Keyed hash function from large girth expander graphs
Eustrat Zhupa, Monika K. Polak

TL;DR
This paper introduces a new keyed hash function based on large girth expander graphs, offering flexible output lengths, high efficiency, and strong mixing properties suitable for message authentication.
Contribution
The paper presents a novel MAC construction using expander graphs with large girth, providing flexible output lengths and efficient implementation.
Findings
Achieves 4 operations per input bit.
Outputs are indistinguishable from random bits.
Supports messages of arbitrary length.
Abstract
In this paper we present an algorithm to compute keyed hash function (message authentication code MAC). Our approach uses a family of expander graphs of large girth denoted , where is a natural number bigger than one and is a prime power. Expander graphs are known to have excellent expansion properties and thus they also have very good mixing properties. All requirements for a good MAC are satisfied in our method and a discussion about collisions and preimage resistance is also part of this work. The outputs closely approximate the uniform distribution and the results we get are indistinguishable from random sequences of bits. Exact formulas for timing are given in term of number of operations per bit of input. Based on the tests, our method for implementing DMAC shows good efficiency in comparison to other techniques. 4 operations per bit of input can be achieved. The…
| UTF-8 | UTF-16 | UTF-32 | ||
|---|---|---|---|---|
| bits | ||||
| bits | ||||
| bits | ||||
| bits |
| MAC type | Original Message | Output | IV | |
|---|---|---|---|---|
| DMAC-1 | The sky announced a beautiful day: the setting moon shane pale in an immense field of azure, which, towards the east, mingled itself lightly with the rosy dawn. | 49 a7 df d0 58 51 6a 9d 4e 94 2d 43 2a b9 60 f2 ab 22 5a a8 18 13 20 7d f7 1 5f ad 21 3f 56 45 | hint | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] |
| The sky … | 2d 48 b6 e4 50 de 8b d2 2e b4 1b d fb 9f b6 63 a1 7b e2 ee 4 e7 b1 ed 88 25 51 ca c4 7d e3 36 | hint | [149, 219, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] | |
| The sky … | 78 46 b2 50 81 c1 ba b2 c c4 e6 6c 7a 69 b4 fd c6 64 a 69 30 e0 4d 30 1e e7 9c 36 55 e d1 8a | hunt | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] | |
| Da sky … | 86 f8 16 c5 dd 100 28 d1 91 8f 48 3c ff 3a a6 e2 b1 31 23 91 17 73 64 86 be 6b 81 ad 5e 10 67 56 | hint | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] | |
| DMAC-2 | The sky announced a beautiful day… | 6f ed d1 fb 2f cf 56 fc a9 5e c8 1d 90 ec f7 4a df 42 1a 1e 3b 16 62 54 90 81 a2 a4 7e 3f 8d db | red | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] |
| The sky … | 59 9 c2 a b1 ba 88 1b 12 e7 f3 a 65 71 87 7b 25 c4 20 57 38 6e 54 b0 b8 19 74 5b d8 33 46 d | rid | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] | |
| The sky … | d7 92 60 73 0 dd ef fa 6 3 f2 c6 9b 62 c6 58 e7 59 31 a5 2d 5e 34 67 7d a9 95 30 86 12 9a e0 | red | [149, 221, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] | |
| Da sky … | 54 c7 8 d3 d9 fc c1 ed 57 18 9d 74 62 d2 5d 35 5a cd 15 3c b7 19 9a 3c 79 1d 4c 68 69 3b d8 6b | red | [147, 217, 2582, 2976, 1718, 1599, 27, 1083, 471, 1461, 1076, 2255, 2875, 2696, 2793, 1015, 1477, 1271, 2856, 221, 961, 2839, 1789, 1845, 1157, 622, 758, 882, 210, 1846, 3009, 410] |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsCryptographic Implementations and Security · DNA and Biological Computing · Coding theory and cryptography
