From Newsgroup: sci.crypt
## In this issue
1. [2025/1810] BitGC Made (More) Efficient
2. [2025/1907] Introducing GRAFHEN: GRoup-bAsed Fully Homomorphic ...
3. [2026/68] From Matrix to Polynomial NTRU FHE: Enabling ...
4. [2026/193] On the Use of Atkin and Weber Modular Polynomials ...
5. [2026/199] zkAgent: Verifiable LLM Agent Execution via One- ...
6. [2026/206] MPSpeed: Implementing and Optimizing MPC-in-the- ...
7. [2026/248] Lightweight PQ KEM and Hybrid MQTT Protocol for ...
8. [2026/298] Key Recovery Attacks on UOV Using p^l-truncated ...
9. [2026/802] A Primer on Dependency in Polynomial Product: ...
10. [2026/803] X24 Down: Cryptanalysis of Hankel-based ...
11. [2026/804] Verifying Provenance of Digital Media: Security ...
12. [2026/805] Pairing-Based Verifiable Shuffles with Logarithmic- ...
13. [2026/806] Spectre Without Dependent Load
14. [2026/807] When Data Movement Becomes the Bottleneck in Modern ...
15. [2026/808] New Techniques for Communication-Efficient Secure ...
16. [2026/809] Formal Verification, Integration and Physical ...
17. [2026/810] Decomposing Multiplication: A Vertical Packing ...
18. [2026/811] Efficient Bootstrapping of Matrices in FHE
19. [2026/812] Mosaic: Practical Malicious Security for Garbled ...
20. [2026/813] Practical Post-Quantum Secure Publicly Verifiable ...
21. [2026/814] Threshold Signatures as-a-Service: Achieving ...
22. [2026/815] Non-Adaptive Programmable PRFs and Applications to ...
23. [2026/816] From Rerandtopia to Interceptopia, the Anamorphic ...
24. [2026/817] SOLMAE: Lightweight Post-Quantum Signature based on ...
25. [2026/819] Topology-Driven Symbolic Verification of Post- ...
26. [2026/820] Improving Correlation Power Analysis on Masked ...
27. [2026/821] A spectral approach to arithmetic correlations for ...
28. [2026/822] Maliciously Secure Exact Fixed-Point Multiplication ...
29. [2026/823] TieredOMap: Skewness-Aware Oblivious Map
30. [2026/824] Better Usability: Leakage-Resistant AEADs from ...
31. [2026/825] Scalable Secure Biometric Authentication without ...
32. [2026/826] Efficient Implementation of ARIA on ARMv8 via ...
33. [2026/827] A Post-Quantum Accountable Sanitizable Signature ...
34. [2026/828] ZEE200: Zero Knowledge for Everything and Everyone ...
35. [2026/829] Beyond Binary: crosscorrelation of Quartic and ...
36. [2026/830] DY* Unchained: Now with Composable Security Proofs ...
37. [2026/831] LockMeld: A Privacy-Preserving Cross-Chain Protocol ...
38. [2026/832] Private Delegation of (Non-)Membership Proof ...
39. [2026/833] Scale, Round, Break: Simple Leakage Attacks on ...
40. [2026/834] Detecting Post-Quantum and Hybrid TLS Deployments ...
41. [2026/835] Fault Injection Attacks Against zkSTARKs
42. [2026/836] Privacy-Preserving Aggregate-Signatures: Generic ...
43. [2026/837] Trident: Efficient FPGA Acceleration of XMSS Tree ...
44. [2026/838] On the Resilience Order of Weightwise Almost ...
45. [2026/839] Efficient Non-Interactive Key Refresh with Multiple ...
46. [2026/840] All You Need Is Addition
47. [2026/841] HAKE: Efficient Hardware Accelerator for Key ...
48. [2026/842] Secure Integrated Sensing and Communication: ...
49. [2026/843] Toward Practical Fair Data Exchange: Eliminating ...
## 2025/1810
* Title: BitGC Made (More) Efficient
* Authors: Wenhao Zhang, Hanlin Liu, Kang Yang, Wen-jie Lu, Yu Yu, Xiao Wang, Chenkai Weng
* [Permalink](https://eprint.iacr.org/2025/1810)
* [Download](https://eprint.iacr.org/2025/1810.pdf)
### Abstract
Garbled circuits with one-bit-per-gate communication were recently introduced by Liu et al. (BitGC, Eurocrypt 2025), Meyer et al. (Crypto 2025), and Ishai et al. (Crypto 2025). However, these works focus primarily on the theoretical communication complexity, leaving open questions about practical computational efficiency. In this paper, we present a set of optimizations that substantially improve its practical efficiency. First, we eliminate key barriers to enable SIMD support for BitGC, leading to a substantial speedup in its homomorphic operations. Second, we demonstrate that XOR gates can be garbled without any communication, improving both efficiency and simplicity. Finally, we present a computationally efficient garbling scheme that requires zero communication for XOR gates and only 5 bits per AND gate. When applied to an AES-128 circuit, our fastest garbling scheme generates a garbled circuit of just 4 KB in 2 minutes on a single CPU core.
## 2025/1907
* Title: Introducing GRAFHEN: GRoup-bAsed Fully Homomorphic Encryption without Noise
* Authors: Pierre Guillot, Auguste Hoang Duc, Michel Koskas, Florian Méhats
* [Permalink](https://eprint.iacr.org/2025/1907)
* [Download](https://eprint.iacr.org/2025/1907.pdf)
### Abstract
We present GRAFHEN, a new cryptographic scheme which offers Fully Homomorphic Encryption without the need for bootstrapping (or in other words, without noise). Building on the work of Nuida and others, we achieve this using encodings in groups.
The groups are represented on a machine using rewriting systems. In this way the subgroup membership problem, which an attacker would have to solve in order to break the scheme, becomes maximally hard, while performance is preserved. In fact we include a simple benchmark demonstrating that our implementation runs several orders of magnitude faster than existing standards.
We review many possible attacks against our protocol and explain how to protect the scheme in each case.
## 2026/68
* Title: From Matrix to Polynomial NTRU FHE: Enabling Amortized Bootstrapping via Sparse Keys
* Authors: Wun-Ting Lin, Ja-Ling Wu
* [Permalink](https://eprint.iacr.org/2026/068)
* [Download](https://eprint.iacr.org/2026/068.pdf)
### Abstract
Fully homomorphic encryption (FHE) enables computation on encrypted data and is a fundamental building block for privacy-preserving applications. Recent work has shown that FHE schemes can be constructed under the NTRU assumption, leveraging its inherently compact ciphertexts. However, existing NTRU-based FHE constructions rely on matrix representations, which obscure the underlying polynomial-ring structure and prevent the direct adoption of modern amortized bootstrapping techniques.
In this work, we bridge this gap by reformulating the matrix-based NTRU construction into a standard polynomial-ring setting. We show that NTRU decryption can be decomposed into inner products compatible with FHEW-style accumulators while fully preserving the required polynomial structure. Building on this formulation, we adapt a recent amortized bootstrapping approach, based on monomial-by-polynomial multiplication, to the NTRU setting with sparse secret keys. To ensure concrete security, our parameter selection is rigorously guided by recent analyses of NTRU fatigue and the Lattice Estimator for vulnerabilities in sparse-key settings, and is complemented by a comprehensive noise analysis.
The resulting scheme combines NTRU's compact-ciphertext advantage with highly efficient amortized bootstrapping, reducing both the asymptotic computational cost and the bootstrapping key size for low-Hamming-weight secrets. Rather than relying solely on a theoretical proof of concept, we present a highly optimized C++ implementation using Intel HEXL. Our evaluation shows that the proposed amortized approach yields a near 40x speedup compared to the native NTRU baseline at ring dimension $n=8192$. Furthermore, our implementation achieves a significant performance advantage over FINAL, the leading NTRU-based FHE framework, establishing its competitive potential against mainstream bitwise FHE schemes under conservative security parameters.
## 2026/193
* Title: On the Use of Atkin and Weber Modular Polynomials in Isogeny Proofs of Knowledge
* Authors: Thomas den Hollander, Marzio Mula, Daniel Slamanig, Sebastian A. Spindler
* [Permalink](https://eprint.iacr.org/2026/193)
* [Download](https://eprint.iacr.org/2026/193.pdf)
### Abstract
Zero-knowledge proofs of knowledge of isogenies constitute a key building block in the design of isogeny-based signature schemes and have numerous other practical applications. A recent line of work investigated such proofs based on generic proof systems, e.g., zk-SNARKs, along with a suitable arithmetization and in particular rank-1 constraint systems (R1CS). Cong, Lai and Levin (ACNS'23) considered proving the knowledge of an isogeny of degree $2^k$ between supersingular elliptic curves via modular polynomial relations. Recently, den Hollander et al. (CRYPTO'25) have shown that the use of canonical modular polynomials instead of the classical ones makes it possible to improve on the number of constraints for the same types of isogenies, and further makes it possible to extend this approach to isogenies of higher (though limited) degrees. Another recent work by Levin and Pedersen (ASIACRYPT'25) showed that switching from modular polynomials to radical isogeny formulas also leads to significant improvements (at least for the case of the prime $\ell=2$).
A natural question that remained open is whether sticking with the modular polynomial-based approach, but switching to other candidates of modular polynomials, and in particular Atkin and Weber polynomials, is possible and gives improvements and flexibility. In this paper we show that the use of the Atkin modular polynomials enables the use of degrees not covered by existing works and improves the number of constraints for $\ell > 2$ by up to $27\%$, while the Weber polynomials allow up to $39\%$ sparser constraint systems than the current state of the art. As in our prior work on canonical modular polynomials, the adaptation of well-known results to the Atkin and Weber modular polynomials also requires some technical work, especially when going to positive characteristic. To this end we expand and optimize our previous resultant-based methodology, resulting in much simpler proofs for our multiplicity theorems.
## 2026/199
* Title: zkAgent: Verifiable LLM Agent Execution via One-Shot Transcript Proofs
* Authors: Lizheng Wang, Hancheng Lou, Chongrong Li, Yu Yu, Yuncong Hu
* [Permalink](https://eprint.iacr.org/2026/199)
* [Download](https://eprint.iacr.org/2026/199.pdf)
### Abstract
LLM-based agents, which interleave large language model inference with external tool calls, are increasingly deployed in high-stakes settings. In real-world deployments, each model inference and provider-hosted tool execute behind the provider's API. Even when the agent loop runs on the user's device, these provider-executed steps still remain opaque to the user. This opacity creates an end-to-end integrity gap: a malicious provider may substitute the advertised model or fabricate tool observations to steer subsequent agent behavior. Existing zero-knowledge proof systems for LLMs prove only the Transformer computation of a single inference, leaving the rest of the inference pipeline, long-form autoregressive generation, and external tool interactions outside the proof.
