From Newsgroup: sci.crypt
## In this issue
1. [2025/199] Sublinear Proofs over Polynomial Rings
2. [2025/1017] Using the Schur Product to Solve the Code ...
3. [2026/264] WillowFold: Secure Aggregation with a Lightweight ...
4. [2026/268] One Pair to Rule Them All: Towards an Optimal ...
5. [2026/310] Bolt: Faster SNARKs from Sketched Codes
6. [2026/317] Two-Factor Authentication Can Harden Servers ...
7. [2026/344] Area-Efficient LUT-Based Multipliers for AMD Versal ...
8. [2026/422] Threshold Traitor Tracing Revisited: Insider ...
9. [2026/979] Improved Dual Attack and Trapdoor Sampling via ...
10. [2026/983] A formal analysis of FLEX and FLEX2
11. [2026/984] Quantum algorithm for Discrete Gaussian Sampling
12. [2026/993] Format-Preserving Encryption Creates a Privacy ...
13. [2026/994] Super-intelligence Survival Guide: Verification via ...
14. [2026/995] On Local Invariants for Permutation Equivalence
15. [2026/996] Topology-Hiding Computation From Key Agreement in ...
16. [2026/997] Miraidon: MinRank Identification
17. [2026/998] Balanced and Adaptively Secure Asynchronous Common ...
18. [2026/999] Modern Portfolio Theory in the Crypto-Wilderness
19. [2026/1000] Information-Theoretic Optimistic Verifiable Secret ...
20. [2026/1001] Distributed Simon's Algorithm with Less Per-Node ...
21. [2026/1002] On weak keys of POKE
22. [2026/1003] A Blockchain-Based Pre-Verification Access Control ...
23. [2026/1004] PQKryvos: Post-Quantum Secure E-Voting With ...
24. [2026/1005] More from Less: Composable General Multi-Party ...
25. [2026/1006] Current trends in AI-Aided Cryptography
26. [2026/1007] Quantum Circuit Implementation and GroverrCOs Search ...
27. [2026/1008] Unified FPGA Design of Kyber and Dilithium with ...
28. [2026/1009] Constant-Online PVSS from CCA2-Secure Threshold ...
29. [2026/1010] Signal and Ready to MINGLE: In-Band Gossip for Key ...
30. [2026/1011] Can We Tolerate Small Side-Channel Leakages: The ...
31. [2026/1012] Linear self-equivalence of the known families of ...
32. [2026/1013] Sequence-Level Security for Active Weighted ...
33. [2026/1014] Updatable Public-Key Encryption from FESTA
34. [2026/1015] Comments on "Server-Aided Public Key Authenticated ...
35. [2026/1016] Efficient Homomorphic String Search via TFHE
36. [2026/1017] Quantum and Post-Quantum Blockchain: A Systematic ...
37. [2026/1018] Symmetric Attribute-Based Encryption from Minimal ...
38. [2026/1019] On the Security of Public Key Authenticated ...
39. [2026/1020] On the Formal Verification of Authenticated ...
40. [2026/1021] Schnorr-like Proofs of Knowledge for Hidden Oil ...
41. [2026/1022] Thorns in Polynomial Convolution: Correlation, ...
42. [2026/1023] Faster CoeffToSlot and SlotToCoeff for Sparsely ...
43. [2026/1024] Separating the Pebbling Model from the Random ...
44. [2026/1025] Geometric Critical Point Screening: Clustering-Free ...
45. [2026/1026] Sparse Hermite Interpolation Method for Discrete- ...
46. [2026/1027] Computing Asymptotic Bounds for the Automated ...
47. [2026/1028] Collusion-Resistant Asymmetric Anamorphic ...
48. [2026/1029] Towards a Unified Memory-Less Framework for TCitH
49. [2026/1030] Pushforward Problems and Applications to Isogeny- ...
50. [2026/1031] Compact Quaternion Algorithms for SQIsign
51. [2026/1032] When Removing Reductions Goes Wrong: Auditing ...
52. [2026/1033] A New Construction Method for More Efficient ...
## 2025/199
* Title: Sublinear Proofs over Polynomial Rings
* Authors: Mi-Ying Miryam Huang, Xinyu Mao, Jiapeng Zhang
* [Permalink](
https://eprint.iacr.org/2025/199)
* [Download](
https://eprint.iacr.org/2025/199.pdf)
### Abstract
Designing non-interactive proof systems, such as NIZK or SNARKs, for lattice-based protocols is a well-motivated problem with numerous applications including aggregate signatures, verifiable random functions, group signatures, verifiable homomorphic encryption schemes, and others. Although many works have made efforts toward efficient lattice-based protocols, several challenges remain. In particular, a major challenge, as highlighted by Ganesh et al. (Journal of Cryptology 2023) and Zhang et al. (CCS 2025), is the algebraic gap between polynomial rings, which are typically used in lattice-based constructions, and fields, which are commonly used in the constructions of non-interactive proofs.
In this paper, we introduce a novel technique called ring switching, which bridges this gap by transforming proofs over polynomial-ring arithmetic into proofs over finite fields or Galois rings with prime power modulus. Using ring switching, we construct an efficient non-interactive argument of knowledge for Ring-R1CS over $\mathbb{Z}_Q[X]/(X^N+1)$ for arbitrary prime-power moduli $Q$. Our construction achieves sublinear proof size and enables significantly faster verification by eliminating costly ring multiplications. The ring switching framework is compatible with parameter regimes used in practical lattice-based cryptosystems, including NTT-friendly and power-of-two moduli. Subsequent works building on this technique further demonstrate its efficiency, achieving substantial verification time improvements in lattice-based polynomial commitments and verifiable homomorphic encryption schemes.
## 2025/1017
* Title: Using the Schur Product to Solve the Code Equivalence Problem
* Authors: Michele Battagliola, Rocco Mora, Paolo Santini
* [Permalink](
https://eprint.iacr.org/2025/1017)
* [Download](
https://eprint.iacr.org/2025/1017.pdf)
### Abstract
Given two linear codes, the Code Equivalence Problem asks to find (if it exists) an isometry mapping one code into the other. A special case is the Permutation Equivalence Problem (PEP), where the isometry must be a permutation.
The hardness of PEP is crucially dependent on the hull of a code, that is, the intersection between a code and its dual.
Indeed, most of the known algorithms have running time that grows exponentially with the hull dimension.
Since random codes have very small hull with large probability, PEP is deemed easy for random codes.
In this paper we study how the so-called Schur product between linear codes can be employed to solve PEP.
The basic idea is to transform a given PEP instance by computing the square of the given codes.
While it is well known that the square code operation preserves equivalence between linear codes, we show that, regardless of the hull dimension of the starting codes, their square codes have trivial hull with high probability. Furthermore, we show that as long as the code rate is sufficiently low, no additional permutations mapping the square codes exist with high probability. This effectively generates a new pair of equivalent codes with trivial hulls, where the underlying permutation remains identical to that of the original instance. This observation allows us to leverage existing hull-based attacks to recover the permutation for the square codes, and consequently, for the original codes.
Furthermore, we improve this attack by exploiting the structural relationship between hulls: if a permutation maps two codes, the same permutation also maps their respective hulls. We show that by considering the square of the hull as a code in its own right, its hull also becomes trivial with high probability.
This allows for the identification of new weak instances of PEP, leading to an attack whose complexity no longer depends on the initial hull dimension, as it is the case of most known algorithm.
In particular, we show that our attack achieves average polynomial-time complexity (since the square of the hull, when seen as a code, intersects with its dual in a low dimensional space with large probability) as long as $k < \sqrt{2n}$ or $h < \sqrt{2n}$, where $n$, $k$, and $h$ denote the code length, dimension, and hull dimension, respectively.
We corroborate our analysis, which relies on some (plausible) heuristics, with intensive numerical simulations.
As a concrete application, we consider the updatable encryption scheme proposed by Albrecht, Ben-iina, and Lai at Eurocrypt 2025.
All the recommended instances fall into the range of weak PEP instances identified in this paper; hence, they are susceptible to our attack.
As a demonstration, we successfully recover the secret permutation for two of the instances claiming 128 bits of security in about $10$ minutes on average on a laptop.
As a fix, instances with hull dimension $h > \sqrt{2n}$ should be employed.
## 2026/264
* Title: WillowFold: Secure Aggregation with a Lightweight Committee
* Authors: Hossein Hafezi, Kasra Abbaszadeh, Adri|a Gasc||n, Phillipp Schoppmann, Mariana Raykova, Benedikt B|+nz
* [Permalink](
https://eprint.iacr.org/2026/264)
* [Download](
https://eprint.iacr.org/2026/264.pdf)
### Abstract
Secure aggregation enables a server to learn the sum of private inputs of clients, while revealing no additional information beyond the final sum. Recent work, Willow (CRYPTO 2025) achieves one--shot secure aggregation in the single-server model with dynamic client participation. To ensure security under these features, Willow relies on an auxiliary committee to verify the correctness of the aggregation. Although this verification requires no private information---broadening the set of parties eligible to participate in the committee---the committeerCOs total work scales linearly with the number of clients, which poses a challenge for large-scale deployments. This linear committee cost limitation is also shared by other state-of-the-art single-server secure aggregation protocols, including Flamingo (IEEE S&P 2023) and OPA (CRYPTO 2025).
In this paper, we introduce WillowFold, a secure aggregation scheme based on Willow that enables lightweight verification of the aggregation and requires only logarithmic committee cost in the number of clients. Our scheme additionally supports streaming aggregation and reduces per-client server storage to a single ID (4 bytes), rather than storing full contributions as in Willow (1.5 KB), which facilitates distributed execution of the server-side computation. Finally, we close a gap in WillowrCOs security proof by showing that the zero-knowledge proofs underlying the scheme must be simulation extractable in order to rule out correlated ciphertext attacks.
WillowFold employs proof-carrying data (PCD)---a primitive for incremental verification of distributed computations---to achieve a lightweight verification cost. In particular, we present a concretely efficient instantiation of WillowFold using a variant of Spartan+KZH-Fold (CCS 2025) as the underlying PCD scheme. As independent contributions, we show a zero-knowledge variant of Spartan+KZH, which is the SNARK underlying Spartan+KZH-Fold, that uses logarithmic randomness, and we further prove that this variant satisfies the simulation extractability.
We implement and evaluate WillowFold, showing that it supports $8$ million clients with proof size $<60$~KB and verification time under one second--a $10^{5}$-fold improvement over Willow.
## 2026/268
* Title: One Pair to Rule Them All: Towards an Optimal Algorithm for Solving Code Equivalence via Codeword Search
* Authors: Alessandro Budroni, Andre Esser
* [Permalink](
https://eprint.iacr.org/2026/268)
* [Download](
https://eprint.iacr.org/2026/268.pdf)
### Abstract
Two linear codes $\mathcal{C},\mathcal{C}rCO$ over $\mathbb{F}_q$ are linearly equivalent if one can be mapped to the other via a monomial transformation. Recovering this monomial from $\mathcal{C}$ and $\mathcal{C}rCO$ is known as the Linear Code Equivalence (LCE) problem.
