
Workshop on Algebraic Methods in Post-Quantum Cryptography 2026

Looking forward to AM-PQC 2026, the Workshop on Algebraic Methods in Post-Quantum Cryptography this August in Macedonia! pqcrypto.cs.ru.nl/ampqc/

Stipends for students are available. Apply before May 4th!

1 week ago

Thomas and I looked at directed isogeny graphs!

In dim 1, we often ignore directedness, as there are only 2 "problematic" curves. Not so in dim 2: we analyze the action of automorphisms on level structures and the resulting directed graphs.

Crucial: Directed (2,2)-graphs look Ramanujan after all!

1 month ago
Abstract. We describe a Las Vegas algorithm for the principal ideal problem in matrix rings M_(g)(O) for g ≥ 2, over maximal orders O in the rational quaternion algebra B_(p, ∞) ramified at ∞ and a prime number p. Under plausible heuristic assumptions, the method has expected polynomial runtime. An implementation in SageMath shows that it runs very efficiently in practice, with compact output. Our main auxiliary result is a method for finding endomorphisms of superspecial abelian varieties (i.e., powers of supersingular elliptic curves) with a prescribed kernel.

The principal ideal problem for endomorphism rings of superspecial abelian varieties (Wouter Castryck, Jonathan Komada Eriksen, Riccardo Invernizzi, Frederik Vercauteren) ia.cr/2026/454

1 month ago

New PRISM improvements 🥳

We extended our PRISM paper to present two new variants: one that achieves strong unforgeability, and another that allows for smaller parameters and therefore faster signatures!

eprint.iacr.org/2026/443.pdf

1 month ago
PrivCrypt 2026

I am co-organising (with @drl3c7er.bsky.social and Lucjan Hanzlik) a workshop on Privacy-Enhancing Cryptography in Rome on May 10 as an affiliated event to IACR Eurocrypt. Submit your best PEC-work (3-page extended abstract) for presentation by February 25th: privcryptworkshop.github.io

2 months ago
School: Introduction to Isogeny-based Cryptography (TSVP-TP25IC) Title: "Introduction to Isogeny-based Cryptography" Abstract: Isogeny-based cryptography is a fast-moving field, and recent developments have introduced several new techniques, making the barrier of e...

Bit of a last-minute announcement: school on isogenies 9 - 13 Feb at Okinawa Institute of Science and Technology (OIST)
groups.oist.jp/tsvp/event/s...
Registration deadline is tomorrow (15 Jan).

3 months ago
Abstract. We study a new pairing, beyond the Weil and Tate pairing. The Weil pairing is a non-degenerate pairing E[m] × E[m] → μ_(m), which operates on the kernel of [m]. Similarly, when μ_(m) ⊆ 𝔽_(q)^(*), the Tate pairing is a non-degenerate pairing E[m](𝔽_(q)) × E(𝔽_(q))/[m]E(𝔽_(q)) → μ_(m), which connects the kernel and the rational cokernel of [m]. We define a pairing
⟨  ⟩_(m) : E(𝔽_(q))/[m]E(𝔽_(q)) × E(𝔽_(q))/[m]E(𝔽_(q)) → μ_(m)
on the rational cokernels of [m], filling the gap left by the Weil and Tate pairing. When E[m] ⊆ E(𝔽_(q)), this pairing is non-degenerate, and can be computed using three Tate pairings, and two discrete logarithms in μ_(m), assuming a basis for E[m]. For m = ℓ prime, this pairing allows us to study E(𝔽_(q))/[ℓ]E(𝔽_(q)) directly and to simplify the computation for a basis of E[ℓ^(k)], and more generally the Sylow ℓ-torsion. This finds natural applications in isogeny-based cryptography when computing ℓ^(k)-isogenies.

The Cokernel Pairing (Krijn Reijnders) ia.cr/2026/001

3 months ago

E.g., the CSIDH attack (and now variants), Kuperberg is a dihedral HSP (our pSIDH attack is another good example but probably not well known). But HSP is poly time for example if the subgroup is a normal subgroup or a big enough subgroup, it is just not known to enough cryptographers.

4 months ago

This is a weird phrasing and not quite true. Indeed, non-abelian hidden subgroup problems are harder (most likely because their irr. representations are not one-dimensional), but there are several cases where non-abelian HSP can be solved in poly time/subexp time that have been used in cryptanalysis.