Keyed hash function from large girth expander graphs
Eustrat Zhupa
University of Rochester
500 Joseph C. Wilson Blvd.
Rochester, NY 14627, USA
Monika K. Polak
Rochester Institute of Technology
102 Lomb Memorial Dr
Rochester, NY 14623, USA
Abstract
In this paper we present an algorithm to compute keyed hash function (message authentication code MAC). Our approach uses a family of expander graphs of large girth denoted , where is a natural number bigger than one and is a prime power. Expander graphs are known to have excellent expansion properties and thus they also have very good mixing properties. All requirements for a good MAC are satisfied in our method and a discussion about collisions and preimage resistance is also part of this work. The outputs closely approximate the uniform distribution and the results we get are indistinguishable from random sequences of bits. Exact formulas for timing are given in term of number of operations per bit of input. Based on the tests, our method for implementing DMAC shows good efficiency in comparison to other techniques. 4 operations per bit of input can be achieved. The algorithm is very flexible and it works with messages of any length. Many existing algorithms output a fixed length tag, while our constructions allow generation of an arbitrary length output, which is a big advantage.
1 Introduction
Our work is motivated by the work of Charles, Goren and Lauter, [6]. They proposed the construction of collision resistant hash function from expander graphs. The family of graphs they used were Ramanujan graphs constructed by Lubotzky, Philips and Sarnak (see [18]) and Pizer’s Ramanujan graphs, [23]. Hash functions from LPS require 7 field multiplications per bit of input, but the field size may need to be bigger (1024 bit prime p instead of 256 bits, for example), and the output is bits. When the hash function from Pizer’s graph , for , requires field multiplications per bit of input, which is quite inefficient (the authors propose to use a graph of cryptographic size ). The output of this hash function is bits. The idea presented in [6] is very good, but collisions for this hash were found (see [26]). However, expander graphs can be used to produce keyed hash function (message authentication code). When secret parameters are involved (like colouring and initial vertex) the adversary cannot find collision with mentioned method.
We propose a construction of message authentication code based on another family of expander graphs of large girth, [16]. The most important advantages are: the output can have arbitrary length (like in case of variants of SHA-3: SHAKE128 and SHAKE256), max message size is unlimited and the performance is very good (4 field operations per bit of input can be achieved). Another advantage of our construction is that graphs from the family have a nice representation by vectors and incidence relations are described by system of multivariate equations, which is very easy to implement. From the other side such systems of nonlinear equations are used for multivariate cryptography that is considered to be a good candidate for a post-quantum cryptography, [10].
The basics about hash function and keyed hash function (message authentication code; MAC) can be found in [25]. A hash function accepts a message as input and produces a fixed-size hash value . Hash functions are often used to determine whether or not data has changed. In general terms, the main goal of a hash function is to ensure data integrity.However it can be also used for authentication, to create one way password files, as a source of pseudorandom numbers (bits) or for intrusion and virus detection. A cryptographic hash function is a function that is acceptable for security applications. It means that it shall be computationally infeasible to find
i
a that is the preimage of for a hash value (one way property),
ii
two data objects , for which (the collision-free property).
In addition, a good hash function has the property that the output looks like random data and even a small change in input causes big changes in the output.
It is possible to use a hash function but no encryption for a message authentication. There are a few techniques to achieve this: use hash function + encryption on the hash, compute a hash value over the concatenation of and (a common secret value) and append the resulting hash value to the message or use keyed hash function. There are many reasons why it is worth to use techniques that avoid encryption [12]. For example, if there is no need to keep message confident but we want to authenticate it, those techniques are faster.
Figure 1 illustrates the mechanism for message authentication using keyed hash function. In order to check the integrity of the message, the keyed hash function is applied to the message and the result is compared with the associated tag. The secret key is known for the receiver and for the sender, so the sender can be easily verified. The MAC approach guarantees data integrity and authenticity.
2 Background
Graphs of large girth
We define the girth of a graph as the length of the shortest cycle. In the analyzed context girth is a very important property of the graph. Let be a family of -regular graphs with increasing order. Let and denote respectively the girth and the order of the graph . A family of graphs with increasing girth is a sequence of graphs such that for . According to the definition introduced in [1], we say that a family of -regular graphs is a family of graphs of large girth if
[TABLE]
for a constant and all .
