Bitcoin Devs Should Be Learning Isogeny Cryptography

Conduition

2026-03-12

cryptography

In this article I want to convince Bitcoiners that we really ought to be learning more about isogeny based cryptography and contributing to this field like we have contributed to the field of classical elliptic curve cryptography.

I’ll make this argument by showing that many of the problems which bubble up when we consider integrating post-quantum cryptosystems into Bitcoin can be mostly resolved if we use isogeny-based cryptography. This means it will be a naturally strong competitor when Bitcoiners someday seek a more flexible and algebraically structured cryptosystem than the current leading candidate, hash-based signatures.

I’ll start with a bit of background on isogeny crypto - not rigorous, but a high-level overview which I hope will be approachable to anyone with a basic understanding of classical elliptic curve cryptography. In particular, as case studies we will be looking at the cutting edge SQIsign protocol and its NIST submission document (last updated 2025-07), as well as the newer and less well-understood PRISM signature system.

Once we understand the basics of isogenies and how they’re used to build efficient protocols, we can start talking about how isogenies may someday replace common cryptographic tricks which Bitcoin developers think of as forfeit under most PQC schemes, like key-tweaking, BIP32 xpub derivation, and silent payments, all with compact signatures and pubkeys.

Disclaimer

Since this is a technical article, I’m assuming that readers are already familiar with classical elliptic curve cryptography (ECC) and hash functions as they’re used in Bitcoin. If that’s not you, I’m sorry, this might be a touch hard to read. Refer to my ECC resources page for background.

Isogeny Cryptography

An isogeny is (informally) a function which maps points from one elliptic curve to points on another elliptic curve.

Yes, that’s right, we’re using elliptic curves (ECs) again.

wait. aren’t elliptic curves vulnerable to quantum computers?

No. ECs aren’t “vulnerable” to quantum computers or to anything really, because they have no nothing to protect. ECs are just mathematical objects.

Cryptosystems like signatures or key-exchange which are built using elliptic curves can be vulnerable to attack, but it depends on the mathematical assumptions which the cryptosystem relies on.

Classical elliptic curve cryptography (ECC) assumes the Elliptic Curve Discrete Log Problem (ECDLP) is hard, but due to Peter Shor’s namesake algorithm, we now know it can be solved efficiently with a quantum computer.

Isogeny-based cryptography (IBC) assumes the Supersingular Isogeny Path Problem (SIPP) is hard. SIPP asks us:

Given two supersingular elliptic curves and , can you find an isogeny from to ?

As fas as we know, there is no efficient quantum algorithm to solve this problem efficiently. As such, most IBC systems use supersingular elliptic curves to make use of that hardness assumption. I will sidestep the rabbit hole by failing to elaborate on what “supersingular” means, but for now just think of them as “nice” elliptic curves.

High Level

Isogeny-based cryptography (IBC) has the benefit of inheriting a cache of lingo from classical elliptic curve cryptography. Still, the ground rules change. Instead of working with points and scalars, we’re working with ECs and isogenies between them.

	Secret keys	Public Keys
Classical ECC	Scalars modulo a prime	Points on a fixed curve
Isogeny Crypto	Isogenies	Entire elliptic curves

In IBC, we typically start with a well-known base elliptic curve . To generate a keypair, a user would generate a secret isogeny which maps points on to points on some other curve . We write this more succinctly as:

The isogeny is the user’s secret key, and the curve is their public key.

Signatures typically consist of a non-interactive zero-knowledge proof that the user knows the secret isogeny, by computing and revealing some other isogeny which they wouldn’t have otherwise been able to know, in such a way that the revealed isogeny is bound to a message.

Ground Rules

To understand how signing works in the world of isogenies, we must learn about some curious results which mathematicians have discovered about isogenies. You’ll have to take my word for now as we don’t have the required background to fully prove them, but these facts have been proven and are well-known.

