like, for shorthand.

So we get the norm by realizing that first of all we have an involution on the quaternion algebra, which sends an element which is written in terms of the basis 1, i, j, k to basically just negating the i, j and k coefficients. So I'll call that x star. So for example, if x is the element c plus dj plus fi plus gij, then the involution would just be c minus dj minus fi minus gij. And then we have a reduced trace and a reduced norm in the space, and that is that the reduced trace just takes x plus x star and the norm just takes x minus x star. So for example, with the basis that I had written on the previous slide, when p is congruent to three mod four, then the norm map is just, it takes an element that's written in terms of this basis to the element c squared plus d squared plus p times (f squared plus g squared).

So one thing that you should notice, which is really important in a lot of other work that I've done in my life, is that p is really large in the cryptographic setting. So if you look at this norm form, it's, you know, just c squared plus d squared plus p times (f squared plus g squared), so even if c, d, f, and g are all really small, this norm is going to be really large if f and g are not zero, right? So what happens is that elements of small norm commute, essentially. So what it means is that if you have an element whose norm is very small compared to p, then it means it has no component from the f and g are
zero, and that means that the element itself is just an element of a quadratic subfield of the quaternion algebra. So that's just kind of an interesting side track that I always like to point out.

So another thing that's going to be very important for the Deuring correspondence and for the relationship between the quaternionic side and the elliptic curve side is that the norm map on quaternions corresponds to the degree map on endomorphisms. So I will explain this a little better in the setting of the Deuring correspondence when we go back to that.

So first of all, I think one of the issues is there's actually a lot of terminology and a lot of definitions to know and to learn for quaternion algebras, and I can't cover all of them here today, but just to give you an idea to start with. So we say a fractional ideal in the quaternions is actually a rank four Z-lattice. So I've written it as this kind of curly I, which is going to be the notation for my ideals here. So it's a rank four Z-lattice, so it means it's written in the form like alpha one Z plus alpha two Z plus alpha three Z plus alpha four Z, where alpha one, alpha two, alpha three, alpha four actually form a basis, a Q-basis, for B_{p,∞}. So that's what a fractional ideal is. But the fact is that the fractional ideal is not necessarily actually a subring of the quaternion algebra, and so we say an order O is a fractional ideal which is also a subring, so it's closed under multiplication. And I didn't write all this down, but like a maximal order is one that's not contained in any other larger order. The norm of an ideal is going to be the Z-module generated by reduced norms of elements in the ideal.

So another kind of important fact, which is very different from the commutative case, and you can actually, you know, try to come up with an example of this yourself: integral elements do not necessarily form a ring. So we have the nice situation like in number fields that if you
take the integral elements you get the ring of integers of the ring, and that is not necessarily true in the quaternionic case. So an integral element is, its reduced norm and trace are in Z, so it's kind of the same definition as in the commutative case, but we don't have the same property of the integral elements being closed.

Okay, so now I'm going to talk about a very important concept, which is the right order of a fractional ideal. So if you have a fractional ideal I, this curly I, the right order will be all of the elements in the quaternion algebra B_{p,∞} such that if you multiply the ideal on the right by that element alpha, you still get another element in the ideal. So that's the right order. And then I didn't write it down, but the left order, so I'll use the notation O sub R for the right order and O sub L for the left order, the left order would be all the elements alpha such that if you multiply on the left by alpha you would still be in the ideal.

So now we come to another very important concept, which is called the connecting ideal. So given two maximal orders O1 and O2, the connecting ideal is an ideal which has the property that its right ideal is O1 and its left ideal is O2. So there is a kind of linear algebra type of procedure for computing a connecting ideal, which was, as far as I know, first written in a paper of Kirschmer and Voight in 2008, but I'm pretty sure that it was known before that. It was known, for example, to David Kohel, and I think it might have even been implemented by David Kohel in Magma before that. I'm not completely certain about that, but in the kind of quaternion algebra package that David wrote in Magma, I think he might have even already had the connecting ideal in there.

I should have said at the beginning of the quaternion algebra section that kind of the bible for quaternion algebras is a book by Marie-France
Vignéras, from the 80s I think, and so that's where I learned quaternion algebras from. It's written in French and it's very well written and complete, but recently people have written things in English that may be a little bit easier to read. So John Voight has a book with a lot of that material and a lot of other things and a lot of algorithms, but also there's a couple of references which I can share later, I don't think I have them on my slides, but which give a very nice overview. So there were some lectures by Pete Clark that I found that are in English that have a really nice description of quaternion algebra background.

