From Newsgroup: sci.crypt

## In this issue
1. [2025/871] Simple and Efficient Lattice Threshold Signatures ...
2. [2025/985] Tighter Quantum Security for Fiat-Shamir-with- ...
3. [2026/177] A Practical Neighborhood Search Attack on Oracle MLWE
4. [2026/252] At-Compromise Security: The Case for Alert Blindness
5. [2026/280] Reducing the Number of Qubits in Quantum Discrete ...
6. [2026/316] GG-GSW: Chosen-Ciphertext Secure Leveled FHE From ...
7. [2026/334] Tripling on Hessian curves via isogeny decomposition
8. [2026/357] Simulating Noisy Leakage with Bounded Leakage: ...
9. [2026/419] Hermine: An Efficient Lattice-based FROST-like ...
10. [2026/664] Expanders Meet Reed-Muller: Easy Instances of Noisy ...
11. [2026/666] Signature Placement in Post-Quantum TLS Certificate ...
12. [2026/668] Cryptographic Implications of Worst-Case Hardness ...
13. [2026/669] Braess Paradox in Layer-2 Blockchain Payment Networks
14. [2026/670] Verification Facade: Masquerading Insecure ...
15. [2026/671] A note on the Unsuitability of LIGA for Linkable ...
16. [2026/672] FLOSS: Fast Linear Online Secret-Shared Shuffling
17. [2026/673] Efficient Merkle-Tree Consistent Accumulator
18. [2026/674] Efficient Batch Threshold Encryption Using Partial ...
19. [2026/675] SoK: DeFi Lending and Yield Aggregation Protocol ...
20. [2026/676] An Efficient Identity-Based Blind Signature Scheme ...
21. [2026/677] SPLASH: SPeculative Leakage-Adaptive Secure Hardware
22. [2026/678] Mergeable SNARGs for Trapdoor Languages and Their ...
23. [2026/679] Compressed Key Exchange Protocol from Orientations ...
24. [2026/680] Open Problems in List Decoding and Correlated Agreement
25. [2026/681] The many faces of Schnorr: a touch-up
26. [2026/682] Witness-Indistinguishable Arguments of Knowledge ...
27. [2026/683] VEIL: Lightweight Zero-Knowledge for Hash-Based ...
28. [2026/684] Zeal: PIR for Non-Cooperative Databases
29. [2026/685] Efficient e = 3 Threshold RSA via Integer ...
30. [2026/686] Secure MSM Outsourcing Computation for Zero- ...
31. [2026/687] High-Throughput Side-Channel-Protected Stream ...
32. [2026/688] Too Far Behind? Narrowing the Gap with a Dual- ...
33. [2026/689] Evaluating PQC KEMs, Combiners, and Cascade ...
34. [2026/690] Multivariate Witness-Hiding Adaptor Signatures
35. [2026/691] PipeSC: A Resource-efficient and Pipelined Hardware ...
36. [2026/692] Efficient Partially Blind Signatures from Isogenies
37. [2026/693] Breaking Optimized HQC: The First Cache-Timing Full ...
38. [2026/694] Proximity Signatures
39. [2026/695] 2G2T: Constant-Size, Statistically Sound MSM ...
40. [2026/696] A Key Schedule Design and Evaluation under Boundary ...
41. [2026/697] Post-Quantum Secure k-Times Traceable Ring Signature
42. [2026/698] Entropy-based Fuzzy Deduplication with Perfect ...
43. [2026/699] HAWK with Hint: Algebraic Key Recovery from Side- ...
44. [2026/700] GRAFHEN is not IND-CPA secure
45. [2026/701] Boolean Arithmetic over $\mathbb{F}_2$ from Group ...
46. [2026/702] A Constructive Treatment of Authentication
47. [2026/703] Quick Draw Queries: Lightweight Searchable Public- ...
48. [2026/704] Fast Isogeny Evaluation on Binary Curves
49. [2026/705] Cross-Paradigm Models of Restricted Syndrome ...
50. [2026/706] Improved Cryptanalysis of the Permuted Kernel ...
51. [2026/707] Alternating Sponge: A Low-Memory Hash Function with ...
52. [2026/708] Block Circulant Codes for Ethereum PeerDAS
53. [2026/709] zkRAG: Efficiently Proving RAG Retrieval in Zero ...
54. [2026/710] Optimizing and Implementing Threshold MAYO
55. [2026/711] Drop-In Masked Modular Reduction for ML-DSA: ...
## 2025/871
* Title: Simple and Efficient Lattice Threshold Signatures with Identifiable Aborts
* Authors: Rafael del Pino, Thomas Espitau, Guilhem Niot, Thomas Prest
* [Permalink](https://eprint.iacr.org/2025/871)
* [Download](https://eprint.iacr.org/2025/871.pdf)
### Abstract
We introduce simple yet efficient lattice-based threshold signatures with identifiable aborts, secure under the MLWE assumption. Central to our construction are novel Distributed Key Generation with Short Shares (sDKG) protocols over lattices, ensuring short shares, small reconstruction coefficients, and linear evaluation of honest shares. This
uniquely realizes the "threshold designer's dream": signature shares double as valid signatures under the corresponding secret key shares. With two concrete instantiations (ramp and replicated secret sharings), our schemes match Threshold Raccoon (del Pino et al. EUROCRYPT 2024)rCOs compact ~10kB size. Further, we unveil 'Death Star Detection', a new algorithm that enhances identifiable aborts by efficiently spotting short vector adversarial correlations, of interest beyond threshold signatures.
## 2025/985
* Title: Tighter Quantum Security for Fiat-Shamir-with-Aborts and Hash-and-Sign-with-Retry Signatures
* Authors: Pouria Fallahpour, Serge Fehr, Yu-Hsuan Huang
* [Permalink](https://eprint.iacr.org/2025/985)
* [Download](https://eprint.iacr.org/2025/985.pdf)
### Abstract
We revisit the quantum security (in the QROM) of digital signature schemes that follow the Fiat-Shamir-with-aborts (FSwA) or the probabilistic hash-and-sign with retry/abort (HSwA) design paradigm. Important examples of such signature schemes are Dilithium, SeaSign, Falcon+ and UOV. In particular, we are interested in the UF-CMA-to-UF-NMA reduction for such schemes. We observe that previous such reductions have a reduction loss that is larger than what one would hope for, or require a more stringent notion of zero-knowledge than one would hope for.
We resolve this matter here by means of a novel UF-CMA-to-UF-NMA reduction that applies to FSwA and HSwA signature schemes simultaneously, and that offers an improved reduction loss (without making the zero-knowledge assumption more stringent).
## 2026/177
* Title: A Practical Neighborhood Search Attack on Oracle MLWE
* Authors: Hongxiao Wang, Muhammed F. Esgin, Ron Steinfeld, Markku-Juhani O. Saarinen, Siu-Ming Yiu
* [Permalink](https://eprint.iacr.org/2026/177)
* [Download](https://eprint.iacr.org/2026/177.pdf)
### Abstract
The Oracle Module Learning with Errors (Oracle MLWE) assumption, recently introduced by Liu et al. (Asiacrypt~2025), strengthens standard (Module) LWE by allowing masked linear leakages of the secret under an adversarially-chosen challenge matrix. This feature is used for the construction of new efficient primitives such as Oracle MLWE-based multi-message multi-recipient KEM/PKE (mmKEM/mmPKE) without requiring public-key well-formedness proofs. In this work, we present a practical cryptanalytic attack on Oracle MLWE, which we call a neighborhood search attack. Our attack exploits adversarially-chosen matrices (or maliciously generated public keys), together with the small ring dimension and small-norm secrets required for correctness, showing that rounding errors can be recovered via a bounded search, leading to recovery of the underlying MLWE secret. To demonstrate the effectiveness of our attack, we apply it against the Oracle MLWE-based mmKEM of Liu et al. (Asiacrypt~2025), proving that its recommended parameter sets do not achieve the claimed security level. We further implement the attack in SageMath and report concrete timings, showing that an adversary controlling a moderate number of recipients can recover other recipients' encapsulated keys within a few seconds on a standard PC under the proposed parameters, which were claimed to achieve a 128-bit security level.
## 2026/252
* Title: At-Compromise Security: The Case for Alert Blindness
* Authors: Martin R. Albrecht, Simone Colombo, Benjamin Dowling, Rikke Bjerg Jensen
* [Permalink](https://eprint.iacr.org/2026/252)
* [Download](https://eprint.iacr.org/2026/252.pdf)
### Abstract
We start from the observation in prior work that cryptography broadly intuits security goals rCo as modelled in games or ideal functionalities rCo while claiming realism. This stands in contrast to cryptographyrCOs attentive approach towards examining assumptions and constructions through cryptanalysis and reductions. To close this gap, we introduce a technique for determining security goals. Given that games and ideal functionalities model specific social relations between various honest and adversarial parties, our methodology is ethnography: a careful social science methodology for studying social relations in their contexts. As a first application of this technique, i.e.-aethnography in cryptography, we study security at-compromise (neither pre- nor post-) and introduce the security goal of alert blindness. Specifically, in our 2024/2025 six-and-a-half-month ethnographic fieldwork with protesters in Kenya, we observed that alert blindness captures a security goal of abducted persons who were taken by Kenyan security forces for their presumed activism. We show this notion is achievable under standard assumptions by providing a construction secure in our model. We discussed both the notion and the construction with some interlocutors in Kenya.
## 2026/280
* Title: Reducing the Number of Qubits in Quantum Discrete Logarithms on Elliptic Curves
* Authors: Cl|-mence Chevignard, Pierre-Alain Fouque, Andr|- Schrottenloher
* [Permalink](https://eprint.iacr.org/2026/280)
* [Download](https://eprint.iacr.org/2026/280.pdf)
### Abstract
Solving the Discrete Logarithm problem on the group of points of an elliptic curve is one of the major cryptographic applications of Shor's algorithm. However, current estimates for the number of qubits required remain relatively high, and notably, higher than the best recent estimates for factoring of RSA moduli. For example, recent work by Gidney (arXiv 2025) estimates 2043 logical qubits for breaking 3072-bit RSA, while previous work by H|nner et al. (PQCrypto 2020) estimates a requirement of 2124 logical qubits for solving discrete logarithm instances on 256-bit elliptic curves over prime fields. Indeed, for an $n$-bit elliptic curve, the most space-optimized optimized implementation by Proos and Zalka (Quant. Inf. Comput. 2003) gives $5n + o(n)$ qubits, as more additional space is required to store the coordinates of points and compute the addition law.
