 Okay, welcome back everybody so for for Christian mother's second lecture. So yeah, please go ahead. Okay, thanks everyone. So, at the end of the last talk I saw that there was a question in the chat that was sent to me afterwards about kind of what was was the outline what was the next steps in the lecture series and so I thought it would be good. So just kind of do a little outline here so everybody knows what what we're doing where we're going and just a little reminder of what we talked about in the first in the first lecture. In the first lecture I kind of introduced the basic ideas of cryptography as a field what what are the kind of goals and major primitives talked about the current threat of quantum computers to existing public key crypto crypto systems based on very own math problems and the notion of what what do we mean by a hard math problem in cryptography and the, you know, kind of post quantum crypto systems that are currently being considered. I also explained the importance of hash functions and gave a construction of a cryptographic hash function from expand our graphs and and then gave a particular example of an expander graph which we originally proposed which was called a super singular isogenic graph. So just as a little reminder, I think that I had a slide here which said what the super singular isogenic graphs are so as the sig super singular isogenic graphs. The vertices are isomorphism classes of super singular elliptic curves mod P that each have a representative to find either over FP or FP squared. They're labeled by J invariance. The edges are isogenes between these elliptic curves the isogenes are these birational maps from the geometric point of view but from the algebraic point of view you can think of them as quotienting the group. The group of points of the elliptic curve by some subgroup, and the formulas for computing isogenes for elliptic curves were given in the 1970s by Valu. So that's just kind of a quick recap, and this was the picture that I showed of the super singular isogenic graphs from science magazine from 2008. So now let me tell you what we're going to do in the second and third lectures. So I realized there's quite a few properties which I kind of glossed over very quickly in the end of my last lecture because I was kind of running out of time. So I will feedback from Bjorn that it would be good to write some of the mathematical notation and symbols and things down a little bit more clearly for at least for the things that I feel like are really important to know. And so I'm going to start by explaining a little bit more about expander graphs and the remanogen property there was question about the remanogen property in the chat as well. And then I'd like to talk about another application of super singular isogenic graphs, which is very important, which is key exchange psych super singular isogenic key exchange, which is one of the candidates in the key exchange competition that NIST is currently running. And so if I have time I'll also get to kind of the generic attacks on these systems, because the third lecture, I like to spend tomorrow mostly talking about quaternion algebras and an algorithm for solving this kind of problem this path finding problem on the quaternion side, and a constructive application of that algorithm to constructing digital signatures. Okay, so let me talk start by talking about expander graphs so I mentioned this in my last talk. The notation that we use for graph is this v comma e the set of vertices and edges and we say that it's K regular. If each again I'm only talking about undirected graphs here. This vertex has K edges coming out of it. And expander graph is a graph that has a positive expansion constant C. So also sometimes called the chieger constant, and I just said this in words last time but I've written it down for you here is if you take any subset of the vertices, up to half the graph. And then you look at the boundary of those vertices which are all the neighbors of those of that set, but which are not in the original set. If the size of the neighboring set is at least see times the size of the original set. I would say that it's an expander graph so if C is bigger than one, then this is kind of expanding as you can see. And this expansion constant is important because now so now I'd like to talk about the adjacency matrix for a graph. So adjacency matrix is just the I jth entry is the number of edges from the I for text to the J for text. And so in the L isogenic craft will call this matrix a of L, assuming P is is fixed I didn't put the P down here. So if, as you can see, if the graph is undirected, then this matrix is symmetric because you have the same number of edges going from I to J as you go as you have going from J to I. So for a symmetric adjacency matrix, all its eigenvalues are real. And for a connected K regular graph, it's a fact that the largest eigenvalue is K, and all of the others are strictly smaller. So I'm going to use this notation mu one, mu two, etc, for the eigenvalues in kind of decreasing size. So if K is the largest one, the second largest one we're calling mu one. Sorry about that maybe you think we should call it mu two but we're calling it mu one and this distance between K and mu one so K minus mu one is often called the spectral gap. So this series of eigenvalues is called the kind of the spectra and the distance between the difference between the first two is the spectral