Okay, so with some of that background in mind, and keep in mind this is just not a complete, you know, course on quaternion algebras here, just to give you kind of the basic building blocks, let's go back to what I mentioned at the end of the lecture last time, which is the Deuring correspondence. So a supersingular j-invariant on the elliptic curve side would now be associated with a maximal order in a quaternion algebra on the other side. And so what is this correspondence, how will it work? So a left ideal of O will correspond to an isogeny then as follows. The isogeny called phi sub I will go from the elliptic curve E to an elliptic curve we'll call E sub I, and it'll be defined by its kernel, and the kernel is going to be all of the points P on the elliptic curve which are basically annihilated by the ideal, so such that every element of the ideal, and remember these are elements which are essentially endomorphisms of the elliptic curve, every alpha in the ideal takes the point to zero. So for all points that that's true, they're annihilated by all the elements of the ideal, those will be the points in the kernel that's associated to I. So this is in theory what the correspondence would be. Now the problem is actually being able to do this in
practice, to be able to kind of construct the order which is the endomorphism ring of the elliptic curve in a constructive way, so that you could actually evaluate endomorphisms and see which points are annihilated. That's what you would need to do in order to be able to say what this actual isogeny is in practice. So the Deuring correspondence is a one-to-one correspondence if the degree of the isogeny is coprime to p, in other words this is a separable isogeny determined by its kernel. And then if you take this left ideal I which corresponds to an isogeny, the right order of this ideal would then be the endomorphism ring of the kind of target elliptic curve. So now what we've done is, at least in theory, we've built up this other graph, which is kind of the same graph as the supersingular isogeny graph described in terms of elliptic curves, it's just that the elliptic curves are the maximal orders and then the isogenies are these left ideals whose right ideals are the next maximal order or the next vertex in the quaternion graph.

So let's go back to an example. So sticking with the p congruent to three mod four, where I gave you a specific description of B_{p,∞}, and looking at the elliptic curve E0, which is y squared equals x cubed plus x, which is supersingular for such p, it has j-invariant 1728. The endomorphism ring of E0 is a particular maximal order which we're going to call O0. So throughout the rest of this talk, O0 is actually going to be this O0. So for the algorithms that I'm going to describe, we're working in this situation where p is three mod four and this is what's often called a special extremal maximal order O0. So I'm not sure if you already started on this in the exercises today, but if you're using Magma or Sage you can actually specify p, you can specify a quaternion algebra, and then you can even just ask for all the maximal orders and it will compute
them, at least for small p. It will also, if you give it a maximal order, it should also give you all of the left ideals of that maximal order, and then what you could do is you could actually ask for each of those left ideals, you could ask for the right order of those ideals, and then you'll get all the kind of neighbors of the order that you started with.

Okay, oh, I'm sorry, I realized I forgot kind of an important point. In the elliptic curve graph, on the elliptic curve side, we restrict to l-isogenies for l equal to some prime which is usually very small, like two or three, and the prime p is extremely large, like of cryptographic size. So on the quaternion side, if we want to build up that same graph, what we need to do is we need to restrict to ideals of norm l. So that's an analog of the degree l isogeny.