In this paper, we propose an alternative approach to the computation of point multiplication in Shor's algorithm (on input $k$, computing $k P$ where $P$ is a fixed point). Instead of computing the point multiplication explicitly, we use a Residue Number System to compute directly the projective coordinates of $k P$ with low space usage. Then, to avoid performing any modular inversion, we compress the result to a single bit using a Legendre symbol.
This strategy allows us to obtain the most space-efficient polynomial-time algorithm for the ECDLP to date, with only $3.12n + o(n)$ qubits, at the expense of an increase in gate count, from $\mathcal{O}(n^3)$ to $\widetilde{\mathcal{O}}(n^4)$. For $n = 256$ we estimate that 1098 qubits would be necessary, with 22 independent runs, using $2^{38.10}$ Toffoli gates each. This represents a much higher gate count than the previous estimate by H|nner et al. (roughly $2^{30}$), but half of the corresponding number of qubits (2124).
## 2026/316
* Title: GG-GSW: Chosen-Ciphertext Secure Leveled FHE From Gadget Trapdoors
* Authors: J|-r||me Nguyen
* [Permalink](https://eprint.iacr.org/2026/316)
* [Download](https://eprint.iacr.org/2026/316.pdf)
### Abstract
We build a leveled fully homomorphic encryption (FHE) scheme that achieves IND-CCA1 security under the learning with errors (LWE) assumption in the standard model. It is the first scheme of this kind that does not rely on succinct non-interactive arguments of knowledge (SNARK) to obtain security against active adversaries. Instead, we use the gadget lattice trapdoors introduced by Micciancio and Peikert [Eurocrypt 2012] in combination with a dual version of the GSW FHE scheme [Gentry, Sahai, Waters, Crypto 2013]. Instead of proving the integrity of a ciphertext with a SNARK, we use the gadget trapdoor to recover the LWE noise of a ciphertext. This ensures IND-CCA1 security because it allows us to determine whether a ciphertext queried to the decryption oracle will reveal information about the secret key to an adversary.
Our scheme is fully compact, multi-hop and requires very few changes to the original GSW scheme beyond the key generation and decryption algorithm. In particular, the homomorphic operations remain unchanged. We also follow ideas from Bourse et al. [Crypto 2016] to obtain IND-CPA-D security almost for free, without requiring correctness.
## 2026/334
* Title: Tripling on Hessian curves via isogeny decomposition
* Authors: Thomas Decru, Sabrina Kunzweiler
* [Permalink](https://eprint.iacr.org/2026/334)
* [Download](https://eprint.iacr.org/2026/334.pdf)
### Abstract
We provide a new interpretation of the arithmetic on Hessian Kummer lines using level-3 theta structures. This allows us to break the record for tripling on elliptic curves and their Kummer lines, requiring only 4 multiplications and 4 squarings per tripling for well-chosen curve parameters.
## 2026/357
* Title: Simulating Noisy Leakage with Bounded Leakage: Simpler, Better, Faster * Authors: Julien B|-guinot, Ananta Mukherjee, Maciej Obremski, Jo|uo Ribeiro, Lawrence Roy, Fran|oois-Xavier Standaert, Daniele Venturi
* [Permalink](https://eprint.iacr.org/2026/357)
* [Download](https://eprint.iacr.org/2026/357.pdf)
### Abstract
Theoretical treatments of leakage-resilient cryptography typically work under the assumption that the leakage learned by the adversary (e.g., about an n-bit secret key) is arbitrary but bounded, in the sense that the leakage is an l-bit string for some threshold l significantly smaller than n. On the other hand, real-world side-channel attacks on physical implementations of cryptographic protocols produce leakage transcripts that are much longer than n. However, unlike the bounded leakage model, these transcripts are inherently noisy. We would like to generically claim that cryptographic schemes resilient to bounded leakage are also resilient to realistic noisy leakages. This boils down to showing that noisy leakages can be simulated using only one bounded leakage query. Prior work (EUROCRYPT 2021 and CRYPTO 2024) made important progress on this problem. Yet, barriers to applicability and interpretability remain, such as the need for large noise levels, the difficulty to estimate the necessary parameters of the leakage distributions, undesirable independence assumptions, and inefficient simulation in certain regimes. In this work, we resolve (or make progress towards resolving) these shortcomings:
1. We show that simple modifications to the simulation strategies in prior work simultaneously allow a cheaper computation of simulation parameters and better parameters than previous results.
2. Leveraging the first item, we obtain a reduction whose amount of extra bounded leakage to simulate correlated signals only increase very mildly. This captures the limited incentive for an adversary to oversample a side-channel signal leading to correlated signal, improving previous results treating these samples as independent.
3. We establish a new ``bounded leakage vs.\ simulation efficiency'' tradeoff, roughly trading $\mathcal{O}(\Delta)$ bits leaked by the bounded leakage query for a $\frac{2^{\Delta}}{\mathrm{poly}(\Delta)}$-factor reduction in simulation complexity. This widens the applicability of our results in the context of computational security, as former simulators were only efficient when simulating from $\mathcal{O}(\log \lambda)$ bits of bounded leakage, with $\lambda$ the security parameter.
## 2026/419
* Title: Hermine: An Efficient Lattice-based FROST-like Threshold Signature
* Authors: Giacomo Borin, Sof|!a Celi, Rafael del Pino, Thomas Espitau, Shuichi Katsumata, Guilhem Niot, Thomas Prest, Kaoru Takemure
* [Permalink](https://eprint.iacr.org/2026/419)
* [Download](https://eprint.iacr.org/2026/419.pdf)
### Abstract
Threshold signatures have regained a strong interest recently, driven by applications in cryptocurrencies and NIST's ongoing call for threshold schemes. Among them, FROST - a classical threshold Schnorr signature scheme already in real-world deployment - stands out. Its appeal lies in three core features: partially non-interactive signing, non-interactive identifiable abort (IA), and proactive security. In contrast, while post-quantum (PQ) threshold signatures have seen significant advances in recent years, no existing scheme simultaneously provides even two of these features. Considering the imminent need to migrate to PQ cryptography, this state-of-the-art remains unsatisfactory.
In this work, we propose Hermine, a lattice-based threshold signature that offers the full feature set of FROST under standard lattice assumptions. Hermine is designed to efficiently support the Medium scale of parties ($N \le 64$) as defined in the NIST threshold call, producing a small \Raccoon signature of size $11$ KB. Our main technical contribution is introducing an everywhere-short secret sharing, which splits a short secret vector $\mathbf{s} \in R_q^\ell$ into short shares and admits a short linear reconstruction algorithm. While the resulting construction appears intuitive, its security proof requires a non-trivial, fine-grained analysis of the information on $\mathbf{s}$ that is inherently leaked by the short shares. Furthermore, we formalize game-based unforgeability and IA definitions with proactive security, which may be of independent interest.
## 2026/664
* Title: Expanders Meet Reed-Muller: Easy Instances of Noisy k-XOR
* Authors: Jaros+eaw B+easiok, Paul Lou, Alon Rosen, Madhu Sudan
* [Permalink](https://eprint.iacr.org/2026/664)
* [Download](https://eprint.iacr.org/2026/664.pdf)
### Abstract
In the noisy $k$-XOR problem, one is given $y \in \mathbb F_2^M$ and must distinguish between the case where $y$ is uniform and the case where $y = Ax + e$, where $A$ is the adjacency matrix of a $k$-left-regular bipartite graph with $N$ variables and $M$ constraints, $x \in \mathbb F_2^N$ is random, and $e$ is noise with rate $\eta$. Lower bounds in restricted computational models such as Sum-of-Squares and low-degree polynomials are closely tied to the expansion of the underlying constraint graph, leading to conjectures that expansion implies hardness. We show that such conjectures are false by constructing an explicit family of graphs with near-optimal expansion for which noisy $k$-XOR is solvable in polynomial time.
Our construction combines two powerful directions of work in pseudorandomness and coding theory that have not been previously put together. Specifically, our graphs are based on the lossless expanders of Guruswami, Umans and Vadhan (JACM 2009). Our key insight is that by an appropriate interpretation of the vertices of their graphs, the noisy XOR problem turns into the problem of decoding Reed-Muller codes from random errors. Then we build on a powerful body of work from the 2010s correcting from large amounts of random errors. Putting these together yields our construction.
Concretely, we obtain explicit families for which noisy $k$-XOR is solvable in polynomial time at constant noise rate $\eta = 1/3$, with graphs satisfying $M = 2^{O(\log^2 N)}$, $k = (\log N)^{O(1)}$, and $(N^{1-\alpha}, 1-o(1))$-expansion. Under standard conjectures on Reed--Muller codes over the binary erasure channel, this extends to families with $M = N^{O(1)}$, $k = (\log N)^{O(1)}$, $(N^{1-\alpha}, 1-o(1))$-expansion, and polynomial-time algorithms at noise rate $\eta = N^{-c}$.
## 2026/666
* Title: Signature Placement in Post-Quantum TLS Certificate Hierarchies: An Experimental Study of ML-DSA and SLH-DSA in TLS 1.3 Authentication
* Authors: Jos|- Luis Delgado
* [Permalink](https://eprint.iacr.org/2026/666)
* [Download](https://eprint.iacr.org/2026/666.pdf)
### Abstract
Post-quantum migration in TLS 1.3 should not be understood as a flat substitution problem in which one signature algorithm is replaced by another and the resulting deployment cost is read directly from primitive-level benchmarks. In certificate-based authentication, the practical effect of a signature family depends on where it appears in the certification hierarchy, how much of that hierarchy is exposed during the handshake, and how the resulting cryptographic burden is distributed across client and server roles. This makes post-quantum TLS migration a problem of cryptographic design in authenticated key establishment, rather than merely a matter of algorithm selection.
This paper presents a local experimental study of TLS 1.3 authentication strategies built on OpenSSL 3 and oqsprovider. Using a reproducible laboratory, it compares ML-DSA and SLH-DSA across multiple certificate placements, hierarchy depths, and key-exchange modes, including classical, hybrid, and pure post-quantum configurations. The analysis is organized around four complementary campaigns: a leaf-only comparison, a full hierarchy strategy matrix, a depth comparison, and a key-exchange exploration.
