Login
Login

SQIsign

{{Short description|Post-quantum digital signature scheme}}

{{Infobox encryption method

| name = SQIsign

| designers = Jorge Chavez-Saab, Maria Corte-Real Santos, Luca De Feo, Jonathan Komada Eriksen, Basil Hess, David Kohel, Antonin Leroux, Patrick Longa, Michael Meyer, Lorenz Panny, Sikhar Patranabis, Christophe Petit, Francisco Rodríguez Henríquez, Sina Schaeffler, Benjamin Wesolowski{{cite web | title=SQIsign - Algorithm specifications and supporting documentation - Version 1.0 | url=https://sqisign.org/spec/sqisign-20230601.pdf | access-date=2024-11-15}}

| publish date = {{start date and age|2023|6|1|df=y|paren=y}}

| key size = 64, 96 or 128 bytes depending on the NIST parameter set{{cite web | title=SQIsign - Algorithm specifications and supporting documentation - Version 1.0 | url=https://sqisign.org/spec/sqisign-20230601.pdf | page = 4 | access-date=2024-11-15}}

| structure = Supersingular isogeny graph

| cryptanalysis = No known attacks. The SQIsign2D-East variant suffers from a specific vulnerability.

}}

SQIsign is a post-quantum signature scheme submitted to first round of the post-quantum standardisation process. It is based around a proof of knowledge of an elliptic curve{{efn|specifically supersingular elliptic curves}} endomorphism that can be transformed to a signature scheme using the Fiat–Shamir transform.

It promises small key sizes between 64 and 128 bytes and small signature sizes between 177 and 335 bytes, which outperforms other post-quantum signature schemes that have a trade-off between signature and key sizes. SQIsign, however, has higher signing and verification times.{{cite web | last1=Westerbaan | first1=Bas | last2=Larisch | first2=James | last3=Ahmad | first3=Suleman | last4=Fayed | first4=Marwan | last5=Westerbaan | first5=Bas | last6=Valenta | first6=Luke | last7=Krivit | first7=Alex | title=Sizing Up Post-Quantum Signatures | website=The Cloudflare Blog | date=2021-11-08 | url=https://blog.cloudflare.com/sizing-up-post-quantum-signatures/ | access-date=2024-11-15}}

The original paper concluded that their C implementation takes 0.6 s for key generation, 2.5 s for a sign operation and 0.05 s or 50 ms for a verification operation.{{cite journal | last1=Feo | first1=Luca De | last2=Kohel | first2=David | last3=Leroux | first3=Antonin | last4=Petit | first4=Christophe | last5=Wesolowski | first5=Benjamin | title=SQISign: compact post-quantum signatures from quaternions and isogenies | journal=Cryptology ePrint Archive | date=2020 | url=https://eprint.iacr.org/2020/1240 | access-date=2024-11-18 | page=}}

These times have been improved with new variations like SQIsign-east.{{cite journal | last1=Nakagawa | first1=Kohei | last2=Onuki | first2=Hiroshi | title=SQIsign2D-East: A New Signature Scheme Using 2-dimensional Isogenies | journal=Cryptology ePrint Archive | date=2024 | url=https://eprint.iacr.org/2024/771 | access-date=2024-11-15 | page=}}

The name stands for "Short Quaternion and Isogeny Signature" as it makes use of isogenies and quaternions.

Security

SQIsign's security relies on the hardness of the endomorphism ring problem, which is currently considered hard.{{cite journal | last1=Page | first1=Aurel | last2=Wesolowski | first2=Benjamin | title=The supersingular Endomorphism Ring and One Endomorphism problems are equivalent | journal=Cryptology ePrint Archive | date=2023 | url=https://eprint.iacr.org/2023/1399 | access-date=2024-11-15 | page=| arxiv=2309.10432 }}{{cite web | title=THE SUPERSINGULAR ENDOMORPHISM RING PROBLEM GIVEN ONE ENDOMORPHISM | url=https://eprint.iacr.org/2023/1448.pdf | access-date=2024-11-15}}

The authors also provide a rationale for the chosen parameters in the last chapter of the specification.

While SQIsign makes use of a similar construction, the weaknesses of SIDH do not translate to it.

There is a security proof for SQIsign.{{cite journal | last=Aardal | first=Marius A. | last2=Basso | first2=Andrea | last3=Feo | first3=Luca De | last4=Patranabis | first4=Sikhar | last5=Wesolowski | first5=Benjamin | title=A Complete Security Proof of SQIsign | journal=Cryptology ePrint Archive | date=2025 | url=https://eprint.iacr.org/2025/379 | access-date=May 16, 2025 | page=}}

Implementations

There is a [https://github.com/SQISign/the-sqisign reference implementation] hosted on GitHub.

SQIsign 2.0

The team behind SQIsign improved the original design in their round 2 submission and incorporated improvements from the SQIsign2D-West variant.{{cite web | title=SQIsign - Algorithm specifications and supporting documentation - Version 2.0 | url=https://sqisign.org/spec/sqisign-20250205.pdf | access-date=May 16, 2025}}

This has improved the signing time by a factor of 20 and the verification time by a factor of 6 while increasing the security level and reducing the signature size by 14%.{{r|round2|p=6}}

Variants

There are a couple of variants based on the original SQIsign:{{cite web | title=SQIsign | website=SQIsign | date=2023-06-01 | url=https://sqisign.org/ | access-date=2024-11-17}}

  • SQIsignHD: New dimensions in cryptography{{cite journal | last1=Dartois | first1=Pierrick | last2=Leroux | first2=Antonin | last3=Robert | first3=Damien | last4=Wesolowski | first4=Benjamin | title=SQISignHD: New Dimensions in Cryptography | journal=Cryptology ePrint Archive | date=2023 | url=https://eprint.iacr.org/2023/436 | access-date=2024-11-17 | page=}}
  • SQIsign2D-West: The fast, the small, and the safer{{cite journal | last1=Basso | first1=Andrea | last2=Feo | first2=Luca De | last3=Dartois | first3=Pierrick | last4=Leroux | first4=Antonin | last5=Maino | first5=Luciano | last6=Pope | first6=Giacomo | last7=Robert | first7=Damien | last8=Wesolowski | first8=Benjamin | title=SQIsign2D-West: The Fast, the Small, and the Safer | journal=Cryptology ePrint Archive | date=2024 | url=https://eprint.iacr.org/2024/760 | access-date=2024-11-17 | page=}}
  • SQIsign2D‑East: A new signature scheme using 2-dimensional isogenies{{cite journal | last1=Nakagawa | first1=Kohei | last2=Onuki | first2=Hiroshi | title=SQIsign2D-East: A New Signature Scheme Using 2-dimensional Isogenies | journal=Cryptology ePrint Archive | date=2024 | url=https://eprint.iacr.org/2024/771 | access-date=2024-11-17 | page=}}
  • SQIPrime: A dimension 2 variant of SQISignHD with non-smooth challenge isogenies{{cite journal | last1=Duparc | first1=Max | last2=Fouotsa | first2=Tako Boris | title=SQIPrime: A dimension 2 variant of SQISignHD with non-smooth challenge isogenies | journal=Cryptology ePrint Archive | date=2024 | url=https://eprint.iacr.org/2024/773 | access-date=2024-11-17 | page=}}

References

{{Reflist}}

{{notelist}}

{{Cryptography navbox | public-key}}

Category:Asymmetric-key algorithms

Category:Digital signature schemes

{{crypto-stub}}