The most efficient algorithms to solve the LCE problem follow a common framework based on finding low-weight codewords. This framework admits a natural lower bound obtained by assuming that among the found low-weight codewords, a single equivalent codeword pair can be identified and used to reconstruct the monomial without overhead.
Whether this lower bound can be achieved by a constructive instantiation has remained an open problem. Existing algorithms all require multiple equivalent pairs for monomial reconstruction, resulting in both concrete and asymptotic gaps to the lower bound.
In this work, we answer the question of whether there exists such an optimal framework instantiation in the affirmative. We introduce a canonical labeling technique, as a generalization of canonical forms, that allows for monomial reconstruction from a single pair of equivalent codewords. Crucially, this labeling procedure, even if not necessarily polynomial-time, can be embedded into the codeword search framework to identify equivalent codewords and perform final monomial recovery without overhead. This gives rise to the first framework instantiation that meets its lower bound both asymptotically and concretely up to negligible tolerance.
For the parameter sets proposed for the LESS signature scheme, a former second-round candidate in the NIST PQC standardization process, our analysis reduces the estimated bit security by up to 15 bits.
## 2026/310
* Title: Bolt: Faster SNARKs from Sketched Codes
* Authors: Kobi Gurkan, Andrija Novakovic, Ron D. Rothblum
* [Permalink](
https://eprint.iacr.org/2026/310)
* [Download](
https://eprint.iacr.org/2026/310.pdf)
### Abstract
We introduce Bolt, a new Multilinear Polynomial Commitment Scheme (MLPCS) designed for high-performance SNARKs. Bolt is geared towards SNARKs for large computations, in which prover speed is paramount but one can afford slightly larger proofs. The construction is based on the code-switching paradigm; our core technical contribution is a new "proof-system friendly" error-correcting code with extremely efficient encoding both asymptotically and concretely.
A theory-oriented instantiation of Bolt achieves a commitment time of approximately (3+\epsilon)*N field additions plus a Merkle Tree hash computation of size (1+\epsilon)*N field elements, where N is the size of the multilinear polynomial and \epsilon>0 is arbitrarily small. The prior state-of-the-art, Blaze (Brehm et al., Eurocrypt 2025) used 8N additions and a 4N size Merkle hash.
Concretely efficient instantiations of Bolt demonstrate that these asymptotic gains translate into substantial real-world speedups. Our benchmarks show that for N=2^{30} over the field GF(2^{32}) Bolt's commitment time is roughly 3-4x faster than Reed-Solomon based schemes, depending on the specific parameterization. In the slower variant, the proof-size is ~2MB. Bolt also offers better commitment time and especially proof size compared to recent linear-time schemes. For example, its commitment time is about 20% faster than Brakedown (Golovnev et al., Crypto 2023) with a 5-15x smaller proof.
## 2026/317
* Title: Two-Factor Authentication Can Harden Servers Against Offline Password Search
* Authors: Xavier Boyen, Stanislaw Jarecki, Phillip Nazarian, Jiayu Xu, Tianyu Zheng
* [Permalink](
https://eprint.iacr.org/2026/317)
* [Download](
https://eprint.iacr.org/2026/317.pdf)
### Abstract
We propose a novel notion of Two-Factor Authenticated Key Exchange (TFA-KE), defined in the universal composability model (UC), which extends asymmetric PAKE (aPAKE) by a 2nd authentication factor in the form of a $t$-bit one-time code computed by a personal device based on a clock or counter. Our notion strengthens the security of standard integration of aPAKE with short authentication codes by additionally slowing down offline brute-force password search in case of server compromise by a factor of $2^t$. In other words, our TFA-KE notion uses $t$-bit authentication codes not only to improve on-line security of password authentication, as is the current practice, but also to strengthen password security on server corruption, whilst retaining the ability of aPAKE to avoid the common but deplorable practice of relying on "secure-channel" encryption for password protection.
We show a generic framework for implementing TFA-KE, with two efficient instantiations. Our key enabling tool is a tight one-way function (TOWF) with an algebraic structure that allows for its evaluation on a secret-shared input. We initiate the study of such functions, and we provide two proposals which we show to be tightly one-way in the Generic Group Model. Tightness means that a function evaluation on an input sampled from domain $\mathcal{X}$ takes $\Omega(|\mathcal{X}|)$ time to invert, which in our application implies that offline password search attacks are slowed to $\Omega(|D|\cdot 2^t)$ for passwords sampled from dictionary $D$.
## 2026/344
* Title: Area-Efficient LUT-Based Multipliers for AMD Versal FPGAs
* Authors: Zetao Miao, Xander Pottier, Jonas Bertels, Wouter Legiest, Ingrid Verbauwhede
* [Permalink](
https://eprint.iacr.org/2026/344)
* [Download](
https://eprint.iacr.org/2026/344.pdf)
### Abstract
AMD Versal FPGAs introduce a new CLB micro-architecture featuring the LOOKAHEAD8 carry structure in place of the legacy CARRY4/8 chains, on which existing area-efficient LUT-based multiplier designs map inefficiently. This paper proposes a LUT-based integer multiplier architecture tailored to the Versal fabric. By jointly exploiting radix-4 modified Booth recoding and the new Versal LUT micro-architecture, only $\mathtt{\sim}n^{2}/4$ LUTs are required to generate the partial-product bit heap for an $n$-bit multiplication. A new heuristic for compressor-tree synthesis further improves the area--delay product by 8--20% over state-of-the-art Versal heuristics. Overall, the proposed multipliers achieve up to 40% LUT reduction relative to AMD LogiCORE IP multipliers at comparable critical-path delay. An open-source Python RTL generator with configurable operand widths and pipeline depths is provided for scalable deployment.
## 2026/422
* Title: Threshold Traitor Tracing Revisited: Insider Attacks and Multi-Traitor Tracing
* Authors: Jan Bormet, Sebastian Faust, Hussien Othman
* [Permalink](
https://eprint.iacr.org/2026/422)
* [Download](
https://eprint.iacr.org/2026/422.pdf)
### Abstract
Threshold traitor tracing [Boneh et al., CryptorCO24] enhances threshold decryption with anti-collusion guarantees via a tracing mechanism. In this model, a set of colluders constructs a decryption box, called a decoder, and sells it to an external buyer. Collusion-resilience is guaranteed by a tracing algorithm that, given only black-box access to the decoder, can identify at least one of the colluders.
Since its introduction, threshold traitor tracing has attracted significant attention, leading to a number of new constructions that have been proven secure within this model [Asiacrypt'25, CiC'25, CCSrCO25, EurocryptrCO26], focusing on optimizing parameter sizes and removing trusted authority.
However, in this paper, we argue that the state-of-the-art definition and constructions are not resilient against natural attacks where the decoder is sold to an insider, i.e., a member of the decryption committee.
Motivated by this gap, we introduce new definitions to model decoder boxes that are sold to insiders. We show that existing threshold traitor tracing techniques are inherently vulnerable to insider attacks. Then, we introduce a novel approach to achieve insider resilience through \emph{multi-traitor tracing}, i.e., identifying multiple traitors.
We present compilers that amplify the number of traitors that can be found, thereby achieving insider-resilience with efficient parameters, in particular, sublinear ciphertext size. These compilers may also be of independent interest.
## 2026/979
* Title: Improved Dual Attack and Trapdoor Sampling via Quantum Rejection Sampling
* Authors: Cong Ling, Hao Yan, Nicholas Zhao
* [Permalink](
https://eprint.iacr.org/2026/979)
* [Download](
https://eprint.iacr.org/2026/979.pdf)
### Abstract
In this work, we revisit the dual attack and GPV trapdoor sampling, focusing on the lattice Gaussian sampling term, which can be a significant bottleneck in the overall complexity. We show that this sampling step can be quantumly accelerated by combining the lower bound underlying Wang and Ling's analysis of Klein's algorithm with the quantum rejection sampling (QRS) framework proposed by Ozols et al. Specifically, this lower bound gives precisely the pointwise domination condition required for quantum rejection sampling when given coherent oracle access to a truncated Klein proposal distribution, which yields a quantum procedure for preparing the truncated dual $q$-ary lattice Gaussian with a quadratic reduction in the sampling complexity. The truncation radius is chosen so that the truncated distribution is negligibly close to the full lattice Gaussian in total variation distance. Substituting this sampler into the dual attack framework results in reduced overall attack-cost estimates. Compared with Pouly and Shen's modern dual attack under the same parameter choices, our estimates reduce the attack cost by \(9\), \(4\), and \(13\) bits for Kyber-512, Kyber-768, and Kyber-1024, respectively. We also report the corresponding estimates with modulus switching. Finally, by replacing the Markov chain Monte Carlo (MCMC) sampler with the QRS algorithm, we achieve a similar quadratic speedup in the GPV signing process.
## 2026/983
* Title: A formal analysis of FLEX and FLEX2
* Authors: Ramses Fernandez
* [Permalink](
https://eprint.iacr.org/2026/983)
* [Download](
https://eprint.iacr.org/2026/983.pdf)
### Abstract
This paper formalizes the cryptographic core of the FLEX protocol and its enhanced variation FLEX2 . The analysis formalizes a minimal ledger abstraction, capturing Taproot, CSV timelocks, and reorg bounds, and defines ideal functionalities implemented as transaction-DAG and state machines. Main contributions include proving on-chain enforceability, CDS secrecy, soundness, leakage-bounded privacy, and universal composability realization under standard assumptions.
## 2026/984
* Title: Quantum algorithm for Discrete Gaussian Sampling
* Authors: Cl|-mence Chevignard, Andr|- Schrottenloher, Yixin Shen
* [Permalink](
https://eprint.iacr.org/2026/984)
* [Download](
https://eprint.iacr.org/2026/984.pdf)
### Abstract
Discrete Gaussian Sampling on lattices is a fundamental problem in lattice-based cryptography. It appears both in basic cryptographic primitives such as digital signatures and as an important cryptanalysis building block for solving hard lattice problems. In this paper, we show a quantum algorithm based on the quantum rejection sampling technique whose complexity is asymptotically quadratically faster than its classical counterpart in [Wang \& Ling, IEEE Trans. Inf. Theory 2019]. Our sampler outputs a quantum state which can either be measured to get the desired distribution or be used directly as such in other quantum algorithms. By doing so, we derive two versions of quantum dual attacks that improve upon the previous ones in [Pouly \& Shen, EUROCRYPT 2024]. The two versions are incomparable, each having distinct advantages (speed vs memory requirement). The second version is particularly interesting as it requires only polynomial classical and quantum memory, excluding the classical memory used in the preprocessing step of the Discrete Gaussian sampler. Our quantum Discrete Gaussian sampler can also be used to speed up the algorithm for solving the Short Integer Solution problem, in any norm, of [Bollauf, Pouly \& Shen, ePrint 2026/225].
