1 Introduction
LPS graphs were introduced by Lubotzky, Philipps and Sarnak [9]. LPS graphs are Ramanujan graphs, namely, they are graphs with optimal expansion properties, and they have many applications in mathematics and computer science [8].
In [2], Charles, Goren and Lauter introduced a cryptographic hash function whose security relied on the presumed computational intractability of computing short paths between arbitrary pairs of vertices in the graph.
Due to the algebraic nature of LPS graphs this problem can also be stated in group-theoretic terms: given the group G=PSL(2,𝔽p) and particular set of generators, and given an element of G, find a short factorization of this element as a product of the generators.
This problem was later solved in [16, 11], leading to a full cryptanalysis of the cryptographic construction.
The quality of a path-finding algorithm is measured by its running time, but also by the lengths of the paths returned. In this paper we are interested in minimizing this length while keeping a polynomial run time complexity.
While the algorithm in [11] returns paths that are a priori optimal up to a constant factor 16/3, we improve this algorithm and decrease this factor down to 7/3 under several plausible heuristic conditions.
Similarly to [11], we first solve the case of diagonal matrices, and then we reduce the general case to this case.
Our algorithm improves both the diagonal case and the reduction, and for the diagonal case, it returns factorizations with lengths very close to the expected minimal.
LPS graphs have recently been suggested for quantum circuit design.
In this setting LPS generators correspond to elementary quantum gates, and they are combined to approximate arbitrary quantum gates on a single qbit.
Interestingly, an algorithm similar to our diagonal algorithm has been independently developed in that context [1, 12]. It was later transposed to our setting [13], resulting in an algorithm very similar to our algorithm in the diagonal case.
It seems very likely that our other improvement (reducing from the general case to the diagonal case) can also be adapted to the problem of quantum circuit design; this will be the purpose of a future paper.
1.1 Outline
The paper is organized as follows.
Section 2 describes LPS graphs and previous path-finding algorithms for these graphs.
Section 3 gives an optimal algorithm when the optimal solution is short. Section 4 describes the diagonal case.
Section 5 gives our new reduction and describe the full algorithm. Section 6 gives experimental support to our heuristic analysis and Section 7 concludes the paper.
2 Path-finding algorithms in LPS Ramanujan graphs
In this section we recall the definition of LPS graphs and we briefly describe previous path-finding algorithms in these graphs. In our exposition we mostly follow [16, 11], and we refer to those papers for details and proofs.
2.1 LPS Ramanujan graphs
In this paper p and ℓ will be two distinct primes congruent to 1 modulo 4 such that ℓ is a quadratic residue modulo p. We think of p and ℓ as being, respectively, “large” and “small” primes, and in fact in our complexity estimates we will assume ℓ=O(1).
We denote the finite field with p elements by 𝔽p.
With an abuse of notation, we will often identify elements of 𝔽p and integers in {0,1,…,p-1}.
For any ring R, we write GL2(R) and PSL2(R), respectively, for the general linear group and the projective special linear group of rank 2 over R.
We define G:=PSL2(𝔽p).
We write I for the identity matrix in any of those matrix groups.
We denote by B=ℚ[i,j] the quaternion algebra over the rationals generated by two elements i and j such that i2=j2=-1 and k:=ij=-ji.
For any q=a+bi+cj+dk∈B, the conjugate of q is q¯:=a-bi-cj-dk and the norm of q is n(q)=qq¯=a2+b2+c2+d2.
Note that the norm is multiplicative: for any q1,q2∈B, we have n(q1q2)=n(q1)n(q2).
With some abuse of notation, we also use the symbol i for the imaginary unit, and we denote the Gaussian integers by ℤ[i].
The map σ:GL2(ℤ[i])→B, defined by
m=(a+bic+di-c+dia-bi)→σ(m)=a+bi+cj+dk,
is an isomorphism of algebras.
Note that we have detm=n(σ(m)), and that both σ and its inverse are efficiently computable.
For any matrix m=(a+bic+di-c+dia-bi)∈GL2(ℤ[i]), we define its conjugate matrix by m¯:=(a-bi-c-dic-dia+bi).
