SQIsign

SQIsign is a post-quantum signature scheme submitted to first round of the post-quantum standardisation process. It is based around a proof of knowledge of an elliptic curve^[a] endomorphism that can be transformed to a signature scheme using the Fiat–Shamir transform.

SQIsign

General
Designers	Jorge Chavez-Saab, Maria Corte-Real Santos, Luca De Feo, Jonathan Komada Eriksen, Basil Hess, David Kohel, Antonin Leroux, Patrick Longa, Michael Meyer, Lorenz Panny, Sikhar Patranabis, Christophe Petit, Francisco Rodríguez Henríquez, Sina Schaeffler, Benjamin Wesolowski[1]
First published	1 June 2023 (23 months ago) (2023-06-01)
Cipher detail
Key sizes	64, 96 or 128 bytes depending on the NIST parameter set[2]
Structure	Supersingular isogeny graph
Best public cryptanalysis
No known attacks. The SQIsign2D-East variant suffers from a specific vulnerability.[3]

It promises small key sizes between 64 and 128 bytes and small signature sizes between 177 and 335 bytes, which outperforms other post-quantum signature schemes that have a trade-off between signature and key sizes. SQIsign, however, has higher signing and verification times.^[4] The original paper concluded that their C implementation takes 0.6 s for key generation, 2.5 s for a sign operation and 0.05 s or 50 ms for a verification operation.^[5]

These times have been improved with new variations like SQIsign-east.^[6]

The name stands for "Short Quaternion and Isogeny Signature" as it makes use of isogenies and quaternions.

Security

SQIsign's security relies on the hardness of the endomorphism ring problem, which is currently considered hard.^[7][8]

The authors also provide a rationale for the chosen parameters in the last chapter of the specification.^[1]

While SQIsign makes use of a similar construction, the weaknesses of SIDH do not translate to it.^[1]

There is a security proof for SQIsign.^[9]

Implementations

There is a reference implementation hosted on GitHub.

SQIsign 2.0

The team behind SQIsign improved the original design in their round 2 submission and incorporated improvements from the SQIsign2D-West variant.^[10]

This has improved the signing time by a factor of 20 and the verification time by a factor of 6 while increasing the security level and reducing the signature size by 14%.^[10]: 6

Variants

There are a couple of variants based on the original SQIsign:^[11]

• SQIsignHD: New dimensions in cryptography^[12]
• SQIsign2D-West: The fast, the small, and the safer^[13]
• SQIsign2D‑East: A new signature scheme using 2-dimensional isogenies^[3]
• SQIPrime: A dimension 2 variant of SQISignHD with non-smooth challenge isogenies^[14]