{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,9]],"date-time":"2026-01-09T03:56:31Z","timestamp":1767930991588,"version":"3.49.0"},"reference-count":65,"publisher":"International Association for Cryptologic Research","issue":"4","license":[{"start":{"date-parts":[[2025,7,2]],"date-time":"2025-07-02T00:00:00Z","timestamp":1751414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IACR CiC"],"accepted":{"date-parts":[[2025,12,1]]},"abstract":"This work expands the machinery we have for isogeny-based cryptography in genus 2 by developing a toolbox of several essential algorithms for Kummer surfaces, the dimension-2 analogue of x-only arithmetic on elliptic curves. Kummer surfaces have been suggested in hyper-elliptic curve cryptography since at least the 1980s and recently these surfaces have reappeared to efficiently compute (2,2)-isogenies. We construct several essential analogues of techniques used in one-dimensional isogeny-based cryptography, such as pairings, deterministic point sampling and point compression and give an overview of (2,2)-isogenies on Kummer surfaces. We furthermore show how Scholten's construction can be used to transform isogeny-based cryptography over elliptic curves over Fp2 into protocols over Kummer surfaces over Fp.<\/jats:p>\n As an example of this approach, we demonstrate that SQIsign verification can be performed completely on Kummer surfaces, and, therefore, that one-dimensional SQIsign verification can be viewed as a two-dimensional isogeny between products of elliptic curves,<\/jats:p>","DOI":"10.62056\/a0zogyl7s","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:39:47Z","timestamp":1767915587000},"update-policy":"https:\/\/doi.org\/10.62056\/adfjwm02dj","source":"Crossref","is-referenced-by-count":0,"title":["Return of the Kummer: a Toolbox for Genus-2 Cryptography"],"prefix":"10.62056","volume":"2","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2651-8951","authenticated-orcid":false,"given":"Maria","family":"Santos","sequence":"first","affiliation":[{"id":[{"id":"https:\/\/ror.org\/02jx3x895","id-type":"ROR","asserted-by":"publisher"}],"name":"University College London","place":["United Kingdom"]},{"id":[{"id":"https:\/\/ror.org\/04zmssz18","id-type":"ROR","asserted-by":"publisher"}],"name":"\u00c9cole Normale Sup\u00e9rieure de Lyon","place":["France"]}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-8015-399X","authenticated-orcid":false,"given":"Krijn","family":"Reijnders","sequence":"additional","affiliation":[{"id":[{"id":"https:\/\/ror.org\/016xsfp80","id-type":"ROR","asserted-by":"publisher"}],"name":"Radboud University Nijmegen","place":["Netherlands"]},{"id":[{"id":"https:\/\/ror.org\/05f950310","id-type":"ROR","asserted-by":"publisher"}],"name":"COSIC, KU Leuven","place":["Belgium"]}]}],"member":"48349","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"ref1:pohlig","doi-asserted-by":"publisher","first-page":"106","DOI":"10.1109\/TIT.1978.1055817","article-title":"An improved algorithm for computing logarithms over GF(p)\n and its cryptographic significance (Corresp.)","volume":"24","author":"Stephen C. Pohlig","year":"1978","journal-title":"IEEE Trans. Inf. Theory"},{"key":"ref2:SQIsignHD","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"3","DOI":"10.1007\/978-3-031-58716-0_1","article-title":"SQIsignHD: New Dimensions in Cryptography","volume":"14651","author":"Pierrick Dartois","year":"2024"},{"key":"ref3:Cassels_Flynn_1996","series-title":"London Mathematical Society Lecture Note Series","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511526084","volume-title":"Prolegomena to a Middlebrow Arithmetic of Curves of Genus\n 2","author":"J. W. S. Cassels","year":"1996"},{"key":"ref4:bruin","doi-asserted-by":"publisher","first-page":"323","DOI":"10.5802\/jtnb.764","article-title":"The Tate pairing for abelian varieties over finite\n fields","volume":"23","author":"Peter