From Newsgroup: sci.crypt
## In this issue
1. [2025/865] UltraProofs: Scalable Reed-Solomon Code Commitment
2. [2026/35] Adaptive NIKE for Unbounded Parties
3. [2026/191] On the Active Security of the PEARL-SCALLOP Group ...
4. [2026/205] Differential-Linear Attacks from New ...
5. [2026/209] Post-Quantum Security of Block Cipher Constructions
6. [2026/359] Cyclo: Lightweight Lattice-based Folding via ...
7. [2026/371] A Modular Approach to Succinct Arguments for QMA
8. [2026/420] FALCON with message recovery, a specification
9. [2026/661] Pseudorandomness of UFLM: A Characterization via ...
10. [2026/712] Public Key Encryption from High-Corruption ...
11. [2026/713] How to construct even faster and indifferentiable ...
12. [2026/714] $\mathsf{Veloz}$: Efficient and Flexible ...
13. [2026/715] Chorus: Secret Recovery with Ephemeral Client ...
14. [2026/716] ISE-supported erasure of residual shares
15. [2026/717] Scalable Registration-Based Encryption from Lattices
16. [2026/718] Zero-Knowledge Proof of Progress: Secure Multi- ...
17. [2026/719] Polynomial-Time Cryptanalytic Extraction of Graph ...
18. [2026/720] ABRA-CAPA-DABRA: Full break of CAPA
19. [2026/721] Improving LatticeFold+ with rao2-norm Checks
20. [2026/722] (Mis)using the Lattice Isomorphism Problem. ...
21. [2026/723] Hint-Free Multi-Signatures
22. [2026/724] Decomposition of Large Look-Up Tables for Fast ...
23. [2026/725] The Cost of Fluidity: Communication Complexity ...
24. [2026/726] Bitsliced Segment-Based Search Technique for Low- ...
25. [2026/727] Automated formal analysis of SignalrCOs Double ...
26. [2026/728] MAGNET: MAsked Gaussian Now Efficient and Table-less
27. [2026/729] Code-based Scalable Collaborative SNARKs
28. [2026/730] Towards Zero Rotation and Beyond: Architecting ...
29. [2026/731] SecDTD: Dynamic Token Drop for Secure Transformers ...
30. [2026/732] Faster Logical Operations from Discrete CKKS
31. [2026/733] Explicit Bounds on the Existence Probability of ...
32. [2026/734] Assessing Geometric Security of AES Neural ...
33. [2026/735] CLAASP-MP: An Automated MILP Framework for Monomial ...
34. [2026/736] Compact Fully Asynchronous Updatable Public Key ...
35. [2026/737] Blind Verifiable Delay Functions
36. [2026/738] SPoCK: Sequential Proofs of Complete Knowledge
37. [2026/739] Additive FFTs for HQC on ARM Cortex-M4, Revisited
38. [2026/741] How to Authenticate a Non-Deterministic ...
## 2025/865
* Title: UltraProofs: Scalable Reed-Solomon Code Commitment
* Authors: Yanpei Guo, Alex Luoyuan Xiong, Wenjie Qu, Jiaheng Zhang
* [Permalink](
https://eprint.iacr.org/2025/865)
* [Download](
https://eprint.iacr.org/2025/865.pdf)
### Abstract
ReedrCoSolomon (RS) codes underpin a wide range of cryptographic protocols, from verifiable secret sharing (VSS) to blockchain data availability (DA).
An RS code commitment enables a prover to distribute codeword fragments among many parties while allowing each recipient to verify that its fragment is consistent with a RS code.
Existing constructions either rely on homomorphic polynomial commitments, which incur redundant commitments and expensive group operations, or use FRI-based interactive proofs, which achieve fast proving but suffer from prohibitively large communication.
We present UltraProofs, a new RS code commitment framework that achieves linear-time proof generation while remaining compatible with any multilinear polynomial commitment.
Our key technical contribution is an evaluation-consolidation protocol that reduces $n$ evaluation proofs at distinct RS points to a single randomized evaluation, eliminating redundant commitments and removing the need for homomorphic structure.
We further design a tailored multilinear PCS, LightLigero, which achieves $O(\lambda \log n)$ proof size and maintains $O(n \log n)$ prover time.
UltraProofs attains asymptotically optimal prover complexity with concrete speedups in practice: in VSS, it reduces prover time by $2.4\times$ and proof size by $4\times$ compared to HydraProofs (S&P'25); in DA, it cuts per-node communication by up to $2{\sim}5\times$ relative to FRIDA (Crypto'24) while retaining similar prover cost.
By decoupling verifiable RS encoding from any specific PCS instantiation, UltraProofs provides a flexible, efficient, and modular foundation for large-scale verifiable storage and distributed cryptographic systems.
## 2026/35
* Title: Adaptive NIKE for Unbounded Parties
* Authors: Shafik Nassar, Brent Waters
* [Permalink](
https://eprint.iacr.org/2026/035)
* [Download](
https://eprint.iacr.org/2026/035.pdf)
### Abstract
This paper presents the first construction of adaptively secure non-interactive key exchange (NIKE) for an unbounded number of parties in the standard model.
While prior unbounded protocols were restricted to static security or required random oracles, this work achieves adaptive security in the standard model.
The proposed scheme supports an unbounded number of honest and malicious users, as well as unbounded party sizes, while tolerating a bounded number of dynamic user corruptions.
The construction is based on sub-exponential indistinguishability obfuscation and sub-exponential fully-homomorphic encryption.
A key technical contribution is a new application of what we call a function-extractable hash function.
This is a variant of a function binding hash function that enables resilient extraction of properties from maliciously hashed digests.
As an additional contribution, we present a compiler in the random oracle model that upgrades any (unbounded) NIKE that does not support dynamic user corruptions at all into a fully adaptive (unbounded) NIKE that supports an unbounded number of dynamic corruptions.
This compiler is completely generic, does not introduce any additional assumptions, and does not rely on sub-exponential hardness.
## 2026/191
* Title: On the Active Security of the PEARL-SCALLOP Group Action
* Authors: Tako Boris Fouotsa, Marc Houben, Gioella Lorenzon, Ryan Rueger, Parsa Tasbihgou
* [Permalink](
https://eprint.iacr.org/2026/191)
* [Download](
https://eprint.iacr.org/2026/191.pdf)
### Abstract
We present an active attack against the PEARL-SCALLOP group action. Modelling Alice as an oracle that outputs the action by a secret ideal class on suitably chosen oriented elliptic curves, we show how to recover the secret using a handful of oracle calls (four for the parameter set targeting a security level equivalent to CSIDH-1024), by reducing to the computation of moderately-sized group action discrete logarithms. The key ingredient to the attack is to employ curves with non-primitive orientations inherent to the PEARL-SCALLOP construction. We provide methods for public-key validation rCo that is, for deciding whether a given orientation is primitive rCo and discuss their practicality.
## 2026/205
* Title: Differential-Linear Attacks from New Distinguishers: the case of SERPENT and PRESENT
* Authors: Thierno Mamoudou Sabaly, Marine Minier
* [Permalink](
https://eprint.iacr.org/2026/205)
* [Download](
https://eprint.iacr.org/2026/205.pdf)
### Abstract
Differential-linear distinguishers have been introduced by Langford and Hellman in 1994. They consist in combining, first, a differential distinguisher and second, a linear distinguisher and then study the bias between plaintexts with a difference and linear approximations of the two ciphertexts to create a differential-linear distinguisher. The original method has been improved by Bar-On et al. in 2019 where the table called the DLCT (Differential Linear Connectivity Table) has been introduced and more recently, in 2024 by Hadipour et al. where, as for the case of boomerang distinguishers, several intermediate tables are used to tune the computation of the middle part of the distinguisher. From a distinguisher, it is thus natural to try to mount some dedicated attacks. This step has been done by Broll et al. in 2021 and in 2022 for the case of SERPENT.
