Asiacrypt 2018 was held at QUT in Brisbane, Australia on December 2-6, 2018. It was wonderfully organised by Josef Pieprzyk.

The three plenary invited speakers were:

- Mitsuru Matsui (Mitsubishi) “25 Years of linear cryptanalysis – Early History and Path Search Algorithm”
Professor Matsui was the 2018 IACR Distinguished Lecturer. The talk reviewed the history and development of linear cryptanalysis.

- Melissa Chase (Microsoft) “Picnic: Postquantum signatures from zero-knowledge proofs”
Melissa gave an overview of the Picnic signature scheme, which beautifully combines ideas from multiparty computation and zero-knowledge proofs, together with block ciphers and hash functions with low circuit complexity.

- Vanessa Teague (Melbourne) “Democracy, security and evidence: Let’s have all three”
Vanessa gave an overview of online voting schemes, including a detailed discussion of some real-world examples. The main focus of her talk was the problem of verifiable electronic voting.

The most relevant session for this blog was the session on **isogeny crypto** on the final morning. There were three talks:

- Jean Kieffer “Towards practical key exchange from ordinary isogeny graphs” (joint work with Luca De Feo and Benjamin Smith)
The talk presented an implementation of Couveignes’ hard homogeneous spaces concept with ordinary elliptic curves.

- Lorenz Panny “CSIDH: An efficient post-quantum commutative group action” (joint work with Wouter Castryck, Tanja Lange, Chloe Martindale and Joost Renes)
Building on work in the previous talk, the talk explained an implementation of Couveignes’ hard homogeneous spaces concept with supersingular elliptic curves. Using supersingular curves gives a massive performance improvement over the previous talk. Group actions like these have some advantages over SIDH, but are still slower.

- Craig Costello “Computing supersingular isogenies on Kummer surfaces”
The talk explained how to compute (chains of) 2-isogenies on an elliptic curve efficiently by converting them to (chains of) (2,2)-isogenies on the Kummer surface of the Weil restriction of the elliptic curve.

There were also a number of accepted papers that used pairing-based crypto. To mention two of them: “Compact Multi-Signatures for Smaller Blockchains” by Dan Boneh, Manu Drijvers and Gregory Neven; “Unbounded Inner Product Functional Encryption from Bilinear Maps” by Junichi Tomida and Katsuyuki Takashima.

The Rump Session was superbly and irreverently chaired by Craig Costello, Leo Ducas and Pierre Karpman. One of the interventions perpetrated on the unsuspecting speakers was the introduction of humorous comments on their slides. But the major highlight of the rump session was the launch of the game “Cards against Cryptography”. It is a version of the famous card game “Cards against Humanity”, and has been designed by three anonymous cryptographers (not the rump session chairs). You can find out more by following @CrdsAgnstCrypto on Twitter. A copy of this highly collectible and desirable game was awarded to each of the five best rump session talks. To buy extra time, speakers were invited to eat a spoonful of vegemite, or drink a beer. Another highlight of the rump session was the song “Gotta Break Em All” (about the NIST PQ Crypto competition) written by Leo Ducas and his partner Jessica, and performed by Peter Schwabe (on guitar), Chloe Martindale, Lejla Batina, Marcel Keller, Leo and Jessica.

Serious rump session talks included: Bart Preneel on how to steal a Tesla car; Suhri Kim on curve equations for isogenies; Daniel Bernstein on quantum circuits for class group actions (relevant for the analysis of Kuperberg’s algorithm as an attack on CSIDH); Chloe Martindale on choosing appropriate pairings for current security levels; Lorenz Panny on speeding up SeaSign isogeny signatures.

A small group of Asiacrypt attendees then flew to Adelaide for Kangacrypt. The workshop was mostly about cryptanalysis, especially fault attacks and side-channel attacks. But I did give (naturally enough) a talk about Kangaroos (i.e., the Pollard kangaroo method for discrete logs and why it doesn’t work for isogenies).

— Steven Galbraith