From Newsgroup: sci.crypt
## In this issue
1. [2025/1798] Threshold Blind Signatures from CDH
2. [2026/9] SIR: A Sparse-Interaction Keystream Generator with ...
3. [2026/303] $\mathsf{TalonG}$: Bandwidth-Efficient Two-Round ...
4. [2026/612] Improving ML Attacks on LWE with Data Repetition ...
5. [2026/613] Haechi: Simple Commitment-based Keyless In-person ...
6. [2026/614] Attacks on Sparse LWE and Sparse LPN with new ...
7. [2026/615] On the Security of MPC-in-the-Head Signatures with ...
8. [2026/616] On the properties of arithmetic crosscorrelation ...
9. [2026/617] Scaling of Memory and Bandwidth Requirements of ...
10. [2026/618] CAGP: A Quantum Canary Address Generation Protocol
11. [2026/619] Breaking the One-Way Property of a SHA-3 ...
12. [2026/620] AHAB: Asynchronous, High-throughput, Adaptively- ...
13. [2026/621] Efficient Conflict-Free NTT Hardware Architecture ...
14. [2026/622] Locally Computable High Independence Hashing
15. [2026/623] Bad Benchmarks and a Fourier-Analytic Framework for ...
16. [2026/624] Weak-key cryptanalysis of Blink
17. [2026/625] Securing Elliptic Curve Cryptocurrencies against ...
18. [2026/626] Deep Learning-Assisted Improved Differential Fault ...
19. [2026/627] Efficient and Parallel Implementation of Isogeny- ...
20. [2026/628] Fast and Compact Lattice-Based Registration-Based ...
21. [2026/629] Towards Formal Security Proofs of MQOM
22. [2026/630] Asymptotic Analysis of Ternary Sparse LWE
23. [2026/631] Rethinking r-PKP: a New Formulation for the Relaxed ...
24. [2026/632] A tight security analysis of the FIPS-205 standard ...
25. [2026/633] Progressive Sieving-Style Information-Set Decoding ...
26. [2026/634] PlasmaBlind: A Private Layer 2 With Instant Client- ...
27. [2026/635] Low-Stack HAETAE for Memory-Constrained ...
28. [2026/636] From LFSRs to LFGs: Periodicity and Structural ...
29. [2026/637] VeriRAG: Efficient Zero-Knowledge Proofs for ...
30. [2026/638] THED: Threshold Dilithium from FHE
31. [2026/639] Synchronous BFT with Provability and Fast Path for ...
32. [2026/640] MIKE (Module Isogeny Key Exchange): An b+#-c++-i-e ...
33. [2026/641] HyperVerITAS: Verifying Image Transformations at ...
34. [2026/642] SoK: The Weakest-Link Principle in Public Key ...
35. [2026/643] FOVA: Fast One-Shot Verifiable Aggregation for ...
36. [2026/644] Ordered Multi-Signatures from the DL Assumption
37. [2026/645] Toward Provable Security in Anamorphic Extension: ...
38. [2026/646] On Optimal Information-Theoretic Security in ...
39. [2026/647] SSLE-DAG: A High-Throughput Proof-of-Stake ...
40. [2026/648] Synthesis of RTL-based Characterization Programs ...
41. [2026/649] Perils of Parallelism: Transaction Fee Mechanisms ...
## 2025/1798
* Title: Threshold Blind Signatures from CDH
* Authors: Michael Reichle, Zo|- Reinke
* [Permalink](
https://eprint.iacr.org/2025/1798)
* [Download](
https://eprint.iacr.org/2025/1798.pdf)
### Abstract
Blind signatures are a versatile cryptographic primitive with many applications, especially in privacy-preserving technologies. Threshold blind signature schemes (TBS) enhance blind signatures with a signing procedure distributed among up to n signers to reduce the risk attached to the compromise of the secret key. So far, TBS constructions over groups rely on strong assumptions, e.g., the algebraic group model (AGM) or interactive assumptions. In this work, we propose two TBS based on the computational Diffie-Hellman assumption (CDH) in the ROM:
rCo The first TBS over pairing-free groups without the AGM.
rCo The first round-optimal TBS over pairing-based groups that does not rely on interactive assumptions.
The starting point for both constructions is the pairing-based signature scheme derived from Boneh-Boyen IBE (EurocryptrCO04), and their recent blind signature variants by Katsumata et al. (AsiacryptrCO23) and Kloo|f et al. (AsiacryptrCO24) based on the decisional Diffie-Hellman assumption (DDH).
We first remove the reliance on DDH in their schemes, then provide careful adaptations to the threshold setting.
## 2026/9
* Title: SIR: A Sparse-Interaction Keystream Generator with a Hardware-Oriented Architecture
* Authors: W.A. Susantha Wijesinghe
* [Permalink](
https://eprint.iacr.org/2026/009)
* [Download](
https://eprint.iacr.org/2026/009.pdf)
### Abstract
Lightweight keystream generators are widely used in resource-constrained digital systems, where implementation efficiency in area, power, and logic structure is a primary design concern. Conventional designs predominantly employ shift-register-based state propagation, in which diffusion is inherently coupled with sequential data movement. This work investigates an alternative architectural approach in which state mixing is achieved through sparse interaction among state variables, enabling a decoupling between diffusion and register propagation. We present \emph{SIR}, a sparse-interaction keystream generator with a 128-bit internal state composed of a nonlinear 64-bit primary state and a 64-bit auxiliary linear state. The primary state is updated using a compact four-input Boolean function applied over a fixed sparse neighbourhood, while the auxiliary state provides lightweight round-dependent perturbation. This structure realizes diffusion through parallel combinational interaction, leading to a distinct hardware profile characterized by reduced reliance on sequential storage and increased distributed logic. The architectural behaviour is evaluated through diffusion and statistical experiments, showing rapid propagation of local perturbations across the state within 14--15 rounds and no observable low-order dependence between internal state variables and output in the tested regime. Hardware implementation on a Xilinx Artix-7 FPGA requires 183 LUTs and 177 flip-flops, while ASIC synthesis using a 45\,nm standard-cell library results in an area of 3079 gate equivalents. Comparative evaluation with Grain-128, Trivium, and Espresso under identical implementation conditions demonstrates that the proposed architecture provides a competitive trade-off between combinational logic and sequential resources. The results indicate that sparse-interaction-based state evolution constitutes a viable architectural alternative for lightweight keystream generation, particularly in hardware-oriented and FPGA-based design settings.
## 2026/303
* Title: $\mathsf{TalonG}$: Bandwidth-Efficient Two-Round Threshold Signatures from Lattices
* Authors: Liming Gao, Guofeng Tang, Dingding Jia, Yijian Liu, Bingqian Liu, Xianhui Lu, Kunpeng Wang, Yongjian Yin
* [Permalink](
https://eprint.iacr.org/2026/303)
* [Download](
https://eprint.iacr.org/2026/303.pdf)
### Abstract
Threshold signatures split the secret key among $n$ parties, where any subset of at least $t$ parties can collaboratively produce a valid signature. They have been widely deployed in applications such as blockchain systems. Lattice-based threshold signatures have also attracted considerable attention due to their post-quantum security guarantees. However, existing lattice-based constructions still face significant efficiency challenges, particularly when the number of parties becomes large. Recent lattice-based threshold signatures such as TRaccoon (EurocryptrCO24) and Ringtail (S\&PrCO25) support large thresholds, but they either require three interaction rounds or incur heavy communication costs in the two-round setting, limiting their practicality.
In this paper, we present $\mathsf{TalonG}$, a novel two-round lattice-based threshold signature that overcomes these limitations via a new trapdoor semi-commitment technique. This variant of commitment relaxes the standard binding requirement to a weaker form, allowing an efficient instantiation from the NTRU assumption and enabling a compact two-round signing protocol with low communication.
For $t=1024$ and 128-bit security, $\mathsf{TalonG}$ achieves significant improvements among existing lattice-based threshold signatures: its total communication per party and public key size are both minimal, at 26.9 KB and 2.0 KB, respectively. While the resulting signature size is larger (17.7 KB), it remains practical and highly competitive. $\mathsf{TalonG}$ is thus well-suited for real-world large-scale deployments where both round efficiency and communication load are critical.
