From Newsgroup: sci.crypt
## In this issue
1. [2025/977] A Novel Leakage Model in OpenSSLrCOs Miller-Rabin ...
2. [2025/1292] Key Attack on the ACDGV Matrix Encryption Scheme
3. [2025/1804] HERDS: : Multi-Key Fully Homomorphic Encryption ...
4. [2025/1826] Proofs of No Intrusion
5. [2025/1838] Fault to Forge: Fault Assisted Forging Attacks on ...
6. [2026/192] Verification Theatre: False Assurance in Formally ...
7. [2026/235] Optimized Implementations of Keccak, Kyber, and ...
8. [2026/271] Defining Quantum-Secure Message Authentication
9. [2026/364] SPRINT: New Isogeny Proofs of Knowledge and ...
10. [2026/405] Group Encryption with Oblivious Traceability
11. [2026/407] On the Binding Security of KEMs based on RSA and DH
12. [2026/425] Committing Security of BBB Secure MACs
13. [2026/426] Post-Quantum Security of Keyed Sum of Permutations ...
14. [2026/427] StarHuntersrCo Secure Hybrid Post-Quantum KEMs From ...
15. [2026/428] Defending Against Backdoor Attacks in ...
16. [2026/429] Efficient Private Range Queries on Public Data
17. [2026/430] An attack on the CFS scheme and on TII McEliece ...
18. [2026/431] Revisiting the Security of Sparkle
19. [2026/432] Finite Field Arithmetic for ML-KEM Using Zech's ...
20. [2026/433] Round-Optimal Threshold Blind Signatures without ...
21. [2026/434] Secure Cloud Storage: Modularization, Network ...
22. [2026/435] Information-Theoretic Strong Traceable Secret ...
23. [2026/436] Post-Quantum Anonymous Signatures from the Lattice ...
24. [2026/437] Efficient Single-Server Stateful PIR Using Format- ...
25. [2026/438] Updatable Private Set Intersection from Symmetric- ...
26. [2026/439] The OCH Authenticated Encryption Scheme
27. [2026/440] Performance Analysis of a Thread Pool-Based ...
28. [2026/441] Fuzzy Private Set Intersection for Real-World Datasets
29. [2026/442] Memory-Efficient Implementation of SMAUG-T and HAETAE
30. [2026/443] PRISM with a pinch of salt: Simple, Efficient and ...
31. [2026/444] Leakage-Diagrams, Importance Sampling, and ...
32. [2026/445] Implementation of a post-quantum hybrid group key ...
33. [2026/446] Survey of isogeny-based signature schemes resistant ...
34. [2026/447] Trace: Complete Client-Side Account Access Logging
35. [2026/448] Interactive Proofs for Batch Polynomial Evaluation
36. [2026/449] Short Signatures from DDH without Pairings or ...
37. [2026/450] A flexible and polynomial framework for integer ...
38. [2026/451] Oblivious Single Access Machines are Concretely ...
39. [2026/452] On the CCA security properties of a class of group- ...
40. [2026/453] A Quantum-Safe Private Group System for Signal from ...
41. [2026/454] The principal ideal problem for endomorphism rings ...
42. [2026/455] Asynchronous MPC with Abort
43. [2026/456] Libra: Pattern-Scheduling Co-Optimization for ...
44. [2026/457] Adaptively Secure, Universally Composable ...
45. [2026/458] The Art of Linearization: From a KZGrCOs Trick to a ...
46. [2026/459] Naor-Yung Transform for IND-CCA Probing Security ...
47. [2026/460] A Resource-Efficient Hardware Accelerator for ...
48. [2026/461] Compact HQC with new (un)balance
49. [2026/462] Semigroup Action Problems and Their Uses in Post- ...
50. [2026/463] Icefish: Practical zk-SNARKs for Verifiable Genomics
51. [2026/464] Model Extraction of Convolutional Neural Networks ...
52. [2026/465] Advanced cryptography from lattice isomorphismrConew ...
53. [2026/466] Hashing in Generic Groups: Completing the AGM-to- ...
54. [2026/467] A Note on the Equivalence Between Zero-knowledge ...
55. [2026/468] Tighter Proofs for PKE-to-KEM Transformations under ...
56. [2026/469] A Note on ``Linear-Communication ACSS with ...
57. [2026/470] Byzantine Consensus in the Partially Authenticated ...
58. [2026/471] Lookup Arguments over Rings and Applications to ...
59. [2026/472] Descent into Broken Trust: Uncovering ML-DSA ...
60. [2026/473] PIKE: Faster Isogeny-Based Public Key Encryption ...
61. [2026/474] Scalable Compliant Privacy on Starknet
62. [2026/475] Scaling Fully Secure MPC via Robust Recursive ...
63. [2026/476] Duty-Free Bits: Projectivizing Garbling Schemes
64. [2026/477] DAC-PRE: Practical Anonymous Data Access Scheme ...
65. [2026/478] A Hardware/Software Co-Optimization of HQC Using ...
66. [2026/479] Strong Efficiency Lower Bounds for Byzantine Agreement
67. [2026/480] CHOPIN: Optimal Pairing-Based Multilinear ...
68. [2026/481] Remise: Authorized Anonymous Communication Systems
69. [2026/482] Cryptanalysis of Two Alternating Moduli Weak PRFs
70. [2026/483] Debt-Aware Bonding Curves: Non-Decreasing Floor ...
71. [2026/484] Signal Lost (Integrity): The Signal App is More ...
## 2025/977
* Title: A Novel Leakage Model in OpenSSLrCOs Miller-Rabin Primality Test
* Authors: Xiaolin Duan, Fan Huang, Yaqi Wang, Honggang Hu
* [Permalink](
https://eprint.iacr.org/2025/977)
* [Download](
https://eprint.iacr.org/2025/977.pdf)
### Abstract
At CRYPTO 2009, Heninger and Shacham presented a branch-and-prune algorithm for reconstructing an RSA private key given a random fraction of its private components. This method has been widely adopted in side-channel attacks, and its complexity is closely related to the specific leakage pattern encountered. In this work, we propose a new leakage model that enables efficient key reconstruction by exploiting a vulnerability in the modular exponentiation invoked by OpenSSL's implementation of Miller-Rabin primality test. This vulnerability reveals the least significant $b$ bits of each window. Through our proposed model, these bits form new leakage patterns, which we term aligned and misaligned. In particular, the misaligned case includes previously undocumented scenarios where full key recovery is achievable without branching. Then we analyze the global and local behavior of key reconstruction under these patterns. Our evaluation demonstrates that they yield more efficient key reconstruction and maintain this advantage even in the presence of additional erasures. Moreover, in specific scenarios, successful reconstruction remains practical even if the bits obtained are less than 50\%. Finally, we conducted a series of experiments to confirm the practicality of our work, successfully recovering the lower 4 bits from each 6-bit window and demonstrating efficient key reconstruction under our model.
## 2025/1292
* Title: Key Attack on the ACDGV Matrix Encryption Scheme
* Authors: Anmoal Porwal, Antonia Wachter-Zeh, Pierre Loidreau
* [Permalink](
https://eprint.iacr.org/2025/1292)
* [Download](
https://eprint.iacr.org/2025/1292.pdf)
### Abstract
We present an exponential-time key recovery attack on the public-key encryption scheme using matrix codes proposed by Aragon et al. at Asiacrypt 2024. The secret key is a Gabidulin code expanded using an $\mathbb{F}_q$-basis of $\mathbb{F}_{q^m}$ to obtain a matrix code, which is then hidden by appending random rows and columns and by left- and right-multiplication with invertible matrices. Our attack does not rely on the Gabidulin structure and hence applies to most $\mathbb{F}_{q^m}$-linear codes hidden by their transform. Its complexity is better than the previously best-known distinguisher and significantly better than the naive key recovery algorithm. Our attack breaks some of their proposed parameters. For example, a parameter set targeting 192-bit security is reduced to about 161 bits, and a 256-bit set to about 223 bits.
## 2025/1804
* Title: HERDS: : Multi-Key Fully Homomorphic Encryption with Sublinear Bootstrapping
* Authors: Binwu Xiang, Seonhong Min, Intak Hwang, Zhiwei Wang, Haoqi He, Yuanju Wei, Kang Yang, Jiang Zhang, Yi Deng, Yu Yu
* [Permalink](
https://eprint.iacr.org/2025/1804)
* [Download](
https://eprint.iacr.org/2025/1804.pdf)
### Abstract
Multi-key fully homomorphic encryption (MK-FHE) enables secure computation over ciphertexts under different keys, but its practicality is hindered by inefficient bootstrapping.
In this work, we propose \ours, a new MK-FHE scheme with highly efficient bootstrapping.
Our bootstrapping framework improves upon the best-known complexity, reducing it from ${O}(dkn)$ to ${O}(kn)$, and further to ${O}(\sqrt{kn})$ under parallelization, where $d$ is the gadget length (typically scaling with the number of parties $k$) and $n$ is the LWE dimension.
The framework consists of two main components: (i) a ciphertext conversion algorithm that transforms a multi-key LWE ciphertext into $k$ vectorized RLWE ciphertexts via $k$ optimized blind rotations and $dk$ key-switching operations, and (ii) a hybrid accumulator that aggregates these into a single multi-key RLWE ciphertext.
We implemented HERDS on both CPU and GPU platforms to demonstrate its practicality. For $k=16$, we achieve $3.3\times$ and $7.2\times$ improvements on CPU, compared to the state-of-the-art schemes by Kwak et al. (PKC 2024) and by Xiang et al. (ASIACRYPT 2024), respectively. We further achieve a $195\times$ GPU acceleration, compared to our CPU runtime.
As a byproduct, we design a new distributed-decryption protocol, which allows us to obtain a ciphertext with a small noise bound, and thus does not blow up the parameters.
## 2025/1826
* Title: Proofs of No Intrusion
* Authors: Vipul Goyal, Justin Raizes
* [Permalink](
https://eprint.iacr.org/2025/1826)
* [Download](
https://eprint.iacr.org/2025/1826.pdf)
### Abstract
A central challenge in data security is not just preventing theft, but detecting whether it has occurred. Classically, this is impossible because a perfect copy leaves no evidence. Quantum mechanics, on the other hand, forbids general duplication, opening up new possibilities.
We introduce Proofs of No Intrusion, which enable a classical client to remotely test whether a quantum server has been hacked and the client's data stolen. Crucially, the test does not destroy the data being tested, avoiding the need to store a backup elsewhere. We define and construct proofs of no intrusion for ciphertexts assuming fully homomorphic encryption. Additionally, we show how to equip several constructions of unclonable primitives with proofs of non-intrusion, such as unclonable decryption keys and signature tokens. Conceptually, proofs of non-intrusion can be defined for essentially any unclonable primitive.
At the heart of our techniques is a new method for non-destructively testing coset states with classical communication. It can be viewed as a non-destructive proof of knowledge of a measurement result of the coset state.
## 2025/1838
* Title: Fault to Forge: Fault Assisted Forging Attacks on LESS Signature Scheme
* Authors: Puja Mondal, Suparna Kundu, Hikaru Nishiyama, Supriya Adhikary, Daisuke Fujimoto, Yuichi Hayashi, Angshuman Karmakar
* [Permalink](
https://eprint.iacr.org/2025/1838)
* [Download](
https://eprint.iacr.org/2025/1838.pdf)
### Abstract
LESS is a digital signature scheme that is currently in the second round of the National Institute of Standards and TechnologyrCOs (NISTrCOs) ongoing call for standardization of additional post-quantum signature schemes. Recently, the ZKfault attack by Mondal et al. (Asiacrypt 2024) showed several attack surfaces on the first version of LESS (LESS-v1) that can be exploited using different fault attacks. However, the designers of LESS have updated the scheme in the second round to improve efficiency and signature size. The fault attacks in ZKfault are not directly applicable to this new version of LESS (LESS-v2). The physical security of LESS-v2 is still unexplored.
In this work, we analyze the new structure of the LESS-v2 signature scheme and propose a method for universal forgery. One crucial observation is that, for LESS-v2, an adversary does not require the full signing key, but some other secret-related information, namely, a permutation of secret monomial matrices. We assume an adversary can use execution interruption techniques, such as fault attacks, to recover this extra information. We have analyzed multiple such attack surfaces in the design of LESS-v2, and using fault injection, we can recover secret-related information. We showed the average number of required faults for two particular fault models to recover the secret equivalent component and observed that, for most parameters, we need only 1 faulted signature, and at most 1088. Our attacks rely on simple and standard fault models. We demonstrated these using both simulation and a simple experimental setup.
## 2026/192
* Title: Verification Theatre: False Assurance in Formally Verified Cryptographic Libraries
* Authors: Nadim Kobeissi
* [Permalink](
https://eprint.iacr.org/2026/192)
* [Download](
https://eprint.iacr.org/2026/192.pdf)
### Abstract
Every formally verified system embeds a verification boundary: the interface between code with machine-checked proofs and code that is trusted without them.
We study what happens when this boundary is not communicated clearly.
Through a case study of Cryspen's libcrux and hpke-rs cryptographic libraries, we present thirteen vulnerabilities that escaped formal verification.
Nine reside in unverified code, including a cross-backend endianness bug that caused real decryption failures in Signal's post-quantum ratchet, a missing mandatory X25519 validation, nonce reuse via integer overflow, and two FIPS~204 specification violations in the ML-DSA verifier.
Four reside in formally verified specification and proof code: in ML-KEM, a wrong decompression constant, a missing inverse NTT, and a false serialization proof; in ML-DSA, a wrong multiplication specification that renders axiomatized AVX2 proofs unsound.
From these findings, we develop a taxonomy of five verification boundary failure types, a lightweight auditing methodology for detecting them, and a comparative analysis with AWS's verified libcrypto.
The same failure types arise in both projects, but their management---through systematic documentation, proof execution in CI, and clear scope communication---varies significantly.
We call the gap between verification claims and verification reality "verification theatre", and propose concrete practices for closing it.