In this paper, we propose a tool that directly searches for the best differential-linear attacks automating the work of Broll et al. using the differential-linear distinguishers proposed by Hadipour et al. More precisely, both searches (distinguishers and attacks) are done in the same step to improve the overall complexity of the differential-linear attack. We apply this tool to the case of SERPENT and PRESENT. The attack against SERPENT reaches 12 rounds with a time complexity equal to $2^{220.9}$ for a data/memory complexity equal to $2^{125.01}$. The attack against PRESENT-80 (PRESENT-128 respectively) reaches 16 (18 respectively) rounds with a time complexity equal to $2^{73.88}$ ($2^{124}$ respectively) for a data/memory complexity equal to $2^{57.88}$ ($2^{63.25}$ respectively).
## 2026/209
* Title: Post-Quantum Security of Block Cipher Constructions
* Authors: Gorjan Alagic, Chen Bai, Christian Majenz, Kaiyan Shi
* [Permalink](
https://eprint.iacr.org/2026/209)
* [Download](
https://eprint.iacr.org/2026/209.pdf)
### Abstract
Block ciphers are versatile cryptographic ingredients that are used in a wide range of applications ranging from secure Internet communications to disk encryption. While post-quantum security of public-key cryptography has received significant attention, the case of symmetric-key cryptography (and block ciphers in particular) remains a largely unexplored topic. In this work, we set the foundations for a theory of post-quantum security for block ciphers and associated constructions. Leveraging our new techniques, we provide the first post-quantum security proofs for the key-length extension scheme FX, the tweakable block ciphers LRW and XEX, and most block cipher encryption and authentication modes. Our techniques can be used for security proofs in both the plain model and the quantum ideal cipher model. Our work takes significant initial steps in establishing a rigorous understanding of the post-quantum security of practical symmetric-key cryptography.
## 2026/359
* Title: Cyclo: Lightweight Lattice-based Folding via Partial Range Checks
* Authors: Albert Garreta, Helger Lipmaa, Urmas Luha|n|nr, Micha+e Osadnik
* [Permalink](
https://eprint.iacr.org/2026/359)
* [Download](
https://eprint.iacr.org/2026/359.pdf)
### Abstract
Folding is a powerful technique for constructing efficient succinct proof systems, especially for computations that are expressed in a streaming fashion.
In this work, we present Cyclo, a new lattice-based folding protocol that improves upon LatticeFold+ [Boneh and Chen '25] in multiple dimensions and which incorporates, among others, the pay-per-bit techniques from Neo when folding constraints expressed over a field $\mathbb{F}_q$ [Nguyen and Setty '25].
Cyclo proposes a new framework for building lattice-based folding schemes that eliminates the need for norm checks \emph{on the accumulator} by adopting an amortized norm-refreshing design, ensuring that the witness norm grows additively per round within a (generously) bounded number of folds. This design simplifies the protocol and reduces prover overhead. In particular, Cyclo only performs range checks on the input \emph{non-accumulated} witness, and when applied to fold constraints over $\mathbb{F}_q$, it does not decompose any witnesses into low-norm chunks within the folding protocol itself.
Cyclo, supporting a complete family of cyclotomic rings, combines two simple building blocks: an extension commitment that reduces the norm of the witness by decomposing it and recommitting, and an $\ell_\infty$ range test via a sum-check protocol.
We demonstrate, by proving communication and runtime estimates, that the construction results in an efficient and proof-size-friendly folding scheme.
We also establish an algebraic connection between $\mathcal{R}_q$ and $\mathbb{F}_q$ using the polynomial evaluation map, enabling efficient reduction from R1CS/CCS over $\mathbb{F}_q$ to a linear relation over $\mathcal{R}_q$, providing a new and simpler formulation of the techniques in [Nguyen and Setty '25].
In practical settings, Cyclo achieves succinct proof sizes on the order of $30$ KB, improving by an order of magnitude over LatticeFold+. Our efficiency benchmarks indicate that our protocol also outperforms LatticeFold+ in practice.
## 2026/371
* Title: A Modular Approach to Succinct Arguments for QMA
* Authors: James Bartusek, Jiahui Liu, Giulio Malavolta
* [Permalink](
https://eprint.iacr.org/2026/371)
* [Download](
https://eprint.iacr.org/2026/371.pdf)
### Abstract
Succinct argument systems are of central importance to modern crytpography, enabling the efficient verification of computational claims. In the classical setting, Kilian (STOC 92) established that any probabilistically checkable proof for NP can be transformed into a succinct argument system for NP using only collision-resistant hash functions. In the quantum setting, recent works have established the feasibility of (classically-verifiable) succinct arguments for QMA, capturing statements that require \emph{quantum} proofs. However, known constructions all rely on the highly structured assumption of learning with errors (LWE), which stands in stark contrast with the unstructured assumptions that suffice for NP.
In this work, we develop a new framework that broadens the cryptographic foundations of succinct arguments for QMA. We assume the existence of (i) an oblivious state preparation (OSP) protocol, which in turn can be constructed from \emph{plain} trapdoor claw-free functions, and (ii) collapsing hash functions, the quantum analogue of collision-resistance. In particular, we obtain the first succinct, classically-verifiable argument system for QMA which does not rely on the hardness of LWE.
Our construction proceeds in two steps. First, we design a \emph{round-efficient} classically-verifiable argument system for QMA based only on the assumption of OSP. Second, we introduce a \emph{generalized communication compression compiler}, which, assuming collapsing hash functions, transforms any $T$-round interactive protocol into one in which the communication size is bounded by $T \cdot \poly(\secp)$ for some fixed $\poly$ independent of the original size of each message. Our compiler extends a quantum rigidity-based communication compression technique of Zhang (QCrypt 25), and may be of independent interest.
## 2026/420
* Title: FALCON with message recovery, a specification
* Authors: Felix G|+nther, Vadim Lyubashevsky, Rolfe Schmidt
* [Permalink](
https://eprint.iacr.org/2026/420)
* [Download](
https://eprint.iacr.org/2026/420.pdf)
### Abstract
FALCON (Prest et al. NIST submission) is a lattice-based digital signature scheme that is intended to be standardized by NIST under the name FN-DSA. This scheme has smaller signature and public key sizes than the "primary" NIST scheme, ML-DSA, but is more complicated to implement due to floating-point requirements. For this reason, NIST has recommended the scheme be used in special situations where smaller key and signature sizes are particularly important.
There are certain situations, where one can make small modifications to FALCON which results in even shorter outputs, which is particularly interesting for FALCON's intended use cases where smaller outputs are important.
In the scenario where one would like to minimize the total public key plus signature length, one could use FALCON in key recovery mode, which is a fairly straight-forward procedure specified in the FALCON document.
In the scenario where one would like to minimize the total signature plus message length, one could use the message recovery mode (which is a somewhat less straight-forward modification) as described in (del Pino et al. SCN 2017). The purpose of this note is to fully specify the details of this latter mode for developers wishing to implement it. The savings of using FALCON in message recovery mode is up to 226 bytes as compared to FALCON-512 and up to 434 bytes compared to FALCON-1024 for the same security levels (i.e. NIST levels 1 and 5, respectively). We also sketch how the same technique can be applied to the ring signature version of FALCON from (Gajland et al. Crypto 2024).
The main algorithmic building blocks of FALCON, such as key generation and trapdoor sampling, remain exactly the same. The only algorithmic changes are in the hashing and parsing of the messages, randomness, and the hash function.
## 2026/661
* Title: Pseudorandomness of UFLM: A Characterization via Its Linear Layer
* Authors: Tingting Guo, Peng Wang, Gang Liu
* [Permalink](
https://eprint.iacr.org/2026/661)
* [Download](
https://eprint.iacr.org/2026/661.pdf)
### Abstract
This paper systematically analyzes the security of the two-branch Unified Feistel Lai Massey (UFLM) structure with independent random round functions under chosen plaintext and chosen ciphertext attacks, focusing on its indistinguishability from a random permutation. UFLM uses an invertible linear layer represented as a $2 \times 2$ block matrix $\varphi$ with blocks $A_{11}, A_{12}, A_{21}, A_{22}$. Previously, Dai et al. proved that when $A_{12}$ is invertible, $4$-round UFLM achieves CCA security and resists up to $\mathcal{O}(2^{n/2})$ queries, where the UFLM input is $2n$ bits.