## 2026/612
* Title: Improving ML Attacks on LWE with Data Repetition and Stepwise Regression
* Authors: Alberto Alfarano, Eshika Saxena, Emily Wenger, Fran|oois Charton, Kristin Lauter
* [Permalink](
https://eprint.iacr.org/2026/612)
* [Download](
https://eprint.iacr.org/2026/612.pdf)
### Abstract
The Learning with Errors (LWE) problem is a hard math problem in lattice-based cryptography. In the simplest case of binary secrets, it is the subset sum problem, with error. Effective ML attacks on LWE were demonstrated in the case of binary, ternary, and small secrets, succeeding on fairly sparse secrets. The ML attacks recover secrets with up to 3 active bits in the "cruel region" (Nolte et al. 2024) on samples pre-processed with BKZ. We show that using larger training sets and repeated examples enables recovery of denser secrets. Empirically, we observe a power-law relationship between model-based attempts to recover the secrets, dataset size, and repeated examples. We introduce a stepwise regression technique to recover the "cool bits" of the secret.
## 2026/613
* Title: Haechi: Simple Commitment-based Keyless In-person Verifiable Elections * Authors: Jiwon Kim, Michael Naehrig, Olivier Pereira, Josh Benaloh
* [Permalink](
https://eprint.iacr.org/2026/613)
* [Download](
https://eprint.iacr.org/2026/613.pdf)
### Abstract
For decades, verifiable election systems have typically relied on encrypting ballots to maintain voter privacy. Encryption requires keys, and the management of these keys is usually one of the most cumbersome and error-prone components of the system. But in-person electionsrCowhere one or more devices are used to each collect many votesrCocan use cryptographic commitments rather than encryption and completely obviate the need for cryptographic keys, leading to solutions that are much simpler and more robust than the encryption-based approaches.
Currently deployed E2E-verifiable voting systems also produce large election records, which can sometimes become an obstacle to election verification, by increasing the cost of hosting, distributing, and verifying election data. Using modern techniques for compact ZK proofs, Haechi improves on past commitment-based and encryption-based solutions by drastically reducing the size of the election records, leading to improvements of over an order of magnitude compared to several real-world deployments.
## 2026/614
* Title: Attacks on Sparse LWE and Sparse LPN with new Sample-Time tradeoffs
* Authors: Shashwat Agrawal, Amitabha Bagchi, Rajendra Kumar
* [Permalink](
https://eprint.iacr.org/2026/614)
* [Download](
https://eprint.iacr.org/2026/614.pdf)
### Abstract
This paper extends the Kikuchi method to give algorithms for decisional $k$-sparse Learning With Errors (LWE) and $k$-sparse Learning Parity with Noise (LPN) problems for higher moduli $q$. We create a Kikuchi graph for a sparse LWE/LPN instance and use it to give two attacks for these problems. The first attack decides by computing the spectral norm of the adjacency matrix of the Kikuchi graph, which is a generalization of the attack for $q=2$ given by Wein et. al. (Journal of the ACM 2019). The second approach computes non-trivial closed walks of the graph, and then decides by computing a certain polynomial of edge labels in the walks. This is a generalization of the attack for $q=2$ given by Gupta et. al. (SODA 2026). Both the attacks yield new tradeoffs between sample complexity and time complexity of sparse LWE/LPN.
## 2026/615
* Title: On the Security of MPC-in-the-Head Signatures with Correlated GGM Trees
* Authors: Thibauld Feneuil, Matthieu Rivain
* [Permalink](
https://eprint.iacr.org/2026/615)
* [Download](
https://eprint.iacr.org/2026/615.pdf)
### Abstract
Recent MPC-in-the-Head techniques enable the construction of signature schemes with compact signature sizes from various hardness assumptions. These techniques rely on commitments based on GGM trees, which have been optimized to further reduce the signature size with the so-called one-tree or correlated tree optimizations. While the one-tree technique has no incidence on the security of the scheme, this is not obvious for the correlated tree technique, and a formal security analysis of this technique has been missing in the literature.
In this work, we fill this gap and provide the first formal security analysis of MPC-in-the-Head signature schemes based on correlated trees. We first exhibit a potential security flaw of this technique which rules out any hope for a security reduction to the underlying hardness assumption. In particular, we show that recovering the first $\lambda$ bits of the secret witness is sufficient to achieve a full key recovery (where $\lambda$ is the security level). The underlying assumption should hence be such that recovering these $\lambda$ bits is as hard as recovering the full witness. Some state-of-the-art schemes do not satisfy this condition, which prevents a direct application of the correlated tree technique.
We then provide a formal security proof for signature schemes based on the correlated tree technique under this degraded hardness assumption. Our proof comes in several variants, in the random oracle mode or in the ideal cipher model, depending on the specific correlated tree construction. We also introduce a tweak for the instantiation of the leaf seed expansion in the ideal cipher model, which allows us to achieve a tighter security reduction. Our result shows that MPC-in-the-Head signatures based on correlated trees can achieve strong security guarantees and provides the first formal security proof for the MQOM v2 signature scheme, the on-going candidate in the NIST post-quantum standardization process with the shortest signature size in the MPC-in-the-Head family.
## 2026/616
* Title: On the properties of arithmetic crosscorrelation for sequences with coprime periods
* Authors: Feifei Yan, Pinhui Ke
* [Permalink](
https://eprint.iacr.org/2026/616)
* [Download](
https://eprint.iacr.org/2026/616.pdf)
### Abstract
Arithmetic correlation is a critical performance measure for pseudorandom sequences generated by feedback with carry shift registers (FCSRs), extending classical correlation by accounting for carry propagation. Chen et al. proved that for binary sequences with coprime periods, the arithmetic crosscorrelation is constant, and established bounds for Legendre sequences and $m$-sequences. In this paper, we further investigate the arithmetic crosscorrelation of sequences with coprime periods. We derive upper bounds for sequences constructed from the Legendre symbol, which generalize classical Legendre sequences, and for sequences generated by trace functions. In addition, we show that the constant property of arithmetic crosscorrelation extends to non-binary sequences with coprime periods.
## 2026/617
* Title: Scaling of Memory and Bandwidth Requirements of Post-Quantum Signatures with Message Size
* Authors: Falko Strenzke
* [Permalink](
https://eprint.iacr.org/2026/617)
* [Download](
https://eprint.iacr.org/2026/617.pdf)
### Abstract
In this work we analyse the qualitative memory and bandwidth efficiency properties of the currently standardised post-quantum signatures as such and of their protocol integrations mainly in the X.509 context. The term rCLqualitativerCY in this respect refers to how memory and bandwidth requirements scale with the size of the signed message. Specifically, we address the question in how far the algorithms support online-computations, a.k.a streaming, with respect to the signed message in the signing and verification operations. Further, we review the possibilities for the pre-computation of a short message representative outside the cryptographic module responsible for the signing or verification operation of the different signature schemes. We also give a preview on the corresponding cryptographic API of the PKCS#11 standard which introduces numerous PQC signature algorithms in the upcoming version 3.2. We demonstrate that for specific realistic use cases, the qualitative memory and bandwidth efficiency of the PQC signature schemes in protocol use is widely varied and by tendency substantially degraded compared to the traditional signature schemes based on RSA and elliptic curves, which always allow for the pre-computation of a short message representative in the form of a hash value. Our results are relevant to PQC migrations of existing applications using traditional RSA or elliptic curve schemes.
## 2026/618
* Title: CAGP: A Quantum Canary Address Generation Protocol
* Authors: Ghazaleh Keshavarzkalhori, Roger Sala-Mim||, Jordi Herrera-Joancomart|!, Cristina P|-rez-Sol|a
* [Permalink](
https://eprint.iacr.org/2026/618)
* [Download](
https://eprint.iacr.org/2026/618.pdf)
### Abstract
The advent of quantum computing poses a fundamental threat to classical cryptographic assumptions. While algorithms such as RSA and Elliptic-Curve Cryptography are secure against classical adversaries, they would be efficiently broken by a sufficiently powerful quantum adversary. Yet, despite rapid industrial and academic progress, the timeline for achieving a Cryptographically Relevant Quantum Computer (CRQC) remains uncertain and opaque. In this work, we propose a mechanism to monitor quantum capabilities through economic incentives. We introduce CAGP, a trustless distributed protocol for deploying a quantum canary trap. CAGP enables the creation of publicly auditable cryptographic challenges whose solutions would reveal the existence of quantum computers capable of breaking the Elliptic Curve Discrete Logarithm problem. The protocol is decentralized, secure, efficient, and verifiable, featuring adjustable difficulty and native Bitcoin compatibility. A proof-of-concept implementation demonstrates the feasibility of CAGP as a Bitcoin-based early-warning system for the emergence of quantum computational power.
