Ramanujan Graphs for Post-Quantum Cryptography

Abstract

We introduce a cryptographic hash function based on expander graphs, suggested by Charles et al. ’09, as one prominent candidate in post-quantum cryptography. We propose a generalized version of explicit constructions of Ramanujan graphs, which are seen as an optimal structure of expander graphs in a spectral sense, from the previous works of Lubotzky, Phillips, Sarnak ’88 and Chiu ’92. We also describe the relationship between the security of Cayley hash functions and word problems for group theory. We also give a brief comparison of LPS-type graphs and Pizer’s graphs to draw attention to the underlying hard problems in cryptography.

1 Introduction

In the era of post-quantum cryptography, there exist four dominant research areas: Lattice-based, Code-based, Multivariate-based and Isogeny-based cryptography. Specifically, studies in the area of Isogeny-based cryptography have been numerous in the past decade, mainly due to the difficulty of finding a path in the Isogeny graph of supersingular elliptic curves.

In 2009, Charles et al. (2009a, b) introduced cryptographic hash functions from expander graphs and explained the hardness of problems behind those schemes. They proposed two kinds of hash functions based on two families of Ramanujan graphs. One of their proposals is based on Ramanujan graphs by Lubotzky et al. (1988) (in short, LPS), which are Cayley graphs over the projective group with respect to well-chosen generating sets. The other is based on Ramanujan graphs by Pizer (1990), which are not (expected to be) Cayley graphs. So far, the variants of their proposal still survive against a quantum attack except the only known exponential complexity attack (Biasse et al. 2014).

In this article, we focus on not only the background of the families of LPS’s graphs and their generalization (LPS-type Jo et al. 2018, 2020) with respect to the security of their Cayley-based hash functions, but also on the relationship between the families of LPS-type graphs and Pizer’s graphs.

This article is organized as follows: In Sect. 2, we present some required preliminaries of expander graphs and Ramanujan graphs, and also of quaternion algebra theory. We summarize the security on Cayley hash functions and their cryptanalysis (variants of lifting attacks) related to solving word problems in group theory. In Sect. 3, we explain a way to generalize the explicit constructions of LPS and Chiu’s Ramanujan graphs, and give a proof of the Ramanujan-ness of our graphs in the special case of “\(P=13\)”. In Sect. 4, we describe the relationship between the families of LPS-type graphs and Pizer’s graphs. In Sect. 5, we summarize the arguments in this article and expound upon some unclarified problems and the relationships between explicit families of Ramanujan graphs.

2 Ramanujan Graphs and Their Cryptographic Applications

An expander graph is well known as a ubiquitous object in various research areas, especially in computer science for designing communication networks. It is said to be a sparse, but highly connected graph. The quality of the network on expander graphs is considered as the expanding ratio. Throughout this article, we assume that all graphs are finite, undirected, simple (i.e. no loops or multi-edges) and connected. Suppose that \(X=(V,E)\) is a k-regular graph, composed of a vertex set \(V=V(X)\) with n vertices and an edge set \(E=E(X)\). For a subset T of V, the boundary \(\partial T\) of T is defined as

$$\begin{aligned} \partial T = \{ (x,y) \in E | x \in T \text { and } y \in V \setminus T \}, \end{aligned}$$

where \(V \setminus T\) is the complement of T in V. The expanding constant h(X) of X, which is defined as below, is a discrete analogue of the Cheeger constant in differential geometry (Lubotzky 1994):

$$\begin{aligned} h(X) = \min _{T \subset V \atop 0< |T| \le n/2 } \frac{|\partial T|}{|T|}. \end{aligned}$$

We give the definition of an expander graph.

Definition 1

A family of k-regular graphs \((X_j)_{j \ge 1}\) such that \(|V(X_j)| \rightarrow +\infty \) as \(j \rightarrow +\infty \) is called an expander family if there is an \(\epsilon >0\) such that the expanding constant \(h(X_j)\) satisfies \(h(X_j) \ge \epsilon \) for all j.

For analysis of graphs, the adjacency matrix A of the graph X plays an important role; it is a square matrix indexed by pairs of vertices u, v whose (u, v)-entry \(A_{u,v}\) is the number of edges between u and v. Since we assume that X has n vertices, A is an n-by-n, symmetric (0, 1)-matrix without diagonal entries (i.e. \(A_{u,u}=0\)). For such a graph X, the adjacency matrix A of X has the spectrum \(k=\lambda _0 > \lambda _1 \ge \dots \ge \lambda _{n-1}\). It is known (Alon and Milman 1985; Dodziuk 1984) that

$$\begin{aligned} \frac{k-\lambda _1}{2} \le h(X) \le \sqrt{2k(k-\lambda _1)}. \end{aligned}$$

If the spectral gap \(k-\lambda _1\) is larger, the quality of the network of X is getting better as well. However, it is shown by Alon-Boppana as follows that it cannot be too large.

Theorem 1

Let \((X_j)_{j \ge 1}\) be a family of k-regular graphs with \(|V(X_j)| \rightarrow +\infty \) as \(j \rightarrow +\infty \). Then

$$\begin{aligned} \liminf _{j \rightarrow +\infty } \lambda _1 (X_j) \ge 2 \sqrt{k-1}. \end{aligned}$$

This fact motivates the definition of a Ramanujan graph.

Definition 2

A k-regular graph X is Ramanujan if, for every member \(\lambda \) of the spectrum of the adjacency matrix of X other than \(\pm k\), one has \(|\lambda | \le 2 \sqrt{k-1}.\) We call \(2\sqrt{k-1}\) the Ramanujan bound (\(\mathrm {RB}\)).

For a more detailed exposition of the theory, see Davidoff et al. (2003), Lubotzky (1994), Terras (2010). In order to explain how to construct explicit Ramanujan graphs in the style of LPS, Chiu, LPS-type and Pizer, we recall basic facts and terminologies of quaternion algebras Vignéras (1980).

Let F be a field and \(F^{\times }\) its unit group. Let \(\mathcal {A}=\mathcal {A}_F\) be a quaternion algebra over F, i.e. a central simple algebra of dimension 4 over F. In this article, we always assume that F is not of characteristic 2. Then, there exist \(a,b\in F^{\times }\) such that it can be written as \(\mathcal {A}=\mathcal {A}_F(a,b)=\{\alpha =x+yi+zj+wk\,|\,x,y,z,w\in F\}\), where i, j, k satisfy \(i^2=a\), \(j^2=b\) and \(ij=-ji=k\) (and hence \(k^2=-ab\)). For \(\alpha =x+yi+zj+wk\in \mathcal {A}\), its conjugate, the reduced trace and the reduced norm are defined by \(\overline{\alpha }=x-yi-zj-wk\), \(T(\alpha )=\alpha +\overline{\alpha }=2x\in F\) and \(N(\alpha )=\alpha \overline{\alpha }=\overline{\alpha }\alpha =x^2-ay^2-bz^2+abw^2\in F\), respectively.

Quaternion algebras over \(\mathbb {F}_q\)

Throughout this article, we denote by \(\mathbb {P}\) the set of all prime numbers. For a prime \(p \in \mathbb {P}\) and \(d \in \mathbb {N}\), let \(\mathbb {F}_{p^d}\) be the field of \(p^d\) elements. Let us fix \(q\in \mathbb {P}\setminus \{2\}\). It is known that, for any \(a,b\in \mathbb {F}^{\times }_q\), the quaternion algebra \(\mathcal {A}=\mathcal {A}_{\mathbb {F}_q}(a,b)\) is isomorphic to the matrix algebra \(\mathrm {M}_2(\mathbb {F}_q)\) of the 2-by-2 matrices over \(\mathbb {F}_q\). Let \(\bigl (\frac{\cdot }{\cdot }\bigr )\) be the Kronecker symbol. When \(\bigl (\frac{a}{q}\bigr )=\bigl (\frac{-b}{q}\bigr )=1\), that is, \(\sqrt{a},\sqrt{-b}\in \mathbb {F}_q\), one has the following isomorphism.