Across the experimental matrix, the clearest discontinuity appears when SLH-DSA is placed in the server leaf certificate. In that configuration, handshake latency and server-side compute cost increase by orders of magnitude, while strategies that confine SLH-DSA to upper trust layers and preserve ML-DSA in the interactive leaf remain within a substantially more plausible operational range. The results further show that transport size alone does not explain the heavy regime: outside leaf-SLH scenarios, transferred bytes and observed chain size track latency closely, but once SLH-DSA reaches the leaf, server-side cryptographic cost becomes dominant.
The paper therefore argues that post-quantum TLS migration is best evaluated as a problem of certificate-hierarchy design, chain exposure, and cryptographic cost concentration during live authentication. In practical terms, signature placement matters at least as much as signature-family choice.
## 2026/668
* Title: Cryptographic Implications of Worst-Case Hardness of Time-Bounded Kolmogorov Complexity
* Authors: Yanyi Liu, Noam Mazor, Rafael Pass
* [Permalink](https://eprint.iacr.org/2026/668)
* [Download](https://eprint.iacr.org/2026/668.pdf)
### Abstract
We consider the worst-case hardness of the gap version of the classic time-bounded Kolmogorov complexity problemrCo$Gap_pMK^tP[s_1,s_2]$rCowhere the goal is to determine whether for a given string x, $K^t(x) rens_1(n)$ or $K^{p(t)}(x) > s_2(n)$, where $K^t(x)$ denotes the t-bounded Kolmogorov complexity of x. As shown by Hirahara (STOCrCO18), if $Gap_pMK^tP[s_1,s_2] \notin prBPP$ for every polynomial p, then (under appropriate derandomization assumption) $Gap_pMK^tP$ is errorless average-case hard with respect to BPP heuristics. The notion of errorless average-case hardness, however, is seemingly insufficient for cryptographic applications where one needs to consider average-case hardness against attacks that simply may err with some probability (i.e., two-sided error hardness).
In this work, we present several new consequences of the assumption that $Gap_pMK^tP[s_1,s_2]\notin
P/poly$ for all polynomials p, for appropriate choices of $s_1$,$s_2$, and under appropriate (worst-case) derandomization assumptions. In particular, we show that this assumption implies:
- The existence of an (inefficient-prover) zero-knowledge proof system for NP with a non-uniform simulator w.r.t. adversaries with a-priori bounded-length auxiliary-input.
- The existence of a hard disjoint NP pair, defined as a promise problem $(Y,N)$ where both $Y,N\in NP$; this provides a barrier towards showing that $Gap_pMK^tP$ is NP-complete.
The above results are proven via first showing that the above assumption implies the existence of a so-called conditional PRGrCoroughly speaking, a cryptographic PRG where indistinguishability only needs to hold for some (potentially not efficiently sampleable) distribution over the seed to
the PRG. (In fact, this notion of a PRG also almost directly implies average-case hardness of $Gap_pMK^tP$, and as such, this provides a modular explanation to HirahararCOs results.)
Finally, we show that for the results on conditional PRGs and Zero-knowledge Proofs, unconditional results can be obtained (that is, without making any derandomization assumptions),
if considering an appropriate version of $Gap_pMK^tP$ concerning randomized $K^t$.
## 2026/669
* Title: Braess Paradox in Layer-2 Blockchain Payment Networks
* Authors: Arad Kotzer, Ori Rottenstreich
* [Permalink](https://eprint.iacr.org/2026/669)
* [Download](https://eprint.iacr.org/2026/669.pdf)
### Abstract
Payment channel networks (PCNs) are a leading method to deal with the scalability limitations of blockchain networks. PCNs allow users to execute transactions without committing them to the blockchain by relying on predefined payment channels. Transactions between pairs of users without a connecting channel are also supported through a path of multiple channels. Serving such transactions involves fees paid to intermediate users. In this paper, we uncover the potential existence of the Braess paradox in payment networks: Sometimes, establishing a new payment channel can increase the fees paid for serving some fixed transactions. We study conditions for the paradox to appear under two different models of fees: Liquidity-based fees as a function of the transaction value jointly with the channel liquidity values and proportional fees which are based only on the transaction value. We also provide indications for the appearance of the paradox based on real data from Lightning, a popular payment channel network of Bitcoin. Last, we discuss methods to mitigate the paradox upon establishing a new payment channel.
## 2026/670
* Title: Verification Facade: Masquerading Insecure Cryptographic Implementations as Verified Code
* Authors: Nadim Kobeissi
* [Permalink](https://eprint.iacr.org/2026/670)
* [Download](https://eprint.iacr.org/2026/670.pdf)
### Abstract
Hax is a verification pipeline that translates a subset of Rust into F*, enabling machine-checked proofs of panic freedom and functional correctness for cryptographic implementations being developed in partnership with Google and tested in Signal's post-quantum protocol.
We study whether hax's translation preserves the security properties it claims to verify. Through a structural analysis of its 35-phase transformation engine, F* proof libraries, and specification API, we identify three classes of semantic gap between the Rust source and the F* verification target: translation infidelity, where pipeline transformations distort security-relevant semantics; unverifiable trust boundaries, where operations are axiomatized without postconditions; and specification gaming, where escape hatches inject unproven facts into the verification context.
We demonstrate each class through five proof-of-concept exploits against ML-DSA (FIPS 204), ML-KEM (FIPS 203), Ed25519 (FIPS 186-5), and ChaCha20 (RFC 8439). Every exploit meets a strict criterion: the Rust code compiles, passes functional tests, and extracts to F* without warnings, while harboring a security gap invisible to testing.
We distinguish three gradations: facade gaps where the F* model actively diverges from Rust semantics, a conditional gap dependent on the compilation mode, and a scope gap where the model is faithful but cannot cover a critical property. We call the resulting phenomenon a verification facade: verification that is performed but covers less than it appears to cover.
## 2026/671
* Title: A note on the Unsuitability of LIGA for Linkable Ring Signatures: The perils of non-commutativity
* Authors: I|#igo Diaz Iribarnegaray, V|iclav Gregor, Florian LrCO|-cu Leal
* [Permalink](https://eprint.iacr.org/2026/671)
* [Download](https://eprint.iacr.org/2026/671.pdf)
### Abstract
In this work, we study the proposal for a linkable ring signature (LRS) in [KTS+24]. It is instantiated from the group action based
framework described in [BKP20], using the Lattice Isomorphism
Group Action (LIGA), meaning that the security of the signature rests on the famous Lattice Isomorphism Problem (LIP).
We will show that this signature does not in fact fit the requirements to be a linkable ring signature, despite the guarantees of the [BKP20] framework, due to it straying from that framework by using a non-commutative group for the
group actions. More specifically, we will show that the signature from [KTS+24] satisfies neither the property of correctness nor
linkability, which are required of a LRS.
This further damages the signature, as it was already shown in
[BCF25] that the linkable anonymity property of [KTS24+]
isn't satisfied.
The group used in LIGA is the group of invertible integer matrices: $\mathrm{GL}_n(\mathbb{Z})$. As the main obstacle in successfully applying the framework mentioned
above to construct a LRS based on LIP is the fact that this group
is non-commutative, we try fixing the signature by restricting
the secret key space to a commutative subgroup of $\mathrm{GL}_n(\mathbb{Z})$. However, we will see that finding a commutative subgroup of $\mathrm{GL}_n(\mathbb{Z})$ that
maintains the hardness of the underlying LIP, and that at the same time
is realistic to use is not as easy as it may seem.
## 2026/672
* Title: FLOSS: Fast Linear Online Secret-Shared Shuffling
* Authors: Ian Chang, Sela Navot, Alex Ozdemir, Nirvan Tyagi
* [Permalink](https://eprint.iacr.org/2026/672)
* [Download](https://eprint.iacr.org/2026/672.pdf)
### Abstract
Randomly permuting secret data vectors is a core building block in many privacy-preserving protocols, including those for analytics, advertising, and communication.
Existing approaches either rely on computation-heavy public key cryptography and zero-knowledge proofs or scale poorly for large vectors due to use of a quasilinear-sized permutation network. This work presents a preprocessing approach to enable fast linear-time online shuffles in the malicious-secure two-party computation (2PC) setting. We propose FLOSS, a 2PC protocol for securely computing any interactive arithmetic permutation circuit, a notion we introduce to capture how higher level protocols are built on secret-shared field arithmetic and permutations. We show how secret-shared sorting (a subprotocol in data analytics) can be described as an arithmetic permutation circuit, and can thus be compiled to an efficient online 2PC protocol using FLOSS. Our implementation and evaluation confirm FLOSS performs online shuffles fast: shuffling $2^{20}$ elements in under 500ms, greater than $800\times$ faster than state-of-the-art alternatives.
## 2026/673
* Title: Efficient Merkle-Tree Consistent Accumulator
* Authors: Anna Mendonca, Hudson Shi, Triet (PJ) Huynh, Ivan Pryvalov, Amir Herzberg
* [Permalink](https://eprint.iacr.org/2026/673)
* [Download](https://eprint.iacr.org/2026/673.pdf)
### Abstract
A consistent accumulator computes a digest for a
dynamically-growing set of elements, with a proof of consistency of
the new digest with the previous digests. Consistent accumulators
are in wide use, in particular, by Certificate Transparency (CT),
which is part of the Web PKI, and in blockchains.
We present a significantly more efficient design for a consistent
accumulator. Our design is compatible with the CT specifications;
similarly to the widely-used, open-source CT implementation,
it uses a Merkle tree, but much more efficiently. We provide
open source implementation, security analysis and experimental
evaluation showing the performance improvements.
## 2026/674
* Title: Efficient Batch Threshold Encryption Using Partial Fraction Techniques * Authors: Dan Boneh, Rohit Nema, Arnab Roy, Ertem Nusret Tas
* [Permalink](https://eprint.iacr.org/2026/674)
* [Download](https://eprint.iacr.org/2026/674.pdf)
### Abstract
Batch encryption enables a holder of the secret key to publish a succinct pre-decryption key for a set of ciphertexts, such that exactly that set can be decrypted while other ciphertexts remain secret. Existing constructions either rely on epochs or, when epochless, suffer from large public parameters (quadratic in the batch size) and are vulnerable to censorship. In this work, we present an epochless, censorship-resistant batch encryption scheme with linear-sized public parameters, constant-sized pre-decryption keys and ciphertexts, and efficient batch decryption. Our construction extends the partial fraction techniques of Jutla, Nema, and Roy's threshold encryption scheme: we exploit partial fraction decomposition such that publishing a single group element as the pre-decryption key lets the decryptor decrypt all ciphertexts in the batch. We prove CCA security of our scheme, and show how to thresholdize it. Our results directly benefit applications such as encrypted mempools for MEV mitigation and time-lock encrypted storage.