We present zkAgent, the first SNARK system for verifiable agent execution. zkAgent proves the complete inference pipeline, from token-to-embedding lookup and positional encoding to Transformer computation and decoding. It further binds each tool observation to an authenticated execution via zkTLS or zkVM subproofs, yielding a single end-to-end proof. To scale beyond per-token proving, we introduce one-shot transcript proving: by exploiting the Transformer's causal attention mask, zkAgent proves an entire multi-step agent transcript in a single forward pass, avoiding the substantial overhead incurred by one-proof-per-token generation. We make this batched proof sound with a weight-dependent quantization scheme that is both input-independent and unconditionally complete.
On GPT-2 with a 512-token transcript, zkAgent achieves a $767\times$ prover speedup over the state of the art (zkGPT, USENIX Security~'25), amortizing to $0.40$s/token, and reduces verification time by $10{,}384\times$ ($0.42$s vs. $4{,}361.09$s). On a real-world coding-assistant execution, zkAgent completes end-to-end proving in $99.74$s with $0.28$s verification, making verifiable agent execution practical.
## 2026/206
* Title: MPSpeed: Implementing and Optimizing MPC-in-the-Head Digital Signatures in Hardware
* Authors: Stelios Manasidis, Quinten Norga, Suparna Kundu, Ingrid Verbauwhede
* [Permalink](https://eprint.iacr.org/2026/206)
* [Download](https://eprint.iacr.org/2026/206.pdf)
### Abstract
The Multi-Party Computation (MPC)-in-the-Head (MPCitH) framework enables the construction of post-quantum Digital Signature Algorithms (DSAs), offering competitive public key sizes. However, this comes at a cost of high computational complexity, resulting in high signature generation and verification times.
In this work, we propose a compact and efficient hardware accelerator for Mirath, an MPCitH-based DSA and candidate in the ongoing NIST PQC standardization effort. We propose a series of algorithmic and hardware-level optimizations, focusing on Mirath's most critical operations: GGM tree-based polynomial commitments and MPC arithmetic. Firstly, we observe Mirath greatly relies on symmetric primitives (SHA3 & AES) during the GGM tree expansion and typically requires a large amount of memory to store the derived tree nodes. We propose an on-the-fly scheduling for generating and computing the GGM tree, such that a minimal amount of GGM tree nodes are stored in memory and their computations can be performed in parallel. Our methodology enables temporarily storing a minimal (and configurable) set of parent nodes in local buffers, from which the low-level tree nodes can be efficiently derived instead of repeatedly doing so from the root seed. This is achieved through a novel, hardware-friendly tree node indexing scheme, which enables efficient traversal through GGM tree nodes using only left and right shifts to find their closest previously computed ancestor. Secondly, we analyze the MPC arithmetic in Mirath and propose massively parallel and yet area-efficient arithmetic units, capable of exploiting algorithm-level parallelism in the MPCitH operations. This is achieved by analyzing Mirath's proposed parameter sets and identifying the most hardware-friendly parameters, for which we design highly fine-tuned modules. Finally, we implement our unified design, which supports all Mirath operations, on an Artix-7 FPGA and compare its performance against Mirath's AVX2 optimized implementation and state-of-the-art PQC DSA hardware implementations. Compared to an implementation of the MPCitH-based SDitH scheme (TCHES 2024), we reduce on-chip BRAM by up to $81.6\%$ and improve the area-time-product by a factor of $52.7\times$ to $64.8\times$.
Overall, we demonstrate that modern MPCitH constructions can be significantly accelerated in hardware through a combination of algorithmic, architectural and low-level hardware optimizations, in line with real-world performance requirements.
## 2026/248
* Title: Lightweight PQ KEM and Hybrid MQTT Protocol for 8-bit AVR Sensor Nodes
* Authors: Yifan Dong, YoungBeom Kim, Jieyu Zheng, Zhichuang Liang, Boyue Fang, Seog Chung Seo, Maire O'Neill, Yunlei Zhao
* [Permalink](https://eprint.iacr.org/2026/248)
* [Download](https://eprint.iacr.org/2026/248.pdf)
### Abstract
Most PQC schemes remain too resource-intensive for ultra-constrained 8-bit AVR wireless sensor nodes. In this work, we present a comprehensive approach to practical lightweight PQC for such devices, covering scheme design, implementation optimization, and protocol integration. Our contributions are threefold: (i) We propose CTRU-Light, a lattice-based KEM specifically tailored for IoT sensor nodes. It combines small moduli, low-degree polynomials, and NTT-friendly arithmetic for high efficiency, with ASCON used for lightweight symmetric operations. (ii) We explore NTT-friendly moduli for the first time to accelerate modular multiplication on 8-bit AVR platforms and design optimized variants of Montgomery and Barrett multiplication. We show that K-RED2X multiplication exhibits approximate equivalence to Montgomery multiplication under small NTT-friendly moduli. We apply these optimizations to the latest implementations of Kyber (ASIACCS 2025) and Saber (CHES 2025), achieving significant improvements in both speed and code size. Furthermore, we present a highly optimized AVR assembly implementation of CTRU-Light that delivers high efficiency and low stack usage. (iii) We design a Hybrid KEM-MQTT protocol that integrates classical ECDH with post-quantum KEMs. We present the first implementation of this protocol and provide a detailed empirical analysis of its performance. Experiments show that CTRU-Light is the only scheme capable of supporting both pure PQ and hybrid KEM-MQTT on 8-bit WSNs, achieving lower handshake latency than Kyber-512 and LightSaber.
## 2026/298
* Title: Key Recovery Attacks on UOV Using p^l-truncated Polynomial Rings
* Authors: Hiroki Furue, Yasuhiko Ikematsu
* [Permalink](https://eprint.iacr.org/2026/298)
* [Download](https://eprint.iacr.org/2026/298.pdf)
### Abstract
The unbalanced oil and vinegar signature scheme (UOV) was proposed by Kipnis et al. in 1999 as a multivariate-based scheme. UOV is regarded as one of the most promising candidates for post-quantum cryptography owing to its short signatures and fast performance. Recently, Ran proposed a new key recovery attack on UOV over a field of even characteristic, reducing the security of its proposed parameters. Furthermore, Jin et al. generalized Ran's attack to schemes over a field of arbitrary characteristic by exploiting the structure of the symmetric algebra.
In this work, we propose a new framework for recovering the secret subspace of UOV over a finite field $\mathbb{F}_{p^e}$ by generalizing these preceding results. First, we show that a key recovery against UOV can be successfully performed using the XL algorithm by exploiting the structure of the $p$-truncated polynomial ring $R^{(p)}=\mathbb{F}_{p^e}[x_1,\dots,x_n]/ \langle x_1^p,\dots,x_n^p\rangle$. This result simplifies the description of the attacks proposed by Jin et al. by formulating them in terms of the polynomial ring, independent of the structure of the symmetric algebra. Second, we generalize this result to the polynomial rings of more general forms, namely, the $p^\ell$-truncated polynomial rings $R^{(p^\ell)}$ for any $1 \le \ell \le e$. This result is due to our description in terms of the polynomial ring and can relax the constraints on the solving degree of the XL algorithm using $R^{(p^\ell)}$ by taking a larger $\ell$. Finally, we consider performing the reconciliation and intersection attacks using the $p^\ell$-truncated polynomial rings against UOV. In particular, we newly take into account the intersection attack using this framework, which has not been considered in previous analyses.
Based on our complexity estimation, we confirm that the optimal complexity of the reconciliation attack using the proposed framework is consistent with that of the symmetric-algebra attack by Jin et al. We further show that the intersection attack using the proposed framework outperforms the reconciliation attack against the proposed parameters of UOV and reduces the security of multiple parameters compared to their claimed security levels. In addition, we show that our complexity estimation of the reconciliation attack using the proposed framework reduces the security of multiple parameters of SNOVA compared to previously known attacks.
## 2026/802
* Title: A Primer on Dependency in Polynomial Product: Identify, Exploit, and Trim
* Authors: Yijian Liu, Jiangxia Ge, Yu Zhang, Jiabo Wang, Xianhui Lu
* [Permalink](https://eprint.iacr.org/2026/802)
* [Download](https://eprint.iacr.org/2026/802.pdf)
### Abstract
Many lattice-based encryption schemes allow a negligible but nonzero decryption failure rate (DFR), which is closely tied to both correctness and security through failure-based attacks. Several module-lattice constructions (e.g., LAC (NIST PQC Round-2), DAWN (ASIACRYPT 2025), average-case noise analysis in FHE) estimate DFR from one-coordinate marginals together with an independence approximation across the coefficients of polynomial products, namely one that treats the noise as uniformly distributed on a sphere. In the rare-event regime relevant to concrete security, this approximation can be optimistic because polynomial convolution introduces structured dependencies with no analogue in unstructured lattice settings. Geometrically, the noise spreads towards a cube rather than a sphere due to the inherent dependencies.
To make this effect explicit, we study polynomial products in the power-of-two cyclotomic ring through a norm-wise decomposition. The decomposition separates an outer term (corresponding to the radius of the sphere), which is effectively captured by coefficient-wise models, and an inner term (representing the uneven parts of the spherical surface), which is shown as a diagonal energy term and accounts for the convolution-induced dependencies. This gives an exact explanation for the heavier tails observed in polynomial products and for the resulting gap between independence-based estimates and actual failure behavior.
This perspective has consequences for both attacks and design. On the attack side, it gives a principled proxy criterion for constructing high-DFR candidate ciphertexts in failure-based attacks. In particular, it explains how the attack of Guo et al. (ASIACRYPT 2019) can target LAC even when the Hamming weights are fixed, and it improves failure-finding efficiency by identifying the underlying class of bad randomness pairs beyond pattern-based subsets. On the design side, it motivates trimming high-dependency samples during key generation and encryption. We first give a certified trimmed DFR bound based on conditional spectral control, then isolate a separate labeled three-vector heuristic for calibrated interpretation, and finally validate both layers on exact-support and moderate-dimension experiments. We formalize the resulting approach as the generic frameworks TrimPKE and TrimKEM, prove security in the QROM while accounting for rejection, and instantiate the framework for LAC and DAWN as case studies.