Every isogeny has a kernel, which is some finite set of points that the isogeny maps to infinity on its codomain (output curve). Isogenies can be almost-uniquely identified by their kernel, and the kernel itself can typically be represented efficiently using a pair of torsion basis points (not going that deep yet).
Every isogeny has a dual (denoted by a little hat), which you can think of as an inverse, though it’s not exactly that. can be efficiently computed knowing only .
An isogeny from an elliptic curve back to itself is called an endomorphism. Any elliptic curve defined over a finite field has some finite (but very large) set of possible endomorphisms.
The endomorphisms of an EC form a structured group, specifically a ring, if you compose and add them together (as polynomial functions). The endomorphism ring of a curve is denoted .
Some supersingular elliptic curves have well-known and friendly endomorphism rings. One such curve is
Computing given only is generally a very hard problem, now dubbed the endomorphism ring problem.
The endomorphism ring problem is equivalent to the isogeny path problem. Specifically:
- Given curves and and their endomorphism rings , , we can efficiently compute an isogeny (or ).
- Given curves and , one endomorphism ring and an isogeny , we can efficiently compute the endomorphism ring .

With a secret key , we can make use of our knowledge of to compute . Now we have some new powers which nobody else in the universe, hopefully even quantum-enabled attackers, can do:

if given an isogeny , we can efficiently compute an isogeny
if given an isogeny , we can efficiently compute an isogeny

Naive (Unsafe) Signing

From here, knowing the basic rules of isogenies, maybe you can already see how a signature scheme might work.

Hash the public key curve and a message to generate a pseudorandom challenge isogeny which maps the public key to an arbitrary challenge curve
Use knowledge of and to compute the challenge curve’s endomorphism ring
Use knowledge of and to compute a response isogeny
The signature is . The verifier recomputes and checks that is indeed an isogeny mapping

This results in very succinct keys and signatures. Keys are simply elliptic curves, which have very compact representations (as small as one scalar), and signatures are simply isogenies, which as I mentioned earlier can be compressed down to two elliptic curve points, which themselves can be compressed further if the isogeny has smooth degree.

Take care though, this naive scheme will be insecure. On one hand, yes, this procedure does prove the signer knew - She would’ve never been able to compute otherwise. In cryptographic parlance, the proof is sound.

However, it is not zero-knowledge. By revealing the response isogeny , the signer also revealed her secret key.

The attacker presumably knows since it is a fixed parameter of the scheme.
Knowing and , the attacker can compute
A verifier must know the message and public key , and so can compute
From the attacker can compute its dual
Knowing and , the attacker can compute (uh oh)
The attacker can now forge signatures using .

Let’s see how SQIsign fixes this naive scheme and turns it into a secure signature scheme which can be proven to be both sound and zero-knowledge.

SQIsign

SQIsign (pronounced “ski-sign”) is the leading isogeny-based signature protocol, developed in collaboration by several dozen researchers, many of them renowned experts in the field of isogenies. It is currently in the running for NIST’s PQC signature standardization competition.

SQIsign Size

SQIsign should be of special interest to Bitcoiners, as it provides by far the smallest key+signature sizes of any post-quantum signature protocol under consideration by NIST.

Parameter Set	Security Level (bits)	Public Key	Signature	Pk+Sig
NIST I	128 bit	65 bytes	148 bytes	213 bytes
NIST III	192 bit	97 bytes	224 bytes	321 bytes
NIST V	256 bit	129 bytes	292 bytes	421 bytes

Minimizing pubkey+sig size is crucial for blockchain-based cryptocurrencies like Bitcoin, because this metric directly affects the transaction throughput of the entire system, as we typically need at least one pubkey+signature pair for every UTXO spent.

Compare this to the next smallest non-trivial signature scheme SNOVA (NIST-I level), whose pubkey+sig size at NIST-I level alone is 1264 bytes. SNOVA has been weakened by many attacks - The next smallest scheme which has some degree of public confidence in its design is Falcon-512, with a pubkey+sig size of 1563 bytes.

To compare other PQC schemes, see Thom Wigger’s PQC Zoo.