Lemma 1

Assume that \(\bigl (\frac{a}{q}\bigr )=\bigl (\frac{-b}{q}\bigr )=1\). Then, the map \(\psi _q:\mathcal {A}\rightarrow \mathrm {M}_2(\mathbb {F}_q)\) defined by

$$ \psi _q(x+yi+zj+wk) = \left[ \begin{matrix} x+y\sqrt{a} &{} \sqrt{-b}(z+w\sqrt{a}) \\ -\sqrt{-b}(z-w\sqrt{a}) &{} x-y\sqrt{a} \end{matrix} \right] $$

is an isomorphism satisfying \(\det (\psi _q(\alpha ))=N(\alpha )\) and \(\psi _q\left( \overline{\alpha }\right) =\overline{\psi _q(\alpha )}\) for \(\alpha \in \mathcal {A}\). Here, \(\overline{\left[ \begin{matrix} s &{} t \\ u &{} v\end{matrix}\right] } =\left[ \begin{matrix} v &{} -t \\ -u &{} s\end{matrix}\right] \) for \(\left[ \begin{matrix} s &{} t \\ u &{} v\end{matrix}\right] \in \mathrm {M}_2(\mathbb {F}_q)\).

For a ring R, we denote by \(R^{\times }\) the group of units of R. Let \(\mathrm {GL}_2 (\mathbb {F}_q)=\mathrm {M}_2(\mathbb {F}_q)^{\times }\) and \(\mathrm {SL}_2 (\mathbb {F}_q)=\{A\in \mathrm {GL}_2 (\mathbb {F}_q)\,|\,\det A=1\}\). Moreover, let \(\mathrm {PGL}_2 (\mathbb {F}_q)=\mathrm {GL}_2 (\mathbb {F}_q)/Z(\mathrm {GL}_2 (\mathbb {F}_q))\) and \(\mathrm {PSL}_2 (\mathbb {F}_q)=\mathrm {SL}_2 (\mathbb {F}_q)/Z(\mathrm {SL}_2 (\mathbb {F}_q))\). Here, for a group G, we denote by Z(G) the center of G. We can naturally see that \(\mathrm {PSL}_2 (\mathbb {F}_q)\) is a subgroup of \(\mathrm {PGL}_2 (\mathbb {F}_q)\) of index 2 because now q is odd. Additionally, we remark that \(|\mathrm {PGL}_2 (\mathbb {F}_q)| = q(q^2-1)\) and \(|\mathrm {PSL}_2 (\mathbb {F}_q)| = \frac{q(q^2-1)}{2}\). Since \(\mathcal {A}\simeq \mathrm {M}_2(\mathbb {F}_q)\), we have \(\mathcal {A}^{\times }\simeq \mathrm {GL}_2 (\mathbb {F}_q)\) via (the restriction of) \(\psi _q\) and hence obtain the isomorphism \(\beta _q:\mathcal {A}^{\times }/Z(\mathcal {A}^{\times }) \rightarrow \mathrm {PGL}_2 (\mathbb {F}_q)\).

We need the following lemma later.

Lemma 2

(Davidoff et al. 2003, Chap. 3) Assume that \(\bigl (\frac{a}{q}\bigr )=\bigl (\frac{-b}{q}\bigr )=1\). Let \(\alpha \in \mathcal {A}\) with \(N(\alpha )=p\in \mathbb {P}\setminus \{q\}\), which implies that \(\alpha \in \mathcal {A}^{\times }\). Then, \(\beta _q(\alpha \mathbb {F}^{\times }_q)\in \mathrm {PSL}_2 (\mathbb {F}_q)\) if and only if \(\bigl (\frac{p}{q}\bigr )=1\).

Quaternion algebras over \(\mathbb {Q}\)

Let \(a,b\in \mathbb {Z}\setminus \{0\}\) and \(\mathcal {A}=\mathcal {A}_{\mathbb {Q}}(a,b)\) be a quaternion algebra over \(\mathbb {Q}\). A place v of \(\mathbb {Q}\) is said to be split in \(\mathcal {A}\) if \(\mathcal {A}_v:=\mathcal {A}\otimes _{\mathbb {Q}} \mathbb {Q}_{v}\simeq \mathrm {M}_2(\mathbb {Q}_v)\), where \(\mathbb {Q}_v\) is the v-adic completion of \(\mathbb {Q}\) and is said to be ramified if \(\mathcal {A}_v\) is a division algebra. We denote by \(\mathrm {Ram}(\mathcal {A})\) the set of all places which are ramified in \(\mathcal {A}\). Notice that \(\mathrm {Ram}(\mathcal {A})\) is a finite set, has an even cardinality, and determines an isomorphism class of quaternion algebras over \(\mathbb {Q}\). The product of all primes (\(=\) finite places) in \(\mathrm {Ram}(\mathcal {A})\) is called the discriminant of \(\mathcal {A}\) and is denoted by \(\mathfrak {D}\). From now on, we assume that \(\mathcal {A}\) is definite, that is, the infinite place \(\infty \) is ramified in \(\mathcal {A}\), whence there are an odd number of primes which are ramified in \(\mathcal {A}\). Notice that \(\mathcal {A}=\mathcal {A}_{\mathbb {Q}}(a,b)\) is definite if and only if \(a<0\) and \(b<0\).

A lattice \(\mathcal {I}\subset \mathcal {A}\) is a free \(\mathbb {Z}\)-submodule of \(\mathcal {A}\) of rank 4. A lattice \(\mathcal {O}\subset \mathcal {A}\) is called an order if it is a ring with unity. In particular, it is called maximal if it is not properly contained in any other order. Notice that, if \(\mathcal {O}\) is an order of \(\mathcal {A}\), then \(\mathcal {O}\otimes _{\mathbb {Z}}\mathbb {Z}_p\) is an order of \(\mathcal {A}_p\) for \(p\in \mathbb {P}\). Here, \(\mathbb {Z}_p\) is the ring of p-adic integers. Let \(\mathcal {O}\) be an order of \(\mathcal {A}\). We call a lattice \(\mathcal {I}\) of \(\mathcal {A}\) a left (resp. right) \(\mathcal {O}\)- ideal if \(\mathcal {O}_L(\mathcal {I})=\mathcal {O}\) (resp. \(\mathcal {O}_R(\mathcal {I})=\mathcal {O}\)), where \(\mathcal {O}_L(\mathcal {I})=\{\alpha \in \mathcal {A}\,|\,\alpha \mathcal {I}\subset \mathcal {I}\}\) (resp. \(\mathcal {O}_R(\mathcal {I})=\{\alpha \in \mathcal {A}\,|\,\mathcal {I}\alpha \subset \mathcal {I}\}\)). We say that two left (resp. right) \(\mathcal {O}\)-ideals \(\mathcal {I}\) and \(\mathcal {J}\) are equivalent, if there exists \(\alpha \in \mathcal {A}^{\times }\) such that \(\mathcal {I}=\mathcal {J}\alpha \) (resp. \(\mathcal {I}=\alpha \mathcal {J}\)). This is an equivalence relation. We denote by \(H(\mathcal {O})\) the number of equivalence classes, which is shown to be finite, independent on left or right. We call \(H(\mathcal {O})\) the class number of \(\mathcal {O}\).