But one of the things that I think causes a little bit of confusion in this area, and we tried to clarify this in our Eurocrypt paper in 2018 with Eisenträger, Hallgren, Morrison and Petit, is that you can talk about an endomorphism ring of an elliptic curve in a lot of different ways. So right now I'm talking about it as being a maximal order in a quaternion algebra. So I wrote down this O0 equals, you know, the Z-module generated by these four elements here, one, i, one plus k over two, and i plus j over two. But the fact is that that might not be all that helpful for actually evaluating an endomorphism on the elliptic curve. So just below that, what I'm showing you is an actual representation of the endomorphism ring in terms of actual endomorphisms. So I think I might have mentioned in my first lecture that, you know, we have some endomorphisms, clearly we have the Frobenius endomorphism whenever we have an elliptic curve over a finite field, and so that's described here by pi, pi is Frobenius. And then in this case we have this special endomorphism which is very nice, phi, I guess
we've forgotten all my Greek letters here, phi takes (x, y) to (minus x, i y), where i squared is minus one. So this is an explicit description of the endomorphism ring in terms of actual endomorphisms, and the way to connect it to this O0, I've kind of written down the map here, is like, you know, i gets sent to phi, oh sorry, I have a different script here for phi, i gets sent to phi, j gets sent to pi, k gets sent to pi phi. Okay, so this is like the best possible scenario, where you have, you know, kind of all three things: you have an elliptic curve, you know what its endomorphism ring is in terms of actual maps, in terms of endomorphisms that generate a rank four Z-module and how they act on the curve, and then you also know a description in terms of the quaternion algebra, which is a maximal order with its basis. And this is a beautiful setup which gives you a lot of advantages in computation, but unfortunately, or maybe fortunately for the security of our cryptosystems, this is not the case for general supersingular elliptic curves.

So I think in the exercises you've hopefully done the examples where you fix a prime and then you use Magma or Sage to generate all the supersingular elliptic curves. Well, you know, one way to do that is there's a function that's implemented there, so you can just call that function, but behind the scenes, in the general case, it will take and use the Hilbert class polynomial for an imaginary quadratic field where p is inert, and then it will take the roots of that polynomial mod p, or sorry, not exactly take the roots, just factor it mod p, and it'll have linear factors and quadratic factors which, the roots of those correspond to the j-invariants of the supersingular elliptic curves over F_p and F_{p^2}. So if you use that function or you follow that procedure and you've got a supersingular elliptic curve, the problem is you have no idea
what its endomorphism ring is. You can use that j-invariant to write down an equation of the elliptic curve, except for in some very special cases of like characteristic two and three, which we're not in here. So you can take the j-invariant, you can get an elliptic curve, and so you'll have some model for your elliptic curve, but you have no idea what the endomorphism ring is, what the maximal order in the quaternion algebra or the rank four Z-module in terms of endomorphisms. And so that's essentially the very hard problem in this area, is that we don't know how to compute endomorphism rings. So I'll come back to that in a minute.

The fact is that if you knew how to compute endomorphism rings for general supersingular elliptic curves, what you could do is you could pass from the elliptic curve description of the graph over to the quaternion side by replacing an elliptic curve and its j-invariant with a maximal order in a quaternion algebra, and then you could apply an algorithm which we developed and published in ANTS in 2014, this was with Kohel and Petit and Tignol, which actually can find paths on the quaternion side. So in the quaternion version of the graph we can find paths. So the way this works is, given two maximal orders O1 and O2, you can find the connecting ideal, and then basically, at least heuristically, you can replace it with, you can find an ideal of l-power norm which is equivalent to the connecting ideal. So I'm not giving a lot of details here, this would take more time to go into the details, but the connecting ideal, let me just go back to this reference to Kirschmer and Voight, I haven't said exactly how to compute this, but you can compute mu and n such that if you have an ideal of norm n such that you write the connecting ideal in this form. And then once you have that connecting ideal
let's call that I, you can find an equivalent norm which has prime norm because of the following. So if alpha is an element, so step three here, if alpha is an element of I, you can replace the ideal I with an equivalent one, which is I times gamma, where gamma is alpha star divided by n. And so in order to find an element alpha which has prime norm, what we do is we take the norm form that I described earlier and search through all of the past, so remember an element alpha in the basis that I gave you for B_{p,∞} is just specified by four coordinates, so you're going to search through a box of, you know, basically in Z to the fourth, elements that have four coordinates, and you're looking for solutions to the norm equation such that the norm is prime. And so actually one way to do that is to just use Cornacchia's algorithm, like you fix two of the coordinates and then you look for solutions that will get you what you want for the other two. But in general, I guess this is the part which is the heuristic part of the algorithm, like we describe our success probability in terms of the heuristics for the distributions of primes, and it's just very likely that you will find an element of prime norm very quickly.

And so then what we do is we use the equivalent ideal I times gamma that I've written here, and so this is an ideal of prime norm, and then we use a kind of strong approximation technique, which I'm also not going to describe here, to find an equivalent ideal with l-power norm. And so this is a procedure that works for the connecting ideal between maximal ideal O1 and the special extremal ideal O0 that I described in the previous slide. And so what you do to try to solve this problem between O1 and O2 is you do this procedure twice, so you use O0 in the middle and kind of find an l-path back to O0 from O1 and an l-path back to O0
from O2, and then you concatenate them, and then that's what gives you a path from O1 to O2.