## 2026/675
* Title: SoK: DeFi Lending and Yield Aggregation Protocol Taxonomy, Empirical Measurements, and Security Challenges
* Authors: Arad Kotzer, Tom Azoulay, Yoad Abels, Aviv Yaish, Ori Rottenstreich * [Permalink](https://eprint.iacr.org/2026/675)
* [Download](https://eprint.iacr.org/2026/675.pdf)
### Abstract
Decentralized Finance (DeFi) lending protocols implement programmable credit markets without intermediaries. This paper systematizes the DeFi lending ecosystem, spanning collateralized lending (including over- and under- collateralized designs, and zero-liquidation loans), uncollateralized primitives (e.g., flashloans), and yield aggregation protocols which allocate capital across underlying lending platforms. Beyond a taxonomy of mechanisms and comparing protocols, we provide empirical on-chain measurements of lending activity and user behavior, using Compound V2 and AAVE V2 as case studies, and connect empirical observations to protocol design choices (e.g., interest-rate models and liquidation incentives). We then characterize vulnerabilities that arise due to notable designs, focusing on interest-rate setting mechanisms and time-measurement approaches. Finally, we outline open questions at the intersection of mechanism design, empirical measurement and security for future research.
## 2026/676
* Title: An Efficient Identity-Based Blind Signature Scheme from SM9
* Authors: Zhiwei Wang
* [Permalink](https://eprint.iacr.org/2026/676)
* [Download](https://eprint.iacr.org/2026/676.pdf)
### Abstract
Blind signatures are a fundamental cryptographic primitive enabling privacy-preserving protocols such as e-cash, e-voting, and anonymous authentication. However, achieving both formal security and compatibility with existing national cryptographic standards remains an open challenge. In this paper, we propose an efficient identity-based blind signature (IBBS) scheme constructed directly upon the SM9 Chinese national cryptographic standard (GM/T 0044-2016 / ISO/IEC 14888-3:2018). Our scheme is standard-compatible in the sense that the output signature \((h, S)\) passes the unmodified SM9 verification algorithm without any additional post-processing. We provide a rigorous formal security model encompassing one-more unforgeability and perfect blindness under the random oracle model. One-more unforgeability is reduced to the \(q\)-Strong Bilinear Diffie-Hellman (\(q\)-SBDH) assumption, while perfect blindness holds information-theoretically (i.e., without any computational assumption). We compare our construction against five representative SM9-related and identity-based blind signature schemes, demonstrating a reduction of at least 60\% in pairing operations and approximately 73\% in total signing latency relative to the state-of-the-art multifactor SM9 blind signature of Zhang et al.~\cite{Zhang2025}. Furthermore, we show how our scheme can be naturally extended to support partial blindness, thereby broadening its applicability to auditable e-voting and conditional anonymous credentials.
## 2026/677
* Title: SPLASH: SPeculative Leakage-Adaptive Secure Hardware
* Authors: Huimin Li, Mohamadreza Rostami, Pallavi Borkar, Lichao Wu, Ahmad-Reza Sadeghi
* [Permalink](https://eprint.iacr.org/2026/677)
* [Download](https://eprint.iacr.org/2026/677.pdf)
### Abstract
Modern processors are largely fixed at the time of fabrication, rendering post-silicon security updates infeasible. This lack of flexibility is especially problematic for speculative execution attacks, which exploit microarchitectural optimizations to leak sensitive information through transient execution. However, existing defenses are typically hardwired, narrowly scoped, and non-adaptive.
Once deployed, these defenses lack the flexibility to respond to new attack variants, creating a critical security gap.
This paper presents SPLASH, a novel and adaptive framework for comprehensively mitigating speculative execution vulnerabilities across processor components. SPLASH introduces two primary contributions: (i) we introduce Speculative Information Flow Tracking (SIFT), which enables fine-grained tracking of speculative data propagation throughout the microarchitecture; (ii) the reconfigurable speculative table provides, for the first time, enforceable and fully configurable control over speculative behavior across the processor pipeline. SPLASH is runtime-configurable, allowing dynamic security policy adjustments post-fabrication, such as tuning the speculative window size or selectively protecting specific microarchitectural structures, without requiring hardware redesign.
We implement SPLASH on both the small and medium BOOM processors and evaluate its effectiveness in mitigating speculative leakage vulnerabilities. SPLASH successfully mitigates all types of speculative execution attacks. In terms of computation overhead, SPLASH incurs only 0.05% overhead on small BOOM and 1.23% on medium BOOM on average compared with the baseline.
Compared to the best performing state-of-the-art defenses, SPLASH reduces overhead by 129.2X and 1.2X, respectively, with negligible hardware cost.
## 2026/678
* Title: Mergeable SNARGs for Trapdoor Languages and Their Applications
* Authors: Zvika Brakerski, Maya Farber Brodsky, Omer Paneth, Tomer Solomon
* [Permalink](https://eprint.iacr.org/2026/678)
* [Download](https://eprint.iacr.org/2026/678.pdf)
### Abstract
We present a new method for merging short computationally sound proofs (SNARGs). Intuitively, this means going from short proofs of two statements to a short proof of a statement that is a ``logical consequence'' of the two.
Our work is the first to handle an unbounded polynomial number of recursive merges with arbitrary topology. Unlike prior works, the running time of our security reduction grows only with the depth of the merging process, and not with the associated ``tree size", which could be exponentially larger.
Our method is only applicable to so-called ``trapdoor languages'', where the validity of a statement can be decided in polynomial time given a trapdoor. Importantly, this trapdoor needs not be known for generating or verifying proofs, and is only used in the security reduction. We present constructions from sub-exponential iO and from LWE, where the former yields fully compact proofs, while in the latter the proof size scales with the depth of the merging process.
We show the usefulness of our method by presenting the first CCA1-secure multi-hop fully homomorphic encryption, from either iO or LWE.
We also present the first adaptive multi-hop aggregate signature scheme from LWE.
## 2026/679
* Title: Compressed Key Exchange Protocol from Orientations of Large Discriminant Using AVX-512
* Authors: Yuhao Zheng, Jianming Lin, Yutong Liang, Yanzhen Ren, Huixin Zhang, Chang-An Zhao
* [Permalink](https://eprint.iacr.org/2026/679)
* [Download](https://eprint.iacr.org/2026/679.pdf)
### Abstract
CSIDH (Commutative Supersingular Isogeny Diffie--Hellman) is a class-group-based key-exchange protocol operated on supersingular elliptic curves, which, at the time of its proposal, exhibited several attractive selling points such as non-interactivity. Unfortunately, CSIDH is vulnerable to the sub-exponentiation attack--Kuperberg's algorithm, thereby requiring large parameters to ensure security. A recent work based on oriented elliptic curves with large discriminants, proposed by Houben, allows for a significantly small base field (around 255 bits). We name this protocol CSIDH-LDO. However, the practicality of CSIDH-LDO is currently hindered by the necessity of performing multiple group actions and its huge public-key size.
In this paper, we address these bottlenecks by presenting highly optimized constant-time implementations alongside an effective public-key compression framework for CSIDH-LDO. We combine algorithmic improvements, specifically scalar multiplication by differential addition chains and isogeny computation on the twisted Edwards model, with \textit{limb-slicing} to exploit parallelism via Intel's AVX-512 instructions. To resolve the architectural mismatch when mapping $r \in \{7, 13\}$ group actions to 8-lane SIMD registers, we evaluate two parallel scheduling strategies. While a dummy-based approach allows us to leverage efficient $\mathbb{F}_{p^2}$-arithmetic, our dummy-free strategy systematically exploits internal parallelism to fully saturate the 512-bit vectors without redundant computations. Benchmarks on an Intel Tiger Lake processor demonstrate our parallel implementations achieve speedups of up to 3.40$\times$ (AVX-512F) and 7.30$\times$ (AVX-512IFMA) over an optimized x64 assembly baseline.
Furthermore, we establish a formal framework for public-key compression tailored for CSIDH-LDO. Specifically, we propose two efficient techniques that achieve a compact public key representation of approximately $(r+2)\log_2(p)$ bits, thereby significantly reducing communication bandwidth. To the best of our knowledge, this work is the first to demonstrate the efficacy of SIMD parallelization combined with optimized compression for isogeny-based protocols derived from orientations of large discriminants.
## 2026/680
* Title: Open Problems in List Decoding and Correlated Agreement
* Authors: Gal Arnon, Dan Boneh, Giacomo Fenzi
* [Permalink](https://eprint.iacr.org/2026/680)
* [Download](https://eprint.iacr.org/2026/680.pdf)
### Abstract
The Ethereum Foundation recently announced the Proximity Prize which
aims to resolve some open problems that play an important role in the design of succinct proof systems. This paper reviews the open problems relevant to the Proximity Prize. We focus on some grand challenges relating to list decoding bounds, proximity gaps, correlated agreement, and mutual correlated agreement,as they relate to proof systems and Reed--Solomon codes. Along the way we survey the known results on these topics.
## 2026/681
* Title: The many faces of Schnorr: a touch-up
* Authors: Victor Shoup
* [Permalink](https://eprint.iacr.org/2026/681)
* [Download](https://eprint.iacr.org/2026/681.pdf)
### Abstract
In a previous paper [Shoup 2023], we presented a modular toolkit for analyzing threshold Schnorr signature schemes, built around "enhanced attack modes" in the non-distributed setting. In this note, we revisit the random oracle analysis of the combination of batch randomness extraction with re-randomized presignatures. We make the simulation argument fully explicit --- in particular, giving a careful analysis of what is leaked through the presignatures, the programmed hash values, and the signature values --- and fill in a gap in the treatment of batch re-randomization. We also give a simpler path to tight security bounds in the combined random oracle plus generic group model (ROM+GGM): rather than reducing to somewhat convoluted (if concrete) assumptions about the hash function within the GGM, we reduce in the ROM to an attack on the Schnorr interactive identification scheme, and then observe that the identification scheme is easily seen to be hard in the GGM.
## 2026/682
* Title: Witness-Indistinguishable Arguments of Knowledge and One-Way Functions * Authors: Gal Arnon, Noam Mazor, Rafael Pass, Jad Silbak
* [Permalink](https://eprint.iacr.org/2026/682)
* [Download](https://eprint.iacr.org/2026/682.pdf)
### Abstract
In this paper we study the cryptographic complexity of non-trivial witness-indistinguishable (WI) arguments of knowledge. We establish that:
- Assuming that $NP\not\subseteq P/poly$, the existence of a constant-round computational WI argument of knowledge for $NP$ implies that (infinitely-often) auxiliary-input one-way functions exist.