A nice survey about graphs of large girth is presented in [2]. It is known that (see [5]) is the best possible constant, but there is no explicit construction of such family of graphs for which it can be obtained. This topic started in 1959 when Paul Erdős proved existence of such families with bounded degree and , without providing a construction [7]. There have been numerous investigations of the field by several authors. However, until 2017 the list of major known results is short. The list of explicit constructions is the following:
the first explicit construction of such family with , denoted by , where and are primes was introduced by G. A. Margulis in 1982 [19], 2. 2.
generalisation of the family proposed by M. Morgenstern [22], 3. 3.
constructions for arbitrary with and construction of family of 3-regular graphs with obtained by V. Imrich in 1983 [13], 4. 4.
family of sextet graphs introduced in 1983 by Biggs and Hoare [4] (Alfred Weiss [33] proved that ), 5. 5.
second construction by G. A. Margulis in 1988 [20], 6. 6.
constructions of cubic graphs, presented in a popular article [2], 7. 7.
construction by Lubotzky, Phillips and Sarnak [18] (Biggs and Boshier [3] proved that for this family of graphs), 8. 8.
algebraic graphs given by the nonlinear system of equations over finite field , with , [15] (Furedi [8] proved that for arbitrary prime power : ), 9. 9.
the polarity graphs of (see [17]) has an induced subgraph of degree which is a family of graphs of large girth (it is shown in [31]).
Expander graphs
An important property that a family of graphs must have in order to be a good candidate for a construction of a hash function is to be a family of expander graphs. Cryptographic hash function from expander graphs were presented in works of [27, 35, 6].
Let’s consider a spectrum of a graph with eigenvalues . A family of -regular graphs of increasing order is called a family of Ramanujan graphs if for all ([11], p. 452). If is stable and the limit is the best we can get. Ramanujan graphs are the best expanders.
3 The family of graphs
The family of graphs we use in our construction of a MAC was introduced in 1992 by Lazebnik and Ustimenko, [15]. It is denoted by , and is a prime power. The similar notations that we use appeared later and can be found in [16]. To simplify, we don’t use double notations for coordinates of vectors. The family is special because of a few important properties. The first one is that this is a family of graphs of a large girth, as mentioned in Sec. 2. Secondly, this is a family of very good expander graphs that are close to Ramanujan graphs. The idea of almost Ramanujan graphs was introduced in [28]. We refer to a family of -regular graphs as almost Ramanujan graphs if for all . Graphs , for arbitrary form a family of -regular almost Ramanujan graphs () and thus have excellent mixing properties.
Graphs are bipartite with set of vertices containing two subsets: , where . Originally the subset of vertices is called a set of points and another set is called a set of lines. Let and be two copies of Cartesian power , where is a integer. Two types of brackets are used in order to distinguish points from lines. We write if and if . The set of vertices of graph (collection of points and lines) can be considered as -dimensional vectors over :
[TABLE]
Coordinates of and are elements of finite field . Because of this we have: and . The vertex (point ) is incident with the vertex (line ) and we write: , if the following relations between their coordinates hold:
[TABLE]
where . The set of edges consists of all pairs for which . This is a family of -regular graphs, which means that each vertex has exactly neighbors. becomes disconnected for . Graphs are edge transitive. It means that their connected components are isomorphic. A connected component of is denoted by . Notice that all connected components of infinite graph are -regular trees. The length of the shortest cycle (the girth) of a graph is given by the formula:
[TABLE]
Graphs were successfully used as a base for symmetric and public key multivariate cryptography (see for example: [32, 14, 24, 31, 30]), error correcting codes (see [9]) and pseudorandom number generator [36]. The related cryptosystems are very good candidates for post quantum cryptography and resistant to linearization attacks. The base of our message authentication code is a stream cipher algorithm where most of the constructions of message authentication functions are based on block ciphers.
