Damien Robert

Registration for the Leuven Isogeny Days 6 is now open!
📅 10–12 Sept 2025 @ KU Leuven
Morning: research talks
Afternoon: brainstorming sessions
More info: www.esat.kuleuven.be/cosic/projec...
#isogeny #isocrypt #erc #postquantum

We (finally) published all the material from this course on SQIsign, including lecture slides and exercise sheets for the Sage laboratory. Available here: github.com/andreavico/S...

📢 #1MinuteAvec ... ⏰
Alice Pellet-Mary au pays des codes secrets et de la #cryptographie.
Portrait à découvrir de cette chercheuse de l'équipe #Canari du Centre #Inria de l' @univbordeaux.bsky.social qui partage avec nous son #parcours et son #métier !

👉 youtu.be/LKRy8bO5x8E?...

Congrats!

A kind of social variant of the man-in-the-middle attack: 🧵🔽

New work: we explain cubical arithmetic in simple terms to show you how easy it is to compute pairings. Essentially, you only need to know the Montgomery ladder!

As a bonus, pairings from cubical arithmetic are faster than those from Miller's loop for applications in isogeny-based cryptography.

In summary: the strengh of cubical arithmetic are quite different than the strength of Miller's algo. And all pairing based families have been optimised for Miller's algo. My hope is that we'll find new interesting families optimised for cubical arithmetic instead.

In the biextension paper above, we show that cubical pairings are faster than Miller's algo in the case where the embedding degree is odd (so non denominator elimination) and the curve has D=1, so close to a Montgomery model (see Table 4 in the end).

in cubical arithmetic, while this greatly speeds up Miller's algo when the points are in the special subgroups G1, G2.

- When using quartic or sextic twists, we cannot have a Montgomery model on both the curve and its twist. Cubical arithmetic on other models is slower than on Montgomery curve.

Cubical arithmetic works very well on x-only coordinates on Montgomery curves, which makes it ideally suited to pairings applications of isogeny based cryptography.

For pairing based cryptography, there are several drawbacks:
- we don't know how to do denominator elimination [...]

Yes! RWC ❤️ Number Theory.

Congrats to the CADO-NFS team!

Registration to the SQIparty is open, free, and we have a first sketch of a program!

www.cig.udl.cat/SQIparty2025...

Register and plan your travel quickly: the rooms are reserved only until Thursday!

See you in Lleida!

Is there a website by the way?

Canari : une nouvelle équipe Inria au service de la protection de nos données Comment sécuriser un monde numérique qui ne cesse de se densifier et de se complexifier ? C’est le défi que va relever Canari, une nouvelle équipe d’Inria, grâce à la conception d’outils algorithmique...

🔊 Le 19/03 c'est la journée internationale du #Canari 🪶!

Le jour idéal pour vous partager des infos sur notre équipe (du même nom) qui conçoit des #algorithmes pour la sécurité des données au service de la #cryptographie #postquantique 🌐!

↪️ www.inria.fr/fr/canari-pr...
↪️ www.inria.fr/fr/canari

> claims no new results
> adds in a tiny new result anyway
> ???

anyway, enjoy the read!

Cathedral of La Seu Vella in Lleida

Fancy some isogeny crypto?

Join us for a 3-day workshop on isogeny-based cryptography in Lleida, Catalonia, April 28-30

www.cig.udl.cat/icrypto2025_...

Brought to you by ULleida's Cryptography+Graphs group, the SQIsign team and friends!

Registration and program coming soon
Registration is free!

Very cool writeups, thanks for sharing!

GG everyone who played #KalmarCTF 2025!

Writeups for my two challs:

MonoDOOM: jonathke.github.io/monoDOOM
A chal based on a sick sidechannel attack by @damienrobert.bsky.social !

Not-so-complex multiplication: jonathke.github.io/not-so-complex
An easy chal based on complex multiplication.

Absolutely thrilled for season six of the Isogeny Club (isogeny.club) starting February 25th by a talk by Abel Laval!

PRISM: Simple And Compact Identification and Signatures From Large Prime Degree Isogenies The problem of computing an isogeny of large prime degree from a supersingular elliptic curve of unknown endomorphism ring is assumed to be hard both for classical as well as quantum computers. In thi...

Really excited to finally share PRISM, a new isogeny-based signature 🥳 joint work with lots of awesome people.

eprint.iacr.org/2025/135

Sécuriser nos données à l’ère du quantique, un défi de taille À l’occasion de la Journée internationale de la protection des données, coup de projecteur sur les travaux novateurs de l'équipe-projet Canari. Son domaine de recherche : les protocoles et algorithmes...

Pour la Journée internationale de la #protection des #données, coup de projecteur sur les travaux novateurs de l'équipe-projet #Canari.

🧐 Son domaine de recherche ? Les protocoles et #algorithmes de #cryptographie #postquantique !

👉 www.inria.fr/fr/securite-...
cc @damienrobert.bsky.social

Le #logiciel PARI/GP, système de calcul formel pour la théorie des nombres, a reçu le #Prix science ouverte du #logiciel libre 2024 pour la catégorie « communauté ».
👋 à Aurel Page de l'équipe #Canari et aux scientifiques de l' #IMB impliqués !

t.co/oWqHxweG24

cc @damienrobert.bsky.social

Ex: a big diagram which should be commutative by "functoriality", but writing it explicitly is annoying.
(There is a sign error in SGA7 like that, where the diagram is actually anticommutative rather than commutative.)

I may or may not have used this "rethoretical trick" in some of my papers...

My favorite translation of mathematical jargon: "the proof is left as an exercice to the reader", which really means "this result is obviously true but checking it is too tedious, I'll leave someone else do that for me".

In other words, for any non ramified rational point P on the Kummer K_A, there is a unique quadratic twist A' such that the preimage of P by A'-> K_A is given by two rational points \pm Q on A'!

(Of course, we can work with cocycles to prove this result, but the geometric proof is cooler!)

But now we can use G' to build a quadratic twist A' of A, and by the geometric construction above it is immediate to see that the fiber of A'->K_A splits, i.e. has rational points.

then K_A is étale locally isomorphic to [K_A] around P.
In particular, P gives a point of [K_A], and the pullback
of A->K_A by P: k -> K_A gives the étale \mu_2-torsor G' associated to P -> [K_A] (this is just a fancy way of saying that we look at the fiber of A->K_A at P).

As an example: consider A an abelian variety, \mu_2 the group of automorphisms of A given by [-1], and [K_A] the "Kummer stack" [A/\mu_2], with the standard Kummer variety A/\mu_2 simply being the coarse space of [K_A].

If P is a point of K_A which is not ramified under the map A->K_A, ...

Now pulling back [X/G]->BG by p: S->BG rather than the canonical map c: S ->BG gives precisely the twist X' associated to the torsor S'->S.
(via the standard isomorphism that Twists(X) =~ H^1(X, G) =~ G-torsors, X' \mapsto Isom(X',X)).

This gives a geometric construction of twists!

Anyway, apply this to G=Aut(X).
We have canonical maps X -> [X/G] -> BG, and we can reconstruct X as a pullback of [X/G]->BG by c:S->BG.

But we can also change the map [X/G]->BG by applying an isomorphism! Let S'->S be a G-torsor, it corresponds to a new point p:S->BG, which gives an iso BG=~BG.