## 2026/619
* Title: Breaking the One-Way Property of a SHA-3 Implementation via Fault Injection: Key Recovery Attacks on Post-Quantum Digital Signatures
* Authors: Mona Sobhani, S||nke Jendral, Elena Dubrova, Mats N|nslund
* [Permalink](
https://eprint.iacr.org/2026/619)
* [Download](
https://eprint.iacr.org/2026/619.pdf)
### Abstract
This paper presents faultrCainjection attacks on six candidates of the RoundrCa2 NIST postrCaquantum digital signatures call: code-based schemes CROSS and LESS, multivariate schemes MAYO, and MPC-in-the-Head schemes Mirath, RYDE, and PERK. These schemes rely on SHArCa3rCabased hash functions to securely embed secret-dependent values in the signature construction. We show that a single instruction skip fault targeting the Keccak-f permutation during the sponge squeezing phase can reveal these secret values and enable full key recovery. The attacks break the onerCaway property of the affected SHArCa3 implementation, as the fault allows recovering the function's input from its output. We experimentally validate the attacks on the optimised pqm4 ARM Cortex-M4 CROSS implementation via instruction-skipping using voltage glitching, and present practical countermeasures.
## 2026/620
* Title: AHAB: Asynchronous, High-throughput, Adaptively-secure, Batched Threshold Schnorr Signatures
* Authors: Victor Shoup
* [Permalink](
https://eprint.iacr.org/2026/620)
* [Download](
https://eprint.iacr.org/2026/620.pdf)
### Abstract
We present AHAB, a suite of protocols for threshold Schnorr signatures in the asynchronous communication setting with guaranteed output delivery (robustness). We build on the AVSS and GoAVSS protocols of ShouprCoSmart and GrothrCoShoup, which allow t < n/3 static corruptions. First, we provide protocol enhancements and a full security proof in the adaptive corruption model with erasures. Second, we introduce a signature production pipeline with a player elimination framework that bounds the damage from actively misbehaving parties: if t* corrupt parties disrupt a presignature batch, the total communication overhead is at most O(t*) times the happy-path cost, and all t* parties are identified and eliminated, after which the system runs at the happy-path rate until further active misbehavior occurs. Third, we present a simplified protocol variant for t < n/4 adaptive corruptions that achieves worst-case linear communication complexity by eliminating the complaint mechanism entirely and using star-finding at the pipeline level to agree on which dealers and receivers to use. Fourth, we present a hiding variant of GoAVSS that yields an unbiased distributed key generation protocol, preventing an adaptive adversary from biasing the signing key. We also give new and more efficient star-finding algorithms, including an ILP-based optimization that should improve the yield of presignatures per batch in practice. For the main protocol (t < n/3), with t=16 and n=49, on a 1 Gbps network with commodity hardware, we estimate a throughput of 100K signatures per second; for the simplified protocol (t < n/4), with t=16 and n=65, the estimate is 160rCo250K signatures per second.
## 2026/621
* Title: Efficient Conflict-Free NTT Hardware Architecture with Single-Port RAMs: Applications to ML-DSA
* Authors: Henrique S. Ogawa, Thales B. Paiva, Marcos A. Simplicio Jr, Syed M. Hafiz, Bahattin Yildiz
* [Permalink](
https://eprint.iacr.org/2026/621)
* [Download](
https://eprint.iacr.org/2026/621.pdf)
### Abstract
We present a Number Theoretic Transform (NTT) hardware architecture based on the Prouhet-Thue-Morse (PTM) code, enabling NTT implementations relying only on single-port RAMs (SPRAMs), rather than using dual-port RAMs (DPRAMs) as usually done in the literature. We show that the PTM code supports a conflict-free, transactional, and streamlined pipeline across all NTT computation stages, as well as scalable parallelism through multiple butterfly units. Using this approach, we design single- and dual-butterfly NTT modules for ML-DSA that are compliant with reference software and can be packaged as a standalone AXI-Stream peripheral, allowing the forward and inverse NTT operations to be offloaded from software via DMA transfers. Experimental results show that the proposed PTM-based NTT designs achieve near one-cycle-per-butterfly and half-cycle-per-butterfly performance for the single- and dual-butterfly configurations, respectively. At the same time, it maintains FPGA resource utilization comparable to state-of-the-art compact NTT implementations relying on mixed SPRAM/DPRAM architectures or SPRAM-only designs requiring coefficient reordering.
## 2026/622
* Title: Locally Computable High Independence Hashing
* Authors: Yevgeniy Dodis, Shachar Lovett, Daniel Wichs
* [Permalink](
https://eprint.iacr.org/2026/622)
* [Download](
https://eprint.iacr.org/2026/622.pdf)
### Abstract
We consider (almost) $k$-wise independent hash functions, whose evaluations on any $k$ inputs are (almost) uniformly random, for very large values of $k$. Such hash functions need to have a large key that grows linearly with $k$. However, it may be possible to evaluate them in sub-linear time by only reading a small subset of $t \ll k$ locations during each evaluation; we call such hash functions $t$-local. Local hash functions were previously studied in several works starting with Siegel (FOCS'89, SICOMP'04). For a hash function with $n$-bit input and output size, we get the following new results:
* There exist (non-constructively) perfectly $k$-wise independent $t$-local hash functions with key size $O(kn)$ and locality of $t = O(n)$ bits. An analogous prior result of Larsen et al. (ICALP '24) had a locality of $t=O(n)$ words consisting of $w= O(n)$ bits each, and hence a suboptimal $O(n^2)$ bits total. Furthermore, we show that such hash functions could be made explicit if we had explicit optimal constructions of unbalanced bipartite lossless expanders. Plugging in currently best known suboptimal explicit expanders yields correspondingly suboptimal hash functions.
* Perfectly $k$-wise independent local hash functions generically yield expanders with corresponding parameters. This is true even if the locations accessed by the hash function can be chosen adaptively and shows that progress on explicit hash functions inherently requires progress on explicit expanders.
* We initiate the study of $\epsilon$-almost $k$-wise independent hash functions, where any $k$ adaptive queries to the hash function are $\epsilon$-statistically indistinguishable from $k$ queries to a random function. We construct an explicit family of such hash functions with optimal key size $O(kn)$ bits, optimal locality $t = O(n)$ bits, and $\epsilon= 2^{-n}$, significantly improving over the best known parameters for explicit perfectly independent hashing.
* More generally, if we consider a word model with larger word size $w$, then we get an explicit, efficient construction of $\epsilon$-almost $k$-wise independent hash functions with key size $O(kn/w)$ words, locality $t = O(n/\sqrt{w})$ words, and statistical distance $\epsilon= 2^{-n}$, which we show to be nearly optimal. Such parameters go beyond what is possible for perfect independence.
We discuss applications to nearly optimal bounded-use information-theoretic cryptography.
## 2026/623
* Title: Bad Benchmarks and a Fourier-Analytic Framework for Characterizing the (Un)Hideability of Combinational-Logic Circuits
* Authors: Animesh Chhotaray, Kollin Labowski, Thomas Shrimpton
* [Permalink](
https://eprint.iacr.org/2026/623)
* [Download](
https://eprint.iacr.org/2026/623.pdf)
### Abstract
Design-hiding (DH) schemes, such as logic locking, aim to protect circuit-design intellectual property (IP) in the integrated-circuit (IC) supply chain. While many practical DH schemes have been proposed over the past 15 years, nearly all have been broken by efficient attacks. Security and efficiency claims for these schemes have been based primarily on evaluations using benchmark circuits from legacy test-suites such as ISCASrCO85 and MCNC. Recent work suggests that some circuits are fundamentally unhideable, as their functionality can be approximately learned using classical blackbox (BB) learning-theoretic (LT) algorithms. In this work, we ask: How prevalent are unhideable circuits in standard DH benchmarks? To answer this, we identify propertiesrCosuch as sparse Fourier spectrarCothat make circuits unhideable. However, since BB Fourier-analytic algorithms are often slow and inaccurate for large-domain circuits, we shift to a whitebox (WB) setting. We develop new, efficient WB variants of Fourier-analytic algorithms that leverage WB access to a circuit and advances in model counting to efficiently evaluate whether the circuit has properties that make it unhideable. Upon applying these algorithms to standard DH benchmarks, we find that most circuits in the ISCAS'85 and MCNC test-suites are fundamentally unhideable, whereas newer benchmarks exhibit stronger resistance to Fourier-analytic algorithms and merit broader use in DH evaluation.
