From Newsgroup: sci.crypt

## In this issue
1. [2025/1319] Bridging Usability and Performance: A Tensor ...
2. [2026/171] Spectral Theory of Isogeny Graphs and Quantum ...
3. [2026/203] Impossibility of CPAD security for a class of FHE ...
4. [2026/220] Optimizing Differential Privacy in Federated ...
5. [2026/328] NeuralCPA: A Deep Learning Perspective on Chosen- ...
6. [2026/366] Careful with the Ring: Enhanced Hybrid Decoding ...
7. [2026/404] Ultra short signatures with Dragon $HFE_{LL'}$
8. [2026/523] RISC-V based Vectorization of Classic McEliece Key ...
9. [2026/524] Distance of RAA Codes over Large Finite Fields ...
10. [2026/525] SoK: Understanding zkVM: From Research to Practice
11. [2026/526] Broken By Design: A Longitudinal Analysis of ...
12. [2026/527] QR-UOV without Rejection Sampling: Security ...
13. [2026/528] Full Secret Key Recovery of First-order Masked ...
14. [2026/529] Benchmarking Exported Key Material from Commercial ...
15. [2026/530] Balthazar Wallet: Making Password Authentication ...
16. [2026/531] A Review of IC Logical Reverse Engineering Techniques
17. [2026/532] S-two Whitepaper
18. [2026/533] A Maliciously-Secure Post-Quantum OPRF from Crypto ...
19. [2026/534] Ciphertext-Policy ABE for $\mathsf{NC}^1$ Circuits ...
20. [2026/535] Improved Related-Key Differential Neural ...
21. [2026/536] Exploring the Boundary: Discriminative Model-based ...
22. [2026/537] Cheap Digit Decomposition and Large Plaintext ...
23. [2026/538] Proof-Carrying Data via Holography Accumulation
24. [2026/539] Orca And Dolphin: Efficient Bivariate And ...
25. [2026/540] Ticket to Hide: Private, Practical Proofs of ...
26. [2026/541] Towards Verifiable AI with Lightweight ...
27. [2026/542] VERIDP: Verifiable Differentially Private Training
28. [2026/543] MTSF --- Market-Theoretic Security Framework: A ...
29. [2026/544] HARE: Compact HQC via Distance-Informed Erasure ...
30. [2026/545] Aggregator-Based Voting using proof of Partition
31. [2026/546] Hyperelliptic Gluing Isogeny DiffierCoHellman ...
32. [2026/547] Dialga: A Family of Low-Latency Tweakable Block ...
33. [2026/548] Post-Quantum Cryptography from Quantum Stabilizer ...
34. [2026/549] Look Ahead! Practical CCA-secure Steganography: ...
35. [2026/550] Solving the Linear Code Equivalence Problem from ...
36. [2026/551] Succinct Verification of Lattice-Based Compressed ...
37. [2026/552] NI-DKG: Non-Interactive Distributed Key Generation ...
38. [2026/553] Graph-based Asynchrony with Quasilinear Complexity ...
39. [2026/554] PrivaLean: Low-Latency and High-Accuracy System for ...
40. [2026/555] Improved Issuer Hiding for BBS-based Anonymous ...
41. [2026/556] TP-NTT: Batch NTT Hardware with Application to ...
42. [2026/557] On Post-Quantum Signature with Message Recovery ...
43. [2026/558] Cryptanalysis of four arbitrated quantum signature ...
44. [2026/559] PrivaDE: Privacy-preserving Data Evaluation for ...
45. [2026/560] High-Order Galois Automorphisms for TNFS Linear Algebra
46. [2026/561] SynCirc: Efficient Synthesis of Depth-Optimized ...
47. [2026/562] New Approaches to Zero-Knowledge SNARG Constructions
48. [2026/563] Optimizing FROST for Message Capacity
49. [2026/564] TAPAS: Efficient Two-Server Asymmetric Private ...
50. [2026/565] Zeeperio: Verifying Governmental Elections with ...
51. [2026/566] Secret-Shared Shuffle from Authenticated Correlations
52. [2026/567] Accurate Parameter Estimates for Punctured Key ...
53. [2026/568] Low-Depth Construction of Grover Oracles from Fully ...
54. [2026/569] Hybrid KEM Constructions from Classical PKEs and ...
55. [2026/570] iToken: One-Time-Use Anonymous Token with Issuance ...
56. [2026/571] Playing Tag with Okamoto-Schnorr: Three-Move ...
## 2025/1319
* Title: Bridging Usability and Performance: A Tensor Compiler for Autovectorizing Homomorphic Encryption
* Authors: Edward Chen, Fraser Brown, Wenting Zheng
* [Permalink](https://eprint.iacr.org/2025/1319)
* [Download](https://eprint.iacr.org/2025/1319.pdf)
### Abstract
Homomorphic encryption (HE) offers strong privacy guarantees by enabling computation over encrypted data. However, the performance of tensor operations in HE is highly sensitive to how the plaintext data is packed into ciphertexts. Large tensor programs introduce numerous possible layout assignments, making it both challenging and tedious for users to manually write efficient HE programs.
In this paper, we present Rotom, a compilation framework
that autovectorizes tensor programs into optimized HE programs. Rotom systematically explores a wide range of layout assignments, applies state-of-the-art optimizations, and automatically generates an equivalent, efficient HE program. At its core, Rotom utilizes a novel, lightweight ApplyRoll layout conversion operator to easily modify the underlying data layouts and unlock new avenues for performance gains. Our evaluation demonstrates Rotom scalably compiles all tensor workloads in under 5 minutes, reduces rotations in hand-tuned protocols by up to 3|u, and achieves up to 80|u performance improvement over prior autovectorization systems.
## 2026/171
* Title: Spectral Theory of Isogeny Graphs and Quantum Sampling of Secure Supersingular Elliptic Curves
* Authors: Maher Mamah, Jake Doliskani, David Jao
* [Permalink](https://eprint.iacr.org/2026/171)
* [Download](https://eprint.iacr.org/2026/171.pdf)
### Abstract
In this paper, we study the problem of sampling random supersingular elliptic curves with unknown endomorphism rings. This problem has recently gained considerable attention as many isogeny-based cryptographic protocols require such ``secure'' curves for instantation, while existing methods achieve this only in a trusted-setup setting. We present the first provable quantum polynomial-time algorithms for sampling such curves with high probability, one of which is based on an algorithm of Booher et. al. One variant runs heuristically in $\tilde{O}(\log^{4} p)$ quantum gate complexity, and in $\tilde{O}(\log^{13} p)$ under the Generalized Riemann Hypothesis, and outputs a curve that is provably secure assuming average-case hardness of the endomorphism ring problem. Another variant samples uniform $\mathcal O$-oriented curves with unknown endomorphism rings, for any imaginary quadratic order $\mathcal O$, with security based on the hardness of Vectorization problem. When accompanied by an interactive quantum computation verification protocol our algorithms provide a secure instantiation of the CGL hash function and related primitives.

Our analysis relies on a new spectral delocalization result for supersingular $\ell$-isogeny graphs: we prove the Quantum Unique Ergodicity conjecture and provide numerical evidence for complete eigenvector delocalization. We also prove a stronger $\varepsilon$-separation property for eigenvalues of isogeny graphs than that predicted in the quantum money protocol of Kane, Sharif, and Silverberg, thereby removing a key heuristic assumption in their construction.
## 2026/203
* Title: Impossibility of CPAD security for a class of FHE schemes
* Authors: Marina Checri, Pierre-Emmanuel Clet, Marc Renard, Renaud Sirdey
* [Permalink](https://eprint.iacr.org/2026/203)
* [Download](https://eprint.iacr.org/2026/203.pdf)
### Abstract
In this paper, we focus on the class of at least linearly homomorphic schemes such that their homomorphic addition operator is itself a linear operator over the ciphertext domain. This class of schemes, which we refer to as HELLHO schemes, notably encompasses the basic variant of most practically used FHE schemes such as BFV, BGV, CKKS and TFHE, as long as their mode of operation allows for homomorphic additions not immediately followed by bootstrapping, but also several extensions of them as well as other less mainstream proposals based on other assumptions.
Although the aforementioned specific FHE are known to be CPAD insecure due to the existence of concrete attacks against them in that model, we first show by a simple argument that no HELLHO scheme can achieve CPAD security. Moving one step further, we also establish several counter-intuitive facts for the class of HELLHO schemes: for example that any CCA2 attack can be turned into a CPAD one or that, still only for this class of schemes, CCA1 security is equivalent to CPAD1 security (a strictly weaker ``CCA1-style'' variant of CPAD). Among other practical consequences, the results in this paper notably allow to show that instantiating the Dynamic Error Estimation (DEE) heuristic of Li et al. (Crypto'22) from any ``natural'' (R)LWE-based schemes cannot yield a CPAD secure scheme. As another notable consequence, we further exhibit a practical KRD attack on the DE-CKKS scheme, which is presently supported in OpenFHE. We conclude the paper by experimental results showing that this attack is able to perform a full key recovery on DE-CKKS in a matter of hours on an average laptop PC.
## 2026/220
* Title: Optimizing Differential Privacy in Federated Analytics under Known Input Distributions
* Authors: Ferran Alborch, Andreas Athanasiou, Pascal Reisert
* [Permalink](https://eprint.iacr.org/2026/220)
* [Download](https://eprint.iacr.org/2026/220.pdf)
### Abstract
Differential privacy (DP) is one of the most efficient tools for protecting the privacy of individual data holders under computation. This property guarantees that the computation outputs for every pair of adjacent input sets are statistically indistinguishable with respect to a given parameter +|, which is independent of the likelihood that specific inputs occur or not. While the distribution of input sets is generally unknown, in some use cases (approximate) information about it might be available. If the latter is the case, two adjacent inputs of one individual are sometimes already obfuscated by other inputs and the computation itself (i.e., without any additional noise). For example, if the sum of n independent and identically distributed uniformly random bits outputs approximately n/2, both values for the first bit remain (almost) equally likely for large n.
Based on this observation, we present a new DP mechanism that uses an estimate of the input distribution to reduce the noise addition (compared to standard DP) and hence improves the accuracy of the output. We first explore this idea in the central model, where a single central party collects all data. Then, we provide a new technique (possibly of independent interest) that allows multiple entities to jointly generate reduced noise, using the property of infinite divisibility. This allows each party to individually add noise to their respective inputs, e.g., in Federated Analytics applications.
We apply our theoretical results, both for the single and multi-party setups, to perform data analysis over human resources data from different subsidiaries within a corporate group. Our benchmarks show that our new DP mechanism provides more accurate outputs while retaining the same privacy level as state-of-the-art DP approaches using the geometric mechanism.
