TL;DR:
- SQIsign more general than initially thought.
- More space for protocol design!
- SQIsign NIST v2 still the best signature, by a small margin.
Ilinca already foreshadowed some of this in www.youtube.com/watch?v=5tGb..., though that's a different POV we're still writing up.
We're organizing a workshop on cryptographic group actions bringing together the isogeny and code communities. The workshop is just before Eurocrypt, a quick train away from Rome in the beautiful Marche.
Early registration ends this week, so grab your spot soon!
magic-workshop.github.io
Breaking digital signatures from tropical matrix semirings (Alessandro Sferlazza) ia.cr/2026/327
Anyway, we (in the isogeny community) won't have the algorithmic maturity needed to handle these kinds of objects anytime soon. I can only dream of some sort of "derived isogeny protocols" in the far future...
Part 4 (and final part): Speculations bsky.app/profile/dami...
Part 3: MIKE bsky.app/profile/dami...
Part 2: SIDH bsky.app/profile/dami...
Except that I have no idea what kind of geometric objects we could expect on the right? Some sort of derived schemes?? If we 1-truncate the animated modules, it kinda makes me think about Deligne 1-motives...
So this makes me think that the module action above ought to be upgraded to some sort of derived/animated module action $M \to Hom_R(M, A)$ where this time we use the internal Hom of the ∞-topos of animated fppf modules.
(Maybe with some kind of looping/delooping thrown in?)
Likewise, like I try to argue in bsky.app/profile/dami... a polarisation λ on A should be thought of as a "derived" bilinear map with values in BG_m. But on the module side, λ corresponds to a standard Hermitian form with values in R.
Notice the shift with respect to modules: to $A$ corresponds the torsion free module $M$, for which the dual is $Hom(M,R)$ and not $Ext^1(M,R)$. While to $K$ corresponds a torsion module $T$, for which the dual is $Ext^1(T,R)$.
A very similar phenomenon appears for abelian varieties. If $K \subset A$ is a finite subgroup of an abelian variety $A$, the correct notion of dual for $K$ is the Cartier dual $K^\vee=Hom(K, G_m)$. But for $A$ the correct notion of dual is $A^\vee = Pic^0(A, G_m)=Hom(A, BG_m)=Ext^1_{fppf}(A,G_m)$.
The difference being that in the torsion free case $M^{\vee}$ will be concentrated in degree 0, while in the torsion case $T^{\vee}$ in degree 1. For an arbitrary module we will have a complex concentrated in degree [0,1].
Notice that if $M$ is torsion free, it is $Hom_R(M, K/R)$ which is $0$!
One can unify both notions of dual by noticing that $Hom_R(M, K/R)=Ext^1_R(M, R)$, and in both cases we can thus define the dual of $M$ as the truncated derived dual $\tau_{\leq 1} RHom(M, R)$.
Another reason is due to duality. For torsion free modules $M$, the dual is $M^{\vee}=Hom_R(M, R)$. But if $T$ is torsion, $Hom_R(T,R)=0$ is not the correct notion of dual; instead we need to use $Hom_R(T, K/R)$ where $K$ is the fraction field of $R$.
But of course torsion modules behave badly with respect to tensor products since they are not flat. To solve this it would indeed be nice to work in the derived category instead.
In fact, in MIKE we do already use the action of torsion modules to build the kernels of the isogenies that allow us to compute our abelian varieties.
First, it can actually also be useful to consider the action of torsion modules, or more generally non torsion free modules. For instance $R/nR . A = A[n]$. And in some isogeny based protocols we really like to keep track of some level structure.
I have actually been thinking about this, for two reasons...
Now people in category theory are going to chime in and say that 1-topoi are usually only a pale truncation of an underlying ∞-topos, and that rather than embedding everything into the fppf topos I should embed into the ∞-topos of animated fppf sheaves of R-modules. (or maybe module spectra?)
(One needs to be careful to not take this analogy too far; Hom(M_1, M_2) is not really a division $M_2/M_1$, but something that behaves a bit like a division).
The idea is that we can compute these "divisions" by $M_i$ (and like I said the sheaves $E_0/M_i$ are even represented by nice abelian varieties), but not the "division" by $E_0$.
Then the key exchange is simply to send "$E_0/M_1$" and "$E_0/M_2$", and the shared secret is "$E_0/(M_1.M_2)$".
So in some sense, MIKE is as if we were doing a DH style key exchange in some sort of "field", exactly like the original DH (which in our case rather than F_p would be the closed symmetric monoidal category of fppf sheaves of R-modules).
But I want to point out that the category of (fppf sheaves of) R-modules is very nice: it is a categorified version of a rig (ring without negatives). In some sense, because of the internal Hom, we even have "divisions": $Hom(M_1, M_2)$ "$= M_2/M_1$"
But to be an abelian variety we need some extra conditions on M, notably to be torsion free (although this is not quite always sufficient).
What is not obvious from this description is that $M.A$ is still represented by an abelian variety and is not just an fppf-sheaf. It is not too hard to see that it is always represented by a commutative proper group scheme.
It is a bit trickier to define the converse map. A one sentence description of the module action $M.A$ for $A/F_p$ a supersingular abelian variety is to embed everything (R-modules and abelian varieties over F_p) into the fppf topos over F_p, and to define the action $M.A$ as $Hom_{R-fppf}(M, A)$.
As I mentioned, MIKE and the module action crucially rely on an anti-equivalence of categories $A \mapsto Hom_{F_p}(A, E_0)$.
Ok, and now for some wild speculations!
(Warning, from this point on I will speak about notions beyond my expertise, so I will probably say wrong things.)