## 2026/803
* Title: X24 Down: Cryptanalysis of Hankel-based Multivariate Signatures
* Authors: Alexandre Camelin, Thai Hung Le, Brice Minaud, Phong Q. Nguyen, Florian Tousnakhoff
* [Permalink](https://eprint.iacr.org/2026/803)
* [Download](https://eprint.iacr.org/2026/803.pdf)
### Abstract
The X24 multivariate signature scheme was introduced by Di Muzio, Feussner, and Semaev at PQCrypto 2026. It offers remarkably short signatures, together with a new design approach for multivariate signatures that departs from the typical UOV and HFE frameworks.
In this work, we present an efficient cryptanalysis of X24.
Our attack recovers the secret key from the public key in time $O(q \cdot \mathsf{poly}(n))$, where $n$ is the number of field elements in the signature, and $q$ is the order of the finite field. An implementation of the attack recovers the secret key in a few minutes on the full X24 parameters.
The attack makes essential use of the exterior algebra, and shows a different way of using that algebra for multivariate cryptanalysis, compared to the wedge attack introduced by Ran at Eurocrypt 2026. Another notable feature of the attack is that it eventually reduces the cryptanalysis of X24 to the cryptanalysis of a McEliece variant using Generalized Reed-Solomon codes, drawing an unexpected connection between multivariate and code-based cryptanalysis.
## 2026/804
* Title: Verifying Provenance of Digital Media: Security Analysis of C2PA and its Implementation
* Authors: Enis Golaszewski, Neal Krawetz, Alan T. Sherman, Edward Zieglar, Sai K. Matukumalli, Roberto Yus, Carson L. Kegley, Michael Barthel, William Bowman, Bharg Barot, Kaur Kullman
* [Permalink](https://eprint.iacr.org/2026/804)
* [Download](https://eprint.iacr.org/2026/804.pdf)
### Abstract
Generative AI and advanced editing tools enable malicious actors to create high-quality fake images that can facilitate fraud, attack reputations, and manipulate elections. We analyze security properties of the Coalition for Content Provenance and Authenticity (C2PA) digital provenance system. C2PA binds cryptographic assertions of provenance to a digital asset, with the goal of assisting users to judge the asset's provenance. When generating or modifying a digital asset, a C2PA claim generator (e.g., camera) creates and signs provenance data. Using a trusted timestamping authority the generator optionally timestamps them and places them into a manifest of claims.
We analyze three C2PA components: specifications (Version 2.2), selected claim validator implementations, and conformance program (Version 0.1). For the specifications, we state the security goals specified by C2PA (i.e., tamper-evidence of claims and weak file integrity) and identify additional essential goals that should be required (i.e., timestamp agreement, validator consistency, and strong file integrity). We review major policies (e.g., validation logic, certificate revocation), examine the protocol's composition with RFC 3161 trusted timestamps, and carry out the first formal-methods analysis of the core protocol. For the implementations, we identify security flaws through validation experiments using public C2PA assets and ones we created. For the conformance program, we review available public conformance documents and assess two conforming validators: Adobe Inspect and Verifieddit.
We show that the C2PA specifications and their conforming implementations fail to achieve their claimed security goals. Furthermore, they also fail to achieve essential additional goals, which all such provenance systems require for trustworthy deployment. First, our formal-methods analysis shows that C2PA claim generators and validators fail to agree on the claim signature's trusted timestamp. Consequently, a claim may exist with competing, fraudulent timestamps, which cast doubt on the related asset's provenance. Second, we show that the specification's inadequate certificate revocation policies result in serious vulnerabilities, violating all security goals. As a result, public validators, including Adobe Inspect, accept C2PA manifests signed by known, compromised Nikon certificates. Third, our experiments reveal inconsistencies among current conforming validator implementations. For some assets, implementations fail to produce the same validation result: users who rely on these implementations may arrive at contradictory conclusions regarding an asset's provenance. Fourth, we discuss implications of the specification's "exclusion range," which identifies portions of the content and manifest that are not protected by the cryptographic signature, allowing undetectable alterations which can mislead analysts. Fifth, the C2PA conformance program certifies products without carrying out a technical review of the product, including the source code, and without defining security requirements for conforming validators.
Our results show that the specifications and the current implemented C2PA ecosystem do not yet provide the guarantees required for reliable deployment or standards adoption. We suggest ways to strengthen C2PA, including a verified improvement to the core protocol's timestamping. The Pixel 10 Pro and Version 2.3 of the specifications implemented some of our suggestions.
## 2026/805
* Title: Pairing-Based Verifiable Shuffles with Logarithmic-Size Proofs
* Authors: Yuxi Xue, Xingye Lu, Man Ho Au
* [Permalink](https://eprint.iacr.org/2026/805)
* [Download](https://eprint.iacr.org/2026/805.pdf)
### Abstract
A verifiable shuffle proves that a list of output ciphertexts is a rerandomized permutation of a list of input ciphertexts, without revealing either the permutation or the rerandomization factors. Verifiable shuffles are a core primitive in mix-nets and are deployed in national electronic voting systems and blockchain-based anonymization protocols. Existing deployed verifiable shuffles typically have proof size $O(N)$ or $O(\sqrt{N})$ in the number of ciphertexts $N$, making shuffle proofs a primary bandwidth cost. The only prior construction with $O(\log N)$ proof size (Hoffmann et al., CCS 2019) requires roughly $30N$ prover and $10N$ verifier group exponentiations, with a proof consisting of $6\log N + 8$ group elements and 4 field elements.
In this paper, we present a new verifiable shuffle for ElGamal ciphertexts whose proof consists of $2\log N + 8$ group elements and 8 field elements, reducing the prover and verifier costs of Hoffmann et al. to $15N$ and $6N$ group exponentiations, respectively.
Our protocol is public-coin, non-interactive via the Fiat-Shamir transform, and relies on an updatable structured reference string generated once in a powers-of-tau ceremony and reusable across applications.
We implement the protocol and, to the best of our knowledge, provide the first benchmarks for a verifiable shuffle with logarithmic proof size.
At $N = 2^{20}$ (about one million ciphertexts), the proof is only $2.5\,\mathrm{KB}$, compared with hundreds of kilobytes for the best $O(\sqrt{N})$-size scheme and hundreds of megabytes for representative $O(N)$-size schemes.
## 2026/806
* Title: Spectre Without Dependent Load
* Authors: Can Aknesil, Andreas Lindner, Roberto Guanciale, Hamed Nemati
* [Permalink](https://eprint.iacr.org/2026/806)
* [Download](https://eprint.iacr.org/2026/806.pdf)
### Abstract
Transient execution attacks that disclose arbitrary memory commonly assume a multi-stage read-then-transmit gadget: a transient load to fetch secret data and a subsequent operation to leak that data into an observable side channel. We show that this assumption does not hold under electromagnetic (EM) observations, by verifying that a single transient load already produces value-dependent EM leakage without any explicit follow-up transmission instruction or relying on prefetching. Our results expand the set of exploitable gadgets and show that even simple processors like the Cortex-A53 are vulnerable.
## 2026/807
* Title: When Data Movement Becomes the Bottleneck in Modern Workloads: Compute-in-Transit as an Architectural Model
* Authors: Flavio Bergamaschi
* [Permalink](https://eprint.iacr.org/2026/807)
* [Download](https://eprint.iacr.org/2026/807.pdf)
### Abstract
In modern computing workloads, performance is increasingly constrained not by computation, but by the cost of moving data. This shift reflects both the scale and structure of contemporary applications, in which large data sets are subjected to repeated transformations across memory hierarchies, interconnects and distributed systems. A similar pattern appears across domains including fully homomorphic encryption, post-quantum cryptography and artificial intelligence: intermediate representations are repeatedly transformed and exchanged, and their movement rather than the arithmetic itself is what governs system efficiency.
This paper examines Compute-in-Transit as an architectural model in which computation is applied during data movement, embedding transformations along the data path rather than at discrete processing nodes. Rather than treating communication and computation as separate processes, this model aligns computation with dataflow, reducing the need for intermediate storage and repeated transfers. While the underlying idea has been explored in prior work, its practical realisation has been constrained by electronic architectures. Photonics provides a distinct approach, enabling transformations to be performed directly on signals in transit and offering a path toward systems in which computation is applied as data moves rather than after it is transported.
## 2026/808
* Title: New Techniques for Communication-Efficient Secure Comparison Protocols
* Authors: Koji Nuida, Satsuya Ohata
* [Permalink](https://eprint.iacr.org/2026/808)
* [Download](https://eprint.iacr.org/2026/808.pdf)
### Abstract
Secure comparison is a fundamental building block frequently employed in various applications of secure multiparty computation, such as secure machine learning. Such protocols based on secret sharing (SS) typically excel in throughput compared to garbled circuits (GC), but they historically suffer from higher (online) round complexity: while GC-based comparison ends in two rounds, the state-of-the-art SS-based (plaintext) comparison protocol requires three rounds (Lu et al., USENIX Security 2025). To break the barrier, in this paper we propose the first SS-based comparison protocol, built upon "round absorption" via multi-fan-in gates, to match the two-round complexity of GC with online bit complexity $O(n \log n)$ significantly lower than GC-based $O(\lambda n)$. We also propose the second two-round protocol, built upon a new optimization technique for multiplication, that addresses the drawback of $O(n^3)$ offline bit complexity in our first protocol and reduces it to $O(n^2)$ at the cost of increasing the online bit complexity to also $O(n^2)$.
Furthermore, for the purpose of optimization in bandwidth, we propose the third (not constant-round) protocol with asymptotically $6n$ online bit complexity, which is significantly lower than asymptotically $8n$ bits of the state-of-the-art protocol (Couteau, ACNS 2018). Our protocol adopts the framework based on ternary trees and quaternary integers of CrypTFlow2 (ACM CCS 2020) and its followers, but departs from their oblivious-transfer-based computation at each input digit. Instead, we use a Boolean-circuit-based approach driven by a new custom-tailored formula for processing quaternary integers and a specialized multiplication protocol. The latter technique of "multiplication involving an auxiliary input held by a single party" may be of independent interest.