## 2026/328
* Title: NeuralCPA: A Deep Learning Perspective on Chosen-Plaintext Attacks
* Authors: Xuanya Zhu, Liqun Chen, Yangguang Tian, Gaofei Wu, Xiatian Zhu
* [Permalink](https://eprint.iacr.org/2026/328)
* [Download](https://eprint.iacr.org/2026/328.pdf)
### Abstract
A Chosen-Plaintext Attack (CPA) is a cryptographic analysis game for encryption, where an adversary queries an encryption oracle with plaintexts and observes the mapping to their ciphertexts. At an arbitrary time, it provides two challenge plaintexts but receives only one ciphertext, and finally guesses which of the two challenge plaintexts has been encrypted. Neural distinguishers, as a powerful representative of Artificial Intelligence (AI) methods, have been recently used in cryptographic analysis methods. However, they cannot directly be applied to perform CPA due to different input requirements and objectives. This work aims to address this gap. We provide the first rigorous and systematic formulation of CPA from a deep learning perspective. Specifically, we introduce NeuralCPA, a novel deep neural network-based method designed for the evaluation of block cipher CPA security as an initial effort for AI-based CPA analysis. We empirically validate its effectiveness across a diverse range of block ciphers, including SIMON, SPECK, LEA, HIGHT, XTEA, TEA, PRESENT, AES, and KATAN. Our experimental results confirm that NeuralCPA consistently achieves significant distinguishing advantages in round-reduced settings. Notably, our attack success rate ranges from 51% to 76.4%.
## 2026/366
* Title: Careful with the Ring: Enhanced Hybrid Decoding Attacks against Module/Ring-LWE
* Authors: Jianhua Hou, Haodong Jiang
* [Permalink](https://eprint.iacr.org/2026/366)
* [Download](https://eprint.iacr.org/2026/366.pdf)
### Abstract
In order to reduce size and improve efficiency, many lattice-based cryptographic schemes adopt structured variants of the Learning With Errors (LWE) problem, such as the Module-LWE and Ring-LWE. Nevertheless, when analyzing the concrete security of lattice-based schemes, these algebraic structures are usually not considered, given the absence of techniques to exploit them for accelerating known attacks.
For the widely-used polynomial ring $\mathbb{Z}_q[X]/(x^N+1)$, we first propose an enhanced hybrid decoding attack against Module/Ring-LWE by leveraging the ring structure to accelerate its guessing and decoding steps. Then, we theoretically show that compared to the prior hybrid decoding attack, our new attack can lead to a complexity improvement by a factor of $O(N)$ in sparse secret setting. Moreover, we implement our new enhanced hybrid decoding attack on the benchmark instances established by [WSM+25, S{\&}P], and achieve several new records. In particular, compared with state-of-the-art methods given by [KKN+26, EC], our approach is 17$\times$ to 114$\times$ faster on the known broken instances. Finally, we show how to estimate the concrete bit security with our new hybrid attack under the same model as in the lattice estimator, and perform the analyses of the latest sparse Ring-LWE parameter sets used in Fully Homomorphic Encryption (FHE) schemes including [JM22, EC], [CCKS23, CCS], [BCKS24, EC], [CHKS25, EC] and [AKP25, C]. The numerical results show that compared to the best-known attack, our enhanced attack can improve the attack complexity by up to 13 bits for all the considered parameter sets. In particular, under our new enhanced hybrid decoding attack, 12 out of the 16 parameter sets fall below the targeted 128-bit security level.
## 2026/404
* Title: Ultra short signatures with Dragon $HFE_{LL'}$
* Authors: Jacques Patarin, Jan Vacek
* [Permalink](https://eprint.iacr.org/2026/404)
* [Download](https://eprint.iacr.org/2026/404.pdf)
### Abstract
We will present in this paper two new (post-Quantum) multivariate signature schemes, one with short signature, called $HFE_{LLrCO}$, and one with even shorter ("ultra-short") signatures, called $D-HFE_{LLrCO}$. These two schemes are variants of the HFE scheme (one of the most studied multivariate schemes) with a new and specific use of the $LLrCO$ perturbation. In the last years, HFE suffered new attacks, specially MinRank attacks, but thanks to our specific $LLrCO$ perturbation, our schemes resist all know attacks.
## 2026/523
* Title: RISC-V based Vectorization of Classic McEliece Key Generation
* Authors: Mahnaz Namazi Rizi, Nusa Zidaric, Lejla Batina, Nele Mentens
* [Permalink](https://eprint.iacr.org/2026/523)
* [Download](https://eprint.iacr.org/2026/523.pdf)
### Abstract
Quantum computers can break or weaken classical cryptography using ShorrCOs and GroverrCOs algorithms. This threat drives the development of post-quantum cryptography (PQC) algorithms, such as the Classic McEliece (CM) algorithm, which resists quantum attacks by relying on hard problems in coding theory. However, the complex computation and large key size make it challenging to implement CM in an efficient way in terms of computational performance. This research is the first to thoroughly explore and implement RISC-V Vector Extensions (RVV) for the acceleration of the CM key generation process. First, an evaluation is done of auto-vectorized and manually vectorized implementations of CM using the RISC-V Vector Extension Version 1.0 (RVV1.0), based on multiple vector register configurations. Further, several new custom RVV instructions are proposed to speed up the implementation even more. The presented work gives insight into the practical implementation capabilities of RVV for the speed-up of CM key generation on an FPGA.
## 2026/524
* Title: Distance of RAA Codes over Large Finite Fields (with Applications in zkSNARKs and PCGs)
* Authors: Pariya Akhiani, Yupeng Zhang
* [Permalink](https://eprint.iacr.org/2026/524)
* [Download](https://eprint.iacr.org/2026/524.pdf)
### Abstract
Error-correcting codes play a central role in modern cryptography, enabling efficient constructions of primitives such as zero knowledge proofs and secure multiparty computations. Among them, repeat-accumulate-accumulate (RAA) codes have recently attracted significant attention due to their linear-time encoding and good distance properties. However, prior work only established provable distance guarantees over the binary field or over finite fields whose size is smaller than the message length. The underlying techniques do not extend to larger fields. This restriction is significant, as many cryptographic constructions based on error-correcting codes operate over large finite fields.
In this paper, we prove that RAA codes achieve constant relative distance $0<\delta\le \frac{1}{2}$ with high probability over large finite fields. Moreover, we resolve an open conjecture by showing for the first time that the distance of RAA codes improves over large fields. We provide both theoretical analysis and empirical evidence demonstrating that, compared to the binary case, large fields yield strictly better distance guarantees with much smaller failure probabilities.
Our empirical evaluation shows that for message length $n=2^{15}$ and repetition factor $r=4$, the RAA code over a 31-bit prime field achieves relative distance $1/2$, except with failure probability $2^{-16}$. This is better than the best provable distance of $\delta = 0.2$ with failure probability $2^{-7}$ over the binary field. Leveraging our improved distance bounds, we obtain a 2.6$\times$ reduction in the proof size of a polynomial commitment scheme based on RAA codes compared to using the binary-field bound, and a 5.4$\times$ reduction compared to a prior construction based on expand-accumulate codes.
## 2026/525
* Title: SoK: Understanding zkVM: From Research to Practice
* Authors: Yunbo Yang, Yuejia Cheng, Haibo Tang, Guomin Yang, Bingsheng Zhang, Kui Ren
* [Permalink](https://eprint.iacr.org/2026/525)
* [Download](https://eprint.iacr.org/2026/525.pdf)
### Abstract
Zero-knowledge virtual machine (zkVM) is a powerful infrastructure for proving the correctness of a program execution with a succinct proof, attracting significant interest from researchers, developers, and users. It has been widely used in applications such as blockchain rollups, privacy-preserving machine learning, and off-chain computation. As the field grows, a wide range of zkVMs have been proposed. However, they adopt different choices in instruction formats, trace layouts, and proving backends, which results in a highly heterogeneous design landscape and makes it difficult to understand the relations among these systems.
To bridge this gap, we provide a comprehensive study of zkVMs that covers both their theoretical foundations and practical implementations. We decompose zkVMs into three layers: (1) the ISA layer, which defines instruction semantics and determines the structure of the execution trace, (2) the VM layer, which captures program execution and organizes constraints through modular circuit components, and (3) the proving layer, which converts execution traces into algebraic constraints and generates the final proofs. This decomposition allows us to isolate the role of each layer while also examining how they interact in real systems. To give readers a more direct understanding of how these design choices affect performance, scalability, and usability, we conduct a comprehensive experimental evaluation of representative zkVMs following this layered framework. Finally, we conclude the paper by summarizing the main observations from our analysis and outlining several potential directions for zkVM design and implementation.
## 2026/526
* Title: Broken By Design: A Longitudinal Analysis of Cryptographic Failures in Alipay Mobile Payment Infrastructure
* Authors: Jiqiang Feng
* [Permalink](https://eprint.iacr.org/2026/526)
* [Download](https://eprint.iacr.org/2026/526.pdf)
### Abstract
We present a systematic security analysis of Alipay's APK signing certificate, issued in 2009 using md5WithRSAEncryption with RSA-1024 and still active in 2026, serving over one billion users. Through 15 reproducible proof-of-concept attacks organized as a complete kill chain, we demonstrate that every layer of Alipay's cryptographic infrastructure is exploitable using known techniques and commodity hardware.
Our analysis spans four attack surfaces: (1) certificate-layer weaknesses including MD5 collision generation in 9 seconds and SHA-1 collision feasibility at $5K-$8K; (2) signature scheme vulnerabilities including Janus (CVE-2017-13156) code injection and five distinct v1 signature bypass techniques; (3) key management failures including hardcoded DES keys with Shannon entropy of 1.75-2.50 bits/byte (vs. 8.0 bits/byte ideal) and RSA key reuse across 69 APK modules; and (4) ecosystem-level PRNG failures evidenced by 8 shared prime factors across 28 RSA keys recovered via batch GCD from TLS server certificates associated with the mobile payment ecosystem.
Our analysis reveals ecosystem-level cryptographic decay: 38 of 123 certificates (30.9%) use RSA-1024, and batch GCD factoring uncovers 8 shared primes across 28 keys. Liveness probing of 5 servers whose RSA private keys were fully recovered confirmed that 3 remain operational with vulnerable TLS configurations. Responsible disclosure to Ant Group on January 15, 2026 received a response classifying all findings as normal functionality on March 10, 2026. We release all proof-of-concept code and an automated APK cryptographic audit tool for independent verification.
## 2026/527
* Title: QR-UOV without Rejection Sampling: Security Analysis and High-Speed Implementation
* Authors: Hiroshi Amagasa, Hiroki Furue, Rei Ueno, Naofumi Homma
* [Permalink](https://eprint.iacr.org/2026/527)
* [Download](https://eprint.iacr.org/2026/527.pdf)
### Abstract
QR-UOV is a multivariate signature scheme derived from UOV that achieves compact public keys by exploiting quotient-ring structure, making it a promising candidate for post-quantum digital signatures. In QR-UOV, most parts of the public map are constructed by extending the public key seed using PRG. This public key expansion for QR-UOV includes rejection sampling to generate coefficients uniformly over $\mathbb{F}_q$, since QR-UOV uses a small odd-prime base field. However, this rejection sampling introduces extra data movement and irregular control flow. For the recommended parameter set, public-key expansion accounts for nearly 90% of the QR-UOV verification time.
In this paper, we propose No Rejection Sampling (NoRS) QR-UOV, which removes rejection sampling from public-key expansion and leaves the generation of secret-dependent coefficients unchanged. Concretely, the rejected value $q$ is deterministically mapped to $0$, which simplifies coefficient generation but introduces a slight bias in the resulting coefficient distribution. We evaluate the security impact of this modification through both theoretical and concrete analyses. Our results indicate that, for the proposed parameter sets, NoRS QR-UOV preserves the claimed security levels.