Our work imposes no restriction on $A_{12}$. We determine the minimal number of rounds for UFLM to achieve CPA and CCA security, fully determined by the parameters $T(A_{12}^{\top}, A_{11}^{\top})$ and $T(A_{12}, A_{22})$. For UFLM with enough rounds to be secure, the query bound is primarily determined by the rank of $A_{12}$. For all UFLM with too few rounds to be secure, we present successful distinguishing attacks that require at most four queries. Our results rigorously show, for the first time, that when $A_{12}$ has full rank, UFLM requires the fewest rounds to achieve CPA and CCA security and attains the highest query bound. Nevertheless, when $A_{12}$ is not full rank, CPA and CCA security can still be achieved by increasing the number of rounds unless $T(A_{12}^{\top}, A_{11}^{\top}) = \infty$ or $T(A_{12}, A_{22}) = \infty$. At last, for involutory $\varphi$, we find UFLM achieves CPA and CCA security if and only if $A_{12}$ has full rank.
## 2026/712
* Title: Public Key Encryption from High-Corruption Constraint Satisfaction Problems
* Authors: Isaac M Hair, Amit Sahai
* [Permalink](
https://eprint.iacr.org/2026/712)
* [Download](
https://eprint.iacr.org/2026/712.pdf)
### Abstract
We give a public key encryption scheme with plausible quasi-exponential security based on the conjectured intractability of two constraint satisfaction problems (CSPs), both of which are instantiated with a corruption rate of $1 - o(1)$. First, we conjecture the hardness of a new large alphabet random predicate CSP (LARP-CSP) defined over an arbitrary but strongly expanding factor graph, where the vast majority of predicate outputs are replaced with random outputs. Second, we conjecture the hardness of the standard $k$XOR problem defined over a random factor graph, again where the vast majority of parity computations are replaced with random bits. In support of our hardness conjecture for LARP-CSPs, we give a variety of lower bounds, ruling out many natural attacks including all known attacks that exploit non-random factor graphs.
Our public key encryption scheme is the first to leverage high corruption CSPs while simultaneously achieving a plausible security level far above quasi-polynomial. At the heart of our work is a new method for planting cryptographic trapdoors based on the label extended factor graph for a CSP.
Along the way to achieving our result, we give the first uniform construction of an error-correcting code that has an expanding, low density generator matrix while simultaneously allowing for efficient decoding from a $1 - o(1)$ fraction of corruptions.
## 2026/713
* Title: How to construct even faster and indifferentiable hash functions from random permutations
* Authors: Liting Zhang, Han Sui, Lei Zhang, Wenling Wu
* [Permalink](
https://eprint.iacr.org/2026/713)
* [Download](
https://eprint.iacr.org/2026/713.pdf)
### Abstract
Designing cryptographic hash functions that simultaneously achieve high throughput and strong provable security remains a fundamental challenge in symmetric cryptography. Traditional constructions, such as the Merkle-Damg\aa rd (MD) and SPONGE paradigms, inherently suffer from structural limitations: they either expose internal chaining values to length-extension attacks or impose a rigid trade-off between security (capacity) and efficiency (rate), bounding their architectural potential.
In this paper, we introduce the \textbf{Compress-then-Randomize} paradigm, a modular design principle that structurally decouples a hash function into two independent components with distinct security objectives: (1) a \emph{variable-input-length} (VIL) compression component optimized for high-speed message absorption, requiring only collision resistance and multiple-preimage resistance; and (2) a \emph{fixed-input-length} (FIL) finalization component utilizing independent random permutations to ensure indifferentiability from a random oracle. This separation enables the VIL component to maximize processing throughput (approaching the full primitive width) while the FIL component provides robust randomness extraction, effectively mitigating length-extension attacks and achieving tight security bounds.
Leveraging this paradigm, we propose the \textbf{Rocket hash family}, comprising two instantiations: \emph{Rocket-JH} (based on the JH iteration structure with wide-pipe design) and \emph{Rocket-DoubleCBC} (utilizing dual parallel Cipher-Block-Chaining lanes). Both constructions employ pairwise distinct round permutations and achieve superior message processing rates compared to conventional SPONGE-based designs, with Rocket-2 delivering more than $2\times$ the throughput of SHA3-512 for large messages.
For practical instantiation without requiring multiple independent cryptographic primitives, we present \textbf{CTR-Perm}, a novel domain-separation technique that derives $2^w$ effectively independent round functions from a single large permutation using a counter-based input diversification. While backward queries introduce a heuristic assumption regarding preimage multiplicity (bounded by a negligible failure probability $\leq 2^{-526}$ for counter size $w \geq 64$ and hash length 512 bits), we prove the construction remains sound for practical message lengths up to $2^{w-8}$ blocks.
Finally, to formalize the security-efficiency trade-off, we propose \textbf{Hash Effectiveness} (H.E.), a scale-invariant heuristic metric defined as the product of normalized security level and normalized processing rate. We demonstrate that conventional Merkle-Damg\aa rd and SPONGE constructions exhibit H.E. values fundamentally bounded by $1/8$, whereas the Rocket constructions achieve H.E. values approaching $1/4$ (specifically, $0.227$ for Rocket-2 with Keccak-$p$[1600]), thereby establishing a new Pareto frontier in hash function design.
## 2026/714
* Title: $\mathsf{Veloz}$: Efficient and Flexible Distribution Framework for Code-Based Polynomial Commitment Scheme
* Authors: Yuanzhuo Yu, Shi-Feng Sun, Yuncong Zhang, Chenhua Fan, Tianyi Ma, Dawu Gu
* [Permalink](
https://eprint.iacr.org/2026/714)
* [Download](
https://eprint.iacr.org/2026/714.pdf)
### Abstract
Polynomial commitment schemes (PCSs) are a fundamental cryptographic primitive that allows a prover to reveal evaluations for a committed polynomial. Motivated by the inefficiency of proof generation for large-scale computations as well as the concerns regarding third-party reliance and quantum threats, a line of recent works has focused on distributing code-based PCS, where the proving workload is distributed among multiple sub-provers to accelerate proof generation, while preserving transparent setup and plausible quantum resilience. However, for $M$ sub-provers generating an evaluation proof for a polynomial of size $N$, existing solutions either require $O(N)$ total communication among sub-provers, or incur an $O(M)$ overhead in proof size.
In this paper, we introduce $\mathsf{Veloz}$, a novel distribution framework for code-based multilinear PCS, which for the first time achieves communication cost sublinear in $N$, and eliminates the dependence of proof size on the number of sub-provers, without compromising proving speed or security. At its core is a customized proof aggregation method from interleaved code that efficiently combines sub-proofs via minimum communication. We further present two instantiations of $\mathsf{Veloz}$: one based on Reed-Solomon code, $\mathsf{Veloz}_{\text{RS}}$, achieves $O(\frac{N}{M}\log{\frac{N}{\log{N}}})$ proving time, $O(\lambda \cdot \frac{\log^{2}{N}}{\log\log{N}} + M\cdot\frac{N}{\log{N}})$ communication, and $O(\lambda \cdot \frac{\log^{2}{N}}{\log\log{N}})$ proof size; the other based on the fast linear code from Brakedown (Golovnev et al., CRYPTO 2023), $\mathsf{Veloz}_{\text{Lin}}$, features $O(\frac{N}{M})$ proving time, $O(\lambda \cdot K + M\cdot\frac{N}{K})$ communication, and $O(\lambda \cdot K)$ proof size for $K \in [\sqrt[3]{N}, \sqrt{N}]$, while enjoying field agnosticity.
We also implement both schemes in Rust and conduct a comprehensive performance evaluation. The experimental results demonstrate their linear scalability with increasing $M$. More specifically, for $N = 2^{30}$ and $M = 8$, $\mathsf{Veloz}_{\text{RS}}$ takes 74.8s for proof generation, achieving a 5.18 $\times$ speedup compared to running a single prover, while $\mathsf{Veloz}_{\text{Lin}}$ generates a proof in 26.9s and achieves a 7.02 $\times$ speedup.
## 2026/715
* Title: Chorus: Secret Recovery with Ephemeral Client Committees
* Authors: Deevashwer Rathee, Emma Dauterman, Allison Li, Raluca Ada Popa
* [Permalink](
https://eprint.iacr.org/2026/715)
* [Download](
https://eprint.iacr.org/2026/715.pdf)
### Abstract
End-to-end encrypted applications protect user data by ensuring that user secrets are only available on client devices. However, if a user loses all of their devices, they need a way to recover their data using only a short password. To realize a password-based secret recovery system resilient to brute-force attacks, prior works relied on secure hardware or a few non-colluding servers.
