From Newsgroup: sci.crypt

## In this issue
1. [2025/880] Optimistic Asynchronous Dynamic-committee Proactive ...
2. [2025/1504] On the $\gamma$-Spreadness of Average-Case to ...
3. [2026/189] Threshold linear solving in small fields and ...
4. [2026/202] ZKBoost: Zero-Knowledge Verifiable Training for XGBoost
5. [2026/424] CRISP: Circuit-pRivate Single-Image Steganography ...
6. [2026/863] Conquering Bad Norms in RstOE: Pure-Database ...
7. [2026/922] Generic Construction of CCA-Secure PKE from Key- ...
8. [2026/923] Practical and Verifiable Encrypted Vector Search ...
9. [2026/924] RIC: Randomize Invalid Coefficients to Mitigate ...
10. [2026/925] LogVOLE: Succinct and Efficient Chosen-Input VOLE ...
11. [2026/926] Private Function Evaluation with Linear Complexity
12. [2026/927] Fully Homomorphic Encryption on the Ring of ...
13. [2026/928] Wombat: Post-Quantum Blind Signature from Standard ...
14. [2026/929] On the Statistical vs. Computational Security of ...
15. [2026/930] Improved Quantum Attacks on Iterated Even-Mansour ...
16. [2026/931] Fair Multiparty Coin Tossing from Minimal Assumptions
17. [2026/932] Zephyr: GPU-Efficient Homomorphic Encryption for ...
18. [2026/933] BitVM3: Efficient Bitcoin Bridges via Garbled Circuits
19. [2026/934] First-Order Masked Fine-Shuffling Implementation ...
20. [2026/935] SoK: Private LLM Inference using Approximate ...
21. [2026/936] Efficient and Privacy-preserving Outsourced ...
22. [2026/937] Pseudonymization and reportersrCO protection by ...
23. [2026/938] Storing Less in-the-Head: An Area-Efficient ...
24. [2026/939] More Efficient SNARKs via Quasi-Abelian Codes: ...
25. [2026/940] Efficiently deciding and recovering CCZ and EA ...
26. [2026/941] MAYA: A Short Shuffle Argument With Fast Verification
27. [2026/942] On the Investigation of Variants for Discrete ...
28. [2026/943] Optimized G+G Signature
29. [2026/944] On MPC-friendly Softmax
30. [2026/945] Threshold PRISM Signature Schemes via Graph-Based ...
31. [2026/946] Constant-Round Secure Distributed Decoding and HQC ...
32. [2026/947] Efficient SIMD Implementation of the BLS Signature ...
33. [2026/948] Anamorphic Construction For The Winternitz OTS ...
34. [2026/949] Quantum Circuit Realization and Grover ...
35. [2026/950] Beyond the Anonymous Inbox: Secure Whistleblowing ...
36. [2026/951] Early-stopping Consensus with Adaptive Bit Complexity
37. [2026/952] Formalizing Blockchain PQC Signature Transition: ...
38. [2026/953] Tight Lattice-Based Signatures without Trapdoors ...
39. [2026/954] Black-box validation of Falcon key generation under ...
40. [2026/955] YsPIR: HE-Based Single-Server Private Information ...
41. [2026/956] Efficient Bootstrapping in Fully Homomorphic ...
42. [2026/957] Threshold FHE with Short Decryption Shares without ...
43. [2026/958] Enhancing Blockchain Proof of Stake with Active ...
44. [2026/959] Operationalising PostrCaQuantum TLS: Automated ...
45. [2026/960] On the Communication Complexity of Sleepy Consensus
46. [2026/961] Delving Deep into Security Guarantees against ...
47. [2026/962] rBFT: a Revamped Two-Stage BFT from Delegated Committee
48. [2026/963] Multi-leveled and ISA/IEC 62443-aware Certificate ...
49. [2026/964] Beyond Quadratic: Unlocking Pseudorandomness with ...
50. [2026/965] Device Binding for Anonymous Credentials on Legacy ...
51. [2026/966] A New Multiscalar Multiplication Method Resistant ...
52. [2026/967] Revisiting Linear Subspace Trails in Poseidon
53. [2026/968] Frobenius-UOV: A Very Efficient Multivariate Public ...
54. [2026/969] Icy-DVRF: A Distributed Verifiable Random Function ...
55. [2026/970] Security Analysis on a Blockchain-based Public-Key ...
56. [2026/971] Explicit cost analysis of Toom-4 multiplication for ...
57. [2026/972] Breaking ACDGV MinRank Gabidulin encryption schemes ...
58. [2026/973] Asynchronous Lagrange-Based Threshold FHE with ...
## 2025/880
* Title: Optimistic Asynchronous Dynamic-committee Proactive Secret Sharing
* Authors: Bin Hu, Jianwei Liu, Zhenliang Lu, Qiang Tang, Zhuolun Xiang, Zongyang Zhang
* [Permalink](https://eprint.iacr.org/2025/880)
* [Download](https://eprint.iacr.org/2025/880.pdf)
### Abstract
Dynamic-committee Proactive Secret Sharing (DPSS) has gained increased attention for its ability to dynamically update the shareholder committees and refresh secret shares, even against adversaries that gradually corrupt all nodes. However, existing state-of-the-art asynchronous DPSS protocols suffer from significant $\mathcal{O}(n^3)$ message complexity and $\mathcal{O}(\lambda n^3)$ communication complexity, where $\lambda$ denotes the security parameter and $n$ is the committee size.
In this paper, we distinguish optimistic-case and worst-case scenarios based on node behaviors and network conditions, thus reducing the redundant communication overhead of asynchronous DPSS. Under the trusted setup assumption, we achieved an $\mathcal{O}(n^2)$ message complexity in all scenarios. Additionally, our protocol has an $\mathcal{O}(\lambda n^2)$ communication complexity in the optimistic case, where all nodes are honest and the network is synchronous, and $\mathcal{O}(\lambda n^3)$ communication complexity in the worst case. We also propose two strategies to eliminate the strong trusted setup assumptions, and the asymptotic performance still surpasses the state-of-the-art protocols. For committee sizes of 4 to 400, the estimated concrete communication cost of our DPSS is 19--100x (resp., 8--14x) smaller in the optimistic case (resp., worst case) compared to LongLive (USENIX Security '23). Experiments in AWS show that our DPSS achieves a latency of 1.9--8 seconds for committee sizes from 4 to 64. Single-machine benchmarks reveal a (computational) runtime reduction of up to 44\%.
## 2025/1504
* Title: On the $\gamma$-Spreadness of Average-Case to Worst-Case Transformations
* Authors: Hyun Ji Kwag, Jonghyun Kim, Changmin Lee, Jong Hwan Park
* [Permalink](https://eprint.iacr.org/2025/1504)
* [Download](https://eprint.iacr.org/2025/1504.pdf)
### Abstract
Achieving (at least) a worst-case correctness error is essential for an underlying public-key encryption (PKE) scheme to which the Fujisaki-Okamoto (FO) transformation is applied. There are three average-case to worst-case (ACWC) transformationsrCodenoted as $\mathsf{ACWC}_{0}$, $\mathsf{ACWC}_{1}$ (PKC 2023), and $\mathsf{ACWC}_{2}$ (TIFS 2023)-which generically convert a PKE scheme with an average-case correctness error into one with a worst-case correctness error. However, in these ACWC transformations the $\gamma$-spreadness, a critical factor in determining explicit rejection ($\mathsf{FO}^{\perp}$) or implicit rejection ($\mathsf{FO}^{\not\perp}$), has not been established with rigorous proofs. Existing analyses of $\gamma$-spreadness lack rigorous proofs, include analytical flaws, or fail to achieve the tightest possible bounds. In this work, we reprove the $\gamma$-spreadness of ACWC-transformed PKE schemes by leveraging two key facts: the random oracle is chosen at random and the encoding mechanism used in the ACWC framework is message-hiding. Our new proofs are applied to the previous NTRU-based PKE schemes, called $\mathsf{NTRU}\mbox{-}\mathsf{C}$, $\mathsf{NTRU}\mbox{-}\mathsf{B}$, and $\mathsf{NTRU+}$, giving the corrected $\gamma$-spreadness for those PKE schemes with concrete parameters.
## 2026/189
* Title: Threshold linear solving in small fields and application to UOV
* Authors: Paco Azevedo-Oliveira, Jordan Beraud, Pierre Varjabedian
* [Permalink](https://eprint.iacr.org/2026/189)
* [Download](https://eprint.iacr.org/2026/189.pdf)
### Abstract
Threshold signatures allow multiple parties to sign a common message by collaborating. More specifically, in a $(t,n)-$threshold signature scheme, at least $t$ out of $n$ parties must collaborate to sign a message. In particular, solving linear systems shared among some parties is a problem that naturally arises in threshold cryptography, and this paper proposes three algorithms for a set of parties to solve a shared linear system $Ax = b$ in finite fields of low characteristic.
The first two algorithms securely compute the determinant of a shared matrix using recent theoretical results on Newton's polynomials and by adapting an algorithm by Samuelson and Berkowitz. From these results, two algorithms can be deduced to solve the corresponding linear system. On the other hand, the third is a modification of an existing state-of-the-art algorithm.
Although pre-quantum threshold signature algorithms have been extensively studied, the state of the art in the creation of post-quantum threshold algorithms remains sparse. In particular, few papers have studied the creation of a threshold algorithm based on UOV, despite the simplicity of the scheme. The new algorithms presented in this paper enable other threshold instantiations of UOV and UOV-based schemes.
## 2026/202
* Title: ZKBoost: Zero-Knowledge Verifiable Training for XGBoost
* Authors: Nikolas Melissaris, Antigoni Polychroniadou, Akira Takahashi, Chenkai Weng, Jiayi Xu
* [Permalink](https://eprint.iacr.org/2026/202)
* [Download](https://eprint.iacr.org/2026/202.pdf)
### Abstract
Gradient boosted decision trees, particularly XGBoost, are among the most effective methods for tabular data. As deployment in sensitive settings increases, cryptographic guarantees of model integrity become essential. We present ZKBoost, the first zero-knowledge proof of training (zkPoT) protocol for XGBoost, enabling model owners to prove correct training on a committed dataset without revealing data or model parameters. Naively re-executing XGBoost training in ZK would incur prohibitive costs, primarily due to the oblivious partitioning of training samples and unknown tree splits. Moreover, previous work on ZKP of training and inference had subtle security issues, such as leakage of tree topology and soundness gaps allowing cheating model providers to deviate from the correct execution of training and inference. We make two key contributions to address these challenges: (1) a generic zkPoT template for XGBoost that can be instantiated with any general-purpose ZKP backend, significantly improving prover costs compared to naive re-execution of the training process; and (2) a VOLE-based instantiation that overcomes the security issues of previous ZK proofs of training at minimal costs. To maximize efficiency, we develop a fixed-point version of XGBoost, which is particularly well suited for efficient instantiation of ZKP, and show it matches standard XGBoost accuracy to within 1\% on real-world datasets.
## 2026/424
* Title: CRISP: Circuit-pRivate Single-Image Steganography with Permutations
* Authors: Shahzad Ahmad, Stefan Rass
* [Permalink](https://eprint.iacr.org/2026/424)
* [Download](https://eprint.iacr.org/2026/424.pdf)
### Abstract
We introduce $CRISP (\underline{C}ircuit-p\underline{R}ivate ~Single-\underline{I}mage~ \underline{S}teganography ~with ~\underline{P}ermutations),$ a provably secure homomorphic steganography scheme that addresses key limitations in existing approaches to private outsourced computation. CRISP operates under an explicit threat model: the cloud provider knows steganography is in use, knows the scheme, and knows the channel-assignment permutations; the only secret is the per-execution pixel position. This is the natural model for outsourced computation, where hiding the existence of stego content is logically incompatible with delegating the computation. The security goal is therefore positional and structural hiding under known-presence, not Cachin-style undetectability.
Within this model, current methods suffer from two problems: excessive image overhead and a complete lack of circuit privacy. The wire-per-image architecture used by ProSt requires a separate cover image for each circuit wire, and inadvertently fixes wire roles to specific images, exposing the underlying logical gate structure to an honest-but-curious cloud provider.
