This year at Asiacrypt a total of 7 papers on isogenybased cryptography were presented. For those who couldn’t attend, I’ve briefly described each paper. I also give links to the papers and corresponding talks (on YouTube) for more details.
SQISign: Compact Post Quantum signatures from Quaternions and Isogenies
Winning the best paper award, De Feo, Kohel, Leroux, Petit and Wesolowski introduce a new signature scheme from isogeny graphs of supersingular elliptic curves. This paper builds on work by Galbraith, Petit and Silva (GPS) ^{1} who proposed a signature scheme constructed from the KLPT algorithm ^{2}. We note that the KLPT algorithm solves the quaternion analog of the $l$isogeny path problem under the Deuring correspondence. The GPS scheme was mainly theoretical and was not implemented (to the best of my knowledge).
In the SQISign paper, a new generic KLPT algorithm is presented, which produces a smaller output than the original algorithm. Using this, the authors construct a new interactive zero knowledge identification protocol, resulting in an unforgeable signature scheme. New algorithms for efficient instantiation of the protocol, parameters targeting NIST1 level postquantum security and a complete implementation of the signature scheme in both C and Magma are also given in the paper.
Cryptographic Group Actions and Applications
In my opinion this paper tackles two issues with isogenybased cryptography:

For someone without a strong Maths background, who for example doesn’t know what an isogeny is, it’s quite a difficult to get into this field and develop cryptographic primitives based on isogenies.

Isogenies are not as expressive as lattices, so it is harder (and maybe not even possible) to construct certain primitives with isogenies. However, having primitives with postquantum instantiations based only on lattice assumptions is dangerous as an attack on the underlying hardness problems for lattices may be found in the future.
This paper by Alamati, De Feo, Montgomery and Patranabis proposes a new framework based on group actions that enables the use of isogenybased assumptions, even for those who aren’t extremely familiar with the underlying maths. The authors achieve this by abstracting the group action and hardness assumptions in CSIDH ^{3} and CSIFiSh ^{4}. This new framework can be leveraged to construct several primitives not previously known from isogenybased assumptions, such as smooth projective hashing, dualmode PKE and a NaorRaingold style PRF.
In addition, they introduce a new assumption over group actions, called the Linear Hidden Shift assumption. This can be used to obtain symmetric KDMsecure encryption, which in turn enables the construction of many other primitives.
BSIDH: Supersingular Isogeny DiffieHellman Using Twisted Torsion
In SIDH, a prime $p = 2^m3^n  1$ is used and Alice and Bob represent each isomorphism class by a supersingular curve $E/\mathbb{F}_{p^2}$ with group order #$E(\mathbb{F}_{p^2}) = (p+1)^2 = (2^m3^n)^2$. This choice was made by Jao and De Feo to allow full $\mathbb{F}_{p^2}$rational $2^m$torsion and full $\mathbb{F}_{p^2}$rational $3^n$torsion. This means that the corresponding isogeny computations are also $\mathbb{F}_{p^2}$rational, and so can be done efficiently.
However, Costello observes that there are in general two choices of $\mathbb{F}_{p^2}$rational elliptic curve groups corresponding to every node in the supersingular isogeny graph: those whose group orders are $(p+1)^2$ and those whose groups orders are $(p1)^2$. Elliptic curves from these two sets are not isomorphic over $\mathbb{F}_{p^2}$, but they are isomorphic over $\mathbb{F}_{p^4}$ and so have the same $j$invariant.
Using this, a variant of SIDH, called BSIDH, is constucted. An important fact shown by Costello is that we can still work over $\mathbb{F}_{p^2}$ while using both curves. The use of both curves unlocks a wealth of tradeoffs. For example, BSIDH can give significantly smaller key sizes with no known loss of security. Adj, ChiDomínguez and RodríguezHenríquez present a concrete analysis of BSIDH’s efficiency ^{5}, showing BSIDH outperforms any CSIDH instantiation. However, it is still less efficient than SIDH. Techniques developed in eSIDH ^{6} could also be used to introduce parallelisation and facilitate computations.
The search for smooth parameters that will give a reasonably efficient BSIDH protocol is nontrivial and is a key focus of the paper, as well as a topic of subsequent research ^{7}. With respect to security, as at least one of Alice or Bob must now perform walks comprised of steps in multiple $l$isogeny graphs, the underlying hardness assumption is slightly different. However, there is no reason to believe this modification makes the problem easier as long as the number of destination nodes remains roughly the same size as in SIDH.
Calamari and Falafl: Logarithmic (Linkable) Ring Signatures from Isogenies and Lattices
This paper constructs concretely efficient logarithmic ring signatures and linkable ring signatures from isogenybased and latticebased hardness assumptions, giving Calamari and Falafl respectively. First, Beullens, Katsumata and Pintore construct a (linkable) ring signature scheme based on a group action that satisfies certain cryptographic propoerties and then instantiate with the CSIDH group action or a MLWEbsaed group action.
A key advantage of this scheme is that the signature scheme scales well with the ring size $N$ compared to other logarithmic (linkable) ring signatures. Indeed, the term in the signature size that depends on $\log N$ is independent of the SIDH or lattice parameters. Instead, it is due to to the signatures containing a small number of paths in Merkle trees of depth $\log N$.
For the isogeny istantiation, they consider the CSIDH512 parameter set used in CSIFiSh ^{4}. The authors then give an estimate for the signature size: $\log N + 3.5$ KB, and a signing time of 79s for $N = 8$. As is usually the case, we get smaller signatures but longer signing time compared to the latticebased instantiation.
Radical Isogenies
This paper is mainly concerned with improving the efficiency of isogeny computations. Castryck, Decru, and Vercauteren introduce a new approach called ‘radical isogenies’ and a corresponding method to compute chains of $N$isogenies, which is very efficient for small $N$. Indeed, compared to the stateoftheart, their method results in an order of magnitude speedup for $N \leq 13$. When applied to CSIDH, it gives a speedup of about 19\% over the implementation in ^{8} for the CSURF512 parameters ^{9}.
Oblivious Pseudorandom Functions from Isogenies
In this paper, Boneh, Kogan and Woo construct an oblivious PRF (OPRF) and a verifiable OPRF from isognies. The first construction uses isogenies of supersingular curves over $\mathbb{F}_{p^2}$ and adapted the DiffieHellman OPRF to this setting. In order to overcome the attack due to Galbraith, Petit, Shani and Ti presented at Asiacrypt 2016 ^{10}, they develop two zeroknowledge protocols to convince each party they were sent valid messages. This construction results in an OPRF in the SIDH setting. The second construction is a NaorReingoldlike PRF in the CSIDH setting.
SiGamal: A Supersingular IsogenyBased PKE and Its Application to a PRF
SiGamal is a PKE scheme, similar to ElGamal, which is based on CSIDH and provides INDCPA security without using hash functions. The paper also constructs a compressed version of SiGamal called CSiGamal. The security is based on decisional problem closely related to that of CSIDH, which arises from the assumed difficulty of computing the image of a given point under a hidden isogeny.
There is, however, a tradeoff with efficiency. The computational costs of group actions in SiGamal512 sending 256bit plaintexts are around $2.6 \times$ that of a group action in CSIDH512. Furthermore, SiGamal is not INDCCA secure. Increasing efficiency and finding a PKE scheme that achieves INDCCA security without the use of hash functions are possible directions of future research.
In the paper, Moriya, Onuki and Takagi also propose a NaorReingold type PRF based on SiGamal. They defined a new hardness assumption and show their proposed function is a PRF provided it holds. This new assumption guarantees the security of CSIDH that uses a prime $p$ in the setting of SiGamal. The authors also estimate the computational costs of the group actions needed to compute the PRF.