gap. The spectral gap is important in when considering expander graphs because the expansion constant can be expressed in terms of the eigenvalues and the spectral gap. So this is I wrote down this one bound here. But I also was looking, there's, I used to have more detailed slides on this topic. There's, for example, like the Elan-Millman theorem that gives you other kind of variants of these bounds. But the basic idea is that the bigger the spectral gap, the bigger the expansion constant. So that means the more the graph is expanding and that means that the smaller the eigenvalue mu one is the better the expansion is. So now let's tie this to the Ramanujan property what does this have to do what is what is a Ramanujan graph and what does this have to do with the expansion constant. There's this general theorem approved by Elan Bopana, which looks at families of graphs asymptotically so if you have an infinite family of connected k regular graphs, with the number of vertices, tending to infinity, then they prove that the limb ends of this mu one is going to be greater than or equal to the square root two times the square root of k minus one. So that motivates so it's saying that the tendency is going to be that the limb limb ends is going to be greater than or equal to this to square root k minus one so you can think of it like you know could be tending towards k for example like the spectral gap is going to zero. But a Ramanujan graph is saying, like, oh, let's have a graph where mu one is actually bounded by this to square root of k minus one, so that it's kind of like bounded away from k, and it's making this spectral gap basically as big as it can be like in the limit. Now one thing that's always kind of bothering me about this definition and I've seen a little bit of variation in the literature in terms of how people talk about this, but is is that the first theorem on my slides here is an asymptotic result. And it's saying it's saying something about what happens in the limit of a family of graphs to the eigenvalues, whereas when we talk about a Ramanujan graph, or a construction of a particular Ramanujan graph. We're talking about its second eigenvalue and its spectral gap and so there's nothing that says that, you know, the spectral gap, you know, can't be can't be bigger just for a particular example. But we say that if the mu one is less than or equal to two times the square root of k minus one, then we say that this is a Ramanujan graph. And so what you'll see is in the literature and this process over to the computer science field. There are people that talk about that work on expander graphs and theorems and expander graphs, they actually have a very different terminology. And it's actually the notation is a big barrier and that's one of the reasons that I actually often try to give talks through I explain things without using any notation, because I find that people in different fields that talk about the same thing using a different notation make it really hard for each other to understand each other across fields, and that's within mathematics. So imagine how bad it is within between mathematics and computer science which is where I'm almost always working at the interface of math and computer science. So, the, a lot of the papers in the, the, the expansion properties of these kind of expander graphs are written in the terminology of computer science can make them a little bit hard to read. But then hopefully I've gotten across here is that if you have a Ramanujan graph where you have basically optimal optimally large spectral gap. That means that translates into having very good expansion properties and the expansion constant is related to the extent to which you approximate the uniform distribution with a short walk. So, I'm going to say something about the Ramanujan property and then I'm going to talk a little bit about these short walks approximating the uniform distribution. So, there was a question about the, the piezer graphs or the, the super singular isogenic graphs, you know why are they Ramanujan and Bjorn put a comment in the discord server for me about the general case so you see the the link on the bottom of my slide here for the higher dimensional analog which includes the dimension one elliptic curve case. But I was thinking, oh, what about just the dimension one case and they're a nicer easier way to explain the Ramanujan property. So, indeed, Bjorn might have also mentioned this paper by master la metode graph which I actually found in English translation by William Stein, I put the link here. And la metode graph paper is by master shows that the action of the hecka operator TL on a certain space of vector space of modular forms which is S2 of p the vector space of weight to cusp forms of level P that the action of the hecka operator is actually given by the brand matrix which is equal to this adjacency matrix that I defined on the previous slide. So what you have is now a relationship between what we're saying is is that the eigenvalues of the heck operator are just equal to the eigenvalues of this adjacency matrix for the way the way I defined the adjacency matrix for the super singular isogenic graph, which is a very beautiful and deep connection if you think about it on the one hand, I defined the super singular isogenic graph to be a collection of super singular elliptic curves with L you know L isogenes between them. On the other hand you have this