We next give the definition of Eichler orders. To do that, we first recall the local situations. If \(p\in \mathbb {P}\) is ramified in \(\mathcal {A}\), then \(\mathcal {A}_p\) is a division algebra which has a maximal order \(\mathcal {O}_{p}= \{\alpha \in \mathcal {A}_p\,|\,N(\alpha )\in \mathbb {Z}_p\}\). On the other hand if \(p\in \mathbb {P}\) is split in \(\mathcal {A}\), then \(\mathcal {A}_p\) is isomorphic to \(\mathrm {M}_2(\mathbb {Q}_p)\) and a maximal order of \(\mathcal {A}_p\) is isomorphic to a conjugate of the maximal order \(\mathrm {M}_2(\mathbb {Z}_p) =\left[ \begin{array}{cc} \mathbb {Z}_p &{} \mathbb {Z}_p \\ \mathbb {Z}_p &{} \mathbb {Z}_p \end{array}\right] \) of \(\mathrm {M}_2(\mathbb {Q}_p)\) by an element of \(\mathcal {A}^{\times }_p\).

Let \(\mathfrak {D}\) be the discriminant of \(\mathcal {A}\), and M be a positive square-free integer which is prime to \(\mathfrak {D}\). An order \(\mathcal {O}\) of \(\mathcal {A}\) is called an Eichler order of level \((\mathfrak {D},M)\) if the following local conditions are satisfied: For all \(p\in \mathbb {P}\) being ramified in \(\mathcal {A}\) (i.e., \(p\,|\,\mathfrak {D}\)), \(\mathcal {O}\otimes _{\mathbb {Z}}\mathbb {Z}_p=\mathcal {O}_p\). On the other hand, for all \(p\in \mathbb {P}\) being split in \(\mathcal {A}\) (i.e. \(p\not \mid \mathfrak {D}\)), \(\mathcal {O}\otimes _{\mathbb {Z}}\mathbb {Z}_p\) is isomorphic to a conjugate of the order \(\left[ \begin{array}{cc} \mathbb {Z}_p &{} \mathbb {Z}_p \\ M\mathbb {Z}_p &{} \mathbb {Z}_p \end{array}\right] \) of \(\mathrm {M}_2(\mathbb {Q}_p)\) by an element of \(\mathcal {A}^{\times }_p\). Remark that an Eichler order is maximal when \(M=1\). If \(p\,|\,M\), in this case we call p an Eichler prime. Notice that an Eichler order can be characterized as an order which is the intersection of two maximal orders. It is shown in Pizer (1976) that the class number of an Eichler order depends only on its level. Hence, we write \(H(\mathcal {O})\) as \(H(\mathfrak {D},M)\) when \(\mathcal {O}\) is of level \((\mathfrak {D},M)\). Remark that \(H(\mathfrak {D},1)=1\) if and only if \(\mathfrak {D}=2,3,5,7,13\).

Let G be a group and S a generating set, which is symmetric (i.e. \(S = S^{-1}\)) and does not contain the identity of G. A Cayley graph over G with respect to S is a |S|-regular graph with a vertex set V and an edge set E, where \(V=G\) and E consists of \((g_1, g_2) \in G\times G\) such that \(g_1=g_2s\) for some \(s\in S\).  

The families of LPS’s graphs:

Let p and q (\(\gg 2\sqrt{p}\)) be distinct primes congruent to \(1 \pmod {4}\). In Lubotzky et al. (1988), described how to construct a family of Ramanujan graphs of degree \(p+1\) having \(O(q^3)\) vertices as \(q \rightarrow +\infty \). These graphs are Cayley graphs over the groups \(G=\mathrm {PGL}_2 (\mathbb {F}_q)\) or \(\mathrm {PSL}_2 (\mathbb {F}_q)\) with respect to the generating set \(S_{LPS}\) defined as

$$\begin{aligned} S_{LPS} = \bigg \{&\left[ \begin{matrix} a_0 + i a_1 &{} a_2 + i a_3 \\ -a_2 + i a_3 &{} a_0 - i a_1 \end{matrix}\right] \bigg | {a_0}^2 + {a_1}^2 + {a_2}^2 + {a_3}^2 = p \\&\text {for odd }a_0 >0 \, \text {and even }a_1, a_2, a_3 ~ \nonumber \bigg \}, \end{aligned}$$

(1)

where \(i \in \mathbb {Z}\) such that \(i^2 \equiv -1 \pmod {q}\). The diophantine Eq. (1) originally comes from the norm of their based-algebra \(\mathcal {A}_{\mathbb {Q}} (-1,-1)\), where \(i^2=-1, j^2=-1\) and \(ij=-ji=k\), and is called the Hamiltonian quaternion algebra. By Jacobi’s four-squares theorem Hirschhorn (1987), there are \(8(p+1)\) integer solutions \((a_0, a_1, a_2, a_3) \in \mathbb {Z}^4\) of (1). Since there are 8 units as \(\pm 1, \pm i,\pm j, \pm k\), we see \(|S_{LPS}|=p+1\).

The families of Chiu’s graphs:

In Margulis (1988), independently of LPS, alluded to the existence of essentially the same graphs as shown by LPS, but without an explicit description. In Chiu (1992), described how to construct a family of Ramanujan graphs, and explicitly covered the case of \(p=2\). Since the Hamiltonian quaternion algebra is not split at \(p=2\), Chiu chose a specific quaternion algebra \(\mathcal {A}_{\mathbb {Q}} (-2,-13)\), which is split at 2 and has a maximal order of class number 1. Take a prime \(q \in \mathbb {P}\setminus \{2,13\}\) such that \(\big (\frac{-2}{q}\big )=\big (\frac{13}{q}\big )=1\). Chiu’s cubic graphs are also Cayley graphs over the groups \(G=\mathrm {PGL}_2 (\mathbb {F}_q)\) or \(\mathrm {PSL}_2 (\mathbb {F}_q)\) with respect to the generating set \(S_{C}\) defined as

$$\begin{aligned} S_{C}&= \bigg \{ \left[ \begin{matrix} 1 &{} 0 \\ 0 &{} -1 \end{matrix}\right] , \left[ \begin{matrix} 2 + i' &{} i'j' \\ i'j' &{} 2 - i' \end{matrix}\right] , \left[ \begin{matrix} 2 - i' &{} j'i' \\ j'i' &{} 2 + i' \end{matrix}\right] \bigg \}, \end{aligned}$$

where \(i', j' \in \mathbb {Z}\) such that \(i'^2 \equiv -2, j'^2 \equiv 13 \pmod {q}\), respectively.

The families of Morgenstern’s graphs:

In Morgenstern (1994), described how to construct, for any prime power q, a family of Ramanujan graphs of degree \(q+1\). These graphs are given as Cayley graphs over the groups \(G=\mathrm {PGL}_2 (\mathbb {F}_{q^d})\) or \(\mathrm {PSL}_2 (\mathbb {F}_{q^d})\) for some \(d \in \mathbb {N}\) with respect to the generating set \(S_{M_\mathrm{{odd}}}\) when q is odd and \(S_{M_\mathrm{{even}}}\) when q is even. For an odd prime power q, let \(\epsilon \) be a non-square in \(\mathbb {F}_q\). Let \(g(x) \in \mathbb {F}_q [x]\) be irreducible of even degree d. We realize \(\mathbb {F}_{q^d}\) as \(\mathbb {F}_q [x]/g(x) \mathbb {F}_q [x]\). Let \(\mathrm {i}\in \mathbb {F}_{q^d}\) be such that \(\mathrm {i}^2 =\epsilon \). Then \(S_{M_\mathrm{{odd}}}\) is defined as

$$\begin{aligned} S_{M_\mathrm{{odd}}}&= \bigg \{ \left[ \begin{matrix} 1 &{} a - \mathrm {i} b \\ (a + \mathrm {i} b)(x-1) &{} 1 \end{matrix}\right] \bigg | ~{b}^2 \epsilon - {a}^2 =1 \text { for } a, b \in \mathbb {F}_q\bigg \}. \end{aligned}$$

For an even prime power q, let \(\epsilon \) be a non-square in \(\mathbb {F}_q\). Let \(f(x)=x^2+x+\epsilon \) be irreducible in \(\mathbb {F}_q [x]\). Let \(g(x) \in \mathbb {F}_q [x]\) be irreducible of even degree d. We also realize \(\mathbb {F}_{q^d}\) as \(\mathbb {F}_q [x]/g(x) \mathbb {F}_q [x]\). Let \(\mathrm {i}'\in \mathbb {F}_{q^d}\) be a root of f(x). Then \(S_{M_\mathrm{{even}}}\) is defined as

$$\begin{aligned} S_{M_\mathrm{{even}}}&= \bigg \{ \left[ \begin{matrix} 1 &{} a - \mathrm {i}' b \\ (a + \mathrm {i}' b + b)x &{} 1 \end{matrix}\right] \bigg | ~{a}^2 + {a}{b} + {b}^2 \epsilon =1 \text { for } a, b \in \mathbb {F}_q\bigg \}. \end{aligned}$$

 

2.1 Security on Cayley Hashes and Word Problems

A hash function is a function that accepts a message as an arbitrarily long string of bits and outputs a hash value as a finite, fixed-length string of bits. An efficiency of the hashing process is a basic requirement in a practical point. Such a function should satisfy certain properties such as collision resistant, second preimage resistant and preimage resistant.