Bruin","year":"2011","journal-title":"Journal de theorie des nombres de Bordeaux"},{"key":"ref5:sqisign-LWXZ","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.2024.3423675","article-title":"A faster software implementation of SQISign","author":"Kaizhan Lin","year":"2024","journal-title":"IEEE Transactions on Information Theory"},{"key":"ref6:mukummer","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-662-53140-2_15","article-title":"$\\mu$Kummer: efficient hyperelliptic signatures and key\n exchange on microcontrollers","author":"Joost Renes","year":"2016"},{"key":"ref7:EC:HSSI99","doi-asserted-by":"publisher","first-page":"190","DOI":"10.1007\/3-540-48910-X_14","article-title":"Comparing the MOV and FR reductions in elliptic curve\n cryptography","author":"Ryuichi Harasawa","year":"1999"},{"key":"ref8:castryck2020hash","doi-asserted-by":"publisher","first-page":"268","DOI":"10.1515\/JMC-2019-0021","article-title":"Hash functions from superspecial genus-2 curves using\n Richelot isogenies","volume":"14","author":"W. Castryck","year":"2020","journal-title":"Journal of Mathematical Cryptology"},{"key":"ref9:lubiczrobert2016","doi-asserted-by":"publisher","first-page":"130","DOI":"10.1016\/j.ffa.2016.01.009","article-title":"Arithmetic on abelian and Kummer varieties","volume":"39","author":"David Lubicz","year":"2016","journal-title":"Finite Fields Appl."},{"key":"ref10:SQIsign-specs","volume-title":"SQIsign","author":"Marius A. Aardal","year":"2025"},{"key":"ref11:kyber","doi-asserted-by":"publisher","first-page":"353","DOI":"10.1109\/EUROSP.2018.00032","article-title":"CRYSTALS-Kyber: a CCA-secure module-lattice-based\n KEM","author":"Joppe Bos","year":"2018"},{"key":"ref12:DMPR","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"304","DOI":"10.1007\/978-981-96-0891-1_10","volume-title":"Advances in Cryptology - ASIACRYPT 2024 - 30th\n International Conference on the Theory and Application of Cryptology and\n Information Security, Kolkata, India, December 9-13, 2024, Proceedings, Part\n III","volume":"15486","author":"Pierrick Dartois","year":"2024"},{"key":"ref13:falcon","first-page":"1","article-title":"Falcon: Fast-Fourier lattice-based compact signatures over\n NTRU","volume":"36","author":"Pierre-Alain Fouque","year":"2018","journal-title":"Submission to the NIST's post-quantum cryptography\n standardization process"},{"key":"ref14:SQIprime","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"396","DOI":"10.1007\/978-981-96-0891-1_13","article-title":"SQIPrime: A Dimension 2 Variant of SQISignHD with\n Non-smooth Challenge Isogenies","volume":"15486","author":"Max Duparc","year":"2024"},{"key":"ref15:MAGMA","doi-asserted-by":"publisher","first-page":"235","DOI":"10.1006\/jsco.1996.0125","article-title":"The Magma algebra system. I. The user language","volume":"24","author":"W. Bosma","year":"1997","journal-title":"J. Symbolic Comput."},{"key":"ref16:pegasis","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-032-01855-7_3","article-title":"PEGASIS: Practical Effective Class Group Action using\n 4-Dimensional Isogenies","author":"Pierrick Dartois","year":"2025"},{"key":"ref17:dmitrii","doi-asserted-by":"publisher","first-page":"125","DOI":"10.1007\/S13389-022-00296-9","article-title":"Subgroup membership testing on elliptic curves via the Tate\n pairing","volume":"13","author":"Dmitrii I. Koshelev","year":"2023","journal-title":"J. Cryptogr. Eng."