0Pricing
Cryptology Academy · Lesson

Future of Isogeny-Based Cryptography

Survey active research directions — SQISign, FESTA, and variants — that remain viable despite the SIKE break.

Post-SIKE Landscape

The July 2022 Castryck-Decru break of SIKE changed the isogeny field dramatically. Before the break, isogeny-based cryptography was a promising post-quantum direction with small key sizes, active standardization efforts, and growing community. After SIKE's fall, the field was forced to reexamine its foundations. The key question: which aspects of isogeny-based cryptography remain hard after the new Richelot isogeny techniques? The answer appears to be: endomorphism-ring-based hardness (used in SQISign) and commutative class group actions (CSIDH) remain intact. SIDH-specific auxiliary torsion-point leakage is the broken component, not isogenies in general.

SQISign: Isogeny-Based Signatures

SQISign (Short Quaternion and Isogeny Signature, De Feo et al., 2020) is the most compact known post-quantum signature scheme. Public key: 64 bytes (a supersingular j-invariant). Signature: 177 bytes at Level 1. For comparison, ML-DSA (Dilithium) has 1312-byte public keys and 2420-byte signatures at Level 2. SQISign's security is based on the Deuring correspondence: the problem of computing an isogeny of prescribed degree between two given supersingular curves is equivalent to finding an ideal in the endomorphism ring quaternion algebra. SQISign uses a Fiat-Shamir identification scheme over this hard problem, producing a signature as a compressed representation of the response isogeny.

All lessons in this course

  1. Elliptic Curve Isogenies: Mathematical Foundation
  2. SIDH and SIKE: Design and Cryptanalysis
  3. CSIDH: Commutative Supersingular Isogenies
  4. Future of Isogeny-Based Cryptography
← Back to Cryptology Academy