**Mathematics for Industry 33**

Tsuyoshi Takagi · Masato Wakayama · Keisuke Tanaka · Noboru Kunihiro · Kazufumi Kimoto · Yasuhiko Ikematsu Editors

International Symposium on Mathematics, Quantum Theory, and Cryptography Proceedings of MQC 2019

## Mathematics for Industry

Volume 33

#### Aims & Scope

The meaning of "Mathematics for Industry" (sometimes abbreviated as MI or MfI) is different from that of "Mathematics in Industry" (or of "Industrial Mathematics"). The latter is restrictive: it tends to be identified with the actual mathematics that specifically arises in the daily management and operation of manufacturing. The former, however, denotes a new research field in mathematics that may serve as a foundation for creating future technologies. This concept was born from the integration and reorganization of pure and applied mathematics in the present day into a fluid and versatile form capable of stimulating awareness of the importance of mathematics in industry, as well as responding to the needs of industrial technologies. The history of this integration and reorganization indicates that this basic idea will someday find increasing utility. Mathematics can be a key technology in modern society.

The series aims to promote this trend by 1) providing comprehensive content on applications of mathematics, especially to industry technologies via various types of scientific research, 2) introducing basic, useful, necessary and crucial knowledge for several applications through concrete subjects, and 3) introducing new research results and developments for applications of mathematics in the real world. These points may provide the basis for opening a new mathematics-oriented technological world and even new research fields of mathematics.

To submit a proposal or request further information, please use the PDF Proposal Form or contact directly: Swati Meherishi, Executive Editor (swati.meherishi@springer.com).

#### Editor-in-Chief

Masato Wakayama, Kyushu University, Fukuoka, Japan

#### Series Editors

Robert S. Anderssen, Commonwealth Scientific and Industrial Research Organisation, Canberra, ACT, Australia

Yuliy Baryshnikov, Department of Mathematics, University of Illinois at Urbana-Champaign, Urbana, IL, USA

Heinz H. Bauschke, University of British Columbia, Vancouver, BC, Canada

Philip Broadbridge, School of Engineering and Mathematical Sciences, La Trobe University, Melbourne, VIC, Australia

Jin Cheng, Department of Mathematics, Fudan University, Shanghai, China

Monique Chyba, Department of Mathematics, University of Hawaii at Mānoa, Honolulu, HI, USA

Georges-Henri Cottet, Joseph Fourier University, Grenoble, Isère, France

José Alberto Cuminato, University of São Paulo, São Paulo, Brazil

Shin-ichiro Ei, Department of Mathematics, Hokkaido University, Sapporo, Japan

Yasuhide Fukumoto, Kyushu University, Nishi-ku, Fukuoka, Japan

Jonathan R. M. Hosking, IBM T.J. Watson Research Center, Scarsdale, NY, USA

Alejandro Jofré, University of Chile, Santiago, Chile

Masato Kimura, Faculty of Mathematics & Physics, Kanazawa University, Kanazawa, Japan

Kerry Landman, The University of Melbourne, Victoria, Australia

Robert McKibbin, Institute of Natural and Mathematical Sciences, Massey University, Palmerston North, Auckland, New Zealand

Andrea Parmeggiani, Dir Partenariat IRIS, University of Montpellier 2, Montpellier, Hérault, France

Jill Pipher, Department of Mathematics, Brown University, Providence, RI, USA

Konrad Polthier, Free University of Berlin, Berlin, Germany

Osamu Saeki, Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan

Wil Schilders, Department of Mathematics and Computer Science, Eindhoven University of Technology, Eindhoven, The Netherlands

Zuowei Shen, Department of Mathematics, National University of Singapore, Singapore, Singapore

Kim Chuan Toh, Department of Analytics and Operations, National University of Singapore, Singapore, Singapore

Evgeny Verbitskiy, Mathematical Institute, Leiden University, Leiden, The Netherlands

Nakahiro Yoshida, The University of Tokyo, Meguro-ku, Tokyo, Japan

More information about this series at http://www.springer.com/series/13254

Tsuyoshi Takagi • Masato Wakayama • Keisuke Tanaka • Noboru Kunihiro • Kazufumi Kimoto • Yasuhiko Ikematsu Editors

# International Symposium on Mathematics, Quantum Theory, and Cryptography

Proceedings of MQC 2019

Editors

Tsuyoshi Takagi, Department of Mathematical Informatics, University of Tokyo, Tokyo, Japan

Keisuke Tanaka, Department of Mathematical and Computing Science, Tokyo Institute of Technology, Tokyo, Japan

Kazufumi Kimoto, University of the Ryukyus, Okinawa, Japan

Masato Wakayama, Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan

Noboru Kunihiro, Department of Computer Science, University of Tsukuba, Ibaraki, Japan

Yasuhiko Ikematsu, Institute of Mathematics for Industry, Kyushu University, Fukuoka, Japan

ISSN 2198-350X ISSN 2198-3518 (electronic)

Mathematics for Industry

ISBN 978-981-15-5190-1 ISBN 978-981-15-5191-8 (eBook)

https://doi.org/10.1007/978-981-15-5191-8

© The Editor(s) (if applicable) and The Author(s) 2021. This book is an open access publication.

**Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore

## Foreword

It is a great honor and pleasure for me to write some words for the book of extended abstracts of "International Symposium on Mathematics, Quantum Theory, and Cryptography (MQC 2019)".

I am currently supervising the CREST program "Modeling Methods allied with Modern Mathematics" funded by Japan Science and Technology Agency (JST). This program has 11 research teams, and Professor Tsuyoshi Takagi is directing one of them, the CREST CRYPTO-MATH team with the project titled "Mathematical Modelling for Next-Generation Cryptography". Hereby, we are pleased to support this symposium partly through the project of Professor Takagi. We are also happy to find speakers from several other teams of our CREST program.

Nowadays, it is a common understanding that cryptography is very important for sustaining society. And, as we all know, modern cryptography is based on mathematics. Here "we" includes of course all the participants of this symposium, and I sincerely hope that "we" becomes most of the population, partly through the activity of our program.

I am a geometer working on the structures on manifolds, but I gave from time to time lectures on the RSA cryptosystem to high school students. It was always easy to get the students excited about the beautiful mathematics used in the RSA cryptosystem.

I learned from the CREST CRYPTO-MATH team, however, that cryptography based on the hardness of the integer factorization problem or the discrete logarithm problem faces a probable crisis because of advances in quantum computing. In fact, in recent years there are already several companies planning to realize the execution of quantum-based algorithms to attack the actual systems of cryptography. They seem to be demonstrating some part of this.

Of course, there are always questions on the cost and we should not overestimate or underestimate the probable effect which will happen in the next decade because of quantum computing. After all, it is really necessary to understand scientifically current theoretical achievement as well as current technical achievement. Here, I would like to share with all the participants from a vast area of research fields the fact that mathematics is the key for understanding.

As I learned that this symposium deals with all technical aspects of mathematical cryptography secure in the era of quantum computers, I sincerely hope that the participants will share the achievements from multiple aspects and will be able to advance their research from this base. I strongly believe these research efforts will help people to enjoy a safer and sustainable society, not only at the national level, but also in the global perspective as well.

I hope to see a lot of exciting presentations as well as extensive and fruitful discussions where this book of extended abstracts would help, which will contribute to the success of this symposium.

Fukuoka, Japan, September 2019

Takashi Tsuboi

## Preface

MQC 2019, the International Symposium on Mathematics, Quantum Theory, and Cryptography, was held at the IMI auditorium of Kyushu University in Fukuoka, Japan, during September 25–27, 2019. The symposium was organized by the CREST CRYPTO-MATH Project: "Mathematical Modelling for Next-Generation Cryptography", which was supported by Japan Science and Technology Agency (JST) to construct mathematical modeling of next-generation cryptography using wide-range mathematical theories. This symposium was held to mainly express the culmination of our project for these five years.

The symposium introduced new mathematical results in order to strengthen information security, simultaneously providing fresh insights and developing the respective areas of mathematics. The symposium consisted of 3 keynote addresses and 16 invited talks. The keynote addresses were given by Daniel Braak (Max Planck Institute), Johannes Buchmann (Technische Universität Darmstadt), and Kouichi Semba (National Institute of Information and Communications Technology, NICT).

These proceedings consist of the papers/surveys selected from the talks of MQC 2019. Original research papers/surveys on all technical aspects of mathematical cryptography secure in the era of quantum computers were solicited. The topics include: (1) Mathematics and quantum theory for the next-generation cryptography such as number theory, algebraic geometry, lattice theory, representation theory, multivariate polynomial theory, quantum computation, mathematical physics, and probability theory; (2) Cryptosystems that have the potential to be safe against quantum computers such as hash-based signature schemes, lattice-based cryptosystems, multivariate cryptosystems, and quantum cryptographic schemes. There were 13 papers selected for publication. In addition, these proceedings contain 5 resumes corresponding to the remaining talks.

Many people contributed to the success of MQC 2019. We are very grateful to all of the Program Committee members as well as the external reviewers for their fruitful comments and discussions on their areas of expertise. We would also like to thank the students who helped to run MQC 2019 smoothly.

Finally, we would like to express our gratitude to our partners and sponsors: JST CREST (Grant Number JPMJCR14D6), Kyushu University, Tokyo Institute of Technology, The University of Tokyo, and Advanced Innovation powered by Mathematics Platform (AIMaP).

Fukuoka, Japan, September 2019

Tsuyoshi Takagi, Masato Wakayama, Keisuke Tanaka, Noboru Kunihiro, Kazufumi Kimoto, Yasuhiko Ikematsu


## About the Editors

Prof. Tsuyoshi Takagi received his B.Sc. and M.Sc. degrees in mathematics from Nagoya University in 1993 and 1995, respectively. He was engaged in research on network security at NTT Laboratories from 1995 to 2001. He received his Ph.D. from Technical University of Darmstadt in 2001. He is currently a Professor in the Graduate School of Information Science and Technology at University of Tokyo. His current research interests are information security and cryptography. He received DOCOMO Mobile Science Award in 2013, IEICE Achievement Award in 2013, and JSPS Prize in 2014. Dr. Takagi was a Program Chair of the 7th International Conference on Post-Quantum Cryptography, PQCrypto 2016.

Prof. Masato Wakayama is a Professor of Mathematics, Vice President at Tokyo University of Science (TUS) and Principal Fellow at the Center for Research and Development Strategy, Japan Science and Technology Agency (CRDS/JST). He is also Professor Emeritus at Kyushu University. He obtained his Ph.D. from Hiroshima University in 1985. His research interests include Representation Theory, Number Theory and Mathematical Physics, and he has published over 100 refereed research papers. He has contributed his experience and expertise to both academic work and university administration. His current appointments include Chair of the Asia Pacific Consortium of Mathematics for Industry (2014–). He is the Editor-in-Chief of the Springer series "Mathematics for Industry". e-mail: wakayama@rs.tus.ac.jp

Prof. Keisuke Tanaka is a Professor in the School of Computing at Tokyo Institute of Technology. He received his B.S. from Yamanashi University in 1992, and his M.S. and Ph.D. in Computer Science from Japan Advanced Institute of Science and Technology in 1994 and 1997, respectively. Before joining Tokyo Institute of Technology, he was Research Engineer at NTT Information Platform Laboratories. His research interests include theory of cryptography, cryptocurrency and blockchain technology, and cybersecurity.

Prof. Noboru Kunihiro received his B.E., M.E. and Ph.D. in Mathematical Engineering and Information Physics from the University of Tokyo in 1994, 1996 and 2001, respectively. He has been a professor at the University of Tsukuba since 2019. He was a researcher at NTT Communication Science Laboratories from 1996 to 2002. He was an associate professor at the University of Electro-Communications from 2002 to 2008. He was an associate professor at the University of Tokyo from 2008 to 2019. His research interests include cryptography and information security.

Prof. Kazufumi Kimoto received his Ph.D. in Mathematics from Kyushu University in 2003. He was an assistant professor at the University of the Ryukyus from October 2003 to December 2010. He was an associate professor at the University of the Ryukyus from January 2011 to March 2015. He has been a professor at the University of the Ryukyus since April 2015. His research interests include representation theory, number theory, and combinatorics.

Prof. Yasuhiko Ikematsu received his Ph.D. in Mathematics in 2016 from Kyushu University. He was a research fellow at the Institute of Mathematics for Industry, Kyushu University from 2016 to 2018 and in the Department of Mathematical Informatics, University of Tokyo from April to December 2018. He is currently an assistant professor at the Institute of Mathematics for Industry, Kyushu University. His research interests include number theory and multivariate cryptography.

## **Keynote**

## **Sustainable Cryptography**

**Johannes Buchmann**

**Abstract** Cryptography is a fundamental tool for cybersecurity and privacy which must be protected for long periods of time. However, the security of most cryptographic algorithms relies on complexity assumptions that may become invalid over time. In this talk I discuss how sustainable cybersecurity and privacy can be achieved in this situation.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

J. Buchmann (B)

Technical University of Darmstadt, Hochschulstr. 10, 64289 Darmstadt, Germany e-mail: johannes.buchmann@tu-darmstadt.de

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics,*

*Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_1

## **What Kind of Insight Provide Analytical Solutions of Quantum Models?**

**Daniel Braak**

**Abstract** There are several concepts of what constitutes the analytical solution of a quantum model, as opposed to the mere "numerically exact" one. This applies even if one considers only the determination of the discrete spectrum of the corresponding Hamiltonian, setting aside such important questions as the asymptotic dynamics for long times. In the simplest case, the spectrum can be given in closed form: the eigenvalues $E_j$, $j = 0, \dots, N \le \infty$, read $E_j = f(j, \{p_k\})$, where $f$ is a known function of the label $j \in \mathbb{N}_0$ and the $\{p_k\}$ are a set of numbers parameterizing the Hamilton operator. This kind of solution exists only in cases where the classical limit of the model is Liouville-integrable. Some quantum-mechanical many-body systems allow the determination of the spectrum in terms of auxiliary parameters $[\{k_j\}, \{n_l\}]$ as $E(\{n_l\}) = f(\{k_j(\{n_l\})\})$, where the $\{k_j(\{n_l\})\}$ satisfy a coupled set of transcendental equations following from a certain ansatz for the eigenfunctions. These systems (integrable in the sense of Yang-Baxter (Eckle 2019)) may have a Hilbert space dimension growing exponentially with the system size $L$, i.e., $N \sim e^L$. The simple enumeration of the energies with the label $j$ is replaced by the multi-index $\{n_l\}$. Although no a priori knowledge about the spectrum is available, its statistical properties can be computed exactly (Berry and Tabor 1977). Other integrable and also non-integrable models exist where $N$ depends polynomially on $L$ and the energies $E_j$ are the zeroes of an analytically computable transcendental function, the so-called $G$-function $G(E, \{p_k\})$ (Braak 2013a, 2016), which is proportional to the spectral determinant. Although no closed formula for $E_j$ as a function of the index $j$ exists, detailed qualitative insight into the distribution of the eigenvalues can be obtained (Braak 2013b). Possible applications of these concepts to information compression and cryptography are outlined.

D. Braak (B)

Max Planck Institute for Solid State Research, Heisenbergstraße 1, 70569 Stuttgart, Germany e-mail: d.braak@fkf.mpg.de

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics,*

*Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_2


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Emerging Ultrastrong Coupling Between Light and Matter Observed in Circuit Quantum Electrodynamics**

**Kouichi Semba**

**Abstract** The strength of the coupling between an atom and a single electromagnetic field mode is defined as the ratio of the vacuum Rabi frequency to the Larmor frequency, and is determined by a small dimensionless physical constant, the fine structure constant $\alpha = Z_{\mathrm{vac}}/2R_K$. On the other hand, a quantum circuit including Josephson junctions behaves as an artificial atom, and it can be coupled to the electromagnetic field with arbitrary strength (Devoret et al. 2007). Therefore, circuit quantum electrodynamics (circuit QED) is extremely suitable for studying much stronger light-matter interaction.

We have used a coupled system of a Josephson-junction atom (a flux qubit) and a harmonic oscillator. This circuit is well described by the Hamiltonian shown in Eq. (1).

$$\mathcal{H}\_{\text{total}} = -\frac{\hbar}{2}(\Delta\sigma\_x + \varepsilon\sigma\_z) + \hbar\omega\_o(\hat{a}^\dagger\hat{a} + \frac{1}{2}) + \hbar g\sigma\_z(\hat{a} + \hat{a}^\dagger). \tag{1}$$

The first, second, and third terms represent the energy of the qubit, the energy of the harmonic oscillator, and the interaction energy, respectively. If the coupling strength $g$ becomes as large as the atomic and cavity frequencies ($\Delta$ and $\omega_o$, respectively), the energy eigenstates including the ground state are predicted to be highly entangled (Hepp and Lieb 1973; Ashhab and Nori 2010). We have experimentally achieved this deep strong coupling using a superconducting-flux-qubit LC-oscillator system (Yoshihara et al. 2017). By carefully designing a superconducting persistent-current qubit interacting with an LC harmonic oscillator that has a large zero-point fluctuation current via a large shared Josephson inductance, we have realized circuits with $g/\omega_o$ ranging from 0.72 to 1.34 and $g/\Delta \gg 1$. From the transmission spectroscopy, we have observed unconventional transition spectra and selection rules which can be interpreted using predicted energy levels that are well described by Schrödinger-cat-like entangled states between persistent-current states and displaced vacuum or Fock states of the oscillator (Yoshihara et al. 2017). By using two-tone spectroscopy, the energies of the six lowest levels of each circuit have been determined. We have observed huge light shifts, i.e., Lamb shifts (qubit energy shifts due to coupling to the vacuum field) that exceed 90% of the bare qubit frequencies, and Stark shifts, i.e., inversions of the qubits' ground and excited states when there are only a few photons in the oscillator (Yoshihara et al. 2018). We have also observed collective coupling between an engineered ensemble of 4300 flux qubits and a superconducting resonator (Kakuyanagi et al. 2016), and considered the condition for observing the generation of a superradiant ground state in the presence of parameter fluctuations (Ashhab and Semba 2017).

K. Semba (B)

National Institute of Information and Communications Technology, 4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan e-mail: semba@nict.go.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics,*

*Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_3

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Summary**

## **Verified Numerical Computations and Related Applications**

**Shin'ichi Oishi**

**Abstract** The author has been engaged in the study of numerical computations with result verification starting from 1990.

#### **Summary**

The author has been engaged in the study of numerical computations with result verification starting from 1990. As a result, the following results have been obtained:

- a. Finite dimensional linear equations including extremely ill-conditioned problems.
- b. Matrix eigenvalue problems.
- c. Calculation of ill-conditioned definite integrals.
- d. Boundary value problems for nonlinear differential equations based on the invention of methods for eigenvalue evaluation of the associated linearized problems.

In this talk, we will review some of these results and will mention possible applications for cryptography.

S. Oishi (B)

Waseda University, 3-4-1 Okubo, Tokyo, Shinjuku-ku 169-8555, Japan e-mail: oishi@waseda.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics,*

*Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_4

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **A Review of Secret Key Distribution Based on Bounded Observability**

**Jun Muramatsu**

**Abstract** Secret key distribution is a technique for a sender and a receiver to share a secret key, which is not known by any eavesdropper, when they share no common secret information in advance. By using this technique, the sender and the receiver can transmit a message securely in the sense that the message remains secret from any eavesdropper. We introduced a secret key distribution based on the Bounded Observability (Muramatsu et al. 2010, 2013, 2015), which provides a necessary and sufficient condition for the possibility of secret key distribution. This condition describes limits on the information obtained by observation of a random object, and models the practical difficulty of completely observing random physical phenomena.

**Keywords** Secret key distribution · Information-theoretic security · Secret key agreement · Bounded observability

J. Muramatsu (B)

NTT Communication Science Laboratories, NTT Corporation, 2-4, Seika-cho, Soraku-gun, Hikaridai, Kyoto 619-0237, Japan e-mail: jun.muramatsu@ieee.org

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics,*

*Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_5

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Quantum Computing and Information Theory**

## **Quantum Random Numbers Generated by a Cloud Superconducting Quantum Computer**

**Kentaro Tamura and Yutaka Shikano**

**Abstract** A cloud quantum computer is similar to a random number generator in that its physical mechanism is inaccessible to its users. In this respect, a cloud quantum computer is a black box. In both devices, its users decide the device condition from the output. A framework to achieve this exists in the field of random number generation in the form of statistical tests for random number generators. In the present study, we generated random numbers on a 20-qubit cloud quantum computer and evaluated the condition and stability of its qubits using statistical tests for random number generators. As a result, we observed that some qubits were more biased than others. Statistical tests for random number generators may provide a simple indicator of qubit condition and stability, enabling users to decide for themselves which qubits inside a cloud quantum computer to use.

**Keywords** Cloud quantum computer · Random number generator · NIST SP 800-22 · Stability

## **1 Introduction**

Given a coin with an unknown probability distribution, there are two approaches to decide whether the coin is fair (Tamura and Shikano 2019). The first approach is to examine the coin itself; one expects an evenly shaped coin to yield fair results. The second approach is to actually toss the coin a number of times to see if the output is sound. In this approach, the coin is treated as a black box. A random number generator is similar to a coin in that it is expected to produce unbiased and independent 0s and 1s. Unlike a coin, however, the physical mechanism of a random number generator is often inaccessible to its users. Therefore, users rely on statistical tests to decide the fairness of the device from its output.

K. Tamura (B)

Department of Applied Physics and Physico-Informatics, Keio University, 3-14-1 Hiyoshi, Kohoku, Yokohama 223-8522, Japan e-mail: cicero@keio.jp

Y. Shikano

Quantum Computing Center, Keio University, 3-14-1 Hiyoshi, Kohoku, Yokohama 223-8522, Japan e-mail: yutaka.shikano@keio.jp

Institute for Quantum Studies, Chapman University, 1 University Dr., Orange, CA 92866, USA

© The Author(s) 2021 T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_6

Random number generators play an important role in cryptography, particularly in the context of key generation. For example, the security of the RSA cryptosystem is based on keys that are determined by random choices of two large prime numbers (Boneh 1999). If the choices of prime numbers are not random, an adversary could predict future keys and hence compromise the security of the system. Randomness in cryptography derives from what is called the seed. The seed is provided by physical random number generators (Schindler and Killmann 2003; Ugajin et al. 2017). It is required that the physical mechanism of a physical random number generator remains a black box for the seed to be unpredictable. Given that the measurement outcomes are theoretically unpredictable in quantum mechanics, random number generators based on quantum phenomena are a promising source of unpredictability (Pironio et al. 2010; Ma et al. 2016; Herrero-Collantes and Garcia-Escartin 2017).

Cloud quantum computers are quantum computers that are accessed online (Srivastava et al. 2016; Gibney 2017; Castelvecchi 2017; Xin et al. 2018; Yamamoto et al. 2019; National Academies of Sciences, Engineering, and Medicine 2019). In order to use a cloud quantum computer, users are required to send programs specifying the quantum circuit to be executed and the number of times the circuit should be run (LaRose 2019). When a user's turn arrives, the quantum computer executes the program and returns the results (Preskill 2018). A similarity between random number generators and cloud quantum computers is that their users do not have direct access to the physical mechanism of the device. So, as far as the users are concerned, both random number generators and cloud quantum computers are black boxes. In the field of random number generation, much research has been done on how to characterize the device from its output, which has led to the creation of statistical tests for random number generators. The present study aims to introduce the idea of statistical tests for random number generators to the field of cloud quantum computing. This aim is supported by three points. Firstly, the cloud quantum computer is a black box to its users, which is also the case with random number generators. Secondly, quantum computers become random number generators when given certain programs. Finally, the cloud quantum computer lacks a simple benchmark that would enable its users to decide the condition of the device.

The rest of this article is organized as follows. In Sect. 2, statistical tests for random number generators are generally explained. In Sect. 3, a group of statistical tests called the NIST SP 800-22 is reviewed. In Sect. 4, we present the results of the statistical analysis of random number samples obtained from the cloud quantum computer, IBM 20Q Poughkeepsie, and the test results of the eight statistical tests from the NIST SP 800-22. Finally, Sect. 5 is devoted to the conclusion. In the appendix, a measure of uniformity often employed in the field of cryptography, the min-entropy, is explained.

#### **2 Statistical Tests for Random Number Generators**

Statistical tests for random number generators are necessary to confirm that a random number generator is suitable for use in encryption processes (Demirhan and Bitirim 2016). Random number generators used in this context are required to have unpredictability. This means that given any subset of a sequence produced by the device, no adversary can predict the rest of the sequence, including the output from the past. Statistical tests aim to detect random number generators that produce sequences with a significant bias and/or correlation.

When subjected to statistical tests, a random number generator is considered a black box. This means that the only information available is its output. Under the null hypothesis that the generator is unbiased and independent, one expects its output to have certain characteristics. The characteristics of the output are quantified by the test statistic, whose probability distribution under the null hypothesis is known. From the test statistic, the probability that a true random number generator produces an output with a test statistic value at least as extreme is calculated. This probability is called the p-value. If the p-value is below the level of significance α, the generator fails the test, and the null hypothesis that the generator is unbiased and independent is rejected. Since statistical tests for random number generators merely rule out significantly biased and/or correlated generators, these tests do not verify that a device is the ideal random number generator. Nevertheless, a generator that passes the tests is more reliable than a generator that doesn't. This is why statistical tests are usually organized in the form of test suites, so as to be comprehensive. Some well-known test suites are the NIST SP 800-22 (Bassham 2010), TestU01 (L'Ecuyer and Simard 2007), and Dieharder.

Because statistical tests are designed to check for statistical anomalies under the hypothesis that the generator is unbiased, a biased random number generator would naturally fail the tests. This can be a problem when testing quantum random number generators, as they can be biased and unpredictable at the same time. Given that statistically faulty generators can still be unpredictable, the framework of statistical tests fails to capture the essence of randomness: unpredictability. There have been attempts to assure the presence of unpredictability by exploiting quantum inequalities, but they have not reached the point of replacing statistical tests altogether.

#### **3 NIST SP 800-22**

The NIST SP 800-22 is a series of statistical tests for cryptographic random number generators provided by the National Institute of Standards and Technology (Bassham 2010). Random number generators for c purposes are required to have unpredictability, which is not strictly necessary in other applications such as simulation and modeling, but is a crucial element of randomness. The test suite contains 16 tests, each with a different test statistic to characterize deviations of binary sequences from randomness. The entire testing procedure of the NIST SP 800-22 is divided into three steps. The first step is to subject all samples to the 16 tests. For each sample, each test returns a p-value: the probability that an unbiased and independent RNG would produce a test statistic at least as extreme as the one observed. This p-value is then compared


**Table 1** The minimum length *n* required for each test in order to obtain meaningful results. The tests not employed in the present study are shaded in gray. Note that the tests will be referred to by their test number in Sect. 4

to the level of significance α = 0.01. If the p-value is under the level of significance, the sample fails the test. The second step involves the proportion of passed samples for each test. Under the level of significance α = 0.01, 1% of the samples obtained from an unbiased and independent RNG are expected to fail each test. If the proportion of passed samples is too high or too low, the RNG fails the test. Finally, p-value uniformity is checked for each test. Suppose one tested 100 binary samples. This yields 100 p-values per test. If the samples are independent, the p-values should be uniformly distributed on [0, 1) for every test. The distribution of p-values is checked via the chi-squared test.

In the following sections, eight tests from the NIST SP 800-22 are explained (Table 1). The input sequence will be denoted by $\varepsilon = \varepsilon\_1 \varepsilon\_2 \cdots \varepsilon\_n$, and its *i*th element by $\varepsilon\_i$.

#### *3.1 Frequency Test*

The frequency test aims to test whether a sequence contains a reasonable proportion of 0s and 1s. If the probability of obtaining the sequence from an independent and unbiased random number generator is lower than 1%, it follows that the random number generator is not "independent and unbiased". The minimum sample length required for this test is 100.


Quantum Random Numbers Generated by a Cloud … 21


$$\text{erfc}(z) = \frac{2}{\sqrt{\pi}} \int\_z^{\infty} e^{-u^2} du. \tag{1}$$

5. Compare p-value to 0.01. If p-value ≥ 0.01, then the sequence passes the test. Otherwise, the sequence fails.

Example: ε = 1001100010, length *n* = 10.
1. 1, 0, 0, 1, 1, 0, 0, 0, 1, 0 → +1, −1, −1, +1, +1, −1, −1, −1, +1, −1.
2. *S*₁₀ = 1 − 1 − 1 + 1 + 1 − 1 − 1 − 1 + 1 − 1 = −2.
3. *s*obs = |−2|/√10 ≈ 0.632455.
4. P-value = erfc(*s*obs/√2) ≈ 0.527089.
5. P-value = 0.527089 > 0.01 → the sequence passes the test.

This test is equivalent to testing the histogram for bias. Because the test only considers the proportion of 1s, sequences such as 0000011111 or 0101010101 would pass the test. Failing this test means that the sample is overall biased.

#### *3.2 Frequency Test Within a Block*

Firstly, the sequence is divided into *N* blocks of size *M*, and the proportion of 1s, π*i*, is computed for each block. The second part of this test checks whether the dispersion of the π*i* around 1/2 can be attributed to chance; this is done with a chi-squared (χ²) test. For meaningful results, a sample with a length of at least 100 is required. The following is the test description.

#### **Test Description**


$$
\pi\_i = \frac{\sum\_{j=1}^{M} \varepsilon\_{(i-1)M+j}}{M}. \tag{2}
$$

3. Compute the χ² statistic
$$\chi^2\_{\text{obs}} = 4M \sum\_{i=1}^{N} \left( \pi\_i - \frac{1}{2} \right)^2.$$
4. Compute the p-value $= 1 - \text{igamc}\left(\frac{N}{2}, \frac{\chi^2\_{\text{obs}}}{2}\right)$. Note that igamc stands for the (regularized) incomplete gamma function, defined by

$$
\Gamma(z) = \int\_0^\infty t^{z-1} e^{-t}\, dt, \tag{3}
$$

$$\text{igamc}(a, x) \equiv \frac{1}{\Gamma(a)} \int\_0^x e^{-t} t^{(a-1)} dt \tag{4}$$

5. Compare p-value to 0.01. If p-value ≥ 0.01, then the sequence passes the test. Otherwise, the sequence fails.

Example: ε = 1001100010, length: *n* = 10.


This test divides the sequence into blocks and checks each block for bias. Depending on the block size, samples such as 001100110011 or 101010101010 could pass the test. Failing this test means that certain sections of the sequence are biased.

#### *3.3 Runs Test*

The proportion of 0s and 1s does not suffice to identify a random sequence. A run, which is an uninterrupted sequence of identical bits, is also a factor to be taken into account. The runs test determines whether the lengths and oscillation of runs in a sequence are as expected from a random sequence. A minimum sample length of 100 is required for this test. The following is the test description.





Example: ε = 1010110001, length *n* = 10.
1. π = 5/10 = 0.5.
2. |π − 0.5| = 0 < 2/√*n* = 2/√10 = 0.63 → the test is applicable.
3. *V*₁₀(obs) = (1 + 1 + 1 + 1 + 0 + 1 + 0 + 0 + 1) + 1 = 7.
4. P-value = erfc( |7 − 2 × 10 × 0.5 × (1 − 0.5)| / (2 × √(2 × 10) × 0.5 × (1 − 0.5)) ) = 0.21.

5. P-value = 0.21 ≥ 0.01, so sequence passes the test.
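The following Python is an added example (not code from the chapter or from the NIST reference implementation) that carries out the frequency test of Sect. 3.1 and the runs test of Sect. 3.3 exactly as the steps above describe, reproduces the two worked examples, and shows why both tests are needed: the constructed 100-bit sequences 0⁵⁰1⁵⁰ and (01)⁵⁰ are perfectly balanced, so the frequency test returns p-value 1, while the runs test rejects both. Function names are this example's own; only the standard `math` module is used.

```python
import math


def bits_from_str(s):
    """'1001100010' -> [1, 0, 0, 1, 1, 0, 0, 0, 1, 0]."""
    return [int(c) for c in s.strip() if c in "01"]


def frequency_test(bits):
    """Sect. 3.1: S_n = sum of the +-1 values, s_obs = |S_n| / sqrt(n),
    p-value = erfc(s_obs / sqrt(2)) (Eq. 1).  Returns (s_obs, p)."""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)            # 1 -> +1, 0 -> -1
    s_obs = abs(s_n) / math.sqrt(n)
    return s_obs, math.erfc(s_obs / math.sqrt(2))


def runs_test(bits):
    """Sect. 3.3.  Returns (applicable, V_n(obs), p-value).
    The run statistic is only meaningful when the proportion of 1s is
    already sane, so the NIST prerequisite |pi - 1/2| < 2/sqrt(n) is
    checked first; if it fails, (False, None, None) is returned."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return False, None, None
    # V_n(obs) = number of runs = 1 + number of positions where the bit changes
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return True, v_obs, math.erfc(num / den)


def passes(p, alpha=0.01):
    """Step 5 of every test: compare the p-value with the significance level."""
    return p is not None and p >= alpha


if __name__ == "__main__":
    # the chapter's two worked examples, plus two constructed 100-bit
    # sequences that are balanced (frequency p-value 1) but clearly not random
    cases = [("freq example", "1001100010"),
             ("runs example", "1010110001"),
             ("half/half", "0" * 50 + "1" * 50),
             ("alternating", "01" * 50)]
    for label, s in cases:
        b = bits_from_str(s)
        s_obs, p_f = frequency_test(b)
        ok, v, p_r = runs_test(b)
        p_r_txt = "n/a" if p_r is None else f"{p_r:.6f}"
        print(f"{label:12s} frequency p={p_f:.6f} pass={passes(p_f)}  "
              f"runs V={v} p={p_r_txt} pass={passes(p_r)}")
```

Both tests need at least 100 bits for the normal approximation behind erfc to hold (Table 1); the 10-bit inputs are kept only because they are the chapter's worked examples.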

#### *3.4 The Longest Run of Ones Within a Block Test*

This test determines whether the longest runs of ones 111 ··· within blocks of size M is consistent with what would be expected in a random sequence. The possible values of M for this test are limited to three values, namely, 8, 128, and 10,000, depending on the length of the sequence to be tested.


**Table 2** Choices of M for the longest runs of ones within a block test


**Table 3** Classifications of each block

#### **Test Description**


Example: *n* = 10000




**Table 5** Values of π*<sup>i</sup>* corresponding to *K* and *M*

3.
$$\begin{split} \chi^2(\text{obs}) &= \frac{(6 - 49 \times 0.1174)^2}{49 \times 0.1174} + \frac{(10 - 49 \times 0.2430)^2}{49 \times 0.2430} \\ &+ \frac{(10 - 49 \times 0.2493)^2}{49 \times 0.2493} + \frac{(7 - 49 \times 0.1752)^2}{49 \times 0.1752} \\ &+ \frac{(7 - 49 \times 0.1027)^2}{49 \times 0.1027} + \frac{(9 - 49 \times 0.1124)^2}{49 \times 0.1124} \\ &= 3.994459. \end{split}$$
4. P-value = 1 − igamc(5/2, 3.994459/2) = 0.550214.
5. P-value = 0.550214 ≥ 0.01, so the sequence passes the test.

#### *3.5 Discrete Fourier Transform Test*

This test checks for periodic patterns in the sequence by performing a discrete Fourier transform (DFT). The minimum sample length required for this test is 1000. The following is the test description.


This test checks for periodic features. Samples with periodic features may look like 0110011001100110 or 010010100101001 among various other possibilities. Failing this test suggests that the sample has periodic patterns. It is noted that the probability distribution of the test statistic *d* should be rectified as it does not converge to the standard normal distribution (Hamano 2005).

Example: ε = 1001010011, length *n* = 10.
1. *X* = 2ε₁ − 1, 2ε₂ − 1, ..., 2ε*n* − 1 = 1, −1, −1, 1, −1, 1, −1, −1, 1, 1.
2. *N*(ideal) = 0.95 × *n*/2 = 4.75.
3. *N*(obs) = 4.
4. *d* = (*N*(obs) − *N*(ideal)) / √(10 × 0.95 × 0.05 × 1/4) = (4 − 4.75)/√0.11875 = −2.176429.
5. P-value = erfc(|−2.176429|/√2) = 0.029523.
6. P-value = 0.029523 ≥ 0.01, so the sequence passes the test.
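As an added example (not the chapter's code), the DFT test in pure Python, using a direct O(*n*²) transform so that nothing beyond the standard library is needed; the function names are the example's own. It uses the SP 800-22 Rev. 1a normalisation *d* = (*N*(obs) − *N*(ideal))/√(*n* × 0.95 × 0.05/4) and the threshold *T* = √(*n* log(1/0.05)). One caveat worth knowing: run on the worked example 1001010011 it finds the five moduli 0, 2, √20, 2, √20, all below *T* = √(10 ln 20) ≈ 5.47, hence *N*(obs) = 5 and a p-value of about 0.47, whereas the worked example above (which follows the example in the NIST document) takes *N*(obs) = 4. Parseval's identity checks the moduli: over all ten coefficients Σ|*S*ⱼ|² = 0 + 4 + 20 + 4 + 20 + 4 + 20 + 4 + 20 + 4 = 100 = *n* Σ *X*ₖ². The second input is a constructed periodic sequence of the kind the test is designed to catch.

```python
import cmath
import math


def dft_moduli(bits):
    """Steps 1-2 of the DFT test: X = 2*eps - 1, S = DFT(X), and the moduli
    |S_j| for j = 0 .. n/2 - 1.  A direct O(n^2) DFT is used so that the
    example needs no numpy; it is fine for the short sequences used here."""
    x = [2 * b - 1 for b in bits]
    n = len(x)
    mods = []
    for f in range(n // 2):
        s = sum(x[k] * cmath.exp(-2j * math.pi * f * k / n) for k in range(n))
        mods.append(abs(s))
    return mods


def dft_test(bits):
    """Sect. 3.5 with the SP 800-22 Rev. 1a normalisation.  Returns
    (N(obs), d, p-value).  T is the 95 % peak threshold, N(ideal) = 0.95 n/2
    the expected number of moduli below T, N(obs) the number observed.
    NIST requires n >= 1000 for the normal approximation to be meaningful."""
    n = len(bits)
    mods = dft_moduli(bits)
    t = math.sqrt(math.log(1 / 0.05) * n)
    n_ideal = 0.95 * n / 2
    n_obs = sum(1 for m in mods if m < t)
    d = (n_obs - n_ideal) / math.sqrt(n * 0.95 * 0.05 / 4)
    return n_obs, d, math.erfc(abs(d) / math.sqrt(2))


def periodic_bits(pattern, n):
    """Constructed input (not device data): `pattern` repeated to length n,
    i.e. a sample with exactly the periodic feature the test looks for."""
    return [int(c) for c in (pattern * (n // len(pattern) + 1))[:n]]


if __name__ == "__main__":
    ex = [int(c) for c in "1001010011"]
    print("moduli of the worked example:", [round(m, 4) for m in dft_moduli(ex)])
    print("worked example  N(obs), d, p:", dft_test(ex))
    print("0110 repeated   N(obs), d, p:", dft_test(periodic_bits("0110", 256)))
```

For the periodic input the whole spectrum sits in a single coefficient (at *j* = *n*/4), so every other modulus is 0 and *N*(obs) exceeds *N*(ideal) by enough to reject; a real QRNG sample with a hidden clock leak fails the same way.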

### *3.6 Approximate Entropy Test*

The approximate entropy test compares the frequency of *m*-bit overlapping patterns with that of (*m* + 1)-bit patterns in the sequence. It checks whether the relation of two frequencies is what is expected from an unbiased and independent RNG. The level of significance is α = 0.01. This test can be applied to samples with lengths equal to or larger than 64. The test description is below.


Example: ε = 1011010010, length *n* = 10, *m* = 3.
1. ε = 1011010010 → 101101001010 (the first *m* − 1 = 2 bits are appended to the end).
2. 101101001010 → 101, 011, 110, 101, 010, 100, 001, 010, 101, 010.
3. "000": 0, "001": 1, "010": 3, "011": 1, "100": 1, "101": 3, "110": 1, "111": 0.
4. "000": 0, "001": 0.1 log*e*(0.1), "010": 0.3 log*e*(0.3), "011": 0.1 log*e*(0.1), "100": 0.1 log*e*(0.1), "101": 0.3 log*e*(0.3), "110": 0.1 log*e*(0.1), "111": 0.
5. ϕ⁽³⁾ = −1.643418.
6. ϕ⁽⁴⁾ = −2.025326 (the same computation for the 4-bit patterns of 1011010010 extended by its first 3 bits).
7. χ²(obs) = 2 × 10 × (log*e*(2) − (−1.643418 − (−2.025326))) = 6.224774.
8. P-value = 1 − igamc(2^(*m*−1), χ²(obs)/2) = 1 − igamc(4, 3.112387) = 0.622069.

9. P-value = 0.622069 ≥ 0.01. The sequence passes the test.

The approximate entropy test checks for correlation between the frequencies of *m*-bit patterns and (*m* + 1)-bit patterns in the sequence. The difference ϕ⁽ᵐ⁾ − ϕ⁽ᵐ⁺¹⁾ between the two pattern-frequency statistics is compared with the value log*e*(2) expected from an unbiased and independent RNG; if the difference is too small or too large, the patterns are correlated.

#### *3.7 Cumulative Sums Test*

The cumulative sums test is basically a random walk test. It checks how far from 0 the sum of the sequence in terms of ±1 reaches. For a sequence that contains uniform and independent 0s and 1s, the sum should be close to 0. This test requires a minimum sample length of 100.


$$\text{P-value} = 1 - \sum\_{k=\lfloor(-n/z+1)/4\rfloor}^{\lfloor(n/z-1)/4\rfloor} \left[ \Phi\left(\frac{(4k+1)z}{\sqrt{n}}\right) - \Phi\left(\frac{(4k-1)z}{\sqrt{n}}\right) \right] + \sum\_{k=\lfloor(-n/z-3)/4\rfloor}^{\lfloor(n/z-1)/4\rfloor} \left[ \Phi\left(\frac{(4k+3)z}{\sqrt{n}}\right) - \Phi\left(\frac{(4k+1)z}{\sqrt{n}}\right) \right], \tag{5}$$

where Φ is the standard normal distribution function.

5. Compare p-value to α = 0.01. If p-value ≥ 0.01, the result is pass. Otherwise, the sequence fails the test.

Example: ε = 1011010010, length *n* = 10.
1. ε = 1011010010 → *X* = 1, −1, 1, 1, −1, 1, −1, −1, 1, −1.
2. Forward mode: *S*₁ = 1, *S*₂ = 1 + (−1) = 0, *S*₃ = 0 + 1 = 1, *S*₄ = 1 + 1 = 2, *S*₅ = 2 + (−1) = 1, *S*₆ = 1 + 1 = 2, *S*₇ = 2 + (−1) = 1, *S*₈ = 1 + (−1) = 0, *S*₉ = 0 + 1 = 1, *S*₁₀ = 1 + (−1) = 0.
3. In forward mode, the maximum value is *z* = max |*S*ₖ| = 2. Backward mode (*X* reversed) also gives *z* = 2.
4. P-value = 0.941740 for both forward and backward.

5. P-value = 0.941740 ≥ 0.01. The sequence passes the test.
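An added Python example (not from the chapter) of the cumulative sums test: the ±1 random walk in forward and backward mode and the p-value of Eq. (5), with Φ computed from `math.erfc`. It reproduces the worked example (*z* = 2, p-value 0.941740 in both modes) and is then applied to a constructed 100-bit sequence of 50 zeros followed by 50 ones, which has a perfect histogram but a maximum excursion of 50 and therefore fails; names are the example's own.

```python
import math


def norm_cdf(x):
    """Standard normal distribution function Phi(x)."""
    return 0.5 * math.erfc(-x / math.sqrt(2))


def cusum_test(bits, backward=False):
    """Sect. 3.7.  Forward mode walks the +-1 sequence from the start,
    backward mode from the end.  Returns (z, p-value) with z = max |S_k|
    and the p-value of Eq. (5)."""
    x = [2 * b - 1 for b in bits]
    if backward:
        x.reverse()
    n = len(x)
    s = z = 0
    for v in x:                      # partial sums S_1 .. S_n
        s += v
        z = max(z, abs(s))
    r = math.sqrt(n)
    lo1 = math.floor((-n / z + 1) / 4)
    lo2 = math.floor((-n / z - 3) / 4)
    hi = math.floor((n / z - 1) / 4)
    sum1 = sum(norm_cdf((4 * k + 1) * z / r) - norm_cdf((4 * k - 1) * z / r)
               for k in range(lo1, hi + 1))
    sum2 = sum(norm_cdf((4 * k + 3) * z / r) - norm_cdf((4 * k + 1) * z / r)
               for k in range(lo2, hi + 1))
    return z, 1 - sum1 + sum2


if __name__ == "__main__":
    ex = [int(c) for c in "1011010010"]
    print("worked example forward :", cusum_test(ex))
    print("worked example backward:", cusum_test(ex, backward=True))
    # constructed: 50 zeros then 50 ones; balanced, but the walk drifts to -50
    half = [0] * 50 + [1] * 50
    print("half/half forward      :", cusum_test(half))
```

The two modes catch drift at either end of a sample; a qubit whose readout bias changes partway through a job (the kind of time variation discussed in Sect. 4) shows up here even when the overall proportion of 1s is acceptable.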

Once the p-value has been calculated for all tests and samples, the proportion of samples that passed the test is computed for each test. Let us consider a case where 1000 samples were subjected to each of the 16 tests. This results in 1000 p-values per test. For example, if 950 out of 1000 samples passed the frequency test, the proportion of passed samples is 0.95. If the proportion of passed samples falls within the following range for all 16 tests, the samples pass the second step of the NIST SP 800-22. The acceptable range of the proportion is calculated with

$$(1 - \alpha) \pm 3\sqrt{\frac{\alpha(1 - \alpha)}{m}},\tag{6}$$

where α stands for the level of significance and *m* the sample size. It is noted that it is controversial whether the coefficient should be 3. A suggestion that the coefficient should be 2.6 exists (Marek et al. 2015). In the case of the current example, Eq. (6) can be calculated using α = 0.01 and *m* = 1000 as

$$(1 - 0.01) \pm 3\sqrt{\frac{0.01(1 - 0.01)}{1000}} = 0.99 \pm 0.0094.\tag{7}$$

From the fact that 0.95 is not within the acceptable range, it follows that the samples fail the frequency test. The same process is done with all 16 tests, and unless the samples pass all tests, the result is that the hypothesis that the RNG is unbiased and independent is rejected.

The final step of the NIST SP 800-22 is to evaluate the p-value uniformity of each test. In order to perform the chi-squared (χ²) test, the interval [0, 1) of p-values is divided into 10 regions: [*k*/10, (*k* + 1)/10) for *k* = 0, 1, ..., 9. The test statistic is given by

$$\chi^2 = \sum\_{i=1}^{10} \frac{(\text{number of samples in } i \text{th region} - \text{sample size}/10)^2}{\text{sample size}/10}.\tag{8}$$

When the number of samples in each region is 2, 8, 10, 13, 17, 17, 13, 10, 8, 2, the test statistic (8) is calculated as χ² = 25.200000. From χ², the p-value is

$$\text{p-value} = 1 - \text{igamc}\left(\frac{9}{2}, \frac{\chi^2}{2}\right), \tag{9}$$

with igamc as defined in Eq. (4). Therefore, in the current example where χ² = 25.200000, the p-value is 0.002758. The level of significance for the p-value uniformity is α = 0.0001. So when the p-value is 0.002758, the hypothesis that the p-values are uniformly distributed is not rejected. The p-value uniformity test requires at least 55 samples. As mentioned before, passing the NIST SP 800-22 does not ensure that a sequence is truly random (Kim et al. 2020; Fan et al. 2014; Haramoto and Matsumoto 2019).
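The remaining tests of Sect. 3 and the second and third steps of the procedure all end in the incomplete gamma function, so they are gathered in one added Python example (not the chapter's or NIST's code; function and table names are the example's own). It covers the frequency test within a block (Sect. 3.2), the longest run of ones within a block (Sect. 3.4, with the class boundaries and π*i* of Tables 2, 3 and 5 as published in SP 800-22), the approximate entropy test (Sect. 3.6), the acceptable proportion of Eq. (6) and the p-value uniformity check of Eqs. (8) and (9). Because every argument *a* is *N*/2, *K*/2, 2^(*m*−1) or 9/2, the regularized upper incomplete gamma function *Q*(*a*, *x*) = 1 − igamc(*a*, *x*) in the notation of Eq. (4) is computed exactly by a short recurrence from erfc and exp, so no SciPy is needed. The worked values above (χ² = 3.994459 and p = 0.550214 for the longest-runs example, χ² = 6.224774 and p = 0.622069 for the approximate entropy example, 0.977595 for 579 samples, and p = 0.002758 for the uniformity example) are reproduced.

```python
import math
from collections import Counter


def gamma_q(a, x):
    """Regularized upper incomplete gamma function Q(a, x), which equals
    1 - igamc(a, x) in the chapter's notation (Eqs. 3-4).  Every use in
    SP 800-22 has a = N/2, K/2, 2^(m-1) or 9/2, a positive multiple of 1/2,
    so Q is built exactly from Q(1/2, x) = erfc(sqrt(x)) or Q(1, x) = e^-x
    with the recurrence Q(a+1, x) = Q(a, x) + x^a e^-x / Gamma(a+1)."""
    if x < 0 or a <= 0 or abs(2 * a - round(2 * a)) > 1e-12:
        raise ValueError("need x >= 0 and a a positive multiple of 1/2")
    k = 0.5 if round(2 * a) % 2 else 1.0
    q = math.erfc(math.sqrt(x)) if k == 0.5 else math.exp(-x)
    while k < a - 1e-9:
        q += x ** k * math.exp(-x) / math.gamma(k + 1)
        k += 1.0
    return q


def block_frequency_test(bits, M):
    """Sect. 3.2: N = n // M blocks, pi_i per block (Eq. 2),
    chi2 = 4M sum (pi_i - 1/2)^2, p = Q(N/2, chi2/2)."""
    N = len(bits) // M
    pis = [sum(bits[i * M:(i + 1) * M]) / M for i in range(N)]
    chi2 = 4.0 * M * sum((p - 0.5) ** 2 for p in pis)
    return chi2, gamma_q(N / 2, chi2 / 2)


# Longest-run-of-ones classes and reference probabilities pi_i as published
# in SP 800-22 (the chapter's Tables 2, 3 and 5): M -> (K, lowest class, pi).
LONGEST_RUN = {
    8:     (3, 1,  [0.2148, 0.3672, 0.2305, 0.1875]),
    128:   (5, 4,  [0.1174, 0.2430, 0.2493, 0.1752, 0.1027, 0.1124]),
    10000: (6, 10, [0.0882, 0.2092, 0.2483, 0.1933, 0.1208, 0.0675, 0.0727]),
}


def longest_run_counts(bits, M):
    """Sect. 3.4, steps 1-2: nu_0 .. nu_K = number of blocks whose longest
    run of 1s falls in each class (<= low, low+1, ..., >= low+K)."""
    K, low, _ = LONGEST_RUN[M]
    nu = [0] * (K + 1)
    for i in range(len(bits) // M):
        longest = run = 0
        for b in bits[i * M:(i + 1) * M]:
            run = run + 1 if b else 0
            longest = max(longest, run)
        nu[min(max(longest - low, 0), K)] += 1
    return nu


def longest_run_chi2(nu, M):
    """Sect. 3.4, steps 3-4, from the class counts nu (N = sum(nu))."""
    K, _, pi = LONGEST_RUN[M]
    N = sum(nu)
    chi2 = sum((nu[i] - N * pi[i]) ** 2 / (N * pi[i]) for i in range(K + 1))
    return chi2, gamma_q(K / 2, chi2 / 2)


def approximate_entropy_test(bits, m):
    """Sect. 3.6: phi(k) over the n overlapping k-bit patterns of the sequence
    extended by its first k-1 bits; chi2 = 2n(ln 2 - (phi(m) - phi(m+1)))."""
    n = len(bits)

    def phi(k):
        ext = bits + bits[:k - 1]
        counts = Counter(tuple(ext[i:i + k]) for i in range(n))
        return sum(c / n * math.log(c / n) for c in counts.values())

    chi2 = 2.0 * n * (math.log(2) - (phi(m) - phi(m + 1)))
    return chi2, gamma_q(2 ** (m - 1), chi2 / 2)


def proportion_range(alpha, m):
    """Second step, Eq. (6): acceptable proportion of passed samples."""
    half = 3 * math.sqrt(alpha * (1 - alpha) / m)
    return (1 - alpha) - half, (1 - alpha) + half


def pvalue_uniformity(pvalues):
    """Third step, Eqs. (8)-(9): chi-square over the ten bins
    [k/10, (k+1)/10); a p-value of exactly 1 is put in the last bin."""
    counts = [0] * 10
    for p in pvalues:
        counts[min(int(p * 10), 9)] += 1
    expected = len(pvalues) / 10
    chi2 = sum((c - expected) ** 2 / expected for c in counts)
    return chi2, gamma_q(9 / 2, chi2 / 2)


if __name__ == "__main__":
    ex = [int(c) for c in "1001100010"]
    print("block frequency (M=3)      :", block_frequency_test(ex, 3))
    print("longest runs (M=128, N=49) :", longest_run_chi2([6, 10, 10, 7, 7, 9], 128))
    print("approximate entropy (m=3)  :",
          approximate_entropy_test([int(c) for c in "1011010010"], 3))
    print("proportion range, 579 runs :", proportion_range(0.01, 579))
```

`longest_run_counts` expects the block size the standard prescribes for the sample length (M = 8 for 128 ≤ *n* < 6272, M = 128 for 6272 ≤ *n* < 750 000, M = 10 000 beyond that); for an 8192-bit sample as in Sect. 4 that is M = 128 with *N* = 64 blocks.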

## **4 Quantum Random Number Generation on the Cloud Quantum Computer**

According to quantum mechanics, the measurement outcomes of the superposition state (|0⟩ + |1⟩)/√2 along the computational basis ideally form random number sequences. This means that the resulting sequences are expected to pass the statistical tests for RNGs explained previously. Here, the computational basis, |0⟩ and |1⟩, spans the two-dimensional Hilbert space. In a quantum computer, the desired state (|0⟩ + |1⟩)/√2 is generated from the initial state |0⟩ by applying the Hadamard gate to a single quantum bit (qubit). Note that in this process, the initial state is always the same. Unlike classical random number generators and pseudorandom number generators that require random seeds to produce independent sequences, quantum random number generators are capable of producing independent sequences with the same seed. This reduces the risk of the output of a random number generator being predicted from the seed, because all possible outputs come from the same seed.

In the present study, the cloud superconducting quantum computer IBM 20Q Poughkeepsie was used. The device was given the circuit in Fig. 1a and was repeatedly instructed to execute the circuit 8192 times without interruption, starting from 2019/05/09 11:24:27 GMT. Because the quantum computer has multiple users across the globe, interruptions between jobs occur (Aleksandrowicz et al. 2019); 8192 is the maximum number of uninterrupted executions (shots) available per job. Running the circuit with 8192 shots yields a binary sequence with a length of 8192 per qubit. This process was

**Fig. 1 a**: QRNG quantum circuit using the Hadamard gate. **b**: Device topology of IBM 20Q Poughkeepsie provided by Qiskit

**Table 6** The correspondence between calibration start/end time and time of job sent. All dates and times are in GMT


automatically repeated across calibrations. The device goes through calibration once a day, as seen in Table 6.

As a result, 579 samples were obtained from the IBM 20Q Poughkeepsie device; that is, each qubit produced 579 samples, each with a length of 8192. The samples were subjected to the eight tests from the NIST SP 800-22 listed in Table 1: the frequency test, the frequency test within a block, the runs test, the longest run of ones within a block test, the DFT test, the approximate entropy test, and the cumulative sums test in forward and backward mode. The p-value of each test was computed for every sample, and for each test the proportion of passed samples was checked. By Eq. (6) with α = 0.01 and *m* = 579, the proportion of passed samples is acceptable when it is at least 0.977595 (the upper end of the interval exceeds 1).

By constantly running the IBM 20Q Poughkeepsie device for five days, we obtained 579 samples for each of the 20 qubits. In theory, these samples should qualify as the output of an ideal random number generator. In random number generation, the output sequences are checked for two properties: bias and patterns. When the sequences show signs of bias or patterns, the device is not in ideal condition. The same logic applies to the cloud quantum computer. We also simulated the same quantum circuit on a simulator with the noise parameters obtained from the device, such as the T1 and T2 times, the coherent error, the single-qubit error, and the readout error, all of which are updated at each calibration. This simulator is referred to as the noisy simulator in the following. The noisy simulator program was also provided by IBM (Aleksandrowicz et al. 2019).

In the present section, the random number output of each qubit inside the IBM 20Q Poughkeepsie device is analyzed. The qubits that are connected by arrows in Fig. 1b represent the pairs of qubits on which the controlled NOT gate can operate. The controlled NOT gate is a two-qubit gate.

The min-entropy, whose definition and properties are given in the Appendix, was computed for each of the 579 samples of each qubit. This yields a min-entropy time series of 579 points for each of the 20 qubits, plotted in Fig. 2, which is laid out to follow the topology of the IBM 20Q Poughkeepsie. The min-entropy takes values from 0 to 1, determined by the largest probability in the distribution; when the distribution is uniform, the min-entropy is 1. Figure 2 shows that each qubit has its own min-entropy behaviour. Qubit [17], for example, shows a sudden drop in min-entropy at around 60 h, which does not occur in the simulation. Such a drop indicates that the measurement statistics can depend on when the cloud quantum computer executes a circuit. Overall, the noisy simulator tends to have a higher min-entropy than the actual device. According to Aleksandrowicz et al. (2019), the readout error that IBM provides does not reflect the asymmetry between reading out 1 on the state |0⟩ and reading out 0 on the state |1⟩. The discrepancy between the min-entropy of the actual device and that of the simulator suggests that such readout asymmetry exists.

Next, the samples were checked for bias. Each qubit produced 579 samples with a length of 8192, which form a 4,743,168-bit sequence when concatenated chronologically. Figure 3 shows the proportion of 1s in the entire sequence output by each qubit. Under the level of significance α = 0.01, the proportion of 1s in a 4,743,168-bit sequence should fall between the red lines. The result is that none of the qubits produced an acceptable proportion of 1s, as seen in Fig. 3. Furthermore, Fig. 4 shows that the actual device failed to pass the eight statistical tests, which indicates that the current quantum computing device does not have the statistical properties of a uniform random number generator.

The problem with histograms as seen in Fig. 3 is that they fail to detect certain anomalies. For example, a sequence consisting of all 0s in its first half and all 1s in its second half yields a perfect histogram. However, such a sequence is clearly not random. To compensate for this flaw, we focused on the transition of the number of 1s in the sequence. Ideally, the number of 1s in a random number sequence should always be roughly half of the sequence length. The difference between the ideal number of 1s and the observed number of 1s for the 4,743,168-bit sequence of each qubit is examined in Fig. 5. Note that here, too, the figures are aligned topologically. Figure 5 shows the stability of each qubit in terms of the proportion of 1s in its output; a linear plot suggests that the qubit is being stably operated. While qubit [7] is more biased than qubit [17] overall, the line representing qubit [7] shows more stability than that of qubit [17]. Furthermore, the noisy simulator does not capture the trend of the qubits. Therefore, the discrepancy between the output of the actual device and the noisy simulator may not only be a result of readout asymmetry, but also of time-varying parameters.

#### **5 Conclusion**

We characterized the qubits in a cloud quantum computer by using statistical tests for random number generators to provide a potential indicator of the device's condition. The IBM 20Q Poughkeepsie device was repeatedly run for a period of five days, and 579 samples with a length of 8192 were obtained for each of the 20 qubits. For comparison, the noise parameters obtained in the experiment were used to run the noisy simulator. Samples from both the actual device and the simulator were statistically analyzed for bias and patterns. To evaluate the uniformity of each sample, the min-entropy was computed. The transition of min-entropy showed that the qubits have unique characteristics. We identified a sudden drop of min-entropy in qubit [17]. The histogram of the proportion of 1s in the 4,743,168-bit sequences produced by each qubit revealed that, overall, none of the qubits produced acceptable proportions of 1s. However, we evaluated each qubit's stability from the time-series data of the proportion of 1s and found that qubits [0] and [12] were relatively stable. Finally, eight tests from the NIST SP 800-22 were applied to the 579 samples of each of the 20 qubits. None of the qubits cleared the standards of the test suite. However, the test results showed that qubits [0] and [12] were the closest to the ideal in terms of the proportion of passed samples for each test.

As is the case with random number generators, a cloud quantum computer is a black box to its users. Therefore, users are required to decide for themselves when to use a cloud quantum computer and which qubits to choose. Statistical tests for random number generators are a potential candidate for a simple indicator of qubit condition and stability inside a cloud quantum computer (Shikano et al. 2020).

**Acknowledgements** The authors thank Hidetoshi Okutomi, Atsushi Iwasaki, Shumpei Uno, and Rudy Raymond for valuable discussions. This work is partially supported by JSPS KAKENHI (Grant Nos. 17K05082 and 19H05156) and 2019 IMI Joint Use Research Program Short-term Joint Research "Mathematics for quantum walks as quantum simulators". The results presented in this paper were obtained in part using an IBM Q quantum computing system as part of the IBM Q Network. The views expressed are those of the authors and do not reflect the official policy or position of IBM or the IBM Q team.

**Fig. 4** The proportion of passed samples for each test. The test names corresponding to the test numbers can be found in Table 1. The acceptable range provided by the NIST is above the red line marking the proportion 0.977595. The blue plots are the experimental results and the red plots the noisy simulation results. The figure has been rotated 90°

#### **Appendix: Min-entropy**

Among various entropy measures for uniformity, the min-entropy is often used in the context of cryptography. The min-entropy for a random variable *X* is defined as follows:

$$\mathcal{H}\_{\infty}(X) = -\log\_2\left(\max\_{x \in \{0,1\}} \Pr[X = x]\right). \tag{10}$$

On the other hand, Shannon's entropy, which is also a measure for uniformity, is defined as follows:

$$\operatorname{H}\_{\mathrm{Sh}}(X) = -\sum\_{x \in \{0, 1\}} \operatorname{Pr}[X = x] \log\_2 \operatorname{Pr}[X = x]. \tag{11}$$

Both measures (10) and (11) take values ranging from 0 to 1 for a random variable on {0, 1}. The reason why the min-entropy is more appropriate in the context of cryptography is that it is more sensitive than Shannon's entropy. This is apparent from Fig. 6. Figure 6 compares the min-entropy and Shannon's entropy corresponding to the probability of *X* yielding 1. The min-entropy provides a clearer distinction of probability distributions close to uniform than Shannon's entropy.

The min-entropy is also tied to the success probability of an adversary who knows the probability distribution of *X* and tries to predict its outcome (Zhang et al. 2016). Such an adversary guesses the value that appears with the highest probability, and succeeds with probability max*ₓ* Pr[*X* = *x*] = 2^(−H∞(*X*)). This is why the min-entropy is defined through the maximum probability of *X*.
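An added Python example (not from the chapter) of Eqs. (10) and (11) for a single bit, together with the guessing-probability relation 2^(−H∞(*X*)) = max*ₓ* Pr[*X* = *x*] and the per-sample estimate used in Sect. 4, where the proportion of 1s in an 8192-bit sample is plugged into Eq. (10). The sample below is constructed with a seeded pseudorandom generator at Pr[*X* = 1] = 0.55 and is not device data; function names are the example's own.

```python
import math
import random


def min_entropy(p1):
    """Eq. (10) for a bit with Pr[X = 1] = p1."""
    return -math.log2(max(p1, 1 - p1))


def shannon_entropy(p1):
    """Eq. (11) for the same bit."""
    return -sum(p * math.log2(p) for p in (p1, 1 - p1) if p > 0)


def guessing_probability(p1):
    """Success probability of the best single guess: 2^-H_inf = max(p1, 1 - p1)."""
    return 2 ** (-min_entropy(p1))


def min_entropy_of_sample(bits):
    """Per-sample estimate of the kind used in Sect. 4: the empirical
    proportion of 1s is plugged into Eq. (10)."""
    return min_entropy(sum(bits) / len(bits))


def min_entropy_bits(n, p1):
    """How much of an n-bit sample a randomness extractor may treat as
    uniform: n * H_inf, rather than the larger n * H_Sh."""
    return n * min_entropy(p1)


def biased_sample(p1, n=8192, seed=1):
    """Constructed input (not device data): n independent bits with Pr[1] = p1."""
    rng = random.Random(seed)
    return [1 if rng.random() < p1 else 0 for _ in range(n)]


def entropy_table(probs=(0.5, 0.51, 0.55, 0.6, 0.75, 0.9, 1.0)):
    """(Pr[1], Shannon entropy, min-entropy) rows; the min-entropy column
    falls off much faster near the uniform distribution (cf. Fig. 6)."""
    return [(p, round(shannon_entropy(p), 4), round(min_entropy(p), 4)) for p in probs]


if __name__ == "__main__":
    for p, h_sh, h_inf in entropy_table():
        print(f"Pr[1]={p:<5} H_Sh={h_sh:.4f}  H_inf={h_inf:.4f}  "
              f"best guess succeeds w.p. {guessing_probability(p):.2f}")
    sample = biased_sample(0.55)
    print("8192-bit sample at Pr[1]=0.55: H_inf estimate =",
          round(min_entropy_of_sample(sample), 4),
          "; extractable bits ~", round(min_entropy_bits(8192, 0.55)))
```

The table makes the appendix's point concrete: at Pr[1] = 0.55 the Shannon entropy is still 0.993 bits while the min-entropy is already 0.862 bits, so an extractor sized by the Shannon figure would over-credit an 8192-bit sample by more than 1000 bits.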

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Quantum Factoring Algorithm: Resource Estimation and Survey of Experiments**

**Noboru Kunihiro**

**Abstract** It is known that Shor's algorithm can break many cryptosystems such as RSA encryption, provided that large-scale quantum computers are realized. Thus far, several experiments on the factorization of small composites such as 15 and 21 have been conducted using small-scale quantum computers. In this study, we investigate the details of the quantum circuits used in several factoring experiments. We then indicate that some of the circuits have been constructed under the condition that the order of an element modulo the target composite is known in advance. Because the order must be unknown in the experiments, they are inappropriate for designing the quantum circuit of Shor's factoring algorithm. We also indicate that the circuits used in the other experiments are constructed by relying considerably on the target composite number to be factorized.

**Keywords** RSA · Quantum computer · Shor's quantum factoring algorithm · Oversimplified Shor's algorithm · Physical experiment

## **1 Introduction**

It is crucial to evaluate the security of cryptosystems in order to use cryptographic technology securely. The security of RSA cryptosystems (Rivest et al. 1977), which are currently widely used, is based on the difficulty of the factoring problem, so evaluating the difficulty of the factoring problem is essential. Based on such security analysis, a 2048-bit composite number is widely used as a standard at present. It is known that prime factorization is possible in quantum polynomial time in the

N. Kunihiro (B)
Faculty of Engineering, Information and Systems, University of Tsukuba, 1-1-1 Tennodai, Tsukuba, Ibaraki 305-8573, Japan
e-mail: kunihiro@cs.tsukuba.ac.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_7

bit length of the composite number using Shor's algorithm (Shor 1997). Hence, almost all of the currently used public-key cryptosystems will be broken if large-scale quantum computers are realized. Therefore, to prepare for the realization of quantum computers, quantum-resistant cryptography is being actively researched at present (NIST 2020).

From the theoretical viewpoint, the resources needed for the prime factorization of composite numbers of the currently used sizes (1024-bit, 2048-bit) have been evaluated (Häner 2017; Kunihiro 2005). From the experimental viewpoint, on the other hand, several experiments have been performed on the prime factorization of small composite numbers such as 15 and 21 (Lucero et al. 2012; Martin-Lopez et al. 2012; Monz et al. 2016; Politi 2009; Vandersypen 2001). In addition, commercial services for small-scale quantum computers such as IBM Q (2020) are beginning to be launched, and it is expected that Noisy Intermediate-Scale Quantum (NISQ) technology might be available in the near future (Preskill 2018).

This paper presents a detailed survey of actual quantum experiments on prime factorization based on Shor's algorithm (Lucero et al. 2012; Martin-Lopez et al. 2012; Monz et al. 2016; Politi 2009; Vandersypen 2001). We give a detailed explanation of the circuits used in the experiments. We also indicate that some of them are problematic because they use secret information, namely the order, in the circuit construction.

## **2 Outline of Shor's Quantum Factoring Algorithm (Shor 1997)**

#### *2.1 Quantum Computation*

This subsection provides the basic facts about quantum gates (Nielsen and Chuang 2000). For further information about quantum gates and circuits, refer to Nielsen and Chuang (2000).

We first explain a quantum bit, or *qubit*. A qubit has two possible basis states |0⟩ and |1⟩. We represent a single-qubit state as α|0⟩ + β|1⟩, where α, β ∈ ℂ and |α|<sup>2</sup> + |β|<sup>2</sup> = 1. The gate that maps this state into α|1⟩ + β|0⟩ is called the NOT gate. The following matrix form is convenient for representing the NOT gate. Let a matrix *X* be

$$X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}.$$

Suppose that the quantum state α|0⟩ + β|1⟩ is written in the vector form as

$$
\begin{pmatrix} \alpha \\ \beta \end{pmatrix}.
$$

where the first entry corresponds to the amplitude of |0⟩ and the second entry to the amplitude of |1⟩. The corresponding output from the NOT gate is given by

$$X\begin{pmatrix}\alpha\\ \beta\end{pmatrix}=\begin{pmatrix}\beta\\ \alpha\end{pmatrix}.$$

Quantum gates on a single qubit can be described, in general, by 2 × 2 matrices. Furthermore, the matrix must be unitary; in particular, *X*<sup>†</sup>*X* = *I* must hold, where *X*<sup>†</sup> denotes the adjoint of *X* and *I* the identity matrix.

We then show the other important single-qubit gates, namely, the *Z* and *H* gates, in addition to the NOT gate. The matrix forms for the *Z* and *H* gates are given as follows.

$$Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \quad H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}.$$

The *H* gate is usually referred to as the Hadamard gate. The Hadamard gate turns the state |0⟩ into (|0⟩ + |1⟩)/√2 and the state |1⟩ into (|0⟩ − |1⟩)/√2 because

$$H\begin{pmatrix} 1\\0 \end{pmatrix} = \begin{pmatrix} 1/\sqrt{2} \\ 1/\sqrt{2} \end{pmatrix} \quad \text{and} \quad H\begin{pmatrix} 0 \\ 1 \end{pmatrix} = \begin{pmatrix} 1/\sqrt{2} \\ -1/\sqrt{2} \end{pmatrix}.$$

Furthermore, by applying the Hadamard gate to every qubit, we can construct the flat superposition from the all-zero state |0⟩.

We now discuss multiple-qubit gates. The first gate is the Controlled-NOT (C-NOT) gate, which has two input qubits. The action of the C-NOT gate can be described as

$$|0\rangle\ |0\rangle \to |0\rangle\ |0\rangle,\ |0\rangle\ |1\rangle \to |0\rangle\ |1\rangle,\ |1\rangle\ |0\rangle \to |1\rangle\ |1\rangle,\ \text{and}\ |1\rangle\ |1\rangle \to |1\rangle\ |0\rangle.$$

Equivalently, we can describe the action as

$$|a\rangle|b\rangle \to |a\rangle|b \oplus a\rangle,$$

where ⊕ denotes the exclusive OR.

The second one is the Toffoli gate, which has three input qubits. The action of the Toffoli gate can be described as

$$|a\rangle|b\rangle|c\rangle \to |a\rangle|b\rangle|c \oplus (a \wedge b)\rangle,$$

where ∧ denotes the logical operator AND. The first two qubits are the *control* qubits and the third one is the *target* qubit.

We can consider the *generalized* version of the Toffoli gate as follows.

$$|c_1\rangle|c_2\rangle \cdots |c_n\rangle|t\rangle \to |c_1\rangle|c_2\rangle \cdots |c_n\rangle|t \oplus (c_1 \wedge c_2 \wedge \cdots \wedge c_n)\rangle.$$

In this case, the first *n* qubits are the *control* qubits, and the last qubit is the target qubit. It is well known that the generalized Toffoli gate can be decomposed into several Toffoli gates (Nielsen and Chuang 2000).

We then explain the controlled circuit. We denote a unitary operation by *U*. The action of the control-*U* circuit (C-*U* circuit) is described as

$$|0\rangle|\mathbf{x}\rangle \to |0\rangle|\mathbf{x}\rangle, \quad |1\rangle|\mathbf{x}\rangle \to |1\rangle U|\mathbf{x}\rangle.$$

Or, equivalently, the action can be described as

$$|c\rangle|x\rangle \to |c\rangle U^c |x\rangle.$$

We now explain the Quantum Fourier Transformation (QFT). The QFT on the basis |0⟩, |1⟩, ..., |*N* − 1⟩ is defined to be the linear operation with the following action on the basis states:

$$|j\rangle \rightarrow \frac{1}{\sqrt{N}} \sum\_{k=0}^{N-1} \exp\left(\frac{2\pi \text{i} jk}{N}\right) |k\rangle.$$

The circuit for the QFT is constructed from Hadamard gates and controlled rotation gates. For the details, see Sect. 5 of Nielsen and Chuang (2000). The inverse QFT is defined to be the *inverse* operation of the QFT.

#### *2.2 Shor's Quantum Factoring Algorithm*

Let *N* denote a target composite to be factored, and *n* denote the bit length of *N*. To simplify the discussion, hereafter we assume that *p* and *q* are distinct primes and that *N* is the product of *p* and *q*. Let *a* denote a positive integer coprime to *N*. The final goal of Shor's algorithm is to find the prime factors *p* and *q*. However, before doing so, the algorithm finds, as a subgoal, the smallest positive integer *r* such that *a<sup>r</sup>* mod *N* = 1. This positive integer *r* is called the order of *a*. If we know the order *r*, we can easily find the prime factors *p* and *q* of *N* with high probability.

We will now explain Shor's factoring algorithm in detail. Letting *m* = 2*n*, we first prepare the initialized state as follows:

$$\underbrace{|0\rangle}_{m\text{-qubit}}\ \underbrace{|1\rangle}_{n\text{-qubit}},$$

where the first register (referred to as the control register in Martin-Lopez et al. 2012 or the period register in Monz et al. 2016) is of *m* qubits and the second register (referred to as the work register in Martin-Lopez et al. 2012 or the computational register in Monz et al. 2016) is of *n* qubits. We may use ancilla qubits in the calculation if required. Applying the Hadamard gate to the first register, we obtain the flat superposition as follows:

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} \underbrace{|x\rangle}_{m\text{-qubit}}\ \underbrace{|1\rangle}_{n\text{-qubit}}.$$

**Fig. 1** Shor's quantum factoring algorithm for the case of *m* = 4

Subsequently, we apply the modular exponentiation to this superposition to obtain the following state:

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} \underbrace{|x\rangle}_{m\text{-qubit}}\ \underbrace{|a^x \bmod N\rangle}_{n\text{-qubit}}.$$

We then apply the inverse of the Quantum Fourier Transformation to this state. At the last step, we obtain some value by measuring the first register. Using the measured value, we calculate the order *r* with the help of the continued fraction algorithm and then we find the prime factors of *N* by classical computers.

Here, the modular exponentiation is performed by sequentially applying the C–*U*<sub>*a*</sub>, C–*U*<sub>*a*<sup>2</sup></sub>, C–*U*<sub>*a*<sup>4</sup></sub>, …, C–*U*<sub>*a*<sup>2<sup>*j*</sup></sup></sub>, …, C–*U*<sub>*a*<sup>2<sup>*m*−1</sup></sup></sub> circuits, the *j*-th of which is controlled by the *j*-th qubit of the first register, as shown in Fig. 1. Note that the action of the *U<sub>b</sub>* operator is described as |*x*⟩ → |*bx* mod *N*⟩.

Suppose that we can find the order *r* of *a* modulo *N*. For simplicity, let us assume *r* to be even. By computing gcd(*a*<sup>*r*/2</sup> − 1 mod *N*, *N*), we can find the prime factors of *N* with high probability.

Hereafter, we do not discuss the Hadamard transformation part or the inverse Quantum Fourier Transformation part, because the circuit complexity of both is negligible compared with that of the modular exponentiation part; we focus on the resources necessary for modular exponentiation.
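The procedure of Sect. 2.2, together with the inverse QFT of Sect. 2.1, can be simulated classically for the tiny instance *N* = 15, *a* = 7, *m* = 2*n* = 8. The following is an added example, not code from the paper: it builds the state after modular exponentiation, applies the inverse QFT to the first register, lists the outcomes that can be measured, and runs the continued-fraction post-processing on each of them. Function names are ours and only the Python standard library is used.

```python
# Added example (not from the paper): a classical state-vector simulation of the
# steps described above for N = 15, a = 7, m = 2n = 8, followed by the
# continued-fraction post-processing.  It shows which measured values recover
# the order r and which ones fail.
import cmath
from fractions import Fraction
from math import gcd, pi


def measurement_distribution(a, N, m):
    """Probability of each outcome k when the first register is measured after
    (1) the flat superposition over x, (2) |x>|1> -> |x>|a^x mod N>, and
    (3) the inverse QFT on the first register.

    The second register is never measured, so probabilities are summed over its
    possible values y.  Grouping the x's by y = a^x mod N keeps the cost at
    2^(2m) complex operations, trivial for m = 8."""
    M = 2 ** m
    by_y = {}
    for x in range(M):
        by_y.setdefault(pow(a, x, N), []).append(x)
    probs = [0.0] * M
    for xs in by_y.values():
        for k in range(M):
            # inverse-QFT amplitude of |k>, restricted to the branch with this y
            s = sum(cmath.exp(-2j * pi * x * k / M) for x in xs)
            # (1/sqrt M)^2 from the Hadamards, (1/sqrt M)^2 from the inverse QFT
            probs[k] += abs(s) ** 2 / (M * M)
    return probs


def order_from_measurement(k, m, a, N):
    """Continued-fraction step: k/2^m is close to s/r for some s; return the
    denominator r if a^r = 1 (mod N), else None.  This fails for k = 0 and
    whenever gcd(s, r) > 1, where only a proper divisor of r is recovered."""
    if k == 0:
        return None
    r = Fraction(k, 2 ** m).limit_denominator(N).denominator
    return r if pow(a, r, N) == 1 else None


def factors_from_order(a, r, N):
    """gcd(a^(r/2) - 1, N) as in Sect. 2.2; None if r is odd or the gcd is trivial."""
    if r % 2:
        return None
    g = gcd(pow(a, r // 2, N) - 1, N)
    return (g, N // g) if 1 < g < N else None


def shor_outcomes(a, N, m):
    """Sorted outcomes with non-negligible probability and, for each, the order
    candidate produced by the continued-fraction algorithm (or None)."""
    probs = measurement_distribution(a, N, m)
    peaks = [k for k, p in enumerate(probs) if p > 1e-9]
    return peaks, {k: order_from_measurement(k, m, a, N) for k in peaks}


if __name__ == "__main__":
    peaks, candidates = shor_outcomes(7, 15, 8)
    print("outcomes:", peaks)               # multiples of 2^m / r = 256 / 4
    print("order candidates:", candidates)  # 64 and 192 give r = 4; 0 and 128 fail
    print("factors:", factors_from_order(7, 4, 15))
```

Two of the four equally likely outcomes (64 and 192) yield the order 4 and hence the factors 3 and 5; the outcome 128 yields 1/2 and therefore only the divisor 2 of *r*, and the outcome 0 carries no information, which is why the algorithm is repeated a constant number of times in practice.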


**Table 1** Number of qubits and elementary gates (Kunihiro 2005)

## *2.3 Circuit Construction and Resource Estimation for Shor's Quantum Factoring Algorithm*

The modular exponentiation can be executed with *O*(*n*<sup>3</sup>) gate operations in the standard circuit construction. Kunihiro gave three construction types for modular exponentiation (Kunihiro 2005), which adopt different types of addition circuits. In Kunihiro (2005), the number of qubits and the number of gates for Shor's factoring circuit were evaluated precisely. It was also shown that 3*n* + 2 qubits and 270*n*<sup>3</sup> + *O*(*n*<sup>2</sup>) Toffoli gates are required for modular exponentiation if an addition circuit similar to classical addition is adopted. This result implies that we require 6146 qubits and 3.04 × 10<sup>12</sup> Toffoli gates for factoring a 2048-bit composite. Table 1 presents the resource estimation for an *n*-bit composite; Table 2 shows those for 768-bit and 2048-bit composites. Note that the current world record for factoring is a 768-bit composite (Kleinjung 2010) and the current recommendation for RSA composites is 2048 bits.

In addition to the classical-addition-based circuits (referred to as R-ADD in Table 1), Kunihiro (2005) also gave resource estimations for circuits based on the generalized Toffoli gate and for circuits based on quantum addition (referred to as GT-ADD and Q-ADD in Table 1, respectively). The circuits based on the generalized Toffoli gate require 2*n* + 4 qubits and (16/3)*n*<sup>5</sup> Toffoli gates, and those based on quantum addition require 2*n* + 3 qubits, 20*n*<sup>4</sup> C–NOT gates, and 37*n*<sup>4</sup> single-qubit gates. Takahashi and Kunihiro proposed a circuit construction that works with only 2*n* + 2 qubits (Takahashi and Kunihiro 2006). Häner et al. also presented a similar result (Häner 2017).

The resource estimation for solving the elliptic curve discrete logarithm problem was presented in Roetteler et al. (2017), and further improvement is provided in Kurama and Kunihiro (2019).

#### *2.4 Survey of Quantum Experiments for Factoring*

In 2001, a research group of IBM performed an experiment for factoring 15 by implementing Shor's algorithm using Nuclear Magnetic Resonance (NMR) (Vandersypen 2001). Since the group's pioneering work, several experiments based on Shor's algorithm have been conducted. Table 3 summarizes five of these experiments, of which four dealt with the factorization of 15 and the fifth with the factorization of 21.

**Table 2** Number of qubits and elementary gates for 768 and 2048 bits (Kunihiro 2005)

**Table 3** Summary of quantum experiments for factoring

Because the bit length of the composite 15 is 4, factoring 15 requires at least 14 qubits with the standard construction based on the usual addition (R-ADD) and 10 qubits with the construction of Takahashi and Kunihiro (2006). As can be seen, all of the experiments employed fewer qubits than the above-mentioned constructions for general composites. We can say that the circuits for factoring are customized to the target composites 15 and 21 and are not based on the general construction. In Sect. 3, we describe the detailed circuits that do not use the order information, based on Lucero et al. (2012), Monz et al. (2016), and Vandersypen (2001). Though their circuits do not use any secret information, they are applicable only to specific composites such as 2<sup>*n*</sup> − 1 for an even integer *n*, which are never used as RSA composites. In Sect. 4, we describe the detailed circuits that use the order information, based on Martin-Lopez et al. (2012) and Politi (2009). These circuit constructions are inappropriate since the order information must be secret.

**Fig. 2** Shor's factoring algorithm for *N* = 15

#### **3 Quantum Circuits Without Using the Order Information**

Before describing the details of each quantum circuit for factoring 15, we explain a common strategy for factoring 15. The positive integers below 15 that are coprime to 15, apart from the trivial element 1, are 2, 4, 7, 8, 11, 13, and 14. Their orders modulo 15 are 4, 2, 4, 4, 2, 4, and 2, respectively. Clearly, the elements of order 4 are 2, 7, 8, and 13. In many cases, these are used as *a*. Note that *a*<sup>2</sup> mod 15 = 4 for *a* = 2, 7, 8, and 13.

For an element *a* of order 4, *a*<sup>2<sup>*k*</sup></sup> mod 15 is always 1 for integers *k* ≥ 2. Hence, *U*<sub>*a*<sup>2<sup>*k*</sup></sup></sub> for *k* ≥ 2 is the identity operation and can be ignored in the calculation. On the basis of this observation, it is sufficient to implement the C–*U*<sub>*a*</sub> and C–*U*<sub>*a*<sup>2</sup> mod 15</sub> circuits for the modular exponentiation. Here, *a*<sup>2</sup> mod 15 = 4, so the necessary operations simplify to C–*U*<sub>*a*</sub> and C–*U*<sub>4</sub>. Hence, while constructing the quantum circuits, it is sufficient to consider multiplication circuits for *a* = 2, 4, 7, 8, and 13. From the above discussion, the general form of the circuit for factoring *N* = 15 is given in Fig. 2, under the condition that an element of order 4 is used.

## *3.1 Quantum Factoring Experiment Shown in Vandersypen (2001)*

The literature (Vandersypen 2001) shows an experiment of factoring *N* = 15 using NMR. The experiment uses *a* = 7 as a chosen element. The order of 7 modulo 15 is given by 4.

As described previously, it is sufficient to construct multiplication circuits for 7 and 4. The multiplication circuit for 4 is constructed by using the following strategy. Here, we denote a 4-bit nonnegative integer by (*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>)<sub>2</sub>. Multiplying it by 4, we have (*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>00)<sub>2</sub>. Reducing this modulo 15, we have (*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>*y*<sub>2</sub>)<sub>2</sub>, because 16 ≡ 1 (mod 15) and so the two bits shifted out above the fourth position re-enter at the lowest two positions. In summary, the multiplication of (*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>)<sub>2</sub> by 4 modulo 15 is given by (*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>*y*<sub>2</sub>)<sub>2</sub>. It is sufficient to construct a circuit transferring |*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>⟩ into |*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>*y*<sub>2</sub>⟩ instead of directly implementing the multiplication circuit. From the above discussion, it is sufficient to swap the first and the third qubits and to swap the second and the fourth qubits for multiplication by 4 modulo 15. The swap operation can be executed without using ancilla qubits. Furthermore, the controlled-SWAP can be decomposed into one Toffoli gate and two C–NOT gates.

**Fig. 3** Quantum circuit for factoring 15 in Vandersypen (2001)

**Fig. 4** Experiment for *a* = 4 and *N* = 15 in Lucero et al. (2012)

Subsequently, we explain the multiplication circuit for 7. The circuit shown there does not directly implement multiplication by 7. We can easily verify that, in this situation, it is sufficient that |0⟩|1⟩ is mapped to |0⟩|1⟩ and |1⟩|1⟩ is mapped to |1⟩|7⟩ for multiplication by 7, since the second register still holds |1⟩ when this gate is applied. This operation can be executed via a controlled addition of 6. In this experiment, the controlled addition of 6 is implemented by using two controlled-NOT gates.

On the basis of the above-mentioned idea, the authors of Vandersypen (2001) implemented the circuit as depicted in Fig. 3. Note that no ancilla qubit was used in applying *Ua* and *U*4, and consequently only six qubits were involved in the implementation.

## *3.2 Quantum Factoring Experiment Shown in Lucero et al. (2012)*

This experiment involves the factorization of 15 and uses *a* = 4 as the chosen element. Note that the order of 4 is 2. Hence, it is sufficient to implement *U*<sub>4</sub> for the experiment. In the circuit shown in Lucero et al. (2012), multiplication by 4 is not implemented directly. It is sufficient to implement the circuit that transforms |0⟩|1⟩ → |0⟩|1⟩ and |1⟩|1⟩ → |1⟩|4⟩. This operation can be executed via a controlled addition of 3. In this experiment, the controlled addition of 3 is implemented by using two C–NOT gates. Summing up the above discussion, the authors of Lucero et al. (2012) presented the circuit depicted in Fig. 4.

Note that no ancilla qubit was used in applying *U*<sub>4</sub>, and consequently only three qubits were involved in the implementation.

## *3.3 Quantum Factoring Experiment Shown in Monz et al. (2016)*

The authors presented circuits not only for *a* = 7 but also for several other *a*'s in their experiments. Concretely, the authors showed the circuits for *a* = 2, 7, 8, 11, and 13, and *a*<sup>2</sup> mod 15 = 4 for these *a*'s. Hence, it is sufficient to construct the *U*<sub>*a*</sub> and *U*<sub>4</sub> circuits. As shown in Sect. 3.1, the *U*<sub>4</sub> circuit can be constructed using SWAPs. In Monz et al. (2016), the authors showed that the multiplication circuit *U*<sub>*a*</sub> can also be constructed using SWAP and NOT gates.

We first present the multiplication circuit for *a* = 2. We denote the binary representation of the register value by (*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>)<sub>2</sub> as in Sect. 3.1. Its double modulo 15 is given by (*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>)<sub>2</sub> in binary. The state |*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>⟩ can be obtained from |*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>⟩ using the following three sequential SWAP operations: SWAP between the first and second qubits, SWAP between the second and third qubits, and then SWAP between the third and fourth qubits. We can verify its correctness by following the transitions |*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>⟩ → |*y*<sub>2</sub>*y*<sub>3</sub>*y*<sub>1</sub>*y*<sub>0</sub>⟩ → |*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>3</sub>*y*<sub>0</sub>⟩ → |*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>*y*<sub>3</sub>⟩.

We then consider the multiplication circuit for *a* = 8. The product of the register value with 8 modulo 15 is given by (*y*<sub>0</sub>*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>)<sub>2</sub> in binary. The state |*y*<sub>0</sub>*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>⟩ can be obtained from |*y*<sub>3</sub>*y*<sub>2</sub>*y*<sub>1</sub>*y*<sub>0</sub>⟩ using the following three sequential SWAP operations: SWAP between the third and fourth qubits, SWAP between the second and third qubits, and then SWAP between the first and second qubits.

We, thus, know that we can implement the multiplication with 2, 4, and 8 by using only the SWAP circuit.

We then implement the multiplication circuits for *a* = 7, 11, and 13; the values of 15 − *a* for them are 8, 4, and 2, respectively. To construct the multiplication circuits for 7, 11, and 13, we use this property: since *a* ≡ −(15 − *a*) (mod 15), multiplication by *a* is multiplication by 15 − *a* followed by taking the complement 15 − *y*, which on four qubits is a NOT gate on every qubit. For the multiplication by *a* = 13, we first apply the multiplication by 2 and then apply the NOT gate to all four qubits. Figure 5 depicts the concrete multiplication circuits. We can obtain the multiplication circuits for *a* = 7 and 11 in a similar manner.

**Fig. 5** Unitary operations *U*<sub>2</sub>, *U*<sub>13</sub> and the circuit for C–SWAP
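The SWAP and NOT realizations of Sects. 3.1 and 3.3 can be checked exhaustively, and the same check shows why they do not extend beyond composites of the form 2<sup>*n*</sup> − 1. The following is an added example, not code from any of the surveyed papers: it encodes the SWAP sequences described above as lists of qubit pairs, verifies them against *a* · *y* mod 15 for every register value, and then asks by brute force whether multiplication by *a* modulo *N* is any fixed permutation of the bit positions at all. The function names and the small table of SWAP sequences are ours.

```python
# Added example (not from the surveyed papers): the SWAP/NOT realizations of
# multiplication modulo 15 from Sect. 3, checked exhaustively, plus a brute-force
# test of when such a bit-permutation trick is available at all.
from itertools import permutations

# Qubit positions are numbered 1..4 from the most significant bit (y3 y2 y1 y0),
# as in the text.  Each entry is the ordered list of SWAPs to apply.
SWAP_SEQUENCE = {
    2: [(1, 2), (2, 3), (3, 4)],  # Sect. 3.3: y3y2y1y0 -> y2y1y0y3
    4: [(1, 3), (2, 4)],          # Sect. 3.1: y3y2y1y0 -> y1y0y3y2
    8: [(3, 4), (2, 3), (1, 2)],  # Sect. 3.3: y3y2y1y0 -> y0y3y2y1
}


def to_bits(y, n=4):
    """Integer -> list of n bits, most significant first."""
    return [(y >> i) & 1 for i in range(n - 1, -1, -1)]


def from_bits(bits):
    out = 0
    for b in bits:
        out = (out << 1) | b
    return out


def mul_mod15_circuit(a, y):
    """Multiply the 4-bit register value y by a modulo 15 using only SWAPs and,
    for a in {7, 11, 13}, a NOT on every qubit (a*y = -(15-a)*y = complement).
    Valid for the register values 1..14 that a^x mod 15 can take; y = 0 is
    deliberately not handled, since the complement of 0 is 15, not 0."""
    if a in SWAP_SEQUENCE:
        seq, negate = SWAP_SEQUENCE[a], False
    elif 15 - a in SWAP_SEQUENCE:
        seq, negate = SWAP_SEQUENCE[15 - a], True
    else:
        raise ValueError("no SWAP/NOT circuit for a = %d" % a)
    bits = to_bits(y)
    for i, j in seq:
        bits[i - 1], bits[j - 1] = bits[j - 1], bits[i - 1]
    if negate:
        bits = [1 - b for b in bits]
    return from_bits(bits)


def verified_multipliers():
    """The a's whose SWAP/NOT circuit agrees with a*y mod 15 for every y in 1..14."""
    return sorted(a for a in (2, 4, 7, 8, 11, 13)
                  if all(mul_mod15_circuit(a, y) == a * y % 15 for y in range(1, 15)))


def is_bit_permutation(a, N):
    """True iff y -> a*y mod N on the values 1..N-1 equals one fixed permutation
    of the n = N.bit_length() bit positions.  For N = 2^n - 1 and a = 2^k this is
    a rotation (2^n = 1 mod N); for other N, such as 21, no permutation works,
    because a permutation preserves the number of set bits and a*y mod N does not."""
    n = N.bit_length()
    for perm in permutations(range(n)):
        ok = True
        for y in range(1, N):
            bits = to_bits(y, n)
            if from_bits([bits[p] for p in perm]) != a * y % N:
                ok = False
                break
        if ok:
            return True
    return False


if __name__ == "__main__":
    print("verified multipliers mod 15:", verified_multipliers())
    for N, a in ((15, 2), (63, 4), (21, 2), (21, 4)):
        print("N=%d, a=%d: bit permutation? %s" % (N, a, is_bit_permutation(a, N)))
```

For *N* = 15 and *N* = 63 the multiplications by powers of two are pure bit rotations, whereas for *N* = 21 (the target of Sect. 4.2) neither *a* = 2 nor *a* = 4 admits any such permutation, which is the concrete sense in which these circuits rely on the target composite.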

## **4 Quantum Circuits That Explicitly Use the Order Information**

This section presents two experiments that explicitly use the order information. We emphasize that these experiments are inappropriate as implementations of factoring algorithms, because the purpose of Shor's algorithm is precisely to find the order of the given element.

## *4.1 Quantum Factoring Experiment of N* **= 15** *Shown in Politi (2009)*

The authors of Politi (2009) conducted an experiment that factorized 15 with the element *a* = 7. The order of *a* = 7 is 4. Because the order is 4, only four values, namely 1, 7, 4, and 13, can appear in the second register, and the authors utilized this property. They represented these four values by two bits. Concretely speaking, they adopted the following encoding: 1 → 0 (= (00)<sub>2</sub>), 7 → 1 (= (01)<sub>2</sub>), 4 → 2 (= (10)<sub>2</sub>), 13 → 3 (= (11)<sub>2</sub>).

As described previously, it is sufficient to implement the multiplication circuits for 7 and 4. Under this encoding, the multiplication by 7 corresponds to the addition of 1 and the multiplication by 4 corresponds to the addition of 2 (modulo 4). These operations can be implemented using only one C–NOT gate. Summing up the above-mentioned discussion, the entire circuit is depicted in Fig. 6.

**Fig. 6** Quantum circuit for *N* = 15 in Politi (2009)

**Fig. 7** Unitary operations *U*<sub>+</sub> and *U*<sub>−</sub>

## *4.2 Quantum Factoring Experiment of N* **= 21** *Shown in Martin-Lopez et al. (2012)*

The target of this experiment is 21. In this experiment, *a* is set to *a* = 4. Because *a*<sup>3</sup> mod 21 = 1, the order of *a* modulo 21 is given by 3. Note that the purpose of Shor's algorithm is to obtain the order 3. The only three elements, namely, 1, 4, and 16 can appear in the second register.

It is sufficient to construct the quantum circuits *U*<sub>4<sup>2<sup>*k*</sup></sup> mod 21</sub> for *k* = 0, 1, 2, … for the modular exponentiation. Note that 4<sup>2<sup>*k*</sup></sup> mod 21 = 4 for even *k* and 4<sup>2<sup>*k*</sup></sup> mod 21 = 16 for odd *k*. Then, it is sufficient to apply the unitary operation *U*<sub>4</sub> for even *k* and *U*<sub>16</sub> for odd *k*.

In the experiment of Martin-Lopez et al. (2012), the following encoding is adopted, as in the case of *N* = 15:

$$1 \to 0, \quad 4 \to 1, \quad 16 \to 2.$$

We consider the multiplication with 4 and 16 under the aforementioned encoding. The multiplication with 4 is mapped into addition with +1, and the multiplication with 16 is mapped into addition with +2 or, equivalently, −1.

The experiment in Martin-Lopez et al. (2012) utilized a *qutrit*, a three-level quantum system, as the second register instead of qubits. We denote the unitary operations by

$$U_+ \colon |x\rangle \mapsto |x + 1 \bmod 3\rangle, \quad U_- \colon |x\rangle \mapsto |x - 1 \bmod 3\rangle.$$

The operations *U*<sub>+</sub> and *U*<sub>−</sub> act on the quantum states as depicted in Fig. 7.

**Fig. 8** Quantum circuit for *N* = 21 in Martin-Lopez et al. (2012)

Using the above-mentioned notation, Fig. 8 depicts the quantum circuit for factoring *N* = 21 described in Martin-Lopez et al. (2012). Here, in the circuit construction, the so-called qubit-recycling technique is employed to reduce the number of qubits. For the details of the qubit-recycling technique, refer to Martin-Lopez et al. (2012).

#### *4.3 Oversimplified Shor's Algorithm (Smolin et al. 2013)*

As described previously, the purpose of Shor's algorithm is to find the order of a given element. Hence, the circuit that explicitly utilizes the order information is inappropriate for (even the simplified version of) Shor's factoring algorithm. If we can use the order information, we can, in principle, factorize any large composite. We will explain the details of this fact by following the description provided in Smolin et al. (2013).

The modular exponentiation part in Shor's algorithm constructs the quantum superposition

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} |x\rangle |a^x \bmod N\rangle$$

from the flat superposition

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} |x\rangle |1\rangle.$$

However, the circuits described in this section construct the quantum superposition

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} |x\rangle |x \bmod r\rangle$$

from the flat superposition

$$\frac{1}{2^{m/2}}\sum_{x=0}^{2^m-1} |x\rangle |0\rangle.$$

In this discussion, the following encoding is employed:

$$a^x \bmod N \mapsto x \bmod r.$$

This encoding includes the encodings described in Sects. 4.1 (*r* = 4) and 4.2 (*r* = 3) as special cases. This discussion is mathematically correct, but it is inappropriate from the computational viewpoint because finding the order *r* is strongly believed to be infeasible in classical polynomial time.

This circuit is constructed on the basis of knowledge of the order *r*. Under this encoding, the operation *U*<sub>*a*<sup>2<sup>*j*</sup></sup></sub> is transformed into the addition of 2<sup>*j*</sup> mod *r*. Assume that *r* = 4. The unitary operation *U*<sub>*a*<sup>2<sup>*j*</sup></sup></sub> for *j* = 0 corresponds to the addition of 1; that for *j* = 1 corresponds to the addition of 2; that for *j* ≥ 2 corresponds to the identity operation. Next, assume that *r* = 3. The unitary operation *U*<sub>*a*<sup>2<sup>*j*</sup></sup></sub> for even *j* corresponds to the addition of 1; that for odd *j* corresponds to the addition of 2 or, equivalently, −1. Note that all the additions are performed modulo 3.
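The reduction just described can be written out and checked mechanically. The following is an added example, not code from the paper: it derives the addition schedule 2<sup>*j*</sup> mod *r* for the two experimental parameter sets (*N* = 15, *a* = 7, *r* = 4 and *N* = 21, *a* = 4, *r* = 3), simulates the order-aware second register as a sequence of controlled additions, and confirms that decoding it through *x* mod *r* ↦ *a*<sup>*x*</sup> mod *N* reproduces the genuine modular exponentiation for every *x*. Function names are ours; only the Python standard library is used.

```python
# Added example (not from the paper): the "oversimplified" encoding
# a^x mod N -> x mod r of Sect. 4.3, with the controlled additions of 2^j mod r
# that replace U_{a^{2^j}}.  It verifies the two experimental parameter sets and
# shows that the resulting circuit depends on r alone, never on N or a.


def multiplicative_order(a, N):
    """Smallest r >= 1 with a^r = 1 (mod N), by brute force (fine for tiny N).
    This is the quantity Shor's algorithm is meant to compute."""
    r, v = 1, a % N
    while v != 1:
        v = v * a % N
        r += 1
    return r


def addition_schedule(r, m):
    """Constants added to the second register in place of U_{a^{2^j}},
    j = 0..m-1, namely 2^j mod r (0 means the identity, e.g. r = 4 and j >= 2)."""
    return [pow(2, j, r) for j in range(m)]


def oversimplified_second_register(x, r):
    """Second register produced by the order-aware circuit on input |x>|0>:
    for each set bit j of x, add 2^j mod r.  The result is x mod r."""
    acc = 0
    for j, c in enumerate(addition_schedule(r, x.bit_length())):
        if (x >> j) & 1:
            acc = (acc + c) % r
    return acc


def encoding_is_faithful(a, N, m):
    """True iff decoding the order-aware circuit's output through the table
    x mod r -> a^x mod N reproduces |a^x mod N> for every x < 2^m.  Building the
    decoding table already requires r, which is the whole point of Sect. 4.3."""
    r = multiplicative_order(a, N)
    decode = {x: pow(a, x, N) for x in range(r)}
    return all(decode[oversimplified_second_register(x, r)] == pow(a, x, N)
               for x in range(2 ** m))


if __name__ == "__main__":
    print("N=15, a=7: r =", multiplicative_order(7, 15), "schedule", addition_schedule(4, 6))
    print("N=21, a=4: r =", multiplicative_order(4, 21), "schedule", addition_schedule(3, 6))
    print(encoding_is_faithful(7, 15, 8), encoding_is_faithful(4, 21, 10))
```

The decoding table for *N* = 15 is exactly the inverse of the encoding of Sect. 4.1, and `oversimplified_second_register` takes no argument other than *r*, which makes explicit that nothing about the composite enters the circuit once the order is assumed.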

To indicate that this kind of circuit that explicitly utilizes the order information is meaningless for the implementations of Shor's factoring algorithm, Smolin et al. (2013) presented the factoring circuits by using an element with order 2. Because the order *r* is 2, it is sufficient to construct the superposition as follows:

$$\frac{1}{\sqrt{2}}\sum_{x=0}^{1}|x\rangle|0\rangle \mapsto \frac{1}{\sqrt{2}}\sum_{x=0}^{1}|x\rangle|x\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle).$$

Figure 9 depicts the entire circuit described in Smolin et al. (2013).

We can find an element with order 2 for a large composite *N* using the following algorithm.

**Input:** *k* ∈ ℤ

**Output:** a 2*k*-bit composite *N* and an element *a* with order 2 modulo *N*

**Step 1:** Generate two distinct *k*-bit primes *p* and *q* at random and set *N* = *pq*.

**Step 2-1:** Calculate *q̄* = *q*<sup>−1</sup> mod *p*. **Step 2-2:** Calculate *a* = −1 + 2*qq̄*.

Furthermore, we provide SageMath (2020) code for the above-mentioned algorithm with 2048-bit RSA parameters (*k* = 1024).

```
k = 1024
# Step 1: two random k-bit primes; proof=False skips the deterministic primality proof
p = random_prime(2^k-1, False, 2^(k-1))
q = random_prime(2^k-1, False, 2^(k-1))
N = p*q
# Step 2: a == 1 (mod p) and a == -1 (mod q) by the Chinese remainder theorem
a = crt(1, -1, p, q)
```
We can easily verify that *a* ≡ +1 (mod *p*) and *a* ≡ −1 (mod *q*). Because *a*<sup>2</sup> ≡ 1 (mod *p*) and *a*<sup>2</sup> ≡ 1 (mod *q*), we have *a*<sup>2</sup> ≡ 1 (mod *N*), and the order of *a* is a divisor of 2, implying that the order is 1 or 2. Because *a* ≢ 1 (mod *N*), we can assert that the order of *a* is exactly 2. Furthermore, as gcd(*a*<sup>2/2</sup> − 1, *N*) = gcd(*a* − 1, *N*) = *p*, we can find the prime factor *p* of *N*.

**Table 4** Level of quantum experiments for factoring

In Smolin et al. (2013), the authors presented the prime factorization of a 20,000-bit composite in this way, showing that this kind of oversimplification is meaningless for the implementation of Shor's factoring algorithm.
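The algorithm of Steps 1 to 2-2 and the verification that follows it can be carried out in plain Python as well. The following is an added example, not code from the paper or from Smolin et al. (2013): a Miller–Rabin test stands in for SageMath's `random_prime`, the order-2 element is computed with the formula of Step 2-2 rather than `crt`, and the bit size is a parameter so that the checks run quickly. Function names and the seed are ours.

```python
# Added example (not from the paper): a plain-Python rendering of the SageMath
# snippet above together with the verification in the text.  A Miller-Rabin
# test replaces Sage's random_prime(); the bit size k is a parameter.
import random
from math import gcd


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; a composite n passes with probability at most 4^-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime_bits(k, rng):
    """Random odd prime with exactly k bits, i.e. in [2^(k-1), 2^k - 1]."""
    while True:
        cand = rng.getrandbits(k) | (1 << (k - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def order_two_element(p, q):
    """Steps 2-1 and 2-2: qbar = q^-1 mod p, a = -1 + 2*q*qbar, reduced mod N.
    Then a = 1 (mod p) and a = -1 (mod q), so a^2 = 1 (mod N) while a != 1."""
    qbar = pow(q, p - 2, p)          # inverse by Fermat's little theorem (p prime)
    return (-1 + 2 * q * qbar) % (p * q)


def oversimplified_factoring_instance(k, seed=2019):
    """Return (p, q, N, a, factor): a 2k-bit N = pq, an element a of order 2, and
    gcd(a^(r/2) - 1, N) = gcd(a - 1, N), which equals p.  Everything here is
    classical and polynomial-time once p and q are known, which is why a
    circuit that needs r demonstrates nothing about factoring."""
    rng = random.Random(seed)          # fixed seed so the example is reproducible
    p = random_prime_bits(k, rng)
    q = random_prime_bits(k, rng)
    while q == p:
        q = random_prime_bits(k, rng)
    N = p * q
    a = order_two_element(p, q)
    return p, q, N, a, gcd(a - 1, N)


if __name__ == "__main__":
    p, q, N, a, f = oversimplified_factoring_instance(1024)   # 2048-bit N as in the paper
    print("N has", N.bit_length(), "bits; a^2 mod N =", pow(a, 2, N), "; a == 1:", a == 1)
    print("gcd(a - 1, N) == p:", f == p)
```

Running it with *k* = 1024 reproduces the paper's 2048-bit setting; the order-2 element and the factor are obtained in a fraction of a second, because the construction starts from the factorization it is supposed to produce.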

#### **5 Summary and Concluding Remarks**

We reviewed the resource estimation of quantum factoring based on Shor's algorithm. We then presented a survey of the state-of-the-art circuit constructions used in experiments. We pointed out that some of them are inappropriate as factoring circuits because the order information was embedded in the circuits (Sect. 4). The others relied considerably on properties of the target composite, and hence they do not extend to general composites (Sect. 3).

More experiments on factoring based on Shor's algorithm will be conducted using various devices. As we mentioned in this paper, we have to carefully analyze the circuit construction.

Based on the current status of quantum experiments for factoring, we introduce the following three levels of circuit construction for quantum factoring.


Table 4 presents the levels for quantum factoring circuits shown in this paper. As can be seen, there is no experiment with Level 3.

**Acknowledgements** This research was partially supported by JST CREST Grant Number JPMJCR14D6, Japan and JSPS KAKENHI Grant Number JP16H02780. The authors thank Dr. Tetsuya Izu, who gave the information about quantum factoring circuits. They also thank Prof. Naoki Yamamoto and Prof. Yutaka Shikano for helpful discussions.

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Towards Constructing Fully Homomorphic Encryption without Ciphertext Noise from Group Theory**

**Koji Nuida**

**Abstract** In CRYPTO 2008, 1 year earlier than Gentry's pioneering "bootstrapping" technique for the first fully homomorphic encryption (FHE) scheme, Ostrovsky and Skeith III had suggested a completely different approach towards achieving FHE. They showed that the NAND operator can be realized in some *non-commutative* groups; consequently, homomorphically encrypting the elements of the group will yield an FHE scheme, without ciphertext noise to be bootstrapped. However, no observations on how to homomorphically encrypt the group elements were presented in their paper, and there have been no follow-up studies in the literature. The aim of this paper is to exhibit more clearly what is sufficient and what seems to be effective for constructing FHE schemes based on their approach. First, we prove that it is sufficient to find a surjective homomorphism π : *G*′ → *G* between finite groups for which bit operators are realized in *G* and the elements of the kernel of π are indistinguishable from the general elements of *G*′. Secondly, we propose new methodologies to realize bit operators in some groups *G*. Thirdly, we give an observation that a naive approach using matrix groups would never yield secure FHE due to an attack utilizing the "linearity" of the construction. Then we propose an idea to avoid such "linearity" by using combinatorial group theory. Concretely realizing FHE schemes based on our proposed framework is left as a future research topic.

**Keywords** Fully homomorphic encryption · Non-commutative group · Combinatorial group theory

National Institute of Advanced Industrial Science and Technology (AIST), Tokyo, Japan

K. Nuida (B)

Graduate School of Information Science and Technology, The University of Tokyo, Tokyo, Japan e-mail: nuida@mist.i.u-tokyo.ac.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_8

### **1 Introduction**

Until the pioneering work by Gentry (2009) in 2009, it had been a long-standing open problem to construct *fully homomorphic encryption* (*FHE*) that enables arbitrary "computation on encrypted data" via "homomorphic" operations on the ciphertexts. After Gentry's work, studies of FHE to improve the efficiency (e.g. Chillotti et al. 2016; Ducas and Micciancio 2015; Gentry et al. 2012; Stehlé and Steinfeld 2010) and to give various frameworks of construction (e.g. Brakerski and Vaikuntanathan 2011; Cheon and Stehlé 2015; van Dijk et al. 2010; Gentry and Halevi 2011; Nuida and Kurosawa 2015) have been one of the main research topics in cryptology (see, e.g. Silverberg 2013 for a survey). Here we emphasize that all the previous FHE schemes in the literature rely on Gentry's "bootstrapping" framework. Namely, ciphertexts for these FHE schemes involve "noise" terms to conceal plaintexts, and the noise is increased by homomorphic operations and will finally collapse the ciphertext; hence the increased noise must be cancelled before the collapse. The bootstrapping, which is the additional procedure for noise cancellation, is a major bottleneck for efficiency improvement, makes the syntax of FHE less analogous to classical homomorphic encryption, and causes somewhat unclear treatments regarding so-called circular security.

On the other hand, in 2008 (1 year earlier than Gentry 2009), Ostrovsky and Skeith III (2008) had suggested a completely different, group-theoretic approach towards achieving FHE. Namely, they showed that the NAND operator (which is sufficient for constructing arbitrary bit operators) can be realized (in a certain suitable sense) in some *non-commutative* groups. Consequently, if the elements of the underlying group can be homomorphically encrypted, then it will yield an FHE scheme where the ciphertexts involve no noise terms; hence, the bootstrapping procedure will no longer be required. However, no observations on how to homomorphically encrypt the group elements were presented in their paper and, to the author's best knowledge, there have been no follow-up studies in the literature based on their approach. The aim of this paper is to exhibit more clearly what is sufficient and what seems to be effective for constructing "noise-free" FHE schemes based on their approach.

#### *1.1 Our Contributions*

In Sect. 3, we revisit the approach towards constructing FHE suggested in Ostrovsky and Skeith (2008). We give a formalization of "realizations of bit operators in groups" in a slightly generalized manner (e.g. our formalization can also handle probabilistic realizations of bit operators, which were not considered in Ostrovsky and Skeith 2008). Then we reduce the problem of "homomorphically encrypting the elements of a group $G$" to finding a surjective homomorphism $\pi : \widetilde{G} \to G$ from another finite group $\widetilde{G}$ (which plays the role of the ciphertext space) satisfying certain conditions and prove that the resulting FHE scheme is CPA-secure if the elements of the kernel of $\pi$ ($\ker \pi$) are indistinguishable from the general elements of $\widetilde{G}$ even when a certain generating set of $\ker \pi$ is publicly given. This clarifies the problem to be solved from a group-theoretic viewpoint.

In Sect. 4, we propose new methodologies to realize bit operators in some groups, which are different from the previous methodology in Ostrovsky and Skeith (2008) analogous to Barrington's theorem (Barrington 1986) (recalled in Sect. 4.1). Our result enlarges the possibility of the underlying group $G$ to find a suitable construction.

Finally, in Sect. 5, we give some observations and discussions on how to find a suitable homomorphism $\pi : \widetilde{G} \to G$. In Sect. 5.2, we give an observation that a naive approach to construct the group $\widetilde{G}$ by embedding a matrix group $G$ into a larger matrix group and then taking its random conjugate would never yield a secure FHE scheme, due to the existence of a kind of "linear" constraint that separates the elements of $\ker \pi$ from general elements of $\widetilde{G}$ (where the "linearity" causes such a constraint not to disappear even when taking a random conjugate). This observation shows the importance of finding a homomorphism $\pi : \widetilde{G} \to G$ onto a given underlying group $G$ without linear constraints for elements of $\ker \pi$. Towards constructing such a homomorphism $\pi$, in Sect. 5.3, we propose another approach using combinatorial group theory, i.e. the properties of presentations of groups in terms of generators and fundamental relations. Then, in Sect. 5.4, we discuss several problems to be resolved in order to realize our proposed approach, many of which would be of independent interest from mathematical viewpoints.

### **2 Preliminaries**

Let $a \leftarrow X$ mean that a random variable $X$ takes a value $a$. Let $a \leftarrow_R X$ mean that an element $a$ is chosen uniformly at random from a finite set $X$. The *statistical distance* between two probability distributions $X, Y$ over a finite set $A$ is defined by $\Delta(X, Y) = (1/2) \sum_{z \in A} |\Pr[z \leftarrow X] - \Pr[z \leftarrow Y]|$. For $\varepsilon \ge 0$, we say that $X$ is $\varepsilon$*-close* to $Y$, if $\Delta(X, Y) \le \varepsilon$. We say that a function $\varepsilon = \varepsilon(\lambda) \ge 0$ is *negligible*, if $\varepsilon = \lambda^{-\omega(1)}$. We say that $\varepsilon \in [0, 1]$ is *overwhelming*, if $1 - \varepsilon$ is negligible; and $\varepsilon$ is *noticeable*, if there exist integers $n \ge 1$ and $\lambda_0 > 0$ for which we have $\varepsilon > \lambda^{-n}$ for every $\lambda > \lambda_0$.

A *public-key encryption* (*PKE*) scheme consists of the following three algorithms. The *key generation algorithm* $\mathsf{Gen}(1^\lambda)$ outputs a pair of a public key pk and a secret key sk. The *encryption algorithm* $\mathsf{Enc}(m) = \mathsf{Enc}_{\mathsf{pk}}(m)$ outputs a ciphertext for a plaintext $m$. The *decryption algorithm* $\mathsf{Dec}(c) = \mathsf{Dec}_{\mathsf{sk}}(c)$ for a ciphertext $c$ outputs either a plaintext or a "failure" symbol $\bot$. The *correctness* of a PKE scheme means that, for any plaintext $m$, the probability $\Pr[\mathsf{Dec}_{\mathsf{sk}}(\mathsf{Enc}_{\mathsf{pk}}(m)) \ne m]$ (taken over the internal randomness for the algorithms) is negligible.

For a finite set M, we say that a set F of operators on M is *functionally complete*, if any (multivariate) function with inputs and outputs in M can be computed by combining operators in F. We say that a PKE scheme with plaintext space M is a *fully homomorphic encryption* (*FHE*) scheme, if there exist a functionally complete set F of operators on M and an efficient *homomorphic evaluation algorithm* Eval with the property that, for each, say $n$-ary operator $f \in F$ ($f : M^n \to M$) and for given ciphertexts $c_i$ for plaintexts $m_i$ ($i = 1, \dots, n$), the algorithm $\mathsf{Eval}_{\mathsf{pk}}(f; c_1, \dots, c_n)$ outputs a ciphertext for plaintext $f(m_1, \dots, m_n) \in M$ with overwhelming probability.

We say that a PKE scheme with plaintext space M is *CPA-secure*, if for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the *advantage* $\mathrm{Adv}_{\mathcal{A}}(\lambda) = |\Pr[b = b^*] - 1/2|$ of $\mathcal{A}$ is negligible, where $\Pr[b = b^*]$ is the probability that $b = b^*$ holds in the following game:

$$\begin{aligned} (\mathsf{pk}, \mathsf{sk}) &\leftarrow \mathsf{Gen}(1^{\lambda}) \; ; \; (m_0, m_1, \mathsf{st}) \leftarrow \mathcal{A}(\mathsf{submit}, 1^{\lambda}, \mathsf{pk}) \; ; \\ b^* &\leftarrow_R \{0, 1\} \; ; \; c^* \leftarrow \mathsf{Enc}_{\mathsf{pk}}(m_{b^*}) \; : \; b \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^*) \; . \end{aligned}$$

The reader may refer to a textbook of group theory (e.g. Robinson 1996) for definitions and basic facts for groups mentioned without explicit references.

### **3 Our Framework for FHE**

In this section, we describe our framework towards constructing FHE free from ciphertext noise. This can be seen as formalizing a framework suggested in Khamsemanan et al. (2016) and Ostrovsky and Skeith (2008).

#### *3.1 Group-Theoretic Realization of Functions*

Roughly speaking, a group-theoretic realization of a function in a group is emulating the function "by using the group operators only". To formalize it, we prepare some definitions. Let $w = w(x_1, \dots, x_n)$ be a sequence of finite length over the alphabet $\{x_1, x_1^{-1}, \dots, x_n, x_n^{-1}\}$, called a *group word* with variables $x_1, \dots, x_n$. Then one can *substitute* given elements $g_1, \dots, g_n$ of a group into the variables $x_1, \dots, x_n$ in $w(x_1, \dots, x_n)$ to yield an element of the same group, denoted by $w(g_1, \dots, g_n)$.

Then we define a group-theoretic realization of functions as follows. In comparison to a similar definition in Khamsemanan et al. (2016) that was deterministic with a single component, our formulation here also covers probabilistic situations with multiple components.

**Definition 1** Let $G$ be a group and M be a set. Let F be a set of functions of the form $f : M^{\ell_f} \to M$ with $\ell_f \ge 1$. We define a *group-theoretic realization* (or simply a *realization*) *of* F *in* $G$ to be a collection of the following objects:

• a polynomially bounded integer *n* ≥ 1, which we call the *degree* of the realization;


satisfying the following condition, where negl is some negligible value: For any $f \in F$, any $m_1, \dots, m_{\ell_f} \in M$, and any $\vec{g}_i = (g_{i,1}, \dots, g_{i,n}) \in X_{m_i}$ ($i = 1, \dots, \ell_f$), the probability $\Pr[\vec{w}_f(\vec{g}_1, \dots, \vec{g}_{\ell_f}, r_1, \dots, r_k) \notin X_{f(m_1, \dots, m_{\ell_f})}]$ taken over the random choices of values of $r_1, \dots, r_k \in G$ is not larger than negl.

For each $f \in F$, we denote by $\mathcal{A}_f$ an algorithm that, for given inputs $\vec{g}_1, \dots, \vec{g}_{\ell_f} \in G^n$, outputs $\vec{w}_f(\vec{g}_1, \dots, \vec{g}_{\ell_f}, r_1, \dots, r_k) \in G^n$ where the values of the random variables $r_1, \dots, r_k$ are sampled according to the specified distributions.

We note that, in the formulation above, some of the random variables $r_h$ may take a constant value in $G$. When all the random variables appearing in a realization are constant, we call the realization *deterministic*, or else call it *probabilistic*.


#### *3.2 Lift of Realization of Functions*

Given a group homomorphism $\widetilde{G} \to G$ and a realization of functions in the target group $G$, the notion of a "lift" of the realization up to the source group $\widetilde{G}$ defined below plays the role of homomorphic operations in our proposed framework for FHE. We note that such a notion was not introduced in the previous work (Khamsemanan et al. 2016; Ostrovsky and Skeith 2008).

**Definition 2** We suppose that a set F of functions on M has a realization in a group $G$ as in Definition 1. Let $\pi : \widetilde{G} \to G$ be a surjective group homomorphism. We define a *lift* of the realization up to $\widetilde{G}$ to be a collection of polynomial-time samplable random variables $\tilde r_1, \dots, \tilde r_k$ on $\widetilde{G}$ with the property that each value $\pi(\tilde r_h) \in G$ has the same probability distribution as $r_h$. Then for each $f \in F$, we denote by $\widetilde{\mathcal{A}}_f$ an algorithm that outputs $\vec{w}_f(\vec{\tilde g}_1, \dots, \vec{\tilde g}_{\ell_f}, \tilde r_1, \dots, \tilde r_k) \in (\widetilde{G})^n$ for given inputs $\vec{\tilde g}_1, \dots, \vec{\tilde g}_{\ell_f} \in (\widetilde{G})^n$ where the values of the random variables $\tilde r_1, \dots, \tilde r_k$ are sampled according to the specified distributions.

In the following, we also write as $\pi$ the map $(\widetilde{G})^n \to G^n$ with $\pi(\tilde g_1, \dots, \tilde g_n) = (\pi(\tilde g_1), \dots, \pi(\tilde g_n))$.

**Lemma 1** *In the situation of Definition 2, let* $f \in F$, $m_1, \dots, m_{\ell_f} \in M$, *and let* $\vec{\tilde g}_i \in (\widetilde{G})^n$ *satisfy* $\pi(\vec{\tilde g}_i) \in X_{m_i}$ *for each* $i = 1, \dots, \ell_f$. *Then the probability* $\Pr[\pi(\widetilde{\mathcal{A}}_f(\vec{\tilde g}_1, \dots, \vec{\tilde g}_{\ell_f})) \notin X_{f(m_1, \dots, m_{\ell_f})}]$ *is bounded by the same negligible value* negl *as in Definition 1.*


*Proof* As $\pi : \widetilde{G} \to G$ is a group homomorphism, we have

$$\pi(w_{f;i}(\vec{\tilde g}_1, \dots, \vec{\tilde g}_{\ell_f}, \tilde r_1, \dots, \tilde r_k)) = w_{f;i}(\pi(\vec{\tilde g}_1), \dots, \pi(\vec{\tilde g}_{\ell_f}), \pi(\tilde r_1), \dots, \pi(\tilde r_k))$$

for each component $w_{f;i}$ of $\vec{w}_f$ and any values of the random variables $\tilde r_h$. By Definition 1, the claim follows from the fact that the probability distribution of each $\pi(\tilde r_h)$ is identical to that of $r_h$. □

#### *3.3 The Proposed Framework*


Based on the definitions above, here we describe our proposed framework for constructing FHE:


Then output a public key pk consisting of $\widetilde{G}$, $\tilde r_{\ker}$, $\widetilde{\mathfrak{gen}}_m$ for all $m \in M$, and the algorithms $\widetilde{\mathcal{A}}_f$ for all $f \in F$ appearing in the lift of the realization of F; and output a secret key sk consisting of $G$, $\pi$, and $X_m$ for all $m \in M$.


The correctness of Enc is obvious; when $\vec{c} = \widetilde{\mathfrak{gen}}_m \cdot \tilde r_{\ker} \leftarrow \mathsf{Enc}_{\mathsf{pk}}(m)$, we have

$$\pi(\vec{c}) = \pi(\widetilde{\mathfrak{gen}}_m) \cdot (\pi(\tilde r_{\ker,1}), \dots, \pi(\tilde r_{\ker,n})) = \pi(\widetilde{\mathfrak{gen}}_m) \cdot (1_G, \dots, 1_G) = \pi(\widetilde{\mathfrak{gen}}_m) \in X_m$$

as $\tilde r_{\ker,i} \in \ker \pi$ for each $i$. The correctness of Eval is just a restatement of Lemma 1. On the other hand, for the security, we have the following result:

**Theorem 1** *In the setting above, suppose that $\widetilde{G}$ is a finite group with polynomial-time computable group operators, and suppose either $n = 1$ or that the uniform distribution over $\widetilde{G}$ is polynomial-time samplable. Then, our proposed FHE scheme is CPA-secure if the subgroup membership problem for $\ker \pi \subseteq \widetilde{G}$ with respect to the random variable $\tilde r_{\ker}$ with auxiliary input* pk *is computationally hard, that is, for any PPT adversary $\mathcal{A}^\dagger$, the advantage $\mathrm{Adv}_{\mathcal{A}^\dagger}(\lambda) = |\Pr[b = b^\dagger] - 1/2|$ of $\mathcal{A}^\dagger$ in the following game is negligible:*

$$(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{Gen}(1^{\lambda}) \; ; \; b^{\dagger} \leftarrow_R \{0, 1\} \; ; \; \begin{cases} g^{\dagger} \leftarrow_R \widetilde{G} & (b^{\dagger} = 1) \\ g^{\dagger} \leftarrow \tilde r_{\ker} & (b^{\dagger} = 0) \end{cases} \; : \; b \leftarrow \mathcal{A}^{\dagger}(1^{\lambda}, \mathsf{pk}, g^{\dagger}) \; .$$

*Proof* Let $\mathcal{A}$ be any PPT CPA adversary for our scheme. Then we define an adversary $\mathcal{A}^\dagger$ for the subgroup membership problem specified in the statement as follows:


$$\begin{aligned} &c^{b^*, b^\dagger, i} \\ &= (\widetilde{\mathfrak{gen}}_{m_{b^*},1}\,\rho_1, \dots, \widetilde{\mathfrak{gen}}_{m_{b^*},i-1}\,\rho_{i-1}, \widetilde{\mathfrak{gen}}_{m_{b^*},i}\, g^\dagger, \widetilde{\mathfrak{gen}}_{m_{b^*},i+1}\, u_{i+1}, \dots, \widetilde{\mathfrak{gen}}_{m_{b^*},n}\, u_n) \end{aligned}$$

with independent random values $\rho_1, \dots, \rho_{i-1}$ of $\tilde r_{\ker}$ and $u_{i+1}, \dots, u_n \leftarrow_R \widetilde{G}$.

3. The adversary $\mathcal{A}^\dagger$ outputs $b = \mathsf{XOR}(b^*, b')$.

Note that this adversary $\mathcal{A}^\dagger$ is PPT as well as $\mathcal{A}$. Now we have

$$\mathrm{Adv}_{\mathcal{A}^\dagger}(\lambda) = |\Pr[b = b^\dagger] - 1/2| = \frac{1}{2} \left| \Pr[b = 0 \mid b^\dagger = 0] + \Pr[b = 1 \mid b^\dagger = 1] - 1 \right|$$

and

$$\begin{aligned} \Pr[b = 0 \mid b^\dagger = 0] &= \Pr[b' = b^* \mid b^\dagger = 0] \\ &= \sum_{i=1}^{n} \frac{1}{n} \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 0, i})] \end{aligned}$$

while

$$\begin{aligned} \Pr[b = 1 \mid b^\dagger = 1] &= 1 - \Pr[b' = b^* \mid b^\dagger = 1] \\ &= 1 - \sum_{i=1}^{n} \frac{1}{n} \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 1, i})] \; . \end{aligned}$$

By the choice of $g^\dagger$, for each $i = 1, \dots, n-1$ and any choice of $b^*$, the two tuples $c^{b^*, 0, i}$ and $c^{b^*, 1, i+1}$ follow an identical probability distribution. Therefore, we have


$$\begin{split} &\Pr[b = 0 \mid b^\dagger = 0] + \Pr[b = 1 \mid b^\dagger = 1] - 1 \\ &= \frac{1}{n} \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 0, n})] - \frac{1}{n} \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 1, 1})] \; . \end{split}$$

Now we have


$$c^{b^*, 1, 1} = (\widetilde{\mathfrak{gen}}_{m_{b^*},1}\, g^\dagger, \widetilde{\mathfrak{gen}}_{m_{b^*},2}\, u_2, \dots, \widetilde{\mathfrak{gen}}_{m_{b^*},n}\, u_n)$$

and the element $g^\dagger$ when $b^\dagger = 1$ is a uniformly random and independent element of $\widetilde{G}$ as well as $u_2, \dots, u_n$. This implies that $c^{b^*, 1, 1}$ is uniformly random over $(\widetilde{G})^n$ regardless of the choice of $b^*$; therefore, we have

$$\Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 1, 1})] = \frac{1}{2}$$

and

$$\mathrm{Adv}_{\mathcal{A}^\dagger}(\lambda) = \frac{1}{2n} \left| \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, c^{b^*, 0, n})] - \frac{1}{2} \right| \; .$$

Moreover, we have

$$c^{b^*, 0, n} = (\widetilde{\mathfrak{gen}}_{m_{b^*},1}\, \rho_1, \dots, \widetilde{\mathfrak{gen}}_{m_{b^*},n-1}\, \rho_{n-1}, \widetilde{\mathfrak{gen}}_{m_{b^*},n}\, g^\dagger)$$

and the element $g^\dagger$ when $b^\dagger = 0$ is a random value of $\tilde r_{\ker}$ as well as $\rho_1, \dots, \rho_{n-1}$. This implies that $c^{b^*, 0, n}$ follows the same probability distribution as $\mathsf{Enc}_{\mathsf{pk}}(m_{b^*})$; therefore, we have

$$\mathrm{Adv}_{\mathcal{A}^\dagger}(\lambda) = \frac{1}{2n} \left| \Pr[b^* \leftarrow \mathcal{A}(\mathsf{guess}, 1^{\lambda}, \mathsf{pk}, \mathsf{st}, \mathsf{Enc}_{\mathsf{pk}}(m_{b^*}))] - \frac{1}{2} \right| = \frac{1}{2n} \mathrm{Adv}_{\mathcal{A}}(\lambda) \; .$$

As the adversary $\mathcal{A}^\dagger$ is PPT, the assumption in the statement implies that $\mathrm{Adv}_{\mathcal{A}^\dagger}(\lambda)$ is negligible; therefore, $\mathrm{Adv}_{\mathcal{A}}(\lambda)$ is also negligible as $n$ is polynomially bounded. This completes the proof of Theorem 1. □

### **4 Examples of Realizations of Functions in Groups**

#### *4.1 Deterministic Case: Known Result*

The following result (which is restated according to our terminology here) was proved in the previous work (Khamsemanan et al. 2016; Ostrovsky and Skeith 2008) (see, e.g. Theorem 2.1 of Ostrovsky and Skeith 2008).

**Proposition 1** (Khamsemanan et al. 2016; Ostrovsky and Skeith 2008) *Let G be any non-commutative finite simple group. Then there exists a deterministic, degree-*1 *group-theoretic realization of* NAND *in G.*

We note that its proof, utilizing the commutators $[g, h] = g h g^{-1} h^{-1}$ in a way analogous to Barrington's theorem (Barrington 1986), is in general not constructive. A concrete construction was given in Sect. 6 of Khamsemanan et al. (2016) only for the smallest case $G = A_5$, where the group word has length 65.

#### *4.2 Deterministic Case: Proposed Constructions*

Here, we propose a completely different approach, which we call the *approximate-then-adjust method*, to obtain deterministic realizations of operators in some small groups. An intuitive explanation is as follows. For example, the operations $b_1 \mathrel{\mathsf{OR}} b_2$ and $b_1 + b_2 \bmod 3$ have equal outputs for all but one input pair, $(b_1, b_2) = (1, 1)$, in $\{0, 1\}^2$, and $1 + 1 \bmod 3 = 2$ (instead of $1 \mathrel{\mathsf{OR}} 1 = 1$) "overflows" the correct output set $\{0, 1\}$. As the operation $b_1 + b_2 \bmod 3$ is easily realizable by using a cyclic subgroup of order 3, the problem is reduced to realizing the "adjusting function" $0 \mapsto 0$, $1 \mapsto 1$, $2 \mapsto 1$ in a group.

In fact, by putting $\sigma_b = (1, 2, 3)^b \in S_5$ for $b \in \{0, 1, 2\}$ (where $S_k$ denotes the symmetric group on $k$ letters) and identifying each $\sigma_b$ with $b$, the adjusting function mentioned above can be realized by the group word

$$w^{\mathrm{out}}(g) = (1,5)(2,3,4)\, g\, (2,3,4)\, g\, (3,4)\, g^2\, (2,3)(4,5)\, g\, (2,3,4)\, g\, (3,4)\, g^2\, (1,4,2,5)$$

(formally, the left-hand side is an abbreviation of $w^{\mathrm{out}}(g, \vec{y})$ where the variables in $\vec{y}$ take the constant values over $G = S_5$ appearing in the right-hand side). This adjusting function defined by $w^{\mathrm{out}}$ is also applicable to the other operations NAND, XOR, and EQ (= NOT ∘ XOR). Namely, by putting

$$\begin{aligned} w^{\mathrm{in}}_{\mathsf{OR}}(g_1, g_2) &= g_1 g_2 \; , \quad w^{\mathrm{in}}_{\mathsf{NAND}}(g_1, g_2) = g_1^{-1} g_2^{-1} \sigma_1^{2} \; , \\ w^{\mathrm{in}}_{\mathsf{XOR}}(g_1, g_2) &= g_1^{-1} g_2 \; , \quad w^{\mathrm{in}}_{\mathsf{EQ}}(g_1, g_2) = g_1 g_2 \sigma_1^{-1} \; , \end{aligned}$$

an output of each $w^{\mathrm{in}}_f$ for inputs in $\{\sigma_0, \sigma_1\}$ becomes either equal (via the identification $\sigma_b \leftrightarrow b$) to $f$, or $\sigma_2$ ($\leftrightarrow 2$) instead of $\sigma_1$ ($\leftrightarrow 1$). Hence, the composition $w^{\mathrm{out}}(w^{\mathrm{in}}_f(g_1, g_2))$ gives a correct group word to realize the operator $f$ with $X_0 = \{\sigma_0 = 1_{S_5}\}$ and $X_1 = \{\sigma_1\}$. We also note that NOT is easily realized with the same $X_0$ and $X_1$ by $w_{\mathsf{NOT}}(g) = g^{-1} \sigma_1$.

This method is also applicable to realizing arithmetic operations for $\mathbb{F}_3$. We put $\sigma_b = (1, 2, 3)^b \in S_5$ for $b \in \{0, 1, 2\}$ again, and set $X_b = \{\sigma_b\}$ for each $b$. Then the addition $+$ is easily realized by $w_+(g_1, g_2) = g_1 g_2$. For the multiplication $\times$, the following group word

$$w^{\mathrm{in}}_{\times}(g_1, g_2) = g_1\, ((1,4)(2,3,5))^{-1}\, g_2\, (1,4)(2,3,5)$$

satisfies that $w^{\mathrm{in}}_{\times}(\sigma_{b_1}, \sigma_{b_2}) \in X'_{b_1 \times b_2 \bmod 3}$ for any $b_1, b_2 \in \{0, 1, 2\}$, where

$$\begin{aligned} X'_0 &= \{1_{S_5}, (2,4,5), (2,5,4), (1,2,3), (1,3,2)\} \\ X'_1 &= \{(1,2,4,5,3), (1,3,2,5,4)\} \\ X'_2 &= \{(1,2,5,4,3), (1,3,2,4,5)\} \; . \end{aligned}$$

On the other hand, by putting

$$\begin{aligned} w'_1(g) &= g^{3} \; , \quad w'_2(g) = w'_3(g) = (2,3,4)^{-1}\, g^{-1}\, (3,4,5)\, g^{2}\, (3,4,5)^{-1}\, g\, (2,3,4) \; , \\ w'_4(g) &= g\, (1,5,3,4,2)\, g^{-1}\, (1,5,3,4,2)^{-1}\, g\, (1,4,2,3,5)\, g^{-1}\, (1,4,2,3,5)^{-1} \; , \end{aligned}$$

the composed group word $w'^{\mathrm{out}}(g) = w'_4(w'_3(w'_2(w'_1(g))))$ satisfies that $w'^{\mathrm{out}}(g) = \sigma_b$ for any $b \in \{0, 1, 2\}$ and any $g \in X'_b$. Hence, the group word $w_{\times}(g_1, g_2) = w'^{\mathrm{out}}(w^{\mathrm{in}}_{\times}(g_1, g_2))$ realizes the operator $\times$ for $\mathbb{F}_3$, as desired. We note that the group words in the arguments above were found by heuristic searches; a systematic method to find such group words is a future research topic.

#### *4.3 Preliminaries: On Random Sampling of Group Elements*

In the probabilistic constructions described below, the following result by Dixon (2008) on almost uniform sampling over any finite group $G$ would be useful in implementation. We introduce a notation: for any $g_1, \dots, g_L \in G$, let $\mathsf{Sample}[g_1, \dots, g_L]$ denote the random variable that takes the value $g_1^{e_1} \cdots g_L^{e_L} \in G$ with $e_1, \dots, e_L \leftarrow_R \{0, 1\}$.

**Proposition 2** (Dixon 2008, Theorem 3) *Let G be a finite group, let* 0 ≤ ε < 1*, and let* U *be a random variable over G that is* ε*-close to the uniform random variable on G. Let L be a positive integer, and let h*, *k* ≥ 0*. If*

$$L \ge \frac{\log_2 |G| + h + 2k - 2}{\log_2 (2/(1+\varepsilon))} \; ,$$

*then we have* $\Pr_{g_1, \dots, g_L \leftarrow U}[\mathsf{Sample}[g_1, \dots, g_L] \text{ is not } 2^{-k}\text{-close to uniform}] < 2^{-h}$.

#### *4.4 Probabilistic Case: "Commutator-Separable" Groups*

We propose a degree-2 probabilistic realization of {NOT,AND} in the following class of groups.

**Definition 3** Let ε > 0. We say that a finite group *G* is ε*-commutator-separable*, if there exists a non-empty subset *Y* of *G* \ {1*G*} satisfying

$$\Pr_{u \leftarrow_R G} \left[ [u g u^{-1}, g'] \notin Y \right] \le \varepsilon \quad \text{for any } g, g' \in Y \; . \tag{1}$$

Moreover, we say that a family of finite groups *G* = *G*<sup>λ</sup> indexed by the security parameter λ is *commutator-separable*, if there exists a negligible function ε = ε(λ) for which *G* is ε-commutator-separable for any λ.

Let *G* be an ε-commutator-separable group. We put

$$X_0 = \{ (g_1, g_2) \in G^2 \mid g_1 \in Y,\ g_2 = 1_G \}, \qquad X_1 = \{ (g_1, g_2) \in G^2 \mid g_1 \in Y,\ g_2 = g_1 \} \; ,$$

where $Y \subseteq G \setminus \{1_G\}$ is as in Definition 3. Then NOT is easily realized by the group words (where $\vec{g} = (g_1, g_2)$)

$$\vec{w}_{\mathsf{NOT}}(\vec{g}) = (w_{\mathsf{NOT},1}(\vec{g}), w_{\mathsf{NOT},2}(\vec{g})) = (g_1, g_2^{-1} g_1) \; .$$

On the other hand, we define the (probabilistic) group words for AND by

$$\begin{split} \vec{w}_{\mathsf{AND}}(\vec{g}, \vec{g}') &= (w_{\mathsf{AND},1}(\vec{g}, \vec{g}'), w_{\mathsf{AND},2}(\vec{g}, \vec{g}')) \\ &= ([u g_1 u^{-1}, g'_1], [u g_2 u^{-1}, g'_2]) \quad \text{with } u \leftarrow_R G \; . \end{split}$$

For any $\vec{g}, \vec{g}' \in X_0 \cup X_1$, the condition (1) implies that $\Pr[w_{\mathsf{AND},1}(\vec{g}, \vec{g}') \notin Y] \le \varepsilon$ where the probability is taken over the random choice of $u$ in $\vec{w}_{\mathsf{AND}}(\vec{g}, \vec{g}')$. Moreover, when $\vec{g} \in X_0$ or $\vec{g}' \in X_0$, we have $g_2 = 1_G$ or $g'_2 = 1_G$; therefore, $w_{\mathsf{AND},2}(\vec{g}, \vec{g}') = 1_G$. On the other hand, when $\vec{g}, \vec{g}' \in X_1$, we have $g_2 = g_1$ and $g'_2 = g'_1$; therefore, $w_{\mathsf{AND},2}(\vec{g}, \vec{g}') = w_{\mathsf{AND},1}(\vec{g}, \vec{g}')$. Summarizing, $\vec{w}_{\mathsf{AND}}(\vec{g}, \vec{g}')$ is a realization of AND with error probability $\le \varepsilon$.

**Remark 1** Although only the *existence* of such a subset $Y$ is required in Definition 3, efficient samplability of an element of $Y$ is needed in order to use the realization as part of our proposed framework for FHE. In general, this is at least probabilistically achievable if the ratio $|G \setminus Y| / |G|$ is negligible; then a uniformly random element of $G$ is also an element of $Y$ except with negligible probability.

From now, we show that the groups $\mathrm{SL}_2(\mathbb{F}_q)$ and $\mathrm{PSL}_2(\mathbb{F}_q) = \mathrm{SL}_2(\mathbb{F}_q) / \{\pm I\}$ are commutator-separable if the order $q$ of the coefficient field $\mathbb{F}_q$ satisfies that $1/q$ is negligible. In the following, let $Z_H(g) = \{ h \in H \mid gh = hg \}$ denote the centralizer of $g$ in a group $H$. We note that $|Z_H(g)| = |H| / |g^H|$ for any $g \in H$, where $g^H = \{ h g h^{-1} \mid h \in H \}$ denotes the conjugacy class of $g$ in $H$.

**Lemma 2** *Let $H$ be a finite group, and let $X \subseteq H$. Then for any $x_1, x_2 \in H$, we have*

$$\Pr_{g \leftarrow_R H} \left[ [g x_1 g^{-1}, x_2] \in X \right] \le \frac{|X| \cdot |Z_H(x_1)| \cdot |Z_H(x_2)|}{|H|} \; .$$

*Proof* For $y \in X$, we have $[g x_1 g^{-1}, x_2] = y$ if and only if $(g x_1 g^{-1}) x_2 (g x_1 g^{-1})^{-1} = y x_2$. As the mapping $h \mapsto h z h^{-1}$ is a $|Z_H(z)|$-to-1 mapping for any $z \in H$, there are at most $|Z_H(x_2)|$ possibilities for the value of $g x_1 g^{-1}$ satisfying the condition $(g x_1 g^{-1}) x_2 (g x_1 g^{-1})^{-1} = y x_2$; and for each of them, there are at most $|Z_H(x_1)|$ possibilities for the value of $g$. This completes the proof. □

**Lemma 3** *Let $\phi : H_1 \to H_2$ be a surjective group homomorphism between two finite groups, and let $x \in H_1$. Then we have $|Z_{H_2}(\phi(x))| \le |Z_{H_1}(x)|$.*

*Proof* As $\phi$ is a surjective homomorphism, it is a $(|H_1| / |H_2|)$-to-1 mapping and we have $\phi(x^{H_1}) = \phi(x)^{H_2}$. Therefore $|x^{H_1}| \le (|H_1| / |H_2|) \cdot |\phi(x)^{H_2}|$, or equivalently $|H_2| / |\phi(x)^{H_2}| \le |H_1| / |x^{H_1}|$. Hence the claim holds. □

**Lemma 4** *For any $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{F}_q)$ with $A \ne \pm I$, we have $|Z_{\mathrm{SL}_2(\mathbb{F}_q)}(A)| \le 2q$ if $b \ne 0$ or $c \ne 0$, and $|Z_{\mathrm{SL}_2(\mathbb{F}_q)}(A)| = q - 1$ if $b = c = 0$.*

*Proof* Let $A = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \mathrm{SL}_2(\mathbb{F}_q)$ with $A \ne \pm I$, and let $X = \begin{pmatrix} x & y \\ z & w \end{pmatrix} \in Z_{\mathrm{SL}_2(\mathbb{F}_q)}(A)$; therefore, $\det(X) = 1$ and $XA = AX$. Then we have

$$xw - yz = 1, \; cy = bz, \; bx + dy = ay + bw, \; az + cw = cx + dz \; . $$

First, suppose that $b \ne 0$. Then we have $z = b^{-1} c y$ and $w = x + b^{-1}(d - a) y$, therefore $x^2 + b^{-1}(d - a) x y - b^{-1} c y^2 = 1$. Now for each $y \in \mathbb{F}_q$, the quadratic equation in $x$ has at most two solutions, and $z$ and $w$ are uniquely determined from $x$ and $y$ by the relations above. This implies that the number of possible $X$ is at most $2q$. The argument for the case $c \ne 0$ is similar; $x$ and $y$ are linear combinations of $z$ and $w$, and $w$ satisfies a quadratic equation when an element $z \in \mathbb{F}_q$ is fixed; therefore, the number of possible $X$ is at most $2q$.

On the other hand, suppose that $b = c = 0$. By the condition $\det(A) = 1$, we have $ad = 1$; therefore, $a \ne 0$ and $d \ne 0$. Now we have $dy = ay$ and $az = dz$, while the condition $A \ne \pm I$ implies that $a \ne d$. Therefore, we have $y = 0$ and $z = 0$. This implies that $xw = 1$; therefore, $w \ne 0$ and $x = w^{-1}$. Hence, the number of possible $X$ is $q - 1$. This completes the proof of Lemma 4. □

**Corollary 1** *We have $|Z_{\mathrm{PSL}_2(\mathbb{F}_q)}(A)| \le 2q$ for any non-identity element $A \in \mathrm{PSL}_2(\mathbb{F}_q)$.*

*Proof* Apply Lemma 3 to the natural projection $\mathrm{SL}_2(\mathbb{F}_q) \to \mathrm{PSL}_2(\mathbb{F}_q)$ and use Lemma 4. □

**Theorem 2** *If $\dfrac{8q}{q^2 - 1} \le \varepsilon$, or equivalently $q \ge \dfrac{4 + \sqrt{16 + \varepsilon^2}}{\varepsilon} \approx \dfrac{8}{\varepsilon}$, then $\mathrm{SL}_2(\mathbb{F}_q)$ and $\mathrm{PSL}_2(\mathbb{F}_q)$ are $\varepsilon$-commutator-separable with $Y = \mathrm{SL}_2(\mathbb{F}_q) \setminus \{\pm I\}$ and $Y = \mathrm{PSL}_2(\mathbb{F}_q) \setminus \{1_{\mathrm{PSL}_2(\mathbb{F}_q)}\}$, respectively.*

*Proof* Let $H \in \{\mathrm{SL}_2(\mathbb{F}_q), \mathrm{PSL}_2(\mathbb{F}_q)\}$. First, it is known that $|H| = q(q^2 - 1)/\eta$, where $\eta = 1$ if $H = \mathrm{SL}_2(\mathbb{F}_q)$ and $\eta = 2$ if $H = \mathrm{PSL}_2(\mathbb{F}_q)$. We also note that $|H \setminus Y| = 2/\eta$. Now for any $x_1, x_2 \in Y$, Lemma 4 and Corollary 1 imply that $|Z_H(x_1)|, |Z_H(x_2)| \le 2q$. Therefore, by Lemma 2, we have

$$\Pr_{g \leftarrow_R H}\bigl[[g x_1 g^{-1}, x_2] \notin Y\bigr] \leq \frac{(2/\eta) \cdot 2q \cdot 2q}{q(q^2-1)/\eta} = \frac{8q}{q^2-1} \leq \varepsilon$$

by the condition on $q$ in the statement. This completes the proof. □

#### *4.5 Probabilistic Case: Simple Groups*

We also give a variant of the probabilistic realization described in Sect. 4.4. Although the correctness below relies on a heuristic assumption, the underlying group *G* for the realization can be taken as any sufficiently large non-commutative finite simple group.

The realization of NOT is similar to Sect. 4.4. Namely, we put

$$X_0 = \{(g_1, g_2) \in G^2 \mid g_1 \neq 1_G,\ g_2 = 1_G\}, \qquad X_1 = \{(g_1, g_2) \in G^2 \mid g_1 \neq 1_G,\ g_2 = g_1\}$$

and, for $\vec{g} = (g_1, g_2)$,

$$\vec{w}_{\mathsf{NOT}}(\vec{g}) = (w_{\mathsf{NOT},1}(\vec{g}), w_{\mathsf{NOT},2}(\vec{g})) = (g_1, g_2^{-1} g_1).$$

From now on, we consider the realization of AND. First we note that, for any $g \in G \setminus \{1_G\}$, the normal closure of $\{g\}$ in $G$ is equal to the whole of $G$ as $G$ is simple; hence, $G$ is generated by the conjugacy class $g^G$. Keeping this property in mind, we make the following heuristic assumption:

**Assumption 1** Let $\varepsilon > 0$ be a negligible value, and let $L$ be a sufficiently large parameter. We assume that, for any $g \in G \setminus \{1_G\}$, the probability distribution of the element $u_1 g u_1^{-1} \cdots u_L g u_L^{-1}$, where $u_1, \ldots, u_L \leftarrow_R G$, is $\varepsilon$-close to the uniform distribution over $G$.

Now we define $\vec{w}_{\mathsf{AND}}(\vec{g}, \vec{g}') = (w_{\mathsf{AND},1}(\vec{g}, \vec{g}'), w_{\mathsf{AND},2}(\vec{g}, \vec{g}'))$ by

$$w_{\mathsf{AND},i}(\vec{g}, \vec{g}') = \bigl[r_1 g_i r_1^{-1} \cdots r_L g_i r_L^{-1},\ r_{L+1} g'_i r_{L+1}^{-1} \cdots r_{2L} g'_i r_{2L}^{-1}\bigr] \quad \text{for } i = 1, 2,$$

where $r_1, \ldots, r_{2L} \leftarrow_R G$ are common to both $i = 1, 2$. Then an argument similar to Sect. 4.4 implies that, for $\vec{g} \in X_b$ and $\vec{g}' \in X_{b'}$, we have $\vec{w}_{\mathsf{AND}}(\vec{g}, \vec{g}') \in X_{b\,\mathsf{AND}\,b'}$ provided $w_{\mathsf{AND},1}(\vec{g}, \vec{g}') \neq 1_G$. To evaluate the latter probability, we use the following result by Guralnick and Robinson (Guralnick and Robinson 2006):

**Proposition 3** (Guralnick and Robinson 2006, Theorem 9) *For any non-commutative finite simple group* $H$*, we have*

$$\Pr_{h_1, h_2 \leftarrow_R H}\bigl[[h_1, h_2] = 1_H\bigr] \leq |H|^{-1/2}.$$

Then we have the following result, implying that *w*AND realizes AND:

**Theorem 3** *Assume that Assumption 1 holds. Then for any* $\vec{g}, \vec{g}' \in X_0 \cup X_1$*, we have*

$$\Pr_{r_1, \ldots, r_{2L} \leftarrow_R G}\bigl[w_{\mathsf{AND},1}(\vec{g}, \vec{g}'; r_1, \ldots, r_{2L}) = 1_G\bigr] \leq |G|^{-1/2} + 2\varepsilon,$$

*which is negligible when both* 1/|*G*| *and* ε *are negligible.*

*Proof* First, if $h_1 = r_1 g_1 r_1^{-1} \cdots r_L g_1 r_L^{-1}$ and $h_2 = r_{L+1} g'_1 r_{L+1}^{-1} \cdots r_{2L} g'_1 r_{2L}^{-1}$ were uniformly random over $G$, then we would have $w_{\mathsf{AND},1}(\vec{g}, \vec{g}'; r_1, \ldots, r_{2L}) = [h_1, h_2] = 1_G$ with probability at most $|G|^{-1/2}$ by Proposition 3. Now note that $g_1, g'_1 \neq 1_G$ as $\vec{g}, \vec{g}' \in X_0 \cup X_1$; therefore Assumption 1 implies that the probability distributions of $h_1$ and $h_2$ are independent and both $\varepsilon$-close to the uniform distribution over $G$. Hence, in fact, we have $w_{\mathsf{AND},1}(\vec{g}, \vec{g}'; r_1, \ldots, r_{2L}) = 1_G$ with probability at most $|G|^{-1/2} + 2\varepsilon$. This completes the proof. □
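As an added illustration (not code from the chapter), the following Python script instantiates the NOT and AND realizations above over the alternating group $A_5$, the smallest non-commutative finite simple group, represented by permutation tuples, with $L = 4$; both choices are assumptions made only to keep the simulation small. It checks the encoding rules for $X_0$ and $X_1$, measures how often the exceptional event $w_{\mathsf{AND},1} = 1_G$ bounded in Theorem 3 occurs, and estimates the $\varepsilon$ of Assumption 1 as a statistical distance.

```python
"""Monte-Carlo check of the Sect. 4.5 NOT/AND realization over a finite simple group.

Added example, not the chapter's own code.  Assumptions: G = A_5 (permutation
tuples on 5 letters, the smallest non-commutative finite simple group) and
L = 4, both chosen only to keep the simulation small.  A bit b is encoded as a
pair (g1, g2) with g1 != 1_G: X_0 has g2 = 1_G and X_1 has g2 = g1.
"""
import itertools
import random

N = 5
IDENTITY = tuple(range(N))

def compose(p, q):
    """Permutation product p*q: apply q first, then p."""
    return tuple(p[q[i]] for i in range(N))

def inverse(p):
    inv = [0] * N
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def is_even(p):
    """Parity by counting inversions; A_5 is the set of even permutations."""
    return sum(1 for i in range(N) for j in range(i + 1, N) if p[i] > p[j]) % 2 == 0

A5 = [p for p in itertools.permutations(range(N)) if is_even(p)]   # |A_5| = 60

def commutator(a, b):
    """[a, b] = a b a^{-1} b^{-1}."""
    return compose(compose(a, b), compose(inverse(a), inverse(b)))

def encode(bit, rng):
    """Random element of X_bit: g1 uniform over the non-identity elements."""
    g1 = rng.choice(A5)
    while g1 == IDENTITY:
        g1 = rng.choice(A5)
    return (g1, g1) if bit else (g1, IDENTITY)

def decode(pair):
    """Bit encoded by (g1, g2), or None if the pair lies outside X_0 ∪ X_1."""
    g1, g2 = pair
    if g1 == IDENTITY:
        return None
    return 0 if g2 == IDENTITY else (1 if g2 == g1 else None)

def w_not(pair):
    """w_NOT(g) = (g1, g2^{-1} g1), which swaps X_0 and X_1."""
    g1, g2 = pair
    return (g1, compose(inverse(g2), g1))

def conj_product(g, rs):
    """r_1 g r_1^{-1} ... r_L g r_L^{-1}: the element Assumption 1 claims is near-uniform."""
    out = IDENTITY
    for r in rs:
        out = compose(out, compose(compose(r, g), inverse(r)))
    return out

def w_and(pair, pair2, rs):
    """w_AND: the 2L random elements rs are shared by both components i = 1, 2."""
    L = len(rs) // 2
    return tuple(commutator(conj_product(pair[i], rs[:L]), conj_product(pair2[i], rs[L:]))
                 for i in range(2))

def statistical_distance(g, L, samples, seed=2):
    """Empirical statistical distance of conj_product(g, r_1..r_L) from uniform on A_5,
    i.e. an estimate of the ε in Assumption 1 for this g and L."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        h = conj_product(g, [rng.choice(A5) for _ in range(L)])
        counts[h] = counts.get(h, 0) + 1
    return 0.5 * sum(abs(counts.get(h, 0) / samples - 1 / len(A5)) for h in A5)

def truth_table_check(trials, L=4, seed=1):
    """Return (not_ok, and_ok, and_failure_rate).

    NOT must always decode to the complemented bit.  AND decodes to b AND b'
    whenever its first component is not 1_G; the rate of the exceptional event
    w_AND,1 = 1_G is the quantity Theorem 3 bounds by |G|^{-1/2} + 2ε."""
    rng = random.Random(seed)
    not_ok = all(decode(w_not(encode(b, rng))) == 1 - b for _ in range(trials) for b in (0, 1))
    and_ok, failures, total = True, 0, 0
    for _ in range(trials):
        for b, b2 in itertools.product((0, 1), repeat=2):
            rs = [rng.choice(A5) for _ in range(2 * L)]
            out = w_and(encode(b, rng), encode(b2, rng), rs)
            total += 1
            if out[0] == IDENTITY:
                failures += 1
            elif decode(out) != (b & b2):
                and_ok = False
    return not_ok, and_ok, failures / total

if __name__ == "__main__":
    print(truth_table_check(2000))
    print(statistical_distance((1, 2, 0, 3, 4), L=4, samples=20000))   # g = a 3-cycle
```

With $L = 1$ the product is a single random conjugate, so its law is supported on one conjugacy class and the distance to uniform stays large; a few more factors already bring it close to uniform on $A_5$.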

#### **5 Towards Achieving Secure Lift of Realization**

In this section, we give some observations towards constructing a lift of a realization of operators that will yield a secure FHE scheme based on our framework in Sect. 3; concrete candidates for the secure construction are not yet obtained and are an open problem.

#### *5.1 A Remark on the Choice of Random Variables*

Here, we give a remark on the random variables $r_h$ involved in a lift of a realization of functions. First, for realizations of functions using a uniform random variable on a given target group $G$, such as those in Sects. 4.4 and 4.5, it may happen that sampling a uniformly random element of the source group $\widetilde{G}$ is not easy even if uniformly random sampling on $G$ is easy. In such a case, owing to Proposition 2, a uniform random variable on $G$ may be approximated as follows: random elements $g_1, \ldots, g_L$ of $G$ are chosen at the beginning, and each random sampling on $G$ is done by taking $g_1^{e_1} \cdots g_L^{e_L}$ with $e_1, \ldots, e_L \leftarrow_R \{0, 1\}$. Provided $L$ is sufficiently large, this approximation will work well except with negligible probability over the choice of $g_1, \ldots, g_L$. Then the corresponding random variable on $\widetilde{G}$ is easily obtained by first taking elements $\widetilde{g}_1, \ldots, \widetilde{g}_L$ of $\widetilde{G}$ with $\pi(\widetilde{g}_i) = g_i$ for each $i$ and then, for each sampling, generating $\widetilde{g}_1^{e_1} \cdots \widetilde{g}_L^{e_L}$ with $e_1, \ldots, e_L \leftarrow_R \{0, 1\}$.

On the other hand, for the random variable $r_{\ker}$ used by the algorithm Gen, it may also happen that uniformly random sampling over the subgroup $\ker \pi \subseteq \widetilde{G}$ is not easy. In this case, we may first choose a large number of elements $g'_1, \ldots, g'_L$ of $\ker \pi$ and then sample an element of $\ker \pi$ by randomly multiplying elements from $g'_1, \ldots, g'_L$. It is naively expected that the probability distribution of the resulting element of $\ker \pi$ will be sufficiently close to random if $L$ is sufficiently large.

#### *5.2 Insecurity of a Matrix-Based Naive Construction*

In order to exhibit the difficult point in the problem, here we show an example of an *insecure* construction of a lift of a realization of functions and explain why the resulting FHE scheme based on this construction is not secure.

We start with the realization of AND and NOT in $G = \mathrm{SL}_2(\mathbb{F}_q)$ proposed in Sect. 4.4. We define the corresponding group $\widetilde{G}$ by

$$\widetilde{G} = \left\{ T \begin{pmatrix} A & B \\ 0 & C \end{pmatrix} T^{-1} \;\middle|\; A \in \operatorname{SL}_2(\mathbb{F}_q),\ B \in \operatorname{M}_{2,k}(\mathbb{F}_q),\ C \in \operatorname{GL}_k(\mathbb{F}_q) \right\},$$

where $k$ is a parameter and $T \in \mathrm{GL}_{k+2}(\mathbb{F}_q)$ is a fixed, randomly chosen matrix that must be kept secret. Then the group homomorphism $\pi\colon \widetilde{G} \to G$ is defined as follows: for $g \in \widetilde{G}$, $\pi(g)$ is obtained by first computing the $(k+2) \times (k+2)$ matrix $T^{-1} g T$ and then extracting the upper left $2 \times 2$ block of $T^{-1} g T$ (i.e. $A$ in the description of $\widetilde{G}$ above). The conjugation by the random $T$ in the definition of $\widetilde{G}$ is intended to hide the internal block upper triangular structure of the elements of $\widetilde{G}$.

However, this construction is not secure, for the following reason (this attack was pointed out by an anonymous reviewer of a previous submission of this work). First, any matrix of the form $\begin{pmatrix} A & B \\ 0 & C \end{pmatrix}$ with $A = I \in \mathrm{SL}_2(\mathbb{F}_q)$ satisfies the constraint "the $(2,1)$-component is zero", which is a *linear* constraint in terms of the matrix components. By taking conjugation by $T$, this constraint is changed to another one, which is unknown but still a *linear* constraint in terms of the matrix components. We denote the resulting constraint by "$F(g) = 0$"; namely, any element $g$ of $\ker \pi$ satisfies $F(g) = 0$.

Now we consider the linear subspace $\mathrm{span}(\ker \pi)$ generated by the set $\ker \pi$ in the matrix ring $M_{k+2,k+2}(\mathbb{F}_q)$. By the choice of the *linear* constraint $F$, $\mathrm{span}(\ker \pi)$ is a linear subspace of the space $V = \{g \in M_{k+2,k+2}(\mathbb{F}_q) \mid F(g) = 0\}$. Now by collecting sufficiently many elements $h_1, \ldots, h_L$ of $\ker \pi$, it is expected that $\mathrm{span}(\ker \pi)$ is generated by these $h_1, \ldots, h_L$. In this case, for a given element $g \in \widetilde{G}$, if $g \in \ker \pi$, then adding $g$ to the subspace $\mathrm{span}(h_1, \ldots, h_L)$ (which is now equal to $\mathrm{span}(\ker \pi)$) does not increase the dimension of the subspace. On the other hand, if $g \notin \ker \pi$, then the constraint $F(g) = 0$ is not satisfied with high probability, and now the dimension is increased when $g$ is added to $\mathrm{span}(h_1, \ldots, h_L)$, as $\mathrm{span}(h_1, \ldots, h_L) \subseteq V$ and $g \notin V$. This yields a way for an adversary to decide whether a given $g \in \widetilde{G}$ belongs to $\ker \pi$ or not (hence to break the proposed FHE) by only comparing the dimensions of $\mathrm{span}(h_1, \ldots, h_L)$ and $\mathrm{span}(h_1, \ldots, h_L, g)$, even if the actual constraint $F$ is not known to the adversary. This example suggests that the existence of a non-trivial *linear* constraint on the set $\ker \pi$ yields a powerful tool for the adversary.
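The dimension-comparison test just described, as an added example (not the chapter's own code): it instantiates $\widetilde{G}$ with the assumed toy parameters $q = 7$, $k = 3$, collects $L$ samples of $\ker \pi$, and classifies fresh elements by whether they raise the rank of the span. The classifier never uses the secret $T$, which is exactly why the construction gives no security.

```python
"""The linear-span distinguisher against the naive matrix construction of Sect. 5.2.

Added example, not the chapter's own code.  Assumed toy parameters: q = 7 and
k = 3, so elements of G~ are 5x5 matrices over F_7.  The adversary is given only
L sample elements of ker(pi) and a candidate g; it never learns the secret T.
"""
import random

def rank_mod_p(rows, p):
    """Rank of a list of vectors over F_p by Gaussian elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def mat_mul(X, Y, p):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p for j in range(len(Y[0]))]
            for i in range(len(X))]

def mat_inv(M, p):
    """Inverse over F_p via an augmented matrix, or None if M is singular."""
    n = len(M)
    aug = [[x % p for x in M[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = next((i for i in range(col, n) if aug[i][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)
        aug[col] = [(x * inv) % p for x in aug[col]]
        for i in range(n):
            if i != col and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[col])]
    return [row[n:] for row in aug]

def random_invertible(n, p, rng):
    while True:
        M = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        if mat_inv(M, p) is not None:
            return M

def random_sl2(p, rng):
    """Uniform element of SL2(F_p) by rejection sampling on the determinant."""
    while True:
        a, b, c, d = (rng.randrange(p) for _ in range(4))
        if (a * d - b * c) % p == 1:
            return [[a, b], [c, d]]

def block_element(A, B, C, T, T_inv, p):
    """T * [[A, B], [0, C]] * T^{-1}: an element of G~ with pi(element) = A."""
    k, n = len(C), len(C) + 2
    M = [[0] * n for _ in range(n)]
    for i in range(2):
        M[i][:2] = A[i]
        M[i][2:] = B[i]
    for i in range(k):
        M[2 + i][2:] = C[i]
    return mat_mul(mat_mul(T, M, p), T_inv, p)

def flatten(M):
    return [x for row in M for x in row]

def looks_like_kernel(kernel_samples, g, p):
    """Adversary's test: g is declared to be in ker(pi) iff it does not raise the rank of the span."""
    return rank_mod_p(kernel_samples + [flatten(g)], p) == rank_mod_p(kernel_samples, p)

def experiment(p=7, k=3, L=40, tests=40, seed=0):
    """Return (dim span(ker pi), fraction of kernel elements accepted, fraction of generic elements rejected)."""
    rng = random.Random(seed)
    T = random_invertible(k + 2, p, rng)          # the secret conjugating matrix
    T_inv = mat_inv(T, p)
    I2 = [[1, 0], [0, 1]]

    def sample(A):
        B = [[rng.randrange(p) for _ in range(k)] for _ in range(2)]
        return block_element(A, B, random_invertible(k, p, rng), T, T_inv, p)

    samples = [flatten(sample(I2)) for _ in range(L)]   # what the adversary collects from ker(pi)
    accepted = sum(looks_like_kernel(samples, sample(I2), p) for _ in range(tests)) / tests
    rejected = sum(not looks_like_kernel(samples, sample(random_sl2(p, rng)), p)
                   for _ in range(tests)) / tests
    # span(ker pi) has dimension 1 + 2k + k^2 (scalar A-block, free B, all of M_k);
    # a generic g slips through only when its A-block is the scalar +-I.
    return rank_mod_p(samples, p), accepted, rejected
```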

#### *5.3 Observation for Avoiding Linear Constraints*

In order to realize group homomorphisms in our framework without linear constraints for the kernel as discussed in Sect. 5.2, our idea here is to utilize combinatorial group theory. Roughly speaking, we say that a group $H$ has a *presentation* $\langle X \mid R \rangle$ if $X$ is a generating set of $H$, $R$ is a set of group words with variables in $X$, and $H$ is (isomorphic to) the quotient of the free group generated by $X$ modulo the relations "$r(x) = 1$" for all words $r(x) \in R$. See, e.g. Johnson (1997) for basics of combinatorial group theory. For example, it is well known that the symmetric group $S_n$ on $n$ letters admits a presentation of the form $\langle s_1, \ldots, s_{n-1} \mid (s_i s_j)^{\Gamma(i,j)}\ (i, j = 1, \ldots, n-1) \rangle$, where each $s_i$ is the adjacent transposition $(i, i+1)$ and $\Gamma$ is a matrix given by $\Gamma(i,i) = 1$, $\Gamma(i,i+1) = \Gamma(i+1,i) = 3$, and $\Gamma(i,j) = 2$ when $|i - j| \geq 2$. (This is actually the Coxeter group of type $A_{n-1}$; see, e.g. Humphreys 1990 for the basic theory of Coxeter groups.) On the other hand, it is known that for any prime $p > 3$, the groups $\mathrm{SL}_2(\mathbb{F}_p)$ and $\mathrm{PSL}_2(\mathbb{F}_p)$ admit "compact" presentations with four generators and eight relations of lengths $O(\log p)$; see Theorem 3.6 and Remark 3.7 of Guralnick et al. (2008).

Our idea is based on the following fact implied by the fundamental theorem on homomorphisms for groups: if two groups $H_1$ and $H_2$ have presentations $\langle X \mid R_1 \rangle$ and $\langle X \mid R_2 \rangle$ with the same generating set $X$, and if every $r \in R_1$ is also equal to the unit element in $H_2$, then the identity map $X \to X$ induces a surjective group homomorphism $H_1 \to H_2$. As this kind of group homomorphism is obtained by a mechanism completely different from linear algebra, it is (naively) expected that such an approach would yield the desired group homomorphism without linear constraints.

Based on the argument above, we propose the following approach towards constructing a secure group homomorphism for our framework for FHE:


In Step 4 of the approach described above, the easiest candidate for the "compact" expressions of the groups $\widetilde{G}_0$ and $\widetilde{G}$ is matrix expressions, i.e. embedding these groups into some matrix group. Now a candidate for the random isomorphism between them is conjugation by a random secret matrix, just as in Sect. 5.2. In this case, due to the argument in Sect. 5.2, the kernel of the homomorphism $\widetilde{G}_0 \to H \rtimes G$ must avoid a linear constraint. Here we note that, even though the homomorphism from $\widetilde{G}_0 = \langle X \mid R_1 \rangle$ to $H \rtimes G = \langle X \mid R_2 \rangle$ is based on the mechanism of combinatorial group theory, this does not always guarantee that the resulting homomorphism is free from linear constraints.

For example, let $\widetilde{G}_0$ be the Coxeter group of type $B_n$, with presentation

$$\langle s_1, \ldots, s_n \mid (s_i s_j)^{\Gamma'(i,j)}\ (i, j = 1, \ldots, n) \rangle,$$

where $\Gamma'(i,j) = \Gamma(i,j)$ for $i, j \in \{1, \ldots, n-1\}$, $\Gamma'(n,n) = 1$, $\Gamma'(n,n-1) = \Gamma'(n-1,n) = 4$, and $\Gamma'(n,i) = \Gamma'(i,n) = 2$ for $1 \leq i \leq n-2$. If the value of $\Gamma'(n,n-1) = \Gamma'(n-1,n)$ is changed from 4 to 2, then it results in the direct product $S_n \times H$ with $H = \langle s_n \rangle$ being the cyclic group of order two. This implies that there is a natural surjective homomorphism $\widetilde{G}_0 \to S_n \times H$; hence, we obtain a surjective homomorphism $\widetilde{G}_0 \to S_n \times H \to S_n = G$. Now by using the expression of $\widetilde{G}_0$ as a "signed" permutation group (see, e.g. Humphreys 1990), it can be proved that the kernel of $\widetilde{G}_0 \to G$ is an elementary abelian 2-group generated by the elements $s_j s_{j+1} \cdots s_{n-1} s_n s_{n-1} \cdots s_{j+1} s_j$ with $j = 1, \ldots, n$. Moreover, in the standard matrix representation for Coxeter groups (see, e.g. Humphreys 1990), these elements $s_j s_{j+1} \cdots s_{n-1} s_n s_{n-1} \cdots s_{j+1} s_j$ are all expressed as lower triangular matrices. Hence, the kernel of the homomorphism above has a linear constraint "upper triangular components are 0", which is not desirable. We also note that, owing to the classification of finite Coxeter groups (see, e.g. Humphreys 1990), the group of type $B_n$ mentioned above is essentially (i.e. without using direct products) the unique choice for a surjective, but not bijective, homomorphism from a finite Coxeter group onto the group $S_n$ with $n \geq 5$. Consequently, the candidates for the group $\widetilde{G}_0$ in the case $G = S_n$ should be searched for outside the class of Coxeter groups. Finding a concrete candidate for $\widetilde{G}_0$ in this case is left as an open problem.


#### *5.4 Another Trial Using Tietze Transformations*

Another trial for realizing the approach in Sect. 5.3 is as follows. Recall that we are supposing that the group $H \rtimes G$ has a presentation of the form $\langle X \mid R_2 \rangle$. When the presentation is constructed naively, it might happen that the natural projection $H \rtimes G \to G$ is easy to compute by using the presentation of the group. Now the idea is to choose $\widetilde{G}_0 = H \rtimes G$ and to construct the isomorphic group $\widetilde{G}$ by randomly rewriting the original presentation $\langle X \mid R_2 \rangle$ while keeping the isomorphism class of the group. By letting the rewriting process be a part of the secret key, it is expected to be difficult to compute the map $\widetilde{G} \xrightarrow{\sim} H \rtimes G \to G$ without the secret key, while the secret key enables one to compute the map by reversing the rewriting process above.

Such a rewriting of presentations that keeps the group isomorphic can be performed using *Tietze transformations*. Namely, the following fact is known:

**Lemma 5** (see, e.g. Johnson 1997) *Given a presentation* $\langle X \mid R \rangle$ *of a group, let* $w$ *be a group word with variables in* $X$ *and let* $y$ *be a symbol not belonging to* $X$*. Then the group* $\langle X \cup \{y\} \mid R \cup \{wy^{-1}\} \rangle$ *is isomorphic to* $\langle X \mid R \rangle$*, where each element of* $X$ *in the group* $\langle X \mid R \rangle$ *corresponds to the same element in the group* $\langle X \cup \{y\} \mid R \cup \{wy^{-1}\} \rangle$*.*

We also have the following result, which utilizes presentations of the trivial group:

**Lemma 6** *Given a presentation* $\langle X \mid R \rangle$ *of a group, let* $\langle Y \mid T \rangle$ *be a presentation of the trivial group (i.e. the group with a single element), and for each* $y \in Y$*, choose an element* $r_y$ *of* $R$*. Let* $T(r_y \mid y \in Y)$ *denote the set of words of the form* $t(r_y \mid y \in Y)$ *with* $t(y) \in T$*, where* $t(r_y \mid y \in Y)$ *denotes the group word with variables in* $X$ *obtained by substituting the word* $r_y$ *for the variable* $y$ *in the word* $t(y)$ *for each* $y \in Y$*. Then the subsets* $R$ *and* $R' = (R \setminus \{r_y \mid y \in Y\}) \cup T(r_y \mid y \in Y)$ *have the same normal closure in the free group* $\mathrm{Free}(X)$ *generated by* $X$*; therefore,* $\langle X \mid R \rangle$ *is isomorphic to* $\langle X \mid R' \rangle$*.*

*Proof* The definition of the words $t(r_y \mid y \in Y)$ implies that $R'$ is a subset of the normal closure $R^{\mathrm{normal}}$ of $R$. To prove the opposite relation $R \subseteq R'^{\mathrm{normal}}$, it suffices to show that $r_y \in R'^{\mathrm{normal}}$ for each $y \in Y$. Now as $\langle Y \mid T \rangle$ is a trivial group, $y$ is the product of words of the form $u(y)\,t(y)\,u(y)^{-1}$ with $u(y) \in \mathrm{Free}(Y)$ and $t(y) \in T$. By substituting the word $r_y$ for the variable $y$ for each $y \in Y$, it follows that $r_y$ is the product of words of the form $u(r_y \mid y \in Y)\,t(r_y \mid y \in Y)\,u(r_y \mid y \in Y)^{-1}$ with $u(r_y \mid y \in Y) \in \mathrm{Free}(X)$ and $t(r_y \mid y \in Y) \in T(r_y \mid y \in Y)$. This implies that $r_y \in R'^{\mathrm{normal}}$, as desired. This completes the proof. □

We note that the current idea of randomly rewriting the presentation of the group $H \rtimes G$ has (at least) one unsolved problem from the viewpoint of efficiency and two from the viewpoint of security. For efficiency, we recall that the expression of the resulting group $\widetilde{G}$ should enable efficient computation of the group operations. However, with a randomly chosen presentation $\langle X \mid R \rangle$ of $\widetilde{G}$, in general, it seems not easy to compute the product of two elements. More precisely, each element of $\widetilde{G}$ is now expressed as a group word on $X$, and the product corresponds to the concatenation of the two words. This concatenation increases the length of the word; therefore, the word has to be replaced with a shorter equivalent word by using the relations in $R$ before the word length becomes too long. However, this process of reducing the word length by using the relations in $R$ is not efficient in general. It is an open problem to develop rewriting methods for group presentations that keep the group operations efficient.

From the viewpoint of security, first, it has not been evaluated how many random rewriting steps for the presentation of the group are sufficient to securely conceal the structure of the group. On the other hand, even if a sufficient number of rewriting steps has been estimated, it may still happen that the resulting FHE scheme is not secure when the component $H$ in $H \rtimes G$ is not appropriately chosen.

Namely, let $E = E(g)$ be a (deterministic) group word, which we call an "equation" over groups. We suppose that both of the probabilities $\Pr_{u \leftarrow_R H}[E(u) = 1]$ and $\Pr_{u \leftarrow_R H \rtimes G}[E(u) \neq 1]$ are non-negligible and at least one of them is noticeable. Then an adversary can distinguish a random element of $\ker \pi \cong H$ (where $\pi\colon \widetilde{G} \to G$) from a random element of $\widetilde{G} \cong H \rtimes G$ by checking whether a given random element $u$ satisfies $E(u) = 1$ or not. Hence, it should be difficult to find a non-trivial equation $E$ for which $\Pr_{u \leftarrow_R H}[E(u) = 1]$ is non-negligible.

For example, when the underlying group is the direct product $H \times G$, it should not be feasible to find a non-identity element $w$ of the group whose $H$-component is the identity element. Indeed, any such "target" element $w$ commutes with every element of $H \subseteq H \times G$, while it is unlikely to commute with a random element of $H \times G$. Hence, the equation $E(g) = [w, g]$ satisfies the attacking condition above. In particular, $H$ should satisfy $|H| \geq 2^{2\lambda}$ for security parameter $\lambda$ owing to the birthday paradox, as a collision in the $H$-components of two elements yields a target element. Moreover, the center of $H$ should not be large, as otherwise the commutator $[w_1, w_2]$ of random elements $w_1, w_2$ will yield a target element with high probability.

For the general case of the semidirect product $H \rtimes G$, a candidate for such an equation $E$ is $E(g) = g^k$ for some fixed value $k$; therefore, it is important to study the distribution of the orders of elements in $H$. For example, suppose that $H = A_\ell$ with $\ell \geq 4$. Let $p$ be the largest odd prime with $p \leq \ell$. Then the number of elements of $A_\ell$ that are cyclic permutations on $p$ letters is $\binom{\ell}{p}(p-1)! = \frac{2}{p\,(\ell-p)!} \cdot |A_\ell|$. This implies that $\Pr_{u \leftarrow_R H}[u^p = 1] = \frac{2}{p\,(\ell-p)!} + \frac{1}{|H|}$. As $\ell - p$ is small for reasonable choices of $\ell$ (e.g. $\ell - p \leq 6$ for $\ell \leq 80$), the probability above is significantly high, which is not desirable in view of the attack above.

On the other hand, we consider the choice $H = \mathrm{SL}_2(\mathbb{F}_q)$ for an odd prime $q$ for which $1/q$ is negligible, and study the element orders in the group. Following the argument in Sect. 5.2 of Fulton and Harris (1991), we choose a generator $\zeta$ of the cyclic group $(\mathbb{F}_q)^\times$. Put $A_i = \begin{pmatrix} \zeta^i & 0 \\ 0 & \zeta^{-i} \end{pmatrix}$ for $i = 0, 1, \ldots, q-2$. On the other hand, by considering the quadratic extension field $\mathbb{F}_{q^2}$ of $\mathbb{F}_q$, $\zeta$ has a square root $\sqrt{\zeta}$ in $(\mathbb{F}_{q^2})^\times \setminus (\mathbb{F}_q)^\times$ (as $q$ is odd). This yields a bijection $\mathbb{F}_q \times \mathbb{F}_q \to \mathbb{F}_{q^2}$, $(a, b) \mapsto a + b\sqrt{\zeta}$. Choose a generator $\upsilon$ of the cyclic group $(\mathbb{F}_{q^2})^\times$. For $i = 0, 1, \ldots, q^2 - 2$, put $B_i = \begin{pmatrix} a & b \\ b\zeta & a \end{pmatrix}$ where $a, b$ satisfy $\upsilon^i = a + b\sqrt{\zeta}$. By using these notations, the list of conjugacy classes in $\mathrm{SL}_2(\mathbb{F}_q)$ is obtained as in Table 1, where the second and the third columns are quoted (with slightly different notations) from Sect. 5.2 of Fulton and Harris (1991).

**Table 1** The conjugacy classes in $\mathrm{SL}_2(\mathbb{F}_q)$ for odd prime $q > 3$ (see the text for notations)

In Table 1, the ratio to $|H|$ of the cardinality of each conjugacy class of type 1 to 6 is at most the negligible value $\frac{(q^2-1)/2}{q(q^2-1)} = \frac{1}{2q}$; therefore, these conjugacy classes can be ignored. On the other hand, for each divisor $k$ of $q - 1$, an element $x$ of the conjugacy class of type 7-$i$ satisfies $x^k = 1$ if and only if $i$ is a multiple of $(q-1)/k$. Therefore, the number of such elements $x$ is at most $\frac{(q-1)/2}{(q-1)/k}\,(q^2 + q) = \frac{k}{2}(q^2 + q)$, whose ratio to $|H| = q(q^2-1)$ is $\frac{k}{2(q-1)}$. To make the ratio non-negligible, one must find a divisor $k$ of $q - 1$ which is almost as large as $q - 1$; this is expected to be difficult *provided the size* $q$ *of the coefficient field* $\mathbb{F}_q$ *is not known*. The same also holds for conjugacy classes of type 8. Summarizing, the attack using equations of the form $E(g) = g^k$ will not be effective for the group $H = \mathrm{SL}_2(\mathbb{F}_q)$ provided the size of the coefficient field $\mathbb{F}_q$ is appropriately concealed by the random rewriting of the presentation of the group. A further analysis of attacks using other kinds of equations will be a future research topic.
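The element-order statistics for $H = A_\ell$ and $H = \mathrm{SL}_2(\mathbb{F}_q)$ discussed above, as an added brute-force check (not the chapter's own code): it enumerates both groups and counts how often a uniformly random element satisfies $u^k = 1$; the sizes $\ell \leq 8$ and $q = 7$ are assumptions chosen so that the groups can be enumerated exhaustively.

```python
"""Element-order statistics behind the equation attack E(g) = g^k of Sect. 5.4.

Added example, not the chapter's own code.  It enumerates two candidate groups H
from the text, the alternating group A_ell (permutation tuples) and SL2(F_q)
(2x2 matrices mod a prime q), and counts the fraction of elements u with u^k = 1.
Assumed sizes: ell <= 8 and q = 7, small enough to enumerate exhaustively.
"""
import itertools
import math

def alt_group(ell):
    def is_even(p):
        return sum(1 for i in range(ell) for j in range(i + 1, ell) if p[i] > p[j]) % 2 == 0
    return [p for p in itertools.permutations(range(ell)) if is_even(p)]

def perm_power_is_identity(p, k):
    """u^k = 1 for a permutation u iff every cycle length of u divides k."""
    seen = [False] * len(p)
    for start in range(len(p)):
        if seen[start]:
            continue
        length, j = 0, start
        while not seen[j]:
            seen[j] = True
            j = p[j]
            length += 1
        if k % length:
            return False
    return True

def prob_alt(ell, k):
    """Pr_{u <- A_ell}[u^k = 1] by exhaustive enumeration."""
    G = alt_group(ell)
    return sum(perm_power_is_identity(u, k) for u in G) / len(G)

def largest_odd_prime_upto(ell):
    return max(n for n in range(3, ell + 1) if all(n % d for d in range(2, int(n ** 0.5) + 1)))

def predicted_prob_alt(ell):
    """The text's value 2/(p (ell-p)!) + 1/|A_ell| for k = p, the largest odd prime <= ell."""
    p = largest_odd_prime_upto(ell)
    return 2 / (p * math.factorial(ell - p)) + 2 / math.factorial(ell)

def mat_mul(X, Y, q):
    return tuple(tuple(sum(X[i][t] * Y[t][j] for t in range(2)) % q for j in range(2))
                 for i in range(2))

def sl2(q):
    """All of SL2(F_q) as tuples of rows; |SL2(F_q)| = q(q^2 - 1)."""
    return [((a, b), (c, d)) for a, b, c, d in itertools.product(range(q), repeat=4)
            if (a * d - b * c) % q == 1]

def mat_power_is_identity(M, k, q):
    """Square-and-multiply test of M^k = I over F_q."""
    result, base, e = ((1, 0), (0, 1)), M, k
    while e:
        if e & 1:
            result = mat_mul(result, base, q)
        base = mat_mul(base, base, q)
        e >>= 1
    return result == ((1, 0), (0, 1))

def prob_sl2(q, k):
    """Pr_{u <- SL2(F_q)}[u^k = 1] by exhaustive enumeration."""
    G = sl2(q)
    return sum(mat_power_is_identity(u, k, q) for u in G) / len(G)

if __name__ == "__main__":
    for ell in (7, 8):
        print(ell, prob_alt(ell, largest_odd_prime_upto(ell)), predicted_prob_alt(ell))
    for k in (2, 3, 5, 6, 8):   # 6 = q-1 and 8 = q+1 are the exponents tied to the field size for q = 7
        print(k, prob_sl2(7, k))
```

For $q = 7$ the exponent $k = 6 = q - 1$ is satisfied by all split semisimple elements, while an exponent unrelated to $q \pm 1$ such as $k = 5$ is satisfied by the identity alone, which is the dependence on the field size that the text relies on.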

**Acknowledgements** The author thanks members of Shin-Akarui-Angou-Benkyou-Kai for their helpful comments. In particular, the author thanks Shota Yamada for inspiring the author with motivation to this work, and Takashi Yamakawa, Takahiro Matsuda, Keita Emura, Yoshikazu Hanatani, Jacob C. N. Schuldt, and Goichiro Hanaoka for giving many precious comments on the work. The author also thanks the anonymous reviewers of previous submissions of the paper for their careful reviews and valuable comments. This work was supported by JST PRESTO Grant Number JPMJPR14E8, JST CREST Grant Number JPMJCR14D6, and JSPS KAKENHI Grant Number JP19H01804.



**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **From the Bloch Sphere to Phase-Space Representations with the Gottesman–Kitaev–Preskill Encoding**

**L. García-Álvarez, A. Ferraro, and G. Ferrini**

**Abstract** In this work, we study the Wigner phase-space representation of qubit states encoded in continuous variables (CV) by using the Gottesman–Kitaev–Preskill (GKP) mapping. We explore a possible connection between resources for universal quantum computation in discrete-variable (DV) systems, i.e. non-stabilizer states, and negativity of the Wigner function in CV architectures, which is a necessary requirement for quantum advantage. In particular, we show that the lowest Wigner logarithmic negativity corresponds to encoded stabilizer states, while the maximum negativity is associated with the most non-stabilizer states, *H*-type and *T* -type quantum states.

**Keywords** Continuous variables quantum computation · Quantum advantage · Wigner function · Wigner logarithmic negativity · Gottesman–Kitaev–Preskill code

## **1 Introduction**

Quantum computers, i.e. quantum devices in which information can be encoded, processed, and read out, are predicted to solve certain computational problems faster than classical computers Shor (1999). Specifically, a problem is said to be hard to solve if its solution requires a number of steps exponential in the size of the input, while polynomial-time solutions are called efficient. An example of a problem believed to be hard to solve classically that can be efficiently solved by a quantum computer is factorization. While known classical algorithms factorize integer numbers in a time which scales exponentially with the size of the integer to factor, a quantum algorithm exists that only requires a polynomial time.

L. García-Álvarez (B) · G. Ferrini

Department of Microtechnology and Nanoscience (MC2), Chalmers University of Technology, 412 96 Göteborg, Sweden, e-mail: lauraga@chalmers.se

A. Ferraro, Centre for Theoretical Atomic, Molecular and Optical Physics, Queen's University Belfast, Belfast BT7 1NN, UK

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8_9

This technologically appealing property is referred to as *quantum advantage*, and has recently motivated the undertaking of a global effort toward building a quantum computer. However, conclusive experimental evidence of quantum advantage for computation is still lacking, since it has not yet been possible to build a quantum computer with enough elementary components to beat classical machines in practice. Furthermore, the ultimate origin of quantum advantage is still unclear.

The traditional approach to encode information in quantum systems, based on two-level quantum systems with finite-dimensional Hilbert spaces, i.e. qubits, is an example of the discrete-variable (DV) approach. An alternative approach for information encoding uses continuous variables (CVs), i.e. quantized variables with a continuous spectrum, such as the amplitude (*q*) and phase (*p*) quadratures of the quantized electromagnetic field, defined in an infinite-dimensional Hilbert space. Within this approach, one million optical modes have been entangled Yoshikawa et al. (2016), Chen et al. (2014). Beyond the optical realm, new CV implementations are studied in opto-mechanics Aspelmeyer et al. (2014) and with microwaves coupled to superconducting devices Ofek et al. (2016), Wilson et al. (2011), where high-order nonlinearities can be engineered.

A fundamental tool for studying a classical dynamical system is the probability distribution on a phase space in which all possible states of the system are represented. Similarly, quantum systems can be conveniently and unambiguously described with quasi-probability distributions defined on the classical phase space Wigner (1932), Hillery et al. (1984), Gibbons et al. (2004). Although these useful mathematical constructs, such as the Wigner function, retain some properties of classical probability distributions, they can take negative values for quantum states.

A series of theorems has progressively narrowed down the characteristics that both DV and CV quantum computing architectures must possess in order to display quantum advantage. In DV quantum information processors, the Gottesman–Knill theorem states that the so-called Clifford circuits, which are composed, for example, of Hadamard, π/2-phase, and CNOT gates, when acting on stabilizer states, i.e. those generated with Clifford gates acting on the initial *n*-qubit register $|0\rangle_1 \otimes |0\rangle_2 \otimes \cdots \otimes |0\rangle_n$, and followed by a Pauli measurement, can be efficiently simulated on a classical computer Gottesman (1999), Aaronson and Gottesman (2004). Non-stabilizer pure states are called magic, and are hence necessary to yield quantum advantage when acted on by Clifford circuits with Pauli measurements Bravyi et al. (2005). In CV quantum computation, it was first shown that circuits with input, evolution, and measurements solely described by Gaussian Wigner functions are efficiently simulatable by classical computers Bartlett et al. (2002). Later it was shown that negativity of the Wigner function is a necessary requirement for quantum advantage, since quantum states and operations with positive Wigner functions (strictly including Gaussian circuits) can be classically efficiently simulated Mari and Eisert (2012). Minimal extensions of positive Wigner function circuits that exhibit quantum advantage, where either the input, or the evolution, or the measurement is described by negative Wigner functions, have been studied Chabaud et al. (2017), Douce et al. (2017), Hamilton et al. (2017), Chakhmakhchyan and Cerf (2017), Douce et al. (2019). Finally, the criteria for efficient classical simulatability have been extended by using other phase-space representations, namely Husimi and Glauber–Sudarshan Rahimi et al. (2016).

A bridge between the DV and the CV worlds is provided by CV-codes, i.e. by sets of CV states that allow for encoding DV states such that orthogonal wavefunctions represent different DV states. One such example is the Gottesman–Kitaev–Preskill (GKP) code, where the qubit logical states are encoded in trains of delta functions at different locations Gottesman et al. (2001). The encoding of discrete quantum information into infinite-dimensional quantum systems is used to get a high-quality qubit protected from environmental noise Menicucci (2014). The GKP code is particularly suitable for our analysis since Clifford gates on the qubit encoded states are given by Gaussian operations, which in principle lead us to an analogy between DV and CV requirements for classical efficient simulatability of quantum operations.

In this manuscript, we analyze the negativity of the Wigner function for any single-qubit state mapped in CV architectures with the GKP code, with the aim of establishing a relation between DV and CV criteria for quantum advantage. In Sect. 2, we review in detail the GKP code that we use in our work. In Sect. 3, we compute the Wigner function of any single-qubit GKP encoded state, and we compare the results for encoded stabilizer and non-stabilizer states. In Sect. 4, we quantify the negativity of the Wigner function for both cases, and we observe that stabilizer encoded states saturate the lower bound of negativity, while the most non-stabilizer states, also known as magic states, show the maximum amount of negativity. We conclude in Sect. 5 with our final remarks.

## **2 GKP Encoding of Qubit States**

The formal GKP encoding maps a qubit into an oscillator using non-normalizable superpositions of infinitely squeezed states in the position *q* and momentum *p* quadratures of the oscillator Gottesman et al. (2001). We review the GKP qubit states used in this work, which are defined as

$$|0\rangle = \sum\_{s=-\infty}^{\infty} |q=2\sqrt{\pi}s\rangle$$

$$|1\rangle = \sum\_{s=-\infty}^{\infty} |q=\sqrt{\pi}(1+2s)\rangle,\tag{1}$$

for which the wavefunction $\Psi(q) = \langle q|\Psi\rangle$ is a sum of delta functions, since $\langle q|q=x\rangle = \delta(q-x)$.

In practice, the qubit states must be normalizable, and thus are defined approximating the previous expression with finitely squeezed states, and weighting the infinite sum of squeezed states by a Gaussian envelope. The approximated states are quasi-orthogonal states given by

$$|\bar{0}\rangle \propto \sum\_{s=-\infty}^{\infty} \int\_{-\infty}^{\infty} e^{-2\pi\kappa^2 s^2} e^{-\frac{(q-2s\sqrt{\pi})^2}{2\sigma^2}} |q\rangle dq$$

$$|\bar{1}\rangle \propto \sum\_{s=-\infty}^{\infty} \int\_{-\infty}^{\infty} e^{-2\pi\kappa^2 s^2} e^{-\frac{(q-(2s+1)\sqrt{\pi})^2}{2\sigma^2}} |q\rangle dq,\tag{2}$$

with $\kappa^{-1}$ the width of the Gaussian envelope, and $\sigma$ the width of the Gaussian peaks substituting the delta functions. These imperfect GKP states are suitable for numerical computations but introduce a probability of error in the identification of $|\bar{0}\rangle$ and $|\bar{1}\rangle$. In our calculations, we use the perfect GKP states given in Eq. (1) for obtaining analytical results, and imperfect GKP states in Eq. (2) for numerical results.

## **3 Phase-Space Wigner Representation of GKP Encoded States**

The Wigner function of a pure state $|\Psi\rangle$ is defined as

$$W(q, p) \equiv \frac{1}{2\pi} \int\_{-\infty}^{\infty} dx e^{ipx} \Psi\left(q + \frac{x}{2}\right)^{\*} \Psi\left(q - \frac{x}{2}\right),\tag{3}$$

with $\Psi(x) = \langle x|\Psi\rangle$ the wavefunction of the quantum system.

We consider infinitely squeezed GKP states, that is, the ideal logical qubit GKP states $|j\rangle$ with $j = 0, 1$ given in Eq. (1). The corresponding Wigner function reads Gottesman et al. (2001)

$$W\_j(q, p) = \frac{1}{4\sqrt{\pi}} \sum\_{st} (-1)^{st} \delta\left(p - \frac{\sqrt{\pi}}{2}s\right) \delta\left(q - \sqrt{\pi}j - \sqrt{\pi}t\right). \tag{4}$$

We now take into account arbitrary pure qubit states given by superpositions of GKP states as $|\psi\rangle = \cos\frac{\theta}{2}|0\rangle + e^{i\phi}\sin\frac{\theta}{2}|1\rangle$, which can be represented on the surface of the Bloch sphere as shown in Fig. 1. The Wigner function for a qubit state consequently depends on the angles $(\theta,\phi)$ of its Bloch sphere representation. It reads

$$\begin{split} W(\theta,\phi;q,p) &= \frac{1}{2\pi} \int\_{-\infty}^{\infty} dx e^{ipx} \Big[ \cos^2\frac{\theta}{2} \Psi\_0\left(q+\frac{x}{2}\right)^\ast \Psi\_0\left(q-\frac{x}{2}\right) \\ &+ \sin^2\frac{\theta}{2} \Psi\_1\left(q+\frac{x}{2}\right)^\ast \Psi\_1\left(q-\frac{x}{2}\right) \\ &+ \cos\frac{\theta}{2} \sin\frac{\theta}{2} e^{i\phi} \Psi\_0\left(q+\frac{x}{2}\right)^\ast \Psi\_1\left(q-\frac{x}{2}\right) \\ &+ \cos\frac{\theta}{2} \sin\frac{\theta}{2} e^{-i\phi} \Psi\_1\left(q+\frac{x}{2}\right)^\ast \Psi\_0\left(q-\frac{x}{2}\right) \Big], \tag{5} \end{split}$$

with $\Psi\_i$, $i = 0, 1$, the wavefunctions corresponding to the GKP states $|i\rangle$, $i = 0, 1$. A detailed derivation can be found in Appendix 1. Explicitly, we have

$$\begin{split} W(\theta,\phi;q,p) &= \cos^2\frac{\theta}{2}W\_0(q,p) + \sin^2\frac{\theta}{2}W\_1(q,p) \\ &+ \frac{\sin\theta}{4\sqrt{\pi}}\sum\_{st}(-1)^{st}\cos\left(\phi+s\frac{\pi}{2}\right)\delta\left(q-\frac{\sqrt{\pi}}{2}(1+2t)\right)\delta\left(p-\frac{s\sqrt{\pi}}{2}\right), \end{split} \tag{6}$$

which can be pictured in a grid of square cells of $\Delta q = \Delta p = \frac{\sqrt{\pi}}{2}$. By analyzing Eqs. (4) and (6), we thus observe that the Wigner function consists of a sum of delta functions positioned at all the sites of the lattice in phase space with coordinates $(l, m) \equiv \left(q = l\frac{\sqrt{\pi}}{2},\ p = m\frac{\sqrt{\pi}}{2}\right)$ for $l$ and $m$ integer numbers. The coefficients for each site are given by

$$w\_{lm}(\theta,\phi) = \frac{1}{4\sqrt{\pi}} \begin{cases} \cos^{2}\frac{\theta}{2} + \sin^{2}\frac{\theta}{2} & \text{for } l \text{ even, } m \text{ even} \\ \cos^{2}\frac{\theta}{2} - \sin^{2}\frac{\theta}{2} & \text{for } l = 4u, \ m \text{ odd} \\ \sin^{2}\frac{\theta}{2} - \cos^{2}\frac{\theta}{2} & \text{for } l = 4u + 2, \ m \text{ odd} \\ \sin\theta \cos\phi & \text{for } l = 4u + 3 \text{ or } l = 4u + 1, \ m = 4v \\ -\sin\theta \cos\phi & \text{for } l = 4u + 3 \text{ or } l = 4u + 1, \ m = 4v + 2 \\ \sin\theta \sin\phi & \text{for } (l, m) = (4u + 3, 4v + 1) \text{ or } (4u + 1, 4v + 3) \\ -\sin\theta \sin\phi & \text{for } (l, m) = (4u + 1, 4v + 1) \text{ or } (4u + 3, 4v + 3) \end{cases} \tag{7}$$

with *u* and *v* integer numbers.

In particular, we consider the six single-qubit stabilizer pure states, corresponding to the eigenvectors of the Pauli matrices $\sigma\_x$, $\sigma\_y$, and $\sigma\_z$,

$$\begin{aligned} \sigma\_x: \qquad |+\rangle &= \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) & |-\rangle &= \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle), \\ \sigma\_y: \qquad |i\rangle &= \frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle) & |-i\rangle &= \frac{1}{\sqrt{2}}(|0\rangle - i|1\rangle), \\ \sigma\_z: \qquad |0\rangle & & |1\rangle. \end{aligned} \tag{8}$$

The Wigner functions of single-qubit stabilizer states mapped in CV via the GKP code are shown in Fig. 2. We observe a similar pattern repeated periodically and isotropically in the whole phase space, with one quarter of negative delta functions with respect to the total amount of peaks. It is possible to obtain from the initial state $|0\rangle$ all stabilizer states with Clifford operations, which for a single qubit are generated in DV by the Hadamard $H$ and the $\frac{\pi}{2}$-phase gate $\mathcal{R}\_{\frac{\pi}{2}}$,

$$H \quad : \qquad |0\rangle \to |+\rangle, \qquad |1\rangle \to |-\rangle,$$

$$\mathcal{R}\_{\frac{\pi}{2}} \,:\qquad |0\rangle \to |0\rangle, \qquad |1\rangle \to e^{i\frac{\pi}{2}} |1\rangle. \tag{9}$$

With the GKP encoding, these gates in CV correspond to the Fourier transform *F*, and the π/2-phase gate *P*, which are the symplectic transformations

$$\begin{array}{ll} F: & q \to p, & p \to -q, \\ P: & q \to q, & p \to p - q. \end{array} \tag{10}$$

Let us consider now the single-qubit magic states $|T\rangle$ and $|H\rangle$,

$$|T\rangle = \cos\frac{\theta}{2}|0\rangle + \sin\frac{\theta}{2}e^{i\frac{\pi}{4}}|1\rangle \quad \text{with} \quad \theta = \arccos\left(\frac{1}{\sqrt{3}}\right)$$

$$|H\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + e^{i\frac{\pi}{4}}|1\rangle\right), \tag{11}$$

which are the maximal non-stabilizer states in the Bloch sphere and in the equatorial plane of the Bloch sphere, respectively Bravyi et al. (2005). There are 8 *T* -type magic states and 12 *H*-type magic states, which can be obtained from the states in Eq. (11) with Clifford transformations (see Fig. 4).

The Wigner functions of the quantum states $|T\rangle$ and $|H\rangle$ mapped in CV via the GKP code are shown in Fig. 3. Both the numerical computations and the analytical expression indicate that the number of negative peaks increases with respect to the Wigner function of stabilizer states, although the proportion remains as before: one quarter of negative delta functions and three quarters of positive ones. As one can observe by comparing Figs. 2 and 3, it is not possible to obtain a non-stabilizer Wigner function pattern from a stabilizer one with single-qubit Clifford GKP encoded operations such as those given in Eq. (10).

**Fig. 2** Wigner function of qubit GKP encoded stabilizer states. The function acquires nonzero values on the dark and white peaks, where it has a negative value (dark) and positive value (white), respectively. We consider finitely squeezed states as in Eq. (2), with $\sigma = \kappa = 0.2$

**Fig. 3** Wigner function of qubit GKP encoded magic states. The function acquires nonzero values on the dark and white peaks, where it has a negative value (dark) and positive value (white), respectively. We consider finitely squeezed states as in Eq. (2), with $\sigma = \kappa = 0.2$. **a** $|H\rangle$ state, and **b** $|T\rangle$ state, both given in Eq. (11)

## **4 Quantification of Negativity of the Wigner Function for GKP Encoded States**

We now aim at quantifying the volume of the negative part of the Wigner function for the different types of states that we have introduced. The quantification of the volume of the negative part of the Wigner function in CV is related to the monotone *Wigner logarithmic negativity* (WLN) Kenfack et al. (2004), Albarelli et al. (2018), defined as

$$\mathcal{W}(\rho) = \log\_2 \left( \int dq \, dp \, |W(q, p)| \right), \tag{12}$$

with $W(q, p)$ the Wigner function of the state or operator $\rho$. The WLN has allowed for the derivation of a bound on the number of copies of an input state necessary for the conversion to a target state Albarelli et al. (2018).

As we have already mentioned, the proportion of negative delta functions compared to positive ones in the Wigner function of both stabilizer and magic encoded states is one quarter. However, we observe in Figs. 2 and 3 that the Wigner function of non-stabilizer states is composed of more peaks in the phase space, resulting in a higher number of negative delta peaks. We now use the WLN for analyzing the differences in both kinds of states, since it tracks the amount of negativity instead of the proportion.

We consider the Wigner function of perfect GKP states in Eq. (6). The negativity takes an infinite value, since the Wigner function has support in the whole phase space $\mathbb{R}^2$, but the delta functions are periodically arranged following symmetric patterns that are repeated along the two axes in a similar way for each qubit superposition state. Therefore, we may consider the same square unit cell of dimension $(\Delta q, \Delta p) = (2\sqrt{\pi}, 2\sqrt{\pi})$ for all cases, and compare the negativity within the same finite area in phase space. We choose the unit cell corresponding to $u = v = 0$ in Eq. (7), which contains sixteen delta functions given by $l$ and $m$ with values in the set {0, 1, 2, 3}.

Explicitly, the Wigner function in the unit cell domain $q \in [0, 2\sqrt{\pi})$ and $p \in [0, 2\sqrt{\pi})$ is given by

$$W\_{\rm cell}(\theta,\phi;q,p) = \sum\_{l,m=0}^{3} w\_{lm}(\theta,\phi)\delta\left(q - l\frac{\sqrt{\pi}}{2}\right)\delta\left(p - m\frac{\sqrt{\pi}}{2}\right),\tag{13}$$

where the coefficients correspond to those defined in Eq. (7). The absolute value of the Wigner function for the unit cell can be taken as the absolute value of the summands, since for any coordinate $(q\_i, p\_i)$ in the domain only one of the terms is different from zero due to the properties of the delta functions. Thus,

$$|W\_{\rm cell}(\theta,\phi;q,p)| = \sum\_{l,m=0}^{3} |w\_{lm}(\theta,\phi)| \delta\left(q - l\frac{\sqrt{\pi}}{2}\right) \delta\left(p - m\frac{\sqrt{\pi}}{2}\right). \tag{14}$$

As a result, the WLN corresponding to a unit cell in the phase space for any pure qubit GKP encoded state $|\psi\rangle = \cos\frac{\theta}{2}|0\rangle + e^{i\phi}\sin\frac{\theta}{2}|1\rangle$, characterized in the Bloch sphere by angles $(\theta, \phi)$, is given by

$$\begin{split} \mathcal{W}\_{\text{cell}}(\theta,\phi) &= \log\_2\left(\int dq \, dp \, |W\_{\text{cell}}(\theta,\phi;q,p)| \right) \\ &= \log\_2 \sum\_{l,m=0}^3 |w\_{lm}(\theta,\phi)| \left( \int dq \, dp \delta\left(q - \frac{l\sqrt{\pi}}{2}\right) \delta\left(p - \frac{m\sqrt{\pi}}{2}\right) \right) \\ &= \log\_2 \sum\_{l,m=0}^3 |w\_{lm}(\theta,\phi)|. \end{split} \tag{15}$$

Explicitly, the WLN per cell of a qubit state is then given by

$$\mathcal{W}\_{\text{cell}}(\theta,\phi) = \log\_2\left[\frac{1}{\sqrt{\pi}} \left[1 + \left|\cos^2\frac{\theta}{2} - \sin^2\frac{\theta}{2}\right| + |\sin\theta\cos\phi| + |\sin\theta\sin\phi|\right]\right].\tag{16}$$

Now, we compare the finite WLN per cell, $\mathcal{W}\_{\text{cell}}$, for different magic and stabilizer states by analyzing, for simplicity, the integral over a unit cell of the absolute value of the Wigner function, $\int dq\,dp\,|W\_{\rm cell}|$, i.e. the argument of the logarithm in Eq. (15). The corresponding values are provided in Table 1. We observe that the WLN per cell for GKP encoded qubit stabilizer states is lower than for non-stabilizer states. Since all GKP encoded qubit states have a proportion of one quarter of negative delta functions, the WLN is different from zero for all of them. This Wigner negativity is intrinsic to the use of the GKP encoding, that is, it is only attributed to the fact that we are using an encoding where even the stabilizer states are represented by non-Gaussian wavefunctions exhibiting Wigner negativity. This intrinsic Wigner negativity in GKP states might be sufficient to promote Gaussian quantum circuits to universal quantum computation Baragiola et al. (2019).

**Table 1** Integral over a unit cell of the absolute value of the Wigner function for stabilizer states and magic states

We now compute the lower bound of this intrinsic negativity by considering

$$\int dqdp \left| W\_{\rm cell}(\theta, \phi; q, p) \right| \geq \left| \int dqdp \, W\_{\rm cell}(\theta, \phi; q, p) \right| = \frac{2}{\sqrt{\pi}}.\tag{17}$$

We observe that stabilizer states saturate the lower bound of the integral over a unit cell of the absolute value of the Wigner function, $\int dq\,dp\,|W\_{\rm cell}|$, and therefore they are the least negative qubit GKP encoded states.

We show in Fig. 4 the function $\sqrt{\pi}\int |W\_{\rm cell}(\theta,\phi;q,p)|\,dq\,dp$, which is proportional to the argument of the logarithm in the WLN. It is computed for all qubit states, characterized in the Bloch sphere by $(\theta, \phi)$, with $\theta \in [0,\pi)$ and $\phi \in [0, 2\pi)$. We observe that the stabilizer states are the least negative, whereas the maximum appears for the $|T\rangle$ qubit states, which are the most non-stabilizer single-qubit states. On the equatorial plane of the Bloch sphere (see Fig. 1), $\theta = \frac{\pi}{2}$, the maximum appears for the $|H\rangle$ states, which are the most non-stabilizer states on that plane.
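As an added example (not code from the paper), the following Python script builds the sixteen cell coefficients $w\_{lm}$ of Eq. (7) directly from the population term of Eq. (4) and the interference term of Eq. (6), sums their absolute values as in Eq. (15), checks the result against the closed form of Eq. (16) on a grid of Bloch angles, and evaluates $\sqrt{\pi}\int|W\_{\rm cell}|$ for the six stabilizer states and the two magic states of Eq. (11). The state labels, the grid resolution and the function names are the example's own choices.

```python
"""Added example (not from the paper): Wigner-function coefficients of a GKP
encoded qubit on one phase-space unit cell, following Eqs. (4), (6), (7) and
(13)-(16).  The cell holds the 16 delta peaks at q = l*sqrt(pi)/2,
p = m*sqrt(pi)/2 with l, m in {0, 1, 2, 3}."""
import math

SQRT_PI = math.sqrt(math.pi)


def _sign(n):
    """(-1)**n for an integer n of either sign."""
    return -1.0 if n % 2 else 1.0


def cell_coefficients(theta, phi):
    """Return {(l, m): w_lm(theta, phi)} for the unit cell.

    Even l comes from the populations, Eq. (4): W_j has peaks at
    q = sqrt(pi)(j + t), p = sqrt(pi) s/2 with weight (-1)^(s t)/(4 sqrt(pi)),
    so l = 2(j + t) and m = s.  Odd l comes from the interference term of
    Eq. (6): l = 1 + 2t, m = s, weight sin(theta)(-1)^(s t) cos(phi + s pi/2)
    over 4 sqrt(pi).
    """
    norm = 1.0 / (4.0 * SQRT_PI)
    c2 = math.cos(theta / 2.0) ** 2
    s2 = math.sin(theta / 2.0) ** 2
    w = {}
    for l in range(4):
        for m in range(4):
            s = m
            if l % 2 == 0:
                t0 = l // 2        # peak index t of W_0 (j = 0) at this l
                t1 = l // 2 - 1    # peak index t of W_1 (j = 1) at this l
                val = c2 * _sign(s * t0) + s2 * _sign(s * t1)
            else:
                t = (l - 1) // 2
                val = math.sin(theta) * _sign(s * t) * math.cos(phi + s * math.pi / 2.0)
            w[(l, m)] = norm * val
    return w


def cell_abs_integral(theta, phi):
    """Integral of |W_cell| over the cell, Eq. (15): the sum of |w_lm|."""
    return sum(abs(v) for v in cell_coefficients(theta, phi).values())


def cell_abs_integral_closed_form(theta, phi):
    """Argument of the logarithm in Eq. (16)."""
    return (1.0 + abs(math.cos(theta))
            + abs(math.sin(theta) * math.cos(phi))
            + abs(math.sin(theta) * math.sin(phi))) / SQRT_PI


def cell_wln(theta, phi):
    """Wigner logarithmic negativity per unit cell, Eqs. (15)-(16)."""
    return math.log2(cell_abs_integral(theta, phi))


# Bloch angles (theta, phi) of the six stabilizer states and of the two magic
# states of Eq. (11); the labels are this example's own.
STATES = {
    "|0>": (0.0, 0.0),
    "|1>": (math.pi, 0.0),
    "|+>": (math.pi / 2, 0.0),
    "|->": (math.pi / 2, math.pi),
    "|i>": (math.pi / 2, math.pi / 2),
    "|-i>": (math.pi / 2, 3 * math.pi / 2),
    "|H>": (math.pi / 2, math.pi / 4),
    "|T>": (math.acos(1.0 / math.sqrt(3.0)), math.pi / 4),
}


def scaled_cell_table():
    """sqrt(pi) * integral of |W_cell| per state, the quantity plotted in Fig. 4b.

    Evaluating Eq. (16) gives 2 for every stabilizer state, 1 + sqrt(2) for
    |H> and 1 + sqrt(3) for |T>.
    """
    return {name: SQRT_PI * cell_abs_integral(th, ph)
            for name, (th, ph) in STATES.items()}


def closed_form_discrepancy(samples=64):
    """Largest gap between the peak-by-peak sum and Eq. (16) on a Bloch grid."""
    worst = 0.0
    for i in range(samples):
        for j in range(samples):
            th, ph = math.pi * i / samples, 2.0 * math.pi * j / samples
            worst = max(worst, abs(cell_abs_integral(th, ph)
                                   - cell_abs_integral_closed_form(th, ph)))
    return worst


def scaled_extrema(samples=64):
    """(min, max) of sqrt(pi) * integral of |W_cell| over the same Bloch grid."""
    vals = [SQRT_PI * cell_abs_integral(math.pi * i / samples, 2.0 * math.pi * j / samples)
            for i in range(samples) for j in range(samples)]
    return min(vals), max(vals)


if __name__ == "__main__":
    for name, value in scaled_cell_table().items():
        print(f"{name:5s} sqrt(pi)*int|W_cell| = {value:.4f}"
              f"  WLN per cell = {math.log2(value / SQRT_PI):.4f}")
    print("max |sum - closed form| on grid:", closed_form_discrepancy())
    print("grid minimum / maximum:", scaled_extrema())
```

The grid minimum is reached at the stabilizer states and the maximum next to the $|T\rangle$ direction, which is the ordering the text reads off Fig. 4.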

## **5 Conclusions**

In this work, we use CV tools, such as the Wigner phase-space representation, for studying DV single-qubit states encoded in infinite Hilbert spaces with the GKP mapping. We give an analytical expression for the Wigner function of any GKP encoded qubit state, and quantify the amount of negativity with the WLN. All qubit states have nonzero WLN, and therefore we cannot distinguish which states and processes are classically efficiently simulatable with current criteria for quantum advantage in CV systems. On the other hand, our quantitative analysis of the WLN for GKP encoded states shows differences between stabilizer and non-stabilizer states: the former are the least negative, saturating the lower bound of negativity. The most non-stabilizer states, $H$-type and $T$-type quantum states, reach the maximum negativity. Our results suggest a possible connection between a DV characterization of resources for universal quantum computation and CV necessary criteria for quantum advantage.

**Fig. 4 a** Representation of single-qubit states on the Bloch sphere. Stabilizer states correspond to the vertices of an octahedron embedded in the sphere. The most non-stabilizer states are those projected on the surface of the sphere from the middle points of the edges of the octahedron, $H$-type magic states (circle), and perpendicularly from the center of the faces, $T$-type magic states (diamond), as indicated by the arrows (Bravyi et al. 2005). **b** Quantification of negativity of the Wigner function of qubit GKP encoded states with $\sqrt{\pi}\int|W\_{\rm cell}|$. We consider all qubit states, described by the angles $(\theta, \phi)$, with $\theta \in [0,\pi)$ and $\phi \in [0, 2\pi)$

A natural perspective stemming from this work is to explore the relation between different states with nonzero WLN and the computational complexity of quantum circuits including these states.

**Acknowledgements** We thank P. Milman and A. Ketterer for sharing with us a Mathematica code that was useful in the explorative stage of this project. L. G.-Á. and G. F. acknowledge support from the Wallenberg Center for Quantum Technology (WACQT), and G. F. acknowledges financial support from the Swedish Research Council through the VR project QUACVA.

## **Appendix 1**

A detailed derivation of Eq. (6) is provided here. Firstly, we can conveniently rewrite the Wigner function in Eq. (5) as follows:

$$\begin{split} W(\theta,\phi;q,p) &= \frac{1}{2\pi} \int\_{-\infty}^{\infty} dx\, e^{ipx} \bigg[ \cos^2\frac{\theta}{2} \Psi\_0 \left(q + \frac{x}{2}\right)^\* \Psi\_0 \left(q - \frac{x}{2}\right) \\ &+ \sin^2\frac{\theta}{2} \Psi\_1 \left(q + \frac{x}{2}\right)^\* \Psi\_1 \left(q - \frac{x}{2}\right) \\ &+ \cos\frac{\theta}{2} \sin\frac{\theta}{2} e^{i\phi} \Psi\_0 \left(q + \frac{x}{2}\right)^\* \Psi\_1 \left(q - \frac{x}{2}\right) \\ &+ \cos\frac{\theta}{2}\sin\frac{\theta}{2}e^{-i\phi}\Psi\_1\left(q+\frac{x}{2}\right)^{\*}\Psi\_0\left(q-\frac{x}{2}\right) \bigg] \\ &= \cos^2\frac{\theta}{2}W\_0(q,p)+\sin^2\frac{\theta}{2}W\_1(q,p)+\frac{1}{2\pi}\cos\frac{\theta}{2}\sin\frac{\theta}{2}e^{i\phi}\widetilde{W}\_{01}(q,p) \\ &\quad +\frac{1}{2\pi}\cos\frac{\theta}{2}\sin\frac{\theta}{2}e^{-i\phi}\widetilde{W}\_{10}(q,p), \end{split} \tag{18}$$

where we have defined the cross terms as follows:

$$\tilde{W}\_{jk}(q,p) \equiv \int\_{-\infty}^{\infty} dx e^{ipx} \Psi\_j\left(q + \frac{x}{2}\right)^\* \Psi\_k\left(q - \frac{x}{2}\right). \tag{19}$$

We simplify the cross terms as follows:

$$\begin{split} \widetilde{W}\_{jk}(q,p) &= \int dx \, e^{ipx} \left[\sum\_{s} \delta\left(q - \sqrt{\pi}(j+2s) + \frac{x}{2}\right)\right] \left[\sum\_{t} \delta\left(q - \sqrt{\pi}(k+2t) - \frac{x}{2}\right)\right] \\ &= \sum\_{st} e^{i2p\left[q - \sqrt{\pi}(k+2t)\right]} \delta\left(q - \frac{\sqrt{\pi}}{2}(j+k+2s+2t)\right) \\ &= \sum\_{st} e^{i2p\left[q - \sqrt{\pi}(k+2t-2s)\right]} \delta\left(q - \frac{\sqrt{\pi}}{2}(j+k+2t)\right) \\ &= \sum\_{st} e^{i2p\sqrt{\pi}\,2s}\, e^{ip\sqrt{\pi}(j-k-2t)} \delta\left(q - \frac{\sqrt{\pi}}{2}(j+k+2t)\right) \\ &= \frac{\sqrt{\pi}}{2} \sum\_{st} e^{ip\sqrt{\pi}(j-k-2t)} \delta\left(p - s\frac{\sqrt{\pi}}{2}\right) \delta\left(q - \frac{\sqrt{\pi}}{2}(j+k+2t)\right) \\ &= \frac{\sqrt{\pi}}{2} \sum\_{st} (-1)^{\frac{s}{2}(j-k-2t)} \delta\left(p - s\frac{\sqrt{\pi}}{2}\right) \delta\left(q - \frac{\sqrt{\pi}}{2}(j+k+2t)\right). \end{split} \tag{20}$$

Now, combining Eqs. (18) and (20), we have

$$\begin{split} W(\theta,\phi;q,p) &= \cos^2\frac{\theta}{2}W\_0(q,p) + \sin^2\frac{\theta}{2}W\_1(q,p) + \frac{1}{4\sqrt{\pi}}\cos\frac{\theta}{2}\sin\frac{\theta}{2} \\ &\quad \times \left[ e^{i\phi}\sum\_{st}(-1)^{\frac{s}{2}(-1-2t)}\delta\left(p - s\frac{\sqrt{\pi}}{2}\right)\delta\left(q - \frac{\sqrt{\pi}}{2}(1+2t)\right) \right. \\ &\quad \left. + e^{-i\phi}\sum\_{st}(-1)^{\frac{s}{2}(1-2t)}\delta\left(p - s\frac{\sqrt{\pi}}{2}\right)\delta\left(q - \frac{\sqrt{\pi}}{2}(1+2t)\right) \right] \\ &= \cos^2\frac{\theta}{2}W\_0(q,p) + \sin^2\frac{\theta}{2}W\_1(q,p) \\ &\quad + \frac{1}{8\sqrt{\pi}}\sin\theta\sum\_{st}(-1)^{st}\left(e^{i\phi}(-1)^{\frac{s}{2}} + e^{-i\phi}(-1)^{-\frac{s}{2}}\right) \\ &\quad \times \delta\left(q - \frac{\sqrt{\pi}}{2}(1+2t)\right)\delta\left(p - s\frac{\sqrt{\pi}}{2}\right). \end{split} \tag{21}$$

Then, it follows that the Wigner function for arbitrary superpositions of GKP states is given by Eq. (6) in the main text.

## **Appendix 2**

The table below summarizes the estimated climate footprint of this work, including air travel for collaboration purposes. Estimations have been calculated using the examples of ScientificCO2nduct https://scientific-conduct.github.io/.




**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Quantum Interactions**

## **Number Theoretic Study in Quantum Interactions**

**Masato Wakayama**

**Abstract** The quantum interaction models, with the quantum Rabi model as a distinguished representative, are recently appearing ubiquitously in various quantum systems including cavity and circuit quantum electrodynamics, quantum dots and artificial atoms, with potential applications in quantum information technologies including quantum cryptography and quantum computing (Haroche and Raimond 2008; Yoshihara et al. 2018). In this extended abstract, based on the contents of the talk at the conference, we describe shortly certain number theoretical aspects arising from the *non-commutative harmonic oscillators* (NCHO: see Parmeggiani and Wakayama 2001; Parmeggiani 2010) and *quantum Rabi model* (QRM: see Braak 2011 for the integrability) through their respective spectral zeta functions.


In physics, given a quantum interaction model, one of the main interests is to know the heat kernel (or equivalently the evolution operator) since, among other reasons, the heat kernel gives the partition function by taking the trace. With the partition function of the model, we may also get the analytic properties of the spectral zeta function by means of the Mellin transform. A spectral zeta function is defined, in general, as the Dirichlet series formed by the spectrum (eigenvalues) of the corresponding Hamiltonian (Ichinose and Wakayama 2005; Sugiyama 2018). Notice that knowing the spectral zeta function is essentially equivalent to knowing the partition function in any quantum system.

M. Wakayama

Department of Mathematics, Tokyo University of Science, 1-3 Kagura-zaka, Shinjyuku-ku, Tokyo 162-8601, Japan

Institute of Mathematics for Industry, Kyushu University, 744 Motooka, Nishi-ku, Fukuoka 819-0395, Japan

e-mail: wakayama@rs.tus.ac.jp; wakayama@imi.kyushu-u.ac.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_10

In the case of the NCHO, the Hamiltonian is given by

$$\mathcal{Q} = \begin{pmatrix} \alpha & 0 \\ 0 & \beta \end{pmatrix} \left( -\frac{1}{2} \frac{d^2}{dx^2} + \frac{1}{2} x^2 \right) + \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix} \left( x \frac{d}{dx} + \frac{1}{2} \right),$$

with α, β > 0 and αβ > 1 (the condition for having only a discrete spectrum with positive eigenvalues), and the spectral zeta function by

$$\zeta\_{\mathcal{Q}}(s) := \sum\_{n=1}^{\infty} \lambda\_n^{-s} \quad (\Re(s) > 1),$$

where $(0 <)\,\lambda\_1 < \lambda\_2 \le \lambda\_3 \le \cdots (\nearrow \infty)$ are the eigenvalues of the NCHO. Note that the lowest eigenstate is multiplicity free (Hiroshima and Sasaki 2014) and the multiplicity of a general eigenstate is less than or equal to two (Wakayama 2016). The function $\zeta\_{\mathcal{Q}}(s)$ is meromorphically continued to the whole complex plane with a unique simple pole at $s = 1$ and has trivial zeros at the even non-positive integers (Ichinose and Wakayama 2005). Although our study is very much influenced by the classical algebro-geometric work on Apéry numbers for the Riemann zeta function in Beukers (1987) and its subsequent developments, since the family of generating functions for *Apéry-like numbers* (Kimoto and Wakayama 2006) arising via the NCHO possesses a remarkable hierarchical structure, there is a decisive difference between these two (Ichinose and Wakayama 2005; Kimoto and Wakayama 2019).

For instance, there are congruence properties of the (normalized) Apéry-like numbers that have arisen naturally from the special value $\zeta\_{\mathcal{Q}}(2)$ at $s = 2$. This can be seen by the same idea that guided the studies for the Apéry numbers for $\zeta(2)\,(= \pi^2/6)$ in Beukers (1985). These congruence properties led us further to observe that the generating function $w\_2$ of the Apéry-like numbers for $\zeta\_{\mathcal{Q}}(2)$ is interpreted as a $\Gamma(2)$ modular form of weight 1 (Kimoto and Wakayama 2007) in the same way as in a pioneering study by Beukers (1983, 1987) for the Apéry numbers. It is worth mentioning that the recurrence equation of these Apéry-like numbers defined in Kimoto and Wakayama (2006) provides one of the particular examples listed in Zagier (2009) (it gives #19 in the list).<sup>1</sup> Also, recently, certain congruence relations among these Apéry-like numbers conjectured in Kimoto and Wakayama (2006) resembling Rodriguez–Villegas type congruences (Mortenson 2003) were proved in Long et al. (2016). It is, however, hard in general to obtain precise information, at the same level as for $\zeta\_{\mathcal{Q}}(2)$, on the higher special values $\zeta\_{\mathcal{Q}}(n)$ ($n > 2$). Thus, we introduce the Apéry-like numbers $J\_k(n)$ ($k = 0, 1, 2, \ldots$) for each $n$ defined through

<sup>1</sup>Although the terminology "*Apéry-like*" is identical, the usage/definition of the name in the current paper is different from the one in the title of Zagier (2009).

the *first anomaly* of $\zeta\_{\mathcal{Q}}(n)$ ($n > 2$) (Kimoto and Wakayama 2019) (see also Kimoto (2016)). These Apéry-like numbers share the properties of the ones for $\zeta\_{\mathcal{Q}}(2)$, e.g. they satisfy a similar recurrence relation as in the case of $\zeta\_{\mathcal{Q}}(2)$, and hence the ordinary differential equation satisfied by the generating function follows from the recurrence relation. Remarkably, the homogeneous part of each of the differential equations is identified with an ($n$-dependent) power of the homogeneous part of the one corresponding to $\zeta\_{\mathcal{Q}}(2)$. Further, we observe that the meta-generating functions of the Apéry-like numbers $J\_k(n)$ are described explicitly by the modular Mahler measures studied by Rodriguez–Villegas in Rodriguez (1999). Through this relation, we may find an interesting aspect of a discrete dynamical system behind the NCHO defined by a certain limit of finite abelian groups via *(weighted) Cayley graphs* studied in Dasbach and Lalin (2009). Moreover, we note here (Kimoto and Wakayama 2012, 2019) that the generating function $w\_{2n}$ of the Apéry-like numbers corresponding to the first anomaly in $\zeta\_{\mathcal{Q}}(2n)$ when $n = 2$ is given by an automorphic integral with a rational period function in the sense of Knopp (1978). This is obviously a generalization of our earlier result (Kimoto and Wakayama 2007) showing that $w\_2$ is interpreted as a $\Gamma(2)$-modular form of weight 1.

Furthermore, we show certain congruence relations among these normalized Apéry-like numbers which are the generalization of the results in Kimoto and Wakayama (2006). A possible generalization of the results in Liu (2018) seems very interesting. We also conjecture much stronger results based on numerical experiments in Kimoto and Wakayama (2019).

The Hamiltonian *H*Rabi of the QRM is precisely given by

$$H\_{\text{Rabi}} := \omega a^\dagger a + \Delta \sigma\_z + g(a + a^\dagger) \sigma\_x.$$

Here, $a^\dagger$ and $a$ are the creation and annihilation operators of the single bosonic mode ($[a, a^\dagger] = 1$), $\sigma\_x$, $\sigma\_z$ are the Pauli matrices (sometimes written as $\sigma\_1$ and $\sigma\_3$, but since there is no risk of confusion with the variable $x$ to appear below in the heat kernel, we use the usual notations), $2\Delta$ is the energy difference between the two levels, and $g$ denotes the coupling strength between the two-level system and the bosonic mode with frequency $\omega$ (subsequently, we set $\omega = 1$ without loss of generality). The integrability of the QRM was established in Braak (2011) using the well-known $\mathbb{Z}\_2$-symmetry of the Hamiltonian $H\_{\text{Rabi}}$, usually called parity.

In the case of QRM, we recently obtained the (analytic formula of) heat kernel (Reyes and Wakayama 2019) using the Trotter–Kato product formula by extensive discussions of combinatorics and graph theory including quantum Fourier transform.

Concretely, the heat kernel *K*Rabi(*t*, *x*, *y*) of the QRM is given by

$$K\_{\text{Rabi}}(t, \mathbf{x}, \mathbf{y}) = \widetilde{K}\_0(\mathbf{x}, \mathbf{y}, \mathbf{g}, t) \sum\_{\lambda=0}^{\infty} (t\Delta)^{\lambda} \Phi\_{\lambda}(\mathbf{x}, \mathbf{y}, \mathbf{g}, t).$$

Here the $2 \times 2$ matrix-valued function $\Phi\_\lambda(\mathbf{x}, \mathbf{y}, \mathbf{g}, t)$ for $\lambda \ge 0$ is given by

$$\begin{aligned} \Phi\_{\lambda}(\mathbf{x}, \mathbf{y}, \mathbf{g}, t) &= \int \cdots \int\limits\_{0 \le \mu\_1 \le \cdots \le \mu\_\lambda \le 1} e^{\phi(\boldsymbol{\mu}\_\lambda, t) + \xi\_\lambda(\boldsymbol{\mu}\_\lambda, t)} \begin{bmatrix} (-1)^\lambda \cosh & (-1)^{\lambda + 1} \sinh \\ - \sinh & \cosh \end{bmatrix} \\ &\qquad \times \left( \theta\_\lambda(\mathbf{x}, \mathbf{y}, \boldsymbol{\mu}\_\lambda, t) \right) d\boldsymbol{\mu}\_\lambda, \end{aligned}$$

where $\boldsymbol{\mu}\_\lambda = (\mu\_1, \mu\_2, \cdots, \mu\_\lambda)$ and $d\boldsymbol{\mu}\_\lambda = d\mu\_1 d\mu\_2 \cdots d\mu\_\lambda$, with $\boldsymbol{\mu}\_0 = 0$ and $d\boldsymbol{\mu}\_0 = 1$. For the definition of the functions $\phi$, $\xi\_\lambda$, $\theta\_\lambda$ and $\widetilde{K}\_0$ (Mehler's kernel), the reader is directed to Reyes and Wakayama (2019).

**Fig. 1** From the NCHO to QRM (Heun's Pictures)

This is the first time an explicit determination of the heat kernel has been obtained for an interacting system (though certain partial results have been discussed, e.g. in Legget 1987 for the Spin-Boson model and Anderson et al. 1970; Chakravarty 1995 for the Kondo effect using the Feynman–Kac formula). The heat kernel formula allows us to obtain the contour integral representation of the spectral zeta function of the QRM (Sugiyama 2018) and opens the study of its special values at negative integral points (Reyes and Wakayama 2019).

Further, although NCHO is not confirmed as a practical physical model, it may be considered as a "*covering*" model of QRM through the respective Heun ODE pictures (Wakayama 2016) (Fig. 1). Thus, in addition to the study of the respective number theoretical aspects of the models independently, the comparison of the number theoretic objects appearing from each model is an interesting and significant problem.

In addition to the number theoretic structure described above, we remark here that there appear certain algebraic curves, including elliptic and super elliptic curves, in the description of degenerations of the eigenstates for the asymmetric QRM with an integral perturbation parameter (Wakayama 2017; Kimoto et al. 2020; Reyes and Wakayama 2017). This shows another mathematical structure behind the asymmetric and symmetric QRM.

The following figure (Fig. 2) illustrates the position of this extended abstract within our whole interest. In particular, the talk focused on the special values of such zeta functions (Ichinose and Wakayama 2005; Ochiai 2008; Kimoto and Wakayama 2006, 2007, 2012; Long et al. 2016; Liu 2018; Kimoto and Wakayama 2019). We note that special values of zetas may be considered as the moments of the partition function of the corresponding model.

**Fig. 2** Non-commutative harmonic oscillator and (asymmetric and symmetric) quantum Rabi models

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **A Data Concealing Technique with Random Noise Disturbance and a Restoring Technique for the Concealed Data by Stochastic Process Estimation**

**Tomohiro Fujii and Masao Hirokawa**

**Abstract** We propose a technique to conceal data on a physical layer by disturbing them with random noises, and moreover, a technique to restore the concealed data to the original ones by using stochastic process estimation. Our concealing-restoring system manages the data on the physical layer from the data link layer. In addition to these proposals, we show the simulation result and some applications of our concealing-restoring technique.

**Keywords** Concealing-restoring system · OSI · Physical layer · Data link layer · Noise-disturbance · Stochastic process estimation · Noise-filtering · Kalman filter · Particle filter

## **1 Introduction**

Micro-device technology in the near future will realize the remote control of microprocessor chips in various things such as household electric appliances, information-processing equipment, and even brain–computer/brain–machine interfaces, from the outside through wireless communications or the so-called IoT (i.e., Internet of Things). Moreover, it enables the automatic operation of such things under remote control. They are going to infiltrate society and play several important roles in every area of it. We then have to establish data security for them (Youm 2017; Román-Castro et al. 2018; Lin et al. 2018; Clausen et al. 2017). In particular, we have to stem the hacking of the remote control and the wiretapping of the communicated data. We are interested in a data concealing technique with disturbance on a physical layer and a restoring technique for the concealed data. Here, the physical layer is the lowest layer of the open systems interconnection (OSI) (Kain and Agrawala 1992) (see Fig. 1). OSI is a reference model for grasping and analyzing how data are sent and received over a computation or communication network. Some methods using disturbance have been presented to conceal data for storage and communication. For instance, chaotic cryptology (Cuomo and Oppenheim 1993; Grassi and Mascolo 1999; Leung and Lam 1997; Wu and Chua 1993) uses chaos to make the disturbance. The method using cryptographic hash functions for the disturbance has lately been gaining a practical position (Merkle 1979, 1989; Damgård 1989; Schneier 2015). There have been some endeavors toward a concealing technique on physical layers: the chaos multiple-input multiple-output (Okamoto and Iwanami 2006; Zheng 2009; Okamoto 2011; Okamoto and Inaba 2015; Ito et al. 2019). Meanwhile, it is noteworthy that secured telecommunication using noises has been actively studied (Wyner 1975; Hero 2003; Goel and Negi 2008; Swindlehurst 2009; Mukherjee and Swindlehurst 2011). In that technique, noises are sent from interference antennas toward the signal on a carrier wave sent from another antenna, so that the signal interferes with the noises and becomes an interference wave. There may, however, be a way to remove the noises from the interference wave and wiretap the original signal (Ohno et al. 2012).

T. Fujii (B) · M. Hirokawa (B)
Graduate School of Engineering, Hiroshima University, Hiroshima, Japan
e-mail: fujii@amath.hiroshima-u.ac.jp

M. Hirokawa
Graduate School of ISEE, Kyushu University, Fukuoka, Japan
e-mail: hirokawa@inf.kyushu-u.ac.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_11

We take interest in how to conceal data on a physical layer using random noise disturbances and how to restore the concealed data by applying stochastic filtering theory, so as to maintain the safety of the data over a proper period of time; this is different from the interference wave method. Thus, our concealing-restoring system should be installed on a data link layer above the physical layer (see Fig. 1). Although we employ the disturbance by random noises instead of the chaotic one, we can design our concealing-restoring system so that it includes the chaotic disturbance (Fujii and Hirokawa 2020). The idea of the concealing-restoring system originated primarily in keeping the data processed on the physical layer of our quantum-sensing equipment under development secure over a necessary period. This equipment detects and handles some ultimate personal information. Since we must remove several noises on the physical layer in any case, we make our concealing-restoring system coexist with the denoising system of the equipment. We then consider an information concealing method for qubits (i.e., quantum bits) using random noises in classical physics. The qubits |0⟩ and |1⟩ are represented by the spin states |↑⟩ and |↓⟩, namely, |0⟩ = |↑⟩ = (1, 0) and |1⟩ = |↓⟩ = (0, 1). A general qubit |*q*⟩ can be described as the superposition of the qubits |0⟩ and |1⟩: |*q*⟩ = α|0⟩ + β|1⟩ for some complex numbers α and β with |α|<sup>2</sup> + |β|<sup>2</sup> = 1. Thus, the qubit can have the representation |*q*⟩ = (α, α, β, β), and an information sequence of qubits, |*q*<sub>1</sub>⟩, |*q*<sub>2</sub>⟩, ..., |*q*<sub>ν</sub>⟩, is expressed by the finite sequence

α<sub>1</sub> α<sub>1</sub> β<sub>1</sub> β<sub>1</sub> α<sub>2</sub> α<sub>2</sub> β<sub>2</sub> β<sub>2</sub> ... α<sub>ν</sub> α<sub>ν</sub> β<sub>ν</sub> β<sub>ν</sub>.

We transform it into an electrical signal $X\_t$, 0 ≤ *t* ≤ 4ν, using linear interpolation. We process the electrical signal in a microprocessor, made of semiconductors, of our quantum-sensing equipment. Since the microprocessor is for conventional computation (i.e., not quantum computation), we need to transport the electrical signal to a memory or register according to a microarchitecture. To keep the electric signal $X\_t$ secure while processing, storing, and saving it, we employ a mathematical idea to conceal it using the noise disturbance. In this paper, we introduce that mathematical idea for more general signals on the physical layer and broader applications.

**Fig. 1** The left picture shows that the OSI consists of 7 layers. The encryption and decryption are usually done on one of the layers between Layer 3 and Layer 7, typically on the presentation layer. The right picture shows what we aim our concealing-restoring system at

Since some applications derive from them, we first establish a mathematical technique for concealing data by a disturbance with the randomness of noises, and moreover, a mathematical technique for restoring the concealed data by stochastic process estimation. In addition to these, we show the simulation result and some applications of the two techniques. The idea of our method for concealing data comes from the image of the scene in which we conceal a treasure map, and it is as simple as follows:


In this paper, we mathematically realize c1 and c2, and implement them on conventional computers. In addition to c1 and c2, we can consider that

(c3) we tear the muddled map by c1 and c2, and split it into several pieces, though we do not make its implementation in this paper.

We plan to use the concealed data for saving them in memory or for sending them over telecommunication. We expect to use our methods in situations where the physical layer is under restrictions in the implementation space due to a small consumed electric power, a small arithmetic capacity, a small line capacity, and a bad access environment. Concretely, we hope to apply the implementation of our techniques to the remote control of drones and the devices on them, and to the security of data sent from those devices. Moreover, we suppose situations where remote maintenance of the physical layer is too harsh, for example, in outer space development or seafloor development.

## **2 Mathematical Setups**

We first explain the outline of how to make our concealing-restoring system for data $X\_t$, $t \in \mathbb{R}$. The concealing-restoring system is given by a simultaneous equation system (SES). This SES consists of some stochastic differential equations (SDEs), linear equations, and a nonlinear equation (NLE). The data $X\_t$ are input as the initial data of the SES. We prepare *N* functionals $F\_i$, $i = 1, 2, \dots, N$, making the SDEs. We suppose that the form of each functional $F\_i$ is known only to those who conceal the original data $X\_t$ and restore the concealed data. We use the forms of the functionals as well as the composition of the SES as secret keys or common keys. We prepare 2*N* random noises $W\_t^{j,i}$, $j = 1, 2$; $i = 1, 2, \dots, N$, for the SDEs, and a nonlinear bijection *f* for the NLE. The SDEs for the processes $X\_t^i$, $i = 1, 2, \dots, N$, and the NLE for the process $X\_t^{N+1}$ are used to introduce the noise disturbance in our concealing-restoring system. We also use the means, variances, and distributions of the random noises as well as the nonlinear bijection as secret keys. As shown below, we obtain *N* + 1 concealed data, $U\_t^i$, $i = 1, 2, \dots, N, N+1$, using the SDEs and the NLE. We use them as the data for saving in a digital memory such as a semiconductor memory or an analog memory such as a magnetic tape. We may also put the concealed data on a carrier wave and send them. This is the outline of the data concealing. Meanwhile, the data restoration is done as follows. Using the stochastic filtering theory and the inverse function $f^{-1}$, we remove the random noises from every concealed datum $U\_t^i$, and we estimate the process $X\_t^i$. We denote the estimate by $\widehat{X}\_t^i$, and call it the *estimated data* for the process $X\_t^i$. We regard the estimate $\widehat{X}\_t^1$ as the *restoration* of the original data $X\_t$. We denote it by $\widehat{X}\_t$.

We here explain how to make the data $X\_t$ from binary data. We use the low/high signal for the binary data in this paper, though there are many other ways. Thus, we represent 'low' by 0 and 'high' by 1. For *n* + 1 bits, $a\_0, a\_1, \dots, a\_n \in \{0, 1\}$, we concatenate them and make a word $a\_0 a\_1 \cdots a\_n$. We employ the following linear interpolation as a simple digital–analog (D/A) transformation. We first define $X\_i$ by

$$X\_i = \begin{cases} +1 & \text{if } a\_i = 1, \\ -1 & \text{if } a\_i = 0, \end{cases} \quad i = 0, 1, \dots, n.$$

We connect $X\_i$ and $X\_{i+1}$ with a straight line for each *i* = 0, 1, ..., *n* − 1, and we have a polygonal line $X\_t$, 0 ≤ *t* ≤ *n*. When the data $X\_t$ are made from the binary word $a\_0 a\_1 \cdots a\_n$, we call $X\_t$ a *binary pulse* for the word $a\_0 a\_1 \cdots a\_n$. As for the restoration of the word, we use the following simple analog–digital (A/D) transformation to seek the character $\widehat{a}\_i \in \{0, 1\}$ for each *i* = 0, 1, ..., *n*, and make a word $\widehat{a}\_0 \widehat{a}\_1 \cdots \widehat{a}\_n$ for the original word $a\_0 a\_1 \cdots a\_n$. We determine a threshold in advance between those who conceal the binary pulse and those who restore its concealed data. The threshold is basically determined taking into account the mean and variance of the random noises used for concealing the data. For each *i* = 0, 1, ..., *n*, we define the character $\widehat{a}\_i$ by

$$
\widehat{a}\_i = \begin{cases} 1 & \text{if } \widehat{X}\_i > \text{threshold}, \\ 0 & \text{if } \widehat{X}\_i \le \text{threshold}, \end{cases}
$$

We call the word $\widehat{a}\_0 \widehat{a}\_1 \cdots \widehat{a}\_n$ the *restored word* from $\widehat{X}\_t$. We note that the mean and the variance play important roles in defining a threshold between 'low' and 'high' of signals, in particular when we use ν-adic numbers such as octal and hexadecimal numbers instead of binary numbers.

From now on, we explain mathematical details for our data concealing technique and restoring technique. We give our secret SES by

$$F\_i(X\_t^i, \dot{X}\_t^i, U\_t^i, W\_t^{1,i}) = 0, \qquad i = 1, 2, \dots, N,\tag{1}$$

$$X\_{t}^{i+1} = c^i X\_t^i + W\_t^{2,i}, \qquad i = 1, 2, \ldots, N,\tag{2}$$

$$U\_t^{N+1} = f\left(X\_t^{N+1}\right). \tag{3}$$

In the above system, $\dot{X}\_t^i$ stands for the time derivative $dX\_t^i/dt$ of the process $X\_t^i$, and $c^i$ is a constant. The initial data $X\_t^1$ are given by $X\_t^1 = X\_t$. The concealed data $U\_t^i$, $i = 1, 2, \dots, N, N+1$, are directly defined by Eqs. (1) and (3), not by Eq. (2). That is, we can hide the linear part of our system because we do not have to make an interference wave. This is the point where our method differs from telecommunication using noises (Wyner 1975; Hero 2003; Goel and Negi 2008; Swindlehurst 2009; Mukherjee and Swindlehurst 2011). Introducing functionals $G\_i$, $i = 1, 2, \dots, N$, and using them for Eq. (2), we can introduce the chaotic disturbance into our concealing-restoring system (Fujii and Hirokawa 2020).

Equations (1) and (3) are the mathematical realization of c1. The repetition of Eq. (1) from *i* = 1 to *i* = *N* with the help of Eq. (2) is the realization of c2. We can mathematically realize c3 as follows. Take numbers $r\_\ell$, $\ell = 1, 2, \dots, M$, with $\sum\_{\ell=1}^{M} r\_\ell = 0$, and define

$$U\_t^\ell = \frac{1}{M} \left( U\_t^i + r\_\ell U\_t^j \right), \quad \ell = 1, 2, \dots, M,$$

where $i \ne j$. Then, we can split the data $U\_t^i$ into the data $U\_t^\ell$, $\ell = 1, 2, \dots, M$. In the case *M* = 2, for instance, we generate a random number *r* with $r \ne 0$, and set $r\_1 = r$ and $r\_2 = -r$. From the split data $U\_t^\ell$, $\ell = 1, 2, \dots, M$, we can restore the data $U\_t^i$ and $U\_t^j$ by

$$U\_t^i = \sum\_{\ell=1}^M U\_t^\ell \qquad \text{and} \qquad U\_t^j = r\_\ell^{-1} \left(M U\_t^\ell - U\_t^i\right)$$

for an $\ell$ satisfying $r\_\ell \ne 0$. We can also use the sequence $r\_1, r\_2, \dots, r\_M$ as a secret or common key.

We note that the last stochastic process appearing in Eq. (3) has the form

$$X\_t^{N+1} = c^1 \cdots c^N X\_t + \sum\_{i=1}^{N-1} \left(\prod\_{j=i+1}^N c^j\right) W\_t^{2,i} + W\_t^{2,N}.\tag{4}$$

#### *2.1 How to Conceal Data*

We take the original data *Xt* as initial data,

$$X\_t^1 = X\_t.$$

Inputting it into Eq. (1) with the noise $W\_t^{1,1}$, we conceal it by the SDE

$$F\_1(X\_t^1, \dot{X}\_t^1, U\_t^1, W\_t^{1,1}) = 0.$$

We seek $U\_t^1$ in the above and obtain the concealed data $U\_t^1$. By Eq. (2),

$$X\_t^2 = c^1 X\_t^1 + W\_t^{2,1},$$

we have the data $X\_t^2$ for the next step. These data $X\_t^2$ consist of the superposition (i.e., linear combination) of $X\_t^1$ and $W\_t^{2,1}$, and thus there is a possibility that a wiretapper removes the noise $W\_t^{2,1}$ and wiretaps $X\_t^1$. Thus, to improve the security with another noise disturbance, we carry out the same procedure again. We input the data $X\_t^2$ into Eq. (1) with the noise $W\_t^{1,2}$,

$$F\_2(X\_t^2, \dot{X}\_t^2, U\_t^2, W\_t^{1,2}) = 0.$$

We then obtain the concealed data $U\_t^2$. Repeating the same procedure, we obtain the concealed data $U\_t^1, U\_t^2, \dots, U\_t^N$, and hide the data $X\_t^1, X\_t^2, \dots, X\_t^N$.

At last, we input the data $X\_t^N$ into Eq. (2) and get the data $X\_t^{N+1}$. We input this into Eq. (3) and hide it. We then obtain the last concealed data $U\_t^{N+1}$. In this way, the sequence of the concealed data, $U\_t^1, U\_t^2, \dots, U\_t^N, U\_t^{N+1}$, is created.

In the case where the original data are digital and give the binary pulse $X\_t$, the concealed data $U\_t^i$, $i = 1, 2, \dots, N, N+1$, become merely analog data. So, a wiretapper has to know the A/D transformation to obtain the original digital data from the concealed data. Therefore, the D/A and A/D transformations play an important role in the concealing-restoring system for digital data. We can also use them as secret or common keys.

#### *2.2 How to Restore Data*

Since the nonlinear function *f* is bijective, we can restore the concealed data $U\_t^{N+1}$ to the data $X\_t^{N+1}$ by

$$X\_t^{N+1} = f^{-1}\left(U\_t^{N+1}\right).$$

In the light of the stochastic filtering theory, Eqs. (1) and (2) are the state equation and the observation equation, respectively, and they make up the system of the noise-filtering. Inputting the above $X\_t^{N+1}$ into Eq. (2), and the concealed data $U\_t^N$ into Eq. (1), we have simultaneous equations to seek the data $X\_t^N$,

$$\begin{aligned} F\_N(X\_t^N, \dot{X}\_t^N, U\_t^N, W\_t^{1,N}) &= 0, \\ X\_t^{N+1} &= c^N X\_t^N + W\_t^{2,N}. \end{aligned}$$

Since we cannot completely restore the noises $W\_t^{1,N}$ and $W\_t^{2,N}$ to the original ones, we cannot completely seek the stochastic process $X\_t^N$. Thus, we estimate it with the help of a proper stochastic filtering theory to remove the random noises. We then obtain the estimated data $\widehat{X}\_t^N$. Inputting the estimated data $\widehat{X}\_t^N$ into the slot of $X\_t^N$ in Eq. (2), and the concealed data $U\_t^{N-1}$ into Eq. (1), we reach simultaneous equations to seek the data $X\_t^{N-1}$,

$$\begin{aligned} F\_{N-1}(X\_t^{N-1}, \dot{X}\_t^{N-1}, U\_t^{N-1}, W\_t^{1, N-1}) &= 0, \\ \widehat{X}\_t^N &= c^{N-1} X\_t^{N-1} + W\_t^{2, N-1}. \end{aligned}$$

In the same way as above, the stochastic filtering theory gives us the next estimated data $\widehat{X}\_t^{N-1}$. We repeat this procedure, and obtain the estimated data $\widehat{X}\_t^N, \widehat{X}\_t^{N-1}, \dots, \widehat{X}\_t^2, \widehat{X}\_t^1$ in turn, and we pick up the last estimate $\widehat{X}\_t^1$. This is the restoration $\widehat{X}\_t$ of the original data $X\_t$.

## **3 Example of Functionals and Simulation**

As for how to determine each functional $F\_i$, $i = 1, 2, \dots, N$, any definition is fine so long as a noise-filtering theory is established for the system with $F\_i$. To restore the concealed data $U\_t^1, U\_t^2, \dots, U\_t^N, U\_t^{N+1}$, generally speaking, we have to know the concrete forms of the functionals and the noise-filtering theory. Therefore, we must hide both to secure the original data. In this paper, however, we disclose one example of the concrete definition of the functionals and one example of the noise-filtering, which should actually be kept secret. We point out that the example of the concealing-restoring system introduced in this section is not valid for other functionals. In particular, it is not tolerant of nonlinearity. See Sect. 5.

#### *3.1 An Example of the Set of Functionals*

We release an example of functionals in this section. We determine functions $A^i(t)$, $\nu^i(t)$, and non-zero constants $b\_u^i$, $b^i$ in secret. Here $\nu^i(t)$ can be a random noise. For instance, we often make $\nu^i(t)$ by the linear interpolation based on normal random numbers. Namely, we first assign a normal random number with $N(0, \sigma\_\nu^2)$ to $\nu^i(k)$ for each *i* and *k*, and then connect them by linear interpolation. Here, $N(0, \sigma\_\nu^2)$ means the normal distribution whose mean and standard deviation are, respectively, 0 and $\sigma\_\nu$. We give each functional $F\_i$ such that it makes the SDE

$$dX\_t^i = \left(A^i\left(t\right) - 1\right)X\_t^i dt + b\_u^i U\_t^i dt + b^i \nu^i(t) dt - b\_u^i dB\_t^i,\tag{5}$$

for *i* = 1, 2, ..., *N*. That is,

$$\dot{X}^i\_t = \left( A^i(t) - 1 \right) X^i\_t + b^i\_u U^i\_t + b^i \nu^i(t) - b^i\_u W^{1,i}\_t. \tag{6}$$

Here, $W\_t^{1,i}$ and $W\_t^{2,i}$ are Gaussian white noises whose mean $m^{j,i}$ and variance $V^{j,i}$ are, respectively, 0 and $(\sigma\_j^i)^2$. $B\_t^i$ is the Brownian motion given by $W\_t^{1,i} = dB\_t^i/dt$, $i = 1, 2, \dots, N$. We assume that the noises $W\_t^{1,i}$ and $W\_t^{2,i}$ are independent for each $i = 1, 2, \dots, N$, but the noises $W\_t^{2,i}$, $i = 1, 2, \dots, N$, are not always independent. Thus, in the case where they are not independent, the linear combination of white noises appearing in Eq. (4) is not always a white noise.

We regard the functions $A^i(t)$, the constants $b\_u^i$, $b^i$, and the mean $m^{j,i}$ and variance $V^{j,i} = (\sigma\_j^i)^2$ of the white noises as secret keys which are known only to the administrator of our concealing-restoring system. We use the functions $\nu^i(t)$ as common keys. Since Eqs. (5) and (2), respectively, play the roles of the state equation and the observation equation in the stochastic filtering theory, we employ the linear Kalman filtering theory (Kalman 1960; Kallianpur 1980; Bain and Crisan 2009; Grewal and Andrews 2015) to obtain the restoration $\widehat{X}\_t$.

Using Eq. (6) we give the concealed data $U\_t^i$, $i = 1, 2, \dots, N$, by

$$U\_t^i = \frac{1}{b\_u^i} \left\{ \dot{X}\_t^i + \left(1 - A^i(t)\right) X\_t^i - b^i \nu^i(t) \right\} + W\_t^{1,i}. \tag{7}$$

In addition to these concealed data, we give the last concealed data $U\_t^{N+1}$ by Eq. (3). Conversely, since we obtain the data $X\_t^{N+1}$ by $X\_t^{N+1} = f^{-1}(U\_t^{N+1})$, we can estimate the data $X\_t^N, X\_t^{N-1}, \dots, X\_t^1$ from the concealed data $U\_t^N, U\_t^{N-1}, \dots, U\_t^1$ using the linear Kalman filtering theory.

#### *3.2 Simulation of Concealing and Restoring Data on Physical Layer*

In our simulation of concealing and restoring data on the physical layer, we employ the message digest (Rivest 1991, 1992a, b; Suhaili and Watanabe 2017; MessageDigest 2020) to check the coincidence of the original word $a\_0 a\_1 \cdots a\_n$ and its restored word $\widehat{a}\_0 \widehat{a}\_1 \cdots \widehat{a}\_n$, though the message digest works on upper layers. Moreover, we can use the message digest to detect any falsification of the concealed data. We take the original word $a\_0 a\_1 \cdots a\_n$ as a message, and then produce its digest. We also produce the digest for the restored word $\widehat{a}\_0 \widehat{a}\_1 \cdots \widehat{a}\_n$. Comparing the hash values of the two digests, we can check the coincidence and detect falsification at the same time. The check and detection should be performed on one of the layers between Layer 3 and Layer 7. In our simulation, we employ SHA-256 to make the hash values (Secure Hash Standard 2015).

To make the estimation in the simulation, we employ the linear Kalman filtering theory under the following conditions. We make Eqs. (1)–(3) for *N* = 2 with $A^i(t) = 0.1$ (constant function), $b^i = 1$, $b\_u^i = 1$, and $c^i = 1$ for each *i* = 1, 2. We define the common key $\nu^i(t)$ by the linear interpolation based on normal random numbers with $N(0, 1^2)$. We assume that the means of the white noises are all 0. The standard deviation of the white noise $W\_t^{j,1}$ is $\sigma\_j^1 = 0.1$, and that of the white noise $W\_t^{j,2}$ is $\sigma\_j^2 = 1$. The length of the word $a\_0 a\_1 \cdots a\_n$ is 100, and therefore, *n* = 99.

Our original word $a\_1 a\_2 \cdots a\_{99}$ is given by (8). We note here that we remove the character $a\_0$ because we cannot estimate the first bit in our concealing-restoring system.

00001100100111001000100000101110111111111001000110 1010011110111101100101010100010110111100110111001. (8)

Then, we get its binary pulse $X\_t$ as in Fig. 2. The hash value of the digest made from the original word (8) is

979bca61579e002c9097c78088740e9fdaf21535d6a5c5876bd8623a86185292. (9)

We make the concealed data $U\_t^1$ and $U\_t^2$ by Eq. (7) with the help of the linear equation given in Eq. (2). We finally make the concealed data $U\_t^3$ using the nonlinear equation given in Eq. (3) with $f(\xi) = \xi^3$. Their graphs are in Figs. 3 and 4. Following the Kalman filtering theory, we remove the white noises and estimate the binary pulse $X\_t$. Then, we obtain the restoration $\widehat{X}\_t$ as in Fig. 5. The concrete algorithm to seek the restoration $\widehat{X}\_t$ is given in Fujii and Hirokawa (2020). Let us take 0 as the threshold. Then, we obtain the restored word $\widehat{a}\_1 \widehat{a}\_2 \cdots \widehat{a}\_{99}$ and the hash value of the digest made from the restoration $\widehat{X}\_t$. We obtain the positive result that they coincide with (8) and (9), respectively.

**Fig. 3** The concealed data, $U\_t^1$ (left) and $U\_t^2$ (right), for the binary pulse $X\_t$ in Fig. 2
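The following Python program is an added end-to-end illustration of Sects. 2–3; it is not the authors' code (their algorithm appears in Fujii and Hirokawa (2020)). It builds the binary pulse of Sect. 2 from the word (8) (with a constructed $a\_0 = 0$ prepended), conceals it with the functionals of Sect. 3.1 for *N* = 2 and the parameters of Sect. 3.2, restores it stage by stage with a scalar linear Kalman filter as in Sect. 2.2, compares the SHA-256 digests of the original and restored words, and also lists the words a wiretapper would read by thresholding the concealed data directly, as in Sect. 3.2. Assumptions not taken from the chapter: Euler time-stepping of Eqs. (2), (6) and (7) with *m* samples per bit, per-sample Gaussian draws standing in for the white noises, seeded pseudo-random generators for the common keys and the noises, and ASCII encoding of the '0'/'1' string that is hashed (so the digest need not coincide with (9)).

```python
"""Discrete simulation of the concealing-restoring system of Sects. 2-3.
Added example, not the authors' code.  Assumptions beyond the chapter: Euler
time-stepping of Eqs. (2), (6), (7) with step dt = 1/m; per-sample Gaussian
draws stand in for the white noises; a scalar linear Kalman filter per stage;
N = 2, A = 0.1, b = b_u = c = 1, sigma_1 = 0.1, sigma_2 = 1, sigma_nu = 1,
f(xi) = xi**3 as in Sect. 3.2."""
import hashlib
import math
import random

A, B, BU, C = 0.1, 1.0, 1.0, 1.0   # secret keys A^i(t), b^i, b_u^i, c^i
S1, S2, SV = 0.1, 1.0, 1.0         # std of W^{1,i}, W^{2,i} and of the common key

# Word (8) of Sect. 3.2, a_1 ... a_99 (a_0 is prepended as a constructed '0').
WORD_8 = ("00001100100111001000100000101110111111111001000110"
          "1010011110111101100101010100010110111100110111001")


def interpolate(values, m):
    """Linear interpolation with m samples per unit of t (D/A step of Sect. 2)."""
    out = []
    for i in range(len(values) - 1):
        for k in range(m):
            out.append(values[i] + (values[i + 1] - values[i]) * k / m)
    out.append(values[-1])
    return out


def binary_pulse(bits, m):
    """X_t: +1 for '1', -1 for '0', joined by straight lines."""
    return interpolate([1.0 if b == "1" else -1.0 for b in bits], m)


def threshold_word(samples, m, threshold=0.0):
    """A/D step: read the samples at integer t and compare with the threshold."""
    n_chars = (len(samples) - 1) // m + 1
    return "".join("1" if samples[i * m] > threshold else "0" for i in range(n_chars))


def conceal(x, nu, dt, noise):
    """Eq. (7): U^i from X^i, the common key nu^i and the white noise W^{1,i}."""
    return [((x[k + 1] - x[k]) / dt + (1 - A) * x[k] - B * nu[k]) / BU
            + noise.gauss(0, S1) for k in range(len(x) - 1)]


def next_process(x, noise):
    """Eq. (2): X^{i+1}_t = c^i X^i_t + W^{2,i}_t."""
    return [C * xk + noise.gauss(0, S2) for xk in x]


def kalman_restore(u, nu, y, dt):
    """Scalar Kalman filter: state Eq. (6) driven by the known U^i and nu^i,
    observation y = X^{i+1} from Eq. (2).  Returns the estimate of X^i."""
    F = 1.0 + dt * (A - 1.0)       # one-step transition of Eq. (6)
    Q = (dt * BU * S1) ** 2        # per-step process-noise variance
    R = S2 ** 2                    # observation-noise variance
    x, P, est = 0.0, 10.0, []      # the initial state is unknown
    for k in range(len(y)):
        if k > 0:                  # predict with U_{k-1} and nu_{k-1}
            x = F * x + dt * BU * u[k - 1] + dt * B * nu[k - 1]
            P = F * F * P + Q
        K = P * C / (C * C * P + R)  # update with the observation y_k
        x += K * (y[k] - C * x)
        P *= 1.0 - K * C
        est.append(x)
    return est


def common_keys(n_bits, m, key_seed):
    """nu^1, nu^2: interpolated N(0, sigma_nu^2) draws from the shared seed."""
    key = random.Random(key_seed)
    return [interpolate([key.gauss(0, SV) for _ in range(n_bits)], m) for _ in range(2)]


def conceal_word(bits, m, key_seed, noise_seed):
    """Sect. 2.1 for N = 2: returns the concealed data (U^1, U^2, U^3)."""
    dt, noise = 1.0 / m, random.Random(noise_seed)
    nu1, nu2 = common_keys(len(bits), m, key_seed)
    x1 = binary_pulse(bits, m)
    u1 = conceal(x1, nu1, dt, noise)
    x2 = next_process(x1, noise)
    u2 = conceal(x2, nu2, dt, noise)
    x3 = next_process(x2, noise)
    return u1, u2, [v ** 3 for v in x3]          # Eq. (3) with f(xi) = xi^3


def restore_word(concealed, n_bits, m, key_seed):
    """Sect. 2.2 for N = 2: apply f^{-1}, then filter from U^2 down to U^1."""
    u1, u2, u3 = concealed
    dt = 1.0 / m
    nu1, nu2 = common_keys(n_bits, m, key_seed)
    x3 = [math.copysign(abs(v) ** (1.0 / 3.0), v) for v in u3]   # f^{-1}
    x2_hat = kalman_restore(u2, nu2, x3, dt)
    x1_hat = kalman_restore(u1, nu1, x2_hat, dt)
    return threshold_word(x1_hat, m)


def digest(word):
    """SHA-256 over the ASCII '0'/'1' characters (the encoding is our assumption)."""
    return hashlib.sha256(word.encode("ascii")).hexdigest()


def run_simulation(word=WORD_8, m=50, key_seed=1, noise_seed=2):
    """Conceal, restore and check; a_0 is dropped as in Sect. 3.2."""
    bits = "0" + word
    concealed = conceal_word(bits, m, key_seed, noise_seed)
    restored = restore_word(concealed, len(bits), m, key_seed)
    return {"original": bits[1:], "restored": restored[1:],
            "digest_original": digest(bits[1:]), "digest_restored": digest(restored[1:]),
            # what thresholding the concealed data directly yields (the wiretapper of Sect. 3.2)
            "wiretapper": [threshold_word(u, m) for u in concealed]}
```

`run_simulation()` restores $a\_1 \cdots a\_{99}$ exactly because Eq. (7) is the exact inverse of Eq. (6): the Kalman prediction step reproduces the state up to the small $b\_u W^{1,i}$ term, and the noisy observation of Eq. (2) only has to pin down the unknown initial state. That is also why the first bit is the one that cannot be trusted, and why thresholding $U\_t^3$ directly (the last entry of `wiretapper`) yields a word that disagrees with the original in a large fraction of its positions.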

We note that the graphs in Figs.  3 and 4 show that the concealed data $U\_t^1$, $U\_t^2$, and $U\_t^3$ are merely analog data. If a wiretapper becomes aware that the concealed data are for digital ones and knows our A/D transformation in some way, then the wiretapper gets a binary word from the concealed data as follows:

00111011000111011000111000001001101011111001101100 11011111101001111000010111100101101011000111100110

for $U\_t^1$,

00011011000111011010110000100100111001111011001010 01011001001001111010010111110101000010001110110110

for $U\_t^2$, and

10000000000010110101110000010001001100111100100100 00000101100111110101100010100010000001000111011001

for $U\_t^3$. Here, since the wiretapper does not know that we removed the first bit, every concealed datum $U\_t^i$ makes a word consisting of 100 characters. In Fig. 6 we show the comparison of the original binary pulse $X\_t$, its restoration $\widehat{X}\_t$, and the concealed data $U\_t^i$, *i* = 1, 2, 3.

**Fig. 6** $\widehat{X}\_t$ (Fig. 5) from the top in the left 2 graphs; $U\_t^1$ (Fig. 3), $U\_t^2$ (Fig. 3), and $U\_t^3$ (Fig. 4) from the top in the right 3 graphs. Here *t* ∈ [0, 99]

## **4 Application to Data on Physical Layer and Presentation Layer**

#### *4.1 Binary Data of Pictorial Image*

We now apply our mathematical method to the binary data of a pictorial image. We use digital data of a pictorial image in the ORL Database of Faces, an archive of AT&T Laboratories Cambridge (The ORL Database of Faces 2020). The data have grayscale values of 256 gradations (8 bit/pixel). We set our parameters as $A = A^i = 0.1$, $b = b^i = 1$, $b\_u = b\_u^i = 1$, $c = c^i = 1$, $\sigma\_1 = \sigma\_1^i = 0.1$, and $\sigma\_2 = \sigma\_2^i = 1$. We determine the common key $\nu^i(t)$ in the same way as in Sect. 3.2 with $\sigma\_\nu = 2$. The original pictorial image and its binary pulse $X\_t$ are shown in Fig. 7. Here, the upper bound of *t* is 92 × 112 = 10304 and *t* runs over [0, 10304]. We obtain the concealed data $U\_t^1$ and $U\_t^2$ by Eq. (7) as in Fig. 8, and the concealed data $U\_t^3$ by Eq. (3) as in Fig. 9. The restoration $\widehat{X}\_t$ and the restored pictorial image from it are in Fig. 10.

**Fig. 7** The original pictorial image (left) with the digital data, and its binary pulse $X\_t$ (right) only for *t* ∈ [0, 200]

**Fig. 8** The concealed data, $U\_t^1$ (left) and $U\_t^2$ (right), for the binary pulse $X\_t$ in Fig. 7. Here *t* ∈ [0, 200] only

If a wiretapper tries to get the original pictorial image from the concealed data $U^i_t$, $i = 1, 2, 3$, since the concealed data are analog as in Figs. 8 and 9, the wiretapper has to know our A/D transformation, and our transformation from the digital data to a pictorial image as well as some keys used in SES. The latter transformation should be done on upper layers. We now assume that the wiretapper can know the transformations. Then, each pictorial image of the concealed data, $U^i_t$, $i = 1, 2, 3$, is in Fig. 11. The format of the pictorial image of Fig. 7 is PGM (i.e., portable gray map). In fact, we cannot restore the PGM header from the concealed data, that is, the header of the PGM is completely broken. Thus, the wiretapper has to realize that the concealed data are for PGM in some way, and he/she has to write the header by himself/herself to restore the pictorial image.

**Fig. 9** The concealed data $U^3_t$ for the binary pulse $X_t$ in Fig. 7. Here $t \in [0, 200]$ only

**Fig. 10** The restoration $\tilde X_t$ for the binary pulse $X_t$ in Fig. 7 only for $t \in [0, 200]$ (right) and the restored pictorial image (left) of $\tilde X_t$

**Fig. 11** From the left, pictorial images of the concealed data, $U^1_t$, $U^2_t$ in Fig. 8, and $U^3_t$ in Fig. 9, for the binary pulse $X_t$ in Fig. 7. Here $(\sigma_v)^2 = 4$

As for the role of the common key $v^i(t)$, comparing Fig. 12 with Fig. 11, we can realize the effect of the variance of the common key $v^i(t)$ and the nonlinear function $f(\xi)$. The variance of the common key $v^i(t)$ is smaller in Fig. 12 than it is in Fig. 11, that is, $(\sigma_v)^2 = 4$ for Fig. 11 and $(\sigma_v)^2 = 1$ for Fig. 12, though the other parameters for Fig. 12 are the same as for Fig. 11. The contour of the face in the pictorial image of $U^1_t$ in Fig. 12 stands out more clearly than in Fig. 11. Meanwhile, the nonlinearity conceals the contour as in the pictorial image of $U^3_t$ in Fig. 12. In Fig. 13 we show the comparison of the original binary pulse $X_t$, its restoration $\tilde X_t$, and the concealed data $U^i_t$, $i = 1, 2, 3$.

**Fig. 12** From the left, pictorial images of the concealed data, $U^1_t$, $U^2_t$ in Fig. 8, and $U^3_t$ in Fig. 9, for the binary pulse $X_t$ in Fig. 7. Here $(\sigma_v)^2 = 1$

**Fig. 13** The original binary pulse $X_t$ and its restoration $\tilde X_t$ (Fig. 10) from the above of the left 2 graphs. $U^1_t$ (Fig. 8), $U^2_t$ (Fig. 8), and $U^3_t$ (Fig. 9) from the above of the right 3 graphs. Here $t \in [0, 200]$ only

#### *4.2 Analog Data of Pictorial Image*

We use analog data of a pictorial image in the Olivetti faces database (The Olivetti Faces Database 2020), where the data of pictorial images are transformed to analog data from the original ones in the ORL Database of Faces, an archive of AT&T Laboratories Cambridge (The ORL Database of Faces 2020). The data have the grayscale value of 256 gradations (8 bit/pixel). Our parameters are $A = A^i = 0.1$, $b = b^i = 1$, $b_u = b^i_u = 1$, $c = c^i = 1$, $\sigma_1 = \sigma^i_1 = 0.1$, and $\sigma_2 = \sigma^i_2 = 1$ again. We also use the common key $v^i(t)$ in the same way as in Sect. 3.2 with $\sigma_v = 2$. The original analog data $X_t$ and their pictorial image are in Fig. 14. Here, the upper bound of $t$ is $64 \times 64 = 4096$ and $t$ runs over $[0, 4096]$. The concealed data, $U^1_t$ and $U^2_t$, defined by Eq. (7) are in Fig. 15, and the concealed data $U^3_t$ defined by Eq. (3) are in Fig. 16. We can restore the pictorial image with the restoration $\tilde X_t$ as in Fig. 17. If a wiretapper becomes aware of our method to make a pictorial image from analog data, then the wiretapper gets pictorial images from the concealed data $U^i_t$, $i = 1, 2, 3$, as in Fig. 18. In Fig. 19 we show the comparison of the original binary pulse $X_t$, its restoration $\tilde X_t$, and the concealed data $U^i_t$, $i = 1, 2, 3$.

**Fig. 14** The original pictorial image (left) with the analog data, and the analog data $X_t$ only for $t \in [0, 200]$ (right)

**Fig. 15** The concealed data, $U^1_t$ (left) and $U^2_t$ (right), for the analog data $X_t$ in Fig. 14. Here, $t \in [0, 200]$ only

**Fig. 16** The concealed data $U^3_t$ for the analog data $X_t$, $t \in [0, 200] \subset [0, 4096]$, in Fig. 14

**Fig. 17** The restoration $\tilde X_t$ (right) for the analog data $X_t$ in Fig. 14 only for $t \in [0, 200]$, and the pictorial image (left) of $\tilde X_t$

**Fig. 18** From the left, pictorial images of the concealed data, $U^1_t$ (Fig. 15), $U^2_t$ (Fig. 15), and $U^3_t$ (Fig. 16)

**Fig. 19** The original data $X_t$ (Fig. 14) and its restoration $\tilde X_t$ (Fig. 17) from the above of the left 2 graphs. $U^1_t$ (Fig. 15), $U^2_t$ (Fig. 15), and $U^3_t$ (Fig. 16) from the above of the right 3 graphs. Here $t \in [0, 200]$ only

#### **5 Conclusion and Future Work**

We have proposed a mathematical technique for concealing data on the physical layer of the OSI reference model by using random noise disturbance, and moreover, a mathematical technique for restoring the concealed data by using stochastic process estimation. In this concealing-restoring system, the functionals determining the SDEs play the role of secret or common keys. Then, the proper noise-filtering theory forms the nucleus for restoring the concealed data. In addition, we have shown the simulation results for the data on the physical layer and some applications of the two techniques to pictorial images. We have presented one example of the functionals. Then, we have shown how to conceal the data by using the noise disturbance, and have demonstrated how to restore the data by removing the noise. Here, the significant point to be emphasized is that any composition of the SES and any form of the individual functional will do, so long as a proper noise-filtering method is established for them. We briefly comment on this at the tail end of this section.

We have used scalar-valued processes, and thus prepared just one common key for one SDE. We can prepare several common keys for one SDE by using vector-valued processes.

Although we have employed the message digest to check the coincidence of the binary word and to detect falsification at the same time, we are now developing a method with low complexity so that we can do both for data on the physical layer.

**Fig. 20** From the left, the original pictorial image, the individual pictorial images of the concealed data $U^1_t$ and $U^2_t$, and the pictorial image of the restored data. The original pictorial image is a bitmap image, and the parameter $t$ of the original data $X_t$ runs over [0, 90123 byte]

**Fig. 21** Comparison between the pictorial images of $U^2_t$ with nonlinearity (left) and $X^2_t = f^{-1}(U^2_t)$ without nonlinearity (right)

According to our several experiments, including the concrete examples in Sect. 4, we think that the nonlinearity enhances the noise disturbance. For instance, the pictorial images in Fig. 20 are the case $N = 1$. Comparing the pictorial images of $U^2_t$ and $X^2_t = f^{-1}(U^2_t)$ in Fig. 21, we can say that the enhancement of the noise disturbance appears as the black color. We will study the roles of several parameters, including the nonlinearity. Here we describe the effect coming from the nonlinearity beforehand. The state space determined by Eq. (5) is constructed by the linear Gaussian model, and thus we used the linear Kalman filtering theory in Sects. 3 and 4. We can make it more general: a nonlinear, non-Gaussian state space. Then, we should employ another noise-filtering theory, such as the particle filtering theory (Bain and Crisan 2009). In fact, putting a concrete nonlinearity $N_A$ or another nonlinearity $N_B$ in the functional $F_i$ of Eq. (1), we obtain concealed data $U^{A,i}_t$ or $U^{B,i}_t$, $i = 1, 2, 3$, different from those in this paper. Then, the linear Kalman filtering theory is no longer useful. For instance, we respectively conceal the data in Figs. 7 and 14 using such functionals with the nonlinearity $N_A$ or $N_B$. Then, we cannot estimate the data from the concealed ones by the linear Kalman filter to our satisfaction. See Figs. 22, 23, 24, and 25. The difference between the restorations in Figs. 22 and 23 or between those in Figs. 24 and 25 depends on the degree of nonlinearity. We show the restoring system using the particle filter in Fujii and Hirokawa (2020).

**Fig. 22** The restoration $\tilde X_t$, $0 \le t \le 200$, from the concealed data, $U^{A,i}_t$, $i = 1, 2, 3$, with the nonlinearity $N_A$ using the Kalman filtering. The right picture is the pictorial image restored from such a restoration $\tilde X_t$

**Fig. 23** The restoration $\tilde X_t$, $0 \le t \le 200$, from the concealed data, $U^{B,i}_t$, $i = 1, 2, 3$, with the nonlinearity $N_B$ using the linear Kalman filtering. The right picture is the pictorial image restored from such a restoration $\tilde X_t$

**Fig. 24** The restoration $\tilde X_t$, $0 \le t \le 200$, from the concealed data, $U^{A,i}_t$, $i = 1, 2, 3$, with the nonlinearity $N_A$ using the linear Kalman filtering. The right picture is the pictorial image restored from such a restoration $\tilde X_t$

**Fig. 25** The restoration $\tilde X_t$, $0 \le t \le 200$, from the concealed data, $U^{B,i}_t$, $i = 1, 2, 3$, with the nonlinearity $N_B$ using the Kalman filtering. The right picture is the pictorial image restored from such a restoration $\tilde X_t$

**Acknowledgements** This work is partially based on Fujii's bachelor thesis at Hiroshima University in March, 2019. For useful comments and discussion, the authors thank the following: Kirill Morozov (University of North Texas), Shuichi Ohno (Hiroshima University), Kouichi Sakurai (Kyushu University), Takeshi Takagi (Hiroshima University), and Tatsuya Tomaru (Hitachi, Ltd.).


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Quantum Optics with Giant Atoms—the First Five Years**

**Anton Frisk Kockum**

**Abstract** In quantum optics, it is common to assume that atoms can be approximated as point-like compared to the wavelength of the light they interact with. However, recent advances in experiments with artificial atoms built from superconducting circuits have shown that this assumption can be violated. Instead, these artificial atoms can couple to an electromagnetic field at multiple points, which are spaced wavelength distances apart. In this chapter, we present a survey of such systems, which we call *giant atoms*. The main novelty of giant atoms is that the multiple coupling points give rise to interference effects that are not present in quantum optics with ordinary, small atoms. We discuss both theoretical and experimental results for single and multiple giant atoms, and show how the interference effects can be used for interesting applications. We also give an outlook for this emerging field of quantum optics.

**Keywords** Quantum optics · Giant atoms · Waveguide QED · Relaxation rate · Lamb shift · Superconducting qubits · Surface acoustic waves · Cold atoms

## **1 Introduction**

Natural atoms are so small (radius $r \approx 10^{-10}$ m) that they can be considered pointlike when they interact with light at optical frequencies (wavelength $\lambda \approx 10^{-6}$–$10^{-7}$ m) (Leibfried et al. 2003). If the atoms are excited to high Rydberg states, they can reach larger sizes ($r \approx 10^{-8}$–$10^{-7}$ m), but quantum-optics experiments with such atoms have them interact with microwave radiation, which has much longer wavelength ($\lambda \approx 10^{-2}$–$10^{-1}$ m) (Haroche 2013). It has thus been well justified in theoretical treatments of quantum optics to assume $r \ll \lambda$, called the *dipole approximation*, which simplifies the description of the interaction between light and matter (Walls and Milburn 2008).

A. Frisk Kockum (B)

Wallenberg Centre for Quantum Technology, Chalmers University of Technology, 412 96 Gothenburg, Sweden e-mail: anton.frisk.kockum@chalmers.se

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8_12

In recent years, experimental investigations of quantum optics have expanded to systems with *artificial atoms*, i.e., engineered quantum systems such as quantum dots (Hanson et al. 2007) and superconducting quantum bits (qubits) (You and Nori 2011; Xiang et al. 2013; Gu et al. 2017; Kockum and Nori 2019), which emulate essential aspects of natural atoms. The circuits making up superconducting qubits can be large, reaching sizes up to *r* ≈ 10−4–10−<sup>3</sup> m, but this is still small when compared with the wavelength of the microwave fields they interact with.

In 2014, one experiment (Gustafsson et al. 2014) forced quantum opticians to reconsider the dipole approximation. In that experiment, a superconducting transmon qubit (Koch et al. 2007) was coupled to surface acoustic waves (SAWs) (Datta 1986; Morgan 2007). Due to the low propagation velocity of SAWs, their wavelength was λ ≈ 10−<sup>6</sup> m, and the qubit, due to its layout with an interdigitated capacitance, coupled to the SAWs at multiple points, which were spaced λ/4 apart.

Motivated by this experiment, theoretical investigations on *giant atoms* were initiated (Kockum et al. 2014). The main finding was that the multiple coupling points lead to interference effects, e.g., the coupling of the giant atom to its environment becomes frequency-dependent (Kockum et al. 2014).

These initial experimental and theoretical works on giant atoms were published 5 years ago, at the time of writing for this book chapter. In this chapter, we give a brief survey of the developments in the field of quantum optics with giant atoms that have followed since. We begin in Sect. 2 with theory for giant atoms, looking first at the properties of a single giant atom (Sect. 2.1), including what happens when the coupling points are extremely far apart (Sect. 2.2), and then at multiple giant atoms (Sect. 2.3). In Sect. 3, we survey the different experimental systems where giant atoms have been implemented or proposed. We conclude with an outlook (Sect. 4) for future work on giant atoms, pointing to several areas where interesting results can be expected.

#### **2 Theory for Giant Atoms**

The experimental setup where giant atoms were first implemented (Gustafsson et al. 2014) falls into the category of waveguide quantum electrodynamics (QED). In waveguide QED (Gu et al. 2017; Roy et al. 2017), a continuum of bosonic modes can propagate in a one-dimensional (1D) waveguide and interact with atoms coupled to this waveguide. As reviewed in Gu et al. (2017), Roy et al. (2017), there is an abundance of theoretical papers dealing with one, two, or more atoms coupled to a 1D waveguide, but they almost all assume that the dipole approximation is valid, or, in other words, that the atoms are "small".

The difference between small and giant atoms is illustrated in Fig. 1. While a small atom, because of its diminutive extent, can be described as being connected to the waveguide at a single point, a giant atom couples to the waveguide at multiple

**Fig. 1** The difference between a small atom and a giant atom. **a** A small atom (two levels) couples to the 1D waveguide (grey) at a single point (red, coordinate *x*1). **b** A giant atom couples to the waveguide at multiple points (labelled *k*, coordinates *xk* ). The distance between two coupling points *k* and *n*, |*xk* − *xn*|, is *not* negligible compared to the wavelength of the modes in the waveguide that the atom interacts with

points, and the distance between these points *cannot* be neglected in comparison to the wavelength of the modes in the waveguide that couple to the atom. The relevant wavelength $\lambda$ to compare with is set by the (angular) transition frequency $\omega_\text{a}$ of the atom and the propagation velocity $v$ in the waveguide: $\lambda = 2\pi v/\omega_\text{a}$.

#### *2.1 One Giant Atom*

Quantum optics with a single giant atom was first studied theoretically in Kockum et al. (2014), prompted by the experiment in Gustafsson et al. (2014) (discussed in Sect. 3.1). For a small atom coupled to a continuum of modes, like in Fig. 1a, standard quantum-optics procedure is to derive a master equation by assuming that the coupling to the modes is relatively weak and tracing out the modes (Carmichael 1999; Gardiner and Zoller 2004; Walls and Milburn 2008). When considering whether the same procedure can be applied to a giant atom, there is a new timescale to take into account: the time it takes to travel in the waveguide between coupling points. In Kockum et al. (2014), this time was assumed small compared to the time it takes for an excitation in the atom to relax into the waveguide. With this assumption, the system is *Markovian*, i.e., the time evolution of the atom only depends on the present state of the system, not on the past (for the non-Markovian case, see Sect. 2.2). Thus, the standard master-equation derivation from quantum optics with small atoms can be applied here as well.

#### **2.1.1 Master Equation for a Giant Atom**

The derivation of a master equation for a giant atom starts from the total system Hamiltonian (we use units where $\hbar = 1$ throughout this chapter),

$$H = H_\text{a} + H_\text{wg} + H_\text{I},\tag{1}$$

with the bare atomic Hamiltonian

$$H_\text{a} = \sum_{m} \omega_{m} \,|m\rangle\langle m| \,,\tag{2}$$

the bare waveguide Hamiltonian

$$H_\text{wg} = \sum_{j} \omega_{j} \left( a_{\text{R}j}^{\dagger} a_{\text{R}j} + a_{\text{L}j}^{\dagger} a_{\text{L}j} \right), \tag{3}$$

and the interaction Hamiltonian

$$\begin{split} H_\text{I} &= \sum_{j,k,m} g_{jkm} \left( \sigma_{-}^{(m)} + \sigma_{+}^{(m)} \right) \\ &\times \left( a_{\text{R}j} e^{-i\omega_{j} x_{k}/v} + a_{\text{L}j} e^{i\omega_{j} x_{k}/v} + a_{\text{R}j}^{\dagger} e^{i\omega_{j} x_{k}/v} + a_{\text{L}j}^{\dagger} e^{-i\omega_{j} x_{k}/v} \right). \end{split} \tag{4}$$

Here, the atomic levels are labelled $m = 0, 1, 2, \ldots$, have energies $\omega_m$, and are connected through the lowering and raising operators $\sigma_-^{(m)} = |m\rangle\langle m+1|$ and $\sigma_+^{(m)} = |m+1\rangle\langle m|$. The bosonic modes in the waveguide are labelled with indices $j$ and with an index R (L) for right-moving (left-moving) modes. The corresponding annihilation and creation operators are $a$ and $a^\dagger$, respectively. The difference to the case of a small atom is the sum over coupling points labelled by $k$ in Eq. (4). The phase factors $e^{\pm i\omega_j x_k/v}$ are not present for a small atom. These phase factors give rise to interference effects. Note that the coupling strengths $g_{jkm}$ can depend on all of $j$, $k$, and $m$.

Following the standard master-equation derivation using the Born-Markov approximation, the resulting master equation becomes

$$\dot{\rho} = -i \left[ \sum_{m} \left( \omega_{m} + \Delta_{m} \right) |m\rangle\langle m| \,, \rho \right] + \sum_{m} \Gamma_{m+1,m} \mathcal{D} \left[ \sigma_{-}^{(m)} \right] \rho \,, \tag{5}$$

where $\rho$ is the density matrix for the atom, $\mathcal{D}[X]\rho = X\rho X^\dagger - \frac{1}{2} X^\dagger X \rho - \frac{1}{2} \rho X^\dagger X$ is the Lindblad superoperator describing relaxation (Lindblad 1976), and we have assumed negligible temperature $T$, i.e., $\omega_m \gg k_B T$. The relaxation rates for the atomic transitions $|m+1\rangle \to |m\rangle$ are

$$
\Gamma_{m+1,m} = 4\pi J \left( \omega_{m+1,m} \right) \left| A_m \left( \omega_{m+1,m} \right) \right|^2,\tag{6}
$$

where $\omega_{a,b} = \omega_a - \omega_b$, $J(\omega)$ is the density of states at frequency $\omega$ in the waveguide, and we have defined

$$A_m\left(\omega_j\right) = \sum_k g_{jkm} e^{i\omega_j x_k/v}.\tag{7}$$

The frequency shifts $\Delta_m$ of the atomic energy levels are Lamb shifts (Lamb and Retherford 1947; Bethe 1947) given by


$$\Delta_m = 2\mathcal{P} \int_0^\infty \mathrm{d}\omega \frac{J(\omega)}{\omega} \left( \frac{\left| A_m(\omega) \right|^2 \omega_{m+1,m}}{\omega + \omega_{m+1,m}} - \frac{\left| A_{m-1}(\omega) \right|^2 \omega_{m,m-1}}{\omega - \omega_{m,m-1}} \right) . \tag{8}$$

Both the relaxation rates and the Lamb shifts acquire a strong dependence on the atomic transition frequencies, encoded in the factor $A_m(\omega_j)$. For the case of a small atom, $A_m(\omega_j) = g_{jm}$, which is a constant provided that $g_{jm}$ does not depend strongly on $j$. The effect of this frequency dependence for giant atoms can be seen clearly if one considers the simple case of an atom with two coupling points $x_1$ and $x_2$ [compare Fig. 1b] having equally strong coupling to the waveguide. If the two points are half a wavelength apart, i.e., $|x_1 - x_2| = \pi v/\omega_{m+1,m}$, there will be destructive interference between emission from the two points, and the relaxation for the corresponding atomic transition is completely suppressed: $\Gamma_{m+1,m} = 0$. If the two points are one wavelength apart, there is instead constructive interference and the relaxation rate is enhanced.

#### **2.1.2 Frequency-Dependent Relaxation Rate**

To further understand the frequency dependence of the relaxation rates and the Lamb shifts, consider the case of a two-level atom coupled to the waveguide at $N$ equidistant points with equal coupling strength at each point. In this case, introducing the notation $\varphi = \omega_{1,0}(x_2 - x_1)/v$, we obtain (Kockum et al. 2014)

$$\Gamma_{1,0} = \gamma \frac{\sin^2\left(\frac{N}{2}\varphi\right)}{\sin^2\left(\frac{1}{2}\varphi\right)} = \gamma \frac{1-\cos\left(N\varphi\right)}{1-\cos\left(\varphi\right)},\tag{9}$$

$$
\Delta_1 = \gamma \frac{N \sin \left( \varphi \right) - \sin \left( N \varphi \right)}{2 \left[ 1 - \cos \left( \varphi \right) \right]}, \tag{10}
$$

where $\gamma$ is the relaxation rate that the atom would have had if it was coupled to the waveguide only at a single point. To obtain the Lamb shift, we have also made the simplifying assumptions that $J(\omega)$ is constant, that the lower limit of the integral in Eq. (8) can be extended down to $-\infty$, and that only the dominating second term in that integral contributes. Since $\Delta_0 = 0$ with these assumptions, Eq. (10) gives the full frequency shift for the two-level atom. In fact, the relaxation rate and the Lamb shift are related through a Hilbert transform due to Kramers–Kronig relations (Cohen-Tannoudji et al. 1998).
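As an added worked example (not code from the chapter or its authors), the following Python evaluates $A_m(\omega_j)$ of Eq. (7) for arbitrary coupling-point coordinates and strengths, obtains the relaxation rate of Eq. (6) from it with $J(\omega)$ taken constant so that rates are in units of $\gamma$, and checks it against the closed forms of Eqs. (9) and (10) and against the two-point interference cases discussed after Eq. (8). Function names such as `coupling_factor` and `central_peak_fwhm` are this example's own, and the coupling points and strengths are constructed inputs.

```python
"""Frequency-dependent relaxation of a giant atom, from Eqs. (6), (7), (9), (10).

Added example (not from the chapter). The density of states J(omega) is taken
constant, so every rate below is expressed in units of gamma, the rate the atom
would have with a single coupling point of strength g = 1.
"""
import cmath
import math

TWO_PI = 2 * math.pi


def coupling_factor(omega_over_v, points, strengths):
    """A_m(omega_j) of Eq. (7): sum over coupling points k of g_k exp(i omega x_k / v).

    omega_over_v is omega_j / v, points are the coordinates x_k, strengths the g_k.
    This is the discrete Fourier transform of the coupling points weighted by g_k.
    """
    return sum(g * cmath.exp(1j * omega_over_v * x) for g, x in zip(strengths, points))


def relaxation_rate(omega_over_v, points, strengths):
    """Gamma of Eq. (6) with J(omega) constant, in units of gamma: |A_m|^2."""
    return abs(coupling_factor(omega_over_v, points, strengths)) ** 2


def equidistant_points(n_points, spacing=1.0):
    """Coordinates x_k = k * spacing of N equally spaced coupling points (constructed)."""
    return [k * spacing for k in range(n_points)]


def relaxation_rate_equidistant(n_points, phi):
    """Closed form of Eq. (9), Gamma_{1,0}/gamma, with phi = omega_{1,0}(x_2 - x_1)/v.

    At phi = 2*pi*integer (neighbours one wavelength apart) the formula is 0/0; the
    limit is N^2, i.e. fully constructive interference between all points.
    """
    if math.isclose(math.cos(phi), 1.0, abs_tol=1e-12):
        return float(n_points ** 2)
    return (1 - math.cos(n_points * phi)) / (1 - math.cos(phi))


def lamb_shift_equidistant(n_points, phi):
    """Closed form of Eq. (10), Delta_1/gamma; its limit at phi = 2*pi*integer is 0."""
    if math.isclose(math.cos(phi), 1.0, abs_tol=1e-12):
        return 0.0
    return (n_points * math.sin(phi) - math.sin(n_points * phi)) / (2 * (1 - math.cos(phi)))


def closed_form_matches(n_points, phi, tol=1e-9):
    """True when Eq. (9) agrees with |A|^2 from Eq. (7) for N equal, equidistant points."""
    direct = relaxation_rate(phi, equidistant_points(n_points), [1.0] * n_points)
    return abs(direct - relaxation_rate_equidistant(n_points, phi)) <= tol * max(1.0, direct)


def central_peak_fwhm(n_points, step=1e-4):
    """Full width at half maximum (in phi) of the central peak at phi = 2*pi.

    The peak narrows as coupling points are added, roughly as 2*pi/N; this sharpness
    is what the text uses to locate the breakdown of the Markov approximation.
    """
    half = relaxation_rate_equidistant(n_points, TWO_PI) / 2
    lo = hi = TWO_PI
    while relaxation_rate_equidistant(n_points, lo) > half:
        lo -= step
    while relaxation_rate_equidistant(n_points, hi) > half:
        hi += step
    return hi - lo


if __name__ == "__main__":
    # Two equally coupled points half a wavelength apart: emission from the two
    # points cancels and Gamma = 0; one wavelength apart it is enhanced to 4 gamma.
    print("half wavelength:", relaxation_rate(math.pi, [0.0, 1.0], [1.0, 1.0]))
    print("one wavelength: ", relaxation_rate(TWO_PI, [0.0, 1.0], [1.0, 1.0]))
    # Unequal strengths cannot cancel completely: |1 - 0.5|^2 = 0.25.
    print("unequal g, half wavelength:", relaxation_rate(math.pi, [0.0, 1.0], [1.0, 0.5]))
    for n in (3, 10):
        agree = all(closed_form_matches(n, p) for p in (0.3, 1.7, 2.5, 5.0))
        print(f"N={n}: Eq. (9) vs Eq. (7) agree: {agree}, "
              f"peak FWHM in phi: {central_peak_fwhm(n):.3f}, "
              f"Lamb shift at phi=1.0: {lamb_shift_equidistant(n, 1.0):+.3f}")
```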

The relaxation rates and Lamb shifts in Eqs. (9)–(10) are plotted for two values of $N$ in Fig. 2. The central peak corresponds to the distance between neighbouring coupling points being one wavelength. Note that the frequency dependence becomes sharper when more coupling points are added; in frequency units, the width of the central peak is approximately $\omega_{1,0}/2\pi N$. This sharpness can be used to determine when the Markovian approximation underlying the master-equation derivation breaks down, which happens roughly when the relaxation rate changes noticeably within the linewidth of the atom, i.e., when $\Gamma_{1,0} \approx \omega_{1,0}/2\pi N$. Interestingly, this is approximately the same condition as when the travelling time between the outermost coupling points, $2\pi(N-1)/\omega_{1,0}$, becomes comparable to the relaxation time $1/\Gamma_{1,0}$.

**Fig. 2** Relaxation rates and Lamb shifts for a giant two-level atom with symmetrically spaced coupling points all having the same coupling strength. Red curves: $N = 3$ coupling points. Blue curves: $N = 10$ coupling points. Solid curves: Relaxation rates $\Gamma_{1,0}$. Dashed curves: Lamb shifts $\Delta_1$. The relaxation rates and Lamb shifts are scaled to the maximum relaxation rate $\Gamma_\text{max}$ for each $N$. Figure adapted from Kockum et al. (2014) with permission

An attractive feature of giant atoms is that the frequency dependence of their relaxation rates (and Lamb shifts) can be *designed* (Kockum et al. 2014). The frequency dependence is directly determined by Eq. (7), which is simply a discrete Fourier transform of the coupling-point coordinates, weighted by the coupling strength at each point. With $N$ coupling points, an experimentalist thus has $2N - 1$ knobs to turn (the translational invariance of the setup removes one degree of freedom). With enough coupling points, the curves in Fig. 2 can be moulded into any shape. Note that although the coupling-point coordinates and coupling strengths will be fixed in an experiment, superconducting qubits offer the possibility to tune the atomic frequency widely in situ (Gu et al. 2017; Kockum and Nori 2019), making it possible to move between regions with high and low relaxation rates during an experiment.

If we consider more than two atomic levels, other interesting applications of the frequency-dependent relaxation rate open up. As illustrated in Fig. 3, if the atomic transition frequencies $\omega_{1,0} \neq \omega_{2,1}$, it is possible to engineer the relaxation rates such that $\Gamma_{2,1}$ is at a maximum when $\Gamma_{1,0}$ is at a minimum. At that point, one can then create population inversion, and thus lasing, by driving the transition from $|0\rangle$ to $|2\rangle$ (Kockum et al. 2014). Recent experiments have been making use of this possibility to control the ratio of relaxation rates to enable electromagnetically induced transparency (EIT) (Andersson et al. 2020; Vadiraj et al. 2020).

**Fig. 3** Engineering population inversion in a giant atom. The blue curve and the red curve are the relaxation rates $\Gamma_{1,0}$ and $\Gamma_{2,1}$, respectively, as a function of transition frequency $\omega_{1,0}$. The plot assumes $N = 10$ equally spaced coupling points, with equal coupling strengths at all points, and an anharmonicity $\omega_{2,1} - \omega_{1,0} = -0.1 \times 2\pi v/(x_2 - x_1)$. The inset shows the level structure with the relaxation rates and a drive on the $|0\rangle \leftrightarrow |2\rangle$ transition (its strength carries the subscript d in the figure). Figure adapted from Kockum et al. (2014) with permission

#### **2.1.3 Comparison with an Atom in Front of a Mirror**

It is possible to engineer frequency-dependent relaxation rates and Lamb shifts also for small atoms. This can be achieved by placing a small atom in front of a mirror instead of in an open waveguide, a setup which has been considered in several theoretical (Meschede et al. 1990; Dorner and Zoller 2002; Beige et al. 2002; Dong et al. 2009; Koshino and Nakamura 2012; Wang et al. 2012; Tufarelli et al. 2013; Fang and Baranger 2015; Shi et al. 2015; Pichler and Zoller 2016) and experimental works (Eschner et al. 2001; Wilson et al. 2003; Dubin et al. 2007; Hoi et al. 2015; Wen et al. 2018, 2019). Here, the atomic relaxation can be enhanced or suppressed by interference with the mirror image of the atom. This setup is equivalent to a giant atom with two coupling points in a unidirectional waveguide.

However, this is the limit with a small atom in front of a mirror. In such a setup, it is not possible to increase the number of coupling points, or to have different coupling strengths at different coupling points, which means that the frequency dependence cannot be designed like for a giant atom. Furthermore, since propagation is unidirectional, it is not possible to have more advanced scattering, possible with a giant atom, where both reflection and transmission are influenced by interference between coupling points.

#### **2.1.4 Coupling a Giant Atom to a Cavity**

By introducing reflective boundary conditions at both ends of the waveguide in Fig. 1, a multimode cavity will be formed. The coupling of a giant atom to such a cavity has yet to be explored as thoroughly as the open-waveguide case. We can see that similar interference effects as in the open waveguide will come into play. It will thus, for example, be possible to arrange the coupling points such that the giant atom couples strongly to some modes of the cavity and is decoupled from other modes. This can to some extent already be achieved with a small atom, whose single coupling point can be at a node for some modes and at an antinode for others. However, we note that a recent theory proposal (Ciani and DiVincenzo 2017) uses a superconducting qubit with tunable coupling connected at multiple points to two resonators to cancel certain unwanted interaction terms while keeping desired interaction terms; it is shown that this would not have been possible with a small atom.

#### *2.2 One Giant Atom with Time Delay*

Consider a giant atom with two coupling points spaced such that it takes a time $\tau$ for light (or sound) to travel between them. In the previous section, it was assumed that $\tau$ was small compared to the relaxation time $1/\Gamma$. When this no longer is the case, the giant atom enters the non-Markovian regime, where the time evolution of the system can depend on what the system state was at an earlier time. In a giant atom, this non-Markovianity can manifest itself in revivals of the atomic population if energy is sent out from the atom at one coupling point and later is reabsorbed at another coupling point.

Four theoretical studies (Guo et al. 2017; Ask et al. 2019a; Guo et al. 2019, 2020) have explored this regime (the latter three considering more than two coupling points). In Ask et al. (2019a), it was shown that τ = 1 constitutes a sharp border for when time-delay effects become visible. When the system transitions from τ < 1 to τ > 1, the response of the giant atom to a weak coherent probe goes from showing one resonance to showing two. This is similar to the appearance of a vacuum Rabi splitting when an atom becomes strongly coupled to a cavity (the mathematical condition for the appearance of the splitting is actually exactly the same as for an atom in a multimode cavity Ask et al. 2019a; Krimer et al. 2014). In the case of the giant atom, the multiple coupling points act as a cavity when the coupling becomes strong enough or the travelling time becomes long enough.

In Guo et al. (2017), the cases Γτ > 1 and Γτ ≫ 1 were studied in more detail. As Γτ increases, an initially excited giant atom exhibits more and more revivals of its population. In the limit of large Γτ, it turns out that the total energy stored in the giant atom and between its coupling points no longer decays exponentially with time *t*, as for a small atom, but instead decays polynomially (∝ 1/√*t*). Furthermore, the timescale for this decay is no longer set by the decay rate Γ, but by the travel time τ. These predictions for a giant atom with time delay were recently confirmed in an experiment (Andersson et al. 2019) (see Sect. 3.1 for more on the experimental platform used).

In Guo et al. (2019), it was shown that extending the setup from Guo et al. (2017) to three or more coupling points enables qualitatively different phenomena: oscillating bound states. These oscillating bound states do not decay into the waveguide; instead, the energy oscillates persistently between the atom and the waveguide modes in between the outermost coupling points of the atom. This result appears connected to that of Ask et al. (2019a) discussed above, and similar results have been obtained in Guo et al. (2020).

There are similarities between a giant atom with time delay and the previously studied (Dorner and Zoller 2002; Tufarelli et al. 2013; Pichler and Zoller 2016) setup with a small atom placed far from a mirror. However, in the giant-atom case scattering processes will involve both reflection and transmission, and the second-order correlation functions for these signals, calculated in Guo et al. (2017), exhibit oscillations between bunching and anti-bunching on a timescale set by τ.

#### *2.3 Multiple Giant Atoms*

When multiple small atoms are coupled to a waveguide, they can be spaced wavelength distances apart, which leads to interference effects influencing the collective behaviour of the atoms (Gu et al. 2017; Roy et al. 2017; Lehmberg 1970b, a; Lalumière et al. 2013; Zheng and Baranger 2013). Well-known examples include super- and sub-radiance (Dicke 1954; Lalumière et al. 2013), i.e., increased and decreased emission rates due to collective decay, and an effective coupling (sometimes called collective Lamb shift) between pairs of atoms, mediated by virtual photons in the transmission line (Friedberg et al. 1973; Scully and Svidzinsky 2010; Wen et al. 2019). Given this, one might wonder whether there is something left to set multiple giant atoms apart from multiple small atoms. After all, it was mainly the interference effects that separated a single giant atom from a single small atom.

In Kockum et al. (2018), the properties of multiple giant atoms were studied thoroughly and compared to those of multiple small atoms. The simplest cases considered are pictured in Fig. 4. For each of these setups, a master equation of the same form can be derived, assuming again that the travel time between coupling points is negligible:

$$\begin{split} \dot{\rho} &= -i \left[ \omega\_a^{\prime} \frac{\sigma\_z^a}{2} + \omega\_b^{\prime} \frac{\sigma\_z^b}{2} + \mathfrak{g} \left( \sigma\_-^a \sigma\_+^b + \sigma\_+^a \sigma\_-^b \right), \rho \right] \\ &+ \Gamma\_a \mathcal{D} \left[ \sigma\_-^a \right] \rho + \Gamma\_b \mathcal{D} \left[ \sigma\_-^b \right] \rho + \Gamma\_{\text{coll}} \left[ \left( \sigma\_-^a \rho \sigma\_+^b - \frac{1}{2} \left\{ \sigma\_+^a \sigma\_-^b, \rho \right\} \right) + \text{H.c.} \right], \end{split} \tag{11}$$

where ω′<sub>*j*</sub> is the transition frequency of atom *j* (we label the left atom *a* and the right atom *b*) including Lamb shifts, *g* is the strength of the exchange interaction mediated by the waveguide between the atoms, Γ<sub>*j*</sub> is the individual relaxation rate of atom *j*, Γ<sub>coll</sub> is the collective relaxation rate, and H.c. denotes the Hermitian conjugate.

**Fig. 4** Setups for two small and two giant atoms. **a** Two small atoms in an open waveguide. **b** Two small atoms in a waveguide terminated by a mirror on the left. **c** Two "separate" giant atoms, where the rightmost coupling point of the left atom is left of the leftmost coupling point of the right atom. **d** Two "braided" giant atoms, where each atom has a coupling point that lies in between the two coupling points of the other atom. **e** Two "nested" giant atoms, where the coupling points of one atom all lie in-between the coupling points of the other atom. Figure adapted from Kockum et al. (2018) with permission

Assuming that the atoms couple to the waveguide with equal strength at each coupling point, and that the distances between neighbouring coupling points are equal, corresponding to a phase shift ϕ, the coefficients *g*, Γ<sub>*j*</sub>, and Γ<sub>coll</sub> in Eq. (11) have simple expressions as functions of ϕ (Kockum et al. 2018). These functions are plotted in Fig. 5 for all the setups in Fig. 4. Looking at the individual relaxation rates (dashed curves), we see that they are always non-zero for small atoms in an open waveguide, but for setups with giant atoms there are points where Γ<sub>*j*</sub> = 0, as we know from the discussion of single giant atoms in Sect. 2.1. Furthermore, at the points where Γ<sub>*j*</sub> = 0, the collective relaxation rate Γ<sub>coll</sub> also goes to zero. It is thus clear that setups with multiple giant atoms can be completely protected from relaxation into the waveguide.

The most remarkable feature in Fig. 5 is found when looking at the behaviour of the exchange interaction *g* at the points where the relaxation rates are zero. One might think that since interference effects at these points prevent the atoms from relaxing into the waveguide, it should not be possible for the waveguide to mediate interaction between the atoms. However, it turns out that *g* can be *non-zero* here for one of the three giant-atom setups: the braided giant atoms. This effect has recently been confirmed in experiment (Kannan et al. 2020) (see Sect. 3.2 for more on the experimental platform used).

One way to understand this protected interaction is to note that Γ<sub>*j*</sub> = 0 when the phase between the coupling points of atom *j* is an odd integer multiple of π. The collective relaxation is due to interference between emission from coupling points of different atoms, but the sum total of these contributions is zero if the emissions from the two coupling points of one of the atoms interfere destructively. The exchange interaction arises due to emission from coupling points of one atom being absorbed at coupling points of the other atom. If the giant atoms are in the separate or nested configurations, the emissions from the two coupling points of atom *b* cancel if Γ<sub>*b*</sub> = 0, but in the case of *braided* giant atoms, the two inner coupling points are placed in between the coupling points of the other atom, so there is no condition forcing the contributions from the two coupling points of the other atom to interfere destructively.

**Fig. 5** Exchange interaction *g* (solid curves), individual relaxation rates Γ<sub>*j*</sub> (dashed curves), and collective relaxation rates Γ<sub>coll</sub> (dotted curves) as a function of ϕ for the setups in Fig. 4. The colours of the curves denote the ordering of coupling points: *ab* [small atoms, Fig. 4a, black], *aabb* [separate giant atoms, Fig. 4c, blue], *abab* [braided giant atoms, Fig. 4d, green], and *abba* [nested giant atoms, Fig. 4e, red]. The last case is qualitatively equivalent to small atoms in front of a mirror [Fig. 4b]. For this case, there are two dashed curves (red), one for *a* and one for *b*. Figure adapted from Kockum et al. (2018) with permission
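To make the structure of Eq. (11) concrete, the following is an added example (not code from the chapter or from Kockum et al. 2018) that integrates the two-atom master equation numerically with a fixed-step Runge–Kutta scheme. All parameter values are constructed for illustration, and the function names (`protected_swap`, `bare_decay`, and the helpers) are chosen here rather than taken from the text. The closed-form expressions for *g* and the Γ's as functions of ϕ are not reproduced in this chapter, so the rates are supplied directly as inputs. At an operating point with Γ<sub>*a*</sub> = Γ<sub>*b*</sub> = Γ<sub>coll</sub> = 0 but *g* ≠ 0, as for the braided giant atoms, an excitation placed on atom *a* is transferred coherently to atom *b* (reaching it fully at *gt* = π/2) and passes through a pure, maximally entangled state at *gt* = π/4; for comparison, with *g* = 0 and Γ<sub>*a*</sub> = Γ<sub>*b*</sub> = Γ the population of atom *a* decays as exp(−Γ*t*).

```python
"""Added example (not from the chapter): integrate the two-atom master
equation (11) with a small pure-Python 4x4 matrix toolkit and a fixed-step
RK4 integrator.  All parameter values below are constructed for illustration."""

I2 = [[1 + 0j, 0j], [0j, 1 + 0j]]
SZ = [[1 + 0j, 0j], [0j, -1 + 0j]]          # sigma_z, basis ordering (|e>, |g>)
SM = [[0j, 0j], [1 + 0j, 0j]]               # sigma_- = |g><e|

def mat_mul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def mat_add(A, B):
    return [[A[i][j] + B[i][j] for j in range(len(A))] for i in range(len(A))]

def mat_scale(c, A):
    return [[c * x for x in row] for row in A]

def mat_dag(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A))]

def kron(A, B):
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]

SP = mat_dag(SM)
SM_A, SM_B = kron(SM, I2), kron(I2, SM)      # sigma_-^a (left atom), sigma_-^b (right atom)
SP_A, SP_B = kron(SP, I2), kron(I2, SP)
SZ_A, SZ_B = kron(SZ, I2), kron(I2, SZ)

def comm(A, B):
    return mat_add(mat_mul(A, B), mat_scale(-1, mat_mul(B, A)))

def anticomm(A, B):
    return mat_add(mat_mul(A, B), mat_mul(B, A))

def dissipator(L, rho):
    """D[L] rho = L rho L^dag - (1/2){L^dag L, rho}."""
    Ld = mat_dag(L)
    return mat_add(mat_mul(mat_mul(L, rho), Ld), mat_scale(-0.5, anticomm(mat_mul(Ld, L), rho)))

def rhs(rho, wa, wb, g, ga, gb, gcoll):
    """Right-hand side of Eq. (11): wa, wb are the Lamb-shifted transition
    frequencies, g the exchange interaction, ga, gb the individual relaxation
    rates and gcoll the collective relaxation rate."""
    H = mat_add(mat_add(mat_scale(wa / 2, SZ_A), mat_scale(wb / 2, SZ_B)),
                mat_scale(g, mat_add(mat_mul(SM_A, SP_B), mat_mul(SP_A, SM_B))))
    d = mat_scale(-1j, comm(H, rho))
    d = mat_add(d, mat_scale(ga, dissipator(SM_A, rho)))
    d = mat_add(d, mat_scale(gb, dissipator(SM_B, rho)))
    # collective term: (sigma_-^a rho sigma_+^b - (1/2){sigma_+^a sigma_-^b, rho}) + H.c.
    X = mat_add(mat_mul(mat_mul(SM_A, rho), SP_B),
                mat_scale(-0.5, anticomm(mat_mul(SP_A, SM_B), rho)))
    return mat_add(d, mat_scale(gcoll, mat_add(X, mat_dag(X))))

def evolve(rho, t_final, steps, **params):
    """Fixed-step fourth-order Runge-Kutta integration of d(rho)/dt = rhs(rho)."""
    dt = t_final / steps
    for _ in range(steps):
        k1 = rhs(rho, **params)
        k2 = rhs(mat_add(rho, mat_scale(dt / 2, k1)), **params)
        k3 = rhs(mat_add(rho, mat_scale(dt / 2, k2)), **params)
        k4 = rhs(mat_add(rho, mat_scale(dt, k3)), **params)
        incr = mat_add(mat_add(k1, mat_scale(2, k2)), mat_add(mat_scale(2, k3), k4))
        rho = mat_add(rho, mat_scale(dt / 6, incr))
    return rho

def excited_a():
    """Initial state |e_a, g_b><e_a, g_b| (basis order ee, eg, ge, gg)."""
    rho = [[0j] * 4 for _ in range(4)]
    rho[1][1] = 1 + 0j
    return rho

def pop_a(rho):  # Tr(sigma_+^a sigma_-^a rho)
    return (rho[0][0] + rho[1][1]).real

def pop_b(rho):  # Tr(sigma_+^b sigma_-^b rho)
    return (rho[0][0] + rho[2][2]).real

def purity(rho):  # Tr(rho^2); equals 1 for a pure state
    return sum(mat_mul(rho, rho)[i][i] for i in range(4)).real

def protected_swap(t):
    """Braided-type operating point: Gamma_a = Gamma_b = Gamma_coll = 0 but g != 0
    (constructed values: equal frequencies 5, g = 1, in units where hbar = 1)."""
    return evolve(excited_a(), t, 200, wa=5.0, wb=5.0, g=1.0, ga=0.0, gb=0.0, gcoll=0.0)

def bare_decay(t):
    """Comparison: no exchange interaction, individual relaxation Gamma = 1 (constructed)."""
    return evolve(excited_a(), t, 200, wa=5.0, wb=5.0, g=0.0, ga=1.0, gb=1.0, gcoll=0.0)

if __name__ == "__main__":
    half_pi = 3.141592653589793 / 2
    print("protected: P_b at gt = pi/2  ->", round(pop_b(protected_swap(half_pi)), 6))
    print("protected: purity at gt = pi/4 ->", round(purity(protected_swap(half_pi / 2)), 6))
    print("bare decay: P_a at Gamma t = 1 ->", round(pop_a(bare_decay(1.0)), 6))
```

The density matrix stays in the single-excitation block because the Hamiltonian conserves excitation number and the dissipators only move population downwards, so a 4×4 state is enough to see both the lossless swap and the decay without any truncation.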

We note that the protected interaction with braided giant atoms is reminiscent of the interaction between two small atoms in a waveguide with a bandgap (Kurizki 1990; Lambropoulos et al. 2000; Sundaresan et al. 2019). In that case, a bound state of photons forms around each atom that has a frequency in the bandgap, where propagation in the waveguide is impossible. The extension of these bound states decays exponentially with distance, but if two bound states overlap, the atoms can interact without decaying into the waveguide.

It is shown in Kockum et al. (2018) that the above conclusions about relations between relaxation rates and exchange interactions in giant atoms remain true even for the most general setups, with an arbitrary number of giant atoms, each having an arbitrary number of coupling points at arbitrary coordinates and with different coupling strength at each coupling point. This opens up interesting possibilities for constructing larger setups with protected exchange interaction between many giant atoms (Kockum et al. 2018).

It is also interesting that the case of two small atoms in front of a mirror, equivalent to nested giant atoms (red curves in Fig. 5), allows interaction even if one (but not both) of the atoms is prevented from relaxing into the waveguide. This has recently been confirmed in an experiment (Wen et al. 2019) with superconducting qubits in a transmission-line waveguide, and expanded upon in a connected theoretical study (Lin et al. 2019).

Finally, we note that a recent theoretical study (Karg et al. 2019) extended the treatment from giant atoms to arbitrary quantum systems, e.g., harmonic oscillators, interacting with a waveguide at multiple points. The study took into account losses in the waveguide and also considered the impact of time delays, and showed how these factors can affect the protected interaction that is possible with a nested setup.

#### **3 Experiments with Giant Atoms**

Waveguide QED can be implemented in several experimental systems (Gu et al. 2017; Roy et al. 2017), e.g., with quantum dots coupled to photonic crystal waveguides (Arcari et al. 2014), with quantum emitters coupled to plasmons in nanowires (Akimov et al. 2007; Huck and Andersen 2016), and with natural atoms coupled to optical fibres (Bajcsy et al. 2009), but the most versatile platform at the moment appears to be superconducting qubits coupled to transmission lines (Gu et al. 2017; Astafiev et al. 2010a, b; Hoi et al. 2011, 2012; van Loo et al. 2013; Hoi et al. 2013, 2015; Liu and Houck 2017; Forn-Díaz et al. 2017; Wen et al. 2018; Mirhosseini et al. 2018, 2019; Sundaresan et al. 2019; Wen et al. 2019). There are thus many systems where giant atoms could be implemented. So far, as reviewed in this section, experiments have been conducted exclusively with superconducting qubits, coupled to either surface acoustic waves (SAWs, Sect. 3.1) or transmission lines (Sect. 3.2). A theoretical proposal exists for an implementation with cold atoms in optical lattices (Sect. 3.3), and we expect that experiments will eventually be performed using more platforms.

#### *3.1 Superconducting Qubits and Surface Acoustic Waves*

Superconducting qubits (You and Nori 2011; Xiang et al. 2013; Gu et al. 2017; Kockum and Nori 2019) are electrical circuits with capacitances, inductances, and Josephson junctions (which function as non-linear inductances) that can emulate properties of natural atoms, e.g., energy-level structures and coupling to an electromagnetic field. These circuits usually have resonance frequencies ω on the order of GHz and are cooled to low temperatures *T* ≪ ħω/*k*<sub>B</sub> to prevent thermal fluctuations from interfering with quantum properties.

**Fig. 6** Experimental implementation of a giant atom with a superconducting qubit coupled to SAWs. **a** Sketch of the experimental setup. The IDT on the left is used both to send out SAWs to the right towards the qubit and to convert reflected SAW signals from the qubit into a voltage signal that can be read out. The qubit on the right has its capacitance formed like an IDT to interact with the SAWs. The two islands of the capacitance are also connected through two Josephson junctions (boxes with crosses), which function as a non-linear inductance, making the qubit essentially an anharmonic *LC* oscillator. The qubit can also be driven electrically through a gate on the top. **b** False-colour image of the experimental sample. The blue parts are the IDT to the right and the qubit to the left. The yellow parts are ground planes and the electrodes connecting to the IDT. The aspect ratio of the IDT, with fingers being much longer than they are wide, collimates the SAW beam such that it travels straight towards the qubit (and also in the opposite direction). Figure from Aref et al. (2016) with permission

In 2014, an experiment (Gustafsson et al. 2014) managed to couple a superconducting qubit of the transmon type (Koch et al. 2007) to SAWs, which are vibrations that propagate on the surface of a substrate (Datta 1986; Morgan 2007). The experimental setup is shown in Fig. 6. The substrate on which the SAWs propagate is piezoelectric, which means that the vibrations acquire an electromagnetic component. Vibrations can be induced by applying an oscillating voltage across two electrodes, in the form of an interdigitated transducer (IDT), placed on the surface. If the spacing between fingers in the electrode matches the wavelength of SAWs at the frequency of the applied signal, the induced SAWs add up coherently. Conversely, propagating SAWs that arrive at the transducer induce charge on the fingers such that the vibrations are converted into a voltage signal. The crucial invention in Gustafsson et al. (2014) was to let the capacitance in the transmon qubit double as an IDT to mediate a direct coupling between qubit and SAWs. Because of the slow propagation speed of SAWs, *v* ≈ 3000 m/s, the IDT finger spacing was on the order of *d* ≈ 1µm to match the resonance frequency around ω ≈ 5 GHz. As can be seen in the figure, many fingers were used in the qubit IDT, which corresponded to tens of wavelengths, making this a truly giant atom.

This first experiment with a giant atom could only probe the atom around a single frequency, since the IDT used to convert signals had a narrow bandwidth. The frequency-dependence of the qubit coupling (see Sect. 2.1.2) could therefore not be tested. However, the experimental platform with SAWs and qubits, called circuit quantum acoustodynamics (QAD) (Gustafsson et al. 2014; Aref et al. 2016; Manenti et al. 2017), has been adopted in several research groups. In their experiments (Manenti et al. 2017; Noguchi et al. 2017; Moores et al. 2018; Satzinger et al. 2018; Bolgar et al. 2018; Sletten et al. 2019; Bienfait et al. 2019), the qubit is coupled to a resonator for the SAW modes. Since the resonator is long, it has a narrow free spectral range, and the frequency-dependent coupling of the qubit is evident from how it couples with different strength to different modes. This selective coupling to modes has been used in a clever way to read out the number of phonons in a mode via the qubit (Sletten et al. 2019).

A particular advantage of the SAWs is that their slow propagation speed makes it possible to engineer a giant atom with a very long distance between coupling points. In the experiment of Andersson et al. (2019), distances exceeding 400 wavelengths were realized, corresponding to Γτ ≈ 14, i.e., well in the non-Markovian regime discussed in Sect. 2.2.

Another recent experiment (Andersson et al. 2020) with a superconducting transmon qubit and SAWs used the possibility to engineer the relaxation rates of the first two transitions of the transmon (see Sect. 2.1.2) to enable EIT. This appears to be the first time that EIT of a propagating mechanical mode has been demonstrated.

#### *3.2 Superconducting Qubits and Microwave Transmission Lines*

Superconducting qubits are usually coupled to microwave transmission lines, or *LC* resonators, instead of SAWs. The setup with a transmission line can also be used to implement giant atoms, as proposed in Kockum et al. (2014). One simply couples the transmission line to the qubit at one point, meanders the transmission line back and forth on the chip until a wavelength distance has been reached, and then connects the transmission line to the qubit once more. Due to size limitations, this approach will not allow for distances between coupling points on the order of hundreds of wavelengths or more, as is possible with SAWs. However, with the transmission line it is possible to engineer the coupling at each point and the distance between coupling points with great precision, which can be crucial for demonstrating the interference effects that lie at the heart of giant atoms.

Two recent experiments have followed this approach to implement one (Vadiraj et al. 2020) and two (Kannan et al. 2020) giant atoms. In the experiment with one giant atom, the frequency-dependent coupling shown in Fig. 2 was measured and the ability to manipulate the relaxation rates in a multilevel atom as in Fig. 3 was shown. In the experiment with two giant atoms, the decoherence-free interaction discussed in Sect. 2.3 was demonstrated.

This opens up interesting possibilities for preparing entangled many-body states in waveguide QED with many atoms, which otherwise is difficult due to the dissipation into the waveguide which always is present for small atoms (Kannan et al. 2020).

#### *3.3 Cold Atoms in Optical Lattices*

All experiments with giant atoms so far have taken place in 1D geometries at microwave frequencies and used superconducting qubits. A recent theory proposal (González-Tudela et al. 2019) shows how giant atoms instead could be implemented in higher dimensions on another platform for quantum-optics simulation: cold atoms in optical lattices. Here, one would use atoms with two internal states, each of which couples to a different optical lattice, realized by counter-propagating lasers. In one state, the atom mimics a photon moving in a lattice; in the other state, the atom mimics an atom trapped in a specific site. By rapidly modulating the relative positions of the two lattices, it is possible to engineer an effective interaction where the atomic state couples to the photonic state at multiple points (González-Tudela et al. 2019). It may be possible to achieve a similar effect with superconducting qubits coupled to several sites in a 2D lattice of superconducting resonators. While such lattices have been analysed and realized previously (Koch et al. 2010; Houck et al. 2012; Underwood et al. 2016), to the best of our knowledge it has not been suggested previously to couple one qubit to several lattice sites in such a setup.

The proposed setup with cold atoms displays rich physics with the giant atoms coupled to 2D photonic environments that have a band structure. It is possible to construct interference such that a single giant atom relaxes by only emitting its energy in certain directions. It is also possible to decouple giant atoms completely from the environment, but still have them interact by exchange interactions, like in Sect. 2.3. While this interference was possible with just two coupling points per atom in 1D, the 2D case requires at least four coupling points.

#### **4 Conclusion and Outlook**

Giant atoms are emerging as a new, interesting field of quantum optics. Following the first experimental realization and theoretical study in 2014, the field has grown quickly in the past 5 years. Theoretical investigations have been extended from one to multiple giant atoms, from 1D to higher-dimensional environments coupling to the atoms, and from the Markovian to the non-Markovian regime, where time delays between coupling points matter. These investigations have revealed remarkable properties of giant atoms, including frequency-dependent couplings and decoherence-free interactions, which are hard or impossible to realize with small atoms.

In parallel, the experimental platform for giant atoms, with SAWs coupled to superconducting qubits, has been further developed. There are now also experiments with superconducting qubits coupled to microwave transmission lines, and an experimental platform with cold atoms in optical lattices has been proposed. The experiments have confirmed many of the theoretical predictions, and also contributed with new ideas for applications of giant atoms.

Looking towards the future, we can formulate a long research agenda for giant atoms. At the heart of this agenda is the fact that giant atoms mainly differ from small atoms by the interference effects introduced by the multiple coupling points, which already has been shown to lead to new effects. It therefore seems prudent to revisit many well-known quantum-optics phenomena to see if giant atoms can enhance them or enable new physics. Below, we give a list of such projects:


yet clear if this can be implemented in experiments with giant atoms, it seems interesting to study chiral quantum optics with giant atoms theoretically. A related question is whether interference between light propagating in a waveguide, and light taking the "shortcut" between two coupling points through a giant atom, can be used to realize an effective chiral coupling.

This was recently answered affirmatively for a setup with two atoms that are both directly coupled to each other and each coupled at its own single point to a waveguide (∼ λ/4 apart) (Guimond et al. 2020).

**Acknowledgements** AFK acknowledges support from the Swedish Research Council (grant number 2019-03696), and from the Knut and Alice Wallenberg Foundation through the Wallenberg Centre for Quantum Technology (WACQT).

#### **References**


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Topics in Mathematics**

## **Extended Divisibility Relations for Constraint Polynomials of the Asymmetric Quantum Rabi Model**

**Cid Reyes-Bustos**

**Abstract** The quantum Rabi model (QRM) is widely regarded as one of the fundamental models of quantum optics. One of its generalizations is the asymmetric quantum Rabi model (AQRM), obtained by introducing a symmetry-breaking term depending on a parameter ε ∈ ℝ to the Hamiltonian of the QRM. The AQRM was shown to possess degeneracies in the spectrum for values ε ∈ ½ℤ via the study of the divisibility of the so-called constraint polynomials. In this article, we aim to provide further insight into the structure of Juddian solutions of the AQRM by extending the divisibility properties and the relations between the constraint polynomials and the solution of the AQRM in the Bargmann space. In particular, we discuss a conjecture proposed by Masato Wakayama.

**Keywords** Quantum Rabi models · Degenerate eigenvalues · Constraint polynomials · Juddian solutions

### **1 Introduction**

The *quantum Rabi model* (QRM) is one of the basic models in quantum optics, describing the interaction between a two-level atom and a light field. Its Hamiltonian *H*<sub>Rabi</sub> is given by

$$H\_{\text{Rabi}} = \omega a^\dagger a + g(a + a^\dagger) \sigma\_x + \Delta \sigma\_z,$$

where *a*<sup>†</sup> and *a* are the creation and annihilation operators of the quantum harmonic oscillator, σ<sub>*x*</sub>, σ<sub>*z*</sub> are the Pauli matrices

$$
\sigma\_x = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \qquad \sigma\_z = \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix},
$$

ω > 0 is the classical frequency of the light field (modeled by a quantum harmonic oscillator), 2Δ > 0 is the energy difference of the two-level system and *g* > 0 is the interaction strength between the two systems. In our discussion we have set ħ = 1 with no loss of generality. The QRM has a ℤ/2ℤ-symmetry that allows a decomposition *H*<sub>Rabi</sub> = *H*<sub>+</sub> ⊕ *H*<sub>−</sub> for Hamiltonians *H*<sub>±</sub> acting on appropriate subspaces of the Hilbert space in which *H*<sub>Rabi</sub> acts. Degeneracies are then found to appear naturally between one eigenvalue of *H*<sub>+</sub> and one eigenvalue of *H*<sub>−</sub>. The parameters (*g*, Δ, ω) of the QRM are classified into *parameter regimes* according to the static and dynamic properties of the resulting energy levels and their solutions (see Xie et al. 2017 for a discussion of parameter regimes).

C. Reyes-Bustos (✉)
Department of Mathematical and Computing Science, School of Computing, Tokyo Institute of Technology, 2-12-1 Ookayama, Meguro-ku, Tokyo 152-8550, Japan
e-mail: reyes@c.titech.ac.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8_13

Recent developments in experimental physics (Maissen et al. 2014; Yoshihara et al. 2017) have managed to realize parameter regimes (including the nonperturbative ultrastrong coupling and the deep strong coupling regimes) where approximate models, such as the Jaynes–Cummings model, can no longer describe the physical properties of the QRM. These developments, along with the prospect of applications to areas such as quantum information technologies (see Haroche and Raimond 2008; Yoshihara et al. 2017), have made the study of the properties of the QRM and its spectrum an important topic in physics. At the same time, there has been interest in the research of the mathematical aspects of the QRM and its generalizations (see, for example, Reyes-Bustos and Wakayama 2017; Sugiyama 2018; Wakayama 2017).

The *asymmetric quantum Rabi model* (AQRM) is one of these generalizations. The Hamiltonian of the AQRM is obtained by introducing a nontrivial interaction term that breaks the Z/2Z-symmetry in the Hamiltonian of the QRM. Concretely, its Hamiltonian is given by

$$H\_{\rm Rabi}^{\varepsilon} = \omega a^{\dagger}a + \Delta \sigma\_{z} + g\sigma\_{x}(a^{\dagger} + a) + \varepsilon \sigma\_{x},$$

with ε ∈ ℝ. In general, this model loses the ℤ/2ℤ-symmetry of the QRM, making the presence of degeneracies a nontrivial question; in particular, there appears to be no way to define invariant subspaces (called parity subspaces in the case of the QRM) whose solutions constitute degeneracies (or crossings).

However, and contrary to this intuition, degenerate states were discovered in numerical experiments for the case ε = 1/2 by Li and Batchelor (2015). Later, Masato Wakayama (2017) proved the existence in general for the case ε = 1/2 and conjectured the existence of degenerate states for the general half-integer ε case in terms of the divisibility of constraint polynomials. The conjecture was recently proved affirmatively for the general case by Kazufumi Kimoto, Masato Wakayama and the author (2017). The presence of degenerate solutions for half-integer parameter hints at the possibility of a hidden symmetry in the AQRM, as has been discussed in Semple and Kollar (2017) and Wakayama (2017).

In order to describe how the degeneracies in the spectrum of the AQRM appear, we introduce the constraint polynomials.

**Definition 1** Let *N* ∈ ℤ<sub>≥0</sub>. The polynomials *P*<sub>*k*</sub><sup>(*N*,ε)</sup>(*x*, *y*) of degree *k* ∈ ℤ<sub>≥0</sub> are defined recursively by

$$\begin{aligned} P\_0^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) &= 1, & P\_1^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) &= \mathbf{x} + \mathbf{y} - 1 - 2\varepsilon, \\ P\_k^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) &= (k\mathbf{x} + \mathbf{y} - k(k + 2\varepsilon)) P\_{k-1}^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) - k(k - 1)(N - k + 1)\mathbf{x} P\_{k-2}^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}). \end{aligned}$$

The polynomial *P*<sub>*N*</sub><sup>(*N*,ε)</sup>(*x*, *y*) is called the *constraint polynomial*, and its defining property is that if the parameters *g*, Δ > 0 satisfy the *constraint equation*

$$P\_N^{(N, \varepsilon)}((2g)^2, \Delta^2) = 0,$$

then λ = *N* + ε − *g*<sup>2</sup> is an eigenvalue of *H*<sup>ε</sup><sub>Rabi</sub>. Any eigenvalue of the AQRM arising from the zeros of the constraint polynomials in this way is called a *Juddian eigenvalue*.

The original conjecture proposed in Wakayama (2017) is summarized in the following theorem.

**Theorem 2** (Kimoto et al. 2017) *For N*, ℓ ∈ ℤ<sub>≥0</sub>*, we have*

$$P\_{N+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) = A\_N^{(\ell)}(\mathbf{x},\mathbf{y}) P\_N^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}),\tag{1}$$

*for a polynomial A*<sub>*N*</sub><sup>(ℓ)</sup>(*x*, *y*) ∈ ℤ[*x*, *y*]*. In addition, for* ℓ, *N* ∈ ℤ<sub>≥0</sub> *the polynomial A*<sub>*N*</sub><sup>(ℓ)</sup>(*x*, *y*) *has no zeros for x*, *y* > 0*.*

In other words, since the constraint polynomials at both sides of (1) correspond to the same eigenvalue, we see that any Juddian eigenvalue of the AQRM is degenerate when the parameter ε is half-integer. The proof of Theorem 2 is done by studying certain determinant expressions satisfied by the constraint polynomials.
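As an added illustration (not code from the paper, and using helper names chosen here rather than the paper's notation), the recursion of Definition 1 can be carried out in exact rational arithmetic and the divisibility asserted by Theorem 2 checked for small *N* and ℓ. Dividing *P*<sub>*N*+ℓ</sub><sup>(*N*+ℓ,−ℓ/2)</sup> by *P*<sub>*N*</sub><sup>(*N*,ℓ/2)</sup> with multivariate polynomial division gives zero remainder, and the quotient is the polynomial *A*<sub>*N*</sub><sup>(ℓ)</sup>(*x*, *y*) of Eq. (1); for *N* = ℓ = 1 one finds *A* = 2*x* + *y*. The division routine is general: it decides exact divisibility by any single bivariate polynomial, because one polynomial is a Gröbner basis of the ideal it generates, so the check is not limited to the constraint polynomials.

```python
"""Added example (not from the paper): exact arithmetic for the constraint
polynomials of Definition 1 and a divisibility check of Theorem 2, Eq. (1).
A polynomial in x, y is a dict {(i, j): Fraction} meaning coeff * x^i * y^j."""
from fractions import Fraction

def p_add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def p_mul(p, q):
    r = {}
    for (i1, j1), c1 in p.items():
        for (i2, j2), c2 in q.items():
            m = (i1 + i2, j1 + j2)
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def p_scale(c, p):
    c = Fraction(c)
    return {m: c * v for m, v in p.items()} if c != 0 else {}

def p_eval(p, x, y):
    return sum((c * Fraction(x) ** i * Fraction(y) ** j for (i, j), c in p.items()), Fraction(0))

def const(c):
    return {(0, 0): Fraction(c)} if c != 0 else {}

X, Y = {(1, 0): Fraction(1)}, {(0, 1): Fraction(1)}

def constraint_polys(N, eps):
    """[P_0, ..., P_N] for P_k^{(N, eps)}(x, y), following the recursion of Definition 1."""
    eps = Fraction(eps)
    polys = [const(1), p_add(p_add(X, Y), const(-1 - 2 * eps))]
    for k in range(2, N + 1):
        lead = p_add(p_add(p_scale(k, X), Y), const(-k * (k + 2 * eps)))
        tail = p_scale(-k * (k - 1) * (N - k + 1), p_mul(X, polys[k - 2]))
        polys.append(p_add(p_mul(lead, polys[k - 1]), tail))
    return polys[:N + 1]

def p_divmod(num, den):
    """Division by a single polynomial in lex order on (i, j).  A single
    polynomial is a Groebner basis of the ideal it generates, so the remainder
    is zero exactly when den divides num."""
    q, r, p = {}, {}, dict(num)
    lm_d = max(den)                                  # leading monomial of the divisor
    while p:
        lm_p = max(p)
        if lm_p[0] >= lm_d[0] and lm_p[1] >= lm_d[1]:
            t = {(lm_p[0] - lm_d[0], lm_p[1] - lm_d[1]): p[lm_p] / den[lm_d]}
            q = p_add(q, t)
            p = p_add(p, p_scale(-1, p_mul(t, den)))  # cancels the leading term of p
        else:
            r = p_add(r, {lm_p: p[lm_p]})
            del p[lm_p]
    return q, r

def divisible(num, den):
    return p_divmod(num, den)[1] == {}

def theorem2_quotient(N, ell):
    """(A, remainder) with P_{N+l}^{(N+l, -l/2)} = A * P_N^{(N, l/2)} + remainder."""
    lhs = constraint_polys(N + ell, Fraction(-ell, 2))[N + ell]
    rhs = constraint_polys(N, Fraction(ell, 2))[N]
    return p_divmod(lhs, rhs)

def theorem2_holds(N, ell):
    return theorem2_quotient(N, ell)[1] == {}

def p_str(p):
    def mono(i, j):
        return "*".join(v + ("^%d" % e if e > 1 else "") for v, e in (("x", i), ("y", j)) if e)
    terms = ["%s*%s" % (c, mono(i, j)) if (i or j) else str(c)
             for (i, j), c in sorted(p.items(), reverse=True)]
    return " + ".join(terms) if terms else "0"

if __name__ == "__main__":
    for N in range(4):
        for ell in range(4):
            A, rem = theorem2_quotient(N, ell)
            print("N=%d l=%d divisible=%s  A = %s" % (N, ell, rem == {}, p_str(A)))
```

Half-integer ε values must be passed as exact rationals (`Fraction(1, 2)` or the exactly representable float `0.5`), otherwise the recursion silently accumulates rounding error and the remainder test becomes meaningless.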

In the same paper, Wakayama (2017) (see also Reyes-Bustos and Wakayama 2017), a second conjecture was presented. This time the polynomials involved are not the constraint polynomials, but the intermediate polynomials *P*<sub>*k*</sub><sup>(*N*,ε)</sup>(*x*, *y*). Since these polynomials are also related to solutions of the eigenvalue problem of the QRM, the study of this conjecture may provide some new insight into the relation between solutions of the QRM.

**Conjecture 3** (Wakayama 2017) *Let N*, ℓ, *k* ∈ ℤ<sub>≥0</sub>*. There are polynomials A*<sub>*k*</sub><sup>(*N*,ℓ)</sup>(*x*, *y*) *and B*<sub>*k*</sub><sup>(*N*,ℓ)</sup>(*x*, *y*) *in* ℤ[*x*, *y*] *such that*

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) = A\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})P\_k^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) + B\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})$$

*with B*<sub>*N*</sub><sup>(*N*,ℓ)</sup>(*x*, *y*) = *B*<sub>0</sub><sup>(*N*,ℓ)</sup> = 0*. Furthermore, we have A*<sub>*k*</sub><sup>(*N*,ℓ)</sup>(*x*, *y*) > 0 *for x*, *y* > 0*.*

It is important to notice that, in the way it was described in Wakayama (2017), the conjecture does not have a unique solution. We discuss this issue in Sect. 3 and, by extending the divisibility properties of the constraint polynomials, give a candidate solution to the conjecture above. In addition, we describe the relation of the constraint polynomials with the coefficient solutions of the eigenvalue problem of the AQRM in the Bargmann space picture.

Finally, we remark that there have been recent efforts to define regime parameters of the QRM using information from the energy levels of the solutions and not just the dynamic properties (see Rossatto et al. 2017). This approach is based on knowledge on the parameters for which exceptional solutions appear (for instance, the zeros of constraint polynomials). We expect that the results given here for constraint polynomials may provide some further insight for the studies in this direction.

## **2 The Confluent Picture of the Asymmetric Quantum Rabi Model**

In this section we introduce the asymmetric quantum Rabi model (AQRM) and the realization of its eigenvalue problem in the Bargmann space, equivalent to a system of linear confluent Heun differential equations. After that we see that the coefficients of the solutions of the AQRM are expressed in terms of the constraint polynomials and other related polynomials. A good reference for Bargmann space methods is Schweber (1967).

The Bargmann space $\mathcal{H}_{\mathcal{B}}$ is the space of complex functions $f : \mathbb{C} \to \mathbb{C}$, holomorphic everywhere in the complex plane, satisfying

$$\|f\|_{\mathcal{B}} = \left(\frac{1}{\pi} \int_{\mathbb{C}} |f(z)|^2 e^{-|z|^2}\, dx\, dy\right)^{1/2} < \infty$$

for $z = x + iy$, where $dx\,dy$ is the Lebesgue measure on $\mathbb{C} \simeq \mathbb{R}^2$.

An important property of the Bargmann space is that it contains the entire functions $f$ having an asymptotic expansion of the form

$$f(z) = e^{a\_1 z} z^{-a\_0} (c\_0 + c\_1 z^{-1} + c\_2 z^{-2} + \cdots),\tag{2}$$

as $z \to \infty$ (see Braak 2011b). In particular, normal solutions of differential equations having an unramified singular point of rank 2 at infinity are included.

The Bargmann space $\mathcal{H}_{\mathcal{B}}$ is a Hilbert space unitarily equivalent to $L^2(\mathbb{R})$, and the realization of the creation and annihilation operators is given by

$$a \to \partial\_z, \qquad a^\dagger \to z,$$

where we use $\partial_z$ to denote $\frac{\partial}{\partial z}$. Recall that the Hamiltonian $H^{\varepsilon}_{\text{Rabi}}$ of the AQRM is given by

$$H^{\varepsilon}_{\text{Rabi}} = \omega a^{\dagger} a + \Delta \sigma_z + g \sigma_x (a^{\dagger} + a) + \varepsilon \sigma_x \,. \tag{3}$$

Without loss of generality, we set $\omega = 1$ for the remainder of the paper. Thus, when $H^{\varepsilon}_{\text{Rabi}}$ is realized as an operator acting on $\mathcal{H}_{\mathcal{B}} \otimes \mathbb{C}^2$, the Hamiltonian $\tilde{H}^{\varepsilon}_{\text{Rabi}}$ is given by

$$
\tilde{H}^{\varepsilon}_{\text{Rabi}} := \begin{bmatrix}
z \, \partial_z + \Delta & g \, (z + \partial_z) + \varepsilon \\
g \, (z + \partial_z) + \varepsilon & z \, \partial_z - \Delta
\end{bmatrix}.
$$

Then, the time-independent Schrödinger equation $H^{\varepsilon}_{\text{Rabi}}\phi = \lambda\phi$ ($\lambda \in \mathbb{R}$) is equivalent to the system of first-order differential equations

$$
\tilde{H}\_{\text{Rabi}}^{\varepsilon}\psi = \lambda\psi,\quad \psi = \begin{bmatrix} \psi\_1(z) \\ \psi\_2(z) \end{bmatrix},
$$

where eigenfunctions of $H^{\varepsilon}_{\text{Rabi}}$ associated with a given eigenvalue $\lambda \in \mathbb{R}$ correspond to solutions $\psi_i \in \mathcal{H}_{\mathcal{B}}$, $i = 1, 2$.

The eigenvalue problem of the AQRM is then reduced to finding entire functions $\psi_1, \psi_2 \in \mathcal{H}_{\mathcal{B}}$ and a real number $\lambda$ satisfying

$$\begin{cases} (z\partial\_z + \Delta)\psi\_1 + (g(z + \partial\_z) + \varepsilon)\psi\_2 = \lambda\psi\_1, \\ (g(z + \partial\_z) + \varepsilon)\psi\_1 + (z\partial\_z - \Delta)\psi\_2 = \lambda\psi\_2. \end{cases}$$

Now, by setting $\phi_{\pm} = \psi_1 \pm \psi_2$, we get

$$\begin{cases} (z+g)\frac{d}{dz}\phi\_+ + (gz+\varepsilon-\lambda)\phi\_+ + \Delta\phi\_- = 0, \\ (z-g)\frac{d}{dz}\phi\_- - (gz+\varepsilon+\lambda)\phi\_- + \Delta\phi\_+ = 0. \end{cases} \tag{4}$$

We note that the system (4) is equivalent to a second-order confluent Heun differential equation with an (unramified) irregular singular point at $z = \infty$ in addition to regular singular points at $z = \pm g$ (cf. Braak 2016). Therefore, by the discussion above and (2), any entire solution $\psi$ of (4) actually satisfies $\psi \in \mathcal{H}_{\mathcal{B}} \otimes \mathbb{C}^2$. This is a key property used to prove the integrability in Braak (2011a).

Notice also that by applying the substitution $z \to -z$, we obtain the alternative system

$$\begin{cases} (z+g)\frac{d}{dz}\bar{\phi}\_- + (gz+\varepsilon-\lambda)\bar{\phi}\_- + \Delta\bar{\phi}\_+ = 0, \\ (z-g)\frac{d}{dz}\bar{\phi}\_+ - (gz+\varepsilon+\lambda)\bar{\phi}\_+ + \Delta\bar{\phi}\_- = 0 \end{cases} \tag{5}$$

where $\bar{\phi}_{\pm}(z) = \phi_{\pm}(-z)$. Furthermore, the two systems are equivalent under the transformation $\varepsilon \to -\varepsilon$.

Setting $x = \lambda + g^2$, the solutions around the singularity $z = g$ (for $x \pm \varepsilon \notin \mathbb{Z}$) are given by

$$\phi\_+(z) = e^{-gz} \sum\_{n=0}^{\infty} \frac{\Delta K\_n^-}{x - \varepsilon - n} (z + g)^n, \qquad \phi\_-(z) = e^{-gz} \sum\_{n=0}^{\infty} K\_n^- (z + g)^n, \tag{6}$$

and by the symmetry mentioned above, the other set of solutions is given by

$$\bar{\phi}_{-}(z) = e^{gz} \sum_{n=0}^{\infty} \frac{\Delta K_n^{+}}{x - \varepsilon - n} (z + g)^{n}, \qquad \bar{\phi}_{+}(z) = e^{gz} \sum_{n=0}^{\infty} K_n^{+} (z + g)^{n}, \tag{7}$$

related by $\phi_{+}(z) = \bar{\phi}_{+}(-z)$ and $\phi_{-}(z) = \bar{\phi}_{-}(-z)$. For $n \in \mathbb{Z}_{\geq 0}$, define the functions $f_n^{\pm} = f_n^{\pm}(x, g, \Delta, \varepsilon)$ by

$$f\_n^{\pm}(\mathbf{x}, \mathbf{g}, \Delta, \varepsilon) = 2\mathbf{g} + \frac{1}{2\mathbf{g}} \left( n - \mathbf{x} \pm \varepsilon + \frac{\Delta^2}{\mathbf{x} - n \pm \varepsilon} \right). \tag{8}$$

The coefficients $K_n^{\pm}(x) = K_n^{\pm}(x, g, \Delta, \varepsilon)$ are then given by the recurrence relation

$$nK\_n^{\pm}(\mathbf{x}) = f\_{n-1}^{\pm}(\mathbf{x}, \mathbf{g}, \Delta, \varepsilon)K\_{n-1}^{\pm}(\mathbf{x}) - K\_{n-2}^{\pm}(\mathbf{x}) \quad (n \ge 1) \tag{9}$$

with initial conditions $K_{-1}^{\pm} = 0$ and $K_0^{\pm} = 1$.

The solutions (6) (resp. (7)) in general do not represent entire solutions. The condition for the solutions to be entire is given by the *G*-function. Next, we recall the definition of the *G*-function and refer the reader to Braak (2011a, 2011b) for the full details.

**Definition 4** The $G$-function for the Hamiltonian $H^{\varepsilon}_{\text{Rabi}}$ is defined as

$$G_{\varepsilon}(x; g, \Delta) := \Delta^2\, \bar{R}^{+}(x; g, \Delta, \varepsilon)\, \bar{R}^{-}(x; g, \Delta, \varepsilon) - R^{+}(x; g, \Delta, \varepsilon)\, R^{-}(x; g, \Delta, \varepsilon)$$

where

$$R^{\pm}(\mathbf{x}; \mathbf{g}, \Delta, \varepsilon) = \sum\_{n=0}^{\infty} K\_n^{\pm}(\mathbf{x}) \mathbf{g}^n \quad \text{and} \quad \bar{R}^{\pm}(\mathbf{x}; \mathbf{g}, \Delta, \varepsilon) = \sum\_{n=0}^{\infty} \frac{K\_n^{\pm}(\mathbf{x})}{x - n \pm \varepsilon} \mathbf{g}^n,\tag{10}$$

whenever $x \mp \varepsilon \notin \mathbb{Z}_{\geq 0}$, respectively.

The main property of the $G$-function (see, for example, Braak 2011a) is that for a fixed tuple of parameters $(g, \Delta, \varepsilon)$, the zeros $x_n$ of $G_{\varepsilon}(x; g, \Delta)$ correspond to eigenvalues $\lambda_n = x_n - g^2$ of $H^{\varepsilon}_{\text{Rabi}}$ with $x_n \neq N \pm \varepsilon$ for any integer $N \in \mathbb{Z}$. Any such eigenvalue is called a *regular eigenvalue* of the QRM. More precisely, if $x$ is a zero of the $G$-function, the solutions (6) can be analytically continued to the whole plane, and thus constitute solutions of the eigenvalue problem for the given eigenvalue $\lambda = x - g^2$.

In general, not every eigenvalue of the AQRM is regular. An eigenvalue that is not regular is called an *exceptional eigenvalue*. Equivalently, exceptional eigenvalues are those of the form $\lambda = N \pm \varepsilon - g^2$. If the power series in the solution for an exceptional eigenvalue terminates (i.e., is a polynomial), the eigenvalue is called *Juddian*; otherwise it is called a *non-Juddian exceptional* eigenvalue. We recall from the introduction that Juddian eigenvalues are those that arise from zeros of the constraint polynomials. We also remark that the exceptional eigenvalues are closely related to the poles of the $G$-function, and refer the reader to Kimoto et al. (2017) and Li and Batchelor (2015) for more information on exceptional eigenvalues.

After these preparations, we relate the coefficients of the solutions (resp. of the $G$-function) with the constraint polynomials. For brevity, we set $c_k^{(\varepsilon)} = k(k + 2\varepsilon)$ and $\lambda_k = k(k-1)(N-k+1)$. Then the polynomial $P_k^{(N,\varepsilon)}(x,y)$ is the determinant of a $k \times k$ tridiagonal matrix

$$P\_k^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) = \det(\mathbf{I}\_k \mathbf{y} + \mathbf{A}\_k^{(N)} \mathbf{x} + \mathbf{U}\_k^{(\varepsilon)}) \tag{11}$$

where $\mathbf{I}_k$ is the identity matrix of size $k$ and

$$\mathbf{A}_k^{(N)} = \text{tridiag}\begin{bmatrix} i & 0 \\ \lambda_{i+1} & \end{bmatrix}_{1 \le i \le k}, \quad \mathbf{U}_k^{(\varepsilon)} = \text{tridiag}\begin{bmatrix} -c_i^{(\varepsilon)} & 1 \\ 0 & \end{bmatrix}_{1 \le i \le k},$$

where we use the notation

$$\text{tridiag}\begin{bmatrix} a_i & b_i \\ c_i & \end{bmatrix}_{1 \le i \le n} := \begin{bmatrix} a_1 & b_1 & 0 & 0 & \cdots & 0 \\ c_1 & a_2 & b_2 & 0 & \cdots & 0 \\ 0 & c_2 & a_3 & b_3 & \cdots & 0 \\ \vdots & \ddots & \ddots & \ddots & \ddots & \vdots \\ 0 & \cdots & 0 & c_{n-2} & a_{n-1} & b_{n-1} \\ 0 & \cdots & 0 & 0 & c_{n-1} & a_n \end{bmatrix}.$$

The relation between the *N*th coefficient of the *G*-function and the constraint polynomials is seen in the next lemma.

**Lemma 5** (Kimoto et al. 2017) *Let $N \in \mathbb{Z}_{\geq 0}$. For $g > 0$, the relation*

$$(N!)^2 (2\mathbf{g})^N K\_N^-(N+\varepsilon; \mathbf{g}, \Delta, \varepsilon) = P\_N^{(N,\varepsilon)}((2\mathbf{g})^2, \Delta^2) \tag{12}$$

*holds. In addition, if $\varepsilon = \ell/2$ ($\ell \in \mathbb{Z}$), it also holds that*

$$((N+\ell)!)^2 (2g)^{N+\ell} K_{N+\ell}^{+}(N + \ell/2;\, g, \Delta, \ell/2) = P_{N+\ell}^{(N+\ell, -\ell/2)}((2g)^2, \Delta^2).$$

From this point of view, the constraint polynomials are multiples of the coefficients of the solutions of the associated system of differential equations at $x = N + \varepsilon$. This fact is important since it allows us to relate the residues at the poles of the $G$-function with the presence or absence of exceptional solutions (see Kimoto et al. 2017, Propositions 5.3, 5.5 and 5.6).

We proceed to generalize the result above to all the coefficients of the $G$-function. First, we note a simple but important relation between the coefficients $K_n^{-}(N+\varepsilon; g, \Delta, \varepsilon)$ and $K_n^{-}(n+\varepsilon; g, \Delta, \varepsilon)$ of the $G$-functions, and the corresponding relation between constraint polynomials.

**Lemma 6** *For $N, n \in \mathbb{Z}_{\geq 0}$ with $n \le N$,*

$$K\_n^-(N+\varepsilon; \mathbf{g}, \Delta, \varepsilon) = K\_n^-(n+\varepsilon; \mathbf{g}, \Delta, \varepsilon) + q\_0(\mathbf{g}, \Delta, \varepsilon, n, N),$$

*where $(2g)^n q_0(g, \Delta, \varepsilon, n, N) \in \mathbb{Z}[g, \Delta, \varepsilon, n, N]$ and*

$$q\_0(\mathbf{g}, \Delta, \varepsilon, N, N) = q\_0(\mathbf{g}, \Delta, \varepsilon, n, n) = 0.$$

*Moreover,*

$$P\_k^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) = P\_k^{(k,\varepsilon)}(\mathbf{x}, \mathbf{y}) + \bar{q}\_0(\mathbf{g}, \Delta, \varepsilon, n, N),$$

*where $\bar{q}_0(g, \Delta, \varepsilon, n, N) \in \mathbb{Z}[g, \Delta, \varepsilon, n, N]$ and $\bar{q}_0(g, \Delta, \varepsilon, N, N) = \bar{q}_0(g, \Delta, \varepsilon, n, n) = 0$.*

*Proof* We give the proof for the polynomials $P_k^{(N,\varepsilon)}(x,y)$, as the proof for the coefficients $K_n^{-}(N+\varepsilon; g, \Delta, \varepsilon)$ is completely analogous. In the determinant expression (11) for $P_k^{(N,\varepsilon)}(x,y)$, in each term $\lambda_i = i(i-1)(N-i+1)$ we write $N = k + (N-k)$ and then factor out the terms containing $N - k$ by the multilinearity of the determinant. This gives the result.

Next, we relate the coefficients of the solutions at $\bar{x} = N + \varepsilon$ with the constraint polynomials $P_n^{(n,\varepsilon)}(x,y)$. In the lemma below, for $a \in \mathbb{C}$ and $n \in \mathbb{Z}_{\geq 0}$, $(a)_n = a(a+1)\cdots(a+n-1)$ is the Pochhammer symbol.

**Lemma 7** *For $N, n \in \mathbb{Z}_{\geq 0}$ with $n \le N$, we have*

$$n!\,(N-n+1)_n\,(2g)^n K_n^{-}(N+\varepsilon;\, g, \Delta, \varepsilon) = P_n^{(n,\varepsilon)}((2g)^2, \Delta^2) + q_1(x, y; N, n, \varepsilon),$$

*with $q_1(x, y; N, n, \varepsilon) \in \mathbb{Z}[x, y, N, n, \varepsilon]$ such that $q_1(x, y; N, N, \varepsilon) = q_1(x, y; n, n, \varepsilon) = 0$.*

*Proof* For $n \le N$, define the auxiliary polynomials $P_k^{(N,n,\varepsilon)}(x,y)$ by the three-term recurrence relation

$$P\_k^{(N,n,\varepsilon)}(\mathbf{x},\mathbf{y}) = ((N-n+k)\mathbf{x}+\mathbf{y}-(N-n+k)^2 -2(N-n+k)\varepsilon)P\_{k-1}^{(N,n,\varepsilon)}(\mathbf{x},\mathbf{y})$$

$$-(N-n+k)(N-n+k-1)(n-k+1)\mathbf{x}P\_{k-2}^{(N,n,\varepsilon)},\tag{13}$$

with initial conditions $P_0^{(N,n,\varepsilon)}(x,y) = 1$ and

$$P\_1^{(N,n,\varepsilon)}(\mathbf{x}, \mathbf{y}) = (N - n + 1)\mathbf{x} + \mathbf{y} - (N - n + 1)^2 - 2(N - n + 1)\varepsilon.$$

Note that setting $n = N$ gives $P_k^{(N,N,\varepsilon)}(x,y) = P_k^{(N,\varepsilon)}(x,y)$.

Next, the determinant form (or continuant) of the three-term recurrence relation for the coefficients $K_n^{-}(x; g, \Delta, \varepsilon)$ is given by

$$K_n^{-}(x; g, \Delta, \varepsilon) = \frac{1}{n!} \det \begin{pmatrix} f_{n-1}^{-}(x) & 1 & 0 & \cdots & 0 & 0 \\ n-1 & f_{n-2}^{-}(x) & 1 & \cdots & 0 & 0 \\ \vdots & \vdots & \ddots & \ddots & \vdots & \vdots \\ 0 & 0 & 0 & \cdots & 1 & f_0^{-}(x) \end{pmatrix},$$

where we factored $\frac{1}{k}$ from each of the rows. Next, we see that

$$\begin{aligned} f\_k^-(N+\varepsilon) &= 2g + \frac{1}{2g} \left( k - N - 2\varepsilon + \frac{\Delta^2}{N-k} \right) \\ &= \frac{1}{(2g)(N-k)} \left( (2g)^2 (N-k) - (N-k)^2 - 2\varepsilon (N-k) + \Delta^2 \right) \\ &= \frac{1}{(2g)(N-k)} h(k, g, \Delta), \end{aligned}$$

with $h(k, g, \Delta)$ defined implicitly. Thus, we obtain the expression

$$K_n^{-}(N+\varepsilon; g, \Delta, \varepsilon) = \frac{1}{n!\,(2g)^n\,(N-n+1)_n} \det \text{tridiag}\begin{bmatrix} h(n-i, g, \Delta) & (2g)^2 (N-n+i)(N-n+i+1)(n-i) \\ 1 & \end{bmatrix}_{1 \le i \le n},$$

and we verify that the three-term recurrence relation corresponding to this determinant is exactly the one defining the polynomials $P_k^{(N,n,\varepsilon)}(x,y)$ above, with $x = (2g)^2$ and $y = \Delta^2$. Thus, we have proved that

$$n!\,(N-n+1)_n\,(2g)^n K_n^{-}(N+\varepsilon;\, g, \Delta, \varepsilon) = P_n^{(N,n,\varepsilon)}((2g)^2, \Delta^2).$$

The result then follows by factoring out the elements containing *N* − *n* from the determinant associated with the three-term recurrence relation (13).
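As an added check (this script is not part of the paper or of the works it cites), the following Python code evaluates the constraint polynomials through the determinant (11), the auxiliary polynomials $P_k^{(N,n,\varepsilon)}$ through the recurrence (13) and the coefficients $K_n^-$ through (8) and (9), all in exact rational arithmetic, and compares both sides of (12) in Lemma 5 and of the identity $n!(N-n+1)_n(2g)^n K_n^-(N+\varepsilon) = P_n^{(N,n,\varepsilon)}((2g)^2,\Delta^2)$ proved above for Lemma 7. The function names and the sample parameter values $(g, \Delta, \varepsilon) = (3/2, 5/7, 1/3)$ are this example's own choices.

```python
from fractions import Fraction
from math import factorial


def constraint_poly(k, N, eps, x, y):
    """P_k^{(N,eps)}(x, y) as the determinant (11) of the k x k tridiagonal
    matrix I_k y + A_k^{(N)} x + U_k^{(eps)}, expanded with the continuant
    recurrence D_i = a_i D_{i-1} - b_{i-1} c_{i-1} D_{i-2}: the diagonal is
    y + i x - c_i^{(eps)} with c_i = i(i + 2 eps), the super-diagonal is 1 and
    the sub-diagonal is lambda_{i+1} x with lambda_i = i(i-1)(N-i+1)."""
    x, y, eps = Fraction(x), Fraction(y), Fraction(eps)
    d_prev, d_cur = Fraction(0), Fraction(1)      # D_{-1} = 0, D_0 = 1
    for i in range(1, k + 1):
        diag = y + i * x - i * (i + 2 * eps)
        off = i * (i - 1) * (N - i + 1) * x       # b_{i-1} c_{i-1} = 1 * lambda_i x
        d_prev, d_cur = d_cur, diag * d_cur - off * d_prev
    return d_cur


def aux_poly(k, N, n, eps, x, y):
    """P_k^{(N,n,eps)}(x, y) from the three-term recurrence (13);
    taking n = N recovers P_k^{(N,eps)}(x, y)."""
    x, y, eps = Fraction(x), Fraction(y), Fraction(eps)
    p_prev, p_cur = Fraction(0), Fraction(1)      # P_{-1} = 0, P_0 = 1
    for j in range(1, k + 1):
        m = N - n + j
        p_prev, p_cur = p_cur, ((m * x + y - m * m - 2 * m * eps) * p_cur
                                - m * (m - 1) * (n - j + 1) * x * p_prev)
    return p_cur


def f_minus(n, x, g, delta, eps):
    """f_n^-(x, g, Delta, eps) of (8) with the lower signs."""
    return 2 * g + (n - x - eps + delta * delta / (x - n - eps)) / (2 * g)


def k_minus(n, x, g, delta, eps):
    """K_n^-(x; g, Delta, eps) from the recurrence (9):
    m K_m = f_{m-1} K_{m-1} - K_{m-2}, with K_{-1} = 0 and K_0 = 1."""
    x, g, delta, eps = Fraction(x), Fraction(g), Fraction(delta), Fraction(eps)
    k_prev, k_cur = Fraction(0), Fraction(1)
    for m in range(1, n + 1):
        k_prev, k_cur = k_cur, (f_minus(m - 1, x, g, delta, eps) * k_cur - k_prev) / m
    return k_cur


def lemma5_holds(N, g, delta, eps):
    """Checks (12): (N!)^2 (2g)^N K_N^-(N + eps) == P_N^{(N,eps)}((2g)^2, Delta^2)."""
    g, delta, eps = Fraction(g), Fraction(delta), Fraction(eps)
    lhs = factorial(N) ** 2 * (2 * g) ** N * k_minus(N, N + eps, g, delta, eps)
    rhs = constraint_poly(N, N, eps, (2 * g) ** 2, delta * delta)
    return lhs == rhs


def lemma7_identity_holds(n, N, g, delta, eps):
    """Checks the identity at the end of the proof of Lemma 7 (n <= N):
    n! (N-n+1)_n (2g)^n K_n^-(N + eps) == P_n^{(N,n,eps)}((2g)^2, Delta^2)."""
    g, delta, eps = Fraction(g), Fraction(delta), Fraction(eps)
    pochhammer = factorial(N) // factorial(N - n)          # (N-n+1)_n = N!/(N-n)!
    lhs = factorial(n) * pochhammer * (2 * g) ** n * k_minus(n, N + eps, g, delta, eps)
    rhs = aux_poly(n, N, n, eps, (2 * g) ** 2, delta * delta)
    return lhs == rhs


if __name__ == "__main__":
    # constructed sample parameters (g, Delta, eps) = (3/2, 5/7, 1/3)
    for N in range(1, 6):
        assert lemma5_holds(N, "3/2", "5/7", "1/3")
        for n in range(N + 1):
            assert lemma7_identity_holds(n, N, "3/2", "5/7", "1/3")
    print("Lemma 5 and the Lemma 7 identity hold for N <= 5 at the sample parameters")
```

Because $x = N + \varepsilon$ is used only with $n \le N$, every denominator $x - m - \varepsilon = N - m$ in (8) is a positive integer, so the computation never meets a pole of $f_m^-$; the `Fraction` type keeps all comparisons exact.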

From Lemmas 6 and 7, we immediately have the following corollary, giving several expressions for the coefficients in terms of the polynomials $P_n^{(N,\varepsilon)}(x,y)$.

**Corollary 8** *For $N, n \in \mathbb{Z}_{\geq 0}$ with $n \le N$, we have*

$$P\_n^{(N, \varepsilon)}((2g)^2, \Delta^2) = (n!)^2 (2g)^n K\_n^-(N+\varepsilon; \mathbf{g}, \Delta, \varepsilon) + q\_2(g^2, \Delta^2, n, N),$$

*where $q_2(g^2, \Delta^2, n, N) \in \mathbb{Z}[g^2, \Delta^2, N, n, \varepsilon]$ such that*

$$q_2(g^2, \Delta^2, n, n) = q_2(g^2, \Delta^2, N, N) = 0.$$

*Furthermore, we have*

$$P_n^{(N,\varepsilon)}((2g)^2, \Delta^2) = (n!)^2 (2g)^n K_n^{-}(n+\varepsilon; g, \Delta, \varepsilon) + \bar{q}_2(g^2, \Delta^2, n, N),$$

*with $\bar{q}_2(g^2, \Delta^2, n, N)$ satisfying the same properties as $q_2(g^2, \Delta^2, n, N)$.*

Using the results above, we can give an expression for the solutions of the confluent picture of the AQRM in terms of constraint polynomials. To see this, we notice that for $n \in \mathbb{Z}_{\geq 0}$ the following identity holds:

$$P_n^{(x,\varepsilon)}((2g)^2, \Delta^2) = (n!)\,(x-n+1)_n\,(2g)^n K_n^{-}(x+\varepsilon; g, \Delta, \varepsilon) + (x-n)\, q_n(g^2, \Delta^2, x),\tag{14}$$

where $x \notin \mathbb{Z}_{\geq 0}$ and $q_n(g^2, \Delta^2, x)$ is a polynomial with integer coefficients.

Next, we see that the solutions (6), (7), or the functions $R^{\pm}, \bar{R}^{\pm}$ appearing in the definition of the $G$-function, can be expressed in terms of constraint polynomials. For instance, we have

$$R^{-}(x+\varepsilon; g, \Delta, \varepsilon) = \sum_{n=0}^{\infty} \frac{P_n^{(x,\varepsilon)}((2g)^2, \Delta^2)}{(n!)\,(x-n+1)_n\,(2g)^n} + \sum_{n=0}^{\infty} \frac{(x-n)\, q_n(g^2, \Delta^2, x)}{(n!)\,(x-n+1)_n\,(2g)^n}.$$

From this expression (and the corresponding ones for $R^{+}$ and $\bar{R}^{\pm}$) it is possible to give a method for computing the residues at the poles of the $G$-function that is an alternative to the one in Kimoto et al. (2017).

## **3 Extended Divisibility Properties for Constraint and Related Polynomials**

In this section we return to Conjecture 3, originally presented in Wakayama (2017) (see also Reyes-Bustos and Wakayama 2017). As mentioned in the introduction, in its current form the conjecture may not have a unique solution. Indeed, let $A_k^{(N,\varepsilon)}(x,y), B_k^{(N,\varepsilon)}(x,y)$ and $\bar{A}_k^{(N,\varepsilon)}(x,y), \bar{B}_k^{(N,\varepsilon)}(x,y)$ be two pairs of polynomials satisfying the conditions of the conjecture. If the coefficients of $\frac{1}{2}\big(A_k^{(N,\varepsilon)}(x,y) + \bar{A}_k^{(N,\varepsilon)}(x,y)\big)$ and $\frac{1}{2}\big(B_k^{(N,\varepsilon)}(x,y) + \bar{B}_k^{(N,\varepsilon)}(x,y)\big)$ are integers, then these polynomials also satisfy the conditions of the conjecture, as long as the polynomial $\frac{1}{2}\big(A_k^{(N,\varepsilon)}(x,y) + \bar{A}_k^{(N,\varepsilon)}(x,y)\big)$ satisfies the positivity condition.

To get a better understanding of the divisibility structure, we extend some of the results given in Kimoto et al. (2017) and give a proposal for a solution of the conjecture that is compatible with the case of the constraint polynomials. In particular, we show how to obtain a family of solutions to the conjecture by using a method related to the one discussed above.

First, we recall a simple lemma on diagonalization that we use in the proofs below.

**Lemma 9** (Kimoto et al. 2017) *For $1 \le k \le N$, the eigenvalues of $\mathbf{A}_k^{(N)}$ are $\{1, 2, \ldots, k\}$ and the eigenvectors are given by the columns of the lower triangular matrix $\mathbf{E}_k^{(N)}$ given by*

$$(\mathbf{E}\_k^{(N)})\_{i,j} = (-1)^{i-j} \binom{i}{j} \frac{(i-1)!(N-j)!}{(j-1)!(N-i)!},$$

*for $1 \le i, j \le k$.*

*Proof* We have to check that $(\mathbf{A}_k^{(N)} \mathbf{E}_k^{(N)})_{i,j} = j\,(\mathbf{E}_k^{(N)})_{i,j}$ for every $i, j$. By definition, we see that

$$\begin{aligned} (\mathbf{A}\_k^{(N)} \mathbf{E}\_k^{(N)})\_{i,j} = j(\mathbf{E}\_k^{(N)})\_{i,j} &\iff (j-i)(\mathbf{E}\_k^{(N)})\_{i,j} = \lambda\_i (\mathbf{E}\_k^{(N)})\_{i-1,j} \\ &\iff (j-i)\binom{i}{j} = -i\binom{i-1}{j}, \end{aligned}$$

and the last equality is easily verified.

Next, we see that in general the polynomials $P_k^{(N,\varepsilon)}(x,y)$ are expressed as the determinant of a tridiagonal matrix plus a rank-one matrix.

**Proposition 10** *Let $k \in \mathbb{Z}_{\geq 0}$, then*

$$P_k^{(N,\varepsilon)}(x,y) = \det\left(\mathbf{I}_k y + \mathbf{D}_k x + \mathbf{C}_k^{(N,\varepsilon)} + \mathbf{e}_k\, {}^T\mathbf{u}_k^{(N)}\right),$$

*where $\mathbf{I}_k$ is the identity matrix, $\mathbf{D}_k = \operatorname{diag}(1, 2, \ldots, k)$, and $\mathbf{C}_k^{(N,\varepsilon)}$ is the tridiagonal matrix given by*

$$\mathbf{C}_k^{(N,\varepsilon)} = \text{tridiag}\begin{bmatrix} -i(2(N-i)+1+2\varepsilon) & 1 \\ i(i+1)\,c_{N-i}^{(\varepsilon)} & \end{bmatrix}_{1 \le i \le k},$$

$\mathbf{e}_k \in \mathbb{R}^k$ is the $k$th standard basis vector, and $\mathbf{u}_k^{(N)} \in \mathbb{R}^k$ is given entrywise by

$$\left(\mathbf{u}_k^{(N)}\right)_j = (-1)^{k-j+2} \binom{k+1}{j} \frac{k!\,(N-j)!}{(j-1)!\,(N-k-1)!}.$$

*Proof* By Lemma 9, the eigenvalues of $\mathbf{A}_k^{(N)}$ are $\{1, 2, \ldots, k\}$ and the eigenvectors are given by the columns of the lower triangular matrix $\mathbf{E}_k^{(N)}$ given by

$$(\mathbf{E}\_k^{(N)})\_{i,j} = (-1)^{i-j} \binom{i}{j} \frac{(i-1)!(N-j)!}{(j-1)!(N-i)!}.$$


Then, it suffices to verify that

$$\mathbf{U}\_k^{(\varepsilon)} \mathbf{E}\_k^{(N)} = \mathbf{E}\_k^{(N)} \mathbf{C}\_k^{(N,\varepsilon)} + \mathbf{E}\_k^{(N)} \mathbf{e}\_k{}^T \mathbf{u}\_k^{(N)}.\tag{15}$$

Note that the $k$th column of $\mathbf{E}_k^{(N)}$ is $\mathbf{e}_k$; therefore the last summand reduces to $\mathbf{e}_k\, {}^T\mathbf{u}_k^{(N)}$. For $i, j \le k$, set

$$d\_{ij} = (-1)^{i-j} \binom{i}{j} \frac{(i-1)!(N-j)!}{(j-1)!(N-i)!},$$

then, by using the elementary identities

$$j(j+1)c\_{N-j}^{(\varepsilon)}d\_{i,j+1} = -(i-j)(N-j+2\varepsilon)d\_{ij},$$

$$d\_{i+1,j} - d\_{i,j-1} = (i^2 + j^2 + ij - j - iN - jN)d\_{ij},$$

we see that

$$0 = c_i^{(\varepsilon)} d_{ij} + d_{i+1,j} + j(2(N-j)+1+2\varepsilon)\, d_{ij} - d_{i,j-1} - j(j+1)\,c_{N-j}^{(\varepsilon)} d_{i,j+1}. \tag{16}$$

For $i, j \le k$, we have $d_{ij} = (\mathbf{E}_k^{(N)})_{i,j}$, and (16) directly gives (15) for $1 \le j \le k$ and $1 \le i \le k-1$. For $i = k$, equation (16) reads

$$(\mathbf{U}\_k^{(\varepsilon)}\mathbf{E}\_k^{(N)} - \mathbf{E}\_k^{(N)}\mathbf{C}\_k^{(N,\varepsilon)})\_{k,j} = -d\_{k+1,j},$$

and the right-hand side is equal to the $i$th entry of $\mathbf{u}_k^{(N)}$, as desired.

Note that when $k = N$, by the definition of the entries, the vector $\mathbf{u}_k^{(N)}$ is equal to the zero vector, and the proposition above reduces to Proposition 4.2 of Kimoto et al. (2017).

**Corollary 11** *Let $k \in \mathbb{Z}_{\geq 0}$, then*

$$P\_k^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) = \det\left(\mathbf{I}\_k \mathbf{y} + \mathbf{D}\_k \mathbf{x} + \mathbf{C}\_k^{(N,\varepsilon)}\right) + R\_k^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}),$$

*for a polynomial $R_k^{(N,\varepsilon)} \in \mathbb{R}[x,y]$ with $R_N^{(N,\varepsilon)}(x,y) = 0$.*

Note that the polynomial $R_k^{(N,\varepsilon)}$ satisfies the condition expected of the polynomial $B_k^{(N,\ell)}(x,y)$ of the conjecture. Moreover, the polynomials given by the determinant of the tridiagonal matrix

$$\det\left(\mathbf{I}\_k \mathbf{y} + \mathbf{D}\_k \mathbf{x} + \mathbf{C}\_k^{(N, \varepsilon)}\right)$$

are exactly the polynomials $Q_k^{(N,\varepsilon)}(x,y)$ of Remark 3.6 of Kimoto et al. (2017).


*Proof* It is well known that if $\mathbf{A}$ is a square matrix, then

$$\det\left(\mathbf{A} + \mathbf{v}\, {}^T\mathbf{u}_k^{(N)}\right) = \det(\mathbf{A}) + {}^T\mathbf{v}\, \operatorname{adj}(\mathbf{A})\, \mathbf{u}_k^{(N)},$$

where $\operatorname{adj}(\mathbf{A})$ is the adjugate matrix, the transpose of the matrix of cofactors of $\mathbf{A}$. Applying this result along with Proposition 10, we get the determinant expression. Furthermore, we see that

$$R_k^{(N,\varepsilon)}(x,y) = {}^T\mathbf{e}_k\, \operatorname{adj}\left(\mathbf{I}_k y + \mathbf{D}_k x + \mathbf{C}_k^{(N,\varepsilon)}\right) \mathbf{u}_k^{(N)}$$

is a polynomial, since $\det\left(\mathbf{I}_k y + \mathbf{D}_k x + \mathbf{C}_k^{(N,\varepsilon)}\right)$ is clearly a polynomial. As mentioned above, $\mathbf{u}_k^{(N)} = 0$ when $N = k$, and thus the second claim follows.

**Remark 12** The polynomial $R_k^{(N,\varepsilon)}(x,y)$ is given explicitly by

$$R\_k^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) = -\sum\_{j=0}^{k-1} (-1)^{k-j} \binom{k+1}{j+1} \frac{k!(N-(j+1))!}{j!(N-(k+1))!} P\_j^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}).$$

In particular, this expression can be interpreted as the Fourier expansion of the polynomial $R_k^{(N,\varepsilon)}(x,y)$ with respect to the family of generalized orthogonal polynomials $\{P_k^{(N,\varepsilon)}(x,y)\}_{k \ge 0}$ (compare with Remark 7.2 in Kimoto et al. 2017). Here, generalized orthogonal polynomials (with respect to the variable $y$) are used in the sense of Brezinski (1980).

It also follows that

$$\mathcal{Q}\_k^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) = \sum\_{j=0}^k (-1)^{k-j} \binom{k+1}{j+1} \frac{k!(N-(j+1))!}{j!(N-(k+1))!} P\_j^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}),\tag{17}$$

and since the $Q_k^{(N,\varepsilon)}(x,y)$ are polynomials given by the determinant of a tridiagonal matrix, we immediately see that the right-hand side of (17) satisfies the three-term recurrence relation

$$\begin{aligned} \mathcal{Q}\_k^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) &= (k\mathbf{x} + \mathbf{y} - k(2(N+1-k) - 1 + 2\varepsilon)) \mathcal{Q}\_{k-1}^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) \\ &- k(k-1)(N+1-k)(N+1-k+2\varepsilon) \mathcal{Q}\_{k-2}^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}), \end{aligned}$$

which should be contrasted with Definition 1.

We note one more interesting consequence of equation (17). Setting vectors

$$\begin{aligned} {}^T\mathcal{P}_k^{(N,\varepsilon)}(x,y) &= \left(P_0^{(N,\varepsilon)}(x,y), P_1^{(N,\varepsilon)}(x,y), \dots, P_{k-1}^{(N,\varepsilon)}(x,y)\right), \\ {}^T\mathcal{Q}_k^{(N,\varepsilon)}(x,y) &= \left(\mathcal{Q}_0^{(N,\varepsilon)}(x,y), \mathcal{Q}_1^{(N,\varepsilon)}(x,y), \dots, \mathcal{Q}_{k-1}^{(N,\varepsilon)}(x,y)\right), \end{aligned}$$

we verify that

$$
\mathcal{Q}_k^{(N,\varepsilon)}(x,y) = \mathbf{E}_k^{(N)}\, \mathcal{P}_k^{(N,\varepsilon)}(x,y),
$$

where $\mathbf{E}_k^{(N)}$ is the matrix of Lemma 9. These identities and the relation with orthogonal polynomials are part of a forthcoming paper by the author (Reyes-Bustos 2019).
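The following Python script is an added numerical check of Lemma 9, of the decomposition $P_k = Q_k + R_k$ in Corollary 11 and of the identity (17) of Remark 12 in its vector form $\mathcal{Q}_k = \mathbf{E}_k^{(N)}\mathcal{P}_k$; it is not part of the paper or of the cited works. It evaluates all determinants by the continuant recurrence in exact rational arithmetic, so the identities are verified as exact equalities at integer and half-integer sample points. The function names, the handling of the factorial ratio in Remark 12 as a falling product (so that the $k = N$ case gives $R_N = 0$ without evaluating $(-1)!$) and the sample values are this example's own choices.

```python
from fractions import Fraction
from math import comb, factorial


def tridiag_det(diag, off):
    """Continuant of tridiag[a_i b_i; c_i]: D_i = a_i D_{i-1} - b_{i-1} c_{i-1} D_{i-2},
    with off[i-1] = b_i c_i, the product of the two off-diagonal entries."""
    d_prev, d_cur = Fraction(0), Fraction(1)
    for i, a in enumerate(diag):
        d_prev, d_cur = d_cur, a * d_cur - (off[i - 1] * d_prev if i > 0 else 0)
    return d_cur


def constraint_poly(k, N, eps, x, y):
    """P_k^{(N,eps)}(x, y) = det(I_k y + A_k^{(N)} x + U_k^{(eps)}), equation (11)."""
    x, y, eps = Fraction(x), Fraction(y), Fraction(eps)
    diag = [y + i * x - i * (i + 2 * eps) for i in range(1, k + 1)]   # y + i x - c_i^{(eps)}
    off = [(i + 1) * i * (N - i) * x for i in range(1, k + 1)]        # 1 * lambda_{i+1} x
    return tridiag_det(diag, off)


def q_poly(k, N, eps, x, y):
    """Q_k^{(N,eps)}(x, y) = det(I_k y + D_k x + C_k^{(N,eps)}), the tridiagonal
    determinant of Corollary 11 without the rank-one term."""
    x, y, eps = Fraction(x), Fraction(y), Fraction(eps)
    diag = [y + i * x - i * (2 * (N - i) + 1 + 2 * eps) for i in range(1, k + 1)]
    off = [i * (i + 1) * (N - i) * (N - i + 2 * eps) for i in range(1, k + 1)]  # 1 * i(i+1) c_{N-i}^{(eps)}
    return tridiag_det(diag, off)


def e_matrix(k, N):
    """E_k^{(N)} of Lemma 9 (needs k <= N); entry (i, j) stored at [i-1][j-1]."""
    def entry(i, j):
        if j > i:
            return 0
        size = comb(i, j) * factorial(i - 1) * factorial(N - j) // (factorial(j - 1) * factorial(N - i))
        return -size if (i - j) % 2 else size
    return [[entry(i, j) for j in range(1, k + 1)] for i in range(1, k + 1)]


def a_matrix(k, N):
    """A_k^{(N)} = tridiag[i 0; lambda_{i+1}] with lambda_i = i(i-1)(N-i+1)."""
    A = [[0] * k for _ in range(k)]
    for i in range(1, k + 1):
        A[i - 1][i - 1] = i
        if i < k:
            A[i][i - 1] = (i + 1) * i * (N - i)     # lambda_{i+1} below the diagonal
    return A


def matmul(X, Y):
    return [[sum(X[i][m] * Y[m][j] for m in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]


def lemma9_holds(k, N):
    """A_k^{(N)} E_k^{(N)} == E_k^{(N)} diag(1, ..., k)."""
    A, E = a_matrix(k, N), e_matrix(k, N)
    D = [[j + 1 if i == j else 0 for j in range(k)] for i in range(k)]
    return matmul(A, E) == matmul(E, D)


def q_equals_ep(k, N, eps, x, y):
    """(Q_0, ..., Q_{k-1}) == E_k^{(N)} (P_0, ..., P_{k-1}), i.e. identity (17)."""
    E = e_matrix(k, N)
    P = [constraint_poly(j, N, eps, x, y) for j in range(k)]
    Q = [q_poly(j, N, eps, x, y) for j in range(k)]
    return all(Q[i] == sum(E[i][j] * P[j] for j in range(k)) for i in range(k))


def remainder_poly(k, N, eps, x, y):
    """R_k^{(N,eps)}(x, y) from the explicit sum of Remark 12.  The ratio
    (N-(j+1))!/(N-(k+1))! is taken as the falling product (N-k)...(N-j-1),
    which equals it for k < N and is 0 for k = N (so R_N = 0)."""
    total = Fraction(0)
    for j in range(k):
        ratio = 1
        for m in range(N - k, N - j):
            ratio *= m
        coeff = comb(k + 1, j + 1) * factorial(k) * ratio // factorial(j)
        total += (-coeff if (k - j) % 2 else coeff) * constraint_poly(j, N, eps, x, y)
    return -total


def corollary11_holds(k, N, eps, x, y):
    """P_k^{(N,eps)} == Q_k^{(N,eps)} + R_k^{(N,eps)}, the decomposition of Corollary 11."""
    return (constraint_poly(k, N, eps, x, y)
            == q_poly(k, N, eps, x, y) + remainder_poly(k, N, eps, x, y))
```

For instance, at $N = 3$, $\varepsilon = 0$ and $(x, y) = (1, 0)$ the script gives $P_2 = -4$, $Q_2 = 8$ and $R_2 = -12$, and at $k = N$ the remainder is zero for any sample point, as Corollary 11 states.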

For completeness, we note that the case $k = N$ of the corollary above, which reduces to the result given in Kimoto et al. (2017), is used to show, among other things, that for a fixed $x \in \mathbb{R}$ (resp. $y \in \mathbb{R}$) all the roots with respect to $y$ (resp. $x$) of the constraint polynomial $P_N^{(N,\varepsilon)}(x,y)$ are real when $\varepsilon > -1/2$ (see Theorem 3.6 of Kimoto et al. 2017).

**Corollary 13** *Let $N \in \mathbb{Z}_{\geq 0}$. We have*

$$P\_N^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) = \det\left(\mathbf{I}\_N \mathbf{y} + \mathbf{D}\_N \mathbf{x} + \mathbf{S}\_N^{(N,\varepsilon)}\right),$$

*where $\mathbf{D}_N$ is the diagonal matrix of Proposition 10 and $\mathbf{S}_N^{(N,\varepsilon)}$ is the symmetric matrix given by*

$$\mathbf{S}_N^{(N,\varepsilon)} = \text{tridiag}\begin{bmatrix} -i(2(N-i)+1+2\varepsilon) & \sqrt{i(i+1)\,c_{N-i}^{(\varepsilon)}} \\ \sqrt{i(i+1)\,c_{N-i}^{(\varepsilon)}} & \end{bmatrix}_{1 \le i \le N}.$$

*Proof* Consider the case $k = N$ in Proposition 10. Notice that the matrices $\mathbf{I}_N y + \mathbf{D}_N x + \mathbf{C}_N^{(N,\varepsilon)}$ and $\mathbf{I}_N y + \mathbf{D}_N x + \mathbf{S}_N^{(N,\varepsilon)}$ are tridiagonal. By comparing the off-diagonal elements, we see that the two determinants are equal.

Similarly to the case $N = k$, when the parameter $\varepsilon$ is a half-integer we have special divisibility properties for the polynomials $P_k^{(N,\varepsilon)}(x,y)$, obtained by factoring the determinant expression.

**Proposition 14** *Let $\ell, k \in \mathbb{Z}_{\geq 0}$, then*

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell+N-k}{2})}(\mathbf{x},\mathbf{y}) = \bar{A}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})P\_k^{(N,\frac{\ell+N-k}{2})}(\mathbf{x},\mathbf{y}) + \bar{B}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})$$

*with $\bar{B}_N^{(N,\ell)}(x,y) = 0$. Moreover, the polynomial $\bar{A}_k^{(N,\ell)}(x,y)$ is given by*

$$\bar{A}_k^{(N,\ell)}(x,y) = \frac{(k+\ell)!}{k!} \det \text{tridiag} \begin{bmatrix} x + \frac{y}{k+i} + 2i - 1 + k - N - \ell & 1 \\ c_{-i}^{(\frac{N+\ell-k}{2})} & \end{bmatrix}_{1 \le i \le \ell}.$$

As can easily be seen from the definition, and as we have already used above in (14), the variable $N$ in the constraint polynomial can be taken to assume real values; in other words, we can regard it as a free variable. In this way, this result, along with Theorem 16 below, can be interpreted as divisibility modulo $N - k$, that is,

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell+N-k}{2})}(\mathbf{x},\mathbf{y}) \equiv \bar{A}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y}) P\_k^{(N,\frac{\ell+N-k}{2})}(\mathbf{x},\mathbf{y}) \pmod{N-k}.$$

We make this assumption in the remainder of this section to simplify the proofs.

*Proof* We begin with the determinant expression of Corollary 11 for the polynomial $P_{k+\ell}^{(N+\ell, -\frac{\ell+N-k}{2})}(x,y)$, that is

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell+N-k}{2})}(\mathbf{x},\mathbf{y}) = \det\left(\mathbf{I}\_{k+\ell}\mathbf{y} + \mathbf{D}\_{k+\ell}\mathbf{x} + \mathbf{C}\_{k+\ell}^{(N+\ell,-\frac{\ell+N-k}{2})}\right) + q\_{k+\ell}(\mathbf{x},\mathbf{y}),$$

where $q_{k+\ell}(x,y)$ is a polynomial divisible by $N - k$. The tridiagonal matrix $\mathbf{C}_{k+\ell}^{(N+\ell, -\frac{\ell+N-k}{2})}$ is given by

$$\mathbf{C}_{k+\ell}^{(N+\ell, -\frac{\ell+N-k}{2})} = \text{tridiag}\begin{bmatrix} -i(-2i+1+\ell+N+k) & 1 \\ i(i+1)(N+\ell-i)(k-i) & \end{bmatrix}_{1 \le i \le k+\ell}.$$

Note that when $i = k$, the off-diagonal element $i(i+1)(N+\ell-i)(k-i)$ vanishes, and $\det\left(\mathbf{I}_{k+\ell} y + \mathbf{D}_{k+\ell} x + \mathbf{C}_{k+\ell}^{(N+\ell, -\frac{\ell+N-k}{2})}\right)$ can be computed as the product of the determinant of a $k \times k$ matrix and the determinant of an $\ell \times \ell$ matrix.

Let us first consider the determinant of the $\ell \times \ell$ matrix factor. It is given by

$$\det \text{tridiag}\begin{bmatrix}\mathbf{y} + (k+i)\mathbf{x} - (k+i)(-2(k+i) + 1 + \ell + N + k) & 1 \\ (k+i)(k+i+1)(N+\ell-k-i)(-i) & \end{bmatrix}\_{1\le i\le\ell},$$

which is easily seen to be equal to

$$\bar{A}\_{k}^{(N,\ell)}(\mathbf{x},\mathbf{y}) = \frac{(k+\ell)!}{k!} \det \text{tridiag} \begin{bmatrix} \mathbf{x} + \frac{\mathbf{y}}{k+i} + 2i - 1 + k - N - \ell & 1 \\ c\_{-i}^{(\frac{N+\ell-k}{2})} & \end{bmatrix}\_{1 \le i \le \ell}.$$

Let us denote by $q(\mathbf{x}, \mathbf{y}; N, \ell, k)$ the remaining factor, that is,

$$q(\mathbf{x}, \mathbf{y}; N, \ell, k) = \det \text{tridiag} \begin{bmatrix} i\mathbf{x} + \mathbf{y} - i(-2i + 1 + \ell + N + k) & 1 \\ i(i+1)(N + \ell - i)(k - i) & \end{bmatrix}\_{1 \le i \le k}.$$

By Corollary 11, we have

$$P\_k^{(N, \frac{\ell+N-k}{2})}(\mathbf{x}, \mathbf{y}) - R\_k^{(N, \frac{\ell+N-k}{2})} = \det \text{tridiag} \begin{bmatrix} i\mathbf{x}+\mathbf{y}-i(3N-2i+1+\ell-k) & 1\\ i(i+1)(N-i)(2N-i+\ell-k) & \end{bmatrix}\_{1 \le i \le k},$$

and the right-hand side can be written as

$$\det \text{tridiag}\begin{bmatrix} i\mathbf{x} + \mathbf{y} - i(-2i + 1 + \ell + N + k + 2(N - k)) & 1 \\ i(i+1)(k - i + (N - k))(N + \ell - i + (N - k)) & \end{bmatrix}\_{1 \le i \le k},$$

and noticing that, entrywise, the entries of this matrix differ from those in the determinant expression of $q(\mathbf{x}, \mathbf{y}; N, \ell, k)$ only by multiples of $N - k$, we obtain

$$q(\mathbf{x}, \mathbf{y}; N, \ell, k) = P\_k^{(N, \frac{\ell + N - k}{2})}(\mathbf{x}, \mathbf{y}) + q'(\mathbf{x}, \mathbf{y}; N, \ell, k)$$

for a polynomial $q'(\mathbf{x}, \mathbf{y}; N, \ell, k)$ satisfying $q'(\mathbf{x}, \mathbf{y}; N, \ell, N) = 0$. This completes the proof.

In order to consider the result for the desired parameter $\varepsilon = \ell/2$, we need the following lemma.

**Lemma 15** *Let* $k \in \mathbb{Z}\_{\ge 0}$ *and* $\delta \in \mathbb{R}$*. Then, we have*

$$P\_k^{(N, \varepsilon + \delta)}(\mathbf{x}, \mathbf{y}) = P\_k^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y}) + 2\delta q\_k^{(N, \varepsilon)}(\mathbf{x}, \mathbf{y})$$

*for some polynomial* $q\_k^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) \in \mathbb{R}[\mathbf{x}, \mathbf{y}]$*.*

*Proof* It is clear that $q\_0^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) = 0$ and $q\_1^{(N,\varepsilon)}(\mathbf{x}, \mathbf{y}) = 1$. Then, assume that it holds for all $i \le k$ for some $k \in \mathbb{Z}\_{\ge 0}$. We have

$$\begin{aligned} P\_k^{(N,\varepsilon+\delta)}(\mathbf{x},\mathbf{y}) &= (k\mathbf{x} + \mathbf{y} - c\_k^{(\varepsilon+\delta)})P\_{k-1}^{(N,\varepsilon+\delta)}(\mathbf{x},\mathbf{y}) - \lambda\_k \mathbf{x} P\_{k-2}^{(N,\varepsilon+\delta)}(\mathbf{x},\mathbf{y}) \\ &= P\_k^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) - 2k\delta P\_{k-1}^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) + 2\delta(k\mathbf{x} + \mathbf{y} - c\_k^{(\varepsilon+\delta)})q\_{k-1}^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) \\ &\quad - 2\delta\lambda\_k \mathbf{x} \, q\_{k-2}^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) \\ &= P\_k^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) + 2\delta q\_k^{(N,\varepsilon)}(\mathbf{x},\mathbf{y}) \end{aligned}$$

and the result follows by induction.

Finally, we give a particular solution to Conjecture 3.

**Theorem 16** *Let* $\ell, k \in \mathbb{Z}\_{\ge 0}$*, then*

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) = A\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})P\_k^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) + B\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})$$

*with* $B\_N^{(N,\ell)}(\mathbf{x}, \mathbf{y}) = 0$*. Moreover, the polynomial* $A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ *is given by*

$$A\_k^{(N, \ell)}(\mathbf{x}, \mathbf{y}) = \frac{(k+\ell)!}{k!} \det \text{tridiag} \begin{bmatrix} \mathbf{x} + \frac{\mathbf{y}}{k+i} + 2i - 1 - \ell & 1\\ c\_{-i}^{(\frac{\ell}{2})} & \end{bmatrix}\_{1 \le i \le \ell}.$$

Note that the polynomial $A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ does not depend on the parameter $N$. Because of this, positivity follows trivially from the result for the polynomials $A\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$ given in Kimoto et al. (2017). That is, we have $A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y}) > 0$ for $\mathbf{x}, \mathbf{y} > 0$.


*Proof* First, by using Lemma 15 above on the polynomials at both sides of Proposition 14, it is easy to see that

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) = \bar{A}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})P\_k^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) + \bar{C}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})$$

for some polynomial $\bar{C}\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ satisfying $\bar{C}\_N^{(N,\ell)}(\mathbf{x}, \mathbf{y}) = 0$. Note that the matrices in the determinant expressions of $\bar{A}\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ and $A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ differ entrywise at most by multiples of $N - k$, therefore

$$A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y}) = \bar{A}\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y}) + (N - k)q^{(N,\ell)}(\mathbf{x}, \mathbf{y})$$

for some polynomial $q^{(N,\ell)}(\mathbf{x}, \mathbf{y}) \in \mathbb{Z}[\mathbf{x}, \mathbf{y}]$, completing the proof.

It is important to mention that Theorem 16 may be proved by defining directly

$$B\_k^{(N,\ell)}(\mathbf{x},\mathbf{y}) = P\_{k+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) - A\_k^{(\ell)}(\mathbf{x},\mathbf{y}) P\_k^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}),$$

and appealing to the results of Kimoto et al. (2017). However, in the proof above we wanted to emphasize how the polynomial $A\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$ appears naturally by extending the main results of Kimoto et al. (2017).

Let us now return to the discussion on Conjecture 3 started at the beginning of the section. For an arbitrary (nonzero) polynomial *p*(*x*, *y*), by setting

$$
\hat{A}\_k^{(\ell)}(\mathbf{x}, \mathbf{y}) = A\_k^{(\ell)}(\mathbf{x}, \mathbf{y}) + k(N - k)p(\mathbf{x}, \mathbf{y}),
$$

we verify the relation

$$P\_{k+\ell}^{(N+\ell,-\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) = \hat{A}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y})P\_k^{(N,\frac{\ell}{2})}(\mathbf{x},\mathbf{y}) + \hat{B}\_k^{(N,\ell)}(\mathbf{x},\mathbf{y}),$$

with

$$
\hat{B}\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y}) = B\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y}) - k(N - k)p(\mathbf{x}, \mathbf{y}) P\_k^{(N,\frac{\ell}{2})}(\mathbf{x}, \mathbf{y}),
$$

giving another solution to the conjecture as long as

$$
\hat{A}\_k^{(\ell)}(\mathbf{x}, \mathbf{y}) > 0
$$

for $\mathbf{x}, \mathbf{y} > 0$ and $0 \le k \le N$. Therefore, this method gives a family of solutions of the conjecture related to the particular solution $A\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$. It would be desirable to consider the problem of characterizing all the solutions to the problem posed in Conjecture 3, or in other words to consider the problem of finding the solutions with minimal degree for $\hat{B}\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ (or $\hat{A}\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$) while retaining the condition of positivity of $\hat{A}\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$. We note that the method for showing the positivity of the polynomial $A\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$ in Kimoto et al. (2017) cannot be extended in general to the polynomial $\hat{A}\_k^{(\ell)}(\mathbf{x}, \mathbf{y})$ described here.

As a conclusion, we leave the question of Conjecture 3 open, but change the problem from one of existence to one of characterization of solutions according to the discussion above.

**Problem 17** Characterize all pairs of solutions $A\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ and $B\_k^{(N,\ell)}(\mathbf{x}, \mathbf{y})$ of Conjecture 3. Alternatively, describe the "minimal" solutions according to certain criteria (e.g., degree).

### **4 Open Problems**

To complement Problem 17, in this section we describe some open problems related to constraint polynomials and Juddian solutions of the AQRM and the QRM.

#### *4.1 Number of Exceptional Solutions of the AQRM*

For fixed $\Delta > 0$ and $N \in \mathbb{Z}\_{\ge 0}$, the number of values of $g > 0$ such that $\lambda = N \pm \varepsilon - g^2$ is a Juddian solution is, by the results in Li and Batchelor (2015) (see also Kimoto et al. 2017), exactly $N - k$, where $k$ is the integer satisfying

$$k(k+2\varepsilon) \le \Delta^2 < (k+1)(k+1+2\varepsilon).$$

This gives a complete answer to the problem of counting the number of Juddian solutions for fixed $\Delta$ when $g$ is allowed to vary. From the $G$-functions for non-Juddian exceptional eigenvalues (called $T$-functions in Kimoto et al. 2017), it is not difficult to obtain a condition on $\Delta$ for the existence of non-Juddian exceptional solutions in the case of the QRM, but such an estimate provides no information on the exact number of non-Juddian exceptional solutions, and no further results in this direction are known.

A different problem in the same line is to determine, for fixed $g, \Delta > 0$, the number of exceptional solutions present in the spectrum of $H\_{\mathrm{Rabi}}^{\varepsilon}$. For the case of Juddian eigenvalues, it corresponds to finding all the $N \in \mathbb{Z}\_{\ge 0}$ such that

$$P\_N^{(N, \varepsilon)}((2g)^2, \Delta^2) = 0,$$

for a given $g, \Delta > 0$. We recall here that since the polynomials $P\_N^{(N,\varepsilon)}((2g)^2, \Delta^2)$ do not constitute a family of orthogonal polynomials in the usual sense (i.e., with respect to the variables $x = (2g)^2$ or $y = \Delta^2$), with the exception of the case = 0, there is almost no information known about the relation between their zeros. The same problem can be posed for non-Juddian exceptional eigenvalues, but as in the Juddian case, there are no results in this direction.

#### *4.2 Classification of Parameter Regimes*

The parameter regimes for the QRM are defined according to different observed properties of the QRM, especially its dynamic properties, and whether the model can be approximated by simpler models (like the Jaynes–Cummings models). However, as remarked in Rossatto et al. (2017), the characterization of the coupling regimes is not universally agreed upon, and there is a need for a more specific criterion.

In the same paper, the authors give a new proposal for the characterization of the coupling regimes of the QRM that depends not only on the parameters of the system but also on its energy levels. This new classification is based on the study of approximate exceptional solutions of the eigenvalue problem of the QRM. The new classification has the advantage of giving a precise differentiation between the coupling regimes, based on observations made by the authors on the static and dynamical properties of the QRM in these regimes.

For instance, in this proposal the *perturbative ultrastrong coupling regime* (pUSC) roughly corresponds to combinations of parameters $g, \Delta, \omega$ and eigenvalues $\lambda$ lying to the left of the first Juddian solution in the spectral curve graph. The *perturbative deep strong coupling regime* (pDSC) is similarly defined by the combinations of parameters $g, \Delta, \omega$ and eigenvalues $\lambda$ lying past a boundary curve (in the $(\lambda, g)$ plane) after the last Juddian solution (or the first non-Juddian solution). The *nonperturbative ultrastrong-deep strong coupling regime* (npUSC-DSC) would then correspond to the remaining region in the $(\lambda, g)$-plane.

Thus, it is important to estimate the parameters corresponding to the first and last Juddian solution for each level *N*, and also the first non-Juddian exceptional solution for the level *N*, in order to describe the boundaries between the parameter regimes in an effective way. In a more general sense, it would be interesting to have an estimate for the distribution of the zeros of constraint polynomials and constraint functions for non-Juddian exceptional eigenvalues.

**Acknowledgements** This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. The author would like to thank the anonymous referee for some crucial comments related to the proposed solution of Conjecture 3.



**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Generalized Group–Subgroup Pair Graphs**

**Kazufumi Kimoto**

**Abstract** A regular finite graph is called a Ramanujan graph if its zeta function satisfies an analog of the Riemann Hypothesis. Such a graph has a small second eigenvalue, so that it is used to construct cryptographic hash functions. Typically, explicit families of Ramanujan graphs are constructed by using Cayley graphs. In this paper, we introduce a generalization of Cayley graphs called generalized group–subgroup pair graphs, which are a generalization of the group–subgroup pair graphs defined by Reyes-Bustos. We study their basic properties, especially their spectra.

**Keywords** Cayley graphs · Spectra of graphs · Group–subgroup pair graphs · Group actions · Homogeneity · Representation theory · Characters

## **1 Introduction**

A $k$-regular finite graph is called a *Ramanujan graph* if its zeta function satisfies an analog of the *Riemann hypothesis*. This condition is equivalent to saying that every nontrivial (i.e. $\neq \pm k$) eigenvalue of the graph is less than or equal to $2\sqrt{k-1}$ in absolute value. Thus the second largest eigenvalue in absolute value of a Ramanujan graph is small, and this means that it has a large isoperimetric constant (i.e. it is an *expander graph*), so that random walks on such a graph rapidly converge to the uniform distribution as the number of walk steps tends to infinity. Consequently, as an application to cryptography, Ramanujan graphs can be used to construct cryptographic hash functions (see Charles et al. (2009), in which hash functions are constructed from LPS graphs (Lubotzky et al. 1988) and Pizer graphs (Pizer 1990)).

In order to construct (a family of) Ramanujan graphs, the *Cayley graphs* are an important tool; a Cayley graph is a graph whose vertex set is a finite group, and the adjacency of vertices is described in terms of the multiplication of the group. In fact, most of the known explicit constructions of infinite families of Ramanujan graphs are given as Cayley graphs, and the construction is based on deep results in number theory associated with the group (for instance, the construction of the LPS graphs due to Lubotzky et al. (1988) is based on the Ramanujan–Petersson conjecture on automorphic forms).

K. Kimoto (B)
Department of Mathematical Sciences, Faculty of Science, University of the Ryukyus, 1 Senbaru, Nishihara-cho, Okinawa 903-0213, Japan
e-mail: kimoto@math.u-ryukyu.ac.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_14

Thus it is natural to consider generalizations of Cayley graphs in order to enlarge the possibility of producing Ramanujan graphs and/or expander families. *Group–subgroup pair graphs* (or pair graphs for short) (Reyes-Bustos 2016), which are defined for a triplet $(G, H, S)$ of a finite group $G$, a subgroup $H \subset G$ and a suitable subset $S \subset G$, are one such attempt. A pair graph is regular in special cases and provides interesting examples of Ramanujan graphs. However, we can construct regular pair graphs only when $[G : H] \le 2$. The purpose of this paper is to give a generalization of group–subgroup pair graphs which can provide Ramanujan graphs even when $[G : H] > 2$. A generalized pair graph is a graph defined for a pair $(G, H)$ of a group and its subgroup together with a suitable family $\mathcal{S}$ of subsets in $G$. We study their basic properties, especially their spectra.

Here is a brief description of the organization of the paper: In Sect. 2, we recall basic conventions on graphs. In Sect. 3, we recall the definitions of Cayley graphs and group–subgroup pair graphs, and give several examples of them. In Sect. 4, we introduce the notion of homogeneity of a graph. In Sect. 5, we give a generalization of group–subgroup pair graphs. In Sect. 6, we describe the spectra of generalized group–subgroup pair graphs.

#### *1.1 Conventions*

For a matrix $A$, $A^\*$ is the transposed complex conjugate of $A$, and $\operatorname{Tr}(A)$ is the trace of $A$. The $n$ by $n$ identity matrix is denoted by $I\_n$.

For a group $G$, we use the symbol $e$ to indicate the identity element of $G$. We denote by $\chi^{\rho}$ the *character* of a given representation $\rho$ of $G$: $\chi^{\rho}(x) = \operatorname{Tr}(\rho(x))$ for $x \in G$. The *unitary dual* of $G$ (i.e. the set of all equivalence classes of unitary irreducible representations of $G$) is denoted by $\widehat{G}$. The *dual group* of $G$ is defined to be $G^\* = \operatorname{Hom}(G, \mathbb{C}^{\times})$. We often identify $G^\*$ with the subset

$$\{\pi \in \widehat{G} \mid \deg \pi = 1\} \subset \widehat{G}$$

consisting of 1-dimensional representations of $G$ via the bijection $\pi \mapsto \chi^{\pi}$. When $G$ is abelian, we have $G^\* = \widehat{G}$. We denote by $\mathbf{1}$ the trivial character of $G$ (i.e. $\mathbf{1}(x) = 1$, $x \in G$).

### **2 Preliminaries**

In what follows, a graph is always assumed to be *finite*, *undirected* and *simple* unless otherwise stated.

Let $X = (V, E)$ be a graph. The number of vertices $|V|$ and edges $|E|$ are called the *order* and *size* of the graph, respectively. We often write $x \sim y$ to indicate that two vertices $x$ and $y$ are adjacent, i.e. $xy \in E$. We denote by $\mathrm{N}(x)$ the *neighborhood* of $x$: $\mathrm{N}(x) = \{y \in V \mid x \sim y\}$. The *degree* $\deg(x)$ of a vertex $x$ is the number of edges incident to $x$. If $X$ is simple, then $\deg(x)$ is equal to $|\mathrm{N}(x)|$.

We call $X$ a *$k$-regular* graph if $\deg(x) = k$ for every $x \in V$. We introduce two generalizations of this notion for later use. Suppose that $V$ has a partition $V = V\_1 \sqcup \cdots \sqcup V\_m$. If

$$d\_{ij} := \left| \{ y \in V\_j \mid x \sim y \} \right| \quad (x \in V\_i)$$

depends only on $i$ and $j$, then we say $X$ is a *$D$-regular* graph, where $D = (d\_{ij})\_{1 \le i, j \le m}$. Notice that if

$$\sum\_{i=1}^{m} d\_{ir} = \sum\_{j=1}^{m} d\_{rj} =: d\_r \quad (r = 1, \dots, m),$$

then $X$ is $(d\_1, \dots, d\_m)$-regular ($\deg(x) = d\_i$ for any $x \in V\_i$).

Numbering the vertices, say $V = \{v\_1, \dots, v\_N\}$ ($N = |V|$), we define the *adjacency matrix* $\mathcal{A} = \mathcal{A}\_X$ of $X$ by

$$\mathcal{A} = (a\_{ij})\_{1 \le i,j \le N}, \quad a\_{ij} = \begin{cases} 1 & v\_i \sim v\_j, \\ 0 & \text{otherwise}. \end{cases}$$

$\mathcal{A}$ depends on the choice of numbering of $V$; however, it is uniquely determined up to conjugation by permutation matrices. An eigenvalue of $\mathcal{A}$ is called an eigenvalue of the graph $X$. We denote by $\operatorname{Spec}(X)$ the multiset consisting of the eigenvalues of $X$. If $X$ is $k$-regular, then $k$ is the largest eigenvalue of $X$, and every eigenvalue of $X$ lies in the interval $[-k, k]$. We put

$$\lambda(X) := \max\left\{ |\lambda| \mid \lambda \in \operatorname{Spec}(X), \ \lambda \neq \pm k \right\}.$$

*X* is called a *Ramanujan graph* if

$$
\lambda(X) \le 2\sqrt{k-1}.
$$

**Remark 1** This condition $\lambda(X) \le 2\sqrt{k-1}$ is equivalent to the analog of the Riemann hypothesis

$$\zeta\_X(q^{-s})^{-1} = 0 \quad (q = k - 1) \implies \operatorname{Re}(s) = \frac{1}{2}$$

for the Ihara zeta function

$$\zeta\_X(u) = \prod\_{[P]} (1 - u^{\nu(P)})^{-1}$$

of $X$, where $[P]$ runs over all the "primes" in $X$, and $\nu(P)$ is the "length" of $P$. See, for example, Terras (2011) for details.

**Remark 2** It is known that the second largest eigenvalue λ<sup>1</sup> of *X* satisfies

$$
\lambda\_1 > 2\sqrt{k-1} - \frac{2\sqrt{k-1}-1}{m}
$$

when $\operatorname{diam}(X) \ge 2m + 2 \ge 4$, where $\operatorname{diam}(X)$ denotes the diameter of $X$ (Nilli 1991).

**Remark 3** The notion of Ramanujan graphs is extended to non-regular graphs in several cases. For instance, a $(p, q)$-regular bipartite graph $X$ is called a *Ramanujan bigraph* if

$$\left|\sqrt{p-1} - \sqrt{q-1}\right| \le \lambda(X) \le \sqrt{p-1} + \sqrt{q-1}.$$

See, for example, Feng and Li (1996), Hashimoto (1989).

**Example 1** The cycle graph $C\_n$ of order $n$ is a 2-regular graph, and its eigenvalues are given by $2\cos\frac{2j\pi}{n}$ ($j = 0, 1, \dots, n-1$), which are all less than or equal to $2 = 2\sqrt{2-1}$. Hence $C\_n$ is Ramanujan for any $n \ge 3$.

#### **3 Cayley Graphs and Group–Subgroup Pair Graphs**

We briefly recall the basics of the Cayley graphs and group–subgroup pair graphs. We refer to Fulton and Harris (1991) for basic facts on representation theory.

#### *3.1 Cayley Graphs*

**Definition 1** Let $G$ be a group and $S \subset G$ be a symmetric generating set, that is, $S^{-1} = S$ and $\langle S \rangle = G$. The *Cayley graph* $\operatorname{Cay}(G, S)$ is a graph whose vertex set is $G$ and two vertices $x, y \in G$ are adjacent if and only if $y = xs$ for some $s \in S$.

Let $\mathcal{R}$ be the *left regular representation* of $G$, which is the permutation representation induced from the left translation. Explicitly, if we index the elements in $G$ as $G = \{g\_1, \dots, g\_N\}$ ($N = |G|$), then $\mathcal{R}(g)$ ($g \in G$) can be realized as a matrix whose $(i, j)$-entry is $\delta(g\_i^{-1} g g\_j)$, where $\delta(x)$ is 1 if $x = e$ and 0 otherwise. Then the adjacency matrix $\mathcal{A}$ of $\operatorname{Cay}(G, S)$ is given by

$$\mathcal{A} = \sum\_{s \in S} \mathcal{R}(s).$$

Since the irreducible decomposition of $\mathcal{R}$ is given by

$$\mathcal{R} \sim \bigoplus\_{\pi \in \widehat{G}} \pi^{\oplus \deg \pi},$$

there exists a certain unitary matrix $U$ such that

$$U^\* \mathcal{R}(g) U = \bigoplus\_{\pi \in \widehat{G}} \pi(g)^{\oplus \deg \pi}.$$

It follows that

$$U^\* \mathcal{A} U = \bigoplus\_{\pi \in \widehat{G}} \left( \sum\_{s \in S} \pi(s) \right)^{\oplus \deg \pi},$$

and hence the characteristic polynomial of the adjacency matrix $\mathcal{A}$ is written as

$$\det(xI\_N - \mathcal{A}) = \prod\_{\pi \in \widehat{G}} \det\left(xI\_{\deg \pi} - \sum\_{s \in S} \pi(s)\right)^{\deg \pi}.$$

When *G* is abelian, every irreducible representation of *G* is 1-dimensional and we have 

$$\operatorname{Spec}(\operatorname{Cay}(G,\mathcal{S})) = \left\{ \sum\_{s \in \mathcal{S}} \varphi(s) \; \middle| \; \varphi \in G^\* \right\}.$$

**Example 2** Let $G = D\_n = \langle s, t \rangle$ be the dihedral group of degree $2n$ ($s^n = t^2 = e$, $tst = s^{-1}$). Take a symmetric generating subset $S = \{s, s^{-1}, t\}$. Then the Cayley graph $\operatorname{Cay}(G, S)$ is a 3-regular graph which is isomorphic to the Cartesian product of the path graph $P\_1$ of length 1 and the cycle graph $C\_n$ of length $n$ (Fig. 1). The following are the pictures of $\operatorname{Cay}(G, S)$ for $n = 5, 6, 7, 8$:

The eigenvalues of Cay(*G*, *S*) are given by

$$2\cos\frac{2j\pi}{n} \pm 1 \quad (j = 0, 1, \ldots, n-1).$$

We see that $\operatorname{Cay}(G, S)$ is no longer Ramanujan if $2\cos\frac{2\pi}{n} + 1 > 2\sqrt{2}$, i.e. $n \ge 16$.

**Fig. 1** Cay(*Dn*, *S*) for *n* = 5, 6, 7, 8
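As an added example (not code from the paper), the following Python builds $\operatorname{Cay}(D\_n, S)$ of Example 2 from the relations $s^n = t^2 = e$, $tst = s^{-1}$, confirms the eigenvalues $2\cos\frac{2j\pi}{n} \pm 1$ by checking the explicit eigenvectors $f(s^a t^b) = \omega^{ja}(\pm 1)^b$, and finds the smallest $n$ at which each of two quantities exceeds $2\sqrt{2}$: the largest nontrivial eigenvalue $2\cos\frac{2\pi}{n} + 1$ used in the text, and $\lambda(X)$ of Sect. 2, which takes absolute values. Group elements are encoded as pairs $(a, b)$ standing for $s^a t^b$, an encoding chosen here.

```python
import cmath
import math


def dihedral_elements(n):
    """D_n as pairs (a, b) standing for s^a t^b, 0 <= a < n, b in {0, 1}."""
    return [(a, b) for b in (0, 1) for a in range(n)]


def dihedral_mul(n, x, y):
    """s^a t^b * s^c t^d = s^{a + (-1)^b c} t^{b + d}, from s^n = t^2 = e, t s t = s^-1."""
    a, b = x
    c, d = y
    return ((a + (c if b == 0 else -c)) % n, (b + d) % 2)


def cayley_adjacency(elements, mul, gens):
    """Adjacency matrix of Cay(G, S) (Definition 1): x ~ y iff y = x s for some s in S."""
    index = {g: i for i, g in enumerate(elements)}
    adj = [[0] * len(elements) for _ in elements]
    for x in elements:
        for s in gens:
            adj[index[x]][index[mul(x, s)]] = 1
    return adj


def cay_dn(n):
    """Cay(D_n, {s, s^-1, t}) of Example 2; returns (elements, adjacency matrix)."""
    elements = dihedral_elements(n)
    gens = [(1, 0), (n - 1, 0), (0, 1)]          # s, s^-1, t
    return elements, cayley_adjacency(elements, lambda x, y: dihedral_mul(n, x, y), gens)


def is_symmetric_k_regular(adj, k):
    """S symmetric gives a symmetric matrix; |S| = k gives a k-regular graph."""
    size = len(adj)
    return (all(adj[i][j] == adj[j][i] for i in range(size) for j in range(size))
            and all(sum(row) == k for row in adj))


def spectrum_dn(n):
    """The 2n eigenvalues 2cos(2 j pi / n) +- 1 claimed in Example 2."""
    return [2 * math.cos(2 * j * math.pi / n) + sign
            for j in range(n) for sign in (1, -1)]


def verify_spectrum(n, tol=1e-9):
    """Check A f = lambda f for f(s^a t^b) = w^{j a} (+-1)^b with w = exp(2 pi i / n).
    Right multiplication by s, s^-1, t scales f by w^j, w^-j, +-1, so the eigenvalue
    is w^j + w^-j +- 1 = 2cos(2 j pi / n) +- 1."""
    elements, adj = cay_dn(n)
    w = cmath.exp(2j * math.pi / n)
    size = len(elements)
    for j in range(n):
        for sign in (1, -1):
            f = [w ** (j * a) * sign ** b for (a, b) in elements]
            lam = 2 * math.cos(2 * j * math.pi / n) + sign
            for i in range(size):
                af = sum(adj[i][m] * f[m] for m in range(size))
                if abs(af - lam * f[i]) > tol:
                    return False
    return True


def nontrivial(spec, k, tol=1e-9):
    """Eigenvalues other than +-k (k is the degree)."""
    return [lam for lam in spec if abs(abs(lam) - k) > tol]


def largest_nontrivial(spec, k):
    """Largest nontrivial eigenvalue; for Cay(D_n, S) this is 2cos(2 pi / n) + 1."""
    return max(nontrivial(spec, k))


def lambda_x(spec, k):
    """lambda(X) of Sect. 2: max |lambda| over the nontrivial eigenvalues."""
    return max(abs(lam) for lam in nontrivial(spec, k))


def first_n_exceeding(criterion, k=3, start=3, stop=64):
    """Smallest n with criterion(Spec(Cay(D_n, S)), k) > 2 sqrt(k - 1)."""
    bound = 2 * math.sqrt(k - 1)
    for n in range(start, stop):
        if criterion(spectrum_dn(n), k) > bound:
            return n
    return None


if __name__ == "__main__":
    for n in (5, 6, 7, 8, 9, 15, 16):
        spec = spectrum_dn(n)
        print(n, verify_spectrum(n), round(largest_nontrivial(spec, 3), 4),
              round(lambda_x(spec, 3), 4))
    print("2cos(2pi/n)+1 exceeds 2sqrt2 from n =", first_n_exceeding(largest_nontrivial))
    print("lambda(X) exceeds 2sqrt2 from n =", first_n_exceeding(lambda_x))
```

The two thresholds differ for odd $n$: the largest-eigenvalue criterion first fails at $n = 16$ as stated above, while $\lambda(X)$ already exceeds $2\sqrt{2}$ at $n = 9$, because the nontrivial eigenvalue $2\cos\frac{8\pi}{9} - 1 = -2\cos\frac{\pi}{9} - 1$ has absolute value about 2.879. For even $n$ the graph is bipartite, its spectrum is symmetric, and both criteria agree.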

#### *3.2 Group–Subgroup Pair Graphs*

**Definition 2** (Reyes-Bustos (2016)) Let $G$ be a group, $H$ a subgroup of $G$ and $S \subset G$ such that $S\_0 = S \cap H$ is symmetric (i.e. $S\_0^{-1} = S\_0$). The *group–subgroup pair graph* (or *pair graph* for short) $\mathcal{G}(G, H, S)$ is a graph whose vertex set is $G$ and two vertices $x, y \in G$ are adjacent if and only if there exist $h \in H$ and $s \in S$ such that $\{x, y\} = \{h, hs\}$.

**Remark 4** If $G = H = S$, then $\mathcal{G}(G, G, S) = \operatorname{Cay}(G, S)$. If $[G : H] = 2$ and $S\_0 = \emptyset$, then $\mathcal{G}(G, H, S)$ is bipartite.

**Example 3** If $H = \{e\}$ and $S = G \setminus \{e\}$, then $\mathcal{G}(G, H, S)$ is the *star graph* $K\_{1,k}$ (with $|G| = k + 1$). For instance, the pair graph for $G = \mathbb{Z}\_8 = \mathbb{Z}/8\mathbb{Z}$, $H = \{0\}$ and $S = \mathbb{Z}\_8 \setminus \{0\}$ is the star graph $K\_{1,7}$.

Here we summarize several elementary facts on pair graphs (see Reyes-Bustos (2016) for the proofs). Assume that $H$ is a subgroup of $G$ with index $k + 1$ and order $n$. Put $N = |G| = (k + 1)n$ for short. Fix a set $\{x\_0 = e, x\_1, x\_2, \dots, x\_k\}$ of representatives of the right cosets in $G$ modulo $H$:

$$G = \bigsqcup\_{i=0}^{k} V\_i, \qquad V\_i := Hx\_i,$$

and put $S\_i = Hx\_i \cap S$. We also put $d\_i = |S\_i|$ and $d = |S|$. We denote by $\mathcal{A}$ the adjacency matrix of $\mathcal{G}(G, H, S)$, and by $\lambda\_i$ ($i = 0, 1, \dots, N - 1$) the eigenvalues of $\mathcal{G}(G, H, S)$, ordered in decreasing order: $\lambda\_0 \ge \lambda\_1 \ge \cdots \ge \lambda\_{N-1}$.

• We have

$$\deg(v) = \begin{cases} d & v \in V\_0 = H, \\ d\_i & v \in V\_i \quad (i = 1, \dots, k). \end{cases}$$

In particular, $\mathcal{G}(G, H, S)$ is regular if and only if $k = 0$, or $k = 1$ and $S\_0 = \emptyset$.

• $\mathcal{G}(G, H, S)$ is a $D$-regular graph for

$$D = \begin{pmatrix} d\_0 & d\_1 & \cdots & d\_k \\ d\_1 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ d\_k & 0 & \cdots & 0 \end{pmatrix}.$$

• Put

$$\mu\_{\pm} = \frac{1}{2} \left( d\_0 \pm \left( d\_0^2 + 4 \sum\_{i=1}^k d\_i^2 \right)^{1/2} \right).$$

Then $\mu\_+$ is the largest eigenvalue, and it is simple if $\mathcal{G}(G, H, S)$ is connected. For any eigenvalue $\lambda$ of $\mathcal{G}(G, H, S)$ other than $\pm\lambda\_0$, we have $|\lambda| < \lambda\_0$.

• When $[G : H] = 2$, $\mathcal{G}(G, H, S)$ is Ramanujan if $|S| \ge n + 2 - 2\sqrt{n}$.

When the subgroup *H* is *abelian*, the eigenvalues of G(*G*, *H*, *S*) can be expressed in terms of *group characters* of *H* as follows.

**Theorem 1** (Kimoto, 2018, Theorem 3) *If $H$ is abelian, then the eigenvalues of* $\mathcal{G}(G, H, S)$ *are given by*

$$\lambda\_{\varphi,\pm} = \frac{1}{2} \left( \sum\_{h \in H\_0} \varphi(h) \pm \left( \left( \sum\_{h \in H\_0} \varphi(h) \right)^2 + 4 \sum\_{j=1}^k \left| \sum\_{h \in H\_j} \varphi(h) \right|^2 \right)^{1/2} \right) \quad (\varphi \in H^\*)$$

*and zeros whose multiplicity is at least* $(k - 1)n$*. Here* $H\_i := S\_i x\_i^{-1} \subset H$*.*

#### **4 Homogeneity**

We introduce a simple notion concerning the symmetry of a graph. Let $X = (V, E)$ be a graph. Assume that a group $G$ acts on $V$. We say that $X$ is *$G$-homogeneous* if $x \sim y$ implies $gx \sim gy$ for any $g \in G$. This is equivalent to saying that $G$ is embedded in the *graph automorphism group* $\operatorname{Aut}(X)$ of the graph $X$. We see that $\mathrm{N}(gx) = g\mathrm{N}(x)$ and hence $\deg(x) = \deg(gx)$ for any $x \in V$ and $g \in G$. In particular, if $G \curvearrowright V$ is transitive (i.e. for any $x, y \in V$, we can find $g \in G$ such that $y = gx$), then $X$ is regular.

**Remark 5** $X$ is $\operatorname{Aut}(X)$-homogeneous.

**Remark 6** A $G$-homogeneous graph $X$ is vertex-transitive (i.e. for any $x, y \in V$, there exists a graph isomorphism $f$ such that $y = f(x)$) if $G \curvearrowright V$ is transitive.

**Example 4** A Cayley graph $X = \operatorname{Cay}(G, S)$ is $G$-homogeneous by the natural left translation $(g, x) \mapsto gx$. $X$ is $G \times G$-homogeneous via $((g\_1, g\_2), x) \mapsto g\_1 x g\_2^{-1}$ if and only if $S$ is *normal* or *$G$-conjugate invariant* (i.e. $gSg^{-1} = S$ for all $g \in G$, or equivalently $S$ is a union of several conjugacy classes of $G$). In such a case, we have

$$\det(xI\_N - \mathcal{A}) = \prod\_{\pi \in \widehat{G}} \left( x - \frac{1}{\deg \pi} \sum\_{s \in S} \chi^{\pi}(s) \right)^{(\deg \pi)^2}$$

by Schur's lemma, since $\sum\_{s \in S} \pi(s)$ commutes with every $\pi(g)$ ($g \in G$) for each $\pi \in \widehat{G}$. Here $\chi^{\pi}$ is the character of $\pi$.

**Example 5** A pair graph $X = \mathcal{G}(G, H, S)$ is $H$-homogeneous.

**Proposition 1** *Let $X = (V, E)$ be a graph with a group action $G \curvearrowright V$ which is free (i.e. the stabilizer of any $v \in V$ is trivial) and transitive. Then $X \cong \operatorname{Cay}(G, S)$ for a certain $S \subset G$.*

*Proof* We have $\mathrm{N}(gv) = g\mathrm{N}(v)$ for each $g \in G$ and $v \in V$. There exists $S \subset G$ such that $\mathrm{N}(v) = \{sv \mid s \in S\}$. It is straightforward to check that $X \cong \operatorname{Cay}(G, S)$. $\square$

We roughly observe that the spectrum $\operatorname{Spec}(X)$ of a graph $X$ tends to be simple if $X$ is equipped with a large symmetry. Pair graphs can be regarded as a class of graphs which have weakened but nontrivial symmetry (or homogeneity) compared to Cayley graphs.

In the following section, we introduce a generalization of pair graphs, which are free but non-transitive *H*-homogeneous graphs.

#### **5 Generalized Group–Subgroup Pair Graph**

#### *5.1 Definition*

Let $G$ be a finite group and $H$ its subgroup of index $k + 1$. For later use, we put $N = |G|$, $n = |H|$ (hence we have $N = (k + 1)n$). Fix a collection of representatives $\{x\_0 = e, x\_1, \dots, x\_k\}$ of $H \backslash G$ and put $V\_i = H x\_i$ ($i = 0, 1, \dots, k$). Let $\mathcal{S} = \{S\_{ij}\}\_{i,j=0}^{k}$ be a family of subsets in $G$ such that

(1) $S\_{ij} \subset V\_i^{-1} V\_j = x\_i^{-1} H x\_j$, (2) $e \notin S\_{ij}$, (3) $S\_{ij}^{-1} = S\_{ji}$.

For two vertices $x, y \in G$, we connect these two by an edge if and only if $y = xs$ for some $s \in S\_{ij}$ when $x \in V\_i$ and $y \in V\_j$ ($i, j = 0, 1, \dots, k$). We denote this graph by $\mathcal{G}(G, H, \mathcal{S})$, and call such a graph a *generalized group–subgroup pair graph*, or simply *generalized pair graph*. Put

$$D = \begin{pmatrix} d\_{00} & d\_{01} & \dots & d\_{0k} \\ d\_{10} & d\_{11} & \dots & d\_{1k} \\ \vdots & \vdots & \ddots & \vdots \\ d\_{k0} & d\_{k1} & \dots & d\_{kk} \end{pmatrix}$$

with $d\_{ij} = |S\_{ij}|$. Notice that $D$ is symmetric. We also put

$$d\_i = \sum\_{j=0}^{k} d\_{ij} = \sum\_{j=0}^{k} d\_{ji} \quad (i = 0, 1, \dots, k).$$

Then G(*G*, *H*, S) is a *D*-regular and (*d*0, *d*1,..., *dk* )-regular graph. Thus, if every row sum and column sum of *D* is equal to *d*, then G(*G*, *H*, S) is *d*-regular. By the definition, we readily see that the following lemma holds.

**Lemma 1** G(*G*, *H*, S) *is H-homogeneous, that is, x* ∼ *y implies hx* ∼ *hy for any x*, *y* ∈ *G and h* ∈ *H.*

When $k = 1$ or $[G : H] = 2$, $H$ is normal and $G/H \cong \mathbb{Z}/2\mathbb{Z}$, and hence it follows that

$$S\_{00}, S\_{11} \subset V\_0, \quad S\_{01}, S\_{10} \subset V\_1.$$

In this case, G(*G*, *H*, S) is (*d*0, *d*1)-biregular, and it is regular if |*S*00| = |*S*11|.

**Remark 7** When $S\_{ii} = \emptyset$ ($i = 0, 1, \dots, k$), then $\mathcal{G}(G, H, \mathcal{S})$ is a *multi-partite graph*.

#### *5.2 Examples*

**Example 6** Let $X = (V, E)$ be a graph of order $k + 1$ with $V = \{0, 1, \dots, k\}$, and $A = (a\_{ij})\_{0 \le i, j \le k}$ be its adjacency matrix. Take a group $G = \{x\_0, x\_1, \dots, x\_k\}$ of order $k + 1$, and put $H = \{e\}$ and

$$S\_{ij} = \begin{cases} \emptyset & a\_{ij} = 0, \\ \{ x\_i^{-1} x\_j \} & a\_{ij} = 1. \end{cases}$$

Then G(*G*, *H*, S) ∼= *X*. Thus any finite graph is captured in the framework of generalized pair graphs (with trivial symmetry).

**Example 7** Let $G$ be a finite group, $H$ its subgroup of index $k + 1$ and $S \subset G$ a subset such that $S \cap H$ is symmetric. Fix a collection of representatives $\{x\_0 = e, x\_1, \dots, x\_k\}$ of $H \backslash G$ and put $V\_i = H x\_i$ ($i = 0, 1, \dots, k$). Define

$$\begin{aligned} S\_{0i} &= S \cap V\_i, \quad S\_{i0} = S\_{0i}^{-1} \quad (i = 0, 1, \ldots, k), \\ S\_{ij} &= \emptyset \quad (i \neq 0, \, j \neq 0). \end{aligned}$$

Then G(*G*, *H*, S) is reduced to the original group–subgroup pair graph G(*G*, *H*, *S*).

**Example 8** Let $G = D\_n = \langle s, t \rangle$ be the dihedral group of degree $2n$. We take $H = \langle s \rangle$ and $x\_0 = e$, $x\_1 = t$. Put

$$S\_{00} = \{s, s^{-1}\}, \quad S\_{01} = S\_{10} = \{t\}, \quad S\_{11} = \{s^2, s^{-2}\}.$$

Then $\mathcal{G}(G, H, \mathcal{S})$ is a $\begin{pmatrix} 2 & 1 \\ 1 & 2 \end{pmatrix}$-regular graph (and hence it is 3-regular). The following are the pictures of $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$ (Fig. 2): when $n = 5$, $\mathcal{G}(G, H, \mathcal{S})$ is isomorphic to the Petersen graph (the leftmost one in the picture). These four examples are Ramanujan graphs:

$$\det(x I - \mathcal{A}) = \begin{cases} (x-3)(x-1)^{5}(x+2)^{4} & n=5, \\ (x-3)(x-1)x^{2}(x+2)^{2}(x^{2}-5)(x^{2}-2)^{2} & n=6, \\ (x-3)(x-1)(x^{6}+2x^{5}-6x^{4}-10x^{3}+10x^{2}+11x-1)^{2} & n=7, \\ (x-3)(x-1)(x^{2}-5)(x^{2}+2x-1)^{2}(x^{4}-4x^{2}+1)^{2} & n=8 \end{cases}$$

and

$$
\lambda(X) \approx \begin{cases} 2 & n = 5, \\ 2.2361 & n = 6, \\ 2.3319 & n = 7, \\ 2.4142 & n = 8, \\ \end{cases}
$$

which are less than $2\sqrt{2} \approx 2.8284$. In general, the eigenvalues of $\mathcal{G}(G, H, \mathcal{S})$ are given by

$$\cos\frac{2\pi j}{n} + \cos\frac{4\pi j}{n} \pm \sqrt{\left(\cos\frac{2\pi j}{n} - \cos\frac{4\pi j}{n}\right)^2 + 1} \quad (j = 0, 1, \dots, n - 1).$$

G(*G*, *H*, S) is Ramanujan whenever *n* ≤ 23, and is not Ramanujan when *n* ≥ 24.
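As an added example (not code from the chapter), the following Python builds $\mathcal{G}(D\_n, H, \mathcal{S})$ from the definition of Sect. 5.1 for the family of Example 8, checks the regularity claim and Lemma 1 on the constructed graph, recovers the Petersen graph for $n = 5$ through its girth, and evaluates the eigenvalue formula stated above to locate the Ramanujan threshold at $n = 23/24$. The encoding of $D\_n$ as pairs $(i, e)$ standing for $s^i t^e$, and all function names, are assumptions of this example.

```python
import math
from itertools import product

# Added example. D_n = <s, t | s^n = t^2 = e, t s t = s^-1> is encoded as pairs
# (i, e) standing for s^i t^e with 0 <= i < n and e in {0, 1}.
def dmul(n, a, b):
    (i, e), (j, f) = a, b
    return ((i + (j if e == 0 else -j)) % n, (e + f) % 2)   # t s^j = s^-j t

def dinv(n, a):
    i, e = a
    return ((-i) % n, 0) if e == 0 else (i, 1)              # (s^i t)^-1 = s^i t

def generalized_pair_graph(n, S):
    """Build G(D_n, H, S) for H = <s>, x_0 = e, x_1 = t from a family
    S = {(i, j): S_ij} as in Sect. 5.1; conditions (1)-(3) are verified.
    Returns {vertex: set of neighbours}."""
    H = [(i, 0) for i in range(n)]
    x = [(0, 0), (0, 1)]                                    # representatives of H\G
    V = [{dmul(n, h, xi) for h in H} for xi in x]           # right cosets V_i = H x_i
    for (i, j), Sij in S.items():
        assert (0, 0) not in Sij                            # (2): e not in S_ij
        for s in Sij:
            assert dmul(n, x[i], dmul(n, s, dinv(n, x[j]))) in V[0]   # (1): s in x_i^-1 H x_j
            assert dinv(n, s) in S[(j, i)]                  # (3): S_ij^-1 = S_ji
    adj = {v: set() for Vi in V for v in Vi}
    for i, j in product(range(2), repeat=2):
        for xv in V[i]:
            for s in S[(i, j)]:                             # x in V_i ~ y = xs in V_j
                adj[xv].add(dmul(n, xv, s))
    return adj

def example8_family(n):
    """S_00 = {s, s^-1}, S_01 = S_10 = {t}, S_11 = {s^2, s^-2} of Example 8."""
    return {(0, 0): {(1, 0), (n - 1, 0)}, (0, 1): {(0, 1)},
            (1, 0): {(0, 1)}, (1, 1): {(2, 0), (n - 2, 0)}}

def degrees(adj):
    return sorted({len(nb) for nb in adj.values()})

def is_H_homogeneous(n, adj):
    """Lemma 1: x ~ y implies hx ~ hy for every h in H = <s>."""
    for h in [(a, 0) for a in range(n)]:
        for xv, nbs in adj.items():
            hx = dmul(n, h, xv)
            if any(dmul(n, h, y) not in adj[hx] for y in nbs):
                return False
    return True

def girth(adj):
    """Length of a shortest cycle (BFS from every vertex); inf if acyclic."""
    best = math.inf
    for root in adj:
        dist, parent, queue = {root: 0}, {root: None}, [root]
        for u in queue:
            for w in adj[u]:
                if w not in dist:
                    dist[w], parent[w] = dist[u] + 1, u
                    queue.append(w)
                elif parent[u] != w:                        # non-tree edge closes a cycle
                    best = min(best, dist[u] + dist[w] + 1)
    return best

def closed_walks_3(adj):
    """tr(A^3) of the constructed graph, i.e. six times its number of triangles."""
    return sum(1 for u in adj for v in adj[u] for w in adj[v] if u in adj[w])

def example8_eigenvalues(n):
    """The closed form stated in Example 8: two eigenvalues for each j = 0..n-1."""
    eig = []
    for j in range(n):
        c1, c2 = math.cos(2 * math.pi * j / n), math.cos(4 * math.pi * j / n)
        r = math.sqrt((c1 - c2) ** 2 + 1)
        eig += [c1 + c2 + r, c1 + c2 - r]
    return eig

def spectrum_matches_graph(n):
    """Cross-check formula vs. construction: sum of cubed eigenvalues equals tr(A^3)."""
    adj = generalized_pair_graph(n, example8_family(n))
    return abs(sum(l ** 3 for l in example8_eigenvalues(n)) - closed_walks_3(adj)) < 1e-6

def lambda_X(n, d=3):
    """lambda(X): largest |eigenvalue| apart from the trivial ones +-d."""
    return max(abs(l) for l in example8_eigenvalues(n) if abs(abs(l) - d) > 1e-9)

def is_ramanujan(n, d=3):
    """A d-regular graph is Ramanujan when lambda(X) <= 2 sqrt(d - 1)."""
    return lambda_X(n, d) <= 2 * math.sqrt(d - 1)
```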

**Fig. 2** $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$

**Example 9** Let $G = D\_n$ be the dihedral group of degree $2n$, and we take $H = \langle s \rangle$ and $x\_0 = e$, $x\_1 = t$. Put

$$S\_{00} = \{s, s^{-1}\}, \quad S\_{01} = S\_{10} = \{st, s^{-1}t\}, \quad S\_{11} = \{s^2, s^{-2}\}.$$

Then $\mathcal{G}(G, H, \mathcal{S})$ is a $\begin{pmatrix} 2 & 2 \\ 2 & 2 \end{pmatrix}$-regular graph (and hence it is 4-regular). The following are the pictures of $\mathcal{G}(G, H, \mathcal{S})$ for $n = 5, 6, 7, 8$ (Fig. 3): these four examples are Ramanujan graphs:

$$\det(x I - \mathcal{A}) = \begin{cases} x(x-4)(x^{4}+2x^{3}-4x^{2}-5x+5)^{2} & n=5, \\ x^{3}(x-4)(x+2)^{2}(x^{2}-8)(x^{2}-2)^{2} & n=6, \\ x(x-4)(x^{6}+2x^{5}-8x^{4}-15x^{3}+14x^{2}+28x+7)^{2} & n=7, \\ x^{3}(x-4)(x+2)^{2}(x^{2}-8)(x^{4}-6x^{2}+4)^{2} & n=8 \end{cases}$$

and

$$
\lambda(X) \approx \begin{cases}
2.4667 & n = 5, \\
2.8284 & n = 6, \\
2.6377 & n = 7, \\
2.8284 & n = 8, \\
\end{cases}
$$

which are less than $2\sqrt{3} \approx 3.4641$. In general, the eigenvalues of $\mathcal{G}(G, H, \mathcal{S})$ are given by

$$\cos\frac{2\pi j}{n} + \cos\frac{4\pi j}{n} \pm \sqrt{\left(\cos\frac{2\pi j}{n} - \cos\frac{4\pi j}{n}\right)^2 + 4\cos^2\frac{2\pi j}{n}} \quad (j = 0, 1, \dots, n - 1).$$

G(*G*, *H*, S) is Ramanujan whenever *n* ≤ 15, and is not Ramanujan when *n* ≥ 16.

In general, when $[G : H] = 2$, take $S\_{00} \subset H = H x\_0$ such that $S\_{00}^{-1} = S\_{00}$ and $S\_{01} \subset H x\_1$. We also take a nontrivial group automorphism $f$ of $H$. Put $S\_{11} = f(S\_{00})$ and $S\_{10} = S\_{01}^{-1}$. Then we get a regular graph $\mathcal{G}(G, H, \mathcal{S})$.

**Fig. 3** G(*G*, *H*, S) for *n* = 5, 6, 7, 8

#### **6 Spectra of G(G, H, S)**

#### *6.1 Adjacency Matrix of G(G, H, S)*

Let $\mathcal{A}$ be the adjacency matrix of $\mathcal{G}(G, H, \mathcal{S})$. For a concrete description of $\mathcal{A}$, we write $H = \{h\_0, \dots, h\_{n-1}\}$ with $h\_0 = e$, and put $g\_{ni+j} = h\_j x\_i$ for $i = 0, \dots, k$ and $j = 0, \dots, n - 1$. Thus we have $G = \{g\_0, g\_1, \dots, g\_{N-1}\}$. Then $\mathcal{A}$ is of the form

$$\mathcal{A} = \begin{pmatrix} \mathcal{A}\_{00} & \mathcal{A}\_{01} & \dots & \mathcal{A}\_{0k} \\ \mathcal{A}\_{10} & \mathcal{A}\_{11} & \dots & \mathcal{A}\_{1k} \\ \vdots & \vdots & \ddots & \vdots \\ \mathcal{A}\_{k0} & \mathcal{A}\_{k1} & \dots & \mathcal{A}\_{kk} \end{pmatrix},$$

where each block $\mathcal{A}\_{pq}$ ($0 \le p, q \le k$) is given by

$$(\mathcal{A}\_{pq})\_{ij} = \begin{cases} 1 & h\_i^{-1} h\_j \in H\_{pq} := x\_p S\_{pq} x\_q^{-1}, \\ 0 & \text{otherwise.} \end{cases}$$

We notice that we can express each $\mathcal{A}\_{pq}$ as

$$\mathcal{A}\_{pq} = \sum\_{s \in H\_{pq}} \mathcal{R}\_H(s),$$

where $\mathcal{R}\_H$ is the left regular representation of $H$.

#### *6.2 When H is abelian*

If $H$ is *abelian*, then $\mathcal{R}\_H$ is a direct sum of all inequivalent 1-dimensional (irreducible) representations of $H$, that is, there exists a certain unitary matrix $U$ such that

$$U^\* \mathcal{R}\_H(h) U = \bigoplus\_{\varphi \in H^\*} \varphi(h).$$

Hence

$$U^\* \mathcal{A}\_{pq} U = \sum\_{s \in H\_{pq}} \bigoplus\_{\varphi \in H^\*} \varphi(s).$$

Since {*U*∗A*pqU*}*<sup>p</sup>*,*<sup>q</sup>* commutes with each other, we have the following theorem.

**Theorem 2** *Assume that $H$ is an abelian subgroup of $G$. The characteristic polynomial of the adjacency matrix $\mathcal{A}$ of the generalized pair graph $\mathcal{G}(G, H, \mathcal{S})$ is given by*

$$\det(x I\_N - \mathcal{A}) = \prod\_{\varphi \in H^\*} \det(x I\_{k+1} - \mathcal{A}\_{\varphi}),$$

*where $\mathcal{A}\_{\varphi}$ with $\varphi \in H^\*$ is given by*

$$\mathcal{A}\_{\varphi} = \left(\sum\_{s \in H\_{ij}} \varphi(s)\right)\_{0 \le i, j \le k}.$$

**Remark 8** When $H = \{e\}$, we see that $H^\* = \{\mathbf{1}\}$ and $\mathcal{A}\_{\mathbf{1}} = \mathcal{A}$. Thus the theorem above is trivial.

**Remark 9** Notice that $\mathcal{A}\_{\mathbf{1}} = D$. It follows that the eigenvalues of $D$ are also eigenvalues of $\mathcal{G}(G, H, \mathcal{S})$ if $H$ is abelian. It is natural to ask the relation between $\mathrm{Spec}(\mathcal{A})$ and $\mathrm{Spec}(D)$ when $H$ is non-abelian. We leave this as a future problem.

**Remark 10** When $\mathcal{G}(G, H, \mathcal{S})$ is a pair graph, that is, $\mathcal{A}\_{ij} = O$ if $i \neq 0$ and $j \neq 0$, we have

$$\det(x I\_N - \mathcal{A}) = x^{(k-1)n} \det\left(x^2 I\_n - x \mathcal{A}\_{00} - \sum\_{j=1}^k \mathcal{A}\_{0j} \mathcal{A}\_{j0}\right)$$

without any assumption on *H*. If *H* is abelian, then Theorem 1 follows immediately from the equation above.

#### *6.3 Petersen Extension*

Let $G$ be a group, $H$ be a subgroup of $G$ with index 2 and $X := \mathrm{Cay}(H, S)$ be a $k$-regular Cayley graph. Assume that $G = H \cup Hw$ with $w \in G$. Take a group endomorphism $\sigma \in \mathrm{End}(H)$. Notice that $X' := \mathrm{Cay}(H, \sigma(S)) \cong X$ if $\sigma$ is an *automorphism*. Put

$$S\_{00} = S, \quad S\_{11} = \sigma(S), \quad S\_{01} = \{w\}, \quad S\_{10} = \{w^{-1}\}.$$

Then $\widetilde{X} = \mathcal{G}(G, H, \mathcal{S})$ is a $(k + 1)$-regular $H$-homogeneous graph. We call this the *Petersen extension* of $\mathrm{Cay}(H, S)$. The adjacency matrix $\widetilde{\mathcal{A}}$ of $\widetilde{X}$ is given by

$$\widetilde{\mathcal{A}} = \begin{pmatrix} \mathcal{A} & I\_n \\ I\_n & \mathcal{A}' \end{pmatrix},$$

where $\mathcal{A}$ and $\mathcal{A}'$ are the adjacency matrices of $X$ and $X'$, and it follows that

$$\det(x I\_{2n} - \widetilde{\mathcal{A}}) = \det(x^2 I\_n - x(\mathcal{A} + \mathcal{A}') + \mathcal{A}\mathcal{A}' - I\_n).$$

**Example 10** When $G = D\_5 = \langle s, t \rangle$, $H = \langle s \rangle$, $S = \{s, s^{-1}\}$, $w = t$ and $\sigma \in \mathrm{Aut}(H)$ is given by $\sigma(h) = h^2$ ($h \in H$), the Petersen extension $\mathcal{G}(G, H, \mathcal{S})$ of $\mathrm{Cay}(H, S)$ is the *Petersen graph* (Fig. 4).

**Remark 11** If $\sigma$ is the identity map of $H$ (i.e. $X' = X$), then the Petersen extension $\mathcal{G}(G, H, \mathcal{S})$ of $\mathrm{Cay}(H, S)$ is just a Cartesian product of $\mathrm{Cay}(H, S)$ and the path graph $P\_1$ (a single edge). In general, it is not true that the Petersen extension $\widetilde{X}$ of $X = \mathrm{Cay}(H, S)$ is Ramanujan when $X$ is Ramanujan. Thus we propose the following problem.

**Problem 1** *Characterize the quintuple $(G, H, S, w, \sigma)$ such that both $\mathrm{Cay}(H, S)$ and its Petersen extension with $w$ and $\sigma$ are Ramanujan.*

#### **6.3.1 Examples: Dihedral case**

We look at the case where $G = D\_n = \langle s, t \rangle$, $H = \langle s \rangle$ and $w = t$, for instance. In this case, an endomorphism $\sigma$ of $H$ is given by $\sigma(h) = h^l$ for certain $l \in \mathbb{Z}$, and $\sigma \in \mathrm{Aut}(H)$ if and only if $\gcd(n, l) = 1$. We also notice that $wSw^{-1} = tSt = S$ for any symmetric generating subset $S$ of $H$.

Let $X\_{n,l} := \mathcal{G}(G, H, \mathcal{S})$ be the Petersen extension of $\mathrm{Cay}(H, S)$ defined by $w$ and $\sigma : H \ni h \mapsto h^l \in H$. Then, the family $\mathcal{S}$ is given by

$$S\_{00} = S, \quad S\_{01} = S\_{10} = \{t\}, \quad S\_{11} = \{s^l \mid s \in S\}.$$

For each character $\varphi \in H^\*$, define

$$\alpha\_{\varphi} := \sum\_{s \in S} \varphi(s), \quad \beta\_{\varphi} := \sum\_{s \in S} \varphi(s^l).$$

By Theorem 2, we see that

$$\det(x I\_{2n} - \mathcal{A}) = \prod\_{\varphi \in H^\*} \det(x I\_2 - \mathcal{A}\_{\varphi}), \qquad \mathcal{A}\_{\varphi} = \begin{pmatrix} \alpha\_{\varphi} & 1 \\ 1 & \beta\_{\varphi} \end{pmatrix},$$

where $\mathcal{A}$ is the adjacency matrix of $X\_{n,l}$. Hence the eigenvalues of $X\_{n,l}$ are given by

$$\frac{\alpha\_{\varphi} + \beta\_{\varphi} \pm \sqrt{(\alpha\_{\varphi} - \beta\_{\varphi})^2 + 4}}{2} \quad (\varphi \in H^\*).$$

**Example 11** If $n \ge 3$ and $S = \{s, s^{-1}\}$, then

$$\begin{aligned} \alpha\_{\varphi} &= e^{\frac{2\pi ij}{n}} + e^{-\frac{2\pi ij}{n}} = 2\cos\frac{2\pi j}{n}, \\ \beta\_{\varphi} &= e^{\frac{2l\pi ij}{n}} + e^{-\frac{2l\pi ij}{n}} = 2\cos\frac{2l\pi j}{n} \end{aligned}$$

for $\varphi \in H^\*$ given by $\varphi(s) = e^{\frac{2\pi ij}{n}}$. Thus the eigenvalues of $X\_{n,l}$ are calculated as

$$\cos \frac{2\pi j}{n} + \cos \frac{2l\pi j}{n} \pm \sqrt{\left(\cos \frac{2\pi j}{n} - \cos \frac{2l\pi j}{n}\right)^2 + 1} \quad (j = 0, 1, \dots, n - 1).$$

We can numerically check that


When *n* is *odd* and gcd(*n*,*l*) = 1 (i.e. σ ∈ Aut(*H*)), then we see that


**Example 12** If $n = 2m \ge 4$ is *even* and $S = \{s, s^m, s^{-1}\}$, then

$$\begin{aligned} \alpha\_{\varphi} &= e^{\frac{2\pi ij}{n}} + e^{\frac{2m\pi ij}{n}} + e^{-\frac{2\pi ij}{n}} = (-1)^j + 2\cos\frac{2\pi j}{n}, \\ \beta\_{\varphi} &= e^{\frac{2l\pi ij}{n}} + e^{\frac{2lm\pi ij}{n}} + e^{-\frac{2l\pi ij}{n}} = (-1)^{lj} + 2\cos\frac{2l\pi j}{n} \end{aligned}$$

for $\varphi \in H^\*$ given by $\varphi(s) = e^{\frac{2\pi ij}{n}}$. We can numerically check that (1) if $m \le 29$ ($n \le 58$), then there exists $l$ such that $X\_{n,l}$ is Ramanujan, (2) if $m \ge 30$ ($n \ge 60$), then $X\_{n,l}$ is not Ramanujan for any choice of $l$.

**Example 13** If $n \ge 5$ and $S = \{s, s^2, s^{-1}, s^{-2}\}$, then

$$\begin{aligned} \alpha\_{\varphi} &= e^{\frac{2\pi ij}{n}} + e^{\frac{4\pi ij}{n}} + e^{-\frac{2\pi ij}{n}} + e^{-\frac{4\pi ij}{n}} = 2\cos\frac{2\pi j}{n} + 2\cos\frac{4\pi j}{n}, \\ \beta\_{\varphi} &= e^{\frac{2l\pi ij}{n}} + e^{\frac{4l\pi ij}{n}} + e^{-\frac{2l\pi ij}{n}} + e^{-\frac{4l\pi ij}{n}} = 2\cos\frac{2l\pi j}{n} + 2\cos\frac{4l\pi j}{n} \end{aligned}$$

for $\varphi \in H^\*$ given by $\varphi(s) = e^{\frac{2\pi ij}{n}}$. We can numerically check that

(1) if *n* ≤ 33, then there exists *l* such that *Xn*,*<sup>l</sup>* is Ramanujan,

(2) if *n* ≥ 34, then *Xn*,*<sup>l</sup>* is not Ramanujan for any choice of *l*.

**Remark 12** In the paper, we discuss the construction of graphs when a finite group $G$ and its subgroup $H$ are given. It would be also interesting to consider the situation where finite groups $G$, $H$ and an epimorphism $p : G \twoheadrightarrow H$ are given (i.e. $H$ is a quotient group of $G$).

**Acknowledgements** This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. The author would like to thank the anonymous reviewer for his/her comments and suggestions.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Post-Quantum Cryptography**

## **A Survey of Solving SVP Algorithms and Recent Strategies for Solving the SVP Challenge**

**Masaya Yasuda**

**Abstract** Recently, lattice-based cryptography has received attention as a candidate of post-quantum cryptography (PQC). The essential security of lattice-based cryptography is based on the hardness of classical lattice problems such as the shortest vector problem (SVP) and the closest vector problem (CVP). A number of algorithms have been proposed for solving SVP exactly or approximately, and most of them are useful also for solving CVP. In this paper, we give a survey of typical algorithms for solving SVP from a mathematical point of view. We also present recent strategies for solving the Darmstadt SVP challenge in dimensions higher than 150.

**Keywords** Shortest vector problem (SVP) · Enumeration · Sieve · Lattice basis reduction · LLL · BKZ · Random sampling · Sub-sieving

## **1 Introduction**

There has recently been a substantial amount of research for large-scale quantum computers. On the other hand, if such computers were built, they could break currently used public-key cryptosystems such as the RSA cryptosystem and the elliptic curve cryptography. (See Shor 1994 for Shor's quantum algorithms.) In order to prepare information security systems to be able to resist quantum computing, the US National Institute of Standards and Technology (NIST) began a process to develop new standards for PQC in 2015 and called for proposals in 2016. Research on lattice-based cryptography as a candidate of PQC has accelerated rapidly. Specifically, at the submission deadline of the end of November 2017 for the call, NIST received more than 20 proposals of lattice-based cryptosystems. Among them, more than 10 proposals were allowed for Round 2 submissions around the end of January 2019. (See the web page of NIST 2016.) The security of such proposals relies on the hardness of cryptographic lattice problems such as learning with errors (LWE) and NTRU. Such problems are reduced to approximate-SVP or approximate-CVP. (For example, see Albrecht et al. 2018 for details.) Therefore, it is becoming more important to understand classical lattice problems for evaluating the security of lattice-based PQC candidates.

M. Yasuda (B)

Institute of Mathematics for Industry, Kyushu University, 744 Motooka, Nishi-ku Fukuoka 819–0395, Japan e-mail: yasuda@imi.kyushu-u.ac.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_15

For a positive integer $n$, a (full-rank) *lattice* $L$ in $\mathbb{R}^n$ is the set of all integral linear combinations of linearly independent vectors $\mathbf{b}\_1, \dots, \mathbf{b}\_n$ in $\mathbb{R}^n$. (The set of the $\mathbf{b}\_i$'s is called a *basis* of $L$.) Given a basis of a lattice $L$, SVP asks to find the non-zero shortest vector in $L$. In this paper, we give a survey of typical algorithms for solving SVP from a mathematical point of view. These algorithms can be classified into two categories, depending on whether they solve SVP exactly or approximately. Exact-SVP algorithms perform an exhaustive search for an integer combination of the basis vectors $\mathbf{b}\_i$'s to find the non-zero shortest lattice vector $\mathbf{v} = \sum\_{i=1}^{n} v\_i \mathbf{b}\_i \in L$, and their cost is expensive. In contrast, approximate-SVP algorithms are much faster than exact algorithms, but they find short lattice vectors, not necessarily the shortest ones. However, exact- and approximate-SVP algorithms are complementary. For example, exact algorithms apply an approximation algorithm as a preprocessing to reduce their expensive cost, while several approximate-SVP algorithms call an exact algorithm in low dimension many times as a subroutine to find a very short lattice vector. In this paper, we also introduce recent strategies for solving the Darmstadt SVP challenge (Darmstadt 2010), in which sample lattice bases are presented in order to test algorithms solving SVP. In particular, these strategies combine approximate- and exact-SVP algorithms to efficiently solve SVP in high dimensions such as $n \ge 150$.

**Notation.** The symbols $\mathbb{Z}$, $\mathbb{Q}$, and $\mathbb{R}$ denote the ring of integers, the field of rational numbers, and the field of real numbers, respectively. Let $\lfloor z \rceil$ denote the integer nearest to $z$. We represent all vectors in *column format*. For $\mathbf{a} = (a\_1, \dots, a\_n) \in \mathbb{R}^n$, let $\|\mathbf{a}\|$ denote its Euclidean norm. For $\mathbf{a} = (a\_1, \dots, a\_n)$ and $\mathbf{b} = (b\_1, \dots, b\_n)$, let $\langle \mathbf{a}, \mathbf{b} \rangle$ denote the inner product $\sum\_{i=1}^{n} a\_i b\_i$. Denote by $V\_n(R)$ the volume of the $n$-dimensional ball of radius $R > 0$ centered at the origin. In particular, we let $\nu\_n = V\_n(1)$ denote the volume of the unit ball. Then $V\_n(R) = \nu\_n R^n$ and

$$\nu\_n = \frac{\pi^{n/2}}{\Gamma(1+n/2)} \sim \frac{1}{\sqrt{\pi n}} \left(\frac{2\pi e}{n}\right)^{n/2}$$

using Stirling's formula, where $\Gamma(s) = \int\_0^{\infty} t^{s-1} e^{-t}\, dt$ denotes the Gamma function.

#### **2 Mathematical Background**

In this section, we introduce basic definitions and properties on lattices, and present famous lattice problems whose hardness ensures the essential security of lattice-based cryptography. (For example, see Galbraith 2012, Part IV or Nguyen 2009 for more details.)

#### *2.1 Lattices and Their Bases*

For a positive integer $n$, let $\mathbf{b}\_1, \dots, \mathbf{b}\_n$ be $n$ linearly independent (column) vectors in $\mathbb{R}^n$. The set of all integral linear combinations of the $\mathbf{b}\_i$'s is a (full-rank) *lattice*

$$L = \mathcal{L}(\mathbf{b}\_1, \dots, \mathbf{b}\_n) = \left\{ \sum\_{i=1}^n v\_i \mathbf{b}\_i \, : \, v\_i \in \mathbb{Z} \text{ for all } 1 \le i \le n \right\}$$

of dimension $n$ with basis $\mathbf{B} = (\mathbf{b}\_1, \dots, \mathbf{b}\_n) \in \mathbb{R}^{n \times n}$. (A basis is regarded not only as a set of vectors, but also as a matrix whose column vectors span a lattice.) Every lattice has infinitely many bases if $n \ge 2$; if two bases $\mathbf{B}\_1$ and $\mathbf{B}\_2$ span the same lattice, then there exists an $n \times n$ unimodular matrix $\mathbf{U} \in \mathrm{GL}\_n(\mathbb{Z})$ with $\mathbf{B}\_1 = \mathbf{B}\_2 \mathbf{U}$. The *volume* of $L$ is defined as $\mathrm{vol}(L) = |\det(\mathbf{B})|$, independent of the choice of bases.

The *Gram–Schmidt orthogonalization* for an (ordered) basis $\mathbf{B}$ is the orthogonal family $\mathbf{B}^\* = (\mathbf{b}\_1^\*, \dots, \mathbf{b}\_n^\*) \in \mathbb{R}^{n \times n}$, recursively defined by $\mathbf{b}\_1^\* = \mathbf{b}\_1$ and for $2 \le i \le n$

$$\mathbf{b}\_{i}^{\*} = \mathbf{b}\_{i} - \sum\_{j=1}^{i-1} \mu\_{i,j} \mathbf{b}\_{j}^{\*}, \text{ where } \mu\_{i,j} = \frac{\langle \mathbf{b}\_{i}, \mathbf{b}\_{j}^{\*} \rangle}{\|\mathbf{b}\_{j}^{\*}\|^{2}} \text{ for } 1 \le j < i \le n.$$

Notice that the Gram–Schmidt vectors $\mathbf{b}\_i^\*$'s depend on the order of basis vectors in $\mathbf{B}$. For convenience, set $\mu = (\mu\_{i,j}) \in \mathbb{R}^{n \times n}$ where we let $\mu\_{i,j} = 0$ for all $i < j$ and $\mu\_{k,k} = 1$ for all $k$. Then $\mathbf{B} = \mathbf{B}^\* \mu$, and thus $\mathrm{vol}(L) = \prod\_{i=1}^{n} \|\mathbf{b}\_i^\*\|$ from the orthogonality of Gram–Schmidt vectors. For $2 \le \ell \le n$, let $\pi\_\ell$ denote the orthogonal projection over the orthogonal supplement of the $\mathbb{R}$-vector space $\langle \mathbf{b}\_1, \dots, \mathbf{b}\_{\ell-1} \rangle\_{\mathbb{R}}$ as

$$\pi\_{\ell}: \mathbb{R}^{n} \longrightarrow \langle \mathbf{b}\_{1}, \dots, \mathbf{b}\_{\ell-1} \rangle\_{\mathbb{R}}^{\perp} = \langle \mathbf{b}\_{\ell}^{\*}, \dots, \mathbf{b}\_{n}^{\*} \rangle\_{\mathbb{R}}, \ \pi\_{\ell}(\mathbf{x}) = \sum\_{i=\ell}^{n} \frac{\langle \mathbf{x}, \mathbf{b}\_{i}^{\*} \rangle}{\|\mathbf{b}\_{i}^{\*}\|^{2}} \mathbf{b}\_{i}^{\*}.$$

Every projection map depends on a basis. We also set π<sup>1</sup> = id for convenience.

## *2.2 Successive Minima, Hermite's Constants, and Gaussian Heuristic*

For every $1 \le i \le n$, the $i$th *successive minimum* of an $n$-dimensional lattice $L$, denoted by $\lambda\_i(L)$, is defined as the minimum of $\max\_{1 \le j \le i} \|\mathbf{v}\_j\|$ over all $i$ linearly independent vectors $\mathbf{v}\_1, \dots, \mathbf{v}\_i \in L$. In particular, the first minimum $\lambda\_1(L)$ is the norm of the shortest non-zero vector in $L$. We clearly have $\lambda\_1(L) \le \lambda\_2(L) \le \dots \le \lambda\_n(L)$ by definition. Moreover, for any basis $\mathbf{B} = (\mathbf{b}\_1, \dots, \mathbf{b}\_n)$ of $L$, its Gram–Schmidt vectors satisfy $\lambda\_i(L) \ge \min\_{i \le j \le n} \|\mathbf{b}\_j^\*\|$ for every $1 \le i \le n$. (See Bremner 2011, Proposition 3.14 for proof.)

Hermite (1850) first proved that the quantity $\lambda\_1(L)^2 / \mathrm{vol}(L)^{2/n}$ is upper bounded over all lattices $L$ of dimension $n$. Its supremum over all lattices of dimension $n$ is called *Hermite's constant* of dimension $n$, denoted by $\gamma\_n$. This implies $\lambda\_1(L) \le \sqrt{\gamma\_n}\, \mathrm{vol}(L)^{1/n}$ for any lattice $L$ of dimension $n$. As its extension, it satisfies

$$\left(\prod\_{i=1}^r \lambda\_i(L)\right)^{1/r} \le \sqrt{\gamma\_n} \text{vol}(L)^{1/n} \text{ for } 1 \le r \le n.$$

This is known as Minkowski's second theorem. (See Martinet 2013, Chap. 2 for proof.) It is important to know the value of $\gamma\_n$ in order to obtain an upper bound of $\lambda\_1(L)$; Minkowski's convex body theorem implies $\gamma\_n \le 4 \nu\_n^{-2/n}$. (See Martinet 2013, Chap. 2 for proof.) This shows that

$$
\lambda\_1(L) \le 2\nu\_n^{-1/n} \mathrm{vol}(L)^{1/n} \tag{1}
$$

for any lattice $L$ of dimension $n$. Moreover, it satisfies $\gamma\_n \le 1 + \frac{n}{4}$ from well-known formulas for $\nu\_n$. It is very difficult to find the exact value of $\gamma\_n$, and such values are known for only a few integers $n$. However, every $\gamma\_n$ is known to be essentially linear in $n$. It also satisfies Mordell's inequality $\gamma\_n \le \gamma\_k^{(n-1)/(k-1)}$ for any $n \ge k \ge 2$. (See Nguyen 2009 for more details on Hermite's constants.)

Given a lattice *L* of dimension *n* and a measurable set *S* in R*<sup>n</sup>*, the *Gaussian Heuristic* predicts that the number of vectors in *L* ∩ *S* is roughly equal to vol(*S*)/vol(*L*). By applying the ball of radius λ1(*L*) centered at the origin in R*<sup>n</sup>*, it leads to the prediction of the norm of the shortest non-zero vector in *L*. Specifically, the expectation of λ1(*L*) according to the Gaussian Heuristic is given by

$$\text{GH}(L) = \nu\_n^{-1/n} \text{vol}(L)^{1/n} \sim \sqrt{\frac{n}{2\pi e}} \text{vol}(L)^{1/n}.$$

This is tight compared to Eq. (1). Note that this is only a heuristic. But for "random" lattices, $\lambda\_1(L)$ is asymptotically equal to $\mathrm{GH}(L)$ with overwhelming probability (Ajtai 1996).

#### *2.3 Introduction to Lattice Problems*

The most famous lattice problem is given below.

**The Shortest Vector Problem (SVP)**

Given a basis $\mathbf{B} = (\mathbf{b}\_1, \dots, \mathbf{b}\_n)$ of a lattice $L$, find the shortest non-zero vector in $L$, that is, a vector $\mathbf{s} \in L$ such that $\|\mathbf{s}\| = \lambda\_1(L)$.

It was proven by Ajtai (1996) that SVP is NP-hard under randomized reductions. SVP can be relaxed by an approximate factor: *Given a basis of a lattice $L$ and an approximation factor $f \ge 1$, find a non-zero vector $\mathbf{v}$ in $L$ such that $\|\mathbf{v}\| \le f \lambda\_1(L)$.* Approximate-SVP is exactly SVP when $f = 1$. It is unlikely that one can efficiently solve approximate-SVP within quasi-polynomial factors in $n$, while approximate-SVP within a factor $n / \log(n)$ is unlikely to be NP-hard. (See Nguyen 2009 for more details.)

Another famous lattice problem is given below.

**The Closest Vector Problem (CVP)**

Given a basis $\mathbf{B} = (\mathbf{b}\_1, \dots, \mathbf{b}\_n)$ of a lattice $L$ and a target vector $\mathbf{t}$, find a vector in $L$ closest to $\mathbf{t}$, that is, a vector $\mathbf{v} \in L$ such that the distance $\|\mathbf{t} - \mathbf{v}\|$ is minimized.

CVP is at least as hard as SVP. As in the case of SVP, we can define an approximate variant of CVP by an approximate factor. Approximate-CVP is also at least as hard as approximate-SVP with the same factor. From a practical point of view, both are considered equally hard, due to Kannan's embedding technique Kannan (1987) which can transform approximate-CVP into approximate-SVP. (See also Galbraith 2012 for the embedding.)

The security of modern lattice-based cryptosystems is based on the hardness of cryptographic lattice problems, such as the LWE and the NTRU problems. (For example, see NIST 2016 for NIST post-quantum candidates.) Such lattice problems are reduced to approximate-SVP or approximate-CVP. (For example, see Albrecht et al. 2018 for details.)

#### **3 Solving SVP Algorithms**

In this section, we present typical algorithms for solving SVP. These algorithms can be classified into two categories, depending on whether they solve SVP *exactly* or *approximately*. However, both categories are *complementary*; exact algorithms first apply an approximation algorithm as a preprocessing to reduce their cost, while blockwise algorithms (e.g., the BKZ algorithm presented below) call many times an exact algorithm in low dimension as a subroutine to find a very short lattice vector.

#### *3.1 Exact-SVP Algorithms*

Exact-SVP algorithms find the non-zero shortest lattice vector, but they are expensive. These algorithms perform an exhaustive search of all short vectors, whose number is exponential in the dimension (in the worst case). These algorithms can be split into two categories: polynomial-space algorithms and exponential-space algorithms.

#### **3.1.1 Polynomial-Space Exact Algorithms: Enumeration**

They are based on *enumeration*, which dates back to the early 1980s with work by Pohst (1981), Kannan (1983), and Fincke–Pohst (1985). Enumeration is simply an exhaustive search for an integer combination of the basis vectors such that the lattice vector is the shortest. An enumeration algorithm takes as input an enumeration radius $R > 0$ and a basis $\mathbf{B} = (\mathbf{b}\_1, \dots, \mathbf{b}\_n)$ of a lattice $L$, and outputs all non-zero vectors $\mathbf{s}$ in $L$ such that $\|\mathbf{s}\| \le R$ (if they exist). The radius $R$ is taken as an upper bound of $\lambda\_1(L)$, like $\sqrt{\gamma\_n}\, \mathrm{vol}(L)^{1/n}$, to find the shortest non-zero lattice vector. It goes through the enumeration tree formed by all vectors in the projected lattices $\pi\_n(L), \pi\_{n-1}(L), \dots, \pi\_1(L) = L$ with norm at most $R$. More precisely, the enumeration tree is a tree of depth $n$, and for each $1 \le k \le n + 1$, the nodes at depth $n + 1 - k$ are all the vectors in the projected lattice $\pi\_k(L)$ with norm at most $R$. In particular, the root of the tree is the zero vector because $\pi\_{n+1}(L) = \{\mathbf{0}\}$. The parent of a node $\mathbf{u} \in \pi\_k(L)$ at depth $n + 1 - k$ is the node $\pi\_{k+1}(\mathbf{u})$ at depth $n - k$. The child nodes are arranged in order of norms.

Here we introduce the basic idea of the Schnorr–Euchner algorithm Schnorr and Euchner (1994), which is a depth-first search of the enumeration tree that finds all leaves in practice. (cf. Kannan's algorithm (1983) is asymptotically superior in running time, but it is not competitive in practice due to the substantial overhead of its recursive procedures. See also Micciancio and Walter 2014 for such a discussion.) We represent the shortest non-zero vector as $\mathbf{s} = v_1\mathbf{b}_1 + \cdots + v_n\mathbf{b}_n \in L$ for some unknown integers $v_i$. With the Gram–Schmidt information of $\mathbf{B}$, it is rewritten as

$$\mathbf{s} = \sum_{i=1}^{n} v_i \left( \mathbf{b}_i^* + \sum_{j=1}^{i-1} \mu_{i,j} \mathbf{b}_j^* \right) = \sum_{j=1}^{n} \left( v_j + \sum_{i=j+1}^{n} \mu_{i,j} v_i \right) \mathbf{b}_j^*.$$

Due to the orthogonality of the Gram–Schmidt vectors $\mathbf{b}_j^*$, the squared norms of the projections of $\mathbf{s}$ are given, for every $1 \le k \le n$, by

$$\left\|\pi_{k}(\mathbf{s})\right\|^{2} = \sum_{j=k}^{n} \left(v_{j} + \sum_{i=j+1}^{n} \mu_{i,j} v_{i}\right)^{2} \left\|\mathbf{b}_{j}^{*}\right\|^{2}.$$

If $\mathbf{s}$ is a leaf of the enumeration tree, then its projections all satisfy $\|\pi_k(\mathbf{s})\|^2 \le R^2$ for $1 \le k \le n$. These $n$ inequalities together with the above equations enable an exhaustive search for the integral coordinates $v_n, v_{n-1}, \ldots, v_1$ of $\mathbf{s}$:

$$\left(v_k + \sum_{i=k+1}^n \mu_{i,k} v_i\right)^2 \le \frac{R^2 - \sum_{j=k+1}^n \left(v_j + \sum_{i=j+1}^n \mu_{i,j} v_i\right)^2 \|\mathbf{b}_j^*\|^2}{\|\mathbf{b}_k^*\|^2} \tag{2}$$

for every $1 \le k \le n$. We start with $k = n$ in Eq. (2), that is, $0 \le v_n \le R/\|\mathbf{b}_n^*\|$, because we can restrict to "positive" nodes due to the symmetry of the enumeration tree. Choosing a candidate for $v_n$, we move to the next index $k = n-1$ in Eq. (2), that is, $(v_{n-1} + \mu_{n,n-1} v_n)^2 \le (R^2 - v_n^2 \|\mathbf{b}_n^*\|^2)/\|\mathbf{b}_{n-1}^*\|^2$, to find a candidate for $v_{n-1}$. Repeating this procedure, assume that the integers $v_n, \ldots, v_{k+1}$ have been found for some $1 < k < n$. Then Eq. (2) enables us to compute an interval $I_k$ such that $v_k \in I_k$, and thus to perform an exhaustive search for the integer $v_k$. A depth-first search of the tree corresponds to enumerating the interval from its middle, namely a zig-zag search like

$$v_k = \lfloor c_k \rceil,\ \lfloor c_k \rceil \pm 1,\ \lfloor c_k \rceil \pm 2,\ \cdots$$

where $c_k = -\sum_{i=k+1}^{n} \mu_{i,k} v_i$ and $\lfloor \cdot \rceil$ denotes rounding to the nearest integer. The basic Schnorr–Euchner enumeration algorithm Schnorr and Euchner (1994) is as below (see Gama et al. 2010, Algorithm 2 for the algorithm with some improvements).

#### **Algorithm: The basic Schnorr–Euchner enumeration Schnorr and Euchner (1994)**

**Input:** A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$ and a radius $R$ with $\lambda_1(L) \le R$
**Output:** The shortest non-zero vector $\mathbf{s} = \sum_{i=1}^{n} v_i \mathbf{b}_i$ in $L$

```
 1: Compute Gram–Schmidt information μ_{i,j} and ‖b*_i‖² of B
 2: (ρ_1, ..., ρ_{n+1}) = 0, (v_1, ..., v_n) = (1, 0, ..., 0), (c_1, ..., c_n) = 0, (w_1, ..., w_n) = 0
 3: k = 1, last_nonzero = 1                      // largest i for which v_i ≠ 0
 4: while true do
 5:   ρ_k ← ρ_{k+1} + (v_k − c_k)² · ‖b*_k‖²        // ρ_k = ‖π_k(s)‖²
 6:   if ρ_k ≤ R² and k > 1 then                 // going down the tree
 7:     k ← k − 1, c_k ← −Σ_{i=k+1}^{n} μ_{i,k} v_i, v_k ← ⌊c_k⌉, w_k ← 1
 8:   else
 9:     if ρ_k ≤ R² then R² ← ρ_k, s ← Σ_{i=1}^{n} v_i b_i   // leaf (k = 1): update the squared radius
10:     k ← k + 1                                // going up the tree (also after a leaf, so that the same leaf is not revisited)
11:     if k = n + 1 then return s
12:     if k ≥ last_nonzero then last_nonzero ← k, v_k ← v_k + 1
13:     else
14:       if v_k > c_k then v_k ← v_k − w_k else v_k ← v_k + w_k   // zig-zag search
15:       w_k ← w_k + 1
16:     end if
17:   end if
18: end while
```
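The enumeration above, written out as an added example (it is not code from the chapter or from any library it cites): exact rational arithmetic, the text's 1-based level index $k$, and a constructed two-dimensional basis of $\mathbb{Z}^2$ whose vectors are both long, so that the search has to descend and zig-zag before it reaches a norm-1 leaf.

```python
from fractions import Fraction
from math import floor

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt: returns (b*_1..b*_n, mu) with mu[i][j] = <b_i, b*_j>/||b*_j||^2 (0-indexed)."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(B[i], Bs[j])) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def nearest_int(c):
    """Rounding to the nearest integer (ties go up), written |c] in the text."""
    return floor(c + Fraction(1, 2))

def enumerate_shortest(B, R2):
    """Schnorr-Euchner depth-first enumeration over the tree of pi_n(L), ..., pi_1(L).
    Returns (squared norm, coefficients v) of the shortest non-zero lattice vector with
    squared norm at most R2, or None if none exists.  k follows the text: k = 1 is the leaf level."""
    n = len(B)
    Bs, mu = gram_schmidt(B)
    bstar2 = [dot(b, b) for b in Bs]                  # ||b*_k||^2, stored 0-indexed
    rho = [Fraction(0)] * (n + 2)                     # rho[k] = ||pi_k(s)||^2, rho[n+1] = 0
    v = [0] * (n + 1); v[1] = 1                       # start at s = b_1
    c = [Fraction(0)] * (n + 1)                       # centres c_k = -sum_{i>k} mu_{i,k} v_i
    w = [0] * (n + 1)                                 # zig-zag step widths
    k, last_nonzero = 1, 1                            # largest i with v_i != 0 (keeps s != 0)
    R2 = Fraction(R2)
    best = None
    while True:
        rho[k] = rho[k + 1] + (v[k] - c[k]) ** 2 * bstar2[k - 1]
        if rho[k] <= R2 and k > 1:
            # inside the radius and not yet at a leaf: go down one level, starting at the centre
            k -= 1
            c[k] = -sum(mu[i - 1][k - 1] * v[i] for i in range(k + 1, n + 1))
            v[k] = nearest_int(c[k])
            w[k] = 1
            continue
        if k == 1 and rho[1] <= R2:
            # a leaf inside the radius: shrink the radius and remember the vector
            R2, best = rho[1], (rho[1], v[1:])
        k += 1                                        # going up the tree
        if k == n + 1:
            return best
        if k >= last_nonzero:
            last_nonzero, v[k] = k, v[k] + 1          # only "positive" nodes at the top-most non-zero index
        else:
            v[k] = v[k] - w[k] if v[k] > c[k] else v[k] + w[k]   # zig-zag search around c_k
            w[k] += 1

def coefficients_to_vector(B, coeffs):
    return [sum(x * b[j] for x, b in zip(coeffs, B)) for j in range(len(B[0]))]

if __name__ == "__main__":
    # constructed input: (5,2) and (7,3) generate Z^2, so lambda_1 = 1 although both basis vectors are long
    B = [[5, 2], [7, 3]]
    norm2, coeffs = enumerate_shortest(B, R2=1)
    print(norm2, coeffs, coefficients_to_vector(B, coeffs))
```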

The running time of the enumeration algorithm fully depends on the total number $N$ of tree nodes. An estimate of $N$ can be derived from the Gaussian Heuristic. More precisely, the number of nodes at level $\ell$ is exactly half the number of vectors in the projected lattice $\pi_{n+1-\ell}(L)$ with norm at most $R$. Since $\mathrm{vol}(\pi_{n+1-\ell}(L)) = \prod_{i=n+1-\ell}^{n} \|\mathbf{b}_i^*\|$, the Gaussian Heuristic predicts the number of nodes at level $\ell$ scanned by the Schnorr–Euchner algorithm to be close to

$$H_{\ell} \approx \frac{1}{2} \cdot \frac{V_{\ell}(R)}{\prod_{i=n+1-\ell}^{n} \|\mathbf{b}_{i}^{*}\|}.$$

Then $N \approx \sum_{\ell=1}^{n} H_\ell$. For a "good" basis (reduced by LLL or BKZ, introduced in the next subsection), we have $\|\mathbf{b}_i^*\| / \|\mathbf{b}_{i+1}^*\| \approx q$ for some constant $q$. This is called the *geometric series assumption (GSA)*,<sup>1</sup> first introduced by Schnorr (2003). The constant $q$ depends on the reduction algorithm. For example, we experimentally have $q \approx 1.04$ by LLL and $q \approx 1.025$ by BKZ with blocksize 20 for high-dimensional lattices (see Gama and Nguyen 2008 for details). Now we take the enumeration radius $R = \sqrt{\gamma_n}\,\mathrm{vol}(L)^{1/n}$, which is optimal in the worst case. With the constant $q$, we estimate

$$H_{\ell} \approx \frac{q^{(n-\ell)(n-1)/2}\, V_{\ell}(\sqrt{\gamma_n})}{2\, q^{(n-\ell-1)(n-\ell)/2}} = q^{\ell(n-\ell)/2}\, 2^{O(n)}$$

since we can roughly estimate $V_\ell(\sqrt{\gamma_n}) = 2^{O(n)}$ from $\sqrt{\gamma_n} = \Theta(\sqrt{n})$ Gama et al. (2010). The right-hand term is maximized for $\ell = n/2$, and it is less than $q^{n^2/8}\, 2^{O(n)}$. Thus the maximum of $H_\ell$ is super-exponential in $n$ and is reached for $\ell \approx n/2$. (See Gama et al. 2010, Fig. 1 for the actual number of nodes, which is very close to this prediction.) Since a smaller $q$ is obtained for a more reduced basis, this shows that the more reduced the input basis is, the fewer nodes the enumeration tree has, and the cheaper the enumeration cost.

It is possible to obtain substantial speedups using the *pruning* techniques of Gama et al. (2010). Their idea is not to enumerate all the tree nodes, but to discard certain branches. (See Aono et al. 2018 for a lower bound on the time complexity of pruned enumeration.) However, this decreases the success probability of finding the shortest non-zero lattice vector $\mathbf{s}$. For instance, one might intuitively hope that $\|\pi_{n/2}(\mathbf{s})\|^2 \lesssim \|\mathbf{s}\|^2/2$, which is more restrictive than the inequality $\|\pi_{n/2}(\mathbf{s})\|^2 \le \|\mathbf{s}\|^2$. Formally, pruning replaces each of the $n$ inequalities $\|\pi_k(\mathbf{s})\|^2 \le R^2$ by $\|\pi_k(\mathbf{s})\|^2 \le R_{n+1-k}^2$, where $R_1 \le \cdots \le R_n = R$ are $n$ real numbers defined by a pruning strategy. A pruning parameter is set in the fplll library The FPLLL development team (2016), and a pruning function for setting the $R_i$ is implemented in the progressive BKZ library Aono et al. (2016).

#### **3.1.2 Exponential-Space Exact Algorithms: Sieve**

These algorithms have a better asymptotic running time, but they all require exponential space $2^{\Theta(n)}$. The first algorithm of this kind is the randomized sieve algorithm proposed by Ajtai, Kumar, and Sivakumar (AKS) Ajtai et al. (2001). The AKS algorithm outputs the shortest lattice vector with overwhelming probability, and its asymptotic complexity is much better than that of deterministic enumeration algorithms with $2^{O(n^2)}$ time complexity. The main idea is as follows (see also Nguyen 2008, Sect. 3 or Nguyen 2009): Given a lattice $L$ of dimension $n$, consider a ball $S$ centered at the origin and of radius $r$ with $\lambda_1(L) \le r \le O(\lambda_1(L))$. Then $\#(L \cap S) = 2^{O(n)}$ based on the Gaussian Heuristic. If we could perform an exhaustive search for all vectors in $L \cap S$, we could find the shortest lattice vector within $2^{O(n)}$ polynomial-time operations. Enumeration enables an exhaustive search of $L \cap S$, but it requires going through all the vectors in the union set $\tilde{S} = \bigcup_{k=1}^{n} (\pi_k(L) \cap S)$, whose total number is much larger than $\#(L \cap S)$. In contrast, the AKS algorithm performs a randomized sampling of $L \cap S$, without going through the set $\tilde{S}$. If the sampling were uniform over $L \cap S$, a short lattice vector would be included in $N$ samples with probability close to 1 for $N \gg \#(L \cap S)$. Unfortunately, it is unclear whether this uniformity property is satisfied by the AKS sampling. However, it can be shown that there exists a vector $\mathbf{w} \in L \cap S$ such that $\mathbf{w}$ and $\mathbf{w} + \mathbf{s}$ can both be sampled with non-zero probability for some shortest lattice vector $\mathbf{s}$. Thus the shortest lattice vector is obtained by computing the shortest difference among all pairs of the $N$ sampled vectors in $L \cap S$.

<sup>1</sup>This assumption states that for a reduced basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$, the plots of its Gram–Schmidt log-norms $\log\|\mathbf{b}_i^*\|$ for $1 \le i \le n$ lie on a straight line. (For example, see Schnorr 2003, Fig. 1.)

There are several heuristic variants of the AKS algorithm with time complexity $2^{O(n)}$ and space complexity exponential in $n$ for an $n$-dimensional lattice $L$: Bai et al. (2016), Herold and Kirshanova (2017), Micciancio and Voulgaris (2010), Nguyen (2008). Given a basis of $L$, these algorithms build databases of lattice vectors with norms at most $R \cdot \mathrm{GH}(L)$ for a small constant $R > 0$ such as $R^2 = 4/3$. In generic sieves, it is checked whether the sum or the difference of any pair of vectors in the database becomes shorter. The basic sieve algorithm is as below.

#### **Algorithm: The basic sieve**

**Input:** A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$ and a size parameter $N = (4/3)^{n/2 + o(n)}$
**Output:** A database of $N$ short vectors in $L$

```
1: Take a set D of N random vectors in L (with norm at most 2^n vol(L)^{1/n})
2: while ∃(v, w) ∈ D² such that ‖v + w‖ < ‖v‖ (resp., ‖v − w‖ < ‖v‖) do
3:   v ← v + w (resp., v ← v − w)        // update vectors in the database D
4: end while
5: return D
```

In Step 1 of the above algorithm, the initialization of the database $D$ can be performed by first computing an LLL-reduced basis (see the next subsection for the LLL reduction), and taking random small integral combinations of the basis vectors. (A natural idea is to use a stronger reduction algorithm such as BKZ in order to generate shorter initial vectors.) The Nguyen–Vidick sieve (2008) finds pairs of vectors $(\mathbf{v}_1, \mathbf{v}_2)$ from $D$ whose sum or difference gives a shorter vector, that is, $\|\mathbf{v}_1 \pm \mathbf{v}_2\| < \max_{\mathbf{v} \in D} \|\mathbf{v}\|$. Once such a pair is found, the longest vector in the database is replaced by $\mathbf{v}_1 \pm \mathbf{v}_2$. The database size is fixed a priori to the asymptotic heuristic minimum $2^{0.2075n + o(n)}$ in order to find enough such pairs. The running time is quadratic in the database size. The Gauss sieve (2010) is a variant of the Nguyen–Vidick sieve with substantial improvements; the main improvement is to divide the database into two parts, the so-called "list" part and the "queue" part. Both parts are separately sorted by Euclidean norm in order to make early reduction likely. When updating vectors, the queue part makes it possible to avoid considering the same pair several times. The running time and the database size of the Gauss sieve are asymptotically the same as for the Nguyen–Vidick sieve, but its performance is better in practice. The 3-sieve Bai et al. (2016), Herold and Kirshanova (2017) searches for triples of lattice vectors whose sum gives a shorter vector. (cf. the Nguyen–Vidick and Gauss sieves are 2-sieves.) There are more possible triples than pairs for shortening vectors in the database, but a search for such triples is more costly. (Filtering techniques Herold and Kirshanova 2017 are required to speed up such a search.) Several tricks and techniques have been proposed to improve sieve algorithms, such as the SimHash technique Charikar (2002), Ducas (2018), Fitzpatrick et al. (2014). Several practical sieve algorithms have also been implemented in the fplll library The FPLLL development team (2016).
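The basic sieve loop of Steps 2–5, as an added example that is not code from the chapter or from fplll: vectors are reduced in place by pairwise sums and differences until no pair shortens anything, with the database kept sorted by norm as the Gauss sieve does. Step 1 is replaced by random small combinations of a constructed basis (no LLL preprocessing here), and the database size $N$ is a toy value rather than $(4/3)^{n/2}$.

```python
import random

def norm2(v):
    return sum(x * x for x in v)

def add(u, v):
    return [a + b for a, b in zip(u, v)]

def sub(u, v):
    return [a - b for a, b in zip(u, v)]

def random_database(B, N, coeff_bound, rng):
    """Step 1 (toy version): N random non-zero lattice vectors, taken as small integer
    combinations of the basis vectors; the coefficient bound stands in for the norm bound."""
    n, m = len(B), len(B[0])
    D = []
    while len(D) < N:
        x = [rng.randint(-coeff_bound, coeff_bound) for _ in range(n)]
        v = [sum(x[i] * B[i][j] for i in range(n)) for j in range(m)]
        if norm2(v) > 0:
            D.append(v)
    return D

def basic_sieve(D):
    """Steps 2-5: replace a vector v by v + w or v - w whenever that is strictly shorter.
    Each v is compared only with vectors w that are no longer than v: if ||v +- w|| < ||v|| < ||w||
    then w is the one reduced by v instead.  Zero results are never kept, so norms strictly
    decrease and the loop terminates."""
    D = [list(v) for v in D]
    while True:
        D.sort(key=norm2)                       # shorter vectors first (as the Gauss sieve does)
        reduced = False
        for i in range(len(D)):
            for j in range(i):
                w = D[j]
                for cand in (add(D[i], w), sub(D[i], w)):
                    if 0 < norm2(cand) < norm2(D[i]):
                        D[i] = cand
                        reduced = True
        if not reduced:
            return D

def is_pairwise_reduced(D):
    """Termination condition of Step 2: no pair (v, w) in D shortens v."""
    return all(not (0 < norm2(c) < norm2(v))
               for v in D for w in D if v is not w
               for c in (add(v, w), sub(v, w)))

if __name__ == "__main__":
    B = [[5, 2], [7, 3]]                        # constructed basis: it generates Z^2, so lambda_1 = 1
    D = basic_sieve(random_database(B, N=16, coeff_bound=3, rng=random.Random(1)))
    print(sorted(set(map(tuple, D)), key=norm2))
```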

#### *3.2 Approximate-SVP Algorithms*

These algorithms are much faster than exact algorithms, but they output short lattice vectors, not necessarily the shortest ones.

#### **3.2.1 LLL Reduction**

The first efficient approximate-SVP algorithm is the celebrated algorithm by Lenstra, Lenstra, and Lovász (LLL) Lenstra et al. (1982). Nowadays it is known as the most famous algorithm for *lattice basis reduction*, which finds a lattice basis with short and nearly orthogonal basis vectors. Such a basis is called *reduced* or *good*. We introduce the notion of LLL reduction. Let $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ be a basis of a lattice $L$, and $\mathbf{B}^* = (\mathbf{b}_1^*, \ldots, \mathbf{b}_n^*)$ its Gram–Schmidt vectors with coefficients $\mu_{i,j}$. For a parameter $1/4 < \delta < 1$, the basis $\mathbf{B}$ is called δ-*LLL-reduced* if it satisfies two conditions: (i) (Size-reduction condition) $|\mu_{i,j}| \le 1/2$ for all $1 \le j < i \le n$. (ii) (Lovász' condition) $\delta \|\mathbf{b}_{k-1}^*\|^2 \le \|\pi_{k-1}(\mathbf{b}_k)\|^2$ for all $2 \le k \le n$. This can be rewritten as $\|\mathbf{b}_k^*\|^2 \ge (\delta - \mu_{k,k-1}^2)\|\mathbf{b}_{k-1}^*\|^2$. Any δ-LLL-reduced basis satisfies the properties below (see Bremner 2011 for a proof):


Given any basis of $L$, the LLL algorithm finds a δ-LLL-reduced basis of $L$. As seen from the second property above, it can solve approximate-SVP with factor $\alpha^{(n-1)/2}$. The basic LLL algorithm is given below (see also Galbraith 2012, Chap. 17 or Nguyen 2009).

#### **Algorithm: The basic LLL Lenstra et al. (1982)**

**Input:** A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$, and a reduction parameter $1/4 < \delta < 1$
**Output:** A δ-LLL-reduced basis $\mathbf{B}$ of $L$

```
 1: Compute Gram–Schmidt information μ_{i,j} and ‖b*_i‖² of the input basis B
 2: k ← 2
 3: while k ≤ n do
 4:   Size-reduce B = (b_1, ..., b_n)   // At each k, we recursively change b_k ← b_k − ⌊μ_{k,j}⌉ b_j for 1 ≤ j ≤ k − 1 (e.g., see Galbraith 2012, Algorithm 24)
 5:   if (b_{k−1}, b_k) satisfies Lovász' condition then
 6:     k ← k + 1
 7:   else
 8:     Swap b_k with b_{k−1}, and update the Gram–Schmidt information of B
 9:     k ← max(k − 1, 2)
10:   end if
11: end while
```

In the LLL algorithm, a pair of adjacent basis vectors $(\mathbf{b}_{k-1}, \mathbf{b}_k)$ is swapped if it does not satisfy Lovász' condition. Thus the output basis is δ-LLL-reduced if the algorithm terminates. The quantity $\mathrm{Pot}(\mathbf{B}) = \prod_{i=1}^{n-1} \|\mathbf{b}_i^*\|^{2(n-i)}$ is called the *potential* of the basis $\mathbf{B}$. Every swap in the LLL algorithm decreases the potential of the input basis by a factor of at least $\delta < 1$. (cf. the size-reduction procedure does not change the potential.) This guarantees the termination of the LLL algorithm in time polynomial in $n$. Furthermore, the LLL algorithm is also applicable to linearly dependent vectors to remove their linear dependency. (See Bremner 2011, Chap. 6, Cohen 2013, Sect. 2.6.4, Pohst 1987 or Sims 1994, Sect. 8.7 for details.)

#### **3.2.2 Variants of LLL**

LLL with Deep Insertions (DeepLLL)

This variant is a straightforward generalization of LLL, in which *non-adjacent* basis vectors can be exchanged. Specifically, a basis vector $\mathbf{b}_k$ is inserted between $\mathbf{b}_{i-1}$ and $\mathbf{b}_i$ as $\sigma_{i,k}(\mathbf{B}) = (\ldots, \mathbf{b}_{i-1}, \mathbf{b}_k, \mathbf{b}_i, \ldots, \mathbf{b}_{k-1}, \mathbf{b}_{k+1}, \ldots)$, called a *deep insertion*, if the so-called deep exchange condition $\|\pi_i(\mathbf{b}_k)\|^2 < \delta \|\mathbf{b}_i^*\|^2$ is satisfied for $1/4 < \delta < 1$. In this case, the new GSO vector at the $i$th position is given by $\pi_i(\mathbf{b}_k)$, strictly shorter than the old GSO vector $\mathbf{b}_i^*$. A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ is called δ-*DeepLLL-reduced* if it satisfies two conditions: (i) it is size-reduced; (ii) $\|\pi_i(\mathbf{b}_k)\|^2 \ge \delta \|\mathbf{b}_i^*\|^2$ for all $1 \le i < k \le n$. (The case $i = k-1$ is just Lovász' condition.) Any δ-DeepLLL-reduced basis satisfies the properties below (Yasuda and Yamaguchi 2019, Theorem 1):


These properties are strictly stronger than the case of LLL. The basic DeepLLL algorithm Schnorr and Euchner (1994) is given below (see also Bremner 2011, Fig. 5.1 or Cohen 2013, Algorithm 2.6.4).

#### **Algorithm: The basic DeepLLL Schnorr and Euchner (1994)**

**Input:** A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$, and a reduction parameter $1/4 < \delta < 1$
**Output:** A δ-DeepLLL-reduced basis $\mathbf{B}$ of $L$

```
 1: Compute Gram–Schmidt information μ_{i,j} and ‖b*_i‖² of the input basis B
 2: k ← 2
 3: while k ≤ n do
 4:   Size-reduce B as in LLL
 5:   C ← ‖b_k‖², i ← 1
 6:   while i < k do                              // invariant: C = ‖π_i(b_k)‖²
 7:     if C ≥ δ‖b*_i‖² then
 8:       C ← C − μ²_{k,i} ‖b*_i‖² and i ← i + 1
 9:     else
10:       B ← σ_{i,k}(B)                           // a deep insertion
11:       Update the Gram–Schmidt information of B, and k ← max(i, 2) − 1
12:     end if
13:   end while
14:   k ← k + 1
15: end while
```
Compared with LLL, it is complicated to update the Gram–Schmidt information of $\mathbf{B}$ after every deep insertion. (See Yamaguchi and Yasuda 2017.) A deep insertion does not always decrease the potential of the basis, and thus the complexity of DeepLLL is no longer polynomial-time but potentially super-exponential in the lattice dimension. However, DeepLLL often finds much shorter lattice vectors than LLL in practice Gama and Nguyen (2008).
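Both the basic LLL and the basic DeepLLL of the two algorithm listings above, as one added example (not the chapter's code, nor fplll's): exact rational arithmetic, indices shifted to 0-based, and checkers for the δ-LLL-reduced and δ-DeepLLL-reduced conditions so the two outputs can be compared on the same constructed input. The Gram–Schmidt information is simply recomputed after each swap or deep insertion instead of being updated incrementally.

```python
from fractions import Fraction
from math import floor

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Exact GSO: returns (b*_1..b*_n, mu) with mu[i][j] = <b_i, b*_j>/||b*_j||^2 and mu[i][i] = 1."""
    n = len(B)
    Bs, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        mu[i][i] = Fraction(1)
        for j in range(i):
            mu[i][j] = Fraction(dot(B[i], Bs[j])) / dot(Bs[j], Bs[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bs[j])]
        Bs.append(v)
    return Bs, mu

def size_reduce(B, mu):
    """b_k <- b_k - |mu_{k,j}] b_j for j = k-1 down to 1, in place; the b*_i stay fixed, mu is updated."""
    for k in range(1, len(B)):
        for j in range(k - 1, -1, -1):
            q = floor(mu[k][j] + Fraction(1, 2))
            if q:
                B[k] = [a - q * b for a, b in zip(B[k], B[j])]
                for l in range(j + 1):
                    mu[k][l] -= q * mu[j][l]

def lll(B, delta=Fraction(3, 4)):
    """The basic LLL of the text; k is 0-indexed here, so the text's k = 2 is k = 1."""
    B, n, k = [list(b) for b in B], len(B), 1
    while k < n:
        Bs, mu = gram_schmidt(B)
        size_reduce(B, mu)
        lovasz_lhs = delta * dot(Bs[k - 1], Bs[k - 1])
        lovasz_rhs = dot(Bs[k], Bs[k]) + mu[k][k - 1] ** 2 * dot(Bs[k - 1], Bs[k - 1])  # ||pi_{k-1}(b_k)||^2
        if lovasz_lhs <= lovasz_rhs:
            k += 1
        else:
            B[k - 1], B[k] = B[k], B[k - 1]      # swap; the GSO is recomputed at the top of the loop
            k = max(k - 1, 1)
    return B

def deep_lll(B, delta=Fraction(3, 4)):
    """The basic DeepLLL of the text (0-indexed): C tracks ||pi_i(b_k)||^2 while i runs up to k-1."""
    B, n, k = [list(b) for b in B], len(B), 1
    while k < n:
        Bs, mu = gram_schmidt(B)
        size_reduce(B, mu)
        C, i = Fraction(dot(B[k], B[k])), 0
        while i < k:
            if C >= delta * dot(Bs[i], Bs[i]):
                C -= mu[k][i] ** 2 * dot(Bs[i], Bs[i])
                i += 1
            else:
                B.insert(i, B.pop(k))             # deep insertion sigma_{i,k}
                k = max(i, 1) - 1                 # the text's k <- max(i, 2) - 1
                break
        k += 1
    return B

def is_lll_reduced(B, delta=Fraction(3, 4)):
    Bs, mu = gram_schmidt(B)
    n = len(B)
    size_ok = all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i))
    lovasz_ok = all(delta * dot(Bs[k - 1], Bs[k - 1])
                    <= dot(Bs[k], Bs[k]) + mu[k][k - 1] ** 2 * dot(Bs[k - 1], Bs[k - 1])
                    for k in range(1, n))
    return size_ok and lovasz_ok

def is_deep_lll_reduced(B, delta=Fraction(3, 4)):
    """Size-reduced and ||pi_i(b_k)||^2 >= delta ||b*_i||^2 for all i < k (strictly stronger than LLL)."""
    Bs, mu = gram_schmidt(B)
    n = len(B)
    if not all(abs(mu[i][j]) <= Fraction(1, 2) for i in range(n) for j in range(i)):
        return False
    return all(sum(mu[k][l] ** 2 * dot(Bs[l], Bs[l]) for l in range(i, k + 1)) >= delta * dot(Bs[i], Bs[i])
               for k in range(n) for i in range(k))

def squared_volume(B):
    """vol(L)^2 = prod ||b*_i||^2, a lattice invariant used as a sanity check on the output."""
    vol2 = Fraction(1)
    for b in gram_schmidt(B)[0]:
        vol2 *= dot(b, b)
    return vol2

if __name__ == "__main__":
    B = [[1, 1, 1], [-1, 0, 2], [3, 5, 6]]       # constructed input basis
    print(lll(B), deep_lll(B))
```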

Block Korkine–Zolotarev (BKZ) Algorithm

Let us first introduce a strong notion of reduction: A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$ is called *HKZ-reduced* if it is size-reduced and satisfies $\|\mathbf{b}_i^*\| = \lambda_1(\pi_i(L))$ for all $1 \le i \le n$. For $1 \le i \le j \le n$, denote by $\mathbf{B}_{[i,j]}$ the local projected block $(\pi_i(\mathbf{b}_i), \pi_i(\mathbf{b}_{i+1}), \ldots, \pi_i(\mathbf{b}_j))$, and by $L_{[i,j]}$ the lattice spanned by $\mathbf{B}_{[i,j]}$. The notion of BKZ-reduction is a local block version of HKZ-reduction Schnorr (1987), Schnorr (1992), Schnorr and Euchner (1994). For a blocksize $2 \le \beta \le n$, a basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$ is called β-*BKZ-reduced* if it is size-reduced and every local block $\mathbf{B}_{[j,j+\beta-1]}$ is HKZ-reduced for $1 \le j \le n-\beta+1$. The second condition means $\|\mathbf{b}_j^*\| = \lambda_1(L_{[j,k]})$ for $1 \le j \le n-1$ with $k = \min(j+\beta-1, n)$. Every β-BKZ-reduced basis satisfies $\|\mathbf{b}_1\| \le \gamma_\beta^{(n-1)/(\beta-1)} \lambda_1(L)$ Schnorr (1992). The BKZ algorithm Schnorr and Euchner (1994) finds a β-BKZ-reduced basis, and it calls LLL to reduce every local block before finding the shortest vector of the block lattice. (As β increases, a shorter lattice vector can be found, but the running time becomes more costly.)

#### **Algorithm: The basic BKZ Schnorr and Euchner (1994)**

**Input:** A basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$, a blocksize $2 \le \beta \le n$, and a reduction parameter $1/4 < \delta < 1$ of LLL
**Output:** A β-BKZ-reduced basis $\mathbf{B}$ of $L$

```
 1: B ← LLL(B, δ)        // Compute μ_{i,j} and ‖b*_j‖² of the new basis B together
 2: z ← 0, j ← 0
 3: while z < n − 1 do
 4:   j ← (j mod (n − 1)) + 1, k ← min(j + β − 1, n), h ← min(k + 1, n)
 5:   Find v ∈ L such that ‖π_j(v)‖ = λ_1(L_{[j,k]}) by enumeration or sieve
 6:   if ‖π_j(v)‖² < ‖b*_j‖² then
 7:     z ← 0 and call LLL((b_1, ..., b_{j−1}, v, b_j, ..., b_h), δ)   // Insert v ∈ L and remove the linear dependency to obtain a new basis
 8:   else
 9:     z ← z + 1 and call LLL((b_1, ..., b_h), δ)
10:   end if
11: end while
```

It is customary to terminate the BKZ algorithm after a selected number of calls to an exact-SVP algorithm over block lattices. (See Hanrot et al. 2011 for an analysis.) Efficient variants such as BKZ 2.0 Chen (2011) have been proposed, and some of them have been implemented in The FPLLL development team (2016). The *Hermite factor* is a good index for measuring the practical output quality of a reduction algorithm. (See Gama and Nguyen 2008 for their experiments.) It is defined by $\gamma = \|\mathbf{v}\| / \mathrm{vol}(L)^{1/n}$, where $\mathbf{v}$ is the shortest basis vector output by a reduction algorithm for a basis of a lattice $L$ of dimension $n$. Under the Gaussian Heuristic and the GSA, the limiting value of the root Hermite factor of BKZ with blocksize β is predicted in Chen (2013) as

$$\lim_{n \to \infty} \gamma^{\frac{1}{n}} = \left(\gamma_{\beta}^{\frac{1}{2}}\right)^{\frac{1}{\beta - 1}} \sim \left(\frac{\beta}{2\pi e} (\pi \beta)^{\frac{1}{\beta}}\right)^{\frac{1}{2(\beta - 1)}}.$$

There is experimental evidence supporting this prediction for high blocksizes such as β > 50. (Note that the Gaussian Heuristic holds in practice for random lattices in high dimensions, but unfortunately it is violated in low dimensions.) In a simple form based on the Gaussian Heuristic, the GSA shape of a β-BKZ-reduced basis of volume 1 is predicted as $\|\mathbf{b}_i^*\| \approx \alpha_\beta^{\frac{n-1}{2} - i}$, where $\alpha_\beta = \left(\frac{\beta}{2\pi e}\right)^{1/\beta}$. This is reasonably accurate in practice for β > 50 and β ≪ n. (See Chen 2013, 2011; Yu and Ducas 2017.) Other variants of BKZ have been proposed, such as slide reduction Gama and Nguyen (2008), self-dual BKZ Micciancio and Walter (2016), and progressive BKZ Aono et al. (2016). As a mathematical improvement of BKZ, DeepBKZ was recently proposed in Yamaguchi and Yasuda (2017), in which DeepLLL is called as a subroutine in place of LLL. In particular, DeepBKZ finds a short lattice vector with smaller blocksizes than BKZ in practice. (Dual and self-dual variants of DeepBKZ were also proposed in Yasuda (2018), Yasuda et al. (2018).)

#### **4 The SVP Challenge and Recent Strategies**

To test algorithms for solving SVP, sample lattice bases are provided by Darmstadt (2010) for dimensions from 40 up to 200. (The lattices are random in the sense of Goldstein and Mayer (2003).) For every lattice $L$, any non-zero lattice vector with (Euclidean) norm less than $1.05\,\mathrm{GH}(L)$ can be submitted to the hall of fame of the SVP challenge. To enter the hall of fame, the lattice vector is required to be shorter than the previous one in the same dimension (possibly with a different seed). Note that not all lattice vectors in the hall of fame are necessarily the shortest. In this section, we introduce two recent strategies for solving the SVP challenge in high dimensions such as $n \ge 150$.

#### *4.1 The Random Sampling Strategy*

Early in 2017, a non-zero vector in a lattice $L$ of dimension $n = 150$ with norm less than $1.05\,\mathrm{GH}(L)$ was first found by Teruya and Kashiwabara using many high-performance servers. (See Teruya et al. 2018 for their large-scale experiments.) Their strategy is based on the work of Fukase and Kashiwabara (2015), which is an extension of Schnorr's random sampling reduction (RSR) Schnorr (2003). Here we review random sampling (SA) and RSR. For a lattice $L$ of dimension $n$, fix $1 \le u < n$ as a constant bounding the search space. Given a basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of $L$, SA samples a vector $\mathbf{v} = \sum_{i=1}^{n} \nu_i \mathbf{b}_i^*$ in $L$ satisfying $\nu_i \in (-1/2, 1/2]$ for $1 \le i < n-u$, $\nu_i \in (-1, 1]$ for $n-u \le i < n$, and $\nu_n = 1$. Let $S_{u,\mathbf{B}}$ denote the set of such lattice vectors. Since the number of candidates for $\nu_i$ with $|\nu_i| \le 1/2$ (resp. $|\nu_i| \le 1$) is 1 (resp. 2), there are $2^u$ lattice vectors in $S_{u,\mathbf{B}}$. By calling SA up to $2^u$ times, RSR generates $\mathbf{v}$ satisfying $\|\mathbf{v}\|^2 < 0.99 \|\mathbf{b}_1\|^2$ Schnorr (2003), Theorem 1. Two extensions are proposed in Fukase and Kashiwabara (2015) for solving the SVP challenge: the first is to represent a lattice vector by a sequence of natural numbers via the Gram–Schmidt orthogonalization, and to sample lattice vectors from an appropriate distribution over this representation. The second is to decrease the sum of the squared Gram–Schmidt lengths $\mathrm{SS}(\mathbf{B}) := \sum_{i=1}^{n} \|\mathbf{b}_i^*\|^2$ to make it easier to sample very short lattice vectors. The effectiveness of their extensions is guaranteed by their statistical analysis of lattices. Specifically, under the randomness assumption (RA),<sup>2</sup> they roughly estimate that the squared length of a sampled vector, $\|\mathbf{v}\|^2 = \sum_{i=1}^{n} \nu_i^2 \|\mathbf{b}_i^*\|^2$, follows the normal distribution $\mathcal{N}(\mu, \sigma^2)$ with

$$\mu = \frac{\sum\_{i=1}^{n} \|\mathbf{b}\_i^\*\|^2}{12} \quad \text{and} \quad \sigma = \left(\frac{\sum\_{i=1}^{n} \|\mathbf{b}\_i^\*\|^4}{180}\right)^{1/2}.$$

This implies that *shorter* lattice vectors are sampled as the squared sum $\mathrm{SS}(\mathbf{B})$ becomes *smaller*. Then the basic strategy in Fukase and Kashiwabara (2015); Teruya et al. (2018) consists of the following two steps: (i) Reduce an input basis so as to make the sum of its squared Gram–Schmidt lengths as small as possible, by using LLL and insertion of sampled lattice vectors as in BKZ. (See also Yasuda et al. 2017 for such a procedure.) (ii) With such a reduced basis $\mathbf{B}$, find a short lattice vector by randomly sampling $\mathbf{v} = \sum_{i=1}^{n} \nu_i \mathbf{b}_i^*$.
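The sampling step SA and the statistics above, as an added example (not code from the chapter or from the cited works): `sample_SA` walks the Gram–Schmidt coefficients from $\nu_n = 1$ downwards, generating all $2^u$ vectors of $S_{u,\mathbf{B}}$, and `predicted_stats` computes the $\mu$ and $\sigma$ of the normal-distribution estimate from $\mathrm{SS}(\mathbf{B})$. The basis is a constructed three-dimensional example chosen so that every Gram–Schmidt length is known by hand.

```python
from fractions import Fraction
from itertools import product
from math import ceil, sqrt

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def gram_schmidt(B):
    """Exact Gram-Schmidt vectors b*_1..b*_n (0-indexed)."""
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for bs in Bs:
            c = dot(v, bs) / dot(bs, bs)
            v = [a - c * w for a, w in zip(v, bs)]
        Bs.append(v)
    return Bs

def sample_SA(B, u):
    """Return every vector of S_{u,B} together with its Gram-Schmidt coefficients (nu_1, ..., nu_n).
    Start from v = b_n (nu_n = 1) and walk i = n-1 down to 1: subtract an integer multiple of b_i
    so that nu_i lands in (-1/2, 1/2]; for the u indices n-u <= i < n one bit decides whether nu_i is
    moved instead into the other half of (-1, 1].  The all-zero bit string is Babai's nearest plane."""
    n = len(B)
    Bs = gram_schmidt(B)
    first_free = n - 1 - u                  # 0-indexed position of the text's i = n - u
    out = []
    for bits in product((0, 1), repeat=u):
        v = [Fraction(x) for x in B[n - 1]]
        nu = [Fraction(0)] * n
        nu[n - 1] = Fraction(1)
        for i in range(n - 2, -1, -1):
            coeff = dot(v, Bs[i]) / dot(Bs[i], Bs[i])
            x = ceil(coeff - Fraction(1, 2))            # coeff - x in (-1/2, 1/2]
            if i >= first_free and bits[i - first_free]:
                x += -1 if coeff - x <= 0 else 1        # now coeff - x in (1/2, 1] or (-1, -1/2]
            v = [a - x * b for a, b in zip(v, B[i])]
            nu[i] = coeff - x
        out.append(([int(a) for a in v], nu))
    return out

def predicted_stats(B):
    """mu and sigma of the text: ||v||^2 ~ N(mu, sigma^2) under RA, from the squared GS lengths."""
    s2 = [dot(b, b) for b in gram_schmidt(B)]
    mu = sum(s2) / 12
    sigma = sqrt(sum(x * x for x in s2) / 180)
    return mu, sigma

def rsr_step(B, u):
    """One RSR round: the shortest sampled vector if it beats 0.99 ||b_1||^2, otherwise None."""
    v, _ = min(sample_SA(B, u), key=lambda t: dot(t[0], t[0]))
    return v if 100 * dot(v, v) < 99 * dot(B[0], B[0]) else None

if __name__ == "__main__":
    B = [[2, 0, 0], [1, 2, 0], [0, 1, 2]]   # constructed basis: ||b*_i||^2 = 4 for every i, so SS(B) = 12
    for v, nu in sample_SA(B, u=1):
        print(v, dot(v, v), [str(x) for x in nu])
    print(predicted_stats(B), rsr_step(B, u=1))
```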

As a subsequent work, Aono and Nguyen (2017) introduced lattice enumeration with discrete pruning to generalize random sampling, and also provided a deep analysis of discrete pruning by using the volume of the intersection of a ball with a box. In particular, under RA, the expected squared length of a short vector generated by lattice enumeration with discrete pruning from the so-called tag $\mathbf{t} = (t_1, \ldots, t_n) \in \mathbb{Z}^n$ is roughly given by $E(\mathbf{t}) = \sum_{i=1}^{n} \left(\frac{t_i^2}{4} + \frac{t_i}{4} + \frac{1}{12}\right) \|\mathbf{b}_i^*\|^2$, which generalizes the above mean $\mu$. However, it is shown in Aono and Nguyen (2017) that the empirical correlation between $E(\mathbf{t})$ and the volume of the ball-box intersection is negative. This is statistical evidence for why decreasing $\mathrm{SS}(\mathbf{B})$ matters, rather than increasing the volume of the ball-box intersection. Furthermore, the calculation of the volume presented in Aono and Nguyen (2017) is much less efficient than the computation of $\mathrm{SS}(\mathbf{B})$. In 2018, Matsuda et al. (2018) investigated the strategy of Fukase and Kashiwabara (2015) by the Gram–Charlier approximation in order to precisely estimate the success probability of sampling short lattice vectors, and also discussed the effectiveness of decreasing $\mathrm{SS}(\mathbf{B})$ for sampling short lattice vectors.

#### *4.2 The Sub-Sieving Strategy*

Around the end of August 2018, many records for the SVP challenge in dimensions up to 155 had been found by the sub-sieving strategy of Ducas (2018). (See Albrecht et al. 2019 for their experiment report.) The basic idea is to reduce SVP in high dimensions to the *bounded distance decoding (BDD)* problem in low dimensions, a particular case of CVP in which the target vector is known to be somewhat close to the lattice. It requires us to find an enormous number of short vectors in projected lattices, and the sieve is useful for collecting such vectors. In particular, the sieve is performed in projected lattices instead of the full lattice.

<sup>2</sup>RA states that the coefficients $\nu_i$ of $\mathbf{v} = \sum_{i=1}^{n} \nu_i \mathbf{b}_i^*$ sampled by SA are uniformly distributed in $[-1/2, 1/2]$ for $1 \le i < n-u$ and in $[-1, 1]$ for $n-u \le i < n$. It does not hold strictly in practice.

The specific strategy is as follows (Ducas 2018, Section 3). Given a basis $\mathbf{B} = (\mathbf{b}_1, \ldots, \mathbf{b}_n)$ of a lattice $L$ of high dimension $n$, we fix an integer $d$ with $1 \le d \le n$ and perform the sieve in the projected lattice $\pi_d(L)$ to obtain a list of short lattice vectors

$$D := \left\{ \mathbf{v} \in \pi_d(L) \;\middle|\; \mathbf{v} \neq \mathbf{0} \text{ and } \|\mathbf{v}\| \le \sqrt{\frac{4}{3}}\, \mathrm{GH}\left( \pi_d(L) \right) \right\}.$$

We hope that the desired shortest non-zero vector $\mathbf{s}$ in the full lattice $L$ projects to a vector in the above list $D$, that is, it satisfies $\pi_d(\mathbf{s}) \neq \mathbf{0}$ and $\|\pi_d(\mathbf{s})\| \le \sqrt{4/3}\, \mathrm{GH}(\pi_d(L))$. (Note that $\pi_d(\mathbf{s}) = \mathbf{0}$ means that the vector $\mathbf{s}$ lies in the sub-lattice $L(\mathbf{b}_1, \ldots, \mathbf{b}_{d-1})$ of $L$. We do not consider this case here.) Since $\|\pi_d(\mathbf{s})\| \le \|\mathbf{s}\| \approx \mathrm{GH}(L)$, the condition

$$\text{GH}(L) \le \sqrt{\frac{4}{3}} \text{GH}\left(\pi\_d(L)\right) \tag{3}$$

is sufficient to satisfy our hope. This condition is not tight, since the projected vector π*<sup>d</sup>* (**s**) becomes shorter than the full vector **s** as the index *d* increases. By exhaustive search over the list *D*, we assume that the projected vector**s***<sup>d</sup>* := π*<sup>d</sup>* (**s**) ∈ *D* is known. We need to recover the full vector **<sup>s</sup>** from **<sup>s</sup>***<sup>d</sup>* . Write **<sup>s</sup>** <sup>=</sup> **Bx** for some **<sup>x</sup>** <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>*, and split **<sup>x</sup>** as(**x**<sup>1</sup> <sup>|</sup> **<sup>x</sup>**2) with **<sup>x</sup>**<sup>1</sup> <sup>∈</sup> <sup>Z</sup>*<sup>d</sup>*−<sup>1</sup> and **<sup>x</sup>**<sup>2</sup> <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>*−*d*+1. Then **<sup>s</sup>***<sup>d</sup>* <sup>=</sup> <sup>π</sup>*<sup>d</sup>* (**Bx**) <sup>=</sup> **<sup>B</sup>***<sup>d</sup>* **<sup>x</sup>**<sup>2</sup> and hence **x**<sup>2</sup> is known, where **B***<sup>d</sup>* = (π*<sup>d</sup>* (**b***<sup>d</sup>* ), . . . , π*<sup>d</sup>* (**b***n*)). Now we need to recover **x**<sup>1</sup> so that **s** = **B**1**x**<sup>1</sup> + **B**2**x**<sup>2</sup> is small (or the shortest), where**B** = (**B**<sup>1</sup> | **B**2). This is an easy BDD instance over the *d*-dimensional lattice spanned by **B**<sup>1</sup> for the target vector **B**2**x**2. A sufficient condition to solve this problem using Babai's nearest plane algorithm Babai (1986) is that |**b**<sup>∗</sup> *<sup>i</sup>* ,**s** | ≤ <sup>1</sup> <sup>2</sup> **b**<sup>∗</sup> *<sup>i</sup>* <sup>2</sup> for all 1 ≤ *i* < *d*. (See also Galbraith 2012, Chap. 18 for Babai's algorithms.) Since |**b**<sup>∗</sup> *<sup>i</sup>* ,**s** | ≤ **b**<sup>∗</sup> *<sup>i</sup>* **s**, a further sufficient condition is that GH(*L*) <sup>≤</sup> <sup>1</sup> <sup>2</sup> min*<sup>i</sup>*<*<sup>d</sup>* **b**<sup>∗</sup> *<sup>i</sup>* . 
This condition is far from tight, and it should not be a serious issue in practice. Indeed, even for a strongly reduced basis, the $d$ first Gram–Schmidt lengths won't be much smaller than $\mathrm{GH}(L)$, say by more than a factor 2. (The BKZ-preprocessing with blocksize $\beta = n/2$ is assumed in Ducas (2018).) A concrete maximal value of $d$ satisfying the condition (3) depends on the shape of a basis $\mathbf{B}$. It is estimated in Ducas (2018) that $d = (n/\log n)$ is suitable over a quasi-HKZ-reduced basis.
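The recovery step just described, as an added example that is not code from the paper, from Ducas (2018) or from G6K: given a basis $\mathbf{B}$, the index $d$ and the coefficients $\mathbf{x}_2$ revealed by the projected vector, Babai's nearest plane over $\mathbf{B}_1$ returns $\mathbf{x}_1$ and the full vector $\mathbf{s}$, and a helper checks the sufficient condition $|\langle \mathbf{b}_i^*, \mathbf{s}\rangle| \le \frac{1}{2}\|\mathbf{b}_i^*\|^2$. The 4-dimensional basis, $d = 3$ and the planted vector $\mathbf{s} = (1, -1, 2, 0)$ are constructed toy values.

```python
"""Recovering the full short vector s from its projection pi_d(s), the BDD step of
the sub-sieving argument above.  Added example, not code from the paper, Ducas
(2018) or G6K; the basis, d and the planted s below are constructed toy values."""
from fractions import Fraction

def dot(u, v):
    return sum(ui * vi for ui, vi in zip(u, v))

def gram_schmidt(B):
    """Gram-Schmidt vectors b*_1, ..., b*_k of the rows of B, in exact arithmetic."""
    Bs = []
    for b in B:
        v = [Fraction(x) for x in b]
        for bs in Bs:
            mu = dot(v, bs) / dot(bs, bs)
            v = [vi - mu * ci for vi, ci in zip(v, bs)]
        Bs.append(v)
    return Bs

def project(B, d, v):
    """pi_d(v): projection of v orthogonally to the span of b_1, ..., b_{d-1}."""
    w = [Fraction(x) for x in v]
    for bs in gram_schmidt(B[:d - 1]):
        mu = dot(w, bs) / dot(bs, bs)
        w = [wi - mu * ci for wi, ci in zip(w, bs)]
    return w

def nearest_plane(B1, t):
    """Babai's nearest plane on target t over L(B1): returns (c, v) with
    v = t - sum_i c_i b_i and |<b*_i, v>| <= ||b*_i||^2 / 2 for every i."""
    Bs = gram_schmidt(B1)
    v = [Fraction(x) for x in t]
    c = [0] * len(B1)
    for i in reversed(range(len(B1))):        # from the last Gram-Schmidt vector down
        c[i] = round(dot(v, Bs[i]) / dot(Bs[i], Bs[i]))
        v = [vi - c[i] * bi for vi, bi in zip(v, B1[i])]
    return c, v

def recover_full_vector(B, d, x2):
    """Given B = (B_1 | B_2) with B_1 = (b_1, ..., b_{d-1}) and the known coefficients
    x_2 of s on B_2, return (x_1, s) with s = B_1 x_1 + B_2 x_2 via nearest plane."""
    B1, B2 = B[:d - 1], B[d - 1:]
    t = [sum(xj * bj[k] for xj, bj in zip(x2, B2)) for k in range(len(B[0]))]  # B_2 x_2
    c, s = nearest_plane(B1, t)
    return [-ci for ci in c], [int(si) for si in s]

def babai_condition_holds(B, d, s):
    """The sufficient condition quoted above: |<b*_i, s>| <= ||b*_i||^2 / 2 for i < d."""
    return all(abs(dot(s, bs)) * 2 <= dot(bs, bs) for bs in gram_schmidt(B[:d - 1]))

# Constructed toy instance (rows are basis vectors): s = b_1 - b_2 + b_3 = (1, -1, 2, 0)
# is a short lattice vector; with d = 3, x_2 = (1, 0) is what the projected list reveals.
TOY_B = [[7, 0, 0, 0], [1, 7, 0, 0], [-5, 6, 2, 0], [3, 2, 5, 9]]
TOY_D, TOY_X2 = 3, [1, 0]

if __name__ == "__main__":
    x1, s = recover_full_vector(TOY_B, TOY_D, TOY_X2)
    print(x1, s)   # [1, -1] [1, -1, 2, 0]
```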

In 2019, Albrecht et al. (2019) proposed the General Sieve Kernel (G6K), an abstract stateful machine supporting a variety of advanced lattice reductions based on sieving algorithms. They have provided a highly optimized, multi-threaded, and tweakable implementation of G6K as an open-source C++ and Python library. A number of records in the hall of fame for the SVP challenge were found by the sub-sieving strategy on G6K. (In June 2019, the highest dimension solved in the SVP challenge was 157, using G6K.) Specifically, their experiments imply that on average *d* = 11.46 + 0.0757*n* is a suitable free dimension of the sub-sieving strategy for the SVP challenge in high dimensions *n*. Furthermore, their solution for the SVP challenge in dimension 151 was found 400 times faster than the times reported for the SVP challenge in dimension 150, which was solved early in 2017 by the random sampling strategy.

**Acknowledgements** This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. A part of this work was also supported by JSPS KAKENHI Grant Number JP16H02830.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Recent Developments in Multivariate Public Key Cryptosystems**

**Yasufumi Hashimoto**

**Abstract** The multivariate signature schemes UOV, Rainbow, and HFEv- have been considered to be secure and efficient enough under suitable parameter selections. In fact, several second round candidates of NIST's standardization project of Post-Quantum Cryptography are based on these schemes. On the other hand, there are few multivariate encryption schemes expected to be practical and despite that, various new schemes have been proposed recently. In the present paper, we summarize multivariate schemes UOV, Rainbow, and (variants of) HFE generating the second round candidates and study the practicalities of several multivariate encryption schemes proposed recently.

**Keywords** Multivariate public key cryptosystem (MPKC) · Post-quantum cryptography

## **1 Introduction**

In 2016, NIST launched the standardization project of Post-Quantum Cryptography (NIST 2020). A lot of schemes were submitted to the first round of the project and 26 of them were chosen as the second round candidates in 2019 (NIST 2020). LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020) and GeMSS (Casanova et al. 2020) are multivariate signature schemes in the second round. These schemes are based on UOV (Kipnis et al. 1999; Patarin 1997), Rainbow (Ding et al. 2005), and HFEv- (Patarin et al. 2001), respectively, which were proposed before or around 2000 and are still considered to be secure and efficient enough under suitable parameter selections. On the other hand, there are few practical multivariate encryption schemes and, despite that, various new schemes have been proposed in this decade.

Y. Hashimoto

Department of Mathematical Sciences, University of the Ryukyus, Nishihara-cho, Okinawa 903-0213, Japan, e-mail: hashimoto@math.u-ryukyu.ac.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_16

The aim of this paper is to describe recent developments in multivariate public key cryptosystems not yet presented in the previous paper (Hashimoto 2017). We first summarize in Sect. 2 the schemes UOV (Kipnis et al. 1999; Patarin 1997), Rainbow (Ding et al. 2005), and (variants of) HFE (Patarin 1996) with short surveys on the second round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and GeMSS (Casanova et al. 2020). Besides, we study in Sect. 3 the encryption schemes HFERP (Ikematsu et al. 2018), ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013) proposed recently, and show that the practicalities of these schemes are not much higher than those of the HFE variants for encryption, which are already known to be not very practical. Remark that MQDSS (Chen et al. 2016, 2020) is also a second round candidate and has been considered a multivariate signature scheme, since a set of randomly chosen multivariate quadratic forms is used in key generation, signature generation, and signature verification. However, it is based on the Fiat–Shamir transform of the 5-pass identification scheme (Sakumoto et al. 2011) and is far from the other multivariate schemes. We therefore do not study MQDSS in this paper.

#### **2 UOV, Rainbow, and Variants of HFE**

In this section, we describe UOV (Kipnis et al. 1999; Patarin 1997), Rainbow (Ding et al. 2005), and variants of HFE (Patarin 1996) and give short surveys on the second round candidates LUOV (Beullens et al. 2020), Rainbow (Ding et al. 2020), and GeMSS (Casanova et al. 2020) of NIST's project (NIST 2020). We first describe the basic constructions of multivariate public key cryptosystems (MPKCs).

## *2.1 Basic Constructions of Multivariate Public Key Cryptosystems*

Let $n, m \ge 1$ be integers, $q$ a prime power, and $\mathbf{F}_q$ a finite field of order $q$. Most MPKCs are described as follows.

**Secret key.** Two invertible affine maps $S : \mathbf{F}_q^n \to \mathbf{F}_q^n$, $T : \mathbf{F}_q^m \to \mathbf{F}_q^m$ and a quadratic map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ that can be inverted feasibly.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbf{F}_q^n \to \mathbf{F}_q^m$.

$$F: \mathbf{F}\_q^n \xrightarrow{S} \mathbf{F}\_q^n \xrightarrow{G} \mathbf{F}\_q^m \xrightarrow{T} \mathbf{F}\_q^m$$

**Encryption scheme.**

**Encryption.** For a plaintext $\mathbf{p} \in \mathbf{F}_q^n$, the ciphertext is $\mathbf{c} = F(\mathbf{p}) \in \mathbf{F}_q^m$.

**Decryption.** For a given ciphertext $\mathbf{c} \in \mathbf{F}_q^m$, compute $\mathbf{z} := T^{-1}(\mathbf{c})$ and find $\mathbf{y} \in \mathbf{F}_q^n$ with $G(\mathbf{y}) = \mathbf{z}$. Then the plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$.

#### **Signature scheme.**

**Signature generation.** For a message $\mathbf{m} \in \mathbf{F}_q^m$, compute $\mathbf{z} := T^{-1}(\mathbf{m})$ and find $\mathbf{y} \in \mathbf{F}_q^n$ with $G(\mathbf{y}) = \mathbf{z}$. Then the signature is $\mathbf{s} = S^{-1}(\mathbf{y})$.

**Signature verification.** The signature $\mathbf{s} \in \mathbf{F}_q^n$ is verified by $\mathbf{m} = F(\mathbf{s})$.

**Efficiency.** The encryption and signature verification are done by substituting $\mathbf{p}, \mathbf{s} \in \mathbf{F}_q^n$ into $m$ quadratic forms in $n$ variables. Their complexities are then $O(n^2 m)$ for most MPKCs under naive implementations. Furthermore, it is known (Hashimoto 2017) that the complexities of encrypting $n$ plaintexts and of verifying $n$ signatures simultaneously are $O(n^w m)$, where $2 \le w < 3$ is a linear algebra constant. The complexities of decryption and signature generation depend mainly on how to invert $G$. We will discuss them in the individual schemes.

**Security.** There are two types of attacks on MPKCs. One is the *direct attack*, which recovers the plaintext $\mathbf{p}$ of a given ciphertext $\mathbf{c}$ directly by solving a system of $m$ quadratic equations $F(\mathbf{x}) = (f_1(\mathbf{x}), \dots, f_m(\mathbf{x})) = \mathbf{c}$ in $n$ variables. The Gröbner basis attack is considered to be the most standard approach, and its complexity depends on the *degree of regularity* $d_{\mathrm{reg}}$ of the corresponding polynomial system $F(\mathbf{x}) - \mathbf{c}$. In general, $d_{\mathrm{reg}}$ is known to be smaller when the system is more overdefined ($m \gg n$) (Bardet et al. 2005). Furthermore, if $q$ is small, the attacker can solve more efficiently by combining with exhaustive search, which is called a *hybrid method* (Bettale et al. 2012). We also note that, if the system is massively underdefined ($n \gg m$), the attacker can find (at least) one of the solutions more efficiently than in the case $n \sim m$ (Cheng et al. 2014; Kipnis et al. 1999; Miura et al. 2013; Tomae and Wolf 2012).

The other type is to recover partial information on the secret key $(S, T)$ that is enough to invert $F$. In most known key recovery attacks on MPKCs, the attacker uses properties of the coefficient matrices of the quadratic forms in $G$. Let $G_1, \dots, G_m, F_1, \dots, F_m$ be the coefficient matrices of $g_1(\mathbf{x}), \dots, g_m(\mathbf{x}), f_1(\mathbf{x}), \dots, f_m(\mathbf{x})$, respectively, i.e., $g_l(\mathbf{x}) = {}^t\mathbf{x} G_l \mathbf{x} + (\text{linear form})$ and $f_l(\mathbf{x}) = {}^t\mathbf{x} F_l \mathbf{x} + (\text{linear form})$ for $1 \le l \le m$. Since $F(\mathbf{x}) = T(G(S(\mathbf{x})))$, it holds that

$$
\begin{pmatrix} F\_1 \\ \vdots \\ F\_m \end{pmatrix} = T \begin{pmatrix} \,^t S G\_1 S \\ \vdots \\ \,^t S G\_m S \end{pmatrix} . \tag{1}
$$

This shows that, if $G_1, \dots, G_m$ have special properties, partial information on $S$, $T$ can be recovered from the public information $F_1, \dots, F_m$. How to recover it and the complexity of the attack depend on $G_1, \dots, G_m$, and we discuss them in the individual schemes.

### *2.2 UOV*

Let $o, v \ge 1$ be integers and put $n := o + v$, $m := o$. The quadratic map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ is defined by

$$\begin{split} g_j(\mathbf{x}) &= \sum_{1 \le i \le o} x_i \cdot (\text{linear form of } x_{o+1}, \dots, x_n) \\ &+ (\text{quadratic form of } x_{o+1}, \dots, x_n), \end{split} \tag{2}$$

for $1 \le j \le o$. UOV (Unbalanced Oil and Vinegar signature scheme; Patarin (1997), Kipnis et al. (1999)) is constructed as follows.

**Secret key.** An invertible affine map $S : \mathbf{F}_q^n \to \mathbf{F}_q^n$ and the quadratic map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ defined above.

**Public key.** The quadratic map $F := G \circ S : \mathbf{F}_q^n \to \mathbf{F}_q^m$.

**Signature generation.** For a message $\mathbf{m} = (m_1, \dots, m_o) \in \mathbf{F}_q^m$, choose $u_1, \dots, u_v \in \mathbf{F}_q$ randomly and find $y_1, \dots, y_o \in \mathbf{F}_q$ such that

$$g_1(y_1, \dots, y_o, u_1, \dots, u_v) = m_1, \quad \dots \quad , \quad g_o(y_1, \dots, y_o, u_1, \dots, u_v) = m_o. \tag{3}$$

The signature is $\mathbf{s} = S^{-1}(y_1, \dots, y_o, u_1, \dots, u_v)$.

**Signature verification.** The signature $\mathbf{s} \in \mathbf{F}_q^n$ is verified by $\mathbf{m} = F(\mathbf{s})$.

**Complexity of signature generation.** Since (3) is a system of $o$ linear equations in $o$ variables, we see that the complexity of signature generation of UOV is $O(n^3)$.

**Security.** The most important attack on UOV is Kipnis–Shamir's attack (Kipnis et al. 1999; Kipnis and Shamir 1998), which recovers an affine map $S'$ such that $SS' = \begin{pmatrix} \ast_o & \ast \\ 0 & \ast_v \end{pmatrix}$ by using the fact that $G_1, \dots, G_m$ are matrices of the form $\begin{pmatrix} 0_o & \ast \\ \ast & \ast_v \end{pmatrix}$. Its complexity is known to be $O(q^{\max(v-o,0)} \cdot n^4)$ (Kipnis et al. 1999), and then the parameter $v$ must be sufficiently larger than $o$, namely $n$ must be sufficiently larger than $2m$. This causes two inconveniences for UOV: one is that the key sizes are relatively large, and the other is that the approaches in Tomae and Wolf (2012), Cheng et al. (2014) weaken the security against direct attacks a little. The latter is easily covered by taking $(n, m)$ a little larger. For the former, several approaches have been given until now. However, since some key reduction approaches yield critical vulnerabilities (e.g., Hashimoto 2019; Peng and Tang 2018), the security of such UOVs must be studied quite carefully.

**LUOV.** LUOV (Beullens et al. 2020) is a signature scheme based on UOV and is a second round candidate of NIST's project. It is constructed over a finite field of even characteristic, and the components and coefficients in $S$, $G$, $F$ are elements of $\mathbf{F}_2$. The size of keys is smaller, and the security against the direct attack is not much lower than that of the original UOV. Remark that the security against Kipnis–Shamir's attack is $O(2^{v-o} \cdot n^4)$ and a new attack on LUOV was quite recently proposed in Ding et al. (2013). Then the parameters $o$, $v$ should be taken larger than in the original version. See Beullens et al. (2020) for the latest version.

#### *2.3 Rainbow*

Rainbow (Ding et al. 2005) is a multi-layer version of UOV. We now describe the two-layer version. Let $o_1, o_2, v \ge 1$ be integers and put $n = o_1 + o_2 + v$, $m = o_1 + o_2$. Define the quadratic map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ by

$$\begin{aligned} g_1(\mathbf{x}), \dots, g_{o_1}(\mathbf{x}) &= \sum_{1 \le i \le o_1} x_i \cdot (\text{linear form of } x_{o_1+1}, \dots, x_n) \\ &+ (\text{quadratic form of } x_{o_1+1}, \dots, x_n), \\ g_{o_1+1}(\mathbf{x}), \dots, g_m(\mathbf{x}) &= \sum_{o_1+1 \le i \le m} x_i \cdot (\text{linear form of } x_{m+1}, \dots, x_n) \\ &+ (\text{quadratic form of } x_{m+1}, \dots, x_n), \end{aligned} \tag{4}$$

Rainbow is constructed as follows.

**Secret key.** Two invertible affine maps $S : \mathbf{F}_q^n \to \mathbf{F}_q^n$, $T : \mathbf{F}_q^m \to \mathbf{F}_q^m$ and the quadratic map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ defined above.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbf{F}_q^n \to \mathbf{F}_q^m$.

**Signature generation.** For a message $\mathbf{m} \in \mathbf{F}_q^m$ to be signed, compute $\mathbf{z} = {}^t(z_1, \dots, z_m) := T^{-1}(\mathbf{m})$ and choose $u_1, \dots, u_v \in \mathbf{F}_q$ randomly. Find $y_{o_1+1}, \dots, y_m \in \mathbf{F}_q$ such that

$$g_{o_1+1}(y_1, \dots, y_m, u_1, \dots, u_v) = z_{o_1+1}, \quad \dots, \quad g_m(y_1, \dots, y_m, u_1, \dots, u_v) = z_m. \tag{5}$$

After that, find $y_1, \dots, y_{o_1} \in \mathbf{F}_q$ such that

$$g_1(y_1, \dots, y_m, u_1, \dots, u_v) = z_1, \quad \dots, \quad g_{o_1}(y_1, \dots, y_m, u_1, \dots, u_v) = z_{o_1}. \tag{6}$$

The signature is $\mathbf{s} = S^{-1}(y_1, \dots, y_m, u_1, \dots, u_v)$.

**Signature verification.** The signature $\mathbf{s} \in \mathbf{F}_q^n$ is verified by $\mathbf{m} = F(\mathbf{s})$.

**Complexity of signature generation.** Since (5) is a system of $o_2$ linear equations in $o_2$ variables and (6) is a system of $o_1$ linear equations in $o_1$ variables, we see that the complexity of signature generation is $O(n^3)$.
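As an added example (not the paper's code and not code from any NIST submission), the following Python implements the construction of Sects. 2.1–2.3 in a toy setting: key generation builds the explicit public polynomials $F = T \circ G \circ S$ from the layered central map (4), signing inverts $T$, fixes the vinegar values and solves (5) and then (6) as linear systems, and verification uses only the public polynomials. UOV is the single-layer case `layers=[o]`; the field size $q = 31$, the seed and the parameters $(o_1, o_2, v) = (3, 3, 6)$ used below are constructed toy values.

```python
"""Two-layer Rainbow over a prime field F_q: an added example, not code from the paper
or any NIST submission.  UOV is the single-layer case layers=[o]; G follows (4)."""
import random

Q = 31                      # small prime q: field arithmetic is integers mod Q
rng = random.Random(2019)   # fixed seed so the example is reproducible

def solve(A, b):
    """Solve A y = b over F_q by Gauss-Jordan elimination; None if singular."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return None
        M[c], M[piv] = M[piv], M[c]
        f = pow(M[c][c], Q - 2, Q)                    # inverse of the pivot
        M[c] = [v * f % Q for v in M[c]]
        for r in range(n):
            if r != c and (g := M[r][c]):
                M[r] = [(vr - g * vc) % Q for vr, vc in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

def matvec(A, x):
    return [sum(a * xi for a, xi in zip(row, x)) % Q for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def random_affine(n):
    """Invertible affine map y = A x + c, returned as (A, A^{-1}, c)."""
    while True:
        A = [[rng.randrange(Q) for _ in range(n)] for _ in range(n)]
        cols = [solve(A, [int(i == j) for i in range(n)]) for j in range(n)]
        if None not in cols:                          # A is invertible
            return A, transpose(cols), [rng.randrange(Q) for _ in range(n)]

def central_map(n, layers):
    """Upper-triangular G_l of (4): oil*vinegar and vinegar*vinegar terms only."""
    G, start = [], 0
    for o in layers:
        oil, vin = range(start, start + o), range(start + o, n)
        for _ in oil:
            G.append([[rng.randrange(Q) if (i in oil and j in vin) or (i in vin and j >= i)
                       else 0 for j in range(n)] for i in range(n)])
        start += o
    return G

def evaluate(poly, x):
    """Value at x of the polynomial (M, lin, const): x^t M x + lin.x + const."""
    M, lin, const = poly
    return (sum(xi * mi for xi, mi in zip(x, matvec(M, x)))
            + sum(l * xi for l, xi in zip(lin, x)) + const) % Q

def compose(M, A, c):
    """Coefficients (A^t M A, A^t (M + M^t) c, c^t M c) of g(Ax + c), g(y) = y^t M y."""
    At = transpose(A)
    MA = [matvec(At, row) for row in M]                # M A
    sym = [[(a + b) % Q for a, b in zip(r1, r2)] for r1, r2 in zip(M, transpose(M))]
    const = sum(ci * mi for ci, mi in zip(c, matvec(M, c))) % Q
    return [matvec(transpose(MA), col) for col in At], matvec(At, matvec(sym, c)), const

def keygen(n, layers):
    """Public key F = T o G o S as explicit polynomials; secret key (S^-1, T^-1, G)."""
    m = sum(layers)
    (S, Sinv, cS), (T, Tinv, cT) = random_affine(n), random_affine(m)
    G = central_map(n, layers)
    gS = [compose(M, S, cS) for M in G]                # g_k(S(x)) for each k
    pub = []
    for row, ct in zip(T, cT):                         # f_l = sum_k T[l][k] g_k(S x) + cT[l]
        Mq = [[sum(t * gS[k][0][i][j] for k, t in enumerate(row)) % Q
               for j in range(n)] for i in range(n)]
        lin = [sum(t * gS[k][1][i] for k, t in enumerate(row)) % Q for i in range(n)]
        pub.append((Mq, lin, (sum(t * gS[k][2] for k, t in enumerate(row)) + ct) % Q))
    return pub, (Sinv, cS, Tinv, cT, G, layers)

def sign(sk, msg):
    """z = T^{-1}(m); fix vinegar values, solve (5) then (6) in the oil variables."""
    Sinv, cS, Tinv, cT, G, layers = sk
    n, m = len(Sinv), len(Tinv)
    z = matvec(Tinv, [(a - b) % Q for a, b in zip(msg, cT)])
    while True:
        y = [None] * m + [rng.randrange(Q) for _ in range(n - m)]  # u_1, ..., u_v
        start = m
        for o in reversed(layers):      # last layer first: its vinegar values are the u's
            start -= o
            oil, vin = range(start, start + o), range(start + o, n)
            A = [[sum(G[l][i][j] * y[j] for j in vin) % Q for i in oil] for l in oil]
            b = [(z[l] - sum(G[l][i][j] * y[i] * y[j] for i in vin for j in range(i, n))) % Q
                 for l in oil]
            sol = solve(A, b)           # g_l(y) = z_l is linear in this layer's oil y_i
            if sol is None:
                break                   # singular system: choose new vinegar values
            y[start:start + o] = sol
        else:
            return matvec(Sinv, [(yi - ci) % Q for yi, ci in zip(y, cS)])  # s = S^{-1}(y)

def verify(pub, msg, s):
    return all(evaluate(p, s) == mi for p, mi in zip(pub, msg))   # m = F(s), public data only
```

Calling `keygen(12, [3, 3])`, then `sign` and `verify`, exercises the two-layer case, and `keygen(10, [4])` gives plain UOV.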

**Security.** Kipnis–Shamir's attack and rank attacks are the major attacks on Rainbow. Since $G_1, \dots, G_{o_1} = \begin{pmatrix} 0_{o_1} & \ast \\ \ast & \ast_{o_2+v} \end{pmatrix}$ and $G_{o_1+1}, \dots, G_m = \begin{pmatrix} 0_{o_1} & 0 & 0 \\ 0 & 0_{o_2} & \ast \\ 0 & \ast & \ast_v \end{pmatrix}$, the complexity of Kipnis–Shamir's attack (Kipnis et al. 1999; Kipnis and Shamir 1998) on Rainbow is $O(q^{\max(o_2+v-o_1,0)} \cdot n^4)$. Furthermore, by checking the ranks of $G_1, \dots, G_m$, we see that the complexities of the min-rank attack and the high-rank attack are $O(q^{o_2+v} \cdot n^4)$ and $O(q^{o_1} \cdot n^4)$, respectively (Yang and Chen 2005). Note that there have been several approaches to improve the efficiency of Rainbow. However, some of the improvements are known to be insecure (e.g., Hashimoto 2019; Hashimoto et al. 2018; Peng and Tang 2018; Shim et al. 2017) and then the security of such efficient Rainbows must be studied carefully.

**Rainbow on NIST's project.** Rainbow (Ding et al. 2020) in the second round of NIST's project includes three versions: the standard Rainbow, the cyclic Rainbow, and the compressed Rainbow. The public keys and the numbers of arithmetic operations for signature verification of the latter two Rainbows are smaller than those of the standard Rainbow. However, it is reported (Ding et al. 2020) that the verifications of the latter two versions are slower than the standard version. We consider that this is because the algorithms for verification of the latter two versions are more complicated than the naive algorithm for the standard Rainbow. Better implementations are required for these arranged versions.

### *2.4 HFE*

Let $n, m, d \ge 1$ be integers with $n = m$, $d < n$. Define $\mathcal{G} : \mathbf{F}_{q^n} \to \mathbf{F}_{q^n}$ by

$$\mathcal{G}(X) := \sum_{0 \le i \le j \le d} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d} \beta_i X^{q^i} + \gamma,$$

where $\alpha_{ij}, \beta_i, \gamma \in \mathbf{F}_{q^n}$, and $G : \mathbf{F}_q^n \to \mathbf{F}_q^n$ by $G := \phi^{-1} \circ \mathcal{G} \circ \phi$, where $\phi : \mathbf{F}_q^n \to \mathbf{F}_{q^n}$ is an $\mathbf{F}_q$-isomorphism. HFE (Patarin 1996) is constructed as follows.

**Secret key.** Two invertible affine maps $S, T : \mathbf{F}_q^n \to \mathbf{F}_q^n$ and $\mathcal{G} : \mathbf{F}_{q^n} \to \mathbf{F}_{q^n}$ defined above.

**Public key.** The quadratic map $F := T \circ G \circ S = T \circ \phi^{-1} \circ \mathcal{G} \circ \phi \circ S : \mathbf{F}_q^n \to \mathbf{F}_q^n$.

**Encryption.** For a plaintext $\mathbf{p} \in \mathbf{F}_q^n$, the ciphertext is $\mathbf{c} := F(\mathbf{p}) \in \mathbf{F}_q^n$.

**Decryption.** For a given ciphertext $\mathbf{c}$, compute $\mathbf{z} := T^{-1}(\mathbf{c})$ and put $Z := \phi(\mathbf{z})$. Find $Y \in \mathbf{F}_{q^n}$ with $\mathcal{G}(Y) = Z$ and put $\mathbf{y} := \phi^{-1}(Y)$. The plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$.

**Complexity of decryption.** Since $\mathcal{G}(Y) = Z$ is a univariate polynomial equation of degree at most $2q^d$ over $\mathbf{F}_{q^n}$, the complexity of finding $Y$ is

$$O\left( (\deg \mathcal{G}(X))^3 + n(\deg \mathcal{G}(X))^2 \log q \right) = O(q^{3d} + nq^{2d} \log q)$$

by the Berlekamp algorithm (Berlekamp 1967, 1970). Then the parameter $d$ should be $d = O(\log_q n)$.

**Security.** Let $\{\theta_1, \dots, \theta_n\}$ be a basis of $\mathbf{F}_{q^n}$ over $\mathbf{F}_q$ and $\Theta := \left(\theta_j^{q^{i-1}}\right)_{1 \le i, j \le n}$. It is easy to see that $\Theta\mathbf{x} = {}^t(\phi(\mathbf{x}), \phi(\mathbf{x})^q, \dots, \phi(\mathbf{x})^{q^{n-1}}) =: {}^t(X, X^q, \dots, X^{q^{n-1}})$. Since $F = (T \circ \phi^{-1}) \circ \mathcal{G} \circ (\phi \circ S)$, we have

$$
\begin{pmatrix} F_1 \\ \vdots \\ F_n \end{pmatrix} = (T \cdot \Theta^{-1}) \begin{pmatrix} {}^t(\Theta S) \, \mathcal{G}^{(0)} \, (\Theta S) \\ \vdots \\ {}^t(\Theta S) \, \mathcal{G}^{(n-1)} \, (\Theta S) \end{pmatrix}, \tag{7}
$$

where $\bar{X} := \Theta\mathbf{x}$ and $\mathcal{G}^{(i)}$ is an $n \times n$ matrix over $\mathbf{F}_{q^n}$ such that $\mathcal{G}(X)^{q^i} = {}^t\bar{X} \, \mathcal{G}^{(i)} \bar{X} + (\text{linear form of } \bar{X})$. This means that there exist $a_1, \dots, a_n \in \mathbf{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_n F_n = {}^t(\Theta S) \, \mathcal{G}^{(0)} \, (\Theta S) = {}^t(\Theta S) \begin{pmatrix} \ast_{d+1} & \\ & 0_{n-d-1} \end{pmatrix} (\Theta S), \tag{8}$$

and then $\mathrm{rank}(a_1 F_1 + \cdots + a_n F_n) \le d + 1$. The *min-rank attack* (Bettale et al. 2013; Kipnis and Shamir 1999) is an attack to recover such $(a_1, \dots, a_n)$, and its complexity is estimated by $O\left(\binom{n+d+2}{d+2}^{w}\right) = O(n^{(d+2)w})$ under the assumption that a variant of Fröberg's conjecture holds, where $2 \le w \le 3$ is a linear algebra constant. It is not difficult to check that the tuple $(a_1, \dots, a_n)$ gives partial information on $T\Theta^{-1}$ and, once such a tuple is recovered, the attacker can recover partial information on $\Theta S$, which is enough to decrypt arbitrary ciphertexts by elementary linear algebraic approaches. Since $d = O(\log_q n)$, the security of HFE is $n^{O(\log_q n)}$. Then the original HFE has been considered to be impractical. We also note that the security against the Gröbner basis attack has been studied well (see e.g., Ding et al. 2011; Dubois and Gama 2020; Faugère 2003; Granboulan et al. 2020; Huang et al. 2018). It is known that the rank condition (8) gives an upper bound on the degree of regularity $d_{\mathrm{reg}}$ of the polynomial system $F(\mathbf{x}) = \mathbf{c}$; in fact, $d_{\mathrm{reg}} \le \frac{1}{2}(q-1)(d+2)$ holds for HFE (Ding et al. 2011).

#### *2.5 Variants of HFE*

There have been various variants of HFE. In this subsection, we describe four major variants "plus (+)", "minus (–)", "vinegar (v)", and "projection (p)".

**Plus (+).** The "plus (+)" is a variant that adds several polynomials to $G$. Let $r_+ \ge 1$ be an integer and $h_1(\mathbf{x}), \dots, h_{r_+}(\mathbf{x})$ random quadratic forms in $\mathbf{x}$. For the map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ of the original scheme, define $G_+ : \mathbf{F}_q^n \to \mathbf{F}_q^{m+r_+}$ by $G_+(\mathbf{x}) := {}^t(g_1(\mathbf{x}), \dots, g_m(\mathbf{x}), h_1(\mathbf{x}), \dots, h_{r_+}(\mathbf{x}))$. The public key $F_+ : \mathbf{F}_q^n \to \mathbf{F}_q^{m+r_+}$ of the plus is $F_+ := T_+ \circ G_+ \circ S$, where $T_+ : \mathbf{F}_q^{m+r_+} \to \mathbf{F}_q^{m+r_+}$ is an invertible affine map. It is mainly used for encryption when $m \ge n$. The decryption is as follows.

**Decryption.** For the ciphertext $\mathbf{c} \in \mathbf{F}_q^{m+r_+}$, compute $\mathbf{z} = (z_1, \dots, z_{m+r_+}) := T_+^{-1}(\mathbf{c})$. Find $\mathbf{y} \in \mathbf{F}_q^n$ with $G(\mathbf{y}) = {}^t(z_1, \dots, z_m)$ and verify whether ${}^t(h_1(\mathbf{y}), \dots, h_{r_+}(\mathbf{y})) = {}^t(z_{m+1}, \dots, z_{m+r_+})$. If it holds, the plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$. If not, try again with another $\mathbf{y}$.

**Complexity of decryption.** If *m* ≥ *n*, the number of **y** with *G*(**y**) = **z** is (probably) small. Then the complexity of decryption of "plus" is not much larger than the original scheme.

**Security.** It is easy to see that an equation similar to (8) holds for the "plus" of HFE. Then the complexity of the min-rank attack on HFE+ is similar to the original HFE.

**Minus (–).** The "minus (–)" removes several polynomials from $F$. Let $r_- \ge 1$ be an integer. For the public key $F : \mathbf{F}_q^n \to \mathbf{F}_q^m$ of the original scheme, the public key $F_- : \mathbf{F}_q^n \to \mathbf{F}_q^{m-r_-}$ of the minus is generated by $F_-(\mathbf{x}) = {}^t(f_1(\mathbf{x}), \dots, f_{m-r_-}(\mathbf{x}))$. It is mainly used for signature schemes when $n \ge m$. The signature generation is as follows.

**Signature generation.** For a message $\mathbf{m} = {}^t(m_1, \dots, m_{m-r_-}) \in \mathbf{F}_q^{m-r_-}$ to be signed, choose $u_1, \dots, u_{r_-} \in \mathbf{F}_q$ randomly and let $\bar{\mathbf{m}} := {}^t(m_1, \dots, m_{m-r_-}, u_1, \dots, u_{r_-})$. Find $\mathbf{s} \in \mathbf{F}_q^n$ with $F(\mathbf{s}) = \bar{\mathbf{m}}$. If such an $\mathbf{s}$ exists, the signature is $\mathbf{s}$. If not, change $u_1, \dots, u_{r_-}$ and repeat until such an $\mathbf{s}$ appears.

**Complexities of signature generation.** When *n* ≥ *m*, the probability that **s** does not exist is considered to be not large. Then the complexity of the signature generation of the "minus" is not much larger than the original scheme.

**Security.** For the minus, it is easy to see that there exists an $(n - r_-) \times n$ matrix $T_-$ such that

$$
\begin{pmatrix} F_1 \\ \vdots \\ F_{n-r_-} \end{pmatrix} = (T_- \cdot \Theta^{-1}) \begin{pmatrix} {}^t(\Theta S) \, \mathcal{G}^{(0)} \, (\Theta S) \\ \vdots \\ {}^t(\Theta S) \, \mathcal{G}^{(n-1)} \, (\Theta S) \end{pmatrix}. \tag{9}
$$

Then one can eliminate the contributions of $n - r_- - 1$ matrices on the right-hand side by taking a linear combination of $F_1, \dots, F_{n-r_-}$; namely, there exist $a_1, \dots, a_{n-r_-}, b_0, \dots, b_{r_-} \in \mathbf{F}_{q^n}$ such that

$$\begin{aligned} a_1 F_1 + \cdots + a_{n-r_-} F_{n-r_-} &= b_0 \, {}^t(\Theta S) \, \mathcal{G}^{(0)} \, (\Theta S) + \cdots + b_{r_-} \, {}^t(\Theta S) \, \mathcal{G}^{(r_-)} \, (\Theta S) \\ &= {}^t(\Theta S) \begin{pmatrix} \ast_{d+r_-+1} & \\ & 0_{n-d-r_--1} \end{pmatrix} (\Theta S). \end{aligned}$$

The min-rank attack is thus available on HFE- and its complexity can be estimated by $O\left(\binom{n+d+r_-+2}{d+r_-+2}^{w}\right) = O(n^{(d+r_-+2)w})$. This means that the "minus" enhances the security of HFE (see also Vates and Smith-Tone 2017).

**Vinegar (v).** The "vinegar (v)" adds several variables to $G$. Let $r_v \ge 1$ be an integer. For the map $G : \mathbf{F}_q^n \to \mathbf{F}_q^m$ of the original scheme, define $G_v : \mathbf{F}_q^{n+r_v} \to \mathbf{F}_q^m$ such that $G_v(x_1, \dots, x_n, u_1, \dots, u_{r_v})$ is inverted similarly to $G(\mathbf{x})$ for any (or most) $u_1, \dots, u_{r_v} \in \mathbf{F}_q$. For example, the map $G_v$ of HFEv is given by $G_v := \phi^{-1} \circ \mathcal{G}_v \circ \phi_v$, where $\phi_v : \mathbf{F}_q^{n+r_v} \to \mathbf{F}_{q^n} \times \mathbf{F}_q^{r_v}$ is an $\mathbf{F}_q$-isomorphism and $\mathcal{G}_v : \mathbf{F}_{q^n} \times \mathbf{F}_q^{r_v} \to \mathbf{F}_{q^n}$ is the following polynomial map.

$$\begin{aligned} \mathcal{G}_v(X, x_{n+1}, \dots, x_{n+r_v}) &= \sum_{0 \le i \le j \le d} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d} X^{q^i} \cdot (\text{linear form of } x_{n+1}, \dots, x_{n+r_v}) \\ &+ (\text{quadratic form of } x_{n+1}, \dots, x_{n+r_v}). \end{aligned}$$

The public key $F_v : \mathbf{F}_q^{n+r_v} \to \mathbf{F}_q^n$ of the vinegar is $F_v := T \circ G_v \circ S_v$, where $S_v : \mathbf{F}_q^{n+r_v} \to \mathbf{F}_q^{n+r_v}$ is an invertible affine map. It is mainly used for signature when $n \ge m$. The signature generation is as follows.

**Signature generation.** For a message $\mathbf{m} \in \mathbf{F}_q^m$ to be signed, compute $\mathbf{z} := T^{-1}(\mathbf{m})$. Choose $u_1, \dots, u_{r_v} \in \mathbf{F}_q$ randomly, and find $\mathbf{y} \in \mathbf{F}_q^n$ with $G_v(\mathbf{y}, u_1, \dots, u_{r_v}) = \mathbf{z}$. If such a $\mathbf{y}$ does not exist, change $u_1, \dots, u_{r_v}$ and try again. The signature is $\mathbf{s} = S_v^{-1}(\mathbf{y}, u_1, \dots, u_{r_v})$.

**Complexity of signature generation.** Since $\mathbf{y}$ is found similarly to the original scheme, the complexity of finding $\mathbf{y}$ is almost the same as in the original scheme. If $n \ge m$, the probability that $\mathbf{y}$ does not exist is considered to be not too large. Then the complexity of the "vinegar" is not much larger than that of the original scheme.

**Security.** For HFEv, we see that $\mathcal{G}_v(X, x_{n+1}, \dots, x_{n+r_v}) = {}^t\bar{X}_v \begin{pmatrix} \ast_{d+1} & & \ast \\ & 0_{n-d-1} & \\ \ast & & \ast_{r_v} \end{pmatrix} \bar{X}_v + (\text{linear form of } \bar{X}_v)$, where $\bar{X}_v = {}^t(X, \dots, X^{q^{n-1}}, x_{n+1}, \dots, x_{n+r_v})$. Then there exist $a_1, \dots, a_n \in \mathbf{F}_{q^n}$ such that

$$a_1 F_1 + \cdots + a_n F_n = {}^t\!\left( \begin{pmatrix} \Theta & \\ & I_{r_v} \end{pmatrix} S_v \right) \begin{pmatrix} \ast_{d+1} & & \ast \\ & 0_{n-d-1} & \\ \ast & & \ast_{r_v} \end{pmatrix} \left( \begin{pmatrix} \Theta & \\ & I_{r_v} \end{pmatrix} S_v \right).$$

Since the rank of the matrix on the right-hand side above is at most $d + r_v + 1$, the security of HFEv against the min-rank attack is estimated by $O\left(\binom{n+d+r_v+2}{d+r_v+2}^{w}\right) = O(n^{(d+r_v+2)w})$.

**Projection (p).** The "projection" removes several variables from the polynomials in $F$. Let $r_p \ge 1$ be an integer and $u_1, \dots, u_{r_p} \in \mathbf{F}_q$. For the public key $F : \mathbf{F}_q^n \to \mathbf{F}_q^m$ of the original scheme, the public key $F_p : \mathbf{F}_q^{n-r_p} \to \mathbf{F}_q^m$ of the projection is generated by $F_p(x_1, \dots, x_{n-r_p}) := F(x_1, \dots, x_{n-r_p}, u_1, \dots, u_{r_p})$. It is mainly used for encryption when $m \ge n$. The decryption is as follows.

**Decryption.** For the ciphertext $\mathbf{c} \in \mathbf{F}_q^m$, find $\mathbf{p} \in \mathbf{F}_q^n$ with $F(\mathbf{p}) = \mathbf{c}$ similarly to the original scheme. If $\mathbf{p} = (\ast, \dots, \ast, u_1, \dots, u_{r_p})$, the plaintext is $\tilde{\mathbf{p}} := (p_1, \dots, p_{n-r_p}) \in \mathbf{F}_q^{n-r_p}$. If not, try again with another $\mathbf{p}$.

**Complexity of decryption.** If $m \ge n$, the number of $\mathbf{p}$ with $F(\mathbf{p}) = \mathbf{c}$ is (probably) not too large. Then the complexity of decryption of the "projection" is not much larger than that of the original scheme.

**Security.** For the projection of HFE, we see that there exist $a\_1, \dots, a\_n \in \mathbb{F}\_{q^n}$ such that

$$a\_1 F\_1 + \dots + a\_n F\_n = {}^t(\Theta \tilde{S}) \begin{pmatrix} \ast\_{d+1} & \\ & 0\_{n-d-1} \end{pmatrix} (\Theta \tilde{S}),$$

where $\tilde{S}$ is an $n \times (n - r\_p)$ matrix with $S = (\tilde{S}, \ast)$. Then the min-rank attack is available and its complexity is almost the same as for the original scheme.

The most successful variant of HFE is probably the signature scheme **HFEv-** (Patarin et al. 2001), a combination of "minus" and "vinegar" of HFE, since the security against the min-rank attack is enhanced drastically without slowing down the signature generation. In fact, **GeMSS** (Casanova et al. 2020), based on HFEv-, was chosen as a second round candidate of NIST's project (NIST 2020). There are three kinds of GeMSS, called GeMSS, BlueGeMSS, and RedGeMSS. The major difference among these three is the degree of $\mathcal{G}\_v$: the degrees are $513 (= 2^9 + 1)$, $129 (= 2^7 + 1)$, $17 (= 2^4 + 1)$, i.e., $d$ is 10, 8, 5, respectively. Of course, the signature generation of RedGeMSS is the fastest and that of BlueGeMSS is the next. Furthermore, the security against the min-rank attack is sufficient if $r\_-, r\_v$ are sufficiently large. On the other hand, as pointed out in Hashimoto (2018) for HMFEv (Petzoldt et al. 2017) (the vinegar of multi-HFE (Chen et al. 2020)), the minus and the vinegar do not enhance the security against the high-rank attack. Though critical vulnerabilities of HFE variants against the high-rank attack have not been reported so far, we consider that an HFEv- with smaller $d$ carries a higher risk against the high-rank attack.

We recall that **Sflash** (Akkar et al. 2003) (a minus of Matsumoto–Imai's scheme (Matsumoto and Imai 1988)) is a signature scheme selected by NESSIE (Preneel 2020) and broken by a differential attack (Fouque et al. 2005). Recently, its projections called **Pflash** (Cartor and Smith-Tone 2017; Smith-Tone et al. 2015) and **Eflash** (Cartor and Smith-Tone 2018) were proposed. Pflash is a signature scheme with $r\_p < r\_-$ and Eflash is an encryption scheme with $r\_p > r\_-$. The complexities of signature generation and decryption are about $q^{\min(r\_p, r\_-)}$ times those of Matsumoto–Imai's scheme (Matsumoto and Imai 1988), and then we should take $r\_-, r\_p$ with $\min(r\_p, r\_-) = O(\log\_q n)$. It has been considered that the differential attack is not available on these schemes, and the security against the min-rank attack highly depends on $r\_-$. The security of Eflash is thus $n^{O(\log\_q n)}$. Similarly, for the encryption scheme HFEp- with $r\_p > r\_-$, it is easy to see that the complexity of decryption is about $q^{r\_-}$ times that of the original HFE and the complexity of the min-rank attack is roughly estimated by $O(n^{(3d + r\_- + 2)w})$. Since $3d + r\_- = O(\log\_q n)$, its security is also $n^{O(\log\_q n)}$.

#### **3 New Encryption Schemes**

In this section, we study the encryption schemes HFERP (Ikematsu et al. 2018), ZHFE (Porras et al. 2020), EFC (Szepieniec et al. 2016), and ABC (Tao et al. 2013, 2015) proposed recently.

#### *3.1 HFERP*

HFERP (Ikematsu et al. 2018) is an encryption scheme constructed by a "plus" and "projection" of a combination of HFE and Rainbow. We first describe a one-layer version of HFERP without "plus" and "projection".

Let $v, o, l, d\_0 \ge 1$ be integers, $n := v + o$ and $m := v + o + l$. Define the map $\mathcal{G}\_0 : \mathbb{F}\_{q^v} \to \mathbb{F}\_{q^v}$ by

$$\mathcal{G}\_0(X) := \sum\_{0 \le i \le j \le d\_0} \alpha\_{ij} X^{q^i + q^j} + \sum\_{0 \le i \le d\_0} \beta\_i X^{q^i} + \gamma,$$

where $\alpha\_{ij}, \beta\_i, \gamma \in \mathbb{F}\_{q^v}$. The quadratic map $G : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$ is given as follows.

$$\begin{aligned} {}^t(g\_1(\mathbf{x}), \dots, g\_v(\mathbf{x})) &= (\phi\_0^{-1} \circ \mathcal{G}\_0 \circ \phi\_0)(\mathbf{x}\_0), \\ g\_{v+1}(\mathbf{x}), \dots, g\_m(\mathbf{x}) &= \sum\_{v+1 \le i \le n} x\_i \cdot (\text{linear form of } \mathbf{x}\_0) + (\text{quadratic form of } \mathbf{x}\_0), \end{aligned}$$

where $\phi\_0 : \mathbb{F}\_q^v \to \mathbb{F}\_{q^v}$ is an $\mathbb{F}\_q$-isomorphism and $\mathbf{x}\_0 = {}^t(x\_1, \dots, x\_v)$. HFERP (without "plus" and "projection") is constructed as follows.

**Secret key.** Two invertible affine maps $S : \mathbb{F}\_q^n \to \mathbb{F}\_q^n$, $T : \mathbb{F}\_q^m \to \mathbb{F}\_q^m$ and the quadratic map $G : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Encryption.** For a plaintext $\mathbf{p} \in \mathbb{F}\_q^n$, the ciphertext is $\mathbf{c} = F(\mathbf{p}) \in \mathbb{F}\_q^m$.

**Decryption.** For a given ciphertext $\mathbf{c}$, compute $\mathbf{z} = {}^t(z\_1, \dots, z\_m) := T^{-1}(\mathbf{c})$. Let $Z\_0 := \phi\_0(z\_1, \dots, z\_v) \in \mathbb{F}\_{q^v}$ and find $Y\_0 \in \mathbb{F}\_{q^v}$ such that $\mathcal{G}\_0(Y\_0) = Z\_0$. Put $(y\_1, \dots, y\_v) := \phi\_0^{-1}(Y\_0) \in \mathbb{F}\_q^v$ and find $y\_{v+1}, \dots, y\_n \in \mathbb{F}\_q$ with

$$g\_{v+1}(y\_1, \dots, y\_v, y\_{v+1}, \dots, y\_n) = z\_{v+1}, \quad \dots, \quad g\_m(y\_1, \dots, y\_v, y\_{v+1}, \dots, y\_n) = z\_m. \tag{10}$$

The plaintext is $\mathbf{p} = S^{-1}(y\_1, \dots, y\_n)$.

**Complexity of decryption.** Since the degree of $\mathcal{G}\_0(X)$ is at most $2q^{d\_0}$, the complexity of finding $Y\_0$ is $O(q^{3d\_0} + v q^{2d\_0} \log q)$ by Berlekamp's algorithm. We see that (10) is a system of $o + l$ linear equations in $o$ variables. We thus conclude that the total complexity of decryption is $O(q^{3d\_0} + v q^{2d\_0} \log q + n^3)$. The parameter $d\_0$ should be taken as $d\_0 = O(\log\_q n)$.

**Security.** Let $\{\theta\_1, \dots, \theta\_v\}$ be a basis of $\mathbb{F}\_{q^v}$ over $\mathbb{F}\_q$ and $\Theta\_0 := \left(\theta\_j^{q^{i-1}}\right)\_{1 \le i, j \le v}$. By the definition of $G$, $F$, we see that

$$\begin{pmatrix} F\_1 \\ \vdots \\ F\_m \end{pmatrix} = T \begin{pmatrix} \Theta\_0^{-1} & \\ & I\_{o+l} \end{pmatrix} \begin{pmatrix} {}^tS \begin{pmatrix} {}^t\Theta\_0 \mathcal{G}\_0^{(0)} \Theta\_0 & \\ & 0 \end{pmatrix} S \\ \vdots \\ {}^tS \begin{pmatrix} {}^t\Theta\_0 \mathcal{G}\_0^{(v-1)} \Theta\_0 & \\ & 0 \end{pmatrix} S \\ {}^tS \begin{pmatrix} \ast & \ast \\ \ast & 0 \end{pmatrix} S \\ \vdots \\ {}^tS \begin{pmatrix} \ast & \ast \\ \ast & 0 \end{pmatrix} S \end{pmatrix}$$

and then there exist $a\_1, \dots, a\_m \in \mathbb{F}\_{q^v}$ such that

$$a\_1 F\_1 + \dots + a\_m F\_m = {}^t\!\left( \begin{pmatrix} \Theta\_0 & 0 \end{pmatrix} S \right) \begin{pmatrix} \ast\_{d\_0+1} & \\ & 0\_{v-d\_0-1} \end{pmatrix} \left( \begin{pmatrix} \Theta\_0 & 0 \end{pmatrix} S \right).$$

The min-rank attack is thus available on HFERP and its complexity can be estimated by $O\!\left(\binom{m+d\_0+2}{d\_0+2}^{w}\right) = O(m^{(d\_0+2)w})$ (Ikematsu et al. 2018). The situation is similar for its plus and projection. Since $d\_0 = O(\log\_q n)$, the security of HFERP is $n^{O(\log\_q n)}$, which is almost the same as HFE. For the minus, we can easily check that the complexity of decryption is at most $q^{r\_-}$ times that of the original HFERP and the security against the min-rank attack is $O\!\left(\binom{m+d\_0+2}{d\_0+r\_-+2}^{w}\right) = O(m^{(d\_0+r\_-+2)w})$. This means that the security of HFERP- is also $n^{O(\log\_q n)}$.

#### *3.2 ZHFE*

ZHFE (Porras et al. 2020) is an encryption scheme constructed by two univariate polynomials over an extension field. In this subsection, we study the simplest version of ZHFE since the structure of the original version is not far from the simplest version.

Let $n, m, D \ge 1$ be integers with $m = 2n$ and define the quadratic forms $\mathcal{G}\_1(X), \mathcal{G}\_2(X)$ of $\bar{X} = {}^t(X, X^q, \dots, X^{q^{n-1}})$ such that the degree of $\Psi(X) := X^q \cdot \mathcal{G}\_1(X) + X \cdot \mathcal{G}\_2(X)$ is at most $D$. It is easy to see that the coefficient matrices $\mathcal{G}\_1^{(0)}, \mathcal{G}\_2^{(0)}$ of $\mathcal{G}\_1(X), \mathcal{G}\_2(X)$ as quadratic forms of $\bar{X}$ are

$$\mathcal{G}\_1^{(0)} = \begin{pmatrix} \ast\_1 & \ast & \ast \\ \ast & \ast\_d & 0 \\ \ast & 0 & 0 \end{pmatrix}, \quad \mathcal{G}\_2^{(0)} = \begin{pmatrix} \ast\_2 & \ast & \ast \\ \ast & \ast\_{d-1} & 0 \\ \ast & 0 & 0 \end{pmatrix}, \tag{11}$$

where $d := \left\lfloor \log\_q \frac{D-q}{2} \right\rfloor$. Denote by $\phi\_2 : \mathbb{F}\_q^m \to \mathbb{F}\_{q^n}^2$ an $\mathbb{F}\_q$-isomorphism and $\mathcal{G}(X) := (\mathcal{G}\_1(X), \mathcal{G}\_2(X))$. ZHFE is constructed as follows.

**Secret key.** Two invertible affine maps $S : \mathbb{F}\_q^n \to \mathbb{F}\_q^n$, $T : \mathbb{F}\_q^m \to \mathbb{F}\_q^m$ and the quadratic map $G := \phi\_2^{-1} \circ \mathcal{G} \circ \phi : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Encryption.** For a plaintext $\mathbf{p} \in \mathbb{F}\_q^n$, the ciphertext is $\mathbf{c} = F(\mathbf{p}) \in \mathbb{F}\_q^m$.

**Decryption.** For a given ciphertext $\mathbf{c} \in \mathbb{F}\_q^m$, compute $\mathbf{z} := T^{-1}(\mathbf{c})$. Let $(Z\_1, Z\_2) := \phi\_2(\mathbf{z}) \in \mathbb{F}\_{q^n}^2$, and find $Y \in \mathbb{F}\_{q^n}$ such that $\Psi(Y) - Y^q \cdot Z\_1 - Y \cdot Z\_2 = 0$. Verify whether $\mathcal{G}\_1(Y) = Z\_1$, $\mathcal{G}\_2(Y) = Z\_2$ hold and put $\mathbf{y} := \phi^{-1}(Y) \in \mathbb{F}\_q^n$. The plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$.

**Complexity of decryption.** Since $\Psi(Y) - Y^q \cdot Z\_1 - Y \cdot Z\_2 = Y^q \cdot (\mathcal{G}\_1(Y) - Z\_1) + Y \cdot (\mathcal{G}\_2(Y) - Z\_2)$, at least one root $Y$ satisfies $\mathcal{G}\_1(Y) = Z\_1$, $\mathcal{G}\_2(Y) = Z\_2$ if $(Z\_1, Z\_2) \in \mathcal{G}(\mathbb{F}\_{q^n})$. The complexity of decryption is $O(D^3 + n D^2 \log q) = O(q^{3d} + n q^{2d} \log q)$ by Berlekamp's algorithm. The parameter $d$ should be $d = O(\log\_q n)$.

**Security.** Let $\{\theta\_1, \dots, \theta\_n\}$ be a basis of $\mathbb{F}\_{q^n}$ over $\mathbb{F}\_q$ and $\Theta\_2 := \left(\theta\_j^{q^{i-1}} \cdot I\_2\right)\_{1 \le i, j \le n}$. We can easily check that

$$\begin{pmatrix} F\_1 \\ \vdots \\ F\_m \end{pmatrix} = T \Theta\_2^{-1} \begin{pmatrix} {}^t(\Theta S) \mathcal{G}\_1^{(0)} (\Theta S) \\ {}^t(\Theta S) \mathcal{G}\_2^{(0)} (\Theta S) \\ {}^t(\Theta S) \mathcal{G}\_1^{(1)} (\Theta S) \\ \vdots \\ {}^t(\Theta S) \mathcal{G}\_2^{(n-1)} (\Theta S) \end{pmatrix}$$

and then there exist $a\_1, \dots, a\_m \in \mathbb{F}\_{q^n}$ such that

$$a\_1 F\_1 + \dots + a\_m F\_m = {}^t(\Theta S) \mathcal{G}\_1^{(0)} (\Theta S).$$

Since $\operatorname{rank} \mathcal{G}\_1^{(0)} \le d + 2$ due to (11), the min-rank attack is available on ZHFE and its complexity can be estimated by $O\!\left(\binom{m+d+3}{d+3}^{w}\right) = O(m^{(d+3)w})$ (Cabarcas et al. 2017; Perlner and Smith-Tone 2016). Since $d = O(\log\_q n)$, the security of ZHFE is also $n^{O(\log\_q n)}$.

We note that the plus and projection do not enhance the security. For the minus, we see that there exist $a\_1, \dots, a\_{m-r\_-}, b\_0, \dots, b\_{r\_-} \in \mathbb{F}\_{q^n}$ such that

$$\begin{split} &a\_1 F\_1 + \dots + a\_{m-r\_-} F\_{m-r\_-} \\ &= b\_0 \, {}^t(\Theta S) \mathcal{G}\_1^{(0)} (\Theta S) + b\_1 \, {}^t(\Theta S) \mathcal{G}\_2^{(0)} (\Theta S) + \dots + b\_{r\_-} \, {}^t(\Theta S) \mathcal{G}\_{(r\_- \bmod 2)+1}^{(\lfloor r\_-/2 \rfloor)} (\Theta S) \\ &= {}^t(\Theta S) \begin{pmatrix} \ast\_{\lceil r\_-/2 \rceil + 1} & \ast & \ast \\ \ast & \ast\_{d-(r\_- \bmod 2)} & 0 \\ \ast & 0 & 0 \end{pmatrix} (\Theta S). \end{split}$$

Since the rank of the matrix above is $d + r\_- + 2$, the complexity of the min-rank attack is $O\!\left(\binom{m+d+3}{d+r\_-+3}^{w}\right) = O((2n)^{(d+r\_-+3)w})$. However, the complexity of decryption is at most $q^{r\_-}$ times that of the original ZHFE, and then the security of ZHFE- is also $n^{O(\log\_q n)}$. Remark that Perlner and Smith-Tone (2016) proposed a minus of ZHFE without slowing down the decryption by using a singular-type ZHFE. However, by studying the structure of such a ZHFE- carefully, we can easily check that such a minus does not enhance the security against the min-rank attack at all.

#### *3.3 EFC*

EFC (Szepieniec et al. 2016) is an encryption scheme constructed from the fact that an extension field can be expressed by a set of matrices.

Let $n, m \ge 1$ be integers with $m = 2n$, $h(t)$ an irreducible univariate polynomial over $\mathbb{F}\_q$ and $H$ an $n \times n$ matrix whose characteristic polynomial is $h(t)$. It is easy to see that $\mathcal{H} := \{ a\_0 I\_n + a\_1 H + \dots + a\_{n-1} H^{n-1} \mid a\_0, \dots, a\_{n-1} \in \mathbb{F}\_q \}$ is isomorphic to $\mathbb{F}\_q[t]/h(t) \simeq \mathbb{F}\_{q^n}$. Choose $A\_1, \dots, A\_m \in \mathcal{H}$ and define the map $G : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$ by

$$\begin{aligned} {}^t(g\_1(\mathbf{x}), g\_3(\mathbf{x}), \dots, g\_{m-1}(\mathbf{x})) &= (x\_1 A\_1 + x\_2 A\_3 + \dots + x\_n A\_{m-1}) \mathbf{x}, \\ {}^t(g\_2(\mathbf{x}), g\_4(\mathbf{x}), \dots, g\_m(\mathbf{x})) &= (x\_1 A\_2 + x\_2 A\_4 + \dots + x\_n A\_m) \mathbf{x}. \end{aligned}$$

EFC (Szepieniec et al. 2016) is constructed as follows.

**Secret key.** Two invertible affine maps $S : \mathbb{F}\_q^n \to \mathbb{F}\_q^n$, $T : \mathbb{F}\_q^m \to \mathbb{F}\_q^m$ and the quadratic map $G : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$ (i.e., the matrices $A\_1, \dots, A\_m$) defined above.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Encryption.** For a plaintext $\mathbf{p} \in \mathbb{F}\_q^n$, the ciphertext is $\mathbf{c} = F(\mathbf{p}) \in \mathbb{F}\_q^m$.

**Decryption.** For a given ciphertext $\mathbf{c}$, compute $\mathbf{z} = {}^t(z\_1, \dots, z\_m) := T^{-1}(\mathbf{c})$. Solve the system of linear equations given by

$$\begin{aligned} &(x\_1 A\_1 + x\_2 A\_3 + \dots + x\_n A\_{m-1}) \, {}^t(z\_2, z\_4, \dots, z\_m) \\ &= (x\_1 A\_2 + x\_2 A\_4 + \dots + x\_n A\_m) \, {}^t(z\_1, z\_3, \dots, z\_{m-1}), \end{aligned} \tag{12}$$

and find a solution $\mathbf{y}$ of (12) satisfying $G(\mathbf{y}) = \mathbf{z}$. The plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$.

**Complexity of decryption.** Since $\mathcal{H}$ is commutative, it holds that

$$\begin{aligned} &(x\_1 A\_2 + x\_2 A\_4 + \dots + x\_n A\_m) \, {}^t(g\_1(\mathbf{x}), g\_3(\mathbf{x}), \dots, g\_{m-1}(\mathbf{x})) \\ &= (x\_1 A\_1 + x\_2 A\_3 + \dots + x\_n A\_{m-1}) \, {}^t(g\_2(\mathbf{x}), g\_4(\mathbf{x}), \dots, g\_m(\mathbf{x})). \end{aligned}$$

Then at least one solution of (12) satisfies $G(\mathbf{y}) = \mathbf{z}$ if $\mathbf{z} \in G(\mathbb{F}\_q^n)$. Equation (12) can be written as $(z\_1 B\_1 + \dots + z\_m B\_m) \mathbf{x} = 0$ with $n \times n$ matrices $B\_1, \dots, B\_m$ derived from $A\_1, \dots, A\_m$. The complexity of decryption is thus $O(n^3)$.

Note that, since the map *G* in EFC is over-defined, the complexity of the "plus" and the "projection" is almost the same as the original EFC and that of the "minus" is at most *qr*<sup>−</sup> times of the original EFC.

**Security.** It is already known that the original EFC is insecure against the linearization attack (Szepieniec et al. 2016). We now study the security of EFC- against the min-rank attack. Let $\theta \in \mathbb{F}\_{q^n}$ be a root of $h(t)$, choose the basis $\{\theta\_1, \dots, \theta\_n\} = \{1, \theta, \theta^2, \dots, \theta^{n-1}\}$ of $\mathbb{F}\_{q^n}$ over $\mathbb{F}\_q$ and put $\Theta := \left(\theta\_j^{q^{i-1}}\right)\_{1 \le i, j \le n}$. Suppose that $H$ is a companion matrix of $h(t)$. Since $A\_1, \dots, A\_m \in \mathcal{H}$, there exist linear forms $L\_1(\mathbf{x}), \dots, L\_m(\mathbf{x})$ of $\mathbf{x}$ over $\mathbb{F}\_q$ such that

$$\begin{aligned} \mathbf{x}\_1 A\_1 + \mathbf{x}\_2 A\_3 + \dots + \mathbf{x}\_n A\_{m-1} &= L\_1(\mathbf{x}) I\_n + L\_3(\mathbf{x}) H + \dots + L\_{m-1}(\mathbf{x}) H^{n-1}, \\ \mathbf{x}\_1 A\_2 + \mathbf{x}\_2 A\_4 + \dots + \mathbf{x}\_n A\_m &= L\_2(\mathbf{x}) I\_n + L\_4(\mathbf{x}) H + \dots + L\_m(\mathbf{x}) H^{n-1}. \end{aligned}$$

Denote by

$$\begin{aligned} \mathcal{G}\_1(X) &:= g\_1(\mathbf{x})\theta\_1 + g\_3(\mathbf{x})\theta\_2 + \dots + g\_{m-1}(\mathbf{x})\theta\_n, \\ \mathcal{G}\_2(X) &:= g\_2(\mathbf{x})\theta\_1 + g\_4(\mathbf{x})\theta\_2 + \dots + g\_m(\mathbf{x})\theta\_n, \\ \mathcal{L}\_1(X) &:= L\_1(\mathbf{x})\theta\_1 + L\_3(\mathbf{x})\theta\_2 + \dots + L\_{m-1}(\mathbf{x})\theta\_n, \\ \mathcal{L}\_2(X) &:= L\_2(\mathbf{x})\theta\_1 + L\_4(\mathbf{x})\theta\_2 + \dots + L\_m(\mathbf{x})\theta\_n, \end{aligned}$$

where $X := \phi(\mathbf{x}) = x\_1 \theta\_1 + \dots + x\_n \theta\_n$. It is easy to see that $\mathcal{G}\_1(X), \mathcal{G}\_2(X)$ are quadratic forms and $\mathcal{L}\_1(X), \mathcal{L}\_2(X)$ are linear forms of $\bar{X} = \Theta \mathbf{x} = {}^t(X, X^q, \dots, X^{q^{n-1}})$. By the definition of $G$, we see that

$$\begin{split} \Theta \, {}^t(g\_1(\mathbf{x}), g\_3(\mathbf{x}), \dots, g\_{m-1}(\mathbf{x})) &= \left(\sum\_{1 \le i \le n} L\_{2i-1}(\mathbf{x}) (\Theta H \Theta^{-1})^{i-1}\right) (\Theta \mathbf{x}), \\ \Theta \, {}^t(g\_2(\mathbf{x}), g\_4(\mathbf{x}), \dots, g\_m(\mathbf{x})) &= \left(\sum\_{1 \le i \le n} L\_{2i}(\mathbf{x}) (\Theta H \Theta^{-1})^{i-1}\right) (\Theta \mathbf{x}). \end{split} \tag{13}$$

Since $\Theta H \Theta^{-1} = \operatorname{diag}(\theta, \theta^q, \dots, \theta^{q^{n-1}})$ (e.g., Horn et al. 1985), we have $\mathcal{G}\_1(X) = \mathcal{L}\_1(X) \cdot X$, $\mathcal{G}\_2(X) = \mathcal{L}\_2(X) \cdot X$ due to (13). This means that the map $G$ is written as $G = \phi\_2^{-1} \circ \mathcal{G} \circ \phi$ where $\mathcal{G}(X) = (\mathcal{G}\_1(X), \mathcal{G}\_2(X)) = (\mathcal{L}\_1(X) \cdot X, \mathcal{L}\_2(X) \cdot X)$, and it holds that

$$\begin{pmatrix} F\_1 \\ \vdots \\ F\_m \end{pmatrix} = T \Theta\_2^{-1} \begin{pmatrix} {}^t(\Theta S) \mathcal{G}\_1^{(0)} (\Theta S) \\ {}^t(\Theta S) \mathcal{G}\_2^{(0)} (\Theta S) \\ {}^t(\Theta S) \mathcal{G}\_1^{(1)} (\Theta S) \\ \vdots \\ {}^t(\Theta S) \mathcal{G}\_2^{(n-1)} (\Theta S) \end{pmatrix}.$$

Then, for EFC-, there exist $a\_1, \dots, a\_{m-r\_-}, b\_0, \dots, b\_{r\_-} \in \mathbb{F}\_{q^n}$ such that

$$\begin{split} &a\_1 F\_1 + \dots + a\_{m-r\_-} F\_{m-r\_-} \\ &= b\_0 \, {}^t(\Theta S) \mathcal{G}\_1^{(0)} (\Theta S) + b\_1 \, {}^t(\Theta S) \mathcal{G}\_2^{(0)} (\Theta S) + \dots + b\_{r\_-} \, {}^t(\Theta S) \mathcal{G}\_{(r\_- \bmod 2)+1}^{(\lfloor r\_-/2 \rfloor)} (\Theta S) \\ &= {}^t(\Theta S) \begin{pmatrix} \ast\_{1 + \lfloor r\_-/2 \rfloor} & \ast \\ \ast & 0 \end{pmatrix} (\Theta S). \end{split}$$

Since the rank of the matrix above is at most $2 \lfloor r\_-/2 \rfloor + 2$, the min-rank attack is available on EFC- and its complexity can be estimated by $O\!\left(\binom{2n - r\_- + 2\lfloor r\_-/2 \rfloor + 3}{2 \lfloor r\_-/2 \rfloor + 3}^{w}\right) = O((2n)^{(r\_-+3)w})$. Since $r\_- = O(\log\_q n)$, the security of EFC- is also $n^{O(\log\_q n)}$. The situation is similar for the "plus" and "projection" of EFC-.

#### *3.4 ABC*

ABC (Tao et al. 2013, 2015) is an encryption scheme constructed from three polynomial matrices $A, B, C$. Let $r, n, m \ge 1$ be integers with $n = r^2$, $m = 2r^2$. For $\mathbf{x} = {}^t(x\_1, \dots, x\_n)$, define the $r \times r$ matrices $A(\mathbf{x}), B(\mathbf{x}), C(\mathbf{x}), E\_1(\mathbf{x}), E\_2(\mathbf{x})$ by $A(\mathbf{x}) := \left(x\_{j + r(i-1)}\right)\_{1 \le i, j \le r}$, $B(\mathbf{x}) := \left(b\_{ij}(\mathbf{x})\right)\_{1 \le i, j \le r}$, $C(\mathbf{x}) := \left(c\_{ij}(\mathbf{x})\right)\_{1 \le i, j \le r}$, $E\_1(\mathbf{x}) := A(\mathbf{x}) B(\mathbf{x})$ and $E\_2(\mathbf{x}) := A(\mathbf{x}) C(\mathbf{x})$, where $b\_{ij}(\mathbf{x}), c\_{ij}(\mathbf{x})$ are linear forms of $\mathbf{x}$. The quadratic map $G : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$ is generated by $E\_1(\mathbf{x}) = \left(g\_{j + r(i-1)}(\mathbf{x})\right)\_{1 \le i, j \le r}$ and $E\_2(\mathbf{x}) = \left(g\_{n + j + r(i-1)}(\mathbf{x})\right)\_{1 \le i, j \le r}$. The encryption scheme ABC (Tao et al. 2013) is constructed as follows.

**Secret key.** Two invertible affine maps $S : \mathbb{F}\_q^n \to \mathbb{F}\_q^n$, $T : \mathbb{F}\_q^m \to \mathbb{F}\_q^m$ and the quadratic map $G$ defined above.

**Public key.** The quadratic map $F := T \circ G \circ S : \mathbb{F}\_q^n \to \mathbb{F}\_q^m$.

**Encryption.** For a plaintext $\mathbf{p} \in \mathbb{F}\_q^n$, the ciphertext is $\mathbf{c} = F(\mathbf{p}) \in \mathbb{F}\_q^m$.

**Decryption.** For a given ciphertext $\mathbf{c}$, compute $\mathbf{z} = {}^t(z\_1, \dots, z\_m) := T^{-1}(\mathbf{c})$ and put $Z\_1 := \left(z\_{j + r(i-1)}\right)\_{1 \le i, j \le r}$, $Z\_2 := \left(z\_{n + j + r(i-1)}\right)\_{1 \le i, j \le r}$. Find $\mathbf{y} \in \mathbb{F}\_q^n$ such that

$$B(\mathbf{y}) = C(\mathbf{y}) Z\_2^{-1} Z\_1. \tag{14}$$

If $Z\_2$ is not invertible, replace (14) by $B(\mathbf{y}) Z\_1^{-1} Z\_2 = C(\mathbf{y})$. The plaintext is $\mathbf{p} = S^{-1}(\mathbf{y})$.

**Complexity of decryption.** Equation (14) yields a system of $n$ linear equations in $n$ variables, so the complexity of decryption is $O(n^3)$. Remark that the decryption fails if $A(S(\mathbf{p}))$ is not invertible, and the probability of this is about $q^{-1}$.
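To make the construction and the decryption step above concrete, here is a toy implementation over $\mathbb{F}\_{11}$ with $r = 2$ (so $n = 4$, $m = 8$). It is an added example, not code from the paper or from the ABC authors; the field size, the matrix size, the seed and the choice of homogeneous linear forms $b\_{ij}, c\_{ij}$ are assumptions made here for a runnable toy, and encryption is evaluated through the secret components $T, G, S$ rather than an expanded public polynomial (the ciphertext is the same). Decryption solves (14), or its fallback when $Z\_2$ is singular, as a linear system in $\mathbf{y}$ and then keeps the solutions with $G(\mathbf{y}) = \mathbf{z}$. Two things the prose glosses over show up in practice: the solution set of (14) is a subspace, so the check $G(\mathbf{y}) = \mathbf{z}$ is what picks out the true preimages, and because $G$ is homogeneous quadratic both $\mathbf{y}$ and $-\mathbf{y}$ pass it, so over an odd-characteristic field two plaintexts share each ciphertext (in characteristic 2 the two coincide). The function `singular_a_fraction` counts exactly how often $A(S(\mathbf{p}))$ is singular, the failure event whose probability the text puts at about $q^{-1}$.

```python
"""Toy ABC (Simple Matrix) encryption over F_11 with r = 2; an added example, not the paper's code."""
import random
from fractions import Fraction
from itertools import product

P, R = 11, 2                 # prime q and matrix size r: toy choices assumed here
N, M = R * R, 2 * R * R      # n = r^2 plaintext variables, m = 2 r^2 ciphertext entries

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % P for j in range(len(B[0]))] for i in range(len(A))]

def mat_vec(A, v):
    return [sum(A[i][k] * v[k] for k in range(len(v))) % P for i in range(len(A))]

def rref(Mx):
    """Gauss-Jordan elimination mod P; returns (reduced rows, pivot columns)."""
    A, pivots = [row[:] for row in Mx], []
    for c in range(len(A[0])):
        r = len(pivots)
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        A[r] = [x * pow(A[r][c], -1, P) % P for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % P for x, y in zip(A[i], A[r])]
        pivots.append(c)
    return A, pivots

def mat_inv(A):
    """Inverse mod P, or None when A is singular."""
    n = len(A)
    red, piv = rref([A[i][:] + [int(i == j) for j in range(n)] for i in range(n)])
    return [row[n:] for row in red] if piv[:n] == list(range(n)) else None

def nullspace(K):
    """Basis of {y : K y = 0 mod P}: one vector per free column of the reduced form."""
    red, piv = rref(K)
    cols = len(K[0])
    return [[(1 if c == f else -red[piv.index(c)][f] % P if c in piv else 0) for c in range(cols)]
            for f in range(cols) if f not in piv]

def to_matrix(v):
    """r x r matrix with (i, j) entry v[j + r*i], the 0-based form of x_{j + r(i-1)}."""
    return [v[i * R:(i + 1) * R] for i in range(R)]

def G(key, y):
    """Central map: E1 = A(y) B(y) and E2 = A(y) C(y) with linear forms b_ij, c_ij, flattened row by row."""
    A = to_matrix(y)
    forms = lambda coef: [[sum(coef[i][j][k] * y[k] for k in range(N)) % P for j in range(R)] for i in range(R)]
    return [e for row in mat_mul(A, forms(key["b"])) for e in row] + [e for row in mat_mul(A, forms(key["c"])) for e in row]

def keygen(seed=2024):
    """Secret key: random invertible affine S, T and random linear forms b_ij, c_ij (homogeneous here)."""
    rng = random.Random(seed)
    def rand(*shape):        # nested list of random field elements of the given shape
        return [rand(*shape[1:]) for _ in range(shape[0])] if shape else rng.randrange(P)
    S, T = rand(N, N), rand(M, M)
    while mat_inv(S) is None or mat_inv(T) is None:   # resample until both linear parts are invertible
        S, T = rand(N, N), rand(M, M)
    return {"S": S, "S_inv": mat_inv(S), "s": rand(N), "T": T, "T_inv": mat_inv(T), "t": rand(M),
            "b": rand(R, R, N), "c": rand(R, R, N)}

def encrypt(key, pt):
    """c = T(G(S(p))), evaluated through the secret parts; the public F gives the same value."""
    y = [(a + s) % P for a, s in zip(mat_vec(key["S"], pt), key["s"])]
    return [(a + t) % P for a, t in zip(mat_vec(key["T"], G(key, y)), key["t"])]

def decrypt(key, ct):
    """All plaintexts p with F(p) = ct found through (14); [] when A(S(p)) was singular."""
    z = mat_vec(key["T_inv"], [(a - t) % P for a, t in zip(ct, key["t"])])
    Z1, Z2 = to_matrix(z[:N]), to_matrix(z[N:])
    if mat_inv(Z2) is not None:          # (14): B(y) - C(y) Z2^{-1} Z1 = 0, linear in y
        Mx, lhs, rhs = mat_mul(mat_inv(Z2), Z1), key["b"], key["c"]
    elif mat_inv(Z1) is not None:        # the text's fallback: C(y) - B(y) Z1^{-1} Z2 = 0
        Mx, lhs, rhs = mat_mul(mat_inv(Z1), Z2), key["c"], key["b"]
    else:                                # singular A(S(p)) makes both Z1 and Z2 singular
        return []
    K = [[(lhs[i][j][k] - sum(rhs[i][l][k] * Mx[l][j] for l in range(R))) % P for k in range(N)]
         for i in range(R) for j in range(R)]
    basis = nullspace(K)
    if not basis or P ** len(basis) > 5000:   # solution space too large for this toy search
        return []
    found = []
    for coeffs in product(range(P), repeat=len(basis)):
        y = [sum(cf * v[k] for cf, v in zip(coeffs, basis)) % P for k in range(N)]
        if any(y) and G(key, y) == z:    # the check "G(y) = z" selects the true preimages
            found.append(mat_vec(key["S_inv"], [(a - s) % P for a, s in zip(y, key["s"])]))
    return found

def singular_a_fraction(key):
    """Exact share of plaintexts with singular A(S(p)), i.e. the decryption-failure rate."""
    bad = sum(mat_inv(to_matrix([(a + s) % P for a, s in zip(mat_vec(key["S"], pt), key["s"])])) is None
              for pt in product(range(P), repeat=N))
    return Fraction(bad, P ** N)
```

Running `decrypt(key, encrypt(key, pt))` returns two plaintexts for every ciphertext whose $A(S(\mathbf{p}))$ is invertible, namely $\mathbf{p}$ itself and $S^{-1}(-S(\mathbf{p}))$, and the empty list otherwise. For $r = 2$ over $\mathbb{F}\_{11}$ the failure rate computed by `singular_a_fraction` is exactly $1441/14641 \approx 0.098$, next to $1/q \approx 0.091$.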

**Security.** It is easy to check that the coefficient matrix $G\_1$ of the first polynomial $g\_1(\mathbf{x})$ in $G(\mathbf{x})$ is $G\_1 = \begin{pmatrix} \ast\_r & \ast \\ \ast & 0\_{n-r} \end{pmatrix}$. Then the min-rank attack is available and its complexity is $O(q^{2r} \cdot n^4)$ (Tao et al. 2013). Moody et al. (2014, 2017) proposed an asymptotically optimal attack with complexity $O(q^{r+2} \cdot n^4)$ based on the structure of subspace differential invariants. Recently, Liu et al. (2018) proposed a key recovery attack by solving a system of linear equations derived from the construction of the polynomials, and extended it to the rectangular ABC (Tao et al. 2015) and Cubic ABC (Ding et al. 2014). They claimed that these attacks have complexity $O(n^{2w})$, which is critical for the security of ABC schemes. On the other hand, one of the anonymous reviewers of the present paper claimed in his/her report that this attack seems doubtful. He/She may present his/her opinion somewhere in the near future.


**Table 1** Signature schemes


**Table 2** Encryption schemes

#### **4 Conclusion**

In Sect. 2, we describe the multivariate schemes UOV, Rainbow, HFE variants and the corresponding second round candidates of NIST's project. In Sect. 3, we discuss the practicalities of several new multivariate encryption schemes proposed recently. Tables 1 and 2 are rough sketches of the complexities of decryption/signature generation and the major attacks for the corresponding schemes. Note that there are various other attacks that concern implementations.

Table 1 shows that practical signature schemes can be implemented easily since signatures can be generated in polynomial time and the proposed attacks are in exponential time. On the other hand, Table 2 shows that the issues with the practicality of HFE variants have not been eliminated in the new encryption schemes. While selecting parameters for 80-, 100-, 120-bit security on such encryption schemes might be possible, they will not be able to keep up with the future inflation of security levels. Further drastic approaches will be required to construct practical multivariate encryption schemes.

**Acknowledgements** The author would like to thank the anonymous reviewer(s) for reading the previous draft and giving helpful comments. He was supported by JST CREST no.JPMJCR14D6 and JSPS Grant-in-Aid for Scientific Research (C) no. 17K05181.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Ramanujan Graphs for Post-Quantum Cryptography**

**Hyungrok Jo, Shingo Sugiyama, and Yoshinori Yamasaki**

**Abstract** We introduce a cryptographic hash function based on expander graphs, suggested by Charles et al. '09, as one prominent candidate in post-quantum cryptography. We propose a generalized version of explicit constructions of Ramanujan graphs, which are seen as an optimal structure of expander graphs in a spectral sense, from the previous works of Lubotzky, Phillips, Sarnak '88 and Chiu '92. We also describe the relationship between the security of Cayley hash functions and word problems for group theory. We also give a brief comparison of LPS-type graphs and Pizer's graphs to draw attention to the underlying hard problems in cryptography.

**Keywords** Ramanujan graphs · Quaternion algebras · Cayley hash functions · Group word problem

## **1 Introduction**

In the era of post-quantum cryptography, there exist four dominant research areas: Lattice-based, Code-based, Multivariate-based and Isogeny-based cryptography. Specifically, studies in the area of Isogeny-based cryptography have been numerous in the past decade, mainly due to the difficulty of finding a path in the Isogeny graph of supersingular elliptic curves.

H. Jo (B)
Faculty of Engineering, Information and Systems, University of Tsukuba, 1-1-1 Tennodai, Tsukuba, Ibaraki 305-8573, Japan
e-mail: jo.hyungrok.gb@u.tsukuba.ac.jp

S. Sugiyama
Department of Mathematics, College of Science and Technology, Nihon University, 1-8-14 Suruga-Dai, Kanda, Chiyoda, Tokyo 101-8308, Japan
e-mail: s-sugiyama@math.cst.nihon-u.ac.jp

Y. Yamasaki
Graduate School of Science and Engineering, Ehime University, 2-5 Bunkyo-cho, Matsuyama, Ehime 790-8577, Japan
e-mail: yamasaki.yoshinori.mh@ehime-u.ac.jp

© The Author(s) 2021

T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8\_17

In 2009, Charles et al. (2009a, 2009b) introduced cryptographic hash functions from expander graphs and explained the hardness of the problems behind those schemes. They proposed two kinds of hash functions based on two families of Ramanujan graphs. One of their proposals is based on the Ramanujan graphs of Lubotzky et al. (1988) (in short, LPS), which are Cayley graphs over the projective group with respect to well-chosen generating sets. The other is based on the Ramanujan graphs of Pizer (1990), which are not (expected to be) Cayley graphs. So far, the variants of their proposal still survive against quantum attacks, except for the only known attack, which has exponential complexity (Biasse et al. 2014).

In this article, we focus not only on the background of the families of LPS graphs and their generalization (LPS-type; Jo et al. 2020, 2018) with respect to the security of their Cayley-based hash functions, but also on the relationship between the families of LPS-type graphs and Pizer's graphs.

This article is organized as follows: In Sect. 2, we present some required preliminaries of expander graphs and Ramanujan graphs, and also of quaternion algebra theory. We summarize the security on Cayley hash functions and their cryptanalysis (variants of lifting attacks) related to solving word problems in group theory. In Sect. 3, we explain a way to generalize the explicit constructions of LPS and Chiu's Ramanujan graphs, and give a proof of the Ramanujan-ness of our graphs in the special case of "*P* = 13". In Sect. 4, we describe the relationship between the families of LPS-type graphs and Pizer's graphs. In Sect. 5, we summarize the arguments in this article and expound upon some unclarified problems and the relationships between explicit families of Ramanujan graphs.

## **2 Ramanujan Graphs and Their Cryptographic Applications**

An expander graph is well known as a ubiquitous object in various research areas, especially in computer science for designing communication networks. It is said to be a sparse, but highly connected graph. The quality of the network on expander graphs is considered as the expanding ratio. Throughout this article, we assume that all graphs are finite, undirected, simple (i.e. no loops or multi-edges) and connected. Suppose that *X* = (*V*, *E*) is a *k*-regular graph, composed of a vertex set *V* = *V*(*X*) with *n* vertices and an edge set *E* = *E*(*X*). For a subset *T* of *V*, the *boundary* ∂*T* of *T* is defined as

$$
\partial T = \{ (x, y) \in E \mid x \in T \text{ and } y \in V \setminus T \},
$$

where *V* \ *T* is the complement of *T* in *V*. The *expanding constant h*(*X*) of *X*, which is defined as below, is a discrete analogue of the Cheeger constant in differential geometry (Lubotzky 1994):

$$h(X) = \min_{\substack{T \subset V \\ 0 < |T| \le n/2}} \frac{|\partial T|}{|T|}.$$

We give the definition of an *expander graph*.

**Definition 1** A family of *k*-regular graphs $(X_j)_{j \ge 1}$ such that $|V(X_j)| \to +\infty$ as $j \to +\infty$ is called an *expander family* if there is a constant $\varepsilon > 0$ such that the expanding constant $h(X_j)$ satisfies $h(X_j) \ge \varepsilon$ for all $j$.

For the analysis of graphs, the *adjacency matrix* $A$ of the graph $X$ plays an important role; it is a square matrix indexed by pairs of vertices $u, v$ whose $(u, v)$-entry $A_{u,v}$ is the number of edges between $u$ and $v$. Since we assume that $X$ is simple with $n$ vertices, $A$ is an $n$-by-$n$ symmetric $(0,1)$-matrix with zero diagonal (i.e. $A_{u,u} = 0$). For such a graph $X$, the adjacency matrix $A$ of $X$ has the spectrum $k = \lambda_0 > \lambda_1 \ge \cdots \ge \lambda_{n-1}$. It is known (Alon and Milman 1985; Dodziuk 1984) that

$$\frac{k - \lambda_1}{2} \le h(X) \le \sqrt{2k(k - \lambda_1)}.$$

The larger the spectral gap $k - \lambda_1$, the better the quality of the network $X$. However, the following theorem of Alon and Boppana shows that the gap cannot be too large.

**Theorem 1** *Let* $(X_j)_{j \ge 1}$ *be a family of k-regular graphs with* $|V(X_j)| \to +\infty$ *as* $j \to +\infty$*. Then*

$$\liminf_{j \to +\infty} \lambda_1(X_j) \ge 2\sqrt{k-1}.$$

This fact motivates the definition of a *Ramanujan graph*.

**Definition 2** A *k*-regular graph $X$ is *Ramanujan* if, for every member $\lambda$ of the spectrum of the adjacency matrix of $X$ other than $\pm k$, one has $|\lambda| \le 2\sqrt{k-1}$. We call $2\sqrt{k-1}$ the *Ramanujan bound* (RB).

For a more detailed exposition of the theory, see Davidoff et al. (2003), Lubotzky (1994) and Terras (2010). In order to explain how to construct explicit Ramanujan graphs in the style of LPS, Chiu, LPS-type and Pizer, we recall basic facts and terminology of quaternion algebras (Vignéras 1980).

Let $F$ be a field and $F^\times$ its unit group. Let $\mathcal{A} = \mathcal{A}_F$ be a *quaternion algebra* over $F$, i.e. a central simple algebra of dimension 4 over $F$. In this article, we always assume that $F$ is not of characteristic 2. Then there exist $a, b \in F^\times$ such that it can be written as $\mathcal{A} = \mathcal{A}_F(a,b) = \{\alpha = x + yi + zj + wk \mid x, y, z, w \in F\}$, where $i, j, k$ satisfy $i^2 = a$, $j^2 = b$ and $ij = -ji = k$ (and hence $k^2 = -ab$). For $\alpha = x + yi + zj + wk \in \mathcal{A}$, its *conjugate*, *reduced trace* and *reduced norm* are defined by $\bar\alpha = x - yi - zj - wk$, $T(\alpha) = \alpha + \bar\alpha = 2x \in F$ and $N(\alpha) = \alpha\bar\alpha = \bar\alpha\alpha = x^2 - ay^2 - bz^2 + abw^2 \in F$, respectively.

#### **Quaternion algebras over** $\mathbb{F}_q$

Throughout this article, we denote by $\mathbb{P}$ the set of all prime numbers. For a prime $p \in \mathbb{P}$ and $d \in \mathbb{N}$, let $\mathbb{F}_{p^d}$ be the field of $p^d$ elements. Let us fix $q \in \mathbb{P} \setminus \{2\}$. It is known that, for any $a, b \in \mathbb{F}_q^\times$, the quaternion algebra $\mathcal{A} = \mathcal{A}_{\mathbb{F}_q}(a,b)$ is isomorphic to the matrix algebra $M_2(\mathbb{F}_q)$ of 2-by-2 matrices over $\mathbb{F}_q$. Let $\left(\frac{\cdot}{\cdot}\right)$ be the Kronecker symbol. When $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$, that is, $\sqrt{a}, \sqrt{-b} \in \mathbb{F}_q$, one has the following isomorphism.

**Lemma 1** *Assume that* $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$*. Then the map* $\psi_q : \mathcal{A} \to M_2(\mathbb{F}_q)$ *defined by*

$$
\psi_q(x + yi + zj + wk) = \begin{bmatrix}
x + y\sqrt{a} & \sqrt{-b}\,(z + w\sqrt{a}) \\
-\sqrt{-b}\,(z - w\sqrt{a}) & x - y\sqrt{a}
\end{bmatrix}
$$

*is an isomorphism satisfying* $\det(\psi_q(\alpha)) = N(\alpha)$ *and* $\psi_q(\bar\alpha) = \overline{\psi_q(\alpha)}$ *for* $\alpha \in \mathcal{A}$*. Here,* $\overline{\begin{bmatrix} s & t \\ u & v \end{bmatrix}} = \begin{bmatrix} v & -t \\ -u & s \end{bmatrix}$ *for* $\begin{bmatrix} s & t \\ u & v \end{bmatrix} \in M_2(\mathbb{F}_q)$*.*

For a ring $R$, we denote by $R^\times$ the group of units of $R$. Let $\mathrm{GL}_2(\mathbb{F}_q) = M_2(\mathbb{F}_q)^\times$ and $\mathrm{SL}_2(\mathbb{F}_q) = \{A \in \mathrm{GL}_2(\mathbb{F}_q) \mid \det A = 1\}$. Moreover, let $\mathrm{PGL}_2(\mathbb{F}_q) = \mathrm{GL}_2(\mathbb{F}_q)/Z(\mathrm{GL}_2(\mathbb{F}_q))$ and $\mathrm{PSL}_2(\mathbb{F}_q) = \mathrm{SL}_2(\mathbb{F}_q)/Z(\mathrm{SL}_2(\mathbb{F}_q))$. Here, for a group $G$, we denote by $Z(G)$ the *center* of $G$. We can naturally see that $\mathrm{PSL}_2(\mathbb{F}_q)$ is a subgroup of $\mathrm{PGL}_2(\mathbb{F}_q)$ of index 2 because $q$ is odd. Additionally, we remark that $|\mathrm{PGL}_2(\mathbb{F}_q)| = q(q^2 - 1)$ and $|\mathrm{PSL}_2(\mathbb{F}_q)| = q(q^2 - 1)/2$. Since $\mathcal{A} \cong M_2(\mathbb{F}_q)$, we have $\mathcal{A}^\times \cong \mathrm{GL}_2(\mathbb{F}_q)$ via (the restriction of) $\psi_q$ and hence obtain the isomorphism $\beta_q : \mathcal{A}^\times / Z(\mathcal{A}^\times) \to \mathrm{PGL}_2(\mathbb{F}_q)$.

We need the following lemma later.

**Lemma 2** (Davidoff et al. 2003, Chap. 3) *Assume that* $\left(\frac{a}{q}\right) = \left(\frac{-b}{q}\right) = 1$*. Let* $\alpha \in \mathcal{A}$ *with* $N(\alpha) = p \in \mathbb{P} \setminus \{q\}$*, which implies that* $\alpha \in \mathcal{A}^\times$*. Then* $\beta_q(\alpha \mathbb{F}_q^\times) \in \mathrm{PSL}_2(\mathbb{F}_q)$ *if and only if* $\left(\frac{p}{q}\right) = 1$*.*

#### **Quaternion algebras over** $\mathbb{Q}$

Let $a, b \in \mathbb{Z} \setminus \{0\}$ and $\mathcal{A} = \mathcal{A}_{\mathbb{Q}}(a,b)$ be a quaternion algebra over $\mathbb{Q}$. A place $v$ of $\mathbb{Q}$ is said to be *split* in $\mathcal{A}$ if $\mathcal{A}_v := \mathcal{A} \otimes_{\mathbb{Q}} \mathbb{Q}_v \cong M_2(\mathbb{Q}_v)$, where $\mathbb{Q}_v$ is the $v$-adic completion of $\mathbb{Q}$, and is said to be *ramified* if $\mathcal{A}_v$ is a division algebra. We denote by $\mathrm{Ram}(\mathcal{A})$ the set of all places which are ramified in $\mathcal{A}$. Notice that $\mathrm{Ram}(\mathcal{A})$ is a finite set of even cardinality and determines the isomorphism class of the quaternion algebra over $\mathbb{Q}$. The product of all primes (= finite places) in $\mathrm{Ram}(\mathcal{A})$ is called the *discriminant* of $\mathcal{A}$ and is denoted by $D$. From now on, we assume that $\mathcal{A}$ is definite, that is, the infinite place $\infty$ is ramified in $\mathcal{A}$, whence an odd number of primes are ramified in $\mathcal{A}$. Notice that $\mathcal{A} = \mathcal{A}_{\mathbb{Q}}(a,b)$ is definite if and only if $a < 0$ and $b < 0$.

A *lattice* $I \subset \mathcal{A}$ is a free $\mathbb{Z}$-submodule of $\mathcal{A}$ of rank 4. A lattice $\mathcal{O} \subset \mathcal{A}$ is called an *order* if it is a ring with unity. In particular, it is called *maximal* if it is not properly contained in any other order. Notice that, if $\mathcal{O}$ is an order of $\mathcal{A}$, then $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p$ is an order of $\mathcal{A}_p$ for $p \in \mathbb{P}$. Here, $\mathbb{Z}_p$ is the ring of $p$-adic integers. Let $\mathcal{O}$ be an order of $\mathcal{A}$. We call a lattice $I$ of $\mathcal{A}$ a *left* (resp. *right*) $\mathcal{O}$-*ideal* if $\mathcal{O}_L(I) = \mathcal{O}$ (resp. $\mathcal{O}_R(I) = \mathcal{O}$), where $\mathcal{O}_L(I) = \{\alpha \in \mathcal{A} \mid \alpha I \subset I\}$ (resp. $\mathcal{O}_R(I) = \{\alpha \in \mathcal{A} \mid I\alpha \subset I\}$). We say that two left (resp. right) $\mathcal{O}$-ideals $I$ and $J$ are equivalent if there exists $\alpha \in \mathcal{A}^\times$ such that $I = J\alpha$ (resp. $I = \alpha J$). This is an equivalence relation. We denote by $H(\mathcal{O})$ the number of equivalence classes, which is known to be finite and the same whether left or right ideals are used. We call $H(\mathcal{O})$ the *class number* of $\mathcal{O}$.

We next give the definition of Eichler orders. To do that, we first recall the local situation. If $p \in \mathbb{P}$ is ramified in $\mathcal{A}$, then $\mathcal{A}_p$ is a division algebra which has a maximal order $\mathcal{O}_p = \{\alpha \in \mathcal{A}_p \mid N(\alpha) \in \mathbb{Z}_p\}$. On the other hand, if $p \in \mathbb{P}$ is split in $\mathcal{A}$, then $\mathcal{A}_p$ is isomorphic to $M_2(\mathbb{Q}_p)$ and a maximal order of $\mathcal{A}_p$ is isomorphic to a conjugate of the maximal order $M_2(\mathbb{Z}_p) = \begin{bmatrix} \mathbb{Z}_p & \mathbb{Z}_p \\ \mathbb{Z}_p & \mathbb{Z}_p \end{bmatrix}$ of $M_2(\mathbb{Q}_p)$ by an element of $\mathcal{A}_p^\times$.

Let $D$ be the discriminant of $\mathcal{A}$, and $M$ a positive square-free integer prime to $D$. An order $\mathcal{O}$ of $\mathcal{A}$ is called an *Eichler order* of level $(D, M)$ if the following local conditions are satisfied: for all $p \in \mathbb{P}$ ramified in $\mathcal{A}$ (i.e. $p \mid D$), $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p = \mathcal{O}_p$; for all $p \in \mathbb{P}$ split in $\mathcal{A}$ (i.e. $p \nmid D$), $\mathcal{O} \otimes_{\mathbb{Z}} \mathbb{Z}_p$ is isomorphic to a conjugate of the order $\begin{bmatrix} \mathbb{Z}_p & \mathbb{Z}_p \\ M\mathbb{Z}_p & \mathbb{Z}_p \end{bmatrix}$ of $M_2(\mathbb{Q}_p)$ by an element of $\mathcal{A}_p^\times$. Remark that an Eichler order is maximal when $M = 1$. If $p \mid M$, we call $p$ an *Eichler prime*. Notice that an Eichler order can be characterized as an order which is the intersection of two maximal orders. It is shown in Pizer (1976) that the class number of an Eichler order depends only on its level. Hence, we write $H(\mathcal{O})$ as $H(D, M)$ when $\mathcal{O}$ is of level $(D, M)$. Remark that $H(D, 1) = 1$ if and only if $D \in \{2, 3, 5, 7, 13\}$.

Let $G$ be a group and $S$ a generating set which is symmetric (i.e. $S = S^{-1}$) and does not contain the identity of $G$. The *Cayley graph* over $G$ with respect to $S$ is the $|S|$-regular graph with vertex set $V = G$ and edge set $E$ consisting of the pairs $(g_1, g_2) \in G \times G$ such that $g_1 = g_2 s$ for some $s \in S$.

**The families of LPS graphs** Let $p$ and $q$ (with $q > 2\sqrt{p}$) be distinct primes congruent to 1 (mod 4). Lubotzky et al. (1988) described how to construct a family of Ramanujan graphs of degree $p + 1$ having $O(q^3)$ vertices as $q \to +\infty$. These graphs are Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_q)$ or $\mathrm{PSL}_2(\mathbb{F}_q)$ with respect to the generating set $S_{LPS}$ defined as

$$S_{LPS} = \left\{ \begin{bmatrix} a_0 + i a_1 & a_2 + i a_3 \\ -a_2 + i a_3 & a_0 - i a_1 \end{bmatrix} \,\middle|\, a_0^2 + a_1^2 + a_2^2 + a_3^2 = p \text{ for odd } a_0 > 0 \text{ and even } a_1, a_2, a_3 \right\}, \qquad (1)$$

where $i \in \mathbb{Z}$ is such that $i^2 \equiv -1 \pmod q$. The diophantine equation in (1) comes from the norm of the underlying algebra $\mathcal{A}_{\mathbb{Q}}(-1, -1)$, where $i^2 = -1$, $j^2 = -1$ and $ij = -ji = k$; this algebra is called the *Hamiltonian quaternion algebra*. By Jacobi's four-squares theorem (Hirschhorn 1987), there are $8(p + 1)$ integer solutions $(a_0, a_1, a_2, a_3) \in \mathbb{Z}^4$ of the four-squares equation in (1). Since there are 8 units $\pm 1, \pm i, \pm j, \pm k$, we see $|S_{LPS}| = p + 1$.

**The families of Chiu's graphs** Margulis (1988), independently of LPS, alluded to the existence of essentially the same graphs as those of LPS, but without an explicit description. Chiu (1992) described how to construct a family of Ramanujan graphs, explicitly covering the case $p = 2$. Since the Hamiltonian quaternion algebra is not split at $p = 2$, Chiu chose a specific quaternion algebra $\mathcal{A}_{\mathbb{Q}}(-2, -13)$, which is split at 2 and has a maximal order of class number 1. Take a prime $q \in \mathbb{P} \setminus \{2, 13\}$ such that $\left(\frac{-2}{q}\right) = \left(\frac{13}{q}\right) = 1$. Chiu's cubic graphs are also Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_q)$ or $\mathrm{PSL}_2(\mathbb{F}_q)$ with respect to the generating set $S_C$ defined as

$$S_C = \left\{ \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix}, \begin{bmatrix} 2 + i' & i'j' \\ i'j' & 2 - i' \end{bmatrix}, \begin{bmatrix} 2 - i' & j'i' \\ j'i' & 2 + i' \end{bmatrix} \right\},$$

where $i', j' \in \mathbb{Z}$ are such that $i'^2 \equiv -2$ and $j'^2 \equiv 13 \pmod q$, respectively.

**The families of Morgenstern's graphs** Morgenstern (1994) described how to construct, for any prime power $q$, a family of Ramanujan graphs of degree $q + 1$. These graphs are given as Cayley graphs over the groups $G = \mathrm{PGL}_2(\mathbb{F}_{q^d})$ or $\mathrm{PSL}_2(\mathbb{F}_{q^d})$ for some $d \in \mathbb{N}$ with respect to the generating set $S_{M_{\text{odd}}}$ when $q$ is odd and $S_{M_{\text{even}}}$ when $q$ is even. For an odd prime power $q$, let $\epsilon$ be a non-square in $\mathbb{F}_q$. Let $g(x) \in \mathbb{F}_q[x]$ be irreducible of even degree $d$. We realize $\mathbb{F}_{q^d}$ as $\mathbb{F}_q[x]/g(x)\mathbb{F}_q[x]$. Let $\mathrm{i} \in \mathbb{F}_{q^d}$ be such that $\mathrm{i}^2 = \epsilon$. Then $S_{M_{\text{odd}}}$ is defined as

$$S_{M_{\text{odd}}} = \left\{ \begin{bmatrix} 1 & a - \mathrm{i}b \\ (a + \mathrm{i}b)(x - 1) & 1 \end{bmatrix} \,\middle|\, b^2\epsilon - a^2 = 1 \text{ for } a, b \in \mathbb{F}_q \right\}.$$

For an even prime power $q$, let $\epsilon$ be a non-square in $\mathbb{F}_q$. Let $f(x) = x^2 + x + \epsilon$ be irreducible in $\mathbb{F}_q[x]$. Let $g(x) \in \mathbb{F}_q[x]$ be irreducible of even degree $d$. We also realize $\mathbb{F}_{q^d}$ as $\mathbb{F}_q[x]/g(x)\mathbb{F}_q[x]$. Let $\mathrm{i}' \in \mathbb{F}_{q^d}$ be a root of $f(x)$. Then $S_{M_{\text{even}}}$ is defined as

$$S\_{M\_{\text{sym}}} = \left\{ \left. \begin{bmatrix} 1 & a - \mathrm{i}'b \\ (a + \mathrm{i}'b + b)\chi & 1 \end{bmatrix} \right| \, a^2 + ab + b^2 \epsilon = 1 \text{ for } a, b \in \mathbb{F}\_q \right\}.$$

#### *2.1 Security on Cayley Hashes and Word Problems*

A *hash function* is a function that accepts a message, an arbitrarily long string of bits, and outputs a hash value, a string of bits of fixed finite length. Efficiency of the hashing process is a basic practical requirement. Such a function should also satisfy certain properties such as being *collision resistant*, *second preimage resistant* and *preimage resistant*.

Let $n \in \mathbb{N}$ and let $\mathcal{H} : \{0, 1\}^* \to \{0, 1\}^n$; $m \mapsto h = \mathcal{H}(m)$, where $\{0, 1\}^*$ is the set of bit strings of arbitrary length and $\{0, 1\}^n$ is the set of bit strings of the fixed length $n$. The function $\mathcal{H}$ is said to be

• **Preimage resistant** if, given $h \in \{0, 1\}^n$, it is *computationally infeasible* to find $m \in \{0, 1\}^*$ such that $h = \mathcal{H}(m)$.

**Fig. 1** Diffusion from the starting vertex $g_{ST}$ along Cayley graphs over $G$ with respect to $S = \{s_0, \ldots, s_r\}$

Let $G$ be a non-commutative group and $S = \{s_0, \ldots, s_r\} \subset G$ a generating set for $G$ which is symmetric and does not contain the identity. Charles et al. (2009a), Petit et al. (2007) and Petit and Quisquater (2010b) described Cayley hash functions, in which the input to be hashed is used as directions for a walk on the graph, and the end vertex of the walk is the output of the hash function, as depicted in Fig. 1.

A message $m$ is given as a string $m_1 \ldots m_\ell$, where $m_i \in \{0, \ldots, r\}$. Then the resulting hash value $h$ of $m$ is obtained as the group product

$$h := \mathcal{H}(m) = g_{ST}\, s_{m_1} s_{m_2} \cdots s_{m_\ell},$$

where $g_{ST}$ is a fixed starting element in $G$ (we usually take $g_{ST}$ to be the identity of $G$). To determine the sequence of generators used in the walk inductively, we define a *choice function* $\pi$ which assigns the next generator from the current message symbol and the previous generator, while avoiding backtracking (i.e. the products $ss^{-1}$ or $s^{-1}s$). We choose a function

$$
\pi: \{0, \dots, r\} \times S \to S \tag{2}
$$

such that for any $s \in S$ the set $\pi(\{0, \ldots, r\} \times \{s\})$ is equal to $S \setminus \{s^{-1}\}$.
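The map $\psi_q$ of Lemma 1, the LPS generating set (1) and the Cayley hash walk with the choice function $\pi$ of (2), as an added Python example that is not part of the original paper; it assumes the small parameters $p = 5$, $q = 13$ (so $q > 2\sqrt{p}$ and $i = 5$), our own first-step convention for $\pi$, and function names of our choosing.

```python
# Added example (our own code, not from the paper): the map psi_q of
# Lemma 1, the LPS generating set S_LPS of Eq. (1) obtained from it for the
# assumed small parameters p = 5, q = 13, and a Cayley hash walk with a
# backtracking-free choice function as in Eq. (2).
from itertools import product
from math import isqrt

def sqrt_mod(a, q):
    """Return some r with r*r == a (mod q), or None (brute force, q small)."""
    a %= q
    for r in range(q):
        if r * r % q == a:
            return r
    return None

def psi_q(alpha, a, b, q):
    """Lemma 1: x + yi + zj + wk in A(a, b) -> (s, t, u, v) = [[s, t], [u, v]]
    over F_q.  Requires sqrt(a) and sqrt(-b) mod q, i.e. (a/q) = (-b/q) = 1."""
    x, y, z, w = alpha
    ra, rb = sqrt_mod(a, q), sqrt_mod(-b, q)
    if ra is None or rb is None:
        raise ValueError("a and -b must be squares mod q")
    return ((x + y * ra) % q, rb * (z + w * ra) % q,
            -rb * (z - w * ra) % q, (x - y * ra) % q)

def reduced_norm(alpha, a, b):
    x, y, z, w = alpha
    return x * x - a * y * y - b * z * z + a * b * w * w

def conjugate(alpha):
    x, y, z, w = alpha
    return (x, -y, -z, -w)

def det2(m, q):
    s, t, u, v = m
    return (s * v - t * u) % q

def adjugate(m, q):
    """The bar operation of Lemma 1: [[s, t], [u, v]] -> [[v, -t], [-u, s]]."""
    s, t, u, v = m
    return (v % q, -t % q, -u % q, s % q)

def lemma1_holds(alpha, a, b, q):
    """det(psi_q(alpha)) = N(alpha) mod q and psi_q(conj(alpha)) = bar(psi_q(alpha))."""
    m = psi_q(alpha, a, b, q)
    return (det2(m, q) == reduced_norm(alpha, a, b) % q
            and psi_q(conjugate(alpha), a, b, q) == adjugate(m, q))

def canon(m, q):
    """Representative of the class of m in PGL2(F_q): first nonzero entry scaled to 1."""
    for e in m:
        if e % q:
            inv = pow(e, -1, q)
            return tuple(x * inv % q for x in m)
    raise ValueError("zero matrix")

def mul2(m, n, q):
    s, t, u, v = m
    s2, t2, u2, v2 = n
    return ((s * s2 + t * u2) % q, (s * t2 + t * v2) % q,
            (u * s2 + v * u2) % q, (u * t2 + v * v2) % q)

def pgl_inverse(m, q):
    return canon(adjugate(m, q), q)

def lps_generators(p, q):
    """S_LPS of Eq. (1): psi_q with a = b = -1 (so sqrt(a) = i, sqrt(-b) = 1)
    applied to the norm-p quaternions with a0 odd positive and a1, a2, a3 even."""
    r = isqrt(p)
    gens = []
    for a0 in range(1, r + 1, 2):
        for a1, a2, a3 in product(range(-r, r + 1), repeat=3):
            if a1 % 2 or a2 % 2 or a3 % 2:
                continue
            if a0 * a0 + a1 * a1 + a2 * a2 + a3 * a3 == p:
                gens.append(canon(psi_q((a0, a1, a2, a3), -1, -1, q), q))
    return gens

def choice(symbol, prev, gens, q):
    """Choice function pi of Eq. (2): candidates are S minus prev^{-1}, indexed
    by the message symbol in {0, ..., |S| - 2}.  With no previous generator
    (first step) we drop the last generator instead; that rule is our own."""
    if prev is None:
        cands = gens[:-1]
    else:
        banned = pgl_inverse(prev, q)
        cands = [g for g in gens if g != banned]
    return cands[symbol]

def cayley_hash(message, gens, q):
    """Walk on Cay(PGL2(F_q), S) from the identity g_ST; the end vertex is the hash."""
    h, prev = canon((1, 0, 0, 1), q), None
    for sym in message:
        s = choice(sym, prev, gens, q)
        h, prev = canon(mul2(h, s, q), q), s
    return h
```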

The security of Cayley hash functions relies on the hardness of solving *word problems* in group theory (Lubotzky 1994; Meier 2008; Petit and Quisquater 2010b), which are among the most challenging open problems. There are three problems (the *balance*, *representation* and *factorization problems*), which correspond to the three properties of Cayley hash functions, respectively.

Let $L \in \mathbb{N}$ be small (approximately $\log |G|$). We denote the product of the group elements $s_{m_1}, s_{m_2}, \ldots, s_{m_L}$ by $\prod s_{m_i} = s_{m_1} s_{m_2} \cdots s_{m_L}$.

**Fig. 2** Relationship between the properties of Cayley hash functions and the hardness of Group word problems


A Cayley hash function is collision resistant if and only if the balance problem is hard; it is second preimage resistant only if the representation problem is hard; it is preimage resistant if and only if the corresponding factorization problem is hard (as described in Fig. 2).

The *diameter* of a Cayley graph over $G$ with respect to $S$, which arises naturally from the problems above, is defined as the smallest $\ell$ such that every element of $G$ can be expressed as a word of length at most $\ell$ in $S$. Babai and Seress (1992) conjectured that the diameter of any Cayley graph over any noncommutative simple group is polylogarithmic in the size of the group, such as $\exp\big((|G| \log |G|)^{1/2}(1 + o(|G|))\big)$. Helfgott and Seress (2014) gave a quasipolynomial upper bound $\exp\big((\log \log |G|)^{O(1)}\big)$, which is the best known upper bound for permutation groups.

Even after more than two decades of research in various areas (pure mathematics, computer science, cryptography, etc.), the word problems remain hard to solve. For example, since it was posed as a challenge in Petit and Quisquater (2010b), solving the balance/representation/factorization problems for $G = \mathrm{SL}_2(\mathbb{F}_{2^n})$ with a certain specific generating set, tweaked from the generating set of Tillich and Zémor (1994), still seems to be open. They also mentioned that identifying groups, together with specific generating sets, for which the balance, representation and factorization problems are difficult is an important challenge.

#### *2.2 Lifting Attacks*

Zémor (1991) proposed the first hash function scheme from Cayley graphs over $\mathrm{SL}_2$ of a finite field having a large *girth*, i.e. length of a shortest cycle. Soon after, Tillich and Zémor found a way to break Zémor's scheme by a *lifting attack* and suggested an improved version with $\mathrm{SL}_2$ over a finite field of characteristic 2. The Tillich–Zémor scheme (Tillich and Zémor 1994) resisted cryptanalysis for a decade and a half until Grassl et al. (2010), Petit et al. (2009) and Petit and Quisquater (2010a) found collisions and even preimages in practice. A critical observation for both attacks is that the hardness of the balance/representation/factorization problems does not change if we replace the generators of $\mathrm{SL}_2(\mathbb{F}_{2^n})$ by ones for which the Euclidean algorithm can be used. Even the Cayley hash functions based on LPS Ramanujan graphs proposed by Charles et al. (2009a) have been broken by Tillich and Zémor (2008) using a variant of the *lifting attack*.

In this subsection, we give a brief example of a lifting attack, the one used by Tillich and Zémor (2008). The distinct primes $p$ and $q$ are assumed to satisfy $p \equiv q \equiv 1 \pmod 4$ and $\left(\frac{p}{q}\right) = 1$. First, the elements of $\mathrm{PSL}_2(\mathbb{F}_q)$ are lifted to elements of $\mathrm{SL}_2(\mathbb{Z}[\mathrm{i}])$, where $\mathrm{i}$ is the imaginary unit. Even though the lifts of the generators do not generate the whole of $\mathrm{SL}_2(\mathbb{Z}[\mathrm{i}])$ but only a subset $\Omega$ of $\mathrm{SL}_2(\mathbb{Z}[\mathrm{i}])$ with the specific conditions shown in Tillich and Zémor (2008), the lifting attack still works because $\Omega$ has the very simple form shown below:

$$\Omega = \left\{ \begin{bmatrix} x + \mathrm{i}y & z + \mathrm{i}w \\ -z + \mathrm{i}w & x - \mathrm{i}y \end{bmatrix} \,\middle|\, (x, y, z, w) \in E_\ell \text{ for some integer } \ell > 0 \right\},$$

where $E_\ell$ is the set of 4-tuples $(x, y, z, w) \in \mathbb{Z}^4$ such that

$$\begin{cases} x^2 + y^2 + z^2 + w^2 = p^\ell, \\ x > 0,\ x \equiv 1 \pmod 2, \\ y \equiv z \equiv w \equiv 0 \pmod 2. \end{cases}$$

Tillich and Zémor solved the *representation problem* by lifting the identity to $\Omega$, which amounts to solving the norm equation

$$(\lambda + xq)^2 + 4(yq)^2 + 4(zq)^2 + 4(wq)^2 = p^\ell \tag{3}$$

with $\lambda, x, y, z, w \in \mathbb{Z}$ and $\ell \in \mathbb{N}$ (once the identity is lifted, reduction modulo $q$ and factoring become trivial). The equation is solved as follows: we arbitrarily fix $\ell = 2$ with $p > mq^2$ and $\lambda + xq = p - 2mq^2$ for some $m$. We substitute these into the norm equation (3). Dividing the norm equation by $4q^2$ then gives an equation of the form $y^2 + z^2 + w^2 = N := m(p - mq^2)$.

The last equation is solved by choosing $w$ at random, checking the parity condition that ensures that the resulting equation $y^2 + z^2 = N' := N - w^2$ has a solution, and finally solving this equation with the continued fraction method (or with the advanced Euclidean algorithm, Cornacchia's algorithm, or Pell's equation).

Subsequently, most of the existing Cayley hash functions based on explicit Ramanujan graphs (Chiu 1988; Lubotzky 1994; Morgenstern 1992) have been broken by variants of the lifting attack (Jo et al. 2008; Petit et al. 2008; Tillich and Zémor 2017), since lifting attacks are able to solve the factorization/representation problems in each case. As we can see in Table 1, when we attack Cayley hash functions, we can apply a lifting attack which corresponds to a norm equation of their base algebra together with a Euclidean algorithm.

**Table 1** Norm equations and $N$ for the Euclidean algorithm in the cryptanalysis of Cayley hashes

Thus, we want to make explicit Ramanujan graphs with a wider variety of norm equations, using $P$ and $Q$ as coefficients ($P \in \{2, 3, 5, 7, 13\}$ and $Q \in \mathbb{P}$ satisfying $Q \equiv 3 \pmod 8$ and $\left(\frac{-Q}{P}\right) = -1$ unless $P = 2$). At the very least, to apply variants of the lifting attack, one would have to set up an attack corresponding to each norm equation. It is also possible to keep partial information ($P$, $Q$ or both) unrevealed during the hashing process as a private key. From this, we can build digital signature schemes which resist variants of the lifting attack. This motivates the study of a generalization of LPS's and Chiu's Ramanujan graphs.

#### **3 The Families of LPS-Type Graphs**

Now we recall Ibukiyama's construction (Ibukiyama 1982) of maximal orders of definite quaternion algebras over $\mathbb{Q}$ which are ramified at given primes.

**Proposition 1** (Ibukiyama 1982) *Let* $r$ *be an odd positive integer and* $P_1, P_2, \ldots, P_r$ *distinct prime numbers. Set* $M = P_1 P_2 \cdots P_r$*. Take a prime number* $Q$ *such that* $Q \equiv 3 \pmod 8$ *and* $\left(\frac{-Q}{P_i}\right) = -1$ *for all* $i$ *except for* $i$ *with* $P_i = 2$*. Moreover, take an integer* $T$ *such that* $T^2 \equiv -M \pmod Q$*. Then* $\mathcal{A}_{\mathbb{Q}}(-M, -Q)$ *is a definite quaternion algebra which is ramified only at* $\infty, P_1, P_2, \ldots, P_r$*. Moreover, let*

$$\omega_1 = \frac{1+j}{2}, \quad \omega_2 = \frac{i+k}{2} \quad \text{and} \quad \omega_3 = \frac{Tj+k}{Q}.$$

*Then* $\mathcal{O}_{-M,-Q} = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ *is a maximal order of* $\mathcal{A}_{\mathbb{Q}}(-M, -Q)$*.*

In Jo et al. (2020, 2018) a specific recipe for constructing LPS-type graphs is presented, and is shown below:



$$Q \equiv 3 \pmod 8, \quad \left(\frac{-Q}{P}\right) = -1 \text{ unless } P = 2$$

and an integer $T$ satisfying $T^2 \equiv -P \pmod Q$. By Proposition 1, we have a definite quaternion algebra $\mathcal{A}_{\mathbb{Q}}(-P, -Q)$ (i.e. $i^2 = -P$, $j^2 = -Q$, $ij = -ji = k$) and its maximal order $\mathcal{O} = \mathcal{O}_{-P,-Q} = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ with class number 1, where

$$\omega_1 = \frac{1+j}{2}, \quad \omega_2 = \frac{i+k}{2} \quad \text{and} \quad \omega_3 = \frac{Tj+k}{Q}.$$


In Table 2, we present some numerical results obtained with Magma and MATLAB which show the Ramanujan-ness of our constructions. In fact, we will show in the next subsection that our LPS-type graphs are Ramanujan when $P = 13$, which is the only choice of $P \in \{2, 3, 5, 7, 13\}$ such that $\mathcal{O}^\times$ is equal to $\{\pm 1\}$. For $P \in \{2, 3, 5, 7\}$, at present we have no idea how to prove or disprove the Ramanujan-ness of our graphs.


**Table 2** Numerical results on the Ramanujan-ness of the LPS-type graphs $X = X^{(p,q)}_{P,Q}$

#### *3.1 Proof of the Ramanujan-Ness of the Graphs* $X^{(p,q)}_{P,Q}$ *when* $P = 13$

We show that our graph $X^{(p,q)}_{P,Q}$ constructed as above is Ramanujan when $P = 13$. Let $\mathcal{O} = \mathbb{Z} + \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 + \mathbb{Z}\omega_3$ be the maximal order constructed as above for fixed $p, P, Q, T$. Then $\mathcal{O}$ has class number 1.

Take a complete set of representatives $S_{JSY} = \{\alpha_1, \ldots, \alpha_s\} \cup \{\bar\alpha_1, \ldots, \bar\alpha_s\} \cup \{\beta_1, \ldots, \beta_t\}$ of $\{\alpha \in \mathcal{O} \mid N(\alpha) = p\}/\mathcal{O}^\times$ so that $\bar\beta_j = \epsilon_j \beta_j$ for some unit $\epsilon_j \in \mathcal{O}^\times$ for every $j$. In this case, $p + 1 = 2s + t$. In the same way as Coan and Perng (2012, Theorem 4.8) and Lubotzky (1988, Lemma 3.1), we have the following:

**Lemma 3** *Any* $\alpha \in \mathcal{O}$ *with* $N(\alpha) = p^k$ *for some* $k \in \mathbb{N}$ *is uniquely decomposed into the product*

$$\alpha = \epsilon\, p^r R(\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t),$$

*where* $\epsilon \in \mathcal{O}^\times$*,* $r \in \mathbb{N}$ *and* $R(\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t)$ *is a reduced word in* $\alpha_1, \ldots, \alpha_s, \bar\alpha_1, \ldots, \bar\alpha_s, \beta_1, \ldots, \beta_t$ *of length* $m = k - 2r$*.*

The unit group $\mathcal{O}^\times$ is $\{\pm 1\}$ only when $P = 13$. In that case, we can prove the Ramanujan-ness of our graph $X^{(p,q)}_{P,Q}$ in the same way as Lubotzky (1988). For the variable $v = (x, y, z, w)$, we set

$$\begin{aligned} Q_q(v) &= x^2 + qxy + q^2\left(\frac{1+Q}{4}\right)y^2 + q^2 T\, yw \\ &\quad + q^2 P\left(\frac{1+Q}{4}\right)z^2 + q^2 P\, zw + q^2\left(\frac{P+T^2}{Q}\right)w^2. \end{aligned}$$

It is a positive-definite quadratic form in 4 variables corresponding to the reduced norm on $\mathcal{O}$. Let $A_q$ be the symmetric matrix such that $Q_q(v) = \frac{1}{2}\,{}^t v A_q v$, i.e.

$$A_q = \begin{bmatrix} 2 & q & 0 & 0 \\ q & \frac{q^2(1+Q)}{2} & 0 & q^2 T \\ 0 & 0 & \frac{q^2 P(1+Q)}{2} & q^2 P \\ 0 & q^2 T & q^2 P & 2q^2\frac{P+T^2}{Q} \end{bmatrix}.$$

Hence $A_q$ is an even matrix, i.e. $A_q \in M_4(\mathbb{Z})$ and every diagonal entry lies in $2\mathbb{Z}$. The *level* of $Q_q$ is defined as the smallest positive integer $N$ such that $N A_q^{-1}$ is an even matrix (cf. Schoeneberg 2012, Chap. IX). By $\det(A_q) = P^2 q^6$ and

$$A_q^{-1} = \frac{1}{P^2 q^6} \begin{bmatrix} q^6 \frac{1+Q}{2} P \left(\frac{P+T^2}{Q}\right) & -q^5 P\left(\frac{P+T^2}{Q} + T^2\right) & -q^5 PT & q^5 PT \frac{1+Q}{2} \\ -q^5 P\left(\frac{P+T^2}{Q} + T^2\right) & 2q^4 P\left(\frac{P+T^2}{Q} + T^2\right) & 2q^4 PT & -q^4 PT(1+Q) \\ -q^5 PT & 2q^4 PT & 2q^4 P & -PQq^4 \\ q^5 PT \frac{1+Q}{2} & -q^4 PT(1+Q) & -PQq^4 & q^4 PQ \frac{1+Q}{2} \end{bmatrix},$$

the level of $Q_q$ is equal to $Pq^2$.
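The quadratic form $Q_q$, its matrix $A_q$ and the level computation above, as an added Python check that is not the paper's own code; it assumes the sample parameters $P = 13$, $Q = 11$, $T = 3$ (chosen to satisfy $Q \equiv 3 \pmod 8$, $\left(\frac{-Q}{P}\right) = -1$ and $T^2 \equiv -P \pmod Q$), a general $q$, and function names of our own.

```python
# Added check (our own code, not the paper's): Q_q, A_q, det(A_q) = P^2 q^6
# and the level of Q_q, computed exactly with fractions for the assumed
# sample parameters P = 13, Q = 11, T = 3, which satisfy Q = 3 (mod 8),
# (-Q/P) = -1 and T^2 = -P (mod Q).
from fractions import Fraction
from math import lcm

def form_Q(v, P, Q, T, q):
    """Q_q(v) for v = (x, y, z, w), written term by term as in the text."""
    x, y, z, w = v
    c = Fraction(1 + Q, 4)
    return (x * x + q * x * y + q * q * c * y * y + q * q * T * y * w
            + q * q * P * c * z * z + q * q * P * z * w
            + q * q * Fraction(P + T * T, Q) * w * w)

def matrix_A(P, Q, T, q):
    """Symmetric A_q with Q_q(v) = (1/2) v^t A_q v, entries as Fractions."""
    q2 = q * q
    rows = [[2, q, 0, 0],
            [q, Fraction(q2 * (1 + Q), 2), 0, q2 * T],
            [0, 0, Fraction(q2 * P * (1 + Q), 2), q2 * P],
            [0, q2 * T, q2 * P, Fraction(2 * q2 * (P + T * T), Q)]]
    return [[Fraction(x) for x in row] for row in rows]

def half_vtAv(A, v):
    """(1/2) v^t A v."""
    n = len(A)
    return Fraction(1, 2) * sum(v[i] * A[i][j] * v[j]
                                for i in range(n) for j in range(n))

def det_and_inverse(A):
    """Gauss-Jordan elimination over Fractions; returns (det A, A^{-1})."""
    n = len(A)
    M = [row[:] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(A)]
    det = Fraction(1)
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c] != 0)  # fails if singular
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            det = -det
        p = M[c][c]
        det *= p
        M[c] = [x / p for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return det, [row[n:] for row in M]

def is_even_matrix(B):
    """Integer entries with every diagonal entry in 2Z."""
    return (all(x.denominator == 1 for row in B for x in row)
            and all(B[i][i] % 2 == 0 for i in range(len(B))))

def level(A):
    """Smallest N > 0 with N * A^{-1} even: the lcm of the denominators of the
    off-diagonal entries and of half the diagonal entries of A^{-1}."""
    _, inv = det_and_inverse(A)
    N = 1
    for i, row in enumerate(inv):
        for j, x in enumerate(row):
            N = lcm(N, (x / 2 if i == j else x).denominator)
    assert is_even_matrix([[N * x for x in row] for row in inv])
    return N
```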

Set $r_{Q_q}(n) := |\{\alpha \in \mathcal{O} \mid N(\alpha) = n\}|$ for $n \in \mathbb{N}$. Then the theta series $\theta_{Q_q}(z) := \sum_{n=0}^{\infty} r_{Q_q}(n)\, e^{2\pi i n z} = \sum_{v \in \mathbb{Z}^4} e^{2\pi i Q_q(v) z}$ for $z \in \mathbb{C}$ with $\mathrm{Im}(z) > 0$ is absolutely and locally uniformly convergent by Schoeneberg (2012, Chap. IX, Sect. 1.1). Referring to Schoeneberg (2012, Chap. IX, Theorems 4 and 5) for $\mathbf{h} = \mathbf{0}$, the theta series $\theta_{Q_q}(z)$ is a holomorphic modular form of weight 2 and level $\Gamma_0(Pq^2)$ with trivial nebentypus. Here, $\Gamma_0(Pq^2)$ is the Hecke congruence subgroup of level $Pq^2$. We remark that $Q_q$, $A_q$ and $\theta_{Q_q}$ are valid for a general $q \in \mathbb{N}$.

Assume $P = 13$. Consider the set of all $\alpha \in \mathcal{O}$ such that $N(\alpha) = p^k$ for some $k \in \mathbb{N}$. We define an equivalence relation on this set so that $\alpha \sim \beta$ means $\alpha = p^n \beta$ up to multiplication by a unit of $\mathcal{O}^\times$, for some $n \in \mathbb{Z}$. Since $\mathcal{O}^\times = \{\pm 1\}$ holds, the quotient set by $\sim$, consisting of the classes $[\alpha]$, has a natural group structure by $[\alpha][\beta] = [\alpha\beta]$. By Lemma 3, it is generated by $S_{JSY}$, a complete set of representatives of $\{\alpha \in \mathcal{O} \mid N(\alpha) = p\}/\mathcal{O}^\times$, and the Cayley graph of this group with respect to $S_{JSY}$ is a $(p+1)$-regular tree. The homomorphism from this group to $\mathrm{PSL}_2(\mathbb{F}_q)$ obtained as a restriction of $\psi_q$ of Lemma 1 induces a homomorphism from its quotient by $\Gamma(q)$ to $\mathrm{PSL}_2(\mathbb{F}_q)$, where $\Gamma(q)$ is the kernel of the restricted $\psi_q$. This homomorphism is surjective, as in the theory of quadratic diophantine equations applied to the quadratic form $Q_1$ (cf. Lubotzky et al. 1988, p. 267; Malishev 1962). Then our graph $X^{(p,q)}_{13,Q} = \mathrm{Cay}(\mathrm{PSL}_2(\mathbb{F}_q), S_{JSY})$ is identified with the quotient by $\Gamma(q)$ as a graph.

For proving Ramanujan-ness, let $\lambda_0 = p + 1 > \lambda_1 \geq \cdots \geq \lambda_{n-1}$ be the spectrum of the adjacency matrix of $X^{(p,q)}_{13,Q}$ (so we set $n = |X^{(p,q)}_{13,Q}| = |\mathrm{PSL}_2(\mathbb{F}_q)|$). Then, we have only to show $\theta_j \in \mathbb{R}$ for all $j \in \{1, \dots, n-1\}$, where $\theta_j \in \mathbb{C}$ is taken so that $\lambda_j = 2\sqrt{p}\cos\theta_j$ for each $j \in \{0, \dots, n-1\}$. By the trace formula for a regular graph as in Lubotzky (1988, p. 270–272 and p. 274, Remark 2), we have the expression

$$r_{Q_q}(p^k) = \frac{2p^{k/2}}{n} \sum_{j=0}^{n-1} \frac{\sin(k+1)\theta_j}{\sin\theta_j}.$$

Recall that this is the $p^k$-th Fourier coefficient of the modular form given by the theta series of $Q_q$. Since the theta series is a sum of a linear combination of cuspidal Hecke eigenforms and that of Eisenstein series of weight 2 and level $\Gamma_0(Pq^2)$, we may take a cusp form $f_1$ and a non-cusp form $f_2$ of weight 2 so that the theta series equals $f_1 + f_2$. Let $a(m)$ and $C(m)$ be the $m$-th Fourier coefficients of $f_1$ and $f_2$ at the cusp $\infty$ for $m \in \mathbb{N}$, respectively. Then, $r_{Q_q}(p^k)$ has the following expression:

$$C(p^k) + a(p^k) = r_{Q_q}(p^k) = \frac{2p^{k/2}}{n} \sum_{j=0}^{n-1} \frac{\sin(k+1)\theta_j}{\sin\theta_j}.$$

By Deligne's bound as a resolution of the Ramanujan–Petersson conjecture (Deligne 1969, 1974), we have $|a(p^k)| = O_\epsilon(p^{k(1/2+\epsilon)})$. Due to the explicit nature of Fourier coefficients of Eisenstein series, $C(m)$ can be described as $C(m) = \sum_{d \mid m} F(d)$ for a periodic function $F : \mathbb{N} \to \mathbb{C}$ (cf. Lubotzky 1988, p. 272). By $\left(\frac{p}{q}\right) = 1$ and $\theta_0 = i \log\sqrt{p}$, we have

$$C(p^k) = \frac{2}{n} \frac{p^{k+1} - 1}{p - 1} - a(p^k) + o(p^k) = \frac{2}{n} \frac{p^{k+1} - 1}{p - 1} + o(p^k).$$

By the Deligne bound of $a(p^k)$ and Lubotzky (1988, Lemma 4.4), we have $C(p^k) = \frac{2}{n}\,\frac{p^{k+1}-1}{p-1}$ because of $\left(\frac{p}{q}\right) = 1$. As a consequence, for any $\epsilon > 0$,

$$\frac{2}{n} \sum_{j=1}^{n-1} \frac{\sin(k+1)\theta_j}{\sin \theta_j} = \frac{1}{p^{k/2}} O_\epsilon(p^{k(1/2+\epsilon)}) = O_\epsilon(p^{k\epsilon}),$$

which leads us to conclude that every $\theta_j$ for $j \in \{1, \dots, n-1\}$ is real (a non-real $\theta_j$ would make the left-hand side grow exponentially in $k$). Therefore, we obtain $|\lambda_j| \leq 2\sqrt{p}$ for all $j = 1, \dots, n-1$, which implies that $X^{(p,q)}_{13,Q}$ is a Ramanujan graph.

We remark on an adelic approach toward Ramanujan-ness. As in Costache et al. (2018, Sect. 7.2) (see also Lubotzky 1994, Theorem 7.1.1), we can prove the Ramanujan-ness of $X^{(p,q)}_{P,Q}$ for $P = 13$ by using an adelic interpretation together with the Jacquet–Langlands correspondence between automorphic representations of the adelic group $\mathrm{GL}_2(\mathbb{A}_\mathbb{Q})$ and those of $A^\times(\mathbb{A}_\mathbb{Q}) = (A \otimes \mathbb{A}_\mathbb{Q})^\times$, which is the adelization of the anisotropic inner form $A^\times$ of $\mathrm{GL}_2$.

## **4 Relationship Between LPS-Type Graphs and Pizer's Graphs**

While research in the field of Cayley-based cryptography has been declining, research in the field of isogeny-based cryptography is quite robust, in part due to its key role in post-quantum cryptography.

However, it is also natural to investigate whether attacks on the group word problems underlying Cayley hash functions built on LPS graphs are related to the problem of finding a path in an isogeny graph of supersingular elliptic curves, which is explained in detail in Charles et al. (2009b).

Costache et al. (2018) described a wide range of uses of Ramanujan graphs in cryptography and also pointed out some differing aspects of LPS graphs and Pizer's graphs with specific features. They presented the construction of LPS graphs as Cayley graphs, in terms of local double cosets. They used strong approximation (Costache et al. 2018, Sect. 7; Lubotzky 1994, Sect. 6.3) as the main tool to present the connection between local and adelic double cosets for LPS and Pizer's graphs. They also compared the two types of graphs in terms of appearance by restricting the degree of the graphs (i.e. $p = 5$).

In this section, we give some comparisons between LPS-type graphs and Pizer's graphs as Costache et al. did. First, we describe Pizer's Ramanujan graphs referred to in Pizer (1990, 1998), Costache et al. (2018).

**The families of Pizer's graphs** Pizer (1990, 1998) showed how to construct the family of Ramanujan graphs as follows. Let $A$ be the quaternion algebra over $\mathbb{Q}$ that is ramified exactly at an odd prime $q \in \mathbb{P}$ and at $\infty$. We shall consider special orders, which are generalizations of Eichler orders, of level $L = (q, M)$ and $L = (q^2, M)$. The vertex set of Pizer's graph $G(L, p)$ shall be in bijection with (a subset of) the isomorphism classes of left ideals of such an order. Since the class number of the order depends only on its level, we may write $H(L)$ for it; it equals the number of vertices of such a graph. Notice that, by Pizer (1998, Proposition 4.4), we have

$$\begin{aligned} H(q,M) = {}& \frac{q-1}{12}\, M \prod_{d \mid M} \left(1 + \frac{1}{d}\right) + \begin{cases} \frac{1}{4} \left(1 - \left(\frac{-4}{q}\right)\right) \prod_{d \mid M} \left(1 + \left(\frac{-4}{d}\right)\right) & \text{if } 4 \nmid M \\ 0 & \text{if } 4 \mid M \end{cases} \\ & + \begin{cases} \frac{1}{2} \left(1 - \left(\frac{-3}{q}\right)\right) \prod_{d \mid M} \left(1 + \left(\frac{-3}{d}\right)\right) & \text{if } 9 \nmid M \\ 0 & \text{if } 9 \mid M \end{cases} \end{aligned}$$

and

$$H(q^2, M) = \frac{q^2 - 1}{12}\, M \prod_{d \mid M} \left(1 + \frac{1}{d}\right) + \begin{cases} 0 & \text{if } q \geq 5 \\ \frac{4}{3} \prod_{d \mid M} \left( 1 + \left(\frac{-3}{d}\right) \right) & \text{if } q = 3. \end{cases}$$

Here, the product is over all primes *d* dividing *M*.

We give a definition of a Brandt matrix. Let $\{I_1, I_2, \dots, I_H\}$ with $H = H(L)$ be a complete set of representatives of the left ideal classes of $\mathcal{O}$. For each $i \in \{1, \dots, H\}$, let $\mathcal{O}_i$ be the right order of the ideal $I_i$, and $e_i$ be the number of elements of $\mathcal{O}_i^\times$. For $n \in \mathbb{N}$, the *Brandt matrix* $B(L; n) = \bigl(b^{(n)}_{i,j}\bigr)$ associated to an order of level $L$ is a square matrix of size $H(L)$ having $(i, j)$-entry

$$b_{i,j}^{(n)} = e_j^{-1} \cdot \bigl|\{ \alpha \in I_j^{-1} I_i \mid N(\alpha)N(I_j)/N(I_i) = n \}\bigr|,$$

where $N(I)$ is the norm of an ideal $I$, defined as the greatest common divisor of the norms of its nonzero elements. Let $p$ be a prime coprime to $qM$. If we restrict the parameters $p$ and $q$, the edge set of $G(L, p)$ is given by the Brandt matrix $B(L; p)$, namely, the adjacency matrix of $G(L, p)$ is $B(L; p)$. By Pizer (1998, Proposition 4.6), we see that $G(L, p)$ is undirected (i.e. $B(L; p)$ is symmetric) when $L = (q, M)$ with $q \equiv 1 \pmod{12}$ and when $L = (q^2, M)$ with $q > 3$. Moreover, it has no loops if $\operatorname{tr} B(L; p) = 0$ and no multiple edges if $\operatorname{tr} B(L; p^2) = H(L)$ (Costache et al. 2018; Pizer 1998). The regularity $p + 1$ of $G(L, p)$ and its connectedness can be obtained from using $B(L; p)$ as the adjacency matrix, as shown in Pizer (1998, Proposition 5.1). We summarize the necessary properties of the families of Pizer's graphs $G(L, p)$ in Table 3.

**Table 3** The families of Pizer's graphs $G(L, p)$

#### *4.1 Similarities and Differences*

As Costache et al. (2018) argued, we explicate the similarities and differences among LPS, LPS-type and Pizer's graphs from a number-theoretic perspective. These families can be viewed as sets of local double cosets, i.e. as graphs of the form

$$\Gamma \backslash \mathrm{PGL}_2(\mathbb{Q}_p) / \mathrm{PGL}_2(\mathbb{Z}_p),$$

where $\Gamma$ is a discrete cocompact subgroup.

**Discrete local double cosets (LPS-type)** Let $p$ be a split prime in $A$. For $N \in \mathbb{N}$, we set

$$\Gamma(N) := \ker\bigl(\mathcal{H}^\times(\mathbb{Z}[p^{-1}]) \to \mathbb{Z}[p^{-1}]^\times \backslash \mathcal{H}^\times(\mathbb{Z}[p^{-1}]/N\mathbb{Z})\bigr).$$

It is a discrete cocompact subgroup in $A_p^\times$. We have

$$\operatorname{Cay}(\operatorname{PSL}_2(\mathbb{F}_q), S) \cong \Gamma(q) \backslash \operatorname{PGL}_2(\mathbb{Q}_p) / \operatorname{PGL}_2(\mathbb{Z}_p)$$

for some suitable $S$.

For LPS-type graphs, the local double cosets are also isomorphic to adelic double cosets, but in this case the corresponding set of adelic double cosets is smaller relative to the quaternion algebra and we do not have the same chain of isomorphisms as shown below. On the other hand, Pizer's graphs, via strong approximation (Costache et al. 2018; Lubotzky 1994), can be viewed as graphs on adelic double cosets, which are in turn the set of classes of an order of $A$ that is related to a discrete cocompact subgroup $\Gamma$. Moreover, the class set $\mathrm{Cl}(\mathcal{O})$ of a maximal order $\mathcal{O}$ from Pizer's graph is in bijection with supersingular elliptic curves (Charles et al. 2009b, Sect. 5.3.1) and offers convincing evidence that an isomorphism is obtained with a supersingular isogeny graph (SSIG).

**The chain of isomorphisms** (**LPS**)

$$\operatorname{Cay}(\operatorname{PSL}_2(\mathbb{F}_q), S_{LPS}) \cong \Gamma(2q) \backslash \operatorname{PGL}_2(\mathbb{Q}_p) / \operatorname{PGL}_2(\mathbb{Z}_p)$$

(**LPS-type with** $P = 13$)

$$\operatorname{Cay}(\operatorname{PSL}_2(\mathbb{F}_q), S_{JSY}) \cong \Gamma(q) \backslash \operatorname{PGL}_2(\mathbb{Q}_p) / \operatorname{PGL}_2(\mathbb{Z}_p)$$

(**Pizer**)

$$\mathcal{O}[p^{-1}]^\times \backslash \mathrm{GL}_2(\mathbb{Q}_p)/\mathrm{GL}_2(\mathbb{Z}_p) \cong \mathrm{Cl}(\mathcal{O}) \cong \mathrm{SSIG}$$

Each of the underlying quaternion algebras varies with its own choice of parameters. In the case of LPS graphs, we use the Hamiltonian quaternion algebra, ramified at 2 and $\infty$ and split at $p$. In the case of LPS-type graphs, we use the definite quaternion algebra ramified at 13 and $\infty$ and split at $p$. Varying the parameter $q$, we can obtain different Ramanujan graphs of LPS and LPS-type, depending on the congruence subgroups $\Gamma(2q)$ and $\Gamma(q)$, respectively, without changing their underlying quaternion algebras. On the other hand, in the case of Pizer's graphs, we use the definite quaternion algebra ramified at $q$ and $\infty$.

#### **5 Open Problems**

It is unknown whether a link exists between the hardness of the path-finding problem in supersingular isogeny (Pizer) graphs and the hardness of group word problems in Cayley-type Ramanujan graphs. If it is possible to connect those two problems theoretically or schematically, there are some expected ways to analyze the hardness of the path-finding problem in Pizer's graphs by employing the approach previously used for Cayley graphs. As a part of these approaches, it is also important to investigate much more general versions of explicit constructions of Ramanujan graphs. The construction of a family of $(2p + 1)$-regular graphs, where $p$ is an Eichler prime, based on a quaternion algebra with an explicit construction of an Eichler order having class number 1, is in progress in Jo et al. (2020). We are now studying the Ramanujan-ness of these graphs by arguments similar to those for LPS-type graphs.

Additionally, even though it is difficult to expect that a Pizer graph can be represented as a Cayley graph over a group with respect to a suitable generating set (actually, all the graphs with a small number of vertices suggested as examples in Pizer 1998 are not Cayley graphs), it is not clear whether a Pizer graph with a sufficiently large number of vertices is a Cayley graph or not.

**Acknowledgements** This work was supported by JST CREST Grant Number JPMJCR14D6, Japan. The authors would like to thank Meghan Delaney for pointing out grammatical errors.


**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Post-Quantum Constant-Round Group Key Exchange from Static Assumptions**

**Katsuyuki Takashima**

**Abstract** We revisit a generic compiler from a two-party key exchange (KE) protocol to a group KE (GKE) one by Just and Vaudenay. We then give two families of GKE protocols from *static* assumptions, which are obtained from the general compiler. The first family of the GKE protocols is a constant-round GKE using secure key derivation functions (KDFs). As special cases, we have such GKE from *static* Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE does not depend on the number of group members, *n*, and also from the standard SI-DDH and CSI-DDH assumptions. The second family consists of two-round GKE protocols from isogenies, which are proven secure from *new* isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) two-party KE. The underlying new *static* assumptions are based on indistinguishability between *a product value of supersingular invariants* and a random value.

**Keywords** Post-quantum cryptography · Constant-round group key exchange · Static assumptions · Lattice-based cryptography · Isogeny-based cryptography

## **1 Introduction**

## *1.1 Background*

It is well known that widely deployed cryptographic schemes (e.g., RSA and ECC) can be broken by using a large-scale quantum computer (Shor 1997). Hence, we should develop new cryptosystems based on quantum-resistant mathematical problems (called post-quantum cryptography (PQC)).

Group key exchange (GKE) is an important cryptographic primitive, and has been studied for a long time (since the seminal two-party Diffie–Hellman key exchange). In GKE, the number of rounds is a crucial measure for evaluating efficiency, and obtaining a constant-round GKE protocol is considered a minimum desirable requirement. Traditionally, the Burmester and Desmedt (BD) KE protocol (Burmester and Desmedt 1994) has been widely known for its simplicity and small round complexity, just two rounds. Subsequently, Just and Vaudenay (JV) (1996) generalized the BD construction so that *any* two-party KE can be used for obtaining GKE. However, their description was sketchy and a *rigorous* security proof was not presented before (see also Boyd and Mathuria 2003).

K. Takashima (B)
Mitsubishi Electric, 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan
e-mail: Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp

© The Author(s) 2021
T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8_18

In the post-quantum setting, there exist two variants of BD-type GKE protocols, from lattices (Apon et al. 2019) and from isogenies (Furukawa et al. 2018).¹ Apon et al. (2019) proposed a lattice-based BD-type GKE from the Ring-LWE (R-LWE) assumption (in the random oracle model), in which the authors elaborately adjusted the original security proof to their new post-quantum setting. However, since the underlying R-LWE assumption depends on the number of group members, *n*, the size of data also grows with *n*. Furukawa et al. (2018) proposed an isogeny-based BD-type GKE protocol called SIBD. However, the security proof of SIBD (Theorem 4 in Furukawa et al. 2018) is imperfect, and several points remain unclear, for example, on how to simulate some public variables. Applying the JV-type compiler to a post-quantum two-party KE is also considered a reasonable approach; however, we should give a rigorous treatment of its (post-quantum) security proof.

As a result, we lack a post-quantum constant-round GKE protocol with a rigorous and reasonable security proof. We next consider what are reasonable underlying assumptions. The size of a problem instance in the above R-LWE setting is linear in the number of group members, *n*. Traditionally, in pairing-based cryptography, such linear-sized assumptions are called "non-static", "dynamic", or "*q*-type", which are not desirable from efficiency and security viewpoints. And, in a line of research, we succeeded in replacing *q*-type assumptions by static ones (e.g., Kowalczyk and Wee 2019; Okamoto and Takashima 2010; Takashima 2014) in pairing cryptography. Hence, we have the following problem as our target:

*Can we obtain (provably secure) post-quantum constant-round group key exchange from static assumptions?*

Recent cryptography research also considers *tight* security reduction (from a static assumption). In fact, the original BD GKE is proven tightly secure from the standard DDH assumption (Theorem 6). For obtaining a tight security proof, it is not enough to employ a general form of the JV-type transformation which includes a *general KDF* function to a cyclic group $\mathbb{G}$ (denoted $\mathrm{KDF}_\mathbb{G}$). We need a construction without using (general) $\mathrm{KDF}_\mathbb{G}$ functions *for tight security* since $\mathrm{KDF}_\mathbb{G}$ breaks mathematical structures in the underlying two-party KE.

¹ Boneh et al. (2018) recently proposed a one-round GKE from isogenies. However, it has a crucial mathematical difficulty so that it cannot be realized yet.

#### *1.2 Our Contributions*

We revisit previous post-quantum BD-type GKE schemes (Apon et al. 2019; Furukawa et al. 2018) and the JV compiler for GKE (Boyd and Mathuria 2003; Just and Vaudenay 1996), and reformulate them under a provably secure generic compiler. We have two families of GKE protocols from *static* assumptions.

The first family of GKE protocols obtained from the general compiler is a constant-round GKE (from a two-party KE protocol) using a secure $\mathrm{KDF}_\mathbb{G}$ (Theorem 3). As special cases, we have such GKE from *static* Ring-LWE (R-LWE), where "static" means that the parameter size in the R-LWE does not depend on the number of group members, *n* (Corollary 1), and from the standard SI-DDH and CSI-DDH assumptions (Corollary 2). The first family has the limitation that it cannot have a tight security proof since a general $\mathrm{KDF}_\mathbb{G}$ is used.

The second family consists of two-round GKE protocols, which are proven secure from *new* isogeny assumptions, the first (resp. second) of which is based on the SIDH (resp. CSIDH) KE (Theorem 4 (resp. Theorem 5)). They are called SI-PBD and CSI-PBD GKEs, respectively. The underlying new *static* assumptions are obtained from indistinguishability between a random *product value* of supersingular invariants and a random value (in some appropriate finite field), which seem to be of independent interest. They are called DSJP (Decisional Supersingular *j*-invariants Product) and DSMP (Decisional Supersingular Montgomery coefficients Product) assumptions, respectively. As the second family needs no $\mathrm{KDF}_\mathbb{G}$'s, it may have some merits for approaching tightly secure GKE. (However, we have not yet succeeded in this.)

Note that we have the Katz–Yung (KY) generic compiler from KE to authenticated KE (AKE) (Katz and Yung 2007), in which a signature scheme is required. Very interestingly, the first *practical* isogeny-based signature scheme, CSI-FiSh, was recently proposed (Beullens et al. 2019). Therefore, we have a practical authenticated GKE (AGKE) by applying the KY compiler to our isogeny-based GKE and CSI-FiSh, both of which are post-quantum from isogenies. (Refer to Bernstein et al. 2019; Peikert 2019 for recent estimates on post-quantum security of CSIDH and CSI-FiSh.) Since we have several lattice-based signatures, e.g., Ducas et al. (2018), Fouque et al. (2017), Akleylek et al. (2017), we also have lattice-based AGKE from our lattice GKE.

#### *1.3 Key Techniques*

Hereafter, the user indices are taken in a cycle: for example, $h_{n+1} := h_1$ and $h_0 := h_n$. We first review the BD GKE protocol briefly. It is defined on a cyclic group $\mathbb{G}$ of a prime order $q$ and a generator $g \in \mathbb{G}$ as follows:

Round-1. Each user $i$ generates $a_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$, $h_i := g^{a_i}$ and broadcasts $h_i$.

Round-2. Each user $i$ calculates $J_{i-1,i} := (h_{i-1})^{a_i}$, $J_{i,i+1} := (h_{i+1})^{a_i}$ and $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$. User $i$ broadcasts $u_i$.

KeyComp. User $i$ calculates $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}$. Then, $K := K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}$ is the shared key among the $n$ users.

In the (tight) security proof of the BD key exchange protocol from DDH on $\mathbb{G}$, we should simulate the broadcast values $(h_i, u_i)_{i \in [n]}$ as well as embed the DDH challenge element into the challenge shared key $K$.

The SIBD protocol (Furukawa et al. 2018) is obtained from the above BD GKE by replacing $(h_i, J_i)$ with invariants of supersingular elliptic curves. Since the invariants are given by elements in finite fields, we also have

$$u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}, \quad K := K_i := J_{i-1,i}^n \cdot u_i^{n-1} \cdot u_{i+1}^{n-2} \cdots u_{i-2}. \tag{1}$$

We revisit the JV construction (Just and Vaudenay 1996), whose original description was sketchy and whose security proof was not given there. Hence, we first give a security proof for JV carefully. Based on the proof, we present our isogeny-based GKE from newly proposed assumptions. Then, as is shown in the proof of Theorem 3, if the $J_{i-1,i}$'s are uniformly and independently distributed in $\mathbb{G}$, the $n$ elements $K, u_1, \dots, u_{i-1}, u_{i+1}, \dots, u_n$ are also uniformly and independently distributed in $\mathbb{G}$ for $i \in [n]$ (and $u_i$ is given as $u_i = (u_1 \cdots u_{i-1} \cdot u_{i+1} \cdots u_n)^{-1}$). It means that if the $J_{i-1,i}$'s are distributed uniformly and independently, the target shared key $K$ is changed to a random one *just by using an information-theoretic game transformation*. This is a key lemma on the BD-type encoding (Lemma 6).
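The BD protocol reviewed at the start of Sect. 1.3 and the identity $u_i = (u_1 \cdots u_{i-1} \cdot u_{i+1} \cdots u_n)^{-1}$ used in the lemma above, run end to end as an added example. This code is not from the paper: it works in the order-$q$ subgroup of $(\mathbb{Z}/p\mathbb{Z})^\times$ for a constructed toy safe prime $p = 1019$, $q = 509$ with generator $g = 4$, and the function names (`round1`, `round2`, `key_comp`, `missing_u`, `run_bd`) are ours.

```python
"""Burmester-Desmedt (BD) group key exchange over a prime-order group.

Added example, not code from the paper.  Toy parameters are constructed:
p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of
(Z/pZ)^x; a deployment would use a standardised 2048-bit (or larger) group.
User indices are 1-based and cyclic, h_0 = h_n and h_{n+1} = h_1, as in Sect. 1.3.
"""
import secrets
from typing import Dict, List, Tuple

P = 1019  # constructed safe prime
Q = 509   # (P - 1) / 2, the prime order of the subgroup <G>
G = 4     # a square mod P, hence of order Q


def inv(x: int) -> int:
    """Multiplicative inverse modulo P (x must be nonzero mod P)."""
    return pow(x, -1, P)


def round1(n: int) -> Tuple[List[int], List[int]]:
    """Round-1: user i samples a_i <-_R Z/qZ and broadcasts h_i = g^{a_i}.

    Returns (secret exponents, broadcast values); the secrets never leave the user."""
    a_list = [secrets.randbelow(Q - 1) + 1 for _ in range(n)]  # nonzero exponents
    hs = [pow(G, a, P) for a in a_list]
    return a_list, hs


def round2(i: int, a_i: int, hs: List[int]) -> Tuple[int, int]:
    """Round-2 for user i: J_{i-1,i} = h_{i-1}^{a_i}, J_{i,i+1} = h_{i+1}^{a_i},
    broadcast u_i = J_{i,i+1} * J_{i-1,i}^{-1}.  Returns (J_{i-1,i}, u_i)."""
    n = len(hs)
    h_prev = hs[(i - 2) % n]  # h_{i-1}  (list index of h_k is k-1)
    h_next = hs[i % n]        # h_{i+1}
    j_prev = pow(h_prev, a_i, P)
    j_next = pow(h_next, a_i, P)
    return j_prev, j_next * inv(j_prev) % P


def key_comp(i: int, j_prev: int, us: List[int]) -> int:
    """KeyComp for user i: K_i = J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} * ... * u_{i-2}^1."""
    n = len(us)
    k = pow(j_prev, n, P)
    for t in range(n - 1):
        k = k * pow(us[(i - 1 + t) % n], n - 1 - t, P) % P
    return k


def missing_u(us: List[int], i: int) -> int:
    """The n broadcasts u_j multiply to 1, so u_i = (product of the other u_j)^{-1}."""
    prod = 1
    for k, u in enumerate(us, start=1):
        if k != i:
            prod = prod * u % P
    return inv(prod)


def run_bd(n: int) -> Dict[str, object]:
    """Run the protocol among n users and return the values a checker inspects."""
    a_list, hs = round1(n)
    j_prevs, us = [], []
    for i in range(1, n + 1):
        jp, u = round2(i, a_list[i - 1], hs)
        j_prevs.append(jp)
        us.append(u)
    keys = [key_comp(i, j_prevs[i - 1], us) for i in range(1, n + 1)]
    expected = 1  # J_{1,2} * J_{2,3} * ... * J_{n,1}: the J_{i-1,i} over i = 1..n
    for jp in j_prevs:
        expected = expected * jp % P
    prod_u = 1
    for u in us:
        prod_u = prod_u * u % P
    return {"keys": keys, "expected": expected, "prod_u": prod_u, "us": us}


if __name__ == "__main__":
    out = run_bd(5)
    print("all users agree:", len(set(out["keys"])) == 1,
          "| key = prod J:", out["keys"][0] == out["expected"],
          "| prod u_i = 1:", out["prod_u"] == 1)
```

`run_bd` checks the two facts the section relies on: every $K_i$ equals $J_{1,2} J_{2,3} \cdots J_{n,1}$, and the $n$ broadcast values $u_i$ multiply to 1, so `missing_u` recovers any one $u_i$ from the others. That dependency is why the proof can treat $K$ together with all but one $u_i$ as independent uniform elements once the $J_{i-1,i}$'s are uniform. The protocol is unauthenticated, exactly as described here; authentication is added by a compiler such as Katz–Yung (Sect. 1.2).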

However, for the SIBD protocol (Furukawa et al. 2018), since the $J_{i-1,i}$ are given by supersingular $j$-invariants, we have an efficient algorithm for distinguishing between $J_{i-1,i}$ and a uniformly random element in the finite field (see Sutherland 2012). Hence, to fix the situation, we introduce new decisional assumptions called $d$-DSJP and $d$-DSMP. For simplicity, here we just show the 2-DSJP assumption, in which a product of two $j$-invariants, $J^{(1)}_{i-1,i}$ and $J^{(2)}_{i-1,i}$, that is, $J^{(1)}_{i-1,i} \cdot J^{(2)}_{i-1,i}$, should be indistinguishable from a uniformly random variable. At present, we have *no* efficient algorithm for these problems, and we consider them plausible assumptions.

According to the above ideas, in Sect. 4.1, we give a JV-type generic transformation from KE to GKE based on the BD-type encoding of $(u_i)$ and $K$ from $(J_{i-1,i})$ given in Eq. (1). We then consider the following two approaches for obtaining uniformly random $J_{i-1,i}$'s:


#### *1.4 Organization*

In Sect. 2, we introduce several preliminary facts: definition of group key exchange, supersingular invariants and underlying assumptions for SIDH and CSIDH. In Sect. 3, our new assumptions on supersingular invariants are presented. In Sect. 4, we propose new PQ GKE, i.e., lattice-based and isogeny-based GKE from static assumptions.

**Notations.** When $A$ is a set (resp. a random variable), $y \leftarrow_R A$ denotes that $y$ is uniformly generated from $A$ (resp. randomly generated from $A$ according to its distribution). We denote the finite field of order $q$ by $\mathbb{F}_q$. We denote the set $\{1, \dots, n\}$ by $[n]$.

### **2 Preliminaries**

#### *2.1 Group Key Exchange*

We give definitions of group key exchange, its correctness and security.

**Definition 1** (*Group Key Exchange (GKE)*) An algorithm $\Pi := \Pi_{r,n}(\lambda)$ is called an $r$-round $n$-party key exchange protocol if it is composed of probabilistic polynomial-time algorithms $(\mathsf{Setup}, (\mathsf{Round}\text{-}r')_{r'=1}^{r}, \mathsf{KeyComp})$, where $\mathsf{Setup}$ takes a security parameter $\lambda$ as input and outputs public parameters $\mathsf{params}$; $\mathsf{Round}\text{-}r'$ for each user $i$ takes all previous public variables and his/her own secrets and outputs (broadcasts) his/her $r'$-th public values; and $\mathsf{KeyComp}$ for each user $i$ takes all public variables and his/her own secrets and outputs the shared secret value $K_i$.

We call $\Pi$ correct if all (shared) keys $K_1, \dots, K_n$ are the same value, i.e., $K := K_1 = \cdots = K_n$. The key space (or key set) is denoted by $\mathcal{K} := \mathcal{K}(\lambda)$, whose cardinality $\#\mathcal{K}$ is exponentially large in $\lambda$ (or has enough entropy).

For a GKE protocol $\Pi$, we let $\mathrm{Exec}_\Pi(\lambda)$ denote an execution of the protocol, resulting in a transcript $\Psi$ of all messages sent during the course of that execution, along with the shared key $K$ computed by the parties. We let $\mathrm{Adv}^{A}_{\Pi}(\lambda)$ denote the advantage of a polynomial-time quantum adversary $A$ in distinguishing between the following two distribution ensembles:

$$\bigl\{ (\Psi, K) : (\Psi, K) \leftarrow \mathrm{Exec}_\Pi(\lambda) \bigr\}_{\lambda \in \mathbb{N}} \quad \text{and} \quad \bigl\{ (\Psi, K') : (\Psi, K) \leftarrow \mathrm{Exec}_\Pi(\lambda),\ K' \leftarrow_R \mathcal{K} \bigr\}_{\lambda \in \mathbb{N}}.$$

Protocol $\Pi$ is post-quantumly secure if $\mathrm{Adv}^{A}_{\Pi}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum $A$.

#### *2.2 SIDH and CSIDH Key Exchange*

In this section, we introduce two efficient Diffie–Hellman-type key exchange protocols using isogenies of supersingular elliptic curves: SIDH (Feo et al. 2014) and CSIDH (Castryck et al. 2018).

#### **2.2.1 Supersingular Isogenies and Invariants**

We summarize facts about elliptic curves. For details, see Washington (2008), for example.

Let $p$ be a prime greater than 3 and $\mathbb{F}_p$ be the finite field with $p$ elements. Let $\overline{\mathbb{F}}_p$ be its algebraic closure. Here, an elliptic curve $E$ over $\overline{\mathbb{F}}_p$ is given by the Montgomery normal form

$$E: \delta \mathbf{y}^2 = \mathbf{x}^3 + m\mathbf{x}^2 + \mathbf{x} \tag{2}$$

for $m$ and $\delta \in \overline{\mathbb{F}}_p$, where the discriminant of the RHS of Eq. (2) and $\delta$ are nonzero. We denote the point at infinity on $E$ by $O_E$. Elliptic curves are endowed with a unique algebraic group structure, with $O_E$ as the neutral element. The $j$-invariant and Montgomery coefficient of $E$ are given as $j(E) := \frac{256(m^2-3)^3}{m^2-4}$ and $m(E) := m$. Two elliptic curves over $\overline{\mathbb{F}}_p$ are isomorphic if and only if they have the same $j$-invariant. For $j \in \overline{\mathbb{F}}_p$, $E(j)$ denotes an elliptic curve whose $j$-invariant is $j$. For $N \in \mathbb{Z}_{>0}$, the set of $N$-torsion points is $E[N] := \{P \in E(\overline{\mathbb{F}}_p) \mid NP = O_E\}$.

Given two elliptic curves $E$ and $E'$ over $\overline{\mathbb{F}}_p$, a homomorphism $\phi : E \to E'$ is a morphism of algebraic curves that sends $O_E$ to $O_{E'}$. A nonzero homomorphism is called an isogeny, and a separable isogeny is named after the cardinality of its kernel (an isogeny of that degree). We consider only separable isogenies in this paper. We compute such isogenies of small prime degree $2, 3, \dots$ by using Vélu's formulas (Vélu 1971). For explicit formulas, see Jao et al. (2017) for SIDH and Castryck et al. (2018) for CSIDH.

An elliptic curve $E$ over $\overline{\mathbb{F}}_p$ is called supersingular if there are no points of order $p$, i.e., $E[p] = \{O_E\}$. The $j$-invariants of supersingular elliptic curves lie in $\mathbb{F}_{p^2}$. We define two sets as below, for the SI-DDH and CSI-DDH assumptions.

$$\mathbb{J}_{p^2} := \{ j\text{-invariants of supersingular elliptic curves over } \mathbb{F}_{p^2} \}, \tag{3}$$

$$\mathbb{M}_p := \{ \text{Montgomery coefficients of supersingular elliptic curves over } \mathbb{F}_p \}. \tag{4}$$
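A small computation over $\mathbb{F}_p$ that illustrates Eq. (4) and the $j$-invariant formula of this section, and also the point made in Sect. 1.3 that supersingular invariants can be distinguished from uniformly random field elements. This is an added example, not code from the paper: it brute-forces point counts for the constructed toy prime $p = 419$ (for real-size $p$, membership in $\mathbb{M}_p$ would be decided by Sutherland's algorithm instead of counting), it fixes $\delta = 1$ in Eq. (2), and the function names are ours.

```python
"""Supersingular Montgomery coefficients and j-invariants over F_p by brute force.

Added example, not code from the paper.  The prime p = 419 is a constructed toy
value (p > 3 and p = 3 mod 8, the shape CSIDH uses); it keeps exhaustive point
counting instant.  Curves follow Eq. (2) with delta = 1:
    E_m : y^2 = x^3 + m x^2 + x,   j(E_m) = 256 (m^2 - 3)^3 / (m^2 - 4).
"""
from typing import Set

P = 419  # constructed toy prime


def j_invariant(m: int, p: int = P) -> int:
    """j-invariant of E_m over F_p; needs m^2 != 4 (otherwise the cubic has a double root)."""
    if (m * m - 4) % p == 0:
        raise ValueError("m^2 = 4 mod p: singular cubic, not an elliptic curve")
    return 256 * pow(m * m - 3, 3, p) * pow(m * m - 4, -1, p) % p


def count_points(m: int, p: int = P) -> int:
    """#E_m(F_p), including the point at infinity, by testing every x in F_p."""
    total = 1
    for x in range(p):
        rhs = (x * x * x + m * x * x + x) % p
        if rhs == 0:
            total += 1                        # one point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a nonzero square
            total += 2                        # (x, y) and (x, -y)
    return total


def is_supersingular(m: int, p: int = P) -> bool:
    """For p >= 5, E/F_p is supersingular iff #E(F_p) = p + 1: the trace is 0 mod p
    for supersingular curves and Hasse's bound |trace| <= 2 sqrt(p) forces it to be 0."""
    return count_points(m, p) == p + 1


def montgomery_set(p: int = P) -> Set[int]:
    """M_p of Eq. (4): all m in F_p with E_m supersingular (singular m = +-2 excluded)."""
    return {m for m in range(p) if (m * m - 4) % p != 0 and is_supersingular(m, p)}


def supersingular_j_set(p: int = P) -> Set[int]:
    """j-invariants of the curves in M_p; over the algebraic closure at most
    floor(p/12) + 2 supersingular j-invariants exist, and m -> j(E_m) is 6-to-1."""
    return {j_invariant(m, p) for m in montgomery_set(p)}


def membership_distinguisher_advantage(p: int = P) -> float:
    """Advantage of the distinguisher 'output 1 iff the sample lies in M_p' between a
    supersingular Montgomery coefficient and a uniform element of F_p: 1 - |M_p| / p."""
    return 1 - len(montgomery_set(p)) / p


if __name__ == "__main__":
    M = montgomery_set()
    print(f"|M_{P}| = {len(M)} of {P} field elements; j(E_0) = {j_invariant(0)} (= 1728 mod p)")
    print(f"membership distinguisher advantage: {membership_distinguisher_advantage():.2f}")
```

The curve $E_0 : y^2 = x^3 + x$ has $j = 1728$ and is supersingular for $p \equiv 3 \pmod 4$, so $0 \in \mathbb{M}_p$. Because $\mathbb{M}_p$ has at most $6(\lfloor p/12 \rfloor + 2)$ elements, a plain membership test already separates $\mathbb{M}_p$ from $\mathbb{F}_p$ with constant advantage, which is the reason the section replaces "a single invariant is random" by the product-based DSJP/DSMP assumptions.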

#### **2.2.2 SIDH Key Exchange and SI-DDH Assumption (Feo et al. 2014)**

The detailed description of the SIDH key exchange, i.e., $\Pi := \mathrm{SIDH}$, is given in Appendix 3.1. Here, we summarize necessary facts on SIDH for later sections. Public parameters are given as $\mathsf{params}_{\mathrm{SIDH}} := (p, E; P_A, Q_A, P_B, Q_B)$. All the messages during an execution are also given as the transcript $\Psi_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, E_A, \phi_A(P_B), \phi_A(Q_B), E_B, \phi_B(P_A), \phi_B(Q_A))$. Alice's and Bob's shared keys, i.e., $K_A := j(E_{AB})$ and $K_B := j(E_{BA})$, are equal, and the value is denoted by $K$.

**Definition 2** (*Supersingular Isogeny Decision Diffie–Hellman (SI-DDH) assumption*, Feo et al. 2014; Fujioka et al. 2018) Let $(\Psi_{AB}, j(E_{AB})) \leftarrow_R \mathrm{Exec}_{\mathrm{SIDH}}(\lambda)$, where $\Psi_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, E_A, \phi_A(P_B), \phi_A(Q_B), E_B, \phi_B(P_A), \phi_B(Q_A))$. An SI-DDH problem instance is given as $(\Psi_{AB}, J_\beta)$, where

$$J_0 := j(E_{AB}), \qquad J_1 \leftarrow_R \mathbb{J}_{p^2}, \tag{5}$$

$\beta \leftarrow_R \{0, 1\}$, and $\mathbb{J}_{p^2}$ is defined in Eq. (3). If $\left|\Pr[A(\Psi_{AB}, J_0) = 1] - \Pr[A(\Psi_{AB}, J_1) = 1]\right| < \mathrm{negl}(\lambda)$ holds for any polynomial-time quantum algorithm $A$, we say that the SI-DDH assumption holds.

**Theorem 1** (Feo et al. 2014) *The SIDH key exchange is post-quantumly secure under the SI-DDH assumption.*

#### **2.2.3 CSIDH Key Exchange and CSI-DDH Assumption (Castryck et al. 2018)**

The detailed description of the CSIDH key exchange, the other two-party protocol we use, is given in Appendix 3.2. Here, we summarize the facts on CSIDH needed later. Public parameters are given as $\mathsf{params}_{\mathrm{CSIDH}} := (p, E)$. All the messages exchanged during an execution are collected in the transcript $\Psi_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, [\mathfrak{a}]E, [\mathfrak{b}]E)$. Alice's and Bob's shared keys, $K_A := m([\mathfrak{a}][\mathfrak{b}]E)$ and $K_B := m([\mathfrak{b}][\mathfrak{a}]E)$, are equal, and the common value is denoted by $K$.

**Definition 3** (*Commutative Supersingular Isogeny Decisional Diffie–Hellman (CSI-DDH) assumption*) Let $(\Psi_{AB}, m([\mathfrak{a}][\mathfrak{b}]E)) \leftarrow_R \mathrm{Exec}_{\mathrm{CSIDH}}(\lambda)$, where $\Psi_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, [\mathfrak{a}]E, [\mathfrak{b}]E)$. A CSI-DDH problem instance is given as $(\Psi_{AB}, M_\beta)$, where

$$M_0 := m([\mathfrak{a}][\mathfrak{b}]E), \qquad M_1 \leftarrow_R \mathbb{M}_p,$$

$\beta \leftarrow_R \{0, 1\}$, and $\mathbb{M}_p$ is defined in Eq. (4). If $\left|\Pr[A(\Psi_{AB}, M_0) = 1] - \Pr[A(\Psi_{AB}, M_1) = 1]\right| < \mathrm{negl}(\lambda)$ holds for any polynomial-time quantum algorithm $A$, we say that the CSI-DDH assumption holds.

**Theorem 2** (Castryck et al. 2018) *The CSIDH key exchange is post-quantumly secure under the CSI-DDH assumption.*

#### **3 New Assumptions on Supersingular Invariants**

#### *3.1 New Assumptions on Supersingular j -Invariants*

**Definition 4** (*Decisional Supersingular j-Invariants Product (d-DSJP) Assumption*) Let $(\Psi^{(\mu)}_{AB}, j(E^{(\mu)}_{AB}))_{\mu \in [d]}$ be the transcripts of $d$ executions of SIDH with the same $\mathsf{params}_{\mathrm{SIDH}}$, where $\Psi^{(\mu)}_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, E^{(\mu)}_A, \phi^{(\mu)}_A(P_B), \phi^{(\mu)}_A(Q_B), E^{(\mu)}_B, \phi^{(\mu)}_B(P_A), \phi^{(\mu)}_B(Q_A))$, and let $\Psi_{AB} := (\Psi^{(\mu)}_{AB})_{\mu \in [d]}$. A $d$-DSJP problem instance is given as $(\Psi_{AB}, J_\beta)$, where

$$J_0 := \prod_{\mu=1}^{d} j\left(E^{(\mu)}_{AB}\right), \qquad J_1 \leftarrow_R \mathbb{F}_{p^2}, \tag{6}$$

and $\beta \leftarrow_R \{0, 1\}$. For any adversary $B$, the advantage of $B$ is defined as $\mathrm{Adv}^{d\text{-DSJP}}_B(\lambda) := \left|\Pr[B(\Psi_{AB}, J_0) = 1] - \Pr[B(\Psi_{AB}, J_1) = 1]\right|$, and the $d$-DSJP assumption holds if $\mathrm{Adv}^{d\text{-DSJP}}_B(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $B$.<sup>2</sup>

#### **3.1.1 Progressive Weakness Among** *d***-DSJP Assumptions**

The next lemma shows that the (*d* + 1)-DSJP assumption is weaker than the *d*-DSJP one. In other words, a security proof from the (*d* + 1)-DSJP assumption is considered better than that from the *d*-DSJP one.

**Lemma 1** *The d-DSJP assumption is reduced to the* (*d* + 1)*-DSJP assumption.*

*For any adversary $A$, there is a probabilistic machine $B$, whose running time is essentially the same as that of $A$, such that for any security parameter $\lambda$, $\mathrm{Adv}^{(d+1)\text{-DSJP}}_A(\lambda) \le \mathrm{Adv}^{d\text{-DSJP}}_B(\lambda)$.*

*Proof* $B$ receives a $d$-DSJP tuple $(\Psi_{AB}, J_\beta)$, where $\Psi_{AB}$ is defined as in Definition 4 and $J_\beta$ is $\prod_{\mu=1}^{d} j(E^{(\mu)}_{AB})$ when $\beta = 0$ or a random element of $\mathbb{F}_{p^2}$ when $\beta = 1$. $B$ generates a fresh SIDH public key pair $(E^{(d+1)}_A, \phi^{(d+1)}_A(P_B), \phi^{(d+1)}_A(Q_B))$, $(E^{(d+1)}_B, \phi^{(d+1)}_B(P_A), \phi^{(d+1)}_B(Q_A))$ together with its SIDH shared key $j(E^{(d+1)}_{AB})$, then constructs the new tuple $\Psi'_{AB} := (\mathsf{params}_{\mathrm{SIDH}}, ((E^{(\mu)}_A, \phi^{(\mu)}_A(P_B), \phi^{(\mu)}_A(Q_B)), (E^{(\mu)}_B, \phi^{(\mu)}_B(P_A), \phi^{(\mu)}_B(Q_A)))_{\mu \in [d+1]})$ and $J'_\beta := J_\beta \cdot j(E^{(d+1)}_{AB})$. $B$ gives the $(d+1)$-DSJP tuple $(\Psi'_{AB}, J'_\beta)$ to $A$, and outputs $\beta'$ when $A$ outputs $\beta'$. When $\beta = 0$, $J'_\beta$ is exactly the $(d+1)$-fold product; when $\beta = 1$, multiplication by the fixed value $j(E^{(d+1)}_{AB})$ permutes $\mathbb{F}_{p^2}$ whenever that value is nonzero, so $J'_\beta$ is again uniform in $\mathbb{F}_{p^2}$. $\square$

In fact, we show that the 1-DSJP problem is efficiently solvable (Lemma 2 in Sect. 3.1.2) and that the 2-DSJP problem admits a specific approach via modular polynomials (Sect. 3.1.3).

## **3.1.2 Case** *d* **= 1: Relation Between SI-DDH and 1-DSJP Assumptions**

While the value of $J_0$ for SI-DDH in Eq. (5) is the same as that of the 1-DSJP assumption in Eq. (6), the $J_1$'s in the two assumptions are distributed differently: the first is uniform over $\mathbb{J}_{p^2}$ ($\subsetneq \mathbb{F}_{p^2}$), the second is uniform over $\mathbb{F}_{p^2}$. As shown below, the difference is important.

<sup>2</sup>Its "sum" version (instead of "product"), the Decisional Supersingular $j$-Invariants Sum ($d$-DSJS) assumption, seems reasonable for $d \ge 2$, and can be used in security proofs for the "sum" version SI-SBD GKE of the SI-PBD GKE in Sect. 4.3. The same comment applies to the $d$-DSMP assumption and the CSI-PBD GKE in Sect. 4.4.

**Lemma 2** *The* 1*-DSJP problem can be solved in (deterministic) polynomial time except with a negligible error probability.*

*Proof* In the 1-DSJP problem, $J_0$ always lies in $\mathbb{J}_{p^2}$, while $J_1$ is uniform over $\mathbb{F}_{p^2}$. Since $|\mathbb{J}_{p^2}| \approx p/12$ is a negligible fraction of $|\mathbb{F}_{p^2}| = p^2$, a uniform $J_1$ is a supersingular $j$-invariant only with negligible probability. Therefore, applying a supersingularity-testing algorithm, e.g., Sutherland (2012), to $J_\beta$ solves the problem. $\square$

Because of this fact, the direct assumption, the decisional $(1,1)$-SI-PBD assumption in Definition 6, picks the target key $\kappa_1$ (the $\beta = 1$ instance) from the uniform distribution over $\mathbb{J}_{p^2}$ instead of $\mathbb{F}_{p^2}$.

## **3.1.3 Case** *d* **= 2: An Approach for 2-DSJP via Modular Polynomials**

Lemma 1 shows that the 2-DSJP assumption is the strongest among the $d$-DSJP assumptions for $d \ge 2$. In fact, there are some possible approaches to solving the problem, as indicated below, but the resulting attack is not effective at present.

Here, we introduce the modular polynomials $\Phi_N(X, Y) := \sum c_{ik} X^i Y^k$, which satisfy $\Phi_N(j, j') = 0$ for two $j$-invariants $j$ and $j'$ such that there exists an $N$-isogeny between the associated elliptic curves $E(j)$ and $E(j')$. From this defining property, $\Phi_N(X, Y)$ is a symmetric polynomial in $X$ and $Y$. Hence, setting $S := X + Y$ and $T := XY$, $\Phi_N(X, Y)$ can be written as $\Phi_N(X, Y) = \tilde{\Phi}_N(S, T) := \sum \gamma_{ik} S^i T^k$ for a two-variable polynomial $\tilde{\Phi}_N$.

The value $J_0$ of the 2-DSJP problem is the product of two supersingular $j$-invariants, i.e., $\tau := j(E^{(1)}) \cdot j(E^{(2)})$. Substituting $T := \tau$ into $\tilde{\Phi}_N(S, T)$, we obtain the one-variable polynomial equation $\tilde{\Phi}_N(S, \tau) = 0$. If $E^{(1)}$ and $E^{(2)}$ are $N$-isogenous, then $\sigma := j(E^{(1)}) + j(E^{(2)})$ satisfies this equation, i.e., $\tilde{\Phi}_N(\sigma, \tau) = 0$.

Based on this fact, we obtain a possible cryptanalysis of the 2-DSJP problem as follows. The input of the algorithm is a 2-DSJP instance $(\Psi_{AB}, J_\beta)$; let $Z$ denote the set of roots of $\tilde{\Phi}_N(S, J_\beta) = 0$.

For each $z \in Z$, solve the quadratic equation $W^2 - zW + J_\beta = 0$. Its two roots are the candidates for $j(E^{(1)})$ and $j(E^{(2)})$, since $(W - j(E^{(1)}))(W - j(E^{(2)})) = W^2 - \sigma W + \tau$.


The degree $N$ of an isogeny between the curves $E^{(1)}$ and $E^{(2)}$ above is usually large, so if the security parameter $\lambda$ is set large the attack is ineffective. But the above scenario shows a possible approach to this problem that uses a specific property of the modular polynomials when $d = 2$.
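The approach above, carried out for $N = 2$ as an added worked example (this is not code from the paper). It uses the classical level-2 modular polynomial $\Phi_2$ and a toy prime $p$ small enough that every root search can be done by exhaustive search over $\mathbb{F}_p$; the restriction to $\mathbb{F}_p$-rational $j$-invariants, the point-counting supersingularity test, and the sample primes $p = 11$ and $p = 13$ are assumptions of this example. The function `dsjp2_candidates` plays the attacker: from $\tau = J_\beta$ alone it finds the roots $S$ of $\tilde{\Phi}_2(S, \tau)$, solves $W^2 - SW + \tau = 0$, and keeps only pairs whose two roots are both supersingular $j$-invariants.

```python
# Added example (not the paper's code): the Sect. 3.1.3 approach for N = 2 over a toy
# prime p, with every search done by brute force over F_p.  Assumptions of this
# example: the two j-invariants are F_p-rational, p is tiny, and supersingularity is
# tested by point counting (valid for p >= 5).
PHI2_CONST = 157464000000000

def phi2(x, y, p):
    """Classical level-2 modular polynomial Phi_2(X, Y), reduced mod p."""
    return (x**3 + y**3 - x*x*y*y + 1488*(x*x*y + x*y*y) - 162000*(x*x + y*y)
            + 40773375*x*y + 8748000000*(x + y) - PHI2_CONST) % p

def phi2_sym(s, t, p):
    """The same polynomial written in S = X + Y, T = XY (possible since Phi_2 is
    symmetric): X^3+Y^3 = S^3-3ST, X^2Y^2 = T^2, X^2Y+XY^2 = ST, X^2+Y^2 = S^2-2T."""
    return (s**3 - 3*s*t - t*t + 1488*s*t - 162000*(s*s - 2*t)
            + 40773375*t + 8748000000*s - PHI2_CONST) % p

def symmetric_reduction_ok(p):
    """Check phi2(X, Y) == phi2_sym(X+Y, XY) on a grid of points of F_p x F_p."""
    step = max(1, p // 7)
    return all(phi2(x, y, p) == phi2_sym((x + y) % p, x * y % p, p)
               for x in range(0, p, step) for y in range(0, p, step))

def legendre(v, p):
    """Legendre symbol (v / p) for an odd prime p."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def is_supersingular_j(j, p):
    """E_j / F_p is supersingular iff #E(F_p) = p + 1 (for p >= 5), i.e. iff the sum
    over x of chi(x^3 + ax + b), which is minus the Frobenius trace, vanishes."""
    j %= p
    if j == 0:
        a, b = 0, 1                        # y^2 = x^3 + 1
    elif j == 1728 % p:
        a, b = 1, 0                        # y^2 = x^3 + x
    else:                                  # y^2 = x^3 + ax + b with j(E) = j
        a = 3 * j * (1728 - j) % p
        b = 2 * j * (1728 - j) ** 2 % p
    return sum(legendre(x**3 + a*x + b, p) for x in range(p)) == 0

def dsjp2_candidates(tau, p):
    """Attacker's view: only tau = J_beta is known.  Return every unordered pair
    {j1, j2} of supersingular j-invariants in F_p with j1*j2 = tau and Phi_2(j1, j2) = 0,
    i.e. every explanation of tau as the product of two 2-isogenous supersingular
    curves.  A non-empty result is only expected for a genuine J_0 whose two session
    curves happen to be 2-isogenous; a random J_1 is very unlikely to pass the test."""
    tau %= p
    found = set()
    for s in range(p):                     # roots S of Phi_2~(S, tau) = 0
        if phi2_sym(s, tau, p) != 0:
            continue
        for w in range(p):                 # roots W of W^2 - S W + tau = 0
            if (w * w - s * w + tau) % p != 0:
                continue
            w2 = (s - w) % p               # the other root by Vieta; w * w2 == tau
            if is_supersingular_j(w, p) and is_supersingular_j(w2, p):
                found.add((min(w, w2), max(w, w2)))
    return found
```

For $p = 13$ the only supersingular $j$-invariant is $5$, and `dsjp2_candidates(25 % 13, 13)` recovers the pair $(5, 5)$ from $\tau = 5 \cdot 5$; for $p = 11$ the supersingular $j$-invariants $0$ and $1728 \equiv 1$ are 2-isogenous, and `dsjp2_candidates(0, 11)` returns `{(0, 1)}`. The example only ever recovers pairs that really are 2-isogenous, which is exactly the limitation stated above: two independent SIDH sessions are not, in general, connected by an isogeny of small degree.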

## *3.2 New Assumptions on Supersingular Montgomery Coefficients*

**Definition 5** (*Decisional Supersingular Montgomery Coefficients Product (d-DSMP) Assumption*) Let $(\Psi^{(\mu)}_{AB}, m(E^{(\mu)}_{AB}))_{\mu \in [d]}$ be the transcripts of $d$ executions of CSIDH with the same $\mathsf{params}_{\mathrm{CSIDH}}$, where $\Psi^{(\mu)}_{AB} := (\mathsf{params}_{\mathrm{CSIDH}}, E^{(\mu)}_A, E^{(\mu)}_B)$ and $\Psi_{AB} := (\Psi^{(\mu)}_{AB})_{\mu \in [d]}$, with $E^{(\mu)}_A := [\mathfrak{a}^{(\mu)}]E$, $E^{(\mu)}_B := [\mathfrak{b}^{(\mu)}]E$ and $E^{(\mu)}_{AB} := [\mathfrak{a}^{(\mu)}][\mathfrak{b}^{(\mu)}]E$. A $d$-DSMP problem instance is given as $(\Psi_{AB}, M_\beta)$, where

$$M_0 := \prod_{\mu=1}^{d} m\left(E^{(\mu)}_{AB}\right), \qquad M_1 \leftarrow_R \mathbb{F}_p,$$

and $\beta \leftarrow_R \{0, 1\}$. For any adversary $B$, the advantage of $B$ is defined as $\mathrm{Adv}^{d\text{-DSMP}}_B(\lambda) := \left|\Pr[B(\Psi_{AB}, M_0) = 1] - \Pr[B(\Psi_{AB}, M_1) = 1]\right|$, and the $d$-DSMP assumption holds if $\mathrm{Adv}^{d\text{-DSMP}}_B(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $B$.

For the DSMP assumptions we have results analogous to those for the DSJP assumptions. In particular, we have the following lemmas.

**Lemma 3** *The d-DSMP assumption is reduced to the* (*d* + 1)*-DSMP assumption.*

**Lemma 4** *The* 1*-DSMP problem can be solved in (deterministic) polynomial time except with a negligible error probability.*

### **4 Proposed Post-Quantum Group Key Exchange (GKE)**

## *4.1 A Generic JV-Type Compiler for GKE from Two-Party KE (Just and Vaudenay 1996)*

We describe a generic BD-type GKE compiler from a two-party KE protocol; the obtained GKE protocol is called the BD-type GKE. Such a generic compiler was first proposed by Just and Vaudenay (1996) (see also Boyd and Mathuria 2003), but no formal proof was given. By writing the security proof carefully, we also obtain security proofs for our proposals in Sects. 4.3 and 4.4, and we identify a condition for the compiler to work correctly. The number of group members is assumed to be $n \ge 3$. Assume that the two-party key exchange has shared-key space $\mathbb{K}$. We need a map $\phi : \mathbb{K} \to \mathbb{G}$ (called a $\mathbb{G}$-embedding map), where $\mathbb{G}$ is a cyclic group of order $q$, for the BD-type encoding (BDEnc) below. We assume $\gcd(n, q) = 1$ for the number of group members $n$ and the group order $q$. (Note that we do not assume the intractability of the discrete logarithm in $\mathbb{G}$.)

Exec. Each user $i$ runs the two-party protocol with users $i-1$ and $i+1$, respectively, and obtains keys $\kappa_{i-1,i}$ and $\kappa_{i,i+1}$.


Correctness is shown exactly as for the original BD key exchange. The security depends on the map $\phi$. Below, we show that the protocol is secure assuming that $\phi$ is a secure KDF (see Appendix 2 for the definition) and that the underlying two-party protocol is secure.

**Theorem 3** *The BD-type GKE protocol is (post-quantumly) secure if the underlying two-party KE is (post-quantumly) secure, $\phi$ is a (post-quantumly) secure KDF and $\gcd(n, q) = 1$, where $q$ is the order of $\mathbb{G}$.*

*For any (quantum) adversary $A$, there exist (quantum) machines $B_l$ and $C_l$, whose running times are essentially the same as that of $A$, such that $\mathrm{Adv}^{\mathrm{BD}}_A(\lambda) \le \sum_{l \in [2n]} \left( \mathrm{Adv}^{\mathrm{KE}}_{B_l}(\lambda) + \mathrm{Adv}^{\mathrm{KDF}}_{C_l}(\lambda) \right) + \varepsilon(\lambda)$, where $\mathrm{Adv}^{\mathrm{KE}}$ denotes the advantage against the two-party KE and $\varepsilon(\lambda)$ is a negligible function of $\lambda$.*

*Proof* The view of *A* consists of (*u*1,..., *un*, *K*). To prove Theorem3, we consider the following 2*n* + 2 games. An underlined part indicates a variable that is changed in a game from the previous one.

**Game 0:** Original game, which is the same as the first case in Definition 1. The values of $J_{i-1,i}$, $u_i$, $K$ are given as $J_{i-1,i} := \phi(\kappa_{i-1,i})$,

$$u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} \text{ for } i \in [n], \qquad K := J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}, \tag{7}$$

where $\kappa_{i-1,i}$ is the key shared by running the two-party protocol between users $i-1$ and $i$.

**Game** $l$ ($l \in [n]$): The $l$th output of $\phi$ is replaced by $J_{l-1,l} \leftarrow_R \mathbb{G}$ (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $l-1$, and the view of $A$, i.e., $(u_1, \ldots, u_n, K)$, is generated as in Eq. (7) from all the $J_{i-1,i}$'s for $i \in [n]$.

**Game** $n+1$: Same as Game $n$ except that the shared key is $K \leftarrow_R \mathbb{G}$, and all the other variables are generated as in Game $n$. Note that $K$ is independent of all the other variables.

**Game** $n+1+l$ ($l \in [n]$): The $l$th output of $\phi$ is restored to $J_{l-1,l} := \phi(\kappa_{l-1,l})$ (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $n+l$, $(u_1, \ldots, u_n)$ is generated as in Eq. (7) from all the $J_{i-1,i}$'s for $i \in [n]$, and $K \leftarrow_R \mathbb{G}$. Note that Game $2n+1$ is the same as the second case in Definition 1.

Let $\mathrm{Adv}^{(l)}_A(\lambda)$ be the advantage of $A$ in Game $l$.

We show three lemmas (Lemmas 5–7) that bound the gaps between the advantages in consecutive games among Game 0, ..., Game $2n+1$. From these lemmas, we obtain $\mathrm{Adv}^{\mathrm{BD}}_A(\lambda) \le \sum_{l \in [2n+1]} \left|\mathrm{Adv}^{(l-1)}_A(\lambda) - \mathrm{Adv}^{(l)}_A(\lambda)\right| \le \sum_{l \in [2n]} \left( \mathrm{Adv}^{\mathrm{KE}}_{B_l}(\lambda) + \mathrm{Adv}^{\mathrm{KDF}}_{C_l}(\lambda) \right) + \varepsilon(\lambda)$, where $\varepsilon(\lambda) := \sum_{l \in [2n]} \varepsilon_l(\lambda)$ is a negligible function. This completes the proof of Theorem 3. $\square$

**Lemma 5** *For any (quantum) adversary $A$, there exist (quantum) machines $B_l$ and $C_l$, whose running times are essentially the same as that of $A$, such that $\left|\mathrm{Adv}^{(l-1)}_A(\lambda) - \mathrm{Adv}^{(l)}_A(\lambda)\right| \le \mathrm{Adv}^{\mathrm{KE}}_{B_l}(\lambda) + \mathrm{Adv}^{\mathrm{KDF}}_{C_l}(\lambda) + \varepsilon_l(\lambda)$ for $l \in [n]$, where the $\varepsilon_l(\lambda)$ are negligible functions.*

*Proof* We define an intermediate game, Game $l - 1/2$, between Games $l-1$ and $l$. In Game $l - 1/2$, $\kappa_{l-1,l} \leftarrow_R \mathbb{K}$ and $J_{l-1,l} := \phi(\kappa_{l-1,l})$, and all the remaining variables are generated in the same manner as in Game $l-1$.

By the definition of two-party KE security, the difference between the advantages in Games $l-1$ and $l-1/2$ is bounded by the advantage against the two-party KE protocol, i.e., $\mathrm{Adv}^{\mathrm{KE}}_{B_l}(\lambda)$ (up to a negligible term). Since the keyspace $\mathbb{K}$ has enough entropy, by the definition of a KDF the difference between the advantages in Games $l-1/2$ and $l$ is bounded by the advantage against the KDF, i.e., $\mathrm{Adv}^{\mathrm{KDF}}_{C_l}(\lambda)$ (up to a negligible term). This completes the proof of Lemma 5. $\square$

**Lemma 6** (BDEnc Information-Theoretic Security) *For any (quantum) adversary $A$ and any security parameter $\lambda$, $\mathrm{Adv}^{(n+1)}_A(\lambda) = \mathrm{Adv}^{(n)}_A(\lambda)$.*

*Proof* In Game $n$ all $J_{i-1,i}$ are uniform in $\mathbb{G}$, so we can set $J_{i-1,i} := g^{\alpha_{i-1}}$ for $i \in [n]$, where $g \in \mathbb{G}$ is a generator and the $\alpha_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$ are independent of each other (indices are taken mod $n$, so $\alpha_0 = \alpha_n$). Then $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} = g^{\alpha_i - \alpha_{i-1}}$. First, the $n$ elements $(\alpha_1, \alpha_2 - \alpha_1, \alpha_3 - \alpha_2, \ldots, \alpha_n - \alpha_{n-1})$ are uniformly and independently distributed. Since $\alpha_1 + \cdots + \alpha_n = n\alpha_1 + (n-1)(\alpha_2 - \alpha_1) + (n-2)(\alpha_3 - \alpha_2) + \cdots + (\alpha_n - \alpha_{n-1})$ and $n \bmod q$ is invertible (by the assumption $\gcd(n, q) = 1$), the $n$ elements $(\alpha_1 + \cdots + \alpha_n, \alpha_2 - \alpha_1, \alpha_3 - \alpha_2, \ldots, \alpha_n - \alpha_{n-1})$ are also uniformly and independently distributed. Since $K = g^{\alpha_1 + \cdots + \alpha_n}$, $K$ is independent of all the other variables, i.e., the $u_i$'s (and the $h_i$'s in the original BD protocol). This completes the proof of Lemma 6. $\square$

**Lemma 7** *For any (quantum) adversary $A$, there exist (quantum) machines $B_{n+l}$ and $C_{n+l}$, whose running times are essentially the same as that of $A$, such that for any security parameter $\lambda$, $\left|\mathrm{Adv}^{(n+l)}_A(\lambda) - \mathrm{Adv}^{(n+l+1)}_A(\lambda)\right| \le \mathrm{Adv}^{\mathrm{KE}}_{B_{n+l}}(\lambda) + \mathrm{Adv}^{\mathrm{KDF}}_{C_{n+l}}(\lambda) + \varepsilon_{n+l}(\lambda)$ for $l \in [n]$, where the $\varepsilon_{n+l}(\lambda)$ are negligible functions.*

Lemma 7 is proven in a similar manner to Lemma 5.

#### *4.2 Constant-Round GKE from Static Standard Assumptions*

We instantiate the generic GKE above with the ring-LWE based two-party KE of Apon et al. (2019) and a SHA-2 (or SHA-3) based KDF $\phi$ whose range is $\mathbb{G} := \mathbb{F}^*$ for some finite field $\mathbb{F}$. Therefore, we have the following corollary.

**Corollary 1** *There exists a post-quantum constant-round GKE from the two-party KE in Apon et al. (2019) and a standard KDF $\phi$ under the* static *ring-LWE assumption.*

Apon et al.'s original GKE is based on a "non-static" or "dynamic" ring-LWE assumption: the noise size depends on the number of group members $n$, so the scheme's parameters grow with $n$.

**Corollary 2** *There exists a post-quantum constant-round GKE from the two-party KE SIDH (resp. CSIDH) and a standard KDF $\phi$ under the SI-DDH (resp. CSI-DDH) assumption.*

## *4.3 Two-Round Product-BD (PBD) GKE from d-DSJP Assumption*

We modify the SIBD group key exchange proposed in Furukawa et al. (2018) into a provably secure one, called the Supersingular Isogeny Product-BD ($(n, d)$-SI-PBD) protocol for $n$ parties. In other words, our general $(n, d)$-SI-PBD protocol is obtained via our generic compiler (Sect. 4.1) from the two-party $(2, d)$-SI-PBD protocol, where the $\mathbb{G}$-embedding map $\phi$ is the identity map $\phi := \mathrm{id}_{\mathbb{G}} : \mathbb{G} \to \mathbb{G}$.

#### **4.3.1 Construction**

We consider $n$-party key exchange. Each user is indexed by $1, 2, \ldots, n$, where $n$ is supposed to be even for simplicity. Note that we can easily obtain the protocol for odd $n$. The user indices are taken cyclically: $R_{n+1} := R_1$ and $R_0 := R_n$. We introduce the map $\iota(i) := i \bmod 2$ and simply write $\iota$ instead of $\iota(i)$.


$$J_{i-1,i} := \prod_{\mu=1}^{d} j\left(E^{(\mu)}_{i-1,i}\right) \text{ and } J_{i,i+1} := \prod_{\mu=1}^{d} j\left(E^{(\mu)}_{i,i+1}\right) \ldots$$

The user then computes $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$ and sets $\mathrm{pk}^2_i := u_i$. Finally, user $i$ broadcasts $\mathrm{pk}^2_i$ to the other users.

#### KeyComp. User $i$ collects $(\mathrm{pk}^2_{i'})_{i' \in [n]}$ and $\mathrm{sk}^1_i$ and computes $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-3}^{\,2} \cdot u_{i-2}$.

It is easy to verify that $K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}$ holds for any $i$.
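The BD-type encoding of Sect. 4.1 and the KeyComp formula above, as an added worked example (not code from the paper). A toy cyclic group $\mathbb{G} = (\mathbb{Z}/11\mathbb{Z})^*$ of order $q = 10$ stands in for $\mathbb{F}_{p^2}^*$, and random group elements $J_{i,i+1}$ stand in for the embedded two-party keys $\phi(\kappa_{i,i+1})$; both choices are assumptions of this example. The code checks that every user's $K_i$ equals $\prod_i J_{i,i+1}$ and then shows concretely why Lemma 6 needs $\gcd(n, q) = 1$: the public quantity $K \cdot (u_1^{n-1} u_2^{n-2} \cdots u_{n-1})^{-1}$ equals $J_{n,1}^{\,n}$, so with $d := \gcd(n, q) > 1$ raising both sides to the power $q/d$ gives a test that a genuine key always passes and a uniformly random element of $\mathbb{G}$ passes only with probability $1/d$.

```python
# Added example, not from the paper: the BD-type encoding (Sect. 4.1) and KeyComp
# (Sect. 4.3.1 / Appendix 1) over a toy group.  Assumptions: G = (Z/11Z)^*, cyclic of
# order Q = 10, and the J values are sampled uniformly from G (the situation of
# Game n in the proof of Theorem 3).  Users are 0-indexed; indices wrap mod n.
from math import gcd
import random

P = 11          # toy modulus; the paper's G = F_{p^2}^* has order p^2 - 1 instead
Q = P - 1       # order of G = (Z/PZ)^*

def bd_round2(J):
    """Round-2 values u_i := J_{i,i+1} * J_{i-1,i}^{-1}; J[i] plays J_{i,i+1}."""
    n = len(J)
    return [J[i] * pow(J[i - 1], -1, P) % P for i in range(n)]

def bd_keycomp(i, J_prev, u):
    """KeyComp for user i: K_i := J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} ... u_{i-2}^1.
    The exponents telescope, so K_i = prod of all J values for every i."""
    n = len(u)
    K = pow(J_prev, n, P)
    for t in range(n - 1):
        K = K * pow(u[(i + t) % n], n - 1 - t, P) % P
    return K

def group_key(J):
    """The value every user must end up with: prod_i J_{i,i+1}."""
    K = 1
    for x in J:
        K = K * x % P
    return K

def simulate(n, seed=1):
    """One run with n users on constructed sample keys; returns (J, u, per-user keys, K)."""
    rng = random.Random(seed)
    J = [rng.randrange(1, P) for _ in range(n)]
    u = bd_round2(J)
    keys = [bd_keycomp(i, J[i - 1], u) for i in range(n)]
    return J, u, keys, group_key(J)

def key_passes_public_test(K, u):
    """Uses only public data plus a candidate K.  From user 0's KeyComp,
    K * (u_0^{n-1} * ... * u_{n-2}^1)^{-1} = J_{n,1}^n, and J_{n,1}^n raised to
    e := Q / gcd(n, Q) is 1.  A genuine K therefore always passes; a uniform K in G
    passes with probability 1/gcd(n, Q), i.e. the test distinguishes exactly when
    gcd(n, Q) > 1, the case Lemma 6 excludes."""
    n = len(u)
    e = Q // gcd(n, Q)
    pub = 1
    for t in range(n - 1):
        pub = pub * pow(u[t], n - 1 - t, P) % P
    return pow(K, e, P) == pow(pub, e, P)

def count_passing_keys(u):
    """Number of the Q elements of G that pass the test: Q / gcd(n, Q) of them."""
    return sum(key_passes_public_test(K, u) for K in range(1, P))
```

With $n = 3$ we have $\gcd(3, 10) = 1$ and all ten group elements pass, so the $u_i$ reveal nothing about $K$; with $n = 4$ we have $\gcd(4, 10) = 2$ and only five elements pass, so an adversary given the $u_i$ rejects half of the candidate keys, including half of the random $\kappa_1$ challenges.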

#### **4.3.2 Warm-Up: Security from a Nonstatic Assumption**

We rephrase security of the (*n*, *d*)-SI-PBD protocol based on Definition 1 as a form of the following assumption (see Lemma 8).

**Definition 6** (*Decisional SI-PBD ((n,d)-SI-PBD) Assumption*) Let $(\Psi_{n,d}, K) \leftarrow_R \mathrm{Exec}_{(n,d)\text{-SI-PBD}}(\lambda)$, where $J_{i-1,i} := \prod_{\mu=1}^{d} j(E^{(\mu)}_{i-1,i})$, $J_{i,i+1} := \prod_{\mu=1}^{d} j(E^{(\mu)}_{i,i+1})$, $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$, $\Psi_{n,d} := \left(\mathsf{params}_{\mathrm{SIDH}}, \left((E^{(\mu)}_i, \phi^{(\mu)}_i(P_{1-\iota}), \phi^{(\mu)}_i(Q_{1-\iota})), u_i\right)_{i \in [n],\, \mu \in [d]}\right)$, and $K := \prod_{i=1}^{n} J_{i,i+1}$. An $(n, d)$-SI-PBD problem instance is given as $(\Psi_{n,d}, \kappa_\beta)$, where

$$\kappa_0 := K, \qquad \kappa_1 \leftarrow_R \mathbb{F}_{p^2},$$

and $\beta \leftarrow_R \{0, 1\}$. For any quantum algorithm $B$, the advantage of $B$ is defined as $\mathrm{Adv}^{(n,d)\text{-SI-PBD}}_B(\lambda) := \left|\Pr[B(\Psi_{n,d}, \kappa_0) = 1] - \Pr[B(\Psi_{n,d}, \kappa_1) = 1]\right|$, and the $(n, d)$-SI-PBD assumption holds if $\mathrm{Adv}^{(n,d)\text{-SI-PBD}}_B(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $B$.

**Remark 1** We have better security proofs for $d \ge 2$ for the $(n, d)$-SI-PBD GKE (Theorem 4). The above, however, gives only a security proof for the $d = 1$ case, and it rests on a nonstatic assumption. Note that since $n \ge 3$ and the key $K$ is a product of $n$ $j$-invariants, we know of no efficient distinguishing algorithm between $\kappa_0$ and $\kappa_1$ (in contrast to the $d = 1$ situation of Lemma 2, where a single supersingularity test suffices).

**Lemma 8** *The* (*n*, *d*)*-SI-PBD key exchange among n-parties is post-quantumly secure under the* (*n*, *d*)*-SI-PBD assumption.*

*Proof* Lemma 8 is trivially obtained from Definitions 1 and 6. -

If the $(n, d)$-SI-PBD problem is hard for quantum adversaries, the SI-PBD key exchange among $n$ parties is quantum resistant. Therefore, we investigate the post-quantum security of the $(n, d)$-SI-PBD assumption in the next section.

Moreover, as is shown in Lemma 1 for the *d*-DSJP assumptions, the family of (*n*, *d*)-SI-PBD assumptions also has natural sequential reductions among them.

**Lemma 9** *The* (*n*, *d*)*-SI-PBD assumption is reduced to the* (*n*, *d* + 1)*-SI-PBD assumption.*

*For any adversary $A$, there is a (quantum) machine $B$, whose running time is essentially the same as that of $A$, such that for any security parameter $\lambda$, $\mathrm{Adv}^{(n,d+1)\text{-SI-PBD}}_A(\lambda) \le \mathrm{Adv}^{(n,d)\text{-SI-PBD}}_B(\lambda)$.*

*Proof* The proof of Lemma 9 is similarly given to that of Lemma 1. -

Lemma 9 shows that (*n*, *d* + 1)-SI-PBD group key exchange is more secure than (*n*, *d*)-SI-PBD one while the former is less efficient than the latter in terms of data sizes and execution times.

## **4.3.3 Security from** *d***-DSJP Assumption for** *d* **≥ 2**

**Theorem 4** *The $(n, d)$-SI-PBD key exchange among $n$ parties is post-quantumly secure under the $d$-DSJP assumption when $d \ge 2$ and $\gcd(n, p^2 - 1) = 1$. (Note that $p^2 - 1$ is the order of the cyclic group $\mathbb{G} := \mathbb{F}_{p^2}^*$.)*

*For any quantum adversary $A$, there exist quantum machines $B_l$, whose running times are essentially the same as that of $A$, such that $\mathrm{Adv}^{(n,d)\text{-SI-PBD}}_A(\lambda) \le \sum_{l \in [2n]} \mathrm{Adv}^{d\text{-DSJP}}_{B_l}(\lambda)$ when $d \ge 2$.*

Since $p$ is odd, $p^2 - 1$ is even, so the condition $\gcd(n, p^2 - 1) = 1$ forces $n$ to be odd; for SIDH primes of the form $p = \ell_A^{e_A}\ell_B^{e_B} f \pm 1$ with $\ell_A = 2$ and $\ell_B = 3$ it also forces $\gcd(n, 6) = 1$. The even-$n$ description in Sect. 4.3.1 is for notational convenience only.

*Proof* The view of *A* consists of (*u*1,..., *un*, *K*). To prove Theorem4, we consider the following 2*n* + 2 games. An underlined part indicates a variable that is changed in a game from the previous one.

**Game 0:** Original game. That is, the values of $J_{i-1,i}$, $u_i$, $K$ are given as $J_{i-1,i} := \prod_{\mu=1}^{d} j(E^{(\mu)}_{i-1,i})$,

$$u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1} \text{ for } i \in [n], \qquad K := J_{1,2} \cdot J_{2,3} \cdots J_{n-1,n} \cdot J_{n,1}. \tag{8}$$

**Game** $l$ ($l \in [n]$): The $l$th $j$-invariant product is replaced by $J_{l-1,l} \leftarrow_R \mathbb{F}_{p^2}$ (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $l-1$, and the view of $A$, i.e., $(u_1, \ldots, u_n, K)$, is generated as in Eq. (8) from all the $J_{i-1,i}$'s for $i \in [n]$.

**Game** $n+1$: Same as Game $n$ except that the shared key is $K \leftarrow_R \mathbb{F}_{p^2}$, and all the other variables are generated as in Game $n$. Note that $K$ is independent of all the other variables.

**Game** $n+1+l$ ($l \in [n]$): The $l$th $j$-invariant product is restored to $J_{l-1,l} := \prod_{\mu=1}^{d} j(E^{(\mu)}_{l-1,l})$ (for both users $l-1$ and $l$), all the other $J_{i-1,i}$'s for $i \ne l$ are generated as in Game $n+l$, $(u_1, \ldots, u_n)$ is generated as in Eq. (8) from all the $J_{i-1,i}$'s for $i \in [n]$, and $K \leftarrow_R \mathbb{F}_{p^2}$. Note that Game $2n+1$ is the same as the $\beta = 1$ case in Definition 6.

Let $\mathrm{Adv}^{(l)}_A(\lambda)$ be the advantage of $A$ in Game $l$.

We show three lemmas (Lemmas 10–12) that bound the gaps between the advantages in consecutive games among Game 0, ..., Game $2n+1$. From these lemmas, we obtain $\mathrm{Adv}^{(n,d)\text{-SI-PBD}}_A(\lambda) \le \sum_{l \in [2n+1]} \left|\mathrm{Adv}^{(l-1)}_A(\lambda) - \mathrm{Adv}^{(l)}_A(\lambda)\right| \le \sum_{l \in [2n]} \mathrm{Adv}^{d\text{-DSJP}}_{B_l}(\lambda)$. This completes the proof of Theorem 4. $\square$

**Lemma 10** *For any quantum adversaryA, there exists a quantum machine B<sup>l</sup> , whose running time is essentially the same as that of A, such that for any security parameter* <sup>λ</sup>*,* <sup>|</sup>Adv(*l*−1) *<sup>A</sup>* (λ) <sup>−</sup> Adv(*l*) *<sup>A</sup>* (λ)| ≤ Adv*<sup>d</sup>*-DSJP *<sup>B</sup><sup>l</sup>* (λ) *for l* ∈ [*n*]*.*

*Proof* $B$ is given a $d$-DSJP instance $(\Psi_{AB}, J_\beta)$, where

$$\Psi_{AB} := \left( \mathsf{params}, \left( \left( E_A^{(\mu)}, \phi_A^{(\mu)}(P_B), \phi_A^{(\mu)}(Q_B) \right), \left( E_B^{(\mu)}, \phi_B^{(\mu)}(P_A), \phi_B^{(\mu)}(Q_A) \right) \right)_{\mu \in [d]} \right).$$

$B$ (implicitly) lets user $l-1$ play Alice and user $l$ play Bob, and sets their public keys as $(E^{(\mu)}_{l-1}, \phi^{(\mu)}_{l-1}(P_\iota), \phi^{(\mu)}_{l-1}(Q_\iota))_{\mu \in [d]} := (E^{(\mu)}_A, \phi^{(\mu)}_A(P_B), \phi^{(\mu)}_A(Q_B))_{\mu \in [d]}$ and $(E^{(\mu)}_l, \phi^{(\mu)}_l(P_{1-\iota}), \phi^{(\mu)}_l(Q_{1-\iota}))_{\mu \in [d]} := (E^{(\mu)}_B, \phi^{(\mu)}_B(P_A), \phi^{(\mu)}_B(Q_A))_{\mu \in [d]}$, respectively.

$B$ generates $J_{i-1,i} \leftarrow_R \mathbb{F}_{p^2}$ at random for $i < l$, and sets the $(l-1)$th $j$-invariant product to $J_{l-1,l} := J_\beta$. For every other user $i \in [n] \setminus \{l-1, l\}$, $B$ generates secret keys $k^{(\mu)}_i \leftarrow_R \mathbb{Z}/\ell_\tau^{e_\tau}\mathbb{Z}$ with $\tau := i \bmod 2$, and from them the public keys $(E^{(\mu)}_i, \phi^{(\mu)}_i(P_{1-\tau}), \phi^{(\mu)}_i(Q_{1-\tau}))_{\mu \in [d]}$. Since $B$ knows all secret keys except those of users $l-1$ and $l$, it can compute all correct $j$-invariant products $J_{i-1,i}$ for $i > l$.

Using the $J_{i-1,i}$ for $i \in [n]$ defined above, $B$ computes $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$ and $K := \prod_{i \in [n]} J_{i-1,i}$, and then sends $A$ the public keys, $(u_i)_{i \in [n]}$, and the challenge value $K$.

If $A$ outputs $\beta'$, then $B$ also outputs $\beta'$. The distribution generated by $B$ is that of Game $l-1$ when $\beta = 0$ and that of Game $l$ when $\beta = 1$.

This completes the proof of Lemma 10. $\square$

**Lemma 11** *For any (quantum) adversary A, for any security parameter* λ*,* Adv(*n*+1) *<sup>A</sup>* (λ) <sup>=</sup> Adv(*n*) *<sup>A</sup>* (λ)*.*

*Proof* The proof of Lemma 11 is the same as that of Lemma 6 (BDEnc Information Theoretic Security Lemma). -

**Lemma 12** *For any quantum adversary $A$, there exists a quantum machine $B := B_{n+l}$, whose running time is essentially the same as that of $A$, such that for any security parameter $\lambda$, $\left|\mathrm{Adv}^{(n+l)}_A(\lambda) - \mathrm{Adv}^{(n+l+1)}_A(\lambda)\right| \le \mathrm{Adv}^{d\text{-DSJP}}_{B_{n+l}}(\lambda)$ for $l \in [n]$.*

Lemma 12 is proven in a similar manner to Lemma 10.

#### *4.4 Two-Round PBD GKE from d-DSMP Assumption*


$$M_{i-1,i} := \prod_{\mu=1}^{d} m\left(E^{(\mu)}_{i-1,i}\right) \text{ and } M_{i,i+1} := \prod_{\mu=1}^{d} m\left(E^{(\mu)}_{i,i+1}\right) \ldots$$

The user then computes $u_i := M_{i,i+1} \cdot M_{i-1,i}^{-1}$ and sets $\mathrm{pk}^2_i := u_i$. Finally, user $i$ broadcasts $\mathrm{pk}^2_i$ to the other users.

KeyComp. User $i$ collects $(\mathrm{pk}^2_{i'})_{i' \in [n]}$ and $\mathrm{sk}^1_i$ and computes $K_i := M_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-3}^{\,2} \cdot u_{i-2}$.

It is easy to verify that $K_i = M_{1,2} \cdot M_{2,3} \cdots M_{n-1,n} \cdot M_{n,1}$ holds for any $i$. We have the following lemma and theorem, as in the case of the SI-PBD key exchange. The $(n, d)$-CSI-PBD assumption is defined in Definition 7 in Appendix 4.

**Lemma 13** *The* (*n*, *d*)*-CSI-PBD key exchange among n-parties is secure under the* (*n*, *d*)*-CSI-PBD assumption.*

**Theorem 5** *The $(n, d)$-CSI-PBD key exchange among $n$ parties is post-quantumly secure under the $d$-DSMP assumption when $d \ge 2$ and $\gcd(n, p - 1) = 1$. (Note that $p - 1$ is the order of the cyclic group $\mathbb{G} := \mathbb{F}_p^*$.)*

*For any quantum adversary $A$, there exist quantum machines $B_i$, whose running times are essentially the same as that of $A$, such that for any security parameter $\lambda$, $\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_A(\lambda) \le \sum_{i \in [2n]} \mathrm{Adv}^{d\text{-DSMP}}_{B_i}(\lambda)$.*

As for Theorem 4, $p - 1$ is even, so the condition $\gcd(n, p - 1) = 1$ again forces the number of parties $n$ to be odd.

**Acknowledgements** This research was partially supported by JST CREST Grant Number JPMJCR14D6, Japan. The author would like to thank Tatsuaki Okamoto for his valuable comments on the generic GKE construction given in Sect. 4.1.

## **Appendix 1: BD Group Key Exchange (Burmester and Desmedt 1994)**

We describe the BD key exchange among $n$ users on a cyclic group $\mathbb{G}$ of prime order $q$ with a generator $g$.

Round-1. Each user $i$ generates $a_i \leftarrow_R \mathbb{Z}/q\mathbb{Z}$, $h_i := g^{a_i}$, and broadcasts $h_i$.

Round-2. Each user $i$ calculates $J_{i-1,i} := (h_{i-1})^{a_i}$, $J_{i,i+1} := (h_{i+1})^{a_i}$ and $u_i := J_{i,i+1} \cdot J_{i-1,i}^{-1}$. User $i$ broadcasts $u_i$.

KeyComp. User $i$ calculates $K_i := J_{i-1,i}^{\,n} \cdot u_i^{\,n-1} \cdot u_{i+1}^{\,n-2} \cdots u_{i-2}$. Then, $K_i = J_{1,2} \cdot J_{2,3} \cdots J_{n,1}$ is the shared key among the $n$ users.
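A worked run of the BD protocol above (the same ring structure that Sect. 4.4 reuses with $M_{i-1,i}$ in place of $J_{i-1,i}$), as an added example that is not part of the original chapter. It uses a constructed toy group, the order-509 subgroup of $\mathbb{F}_{1019}^{\ast}$ generated by 4, which is far too small for real use, and checks that every user's $K_i$ telescopes to the product of all $J_{i,i+1}$.

```python
import secrets

# Toy parameters, constructed for illustration and far too small to be secure:
# p = 2q + 1 is a safe prime, so g = 4 = 2^2 generates the subgroup G of prime order q.
P, Q, G = 1019, 509, 4


def round1(n):
    """Round-1: every user i picks a_i in Z/qZ and broadcasts h_i = g^{a_i}."""
    a = [secrets.randbelow(Q) for _ in range(n)]
    h = [pow(G, ai, P) for ai in a]
    return a, h


def round2(i, a_i, h):
    """Round-2 for user i (indices cyclic mod n): J_{i-1,i} = h_{i-1}^{a_i},
    J_{i,i+1} = h_{i+1}^{a_i}; user i keeps J_{i-1,i} and broadcasts
    u_i = J_{i,i+1} * J_{i-1,i}^{-1}."""
    n = len(h)
    j_prev = pow(h[(i - 1) % n], a_i, P)
    j_next = pow(h[(i + 1) % n], a_i, P)
    return j_prev, j_next * pow(j_prev, -1, P) % P


def keycomp(i, j_prev, u):
    """KeyComp for user i: K_i = J_{i-1,i}^n * u_i^{n-1} * u_{i+1}^{n-2} * ... * u_{i-2}.
    Because u_k = J_{k,k+1} / J_{k-1,k}, the product telescopes to
    J_{1,2} * J_{2,3} * ... * J_{n,1}, independent of i."""
    n = len(u)
    k = pow(j_prev, n, P)
    for t in range(1, n):  # u_{i+t-1} enters with exponent n - t
        k = k * pow(u[(i + t - 1) % n], n - t, P) % P
    return k


def run_bd(n):
    """Run the whole protocol for n users; return all K_i and the reference
    value prod_i g^{a_i a_{i+1}} computed directly from the secrets."""
    a, h = round1(n)
    rounds = [round2(i, a[i], h) for i in range(n)]
    kept, u = [r[0] for r in rounds], [r[1] for r in rounds]
    keys = [keycomp(i, kept[i], u) for i in range(n)]
    ref = 1
    for i in range(n):
        ref = ref * pow(G, a[i] * a[(i + 1) % n], P) % P
    return keys, ref
```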

**Theorem 6** (Burmester and Desmedt 1994; Katz and Yung 2007) *The BD group key exchange is tightly secure under the DDH assumption. For any adversary $\mathcal{A}$, there is a probabilistic machine $\mathcal{B}$, whose running time is essentially the same as that of $\mathcal{A}$, such that for any security parameter $\lambda$, $\mathrm{Adv}^{\mathrm{BD}}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{\mathrm{DDH}}_{\mathcal{B}}(\lambda)$.*

*Proof* The DDH solver $\mathcal{B}$ uses an attacker $\mathcal{A}$ against the BD protocol. Below, we prove the case where $n$ is even, for simplicity. $\mathcal{B}$ receives a DDH tuple $(g, g^a, g^b, T)$, where $T$ is $g^{ab}$ or $g^c$ with random $c$, and should simulate the public information $(h_i, u_i)_{i\in[n]}$ and the shared key $K$. $\mathcal{B}$ implicitly sets $a_1 := a$ and $a_2 := b$, and generates random $\tilde a_2, \tilde a_3, \dots, \tilde a_{n-1} \leftarrow \mathbb{Z}/q\mathbb{Z}$. $\mathcal{B}$ also implicitly sets the relations

$$
\tilde{a}_2 = a_2 - a_n,\ \tilde{a}_3 = a_3 - a_1,\ \dots,\ \tilde{a}_{n-2} = a_{n-2} - a_{n-4},\ \tilde{a}_{n-1} = a_{n-1} - a_{n-3}, \qquad (9)
$$

which determines $a_3, \dots, a_{n-1}$ as linear combinations of $a\,(= a_1)$, $b\,(= a_2)$, $\tilde a_3, \dots, \tilde a_{n-1}$, that is, $a_3 := a_1 + \tilde a_3, \dots, a_{n-2} := a_{n-4} + \tilde a_{n-2} = b + \tilde a_4 + \cdots + \tilde a_{n-2}$, $a_{n-1} := a_{n-3} + \tilde a_{n-1} = a + \tilde a_3 + \cdots + \tilde a_{n-1}$, $a_n := a_2 - \tilde a_2$.

Therefore, $\mathcal{B}$ simulates the $h_i$ as follows: $h_1 := g^a$, $h_2 := g^b$, $h_3 := g^{a_1+\tilde a_3} = g^a \cdot g^{\tilde a_3}$, $h_4 := g^{a_2+\tilde a_4} = g^b \cdot g^{\tilde a_4}$, $\dots$, $h_{n-2} := g^{b+\tilde a_4+\cdots+\tilde a_{n-2}} = g^b \cdot g^{\tilde a_4+\cdots+\tilde a_{n-2}}$, $h_{n-1} := g^{a+\tilde a_3+\cdots+\tilde a_{n-1}} = g^a \cdot g^{\tilde a_3+\cdots+\tilde a_{n-1}}$, $h_n := g^{a_2-\tilde a_2} = g^b \cdot g^{-\tilde a_2}$, and $\mathcal{B}$ also simulates the $u_i$ as follows, using relations (9): $u_i := h_i^{\tilde a_{i+1}}$ for $i = 1, \dots, n-2$, $u_{n-1} := h_{n-1}^{-\sum_{i=1,3,\dots,n-3} \tilde a_{i+1}}$, $u_n := h_n^{-\sum_{i=2,4,\dots,n-2} \tilde a_{i+1}}$, where $a_n - a_{n-2} = (a_2 - \tilde a_2) - (a_2 + \tilde a_4 + \cdots + \tilde a_{n-2}) = -\sum_{i=1,3,\dots,n-3} \tilde a_{i+1}$ and $a_1 - a_{n-1} = -\sum_{i=2,4,\dots,n-2} \tilde a_{i+1}$ hold. Here, $\mathcal{B}$'s simulations of $h_i$ and $u_i$ are perfect.

Since the correct $K = K_2$ is $K_2 = J_{1,2}^{\,n} \cdot u_2^{\,n-1} \cdot u_3^{\,n-2} \cdots u_n$ with $J_{1,2} = g^{ab}$, $\mathcal{B}$ simulates the shared key $K$ as $K := T^n \cdot u_2^{\,n-1} \cdot u_3^{\,n-2} \cdots u_n$, where $T$ is given in the DDH instance and the $u_i$ are calculated as above, and then $\mathcal{B}$ gives it to $\mathcal{A}$. When $\mathcal{A}$ answers the question whether $K$ is correct or random, $\mathcal{B}$ answers its own problem in the same way as $\mathcal{A}$.

If $T = g^{ab}$, then the simulation is the same as the real game, and if $T = g^c$, then $K$ is uniformly random and distributed independently of the other variables. $\square$
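The simulator $\mathcal{B}$ from the proof of Theorem 6, carried out in code as an added example (not from the original chapter). It builds $(h_i, u_i)$ and $K$ from a DDH tuple and relations (9) exactly as above, in the same constructed toy group used for the protocol example; a second helper recomputes the honest transcript from the exponents that (9) implies, so the two can be compared.

```python
import secrets

# Same constructed toy group as the protocol example: safe prime p = 2q + 1,
# g = 4 of prime order q (illustration only, not a secure parameter).
P, Q, G = 1019, 509, 4


def simulate_bd(n, ga, gb, T):
    """DDH solver B from the proof of Theorem 6, for even n >= 4.
    B knows only (g^a, g^b, T): it implicitly sets a_1 = a, a_2 = b, draws
    a~_2..a~_{n-1} and applies relations (9). Lists are 1-indexed (slot 0
    unused) to match the paper; the a~_i are returned so a test can check."""
    at = [None, None] + [secrets.randbelow(Q) for _ in range(2, n)]
    h = [None] * (n + 1)
    h[1], h[2] = ga, gb
    for k in range(3, n):                       # a_k = a_{k-2} + a~_k
        h[k] = h[k - 2] * pow(G, at[k], P) % P
    h[n] = gb * pow(G, -at[2] % Q, P) % P       # a_n = a_2 - a~_2
    u = [None] * (n + 1)
    for i in range(1, n - 1):                   # u_i = h_i^{a~_{i+1}}, i <= n-2
        u[i] = pow(h[i], at[i + 1], P)
    even_sum = sum(at[i + 1] for i in range(1, n - 2, 2))  # a~_2 + a~_4 + ... + a~_{n-2}
    odd_sum = sum(at[i + 1] for i in range(2, n - 1, 2))   # a~_3 + a~_5 + ... + a~_{n-1}
    u[n - 1] = pow(h[n - 1], -even_sum % Q, P)  # exponent a_n - a_{n-2}
    u[n] = pow(h[n], -odd_sum % Q, P)           # exponent a_1 - a_{n-1}
    K = pow(T, n, P)                            # K_2 = J_{1,2}^n * u_2^{n-1} * ... * u_n
    for i in range(2, n + 1):
        K = K * pow(u[i], n + 1 - i, P) % P
    return h[1:], u[1:], K, at


def honest_bd(a):
    """Honest BD transcript and key for known exponents a_1..a_n (0-indexed list)."""
    n = len(a)
    h = [pow(G, ai % Q, P) for ai in a]
    u = [pow(G, a[i] * (a[(i + 1) % n] - a[(i - 1) % n]) % Q, P) for i in range(n)]
    K = 1
    for i in range(n):
        K = K * pow(G, a[i] * a[(i + 1) % n] % Q, P) % P
    return h, u, K


def implied_exponents(a, b, at):
    """Exponents a_1..a_n that relations (9) assign for the simulator's a~_i."""
    n = len(at)
    exps = [a, b]
    for k in range(3, n):
        exps.append(exps[k - 3] + at[k])
    exps.append(b - at[2])
    return exps
```

With $T = g^{ab}$ the simulated $(h_i, u_i, K)$ coincide with an honest run for the implied exponents; with $T = g^c$ only $K$ changes.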

#### **Appendix 2: Key Derivation Function (KDF)**

Let a two-party key exchange with shared key space $\mathcal{K}$ be given. A map $\phi : \mathcal{K} \to \mathbb{G}$ is called a key derivation function (with range $\mathbb{G}$) if the two distributions $\{\phi(\kappa) \mid \kappa \leftarrow_R \mathcal{K}\}$ and $\{J \mid J \leftarrow_R \mathbb{G}\}$ are indistinguishable. Such a KDF can be obtained from a standard hash function, e.g., SHA-2 or SHA-3. For the details, see Abe et al. (2005), for example.

#### **Appendix 3: SIDH and CSIDH Key Exchange**

#### *Appendix 3.1: SIDH Key Exchange (Feo et al. 2014)*

A supersingular elliptic curve $E$ and generators of smooth-order rank-2 torsion subgroups are taken as public parameters. Alice and Bob choose random cyclic subgroups as their secret keys, and calculate the isogenies whose kernels are these secret keys by using Vélu's formulas. They publish as their public keys the range curves of the isogenies together with the images of the generators. Finally, each calculates an isogeny from the other's public key. The range curves of these isogenies are isomorphic; therefore their $j$-invariants coincide. The detailed protocol is given as follows.

Setup. Let $e_A, e_B \in \mathbb{Z}$, and let $\ell_A, \ell_B$ be small primes (e.g., 2, 3), where $\ell_A^{e_A}$ and $\ell_B^{e_B}$ are close. Let $p$ be a prime which satisfies $p = \ell_A^{e_A} \ell_B^{e_B} f \pm 1$, where $f$ is a small positive integer. Let $E : \delta y^2 = x^3 + \alpha x^2 + x$ be a supersingular elliptic curve defined over $\mathbb{F}_{p^2}$, where the cardinality of $E(\mathbb{F}_{p^2})$ is $(\ell_A^{e_A} \ell_B^{e_B} f)^2$. Let $P_A, Q_A$ be generators of $E[\ell_A^{e_A}]$, and $P_B, Q_B$ be generators of $E[\ell_B^{e_B}]$. Let the public parameters be $\mathrm{params}_{\mathrm{SIDH}} := (p, E, P_A, Q_A, P_B, Q_B)$.

Round-1. Alice chooses a random number $k_A \in (\mathbb{Z}/\ell_A^{e_A}\mathbb{Z})^{\times}$, and calculates $R_A = P_A + k_A Q_A$. Here, the order of $R_A$ is $\ell_A^{e_A}$. Alice calculates an $\ell_A^{e_A}$-isogeny $\phi_A : E \to E_A := E/\langle R_A \rangle$ and $\phi_A(P_B), \phi_A(Q_B)$ by using Vélu's formulas.

Similarly, Bob chooses a random number $k_B \in (\mathbb{Z}/\ell_B^{e_B}\mathbb{Z})^{\times}$, and calculates $R_B = P_B + k_B Q_B$. Here, the order of $R_B$ is $\ell_B^{e_B}$. Bob calculates an $\ell_B^{e_B}$-isogeny $\phi_B : E \to E_B := E/\langle R_B \rangle$ and $\phi_B(P_A), \phi_B(Q_A)$ by using Vélu's formulas.

Alice sends $E_A, \phi_A(P_B), \phi_A(Q_B)$ to Bob, and Bob sends $E_B, \phi_B(P_A), \phi_B(Q_A)$ to Alice.

KeyComp. Alice calculates $R'_A = \phi_B(P_A) + k_A \phi_B(Q_A)$. Here, the order of $R'_A$ is $\ell_A^{e_A}$. Alice calculates an $\ell_A^{e_A}$-isogeny $\phi'_A : E_B \to E_{AB} := E_B/\langle R'_A \rangle$ and $K_A = j(E_{AB})$ by using Vélu's formulas.

Bob calculates $R'_B = \phi_A(P_B) + k_B \phi_A(Q_B)$. Here, the order of $R'_B$ is $\ell_B^{e_B}$. Bob calculates an $\ell_B^{e_B}$-isogeny $\phi'_B : E_A \to E_{BA} := E_A/\langle R'_B \rangle$ and $K_B = j(E_{BA})$ by using Vélu's formulas.

It holds that $\ker(\phi'_A \circ \phi_B) = \phi_B^{-1}(\langle R'_A \rangle) = \langle R_A \rangle \oplus \langle R_B \rangle$ and $\ker(\phi'_B \circ \phi_A) = \phi_A^{-1}(\langle R'_B \rangle) = \langle R_B \rangle \oplus \langle R_A \rangle$. Hence, $K_A = K_B$ holds; therefore, SIDH is correct. The SI-DDH assumption is defined in Definition 2.

**Theorem 1** (Feo et al. 2014) *The SIDH key exchange is post-quantumly secure under the SI-DDH assumption.*

#### *Appendix 3.2: CSIDH Key Exchange (Castryck et al. 2018)*

CSIDH (Commutative Supersingular Isogeny Diffie–Hellman) was proposed by Castryck et al. in 2018 (Castryck et al. 2018).

Let a prime $p := 4 \cdot \ell_1 \cdots \ell_s - 1$, where $\ell_1, \dots, \ell_s$ are small distinct odd primes. Let $\mathcal{O}$ be an order in an imaginary quadratic field, $\pi \in \mathcal{O}$, $\pi_p$ the $p$-th power Frobenius endomorphism, and $\mathcal{E}\ell\ell_p(\mathcal{O}, \pi)$ the set of $\mathbb{F}_p$-isomorphism classes of $\mathbb{F}_p$-rational supersingular elliptic curves whose $\mathbb{F}_p$-endomorphism ring is equal to $\mathcal{O}$ and whose Frobenius $\pi_p$ is given by $\pi \in \mathcal{O}$. For CSIDH, we only consider the case $\mathcal{O} \cong \mathbb{Z}[\pi_p]$. CSIDH is based on the action of the ideal class group $\mathrm{cl}(\mathcal{O})$ on $\mathcal{E}\ell\ell_p(\mathcal{O}, \pi)$. Alice and Bob generate random elements of $\mathrm{cl}(\mathcal{O})$ as their secret keys, and calculate their actions on $E/\mathbb{F}_p : y^2 = x^3 + x$. They publish the obtained elliptic curves as public keys. Finally, they calculate their secret key actions on each other's public keys. The obtained elliptic curves are isomorphic over $\mathbb{F}_p$, and their Montgomery coefficients are the same. The detailed protocol is given as follows.


By commutativity of cl(*O*) and the uniqueness of the Montgomery coefficient, it holds that *KA* = *KB*; therefore, CSIDH is correct.

The CSI-DDH assumption is defined in Definition 3.

**Theorem 2** (Castryck et al. 2018) *The CSIDH key exchange is post-quantumly secure under the CSI-DDH assumption.*

## **Appendix 4: Decisional CSI-PBD ((*n*, *d*)-CSI-PBD) Assumption**

**Definition 7** (*Decisional CSI-PBD ((n, d)-CSI-PBD) Assumption*) Let $(\mathsf{pub}_{n,d}, K) \leftarrow_R \mathrm{Exec}_{(n,d)\text{-CSI-PBD}}(\lambda)$, where $M_{i-1,i} := \prod_{\mu=1}^d m\big(E^{(\mu)}_{i-1,i}\big)$, $M_{i,i+1} := \prod_{\mu=1}^d m\big(E^{(\mu)}_{i,i+1}\big)$, $u_i := M_{i,i+1} \cdot M_{i-1,i}^{-1}$, $\mathsf{pub}_{n,d} := \big(\mathrm{params}_{\mathrm{CSIDH}}, \{E^{(\mu)}_i, u_i\}_{i\in[n],\,\mu\in[d]}\big)$, and $K := \prod_{i=1}^n M_{i,i+1}$. An $(n,d)$-CSI-PBD problem instance is given as $(\mathsf{pub}_{n,d}, \kappa_\beta)$, where $\kappa_0 := K$, $\kappa_1 \leftarrow_R \mathbb{F}_p$, and $\beta \leftarrow_R \{0, 1\}$. For any quantum algorithm $\mathcal{B}$, the advantage of $\mathcal{B}$ is defined as $\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_{\mathcal{B}}(\lambda) := \big|\Pr[\mathcal{B}(\mathsf{pub}_{n,d}, \kappa_0) = 1] - \Pr[\mathcal{B}(\mathsf{pub}_{n,d}, \kappa_1) = 1]\big|$, and the $(n,d)$-CSI-PBD assumption holds if $\mathrm{Adv}^{(n,d)\text{-CSI-PBD}}_{\mathcal{B}}(\lambda)$ is negligible in $\lambda$ for any polynomial-time quantum adversary $\mathcal{B}$.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

## **Index**

#### **A**

Adjacency matrices, 233
Apéry-like numbers, 96

#### **B**

BKZ algorithm, 193
Bounded observability, 13

#### **C**

Cayley graphs, 169
Cayley hash functions, 232
Cloud quantum computer, 18
Cold atoms, 125
Combinatorial group theory, 59
Concealing-restoring system, 104
Congruence relations, 97
Continuous variables quantum computation, 80

#### **D**

Degenerate eigenvalues, 150

#### **E**

Elliptic curves, 44, 254
Enumeration algorithm, 194
Expander graphs, 232

#### **F**

Fully homomorphic encryption, 58

#### **G**

Giant atoms, 126
Gottesman–Kitaev–Preskill code, 81
Group actions, 176
Group key exchange, 251
Group–subgroup pair graphs, 170
Group word problem, 238

#### **H**

Heat kernel, 95
Heun ODE, 98
Homogeneity of graphs, 170

#### **I**

Information-theoretic security, 13
Isogeny-based cryptography, 252

#### **J**

Juddian solutions, 151

#### **K**

Kalman filter, 110

#### **L**

Lamb shift, 128
Lattice-based cryptography, 252
Lattice basis reduction, 198
LLL algorithm, 198
LPS graphs, 232

© The Author(s) 2021 T. Takagi et al. (eds.), *International Symposium on Mathematics, Quantum Theory, and Cryptography*, Mathematics for Industry 33, https://doi.org/10.1007/978-981-15-5191-8

#### **M**

Modular forms, 96
Multivariate public-key cryptography, 210

#### **N**

NIST SP 800-22, 18
Noise disturbance, 104
Noise-filtering, 109
Non-commutative group, 58
Non-commutative harmonic oscillators, 95
Numerical computations, 11

#### **O**

Open Systems Interconnection (OSI), 104
Oversimplified Shor's algorithm, 51

#### **P**

Particle filter, 120
Pizer graphs, 232
Post-Quantum Cryptography (PQC), 189, 209, 231, 251

#### **Q**

Quantum advantage, 80
Quantum computer, 40
Quantum optics, 125
Quantum Rabi Models (QRM), 149
Quaternion algebras, 233

#### **R**

Ramanujan graphs, 232
Random number generator, 18
Random sampling algorithm, 197
Representation theory, 172
RSA cryptosystem, 39

#### **S**

Secret key distribution, 13
Shor's quantum factoring algorithm, 42
Shortest vector problem, 193
Sieve algorithm, 196
Special values, 96
Spectral zeta functions, 96
Spectra of graphs, 170
Static assumptions, 252
Stochastic process estimation, 105
Superconducting qubits, 126
Surface Acoustic Waves (SAWs), 126

#### **W**

Waveguide quantum electrodynamics, 126
Wigner function, 80