- Assuming that $ NP\nsubseteq P^{Sam}/poly$, there is no black-box construction of a constant-round (unbounded-verifier) statistical WI argument of knowledge from one-way permutations. Here, $Sam$ is the collision finder oracle of Haitner, Hoch, Reingold, and Segev [FOCS '07].
Moreover, we identify a natural class of knowledge extractors for which stronger versions of the above implications hold (e.g., even if the protocols have many rounds).
## 2026/683
* Title: VEIL: Lightweight Zero-Knowledge for Hash-Based Multilinear Proof Systems
* Authors: Rahul Dalal, Tamir Hemo, Eugene Rabinovich, Ron Rothblum
* [Permalink](https://eprint.iacr.org/2026/683)
* [Download](https://eprint.iacr.org/2026/683.pdf)
### Abstract
As efficient proof systems mature rapidly, more practical use cases that require zero-knowledge (ZK) guarantees are arising. Adding ZK typically requires either composing the non-zk base system with an expensive zk one that proves correctness of the cryptographic hashes performed by the base verifier, or alternatively making tightly coupled modifications to every component of the base protocol.
We introduce VEIL, a lightweight and non-intrusive compiler for hash-based multilinear proof systems. VEIL achieves ZK without these drawbacks. Our approach decouples the protocol's algebraic interactions from the cryptographic hashing and applies a ZK wrapper solely to the algebraic components. This results in a simple, plausibly post-quantum, protocol that achieves a minimal prover overhead of $(1+o(1))$, while maintaining the architectural integrity of the base proof system.
Our proof-of-concept implementation demonstrates that, over a $31$-bit base prime field, for a trace of $2^{29}$ field elements, compared to the non-zk proof system, VEIL has a prover overhead of about $3\%$, verifier overhead of $22\%$ and proof-size overhead of $12\%$.
## 2026/684
* Title: Zeal: PIR for Non-Cooperative Databases
* Authors: Javin Zipkin, Ofir Dvir, Divyakant Agrawal, Trinabh Gupta, Soamar Homsi
* [Permalink](https://eprint.iacr.org/2026/684)
* [Download](https://eprint.iacr.org/2026/684.pdf)
### Abstract
Private Information Retrieval (PIR), a set of techniques from the literature on cryptography, enables the retrieval of data from a public database while concealing the intent of those querying it, even when the database itself is untrusted. While the scalability of PIR has improved in recent years, its applicability remains limited due to the assumption that databases cooperate with users. PIR schemes usually require the database or website administrators to perform costly operations beyond servicing requests, which they have little incentive to do. In this paper, we introduce a new direction of PIR research that eliminates requirement of any special cooperation from the database and assumes the presence of a strong adversary that controls not only the database but also any third parties involved in the system. We present Zeal, the first `non-cooperative' PIR scheme that defends against a strong adversary. We also implement Zeal on AWS and evaluate its performance. Zeal has roughly three to four minutes of latency for a database with one million records, improving upon the latency of a naive solution by a factor of 50. We also prove and quantify Zeal's security using a differential privacy guarantee.
## 2026/685
* Title: Efficient e = 3 Threshold RSA via Integer Coordinates for Intel SGX
* Authors: Sam Ng, Jason Lau
* [Permalink](https://eprint.iacr.org/2026/685)
* [Download](https://eprint.iacr.org/2026/685.pdf)
### Abstract
Threshold RSA signatures face a fundamental obstacle: reconstructing the private exponent from Shamir shares requires Lagrange coefficients whose computation involves modular division by values tied to $\phi(N)$, which must remain hidden. This obstacle is particularly acute for critical deployments such as Intel SGX code signing, which mandates $e=3$. Existing $e=3$-compatible approaches incur substantial overhead, increased share sizes, or sacrifice security properties such as perfect secrecy. This work introduces the integer coordinate framework, achieving $e=3$ support with EUF-CMA security under the standard RSA assumption alone. By carefully selecting interpolation coordinates that yield integer-valued Lagrange coefficients, we eliminate all modular inversions modulo $\phi(N)$, requiring only standard integer arithmetic and modular exponentiation. The framework achieves $O(\kappa)$-bit share sizes, perfect secrecy, and computational efficiency previously unattained for $e=3$-compatible schemes.
Although we currently lack an efficient general algorithm for constructing coordinate sets for arbitrary $(t,n)$rCoa challenging open problem for future workrCothe coordinate families found via heuristic search achieve coverage for $2 \leq t \leq n \leq 9$ and selected $n=10$ configurations, sufficient for small boardroom-size deployments. The resulting online protocol is extremely simple and immediately enables practical $e=3$ threshold RSA for Intel SGX and similar applications.
## 2026/686
* Title: Secure MSM Outsourcing Computation for Zero-knowledge Proof Generation * Authors: Wujie Xiong, Arefeh Rahaei, Sangwon Shin, Xinxin Fan, Taeweon Suh, Veronika Kuchta, Sica Francesco, Weidong Shi, Lei Xu
* [Permalink](https://eprint.iacr.org/2026/686)
* [Download](https://eprint.iacr.org/2026/686.pdf)
### Abstract
Zero-knowledge proof (ZKP) schemes enable a prover to convince a verifier of the validity of a statement without revealing the underlying secret. These schemes have found extensive applications in secure communications, privacy-preserving transactions and blockchain technologies. However, the computational cost of proof generation remains a major obstacle to practical deployment. Although various acceleration techniques have been proposed, they often rely on specialized hardware that may not be locally available. A promising yet underexplored alternative is to offload computation to a more powerful third party, such as a cloud server, in a secure and efficient manner. Rather than outsourcing the entire proof generation process, selectively offloading the most computationally intensive operations offers greater flexibility and simplicity. In this work, we propose a secure outsourcing scheme for multi-scalar multiplication (MSM), which is the most computationally expensive operation in many widely used ZKP protocols. Our scheme enables users to delegate MSM computations to a server while preserving the confidentiality of the secret inputs (i.e., the scalars) and allowing verification of the serverrCOs output. Our performance analysis shows that the proposed scheme significantly reduces the computational burden on the user while imposing only minimal overhead on the server.
## 2026/687
* Title: High-Throughput Side-Channel-Protected Stream Cipher Hardware for 6G Systems
* Authors: Yuluan Cao, Cankun Zhao, Bohan Yang, Wenping Zhu, Hanning Wang, Min Zhu, Leibo Liu
* [Permalink](https://eprint.iacr.org/2026/687)
* [Download](https://eprint.iacr.org/2026/687.pdf)
### Abstract
Emerging 6G communication systems impose unprecedented requirements on cryptographic primitives, demanding ultra-high throughput, low latency, and strong resistance to implementation-level attacks. LOL2.0 is a recently proposed stream cipher framework that achieves high software efficiency and strong security in post-quantum settings. While several stream ciphers have been proposed to address performance demands, side-channel-protected hardware implementations capable of sustaining 6G-class throughput remain largely unexplored.
In this work, we present the first side-channel-protected hardware implementation that meets the 6G-class throughput demand. Focusing on the LOL2.0 stream cipher framework, we leverage Time Sharing Masking to achieve first-order security under the glitch-extended probing model. This design realizes full-phase protection covering initialization, keystream generation, and tag generation. To address diverse deployment requirements, we design two masked architectures: a compact variant optimized for area and randomness efficiency, and a fast variant targeting the maximum achievable throughput.
The proposed fast implementations achieve peak throughputs of 183 Gbps and 142 Gbps for the unmasked and masked configurations, respectively. Meanwhile, the compact architecture reduces hardware cost by achieving areas as low as 23.25 kGE and 141.98 kGE in unmasked and masked designs, respectively, while still maintaining competitive throughput. Security is validated through practical side-channel evaluations using Test Vector Leakage Assessment on FPGA platforms. Across up to 100 million measured power traces, no statistically significant first-order leakage is observed for any protected configuration.
Overall, this work realizes side-channel-protected stream cipher hardware that sustains ultra-high throughput, providing a concrete path toward secure cryptographic deployment in future 6G communication systems.
## 2026/688
* Title: Too Far Behind? Narrowing the Gap with a Dual-Enhanced Two-Stage Algebraic Framework for LWE
* Authors: Rui-Jie Wang, Hong-Sen Yang, Zhong-Xiao Wang, Qun-Xiong Zheng
* [Permalink](https://eprint.iacr.org/2026/688)
* [Download](https://eprint.iacr.org/2026/688.pdf)
### Abstract
The Learning with Errors (LWE) problem forms the foundation for numerous post-quantum cryptographic schemes, such as the NIST-selected CRYSTALS-KYBER and CRYSTALS-DILITHIUM. Algebraic analysis on LWE traditionally relies on solving the Arora-Ge system via Gr||bner bases, yet its performance is far from satisfactory when only a limited number of samples is available. Meanwhile, recent dual attacks have proven highly effective against concrete LWE-based algorithms. This gap motivates us to investigate whether integrating the technique from dual attacks into algebraic analysis can have a positive effect.
We propose a novel, two-stage algebraic algorithm for LWE. First, dual lattice reduction is applied to transform the original samples into a reduced dimension. From an algebraic perspective, this stage reduces the number of variables at the cost of increasing the noise. Second, instead of solving the classic Arora-Ge system, we introduce a new polynomial construction that exploits the error distribution and solves it via a resultant-based method. When given \(m = n\) samples, our two-stage algorithm yields better complexity estimates for CRYSTALS-KYBER than Gr||bner bases reported in SteinerrCOs work (Eurocrypt~2024). As an independent contribution, we show that for LWE with a small secret, applying the resultant-based method directly to the Arora-Ge system provides a provable complexity estimate that achieves an exponential speed-up over the proven bounds established by Steiner.
Finally, we show how various forms of side information---namely, perfect hints, modular hints, and approximate hints---can be systematically incorporated into our two-stage algorithm.