SQIsigning

SQIsign fixes the naive scheme we drew up earlier by adding a couple extra steps to the signing algorithm:

Hash the public key curve and a message to generate a pseudorandom challenge isogeny which maps the public key to an arbitrary challenge curve
Use knowledge of and to compute the challenge curve’s endomorphism ring
Generate a random secret commitment isogeny mapping to an arbitrary commitment curve .
Use knowledge of and to compute the commitment curve’s endomorphism ring
Use knowledge of and to compute a response isogeny
The signature is . The verifier recomputes and checks that is indeed an isogeny mapping

Note how adding created a kind of buffer separating the base curve from the response isogeny . Since the attacker doesn’t know , they cannot find an isogeny path from to . This step lets us prove zero-knowledge of the signature scheme, making it fully secure.

The commitment isogeny and its codomain must be unique for every signature, and never reused. Think of it playing a similar role to a nonce in classical Schnorr signatures: If we reuse a commitment for two distinct signatures, we reveal a non-trivial endomorphism of , which can be used to extract the full endomorphism ring of .

There are plenty of details and important steps I glossed over, especially the whole Deurring Correspondence thing and the relationship between supersingular elliptic curves and quaternion algebras, but this is the high-level view of SQIsign’s protocol. By far the best description I’ve read comes from the SQIsign NIST submission document (page 5), which I duplicated here with some aesthetic changes and omissions. In the NIST submission, the authors describe SQIsign as a sigma protocol which they convert into a non-interactive signature scheme using the Fiat-Shamir transform.

However, those details are not necessary to understand the rest of this article. If you want to learn more about SQIsign, maybe also check out their original paper, their reference implementation, or this blog.

PRISM

SQIsign is awesome, but even its authors will admit the scheme is incredibly complex and difficult to implement. PRISM is a new-kid-on-the-block scheme which offers a much simpler implementation with compact pubkeys and signatures, and performance comparable to SQIsign.

Parameter Set	Security Level (bits)	Public Key	Signature	Pk+Sig
NIST I	128 bit	66 bytes	189 bytes	255 bytes
NIST III	192 bit	98 bytes	288 bytes	386 bytes
NIST V	256 bit	130 bytes	388 bytes	518 bytes

The PRISM authors note in page 26 of their paper that signatures can be compressed even more (about 20%) using a pairing function (SQIsign does this), at the cost of extra complexity and slower performance.

Like SQIsign, PRISM’s secret key is also a secret isogeny . A PRISM signature is also an isogeny which only the holder of could’ve created. PRISM even uses the same finite field as SQIsign and borrows their key-generation algorithm. This compatibility curiously means that a SQIsign key can be used to create or verify PRISM signatures, and vice-versa.

However PRISM uses an additional security assumption beyond those of SQIsign. SQIsign depends mainly on the supersingular isogeny path problem (and equivalently, the endomorphism ring problem). In addition to SIPP, PRISM also depends on the assumption that given a supersingular elliptic curve and a large prime , it is hard to find an isogeny of degree with domain (input curve) .

What is the "degree" of an isogeny?

An isogeny can be thought of as a pair of rational polynomials which act on a curve point's

and

coordinates:

Where:

, , , are polynomials
and are coprime
and are coprime
and have the same roots

The degree of an isogeny , denoted is simply:

An isogeny’s degree is also related to its kernel, but let’s leave that discussion for later.

We know this problem can be easily solved if you know . While the PRISM authors make decent arguments that finding prime-degree isogenies is likely hard without knowing , there is no rigorous reduction of this problem to the SIPP or ERP. A new assumption is necessary, and a new oracle must be instantiated for the security proof to work.

Risks aside, if this assumption holds we can create a very simple hash-and-sign signature scheme.

Construct a hash function which hashes binary input into large prime numbers.
Given a message and public key , compute a prime
The signer uses her knowledge of to find an isogeny such that
The signature is . The verifier checks that

This is much simpler to implement and reason with than SQIsign, but its security is clearly harder to prove conclusively. It is also a newer protocol, with new attacks always a possibility.