On the implementation side, we develop a high-speed implementation of NoRS QR-UOV for x86 processors with AES-NI and AVX2. Benchmark results on a Skylake platform show that NoRS consistently accelerates QR-UOV at all security levels, with the largest gain in signature verification.
For the AES-128-based implementation, the verification cost is reduced from $0.43$ to $0.30$ Mcycles at security level I, with similar improvements at levels III and V, corresponding to about $1.4\times$ speedup. Overall, the results suggest that relaxing coefficient uniformity in public-key expansion is a practical and effective design choice for QR-UOV.
## 2026/528
* Title: Full Secret Key Recovery of First-order Masked Crystals-Kyber implementation using multiple distinct chosen-ciphertexts
* Authors: Souhayl Ben El Haj Soulami, Yann Connan, Sylvain Duquesne
* [Permalink](https://eprint.iacr.org/2026/528)
* [Download](https://eprint.iacr.org/2026/528.pdf)
### Abstract
Abstract. We present a novel side-channel attack on first-order masked implementations of Crystals-Kyber. It deploys a new distinguisher in the context of post-quantum cryptography. It relies on combining the in
formation from several instances of the same distinguisher via multiple ciphertexts decryption requests. The attack has been performed on simu
lation and illustrated on the masked implementation of Bronchain et al..
This attack is instantiated in a very noisy environment (Signal-to-Noise
Ratio (SNR) of 0.67) and provides a success rate of 95% with 75000
traces for full secret key recovery.
## 2026/529
* Title: Benchmarking Exported Key Material from Commercial QKD Systems Using SENTRY-Q: A Model-Based Output Validator
* Authors: Darshit Suratwala, Matvey Romanowski, Orr Dunkelman, Elham Amini, Jean-Pierre Seifert
* [Permalink](https://eprint.iacr.org/2026/529)
* [Download](https://eprint.iacr.org/2026/529.pdf)
### Abstract
Quantum Key Distribution (QKD) enables two par-
ties to establish fresh cryptographic key material with information-
theoretic security guarantees, given an authenticated classical
channel and appropriate device and threat models. As QKD
deployments mature from laboratory settings into production-
grade field infrastructure, a practical gap emerges: protocol-level
metrics such as quantum bit error rate (QBER) and secret key
rate (SKR) characterise the quantum link but do not directly
specify how exported key blocks as consumed by downstream
key management systems (KMS) and cryptographic applications
should be validated for stable, anomaly-free behaviour at the
delivery interface. This paper addresses that operational gap. We
present an anonymised benchmark study of three commercial
QKD systems using SENTRY-Q, a reproducible measurement
workflow that computes five block-level indicators Hamming
weight balance, min-entropy proxy, LempelrCoZiv complexity, Borel
normality deviation, and serial correlation complemented by
a long-stream NIST SP 800-22 sanity check applied to the
concatenated key pool. The study covers N =10,000 exported 256-
bit keys per system, spanning a laboratory DV-QKD link (System-
1,re+20 km), a dark-fibre field DV-QKD deployment (System-2,
re+100 km), and a laboratory CV-QKD system (System-3). We scope
the contribution as model-based output benchmarking, not as a
proof of conditional secrecy. Within that scope, all three systems
exhibit block-level distributions consistent with unbiased reference expectations with Hamming weight medians of exactly 128.0 bits
and min-entropy medians of 241.85 bits across all systems however,
the NIST long-stream sanity check reveals system-differentiated
anomalies: a Non-Overlapping Template Matching failure in
System-2 and an Overlapping Template Matching failure with
borderline Binary Matrix Rank in System-3, that are invisible
to block-level analysis. These anomalies do not constitute proven
security vulnerabilities; rather, they represent operationally signif-
icant signals that warrant engineering investigation. Critically, the block-level and long-stream analysis layers detect fundamentally
different failure classes and cannot substitute for one another,
both are necessary components of a complete key-delivery-pipeline
benchmarking workflow. We discuss deployment implications and
provide a standardised regression-testing artefact suitable for
acceptance and longitudinal monitoring workflows.
## 2026/530
* Title: Balthazar Wallet: Making Password Authentication Practical on Web3 via OPAQUE and Privacy-Preserving Smart Contracts
* Authors: Tomas Krajci, Samuel Oleksak, Ivan Homoliak
* [Permalink](https://eprint.iacr.org/2026/530)
* [Download](https://eprint.iacr.org/2026/530.pdf)
### Abstract
Username & password is the most common authentication method in Web2 because of its high usability and efficient protection against brute-force attacks by applying rate limits on the server. In contrast, Web3 wallets cannot securely support password-derived keys. Passwords typically have low entropy, and because blockchain environments are public and impose no rate limits on brute-force attempts, attackers can repeatedly test guesses offline until the private key is recovered.
In this work, we present a novel password-based blockchain wallet that enables secure management of private keys (of any blockchain type) within a privacy-preserving smart contract platform (PPP). To store the keys, we adapt the OPAQUE protocol to fit the decentralized environment of blockchains and leverage the properties of TEE within PPP. Our design consists of the client, relay, and smart contract deployed at PPP. To this end, we propose the user enrollment protocol and private key retrieval protocol that require knowledge of the username and password and apply blockchain-enforced rate limits on guessing attempts.
Our implementation is based on the Oasis Sapphire confidential EVM as an instance of PPP. Our system implements OPAQUErCOs Oblivious Pseudorandom Function (OPRF) inside a smart contract, allowing the contract to act as the protocolrCOs server while keeping the long-term OPRF key protected within the enclave. During authentication, the client performs a blinded OPRF interaction so that neither the password nor its derivatives are revealed to the relay, blockchain, or the public.
Experiments show that a single authentication attempt requires approximately 500k and 300k gas for 2048-bit and 1024-bit numbers within finite-field DLP, respectively, while one-time registration costs approximately 270k gas.
## 2026/531
* Title: A Review of IC Logical Reverse Engineering Techniques
* Authors: Kevin Xu, Lucas Daudt Franck, Samuel Pagliarini
* [Permalink](https://eprint.iacr.org/2026/531)
* [Download](https://eprint.iacr.org/2026/531.pdf)
### Abstract
In the modern, globalized supply chain for application specific integrated circuits (ASICs), reverse engineering (RE) techniques can be employed for malicious and benign reasons. This survey defines the specific problem of logical RE from a hardware security perspective, examines the earliest RE-adjacent techniques, organizes contemporary RE works by both objective and methodology, and summarizes publication trends and the evolution of logical RE over the years. We review existing techniques, tracing their evolution from manual evaluation and structural analysis to graph theory and machine learning-based solutions. In addition, the survey identifies common trends and evaluation practices, discussing the strengths and drawbacks of the current literature. We also present a set of unique unaddressed problems, highlighting areas that have not been sufficiently explored as well as completely novel problems in ASIC RE. In conclusion, our findings provide a valuable foundation for researchers interested in RE and the future of the field.
## 2026/532
* Title: S-two Whitepaper
* Authors: Dan Carmon, Lior Goldberg, Ulrich Hab||ck, Leonardo Lerer, Ilya Lesokhin
* [Permalink](https://eprint.iacr.org/2026/532)
* [Download](https://eprint.iacr.org/2026/532.pdf)
### Abstract
This whitepaper describes S-two, a circle STARK (Hab||ck, Levit, Papini 2024) over the Mersenne prime field with modulus $p =2^{31} -1$.
We formalize the "flat AIR" circuit model, a modern arithmetization paradigm used by several contemporary zero-knowledge virtual machines, and we provide an in-depth security analysis of our proof of proximity for flat AIRs.
For the latter, we highlight the importance of "cross-domain correlated agreement", a notion which is crucial for taming the soundness error of multi-table proofs. We show that multi-table circle FRI satisfies this notion up to the Johnson bound of the code, and we discuss two plausible conjectures on the list-decodability and line-decodability of Reed-Solomon codes, which are in alignment with the recent progress on proximity gaps.
## 2026/533
* Title: A Maliciously-Secure Post-Quantum OPRF from Crypto Dark Matter
* Authors: Diego F. Aranha, Aron van Baarsen, Adam Blatchley Hansen, Kent Nielsen, Peter Scholl
* [Permalink](https://eprint.iacr.org/2026/533)
* [Download](https://eprint.iacr.org/2026/533.pdf)
### Abstract
We construct protocols for oblivious pseudorandom functions (OPRFs) based on alternating moduli assumptions in the "Crypto Dark Matter" paradigm (Boneh et al, TCC 2016). Prior OPRFs based on this type of assumption were only secure against a semi-honest adversary. We show how to obtain maliciously secure protocols, by leveraging new cut-and-choose techniques for generating correlated randomness based on vector oblivious linear evaluation (VOLE), which allow efficient conversions between different moduli in zero-knowledge and secure two-party computation.
Compared with the state-of-the-art GOLD OPRF (Yang et al, S\&P 2025), our construction has a faster online phase in all settings, as well as overall better efficiency in the small-batch setting. Furthermore, our construction supports obtaining a secret-shared output, and can be extended to handle secret-shared inputs. This opens up additional applications in variants of private set intersection and secure database operations.
## 2026/534
* Title: Ciphertext-Policy ABE for $\mathsf{NC}^1$ Circuits with Constant-Size Ciphertexts from Succinct LWE
* Authors: Jiaqi Liu, Yuanyi Zhang, Fang-Wei Fu
* [Permalink](https://eprint.iacr.org/2026/534)
* [Download](https://eprint.iacr.org/2026/534.pdf)
### Abstract
We construct a lattice-based ciphertext-policy attribute-based encryption (CP-ABE) scheme for $\mathsf{NC}^1$ access policies with constant-size ciphertexts. Let $\lambda$ be the security parameter. For an $\mathsf{NC}^1$ circuit of depth $d$ and size $s$ on $\ell$-bit inputs, our scheme has the public-key and ciphertext sizes $O(1)$ (independent of $d$), and secret-key size $O(\ell)$, where the $O(\cdot)$ hides $\operatorname{poly}(\lambda)$ factors. As an application, we obtain a broadcast encryption scheme for $N$ users with ciphertext size $\operatorname{poly}(\lambda)$ independent of $\log N$ and key sizes $\operatorname{poly}(\lambda,\log N)$. Our construction is selectively secure in the standard model under the $\operatorname{poly}(\lambda)$-succinct LWE assumption introduced by Wee (CRYPTO 2024).