So let me just pause here and say that, like I said, this would be very bad news for cryptography if you can actually find the maximal orders that are associated to elliptic curves, and that's because you would just take two elliptic curves, you would find their maximal orders, find their endomorphism rings as maximal orders in the quaternion algebra, and then you would apply this algorithm, the KLPT algorithm, and you would find an ideal which has a norm l to the n, and then you would take that ideal and you would break it down into steps and you would find the path back from the end point of your walk to the beginning. So pulling the path back is also possible if you know both of the orders of the two endpoints. But the problem is, so computing the endomorphism rings, and again there's always this ambiguity when I say endomorphism rings, you could mean computing it as the maximal order in the quaternion algebra or you could mean computing it in terms of the actual endomorphisms that you can evaluate. And even when we're doing research in this field we're constantly confusing ourselves, because people could mean one or the other of those two things, or both. Ideally of course you know both, that's the perfect situation where you have for E0, but in general you don't know either one of those.

And so let's talk about how hard it is to find endomorphism rings of a supersingular elliptic curve. So going back to Kohel's thesis in 96, he essentially said, oh okay, well here's what we call a generic algorithm, or like I talked about yesterday, a square root algorithm, for finding endomorphism rings: you just basically walk around the graph until you come back to yourself and you've found a cycle. This cycle is now an endomorphism, you started out at E, you ended up at E, it's a map from E to E, it's
non-trivial, it's a non-trivial endomorphism. So if you do this, and if you could do this once and you could do it twice, and so now you'll presumably have two endomorphisms which generate the endomorphism ring. And so that was kind of his, you know, algorithm in his thesis. So unfortunately that's not exactly correct, and so you'll find in the papers of, let me see, the WIN4 paper of Eisenträger et al., sorry, I can't remember all the collaborators on that, but that was like Eisenträger, Park and a number of co-authors, show that it's only going to generate the endomorphism ring if there isn't any common edge in those two cycles that you found. But just assume you found two disjoint cycles and you would actually get the endomorphism ring. And they've also written a follow-up paper on that which appeared at ANTS this past year. So it's not quite finding the endomorphism ring, but it's close. But anyway, it's an exponential time algorithm, right? So basically the birthday paradox tells you that you will, in square root of the graph size, you know, find this cycle. So that's good for cryptography in the sense that that doesn't break anything, because it's still exponential time.

And then, so in 2003 I was working on this endomorphism ring finding problem with Ken McMurdy, and so we wrote down an algorithm which was essentially the same algorithm that Cerviño found at the same time. So you'll find two preprints from about 2003 written independently, which is another way to kind of build up the correspondence of endomorphism rings as maximal orders with the elliptic curves, and that is that you can compute in a maximal order, let's say you have, you know, Sage or Magma just spit out a basis for the maximal orders for you, and just take one of those maximal orders with its basis, now start computing all the elements of norm n for n equals, you know, one, two, three, four, et cetera, so
you're going through, and you could see from the way that the norm form looks, if you construct a norm form from a particular order, it will look slightly different than what I gave you for the general algebra. So sorry, let me go back a few slides, this is kind of an important point. So here where I gave you the norm form for the algebra, you can see that, you know, c, d, f and g are all integers, the norm is an integer, and also it is positive, right, because all these things are squared and p is positive, and so this is all positive. The fact is though that if you look at the norm form for, let me go to the O0 slide that shows you what O0 is, so even for this nice special extremal order where the basis is one, i, one plus k over two, one plus j over two, if you kind of work out the description of the norm form you'll see that there are denominators. So now the norm is not necessarily even an integer, and like I said, integral elements are those that have integral norm and integral trace, but in general it can also be negative, because of the way the norm form will look, it doesn't look as nice as it did for the whole algebra. But still you can find a way to basically go through all the possibilities and find all the elements in the quaternion or algebra that have norm n for small n, so like I said, for one, two, three, four, you know, like that. And those actually correspond to, I mentioned this yesterday in the Q&A, those actually correspond to these representation numbers, which are the number of elements of norm n correspond to the coefficients of the modular form. And the thing that I mentioned yesterday is that there's a theorem of Serre that says that you can determine the order, the order is determined by having square root of p of those coefficients.