## 2026/624
* Title: Weak-key cryptanalysis of Blink
* Authors: Tim Beyne
* [Permalink](
https://eprint.iacr.org/2026/624)
* [Download](
https://eprint.iacr.org/2026/624.pdf)
### Abstract
This note describes a weak-key attack on the tweakable block cipher Blink, which was recently introduced at FSE 2026. Specifically, it is shown that two rounds of Blink admit several nonlinear invariants. To illustrate that these invariants indeed lead to attacks, we describe a partial key-recovery attack on Blink-64 with data and time complexity $2^{23}$, for a fraction of $2^{-96}$ weak keys or tweaks. There is a trade-off between the fraction of weak keys and the data complexity, e.g., with $2^{56}$ data the fraction of weak keys increases to $2^{-63}$. The attack is based on the same strategy as our attack on Midori-64 from Asiacrypt 2018.
## 2026/625
* Title: Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations
* Authors: Ryan Babbush, Adam Zalcman, Craig Gidney, Michael Broughton, Tanuj Khattar, Hartmut Neven, Thiago Bergamaschi, Justin Drake, Dan Boneh
* [Permalink](
https://eprint.iacr.org/2026/625)
* [Download](
https://eprint.iacr.org/2026/625.pdf)
### Abstract
The expected emergence of cryptographically relevant quantum computers (CRQCs) will represent a singular discontinuity in the history of digital security, with wide ranging impacts. This whitepaper seeks to elucidate specific implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and potential mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem over the secp256k1 curve, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either $\leq 1200$ logical qubits and $\leq 90$ million Toffoli gates or $\leq 1450$ logical qubits and $\leq 70$ million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with $10^{-3}$ physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between ``fast-clock'' (such as superconducting and photonic) and ``slow-clock'' (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable ``on-spend'' attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling mechanism, as well as the enduring concern of ``abandoned'' assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of ``digital salvage'' to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the migration to PQC without delay.
## 2026/626
* Title: Deep Learning-Assisted Improved Differential Fault Attacks on Lightweight Stream Ciphers
* Authors: Kok Ping Lim, Dongyang Jia, Iftekhar Salam
* [Permalink](
https://eprint.iacr.org/2026/626)
* [Download](
https://eprint.iacr.org/2026/626.pdf)
### Abstract
Lightweight cryptographic primitives are widely deployed in resource-constraint environment, particularly in the Internet of Things (IoT) devices. Due to their public accessibility, these devices are vulnerable to physical attacks, especially fault attacks. Recently, deep learningrCobased cryptanalytic techniques have demonstrated promising results; however, their application to fault attacks remains limited, particularly for stream ciphers. In this work, we investigate the feasibility of deep learning assisted differential fault attack on three lightweight stream ciphers, namely ACORNv3, MORUSv2 and ATOM, under a relaxed fault model, where a single-bit bit-flipping fault is injected at an unknown location. We train multilayer perceptron (MLP) models to identify the fault locations. Experimental results show that the trained models achieve high identification accuracies of 0.999880, 0.999231 and 0.823568 for ACORNv3, MORUSv2 and ATOM, respectively, and outperform traditional signature-based methods. For the secret recovery process, we introduce a threshold-based method to optimize the number of fault injections required to recover the secret information. The results show that the initial state of ACORN can be recovered with 21 to 34 faults; while MORUS requires 213 to 248 faults, with at most 6 bits of guessing. Both attacks reduce the attack complexity compared to existing works. For ATOM, the results show that it possesses a higher security margin, as majority of state bits in the Non-linear Feedback Shift Register (NFSR) can only be recovered under a precise control model. To the best of our knowledge, this work provides the first experimental results of differential fault attacks on ATOM.
## 2026/627
* Title: Efficient and Parallel Implementation of Isogeny-based Deterministic Group Actions
* Authors: Weize Wang, Yi-Fu Lai, Kaizhan Lin, Yunlei Zhao
* [Permalink](
https://eprint.iacr.org/2026/627)
* [Download](
https://eprint.iacr.org/2026/627.pdf)
### Abstract
Recent work by Houben (Asiacrypt'25) introduced a new formulation for class group actions on supersingular elliptic curves oriented by an imaginary quadratic order for an arbitrarily large discriminant. The algorithm is not only constant-time but also fully deterministic, dummy-free, and branch-free. As a result, it gives the fastest isogeny-based non-interactive key exchange (NIKE) in theory, referred to as OSIDH-LD in this paper. However, the current proof-of-concept SageMath implementation remains substantially slower than mainstream post-quantum key-exchange candidates.
In this paper, we develop an efficient implementation of OSIDH-LD with several approaches.
First, we provide algorithmic-level optimizations: (i) we develop the ``tail pruning'' approach such that key agreement avoids redundant orientation updates.
This optimization maintains the fully deterministic and dummy-free feature of OSIDH-LD; (ii) we adapt a faster codomain isomorphism identification adapted from the technique used in the SQIsign implementations; and (iii) we present effective isogeny-computation strategies tailored to the cost profile of OSIDH-LD. Second, we adapt the parallelism technique. We apply the fork-join parallel execution model to optimize the class group action performance, and achieve near-perfect parallelism in key generation, as well as improved performance in key agreement.
We provide two kinds of implementations to show the impacts of our improvements. The first one is in C with assembly language for field arithmetic, which verifies the correctness of our optimization techniques targeting OSIDH-LD. The experimental results show that our techniques lead to an overall $1.56\times$ and $1.87\times$ acceleration for key generation and key agreement, respectively.
On an Intel Core i7 CPU, the resulting costs are 12.8~Gcycs (KeyGen) and 10.57~Gcycs (KeyAgree) at a conjectured CSIDH-4096 security strength. Second, we provide parallel implementations that exploit multi-threading and AVX-512 vector extensions, respectively, by batching independent subroutines in the class group action.
In particular, the AVX-512 vectorized implementation is $4.97\times$ faster than the improved C+assembly implementation in key generation, which is close to the theoretical optimum.
## 2026/628
* Title: Fast and Compact Lattice-Based Registration-Based Encryption
* Authors: Tianwei Zhang, Xiuquan Ding, Giulio Malavolta, Nico D||ttling
* [Permalink](
https://eprint.iacr.org/2026/628)
* [Download](
https://eprint.iacr.org/2026/628.pdf)
### Abstract
Registration-based Encryption ($\mathsf{RBE}$) is an emerging paradigm to remove the key escrow problem in identity-based encryption (IBE) systems. $\mathsf{RBE}$ represents a promising alternative to a public-key infrastructure, attaining the best of both worlds between IBE and traditional public-key encryption. Despite a lot of recent progress, existing constructions of $\mathsf{RBE}$ are not yet on-par with other approaches in terms of practical efficiency. To make things worse, all known concretely efficient constructions are based on bilinear pairings and are broken by quantum algorithms.
In this work, we make progress on this problem. We construct a lattice-based, and therefore with plausible post-quantum security, $\mathsf{RBE}$ scheme with compact ciphertexts and fast encryption/decryption algorithms. Compared to the state-of-the-art lattice-based $\mathsf{RBE}$, our scheme reduces ciphertext size to $0.148$\,MB, down from $9$\,MB, for $1000$ users, and improves the encryption/decryption runtime by an order of magnitude. To the best of our knowledge, this is the first lattice-based $\mathsf{RBE}$ construction with ciphertexts well below one megabyte and competitive end-to-end performance, representing a significant step toward the practical adoption of $\mathsf{RBE}$.
## 2026/629
* Title: Towards Formal Security Proofs of MQOM
* Authors: Haruhisa Kosuge, Keita Xagawa
* [Permalink](
https://eprint.iacr.org/2026/629)
* [Download](
https://eprint.iacr.org/2026/629.pdf)
### Abstract
Recent MPC-in-the-Head (MPCitH) signatures increasingly rely on aggressive GGM-tree optimizations to reduce signature size and cost, culminating in _secret-key-root correlated_ GGM tree as used in MQOM (NIST PQC Standardization for Additional Signature Round-2, 2024). While this technique yields substantial compression, it introduces a dependency loop in the proof. The transcript we would like to randomize for simulation is generated by expanding a GGM tree from a root that is part of the secret key, so this randomization must be justified via a reduction to the hardness of recovering the secret key. However, the hiding of the secret key relies on masking randomness that is a part of the transcript derived from the same GGM tree. As a result, justifying the randomization requires hiding, while proving hiding requires the randomization, and standard MPCitH proof templates do not apply directly.