## 2026/235
* Title: Optimized Implementations of Keccak, Kyber, and Dilithium on the MSP430 Microcontroller
* Authors: DongHyun Shin, YoungBeom Kim, Ayesha Khalid, M|iire O'Neill, Seog Chung Seo
* [Permalink](
https://eprint.iacr.org/2026/235)
* [Download](
https://eprint.iacr.org/2026/235.pdf)
### Abstract
Post-Quantum cryptography (PQC) typically requires more memory and computational power than conventional public-key cryptography. Until now, most active research in PQC optimization for embedded devices has focused on 32-bit and 64-bit ARM architectures, specifically Cortex-M0/M3/M4 and ARMv8. To enable a smooth migration of PQC algorithms in Internet of Things environments, optimization research is also required for devices with lower computational capabilities. To address this gap, we present the optimized implementation methodologies of CRYSTALSrCoKyber and CRYSTALSrCoDilithium, the National Institute of Standards and Technology (NIST) standardized key-encapsulation mechanism (KEM) and digital signature algorithm (DSA), on a widely used 16-bit MSP430 microcontroller. We review the current state-of-the-art implementation methodologies for Keccak, Kyber, and Dilithium, and carefully redesign them to suit the MSP430 architecture. For Number-Theoretic Transform (NTT)-based polynomial multiplication, we redesign optimal modular arithmetic, layer merging, and point-wise multiplication by taking full advantage of the characteristics of the MSP430. As a result, compared with the reference implementations in C, the optimized 16-bit NTT achieves performance improvements of 134%, 249%, and 210% for NTT, inverse NTT, and point-wise multiplication, respectively, while the optimized 32-bit NTT achieves performance improvements of 91%, 96%, and 56% for NTT, inverse NTT, and point-wise multiplication, respectively. Furthermore, for Keccak, we propose twisting and zig-zag techniques tailored to the MSP430, aimed at optimizing memory accesses. As a result, compared with the reference implementation in C, the optimized Keccak achieves a performance improvement of 57%. Moreover, compared with the reference implementations in C, our Kyber and Dilithium implementations achieve performance improvements of 46.1%rCo51.3%, 45.6%rCo60.0%, and 46.2%rCo62.3% for key generation (KeyGen), encapsulation (Encaps), and decapsulation (Decaps), respectively, and 44.5%rCo48.3%, 57.5%rCo65.0%, and 46.1%rCo50.0% improvements for key generation (KeyGen), signing (Sign), and verifying (Verify), respectively.
## 2026/271
* Title: Defining Quantum-Secure Message Authentication
* Authors: Ashwin Jha, Mustafa Khairallah, Jannis Leuther, Stefan Lucks
* [Permalink](
https://eprint.iacr.org/2026/271)
* [Download](
https://eprint.iacr.org/2026/271.pdf)
### Abstract
The classical EUF-CMA notion for the security of message authentication codes (MACs) is based on "freshness": messages chosen by the adversary are authenticated, and then the adversary has to authenticate a fresh message on its own. In a quantum setting, where classical messages are authenticated but adversaries can make queries in superposition, "freshness" is undefinable. Instead of requiring the adversary to be unable to forge a fresh message, one can require "stability" (the adversary cannot authenticate more messages than queried before), or "exclusiveness" (the adversary cannot authenticate a message from a subset of messages it did not query before). The "plus-one" security definition, proposed by Boneh and Zhandry at Eurocrypt 2013, maintains stability, but fails at exclusiveness. The "blind unforgeability" notion from Alagic et al. (Eurocrypt 2020) maintains exclusiveness, but it is unknown if it maintains stability.
This paper proposes a new security definition: "splitting unforgeability" (SU). A MAC is SU-secure, if it maintains both stability and exclusiveness. Against classical adversaries, SU is equivalent to EUF-CMA. Against quantum adversaries, SU implies both plus-one security and blind unforgeability. With respect to $q$-query adversaries, $(2q-1)$-wise independent functions do not suffice for SU, but $(3q+1)$-wise independent functions do, as does a qPRF. Boneh and Zhandry's "Quantum Carter-Wegman MAC" (BZq-MAC), which combines a qPRF and an $\epsilon$-AXU hash function, is SU-secure up to the quantum birthday bound.
We additionally analyse the security of different instantiations of the Hash-then-MAC composition of a SU-secure MAC $F$ and a hash function $H$ which is either collapsing or Bernoulli-preserving.
## 2026/364
* Title: SPRINT: New Isogeny Proofs of Knowledge and Isogeny-Based Signatures
* Authors: Thomas den Hollander, Shai Levin, Marzio Mula, Robi Pedersen, Daniel Slamanig, Sebastian A. Spindler
* [Permalink](
https://eprint.iacr.org/2026/364)
* [Download](
https://eprint.iacr.org/2026/364.pdf)
### Abstract
Zero-knowledge proofs of knowledge are a fundamental building block in many isogeny-based cryptographic protocols, such as signature schemes based on identification-to-signature transformations, or multi-party ceremonies that avoid a trusted setup, in particular for generating supersingular elliptic curves with unknown endomorphism rings.
In this paper, we construct SPRINT, an efficient polynomial IOP-based proof system that encodes the radical $2$-isogeny formulas into a system of multivariate polynomials. When combined with the recent polynomial commitment scheme (PCS) DeepFold, our construction yields substantial improvements over state-of-the-art isogeny proofs of knowledge. For the SQIsign prime $p=5 \cdot 2^{248}-1$ (giving NIST security level I), our implementation takes only a few milliseconds for proving and verification, with proof sizes around 80 kB. Compared to previous works, we achieve a $1.1$-$8\times$ speedup for the prover, a $4.4$-$24\times$ speedup for verification, and proof sizes that are $1.2$-$2.3\times$ smaller across different parameter sets.
Moreover, we study the weak simulation extractability of our proof system, which we can use as a starting point for a modular construction of signatures. We show that any FiatrCoShamir compiled interactive proof with a so-called canonical simulator is weakly simulation-extractable. We expect this general result to be widely applicable to other post-quantum proof systems and thus of independent interest.
Building on SPRINT and our wSE result, we introduce a new family of signature schemes whose security solely relies on the $\ell$-isogeny path problem, a foundational problem in isogeny-based cryptography. As a concrete instantiation, we construct a signature scheme using DeepFold as the PCS. Across the different NIST security levels, a prototype implementation of our scheme achieves performance on par with the highly optimized NIST specification for SQIsign. Even though our signatures are relatively large, our scheme relies on weaker assumptions and our framework offers flexibility for tradeoffs and optimizations rCo both within a given PCS and by switching to alternative PCS constructions. In particular, it will naturally inherit efficiency gains from future advances in plausibly post-quantum secure PCS constructions.
## 2026/405
* Title: Group Encryption with Oblivious Traceability
* Authors: Khoa Nguyen, Yanhong Xu, Nam Tran, Willy Susilo, Huaxiong Wang
* [Permalink](
https://eprint.iacr.org/2026/405)
* [Download](
https://eprint.iacr.org/2026/405.pdf)
### Abstract
We revisit Group Encryption (GE)rCoan encryption analogue of group signatures introduced by Kiayias et al. (Asiacrypt 2007). A GE system simultaneously provides anonymity and traceability for receivers who are certified group members, enabling a range of privacy-preserving applications. While prior work has extensively addressed \emph{how} to trace receivers in GE, the question of \emph{why} a ciphertext should be traceable remains unexplored. Unlike group signatures, where opening can be justified by the signed content, tracing in GE poses a dilemma because the underlying plaintext is confidential.
To address this gap, we introduce Group Encryption with Oblivious Traceability (GEOT), an enhanced form of GE in which the traceability of a ciphertext $\psi$ intended for receiver $\mathsf{id}$ and containing message $\mathbf{w}$ is governed by a public tracing policy $P(\mathsf{id},\mathbf{w}) \in {0,1}$. Here, $P(\mathsf{id},\mathbf{w})=0$ denotes traceability, whereas $P(\mathsf{id},\mathbf{w})=1$ ensures non-traceability. The traceability status is known to the sender but remains hidden from all parties except the opening authority, which learns nothing about $\mathsf{id}$ in the non-traceable case. GEOT further supports message filtering and dynamic membership, following Nguyen et al. (PKC 2021). Filtering enforces that valid ciphertexts satisfy a public policy $F(\mathbf{w})=1$, while dynamicity enables users to join and leave the system over time.
We formalize GEOT with concise syntax and rigorous security notions, and present a modular construction based on standard cryptographic primitives: signatures, public-key encryption, and non-interactive zero-knowledge proofs. We also give a concrete instantiation from code-based assumptions supporting arbitrary tracing and filtering policies represented by polynomial-size Boolean circuits. In addition to expressive filtering and tracing functionalities, our scheme achieves significant efficiency improvements over existing post-quantum GE constructions.
## 2026/407
* Title: On the Binding Security of KEMs based on RSA and DH
* Authors: Juliane Kr|nmer, Maximiliane Weish|nupl, Stefan Winderl
* [Permalink](
https://eprint.iacr.org/2026/407)
* [Download](
https://eprint.iacr.org/2026/407.pdf)
### Abstract
Motivated by new attack vectors against KEMs, a framework for binding security has recently been introduced and has since been widely used for analyzing post-quantum schemes. However, KEMs based on classical schemes have not been analyzed yet. NIST recently published SP 800-227, where they illustrate how KEMs can be built from classical cryptographic schemes such as Diffie-Hellman (DH) or RSA. Following their descriptions, we analyze the binding security of the resulting KEMs based on (elliptic-curve) Diffie-Hellman, X25519, RSA, and RSA-OAEP. Due to structural similarities to the other DH schemes and since it has not been analyzed so far, we also include the post-quantum scheme CSIDH. Our analysis yields mixed results for the KEMs under consideration, with both binding attacks as well as proofs. Where possible, we propose minor modifications to the schemes, which improve their binding security. Further, we conclude from our results whether hybrid schemes, i.e., KEMs obtained by combining a classical and a post-quantum scheme, need to add the classical ciphertext in the key-derivation function to achieve IND-CCA security.
## 2026/425
* Title: Committing Security of BBB Secure MACs
* Authors: Sougata Mandal, Hrithik Nandi, Amlan Sinha
* [Permalink](
https://eprint.iacr.org/2026/425)
* [Download](
https://eprint.iacr.org/2026/425.pdf)
### Abstract
Committing security has recently emerged as an essential property for message authentication codes (MACs), driven by applications such as abuse reporting in end-to-end encrypted messaging systems. Traditional notions, such as unforgeability or pseudorandomness, are insufficient in these contexts, prompting the introduction of stronger security notions. Bhaumik et al. (CRYPTO'24) initiated this line of research by formalizing the notions of commitment and context-discovery for MACs and analyzing several standardized birthday-bound secure constructions. We extend this line of work to beyond-birthday-bound (BBB) secure MACs. In particular, we examine the class of constructions identified by Chen et al. (ASIACRYPT'21), which employ two block ciphers and a single block hash function, together with well-studied BBB MACs from the DbHtS paradigm. Our findings depict a heterogeneous picture: while several constructions succumb to simple attacks, others exhibit some resilience, highlighting that committing and context-discovery security for BBB MACs depends strongly on structural design choices.
## 2026/426
* Title: Post-Quantum Security of Keyed Sum of Permutations and Its Siblings
* Authors: Nilanjan Datta, Avijit Dutta, Sougata Mandal, Hrithik Nandi, Amlan Sinha
* [Permalink](
https://eprint.iacr.org/2026/426)
* [Download](
https://eprint.iacr.org/2026/426.pdf)
### Abstract
The rapid advancement of quantum computing poses significant challenges to the security of existing cryptographic constructions. Several constructions that are provably secure in the classical setting, e.g., the $3$-round LubyrCoRackoff, EvenrCoMansour, Keyed Sum of Permutations, become vulnerable when the adversary is granted quantum oracle access (the Q2 model). In contrast, when the adversary is restricted to classical oracle queries while retaining the ability to perform quantum computations locally (the Q1 model), such attacks no longer apply. In this paper, we investigate the Q1 security of the Keyed Sum of Permutations construction and two closely related variants - one employing identical permutations and another using a single key. We prove that all three constructions achieve $n/3$-bit security in the Q1 model. In addition, for the same-key variant, we exhibit a key-recovery attack with matching complexity, thereby establishing the tightness of our security bound. For the remaining two constructions, we derive key-recovery attacks with complexity $2^{2n/3}$.
## 2026/427
* Title: StarHuntersrCo Secure Hybrid Post-Quantum KEMs From IND-CCA2 PKEs
* Authors: Deirdre Connolly, Mike Ounsworth, Sophie Schmieg, Douglas Stebila
* [Permalink](
https://eprint.iacr.org/2026/427)
* [Download](
https://eprint.iacr.org/2026/427.pdf)
### Abstract
This paper formally specifies and analyzes the CK hybrid key encapsulation mechanism (KEM) construction from the IRTF CFRGrCOs recent draft on hybrid (post-quantum/traditional) KEMs CK combines two KEMs using a PRF to produce a hybrid KEM. Unlike the QSF framework of Barbosa et al., which combines an IND-CCA KEM with a nominal group (Diffie-Hellman-style), CK combines a C2PRI-secure post-quantum-secure KEM with an IND-CCA traditionlly-secure KEM constructed from an IND-CCA2 public key encryption (PKE) scheme, such as RSA-OAEP. We additionally show how to securely promote an IND-CCA2 PKE into an IND-CCA KEM. We perform two complementary security analyses of CK in the standard model: the first shows CK is IND-CCA assuming the traditional KEM is IND-CCA, the post-quantum KEM is C2PRI, and the KDF is a secure PRF; the second shows CK is IND-CCA assuming the post-quantum KEM is IND-CCA and the KDF is a secure PRF, even if the traditional KEM is completely broken. Neither proof requires the random oracle model.