## 2026/809
* Title: Formal Verification, Integration and Physical Evaluation of Prime-Field Masking on Silicon
* Authors: Gaëtan Cassiers, Thorben Moos, Amir Moradi, Nicolai Müller, François-Xavier Standaert
* [Permalink](https://eprint.iacr.org/2026/809)
* [Download](https://eprint.iacr.org/2026/809.pdf)
### Abstract
The resistance of provably secure masked circuits to physical attacks depends in part on the underlying algebraic group and recombination function. Masking over finite fields of odd prime order has been demonstrated, both in theory and in practice, to provide increased natural resistance to side-channel and fault attacks. Its instantiation with a simple additive encoding and implementation-friendly prime modulus was suggested to lead to favorable tradeoffs between security and performance in prior works. To most efficiently leverage these advantages, a family of lightweight Tweakable Block Ciphers (TBCs) called Feistel for Prime Masking (FPM) has been introduced by Grassi et al. at Eurocrypt'24, together with a first hardware-oriented instance called small-pSquare. Yet, barriers for the use and further development of prime-field masking continue to exist and include the lack of automated verification tools compatible with arithmetic over Fp, as well as efficient methods for constant-time generation of uniformly distributed randomness over the field. In this work we tackle these barriers and present our findings from formally verifying, securely integrating and physically evaluating higher-order masked implementations of small-pSquare as an exemplary case study. Our integration includes the tape-out of an Application-Specific Integrated Circuit (ASIC) manufactured in 65 nm technology and a custom Printed Circuit Board (PCB). We demonstrate how to securely verify prime-field masked circuits with existing tools such as SILVER, MATCHI and PROLEAD and certify the glitch+transition robustness of our concrete implementations. Along the way we discover and solve a 0-issue originating from incomplete modulo reductions which is present in public source codes of masked prime-field ciphers but has never been discussed. 
We also introduce Privium, a Bivium-inspired primitive, to efficiently produce random values uniformly distributed over Fp without the need for rejection sampling. We then describe our efficient serialized pipelined small-pSquare architecture enabling an attractive tradeoff between area and latency and compare its pre- and post-layout implementation figures. Finally, we experimentally demonstrate the strong leakage resistance of our formally verified circuits on real silicon.
## 2026/810
* Title: Decomposing Multiplication: A Vertical Packing Approach for Faster TFHE
* Authors: Rostin Shokri, Nektarios Georgios Tsoutsos
* [Permalink](https://eprint.iacr.org/2026/810)
* [Download](https://eprint.iacr.org/2026/810.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables private data processing on untrusted servers. However, FHE performance remains a critical bottleneck for applications like machine learning, which heavily rely on both non-linear operations (e.g., comparisons) and numerous ciphertext-ciphertext (CxC) and ciphertext-plaintext (CxP) multiplications. While modern FHE schemes like TFHE efficiently handle non-linear operations, their multiplication time complexity remains a significant performance limitation.
This paper introduces novel algorithms for CxC and CxP multiplication, as well as the dot-product, a critical kernel in machine learning inference (e.g., convolution). Our method leverages Vertical Packing, decomposing multiplication into a series of efficient, precision-dependent lookup table operations. We evaluate our algorithms and their parallelized variants against the default implementation in TFHE-rs and a recent state-of-the-art work. Our results demonstrate several times faster execution time, significantly accelerating FHE for practical applications.
## 2026/811
* Title: Efficient Bootstrapping of Matrices in FHE
* Authors: Rostin Shokri, Nektarios Georgios Tsoutsos
* [Permalink](https://eprint.iacr.org/2026/811)
* [Download](https://eprint.iacr.org/2026/811.pdf)
### Abstract
In recent years, Fully Homomorphic Encryption (FHE) has proven to be a practical solution to various privacy-preserving applications such as neural network inference, private information retrieval, and genome analysis. Industries have started to utilize FHE to enable private computation over users' sensitive data, to protect user privacy.
Out of all FHE applications, deep learning inference has been the most popular field of research among FHE researchers and practitioners, as it is incredibly challenging to do encrypted inference under FHE.
Matrix multiplication is the fundamental operation that is used in deep learning, and is notoriously challenging to implement efficiently in FHE. Many works utilize CKKS, the state-of-the-art (SotA) FHE scheme for deep learning. They introduce novel encoding strategies to enable matrix multiplication, but they require very large evaluation keys, high execution time, and impose matrix dimension limitations. Fortunately, a recent FHE scheme proposed by Gentry and Lee, called the GL scheme, supports matrix multiplication as a native operation, whilst supporting every operation in CKKS. While very promising, the unique ring structure of the scheme requires prime NTT transforms and a 3D DFT encoding of the message, which have not been sufficiently researched. Additionally, no efficient bootstrapping algorithm has been introduced for this scheme, and bootstrapping is needed to enable the deep computations that are required by large deep learning models. In this work, we introduce the first unique and efficient bootstrapping algorithm for the GL scheme.
## 2026/812
* Title: Mosaic: Practical Malicious Security for Garbled Circuits on Bitcoin
* Authors: Nakul Khambhati, Mukesh Tiwari, Azz, Sapin Bajracharya, Manish Bista, Liam Eagen, Christian Lewe, Aaron Feickert
* [Permalink](https://eprint.iacr.org/2026/812)
* [Download](https://eprint.iacr.org/2026/812.pdf)
### Abstract
Bitcoin's scripting language cannot verify arbitrary computation natively, yet applications such as trust-minimized bridges depend on this capability. Recent techniques employ garbled circuits: the prover commits off chain to a garbled circuit encoding a verifier, designed so that evaluating it on an invalid witness reveals a secret. Posting that secret on chain serves as a fraud proof, allowing the verifier to claim the prover's stake without any on-chain computation. To evaluate the garbled circuit and recover the secret, the verifier needs the prover's input labels, which the prover must post on chain. Since Bitcoin charges permanently for block space, minimizing this on-chain footprint is a primary design concern. Achieving malicious security via cut-and-choose compounds this: the prover must produce multiple independently garbled copies of the circuit, requiring one set of labels per copy.
We present Mosaic, a protocol that achieves malicious security via cut-and-choose but reduces the on-chain footprint so that it is independent of the number of garbled copies. The key technique, first introduced by Eagen (Glock, 2025) in this setting, is polynomial label correlation: labels across all $N$ garbled copies are arranged as evaluations of a degree-$t$ polynomial, so the $t$ shares revealed during cut-and-choose fall one short of the reconstruction threshold. We use adaptor signatures to arrange that the prover's on-chain witness commitment reveals the missing share as a byproduct; the evaluator then reconstructs labels for all unchallenged copies by interpolation. We sketch why Mosaic is secure against a malicious prover and verifier and instantiate it for trust-minimized Bitcoin bridging with a Groth16 verifier circuit, a full protocol specification, and a Rust implementation.
## 2026/813
* Title: Practical Post-Quantum Secure Publicly Verifiable Secret Sharing and Applications
* Authors: Aniket Kate, Pratyay Mukherjee, Hamza Saleem, Pratik Sarkar, Rohit Sinha
* [Permalink](https://eprint.iacr.org/2026/813)
* [Download](https://eprint.iacr.org/2026/813.pdf)
### Abstract
We present a new framework for constructing practically efficient publicly verifiable secret sharing (PVSS) with non-interactive dealers, in that the dealer may go offline after sending a single message, and is not involved in the share verification process. We use identity-based encryption (IBE) and commitments as the main ingredients and avoid expensive zero-knowledge proofs. Instantiating them with post-quantum secure schemes, a lattice-based IBE and a hash-based commitment, we obtain our first construction: a post-quantum secure PVSS with non-interactive dealers that outperforms the prior lattice-based practical construction, Gentry et al. [Eurocrypt 2022], by two orders of magnitude.
However, to enable the aggregation of PVSS transcripts (which facilitates many additional applications such as secure voting), we propose our second construction by replacing hash-based commitments with Pedersen's homomorphic commitments. While this does not achieve full-fledged post-quantum security (as Pedersen's scheme is not quantum safe), it still provides privacy against a post-quantum adversary. We prove the security of this construction in a new model, which we call long-lasting security. This model guarantees that the protocol is secure in the present (pre-quantum era) while maintaining privacy in the long term (post-quantum era). This new model is of independent interest for constructing efficient schemes that are resilient to harvest-now-decrypt-later line of attacks. In this model, we propose a blockchain-compatible secure voting scheme using our PVSS scheme.
Our PVSS schemes demonstrate practical efficiency: our post-quantum PVSS shares a secret among 1024 receivers in 692 ms, verifies the dealing in 128 ms, and communicates 4 MB, overall yielding a two orders of magnitude improvement over the state of the art [Gentry et al., Eurocrypt 2022].
## 2026/814
* Title: Threshold Signatures as-a-Service: Achieving Threshold ML-DSA in One Online Round
* Authors: Matthieu Rambaud, Sascha Roth, Antoine Urban
* [Permalink](https://eprint.iacr.org/2026/814)
* [Download](https://eprint.iacr.org/2026/814.pdf)
### Abstract
We formally define Threshold Signatures as-a-Service (TSaaS), in which the honest parties performing the threshold signature respond only to the signing requests of a designated client. This model captures the mainstream industrial use case of threshold signatures which is to implement Wallets as-a-Service.
This new model allows for optimizations of existing threshold signature schemes, in particular in the lattice setting. As a particularly relevant case study, we describe a TSaaS variant of the Threshold ML-DSA scheme from [Celi et al., USENIX'26], called ML-DSaaS, which combines the first two rounds into a single message-independent round that can be pre-processed before the message is known.
We first describe a simple version of ML-DSaaS in a model where the client is semi-honest. We then upgrade the construction to withstand a possibly corrupt client, by leveraging the existence of a coordinating machine which is present in all real-life deployments of TSaaS. This machine, dubbed the Relayer, filters the requests of the client to the parties and centralizes the communications between them.
We provide an implementation of our scheme together with experimental benchmarks. The online phase of our scheme is two to three times faster than the one of [Celi et al., USENIX'26].
Our modification carries over unchanged to many similar threshold signature schemes, provided they are used in the TSaaS setting.
## 2026/815
* Title: Non-Adaptive Programmable PRFs and Applications to Stacked Garbling
* Authors: Vipul Goyal, David Heath, Abhishek Jain, Yibin Yang
* [Permalink](https://eprint.iacr.org/2026/815)
* [Download](https://eprint.iacr.org/2026/815.pdf)
### Abstract
Garbled circuits are a fundamental primitive in cryptography. While the size of garbled circuits in Yao's original scheme grows linearly with the circuit size, a recent line of work on stacked garbling (SGC) [Heath-Kolesnikov, CRYPTO'20] has achieved near-sublinear size for branching computations, based only on one-way functions. Specifically, these schemes achieve garbled size growing only with the size of a single branch and the total input length to all the branches. Due to the latter dependence, these results are best suited to "small" input settings.