## 2026/535
* Title: Improved Related-Key Differential Neural Distinguishers for SPN Block Ciphers
* Authors: Chuchu Ge, Qichun Wang
* [Permalink](https://eprint.iacr.org/2026/535)
* [Download](https://eprint.iacr.org/2026/535.pdf)
### Abstract
Related-key differential neural distinguishers have recently attracted increasing attention in block-cipher cryptanalysis, yet their construction still relies heavily on cipher-specific manual design. In this paper, we study the systematic construction of related-key differential neural distinguishers for lightweight substitutionrCopermutation network (SPN) block ciphers and propose a unified framework covering difference selection, dataset construction, network architecture, and training and evaluation. Within this framework, we develop a feature-enhancement method that exploits the invertibility of SPN components to derive representations more informative about the final-round internal state, and a sample-enhancement method that reuses each plaintext pair across related keys to derive multiple ciphertext-pair relations, thereby enriching each sample without increasing the plaintext budget. We validate the proposed framework on SKINNY-64/64 and PRESENT-64/80. Experimental results demonstrate that the proposed method can effectively construct multi-round related-key differential neural distinguishers, with accuracy improving consistently as the number of plaintext pairs per sample increases. In particular, for SKINNY-64/64, the single-pair setting achieves classification accuracies of 100.0%, 68.2%, and 59.3% for 7, 8, and 9 rounds, respectively, providing, to the best of our knowledge, the first experimental results on related-key differential neural distinguishers for this cipher. For PRESENT-64/80, under the four-pair setting, the proposed method achieves competitive distinguishing performance up to 9 rounds, with accuracies of 95.6%, 72.0%, and 53.7% for 7, 8, and 9 rounds, respectively.
## 2026/536
* Title: Exploring the Boundary: Discriminative Model-based Parameter Search for Fault Injection
* Authors: Ju-Hwan Kim, Dong-Guk Han
* [Permalink](https://eprint.iacr.org/2026/536)
* [Download](https://eprint.iacr.org/2026/536.pdf)
### Abstract
Fault Injection (FI) attacks are physical attacks designed to induce specific malfunctions in target devices. The reliable induction of intended faults requires precise tuning of fault parameters. However, existing parameter search strategies typically suffer from an imbalance between exploration and exploitation. This limitation frequently leads to premature convergence to local optima or inadequate investigation of high-potential regions. In this paper, we propose a novel parameter search framework that employs an ensemble of discriminative models to efficiently generate parameter candidates with high success probabilities. Our approach integrates a regression model to explore the boundary between normal and mute verdicts-leveraging the boundary hypothesis-and a classification model to exploit discovered intended fault samples. Furthermore, we introduce the Refining Successive Halving Algorithm (RSHA) to efficiently identify the global optimum among the discovered fault parameters with statistical confidence. Extensive validation across eight scenarios, involving Voltage Glitching (VG) and Electromagnetic Fault Injection (EMFI), demonstrates that our method consistently outperforms state-of-the-art techniques. Specifically, it identifies up to $42.2\times$ more unique intended fault parameters and improves success rates by up to 20.3 percentage points compared to the best-performing baseline.
## 2026/537
* Title: Cheap Digit Decomposition and Large Plaintext Spaces in FHEW using Phase Splitting
* Authors: Leonard Schild, Aysajan Abidin, Bart Preneel
* [Permalink](https://eprint.iacr.org/2026/537)
* [Download](https://eprint.iacr.org/2026/537.pdf)
### Abstract
Fully homomorphic encryption algorithms enable users to perform computation on encrypted data. Since the first candidate scheme was proposed in 2009 by Gentry, schemes have rapidly improved in all metrics, be it computational complexity or memory efficiency. The class of accumulator based schemes which include FHEW and TFHE are designed to operate on small data, usually ranging between 4 and 5 bits. Yet, schemes can be effectively leveraged in practice and enable lifting of small data to larger plaintext domains through the use of so-called programmable bootstrapping, the ability to evaluate arbitrary functions on an encrypted datum with time independent of the function.
In this work, we present novel methods for homomorphic digit decomposition, the task of efficiently breaking up a large encrypted datum, vastly exceeding the conventional plaintext domain size, into a radix representation for a chosen basis. Our approach relies on a computationally inexpensive decomposition of a ciphertext into chunks that can be assembled into the original message, without requiring that such chunks correspond to actual digits. Asymptotically, our approach doubles the performance compared to prior work and practically is 90% faster than the state of the art by Liu et al. As a direct consequence of our digit decomposition, we describe how to increase the size of the plaintext domain by a large factor, while only doubling the computational complexity and not causing a super-polynomial slowdown. Although concurrent works on functional bootstrapping reach similar improvements regarding the plaintext domain, our approach shines through its conceptual simplicity and flexibility.
## 2026/538
* Title: Proof-Carrying Data via Holography Accumulation
* Authors: Nikitas Paslis, Carla R|afols, Alexandros Zacharakis
* [Permalink](https://eprint.iacr.org/2026/538)
* [Download](https://eprint.iacr.org/2026/538.pdf)
### Abstract
Succinct non-interactive arguments of knowledge (SNARKs) enable the verification of complex computations via short proofs. Recursive proof composition allows long-running or distributed computations to be verified incrementally, but existing approaches exhibit a fundamental trade-off. Folding-based schemes achieve highly efficient recursion but require provers to maintain and communicate large private state, while stateless approaches such as full SNARK recursion and atomic accumulation incur higher prover costs due to the need to produce and verify a full SNARK proof at each step. We introduce holography accumulation, a framework for stateless recursive proving for SNARKs based on the lincheck or checkable subspace arguments. These SNARKs admit a natural decomposition of verification into witness-dependent checks and public polynomial evaluations encoding the computation. We show that the latter, which we call holographic checks, can be accumulated efficiently across recursive steps. To formalize this idea, we introduce generalized bilinear forms (GBF), a linear-algebraic abstraction capturing the holographic verification procedures of several modern SNARKs. Using this abstraction, we construct generic PCD schemes compatible with both univariate and multivariate polynomial commitment schemes, and present an efficient decider that collapses the accumulated checks to a single polynomial evaluation.
## 2026/539
* Title: Orca And Dolphin: Efficient Bivariate And Multilinear Polynomial Commitment Schemes Under Standard Assumptions
* Authors: Helger Lipmaa
* [Permalink](https://eprint.iacr.org/2026/539)
* [Download](https://eprint.iacr.org/2026/539.pdf)
### Abstract
Most polynomial commitment schemes have either superlinear prover time or superconstant argument size. Recently, Ganesh, Patranabis, and Singh introduced SamaritanPCS, and Eagen and Gabizon proposed Mercury. Both build on efficient univariate polynomial IOPs that lift univariate polynomial commitment schemes (PCSs) to the multilinear setting, enabling sum-check-based multilinear polynomial IOPs for prover-efficient zk-SNARKs with small communication. Since multilinear PCSs are fundamental building blocks of zk-SNARKs, they must be secure under minimal assumptions while remaining maximally efficient. However, SamaritanPCS and Mercury achieve knowledge soundness only in the joint random-oracle and algebraic-group model. We introduce Orca and Dolphin, optimized bivariate and multilinear PCSs, respectively. We prove that their interactive evaluation protocols have computational special soundness in the standard model, assuming that KZG satisfies binding and interpolation binding (both secure under ARSDH). Thus, they have knowledge soundness in the random oracle model. Both schemes can have a more efficient evaluation protocol that is knowledge sound in the joint random-oracle and algebraic-group model. Dolphin's evaluation phase is more efficient than either SamaritanPCS's or Mercury's.
## 2026/540
* Title: Ticket to Hide: Private, Practical Proofs of Provenance for TLS
* Authors: Ryan Little, Daniel S. Roche, Mayank Varia
* [Permalink](https://eprint.iacr.org/2026/540)
* [Download](https://eprint.iacr.org/2026/540.pdf)
### Abstract
When using Transport Layer Security (TLS), web users can connect to a server and trust that they are sending and receiving data with the intended web server. This guarantee, however, is not transferable: there is no immediate way for a client to convince an external party that a transcript or message originated from a particular server. Beginning with the DECO protocol of Zhang et al., there has been a line of work on "TLS oracles"rCocryptographic protocols that allow a client to commit to, prove provenance, and disclose arbitrary properties of TLS application data to a verifier party. TLS oracles only require the server to run standard TLS, making them compatible with existing real-world web servers.
In this work we introduce Ticket to Hide, a new TLS oracle protocol for TLS 1.3. We operate in the multi-server setting, previously explored in the DiStefano protocol by Celi et al., in which the client additionally wishes to hide the identity of the server they are communicating with among a set of $N$ publicly known servers. We leverage new features of TLS 1.3 in surprising ways to yield performance and security benefits, resulting in a protocol that is both faster and more private than previous work. Additionally, we are the first TLS oracle protocol to be compatible with post-quantum secure TLS key agreement and certificates. Our implementation, which builds on top of the Garble-then-Prove framework of Xie et al., scales to $N=100$ servers in less than 3 seconds of end-to-end time in a WAN settingrCoonly 3.5$\times$ the latency of a regular TLS 1.3 interaction.
## 2026/541
* Title: Towards Verifiable AI with Lightweight Cryptographic Proofs of Inference
* Authors: Pranay Anchuri, Matteo Campanelli, Paul Cesaretti, Rosario Gennaro, Tushar M. Jois, Hasan S. Kayman, Tugce Ozdemir
* [Permalink](https://eprint.iacr.org/2026/541)
* [Download](https://eprint.iacr.org/2026/541.pdf)
### Abstract
When large AI models are deployed as cloud-based services, clients have no guarantee that responses are correct or were produced by the intended model. Rerunning inference locally is infeasible for large models, and existing cryptographic proof systemsrCowhile providing strong correctness guaranteesrCointroduce prohibitive prover overhead (e.g., hundreds of seconds per query for billion-parameter models). We present a verification framework and protocol that replaces full cryptographic proofs with a lightweight, sampling-based approach grounded in statistical properties of neural networks. We formalize the conditions under which trace separation between functionally dissimilar models can be leveraged to argue the security of verifiable inference protocols. The prover commits to the execution trace of inference via Merkle-tree-based vector commitments and opens only a small number of entries along randomly sampled paths from output to input. This yields a protocol that trades soundness for efficiency, a tradeoff well-suited to auditing, large-scale deployment settings where repeated queries amplify detection probability, and scenarios
with rationally incentivized provers who face penalties upon detection. Our approach reduces proving times by several orders of magnitude compared to state-of-the-art cryptographic proof systems, going from the order of minutes to the order of milliseconds, with moderately larger proofs. Experiments on ResNet-18 classifiers and Llama-2-7B confirm that common architectures exhibit the statistical properties our protocol requires, and that natural adversarial strategies (gradient-descent re-construction, inverse transforms, logit swapping) fail to produce traces that evade detection. We additionally present a protocol in the refereed delegation model, where two competing servers enable correct output identification in a logarithmic number of rounds.
## 2026/542
* Title: VERIDP: Verifiable Differentially Private Training
* Authors: Behzad Abdolmaleki, Amir R. Asadi, Vahid R. Asadi, Stefan K||psell, Bhavish Mohee, Nahid Roustaeifar, Maryam Zarezadeh
* [Permalink](https://eprint.iacr.org/2026/542)
* [Download](https://eprint.iacr.org/2026/542.pdf)
### Abstract
Stochastic Gradient Descent (SGD) is the foundation of modern machine learning (ML). In privacy-sensitive settings, gradients can reveal details about individual data points. Differential Privacy (DP) protects sensitive data during ML training by clipping gradients and adding calibrated Gaussian noise. However, existing frameworks assume semi-honest participants, which fails in adversarial or federated environments where malicious actors can bypass or alter the noise addition process, breaking privacy guarantees.