## 2026/428
* Title: Defending Against Backdoor Attacks in Homomorphically Encrypted Federated Learning
* Authors: Ikhlas Mastour, Imane Haidar, Layth Sliman, Raoudha Ben Djemaa
* [Permalink](
https://eprint.iacr.org/2026/428)
* [Download](
https://eprint.iacr.org/2026/428.pdf)
### Abstract
The distributed nature of federated learning systems makes them vulnerable to backdoor attacks in which malicious clients manipulate local training data using trigger-dependent behaviors to cause targeted misclassification. Although homomorphic encryption preserves the privacy of model updates during aggregation, it limits the application of conventional defenses that require access to plaintext updates. Moreover, distinguishing poisoned models from benign variations becomes more challenging under non-independent and identically distributed (non-IID) data distributions.To address this challenge, we introduce a defense strategy that operates at inference time by identifying abnormal internal activation patterns within the aggregated global model, rather than filtering encrypted individual updates during training. The proposed approach analyzes neurons that exhibit low activation on clean inputs, referred to as "dormant" neurons, but become disproportionately active in the presence of trigger patterns. By constructing a statistical activation baseline using a small clean dataset, we derive class-specific thresholds that serve as decision boundaries to detect and reject suspicious predictions. Since the proposed method relies on global model behavior at inference time instead of inspecting individual client updates, it does not introduce additional training overhead and remains robust under non-IID data settings. Our approach maintains a strong balance between privacy, security, and accuracy by defending against backdoor attacks without requiring access to client updates. Experimental results demonstrate that even with a 99% attack success rate and 90% main-task accuracy, the proposed defense method successfully detects 100% poisoned images.
## 2026/429
* Title: Efficient Private Range Queries on Public Data
* Authors: Pranav Shriram Arunachalaramanan, Ananya Appan, David Heath, Ling Ren
* [Permalink](
https://eprint.iacr.org/2026/429)
* [Download](
https://eprint.iacr.org/2026/429.pdf)
### Abstract
Range queries can filter, aggregate, and retrieve database entries that lie in a specified multi-dimensional rectangle.
Private range queries allow a client to query a server's public database while keeping the client's multi-dimensional rectangle hidden.
We construct RangeR, a constant-round private range query scheme that supports any associative aggregation function (e.g., SUM, MAX, TOP-K) and works with any number of servers. In the single-server setting, RangeR is orders of magnitude faster and uses 50%-90% less communication than HADES (VLDB 2025), a prior single-server private range query scheme that only supports linear aggregation functions.
We describe how RangeR can be used to implement a privacy-preserving map application that can return the highest-rated restaurants near a user. Using data from $\mathtt{OpenStreetMaps}$, we estimate that a user can find the highest-rated restaurants within one kilometer of their location within $2$ seconds, while revealing only that the user is somewhere in the USA.
## 2026/430
* Title: An attack on the CFS scheme and on TII McEliece challenges
* Authors: Magali Bardet, Axel Lemoine, Jean-Pierre Tillich
* [Permalink](
https://eprint.iacr.org/2026/430)
* [Download](
https://eprint.iacr.org/2026/430.pdf)
### Abstract
It has been a very long standing open question whether the CFS signature scheme whose security is basically that of a McEliece scheme based on very high rate binary Goppa codes could be attacked or not. There was a first cryptanalytic result by Faug|?re et al in 2011 consisting in finding a distinguisher for the binary Goppa codes used in this scheme showing that these codes can be distinguished in polynomial time from a random binary linear code. However despite numerous cryptanalytic attempts and even if the original distinguisher has been significantly improved, no attack on the McEliece scheme based on binary Goppa codes has been found so far except for very peculiar Goppa codes of degree $2$. We show here that the Pfaffian modeling used in the distinguishing attack of Couvreur, Mora and Tillich of Asiacrypt 2023 can actually be used together with a shortening trick and looking for squares in the corresponding ideal to find a polynomial attack on the CFS scheme based on very high rate binary Goppa codes.This breaks this 25 years old signature scheme. We demonstrate the effectiveness of this approach by recovering the key of TII McEliece challenges with a claimed key security of up to 210 bits.
## 2026/431
* Title: Revisiting the Security of Sparkle
* Authors: Ojaswi Acharya, Georg Fuchsbauer, Adam O'Neill, Marek Sefranek
* [Permalink](
https://eprint.iacr.org/2026/431)
* [Download](
https://eprint.iacr.org/2026/431.pdf)
### Abstract
We revisit the three-round threshold Schnorr signature scheme Sparkle of Crites, Komlo, and Maller (CRYPTO 2023), as well as its variant Sparkle+. While Sparkle+ was accompanied by a claim of full adaptive security, subsequent work identified a gap in the analysis. Moreover, the originalrCoand simpler and more efficientrCoSparkle scheme has so far lacked even a proof of static security.
We resolve this state of affairs by giving the first proof of static security for Sparkle and then, as our main result, a tight proof of full adaptive security in the pure random oracle model, i.e. without relying on the algebraic group model. The core obstacle is that, in the fully adaptive setting for Sparkle, rewinding arguments fundamentally break down. To address this, our proof is based on a new Vandermonde circular discrete-logarithm (VCDL) assumption, an interactive strengthening of the circular discrete-logarithm assumption of Cho et al. (CRYPTO 2025), originally introduced to prove tight security of basic Schnorr signatures. In particular, circular-style assumptions eliminate the need for rewinding. Beyond tightness, our analysis highlights circular-style assumptions as a general approach to achieving security in settingsrCosuch as full adaptive securityrCowhere rewinding is inherently problematic.
We justify VCDL by reducing it to the low-dimensional vector representation (LDVR) problem of Crites et al. (CRYPTO 2025) in the elliptic-curve generic group model; conversely, VCDL implies LDVR in the standard model. Finally, we generalize VCDL (and similarly LDVR) by abstracting away the specific choice of Vandermonde vectors. As an application, we identify a different assumption within this framework that yields a tight proof of adaptive multi-user security for the basic Schnorr signature scheme, a result of independent interest.
## 2026/432
* Title: Finite Field Arithmetic for ML-KEM Using Zech's Logarithm
* Authors: Masaaki Shirase
* [Permalink](
https://eprint.iacr.org/2026/432)
* [Download](
https://eprint.iacr.org/2026/432.pdf)
### Abstract
The processing of ML-KEM (formerly CRYSTALS-Kyber), a key encapsulation mechanism with post-quantum security, is performed by multiplication, addition, and subtraction of polynomials whose coefficients lie in the finite field ${\mathbb F}_{3329}$. To reduce the number of such operations, it is common to use the Number Theoretic Transform (NTT). This paper focuses on arithmetic over ${\mathbb F}_{3329}$ and proposes the use of a logarithmic representation with respect to a primitive element $\alpha$ of ${\mathbb F}_{3329}^*$ for implementing multiplication, addition, and subtraction over ${\mathbb F}_{3329}$. In this representation, multiplication in ${\mathbb F}_{3329}^*$ can be reduced to addition in $\mathbb{Z}_{3328}$. Furthermore, addition and subtraction in ${\mathbb F}_{3329}^*$ can be computed in the logarithmic domain by using Zech's logarithm. However, special treatment is required when $0 \in {\mathbb F}_{3329}$ is involved in the operations. This paper proposes a new implementation method of the logarithmic representation for arithmetic over ${\mathbb F}_{3329}$, including the handling of such exceptional cases.
## 2026/433
* Title: Round-Optimal Threshold Blind Signatures without Random Oracles
* Authors: Georg Fuchsbauer, Fabian Regen, Hoeteck Wee
* [Permalink](
https://eprint.iacr.org/2026/433)
* [Download](
https://eprint.iacr.org/2026/433.pdf)
### Abstract
This paper presents the first round-optimal threshold blind signature without random oracles. Our construction achieves security in the algebraic group model (AGM) for asymmetric pairing groups, and tolerates adaptive corruption of up to $t-1$ signers, where $t$ is the threshold. We improve upon the recent threshold blind signatures of Lehmann, Nazarian and |uzbay (EUROCRYPT 2025) and Jarecki and Nazarian (ASIACRYPT 2025) in two ways: we eliminate both the reliance on random oracles and the need for $q$-type assumptions in the AGM. As a core building block, we introduce a new pairing-based round-optimal blind signature without random oracles, based on the $2$-DL assumption in the AGM. Both blind signature schemes achieve communication and computation costs only twice that of the celebrated blind BLS signature.
## 2026/434
* Title: Secure Cloud Storage: Modularization, Network Adversaries and Adaptive Corruptions
* Authors: Jonas Janneck, Doreen Riepel
* [Permalink](
https://eprint.iacr.org/2026/434)
* [Download](
https://eprint.iacr.org/2026/434.pdf)
### Abstract
End-to-end cloud storage solutions are deployed at large scale, yet recent works have demonstrated severe attacks against their confidentiality and integrity. Motivated by this, a first formal treatment of secure cloud storage was given at CRYPTO 2024 by Backendal, Davis, G|+nther, Haller and Paterson (BDGHP). They define syntax and security notions, capturing client-to-client security of cloud storage schemes with respect to a password distribution. They also give an eN4acient construction using the Two-Hash DiN4ae-Hellman (2HDH) OPRF and standard cryptographic building blocks, which they prove secure under selective corruptions in the random oracle model. However, several aspects of practical security guarantees remain open.
We extend and refine the work of BDGHP along multiple dimensions, advancing the analysis of secure cloud storage schemes. First, we prove that their construction can be proven secure against adaptive corruptions (with a slight modification), circumventing technical challenges posed by file sharing. Second, we modularize the scheme further by introducing an abstraction for the authentication procedure. This allows us to identify the concrete role of 2HDH and alternative instantiations. Third, we introduce a weaker model that captures adversaries who can arbitrarily control the network, except during registration. This allows us to prove concrete guarantees about online password guessing attacks, whereas the stronger model inherently allows for oN4aine guessing. Finally, we formalize and prove explicit authentication, relying on the security of our new authentication abstraction and the MAC scheme, where the latter was previously not used in the security analysis.
## 2026/435
* Title: Information-Theoretic Strong Traceable Secret Sharing Schemes
* Authors: Oriol Farr|as, Miquel Guiot
* [Permalink](
https://eprint.iacr.org/2026/435)
* [Download](
https://eprint.iacr.org/2026/435.pdf)
### Abstract
Traceable secret sharing complements traditional schemes by enabling the identification of parties who sell their shares. Recently, two independent works extended traceable secret sharing to general access structures.
Goyal, Jain, and Partap [EC'26] introduced a model in which a reconstruction box is augmented with a label $I \subseteq [n]$ and is only required to distinguish between two secrets when queried with the shares of parties in $I$. Based on how this label relates to the corrupted set $J$ that built the box, they defined two notions of traceability. If $I \cap J = \emptyset$, the model is called $\emptyset$-strong traceability, for which they presented a construction based on indistinguishability obfuscation (iO). Otherwise, their model is calledstrong traceability, for which they proved an impossibility result.
Farr|as and Guiot [EC'26] proposed a different model, which we call hiding traceability, where the reconstruction box has no label and the access structure is hidden from the parties.
In this work, we improve traceable secret sharing for general access structures in three directions. First, we present a fully information-theoretic scheme for the $\emptyset$-strong traceability model, eliminating the need for strong cryptographic assumptions. This resolves an open question posed by Goyal, Jain, and Partap, who asked what are the minimal assumptions needed in the $\emptyset$-strong traceability model.
Second, motivated by the impossibility of strong traceability, we introduce a relaxed notion calledhidden mildly strong traceability. This model is relevant in practice and bridges the strong and hidden models. For this setting, we present an information-theoretic scheme for general access structures.
Finally, we consider the more general model of stateful traceability, where reconstruction boxes may keep state across queries, and we prove an impossibility result for this setting.
## 2026/436
* Title: Post-Quantum Anonymous Signatures from the Lattice Isomorphism Group Action
* Authors: Chris van Noorden, Paola de Perthuis
* [Permalink](
https://eprint.iacr.org/2026/436)
* [Download](
https://eprint.iacr.org/2026/436.pdf)
### Abstract
Post-quantum assumptions may not rely on the difficulty of finding secret subgroups as many classical schemes did. Instead, several assumptions make use of more general group actions, with the belief that quantum algorithms are not helpful in this less structured setting. Famously, some isogeny constructions use the action of an ideal class group on elliptic curves, but equivalence problems in error-correcting codes and lattices also exhibit such structures.
Previous works hence presented anonymity-preserving constructions in a generic group action framework; however, they were not general enough to encompass the group action underlying the Lattice Isomorphism Problem (LIP), for which the acting group is infinite (in fact, not even compact) and non-commutative.
We bridge this gap by, from zero-knowledge proofs of OR statements, building generic blind signature and strong designated-verifier signature with non-delegability constructions from standard assumptions corresponding to a generalised group action inverse problem.
## 2026/437
* Title: Efficient Single-Server Stateful PIR Using Format-Preserving Encryption
* Authors: Pranav Shriram Arunachalaramanan, Ling Ren
* [Permalink](
https://eprint.iacr.org/2026/437)
* [Download](
https://eprint.iacr.org/2026/437.pdf)
### Abstract
Recently, Stateful Private Information Retrieval (PIR) has emerged as a promising new paradigm of PIR. Despite significant recent progress, state-of-the-art single-server schemes in this paradigm still suffer from practical inefficiencies in communication, computation, and/or client storage. In this work, we construct a new single-server stateful PIR scheme called HarmonyPIR that achieves efficient communication, computation, and client storage. From a technical standpoint, we build on the recent work of Wang and Ren (EUROCRYPT 25) and propose a new hint organization that uses only a single random permutation. The random permutation can be instantiated using either AES or the recently standardized FF1 Format-Preserving Encryption, yielding two variants of HarmonyPIR. Our new scheme achieves up to two orders of magnitude better amortized computation and up to five times better amortized communication than state-of-the-art schemes.