Clearly, we have m¯¯=m and σ(m¯)=σ(m)¯.
Following [16], for any integer e≥1, we define Ee as the set of 4-tuples (a,b,c,d)∈ℤ4 such that
a2+b2+c2+d2=ℓe,
a>0,a=1mod2,
b=c=d=0mod2.
Up to multiplication by a unit, there are ℓ+1 elements of norm ℓ in B; these correspond to elements of E1.
We also denote by Σ the set of matrices corresponding to E1, and we define
Ω:={(a+bic+di-c+dia-bi)|(a,b,c,d)∈Ee for some integer e>0}.
Note that Σ is symmetric in the sense that for any s∈Σ, there exists s′=s¯∈Σ with ss′=ℓI.
An important observation for the path-finding algorithms below is that matrices in Ω admit essentially unique factorizations in the elements of Σ.
Lemma 2.1 ([16, 9, 5, 15]).
Any matrix in Ω can be expressed in a unique way as a product
M=±ℓrM1M2⋯Me,
where logℓ(det(M))=e+2r and Mi∈Σ and MiMi+1≠ℓI for i=1,…,e-1.
LPS graphs were introduced by Lubotsky, Philips and Sarnak in [9].
Let ι∈𝔽p such that ι2=-1.
Reduction modulo p extends into a group homomorphism ϕ:GL2(ℤ[i])→G defined by
ϕ(a+bic+di-c+dia-bi)=(a+bιc+dι-c+dιa-bι).
Let S={ϕ(s)∣s∈Σ} be the set of images of elements in Σ through the homomorphism ϕ.
The LPS graph for the parameters p and ℓ is the Cayley graph constructed from the group G and the generator set S; in other words it is a graph whose vertices correspond to the elements of G, and such that there is an edge between two vertices corresponding to g1 and g2 if and only if there is an element s∈S such that g2=g1s.
This graph is an undirected (ℓ+1)-regular graph.
For any fixed ℓ and increasing p, LPS graphs form a family of Ramanujan graphs, in other words, they are optimal expander graphs [9, 8].
LPS graphs were used by Charles, Goren and Lauter in [3] to construct families of cryptographic hash functions. The security arguments for the construction relied on the hope that there was no efficient algorithm to solve the following computational problem.
Problem 2.2.
Let p,ℓ,G,S as above, and let m∈G. Write m as a “short” product of elements in S.
The recommended parameters in [3] are ℓ=5 and p a 1024-bit prime.
For practical purposes “short” could be given a concrete value such as 240; in this paper we consider a product as short when it is made of at most L products, where L is a polynomial function of logp.
This is consistent with the definition of Babai’s conjecture on the diameter of simple groups, as formulated by Helfgott in [7].
2.2 Finding paths in LPS graphs
In this paper, we are interested in algorithms to solve Problem 2.2 or, equivalently, to compute short paths between any two vertices in LPS graphs.
Let all notations be as above, and let m be a matrix in G that we want to write as a short product of elements from the set S.
The algorithm of Petit, Lauter and Quisquater [11] first decomposes the matrix m as a product
(2.1)m=λ⋅D1⋅s⋅D2⋅s⋅D3⋅s⋅D4,
where λ∈𝔽p*, the factors Di are diagonal matrices with a non-zero square determinant, and s is a particular (arbitrary) generator in the set S. As the equation is over the projective special linear group, each diagonal matrix can be normalized as Di=(100αi).
Equation (2.1) then amounts to a small polynomial system with four equations and five variables. The algorithm given in [11] to solve this system picks random solutions until all αi are square, and it is heuristically expected to need 16 trials on average.
Petit, Lauter and Quisquater [11] also provide an algorithm to factor any diagonal matrix with square determinant in a short product of the generators S. This algorithm extends a previous algorithm from Tillich and Zémor [16] for the identity matrix.
First the diagonal matrix is lifted into an element of Ω, then a factorization of this element as a product of the elements of Σ is computed. The factorization of the input diagonal matrix in the elements of S=ϕ(Σ) follows by the group homomorphism ϕ.
We now give some details on the first and second step.