},{"key":"ref18:cryptoeprint:2023\/508","volume-title":"Computing Isogenies of Power-Smooth Degrees Between\n PPAVs","author":"Jes\u00fas-Javier Chi-Dom\u00ednguez","year":"2023"},{"key":"ref19:kummerstrikesback","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"317","DOI":"10.1007\/978-3-662-45611-8_17","article-title":"Kummer Strikes Back: New DH Speed Records","volume":"8873","author":"Daniel J. Bernstein","year":"2014"},{"key":"ref20:SQIsign2D-east","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"272","DOI":"10.1007\/978-981-96-0891-1_9","article-title":"SQIsign2D-East: A New Signature Scheme Using\n 2-Dimensional Isogenies","volume":"15486","author":"Kohei Nakagawa","year":"2024"},{"key":"ref21:qDSA","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1007\/978-3-319-70697-9_10","article-title":"qDSA: Small and Secure Digital Signatures with Curve-Based\n Diffie-Hellman Key Pairs","volume":"10625","author":"Joost Renes","year":"2017"},{"key":"ref22:li-oort","volume-title":"Moduli of supersingular abelian varieties","volume":"1680","author":"Ke-Zheng Li","year":"1998"},{"key":"ref23:rosenhain","volume-title":"Abhandlung \u00fcber die Functionen zweier Variabler mit vier\n Perioden: welche die Inversen sind der ultra-elliptischen Integrale erster\n Klasse","author":"Georg Rosenhain","year":"1895"},{"key":"ref24:bosfast","doi-asserted-by":"publisher","first-page":"28","DOI":"10.1007\/S00145-014-9188-7","article-title":"Fast cryptography in genus 2","volume":"29","author":"Joppe W Bos","year":"2016","journal-title":"Journal of Cryptology"},{"key":"ref25:CCS17","doi-asserted-by":"publisher","first-page":"465","DOI":"10.1007\/978-3-319-69453-5_25","article-title":"Fast, uniform scalar multiplication for genus 2 Jacobians\n with fast Kummers","author":"Ping Ngai Chung","year":"2017"},{"key":"ref26:hecc2","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1112\/S1461157014000394","article-title":"Hyper-and-elliptic-curve cryptography","volume":"17","author":"Daniel J. Bernstein","year":"2014","journal-title":"LMS J. Comput. Math."},{"key":"ref27:robert-pairings","volume-title":"Fast pairings via biextensions and cubical arithmetic","author":"Damien Robert","year":"2024"},{"key":"ref28:costello18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"428","DOI":"10.1007\/978-3-030-03332-3_16","article-title":"Computing Supersingular Isogenies on Kummer Surfaces","volume":"11274","author":"Craig Costello","year":"2018"},{"key":"ref29:weil","volume-title":"Adeles and algebraic groups: lectures","author":"Andr\u00e9 Weil","year":"1961"},{"key":"ref30:galbraith-landscape","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"108","DOI":"10.1007\/978-3-540-73489-5_7","article-title":"Hyperelliptic Pairings","volume":"4575","author":"Steven D. Galbraith","year":"2007","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540734888"},{"key":"ref31:sphincsplus","series-title":"CCS '19","isbn-type":"print","doi-asserted-by":"publisher","first-page":"2129","DOI":"10.1145\/3319535.3363229","article-title":"The SPHINCS+ Signature Framework","author":"Daniel J. Bernstein","year":"2019","ISBN":"https:\/\/id.crossref.org\/isbn\/9781450367479"},{"key":"ref32:DBLP:journals\/tc\/ZanonSPDB19","doi-asserted-by":"publisher","first-page":"688","DOI":"10.1109\/TC.2018.2878829","article-title":"Faster Key Compression for Isogeny-Based Cryptosystems","volume":"68","author":"Gustavo H. M. Zanon","year":"2019","journal-title":"IEEE Trans. Computers"},{"key":"ref33:lubicz2010efficient","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","first-page":"251","DOI":"10.1007\/978-3-642-14518-6_21","article-title":"Efficient Pairing Computation with Theta Functions","volume":"6197","author":"David Lubicz","year":"2010","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642145179"},{"key":"ref34:ohashi","doi-asserted-by":"publisher","first-page":"102445","DOI":"10.1016\/J.FFA.2024.102445","article-title":"On the Rosenhain forms of superspecial curves of genus two","volume":"97","author":"Ryo Ohashi","year":"2024","journal-title":"Finite Fields Their Appl."