In this work, we take a conceptually different approach that distributes trust across the many clients already in the system, while using the server only as an orchestrator without relying on it for privacy. To achieve this, we design and implement Chorus, a secret recovery system that employs ephemeral committees, each consisting of approximately a thousand clients, to provide strong privacy with high scalability. Committees change frequently in Chorus, typically on the order of a few minutes, to severely limit an attacker's ability to compromise clients on a committee. We design Chorus for unreliable, resource-constrained clients and show that the per-client overhead decreases as more clients join the system.
Assuming each user performs recovery once a year, the expected per-client overhead in Chorus is under $30$ s of computation on a mobile device and $13.2$ MB of communication, both incurred only once every four months in a configuration with $100$M clients, up to $50$M of which may be offline and at most $10$M may be compromised. To achieve this performance, we contribute two key techniques: (i) a password-based secret recovery scheme that confines expensive committee interactions to infrequent, latency-tolerant operations, and (ii) a non-interactive verifiable secret-sharing scheme that reduces client overhead by two orders of magnitude by delegating computation to the server.
## 2026/716
* Title: ISE-supported erasure of residual shares
* Authors: Hao Cheng, Linus Mainka, Daniel Page, Kostas Papagiannopoulos
* [Permalink](
https://eprint.iacr.org/2026/716)
* [Download](
https://eprint.iacr.org/2026/716.pdf)
### Abstract
Careful management of shares stored in the architectural, general-purpose register file is an important aspect of software-based implementations of masking, because it can impact the associated side-channel leakage. The erasure of residual shares, i.e., shares whose useful lifetime has expired, is one component of such management: erasing them can, for example, prevent subsequent, unintended share recombination. To support effective share erasure, this work makes two contributions. First, we present an analysis of the underlying problem, systematising associated concepts and terminology, and offering a concrete, motivating example. Second, we present the design, implementation, and evaluation of two components which can support solutions of said problem. These are 1) a policy, namely an extended ABI which provides clear semantics regarding the responsibility of caller and/or callee functions to erase shares, and 2) a mechanism for realising said policy, namely an extended ISA (or ISE) which allows more efficient erasure of shares than via the ISA alone. Although generic in nature, we present both components using the RISC-V base ISA; an associated prototype ISE implementation uses Ibex as a base core. Our evaluation results confirm that combined use of the components can eliminate leakage related to residual shares both effectively and efficiently.
## 2026/717
* Title: Scalable Registration-Based Encryption from Lattices
* Authors: Michael Kloo|f, Russell W. F. Lai, Jan Niklas Siemer, Monisha Swarnakar
* [Permalink](
https://eprint.iacr.org/2026/717)
* [Download](
https://eprint.iacr.org/2026/717.pdf)
### Abstract
Registration-Based Encryption (RBE) is a public-key encryption mechanism which allows a user to register their identity (e.g. email address) and self-generated public key with a key curator (e.g. an organisation). The key curator aggregates these keys into a compact digest. Using only this digest and the recipientrCOs identity, anyone can encrypt messages to any registered user. As the key curator is not entrusted with any secrets, RBE presents a solution to the key escrow problem, which impedes the adoption of Identity-Based Encryption. This makes RBE an attractive solution for secure communication with and among members of an organisation while preserving user privacy. Despite recent advances [D||ttling-Kolonelos-Lai-Lin-Malavolta-Rahimi, EUROCRYPTrCO23; Fiore-Kolonelos-de-Perthuis, ASIACRYPTrCO23], practical constructions of RBE are still limited to a small number of registered users (e.g. 1024), lack post-quantum security, or have ciphertext sizes scaling in the order of GB.
The predominant way towards constructing practical RBE is a generic transformation from Laconic Encryption (LE). In this work, we identify an efficiency bottleneck in this transformation and present a new primitive called Batched Laconic Encryption (BLE) which admits a more succinct transformation to RBE. Our resulting RBE scheme is the first post-quantum construction that simultaneously supports a large number of registered users and asymptotically outperforms all comparable RBE schemes. Concretely, for at most $2^{30}$ registered users at 128-bit security, our scheme achieves a ciphertext size of 7 MB, improving on previously reported results by three orders of magnitude. We confirm our results through an open-source prototype implementation demonstrating that all algorithms execute within a few milliseconds. The post-quantum security of our construction is based on the standard Learning with Errors assumption, and our analysis enables several tweaks to significantly reduce ciphertext sizes in practical deployments.
## 2026/718
* Title: Zero-Knowledge Proof of Progress: Secure Multi-Phase Capture-the-Flag Competitions
* Authors: Salam Khanji, Behzad Abdolmaleki, John Clark, Aryan Pasikhani
* [Permalink](
https://eprint.iacr.org/2026/718)
* [Download](
https://eprint.iacr.org/2026/718.pdf)
### Abstract
Existing Capture-the-Flag (CTF) platforms trust a single organizer, offer limited auditability, and are vulnerable to infrastructure-level manipulation. We propose zkrCoMPSFV, a zk-SNARK-based, multi-phase sub-flag verification scheme that replaces centralized scoring with an on-chain, zero-knowledge, publicly verifiable scoreboard. Challenges are decomposed into sub-challenges arranged as a directed acyclic graph (DAG): a team unlocks the next step only after proving completion of all parent nodes. Sub-flags and decryption keys are jointly generated by n organizers and released via an off-chain (t, n) ShamirrCoBLS threshold signature produced through multi-party computation (MPC), preventing any single organizer from leaking oraltering keys. Teams submit zk-PLONK proofs that the contract verifies, timestamps, and records immutably. Under standard assumptions (collision-resistant hashing, SNARK soundness/zero-knowledge, IND-CCA2 ECIES, and at least t honest organizers), we prove that zkrCoMPSFV achieves the stated security goals, including DAG-gated progress, anti-replay, and threshold-robust organizer security, while out-of-band flag sharing remains out of scope. On a three-organizer testbed with 30 simulated teams, setup costs 0.45 ms per sub-flag, proof generation averages 5.34 s on an 8 core system, and on-chain verification costs ree 170k L2 gas on zkSync Era with a median fee of 1.33 |u 10reA6 ETH (about $0.0046 at $3,435 ETH). Stress replays sustain ree 7 proof transactions/s up to 5000 proofs; extrapolating to 50,000 proofs (1000 teams |u 50 submissions) yields ree 0.0665 ETH (about $200rCo$228) and ree 2 hours of settlement time. Overall, zkrCoMPSFV is practical for small- to mid-scale, audit-ready progression CTFs.
## 2026/719
* Title: Polynomial-Time Cryptanalytic Extraction of Graph Neural Networks in the Hard-Label Setting
* Authors: Chun li, Liping Zhuang, Di Li, Yufeng Tang, Zheng Gong
* [Permalink](
https://eprint.iacr.org/2026/719)
* [Download](
https://eprint.iacr.org/2026/719.pdf)
### Abstract
Graph neural network parameters are valuable intellectual property, and high-fidelity extraction enables model stealing, evasion, and downstream abuse. Prior cryptanalytic extraction can recover exact parameters in hard-label settings, yet existing methods focus on feedforward models and do not extend to message-passing graph neural networks. The obstacles include coupled queried nodes, hidden aggregation operators, and sign and scale ambiguities created by message passing. To our knowledge, this is the first cryptanalytic extraction framework for message-passing ReLU graph neural networks in hard-label settings where the oracle returns only the predicted class. We locate dual-point constraints on class-pair decision boundaries and activation hyperplanes, then recover hidden signatures with SVD-based extraction under a fixed ordered two-node query interface. We use ON/OFF distance comparisons to resolve hidden signs, then prove that diagonal scale factors propagate through the recovered prefix and cancel at the output layer. This four-stage recovery chain avoids explicit scale fitting while using only hard-label local queries. On ogbn-arxiv targets with up to 10,660 parameters, the attack achieves 100% prediction fidelity on 8,171 evaluated nodes with 48.68M node queries.