Let m=(A+Bι00A-Bι)∈G be a diagonal matrix with detm=A2+B2 a square.
The lifting step consists in finding e∈ℕ and λ,w,x,y,z∈ℤ with
(2.2){(Aλ+wp)2+(Bλ+xp)2+4p2(y2+z2)=ℓe,Aλ+wp=1mod2,Bλ+xp=0mod2.
After fixing e large enough, Petit, Lauter and Quisquater solve the norm equation modulo p; as A2+B2 is a square, this gives two possible values for λ and one is picked randomly.
Next, the norm equation is considered modulo p2; this gives a bilinear equation in w and x, and a random solution is selected.
At this point, the norm equation is considered over the integers, and it gives
4(y2+z2)=n,
where
(2.3)n:=(ℓe-(Aλ+wp)2-(Bλ+xp)2)/p2∈ℤ
for λ,x,z chosen as before.
This equation has a solution whenever n/4 is an integer, and all prime factors of n congruent to 3 modulo 4 appear an even number of times in the factorization of n.
To avoid a costly factorization step, Petit, Lauter and Quisquater suggest to pick random solutions for (w,x) until n is 4 times a prime congruent to 1 modulo 4. Suitable values for (y,z) are then computed with Cornacchia’s algorithm [4].
Taking e larger than log8p4≈4logp ensures that n is positive in this algorithm.
Once the integers e,λ,w,x,y,z are found, they give a matrix
m~=((A+wp)+(B+xp)i2yp+2zpi-2yp+2zpi(A+wp)-(B+xp)i)∈Ω,
reducing to m modulo p.
Remember that by Lemma 2.1 factorization is essentially unique in Ω.
Tillich and Zémor showed in [16] how to recover all the factors successively: for any s∈Σ, we have m~=m~′s with m~′∈Ω if and only if m~s-1∈Ω.
Algorithm 1 (Factorization in Ω.).
The correctness and running time of this algorithm are analyzed in the following lemma.
Lemma 2.3.
For any m~∈Ω, Algorithm 1 successively recovers the factorization given by Lemma 2.1, in a time O(logℓ2detm~).
Proof.
Let m~∈Ω and det(m~)≠1.
Then there is a unique s∈Σ such that m~=m~′s with m~′∈Σ, by Lemma 2.1.
Therefore, there is an equally unique s′=s¯∈Σ such that ss′=ℓI and m~′ss′ is divisible by ℓ.
This way, by iterating over Σ, the algorithm always finds the matrix s if det(m~)≠1, adding it to the beginning of the list ℒ, and finishes when det(m~)=1.
In the end, ℒ holds the complete factorization in the right order for m~ on elements of Σ.
As for the running time, one can write all coefficients of m~ in base ℓ in O(logℓdetm~) bit operations, after which step 3 becomes trivial.
The while loop is executed logℓdetm~ times and each iteration requires O(ℓ2)=O(1) multiplications of a O(logℓdetm~) length element by a O(ℓ)=O(1) length element, and each of them requires O(logℓdetm~) bit operations.
∎
The algorithm of this paper will incorporate two crucial improvements over Petit, Lauter and Quisquater’s algorithm to reduce factorization lengths from 16logℓp to (7+o(1))logℓp.
In Section 4 we will reduce the factorization lengths for diagonal matrices from 4logℓp to (3+o(1))logℓp.
In Section 5 we show how to factor arbitrary matrices with two diagonal matrices plus a third matrix with factorization length logℓp.
We will provide an alternative method to reduce the general factorization problem to the factorization of only two diagonal matrices instead of four.
3 Algorithm for short paths
Our first algorithm computes the shortest path between any two matrices when the length of this shortest path is short enough.
This is useful in a cryptanalysis of the Charles–Goren–Lauter hash function assuming short messages are hashed.
The algorithm relies on the following simple observation: when the products are short, then no reduction modulo p occurs and the lifting step required in previous algorithms [11, 16] becomes trivial.
Lemma 3.1.