Okay, so this is also a terrible algorithm. So p is super gigantic, of cryptographic size, and now you would need square root of p of
these coefficients of the modular form in order to determine the maximal order completely, and that is ridiculous, you won't be able to do that in your lifetime. So this is an algorithm which is also exponentially bad, and it will just compare the number of elements of norm n in a maximal order with the number of isogenies of degree n which are actual endomorphisms. So again an exponentially bad algorithm, but it's something that you can do for very, very small p, and you can use this to match up all the maximal orders with all of the elliptic curves, and that is actually what's done in practice in a lot of examples in the papers that we have today, just to see what the graph looks like and how it corresponds to the graph of elliptic curves.

So as of today we have no classical subexponential algorithms or polynomial time algorithms for finding paths in elliptic curves, and we have no subexponential or polynomial time algorithms for finding endomorphism rings of supersingular elliptic curves. So for the future, what you have to think about is, okay, are we going to find any better classical algorithms for either of these problems, or even if quantum algorithm experts might find some quantum algorithms for these things. So in order for this to be a good candidate for the future of post-quantum cryptography, you know, both of those problems will continue to need to be studied.

In the first lecture on Monday I mentioned like the four main kind of math candidates that were considered in the NIST PQC competition these last four years, it's ongoing, it's a five-year competition. I mentioned code-based cryptography, lattice-based cryptography, multivariate cryptography and supersingular isogeny graphs, and for each of them I put down essentially the date when it was first proposed, and you might have noticed that, you know, all of the others were proposed in the 70s or 80s, essentially
the hard problem was at least, whereas supersingular isogeny graphs we proposed in 2005 at the hash function competition. So you're looking at a system which is roughly 15 years old instead of roughly 40 years old, like 30 to 40 years old at least for the others. And so what NIST did in the third round of the competition is that they specified SIKE, this supersingular isogeny key exchange, as an alternate candidate, and stated that it's a candidate that needs further study. So good motivation to keep studying and keep working on these problems. So it's now an alternate for the next stage of the competition.

Okay, so in my last few minutes what I wanted to do was to talk about the sickness situation for signature schemes based on supersingular isogenies. So I talked about cryptographic hash functions in the first lecture, talked about key exchange in the second lecture, both based on the hardness of path finding. So now we have another system which is based on the hardness of path finding. But in 2016 this was proposed by Galbraith, Petit and Silva but not really implemented, they didn't find a way to kind of efficiently implement this. And so I wanted to thank Jana for pointing out this paper, SQISign, or I guess some people are saying "ski sign", from last year, appeared at Asiacrypt 2020, which is kind of in some sense a variant of the GPS scheme, but they had to improve the KLPT algorithm in order to make this work. So with their improvement of the KLPT algorithm they proposed this signature scheme, which I'm going to describe to you. But the improvement that they made was they were able to find a quaternionic kind of l-path finding algorithm from O1 to O2 for two maximal orders O1 and O2 without going to O0. So for the zero knowledge properties of the signature scheme they couldn't afford to have to go through, so they've improved
the KLPT algorithm so that they can go directly from O1 to O2, two maximal orders.

Okay, so the setup for their system is, again, they're going to fix some large prime of cryptographic size, and a supersingular elliptic curve E0 which is one of the special ones, meaning we know what its endomorphism ring is, like extremal endomorphism ring O0, just like my previous slide, like if p is congruent to 3 mod 4 then you could take the one that I gave there. And then you're going to select an odd smooth, not, and specify a small prime l as well. You're going to also select an odd, a smooth number D which has log p bits, so that means if you're going to take an isogeny of degree D, if you translate that into being a walk, it means it's going to have to be a walk of at least essentially the diameter of the graph.

