From Newsgroup: sci.crypt

## In this issue
1. [2025/1502] CARPOOL: Secure And Reliable Proof of Location
2. [2025/1506] Superposition Attacks Against LPN-Based ...
3. [2025/1830] A New Approach to Improved PNB-based Attacks on ...
4. [2026/10] Third-Party Moderation of Abuse Reports for End-to- ...
5. [2026/175] Implementable Witness Encryption from Arithmetic ...
6. [2026/258] Lightning, Field-Agnostic Super-Efficient ...
7. [2026/312] RISQrypt: Fast, Secure and Agile Hardware-Software ...
8. [2026/369] Issuer-Hiding for BBS Anonymous Credentials via ...
9. [2026/848] PPML Is More Vulnerable to Cryptanalytic Extraction ...
10. [2026/855] Zinc+: SNARKs for Polynomial Rings
11. [2026/856] MERIDIAN: A Toroid-Inspired Permutation Block ...
12. [2026/865] Secret-Key PIR from One-Way Functions
13. [2026/873] Adaptor Signature Schemes with Deniable Presignatures
14. [2026/874] Hybrid PoA on Aztec: Proof of Asset Ownership over ...
15. [2026/875] Comparative Performance Analysis of MILP Solvers ...
16. [2026/876] An AI-Driven Post-Quantum Cryptographically Secure ...
17. [2026/877] Post-Quantum Public-Key Pseudorandom Correlation ...
18. [2026/878] Verifiable Anomaly and Similarity Detection Using ...
19. [2026/879] Accountable Fair Exchange Protocols on Blockchain
20. [2026/880] On the Common Bias of Majorities: Poly-Time Attacks ...
21. [2026/881] Unique SNARGs with Adaptive Security: Constructions ...
22. [2026/882] Abuse Reporting and Enforcement for Third-Party ...
23. [2026/883] Secure Two-Party Quantum Computation with Complete ...
24. [2026/884] Formalizing and Strengthening the Security Proof of ...
25. [2026/885] Optimized Final Exponentiation for Optimal Ate ...
26. [2026/886] From NIZK Arguments to ZAPs, Generically
27. [2026/887] Probabilistic Atomic Swaps for Bitcoin and Friends
28. [2026/888] BlindReview: Anonymous and End-to-End Verifiable ...
29. [2026/889] RingSLIP: Ring Signatures from the Lattice ...
30. [2026/890] Cryptanalysis of Definite and Indefinite Lattice ...
31. [2026/891] Interleaving Stability for Mutual Correlated ...
32. [2026/892] Adaptive Distributed Key Generation for Discrete- ...
33. [2026/893] The Joint Channel Threshold: Selfish Mining Below ...
34. [2026/894] HumBird: Rotating Leader BFT made Simple and Fast
35. [2026/895] On the Properties of HighBits and LowBits Functions ...
36. [2026/896] CORAL Faster Isogeny Group Action for Post-Quantum NIKE
37. [2026/897] SEFA: A Secure, Efficient, and Flexible Algorithm ...
38. [2026/898] Bluestreak: Scaling DAG BFT by Sparsifying Metadata
39. [2026/899] VCVio: Verified Cryptography in Lean via Oracle ...
40. [2026/900] Secure Protocol Composition under Dynamic ...
41. [2026/901] Threshold (T)FHE without smudging by means of ...
42. [2026/902] End-to-End Polynomial-Time Cryptanalytic Extraction ...
43. [2026/903] Magic Pot: Cryptanalysis of full AIM2 in the ...
44. [2026/904] Sponsored Fair Exchange (Extended Abstract)
45. [2026/905] Maintaining Sublinear Locality Over Time: ...
46. [2026/906] An analysis of a weakened version of PRISM
47. [2026/907] Zero-Knowledge Proofs for Gradient Boosted Decision ...
48. [2026/908] Titan: Efficient Polynomial Commitments from IOPs ...
49. [2026/909] On Succinct Non-Interactive Secure Computation with ...
50. [2026/910] UnifOMR: Oblivious Message Retrieval with Near- ...
51. [2026/911] UC4Free! Existing Threshold Signatures are UC Secure
52. [2026/912] Improved TensorPIR: Single-Server PIR with Lower ...
53. [2026/913] Algorithmic Toolkit for Linearization of S-boxes
## 2025/1502
* Title: CARPOOL: Secure And Reliable Proof of Location
* Authors: Sayon Duttagupta, Dave Singel|-e, Xavier Carpent, Takahito Yoshizawa, Farhad Aghili, Aysajan Abidin, Bart Preneel
* [Permalink](https://eprint.iacr.org/2025/1502)
* [Download](https://eprint.iacr.org/2025/1502.pdf)
### Abstract
Multiple authentication solutions are widely deployed, such as OTP/TOTP/HOTP codes, hardware tokens, PINs, or biometrics. However, in practice, one sometimes needs to authenticate not only the user but also their location. The current state-of-the-art secure localisation schemes are either unreliable or insecure, or require additional hardware to reliably prove the user's location. This paper proposes CARPOOL, a novel, secure, and reliable approach to affirm the location of the user by solely relying on location-bounded interactions with commercial off-the-shelf devices. Our solution does not require any additional hardware, leverages devices already present in a given environment, and can be integrated effortlessly with existing security components, such as identity and access control systems. To demonstrate the feasibility of our work and to show that it can be deployed in a realistic closed environment setting, we implemented a proof of concept realisation of CARPOOL on an Android phone and multiple Raspberry Pi boards and integrated CARPOOL with Amazon Web Services (AWS) Cognito.
## 2025/1506
* Title: Superposition Attacks Against LPN-Based Authentication Protocols
* Authors: Carlos Cid, David Elkouss, Manuel Goul|uo
* [Permalink](https://eprint.iacr.org/2025/1506)
* [Download](https://eprint.iacr.org/2025/1506.pdf)
### Abstract
Quantum security most commonly encompasses only offline passive quantum attacks, where a quantum computer is used by an adversary to solve some computationally hard problem, e.g. factoring or discrete logarithm. However, we are witnessing major efforts for the development and deployment of quantum communication networks, and in this environment, cryptographic protocols may also be implemented in quantum devices. In this new setting, a wider range of online active attacks may become possible, for example against targets that may, either deliberately or inadvertently, run a cryptographic scheme in superposition. In this work, we demonstrate that authentication protocols whose security is based on the difficulty of learning linear functions subject to errors may be vulnerable to attacks where adversaries can make queries in superposition rCo that is, under the so-called rCLQ2rCY adversarial model. We do so by describing superposition attacks against a family of symmetric-key authentication protocols based on the LPN problem, a post-quantum cryptography assumption. Our attacks against the HB+ and HB# protocols, both of which have classical proofs of security against active attacks, are based on the Bernstein-Vazirani algorithm, and can efficiently recover the secret key. Despite being conceptually simple, we suggest that our attack techniques might be extended and adapted to also allow for superposition attacks against some modern lattice-based identification and post-quantum signature schemes.
## 2025/1830
* Title: A New Approach to Improved PNB-based Attacks on Reduced-round ChaCha and Salsa
* Authors: Goutam Paul, Anup Kumar Kundu, Sucheta Chakrabarti
* [Permalink](https://eprint.iacr.org/2025/1830)
* [Download](https://eprint.iacr.org/2025/1830.pdf)
### Abstract
ChaCha and Salsa are two ARX based stream ciphers which are widely used in data encryption including TLS v1.3 standard, VPN software etc. Exploiting Probabilistic Neutral Bits (PNB) is one of the most significant cryptanalysis strategies for reduced-round versions of these ciphers. The seminal work using PNB by Aumasson et al. (FSE 2008) claims that the PNB set mostly depends on the output bit difference occurring in the intermediate round. The subsequent works mainly relied on the differential or differential-linear cryptanalysis, or multiple distinct input-output differentials for which the bias is higher than a threshold in the intermediate round. In this paper, we propose a new PNB set construction based on multiple output bit differences with respect to a single input bit difference only. We exploit the differentials to mount key recovery attacks using a multi-step procedure depending on our new PNB set. Our attack achieves a time complexity of $2^{167.90}$ for ChaCha20/7 and $2^{183.54}$ for Salsa20/8 in 256-bit versions, beating all the existing PNB-based attacks on ChaCha20/7 and Salsa20/8 by a significant margin. Further, both our time and data complexities for ChaCha20/7.5 are better than the latest published works by Fl||rez-Guti|-rrez and Todo (Eurocrypt 2025 and Asiacrypt 2025). For 128-bit versions, our attack procedure results in a time complexity of $2^{115.24}$ for ChaCha20/6.5 and $2^{98.40}$ for Salsa20/7.5 respectively. We have also verified our attack experimentally on a published toy version of ChaCha (FSE 2023).
## 2026/10
* Title: Third-Party Moderation of Abuse Reports for End-to-End Encrypted Messaging with Multiple Moderators
* Authors: Matthew Gregoire, Gabriel Schell, Saba Eskandarian
* [Permalink](https://eprint.iacr.org/2026/010)
* [Download](https://eprint.iacr.org/2026/010.pdf)
### Abstract
Abuse reporting tools like message franking allow end-to-end encrypted (E2EE) messaging platforms to verify user-generated abuse reports as part of their platform content moderation policies. While the lightweight message franking protocol deployed by WhatsApp and Meta's Messenger is designed with the assumption that the moderator and the platform processing messages are the same entity, proposals for other message franking-style protocols allow for a separation between the platform and moderator, albeit at a higher cost.
This paper introduces new techniques for third-party moderation on E2EE messaging platforms. First, we develop a simple scheme with near-optimal performance that matches the cost of the deployed scheme on the client side, and we demonstrate the inherent necessity of increased server-side costs.
Next, we introduce new techniques that allow E2EE messaging platforms to work with multiple vetted moderators, giving users options in their choice of moderators for messages they send to their friends. Verifiable abuse reporting in a multi-moderator setting requires new security notions to capture deniability requirements with respect to the platform and other moderators, as well as new privacy requirements with respect to users' choices of moderator(s). We comprehensively study these requirements and propose protocols for verifiable abuse reporting in this setting, offering a range of security and performance tradeoffs for different deployment scenarios. We evaluate the performance of our proposed schemes, showing that in many cases they match or exceed the performance of prior schemes that only support a single moderator.
## 2026/175
* Title: Implementable Witness Encryption from Arithmetic Affine Determinant Programs
* Authors: Lev Soukhanov, Yaroslav Rebenko, Muhammad El Gebali, Mikhail Komarov, Handan Kilinc-Alper, Michel Abdalla, Patrick Towa
* [Permalink](https://eprint.iacr.org/2026/175)
* [Download](https://eprint.iacr.org/2026/175.pdf)
### Abstract
Witness encryption (WE) for general NP remains challenging to realize with practical efficiency.