Let \(n \in \mathbb {N}\) and let \(\mathcal {H}: \{0,1\}^* \rightarrow \{0,1\}^n;\) \(m \mapsto h = \mathcal {H}(m)\), where \(\{0,1\}^*\) is the set of bit strings of arbitrary length and \(\{0,1\}^n\) is the set of bit strings of a fixed length n. The function \(\mathcal {H}\) is said to be

• Collision resistant if it is computationally infeasible to find \(m, m' \in \{ 0, 1 \}^*, m \ne m'\), such that \(\mathcal {H}(m) = \mathcal {H}(m')\),

• Second preimage resistant if \(m \in \{ 0, 1 \}^*\) is given, it is computationally infeasible to find \(m' \in \{ 0, 1 \}^* \), \(m \ne m'\), such that \(\mathcal {H}(m) = \mathcal {H}(m')\),

• Preimage resistant if \(h \in \{ 0, 1 \}^n\) is given, it is computationally infeasible to find \(m \in \{ 0, 1 \}^*\) such that \(h = \mathcal {H}(m)\).

Let G be a non-commutative group and \(S=\{s_0,\ldots ,s_{r}\} \subset G\) be a generating set for the group G, symmetric and not having the identity. Charles et al. (2009a) and Petit et al. (2007), Petit and Quisquater (2010b) described a definition of Cayley hash functions, by which the input to hash is used as directions for walking around a graph, and the ending vertex is the output of the hash function as depicted in Fig. 1.

Fig. 1

Diffusion from the starting vertex \(g_{ST}\) along Cayley graphs over G with respect to \(S=\{s_0,\ldots ,s_r\}\)

A message m is given as a string \(m_1 \ldots m_\ell \), where \(m_i \in \{0,\dots ,r\}\). Then the resulting hashing value h of m will be obtained as a group product

$$\begin{aligned} h:=\mathcal {H}(m)=g_{ST}s_{m_1} s_{m_2} \ldots s_{m_\ell }, \end{aligned}$$

where \(g_{ST}\) is a fixed starting element in G. (We usually put \(g_{ST}\) as the identity in G.) To dispose a proper sequence of hashing bits inductively, we define a choice function \(\pi \) which assigns a next hashing bit with the bit of the message m and the previous hashing bit, while avoiding a back-tracking (i.e. \(ss^{-1}\) or \(s^{-1}s\) ). We choose a function

$$\begin{aligned} \pi : \{0,\ldots ,r\} \times S \rightarrow S \end{aligned}$$

(2)

such that for any \(s \in S\) the set \(\pi (\{0,\ldots ,r\} \times \{s\} )\) is equal to \(S\setminus \{s^{-1}\}\).

The security of Cayley hash functions lies on the hardness of solving word problems for group theory (Lubotzky 1994; Meier 2008; Petit and Quisquater 2010b), which are one of the most challenging open problems. There are three problems (balance, representation and factorization problems), which are related to the three properties of Cayley hash functions, respectively.

Let \(L \in \mathbb {N}\) be small (approximately, \(\log {|G|}\)). We denote the product of group elements \(s_{m_1}, s_{m_2},\ldots , s_{m_\ell } \) by \(\prod s_{m_i}=s_{m_1}s_{m_2}\ldots s_{m_\ell }\).

• Balance problem : Find an “efficient” algorithm that returns two words \(m_1 \ldots m_\ell \) and \(m'_1 \ldots m'_{\ell '}\) with \(\ell , \ell ' < L\), \(m_i,m'_i \in \{0,\ldots ,r\}\) and \(\prod s_{m_i}=\prod s_{m'_i}\).

• Representation problem : Find an “efficient” algorithm that returns a word \(m_1 \ldots m_\ell \) with \(\ell < L\), \(m_i \in \{0,\ldots ,r\}\) and \(\prod s_{m_i}=1\).

• Factorization problem : Find an “efficient” algorithm that given any element \(g \in G\), returns a word \(m_1 \ldots m_\ell \) with \(\ell < L\), \(m_i \in \{0,\ldots ,r\}\) and \(\prod s_{m_i}=g\).

A Cayley hash function is collision resistant if and only if the balance problem is hard; it is second preimage resistant only if the representation problem is hard; it is preimage resistant if and only if the corresponding factorization problem is hard (as described in Fig. 2).

Fig. 2

Relationship between the properties of Cayley hash functions and the hardness of Group word problems 

The diameter of a Cayley graph over G with respect to S, which naturally came up from the problems above, is defined as the smallest \(\ell \) such that every element of G can be expressed as a word of length at most \(\ell \) in S. Babai and Seress (1992) conjectured that the diameter of any Cayley graph over any non-commutative simple group is polylogarithmic in the size of the group such as \(\exp {((|G| \log {|G|})^{1/2}(1+o(|G|)))}\). Helfgott and Seress (2014) gave a quasipolynomial upper bound \(\exp {(\log {\log {|G|}})^{O(1)}}\), which is the best known upper bound for permutation groups.

Even after more than two decades of research in various areas (pure mathematics, computer sciences, cryptography, etc.), the hardness of the word problems is still difficult to break. For example, since suggested in Petit and Quisquater (2010b) as a challenge, it seems still open to solve the balance/representation/factorization problems for \(G=\mathrm {SL}_2 (\mathbb {F}_{2^n})\) with some specific generating set, which is tweaked from the generating set of Tillich and Zémor (1994). They also mentioned that it is an important challenge that we identify groups and their corresponding specific generating sets for the groups in which the balance, representation and factorization problems are difficult.

2.2 Lifting Attacks

In Zémor (1991), proposed the first scheme of hash functions from Cayley graphs upon \(\mathrm {SL}_2\) over a finite field having a large girth, which is the length of a shortest cycle. Right after the advent, Tillich and Zémor found a way to break Zémor’s scheme by a lifting attack and suggested its improved version with \(\mathrm {SL}_2\) over a finite field of characteristic 2. Tillich–Zémor’s scheme (Tillich and Zémor 1994) in resisted being cryptanalyzed for a decade and a half until Grassl et al. (2010) and Petit et al. (2009), Petit and Quisquater (2010a) found their collisions and even preimages in practical. A critical observation for both attacks is that the hardness of balance/representation/factorization problems does not change if we replace the generators for \(\mathrm {SL}_2(\mathbb {F}_{2^n})\) in order to use the Euclidean algorithm. Even Cayley hash functions based on LPS Ramanujan graphs proposed from Charles et al. (2009a) have been broken by Tillich and Zémor (2008) using a variant of a lifting attack.