We present a stacked garbling scheme for "large" input settings based on one-way functions. The garbled size in our scheme grows only with the size of a single branch and its input length (up to logarithmic factors), plus an additive term in the number of branches (as in prior SGC).
To obtain our result, we uncover a connection between stacked garbling and the notion of (adaptive) programmable pseudorandom functions (apPRFs) [Boneh-Lewi-Wu, PKC'17]. While existing apPRF constructions either rely on stronger assumptions (e.g., learning with errors or indistinguishability obfuscation) or incur noticeable security losses under weaker assumptions, we identify a relaxed notion of non-adaptive programmable PRFs (napPRFs) that suffices for our result, and establish its feasibility based on one-way functions. Interestingly, we build on techniques from the SGC literature to construct napPRFs with our desired efficiency, and then apply napPRFs back to SGC to obtain our main result.
Along the way, as an additional result of independent interest, we provide the first construction of (adaptive) programmable PRFs for polynomial-size domains based on one-way functions.
## 2026/816
* Title: From Rerandtopia to Interceptopia, the Anamorphic Encryption Saga Rises
* Authors: Vincenzo Botta, Dario Catalano, Emanuele Giunta, Francesco Migliaro, Daniele Venturi, Ivan Visconti
* [Permalink](https://eprint.iacr.org/2026/816)
* [Download](https://eprint.iacr.org/2026/816.pdf)
### Abstract
Nowadays, governments worldwide are pushing towards building infrastructures to intercept, decrypt and prevent communications among citizens with the goal of catching criminals.
The recent notion of anamorphic encryption proposed by Persiano et al. [Eurocrypt 2022] faces the risks of abuses derived from such infrastructures, which could be maliciously leveraged to realize the phantom menace of large-scale mass-surveillance programs.
Several recent papers showed positive results on the existence of anamorphic encryption schemes, mostly confined to basic settings.
In this work we consider extreme scenarios where, in addition to obtaining secret keys, the authority actively tries to sanitize ciphertexts, removing covert communication.
Although anamorphic encryption might look impossible to achieve in the above settings, we give new definitions and somewhat surprising positive results in two scenarios: Rerandtopia and Interceptopia.
Our main construction consists of two layers of encryption. Interestingly, when carefully instantiated, our scheme achieves a notion of re-randomizable CCA encryption that outperforms the state of the art in terms of assumptions and efficiency.
## 2026/817
* Title: SOLMAE: Lightweight Post-Quantum Signature based on NTRU lattices with Hybrid Sampling
* Authors: Kwangjo Kim
* [Permalink](https://eprint.iacr.org/2026/817)
* [Download](https://eprint.iacr.org/2026/817.pdf)
### Abstract
The paper introduces SOLMAE, a lightweight post-quantum signature scheme that follows the traditional hash-and-sign paradigm of Gentry-Peikert-Vaikuntanathan and is instantiated over NTRU lattices using hybrid Gaussian samplers. As a natural successor to earlier designs including Falcon, Mitaka and Antrag, SOLMAE combines the strengths of these approaches. In particular, SOLMAE positions itself as offering a unified framework that achieves improved efficiency and security trade-offs over Falcon, Mitaka, and Antrag, continuing the evolution of efficient lattice-based signatures over structured lattices. SOLMAE leverages the simplicity, speed, and parallelizability of Mitaka while matching the high security and compact key and signature sizes of Falcon. This is achieved through a novel key-generation algorithm that enhances security and removes the rigidity present in Falcon. At the same time, it retains full parameter flexibility and a fast signing procedure. The design is further compatible with recent ellipsoidal Gaussian sampling techniques, enabling even smaller signatures. Altogether, SOLMAE, suitable for resource-constrained environments, establishes a new efficiency point in lattice-based signatures, with remaining implementation considerations deferred to the conclusion.
## 2026/819
* Title: Topology-Driven Symbolic Verification of Post-Quantum Migration Paths Using Tamarin Prover
* Authors: Vishnu Ajith, Mohammed Ibrahim, Muhammed Sihan Haroon
* [Permalink](https://eprint.iacr.org/2026/819)
* [Download](https://eprint.iacr.org/2026/819.pdf)
### Abstract
The transition from classical public-key cryptography to post-quantum cryptography introduces protocol-level risks that are not fully addressed by configuration review, performance benchmarking, or endpoint reachability testing. Under the current abstraction, deployments may appear operationally correct while still permitting secrecy, authentication, or forward-secrecy violations at the protocol level. This paper presents a topology-driven symbolic verification workflow that translates distributed-system communication graphs into Tamarin models for analysis under the Dolev-Yao adversary model. The workflow derives protocol roles, communication constraints, and migration policies from a graph-based deployment representation, producing .spthy models and associated lemmas for executability, secrecy, authentication, and forward secrecy. A canonical topology representation is used to ensure deterministic model generation from semantically equivalent graph inputs. Experimental evaluation across five scenarios indicates that the framework produces discriminative symbolic outcomes rather than uniform failure reports. A registration-only control scenario verifies all reported lemmas, while the remaining scenarios exhibit two distinct falsification patterns: secrecy and forward-secrecy failures in three scenarios, and authentication failure in one scenario. These results indicate that symbolic verification provides a complementary assurance layer for post-quantum migration analysis and can reveal protocol-level risks that are not observable through operational testing alone.
## 2026/820
* Title: Improving Correlation Power Analysis on Masked CRYSTALS-Kyber with Lattice Attack
* Authors: Yen-Ting Kuo, Atsushi Takayasu
* [Permalink](https://eprint.iacr.org/2026/820)
* [Download](https://eprint.iacr.org/2026/820.pdf)
### Abstract
Tosun and Savas (IEEE TIFS'23) proposed a non-profiling power analysis attack on masked ML-KEM, or CRYSTALS-Kyber. Their attack can recover a full secret key of Kyber with 7,000 power traces. Later, Tosun et al. (IEEE Access'24) claimed an improvement over the previous attack with only 550 traces, but the result is not convincing. In particular, their attack does not seem to recover a full secret key of masked Kyber; instead, it recovers only the absolute values for every coefficient of a secret key. Unfortunately, Tosun et al. did not provide convincing and efficient ways to recover the signs of every secret coefficient. In this paper, we show that 400 traces are sufficient to recover a full secret key of masked Kyber. This improvement is arguably significant, as the number of traces is only about 5% of a previous full key recovery attack by Tosun and Savas. The key technique for improvement is the use of a lattice embedding method. So far, there have been several known attacks that use Kannan's embedding method to reduce the number of traces for recovering a full secret key of Kyber. Specifically, these attacks recover only a partial secret key through power analysis attack and recover the remaining part by applying the embedding method. In contrast, we use not only recovered partial secret key but also recovered absolute values to recover the remaining part. For this purpose, we utilize an unusual embedding method that is a combination of Kannan's embedding and Bai-Galbraith's embedding. Our technique can also be applied to other post-quantum cryptosystems that use NTT-based multiplication. We demonstrate the applicability of our method to the first-order masking implementations of NTT-based variants of SABER and Dilithium, achieving full key recovery with 150 and 1,000 traces, respectively.
## 2026/821
* Title: A spectral approach to arithmetic correlations for binary FCSR sequences with prime connection integers
* Authors: Feifei Yan, Pinhui Ke, Chenhuang Wu
* [Permalink](https://eprint.iacr.org/2026/821)
* [Download](https://eprint.iacr.org/2026/821.pdf)
### Abstract
Arithmetic correlation is an important metric for measuring feedback with carry shift register (FCSR) sequences, and its value should be as small as possible. For binary FCSR sequences with a prime connection integer $p$ and for which $\operatorname{ord}_p(2)$ is odd, where $\operatorname{ord}_p(2)$ is the order of $2$ modulo $p$, the arithmetic correlation can be expressed as the difference between the number of even representatives and the number of odd representatives within the subgroup generated by $2$ and all its cosets. From this perspective, we develop a unified spectral method for arithmetic correlation, derive an upper bound on it, and establish conditions under which it takes small values. We also analyze cases with a prime connection integer $p$ where the number of cosets is $2$, $4$, or $6$, and characterize when the arithmetic correlation takes small values.
## 2026/822
* Title: Maliciously Secure Exact Fixed-Point Multiplication over Power-of-Two Rings for Replicated 3PC
* Authors: Yutao Sun, Jianguo Xie, Guozhen Shi, Jiale Han, Huiyan Chen, Rongna Xie
* [Permalink](https://eprint.iacr.org/2026/822)
* [Download](https://eprint.iacr.org/2026/822.pdf)
### Abstract
Exact fixed-point multiplication over $\mathbb{Z}_{2^k}$ is a fundamental primitive for secure fixed-point arithmetic. However, in the honest-majority, maliciously secure 3PC setting, no prior work simultaneously provides cross-ring compatibility, exact semantics, and malicious security within this efficient framework. In this paper, we address this gap by showing that the core cross-ring bottlenecks, namely exact signed truncation and signed extension, share a unified algebraic structure. Based on this insight, we propose a general **quotient-correction framework** that reduces complex non-linear cross-ring operations to a highly efficient **2-bit bounded-quotient extraction** problem. We instantiate this framework to construct maliciously secure protocols for exact truncation and extension. By sequentially composing these primitives with standard in-ring multiplication, we realize the first end-to-end exact fixed-point multiplication protocol that satisfies all aforementioned requirements in the replicated 3PC setting. We also present optimized variants under relaxed guarantees (e.g., 1-ULP error) that offer superior performance trade-offs. We formalize our constructions within the Universal Composability (UC) framework and provide rigorous security proofs. Theoretical analysis and experimental results demonstrate that our approach achieves practical online efficiency while maintaining exact semantics and malicious security, overcoming the limitations of prior baselines regarding security assumptions, input domains, or output precision.
## 2026/823
* Title: TieredOMap: Skewness-Aware Oblivious Map
* Authors: Juan Li, Xinle Cao, Huazhen Yu, Weiqi Feng, Jian Liu
* [Permalink](https://eprint.iacr.org/2026/823)
* [Download](https://eprint.iacr.org/2026/823.pdf)
### Abstract
Oblivious map (OMAP) is a fundamental primitive for encrypted databases, yet existing designs largely adhere to a uniform worst-case principle: every record incurs nearly the same time to retrieve, regardless of how often it is queried. Real-world workloads, however, are typically highly skewed, with a small hot set accounting for most requests. We argue that such skewness should be leveraged as a first-class design signal for oblivious retrieval, rather than treated solely as leakage to conceal.