A natural approach is to combine WE with SNARKs to obtain succinct witnesses; however, embedding general-purpose SNARK verification into existing WE constructions leads to prohibitive overhead. We introduce arithmetic affine determinant programs (AADPs), a variant of affine determinant programs designed to natively support arithmetic constraint systems. This enables direct expression of SNARK verification. To address security challenges in the arithmetic setting, we define projectively safe constraint systems and develop algebraic gadgets that preserve this property.
Using these components, we construct a WE scheme for all NP languages based on AADPs, instantiated with a tailored SNARK. Our estimates indicate ciphertext sizes on the order of hundreds of
terabytes at 100-bit security, which, to the best of our knowledge, is the most efficient instantiation of WE for general NP.
## 2026/258
* Title: Lightning, Field-Agnostic Super-Efficient Polynomial Commitment Scheme * Authors: Wenjie Qu, Yanpei Guo, Jiaheng Zhang
* [Permalink](https://eprint.iacr.org/2026/258)
* [Download](https://eprint.iacr.org/2026/258.pdf)
### Abstract
Polynomial commitment schemes (PCS) are a fundamental building block of modern zkSNARKs.
In this paper, we propose \emph{Lightning}, a new coding-based PCS that achieves state-of-the-art prover efficiency.
Our main technical contribution is a new linear code family, the \emph{Lightning code}, which can be instantiated from any base code with constant relative distance.
Compared to the base code, Lightning code significantly reduces encoding cost by trading off relative distance.
We integrate Lightning code into the standard coding-based PCS framework of Ligero and Brakedown.
Experimental results show that Lightning PCS reduces prover commitment time by up to $2.3\times$ compared to the fastest prover configuration of Brakedown, at the cost of a $2.1\times$ increase in proof size.
Overall, Lightning provides a practical mechanism for trading proof size for prover efficiency in coding-based PCS constructions.
## 2026/312
* Title: RISQrypt: Fast, Secure and Agile Hardware-Software Co-Design for Post-Quantum Cryptography
* Authors: Tolun Tosun, At-#l Utku Ay, Quinten Norga, Suparna Kundu, Melik Yaz-#c-#, Erkay Sava+f, Ingrid Verbauwhede
* [Permalink](https://eprint.iacr.org/2026/312)
* [Download](https://eprint.iacr.org/2026/312.pdf)
### Abstract
In this paper, we present RISQrypt, the first unified architecture in the literature that implements Kyber (ML-KEM) and Dilithium (ML-DSA), standardized lattice-based Post-Quantum Cryptography (PQC) algorithms, with masking. RISQrypt is a hardwarerCosoftware co-design framework that integrates dedicated cryptographic accelerators to speed up polynomial arithmetic, hashing, and mask-conversion operations, the latter being one of the primary bottlenecks in masked implementations of lattice-based PQC. Our design achieves low latency while providing both theoretical and practical side-channel security, as validated through experimental evaluation. Specifically, the masked decapsulation of Kyber768 requires 109K clock cycles, while masked signing of Dilithium3 requires 1230K clock cycles on average. These results demonstrate 11.3x time-performance improvement over existing masked implementations. Our time performance results for unprotected functions also outperform the existing work; achieving speed-ups of 10.64x and 8.94x for Kyber's encapsulation and decapsulation algorithms, respectively, and 1.14x and 2.23x or DilithiumrCOs signature generation and verification algorithms, respectively, when compared to existing designs with similar resource usage. In addition, prior designs are more limited in scope, generally supporting only a single scheme and lacking either the side-channel protection or the unified, crypto-agile framework that enables support for both Kyber and Dilithium as in our architecture. Leveraging the HW/SW co-design approach, our proposed architecture can be readily extended to support other PQC standards such as Falcon and SPHINCS+, as well as algorithms sharing similar computational building blocks, through firmware reprogramming.
## 2026/369
* Title: Issuer-Hiding for BBS Anonymous Credentials via Randomizable Keys
* Authors: Andrea Flamini, Karla Friedrichs, Anja Lehmann
* [Permalink](https://eprint.iacr.org/2026/369)
* [Download](https://eprint.iacr.org/2026/369.pdf)
### Abstract
Anonymous credentials (AC) equip users with credentials on attested attributes, which enable them to prove verifiable yet data-minimizing statements over their attributes. However, in standard ACs, each credential presentation reveals the credential issuer, which could be more information than intended and necessary, e.g., when merely proving age or personhood. Issuer-Hiding Anonymous Credentials (IHAC) address this limitation and hide the issuer in the presentation. That is, they only reveal that the user has a credential from an issuer within a certain trust set, referred to as the policy. Recent works by Sanders and
Traor|-, and Katz and Sefranek show how to add issuer-hiding to PS- and BBS-based credentials while keeping presentations compact, i.e., not scaling in the number of issuers. However, both constructions require the verifier to generate dedicated policy key pairs, turning verification into a secret key operation. Managing these verifier-specific keys introduces additional complexity and affects the resulting practical privacy and security guarantees. In this work, we propose two IHAC schemes from BBS signatures that achieve compact presentations without the need of such verifier-specific keys. At the core of our schemes is a technique to randomize BBS public keys and adapt the signatures accordingly, which we believe to be of independent interest.
## 2026/848
* Title: PPML Is More Vulnerable to Cryptanalytic Extraction Attacks
* Authors: Wen Zhang, Bingsheng Zhang, Tianpei Lu, Kui Ren
* [Permalink](https://eprint.iacr.org/2026/848)
* [Download](https://eprint.iacr.org/2026/848.pdf)
### Abstract
With the expansion of Machine Learning as a Service (MLaaS), Secure Multi-Party Computation (MPC) is widely used to protect the privacy of both proprietary models and client data during inference.
To achieve practical performance, these protocols typically rely on fixed-point arithmetic over finite rings. However, this design choice introduces a unique arithmetic vulnerability: silent modular wraparound.
In this paper, we propose a novel model extraction attack that actively exploits this behavior to accurately recover neural network parameters.
Unlike existing methods that heavily rely on the non-differentiable points of piecewise linear activation functions (e.g., ReLU [CRYPTO 20, EUROCRYPT 25]), our attack leverages the discontinuous jumps triggered by modular wraparound. We successfully extract parameters from networks employing smooth activation functions (e.g., Swish, GELU) and effectively handle expansive network architectures where previous differential attacks fail.
We present polynomial-time algorithms for recovering neuron signatures, norms, and signs, demonstrating that our approach remains highly robust even in restricted black-box scenarios where only top-1 label and probability are available to the attacker.
Rigorous theoretical proofs and signal-to-interference ratio (SIR) analyses confirm that our sign recovery method significantly outperforms existing neuron wiggle techniques [EUROCRYPT24].
## 2026/855
* Title: Zinc+: SNARKs for Polynomial Rings
* Authors: Alexander Abdugafarov, Albert Garreta, Amit Kumar, Micha+e Osadnik, Psi Vesely, Ilia Vlasov, Kai Zhe Zheng
* [Permalink](https://eprint.iacr.org/2026/855)
* [Download](https://eprint.iacr.org/2026/855.pdf)
### Abstract
Nearly all succinct proof systems express computations as algebraic constraints over a finite field. Operations not native to this field, such as bitwise manipulation, modular arithmetic, and lattice-ring operations, require an arithmetization step that can inflate the witness size by one or more orders of magnitude.
We introduce Universal Constraint Systems (UCS) and Zinc$+$. The first is a relation that can express the above constraints with minimal overhead. The second is a framework for building SNARKs for UCS. Concretely, UCS consists of algebraic constraints and ideal membership predicates over multiple polynomial rings simultaneously, such as $\mathbb{F}_q[X], \mathbb{Q}[X], \mathbb{Z}[X]$, etc.
Zinc$+$ SNARKs are built from 1) a PIOP for UCS, and 2) a hash-based IOPP for multilinear polynomials over $R=\mathbb{Q}[X]$ or $R=\mathbb{F}_q[X]$. For 1), we provide a general compiler that takes standard finite-field PIOPs and turns them into a PIOP for UCS. The IOPP in 2) depends on $R$: for $R=\mathbb{F}_q[X]$, we construct it via a black-box lift of any existing IOPP for $\mathbb{F}_q$, and for $R=\mathbb{Q}[X]$, we present a novel tensor IOPP design, instantiated with the new code family below.
We introduce Integer Pseudo-Reed Solomon (IPRS) codes, a new family of MDS codes over $\mathbb{Q}$ and $\mathbb{Q}[X]$. While not Reed-Solomon codes, these codes have optimal MDS relative minimal distance, support efficient FFT-based encoding, and have bounded norm growth when encoding (unlike a na|>ve lift of Reed-Solomon codes to the integers).
Our unoptimized, open-source, implementation proves 7 SHA-256 compressions followed by the multi-scalar multiplication (MSM) part of an ECDSA verification (the bulk of the work), with the following performance, benchmarked on a MacBook Air M4, without zero-knowledge:
Prover time: 40.6 ms, Verifier time: 7.0 ms, Proof size: 198 KB.
Zinc$+$ can be instantiated end-to-end or as a lightweight extension to any existing hash-based SNARK over~$\mathbb{F}_q$.
## 2026/856
* Title: MERIDIAN: A Toroid-Inspired Permutation Block Cipher for Constrained Environments
* Authors: Basker Palaniswamy, Paolo Palmieri, Ashok Kumar Das, Ruei-Hau Hsu
* [Permalink](https://eprint.iacr.org/2026/856)
* [Download](https://eprint.iacr.org/2026/856.pdf)
### Abstract
We introduce MERIDIAN, a 128-bit block cipher designed for resource-constrained environments as a lightweight alternative to AES-128. MERIDIAN retains the AES-128 interface, including a 128-bit block, 128-bit key, and 4|u4 byte state, while reusing the standard AES S-box. This enables compatibility with existing AES-128 modes such as ECB, CBC, CFB, OFB, CTR, XTS, CMAC, CCM, and GCM, and allows implementations to reuse established S-box ROMs and GF(28) inverse circuits. The cipher is based on three round operations: Directional Substitution (DS), Meridian Diffusion (MD), and Admittance Mixing (AM), followed by a round constant. Its state is represented over the discrete torus Z4 |u Z4. The MD layer combines two orthogonal byte
permutations, meridian and parallel, with column mixing to obtain full byte diffusion within three rounds without requiring MDS multiplication. MERIDIAN uses twelve rounds and avoids an expanded key schedule. We present MILP-verified differential and linear bounds, including exact active-S-box counts up to eleven rounds and a sub-additive bound for twelve rounds. We also provide AES-aligned cryptanalysis covering differential, linear, integral, biclique, slide, related-key, invariant-subspace, fault, meet-in-the-middle, and algebraic attacks. A reproducible fifteen-experiment benchmark suite compares MERIDIAN directly with AES-128, including key agility, cold-start latency, energy, masking cost, memory, throughput, and hardware complexity. Empirical results show that MERIDIAN reaches strict avalanche behavior in three rounds, matches AES-128 in entropy and NIST SP 800-22 fitness, reduces unrolled gate count, lowers RAM usage, and improves constrained-device efficiency. MERIDIAN is proposed as a research prototype for further public cryptanalysis.