Let m be a product of at most ⌊2logl(p/2)⌋ matrices in Σ. Then there exist integers A,B,C,D∈[-⌈p2⌉,⌊p2⌋] such that m=(A+BiC+Di-C+DiA-Bi).
Proof.
Let m=m1⋯mk=(A+BiC+Di-C+DiA-Bi) be a product of k matrices in Σ. Then, we know that
detm=A2+B2+C2+D2=ℓk.
If we choose k to be at most 2logl(p/2), then
A2+B2+C2+D2=ℓk≤ℓ2logl(p/2)=p24.
This implies that A,B,C,D∈[-⌈p2⌉,⌊p2⌋].
∎
More generally, let m1,m2∈G such that there exists a product m of at most ⌊2logl(p/2)⌋ matrices in ϕ(Σ) such that m2=m1m. For every possible length e up to ⌊2logl(p/2)⌋, Algorithm 2 normalizes the matrix to ensure its determinant is ℓe.
Then it writes the result in the form (a+bιc+dι-c+dιa-bι) and it checks whether a,b,c,d are small enough to be lifted directly to Ω. When the correct factorization length is identified the algorithm then proceeds as in the Tillich–Zémor algorithm to compute all the factors.
Algorithm 2 (Short path algorithm.).
We remark that there is at most one value of e≤⌊logl(p)⌋ so that the algorithm succeeds: indeed, the girth of LPS graphs is larger than 2logℓp when ℓ is a quadratic residue modulo p, see [9].
Lemma 3.2 below gives the complexity of this algorithm.
Lemma 3.2.
Let m1,m2∈G such that m2-1m1 has a factorization of length e≤⌊2logℓ(p/2)⌋ in the elements of ϕ(Σ). Then Algorithm 2 returns the smallest such factorization using O~(logℓ2p) bit operations.
Proof.
Step 2 requires to compute a determinant, a square root modulo p and a division modulo p.
One can also precompute the square root of ℓ modulo p and the matrix mℓ between steps 2 and 3, and compute mℓe in step 4 as ℓ⋅(mℓe-2).
Given the matrix mℓe=(ABCD), one can complete step 4 by computing
a=A+D2modp, b=A-D2i=-iA-D2, etc.
This requires a few divisions by 2 and a few full multiplications modulo p.
As the cost of a square root is O(logp) multiplications, and as multiplying and dividing by small integers requires a few additions, the cost of the whole algorithm up to step 8 is bounded by O(logp) multiplications, which is O~(log2p) bit operations.
By Lemma 2.3 the last step is faster than this, so the whole algorithm costs O~(log2p) bit operations.
∎
4 Improved algorithm for diagonal matrices
We now turn to diagonal matrices, and improve the algorithm of Petit, Lauter and Quisquater [11] to return factorizations of length (3+o(1))logp instead of 4logp. A similar algorithm was independently suggested in [13].
Let m=(A+Bι00A-Bι)∈G be a diagonal matrix with determinant (A2+B2) a quadratic residue modulo p.
If B=0 then m is the identity matrix and it admits a trivial factorization. So we now assume B≠0.
Our algorithm follows the lines of Petit, Lauter and Quisquater’s algorithm sketched in Section 2.2. Recall that in this algorithm we need e≈4logp to ensure that the value n defined by equation (2.3) is positive. In their algorithm (w,x) is chosen as a random solution to the norm equation modulo p2 such that n is of a form that makes Cornacchia’s algorithm efficient.
Our main idea for the algorithm of this section is to choose (w,x) not randomly but
to minimize the value (Aλ+wp)2+(Bλ+xp)2,
while keeping n=(ℓe-(Aλ+wp)2-(Bλ+xp)2)/p2 of a form that makes Cornacchia’s algorithm efficient.
We now show how to model the minimization problem as a variant of a closest vector problem in a two-dimensional lattice, which can then be solved using classical techniques such as lattice reduction, the Euclidean algorithm, or equivalently continued fractions.
Let e be a positive integer (to be fixed later) and let λ∈ℤ such that λ2(A2+B2)=ℓemodp. Let w0=1 if Aλ is even and w0=0 otherwise. Similarly, let x0=0 if Bλ is even and x0=1 otherwise.
