From Newsgroup: sci.crypt
## In this issue
1. [2025/1311] Batch subgroup membership testing on pairing- ...
2. [2025/1818] Simulation-based Security Notion of Correlation ...
3. [2026/173] Eidolon: A Post-Quantum Signature Scheme Based on ...
4. [2026/196] Faster Pseudorandom Correlation Generators via ...
5. [2026/242] Neo and SuperNeo: Post-quantum folding with pay- ...
6. [2026/321] Sliced Rényi Pufferfish Privacy: Tractable ...
7. [2026/748] Related-Key Multi-Pair Neural Distinguishers: ...
8. [2026/862] Adaptively-Secure Flexible and Identity-Based ...
9. [2026/1050] Guess-and-Determine Rebound Revisited: Full Quantum ...
10. [2026/1055] Extending FRIDA Beyond Unique Decoding for Free
11. [2026/1056] Multivariate Polynomial Inference in a ...
12. [2026/1057] Computer-Aided Proof for Extended Generalized ...
13. [2026/1058] Efficient MPC-Based Modulus Conversion for ...
14. [2026/1059] Threshold Traitor Tracing with Partial-Insider ...
15. [2026/1060] An Improved Hybrid Dual Attack on LWE with Sparse ...
16. [2026/1061] S4 Is All You Need
17. [2026/1062] Pairing-Based Registered ABE for Boolean Formulas ...
18. [2026/1063] The Cost of Intelligence: Proving Machine Learning ...
19. [2026/1064] Post-Quantum Security of Practical Correlation- ...
20. [2026/1065] Formal Analysis and Verification of DigiLocker with ...
21. [2026/1066] Breaking Slope and Structure Restrictions: ...
22. [2026/1067] GATOR: Group Action AdapTOR Signatures via MPC-in- ...
23. [2026/1068] Self-Guarding Arbitrary Cryptographic Primitives ...
24. [2026/1069] ISAC Privacy: Challenges and Solutions for 6G
25. [2026/1070] Revisiting Security Definitions of Sender- ...
26. [2026/1071] Event Algebras and Applications to Cryptography
27. [2026/1072] Proactive Secret Sharing without Erasures
28. [2026/1073] SoK: Impermanent Loss, An Unavoidable Fee or a ...
29. [2026/1074] Cryptocurrency-Backed Trustless Anonymous Tokens ...
30. [2026/1075] Asymptotically Optimal Distance-Tail Bounds for ...
31. [2026/1076] Decentralizing Traitor Tracing: A Multi-Authority ...
32. [2026/1077] Authenticated and Incremental Single-Server Private ...
33. [2026/1078] Post-Quantum HAWK Signature Acceleration with RISC- ...
34. [2026/1079] Witness Pseudorandom Functions for Vector ...
35. [2026/1080] Pushing the Limit of Memory-efficient Collision ...
36. [2026/1081] From Perfect to Approximate Hints: Efficient LWE ...
37. [2026/1082] Compact Yet Fast: An Efficient d-Order Masked ...
38. [2026/1083] When KGC Meets Curator: New Paradigm of Registered ...
39. [2026/1084] BRaccoon: Concurrently Secure Blind Lattice ...
40. [2026/1085] Autonomous LLM-Orchestrated Side-Channel Extraction ...
41. [2026/1086] A Machine-Checked EUF-CMA Proof for the Hybrid ...
42. [2026/1087] Low-Norm Nullstellensatz Hypothesis for the AND ...
43. [2026/1088] FlipFields-New Building Blocks for Cryptograpic ...
44. [2026/1089] Faster Polynomial Evaluations for SIMD FHEs and ...
45. [2026/1090] How To Track Qubits Through Space and Time (Or: ...
46. [2026/1091] Practical Homomorphic LSTM via Programmable ...
47. [2026/1092] The Equivalence of Two Quadratic Based IBEs
48. [2026/1093] Anonymous yet Verifiable Privacy-preserving Demand ...
49. [2026/1094] Asymmetric Message Franking in the Plain Model: ...
50. [2026/1095] Key Transport over Untrusted QKD Relay Networks
51. [2026/1096] Toward zkSNARK-assisted Isogeny-based Cryptography
52. [2026/1097] Schnorr-like Signatures in the Non-Observable ...
53. [2026/1098] A gentle introduction to lattice-based cryptography
54. [2026/1099] Lynx: Symmetric Primitive for Shorter and Faster ...
55. [2026/1100] Adaptively Secure (Aggregatable) PVSS from Standard ...
56. [2026/1101] Tail-Hammer: Optimized Statistics for Anonymous ...
57. [2026/1102] Finite-Field Arithmetic in CKKS
58. [2026/1103] Jevil: A Catastrophic-Failure-by-Design Signature ...
59. [2026/1104] The ABC of Symmetric Primitives over Integer Rings: ...
60. [2026/1105] Dishonest Majority Multi-Party Arithmetic Garbling ...