## 2026/720
* Title: ABRA-CAPA-DABRA: Full break of CAPA
* Authors: Paco Azevedo-Oliveira
* [Permalink](
https://eprint.iacr.org/2026/720)
* [Download](
https://eprint.iacr.org/2026/720.pdf)
### Abstract
In a paper presented at CRYPTO18, Reparaz et al. introduce a new model called the ``Tile-Probe-and-Fault-Model''. This model proposes to cover more realistic side-channel attacks by considering so-called ``combined'' attacks, in other words attacks using both side-channel leakage and fault injection. In addition, they introduce CAPA, a combined ``Countermeasure Against Physical Attacks'', which is inspired by an MPC protocol called SPDZ. In this paper, by attacking the original Beaver triples generation described in CAPA, we demonstrate that the CAPA countermeasure is not secure in its model, by breaking the countermeasures with a simple resolution of a linear system.
## 2026/721
* Title: Improving LatticeFold+ with rao2-norm Checks
* Authors: Micha+e Osadnik
* [Permalink](
https://eprint.iacr.org/2026/721)
* [Download](
https://eprint.iacr.org/2026/721.pdf)
### Abstract
Folding schemes enable incremental proving by compressing many relation instances into a small accumulator. Recent lattice-based constructions such as LatticeFold+ [CRYPTO '25] achieve post-quantum security, but prover performance is still dominated by expensive $\ell_\infty$ range checks used to control witness growth during folding and extraction. We present a final $\ell_2$-norm-check design that combines random-projection constraints (in the spirit of Rok and Roll [ASIACRYPT '25]) with an exact shortening step (in the spirit of SALSAA [ePrint 2025/2124]) to recover the original witness $\ell_2$-norm bound at extraction time. Integrated into the LatticeFold+ composition, this gives iterative folding with controlled norm growth, preserved binding and knowledge-soundness goals, and substantially lower prover cost on the dominant norm-check path, while maintaining a similar proof size and verification cost. Our approach is modular and can be applied to other lattice-based folding schemes, providing a practical path for efficient post-quantum folding constructions.
## 2026/722
* Title: (Mis)using the Lattice Isomorphism Problem. Cryptanalysis of the double-LIP and Construction of LIP-Based Blind Signatures
* Authors: Veronika Kuchta, Francesco Sica
* [Permalink](
https://eprint.iacr.org/2026/722)
* [Download](
https://eprint.iacr.org/2026/722.pdf)
### Abstract
We explore the design of blind schemes based on the Lattice Isomorphism Problem (LIP), a recently proposed group-action-based assumption for post-quantum cryptography. Our work highlights both the potential and the limitations of LIP-based constructions. In particular, we analyze the AberCoOkamoto framework and demonstrate that it does not yield a secure instantiation under LIP. We further present an attack on the double LIP problem, allowing from two generic distinct instances of a LIP problem to recover the secret unimodular matrix. Finally, we propose a new blind signature scheme that combines LIP with the Closest Vector Problem (CVP) and a modular version of the Short Integer Solution (SIS) problem, offering a fresh direction for lattice-based blind constructions.
## 2026/723
* Title: Hint-Free Multi-Signatures
* Authors: Dennis Hofheinz, Michael Reichle, Benedikt Wagner
* [Permalink](
https://eprint.iacr.org/2026/723)
* [Download](
https://eprint.iacr.org/2026/723.pdf)
### Abstract
In a (non-interactive) multi-signature scheme, parties independently generate keys and produce signatures on a common message, which can be aggregated into a single signature verifiable with respect to the set of public keys. Existing multi-signature constructions, however, suffer from at least one of two limitations: either (1) aggregate signatures cannot be further aggregated, or (2) verification requires auxiliary information beyond the set of public keys, such as the aggregation topology.
We argue that these limitations significantly restrict the applicability of multi-signatures in large-scale distributed systems, such as proof-of-stake blockchains. To address this gap, we initiate the formal study of hint-free multi-signatures, which support multi-hop aggregation while allowing verification using only the set of public keys.
To the best of our knowledge, the only previously known (folklore) construction that is fully hint-free relies on recursive SNARKs, which introduces unclear heuristics for security (e.g., proving statements about random oracle relations) or inherently limits the depth of the aggregation topology.
We show that hint-free multi-signatures can be realized without proof recursion, in the standard model. At a high level, we show how to publicly normalize BLS multi-signatures so that verification depends only on the set of public keys rather than a multi-set. While our scheme is not practical (it uses indistinguishability obfuscation), it establishes the feasibility of the primitive provides a foundation for future work on practical constructions.
## 2026/724
* Title: Decomposition of Large Look-Up Tables for Fast Homomorphic Evaluation * Authors: Sonia Bela|>d, Nicolas Bon, Matthieu Rivain
* [Permalink](
https://eprint.iacr.org/2026/724)
* [Download](
https://eprint.iacr.org/2026/724.pdf)
### Abstract
TFHE is one of the most promising scheme in the literature for an adoption of Fully Homomorphic Encryption (FHE) in practice. The core reason of its good performances is the powerful Programmable Bootstrapping (PBS) operation, that enables to homomorphically evaluate a Look-Up Table (LUT) on a ciphertext while simultaneously reducing its noise. However, the computational cost of running a PBS degrades severely when the size of the plaintext space increases, making it intractable for precision larger than 8 bits. So, evaluating a LUT larger than 2^8 is not considered possible with the "vanilla'' TFHE scheme.
In this paper, we propose a technique to accelerate LUT evaluation at high precision, that significantly enhances the state of the art. Our method beats the original PBS for spaces larger than 6 bits, and is competitive with the WoP-PBS (the reference of the state of art) while being conceptually simpler. Moreover, our method relies on the standard PBS of TFHE, and therefore does not require the design of new advanced homomorphic operators, which facilitates its integration into larger homomorphic compilation systems.
## 2026/725
* Title: The Cost of Fluidity: Communication Complexity Trade-offs in Fluid MPC * Authors: Shancheng Zhang, Zongyang Zhang, Bernardo Magri
* [Permalink](
https://eprint.iacr.org/2026/725)
* [Download](
https://eprint.iacr.org/2026/725.pdf)
### Abstract
Secure multi-party computation (MPC) enables mutually distrustful parties to jointly evaluate a function on their private inputs. Classic MPC protocols, however, assume a static set of participants in which every party must remain online throughout the entire computation. Recent advances have introduced MPC models with dynamic participation, such as Fluid MPC, in which computation steps are delegated to a sequence of committees that change across epochs. This approach improves robustness, enabling parties to go offline once their roles are complete. Yet, this flexibility comes at a cost: the most efficient dynamic-participation MPC protocols still incur communication overheads exceeding traditional MPC by more than an order of magnitude.
In this work, we formalize the communication complexity of $(d,n)$-threshold secret-sharing-based Fluid MPC. We prove a tight trade-off between communication cost and the adversary's corruption threshold, showing that linear communication complexity $O(n)$ is impossible when the corruption threshold $t$ exceeds a proportion of $d$. Matching this bound, we construct a protocol with a communication cost of $9.3n$ elements per multiplication gate against a semi-honest adversary and $37.3n$ elements against a malicious adversary. A C++ implementation confirms that our approach brings the cost of fluidity within practical limits.
## 2026/726
* Title: Bitsliced Segment-Based Search Technique for Low-Depth and Hardware-Efficient S-Box Circuits
* Authors: Giyoon Kim, Seungjun Baek, Yongjin Jeon, Vedad Had++i-c, Jongsung Kim
* [Permalink](
https://eprint.iacr.org/2026/726)
* [Download](
https://eprint.iacr.org/2026/726.pdf)
### Abstract
In this paper, we propose a new widely applicable technique for constructing low-depth S-box circuits, which we call SLICE (Segmented LowrCadepth Iterative Circuit Exploration). SLICE reduces circuit depth by partitioning circuits into subcircuits and applying bit-level optimizations. To mitigate the optimization cost of subcircuits with large bit-widths or high AND depth, SLICE temporarily reduces their bit-width during the search, making low-depth circuit construction feasible for various S-box sizes. Furthermore, we refine the eBPD algorithm with the aim of minimizing XOR gate count in terms of area, and apply it to the constructed circuits to achieve an additional reduction.