In this subsection, we give a brief example of a lifting attack, which was used by Tillich and Zémor (2008). We have conditions on distinct prime numbers p and q that p and q satisfy \(p \equiv q \equiv 1 \pmod {4}\) and \(\bigl ( \frac{p}{q} \bigr )=1\). First, the elements of \(\mathrm {PSL}_2 (\mathbb {F}_q)\) are lifted to elements of \(\mathrm {SL}_2(\mathbb {Z}[\mathfrak {i}])\), where \(\mathfrak {i}\) is the imaginary unit. Even though the lifts of the generators do not generate the whole \(\mathrm {SL}_2(\mathbb {Z}[\mathfrak {i}])\) and only a subset \(\Omega \) of \(\mathrm {SL}_2(\mathbb {Z}[\mathfrak {i}])\) with specific conditions shown in Tillich and Zèmor (2008), the lifting attack still works because \(\Omega \) has a very simple nature as shown below.

\(\Omega =\bigg \{ \left[ \begin{matrix} x + \mathfrak {i} y &{} z + \mathfrak {i} w\\ -z + \mathfrak {i} w &{} x - \mathfrak {i} y \end{matrix}\right] \bigg | (x,y,z,w) \in E_\ell \text { for some integer } \ell >0 \bigg \},\)

where \(E_\ell \) is the set of 4-tuples \((x,y,z,w)\in \mathbb {Z}^4\) such that

\({\left\{ \begin{array}{ll} x^2+ y^2 + z^2 + w^2 = p^\ell &{} \\ x>0, x \equiv 1 &{} \pmod {2}\\ y \equiv z \equiv w \equiv 0 &{} \pmod {2}. \end{array}\right. }\)

Tillich and Zémor solved the representation problem by lifting the identity to \(\Omega \), which amounts to solving the norm equation

$$\begin{aligned} (\lambda + xq)^2 + 4(yq)^2 + 4(zq)^2 + 4(wq)^2 = p^\ell \end{aligned}$$

(3)

with \(\lambda , x, y, z, w \in \mathbb {Z}\) and \(\ell \in \mathbb {N}\) (Once the identity is lifted, reduction by q and factoring become trivial). The equation is solved as follows: we arbitrarily fix \(\ell = 2{\ell '}\) with \(p^{\ell '} > mq^2\) and \(\lambda + xq = p^{\ell '} - 2 m q^2\) for some m. We substitute them for each variable in the norm Eq. (3). The norm equation can be deformed by \(4q^2\), resulting in the equation of the form \(y^2 + z^2 + w^2 = N:=m(p^{\ell '}-mq^2)\).

The last equation is solved by generating random variables for w, checking the right parity to ensure that the resulting equation \(y^2 + z^2 = N' := N - w^2\) has a solution, and we finally solve this equation with the continued fraction method (or with the advanced Euclidean algorithm, Cornacchia’s algorithm, Pell’s equation).

Subsequently, most of the existing Cayley hash functions based on explicit Ramanujan graphs Chiu (1988), Lubotzky (1994), Morgenstern (1992) have been broken by variants of a lifting attack Jo et al. (2008), Petit et al. (2008), Tillich and Zémor (2017) as lifting attacks are able to solve the factorization/representation problems for each case. As we can see in Table 1, when we attack Cayley hash functions, we can apply a lifting attack, which corresponds to a norm equation of their base algebra with a Euclidean algorithm.

Table 1 Norm equations and N to Euclidean algorithm for Cryptanalysis on Cayley hashes

Thus, we want to make explicit Ramanujan graphs which have more various norm equations that use P and Q as coefficients (\(P \in \{2,3,5,7,13\}\) and \(Q \in \mathbb {P}\) satisfying \(Q \equiv 3 \pmod {8}, \big (\frac{-Q}{P}\big )=-1\) unless \(P=2\)). At the very least, for applying variants of a lifting attack, we should set up an attack corresponding to each norm equation. It is also possible to put partial information (P, Q or both) unrevealed during the process of hashing as a private key. From this, we can build the digital signature schemes which mainly resist variants of a lifting attack. This motivates the study of a generalization of LPS’s and Chiu’s Ramanujan graphs.

3 The Families of LPS-Type Graphs

Now we recall Ibukiyama’s construction (Ibukiyama 1982) of maximal orders of definite quaternion algebras over \(\mathbb {Q}\) which is ramified at given primes.

Proposition 1

(Ibukiyama 1982) Let r be an odd positive integer and \(P_1,P_2,\ldots ,P_r\) distinct prime numbers. Set \(M=P_1 P_2\cdots P_r\). Take a prime number Q such that \(Q\equiv 3\) \(\pmod {8}\) and \((\frac{-Q}{P_i})=-1\) for all i except for i with \(P_i=2\). Moreover, take an integer T such that \(T^2\equiv -M\) \(\pmod {Q}\). Then, \(\mathcal {A}_{\mathbb {Q}}(-M,-Q)\) is a definite quaternion algebra which is ramified only at \(\infty , P_1,P_2,\ldots ,P_r\). Moreover, let

$$ \omega _1=\frac{1+j}{2}, \quad \omega _2=\frac{i+k}{2} \quad \text {and} \quad \omega _3=\frac{Tj+k}{Q}. $$

Then, \(\mathcal {O}_{-M,-Q}=\mathbb {Z}+\mathbb {Z}\omega _1+\mathbb {Z}\omega _2+\mathbb {Z}\omega _3\) is a maximal order of \(\mathcal {A}_{\mathbb {Q}}(-M,-Q)\).

In Jo et al. (2018, 2020) a specific recipe for constructing LPS-type graphs is presented, and is shown below:

1. 1.

   Fix a \(p \in \mathbb {P}\).

2. 2.

   Take \(P \in \{2,3,5,7,13\}\) such that \(P \ne p\).

3. 3.

   We take a prime Q satisfying

   $$\begin{aligned} Q \equiv 3 \pmod {8}, \Bigl (\frac{-Q}{P}\Bigr )=-1 \text {~unless~} P=2 \end{aligned}$$

   and an integer T satisfying \(T^2 \equiv -P \pmod {Q}\). By Proposition 1, we have a definite quaternion algebra \(\mathcal {A}_{\mathbb {Q}}(-P,-Q)\) (i.e., \(i^2=-P, j^2=-Q,ij=-ji=k\)) and its maximal order \(\mathcal {O}=\mathcal {O}_{-P,-Q}=\mathbb {Z}+\mathbb {Z}\omega _1 +\mathbb {Z}\omega _2 +\mathbb {Z}\omega _3\) with class number 1, where

   $$\begin{aligned} \omega _1 = \frac{1+j}{2},~ \omega _2 = \frac{i+k}{2}\text { and } \omega _3 = \frac{Tj+k}{Q}. \end{aligned}$$
4. 4.

   Find all elements in \(\mathcal {O}^\times =\{\alpha \in \mathcal {O}\mid N(\alpha )=1\}\).

5. 5.

   Find all elements in \(\{\alpha \in \mathcal {O}\mid N(\alpha )=p \}\). Moreover, seek a suitable complete representative of \(\{\alpha \in \mathcal {O}\mid N(\alpha )=p \}/\mathcal {O}^\times \). Define S by the suitable complete representative. Then |S| is exactly equal to \(p+1\), which follows by the class number 1 condition [Chiu 1992, Proposition 3.4].

6. 6.

   Take a \(q \in \mathbb {P} \setminus \{2\} \) satisfying \(q \ne p, \bigl (\frac{-P}{q}\bigr )=\bigl (\frac{Q}{q}\bigr )=1\) and \(\bigl (\frac{p}{q}\bigr )=1\).

7. 7.

   Via the isomorphism \(\psi _q\) in Lemma 1 and using Lemma 2, we realize S as a subset of \(\mathrm {PSL}_2 (\mathbb {F}_q)\). Write \(S_{JSY}\) for the subset.

8. 8.

   We have a Cayley graph \(X^{(p,q)}_{P,Q}= \mathrm {Cay}(\mathrm {PSL}_2(\mathbb {F}_q), S_{JSY})\).