},{"key":"ref35:MR4909637","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1007\/978-3-031-91826-1_9","article-title":"Radical 2-isogenies and cryptographic hash functions in\n dimensions 1, 2 and 3","volume":"15676","author":"Sabrina Kunzweiler","year":"2025"},{"key":"ref36:husemoller","volume-title":"Elliptic Curves, 2nd edition","author":"Dale Husem\u00f6ller","year":"2004"},{"key":"ref37:scholten","volume-title":"Weil restriction of an elliptic curve over a quadratic\n extension","author":"Jasper Scholten","year":"2003","journal-title":"Preprint"},{"key":"ref38:bernstein-kummer","volume-title":"Elliptic vs. hyperelliptic, part 1","author":"Daniel J. Bernstein","year":"2006"},{"key":"ref39:sagemath","volume-title":"SageMath, the Sage Mathematics Software System\n (Version 9.2)","author":"The Sage Developers","year":"2021"},{"key":"ref40:cosset","volume-title":"Applications of theta functions for hyperelliptic curve\n cryptography","author":"Romain Cosset","year":"2011"},{"key":"ref41:SQIsign","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"64","DOI":"10.1007\/978-3-030-64837-4_3","article-title":"SQISign: Compact Post-quantum Signatures from Quaternions\n and Isogenies","volume":"12491","author":"Luca De Feo","year":"2020"},{"key":"ref42:smith2005explicit","volume-title":"Explicit endomorphisms and correspondences","author":"Benjamin Andrew Smith","year":"2005"},{"key":"ref43:robertnotes","volume-title":"Some notes on algorithms for abelian varieties","author":"Damien Robert","year":"2024"},{"key":"ref44:robert2023geometric","volume-title":"The geometric interpretation of the Tate pairing and its\n applications","author":"Damien Robert","year":"2023"},{"key":"ref45:santos2024efficient","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s40993-024-00600-y","article-title":"Efficient $(3, 3)$-isogenies on fast Kummer surfaces","volume":"11","author":"Maria Corte-Real Santos","year":"2025","journal-title":"Research in Number Theory"},{"key":"ref46:SIDH","doi-asserted-by":"publisher","first-page":"209","DOI":"10.1515\/jmc-2012-0015","article-title":"Towards quantum-resistant cryptosystems from supersingular\n elliptic curve isogenies","volume":"8","author":"Luca De Feo","year":"2014","journal-title":"Journal of Mathematical Cryptology"},{"key":"ref47:SQIsign2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"659","DOI":"10.1007\/978-3-031-30589-4_23","article-title":"New Algorithms for the Deuring Correspondence - Towards\n Practical and Secure SQIsign Signatures","volume":"14008","author":"Luca De Feo","year":"2023"},{"key":"ref48:gaudry2007","doi-asserted-by":"publisher","first-page":"243","DOI":"10.1515\/JMC.2007.012","article-title":"Fast genus 2 arithmetic based on Theta functions","volume":"1","author":"Pierrick Gaudry","year":"2007","journal-title":"Journal of Mathematical Cryptology"},{"key":"ref49:dilithium","doi-asserted-by":"publisher","first-page":"238","DOI":"10.13154\/TCHES.V2018.I1.238-268","article-title":"CRYSTALS-Dilithium: A lattice-based digital signature\n scheme","author":"L\u00e9o Ducas","year":"2018","journal-title":"IACR Transactions on Cryptographic Hardware and Embedded\n Systems"},{"key":"ref50:NIST-call","volume-title":"Call for Additional Digital Signature Schemes for the\n Post-Quantum Cryptography Standardization Process","author":"National Institute of Standards","year":"2022"},{"key":"ref51:apressqi","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-58716-0_3","article-title":"Apr\u00e8sSQI: Extra Fast Verification for SQIsign\n Using Extension-Field Signing","author":"Maria Corte-Real Santos","year":"2024"},{"key":"ref52:costello2017efficient","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"679","DOI":"10.1007\/978-3-319-56620-7_24","article-title":"Efficient Compression of SIDH Public Keys","volume":"10210","author":"Craig Costello","year":"2017"},{"key":"ref53:SIDHatk3","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"472","DOI":"10.1007\/978-3-031-30589-4_17","article-title":"Breaking SIDH in Polynomial Time","volume":"14008","author":"Damien Robert","year":"2023"},{"key":"ref54:C:BKLS02","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"354","DOI":"10.1007\/3-540-45708-9_23","article-title":"Efficient