CRISP resolves these by embedding all three Fredkin gate inputs into the RGB channels of a \emph{single} cover image at a secret pixel position $(\mathit{row},\mathit{col})$, with all three outputs written to a single output image. Two independently sampled permutations control channel-to-role assignment: $\pi_{\mathrm{in}}$ before embedding and $\pi_{\mathrm{out}}$ after Fredkin computation. Both are public; circuit privacy comes from $\pi_{\mathrm{out}}$ being resampled independently per gate, which breaks the per-channel LSB-correlation attack that the Fredkin gate's control-bit pass-through would otherwise enable.
Our security analysis demonstrates that the adversary's advantage in inferring the embedded secret decays as $\Theta\!\left(1/(h{\times}w)\right)$, where $h{\times}w$ is the image resolution. We give a self-contained Bayesian proof of this bound, an explicit refutation of the na\"ive ``concatenate all LSBs'' attack, and a precise scope statement for the circuit privacy guarantee. Per gate, CRISP uses two images versus ProSt's six, a $3\times$ per-gate reduction. At the circuit level, the un-obfuscated 14-gate benchmark uses $33$ images versus ProSt's $47$ ($1.42\times$); the 17-gate obfuscated form uses $44$ versus $61$ ($1.39\times$). Larger circuits achieve higher reduction ratios as the source-image overhead amortises. Correctness, security, and efficiency are formally proved and experimentally validated.
## 2026/863
* Title: Conquering Bad Norms in RstOE: Pure-Database Substitution and Early-Defense
* Authors: Shuping Mao, Zhiyu Zhang, Peng Wang, Lei Hu, Luying Li, Ying Chen
* [Permalink](https://eprint.iacr.org/2026/863)
* [Download](https://eprint.iacr.org/2026/863.pdf)
### Abstract
The Recording Standard Oracle with Errors (RstOE) technique is a quantum-security proof technique that provides a structured framework for analyzing adversarial capabilities in quantum settings. For example, it can be applied to prove the quantum security of compressing pseudorandom functions. However, against adaptive quantum chosen-plaintext adversaries, traditional RstOE-based proofs may suffer from the ''trivialization of norm'' problem. In the RstOE analyses considered in this paper, this issue can be traced to three recurring causes: delayed evaluation of bad events, the presence of unrecorded external variables, and unconstrained independence among intermediate variables. To address this obstacle, we propose two refinements of the RstOE methodology, namely Pure-Database Substitution and Early-Defense. Pure-Database Substitution algebraically eliminates unrecorded external variables and reformulates collision constraints in terms of internal database records. Building on this substitution, Early-Defense moves the collision check to the point at which a new internal variable is sampled. Because the bad event then depends on this freshly generated quantum randomness, only a negligible fraction of the $2^n$ superposition branches satisfy the collision constraint. This reduces the amplitude of transitions into the bad subspace and avoids the $O(1)$ norm collapse. We demonstrate the method on TNT as a case study and outline extensions to EDMQ, EDMDQ, LRWQ, and QPMAC.
## 2026/922
* Title: Generic Construction of CCA-Secure PKE from Key-Insulated and Privacy-Preserving Signatures with Publicly Derived Public Key
* Authors: Ryo Mizuno, Keita Emura
* [Permalink](https://eprint.iacr.org/2026/922)
* [Download](https://eprint.iacr.org/2026/922.pdf)
### Abstract
To enhance the security of stealth addresses and protect user privacy, Liu et al. (EuroS&P 2019) proposed a Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Keys (PDPKS). In this scheme, the payee generates a master public/secret key pair, and the payer derives a public key from the payee's master public key and binds the cryptocurrency asset to the resulting derived public key. The payee then verifies, using the master secret key, whether the derived public key has been correctly generated from the master public key. In this paper, we show that a public-key encryption (PKE) scheme secure against chosen-ciphertext attacks (CCA) can be generically constructed from PDPKS. Specifically, we utilize unlinkability, which hides the master public key from which a derived public key originates, to conceal plaintext information from ciphertexts. We also simulate the decryption oracle by leveraging the derived public key checking algorithm. In addition, to guarantee the correctness of the proposed PKE scheme, we rely on the consistency of PDPKS introduced by Emura (IACR CiC 2025). Given the motivation behind PDPKS, namely the construction of stealth addresses in a provably secure manner, unlinkability is regarded as the core security property of PDPKS. Our result shows that achieving this core security property essentially requires CCA-secure PKE, or cryptographic primitives of equivalent strength, and that such primitives are indispensable for constructing PDPKS.
## 2026/923
* Title: Practical and Verifiable Encrypted Vector Search for Retrieval-Augmented Generation
* Authors: Xiangyu Hui, Xingliang Yuan, Olga Ohrimenko, Sid Chi-Kin Chau
* [Permalink](https://eprint.iacr.org/2026/923)
* [Download](https://eprint.iacr.org/2026/923.pdf)
### Abstract
Retrieval-augmented generation (RAG) systems critically depend on a vector-retrieval stage that selects relevant documents from a large
embedding database. When this stage is outsourced to a RAG-as-a-Service provider, query embeddings can reveal sensitive user intent,
the outsourced index can leak proprietary corpus information, and a malicious provider can silently manipulate retrieval results. This motivates privacy-preserving
verifiable retrieval. The client must be able to confirm that the
returned top-$k$ identifiers were produced by faithfully executing
an agreed approximate nearest neighbor (ANN) algorithm on a
committed encrypted index, while leaking no non-public database
information beyond the functional baseline induced by the returned
top-$k$ identifiers.
We present VeriANN, the \emph{first} encrypted ANN retrieval
framework, to our knowledge, that simultaneously achieves \emph{query privacy}, \emph{database confidentiality}, and \emph{verifiability of retrieval results} against malicious servers, under a
two-server non-colluding trust model. VeriANN couples distributed-point-function--based PIR over locality-sensitive
hashing indexes with authenticated garbled circuits, so that the
entire top-$k$ pipeline---bucket decryption, Merkle-root
reconstruction, frequency counting, and top-$k$ selection---is
executed obliviously and with end-to-end integrity. Making this
integration practical requires three new techniques: (i) a
sort-based hierarchical oblivious frequency-counting algorithm that
enables a distance-free post-processing stage, reducing top-$k$
aggregation from quadratic to quasi-linear complexity; (ii) an end-to-end authenticated verification design that binds
the full retrieval pipeline against selective-failure attacks while
reducing client-side verification to a single hash check against
the published Merkle root; and (iii) a modular state-pool design with an authenticated state-transfer mechanism that dynamically composes precomputed garbled states across query parameters while preserving cross-circuit verifiability. On million-scale corpora, VeriANN achieves second-scale end-to-end latency with KB-scale client-to-server communication, while adding minimal online
overhead over a non-verifiable baseline.
## 2026/924
* Title: RIC: Randomize Invalid Coefficients to Mitigate Side-Channel Assisted Chosen-Ciphertext Attacks on ML-KEM
* Authors: Junichi Sakamoto, Kentaro Imafuku
* [Permalink](https://eprint.iacr.org/2026/924)
* [Download](https://eprint.iacr.org/2026/924.pdf)
### Abstract
Module lattice-based key encapsulation mechanisms (ML-KEM) are susceptible to side-channel-assisted chosen-ciphertext attacks (SCA-CCAs) that exploit leakage from the re-encryption process during decapsulation.
These attacks enable adversaries to recover secret keys with hundreds to thousands of oracle accesses, thereby posing a critical threat to the practical deployment of post-quantum cryptography.
This paper presents RandInvalidCoeff, a novel and lightweight countermeasure that introduces randomness into the decryption function to mitigate SCA-CCAs.
By randomizing invalid coefficients in the decrypted message polynomial, RandInvalidCoeff injects probabilistic errors into side-channel observations, significantly reducing the attackerrCOs ability to perform reliable key recovery.
This randomization slightly increases the decryption failure rate (DFR). Nevertheless, our analysis shows that strong resistance can be achieved with an acceptable DFR of approximately $2^{-80}$.
We provide information-theoretic and statistical analyses of the countermeasure to quantify the reduction in information leakage for plaintext-checking (PC) and decryption-failure (DF) oracle attacks.
Furthermore, we performed PC- and DF-oracle attacks on an implementation with RandInvalidCoeff to validate the theoretical analysis, confirming that the proposed method achieves the expected countermeasure effect.
The results demonstrate that the number of observations required for successful key recovery increases by a factor of more than eight, with only a few percent performance overhead compared to unprotected implementations.
## 2026/925
* Title: LogVOLE: Succinct and Efficient Chosen-Input VOLE for ZK and Beyond
* Authors: Lucien K. L. Ng, Peter Rindal, Akash Shah
* [Permalink](https://eprint.iacr.org/2026/925)
* [Download](https://eprint.iacr.org/2026/925.pdf)
### Abstract
Random Vector Oblivious Linear Evaluation (VOLE) correlations are a widely used backend for zero-knowledge proofs and secure computation, and can now be generated with strong concrete efficiency. Many applications, however, need correlations on the receiverrCOs actual input. They therefore start from random VOLE and send a linear-size derandomization vector, which remains a main communication bottleneck.
We study chosen-input VOLE (CI-VOLE), where the receiver privately chooses a large vector \(\mathbf{x}\), the sender fixes \(\Delta\), and the parties obtain shares of \(\mathbf{x} \cdot \Delta\) without communicating a linear-size object. This work presents \(\textsf{LogVole}\), a concretely efficient CI-VOLE protocol with polylogarithmic end-to-end communication under Ring-LWE. The construction uses a recursive shrink/expand design: it authenticates short digests of the chosen input and then uses a succinct telescope to expand those relations back to the full vector. The protocol has \(O(\lambda \log^2(|\mathbf{x}| + m_{\mathrm{msg}}))\) one-time setup and query communication and \(O(|\mathbf{x}|/n)\) ring operations. Here, \(n\) is the underlying ring degree, \(\lambda\) is the computational security parameter, and \(m_{\mathrm{msg}}\) is the size of the shares.
\(\textsf{LogVole}\) also supports a public-key non-interactive mode: for a fixed \(\Delta\), the sender publishes reusable parameters, and a receiver sends one compact \(\mathbf{x}\)-dependent message to obtain the matching VOLE shares. This gives a route to non-interactive VOLE-based ZK with polylogarithmic communication for arbitrary circuits. We also give a malicious-security extension in the random oracle model.
Using \(\textsf{LogVole}\), we obtain the first concretely efficient VOLE-based ZK protocol with polylogarithmic communication for arbitrary circuits. At 128-bit computational and 40-bit statistical security, our implementation reaches 12.9 million \(\mathbb{Z}_p\) inputs/s, 9.0 million ZK multiplication gates/s on a 16-core machine, and proves \(1024 \times 1024\) matrix multiplication in about 4s with single-thread computation and 226 KB communication.
## 2026/926
* Title: Private Function Evaluation with Linear Complexity
* Authors: Shuaishuai Li, Cong Zhang, Anyu Wang, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2026/926)
* [Download](https://eprint.iacr.org/2026/926.pdf)
### Abstract
We present new frameworks for secure function evaluation (SFE) and private function evaluation (PFE) that support both Boolean and arithmetic circuits. While SFE requires multiple parties to jointly compute a \textit{public} circuit, PFE generalizes SFE by allowing one party to keep the circuit \textit{private}. Our work achieves the first linear-complexity PFE protocol with respect to both the number of parties $n$ and circuit size $m$, significantly improving upon prior PFE constructions that require $O(mn^2)$ complexity and are limited to Boolean circuits.
## 2026/927
* Title: Fully Homomorphic Encryption on the Ring of Gaussian Periods
* Authors: Yimeng He, San Ling, Yimin Shi, Benjamin Hong Meng Tan, Huaxiong Wang, Allen Siwei Yang
* [Permalink](https://eprint.iacr.org/2026/927)
* [Download](https://eprint.iacr.org/2026/927.pdf)
### Abstract
In Geelen and Vercauteren~(Eurocrypt 2025), a Generalized BFV~(GBFV) fully homomorphic encryption scheme was proposed. Here, a plaintext space of form $\mathbb{Z}[x]/(\Phi(x),t(x))$ was utilized to reduce the number of Single Instruction Multiple Data (SIMD) slots within the initial BFV plaintext space. This lowered its dimension and thus enabled lower latencies as well as greater flexibility in parameter selection. However, to obtain slots of degree $1$, the methods of Geelen and Vercauteren limit the choice of plaintext modulus to that of large primes, which can be unnecessary for various use cases.