space of modular forms with the heck operator, and we're saying that this is a very kind of beautiful and deep theorem that these are the actions of the heck operator is given by the brand matrix which is the adjacency matrix. So, the fact again that the eigenvalues of this matrix satisfy the Ramanujan condition again is another deep theorem so the proof that we gave in our paper for the higher dimensional case depends on the Jack a Langlands correspondence which relates our graphs to spaces of Hilbert modular forms, and the Ramanujan property follows from a theorem of leave today. So in the, in the dimension one case, the Ramanujan property follows from the theorems of Deline and the proof of the vacanjectures. So I'm not going to get into any more detail on that now. It's very important to be able to think about these graphs, these super singular isogenic graphs in terms of the walks around the graph. So, going back to the example I gave where L equals two. So yesterday we are Monday we talked about if L equals two, then you're just quotienting your, your, you have two isogenes for the edges, and you're going to have each elliptic curve by a two torsion point a subgroup of order two. And so that for large P, you know the two torsion on elliptic curve just as an abelian group it just looks like Z mod two cross Z mod two. So you actually have exactly three different two torsion subgroups, and they, you can take a walk. If you want to take a non backtracking walk after you've taken a step, you cannot go backwards along that edge that you came along. So you only have two choices for your next edge. So what that means if you have some starting point in the graph, and you take a walk of length and, and let's say you never like accidentally find a collision because these are optimal expander graphs and if you're taking a walk up to length, you know, log of the size of the graph you're very unlikely to find a collision. So as if n is basically less than log P, although I haven't told you yet about the size of the graph we'll talk about that later it's roughly P over 12. So if n is roughly up to log P, and you take a walk of length and non backtracking you expect to hit about two to the end vertices. So what that means is that for optimal expander graphs we expect the diameter to be roughly log of the size of the graph. So, this is kind of an important point because what it means is that this, this log log of P or log of the size of the graph is a kind of a cut off point in the theory of re monogen graphs, where if you take a walk that's that that's roughly the diameter. And so you, you need walks of that length in order to hit everything and that's just a counting argument that I just gave you. And then if you want to, if you want to say, like, two random points in the graph, are they connected by paths that are much shorter than this. And the answer is no, like the number of paths that you have between random pairs of vertices of a given length is going to like right around the log P cut off point, you'll start to get paths and then the number of paths will go up exponentially but below that you're very likely to have zero paths of a smaller especially like half the diameter. So that's going to be important later in this talk for something that I'd like to explain. So now, for the next kind of section of my talk, I'd like to go back to to the application so in the first talk I talked about the application to cryptographic hash functions that we defined, which was basically just that once you have one of these nice expander graphs in particular or monogen graph where you don't have a good way to find paths. You can use that as a basis for a hash function because you can kind of take a random walk and output the endpoint and then for somebody to find a collision they need to be able to find another path from the starting point to that one. Or to be able to find a preimage they need to be able to find the path that you had from from this from the starting point. So now I'd like to talk about another application important application which is key exchange. So if any of you know about Diffie helman key exchange it basically it's a way for two parties to exchange information publicly and agree on a common secret but with only publicly exchanged information. So the way Diffie helman works either on an elliptic curve or in an abelian group such as Z mod PZ star is that you'll have some generator for the abelian group, and each party will have a random multiple of that generator like they have their own secret party. They also have you know a times P and Bible have B times P, and you can exchange these and the secret will be a B times P, because they each have their own secret, and they each receive a point which they can multiply by their own secret but everyone else will only see a times P and B times P which when they put them together they get a plus B times P. So the idea of the Joe DeFeo plute key exchange is a generalization of this Diffie helman idea. And that is that instead of having a secret multiple of a point what you have is a kind of a secret subgroup in each case you have a secret isogenic Alice has a secret isogenic Bob has a secret isogenic. So these are fee a and fee B those are the secrets so you should think of those as being analogous to like a random integer that was used in the Diffie helman protocol. So now what's going to happen is how do we create a key exchange out of this. So first