We present TieredOMap, the first skewness-aware framework for OMAP, opening up a new design space for improving OMAP efficiency. TieredOMap separates hot and cold records into separate and independent OMAPs to enable more efficient access to hot records without weakening the security guarantees of standard OMAPs. Moreover, its design naturally supports further performance gains under a small, explicit relaxation of security. To make TieredOMap more practical, we also develop a complete mechanism to support dynamic workloads with evolving hot sets. Overall, our results show that oblivious accesses to records need not be governed solely by uniform worst-case behavior, and that skewness-aware structure represents a promising new direction orthogonal to existing OMAP design principles.
## 2026/824
* Title: Better Usability: Leakage-Resistant AEADs from Single-length Blockciphers
* Authors: Chun Guo, Mustafa Khairallah, Kazuhiko Minematsu
* [Permalink](https://eprint.iacr.org/2026/824)
* [Download](https://eprint.iacr.org/2026/824.pdf)
### Abstract
Existing leakage-resistant AEADs are rarely compatible with *single-length key* blockciphers (BCs), i.e., blockciphers whose key length equals the block length. We present UEDTDM and UEDTMX, two single-length key BC-based leakage-resistant AEAD constructions. Both of them are one-pass with rate $1/4$, use a "partially fixed-key" BC to maximize *practical* efficiency, and achieve the strongest level of Grade-3 leakage-resistance (a terminology due to Bellizia et al., CRYPTO 2020) with a satisfactory black-box security bound. Their concrete security bounds are comparable with the state-of-the-art construction TEDT of Berti et al. (TCHES 2020). Moreover, they achieve birthday-bound context-committing security. To prove these claims, we introduce a framework UEDT that generalizes and expands the usability of the EDT construction of Berti et al. (ToSC 2017), prove unified provable security results, and then derive concrete bounds for the two instances, UEDTDM and UEDTMX. This framework may be of independent interest.
We also demonstrate the performance advantage of our algorithms, especially in software. On x86 architectures where the AES-NI instructions are supported, our algorithms are twice as fast as the closest competitor, LR-BC-3 (Bronchain et al., TCHES 2021). In addition, the ability to use the efficient MJH hash function and to reduce the amount of rekeying makes the algorithms faster across multiple platforms as well.
## 2026/825
* Title: Scalable Secure Biometric Authentication without Auxiliary Identifiers
* Authors: Alexander Bienstock, Daniel Escudero, Antigoni Polychroniadou, Zhen Zeng, Pranav Bhat, Ashok Singal, Prashant Sharma, Manuela Veloso
* [Permalink](https://eprint.iacr.org/2026/825)
* [Download](https://eprint.iacr.org/2026/825.pdf)
### Abstract
The prevalence of biometric authentication has been on the rise due to its ease of use and elimination of weak passwords. To date, most biometric authentication systems have been designed for on-device authentication of the device owner (e.g., smartphones and laptops). Recently, biometric authentication systems have started to emerge that are designed to authenticate users against cloud databases storing representations of biometrics for large numbers of users (potentially millions), such as those facilitating biometric payments. However, the use of a large cloud database introduces a significant attack vector, as a breach of the database could lead to the compromise of all enrolled users' sensitive biometric data. Indeed, all such existing systems either do not adequately protect against such a breach, or are impractical to deploy and use due to their high computational overhead. In this work, we present a new biometric authentication system that provides provable security guarantees against data breaches, while remaining scalable and performant. To do so, we marry artificial intelligence with advanced cryptographic techniques in a novel fashion, providing several optimizations along the way. Our work is the first to show that real-world scalable privacy-preserving biometric authentication without auxiliary identifiers is feasible, and we believe that it will spur widespread industrial adoption and further research in this area.
## 2026/826
* Title: Efficient Implementation of ARIA on ARMv8 via Cryptographic Extensions
* Authors: Myoungsu Shin, Dongjae Lee
* [Permalink](https://eprint.iacr.org/2026/826)
* [Download](https://eprint.iacr.org/2026/826.pdf)
### Abstract
The ARIA block cipher is the Korean national standard (KS X 1213) and an IETF standard (RFC 5794). Despite its widespread use, research on efficient implementation for modern ARMv8 processors has remained limited compared to AES, which benefits from dedicated hardware instructions. The best prior ARMv8 result by Eum et al. reported 0.573 cycles per byte (cpb); however, through direct communication with the authors and independent re-evaluation, we confirmed that this published figure reflects a measurement error and that the actual cost is 5.845 cpb. In this paper, we present an efficient ARIA implementation that processes 16 blocks in parallel on ARMv8 NEON by repurposing the AESE/AESD cryptographic extensions to evaluate all four ARIA S-boxes. While two S-boxes map directly to hardware AES instructions, we realize the remaining two through a nibble-split decomposition using only two permanent NEON registers per S-box. Combined with a byte-sliced data layout and a 64-instruction transposition butterfly, our implementation achieves 1.483 cpb for ARIA-128 on the Apple M1, a $3.94\times$ speedup over the corrected prior result. Multi-threaded CTR-mode measurements demonstrate near-linear scalability, reaching 6.67 GB/s with 4 threads on the performance cores and 8.33 GB/s with 8 threads. On the ARM Cortex-A76 (Raspberry Pi 5), the implementation achieves 3.586 cpb and scales to 2.36 GB/s with 4 threads.
## 2026/827
* Title: A Post-Quantum Accountable Sanitizable Signature Scheme Based on Unbalanced Oil and Vinegar
* Authors: Zhiwei Wang
* [Permalink](https://eprint.iacr.org/2026/827)
* [Download](https://eprint.iacr.org/2026/827.pdf)
### Abstract
Sanitizable signature schemes (SSS) allow a designated sanitizer to modify admissible portions of a signed message while preserving the validity of the original signer's authorisation. All existing SSS constructions satisfying the Brzuska et al. security framework rely on classical number-theoretic assumptions broken by Shor's algorithm. We present UOV-San, the first sanitizable signature scheme based entirely on multivariate cryptography. The construction employs a dual-signature architecture with strict key separation enforced by a two-message interactive signing protocol: the signer holds only $\mathsf{sk}_S$ and the public chameleon key $\mathsf{ck}$; the sanitizer holds $\mathsf{sk}_{\mathit{San}}$ and the trapdoor key $\mathsf{tk}$. We introduce a new PreColl (preimage collision) assumption capturing the hardness of finding distinct inputs to the public quadratic map that collide under $P$ (not only under $H_2 \circ P$). Combined with the collision resistance of a random oracle we obtain an implementable multivariate chameleon hash requiring no random-oracle programming.
UOV-San provably achieves unforgeability, immutability, and accountability, including against a malicious signer, under MQ, OVD, PreColl, and sEUF-CMA in the random oracle model with classical adversaries. We forgo transparency and privacy: these properties are structurally incompatible with the dual-signature architecture and key-separation requirement, and are operationally unnecessary for our target application domains (supply chain audit, government document redaction, blockchain audit trails). Experimental evaluation confirms practical signing times under 5 ms and verification times under 2 ms on commodity hardware.
## 2026/828
* Title: ZEE200: Zero Knowledge for Everything and Everyone @ 200 KHz
* Authors: Sunghyeon Jo, Vladimir Kolesnikov, Yibin Yang
* [Permalink](https://eprint.iacr.org/2026/828)
* [Download](https://eprint.iacr.org/2026/828.pdf)
### Abstract
Zero-knowledge execution of high-level programs proceeds by repeatedly evaluating CPU steps. Each such step privately selects and evaluates an instruction (possibly involving memory access) from a rich instruction set. Building on this paradigm, ZEE (Heath et al., S&P'21) realized a full toolchain supporting arbitrary $\texttt{ANSI C}$ programs, demonstrating this capability by proving SIR- and CVE-reported bugs in off-the-shelf Linux programs $\texttt{sed}$ and $\texttt{gzip}$.
We revamp the state of the art by building a new constant-round ZK system ZEE200, which is about $20\text{-}40\times$ faster than ZEE. ZEE200 is built on a novel and convenient cryptographic framework for efficiently proving general statements represented as real-world programs. Our framework integrates several crucial recent advances, such as Tight ZK CPU (Yang et al., CCS'24) and fast ZK RAM (Yang and Heath, USENIX Security'24). We develop better encodings for $\mathbb{Z}_{2^{32}}$ arithmetic, and numerous low-level optimizations.
Compared to ZEE's $\approx 10$ KHz CPU speed on a limited ISA, ZEE200 runs at $\approx 200$ KHz (still on a commodity laptop and a LAN!), while supporting a much richer ISA. For example, we rerun a ZEE's benchmark, proving a SIR-reported vulnerability in off-the-shelf Linux utility $\texttt{sed}$. On a 2021 ThinkPad X1 Carbon Gen 9 under a simulated $1$Gbps LAN (single-threaded), ZEE200 completed the proof in $1.5$ seconds, compared to ZEE's $30.1$ seconds, a $20\times$ improvement.
## 2026/829
* Title: Beyond Binary: crosscorrelation of Quartic and Cubic Character Sequences
* Authors: Mriganka Dey, Sampa Dey, Sampurna Pal, Subhabrata Samajder, Rana Barua
* [Permalink](https://eprint.iacr.org/2026/829)
* [Download](https://eprint.iacr.org/2026/829.pdf)
### Abstract
The arithmetic crosscorrelation of pseudorandom sequences is a fundamental measure of their suitability for applications in cryptography and communications.
While prior works have studied this quantity for binary sequences, the non-binary setting has remained largely open.
In this paper, we initiate a systematic study of arithmetic crosscorrelation for non-binary pseudorandom sequences constructed from higher-order multiplicative characters over finite fields.
For two quartic sequences of co-prime periods $P$ and $Q$ defined via polynomials of degree $d$, we establish that
$$\left|C^{A}_{\mathcal{S},\mathcal{T}}(\tau)\right| \ \ll \ dP^{1/2}Q(\log P)^{2},$$
for all shifts $\tau$, using character orthogonality, joint pattern distribution and the Weil bound.
An analogous bound is also derived for cubic character sequences.
To the best of our knowledge, these are the first nontrivial upper bounds on the arithmetic crosscorrelation of non-binary pseudorandom sequences, generalizing prior works of Chen et al. (IEEE IT, 2022) and Yan and Ke (eprint archive, 2026).