To resolve this, we propose a generalized method to perform FHE based on a subring of the plaintext polynomial ring. We utilize the decomposition ring $\mathcal{O}_{\mathbf{K}}$, with which when taking quotient with a rational prime $p$, already factors into residual fields of dimension $1$. From here, we develop methods to perform FHE on subrings of the decomposition ring $\mathcal{O}_{\mathbf{K}}$, which we refer to as the decomposition subring $\mathcal{O}_{\mathbf{M}}$. We introduce novel methods to enable both encoding and decoding maps within the decomposition subring $\mathcal{O}_{\mathbf{M}} \subset \mathcal{O}_{\mathbf{K}}$. By utilizing $\mathcal{O}_{\mathbf{M}}$, we further lower the dimension of the underlying ring, improving upon efficiency while retaining sufficient security. In experiments, we provide a proof-of-concept implementation, demonstrating up to a $5.06 \times$ improvement in the latency of operations for selected parameters. This approach offers enhanced flexibility in the selection of parameters for FHE with the subring dimension being any suitable divisor of $r$. This direction also represents the first generalization of the subring approach for FHE.
## 2026/928
* Title: Wombat: Post-Quantum Blind Signature from Standard Group Action Assumptions and More
* Authors: Lucjan Hanzlik, Yi-Fu Lai, Eugenio Paracucchi, Edoardo Persichetti
* [Permalink](https://eprint.iacr.org/2026/928)
* [Download](https://eprint.iacr.org/2026/928.pdf)
### Abstract
A recent work by Hanzlik et al.~(Asiacrypt'25) introduced Tanuki, a family of blind-signature frameworks based on non-commutative cryptographic group actions. Tanuki develops new techniques to obtain concurrently secure blind signatures, and admits compact instantiations in two distinct regimes: (i) an isogeny-based instantiation from the CSI-FiSh group action with signatures of about 4.5 KB, and (ii) a code-based instantiation from LESS and the code-equivalence group action with signatures around 64 KB. To the best of our knowledge, these are the first efficient blind-signature constructions in the isogeny- and code-based settings that support concurrent executions.
Despite this advance, the Tanuki frameworks rely on a non-standard and interactive assumption, namely the so-called ``one more'' vectorization assumption. Given several structural attacks and vulnerabilities discovered in various group action instantiations, relying on non-standard assumptions can raise concerns.
In this work we present a new framework building upon Tanuki's techniques that achieves concurrent security while achieving better performance, and relying only on the standard group action hardness assumption, the vectorization problem (also known as the group action inversion problem). For the LESS instantiation, we apply dedicated code-based techniques to reduce signature sizes by a factor of 14.5. These improvements come with rigorous reductions to the standard problem, do not weaken the security claims, and are directly applicable to the LESS instantiations of Tanuki. As a result, our isogeny-based and code-based instantiations yield signature sizes of 8.89 and 8.84 KB, respectively, and retain concurrent security under the standard group-action inversion assumption.
## 2026/929
* Title: On the Statistical vs. Computational Security of the DKLs23 Multiparty ECDSA Protocol
* Authors: Gil Segev
* [Permalink](https://eprint.iacr.org/2026/929)
* [Download](https://eprint.iacr.org/2026/929.pdf)
### Abstract
The DKLs23 protocol (Doerner, Kondi, Lee and shelat, IEEE S&P '24) is a state-of-the-art multiparty ECDSA signing protocol. Due to its exceptional combination of simplicity, efficiency, and statistical UC security within an elegant hybrid model providing access to standard ideal functionalities, it is rapidly seeing widespread adoption.
We provide a comprehensive security analysis of the DKLs23 protocol, showing that although it is not statistically secure as originally claimed, it is nevertheless computationally secure, and can be made statistically secure via a lightweight refinement. Our contributions are as follows:
-- Statistical insecurity: Within the hybrid model utilized for the original analysis, we construct a computationally-unbounded "split-view" adversary that successfully attacks the protocol by causing two or more honest parties to output different valid signatures on the same message (specifically, signatures with independent nonces). Considering any ideal ECDSA signing functionality that outputs a single signature per session, such an attack cannot be simulated in the ideal model, and thus the protocol is not statistically secure.
-- Computational security: We prove that the protocol is nevertheless computationally secure based on the assumption that ECDSA is strongly unforgeable up to sign (i.e., up to the trivial $(r, \pm s)$ malleability), as defined by Groth and Shoup (EUROCRYPT '22). Specifically, complementing our split-view attack, we show that any adversary for which the protocol's execution is distinguishable from its ideal-model simulation can be efficiently transformed into an algorithm that breaks the strong unforgeability up to sign of ECDSA.
-- A refined statistically-secure protocol: Identifying the root cause of our split-view attack, we present a refined protocol that is statistically secure. Our refinement incorporates a lightweight consistency check, where each party sends a single group element as part of the protocol's third-round message. Our refinement additionally introduces a relaxed zero-sharing functionality that serves as a drop-in replacement for the original protocol's zero-sharing functionality. We show that this relaxed functionality can be unconditionally realized by a simple one-round protocol (executed in parallel with the first round of signing) without a dedicated setup or pre-shared seeds. Consequently, when paired with a compatible (e.g., Paillier-based) VOLE instantiation, this eliminates the need for long-term secure pairwise storage across the entire signing protocol.
## 2026/930
* Title: Improved Quantum Attacks on Iterated Even-Mansour Ciphers with Classical Queries
* Authors: Mathieu Degr|-, Alis|-e Lafontaine, Aurel Pichollet--Mugnier, Andr|- Schrottenloher
* [Permalink](https://eprint.iacr.org/2026/930)
* [Download](https://eprint.iacr.org/2026/930.pdf)
### Abstract
The Even-Mansour cipher is a construction of a keyed pseudorandom permutation from a random unkeyed permutation. Its generalization to multiple rounds, known as iterated Even-Mansour or key-alternating cipher, is an important abstraction in block cipher design. Yet, while the security of single-round Even-Mansour is tight in the quantum setting (with attacks matching security proofs), much less is known on multi-round versions.
In this paper we study the quantum security of iterated Even-Mansour ciphers with two keys (the key-schedule alternates between two independent keys), which model concrete block ciphers like LED. We give the first quantum attacks improving asymptotically over exhaustive key search for 4 to 6 rounds.
On 4 rounds, we present three attacks: two using collision search and one using a quantum version of the multibridge attack of Dinur, Dunkelman, Keller and Shamir (ASIACRYPT 2014), which relies on a quantum walk. The latter reaches up to a quantum time $2^{7n/9}$ where $n$ is the block size, compared to $2^n$ of exhaustive key search.
On 6 rounds, we present an attack of quantum time $2^{n} / \sqrt{\log n}$, adapting classical attacks based on multicollisions. In both cases, our new attacks require only classical known-plaintext queries.
## 2026/931
* Title: Fair Multiparty Coin Tossing from Minimal Assumptions
* Authors: Marshall Ball, Miranda Christ, Yevgeniy Dodis, Rachit Garg
* [Permalink](https://eprint.iacr.org/2026/931)
* [Download](https://eprint.iacr.org/2026/931.pdf)
### Abstract
Coin flipping in the presence of a dishonest majority is a fundamental cryptographic primitive whose requirements lack a clean characterization. Recent work (Bonneau et al., Eurocrypt 2025) showed a lower bound that fair dishonest-majority coin-flipping implies delay functions. However, until now known upper bounds exhibited a significant gap: All existing protocols rely on assumptions that we do not know how to instantiate in the plain model.
In this work, we close this gap. Specifically, we show that fair $n$-party coin flipping in the presence of up to $n-1$ malicious corruptions follows from the minimal assumption of delay functions. This completes the equivalence between delay functions and fair dishonest-majority coin-flipping protocols.
## 2026/932
* Title: Zephyr: GPU-Efficient Homomorphic Encryption for Privacy-Preserving Transformer Inference
* Authors: Sieun Seo, Chohong Min
* [Permalink](https://eprint.iacr.org/2026/932)
* [Download](https://eprint.iacr.org/2026/932.pdf)
### Abstract
Privacy-preserving machine learning (PPML) enables inference over sensitive data without exposing raw inputs, with CKKS being a widely adopted scheme for approximate arithmetic. However, existing CKKS implementations are primarily based on 64-bit residue number system (RNS) representations, creating a mismatch with modern GPUs optimized for 32-bit integer arithmetic. This mismatch introduces substantial computational overhead, limiting the practicality of encrypted transformer inference.
In this work, we present Zephyr, a GPU-efficient framework for homomorphic transformer inference via 32-bit arithmetic and grafting. Zephyr revisits the design of CKKS under GPU constraints and introduces a grafting-based representation that decouples scale management from the modulus chain. By constructing the RNS basis entirely with 30-bit primes and managing scale through auxiliary graft structures, Zephyr enables flexible rescaling while remaining compatible with efficient 32-bit GPU execution.
Compared to Cheddar (Choi et al., ASPLOSrCO26), a representative GPU-oriented CKKS design based on fixed 25-30 prime systems, our approach simplifies modulus management and enables more flexible operations across different levels, while reducing rescaling overhead at the cost of additional convolution overhead.
We further optimize ciphertext-ciphertext matrix multiplication (CCMM), a major bottleneck in encrypted transformer inference, by eliminating redundant linear transformations and merging overlapping rotation patterns in attention computation. Our theoretical and empirical analysis demonstrates that grafting-based 32-bit CKKS provides a practical and flexible design point for GPU-accelerated PPML inference.
## 2026/933
* Title: BitVM3: Efficient Bitcoin Bridges via Garbled Circuits
* Authors: Robin Linus Woll, Ioannis Alexopoulos, Lukas Aumayr, Zeta Avarikioti, Matteo Maffei, David Tse
* [Permalink](https://eprint.iacr.org/2026/933)
* [Download](https://eprint.iacr.org/2026/933.pdf)
### Abstract
Bitcoin bridges, protocols that lock BTC on Bitcoin and represent it on a secondary system, underpin much of Bitcoin's application layer, yet remain poorly secured. Deployed bridges rely on federated custody with honest-majority assumptions, while BitVM2, the state of the art in trust-minimized bridging, incurs worst-case dispute costs of approximately \$16,000, requiring large operator bonds and deposits that restrict participation to well-capitalized parties.
We present BitVM3-BRIDGE, a trust-minimized bridge architecture from Bitcoin to (i) chains with finality certificates, such as Ethereum, and (ii) Bitcoin rollups. Our main contribution is an end-to-end bridge construction that makes trust-minimized Bitcoin bridging practical at scale. The bridge is powered by BitVM3-CORE, a modular abstraction for permissionless off-chain computation on Bitcoin using garbled circuits. In BitVM3-CORE, a challenger evaluates a garbled circuit entirely off-chain and obtains a fraud-proof witness if and only if the operator's claim is incorrect. This paradigm reduces total on-chain costs to approximately \$9, with the challenge transaction itself costing just \$0.20. This nearly 1000|u cost reduction enables smaller bonds, broader operator participation, and smaller deposit sizes.
Beyond the bridge itself, we make two additional contributions. First, we formalize BitVM3-CORE as a sound and complete on-chain proof system under standard cryptographic assumptions. Prior GC-based proposals typically provide either informal security arguments or construction-specific formalizations; by contrast, our framework captures existing constructions within a uniform model and gives a generic treatment based on axiomatized security and functional assumptions. Second, we introduce an on-chain Bitcoin light client secure in the variable-difficulty setting, enabling permissionless chain introspection on Bitcoin and thereby the rollup variant of BitVM3-BRIDGE.