## 2026/993
* Title: Format-Preserving Encryption Creates a Privacy Attack Surface for Re-Identification
* Authors: Martin Staal Boesgaard, Markus Larsen
* [Permalink](
https://eprint.iacr.org/2026/993)
* [Download](
https://eprint.iacr.org/2026/993.pdf)
### Abstract
Format-preserving de-identification methods, for example format-
preserving encryption, enable de-identified data to act as an in-place replacement for the original data by retaining syntactic properties.
However, when applied to data types with multiple formats, format
preservation introduces inherent information-theoretic leakage, as the
format itself can reveal non-trivial information about the original data, creating an attack surface that can be realized when appropriate aux-
iliary information is available. We formalize format preservation and
use Shannon entropy to quantify the resulting leakage. To illustrate
the practical impact of this, we document real-world use of format-
preserving de-identification on variable-format data types and apply
the theory to a real-world dataset. Using personal data from Dan-
ish financial institutions, we find that a length and word-preserving transformation has a leakage of 10.12 bits for person names and 3.9
bits for cities, out of a maximum of 17.2 bits. While exploiting this
leakage requires appropriate auxiliary information, such information
is often readily available in practice. In the worst-case scenario, this
can lead to re-identification of some data records; however, even in
less extreme cases, it can significantly narrow down the search space
for re-identification, e.g. by revealing the length of the original data,
or the format of an e-mail domain.
## 2026/994
* Title: Super-intelligence Survival Guide: Verification via Proof-Carrying Output
* Authors: Hillel Avni, Shlomi Dolev, Avraam Yagudaev, Moti Yung
* [Permalink](
https://eprint.iacr.org/2026/994)
* [Download](
https://eprint.iacr.org/2026/994.pdf)
### Abstract
The increasing deployment of large language models (LLMs) in high-stakes domains demands infrastructure to ensure trust in artificial intelligence (AI)-generated outputs and actions. Users often struggle to validate results from LLMs because their reasoning is opaque and possibly beyond human comprehension. This paper introduces proof-carrying output (PCO), a framework in which an AI system returns an answer accompanied by a machine-checkable proof. We define -a-compliance formally (see the compliance definition in the paper): given a decidable predicate -a over signed inputs and AI outputs published by a named authority, a pair (x, y) is -a-compliant iff -a(x, y) = 1. "Compliance" in the rest of the paper refers to this binary, machine-checkable relation, not to organizational assurance practice. The framework is an instance of the producer-verifier-with-audit pattern previously introduced for game-theoretic rational behavior, applied here to regulatory compliance for AI-mediated decisions. Our primary security contribution is a cryptographic accountability layer that binds an AI output, its formal proof, the verifying validator's version, and a trusted timestamp into a non-repudiable commitment recorded on an append-only ledger before the output is acted upon. This layer provides four propertiesrCobinding, hiding, temporal ordering, and audit correctnessrCowhich jointly yield non-repudiation of AI-mediated decisions, a property neither LLM outputs nor formal proofs provide in isolation. These proofs rely on established proof assistants such as Rocq (Coq) (the Coq proof assistant was recently renamed to Rocq; we use "Rocq" throughout the paper, with "Coq" appearing where the historical name is more recognizable) for symbolic reasoning and (linear temporal logic (LTL), signal temporal logic (STL)) for temporal logics prior to output usage. A legal entityrCowhether a human subject to law or an AI agent bound by smart contractsrComust employ independent proof validators to confirm that the inputs (multiple-choice selections and signed documents) correctly lead to the output under published specifications and regulations. After validation and before acting on the output, the legal entity cryptographically commits the query, specification, output, validator version, timestamp, and proof to an append-only ledger. The entity then proceeds based on the output and reveals the proof only during the audit. We demonstrate PCO through three case studies with working Rocq/STL implementations: tax computation, autonomous-vehicle compliance, and recommendation transparency, extending proof-carrying code (PCC) from static programs to dynamic AI outputs. To enable reliable proof generation as an enabling substrate, we propose that regulatory authorities publish specification-coupled small language models (SLMs) trained on canonical scenario-proof pairs; we view this as supporting infrastructure rather than the core security contribution. We explicitly delimit PCO's scope to compliance predicates expressible as decidable first-order logic with bounded quantification or STL over finite-horizon signals; free-form prose, input authenticity, and specification correctness are out of scope and treated as orthogonal problems. PCO complements existing approaches to interpretable and explainable AI by providing machine-verifiable certificates of compliance rather than human-readable rationalizations.
## 2026/995
* Title: On Local Invariants for Permutation Equivalence
* Authors: Benjamin Ben-iina
* [Permalink](
https://eprint.iacr.org/2026/995)
* [Download](
https://eprint.iacr.org/2026/995.pdf)
### Abstract
We give an efficiently computable invariant for the (Signed) Permutation Code Equivalence ((S)PCE) problem we call the square class invariant, that was previously not recognised in coding theory. Our invariant naturally yields a distinguisher for the decision version of (S)PCE as defined at Eurocrypt 2025 by Albrecht, Ben-iina and Lai [ABL25], breaking the hardness assumption that underpins the security of their updatable public-key encryption scheme.
Moreover, we extend a 2023 result by Bruin, Ducas and Gibbons by showing the genus of the Construction A lattice of a code generator matrix with any hull dimension is completely determined by the hull dimension and our square class invariant, and that neither of these genera splits non-trivially into spinor genera (as soon as the lattice dimension is at least \(5\)), implying the genus of the Construction A \(q\)-ary lattice encodes all known efficiently computable coding-theoretic invariants for (S)PCE and vice versa. Thus our distinguisher can be rephrased as comparing the genera of Construction A lattices of the (S)PCE instance in the spirit of the Lattice Isomorphism Problem. We also give a complete description of the genus distribution of uniformly random \(q\)-ary lattices.
This motivates the definition of a genus of a linear code as the genus of the Construction A lattice of any of its generator matrices, and we adapt the sampling algorithm from [ABL25] to sample from a single genus uniformly at random, and can thus restrict their hardness assumption for (S)PCE to a single genus. Restricting PCE to one genus and using our sampling algorithms is then used with a slight modification to the security proof to mend the scheme from [ABL25].
Finally we show that associating to a linear code generator matrix a quadratic space whose geometry is given by the corresponding Gram matrix and computing its Witt decomposition yields the same invariants that define the code genus, implying two \(q\)-ary lattices are locally equivalent if and only if the quadratic spaces associated to their underlying linear codes share a Witt decomposition type.
## 2026/996
* Title: Topology-Hiding Computation From Key Agreement in Diameter-Two Graphs * Authors: D'or Banoun, Elette Boyle, Ran Cohen
* [Permalink](
https://eprint.iacr.org/2026/996)
* [Download](
https://eprint.iacr.org/2026/996.pdf)
### Abstract
Topology-hiding computation (THC) enables a set of parties, communicating over an incomplete network, to execute a secure multiparty computation (MPC) protocol for securely computing a function, while also hiding the network topology from within a given class of graphs. Semi-honest THC can be achieved over arbitrary graph classes, facing an arbitrary number of corruptions, from various assumptions implying oblivious transfer (OT). These assumptions are justified by strong lower bounds, indicating that $2$-secure topology-hiding broadcast (THB) over certain diameter-$3$ graph classes requires OT, as well as $1$-secure THC over certain diameter-$2$ graph classes of variable size.
While THC from weaker assumptions, such as key agreement (KA), is achievable for $t=1$ over fixed-size graphs, the case of multiple corruptions remains unclear, with no known candidate constructions. Even in the simpler, privacy-free case of THB, tolerating $t>1$ corruptions without assuming OT is only known for "friendship" graphs (which are diameter-$2$ graphs of a certain form): in fact, the latter holds information theoretically and for $t<n$.
The state of the art raises two foundational questions: First, considering THC, is OT necessary for protecting against adversaries with multiple points of view in the graph? Second, considering THB, is there a zero-one law for $t>1$, where given a graph class, THB either holds unconditionally or requires OT?
In this work we study these questions over graphs of diameter $2$ (in which the lower bounds requiring OT do not hold) and provide THC protocols for various graph classes supporting many corruptions assuming KA. For some of these results we obtain optimal resilience assuming KA: $t<n$ for THB and $t<n/2$ for THC. We also present new lower bounds, showing that in certain graph classes that support information-theoretic THB for $t=1$, KA is necessary for $t=2$.
## 2026/997
* Title: Miraidon: MinRank Identification
* Authors: Ryann Cartor, Freeman Slaughter
* [Permalink](
https://eprint.iacr.org/2026/997)
* [Download](
https://eprint.iacr.org/2026/997.pdf)
### Abstract
We introduce $\textit{Miraidon}$, a new family of MinRank-based post-quantum signature schemes built from a novel zero-knowledge proof system. Our primary construction, $\textit{Miraidon-S}$, is a digital signature scheme with competitive public key and signature sizes, improved soundness parameters, and security based on the hardness of the MinRank problem. Building on this framework, we further construct $\textit{Miraidon-RS}$, a ring signature scheme, and introduce $\textit{Miraidon-LRS}$, the first linkable ring signature scheme based on the MinRank problem. We present concrete parameters and comparisons with contemporary lattice- and code-based ring and linkable ring signatures, showing that MinRank provides a promising foundation for efficient advanced post-quantum signature primitives.
## 2026/998
* Title: Balanced and Adaptively Secure Asynchronous Common Coin and Byzantine Agreement With Sub-Quadratic Communication
* Authors: Hanwen Feng, Tiancheng Mai, Qiang Tang
* [Permalink](
https://eprint.iacr.org/2026/998)
* [Download](
https://eprint.iacr.org/2026/998.pdf)
### Abstract
Distributed common randomness generation (i.e., the common coin problem) is a cornerstone of randomized distributed computing. While a long line of research has sought scalable solutions, the asynchronous setting remains a challenge. Specifically, while Blum et al. (TCC'21) achieved sub-quadratic communication complexity, their approach lacks ``balance'': certain nodes must still send $\Omega(n)$ messages, creating a scalability bottleneck. Furthermore, their solution only tolerates a $1/3 - \epsilon$ fraction of corrupted nodes, whereas the classic construction by Cachin et al. (PODC'00) tolerates up to $1/2$ under the same setup assumptions.