## 2026/830
* Title: DY* Unchained: Now with Composable Security Proofs and Precise Compromise Scenarios
* Authors: Théophile Wallez
* [Permalink](https://eprint.iacr.org/2026/830)
* [Download](https://eprint.iacr.org/2026/830.pdf)
### Abstract
Cryptographic protocols are the cornerstone of Internet security, and any flaw in their design would have drastic effects. We can formally prove the absence of such flaws using a variety of automated or semi-automated tools. However, some features of real-world protocols are notoriously hard to analyze using these tools, including unbounded loops, unbounded data structures, and unbounded and dynamic number of protocol participants. The DY* protocol verification framework recently emerged as a tool designed to address these challenges, and it was successfully used to analyze protocols such as Signal, ACME and TreeSync.
However, we note that DY* suffers from two deep limitations: first, security proofs of protocol subcomponents cannot be composed, which hinders the analysis of large protocols; second, the security proofs depend on a simple language to describe compromises, which overly restricts the set of compromise scenarios DY* can reason about.
In this paper, we present a major overhaul of DY* that addresses these limitations. We enable composing security proofs in DY* by developing a framework to define trace invariants modularly, and we improve the precision of compromise scenarios that DY* can prove by fully generalizing the notion of security labels. These improvements are essential to enable the analysis of large protocols. In particular, our new version of DY* was already used by and crucial to the security proofs of the TreeKEM protocol (IEEE S&P 2025).
## 2026/831
* Title: LockMeld: A Privacy-Preserving Cross-Chain Protocol for Confidential, Account-Based Blockchains
* Authors: Hanqing Huang, Chenke Wang, Yu Long, Xian Xu, Dawu Gu
* [Permalink](https://eprint.iacr.org/2026/831)
* [Download](https://eprint.iacr.org/2026/831.pdf)
### Abstract
In this paper, we present LockMeld, the first solution for enabling private cross-chain transfers when both underlying chains rely on homomorphic commitments to safeguard transaction amounts. LockMeld tackles the core challenges of ensuring unlinkability without sacrificing availability and accommodating arbitrary transaction amounts. Central to our solution is a batching technique that selectively discloses transaction details to the cross-chain intermediary, preventing any actor from directly correlating a sender's escrow on one chain with the corresponding redemption on the other. Moreover, LockMeld combines additive homomorphic public-key encryption with randomizable signatures over randomizable commitments, ensuring robust on-chain confidentiality while still enabling necessary account management for future transactions. We provide not only a rigorous game-based security analysis but also demonstrate the protocol's resilience against both malicious participants and external adversaries. We also implement and evaluate LockMeld's performance. This empirical validation reveals that LockMeld's privacy guarantees can be achieved in practice without incurring excessive overhead, making it an attractive option for privacy-conscious cross-chain interoperability.
## 2026/832
* Title: Private Delegation of (Non-)Membership Proof Updates in Cryptographic Accumulators
* Authors: Bence Sóki-Tóth, Botond Glasz, Alireza Kavousi, István András Seres
* [Permalink](https://eprint.iacr.org/2026/832)
* [Download](https://eprint.iacr.org/2026/832.pdf)
### Abstract
A universal, dynamic accumulator is a verifiable data structure that compresses a set of elements (e.g., unspent coins, issued public key certificates, etc.) into a succinct digest while supporting addition and deletion of elements alongside efficient proving of (non-)membership in that set. In many applications, valid (non-)membership proofs are a prerequisite to access a service (e.g., send a private payment transaction, establish a TLS connection, etc.). Typically, newly added or deleted elements necessitate updating all existing (non-)membership proofs per update. Thus, intermittently connected clients will possess invalid (non-)membership proofs whenever they reconnect. In this work, we design, implement, and evaluate algorithms for the RSA and bilinear accumulators that allow a resource-constrained client to privately delegate the updates of its (non-)membership proofs to an untrusted server. We define and prove security in a game-based framework under standard assumptions. We also study proof delegation in the batch setting. The online client algorithms are constant-time, i.e., independent of the updated set size $k$ compared to prior $\mathcal{O}(k),\mathcal{O}(\sqrt{k})$ works. The private delegation algorithms for membership proofs incur small concrete computational overhead for the server compared to the non-private membership proof creation algorithms, e.g., $6.99\%$ overhead when $2^{10}$ elements were added in the offline phase to the RSA accumulator.
## 2026/833
* Title: Scale, Round, Break: Simple Leakage Attacks on Secret Sharing Schemes
* Authors: Katharina Boudgoust, Mark Simkin
* [Permalink](https://eprint.iacr.org/2026/833)
* [Download](https://eprint.iacr.org/2026/833.pdf)
### Abstract
We study the local leakage resilience of $t$-out-of-$n$ threshold secret sharing schemes. We present a remarkably simple, perfectly correct attack that fully breaks any scheme with linear reconstruction over a finite field using $\lg t + \mathcal{O}(1)$ bits of leakage per share. In particular, this yields concretely efficient attacks on additive secret sharing and on Shamir's scheme for arbitrarily large thresholds over arbitrarily large finite fields.
Our key technical idea is an approximately linear scale-and-round function that maps shares from an arbitrarily large field into a much smaller ring, while preserving the distance of well-separated secrets. Our results provide two surprising insights: bigger finite fields do not necessarily improve leakage resilience, and increasing the reconstruction threshold in Shamir's scheme does not help much either.
## 2026/834
* Title: Detecting Post-Quantum and Hybrid TLS Deployments via Raw TLS Record Inspection
* Authors: Muhammad Ibrahim, Vishnu Ajith, Muhammed Sihan Haroon
* [Permalink](https://eprint.iacr.org/2026/834)
* [Download](https://eprint.iacr.org/2026/834.pdf)
### Abstract
The transition to post-quantum cryptography (PQC) is essential to safeguard networked systems against future quantum-enabled adversaries. While recent standardisation efforts have introduced PQC algorithms such as ML-KEM into protocols like TLS 1.3, verifying their correct deployment in real-world systems remains a challenge. Existing approaches rely on configuration-level inspection or high-level cryptographic libraries, which do not reflect actual runtime behaviour.
This paper presents a novel methodology for detecting post-quantum and hybrid TLS key exchange mechanisms through direct inspection of raw TLS handshake records. By parsing ServerHello messages at the byte level and extracting key-share group identifiers from the key share extension, the proposed approach enables accurate classification of endpoints into CLASSICAL_ONLY, PQC_ONLY, and HYBRID_CONFIRMED states.
We implement the methodology within a prototype compliance system and evaluate it across 38 production endpoints and a controlled three-node cloud testbed spanning two validation phases. Phase 1 reveals that all three testbed nodes, including a PQC-capable application server, are correctly classified as CLASSICAL_ONLY, exposing an application-layer versus transport-layer mismatch invisible to configuration auditing. Phase 2, following an OQS-capable TLS frontend upgrade, produces a confirmed HYBRID_CONFIRMED result with group 0x11EC (X25519MLKEM768) on the same physical server, achieving 100% target accuracy across all three nodes. We further document a critical false positive failure mode in naive string-matching approaches and validate correct four-state classification under known ground-truth conditions. Unlike prior work, this approach provides verifiable, evidence-based assessment of cryptographic posture, enabling reliable auditing of PQC readiness.
## 2026/835
* Title: Fault Injection Attacks Against zkSTARKs
* Authors: Alexander Dalton, Markus Schofnegger, Daniel Page
* [Permalink](https://eprint.iacr.org/2026/835)
* [Download](https://eprint.iacr.org/2026/835.pdf)
### Abstract
Fault injection attacks targeting schemes with Zero-Knowledge (ZK) properties have been relatively absent in the wider literature. One of the few examples has recently shown a ZK signature scheme to be vulnerable to fault injection attacks. In this paper we detail candidate fault injection attacks against Zero-Knowledge Scalable Transparent Argument of Knowledge (zkSTARK) provers, designed to violate the construction's zero-knowledge capabilities. zkSTARK proving systems are complex, with a huge amount of diversity in implementation specifics. We match the variety within the STARK implementation ecosystem, proposing a variety of fault injection attacks against different algorithmic primitives. To the best of our knowledge this marks the first exploration of the fault injection surface of zkSTARKs, and of the wider class of general purpose ZK proving systems.
## 2026/836
* Title: Privacy-Preserving Aggregate-Signatures: Generic Constructions and Practical Instantiations
* Authors: Xiaoyang Wei, Shuai Han, Shengli Liu
* [Permalink](https://eprint.iacr.org/2026/836)
* [Download](https://eprint.iacr.org/2026/836.pdf)
### Abstract
Aggregate signatures allow a set of signers to compress individual signatures on distinct messages into a short signature, offering significant savings in storage and verification time. However, existing aggregate signatures neither support key aggregation nor achieve strong privacy guarantees for signers. In a very recent work, Nick, Ruffing and Seurin (EUROCRYPT'26) proposed DahLIAS, a pairing-free aggregate signature scheme with constant size signatures. Unfortunately, DahLIAS fails to provide aggregated verification and privacy properties. As a side contribution, they also constructed a generic transformation from multi-signatures to aggregate-signatures. However, the transformed schemes cannot satisfy unrestrictedness and privacy.
In this paper, we formally introduce the notion of aggregate signatures with verifiable key aggregation (ASvKA), along with new unforgeability and privacy definitions. We then present a generic transformation that turns any multi-signature (MS) scheme into aggregate signature scheme with verifiable key aggregation and privacy properties, which also lifts weaker unforgeability of the underlying MS to stronger unforgeability of ASvKA. Finally, we instantiate our transformation with two concrete multi-signature schemes. For pairing-free schemes, we propose PP-SpeedyASvKA, a two-round privacy-preserving aggregate signature derived from the multi-signature SpeedyMuSig, achieving the strongest unforgeability and privacy while preserving the efficiency. For pairing-based schemes, we construct PP-BAS-0 and PP-BAS-1 from a BLS multi-signature, offering different trade-offs between unforgeability and privacy.