Speaking of attacks…

The SIDH Attack

Most people who have heard of isogeny-based cryptography may remember hearing news headlines in 2022 about SIKE/SIDH being “broken with a 10-year-old laptop”. The leading isogeny-based public-key-exchange cryptosystem SIDH (supersingular isogeny Diffie-Helman) was broken with a very devastating attack by Wouter Castryck and Thomas Decru which could be executed quickly and efficiently on a regular old classical computer. Here is an excellent talk by Decru on how the attack works, which I found very approachable without much background.

People often cite this attack as evidence that isogeny-based crypto is too young to be safe for real-world use. While I partially agree, the context matters a lot.

Rediscovering Kani’s Lemma

What Castryck and Decru found was actually a very old result, due to a paper by Ernst Kani in 1997, which had been forgotten by modern isogenists. This 25-year-old paper proved a very important statement, now known as Kani’s Lemma, which is (not in fully generality) that:

Given elliptic curves , , , , and the following commutative* isogenies between them:

…then there exists a higher-dimensional isogeny of degree between the products of elliptic curves:

…which is given by a 2x2 matrix of isogenies:

…with kernel:

Here and are the -torsion subgroups of and respectively.

Understanding torsion subgroups isn’t critical, but an important fact to remember is that isogenies can be uniquely identified by their kernel, and if you know its kernel you can evaluate the isogeny efficiently.

Kani’s lemma showed the world that torsion point images (evaluations) from an isogeny are effectively an expression of that isogeny’s kernel when it is embedded in some higher-dimensional isogeny.

It just so happened that SIDH worked by exchanging torsion point images between participants in the key exchange. I will skip over the details of this now-broken cryptosystem with you - Decru himself does a much better job explaining the details in his talk - but this rediscovery naturally broke the fundamental assumptions of SIDH and allowed efficient attacks by computing high-dimensional isogenies from the torsion point images which peers are required by SIDH to share.

You can read more about Kani’s lemma here and here, in Castryck and Decru’s SIDH attack paper, and in this talk by Decru.

Evolutions

This attack did not endanger most other isogeny-based cryptosystems for the simple reason that most other protocols (unless based on SIDH) did not involve exchanges of torsion point images. Even the similarly-named CSIDH protocol was unaffected because it works by completely different means.

Rather, the 2022 attack by Castryck and Decru massively accelerated the progress of IBC. Much of modern research now involves around clever ways to use Kani’s lemma and higher-dimensional isogenies to create new schemes and accelerate existing schemes.

For example, the SQIsign authors made use of higher-dimensional isogenies to dramatically improve signing and verification performance in the v2 version of the SQIsign protocol. SQIsigning used to take more than a second, and now it takes only a few milliseconds. PRISM would not exist without Kani’s lemma, using it as an efficient means to generate and evaluate prime-degree isogenies. Many other IBC cryptosystems benefited and flourished because of this renaissance.

Old Tricks, New Crypto

While we could spend many hours exploring the inner workings of SQIsign, PRISM, SIDH, and the mathematical proofs underlying isogeny cryptography, this is not essential to the point of this article. Remember: I’m trying to argue that Bitcoiners should be learning about and investing resources in isogeny-based cryptography. We should get to that.

Now we are equipped with some understanding of how isogeny-based keypairs and signature schemes work, we’ve seen how they can be attacked, and how they can be proven secure. We know the ground rules.

We can finally discuss how isogenies can be used to replace existing classical ECC tricks commonly used on Bitcoin.

Rerandomizable Public Keys

Perhaps surprisingly, many higher-level cryptographic constructions used across the Bitcoin ecosystem can be abstracted as one simpler building block, called a rerandomizable public key scheme, which can and has been instantiated with IBC schemes.

A rerandomizable public key scheme is a public key cryptosystem for which we have the following algorithms:

which generates a key pair.
where is a random salt.
where is a random salt.

For correctness of a rerandomizable pubkey scheme, given , we need that:

In plain english: A rerandomized secret key must correctly relate to the rerandomization of its public key.

It’s trivial to construct a correct rerandomizable pubkey scheme. Just define to output a random secret key derived from and , and then define .

But obviously this will not be secure. Any adversary who knows and could re-derive the rerandomized secret key and so sign messages.