let me tell you the setup. So what you're going to need is a super singular elliptic curve E so in general it's defined over at, at most, we're going to take a model defined over at most GFP squared. So let's create P of a special form for this to work. So in general P is going to be something like L. So there's two small primes l sub a and l sub B, but for the purposes of this exposition you can just think of l sub a being equal to two and l sub B being equal to three in practice that's what you'd use. So the point is, is that you need isogenic graphs for two small primes, la is to be is three. And then once you've fixed what are those small primes, you need primes large primes P, which are like la to the M times lb to the n plus one. So there's a key point here, a couple of key points. The, again these integers are these natural numbers M and N are just, they don't have anything to do with any M's or ends you see in other earlier parts of my talks they're just random integers, but they need to be around the same size. And if they are around the same size, then each of them is roughly half log P, as you can see, because two and three are the two base primes they're very close to each other, you're just adding one to the thing. So, you know, log of M is roughly equal to N and log P is basically like two M or two N. So these need to be fairly large because you need a prime of cryptographic size. When I talk about the generic attacks, you'll see that, you know, if you have only exponential attacks on the system, they're like square root attacks, then that allows you to take your system, your prime to be relatively smaller than if you had better attacks like sub exponential attacks. And so, in particular, at least for the hash function, we took P to be a prime of roughly 256 bits. And that was because we only had square root, new of square root attacks on our system, which means the best algorithm rhythms would run in roughly time two to the power 128. In this case, we need to take P to be kind of at least twice as large, because we're dealing with two isogenic graphs that are now like half the bit length of half of log P. So P needs to be bigger for this application, but still like in the range of like 500 bits so that's not too bad. And so that's that's the setup. Now we're going to have a some public parameters that are made public for this key exchange, much like for Diffie-Helman Key Exchange you would have the elliptic curve would be public. And the generating point P would be public. And then the two parties would make their, they would exchange their, their multiples of the point so those would be made public. So our public parameters are going to be A is going to have a write down generators of the L to the LA to the M torsion B is going to write down generators of the LB to the end torsion. And so the reason for picking these special primes, the picking the prime the way we do is so that and that it's super singular so you kind of know the order of the group over Fp and Fp squared is that though these torsion points will now be defined over the base field which is very important because if you have to go to a really large extension field in order to get your, your base points to be defined. That means all your arithmetic in your whole system will have to be done over this very large extension field of the finite field. And you want to avoid that for efficiency reasons. So, for the actual key exchange, the secret parameters like I said, Alice is going to have a secret isogenic. And that really is just like I said for separable isogenes they're completely determined by their kernel. So if it's going to be an L to the M, I might not always say L sub a to the M, but it's LA to the M torsion point generates a some subgroup of the LA to the M torsion on the elliptic curve. So that's just determined by picking two integers m sub a and n sub a taking these multiples of these generators p sub a and q sub a. And so then Alice has her secret subgroup which is generated by this L sub a to the M torsion point. B is going to do the same thing, pick two random integers. Now he has a subgroup, which is, is secret. And, but remember, so going back to this picture. So these are two. These are walks on two different isogenic graphs so you can see my cursor right when I point to the arrow. So the feast of a is on the L sub a isogenic graph. Fesa B is on the L sub B. So it's easier for me to say Alice is walking on the two torsion graph. Bob is walking on the three torsion graph to start with. Okay, and now what's going to happen just spoiler alert is that for the second step. Alice is going to walk on the other graph and Bob is going to walk on the other graph so it's going to it's going to flip. So now, to complete the diamond a computes the points. Fesa a applied to Bob's public points piece of B and Q sub B, and sends these to be, and then, but I'm sorry Alice computes that and then Bob computes the image of Alice's public points under his secret isogenic and sends those to a. So one thing that you might notice here is is that besides the, the, the elliptic curves that have been revealed here so he was the public starting point and now E sub a and E sub B are revealed. There's also this extra information that has now been revealed which is the images under the secret isogenes of the generators for the other torsion. Okay, so now what Alice and Bob can each do is they can use that information that they obtained