In this work, we close these gaps by presenting the first balanced asynchronous common coin protocol with sub-quadratic communication complexity. In our construction, the communication cost of every honest node is bounded by $\widetilde{O}(\sqrt{n})$. Our protocol supports an adaptive adversary corrupting up to $1/2 - \epsilon$ nodes. Beyond these asymptotic improvements, our solution avoids the heavy cryptographic machinery (such as fully homomorphic encryption) required by Blum et al. and terminates in just two deterministic rounds, compared to the dozens of expected rounds in prior work.
At the heart of our construction are explicit and efficient sampler constructions. These samplers partition a population with a $1/2 + \epsilon$ honest majority into $O(\sqrt{n})$ communities, ensuring that a majority of these communities maintain a ``forever-honest'' majority. By leveraging how communities are allocated, we design mechanisms that allow each community to collectively emulate a single ``virtual node'' in Cachin et al.'s protocol. Reducing the number of participants from $n$ physical nodes to $O(\sqrt{n})$ virtual nodes drives the total communication complexity to a sub-quadratic level.
Finally, we extend our methodology to Asynchronous Binary Byzantine Agreement (ABA), yielding the first balanced ABA protocol with sub-quadratic communication complexity that tolerates up to $1/3 - \epsilon$ adaptive corruptions.
## 2026/999
* Title: Modern Portfolio Theory in the Crypto-Wilderness
* Authors: Ivan Vynyavskyy, Stefan Kitzler, Bernhard Haslhofer, Aviv Yaish
* [Permalink](
https://eprint.iacr.org/2026/999)
* [Download](
https://eprint.iacr.org/2026/999.pdf)
### Abstract
Modern portfolio theory (MPT) prescribes how to maximise the return of an asset portfolio for a given level of risk. The optimal trade-off between return and variance defines the efficient frontier. Whether actual cryptoasset portfolios approximate this prescription and whether proximity to the frontier translates into realised performance remain difficult to test at large scale in traditional markets due to their opaque nature and the inaccessibility of data. As we show, public blockchains make these questions measurable: every token transfer is recorded, thus enabling complete portfolio reconstruction for every account at any point in time. We leverage this transparency to reconstruct cryptoasset portfolios for over 116 M Ethereum accounts across the full chain history (2015-2025), measure their distance to the constrained efficient frontier, and quantify how deviations translate into realised performance. Here we show that market entry timing, not allocation choice, is the dominant predictor of realised cryptoasset returns. On-chain wealth is highly concentrated and portfolios are pervasively under-diversified, with single-asset holdings accounting for 83.35% of accounts. Two-asset portfolios sit closest to the efficient frontier defined by their held assets, a proximity that reflects the narrowness of their opportunity set rather than deliberate optimisation. Passive market-capitalisation weighting outperforms every MPT optimisation strategy in median realised return, and entry month alone explains 70-79% of the variance in returns, far exceeding the contribution of allocation choice. Mean-variance optimisation therefore appears neither descriptive of observed behaviour nor prescriptively useful in the cryptoasset domain, even if MPT retains its value as a normative benchmark.
## 2026/1000
* Title: Information-Theoretic Optimistic Verifiable Secret Sharing
* Authors: Martin Hirt, Chen-Da Liu-Zhang, Emanuele Marsicano
* [Permalink](
https://eprint.iacr.org/2026/1000)
* [Download](
https://eprint.iacr.org/2026/1000.pdf)
### Abstract
Verifiable secret sharing (VSS) is a fundamental primitive for secure computation and its round complexity has been well studied. The works of Gennaro et al. [STOC'01] and Fitzi et al. [TCC'06] settled the landscape in the perfect-security setting, showing that for the optimal corruption threshold $t<n/3$, the exact round complexity is three, and for the sub-optimal corruption threshold $t<n/4$ it is two rounds. Similarly, Patra et al. [CRYPTO'09] and Kumaresan et al. [ASIACRYPT'10] settled the landscape in the statistical setting, showing that for $t<n/2$ (resp. $t<n/3$), the exact round complexity is three (resp. two).
Current protocols with optimal resilience incur three rounds even when the actual number of corruptions $f$ is sub-optimal. Fix corruption threshold parameters $0\le k \le t$. We ask whether it is possible to obtain a VSS protocol that incurs two rounds when $f\le k$, and three rounds when $k<f\le t$. We show matching feasibility and impossibility results demonstrating that this is possible if and only if $3t+k < n$ for perfect security, and $2t+k < n$ for statistical security.
## 2026/1001
* Title: Distributed Simon's Algorithm with Less Per-Node Qubit Overhead and Its Application to Cryptanalysis
* Authors: Zhenqiang Li, Xiaofan Zhen, Shuqin Fan, Yonglin Hao, Fei Gao
* [Permalink](
https://eprint.iacr.org/2026/1001)
* [Download](
https://eprint.iacr.org/2026/1001.pdf)
### Abstract
Distributed quantum computing (DQC) enables multi-device collaboration to reduce per-node circuit depth and solve larger-scale problems beyond the processing capability of a single quantum device. In 2022, Tan et al. proposed a distributed Simon's algorithm via a concatenation-type periodic function.
In comparison with the standard version, the distributed Simon's algorithm has a lower per-node quantum query complexity resulting in not only a reduced per-node circuit depth but a higher per-node qubit requirement as well. This paper proposes a new distributed Simon's algorithm by constructing an XOR-type periodic function, which can reduce both the per-node quantum query complexity and the per-node qubit requirement. Specifically, the per-node quantum query complexity is reduced to $2c(n-t)$ ($c>3$), matching that of Tan et al.'s scheme; furthermore, the per-node qubit requirement is diminished significantly from Tan et al.'s $2^{t+1}m$ to $m+n-t$, which is an exponential reduction with respect to $t$. Here, $n$ and $m$ respectively denote the input and output lengths of the periodic function while $t$ is an integer satisfying $n/2<t<n$.
Given the scale limitations of current quantum hardware, our distributed algorithm makes it feasible to tackle larger-scale problems that cannot be solved on a single quantum device. Based on this new algorithm, we propose distributed quantum key-recovery attacks on the SoEM22 construction.
Compared with state-of-the-art non-distributed quantum attacks based on the standard Simon's algorithm, our attack requires notably lower per-node qubit overhead, while retaining comparable time complexity in both the classical and quantum query models.
## 2026/1002
* Title: On weak keys of POKE
* Authors: Tomoki Moriya
* [Permalink](
https://eprint.iacr.org/2026/1002)
* [Download](
https://eprint.iacr.org/2026/1002.pdf)
### Abstract
POKE is an isogeny-based public-key encryption (PKE) scheme proposed by Basso and Maino. Among existing isogeny-based PKE schemes, POKE is known to achieve relatively high performance. However, the security of POKE relies on certain ad hoc assumptions, and its security analysis may not yet be fully comprehensive.
In this work, we investigate the security of POKE.
We show that POKE admits weak keys that reduce the complexity of certain attacks. In the POKE-2D setting, these weak keys do not significantly affect the overall security, since the probability that such keys occur is sufficiently small. In contrast, we demonstrate that POKE-4D is threatened by the presence of these weak keys.
Finally, we suggest novel parameters for POKE-4D in order to mitigate the aforementioned weak-key attack. The resulting parameter sizes are comparable to those of POKE-2D. Consequently, the principal advantages of POKE-4D in terms of performance - namely, a more compact prime size and a more efficient encryption algorithm - are no longer preserved.
## 2026/1003
* Title: A Blockchain-Based Pre-Verification Access Control Scheme with Vector Commitments and Bulletproofs
* Authors: Yuanshao Liang, Hui Li, Wenhui Hu, Baocheng Yan, Kedan Li, Naixing Wu
* [Permalink](
https://eprint.iacr.org/2026/1003)
* [Download](
https://eprint.iacr.org/2026/1003.pdf)
### Abstract
Blockchain-enabled data sharing provides public verifiability and auditability for access control in Internet of Things environments. However, before formal authorization is granted, efficiently verifying whether a data requester satisfies a hidden access policy remains challenging. Existing schemes may expose user attributes, access policies, or matching relationships during on-chain verification, while pairing-based operations, decryption tests, or general zero-knowledge circuits often introduce high verification overhead or strong trust assumptions.
To address these issues, this paper proposes a privacy-preserving pre-verification access control scheme based on attribute vector commitments and Bulletproofs. The proposed scheme encodes user attributes and access policies into vector forms and uses vector commitments to hide authenticated user attributes. Access eligibility verification is then transformed into a hidden inner-product relation, allowing a data requester to prove policy satisfaction without revealing its real attributes or the policy contents. The pre-verification process is pairing-free and does not require trusted setup, making it suitable for smart-contract-based public verification. In addition, proxy re-encryption is integrated to support controlled data access after successful pre-verification.
Security analysis shows that the proposed scheme achieves pre-verification completeness, knowledge soundness, zero-knowledge, attribute privacy, policy privacy, and collusion resistance. Performance analysis and experimental results demonstrate that the proposed scheme reduces on-chain verification overhead, communication cost, and deployment complexity compared with existing access control schemes, making it practical for privacy-preserving data sharing in blockchain-assisted Internet of Things environments.
## 2026/1004
* Title: PQKryvos: Post-Quantum Secure E-Voting With Flexible Ballot Formats and Public Tally-Hiding
* Authors: Nicolas Huber, Pascal Reisert, Ralf Kuesters
* [Permalink](
https://eprint.iacr.org/2026/1004)
* [Download](
https://eprint.iacr.org/2026/1004.pdf)
### Abstract
Fair and free elections are the foundation of democracies and democratic processes. They require voting protocols that guarantee the integrity and verifiability of the result, as well as the private choice of each voter.
Currently deployed e-voting protocols rely on traditional hardness assumptions, like the discrete logarithm problem, to provide these security guarantees.
They are not post-quantum secure (pq-secure).
While first proposals for pq-secure protocols exist, they are limited in the variety of voting scenarios they can support and/or in terms of efficiency.
In this work, we therefore propose PQKryvos, an efficient and flexible pq-secure homomorphic e-voting protocol that can be instantiated for a wide variety of election methods and ballot formats.
Our construction efficiently combines homomorphic lattice-based commitments with hash-based general-purpose proofs (GPZKPs) to ensure ballot correctness.
As a pq-secure instantiation of the Kryvos framework introduced by Huber et al. (CCS 2022), PQKryvos not only provides voter privacy and (public) verifiability of the result, but additionally allows for the stronger privacy notion of public tally-hiding. Public tally-hiding ensures that only the intended election result (such as the full vote count or only the winner) is publicly revealed, while no additional information is leaked. This further improves the privacy for both voters and election candidates.
PQKryvos is the first homomorphic pq-secure e-voting protocol to generically support arbitrary ballot formats and the first to provide public tally-hiding.
Our implementation and evaluation of PQKryvos demonstrate that it achieves practical performance for diverse election schemes and outperforms the original pre-quantum Kryvos instantiation in some settings.