## 2026/837
* Title: Trident: Efficient FPGA Acceleration of XMSS Tree in Post-Quantum Signature Scheme SLH-DSA
* Authors: Tianyou Bao, Joshua Ennis, Kirill Morozov, Jiafeng Xie
* [Permalink](https://eprint.iacr.org/2026/837)
* [Download](https://eprint.iacr.org/2026/837.pdf)
### Abstract
The emergence of quantum computing poses significant threats to conventional cryptographic systems, necessitating the efficient hardware acceleration of Post-Quantum Cryptography (PQC), especially on Field-Programmable Gate Array (FPGA) platforms. SPHINCS$^+$, recently standardized by NIST (National Institute of Standards and Technology) as SLH-DSA (Stateless Hash-Based Digital Signature Algorithm), represents the only hash-based digital signature scheme. Its practical deployment, however, is restricted by computationally intense operations, particularly in the eXtended Merkle Signature Scheme (XMSS) tree, where WOTS+ (Winternitz One-Time Signature Plus) public key generation consumes the majority of signature generation cycles. With this background, this paper presents Trident, an innovative FPGA-based hardware accelerator that addresses critical performance and resource challenges in XMSS of SLH-DSA. First, we propose a triangle hash unit architecture that enables parallel execution of up to three hash operations simultaneously, directly addressing the computational bottleneck in XMSS tree construction and WOTS+ chain operations. Second, we develop an optimized memory caching scheme that reduces on-chip memory requirements via intermediate value management. Third, we implement Trident on FPGAs and comprehensively evaluate it across all parameter sets at multiple security levels, achieving up to 8.6$\times$ improvement in signature generation and up to 5.4$\times$ speed-up in verification operations. Extended Hypertree evaluation shows a 34.6$\times$ area-delay product (ADP) improvement on UltraScale+ FPGA for SLH-DSA-128s. Trident represents a significant advancement toward practical SLH-DSA deployment in FPGA environments.
## 2026/838
* Title: On the Resilience Order of Weightwise Almost Perfectly Balanced Functions
* Authors: Martin Grenouilloux, Chunlei Li, Pierrick Méaux
* [Permalink](https://eprint.iacr.org/2026/838)
* [Download](https://eprint.iacr.org/2026/838.pdf)
### Abstract
The recent development of Fully Homomorphic Encryption (FHE) witnessed the emergence of a new generation of tailored cryptographic primitives designed to meet its specific criteria. Among promising candidates for FHE constructions stands out the FLIP cipher, which employs Boolean functions that are evaluated only on specific subsets of $\mathbb{F}_2^n$. In this article, we study Weightwise Almost Perfectly Balanced (WAPB) functions, which are almost balanced on each of these subsets. While WAPB functions have been of great interest for new constructions recently, some aspects, such as resilience remain poorly understood. As such, we take a first step at characterizing the resilience of WAPB functions, through their properties as correctors. We highlight its close connection with the restricted Walsh transform and uncover an algebraic relation between Krawtchouk matrices and Vandermonde matrices, which reduces the problem of determining the corrector order of a WAPB function to a particular instance of the Prouhet-Tarry-Escott problem. This reduction helps us show that for infinitely many integers $n$, WAPB functions in $n$ variables have corrector order tightly upper bounded by the Hamming weight of $n$ minus one. We conjecture that this observation holds for any positive integer $n$, which is verified for $n$ up to $62$.
## 2026/839
* Title: Efficient Non-Interactive Key Refresh with Multiple Independent Refreshers for Threshold Cryptography
* Authors: Dragan Lambić
* [Permalink](https://eprint.iacr.org/2026/839)
* [Download](https://eprint.iacr.org/2026/839.pdf)
### Abstract
In this paper a novel key refresh architecture using multiple independent third-party refreshers, to eliminate the centralized trust required by single-dealer approaches, is presented. Each refresher independently maintains and refreshes a split of its share, distributing fragments to signing parties asynchronously without coordination. This eliminates the need for coordinated interaction required by committee-based refresh protocols, avoiding substantial communication overhead and synchronization complexity. The architectural separation, where signing parties never participate in refresh and refreshing parties never participate in signing, enables efficient proactive security without disrupting operational availability. The proposed design does not require all refreshers to participate in each refresh operation. Unavailable refreshers are not excluded from the protocol, only malicious ones that deviate from protocol rules. This provides graceful degradation: the system maintains confidentiality even when all refreshers are compromised (requiring only one honest signing party) and achieves proactive security with minimal participation (requiring only one honest refresher between compromise events). This approach extends the period between costly on-chain key rotations by maintaining security through continuous off-chain refresh. Key rotation should be carried out when very few honest refreshers remain. Security under various adversarial scenarios is proven, including malicious refreshers, cross-epoch compromises, and denial-of-service attacks, demonstrating $O(k)$ communication per refresh for k participating refreshers versus $O(n^2)$ for committee-based protocols. The proposed approach is particularly suited for high-availability systems requiring frequent or continuous key refresh, including cryptocurrency wallets and distributed key management.
## 2026/840
* Title: All You Need Is Addition
* Authors: Dimitrios Schoinianakis
* [Permalink](https://eprint.iacr.org/2026/840)
* [Download](https://eprint.iacr.org/2026/840.pdf)
### Abstract
A practical acceleration framework for CKKS homomorphic encryption is proposed, in which multiplication-heavy sub-circuits are evaluated by adding encrypted log-magnitudes rather than multiplying ciphertexts. This logarithmic-number-system (LNS) representation consumes no multiplicative levels; a lightweight interactive refresh operation re-enters the linear CKKS domain whenever additive accumulation is required, avoiding bootstrapping entirely. Three execution strategies (an automatic planner, a client-side accumulation variant, and a server-side re-encryption variant) are mechanized in an OpenFHE-based runtime under 128-bit classical security and evaluated on a deep multiplication chain and an attention-like pipeline across three network environments. On the attention pipeline, the linear baseline requires a ring degree of 65,536 and about 2.9 GB of public-context material, whereas LNS operates at a ring degree of 8,192 with about 50 MB, a 58x context reduction yielding 22-36x end-to-end speedup and up to 46x payload reduction. On the multiplication chain the gap widens with depth, from about 10x speedup and 26x payload reduction at L=8 matrices, to 35x and 98x at L=20, because LNS context requirements are decoupled from multiplicative depth while the linear baseline must escalate its ring degree to maintain accuracy and security.
## 2026/841
* Title: HAKE: Efficient Hardware Accelerator for Key Generation of Post-Quantum Signature Scheme PERK
* Authors: Brendan Funk, Tianyou Bao, Loïc Bidoux, Jiafeng Xie
* [Permalink](https://eprint.iacr.org/2026/841)
* [Download](https://eprint.iacr.org/2026/841.pdf)
### Abstract
The rapid progress in quantum computing has sparked a new wave of cryptosystem innovation, namely, the development of cryptographic schemes that are resistant to quantum attacks, known as Post-Quantum Cryptography (PQC). Notably, the National Institute of Standards and Technology (NIST) has already initiated the PQC standardization process with several algorithms selected. Meanwhile, an additional round of digital signature scheme competition is ongoing. Following the standardization efforts, many investigations in the field have gradually switched to the implementation side (especially on the hardware platform aspect). This paper follows this trend by delivering an efficient Hardware Accelerator for Key Generation of the digital signature scheme PERK (HAKE), which is one of the promising candidates in the NIST additional round of digital signature scheme standardization. Apart from that, we have followed PERK's recent update to design two versions of Key Generation accelerators, one based on the previous PERK specification and another based on the newly released specification. Overall, we have conducted three major efforts to obtain the proposed accelerators. (i) We have broken down the Key Generation process of PERK into three distinct components through detailed algorithmic analysis, and meanwhile, we have proposed innovative methodologies to reduce these components' hardware design complexities. (ii) We have developed dedicated hardware microarchitectures for these components to construct the Key Generation accelerator (HAKE). (iii) We have conducted detailed implementation and comparison to showcase the efficiency of the proposed accelerator. For instance, the proposed accelerator (following the previous PERK specification) is found to be 14.3$\times$ faster than the software implementation and to have lower area-time complexity than other recent NIST-selected SPHINCS$^+$ hardware accelerators.
Overall, our design is highly efficient and configurable, and it is the first hardware accelerator for Key Generation of PERK, to the best of our knowledge. This research will be beneficial for the ongoing NIST PQC standardization and hardware acceleration for related schemes, and should attract many follow-up works in the field.
## 2026/842
* Title: Secure Integrated Sensing and Communication: Information Theory Offers Insights
* Authors: Truman Welling, Onur Gunlu, Aylin Yener
* [Permalink](https://eprint.iacr.org/2026/842)
* [Download](https://eprint.iacr.org/2026/842.pdf)
### Abstract
Integrated sensing and communication (ISAC) combines sensing and communication within a shared system framework by using the same transmitted signal for both objectives. ISAC can improve the efficiency of spectrum and hardware use but also gives rise to new security challenges, as users associated with one function may need to be prevented from inferring information related to the other. This paper surveys information-theoretic approaches to secure ISAC with emphasis on formulations, performance metrics, and fundamental limits. We first review the information-theoretic ISAC models that underlie secure formulations. We then organize the secure ISAC literature according to the protected functionality and the adversary model, covering secure communication, sensing security, and active-adversary settings such as jamming. We also discuss formulations in which communication security and sensing security interact more directly, as well as their connections to privacy and covert communication. Throughout, we highlight the main modeling assumptions and the insights they provide on the tradeoffs among communication reliability, sensing performance, and security.
## 2026/843
* Title: Toward Practical Fair Data Exchange: Eliminating In-Circuit Public-Key Operations
* Authors: Dongwook Kim, Jihye Kim, Hyunok Oh
* [Permalink](https://eprint.iacr.org/2026/843)
* [Download](https://eprint.iacr.org/2026/843.pdf)
### Abstract
Code-based fair data exchange (FDE) substantially reduces client work by checking only a Fiat-Shamir sample of a redundant Reed-Solomon codeword. The most practical prior construction, VECK$^{\star}_{\mathrm{EL}}$, still pays a large prover cost because sampled ElGamal consistency is enforced inside the SNARK circuit.
We present a code-based FDE construction that removes these sampled in-circuit ElGamal gadgets. The ciphertext is produced by hash-based masking, sampled consistency with the committed file is certified by KZG commitments, and a small commit-and-prove SNARK checks masking, interpolation, and the key relation $vk = h^{sk}$. CP-linking is used to bind the hidden opening value $u_\alpha$ to $U_\alpha = g_1^{u_\alpha}$.
This change reduces the SNARK constraint count by about $20\times$ and, in our benchmark instantiation, allows the implementation to use BLS12-381 directly instead of the curve cycle required by VECK$^{\star}_{\mathrm{EL}}$. For $2^{20}$ scalar-field elements in that instantiation, our prover time is 3.07 seconds at sample size 512 and 3.8 seconds at sample size 1024, compared with 21.7 and 41 seconds for VECK$^{\star}_{\mathrm{EL}}$. Verification remains sample-size dependent but file-size independent after the ciphertext transcript is fixed, and takes 10-21 ms in our implementation.