in order to compute the secret isogenic. The elliptic curve E sub AB, which is the J invariant of the curve and the J invariant of that curve E sub AB will be the shared secret. Again, the fact that separable isogenes are determined by their kernels is very important here because the reason that this is a diamond that they end up in the same place is because. In fact, after exchanging this information applying their own secret to the other person's kernel, they actually have both quotient it by the same kernel in the end if you compose the two steps, the two arrows on top and the two arrows on the bottom. So that could be something to kind of check as an exercise, if you want. So now let's talk about the security of this key exchange. So the funny thing is, is that when this was first proposed. And Joe and DeFeo and plus paper in 2011. They talked about the security as being related to about five different hard problems that they stated so and some of which they related to each other, and none of which they actually related to the path finding problem. So the result was that I think for a number of years not many people read in detail what those problems were and how hard they were but it was also just very confusing if you looked at it and read it. And so I think it was pretty well known to those of us working in the field that the hardness of breaking the key exchange relied on the hardness of the path finding problem that we had introduced in the cgl hash function, but it didn't seem to be written down and so as part of our win for project in 2017, we wrote down a security reduction and estimated the probability that if you can, if you can find paths, then the probability is overwhelmingly that you can break the break the key exchange. So the reason for that is because if you can find paths between E and EA. So let's go back to this this diagram, finding a path is essentially finding the secret isogenic. So you might say, like if you can find a path in the two isogenic graph between E and EA or in the three isogenic graph between E and EB. You might say, well, what if you found a different path, not the one that they had used for their secret isogenic. So, that's why let's go back to the discussion that we had earlier about the number of paths of different lengths between pairs of vertices in these isogenic graphs. So, for any two random vertices in the graph, it is extremely unlikely that there would be any path between them of length half the diameter. So that probability would be like P to the to the minus one half. So if P is, you know, like 5 512 bits, the probability of their being a path is like one over two to the power 256 so it's overwhelmingly unlikely that there's that there's no path. If you can find a path, you're overwhelmingly likely to have found the special path that you know exists because they created it when they were making doing the key exchange. So, if you can find paths between these two vertices then you're most overwhelmingly likely to be able to break the key exchange. So, this just kind of quantifies this in terms of the size of LA and LB and N and M, which like I said if N and M are roughly equal in size then is going to be roughly P to the power minus one half. Okay, so I have about, I was hoping that I would. I have about 15 minutes is that right. Okay, good. So, I'm going to do a little bit out of what I had wanted to do for the second for the third lecture because I kind of have too much content for the third lecture so I'm going to kind of keep going into the slides for the third lecture. And then start to talk about the, the attacks on this problem so what do we know about attacking these systems today. So, when we introduced these super singular isogenic graphs, we stated these, this was actually the exact wording of the hard problems that that we stated at the time. The parentheses, so that you, so that you know what I'm talking about it's basically collision cycles and paths like to find. If you read the whole statement it's problem number one is to produce a pair of super singular elliptic curves and two distinct isogenes of degree L to the end between them. The L and P are fixed here. So that would allow you to find collisions in the graph in the, in the hash function. Problem number two is related it's cycle finding in the graph so it given an elliptic curve if you can find an endomorphism of degree L to the two end but which is not the multiplication by L to the end map. And that means it's basically the composition of having walked around the graph like to end steps and gotten back to this to the elliptic curve that you started at which is finding a cycle. And then problem number three is. So, given two super singular elliptic curves find an isogenic of degree L to the end between them. All of these are described problems described in terms of the elliptic curves which are labeled by their J invariance. And on that side of the picture, the best known algorithms that we have today for attacking this system are still the, what we call generic algorithms so generic attacks and cryptography are ones that run. Basically, like as if the underlying object is kind of like a black box so there's nothing really special about the fact that the vertices are actually. We're just treating it as a graph with vertices that have labels. One approach we can take with for a generic, what are called square root attacks is just to simply walk around the graph at