## 2026/689
* Title: Evaluating PQC KEMs, Combiners, and Cascade Encryption via Adaptive IND-CPA Testing Using Deep Learning
* Authors: Simon Calderon, Niklas Johansson, Onur G|+nl|+
* [Permalink](https://eprint.iacr.org/2026/689)
* [Download](https://eprint.iacr.org/2026/689.pdf)
### Abstract
Ensuring ciphertext indistinguishability is fundamental to cryptographic security, but empirically validating this property in real implementations and hybrid settings presents practical challenges. The transition to post-quantum cryptography (PQC), with its hybrid constructions combining classical and quantum-resistant primitives, makes empirical validation approaches increasingly valuable. By modeling indistinguishability under chosen-plaintext attack (IND-CPA) games as binary classification tasks and training on labeled ciphertext data with binary cross-entropy loss, we study deep neural network (DNN) distinguishers for ciphertext indistinguishability. We apply this methodology to PQC key encapsulation mechanisms (KEMs). We specifically test the public-key encryption (PKE) schemes used to construct examples such as ML-KEM, BIKE, and HQC. Moreover, a novel extension of this DNN modeling for empirical distinguishability testing of hybrid KEMs is presented. We implement and test this on combinations of PQC KEMs with unpadded RSA, RSA-OAEP, and plaintext. Finally, methodological generality is illustrated by applying the DNN IND-CPA classification framework to cascade symmetric encryption, where we test combinations of AES-CTR, AES-CBC, AES-ECB, ChaCha20, and DES-ECB. In our experiments on PQC algorithms, KEM combiners, and cascade encryption, no algorithm or combination of algorithms demonstrates a significant advantage (evaluated via two-sided binomial tests with significance level $\alpha = 0.01$), consistent with theoretical guarantees that hybrids including at least one IND-CPA-secure component preserve indistinguishability, and with the absence of exploitable patterns under the considered DNN adversary model. These illustrate the potential of using deep learning as an adaptive, practical, and versatile empirical estimator for indistinguishability in more general IND-CPA settings, allowing data-driven validation of implementations and compositions and complementing the analytical security analysis.
## 2026/690
* Title: Multivariate Witness-Hiding Adaptor Signatures
* Authors: Ayush Meshram, Ayush Banerjee
* [Permalink](https://eprint.iacr.org/2026/690)
* [Download](https://eprint.iacr.org/2026/690.pdf)
### Abstract
Adaptor signatures extend digital signatures with conditional disclosure capabilities, enabling atomic swaps, payment channels, and other advanced blockchain protocols. Although post-quantum adaptor signatures have been explored under lattice, isogeny, and coding-theoretic assumptions, no constructions have yet been realised from the multivariate quadratic (MQ) family of signatures. Classical algebraic adaptor techniques rely on embedding the witness into signing randomness, which is natural for discrete-log-based schemes but does not apply to MQ signatures such as UOV and MAYO: to the best of our knowledge, MQ signing randomness lacks the algebraic structure needed for witness embedding, and no such algebraic adaptor construction is currently known. This motivates a different approach. We propose MWAS, the first commitment-based adaptor-style construction for MQ signatures, specifically UOV and MAYO from the NIST PQC process, implemented via the Open Quantum Safe library. Our construction uses a lightweight HMAC-SHA256 commitment and a concatenation-based adaptation, supporting a hash-preimage witness relation. We prove correctness, witness hiding, and witness extractability in the ROM under MQ-hardness and PRF assumptions. A prototype implementation on a Raspberry Pi~5 shows pre-signature generation under 0.4~ms for UOV and 0.5--3.3~ms for MAYO across 128--256-bit security levels, with throughput up to 710~ops/s and public key sizes of 1.4~KB (MAYO) to 1.2~MB (UOV). These results indicate that commitment-based MQ adaptor signatures are a viable post-quantum option for settings where hash-preimage witness relations are appropriate.
## 2026/691
* Title: PipeSC: A Resource-efficient and Pipelined Hardware Accelerator for Sumcheck Protocol
* Authors: Kaixuan Wang, Yifan Yanggong, Xiaoyu Yang, Chenti Baixiao, Lei Wang * [Permalink](https://eprint.iacr.org/2026/691)
* [Download](https://eprint.iacr.org/2026/691.pdf)
### Abstract
Zero-knowledge Succinct Non-interactive Arguments of Knowledge (zk-SNARKs) are cryptographic protocols that allow a prover to convince verifiers of the correctness of a statement without revealing any additional information.
Recent zk-SNARK constructions have shifted from univariate to multivariate polynomial-based designs, reducing the proving complexity from quasilinear to linear by avoiding costly univariate polynomial interpolation.
This shift, however, makes the sumcheck protocolrCoa core primitive for verifying polynomial relations over the Boolean hypercuberCothe dominant component in the proverrCOs workload.
Consequently, the iterative nature and intensive intermediate data movement of the sumcheck protocol introduce severe performance bottlenecks in CPU- and GPU-based implementations, especially for large-scale multivariate polynomials.
In this paper, we present PipeSC, a resource-efficient, ASIC-based accelerator for sumcheck.
PipeSC combines deep pipelining, modular-multiplier reuse, and a finite-state machine-based dependency scheduler to sustain high utilization of computational resources across phases of the protocol.
In addition, we introduce an Equality-MLE generation module that employs hierarchical scheduling and multiplier reuse, yielding a unified hardware substrate shared by multiple proving subroutines.
Against state-of-the-art CPU, GPU, and ASIC implementations,
PipeSC delivers up to \textbf{5.02$\times$} speedup over the GPU implementation and up to \textbf{2756.2$\times$} speedup over the CPU implementation, while improving the arearCotime product (ATP) by up to \textbf{3.68$\times$} compared with the ASIC design.
These results show that careful hardwarerCoalgorithm co-design and conflict-free scheduling substantially accelerate sumcheck, paving the way for fully integrated zk-SNARK hardware pipelines.
## 2026/692
* Title: Efficient Partially Blind Signatures from Isogenies
* Authors: Dung Hoang Duong, Chunpeng Ge, Xuan Thanh Khuc, Willy Susilo
* [Permalink](https://eprint.iacr.org/2026/692)
* [Download](https://eprint.iacr.org/2026/692.pdf)
### Abstract
(Partially) blind signatures are foundational cryptographic primitives that enable privacy-preserving authentication in digital systems. Blind signatures allow a user to obtain a signature on a message without revealing its content, while partially blind signatures permit the controlled inclusion of agreed-upon public information into the signed message. These primitives are central to applications such as electronic voting, anonymous credentials, and digital cash.
The first isogeny-based construction of (partially) blind signatures, CSIOtter, were proposed by Katsumata et al. at CRYPTO'23. However, its concurrent security was later broken by Katsumata et al. (CRYPTO'24) and Do et al. (EUROCRYPT'24). These findings imply that CSI-Otter is secure only in sequential settings. Recently, Hanzlik et al. (ASIACRYPT'25) has proposed a novel framework for concurrently secure blind signatures which can be instantiated from isogenies with smaller signature size (but larger public key and secret key size). It is not known yet whether their construction can be extended to partially blind signatures.
In this paper, we present a new and efficient construction of partially blind signatures based on isogenies with substantially smaller signature and public key sizes than CSI-Otter. This makes our construction the most compact post-quantum partially blind signature scheme known to date. As similar to CSIOtter, our scheme uses small challenge space resulting in only achieving sequential concurrent security. Our design follows the Abe-Okamoto paradigm in the group action setting, building upon the framework introduced by Tessaro and Zhu (EUROCRYPT'22), whose security is based on the Discrete Logarithm Problem. We rigorously prove the security of our scheme in the Algebraic Group Action Model and the Random Oracle Model, under the hardness assumption of the Group Action Discrete Logarithm Problem.
## 2026/693
* Title: Breaking Optimized HQC: The First Cache-Timing Full Decryption Oracle Key-Recovery Attack in Post-Quantum Cryptography
* Authors: Haiyue Dong, Qian Guo
* [Permalink](https://eprint.iacr.org/2026/693)
* [Download](https://eprint.iacr.org/2026/693.pdf)
### Abstract
Hamming Quasi-Cyclic (HQC) has been selected by NIST for standardization in the post-quantum landscape. As deployment approaches, implementation security becomes as critical as mathematical hardness. In this work, we demonstrate that source-level constant-time coding is not a standalone guarantee: the compiled binary must inherently preserve this behavior.
We identify a severe compiler-induced vulnerability within the official AVX2-optimized implementation of HQC, despite its claims of being constant-time. Although the C source code relies on secure, mask-based conditional selection, certain compiler optimizations rewrite this logic systematically. This transformation silently introduces secret-dependent control flow into the inner Reed-Muller decoding process, resulting in secret-dependent cache access patterns.
Exploiting this vulnerability, we mount, to the best of our knowledge, the first cache-timing Full-Decryption-style oracle attack against a post-quantum cryptosystem. Using Flush+Reload on shared libraries, an unprivileged co-located adversary can extract fine-grained predicates of the decoder's internal state. To achieve full key recovery, we develop a novel, reliability-aware Soft Information Set Decoding (Soft-ISD) post-processing framework. Leveraging a GPU-accelerated meet-in-the-middle strategy optimized for heterogeneous platforms (including Apple Silicon), we demonstrate end-to-end secret key recovery for hqc-1 with less than 10 seconds of online trace collection.
## 2026/694
* Title: Proximity Signatures
* Authors: Guillermo Angeris, Kobi Gurkan
* [Permalink](https://eprint.iacr.org/2026/694)
* [Download](https://eprint.iacr.org/2026/694.pdf)
### Abstract
In this note we introduce the concept of proximity signatures, where verifiers who can only access a small part of some data would like a guarantee that (a) this data is rCLcloserCY to a uniquely decodable message (so the message can be decoded from the data via error decoding) and (b) the uniquely decodable message is signed by an associated secret key. This is useful in situations where the message is very large but the verifiers are small devices who only need the guarantee that the message was signed by some specific secret key or set of keys. As a motivating example, we consider the data availability problem. There, users submit large signed pieces of data that together form a larger data matrix. The signatures and integrity of this data must then be checked by nodes who can only download a small proportion of this matrix. We present a construction inspired by linear subspace signatures.