Algorithms for Pairing-Based Cryptosystems","volume":"2442","author":"Paulo S. L. M. Barreto","year":"2002"},{"key":"ref55:igusa","doi-asserted-by":"publisher","first-page":"612","DOI":"10.2307\/1970233","article-title":"Arithmetic variety of moduli for genus two","volume":"72","author":"Jun-ichi Igusa","year":"1960","journal-title":"Annals of Mathematics"},{"key":"ref56:JC:Joux04","doi-asserted-by":"publisher","first-page":"263","DOI":"10.1007\/S00145-004-0312-Y","article-title":"A one round protocol for tripartite Diffie\u2013Hellman","volume":"17","author":"Antoine Joux","year":"2004","journal-title":"Journal of cryptology"},{"key":"ref57:brock","volume-title":"Superspecial curves of genera two and three","author":"Bradley Wayne Brock","year":"1993"},{"key":"ref58:chudnovskys","doi-asserted-by":"publisher","first-page":"385","DOI":"10.1016\/0196-8858(86)90023-0","article-title":"Sequences of numbers generated by addition in formal groups\n and new primality and factorization tests","volume":"7","author":"David V Chudnovsky","year":"1986","journal-title":"Advances in Applied Mathematics"},{"key":"ref59:selfpairings","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"762","DOI":"10.1007\/978-3-031-38548-3_25","article-title":"Weak Instances of Class Group Action Based Cryptography via\n Self-pairings","volume":"14083","author":"Wouter Castryck","year":"2023"},{"key":"ref60:supersolver","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"285","DOI":"10.1007\/978-3-031-15982-4_10","article-title":"Accelerating the Delfs\u2013Galbraith Algorithm with Fast\n Subfield Root Detection","volume":"13509","author":"Maria Corte-Real Santos","year":"2022"},{"key":"ref61:SIDHatk2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"448","DOI":"10.1007\/978-3-031-30589-4_16","article-title":"A Direct Key Recovery Attack on SIDH","volume":"14008","author":"Luciano Maino","year":"2023"},{"key":"ref62:SQisign2D-west","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"339","DOI":"10.1007\/978-981-96-0891-1_11","article-title":"SQIsign2D-West - The Fast, the Small, and the Safer","volume":"15486","author":"Andrea Basso","year":"2024"},{"key":"ref63:SIDHatk","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"423","DOI":"10.1007\/978-3-031-30589-4_15","article-title":"An Efficient Key Recovery Attack on SIDH","volume":"14008","author":"Wouter Castryck","year":"2023"},{"key":"ref64:DBLP:conf\/pairing\/2007","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-73489-5","volume-title":"Pairing-Based Cryptography - Pairing 2007, First\n International Conference, Tokyo, Japan, July 2-4, 2007, Proceedings","volume":"4575","year":"2007","ISBN":"https:\/\/id.crossref.org\/isbn\/9783540734888"},{"key":"ref65:DBLP:conf\/ants\/2010","series-title":"Lecture Notes in Computer Science","isbn-type":"print","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14518-6","volume-title":"Algorithmic Number Theory, 9th International Symposium,\n ANTS-IX, Nancy, France, July 19-23, 2010. Proceedings","volume":"6197","year":"2010","ISBN":"https:\/\/id.crossref.org\/isbn\/9783642145179"}],"container-title":["IACR Communications in Cryptology"],"original-title":[],"language":"en","deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T23:40:39Z","timestamp":1767915639000},"score":1,"resource":{"primary":{"URL":"https:\/\/cic.iacr.org\/p\/2\/4\/2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,8]]},"references-count":65,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2026,1,8]]}},"URL":"https:\/\/doi.org\/10.62056\/a0zogyl7s","archive":["Internet Archive","Internet Archive"],"relation":{},"ISSN":["3006-5496"],"issn-type":[{"value":"3006-5496","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-07-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}}],"article-number":"cc2-3-24"}}