For full privacy and security, we also need the properties of unlinkability and unforgeability respectively.

“Unlinkability” means the rerandomized keys are indistinguishable from independently generated random keys, unless you know the salt used to rerandomize the key.
“Unforgeability” means attackers cannot forge signatures for rerandomized public keys unless they also know the (possibly rerandomized) secret key.

Motivation

Rerandomization generalizes the essence of the many cryptographic techniques used in Bitcoin:

Technique	Rerandomized Equivalent
Taproot key tweaking (BIP341)	where is the merkle root of a merkle tree. The rerandomized pubkey is then a hiding & binding commitment to which can be opened by revealing .

Hardened (secret) child key derivation (BIP32)	where is a chaincode (pseudorandom salt) and is a 32-bit integer. The rerandomized secret key is a child key which can only be derived if you know the parent secret key and chaincode .

Unhardened (public) child key derivation (BIP32)	where is a chaincode (pseudorandom salt) and is a 32-bit integer. The rerandomized pubkey is a child key which can only be derived if you know the parent pubkey and chaincode .

Silent Payments (BIP352)	where is a “shared-secret” known by sender Alice and receiver Bob, typically generated with a diffie-helman style key exchange.

This generality of rerandomizable pubkey schemes leads us to conclude: If we can instantiate a correct, unlinkable, and unforgeable rerandomization system using isogenies, then we immediately inherit post-quantum replacements for BIP32, BIP341 key tweaking, and - with some caveats - BIP352 silent payments.

Prior Work

Classical ECC implementations (including in Bitcoin) typically instantiate rerandomization as follows:

Let be a base point of an elliptic curve of prime order
Construct a collision-resistant hash function which maps arbitrary inputs to integers mod .
Given , define
Given and
- Define
- Define

While there has been some work on rerandomizable keys in the post-quantum lattice cryptography context, the technique is always hobbled by the unergonomic structure of lattice-based public keys. Attempts to introduce structure to lattice-based keypairs seem to hinder compactness of keys and signatures. For instance, this recent paper (also see this accompanying blog post) gives a rerandomizable signature scheme and instantiates it for unhardened BIP32 key derivation, but at the cost of 16kb pubkeys and 20kb signatures (more than 8x bigger than ML-DSA).

For lattices, key rerandomization also affects security and requires we impose usage limitations:

Remark 2. Although the construction with Raccoon-G allows public key rerandomization, this increases the noise of the keys and changes the distribution of signatures. This affects the maximum depth at which the signature distribution can be argued to be indistinguishable, which is part of the unlinkability argument. One can instead consider a “hybrid” approach where non-hardened derivations are limited per public key generated with .

Isogeny Rerandomization

We can make efficient and secure post-quantum rerandomization with isogenies.

Let be a secret isogeny mapping the base curve to a public key curve .

Let be a hash function which returns a uniformly random isogeny with domain (input curve) .

To rerandomize a public key curve - without knowing the secret key - given random salt , we derive an isogeny which maps and use the codomain (output) curve as the updated public key. Pretty simple.

To rerandomize the secret key isogeny is more subtle. Given the salt we can rederive the isogeny . Because we know our public key’s endomorphism ring , and an isogeny , we can compute . Knowing by common knowledge as well, we can now find a secret isogeny , which is our new secret key.

_{A useful general fact to know about isogenies: If you know an isogeny path from any curve to any other curve , even if that path involves many intermediate isogenies between other curves it is relatively easy to compute a new succinct isogeny directly from to , as long as you know the endomorphism ring of at least one curve somewhere along the isogeny path, and not necessarily that of the first or last curves.}

Somewhat more concretely:

Define
Define :
- Compute
- Return
Define :
- Compute
- Compute using and
- Compute
- Compute using and
- Compute using and
- Return

It’s easy to see that correctness holds. The public key generated by rerandomizing is the same curve which you can find by rerandomizing the original public key .

