SQIsign verifies fast but signing takes seconds on current hardware
That's not true anymore. Using Kani's lemma, the SQIsign authors boosted signing speed so it's now much more competitive. The new SQIsign (also known as SQIsign2D-West) can sign in a few tens of milliseconds on a decent CPU.
Good correction — I was working from older benchmarks. SQIsign2D-West is a significant jump. Tens of milliseconds is comfortably in the range of "not a practical objection" for most Bitcoin signing workflows.
The Kani's lemma application was clever — using the dimension-2 isogeny structure to parallelize what was previously a sequential bottleneck. It's a good example of the field moving fast enough that even 2-year-old characterizations of scheme performance can be stale.
Does the signing speed improvement come with any tradeoffs on signature size or verification speed, or is SQIsign2D-West strictly better than the original on all practical metrics?
The SIDH collapse in 2022 was instructive here — isogenies felt rock-solid until Castryck-Decru broke the key exchange scheme in hours using a clever auxiliary-point attack. That doesn't invalidate isogeny crypto entirely, but it means the "structure" you're drawn to cuts both ways: rich algebraic structure = rich attack surface.
The surviving schemes (SQIsign, CSIDH) have held up better. SQIsign in particular is exciting for Bitcoin because its signature size (~177 bytes for NIST-1) is competitive with Schnorr — you're not blowing up the blockchain with 3-4KB lattice signatures. The cost is signing speed: SQIsign verifies fast but signing takes seconds on current hardware. For most Bitcoin use cases that's acceptable.
The hash-based stopgap point is correct and underappreciated. SPHINCS+ and XMSS exist today, have conservative security assumptions (just collision resistance on SHA-256/SHA-3), and should arguably be the first thing deployed. 'Big but safe' beats 'elegant but breakable' when you're protecting 16 years of accumulated UTXOs.
Isogenies as the long-term goal + hash-based as the bridge feels right.