Our third lecture series is by Kristin Lauter from Facebook Research, and she will be telling us about a field that she's done a great deal of important work in: supersingular isogeny graphs in cryptography. Thank you, Kristin. Great. Well, thank you so much. Thank you all for joining. I'd like to start by introducing Jana Sotáková, who's the TA for the course, who's prepared excellent exercises and a lot of supplementary content, which will hopefully be very useful and a lot of fun for you to engage with. So let me start right away, because I definitely have more than 50 minutes of content, so I might need to be cut off at some point if I'm going too long, but I will try to compress it. So in order to talk about supersingular isogeny graphs in cryptography, there's a lot of words there to specify and get into more detail. And I'm going to start at the end. I'm going to start a little bit about cryptography and then explain about the graphs and in particular supersingular isogeny graphs. So just so that everyone is on the same page, I'm sure some of you already know quite a bit about cryptography, but this is the motivation for the topic. So I thought it would be silly to start without giving the motivation. So in general, cryptography is the science of keeping secrets, but it's more than that. Besides confidentiality, it's also used to assure authenticity. And the main tools besides encryption and decryption, which is probably the main thing that you know about, are digital signatures and key exchange, and digital signatures and key exchange are right now the topic of an ongoing NIST competition.
So NIST is the National Institute of Standards and Technology, a government agency in the US, but they run international competitions to select cryptographic primitives, and often the standards that they establish are used around the world. NIST is currently running a five year post-quantum cryptography competition, and they are focused on choosing new key exchange primitives and new digital signature primitives. And so I wanted to make sure that you all know the context here, and that is that these main building blocks: key exchange is really just a protocol for two parties to agree upon a common secret using only publicly exchanged information. Signatures allow parties to authenticate themselves, and obviously encryption allows you to preserve the confidentiality of data. So the common public key cryptosystems in use around the world today in industry and in all kinds of systems on the internet are RSA, Diffie-Hellman, elliptic curve Diffie-Hellman, and digital signatures, which is DSA and elliptic curve DSA. So you may be familiar with this already, but if not, I mean, you're using these systems every day in your daily life, starting from secure browser sessions whenever you want to buy something online, which is governed by the HTTPS standards for secure socket layer, SSL, or the modernized version of that, which is TLS. There are standards which define how to do signed, encrypted email, which is S/MIME. Unfortunately, S/MIME is not very widely used. So most people are generally not using signed encrypted email, although maybe that's changing a little bit. Virtual private networking is governed by standards for IPsec, and authentication of messages and content is generally done via certificates, which in the US is governed by the ITU section of the UN, ITU X.509 certificates.
So I know that was a lot of random names if you're not familiar with cryptographic standards, but the point that you should get out of this slide is that the way that mathematics ends up getting into use in practice is through a complicated interaction of government agencies, academic researchers, researchers in government and researchers in industry working together. And in the case of these systems that I've mentioned, all of this has happened over the last three or four decades to make sure that these systems, RSA and EC, elliptic curve based systems, are used. But so far I haven't really said, sorry, I'm going to exchange the order of these two slides. The way that the mathematics is used here is that the security of these cryptosystems is based on hard problems in mathematics, such as factoring large integers. So the RSA system is based on the difficulty of factoring large integers. Diffie-Hellman systems are usually based, they have to be based on some kind of essentially a cyclic abelian group. So you can use the discrete logarithm problem in Z mod pZ star. I haven't said what the discrete logarithm problem is. I'll say that in just a minute. There is another cyclic abelian group that we can use for the discrete logarithm problem, and that is elliptic curve groups. And I'll tell you about that in just a second. And then there's another thing which we don't talk about as much. It's more recent and it's not as widely deployed. And that is pairing based systems, which are using the Weil pairing on elliptic curves or variants of the Weil pairing. So since one of the main objectives in this lecture is to talk about graphs that involve elliptic curves and a lot of the exercises that Jana has prepared involve elliptic curves, I wanted to at least present the basics here. So I'm sure that many of you do already know a lot about elliptic curves. But if you don't, I'm just presenting just one slide.
This is not a whole graduate course in elliptic curves. But so you can have kind of the basics. And this is honestly the way that cryptographers really think about elliptic curves. So when I was in graduate school, I learned about schemes and sheaves and studied EGA and SGA and all of these things. And I don't think I ever saw an equation for a curve ever. But in fact, in industry, and especially computer scientists using mathematical objects such as elliptic curves and mathematicians that work at the interface of computer science, you can simply think of an elliptic curve as being defined by an equation. So what you first do is you specify your underlying base field. And for cryptography, it's always going to be a finite field. In general, for elliptic curve cryptography, it's going to be a large prime field. So we're going to specify a large prime p. I've tried to put the mathematical notation in green here and to italicize it. And the large prime is going to define the base field Fp. So I'm sorry, my PowerPoint skills did not include being able to put a bar over an Fp. So Fp bar means the algebraic closure of Fp. And so an elliptic curve over Fp or Fp bar, when p is very large, in other words greater than three, like if p is not equal to two or three, then you can convert the general Weierstrass equation for an elliptic curve into a short Weierstrass equation. So it's just given by two coefficients, these constants, A and B, which come from the base field, and y squared equals x cubed plus Ax plus B defines the curve, and the points on the curve are just the (x, y) which satisfy this equation. Now, this is just an affine equation for the curve. And it does not tell you the whole picture. What you should really do is think of a homogenized version of this equation in projective space. So you would add a variable Z and homogenize this.
And then you could see that there's also a point at infinity. And there's a group law on this curve. And again, because I don't have a lot of time and the group law is not as important for the application I'm going to talk about, I'm not showing you the usual picture of the chord and tangent method, which is how you can see the group law on this algebraic curve. So the nice thing about elliptic curves is that they have both this geometric aspect, which is they're given by an equation, and they have the algebraic side, which is that they have a group law, and you couldn't do cryptography on these objects if you didn't have the group law. So like I said, the group law is just this chord and tangent method, which takes two points on the curve and passes a line through them and looks for the third point of intersection. And basically, in more fancy language, you could say that in the divisor class group, the divisor of this line is these three points of intersection. And so that is zero in the divisor class group. So that means that the sum of the two points must be minus the third point. So now we have these elliptic curves, they're given by an equation. They have a group law. So there's two other things that I would like you to know about elliptic curves for the purpose of this lecture and the focus of this short course. And that is that elliptic curves are very convenient for cryptography because they have a very nice compact label, which is called the j-invariant. So the j-invariant is simply a rational function in the coefficients that define the curve. So you can see A and B. So it's 1728 times 4A cubed in the numerator and 4A cubed plus 27B squared in the denominator. And this is actually an isomorphism invariant of elliptic curves over Fp bar. So just a little note here. I noticed something in the exercises that Jana prepared.
And so I was just going to give you a little heads up or highlight a fact. And that is that two elliptic curves will have the same j-invariant if they're isomorphic over Fp bar. And it can be the case that you have two elliptic curves defined over Fp and they're not isomorphic over Fp, but they could be isomorphic over Fp bar. So that's because you're allowing isomorphisms that are defined over the larger field. So another thing I wanted to call out is supersingular elliptic curves. A lot of times I'll be using the word supersingular. And the funny thing is that in the applications in the cryptographic world these days with supersingular isogeny graphs, a lot of people are able to implement and work on these graphs without even ever knowing what the word supersingular means, because actually once the graphs are there and the elliptic curves are there, you kind of don't need to really think about it. But all of the mathematics behind these graphs depends on the fact that we're going to be thinking about supersingular elliptic curves. So if you read Silverman's beautiful text on elliptic curves, you'll see multiple definitions of supersingular, and he shows the equivalence between different definitions. I'm just going to give you one, which is the easiest to state, and that is that an elliptic curve modulo p, like over some finite field of characteristic p, is supersingular if there are no p-torsion points, not over the field of definition, nor over any extension field. So no p-torsion. And so another fact that we need is that the isomorphism class, the Fp bar isomorphism class, of any supersingular elliptic curve contains a representative which is defined over Fp or Fp squared. So that means that in shorthand, you may hear me say that supersingular elliptic curves are defined over Fp or Fp bar; that's not exactly right.
What it means is that every supersingular elliptic curve has a representative in its equivalence class which is defined over Fp or Fp squared. And then finally, the last fact which we're going to use, and this is what we'll get into more in the second and third lectures, is that the endomorphism ring of a supersingular elliptic curve is actually isomorphic to a maximal order in a definite quaternion algebra, and we'll talk about that more in subsequent lectures. So endomorphism ring just means the set of basically rational maps on the elliptic curve, and elliptic curves, because they have a group law, are very nice. They have multiplication by an integer. So Z, the integers, is automatically in the endomorphism ring of an elliptic curve because you can take any integer, let's take the integer three, you can multiply a point by three, that just means adding the point to itself three times, P plus P plus P. And there's also the notion of negation. You can see that even geometrically. So you've got the integers in the endomorphism ring. And over a finite field, you always have Frobenius. So if I call Frobenius pi, Frobenius is just the map that takes the coordinates (x, y) to (x to the p, y to the p). So you always have the Frobenius map for elliptic curves. But in addition, if it's supersingular, you have extra endomorphisms that turn this into a rank four Z-module. And like I said, we'll get into that a little bit more later. OK, so there's one other notion that I really wanted to talk about before introducing supersingular isogeny graphs and some of the hard problems here. So when I said systems that are deployed today around the world on the internet use hard mathematical problems, I gave you some examples. I just threw these words out there, hard mathematical problems. Yeah, so what does that mean?
Well, I realized after giving this kind of lecture for a while that a lot of very famous mathematicians actually really had no idea what I meant by that. And that's because in mathematics, a lot of times we think, what does it mean to be a hard mathematical problem? Well, we think that it means that there's a conjecture that no one has proved yet. That's what people generally mean by hard mathematical problem. That's not at all what we mean by hard mathematical problem in cryptography. So I realized that it would be very important to specify this. What we mean by hard mathematical problem is that you set up some system and you specify how many bits it takes you to represent elements in this system. So let's say your input is represented by m bits. I've got the m in green here, little m. So as an example, in the previous system, I just talked about elliptic curve cryptography. A and B were from a finite field Fp. And both p and A and B can be represented in roughly log p bits. So m would be log p in that case. Down at the bottom of this slide, you see the RSA system, where you have a large integer little n, which is actually the product of two primes, p and q. All the elements in your system are integers modulo n, and they all take you m bits to represent, where m is log n. So then what we mean by hard mathematical problem is that the best known attack on the system runs in exponential time. So to compare, I've written, sorry, the sentence doesn't make a lot of sense the way it is. The best known attacks should run in exponential time, but I've also written here, what does it mean to run in exponential time? What does it mean to run in sub-exponential time or polynomial time? So exponential time basically means it's O of some exponential function in m, like 2 to the m.
The O notation, if you're not familiar with it, just means that whatever the actual running time is, it's proportional to the time that I've got written in the parentheses here. Polynomial should be pretty clear. That means that the running time of the best known attack is polynomial in m. And so the middle case here, the sub-exponential formula, is a little bit more complicated to write down, but basically the exponent is just like a fractional power of m, where the fraction is between 0 and 1. So exponential time is like 2 to the m. And what we're trying to get is this asymmetry between the number of bits that it takes you to write stuff down and communicate, and the amount of time it takes an attacker to attack you. So that's what we're trying to capture with this notation, exponential time. And that's because basically, people want privacy and security, but they don't want to pay for it. They don't want to pay for it in time that they wait for a system to give them the outcome that they're looking for. And they don't want to pay for it in overhead, in bandwidth, in compute cost, all of these things. And the time and compute cost and bandwidth are all proportional to the size of the inputs. So you want your input size to be small and you want the running time for your attacker to be large. So that's why we quantify it. So that's what we mean by hard mathematical problem. We don't mean that you have to prove the Riemann hypothesis. OK, so at the risk of going over time, let's see, I've been talking for about 20 minutes, I'm going to very briefly talk about the context of quantum computers and quantum algorithms. So the issue for all of these systems that I've mentioned, these public key cryptosystems that are in use around the world today, is that they will all be broken once we have a full-scale quantum computer that can be realized and do computation at scale.
So the reason for that is that in the mid-90s, Shor introduced an algorithm for factoring that runs on a quantum computer. So we call them quantum algorithms. And this quantum algorithm is polynomial time for factoring. So it's a quantum polynomial time algorithm. And for an m bit input, so if m is log n and n is the modulus for RSA, it runs in roughly 4m cubed time and it requires 2m qubits. So the point is that in today's classical world, the minimum size for, I'll just pause for one second. Does anybody know the minimum size for RSA moduli that are used today in practice? You don't have to say anything because I don't know if anybody wants to unmute. But I just wanted to give you a moment to think about it. If you've never heard it, then you probably don't know. But it's a trick question because it is on the second part of my slide here on the bottom where it says RSA m equals 2048. So roughly 2,000 bits. That's the minimum size that's in use today. So that means that we're going to need a more than 4,000 qubit quantum computer, one that can handle more than 4,000 qubits, in order to break this. But once we have that, it'll be kind of a trivial running time. 4 times m cubed is very small. And the same thing for elliptic curve cryptography. So elliptic curve cryptography will require roughly 6m qubits and roughly 360 times m cubed time. But if you look down on the very bottom of the slide, elliptic curve cryptography uses smaller bit sizes like m equals 256, or now 384 with the newer guidance. Because for RSA, we do know some classical sub-exponential attacks, whereas for elliptic curve crypto, in the classical world we only have exponential attacks. And that's why we have a smaller bit size for elliptic curve cryptography.
So moving on, the result of this quantum threat is that we need to figure out new systems, new hard mathematical problems, to use as a basis of cryptosystems for the future when we have quantum computers at scale. So the timing, and this kind of spans my career. I was at Microsoft Research for 22 years. And I worked for my first five years on getting elliptic curve cryptography deployed in Microsoft products. And they started being deployed roughly in 2006, around the time when the US government started requiring it for all US government contractors. The Suite B requirements came out and required the use of elliptic curve cryptography and set the bit lengths to be used. Roughly 10 years later, the CNSA document came out and increased the required minimum bit length for ECC from 256 to 384 with no explanation. But we could assume that it had something to do with the progress on building quantum computers. But they also discontinued the mandatory adoption of ECC. And in 2017, this launched the international competition to select new candidates. So very quickly, I'd love to tell you about all these different new directions in the NIST PQC competition. But I don't have time given that we want to focus on supersingular isogeny graphs. So I'll just mention the different streams, the different areas of mathematics that have been proposed and are being considered actively in this competition. So code-based cryptography was first introduced by McEliece in 1978, based on the hardness of decoding random linear codes. Multivariate cryptosystems were first introduced by Matsumoto and Imai in 1988, based on the hardness of solving systems of multivariate equations, nonlinear systems. Obviously, otherwise, it would just be linear algebra. Lattice-based cryptography was first introduced by Hoffstein, Pipher and Silverman in 96, when they launched the NTRU company, based on the hardness of finding short vectors in large dimensional lattices.
And then supersingular isogeny graphs, which is what I'm going to spend the rest of the time talking about here today, were introduced by myself with Charles and Goren in 2005, actually at the NIST hash function competition in 2005. So for all of you thinking about areas to go into for your thesis, there's a lot of material here and there's a lot of urgency too. All of these problems need to be addressed because we have to see first if there are classical algorithms to attack these things and then whether there are quantum algorithms. So it's kind of double the work. So I highly encourage all of you to look at any or more of these problems that you might be interested in. OK, so now I'd like to shift over for the last basically 25 minutes to supersingular isogeny graphs. So the new hard problem that we introduced into cryptography for the NIST hash function competition in 2005 is basically finding paths in these graphs. So think about a graph. A graph just means a set of vertices and edges. So the vertices are connected by edges. And in this whole talk and everything I'll be talking about, to me, these edges are undirected. That just makes it easier. It just means an edge is something that connects two vertices. But you'll see in the definition that they look to begin with to have a direction, but we can make our graphs undirected with some extra conditions. For our proposal of the hash function, we also assume that we're dealing with k-regular graphs. So k-regular just means that every vertex has k edges coming out of it. And we're also interested in graphs with optimal expansion properties. So that's related to the Ramanujan properties of these graphs. So I'll say a little bit about that in a minute.
But as you can see, if you want to use this problem of finding paths in the graph as a hard problem for cryptography, the underlying assumption is that finding those paths is hard, or in other words, there's no known efficient routing algorithm. So I'd love to just pause and give this little story. At one time, I heard a lovely talk by Ron Graham about graphs that have efficient routing algorithms. And I forgot the formulation of exactly what he was saying. But it's basically saying that graphs that have some kind of an isometry to the hypercube are graphs where you have a good routing algorithm. So I'd also like to give the example of a hypercube. I don't think I have it in my slides here. So I'll just say it. So what is the hypercube when you think of it as a graph? So let's fix some bit length. Let's just say n, you've got n bits, zeros and ones. And every vertex in the graph is a bit string of length n. So those are the vertices. And what are the edges? Well, two vertices are connected if they differ by just one bit. So if you can just take the bit string and flip one bit, then the next bit string that you get, that's connected by an edge. If you have to flip two bits, then it's not connected to that one. So that's the hypercube. And so now I'm going to give you two bit strings, two random bit strings, zeros and ones. And how do you find a path from one to the other? Well, it's very easy. You just go through bit by bit. If it matches, you don't do anything. If it doesn't match, then you flip that bit. And that's one step in your graph because that's an edge, just flipping one bit. And so now you quickly have a path between these two things. You've just flipped the bits that needed to be flipped so that they would match. Well, then the one thing that you could probably see is that you could have flipped those bits where they differed in any order.
So there's actually a lot of different paths in that graph and you can find them easily. So this is a terrible idea for a cryptographic system, right? So you would not want to take the hypercube. So what instead we're doing is we're trying to come up with some nice mathematical construction of a graph where it's easy to write down what the graph is, or like what the elements are. You don't want to have to write down the whole graph because it's of exponential size, it's really large. But you want to be able to specify vertices and edges in your graph really easily but still have it really hard to find paths between two random vertices. Okay, so hopefully that gives you the idea of what type of graph we want to use for crypto applications. So now I'm going to tell you about the hash function that we proposed, the CGL hash function. So first of all, let me tell you what a hash function is. All of those protocols that I mentioned in the beginning that are cryptographic protocols for key exchange, for secure browser sessions, for signed encrypted email, for certificates, everything, all cryptographic protocols use hash functions. So it's an incredibly important building block in cryptography, and they're usually modeled as a random oracle, which kind of means they're magic, like they magically give you some random value and there's no correlation. And so here a hash function maps bit strings of some finite length to bit strings of some other finite length. Very typical will be where little n here is much, much bigger than little m. Sorry, I've used little n and little m in other places in the slides for other meanings; here they're just two random sizes. And if n is way bigger than little m, then it'll be efficient or good from the point of view of compressing.
So if you've got a large video file and you want some hash of it to be like a little, oh, I forgot what they call it, a tag or something for the movie, m would be very small, typically like 256 bits, whereas n could be extremely large. So as you can see, if n is extremely large and m is small, then of course it's not gonna be injective, right? There are potentially a lot of collisions. And so what you want for a cryptographic hash function is that the function h is public, easy to compute, it's unkeyed, doesn't require a secret key to compute it, but also collision resistant, which doesn't mean that there are no collisions. Like I just said, if n is much larger than m, then definitely there's tons of collisions. It's just that it's really hard to find them. So another thing is that you don't really want the output to be biased in these m bits. So that's why it's nice to have a uniformly distributed output. It's not necessarily a cryptographic requirement, but if there is bias, then there will be ways to take advantage of it to compromise the system. So the definition of collision resistance is just that it's computationally infeasible to find two inputs which hash to the same output. So two inputs x and y, such that h of x equals h of y. And a hash function is pre-image resistant if, given any output of the hash function, it's hard to find an input which hashes to that output. So this cryptographic hash function that we defined based, in general, on expander graphs, but in a minute we'll see, in particular on supersingular isogeny graphs, is you take a k-regular graph, and you have to assume also that every vertex in the graph has a label. You're gonna need labels for your system. And what you do is you take the input to the hash function, it's a long bit string, like I said, of length n, and you divide it into blocks.
Each block is used to determine the next step in a walk around the graph. So you'll have some starting point specified, some initial vertex that's specified, and then you read off your bit string, which is the input to the hash function, block by block. Each block is used to determine which edge to follow at your next step. And very importantly, no backtracking is allowed. So you're not allowed to take a step, and then on your next step go back to the vertex where you were. That's called backtracking, and that's never allowed. So those are the rules for walking around the graph starting at your first initial point. And then when you finish your walk, like when you finish going through the whole bit string, which was the input, then the output of the hash function is the label for the last vertex that you landed on. So that's the definition of the hash function in general. That's the cryptographic hash function from expander graphs. So there's a couple of things to specify here, or to think about, and that is, what does it mean to be collision resistant in this? So I just drew a little piece of one of these graphs here. And like I said, you don't ever want to have to actually write down the whole graph, because they're exponentially large, they're too large. But as you're walking along, I have shown you some arrows here, and I don't mean that this is a directed graph. I'm sorry if that's confusing. I just mean that this is the direction that I'm walking in. So I'm gonna start up here, and let's say it's a three-regular graph and that it's undirected. And as we walk along this, as we take this input, you see this input up at the top, one, one, zero, that's the input to the hash function. You read the hash function off bit by bit for a three-regular graph. Why? Because no backtracking is allowed; other than the very first step, which is a little bit of an issue, no backtracking is allowed. So that means you can never go back to where you came from.
So at every point, you only have two choices for where to go. And two choices is specified by one bit. So as you go through the input to the hash function, you just go through it bit by bit. So the blocks are size one here. So for example, for the first bit, it's a one. So we're gonna go along the edge labeled one. The second bit is a one. So we're gonna go along the next edge labeled one, and then the third bit is a zero. And then the output would be the label of this final vertex. So that's how the hash function works. And so then what does it mean to have a collision? A collision would mean that there were two paths that ended up at the same endpoint. And so if you had, and this is undirected, what that would mean is that if they weren't the same path, then there would be some cycle. You would have found a cycle in this graph. So the other thing, I think I've kind of covered this slide already, and I only have, yeah, 10 minutes left. So I guess I just wanna comment. This idea of taking a random walk around an expander graph is a very standard idea in computer science. This is not an idea that we introduced. It's an idea that's used throughout computer science for randomized algorithms. And the only thing that's really different here, and also which leads us to consider supersingular isogeny graphs, is that we want to have the extra property that it's hard to invert these walks. So random walks themselves on expander graphs are a well-known way to generate a roughly uniformly distributed output.
So because of time, I had to skip all of my slides about expander graphs, but expander graphs are basically, just think of them as being like k-regular undirected graphs where there's an expansion constant C, which means that whenever you take any subset of the graph, which is up to half of the vertices of the graph, and you look at all of its neighbors that are not already in the subset, the number of new neighbors that you get will be proportional to C times the size of the subset. So you get some constant factor of expansion from every set. So expander graphs, there's a lot of beautiful theorems about their behavior and how they're related to the adjacency matrix for the expander graph, which I might mention later in the number theoretic context. But here, the main thing that's different from the general philosophy in computer science of using random walks on expander graphs is that we want expander graphs where routing is hard, finding collisions and finding paths is hard. So Ramanujan graphs are graphs that we have beautiful constructions from number theory for, and that are optimal expander graphs in some asymptotic sense. So I'm not sure if we'll have time to come back to the actual definition there, but I'm gonna just skip over, I already told you about collisions, but this brings us to a construction of Ramanujan graphs from number theory, which is very beautiful and which is the foundation for our cryptosystem. So these graphs are often attributed to either Pizer or Mestre, depending on what kind of number theory you like. Pizer introduced them in the context of quaternion algebras, Mestre in the context of modular forms. There are beautiful connections to both of those areas. So hopefully it won't be a fight over whose name you should associate. So the vertices of the graphs that we proposed, so now I'm finally getting to explain my title, supersingular isogeny graphs.
The vertices are going to be isomorphism classes of supersingular elliptic curves, mod P, meaning like over F_p bar. And as I said, there's a theorem which assures that each isomorphism class will have a representative defined over F_p or F_p squared. And so that means that when you take the j-invariant, all the j-invariants will either be in F_p or in F_p squared. So they take what basically log P or two log P bits to represent. And that's important because you have to actually implement these systems. And so you want to have like a finite, you'd want to know how many computer words you need in order to represent your labels for your vertices. Okay, so secondly, the edges, the isogenies are gonna be the edges. So the vertices are isomorphism classes of supersingular elliptic curves and the edges are gonna be isogenies. So what is an isogeny? So isogenies are basically birational maps between these elliptic curves, but I'm gonna cheat a little bit and I'm going to kind of flip over to the algebraic side here. So an elliptic curve in addition to being a geometric object, it's also just, it's a group. It's the group of points on the elliptic curve, an abelian group. So if you wanna take an abelian group and map to another abelian group, one way to do that is to just take a subgroup and quotient by that subgroup. So isogenies are basically, you should just think of them as taking the group of points and quotienting by some subgroup. Now, if P is super large, P is the prime field here and the degree, so the degree of your isogeny is basically gonna be the size of that subgroup that you've quotiented by. And if the degree is co-prime to P, if L is gonna be the degree and let's say L is gonna be very small for efficiency reasons like L is equal to two or three. And again, P is very large.
If L is co-prime to P, which is always gonna be the situation for us in the crypto applications, then we actually can think of, all the isogenies are separable and we can think of them as being entirely determined by their kernel. So all of these are theorems that are proved like in Silverman's book, if you wanna go and read the theorems and the proofs. But what it means in practice is that even though these birational maps between these algebraic objects, algebraic geometric objects might seem very complicated. In fact, in practice in the applications, all you're gonna be doing is quotienting by a subgroup and it's a small subgroup. And so I'm going to show you the formulas for the subgroup. And again, I'm rushing a little bit because I'm running out of time but I'll make these slides available as well is that the, for example, if you take just a two-torsion point on the elliptic curve, which in a large characteristic is just given by a point Q with X coordinate equal to R and the Y coordinate will be zero because that's what makes it a two-torsion point. And if you take that as the group generated by it is just itself and the identity. And if you take the elliptic curve given by this equation Y squared equals X cubed plus AX plus B and you quotient by this point Q by this subgroup generated by Q, you will get the elliptic curve E2 that I've written the formula there for. So you can see how simple it is. You can see how the coefficients of the new curve depend on the coefficients of the previous curve in terms of A and B and then involving R as well, the X coordinate of the two-torsion point. And then you can see what the actual maps are. And these are called Vélu's formulas. I'm not sure if I have the general, no, I don't have the general formula for Vélu because it looks a little complicated if it's not a two-torsion point but this is Vélu's formulas just for two-torsion points.
So in the exercises, I think Yana will have you working on some supersingular isogeny graphs for small primes and taking walks around the graph using two-torsion points. So you'll basically just be using these formulas to kind of compute the new elliptic curve, compute the j-invariant of the new elliptic curve, et cetera. And you can see how easy it is to do, like even like on pencil and paper, you'd be able to do this yourself. But in particular, there are, you know, the computer algebra systems, Magma and Sage have a lot of these functions implemented in them already. And so you can use those functions, those native functions. So hopefully you'll get some experience doing that. So I just wanna end with kind of talking about the properties of these beautiful supersingular isogeny graphs. So just to go back to this slide here, there's a couple of things that we assumed in our original paper in 2005. And that is that if you assume that P is congruent to one mod 12, then what happens is that there's no extra automorphisms for any of the elliptic curves. And think of an automorphism in the graph as being kind of a self-loop. It's like an extra little self-loop, which is, you know, kind of annoying when you're talking about regularity and stuff. So if you don't have any of these extra little self-loops, if P is one mod 12, then what you can do is you can collapse edges. So you've got, an isogeny is quotienting by a subgroup. So it's going out. So it starts at one elliptic curve and it really seems like it's directional, it goes out. But isogenies also have a dual isogeny. And what we can do is we can associate the dual isogeny with the original isogeny and collapse them into one edge. And that's what makes it an undirected graph. So that's kind of always how I think of it. So that's what we mean also when we say L. So L plus one regular.
So after you've kind of collapsed these edges, an isogeny with its dual, every one of these elliptic curves, when L is coprime to P, you've got the L-torsion is isomorphic to the abelian group Z mod L cross Z mod L. And if L is prime, there are L plus one distinct subgroups of order L of Z mod L cross Z mod L. So that makes this an L plus one regular graph. So for example, if L is equal to two, going back to the example I gave earlier of the hash function, if L is two, this is a three-regular graph and you can read off the input bits bit by bit for walking around the graph. So that's what you should always have in mind. Very large P, very small L, in other words, L equals two. The Ramanujan property, we're probably gonna have to talk about some other time. So I'd like to just leave you with this picture. So this is an article that was published in Science Magazine in 2008, so 13 years ago now. And it was written by Dana Mackenzie. He heard me talk about these hash functions at one of the AMS Joint Mathematics Meetings. And he wrote this article about the ongoing hash function competition and about our proposal to make hash functions from these supersingular isogeny graphs. And so we created, with my co-authors, Denis Charles and Eyal Goren, we created this picture, which is now shown a lot by cryptographers in the area. And so if you didn't pay attention to anything else I was saying about supersingular isogeny graphs and you just wanted to keep a picture in your mind, you could keep this picture. So why this picture? So look at, there's a lot of, all the circles here are supposed to be vertices. And I think I took the prime to be like something like 2521. You can check, make sure that that is actually prime, if I'm remembering it right. And what I didn't get into yet is the fact that the size of the graph for a given prime is given by the Eichler class number and it's roughly P over 12.
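As an added example, not the lecturer's code and not part of the exercises, here is the two-torsion Vélu step and the bit-by-bit, non-backtracking walk on the 3-regular graph written out in Python. It assumes a toy prime p = 83 (so p is 3 mod 4, y^2 = x^3 + x is supersingular, and F_{p^2} is modelled as F_p[i] with i^2 = -1) and finds the 2-torsion points by brute force, which only makes sense at this size.

```python
# Added example (not the lecturer's code): a 2-isogeny walk on a supersingular
# isogeny graph using Velu's formulas for 2-torsion points, reading the input
# bit by bit as in the hash function from the lecture.  Assumptions: p = 83
# (p = 3 mod 4, so F_{p^2} = F_p[i]/(i^2 + 1) and y^2 = x^3 + x is supersingular);
# curves are y^2 = x^3 + a x + b with a, b in F_{p^2}, represented as pairs (c0, c1).
P = 83

def add(u, v): return ((u[0] + v[0]) % P, (u[1] + v[1]) % P)
def sub(u, v): return ((u[0] - v[0]) % P, (u[1] - v[1]) % P)
def mul(u, v): return ((u[0]*v[0] - u[1]*v[1]) % P, (u[0]*v[1] + u[1]*v[0]) % P)
def scal(k, u): return ((k * u[0]) % P, (k * u[1]) % P)
def inv(u):  # (c0 - c1 i) / (c0^2 + c1^2); the norm c0^2 + c1^2 lies in F_p
    n = pow((u[0]*u[0] + u[1]*u[1]) % P, -1, P)
    return ((u[0] * n) % P, (-u[1] * n) % P)

def j_invariant(a, b):  # j = 1728 * 4a^3 / (4a^3 + 27b^2), the vertex label
    a3 = scal(4, mul(a, mul(a, a)))
    return scal(1728, mul(a3, inv(add(a3, scal(27, mul(b, b))))))

def two_torsion_roots(a, b):
    # x-coordinates of the 2-torsion points: roots of x^3 + a x + b in F_{p^2},
    # found by brute force (fine for this toy prime).  Every curve in the walk has
    # three of them, because E[2] is F_{p^2}-rational for the starting curve and
    # that is preserved along F_{p^2}-isogenies.
    return sorted(x for x in ((c0, c1) for c0 in range(P) for c1 in range(P))
                  if add(add(mul(x, mul(x, x)), mul(a, x)), b) == (0, 0))

def two_isogeny_step(a, b, r):
    # Velu for the kernel generated by Q = (r, 0): codomain y^2 = x^3 + (a-5t)x + (b-7w)
    # with t = 3r^2 + a, w = r*t; the map sends x to x + t/(x - r).
    t = add(scal(3, mul(r, r)), a)
    a2, b2 = sub(a, scal(5, t)), sub(b, scal(7, mul(r, t)))
    # Image of another 2-torsion point = kernel of the dual isogeny on the new curve;
    # its x-coordinate is the edge we must not take again (the collapsed back-edge).
    other = next(x for x in two_torsion_roots(a, b) if x != r)
    dual_root = add(other, mul(t, inv(sub(other, r))))
    return a2, b2, dual_root

def walk(a, b, bits):
    # Non-backtracking walk on the 3-regular graph: each bit picks one of the two
    # edges that are not the dual of the edge we arrived on; output is the final j.
    back = None
    for bit in bits:
        choices = [r for r in two_torsion_roots(a, b) if r != back]
        a, b, back = two_isogeny_step(a, b, choices[bit])
    return j_invariant(a, b)

if __name__ == "__main__":
    print(walk((1, 0), (0, 0), [1, 0, 1, 1]))  # start at y^2 = x^3 + x (j = 1728)
```

Starting at j = 1728 with p = 83 (which is 11 mod 12, not 1 mod 12) also shows the extra-automorphism effect raised in the questions at the end: the edge with kernel (0, 0) on y^2 = x^3 + x lands on y^2 = x^3 - 4x, which has j = 1728 again, so that vertex carries a loop.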
There's the exact formula in Silverman's book, greatest integer part of P over 12 plus either zero or one or two. And so if you divide 2521 by 12, you get that's a little bit more than 200 vertices. So what you're looking at here is about 200 vertices and all of these lines are the edges and the overwhelming experience that you're supposed to have here as looking at this is that it should look very jumbled. So in other words, it doesn't look like it has any orientation or any pattern or any structure to it. So if you take two random vertices, so I think in this one, we took the vertex one and the vertex like 24. In order to find a path between them, you've got this blue path that kind of goes all over the place, starting from the vertex one, you really, there's no orientation. You wouldn't know what direction to go in to find this other vertex 24. And then the red thing is a cycle. So suppose you wanna find a cycle in the graph, you don't have any real way of going, knowing which direction to go in to find a cycle. And so that is consistent with the property of optimal expander graphs or Ramanujan graphs. The theorems that we have there say that for expander graphs, as you walk around, if you take some minimum number of steps that is roughly log P, that you should quickly approximate the uniform distribution on the graph. So you don't really have any notion of kind of a better way to go to get to some other random vertex. So I think that my time is up and I will end with that and we'll keep going on the rest of the slides on the next lecture. I'd be happy to make the slides available to, I'll find out from the conference organizers, how to share them with all of you so you can see them. So thanks everybody. Okay, let's thank Kristin for that nice talk. Are there any questions? I have a question. Near the end, you said something about choosing P to be one mod 12 in order to make the graph undirected.
Could you say something about why it matters that it's one mod 12? Yeah, so if you have, if it's, if P is one mod 12, then you won't have any extra automorphisms on any of the supersingular elliptic curves mod P and an extra automorphism is like a little loop that's like an extra kind of edge in the graph in a sense that you don't really want to be there. So it turns out that like if you look at Pizer's original paper, Ramanujan graphs from basically like Eichler orders in quaternion algebras, he assumes that P is one mod 12. And for this reason, like we also thought it was important and a nice, easy way to make the graph undirected, all of that. But in, I didn't get to the key exchange part of this talk, but these days for the SIKE supersingular isogeny key exchange, they're often using primes that are not one mod 12. And so I worried a little bit. I was like, well, wait a minute, wouldn't there be extra edges around? And well, you know, could that mess up the system? And Yana actually did some experiments. I mean, she can tell you more about it, but there's very little reason to worry actually, even if you don't have P is one mod 12. There might still be some kind of weird attack that we could come up with, but it only affects a very small number of the vertices. So if you look at really special supersingular elliptic curves like where J equals zero or J equals 1728. So one of them is a curve that you'll be looking at in one of the exercises just like Y squared equals X cubed plus X. You have kind of extra automorphisms there. And, but if you ignore these very few, very small number of vertices where there's an extra automorphism, it seems like it doesn't really matter that they're using, that they're not imposing the condition P is congruent to one mod 12 for the key exchange. Okay, there are a couple of other questions in the chat, but it looks like they've been answered by Yana. Any other questions for Kristin?
So could I ask again one other question about those automorphisms when P is not equal to one mod 12? Because if I understand correctly, an automorphism will be an isogeny of degree one. So how are they going to appear on the L-isogeny graph? Oh, I'm sorry, you're right. It doesn't appear, but what it does is if you compose it with one of the edges, it'll look like it's different than what it is without being composed with it. So it'll make the graph look like it has double edges. You see what I mean? Yes, it's okay, it would be like a very short cycle. Exactly. Thank you. In general, thanks for asking again. So in general, in our original paper, we actually imposed, not just P is congruent to one mod 12, we proposed that we put many more congruence conditions on P, which will make it impossible to have really short cycles. And that's because if you have a cycle of length two or length three, it corresponds to certain elements with a certain trace and norm. And it will basically ensure that you have a specific imaginary quadratic field embedded into that quaternion algebra. And if you put conditions on P that basically disallow such embeddings, then it means that you cannot have those short cycles for that L and that P. And so this is an example, like we put P congruent to one mod 12 and that means no two-cycles and then et cetera, et cetera. Unfortunately, the congruence conditions, if you wanna disallow three-cycles, four-cycles, five-cycles, all that, it makes the congruence condition pushes the size of the prime up and up and up very quickly. Okay, if there are no other questions, let's thank Kristin again for her lecture. Thanks everyone, see you Wednesday.