Properties

The isogeny-based algorithm is fast and simpler to implement, as we only need to generate a pseudorandom isogeny and compute its codomain, a well-known task with efficient algorithms readily available. Technically we do not even need to evaluate the isogeny.

is much more involved and computationally expensive, though still ultimately polynomial time. I don’t know how fast in real terms, but based on the performance of SQIsign, I could guess it would probably be measured in milliseconds.

Security

This technique has been described in a couple of papers such as this one (page 3), and this one (oriented isogenies only, page 10), though always in an encryption context rather than with a signature scheme. The concept still applies equally well to signing keys as well though.

Proving unlinkability would be a matter of proving that results in an updated curve which is indistinguishable from a uniform random distribution of supersingular elliptic curves. The details will start mattering more here, such as the degree of the isogenies used. While I am not a cryptographer, I believe this is an easy proof if you use facts from supersingular isogeny graph theory. SQIsign already proves similar facts around the distribution of challenge curves. Proving unforgeability would depend on the signature scheme you choose.

Still given this technique’s novelty and relative obscurity in the literature, there is work to be done proving security before this can be relied upon in the real-world. The lack of available implementations means we cannot assess performance. All this is open future work.

Examples

To give examples, let’s consider a world where SQIsign and/or PRISM verification algorithms are standardized in Bitcoin’s consensus.

BIP32 HD Wallets

Hierarchical-deterministic (HD) wallets could function much as they do today, by starting with a single master secret isogeny and master chain code derived from a human-readable seed:

Hardened child keys could be derived by rerandomizing the master key, salted with , a child index , and the secret key itself as in BIP32’s CKDpriv.

Unhardened child keys could be derived by rerandomizing the master key, salted with , a child index , and the public key as in BIP32’s CKDpub.

Observers who have an extended public key can derive unhardened child pubkeys:

The result is an almost exact drop-in replacement for classical BIP32 HD wallets which should be quantum-secure, at the cost of slower key derivation.

BIP341 Key Tweaking

Someday, if have a lot more confidence in isogeny crypto, we could consider a future upgrade which hides an isogeny-based commitment to a script tree inside of bare-pubkey outputs, much like how taproot works today.

A bare pubkey posted on-chain would be an elliptic curve (66 bytes or so). To anyone looking at on-chain, it appears randomly selected and opaque. The keyholder could perform a key-path spend by publishing a signature which validates under : PRISM, SQIsign, or whatever is standardized at the time.

Or, instead of a bare signature, the spender could reveal a second curve which I’ll suggestively call the internal key and a merkle tree root such that

The merkle tree root can now be used to prove the UTXO was also committed to some previously-obscured spending condition like a timelock, multisig, or covenant script, and this would be called a script-path spend. All this is closely analagous to how BIP341 taproot addresses work today.

There are some complications though. There is no isogeny-based equivalent to the Nothing-Up-My-Sleeve (NUMS) points used by some taproot addresses to disable key-path spending. To date, nobody has yet found a transparent algorithm to generate a supersingular elliptic curve with an unknown endomorphism ring - a NUMS curve.

It’s possible the Bitcoin community could do something similar to the Perpetual Powers-of-Tau ceremony run by the Ethereum community to produce some evolving set of semi-trustworthy canonical NUMS curves, which are occasionally committed to the blockchain via something like OpenTimestamps.

If interested parties can interact, they could run a multiparty protocol to generate a NUMS curve by walking from a starting curve to some final curve , each of the parties contributing one intermediate isogeny and - for security - a simple proof that they know . Each party promises to forget their isogeny after the ceremony concludes.

Any honest agent who participated in the setup ceremony should be confident the resulting curve is indeed unspendable, because if even one party did indeed honestly erase their contribution isogeny, then there is exists no known path from to , and so is also unknown. However, this protocol requires all interested parties to participate in the ceremony, even if asynchronously, which can be troublesome in practice.