## 2026/695
* Title: 2G2T: Constant-Size, Statistically Sound MSM Outsourcing
* Authors: Majid Khabbazian
* [Permalink](https://eprint.iacr.org/2026/695)
* [Download](https://eprint.iacr.org/2026/695.pdf)
### Abstract
Multi-scalar multiplication (MSM), $MSM(\vec{P},\vec{x})=\sum_{i=1}^n x_i P_i$, is a dominant computational kernel in discrete-logarithmrCobased cryptography and often becomes a bottleneck for verifiers and other resource-constrained clients. We present 2G2T, a simple protocol for verifiably outsourcing MSM to an untrusted server. 2G2T is efficient for both parties: the server performs only two MSM computations and returns only two group elements to the client, namely the claimed result $A=MSM(\vec{P},\vec{x})$ and an auxiliary group element $B$. Client-side verification consists of a single length-$n$ field inner product and only three group operations (two scalar multiplications and one group addition). In our Ristretto255 implementation, verification is up to $\sim 300\times$ faster than computing the MSM locally using a highly optimized MSM routine (for $n$ up to $2^{18}$). Moreover, 2G2T enables latency-hiding verification: nearly all verifier work can be performed while waiting for the server's response, so once $(A,B)$ arrives the verifier completes the check with only one scalar multiplication and one group addition (both independent of $n$). Finally, despite its simplicity and efficiency, we prove that 2G2T achieves statistical soundness: for any (even unbounded) adversarial server, the probability of accepting an incorrect result is at most $1/q$ per query, and at most $e/q$ over $e$ adaptive executions, in a prime-order group of size $q$.
## 2026/696
* Title: A Key Schedule Design and Evaluation under Boundary Round-Key Leakage * Authors: Yu Morishima, Hideki Yoshikawa, Masahiro Kaminaga
* [Permalink](https://eprint.iacr.org/2026/696)
* [Download](https://eprint.iacr.org/2026/696.pdf)
### Abstract
We study key-schedule design under boundary round-key leakage, namely leakage of the first round key, the last round key, or both end round keys. We propose the nonlinear key-schedule $\mathrm{RK}_i = K \oplus F\bigl(K \oplus T(i)\bigr)$, where $K$ is the master key, $T(i)$ is a public domain separation value, and $F$ is a public SPN-based permutation parameterized by its round count $N_F$.
Under the boundary-leakage model considered in this paper, leakage of one end round key yields an instance of the equation $Z=U\oplus F(U)$, whereas leakage of both end round keys yields a differential constraint of the form $F(U)\oplus F(U\oplus\Delta)=\Gamma$, where $\Delta$ is determined by the two end indices and $\Gamma$ is derived from the two leaked round-key values. These reductions clarify the nonlinear systems induced by boundary leakage and the absence of a linear elimination route to the master key.
We also evaluate reduced variants of the resulting systems through Gr\"obner basis experiments, and further examine them by SAT-based key-recovery experiments and right-censored runtime analysis via a Weibull AFT model. Within the tested range, we do not observe degree collapse or unusually strong linear bias. These results provide heuristic support for the view that, under the boundary-leakage model considered here, the tested instantiations of the proposed key-schedule family do not admit an obvious efficient inversion route.
## 2026/697
* Title: Post-Quantum Secure k-Times Traceable Ring Signature
* Authors: Vishal Pareek, Aditi Kar Gangopadhyay, Sugata Gangopadhyay
* [Permalink](https://eprint.iacr.org/2026/697)
* [Download](https://eprint.iacr.org/2026/697.pdf)
### Abstract
Ring signatures are cryptographic primitives that enable a user to sign a message on behalf of a group of users in an anonymous manner. The anonymity of the signer is the fundamental security property of ring signatures. However, unrestricted anonymity can be misused, as a malicious signer could use it to send spam or excessive messages. To address this issue, a controlled restriction on signer anonymity is required, which makes such schemes more practical.
In this paper, we propose a k-times traceable ring signature scheme that allows the public key of the signer to be traced publicly if the signer exceeds a predetermined signing limit k. The novelty of our construction lies in its reliance on lattice-based assumptions, which ensure post-quantum security. Consequently, the proposed scheme is well-suited for practical deployment in the presence of emerging quantum threats. Our approach achieves competitive performance while providing stronger security guarantees, making it an appropriate candidate for modern cryptographic applications. We also present efficiency analysis and compare our scheme with existing constructions.
## 2026/698
* Title: Entropy-based Fuzzy Deduplication with Perfect Resistance to Key Recovery Attack
* Authors: Zehui Tang, Shengke Zeng, Minfeng Shao
* [Permalink](https://eprint.iacr.org/2026/698)
* [Download](https://eprint.iacr.org/2026/698.pdf)
### Abstract
Deduplication for encrypted data reduces the storage costs of server while keeping the sensitive data secure. Fuzzy deduplication is developing for the multimedia data for its similarity not exact equality, hence it has better storage space saving capabilities than exact deduplication. However, the most of existing works face the security threat such as brute-force guessing attacks, key recovery attacks and so on. We conduct research on fuzzy deduplication from the fundamental layer for these security goals. In this work, the data similarity is novelty defined based on information entropy theory so that the similarity verification by cloud is without online clients assistance. Moreover, the parameter robustness verification is firstly proposed to be against the key recovery attacks and guessing attacks fundamentally. The simulation experiments show that our scheme can save approximately 87% of storage space while maintaining a tamper detection success rate of no less than 97%.
## 2026/699
* Title: HAWK with Hint: Algebraic Key Recovery from Side-Channel Leakage
* Authors: Byoungchan Chi, Changmin Lee, Inhun Lee
* [Permalink](https://eprint.iacr.org/2026/699)
* [Download](https://eprint.iacr.org/2026/699.pdf)
### Abstract
Quantum computing threatens classical public key systems and has motivated NISTrCOs PQC standardization, and within this process HAWK has been submitted as a lattice-based signature scheme. While prior analyses focused on mathematical security, the consequences of side-channel leakage in practical HAWK implementations are less systematically understood. We address this gap by formalizing discrete Gaussian sampler leakage as HAWK with Hint and studying three leakage categories: (i) full coefficient recovery, (ii) sign-only recovery, and (iii) noisy sign recovery. For each category, including (i) which has been covered in prior work, we design algebraic key recovery algorithms that derive explicit linear relations between leaked information and the secret basis and solve the resulting structured linear systems in polynomial time.
For HAWK-1024, we obtain the following results under the stated threat models. With full coefficient leakage, a single signature suffices for secret key recovery by directly solving the induced linear system, improving prior work that required two signatures under the same conditions. With sign-only leakage, the secret key is recovered using 14 signatures in approximately 100 seconds. With noisy sign leakage, we achieve key recovery using 400 signatures within about 30 seconds at a 10% bit-error rate, and still succeed with roughly 7,000 signatures within about one minute even when the bit-error rate increases to 40%. We implement all attacks and empirically validate them, clarifying how measurement noise affects the required number of signatures.
## 2026/700
* Title: GRAFHEN is not IND-CPA secure
* Authors: Remi Geraud-Stewart
* [Permalink](https://eprint.iacr.org/2026/700)
* [Download](https://eprint.iacr.org/2026/700.pdf)
### Abstract
GRAFHE is a recently proposed noise-free fully homomorphic encryption scheme based on rewriting systems in symmetric groups. We provide an
efficiently computable distinguisher, breaking IND-CPA security.
## 2026/701
* Title: Boolean Arithmetic over $\mathbb{F}_2$ from Group Commutators
* Authors: Marc Joye
* [Permalink](https://eprint.iacr.org/2026/701)
* [Download](https://eprint.iacr.org/2026/701.pdf)
### Abstract
This paper studies efficient realizations of arithmetic over the binary field $\mathbb{F}_2$ in nonabelian groups using only intrinsic group operations, namely multiplication and inversion. The constructions rely on commutators to implement Boolean computation within the group structure. Two complementary approaches are presented: a realization of a universal Boolean gate (NAND) and direct realizations of the field operations XOR and AND. These approaches apply to finite nonabelian simple groups and can be implemented using a small number of group operations. Explicit realizations are provided in the alternating groups $A_5$ and $A_6$. For the smallest nonabelian simple group $A_5$, these constructions achieve state-of-the-art efficiency in the number of group operations.
## 2026/702
* Title: A Constructive Treatment of Authentication
* Authors: Christopher Battarbee
* [Permalink](https://eprint.iacr.org/2026/702)
* [Download](https://eprint.iacr.org/2026/702.pdf)
### Abstract
We review the traditional techniques of message authentication from the perspective of Constructive Cryptography, one of the major composable security frameworks. For each of the 'textbook' means of message authentication, known results are compiled, and various gaps are addressed. We also point out areas of remaining study, and obstacles to demonstrating composability in those cases. The results can be thought of as a toolkit showing how to realise composable authentication with various cryptographic primitives, with precise statements on the security guarantees and set-up requirements.
## 2026/703
* Title: Quick Draw Queries: Lightweight Searchable Public-key Ciphertexts with Hidden Structures via Non-Interactive Key Exchange
* Authors: Keita Emura, Toshihiro Ohigashi, Nobuyuki Sugio
* [Permalink](https://eprint.iacr.org/2026/703)
* [Download](https://eprint.iacr.org/2026/703.pdf)
### Abstract
Basically, public-key searchable encryption schemes require a linear search time with respect to the total number of ciphertexts. Xu, Wu, Wang, Susilo, Domingo-Ferrer, and Jin (IEEE Transactions on Information Forensics and Security, 2015) introduced Searchable Public-Key Ciphertexts with Hidden Structure (SPCHS). In SPCHS, ciphertexts associated with the same keyword are linked through a hidden structure that can be revealed using a trapdoor. This enables efficient extraction of matching ciphertexts and achieves optimal asymptotic search efficiency by traversing only the result set. However, a drawback of the SPCHS scheme and its subsequent works is that they are all pairing-based or rely on identity-based encryption (IBE) as a foundational component. To improve efficiency, this paper proposes a generic construction of SPCHS. Our core building block is Non-Interactive Key Exchange (NIKE), and the remaining components are symmetric-key primitives, namely secret-key encryption and a pseudorandom function (PRF). In particular, our search algorithm depends solely on these symmetric-key primitives and is independent of any public-key primitives. We implement the most efficient instantiation of the generic construction using Diffie-Hellman NIKE, an HMAC-based PRF, and AES. Our evaluation demonstrates that the search time of the DH-based instantiation is over 250 times faster than that of the asymmetric pairing-based scheme by Wang et al. (IEEE Transactions on Industrial Informatics, 2020). Moreover, we reduce the ciphertext size by a factor of approximately 20. In addition to this practical contribution of significantly improving efficiency, the proposed generic construction also makes a theoretical contribution by enabling the realization of the first set of post-quantum SPCHS schemes based on lattices, isogenies, and codes.
