University of Southern California Dissertations and Theses
Expander Cayley graphs over finite strings and pseudorandomness
EXPANDER CAYLEY GRAPHS OVER FINITE STRINGS AND PSEUDORANDOMNESS

by Lian Liu

A Dissertation Presented to the FACULTY OF THE USC GRADUATE SCHOOL, UNIVERSITY OF SOUTHERN CALIFORNIA, in Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (COMPUTER SCIENCE), May 2017.

Copyright 2017 Lian Liu

Dedication

To my beloved mother Xiuyan Li and father Baijun Liu, my wife Yun Ling, and daughter Chloe Ling Liu.

Acknowledgments

I am grateful to my advisor, Prof. Ming-Deh Huang, for his kindness, guidance, and unwavering support. I am also very grateful to Prof. Shaddin Dughmi, Prof. Eric Friedlander, Prof. Leana Golubchik, Prof. David Kempe, Prof. Sheldon Ross and Prof. Shang-Hua Teng for their conscientious service as my qualifying and defense committees.

Contents

Dedication
Acknowledgments
List of Tables
List of Figures
Abstract
1 Preliminary and Related Work
  1.1 Algebraic Background
    1.1.1 Algebraic structures
    1.1.2 Morphisms and Characters
    1.1.3 Character sums
  1.2 Graphs and Random Walks
    1.2.1 Expander graphs
    1.2.2 Random walks
    1.2.3 Explicit constructions
2 Expander Graphs over Finite Algebras
  2.1 Introduction
  2.2 Generating Sets and Expanders
    2.2.1 Regarding A as a GF(q)-algebra
    2.2.2 Extending the base field of A
    2.2.3 Constructing small generating sets
    2.2.4 Extending to the general case
    2.2.5 Expander graphs of general degrees
  2.3 Experiments
    2.3.1 Experimental study of the generating sets
    2.3.2 Experimental study of the expander graphs
  2.4 Conclusion and Future Work
3 Projective Cayley Graphs
  3.1 Introduction
  3.2 General Observations
  3.3 Expanders over Direct Sums of Z/pZ
    3.3.1 The structure of A*
    3.3.2 Finding a basis
    3.3.3 Decomposition
    3.3.4 Expanders over direct sums of Z/pZ
  3.4 Remarks and Future Work
4 Expander Graphs and Pseudorandomness
  4.1 Introduction
  4.2 Related Work
  4.3 Expander Cayley Graphs over Bit Strings
  4.4 A Simple Pseudorandom Generator
  4.5 Indistinguishability: a Discussion
  4.6 Conclusion and Future Work
Bibliography

List of Tables

2.1 Expander graphs over $(\mathbb{F}_p[x]/f^e)^*$ of low degrees

List of Figures

2.1 The growth of $c$ and $d$
2.2 The effect of $p$
2.3 The effect of $e$
Abstract

We present an explicit construction of expander Cayley graphs over the direct sum of multiple copies of $\mathbb{Z}/p\mathbb{Z}$, where $p$ is a prime number. So far as we know, our work is the first expander Cayley graph construction over such groups. Our construction consists of two phases. In the first phase, we consider Cayley graphs over the multiplicative groups of algebras over finite fields. We prove that for some well-chosen small generating sets, which can be computed in polynomial time, the induced Cayley graphs are expanding. In the second phase, we construct a new Cayley graph by projecting the graph created in the first phase onto a direct component of the underlying group. We show that the component onto which the graph is projected is isomorphic to the direct sum of multiple copies of $\mathbb{Z}/p\mathbb{Z}$, and that the resulting Cayley graph is a good expander. Interestingly, we found that many expander graphs whose degrees are not of any special form can be explicitly constructed under this framework, which could be regarded as a tiny step towards the open problem of constructing infinite families of Ramanujan graphs of every degree.

A special case of particular interest is when $p$ equals 2. In this situation, the vertices of such a graph naturally correspond to bit strings of a fixed length, and each edge represents a transition between two bit strings under the standard exclusive-or operation. As an application, we then propose a simple pseudorandom generator based on random walks on the graph. An important question is whether our pseudorandom generator is indistinguishable from a truly random source under probabilistic polynomial time attacks; this question, however, remains open. In fact, constructing a secure and efficient pseudorandom generator has been an open problem since the birth of modern cryptography, whose solution may lead to huge breakthroughs in computer science. Therefore, our goal here is not to address this problem, even partially.
Instead, along with our discussion, we demonstrate that our expander Cayley graphs have some appealing features that all previous constructions lack. These new features might open up many topics for future research.

Chapter 1 Preliminary and Related Work

In this chapter, we give a minimal introduction to the common algebraic and graph-theoretic foundation for the entire thesis. This introduction is neither rigorous nor complete. Nevertheless, our goal is to make it a good preparation and a quick starter for most readers with a computer science background to understand the rest of this thesis. We would like to direct readers to the celebrated books [6, 7, 11, 28] for more details.

1.1 Algebraic Background

1.1.1 Algebraic structures

Definition 1.1 (group). A group is a set $G$ together with a binary operation $*: G\times G\to G$ which satisfies the following group axioms:
• Closure: for all $a,b\in G$, $a*b\in G$;
• Associativity: for all $a,b,c\in G$, $(a*b)*c = a*(b*c)$;
• Identity: there exists a unique element $1_G\in G$ such that for all $a\in G$, $1_G*a = a*1_G = a$. $1_G$ is called the identity element of the group, which is often written as $1$ for simplicity if $G$ is known from the context;
• Inverse: for each $a\in G$, there exists an element $a^{-1}\in G$ such that $a^{-1}*a = a*a^{-1} = 1$. We call $a^{-1}$ the inverse of $a$ in $G$.

Example 1.1. The most well-known examples of groups include:
• $\mathbb{Z}$, the set of integers under addition;
• $\mathbb{Z}/n\mathbb{Z}$, the set of integers modulo $n$, where for all $a,b\in\mathbb{Z}/n\mathbb{Z}$ the group operation gives $(a+b) \bmod n$;
• $\mathbb{C}^*$, the set of nonzero complex numbers under multiplication;
• $GL_n(\mathbb{R})$, the set of nonsingular $n$ by $n$ real matrices under standard matrix multiplication;
• $S_n$, the symmetric group on $n$ objects, whose elements are all possible permutations of $n$ objects, where the group operation is composition of two permutations.

Definition 1.2 (finite abelian group).
A group $G$ with $*$ is said to be finite if $G$ is finite, and is said to be abelian if $*$ satisfies
• Commutativity: for all $a,b\in G$, $a*b = b*a$.

In Example 1.1, one may verify that $\mathbb{Z}/n\mathbb{Z}$ is a finite abelian group, while all the others are not. In particular, $S_n$ is not abelian because it does not satisfy the commutativity constraint.

Definition 1.3 (normal subgroup). $H$ is called a subgroup of $G$ with group operation $*$ if $H\subseteq G$ and the restriction of $*$ to $H\times H$ is a group operation on $H$. We write $H\le G$. $H$ is said to be a normal subgroup of $G$ if $H\le G$ and for all $h\in H$ and $g\in G$, it holds that $ghg^{-1}\in H$. In this case, we write $H\triangleleft G$.

Definition 1.4 (generating set). A generating set $S$ of a group $G$ is a subset $S\subseteq G$ such that every element $g\in G$ can be expressed as a combination (under the group operation) of finitely many elements of the subset and their inverses. That is, there exist $t\in\mathbb{N}$, $s_i\in S$ and $a_i\in\mathbb{Z}$ such that $g = \prod_{i=1}^t s_i^{a_i}$. This is denoted by $G = \langle S\rangle$.

Definition 1.5 (cyclic group). A group $G$ is said to be cyclic if there is a single element $g$ such that $\langle g\rangle = G$.

Example 1.2. Some well-known examples of cyclic groups include:
• $\mathbb{Z}$ under addition, which is generated by $1$;
• $\mathbb{Z}/n\mathbb{Z}$ under addition modulo $n$, which is generated by $k \bmod n$ where $\gcd(k,n) = 1$;
• the set of $n$-th roots of unity $\{z\in\mathbb{C} \mid z^n = 1\}$ under multiplication, which is generated by elements of the form $e^{2k\pi i/n}$ where $\gcd(k,n) = 1$.

Definition 1.6 (direct sum). A group $G$ is a direct sum of two groups $K$ and $H$ if $K, H\triangleleft G$, $K\cap H = \{1_G\}$ and $G = \langle K, H\rangle$, meaning that every $g$ can be written as $k*h$, where $k\in K$ and $h\in H$. This is denoted by $G = K\oplus H$.

Definition 1.7 (field). A field is a tuple $(F, +, *)$, where $F$ is a set and $+, *$ are two operations which satisfy the following field axioms:
• $(F, +)$ is an abelian group with identity element $0_F$;
• $(F\setminus\{0_F\}, *)$ is an abelian group with identity element $1_F\ne 0_F$.
The group $(F\setminus\{0_F\}, *)$ is called the multiplicative group, or the unit group, of the field, denoted by $F^*$.
When $F$ is finite, we say $(F, +, *)$ (or $F$ for simplicity) is a finite field. Recall that every finite field contains $q := p^n$ elements, where $p$ is a prime number and $n\ge 1$ is an integer. We will use $\mathbb{F}_q$ or equivalently $GF(q)$ to denote a finite field containing $q$ elements. A basic fact shows that for every $q = p^n$, $\mathbb{F}_q \simeq \mathbb{F}_p[\alpha] \simeq \mathbb{F}_p[x]/f$, where $f\in\mathbb{F}_p[x]$ is an irreducible polynomial of degree $n$ and $f(\alpha) = 0$.

Definition 1.8 (algebra over a field). An algebra $A$ over a field $K$ is a vector space over $K$ with a bilinear operator $\cdot : A\times A\to A$. That is,
• for all $x,y,z\in A$, $(x+y)\cdot z = x\cdot z + y\cdot z$;
• for all $x,y,z\in A$, $x\cdot(y+z) = x\cdot y + x\cdot z$;
• for all $x,y\in A$ and $a,b\in K$, $(ax)\cdot(by) = (ab)(x\cdot y)$.
Equivalently, we say $A$ is a $K$-algebra.

Example 1.3. Every complex number can be written as $a+bi$, where $a,b\in\mathbb{R}$. Therefore $\mathbb{C}$ is a vector space over $\mathbb{R}$ with basis $(1, i)$. One may also verify that the complex product $(a,b)\cdot(c,d) = (ac-bd,\ ad+bc)$ is bilinear. Therefore, $\mathbb{C}$ is an $\mathbb{R}$-algebra.

Example 1.4. Let $F\in\mathbb{F}_q[x]$ be a polynomial of degree $n\ge 1$. Then $B := \mathbb{F}_q[x]/F$ is a vector space over $\mathbb{F}_q$ with basis $(1, x, x^2, \dots, x^{n-1})$. For all $f,g\in B$, one may also verify that the standard modular arithmetic $(f \bmod F)\cdot(g \bmod F) = (f\cdot g) \bmod F$ is bilinear. Therefore, $B$ is an $\mathbb{F}_q$-algebra.

Note that by the abbreviation "algebra" we always mean a finite commutative algebra over a finite field, unless otherwise stated.

1.1.2 Morphisms and Characters

Definition 1.9 (group homomorphism). Given groups $G$ with operation $*$ and $H$ with operation $\circ$, a group homomorphism from $G$ to $H$ is a function $h: G\to H$ such that for all $a,b\in G$, it holds that $h(a*b) = h(a)\circ h(b)$. In the special case when $h$ is bijective, we say $h$ is an isomorphism, and $G$ is isomorphic to $H$, denoted by $G\simeq H$. If $h: G\to G$ is an isomorphism, then $h$ is called an automorphism. Let $\mathrm{Aut}(G)$ denote the set of all automorphisms on a group $G$. One may verify that $\mathrm{Aut}(G)$ forms a group under the operation $\circ$, where for all $\phi,\theta\in\mathrm{Aut}(G)$, $\phi\circ\theta = \phi(\theta)$.

Definition 1.10 (field embedding).
Given two fields $F$ and $K$, an embedding of $F$ into $K$ is an injective function $i: F\hookrightarrow K$ such that for all $a,b\in F$,
• $i(a+b) = i(a)+i(b)$;
• $i(a\cdot b) = i(a)\cdot i(b)$;
• $i(1_F) = 1_K$.

Definition 1.11 (character). A character of a group $G$ is a group homomorphism $\chi: G\to\mathbb{C}^*$. That is, for all $a,b\in G$, $\chi(ab) = \chi(a)\chi(b)$. We use $X(G)$ to denote the set of all distinct characters of $G$, and let $\tilde X(G)$ denote the set of all nontrivial characters of $G$.

In the special case when $G$ is a nontrivial finite abelian group, by the structure theorem of finitely generated abelian groups, there exist integers $d_1,\dots,d_m$ such that
$$G \simeq \bigoplus_{i=1}^m (\mathbb{Z}/d_i\mathbb{Z}). \quad (1.1)$$
Every element $g\in G$ can be decomposed as $g \simeq g_1\oplus\dots\oplus g_m$ with respect to this decomposition. Then each character $\chi\in X(G)$ sends $g$ to $\mathbb{C}^*$ via
$$\chi: g \mapsto \prod_{i=1}^m \omega_{d_i}^{g_i}, \quad (1.2)$$
where $\omega_d$ stands for a $d$-th root of unity. $X(G)$ is precisely the set of all such characters, and hence we have $|X(G)| = |G|$. When $\omega_{d_1} = \dots = \omega_{d_m} = 1$, $\chi$ is said to be trivial, i.e., $\chi(g) = 1$ for all $g\in G$. Otherwise, $\chi$ is said to be nontrivial.

Proposition 1.1. Let $G$ be a finite abelian group with $n := |G|$. Assume a fixed order $g_1,\dots,g_n$ on the elements of $G$; then $\{(\chi(g_1),\dots,\chi(g_n)) \mid \chi\in X(G)\}$ forms an orthogonal basis for $\mathbb{C}^n$.

Proof. Fix a decomposition of $G$, and suppose two vectors $u, v$ are given by
$$u = \begin{pmatrix}\chi_1(g_1)\\ \vdots\\ \chi_1(g_n)\end{pmatrix} = \begin{pmatrix}\omega_{d_1}^0\cdots\omega_{d_m}^0\\ \vdots\\ \omega_{d_1}^{d_1-1}\cdots\omega_{d_m}^{d_m-1}\end{pmatrix}, \qquad v = \begin{pmatrix}\chi_2(g_1)\\ \vdots\\ \chi_2(g_n)\end{pmatrix} = \begin{pmatrix}\theta_{d_1}^0\cdots\theta_{d_m}^0\\ \vdots\\ \theta_{d_1}^{d_1-1}\cdots\theta_{d_m}^{d_m-1}\end{pmatrix},$$
where $\chi_1\ne\chi_2\in X(G)$ and $\omega_{d_i}, \theta_{d_i}$ are $d_i$-th roots of unity. We first verify the inner product between $u$ and itself; a standard calculation shows that
$$\langle u,u\rangle = \sum_{i_1=0}^{d_1-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=1}^m\omega_{d_j}^{i_j}\,\overline{\prod_{j=1}^m\omega_{d_j}^{i_j}} = \sum_{i_1=0}^{d_1-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=1}^m\left(\omega_{d_j}\overline{\omega_{d_j}}\right)^{i_j} = \sum_{i_1=0}^{d_1-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=1}^m 1 = n > 0. \quad (1.3)$$

If $\chi_1\ne\chi_2$, there must be some $k$ such that $\omega_{d_k}\ne\theta_{d_k}$. We assume without loss of generality that $\omega_{d_1}\ne\theta_{d_1}$.
Thus, $\omega_{d_1}\overline{\theta_{d_1}} = \phi_{d_1}$, where $\phi_{d_1}$ is a nontrivial $d_1$-th root of unity. Then the inner product between $u$ and $v$ is given by
$$\begin{aligned}\langle u,v\rangle &= \sum_{i_1=0}^{d_1-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=1}^m\omega_{d_j}^{i_j}\,\overline{\prod_{j=1}^m\theta_{d_j}^{i_j}} \\ &= \sum_{i_1=0}^{d_1-1}\left(\omega_{d_1}\overline{\theta_{d_1}}\right)^{i_1}\sum_{i_2=0}^{d_2-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=2}^m\omega_{d_j}^{i_j}\,\overline{\prod_{j=2}^m\theta_{d_j}^{i_j}} \\ &= \sum_{i_1=0}^{d_1-1}\left(\phi_{d_1}\right)^{i_1}\sum_{i_2=0}^{d_2-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=2}^m\omega_{d_j}^{i_j}\,\overline{\prod_{j=2}^m\theta_{d_j}^{i_j}} \\ &= 0\cdot\sum_{i_2=0}^{d_2-1}\cdots\sum_{i_m=0}^{d_m-1}\prod_{j=2}^m\omega_{d_j}^{i_j}\,\overline{\prod_{j=2}^m\theta_{d_j}^{i_j}} = 0.\end{aligned} \quad (1.4)$$

For any finite abelian group $G$ of order $n$, $X(G)$ actually forms an abelian group under $\circ$, where for all $\chi,\chi'\in X(G)$, $(\chi\circ\chi')(g) = \chi(g)\cdot\chi'(g)$ for all $g\in G$. Therefore, $X(G)$ is called the character group of $G$; its identity is the trivial character, and since $|\chi(g)| = 1$ for all $g\in G$, the inverse of $\chi$ sends $g$ to the complex conjugate of $\chi(g)$.

1.1.3 Character sums

Character sums, i.e., sums of a character over a subset of a group, are useful for analyzing the expansion of some graphs. In the past few decades, extensive research has established upper bounds on the character sum over different types of subsets of the multiplicative groups of finite fields [13, 29, 36]. In particular, the following character sum bound is strongly related to our situation.

Proposition 1.2. Let $B$ be an arbitrary finite $n$-dimensional commutative $\mathbb{F}_q$-algebra and $x$ be an element of $B$. If $\chi$ is a character of the multiplicative group $B^\times$ (extended by zero to all of $B$) which is nontrivial on $\mathbb{F}_q[x]$, then
$$\left|\sum_{t\in\mathbb{F}_q}\chi(t-x)\right| \le (n-1)\sqrt q.$$

We remark that Proposition 1.2 was initially conjectured by Katz in [29]. According to Lenstra's observation [43], this result actually follows as a consequence of Weil's character sum estimate [44]. Below, we briefly recap the proof of this proposition from [43] to make this thesis self-contained.

Consider any nontrivial character $\chi$ of $B^*$, where $B = \mathbb{F}_q[x]/F$ for a monic polynomial $F\in\mathbb{F}_q[x]$ of degree $n$.
Let us extend $\chi$ to all of $\mathbb{F}_q[x]$ such that for every $g\in\mathbb{F}_q[x]$,
$$\chi(g) = \begin{cases}\chi(g \bmod F), & \text{if } \gcd(g,F) = 1;\\ 0, & \text{otherwise.}\end{cases} \quad (1.5)$$
The $L$-function $L_\chi(t): \mathbb{C}\to\mathbb{C}$ associated with $\chi$ is defined to be
$$L_\chi(t) = \sum_{\text{monic } g\in\mathbb{F}_q[x]}\chi(g)\,t^{\deg g} = \prod_{g\ \text{irred.}}\frac{1}{1-\chi(g)\,t^{\deg g}}. \quad (1.6)$$
From this definition, we can verify that $L_\chi(t)$, as a polynomial in $t$, has degree at most $n-1$. This is because for all $N\ge n$ and every residue $h \pmod F$, there are exactly $q^{N-n}$ monic polynomials $g$ of degree $N$ such that $g\equiv h \pmod F$, and therefore
$$\sum_{\deg g = N}\chi(g) = q^{N-n}\sum_{h \pmod F}\chi(h) = 0. \quad (1.7)$$
This implies that $L_\chi(t)$ has at most $n-1$ roots, and thus we can write it in the form
$$L_\chi(t) = \prod_{i=1}^r(1-\rho_i t), \quad (1.8)$$
where $r\le n-1$ and each $\rho_i$ is a complex number. On the other hand, a key observation from [43] states that
$$L_\chi(t) = \exp\left(\sum_{d=1}^\infty\frac{S_\chi(d)}{d}t^d\right), \quad (1.9)$$
where $S_\chi(d)$ is the character sum
$$S_\chi(d) = \sum_{k\mid d} k\sum_{\deg(g) = k,\ g\ \text{irred.}}\chi(g)^{d/k}. \quad (1.10)$$
Combining Equations (1.8) and (1.9), we obtain
$$\ln L_\chi(t) = \sum_{i=1}^r\ln(1-\rho_i t) = \sum_{i=1}^r\sum_{d=1}^\infty\frac{-\rho_i^d}{d}t^d = \sum_{d=1}^\infty\frac{-\sum_{i=1}^r\rho_i^d}{d}t^d = \sum_{d=1}^\infty\frac{S_\chi(d)}{d}t^d. \quad (1.11)$$
Thus, the character sum $S_\chi(d)$ is related to the roots of $L_\chi(t)$ through
$$S_\chi(d) = -\sum_{i=1}^r\rho_i^d. \quad (1.12)$$
The Riemann hypothesis over finite fields states that each $|\rho_i| = \sqrt q$, and thus
$$|S_\chi(d)| \le (n-1)\,q^{d/2}. \quad (1.13)$$
In particular, when $d = 1$, this implies the desired result of the proposition.

1.2 Graphs and Random Walks

1.2.1 Expander graphs

Given an undirected graph $\Gamma = (V,E)$ with $N := |V|$, the adjacency matrix $A$ of $\Gamma$ is defined as the $N\times N$ matrix where each entry $A_{i,j}$ is the number of edges between vertex $i$ and vertex $j$. Note that each self-loop is counted as two edges. We say $\Gamma$ is a $d$-regular graph if every vertex of $\Gamma$ has degree $d$, and we will write the degree of a vertex $i$ as $d_i$. We say $\Gamma$ is connected if for all $i,j\in V$, there is a path from vertex $i$ to vertex $j$.
We say $\Gamma$ is bipartite if there exists a partition $(S,\bar S)$ of $V$, where $\bar S := V\setminus S$, such that no edge has both endpoints lying in the same part. Given two vertices $s,t\in V$, the shortest path between $s$ and $t$ is the path joining them with the fewest possible edges. The distance between $s$ and $t$, denoted by $d(s,t)$, is the length of the shortest path between $s$ and $t$. The diameter of $\Gamma$, denoted by $\mathrm{diam}(\Gamma)$, is the maximum distance over all pairs of vertices in $\Gamma$.

Informally speaking, an expander graph, or expander for short, is a graph that is well-connected. A convenient measure of the connectivity of a graph is the combinatorial expansion, defined as follows:

Definition 1.12 (combinatorial expansion). A graph $G = (V,E)$ is said to have $(n,d,c)$-combinatorial expansion if it has $n$ vertices, the maximum degree of a vertex is $d$, and for every set of vertices $W\subset V$ with $|W|\le n/2$, it holds that $|N(W)|\ge c|W|$, where $N(W)$ denotes the set of all vertices in $V\setminus W$ that are adjacent to some vertex in $W$.

There turns out to be a strong connection between the combinatorial expansion of a graph and the eigenvalues of its adjacency matrix. Being integral and symmetric, $A$ has $N$ real eigenvalues, which can be sorted by absolute value as $|\lambda_1|\ge|\lambda_2|\ge\dots\ge|\lambda_N|$. In this thesis, the sequence of eigenvalues is called the spectrum of $\Gamma$.¹ These eigenvalues correspond to an orthonormal system of eigenvectors, denoted by $v_1,\dots,v_N$. We define $\lambda(\Gamma) := |\lambda_2|$, which is called the second eigenvalue of $\Gamma$. We call $\gamma(\Gamma) := d-\lambda(\Gamma)$ the spectral gap of a $d$-regular graph $\Gamma$.

Below, we list some basic propositions that connect the combinatorial expansion of a graph to its eigenvalues. The proofs of all of these propositions can be found in [4, 11]. Given $B,C\subseteq V$, we will use $E(B,C)$ to denote the set of edges with one endpoint in $B$ and the other in $C$, and let $E(B)$ be the set of edges in the induced subgraph of $G$ on $B$; hence $|E(B)| = \frac12|E(B,B)|$.

Proposition 1.3.
Let $\Gamma = (V,E)$ be a $d$-regular graph. For every partition of the set of vertices $V$ into two disjoint subsets $B$ and $C$, it holds that
$$|E(B,C)| \ge \frac{(d-\lambda(\Gamma))\,|B|\,|C|}{|V|}.$$

Proposition 1.4. Let $\Gamma$ be a $d$-regular graph with $n$ vertices; then $\Gamma$ has $(n,d,c)$-combinatorial expansion for $c = (d-\lambda(\Gamma))/2d$.

¹ In much of the literature, the spectrum of a graph stands for the eigenvalues of its normalized Laplacian matrix instead of its adjacency matrix.

Proposition 1.5. If $\Gamma$ is a $d$-regular graph with $(n,d,c)$-combinatorial expansion, then
$$\lambda(\Gamma) \le d - \frac{c^2}{4+2c^2}.$$

From Propositions 1.4 and 1.5 we can see that for regular graphs with fixed degree, a larger spectral gap implies a larger combinatorial expansion, and vice versa. Therefore, the spectral gap, or equivalently the second eigenvalue of a graph, can be used as the measure of its expansion rate. In graph theory, this is sometimes called the spectral expansion of a graph.

Definition 1.13 (expander). A graph $\Gamma$ is said to be an $(n,d,\lambda)$-expander if $|V(\Gamma)| = n$, $\Gamma$ is regular with degree at most $d$, and $\lambda(\Gamma)\le\lambda$. For simplicity, we will also call $\Gamma$ a $\lambda$-expander if $n$ and $d$ are known from the context.

Definition 1.14 (edge/vertex boundary). Given a graph $\Gamma$ and $S\subseteq V(\Gamma)$, the edge boundary $\partial S$ of $S$ consists of all edges with exactly one endpoint in $S$. The vertex boundary $\delta S$ of $S$ consists of all vertices that are not in $S$ but adjacent to some vertex in $S$, i.e.,
$$\partial S := \{\{u,v\}\in E(\Gamma) \mid u\in S \wedge v\notin S\}, \qquad \delta S := \{v\notin S \mid \exists u\in S: \{u,v\}\in E(\Gamma)\}.$$

Definition 1.15 (Cheeger constant). Given a graph $\Gamma = (V,E)$, the Cheeger constant $h_\Gamma$ of $\Gamma$, or edge expansion of $\Gamma$, is defined as
$$h_\Gamma := \min_{S\subset V}\frac{|E(S,\bar S)|}{\min(\mathrm{vol}(S),\mathrm{vol}(\bar S))},$$
where for $S,T\subseteq V$, $E(S,T) := \{\{u,v\}\in E \mid u\in S\wedge v\in T\}$ and $\mathrm{vol}(S) := \sum_{v\in S}d_v$.

Definition 1.16 (vertex expansion). Given a graph $\Gamma = (V,E)$, the vertex expansion $g_\Gamma$ of $\Gamma$ is defined as
$$g_\Gamma := \min_{S\subset V}\frac{\mathrm{vol}(\delta S)}{\min(\mathrm{vol}(S),\mathrm{vol}(\bar S))}.$$
For regular graphs, this becomes
$$g_\Gamma = \min_{S\subset V}\frac{|\delta S|}{\min(|S|,|\bar S|)}. \quad (1.14)$$

Proposition 1.6. For every graph $\Gamma$, $g_\Gamma\ge h_\Gamma$.

Proof.
For all $S\subset V(\Gamma)$, $\mathrm{vol}(\delta S)\ge|E(S,\bar S)|$.

Intuitively, an expander is a graph with a large Cheeger constant. An inequality due to Dodziuk [16] and independently Alon and Milman [3] states that

Proposition 1.7 (Cheeger inequalities). If $\Gamma$ is a connected $d$-regular graph with second eigenvalue $\lambda$, then
$$\frac12\left(1-\frac{\lambda}{d}\right) \le h_\Gamma \le \sqrt{2\left(1-\frac{\lambda}{d}\right)}.$$

Proposition 1.7 implies that $\lambda(\Gamma)$ can be used as a measure of the expansion of $\Gamma$. In addition to large vertex/edge expansion, a small diameter is also a useful indicator of good connectivity. Much of the literature shows that the diameter of a graph can also be bounded by its second eigenvalue. For instance, [18] states that

Proposition 1.8. If $\Gamma$ is an $(N,d,\lambda)$-expander, then
$$\mathrm{diam}(\Gamma) \le \left\lceil\frac{\log(N-1)}{\log(d/\lambda)}\right\rceil.$$

The same bound holds for a directed graph $\Gamma'$ if $\Gamma'$ is $d$-regular (i.e., $d^{\mathrm{in}}_v = d^{\mathrm{out}}_v = d$ for every vertex $v$) and the eigenvectors of its adjacency matrix form an orthogonal basis.

1.2.2 Random walks

Given a graph $\Gamma = (V,E)$ with $N$ vertices and a vertex $x_0\in V$, a $t$-step random walk starting at $x_0$ is a sequence of vertices $(x_0,x_1,x_2,\dots,x_t)$ where for each $i\ge 0$, $x_{i+1}$ is a neighbor of $x_i$, selected among all neighbors of $x_i$ uniformly at random. In other words,
$$\Pr[x_{i+1} = v \mid x_i = u] = \begin{cases}\dfrac{A(u,v)}{d_u}, & \text{if } (u,v)\in E;\\[4pt] 0, & \text{otherwise,}\end{cases} \quad (1.15)$$
where $A$ is the adjacency matrix. Thereby, we define the random walk matrix $P$ for $\Gamma$ as the $N\times N$ matrix where $P_{u,v} = \Pr[x_{i+1} = v \mid x_i = u]$. We remark that this definition can be naturally extended to weighted graphs. From Equation (1.15), we can see that the value of each $x_i\in V$ depends only on the value of $x_{i-1}$, while all $x_j$ with $j<i-1$ are irrelevant. Therefore, random walks can be regarded as a special case of Markov chains where the transition probability is fully determined by the underlying graph. In this thesis, we shall focus on the special case where $\Gamma$ is $d$-regular. It is easy to see that
$$P = \frac1d A. \quad (1.16)$$
Clearly, $\sum_j P(i,j) = 1$ for all $i\in[N]$, but it does not hold in general that $\sum_i P(i,j) = 1$.
Assume $x_0$ is drawn from the initial probability distribution $\pi_0$, which is a $1\times N$ vector with $\|\pi_0\|_1 = 1$; then the probability distribution after $t$ steps of the random walk is given by
$$\pi_t = \pi_0 P^t. \quad (1.17)$$

Definition 1.17 (ergodicity). A random walk is said to be ergodic if there is a unique stationary distribution $\pi$ satisfying $\lim_{t\to\infty}\pi_0 P^t = \pi$.

Random walks have been extensively studied. As it turns out (see for example [39]), the necessary and sufficient conditions for ergodicity of a random walk are:
• irreducibility, i.e., for any $u,v\in V$, there is a path from $u$ to $v$. In other words, the graph is connected (or strongly connected for directed graphs);
• aperiodicity, i.e., the greatest common divisor of the lengths of all cycles in $\Gamma$ is 1.

Proposition 1.9. If $\Gamma$ is regular, connected and non-bipartite, then the uniform distribution is the unique stationary distribution of every random walk on $\Gamma$. That is, for all $\pi_0$,
$$\lim_{t\to\infty}\pi_0P^t = \frac1N\mathbf{1}_N,$$
where $\mathbf{1}_N := (1,1,\dots,1)$ is the $N$-dimensional all-one vector.

We refer readers to Chung [11], Chapter 1.5, for its proof. We remark that requiring the graph to be non-bipartite is not a big hurdle for our analysis. This is because we may apply the standard trick called lazy random walks. That is, at each step we flip a fair coin to decide whether to walk or to stay. Thus, the transition matrix for the lazy random walk is given by
$$P' = \frac12(I+P). \quad (1.18)$$
In terms of graphs, this process is equivalent to adding a self-loop to each node of the graph, forcing it to be non-bipartite. Clearly, one of the negative effects is that we need one extra random bit for each step, and the number of "actual walks" is reduced by about a half.

A fundamental problem in the study of random walks is how many steps are necessary until the probability distribution is "close enough" to the uniform distribution. In probability theory, this is often called the mixing time of the random walk.
The answer depends not only on how we measure the closeness between two probability distributions, but also on how close is regarded as "close enough". Extensive research has shown that the mixing time of a random walk is also related to the second eigenvalue of the underlying graph (see Motwani and Raghavan [35], Theorem 6.21).

Proposition 1.10. If $\Gamma$ is an $(N,d,\lambda)$-expander with $P$ being its random walk matrix, then for every initial probability distribution $\pi_0$,
$$\left\|\pi_0P^t - \frac1N\mathbf{1}\right\|_1 \le \sqrt N\left(\frac{\lambda}{d}\right)^t.$$

We note that the above results on eigenvalues, the Cheeger inequality, and random walks can all be generalized to directed graphs as long as the directed graph is regular and the random walk has a unique stationary distribution, though this is not the focus of this thesis. We refer readers to Chung [12] for more details.

1.2.3 Explicit constructions

This raises the question of how to construct expanders. Compared with randomized constructions, explicit constructions of expanders have several advantages. Clearly, no randomness is needed in the construction. Besides, expanders that are constructed explicitly often require much less storage space.

The Margulis construction [19, 33] is one of the oldest algebraic expander constructions. These expanders have vertex set $V = \mathbb{Z}_m\times\mathbb{Z}_m$, and there are six predefined transformations $\sigma_i: V\to V$, $1\le i\le 8$. For each pair $(u,v)\in V$, there is an edge $(u,v)$ if and only if $u = \sigma_i(v)$ for some $i$. It turns out that the resulting graph can be regarded as an 8-regular undirected graph, and it was proved by Gabber and Galil [19] that the second eigenvalue of these graphs is at most $5\sqrt2 < 8$.

Many other algebraic constructions are based on Cayley graphs.

Definition 1.18 (Cayley graph). Given a group $G$ and a subset $S\subseteq G$ of elements, the Cayley graph induced by $G$ and $S$, denoted by $\Gamma(G,S)$, is the directed graph where
• for each $g\in G$, there is exactly one vertex named $g$;
• there is a directed edge $g\to h$ if and only if $sg = h$ for some $s\in S$.
Sometimes, we say $\Gamma(G,S)$ is a Cayley graph over $G$. According to the definition, it is obvious that all Cayley graphs are regular directed graphs (or forests in general, if $S$ is not a generating set) where the degree equals the cardinality of $S$. In the past few decades, studies have shown that for some carefully chosen $G$ and $S$, it is possible to prove a guarantee on the expansion of the resulting Cayley graph. Therefore, Cayley graphs can be regarded as a general framework for explicit expander construction. Below, we list a few such examples.

Example 1.5 (Paley graph [10]). Let $G = \mathbb{Z}/q\mathbb{Z}$ where $q\equiv 1 \pmod 4$ is a prime power, and let $S = (\mathbb{F}_q^*)^2$ be the set of non-zero quadratic residues modulo $q$. Then $\Gamma(G,S)$ is an expander on $q$ vertices of degree $(q-1)/2$. The eigenvalues are $\frac12(q-1)$ (with multiplicity 1) and $\frac12(-1\pm\sqrt q)$ (both with multiplicity $\frac12(q-1)$).

Example 1.6 (Chung [18, 43]). Let $G = \mathbb{F}_q^*$, where $\mathbb{F}_q\simeq\mathbb{F}_p[x]/f$, $q = p^n$ is a prime power and $f$ is an irreducible polynomial of degree $n$. Let $S = x+\mathbb{F}_p := \{x+a : a\in\mathbb{F}_p\}$; then the Cayley graph $\Gamma(G,S)$ is a $p$-regular graph on $q-1$ vertices, whose second eigenvalue is bounded by $(n-1)\sqrt p$.

Example 1.7 (Lubotzky [31, 34]). Let $p,q$ be distinct prime integers that are both congruent to 1 modulo 4. Let $G = PGL(2,q)$, and fix some $i$ such that $i^2\equiv 1 \pmod q$. We define $S$ as
$$S = \left\{\begin{pmatrix}a_0+ia_1 & a_2+ia_3\\ -a_2+ia_3 & a_0-ia_1\end{pmatrix} : a_0^2+a_1^2+a_2^2+a_3^2 = p\right\},$$
where we require $a_0 > 0$ to be an odd integer and $a_1,a_2,a_3$ to be even. As the authors proved, $S$ contains precisely $p+1$ elements, and the graph is constructed by taking a connected component of $\Gamma(G,S)$. The second eigenvalue of the resulting graph is less than or equal to $2\sqrt p$.

Proposition 1.11. $S$ is a generating set of $G$ if and only if $\Gamma(G,S)$ is strongly connected.

Proof. First, assume $S$ is a generating set of $G$; then for all $g,h\in G$, we can write $g^{-1}h = \prod_{i=1}^t s_i$ where $s_i\in S$ for all $i$ and $t$ is finite. This product yields a path from $g$ to $h$.
Second, assume $\Gamma(G,S)$ is strongly connected; then there is a path $(x_0 = 1, x_1, \dots, x_t = g)$ from $1$ (the identity of $G$) to every element $g$ in $\Gamma(G,S)$, where $s_i := x_i^{-1}x_{i+1}\in S$ for all $0\le i<t$. That means $g = \prod_{i=0}^{t-1}s_i$.

In addition to Cayley graphs, Sum graphs are also used for expander construction.

Definition 1.19 (Sum graph). Let $G$ be an abelian group and $S\subseteq G$ a subset of elements. The Sum graph induced by $G$ and $S$, denoted by $\Sigma(G,S)$, is the graph where
• for each $g\in G$, there is exactly one vertex named $g$;
• there is an edge $\{g,h\}$ if and only if $gh\in S$.

It is easy to see that Sum graphs are $|S|$-regular. Moreover, they are undirected, which, sometimes, can be an advantage compared with Cayley graphs.

Example 1.8 (Paley Sum graph [11]). Let $G = \mathbb{Z}/q\mathbb{Z}$ where $q\equiv 1 \pmod 4$ is a prime power, and let $S = (\mathbb{F}_q^*)^2$ be the set of non-zero quadratic residues modulo $q$. The resulting Sum graph $\Sigma(G,S)$ has the same eigenvalues as the corresponding Paley graph.

Example 1.9 (Chung [18]). Let $G = \mathbb{F}_q^*$, where $\mathbb{F}_q\simeq\mathbb{F}_p[x]/f$, $q = p^n$ is a prime power and $f$ is an irreducible polynomial of degree $n$. Let $S = x+\mathbb{F}_p := \{x+a : a\in\mathbb{F}_p\}$; then the Sum graph $\Sigma(G,S)$ is a $p$-regular graph on $q-1$ vertices, whose second eigenvalue is bounded by $(n-1)\sqrt p$.

Proposition 1.12. The set of eigenvalues of the adjacency matrix of $\Sigma(G,S)$ is $\{|\sum_{s\in S}\chi(s)| : \chi\in X(G)\}$, and the set of eigenvalues of the adjacency matrix of $\Gamma(G,S)$ is $\{\sum_{s\in S}\chi(s) : \chi\in X(G)\}$.

Proof. The general idea is similar to Chung [18]. Assume a fixed labeling of the elements $g_1,g_2,\dots,g_n$. For $\Sigma(G,S)$, let $A_\Sigma$ denote its adjacency matrix. We may assume $\sum_{s\in S}\chi(s)\ne 0$; then the eigenvectors are
$$v_\chi = \begin{pmatrix}\chi(g_1)\\ \vdots\\ \chi(g_n)\end{pmatrix} + \frac{\sum_{s\in S}\chi(s)}{\left|\sum_{s\in S}\chi(s)\right|}\begin{pmatrix}\chi(g_1^{-1})\\ \vdots\\ \chi(g_n^{-1})\end{pmatrix},$$
where $\chi\in X(G)$. Write $\sigma := \sum_{s\in S}\chi(s)$ and $\bar\sigma := \sum_{s\in S}\chi(s^{-1})$. Since $|\chi(g)| = 1$ for all $g\in G$, it holds that $\chi(s^{-1}) = \overline{\chi(s)}$, and hence $\sigma\cdot\bar\sigma = |\sigma|^2$. Verify that the $i$-th entry of $A_\Sigma v_\chi$ is
$$\begin{aligned}(A_\Sigma v_\chi)_i &= \sum_{j:\ g_ig_j\in S}\left(\chi(g_j) + \frac{\sigma}{|\sigma|}\chi(g_j^{-1})\right) = \sum_{s\in S}\left(\chi(g_i^{-1}s) + \frac{\sigma}{|\sigma|}\chi(s^{-1}g_i)\right) \\ &= \chi(g_i^{-1})\,\sigma + \frac{\sigma}{|\sigma|}\chi(g_i)\,\bar\sigma = \frac{\sigma\bar\sigma}{|\sigma|}\left(\chi(g_i) + \frac{|\sigma|\,\sigma}{\sigma\bar\sigma}\chi(g_i^{-1})\right) \\ &= \left|\sum_{s\in S}\chi(s)\right|\left(\chi(g_i) + \frac{\sum_{s\in S}\chi(s)}{\left|\sum_{s\in S}\chi(s)\right|}\chi(g_i^{-1})\right).\end{aligned} \quad (1.19)$$

For $\Gamma(G,S)$, let $A_\Gamma$ denote the adjacency matrix. The eigenvectors are $v_\chi = [\chi(g_1),\dots,\chi(g_n)]^\top$, where $\chi\in X(G)$. Verify that the $i$-th entry of $A_\Gamma v_\chi$ is
$$(A_\Gamma v_\chi)_i = \sum_{g_j:\ g_is = g_j,\ s\in S}\chi(g_j) = \sum_{s\in S}\chi(g_is) = \sum_{s\in S}\chi(g_i)\chi(s) = \chi(g_i)\sum_{s\in S}\chi(s). \quad (1.20)$$

Corollary 1.1. $S$ is a generating set of $G$ if for every nontrivial character $\chi\in X(G)$, $|\sum_{s\in S}\chi(s)| < |S|$.

Proof. Consider the Cayley graph $\Gamma(G,S)$. By Proposition 1.12, its eigenvalues are the sums $\sum_{s\in S}\chi(s)$. Given the condition $|\sum_{s\in S}\chi(s)| < |S|$ for all nontrivial characters $\chi\in X(G)$, $\Gamma(G,S)$ has a finite diameter (by Proposition 1.8). By Proposition 1.11, $S$ is a generating set of $G$.

Last but not least, Schreier graphs, which are a generalization of Cayley graphs, are also a general technique for explicit expander construction.

Definition 1.20 (Schreier graph). Let $G$ be a group and $X$ be a set. An action of $G$ on $X$ is a group homomorphism $\pi: G\to\mathrm{Sym}(X)$ that sends each element $g$ to a permutation on $X$. For any $S\subseteq G$, the Schreier graph $\mathrm{Sch}(G,X,S)$ is the graph where
• for each $x\in X$, there is exactly one vertex named $x$;
• there is an edge $x\to y$ if and only if there exists $s\in S$ such that $y = \pi(s)(x)$.

Proposition 1.13 (Proposition 11.17 of [21]). Let $G$ be a finite group acting on the set $X$. Let $S$ be a subset of $G$ and let $Z$ be a connected component of $\mathrm{Sch}(G,X,S)$. Then $\lambda(Z)\le\lambda(\Gamma(G,S))$.

This proposition implies that if the Cayley graph over $G$ is an expander, then so are all the corresponding connected Schreier graphs. Therefore, this technique can be used to prove that many graphs are expanding, and we refer readers to [21] for more details.

Unlike the so-called algebraic approaches, which start with groups and generating sets, combinatorial expander constructions start with the graphs directly, and the graph does not necessarily correspond to any group-theoretic structure.
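As an added computational check (example code written for this page, not from the thesis) of Proposition 1.12, Corollary 1.1, Example 1.5 and Propositions 1.9 and 1.10 above: it builds the characters of a finite abelian group as in Equations (1.1) and (1.2), reads the spectrum of a Cayley graph off the character sums, and compares the exact random-walk distribution with the mixing bound, including the lazy-walk trick of Equation (1.18) on the bipartite hypercube over bit strings. The moduli, generating sets and step counts below are constructed for illustration.

```python
import cmath
import itertools

# Added example for this page, not code from the thesis.  A finite abelian group
# G = Z/d_1 Z + ... + Z/d_m Z is represented by its tuple of moduli `dims` and its
# elements by tuples (g_1, ..., g_m); characters follow Equations (1.1)-(1.2).

def group_elements(dims):
    """All elements (g_1, ..., g_m) of G with 0 <= g_i < d_i."""
    return list(itertools.product(*(range(d) for d in dims)))

def character(a, g, dims):
    """chi_a(g) = prod_i omega_{d_i}^{a_i g_i}; the index a runs over G, so |X(G)| = |G|."""
    phase = sum(a_i * g_i / d_i for a_i, g_i, d_i in zip(a, g, dims))
    return cmath.exp(2j * cmath.pi * phase)

def cayley_eigenvalues(dims, S):
    """Spectrum of Gamma(G, S) per Proposition 1.12: chi_a contributes sum_{s in S} chi_a(s)."""
    return {a: sum(character(a, s, dims) for s in S) for a in group_elements(dims)}

def second_eigenvalue(dims, S):
    """lambda(Gamma): the largest |eigenvalue| over the nontrivial characters (a != 0)."""
    zero = tuple(0 for _ in dims)
    return max(abs(v) for a, v in cayley_eigenvalues(dims, S).items() if a != zero)

def corollary_1_1_holds(dims, S):
    """Sufficient condition of Corollary 1.1 for S to generate G: lambda(Gamma) < |S|.
    It is not necessary: a generating S whose Gamma(G, S) is bipartite has eigenvalue -|S|."""
    return second_eigenvalue(dims, S) < len(S) - 1e-9

def group_add(g, h, dims):
    return tuple((x + y) % d for x, y, d in zip(g, h, dims))

def walk_distance(dims, S, t, lazy=False):
    """||pi_t - uniform||_1 for the exact t-step walk from the identity (Equation 1.17).
    Steps follow Equation (1.15) with P = A/|S|; lazy=True uses P' = (I + P)/2 (1.18)."""
    zero = tuple(0 for _ in dims)
    pi = {zero: 1.0}
    for _ in range(t):
        nxt = {}
        for g, p in pi.items():
            if lazy:                      # fair coin: stay put with probability 1/2
                nxt[g] = nxt.get(g, 0.0) + p / 2
                p /= 2
            for s in S:                   # otherwise move along a uniformly chosen generator
                h = group_add(g, s, dims)
                nxt[h] = nxt.get(h, 0.0) + p / len(S)
        pi = nxt
    elems = group_elements(dims)
    return sum(abs(pi.get(g, 0.0) - 1.0 / len(elems)) for g in elems)

def mixing_bound(dims, S, t):
    """Right-hand side of Proposition 1.10: sqrt(N) * (lambda / d)^t with d = |S|."""
    N = len(group_elements(dims))
    return N ** 0.5 * (second_eigenvalue(dims, S) / len(S)) ** t

def paley_eigenvalues(q):
    """Example 1.5 on Z/qZ for a prime q = 1 (mod 4): S = nonzero quadratic residues.
    The character sums are real because -1 is a residue, so S = -S."""
    S = [(s,) for s in sorted({(x * x) % q for x in range(1, q)})]
    return sorted(v.real for v in cayley_eigenvalues((q,), S).values())

# Bit strings of length 4 under XOR, i.e. G = (Z/2Z)^4: the p = 2 case of the abstract.
BITS = (2, 2, 2, 2)
UNIT_VECTORS = [(1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)]
HYPERCUBE_S = UNIT_VECTORS                       # bipartite: eigenvalue -4 = -d appears
NONBIPARTITE_S = UNIT_VECTORS + [(1, 1, 1, 1)]   # the all-ones word breaks bipartiteness

if __name__ == "__main__":
    print("Paley(13) spectrum:", [round(v, 4) for v in paley_eigenvalues(13)])
    for name, S in (("hypercube", HYPERCUBE_S), ("hypercube + 1111", NONBIPARTITE_S)):
        print("%s: d = %d, lambda = %.4f, Corollary 1.1 condition: %s"
              % (name, len(S), second_eigenvalue(BITS, S), corollary_1_1_holds(BITS, S)))
        for t in (2, 6, 10):
            print("  t=%2d  plain walk %.4f  lazy walk %.4f  Prop. 1.10 bound %.4f"
                  % (t, walk_distance(BITS, S, t), walk_distance(BITS, S, t, True),
                     mixing_bound(BITS, S, t)))
```

On the hypercube the bound of Proposition 1.10 is vacuous (lambda = d) and the plain walk never mixes, while the lazy walk does; adding the all-ones word gives lambda = 3 < 5 and the exact distance stays under the bound.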
The essential idea is to build “new” graphs using “old” ones. Lifting [9] is perhaps the most intuitive process in this category. Given a graph $\Gamma = (V,E)$, a 2-lift of $\Gamma$ is a graph that has two copies, $v, v'$, of each vertex $v \in V$. For each edge $\{u,v\} \in E$, we connect either $\{u,v\},\{u',v'\}$ or $\{u,v'\},\{u',v\}$ in the new graph; thus creating the edges of the new graph can be regarded as choosing a function $\sigma : E \to \{-1, 1\}$. Such a function is called a signing. Friedman [17] proved that for any $d$-regular graph whose eigenvalue is bounded by $O(\sqrt{d\log^3 d})$, there always exists a “good” signing such that the eigenvalue bound still holds for the new graph. Clearly, this idea generalizes to $k$-lifts of a graph for arbitrary $k$. In fact, this technique has been used by Marcus et al. [32] to prove the existence of infinite families of regular bipartite Ramanujan graphs. A possible drawback of lifting is that it is mostly used for existential arguments; finding a good signing remains a hard problem.

Another well-known example is the zig-zag product proposed by Reingold et al. [38]. Zig-zag products between two graphs are built upon a simpler product, the replacement product. Let $\Gamma$ be an $(N,d_1,\lambda_1)$-expander and $H$ a $(d_1,d_2,\lambda_2)$-expander. The replacement product of $\Gamma$ and $H$, denoted by $\Gamma \,\textcircled{r}\, H$, is the graph formed by replacing each node of $\Gamma$ with a copy of $H$. Each copy of $H$ is often called a cloud in the new graph. Clearly, after replacement, there are $Nd_1$ vertices in total. In addition, since $\Gamma$ is $d_1$-regular and $H$ has $d_1$ vertices, for each node in a cloud there is exactly one edge connecting it to a node in another cloud.
The zig-zag product, denoted by $\Gamma \,\textcircled{z}\, H$, is then the graph with the same vertex set as $\Gamma \,\textcircled{r}\, H$ in which there is an edge between two nodes $u$ and $v$ if and only if there exists a zig-zag path $u \to x \to y \to v$ in $\Gamma \,\textcircled{r}\, H$ such that $u \to x$ and $y \to v$ are edges inside clouds and $x \to y$ is an edge that connects two clouds. Since each edge between two clouds in $\Gamma \,\textcircled{r}\, H$ is replaced by exactly $d_2^2$ edges in $\Gamma \,\textcircled{z}\, H$, it is easy to verify that $\Gamma \,\textcircled{z}\, H$ is $d_2^2$-regular. It was also shown that if both $\Gamma$ and $H$ are good expanders, so is $\Gamma \,\textcircled{z}\, H$.

Proposition 1.14 (Reingold-Vadhan-Wigderson [38]). Suppose $\Gamma$ is an $(N,d_1,d_1\lambda_1)$-expander and $H$ is a $(d_1,d_2,d_2\lambda_2)$-expander. Then $\Gamma \,\textcircled{z}\, H$ is an $(Nd_1,\, d_2^2,\, d_2^2(\lambda_1 + \lambda_2 + \lambda_2^2))$-expander.

Last but not least, replacement products over semidirect products of groups are another approach that has led to breakthroughs in expander construction. It is also a good example of the beautiful combination of algebraic and combinatorial techniques. Assume $G$ and $H$ are two groups and $\Gamma_G$, $\Gamma_H$ are Cayley graphs over them. Their zig-zag product $\Gamma_G \,\textcircled{z}\, \Gamma_H$ may not be a Cayley graph in general. However, when the group $H$ acts on $G$, the replacement product can be realized as a Cayley graph over their semidirect product (Proposition 1.15 below).

Definition 1.21 (semidirect product). Suppose a group $H$ acts on a group $G$, that is, there is a group homomorphism $\phi : H \to \mathrm{Aut}(G)$. Then their semidirect product, denoted by $G \rtimes H$, is the group whose elements are the pairs $(g,h) \in G \times H$, with operation $*$ given by $(g_1,h_1) * (g_2,h_2) = (g_1 \cdot \phi_{h_1}(g_2),\ h_1 \cdot h_2)$. Clearly, the direct product $G \times H$ is the special case where $\phi_h$ is the identity for all $h \in H$. Semidirect products are often combined with replacement products to build large expander graphs from small ones.

Proposition 1.15 (Alon-Lubotzky-Wigderson [2]). Let $A, B$ be two groups with generating sets $S_A, S_B$ such that $|B| = |S_A|$.
Furthermore, suppose that $B$ acts on $A$ in such a way that $S_A$ is the orbit of one of its elements $x \in S_A$ under this action. Then $S = \{(1,s) \mid s \in S_B\} \cup \{(x,1)\}$ generates $A \rtimes B$, and $\Gamma(A \rtimes B, S)$ is a replacement product of $\Gamma(A,S_A)$ and $\Gamma(B,S_B)$.

This approach has been used for constructing families of expander graphs. For example, Kassabov [27] constructed a family of expanders over the groups $SL_n(p^m)$ for all $n \ge 3$, $m \ge 1$ and $p$ a prime. In another breakthrough [26], Kassabov showed that it is also possible to construct a family of bounded-degree expanders over the alternating and symmetric groups $A_n$ and $S_n$.

Chapter 2 Expander Graphs over Finite Algebras

2.1 Introduction

In computational algebra, it is often desirable to find small generating sets for given groups. One of the most important applications of small generating sets is the explicit construction of expander graphs [18, 30]. Informally, expander graphs are graphs with strong expansion properties. Expander graphs have been applied in many areas such as computational complexity theory, coding theory and communication networks [21]. For example, in complexity theory, expanders are an essential tool in Dinur's well-known proof of the PCP theorem [15]. Small generating sets have also been applied in other areas. For example, in the index calculus method for solving the discrete logarithm problem over the multiplicative groups of finite fields, one is interested in finding a reasonably small generating set over which enough relations can be found (see for example [1, 25]).

A fundamental result of [18] states that if $f \in \mathbb{F}_p[x]$ is an irreducible polynomial of degree $n$ and $\sqrt{p} > n - 1$, then the set $x + \mathbb{F}_p := \{x + t : t \in \mathbb{F}_p\}$ forms a generating set for $\mathbb{F}_q^* \cong (\mathbb{F}_p[x]/f)^*$, where $q = p^n$. Moreover, the Cayley graph built on $\mathbb{F}_q^*$ with the generating set $x + \mathbb{F}_p$ forms an expander graph. In [22], we generalized this result to algebras of the form $\mathbb{F}_p[x]/F$, where $F \in \mathbb{F}_p[x]$ is not necessarily irreducible.
In that paper, we presented algorithms for constructing small generating sets for the multiplicative group $(\mathbb{F}_p[x]/F)^*$. Similarly to Chung's situation, we also showed that the Cayley graphs built on $(\mathbb{F}_p[x]/F)^*$ with these small generating sets are good expanders. In this chapter, we further generalize these results to algebras of the form $B := \mathbb{F}_q[x]/F$, where $q = p^n$ is a power of a prime and $F \in \mathbb{F}_q[x]$ is not necessarily irreducible. Interestingly, we demonstrate that these algebras offer even more flexibility for constructing regular directed expander graphs, in the sense that for many of the graphs we create, the degree need not be a power of a prime, which makes the structure of our graphs significantly different from those in [18].

We also consider the construction of a basis for $B^*$ and the decomposition of elements of $B^*$ with respect to the basis. In the special case where $F$ is irreducible, the problem of finding a basis for $B^* := (\mathbb{F}_q[x]/F)^*$ is also called finding a primitive element of the finite field $\mathbb{F}_q[x]/F$. The problem is known to be hard in general (see for example [24]). However, there are existing algorithms for solving its relaxations or special cases under certain assumptions. For example, in [42] and its extensions [37], the author showed that for certain $(p,d)$ pairs, elements of high order can be constructed using Gauss periods. And in [8, 24, 40], the authors addressed the special case of finding primitive elements in finite fields of small characteristic. The decomposition problem in this special case is better known as the discrete logarithm problem, which has been extensively studied. Recent breakthroughs include [20] and [25], both of which compute discrete logarithms in finite fields of small characteristic faster than previously known, under certain heuristics. One of the goals of designing these algorithms is to validate the generating sets we proposed in Section 2.2.
Since these algorithms enable us to test whether a given set of elements generates $B^*$, we are able to see whether our theoretically proven generating sets are actually larger than necessary. Our experimental results in Section 2.3 suggest that a square-root number of elements of our generating sets might already suffice to generate the entire group. However, further investigation is required to determine whether this is indeed the case.

2.2 Generating Sets and Expanders

Given the standard factorization $F = \prod_{i=1}^m f_i^{e_i}$, where $f_i$ is irreducible for all $1 \le i \le m$, the Chinese Remainder Theorem gives the isomorphism

$\psi : \bigoplus_{i=1}^m (\mathbb{F}_q[x]/f_i^{e_i})^* \xrightarrow{\ \sim\ } (\mathbb{F}_q[x]/F)^*$ (2.1)

where $\psi$ can be computed using standard Chinese Remainder Theorem algorithms. We may first consider the simplified problem of finding a small generating set for each component on the left-hand side before handling the general case. Let $v^m_{i,s} \in \bigoplus_{i=1}^m A_i^*$, where $A_i := \mathbb{F}_q[x]/f_i^{e_i}$, be the $m$-dimensional vector with $s$ in the $i$-th entry and zeros elsewhere; that is,

$v^m_{i,s} := \underbrace{0 \oplus \cdots \oplus 0}_{i-1} \oplus\, s \,\oplus \underbrace{0 \oplus \cdots \oplus 0}_{m-i}.$

Suppose a generating set $S_i$ for $A_i^*$ is given for all $1 \le i \le m$. Then clearly $\{\psi(v^m_{i,s}) \mid 1 \le i \le m,\ s \in S_i\}$ is a generating set for $B^*$. Therefore, in Sections 2.2.1, 2.2.2 and 2.2.3 we focus on finding a small generating set for the multiplicative group of algebras $A := \mathbb{F}_q[x]/f^e$, where $f \in \mathbb{F}_q[x]$ is an irreducible polynomial of degree $d \ge 1$ and $e \ge 1$ is an integer. Note that we use $A$ as the abbreviation for $\mathbb{F}_q[x]/f^e$ throughout this chapter.

2.2.1 Regarding A as a GF(q)-algebra

$A$ can be naturally regarded as an $\mathbb{F}_q$-algebra. Based on this observation, we obtain the first type of small generating set for $A^*$, which is similar to Chung's situation:

Theorem 2.1. If $\sqrt{q} > de - 1$, then $(x + \mathbb{F}_q) \cap A^*$ is a generating set for $A^*$.
Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^t (x + a_i)$ with $a_i \in \mathbb{F}_q$ and

$t < 2de + 1 + \dfrac{4de\log(de-1)}{\log q - 2\log(de-1)}.$

Proof. $A = \mathbb{F}_q[x]/f^e$ is an $\mathbb{F}_q$-algebra of dimension $de$. Since $A$ is generated by $x$ as an $\mathbb{F}_q$-algebra, Proposition 1.2 applies to every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$), and we have

$\Bigl|\sum_{t\in\mathbb{F}_q}\chi(x+t)\Bigr| \le (de-1)\sqrt{q}.$ (2.2)

The rest of the proof follows from Propositions 1.8 and 1.12.

Theorem 2.2. If $\sqrt{q} > de - 1$, then $\Gamma(A^*,S)$, where $S = (x + \mathbb{F}_q) \cap A^*$, is an expander with spectral gap at least $q - (de-1)\sqrt{q}$.

Proof. The spectral gap $\gamma$ satisfies

$\gamma = q - \max_{\chi \in \tilde X(A^*)} \Bigl|\sum_{t\in\mathbb{F}_q}\chi(x+t)\Bigr| \ge q - (de-1)\sqrt{q} > 0,$ (2.3)

where the first inequality follows from Equation (2.2).

2.2.2 Extending the base field of A

Theorem 2.1 requires $\sqrt{q} > de - 1$, which may not always be satisfied. In situations where $q$ is small, it turns out that we can still construct small generating sets, and the first step is to extend the ground field of $A$. Let $L := \mathbb{F}_q[x]/f$ be the field of order $q^d$, where $d := \deg f$. In the following, we show that $A$ can also be regarded as an $L$-algebra.

Lemma 2.1. Let $a \in A$ be written in the form $a = \sum_{i=0}^{e-1} a_i f^i$ with each $a_i \in A$ having degree less than $d$. Then $a \in A^*$ if and only if $a_0 \ne 0 \pmod f$.

Proof. For the “only if” direction, since $a \in A^*$, there is an inverse element $b = \sum_{i=0}^{e-1} b_i f^i$ such that $ab = 1$. That is,

$\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)\Bigl(\sum_{i=0}^{e-1} b_i f^i\Bigr) = a_0 b_0 + (a_0 b_1 + a_1 b_0) f + \cdots = 1 \pmod{f^e},$ (2.4)

so $a_0 b_0 = 1 \pmod f$, which implies $a_0 \ne 0 \pmod f$. For the “if” direction, suppose $a_0 \ne 0 \pmod f$; then it suffices to show the existence of $b = a^{-1}$. Assume $b = \sum_{i=0}^{e-1} b_i f^i$ ($\deg b_i < d$ for all $i$); then

$\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)\Bigl(\sum_{i=0}^{e-1} b_i f^i\Bigr) = a_0 b_0 + (a_0 b_1 + a_1 b_0) f + \cdots = c_0 + c_1 f + \cdots.$ (2.5)

Since $a_0 \ne 0 \pmod f$, there is $b_0$ such that $a_0 b_0 = 1 \pmod f$ and $b_0 \ne 0 \pmod f$. Given $b_0$, $b_1$ is uniquely determined by the linear equation $a_0 b_1 + a_1 b_0 = 0 \pmod f$ over $L$.
In general, each $b_i$ ($1 \le i \le e-1$) is uniquely determined by the linear equation $c_i = 0 \pmod f$ from the values $b_0, \ldots, b_{i-1}$ determined in the previous steps. Therefore there is a unique $b$ such that $ab = 1$, and thus $a \in A^*$.

Lemma 2.2. For each $a_0 \in L^*$, there exists a unique $a \in A^*$ which can be written as $a = \sum_{i=0}^{e-1} a_i f^i$, where each $a_i \in A$ has degree less than $d$, and $a^{q^d-1} = 1 \pmod{f^e}$.

Proof. Since $a_0 \in L^*$, $a \in A^*$ by Lemma 2.1. Write $a = \sum_{i=0}^{e-1} a_i f^i$ with each $a_i$ of degree less than $d$. We want $a^{q^d-1} = 1 \pmod{f^e}$, so we need

$a^{q^d-1} = \Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)^{q^d-1} = a_0^{q^d-1} + (q^d-1)\,a_0^{q^d-2}a_1 f + \cdots = 1 \pmod{f^e}.$ (2.6)

From Equation (2.6), we get

$a_0^{q^d-1} + (q^d-1)\,a_0^{q^d-2}a_1 f = 1 \pmod{f^2}.$ (2.7)

Because $a_0^{q^d-1} = 1 \pmod f$, there is some $A_0 \in A$ with $\deg A_0 < d$ such that

$a_0^{q^d-1} = 1 + A_0 f \pmod{f^2}.$ (2.8)

Combining Equations (2.7) and (2.8), we see that $a_1$ is uniquely determined by the linear equation

$A_0 + (q^d-1)\,a_0^{q^d-2}a_1 = 0 \pmod f$ (2.9)

over $L$. Inductively, assume $a_0, a_1, \ldots, a_{k-1}$ are uniquely determined. In order to guarantee $a^{q^d-1} = 1 \pmod{f^e}$, we need

$\Bigl(\sum_{i=0}^{e-1} a_i f^i\Bigr)^{q^d-1} = \Bigl(\sum_{i=0}^{k-1} a_i f^i + a_k f^k + \sum_{i=k+1}^{e-1} a_i f^i\Bigr)^{q^d-1} \pmod{f^{k+1}}$
$= \Bigl(\sum_{i=0}^{k-1} a_i f^i + a_k f^k\Bigr)^{q^d-1} \pmod{f^{k+1}}$
$= \Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d-1} + (q^d-1)\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d-2} a_k f^k \pmod{f^{k+1}}$
$= 1 \pmod{f^{k+1}}.$ (2.10)

By induction, the first term can be written as

$\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d-1} = 1 + A_{k-1} f^k \pmod{f^{k+1}}$ (2.11)

for some $A_{k-1} \in A$ with $\deg A_{k-1} < d$. Then $a_k$ is uniquely determined by the linear equation

$A_{k-1} + (q^d-1)\Bigl(\sum_{i=0}^{k-1} a_i f^i\Bigr)^{q^d-2} a_k = 0 \pmod f$ (2.12)

over $L$, and that completes the proof.

Lemma 2.2 yields a well-defined function $\pi : L^* \to A^*$, which can be extended to all of $L$ by setting $\pi(0) = 0$. We now prove that $\pi$ is essentially an embedding of $L$ into $A$.

Lemma 2.3. Let $\pi : L \to A$ be the function where, for all $a_0 \in L$, $\pi(a_0) = 0$ if $a_0 = 0$, and $\pi(a_0) = a = \sum_{i=0}^{e-1} a_i f^i \in A$ such that
$a^{q^d-1} = 1$ otherwise. Then $\pi(L) \cong L$ as fields.

Proof. First of all, we have $\pi(0) = 0$, and we also have $\pi(1) = 1$. Given $a_0, b_0 \in L$, assume that $\pi(a_0) = \sum_{i=0}^{e-1} a_i f^i$ and $\pi(b_0) = \sum_{i=0}^{e-1} b_i f^i$ with $\deg a_i, \deg b_i < d$ for all $i$. We start by showing $\pi(a_0 b_0) = \pi(a_0)\pi(b_0)$. When $a_0 = 0$ or $b_0 = 0$, this is obvious. Otherwise, notice that the first term of both sides is $a_0 b_0$, and we have

$(\pi(a_0)\pi(b_0))^{q^d-1} = \pi(a_0)^{q^d-1}\pi(b_0)^{q^d-1} = 1.$ (2.13)

By Lemma 2.2, $\pi(a_0 b_0) = \pi(a_0)\pi(b_0)$. Next, we verify $\pi(a_0^{-1}) = \pi(a_0)^{-1}$ for all $a_0 \ne 0$. Since $a_0^{q^d-1} = 1$, $a_0^{-1} = a_0^{q^d-2}$. Therefore,

$\pi(a_0^{-1}) = \pi(a_0^{q^d-2}) = \pi(a_0)^{q^d-2}.$ (2.14)

Since $\pi(a_0)^{q^d-1} = 1$, $\pi(a_0)^{q^d-2} = \pi(a_0)^{-1}$. Now it remains to show $\pi(a_0 + b_0) = \pi(a_0) + \pi(b_0)$. If $a_0 = 0$ or $b_0 = 0$, this is obvious. Otherwise, since the first term of both sides is $a_0 + b_0$, by Lemma 2.2 it suffices to show $(\pi(a_0) + \pi(b_0))^{q^d-1} = 1$. Denote the set $T = \{a \in A : a^{q^d-1} = 1\}$ and the set $T' = \{a \in A : a^{q^d} = a\} = T \cup \{0\}$. Since $A$ has characteristic $p$,

$(\pi(a_0) + \pi(b_0))^{q^d} = \pi(a_0)^{q^d} + \pi(b_0)^{q^d} = \pi(a_0) + \pi(b_0).$ (2.15)

That is, $\pi(a_0) + \pi(b_0) \in T'$, and hence either $\pi(a_0) + \pi(b_0) \in T$ or $\pi(a_0) + \pi(b_0) = 0$. In the first case we are done; in the latter case, $a_0 = -b_0$, so we also have $\pi(a_0 + b_0) = \pi(0) = 0 = \pi(a_0) + \pi(b_0)$.

The proofs of Lemmas 2.1, 2.2 and 2.3 actually describe an algorithm for computing the embedding of $L$ into $A$, and the pseudo code is shown in Algorithm 1. Taking $q$, $f$, $e$ and a polynomial $a_0 \in \mathbb{F}_q[x]$ of degree less than $d$ as input, the algorithm computes $a \in \mathbb{F}_q[x]$ corresponding to $\pi(a_0)$ in $\mathbb{F}_q[x]/f^e$. We remark that in Line 8, by inverse we mean the inverse element in $L$.
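The following Python implementation of this embedding is an added example written for this page, not the thesis's own code. It carries out Lines 4 to 9 of Algorithm 1 over a prime field (so $q = p$), with the polynomial arithmetic over $\mathbb{F}_p$ written out by hand, and then uses the embedding to build the generating sets $(x + \pi(K)) \cap A^*$ of Theorems 2.3 and 2.5 and to check by breadth-first search, using the unit test of Lemma 2.1, that they generate $A^*$. The parameters $p = 5$, $f = x^2 + 2$, $e = 3$ (for the embedding itself), $p = 3$, $f = x^2 + 1$, $e = 2$ (for Theorem 2.3 with $K = L$) and the data of Example 2.1 ($p = 7$, $f = x - 1$, $e \in \{2, 3\}$, $K = \mathbb{F}_7$) are test inputs chosen here; polynomials are coefficient lists, lowest degree first.

```python
# Added example (not the thesis's code): Algorithm 1 (Embed) over F_p for prime p, plus the
# generating sets of Theorems 2.3 / 2.5 and a generation check.  Polynomials over F_p are
# coefficient lists, lowest degree first; the zero polynomial is [].
from collections import deque
from itertools import product

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(u + v) % p for u, v in zip(a, b)])

def mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, u in enumerate(a):
        for j, v in enumerate(b):
            r[i + j] = (r[i + j] + u * v) % p
    return trim(r)

def divmod_(a, m, p):
    """Long division a = q*m + r over F_p (m non-zero); returns (q, r)."""
    a, q = list(a), [0] * max(len(a) - len(m) + 1, 0)
    inv_lead = pow(m[-1], p - 2, p)
    while len(a) >= len(m):
        c, shift = a[-1] * inv_lead % p, len(a) - len(m)
        q[shift] = c
        for i, v in enumerate(m):
            a[shift + i] = (a[shift + i] - c * v) % p
        trim(a)
    return trim(q), a

def powmod(a, n, m, p):
    """a^n mod m by square-and-multiply."""
    result, base = [1], divmod_(a, m, p)[1]
    while n > 0:
        if n & 1:
            result = divmod_(mul(result, base, p), m, p)[1]
        base = divmod_(mul(base, base, p), m, p)[1]
        n >>= 1
    return result

def fpow(f, k, p):
    """Plain power f^k, used for the moduli f^k and f^(k+1)."""
    r = [1]
    for _ in range(k):
        r = mul(r, f, p)
    return r

def embed(a0, p, f, e):
    """Algorithm 1: pi(a0) for a0 in L = F_p[x]/f, i.e. the unique a in A = F_p[x]/f^e with
    a = a0 (mod f) and a^(s-1) = 1 (mod f^e), where s = p^deg(f) (Lemma 2.2)."""
    a = trim(list(a0))
    if not a:                      # Lines 1-2: pi(0) = 0
        return []
    s = p ** (len(f) - 1)          # Line 4: s = q^d with q = p
    for k in range(1, e):          # Line 6
        fk, fk1 = fpow(f, k, p), fpow(f, k + 1, p)
        # Line 7: A_{k-1} = ((a^(s-1) mod f^(k+1)) - 1) / f^k, an exact division by Eq. (2.11)
        A_prev, rem = divmod_(add(powmod(a, s - 1, fk1, p), [p - 1], p), fk, p)
        assert rem == [], "a^(s-1) - 1 must be divisible by f^k"
        # Line 8: a_k = ((s-1) * (a^(s-2) mod f))^{-1} * (-A_{k-1}); the inverse is taken in the
        # field L, where u^{-1} = u^(s-2) for u != 0
        coef = mul([(s - 1) % p], powmod(a, s - 2, f, p), p)
        a_k = divmod_(mul(powmod(coef, s - 2, f, p), [(-c) % p for c in A_prev], p), f, p)[1]
        a = add(a, mul(a_k, fk, p), p)   # Line 9
    return a

def elements(p, f, e):
    """All residues of A = F_p[x]/f^e, as coefficient lists of degree < deg(f) * e."""
    return [trim(list(c)) for c in product(range(p), repeat=(len(f) - 1) * e)]

def is_unit(a, p, f):
    """Lemma 2.1: a is a unit of A iff a mod f != 0."""
    return divmod_(a, f, p)[1] != []

def count_units(p, f, e):
    return sum(1 for a in elements(p, f, e) if is_unit(a, p, f))

def generating_set(p, f, e, K):
    """(x + pi(K)) ∩ A^*: the set of Theorem 2.3 when K = L, of Theorem 2.5 when K is a subfield."""
    return [s for s in (add([0, 1], embed(t, p, f, e), p) for t in K) if is_unit(s, p, f)]

def generates(S, p, f, e):
    """Breadth-first search from 1 along a -> a*s; S generates A^* iff every unit is reached."""
    m = fpow(f, e, p)
    units = {tuple(a) for a in elements(p, f, e) if is_unit(a, p, f)}
    seen, queue = {(1,)}, deque([[1]])
    while queue:
        a = queue.popleft()
        for s in S:
            b = tuple(divmod_(mul(a, s, p), m, p)[1])
            if b not in seen:
                seen.add(b)
                queue.append(list(b))
    return seen == units
```

For Example 2.1, `generating_set(7, [6, 1], e, [[t] for t in range(7)])` returns the six units $\bar x, \bar x + 1, \ldots, \bar x + 5$ (the constant $t$ embeds as itself, and $\bar x + 6$ is dropped because it vanishes modulo $x - 1$), `count_units` gives 42 for $e = 2$ and 294 for $e = 3$, and `generates` confirms both sets generate. For $p = 3$, $f = x^2 + 1$, $e = 2$ the set $x + \pi(L)$ with $L = \mathbb{F}_9$ loses exactly the one non-unit $x + \pi(2x)$, leaving 8 generators for the 72 units.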
Algorithm 1 Embed($a_0, q, f, e$)
1: if $a_0 = 0$ then
2:     return 0
3: else
4:     $d := \deg f$, $s := q^d$
5:     $a := a_0$
6:     for $k = 1, \ldots, e-1$ do
7:         $A_{k-1} := ((a^{s-1} \bmod f^{k+1}) - 1)/f^k$
8:         $a_k := ((s-1)(a^{s-2} \bmod f))^{-1}(-A_{k-1})$
9:         $a := a + a_k f^k$
10:    end for
11:    return $a$
12: end if

Lemma 2.4. $A$ is an $L$-algebra of dimension $e$.

Proof. $A$ is an $L$-algebra through the embedding $\pi$, in the sense that the action of $b \in L$ on $A$ is $b \cdot a := \pi(b)\cdot a$ for all $a \in A$, where the product on the right-hand side is the one in $A$.

Theorem 2.3. If $q^{d/2} > e - 1$, then the set $(x + \pi(L)) \cap A^*$ is a generating set for $A^*$. Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^t (x + \pi(a_i))$ where $a_i \in L$ and

$t < 2e + 1 + \dfrac{4e\log(e-1)}{d\log q - 2\log(e-1)}.$

Proof. By Lemma 2.4, $A$ can be regarded as an $L$-algebra of dimension $e$. By Proposition 1.2, for every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$),

$\Bigl|\sum_{t\in L}\chi(x + \pi(t))\Bigr| \le (e-1)\sqrt{|L|}.$ (2.16)

The rest of the proof follows from Propositions 1.8 and 1.12.

Theorem 2.4. If $q^{d/2} > e - 1$, then $\Gamma(A^*,S)$, where $S = (x + \pi(L)) \cap A^*$, is an expander with spectral gap at least $q^d - (e-1)q^{d/2}$.

Proof. The spectral gap $\gamma$ satisfies

$\gamma = q^d - \max_{\chi \in \tilde X(A^*)}\Bigl|\sum_{t\in L}\chi(x + \pi(t))\Bigr| \ge q^d - (e-1)q^{d/2} > 0,$ (2.17)

where the first inequality follows from Equation (2.16).

2.2.3 Constructing small generating sets

Theorem 2.3 relaxes the restriction on $q$, but this generating set has size $q^d$, which might be more than necessary: only a small fraction of this set might already suffice to generate the group. Besides, in terms of expander graph construction, the resulting graphs might be dense. Thus, in this section we go one step further and find generating sets of smaller size. Let $K \subset L$ be a subfield of size $q^c$, where $c \mid d$. We have

Theorem 2.5. If $K$ is a subfield of $L$ of size $q^c$ and $q^{c/2} > (de/c) - 1$, then $(x + \pi(K)) \cap A^*$ is a generating set for $A^*$.
Furthermore, every element of $A^*$ can be written as $\prod_{i=1}^t (x + \pi(a_i))$, where $a_i \in K$ and

$t < 2\dfrac{de}{c} + 1 + \dfrac{4\frac{de}{c}\log(\frac{de}{c} - 1)}{\frac{d}{c}\log q - 2\log(\frac{de}{c} - 1)}.$

Proof. By Lemma 2.4, $A$ can be regarded as a $K$-algebra of dimension $de/c$. By Proposition 1.2, for every nontrivial character $\chi$ of $A^*$ (extended by zero to all of $A$),

$\Bigl|\sum_{t\in K}\chi(x + \pi(t))\Bigr| \le \Bigl(\frac{de}{c} - 1\Bigr) q^{c/2}.$ (2.18)

The rest of the proof follows from Propositions 1.8 and 1.12.

Theorem 2.6. Let $K \subset L$ be a subfield of $L$ of size $q^c$, where $c \mid d$. If $q^{c/2} > (de/c) - 1$, then $\Gamma(A^*,S)$, where $S = (x + \pi(K)) \cap A^*$, is an expander with spectral gap at least $q^c - (de/c - 1)q^{c/2}$.

Proof. The spectral gap $\gamma$ satisfies

$\gamma = q^c - \max_{\chi \in \tilde X(A^*)}\Bigl|\sum_{t\in K}\chi(x + \pi(t))\Bigr| \ge q^c - \Bigl(\frac{de}{c} - 1\Bigr) q^{c/2} > 0,$ (2.19)

where the first inequality follows from Equation (2.18).

Based on the above discussion, we present the pseudo code of our algorithm for finding a small generating set for $A^*$ as Algorithm 2. It takes $q$, $f$ and $e$ as input, and its output is a small subset $S \subset A$ such that $\Gamma(A^*,S)$ is provably an expander. Notice that Line 3 of this pseudo code finds a subfield of $L$ of size $q^c$, which is available in some algebraic programming languages such as [14], and hence we omit the details.

Algorithm 2 Genset($q, f, e$)
1: Let $d := \deg f$; factorize $d$ (if not provided)
2: Find $c$ such that $c \mid d$ and $q^{c/2} > (de/c) - 1$
3: Let $\phi : \mathbb{F}_{q^c} \hookrightarrow \mathbb{F}_q[x]/f$ be a finite field homomorphism
4: return $(x + \mathrm{Embed}(\phi(\mathbb{F}_{q^c}))) \cap A^*$

A downside of this construction is that when $d$ has few divisors, for example when $d$ is a prime number, $c = 1$ and $c = d$ are the only two options. At the other extreme, when $d$ has many divisors, we may be able to construct better generating sets. In practice, one may want to choose a perfect power as the value of $d$, say $d = b^w$ for some small number $b$. In this scenario, we have

Corollary 2.1. Suppose $q$ and $e$ are fixed and $d = b^w$ is a perfect power, where $b$ is fixed. Then Algorithm 2 returns a generating set of $A^*$ of size $q^{O(\log d)}$.

Proof.
Notice that $c \ge 2\log_q d + 2$ would be sufficient for the condition of Theorem 2.5, $q^{c/2} > (de/c) - 1$, to hold. Let $w_0 \in \mathbb{R}$ be such that $b^{w_0} = 2\log_q d + 2$. Then $c = b^{\lceil w_0\rceil} \le b^{w_0 + 1} = b(2\log_q d + 2)$.

2.2.4 Extending to the general case

In Sections 2.2.1, 2.2.2 and 2.2.3, we considered algebras of the form $A := \mathbb{F}_q[x]/f^e$. In this section, we extend these results to the more general case where the algebra is of the form $B := \mathbb{F}_q[x]/F$, with $F \in \mathbb{F}_q[x]$ an arbitrary monic polynomial. At the beginning of Section 2.2, we have seen the overall idea of our algorithm: with Algorithm 2, we generate a small generating set for each component; the union of these sets is then “pulled back” to $B^*$ via the Chinese Remainder Theorem isomorphism $\psi$ to obtain our final generating set for $B^*$. It is straightforward to show that the resulting set forms a generating set for $B^*$. In the rest of this chapter, we assume $F = \prod_{i=1}^m f_i^{e_i}$, where each $f_i \in \mathbb{F}_q[x]$ is an irreducible polynomial of degree $d_i$. We use the abbreviation $A_i := \mathbb{F}_q[x]/f_i^{e_i}$ below.

Theorem 2.7. Let $K_i$ be a subfield of $\mathbb{F}_q[x]/f_i$ of size $q^{c_i}$, and $\pi_i$ an embedding of $K_i$ into $A_i$. If $q^{c_i/2} > (d_i e_i/c_i) - 1$ for all $1 \le i \le m$, then $\{\psi(v^m_{i,s}) \mid s \in (x + \pi_i(K_i)) \cap A_i^*,\ 1 \le i \le m\}$ is a generating set for $B^*$.

Proof. By Theorem 2.5, each $x + \pi_i(K_i)$ is a generating set for the component $A_i^*$, so their union $x + \bigcup_{i=1}^m \pi_i(K_i)$ generates $\bigoplus_{i=1}^m A_i^*$. Since $\psi$ is an isomorphism, the claim follows.

The pseudo code is shown in Algorithm 3. Taking $q$ and $F$ as input, Algorithm 3 finds a small generating set of the form described in Theorem 2.7 for $B^*$.
Algorithm 3 FinalGenset($q, F$)
1: Factorize $F$ into $F = \prod_{i=1}^m f_i^{e_i}$ (if not provided), where each $f_i$ is an irreducible polynomial of degree $d_i$
2: Let $\psi : \bigoplus_{i=1}^m (\mathbb{F}_q[x]/f_i^{e_i})^* \xrightarrow{\ \sim\ } (\mathbb{F}_q[x]/F)^*$ be the C.R.T. isomorphism
3: $S := \emptyset$
4: for $i = 1, \ldots, m$ do
5:     $S_i := \mathrm{Genset}(q, f_i, e_i)$
6:     for each $s \in S_i$ do
7:         $S := S \cup \{\psi(v^m_{i,s})\}$
8:     end for
9: end for
10: return $S$

Corollary 2.2. If $q$ is fixed and, for all $1 \le i \le m$, $e_i$ is fixed and $d_i = b_i^{w_i}$ is a perfect power, where each $b_i$ is fixed, then Algorithm 3 returns a generating set of $B^*$ of size $\sum_{i=1}^m q^{O(\log d_i)}$.

Proof. This follows by applying Corollary 2.1 to each component $A_i^*$.

Now it only remains to show that graphs of the form $\Gamma(B^*,S)$, where $S$ is found by Algorithm 3, are expanders.

Theorem 2.8. Let $K_i$ be a subfield of $\mathbb{F}_q[x]/f_i$ of size $q^{c_i}$, and $\pi_i$ an embedding of $K_i$ into $A_i$. If $q^{c_i/2} > (d_i e_i/c_i) - 1$ for all $1 \le i \le m$, then $\Gamma(B^*,S)$, where $S := \{\psi(v^m_{i,s}) \mid s \in (x + \pi_i(K_i)) \cap A_i^*,\ 1 \le i \le m\}$, is an expander with spectral gap at least $\sum_{i=1}^m q^{c_i} - \sum_{i=1}^m (d_i e_i/c_i - 1)q^{c_i/2}$.

Proof. Define $S_i := x + \pi_i(K_i)$, $1 \le i \le m$. Since $B^* \cong \bigoplus_{i=1}^m A_i^*$, for all $\chi \in \tilde X(B^*)$ there exist $\chi_i \in \tilde X(A_i^*)$ ($1 \le i \le m$) such that

$\forall\, b \cong \bigoplus_{i=1}^m b_i \in B^* : \quad \chi(b) = \prod_{i=1}^m \chi_i(b_i).$ (2.20)

Consider an arbitrary character $\chi \in \tilde X(B^*)$, and let $\chi_1 \in \tilde X(A_1^*), \ldots, \chi_m \in \tilde X(A_m^*)$ be the characters that satisfy Equation (2.20). For all elements $b \in B^*$ of the form $b \cong v^m_{i,s}$, all but the $i$-th coordinate are zeros, so

$\chi(\psi(v^m_{i,s})) = \chi_i(s)\prod_{j \ne i}\chi_j(0) = \chi_i(s).$ (2.21)

Combining Equation (2.21) with Proposition 1.2, we obtain

$\Bigl|\sum_{s\in S}\chi(s)\Bigr| = \Bigl|\sum_{i=1}^m \sum_{s \in \{\psi(v^m_{i,s}) \mid s \in S_i\}} \chi(s)\Bigr| = \Bigl|\sum_{i=1}^m \sum_{s\in S_i}\chi_i(s)\Bigr| \le \sum_{i=1}^m \Bigl|\sum_{s\in S_i}\chi_i(s)\Bigr| \le \sum_{i=1}^m \Bigl(\frac{d_i e_i}{c_i} - 1\Bigr) q^{c_i/2}.$ (2.22)

Given that $q^{c_i/2} > (d_i e_i/c_i) - 1$ for all $1 \le i \le m$, the spectral gap $\gamma$ of the Cayley graph satisfies

$\gamma \ge \sum_{i=1}^m |S_i| - \max_{\chi \in \tilde X(B^*)}\Bigl|\sum_{s\in S}\chi(s)\Bigr| \ge \sum_{i=1}^m q^{c_i} - \sum_{i=1}^m \Bigl(\frac{d_i e_i}{c_i} - 1\Bigr)$
$\cdot\, q^{c_i/2} > 0.$ (2.23)

2.2.5 Expander graphs of general degrees

Theorem 2.8 implies that our method can be used as a general technique for constructing regular directed expander graphs of general degrees, where by “general” we mean degrees that are not prime powers or a prime power plus one. To see why this happens, notice that according to Theorem 2.7, the degree of the graph equals $|S| = \sum_{i=1}^m |(x + \pi_i(K_i)) \cap A_i^*|$. For each $K_i$, we have $|K_i| = q^{c_i}$, which is a prime power. However, it may be the case that not all elements of $x + \pi_i(K_i)$ are units, and hence $|(x + \pi_i(K_i)) \cap A_i^*| \le |K_i| = q^{c_i}$. This feature allows us to build many regular directed expanders with degree less than or equal to $\sum_{i=1}^m q^{c_i}$.

Example 2.1. Suppose we want to construct an expander of degree 6. We can choose $n = 1$, $m = 1$, $p = 7$ and $c = 1$, ensuring that $q^c \ge 6$. Theorem 2.8 requires that $de < \sqrt{7} + 1$, so the pairs $(e,d)$ satisfying this constraint are $(1,1)$, $(1,2)$, $(1,3)$, $(2,1)$ and $(3,1)$. Notice that the first three pairs have $e = 1$, which cannot generate any graph whose degree is not a prime power. So we only need to try the last two combinations. Since $d = 1$ in both cases, we can simply choose, for example, $f = x - 1$. In both cases, after running Algorithm 3, the generating set for $(\mathbb{F}_q[x]/f^e)^*$ is $S = \{\bar x, \bar x + 1, \bar x + 2, \bar x + 3, \bar x + 4, \bar x + 5\}$. Notice that $\bar x + 6$ is clearly not a unit, and thus it is eliminated from $S$. A simple calculation shows that when $e = 2$ the resulting graph has 42 vertices, and when $e = 3$ the number is 294. Our experiments also show that the spectral gaps of these two graphs are 3.354 and 1.187, respectively.

2.3 Experiments

2.3.1 Experimental study of the generating sets

An interesting question about the generating sets presented in Section 2.2 is whether a small subset may already be sufficient to generate the group.
Thus, we ran experiments to see whether the size of the generating sets can be substantially reduced by drawing random subsets from our original construction. For simplicity, we only ran experiments on algebras of the form $A := \mathbb{F}_p[x]/f^e$, where $f \in \mathbb{F}_p[x]$ is irreducible of degree $d$. We compare the sizes of three types of generating sets for $A^*$. The first type, of the form $x + \pi(\mathbb{F}_q)$, corresponds to Theorem 2.3; its size equals $p^d$. The second type, of the form $x + \pi(K)$, corresponds to Theorem 2.5, where $K \subset \mathbb{F}_q$ is a subfield of size $p^c$. The third type is constructed by adding random elements of $x + \pi(K)$ to the empty set one by one until it generates $A^*$. We write its size as $p^r$, where $r \in \mathbb{R}$. Clearly, we have the relationship $r \le c \le d$.

Our first experiment compares the growth of $c$ and $d$. In this experiment, we fix $p = 7$, $e = 5$ and $d = 2^1, 2^2, 2^3, \ldots$. From Figure 2.1, we see that $c$ is a step function that grows linearly with $\log d$, or in other words $c \in \Theta(\log d)$, as stated in Corollary 2.1.

Figure 2.1: The growth of c and d. [Plot of $c$ against $\log_2 d$ together with the fitted line fit($c$); the figure itself is not reproduced in this transcript.]

In the second set of experiments, we compare $r$ and $c$ with different choices of parameters. We first test the effect of $p$. We fix $e = 5$ and $d = 2^1, 2^2, 2^3, \ldots$, and then increase $p$ from 5 to 23. From Figure 2.2, we observe that both $c$ and $r$ grow at the rate $\Theta(\log d)$. In addition, we can see that when $p$ increases, the growth rate of $c$ and $r$ decreases. The third set of experiments studies the effect of $e$ while fixing $p = 13$, and the results are shown in Figure 2.3. This set of experiments shows that when $e$ increases from 3 to 12, the growth rate of both $c$ and $r$ increases.
Interestingly, from all the experimental results shown in Figures 2.2 and 2.3, we see that roughly $c \approx 2r$, which implies that a square-root number of random elements from $x + \pi(K)$ might already suffice as a generating set for $A^*$. However, how to find subsets of this size, and whether they can be used for expander graph construction, remain open problems.

Figure 2.2: The effect of p. [Four panels plotting $c$ and $r$, with the fitted lines fit($c$) and fit($r$), against $d = 1, 2, 4, \ldots, 64$: (a) $p = 5, e = 5$; (b) $p = 11, e = 5$; (c) $p = 17, e = 5$; (d) $p = 23, e = 5$. The plots themselves are not reproduced in this transcript.]

2.3.2 Experimental study of the expander graphs

In Table 2.1, we enumerate all expander graphs of degree less than 12 which can be constructed over groups of the form $(\mathbb{F}_p[x]/f^e)^*$ under our framework, where $f$ is irreducible. When $e = 1$, our construction degenerates to Chung's construction (see [18]), and when $e > 1$, our algorithm produces new expander graphs that differ from all existing constructions. In the table, these constructions (the rows with $e > 1$) are highlighted in boldface. The first column of the table shows the degree of the vertices of the regular directed graph (denoted by $\Gamma$), and the last three columns show the number of vertices, the diameter and the spectral gap of the graph, respectively.

Figure 2.3: The effect of e. [Four panels plotting $c$ and $r$, with the fitted lines fit($c$) and fit($r$), against $d = 1, 2, 4, \ldots, 64$, all with $p = 13$: (a) $e = 3$; (b) $e = 6$; (c) $e = 9$; (d) $e = 12$. The plots themselves are not reproduced in this transcript.]

From the table, we can see that our approach offers some degree of flexibility in the explicit construction of expander graphs.
Notice that using our approach, we are able to construct expander graphs of some special degrees (such as 6 and 10) that are not prime powers, which is not possible with Chung's construction. We also observe that these new constructions are comparable with Chung's constructions in terms of graph diameters and spectral gaps. Sometimes, the flexibility of our approach may be utilized to build better expanders for specific applications. For example, when the degree of the graph equals 11, choosing $p = 11$, $d = 4$ in Chung's framework produces an expander graph with 14,640 vertices and spectral gap 1.652. Using our approach, we may choose $p = 11$, $e = 2$, $c = 1$ and $d = 2$ instead. In this case, the expander graph has 14,520 vertices, which might be close enough to 14,640 for a specific application, and we achieve a better spectral gap, with the value 2.203.

2.4 Conclusion and Future Work

In this chapter, we generalized [18] to the case of $\mathbb{F}_q[x]/F$, where $F \in \mathbb{F}_q[x]$ is not necessarily irreducible. We presented algorithms for finding different types of small generating sets for $B^*$, which can be applied to the explicit construction of expander graphs. We demonstrated that our approach provides a more flexible framework for constructing expander graphs; in particular, expander graphs of degrees that are not prime powers can be constructed. We also analyzed the algebraic structure of $B^*$ and proposed algorithms for finding a basis for $B^*$ and decomposing elements with respect to this basis.

It will be interesting to study new features and applications of the expander graphs constructed using our approach. As mentioned before, the diameter bound of Cayley graphs over the multiplicative groups of finite fields has been improved by [41]. Although this result does not directly apply to our situation, it will be interesting to see if Shparlinski's techniques can be adapted to give a better upper bound for the diameters of our expanders.
In our computations, we observed that a square-root number of elements of the constructed generating set is usually sufficient to generate the whole group. Whether a generating set of such size can be used for expander graph construction remains open. Finally, basis construction and decomposition for $B^*$ when $p < e$ is an interesting problem for further investigation.

Table 2.1: Expander graphs over $(\mathbb{F}_p[x]/f^e)^*$ of low degrees

deg(Γ)   p    c   e   d   |V(Γ)|   diam(Γ)   γ(Γ)
2        2    1   1   1   1        0         – †
2        2    1   1   2   3        1         1
2        3    1   2   1   6        3         0.268
3        3    1   1   1   2        1         2
3        3    1   1   2   8        3         1.268
3        2    2   2   2   12       3         1
4        2    2   1   2   3        1         3
4        2    2   1   4   15       3         2
4        5    1   2   1   20       4         1.764
4        5    1   3   1   100      7         0.196
5        5    1   1   1   4        1         4
5        5    1   1   2   24       3         2.764
5        5    1   1   3   124      6         0.976
6        7    1   2   1   42       4         3.354
6        7    1   3   1   294      7         1.187
7        7    1   1   1   6        1         6
7        7    1   1   2   48       3         4.354
7        7    1   1   3   342      6         1.975
7        2    3   2   2   56       3         4.172
7        2    3   3   3   448      6         2.313
8        2    3   1   3   7        1         7
8        2    3   1   6   63       3         5.172
8        2    3   1   9   511      6         2.421
8        3    2   2   2   72       3         5
8        3    2   3   2   648      6         2
9        3    2   1   2   8        1         8
9        3    2   1   4   80       3         6
9        3    2   1   6   728      6         3.094
10       11   1   2   1   110      3         6.683
10       11   1   3   1   1210     6         3.487
11       11   1   1   1   10       1         10
11       11   1   1   2   120      3         7.683
11       11   1   1   3   1330     6         4.557
11       11   1   1   4   14640    9         1.652
11       11   1   2   2   14520    9         2.203
† This graph has only one node, where the second eigenvalue is not defined.

Chapter 3 Projective Cayley Graphs

3.1 Introduction

In this chapter, we develop a general technique for expander construction based on the idea of projection. We propose a new class of graphs, constructed by projection from Cayley graphs over groups that are the direct sum of two components. We call these graphs projective Cayley graphs and simplified projective Cayley graphs. Let $G$ be a finite abelian group and $S \subseteq G$ a generating set of $G$. Recall that the Cayley graph induced by $G$ and $S$, denoted by $\Gamma(G,S)$, is the directed graph with vertex set $G$ in which, for all $g, h \in G$, there is an edge $g \to h$ if and only if $gs = h$ for some $s \in S$. It is not hard to show that $\Gamma(G,S)$ is strongly connected if and only if $S$ is a generating set.
Now we assume that $G \simeq H \oplus K$, where $H$ and $K$ are both finite abelian groups. For each element $g \in G$, we use $g_H$ to denote its projection in $H$, and for any subset $S \subseteq G$, we write $S_K$ for the set $\{s_K \mid s \in S\}$.

Definition 3.1 (projective Cayley graph). If $G \simeq H \oplus K$, then the projective Cayley graph induced by $G$, $K$ and $S$, denoted by $\Gamma_K(G,S)$, is the directed multigraph constructed as follows:
• for each element $k \in K$, create a vertex $k$ in $\Gamma_K(G,S)$;
• for each pair $(k,h) \in K \times K$, the number of directed edges from $k$ to $h$ equals the cardinality of the set $\{s \in S \mid k s_K = h\}$.

We remark that by definition, there can be self-loops as well as parallel edges in a projective Cayley graph.

Definition 3.2 (simplified projective Cayley graph). If $G \simeq H \oplus K$, then the simplified projective Cayley graph induced by $K$ and $S$ is defined as $\Gamma(K, S_K)$.

$\Gamma(K,S_K)$ is said to be "simplified" because it is obtained by removing parallel edges from $\Gamma_K(G,S)$: exactly one edge from each bundle of parallel edges is kept while all the others are removed. According to the definitions, $\Gamma_K(G,S)$ is an $|S|$-regular directed multigraph, while $\Gamma(K,S_K)$ is an $|S_K|$-regular directed simple graph. We say $S$ is symmetric if for all $s \in S$ it holds that $s^{-1} \in S$. In this case, $\Gamma_K(G,S)$ and $\Gamma(K,S_K)$ can equivalently be regarded as undirected graphs.

Projective Cayley graphs and their simplified version can be used for explicit expander graph construction. In this paper, we show that if a graph $\Gamma$ over a group $G$ is a good expander, then under certain conditions the simplified projective graph over a direct component of $G$ is a good expander as well. Unlike many other algebraic processes such as Cartesian products, lifting and zig-zag products, whose goal is to build large expander graphs from small ones, projective Cayley graphs go in the opposite direction: they create smaller expander graphs from larger ones.
This may seem counterintuitive at first glance, because large expanders are desired for most practical purposes. However, the motivation for doing this goes in two ways. First, a direct construction of an expander Cayley graph over an appealing group structure may be difficult, whereas a construction through projection may be feasible. As an example, in this paper we investigate Cayley expander graphs over the multiplicative groups of finite algebras of the form $A = \mathbb{F}_q[x]/f^e$, where $q = p^n$ is a prime power, $e > 1$ is an integer and $f \in \mathbb{F}_q[x]$ is an irreducible polynomial of degree $d$. We prove that when $p \ge e$, $A^*$ has a direct component which is isomorphic to $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$, and then we show how to construct good expanders over this component. So far as we know, our work is the first that gives an explicit expander construction over the direct sum of more than two copies of $\mathbb{Z}/p\mathbb{Z}$ where little computation is needed. Secondly, projective Cayley graphs and their simplified versions can be used in combination with other expander construction techniques, such as zig-zag products, to offer more flexibility in the size, the degree and the spectrum of expander graphs. Hence the projection method for constructing expander Cayley graphs may lead to new theoretical results as well as applications.

3.2 General Observations

In this section, we assume $G, K, H$ are finite abelian groups such that $G \simeq K \oplus H$. We start with a few definitions.

Definition 3.3 (shortest path/distance). Let $\Gamma$ be a graph and $u, v \in V(\Gamma)$. A path from $u$ to $v$ is a sequence of vertices $p = (x_0 = u, x_1, \dots, x_k = v)$ such that all $x_i \in V(\Gamma)$ and $(x_i, x_{i+1}) \in E(\Gamma)$. $k$ is called the length of the path $p$, denoted by $l(p)$. Let $P_\Gamma(u,v)$ be the set of all paths from $u$ to $v$ in $\Gamma$. For any $p \in P_\Gamma(u,v)$, $p$ is called a shortest path from $u$ to $v$ if and only if $l(p) = \min_{q \in P_\Gamma(u,v)} l(q)$. Let $SP_\Gamma(u,v)$ denote the set of shortest paths from $u$ to $v$ in $\Gamma$, and assume a fixed order on the paths.
Then we use $sp_\Gamma(u,v)$ to denote the first element of $SP_\Gamma(u,v)$. The length of $sp_\Gamma(u,v)$ is called the distance from $u$ to $v$ in $\Gamma$, denoted by $d_\Gamma(u,v)$. By definition, the distance from a vertex to itself is 0, and for two vertices that lie in different connected components the distance is regarded as $+\infty$.

Definition 3.4 (diameter). Let $\Gamma$ be a graph. The diameter of $\Gamma$, denoted by $\mathrm{diam}(\Gamma)$, is the longest possible distance between any pair of vertices in $\Gamma$. That is, $\mathrm{diam}(\Gamma) := \max_{u,v \in V(\Gamma)} d_\Gamma(u,v)$.

Definition 3.5 (graph morphism). For two directed multigraphs $\Gamma, \Gamma'$, an isomorphism $\varphi : V(\Gamma) \to V(\Gamma')$ is a one-to-one correspondence which preserves the connectivity between all pairs of nodes. That is, for all $u, v \in V(\Gamma)$, the number of edges from $u$ to $v$ in $\Gamma$ equals the number of edges from $\varphi(u)$ to $\varphi(v)$ in $\Gamma'$. In this case, we write $\Gamma \simeq \Gamma'$. An isomorphism $\theta : V(\Gamma) \to V(\Gamma)$ is called an automorphism of $\Gamma$. Let $\mathrm{Aut}(\Gamma)$ be the set of all automorphisms of $\Gamma$. It is not hard to verify that $\mathrm{Aut}(\Gamma)$ forms a group under composition, where for all $\varphi, \theta \in \mathrm{Aut}(\Gamma)$ the group law $\circ$ sends $(\varphi, \theta)$ to $\varphi \circ \theta : v \mapsto \varphi(\theta(v))$. Therefore, we call $\mathrm{Aut}(\Gamma)$ the automorphism group of $\Gamma$.

Definition 3.6 (vertex transitivity). A graph $\Gamma$ is said to be vertex-transitive if $\mathrm{Aut}(\Gamma)$ acts transitively on the vertex set. That is, for all $u, v \in V(\Gamma)$, there exists an automorphism $\varphi \in \mathrm{Aut}(\Gamma)$ such that $\varphi(u) = v$.

Theorem 3.1. For all $S \subseteq G$, $\Gamma_K(G,S)$ and $\Gamma(K,S_K)$ are both vertex-transitive.

Proof. Given any $u, v \in K$, let $w \in K$ with $wu = v$, and consider the mapping $\varphi : x \mapsto wx$ for all $x \in K$. It suffices to show that $\varphi$ is an automorphism of $\Gamma_K(G,S)$. For any edge $(x,y) \in E(\Gamma_K(G,S))$, there exists a corresponding $s \in S$ such that $s_K x = y$, and thus $s_K(wx) = w(s_K x) = wy$, which means $(\varphi(x), \varphi(y)) \in E(\Gamma_K(G,S))$. A similar argument holds for $\Gamma(K,S_K)$.

Theorem 3.2. For all $S \subseteq G$,
$$\mathrm{diam}(\Gamma_K(G,S)) + \mathrm{diam}(\Gamma_H(G,S)) \le \mathrm{diam}(\Gamma(G,S)) + 1,$$
and $\mathrm{diam}(\Gamma_K(G,S)) = \mathrm{diam}(\Gamma(K,S_K))$.

Proof.
Removing parallel edges from a graph does not change the connectivity between any pair of nodes, so the second claim is obvious. Now let us focus on the first claim. Denote $\Gamma(G,S)$ by $\Gamma$, $\Gamma_K(G,S)$ by $\Gamma_K$ and $\Gamma_H(G,S)$ by $\Gamma_H$. Consider the new Cayley graph $\Gamma' := \Gamma(G, S')$, where $S' := \bigcup_{s \in S} \{ s_K \oplus 0,\ 0 \oplus s_H \}$. We first claim that
$$\mathrm{diam}(\Gamma') = \mathrm{diam}(\Gamma_K) + \mathrm{diam}(\Gamma_H). \tag{3.1}$$
This claim is quite intuitive. Assume the vertex $u$ has distance $d_K := \mathrm{diam}(\Gamma_K)$ from $0$ in $\Gamma_K$ and the vertex $v$ has distance $d_H := \mathrm{diam}(\Gamma_H)$ from $0$ in $\Gamma_H$, and assume the shortest path from $0$ to $u$ in $\Gamma_K$ is given by $u = \sum_{i=1}^{d_K} (s_i)_K$ and the shortest path from $0$ to $v$ in $\Gamma_H$ by $v = \sum_{i=1}^{d_H} (t_i)_H$, where all $s_i, t_i \in S$. Then the distance from $0$ to $u \oplus v$ in $\Gamma'$ is at most $d_K + d_H$, because there is a path of length $d_K + d_H$ from $0$ to $u \oplus v$, given by $\big(\sum_{i=1}^{d_K} (s_i)_K \oplus 0\big) + \big(0 \oplus \sum_{i=1}^{d_H} (t_i)_H\big)$. Also, the distance is at least $d_K + d_H$. Otherwise, assume the shortest path from $0$ to $u \oplus v$ is given by $\big(\sum_{i=1}^{d'_K} (s'_i)_K \oplus 0\big) + \big(0 \oplus \sum_{i=1}^{d'_H} (t'_i)_H\big)$ with $d'_K + d'_H < d_K + d_H$; then either $d'_K < d_K$ or $d'_H < d_H$. Assume without loss of generality that the former holds. Then $\sum_{i=1}^{d'_K} (s'_i)_K$ defines a shorter path from $0$ to $u$ in $\Gamma_K$, a contradiction. This proves the claim. Therefore, it remains to show $\mathrm{diam}(\Gamma') \le \mathrm{diam}(\Gamma) + 1$.

Corollary 3.1. For all $S \subseteq G$, if $S$ generates $G$, then $S_K$ generates $K$.

Proof. If $S$ generates $G$, then $\Gamma(G,S)$ has a finite diameter. By Theorem 3.2, we conclude that $\Gamma(K,S_K)$ has a finite diameter, and hence $S_K$ generates $K$.

Theorem 3.3. For all $S \subseteq G$, the eigenvectors of $\Gamma_K(G,S)$ are $(\chi(k_1), \dots, \chi(k_m))$ and the corresponding eigenvalues are $\sum_{s \in S} \chi(s_K)$, where $m = |K|$ and $\chi \in X(K)$, the character group of $K$.

Proof. Let $A$ be the adjacency matrix of $\Gamma_K(G,S)$ with rows and columns indexed by $k_1, \dots, k_m$, and let $v_\chi := (\chi(k_1), \dots, \chi(k_m))^T$.
Verify that the $i$-th entry of $A \cdot v_\chi$ is
$$(A v_\chi)_i = \sum_{j=1}^{m} A_{i,j}\,\chi(k_j) = \sum_{j=1}^{m} \big|\{s \in S : s_K \cdot k_i = k_j\}\big| \cdot \chi(k_j) = \sum_{s \in S} \chi(k_i \cdot s_K) = \sum_{s \in S} \chi(k_i)\chi(s_K) = \Big(\sum_{s \in S} \chi(s_K)\Big)\chi(k_i). \tag{3.2}$$

Corollary 3.2. For all $S \subseteq G$, $\lambda(\Gamma_K(G,S)) \le \lambda(\Gamma(G,S))$.

Proof. Since $G \simeq K \oplus H$, for each character $\chi_K \in X(K)$ there is a $\chi \in X(G)$ such that $\chi(g) = \chi_K(g_K)$ for all $g \in G$, obtained by taking the character to be trivial on $H$. Therefore $\{\sum_{s \in S} \chi_K(s_K) \mid \chi_K \in X(K)\} \subseteq \{\sum_{s \in S} \chi(s) \mid \chi \in X(G)\}$.

Corollary 3.2 implies that if $\Gamma(G,S)$ is a good expander, then its projection graph $\Gamma_K(G,S)$ is also a good expander. Hence, a natural question is whether the simplified graph $\Gamma(K,S_K)$ is a good expander as well. Suppose there are no two distinct $s, s' \in S$ such that $s_K = s'_K$; then $\Gamma_K(G,S)$ is identical to $\Gamma(K,S_K)$, and thus they have the same spectrum. Therefore, for expander construction it is often desirable to choose a generating set $S$ of $G$ such that $\Gamma(G,S)$ is expanding and no two elements of $S$ have the same image in $K$. In the other case, the eigenvalue of $\Gamma(K,S_K)$ depends on how many elements of $S$ share the same image in $K$, which can be seen from the eigenvalue comparison theorems (see Chung [11, 12]):

Proposition 3.1 (Chung [11], Theorem 4.12). Let $\Gamma$ and $\Gamma'$ be two connected regular graphs with eigenvalues $\lambda$ and $\lambda'$ and degrees $d$, $d'$, respectively. Suppose that the vertex set of $\Gamma$ is the same as the vertex set of $\Gamma'$. We assume that for each edge $\{x,y\}$ in $\Gamma$, there is a path $P(x,y)$ in $\Gamma'$ joining $x$ and $y$ of length at most $l$. Furthermore, suppose that every edge in $\Gamma'$ is contained in at most $m$ paths $P(x,y)$. Then we have
$$d' - \lambda' \ge \frac{1}{lm}(d - \lambda).$$

Chung proved that Proposition 3.1 still holds if $\Gamma$ and $\Gamma'$ are both strongly connected $d$-regular directed graphs (see [12], Theorem 9).

Definition 3.7 (max collision). Let $G \simeq K \oplus H$. For each $k \in K$, we define the preimage of $k$ in $G$ as $k_G = \{g \in G \mid g_K = k\}$. For a subset $T \subseteq K$, we write the set of preimages of $T$ as $T_G = \{t_G \mid t \in T\}$.
Let $S \subseteq G$ and $s, s' \in S$; we say $s$ and $s'$ collide in $K$ if $s_K = s'_K$. We then define the max collision of $S$ in $K$ as $\kappa(S,K) = \max_{I \in (S_K)_G} |I \cap S|$.

The following is an immediate consequence of Proposition 3.1:

Theorem 3.4. For all $G \simeq K \oplus H$ and $S$ a generating set of $G$, it holds that
$$|S_K| - \lambda(\Gamma(K,S_K)) \ge \frac{1}{\kappa(S,K)}\big(|S| - \lambda(\Gamma_K(G,S))\big).$$

Proof. For each edge $(a,b)$ in $\Gamma_K(G,S)$, let the path be the edge $(a,b)$ in $\Gamma(K,S_K)$, which has length 1. For each edge $e$ in $\Gamma(K,S_K)$, the number of paths passing through this edge equals the number of edges in $\Gamma_K(G,S)$ that are parallel to $e$ (including $e$ itself), which is at most $\kappa(S,K)$.

3.3 Expanders over Direct Sums of Z/pZ

As an example, in this section we use simplified projective Cayley graphs to give an explicit construction of sparse expander graphs whose underlying group is isomorphic to $\bigoplus_k \mathbb{Z}/p\mathbb{Z}$, where $k \ge 1$ is an integer and $p$ is a prime number satisfying certain constraints. The mother group $G$ considered here is the multiplicative group of an algebra $A$ of the form $A = \mathbb{F}_q[x]/f^e$, where $q = p^n$ is a prime power, $f \in \mathbb{F}_q[x]$ is an irreducible polynomial and $e \ge 2$ is an integer. Based on previous work by Chung [18], Katz [29], and Lenstra and Wan [43], we showed in [23] that expander graphs can be explicitly constructed over $A^*$.

Proposition 3.2 (Theorem 2.1). If $\sqrt{q} > de - 1$, then $\Gamma(A^*, S)$, where $S = \{x + a : a \in \mathbb{F}_q\} \cap A^*$, is an expander whose second eigenvalue is bounded by $(de-1)\sqrt{q}$.

In the rest of this chapter, we will see that when $p \ge e$, the multiplicative group $A^*$ can be decomposed into two direct components, one isomorphic to $\mathbb{F}^*_{q^d}$ and the other isomorphic to the direct sum of $nd(e-1)$ copies of $\mathbb{Z}/p\mathbb{Z}$, and thereby we will show how to construct an expander Cayley graph over $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$.

3.3.1 The structure of $A^*$

Let us use $L$ to denote the finite field $\mathbb{F}_{q^d} \simeq \mathbb{F}_q[x]/f$.
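Before turning to the algebra $A^*$, here is the machinery of Section 3.2 (Definitions 3.1, 3.2 and 3.7, Theorems 3.2, 3.3 and 3.4, Corollary 3.2) worked on a small constructed instance, as an added example that is not code from the thesis: $G = \mathbb{Z}/4\mathbb{Z} \oplus \mathbb{Z}/6\mathbb{Z}$ with a symmetric generating set in which two elements collide in $K$, so $\Gamma_K(G,S)$ has parallel edges and $\kappa(S,K) = 2$. Groups are written additively (an edge $g \to g + s$ stands for the thesis's $g \to gs$); the instance, the helper names and the numerical tolerance are assumptions of the example.

```python
import cmath
from collections import deque

M_H, M_K = 4, 6                                   # G = H (+) K with H = Z/4Z, K = Z/6Z
S = [(1, 1), (3, 5), (1, 2), (3, 4), (0, 1), (0, 5)]   # constructed symmetric generating set
S_K = [s[1] for s in S]                           # projections s_K (multiset: (1,1),(0,1) collide)
S_H = [s[0] for s in S]                           # projections s_H

def projective_cayley(m, images):
    """Gamma_K(G, S) of Definition 3.1 over K = Z/mZ as a dict (k, k') -> number of
    parallel edges; `images` is the multiset [s_K for s in S], so collisions give bundles."""
    edges = {}
    for k in range(m):
        for sk in images:
            key = (k, (k + sk) % m)
            edges[key] = edges.get(key, 0) + 1
    return edges

def simplified(images):
    """S_K as a set: Gamma(K, S_K) keeps one edge of each bundle (Definition 3.2)."""
    return sorted(set(images))

def max_collision(images):
    """kappa(S, K) of Definition 3.7: the most elements of S sharing one image in K."""
    return max(images.count(k) for k in set(images))

def cayley_G():
    """Gamma(G, S) itself, with the vertex (h, k) encoded as the integer h*M_K + k."""
    edges = {}
    for h in range(M_H):
        for k in range(M_K):
            for (a, b) in S:
                key = (h * M_K + k, ((h + a) % M_H) * M_K + (k + b) % M_K)
                edges[key] = edges.get(key, 0) + 1
    return edges

def diameter(m, edges):
    """diam of Definition 3.4 by breadth-first search from every vertex (inf if disconnected)."""
    adj = {}
    for (u, v) in edges:
        adj.setdefault(u, set()).add(v)
    worst = 0
    for src in range(m):
        dist, todo = {src: 0}, deque([src])
        while todo:
            u = todo.popleft()
            for v in adj.get(u, ()):
                if v not in dist:
                    dist[v] = dist[u] + 1
                    todo.append(v)
        if len(dist) < m:
            return float("inf")
        worst = max(worst, max(dist.values()))
    return worst

def chi(m, t, k):
    """The character chi_t of Z/mZ evaluated at k."""
    return cmath.exp(2j * cmath.pi * t * k / m)

def cyclic_spectrum(m, images):
    """Theorem 3.3: the eigenvalue belonging to chi_t is the sum of chi_t(s_K) over the multiset."""
    return [sum(chi(m, t, k) for k in images) for t in range(m)]

def spectrum_G():
    """Eigenvalues of Gamma(G, S) from the characters chi_(a,b)(h, k) = chi_a(h) chi_b(k) of G."""
    return [sum(chi(M_H, a, h) * chi(M_K, b, k) for (h, k) in S)
            for a in range(M_H) for b in range(M_K)]

def lam(eigs):
    """lambda(.): largest |eigenvalue| over the non-trivial characters (index 0 is trivial)."""
    return max(abs(e) for e in eigs[1:])

def check_theorem_3_3(m, images):
    """A v_chi = (sum_s chi(s_K)) v_chi for the adjacency matrix A of Gamma_K(G, S)."""
    edges, eigs = projective_cayley(m, images), cyclic_spectrum(m, images)
    for t in range(m):
        for i in range(m):
            row = sum(cnt * chi(m, t, v) for (u, v), cnt in edges.items() if u == i)
            if abs(row - eigs[t] * chi(m, t, i)) > 1e-9:
                return False
    return True

def bounds():
    """Corollary 3.2 and Theorem 3.4 (Chung's paths of length l = 1) on the constructed instance."""
    lam_G, lam_proj = lam(spectrum_G()), lam(cyclic_spectrum(M_K, S_K))
    lam_simpl, kap = lam(cyclic_spectrum(M_K, simplified(S_K))), max_collision(S_K)
    return {"corollary_3_2": lam_proj <= lam_G + 1e-9,
            "theorem_3_4": len(simplified(S_K)) - lam_simpl
                           >= (len(S) - lam_proj) / kap - 1e-9}

def diameters():
    """Theorem 3.2: diam(Gamma_K) + diam(Gamma_H) <= diam(Gamma) + 1 and diam(Gamma_K) = diam(Gamma(K, S_K))."""
    return {"K": diameter(M_K, projective_cayley(M_K, S_K)),
            "K_simplified": diameter(M_K, projective_cayley(M_K, simplified(S_K))),
            "H": diameter(M_H, projective_cayley(M_H, S_H)),
            "G": diameter(M_H * M_K, cayley_G())}
```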
Before we proceed to analyze the structure of $A^*$, we first recall a proposition that we proved in Chapter 2:

Proposition 3.3 (Lemmas 2.1, 2.2, 2.3). There exists an embedding $\pi : L \hookrightarrow A$ such that for all $a \in L$, $\pi(a)$ can be computed in polynomial time, and $\pi(L) \simeq L$ as fields.

Lemma 3.1. If $p \ge e$, then
$$A^* \simeq \mathbb{Z}/(q^d - 1)\mathbb{Z} \oplus \bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}.$$

Proof. Consider the map $\varphi : A^* \to L^*$ where for each $a \in A^*$, $\varphi(a) = a \bmod f$. Clearly $\varphi$ is surjective. Its kernel is precisely
$$\ker\varphi = \{1 + bf : b \in A,\ 0 \le \deg b \le de - d - 1\}. \tag{3.3}$$
For every $1 + bf \in \ker\varphi$, since $A$ as a ring has characteristic $p$, its $p$-th power is given by
$$(1 + bf)^p \equiv 1 + b^p f^p \pmod{f^e}. \tag{3.4}$$
Given the condition $p \ge e$, we have
$$1 + b^p f^p \equiv 1 \pmod{f^e}. \tag{3.5}$$
Recall that $q = p^n$; by the structure theorem of finite abelian groups,
$$\ker\varphi \simeq \bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}. \tag{3.6}$$
In addition, notice that $|\ker\varphi| = p^{nd(e-1)}$, which is relatively prime to $|\mathrm{im}\,\varphi| = p^{nd} - 1$. It follows that $A^*$ is isomorphic to their direct product.

Obviously, this observation extends directly to the general case $B^* = \mathbb{F}_q[x]/F$, where $F = \prod_{i=1}^m f_i^{e_i}$ and each $f_i$ is an irreducible polynomial. In this case, by the Chinese Remainder Theorem, we have the isomorphism shown in Equation (2.1).

Theorem 3.5. If $p \ge \max_{i=1}^m e_i$, then
$$B^* \simeq \bigoplus_{i=1}^{m}\Big(\mathbb{Z}/(q^{d_i} - 1)\mathbb{Z} \oplus \bigoplus_{n d_i (e_i - 1)} \mathbb{Z}/p\mathbb{Z}\Big).$$

Proof. It follows from Lemma 3.1 and Equation (2.1).

3.3.2 Finding a basis

In order to compute the projection of an element, we first need a basis for $A^*$. From the proof of Lemma 3.1, we can see that
$$A^* = \pi(L^*) \times \ker\varphi, \tag{3.7}$$
and, as we have seen in Lemma 3.1, $\pi(L^*) \simeq \mathbb{Z}/(q^d - 1)\mathbb{Z}$ and $\ker\varphi \simeq \bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$. For the former component $\pi(L^*)$, we simply use an existing algorithm such as [24] to find a generator, which then serves as the base of this cyclic component. We then consider the latter component $\ker\varphi$. Let $K_j$ ($1 \le j \le e$) denote the subset of $A^*$ of the form $\{1 + h f^j \bmod f^e : h \in \mathbb{F}_q[x]\}$. By definition, $K_1 = \ker\varphi$ and $K_e = \{1\}$.
One may verify that each $K_j$ is actually a subgroup of $\ker\varphi$ (where the inverse of $1 + hf^j$ is $1 + \sum_{k=1}^{e-1} (-hf^j)^k$). Consider the following filtration of subgroups: $K_1 \supsetneq K_2 \supsetneq \dots \supsetneq K_e$. Assume $q = p^n$ with $\mathbb{F}_q \simeq \mathbb{F}_p[\theta]$. Then:

Lemma 3.2. For each $1 \le j \le e - 1$,
$$K_j/K_{j+1} = \prod_{k=0}^{d-1}\prod_{l=0}^{n-1} \langle 1 + \theta^l x^k f^j \rangle \simeq \bigoplus_{k=0}^{d-1}\bigoplus_{l=0}^{n-1} \mathbb{Z}/p\mathbb{Z}.$$

Proof. Consider the map $K_j \to \mathbb{F}_q[x]/f$ sending $1 + hf^j$ to $h \bmod f$. It is easy to verify that this is a group homomorphism with kernel $K_{j+1}$. Therefore, we have
$$K_j/K_{j+1} \simeq \mathbb{F}_q[x]/f \simeq \bigoplus_{k=0}^{d-1}\bigoplus_{l=0}^{n-1} \mathbb{Z}/p\mathbb{Z}, \tag{3.8}$$
whereby $1 + hf^j$ is mapped to $\bigoplus_{k=0}^{d-1}\bigoplus_{l=0}^{n-1} h_{k,l}$ if $h \bmod f$ is written in the form $h = \sum_{k=0}^{d-1} h_k x^k$ and each $h_k \in \mathbb{F}_q$ is written as $h_k = \sum_{l=0}^{n-1} h_{k,l}\theta^l$. Under this isomorphism, the basis $\{\theta^l x^k \mid 0 \le k \le d-1,\ 0 \le l \le n-1\}$ of $\mathbb{F}_q[x]/f$ corresponds to the basis $\{1 + \theta^l x^k f^j \mid 0 \le k \le d-1,\ 0 \le l \le n-1\}$ of $K_j/K_{j+1}$.

Lemma 3.3. The set of polynomials $\{1 + \theta^l x^k f^j \mid 0 \le l \le n-1,\ 0 \le k \le d-1,\ 1 \le j \le e-1\}$ forms a basis for $\ker\varphi$.

Proof. Clearly, this set contains $nd(e-1)$ elements, which is consistent with Equation (3.6). So it suffices to show that it generates $\ker\varphi$. Given any element $k_j \in K_j$, we first write it in the form $k_j = 1 + \sum_{t=j}^{e-1} h_t f^t$, where each $h_t$ has degree less than $d$. Under the isomorphism between $K_j/K_{j+1}$ and $\mathbb{F}_q[x]/f$ in the proof of Lemma 3.2, we see that $k_j$, $1 + h_j f^j$ and $\prod_{k=0}^{d-1}\prod_{l=0}^{n-1} (1 + \theta^l x^k f^j)^{h_{j,k,l}}$ are all in the same class of $K_j/K_{j+1}$, assuming $h_j$ is written in the form $h_j = \sum_{k=0}^{d-1} h_{j,k} x^k$ and each $h_{j,k} \in \mathbb{F}_q$ is written as $h_{j,k} = \sum_{l=0}^{n-1} h_{j,k,l}\theta^l$. By Lemma 3.2, the class of $k_j$ modulo $K_{j+1}$ is mapped to $\bigoplus_{k=0}^{d-1}\bigoplus_{l=0}^{n-1} h_{j,k,l}$. So
$$k_j = \Big(\prod_{k=0}^{d-1}\prod_{l=0}^{n-1} (1 + \theta^l x^k f^j)^{h_{j,k,l}}\Big)\, k_{j+1}, \tag{3.9}$$
where $k_{j+1} \in K_{j+1}$ is uniquely determined. Therefore, any element $k_1 = 1 + \sum_{t=1}^{e-1} h_t f^t \in K_1 = \ker\varphi$ can be decomposed recursively via Equation (3.9) for $j = 1, \dots, e-1$, so $k_1$ can be written as a product of elements from the set.
Therefore, if $p \ge e$, then we can use $Z := \{\pi(g)\} \cup \{1 + \theta^l x^k f^j \mid 0 \le l \le n-1,\ 0 \le k \le d-1,\ 1 \le j \le e-1\}$ as a basis for $A^*$, where $g$ is a generator of $(\mathbb{F}_q[x]/f)^*$. Obviously, this result extends naturally to the general case $B^*$.

Theorem 3.6. Let $g_i$ be a generator of $(\mathbb{F}_q[x]/f_i)^*$ and $\pi_i$ the embedding map from $\mathbb{F}_q[x]/f_i$ into $A_i$. If $p \ge \max_{i=1}^m e_i$, then the set $Z := \bigcup_{i=1}^m \{\psi(v^m_{i,z}) \mid z \in Z_i\}$ forms a basis for $B^*$, where $Z_i := \{\pi_i(g_i)\} \cup \{1 + \theta^l x^k f_i^j \mid 0 \le l \le n-1,\ 0 \le k \le d_i - 1,\ 1 \le j \le e_i - 1\}$.

Proof. By Lemma 3.1 and Lemma 3.3, each $Z_i$ is a basis for $A_i^*$, and $B^* \simeq \bigoplus_{i=1}^m A_i^*$. The union $\bigcup_{i=1}^m \{v^m_{i,z} \mid z \in Z_i\}$ forms a basis for the right-hand side.

Based on Theorem 3.6, we developed Algorithm 4. Given the input $q = p^n$ and $F$, if $p \ge \max_{i=1}^m e_i$ it outputs a basis for $B^*$; otherwise, it reports failure in finding a basis.

Algorithm 4 Basis(q, F)
 1: Factorize $q$ into $p^n$ and $F$ into $F = \prod_{i=1}^m f_i^{e_i}$ (if not provided), where each $f_i$ is an irreducible polynomial of degree $d_i$
 2: if $p \ge \max_{i=1}^m e_i$ then
 3:   $Z := \emptyset$
 4:   for $i = 1, \dots, m$ do
 5:     Find a generator $g$ for $(\mathbb{F}_q[x]/f_i)^*$ using existing algorithms
 6:     $z := \mathrm{Embed}(g, q, f_i, e_i)$
 7:     $Z := Z \cup \{\psi(v^m_{i,z})\}$
 8:     for all $0 \le l \le n-1$, $0 \le k \le d_i - 1$ and all $1 \le j \le e_i - 1$ do
 9:       $z := 1 + \theta^l x^k f_i^j$
10:       $Z := Z \cup \{\psi(v^m_{i,z})\}$
11:     end for
12:   end for
13: else
14:   return unknown
15: end if

3.3.3 Decomposition

In the proof of Lemma 3.3, we have seen an outline of our algorithm for decomposition. The pseudo-code for this algorithm is shown in Algorithm 5. Given an element $b \in \mathbb{F}_q[x]$ corresponding to an element of $B^*$, the algorithm either outputs its coordinates $\bigoplus_{i=1}^m \big(b_{i,0} \oplus \bigoplus_{j=1}^{n d_i(e_i-1)} b_{i,j}\big)$ with respect to Theorem 3.5, if $p \ge \max_{i=1}^m e_i$, or reports failure in decomposition. Note that in Lines 6 and 13, the inverse element is computed in $A_i^*$.
Algorithm 5 Decompose(q, F, b)
 1: Factorize $q$ into $p^n$ and $F$ into $F = \prod_{i=1}^m f_i^{e_i}$ (if not provided), where each $f_i$ is an irreducible polynomial of degree $d_i$
 2: if $p \ge \max_{i=1}^m e_i$ then
 3:   for $i = 1, \dots, m$ do
 4:     $a := b \bmod f_i^{e_i}$
 5:     $\eta := \mathrm{Embed}(a \bmod f_i, q, f_i, e_i)$
 6:     $\kappa := \eta^{-1} a$
 7:     $b_{i,0} :=$ discrete logarithm of $(a \bmod f_i)$ in $(\mathbb{F}_q[x]/f_i)^*$
 8:     for $j = 1, \dots, e_i - 1$ do
 9:       $h_j := \big((\kappa \bmod f_i^{j+1}) - 1\big)/f_i^j$, and write $h_j = \sum_{k=0}^{d_i-1}\big(\sum_{l=0}^{n-1} h_{j,k,l}\theta^l\big)x^k$
10:       for $k = 0, \dots, d_i - 1$, $l = 0, \dots, n-1$ do
11:         $b_{i,j,k,l} := h_{j,k,l}$
12:       end for
13:       $\kappa := \big(\prod_{k=0}^{d_i-1}\prod_{l=0}^{n-1} (1 + \theta^l x^k f_i^j)^{h_{j,k,l}}\big)^{-1}\kappa$
14:     end for
15:   end for
16:   return $\bigoplus_{i=1}^m \big(b_{i,0} \oplus \bigoplus_{j=1}^{e_i-1}\bigoplus_{k=0}^{d_i-1}\bigoplus_{l=0}^{n-1} b_{i,j,k,l}\big)$
17: else
18:   return unknown
19: end if

3.3.4 Expanders over direct sums of Z/pZ

Let us denote $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$ by $K$ and let $S := \{x + a \mid a \in \mathbb{F}_q\} \cap A^*$; then we may obtain the simplified projective Cayley graph $\Gamma(K, S_K)$ using the algorithms we have discussed. Clearly, $\Gamma(K,S_K)$ is a Cayley graph over $K = \bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$, and hence it remains to show that it is a good expander.

Lemma 3.4. With $A$, $K$ and $S$ defined as in Proposition 3.2, if $p \ge e$ and $\sqrt{q} > de - 1$, then $\kappa(S,K) = 1$, or in other words $\Gamma_K(A^*, S) \simeq \Gamma(K, S_K)$.

Proof. By Proposition 3.3 and Lemma 3.1, we have
$$A^* = \pi(L^*) \times K. \tag{3.10}$$
Consider any element $\alpha \in L$; its embedding into $A$ can be written in the form $\pi(\alpha) = \sum_{i=0}^{e-1} \alpha_i f^i$, where each $\alpha_i$ has degree less than $d := \deg f$. Since $\pi$ is an embedding, for all $\alpha$ it holds that $\pi(\alpha) \equiv \alpha \pmod f$, i.e. $\alpha_0 \equiv \alpha \pmod f$. Therefore, for any $a, b \in \mathbb{F}_q$ with $a \ne b$, the embeddings of $x + a$ and $x + b$ have the form
$$\pi(x + a) = (x + a) + \sum_{i=1}^{e-1} a_i f^i, \tag{3.11}$$
$$\pi(x + b) = (x + b) + \sum_{i=1}^{e-1} b_i f^i. \tag{3.12}$$
By Proposition 3.3, $\pi(L) \simeq L$ as fields, so combining with Equations (3.11) and (3.12) we have
$$\pi((x + a) - (x + b)) = \pi(a - b) = a - b = \pi(x + a) - \pi(x + b) = (a - b) + \sum_{i=1}^{e-1} (a_i - b_i) f^i. \tag{3.13}$$
Therefore, by Equation (3.13), $a_i = b_i$ for all $i \ge 1$.
That is, for all elements of the form $x + a$ with $a \in \mathbb{F}_q$, there is a uniform sequence of parameters $u_1, u_2, \dots, u_{e-1} \in A$ with $\deg u_i < d$ for all $i$, such that
$$x + a = \Big((x + a) + \sum_{i=1}^{e-1} u_i f^i\Big)\Big(1 + \sum_{i=1}^{e-1} a_i f^i\Big) = (x + a) + \big((x + a)a_1 + u_1\big) f + \dots, \tag{3.14}$$
$$x + b = \Big((x + b) + \sum_{i=1}^{e-1} u_i f^i\Big)\Big(1 + \sum_{i=1}^{e-1} b_i f^i\Big) = (x + b) + \big((x + b)b_1 + u_1\big) f + \dots, \tag{3.15}$$
where each $a_i, b_i \in A$ has degree less than $d$. Comparing Equations (3.14) and (3.15), we see that $a_1$ is uniquely determined by $a$ and $b_1$ is uniquely determined by $b$. Since $a \ne b$ by assumption, $a_1 \ne b_1$, and thus $(x + a)_K \ne (x + b)_K$.

Theorem 3.7. With $A$, $K$, $S$ defined as in Proposition 3.2, if $p \ge e$ and $\sqrt{q} > de - 1$, then $\Gamma(K, S_K)$ is an expander Cayley graph of degree $q$ over $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$ whose second eigenvalue is bounded by $(de - 1)\sqrt{q}$.

Proof. By Proposition 3.2, the graph $\Gamma(A^*, S)$ is an expander graph of degree $q$ whose second eigenvalue is bounded by $(de - 1)\sqrt{q}$. By Lemma 3.4, $|S_K| = |S| = q$, so $\Gamma(K, S_K)$ has degree $q$. In addition, Corollary 3.2 and Theorem 3.4 imply that the second eigenvalue of $\Gamma(K, S_K)$ is at most $(de - 1)\sqrt{q}$.

3.4 Remarks and Future Work

We remark that projective and simplified projective graphs can be similarly defined for Sum graphs. We noticed that our results extend naturally to projective Sum graphs and simplified Sum graphs. In this case, using the techniques we have discussed, undirected expander graphs over $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$ can be similarly constructed.

For future work, a handy problem would be constructing expander graphs over groups of the form $\bigoplus_{i=1}^k \mathbb{Z}/p_i\mathbb{Z}$. Thereby, constructing expander graphs over $\bigoplus_k \mathbb{Z}/n\mathbb{Z}$ for any $n > 1$ is expected to be a much more challenging problem. In addition, another important aspect to investigate would be where and how expander Cayley graphs over $\bigoplus \mathbb{Z}/p\mathbb{Z}$ can be applied.
Chapter 4
Expander Graphs and Pseudorandomness

4.1 Introduction

In this chapter, we focus on potential applications of the expander Cayley graphs described previously. As an example, we propose a simple pseudorandom generator, which might be useful for applications with a loose requirement on the quality of the pseudorandom strings. However, an important question is whether our pseudorandom generator is cryptographically secure, and if not, what level of security it guarantees. As expected, this turns out to be a hard question, and currently we do not have a satisfactory answer to it. In fact, how to construct a secure and efficient pseudorandom generator has been an open problem since the birth of modern cryptography, whose solution may lead to huge breakthroughs in computer science. Therefore, our goal here is not to address this problem, even partially. Nevertheless, as we shall see later in our analysis, our expander graphs do show some new features that previous constructions do not have. These new features might bring potential topics for future research.

4.2 Related Work

Before we proceed, let us start with a few definitions.

A random $k$-bit string $x$ is said to be truly random if it is drawn from the uniform distribution over $\{0,1\}^k$, denoted by $x \in_R \{0,1\}^k$. In other words, for all $r \in \{0,1\}^k$, $\Pr[x = r] = 2^{-k}$. A pseudorandom generator is a deterministic algorithm which takes a bit string of length $k$ as input and outputs a bit string of length $n$, where $k < n$. In this thesis, we only focus on pseudorandom generators that run in time polynomial in $n$. We say a bit string is pseudorandom if it is generated by a pseudorandom generator. In theory and practice, it is important to justify the quality of pseudorandom generators. Informally, we say a pseudorandom generator is secure if it is hard for every adversary with bounded computation power to distinguish it from a truly random source.
To give a more precise definition of cryptographic security, we briefly recall a few more definitions.

Definition 4.1 (negligible function). A function $\epsilon : \mathbb{N} \to \mathbb{R}$ is said to be negligible if for every positive integer $c$ there exists an integer $N_c$ such that for all $n > N_c$, $|\epsilon(n)| < 1/n^c$.

Example 4.1. The functions $f(n) = 2^{-n}$, $f(n) = 2^{-\sqrt{n}}$ and $f(n) = n^{-\log n}$ are all negligible.

Definition 4.2 (distinguisher). A distinguisher is an algorithm $\mathcal{D}$ that outputs either 0 or 1 on every input. A probabilistic polynomial-time distinguisher is a distinguisher that has unlimited access to a truly random source and runs in polynomial time. Given a distinguisher $\mathcal{A}$ and an input $x \in \{0,1\}^k$, we write the output of $\mathcal{A}$ as $\mathcal{A}(x)$. By definition, $\mathcal{A}(x) \in \{0,1\}$ for all $x$.

Definition 4.3 (secure pseudorandom generator). Let $l$ be a polynomial and let $G$ be a deterministic polynomial-time algorithm such that for every input $s \in \{0,1\}^k$, $G$ outputs a bit string of length $l(k)$. We say that $G$ is a secure pseudorandom generator if the following conditions hold:
• $l(k) > k$ for all $k$;
• for every probabilistic polynomial-time distinguisher $\mathcal{D}$, there exists a negligible function $\epsilon$ such that
$$\Big|\Pr_{r \in_R \{0,1\}^{l(k)}}[\mathcal{D}(r) = 1] - \Pr_{s \in_R \{0,1\}^k}[\mathcal{D}(G(s)) = 1]\Big| \le \epsilon(k).$$
We call $s$ a seed and $l$ the expansion ratio of $G$.

Note that it is impossible to build a secure pseudorandom generator if the distinguisher is given exponential-time computation power, because pseudorandom generators are deterministic algorithms, so there are at most $2^k$ outputs, which an exponential-time algorithm can distinguish by brute force.

Yao [45] introduced an equivalent way to characterize secure pseudorandom generators. Namely, unpredictability implies pseudorandomness.

Definition 4.4 (unpredictability). Let $G : \{0,1\}^k \to \{0,1\}^{l(k)}$ be a polynomial-time computable function.
We say $G$ is unpredictable if for every probabilistic polynomial-time algorithm $\mathcal{B}$, there is a negligible function $\epsilon : \mathbb{N} \to [0,1]$ such that
$$\Pr_{x \in_R \{0,1\}^k,\ y = G(x),\ 1 \le i \le l(k)}\big[\mathcal{B}(1^k, y_1, \dots, y_{i-1}) = y_i\big] \le \frac{1}{2} + \epsilon(k).$$
In other words, predicting the $i$-th bit given the first $i - 1$ bits, where $i$ is a randomly chosen index, is difficult for every probabilistic polynomial-time algorithm.

Yao's unpredictability theorem [45] states that

Proposition 4.1. Let $l : \mathbb{N} \to \mathbb{N}$ be a polynomial-time computable function, and $G : \{0,1\}^* \to \{0,1\}^*$ a polynomial-time computable function such that $|G(x)| = l(|x|)$ for every $x \in \{0,1\}^*$. If $G$ is unpredictable, then it is a secure pseudorandom generator. Moreover, for every probabilistic polynomial-time distinguisher $\mathcal{D}$ there exists a probabilistic polynomial-time algorithm $\mathcal{B}$ such that for every $k \in \mathbb{N}$ and $\delta > 0$, if
$$\Pr_{x \in_R \{0,1\}^k}[\mathcal{D}(G(x)) = 1] - \Pr_{x \in_R \{0,1\}^{l(k)}}[\mathcal{D}(x) = 1] \ge \delta,$$
then
$$\Pr_{x \in_R \{0,1\}^k,\ y = G(x),\ 1 \le i \le l(k)}\big[\mathcal{B}(1^k, y_1, \dots, y_{i-1}) = y_i\big] \ge \frac{1}{2} + \frac{\delta}{l(k)}.$$

Yao's proof is constructive (see [6], Theorem 9.11), which implies that if there is a good distinguisher $\mathcal{D}$ that can tell the difference between a pseudorandom source and a truly random one with "high" probability, we can actually construct a corresponding probabilistic polynomial-time predictor $\mathcal{B}$ that predicts the $i$-th bit (chosen at random) generated by the pseudorandom source with "high" probability.

According to [28], existing constructions of pseudorandom generators can be divided into two categories: practical constructions and theoretical constructions. Some pseudorandom generators of the first category are efficient enough for real-world applications. The security of this type of pseudorandom generator is based on heuristic assumptions that are hard to justify. Yet, currently, there is no evidence showing that these generators are insecure either.
In contrast, the latter approach relies only on the existence of one-way functions, which is widely agreed to be a much more acceptable heuristic assumption. However, pseudorandom generators based on this approach are too inefficient from a practical point of view.

4.3 Expander Cayley Graphs over Bit Strings

Recall that in Chapter 3, we presented an algorithm for explicitly constructing expander Cayley graphs over direct sums of multiple copies of $\mathbb{Z}/p\mathbb{Z}$:

Proposition 4.2 (Theorem 3.7). Let $p$ be a prime, $q = p^n$ for some $n \ge 1$ a prime power, and $d \ge 1$, $e \ge 2$ integers. If $p \ge e$ and $\sqrt{q} > de - 1$, then in polynomial time we can explicitly construct an expander Cayley graph over $\bigoplus_{nd(e-1)} \mathbb{Z}/p\mathbb{Z}$ whose degree is bounded by $q$ and whose second eigenvalue is bounded by $(de - 1)\sqrt{q}$.

The special case of particular interest is $p = 2$. In this case, the vertices of the Cayley graph naturally correspond to bit strings of a fixed length, and each edge of the graph corresponds to a transition between two bit strings under the standard exclusive-or operation.

Theorem 4.1. For every integer $l$ that can be written as $l = m 2^m$ for some integer $m \ge 2$, let $G$ be the group $\bigoplus_l \mathbb{Z}/2\mathbb{Z}$. Then in polynomial time we can find a generating set $S \subseteq G$ such that the Cayley graph $\Gamma_l := \Gamma(G, S)$ satisfies the following properties:
1. $\deg(\Gamma_l) = |S| \le 2^{2m}$;
2. $\lambda_2(\Gamma_l) \le 2^{2m} - 2^m$;
3. the adjacency matrix of $\Gamma_l$ is symmetric, or in other words, $\Gamma_l$ can equivalently be regarded as an undirected graph;
4. lazy random walks on $\Gamma_l$ are ergodic and reversible, and the stationary distribution $\pi$ is the uniform distribution over $G$.

Proof. We fix $p = e = 2$ and choose $n = 2m$ and $d = 2^{m-1}$. Under this setting, it is easy to verify that $p \ge e$ and
$$\sqrt{q} = \sqrt{2^{2m}} = 2^m > 2^m - 1 = 2^{m-1} \cdot 2 - 1 = de - 1. \tag{4.1}$$
By Proposition 4.2, in polynomial time we can construct a graph $\Gamma_l$ whose degree is bounded by $q = 2^{2m}$ and whose second eigenvalue is at most
$$(de - 1)\sqrt{q} = (2 \cdot 2^{m-1} - 1)\sqrt{2^{2m}} = 2^{2m} - 2^m, \tag{4.2}$$
so the first two properties are proved. For any edge $u \to v$ in $\Gamma_l$, by definition there exists an $s \in S$ such that $us = v$. Also notice that $g^2 = 1$ for all elements $g \in G$, so $vs = (us)s = us^2 = u$. Therefore, there is also an edge $v \to u$ in $\Gamma_l$, which implies the third property. The ergodicity of lazy random walks on $\Gamma_l$ follows from the fact that $\Gamma_l$ is strongly connected and lazy random walks naturally guarantee aperiodicity. The stationary distribution follows from the fact that $\Gamma_l$ is undirected and regular. For reversibility, we verify that for an arbitrary edge $\{u, v\}$ it holds that
$$\pi(u)\Pr[u \to v] = \frac{1}{2^l} \cdot \frac{1}{\deg(\Gamma_l)} = \pi(v)\Pr[v \to u]. \tag{4.3}$$

4.4 A Simple Pseudorandom Generator

The idea of our pseudorandom generator is very simple and straightforward. Given $l = m 2^m$ that is sufficiently large, we first construct the graph $\Gamma_l$. Each time, we take a lazy random walk starting at $0$ for a number of steps, and the output is the string corresponding to the vertex at which the random walk arrives. Therefore, an important question is how many steps are needed to guarantee good pseudorandomness. Clearly, each step of the lazy random walk takes $1 + \log_2 q = 2m + 1$ random bits, and hence we are allowed to take $t$ random steps, where
$$t = \frac{2^m}{3} < \frac{2^m}{2 + 1/m} = \frac{m 2^m}{2m + 1}. \tag{4.4}$$

4.5 Indistinguishability: a Discussion

In order to show a hardness result for the indistinguishability of our pseudorandom generator, we have to find a problem which is hard on average to reduce to. On the one hand, by the design of our pseudorandom generator, all the possible outputs have a relatively short distance, i.e. within $2^m/3$ steps, from the origin.
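As an added example (not the thesis's own code), here is the construction of Sections 3.3.1 to 3.3.4 and 4.3 carried out for the smallest instance of Theorem 4.1, $m = 2$: $p = e = 2$, $n = 2m = 4$, $d = 2^{m-1} = 2$, so $q = 16$ and $K = (\mathbb{Z}/2\mathbb{Z})^8$. It computes $S_K$ for $S = \{x + a : a \in \mathbb{F}_{16}\}$ through the decomposition $A^* = \pi(L^*) \times \ker\varphi$ of Lemma 3.1 (using $a \mapsto a^{q^d}$ as the embedding, which is valid because $p \ge e$), checks $\kappa(S,K) = 1$ (Lemma 3.4) and the bound $\lambda_2 \le 2^{2m} - 2^m = 12$ of Theorem 4.1 through the character formula of Theorem 3.3, and then runs the seed-driven lazy walk of Section 4.4. The representation of $\mathbb{F}_{16}$, the choice of $f$ and all function names are assumptions of the example.

```python
N, D, E = 4, 2, 2        # q = 2^N = 16, deg f = D, A = F_q[x]/f^E, so K = (Z/2Z)^(N*D*(E-1))
Q = 1 << N
FIELD_MOD = 0b10011      # F_16 = F_2[y]/(y^4 + y + 1); field elements are 4-bit ints
L_BITS = N * D * (E - 1) # = 8 = m 2^m for m = 2: the bit length of a vertex of K

def gf_mul(a, b):
    """Multiplication in F_16: carry-less product reduced by y^4 + y + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= FIELD_MOD
    return r

def trim(u):
    """Drop leading zero coefficients; polynomials are lists with index = degree."""
    while len(u) > 1 and u[-1] == 0:
        u.pop()
    return u

def pmul(u, v):
    out = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            out[i + j] ^= gf_mul(a, b)
    return trim(out)

def pdivmod(u, m):
    """Quotient and remainder of u by the monic polynomial m."""
    u, quo = u[:], [0] * max(1, len(u) - len(m) + 1)
    while len(u) >= len(m):
        c, shift = u[-1], len(u) - len(m)
        quo[shift] = c
        for i, b in enumerate(m):
            u[shift + i] ^= gf_mul(c, b)
        u.pop()
    return trim(quo), trim(u)

def pmulmod(u, v, m):
    return pdivmod(pmul(u, v), m)[1]

def ppow(u, k, m):
    """u^k modulo m by square-and-multiply."""
    result = [1]
    while k:
        if k & 1:
            result = pmulmod(result, u, m)
        u, k = pmulmod(u, u, m), k >> 1
    return result

def find_f():
    """First monic x^2 + x + alpha without a root in F_16, hence irreducible over F_16."""
    for alpha in range(1, Q):
        if all(gf_mul(t, t) ^ t ^ alpha for t in range(Q)):
            return [alpha, 1, 1]

F = find_f()
F2 = pmul(F, F)          # A = F_16[x]/F2; each unit factors as pi(a mod f) * kappa

def project_to_K(a):
    """Coordinates in K = ker(phi) of a unit a of A (Lemmas 3.1, 3.2).  With p >= e the
    kernel factor of a has order p, so pi(a mod f) = a^(q^d), and pi(L^*) has order
    q^d - 1, so pi(.)^(-1) = pi(.)^(q^d - 2).  kappa = 1 + h f; the F_2-coefficient of
    theta^l x^k in h is bit l + N*k of the returned integer (the basis of Lemma 3.2)."""
    pi = ppow(a, Q ** D, F2)
    kappa = pmulmod(a, ppow(pi, Q ** D - 2, F2), F2)
    kappa[0] ^= 1                                    # kappa - 1 = h f
    h, rem = pdivmod(kappa, F)
    assert rem == [0], "element is not in ker(phi)"
    h += [0] * (D - len(h))
    return sum(h[k] << (N * k) for k in range(D))

S = [[a, 1] for a in range(Q)]     # S = {x + a : a in F_q}: all units, since deg f = 2
SK = [project_to_K(s) for s in S]  # S_K, the generating set of Gamma(K, S_K) over (Z/2Z)^8

def second_eigenvalue(generators):
    """Theorem 3.3 on K = (Z/2Z)^8 with chi_c(k) = (-1)^(c.k): max |eigenvalue| over c != 0."""
    worst = 0
    for c in range(1, 1 << L_BITS):
        eig = sum(1 - 2 * (bin(c & s).count("1") & 1) for s in generators)
        worst = max(worst, abs(eig))
    return worst

def lazy_walk(seed, steps, generators=SK):
    """Section 4.4: lazy random walk from 0 driven by seed bits.  Each step consumes
    1 + log2(q) = 5 bits: bit 0 says move or stay, the next 4 select the generator."""
    v = 0
    for _ in range(steps):
        move, idx = seed & 1, (seed >> 1) & (Q - 1)
        seed >>= 1 + N
        if move:
            v ^= generators[idx]                     # edge v -> v XOR s_K
    return v                                         # XOR of at most `steps` generators
```

For $m = 2$ the budget of Equation (4.4) allows only $t = 1$ step, so the walk here shows the mechanism rather than any output quality.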
Thus, if there were an efficient algorithm for telling whether a bit string has a short distance from the origin on the graph, then obviously our pseudorandom generator could not be secure. Hence, we make the heuristic assumption that some instances of the so-called short representation problem are, on average, hard to solve for all probabilistic polynomial-time algorithms.

Definition 4.5 (short representation problem). Given a fixed $n \times n^2$ matrix $M$ over $\mathbb{F}_2$, a vector $b \in \mathbb{F}_2^n$ and an integer $t$, decide whether there exists $x \in \mathbb{F}_2^{n^2}$ such that $\|x\|_1 \le t$ and $Mx = b$.

A hardness result by Amaldi and Kann [5] shows that it is not possible to approximate the quantity $\min\{\|x\|_0 : Ax = b\}$ within a factor better than $2^{\log^{1/2} n}$ unless NP has quasi-polynomial time algorithms. However, it is not clear whether this result still holds in the average case. Another gap is that in our situation $M$ is not arbitrary. Instead, when we fix $p = e = 2$, $M$ is determined by the choice of $f$. To see this, recall that the generating set $S$ depends on $f$, and in our situation each column of $M$ represents $s_K$ for some $s \in S$. The number of possible irreducible monic polynomials $f$ of degree $n$ over $\mathbb{F}_2$ is $(2^n - 2)/n$, and thus the number of possible $M$ in our situation is at most this large.

On the other hand, an important question is whether the indistinguishability problem can be reduced to the short representation problem. That is, whether a good distinguisher that breaks our pseudorandom generator can be used to construct an efficient algorithm for the short distance problem. Currently, this is unknown to us as well.

4.6 Conclusion and Future Work

Obviously, a lot of work remains to be done to quantify the security of our pseudorandom generator. Nevertheless, along with our discussion, we see that our graphs over bit strings are not only good expanders but also Cayley graphs.
The underlying group structure of the graph may be quite useful for reducing the indistinguishability problem to other problems.

Bibliography

[1] Leonard M. Adleman and Ming-Deh A. Huang. Function field sieve method for discrete logarithms over finite fields. Information and Computation, 151(1–2):5–16, 1999.
[2] N. Alon, A. Lubotzky, and A. Wigderson. Semi-direct product in groups and zig-zag product in graphs: connections and applications. In Proceedings 2001 IEEE International Conference on Cluster Computing, pages 630–637, Oct 2001.
[3] N. Alon and V. D. Milman. λ1, isoperimetric inequalities for graphs, and superconcentrators. Journal of Combinatorial Theory, Series B, 38(1):73–88, 1985.
[4] Noga Alon and Joel H. Spencer. The Probabilistic Method. Wiley Publishing, 4th edition, 2016.
[5] Edoardo Amaldi and Viggo Kann. On the approximability of minimizing nonzero variables or unsatisfied relations in linear systems. Theoretical Computer Science, 209(1–2):237–260, 1998.
[6] Sanjeev Arora and Boaz Barak. Computational Complexity: A Modern Approach, 2009.
[7] M. Artin. Algebra. Prentice Hall, 1991.
[8] Abhishek Bhowmick and Thái Hoàng Lê. On primitive elements in finite fields of low characteristic. Finite Fields and Their Applications, 35:64–77, 2015.
[9] Yonatan Bilu and Nathan Linial. Lifts, discrepancy and nearly optimal spectral gap. Combinatorica, 26(5):495–519, 2006.
[10] Béla Bollobás and Andrew Thomason. Graphs which contain all small graphs. European Journal of Combinatorics, 2(1):13–15, 1981.
[11] F. R. K. Chung. Spectral Graph Theory. American Mathematical Society, 1997.
[12] Fan Chung. Laplacians and the Cheeger inequality for directed graphs. Annals of Combinatorics, 9(1):1–19, 2005.
[13] Fan R. K. Chung. Several generalizations of Weil sums. J. Number Theory, 49:95–106, 1994.
[14] The Sage Developers. Sage Mathematics Software (Version x.y.z), YYYY. http://www.sagemath.org.
[15] Irit Dinur. The PCP theorem by gap amplification. J. ACM, 54(3), June 2007.
[16] Jozef Dodziuk. Difference equations, isoperimetric inequality and transience of certain random walks. Transactions of the American Mathematical Society, 284:787–794, 1984.
[17] Joel Friedman. Relative expanders or weakly relatively Ramanujan graphs. Duke Math. J., 118(1):19–35, 2003.
[18] F. R. K. Chung. Diameters and eigenvalues. American Mathematical Society, 2(2):187–196, 1989.
[19] Ofer Gabber and Zvi Galil. Explicit constructions of linear-sized superconcentrators. Journal of Computer and System Sciences, 22(3):407–420, 1981.
[20] Faruk Göloğlu, Robert Granger, Gary McGuire, and Jens Zumbrägel. On the function field sieve and the impact of higher splitting probabilities. In Advances in Cryptology – CRYPTO 2013: 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013, Proceedings, Part II, pages 109–128. Springer Berlin Heidelberg, Berlin, Heidelberg, 2013.
[21] Shlomo Hoory, Nathan Linial, and Avi Wigderson. Expander graphs and their applications. Bull. Amer. Math. Soc., 43(4):439–561, 2006.
[22] Ming-Deh Huang and Lian Liu. Constructing small generating sets for the multiplicative groups of algebras over finite fields. In Proceedings of the ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC ’16, pages 287–294, New York, NY, USA, 2016. ACM.
[23] Ming-Deh Huang and Lian Liu. Constructing small generating sets for the multiplicative groups of algebras over finite fields. In Proceedings of the ACM on International Symposium on Symbolic and Algebraic Computation, ISSAC ’16, pages 287–294, New York, NY, USA, 2016. ACM.
[24] Ming-Deh Huang and Anand Kumar Narayanan. Finding primitive elements in finite fields of small characteristic. CoRR, abs/1304.1206, 2013.
[25] Antoine Joux. A new index calculus algorithm with complexity L(1/4 + o(1)) in very small characteristic. Cryptology ePrint Archive, Report 2013/095, 2013.
[26] Martin Kassabov. Symmetric groups and expander graphs. Inventiones mathematicae, 170(2):327–354, 2007.
[27] Martin Kassabov. Kazhdan constants for SL_n(Z). International Journal of Algebra and Computation, page 2197816, 2008.
[28] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series). Chapman & Hall/CRC, 2007.
[29] Nicholas M. Katz. An estimate for character sums. Journal of the American Mathematical Society, 2(2):197–200, 1989.
[30] M. Lu, D. Wan, L.-P. Wang, and X.-D. Zhang. Algebraic Cayley graphs over finite fields. Finite Fields and Their Applications, 28:43–56, 2014.
[31] A. Lubotzky, R. Phillips, and P. Sarnak. Ramanujan graphs. Combinatorica, 8(3):261–277, 1988.
[32] Adam Marcus, Daniel Spielman, and Nikhil Srivastava. Interlacing families I: Bipartite Ramanujan graphs of all degrees. Annals of Mathematics, pages 307–325, July 2015.
[33] G. A. Margulis. Explicit constructions of concentrators. Problemy Peredaci Informacii, pages 71–80.
[34] G. A. Margulis. Explicit group-theoretical constructions of combinatorial schemes and their application to the design of expanders and concentrators. Probl. Peredachi Inf., pages 51–60, 1988.
[35] Rajeev Motwani and Prabhakar Raghavan. Randomized Algorithms. Cambridge University Press, New York, NY, USA, 1995.
[36] Gary L. Mullen and Daniel Panario. Handbook of Finite Fields. Chapman & Hall/CRC, 1st edition, 2013.
[37] Roman Popovych. Elements of high order in finite fields of the form F_q[x]/(x^m − a). Finite Fields and Their Applications, 19(1):86–92, 2013.
[38] Omer Reingold, Salil Vadhan, and Avi Wigderson. Entropy waves, the zig-zag graph product, and new constant-degree expanders. Annals of Mathematics, 155(1):157–187, 2002.
[39] Sheldon M. Ross. Stochastic Processes (Wiley Series in Probability and Statistics). Wiley, 2nd edition, February 1995.
[40] Victor Shoup. Searching for primitive roots in finite fields. Mathematics of Computation, 58(197):369–380, 1992.
[41] Igor E. Shparlinski. Cayley graphs generated by small degree polynomials over finite fields. SIAM Journal on Discrete Mathematics, 29(1):376–381, 2015.
[42] Joachim von zur Gathen and Igor Shparlinski. Orders of Gauss periods in finite fields. Applicable Algebra in Engineering, Communication and Computing, 9(1):15–24.
[43] Daqing Wan. Generators and irreducible polynomials over finite fields. Mathematics of Computation, 66:1195–1212, 1997.
[44] A. Weil. Basic Number Theory. Grundlehren der mathematischen Wissenschaften. Springer-Verlag, 1974.
[45] A. C. Yao. Theory and application of trapdoor functions. In Foundations of Computer Science, 1982. SFCS ’08. 23rd Annual Symposium on, pages 80–91, Nov 1982.
Abstract
We present an explicit construction of expander Cayley graphs over the direct sum of multiple copies of ℤ/pℤ, where p is a prime number. So far as we know, our work is the first expander Cayley graph construction over such groups. Our construction consists of two phases. In the first phase, we consider Cayley graphs over the multiplicative groups of algebras over finite fields. We prove that for some well-chosen small generating sets, which can be computed in polynomial time, the induced Cayley graphs are expanding. In the second phase, we construct a new Cayley graph by projecting the graph created in the first phase onto a direct component of the underlying group. We show that the component onto which the graph is projected is isomorphic to the direct sum of multiple copies of ℤ/pℤ, and that the resulting Cayley graph is a good expander. Interestingly, we found that many expander graphs whose degrees are not of any special form can be explicitly constructed under this framework, which could be regarded as tiny progress towards the open problem of constructing infinite families of Ramanujan graphs of every degree.

A special case of particular interest is when p equals 2. In this situation, the vertices of such a graph naturally correspond to bit strings of a fixed length, and each edge represents a transition between two bit strings under the standard exclusive-or operation. As an application, we then propose a simple pseudorandom generator based on random walks on the graph. An important question is whether our pseudorandom generator is indistinguishable from a truly random source under probabilistic polynomial-time attacks; this, however, remains open. In fact, constructing a secure and efficient pseudorandom generator has been an open problem since the birth of modern cryptography, and its solution may lead to huge breakthroughs in computer science. Therefore, our goal here is not to address this problem, even partially. Instead, along with our discussion, we demonstrate that our expander Cayley graphs have some appealing features that no previous construction has. These new features might open up many potential topics for future research.
Asset Metadata
Creator: Liu, Lian (author)
Core Title: Expander Cayley graphs over finite strings and pseudorandomness
School: Viterbi School of Engineering
Degree: Doctor of Philosophy
Degree Program: Computer Science
Degree Conferral Date: 2017-05
Publication Date: 03/29/2017
Defense Date: 03/09/2017
Publisher: Los Angeles, California (original); University of Southern California (original); University of Southern California. Libraries (digital)
Tag: algebra, Cayley graph, expander graph, finite field, generating set, OAI-PMH Harvest, pseudorandom generator, random walk
Format: theses (aat)
Language: English
Contributor: Electronically uploaded by the author (provenance)
Advisor: Huang, Ming-Deh (committee chair), Ross, Sheldon (committee member), Teng, Shang-Hua (committee member)
Creator Email: csliulian@gmail.co, lianliu@usc.edu
Permanent Link (DOI): https://doi.org/10.25549/usctheses-oUC11257924
Unique identifier: UC11257924
Identifier: etd-LiuLian-5150.pdf (filename)
Legacy Identifier: etd-LiuLian-5150
Dmrecord: 349737
Document Type: Dissertation
Rights: Liu, Lian
Internet Media Type: application/pdf
Type: texts
Source: University of Southern California (contributing entity); University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Repository Email: cisadmin@lib.usc.edu