## 2026/865
* Title: Secret-Key PIR from One-Way Functions
* Authors: Nir Bitansky, Noam Mazor
* [Permalink](https://eprint.iacr.org/2026/865)
* [Download](https://eprint.iacr.org/2026/865.pdf)
### Abstract
In secret-key private information retrieval (SK-PIR), the client in an offline phase processes the database using a short secret key. In the online phase the client could then use the secret key to make queries to the server, without revealing the entries accessed, and using only sublinear communication $o(N)$ in the database size $N$. While (non-SK) PIR requires public-key cryptography, recent work provides evidence that SK-PIR may not. In particular, Chen, Ishai, Mour, and Rosen (STOC 26) construct SK-PIR with communication $N^{\varepsilon}$, for any $\varepsilon$, from high-noise LPN, which is not known to imply public-key cryptography.
We construct SK-PIR with online communication $\tilde{O}(\sqrt{N)}$, under the minimal assumption of one-way functions. More generally we can achieve client-to-server communication $\tilde{O}(N_c)$ and server-to-client communication $\tilde{O}(N_s)$ as long as $N_c \cdot N_s \geq N$.
Our construction is simple and is based on garbled circuits with an uncorrelated input encoding property, which is satisfied by schemes from the literature.
## 2026/873
* Title: Adaptor Signature Schemes with Deniable Presignatures
* Authors: Adrian Cinal, Oliwer Sobolewski
* [Permalink](https://eprint.iacr.org/2026/873)
* [Download](https://eprint.iacr.org/2026/873.pdf)
### Abstract
An adaptor signature scheme can be seen as committing to a signature using an NP statement, in such a way that (1) the commitment, called a presignature, is verifiable, (2) the corresponding witness enables opening the commitment (adapting the presignature), and (3) seeing a valid commitment-opening (presignature-signature) pair leaks the witness. In the blockchain space, where signatures (signed transactions) must be broadcast to the public to take effect, this last property allows "forcing" a party to leak a witness for possibly multiple presignatures issued for the same NP statement. This then gives rise to many applications such as atomic swaps or payment channels. Importantly, in prevailing adaptor signature schemes, presignatures are already technically signatures, in that they are non-interactive zero-knowledge proofs of knowledge of the signing key. This has a number of consequences, most important being that the presignature constitutes evidence of intent to participate in a protocol based on adaptor signatures. Perhaps surprisingly, however, for practical applications, this strong "binding" of presignatures turns out to be non-essential. In this work, we revisit the definitions of adaptor signature schemes, demonstrating that prevailing security requirements are too strict for practical applications. To this end, we formally define fair signature exchange (FSE) and abandon the assumption implicit in prior work that adaptor-based FSE must be "symmetric" with both parties using the same adaptor signature scheme. The resulting relaxation of security requirements leads us to the notion of presignature deniability, an extension to adaptor signature schemes that we define formally and construct from various assumptions.
## 2026/874
* Title: Hybrid PoA on Aztec: Proof of Asset Ownership over Public and Private Balances via Hierarchical Proof-Carrying Data
* Authors: Rio Kanehiro, Yohei Watanabe, Mitsugu Iwamoto
* [Permalink](https://eprint.iacr.org/2026/874)
* [Download](https://eprint.iacr.org/2026/874.pdf)
### Abstract
Proof of Assets (PoA) protocols enable custodians to prove ownership of digital assets without revealing their account addresses or corresponding balances. While existing PoA protocols focused on either private or public balances, hybrid-state blockchains such as the Aztec Network involve both. In these systems, private balances are managed by encrypted notes that work similarly to the UTXO model, with only commitments stored on-chain. We present a PoA protocol that supports hybrid balances by combining public-state membership proofs with proofs of ownership over private notes. Since a custodian may control multiple accounts and numerous notes, we employ hierarchical proof-carrying data via recursive zk-SNARK, enabling scalable proving and efficient batch verification. We implement our system using the Noir DSL with the UltraHonk proving backend, and evaluate the performance.
## 2026/875
* Title: Comparative Performance Analysis of MILP Solvers for Cryptanalysis
* Authors: Halil -#brahim Kaplan
* [Permalink](https://eprint.iacr.org/2026/875)
* [Download](https://eprint.iacr.org/2026/875.pdf)
### Abstract
This paper provides a performance comparison of five MILP
solvers applied to related-key differential cryptanalysis of ITUbee [10].
We evaluate three open-source solvers (GLPK, HiGHS, SCIP) and two
commercial solvers (Gurobi, CPLEX) using MILP models for 8, 10, and
12-round attacks. As rounds increase, the number of equations and con-
straints grows exponentially. Experiments used an 11th Gen Intel Core
i7-1165G7 processor with 32 GB of RAM. Commercial solvers (Gurobi
and CPLEX) perform better than open-source options, achieving up to
94|u speedup compared to GLPK for the 12-round model. This work
provides guidance for choosing a solver for MILP-based cryptanalysis.
## 2026/876
* Title: An AI-Driven Post-Quantum Cryptographically Secure Workflow for Collaborative Credit Scoring
* Authors: Daniel Aronoff, Nut Chukamphaeng, Phoochit Witchutanon, Samiran Chanseewong, Koravich Sangkaew, Tutanon Sinthupraisth
* [Permalink](https://eprint.iacr.org/2026/876)
* [Download](https://eprint.iacr.org/2026/876.pdf)
### Abstract
Credit scoring plays a critical role in the financial industry, allowing institutions to evaluate the creditworthiness of potential borrowers. Typically, a model is estimated from repositories of attributes of past borrowers linked to their loan and payments performance. The model is then used to compute an applicant's score. The training and customer data are subject to regulations that require privacy of financial records. This creates a tension between the full utilization of available data and the prevention of leakage. Recently, the tension has intensified from, on one hand, improvement in AI methods to utilize data from nontraditional sources to develop prediction models and, on the other hand, increased concern over the vulnerability of encrypted data to penetration from quantum computers. We present a credit score workflow that addresses both issues by using AI methods to estimate a credit score model in a collaborative setting, combined with post-quantum cryptographic methods to protect data. We develop a ``toy'' workflow which can form a base for more complex ``real world'' implementations. We provide links to a code-base.
## 2026/877
* Title: Post-Quantum Public-Key Pseudorandom Correlation Functions for OT
* Authors: Shweta Agrawal, Kaartik Bhushan, Geoffroy Couteau, Mahshid Riahinia * [Permalink](https://eprint.iacr.org/2026/877)
* [Download](https://eprint.iacr.org/2026/877.pdf)
### Abstract
Public-key pseudorandom correlation functions (PK-PCF) are an exciting recent primitive introduced to enable "non-interactive key exchange for secure computation". Despite significant advances in the group-based setting, success in the post-quantum regime has been much more limited. To the best of our knowledge, there does not exist even a single efficient candidate post-quantum PK-PCF for the standard string oblivious transfer (OT) correlation.

In this work, we address this gap by constructing the first efficient lattice-based public-key PCF for the string OT correlation. Our PK-PCF generates a few hundred OTs per second, and requires a large but manageable public key size (a few hundred megabytes). In contrast, the only previous lattice-based non-public-key PCF, proposed in the very recent work of Hasler, Reisert and K|+sters (Asiacrypt 2025), can generate up to 9 OT/s and has key sizes of several gigabytes.

At the heart of our result lie several technical contributions that might be of independent interest. In particular, we introduce the first efficient lattice-based constrained pseudorandom functions for low-degree polynomials, from a new but natural "secret-power" variant of ring learning with errors. Our assumption is non-interactive and falsifiable, and we carefully analyze it for attacks. Additionally, we introduce a new packing mechanism compatible with local rounding of noisy shares from a "truncated" variant of our previous assumption, which allows further efficiency.

We remark that in the pre-quantum regime, the state of art for PK-PCF only two years ago was 1 OT/s, while they now clock at ~30k OT/s. We are optimistic that our construction will follow a similar trajectory.
## 2026/878
* Title: Verifiable Anomaly and Similarity Detection Using Matrix Profile in Private Time-series
* Authors: Xavier Bultel, Charl|?ne Jojon, Benjamin Nguyen, Haoying Zhang
* [Permalink](https://eprint.iacr.org/2026/878)
* [Download](https://eprint.iacr.org/2026/878.pdf)
### Abstract
Analyzing time-series databases in a privacy-preserving manner has gained significant attention, especially when the data contains sensitive personal information such as medical records or spatio-temporal data such as trajectories. Motivated by scenarios where a user must show whether an anomaly (or similarity) is detected in a time series containing sensitive data, we propose a toolkit for proving these properties on (committed) private time series. We leverage Matrix Profile (MP), a state-of-the-art data-mining structure, to detect subsequence anomalies and similarities in time series, in contrast to many works that only detect anomalies and similarities on complete time series. As recent findings have shown, the aggregated data used by MP (such as subsequence distances or MP values) leak critical information about the time series. It is therefore crucial to consider a strong adversary model where all information other than the presence or absence of anomalies/similarities remains protected. To guarantee this, we propose a combination of commitment and zero-knowledge proof systems that ensure both the validity of the proven result and the (unconditional) protection of the time series. The proposed schemes maintain reasonable execution times, even for large real-time time series.
## 2026/879
* Title: Accountable Fair Exchange Protocols on Blockchain
* Authors: Riku Mochizuki, Ryosuke Abe, Shigeya Suzuki
* [Permalink](https://eprint.iacr.org/2026/879)
* [Download](https://eprint.iacr.org/2026/879.pdf)
### Abstract
Fair exchange protocols on blockchain enable atomic exchange of digital goods and cryptocurrency between untrusted parties.
Two prominent protocols, Zero-Knowledge Contingent Payment (ZKCP) and FairSwap, guarantee fairness: either both parties receive the expected items (digital goods and cryptocurrency) or neither does.
However, both protocols lack accountability: when an exchange terminates abnormally, the protocol cannot identify which party caused the failure.
This lack of accountability undermines the applicability of fair exchange protocols in decentralized settings.
To fill this gap, we identify the common accountability issue in both protocols and revise them by adding signature exchange and chaining.
We formally define the revised protocols in the universal composability framework and provide a proof sketch, and measure the computational overhead of the revised protocols in our implementation and experiment.