4 Keyed hash function
Few notations are used in this work. Let denote the message, the number of bits per block of the and by we represent the number of blocks. So the message can be expressed as . We consider that the message is written in alphabet that corresponds to elements of finite field and by we denote the number of bits needed to represent number (for example UTF-8 uses number field ). Calculations shall be performed in bigger number field than the number field () that is used for the alphabet in order to achieve collection resistance property. Let denote by the number field used for calculations. The choice of determines . Any change in message shall change the hash so different input blocks shall correspond to different edge colouring. To achieve it the following condition shall be satisfied
[TABLE]
It is convenient to choose , where is a prime number. In such case field arithmetic is simply modulo arithmetic.
From now on we denote by the size of output (tag). The input message is used as direction for walking around the graph . We start with initial vertex , which we consider to be a point (). The next visited vertex is obtained by the formula
[TABLE]
[TABLE]
where can be uniquely calculated from equations (1) (see Example 1). Recall that graphs are bipartite: points cannot be incident to points and lines cannot be incident to lines.
Example 1**.**
Let consider graph and .
[TABLE]
Names are assigned for : . Then
[TABLE]
where all operations are in finite field . The calculated neighbor of is .
We propose two approaches to calculate the keyed hash function based on this family of graphs. We named the message authentication codes DMAC, because constructions are based on family of graphs . Keyed hash functions use a secret, which is used to calculate the hash. We propose a secret key to be a pair . is an initial vector of length with coordinates from . is a password of characters from alphabet such that
[TABLE]
In our constructions, after all blocks of a message are processed, we process a password . The details are described in the next subsections.
4.1 Basic construction (DMAC-1)
Fig. 2 illustrates the first type of proposed DMAC’s.
Steps to authenticate the message with DMAC-1:
Agree secret key , which is a pair . 2. 2.
split in blocks of length (add padding if needed) 3. 3.
Process the message. For do
- •
Characters of the block of message are concatenated to obtain a number .
- •
Calculate the vertex which is incident to vertex . So, we calculate the next visited vertex by using operator :
[TABLE]
[TABLE]
where are calculated from equations (1). We start in vertex that is equal to . 4. 4.
Process the password . For a do
- •
Calculate the vertex which is incident to vertex . So, we calculate the next visited vertex by using operator :
[TABLE]
[TABLE]
where are calculated from equations (1). We start in vertex (the last visited vertex in step 3).
4.2 Modified construction (DMAC-2)
For graphs become disconnected. In order to move from one component to another we can use simple modifications presented in Fig. 3. A vectors addition + over is added.
In this case steps to authenticate the message with message authentication code are the same like for DMAC-1 except one additional step. Steps to authenticate the message with DMAC-2:
Agree secret key , which is a pair . 2. 2.
split in blocks of length (add padding if needed) 3. 3.
Process the message. For do
- •
Characters of the block of message are concatenated to obtain the number .
- •
Calculate the vertex which is incident to vertex . So, we calculate the next visited vertex by using operator . We start in vertex that is equal to .
- •
Add vectors and over . 4. 4.
Process the password . For a do
- •
Calculate the vertex which is incident to vertex . So, we calculate the next visited vertex by using operator . We start in vertex (the last visited vertex in step 3).
- •
Add vectors and over .
Example 2**.**
(A toy example) Let’s consider the following example. The alphabet is . We want to calculate DMAC-2 of 15 bits () for a message and a secret key .
[TABLE]
A–BEAUTIFUL–DAY corresponds to the vector
.AY corresponds to the vector
In this case bits. We shall use that satisfies: . Hence . If we set bits then each block has 5 characters and we decide to use . We use graph . We have 3 blocks () total and the last block is padded:
[TABLE]
[TABLE]
[TABLE]
[TABLE]
because
[TABLE]
[TABLE] 2. 2.
[TABLE]
because
[TABLE]
[TABLE] 3. 3.
[TABLE]
because
[TABLE]
[TABLE] 4. 4.
5. 5.
6. 6.