## 2026/934
* Title: First-Order Masked Fine-Shuffling Implementation Against Side-Channel Attacks with Application to ML-KEM
* Authors: Noura Ait Manssour, Souhayl Ben El Haj Soulami, Sylvain Duquesne, Guillaume Fumaroli
* [Permalink](https://eprint.iacr.org/2026/934)
* [Download](https://eprint.iacr.org/2026/934.pdf)
### Abstract
In 2020, Ravi et al. [23] published three shuffling variants with each offering a different performance-security trade-off for protecting the Numeric theoretic Transform (NTT). Among them, the fine-shuffling was proposed as the lightweight variant. The idea is to randomise the order of loading and storing the operands of the butterfly computation using conditional swapping based on random control bit. However, as noted by the authors themselves, basic fine-shuffling implementation suffered from an obvious attack on the conditional swapping mask. So they introduced the bitwise-fine-shuffling to fix this issue. In this paper, we break this implementation using a template attack. The idea is to aggregate the leakage from the 16 bitwise AND operations used to construct the swap mask. The attack has been performed both on simulation and on a STM32F303 target. Then, we propose a masked fine-shuffling variant to protect the fine-shuffling operation. The idea is to mask the secret-dependent memory accesses and apply the swap mask over its boolean sharing instead. The implementation is proven secure against first-order attacks in the probing model. The implementation has been benchmarked on an ARM-Cortex-M4 processor and incurs a total overhead of 25% on the entire ML-KEM768 decapsulation algorithm, compared with 51% overhead for the defeated bitwise-fine-shuffling of[23].
## 2026/935
* Title: SoK: Private LLM Inference using Approximate Homomorphic Encryption
* Authors: Ahmad Al Badawi, Andreea Alexandru, Yuriy Polyakov, Vinod Vaikuntanathan
* [Permalink](https://eprint.iacr.org/2026/935)
* [Download](https://eprint.iacr.org/2026/935.pdf)
### Abstract
Although recent surveys on privacy-enhancing technologies concluded that FHE cannot feasibly evaluate non-linear activation functions in modern ML architectures, 20 CKKS-based frameworks have since demonstrated end-to-end private inference of LLMs with up to 8B parameters. However, as the field grows rapidly, the literature has become fragmented. Frameworks differ in ciphertext packing layouts, model fidelity, software and hardware stacks, and reported metrics, which hinder direct comparison and reproducibility. This paper presents the first systematization of knowledge for non-interactive, CKKS-based private LLM inference. We categorize the design space across two axes: a model-level axis (packing layout for linear blocks and model preservation for non-linear blocks) and a system-level axis (covering hardware, compilers, bootstrapping management, and hybrid execution). To standardize reporting framework configurations and results among researchers, we propose a Private LLM Card System (PLCS). Furthermore, we introduce POLARIS, a model-preserving reference framework for CKKS-based private LLM inference and provide it as an open-source proof-of-concept. In its current version, POLARIS supports encrypted inference for BERT-Tiny and BERT-Mini and leverages GPU acceleration for enhanced performance.
Our analysis suggests that only about 20% of surveyed implementations are model-preserving, that is, they evaluate standard, unmodified LLMs without retraining or architectural substitutions. We also show that model-preserving CKKS approximations maintain high downstream task accuracy from BERT-Tiny up to Llama-3-8B. We identify a runtime gap of roughly four orders of magnitude between encrypted and plaintext inference as the primary barrier to practical use. While our analysis confirms that CKKS-based inference is now algorithmically feasible for non-linear functions and large models, we conclude that it remains operationally impractical for many human-facing applications until the efficiency gap is narrowed. We outline promising research directions to close this gap.
## 2026/936
* Title: Efficient and Privacy-preserving Outsourced Training of Decision Tree Models Based on (Leveled) Fully Homomorphic Encryption
* Authors: Tongyu Xu, Jun Wang, Honglian Liang, Shiwei Xu
* [Permalink](https://eprint.iacr.org/2026/936)
* [Download](https://eprint.iacr.org/2026/936.pdf)
### Abstract
Training machine learning models is computationally intensive, making cloud-based outsourcing an attractive solution to alleviate local resource constraints. However, untrusted cloud environments pose serious privacy risks to both training data and resulting models. Existing works primarily rely on multi-party computation (MPC) or lattice-based Homomorphic Encryption (HE), which often incur high communication or computation overheads. To address these challenges, we propose an efficient privacy-preserving scheme for outsourced decision tree training. Specifically, we leverage Symmetric Homomorphic Encryption (SHE) to achieve faster training speed. However, since SHE only supports integer-based homomorphic operations, we propose a Modified Gini Impurity Index (MGII) to adapt to this restriction and use Single Instruction Multiple Data (SIMD) packing to accelerate processing. Experimental results demonstrate that our scheme significantly reduces overall execution time compared to related works and achieves comparable (and for deeper trees, better) accuracy, while security analysis confirms that data and model confidentiality are preserved.
## 2026/937
* Title: Pseudonymization and reportersrCO protection by design in the EU whistleblower directive
* Authors: Miros+eaw Kuty+eowski, Gabriel Wechta
* [Permalink](https://eprint.iacr.org/2026/937)
* [Download](https://eprint.iacr.org/2026/937.pdf)
### Abstract
The EU Whistleblower Directive aims to create a framework where the persons reporting breaches of EU law are protected against retaliation. In contrast to GDPR, it is mainly based on trust assumptions and not on the concept of privacy and security by design. As we are explicitly dealing with problems of unlawful behavior, this is a critical issue. In this paper, we analyze the role of pseudonymization, the main technical tool promoted in the GDPR, within the Whistleblower Directive. To see the real impact of the Directive, we analyze how these issues are reflected in the national law in Germany and Poland. We show that the current law does not take advantage of the opportunities given by pseudonymization and does not create a clear legal framework that can be converted to problem-relevant technical requirements. Even worse, it allows the Member States to ban anonymous reports. On the other hand, we show that so far, no pseudonymization tool developed within official ID management frameworks addresses all threats to reporting systems.
## 2026/938
* Title: Storing Less in-the-Head: An Area-Efficient Hardware Architecture for SDitH-v2
* Authors: Stef Halmans, Niklas H||her, Dina Hesse, Sanjay Deshpande, Jakub Szefer, Tim G|+neysu
* [Permalink](https://eprint.iacr.org/2026/938)
* [Download](https://eprint.iacr.org/2026/938.pdf)
### Abstract
In 2022, the National Institute of Standards and Technology (NIST) initiated a second call for post-quantum digital signature proposals to broaden algorithmic diversity beyond the already standardized schemes based on structured lattices and hashes. Among the 14 candidates, five are built on the MPC-in-the-Head paradigm. While theoretically promising, available results on their implementation costs imply a reduced applicability to resource-constrained embedded devices.
In this work we analyze the revised second version of the Syndrome Decoding in the Head (SDitH) signature scheme based on the VOLE-in-the-Head framework and showcase that these issues are not inherent to the family of algorithms. We propose an area-efficient hardware design including highly optimized variants of both Batch Line Commitment (BLC) and Polynomial Interactive Oracle Proof (PIOP) routines. As a result, we manage to reduce memory requirements by an order of magnitude compared to hardware implementations of other MPCitH and code-based signature schemes. Most notably, with respect to the previous hardware implementation of SDitH-v1 we improve SRAM usage by a factor of 82 to 104, while still achieving competitive runtimes. Furthermore, many of our proposed techniques are similarly applicable in order to reduce memory usage of software implementations.
During the design process, we determined nine significant discrepancies between the specification and reference implementation of SDitH-v2, with a subset of them breaking test vector compatibility. In addition to addressing these issues, we suggest a set of possible specification changes which can help to further reduce resource usage on embedded targets without compromising security assumptions.
## 2026/939
* Title: More Efficient SNARKs via Quasi-Abelian Codes: Faster, Smaller, and Field-Agnostic
* Authors: Zhe Li, Hongqing Liu, Chaoping Xing, Yizhou Yao, Chen Yuan
* [Permalink](https://eprint.iacr.org/2026/939)
* [Download](https://eprint.iacr.org/2026/939.pdf)
### Abstract
Linear error-correcting codes play a crucial role in building practical non-interactive arguments of knowledge (SNARKs) with transparent setup, and plausible post-quantum security. Basically, the key to practical efficiency is a linear code with a concretely fast encoding and a high minimum distance. However, to date, none of the candidate codes achieves the best of the two worlds: codes with provable high minimum distance, e.g., Reed-Solomon codes, suffer from quasi-linear time encoding, while linear-time encodable codes, e.g., Spielman's code, have low provable minimum distance.
In this work, we resolve this problem by explicitly constructing a family of Quasi-Abelian (QA) codes over {\em arbitrarily} large prime fields with concretely high minimum distance and practically efficient encoding algorithms. At the heart of our technical contribution is a fine-grained analysis on the concrete minimum distance of random QA codes of rank $1$ and index $c$ over group ring $\mathbb{F}_p[\mathbb{Z}_2^n]$. We show that in practical regimes it attains the well-known Gilbert-Varshamov bound up to a small constant gap $n/(c\log_2{p})$. Concretely, with probability $\ge1-2^{-127}$, our random QA code over a $128$-bit sized prime field with $n=20$, achieves relative minimum distance at least $0.4142,0.6070,0.7040$ for code rate $1/2,1/3,1/4$, respectively.
In comparison, Spielman's code only achieves a minimum distance $0.1$ for code rate $1/2$ in the same setting by the state-of-the-art analyses.
We give practically efficient encoding algorithms for QA code over $\mathbb{F}_p[\mathbb{Z}_2^n]$ by leveraging Walsh-Hadamard Transform. Specifically, for code length $c\cdot 2^n$ and rate $1/c$, our encoding only needs $cn\cdot 2^n$ additions/subtractions and $(c-1)\cdot 2^n$ multiplications over $\Fp$, which turns out to be concretely faster than Spielman's code. For encoding a message of length $2^{20}$ over a $256$-bit prime field, our QA code with rate $1/2$ only takes $250$ ms, while Spielman's code with rate $0.65, 1/2$ needs $410$ ms, $890$ ms, respectively.
We then follow the framework of Brakedown (CRYPTO 2023) to build SNARKs over large prime fields from QA codes. For proving ECDSA verification over the scalar field of Curve25519 ($\approx 2^{16}$ constraints), our SNARK needs only $1.44$ second in proving, $0.08$ second in verification, and a proof size of $3.2$ MB. In comparison, Brakedown needs $1.6$ second, $0.24$ second, and $7.48$ MB, respectively.
## 2026/940
* Title: Efficiently deciding and recovering CCZ and EA equivalence for arbitrary vectorial Boolean functions using the partition refinement framework
* Authors: Nikolay Kaleyski, Joakim Sunde
* [Permalink](https://eprint.iacr.org/2026/940)
* [Download](https://eprint.iacr.org/2026/940.pdf)
### Abstract
We propose an algorithm based on the partition refinement framework for testing and recovering CCZ and EA equivalence between a pair of vectorial Boolean functions. In contrast to existing approaches, our method can be used for any pair of functions regardless of their algebraic degree, image size and other properties, and it outperforms all currently known algorithms in terms of time and memory. The algorithm can also compute the automorphism group of the functions efficiently. Our implementation is available at https://github.com/zskiley/CCZ-EA-equivalence
## 2026/941
* Title: MAYA: A Short Shuffle Argument With Fast Verification
* Authors: Thi Van Thao Doan, Olivier Pereira, Thomas Peters
* [Permalink](https://eprint.iacr.org/2026/941)
* [Download](https://eprint.iacr.org/2026/941.pdf)
### Abstract
Shuffle arguments account for the largest part of the audit data of end-to-end verifiable elections when simple homomorphic tallying cannot be applied. The mixnets that have been deployed in government or public elections (e.g., in Australia, Estonia, Israel, Norway, Spain or Switzerland), generate proofs with a size that scales linearly with the number of ciphertexts, and account for GB of data when millions of ciphertexts need to be shuffled.
We present MAYA, a shuffle argument with O(log n) communication complexity and a transparent setup requiring no trusted parameters, making the currently dominant cost of the shuffle argument a small fraction of the audit data size and verification time. Our construction instantiates a commitment-consistent shuffle framework using a succinct argument based on generalized k-ary folding that efficiently supports an arbitrary number of ciphertexts, while preserving the aggregation structure used in operational mixnet deployments.
We implement MAYA in Rust and compare it with Verificatum, the current state-of-the-art and heavily-optimized mixnet implementation. For n = 10^6 ciphertexts, our implementation produces arguments whose length is .002% of those of Verificatum, have a similar computation time, and require only 12% of the Verificatum argument verification time. Overall, MAYA considerably reduces the cost of hosting election verification data and speeds-up the election verification process, supporting effective election verification.