Moreover, we demonstrate that by utilizing GPZKPs, existing pq-secure e-voting protocols can support additional ballot formats, can be enhanced in their tallying phase, and can be extended to publicly tally-hiding protocols.
## 2026/1005
* Title: More from Less: Composable General Multi-Party Computation with Global Public Verifiability from a Single Enclave Only
* Authors: Saskia Bayreuther, Robin Berger, Felix D||rre, Eva Hetzel, Yufan Jiang, Christian Martin, Jeremias Mechler, J||rn M|+ller-Quade
* [Permalink](
https://eprint.iacr.org/2026/1005)
* [Download](
https://eprint.iacr.org/2026/1005.pdf)
### Abstract
Trusted Execution Environments (TEEs), also known as secure enclaves, such as Intel SGX, Intel TDX or AMD SEV are seeing widespread use to perform computations on highly sensitive data. To analyze the security of cryptographic protocols using TEEs, several formal models exist, notably the one by Pass et al. (EUROCRYPT 2017) for attested computations in the Generalized UC framework. Using this model and the proposed global ideal functionality $\mathcal{G}_{\mathrm{att}}^{\mathrm{PST}}$, provably secure multi-party computations with practical efficiency are possible.
Attested computations are achieved by having enclave outputs signed with a key pair held by $\mathcal{G}_{\mathrm{att}}^{\mathrm{PST}}$, together with the enclave's code. Being a global functionality, the verification key can be obtained by any party. Perhaps surprisingly, this model does not give rise to a meaningful notion of public verifiability, i. e. the ability of external parties to plausibly verify results, even though some commercially available enclaves allow exactly that. We formalize this intuition in the form of an impossibility result and propose a novel simulation technique where equivocation is not handled by the simulator resp. adversary anymore, but in a coordinated effort between our new functionality $\mathcal{G}_{\mathrm{att}}$ and a (local) ideal functionality $\mathcal{F}$ that is realized with public verifiability. To this end, several technical problems need to be solved, in particular to ensure that this new mechanism cannot be abused. While unconventional, this approach is, to the best of our knowledge, the first to achieve a general variant of public verifiability a) even when all protocol parties are corrupted and $\mathcal{F}$ is probabilistic and b) where guarantees of honest (external) verifiers are not affected by simulation at all. We call the latter property global public verifiability.
We also address a second impossibility result of Pass et al., namely the requirement that every protocol party needs a TEE (even in a setting without public verifiability), unless an additional (global) setup is used. We address this impossibility result by introducing designated-verifier attestations that are only valid for a single party in a single protocol execution, akin to what is possible with real-world enclaves.
Using our improved model, we propose protocols for (globally publicly verifiable) composable general MPC and prove their security under the notion of Universal Composition with Global Subroutines (Badertscher et al., TCC 2020) and static malicious corruptions.
## 2026/1006
* Title: Current trends in AI-Aided Cryptography
* Authors: Tobias H||bbel, Sebastian Kavalir, Gero Knoblauch, Alexander Wiesmaier
* [Permalink](
https://eprint.iacr.org/2026/1006)
* [Download](
https://eprint.iacr.org/2026/1006.pdf)
### Abstract
Research at the intersection of artificial intelligence (AI) and cryptography is expanding, but existing surveys often focus on specific techniques or provide only high-level overviews without cross-domain comparison. This paper presents a trend analysis across major subfields of AI-aided cryptography. We review 90 publications from 2021rCo2025 and complement them with call for papers from journals, conferences, and public tenders. The results show uneven coverage: cryptanalysis and hashing dominate, while protocols, encryption, and post-quantum cryptography are less explored. We outline emerging gaps and likely growth areas to support future research prioritization.
## 2026/1007
* Title: Quantum Circuit Implementation and GroverrCOs Search on the Lightweight Block Cipher KLEIN Family
* Authors: Indranil Mukherjee, Ranit Dutta, Bhupendra Singh, Lexy Alexandar, Bimal Mandal
* [Permalink](
https://eprint.iacr.org/2026/1007)
* [Download](
https://eprint.iacr.org/2026/1007.pdf)
### Abstract
The advent of quantum computing is expected to transform the landscape of cryptographic security, making many classical algorithms vulnerable to quantum attacks such as GroverrCOs exhaustive key search. In this study, we present an efficient quantum circuit implementation of the lightweight block cipher KLEIN for all variants. Each functional component of the cipher, such as key addition, substitution, RotateNibbles, MixNibbles, and key scheduling, is implemented. The
complete quantum design involves gates such as CCNOT, CNOT, and Pauli-X. Furthermore, we provide a comprehensive resource estimate for executing GroverrCOs search algorithm on the proposed quantum circuits, highlighting their resilience and practicality in post-quantum cryptographic contexts.
## 2026/1008
* Title: Unified FPGA Design of Kyber and Dilithium with Provable Fault Tolerance
* Authors: Siddhartha Chowdhury, Nimish Mishra, Sarani Bhattacharya, Debdeep Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2026/1008)
* [Download](
https://eprint.iacr.org/2026/1008.pdf)
### Abstract
Efficient and secure hardware implementations of post-quantum cryptographic schemes are critical for real-world adoption. In this work, we propose a unified FPGA-based architecture for Kyber and Dilithium that combines flexibility, lightweight design, and fault tolerance. The architecture adopts a microcoded, programmable datapath supporting both schemes with minimal area overhead, enabling seamless integration of modules such as SHAKE, sampling, and coefficient rounding. To enhance resilience against propagation-based fault attacksrCowhich exploit effective/ineffective fault behavior in public-domain computationsrCowe embed a probabilistic verification mechanism using rejection sampling. This countermeasure transforms deterministic operations into cryptographically constrained probabilistic processes that remain efficient under normal conditions while significantly degrading under adversarial faults. The result is a robust and compact design that not only supports both a lattice-based KEM and signature scheme, but also provides the first unified fault countermeasure architecture for Kyber and Dilithium, maintaining low retry counts and minimal performance degradation in fault-free environments.
## 2026/1009
* Title: Constant-Online PVSS from CCA2-Secure Threshold Encryption: A Generic Framework
* Authors: Liang Zhang, Dongliang Cai, Haibin Kan, Jiheng Zhang, Moti Yung
* [Permalink](
https://eprint.iacr.org/2026/1009)
* [Download](
https://eprint.iacr.org/2026/1009.pdf)
### Abstract
Publicly Verifiable Secret Sharing (PVSS) is widely used in distributed systems. Existing schemes usually incur at least $O(n)$ online cost: the dealer encrypts, proves, and publishes $n$ shareholder-dependent objects, which public verification must process. In this work, we present a generic framework that transforms publicly verifiable CCA2-secure threshold encryption (CCATE) into \emph{constant-online} PVSS, with distribution and public- verification costs independent of the number of shareholders. The framework moves the share-generation work into a reusable setup phase: once threshold keys and public verification material are fixed, online sharing amounts to a single publicly verifiable threshold encryption. We instantiate the framework with two CCATE constructions:
1) a pairing-free instantiation using standard Threshold ElGamal encryption under a committee-based setup assumption; and
2) a silent-setup scheme leveraging non-interactive key generation via a Power-of-Tau ceremony, eliminating inter-party coordination during setup.
Furthermore, we discuss epoch-based membership updates under the corresponding setup assumptions, clarifying the security boundary of reconfiguration. The resulting schemes incur higher setup costs, but the critical online distribution and public-verification phases are constant-size and constant-time. This trade-off is particularly useful when setup can be amortized over many PVSS instances, as in blockchain and distributed-system deployments.
## 2026/1010
* Title: Signal and Ready to MINGLE: In-Band Gossip for Key Transparency Split-View Detection in E2EE Messengers
* Authors: Edona Fasllija, Lena Heimberger, Kevin Paul
* [Permalink](
https://eprint.iacr.org/2026/1010)
* [Download](
https://eprint.iacr.org/2026/1010.pdf)
### Abstract
End-to-end encrypted (E2EE) messengers such as Signal, WhatsApp and iMessage increasingly deploy Key Transparency (KT) to make malicious key substitution detectable. Yet KT only delivers its intended protection if users are anchored to the same global append-only KT history. A malicious operator can break this condition by equivocating, presenting incompatible views of the KT directory to different clients. Current deployments delegate detection to a small set of third-party auditors, creating a centralized trust bottleneck that can be pressured, compromised, or fail to audit continuously.
We ask whether clients can detect equivocation themselves, without dedicated infrastructure, simply by comparing KT state as they communicate. We introduce MINGLE, an opportunistic in-band gossip protocol for end-to-end encrypted messengers. MINGLE piggybacks compact KT commitments on a subset of ordinary messages before encryption, keeping gossip indistinguishable from regular application data while requiring no external services or overlay network. Rather than asking users to manually verify safety numbers or relying on a small set of auditors, MINGLE distributes the consistency check across the entire communication graph: an adversary wishing to sustain a split view must permanently isolate targeted clients from the rest of the network, preventing any cross-partition message from ever being delivered, a requirement that grows increasingly difficult to maintain covertly as the social graph densifies.
MINGLE inherits the Trust-on-First-Use (TOFU) assumption standard in E2EE messengers: equivocation that begins at registration evades immediate detection, though the append-only log ensures it remains retroactively exposable once any cross-partition gossip event occurs. Using a temporal communication model, we show that under eventual cross-partition connectivity, conflicting KT views yield publicly verifiable evidence.
We prototype MINGLE in the Signal Android client using Signal's KT Server implementation, incurring a payload overhead of 119 bytes per gossip-carrying message without UI changes.
Simulations under realistic messaging patterns show that MINGLE achieves high reliability and fast evidence generation without aggressive gossip flooding.
MINGLE yields evidence of a targeted split view in a \(12000\)-client deployment within about \(5\) minutes when only \(20\%\) of clients participate and gossip is attached to roughly \(5\%\) of messages, suggesting that ordinary client communication can serve as a practical audit layer for KT.
## 2026/1011
* Title: Can We Tolerate Small Side-Channel Leakages: The Role of Registers in Glitch-Stopping Circuits
* Authors: Artemii Ovchinnikov, Jelle Biesmans, Kris Myny, Ventzislav Nikov, Svetla Nikova
* [Permalink](
https://eprint.iacr.org/2026/1011)
* [Download](
https://eprint.iacr.org/2026/1011.pdf)
### Abstract
Research on cryptographic algorithms implemented in hardware and protected against side-channel attacks has advanced rapidly in recent years. Generalized masking schemes, such as Threshold Implementations (TI) and Domain-Oriented Masking (DOM), currently provide a solid theoretical security foundation. Security models, including the probing model and its various extensions, enable formal verification of these guarantees. In addition, established guidelines for designing securely composable gadgets, along with tools for the automatic generation of masked designs, have further advanced the field. Experimental security assessment approaches, such as the Test Vector Leakage Assessment (TVLA) complement these efforts. Consequently, the primary focus of the research community has shifted toward optimizing existing techniques and bridging the gap between theoretical and practical security models.