## 2026/880
* Title: On the Common Bias of Majorities: Poly-Time Attacks on THR-XOR PRGs
* Authors: Antonio Giulio DrCOAntona, Pierrick M|-aux, Akin |Lnal
* [Permalink](https://eprint.iacr.org/2026/880)
* [Download](https://eprint.iacr.org/2026/880.pdf)
### Abstract
Pseudorandom Generators (PRGs) based on Threshold-XOR predicates with large locality and high stretches have recently gained traction, since they lend themselves as shallow weak Pseudorandom Functions (PRFs) to fast multiparty computation protocols. In this work, we present novel fast attacks on such PRGs that achieve substantial advantages. Concretely, we break the security levels of most parameters collected by Boura, Couteau, Perrin and Rotella (ToSC'25), as well as those proposed by Fu, Li, Lyu and Liu (EC'26). On the asymptotic side, we prove that our attacks achieve an advantage of $n^{-n/a}$ where $n$ denotes the seed length and $a$ the locality of threshold predicates. As a consequence, when $a \in \Theta(n)$, we get poly-time attacks with noticeable advantage. These results close current gaps on the theoretical study of THR-XOR based Goldreich PRGs.
Additionally, we demonstrate how the attack advantage can be amplified for PRGs with large output lengths (which are common in the context of weak PRFs). Finally, we discuss alternative predicates for Goldreich PRGs that resist all currently known attacks.
## 2026/881
* Title: Unique SNARGs with Adaptive Security: Constructions and Black-Box Separations
* Authors: Cody Freitag, Daniel Wichs
* [Permalink](https://eprint.iacr.org/2026/881)
* [Download](https://eprint.iacr.org/2026/881.pdf)
### Abstract
Succinct non-interactive arguments (SNARGs) for NP allow an efficient prover to convince a verifier that an NP statement is true with a proof that is much shorter than the original NP witness. Gentry and Wichs (STOC rCO11) showed that adaptive soundness of such SNARGs cannot be proven via a black-box reduction from any falsifiable assumption. However, recent works by Waters, Wu and Zhandry (STOC rCO24, CRYPTO rCO24, CRYPTO rCO25) circumvent this negative result by relying on subexponential hardness assumptions and having a long common reference string (CRS) that is longer than the statement size.
In this work, we study unique SNARGs where each statement has at most one accepting proof. The above constructions of adaptively sound SNARGs are not unique and crucially rely on the existence of multiple valid proofs in their security analysis. We explore to what extent this is inherent as follows:
- On the negative side, we give a strengthened Gentry-Wichs style black-box separation for the case of perfectly complete and unique SNARGs for NP with adaptive security. Our black-box separation extends even to reductions that rely on subexponentially hard
falsifiable assumptions and to SNARGs that have an arbitrarily long CRS.
- On the positive side, we construct perfectly unique and adaptively secure SNARGs for NP with a long CRS based on subexponentially hard one-way functions and indistinguishability obfuscation. We do so by relaxing perfect completeness and allowing for a negligible completeness error. This is the first unique SNARG with a proof of adaptive security from falsifiable assumptions, even restricted to P
## 2026/882
* Title: Abuse Reporting and Enforcement for Third-Party Moderators in Private Messaging
* Authors: Matthew Gregoire, Jade Keegan, Saba Eskandarian
* [Permalink](https://eprint.iacr.org/2026/882)
* [Download](https://eprint.iacr.org/2026/882.pdf)
### Abstract
We introduce new techniques for verifiable reporting of abusive messages in private messaging platforms. Our techniques are compatible with both metadata-hiding messaging systems, where the platform does not know who speaks to whom, and with third-party moderation, where the platform is not involved in the process of verifying or judging reported content.
While prior work in this space considers the question of how a moderator would verify reports, prior works do not address the question of how a moderator and platform would collaborate to enforce moderation decisions. In a setting where the platform does not wish to be involved in or responsible for enforcing moderation decisions, or in federated settings where it is not clear who would be responsible for enforcement, this presents an additional challenge.
Our work solves this problem with a lightweight credentialing and revocation mechanism that does not involve the platform in moderation enforcement at all. In order to support this added functionality, we build on Asymmetric Message Franking (Crypto '19) and improve performance over the original scheme, reducing moderator computation and communication costs to verify reports by $6\times$ and $7\times$, respectively.
## 2026/883
* Title: Secure Two-Party Quantum Computation with Complete Fairness without Trusted Third Party
* Authors: Arpita Maitra, Goutam Paul, Asim K. Pal, Asmita Samanta, Hridam Basu * [Permalink](https://eprint.iacr.org/2026/883)
* [Download](https://eprint.iacr.org/2026/883.pdf)
### Abstract
In 1997, Lo proved that if one of the parties is malicious, it is not possible to achieve unconditional security in quantum bit-commitment (Phy. Rev. Lett, 1997) and hence in two-party quantum computation (Phy. Rev. A, 1997). However, restricting the computational power of the adversary, via assumptions like the existence of one-wayness, it has been shown that secure quantum bit-commitment is indeed possible by Dumais et al. (EUROCRYPT 2000). In their paper, they showed that with the assumption of a one-way permutation that is secure against any polynomial-time quantum adversary, one can achieve a secure quantum bit-commitment scheme. Although security is guaranteed, complete fairness remains an issue in quantum two-party computation for the real-world framework.
In this paper, we show for the first time that there are some functions for which secure two-party quantum computation with complete fairness is achievable. This seems in sharp contrast with the impossibility result of Ben-Or et al. (FOCS, 2006). In Ben-Or et al.'s work, they have considered a malicious quantum adversary with unconditional computational power and used a broadcast channel. We have used the hybrid model idea of Gordon et al. (STOC 2008) using a non-simultaneous channel and the idea of composition of multiparty computations by Ran Canetti (Journal of Cryptology, 2000), to achieve complete fairness in the quantum domain, under the assumption of computationally bounded adversary. The functions we study are of two types (similar to Gordon et al.): one is any function without an embedded XOR, and the other is a particular function containing an embedded XOR.
At first, we design secure two-party computation protocols in a hybrid model, using a trusted third party. Then we prove how these protocols achieve complete fairness in the hybrid model. Finally, we construct a secure two-party communication protocol and show how we can use this to remove the trusted third party of the hybrid model, and achieve both security and complete fairness in the real-world model.
## 2026/884
* Title: Formalizing and Strengthening the Security Proof of NTOR
* Authors: Fran|oois Dupressoir, Kristian Gj|+steen, Cameron Low, Charlotte Mylog
* [Permalink](https://eprint.iacr.org/2026/884)
* [Download](https://eprint.iacr.org/2026/884.pdf)
### Abstract
We present a machine-checked security proof for the NTOR
key exchange protocol, which is used to establish connections in the Tor
onion routing system. It was previously studied by Goldberg et al. (DCC
2013), but within a slightly non-standard model that did not explicitly
capture forward secrecy.
Our proof is fully formalized in EasyCrypt, adding to the still small set
of cryptographic protocols verified in the computational model. A key contribution is a systematic treatment of halting reductions involving
failure events expressed as global properties of the execution. In the
course of this work, we also contributed improvements to the EasyCrypt framework itself.
We prove NTOR secure in a new model of unilaterally authenticated
key exchange that captures forward secrecy, and is intentionally close to established bilaterally AKE models (such as eCK). By examining more
carefully how identities and public keys are used in key exchange proto-
cols, we obtain simpler formal arguments and introduce several variants
of our UAKE security model, connected by general reductions that, in
the case of NTOR, are also realized in EasyCrypt. This allows us to
carry out the main proof in a simpler setting and then derive the desired security guarantee for NTOR via these reductions.
## 2026/885
* Title: Optimized Final Exponentiation for Optimal Ate Pairings Using Cyclotomic Cubing
* Authors: Leila Ben Abdelghani, Walid Haddaji
* [Permalink](https://eprint.iacr.org/2026/885)
* [Download](https://eprint.iacr.org/2026/885.pdf)
### Abstract
Pairing-based cryptography relies heavily on the efficiency of bilinear pairings, the computation of which is dominated by the final exponentiation step. This paper describes an efficient cubing operation in the cyclotomic subgroup of $\mathbb{F}_{q^6}$ for $q\equiv1\mod{6}$. As an application, we use existing results for computing Frobenius maps to optimize the cost of the optimal Ate pairing final exponentiation over the SG54 curve. Furthermore, we introduce a novel decomposition for the hard part of the final exponentiation for this curve. Additionally, we apply established methods for cyclotomic cubing to accelerate the final exponentiation for the BLS15 and BLS27 curves. Compared to previous works, our approach achieves efficiency gains of $24\%$ for SG54 and $22\%$ for the BLS15 and BLS27 curves.
## 2026/886
* Title: From NIZK Arguments to ZAPs, Generically
* Authors: Anish Banerjee, Brent Waters, David J. Wu
* [Permalink](https://eprint.iacr.org/2026/886)
* [Download](https://eprint.iacr.org/2026/886.pdf)
### Abstract
Dwork and Naor (FOCS 2000) showed a generic transformation to construct a ZAP (a two-round public-coin witness-indistinguishable proof) from any non-interactive zero-knowledge (NIZK) proof with statistical soundness in the common random string model. In recent years, a number of works have shown how to construct NIZK arguments in the common random string model from a broad range of assumptions including decisional Diffie-Hellman (DDH), learning with errors (LWE), or combinations of multiple assumptions. While a number of previous works have developed specialized tools to build ZAPs using these same assumptions (through a non-trivial adaptation of the underlying NIZK), a natural question is whether we can generically obtain a ZAP from these NIZK arguments |a la Dwork-Naor.
In this work, we introduce the notion of a sometimes-constricting generator and show how to use it to generically upgrade any computational (resp., statistical) NIZK argument in the common random string model into a computational (resp., statistical) ZAP argument. We then show how to build sometimes-constricting generators from either the DDH assumption (over pairing-free groups) or the LWE assumption. Our transformation immediately allows us to recover constructions of ZAPs from assumptions like DDH or LWE, as well as enables new constructions from different combinations of cryptographic assumptions with properties that were not previously attainable. More broadly, our compiler provides a general mechanism to convert any future NIZK construction in the common random string model into a ZAP.
## 2026/887
* Title: Probabilistic Atomic Swaps for Bitcoin and Friends
* Authors: Paul Gerhart, Jay Taylor, Sri Aravinda Krishnan Thyagarajan
* [Permalink](https://eprint.iacr.org/2026/887)
* [Download](https://eprint.iacr.org/2026/887.pdf)
### Abstract
Atomic swaps are a fundamental primitive for the trustless exchange of digital assets across blockchains: they guarantee that either both parties receive the agreed assets or neither party transfers. While this all-or-nothing guarantee is powerful, it also imposes an inherent determinism that rules out exchanges whose intended outcome is probabilistic. As a result, existing atomic swaps cannot realize trustless exchanges in which one party pays for a fixed chance of receiving a larger asset or reward, as in lotteries, randomized allocation mechanisms, and probabilistic cross-chain trades.