4 months ago
Quantum Investment Bros: Have you no shame? Near the end of my last post, I made a little offhand remark: [G]iven the current staggering rate of hardware progress, I now think it’s a live possibility that we’ll have a fault-tolerant quantum …

scottaaronson.blog?p=9344
I think this is an incredibly insightful blogpost, I highly recommend reading it, especially the last paragraph.

4 months ago
Publishing and communicating research in AI/ML is fundamentally broken Why researchers should care, and four proposals for how to fix it

While I can understand how some reviewers in cryptography research are frustrated with the process, I cannot imagine how bad it is in machine learning. ncfrey.substack.com/p/publishing...

5 months ago
PKC 2026 call for papers Public Key Cryptography

The call for papers for PKC 2026 is out: pkc.iacr.org/2026/callfor...

6 months ago
Abstract. The long-term success of cryptocurrencies largely depends on the incentive compatibility provided to the validators. Bribery attacks, facilitated trustlessly via smart contracts, threaten this foundation. This work introduces, implements, and evaluates three novel and efficient bribery contracts targeting Ethereum validators. The first bribery contract enables a briber to fork the blockchain by buying votes on their proposed blocks. The second contract incentivizes validators to voluntarily exit the consensus protocol, thus increasing the adversary’s relative staking power. The third contract builds a trustless bribery market that enables the briber to auction off their manipulative power over the RANDAO, Ethereum’s distributed randomness beacon. Finally, we provide an initial game-theoretical analysis of one of the described bribery markets.

Bribers, Bribers on The Chain, Is Resisting All in Vain? Trustless Consensus Manipulation Through Bribing Contracts (Bence Soóki-Tóth, István András Seres, Kamilla Kara, Ábel Nagy, Balázs Pejó, Gergely Biczók) ia.cr/2025/1719

7 months ago

TL;DR: we solve norm equations in a better way and get around a 2x improvement to IdealToIsogeny routines crucial in both SQIsign and PRISM.

7 months ago

1, I don't think that's true. 2, MLDSA is a lot worse in terms of public key + signature size. So I am not sure that is a fair comparison. I think since Luca made this joke there have been several other speed-ups (as the joke was before the HD versions).

7 months ago
Abstract. The main building block in isogeny-based cryptography is an algorithmic version of the Deuring correspondence, called IdealToIsogeny. This algorithm takes as input left ideals of the endomorphism ring of a supersingular elliptic curve and computes the associated isogeny. Building on ideas from QFESTA, the Clapoti framework by Page and Robert reduces this problem to solving a certain norm equation. The current state of the art is however unable to efficiently solve this equation, and resorts to a relaxed version of it instead. This impacts not only the efficiency of the IdealToIsogeny procedure, but also its success probability. The latter issue has to be mitigated with complex and memory-heavy rerandomization procedures, but still leaves a gap between the security analysis and the actual implementation of cryptographic schemes employing IdealToIsogeny as a subroutine. For instance, in SQIsign the failure probability is still 2⁻⁶⁰ which is not cryptographically negligible.

The main contribution of this paper is a very simple and efficient algorithm called Qlapoti which approaches the norm equation from Clapoti directly, solving all the aforementioned problems at once. First, it makes the IdealToIsogeny subroutine between 2.2 and 2.6 times faster. This significantly improves the speed of schemes using this subroutine, including notably SQIsign and . On top of that, Qlapoti has a cryptographically negligible failure probability. This eliminates the need for rerandomization, drastically reducing memory consumption, and allows for cleaner security reductions.

Qlapoti: Simple and Efficient Translation of Quaternion Ideals to Isogenies (Giacomo Borin, Maria Corte-Real Santos, Jonathan Komada Eriksen, Riccardo Invernizzi, Marzio Mula, Sina Schaeffler, Frederik Vercauteren) ia.cr/2025/1604

7 months ago

I spent a semester here as a student, I really love Strasbourg and Alsace in general!

7 months ago

Ok maybe someone should send them a message explaining the situation then. To be fair this list is not as useful as hoped as detecting a predatory journal is trivial and the list contains a lot of false positives (TCHES being a prime example).

7 months ago

Can someone provide me with an explanation how TCHES ended up on some Norwegian list for predatory journals?

7 months ago

Proud moment at #CRYPTO 2025!
“KLPT²: Algebraic Pathfinding in Dimension Two and Applications” received the Best Paper Award. 🏆
Co-authored by COSIC’s Wouter Castryck & Thomas Decru (presenter).
Read it here: eprint.iacr.org/2025/372

8 months ago

Very sad news

8 months ago

Salt Typhoon APT Subverts Law Enforcement Wiretapping The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

This exactly. And it's not just theoretical, it can happen for real. "The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations." www.darkreading.com/cyber-risk/s...