random, like I'll go back to let's specify problem number three path finding. So if you have two super singular elliptic curves, and you just start walking from each of them so take a random walk from one side take a random walk from the other side. You get the possibility that in roughly square root time, you will they will hit each other so you'll get a collision. And that's often referred to as like a birthday attack or birthday style attack, and the running time is heuristically roughly the square root of the group size. So just to remind you that if the group size if the group as order P that takes you log P bits to represent. So an algorithm that runs in time like Pete roughly P to the one half that's an exponential algorithm. It's exponential in log P which was the number of bits it took you to write down your system. So class or generic attacks are exponential attacks and in in crypto, there's a kind of a convention which is that systems that are proposed are generally known to have generic square root attacks against them. So that that's why you're always going to take like if you want 128 bits of security for elliptic curve crypto, and you have only exponential generic attacks then you set the bit size for your prime to be double that 256 bits. So everybody kind of knows that there's square root attacks on pretty much everything in site. And so a lot of times, we think of systems as being broken if you have better than square root attacks. So for example, that's what is the case for genus three, we have exponential algorithms for genus three Jacobians Diffie homin based on genus three Jacobians, which are better than square root and so everybody talks about them as being broken they're exactly broken in the sense that if you take into account like the constants that are hidden in the, in the big O notation, and some of the actual costs of doing the operations, they might not be strictly speaking running faster than a square root attack, but asymptotically they look worse, they look like they're better attacks than the square root attacks like so in cryptography if you have an attack which is better than square root people often think of the system as being broken. So that's not exactly true though because if you think of RSA RSA is widely deployed around the world, and we have some exponential attacks on, you know, on factoring. So the number fields of is a sub exponential algorithm. And so we don't think of RSA as being really broken. That's why the sub exponential is kind of a middle case in that earlier slide from my first lecture because in the quantum world, I showed you the running time of the polynomial or the the polynomial time quantum algorithms against RSA and then we really say it'll be broken but we live in a world today where our classical algorithms against RSA are sub exponential. And all and that means all that we we do then is to increase the bit size of the of the modulus and that we use for for the RSA attack. So it's not, it's not exactly true to say that it's broken if you have a better than square root attack, but that is kind of the gold standard so I'm giving you some context on generic kind of square root attacks. The next thing to consider is, do we have anything better than that, in our case of the super singular isogenic graphs. So, let me, let me use take this opportunity to start in on the kind of generic description of these graphs which I mentioned was introduced by Pizer. So, given the, the, I think that Yana has some exercises in the exercise sheet that you'll be working on either tomorrow morning or Friday morning that relate to the quaternion size so it's the quaternion side of things so it's not bad that we're starting to talk about this now. The quaternionic interpretation of the sg graphs is as follows. So, I told you several definitions of super the super singular property of elliptic curves we say an elliptic curve is super singular mod p. If it's anamorphism ring is a maximal order in the definite quaternion algebra, BP infinity. So, I'll say a little bit more about what is BP infinity in a minute. But the, I also told you that a lot of times cryptographers that are working on these graphs in practice don't even really need to use the super singular property. But in fact the super singular property is behind a lot of what we've been talking about for example the connection with the theory of modular forms and the remanogen property. I'll follow from the super singular assumption this the size of the graphs is actually also kind of related to that so the Eichler class number is gives you the size of the graph which is the basically the number of level P Eichler orders which is roughly P over 12. And finally also the during correspondence which associates with an elliptic curve. It's a maximal order in a quaternion algebra. So now what that means is is that if just think about if you had an explicit during correspondence. And that would mean that you could, instead of thinking of your graph as being given by elliptic curve, the vertices are super singular elliptic curves labeled by their J invariant. You could think of it as being given by all of the over on the quaternion side, the maximal orders which are actually the endomorphism rings of the super singular elliptic curve. And that motivates why we want to talk about quaternion algebras. So BP infinity is the notation that we use for the definite quaternion algebra which is ramified at P and