## 2026/704
* Title: Fast Isogeny Evaluation on Binary Curves
* Authors: Gustavo Banegas, Nicolas Sarkis, Benjamin Smith
* [Permalink](https://eprint.iacr.org/2026/704)
* [Download](https://eprint.iacr.org/2026/704.pdf)
### Abstract
We give efficient formulas to evaluate isogenies of ordinary elliptic curves over finite fields of characteristic $2$, extending the odd-characteristic techniques of Hisil--Costello and Renes to binary fields. For odd prime degree $\ell = 2s+1$, our affine product evaluation computes the image $x$-coordinate using $5s\mathbf{M}$ field multiplications, or $4s\mathbf{M}$ when the kernel points are normalized. We derive an inversion-free variant that evaluates the $x$-map in projective and twisted Kummer coordinates, allowing carried points to remain projective across successive isogeny steps. Over $\mathbb{F}_{2^{511}}$, microbenchmarks show that the inversion-free projective and twisted variants are faster than V|-lu-style $x$-evaluation when outputs are kept in projective/twisted form, while the affine one-inversion variant is about $4.2\times$ faster.
## 2026/705
* Title: Cross-Paradigm Models of Restricted Syndrome Decoding with Application to CROSS
* Authors: |etienne Burle, Aleksei Udovenko
* [Permalink](https://eprint.iacr.org/2026/705)
* [Download](https://eprint.iacr.org/2026/705.pdf)
### Abstract
Restricted Syndrome Decoding (ResSD) is a variant of linear code decoding problem where each of the error's entries must belong to a fixed small set of values. This problem underlies the security of CROSS, a post-quantum signature scheme that is one of the Round~2 candidates of NIST's ongoing additional signatures call. We show that solutions to this problem can be deduced from vectors of a particular structure and a small norm in newly constructed codes, in both Hamming and Euclidean metrics. This allows us to reduce Restricted Syndrome Decoding to both code-based (Regular Syndrome Decoding) and lattice-based problems (Closest Vector Problem, List of Short/Close Vectors), increasing the attack surface and providing new insights into the security of ResSD. We evaluate our attacks on CROSS instances both theoretically and experimentally on reduced parameters.
## 2026/706
* Title: Improved Cryptanalysis of the Permuted Kernel Problem with Applications to PERK v2.2.0, SUSHSYFISH and PKP-DSS
* Authors: Abul Kalam, Sudeshna Karmakar, Arindam Mukherjee, Soumya Sahoo, Santanu Sarkar
* [Permalink](https://eprint.iacr.org/2026/706)
* [Download](https://eprint.iacr.org/2026/706.pdf)
### Abstract
The Permuted Kernel Problem (PKP), introduced by Shamir, is a computationally hard problem underlying recent post-quantum signature schemes such as PERK, SUSHSYFISH and PKP-DSS. Among these, PERK is a second-round candidate in NIST's Additional Digital Signature Schemes post-quantum standardization process, SUSHSYFISH appeared at EUROCRYPT~2020, and PKP-DSS was one of the finalists in the CACR competition. The best known attacks on PKP rely on combinatorial meet-in-the-middle techniques, notably the algorithms of Koussa, Macario-Rat, and Patarin (KMP) and Santini, Baldi, and Chiaraluce (SBC), whose complexities remain super-exponential, with memory requirements of the same order as their time complexities.
In this work, we obtain improved cryptanalytic results for PKP that strictly outperform all previously known attacks. In particular, although no parameter sets of PERK~v2.2.0 fall below the NIST security levels, we provide the first evidence that secret vector recovery for all PERK~v2.2.0 parameter sets can be achieved with complexity below their estimated bit-security levels. We additionally obtain improved bit-complexity estimates for the SUSHSYFISH and PKP-DSS parameter sets. We further introduce a Schroeppel--Shamir style timerComemory trade-off in the PKP setting. Although PKP does not admit square-root memory as in the classical subset-sum problem, our adaptation achieves substantial memory reductions while keeping the time complexity close to the best known attacks. Overall, our results provide improved cryptanalytic insight into PKP and refine the current understanding of the concrete security of
PKP-based signature schemes.
## 2026/707
* Title: Alternating Sponge: A Low-Memory Hash Function with Beyond-Birthday-Bound Security
* Authors: Ziyang Luo, Yaobin Shen, Hailun Yan, Lei Wang, Dawu Gu
* [Permalink](https://eprint.iacr.org/2026/707)
* [Download](https://eprint.iacr.org/2026/707.pdf)
### Abstract
An improved low-memory hash function scheme called Alternating Sponge (ASP) is proposed to achieve the beyond-birthday-bound security with respect to the capacity $c$. The scheme redesigns the state layout and permutation mechanism of double sponge construction, effectively reducing the total state space from $2r+2c$ bits to $2r+c$ bits and increasing the number of bits squeezed per round from $r$ to $2r$. The scheme introduces a two-phase serial permutation sequence to update the shared state, achieving a complete state transition without increasing the input size of the permutation function. A security proof is provided within the indifferentiability framework, demonstrating that the scheme can achieve security comparable to the double sponge construction, while operating with a reduced state size and an increased number of squeezed bits. Overall, the design ensures the compactness and diffusion of each round of processing through layered absorption and alternating permutations, providing a solution for deploying high-security hash functions in memory-constrained environments.
## 2026/708
* Title: Block Circulant Codes for Ethereum PeerDAS
* Authors: Birenjith Sasidharan, Emanuele Viterbo, Dankrad Feist
* [Permalink](https://eprint.iacr.org/2026/708)
* [Download](https://eprint.iacr.org/2026/708.pdf)
### Abstract
In this report, we describe how block circulant (BC) codes can serve as an alternative to one-dimensional (1D) and two-dimensional (2D) ReedrCoSolomon (RS) codes in the Ethereum PeerDAS protocol. We begin by reviewing the implementation of 1D RS codes in PeerDAS and then present efficient encoding and reconstruction algorithms for BC codes, developed within the same implementation framework as the respective 1D RS algorithms. The proposed encoding algorithm also permits a graceful integration of KZG commitment scheme. Finally, we evaluate and compare the performance of BC codes in terms of code rate, stopping rate, and the size of the local codes they contain, against both 1D and 2D RS codes.
## 2026/709
* Title: zkRAG: Efficiently Proving RAG Retrieval in Zero Knowledge
* Authors: Yanze Jiang, Xinyang Yang, Xuanming Liu, Yanpei Guo, Jiaheng Zhang
* [Permalink](https://eprint.iacr.org/2026/709)
* [Download](https://eprint.iacr.org/2026/709.pdf)
### Abstract
Retrieval-augmented generation (RAG) systems critically depend on a vector-retrieval stage that selects relevant documents from a large embedding database. In a RAG-as-a-Service setting, however, clients have no visibility into the server's proprietary embeddings and index structures, and thus cannot distinguish faithful execution from arbitrary deviations. This motivates service consistency for retrieval: the returned results must be consistent with executing an agreed approximate nearest neighbor search (ANNS) algorithm on a fixed, committed database together with a fixed, committed ANNS index, while revealing nothing beyond the outputs themselves.
We present the first polynomial interactive oracle proof (PIOP) tailored to the widely deployed HNSW ANNS algorithm. Building on this PIOP, we introduce zkRAG, a zero-knowledge, succinct, non-interactive argument for RAG retrieval that enables practical verification. Our design achieves asymptotically optimal online prover efficiency, with prover time linear in the HNSW search trace length, while keeping verification succinct. We introduce several new techniques that may be of independent interest, including a hybrid lookup argument, a highly efficient checker-based PIOP for checking priority-queue updates, and an efficient checker for membership selector vectors. For a benchmark with $10^6$ vectors of dimension $128$, single-thread zkRAG proves a typical HNSW query in $50$ seconds-over $1000\times$ faster than existing baselines--while keeping verification lightweight, demonstrating the feasibility of efficient zero-knowledge service-consistent RAG retrieval.
## 2026/710
* Title: Optimizing and Implementing Threshold MAYO
* Authors: Diego F. Aranha, Giacomo Borin, Sofia Celi, Guilhem Niot
* [Permalink](https://eprint.iacr.org/2026/710)
* [Download](https://eprint.iacr.org/2026/710.pdf)
### Abstract
Threshold signatures distribute trust across multiple parties, eliminating single points of failure and reducing insider and key-exfiltration risksrCoproperties that are increasingly important for high-assurance deployments and recently emphasized by NISTrCOs Multi-Party Threshold Cryptography (MPTC) initiative. We present a practical t-out-of-n threshold variant and emulation of MAYO, a post-quantum signature candidate to NISTrCOs call for additional signatures. Our proposal builds
upon the threshold MAYO design of Celi, Escudero and Niot (PQCrypto2025), which we significantly refine to achieve practical performance. To this end, we introduce two algorithmic modifications to MAYO tailored for the distributed setting: (1) Explicit-Salt MAYO, which allows for pre-determined salts to enable a single-round online phase; and (2) Depth-Reduced MAYO, which restructures the signing algorithm to minimize the depth of secret-dependent operations. We then propose a unified protocol framework that integrate these techniques, plus other MPC specific optimizations, with the goal of minimizing online latency. Finally, we provide a concrete instantiation and local emulation in the dishonest majority setting, secure against active adversaries. Our emulation shows that threshold signing is practical at typical threshold sizes and amenable to deployment. By releasing an open-source implementation and reporting end-to-end performance, this work offers a concrete reference for the thresholdization of post-quantum signatures. Clearly the aforementioned framework is not limited to MAYO, and can be applied to the UOV family of signatures more generally.
## 2026/711
* Title: Drop-In Masked Modular Reduction for ML-DSA: Cutting Side-Channel Cost in the Root-of-Trust
* Authors: Merve Karabulut, Reza Azarderakhsh
* [Permalink](https://eprint.iacr.org/2026/711)
* [Download](https://eprint.iacr.org/2026/711.pdf)
### Abstract
Masking is an effective defense against side-channel attacks, yet it remains costly under hardware constraints. The Caliptra Root-of-Trust is a representative case, where its masked ML-DSA implementation incurs about 6|u area overhead. We propose a novel first-order masking solution that optimizes Caliptra, achieving significant improvements in arearCodelay efficiency. Compared to CaliptrarCOs ML-DSA reduction, our design achieves a 12.1|u speedup, reducing LUTs by 86.7% and FFs by 94.5%, while improving arearCodelay efficiency by 91|u. TVLA, with over 1,000,000 traces, shows no first-order leakage, satisfies CaliptrarCOs security requirements, and significantly improves implementation efficiency.
--- Synchronet 3.21f-Linux NewsLink 1.2