So the key generation is going to be for someone who wants to prove knowledge of something. So I'm going to describe the isogeny scheme; the general signature scheme can be obtained from that identification protocol via the Fiat-Shamir transformation. So a prover is going to want to prove knowledge of something, so they're going to prove knowledge of a secret isogeny tau. So what they're going to do is, E0 is fixed and known to everyone, now they're going to take a random walk, an isogeny walk, and come up with their elliptic curve E_A. So this should sound very familiar to you, that's like what we did for the hash function, that's like what we did for the first step of the key exchange, Alice and Bob each did this. So they're going to publish this elliptic curve E sub A, and the secret is tau, which is the path, and so the public key is going to be E_A and the secret is tau. And now the way that this commitment scheme works is that the prover generates a random secret isogeny walk from E0 to E1 and sends E1 to the verifier, then the verifier sends the description of a
cyclic isogeny from E1 to E2 of degree D to the prover. So just as an example, D could be l to the power log p, that was kind of what I was hinting at in the previous slide. And then the response would be that, since the prover knows tau, the prover can construct this isogeny phi composed with psi composed with tau dual, which goes from E_A back to E2, and they know that isogeny, sorry, and then they can construct a new isogeny from E_A to E2 of degree D such that phi hat composed with sigma is cyclic, and will send sigma to the verifier. Now the verifier will accept if sigma is an isogeny of degree D from E_A to E2 and phi hat composed with sigma is cyclic, and otherwise they will reject it.

So I think that's a lot of words, but let me show you the picture that they have of their scheme, hopefully this will make it a little bit easier to understand. So on the left, this dotted arrow going down is the secret key isogeny that I said was chosen in the setup, and then the commitment isogeny from the prover is the top solid blue arrow, and then it goes from E0 to E1. The challenge isogeny is the red arrow down from the challenger or the verifier, and then the response isogeny is that, you can see, since the prover knows tau and tau dual, the prover can construct this thick blue arrow on the bottom, because they can go backwards up the tau arrow and then compose, follow the psi arrow and the phi arrow. But if they didn't know tau then they wouldn't be able to construct the isogeny from E_A to E2. And so being given the isogeny sigma, then the verifier can check that that has the right properties that were required. So this is another very nice application of the supersingular isogeny problems.

So hopefully I've, it actually kind of turned out that the structure of the lectures turned out a little better than I had even thought, in the sense that we did from the
cryptographic point of view, we did on the three lectures, we did hash function, key exchange, and then signatures, and then from that kind of mathematical point of view we talked about the description of the supersingular isogeny graphs, also in the second lecture the, the properties in terms of an expander graph, as specifically a Ramanujan graph, and then in the third lecture we talked about the description of that same graph as a quaternion graph and the hardness of going back and forth between those two descriptions of the graph. So that was pretty good. I've left out a lot of, a lot of other related topics that I could have included, but I think that that was a good set of topics to focus on.

I thought I would just share with you, I've put a couple of links for references in the slides, but for the quaternions I actually found what I thought to be a bunch of useful recent write-ups of quaternions in English that I will put on, I'll add another slide which I'll, I'll add to the slides before sending them today. And so I just wanted to end by talking about some of the other graphs that have been investigated and some of the other ongoing work in this field. So this is just, I guess I'm like a minute or two over, but just to end with some of the other things.

So in our original paper, the Cryptographic Hash Functions from Expander Graphs, the CGL paper from 2006, we also proposed other expander graphs, for example the LPS graphs, which are very simple because they can, they're Cayley graphs in basically SL2(Fp), but cycles were found very quickly in those graphs. An algorithm for finding cycles was found by Zémor and Tillich and in 2008 at Eurocrypt, and also that same year in 2008 we extended their algorithm with, with Petit and Quisquater to find pre-images. So those graphs are broken from the cryptographic point of view, but an interesting thing is that the algorithm that we gave for path finding, finding in those graphs is now being used, so it's kind of rediscovered in the setting
of quantum arithmetic, and it's now being used as a way to do efficient quantum arithmetic, arithmetic with us, for certain quantum infrastructures. So even though the LPS graphs are essentially broken, there are variations that you can take of them that are not yet broken, so the Morgenstern graph I've mentioned, the higher dimensional analogs that we proposed in 2007.

But zooming forward now, you know, almost 15 years, there's a lot of ongoing work. So other alternate graphs that were, have been considered are like the, the CSIDH graph, dimension two analogs, signatures that I've mentioned here, and other variants. Ongoing work on attacks, like Petit has an attack that works by using extra, the extra information from the knowledge of the images of the torsion points in the key exchange. There's ongoing work on understanding the graph structure better, so Adventures in Supersingularland paper with Jana and Sarah Arpin and our other co-authors from last year, investigating more the structure of the graph and the relationship between the ordinary volcanoes, isogeny graphs which are volcanoes, and how they embed into the, the graph structure for supersingular isogeny graphs.