For any couple (x,y) that is part of a solution to system (2.2), there corresponds a couple of integers (w′,x′) such that w=w0+2w′ and x=x0+2x′.
Moreover, we have
(Aλ+(w0+2w′)p)2+(Bλ+(x0+2x′)p)2=ℓemodp2,
or equivalently
(4.1)αw′+x′=βmodp,
where we defined
α:=A/Bmodp,β:=(ℓe-λ2(A2+B2)p-2λ(Aw0+Bx0))/4λBmodp.
We observe that the solutions to equation (4.1) are obtained by translation of a certain lattice.
Lemma 4.1.
The set of solutions (w′,x′)∈Z2 to equation (4.1) is the set L+(0,β)={v+(0,β)∣v∈L}, where L is the two-dimensional lattice generated by the vectors (1,-α) and (0,p).
We then re-write the norm we want to minimize as the distance between a particular element in the Euclidean plane and a lattice element:
(Aλ+(w0+2w′)p)2+(Bλ+(x0+2x′)p)2=4p2∥v-t∥2,
where v:=(w′,x′)-(0,β) is a lattice point and t:=(-Aλ+w0p2p,-Bλ+x0p2p-β).
Minimizing this norm is an instance of the closest vector problem for which standard algorithmic solutions exist [10].
We adapt these solutions to incorporate the additional requirement that n:=ℓe-4p2∥v-t∥2 is of a form that makes Cornacchia’s algorithm efficient.
Our strategy is to first compute a minimal basis for the lattice, namely, two vectors that generate the lattice and have minimal norms.
This can be done using Gauss reduction, or equivalently the Euclidean algorithm.
We then write t as a linear combination of the two short vectors, and we round the coefficients to obtain a lattice vector v that is close to t. Finally, we add small lattice vectors to v and compute the corresponding value of n, until it is of a suitable form.
Once we find n of a suitable form, we compute the values of w and x and we apply Cornacchia’s algorithm to compute y and z.
In our algorithm we start with an a priori sufficient value e=3logℓp+loglogℓp, determined by our complexity analysis below, and then we increase e during the course of the algorithm if no n value of a suitable form can be found.
This strategy is described in Algorithm 3.
Algorithm 3 (Diagonal matrix algorithm.).
While the algorithm of Petit, Lauter and Quisquater returns factorizations of length 4logℓp, we expect our algorithm to return factorizations of length (3+o(1))logℓp.
Our analysis in the proof of the following lemma relies on the probability that the number n generated by the algorithm is a prime. We approximate this by the probability that random numbers of the same size are prime. The analysis also relies on the so-called “Gaussian heuristic”: the two vectors in a minimal basis are expected to be of norm roughly detℒ.
This will be true for most inputs, but for exceptional inputs one of these vectors may be significantly larger than the other one, in which case the best achievable bound is (4+o(1))logℓp.
We refer to [13] for a more thorough analysis on a very similar algorithm, and to [14] for some progress on the heuristic assumptions involved in this analysis.
Lemma 4.2.
Let m∈G be a diagonal matrix, not equal to the identity. Then under plausible heuristic assumptions Algorithm 3 requires O~(log3p) bit operations and for most inputs it returns factorizations of lengths e=(3+o(1))logℓp.
Proof.
The Correctness of the algorithm follows from our description above; we therefore focus on expected length and running time.
The lattice ℒ has discriminant p, therefore, by the Gaussian heuristic, we can expect that it contains a basis of vectors of length approximately p1/2.
As a result, the minimal value of (Aλ+wp)2-(Bλ+xp)2 satisfying the norm equation modulo p2 is of size approximately p3, and we must take e at least 3logℓp.
This minimal value, however, may not lead to an n of the correct form for Cornacchia’s algorithm, so our algorithm tries other short vectors in the lattice. Following estimates given by the prime number theorem, we heuristically expect that O(logp3)=O(logp) trials will be necessary and sufficient. As a result we can correct our estimate for (Aλ+wp)2-(Bλ+xp)2 to approximately p3logp, and expect that e≈3logℓp+loglogℓp will be sufficient.