Table 2 Numerical results on the Ramanujan-ness of LPS-type graphs \(X=X^{(p,q)}_{P,Q}\)

In Table 2, we present some numerical results by Magma and MATLAB which show the Ramanujan-ness of our constructions. Actually, we will show in the next subsection that our LPS-type graphs are Ramanujan when \(P=13\), which is the only choice of \(P\in \{2,3,5,7,13\}\) such that \(\mathcal {O}^{\times }\) is equal to \(\{\pm 1\}\). For the cases of \(P\in \{2,3,5,7\}\), at present, we have no ideas to prove or disprove the Ramanujan-ness of our graphs.

3.1 Proof of the Ramanujan-Ness of Graphs \(X_{P,Q}^{(p,q)}\) when \(P=13\)

We show that our graph \(X^{(p,q)}_{P,Q}\) constructed as above is Ramanujan when \(P=13\). Let \(\mathcal {O}=\mathbb {Z}+\mathbb {Z}\omega _1+\mathbb {Z}\omega _2+\mathbb {Z}\omega _3\) be the maximal order we constructed as above for a fixed p, P, Q, T. Then, \(\mathcal {O}\) has the class number 1.

Take a complete representative \(S_{JSY}=\{\alpha _1,\ldots ,\alpha _{s}\}\cup \{\bar{\alpha }_1,\ldots ,\bar{\alpha }_{s}\}\cup \{\beta _1,\ldots ,\beta _{t}\}\) of \(\{\alpha \in \mathcal {O}\mid N(\alpha )=p \}/\mathcal {O}^\times \) so that \(\bar{\beta }_j = \epsilon _j\beta _j\) for some \(\epsilon _j \in \mathcal {O}^\times \) for every j. In this case, \(p+1=2s+t\). In the same way as [Coan and Perng 2012, Theorem 4.8] and [Lubotzky 1988, Lemma 3.1], we have the following:

Lemma 3

Any \(\alpha \in \mathcal {O}\) with \(N(\alpha )=p^k\) for some \(k\in \mathbb {N}\) is uniquely decomposed into the product

$$\alpha =\epsilon p^r R(\alpha _1,\ldots ,\alpha _s, \bar{\alpha }_1,\ldots ,\bar{\alpha }_{s}, \beta _1,\ldots ,\beta _t),$$

where \(\epsilon \in \mathcal {O}^\times \), \(r \in \mathbb {N}\) and \(R(\alpha _1,\ldots ,\alpha _s, \bar{\alpha }_1,\ldots ,\bar{\alpha }_{s}, \beta _1,\ldots ,\beta _t)\) is a reduced word of \(\alpha _1,\ldots ,\alpha _s, \bar{\alpha }_1,\ldots ,\bar{\alpha }_{s}, \beta _1,\ldots , \beta _t\) with length \(m=k-2r\).

The unit group \(\mathcal {O}^\times \) is \(\{\pm 1\}\) only when \(P=13\). In such a case, we can prove the Ramanujan-ness of our graph \(X_{P,Q}^{(p,q)}\) in the same way as Lubotzky (1988). For the variable \(v = {}^{}(x,y,z,w)\), we set

$$\begin{aligned} Q_{q}(v) = \,&x^2+qxy+q^2\left( \frac{1+Q}{4}\right) y^2+q^2Tyz \\&+q^2P\left( \frac{1+Q}{4}\right) z^2+q^2Pzw+q^2\left( \frac{P+T^2}{Q}\right) w^2. \end{aligned}$$

It is a positive-definite quadratic form of order 4 corresponding to the reduced norm on \(\mathcal {O}\). Let \(A_{q}\) be the symmetric matrix such that \(Q_{q}(v) = \frac{1}{2}{}^{t}vA_{q}v\), i.e.

$$A_{q}=\left[ \begin{matrix} 2 &{} q &{} 0 &{} 0 \\ q &{} \frac{q^2(1+Q)}{2} &{} 0 &{} q^2T \\ 0 &{} 0 &{} \frac{q^2P(1+Q)}{2} &{} q^2P \\ 0 &{} q^2T &{} q^2P &{} 2q^2\frac{P+T^2}{Q} \end{matrix}\right] .$$

Hence, \(A_q\) is an even matrix, i.e. \(A_q \in \mathrm{M}_4(\mathbb {Z})\) and every diagonal component is contained in \(2\mathbb {Z}\). The level of \(Q_q\) is defined as the smallest positive integer N such that \(NA_q^{-1}\) is an even matrix (cf. Schoeneberg 2012, Chap. IX). By \(\det (A_q) = P^2q^6\) and

$$A_q^{-1}= \frac{1}{P^2q^6} \left[ \begin{matrix} q^6\frac{1+Q}{2}P(\frac{P+T^2}{Q}) &{} -q^5P\left( \frac{P+T^2}{Q}+T^2 \right) &{} -q^5PT &{} q^5PT\frac{1+Q}{2} \\ -q^5P\left( \frac{P+T^2}{Q}+T^2 \right) &{} 2q^4P(\frac{P+T^2}{Q}+T^2) &{} 2q^4PT &{} -q^4PT(1+Q) \\ -q^5PT &{} 2q^4PT &{} 2q^4P &{} -PQq^4 \\ q^5PT\frac{1+Q}{2} &{} -q^4PT(1+Q) &{} -PQq^4 &{} q^4PQ\frac{(1+Q)}{2} \end{matrix}\right] ,$$

the level of \(Q_q\) is equal to \(Pq^2\).

Set \(r_{Q_q}(n):= |\{\alpha \in \mathcal {O}\ | N(\alpha )=n \}|\) for \(n \in \mathbb {N}\). Then, the theta series \(\Theta _{Q_q}(z) := \sum _{n=0}^{\infty }r_{Q_q}(n)e^{2\pi i n z} = \sum _{v\in \mathbb {Z}^4}e^{2\pi i Q_q(v)z}\) for \(z \in \mathbb {C}\) with \(\mathrm{Im}(z)>0\) is absolutely and locally uniformly convergent by [Schoeneberg 2012, Chap. IX, Sect. 1.1]. Referring to [Schoeneberg 2012, Chap. IX, Theorem 4] and [Schoeneberg 2012, Chap. IX, Theorem 5] for \(\mathbf {h}=\mathbf{0}\), the theta series \(\Theta _{Q_q}(z)\) is a holomorphic modular form of weight 2 and level \(\Gamma _0(Pq^2)\) with trivial nebentypus. Here, \(\Gamma _0(Pq^2)\) is the Hecke congruence subgroup of level \(P q^2\). We remark that \(Q_q, A_q, \Theta _{Q_q}\), are valid for a general \(q \in \mathbb {N}\).

Assume \(P=13\). Let \(\Lambda '\) be the set of all \(\alpha \in \mathcal {O}\) such that \(N(\alpha )=p^k\) for some \(k\in \mathbb {N}\). We define an equivalence relation on \(\Lambda \) so that \(\alpha \sim \beta \) means \(\alpha =\epsilon p^n\beta \) for some \(\epsilon \in \mathcal {O}^\times \) and \(n \in \mathbb {Z}\). Since \(\mathcal {O}^\times =\{\pm 1\}\) holds, the quotient set \(\Lambda :={\Lambda '/\sim } =\{ [\alpha ] \ | \ \alpha \in \Lambda '\}\) has a natural group structure by \([\alpha ][\beta ]=[\alpha \beta ]\). By Lemma 3, it is generated by \(S_{JSY}\), a complete representative of \(\{\alpha \in \mathcal {O}\mid N(\alpha )=p \}/\mathcal {O}^\times \), and \(\mathrm {Cay}(\Lambda , S_{JSY})\) is a \((p+1)\)-regular tree. The homomorphism \(\Lambda \rightarrow \mathrm {PSL}_2(\mathbb {F}_q)\) as a restriction of \(\psi _q\) of Lemma 1 induces \(\Lambda /\Lambda (q) \rightarrow \mathrm {PSL}_2(\mathbb {F}_q)\) with \(\Lambda (q)=\ker (\psi _q|_\Lambda )\). This homomorphism \(\Lambda /\Lambda (q) \rightarrow \mathrm {PSL}_2(\mathbb {F}_q)\) is surjective as in the theory of quadratic diophantine equations applied to the quadratic form \(Q_1\) (cf. Lubotzky et al. 1988, p. 267; Malishev 1962). Then our graph \(X_{13,Q}^{(p,q)} = \mathrm {Cay}(\mathrm {PSL}_2(\mathbb {F}_q), S_{JSY})\) is identified with \(\Lambda /\Lambda (q)\) as a graph.