## 2026/438
* Title: Updatable Private Set Intersection from Symmetric-Key Techniques
* Authors: Junxin Liu, Peihan Miao, Mike Rosulek, Xinyi Shi, Jifeng Wang
* [Permalink](
https://eprint.iacr.org/2026/438)
* [Download](
https://eprint.iacr.org/2026/438.pdf)
### Abstract
Private set intersection (PSI) has become extremely practical, in large part due to the fact that modern protocols rely almost exclusively on cheap, symmetric-key cryptography. The same cannot be said for the variant of PSI called updatable PSI (UPSI; Badrinarayanan et al., PoPETS 2022), where partiesrCO input sets evolve over time, and the cost of re-computing the intersection depends only on the changes to their sets. In existing UPSI protocols, the number of public-key operations scales with the number of items.
In this work, we introduce the first UPSI protocol that largely avoids public-key operations. In fact, our protocol uses mostly the same protocol tools/techniques that have been so successful in making (plain) PSI truly practical. By leveraging symmetric-key primitives, our implementation achieves orders-of-magnitude improvements over prior work.
Additionally, we observe that existing UPSI security proofs do not consider an adversary who can choose protocol inputs adaptively (i.e., choose which items to add to the set the current epoch based on the adversaryrCOs view in previous epochs). We observe that several existing UPSI protocols are trivially broken by such adaptive input selection (even with semi-honest corruption). Several variants of our protocol are secure in the presence of adaptively chosen inputs.
Along the way, we also introduce a new and cleaner abstraction for a common idiom of using an oblivious key-value store (OKVS; Garimella et al., Crypto 2021) to represent a set of items. Our new abstraction, called affine set encoding, may be of independent interest.
## 2026/439
* Title: The OCH Authenticated Encryption Scheme
* Authors: Sanketh Menda, Mihir Bellare, Viet Tung Hoang, Julia Len, Thomas Ristenpart
* [Permalink](
https://eprint.iacr.org/2026/439)
* [Download](
https://eprint.iacr.org/2026/439.pdf)
### Abstract
We specify OCH, the first authenticated encryption with associated data scheme built to provide 128-bit multi-user AE security, 128-bit context commitment security, and 256-bit nonces with optional nonce privacy. It therefore addresses pressing limitations of currently widely-deployed schemes. We construct and formally analyze the security of OCH in a modular fashion, with transforms that are of broader applicability. On Intel Raptor Lake CPUs, OCH using the Areion permutation family has a peak encryption speed of 0.62 cycles per byte (cpb), not far off from AES128-GCM (0.38cpb) and outperforming both ChaCha20/Poly1305 (1.63cpb) and TurboSHAKE128-Wrap (3.52cpb).
## 2026/440
* Title: Performance Analysis of a Thread Pool-Based Parallel Execution Model for Hybrid Post-Quantum TLS 1.3 Handshakes
* Authors: Si-Woo Eum, Min-Ho Song, Hwa-Jeong Seo
* [Permalink](
https://eprint.iacr.org/2026/440)
* [Download](
https://eprint.iacr.org/2026/440.pdf)
### Abstract
The transition to post-quantum cryptography (PQC) significantly increases the computational cost of TLS~1.3 handshakes.
In particular, hybrid handshakes incur even greater overhead, as they require performing both classical and PQC algorithms for key exchange and authentication.
This paper systematically analyzes the performance of hybrid PQC TLS~1.3 handshakes using a POSIX thread pool-based parallel execution model.
We evaluate a total of 135 combinations comprising 3 classical KEMs, 3 ML-KEM variants, 3 classical DSAs, and 5 PQC DSAs.
Sequential execution times range from 429.2 to 1,907.0~$\mu$s, while parallel execution times range from 356.7 to 1,380.8~$\mu$s, achieving speedups of 1.08$\times$ to 1.40$\times$ across all combinations.
The highest speedup is observed in P-384-based configurations, where the overlap between classical and PQC operations is most pronounced.
Furthermore, we recommend both throughput-oriented combinations based on FN-DSA and currently standardized ML-DSA combinations for each NIST security level.
These results provide practical design guidance for mitigating performance degradation in hybrid PQC TLS deployments.
## 2026/441
* Title: Fuzzy Private Set Intersection for Real-World Datasets
* Authors: Satvinder Singh, Yanxue Jia, Aniket Kate
* [Permalink](
https://eprint.iacr.org/2026/441)
* [Download](
https://eprint.iacr.org/2026/441.pdf)
### Abstract
Private Set Intersection (PSI) allows two mutually distrusting parties to compute the intersection of their private sets without revealing any additional information. Fuzzy PSI, an approximate variant of PSI, allows the receiver to learn points of the sender that are ``close" to its points. More formally, the receiver learns all $y$ in the sender's set that satisfy $dist(x,y)< \delta$ for some element $x$ in the receiver's set and threshold parameter $\delta$. Recently, there has been significant progress on Fuzzy PSI, as it allows us to realize several important applications such as password matching, facial recognition, and contact tracing in a privacy-preserving manner. However, existing Fuzzy PSI constructions make strong assumptions on the input sets, such as receiver set disjointedness or projected disjointedness. In this work, we analyze those strong assumptions from a practical viewpoint and observe a gap between theory and practice, i.e., real-world data sets do not abide to those assumptions.
To bridge the gap, we first define a new relaxed and weaker assumption based on the low density of sets, demonstrate the assumption to be practical, and build a compiler that converts constructions under the strong assumption to those under the new, practical assumption. At the core of our transformation is a novel idea involving higher-dimensional lifting and coloring. Combining our transformation with current Fuzzy PSI protocols under the strong assumption yields efficient and practical Fuzzy PSI protocols. We also concretely analyze the run-time and overhead of our transformed protocols for parameters for illustrative applications, such as password matching.
## 2026/442
* Title: Memory-Efficient Implementation of SMAUG-T and HAETAE
* Authors: Yulim Hyoung, Subeen Cho, Uijae Kim, Minwoo Lee, Hwajeong Seo, Minjoo Sim
* [Permalink](
https://eprint.iacr.org/2026/442)
* [Download](
https://eprint.iacr.org/2026/442.pdf)
### Abstract
SMAUG-T and HAETAE, designated as target algorithms for national standardization via the Korean Post-Quantum Cryptography (KpqC) competition, run efficiently on general-purpose platforms. On ARM Cortex-M4 class microcontrollers, however, peak stack usage becomes a key constraint: while SMAUG-T can be executed on typical Cortex-M4 boards, the baseline HAETAE implementation exceeds the available SRAM (e.g., 91{,}176\,B stack for signing), motivating dedicated memory optimization.
To address this problem, we propose a suite of memory optimization techniques for SMAUG-T and HAETAE that enable their practical operation within the strict memory budget of the Cortex-M4. Experimental results demonstrate that, compared to the KpqClean\_ver2 baseline, peak stack usage was reduced by 73--83~\% for SMAUG-T5 (e.g., 24{,}300\,B$\rightarrow$4{,}240\,B in decapsulation) and by about 90~\% for HAETAE5 (e.g., 91{,}176\,B$\rightarrow$8{,}092\,B in signing). Furthermore, a branchless constant-time design was applied throughout to ensure that the optimized implementations remain robust against side-channel threats such as timing attacks. This work provides a practical methodology for deploying KpqC lattice-based cryptography in memory-constrained embedded environments.
## 2026/443
* Title: PRISM with a pinch of salt: Simple, Efficient and Strongly Unforgeable Signatures from Isogenies
* Authors: Andrea Basso, Giacomo Borin, Wouter Castryck, Maria Corte-Real Santos, Riccardo Invernizzi, Antonin Leroux, Luciano Maino, Frederik Vercauteren, Benjamin Wesolowski
* [Permalink](
https://eprint.iacr.org/2026/443)
* [Download](
https://eprint.iacr.org/2026/443.pdf)
### Abstract
The problem of computing an isogeny of large prime degree from a supersingular elliptic curve of unknown endomorphism ring is assumed to be hard both for classical as well as quantum computers. In this work, we first build a two-round identification protocol whose security reduces to this problem. The challenge consists of a random large prime $q$ and the prover simply replies with an efficient representation of an isogeny of degree $q$ from its public key. Using the hash-and-sign paradigm, we then derive a signature scheme with a very simple and flexible signing procedure and prove its security in the standard model. The most efficient variant of our signature schemes features a signing which is $1.4\times$ to $1.6\times$ faster than the most recent implementaion of SQIsign, whereas verification ranges from $1.2\times$ slower to $1.01\times$ faster depending on the security level. The sizes of public key and signature are comparable to existing schemes.
## 2026/444
* Title: Leakage-Diagrams, Importance Sampling, and Composition in the Random Probing Model
* Authors: Vahid Jahandideh, Bart Mennink, Lejla Batina
* [Permalink](
https://eprint.iacr.org/2026/444)
* [Download](
https://eprint.iacr.org/2026/444.pdf)
### Abstract
Security evaluation of masking in low-noise regimes remains poorly understood: increasing the masking order does not automatically translate into higher concrete resistance once many correlated intermediates are processed by a full implementation.
A common approach is to reduce noisy side-channel leakage to the random probing model (RPM), but existing reductions can be too loose to yield meaningful leakage rates in practice, and current RPM analyses often rely on costly simulations or numerically propagated bounds.
This work develops analytic and algorithmic tools for estimating and upper-bounding RPM security of masked gadgets and their compositions.
First, for noisy Hamming-weight leakage over $\mathbb{F}_{2^u}$ we compute concrete RPM leakage-rate parameters for a tighter $\mathbb{F}_2$-linear reduction based on binary inner products, providing a tangible link between SNR and probing rate.
Second, for $\mathbb{F}_q$-linear circuits we leverage a vector-space representation to characterize RPM leakage as an erasure event, yielding a direct connection to local metrics such as advantage and implying global simulability for refreshed, block-separated executions.
Third, we improve Monte Carlo estimation of rare leakage events using importance sampling, enabling evaluation in low-rate/high-order regimes that are infeasible with naive sampling.
Finally, we revisit the leakage-diagram technique and derive explicit bounds for refresh gadgets, and we apply the same viewpoint to composition through \emph{bridges}, showing that SNIrCowhile sufficient for threshold probing model (TPM)rCodoes not capture the RPM phenomenon governing refresh boundaries.
We implement our methods in \textsf{LAPSE}, a tool that compiles gadget descriptions into linear-algebraic representations and supports exact computation as well as Monte Carlo/importance-sampling estimation of RPM security parameters.
## 2026/445
* Title: Implementation of a post-quantum hybrid group key exchange protocol
* Authors: Tom|i+i Fab+ii-i, Samuel Klement, Zolt|in Raffay, Pavol Zajac
* [Permalink](
https://eprint.iacr.org/2026/445)
* [Download](
https://eprint.iacr.org/2026/445.pdf)
### Abstract
Post-quantum cryptography focuses on research of
cryptographic primitives, including public key encryption and
signatures, that can resist the attacks mounted by an adversary
with an access to a quantum computer. An alternative is to
employ quantum cryptography to protect communication links
by employing principles of quantum physics to protect security of
the key exchange. Recently, a group key establishment protocol
that combines these approaches in a secure way was presented
by Steinwandt and Gonzales Vasco. We have successfully imple-
mented and employed this protocol in a prototype application.
In this article we describe the overall architecture and specific
details of the implementation that can be of interest for scientific
community. We conclude with a discussion of specific challenges,
options and open problems that can accompany similar imple-
mentation task.
## 2026/446
* Title: Survey of isogeny-based signature schemes resistant to CastryckrCoDecru attack
* Authors: J. S. Bobrysheva, A. S. Zelenetsky, V. V. Davydov
* [Permalink](
https://eprint.iacr.org/2026/446)
* [Download](
https://eprint.iacr.org/2026/446.pdf)
### Abstract
In 2022, Castryck and Decru introduced an attack that broke several isogeny-based schemes, including SIKE, which had advanced to the final round of the NIST Post-Quantum Cryptography Standardization Competition. Despite this attack, research on isogeny-based cryptography has continued, primarily due to the compact key sizes offered by these schemes compared to other post-quantum approaches. There are now many isogeny-based schemes that are resistant to the Castryck-Decru attack. These schemes typically involve advanced mathematical structures that may require significant time and effort to study.
In this paper, we provide a structured survey of isogeny-based signature schemes that are resistant to the Castryck-Decru attack, aiming to facilitate an understanding of the current landscape and the most practically relevant schemes in this area. We categorize these signature schemes into two main classes: those based on the CSIDH group action and the SQIsign family. For each class, we discuss their fundamental design principles, security assumptions, and specific constructions. We also compare their performance and compactness. Additionally, we describe one representative scheme from each class that is particularly relevant in practice due to its efficiency or compactness. In conclusion, we compare the performance of the schemes discussed in this work with other post-quantum signature schemes.
## 2026/447
* Title: Trace: Complete Client-Side Account Access Logging
* Authors: Paul Gerhart, Carolina Ortega P|-rez, Thomas Ristenpart
* [Permalink](
https://eprint.iacr.org/2026/447)
* [Download](
https://eprint.iacr.org/2026/447.pdf)
### Abstract
Despite improvements to authentication mechanisms, account compromise remains frequent and users need a trustworthy way to determine what devices have accessed their accounts. Doing so, however, is in tension with privacy goals on the modern web, which mandate that web services not learn static device identifiers.
Recent work aims to address this tension via client-side encrypted access logging (CSAL), but their approach does not allow retrieving all log entries and users may miss information about adversarial accesses.
We present Trace, a new CSAL system that achieves complete logging while preserving privacy. Trace records verifiable evidence of each authentication in an encrypted log stored by an independent logging service, ensuring that only the user can inspect it. The web service remains unaware of the logging, preserving backward compatibility with existing authentication infrastructures. Unlike prior approaches, Trace simultaneously achieves verifiable device attribution, backward compatibility, and formally-analyzed security against malicious adversaries. Our prototype implementation reaches over 10 K authentications per second on a single core, suggesting it can scale efficiently for large services.