We present VERIDP, a framework for verifiable differentially private training that cryptographically enforces and proves the correct execution of differentially private stochastic gradient descent (DP-SGD) in zero knowledge. VERIDP integrates Zero-Knowledge Proofs (ZKPs) with polynomial commitments, sumcheck and GKR-based proofs, and incrementally verifiable computation (IVC) to generate compact proofs of correct gradient computation, clipping, averaging, and Gaussian noise generationrCowithout revealing private data or randomness. Unlike previous systems that only verify the final privacy budget, VERIDP enables per-iteration verifiability of each model update, providing strong privacy assurances even in adversarial settings. This establishes a novel and complete Zero-Knowledge Proof of Differentially Private Stochastic Gradient Descent (ZK-DPSGD), uniting differential privacy and verifiable computation for secure and auditable ML. Our evaluation shows that prover time increases linearly with the number of input samples, while both verifier time (2rCo5 ms) and proof size (3rCo4 KB) remain compact and effectively constant.
## 2026/543
* Title: MTSF --- Market-Theoretic Security Framework: A Unified Paradigm For The Art Of Proving and Disproving Security
* Authors: Basker Palaniswamy, Paolo Palmieri
* [Permalink](https://eprint.iacr.org/2026/543)
* [Download](https://eprint.iacr.org/2026/543.pdf)
### Abstract
Cryptographic security proofs are the invisible backbone of modern digital systems, yet they remain fragmented across multiple paradigmsrCogame-based proofs, Universal Composability (UC), formal verification, and ad hoc insecurity argumentsrCoeach with its own language, assumptions, and limitations. This paper introduces the \textbf{Market-Theoretic Security Framework (MTSF)}, a unified paradigm that reinterprets all security proofs as economic markets. In this view, the defender acts as a seller offering \emph{security goods} (such as confidentiality or unforgeability), while the adversary acts as a buyer bidding computational resources to break them. Security emerges naturally as \emph{market equilibrium}, where no efficient adversary can afford to win, while insecurity is characterized as \emph{market collapse}, where attacks succeed at negligible cost.
For cryptographers, MTSF provides a rigorous and expressive framework that unifies four major proof paradigms into a single formal language. It introduces key technical innovations such as the \textbf{extended difference lemma} for handling multiple simultaneous failure events, \textbf{bidding-based reductions} that explicitly model adversarial strategies, a \textbf{dual methodology that treats proofs and disproofs symmetrically within the same structure}, and a \textbf{session pinging mechanism} for unbounded session verification. The framework seamlessly extends to classical and post-quantum primitives, real-world protocols (including TLS~1.3 and Signal), and even quantum-adversarial settings, while preserving quantitative security bounds and composability guarantees.
MTSF offers an intuitive, accessible, and powerful mental model: security is like a marketplace where attackers try to ``buy'' a break, and defenders ensure the price is prohibitively high. Each proof becomes a sequence of small price adjustments, and each attack corresponds to a failed or successful bid. By combining mathematical rigor with economic intuition, MTSF transforms security proofs from opaque technical artifacts into transparent, auditable, and universally understandable arguments, enabling both experts and practitioners to reason about security with clarity and confidence.
## 2026/544
* Title: HARE: Compact HQC via Distance-Informed Erasure Decoding
* Authors: Tianrui Wang, Qicheng Teng, Anyu Wang, Jun Zhang, Bo Pang, Chunhuan Zhao, Sihuang Hu, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2026/544)
* [Download](https://eprint.iacr.org/2026/544.pdf)
### Abstract
We present HARE, a KEM scheme based on the HQC framework with reduced public key and ciphertext sizes. The core idea is to introduce a distance-informed erasure decoding technique for the concatenated code: leveraging distance information from the inner code to identify unreliable blocks and treat them as erasures, which are then corrected by the outer code. By combining this technique with the ciphertext compression method introduced by Bitzer et al. in EUROCRYPT 2026 and refined parameter choices, we achieve a lower decryption failure rate, enabling more compact parameters. Compared to HQC, HARE reduces the combined size of public key and ciphertext by 13.2%, 12.3%, and 13.3% for NIST security levels 1, 3, and 5, respectively.
## 2026/545
* Title: Aggregator-Based Voting using proof of Partition
* Authors: Marius Lombard-Platet, Doron Zarchy
* [Permalink](https://eprint.iacr.org/2026/545)
* [Download](https://eprint.iacr.org/2026/545.pdf)
### Abstract
We present Aggios, a scalable and privacy preserving proxy voting system designed for frequent and large-scale elections such as Decentralized Autonomous Organizations (DAO), when storing votes on the bulletin board is expensive. To this end, Aggios introduces `aggregators': entities to which voters delegate their votes, and who then post their batched proofs on the public ledger. Aggios achieves strong integrity guarantees: only authorized voters can vote, votes are counted correctly, voters are assured their vote is counted.
At the core of Aggios, lies a novel zero-knowledge argument, which we call the Extended Partition Argument (EPA), that allows a prover to demonstrate that a committed vector can be decomposed into multiple disjoint ``subvectors'' forming a partition, each subvector of public (or not) sizes. The argument is compatible with a universal SRS, does not require precomputation, and offers efficient proving and verification complexity. We prove security of the EPA in the algebraic group model.
Our implementation of EPA shows suitability of the argument even for very large vectors.
Using the EPA as the central block to Aggios, we show that our voting scheme is at least 512 times more compact than naive casting of $N$ votes, and can even be size-independent of the number of voters in the optimal case, thus offering a practical route to frequent and privacy-preserving voting at scale.
## 2026/546
* Title: Hyperelliptic Gluing Isogeny DiffierCoHellman (HGIDH): A Genus-2 Gluing Isogeny Key-Exchange
* Authors: Nouhou Abdou Idris, Mustapha Hedabou
* [Permalink](https://eprint.iacr.org/2026/546)
* [Download](https://eprint.iacr.org/2026/546.pdf)
### Abstract
In this work, we propose Hyperelliptic Gluing Isogeny DiffierCo
Hellman (HGIDH), a key-exchange protocol built from gluing isogenies
between the product of two supersingular elliptic curves and the Jacobian
of a genus-2 hyperelliptic curve. The protocol leverages the FreyrCoKani correspondence, using maximal isotropic subgroups of (E1 |u E2)[N] to
construct principally polarized abelian surfaces. Private keys are encoded
as four scalars defining a non-cyclic, two-dimensional kernel, thereby
avoiding the structural weaknesses exploited in SIDH-style attacks.
We formalize the computational tasks underlying attacks on HGIDH
through two intermediate problem formulations, which abstract the recovery of gluing kernels and the computation of genus-2 isogenies. We
show that any efficient adversary solving these problems can be transformed into an algorithm solving standard supersingular isogeny problems, situating the security of HGIDH within the established hardness
landscape. Furthermore, we analyze the resistance of the construction
to known classical and quantum attacks, including torsion-point attacks
and CostellorCoSmith-style meet-in-the-middle strategies.
## 2026/547
* Title: Dialga: A Family of Low-Latency Tweakable Block Ciphers using Multiple Linear Layers (Full Version)
* Authors: Subhadeep Banik, Tatsuya Ishikawa, Takanori Isobe, Ryoma Ito, Kazuhiko Minematsu, Kazuma Nakata, Mostafizar Rahman, Kosei Sakamoto
* [Permalink](https://eprint.iacr.org/2026/547)
* [Download](https://eprint.iacr.org/2026/547.pdf)
### Abstract
In this paper, we propose Dialga, a family of low-latency tweakable block ciphers designed to support 128/256-bit tweaks and 256-bit keys. Dialga achieves significantly small latency by leveraging multiple novel strategies. These include the use of multiple linear layers with efficient cell permutations, which enhance security against differential and linear attacks with negligible hardware overhead. We also identify the optimal choice of S-boxes for these permutations using state-of-the-art evaluation methods by SAT, enabling us to further reduce the delay of the round function. Besides, we design a reflection tweakey schedule that ensures strong security in the related-tweak setting and allows for encryption and decryption without delay overhead, reducing the circuit area.
We conducted comprehensive hardware benchmarks involving Dialga and other primitives. As a result, Dialga achieves nearly half the delay of QARMAv2, while achieving approximately a 40% reduction in area, with the same claimed security.
-aWe also demonstrate that Dialga enables an efficient low-latency TBC-based authenticated encryption instantiation: Flat-+yCB based on Dialga compares favorably with AES-256-GCM in hardware, achieves substantially lower delay than AES-256-GCM.
## 2026/548
* Title: Post-Quantum Cryptography from Quantum Stabilizer Decoding
* Authors: Jonathan Z. Lu, Alexander Poremba, Yihui Quek, Akshar Ramkumar
* [Permalink](https://eprint.iacr.org/2026/548)
* [Download](https://eprint.iacr.org/2026/548.pdf)
### Abstract
Post-quantum cryptography currently rests on a small number of hardness assumptions, posing significant risks should any one of them be compromised. This vulnerability motivates the search for new and cryptographically versatile assumptions that make a convincing case for quantum hardness.
In this work, we argue that decoding random quantum stabilizer codes---a quantum analog of the well-studied LPN problem---is an excellent candidate. This task occupies a unique middle ground: it is inherently native to quantum computation, yet admits an equivalent formulation with purely classical input and output, as recently shown by Khesin et al. (STOC '26). We prove that the average-case hardness of quantum stabilizer decoding implies the core primitives of classical Cryptomania, including public-key encryption (PKE) and oblivious transfer (OT), as well as one-way functions. Our constructions are moreover practical: our PKE scheme achieves essentially the same efficiency as state-of-the-art LPN-based PKE, and our OT is round-optimal. We also provide substantial evidence that stabilizer decoding does not reduce to LPN, suggesting that the former problem constitutes a genuinely new post-quantum assumption.
Our primary technical contributions are twofold. First, we give a reduction from random quantum stabilizer decoding to an average-case problem closely resembling LPN, but which is equipped with additional symplectic algebraic structure. While this structure is essential to the quantum nature of the problem, it raises significant barriers to cryptographic security reductions. Second, we develop a new suit of scrambling techniques for such structured linear spaces, and use them to produce rigorous security proofs for all of our constructions.
## 2026/549
* Title: Look Ahead! Practical CCA-secure Steganography: Cover-Source Switching meets Lattice Gaussian Sampling
* Authors: Russell W. F. Lai, Ivy K. Y. Woo, Hoover H. F. Yin
* [Permalink](https://eprint.iacr.org/2026/549)
* [Download](https://eprint.iacr.org/2026/549.pdf)
### Abstract
Steganography studies methods to not only protect the confidentiality of messages but also to conceal the very act of message transmission. Prior provably secure stegosystems are predominantly constructed based on a rejection sampling technique which achieves an encoding rate inversely proportional to the min-entropy of the cover channel. Furthermore, while replayable chosen-covertext attack (RCCA) secure stegosystems for general channels can be constructed based on standard cryptographic assumptions, it is known [Berndt and Li+ckiewicz, EUROCRYPT'18] that achieving (standard) CCA-security for channels with memory in the so-called non-look-ahead model is in general impossible and the only known CCA-secure construction crucially relies on the channels being memoryless.

