It works!! . Here's a @sagemath implementation of the SIDH Key Recovery attack of Castryck and Decru. Huge thanks to @oudomphe. Their insights allowed us to directly compute the image of points in the Jacobian through divisors. No Gröbner needed!.

This week I have been working on some rust code to develop a library for isogeny based cryptography. As a first project, I have implemented SQIsign verification following the round 2 NIST spec.

RT @DD_Baumann: I am retiring from teaching GR. Here is the final course material (lecture notes including all problem sets and exams). Hop….

We find 2, 4 and 8-radical isogeny formula in dim 1, 2 and 3. For higher genus, the more complex l-isogeny graph allows us to use a smaller base field. The bottleneck of the radical isogenies are roots, which get cheaper as the prime shrinks, improving performance of the hash

New paper with lots of my friends on computing isogeny-based hash functions using the theta model. Was fun to implement something which benchmarked at the micro rather than millisecond timescale for a change!. 🍄.

RT @BenjWeso: Random walks in number-theoretic cryptology: on Thursday (Aug. 29, 2pm CEST) I'll be defending my "habilitation". I'll presen….

kyber-py and dilithium-py have both been updated to match the finalised FIPS specifications 203 and 204. They also both pass the test vectors supplied by usnistgov/ACVP-Server. I hope these are useful tools to learn PQ crypto 🍄.

RT @asanso: Hey class groups lovers. Back from holiday and started reading ANTS XVI papers. Apart the obvious Selfridge prize winner 'Fast….

We now support the Ascon XOFs too!.

Main takeaway from this project though was how easy pyO3 is to use and maturin made uploading the package trivial too. Definitely inspired to use python bindings for rust code to solve projects more often now.

Here's a side by side of hashlib vs xoflib which shows the issues which people have when the required use of the algorithm is streaming byte after byte (this is exactly what is done for polynomial creation for ML-KEM and ML-DSA)

The motivation for this comes from ML-KEM and ML-DSA which both which require an XOF for the sampling of pseudorandom bytes. hashlib includes Shake, but for some reason has no streaming API for them, meaning most people hack something together which has huge memory costs.

This weekend I made xoflib with my friends Robin Jadoul and @_tritoke. xoflib is a Python package for the Shake extendable-output functions (XOFs) written using pyO3 bindings to the sha3 Rust crate.

So it turns out all my Dilithium hint confusion was very carefully written about in the. Dilithium spec. I added a small discussion in the README of the Python implementation too with some links to the source code as well:

Fixed :).

Bug was with my understanding of an optimisation, not with the code or FIPS 204 document. Everything works as expected. Discussion here: .

I can't find an implementation which implements following FIPS 204 exactly, but I can find other implementations which seem to need to use the Dilithium version.

I also have a silly bug somewhere, if you fix it that would be cool!.

I implemented ML-DSA following draft FIPS 204 to follow the work earlier this week with ML-KEM. Hopefully this is interesting to people learning about the protocol.

I've been looking at my old Dilithium implementation in Python to add an additional file for ML-DSA and I have an old bug I forgot about and can't squish with the make_hint() method. 🐛. Any advice?.

The PR for was a bit of a rabbit hole, but we finally removed the 100x slowdown of int(k) * P versus ZZ(k) * P for elliptic curve scalar multiplication.