Our proposed method is simple yet powerful, especially in practical applications. This work focuses on three practically deployed cases, namely the AES, Ascon S-box circuits and DillonrCOs 6-bit APN S-box used in FIDES, and additionally considers the cube $x^3$ S-box. For the AES S-box, we present 14-, 13- and 12-depth circuits, whereas the previous lowest depth was 14. Notably, the 12-depth design sets a new overall depth record for AES S-box circuits, while the 13-depth design records the most hardware-efficient circuit in terms of the area$\times$delay metric (ADP). For the Ascon S-box, we present the first 4-depth circuit. For Dillon's S-box and the cube $x^3$ S-box, we also derive new low-depth circuits that improve upon the best previously known depths. All of our proposed S-box circuits achieve better ADPs than previous designs. We believe that SLICE will be useful for evaluating both existing and novel S-box designs.
## 2026/727
* Title: Automated formal analysis of SignalrCOs Double Ratchet: attacks, fixes and security proofs
* Authors: Vincent Cheval, Charlie Jacomme, Jessica Richards
* [Permalink](
https://eprint.iacr.org/2026/727)
* [Download](
https://eprint.iacr.org/2026/727.pdf)
### Abstract
The Double Ratchet (DR) protocol is a core security component of several end-to-end encrypted communications services, primarily Signal Messenger, WhatsApp, and Facebook Messenger, servicing billions of users. In this work, we provide the first formal analysis of the DR covering all of its features, including out-of-order message arrivals. This analysis is highly automated, allows for all possible key compromises and notably proves Post-Compromise Security (PCS). We also provide partial results for the security of more complex protocol variants, these being the extension of the DR with encrypted headers, and composition with PQXDH as the initial key-exchange.
Our analysis uncovered three attacks on the protocol, two of which we confirmed to be present in the main implementation, and a third which exists in the specification. Each of these attacks weakened or broke Forward Secrecy, and are to the best of our knowledge the first such known attacks. In each case, the issues were reported to the Signal developers and subsequently fixed. Overall, our analysis provides new guarantees of the security of Signal Messenger, and demonstrates the high level of security provided by the DR under a variety of strong threat models.
## 2026/728
* Title: MAGNET: MAsked Gaussian Now Efficient and Table-less
* Authors: Mert Yassi, Soundes Marzougui, Raymond K. Zhao, Muhammed F. Esgin, Amin Sakzad, Ron Steinfeld
* [Permalink](
https://eprint.iacr.org/2026/728)
* [Download](
https://eprint.iacr.org/2026/728.pdf)
### Abstract
Discrete Gaussian sampling (DGS) is a fundamental method for generating random noise in various post-quantum cryptographic key generation and signature schemes. However, DGS has been shown to be highly susceptible to side-channel analysis, and several countermeasures have been developed. Masking, a robust countermeasure, is widely employed to secure these schemes against side-channel attacks. Due to the non-linear arithmetic operations involved, DGS has traditionally been considered unsuitable for efficient masked implementations. In this work, we propose $\textsf{MAGNET}$: an efficient masking design for the novel discrete Gaussian sampler based on Boolean circuits introduced by Wei et al. at ACM CCS 2023. With $\textsf{MAGNET}$, we demonstrate that DGS can be implemented in a masking-friendly manner. Previous masked DGS approaches in the literature have relied on computation-intensive floating point operations or table-lookup-based techniques using Cumulative Distribution Tables (CDT). In contrast, we show that DGS can be efficiently masked for moderate orders without relying on heavy computation or precomputed large lookup tables. In addition to delivering good performance at a small standard deviation $\sigma$, the efficiency of $\textsf{MAGNET}$ becomes increasingly significant in large $\sigma$ settings. $\textsf{MAGNET}$ achieves up to $17\times$ speed-up at $\sigma = 256$, and $56\times$ speed-up at $\sigma = 1024$ over the CDT-based sampler of G|-rard and Rossi (2019). We provide an arbitrary-order C implementation and a first-order ARM Cortex-M4 implementation of $\textsf{MAGNET}$. We validate the practical security of the first-order implementation through Test Vector Leakage Assessment (TVLA) and systematic hardening of gadgets that exhibit side-channel leakage.
## 2026/729
* Title: Code-based Scalable Collaborative SNARKs
* Authors: Christodoulos Pappas, Dimitrios Papadopoulos, Charalampos Papamanthou
* [Permalink](
https://eprint.iacr.org/2026/729)
* [Download](
https://eprint.iacr.org/2026/729.pdf)
### Abstract
We propose the first collaborative SNARK based on error-correcting codes that is scalable, i.e., the proof computation overhead is distributed among the $N$ provers. As a starting point, we introduce the notion of $(t,l)$-zero-knowledge collaborative codes that ensure that, when collaboratively computing a codeword over a distributed message, no coalition of up to $t$ corrupted parties learns any additional information about the message, even having queried up to $l$ codeword positions. We show that tensor codes consisting of the composition of two Reed-Solomon codes satisfy our definition, while also being foldable. We then propose a collaborative interactive oracle proof of proximity (coIOPP) for testing codeword closeness in our code, show how it can be made a zero-knowledge IOPP using randomness logarithmic in the size of the message (as opposed to linear with prior approaches), and we use it to construct a coIOPP for multi-linear polynomial evaluation. To compile our coIOPPs into non-interactive arguments, we prove that a natural extension of the compiler of Ben-Sasson-Chiesa-Spooner~(TCC 2016) in the collaborative setting preserves round-by-round (knowledge) soundness against quantum adversaries, which may be of independent interest for future work in collaborative SNARKs. Finally, we use an optimized collaborative version of the Spartan PIOP to build the first transparent and post-quantum secure scalable collaborative SNARK. Our experimental evaluation demonstrates that our scheme consistently outperforms the best existing (non-post-quantum secure) scalable collaborative SNARKs, both in end-to-end prover time and in total communication among provers, for all tested configurations.
## 2026/730
* Title: Towards Zero Rotation and Beyond: Architecting Neural Networks for Fast Secure Inference with Homomorphic Encryption
* Authors: Yifei Cai, Yizhou Feng, Qiao Zhang, Chunsheng Xin, Hongyi Wu
* [Permalink](
https://eprint.iacr.org/2026/730)
* [Download](
https://eprint.iacr.org/2026/730.pdf)
### Abstract
Privacy-preserving deep learning addresses privacy concerns in Machine Learning as a Service (MLaaS) using Homomorphic Encryption (HE) for linear computations. Nevertheless, the high computational cost remains a challenge. While prior work has attempted to improve the efficiency, most are built upon models originally designed for plaintext inference. These models are inherently limited by architectural inefficiencies when adapted to HE settings. We argue that substantial efficiency improvements can be achieved by designing networks specifically tailored to the unique computational characteristics of HE, rather than retrofitting existing plaintext models. Our design comprises two main components: the building block and the overall architecture. The first, StriaBlock, targets the most expensive HE operationrCoRotation. It integrates ExRot-Free Convolution and a novel Cross Kernel, completely eliminating the need for external Rotation and requiring only 19% of the internal Rotation operations compared to plaintext models. The second component, the architectural principle, includes the Focused Constraint Principle, which limits cost-sensitive factors while preserving flexibility in others, and the Channel Packing-Aware Scaling Principle, which dynamically adapts bottleneck ratios based on ciphertext channel capacity that varies with network depth. These strategies efficiently control the local and overall HE cost, enabling a balanced architecture for HE settings. The resulting network, StriaNet, is comprehensively evaluated. While prior works primarily focus on small-scale datasets such as CIFAR-10, we conduct an extensive evaluation of StriaNet across datasets of varying scales, including large-scale (ImageNet), medium-scale (Tiny ImageNet), and small-scale (CIFAR-10) benchmarks. At comparable accuracy levels, StriaNet achieves speedups of 9.78 times, 6.01 times, and 9.24 times on ImageNet, Tiny ImageNet, and CIFAR-10, respectively.