Silent Payments

Silent payments conceptually works as follows:

Bob posts a static silent payment address containing public key somewhere online - social media, github, etc.
Alice sees and wants to send money to Bob without interacting with him.
Alice has a UTXO at an address with pubkey .
Knowing her own secret key , Alice computes a shared secret using a diffie-hellman key exchange between her key and Bob’s key.
Alice rerandomizes Bob’s public key and sends coins to .
Bob scans the blockchain for payments to his silent payment address by brute-force search, computing shared secrets for every transaction which might possibly be a silent-payment to him.
Eventually Bob tests Alice’s transaction, computes the same shared secret , and finds his derived key matches one of the outputs in Alice’s transaction.

While conceptually this is possible to do with isogenies, it is much more difficult than other examples we’ve seen so far. The rerandomization part is possible, as we’ve seen, but agreement on a shared secret is hard to do while preserving privacy of both participants.

Many secure key exchange protocols do exist in the world of IBC - see CSIDH, POKE, QFESTA, and many others - but none of these key-exchanges are directly compatible with SQIsign or PRISM public keys.

To agree on a randomized key which Bob controls, Alice and Bob must exchange information. Bob starts the conversation by communicating his silent payment address. This occurs off-chain, so it could be almost anything we want, and within reason it could be quite large - as long as it fits in a QR code. For instance, this could be a 66 byte PRISM public key and a 64 byte CSIDH-512 public key attached, for a total of 130 bytes.

Alice can easily compute a shared secret once she sees Bob’s CSIDH key, because the CSIDH key exchange is non-interactive. But how does Alice communicate her CSIDH public key to Bob? Without it, Bob cannot compute the shared secret, and cannot identify Alice’s payment.

Alice might attach her 64-byte CSIDH pubkey on-chain, in her payment transaction to Bob, e.g. via OP_RETURN, or an inscription envelope. However this is bad for the privacy of both parties, because now on-chain observers can heuristically identify Alice’s payment as a silent payment transaction - though they can’t prove Bob was the recipient.

Alice could send her CSIDH pubkey to Bob off-chain, but if Alice can communicate with Bob off-chain, why not simply ask Bob for a fresh address of his own choice? This would also endanger Alice’s network-level privacy - Alice may prefer not to connect to Bob over the internet, for fear of Bob tracking her by IP address.

In an ideal world, there would be some way to create a hybrid keypair, such that the key encodes both a valid key-exchange pubkey and a valid signing pubkey. Such systems do exist; There are signature schemes which interoperate with CSIDH keys, however these schemes are typically less performant and produce much larger signatures than SQIsign and PRISM. Here is a cutting edge paper which may help bridge this gap. Alternatively, maybe there could be some way for Alice to embed a CSIDH public key in her signature in a way only Bob could extract. As yet this problem remains elusive.

Another problem is performance. For this system to work at all, Bob must be able to scan every candidate transaction in every block, to identify payments. Much work has gone into optimizing the CSIDH key exchange, but still it takes on the order of tens or hundreds of milliseconds to execute depending on hardware. For the sender Alice this is no biggie - she need only run the key exchange once - but Bob may have to repeat this key exchange thousands of times to identify payments, unless he is given some extraneous hint from senders.

Drawbacks

I would be foolish not to acknowledge the limitations of the IBC state-of-the-art.

First and foremost, verification performance is not great. While it has improved a lot in recent years, SQIsign’s verification algorithm still requires a good deal of computational power and even optimized code takes more than a millisecond to verify a single signature. This could be offset to some extent with parallelization, but is still definitely the Achilles Heel of isogeny crypto generally.

Another thing to note is that SQIsign has malleable signatures:

Note that SQIsign does not target strong unforgeability security, and indeed given a valid signature on a message, one can efficiently produce a second distinct valid signature on the same message by manipulating the auxiliary isogeny. Replacing the auxiliary isogeny with any other isogeny of the same degree yields a valid signature. The role of the auxiliary isogeny in the signature is only to enable a two-dimensional representation of the response, but it does not contribute to the security of the protocol. In other words, two-dimensional representations are inherently not unique: given such a representation, in most instances it is easy to find a different representation of the same isogeny. For this reason, SQIsign cannot achieve strong unforgeability.

- SQIsign NIST submission, page 93

I believe the same is true of PRISM, because PRISM signatures are also represented with a two-dimensional isogeny for compactness.