‘Identification Protocols and Signature Schemes Based on Supersingular Isogeny Problems’ by Steven D. Galbraith, Christophe Petit and Javier Silva. ePrint ↩

‘On the quaternion ‘$l$isogeny path problem’ by David Kohel, Kristin Lauter, Christophe Petit and JeanPierre Tignol. ePrint ↩

‘CSIDH: An Efficient PostQuantum Commutative Group Action’ by Wouter Castryck, Tanja Lange, Chloe Martindale, Lorenz Panny and Joost Renes. ePrint ↩

‘CSIFiSh: Efficient Isogeny based Signatures through Class Group Computations’ by Ward Beullens and Thorsten Kleinjung and Frederik Vercauteren. ePrint ↩ ↩^{2}

‘On new Velu’s formulae and their applications to CSIDH and BSIDH constanttime implementations’ by Gora Adj, JesúsJavier ChiDomínguez and Francisco RodríguezHenríquez. ePrint ↩

‘eSIDH: the revenge of the SIDH’ by Daniel CervantesVázquez Eduardo OchoaJiménez, Francisco and RodríguezHenríquez. ePrint ↩

‘Sieving for twin smooth integers with solutions to the ProuhetTarryEscott problem’ by Carig Costello, Michael Meyer and Michael Naehrig. ePrint ↩

‘Faster computation of isogenies of large prime degree’ by Daniel J. Bernstein and Luca De Feo and Antonin Leroux and Benjamin Smith. ePrint ↩

‘CSIDH on the surface’ by Wouter Castryck and Thomas Decru. ePrint ↩

‘On the Security of Supersingular Isogeny Cryptosystems’ by Steven D. Galbraith and Christophe Petit and Barak Shani and Yan Bo Ti. ePrint ↩