In this work, we demonstrate a case in which side-channel leakage, caused by glitches, can be concealed during experimental assessment in a setup that is theoretically not robustly secure. This effect arises due to specific patterns of glitch propagation. We investigate whether a particular layout of the complete logic chain can further contribute to a designrCOs resistance to side-channel attacks, potentially reducing latency and area by relaxing glitch-mitigation requirements, such as reducing the number of pipeline registers. To this end, we introduce new adversarial model which further relaxes the model of M|+ller and Moradi, introduced at CHES 2024. To illustrate the practical relevance of our proposal, we provide experimental evidence by modifying a well-known, provably secure AES S-box design by De Cnudde, rendering it insecure under the robust probing model. We conduct TVLA of power consumption for both FPGA-based (physical) and ASIC-like (simulation) implementations of our netlists, demonstrating the absence of detectable leakage, similar to the originally robustly secure version of the algorithm.
## 2026/1012
* Title: Linear self-equivalence of the known families of APN functions: a unified point of view
* Authors: Jules Baudrin, Anne Canteaut, L|-o Perrin
* [Permalink](
https://eprint.iacr.org/2026/1012)
* [Download](
https://eprint.iacr.org/2026/1012.pdf)
### Abstract
The only known solution to the big APN problem was found by exploring the CCZ-equivalence class of a specific quadratic function, the Kim mapping, which is linearly equivalent to various highly-structured functions. For example, one of these functions has a univariate representation with a specific factorisation highlighting its subspace property and that it is a cyclotomic mapping, while another has a bivariate representation corresponding to a $(q,q)$-projective mapping.
In this paper, we show that the properties of this kind all correspond to a type of functions we introduce: multivariate projective mappings. These are multivariate functions whose coordinates are homogeneous. Furthermore, while a function might not have this form, it can still be equivalent to another function that has it. To handle this case, we describe how to identify the presence of a multivariate projective mapping in the linear-equivalence class of a function. We then derive our main result: for almost all known infinite families of APN functions, there exists a multivariate projective mapping, or a function commuting with the Frobenius mapping, that is CCZ-equivalent to them. Despite the widely different initial representations of these families (univariate, bivariate, or trivariate), this pattern holds. We also discuss concrete techniques to detect (or rule out) the presence of a multivariate projective mapping equivalent to a given function.
## 2026/1013
* Title: Sequence-Level Security for Active Weighted Signature Reconfiguration * Authors: Sunghyeon Jo
* [Permalink](
https://eprint.iacr.org/2026/1013)
* [Download](
https://eprint.iacr.org/2026/1013.pdf)
### Abstract
Active weighted threshold signatures support dynamic changes to signer weights, thresholds, and committee membership. We show that local validity of weighted update operations is not a compositional security abstraction: a sequence of individually valid updates can move an initially
sub-threshold coalition into an authorized reachable state. We introduce rank-exposure guards, a compiler that enforces a reconstruction-safety invariant over live, stale, derivative, public, and transient signing material. The compiler wraps ledger-sound one-step update engines with atomic activation and old-epoch digest-bound transition certificates, lifting fixed-state weighted unforgeability and update soundness to sequence-level active unforgeability. We instantiate the compiler as REG-ADAPT, a guarded GLI reconfiguration scheme built around ADAPT-style local updates, and implement it on top of the public ADAPT Go artifact. Our evaluation shows that the artifact detects and rejects unsafe update sequences, while adding only microsecond-scale metadata and rank-audit overhead.
## 2026/1014
* Title: Updatable Public-Key Encryption from FESTA
* Authors: Andrea Basso, Tako Boris Fouotsa, Fatna Kouider, P|-ter Kutas, Luciano Maino, Laurane Marco
* [Permalink](
https://eprint.iacr.org/2026/1014)
* [Download](
https://eprint.iacr.org/2026/1014.pdf)
### Abstract
Updatable public-key encryption (UPKE) is a cryptographic primitive that was proposed for secure messaging to provide forward secrecy in public-key settings.
It extends standard public-key encryption with a key-update mechanism that lets anyone update a receiverrCOs public key and issue a corresponding token for updating the secret key. Unlike traditional forward secrecy where all past messages should remain secure after a key leakage, UPKEs guarantee security only as long as at least one honest update has occurred.
While classically-secure efficient instantiations of UPKE are known from Diffie-Hellman assumptions, constructing an efficient post-quantum secure UPKE scheme with unbounded updates remains an open problem.
In this work, we propose an isogeny-based UPKE that relies on a dimension-four version of the FESTA public-key encryption scheme.
It is practically efficient and supports an unbounded amount of updates. Moreover, we provide a formal security proof based on a problem in isogeny-based cryptography that has received considerable scrutiny.
## 2026/1015
* Title: Comments on "Server-Aided Public Key Authenticated Searchable Encryption With Constant Ciphertext and Constant Trapdoor"
* Authors: Takeshi Yoshida, Keita Emura
* [Permalink](
https://eprint.iacr.org/2026/1015)
* [Download](
https://eprint.iacr.org/2026/1015.pdf)
### Abstract
Cheng and Meng (IEEE Transactions on Information Forensics and Security 2024) introduced server-aided public key authenticated encryption with keyword search (SA-PAEKS). In this short note, we give general attacks that the cloud server (tester) can obtain keyword information from both a ciphertext and a trapdoor.
## 2026/1016
* Title: Efficient Homomorphic String Search via TFHE
* Authors: Shintaro Narisada, Hiroki Okada, Takashi Nishide, Kazuhide Fukushima * [Permalink](
https://eprint.iacr.org/2026/1016)
* [Download](
https://eprint.iacr.org/2026/1016.pdf)
### Abstract
We present a method for secure pattern matching over encrypted texts using TFHE. Our approach realizes a fully secure binary search algorithm by leveraging two operational modes of integer-input TFHE. While the BGV-based method of Bonte and Iliashenko (CCSW '20) requires $O(|P| \cdot |T|)$ secure character comparisons to find a pattern $P$ in a text $T$, our method reduces this to $O(|P|\log |T|)$ comparisons, achieving improved scalability for large texts.
As a result, our method can find a pattern of length 100 in an encrypted text containing genomic data of one million characters in less than 5 minutes, where prior work would require approximately 5 days for the same task. These results highlight the practicality of TFHE and its potential for large-scale secure string search.
## 2026/1017
* Title: Quantum and Post-Quantum Blockchain: A Systematic Survey
* Authors: Ruwanga Konara, Awansika Nimuthumana, Asanka Sayakkara, Anuradha Mahasinghe, Kasun De Zoysa
* [Permalink](
https://eprint.iacr.org/2026/1017)
* [Download](
https://eprint.iacr.org/2026/1017.pdf)
### Abstract
This literature review explores the state-of-the-art advancements in quantum and post-quantum blockchain. The realm of quantum computing is on the rise and will disrupt entire tech industries, including classical cryptography, which is the foundation of blockchain. There has been extensive research on classical cryptosystems (i.e., post-quantum) and their integration with blockchain to create quantum-resistant classical blockchains. We have reviewed the state-of-the-art in these post-quantum blockchains in academic research. But to have forward compatibility with the quantum internet and infrastructure in the future and to have quantum mechanical security, research has been conducted to implement blockchain on quantum technologies and quantum cryptography as well. Consequently, we have explored the current state of research in these quantum solutions, known as quantum blockchains.
## 2026/1018
* Title: Symmetric Attribute-Based Encryption from Minimal Hardness Assumptions * Authors: Riccardo Longo, Enrico Sorbera
* [Permalink](
https://eprint.iacr.org/2026/1018)
* [Download](
https://eprint.iacr.org/2026/1018.pdf)
### Abstract
We present a novel construction that applies the Ciphertext-Policy Attribute-Based Encryption paradigm in an original symmetric framework, where also the encryptor needs to have enough attributes to be able to produce a ciphertext for a given policy.
The scheme is built from minimal assumptions on collision-resistant hash functions and pseudorandom functions, exploiting the properties of linear secret sharing and polynomial interpolation. Thus, it is natively Post-Quantum secure.
We formally define a novel extended form for access trees, that trades a polynomial space expansion for a more predictable topological structure. This structure enhance the arithmetic possibilities of the associated secret sharing primitive.
Moreover, we propose a comprehensive notation for access trees, sharing and interpolation, which may help in the study of these powerful primitives.
## 2026/1019
* Title: On the Security of Public Key Authenticated Encryption with Keyword Search with Sender-independent Search Complexity
* Authors: Takeshi Yoshida, Keita Emura
* [Permalink](
https://eprint.iacr.org/2026/1019)
* [Download](
https://eprint.iacr.org/2026/1019.pdf)
### Abstract
Li et al. (IEEE Transactions on Dependable and Secure Computing 2026) proposed proxy-free public key authenticated encryption with ciphertext update and keyword search (proxy-free PAUKS). In this short note, we demonstrate that keyword information is leaked from updated ciphertexts. We also demonstrate that our attack is effective against the PAUKS scheme proposed by Li et al. (IEEE Transactions on Information Forensics and Security 2023).
## 2026/1020
* Title: On the Formal Verification of Authenticated Encryption of the MQTT Protocol
* Authors: Varsha Jarali, Shashi Kant Pandey
* [Permalink](
https://eprint.iacr.org/2026/1020)
* [Download](
https://eprint.iacr.org/2026/1020.pdf)
### Abstract
The Message Queuing Telemetry Transport (MQTT) protocol is highly preferable for Internet of Things (IoT) environments due to its lightweight architecture, but routing sensitive medical data through a central broker introduces severe privacy risks if the broker is untrusted or compromised. To address this, we propose secure MQTT, a high performance end to end encrypted (E2EE) protocol tailored for constrained devices that renders the broker completely blind to message payloads and incapable of man in the middle (MitM) attacks. Our design utilizes a nested AES-GCM encryption architecture that strictly separates link-level routing metadata from application layer confidentiality. To establish these secure channels efficiently, MQTT integrates MQTT v5.0 enhanced authentication key exchange mechanism via a challenge response embedding one time Broker Nonce into the Schnorr digital signatures version of HMQV key exchange protocol. This provide authenticated end to end session key derivation, that requires only a negligible computational increase over basic ECDH. The security of this proposed model has been rigorously proven using the ProVerif cryptographic verifier under the Dolev-Yao threat model, offering a highly secure, low overhead solution for modern IoT networks.