## 2026/731
* Title: SecDTD: Dynamic Token Drop for Secure Transformers Inference
* Authors: Yifei Cai, Zhuoran Li, Yizhou Feng, Qiao Zhang, Hongyi Wu, Danella Zhao, Chunsheng Xin
* [Permalink](
https://eprint.iacr.org/2026/731)
* [Download](
https://eprint.iacr.org/2026/731.pdf)
### Abstract
The rapid adoption of Transformer-based AI has been driven by accessible models such as ChatGPT, which provide API-based services for developers and businesses. However, as these online inference services increasingly handle sensitive inputs, privacy concerns have emerged as a significant challenge. To address this, secure inference frameworks have been proposed, but their high computational and communication overhead often limit practical deployment. In plaintext settings, token drop is an effective technique for reducing inference cost; however, our analysis reveals that directly applying such methods to ciphertext scenarios is suboptimal due to distinct cost distributions in secure computation. We propose SecDTD, a dynamic token drop scheme tailored for secure Transformer inference. SecDTD advances token drop by shifting the dropping to earlier inference stages, effectively reducing the cost of key components such as Softmax. To support this, we introduce two core techniques. Max-Centric Normalization (MCN): A novel, Softmax-independent scoring method that enables early token drop with minimal overhead and improved normalization, supporting more aggressive dropping without accuracy loss. OMSel: A faster, oblivious median selection protocol that securely identifies the median of importance scores to support token drop. Compared to existing sorting-based methods, OMSel achieves a 16.9 times speedup while maintaining security, obliviousness and randomness. We evaluate SecDTD through 48 experiments across eight GLUE datasets under various network settings using the BOLT and BumbleBee frameworks. SecDTD achieves 4.47 times end-to-end inference acceleration without degradation in accuracy.
## 2026/732
* Title: Faster Logical Operations from Discrete CKKS
* Authors: Jaehyung Kim
* [Permalink](
https://eprint.iacr.org/2026/732)
* [Download](
https://eprint.iacr.org/2026/732.pdf)
### Abstract
We study efficient non-arithmetic operations in (G)BFV with arbitrary plaintext modulus. We design scheme conversions between (G)BFV and Discrete CKKS, allowing (G)BFV ciphertexts to use radix-based integer computation in the Discrete CKKS setting. This gives asymptotically faster logical operations: for plaintext modulus $p$, homomorphic comparison runs in $O(\log p \log\log p)$ for BFV and $O(\log\log p)$ for GBFV.
## 2026/733
* Title: Explicit Bounds on the Existence Probability of Random Multivariate Quadratic Systems over Finite Fields
* Authors: Michiya Iwata, Ryomei Sugai, Kosuke Sakata, Tsuyoshi Takagi
* [Permalink](
https://eprint.iacr.org/2026/733)
* [Download](
https://eprint.iacr.org/2026/733.pdf)
### Abstract
The security of multivariate public-key cryptography, a major approach to post-quantum cryptography, is based on the computational hardness of solving systems of multivariate quadratic equations over finite fields (the MQ problem). The MQ problem consists of solving a system of quadratic equations over a finite field of size $q$, with $n$ variables and $m$ polynomials. The existence probability of solutions to the MQ problem plays a central role in analyzing the security of multivariate cryptography. However, explicit bounds for fixed parameters $(q,n,m)$ have not been sufficiently studied. In this work, we evaluate the existence probability for randomly generated MQ systems with fixed parameters by analyzing the coefficient space arising from the MQ system. Using the inclusion--exclusion principle, we obtain a lower bound (approximately $0.625$) and an upper bound (approximately $0.667$) on the existence probability, focusing on the case $m=n$. We also derive upper and lower bounds on the probability that the number of solutions is exactly one in the case $m=n$. Finally, we analyze the existence probability of solutions to the MQ problem in the case $m \neq n$.
## 2026/734
* Title: Assessing Geometric Security of AES Neural Realizations: Linear-Time Key Recovery via Neural Leakage
* Authors: Kwangjo Kim
* [Permalink](
https://eprint.iacr.org/2026/734)
* [Download](
https://eprint.iacr.org/2026/734.pdf)
### Abstract
We investigate the security of AES-128/192/256 when implemented as ReLU-based neural networks via the natural sum-of-corners construction. Although these implementations are bit-exact on Boolean inputs, they extend AES into a continuous piecewise-linear
function over $\mathbb{R}^{128}$. We show that under real-valued oracle access, such neural realizations admit deterministic linear-time master-key recovery. The attack exploits a geometric property
of the natural XOR (AddRoundKey) layer: for corner parameter c < 1, ReLU activations partition the input space into key-dependent linear regions. Using symmetric perturbations,
exactly one key hypothesis preserves linear-region membership, enabling bitwise recovery through simple output-equality tests. We formalize this phenomenon via a local separability
lemma and obtain attack complexity O(128R) neural queries for R rounds. Experiments over 1,000 independent random keys for AES-128, AES-192, and AES-256 achieve 100% recovery success. The vulnerability is independent of key size and round count; it stems
solely from exposing a key-dependent XOR layer inside a continuous neural architecture. Our results reveal a fundamental gap between Boolean security and geometric security in neural implementations of cryptographic primitives.
## 2026/735
* Title: CLAASP-MP: An Automated MILP Framework for Monomial Prediction
* Authors: Emanuele Bellini, Mohamed Rachidi, Sharwan K. Tiwari
* [Permalink](
https://eprint.iacr.org/2026/735)
* [Download](
https://eprint.iacr.org/2026/735.pdf)
### Abstract
We present CLAASP-MP, a monomial prediction (MP) tool based on the three-subset division property without unknown subset (3SDP-woU), integrated into CLAASP, a library for automated analysis of symmetric key cryptographic primitives. The propagation rules of 3SDP-woU are encoded as a Mixed Integer Linear Programming (MILP) model generated directly from the CLAASP component graph, covering the main building blocks used in modern symmetric designs, including S-boxes, linear layers, Boolean word operations, modular addition and multiplication, and linear and nonlinear feedback shift register updates.
Using this model for selected output bits, CLAASP-MP computes algebraic normal form (ANF) (for a small number of rounds), derives superpolies for a chosen cube, and computes a tight upper bound on the algebraic degree with respect to plaintext, key, or IV variables. A monomial is absent if its ANF coefficient is zero, if it does not appear in the superpoly, or if the algebraic degree is too small for it to occur; in all such cases, the output is balanced and yields an integral distinguisher.
We evaluate \name{} on block ciphers, permutations, and stream ciphers implemented in \claasp{}. We introduce an exact bit-level MILP modeling technique for modular multiplication and apply it to provide the first independent algebraic analysis of the MSX block cipher, identifying integral properties that persist up to 7 rounds for MSX-128. Furthermore, we reproduce known distinguishers and identify new cubes for several block ciphers and extend the best-known integral distinguishers of ChaCha and Salsa permutations from 6 and 5 rounds, respectively, to 6.75 rounds. We also discovered new integral distinguishers for Bivium using several 36-dimensional cubes and extended the exact computation of the algebraic degree of Trivium to later initialization clocks while reproducing many published superpolies.
These results show that CLAASP-MP provides a unified and practical MILP-based framework for monomial prediction and algebraic analysis across a wide range of symmetric primitives.
## 2026/736
* Title: Compact Fully Asynchronous Updatable Public Key Encryption Scheme from Hamming Quasi-Cyclic Cryptosystem
* Authors: Sanajit Patra, Ratna Dutta, Jayashree Dey
* [Permalink](
https://eprint.iacr.org/2026/736)
* [Download](
https://eprint.iacr.org/2026/736.pdf)
### Abstract
In this work, we propose the first code-based $\mathsf{uPKE}$ from the hamming quasi-cyclic public key encryption scheme $(\mathsf{hqcPKE})$ of Gaborit et al. by integrating an efficient key-update mechanism utilizing a carefully designed deterministic sampling algorithm. Our sampling algorithm exploits a structured permutation set preserving Hamming weight and satisfying specific algebraic properties that is of independent interest. More positively, our protocol allows unbounded key updates free from the cumulative error issues inheriant to lattice based designs and supports asynchronous key updates, authorizing senders to update the public key independently. We formally establish the security of the proposed construction against indistinguishability under chosen-randomness and chosen-plaintext attack $(\mathsf{IND}\text{-}\mathsf{CR}\text{-}\mathsf{CPA})$ in standard model considering decisional quasi-cyclic syndrome decoding with parity $(\mathsf{DQCSDP})$ assumption. We emphasize that in comparison with existing post-quantum secure asynchronous schemes supporting unbounded updates, our construction achieves in the standard model instead of random oracle model significantly improved storage and communication efficiency, particularly in terms of public key size, ciphertext size and update ciphertext size. From a computational perspective, our design enables a more efficient public key update procedure and exhibits comparable performance for key generation, encryption, decryption and secret key update.