We now analyze the running time of the algorithm.
As argued above, we only expect to test O(1) values for e.
The main complexity parts come from the lattice reduction algorithm, O(logp) pseudoprimality tests (on numbers that we heuristically assume to behave like random numbers of the same size), one execution of Cornacchia’s algorithm and one execution of Algorithm 1.
The lattice reduction in dimension 2 and Cornacchia’s algorithm are both variants of the Euclidean algorithm and require O~(log2p) bit operations. The primality tests can be done using the Miller–Rabin pseudo-primality test; this requires O(1) modular exponentiations for most random numbers and O(logp) modular exponentiations for prime numbers, in other words, O~(log3p) operations in total.
This dominates the cost of Algorithm 3, as the cost of Algorithm 1 is less than that.
∎
Note that paths of length about 3logℓp are expected to be necessary and sufficient for random matrices in G (since G is of size roughly p3/2). We therefore expect that the factorizations we compute are close to optimal ones unless diagonal matrices are particularly close to the identity in LPS graphs, which there is no reason to believe a priori.
5 Improved algorithm in the general case
We now consider the case of arbitrary matrices in G. In [11] Petit, Lauter and Quisquater showed how to factor general matrices with four diagonal matrices, for a total factorization length of 16logℓp. Here we factor general matrices with just two diagonal matrices and one matrix in Ω, for a total expected length of (7+o(1))logp.
Let J:=(01-10).
We will use the following lemma.
Lemma 5.1.
Let a,b,c,d∈Z.
We have
(a+bic+di-c+dia-bi)=(a+bi00a-bi)+(c+di00c-di)J,
J(a+bi00a-bi)=(a-bi00a+bi)J.
These properties
are of course preserved by reduction modulo p through the homomorphism ϕ.
For any diagonal matrix D=(a+bi00a-bi), we define its conjugate D¯=(a-bi00a+bi), which is equal to D-1 up to a scalar factor.
Let m∈G. Our strategy is to find a matrix m2∈Ω and two diagonal matrices m1,m3∈G such that
(5.1)m1m=ϕ(m2)m3,
and then to use the factorization algorithms for Ω elements and diagonal matrices to compute a factorization of m.
(Note that since the inverse of any element in Σ is also in Σ a factorization of m1, it will also give a factorization of m1-1.)
Following Lemma 5.1, we write m=D+EJ, with D,E diagonal matrices in G, and similarly we write m2=X2+Y2J, with X2,Y2 matrices of the form (w+xi00w-xi).
We also define X1:=m1 and X3:=m3 to highlight that they are diagonal matrices.
Equation (5.1) and the requirement that m2 is in Ω then lead to the following system:
(5.2){X1D=ϕ(X2)X3,X1E=ϕ(Y2)X3¯.
Taking the determinants of both equations and dividing one by another, we deduce
detDdetE=detX2detY2modp.
Since we require m2∈Ω, we also have
detX2+detY2=ℓe
for some positive integer e.
These last two equations together fix the determinants of X2 and Y2 up to a multiple of p, for each value of e:
(5.3)detX2=detDdetm⋅ℓemodp,detY2=detEdetm⋅ℓemodp.
Given the determinant d of a matrix of the form (w+xi00w-xi), we can recover suitable values for w and x by solving the Diophantine equation w2+x2=d; this can be done efficiently as long as a factorization of d is known and all prime factors congruent to 3 modulo 4 appear an even number of times.
In our algorithm (Algorithm 4 below), we will fix e a priori to ⌈logℓp⌉, then try every possible value of detX2<ℓe consistent with its value modulo p, and deduce detY2=ℓe-detX2, until both detX2 and detY2 are a power of 2 times a prime congruent to 1 modulo 4. As in previous algorithms, this restriction may lead to suboptimal factorization lengths but it allows to avoid a costly factorization step.
Once the condition is satisfied, we apply Cornacchia’s algorithm on both detX2 and detY2 to obtain X2 and Y2, and we deduce the matrix m2. If no suitable values for detX2 and detY2 are found, we simply increase e and try again.
Let us now assume that X2 and Y2 are fixed as above.