infinity, only at P and infinity. There's a lot of theory and theorems about quaternion algebras which I'm not going to be able to cover here because I'm not going to give a whole course on quaternions. But like one fun fact is that if I'm remembering this correctly, definite quaternion algebras have an even number of places at which they're ramified. So if you're not familiar with this terminology and going back to the way that I learned these things early on was from vase theory of central simple algebras. And so central simple algebras could be either like division algebras or matrix algebras. So we say that a prime is ramified if when you localize at that prime, you get a kind of non trivial algebra in the sense that it's not a matrix algebra. But at most primes you, when you localize or you tensor with like QL or ZL, you'll get the matrix algebra so MT, M2 ZL or M2 QL. But if you get a non trivial division algebra, then you call that a ramified prime. So if that was, I'm sorry I didn't put a reference in here for that background on this topic but I can put some references in for next time if you want to look more at that. So BP infinity is a rank rank for q algebra and it's going to have a one I J K that satisfy the following properties so I squared is a J squared is B and K is I times J, which this is non commutative, which is equal to minus J I where A and B, we have formulas for what A and B should be, depending on the congruence class of P. I'm just giving you one example of them here and that is when P is congruent to three mod for for example, A B should be minus P minus one. So that means we're taking, like, sorry for the notation here because here J is the square root of minus one whereas I is the square root of minus P. So I probably I don't remember why I did the notation that way but it's consistent throughout my slide so I'm just keeping it. What it means is that you have a quaternion algebra, BP infinity that's generated basically by one, and then the square root of minus one and the square root of minus P, and that these two things do not commute. And you can actually realize these as you can think of like square root of minus one, for example, as being a matrix like 0110 with the ones on the off diagonal and that'll be that'll give you a square root of minus one. So that's, I think it's a good way to think about these things as matrix algebras and in fact if you look at a lot of the algorithms in this space, they rely on thinking of these elements as matrices. So now, I'm also giving you an example here of a maximal order, but I haven't really I'm going to start I think next time with all the definitions of the quaternion orders and ideals I haven't really gotten into all of those definitions. But the, the, the, the maximal order and example of a maximal order that I'm giving here I think you have an exercise that relates to this special maximal order. So I just wrote down the sis for it here. So I think I'm a little bit out of time at this point. Basically, for my outline that I gave you at the beginning I we covered the expander graphs and remodeling graphs and the remodeling property of the super singular isogenic graphs, and then related that to the hardness of breaking the key exchange relies on the hardness of the path finding problem. And so now just at the end we started talking about quaternion algebras and again the motivation is because this can give us potentially a better way to attack this path finding problem on elliptic curves by working on the quaternion algebra side. So in the next lecture, I will give more background on the quaternion algebra side and then give our algorithm for attacking the what we call the quaternionic path finding problem, and an application of that algorithm in the to the, to the goal of constructing signature and also for cryptography. Okay, so thank you very much I don't know whether did you want to have questions or just stop at that point. Well, I think the first weekend, we can all you can join me by thanking you for your lecture. And if there are questions yeah you can, you can unmute yourself and ask them or, or you can type in the chat. I mean, I guess we've been, well, maybe you don't want to read the chat right now because it's just been just been a, I mean, most I think most of the questions have been answered. But let's see if there are any specific ones here. I think most of the questions, let's see, does anybody who asked a question, want to ask, ask it to Kristen or, or, or ask a new question. Okay, I can see the chat now I pulled it up. Yeah, but I'm just saying maybe you don't want to read it now because it's most, I mean, I don't know, it's just long. I think most of the questions have already been answered so. Yeah, so I guess no, no for no more questions. Oh, you're sorry, Andrew, you have a question. Yeah, I can have one. Yeah, please go ahead. Yeah. Yeah. So, Christine. So you mentioned this paper from 2007 this is the second one. Which paper I'm sorry. This is one where you generalize the Ramanujan graphs. But in that paper, the graphs. So we're restricted to varieties that have to be some real multiplication. And is there any reason for that or is the you think it's possible, it would be possible to give graphs that don't have that restriction of some real multiplication. I know this is maybe out of the lecture. No, no, that's that's very nice question. So, like, for context. Okay, so first of all, high level. I always