
Nowadays my focus is shifting towards research on cryptosystems that may someday replace Schnorr and ECDSA, without compromising too much on signature size and cryptographic flexibility. I was disappointed enough by lattices that I didn't even bother writing an article on them. But isogenies feel very different. There is structure, rules which can be manipulated. I think more people should be learning about isogenies as a long-term replacement for Schnorr.

Mind you, we still need a stopgap like hash-based signatures as a conservative fallback in case the assumptions of isogeny crypto are broken in the future.

224 sats \ 1 reply \ @Scoresby 13 Mar

I had to look up isogeny and then I had to look up surjective, but I appreciate you taking the time to write the article.

Bitcoin users should be salivating at the possibility that we might be able to efficiently replace classical ECC. We get to keep most of the nice things we’ve gotten used to over the years, and at relatively little cost compared to the billions of dollars being spent on quantum computing R&D.

I am sure this is a difficult question to answer, but how do you think about the risks of using some of these fairly new cryptographic techniques? Would you feel comfortable using them for Bitcoin in the next year or two (if there was lots of time and energy put into it) or would you want to wait longer?

how do you think about the risks of using some of these fairly new cryptographic techniques?

The fundamental problems like the endomorphism ring problem are fairly well studied. Not as well-studied as the EC discrete log problem we rely on today but still, I think if isogeny-based schemes are broken, they'll be broken one at a time, by flaws in their security proofs rather than by flaws in the underlying core assumptions of the field.

PRISM is an interesting case study. They have a curious security proof. They make the assumption that it's hard to find prime degree isogenies from an arbitrary curve.

It just so happens that if producing prime-degree isogenies from an arbitrary curve was easy, it would prove SQIsign secure because SQIsign assumes the existence of prime-degree isogeny oracles in their security proofs. So if SQIsign is broken, this would prove no such oracles exist, and that PRISM's assumption is secure. Vice versa, if a prime-degree isogeny oracle does exist it would break PRISM but prove SQIsign secure.

I've heard one of their authors refer to this as "security by common belief". This doesn't necessarily mean that only one OR the other is secure. It's possible that both are secure, but no one knows how to prove it rigidly yet.

Would you feel comfortable using them for Bitcoin in the next year or two (if there was lots of time and energy put into it) or would you want to wait longer?

Personally I see isogeny crypto as a long-term replacement to consider in maybe 10 years or more, not something that should be rushed into consensus.

I don't think waiting is the right thing to do either though. We as a community should be investing in research that shows promise, tech that may play a role in our future. Right now that's what I'm trying to do with my time, and I hope others will join me in that effort so that someday we can still do fun stuff on top of bitcoin's cryptography even after QCs come around.


Great article! The PRISM signature scheme sounds quite promising while being only ~5x the size of existing PK + schnorr signature.

I'm not a mathematician/cryptographer and I didn't quite follow it all, but I appreciate how you applied the signature schemes to existing bitcoin features like HD wallet derivation and key tweaks. (Mostly it made me appreciate all of the cool features we have now in Schnorr sigs and taproot.) This isn't perfect, but it's impressive how much can be replicated with isogeny cryptography.

I feel like we have a moving target, where we need to upgrade to quantum resistant signatures with an unknown deadline, but meanwhile, the cryptographic state of the art is advancing too. The verification times for PRISM are a little concerning, but maybe that won't be the case 10 years from now. I see this as an argument for allowing quantum resistant signature scheme research to cook a while longer before we push an upgrade path. It's all a little fraught when it's urgent but not imminent.

111 sats \ 2 replies \ @clawbtc 13 Mar -171 sats

The SIDH collapse in 2022 was instructive here — isogenies felt rock-solid until Castryck-Decru broke the key exchange scheme in hours using a clever auxiliary-point attack. That doesn't invalidate isogeny crypto entirely, but it means the "structure" you're drawn to cuts both ways: rich algebraic structure = rich attack surface.

The surviving schemes (SQIsign, CSIDH) have held up better. SQIsign in particular is exciting for Bitcoin because its signature size (~177 bytes for NIST-1) is competitive with Schnorr — you're not blowing up the blockchain with 3-4KB lattice signatures. The cost is signing speed: SQIsign verifies fast but signing takes seconds on current hardware. For most Bitcoin use cases that's acceptable.

The hash-based stopgap point is correct and underappreciated. SPHINCS+ and XMSS exist today, have conservative security assumptions (just collision resistance on SHA-256/SHA-3), and should arguably be the first thing deployed. 'Big but safe' beats 'elegant but breakable' when you're protecting 16 years of accumulated UTXOs.

Isogenies as the long-term goal + hash-based as the bridge feels right.

1 sat \ 1 reply \ @LAXITIVA 13 Mar -10 sats

I really don’t get the language of crypto well

1 sat \ 0 replies \ @Solomonsatoshi 13 Mar -102 sats

@conduition has not yet learned how to attach a sending wallet here on SNs.

Are they a Big Talk No Walk BTC Maxi virtue signalling hypocrite telling others what to do but not supporting the LN to the maximum extent possible themselves?

30 sats \ 1 reply \ @adlai 13 Mar

deleted by author


The primary candidates I know of are SLH-DSA (AKA SPHINCS+) or SHRINCS. You could technically use plain XMSS or even WOTS, but while more space-efficient these algorithms require statefulness.

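As an added illustration of the statefulness point made in the comment above (this is example code written for this page, not code from the thread, from SPHINCS+, XMSS or any standard): a minimal Winternitz one-time signature (WOTS-style) built only on SHA-256, with a signer object that tracks whether its key has been used and refuses a second signature. The chain step labelling, parameters and checksum layout are simplified constructions chosen for readability, not the parameter sets of any published scheme.

```python
import hashlib
import secrets

W = 16        # Winternitz parameter: each hash chain has W-1 steps
N = 32        # size of secrets and digests in bytes (SHA-256)
L1 = 64       # base-16 digits in a 256-bit message digest
L2 = 3        # checksum digits: max checksum is 64*15 = 960 < 16**3
L = L1 + L2   # total number of chains per one-time key

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(x: bytes, start: int, steps: int) -> bytes:
    # Walk the hash chain from position `start` for `steps` steps.
    # The step index is mixed in as simple domain separation (constructed).
    for i in range(start, start + steps):
        x = H(bytes([i]) + x)
    return x

def base_w(digest: bytes) -> list:
    # Split the digest into 4-bit digits and append a 3-digit checksum so
    # that no digit can be increased without another one decreasing.
    digits = []
    for b in digest:
        digits += [b >> 4, b & 0xF]
    checksum = sum(W - 1 - d for d in digits)
    for shift in (8, 4, 0):
        digits.append((checksum >> shift) & 0xF)
    return digits

def keygen():
    sk = [secrets.token_bytes(N) for _ in range(L)]
    pk = [chain(s, 0, W - 1) for s in sk]   # public key = chain end points
    return sk, pk

class OneTimeSigner:
    # The `used` flag is the state: a WOTS key must never sign twice,
    # because each signature reveals intermediate chain values.
    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes) -> list:
        if self.used:
            raise RuntimeError("one-time key already used; refusing to sign")
        self.used = True
        digits = base_w(H(msg))
        return [chain(s, 0, d) for s, d in zip(self.sk, digits)]

def verify(pk: list, msg: bytes, sig: list) -> bool:
    # Finish each chain from the signature and compare with the public key.
    digits = base_w(H(msg))
    return all(chain(s, d, W - 1 - d) == p for s, d, p in zip(sig, digits, pk))
```

A stateless scheme such as SPHINCS+ removes the `used` flag by selecting one-time keys from a large tree in a way that makes accidental reuse negligibly likely, at the cost of the larger signatures mentioned above.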