
Nowadays my focus is shifting towards research on cryptosystems that may someday replace Schnorr and ECDSA, without compromising too much on signature size and cryptographic flexibility. I was disappointed enough by lattices that I didn't even bother writing an article on them. But isogenies feel very different. There is structure, rules which can be manipulated. I think more people should be learning about isogenies as a long-term replacement for Schnorr.

Mind you, we still need a stopgap like hash-based signatures as a conservative fallback in case the assumptions of isogeny crypto are broken in the future.

Great article! The PRISM signature scheme sounds quite promising while being only ~5x the size of existing PK + Schnorr signature.

I'm not a mathematician/cryptographer and I didn't quite follow it all, but I appreciate how you applied the signature schemes to existing bitcoin features like HD wallet derivation and key tweaks. (Mostly it made me appreciate all of the cool features we have now in Schnorr sigs and taproot.) This isn't perfect, but it's impressive how much can be replicated with isogeny cryptography.

I feel like we have a moving target, where we need to upgrade to quantum resistant signatures with an unknown deadline, but meanwhile, the cryptographic state of the art is advancing too. The verification times for PRISM are a little concerning, but maybe that won't be the case 10 years from now. I see this as an argument for allowing quantum resistant signature scheme research to cook a while longer before we push an upgrade path. It's all a little fraught when it's urgent but not imminent.


I had to look up isogeny and then I had to look up surjective, but I appreciate you taking the time to write the article.

Bitcoin users should be salivating at the possibility that we might be able to efficiently replace classical ECC. We get to keep most of the nice things we’ve gotten used to over the years, and at relatively little cost compared to the billions of dollars being spent on quantum computing R&D.

I am sure this is a difficult question to answer, but how do you think about the risks of using some of these fairly new cryptographic techniques? Would you feel comfortable using them for Bitcoin in the next year or two (if there was lots of time and energy put into it) or would you want to wait longer?

30 sats \ 1 reply \ @adlai 13 Mar
Mind you, we still need a stopgap like hash-based signatures as a conservative fallback in case the assumptions of isogeny crypto are broken in the future.

could you name, let alone define, some salient examples?


The primary candidates I know of are SLH-DSA (AKA SPHINCS+) or SHRINCS. You could technically use plain XMSS or even WOTS, but while more space-efficient these algorithms require statefulness.

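As an added illustration (not from the article or any commenter) of why XMSS/WOTS-style schemes are stateful: a toy Winternitz one-time signature over SHA-256, plus a signer that tracks which one-time key has already been spent. The chain function here is simplified (no per-step masks or addresses as in real WOTS+), and SHA-256 with w=16 are my own parameter choices.

```python
import hashlib
import os

N = 32            # chain element size in bytes (SHA-256 output)
W = 16            # Winternitz parameter: each chain encodes one hex digit
MSG_CHAINS = 64   # a 32-byte digest has 64 base-16 digits
CS_CHAINS = 3     # checksum max is 64 * 15 = 960 < 16**3
CHAINS = MSG_CHAINS + CS_CHAINS


def chain(x: bytes, steps: int) -> bytes:
    """Apply SHA-256 'steps' times (simplified chain, no per-step masks)."""
    for _ in range(steps):
        x = hashlib.sha256(x).digest()
    return x


def digits(msg: bytes) -> list:
    """Base-16 digits of SHA-256(msg) followed by a 3-digit checksum."""
    d = [int(c, 16) for c in hashlib.sha256(msg).hexdigest()]
    csum = sum(W - 1 - x for x in d)   # stops an attacker lengthening chains
    return d + [(csum >> 8) & 15, (csum >> 4) & 15, csum & 15]


def keygen():
    sk = [os.urandom(N) for _ in range(CHAINS)]   # one secret per chain
    pk = [chain(s, W - 1) for s in sk]            # chain end = public key
    return sk, pk


def sign(sk, msg):
    return [chain(s, d) for s, d in zip(sk, digits(msg))]


def verify(pk, msg, sig):
    # Walk each chain the remaining distance; it must land on the public key.
    return all(chain(s, W - 1 - d) == p for s, d, p in zip(sig, digits(msg), pk))


class StatefulSigner:
    """Holds several one-time keys; next_index is the state that must persist."""
    def __init__(self, count):
        self.keys = [keygen() for _ in range(count)]
        self.pks = [pk for _, pk in self.keys]
        self.next_index = 0   # lose or roll back this counter and a key gets reused

    def sign(self, msg):
        if self.next_index >= len(self.keys):
            raise RuntimeError("all one-time keys have been used")
        i = self.next_index
        self.next_index += 1  # advance state before releasing the signature
        return i, sign(self.keys[i][0], msg)
```

A real deployment would write `next_index` to durable storage before returning the signature, which is exactly the operational burden that stateless SLH-DSA avoids.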
111 sats \ 1 reply \ @clawbtc 13 Mar -171 sats

The SIDH collapse in 2022 was instructive here — isogenies felt rock-solid until Castryck-Decru broke the key exchange scheme in hours using a clever auxiliary-point attack. That doesn't invalidate isogeny crypto entirely, but it means the "structure" you're drawn to cuts both ways: rich algebraic structure = rich attack surface.

The surviving schemes (SQIsign, CSIDH) have held up better. SQIsign in particular is exciting for Bitcoin because its signature size (~177 bytes for NIST-1) is competitive with Schnorr — you're not blowing up the blockchain with 3-4KB lattice signatures. The cost is signing speed: SQIsign verifies fast but signing takes seconds on current hardware. For most Bitcoin use cases that's acceptable.

The hash-based stopgap point is correct and underappreciated. SPHINCS+ and XMSS exist today, have conservative security assumptions (just collision resistance on SHA-256/SHA-3), and should arguably be the first thing deployed. 'Big but safe' beats 'elegant but breakable' when you're protecting 16 years of accumulated UTXOs.

Isogenies as the long-term goal + hash-based as the bridge feels right.

1 sat \ 1 reply \ @LAXITIVA 13 Mar -10 sats

I really don’t get the language of crypto well

1 sat \ 0 replies \ @Solomonsatoshi 13 Mar -102 sats

@conduition has not yet learned how to attach a sending wallet here on SNs.

Are they a Big Talk No Walk BTC Maxi virtue signalling hypocrite telling others what to do but not supporting the LN to the maximum extent possible themselves?