However, this should not affect 2nd-layer protocols like Lightning, because these days signatures are included only in witness data, which does not affect TXID computation.

While I have been lauding the prospects of IBC’s cryptographic flexibility, one thing still lacking in the IBC landscape is compact multisignature schemes. While some isogeny-based multisignature schemes do exist, such as CSI-SharK, they are not nearly as space-efficient as SQIsign and PRISM.

As discussed before, it seems difficult to generate valid NUMS public keys in an isogeny setting. We can do multiparty setup ceremonies, but still it’d be nice if we could simply hash to find a NUMS supersingular curve like we can today hash into NUMS points on a curve.

Finally, it’s worth acknowledging the approachability problem of IBC. Compared to something more elementary like hash-based signatures, isogeny crypto comes with a very high barrier to entry for anyone who is not a trained mathematician. I am myself a seasoned cryptographic developer and engineer, but without the necessary math background I’ve been struggling to wrap my mind around IBC for the past few months. Hash-based signatures were a cakewalk by comparison.

This problem seems to stem from a lack of beginner-friendly educational resources. Most information I’ve found has been in scholarly papers and hour-long videotaped powerpoint presentations.

Conclusions

Most info about isogeny crypto still lives in the secluded bastions of mathematical academia. I hope this article provides a more accessible and intuitive glimpse into this world.

To any professional isogenists reading: I apologize if I let any inaccuracies slip by. I left some things unsaid to reduce verbosity. Please contact me to correct any grievous errors! I would love to chat with you.

Now that we’ve seen some of what isogeny crypto can do, I hope you’ll understand why I named this article as I did. If you care about the future of Bitcoin after big quantum computers appear, you should be spending at least some fraction of your resources learning about what systems may someday replace classical ECC, and I believe isogenies are ahead of the pack here.

More explicitly, I am arguing that:

Bitcoin businesses which rely on classical ECC features should spend money researching how to replace those features with quantum-safe alternatives. Can you isogenize it?
Bitcoin developers should learn about isogenies so they can write secure software which uses isogeny crypto some day.
Bitcoin layer-two protocol engineers should think longer term. Don’t spend years building ECC-based protocols only for quantum computers to tear it all down in a decade or two. Build something which at least stands a chance to outlive you.
Bitcoin core developers should be thinking about what cryptography we want to use as a basis for long-term scaling and expressibility of future on-chain spending after ECC dies. As many readers know, I love SLH-DSA, I think it is a great fallback and stopgap, but long-term, we can do better.
Bitcoin Venture Capital investors should be thinking about the future of the companies they are funding. Startups bootstrapped in the next few years might be the first generation of pre-IPO Bitcoin companies impacted directly by quantum computing, or at the very least, the first to be majorly hobbled by quantum FUD. If a CEO doesn’t have a solid quantum-readiness plan, you should be skeptical.
Bitcoin custodians like Coinbase, Fidelity, Gemini, Anchorage et al should be funding research into secure post-quantum replacements for their complex offline and multisig custody models. These companies’ wallets will be highest on the hit-list if a CRQC holder decides to start attacking Bitcoin. They have the most to lose, and the most incentive to invest in building scalable PQ-secure wallets.
Bitcoin users should be salivating at the possibility that we might be able to efficiently replace classical ECC. We get to keep most of the nice things we’ve gotten used to over the years, and at relatively little cost compared to the billions of dollars being spent on quantum computing R&D.

As a freelance Bitcoin researcher focused on replacing classical ECC, I realize this may come off as me asking you to buy me lunch, but I’m not talking about myself and my own work necessarily. Though if you’re interested defs contact me.

I’m talking about human brainpower, and the money which incentivizes the focus of many smart people. The Bitcoin industry today is a force to be reckoned with, and as fragmentary as the community may be, our collective resources are enormous. If we bring them to bear and apply pressure where it gives the most leverage, I have every confidence Bitcoin can and will survive coming cryptanalytic breakthroughs.

As we all know, those who invest in novel powerful technologies early take the most risk, but also reap the most reward.