From system (5.2), we deduce
(5.4){X1=ϕ(X2)X3D-1=ϕ(Y2)X3¯E-1,X3=ϕ(X2)-1X1D=E¯X1¯ϕ(Y2¯)-1.
As diagonal matrices commute, each of these two equations can be rewritten in the form
XiKi=Xi¯
for i=1,3 and some known diagonal matrices Ki.
Moreover, by the way we constructed X2 and Y2, we have detKi=1.
Algorithm 4 (General factorization algorithm.).
If Ki is the identity, then we can take the identity for Xi.
Otherwise, we write Xi=(w+xι00w-xι) and Ki=(w0+x0ι00w0-x0ι) for unknown w,x and known w0,x0, and we deduce the following system:
(w0-1-x0x0w0+1)(wx)=(00).
Moreover, since det(w0-1-x0x0w0+1)=w02+x02-1=detKi-1=0, this system is equivalent to the single equation
(w0-1)w-x0x=0,
where w0-1 and x0 are both non-zero, as otherwise Ki would be the identity.
We can therefore choose w=x0 and x=w0-1, in other words,
Ki=(x0+(w0-1)ι00x0-(w0-1))ι).
In order to call our diagonal matrix factorization algorithm on X1 and X3, we also need their determinants to be quadratic residues modulo p.
By assumption, detm and detm2=ℓe are quadratic residues, so either both detX1 and detX3 are quadratic residues or none of them is.
In our algorithm when they are non-quadratic residues we just search for new values of detX2 and detY2.
In addition to the heuristic involved in Lemma 4.2, Algorithm 4 requires other heuristics related to the probability to find suitable determinants for X2 and Y2 that are not too large, and the probability that both diagonal matrices have square determinant.
Under these heuristics, the runtime complexity and the output of this algorithm are given by the following lemma.
Lemma 5.2.
Let m∈G.
Then, under plausible heuristic assumptions, Algorithm 4 requires O~(log4p) bit operations and it returns factorizations of lengths (7+o(1))logℓp.
Proof.
Taking as definition of “Cornaccia-nice” that the integers are pseudo-primes congruent to 1 modulo 4, the condition is satisfied for both nX and nY with a probability 1/16log2p (here we heuristically assume that these numbers behave like random numbers of the same size).
Using the Miller–Rabin pseudo-primality test,
we will need one modular exponentiation on most couples, and O(logp) modular exponentiations when at least one of the two numbers is prime. In total we will need O(log2p) modular exponentiation until we have a couple (nX,nY) of the correct form, which amount to O~(log4p) bit operations.
Cornacchia’s algorithm itself is more efficient than that, as are all the other parts of the algorithm. Note that to allow enough randomness in the choice of nX and nY, we expect e to grow up to roughly logℓp+loglogℓp, so we expect the while loop to be executed only O(loglogp) times.
The expected length is e plus twice the expected length for Algorithm 3.
∎
Note that paths of length about 3logℓp are expected to be necessary and sufficient for random matrices in G.
The factorizations produced by our algorithm are therefore expected to be a factor 7/3 larger than optimal ones, instead of 16/3 larger than optimal ones for the algorithm of Petit, Lauter and Quisquater [11].
Moreover, the best diameter bound on LPS graphs is 6logp, so in that sense we can expect that our factorizations are only 16% larger than optimal ones in the worst case.
6 Experimental validation
Because of the heuristic nature of our analysis we have experimentally checked our results using the computer algebra package Magma [6]. In our experiments we fixed ℓ=5 and we generated various p such that p=1mod4 and (ℓp)=1. For each such set of parameters, we generated various matrices of square determinant, and we ran Algorithm 4 on them. The resulting factorization lengths are displayed in Figure 1 as functions of the parameter logℓp. The best near square approximation line for the data points has a slope equal to 7.03, confirming our analysis that the lengths are (7+o(1))logℓp.
7 Conclusion
We presented a new algorithm that computes short paths between arbitrary pair of vertices in LPS Ramanujan graphs. Subject to several plausible heuristics, the algorithm is polynomial time and for LPS graphs with parameters p and ℓ, it returns paths of length (7+o(1))logℓp.