We introduce probabilistic swaps, a new cryptographic primitive that extends atomic swaps to the probabilistic setting.
In a probabilistic swap, one party's transfer is executed with a fixed, publicly specified probability embedded in the protocol and cannot be biased by either party.
This yields a trustless mechanism for randomized exchange with verifiable odds and no trusted intermediary.
Our construction combines adaptor signatures with oblivious pseudorandom functions (OPRFs) to realize the desired probabilistic outcome while ensuring that neither party can predict or bias it in advance. Along the way, we introduce a new mechanism for the atomic exchange of OPRF evaluations for payments, which may be of independent interest.
A key feature of our approach is that it preserves the minimal on-chain footprint of modern atomic-swap protocols. The protocol relies only on standard Bitcoin scripts, such as digital signatures and timelocks, and is deployable on any blockchain that already supports atomic swaps. Consequently, probabilistic swaps are indistinguishable from ordinary on-chain transactions, which helps preserve privacy and fungibility.
We provide formal security foundations and demonstrate practicality through a probabilistic swap between the Bitcoin and Litecoin testnets, as well as in the Lightning Network.
## 2026/888
* Title: BlindReview: Anonymous and End-to-End Verifiable Peer Review
* Authors: Xavier Bultel, Ashley Fraser, Elizabeth A. Quaglia
* [Permalink](https://eprint.iacr.org/2026/888)
* [Download](https://eprint.iacr.org/2026/888.pdf)
### Abstract
We introduce BlindReview, an anonymous and end-to-end verifiable peer review system that cryptographically guarantees both privacy and auditability throughout the reviewing process. We formally define these security properties and provide rigorous proofs that BlindReview satisfies them. We also present an implementation demonstrating our protocolrCOs practicality. This work serves as a foundation for verifiable and privacy-preserving peer review, offering a concrete solution to enhance transparency and reduce bias in the academic peer review process.
## 2026/889
* Title: RingSLIP: Ring Signatures from the Lattice Isomorphism Problem
* Authors: Callum London, Daniel Gardham, Constantin Catalin Dragan
* [Permalink](https://eprint.iacr.org/2026/889)
* [Download](https://eprint.iacr.org/2026/889.pdf)
### Abstract
Ring signatures provide authentication over messages, whilst providing anonymity amongst a set of signer-defined public keys. They see active use in cryptocurrencies, e-voting and concurrent signature domains. However, post-quantum constructions typically rely on lattices, specifically utilising the Learning with Errors (LWE) and Short-Integer-Solution (SIS) problems, which cause inefficiencies when compared with classical constructions.
One promising route to circumvent the inherent challenges of these underlying assumptions is the Lattice Isomorphism Problem (LIP), which underpins the HAWK signature scheme by Ducas et. al, currently a second round candidate in the NIST standardisation project Post Quantum Cryptography: Additional Digital Signature Schemes. It offers significant performance improvements over standard lattice assumptions due to its improved decoding, however, the only known construction of a ring signature from LIP has been shown to not satisfy linkability or correctness.
In this paper we propose RingSLIP, a secure linkable ring signature based on LIP, utilising the HAWK signature. The resulting ring signature is logarithmic in the number of ring members, and concretely has size 46KB when targeting 128 bits of security for 4096 ring members, which is competitive with other lattice-based schemes. Furthermore, we observe that our construction also benefits from online/offline computation, resulting in a signature with online signing and verification only requiring $8.54 \times 10^4$ and $1.48 \times 10^5$ CPU cycles respectively, compared to $1.35 \times 10^{11}$ without these optimisations.
## 2026/890
* Title: Cryptanalysis of Definite and Indefinite Lattice Isomorphism Problems With Applications to HAWK and DEFI
* Authors: Markus Kirschmer, Cong Ling, Ali Sadreddin
* [Permalink](https://eprint.iacr.org/2026/890)
* [Download](https://eprint.iacr.org/2026/890.pdf)
### Abstract
We study the Lattice Isomorphism Problem (LIP) for both indefinite and definite quadratic forms, with applications to the signature schemes DEFI and HAWK. By combining arithmetic and algorithmic techniques, we obtain efficient attacks on DEFIv2, an efficient digital signature scheme based on isotropic quadratic forms. Our approach to the Decision/Distinguishing-LIP draws on the arithmetic theory of quadratic forms, with particular emphasis on indefinite forms of dimension at least~$3$. We show that such forms arise naturally in the analysis of DEFI and prove that, under suitable assumptions, the genus, spinor genus, and equivalence class coincide. This structural collapse leads to a classical polynomial-time algorithm for the Decision/Distinguishing-LIP instances obtained from DEFI. In addition, we present a quantum polynomial-time algorithm for recovering the secret key of DEFIv2 and demonstrate practical signature forgeries within minutes using the authors' public challenge instances. Finally, we evaluate t
## 2026/891
* Title: Interleaving Stability for Mutual Correlated Agreement and Curve Decodability
* Authors: Sunghyeon Jo
* [Permalink](https://eprint.iacr.org/2026/891)
* [Download](https://eprint.iacr.org/2026/891.pdf)
### Abstract
We prove that row-wise interleaving does not impose a linear loss on two coding-theoretic soundness properties used in recent IOP/SNARK analyses: generator mutual correlated agreement and curve decodability.
For generator-MCA, let $G:\Omega\to\mathbb{F}_q^\ell$ be a coefficient generator over a finite seed set and let $C$ be an $\mathbb{F}_q$-additive code. For every interleaving width $s$ and distance parameter $\delta$, we show $$
\varepsilon_G(C,\delta)
\le
\varepsilon_G(C^{\equiv s},\delta)
\le
\left(1+\frac1q+\cdots+\frac1{q^{s-1}}\right)\varepsilon_G(C,\delta).
$$
Moreover, if $|\Omega|\le q$, then the transfer is exact:
$$
\varepsilon_G(C^{\equiv s},\delta)=\varepsilon_G(C,\delta).
$$
In particular, affine-line MCA is invariant under row-wise interleaving. This answers the known interleaving-loss question and removes the linear interleaving factor from the affine-line MCA bound. It also implies that polynomial-generator MCA bounds transfer to interleaved codes without an additional interleaving-width factor.
We further establish interleaving stability for curve decodability. We introduce a marked formulation, prove its equivalence to the standard definition for $\mathbb{F}_q$-additive codes and $1\le b\le a\le q$, and use it to transfer curve decodability to row-wise interleavings. If $C$ is $(\ell,\delta,a,b)$-curve-decodable and $\binom{a}{b}\le q$, then
$C^{\equiv s}$ is also $(\ell,\delta,a,b)$-curve-decodable for every $s$. We also give a field-size-weighted variant that transfers larger base-code
witness parameters to smaller interleaved-code witness parameters.
## 2026/892
* Title: Adaptive Distributed Key Generation for Discrete-Log Cryptosystems
* Authors: Ruben Baecker, Paul Gerhart, Stanislaw Jarecki, Phillip Nazarian, Daniel Rausch, Dominique Schr||der
* [Permalink](https://eprint.iacr.org/2026/892)
* [Download](https://eprint.iacr.org/2026/892.pdf)
### Abstract
The security of decentralized asset custody and blockchain consensus increasingly relies on threshold signatures to eliminate single points of failure. In these high-stakes environments, static security models are an insufficient theoretical abstraction. Real-world blockchain deployments demand adaptive security to ensure protocols remain secure against adversaries who reactively compromise participants based on observed network traffic and protocol state.
While the NIST standardization effort and BitcoinrCOs Taproot (BIP340) upgrade have accelerated interest in adaptively secure threshold Schnorr signatures, a threshold system is only as secure as its setup phase. In decentralized settings, this necessitates a Distributed Key Generation (DKG) protocol to eliminate reliance on a trusted dealer. However, a critical gap remains: current DKG protocols are incompatible with the specific key structures required by promising schemes (EUROCRYPT'26). Furthermore, a result from CRYPTO'25 demonstrated that unique key commitments necessitate a non-falsifiable assumption for adaptive security. To avoid non-standard assumptions, DKG protocols must be key-share hiding, a property existing DKGs fail to provide.
We close this gap by proposing two novel DKG protocols that support identifiable abort and tolerate a dishonest majority and prove them secure under new ideal functionalities in the UC framework. Our first protocol achieves optimal round complexity via a single broadcast round at the cost of allowing adversarial bias, while our second protocol eliminates the bias in two rounds. In addition, the protocols provide a proactive key refresh mechanism that allows long-lived decentralized networks to refresh internal key material periodically. This enables the system to recover from transient node compromises without the operational burden of rotating the underlying public key. Our evaluation demonstrates that these constructions are practically efficient, incurring minimal communication and computation overhead for modern high-throughput architectures.
## 2026/893
* Title: The Joint Channel Threshold: Selfish Mining Below 1% Hashrate
* Authors: Fateme Ghasemi, Reyhaneh Ameri, Mohammadreza Meybodi
* [Permalink](https://eprint.iacr.org/2026/893)
* [Download](https://eprint.iacr.org/2026/893.pdf)
### Abstract
The selfish-mining literature has progressively lowered the hashrate
threshold at which a rational Bitcoin miner strictly profits by
deviating from the honest protocol, from Eyal and Sirer's 25% down to
single digits under richer attacker models. Two such models remain unreconciled: Gervais et al. (CCS 2016) parameterize network-layer
adversaries through an eclipse fraction omega and an honest-only
stale rate o, but assume constant block rewards; WeRLman
(IEEE S&P 2023) models fee-rich rewards through a deep-RL solver,
but assumes a network-clean attacker. An adversary that exploits
both surfaces has not been analyzed.
We present the first joint analysis. We formulate a Markov decision
process that integrates Gervais's network-layer channels with
WeRLman's whale-transaction tracking, solve it at a 5.7 x 10^8
state truncation, and anchor the construction by reduction to each
prior model at the appropriate parameter limit.
Our threat model targets a state-level adversary with per-block
routing influence over a meaningful fraction of honest hash power,
not an attacker who eclipses individual nodes. Under this model,
the joint threshold collapses far below either single-channel
result. At L = 3, the F=10 baseline (no network channels) crosses
at alpha = 13.2%; a 10% eclipse fraction alone drops it to 2.6%, a
10% stale rate alone to 4.8%, and both channels together to 1.4%.
At L = 5 the joint configuration drops further to 0.9%, an at least
15x collapse. An analytical lemma accounts for the interaction:
the honest-chain growth probability factors as
(1 - alpha - omega)(1 - o), isolating a cross-term omega * o that is
a property of the joint transition kernel itself. The cross-term is
structural, not a training artifact, and its presence implies that
mitigations targeting only one channel leave the joint contribution structurally present whenever the other channel is non-zero.
