From Newsgroup: sci.crypt
## In this issue
1. [2025/1308] Efficient High-Order Masking of FrodoKEM's CDT- ...
2. [2026/226] Round-Optimal Identity-Based Blind Signature from ...
3. [2026/275] PhantomCrypt: Second-Order Deniable Encryption with ...
4. [2026/297] CipherSkip: Efficient Sparse Matrix Multiplication ...
5. [2026/301] Cross-Algorithm Deep Learning-based Non-Profiled ...
6. [2026/349] Multipath PA-PUFs generate all Boolean functions
7. [2026/754] BTX: Simple and Efficient Batch Threshold Encryption
8. [2026/755] ACTS: Attestations of Contents in TLS Sessions
9. [2026/756] Integral Attack on Reduced-Round Kalyna
10. [2026/757] Integral Distinguishers and a 4-Round Key-Recovery ...
11. [2026/758] Incentivizing Geographic Diversity for ...
12. [2026/759] A Scalable Fault Countermeasure for SLH-DSA: Trade- ...
13. [2026/760] A Simple Batched Threshold Encryption Scheme
14. [2026/761] Improved Garbled RAM via Garbled Merge
15. [2026/762] The Sum-Check Protocol over the Monomial Basis, and ...
16. [2026/763] LEAH: Lightweight and Efficient Hardware ...
17. [2026/764] CEDAR: A Compact and Efficient Decoder Architecture ...
18. [2026/765] MBU: Scalable and Constant-Round Evaluation of Non- ...
19. [2026/766] Dynamic Group Time-based One-time Passwords
20. [2026/767] Cryptanalysis of the Sharafi-Daghigh digital ...
21. [2026/768] Towards More Efficient Registration-Based ...
22. [2026/769] High-Order Masking for MQOM v2.1 Signing
23. [2026/770] Cryptanalysis of Hecke-KE: A Linear-Algebra Attack ...
24. [2026/771] Vector-Input Hashing Modes for Collision-Resistant ...
25. [2026/772] Lattice-based Ring Verifiable Random Functions
26. [2026/773] Practical Attacks on Session Messenger and Oxen ...
27. [2026/774] Provably Secure Hybrid Inner Product and Boolean ...
28. [2026/775] Differential and Linear Cryptanalysis of Modular ...
29. [2026/776] SCOUT-CT: Sound Constant-Time Outcome with ...
30. [2026/777] How Strong is the FO-Calypse, Really? Instantiating ...
31. [2026/778] Cobra: All-in-one for full-fledged defense – a ...
32. [2026/779] And TLS lived happily ever after
33. [2026/780] Montgomery Multiplication in Signed Redundant ...
34. [2026/781] Panther: Robust Hybrid KEM Combiners via Structural ...
35. [2026/782] Failure of proximity gaps close to capacity
36. [2026/783] Batch-Puncturing Circuit CP-ABE (and More) from ...
37. [2026/784] Secure and Updatable Single Password Authentication
38. [2026/785] Neural Leakage-based Cryptanalysis of LowMC with ...
39. [2026/786] Integral Resistance and Degree Bounds for Complex ...
40. [2026/787] Efficient Construction of Threshold BBS+ Signatures ...
41. [2026/788] Secret-Carrying Puzzles and Garbled Circuits ...
42. [2026/789] Foundations of Verifiably Encrypted (Blind) Signatures
43. [2026/790] Towards a Field-Informed Risk-Based Framework for ...
44. [2026/791] Experimental Validation of AUX scheme for Quantum ...
45. [2026/792] Equivocal Broadcast Encryption: Adaptively-Secure ...
46. [2026/793] Oriole: Adaptively Secure Partially Non-Interactive ...
47. [2026/794] sigma-rs: A Modular Approach for Keyed-Verification ...
48. [2026/795] On the Decoding Failure Rate of HQC
49. [2026/796] Masking Ordering Failures in BFT SMR via Proactive ...
50. [2026/797] Factorisation-Based Multivariate Schemes: ...
51. [2026/798] Implementing CCZ Gates with Variation of Gate ...
52. [2026/799] EQuADiSE: Efficient Quantum-safe Adaptive ...
53. [2026/800] Deploying decryption oracles for fun and non- ...
54. [2026/801] Outsourced Private Set Intersection for Pairwise ...
## 2025/1308
* Title: Efficient High-Order Masking of FrodoKEM's CDT-Based Gaussian Sampler
* Authors: Elie Eid, Aurélien Greuet, Nathan Reboud, Rina Zeitoun
* [Permalink](https://eprint.iacr.org/2025/1308)
* [Download](https://eprint.iacr.org/2025/1308.pdf)
### Abstract
FrodoKEM is a conservative lattice-based KEM based on the Learning With Errors problem. While it was not selected for NIST standardization, it remains a strong candidate for high-security applications and is recommended by several national agencies, including BSI, ANSSI, and the EUCC. Its reliance on CDT-based Gaussian sampling presents a significant challenge for side-channel secure implementations.
While recent work by Gérard and Guerreau [GG25] has shown that masking FrodoKEM is feasible, the Gaussian sampler remains a major bottleneck, accounting for between 34% and 65% of the execution time. In this work, we introduce a new high-order masking gadget for CDT sampling, provably secure in the ISW probing model and significantly more efficient than previous approaches. We instantiate and evaluate our design on a real-world setup to assess its side-channel resistance in the context of FrodoKEM, using a complete first-order masked implementation on Cortex-M3, which reflects the most relevant practical threat model. Compared with [GG25] at first order, the cost of the sampler is reduced by at least 82% and the number of random generations by at least 69%. Higher-order security is also fully supported through a generic C implementation, with some selected gadgets hand-optimized in assembly to improve efficiency.
## 2026/226
* Title: Round-Optimal Identity-Based Blind Signature from Module Lattice Assumptions
* Authors: Arup Mazumder, Mrittika Nandi, Shashank Singh
* [Permalink](https://eprint.iacr.org/2026/226)
* [Download](https://eprint.iacr.org/2026/226.pdf)
### Abstract
This work presents a round-optimal identity-based blind signature scheme based on module lattices. Our construction extends Fischlin's two-round blind signature framework [CRYPTO'06] to the identity-based setting. The construction uses the GPV signature scheme based on Micciancio and Peikert's G-trapdoor techniques and NIZK proofs [CRYPTO'22] in the random oracle model. The scheme is secure under the MLWE and MSIS assumptions. The optimised parameters are also provided targeting $128$-bit security. To the best of our knowledge, this scheme is the first round-optimal identity-based blind signature scheme whose security relies on module lattice problems.
## 2026/275
* Title: PhantomCrypt: Second-Order Deniable Encryption with Post-Quantum Security
* Authors: Shahzad Ahmad, Stefan Rass, Zahra Seyedi
* [Permalink](https://eprint.iacr.org/2026/275)
* [Download](https://eprint.iacr.org/2026/275.pdf)
### Abstract
Traditional deniable encryption focuses on denying the $content$ of secret communications by allowing plausible alternative plaintexts under coercion. However, the recognizable use of deniable encryption may itself defeat its purpose: any revealed plaintext becomes suspicious if the coercer detects that a non-standard encryption tool was used. We introduce $second-order~deniability$: the property that the use of a deniability mechanism is itself deniable. We formalize this notion via game-based security definitions for $content~deniability$ (CD) and $existence~deniability$ (ED), prove that CD and ED are logically independent, and show that their conjunction suffices to achieve second-order deniability. We present PhantomCrypt, a concrete construction composing False-Bottom Encryption (for CD) with Invisible Encryption (for ED) under a hybrid encryption envelope, and prove that this composition preserves both security properties with an explicit security bound. A proof-of-concept implementation demonstrates practical feasibility, achieving encryption of a 32-byte message with three decoys in under 10ms on commodity hardware.
## 2026/297
* Title: CipherSkip: Efficient Sparse Matrix Multiplication with FHE
* Authors: Wujie Xiong, Hao Zhou, Yutong Ye, Ruoming Jin, Lei Xu
* [Permalink](https://eprint.iacr.org/2026/297)
* [Download](https://eprint.iacr.org/2026/297.pdf)
### Abstract
Sparse General Matrix–Matrix Multiplication (SpGEMM) is a fundamental but computationally intensive operation that underpins many scientific workloads, including numerous AI applications. With the increasing demands for data security, privacy-preserving computation techniques, such as Fully Homomorphic Encryption (FHE), have gained significant attention for their ability to process sensitive data without decryption. Nonetheless, executing SpGEMM within the framework of FHE presents significant challenges. The most effective SpGEMM algorithms exploit matrix sparsity to minimize computational costs; however, FHE obscures both the data values and the sparsity structures. Prior FHE-based privacy-preserving computation frameworks either ignore the inherent sparsity of matrices and rely on dense General Matrix–Matrix Multiplication (GEMM), incurring substantial overhead from redundant homomorphic multiplications, or they attempt to exploit sparsity by encrypting only the non-zero values, which inadvertently exposes sensitive positional information.
To address this gap and achieve a better balance between efficiency and privacy, we propose CipherSkip, an efficient FHE-compatible SpGEMM framework that enables oblivious data and position processing under a Single Instruction Multiple Data (SIMD) scheme. Moreover, we extend our method to support an arbitrary number of sparse matrices (FHE-SpGEMCM). The efficiency analysis shows that our method achieves an average homomorphic computation cost of $(n_An_B)^2/n^2N$, where $n_A$ and $n_B$ represent the number of nonzero elements in $A$ and $B$ respectively, $n$ is the shared inner dimension of the multiplication, and $N$ denotes the batch size used in FHE. Experimental results demonstrate that for square matrices of scale $2^9$, our scheme achieves an average speedup of $439.25\times$ and a $10.68\times$ reduction in memory consumption compared to state-of-the-art baselines that ignore sparsity. Furthermore, when the scale increases to $2^{13}$, our method yields up to a $1201.77\times$ speedup over baselines that only exploit the sparsity of a single matrix.
## 2026/301
* Title: Cross-Algorithm Deep Learning-based Non-Profiled Side-Channel Attacks Exploiting Symmetric Leakage
* Authors: Jintong Yu, Yuxuan Wang, Zixin He, Yihan Nie, Yubo Zhao, Zhiliang An, Yipeng Shi, Pei Cao, Chi Zhang, Dawu Gu
* [Permalink](https://eprint.iacr.org/2026/301)
* [Download](https://eprint.iacr.org/2026/301.pdf)
### Abstract
Deep Learning-based Non-profiled Side-Channel Analysis (DL-NSCA) enables automatic feature extraction without a profiling device, but existing approaches mainly target non-linear operations, requiring prior knowledge of the algorithm's unique non-linear structure and computable non-linear intermediate values. These limit applicability in analyzing proprietary or undisclosed implementations and in settings where plaintext/ciphertext are masked by unknown randomness (e.g., tweaks or nonces).
We observe that linear operations are fundamental as common cryptographic primitives appearing at the beginning or end of algorithms in conjunction with the secret key, and are widely used to mask sensitive input/output. Motivated by this observation, we propose a new DL-NSCA perspective that targets the outputs of linear operations, referred to as blind leakage, to enable cross-algorithm attacks. However, the prior distinguisher in DL-NSCA is designed for non-linear operations, and how to effectively analyze blind leakage within this framework remains an open problem. The main limitation of the prior distinguisher lies in its reliance on a simplistic correspondence between deep learning metrics and side-channel information, namely selecting the key guess corresponding to the minimum training loss. This leads to two issues: the effectiveness of the distinguisher varies significantly with the chosen training epoch, and the implicit assumption of a unique correlation maximum adopted by it does not hold for symmetric leakage. To address this, we provide a formal algebraic characterization of the relationship between the structure of the leakage function and the number of correlation maxima for all linear operations. Guided by this theory, we propose a new distinguisher, VS-GBA, an epoch-invariant distinguisher that interprets SCA information from deep learning metrics and approaches the theoretical optimum. It is applicable to both the single-maximum case (asymmetric leakage) and the dual-maximum case (symmetric leakage) through a structure-aware screening criterion. Experiments on a high-noise 32-bit ARM Cortex-M4 device demonstrate that asymmetric leakage analysis fails to recover keys for all three evaluated algorithms at the maximum trace budget ($GE=70$ for masked AES, $GE=27$ for masked PRESENT, $GE=66$ for masked ASCON), whereas VS-GBA targeting symmetric leakage recovers the key with a 100\% success rate in 8,000, 8,500, and 16,000 traces, respectively.
Furthermore, we present the first DL-NSCA attack on XTS-AES (NIST SP 800-38E), extending DL-NSCA to scenarios where plaintext/ciphertext is masked by a secret tweak.
## 2026/349
* Title: Multipath PA-PUFs generate all Boolean functions
* Authors: R Radheshwar, Dibyendu Roy, Pantelimon Stanica
* [Permalink](https://eprint.iacr.org/2026/349)
* [Download](https://eprint.iacr.org/2026/349.pdf)
### Abstract
In this paper, we propose a generalized model of Priority Arbiter-based Physical Unclonable Function (PA-PUF) with an arbitrary number of paths inside each switch. We first develop a mathematical model for this generalized model. Experimentally, we observed that the class of Boolean functions generated from our model of PA-PUF increases proportionally with the number of paths inside each switch, and that motivated us to attempt one of the open challenges proposed by Kansal et al. [DAM 2024]. We first show that the set of Boolean functions generated from an $i$-length PA-PUF with $(i+1)$ paths is a proper superset of the set of Boolean functions generated from an $i$-length PA-PUF with $i$ paths. Based upon that, we show in our main result that we need at least $(n+1)$ paths inside each switch of an $n$-length PA-PUF to generate all the Boolean functions in $n$ variables. Furthermore, we performed significant software and hardware experiments to assess the resilience of our model against machine learning based modeling attacks.
## 2026/754
* Title: BTX: Simple and Efficient Batch Threshold Encryption
* Authors: Amit Agarwal, Sourav Das, Babak Poorebrahim Gilkalaye, Peter Rindal, Victor Shoup
* [Permalink](https://eprint.iacr.org/2026/754)
* [Download](https://eprint.iacr.org/2026/754.pdf)
### Abstract
Batched threshold encryption (BTE) enables a committee of servers to jointly decrypt any chosen subset of ciphertexts from a large pool, while all remaining ciphertexts stay private. BTE is a key building block for encrypted mempools, where transactions are encrypted until block inclusion to mitigate maximal extractable value (MEV). Existing epochless BTE constructions either require user-chosen ciphertext indices that create coordination and censorship concerns or are computationally inefficient.
In this paper, we present BTX, a simple and concretely efficient BTE construction that is both epochless and collision-free: encryption does not require a user-chosen batch index. Our scheme achieves the shortest ciphertext size among all known BTE constructions, matching the size of a standard ElGamal ciphertext. By making the scheme amenable to FFT, we reduce the decryption cost to $O(B\log B)$ group exponentiations and $O(B)$ pairings, where $B$ is the size of the dynamically chosen batch of ciphertexts.
We implement BTX and two baselines in a shared, aggressively optimized C++ codebase over BLS12-381 with AVX-512 vectorization, FFT-based backends where applicable, and additional low-level engineering throughout. At batch size $B = 512$, using a single core, BTX requires approximately $598$ ms total for decryption, compared with $1197$ ms for the FFT-optimized version of the partial-fraction evaluation baseline of Boneh et al., an overall $2.0\times$ improvement.
## 2026/755
* Title: ACTS: Attestations of Contents in TLS Sessions
* Authors: Pierpaolo Della Monica, Ivan Visconti, Andrea Vitaletti, Marco Zecchini
* [Permalink](https://eprint.iacr.org/2026/755)
* [Download](https://eprint.iacr.org/2026/755.pdf)
### Abstract
An essential requirement for the large-scale adoption of Web3 is enabling users to benefit from their data even within already deployed systems. This raises an important open question: how can existing, widely adopted software verify that a user has retrieved specific data from a TLS server?
Impressive scientific results (e.g., DECO [CCS20] and the work of Xie et al. [USENIX24]) and industrial products (TLSNotary) have recently made progress in the above challenging direction. However, while they nicely leave TLS servers untouched, the retrieved data is then used in computations with verifiers that are required to run some advanced non-standardized cryptographic schemes (e.g., ZK-SNARKs), which clearly limit the large-scale adoption of the proposed technologies.
In this paper, building on top of previous approaches and relying on the recent concept of Predicate Blind Signatures of Fuchsbauer and Wolf [Eurocrypt24], we bypass the limits of prior work by presenting ACTS, a distributed architecture that, while still leaving TLS servers untouched, allows a user to show possession of data retrieved from TLS servers while requiring only that the verifier's software can check a standard signature.
Our contributions include a round-optimal predicate blind signature protocol that produces standard RSA-PSS signatures. We show how this primitive can be integrated into the DECO architecture (and its successors) to certify data retrieved from TLS servers. Furthermore, we have optimized our construction to make it practical on commodity hardware for a large and significant class of policies implemented by the notary (i.e., the actor that is in charge of obliviously certifying TLS data, therefore preserving data confidentiality).
We provide an experimental evaluation on the simple but powerful enough use case of a PDF document downloaded from a TLS server and encoded into an AES-GCM ciphertext. The user will then get a certified PDF through a standard PAdES signature added obliviously to the PDF along with some metadata by a notary service. The resulting standard signed PDF document can be transparently verified using off-the-shelf PDF readers. Our experimental validation demonstrates that our architecture is suitable for real-world deployment in concrete scenarios.
## 2026/756
* Title: Integral Attack on Reduced-Round Kalyna
* Authors: Nitish Kumar, Ranit Dutta, Bimal Mandal
* [Permalink](https://eprint.iacr.org/2026/756)
* [Download](https://eprint.iacr.org/2026/756.pdf)
### Abstract
We study integral cryptanalysis of the Ukrainian block cipher Kalyna and focus on constructing reduced-round distinguishers and key-recovery attacks with low data, time, and memory complexities. Although Kalyna has an SPN-type round structure, its pre-whitening and post-whitening layers use column-wise addition modulo $2^{64}$, which makes the propagation of integral properties more delicate than in XOR-only designs. By combining carefully chosen input multisets with backward extension through inverse round transformations, we obtain integral distinguishers for Kalyna-128, Kalyna-256, and Kalyna-512 in the standard setting, under weak-key assumptions, and in variants without pre-whitening. These distinguishers require as few as $2^8$ or $2^{16}$ chosen texts, substantially improving the data complexity of previously reported public integral results on Kalyna. We further extend them to key-recovery attacks on reduced-round Kalyna by partial decryption and balancedness tests on suitable intermediate states. For example, we obtain a $5$-round key-recovery attack on Kalyna-128/128 with data complexity $2^9$ chosen plaintexts, time complexity $2^{74}$ encryptions, and negligible memory. To the best of our knowledge, this is the first work to provide integral cryptanalysis of Kalyna-256/256 and Kalyna-512/512. Overall, our results give a unified integral analysis of Kalyna across its standard block sizes and clarify the effect of modular whitening on reduced-round distinguishers and key-recovery attacks.
## 2026/757
* Title: Integral Distinguishers and a 4-Round Key-Recovery Attack on Kuznyechik Without Initial Key Whitening
* Authors: Nitish Kumar, Ranit Dutta, Bimal Mandal
* [Permalink](https://eprint.iacr.org/2026/757)
* [Download](https://eprint.iacr.org/2026/757.pdf)
### Abstract
Kuznyechik is a 128-bit block cipher standardized in GOST R 34.12-2015. In this paper we study Kuznyechik from the viewpoint of integral cryptanalysis, i.e., we track how structured multisets of chosen plaintexts propagate through the round functions. Starting from a first-order structure of $2^8$ plaintexts (one byte takes all $256$ values while the remaining bytes are fixed), we obtain a 2-round distinguisher: after two rounds, every byte position is balanced, meaning that the XOR-sum over the $256$ texts equals zero. Next, in the setting without initial key-whitening, we extend this distinguisher to three rounds by applying one inverse round to the original structure to construct a new input set. Finally, we turn the 3-round balanced property into a 4-round key-recovery attack by partially inverting the last round and filtering last-round key-byte guesses using the balanced test; multiple independent structures remove false candidates.
## 2026/758
* Title: Incentivizing Geographic Diversity for Decentralized Systems
* Authors: Marc Roeschlin, Evangelos Markakis, Raghav Bhaskar, Aggelos Kiayias
* [Permalink](https://eprint.iacr.org/2026/758)
* [Download](https://eprint.iacr.org/2026/758.pdf)
### Abstract
Permissionless decentralized networks, such as blockchains, are typified by self-determined participation. Unfortunately, this has resulted in a lack of geographic diversity in several blockchains, due to benefits emanating from network proximity between nodes and the higher availability of computing infrastructure in certain areas. Lack of diversity in the resulting network can make it susceptible to geopolitical events, blockchain- or cryptocurrency-adverse law-making, and natural disasters. While there exists a growing body of work in verifiable localization in distributed systems, very little exists on mechanisms promoting geographic diversity in distributed systems. Our work sets out to initiate the study of the incentivization of geographic diversity in permissionless distributed systems. We design a family of mechanisms that incentivize network nodes to truthfully declare and diversify their locations. In particular, we provide a game theoretic analysis to derive the conditions under which truthful location reporting is an equilibrium. The conditions relate the offered rewards (for geo-diversity) and the success probability of the underlying localization protocol to detect falsely claimed locations. Our proposed mechanisms assume an underlying secure node localization protocol based solely on round-trip time (RTT) measurements from participants of the protocol. We initiate a formal model to reason about such localization protocols and identify network topologies that are ideal for resisting location spoofing attempts. We evaluate the effectiveness of our incentive mechanisms in different scenarios of node placement and underlying network structure. Our validation is based on two RTT data sets we use to derive maximal spoofing distance and attack success rates that adversarial nodes can achieve when operating alone or in collusion with other nodes.
## 2026/759
* Title: A Scalable Fault Countermeasure for SLH-DSA: Trade-offs Between Memory, Performance, and Fault Resilience
* Authors: Melissa Azouaoui, Tobias Schneider, Denise Verbakel
* [Permalink](https://eprint.iacr.org/2026/759)
* [Download](https://eprint.iacr.org/2026/759.pdf)
### Abstract
We introduce compressed caching, a scalable and parameterizable countermeasure against grafting tree fault attacks on SLH-DSA. Unlike standard caching, which entails fully caching the WOTS+ signatures and public keys, compressed caching achieves significant memory savings while maintaining strong fault detection capabilities. It can be tuned to achieve a trade-off between caching memory size, fault resilience, and performance, making it well-suited for deployment across devices with varying resource and security constraints. We provide a security and performance analysis of compressed caching and show that it can be configured to achieve high fault detection probability and outperform standard caching, mainly in terms of memory but also in terms of performance. Additionally, we explore granular variants of both standard and compressed caching and study on a finer scale the memory-performance trade-off of both standard and compressed caching. Our results demonstrate that compressed caching is especially advantageous for constrained devices, outperforming standard caching when less than approximately 256 kB of caching memory is available.
## 2026/760
* Title: A Simple Batched Threshold Encryption Scheme
* Authors: Guru-Vamsi Policharla
* [Permalink](https://eprint.iacr.org/2026/760)
* [Download](https://eprint.iacr.org/2026/760.pdf)
### Abstract
In this note, we construct a simple batched threshold encryption scheme that satisfies censorship resistance, does not suffer from epoch restrictions, and has quasi-linear decryption complexity $O(B\log{B})$ in the batch size $B$. Our scheme has a CPA secure ciphertext size of $|\mathbb{G}_1| + |\mathbb{G}_T|$, and a CCA secure ciphertext size of $|\mathbb{G}_1| + 2|\mathbb{F}| + |\mathbb{G}_T|$. Our construction requires an interactive setup phase (involving secure multiplications) and has secret keys that grow linearly with the batch size.
## 2026/761
* Title: Improved Garbled RAM via Garbled Merge
* Authors: Can Liu, Lenny Liu, Ning Luo, David Heath
* [Permalink](https://eprint.iacr.org/2026/761)
* [Download](https://eprint.iacr.org/2026/761.pdf)
### Abstract
Consider the problem of merging inside a garbled circuit (GC) two arrays of $w$-bit elements, yielding a single length-$n$ array. This garbled merge problem is core to garbled random access memory (GRAM), a technique that enables efficient garbling of general-purpose programs. We present a novel symmetric-key-based garbled merge that achieves a garbling size of $(w + 1) \cdot n \cdot \lambda$ bits, providing both asymptotic and concrete improvements over the state of the art. By applying our garbled merge, we obtain a symmetric-key GRAM of size $O(n \lg^3 n \cdot \lambda) \cdot \omega(1)$ for a word RAM program that manipulates words of size $\Theta(\lg n)$ bits and halts within $n$ steps, improving over the previous best result (Heath et al., CRYPTO'23) by an $O(\lg \lg n)$ factor. This communication cost was previously only achieved under the public-key-style DDH assumption (Gu et al., CRYPTO'25). We implement our construction, and our evaluation shows that our garbled merge reduces the communication cost over the DDH-based merge by about $3\times$.
## 2026/762
* Title: The Sum-Check Protocol over the Monomial Basis, and Other Optimizations
* Authors: Quang Dao, Ari Biswas, Liam Eagen, Andrew Milson, Shahar Papini, Justin Thaler
* [Permalink](https://eprint.iacr.org/2026/762)
* [Download](https://eprint.iacr.org/2026/762.pdf)
### Abstract
The sum-check protocol underpins SNARKs with the fastest known provers. For an $n$-variate polynomial $g$ defined over a finite field $\mathbb{F}$, the protocol enables an untrusted prover to convince a verifier of the sum of all evaluations of $g$ over a product set $H^n$ with $H \subset \mathbb{F}$. The standard choice for $H^n$ is the Boolean hypercube $\{0,1\}^n$, which serves as a natural interpolating set for multilinear polynomials.
We propose a projective variant of the sum-check protocol, obtained by changing the interpolating set from $\{0,1\}^n$ to the infinity hypercube $\{0,\infty\}^n$. Under a suitable notion of evaluation at $\infty$, evaluating a multilinear polynomial at a point in $\{0,\infty\}^n$ directly extracts its corresponding monomial coefficient.
This projective viewpoint is a near-drop-in replacement for applications of sum-check, requiring only local changes to polynomial representations, round identities, and evaluation formulas. It yields a ${\approx}\,10\%$ end-to-end speedup for the sum-check prover on BN254 and on a pseudo-Mersenne 128-bit prime field, against a fair baseline. It eliminates all field subtractions when binding a multilinear polynomial, and for structured polynomials such as equality and less-than, the projective interpolants admit evaluation procedures with fewer field operations. Moreover, the monomial-coefficient form aligns naturally with polynomial commitment schemes like WHIR, removing a basis mismatch that these schemes otherwise need to work around.
Finally, we describe an optimization for sum-check over $\approx 256$-bit prime fields. When targeting $\approx 128$ bits of security, it suffices to sample challenges from a subset of size $\approx 2^{128}$. We show that a suitable choice of this subset, interpreted as upper-limb values in Montgomery form, yields a $1.92\times$ speedup for field multiplication. Combined with the projective binding formula, this gives a $1.82\times$ speedup for sum-check binding (a key component of fast sum-check proving).
## 2026/763
* Title: LEAH: Lightweight and Efficient Hardware Accelerator for Code-based PQC Scheme HQC
* Authors: Yazheng Tu, Jiafeng Xie
* [Permalink](https://eprint.iacr.org/2026/763)
* [Download](https://eprint.iacr.org/2026/763.pdf)
### Abstract
The advent of quantum computing poses a significant threat to modern cryptography. To address this challenge, the National Institute of Standards and Technology (NIST) has initiated the Post-Quantum Cryptography (PQC) standardization process, with several algorithms being selected for standardization, including the recent code-based scheme HQC (Hamming Quasi-Cyclic). Meanwhile, a good number of research works in the field have switched to efficient hardware acceleration for PQC schemes. Following this trend, in this paper, we present a novel PQC hardware acceleration work, i.e., a Lightweight and Efficient hardware Accelerator for HQC (LEAH). Our design consists of three innovative hardware architectures for Key Generation, Encapsulation, and Decapsulation of HQC, respectively, while supporting all security levels. In total, we have proposed three layers of contributions, including: (i) dedicated design processes to obtain highly optimized major components for HQC, i.e., sparse polynomial multiplier, sampler, encoder, and decoder; (ii) a novel data flow arrangement to design the three operational phases of HQC that supports all parameter sets; (iii) a detailed comparison based on Field-Programmable Gate Array (FPGA) implementation to showcase the significant efficiency of the proposed design over the competing ones, e.g., the Decapsulation architecture has at least 13.66\% (at most 49.87\%) less Equivalent Area-Delay Product (EADP) than the existing ones. We hope this outcome can facilitate the deployment of HQC in various applications and impact the ongoing NIST PQC standardization.
## 2026/764
* Title: CEDAR: A Compact and Efficient Decoder Architecture for RS-RM Code in HQC
* Authors: Yazheng Tu, Tianyou Bao, Jiafeng Xie
* [Permalink](https://eprint.iacr.org/2026/764)
* [Download](https://eprint.iacr.org/2026/764.pdf)
### Abstract
The rapid development of quantum computing has driven a new wave of cryptographic innovation: Post-Quantum Cryptography (PQC), a class of algorithms that resist quantum attacks. In particular, the National Institute of Standards and Technology (NIST) has initiated the PQC standardization process, selecting five algorithms. Notably, HQC (the newest selection) is a code-based PQC scheme that has not been widely studied in the literature, especially with respect to its hardware acceleration. This paper follows the current trend to design CEDAR, a Compact and Efficient Decoder Architecture for Reed-Solomon Reed-Muller (RS-RM) code in HQC. We have proposed three layers of contributions in total: (i) an optimized RM decoder is designed; (ii) an efficient low-complexity RS decoder is also presented; (iii) a complete HQC decoder is implemented, along with a comprehensive evaluation (it is shown that CEDAR outperforms the existing approach). We hope this outcome will facilitate a more efficient hardware acceleration of HQC and impact the ongoing NIST PQC standardization process.
## 2026/765
* Title: MBU: Scalable and Constant-Round Evaluation of Non-linear Functions in Standard MPC Setting
* Authors: Min Yang, Dongcan Guo, Zihang Zhou, Jinxuan Du, Qingshu Meng
* [Permalink](https://eprint.iacr.org/2026/765)
* [Download](https://eprint.iacr.org/2026/765.pdf)
### Abstract
After more than four decades of research, multi-party computation (MPC) has achieved remarkable success in handling 2-variable multiplication and comparison-based functions (e.g., ReLU) with practical efficiency. However, for general non-linear functions, such as multiplication of many variables, power, exponential, trigonometric functions, sigmoid, softmax, and GeLU, no native MPC algorithm exists that is constant-round, scalable and exact in the way Beaver-based multiplication is. Existing solutions rely on either polynomial approximations (trading precision for efficiency), iterative multi-round protocols like Multiplication-to-Addition (M2A) conversion (requiring \(\log_2 k\) rounds for \(k\) parties), or Function Secret Sharing (FSS) with lookup tables (introducing quantization errors and large storage, mainly limited to 2-4 parties). These approaches suffer from fundamental trade-offs among accuracy, communication rounds, and scalability.
In this work, we propose a unified \emph{mask-broadcast-unmask} design pattern that enables constant-round, scalable and \emph{approximation-free} evaluation of a wide range of non-linear functions. Our contributions include:
\begin{itemize}
\item A \textbf{general multiplication} protocol for \(k\) variables in \emph{one round} with optimal \(O(kn)\) communication. When \(k=2\), it reduces to the classic Beaver triple multiplication; when each secret has only one non-zero share and \(k=2\), it becomes the well-known M2A protocol.
\item \textbf{Power functions} (\(x^k\)) in one round.
\item \textbf{Trigonometric functions} (\(\sin x, \cos x\)) and \textbf{exponential functions} (\(a^x\)) in 4 rounds.
\item \textbf{Sigmoid, softmax} in 6 rounds.
\end{itemize}
All these protocols are provably secure in the semi-honest model, support an arbitrary number of parties, introduce \textbf{no approximation error} beyond plaintext floating-point rounding, and require only a constant number of communication rounds (1–6) independent of function complexity. Furthermore, by restricting the random mask to a suitable range (e.g., $0 \le r <2^l-2^{l_x}$), we can reduce the rounds from 1-6 to 1-3. This work fills the long-standing gap for general non-linear functions in standard MPC settings, making privacy-preserving machine learning more practical for modern DNNs.
## 2026/766
* Title: Dynamic Group Time-based One-time Passwords
* Authors: Xuelian Cao, Zheng Yang, Jianting Ning, Chenglu Jin, Zhiming Liu, Jianying Zhou
* [Permalink](https://eprint.iacr.org/2026/766)
* [Download](https://eprint.iacr.org/2026/766.pdf)
### Abstract
Group time-based one-time passwords (GTOTP) is a novel lightweight cryptographic primitive for achieving anonymous client authentication, which enables the efficient generation of time-based one-time passwords on behalf of a group without revealing any information about the actual client's identity beyond their group membership. The security properties of GTOTP regarding anonymity and traceability have been formulated in a static group management setting (where all group members should be determined during the group initialization phase), yet, a formal treatment for real-world dynamic groups (i.e., group members may join and leave at any time) is still an open question. It is non-trivial to construct an efficient GTOTP scheme that can provide a lightweight password generation procedure run by group members and support dynamic group management, allowing group members to join and leave without affecting other members' states (non-disruptively).
To address the above challenge, we first define the notion and the security model of dynamic group time-based one-time passwords (DGTOTP) in this work. We then present an efficient DGTOTP construction that can generically transform an asymmetric time-based one-time passwords scheme into a DGTOTP scheme utilizing a chameleon hash function family and a Merkle tree scheme. Within our construction, we particularly tailor an outsourcing solution realizing an issue-first-and-join-later (IFJL) strategy, enabling smooth joining and revocation without disrupting other group members. Moreover, our scheme minimizes symmetric cryptographic operations and maintains constant storage for group members, compared to the linear storage cost that grows rapidly with respect to the lifetime of the GTOTP instance in the previous static GTOTP scheme. Our DGTOTP scheme satisfies stronger security guarantees in a dynamic group management setting without random oracles. Our experimental results confirm the efficiency of our DGTOTP scheme.
## 2026/767
* Title: Cryptanalysis of the Sharafi–Daghigh digital signature scheme
* Authors: Nour-eddine Rahmani, Taoufik Serraj, Abdelmalek Azizi
* [Permalink](https://eprint.iacr.org/2026/767)
* [Download](https://eprint.iacr.org/2026/767.pdf)
### Abstract
This paper is devoted to the study of the Ring-LWE-based digital signature scheme proposed by Sharafi and Daghigh, and especially to the cryptanalysis of this scheme. Sharafi and Daghigh's scheme is inspired by the Lindner–Peikert encryption paradigm and adopts a hash-and-sign approach via the Fiat–Shamir transformation. The security claims rely on the assumed hardness of the Ring-LWE and Ring-SIS problems, whose definitions and properties have been well studied in the last two decades. We demonstrate that this scheme is not secure and generalise our analysis to the analogous scheme in the plain-LWE setting.
## 2026/768
* Title: Towards More Efficient Registration-Based Encryption from LWE
* Authors: Toi Tomita
* [Permalink](https://eprint.iacr.org/2026/768)
* [Download](https://eprint.iacr.org/2026/768.pdf)
### Abstract
Registration-based encryption (RBE) effectively addresses the key escrow problem in identity-based encryption. However, existing post-quantum RBE schemes suffer from prohibitive ciphertext sizes in the gigabyte range for systems with $2^{10}$ registered users. This poor scalability is a major obstacle to the large-scale implementation of RBE in society. In this work, we propose a framework for constructing efficient RBE schemes that can be instantiated from the learning with errors (LWE) assumption. Specifically, the ciphertext size remains around 221 MB even as the number of registered users increases. The core techniques involve introducing decomposable laconic encryption and integrating it with a refined snapshotting trick. Our work represents an important milestone towards achieving practical post-quantum RBEs.
## 2026/769
* Title: High-Order Masking for MQOM v2.1 Signing
* Authors: Yi-Lin Hung, Jiun-Peng Chen, Ho-Lin Chen, Bo-Yin Yang
* [Permalink](https://eprint.iacr.org/2026/769)
* [Download](https://eprint.iacr.org/2026/769.pdf)
### Abstract
This paper presents the first high-order fully-shared masking construction for MQOM v2.1, a candidate in NIST's additional digital signature standardization process. We provide a baseline high-order masked signing design for MQOM v2.1, prove its security in the standard probing leakage model, and validate the implementation through a comprehensive TVLA campaign. To mitigate the online-time bottleneck in masked signing, we further introduce an optional Rijndael LUT-based acceleration mode that decouples offline precomputation from online signing. Although this accelerated mode incurs higher offline time and memory costs, it can run during idle periods and significantly reduce online signing latency. We implement and benchmark all 36 MQOM v2.1 signing variants over GF(2), GF(16), and GF(256), and report comprehensive performance and leakage-evaluation results for both the baseline and accelerated designs.
## 2026/770
* Title: Cryptanalysis of Hecke-KE: A Linear-Algebra Attack via Hecke Eigenbasis Decomposition
* Authors: Xiyao Chen
* [Permalink](https://eprint.iacr.org/2026/770)
* [Download](https://eprint.iacr.org/2026/770.pdf)
### Abstract
We give a passive attack on the Hecke-KE key-exchange scheme. The scheme proposes using products of Hecke operators on $S_k(\Gamma_0(N))$ as a one-way function. We show that the Hecke algebra acting on any fixed $S_k(\Gamma_0(N))$ is simultaneously diagonalizable over an explicit number field computable from the public parameters alone, and that this diagonalization reduces shared-key recovery to $d$ scalar divisions over that number field, where $d=\dim S_k(\Gamma_0(N))$. Our main theorem shows that enlarging $d$ does not rescue the scheme. The precomputation is a one-time public computation (eigenbasis of $S_k(\Gamma_0(N))$, costing $\widetilde{O}(B\cdot d^3)$ rational operations, where $B=O(N)$ is the Sturm bound); the per-session attack cost is then $O(d^2)$ field operations, entirely independent of the pool size $r$ and the number of Hecke factors $s$. We verify the attack in SageMath 10.7 against all parameter sets from the paper; in every case the recovered key satisfies $K'=K$. Furthermore, we prove that the attack runs in time polynomial in $d=\dim S_k(\Gamma_0(N))$ for every level $N$ (prime or composite) and every weight $k$, while the honest protocol's public-key size is $\Omega(d)$ rationals. Consequently there is no choice of $(N,k)$ for which Hecke-KE is secure and implementable: the scheme is unfixable within its design framework.
## 2026/771
* Title: Vector-Input Hashing Modes for Collision-Resistant Pseudorandom Function
* Authors: Shoichi Hirose, Tetsu Iwata, Hidenori Kuwakado
* [Permalink](https://eprint.iacr.org/2026/771)
* [Download](https://eprint.iacr.org/2026/771.pdf)
### Abstract
This paper presents vector-input keyed hashing modes that construct collision-resistant pseudorandom functions (CR PRFs) using a keyed hash function, where a vector refers to a sequence of variable-length strings. The proposed vector-input keyed hashing modes, VIM1 and VIM2, originate from the intuition that a string-input keyed hashing mode using a compression function results in a vector-input keyed hashing mode by replacing the compression function with a hash function.
Combined with the recently proposed string-input keyed hashing modes KHC1 or KHC2, VIM1 and VIM2 are shown to yield CR PRFs from a compression function satisfying extended collision resistance and being a secure PRF under related-key attacks. Extended collision resistance means that it is intractable to find a distinct input pair whose output difference falls within a small set. This paper also introduces a keyed hashing mode, PVIM, which allows parallel processing of strings in a vector. However, it requires more calls to the underlying keyed hash function than VIM1 and VIM2 do. To the best of our knowledge, this is the first proposal of dedicated vector-input CR PRFs.
## 2026/772
* Title: Lattice-based Ring Verifiable Random Functions
* Authors: Jie Xu, Muhammed F. Esgin, Ron Steinfeld
* [Permalink](https://eprint.iacr.org/2026/772)
* [Download](https://eprint.iacr.org/2026/772.pdf)
### Abstract
Verifiable Random Functions (VRFs) provide publicly verifiable pseudorandomness uniquely determined by a secret key and an input. While widely used in decentralized protocols, standard VRF verification reveals the signer's identity, exposing them to targeted adversarial disruption once their eligibility is known.
We study Ring VRFs (RVRFs), which allow a member of a public key set (a ring) to publish a VRF value along with a proof of correct generation while hiding the signer's index within the set. We formalize an algorithmic RVRF interface that binds the ring into the evaluated input to prevent cross-ring reuse and ring grinding (i.e., the malicious selection of a specific ring configuration to manipulate the pseudorandom outcome). Diverging from existing UC-based treatments, we propose a comprehensive suite of game-based security notions tailored to verifiable randomness under anonymity: correctness, anonymity, pseudorandomness, and a novel corruption-aware uniqueness notion called $T$-uniqueness. Our main technical result is a modular compiler that transforms any provable VRF into an RVRF by proving a one-out-of-many statement for the induced ring relation. We instantiate the OR layer via an optimized Fiat--Shamir OR (FS-OR) composition in the random oracle model, where the prover utilizes prover-side simulation for all non-witness branches and completes the witness branch only after a global consistency constraint is fixed. Focusing on post-quantum resilience, we provide concrete instantiations of our RVRF framework based on two state-of-the-art lattice VRFs: the long-term lattice VRF $\mathsf{LaV}$ by Esgin et al. (Crypto'23) and the few-time lattice VRF $\mathsf{LB}\text{-}\mathsf{VRF}$ by Esgin et al. (FC'19). We provide a detailed analysis of concrete parameters across various ring sizes for both constructions and perform a comprehensive side-by-side comparison of their communication costs and security trade-offs. Our instantiations are modular, with their security reducing cleanly to (i) the base VRF's correctness, pseudorandomness, and per-key uniqueness, and (ii) standard FS-OR properties (simulatability and extractability).
## 2026/773
* Title: Practical Attacks on Session Messenger and Oxen Blockchain
* Authors: Tingfeng Yu, Thomas Haines
* [Permalink](https://eprint.iacr.org/2026/773)
* [Download](https://eprint.iacr.org/2026/773.pdf)
### Abstract
Session is a decentralised secure (anonymous) messenger that combines onion routing with the Oxen Proof-of-Stake blockchain to provide metadata-private communication. Our study presents the first comprehensive analysis of Session's messaging protocol and its integration with the Oxen blockchain. In analysing Session and the underlying Oxen blockchain, we uncovered seven vulnerabilities.
Most notably we discovered flaws in the Oxen consensus protocol which could allow network takeover in a realistic setting, thereby undermining the integrity guarantees on which Session's anonymity layer depends. We also discovered serious vulnerabilities in Version 1 of Session's group chat protocol. We conducted extensive simulations to analyse the impact of these vulnerabilities and provide recommendations to reinforce both the Oxen protocol and the Session client to mitigate these attacks.
## 2026/774
* Title: Provably Secure Hybrid Inner Product and Boolean Masking via Composable Conversion
* Authors: Jaeseung Han, Dong-Guk Han
* [Permalink](https://eprint.iacr.org/2026/774)
* [Download](https://eprint.iacr.org/2026/774.pdf)
### Abstract
Masking is a representative side-channel countermeasure that provides provable security. Among masking schemes, Boolean masking (BM) is widely adopted due to its simple sharing structure, while inner product masking (IPM) and code-based masking (CM) have been studied as alternatives that achieve a higher security order with the same number of shares, a property known as security order amplification in the bit-probing model. Recent work by Gaspoz and Dhooghe (TCHES 2025) proposed an IPM multiplication gadget and CM gadgets with provable bit-level security; however, the overhead of CM gadgets for linear operations, the overhead of IPM multiplication, and the lack of a complete provably secure implementation exploiting IPM security order amplification remain open challenges.
In this paper, we address all three challenges. First, we propose BM-to-IPM and IPM-to-BM conversion gadgets satisfying bit $t$-MIMO-SNI in the bit-probing model, enabling composable and provably secure interoperation between the two masking domains. Second, we optimize the TCHES 2025 IPM multiplication gadget via Row Packing and Reduction in Rows, reducing the fresh random bit requirement from $\frac{1}{2}t(n^2-1)k^2(k+1)$ to $tk(n-1)(kn+W)$ bits with a proportional reduction in XOR gates, while maintaining bit $t$-SNI security. Third, we present a hybrid IPM-BM framework in which multiplications are performed in IPM with fewer shares and all Boolean linear operations are handled share-wise in BM at no additional randomness cost, and show that this hybrid approach requires significantly fewer gates and random bits than a pure CM approach. As a concrete instantiation, we implement a second-order masked AES-128 with a 2-share IPM / 3-share BM hybrid architecture, prove that the implementation satisfies bit 2-PINI, and evaluate its practical side-channel security via first- and second-order TVLA on an ARM Cortex-M4 with up to one million traces. To the best of our knowledge, this is the first end-to-end cryptographic implementation that provably preserves IPM's security order amplification in the bit-probing model.
## 2026/775
* Title: Differential and Linear Cryptanalysis of Modular Addition
* Authors: Halil İbrahim Kaplan, Ali Doğan, Gökçe Yetişer
* [Permalink](https://eprint.iacr.org/2026/775)
* [Download](https://eprint.iacr.org/2026/775.pdf)
### Abstract
This paper presents a comprehensive analysis of modular addition from a cryptanalytic perspective, focusing on both linear and differential cryptanalysis techniques. We examine the probability distribution of carry bits in modular addition operations and demonstrate how these probabilities affect linear approximations. The paper provides detailed algorithms for constructing Linear Approximation Tables (LAT) and Difference Distribution Tables (DDT) for modular addition operations, along with theoretical proofs and practical examples. Our analysis reveals that the probability of carry bits approaches 1/2 as the bit position increases, which significantly impacts the effectiveness of linear cryptanalysis. Furthermore, we demonstrate how to extend DDTs for larger bit sizes by leveraging smaller tables and carry bit relationships. The findings have direct implications for the cryptanalysis of ARX ciphers.
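As an added illustration of the quantities this abstract talks about (this is not code from the paper), the following Python computes the exact carry-bit probabilities for uniformly random operands, builds the XOR difference distribution table (DDT) of n-bit modular addition by exhaustive enumeration, and cross-checks the table against the standard Lipmaa–Moriai closed form (FSE 2001); function names are mine, and the exhaustive table is only meant for small n.

```python
from fractions import Fraction


def carry_probabilities(n):
    """Exact Pr[c_i = 1] for the carry c_i into bit i (i = 0..n) when two
    uniformly random n-bit operands are added. Since c_{i+1} = MAJ(x_i, y_i, c_i),
    p_{i+1} = 1/4 + p_i / 2 with p_0 = 0, i.e. p_i = (1 - 2^-i) / 2, which
    tends to 1/2 as the bit position grows."""
    probs = [Fraction(0)]
    for _ in range(n):
        probs.append(Fraction(1, 4) + probs[-1] / 2)
    return probs


def carry_probabilities_exhaustive(n):
    """Same probabilities by enumerating all 2^(2n) operand pairs (cross-check)."""
    counts = [0] * (n + 1)
    for x in range(1 << n):
        for y in range(1 << n):
            carry = 0
            for i in range(n):
                counts[i] += carry                       # carry *into* bit i
                xi, yi = (x >> i) & 1, (y >> i) & 1
                carry = (xi & yi) | (xi & carry) | (yi & carry)
            counts[n] += carry                           # carry out of the MSB
    return [Fraction(c, 1 << (2 * n)) for c in counts]


def xdp_add_ddt(n):
    """XOR difference distribution table of n-bit modular addition:
    ddt[(alpha, beta)][gamma] counts the pairs (x, y) with
    ((x ^ alpha) + (y ^ beta)) ^ (x + y) == gamma  (mod 2^n).
    Exhaustive, 2^(4n) additions, so only sensible for small n."""
    size, mask = 1 << n, (1 << n) - 1
    ddt = {}
    for alpha in range(size):
        for beta in range(size):
            row = [0] * size
            for x in range(size):
                for y in range(size):
                    gamma = (((x ^ alpha) + (y ^ beta)) ^ (x + y)) & mask
                    row[gamma] += 1
            ddt[(alpha, beta)] = row
    return ddt


def xdp_add(ddt, alpha, beta, gamma, n):
    """Differential probability xdp+(alpha, beta -> gamma) read from the table."""
    return Fraction(ddt[(alpha, beta)][gamma], 1 << (2 * n))


def xdp_add_closed_form(alpha, beta, gamma, n):
    """Lipmaa-Moriai (FSE 2001) closed form for xdp+.  eq(a, b, c) marks the
    bit positions where all three differences agree.  The differential is
    possible iff alpha ^ beta ^ gamma ^ (beta << 1) is zero at every position
    where the left-shifted differences agree; its probability is then 2^-w,
    where w counts the positions below the MSB at which alpha, beta, gamma do
    not all agree (the MSB carry is discarded by the modular reduction)."""
    mask = (1 << n) - 1

    def eq(a, b, c):
        return (~(a ^ b) & ~(a ^ c)) & mask

    shifted = eq((alpha << 1) & mask, (beta << 1) & mask, (gamma << 1) & mask)
    if shifted & (alpha ^ beta ^ gamma ^ (beta << 1)) & mask:
        return Fraction(0)
    weight = bin(~eq(alpha, beta, gamma) & (mask >> 1)).count("1")
    return Fraction(1, 1 << weight)


def verify_closed_form(n):
    """True iff the closed form agrees with the exhaustive table for every
    (alpha, beta, gamma) on n bits."""
    ddt = xdp_add_ddt(n)
    size = 1 << n
    return all(
        xdp_add(ddt, a, b, g, n) == xdp_add_closed_form(a, b, g, n)
        for a in range(size) for b in range(size) for g in range(size)
    )


if __name__ == "__main__":
    for i, p in enumerate(carry_probabilities(8)):
        print(f"Pr[carry into bit {i}] = {p}")
    print("closed form matches exhaustive 4-bit DDT:", verify_closed_form(4))
```

Running the module prints the carry probabilities 0, 1/4, 3/8, 7/16, ... converging to 1/2, and confirms the 4-bit DDT against the closed form.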
## 2026/776
* Title: SCOUT-CT: Sound Constant-Time Outcome with Uncertainty Tracking using multi-taint analysis
* Authors: Damien Maier, Jean-François Pasche, Maxim Golay, Alexandre Duc
* [Permalink](https://eprint.iacr.org/2026/776)
* [Download](https://eprint.iacr.org/2026/776.pdf)
### Abstract
Side-channel attacks are an important class of security exploits, in which an attacker gains access to confidential data by observing information inadvertently leaked by a system.
Writing constant-time code is a common defense against time-based and microarchitectural side-channel attacks.
Many approaches have been proposed to automatically verify that a program is constant-time.
Sound methods can detect all information leaks but, to efficiently analyze large programs, most of them rely on overapproximation which can yield false alarms (i.e., reports of non-existent information leaks).
Each finding produced by such analyses therefore requires manual inspection. Additionally, most existing approaches do not perform binary-level analysis and thus miss vulnerabilities introduced by compilation.
In this paper, we present a novel sound analysis for detecting information leaks under the constant-time threat model.
Compared with existing work, our technique improves taint analysis by systematically tracking precision loss to determine whether a detected information leak could be caused by overapproximation.
Findings for which no precision loss is detected are reported as confirmed; as long as they do not arise from dead code, confirmed findings are guaranteed to be true and thus do not require significant manual inspection.
Only findings with detected precision loss need classical human verification. Our analysis operates directly on binary executables.
We instantiate our technique within the abstract interpretation framework and provide a proof of correctness.
We implemented our approach in a prototype tool, SCOUT-CT, and evaluated it on a benchmark of constant-time and non-constant-time programs, including real-world cryptographic implementations.
Our results show that SCOUT-CT is effective: our tool detected all 98 timing leaks in the benchmark and automatically classified 97 as confirmed findings that do not require significant manual inspection.
## 2026/777
* Title: How Strong is the FO-Calypse, Really? Instantiating Plaintext-Checking Oracles against Masked Software Implementations of ML-KEM
* Authors: Brieuc Balon, Gaëtan Cassiers, Thibaud Schoenauen, François-Xavier Standaert
* [Permalink](https://eprint.iacr.org/2026/777)
* [Download](https://eprint.iacr.org/2026/777.pdf)
### Abstract
Side-channel attacks exploiting Plaintext-Checking Oracles (PCOs), instantiated thanks to the leakage of the re-encryption step taking place during decapsulation, are a well-known weakness of ML-KEM. An already wide literature has investigated how to efficiently exploit such oracles, leading to easy (full) key recoveries. Somewhat surprisingly, how to best instantiate PCOs against ML-KEM's most leaking operations has received less attention, in particular when it comes to quantitative evaluations against concrete masked implementations. In this paper, we first remedy this lack by systematically instantiating PCOs against three open-source masked software implementations of the Keccak function used in ML-KEM, based on different masking techniques and programming styles. We evaluate the accuracy of PCOs for an increasing number of shares using state-of-the-art profiled attacks against ARM Cortex-M4 implementations, and succeed in obtaining high accuracy for up to 7 shares by leveraging the leakage of approximately 50 ML-KEM executions only. Doing so, we confirm the "computing more implies leaking more" adage and conclude that enforcing high security levels on such platforms will not be affordable. Next, we consolidate recent solutions for exploiting PCOs. For this purpose, we start by introducing a simple, concrete and re-usable model for PCOs targeting masked implementations of Keccak. We follow by clarifying that approaches based on hard decisions are suboptimal compared to soft (probabilistic) ones. We finally open a study of how to best exploit the adversary's computational power in a security evaluation. We show that (even naive) lattice-based attacks are a promising approach for this purpose, leaving the design of a generic estimator that could efficiently leverage physical (side-channel) information as an interesting research direction.
## 2026/778
* Title: Cobra: All-in-one for full-fledged defense – a hybrid nested KEM
* Authors: Basker Palaniswamy, Paolo Palmieri, Ashok Kumar Das, Chun-I Fan
* [Permalink](https://eprint.iacr.org/2026/778)
* [Download](https://eprint.iacr.org/2026/778.pdf)
### Abstract
The transition to post-quantum cryptography (PQC) is constrained by the limited cryptanalytic history of individual PQC algorithms. Hybrid constructions, which combine several primitives so that breaking the hybrid requires breaking each component, address this concern directly. This paper presents Cobra, a hybrid Key Encapsulation Mechanism (KEM) that integrates FrodoKEM (unstructured LWE), ML-KEM (FIPS 203 module-LWE), HQC (code-based), and a Dummy KEM for agility, and analyses all 15 mathematically distinct composition methods spanning parallel, cascading, multi-stage, and nested topologies. We prove that every Cobra method achieves IND-CCA2 security within the Market-Theoretic Security Framework (MTSF), which subsumes and strictly extends both Universal Composability and the Random Oracle Model. An explicit 10-round bidding-round chain per method yields post-quantum ask prices of approximately 2^127 at NIST Level 1, together with composability under arbitrary TLS 1.3 embeddings, per-session CNF auditing, and unbounded-session security via pinging. Although all fifteen methods are security-equivalent, encapsulation latency varies by 3.2× (1.2–3.8 ms), and Theorem 7.1 reduces deployment selection to a Pareto-optimal set of five archetypes. Three real-world TLS 1.3 case studies (financial, healthcare, government) confirm the prediction, with infrastructure overhead clustering at 15–22% across sectors.
## 2026/779
* Title: And TLS lived happily ever after
* Authors: Michael Scott, Gora Adj, Francisco Rodríguez-Henríquez
* [Permalink](https://eprint.iacr.org/2026/779)
* [Download](https://eprint.iacr.org/2026/779.pdf)
### Abstract
The plausible threat of a Cryptographically Relevant Quantum Computer (CRQC) has rightly stimulated a move away from traditional methods of asymmetric cryptography to new post-quantum secure equivalents. The digital signature is the cryptographic primitive that authenticates an internet server's identity by signing each certificate in an X.509 certificate chain. A suggested response to the CRQC threat is to deploy a hybrid classical/post-quantum digital signature, combining a traditional tried-and-tested scheme with a post-quantum alternative, where certificates are signed using both methods. Here we propose a fused signature scheme that adopts the same approach, but introduces minimal friction into existing TLS architectures.
## 2026/780
* Title: Montgomery Multiplication in Signed Redundant Representations
* Authors: Thomas Pornin
* [Permalink](https://eprint.iacr.org/2026/780)
* [Download](https://eprint.iacr.org/2026/780.pdf)
### Abstract
In this paper, we explore the use of Montgomery multiplication with a multi-limb redundant representation of integers, in particular in combination with signed reduction factors. We develop techniques that are particularly suited to software platforms on which carry propagation is expensive, in particular RISC-V CPUs, which lack hardware support for carries. We also show how to perform a whole-primitive range analysis that demonstrates that overflows are not possible, thus allowing liberal use of unreduced limb-wise additions and subtractions, which are small and fast. The implementation and analysis techniques are illustrated in a code-golfing exercise, to produce size-optimized implementations of ECDSA signature verification over NIST curve P-256; use of a virtual CPU with a custom instruction set with byte-size encoding ("bytecode") allows the production of an implementation as small as 848 bytes on x86 CPUs (in 64-bit mode); RISC-V (984 bytes), Armv8-A (1136 bytes) and portable C implementations (about 2200 to 2800 bytes) are also provided. In the process, an AI is utterly discomfited.
## 2026/781
* Title: Panther: Robust Hybrid KEM Combiners via Structural Splicing
* Authors: Basker Palaniswamy, Paolo Palmieri, Ashok Kumar Das, Chun-I Fan
* [Permalink](https://eprint.iacr.org/2026/781)
* [Download](https://eprint.iacr.org/2026/781.pdf)
### Abstract
We present Panther, a family of six robust hybrid key encapsulation mechanism (KEM) combiners that pair FrodoKEM (unstructured LWE) with ML-KEM (module-LWE, FIPS 203) so that IND-CCA2 security holds whenever either assumption is hard. The family includes five hardened variants of the textbook combiners (parallel HKDF, SHAKE256 split-key, sequential chaining, XOR, and nested), each made to satisfy a uniform robustness predicate (transcript binding, domain separation, implicit rejection, length normalisation, re?-security), together with a novel structural-splicing construction Panther-SS that interleaves the constituent ciphertexts and binds the cut-positions via a structural tag. Every combiner admits a systematic Market-Theoretic Security Framework proof in which each bidding round is documented by its purpose, the scheme component it replaces, and its complexity cost; the framework extends cleanly to correctness, unbounded session security, QROM security, and quantitative side-channel resistance.
We complement the theory with extensive benchmarks on liboqs-backed reference implementations, including a head-to-head comparison of Panther combiners against the key encapsulation candidates that appeared in NIST PQC Rounds 1–4 (Kyber/ML-KEM, FrodoKEM, NTRU, SABER, NTRU Prime, Classic McEliece, BIKE, HQC). The experiments cover keygen/encaps/decaps latency, throughput, memory footprint, ciphertext and key sizes, scaling with query count, CPU-cycle counts, security-vs-performance Pareto analysis, and an attack-vs-defence matrix against published side-channel attacks on both constituents. The results confirm that hybrid robustness is essentially free over the slower constituent, that Panther-SS uniquely achieves full robustness with combiner-only overhead below half a percent of total latency, and that the Panther family sits on the Pareto frontier of post-quantum KEM candidates.
## 2026/782
* Title: Failure of proximity gaps close to capacity
* Authors: Dmitry Krachun, Stepan Kazanin, Ulrich Haböck
* [Permalink](https://eprint.iacr.org/2026/782)
* [Download](https://eprint.iacr.org/2026/782.pdf)
### Abstract
We give a simple counterexample which shows that, for Reed--Solomon codes over multiplicative subgroups of prime fields, proximity gaps do not hold near capacity, at least not as conjectured by Ben-Sasson et al. in BCIKS20.
For relative distance $\theta = 1-\rho-\eta$, where $\rho$ is the rate of the code, and positive $\eta = \Theta_\rho(1/\log n)$, where $n$ is the length of the code, we construct an affine line that is not entirely $\theta$-close to the code but still contains $2^{\Omega_\rho(1/\eta)}$ such points. The same construction gives a slightly stronger list-decoding lower bound. The proof uses a new additive-combinatorics lemma on sums of roots of unity.
## 2026/783
* Title: Batch-Puncturing Circuit CP-ABE (and More) from Lattices
* Authors: Yongkang Lang, Fangguo Zhang, Jianghong Wei, Xinyi Huang, Xiaofeng Chen
* [Permalink](https://eprint.iacr.org/2026/783)
* [Download](https://eprint.iacr.org/2026/783.pdf)
### Abstract
Puncturable attribute-based encryption ($\mathsf{PABE}$) not only supports fine-grained access control over encrypted data, but also enables users to revoke the decryption capability for specific messages by puncturing tags, thereby achieving fine-grained forward security. It finds wide applications in scenarios such as sharing government classified documents and personal health records. However, existing $\mathsf{PABE}$ schemes only support tag-by-tag puncturing, where each puncturing operation is done through key delegation, which causes the key size to grow with the number of punctured tags. This inefficiency makes $\mathsf{PABE}$ impractical in scenarios that require frequent puncturing or mass revocations. To address this limitation, it is crucial to support batch puncturing of tags, i.e., the decryption capability for messages associated with multiple tags can be revoked simultaneously via a single puncture.
In this work, we construct a ciphertext-policy attribute-based encryption ($\mathsf{CPABE}$) scheme for circuits with batch-puncturing. Notably, the size of the punctured key in our scheme is independent of the number of punctured tags, as well as the size and depth of the circuits. This is achieved by leveraging the evasive learning with errors ($\mathsf{LWE}$) and tensor $\mathsf{LWE}$ assumptions. In addition, we observe that puncturable $\mathsf{CPABE}$ can be re-stated by dual-policy $\mathsf{ABE}$ ($\mathsf{DPABE}$) with key delegation, and generalize batch-puncturing $\mathsf{CPABE}$ to provide the first lattice-based construction of $\mathsf{DPABE}$ for circuits. Moreover, inspired by the observation of Agrawal and Yamada (Eurocrypt '20), we introduce the puncturing property into optimal broadcast encryption ($\mathsf{BE}$), capturing a new primitive called puncturable $\mathsf{BE}$, which allows the receiver to securely erase sensitive messages without communicating with the authority.
## 2026/784
* Title: Secure and Updatable Single Password Authentication
* Authors: Devriş İŞLER, HamidReza Saadi Dadmarzi, Alptekin Küpçü
* [Permalink](https://eprint.iacr.org/2026/784)
* [Download](https://eprint.iacr.org/2026/784.pdf)
### Abstract
Passwords remain the dominant authentication method despite weaknesses such as offline dictionary attacks and password reuse. Single Password Authentication (SPA) mitigates these risks by protecting high-entropy secrets under one memorable password and distributing them across untrusted storage providers. However, existing SPA schemes cannot prevent preemption and overwrite attacks by storage providers, and they lack secure, efficient support for secret and password updates.
We present UpSPA, an efficient, secure, and updatable threshold SPA that addresses both limitations without requiring changes on the login server. UpSPA prevents preemption through a storage-provider-specific high-entropy identifier secret, supports secret updates via implicit authentication, and enables password updates via explicit authentication using a password-protected signing key. We prove security in the ideal/real paradigm, including resistance to offline dictionary attacks under standard static threshold corruption assumptions. Our evaluation shows low overhead and competitive performance compared to a prior SPA scheme that does not support updates.
## 2026/785
* Title: Neural Leakage-based Cryptanalysis of LowMC with Linear Complexity
* Authors: Kwangjo Kim
* [Permalink](
https://eprint.iacr.org/2026/785)
* [Download](
https://eprint.iacr.org/2026/785.pdf)
### Abstract
MPC-in-the-Head protocols enable post-quantum digital signatures based solely on symmetric primitives, with PICNIC being a prominent example built on the LowMC block cipher. While existing analyses assume exact Boolean circuit semantics, recent advances in neural representations suggest that piecewise-linear implementations may introduce activation boundary leakage. In this work, we investigate whether such leakage can be exploited in the context of LowMC and MPC-in-the-Head transcripts. We propose a perturbation-based probing methodology that models neural leakage and reduces round-key recovery to independent binary hypothesis tests via majority voting. Exploiting the linear structure of the LowMC key schedule, we demonstrate that recovery of the first-round key enables efficient reconstruction of the master key with linear complexity. Experimental results confirm successful recovery of 128-, 192-, and 256-bit keys under the proposed model, highlighting a new dimension in symmetric cryptanalysis and the need to consider learning-based leakage in future designs.
## 2026/786
* Title: Integral Resistance and Degree Bounds for Complex Linear Layers: Application to PRINCE and Lower-Latency Alternatives
* Authors: Simon Gerhalter, Maria Eichlseder
* [Permalink](
https://eprint.iacr.org/2026/786)
* [Download](
https://eprint.iacr.org/2026/786.pdf)
### Abstract
The integral-resistance property provides strong arguments against integral distinguishers. Recently, Zeng and Tian proposed a new method to show this property for AES. In this paper, we provide a generalized framework and tool called intres to extend and apply this method to other ciphers with complex linear layers. We derive properties that a cipher must fulfill in order for the method to be applicable. Furthermore, we introduce a degree propagation model which helps us determine the valid key masks for the integral-resistance matrix. The degree model can also be used to upper-bound the algebraic degree of cipher constructions. This allows us to provide tighter upper bounds for the degree of Rijndael-256. We propose algorithmic improvements to substantially decrease the runtime of the offline phase with the intres framework. As a result, we are able to show the integral-resistance property for 7 rounds of PRINCE and 6 rounds of Beanie. Finally, we develop a heuristic MILP-based approach to search for lower-latency alternatives to the MixColumns matrices of PRINCE while maintaining integral resistance. After showing that using this new matrix we still achieve 7-round integral resistance, we validate our method with SAT-based trail counting. While using a MixColumns matrix only optimized for integral resistance might affect security against other types of attacks, we believe these lower-latency matrices have their place in constructions similar to ZIP-ciphers, where integral resistance is particularly critical.
## 2026/787
* Title: Efficient Construction of Threshold BBS+ Signatures and its Extensions
* Authors: Yang Heng, Mengling Liu, Xingye Lu, Haiyang Xue, Zijian Bao, Man Ho Au
* [Permalink](
https://eprint.iacr.org/2026/787)
* [Download](
https://eprint.iacr.org/2026/787.pdf)
### Abstract
BBS+ signatures are widely adopted in privacy-preserving systems such as anonymous credentials and Direct Anonymous Attestation (DAA). To strengthen key security and eliminate single points of failure, threshold variants of BBS+ signatures have become increasingly important. However, existing constructions suffer from notable inefficiencies: some entail excessive communication overhead (e.g., DKL+23, S&P 2023), while others impose substantial computational costs and require additional interaction rounds (e.g., WMC24, NDSS 2024).
In this work, we present a novel and efficient three-round threshold BBS+ signature scheme from the Castagnos-Laguillaumie (CL) cryptosystem. Our construction achieves better communication-computation trade-offs than previous works. Specifically, compared to the four-round WMC24 scheme, our protocol reduces communication by $77.4\%$ and demonstrates faster computation, with benchmarks indicating speedups of $10.6$--$16.6\times$ in single-threading and $3.3$--$5.4\times$ in multi-threading. Against the three-round protocol DKL+23, our scheme exhibits an asymptotic slowdown factor of $4\times$, but improves communication by two orders of magnitude.
We further extend our techniques to threshold BBS signatures, Dodis-Yampolskiy verifiable random functions (DY VRFs), and multiplication protocols (DNP25 and LLZ+25, CCS'25). This yields: (1) a three-round threshold protocol for the original BBS scheme; (2) two-round threshold protocols for both DY VRFs (focusing on its oblivious variant) and the AGM-secure BBS variant; and (3) one fewer group element in broadcasts for the multiplication protocol with reduced ZKP costs via simplified relations.
## 2026/788
* Title: Secret-Carrying Puzzles and Garbled Circuits Optimized for Zero-knowledge Proofs
* Authors: Debasish Ray Chawdhuri, Manoj Prabhakaran
* [Permalink](
https://eprint.iacr.org/2026/788)
* [Download](
https://eprint.iacr.org/2026/788.pdf)
### Abstract
In this work, we introduce the concept of Obliviously Checkable Secret-Carrying Puzzles (OxSP) and build proof-friendly Garbled Circuits (GCs) to enable their practical implementation. OxSPs allow one to publicly pose puzzles and verify purported solutions received in response, keeping the desired parts of the puzzles and the responses hidden.
We show how OxSPs can be based on Garbled Circuits (GCs). However, this requires ZK-SNARK proofs of correctness of garbling. We note that combining existing GC and ZK-SNARK constructions results in very large computational costs for the OxSP solvers. Our main technical contribution is to design a new proof-friendly GC construction which cuts down the cost of generating a proof of correct garbling to almost a third, without resorting to non-standard cryptographic assumptions.
Beyond its use in OxSP, we expect our proof-friendly GCs to be of significant independent interest, as a tool for auditable secure 2-party computation.
## 2026/789
* Title: Foundations of Verifiably Encrypted (Blind) Signatures
* Authors: Diego Castejon-Molina, Erkan Tairi, Dimitrios Vasilopoulos, Pedro Moreno-Sanchez
* [Permalink](
https://eprint.iacr.org/2026/789)
* [Download](
https://eprint.iacr.org/2026/789.pdf)
### Abstract
Many blockchain-based applications can be seen as instances of fair exchange of two signatures. Adaptor signatures (AS) and, more concretely, their extractability property, are commonly combined with blockchain-based economic incentives to achieve fairness in the exchange of two signatures in the blockchain. Certain blockchain applications require unique signatures (e.g., BLS), but it is formally impossible to build AS from unique signatures. Other applications need blind signatures; however, we found a tension between extractability and blindness. To address these limitations, we observe that fair exchange protocols based on AS only require extractability for one of the two exchanged signatures. This observation allows the other AS to be replaced with a primitive that provides similar security guarantees without inheriting the limitations of AS with respect to unique and blind signatures. A natural candidate is verifiably encrypted signatures (VES), introduced by Boneh et al. (Eurocrypt'03). However, this primitive predates blockchain systems and relies on a trusted party, the adjudicator.
Our first contribution is to eliminate the need for an adjudicator by shifting trust to the blockchain and redefining the VES security model accordingly. We introduce two new security notions and prove that our notions imply existing guarantees. We revisit classical VES constructions by Boneh et al. (Eurocrypt'03) for unique signatures and by Hanser et al. (ESORICS'15) for probabilistic signatures, and show that they satisfy our new definitions. Furthermore, we compare our new notions with AS, and conclude that our revised VES is equivalent in terms of security to AS without extractability. Our second contribution extends VES to support blind and non-interactive blind signatures, introducing a new primitive: Verifiably Encrypted Blind Signatures (VEBS). We present a novel construction for non-interactive blind signatures and prove its security. We implement our construction and demonstrate its practical efficiency: encryption requires 3 ms, verification 6 ms, and decryption 13 ms, with a communication cost of 912 bytes. Finally, we discuss how VES/VEBS apply to diverse use cases, including anonymous credentials, contingent payments, atomic swaps, intermediated payments, coin mixing, and applications involving blind signatures.
## 2026/790
* Title: Towards a Field-Informed Risk-Based Framework for PQC Migration in Legacy Systems
* Authors: Paul CHAMMAS, Khalil HARISS, Carole BASSIL, Maroun CHAMOUN
* [Permalink](
https://eprint.iacr.org/2026/790)
* [Download](
https://eprint.iacr.org/2026/790.pdf)
### Abstract
Ongoing advances in quantum computing represent a growing risk to modern cryptography (potentially threatening both asymmetric and symmetric encryption protocols), thereby challenging the foundations of digital security. In response, global cybersecurity communities, led by standardization bodies such as NIST and ETSI, launched initiatives to establish migration pathways toward post-quantum cryptography (PQC).
However, the migration of legacy systems to quantum-safe cryptography presents many challenges that have not yet been addressed due to their limited cryptographic agility, outdated infrastructure, and regulatory constraints. These legacy environments, even though they rely on aging technologies and constrained hardware, are still vital to major sectors (such as finance, energy, healthcare, and government).
This paper explores some obstacles to the implementation of PQC in these environments, such as hard-coded cryptographic functions, outdated programming languages, hardware limitations, vendor lock-in, interoperability constraints, and certification issues. This shows that, in contrast to contemporary systems, legacy systems cannot be readily modified or easily re-engineered.
A critical review of existing standards and academic publications revealed key limitations: their focus on algorithm specifications, the abstract guidance provided without operational depth, the lack of empirical validation, and the insufficient risk modeling and attention to legacy constraints. These gaps prevent effective planning and secure execution of the PQC migration in legacy systems.
Consequently, this position paper argues that existing deliverables remain insufficient to address the specific challenges of PQC migration in legacy systems. It proposes the elaboration of a field-informed risk-based framework for PQC Migration in Legacy Systems to guide this transition. This proposed framework combines three interdependent layers: a diagnostic characterization of legacy system constraints, a qualitative risk assessment grounded in those constraints, and a quantitative evaluation of migration options through an ROI-based analysis to support decision-making. Unlike existing approaches that treat "legacy" as a generic label, this framework begins by exploring what makes each system legacy in its specific context before applying the risk model. Its development is informed by an empirical survey conducted among large organizations across critical sectors, ensuring relevance beyond theoretical assumptions.
Future work will focus on elaborating the framework through applied research, tool development, and real-world case studies in collaboration with financial institutions and critical infrastructure operators. In addition, continued engagement with cyber authorities and standardization bodies will help us ensure alignment with emerging regulations.
## 2026/791
* Title: Experimental Validation of AUX scheme for Quantum Homomorphic Encryption on IBM Quantum Platforms
* Authors: Gia Phat Dang, Weisheng Si, Belal Alsinglawi, Jim Basilakis
* [Permalink](
https://eprint.iacr.org/2026/791)
* [Download](
https://eprint.iacr.org/2026/791.pdf)
### Abstract
Quantum Homomorphic Encryption (QHE) addresses Quantum Cloud Computing (QCC) security concerns by ensuring the privacy of a client's data and algorithms when outsourced to untrusted third-party quantum servers. However, current QHE schemes face significant challenges: scaling computational resources introduces overhead and hardware noise, degrading accuracy and compromising security. This paper implements and analyses a non-interactive AUX-QHE scheme that employs pre-generated auxiliary states for universal computation. We identify three critical computational bottlenecks: exponential growth in auxiliary state count, complex homomorphic evaluation, and extensive symbolic key updates. Through experimental evaluation on IBM Quantum hardware, we quantify the impact of NISQ noise on AUX-QHE performance and establish practical resource thresholds for deployment. Our results bridge the gap between theoretical QHE frameworks and their practical implementation on noisy quantum devices, providing concrete benchmarks for future noise mitigation efforts.
## 2026/792
* Title: Equivocal Broadcast Encryption: Adaptively-Secure Optimal Distributed Broadcast Encryption from Lattices
* Authors: Rishab Goyal, Saikumar Yadugiri
* [Permalink](
https://eprint.iacr.org/2026/792)
* [Download](
https://eprint.iacr.org/2026/792.pdf)
### Abstract
We present the first Distributed Broadcast Encryption (DBE) scheme from falsifiable lattice assumptions that achieves adaptive security with optimal parameters (short public/secret keys and ciphertexts). Our construction enjoys transparent setup and offers flexible instantiation: we achieve a succinct CRS in the Random Oracle Model, or a long CRS in the standard model. Previously, no lattice-based DBE simultaneously achieved adaptivity and optimal parameters in either setting.
To achieve this, we introduce a new methodology for proving adaptive security: $\textit{Equivocal Encryption Systems}$. This framework operates in two indistinguishable modes: a 'real' mode utilizing standard algorithms, and a 'fake' mode where keys and ciphertexts are jointly sampled with auxiliary trapdoors, enabling the dynamic equivocation of ciphertexts to arbitrary challenge values. While our approach is technically distinct from the celebrated Dual System Encryption (Waters, CRYPTO'09), we believe it could serve as a similarly powerful paradigm for realizing adaptive security across a broad class of lattice-based encryption systems.
## 2026/793
* Title: Oriole: Adaptively Secure Partially Non-Interactive Threshold Signatures from Lattices
* Authors: Kaijie Jiang, Hoeteck Wee, Chenzhi Zhu
* [Permalink](
https://eprint.iacr.org/2026/793)
* [Download](
https://eprint.iacr.org/2026/793.pdf)
### Abstract
We present the first lattice-based, partially non-interactive threshold signature scheme that tolerates the adaptive corruption of up to $T-1$ signers, where $T$ is the signing threshold. Our construction relies on the MSIS and MLWE assumptions, and has two rounds, of which only the second is message-dependent. We substantially improve upon prior adaptively secure lattice-based schemes (CRYPTO '24 and EUROCRYPT '26), which require at least two message-dependent rounds. Compared to prior lattice-based partially non-interactive schemes (CRYPTO '24, S&P '25, CRYPTO '25), we achieve better communication complexity in addition to stronger security guarantees.
## 2026/794
* Title: sigma-rs: A Modular Approach for Keyed-Verification Anonymous Credentials
* Authors: Michele Orru, Lindsey Tulloch, Victor Snyder-Graf, Ian Goldberg
* [Permalink](
https://eprint.iacr.org/2026/794)
* [Download](
https://eprint.iacr.org/2026/794.pdf)
### Abstract
We introduce a new software stack in Rust aimed at simplifying constructions and deployments of protocols based on modern anonymous credential systems. The stack, called sigma-rs, through its layered design, abstracts cryptographic complexity while remaining flexible enough to support a range of credential schemes, proofs, and access policies. It emphasizes misuse resistance via type safety, domain separation, and prover-state discipline, and supports side-channel-aware constant-time strategies. We evaluate practicality through re-implementations of Tor's Lox bridge distribution protocols and of user authentication in the Open Observatory for Network Interference.
## 2026/795
* Title: On the Decoding Failure Rate of HQC
* Authors: Alessandro Annechini, Alessandro Barenghi, Gerardo Pelosi
* [Permalink](
https://eprint.iacr.org/2026/795)
* [Download](
https://eprint.iacr.org/2026/795.pdf)
### Abstract
Cryptography based on error-correcting codes has gained significant interest due to its ability to provide security against both classical and quantum adversaries. In 2025, the U.S. National Institute of Standards and Technology selected the Hamming Quasi-Cyclic (HQC) key encapsulation mechanism for standardization. A key aspect of HQC is the possibility of decryption failures, which reveal information about the private key. To address this issue, the HQC authors developed a probabilistic model for the decoding failure rate (DFR) of the underlying error-correcting code, and adjusted the cryptosystem parameters to thwart attacks based on decryption failures. However, the DFR model relies on the assumption of independence between coordinates of the error vector, which does not hold in HQC. This approximation yields conservative DFR estimates in regimes where failure probabilities can be simulated, and it is hypothesized to remain conservative for cryptographic-grade parameter sets.
In this work, we eliminate the independence assumption and derive a new closed-form DFR model for HQC. We demonstrate that the previous approximation remains conservative in the cryptographic regime and that HQC's current decoding failure rates are lower than the required ones. We describe optimization techniques that enable our probabilistic model to serve as a parameter-tuning tool, and demonstrate how the size of HQC public keys and ciphertexts can be slightly reduced without compromising security.
## 2026/796
* Title: Masking Ordering Failures in BFT SMR via Proactive Pre-Commit Execution
* Authors: Jianting Zhang, Alberto Sonnino, Lefteris Kokoris-Kogias, Aniket Kate
* [Permalink](
https://eprint.iacr.org/2026/796)
* [Download](
https://eprint.iacr.org/2026/796.pdf)
### Abstract
Modern Byzantine fault-tolerant state machine replication (BFT SMR) systems adopt a decoupled BFT consensus process to separate data dissemination from transaction ordering as it enables efficient (asynchronous) dissemination even when ordering fails intermittently under partial synchrony. Nevertheless, they may still suffer from high transaction confirmation latency as the transaction-execution process waits for the ordering process to complete: when the ordering process stalls, the execution process does not proceed even when transactions are disseminated.
We propose Pufferfish, the first BFT SMR system that effectively masks intermittent ordering failures in practice. Pufferfish introduces a pre-commit execution scheme that enables replicas to speculatively execute transactions even while the ordering process stalls. These pre-commit execution results can be directly committed, if correct, when the ordering failures are resolved. To achieve this, Pufferfish builds an adaptive probabilistic speculation mechanism on top of a DAG-based BFT consensus protocol, enabling replicas to predict and speculatively execute transactions ahead of confirmed ordering. Additionally, Pufferfish adopts a commit-aware snapshot mechanism to minimize the overhead of transaction re-execution in cases of speculation failures. To demonstrate the effectiveness of Pufferfish, we implement and evaluate it on a geo-distributed AWS environment. The evaluation results show that Pufferfish achieves faster recovery and a 1.36x speedup on the p99 transaction confirmation latency compared to the state-of-the-art BFT SMR in the presence of ordering failures. Even under normal execution, Pufferfish can achieve a 1.58x speedup on transaction confirmation latency under a transaction workload of 80k tps.
## 2026/797
* Title: Factorisation-Based Multivariate Schemes: Structural Properties and New Constructions
* Authors: Borja Gomez
* [Permalink](
https://eprint.iacr.org/2026/797)
* [Download](
https://eprint.iacr.org/2026/797.pdf)
### Abstract
Trapdoor constructions are an active research area in Multivariate Cryptography. The presented work studies trapdoors based on factor decomposition in algebraic structures, with emphasis on polynomial rings over $F_p$. The main contribution is the formulation of a general property: if an algebraic structure admits a hidden factor decomposition then this property can be used as a trapdoor principle. Based on this approach, two constructions are given: one signature scheme and one encryption scheme.
## 2026/798
* Title: Implementing CCZ Gates with Variation of Gate Teleportation for Quantum Homomorphic Encryption on NISQ Platform
* Authors: Gia Phat Dang, Weisheng Si, Belal Alsinglawi, Jim Basilakis
* [Permalink](
https://eprint.iacr.org/2026/798)
* [Download](
https://eprint.iacr.org/2026/798.pdf)
### Abstract
While quantum computing technologies are revolutionising key industries, distributed quantum hardware services are dominated by quantum providers such as IBM, Google, and AWS. It raises critical data security concerns across sectors such as banking, defence, and healthcare. To address this issue, Quantum Homomorphic Encryption (QHE) has emerged as a solution that enables computations on encrypted quantum data while preserving privacy. Despite its promise, deploying QHE remains challenging due to circuit complexity and the noise in today's quantum systems. In this work, we confront these barriers directly by implementing QHE on Noisy Intermediate-scale Quantum (NISQ) devices using the Variation of Gate Teleportation (VGT) scheme. In particular, we focus on implementing the CCZ gate, a key non-Clifford gate that makes a quantum gate set universal when combined with Clifford gates. By leveraging the techniques from the Classical Quantum Circuit (CQC)-QHE framework proposed by Ortega et al. in 2025, our implementation reduces computational cost and improves resource efficiency. As a result, our approach can support 7 qubits and 14 T-gates in the circuit without large errors, improving on existing QHE implementations.
## 2026/799
* Title: EQuADiSE: Efficient Quantum-safe Adaptive Distributed Symmetric-key Encryption
* Authors: Sayani Sinha, Sikhar Patranabis, Debdeep Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2026/799)
* [Download](
https://eprint.iacr.org/2026/799.pdf)
### Abstract
Distributed symmetric-key encryption (DiSE), introduced in CCS '18, enables threshold versions of traditional (symmetric-key) authenticated encryption. In DiSE, the long-term master secret key is secret-shared among multiple parties following a threshold access structure, and both encryption and decryption are performed in a distributed manner. An adaptively secure DiSE, introduced in INDOCRYPT '20, tolerates adaptive corruptions of the key-holding parties for arbitrary thresholds, while simultaneously retaining efficient encryption and decryption. Unfortunately, all existing instances of adaptively secure DiSE are either quantum-broken (due to their inherent reliance on discrete-log-hard groups), or incur exponential (in the number of parties) online overheads for encryption/decryption.
In this paper, we present EQuADiSE -- the first practically efficient, adaptively secure, and plausibly post-quantum construction of DiSE based on the Module Learning with Rounding (MLWR) assumption in the Quantum Random Oracle model (QROM). EQuADiSE is the first adaptively secure quantum-safe instance of DiSE that incurs linear (in the number of parties) encryption/decryption overheads. As a core technical tool of independent interest, we introduce an MLWR-based distributed pseudorandom function (DPRF) that enjoys adaptive security in the QROM and practically outperforms all existing adaptively secure DPRF constructions in terms of online evaluation time.
We present experimental evaluations demonstrating that EQuADiSE achieves higher online throughput than all prior realizations of DiSE, including quantum-broken realizations based on discrete log-hard groups.
## 2026/800
* Title: Deploying decryption oracles for fun and non-profit: Backing up with friends and TEEs
* Authors: Kanav Gupta, Gabriel Kaptchuk, Ian Miers
* [Permalink](
https://eprint.iacr.org/2026/800)
* [Download](
https://eprint.iacr.org/2026/800.pdf)
### Abstract
Secure backups are the Achilles' Heel of the E2EE ecosystem if they do not provide the same strong security properties as the E2EE messaging systems they support. They constitute a set of servers that, if compromised, would expose nearly all user messages. Unfortunately, state-of-the-art and deployed secure backup systems fail to consider forward secrecy and post-compromise security of these servers as first-order design constraints. Additionally, some proposals, in limited deployment, implicitly rely on the PKIs of trusted execution environments in order to provide security, creating a small number of keys whose compromise would be catastrophic.
We develop an elegant, efficient, and simple secure backup system that naturally addresses these issues by regularly rotating backup servers, each of which samples independent key material. To make this approach scalable, we design a silent backup procedure, reducing server load compared to state-of-the-art designs while providing improved security.
Our design can be trivially extended to incorporate *social key recovery*, enabling more flexible deployment configurations. We carefully prove the security of our construction and benchmark it to show that it is deployment-ready. Our approach works on commodity hardware, making it deployable without the resources needed for WhatsApp or Apple's Encrypted Backups.
## 2026/801
* Title: Outsourced Private Set Intersection for Pairwise Analytics
* Authors: Ferran Alborch, Tangi De Kerdrel, Antonio Faonio, Melek Önen
* [Permalink](
https://eprint.iacr.org/2026/801)
* [Download](
https://eprint.iacr.org/2026/801.pdf)
### Abstract
This paper studies privacy-preserving data analytics in settings where multiple parties hold sensitive datasets and want to compute global statistics without revealing their data. We focus on computing the total number of common elements (cardinality of intersections) across multiple pairs of datasets, while ensuring that only the final aggregated result is disclosed and no intermediate information (such as individual intersections) is leaked. To address this problem, we introduce a new cryptographic primitive called outsourced cardinality private set intersection with secret-shared outputs (CaOPSI-SS). Our solution is extremely simple and uses pseudorandom functions and two non-colluding servers to offload computation, making it suitable for environments with heterogeneous resources. Building on this primitive, we design a protocol for aggregated pairwise analytics that computes the sum of intersection cardinalities across many parties. We apply our framework to a real-world use case: privacy-preserving mail analytics in large organizations with multiple subsidiaries. The system allows useful fine-grained queries over email logs while protecting sensitive HR data. We also extend the solution with differential privacy mechanisms to further protect individual records. Finally, we implement and evaluate the protocol, showing its scalability and practicality for large datasets. Our solution enables parties to obliviously offload their datasets to two non-colluding servers using pseudorandom functions and further execute a circuit-PSI among these two servers to obtain secret shares of the output.
--- Synchronet 3.21f-Linux NewsLink 1.2