A short disclaimer as a pinned tweet. 1) I hate twitter, I only use it because I hate facebook even more and I want to keep contact with old friends. Don't expect me to post much. 2) To try to go around twitter's echo chamber, I also follow people with different opinions than me.

@JDHamkins @gro_tsen Thanks for keeping us informed! Interesting because 2007 is also the date of Boban's exam I picked it up from.

RT @BenjWeso: Random walks in number-theoretic cryptology: on Thursday (Aug. 29, 2pm CEST) I'll be defending my "habilitation". I'll presen…

@gro_tsen @JDHamkins Thanks @gro_tsen for recovering the discussion! The link is no longer available, but I actually had saved the pdf. Here it is (in French): This is Exercice 4.

@JDHamkins @gro_tsen of the professor either. I was looking at it for the same reason as you: I was seeing this problem popping up in different places (@gro_tsen mentioned his blog, I also saw it in this blog post: , and I was trying to recover the logic exam I saw it first.

@gro_tsen @JDHamkins I remember I first saw it on a M2 logic exam, around 2005 I would guess

@asanso And invited talks by Wouter Castryck, Céline Maistret, Claus Fieker, Jordan Ellenberg and Katherine Stange. An awesome list of speakers!

RT @isogenies: New work on improving SQIsign using two dimensional isogenies. A post-quantum signature scheme with compact public keys, sig…

@kutasp @durumcrustulum @isogenies @bwesterb Not quite because we currently use the smallest response possible, of degree ≈ \sqrt{p}, for the verification. To have a hope to compute the response in dim 1, we would need to find a 2^n-isogeny, and we can only find one of degree ≈ p, so twice as big. So we could hope for x2.

@isogenies @durumcrustulum @bwesterb Yes, we definitively don't claim our current implementation is optimal. There are a lot of different trade offs / potential improvements we did not have time to explore. Still quite proud of the current version :)

@bwesterb @isogenies In the other direction, we could replace a matrix by explicit Kummer points, this would save the scalar multiplications (around 25% of our verification time), but add 64B to the signature size.

@isogenies @durumcrustulum @bwesterb But I don't see a way for dim 2 to reach better than x4 dim 1 unless we find completely new ideas, and even x4 will be difficult. So at best we could hope for a 25% speed up on this part, which takes 50% of the verification time...

@gloupin Are you sure? :)

(I stopped posting on twitter for obvious reasons, but could not resist this time :-))