Acknowledgements
We thank Gilles Zémor for discussions related to this paper.
References
[1]
A. Blass, A. Bocharov and Y. Gurevich,
Optimal ancilla-free Pauli+V circuits for axial rotations,
preprint (2014),
https://arxiv.org/abs/1412.1033v1.
10.1063/1.4936990Suche in Google Scholar
[2]
D. Charles and K. Lauter,
Computing modular polynomials,
LMS J. Comput. Math. 8 (2005), 195–204.
10.1112/S1461157000000954Suche in Google Scholar
[3]
D. X. Charles, K. E. Lauter and E. Z. Goren,
Cryptographic hash functions from expander graphs,
J. Cryptology 22 (2009), no. 1, 93–113.
10.1007/s00145-007-9002-xSuche in Google Scholar
[4]
G. Cornacchia,
Su di un metodo per la risoluzione in numeri interi dell’ equazione ∑h=0nchxn-hyh=p,
Giornale Mat. Battaglini 46 (1903), 33–90.
Suche in Google Scholar
[5]
G. Davidoff, P. Sarnak and A. Valette,
Elementary Number Theory, Group Theory, and Ramanujan Graphs,
London Math. Soc. Stud. Texts 55,
Cambridge University Press, Cambridge, 2003.
Suche in Google Scholar
[6]
C. Fieker A. Steel, W. Bosma and J. J. Cannon,
Handbook of Magma Functions, edition 2.20,
2013, http://http://magma.maths.usyd.edu.au/magma/.
Suche in Google Scholar
[7]
H. A. Helfgott,
Growth and generation in SL2(ℤ/pℤ),
Ann. of Math. (2) 167 (2008), no. 2, 601–623.
10.4007/annals.2008.167.601Suche in Google Scholar
[8]
S. Hoory, N. Linial and A. Wigderson,
Expander graphs and their applications,
Bull. Amer. Math. Soc. (N.S.) 43 (2006), no. 4, 439–561.
10.1090/S0273-0979-06-01126-8Suche in Google Scholar
[9]
A. Lubotzky, R. Phillips and P. Sarnak,
Ramanujan graphs,
Combinatorica 8 (1988), no. 3, 261–277.
10.1007/BF02126799Suche in Google Scholar
[10]
D. Micciancio and S. Goldwasser,
Complexity of Lattice Problems. A Cryptographic Perspective,
Kluwer Int. Ser. Eng. Comp. Sci. 671,
Kluwer Academic Publishers, Boston, 2002.
10.1007/978-1-4615-0897-7Suche in Google Scholar
[11]
C. Petit, K. Lauter and J.-J. Quisquater,
Full cryptanalysis of LPS and Morgenstern hash functions,
Security and Cryptography for Networks—SCN 2008,
Lecture Notes in Comput. Sci. 5229,
Springer, Berlin (2008), 263–277.
10.1007/978-3-540-85855-3_18Suche in Google Scholar
[12]
N. J. Ross,
Optimal ancilla-free Clifford+V approximation of z-rotations,
preprint (2015),
https://arxiv.org/abs/1409.4355v2.
Suche in Google Scholar
[13]
N. T. Sardari,
Complexity of strong approximation on the sphere,
preprint (2017),
arxiv.org/abs/1703.02709.
10.1093/imrn/rnz233Suche in Google Scholar
[14]
N. T. Sardari,
The least prime number represented by a binary quadratic form,
preprint (2018),
arxiv.org/abs/1803.03218.
Suche in Google Scholar
[15]
P. Sarnak,
Some Applications of Modular Forms,
Cambridge Tracts in Math. 99,
Cambridge University Press, Cambridge, 1990.
10.1017/CBO9780511895593Suche in Google Scholar
[16]
J.-P. Tillich and G. Zémor,
Collisions for the LPS expander graph hash function,
Advances in Cryptology—EUROCRYPT 2008,
Lecture Notes in Comput. Sci. 4965,
Springer, Berlin (2008), 254–269.
10.1007/978-3-540-78967-3_15Suche in Google Scholar