For proving Ramanujan-ness, let \(\lambda _0=p+1>\lambda _1\ge \cdots \ge \lambda _{n-1}\) be the spectrum of the adjacency matrix of \(X_{13,Q}^{(p,q)}\) (so we set \(n=|X_{13,Q}^{(p,q)}|=|\mathrm {PSL}_2(\mathbb {F}_q)|\)). Then, we have only to show \(\theta _j \in \mathbb {R}\) for all \(j \in \{1, \ldots , n-1\}\), where \(\theta _j \in \mathbb {C}\) is taken so that \(\lambda _j=2\sqrt{p}\cos \theta _j\) for each \(j \in \{0, \ldots , n-1\}\). By the trace formula for a regular graph as in [Lubotzky 1988, p. 270–272 and p. 274, Remark 2], we have the expression

$$r_{Q_q}(p^k) = \frac{2p^{k/2}}{n}\sum _{j=0}^{n-1}\frac{\sin (k+1)\theta _j}{\sin \theta _j}.$$

Recall that this is the \(p^k\)-th Fourier coefficient of the modular form \(\Theta _{Q_q}\). Since the theta series is a sum of a linear combination of cuspidal Hecke eigenforms and that of Eisenstein series of weight 2 and level \(\Gamma _0(Pq^2)\), we may take a cusp form \(f_1\) and a non-cusp form \(f_2\) of weight 2 so that \(\Theta _{Q_q}=f_1+f_2\). Let a(m) and C(m) be the m-th Fourier coefficients of \(f_1\) and \(f_2\) at the cusp \(\infty \) for \(m \in \mathbb {N}\), respectively. Then, \(r_{Q_q}(p^k)\) has the following expression:

$$C(p^k)+a(p^k) = r_{Q_q}(p^k) =\frac{2p^{k/2}}{n}\sum _{j=0}^{n-1}\frac{\sin (k+1)\theta _j}{\sin \theta _j}.$$

By Deligne’s bound as a resolution of the Ramanujan–Petersson conjecture (Deligne 1969, 1974), we have \(|a(p^k)|=O_\epsilon (p^{k(1/2+\epsilon )})\). Due to the explicit nature of Fourier coefficients of Eisenstein series, C(m) can be described as \(C(m) = \sum _{d|m}F(d)\) for a periodic function \(F : \mathbb {N}\rightarrow \mathbb {C}\) (cf. Lubotzky 1988, p. 272). By \(\big (\frac{p}{q}\big )=1\) and \(\theta _0=i\log \sqrt{p}\), we have

$$C(p^k) = \frac{2}{n}\frac{p^{k+1}-1}{p-1}-a(p^k) + o(p^k)=\frac{2}{n}\frac{p^{k+1}-1}{p-1} +o(p^{k}).$$

By the Deligne bound of \(a(p^k)\) and [Lubotzky 1988, Lemma 4.4], we have \(C(p^k)=\frac{2}{n}\frac{p^{k+1}-1}{p-1}\) because of \(\big (\frac{p}{q}\big )=1\). As a consequence, for any \(\epsilon >0\),

$$\frac{2}{n}\sum _{j=1}^{n-1}\frac{\sin (k+1)\theta _j}{\sin \theta _j}=\frac{1}{p^{k/2}}O_\epsilon (p^{k(1/2+\epsilon )})=O_\epsilon (p^{k\epsilon }),$$

which leads us that every \(\theta _j\) for \(j\in \{1,\ldots , n-1\}\) is real. Therefore, we obtain \(|\lambda _j|\le 2\sqrt{p}\) for all \(j =1,\ldots , n-1\), which implies that \(X^{(p,q)}_{13, Q}\) is a Ramanujan graph.

We remark an adelic approach toward Ramanujan-ness. As we see [Costache et al. 2018, Sect. 7.2] (see also Lubotzky 1994, Theorem 7.1.1), we can prove the Ramanujan-ness of \(X_{P, Q}^{(p,q)}\) for \(P=13\) by using an adelic interpretation as well as by using the Jacquet–Langlands correspondence between automorphic representations of the adelic group \(\mathrm {GL}_2(\mathbb {A}_\mathbb {Q})\) and those of \(\mathcal {A}^\times (\mathbb {A}_\mathbb {Q})=(\mathcal {A}\otimes \mathbb {A}_\mathbb {Q})^\times \), which is the adelization of the anisotropic inner form \(\mathcal {A}^\times \) of \(\mathrm {GL}_2\).

4 Relationship Between LPS-Type Graphs and Pizer’s Graphs

While research in the field of Cayley-based cryptography has been declining, research in the field of Isogeny-based cryptography is quite robust, in part due to its key role in post-quantum cryptography.

However, it is also natural to investigate whether attacks on group word problems of Cayley hash functions based on LPS’s graphs are related to the problem of finding a path in an isogeny graph of supersingular elliptic curves, which is explained in detail in Charles et al. (2009b).

Costache et al. (2018) described a wide range of usage of Ramanujan graphs in cryptography and also pointed out some different aspects of LPS’s graphs and Pizer’s graphs with specific features. They presented the construction of LPS’s graphs as Cayley graphs, in terms of local double cosets. They used strong approximation (Costache et al. 2018, Sect. 7; Lubotzky 1994, Sect. 6.3) as a main tool to present the connection between local and adelic double cosets for LPS’s and Pizer’s graphs. They also compared the two types of graphs in an aspect of appearance by restricting the degree of the graphs (i.e. \(p=5\)).

In this section, we give some comparisons between LPS-type graphs and Pizer’s graphs as Costache et al. did. First, we describe Pizer’s Ramanujan graphs referred to in Pizer (1990, 1998), Costache et al. (2018).  

The families of Pizer’s graphs:

Pizer (1990, 1998) showed how to construct the family of Ramanujan graphs as follows: Let \(\mathcal {A}\) be the quaternion algebra over \(\mathbb {Q}\) that is ramified exactly at odd \(q\in \mathbb {P}\) and \(\infty \). We shall consider special orders, which are generalizations of Eichler orders, of level \(L=(q,M)\) and \(L=(q^2, M)\). The vertex set of Pizer’s graph \(G(L,p)\) shall be in bijection with (a subset of) the isomorphism classes of left ideals of an order. Since the class number of the order depends only on its level, we may write \(H(L)\) for it, which is equal to the size of such a graph. Notice that, by [Pizer 1998, Proposition 4.4], we have

$$\begin{aligned} H(q,M)=\frac{q-1}{12} M \prod _{d \mid M} (1+1/d)+ & {} {\left\{ \begin{array}{ll} \frac{1}{4} \Bigl (1-\bigl (\frac{-4}{q}\bigr )\Bigr ) \prod _{d \mid M} \Bigl (1+\bigl (\frac{-4}{d}\bigr )\Bigr ) &{} \text {if~}4 \not \mid M \\[10pt] 0 &{} 4 \mid M \end{array}\right. } \\+ & {} {\left\{ \begin{array}{ll} \frac{1}{3} \Bigl (1-\bigl (\frac{-3}{q}\bigr )\Bigr ) \prod _{d \mid M} \Bigl (1+\bigl (\frac{-3}{d}\bigr )\Bigr ) &{} \text {if~}9 \not \mid M \\[10pt] 0 &{} \text {if~}9 \mid M \end{array}\right. } \end{aligned}$$

and

$$\begin{aligned} H(q^2, M)=\frac{q^2-1}{12} M \prod _{d \mid M} (1+1/d)+ & {} {\left\{ \begin{array}{ll} 0 &{} \text {if~}q \ge 5 \\[10pt] \frac{4}{3} \prod _{d \mid M} \Bigl (1+\bigl (\frac{-3}{d}\bigr )\Bigr ) &{} \text {if~}q=3. \end{array}\right. } \end{aligned}$$

Here, the product is over all primes d dividing M.