In this work, we show that the impossibility on CCA-secure stegosystems can be circumvented, in the random oracle model, by dropping the non-look-ahead restriction and by restricting to a natural class of channels which we call "partially sampleable channels". These capture channels which partly consist of explicitly sampleable distributions, such as Gaussian sensor noise of digital photographs. To achieve a high encoding rate, we extend the formalisation of stegosystems to capture a technique known as "cover-source switching" in the practical steganography literature. This allows us to construct CCA-secure stegosystems for Gaussian channels using Gaussian preimage sampling techniques borrowed from lattice-based cryptography, which can theoretically achieve an embedding rate of $1/\omega(\log \log \lambda)$ regardless of the min-entropy of the channel.
Our prototype implementation suggests that our scheme is practical, achieving an embedding rate of 24.7% in 24-megapixel RAW images in around 1 minute per image.
## 2026/550
* Title: Solving the Linear Code Equivalence Problem from Single Codeword Matching
* Authors: Magali Bardet, Charles Brion, Ayoub Otmani, Mohamed Saeed, Nicolas Sendrier
* [Permalink](https://eprint.iacr.org/2026/550)
* [Download](https://eprint.iacr.org/2026/550.pdf)
### Abstract
In the Linear Code Equivalence (LCE) problem, one seeks the isometry of the Hamming space $\mathbb{F}_q^n$ relating two given linear codes. This problem is considered computationally hard for any alphabet size $q \ge 5$. The matching codewords framework currently serves as the benchmark for evaluating the security of cryptographic schemes whose security relies on the hardness of LCE, such as the LESS signature scheme. The framework operates by identifying multiple low-weight codewords in both target codes until matching codewords are discovered, thereby revealing the underlying isometry.
Recent advancements improved this framework by introducing a new matching algorithm to decide whether two pairs of codewords match. While this technique offers better scalability than previous approaches and has led to enhanced attacks on LESS, it remains computationally intensive for certain parameter ranges.
In this work, we propose a novel method to determine if a single pair of codewords matches. Our approach is based on the Schur product by an inverse vector, $\mathcal{C} \star \mathbf{v}^{-1}$, defined component-wisely. We demonstrate that if the codes $\mathcal{C}_1$ and $\mathcal{C}_2$ are linearly equivalent and the codewords $\mathbf{v}_1$ and $\mathbf{v}_2$ match, then the resulting products $\mathcal{C}_1 \star \mathbf{v}_1^{-1}$ and $\mathcal{C}_2 \star \mathbf{v}_2^{-1}$ are permutation equivalent. Since the permutation equivalence problem is efficiently solvable, this provides a highly effective match-testing algorithm.
By leveraging this idea, we propose several algorithms that improve the asymptotic exponent of LCE solvers for all parameters. Notably, our method reaches the optimal asymptotic exponent of the framework for a wide range of parameters. When applied to LESS, our technique substantially reduces the best-known bit complexity; for instance, reducing the security of LESS-1 from 127 to 120 bits.
## 2026/551
* Title: Succinct Verification of Lattice-Based Compressed $\Sigma$-Protocols via Delegated Proofs of Correct Folding of Cryptographically Generated Public Parameters
* Authors: Anders Kalles|+e
* [Permalink](https://eprint.iacr.org/2026/551)
* [Download](https://eprint.iacr.org/2026/551.pdf)
### Abstract
Inner product arguments are a widely used primitive in cryptography. The bulletproofs framework and subsequently compressed $\Sigma$ protocols provide a powerful folding technique that allows for succinct communication complexity of these. However, their verification complexity remains linear. The linear part of the verification is the folding computation of the CRS for the given vector commitment scheme. We explore a new avenue by which to delegate this folding to the prover via an interactive proof that incorporates the setup function of the commitment scheme in the setting where the CRS is constructed cryptographically from a small seed. We use this proof to construct a succinctly verifiable compressed $\Sigma$ protocol for structured linear forms in the lattice setting.
## 2026/552
* Title: NI-DKG: Non-Interactive Distributed Key Generation Using Blockchain and Zero-Knowledge Proofs
* Authors: Alex Kampa, Pau Escrich, Marta Bell|-s-Mu|#oz, Roger Baig
* [Permalink](https://eprint.iacr.org/2026/552)
* [Download](https://eprint.iacr.org/2026/552.pdf)
### Abstract
We present a non-interactive DKG protocol that eliminates complaint procedures through the systematic use of ZK proofs. The protocol requires a timed public bulletin board with adjoined computing capacity as its coordination layer, a capability realized in practice by smart-contract-enabled blockchains. Existing smart-contract DKGs detect invalid contributions only after submission, requiring dispute phases that introduce timing constraints and attack surfaces. In our protocol, each participant submits a single zk-SNARK proving the correctness of their contribution: polynomial commitment consistency, Feldman verification equations, and correct share encryption. The smart contract rejects any invalid proof, simplifying the protocol to non-interactive phases delimited by block numbers. The protocol relies on standard primitives: Shamir's secret sharing, Feldman commitments, hashed ElGamal encryption, and Chaum-Pedersen discrete-log equality proofs, with on-chain verification via zk-SNARKs. We provide an implementation outline for EVM-compatible chains, including circuit specifications for key generation, threshold decryption, and optional secret key disclosure. We also discuss EVM verifier constraints on the number of public inputs and sketch approaches to address them.
## 2026/553
* Title: Graph-based Asynchrony with Quasilinear Complexity for Any Linear Verifiable Secret Sharing Scheme
* Authors: Hugo Delavenne, Lola-Baie Mallordy
* [Permalink](https://eprint.iacr.org/2026/553)
* [Download](https://eprint.iacr.org/2026/553.pdf)
### Abstract
Verifiable Secret Sharing (VSS) schemes usually consider synchronous communication, which cannot always be the case on real networks where packets can be lost or parties arbitrarily delayed. Allowing asynchrony adds a large overhead complexity cost: the dealer and communication complexity is in $O(n^2\log n)$ in state of the art $n$-parties Asynchronous VSS (AVSS) schemes [ABDM25], whereas there are synchronous schemes with only linear communications. To ensure that all honest parties agree on the same secret and are ready for reconstruction, AVSS schemes essentially perform a protocol similar to Bracha's broadcast [Bra87]. While this immediately bounds the overall communication complexity of the protocol to be at least in $O(n^2)$, this method enables to reach the maximum threshold of malicious parties of $t=n/3$. However, a smaller threshold $t$ may be sufficient for some use cases, and one may want to take advantage of this. We consider a statistical scheme, meaning that the correctness and termination properties are only guaranteed with good probability. We propose a new method to transform any linear VSS scheme into a statistical AVSS. We build a statistical AVSS protocol Bonneval-on-Arc where each party only communicates with $d$ neighbours, a situation that we model by a $d$-regular graph. We obtain quasilinear communication complexity for the dealer, and sublinear complexity for each party, and a corruption threshold $t < n/(d+2)$ as a tradeoff.
## 2026/554
* Title: PrivaLean: Low-Latency and High-Accuracy System for Secure 2PC Inference
* Authors: Jinghao Zhao, Hongwei Yang, Bobo Wang, Lichunxi Yang, Juncheng Li, Xiangrui Zeng, Meng Hao, Desheng Wang, Hui He, Weizhe Zhang
* [Permalink](https://eprint.iacr.org/2026/554)
* [Download](https://eprint.iacr.org/2026/554.pdf)
### Abstract
Secure multi-party computation offers a powerful paradigm for protecting private information. However, its significant computational overhead and high communication latency limit its further application. To address these challenges, we present PrivaLean, an innovative framework designed for low-round and high-accuracy secure two-party inference under the semi-honest model. The core design of PrivaLean focuses on two main dimensions. First, for linear layer evaluation, we propose two distinct optimizations: a local random ciphertext generation mechanism that avoids massive offline interactions to drastically reduce communication rounds, and an intermediate encoding method that significantly minimizes memory overhead for low-memory devices. Second, to conquer non-linear evaluation bottlenecks, we design a co-optimized scheme featuring a novel trigonometric activation protocol and a data-distribution-aware training strategy. The activation requires only a single communication round and avoids expensive online truncation, while the training strategy can adapt to the precise data distribution and mitigate overfitting through knowledge distillation. The final accuracy is even higher than that of the ReLU-based baseline. Comprehensive evaluations on large-scale networks (e.g., MiniONN, ResNet-32/-50) demonstrate that in a Wide Area Network setting, PrivaLean completes a single ResNet-50 inference in 125.02 seconds. Compared to the state-of-the-art system Cheetah, PrivaLean achieves significantly fewer communication rounds and a 50.5% reduction in inference latency.
## 2026/555
* Title: Improved Issuer Hiding for BBS-based Anonymous Credentials
* Authors: Nesrine Kaaniche, Seyni Kane, Maryline Laurent, Jacques Traor|-
* [Permalink](https://eprint.iacr.org/2026/555)
* [Download](https://eprint.iacr.org/2026/555.pdf)
### Abstract
Attribute-based anonymous credential systems often fail to hide the issuerrCOs identity. Recent attempts to address this issue either suffer from efficiency problems or contain critical policy vulnerabilities (where a policy is defined as the set of issuers that relying parties are willing to accept). More precisely, we present several attacks that exploit these vulnerabilities. These attacks allow a malicious user to collaborate with a single authorized issuer and forge credentials for arbitrary attributes. This enables the malicious user to usurp the powers of any trusted issuer.
To address these security and architectural gaps, we propose a novel BBS-based issuer-hiding credential system that adopts a signed-policy approach.
Our construction resolves several open challenges: (1) it is proven secure in the Algebraic Group Model (AGM) rather than the Generic Group Model (GGM), (2) it eliminates the requirement for \textit{secret policy} keys, allowing verification to be performed without secret values; and (3) it enables policy generation to be delegated to a trusted certification authority rather than requiring each relying party to maintain individual policy keys.
Furthermore, we introduce the first pairing-free variant of an issuer-hiding anonymous credential based on algebraic MACs.
The implementation results and formal security proofs confirm that our scheme achieves unforgeability and everlasting issuer-hiding anonymity and establishes our protocol as a practical, secure solution for privacy-preserving credential systems that is suitable for real-world deployment.
## 2026/556
* Title: TP-NTT: Batch NTT Hardware with Application to Relinearization
* Authors: Emre Ko|oer, Tolun Tosun, Beren Aydo-fan, Erkay Sava+f, Furkan Turan, Ingrid Verbauwhede
* [Permalink](https://eprint.iacr.org/2026/556)
* [Download](https://eprint.iacr.org/2026/556.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables arbitrary computation on encrypted data without decryption, providing strong privacy guarantees for secure cloud computing, encrypted analytics, and privacy-preserving machine learning. However, practical deployment of FHE remains limited by the high computational cost of polynomial arithmetic over large modular rings. In particular, Number Theoretic Transform (NTT)rCobased polynomial multiplication dominates the execution time of modern lattice-based FHE schemes. In this work, we present TP-NTT, a scalable, throughput-optimized NTT architecture supporting a wide range of ring dimensions used in FHE, from $2^{10}$ to $2^{16}$. Our design applies optimizations at multiple levels, from modular arithmetic to the NTT algorithm itself, including multi-dimensional decomposition without requiring additional multiplication blocks. The decomposition dimensionality is configurable at design time, supporting 2-D, 3-D, and 4-D decompositions, each advantageous in specific scenarios. Furthermore, TP-NTT provides design-time configurable throughput. Combined with its scalable architecture, this enables significant advantages for batch NTT operations compared to other works in the literature. At $n=2^{16}$, it outperforms the best-performing prior design by $8.03\times$ in average latency while achieving $1.26\times$ better arearCotime-product (ATP). To demonstrate its efficiency, we present a case-study on FHE relinearization, focusing on the BFV scheme. We propose a relinearization accelerator that leverages TP-NTTrCOs fast batch NTT capability, achieving a $34.65\times$ speed-up over state-of-the-art software implementations and highlighting TP-NTTrCOs effectiveness in real-world FHE applications.