So sorry for going a couple minutes over time. This is just to give you an idea of a large amount of kind of ongoing work in this, in this area, a lot of other people that are probably not mentioned on this slide, so sorry about that if I didn't put your name here. So thank you very much for your attention. It's been fun talking with you. Be happy to answer questions if we have time.

All right, well, let's start by thanking Kristin for her very nice lecture, and I don't see anything in the chat, but if there are further questions we should ask Kristin now. So, and Rick has a question, Kristin, in the chat, or, are there implementations of KLPT?

Yeah, in the chat. Yes and no. So there were definitely experiments in the original KLPT paper which indicated the feasibility and the, confirmed like the heuristic analysis of the
algorithm, but actually not exactly sure how does this, there's a paper under confidential review for MathCrypt which has a, which has an implementation. I can't remember if it's on ePrint already or not, so that's why, but it will be public soon; it should literally be public like within two or three weeks if not. So that's, that's the other one that I know of. I'm thinking that the SQISign paper may have an implementation even of their better algorithm, which kind of didn't know about until Jana pointed that paper out to me. So Jana, I don't know whether you know, do you know if they have an implementation public for SQISign?

Yes, I can link the GitHub repository and help. So yeah, so they do have an implementation for their algorithm available, yeah.

Okay, good, so I would say that's even better.

Hi, there are other questions? All right, I'm not seeing, oh, I just saw one in chat. This one's pretty long. Kristin, do you want to read it? Are you able to access the chat?

Oh yeah. Oh, this is a really good question. This is a really big sticking point in my opinion. So yeah, this is kind of interesting. Okay, so I mentioned how you can generate a supersingular elliptic curve. I think that Jana was planning in the, in the TA sessions to talk about another easier way to generate a supersingular elliptic curve, and that is, if the prime is such that, like for example p congruent to three mod four, where we know a supersingular elliptic curve, it's sitting right there in front of us, there's that one, that's a supersingular elliptic curve. But if you want to hash, you have some bit string and you want to hash into the set of supersingular elliptic curves, so you want to come up with some other supersingular elliptic curve based on your bit string, can do basically like we do in the hash function, which is just to walk from the starting point and now you end up somewhere. So that's, you know, that's one way to do it, and that's an excellent way to do it, but there's a problem
and that is that it leads to the possibility of a trap door. So that's what we actually wrote about this in our 2018 Eurocrypt paper with Petit and Eisenträger, Hallgren, and Morrison, that if somebody knows that secret path and they now give you a supersingular elliptic curve as if it were some random thing, but they know that path, then they have information which connects them back to that curve that, even, you know, without KLPT, because you don't have to, you're not in the quaternion side, they know a path that goes back to the supersingular elliptic curve where you know the endomorphism ring, and then they can kind of drag it; we have an algorithm for kind of dragging it along, so you can break things. So if you generate supersing-, if you rely on that approach to generate supersingular elliptic curves, then you will be subject to the possibility of this kind of backdoor, backdoor attack.

So instead, the kind of theoretical thing that I mentioned, which is, is that you take a random, could be large, imaginary quadratic field where p is inert, but it can't be that large because you need to be able to compute the Hilbert class polynomial, and the Hilbert class polynomials are exponentially large, although if you use our kind of explicit CRT approach you can generate those Hilbert class polynomials directly over Fp without computing them first with coefficients in Z. But if you do that, then it's true, so, you know, so you've taken a root of this Hilbert class polynomial to be the j-invariant, and so now you know that that particular supersingular elliptic curve, you know, has CM by that imaginary quadratic field, and that could be, there is ongoing work looking at the extent to which that can be, that could be problematic. It's, some people call it an orientation that you know on the, on the curve, so it's possible that that could be a problem.

All right, thanks Kristin. And yes, it is related. Okay, great. All right, so I think that's all the time we have for today. Let's
thank Kristin for her wonderful lecture series this week.

Thanks Jen, thanks everyone, and a big thanks to Jana, who's done a fantastic job on the exercises and the leading the TA session too.