## 2026/894
* Title: HumBird: Rotating Leader BFT made Simple and Fast
* Authors: Chenxu Wang, Sisi Duan, Minghui Xu, Huizhong Li, Shichen Wu, Xiuzhen Cheng
* [Permalink](https://eprint.iacr.org/2026/894)
* [Download](https://eprint.iacr.org/2026/894.pdf)
### Abstract
Rotating leader Byzantine fault-tolerant (BFT) protocols, also known as protocols in the leader-speaks-once (LSO) model, have become a topic of interest with the rise of blockchains. Many recent efforts have been made to lower the latency and simplify the design. However, existing works often sacrifice expected latency (latency when failures might occur) to enjoy higher good-case latency.
In this work, we present a generic approach to building rotating leader BFT protocols that are both simple and fast. We present two variants: HumBird-1, a synchronous BFT under the $f<n/2$ assumption; HumBird-2, a partially synchronous BFT under the $f<n/3$ assumption, where $n$ is the number of replicas in the system and $f$ is the number of Byzantine failures. We show that by relaxing LSO to the leader-speaks-twice (LST) model and introducing a special uncle block field, we can significantly reduce both good-case latency and expected latency. Our experimental results show that compared to the state-of-the-art rotating leader BFT, HumBird-1 and HumBird-2 achieve up to 32% lower latency and 70% higher throughput, and 95% lower latency and 140% higher throughput, respectively.
## 2026/895
* Title: On the Properties of HighBits and LowBits Functions and their Applications
* Authors: Alice Pellet-Mary, Michel Seck
* [Permalink](https://eprint.iacr.org/2026/895)
* [Download](https://eprint.iacr.org/2026/895.pdf)
### Abstract
ML-DSA is a lattice-based signature scheme that has recently been standardized by NIST as FIPS 204. Among the many subroutines used by ML-DSA are the high bits (Hb) and low bits (Lb) functions, which, as their name suggest, return only the higher bits or the lower bits of some integer. Recently, Seck and Roux-Langlois (IACR CiC 2025) conjectured that the high bits of a sum of two integers t and r can be expressed as the sum of the high bits of each integer, plus an error term that can take at most seven different values. In this paper, we study the properties of the functions Hb and Lb and we prove that the conjecture of Seck and Roux-Langlois holds. In addition, we provide a complete characterization of the error term. As an application, we explain how these properties can be used to design lattice-based signature schemes with advanced features.
## 2026/896
* Title: CORAL Faster Isogeny Group Action for Post-Quantum NIKE
* Authors: Andrea Basso, Giacomo Borin, Ryan Rueger, Sina Schaeffler
* [Permalink](https://eprint.iacr.org/2026/896)
* [Download](https://eprint.iacr.org/2026/896.pdf)
### Abstract
There are two kinds of cryptographic group actions: restricted and unrestricted.
While unrestricted actions like (qt-)PEGASIS are needed for more advanced constructions, restricted ones like dCTIDH are sufficient for instantiating a NIKE and usually much more efficient.
In this work, we propose CORAL, a significantly faster algorithm to evaluate the same action as (qt-)PEGASIS, but in a restricted fashion; CORAL only computes two-dimensional $2$-isogenies to evaluate the action and outperforms both recent unrestricted (KLaPoTi, (qt-)PEGASIS) and (restricted) CSIDH-based approaches (SQALE, dCTIDH).
In essence, CORAL trades off unrestrictedness for efficiency.
Our unoptimised C implementation evaluates a group-action in 240 ms with a 2032-bit prime. When used to construct a non-interactive key exchange, CORAL yields an actively secure post-quantum NIKE with compact public keys (e.g. 256 bytes for 2032-bit primes).
## 2026/897
* Title: SEFA: A Secure, Efficient, and Flexible Algorithm Design Strategy for Block Ciphers and Sponge Permutations
* Authors: G||k|oe D|+zyol, Nida Fidan, Kamil Otal
* [Permalink](https://eprint.iacr.org/2026/897)
* [Download](https://eprint.iacr.org/2026/897.pdf)
### Abstract
Substitution-permutation networks (SPNs) are the most popular construction method for block ciphers and sponge permutations. Basically, we can divide SPNs into two groups by considering their diffusion layer profiles: bit-wise versus byte-wise (or nibble-wise) diffusion. In this paper, we suitably combine both approaches and present a more efficient and flexible construction that achieves a combination of small S-boxes, linear layers consisting only of XOR operations and bit permutations, and a small number of rounds. As concrete results, we present the family SEFA of several lightweight and flexible block ciphers, AEADs, and cryptographic hash functions, including:
* SEFA-128/256: A TFHE-friendly block cipher with 128-bit block, 256-bit key, using 4-bit S-boxes, through 16 rounds.
* SEFA-512/256: A wide-block AEAD suitable for encrypting 256-bit blocks with 256-bit keys, using 8-bit S-boxes, through 16 and 10 rounds.
* SEFA-1536: A hash function using sponge construction with a 1536-bit state permutation including 8-bit S-boxes and 12 rounds.
We analyze the security from several attack perspectives. Also, we present hardware implementation results, along with comprehensive performance benchmarks, to demonstrate performance and flexibility.
## 2026/898
* Title: Bluestreak: Scaling DAG BFT by Sparsifying Metadata
* Authors: Nikita Polianskii, Ilya Vorobyev, Sebastian Muller
* [Permalink](https://eprint.iacr.org/2026/898)
* [Download](https://eprint.iacr.org/2026/898.pdf)
### Abstract
DAG-based Byzantine fault-tolerant (BFT) consensus protocols achieve
high throughput by allowing many validators to propose concurrently, but scaling them to large committees remains challenging. In a committee of $n$ validators, up to $f$ of which may be Byzantine ($n = 3f{+}1$), dense round-based DAG designs require each block to reference at least $2f{+}1$ blocks from the previous round. This yields $O(n)$ metadata per block, $O(n^2)$ metadata per round, and $O(n^3)$ metadata bytes transmitted per round under all-to-all dissemination, increasing bandwidth and processing costs and making metadata, rather than payload, the latency bottleneck.
We present Bluestreak, a sparse uncertified DAG BFT consensus protocol that keeps non-leader blocks constant-size (in $n$) and concentrates committee-scale ancestry in a single leader block per round, yielding constant \emph{average} metadata per block as committees grow. Bluestreak combines this sparse block format with a new leader commit rule co-designed for the sparse DAG and a new pull-based pacemaker, and we prove safety and liveness under partial synchrony using only collision-resistant hashes and standard digital signatures.
We implement and evaluate Bluestreak under wide-area latency spanning ten geo-distributed regions. Bluestreak scales from 10 to 400 validators on commodity 4-vCPU instances with sub-second WAN latency throughout (${\approx}\,470$ ms at $n{=}10$, ${\approx}\,720$ ms at $n{=}400$), keeping average per-block metadata constant at ${\approx}\,320$ bytes. At $n{=}120$, Bluestreak sustains ${\approx}\,220$k tx/s with LSM-tree storage and ${\approx}\,400$k tx/s with WAL-based storage, both at sub-second latency.
## 2026/899
* Title: VCVio: Verified Cryptography in Lean via Oracle Effects and Handlers
* Authors: Devon Tuma, Quang Dao, James Waters, Alexander Hicks, Nicholas Hopper
* [Permalink](https://eprint.iacr.org/2026/899)
* [Download](https://eprint.iacr.org/2026/899.pdf)
### Abstract
Mechanized cryptographic proofs face a long-standing trade-off between assurance and expressiveness. Existing foundational frameworks, which reduce every proof step to the kernel of a general-purpose proof assistant, offer a small, auditable trusted base, but struggle to model the oracle manipulations and rewinding arguments pervasive in modern cryptography. They also tend to lack the tactic infrastructure of specialized, non-foundational tools like EasyCrypt.
We present VCVio, a foundational framework in Lean 4 that closes both gaps with established ideas from programming-language theory: algebraic effects and handlers on the oracle side, and a modular relational program logic on the tactic side. Concretely, a computation with oracle access is the free monad over the polynomial functor determined by the oracle specification, exposing its interaction history as an explicit syntax tree. Caching, logging, reprogramming, and seed pre-sampling become handler combinators; rewinding reduces to deterministic transcript replay without any internal adversary state.
On top of the oracle core, VCVio provides two reusable layers. We extend the recent Loom framework (POPL 2026) to the relational setting, yielding a single tactic framework that handles both unary and relational probabilistic reasoning. Alongside this, our treatment of state-separating proofs achieves compositional separation by typing, whereas Nominal SSProve recovers it by quotienting locations modulo alpha equivalence.
We exercise this stack on three case studies: a random-oracle commitment scheme; the Bellare--Neven forking lemma, mechanized without the rewindability axioms used in the recent EasyCrypt formalization by Firsov and Jank+>; and the Schnorr signature scheme establishing EUF-CMA security. A significant share of our development used LLM coding agents and external automated proof-search systems; we report on the workflows, successes, and failure modes as a data point in LLM-assisted theorem proving.
## 2026/900
* Title: Secure Protocol Composition under Dynamic Corruption: Scaling Up Symbolic Analysis for Real-World Security Properties
* Authors: Cas Cremers, Erik Pallas, Aleksi Peltonen
* [Permalink](https://eprint.iacr.org/2026/900)
* [Download](https://eprint.iacr.org/2026/900.pdf)
### Abstract
Although automated symbolic protocol verification has proven valuable and effective, current approaches begin to reach their limits: While small protocols can be analyzed automatically, the most complex case studies often require substantial expert time and resources. There have been many attempts to solve this problem by compositional verification, but they rely on unrealistic protocol assumptions and do not support real-world security properties like Forward Secrecy.
In this work, we enable compositional symbolic analysis for real-world security protocols with respect to modern security properties. We develop a composition result in the Applied -C-Calculus that holds even in the presence of attackers capable of dynamic corruption if the protocols satisfy a disjointness requirement.
We demonstrate the applicability and effectiveness of our result on the composition of a data exchange protocol with a Diffie-Hellman key exchange and a compositional analysis of Forward Secrecy in TLS 1.3 within the scope of RFC 8446 and the ECH extension. While monolithic analyses of TLS 1.3 with ECH fail to deliver a result in 10% of cases, all compositional analyses succeed. Additionally, runtime decreases by 71% and memory usage by 86% on average.