## 2026/557
* Title: On Post-Quantum Signature with Message Recovery from Hash-and-Sign in QROM
* Authors: Bohang Chen, Shuai Han, Shengli Liu
* [Permalink](https://eprint.iacr.org/2026/557)
* [Download](https://eprint.iacr.org/2026/557.pdf)
### Abstract
Post-quantum signatures have been suffering from their inefficiency compared to traditional signatures. To reduce space consumption, a promising approach is to design signature schemes with message recovery, which can embed part of the message into the signature without increasing its length. A notable example is the PSS-R signature scheme (probabilistic signature scheme with recovery) proposed by Bellare and Rogaway (EUROCRYPT 1996) in the classical ROM (random oracle model). However, there were few works considering post-quantum signature schemes with message recovery.
In this work, we study the design of post-quantum signature scheme with message recovery in the QROM (quantum ROM). Specifically, we adapt the classic PSS-R signature scheme to the post-quantum setting and prove its security in the QROM. Our security proof is conceptually similar to the original proof of PSS-R, but faces challenges in QROM when we need to reprogram two random oracles with correlated inputs/outputs. To address these issues, we extend the tight adaptive reprogramming theorem (Grilo et al., ASIACRYPT 2021) and the measure-and-reprogram theorem (Don et al., CRYPTO 2020) to our setting, to support reprogramming two oracles successively, where the input to one oracle depends on the other oracle's output. With these extended proof techniques, we provide the first security proof of a PSS-R-like signature scheme with message recovery in the QROM.
## 2026/558
* Title: Cryptanalysis of four arbitrated quantum signature schemes
* Authors: Pierre-Alain Jacqmin, Jean Li|-nardy
* [Permalink](https://eprint.iacr.org/2026/558)
* [Download](https://eprint.iacr.org/2026/558.pdf)
### Abstract
Arbitrated quantum signature (AQS) schemes aim at ensuring the authenticity of a message with the help of an arbitrator. Moreover, they aim at preventing repudiation, both from a sender that denies the origin of a message, and from a receiver who disavows its reception. Such protocols use quantum communication and are often designed to protect quantum messages. In this paper, we study four recently submitted AQS schemes and propose attacks on their security.
Firstly, we look at Zhang, Sun, Zhang and Jia's AQS scheme which aims at signing quantum messages with chained CNOT encryption. We show that the sender can repudiate her messages and make false allegation of reception. Moreover, we show that a dishonest receiver can forge signatures.
Secondly, we analyse Ding, Xin, Yang and Sang's AQS protocol to sign classical messages based on GHZ states. We show that both the sender and the receiver have simple repudiation strategies.
Thirdly, we study Lu, Li, Yu and Han's AQS scheme that uses controlled teleportation to protect quantum messages. We expose forgeries, false allegation attacks and the possibility of repudiation by both parties.
Fourthly, we focus on the AQS scheme by Zhang, Xin, Sun, Li and Li designed to sign classical messages without entangled states. We show that one can disavow the reception of messages, and that information-theoretic security is not achieved for other security goals.
## 2026/559
* Title: PrivaDE: Privacy-preserving Data Evaluation for Blockchain-based Data Marketplaces
* Authors: Wan Ki Wong, Sahel Torkamani, Michele Ciampi, Rik Sarkar
* [Permalink](https://eprint.iacr.org/2026/559)
* [Download](https://eprint.iacr.org/2026/559.pdf)
### Abstract
Evaluating the usefulness of data before purchase is essential when obtaining data for high-quality machine learning models, yet both model builders and data providers are often unwilling to reveal their proprietary assets.
We present PrivaDE, a privacy-preserving protocol that allows a model owner and a data owner to jointly compute a utility score for a candidate dataset without fully exposing model parameters, raw features, or labels. PrivaDE provides strong security against malicious behavior and can be integrated into blockchain-based marketplaces, where smart contracts enforce fair execution and payment. To make the protocol practical, we propose optimizations to enable efficient secure model inference, and a model-agnostic scoring method that uses only a small, representative subset of the data while still reflecting its impact on downstream training. Evaluation shows that PrivaDE performs data evaluation effectively, achieving online runtimes within 15 minutes even for models with millions of parameters.
Our work lays the foundation for fair and automated data marketplaces in decentralized machine learning ecosystems.
## 2026/560
* Title: High-Order Galois Automorphisms for TNFS Linear Algebra
* Authors: Haetham Al Aswad, C|-cile Pierrot, Emmanuel Thom|-
* [Permalink](https://eprint.iacr.org/2026/560)
* [Download](https://eprint.iacr.org/2026/560.pdf)
### Abstract
The Number Field Sieve algorithm and its variants are the best known algorithms to solve the discrete logarithm problem in finite fields. When the extension degree is composite, the Tower variant TNFS is the most efficient. Looking at finite fields with composite extension degrees such as $6$ and $12$ is motivated by pairing-based cryptography that does not yet have a good quantum-resistant equivalent.
The two most costly steps in TNFS are the relation collection} and linear algebra steps. Although the use of order $k$ Galois automorphisms allows one to accelerate the relation collection step by a factor of $k$, their use to accelerate the linear algebra step remains an open problem. In previous work, this problem is solved for $k=2$, leveraging a quadratic acceleration factor equal to $4$.
In this article, we bring a solution both for $k=6$ and $k=12$. We propose a new construction that allows the use of an order $6$ (resp. $12$) Galois automorphism in any finite field $\mathbb{F}_{p^6}$ (resp. $\mathbb{F}_{p^{12}}$), thus accelerating the linear algebra step with approximately a factor of $36$ (resp. $144$). Moreover, we provide a SageMath implementation of TNFS and our construction, and validate our findings on small examples.
## 2026/561
* Title: SynCirc: Efficient Synthesis of Depth-Optimized Circuits from High-Level Languages (Extended Version)
* Authors: Arpita Patra, Joachim Schmidt, Thomas Schneider, Ajith Suresh, Hossein Yalame
* [Permalink](https://eprint.iacr.org/2026/561)
* [Download](https://eprint.iacr.org/2026/561.pdf)
### Abstract
Secure Multi-Party Computation (MPC) enables secure computation on private data. Many of today's efficient MPC protocols need a representation of the evaluated function as circuit composed of Boolean or Lookup Tables (LUTs). To improve the practicality of MPC, we present SynCirc, a hardware synthesis framework optimized for MPC applications. Built on Verilog and the open-source tool Yosys-ABC, SynCirc introduces custom libraries and constraints for multi-input AND gates, achieving up to $3\times$ reduction in multiplicative depth and online rounds compared to TinyGMW (Demmler et al., CCS'15).
SynCirc also offers an expanded library of efficient building blocks like comparison, multiplexers, equality checks and incorporates Boolean and LUT circuits. For these building blocks, we achieve improvements in multiplicative depth/online rounds between $22.3\%$ and $66.7\%$ over ShallowCC (B|+scher et al., ESORICS'16). Our evaluation using the FLUTE framework (Br|+ggemann et al., IEEE S&PrCO23) shows that SynCirc has $116\times$ less online communication than the multi-input AND gate protocol of Trifecta (Faraji and Kerschbaum, PETS'23).
SynCirc introduces novel capabilities, including enhanced support for High-Level Synthesis (HLS) with the XLS tool, enabling developers to create secure functions in C/C++ without the need for expertise in hardware definition languages like Verilog. SynCirc is an open-source toolchain that democratizes secure computation, simplifies circuit synthesis and makes advanced privacy-preserving technologies more accessible.
## 2026/562
* Title: New Approaches to Zero-Knowledge SNARG Constructions
* Authors: Chaya Ganesh, Mor Weiss
* [Permalink](https://eprint.iacr.org/2026/562)
* [Download](https://eprint.iacr.org/2026/562.pdf)
### Abstract
Zero-Knowledge Succinct Non-Interactive Arguments (zkSNARGs) are SNARGs in which the proof reveals nothing except the validity of the claim. zkSNARGs for NP can be constructed generically from SNARGs for NP using a Non-interactive Zero-knowledge (NIZK) proof, but this transformation uses either the NIZK or the SNARG in a non-black-box way.
We design a new SNARGs-to-zkSNARGs transformation that is conceptually different from the NIZK+SNARG approach. Our transformation is inspired by the elegant construction of succinct interactive ZK arguments of Ishai, Mahmoody and Sahai (TCC`12) which combines a cryptographic hash function with an information theoretic ZK proof system (specifically, a Probabilistically-Checkable Proof).
Our construction takes a first step towards fully black-box (BB) zkSNARG constructions: it uses the underlying SNARG as a black-box (though the other cryptographic components are used in a non-BB way). Our transformation is applicable to SNARGs for sub-classes of NP: batched NP computations (i.e., BARGs); and languages that have computational non-signaling PCPs, which contains NTISP (non-deterministic bounded space).
As a corollary, we get zkBARGs for NP, and zkSNARGs for NTISP, from the Learning With Errors (LWE) assumption. Thus, our results give a scaled-down version of the zkSNARGs-to-SNARGs reduction for NP, showing that by restricting to a sub-class of NP, the zkSNARG construction can be based on standard assumptions.
A main ingredient underlying our transformation is a new commitment primitive, called Hiding Somewhere-Extractable commitment (HSE), which we introduce and construct based on LWE. This commitment primitive enhances somewhere statistically-binding hash functions (Hub|i-iek and Wichs, ITCS 2015) to also guarantee hiding, and could be of independent interest.
## 2026/563
* Title: Optimizing FROST for Message Capacity
* Authors: Philipp Jovanovic, Ben Riva, Arnab Roy
* [Permalink](https://eprint.iacr.org/2026/563)
* [Download](https://eprint.iacr.org/2026/563.pdf)
### Abstract
The FROST threshold signature scheme achieves round optimal Schnorr signing through a double-nonce construction, but requires two presignatures per signature. Since each presignature demands an expensive distributed key generation (DKG) protocol, this overhead is significant for high-throughput applications. FROST builds on a core presignature protocol (that we call FROST-core) that uses hash-based re-randomization of presignatures. We investigate whether fewer presignatures can be used to sign multiple messages, improving FROST-core's message capacity.
We first show that the natural generalization of using $k$ presignatures for $k$ messages is insecure: an extended ROS attack enables forgery even for $k=2$. However, we prove that using $k+1$ presignatures for $k$ messages achieves security in the Generic Group Model combined with the Random Oracle Model. This improves message capacity from 50% (standard FROST-core) to $\frac{k}{k+1}$, approaching 100% as $k$ grows.