9 months ago

Yessss!!!

10 months ago

Reminder that the MSCA postdoctoral program exists. If you have a PhD and want to work in a European lab, you have until September to apply. Just contact them now.

ec.europa.eu/info/funding...

10 months ago
Abstract. In this paper we study supersingular elliptic curves primitively oriented by an imaginary quadratic order, where the orientation is determined by an endomorphism that factors through the Frobenius isogeny. In this way, we partly recycle one of the main features of CSIDH, namely the fact that the Frobenius orientation can be represented for free. This leads to the most efficient family of ideal-class group actions in a range where the discriminant is significantly larger than the field characteristic p. Moreover, if we orient with a non-maximal order $\mathcal{O} \subset \mathbb{Q}(\sqrt{-p})$ and we assume that it is feasible to compute the ideal-class group of the maximal order, then also the ideal-class group of 𝒪 is known and we recover the central feature of SCALLOP-like constructions.

We propose two variants of our scheme. In the first one, the orientation is by a suborder of the form $\mathbb{Z}[f\sqrt{-p}]$ for some f coprime to p, so this is similar to SCALLOP. In the second one, inspired by the work of Chenu and Smith, the orientation is by an order of the form $\mathbb{Z}[\sqrt{-dp}]$ where d is square-free and not a multiple of p. We give practical ways of generating parameters, together with a proof-of-concept SageMath implementation of both variants, which shows the effectiveness of our construction.

Orient Express: Using Frobenius to Express Oriented Isogenies (Wouter Castryck, Riccardo Invernizzi, Gioella Lorenzon, Jonas Meers, Frederik Vercauteren) ia.cr/2025/1047

10 months ago

Optimal KLPT would be amazing, I would love that for 2026. Then 2028 could be optimal KLPT^2 :)

11 months ago
Title of the PhD course: Advances in Cryptography and Codes - Part 1: SQIsign

Lecturers: Andrea Basso (IBM Research Zurich, CH),
Luciano Maino (University of Bristol, UK)

The course in short: The course offers a comprehensive and rigorous introduction
to SQIsign, an advanced isogeny-based digital signature scheme designed to resist
attacks from quantum computers. The course will present the mathematical
foundations on which SQIsign is based and the algorithmic background necessary to
understand and evaluate the security of SQIsign and other isogeny-based protocols.
Complementing the theoretical material, the course also includes a practical
laboratory where students will use SageMath to study and implement various
aspects of SQIsign.

Where (in presence): Department of Mathematics, University of Trento (IT)
Via Sommarive, 5, 38123, Trento
(online): https://unitn.zoom.us/j/88902079708 (Passcode: 532383)
When: From May 19, 2025 to May 28, 2025

Detailed Program:
Monday 19/05 10:30 - 12:30 (Room A205) & 14:30 - 16:30 (Room A221)
Tuesday 20/05 10:30 - 12:30 (Room A215) & 14:30 - 16:30 (Room A213)
Wednesday 21/05 10:30 - 12:30 (Room A218) & 14:30 - 16:30 (Room A215)
Thursday 22/05 10:30 - 12:30 (Room A209) & 14:30 - 16:30 (Room A220)
Friday 23/05 10:30 - 12:30 (Room A215) & 14:30 - 16:30 (Room A215)
Tuesday 27/05 11:30 - 12:30 – Q&A, optional (Room A218)
Wednesday 28/05 11:30 - 12:30 – Q&A, optional (Room A218)

Next week @lucianomaino.bsky.social and I will teach a week-long course on SQIsign at the University of Trento.

The course will be both in-person and online: if you're interested, you can tune in Monday morning at 10:30 at unitn.zoom.us/j/88902079708

(details and full schedule in the image below)

11 months ago

Central European Conference on Cryptology 2025

CECC 2025 will accept posters, submission deadline is the 23rd May (more details can be found at cecc2025.inf.elte.hu). Also we have great invited speakers (Carla Rafols, Thomas Decru, Stefan Dziembowski), so hope to see you in Budapest!

11 months ago
PQ-OPRF table

This is cool heimberger.xyz/oprfs.html

11 months ago

The SQIparty starts on Monday, but it's still time to register!

We prepared an exciting program for you with a balanced mix of talks, coding sprints, skillshares and other activities!

www.cig.udl.cat/SQIparty2025...

See you in Lleida!

11 months ago