We propose and analyze two variants of MQOM and provide the EUF-CMA security proofs. The first variant makes a minor change to salts and replaces blockcipher-based hash functions in the GGM trees with random functions; we then prove its EUF-CMA security in the (quantum) random oracle model under partial-domain one-wayness or slightly stronger one-wayness assumptions. The second variant also makes a minor change to salts and adjusts security parameters to admit a proof under standard one-wayness in the ideal-cipher and random-oracle models. The proof exploits the H-coefficient technique with one-wayness, which might be of independent interest.
## 2026/630
* Title: Asymptotic Analysis of Ternary Sparse LWE
* Authors: Byoungchan Chi, Nathan Cho, Jiseung Kim, Changmin Lee
* [Permalink](
https://eprint.iacr.org/2026/630)
* [Download](
https://eprint.iacr.org/2026/630.pdf)
### Abstract
We present an asymptotic analysis of the ternary variant of Sparse Learning with Errors (spLWE), a structured LWE variant proposed by Jain--Lin--Saha (CRYPTO'24) in which each equation involves only $k \ll n$ of the $n$ secret coordinates, enabling significantly more efficient computation than dense LWE.
Unlike standard LWE, the small-secret regime of spLWE is not automatically reducible to its large-secret counterpart, leaving asymptotic hardness unclear, particularly when $k$ is very small.
We develop a two-pronged attack framework that depends explicitly on the sparsity parameter $k$. In the geometric regime $q > 3^k$, each sparse row reduces to a short-vector problem in a $k$-dimensional lattice, yielding complexity $2^{0.292k}$ via a sieving algorithm.
In the statistical regime $q \leq 3^k$, we propose a greedy coordinate-recovery attack with running time $O(m \cdot k \cdot 3^k)$, where $m$ is the number of samples.
Heuristically, under mild assumptions, full recovery holds with high probability once the sample size is large enough; the resulting complexity is exponential only in $k$ and otherwise mild (up to polylogarithmic factors), i.e., polynomial in $n$, which makes very small $k$ vulnerable even at large dimensions.
Experiments on toy instances confirm the predicted sharp transition. Complexity comparisons with prior works indicate lower complexity on a few of their parameter sets, while identifying regimes where our method is not applicable.
## 2026/631
* Title: Rethinking r-PKP: a New Formulation for the Relaxed Permuted Kernel Problem
* Authors: Giuseppe D'Alconzo, Andrea Gangemi, Lorenzo Romano, Giuliano Romeo
* [Permalink](
https://eprint.iacr.org/2026/631)
* [Download](
https://eprint.iacr.org/2026/631.pdf)
### Abstract
Among the schemes in the second round of NIST's additional call for Post-Quantum signatures, PERK builds its security on the intractability of the Permuted Kernel Problem (PKP). In its original formulation, this problem asks, on input three matrices $\mathbf H,\mathbf X,\mathbf Y$, to find a permutation matrix $\mathbf P$ such that $\mathbf H \mathbf P \mathbf X = \mathbf Y$. To achieve better performance and smaller signatures, in its first proposal, the PERK signature modified the security assumption in the following way: given a PKP instance, the matrix $\mathbf P$ does not have to verify the exact previous equation but a relaxed one, taking care of a non-null vector $\mathbf v$ such that $(\mathbf H \mathbf P \mathbf X)\mathbf v = \mathbf Y \mathbf v$.
In this work, we rephrase the relaxed problem so that it no longer depends on the PKP instance nor the vector $\mathbf v$. We show that it suffices to find $\mathbf P$ such that $\mathbf H\mathbf P \mathbf X - \mathbf Y$ has rank deficiency. This generalized formulation is easier to model and allows us to design an algebraic attack inspired by those of MinRank and Rank Syndrome Decoding, writing a polynomial system in the entries of $\mathbf P$. Moreover, we can consider it as linear in the minors of $\mathbf P$ and provide some results on them, which may be of independent interest.
## 2026/632
* Title: A tight security analysis of the FIPS-205 standard (SLH-DSA)
* Authors: Dai Chi Do, Quoc Toan Nguyen, Phong Quang Trieu, Ba Danh Vu
* [Permalink](
https://eprint.iacr.org/2026/632)
* [Download](
https://eprint.iacr.org/2026/632.pdf)
### Abstract
The SPHINCS+ framework, recently standardized by NIST as SLH-DSA (FIPS 205), is a leading stateless hash-based signature scheme for the post-quantum era. Concrete-security evaluation of SPHINCS+ faces a trade-off: tight bounds require a conjectural multi-target decisional second-preimage resistance (SM-DSPR), while fully proven bounds incur substantial looseness. In this paper, we refine the concrete security analysis of SPHINCS+ by eliminating this heuristic reliance. In our approach, we analyze the SM-openPRE and SM-PRE properties instead of relying on SM-DSPR. By utilizing a precise probabilistic simulation technique, we restrict the multi-target tightness degradation exclusively to the maximum number of practically revealed targets rather than the total theoretical targets. When applied to the SLH-DSA parameter sets, our conjecture-free approach bridges the theoretical gap, recovering up to 18 bits of classical security and 9 bits of quantum security compared to the NIST loose evaluation.
Our results establish a provable bound for the practical security of SLH-DSA without relying on optimistic multi-target assumptions.
## 2026/633
* Title: Progressive Sieving-Style Information-Set Decoding Algorithm
* Authors: Tong Yu, Haodong Jiang, Hong Wang, Rongmao Chen, Qingfeng Cheng, Xinyi Huang, Yuefei Zhu
* [Permalink](
https://eprint.iacr.org/2026/633)
* [Download](
https://eprint.iacr.org/2026/633.pdf)
### Abstract
Information set decoding (ISD) algorithm is the main tool to estimate the concrete bit security of code-based cryptographic schemes including Classic McEliece, HQC and BIKE. Inspired by sieving methods in lattice-based cryptoanalysis, a new type of ISD algorithm (called sieving-ISD) based on locality sensitive filter (LSF) was recently proposed by Guo, Johansson, and Nguyen [GJN24, TIT], which has been shown to achieve comparable complexity with the BJMM/MMT algorithm when attacking Classic McEliece. At EUROCRYPT 2024, Ducas, Esser, Etinski and Kirshanova extended [GJN24, TIT]'s deterministic LSF to probabilistic LSFs and provided an asymptotic worst-case complexity analysis for sieving-ISD with different LSFs in the full-distance setting, which indicates that the sieving-ISD with probabilistic LSFs can achieve better time complexity than the ones with [GJN24, TIT]'s deterministic LSF.
In this paper, we first propose a generalized sieving-ISD framework (called progressive sieving-ISD), which allows for more freedom in parameter configuration. In particular, we present a concrete complexity analysis for both our progressive sieving-ISD and its ``decoding one out of many'' (DOOM) variant under a binary sieve heuristic, whose validity can be verified via experiments.
Then, by searching the optimal parameter configuration, we show that our progressive sieving-ISD can achieve attack time complexity improvements over the previous non-progressive version by 5-12 bits. In particular, for all the three categories of HQC to be standardized by NIST, we show that the state-of-the-art complexity results can be reduced by 7-9 bits using our progressive sieving-ISD, making their security levels 5.1/2.1/5.7 bits below the NIST requirements (143/207/272 bits). Interestingly, our results show that when considering the concrete security of Classic McEliece/HQC/BIKE, the progressive sieving-ISD with [GJN24, TIT]'s deterministic LSF can achieve a better performance than the ones with probabilistic LSFs in [DEEK24, EC]. Finally, we show the connection between progressive sieving-ISD and BJMM, and hence explain why progressive sieving-ISD can achieve a better time complexity than BJMM.
## 2026/634
* Title: PlasmaBlind: A Private Layer 2 With Instant Client-Side Proving
* Authors: Pierre Daix-Moreux, Chengru Zhang
* [Permalink](
https://eprint.iacr.org/2026/634)
* [Download](
https://eprint.iacr.org/2026/634.pdf)
### Abstract
In this technical note, we discuss a new direction in the design of privacy-preserving and scalable Layer-2 (L2) protocols by presenting a concrete construction, PlasmaBlind.
To minimize the L2 usersrCO overhead for achieving privacy while enabling efficient creation of compact blocks, PlasmaBlind is built upon a novel architecture that leverages folding schemesrCO powerful and flexible properties. On the user side, we utilize their blinding property to shield and prove transaction data without expensive succinct zero-knowledge proofs. On the aggregator side, their low accumulation cost allows efficient aggregation of user instances into a constant size proof of block validity.