We further extend our analysis to a modified FROST-core protocol in which a set of presignatures is generated by different parties and used for signing $k$ messages. Security holds as long as at least $k+1$ presignatures were created by honest parties.
## 2026/564
* Title: TAPAS: Efficient Two-Server Asymmetric Private Aggregation Beyond Prio(+)
* Authors: Harish Karthikeyan, Antigoni Polychroniadou
* [Permalink](https://eprint.iacr.org/2026/564)
* [Download](https://eprint.iacr.org/2026/564.pdf)
### Abstract
PrivacyrCapreserving aggregation is a cornerstone for AI systems that learn from distributed data without exposing individual records, especially in federated learning and telemetry. Existing tworCaserver protocols (e.g., Prio and successors) set a practical baseline by validating inputs while preventing any single party from learning usersrCO values, but they impose symmetric costs on both servers and communication that scales with the perrCaclient input dimension $L$. Modern learning tasks routinely involve dimensionalities $L$ in the tens to hundreds of millions of model parameters.
We present TAPAS, a tworCaserver asymmetric private aggregation scheme that addresses these limitations along four dimensions: (i) no trusted setup or preprocessing, (ii) serverrCaside communication that is independent of $L$ (iii) postrCaquantum security based solely on standard lattice assumptions (LWE, SIS), and (iv) stronger robustness with identifiable abort and full malicious security for the servers. A key design choice is intentional asymmetry: one server bears the $O(L)$ aggregation and verification work, while the other operates as a lightweight facilitator with computation independent of $L$. This reduces total cost, enables the secondary server to run on commodity hardware, and strengthens the nonrCacollusion assumption of the servers. One of our main contributions is a suite of new and efficient lattice-based zero-knowledge proofs; to our knowledge, we are the first to establish privacy and correctness with identifiable abort in the two-server setting.
## 2026/565
* Title: Zeeperio: Verifying Governmental Elections with Ethereum
* Authors: Aikamdeep Malhotra, Aleksander Essex, Jeremy Clark
* [Permalink](https://eprint.iacr.org/2026/565)
* [Download](https://eprint.iacr.org/2026/565.pdf)
### Abstract
Scantegrity II became the first governmental election run with a cryptographic end-to-end election verification (E2E-V) protocol.
E2E-V protocols allow the public to verify proofs that the election was executed correctly, but participation in this important process is largely left as an opt-in, ad hoc exercise. We present Zeeperio, a special purpose zk-SNARK argument (built with application-specific arithmetization) that can issue proofs for Scantegrity elections that can be verified automatically via smart contracts for inexpensive on-chain verification. A Zeeperio verification contract running on Ethereum costs under $30 USD (at time of writing) per election (and the cost is constant in the number of ballots). By not relying on general purpose zk-SNARK toolkits, like circuit or zkVM compilers, Zeeperio's tailor-made argument offers multiple order-of-magnitude improvements to prover efficiency over implementations from the research literature. For example, Zeeperio requires under 5 hours on a commodity laptop for an election with 100,000 ballots to produce a proof in the kilobyte range.
## 2026/566
* Title: Secret-Shared Shuffle from Authenticated Correlations
* Authors: Xiangfu Song, Xiaojian Liang, Ye Dong, Jianli Bai, Pu Duan, Changyu Dong, Tianwei Zhang, Ee-Chien Chang
* [Permalink](https://eprint.iacr.org/2026/566)
* [Download](https://eprint.iacr.org/2026/566.pdf)
### Abstract
Shuffle is a basic primitive for secure computation. Secret-shared shuffle refers to oblivious permutation over secret-shared data, which has broad applications in secret-sharing-based secure computation. Since shuffle is typically used in highly sensitive applications, malicious security is often necessary to provide realistic security guarantees. This paper proposes a new family of two-party maliciously secure secret-shared shuffle protocols with linear communication/computation cost and constant-round communication. Achieving this goal has been proven non-trivial by several recent attempts. We answer this question by proposing a new and simple shuffle paradigm based on authenticated correlations. We start by proposing a simple and efficient protocol template based on authenticated correlations with linear cost and constant-round communication. The protocol can be enhanced to be fully authenticated against a malicious sender, which avoids selective-failure attacks that incur the main overhead in existing solutions. However, our roadmap introduces a consistency issue from a malicious receiver, and the challenge is how to resolve the issue while preserving the expected efficiency property. To this end, we propose new efficiency-preserving consistency checks, enabled by a set of new techniques, optimizations, and analyses. Combining the consistency checks with our framework based on authenticated correlations, we propose two maliciously secure secret-shared shuffle protocols with linear cost and constant-round communication. We have implemented our protocols. Performance evaluation shows that our protocols are faster with lower communication than the state-of-the-art.
## 2026/567
* Title: Accurate Parameter Estimates for Punctured Key Recovery Linear Attacks * Authors: TIm Beyne, Antonio Fl||rez-Guti|-rrez, Yosuke Todo
* [Permalink](https://eprint.iacr.org/2026/567)
* [Download](https://eprint.iacr.org/2026/567.pdf)
### Abstract
At EUROCRYPT 2024, Fl||rez-Guti|-rrez and Todo introduced the puncturing technique for linear key recovery attacks. Puncturing works by modifying the map which evaluates the linear approximation as a function of the plaintext, ciphertext and key by setting carefully chosen coordinates of its Fourier transform to zero. These modifications are intended to reduce the time complexity of the attack at the cost of an increase in data complexity. In this note, we revisit the model which is used to estimate the data complexity, clarify some of its underlying assumptions, and improve its accuracy. This leads to a revision of the cost estimates for several applications of puncturing in the literature, most notably for attacks whose data complexity is close to the full codebook.
## 2026/568
* Title: Low-Depth Construction of Grover Oracles from Fully Functional Quantum Circuits
* Authors: Behzad Abdolmaleki, Jiaqi Gu
* [Permalink](https://eprint.iacr.org/2026/568)
* [Download](https://eprint.iacr.org/2026/568.pdf)
### Abstract
The Grover oracle is the core component of the Grover search algorithm. Instead of constructing a Grover oracle from scratch, we consider the common practice of constructing a Grover oracle from an existing fully functional quantum circuit (FFQC). An FFQC typically performs computations for a primary target and includes ancilla restoration for qubits used as intermediate storage. Although such circuits can be directly integrated into an oracle, we find that this inevitably introduces circuit redundancy. To address this, we propose a low-depth transformation method that converts an existing FFQC into a low-depth Grover oracle. Additionally, our method can further reduce the width while retaining the previously achieved low depth. We analyse an implementation of the AES quantum circuit and further reduce the circuit width from 7280 to 7104.
## 2026/569
* Title: Hybrid KEM Constructions from Classical PKEs and Post-Quantum KEMs
* Authors: Biming Zhou, Yukai Zhang, Haodong Jiang, Yunlei Zhao
* [Permalink](https://eprint.iacr.org/2026/569)
* [Download](https://eprint.iacr.org/2026/569.pdf)
### Abstract
The rapid progress of quantum computing threatens widely deployed
public-key cryptosystems such as RSA and DiffierCoHellman, accelerating
the transition toward post-quantum cryptography (PQC).
During this migration, hybrid key encapsulation mechanisms (KEMs)
that combine classical and post-quantum primitives are strongly
recommended by standardization bodies and cybersecurity agencies.
However, existing hybrid designs mainly focus on combining
post-quantum KEMs with DiffierCoHellmanrCostyle constructions, while the systematic integration of standardized classical public-key encryption
(PKE) schemes with post-quantum KEMs remains largely unexplored.
In this work, we introduce two generic hybrid constructions,
$\mathsf{HybKEM}$ and $\mathsf{HybKEM}^{*}$, that combine a classical
PKE scheme with a post-quantum KEM satisfying ciphertext
second-preimage resistance (C2PRI).
We prove that both constructions achieve IND-CCA security in the
standard model. The refined construction $\mathsf{HybKEM}^{*}$ additionally relies on a
new security notion of the classical PKE scheme, termed
partial ciphertext second-preimage resistance (PC2PRI), which captures second-preimage resistance when a designated ciphertext component is
fixed.
This new property enables shared-key derivation from only a designated PKE ciphertext component in $\mathsf{HybKEM}^{*}$, leading to improved efficiency.
Finally, we provide a systematic analysis of the PC2PRI property for several standardized classical encryption schemes, including ECIES, PSEC, and SM2.
## 2026/570
* Title: iToken: One-Time-Use Anonymous Token with Issuance Hiding
* Authors: Zengpeng Li, Xiangyu Su, Dongfang Wei, Guangyu Liao, Mei Wang
* [Permalink](https://eprint.iacr.org/2026/570)
* [Download](https://eprint.iacr.org/2026/570.pdf)
### Abstract
Privacy-Enhancing Know Your Customer (KYC) integrates one-time-use anonymous tokens (OTATs) into self-sovereign identity frameworks, such as the EU Digital Identity (EUDI) Wallet, ApplerCOs Private Access Tokens, and W3CrCOs Privacy-Preserving Advertising proposals (e.g., Private State Tokens), to enable regulatory compliance while preserving user anonymity. To mitigate targeted denial-of-service (DoS) attacks and prevent token misuse (e.g., farming and replay), this paper designs a new OTAT, iToken, that first achieves issuer hiding not only at verification but also throughout issuance, thereby strengthening both OTATrCOs resilience and user privacy. We introduce a new primitive, a canonical blind ring signature (BRS), that adopts a blind-and-ring pattern, ensuring the ring structure is present from the outset and is initiated by the signer within the interactive blind signing protocol. We also provide two generic constructions, one from a linear function (LF) and homomorphic encryption, and another from an LF and a commit-and-prove sum argument. We finally prototype BRS and iToken, achieving efficient signing bandwidth and competitive computational performance.
## 2026/571
* Title: Playing Tag with Okamoto-Schnorr: Three-Move Pairing-Free Blind Signatures from DDH
* Authors: Rutchathon Chairattana-Apirom, Michael Reichle, Stefano Tessaro
* [Permalink](https://eprint.iacr.org/2026/571)
* [Download](https://eprint.iacr.org/2026/571.pdf)
### Abstract
This paper presents the first blind signature scheme in a pairing-free group with the following properties: (1) the signing protocol consists of only three moves; (2) the proof of one-more unforgeability relies solely on the Decisional Diffie-Hellman (DDH) assumption in the Random Oracle Model (ROM); and (3) the construction makes only black-box use of the underlying group. This resolves a major open problem in the area, as all prior pairing-free blind signatures either additionally relied on the Algebraic Group Model (AGM) or required at least four moves. Moreover, a recent lower bound by Dietz et al. (ePrint, '26) shows that three moves are optimal for such constructions.
Both the communication complexity and the signature size in our scheme consist of a constant number of group elements. Our construction in fact achieves strong one-more unforgeability (which was not known for any of the recent AGM-free constructions requiring four moves), and we also present a partially blind variant. Furthermore, blindness is statistical (in the ROM). Our approach is based on a new construction paradigm that combines a conventional (yet, by itself, not fully secure) blind signature scheme (specifically, the blind Okamoto-Schnorr scheme) with a carefully crafted algebraic MAC.
--- Synchronet 3.21f-Linux NewsLink 1.2