## 2026/448
* Title: Interactive Proofs for Batch Polynomial Evaluation
* Authors: Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev
* [Permalink](
https://eprint.iacr.org/2026/448)
* [Download](
https://eprint.iacr.org/2026/448.pdf)
### Abstract
Polynomials are a fundamental mathematical object underlying virtually all of theoretical computer science. In proof systems, a common task for the verifier is to evaluate a polynomial of degree $d$ at $m$ distinct points. The best known algorithm for this problem performs $O((m + d) \cdot \log^2(m + d))$ field operations.
We present a concretely efficient $\mathsf{MA}$ protocol for this problem in which the verifier runs in \emph{linear time}: the prover sends a single message consisting of $d - 1$ field elements, and the verifier performs only $O(m + d)$ field operations. We further extend our protocol to handle the more general setting of evaluating multiple polynomials at multiple points, and for this problem, we construct an $\mathsf{AMA}$ protocol.
Our protocols improve the verifier time in several interactive proofs. Most notably are the sumcheck protocol over a large summation domain and protocols that rely on polynomial quotienting. In particular, by a straightforward application of our results, we reduce the verifier's runtime in the STIR protocol (CRYPTO 2024) to match that of WHIR (EUROCRYPT 2025), despite WHIR being highly optimized for verification time.
As an additional application, we show that any univariate polynomial commitment schemes (PCS) can be transformed, in a black-box manner, into a new scheme that efficiently supports batch openings at multiple points. In particular, opening $m$ points incurs only a constant overhead compared to opening a single point.
## 2026/449
* Title: Short Signatures from DDH without Pairings or Random Oracles
* Authors: Dario Catalano, Valentina Frasca, Emanuele Giunta
* [Permalink](
https://eprint.iacr.org/2026/449)
* [Download](
https://eprint.iacr.org/2026/449.pdf)
### Abstract
We present two constructions of short signature schemes based on the polynomial hardness decisional Diffie Hellman. Our simplest scheme guarantees selective security (i.e. the adversary has to commit to the forged message ahead of time) while the second one realizes full fledged existential unforgeability. Remarkably, our schemes can be implemented over standard prime order groups (no pairings needed) and can be proven secure without resorting to the random oracle heuristic.
## 2026/450
* Title: A flexible and polynomial framework for integer arithmetic in CKKS
* Authors: Lorenzo Rovida
* [Permalink](
https://eprint.iacr.org/2026/450)
* [Download](
https://eprint.iacr.org/2026/450.pdf)
### Abstract
A new paradigm, called \emph{discrete}-CKKS, proposes to restrict the plaintext space of the homomorphic encryption CKKS scheme from $\mathbb{C}$ to a discrete subset of it (e.g., $\{0, 1\}$). While sacrificing approximate computations, this allows one to express an arithmetic similar to that available in exact schemes, but with significantly larger parallelism and flexibility due to SIMD computations and the underlying complex arithmetic, which remains available internally. A significant example is the recent work by Boneh and Kim (Crypto '25), where they present a method to operate on extremely large encrypted integers.
In this work, we build a simple computational device that handles integers, decomposed as binary vectors, by evaluating standard mod 2 arithmetic operations using polynomials only. Since we do not resort to the modular reductions based on the functional bootstrapping proposed by Kim and Noh (CIC '25), this yields a more flexible parameterization, consistent with standard CKKS configurations, e.g., leveled supporting roughly 13 multiplicative levels before bootstrapping. This means that one can use CKKS in $\mathbb{R}$ and then switch to $\mathbb{Z}$ with the same set of parameters -- we will refer to this as \emph{domain-switching}. Experiments show that our solution has lower latency on all operations (i.e., additions, multiplications, comparisons and logical shifts) by roughly three times, with respect to the current state of the art, although we have smaller throughput due to how data is represented.
## 2026/451
* Title: Oblivious Single Access Machines are Concretely Efficient
* Authors: Sage Pia, Ananya Appan, Maryam Rezapour, Amey Shukla, Nikhil Date, Benjamin Fuller, Ling Ren, David Heath
* [Permalink](
https://eprint.iacr.org/2026/451)
* [Download](
https://eprint.iacr.org/2026/451.pdf)
### Abstract
Oblivious algorithms allow a space-constrained client program to securely outsource storage to an untrusted server. Any program can be compiled to an oblivious form via Oblivious RAM (ORAM), but this is asymptotically and concretely expensive. Recent work (Appan et al., CCSrCO24) proposed a weakening of ORAM called the Oblivious Single Access Machine (OSAM) model, which offers asymptotically-improved
oblivious compilation for many programs, including those that manipulate graph data structures. While of theoretical interest, OSAM graph algorithms were worse than generic ORAM, even for large graphs (tested on graphs of size up to $2^{24}$).
This work improves the concrete costs of OSAM-based oblivious algorithms. In short, the original work on OSAM proposed algorithms for manipulating objects with pointers to other objects. Pointers and objects can be naturally used to instantiate arbitrary graphs, but the OSAMrCOs underlying management of pointers involves non-trivial and concretely-expensive algorithms. Our work greatly simplifies and improves the efficiency of OSAM-based pointer handling by co-designing (1) pointer-friendly modifications to the underlying Path ORAM algorithm (Stefanov et al., CCSrCO13) and (2) new algorithms for managing pointers.
We implemented the original OSAM algorithms and our approach. Naturally-written graph algorithms can now be automatically compiled to an oblivious form while enjoying up to a $4$|u improvement in performance as compared to when using generic Path ORAM (and at least $8$|u as compared to the original OSAM). In sum, our work provides generic and easy-to-use oblivious tools while concretely improving over prior generic state-of-the-art tools.
## 2026/452
* Title: On the CCA security properties of a class of group-based linearly homomorphic encryption schemes
* Authors: Duong Hieu Phan, Renaud Sirdey, Jean Vacher
* [Permalink](
https://eprint.iacr.org/2026/452)
* [Download](
https://eprint.iacr.org/2026/452.pdf)
### Abstract
In a seminal paper at Eurocrypt'25, B. Libert solved the long-standing open question of the CCA1 security of the Damgard-ElGamal scheme under standard assumptions. That paper also further showed that several other schemes, including a variant of Paillier-ElGamal with plaintext zero-padding, are CCA1 secure under falsifiable assumptions. However, all these schemes are only somewhat linearly homomorphic.
In this paper, we first tackle the fundamental question of designing efficient "truly" linearly homomorphic encryption schemes achieving CCA1 security under standard and falsifiable assumptions. We generalize Libert's approach to a large class of group-based PKE, that covers the aforementioned schemes, the Cramer-Shoup Lite scheme as well as new ones. In particular, we use our framework to show that a new variant of Paillier-ElGamal, which we call Damgard-Paillier-ElGamal (DPEG) as its design follows a Knowledge-of-Exponent pattern, achieves CCA1 security solely under the standard DCR assumption. To the best of our knowledge, DPEG is the first "truly" linearly homomorphic encryption scheme that is proven CCA1 secure under a standard assumption. Furthermore, DPEG can be extended to support one level of multiplication while still preserving its CCA1 security under the same assumption.
Second, we show that DPEG also achieves Manulis&Nguyen's stronger notion of vCCA security under a non-falsifiable linear-only homomorphism assumption. We then connect vCCA security to a no-go Theorem of Gentry&Wichs and show that, under mild assumptions, vCCA security cannot be established from any falsifiable assumption. This explains why all currently known vCCA secure constructions, including ours, rely on non-falsifiable assumptions.
## 2026/453
* Title: A Quantum-Safe Private Group System for Signal from Key Re-Randomizable Signatures
* Authors: Graeme Connell, Sebastian Faller, Felix G|+nther, Julia Hesse, Vadim Lyubashevsky, Rolfe Schmidt
* [Permalink](
https://eprint.iacr.org/2026/453)
* [Download](
https://eprint.iacr.org/2026/453.pdf)
### Abstract
Instant messaging services are an integral part of today's communication and their privacy has wide societal implications. Major messengers deploy end-to-end encryption, hiding message contents from the service provider. Group messaging, however, creates the challenge of also keeping the group membership list private.
The Signal messenger currently implements private group management using techniques inspired by Chase, Perrin, and Zaverucha (CCS 2020). Transitioning this system to quantum-safe turns out to be challenging: While one-to-one messaging can often adopt the newly standardized KEMs and signatures in a relatively direct way, private group management is more complex. SignalrCOs existing design heavily relies on the discrete-log structure to combine anonymous credentials, verifiable encryption, and oblivious PRFs for privacy and functionality. Quantum-safe versions of these components are unfortunately, typically far less efficient, requiring heavy zero-knowledge proofs and large communication per group operation. As a result, simply "swapping in" quantum-safe primitives is unlikely to yield an optimal protocol.
This paper reconsiders the design of the entire group system from the ground-up. Our result is a scheme that possesses the same strong privacy guarantees, but is built in a more modular way using simpler underlying cryptographic building blocks that permit a more efficient quantum-safe instantiation. The modularity of our protocol further allows for gradual migration to quantum-safe: we can immediately transition components vulnerable to harvest-now-decrypt-later attacks (such as classical public-key encryption, computationally hiding commitments, etc.) while deferring the transition of other building blocks, such as authentication.
We prove our design secure in an extended security model that more comprehensively captures the rich feature set of Signal's group messaging system.
## 2026/454
* Title: The principal ideal problem for endomorphism rings of superspecial abelian varieties
* Authors: Wouter Castryck, Jonathan Komada Eriksen, Riccardo Invernizzi, Frederik Vercauteren
* [Permalink](
https://eprint.iacr.org/2026/454)
* [Download](
https://eprint.iacr.org/2026/454.pdf)
### Abstract
We describe a Las Vegas algorithm for the principal ideal problem in matrix rings $M_g(O)$ for $g \geq 2$, over maximal orders $O$ in the rational quaternion algebra $B_{p, \infty}$ ramified at $\infty$ and a prime number $p$. Under plausible heuristic assumptions, the method has expected polynomial runtime. An implementation in SageMath shows that it runs very efficiently in practice, with compact output. Our main auxiliary result is a method for finding endomorphisms of superspecial abelian varieties (i.e., powers of supersingular elliptic curves) with a prescribed kernel.
## 2026/455
* Title: Asynchronous MPC with Abort
* Authors: Ananya Appan, David Heath, Ling Ren
* [Permalink](
https://eprint.iacr.org/2026/455)
* [Download](
https://eprint.iacr.org/2026/455.pdf)
### Abstract
Most prior works on secure Multi-Party Computation (MPC) in asynchronous networks study Guaranteed Output Delivery (GOD), meaning that all parties learn the function output. Asynchronous MPC protocols with GOD necessarily tolerate only t < n/3 corruptions, and they necessarily allow the adversary to exclude the inputs of up to t honest parties from the computation, a phenomenon referred to as input loss. Seeking improvements to threshold/input loss, we consider weakening GOD to security with abort, a standard notion studied in the context of synchronous networks. Unfortunately we show that, when these standard notions are applied in asynchrony, it is not possible to improve the corruption threshold or the input loss.
We therefore study relaxations of these standard notions under which protocols can be improved. In particular, we propose a relaxation of the standard notion of correctness for asynchronous MPC protocols. Our relaxed notion requires only that parties obtain the correct output when all parties are honest and when at most a threshold A of the parties are asynchronous. We present several impossibility and feasibility results that completely characterize what is possible in the context of our relaxed correctness. For instance, it is possible to achieve selective abort even when t < n parties are corrupt if (and only if) A < (n-t)/2, but it is impossible to achieve unanimous abort unless t < n/3, even when A=0. We additionally propose a new notion of identifiable abort for asynchronous networks (aIA), and we show that we can achieve fair MPC with aIA and min(A,t) input loss.
## 2026/456
* Title: Libra: Pattern-Scheduling Co-Optimization for Cross-Scheme FHE Code Generation over GPGPU
* Authors: Song Bian, Yintai Sun, Zian Zhao, Haowen Pan, Mingzhe Zhang, Zhenyu Guan
* [Permalink](
https://eprint.iacr.org/2026/456)
* [Download](
https://eprint.iacr.org/2026/456.pdf)
### Abstract
We propose Libra, a compiler framework that automates efficient code generation for cross-scheme fully homomorphic encryption (FHE) on highly parallel computing architectures. While it is known that leveraging multiple FHE schemes in a single application can improve the overall efficiency, the exact mapping of cross-scheme FHE operators onto high-performance architectures, such as general-purpose graphic processing units (GPGPUs), remains challenging. To address such challenge, Libra integrates both the FHE computational patterns and hardware-aware scheduling strategies to establish an algorithm-hardware co-optimization framework. Specifically, Libra defines a novel cross-scheme representation for FHE that abstracts common program patterns for each of the FHE schemes. Then, we dynamically optimize the output FHE program based on the combined execution costs of FHE primitives derived from multiple scheme switching patterns. Next, to accelerate inter-operator execution on GPUs, Libra introduces a computational scheduling strategy that bridges high-level computation characteristics with low-level execution plans. Through the proposed pattern-scheduling co-optimization process, Libra generates efficient codes for cross-scheme high-precision FHE computations on GPGPUs. Experiment results show that Libra achieves up to 270$\times$ speedup on microbenchmarks and 19$\times$ on the applications compared to state-of-the-art cross-scheme, while improving compute unit and memory bandwidth utilization by $44\%$ and $36.1\%$.
## 2026/457
* Title: Adaptively Secure, Universally Composable Distributed Generation of Discrete-Logarithm Based Keys
* Authors: Hanna Ek, Kelsey Melissaris, Lawrence Roy
* [Permalink](
https://eprint.iacr.org/2026/457)
* [Download](
https://eprint.iacr.org/2026/457.pdf)
### Abstract
Distributed key generation (DKG) protocols enable a set of parties to distributively generate a threshold-shared key pair \((\mathsf{pk}, \mathsf{sk})\), such that at least \(t\) parties must participate to reconstruct the secret. We introduce the first DKG protocol for discrete-logarithm based keys that are both universally composable and adaptively secure without erasure, inconsistent players, interactive assumptions, or oracle-aided simulation.