[TABLE]
4.3 Properties of DMACs
A cryptographic hash function must work as follows: a small change in the input drastically changes the output. This is called avalanche effect. DMAC-1 and DMAC-2 were implemented and tested in Python. Our DMACs are the case of a high-quality keyed hash functions (see Table 2). Results presented in table are for the following parameters: graph , , . Output of the presented keyed hash functions passed the well known Diehard tests, developed by George Marsaglia, for measuring the quality of random number generators, [21].
As defined above is the number of bits of the output (tag). Popular size of tags are bits, bits, bits and bits. When for most of commonly used algorithms the size of tag is fixed (for example: SHA-3-224 and SHA-3-256), in our approach the tag can have arbitrary length. The size of block length can be chosen quite arbitrarily but it has to be much smaller than the size of the message and . The longer the size of block, the more efficient the algorithm. Notice that if then message is encoded character by character and it becomes a kind of ’string’ algorithm.
The parameters of graph that is used depend on the block size and the size of tag . The paramater is chosen to satisfy the property the inequality and the parameter is chosen as the smallest possible that satisfies the inequality
[TABLE]
The most commonly used encodings are UTF-8 (), UTF-16 (), UTF-32 (). The Table 1 presents example values of when and alphabet () are fixed.
Example 3**.**
Let’s consider a message of 2000 characters writen in UTF-8 (alphabet ; ) parameter of 10 characters . We want to divide the message on blocks of 4 characters ( bits) and compute a tag of length bits for this message.
Parameter can be computed from the formula :
[TABLE]
Then we choose a prime power such that
[TABLE]
Thus we use graph. The length of the shortest cycle in this graph is and the order of the graph is .
5 Collision resistance and one way property
Recall that, the family of graphs is a family of graphs of large girth and . Hence there are no cycles shorter than and therefore for numer of blocks smaller than no collisions can be find. First, we consider the following problems.
Problem 1**.**
Find a cycle in graph that passes through vertex and .
Problem 2**.**
Find a path between vertex and in graph , that contains a subpath defined by that ends in .
First of all we shall notice that the secret key is a pair . For an adversary that doesn’t know the secret key those problems are not defined precisely. The problem of collision resistance is essentially the problem of finding a shortest cycle in the graph (similarly as it was considered in [6] for other graphs). We have the following theorem.
Theorem 1**.**
Finding a collision in DMACs is a solution to Problem 1.
Proof.
If we set to be zero vector then DMAC-1 and DMAC-2 are exactly the same functions. Finding a collision in DMAC-2 cannot be easier than finding a collision in DMAC-1. Therefore, without lost of generalisation we can consider collision resistance of DMAC-1.
To compute a hash DMAC-1 we start a walk in vertex and an input (message ) gives us directions how to walk in this graph. Each vertex is -regular and so different blocks correspond to different edges incydet to a given vertex. To find a collision we have to find two different inputs , which hash to the same output . To calculate output first we have to calculate vertex and then using secret we can walk to vertex that corresponds to . If then such that: would lead us to different and ( denotes the length of the shortest cycle in graph). Hence, to find a collision we have to find two different inputs , which leads us to one vertex . Two paths in graph, that start and end in the same vertices form a cycle. ∎
Graphs form a family of a simple graphs. In this case time is required to find a cycle in an -vertex graph, that starts in a given vertex. However here so the complexity becomes exponential. Then is a time required requaired to find any cycle. In our case we are looking for a specific cycle that contains also .
The family of graphs is a family of graphs of large girth and . Therefore, the problem of finding a shortest cycle in graphs cannot be easier than the general problem of finding the shortest path in a regular graph, which is considered to be hard.
Theorem 2**.**
Finding a preimage of is a solution to Problem 2.
Proof.
Because of the reason given in the proof of Theorem 1, without lost of generalisation we can consider preimage resistance of DMAC-1. If we have knowledge about then vertex can be computed. An input message gives us directions how to walk in this graph. We start a walk in initial vertex . The second visited vertex is defined by the operator and uniquely determined from equations (1). The next visited vertex is defined by the operator and uniquely determined from equations (1). We repeat the calculations until we deal with all blocks . Graph is -regular and so different gives us different directions. Each corresponds exactly to one edge incidence to a given vertex. There are many different paths from to . Find the preimage is to find the right path from to . Notice that is a part of a secret key. ∎
Composition of operators and gives a nonlinear system of cubic eqations (see Theorem 2 in [34]). Variables are: numbers , character of and coordinates of initial vertex . There is total variables in this system.