We further improve our proof aggregation performance by proposing an optimization technique that efficiently links two different verification tasks with shared input while eliminating the need for cumbersome proof composition of non-uniform circuits, which could be of independent interest.
The practicality of PlasmaBlind is validated by our preliminary benchmarks, which demonstrate that, with consumer hardware, PlasmaBlind achieves sub-100ms proving time on the client side and sub-300ms per-transaction time on the aggregator side.
## 2026/635
* Title: Low-Stack HAETAE for Memory-Constrained Microcontrollers
* Authors: Gustavo Banegas, YoungBeom Kim, Seog Chung Seo, Christine van Vredendaal
* [Permalink](
https://eprint.iacr.org/2026/635)
* [Download](
https://eprint.iacr.org/2026/635.pdf)
### Abstract
We present a low-stack implementation of the module-lattice signature scheme \(\mathrm{HAETAE}\), targeting microcontrollers with \(8\,\mathrm{kB}\)rCo\(16\,\mathrm{kB}\) of available SRAM.
On such devices, peak stack usage is often the binding constraint, and \(\mathrm{HAETAE}\)'s hyperball-based sampler, large transient polynomial vectors, and variable-length signature payloads (hint and high-bits arrays) pose a particular challenge. To address this, we introduce (i) rejection-aware pass decomposition, which isolates encoding to the post-acceptance path; (ii) component-level early rejection, which short-circuits the response computation when a partial norm already exceeds the bound; and (iii) reverse-order streaming entropy coding using range Asymmetric Numeral Systems (rANS), which eliminates full hint and high-bits staging buffers. Combined with streamed matrix generation, a two-pass hyperball sampler with streaming Gaussian backend, and row-streamed verification, these techniques bring signing stack usage from \(71\,\mathrm{kB}\)rCo\(141\,\mathrm{kB}\) in the reference implementation down to \(5.8\,\mathrm{kB}\)rCo\(6.0\,\mathrm{kB}\), key generation to \(4.7\,\mathrm{kB}\)rCo\(5.7\,\mathrm{kB}\), and verification to \(4.7\,\mathrm{kB}\)rCo\(4.8\,\mathrm{kB}\) across all three security levels. Our pure C implementation covers all three security levels (\(\mathrm{HAETAE}\)-2/3/5), whose optimization paths differ due to the public-key domain (\(d > 0\) vs. \(d = 0\)) and rejection structure. We implement our optimization on a Nucleo-L4R5ZI and compare it to the reference `pqm4` implementation (for \(\mathrm{HAETAE}\)-2 and -3) and to a recently published memory-optimized implementation (targeting \(\mathrm{HAETAE}\)-5 only). We reduce \(\mathrm{HAETAE}\)-2, -3, and -5 stack usage by respectively \(75\%\), \(86\%\), and \(8\%\) for key generation, \(92\%\), \(95\%\), and \(24\%\) for signature generation, and \(85\%\), \(91\%\), and \(22\%\) for verification. Depending on the parameter set, this impacts performance by at most a factor of \(1.8\) and \(3.4\) for key generation and signature generation, respectively, while even offering a performance improvement of up to \(18\%\) for verification. Verification at all security levels fits within \(8\,\mathrm{kB}\) of RAM (signature buffer + stack) and is \(2.34\)rCo\(3.34\times\) faster than ML-DSA m4fstack at each comparable security level. We additionally validate portability under RIOT-OS on ARM Cortex-M4 and RISC-V targets.
## 2026/636
* Title: From LFSRs to LFGs: Periodicity and Structural Transformations in Stream Ciphers
* Authors: Shivarama K. N, Susil Kumar Bishoi, Vadiraja Bhatta G. R., Vashek Matyas
* [Permalink](
https://eprint.iacr.org/2026/636)
* [Download](
https://eprint.iacr.org/2026/636.pdf)
### Abstract
Feedback shift registers, such as Linear Feedback Shift Registers (LFSRs), Multi-Recursive Matrix Methods (MRMMs), and Lagged Fibonacci Generators (LFGs), are fundamental components in stream cipher-based cryptographic systems. In this paper, we investigate systems composed of LFSRs under two distinct configurations. First, we study the cascade connection of LFSRs and demonstrate that it represents a special case of the first configuration. Under specific conditions, we derive the exact period of these cascaded systems. Second, we analyze a system comprising two LFSRs in the second configuration, where carry bits are introduced into the feedback computation of the second LFSR. We examine the periodicity of both the carry bits and the overall system. Furthermore, we generalize this construction to word size $m$, and show that an additive LFG can be represented by an equivalent system of LFSRs. This approach enables efficient LFG implementation in resource-constrained environments by using multiple LFSRs and a simple adder, thus eliminating the need for large word sizes.
## 2026/637
* Title: VeriRAG: Efficient Zero-Knowledge Proofs for Verifiable Retrieval-Augmented Generation
* Authors: Chenqi Lin, Yubo Cui, Zhelei Zhou, Cheng Hong, Yufei Wang, Zhaohui Chen, Meng Li
* [Permalink](
https://eprint.iacr.org/2026/637)
* [Download](
https://eprint.iacr.org/2026/637.pdf)
### Abstract
Retrieval-Augmented Generation (RAG) is widely used to enhance Large Language Models (LLMs), yet the "hallucination" characteristic allows malicious providers to bypass retrieval or claim non-existent data quality. To address these challenges, we present VeriRAG, a framework that leverages Zero-Knowledge Proofs (ZKP) to provide efficient integrity guarantees for RAG systems without compromising dataset privacy. Leveraging the robustness of AI inference, our framework supports Approximate Nearest Neighbor Search (ANNS)-based retrieval to avoid exhaustive searches. For the verification of top-$k$ sorting, we propose an innovative protocol that bypasses the intricate verification of sorting processes. To further enhance performance, we introduce a joint optimization leveraging vector lookup and chunk-merging strategies, which collectively drive down verification overhead while maintaining high generation accuracy. Experimental results demonstrate that VeriRAG scales efficiently to a 37GB dataset, achieving a prover time of 96s and a verifier time of 3s.
## 2026/638
* Title: THED: Threshold Dilithium from FHE
* Authors: Jai Hyun Park, Alain Passel|?gue, Damien Stehl|-
* [Permalink](
https://eprint.iacr.org/2026/638)
* [Download](
https://eprint.iacr.org/2026/638.pdf)
### Abstract
We describe THED, a threshold version of the Dilithium signature scheme (ML-DSA), whose issued signatures are valid for the genuine Dilithium verification algorithm. The signing protocol has two rounds of communication, one of which that lends itself to pre-processing. The scheme supports arbitrary number of users and threshold parameter.
The construction consists in running Dilithium's signing algorithm under Threshold Fully Homomorphic Encryption (ThFHE), except for the computation of the signing challenge that happens in clear. Due to the type of operations performed, we rely on the CKKS scheme for homomorphic computations. However, a number of challenges remain, for which we develop new tools. In particular, we describe a CKKS-BFV continuum that helps for modular operations in the context of other non-arithmetic operations, a hybrid-format homomorphic comparison when the input is the sum of a bit-decomposed integer and a small integer, and a modulus-thrifty homomorphic comparison of larger non-bit-decomposed integers. Furthermore, to ensure the protocol is communication efficient, we developed a new threshold decryption method for CKKS providing more compact decryption shares.
Our proof-of-concept implementation of the FHE components of the signing protocol runs in 1.343s on an RTX-5090 GPU, with 23.6KB of communication per party for the NIST level-2 Dilithium variant. Most of it can be run in an offline phase without the message to be signed, the online cost then shrinks to~0.202s and 4.10KB per party. Apart from the two decryption steps, this computation is entirely public and can be delegated to a server with more powerful hardware.
## 2026/639
* Title: Synchronous BFT with Provability and Fast Path for the Age of Blockchains
* Authors: Ittai Abraham, Kartik Nayak, Ling Ren, Ertem Nusret Tas
* [Permalink](
https://eprint.iacr.org/2026/639)
* [Download](
https://eprint.iacr.org/2026/639.pdf)
### Abstract
Synchronous Byzantine fault tolerant (BFT) protocols offer stronger security guarantees, increasing resilience from one third to one half. However, existing constructions suffer from three drawbacks that are critical in blockchain settings.
First, blockchain systems require rotating leaders, but the existing constructions are not optimized for low latency under leader rotation. Second, blockchain systems require provable commitments that can be forwarded to clients or offchain entities. Third, modern blockchains optimize for low latency in the good case, and often further optimize for a fast path under even milder adversarial conditions.