We give a definition of a Brandt matrix. Let \(\{I_1, I_2, \dots , I_{H}\}\) with \(H=H(L)\) be a complete representative of the left ideal classes of \(\mathcal {O}\). For each \(i \in \{1, \ldots , H\}\), let \(\mathcal {O}_i\) be the right order of the ideal \(I_i\), and \(e_i\) be the number of \(O_i^{\times }\). For \(n\in \mathbb {N}\), the Brandt matrix \(B(L;n)=\bigl [b_{i,j}^{(n)}\bigr ]\) associated to an order of level \(L\) is a square matrix of size \(H(L)\) having (i, j)-entry

$$\begin{aligned} b_{i,j}^{(n)} = e_j^{-1} \cdot |\{\alpha \in I_j^{-1} I_i \ | \ N(\alpha ) N(I_j) / N(I_i) =n \}|, \end{aligned}$$

where N(I) is the norm of an ideal I defined as the greatest common divisor of the norms of its nonzero elements. Let p be a prime which is coprime to qM. If we restrict the parameters p and q, the edge set of \(G(L,p)\) is given by a Brandt matrix \(B(L;p)\), namely, the adjacency matrix of \(G(L,p)\) is given by \(B(L;p)\). By [Pizer 1998, Proposition 4.6], we see that \(G(L,p)\) is undirected (i.e. \(B(L;p)\) is symmetric) when \(L=(q,M)\) with \(q\equiv 1 \pmod {12}\) and \(L=(q^2, M)\) with \(q>3\). Moreover, it has no loops if \(\mathrm {tr} B(L;p)=0\) and no multiple edges if \(\mathrm {tr}B(L;p^2)=H(L)\) (Pizer 1998; Costache et al. 2018). The regularity \(p+1\) of \(G(L,p)\) and its connectedness can be obtained from using \(B(L;p)\) as the adjacency matrix, as shown in [Pizer 1998, Proposition 5.1]. We summarize the necessary properties of the families of Pizer’s graphs \(G(L,p)\) in Table 3.

 

Table 3 The families of Pizer’s graphs \(G(L,p)\)

4.1 Similarities and Differences

As Costache et al. (2018) argued, we explicate the similarities and differences among LPS, LPS-type and Pizer’s graphs from a number-theoretic perspective. These families can be viewed as sets of local double cosets, i.e. as graphs of the form

$$ \Gamma \backslash \mathrm {PGL}_2 (\mathbb {Q}_p)/\mathrm {PGL}_2(\mathbb {Z}_p), $$

where \(\Gamma \) is a discrete cocompact subgroup.

Discrete local double cosets (LPS-type) Let p be a split prime in \(\mathcal {A}\). For \(N\in \mathbb {N}\), we set

$$\Gamma (N):=\ker (\mathcal {A}^\times (\mathbb {Z}[p^{-1}]) \rightarrow \mathbb {Z}[p^{-1}]^\times \backslash \mathcal {A}^\times (\mathbb {Z}[p^{-1}]/N\mathbb {Z}) \ ). $$

It is a discrete cocompact subgroup in \(\mathcal {A}_p^\times \). We have

$$\mathrm {Cay}(\mathrm {PSL}_2(\mathbb {F}_q), S) \cong \Gamma (q) \backslash \mathrm {PGL}_2(\mathbb {Q}_p)/ \mathrm {PGL}_2(\mathbb {Z}_p) $$

for some suitable S.

For LPS-type graphs, the local double cosets are also isomorphic to adelic double cosets, but in this case the corresponding set of adelic double cosets is smaller relative to the quaternion algebra and we do not have the same chain of isomorphisms as shown below. On the other hand, Pizer’s graphs, via strong approximation (Costache et al. 2018; Lubotzky 1994), can be viewed as graphs on adelic double cosets which are in turn the set of classes of an order of \(\mathcal {A}\) that is related to a discrete cocompact subgroup \(\Gamma \). Moreover, the class set \(\mathrm {Cl}(\mathcal {O})\) of a maximal order \(\mathcal {O}\) from Pizer’s graph is in bijection with supersingular elliptic curves (Charles et al. 2009b, Sect. 5.3.1) and offers convincing evidence that an isomorphism is obtained with a supersingular isogeny graph (\(\mathrm {SSIG}\)).

The chain of isomorphisms

(LPS)

$$\begin{aligned} \mathrm {Cay}(\mathrm {PSL}_2 (\mathbb {F}_q),S_{LPS}) \cong \Gamma (2q) \backslash \mathrm {PGL}_2(\mathbb {Q}_p) / \mathrm {PGL}_2(\mathbb {Z}_p) \end{aligned}$$

(LPS-type with \(P=13\))

$$\begin{aligned} \mathrm {Cay}(\mathrm {PSL}_2 (\mathbb {F}_q),S_{JSY}) \cong \Gamma (q) \backslash \mathrm {PGL}_2(\mathbb {Q}_p) / \mathrm {PGL}_2(\mathbb {Z}_p) \end{aligned}$$

(Pizer)

$$\begin{aligned} \mathcal {O}[p^{-1}]^\times \backslash \mathrm {GL}_2(\mathbb {Q}_p) / \mathrm {GL}_2(\mathbb {Z}_p) \cong \mathrm {Cl}(\mathcal {O}) \cong \mathrm {SSIG} \end{aligned}$$

Each of the underlying quaternion algebras vary with their own choice of parameters. In the case of LPS’s graphs, we use the Hamiltonian quaternion algebra, ramified at 2 and \(\infty \) and split at p. In the case of LPS-type graphs, we use the definite quaternion algebra, ramified at 13 and \(\infty \) and split at p. Varying the parameter q, we can have different Ramanujan graphs of LPS and LPS-type, depending on the congruence subgroup \(\Gamma (2q)\) and \(\Gamma (q)\), respectively, without changing each of their underlying quaternion algebras. On the other hand, in the case of Pizer’s graphs, we use the definite quaternion algebra, ramified at q and \(\infty \).

5 Open Problems

It is unknown whether the link exists between the hardness of the path-finding problem in Supersingular Isogeny (Pizer) graphs and the the hardness of group word problems in Cayley-type Ramanujan graphs. If it is possible to connect those two problems theoretically or schematically, there are some expected ways to analyze the hardness of the path-finding problem in Pizer’s graphs by employing the approach previously used for Cayley graphs. As a part of these approaches, it is also important to investigate much more general versions of explicit constructions of Ramanujan graphs. It is in the process to construct the family of \((2p+1)\)-regular graphs, where p is an Eichler prime based on the quaternion algebra with an explicit construction of Eichler order having class number 1 in Jo et al. (2020). We now study the Ramanujan-ness of these graphs by similar arguments in LPS-type graphs.

Additionally, even though it is difficult to predict that Pizer’s graph can be represented as a Cayley graph over a group with respect to a suitable generating set (actually, all graphs with a small number of vertices, suggested as examples in Pizer 1998 are not Cayley graphs), it is not clear whether a Pizer’s graph with a sufficiently large number of vertices is a Cayley graph or not.