## 2026/901
* Title: Threshold (T)FHE without smudging by means of correct threshold additive HE
* Authors: Antonina Bondarchuk, Renaud Sirdey, Aymen Boudguiga, Olive Chakraborty
* [Permalink](https://eprint.iacr.org/2026/901)
* [Download](https://eprint.iacr.org/2026/901.pdf)
### Abstract
Designing threshold lattice-based FHE schemes remains challenging due to the noise leakage that may occur during distributed decryption. The mainstream approach to avoid this consists of relying on noise flooding or smudging techniques. However, using these techniques comes at the cost of the much larger parameters required to ensure reliable decryption, and they are not easily applicable to schemes with smaller ciphertext moduli such as TFHE. In this paper, we demonstrate that smudging can be avoided for LWE-based FHE schemes, such as TFHE, by using a correct Linear Homomorphic Encryption (LHE) scheme, like Paillier, to encrypt the $b$-term of an LWE pair obtained after completing a homomorphic computation and sanitizing the resulting ciphertext. The key intuition is that, because the b-term of the LWE pair is not revealed to the decrypting parties, noise leakage is no longer an issue (with sanitization ensuring noise/message independence). We then instantiate this approach using TFHE as the baseline LWE scheme as well as the Tiresias threshold variant of Paillier. We prove the resulting construction, denoted thPLWE, is IND-CPA secure under static corruption and adaptive queries (Scor-Adp-IND-CPA) under the assumption that Tiresias achieves the same. We then provide experimental results to assess the practicality of the approach and compare it to other recent works.
## 2026/902
* Title: End-to-End Polynomial-Time Cryptanalytic Extraction of Convolutional Neural Networks in the Hard-Label Setting
* Authors: Chun Li, Zheng Gong, Di Li, Liping Zhuang, Yufeng Tang, Yin Lv, Xingfu Yan
* [Permalink](https://eprint.iacr.org/2026/902)
* [Download](https://eprint.iacr.org/2026/902.pdf)
### Abstract
Convolutional neural network parameters are valuable intellectual property, yet many APIs expose only top-1 labels and assume hidden logits limit parameter recovery.
Prior cryptanalytic extraction can recover functionally equivalent ReLU MLPs, but CNNs introduce weight sharing, parallel critical hyperplanes, coupled spatial perturbations, and channel-sign ambiguity.
This paper presents an end-to-end hard-label extraction attack for known-architecture ReLU CNN classifiers with average pooling.
The main algorithmic contribution is channel-level recovery with SVGR-guided retained-candidate discrete optimization under a retained-candidate assumption.
The attack locates dual points on decision and activation boundaries, recovers shared channel signatures with SVD, resolves channel signs, and peels layers while absorbing ReLU scale factors into later linear layers.
Across evaluated 1D MNIST, 2D MNIST, and RGB CIFAR-10 variants, extraction reaches 100% prediction fidelity.
Moreover, the evaluation demonstrates downstream security implications: extracted watermarked CNNs preserve behavior-level ownership evidence.
Furthermore, the recovered models can be wrapped with deterministic triggers without erasing retained watermark signals, creating risk for both owners and downstream users.
These results demonstrate that hiding logits alone does not protect parameters for this CNN family once architecture information is available.
The anonymous artifact is available for review at https://anonymous.4open.science/r/cnn_hard_label_extraction-83F4.
## 2026/903
* Title: Magic Pot: Cryptanalysis of full AIM2 in the standard and related-/reused-key settings using new elimination framework
* Authors: Alex Biryukov, Pablo Garc|!a Fern|indez, Aleksei Udovenko
* [Permalink](https://eprint.iacr.org/2026/903)
* [Download](https://eprint.iacr.org/2026/903.pdf)
### Abstract
In this work, we cryptanalyse the post-quantum signature scheme AIMer v2.1, which is one of the winners of the Korean Post-Quantum Cryptography competition (KpqC), and whose earlier version was a candidate in the US NIST's additional post-quantum digital signatures call. We show that AIM2, the underlying symmetric-key primitive, is not secure up to the claimed level by developing and applying a new algebraic attack framework based on extended linearization over a univariate polynomial ring and a novel algorithm for finding a null vector of a polynomial matrix. In particular misuse scenarios, such as reused-key or related-key settings, our attacks become practically feasible, allowing experimental verification and benchmarking. We also evaluate the approach on the RAIN block cipher used in the Rainier post-quantum signature scheme and obtain improved attacks, although not threatening its claimed security.
## 2026/904
* Title: Sponsored Fair Exchange (Extended Abstract)
* Authors: Serge Vaudenay
* [Permalink](https://eprint.iacr.org/2026/904)
* [Download](https://eprint.iacr.org/2026/904.pdf)
### Abstract
We propose a costless platform for fair exchange based on smart contracts to favor economic inclusion. Our smart contract is minimal, as most of communication is done offchain. The smart contract costs are covered by incentivized sponsors. Our protocol is a knowledge-coin exchange: it allows to exchange a digital item, characterized by an automatically verifiable description, against a payment in cryptocurrency. The exchange is fair in the sense that either both parties receive what they expect (the exchange completes) or both parties lose nothing (the exchange is canceled). We ensure a costless transaction in cancelation cases, and a transaction with pre-determined fee if it completes. We also ensure privacy of the transaction. Our protocol offers an improvement compared to OptiSwap: we can work with any description function. The complexity is never higher and sometimes significantly smaller. Namely, the worst case complexity is logarithmic instead of being linear. Furthermore, we introduce sponsoring as an enabler for economic inclusion.
## 2026/905
* Title: Maintaining Sublinear Locality Over Time: Adaptively Secure MPC on a Reusable Hidden Graph
* Authors: Elette Boyle, Ran Cohen, Pierre Meyer
* [Permalink](https://eprint.iacr.org/2026/905)
* [Download](https://eprint.iacr.org/2026/905.pdf)
### Abstract
Communication locality of an $n$-party protocol measures the maximum degree of the communication graph induced by the protocol execution.
While secure multi-party computation (MPC) with small, sublinear locality exists in the static-corruption setting, this goal seems nearly paradoxical in the adaptive-corruption setting: Even against fail-stop adversaries, small neighbour sets of honest parties lie vulnerable to identification and corruption.
Surprisingly, Chandran et al. [ITCS '15] showed that for a single MPC execution, sublinear locality and adaptive security can be simultaneously achieved, assuming honest-to-honest channels are hidden from the adversary.
Their solution works in the ``hidden-graph model,'' where a fresh, initially hidden, low-degree graph is being used in each round. In turn, the combined degree grows with every round---inherently limiting the approach to a single-shot MPC execution, and sublinear total rounds. This raises the following question, which is the focus of our work:
Is it possible to maintain sublinear locality over an unbounded number of executions facing adaptive adversaries?
In this work, we provide an affirmative answer in two settings:
First, we consider semi-honest adversaries and information-theoretic security, and construct reusable MPC with polylog($n$) locality.
Second, we consider fail-stop adversaries and computational security, and construct reusable MPC with $\tilde O(n^{2/3})$ locality.
Our results are obtained by devising low-locality protocols while hiding important information about the graph topology, enabling the parties to reuse a single hidden graph. As an independent contribution, this serves as new results for adaptively secure topology-hiding computation (Moran, Orlov, Richelson [TCC '15]).
## 2026/906
* Title: An analysis of a weakened version of PRISM
* Authors: Jolijn Cottaar, Steven D. Galbraith, Luciano Maino, Monika Trimoska * [Permalink](https://eprint.iacr.org/2026/906)
* [Download](https://eprint.iacr.org/2026/906.pdf)
### Abstract
PRISM (PKC25) is a hash-and-sign signature scheme whose security relies on the hardness of computing large-prime-degree isogenies originating from a curve of unknown endomorphism ring. In PRISM, the degree of such isogenies is obtained by hashing messages onto a set of large odd integers that pass a primality test.
In this work, we investigate the impact of the choice of primality test on the security of PRISM. We first show that when a weak primality test is used, the assumption underlying the security proof in the standard model does not hold. We then extend our analysis to the assumption used in the security proof in the (quantum) random oracle model. In this setting, we argue that the Miller-Rabin test suffices and estimate the minimal number of iterations required for PRISM to achieve the desired security level, thus minimising signing costs.
## 2026/907
* Title: Zero-Knowledge Proofs for Gradient Boosted Decision Trees
* Authors: Jiacheng Gao, Wenjie Qu, Yuan Zhang, Sheng Zhong, Jiaheng Zhang
* [Permalink](https://eprint.iacr.org/2026/907)
* [Download](https://eprint.iacr.org/2026/907.pdf)
### Abstract
Gradient boosted decision trees (GBDTs) are among the most effective models for tabular data and are widely used in domains such as finance, healthcare, and risk assessment. As these models are increasingly trained and served by external providers, clients need a way to check that a prediction or a model update was produced by the claimed training pipeline. At the same time, the provider may need to keep the training data and model parameters private. This makes zero-knowledge proofs for GBDT training and inference a natural tool for accountable machine learning.
Existing constructions for proving GBDT training typically rely on generic ZKP compilers. They build a certification circuit that checks the forest against the training data, and then prove the circuit execution. This leads to high prover cost. On the other hand, a more direct approach to decompose proof of training into algebraic constraints inevitably introduces many auxiliary witnesses to assist proving. Proving these constraints separately could result in a huge amount of independent auxiliary commitments, whose committing and opening could dominate both proof size and prover time. Batching these constraints is also difficult because they come from different stages of training and have potentially different witness shapes and sizes, which are committed over different domains.
We present \textsc{Terrae}, a zero-knowledge proof system for quantized GBDT training and inference based on KZG polynomial commitments. \textsc{Terrae} avoids both dependency on proving circuit computation and proving each constraint separately by leveraging the structure of GBDT training and novelly batching the constraints. We introduce two batching techniques: domain-lifting batching for linear constraints and interleaving batching for non-linear constraints. Both techniques work over differently-sized domains and reduce many constraints to a single claim without introducing extra polynomial commitments. We also design a histogram proof that proves the correctness of converting sample-wise data into its frequency representation, which may be of independent interest. Our evaluation shows that, compared with prior approaches, \textsc{Terrae} significantly reduces proof-generation time while adding only a small proof-size overhead.
## 2026/908
* Title: Titan: Efficient Polynomial Commitments from IOPs over Groups
* Authors: Chethan Kamath, Ravi Prakash, Samipa Samanta, Sruthi Sekar, Nitin Singh
* [Permalink](https://eprint.iacr.org/2026/908)
* [Download](https://eprint.iacr.org/2026/908.pdf)
### Abstract
In this paper, we propose Titan, an efficient polynomial commitment scheme (PCS) with transparent setup. It achieves commitment time of $O(n)$, evaluation time of $O(\sqrt{n})$ while the proof size and verification scales as $O(\sqrt[4]{n})$. Titan features an order of magnitude smaller proof sizes than hash based PCS, while featuring a significantly more efficient prover and verifier compared to state of the art group based schemes like Dory and Hyrax. To achieve this balance, Titan borrows two-tiered commitments from Dory, and realizes outer commitment using interactive protocols of proximity (IOPP) over groups, specifically WHIR, instead of expensive bilinear pairings. This allows Titan to be instantiated over general curves with discrete-log hardness such as Pasta Curves, instead of requiring pairing friendly curves.