In general, solving a set of quadratic equations over a finite field is NP-hard ( problem) for any finite field. There is a conjecture that this is a probabilistically hard problem and Shor’s algorithm cannot be used to speed it up, [10]. Solving a set of cubic equations over a finite field cannot be easier than solving the problem. However, the system related to the set of equations 1 and other systems used for multivariate cryptography are not random, for a large enough parameters it is computationally infeasible to solve them (see [10]).
Brute force attack to completely break the keyed hash function (find secret ) may require to check possibilities ( possible initial vectors and possible passwords of length ), if we consider that the length of the is known. A very efficient algorithm to find the shortest path in a graph is Dijkstra’s algorithm of complexity and it can be adopted to find collisions. In the case of the used graphs it gives and it’s not more efficient than brute force. The complexity is increased because calculations are made over bigger number field , without changing the alphabet for and .
6 Timings
The number of operations per bit of input depend on block length and on the parameter of the graph . The number of field operations in the system of equations 1 is (one step of the walk in the graph costs field operations).
To process one block of input with DMAC-1 we need two additions and one multiplication as specified by operator (to calculate the first coordinate of the neighbor), \mod operation and field operations. After the block is processed we process vector . Therefore, the number of operations per bit of input for DMAC-1 is given by the formula
[TABLE]
where is the length of and is the number of blocks, as specified above.
To process one block of input with DMAC-2 we need to add vectors over number field which require field additions. It gives us the following formula for the number of operations per bit of input when DMAC-2 is used
[TABLE]
If the password is short (not more than 10 characters) and the message, for which we want to calculate the tag, is long (which is true in general when MACs are used) then is very small. Notice that the change of number field doesn’t increase much the number of operations per bit of input (except for the fact that resulting vector has to be divided ).
Example 4**.**
Lets consider data like in Example 3. The length of in bits is . The block length is bits so the number of blocks . In this case the number of field operations per bit of input is
[TABLE]
which is very efficient.
7 Conclusions
A new technique for message authentication was presented in this work. To the best of our knowledge, the family of graphs has never been used before in this context. The algorithms here introduced, for DMAC-1 and DMAC-2 respectively, were implemented in Python and tested with different inputs. The results of our tests and the theoretical base show that the technique we introduce is a very efficient and safe approach to compute message authentication code.
Acknowledgement
The authors would like to express their gratitude to Vasyl Ustimenko for sharing his knowledge about graphs , which made this research possible. Special thanks also to Stanislaw Radziszowski for his useful remarks.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Norman Biggs, Graphs with large girth, Ars Combinatoria, 25C (1987), 73–80 .
- 2[2] Norman Biggs, Constructions for cubic graphs with large girth, The electronic jurnal of Combinatorics Vol. 5 (1998).
- 3[3] N. L. Biggs and A.G Boshier, Note on the girth of Ramanujan graphs, Journal of Combinatorial Theory, Vol. 49 (1990), 190–194.
- 4[4] N. L. Biggs and M. J. Hoare, The sextet construction for cubic graphs, Combinatorica, Vol. 3 (1983), 153–165.
- 5[5] Béla Bollobás, Extremal Graph Theory, Dover Publications, 2004.
- 6[6] Denis X. Charles, Eyal Z. Goren and Kristin E. Lauter, Cryptographic hash functions from expander graphs, Journal of Cryptology, Vol. 22 (2009), 93–113.
- 7[7] Erdős, Paul, Graph Theory and Probability, Modern Birkhauser Classics, Classic Papers in Combinatorics (1987), 276–280.
- 8[8] Z. Furedi and F. Lazebnik and A. Seress and V.A. Ustimenko and A.J. Woldar, Graphs of Prescribed Girth and Bi-Degree, Journal of Combinatorial Theory, Series B, Vol. 64 (1995), 228–239.