In this work, we formalize and study fast paths in the context of provable synchronous BFT. Our first result is that for $n \le 2t + 2p + c -1$, it is impossible to obtain a provable synchronous BFT protocol that tolerates $t$ Byzantine and $c$ crash faults while also achieving a two round fast path resilient to $p$ Byzantine faults. Guided by this bound, we then present four provable synchronous protocols tailored to two deployment paradigms: optimistic responsivness and fixed view schedules.
For optimistic responsiveness, we present $\Delta$-Sync Simplex and $2\Delta$-Sync Simplex, which for $n = 2t + 2p + c + 1$, produce provable commit certificates in time $2\delta$ under a correct leader when the number of faulty parties $f$ satisfies $f \le p$. $2\Delta$-Sync Simplex also achieves $3\delta$ commit latency when the total number of faulty parties is $f \le \lfloor (p + t)/2 \rfloor$ with Byzantine faults $f_b \le t$ and crash faults $f_c \le c$. Outside these optimistic regimes, the protocols remain safe and live for $t$ Byzantine and $c$ crash faults, and output provable commitments within $2\Delta + 2\delta$ and $1\Delta + 3\delta$, respectively. Under faulty leaders, the protocols guarantee a worst case view length of $6\Delta + \delta$ and $5\Delta + \delta$ respectively.
For fixed view schedules, we present two additional protocols, TenderSync and SyncMint, that trade off commit latency and view duration. They achieve either $3\Delta$ provable commit with $4\Delta$ views, or $4\Delta$ provable commit with $3\Delta$ views. Both protocols obtain a provable commit in $2\delta$ under a correct leader when $f \le p$.
## 2026/640
* Title: MIKE (Module Isogeny Key Exchange): An b+#-c++-i-e introduction
* Authors: Damien Robert
* [Permalink](
https://eprint.iacr.org/2026/640)
* [Download](
https://eprint.iacr.org/2026/640.pdf)
### Abstract
We give a down to earth and elementary introduction to the isogeny based cryptography protocol MIKE.
## 2026/641
* Title: HyperVerITAS: Verifying Image Transformations at Scale on Boolean Hypercubes
* Authors: Garrett Greiner, Toshi Mowery, Pratik Soni
* [Permalink](
https://eprint.iacr.org/2026/641)
* [Download](
https://eprint.iacr.org/2026/641.pdf)
### Abstract
We present $\mathsf{HyperVerITAS}$, a new zero-knowledge proof (ZKP) system for image provenance that enables scalable, efficient, and privacy-preserving verification of image transformations. $\mathsf{HyperVerITAS}$ builds upon the same minimal trust model as $\mathsf{VerITAS}$ (IEEE S&P '25), requiring trust only in the image source device, while treating the editing software as untrusted. Unlike $\mathsf{VerITAS}$, which relies on FFT-intensive SNARKs and suffers from high memory overhead (up to 120 GB), $\mathsf{HyperVerITAS}$ leverages multilinear polynomial encodings over the Boolean hypercube to dramatically reduce both proving time and memory usage. Our design cleanly separates signature verification from image transformation, supports modular integration of multiple polynomial commitment schemes (including post-quantum constructions) and naturally extends to a wide range of affine image transformations.
We implement $\mathsf{HyperVerITAS}$ with two distinct commitment schemes (Brakedown and multilinear KZG) and evaluate it on full-system pipelines involving cropping and grayscaling. On commodity hardware (Apple M3, 36 GB RAM), $\mathsf{HyperVerITAS}$ generates proofs for 33 MP images using only 27 GB of RAM and 6.6 minutes of proving time, whereas $\mathsf{VerITAS}$ fails to scale beyond 4 MP. These results establish $\mathsf{HyperVerITAS}$ as a practical and scalable ZKP system for secure and efficient image provenance.
## 2026/642
* Title: SoK: The Weakest-Link Principle in Public Key Infrastructures and Modern Mitigation Strategies
* Authors: Kertis Mwanza, Carsten K||hn
* [Permalink](
https://eprint.iacr.org/2026/642)
* [Download](
https://eprint.iacr.org/2026/642.pdf)
### Abstract
As digital transformation accelerates, securing communication through hierarchical Public Key Infrastructures (PKIs) is increasingly critical. Yet, this centralized trust architecture remains inherently vulnerable. As a Systematization of Knowledge (SoK), this paper maps the threat landscape of hierarchical PKIs, demonstrating how a compromise at any single node from a Root CA breach to an operational revocation failure can trigger a cascading loss of global trust. Grounded in the Weakest-Link Principle, our analysis reveals that a PKI ecosystem is only as resilient as its least protected vector. Traditional revocation mechanisms, particularly CRLs and OCSP, exhibit significant operational and privacy flaws, and are often rendered ineffective by client-side "soft-fail" policies. To address these vulnerabilities, we advocate for a shift: replacing unconditional trust in individual entities with decentralized,verifiable protocols. We evaluate Certificate Transparency (CT) as a core mitigation strategy, illustrating how append-only Merkle trees make misissuance publicly visible and cryptographically auditable. Finally, we synthesize essential operational hardening measures such as strict key cryptoperiods and procedural policies to ensure long-term ecosystem resilience.
## 2026/643
* Title: FOVA: Fast One-Shot Verifiable Aggregation for Federated Learning
* Authors: Yin Zhu, Junqing Gong, Kai Zhang, Shay Gueron, Haifeng Qian
* [Permalink](
https://eprint.iacr.org/2026/643)
* [Download](
https://eprint.iacr.org/2026/643.pdf)
### Abstract
In federated learning (FL), secure aggregation (SA) allows a server to compute aggregate model updates (gradients) without accessing individual client gradients. SA is intended to protect clientsrCO local dataset from being inferred through individual gradients. However, recent NDSS 2025 work shows that even state-of-the-art SA protocols can be vulnerable, as a malicious server may reconstruct clientsrCO datasets from aggregated gradients. This demonstrates that protecting dataset privacy requires not only gradient confidentiality but also aggregation hiding. Moreover, a malicious server may deviate from the protocol and return manipulated results, making authenticity an additional critical security goal. Supporting one-shot clients, which send a single message per iteration to reduce synchronization overhead, further increases design complexity.
To address these challenges, we propose FOVA, a fast one-shot verifiable aggregation protocol that simultaneously achieves aggregation hiding and authenticity against an actively malicious server. Notably, authenticity, defined under full participation, must be relaxed for dropout robustness due to the indistinguishability between adversarial omissions and legitimate dropout. FOVA is built upon the verifiable linearly homomorphic encryption scheme, for which we give a new construction based solely on the Paillier cryptosystem. This design enables high efficiency and allows FOVA to be integrated into existing Paillier-based FL frameworks with minimal modifications. We implement FOVA on top of an industrial FL framework. Experimental results show that, compared to the most relevant prior protocols, FOVA achieves up to three orders-of-magnitude speedup while providing stronger security guarantees.
## 2026/644
* Title: Ordered Multi-Signatures from the DL Assumption
* Authors: Keisuke Hara, Keisuke Tanaka, Masayuki Tezuka
* [Permalink](
https://eprint.iacr.org/2026/644)
* [Download](
https://eprint.iacr.org/2026/644.pdf)
### Abstract
Ordered multi-signatures allow multiple signers to sign a common message sequentially, and anyone to verify the signing order of signers with a public-key list. Recently, Baum et al. (PKC 2025) proposed an ordered multi-signature scheme over a pairing-free group by modifying the multi-signature scheme MuSig2 by Nick et al. (CRYPTO 2021). The security of their ordered multi-signature scheme was proven under the algebraic one-more discrete logarithm (AOMDL) assumption in the random oracle model (ROM). The AOMDL assumption is stronger than the discrete logarithm (DL) assumption. To strengthen the assurance of security, it is desirable either to prove their scheme under the DL assumption or give a construction whose security is proven under the DL assumption.
In this paper, we give an ordered multi-signature scheme from linear hash function families. Our scheme is obtained by generalizing Baum et al.rCOs scheme via linear hash function families. The security of our scheme is proven under the algebraic one-more preimage resistance (AOMPR) property of a linear hash function in the ROM. There is a linear hash function whose AOMPR property can be proven under the DL assumption. Thus, by using this linear hash function, we obtain the first DL- based ordered multi-signature scheme.