## 2026/1021
* Title: Schnorr-like Proofs of Knowledge for Hidden Oil Subspaces in UOV
* Authors: Zhiwei Wang
* [Permalink](
https://eprint.iacr.org/2026/1021)
* [Download](
https://eprint.iacr.org/2026/1021.pdf)
### Abstract
A UOV public key hides a distinguished linear subspace: the public-coordinate image of the central oil-coordinate subspace. In central coordinates, the homogeneous quadratic part of each UOV polynomial contains no oil-oil monomials. Consequently, for every honestly generated UOV public key, each public homogeneous quadratic form vanishes when restricted to this hidden oil subspace. We formalize the hidden oil-subspace relation and construct a Schnorr-like Sigma protocol that proves knowledge of such a subspace without revealing it. The witness consists of matrices $B,W$ satisfying $WB=I_o$ and $Q_k(Bz)\equiv 0$ for all public quadratic forms $Q_k$. The prover masks the witness linearly and responds to a challenge $c$ with $Z=A+cB$, $Y=E+cW$, yielding a protocol with computational 3-special soundness and computational honest-verifier zero knowledge. We prove a generic uniqueness theorem: in the random homogeneous UOV model, the hidden oil subspace is, with overwhelming probability, the unique $o$-dimensional common zero subspace. The uniqueness bound is explicit and negligible for UOV-type parameters. This strengthens the interpretation of the protocol as proving knowledge of the unique hidden oil subspace, rather than merely some oil-like subspace. We provide empirical observations on small parameters and discuss applications and limitations.
## 2026/1022
* Title: Thorns in Polynomial Convolution: Correlation, Large Deviations, and Applications
* Authors: Dongshu Cai, Yijian Liu, Jiabo Wang, Xianhui Lu
* [Permalink](
https://eprint.iacr.org/2026/1022)
* [Download](
https://eprint.iacr.org/2026/1022.pdf)
### Abstract
When estimating the decryption failure rate (DFR) of structured lattice-based cryptography, some schemes implicitly assume that the coefficients of the decryption noise are independent. In practice, however, the decryption noise typically contains terms arising from convolutions of small polynomials, which introduce correlations among coefficients. These correlations can create a non-negligible gap between independence-based estimates and empirical failure rates, leading to underestimated DFRs, overestimated security levels, and exploitable attack surfaces. They also obscure the effect of error-correcting mechanisms in structured lattice-based encryption designs. To date, there has been no practical framework for characterizing such correlations.
In this paper, we give the first systematic characterization of correlations among the coefficients of convolved polynomials with Gaussian coefficients, using the canonical embedding as the central viewpoint. We establish large-deviation results for the coefficients of the resulting polynomial. Our analysis shows that, as the norm grows, convolutional polynomials asymptotically concentrate near a finite set of fixed two-dimensional planes. This gives rise to directional tail structures in the n-dimensional joint probability density, which we call thorns.
As a direct application, we prove that existing decryption-failure attacks succeed precisely by forcing the noise to lie on these thorns. This phenomenon endows the noise with extremely strong correlations, ultimately triggering decryption failures. Furthermore, adopting the canonical embedding perspective allows us to comprehensively illustrate how the independence assumption distorts the true noise distribution. We prove that the independence assumption systematically underestimates the noise norm, and we derive an analytic expression for the probability density function of the Euclidean norm of the decryption noise.
## 2026/1023
* Title: Faster CoeffToSlot and SlotToCoeff for Sparsely Packed Ciphertexts with Application to CKKS Bootstrapping
* Authors: Xiaopeng Zheng
* [Permalink](
https://eprint.iacr.org/2026/1023)
* [Download](
https://eprint.iacr.org/2026/1023.pdf)
### Abstract
CKKS bootstrapping is a central tool for restoring the available modulus budget of approximate ciphertexts, thereby enabling homomorphic computations beyond a fixed leveled circuit. A key component is the pair of linear transformations CoeffToSlot and SlotToCoeff, which move data to the slot representation for homomorphic modular reduction and then back to the coefficient representation. In the sparse packing setting of Cheon et al. (EUROCRYPT 2018), the useful data occupy a short effective slot vector that is repeated across the full slot space. Existing methods for this setting mainly use the smaller effective dimension, whereas our approach exploits the repetition pattern itself to obtain simpler and cheaper transformations.
This paper use the repeated slot pattern to improve the efficiency of both CoeffToSlot and SlotToCoeff. Each transform keeps multiplicative depth \(1\) and uses fewer homomorphic operators. Let \(N\) be the ring dimension, let the packed vector have length \(n/2\), and write \(r=N/n\) for the repetition factor. For each transform, when \(n\le r/2\), the cost is one plaintext-ciphertext multiplication and \(O(\log n)\) rotations. When \(n>r/2\), the cost is \(2n/r\) plaintext-ciphertext multiplications and \(O(\sqrt{2n/r}+\log r)\) rotations. We also analyze the auxiliary slots produced by the new \textsf{CoeffToSlot} layout and prove that they satisfy the same sub-Gaussian range bound as the desired coefficient slots. Hence the \textsf{EvalMod} approximation range only needs the usual logarithmic margin from a union bound.
We implement the proposed transforms in OpenFHE and evaluate them as part of the CKKS bootstrapping pipeline. For \(N=2^{16}\) and the tested sparse dimensions \(n/2\le 1024\), our transforms are \(3.53\times\) to \(7.95\times\) faster than OpenFHE's depth \(1\) sparse linear transforms in the sparse secret key setting. This gives a \(1.71\times\) to \(5.28\times\) speedup for the whole bootstrapping procedure. Similar gains are observed in the uniform secret key setting. The gains are largest for \(n/2\le 512\), where our method is also competitive with the depth \(3\) OpenFHE baseline while using four fewer levels. Overall, the results show that slot repetition can be used to reduce the practical cost of CKKS bootstrapping in the sparse packing setting.
## 2026/1024
* Title: Separating the Pebbling Model from the Random Oracle Model
* Authors: Susanna F. de Rezende, David Engstr||m, Leonid Reyzin
* [Permalink](
https://eprint.iacr.org/2026/1024)
* [Download](
https://eprint.iacr.org/2026/1024.pdf)
### Abstract
The security of cryptographic constructions that enforce resource usage, such as Proofs of Work or Proofs of Space, is often shown in the random oracle model. This model restricts the class of possible adversaries, because it assumes that the adversary can access some function RO only as a black box, via queries. When the resource in question is space, the random oracle model is often further idealized by assuming that the outputs of RO are usable only in a black box manner: they are either stored whole or discarded whole by the adversary, and are never computed upon, except when provided as inputs to RO. In this idealization, they are often called "pebbles," and space usage is counted in terms of pebbles stored.
In some cases, it is known that the pebbling model does not add further restrictions on the adversary, because the bit strings that correspond to the pebbles can actually be extracted from the adversary's memory. In other cases, this question has been open for over a decade.
We resolve the open question by showing that the pebbling model does not realistically model adversarial capabilities in two important cases. Specifically, we construct a family of Proofs of Space and a family of Memory-Hard Functions in the pebbling model for which an algorithm that is allowed to treat outputs of RO as bit strings and compute upon them (simply by XORing subsets of them) can be significantly more efficient that an algorithm limited to pebbling.
## 2026/1025
* Title: Geometric Critical Point Screening: Clustering-Free Cryptanalytic Extraction of Neural Network Models
* Authors: Ming Duan, Peiyao Tang
* [Permalink](
https://eprint.iacr.org/2026/1025)
* [Download](
https://eprint.iacr.org/2026/1025.pdf)
### Abstract
Neural network model extraction has recently emerged as a critical security issue. In 2020, Carlini et al. categorized model extraction into signature extraction and sign extraction. In 2024, Canales-Mart|!nez et al. proposed a polynomial-time sign extraction method. In 2026, Liu et al. achieved the first successful model extraction of 8-layer deep neural networks. However, existing signature extraction methods follow an inefficient compute-first, cluster-later paradigm: they first compute signatures for massive candidate critical points of unknown layer provenance, then separate points from different layers via clustering, which incurs prohibitive query and computational overhead.
This paper presents a geometric relationship-based critical point screening method. By searching for critical points on three coplanar parallel lines, we can rapidly separate critical points of first hidden layer neurons with minimal signature extraction, reducing the query complexity of signature extraction from $O(N \log N \cdot d_0)$ to $O(d_1\cdot d_0)$. For neural networks where the input dimension exceeds the first hidden layer dimension, we can further achieve efficient screening of second hidden layer critical points by searching on three coplanar line segments within a fully activated space where all first hidden layer neurons are activated.
Geometric Critical Point Screening only requires computing signatures for a small number of non-target critical points. It offers advantages including low query cost and automatic validation of contaminated critical points. Experiments on a $784-8^{(8)}-1$ network demonstrate that the time required for signature extraction of first and second hidden layer neurons is only 1.7\% and 3.7\% of existing methods, respectively, with query cost reduced to 3.2\% and 0.1\% of state-of-the-art approaches. Furthermore, this method is not limited to ReLU activation and can be extended to other piecewise linear activation functions, providing a fundamental and general lightweight approach for neural network model extraction.
## 2026/1026
* Title: Sparse Hermite Interpolation Method for Discrete-CKKS Functional Bootstrapping
* Authors: Andreea Alexandru, Andrey Kim, Yuriy Polyakov, Hongren Zheng
* [Permalink](
https://eprint.iacr.org/2026/1026)
* [Download](
https://eprint.iacr.org/2026/1026.pdf)
### Abstract
Discrete CKKS is a promising approach for performing high-throughput homomorphic computations over encrypted discrete data. Although it relies on CKKS, an approximate FHE scheme, as the computation engine, discrete CKKS can achieve exact correctness. The core operation of discrete CKKS is functional bootstrapping, a mechanism which enables evaluating an arbitrary function over a bounded discrete domain by representing it as a lookup table and computing it as part of bootstrapping. Simultaneously, the same procedure enables reducing the input ciphertext noise using Hermite interpolation methods. This noise reduction feature is critical for both supporting arbitrary computations and improving the efficiency of their evaluation, by providing more noise budget between bootstrapping invocations.
In this paper, we first show that both state-of-the-art Hermite interpolation noise reduction methods by Bae et al. (ASIACRYPT'24) and Alexandru et al. (CRYPTO'25) have a limited noise reduction ability for distinct structural reasons. We then propose a new method that can efficiently overcome these limitations by using a CKKS-friendly *arbitrary-order* Hermite interpolation. We call this method "sparse" trigonometric Hermite interpolation because both constraints and coefficients have convenient sparsity properties, which allow us to achieve efficiency comparable to the fastest prior method by Alexandru et al., while attaining superior noise reduction. In the process, we develop a metric that measures the noise budget between consecutive functional bootstrapping invocations, and use it to compare all methods on equal footing. We implement our new method in OpenFHE and experimentally demonstrate its noise reduction advantage over prior methods.