encourage everyone to try to think of how to propose a like crypto systems based on math objects that are new that haven't been used before or that are more general than what is being used. So that's kind of what you're asking here. So, I didn't talk about this paper of the higher dimensional case here and I wasn't planning on going into the details next time either. But it's basically a generalization of super singular isogenic graphs, but on the quaternion side. And so instead of maximal orders, which are certain type of Eichler orders in the quaternion algebra that I just defined for you, which is a definite quaternion algebra over Q. We instead looked at definite quaternion algebras over totally real fields L. And those totally real fields. I'll also had some extra conditions that we needed, for example, we put they needed to have narrow class number one and just be special for a bunch of really technical reasons. And in that case, what we could show is that the graph that you construct by instead of taking basically, you know, Eichler orders in BP infinity, if you take these quaternion algebras over the totally real field, that you could look at what we called super special orders, and then you could prove that you also get a remanogen graph. Now that doesn't mean that you couldn't do something else so I interpreted your question as meaning like, could you take some other fields L like even totally real but removing the narrow class number one restriction you can kind of see what happens there, or maybe take other number fields or other objects and create other graphs and so I don't, I didn't think about that so I don't know what else could be done in that direction. It just happened to be the kind of the conditions that we needed in order to be able to use the theorem that existed to show that this was another construction of remanogen graphs. In fact, our point was to construct embedded like towers of remanogen graphs because you could take bigger and bigger algebras that were embedded in each other. Yeah, okay. I was asking just because you can take the full graph of super special varieties but then that is too large and has too much structures going on. So that's why my question. Oh, yeah. Well, just to give you an example, going in that direction so more recently, people in cryptography have proposed using genus two curves for doing this kind of, you know, isogenic graph. And at the time we originally proposed the, the CGL all the CGL work. We didn't even have good ways to compute isogenes for higher dimensions so if you have had a dimension to a billion variety and you wanted to compute an isogenic. We didn't have any way to do that but then the AVI package by Damien Robert and his collaborators was released and I don't know probably sometime around 2008 or nine. And so now we can actually compute isogenes on higher dimensional from higher dimensional and being varieties. There's a lot of practical aspects like let's say you just want to make a hash function out of our construction of spooks from super special. Super special orders the generalization of you know the Eichler orders. It's horrible because we don't even have labels. We don't have labels. You can take a basis for them for the order but we don't have any way to tell whether one basis is the same defining the same order as another basis. So as a label, one of the things we thought about is is that you can construct a Hilbert modular form from taking the representation numbers for that basis so you would take the, the, the nth coefficient a n would be the number of elements in this super special order whose norm, it was equal to n and then you could you get this Hilbert modular form. And if you have enough coefficients of the Hilbert, the, the Hilbert modular form is basically encoding the information that comes from the norm form from the order. And if you have enough coefficients of that form you can say oh I got it. I'm, there's no other order that this could have come from. But like in the elliptic curve case the number of coefficients that you need for the analogous thing is square root of P, which is exponential that's horrible. And so that was those are the best ideas for a label that's a horrible idea for a label. And then, and then the next problem was the thing I mentioned about not being able to compute the isogenes and etc etc so there were a lot of problems. So if instead you kind of crossover to genus two curves with a specific model for the curve. So that's more like what I've introduced here as the SIG graphs where you have models for your elliptic curves with J invariance and everything. And genus two curves have really nice. These Richelot isogenes which are to to isogenes and those are very explicit to compute just kind of like Velu is very explicit. And so there's been this proposal, oh well why don't we just use genus two curves with Richelot isogenes. Yeah, but then it's a little bit like what you said with your idea. There's, we can't prove very many theorems about things like whether they're even connected graphs whether they have good, whether they're expander graphs whether they're We know they are connected now. Oh, they are. Yeah, and the sub graph of Jacobians is connected as well. But still no remanage and brotherly. Yeah. I don't see them as a sub, a sub graph of the other I don't know, maybe connected. Okay, there. All right, are there other other quick questions. Okay, well thank you again.