We compile a variant of Spartan protocol for R1CS with Titan PCS to realize a new SNARK, which we call TitanSnark. Our construction TitanSnark preserves the prover efficiency of the existing Spartan protocol, while improving proof size and verification quadratically from $O(\sqrt{n})$ to $O(\sqrt[4]{n})$. Concretely, for circuits of size $\geq 2^{22}$ this results in around $3\times$ more efficient proof size and verification.
Our blueprint of combining IOPPs over groups with Pedersen style inner commitments is of independent interest, as are several optimizations towards efficiently realizing WHIR IOPP over prime-order groups.
## 2026/909
* Title: On Succinct Non-Interactive Secure Computation with Malicious Security * Authors: Maya Farber Brodsky, Arka Rai Choudhuri, Abhishek Jain, Omer Paneth * [Permalink](https://eprint.iacr.org/2026/909)
* [Download](https://eprint.iacr.org/2026/909.pdf)
### Abstract
A non-interactive secure computation (NISC) protocol allows a client with input $x$ and a server with input $y$ to compute $f(x,y)$ using a single message from the client and a single response from the server. The protocol is called succinct if the size of the serverrCOs message depends only on the output length and is independent of the size of $y$ and the complexity of $f$. In the semi-honest setting, succinct NISC is known from fully homomorphic encryption (FHE). In contrast, malicious security is currently known only from non-standard assumptions, such as SNARKs for NP.
In this work, we construct maliciously secure succinct NISC protocols for natural and widely studied functionalities from standard assumptions, namely, FHE and batch arguments (BARGs). Our first result is a protocol for private set membership (PSM): the client holds an element $x$, the server holds a large set $S$, and the function outputs $1$ if and only if $x \in S$. We then give several generalizations:
- Dictionary lookup: The server holds a dictionary $D$ of keyrCovalue pairs, the clientrCOs input is a key $k$, and the output is $D[k]$.
- Verifiable dictionary lookup: The serverrCOs dictionary must additionally satisfy a predicate $P$, computable by a read-once machine with small state.
- UP search: The client input is an instance $x$, and the output is $D[w]$, where $w$ is the unique witness for $x$ under some UP relation.
Our protocols achieve split-simulation security against a malicious server and standard security against a malicious client. Split-simulation is a relaxation of the standard real-ideal paradigm, where correctness of the clientrCOs output and indistinguishability of the serverrCOs view are guaranteed separately.
At the heart of our results lies a new simulation technique in which the serverrCOs large input is extracted piece by piece and reconstructed into a coherent input. This reconstruction is enabled by a new monotone coupling argument based on StrassenrCOs theorem.
## 2026/910
* Title: UnifOMR: Oblivious Message Retrieval with Near-optimal Concrete Efficiency
* Authors: Ben Fisch, Zeyu Liu, Eran Tromer, Yunhao Wang
* [Permalink](https://eprint.iacr.org/2026/910)
* [Download](https://eprint.iacr.org/2026/910.pdf)
### Abstract
End-to-end encryption guarantees message confidentiality but does not hide metadata such as communication patterns among senders and recipients, or their identities. Oblivious Message Retrieval (OMR) is a cryptographic protocol that enables servers to assist recipients in retrieving their messages from a database without learning the mapping between messages and recipients, thereby protecting such metadata.
This paper investigates two central questions of OMR: (1) What is the precise relationship between OMR and the better-studied primitive of Private Information Retrieval (PIR)? (2) Can OMR schemes achieve concrete efficiency comparable to state-of-the-art PIR protocols?
We show that OMR with a property we call strong detection-key-unlinkability is at least as hard as PIR, and that existing OMR constructions already satisfy this property. This PIR-to-OMR reduction has low overhead, suggesting that OMR cannot be made substantially more efficient than PIR.
We then present $\mathsf{UnifOMR}$, which achieves $20\times$ to $1080\times$ faster server runtime over the state-of-the-art $\mathsf{SophOMR}$ under practical parameter settings. For $2^{19}$ messages of 612 bytes each, $\mathsf{UnifOMR}$ completes in only ${\sim}25$ seconds with 4 MB of communication, compared to $>1250$ seconds and 260 KB for $\mathsf{SophOMR}$. These gains come with two trade-offs: an asymptotically linear digest size (albeit with small constants), and two rounds of interaction between the detector and the client.
Furthermore, crucially, $\mathsf{UnifOMR}$ uses batch PIR as a black-box component, which in our experiments accounts for $50$--$92\%$ of the server runtime. Thus, $\mathsf{UnifOMR}$ nearly matches the aforementioned lower bound concretely (for databases of $2^{16}$ to $2^{23}$ messages, each with $612$ to $3060$ bytes), given the status quo of batch PIR.
## 2026/911
* Title: UC4Free! Existing Threshold Signatures are UC Secure
* Authors: Jan Bobolz, Elizabeth Crites, Markulf Kohlweiss, Akira Takahashi
* [Permalink](https://eprint.iacr.org/2026/911)
* [Download](https://eprint.iacr.org/2026/911.pdf)
### Abstract
Threshold signatures have received considerable attention in recent years due to ongoing standardization efforts and deployment in real-world systems. In this work, we prove the universal composability of a wide range of threshold signature schemes, including state-of-the-art protocols compatible with standard signatures used in practice, such as BLS and Schnorr signatures, as well as emerging post-quantum solutions. Importantly, we show UC security without any modifications to the existing protocols.
To this end, we design natural game-based definitions to capture different combinations of main threshold signature scheme properties, such as different levels of unforgeability, adaptive corruption, robustness, and different degrees of preprocessing. These definitions generalize prior definitional work, such as Bellare et al. (CRYPTO'22), and cover a wide range of existing schemes. Moreover, we identify and resolve gaps in prior work. We then express these properties in terms of a UC ideal functionality $\mathcal{F}\text{-}\mathtt{TS3}$. We prove that a threshold signature scheme UC-realizes $\mathcal{F}\text{-}\mathtt{TS3}$ if and only if it satisfies our game-based definitions.
This opens up the usage of (existing) threshold signature schemes in a UC setting, enabling scheme designers to formulate their protocols relative to an ideal threshold signature functionality and use the UC composition theorem to argue security given any concrete instantiation. To further support UC scheme designers and to give further guidance on UC modeling for threshold signatures, we provide additional ideal threshold signature functionalities $\mathcal{F}\text{-}\mathtt{TS2}$, $\mathcal{F}\text{-}\mathtt{TS1}$, $\mathcal{F}\text{-}\mathtt{TSSync2}$, and $\mathcal{F}\text{-}\mathtt{TSSync1}$, which capture fewer properties than $\mathcal{F}\text{-}\mathtt{TS3}$ but are more convenient to use. $\mathcal{F}\text{-}\mathtt{TS2}$, $\mathcal{F}\text{-}\mathtt{TS1}$, $\mathcal{F}\text{-}\mathtt{TSSync2}$, $\mathcal{F}\text{-}\mathtt{TSSync1}$ can also be UC-realized by schemes proven secure according to our game-based definitions.
Through this work, we show that composable security does not require sacrificing performance, but it does require rigor when setting up game-based definitions and ideal functionalities.
## 2026/912
* Title: Improved TensorPIR: Single-Server PIR with Lower Communication Cost
* Authors: Yingchu Lv, Yanbin Pan, Huaxiong Wang
* [Permalink](https://eprint.iacr.org/2026/912)
* [Download](https://eprint.iacr.org/2026/912.pdf)
### Abstract
Private Information Retrieval (PIR) is of growing importance in privacy-preserving data access, as it enables users to retrieve information from databases without revealing their query content, thereby aligning with modern data protection and regulatory standards. State-of-the-art schemes, such as HintlessPIR and TensorPIR proposed by Li et al. at CRYPTO 2024, leverage lattice-based cryptography for efficient and privacy-preserving data retrieval. HintlessPIR achieves a communication complexity of $O(N^{1/2})$, which remains suboptimal for large databases. To further reduce communication overhead, the same work introduces TensorPIR, lowering the asymptotic complexity to $O(N^{1/3})$. However, this improvement requires larger parameters and more CRT moduli, leading to a practical communication cost that is not significantly smaller than that of HintlessPIR.
In this work, we propose a new framework that rethinks the encryption strategy for the index, reducing both communication and computation costs through fewer CRT moduli. In experiments on 16 GB, 32 GB, 64 GB, and 128 GB databases, our total communication cost drops to as low as 45.5% of TensorPIR's. Theoretically, as $N$ grows, our query and answer sizes are reduced to 36.9% and 22.2% of TensorPIR's, respectively. Compared with HintlessPIR, our scheme achieves lower theoretical communication complexity, leading to substantially smaller practical communication for large $N$. Moreover, our total online time is reduced to 28.9% to 56.1% of HintlessPIR's.
## 2026/913
* Title: Algorithmic Toolkit for Linearization of S-boxes
* Authors: Alex Biryukov, Philip Ture-iek, Aleksei Udovenko
* [Permalink](https://eprint.iacr.org/2026/913)
* [Download](https://eprint.iacr.org/2026/913.pdf)
### Abstract
Linearization is a cryptanalysis technique in which a nonlinear function (an S-box) is represented by an affine mapping on a certain subset of inputs. Its variants were applied to analyze Keccak, LowMC, RAIN and AIM. In these primitives, the S-boxes are either very small (up to 5 bits) or are very specific monomial functions over a binary field. Linearization of arbitrary S-boxes was never practically explored due to the lack of theoretic, algorithmic, and cryptanalytic understanding.

For the first time, we develop an algorithmic toolkit which allows one to compute strong linearizations of S-boxes, when they exist. For up to $n=8$ bits, our algorithms are able to find provably the best possible approximations, while for larger S-boxes it is feasible to obtain good approximations together with meaningful upper bounds. We apply our algorithms to a variety of S-boxes from existing primitives, to monomial functions, to so-called APN functions, and to 16-bit Super-Sboxes. We obtain interesting results raising many new open questions and open up new research directions, as well as a foundation for developing cryptanalytic attacks.
To advance the cryptanalytic utility of linearization, we study and solve the problem of covering an S-box with multiple approximations. As an application, we derive a generic linearization approach for the CICO problem (constrained-input-constrained-output) over SPN-based permutations (Substitution-Permutation Networks) with general linear layers. This is the first such general cryptanalysis based on the existence of a strong linearization of the S-box.
--- Synchronet 3.22a-Linux NewsLink 1.2