## 2026/942
* Title: On the Investigation of Variants for Discrete Logarithm Problems in Abelian Groups: An Algebraic Structure Approach
* Authors: Denis Wong Chee Keong, Low Lik How
* [Permalink](https://eprint.iacr.org/2026/942)
* [Download](https://eprint.iacr.org/2026/942.pdf)
### Abstract
In this work, we investigate variants of the discrete logarithm problem (DLP) based on different algebraic group properties. We demonstrate that within abelian groupsrCoparticularly cyclic groupsrCothe problems $\text{DLP}^2$ and, more generally, $\text{DLP}^n$
are polynomially reducible to solving multiple instances of the classical DLP. This result confirms that multi-generator variants in abelian settings inherit the vulnerabilities of the conventional DLP and therefore provide no additional resistance against quantum attacks such as ShorrCOs algorithm.
Motivated by this limitation, we propose that $\text{DLP}^n$ should instead be formulated in non-abelian groups.
Specifically, let $G$ be a non-abelian group. Given generators $g_1, g_2, \dots , g_n \in G$ of cyclic subgroups $H_1, H_2, \dots, H_n$ of $G$, respectively, and an element $A \in G$, the problem is to find $(\alpha_1, \alpha_2, \dots , \alpha_n)$ such that $A = \prod_{i=1}^n g_i^{\alpha_i}$, where $0 \leq \alpha_i <|H_i|$.
This formulation leverages the non-commutative structure of
$G$, which may obstruct reductions that trivialize multi-generator variants in abelian groups. Our findings strongly motivate the exploration of quantum-resistant cryptographic primitives in non-commutative algebraic structures, as these settings may evade known quantum attacks and provide new hardness assumptions for post-quantum security.
## 2026/943
* Title: Optimized G+G Signature
* Authors: Renjie Jin, Shuoqu Jian, Longjiang Qu
* [Permalink](https://eprint.iacr.org/2026/943)
* [Download](https://eprint.iacr.org/2026/943.pdf)
### Abstract
At ASIACRYPT 2023, Devevey, Passel|?gue and Stehl|- proposed the G+G signature, which is designed based on the Fiat-Shamir transform without rejection sampling technique. However, the optimization of the G+G signature have not been studied as extensively as those of Lyubashevsky-type signatures.
The contribution of this work is the integration of the Asymmetric Learning with Errors (ALWE) problem into the key generation phase of the G+G signature. We present a more precise estimation method for the largest singular value of the secret key and introduce a new non-spherical Gaussian distribution to characterize the signature distribution. Experimental results demonstrate that, under parameters ensuring the same security level, our optimized G+G variant reduces the signature size by approximately 25%.
## 2026/944
* Title: On MPC-friendly Softmax
* Authors: Marcel Keller, Ke Sun
* [Permalink](https://eprint.iacr.org/2026/944)
* [Download](https://eprint.iacr.org/2026/944.pdf)
### Abstract
Softmax is widely used in deep learning to map some representation to a probability distribution. As it is based on the exponential function, which is relatively expensive in multi-party computation, Mohassel and Zhang (S&P, 2017) proposed a simpler replacement based on ReLU (the maximum of the input and zero) to be used in secure computation. Later works (e.g., Wagh et al., PETS 2019 and 2021) used the softmax replacement not for computing the output probability distribution but for approximating the gradient in backpropagation. In this work, we analyze the two uses of the replacement and compare them to softmax, both in terms of accuracy and cost in multi-party computation. We found that the replacement only provides a significant speed-up for a one-layer network, while it always reduces accuracy, sometimes significantly. Thus, we conclude that its usefulness is limited, and one should use the original softmax function instead. We also present a novel protocol for secure exponentiation that reduces communication up to fourfold while preserving accuracy when used for softmax.
## 2026/945
* Title: Threshold PRISM Signature Schemes via Graph-Based Threshold Access Structures
* Authors: Hyeonhak Kim, Won Kim, Changmin Lee
* [Permalink](https://eprint.iacr.org/2026/945)
* [Download](https://eprint.iacr.org/2026/945.pdf)
### Abstract
Threshold signatures for distributed systems require compact public keys and signatures to reduce communication overhead by avoiding packet fragmentation.
However, with existing post-quantum threshold signatures, either the public key or the signature no longer fits within a single unfragmented network packet.
In this work, we present Threshold PRISM, an isogeny-based post-quantum threshold signature scheme whose public keys and signatures both fit within a single unfragmented network packet at every NIST security level.
To the best of our knowledge, Threshold PRISM is the first post-quantum threshold signature scheme to do so, with arbitrary number of parties.
While isogeny-based signatures such as SQIsign and PRISM are known for exceptionally compact public keys and signatures, their algebraic structure makes thresholdization for general number of parties highly nontrivial.
We address this challenge by introducing a novel graph-based threshold access structure tailored to the isogeny setting.
Across our various parameter choices with trade-off between signing speed and size of public key and signature, at NIST security levels I/III/V, our constructions achieve public keys of 65-129/97-193/129-257 bytes and signatures of 159-222/239-335/319-447 bytes, respectively.
Among the schemes submitted to the NIST MPTC (Multi-Party Threshold Cryptography) Round-1 call whose public keys fit within a single unfragmented network packet, our constructions achieve the smallest signature sizes.
We also provide a proof-of-concept implementation of Threshold PRISM.
## 2026/946
* Title: Constant-Round Secure Distributed Decoding and HQC Threshold Decryption
* Authors: Pascal Giorgi, Fabien Laguillaumie, Lucas Ottow, Damien Vergnaud
* [Permalink](https://eprint.iacr.org/2026/946)
* [Download](https://eprint.iacr.org/2026/946.pdf)
### Abstract
Threshold public-key encryption schemes enable decryption only with the participation of enough partial secret key holders. In this article, we propose the first dedicated protocol for distributed decryption of HQC ciphertexts. This protocol is perfectly correct and does not leak any information about the shared secret key. This leads to the first threshold cryptosystem based on HQC. To this end, we present protocols for securely decoding shared erroneous words of both Reed-Muller and Reed-Solomon codes. Such decodings require to develop novel techniques for specific multiparty computations in fields of characteristic 2. For distributed Reed-Muller decoding, we develop a majority computing protocol. For distributed Reed-Solomon decoding, we propose a novel protocol for securely solving Pad|- approximants over shared polynomials. Beyond their immediate application to HQC, our results enable new techniques in secure distributed computation over structured algebraic objects, and may find independent applications in advanced cryptographic protocols.
## 2026/947
* Title: Efficient SIMD Implementation of the BLS Signature Scheme Using Intel AVX-512
* Authors: Ganqin Liu, Hao Cheng, Georgios Fotiadis, Jipeng Zhang, Johann Gro|fsch|ndl
* [Permalink](https://eprint.iacr.org/2026/947)
* [Download](https://eprint.iacr.org/2026/947.pdf)
### Abstract
The BLS digital signature scheme, in particular its instantiation with the BLS12-381 curve, has become a cornerstone of modern blockchain protocols such as Ethereum Proof-of-Stake, due to its unique and attractive characteristics (e.g., support for non-interactive signature aggregation). Recently, Cheng et al. (CHES 2025) demonstrated that the enormous Single-Instruction-Multiple-Data (SIMD) computing power of the Intel AVX-512 extensions, when combined with carefully-designed vectorization strategies, can be effectively leveraged to speed up the computation of the optimal ate pairing on BLS12-381, a major component of BLS. This naturally raises the question of whether such SIMD-parallel processing can be exploited more extensively to benefit the entire BLS signature scheme. The present paper answers this question positively by presenting a highly SIMD-optimized BLS implementation using Intel AVX-512, especially the AVX-512IFMA instructions. In order to harness AVX-512 more efficiently for the performance-critical operations of BLS, we explored a wide range of optimization options, including various formulas and vectorization granularities for elliptic curve arithmetic operations, scalar multiplication, and hash-to-curve, as well as the fine-tuning and flexible use of different implementations of the finite-field arithmetic. Benchmarking results collected on an Intel Core i3-1005G1 ("Ice Lake") CPU show that our vectorized BLS software using AVX-512 is at least 1.57 times faster than an x64 assembly implementation of the widely-used blst library.
## 2026/948
* Title: Anamorphic Construction For The Winternitz OTS Scheme Family
* Authors: Lucas Mayr, Jo|uo Gabriel Feres, Bruno Bianchi Pagani, Ricardo Cust||dio
* [Permalink](https://eprint.iacr.org/2026/948)
* [Download](https://eprint.iacr.org/2026/948.pdf)
### Abstract
The Winternitz One-Time Signature~(WOTS) scheme is a fundamental primitive in post-quantum cryptography that relies solely on the security of its hash function, has been standardized, and serves as a critical building block for standardized hash-based signatures such as XMSS, LMS, and SPHINCS. However, schemes are traditionally analyzed under the assumption that their private keys are correctly utilized and kept secure. This assumption is broken when facing an adversary with high surveillance capabilities that can order the disclosure of users' private keys. Anamorphic cryptography is a branch of covert communication research that investigates how cryptography operates in such adversarial settings. In this article, we propose the first anamorphic constructions for the WOTS family of signature schemes and show that these constructions are indistinguishable from their traditional counterparts. We formalize these constructions within a game-based framework and prove their security under standard anamorphic assumptions, showing that the resulting schemes satisfy anamorphic indistinguishability. Lastly, we briefly discuss and compare the anamorphic length capabilities and the characteristics of each construction method. Our results show that WOTS and its variants can support an anamorphic covert channel that is resilient in highly adversarial environments.
## 2026/949
* Title: Quantum Circuit Realization and Grover Cryptanalysis of the Hybrid ARX-SPN Cipher GFSPX
* Authors: Ibrahim Ulgen, Hasan Ozgur Cildiroglu, O-fuz Yayla
* [Permalink](https://eprint.iacr.org/2026/949)
* [Download](https://eprint.iacr.org/2026/949.pdf)
### Abstract
The security of classical symmetric-key primitives is fundamentally challenged by
the emergence of quantum computing, necessitating a rigorous evaluation of their
post-quantum resilience. This paper presents a comprehensive quantum circuit realization and Grover cryptanalysis of GFSPX, a lightweight block cipher featuring a 64-bit data block and a 128-bit secret key. GFSPX utilizes a unique hybrid
architecture that integrates a 4-branch generalized Feistel structure with both Addition-Rotation-XOR (ARX) and Substitution-Permutation Network (SPN) components. Our quantum implementation optimizes resource distribution by exploiting the inherent reversibility of the Feistel network and employing a compact ripple-carry adder for the ARX layers. The proposed architecture achieves
a qubit-optimized footprint of 209 qubits with a baseline quantum cost of 32,498
and a circuit depth of 7,617. To evaluate the cipherrCOs resistance against quantum
adversaries, we construct a parallelized Grover oracle using three plaintextciphertext pairs to eliminate spurious matches. Our analysis reveals that the
total quantum cost of a key-recovery attack on GFSPX is 1.12 |u 2^{159} quantum gates. Although this cost falls below the NIST Level 1 security threshold of 2^{170},
the hybrid ARX-SPN design demonstrates a higher quantum attack resistance
among other lightweight designs. These findings provide critical insights into the
balance between classical efficiency and quantum resilience in next-generation cryptographic designs for resource-constrained environments.
## 2026/950
* Title: Beyond the Anonymous Inbox: Secure Whistleblowing for All
* Authors: Gabriel Wechta, Miros+eaw Kuty+eowski, Tomasz Lizurej, Ewa Syta
* [Permalink](https://eprint.iacr.org/2026/950)
* [Download](https://eprint.iacr.org/2026/950.pdf)
### Abstract
Directive (EU) 2019/1937 mandates reporting channels that do substantially more than accept a one-shot anonymous report submission. A compliant system must protect the confidentiality of the report and the reporting person, restrict submission to entitled persons, enforce prescribed workflows under statutory deadlines, and maintain auditable records of the reporting process. Existing whistleblowing tools typically address only fragments of these requirements, often reducing the problem to an anonymous inbox or web form. To our knowledge, no existing system addresses whistleblowing's full procedural and security requirements within a single integrated design.