## 2026/1027
* Title: Computing Asymptotic Bounds for the Automated Coppersmith Method via Linear Programming
* Authors: Zhaopeng Ding, Zhaopeng Dai, Baofeng Wu, Yanshuo Zhang, Kejun Zhang * [Permalink](
https://eprint.iacr.org/2026/1027)
* [Download](
https://eprint.iacr.org/2026/1027.pdf)
### Abstract
Coppersmith's method is a foundational technique for finding small roots of modular polynomial equations, and determining asymptotic bounds for the recoverable roots is a central and challenging part of its analysis. In this paper, we transform the computation of asymptotic bounds for the Automated Coppersmith method, proposed by Meers and Nowakowski (ASIACRYPT 2023), into a linear programming problem, thereby obtaining a provably correct and explicitly computable formula. As applications of our method, we obtain improved asymptotic bounds for five cryptanalytic settings: the Commutative Isogeny Hidden Number Problem, the Modular Inversion Hidden Number Problem, the Elliptic Curve Hidden Number Problem, the Linear Congruential Generators with unknown multiplier, and the Leveled Isogeny Problem with Hints for POKE. We believe that our method could be useful for evaluating the security of a broader range of cryptographic settings.
## 2026/1028
* Title: Collusion-Resistant Asymmetric Anamorphic Encryption: Framework, Generic Construction, and Concrete Instantiations
* Authors: Zhikang Xie, Rupeng Yang, Man Ho Au, Zuoxia Yu, Willy Susilo
* [Permalink](
https://eprint.iacr.org/2026/1028)
* [Download](
https://eprint.iacr.org/2026/1028.pdf)
### Abstract
Anamorphic encryption introduced by Persiano et al. (Eurocrypt'22) enables covert communication through innocent-looking ciphertexts, even under strong censorship where a dictator has the power to compel citizens to surrender their private decryption keys. In this work, we study the asymmetric form of anamorphic encryption proposed by Catalano et al. (Eurocrypt'24), where the covert channel operates in a manner analogous to PKE. However, the commonly considered notion, fully asymmetric anamorphic encryption, fails to address collusion, where the dictator can corrupt a sender to additionally obtain the sender double key for encrypting covert messages.
In this work, we resolve this gap by developing the first general framework for collusion-resistant asymmetric anamorphic encryptions. Our approach introduces a new cryptographic abstraction, witness PRF for PKE, which precisely captures the structure needed to embed secure covert channels under collusion. This abstraction allows us to reduce the construction of asymmetric anamorphic encryption schemes to a single primitive, providing a unified and conceptually clean methodology.
Building on this framework, we obtain a generic construction of asymmetric anamorphic encryption for any PKE scheme with high min-entropy ciphertexts. In contrast to prior generic approaches proposed by Catalano et al. (Eurocrypt'25) which rely on indistinguishability obfuscation, our construction achieves stronger security in the collusion setting under assumptions believed to be weaker, thereby improving both theoretical foundations and feasibility.
Beyond generic viability, we give direct and practical instantiations of our framework for widely deployed schemes, including ElGamal, Regev, and Paillier, without relying on heavy cryptographic mechanisms. These results demonstrate that the collusion-resistant asymmetric anamorphism is not only achievable in general, but also practical in standard encryption systems.
Taken together, this paper establishes the first complete treatment of asymmetric anamorphic encryption under collusion, providing a principled pathway for constructing covert communication mechanisms with rigorous and realistic security guarantees.
## 2026/1029
* Title: Towards a Unified Memory-Less Framework for TCitH
* Authors: Jes||s-Javier Chi-Dom|!nguez, D|-cio Luiz Gazzoni Filho, Marco Palumbi, Luis Rivera-Zamarripa
* [Permalink](
https://eprint.iacr.org/2026/1029)
* [Download](
https://eprint.iacr.org/2026/1029.pdf)
### Abstract
The current on-ramp NIST Competition for Additional Post-Quantum Digital Signature Schemes features two MPCitH variants: TCitH and VOLEitH. While VOLEitH yields shorter signatures and more stack memory, making it less suitable for constrained devices. In this work, we demonstrate that TCitH-based schemes are viable on embedded systems, such as Cortex-M4 devices. We present a simple, unified Zero-Knowledge Proof (ZKP) framework covering all TCitH-based submissions to the NIST competition. Our implementation achieves up to 99% reduction in stack usage over a baseline, with minimal code size overhead and negligible performance overhead. The framework is designed for extensibility: adding new schemes requires only implementing the mathematics of the underlying problem and the polynomial proof procedures. We further contribute a novel constant-time, bitsliced implementation of Rijndael-256 for embedded architectures, targeting the GGM tree Expand, PRG, and Commit functions central to TCitH-based schemes. This is an independent contribution of broader relevance, given NIST's ongoing standardization of Rijndael-256 and its use across MPCitH-based schemes. We believe that such a framework and implementation could help new developers and cryptographers when proposing new TCitH-based schemes.
## 2026/1030
* Title: Pushforward Problems and Applications to Isogeny-based Cryptography
* Authors: Luciano Maino, Christophe Petit
* [Permalink](
https://eprint.iacr.org/2026/1030)
* [Download](
https://eprint.iacr.org/2026/1030.pdf)
### Abstract
Let $E$ and $E'$ be two supersingular elliptic curves and let $\varphi: E\to E'$ be an isogeny of known degree $d$. Given a basis $(P, Q)$ of $E[N]$ together with $(\varphi(P), \varphi(Q))$, it is possible to recover $\varphi$ provided that $N$ is sufficiently large and smooth, and that the torsion basis can be represented over a small extension of the base field.
In this work, we consider the more general setting where the $N$-torsion may not be efficiently representable. To address this setting, we introduce a new framework for encoding torsion information via an oracle that computes pushforwards of $N$-isogenies under $\varphi$. We then show that there exist instances for which access to the pushforward oracle allows for an efficient isogeny recovery.
Beyond their theoretical interest, these instances have direct cryptographic implications. We show a practical attack against the threshold signature scheme recently proposed by Kim, Kim, and Lee. We also identify weak instances for Basso's oblivious pseudorandom function, and we refine the security discussion for Leroux and Rom|-as's updatable encryption scheme.
## 2026/1031
* Title: Compact Quaternion Algorithms for SQIsign
* Authors: Won Kim, Changmin Lee, Hyunwoo Yoo
* [Permalink](
https://eprint.iacr.org/2026/1031)
* [Download](
https://eprint.iacr.org/2026/1031.pdf)
### Abstract
SQIsign is an isogeny-based post-quantum signature scheme whose public keys and signatures are remarkably compact.
However, since SQIsign relies on arithmetic in quaternion algebras over the field of rational numbers, no fixed-precision integer arithmetic for SQIsign had been established until recently, hindering constant-time implementation and deployment on memory-constrained devices.
Recent work by Kim et al. instantiated an SQIsign implementation with fixed-precision integer arithmetic by deriving uniform worst-case bounds for the quaternion algorithms used in key generation and signing.
Nevertheless, the resulting precision budget remains large, exceeding 13~times the public key size.
Consequently, this forces implementations to reserve wide integer buffers throughout the computation.
This increases the memory footprint and reduces the suitability of fixed-precision SQIsign for constrained platforms.
In this work, we present compact quaternion algorithms that substantially reduce the fixed-precision memory requirements of SQIsign.
First, we modify and analyze quaternion algorithms for SQIsign, in which large intermediate integer values appear.
Then, we derive the improved uniform worst-case size bound on integers during the key generation and signing procedures.
As a result, we reduce the required precision budgets from 7026/10713/14150 bits to 1774/2696/3555 bits for the NIST-I/III/V security levels, respectively, corresponding to improvements of 74.75%, 74.83%, and 74.88%.
We also provide a fixed-precision implementation of SQIsign applying these improved precision budgets.
Compared with the previous fixed-precision implementation, our implementation achieves performance improvements of 41.36%/17.49% for key generation and 67.27%/55.26% for signing at the NIST-I/III security levels, respectively.
## 2026/1032
* Title: When Removing Reductions Goes Wrong: Auditing Reduction Placement in Production ML-DSA Implementations
* Authors: Sunwoo Lee, Hyuk Lim, Seunghyun Yoon
* [Permalink](
https://eprint.iacr.org/2026/1032)
* [Download](
https://eprint.iacr.org/2026/1032.pdf)
### Abstract
Implementing post-quantum signatures correctly in production cryptographic libraries remains challenging even after standardization. ML-DSA implementations rely on NTT-based polynomial arithmetic with lazy Montgomery reductions, and omitting a reduction may be either a valid optimization or a latent arithmetic defect. In practice, reduction calls are often removed for performance, memory, or embedded-deployment reasons, but the required correctness condition is inter-procedural: a site that appears redundant locally may be load-bearing for a later InvNTT stage. In this work, we present a certificate-backed audit methodology for reduction placement in production ML-DSA implementations. Starting from the conservative pq-crystals topology, our analysis propagates coefficient bounds across the full signing path and classifies reduction sites as redundant or necessary. The key technical ingredient is an exact-integer recovery result for sparse-challenge products, which tightens post-InvNTT bounds from (-Q,Q) to [--a++, -a++] and separates safe omissions on sparse-product paths from load-bearing dense-product sites. Applying the methodology to eight ML-DSA libraries, we uncover a previously unreported defect in wolfSSL's memory-optimized WOLFSSL-DILITHIUM-SMALL path, where omitted post-matrix-multiplication reductions cause overflow, non-conformant arithmetic, and signing failure while surviving the implementation's existing KAT tests. The site classifications are backed by replayable SMT-LIB2 certificates, with the core integer-bound lemmas cross-checked in an axiom-free Coq development.
## 2026/1033
* Title: A New Construction Method for More Efficient Quadratic One-Time Noisy Multi-Client Functional Encryption Schemes
* Authors: Jasmin Zalonis, Linda Scheu-Hachtel, Frederik Armknecht
* [Permalink](
https://eprint.iacr.org/2026/1033)
* [Download](
https://eprint.iacr.org/2026/1033.pdf)
### Abstract
We introduce a new construction method for one-time multi-client functional encryption schemes that support noisy quadratic functions, are resistant against corruption and allow for labels. Such schemes can be used as building blocks in many practical applications, e.g., privacy preserving machine learning on arbitrarily split data. In contrast to earlier constructions, ours uses a different structural design that allows to make use of less complex, hence more efficient building blocks. The security of our construction relies solely on its underlying building blocks and no additional hardness assumptions, making it more generic than related work. More specifically, the construction itself does not rely on structures given by bilinear groups.
We present a concrete instantiation, dubbed QUILT, and show in a series of experiments that it outperforms existing comparable schemes by far. For example, in the case of private logistic regression training, using QUILT yields a speed-up of 4.8x to 6.8x.
Moreover, in contrast to these schemes, our construction allows for the use of labels. This weakens the one-time restriction, since multiple encryptions are possible, if each ciphertext is tied to a different label.
--- Synchronet 3.22a-Linux NewsLink 1.2