## 2026/645
* Title: Toward Provable Security in Anamorphic Extension: New Constructions and Analysis
* Authors: Nabanita Chakraborty, Ratna Dutta
* [Permalink](
https://eprint.iacr.org/2026/645)
* [Download](
https://eprint.iacr.org/2026/645.pdf)
### Abstract
In a dictatorial setting where the receiverrCOs secret key may be exposed to an adversary, anamorphic encryption enables secure communication. Since its introduction in 2022, anamorphic cryptography has attracted considerable attention in the cryptographic literature. Anamorphic extension (AE) strengthens this paradigm by providing deniability: although the receiver can participate in covert communication, it can plausibly deny the existence of such communication to the dictator. The security of an AE of a public key encryption (PKE) is captured by the indistinguishability between its normal and anamorphic modes of operation, formalized by the IND-NA notion. In this paper, we have introduced two concrete constructions of AE from the number-theoretic assumptions-based indistinguishability against chosen plaintext attack (IND-CPA)-secure Goldwasser-Micali PKE and Benaloh PKE. We have proved the IND-NA security of our proposed AEs assuming the existence of secure pseudo-random function (PRF). To the best of our knowledge, our proposed Goldwasser-Micali based construction is the first AE that achieves natural robustness, attains bandwidth rate 1 and has small key-sizes where bandwidth rate is determined by the ratio of the covert and normal plaintext. The bandwidth rate of the Benaloh PKE-based construction is >> 1. Our proposed AEs are efficient due to small key size, low computation costs mostly involving computations of PRF and modular operations, high bandwidth rate, low anamorphic ciphertext expansion rate (ratio of the ciphertext size and the covert plaintext size) and deniability.
## 2026/646
* Title: On Optimal Information-Theoretic Security in Symmetric Encryption under Low-Entropy Keys
* Authors: Haibo Cheng, Haijie Su, Dongyi Li, Wenting Li, Ping Wang
* [Permalink](
https://eprint.iacr.org/2026/646)
* [Download](
https://eprint.iacr.org/2026/646.pdf)
### Abstract
We study the achievable level of information-theoretic security for symmetric encryption under low-entropy keys (e.g., passwords and biometrics), where classical notions such as perfect secrecy and entropic security are usually unattainable. We consider a model in which messages $M$ and keys $K$ are drawn independently from distributions $(p_\mathrm{m}, p_\mathrm{k})$. Prior work on homophonic ciphers (HC) and honey encryption (HE) suggests that randomized encryption tailored to $p_\mathrm{m}$ can improve security. We ask what the optimal achievable level is among all symmetric encryption schemes, and which necessary and/or sufficient conditions on encryption schemes characterize when this level can be achieved.
For key confidentiality (KC), we show that the optimal achievable level is $I(K;C)=\mathsf{negl}(|C|)$, i.e., the ciphertext reveals only negligible information about the key. Moreover, this holds if and only if, informally, decrypting under any key induces sampling of messages according to $p_\mathrm{m}$. HC and HE following this principle achieve this level, whereas $p_\mathrm{m}$-agnostic schemes do not in general.
For message confidentiality (MC) against message-recovery attacks, we show that the optimal bound on the adversaryrCOs success probability is $p_{\max}+\mathsf{negl}(|C|)$, where $p_{\max}$ is the baseline success probability of guessing the most likely message or key under $(p_\mathrm{m}, p_\mathrm{k})$. We construct a scheme $\mathsf{OE}$ tailored to $(p_\mathrm{m}, p_\mathrm{k})$ that attains $p_{\max}+O(2^{-|C|})$, and prove that $p_\mathrm{k}$-agnostic schemes (including HC and HE) cannot in general achieve this bound.
Our results on necessary and/or sufficient conditions characterize fundamental principles governing the use of randomness in probabilistic encryption.
The main technical challenge is to handle a discretization-induced negligible error that must be propagated throughout the derivation of our bounds and necessary and/or sufficient conditions. To facilitate the analysis, we introduce a continuous-ciphertext framework that separates structural constraints from discretization error.
## 2026/647
* Title: SSLE-DAG: A High-Throughput Proof-of-Stake Consensus Protocol Combining an Adaptive DAG with a Single Secret Leader Election
* Authors: Tomas Hladky, Martin Peresini, Juraj Mariani, Ivan Homoliak
* [Permalink](
https://eprint.iacr.org/2026/647)
* [Download](
https://eprint.iacr.org/2026/647.pdf)
### Abstract
SSLE-DAG Proof-of-Stake (PoS) blockchains with publicly visible leader schedules expose future proposers to targeted Denial-of-Service (DoS) attacks. Single Secret Leader Election (SSLE) techniques address this problem by hiding the leader's identity until block publication. However, existing SSLE techniques are difficult to integrate with high-throughput Directed Acyclic Graph (DAG)-based Proof-of-Stake consensus protocols. We introduce SSLE-DAG, a PoS consensus protocol that combines a zk-SNARK-based SSLE commitment scheme with the adaptive DAG-based consensus protocol that splits or merges parallel chains (and thus regulates throughput) upon transaction demand. The commitment scheme uses EdDSA signatures, MiMC hashing, and Merkle proofs to guarantee uniqueness, fairness, and unpredictability while keeping leader identities private. We implement SSLE-DAG in Go (gnark) and evaluate it in a geo-distributed simulation using real-world latency traces. In a 60-node network, we achieve about 990 TPS, and in a 40-node network with shorter rounds, we reach about 1,600 TPS with low variance in block rewards.
## 2026/648
* Title: Synthesis of RTL-based Characterization Programs for Fault Injection
* Authors: Jonah Alle Monne, Guillaume Bouffard, Damien Courouss|-, Mathieu Jan * [Permalink](
https://eprint.iacr.org/2026/648)
* [Download](
https://eprint.iacr.org/2026/648.pdf)
### Abstract
Fault injection attacks pose a significant threat
to the security of embedded devices. While their effects are
commonly modeled as instruction skips or data corruption,
characterizing these faults requires programs that expose
software-visible faulty behavior.
However, many fault effects originate from microarchitectural
elements, making them difficult to identify using existing
approaches. On one hand, Register Transfer Level (RTL)
analyses provide fine-grained insights but rely on abstract
models that may not fully reflect the physical circuit. On the
other hand, empirical characterization captures real faults but
requires extensive experimentation and often reveals multiple
fault models simultaneously, complicating precise identification.
To address this gap, we propose an automated methodology
that synthesizes characterization programs specifically designed
to expose targeted microarchitectural fault models using a
model-checking algorithm. Our methodology also assesses
additional fault models revealed by these programs.
Applied to two RISC-V processor cores, CV32E40P and Ibex,
our methodology synthesizes programs that expose bit-flip faults
for approximately 70 % of microarchitectural signals, using
two days of computation on 10 parallel cores. For 25 % of the
control signals in CV32E40P, we synthesize programs enabling
the precise attribution of a bit-flip to a targeted signal. Such
programs could facilitate the use of fault injection to deduce the
placement of microarchitectural elements and help design more
effective countermeasures.
To the best of our knowledge, this work represents the first
systematic methodology for building fault characterization pro-
grams, marking a significant step beyond empirical approaches.
## 2026/649
* Title: Perils of Parallelism: Transaction Fee Mechanisms under Execution Uncertainty
* Authors: Sarisht Wadhwa, Aviv Yaish, Fan Zhang, Kartik Nayak
* [Permalink](
https://eprint.iacr.org/2026/649)
* [Download](
https://eprint.iacr.org/2026/649.pdf)
### Abstract
Modern blockchains increasingly rely on parallel execution to improve throughput. We show several industry and academic transaction fee mechanisms (TFMs) struggle to simultaneously account for execution parallelism while remaining performant and fair. First, if parallelism affects fees, adversarial protocol manipulations that offset possible benefits to throughput by introducing fake transactions become rational: users can insert functionally useless parallel transactions solely to reduce fees, and schedulers can create useless sequential transactions to increase revenue. Execution contingency, a core feature of expressive programming languages, both exacerbates the aforementioned threats and introduces new ones:
(1) users may overpay for unused resources, and
(2) scheduler revenue is harmed when reserved scheduling slots go unused due to contingency.
We introduce a framework for this challenging setting, and prove an impossibility, highlighting an inherent tension: both parallelism and contingency involve a trade-off between minimizing risks for users and schedulers, as favoring one comes at the expense of the other. To complete the picture, we introduce a fee mechanisms and prove that they achieve the boundaries of this trade-off. Our results provide rigorous foundations for evaluating designs advanced by notable blockchains, such as Sui and Monad.
--- Synchronet 3.21f-Linux NewsLink 1.2