We adopt a compliance-driven approach in which the Directive is treated as a normative source of system requirements rather than as background motivation. From Directive-mandated procedures, assets, and threats we derive, we propose a threat model, a set of security goals tailored to directive-compliant whistleblowing, and formalize the whistleblowing process.
We then propose a concrete Whistleblowing System architecture that separates enrollment from reporting and builds on an Auditable Log Service (ALS) with an Identity Management Component (IMC). Our design supports report pseudonyms tied to entitled persons, controlled identity disclosure, and confidential yet accountable communication. It enforces an auditable workflow that separates procedural handling from merits-based processing and enables a practical deployment model deployable at both state and organization level that distributes trust across multiple entities, lowers adoption barriers through shared infrastructure, and supports two-level auditing of both procedural compliance and merits-based handling for dispute resolution.
## 2026/951
* Title: Early-stopping Consensus with Adaptive Bit Complexity
* Authors: Erica Blum, Christoph Lenzen, Julian Loss
* [Permalink](https://eprint.iacr.org/2026/951)
* [Download](https://eprint.iacr.org/2026/951.pdf)
### Abstract
Protocols for Byzantine agreement are known to be constrained by relatively strong lower bounds on their optimal resilience, round complexity, and communication complexity. Crucially, though, these lower bounds do not immediately rule out the possibility of protocols that are faster and use less communication when the actual number of faults $f$ is less than the maximum number of faults $t$ that can be sustained. Early-stopping protocols terminate in a number of rounds proportional to $f$ (rather than $t$); likewise, protocols with adaptive communication incur asymptotically less communication when $f$ is less than $t$. We present a randomized, early-stopping Byzantine agreement protocol with adaptive communication complexity that terminates in $O(f+1)$ rounds with bit complexity $O((f+1)n\kappa)$ for a failure probability of $2^{-\kappa}$ in a synchronous network with $t<n/2$ faults, assuming a Public Key Infrastructure (PKI). This is achieved against a strongly adaptive adversary, i.e., the attacker can observe all messages in round $r$, then choose which parties to corrupt in round $r$, and then remove or alter the round-$r$ messages of corrupted parties.
## 2026/952
* Title: Formalizing Blockchain PQC Signature Transition: How to Outpace Quantum Adversaries
* Authors: Kigen Fukuda, ShinrCOichiro Matsuo
* [Permalink](https://eprint.iacr.org/2026/952)
* [Download](https://eprint.iacr.org/2026/952.pdf)
### Abstract
It is getting widely recognized that quantum computers pose a fundamental threat to blockchain security. The transaction signature transition to Post-quantum cryptography (PQC) is therefore an urgent challenge. However, it remains unclear how much quantum computing power would be sufficient to compromise blockchain security and, consequently, by when the transition should be completed. To address these questions theoretically, we first formalize the signature transition process and the quantum adversary based on the well-known Bitcoin backbone protocol framework. We then establish a threshold for the chain's tolerable quantum adversary capability. Specifically, we prove that a security property migration liveness holds with overwhelming probability if and only if
$$
\Delta_{\mathrm{eff}} \;\geq\; \left\lceil \frac{4}{(1 - \epsilon)f} \right\rceil,
$$
where $\Delta_{\mathrm{eff}}$ is the number of rounds the quantum adversary needs to produce a forged transaction after the broadcast of a migration transaction, $f$ is the honest mining success probability, and $\epsilon$ is the concentration quality of the underlying random variables. We further generalize the analysis to derive a relationship between the transition process and the tolerable quantum adversary capability, providing a theoretical basis for designing secure signature transition plans.
## 2026/953
* Title: Tight Lattice-Based Signatures without Trapdoors from Search LWE
* Authors: Rutchathon Chairattana-Apirom, Nico D||ttling, Julian Loss, Stefano Tessaro, Benedikt Wagner
* [Permalink](https://eprint.iacr.org/2026/953)
* [Download](https://eprint.iacr.org/2026/953.pdf)
### Abstract
The study of digital signatures with tight reductions has attracted considerable attention over the past two decades, as such schemes inherit essentially the same quantitative hardness as the underlying computational problem. In the context of lattice-based cryptography, the GPV approach (Gentry, Peikert, and Vaikuntanathan, STOC rCO08) admits a simple tight reduction from the SIS problem, but relies on preimage sampling via trapdoors, which often leads to complex and brittle implementations. By contrast, tight proofs for trapdoor-free constructions, following the FiatrCoShamir paradigm, necessarily rely on decisional assumptions, most notably the decisional LWE assumption. From the perspective of concrete security, however, reliance on a search assumption is preferable, as known search-to-decision reductions for LWE provide only weak quantitative guarantees.
This paper presents the first efficient lattice-based signature scheme with a tight reduction to a search assumption (namely, the hardness of the search LWE problem) that does not require any trapdoor in the scheme itself (but merely uses, instead, a trapdoor in the proof). Our construction follows the Fiat-Shamir paradigm and can be viewed as a lattice analogue of ChevallierrCoMames signatures (CRYPTO rCO05). Establishing security in the lattice setting, however, requires overcoming significant technical obstacles: in particular, our proof develops several new techniques to cope with the inherently weak soundness guarantees of lattice-based interactive proofs.
## 2026/954
* Title: Black-box validation of Falcon key generation under numerical instability
* Authors: Maxime Bros, Christopher Celi, Pierre Ciadoux, Ray Perlner
* [Permalink](https://eprint.iacr.org/2026/954)
* [Download](https://eprint.iacr.org/2026/954.pdf)
### Abstract
Falcon is a lattice-based digital signature scheme offering excellent performance and key sizes, and it has been selected for standardization by the National Institute of Standards and Technology (NIST) as part of their post-quantum standardization project. However, the use of floating-point and/or fixed-point arithmetic in Falcon presents unique challenges. One such challenge is the lack of reproducibility, which can arise due to the inexact representation of fractional numbers. Traditionally, implementations are validated for correctness using Known Answer Tests (KATs), but this approach requires exact reproducibility.
We propose a novel alternate procedure for validating the correctness of FalconrCOs key generation. Our procedure never rejects correct implementations of Falcon that vary due to the numerical instability of floating and fixed-point arithmetic. It is still strict enough to guarantee that differences in generated keys due to these variations will not create security problems, although like all black-box testing methods, it does not rule out security problems due to other implementation characteristics, such as side channels. Combined with black-box conformance testing on signing and verification, this provides a path for validating the correctness of Falcon implementations on defined platforms. We further study FalconrCOs keys by defining and computing perfect keys that are generated using infinite precision. Last, we estimate the total number of valid keys that could be generated from a single seed. Our work is based on extensive experiments for which the code is available.
## 2026/955
* Title: YsPIR: HE-Based Single-Server Private Information Retrieval with Low Communication Cost and High Throughput
* Authors: Yingchu Lv, Yanbin Pan, Huaxiong Wang
* [Permalink](https://eprint.iacr.org/2026/955)
* [Download](https://eprint.iacr.org/2026/955.pdf)
### Abstract
We introduce YsPIR, a single-server private information retrieval (PIR) protocol that improves upon the state-of-the-art KsPIR protocol by Luo, Liu, and Wang (CCS 2024) in server response time and offline communication. YsPIR is built on a new first-dimension folding technique, which reduces online computation time and decreases the public-key material required in the offline phase.
Our approach has three main advantages. First, it enables the most resource-intensive computations to be preprocessed offline, thereby reducing online response time. Second, its offline communication is independent of the database size and remains small. Third, it maintains low communication cost even under high-throughput settings.
We conduct comprehensive experiments to evaluate the concrete performance of YsPIR. The results show that YsPIR achieves approximately 1.64x higher online throughput and reduces offline communication by about 3.09x compared with KsPIR.
## 2026/956
* Title: Efficient Bootstrapping in Fully Homomorphic Encryption for Matrix Arithmetic
* Authors: Eric Crockett, Craig Gentry, Hyojun Kim, Yeongmin Lee, Yongwoo Lee
* [Permalink](https://eprint.iacr.org/2026/956)
* [Download](https://eprint.iacr.org/2026/956.pdf)
### Abstract
Recently, Gentry and Lee (GL) proposed a fully homomorphic encryption (FHE) scheme optimized for matrix arithmetic. In this paper, we propose an efficient bootstrapping technique for the GL scheme. Our core idea leverages the linearity of the slot--coefficient transformations, namely CtS and StC: we formulate these operations as ciphertext--plaintext matrix multiplications, which are natively supported by the GL scheme. As a result, the proposed method reduces the number of key-switching operations per step to a small constant. To enable this, we first generalize the GL scheme to matrices of non-power-of-two dimensions by introducing a generalized definition of the trace over commutative rings and proving that it commutes with decryption. Our bootstrapping adopts the CKKS paradigm: ModRaise, CtS, EvalMod and StC. Typically, CtS/StC and EvalMod dominate runtime and depth, respectively; our optimization shifts the bottleneck to EvalMod for both. A proof-of-concept implementation shows that linear transformations account for 20.1% of the total bootstrapping time, compared to 54.9-71.7% in prior CKKS bootstrapping, and that, despite lacking low-level optimizations, our amortized CtS runtime is still about 3 times faster than the well-optimized library (Lattigo).
## 2026/957
* Title: Threshold FHE with Short Decryption Shares without a Semi-trusted Server
* Authors: Hiroki Okada, Tsuyoshi Takagi
* [Permalink](https://eprint.iacr.org/2026/957)
* [Download](https://eprint.iacr.org/2026/957.pdf)
### Abstract
Threshold fully homomorphic encryption (ThFHE) enables decryption by collecting decryption shares from any T-out-of-N parties. A major drawback of previous ThFHE schemes is that they require a super-polynomial modulus (or are subject to other limitations), resulting in long ciphertexts, keys, and decryption shares. Passel`egue and Stehl-|e (Asiacrypt 2024) proposed a ThFHE scheme in which a semi-trusted server rounds the input ciphertexts to produce polynomially short ciphertexts and sends them to the parties, thereby making the rest of the decryption process efficient. Although the input ciphertexts are still super-polynomially large, the communication cost of sending them from the parties to the server can be reduced to polynomial size via the transciphering technique; as a result, an entirely low-communication ThFHE is achieved. However, if even a single party colludes with the server (contrary to the assumption), the secret key can be efficiently recovered. Such a risky scenario would be unsuitable for practical deployment.
In this paper, we tackle this issue. We propose two serverless ThFHE schemes with polynomially short decryption shares. The core idea is to let the parties directly round the decryption shares, rather than rely on the semi-trusted server to round the ciphertexts. We can also achieve low-communication ThFHE by reducing the communication required to send input ciphertexts to the parties to polynomial size via transciphering. Our first scheme, based on binary coefficient linear secret sharing ({0,1}-LSS), strictly improves upon Boneh et al. (CRYPTO 2018), achieving short decryption shares without any trade-offs. Our second scheme, based on Shamir secret sharing, adapts the technique of Okada and Takagi (Asiacrypt 2025) to eliminate the $O(N^{4.3})$ overhead in share size of our first scheme, further reducing communication costs.
## 2026/958
* Title: Enhancing Blockchain Proof of Stake with Active Weighted Signatures: The ADAPT Framework
* Authors: Jae Hyun Choi, Hobin Jang, Ik Rae Jeong, Changmin Lee
* [Permalink](https://eprint.iacr.org/2026/958)
* [Download](https://eprint.iacr.org/2026/958.pdf)
### Abstract
Proof of Stake (PoS) blockchain systems require weighted threshold signatures where participantsrCO voting powers reflect their stakes. As stakes change dynamically through deposits and withdrawals, efficient weight and threshold adjustments are essential for maintaining system security and availability without downtime. However, existing approaches face critical limitations: (1) virtualization-based schemes require $O(w)$ operations (signatures) per participant with weight w; (2) dynamic threshold / paricipants schemes do not support weighted participants; (3) schemes with both properties require trusted dealers or $O(n^2)$ re-setup, causing temporary unavailability.
This paper introduces Active Weighted Signature (AWS), enabling dynamic adjustments without trusted dealers or re-setup. We propose Generalized Lagrange Interpolation (GLI), encoding weights as polynomial derivatives rather than virtualized participants, and instantiate AWS through ADAPT by applying GLI to the Schnorr-based threshold signature FROST. Our implementation shows that ADAPT achieves comparable efficiency to FROST for key generation, while weight and threshold adjustments complete in 4.1-22.3% of re-setup time. For uneven weight distributions, ADAPT achieves sub-linear scaling: 49|u weight difference requires only 3.29|u computation versus 49|u in virtualization.
