Future of Isogeny-Based Cryptography
Survey active research directions — SQISign, FESTA, and variants — that remain viable despite the SIKE break.
Post-SIKE Landscape
The July 2022 Castryck-Decru break of SIKE changed the isogeny field dramatically. Before the break, isogeny-based cryptography was a promising post-quantum direction with small key sizes, active standardization efforts, and growing community. After SIKE's fall, the field was forced to reexamine its foundations. The key question: which aspects of isogeny-based cryptography remain hard after the new Richelot isogeny techniques? The answer appears to be: endomorphism-ring-based hardness (used in SQISign) and commutative class group actions (CSIDH) remain intact. SIDH-specific auxiliary torsion-point leakage is the broken component, not isogenies in general.
SQISign: Isogeny-Based Signatures
SQISign (Short Quaternion and Isogeny Signature, De Feo et al., 2020) is the most compact known post-quantum signature scheme. Public key: 64 bytes (a supersingular j-invariant). Signature: 177 bytes at Level 1. For comparison, ML-DSA (Dilithium) has 1312-byte public keys and 2420-byte signatures at Level 2. SQISign's security is based on the Deuring correspondence: the problem of computing an isogeny of prescribed degree between two given supersingular curves is equivalent to finding an ideal in the endomorphism ring quaternion algebra. SQISign uses a Fiat-Shamir identification scheme over this hard problem, producing a signature as a compressed representation of the response isogeny.
All lessons in this course
- Elliptic Curve Isogenies: Mathematical Foundation
- SIDH and SIKE: Design and Cryptanalysis
- CSIDH: Commutative Supersingular Isogenies
- Future of Isogeny-Based Cryptography