New PRISM improvements 🥳
We extended our PRISM paper to present two new variants: one that achieves strong unforgeability, and another that allows for smaller parameters and therefore faster signatures!
eprint.iacr.org/2026/443.pdf
We're organizing a workshop on cryptographic group actions bringing together the isogeny and code communities. The workshop is just before Eurocrypt, a quick train away from Rome in the beautiful Marche.
Early registration ends this week, so grab your spot soon!
magic-workshop.github.io
I am very happy to announce that thanks to the hard work of many people (The "MIKE Team"), we now have a working implementation in SageMath of MIKE (Module Isogeny Key Exchange).
It depends if you interpret the waiting period to apply to the authors or to the paper :)
I think CiC and CHES have some form of this, but it doesn't automatically apply to all rejections: if the reviewers think the paper needs significantly more work, the authors cannot resubmit immediately.
A waiting period may not be the best option, but we probably need some kind of pre-review check. Right now, it takes very little work for authors to resubmit the same paper again and again until it gets through, while it takes the 3+ reviewers a considerable amount of work to re-review the paper.
The waiting period would be on resubmitting the same paper though, which may be helpful to prevent authors from spamming the same paper over and over again until they get lucky.
The IACR board sent a survey to members last year, and it took us a while to analyze the results and publish findings. You can see them at iacr.org/surveyresults/
New paper out!
We translate the algebraic group model to the (generic) isogeny setting, generalising previous results that were limited to oriented isogenies (we show that any result that holds in the AGAM also holds in the AIM).
Using this model, we obtain two important results:
1. In the AIM, the Sigma protocol underlying SQIsign is sound without rewinding, which means we can show that SQIsign is provably secure in the QROM.
2. The CDH and DLOG problems for all SIDH-like key exchanges (M-SIDH, MD-SIDH, binSIDH, terSIDH, etc.) are equivalent in the AIM.
It also helps to announce those limits in advance, or communicate them clearly, or NOT delete rebuttals, or...
This makes more sense than it seems: the time change happens at the same time in both time zones, which means in the UK it's at 1am rather than 2am.
The Isogeny Club Season 7 starts today! At 5pm CEST, Bruno Sterner will talk about finding large smooth twins from short lattice vectors. More details at isogeny.club
Announcing The Isogeny Problems!
A curated list of the seven foremost unsolved problems in isogeny-based cryptography. Solving one of these profound questions would mark a monumental advance, and as a resolver you'd get eternal honor and epic rewards!
Full list: isogeni.es/problems
The EU wants to spend your money to assemble a giant mass surveillance machine with little effect on harm against children. Chat Control is not effective, weakens security for all and does not respect privacy. Contact your EU representatives and let them know.
csa-scientist-open-letter.org/Sep2025
If you're a researcher in cryptography, security, or related areas, please consider signing it too. Signature collection is still open!
More than 500 researchers have signed an open letter against the dangerous EU proposal on chat control.
The proposal remains ineffective, undoes decades of results in E2E encryption, and threatens the privacy of half a billion citizens.
csa-scientist-open-letter.org/Sep2025
New somewhat redesigned, somewhat expanded website at andreabasso.com!
If you find any dead links or things not working properly, please let me know
Abstract. The Learning with Rounding (LWR) problem, introduced as a deterministic variant of Learning with Errors (LWE), has become a promising foundation for post-quantum cryptography. This Systematization of Knowledge (SoK) paper presents a comprehensive survey of the theoretical foundations, algorithmic developments, and practical implementations of LWR-based cryptographic schemes. We introduce LWR within the broader landscape of lattice-based cryptography and post-quantum security, highlighting its advantages such as reduced randomness, improved efficiency, and enhanced side-channel resistance. We explore the evolution of security reductions from LWR to LWE, including recent advances that support practical parameter regimes and address challenges in both bounded and unbounded sample settings. This paper systematically reviews existing LWR-based schemes, including Saber, Lizard, Florete, Espada, Sable, and SMAUG, analyzing their design choices, parameter sets, and performance trade-offs. Furthermore, we examine the impact of LWR on side-channel resistance, failure probabilities, and masking efficiency, demonstrating its suitability for secure and efficient implementations. By consolidating the research spanning theory and practice, this SoK aims to guide future cryptographic design and standardization efforts leveraging LWR.
Using Learning with Rounding to Instantiate Post-Quantum Cryptographic Algorithms (Andrea Basso, Joppe W. Bos, Jan-Pieter D'Anvers, Angshuman Karmakar, Jose Maria Bermudo Mera, Joost Renes, Sujoy Sinha Roy, Frederik Vercauteren, Peng Wang, Yuewu Wang, Shicong Zhang, Chenxin Zhong) ia.cr/2025/1382
Well, this horrible idea refuses to die so we should refuse to let it pass and start organizing again.
ec.europa.eu/commission/p...
And for PhD & advanced MSc students!
Stipends available for students worldwide, thanks to our sponsors!
Apply for stipends here: docs.google.com/forms/d/e/1F...
🖼️ Consider presenting your work in the Latincrypt poster session!
More info: ascrypto.org/2025/
A chart for quantum computers, of number of qubits versus error rate, on a logarithmic scale. Broadly it shows a large gap between current quantum computers in the bottom left, and a curve in the top right of the resources they need to break RSA.
An out-of-schedule update to my quantum landscape chart: sam-jaques.appspot.com/quantum_land..., prompted by @craiggidney.bsky.social's new paper: arxiv.org/abs/2505.15917.
A startling jump (20x) in how easy quantum factoring can be!
Also: much improved web design!
I'm afraid not :(
We (finally) published all the material from this course on SQIsign, including lecture slides and exercise sheets for the Sage laboratory. Available here: github.com/andreavico/S...
For any polynomial-time abbiatese A...
(abbiategrassese? abbiatese grasso?)
Every time I'm writing a paper I always have the same question: is the attacker a person? Is the attacker a they or a it?
Really cool post on DH!
Starting in half an hour!
By 2030 we will all be out of jobs
A timeline of isogeny-based signatures over the years:
2012 - A signature from group actions: first signature from isogenies in the literature
2014 - SIDH: also proposes an identification protocol
2016 - GPS: first signature from endomorphism ring knowledge
2018 - SeaSign: first signature based on CSIDH
2020 - SQIsign: compact and "practical" signature from endomorphism ring knowledge
2023 - SQIsignHD: HD representations make SQIsign signing much faster
2024 - SQIsign2D: significantly improved SQIsign signing and verification
Isogeny-based signatures have consistently had a breakthrough every two years! Let's see what 2026 will bring...
(Well, except for SQIsignHD that came a year too late, but that's probably because of Covid)