## 2026/959
* Title: Operationalising PostrCaQuantum TLS: Automated Configuration Profiling and Hybrid PQC Deployment in Financial Infrastructure
* Authors: Harish Balaji, Aarav Varshney, Prasanna Ravi, Sripal Jain, Robin Foe, Jorden Seet, Huaxiong Wang, Kwok-Yan Lam, Anupam Chattopadhyay
* [Permalink](https://eprint.iacr.org/2026/959)
* [Download](https://eprint.iacr.org/2026/959.pdf)
### Abstract
Organisations are upgrading their cryptographic infrastructure to become quantumrCasafe before largerCascale quantum computers materialise. PostrCaquantum cryptography (PQC) standards now exist for keyrCaexchange and digital signatures, but the urgent question for adopters is how to operationalise PQC in complex environments with confidence. In banking, Transport Layer Security (TLS), for example, protects datarCainrCatransit across publicrCafacing channels and internal services, and is terminated at many heterogeneous endpoints (web servers, API gateways, load balancers, reverse proxies), each a potential quantumrCavulnerable component and migration target.
We argue that the bottleneck is operational rather than algorithmic: hybrid key exchanges such as X25519rCaMLrCaKEMrCa768 are already available in mainstream libraries, but security teams lack precise visibility into TLS configurations and repeatable methods for enabling PQCrCacompatible settings across a heterogeneous estate. This paper presents a configurationrCaparsing methodology that automatically extracts and normalises TLS cryptographic posture across dominant enterprise webrCaserver stacks, producing a unified, provenancerCatraced cryptographic inventory as a foundation for migration and compliance. We demonstrate the approach on 8,443 realrCaworld Nginx configurations from public repositories and in a proofrCaofrCaconcept deployment at a financial institution, where MLrCaKEMrCa512 and X25519rCaMLrCaKEMrCa768 are onboarded at TLS termination points (web server and API gateway) securing an internal application, with zero applicationrCalayer changes and manageable performance overhead.
## 2026/960
* Title: On the Communication Complexity of Sleepy Consensus
* Authors: Qiang Tang, Yuchen Ye
* [Permalink](https://eprint.iacr.org/2026/960)
* [Download](https://eprint.iacr.org/2026/960.pdf)
### Abstract
Sleepy consensus allows parties to join and leave execution arbitrarily, which is a fundamental requirement for large-scale distributed systems. Classic longest-chain protocols, such as Bitcoin and its variants, achieve consensus under this model but suffer from inherent long latency. In contrast, recent protocols that build upon the classic view-based BFT paradigm can achieve constant expected latency and short best-case latency under optimal resilience, but they often incur high communication cost. We observe that the high communication overhead stems from the time-shifted quorums, a technique that makes quorum certificates transferable under dynamic participation. However, the technique relies on extensive message forwarding to reconcile parties' inconsistent local views, and thus incurs a cubic communication cost unavoidably.
In this work, we tackle the problem by proposing a novel way to transfer certificates. Building on this, we construct a Byzantine Agreement (BA) protocol secure against the state-of-the-art growing adversary model. Our BA protocol achieves optimal resilience, constant expected round complexity, and an expected communication complexity of $O(nNL+nN\kappa+nN\log N)$, where $n$ is the maximum number of awake parties throughout the execution, $N$ is the total number of eligible parties, $L$ is the input length, and $\kappa$ is the security parameter. We also present an efficient recovery mechanism for our BA, incurring only $O(N\kappa+nL)$ bits per recovering party. Then we extend our BA to an Atomic Broadcast (ABC) protocol that achieves optimal resilience, constant expected latency, and an expected amortized communication complexity of $O(nNL+nN\kappa+nN\log N)$ per input value. The recovery mechanism for our ABC incurs $O(N\kappa+n\ell L+n\ell \kappa)$ bits per recovering party, where $\ell$ is the number of views that the party has slept for. Last but not least, we establish communication lower bounds of $\Omega(N^2L)$ for sleepy BA and ABC. The result shows that our BA and ABC are communication-optimal when $L$ is sufficiently large (i.e., when $L=\Omega(\kappa+\log N)$), and highlights a fundamental limitation of communication efficiency in the sleepy model.
## 2026/961
* Title: Delving Deep into Security Guarantees against Integral Distinguishers with Applications to PRESENT, TWINE and LBLOCK
* Authors: Shuo Peng, Jiahui He, Kai Hu, Meiqin Wang
* [Permalink](https://eprint.iacr.org/2026/961)
* [Download](https://eprint.iacr.org/2026/961.pdf)
### Abstract
Integral attacks pose a significant threat to block cipher security, yet providing guarantees against such attacks for a target block cipher is difficult. At
ASIACRYPT 2021, Hebborn, Lambin, Leander, and Todo proposed the integral resistance property, which offers strong security guarantees for certain SPN and
AND-RX block ciphers, assuming independent round keys. However, limitations remain: they proved a security bound for 13-round Present, while the longest known integral distinguisher covers only 9 rounds. Further, their method cannot tackle complex Feistel structures such as Twine and Lblock. A major challenge in
their method is the difficulty of finding key monomials that lead to odd-number monomial trails. We observe that in the first and last parts of the target cipher,
many interfering monomials exist that always produce interfering trails, which is a critical reason that makes it difficult to find odd-number monomial trails.
Fortunately, we find that these interfering monomials are avoidable by a careful
selection of the key monomials. Using this insight, we successfully prove the security of 11-round Present, improving the previous result by 2 rounds, and provide
a partial analysis for 10-round Present. We also extend their integral-resistance
property to general-Feistel-network (GFN) ciphers Twine and Lblock by proposing an equivalent key transformation method. Through acceleration strategies for
identifying key monomials, we confirm, for the first time, that 20-round Twine (out of 36 rounds) and Lblock (out of 32 rounds) are resistant to integral distinguishers. We believe our observations and strategies provide gains to Hebborn et
al.rCOs security guarantees for block ciphers.
## 2026/962
* Title: rBFT: a Revamped Two-Stage BFT from Delegated Committee
* Authors: Huizhong Li, Shichen Wu, Mingfei Zhang, Yue Huang, Linpeng Jia, Sisi Duan, Yi Sun
* [Permalink](https://eprint.iacr.org/2026/962)
* [Download](https://eprint.iacr.org/2026/962.pdf)
### Abstract
Byzantine fault-tolerant (BFT) protocol from delegated committee is an approach in improving the performance and scalability of blockchains. Notable industrial examples include Delegated Proof-of-Stake (DPoS) by Tron, Polkadot, and Solana, and Proof-of-Staked-Authority (PoSA) by Binance. In these protocols, a subset of nodes is first selected to form a committee, then the committee members reach an agreement and disseminate the results to all nodes. Although these approaches allow the committee members to be rotated periodically, the security of the system is built upon a strong assumption that no committee can have more than certain fraction of faulty nodes (e.g., one-third in a partially synchronous network).
In this paper, we provide a revamped two-stage design to model BFT from delegated committee without making the strong assumption. Namely, the only assumption is that in a partially synchronous network, the entire system does not have more than one-third faulty nodes. We propose rBFT, a practical BFT protocol that has a fast path where only committee members participate and a slow path where all nodes in the system are involved. We show that, not surprisingly, the fast path is extremely fast, and under reasonable assumptions such as alive-but-corrupt nodes and rational nodes, only fast path can be triggered. Meanwhile, even under conventional Byzantine failures where the slow path is triggered, our protocol is still practical enough.
## 2026/963
* Title: Multi-leveled and ISA/IEC 62443-aware Certificate Transparency to Protect the PKI Service Supply Chain of Operational Technology
* Authors: Adrian Reuter, Michael P. Heinl, Maximilian Pursche
* [Permalink](https://eprint.iacr.org/2026/963)
* [Download](https://eprint.iacr.org/2026/963.pdf)
### Abstract
To address the expanding attack surface caused by increasing digitization and interconnection, operators of Industrial Automation and Control Systems (IACS) adopt security measures already established in information technology, such as Public Key Infrastructure (PKI), to Operational Technology (OT). However, operating a PKI proves to be challenging in complex and heterogeneous IACS landscapes. Hence, operators might rely on external PKI service providers, resulting in new trust dependencies and a loss of direct control over critical security components.
In the WebPKI, Certificate Transparency (CT) is leveraged to monitor the certificate issuance of publicly trusted certificate authorities. Since CT's original WebPKI-centric design and trust assumptions do not align with the isolated and constrained nature of IACS environments, we investigate the adaptation of CT to a private IACS-specific PKI infrastructure operated by a service provider.
We propose amendments to CT processes and roles, an IACS operator-controlled CT infrastructure, and a layered approach to align with ISA/IEC 62443. Despite the lack of CT support by crypto libraries intended for OT devices, we demonstrate the feasibility of our approach by a proof-of-concept implementation.
## 2026/964
* Title: Beyond Quadratic: Unlocking Pseudorandomness with Quartic Character
* Authors: Mriganka Dey, Sampa Dey, Sampurna Pal, Subhabrata Samajder, Rana Barua
* [Permalink](https://eprint.iacr.org/2026/964)
* [Download](https://eprint.iacr.org/2026/964.pdf)
### Abstract
We study pseudorandomness arising from quartic Dirichlet characters and obtain results that connect analytic and cryptographic perspectives. From an analytic perspective, and following the framework of Mauduit and S|irk||zy, we define a Boolean function $\psi_\pi$ from the quartic character $\chi_\pi$ modulo a Gaussian prime $\pi$ and analyze sequence $E_{p-1}=(\psi_\pi(1),\ldots,\psi_\pi(p-1))$ for $p=\pi\bar\pi \equiv 1 \bmod{4}$. Using classical character-sum bounds (P||lya-Vinogradov and refinements of Mauduit-S|irk||zy and Oon), we show that $E_{p-1}$ satisfies $W(E_{p-1}) =O(\sqrt{p}\log p)$ and $C_{\mu}(E_{p-1}) \leq 2^{\frac{\mu}{2}+1} \mu \sqrt{p}\log p,$ which imply strong pseudorandomness for small $\mu$. From the cryptographic side, we resolve an open question posed by Damg|Nrd by proving that quartic characters yield the secure pseudorandom generators and weak pseudorandom functions (wPRFs). Adapting similar techniques of Corrigan-Gibbs and Wu, we have shown that distinguishing quartic wPRF implies solving quadratic residuosity, via a chain of polynomial-time reductions. Our results show that under the Quadratic Residuosity Assumption, the quartic character also yields cryptographically secure wPRFs whose one-wayness was assumed in the construction of $\mathsf{Quartapus}$ signature scheme by Brier et al. and the post-quantum secure signature scheme $\mathsf{PorcRoast}_{4}$ by Beullens et al. that are more efficient and secure than legacy schemes based on the Legendre character.
## 2026/965
* Title: Device Binding for Anonymous Credentials on Legacy Phones
* Authors: Anja Lehmann, Alexandros Zacharakis
* [Permalink](https://eprint.iacr.org/2026/965)
* [Download](https://eprint.iacr.org/2026/965.pdf)
### Abstract
Digital identity systems are currently build around the globe, aiming to enable secure, usable, but also privacy-preserving user authentication. Concretely, the EUDI Wallet developed in Europe requires to ensure selective attribute disclosure and unlinkable authentication. This essentially mandates the use of anonymous credentials, that have been developed for this exact purpose over the last 20 years. However, they are not integrated in the current solutions as they lack an essential feature: device binding. That is, binding credentials stored on the users' phones to a secure hardware element therein, in order to prevent credential cloning or sharing. Device binding is typically done through encoding a device public key into the user's credential and requiring a fresh signature under the corresponding and hardware-protected secret key - the proof-of-possession (PoP) - when presenting the credential. While academic solutions exist that realize efficient device binding for anonymous credentials, they are not compatible with the secure hardware currently available in consumer phones. The main challenge lies in the underlying curves: all efficient anonymous credentials, (and their native device binding protocols) require the use of pairing-friendly curves, whereas existing phones are essentially restricted to ECDSA signatures and classic P256 curves.