Our contributions are as follows:
(1) an adaptively secure and universally composable DKG that achieves guaranteed output delivery in three rounds assuming an honest majority,
(2) an adaptively secure and universally composable committed DKG that realizes our novel committed DKG functionality, tolerates a full corruption threshold, and achieves identifiable abort in two rounds,
(3) an adaptively secure and universally composable committed DKG that achieves guaranteed output in three rounds assuming an honest majority,
(4) as an application, an incredibly simple threshold Schnorr protocol in the committed DKG-hybrid model--implying an adaptively secure and universally composable threshold Schnorr protocol tolerating a full corruption threshold with identifiable abort in three rounds, and an adaptively secure and universally composable threshold Schnorr protocol for an honest majority with guaranteed output in four rounds.
Most importantly, our DKG constructions are secure in the random oracle model under the DDH assumption. Our output guarantees are proven under the assumption of synchrony. All existing synchronous DKG protocols for discrete-logarithm based keys satisfy weaker security notions or require stronger assumptions.
## 2026/458
* Title: The Art of Linearization: From a KZGrCOs Trick to a General Commitment Framework
* Authors: Janno Siim
* [Permalink](
https://eprint.iacr.org/2026/458)
* [Download](
https://eprint.iacr.org/2026/458.pdf)
### Abstract
A useful linearization technique (or a trick) was introduced in the Marlin and Plonk SNARKs, which significantly reduces the number of KZG polynomial commitment openings a SNARK prover has to send. Subsequently, many other KZG-based protocols have taken advantage of it.
We revisit and formalize this technique:
rCo We define a Linearization Polynomial Commitment Scheme (LPCS) that abstracts their linearization technique.
rCo We formalize LinKZG, a LPCS version of the KZG commitment scheme, and show that it achieves a weak form of extractability under a target group version of the ARSDH assumption. We show that Plonk is secure under the same assumption in the ROM.
rCo We show how to construct LPCSs from any homomorphic polynomial commitment scheme. Thus, enabling the linearization technique also for those polynomial commitment schemes, and potentially improving the efficiency of many other SNARKs.
## 2026/459
* Title: Naor-Yung Transform for IND-CCA Probing Security with Lattice Instantiations
* Authors: Katharina Boudgoust, Laurent Imbert, Lo|>c Masure, Laz Panard
* [Permalink](
https://eprint.iacr.org/2026/459)
* [Download](
https://eprint.iacr.org/2026/459.pdf)
### Abstract
In this work, we propose novel security notions for encryption schemes that simulate an adversary in the black-box model equipped with additional side-channel power. More concretely, the adversary is allowed to probe values of the secret-key sensitive algorithms, i.e. key generation and decryption. We then prove a generalization of the well-known Naor-Yung (NY) transform, generically lifting IND-CPA secure encryption schemes to IND-CCA ones in this new probing context. Moreover, we instantiate the resulting framework from lattices, constructing Rutile, a masking-friendly IND-CPA encryption scheme inspired by Kyber, and then Topaz its IND-CCA secure extension. In our proposal, the masking-unfriendly parts of Kyber, namely the central binomial distributions and the FO-transform, are replaced by masking-friendly counterparts (sum of uniforms and the aforementioned NY-transform).
## 2026/460
* Title: A Resource-Efficient Hardware Accelerator for Large-Size NTT via AlgorithmrCoArchitecture Co-Design
* Authors: Kaixuan Wang, Yifan Yanggong, Xiaoyu Yang, Chenti Baixiao, Lei Wang * [Permalink](
https://eprint.iacr.org/2026/460)
* [Download](
https://eprint.iacr.org/2026/460.pdf)
### Abstract
Large-size Number Theoretic Transforms (NTTs) are key operations in modern Zero-Knowledge Proofs (ZKPs), where the NTT size often reaches millions of points and the arithmetic is over wide prime fields. To handle such NTTs on hardware, prior designs commonly rely on the decomposition algorithm, which makes large-size NTTs feasible by streaming sub-NTTs through limited on-chip buffers. However, in practical implementations, decomposition alone is insufficient to ensure high efficiency. Since coefficients and twiddle factors remain off-chip, performance tends to depend on data movement across the memory hierarchy and delivery to the processing elements (PEs). To address these remaining issues, we present RENTT, a resource-efficient accelerator for large-size NTTs with decomposition-oriented data movement schemes and memory hierarchy design.
First, we design a precomputation-based twiddle factor management scheme that feeds multiple PEs without conflicts, both reducing on-chip twiddle factor storage and avoiding on-the-fly twiddle factor generation. Second, we develop a burst-optimized transpose method that fuses coefficient reordering into the element-wise twiddle-multiplication pass, reducing the latency of off-chip accesses for the subsequent NTTs. Third, we design a decoupled, multi-banked on-chip memory hierarchy that sustains high PE utilization under off-chip streaming, while remaining configurable across PE counts and maximum supported NTT sizes. We implement RENTT on an FPGA and experimentally verify that RENTT supports NTT sizes up to $N=2^{28}$ over 256-bit fields and completes a $2^{28}$-point NTT in 1.52 seconds with 16 processing elements. Compared with the state-of-the-art FPGA baseline SAM, RENTT provides $2.64\times$ speedup (1.52s vs. 4.02s), reduces 46.4% DSP usage (3629 vs. 6776 DSPs), and achieves a $3.58\times$ lower area-time product.
## 2026/461
* Title: Compact HQC with new (un)balance
* Authors: Chaofeng Guan, Lan Luo, Haodong Jiang, Jianhua Hou, Tong Yu, Hong Wang, Kangquan Li, Longjiang Qu
* [Permalink](
https://eprint.iacr.org/2026/461)
* [Download](
https://eprint.iacr.org/2026/461.pdf)
### Abstract
Hamming Quasi-Cyclic (HQC) is a leading code-based key-encapsulation mechanism (KEM), recently selected by NIST for standardization, whose bandwidth and efficiency are balanced with the concrete cost of information-set decoding (ISD) attacks.
However, the current balance relies on (1) the decryption-failure-rate (DFR) is directly configured to be less than $2^{-\lambda}$ ($\lambda$ is the security parameter), rather than carefully determined by choosing conservative parameters to resist known attacks as the Kyber team did in the design of NIST FIPS 203; (2) the error distribution in the underlying quasi-cyclic syndrome decoding problem is restricted to be balanced.
In this paper, we show how to quantitatively and conservatively evaluate the impact of removing the aforementioned two restrictions on the complexities of known attacks, and thus find a new balance among bandwidth, efficiency, and security for HQC.
In detail, we first formalize the best-known decryption-failure attack against HQC, and derive an upper bound on the probability that an adversary triggers a decryption-failure event under realistic query and time limits, enabling an attack-aware upper bound on the secure DFR.
Second, we quantify how the weight distribution of $(\mathbf{r}_1, \mathbf{r}_2, \mathbf{e})$ (the random low-weight polynomials used in encryption) affects the concrete cost of ISD attacks and DFR. This yields an \emph{unbalanced} weight strategy that strictly lowers the DFR without sacrificing the targeted bit security, leading to a new variant called \emph{Unbalanced HQC (UHQC)}.
By combining these analyses, we provide optimized parameters for UHQC. Across all NIST security levels, UHQC reduces bandwidth by 10-12% and improves runtime by 6-8%.
## 2026/462
* Title: Semigroup Action Problems and Their Uses in Post-Quantum Cryptography * Authors: Joachim Rosenthal, Silvia Sconza
* [Permalink](
https://eprint.iacr.org/2026/462)
* [Download](
https://eprint.iacr.org/2026/462.pdf)
### Abstract
This survey article provides an overview of the Semigroup Action Problem (SAP) as a pivotal generalization of the Discrete Logarithm Problem (DLP), tracing its theoretical evolution from foundational algebraic cryptography in the early 2000s to its application in the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. We examine the mathematical framework of semigroup actions, contrasting them with classical group-theoretic assumptions, and detail the generalizations of Diffie-Hellman and ElGamal protocols within this broader context. Finally, the paper investigates the renaissance of group and semigroup actions in the design of next-generation digital signatures, providing a detailed algebraic analysis of candidates in the current NIST competition.
## 2026/463
* Title: Icefish: Practical zk-SNARKs for Verifiable Genomics
* Authors: Alexander Frolov, Maurice Shih, Rob Patro, Ian Miers
* [Permalink](
https://eprint.iacr.org/2026/463)
* [Download](
https://eprint.iacr.org/2026/463.pdf)
### Abstract
Individual genomic data is a uniquely sensitive type of user data. While many papers have considered using Multi-Party Computation (MPC) or Fully Homomorphic Encryption (FHE) to allow collaborators to study combined genomic datasets they cannot share, few have considered verifying the results of genomic computations, either in research studies or in the emerging area of personalized genetic therapies.
In this paper, we initiate the first systematic study of zero-knowledge proofs for verifiable genomics, providing both building blocks for verifying common operations in computational genomics, such as sequence alignment, and exploring two end-to-end applications:
Verifiable Genome-Wide Association Studies: A Genome-Wide Association Study (GWAS) study operates over a repository of genomic data, identifying statistical correlations between genetic variations and observed traits or medical conditions. Our system enables third parties to verify that research was honestly computed over an authenticated, untampered database, ensuring both the integrity of the underlying data set and the correctness of the resulting science. We achieve practical performance (<20 minutes proving time) for studies of sizes equal to those in the existing genomics literature.
Verifiable CRISPR Eligibility: We propose using zk-SNARKs in the context of gene engineering (e.g. CRISPR). To our knowledge, this is a new use case for zk-SNARKs. We implement and optimize models for detecting rCLon-targetrCY and rCLoff-targetrCY sites for a CRISPR probe in zk-SNARKs, so users can, for example, demonstrate eligibility for a therapy or trial without having to reveal their own DNA sequence.
In support of these applications, we develop new building blocks, like zero-knowledge proofs of sequence alignment that are 30x faster than the prior state of the art, and storage-efficient indexes for Merkle trees for large scale genomic data that asymptotically reduce storage costs.
## 2026/464
* Title: Model Extraction of Convolutional Neural Networks with Max-Pooling
* Authors: Haolin Liu, Adrien Siproudhis, Christina Boura, Thomas Peyrin
* [Permalink](
https://eprint.iacr.org/2026/464)
* [Download](
https://eprint.iacr.org/2026/464.pdf)
### Abstract
Model extraction attacks aim to recover the internal parameters of neural networks through black-box queries. While significant progress has been achieved for fully connected ReLU networks, far less is known about structured architectures such as Convolutional Neural Networks (CNNs), which are widely used in practice. In particular, convolutional layers introduce locality and weight sharing, while max-pooling operations leak only relative activation information, both of which require rethinking and extending existing extraction techniques. In this work, we study the extraction of CNNs combining ReLU activations and max-pooling layers in the soft-label setting. We first demonstrate that max-pooling can be understood as a natural extension of the ReLU non-linear operation and classify the different types of critical points observed in this setting. We show that max-pooling critical points capture the difference between two convolutional neurons and that the local structure of convolution allows us to determine the shift between them and reconstruct the underlying convolutional kernel. We also introduce optimizations that take advantage of the specific structure of CNNs: by using receptive-field analysis, we design efficient methods to filter noise and localize critical points. These improvements significantly reduce the computational cost compared to a naive reduction to a large sparse fully connected network. Finally, we validate our approach experimentally on a compact VGG-style convolutional neural network trained on CIFAR-10. The results show that our methods permit accurate weight extraction in CNNs in practice, while correctly localizing critical points in convolutional layers.
## 2026/465
* Title: Advanced cryptography from lattice isomorphismrConew constructions of IBE and FHE
* Authors: Huck Bennett, Zhengnan Lai, Noah Stephens-Davidowitz
* [Permalink](
https://eprint.iacr.org/2026/465)
* [Download](
https://eprint.iacr.org/2026/465.pdf)
### Abstract
We show how to translate some of the more advanced techniques used in LWE-based cryptography to the setting of lattice-isomorphism-based cryptography, which was recently introduced by Ducas and van Woerden [Eurocrypt, 2022]. In particular, we show constructions of two powerful cryptographic primitives, identity-based encryption (IBE) and fully homomorphic encryption (FHE). We then prove their security under the assumption that a suitable version of the Lattice Isomorphism Problem is hard.
Our constructions use quite general and modular techniques, and we expect them to have other applications. Specifically, we show that the now-ubiquitous techniques introduced by Gentry, Peikert, and Vaikuntanathan [STOC, 2008] to build IBE and Gentry, Sahai, and Waters [Crypto, 2013] to build FHE can be made to work in our setting using any sufficiently "nice" lattice.
## 2026/466
* Title: Hashing in Generic Groups: Completing the AGM-to-GGM Transfer
* Authors: Taiyu Wang, Cong Zhang, Hong-Sheng Zhou, Xin Wang, Keyu Ji, Zhihong Jia, Li Lin, Changzheng Wei, Ying Yan, Kui Ren, Chun Chen
* [Permalink](
https://eprint.iacr.org/2026/466)
* [Download](
https://eprint.iacr.org/2026/466.pdf)
### Abstract
The algebraic group model (AGM), formalized by Fuchsbauer, Kiltz, and Loss (Crypto 2018), has recently garnered significant attention. Notably, Katz, Zhang, and Zhou (Asiacrypt 2022) challenged a widely held belief: that hardness results proven in the AGM imply corresponding results in the generic group model (GGM). They showed that this implication fails under Shoup's GGM framework. In response, Jaeger and Mohan (Crypto 2024) proposed an alternative interpretation based on Maurer's GGM and proved that, under this interpretation, the implication indeed holds.