## 2026/737
* Title: Blind Verifiable Delay Functions
* Authors: Charlotte Hoffmann, Krzysztof Pietrzak
* [Permalink](
https://eprint.iacr.org/2026/737)
* [Download](
https://eprint.iacr.org/2026/737.pdf)
### Abstract
A verifiable delay function (VDF), introduced by Boneh et al. [CRYPTOrCO18], on input $(x,T)$ produces an output $(y,\pi)$ where computing $y$ requires $T$ inherently sequential steps, and $\pi$ is a proof certifying correctness. VDFs have found numerous applications, and many of these rely on the assumption that honest parties can evaluate the VDF nearly as fast as adversaries.
To support this assumption, significant effort has been invested in developing dedicated VDF hardware (ASICs). However, such devices are expensive and produced in limited quantities, leaving only a small number of parties with access to fast VDF evaluation. A natural workaround is to offer rCLVDFs as a service,rCY where a server equipped with specialized hardware evaluates instances on behalf of clients. This approach, however, is unsuitable when the VDF input must remain private.
In this work, we introduce and construct blind VDFs, enabling secure VDF outsourcing without revealing the input. Inspired by blind signatures, our protocol allows a client to transform an input $x$ into a blinded instance $\alpha$, which is evaluated by the server. The server returns a result $\beta$, from this and its local state, the client can unblind to recover the correct output $(y,\pi)$, while the server learns nothing about $x$.
We realize this notion by constructing a blinded version of PietrzakrCOs VDF [ITCSrCO19]. In the original scheme, computing $y$ requires $T$ sequential steps, while generating the proof $\pi$ can be done in $O(T/S)$ parallel time using $O(S)$ space (e.g., $O(\sqrt{T})$ time and space). In our blind variant, the server performs the $T$ sequential steps and sends $O(S)$ data to the client, who completes the unblinding in $O(T/S)$ time. By allowing slightly more interaction, we obtain a protocol where the clientrCOs work is small, while the server performs essentially the same computation as in the unblinded VDF.
## 2026/738
* Title: SPoCK: Sequential Proofs of Complete Knowledge
* Authors: Antonio Giulio D'Antona, Charlotte Hoffmann, Krzysztof Pietrzak
* [Permalink](
https://eprint.iacr.org/2026/738)
* [Download](
https://eprint.iacr.org/2026/738.pdf)
### Abstract
A proof of knowledge certifies that the prover rCLknowsrCY a secret. This property is established by the existence of an extractor that, given access to the prover, can extract the secret. Unfortunately, this does not imply that a single entity has access to the secret in the clear, as it may be secret-shared among several parties and the proof computed using multiparty computation (MPC), or the secret may be embedded in a trusted execution environment (TEE) that only allows limited access to it.
Often, the ability to encumber a secret in this way breaks the security of a system; vote selling in e-voting schemes is one example. To address this, two recent papers introduced the notions of rCLProofs of Complete KnowledgerCY (PoCK) [Kelkar et al., CCSrCO24] and rCLIndividual CryptographyrCY [Dziembowski et al., CRYPTOrCO23]. While the goals and constructions in those works differ, both rely on the same key idea to prevent encumbrance. To compute a proof, the prover must evaluate a hash function on a huge number of inputs. One then assumes that only a fraction of those can be encumbered, while for the rest the prover must know the inputs in the clear, and these clear inputs are sufficient to extract the secret. Computing a huge number of hashes is a challenge even for an honest prover (who has the secret in the clear), so those works suggest using outdated Bitcoin mining hardware to make the scheme practical.
By forcing the prover to evaluate the hashes in a sequential manner, we could get meaningful security against encumbrance with far fewer hashes, especially against MPC, where round complexity is a major bottleneck.
As a concrete instantiation of this idea, we define and construct Sequential Proofs of Complete Knowledge (SPoCK). Our construction uses the PoCK of Kelkar et al. (which are based on FischlinrCOs straight-line extractable proofs of knowledge). The computation of this PoCK is then embedded into the computation of the Proof of Sequential Work from [Cohen&Pietrzak, EUROCRYPTrCO18]. SPoCK thus have the potential to enable complete-knowledge or individual-cryptography primitives where honest parties can use standard hardware. We also propose a variant of this scheme that requires a large amount of memory throughout the evaluation, providing better security also against TEEs.
## 2026/739
* Title: Additive FFTs for HQC on ARM Cortex-M4, Revisited
* Authors: Ming-Shing Chen, Tun-You Chien, Chun-Ming Chiu, Han-Hsuan Lin, Chun-Tao Peng, Bo-Yin Yang
* [Permalink](
https://eprint.iacr.org/2026/739)
* [Download](
https://eprint.iacr.org/2026/739.pdf)
### Abstract
This paper presents an optimized implementation of the Hamming Quasi-Cyclic (HQC) key encapsulation mechanism, leveraging the additive fast Fourier transform (FFT) for polynomial multiplication. A primary challenge in applying FFT-based multiplication to HQC is that the polynomial degrees slightly exceed powers of two, making standard FFT approaches inefficient. To address this, we propose a new method combining the Frobenius additive FFT (FAFFT) with the Chinese Remainder Theorem (CRT) to efficiently multiply polynomials of these specific degrees. Such a combination is made possible by our new interpretation of FAFFT's Encode step as ring isomorphisms, from which we derive an exact formula for the modulus of any FAFFT-based polynomial multiplier.
In addition to the multiplication algorithm, we replace the Berlekamp-Massey decoder with an Extended Euclidean Algorithm (EEA) based method. The regular data flow of EEA facilitates the use of our highly optimized GF(256) SIMD arithmetic, leading to a faster execution speed.
Benchmarks demonstrate that our FFT-based approach significantly outperforms traditional Toom-Karatsuba methods, even at lower degrees, on the Arm Cortex-M4 platform. Our integrated optimizations result in a 19.5% and 20.4% speedups for the encapsulation and the decapsulation processes compared to the current state-of-the-art HQC-1 implementation.
## 2026/741
* Title: How to Authenticate a Non-Deterministic Computation: Shift-Hiding Functions, Compressed LWE Sampling, Broadcast Encryption, and Obfuscation
* Authors: Damiano Abram, Giulio Malavolta, Lawrence Roy
* [Permalink](
https://eprint.iacr.org/2026/741)
* [Download](
https://eprint.iacr.org/2026/741.pdf)
### Abstract
We propose a new method to construct homomorphic authentication codes supporting the evaluation of *non-deterministic* computations, extending the celebrated homomorphic lattice encodings [Boneh et al., Eurocrypt 2014]. Our approach relies on the hardness of the decomposed learning with errors problem (LWE), a recently introduced modification of Regev's LWE assumption.
We then use this new technical tool to make progress on several open problems in the literature. Specifically, we obtain:
1) A constrained pseudorandom function (PRF), where the evaluation of the PRF on the master key does not depend on the complexity of the constraint, except for its circuit depth.
2) A way to securely compress and re-expand LWE samples in the plain model.
3) An adaptively secure broadcast encryption scheme, with ciphertext and secret keys growing poly-logarithmically with the size of the encrypted set.
4) A pseudorandom obfuscation for all puncturable PRFs, additionally assuming the existence of sub-exponentially secure indistinguishability obfuscation (iO).
None of the above mentioned primitives was known to exist from lattice assumptions.
As a bonus result, we also obtain a conceptually simple and direct heuristic construction of iO based on lattice techniques, which is not based on the function encryption-to-iO paradigm. We provide evidence that this approach can be used to build provably secure obfuscation for simple functionalities such as sampling lattice preimages using a hidden trapdoor.
--- Synchronet 3.21f-Linux NewsLink 1.2