In this work, we show how to bridge these two systems, enabling device-binding for pairing-based credentials on legacy phones, i.e., relying solely on standard ECDSA signatures for the PoP. We present three different constructions with different trade-offs in efficiency and in protocol complexity. Our most efficient solution generates unlinkable bridging proofs of size ~1.5KB in less than ~500ms by relying on a (very simple) arithmetic circuit, whereas the most conservative approach (without circuits) takes as well ~500ms and comes with proof size of ~175KB. All our solutions share a common blueprint, and we express them in the reductions of knowledge framework (Crypto 2023) to reflect this is in our protocols' design. This framework allows to modularly construct complex zero-knowledge proofs in an elegant and intuitive manner, greatly facilitating the security analysis and the implementation. This framework has previously been mainly used in a theoretical context, and our work demonstrates that it is a powerful tool to design, analyze and implement complex real-world systems.
## 2026/966
* Title: A New Multiscalar Multiplication Method Resistant to Timing Attacks
* Authors: Abhraneel Dutta, Veronika Kuchta, Francesco Sica
* [Permalink](https://eprint.iacr.org/2026/966)
* [Download](https://eprint.iacr.org/2026/966.pdf)
### Abstract
Multiscalar multiplication (MSM) is a core operation in modern cryptographic systems, commonly used in various applications such as Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge (ZK-SNARKs) and Homomorphic Encryption. In elliptic curverCobased ZK-SNARK constructions, MSM accounts for up to 80rCo90\% of the total proof generation time, making its optimization critical to improving overall protocol performance. Despite significant progress in accelerating MSM through algorithmic techniques such as PippengerrCOs method, existing implementations remain vulnerable to timing attacks due to irregular scalar representations and conditional operations on zero digits.\\
In this paper, we revisit the original PippengerrCOs MSM algorithm, proposing novel modifications that achieve resistance to timing attacks while at the same time increasing its performance by almost 25\%. Our main contribution is a new scalar recoding algorithm that transforms conventional $q$-ary representations containing zero digits into equivalent non-zero representations. This ensures that all scalar digits are processed uniformly, eliminating timing-based side-channel leaks. Building on this recoding technique, we introduce a secure variant of PippengerrCOs bucket method, that avoids zero digits. Finally, we demonstrate that employing an endomorphism-based splitting yields shorter digit expansions and further efficiency gains. To the best of our knowledge, this is the first MSM algorithm explicitly designed to mitigate timing attacks within the Pippenger bucket method framework.
## 2026/967
* Title: Revisiting Linear Subspace Trails in Poseidon
* Authors: Enyan Li, Gaoli Wang
* [Permalink](https://eprint.iacr.org/2026/967)
* [Download](https://eprint.iacr.org/2026/967.pdf)
### Abstract
Poseidon/Poseidon2 and Neptune use sparse S-box activation in internal partial rounds to reduce arithmetization cost. This structure makes linear subspace trails relevant to algebraic attacks. If the initial state is restricted to a suitable linear subspace, then subsequent internal states may remain in prescribed linear subspaces for a number of rounds. The corresponding partial rounds therefore do not increase the degree of the resulting polynomial system. Existing analyses use this property to estimate the complexity of reduced round preimage attacks. It is therefore important to understand how long such linear subspace trails can persist.
We revisit infinite and finite linear subspace trails in Poseidon-like designs. First, we study the invariant subspace conditions on Poseidon that give rise to infinitely long trails. We relate these conditions to the characteristic polynomials of the Cauchy MDS matrices used in Poseidon, and we discuss qualitatively why they are unlikely over fields of large characteristic. Second, we analyze finite linear trails for internal partial rounds in a state of width $t$, where each round activates $s$ S-box coordinates. Under the rank-growth condition stated in this paper, when no such invariant subspace exists, a finite trail has length at most $\lceil t/s\rceil-1$. For Poseidon, $s=1$, this gives at most $t-1$ consecutive linearized internal partial rounds.
Considering preimage attacks in sponge mode with rate $r$, capacity $c$, and digest size $d$, the available extra constraint budget is $Ec=r-\min\{c,d\}$. For Poseidon, the finite trail bound and this constraint budget together determine how many internal partial rounds can be linearized in the corresponding attack model. For Poseidon2 and Neptune, although MDS-based finite trail bound is not claimed, in the common $s=1$ setting the realizable trail length is still bounded by $Ec$.
## 2026/968
* Title: Frobenius-UOV: A Very Efficient Multivariate Public Key Signature Scheme
* Authors: Gilles Macario-Rat
* [Permalink](https://eprint.iacr.org/2026/968)
* [Download](https://eprint.iacr.org/2026/968.pdf)
### Abstract
We present Frobenius-UOV, a multivariate public-key signature scheme in the Unbalanced Oil and Vinegar (UOV) family. The scheme replaces generic quadratic polynomials with a structured subclass based on Frobenius-type quadratic forms, yielding a compressed public-key representation while retaining the efficient UOV signing procedure. We describe the key-generation, signing, and verification algorithms, and we detail the derivation of the public system from a compact secret description. We discuss security in the standard multivariate setting, including direct algebraic attacks and key-recovery approaches, and we formalize the underlying computational problems induced by the proposed structure. Finally, we report implementation results quantifying the costs of key generation, signing, and verification, as well as the resulting public-key and signature sizes.
## 2026/969
* Title: Icy-DVRF: A Distributed Verifiable Random Function based on FROST signatures
* Authors: Ahmet Ramazan A-f-#rta+f, Arda Bu-fra |uzer, Z|+lf|+kar Sayg-#, O-fuz Yayla
* [Permalink](https://eprint.iacr.org/2026/969)
* [Download](https://eprint.iacr.org/2026/969.pdf)
### Abstract
Unbiased and unpredictable randomness is a cornerstone of Web3 security, underpinning everything from consensus protocols to DeFi logic. Although Distributed Verifiable Random Functions (DVRFs) eliminate central points of failure, current designs often have to compromise performance. Most existing protocols are hindered by one of three limitations: proofs that scale linearly with the number of participants, high computational cost of bilinear pairings, or latency introduced by mandatory interactive steps during generation. In this work, we present Icy-DVRF, a protocol that improves DVRFwCP by employing a preprocessing scheme similar to FROST to reduce the number of interaction rounds among participants, by lowering the additional communication cost from $O(n^2 t)$ to $O(t)$ while maintaining constant-size proofs. The downside of our construction is that, relative to DDH-DVRF and GLOW-DVRF, this approach incurs an additional off-chain communication round due to the threshold structure of our non-interactive zero-knowledge proof. This architecture ensures that verification costs remain low, regardless of the set of participants. We evaluate Icy-DVRF against established standards and demonstrate that our protocol achieves a substantial efficiency gain over pairing-based alternatives. While theoretical estimates suggest verification costs of approximately one quarter of those of standard designs, our empirical benchmarks on the Sepolia testnet, utilizing the EIP-2537: Precompile for BLS12-381 curve operations, confirm that Icy-DVRF requires only 88,803 gas for full execution. This represents a significant 43.02\% reduction in total gas consumption compared to existing pairing-based constructions, saving 67,035 gas per on-chain verification.
## 2026/970
* Title: Security Analysis on a Blockchain-based Public-Key Authenticated Searchable Encryption Scheme
* Authors: Hinata Nishino, Keita Emura
* [Permalink](https://eprint.iacr.org/2026/970)
* [Download](https://eprint.iacr.org/2026/970.pdf)
### Abstract
Du et al. (Security and Communication Networks, 2022) proposed a public-key authenticated searchable encryption scheme that employs Bloom filters and blockchain. In their scheme, Bloom filters are used to search encrypted keywords, while blockchain is used to ensure the integrity of search results that guarantees the search result is correct.
In this paper, we demonstrate that Du et al.'s scheme leaks keyword information from ciphertexts. Our analysis focuses on the fact that the Bloom filter is uniquely determined by the keyword to be encrypted and is directly embedded in each ciphertext. We show that the proposed attack succeeds with the probability that no false positives occur in the Bloom filter, and we evaluate the false-positive probability to confirm that the attack achieves a sufficiently high success rate. Furthermore, we examine Du et al.'s security model and their assumed usage scenarios, and we discuss the validity of our attack under those conditions. We also consider a simple modification intended to prevent our attack and demonstrate that our attack, with a slight adaptation, remains effective against the modified scheme. In addition, we show that even when the search results differ, previously generated ciphertexts can still pass verification, indicating that the integrity verification mechanism based on blockchain is insufficient.
## 2026/971
* Title: Explicit cost analysis of Toom-4 multiplication for incomplete NTT in lattice-based cryptography
* Authors: Sakura Oku, Momonari Kudo
* [Permalink](https://eprint.iacr.org/2026/971)
* [Download](https://eprint.iacr.org/2026/971.pdf)
### Abstract
Polynomial multiplication is fundamental in lattice-based cryptography.
While the Number Theoretic Transform (NTT) enables fast multiplication, it imposes constraints on the modulus of the coefficient field.
Hafiz et al.\ (2025) addressed this limitation by analyzing the incomplete NTT, which combines a truncated NTT with conventional multiplication methods.
In this work, we revisit Toom-4 multiplication in the context of incomplete NTT.
Although Toom-4 is asymptotically faster than Karatsuba, its precise cost has not been expressed in a form compatible with the incomplete NTT framework.
We present a concrete Toom-4 implementation and derive explicit operation counts that separate additions/subtractions and multiplications over the coefficient field.
Our analysis based on addition chains yields a simple cost model for incomplete NTT.
Using this model, we analyze hybrid strategies combining Toom-4, Karatsuba, and incomplete NTT.
We identify parameter ranges where Toom-4 is advantageous and validate the predicted behavior experimentally.
## 2026/972
* Title: Breaking ACDGV MinRank Gabidulin encryption schemes over matrix codes * Authors: Thai Hung Le
* [Permalink](https://eprint.iacr.org/2026/972)
* [Download](https://eprint.iacr.org/2026/972.pdf)
### Abstract
Enhanced Gabidulin Matrix Codes (EGMC), introduced by Aragon, Couvreur, Dyseryn, Gaborit, and Vincotte at Asiacrypt 2024, were designed to hide the algebraic structure of Gabidulin matrix codes while enabling very compact McEliece- and Niederreiter-type encryption schemes, with ciphertexts as small as 65 bytes at the claimed 128-bit security level. Their security relies on the assumption that a masked EGMC code is hard to distinguish from a random matrix code. We show that this enhanced construction leaves enough structure for an equivalent code of the secret key to be recovered. Unlike previous cryptanalysis, our attack combines combinatorial and algebraic techniques to recover a Gabidulin-equivalent compressed code. This code can then be extended to a full-length equivalent secret key in polynomial time. As a result, the attack provides both a distinguisher and a key-recovery attack against the EGMC encryption schemes. The attack breaks all 16 proposed EGMC parameter sets by large margins. For example, for the claimed 128-bit parameter set $(2,17,37,4,0)$, it reduces the security level from 186 bits to 35 bits. In our implementation, the equivalent secret key is recovered in less than 10 minutes.
## 2026/973
* Title: Asynchronous Lagrange-Based Threshold FHE with Smaller Modulus Overhead
* Authors: Won Kim, Changmin Lee, JeongHwan Lee, Alain Passel|?gue, Damien Stehl|-
* [Permalink](https://eprint.iacr.org/2026/973)
* [Download](https://eprint.iacr.org/2026/973.pdf)
### Abstract
We study $t$-out-of-$n$ threshold fully homomorphic encryption (ThFHE) based on Shamir secret sharing (SSS) in the asynchronous setting. A central bottleneck for SSS-based ThFHE is that Lagrange reconstruction during distributed decryption can amplify noise, forcing a substantially larger ciphertext modulus to maintain correctness.
In this work, we revisit SSS-based ThFHE and give a rigorous analysis of the correctness and simulation-security constraints that govern parameter choices. We then compare families of Lagrange interpolation points through the lens of these constraints.
Our main contributions are analytic bounds that closely track empirical behavior and significantly reduce the modulus overhead required for distributed decryption. For example, for $n = 512$, our analysis reduces this modulus overhead (in bits) by 30% for $t = n/2$ and by up to 90% for $t$ close to $n$, compared to prior parameterizations.
--- Synchronet 3.22a-Linux NewsLink 1.2