Many cryptographic applications analyzed in the AGM also rely on the random oracle model (ROM), which is largely absent from Jaeger and Mohan's framework. Because MaurerrCOs GGM and the ROM are inherently incomparable, Jaeger and Mohan's framework may not capture all AGM-based proofs. To bridge this gap and faithfully translate all known AGM-based proofs into the GGM setting, we make the following contributions:
- Limitations of JM's framework: Jaeger and MohanrCOs framework captures only those primitives that can be instantiated within MaurerrCOs GGM. We identify a primitiverCospecifically, a public-key encryption scheme with short ciphertextsrCowhose security has been analyzed in the AGM, and establish a black-box separation between this primitive and MaurerrCOs GGM, even when combined with the ROM. This result provides concrete evidence that JMrCOs framework cannot encompass all known AGM-based proofs.
- Augmented framework: We propose an augmented framework that integrates MaurerrCOs GGM with a carefully constructed ROM, enabling inputs and outputs to incorporate group elements defined within MaurerrCOs model.
- Transferring all known AGM-based proofs to GGM setting: Building on our augmented framework, we prove the lifting lemma from the AGM to our model, demonstrating that hardness results in the AGM+ROM directly carry over to our setting, thereby justifying all known AGM-based proofs.
## 2026/467
* Title: A Note on the Equivalence Between Zero-knowledge and Quantum CSS Codes * Authors: Noga Ron-Zewi, Mor Weiss
* [Permalink](
https://eprint.iacr.org/2026/467)
* [Download](
https://eprint.iacr.org/2026/467.pdf)
### Abstract
Zero-knowledge codes, introduced by Decatur, Goldreich, and Ron (ePrint 1997), are error-correcting codes in which few codeword symbols reveal no information about the encoded message, and have been extensively used in cryptographic constructions. Quantum CSS codes, introduced by Calderbank and Shor (Phys. Rev. A 1996) and Steane (Royal Society A 1996), are error-correcting codes that allow for quantum error correction, and are also useful for applications in quantum complexity theory.
In this short note, we show that (linear, perfect) zero-knowledge codes and quantum CSS codes are equivalent. We demonstrate the potential of this equivalence by using it to obtain explicit asymptotically-good zero-knowledge locally-testable codes.
## 2026/468
* Title: Tighter Proofs for PKE-to-KEM Transformations under Average-Case Decryption Error and without $\gamma$-Spread
* Authors: Jinrong Chen, Rongmao Chen, Yi Wang, Haodong Jiang, Cong Peng, Xinyi Huang, Debiao He, Xiaofeng Chen
* [Permalink](
https://eprint.iacr.org/2026/468)
* [Download](
https://eprint.iacr.org/2026/468.pdf)
### Abstract
In the NIST post-quantum standardization process, Fujisaki-Okamoto-like (FO-like) transformation has become the de facto paradigm for constructing IND-CCA secure key encapsulation mechanisms (KEMs) from public-key encryption (PKE). However, most post-quantum PKE schemes exhibit decryption error, which poses significant challenges for the security proofs of FO-like PKE-to-KEM transformations, particularly in the quantum-accessible random oracle model (QROM). Hofheinz, H||velmanns, and Kiltz (TCC 2017) gave the first QROM security proofs for PKE-to-KEM transformations under \textit{worst-case} decryption error. To relax this to the more designer-friendly one of \textit{average-case} decryption error, Duman et al. (PKC 2023) presented two transformations, $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$, which are under average-case decryption error but introduce substantial loss in QROM reduction tightness ($\mathcal{O}(q^8)$ for $\mathsf{FOAC}_0$ and $\mathcal{O}(q^6)$ for $\mathsf{FOAC}$) and the need for the $\gamma$-spread assumption on the underlying PKEs. Very recently, Ge et al. (ePrint 2025) removed the $\gamma$-spread assumption for $\mathsf{FOAC}_0$ and improved the QROM reduction tightness to $\mathcal{O}(q^4)$ for both $\mathsf{FOAC}_0$ and $\mathsf{FOAC}$.
In this work, we make further advances by introducing two refined variants: $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$. We provide new security analyses in both the ROM and the QROM, and present the following key contributions: (1) Compared with previous transformations under average-case decryption error, $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ exhibit tighter security proofs with QROM reduction loss of only $\mathcal{O}(q^2)$ for $\mathsf{FOAC}'_0$ and $\mathcal{O}(q^3)$ for $\mathsf{FOAC'}$ when the underlying PKE is OWrCaCPA secure, and just $\mathcal{O}(q)$ when it is deterministic or INDrCaCPA security; (2) Both $\mathsf{FOAC}'_0$ and $\mathsf{FOAC'}$ eliminate the $\gamma$-spread assumption entirely, further relaxing the requirements on the underlying PKE.
To support our QROM proofs, we provide three new QROM proof techniques that build on Zhandry's compressed oracle technique (CRYPTO 2019). These techniques may be of independent interest and could have broader applicability in post-quantum cryptography.
## 2026/469
* Title: A Note on ``Linear-Communication ACSS with Guaranteed Termination and Lower Amortized Bound''
* Authors: Xiaoyu Ji, Junru Li, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/469)
* [Download](
https://eprint.iacr.org/2026/469.pdf)
### Abstract
In this note, we demonstrate that the construction of asynchronous complete secret sharing (ACSS) proposed in the recent work by Qin et al., accepted at Eurocrypt 2026, is insecure. In particular, we identify several issues affecting the liveness of their protocol and present attacks that compromise its correctness.
## 2026/470
* Title: Byzantine Consensus in the Partially Authenticated Setting
* Authors: Christoph Lenzen, Julian Loss, Kecheng Shi, Benedikt Wagner
* [Permalink](
https://eprint.iacr.org/2026/470)
* [Download](
https://eprint.iacr.org/2026/470.pdf)
### Abstract
Byzantine Agreement and Broadcast are traditionally studied in one of two extremes: the authenticated setting, where a public key infrastructure (PKI) enables universally verifiable signatures and yields higher fault tolerance, and the unauthenticated setting, where no PKI is available and resilience necessarily drops.
Motivated by Proof-of-Stake blockchains, where only a stable subset of participants (e.g., validators) have registered long-term keys while others do not, we initiate a systematic study of consensus in the \emph{partially authenticated} setting, where a subset of parties are \emph{registered} in a PKI and the remaining parties are \emph{unregistered}.
We provide a nearly complete feasibility characterization of the resilience as a function of the number $s$ of registered parties among $n$ total parties.
First, we show that Byzantine Agreement or Byzantine Broadcast with an \emph{unregistered} sender is possible if and only if $t \le \max\{\lceil s/2\rceil,\lceil n/3\rceil\}-1$, matching a simple protocol and an impossibility bound.
Second, for Byzantine Broadcast with a \emph{registered} sender, we give a deterministic synchronous broadcast protocol tolerating up to $t \le s + \lceil (n-s)/3\rceil - 1$ Byzantine faults (equivalently, $3t<n+2s$); while we present the binary case in the main body for clarity, our techniques extend to an efficient multivalued protocol.
We complement this with a matching lower bound in a strengthened leakage model in which the adversary learns each party's private state at the end of every round, ruling out both deterministic protocols and randomized protocols that rely only on short-lived secrets and the basic signing/verification interface.
## 2026/471
* Title: Lookup Arguments over Rings and Applications to Batch-Verification of RAM Programs
* Authors: Jonathan Bootle, Julia Guskind, Sikhar Patranabis, Katerina Sotiraki * [Permalink](
https://eprint.iacr.org/2026/471)
* [Download](
https://eprint.iacr.org/2026/471.pdf)
### Abstract
Lookup arguments are a key technique in SNARKs for reducing the cost of operations which are rCLarithmetization-unfriendlyrCY, such as range checks and bitwise comparisons. The idea is to encode the valid outputs of the operation in a publicly known table, and then prove that every element of the SNARK witness belongs to the table. Existing constructions for lookup arguments, however, are designed for working over fields, making them incompatible with recent post-quantum lattice-based schemes that operate over rings.
In this work we formalize lookup arguments over rings for tables containing arbitrary ring elements. We bring attention to systematic issues that arise when translating techniques from fields to rings by showing several known lookup arguments are susceptible to attacks. We then extend two central polynomial IOPs, Plookup and LogUp, over the ring $\mathcal{R} = \mathbb{Z}_q[X]/(X^d + 1)$, and show how to compile them with polynomial commitments based on lattice assumptions to get succinct lattice-based lookup arguments. We additionally show how to apply ring lookups to obtain succinct arguments for batch-verification of RAM updates where the RAM entries are arbitrary ring elements.
## 2026/472
* Title: Descent into Broken Trust: Uncovering ML-DSA Subkeys with Scarce Leakage and Local Optimization
* Authors: Carsten Schubert, Niklas Julius M|+ller, Jean-Pierre Seifert, Marian Margraf
* [Permalink](
https://eprint.iacr.org/2026/472)
* [Download](
https://eprint.iacr.org/2026/472.pdf)
### Abstract
ML-DSA (formerly CRYSTALS-Dilithium), the primary NIST post-quantum signature standard, relies on rejection sampling to ensure that released signatures are statistically independent of the secret key. Recent work by Liu et al. and Damm et al. showed that this protection breaks down as soon as an attacker obtains even a single bit of the generated masking randomness per signature, enabling key recovery via linear regression over the resulting noisy linear system. However, this regression approach requires the attacker to collect a large number of such leaky signaturesrCoup to 2.4 million so-called informative relations for ML-DSA-65rCothereby limiting the attackrCOs practical applicability.
We dramatically reduce this cost by reformulating the key recovery as a constraint-satisfaction problem solvable by local optimization. Our approach rests on two contributions. First, we construct a verification routine that checks candidate subkeys using only the collected leakage relations, i.e. without knowledge of the remaining secret-key components or relying on computation-intensive reductions. Second, building on theoretical insights from this verification method, we design a
multi-tier hill-climbing algorithm that iteratively refines candidates by minimizing a scoring function.
In the exact leakage setting, our attack recovers ML-DSA subkeys from as few as 5 000 to 35 000 informative relations across all parameter sets and leakage bit indices the attack is applicable for, constituting a reduction by a factor of 37rCo68|u over the previous state of the art. We further extend the attack to a noisy leakage model, where the leaked bit is flipped independently with error probability p. We demonstrate experimentally that key recovery remains feasible even at noise rates as high as 45%, again with substantially fewer leakage information than prior work.
## 2026/473
* Title: PIKE: Faster Isogeny-Based Public Key Encryption with Pairing-Assisted Decryption
* Authors: Shiping Cai, Mingjie Chen, Yi-Fu Lai, Kaizhan Lin
* [Permalink](
https://eprint.iacr.org/2026/473)
* [Download](
https://eprint.iacr.org/2026/473.pdf)
### Abstract
Recent work at Eurocrypt 2025 by Basso and Maino introduced POK|e, an isogeny-based public key encryption (PKE) scheme. POK|e shows how two parties can derive a shared secret on a higher-dimensional, SIDH-like commutative diagram via basis evaluations, giving the fastest isogeny-based PKE to date with performance comparable to the original SIDH.
In this paper we present PIKE, a new isogeny-based PKE obtained by tweaking the POK|e design. Our key change is to use pairings to derive the shared secret while preserving post-quantum security. This brings two benefits: (i) decryption is directly faster, and (ii) by relaxing the required prime form, we can choose smaller primes, further improving overall runtime.
We provide a proof-of-concept implementation in SageMath. Under the NIST~I setting, our benchmarks show speedups of $1.30\times$ (key generation), $1.24\times$ (encryption), and $1.47\times$ (decryption) over POK|e, while maintaining competitive public key and ciphertext sizes. In addition, we provide a C implementation. The encryption and decryption take 53~Mcycles (23~ms) and 34~Mcycles (15~ms) on an Intel i7 2.3 GHz CPU, respectively.
## 2026/474
* Title: Scalable Compliant Privacy on Starknet
* Authors: Lior Goldberg, Maya Dotan, Ittay Dror, Gideon Kaempfer, Nir Levi, Noa Oved, Arad Reder, Anat Veredgorn, Noa Wolfgor
* [Permalink](
https://eprint.iacr.org/2026/474)
* [Download](
https://eprint.iacr.org/2026/474.pdf)
### Abstract
We present a privacy protocol implemented on Starknet that enables confidential transactions while maintaining regulatory compliance. Transfers hide the sender, receiver, and amount from external observers, with validity enforced by zero-knowledge proofs generated on the client side using the Stwo STARK prover.
The protocol introduces three key innovations: (1) an efficient note discovery mechanism, (2) a practical compliance framework that enables an auditing entity to selectively unshield transactions upon legitimate regulatory request, and (3) anonymous integration with existing Starknet DeFi contracts. The system supports multiple token types in a single pool and leverages Starknet's native account abstraction for transaction authorization. All proof logic and contract code are written in Cairo, providing a unified codebase that simplifies auditing and development.
## 2026/475
* Title: Scaling Fully Secure MPC via Robust Recursive Search and Gap Amplification
* Authors: Matan Hamilis, Ariel Nof
* [Permalink](
https://eprint.iacr.org/2026/475)
* [Download](
https://eprint.iacr.org/2026/475.pdf)
### Abstract
We present a new framework for secure computation of arithmetic circuits with two-thirds honest majority that lifts semi-honest protocols to full malicious security. Our framework works with any linear secret sharing over any finite ring and maintains the type of security of the underlying semi-honest protocol (i.e., computational or information-theoretic). The framework has the following overhead complexity with respect to size \(|C|\) of the computed circuit \(C\): it incurs only logarithmic communication overhead in \(|C|\) over the cost of the semi-honest protocol, the number of additional rounds is independent of the circuit's size, and the computational work per party is \(O(|C|)\) arithmetic operations.
Even when limiting the scope to static adversaries, previous works could only achieve two of these three measures: Either the communication is logarithmic and the computational overhead per party is \(O(|C|)\), but the number of additional rounds grows with the circuit's size, or communication is logarithmic and the number of rounds is \(O(n)\), but the computational overhead is \(O(n\cdot |C|)\). To the best of our knowledge, we are the first to achieve the desired complexity in all three fronts, making the cost of achieving full security in MPC lower than ever.
