Looking forward to AM-PQC 2026, the Workshop on Algebraic Methods in Post-Quantum Cryptography this August in Macedonia! pqcrypto.cs.ru.nl/ampqc/
Stipends for students are available. Apply before May 4th!
Thomas and I looked at directed isogeny graphs!
In dim 1, we often ignore directedness, as there are only 2 "problematic" curves. Not so in dim 2: we analyze the action of automorphisms on level structures and the resulting directed graphs.
Crucial: Directed (2,2)-graphs look Ramanujan after all!
Abstract. We describe a Las Vegas algorithm for the principal ideal problem in matrix rings M_(g)(O) for g ≥ 2, over maximal orders O in the rational quaternion algebra B_(p, ∞) ramified at ∞ and a prime number p. Under plausible heuristic assumptions, the method has expected polynomial runtime. An implementation in SageMath shows that it runs very efficiently in practice, with compact output. Our main auxiliary result is a method for finding endomorphisms of superspecial abelian varieties (i.e., powers of supersingular elliptic curves) with a prescribed kernel.
The principal ideal problem for endomorphism rings of superspecial abelian varieties (Wouter Castryck, Jonathan Komada Eriksen, Riccardo Invernizzi, Frederik Vercauteren) ia.cr/2026/454
New PRISM improvements 🥳
We extended our PRISM paper to present two new variants: one that achieves strong unforgeability, and another that allows for smaller parameters and therefore faster signatures!
eprint.iacr.org/2026/443.pdf
I am co-organising (with @drl3c7er.bsky.social and Lucjan Hanzlik) a workshop on Privacy-Enhancing Cryptography in Rome on May 10 as an affiliated event to IACR Eurocrypt. Submit your best PEC-work (3-page extended abstract) for presentation by February 25th: privcryptworkshop.github.io
Bit of a last-minute announcement: school on isogenies 9 - 13 Feb at Okinawa Institute of Science and Technology (OIST)
groups.oist.jp/tsvp/event/s...
Registration deadline is tomorrow (15 Jan).
Abstract. We study a new pairing, beyond the Weil and Tate pairing. The Weil pairing is a non-degenerate pairing E[m] × E[m] → μ_(m), which operates on the kernel of [m]. Similarly, when μ_(m) ⊆ 𝔽_(q)^(*), the Tate pairing is a non-degenerate pairing E[m](𝔽_(q)) × E(𝔽_(q))/[m]E(𝔽_(q)) → μ_(m), which connects the kernel and the rational cokernel of [m]. We define a pairing ⟨ ⟩_(m) : E(𝔽_(q))/[m]E(𝔽_(q)) × E(𝔽_(q))/[m]E(𝔽_(q)) → μ_(m) on the rational cokernels of [m], filling the gap left by the Weil and Tate pairing. When E[m] ⊆ E(𝔽_(q)), this pairing is non-degenerate, and can be computed using three Tate pairings, and two discrete logarithms in μ_(m), assuming a basis for E[m]. For m = ℓ prime, this pairing allows us to study E(𝔽_(q))/[ℓ]E(𝔽_(q)) directly and to simplify the computation for a basis of E[ℓ^(k)], and more generally the Sylow ℓ-torsion. This finds natural applications in isogeny-based cryptography when computing ℓ^(k)-isogenies.
The Cokernel Pairing (Krijn Reijnders) ia.cr/2026/001
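As an added illustration of the Tate pairing the abstract builds on (this is not code from the paper or its authors): a toy reduced Tate pairing E[m](F_p) × E(F_p)/[m]E(F_p) → μ_m computed with Miller's algorithm over F_7 on the curve E: y^2 = x^3 + 2. The curve, prime and auxiliary-point strategy are my choices; on this curve E(F_7) = E[3] has 9 points, so the rational cokernel E(F_7)/[3]E(F_7) is all of E(F_7), which is exactly the setting E[m] ⊆ E(F_q) the abstract singles out, and the brute-force check at the end confirms non-degeneracy.

```python
# Added example (not code from the paper or its authors): the reduced Tate
# pairing E[m](F_p) x E(F_p)/[m]E(F_p) -> mu_m via Miller's algorithm on a
# toy curve.  Curve, prime and auxiliary-point choice are ours.
#
# E: y^2 = x^3 + 2 over F_7.  #E(F_7) = 9 and every point is 3-torsion, so
# E(F_7) = E[3] and the cokernel E(F_7)/[3]E(F_7) is all of E(F_7);
# mu_3 = {1, 2, 4} lies in F_7^* because 3 | 7 - 1.
p, A, B, m = 7, 0, 2, 3
O = None                      # point at infinity

def inv(a):
    a %= p
    if a == 0:
        raise ZeroDivisionError   # signals a bad auxiliary point in tate()
    return pow(a, -1, p)

def neg(P):
    return O if P is O else (P[0], (-P[1]) % p)

def add(P, Q):
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    lam = (3*x1*x1 + A) * inv(2*y1) % p if P == Q else (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(k, P):
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == '1':
            R = add(R, P)
    return R

def all_points():
    pts = [O]
    for x in range(p):
        rhs = (x**3 + A*x + B) % p
        pts += [(x, y) for y in range(p) if y*y % p == rhs]
    return pts

def line(T, P, X):
    """Value at X of l_{T,P} / v_{T+P}: the line through T and P (tangent if
    T == P) divided by the vertical line through T+P.  The quotient has
    divisor (T) + (P) - (T+P) - (O), the Miller step function."""
    if T is O or P is O:
        return 1                      # l is itself vertical and cancels v
    (x1, y1), (x2, y2), (x, y) = T, P, X
    if x1 == x2 and (y1 + y2) % p == 0:
        return (x - x1) % p           # T + P = O: l = x - x1 and v = 1
    lam = (3*x1*x1 + A) * inv(2*y1) % p if T == P else (y2 - y1) * inv(x2 - x1) % p
    x3 = (lam*lam - x1 - x2) % p
    return (y - y1 - lam*(x - x1)) * inv(x - x3) % p

def miller(P, X):
    """f_{m,P}(X) for [m]P = O, where div f_{m,P} = m(P) - m(O).  Raises
    ZeroDivisionError when X hits a zero/pole of an intermediate line."""
    f, T = 1, P
    for bit in bin(m)[3:]:
        f = f * f * line(T, T, X) % p
        T = add(T, T)
        if bit == '1':
            f = f * line(T, P, X) % p
            T = add(T, P)
    return f

def tate(P, Q):
    """Reduced Tate pairing t(P,Q) = (f_P(Q+R) / f_P(R))^((p-1)/m) in mu_m,
    evaluated on D_Q = (Q+R) - (R) for an auxiliary point R; the final
    exponentiation makes the value independent of R."""
    assert mul(m, P) is O, "P must be m-torsion"
    bad = {P, neg(P), O}          # keep supp(D_Q) away from supp(div f_P)
    for R in all_points():
        if R in bad or add(Q, R) in bad:
            continue
        try:
            return pow(miller(P, add(Q, R)) * inv(miller(P, R)) % p, (p - 1) // m, p)
        except ZeroDivisionError:
            continue                  # R collided with an intermediate zero/pole
    raise RuntimeError("no admissible auxiliary point")

def is_nondegenerate():
    """Brute-force non-degeneracy of t on E[m](F_p) x E(F_p)/[m]E(F_p)."""
    pts = all_points()
    tors = [T for T in pts if mul(m, T) is O]
    mE = {mul(m, T) for T in pts}
    left = all(any(tate(S, T) != 1 for T in pts) for S in tors if S is not O)
    right = all(any(tate(S, T) != 1 for S in tors) for T in pts if T not in mE)
    return left and right

P, Q = (0, 3), (3, 1)             # a basis of E[3] = E(F_7)

if __name__ == "__main__":
    print("#E(F_7) =", len(all_points()))
    print("t(P,Q) =", tate(P, Q), " t(Q,P) =", tate(Q, P), " t(P,P) =", tate(P, P))
    print("bilinear:", tate(P, add(Q, Q)) == tate(P, Q) ** 2 % p)
    print("non-degenerate:", is_nondegenerate())
```

The point to notice is the role of the second argument: `tate` only ever uses Q through the divisor (Q+R) - (R), and changing Q by an element of [m]E(F_p) changes f_P(D_Q) by an m-th power that the final exponentiation kills, which is why the pairing lives on the cokernel E(F_p)/[m]E(F_p) rather than on E(F_p). Here [3]E(F_7) is trivial, so the cokernel is the whole group and the brute-force check runs over all 9 points.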
E.g., the CSIDH attack (and now variants), Kuperberg is a dihedral HSP (our pSIDH attack is another good example but probably not well known). But HSP is poly time for example if the subgroup is a normal subgroup or a big enough subgroup, it is just not known to enough cryptographers.
This is a weird phrasing and not quite true. Indeed, non-abelian hidden subgroup problems are harder (most likely because their irr. representations are not one-dimensional), but there are several cases where non-abelian HSP can be solved in poly time/subexp time that have been used in cryptanalysis.
scottaaronson.blog?p=9344
I think this is an incredibly insightful blogpost, I highly recommend reading it, especially the last paragraph.
While I can understand how some reviewers in cryptography research are frustrated with the process, I cannot imagine how bad it is in machine learning. ncfrey.substack.com/p/publishing...
Abstract. The long-term success of cryptocurrencies largely depends on the incentive compatibility provided to the validators. Bribery attacks, facilitated trustlessly via smart contracts, threaten this foundation. This work introduces, implements, and evaluates three novel and efficient bribery contracts targeting Ethereum validators. The first bribery contract enables a briber to fork the blockchain by buying votes on their proposed blocks. The second contract incentivizes validators to voluntarily exit the consensus protocol, thus increasing the adversary’s relative staking power. The third contract builds a trustless bribery market that enables the briber to auction off their manipulative power over the RANDAO, Ethereum’s distributed randomness beacon. Finally, we provide an initial game-theoretical analysis of one of the described bribery markets.
Bribers, Bribers on The Chain, Is Resisting All in Vain? Trustless Consensus Manipulation Through Bribing Contracts (Bence Soóki-Tóth, István András Seres, Kamilla Kara, Ábel Nagy, Balázs Pejó, Gergely Biczók) ia.cr/2025/1719
TL;DR: we solve norm equations in a better way and get around a 2x improvement to IdealToIsogeny routines crucial in both SQIsign and PRISM.
1. I don't think that's true. 2. ML-DSA is a lot worse in terms of public key + signature size, so I am not sure that is a fair comparison. I think since Luca made this joke there have been several other speed-ups (as the joke was before the HD versions).
Abstract. The main building block in isogeny-based cryptography is an algorithmic version of the Deuring correspondence, called IdealToIsogeny. This algorithm takes as input left ideals of the endomorphism ring of a supersingular elliptic curve and computes the associated isogeny. Building on ideas from QFESTA, the Clapoti framework by Page and Robert reduces this problem to solving a certain norm equation. The current state of the art is however unable to efficiently solve this equation, and resorts to a relaxed version of it instead. This impacts not only the efficiency of the IdealToIsogeny procedure, but also its success probability. The latter issue has to be mitigated with complex and memory-heavy rerandomization procedures, but still leaves a gap between the security analysis and the actual implementation of cryptographic schemes employing IdealToIsogeny as a subroutine. For instance, in SQIsign the failure probability is still 2⁻⁶⁰, which is not cryptographically negligible. The main contribution of this paper is a very simple and efficient algorithm called Qlapoti which approaches the norm equation from Clapoti directly, solving all the aforementioned problems at once. First, it makes the IdealToIsogeny subroutine between 2.2 and 2.6 times faster. This significantly improves the speed of schemes using this subroutine, including notably SQIsign and . On top of that, Qlapoti has a cryptographically negligible failure probability. This eliminates the need for rerandomization, drastically reducing memory consumption, and allows for cleaner security reductions.
Qlapoti: Simple and Efficient Translation of Quaternion Ideals to Isogenies (Giacomo Borin, Maria Corte-Real Santos, Jonathan Komada Eriksen, Riccardo Invernizzi, Marzio Mula, Sina Schaeffler, Frederik Vercauteren) ia.cr/2025/1604
I spent a semester here as a student, I really love Strasbourg and Alsace in general!
Ok maybe someone should send them a message explaining the situation then. To be fair this list is not as useful as hoped as detecting a predatory journal is trivial and the list contains a lot of false positives (TCHES being a prime example).
Can someone provide me with an explanation how TCHES ended up on some Norwegian list for predatory journals?
Proud moment at #CRYPTO 2025!
“KLPT²: Algebraic Pathfinding in Dimension Two and Applications” received the Best Paper Award. 🏆
Co-authored by COSIC’s Wouter Castryck & Thomas Decru (presenter).
Read it here: eprint.iacr.org/2025/372
Very sad news
This exactly. And it's not just theoretical, it can happen for real. "The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations." www.darkreading.com/cyber-risk/s...
Yessss!!!
Reminder that the MSCA postdoctoral program exists. If you have a PhD and want to work in a European lab, you have until September to apply. Just contact them now.
ec.europa.eu/info/funding...
Abstract. In this paper we study supersingular elliptic curves primitively oriented by an imaginary quadratic order, where the orientation is determined by an endomorphism that factors through the Frobenius isogeny. In this way, we partly recycle one of the main features of CSIDH, namely the fact that the Frobenius orientation can be represented for free. This leads to the most efficient family of ideal-class group actions in a range where the discriminant is significantly larger than the field characteristic p. Moreover, if we orient with a non-maximal order $\mathcal{O} \subset \mathbb{Q}(\sqrt{-p})$ and we assume that it is feasible to compute the ideal-class group of the maximal order, then also the ideal-class group of 𝒪 is known and we recover the central feature of SCALLOP-like constructions. We propose two variants of our scheme. In the first one, the orientation is by a suborder of the form $\mathbb{Z}[f\sqrt{-p}]$ for some f coprime to p, so this is similar to SCALLOP. In the second one, inspired by the work of Chenu and Smith, the orientation is by an order of the form $\mathbb{Z}[\sqrt{-dp}]$ where d is square-free and not a multiple of p. We give practical ways of generating parameters, together with a proof-of-concept SageMath implementation of both variants, which shows the effectiveness of our construction.
Orient Express: Using Frobenius to Express Oriented Isogenies (Wouter Castryck, Riccardo Invernizzi, Gioella Lorenzon, Jonas Meers, Frederik Vercauteren) ia.cr/2025/1047
Optimal KLPT would be amazing, I would love that for 2026. Then 2028 could be optimal KLPT^2 :)
Title of the PhD course: Advances in Cryptography and Codes - Part 1: SQIsign
Lecturers: Andrea Basso (IBM Research Zurich, CH), Luciano Maino (University of Bristol, UK)
The course in short: The course offers a comprehensive and rigorous introduction to SQIsign, an advanced isogeny-based digital signature scheme designed to resist attacks from quantum computers. The course will present the mathematical foundations on which SQIsign is based and the algorithmic background necessary to understand and evaluate the security of SQIsign and other isogeny-based protocols. Complementing the theoretical material, the course also includes a practical laboratory where students will use SageMath to study and implement various aspects of SQIsign.
Where (in presence): Department of Mathematics, University of Trento (IT), Via Sommarive, 5, 38123, Trento
Where (online): https://unitn.zoom.us/j/88902079708 (Passcode: 532383)
When: From May 19, 2025 to May 28, 2025
Detailed Program:
Monday 19/05: 10:30 - 12:30 (Room A205) & 14:30 - 16:30 (Room A221)
Tuesday 20/05: 10:30 - 12:30 (Room A215) & 14:30 - 16:30 (Room A213)
Wednesday 21/05: 10:30 - 12:30 (Room A218) & 14:30 - 16:30 (Room A215)
Thursday 22/05: 10:30 - 12:30 (Room A209) & 14:30 - 16:30 (Room A220)
Friday 23/05: 10:30 - 12:30 (Room A215) & 14:30 - 16:30 (Room A215)
Tuesday 27/05: 11:30 - 12:30, Q&A, optional (Room A218)
Wednesday 28/05: 11:30 - 12:30, Q&A, optional (Room A218)
Next week @lucianomaino.bsky.social and I will teach a week-long course on SQIsign at the University of Trento.
The course will be both in-person and online: if you're interested, you can tune in Monday morning at 10:30 at unitn.zoom.us/j/88902079708
(details and full schedule in the image below)
CECC 2025 will accept posters, submission deadline is the 23rd May (more details can be found at cecc2025.inf.elte.hu). Also we have great invited speakers (Carla Rafols, Thomas Decru, Stefan Dziembowski), so hope to see you in Budapest!
The SQIparty starts on Monday, but it's still time to register!
We prepared an exciting program for you with a balanced mix of talks, coding sprints, skillshares and other activities!
www.cig.udl.cat/SQIparty2025...
See you in Lleida!