Our result is achieved via a new verification technique based on a robust recursive search that finds and removes cheaters from the computation.
We further improve our result by reducing costs associated with the number of parties~\(n\). While the initial result incurs cubic communication overhead with respect to \(n\) and \(O(n)\) additional rounds in the worst case, we show how to reduce it to \(\sqrt{n^5}\) communication overhead and \(O(\sqrt{n\log\log n})\) additional rounds, without sacrificing the computational overhead, which remains \(O(|C|)\). This is achieved via a novel technique we call gap amplification that accelerates the player elimination process, enabling us to reduce the number of calls to the verification subprotocol. This technique is of independent interest as it is general and can be directly applied to any protocol that relies on player elimination.
## 2026/476
* Title: Duty-Free Bits: Projectivizing Garbling Schemes
* Authors: Nakul Khambhati, Anwesh Bhattacharya, David Heath
* [Permalink](
https://eprint.iacr.org/2026/476)
* [Download](
https://eprint.iacr.org/2026/476.pdf)
### Abstract
Garbling schemes are powerful primitives that enable secure computation between a mutually untrusting garbler and evaluator. A projective garbling scheme is one that encodes the evaluator's input in a simple bit-by-bit manner. Projective schemes, such as the seminal scheme of Yao, are versatile, as they are naturally compatible with other simple tools, such as $1$-out-of-$2$ oblivious transfer (OT). There exist garbling schemes that naturally operate over large finite fields, some of which require only efficient information-theoretic (IT) techniques. However, here the evaluator's input is encoded via an affine function over a large field, so these schemes are not naturally projective, reducing their versatility.
We provide a transformation that efficiently projectivizes such schemes. Consider an arithmetic garbling scheme where the evaluator's input consists of elements from a large prime field. Our symmetric-key-based garbling techniques give a mechanism to translate from Yao-style garbled labels to IT-style garbled labels at cost proportional to the input and output labels: crossing the border is duty-free!
We apply our technique to two problems.
(1) Recent works show that projective garbling schemes solve a problem central to trust-minimized bridges for the Bitcoin blockchain. BABE (Garg et al., 2026) and Argo MAC (Eagen and Lai, 2026) give two different approaches. Both works implicitly construct an efficient IT garbling scheme, then use naive bit-decomposition to achieve projectivity. We construct drop-in replacements for both; we improve BABE's encoding size by $45\times$, and Argo MAC's by $20\times$.
(2) Our technique implies a non-interactive reduction from vector oblivious linear evaluations (VOLEs) over $\mathbb{F}_p$ to $1$-out-of-$2$ OTs. To our knowledge, ours is the state-of-the-art Minicrypt (plus base OTs) protocol for large field VOLE secure against a malicious receiver. It costs only $O((\lambda + n) \lg p)$ bits.
## 2026/477
* Title: DAC-PRE: Practical Anonymous Data Access Scheme Control with Proxy Re-encryption for Implantable Medical Devices
* Authors: Jayaprakash Kar, Xiaoguang Liu, Fagen Li
* [Permalink](
https://eprint.iacr.org/2026/477)
* [Download](
https://eprint.iacr.org/2026/477.pdf)
### Abstract
One of the most important fundamental elements in
guaranteeing data security is data access management. The two primary security components of data access control are typically authorisation and authentication. Data access control is the selective restriction of data access. First, we present an effective data access control mechanism for medical devices that are implanted in this study. Through a signcryption method with proxy reencryption
(DAC-PRE), the protocol guarantees anonymous data
access control and supports the userrCOs anonymity behaviour. The security is proven in oracle model. Our experimental analysis shows the proposed protocol has low computational cost.
## 2026/478
* Title: A Hardware/Software Co-Optimization of HQC Using Tightly-Coupled Accelerators on a 32-bit Ibex Core
* Authors: Seog Chung Seo, YoungBeom Kim
* [Permalink](
https://eprint.iacr.org/2026/478)
* [Download](
https://eprint.iacr.org/2026/478.pdf)
### Abstract
We present Hardware/Software co-optimization of Hamming Quasi-Cyclic (HQC) enabled by tightly coupled accelerators implemented on a 32-bit Ibex RISC-V core. On the hardware side, we propose a unified multiplier capable of efficiently performing carryless multiplication for both polynomial multiplication over F_2[X]/(X^{n}reA1) and multiplication over F_2^{8}. We also design a Keccak permutation accelerator to support efficient randomness sampling. On the software side, we identify the optimal combination of ToomrCoCook and Karatsuba methods for efficient polynomial multiplication on the Ibex core and enhance its performance by minimizing the number of memory accesses during its execution.With our co-optimization strategies, our HQC implementation achieves a performance improvement of several tens of times over the reference implementation.
## 2026/479
* Title: Strong Efficiency Lower Bounds for Byzantine Agreement
* Authors: Cl|-ment Ducros, Julian Loss, Matthieu Rambaud
* [Permalink](
https://eprint.iacr.org/2026/479)
* [Download](
https://eprint.iacr.org/2026/479.pdf)
### Abstract
Understanding the complexity of Byzantine agreement (BA) is a fundamental problem in distributed computing and cryptography. Existing round- or communication lower bounds either restrict the class of protocols they apply to in terms of communication, setup assumptions, or determinism. Another class of lower bounds holds only with respect to a very powerful (arguably unrealistic) adaptive adversary that can delete undelivered messages sent by a newly corrupted party while it was still honest. On the other hand, many popular BA protocols including the consensus protocol underlying the Algorand cryptocurrency assume only a standard adaptive adversary which cannot perform after-the-fact message removals. In this work, we aim to further narrow the gap between existing upper and lower bounds. We first revisit existing communication lower bounds of Abraham et al. (PODC 2019) and Blum et al. (TCC 2020) which show that, under certain conditions, $\Omega(t^2)$ messages are necessary in expectation for randomized BA protocols with security against $t$ adaptive corruptions. We give two new lower bounds on the communication complexity of randomized BA protocols that hold against even a standard adaptive adversary, for previously unexplored settings of practical interest. Our bounds assume a complete network of authenticated communication channels.
Our first bound improves over Abraham et al. when the setup is limited to a common reference string (CRS), and the second one improves the bit complexity of Blum et al since in the authenticated setting, i.e., we allow idealized signatures.
As a technical contribution, we present a new formal model for protocols using idealized signatures, which may be of independent interest. We then turn our attention to the round complexity of randomized BA protocols in which only a subset of parties may speak. We show that such protocols must either rely on erasures or determine whether or not to first speak in the protocol and decide in dependence the parties' inputs.
We discuss in detail how both of these design paradigms have been used in prior work and how they lead to efficiency and design-related issues for practical BA protocols.
## 2026/480
* Title: CHOPIN: Optimal Pairing-Based Multilinear Polynomial Commitments from Bivariate KZG
* Authors: Juraj Belohorec, Pavel Hub|i-iek, Aleksi Kalsta, Krist|+na Ma+ikov|i * [Permalink](
https://eprint.iacr.org/2026/480)
* [Download](
https://eprint.iacr.org/2026/480.pdf)
### Abstract
We present CHOPIN, a pairing-based multilinear polynomial commitment scheme (PCS) achieving constant proof size and a linear-time prover, constructed modularly from a bivariate PCS. CHOPIN generalizes the recent compilers from univariate to multilinear PCS MERCURY (Eagen and Gabizon, ePrint 2025/385) and Samaritan (Ganesh, Patranabis, and Singh, ASIACRYPT 2025). Due to its modular design, we obtain a direct proof of knowledge soundness via a reduction to the knowledge soundness of the underlying bivariate PCS in the standard model. In particular, our analysis avoids idealized models such as the Algebraic Group Model.
When instantiated with the bivariate KZG scheme (Papamanthou, Shi, and Tamassia, TCC 2013), CHOPIN achieves a similar proof size to Mercury and Samaritan while offering a two-fold speedup in the main bottleneck for the prover time, which arises because CHOPIN requires only a single large MSM proportional to the size of the committed multilinear polynomial, in contrast to the two large MSMs required by the prior works, at the cost of one additional pairing for the verifier.
## 2026/481
* Title: Remise: Authorized Anonymous Communication Systems
* Authors: Rohan Ravi, Paritosh Shukla, Adithya Vadapalli
* [Permalink](
https://eprint.iacr.org/2026/481)
* [Download](
https://eprint.iacr.org/2026/481.pdf)
### Abstract
We present Remise, a two-server authorized anonymous
communication system built on Distributed Oblivious
RAM (DORAM). Remise supports two modes of opera-
tion: (i) an anonymous bulletin board, where messages
are publicly revealed at the end of each epoch without
linking senders to messages, and (ii) anonymous commu-
nication channels, where messages remain secret-shared,
and writers selectively grant and revoke read access to
chosen readers. In both modes, the two servers execute
read and write operations without learning which indices
are accessed, which authorization tokens are used, or
which relationships exist between writers and readers,
assuming at least one honest server. A central contri-
bution of Remise is a lightweight and efficient access-
control mechanism. Authorization proofs are maintained
in secret-shared form across the two servers, enabling
oblivious verification while preventing leakage even un-
der clientrCoserver collusion. Unlike prior DPF-based sys-
tems, Remise provides built-in auditing by having the
semi-honest servers generate standard-basis vector shares
internally, eliminating the need for server-side DPF va-
lidity checks. We implement a prototype of Remise and
evaluate it under realistic network conditions. Our ex-
periments show 80|uimprovement in online server time
when compared to PACL (Spectrum) (IEEE S&P 2023)
for databases of size $22^{24}$
## 2026/482
* Title: Cryptanalysis of Two Alternating Moduli Weak PRFs
* Authors: Kai Hu, Gregor Leander, H|Nvard Raddum, Arne Sandrib, Aleksei Udovenko
* [Permalink](
https://eprint.iacr.org/2026/482)
* [Download](
https://eprint.iacr.org/2026/482.pdf)
### Abstract
In this work, we present new cryptanalytic attacks on recently proposed, theory-inspired constructions of weak pseudorandom functions (weak-PRFs). We demonstrate attacks on several such designs, showing that the initial security arguments require significant refinement. Methodologically, our approach relies on novel observations about the structure of cyclic matrices, applications of Wagner's generalized birthday technique, and conversion into polynomial systems over $\mathbb{F}_3$. These findings highlight the need for a more careful analysis of those weak-PRF candidates
## 2026/483
* Title: Debt-Aware Bonding Curves: Non-Decreasing Floor Prices and Non-Liquidatable Borrowing
* Authors: |umer Demirel, Michael Lewkowitz, Tiago Santana
* [Permalink](
https://eprint.iacr.org/2026/483)
* [Download](
https://eprint.iacr.org/2026/483.pdf)
### Abstract
Decentralized lending protocols rely on liquidation mechanisms tied to volatile oracle-derived prices, creating cascading systemic risk during market downturns. We introduce debt-aware discrete bonding curves (DABC)rCopiecewise-linear bonding curves with a distinguished floor segment whose price is provably non-decreasing. A reserve invariant couples the curverCOs collateral to outstanding debt, enabling a credit facility for issuance-native collateral in which borrowing capacity is anchored to the endogenous floor price rather than a market oracle. We prove that no loan originated at or below the floor-anchored LTV can become under-collateralized due to collateral price declinesrCoeliminating protocol-triggered liquidation for this borrowing model. The trade-off: non-repayment results in permanent token lock, not forced sale. By internalizing issuance, trading, and borrowing in a single contract, the mechanism captures fee revenue that would otherwise accrue to external parties, directing it toward floor elevation. A recursive buy-lock-borrow-buy loop enables leveraged positions without liquidation risk; token launches are the most compelling application. To the best of our knowledge, this work provides the first fully formalized treatment in which borrowing safety is derived from a debt-aware reserve invariant and a provably non-decreasing endogenous floor price. We verify the mechanism through stateful fuzz testing and formal verification of a concrete Solidity implementation.
## 2026/484
* Title: Signal Lost (Integrity): The Signal App is More than the Sum of its Protocols
* Authors: Kien Tuong Truong, Noemi Terzo, Kenneth G. Paterson
* [Permalink](
https://eprint.iacr.org/2026/484)
* [Download](
https://eprint.iacr.org/2026/484.pdf)
### Abstract
Signal is a secure messaging app offering end-to-end security for pairwise and group communications. It has tens of millions of users, and has heavily influenced the design of other secure messaging apps (including WhatsApp). Signal has been heavily analysed and, as a result, is rightly regarded as setting the "gold standard" for messaging apps by the scientific community. We present two practical attacks that break the integrity properties of Signal in its advertised threat model. Each attack arises from different features of Signal that are poorly documented and have eluded formal security analyses. The first attack, affecting Android and Desktop, arises from Signal's introduction of identities based on usernames (instead of phone numbers) in early 2022. We show that the protocol for resolving identities based on usernames and on phone numbers introduced a vulnerability that allows a malicious server to inject arbitrary messages into one-to-one conversations under specific circumstances. The injection causes a user-visible alert about a change of safety numbers, but if the users compare their safety numbers, they will be correct. The second attack is even more severe.
It arises from Signal's Sealed Sender (SSS) feature, designed to allow sender identities to be hidden. We show that a combination of two errors in the SSS implementation in Android allows a malicious server to inject arbitrary messages into both one-to-one and group conversations. The errors relate to missing key checks and the loss of context when cryptographic processing is distributed across multiple software components. The attack is undetectable by users and can be mounted at any time, without any preconditions. As far as we can tell, the vulnerability has been present since the introduction of SSS in 2018. We disclosed both attacks to Signal. The vulnerabilities were promptly acknowledged and patched: the first vulnerability was fixed two days after disclosure, while the second one was patched after eight days. Beyond presenting these devastating attacks on Signal's end-to-end security guarantees, we discuss more broadly what can be learned about the challenges of deploying new security features in complex software projects.
--- Synchronet 3.21d-Linux NewsLink 1.2