## 2025/1311
* Title: Batch subgroup membership testing on pairing-friendly curves
* Authors: Dimitri Koshelev, Youssef El Housni, Georgios Fotiadis
* [Permalink](https://eprint.iacr.org/2025/1311)
* [Download](https://eprint.iacr.org/2025/1311.pdf)
### Abstract
A major challenge in elliptic curve cryptosystems consists in efficiently mitigating the small-subgroup attack. This paper explores batch subgroup membership testing (SMT) on pairing-friendly curves, particularly for the Barreto-Lynn-Scott family of embedding degree 12 (BLS12) due to its critical role in modern pairing-based cryptography. Our research introduces a novel two-step procedure for batch SMT to rapidly verify multiple points at once, cleverly combining the already existing tests based on the Tate pairing and a non-trivial curve endomorphism. We clarify why the invented technique is significantly faster (despite a negligible error probability) than testing each point individually. Moreover, it is applicable to prominent curves like BLS12-381 and BLS12-377 being frequently employed in zero-knowledge applications. Nonetheless, to further enhance the speed (or reduce the error probability) of the proposed batch point validation, we have generated two new BLS12 curves that are specifically optimized for this purpose. We also provide an open-source high-speed software implementation in Go, showcasing significant performance improvements achieved by our work.
## 2025/1818
* Title: Simulation-based Security Notion of Correlation Robust Hashing with Applications to MPC
* Authors: Hongrui Cui, Chun Guo, Xiaojie Guo, Xiao Wang, Kang Yang, Yu Yu
* [Permalink](https://eprint.iacr.org/2025/1818)
* [Download](https://eprint.iacr.org/2025/1818.pdf)
### Abstract
This work studies the security and constructions of correlation robust (CR) hash functions in secure multi-party computation (MPC). Existing definitions of CR hashing are all game-based (i.e., no simulator to achieve programmability or extractability), but MPC protocols are proven secure in the simulation-based models including both stand-alone and universal composability models. We found that for some MPC protocols, e.g., TinyOT-like authenticated-triple generation protocols and correlated oblivious transfer (COT) extension protocols, such a mismatch could lead to a gap in security proofs, even for the semi-honest adversary and stand-alone model.
To bridge the gap, we introduce a simulation-based security notion for CR hash functions to allow secure composition. Instead of building from scratch, we introduce such a simulator to a wide class of existing ideal-cipher-based CR hashing constructions, and derive the security bound from their original game-based CR security. This enables us to obtain an efficient CR hashing construction making just one call to a blockcipher, and is much more efficient than the construction from a random oracle used in previous TinyOT-like protocols. We showcase the utility of the new CR notion in easing security proofs and mitigating the risk of errors on two classes of protocols: (1) authenticated-triple generation protocols in the TinyOT family with a countermeasure; (2) COT extension protocols with bootstrapped iterations.
## 2026/173
* Title: Eidolon: A Post-Quantum Signature Scheme Based on k-Colorability in the Age of Graph Neural Networks
* Authors: Asmaa Cherkaoui, Ramón Flores, Delaram Kahrobaei, Richard C. Wilson
* [Permalink](https://eprint.iacr.org/2026/173)
* [Download](https://eprint.iacr.org/2026/173.pdf)
### Abstract
We propose Eidolon, a post-quantum signature scheme grounded in the NP-complete $k$-colorability problem. Our construction generalizes the Goldreich-Micali-Wigderson zero-knowledge protocol to arbitrary $k \geq 3$, applies the Fiat-Shamir transform, and uses Merkle-tree commitments to compress signatures from $O(tn)$ to $O(t \log n)$. We generate instances by planting a coloring while aiming to preserve the statistical profile of random graphs. We present an empirical security analysis of such a scheme against both classical solvers (ILP, DSatur) and a custom graph neural network (GNN) attacker. Experiments show that for $n \geq 60$, neither approach is able to recover a valid coloring matching the planted solution, suggesting that well-engineered $k$-coloring instances can resist the considered classical and learning-based cryptanalytic approaches. These experiments indicate that the constructed instances resist the attacks considered in our evaluation.
## 2026/196
* Title: Faster Pseudorandom Correlation Generators via Walsh-Hadamard Transform
* Authors: Zhe Li, Hongqing Liu, Chaoping Xing, Yizhou Yao, Chen Yuan
* [Permalink](https://eprint.iacr.org/2026/196)
* [Download](https://eprint.iacr.org/2026/196.pdf)
### Abstract
The past few years have witnessed the growing importance of pseudorandom correlation generators (PCGs) for generating correlated randomness with sublinear communication. To date, quasi-linear time PCGs for oblivious linear evaluation (OLE) over arbitrary finite fields have been constructed under either Ring-LPN or Quasi-Abelian syndrome decoding (QA-SD) assumptions, with a throughput of millions of OLEs per second demonstrated, in particular, for binary fields. However, many modern MPC protocols deal with large prime fields, in which existing PCGs suffer from a significant efficiency gap due to a quasi-linear number of *multiplications* involved in FFT (Fast Fourier Transform) algorithms. Moreover, FFT typically relies on FFT-friendly fields that contain large smooth multiplicative subgroups, and therefore is not well suited to popular fields, such as Mersenne prime fields.
In this work, we close the gap by leveraging the well-known Walsh-Hadamard transform (WHT) in the context of QA-SD based PCGs. Although WHT is still a quasi-linear time algorithm like normal FFTs, no multiplication is needed; addition and subtraction suffice. Since multiplications over a prime field $\mathbb{F}_p$ typically incur an $O(\log{p})$ overhead over additions, our scheme that avoids a large number of multiplications perfectly fits the large prime field setting. Experimental results show that WHT is at least one magnitude faster than FFT over a $64$-bit smooth prime field. Consequently, our PCG achieves $27,000$ OLE per second over a $64$-bit prime field. This is the first full implementation of PCG for OLE over arbitrary large prime fields that we are aware of.
We then build PCG for vector-OLE over arbitrary large prime fields from QA-SD assumptions, and fully implement it using the $\mathsf{libOTe}$ library. We achieve a throughput of over $5$ million vector-OLEs per second over a $64$-bit prime field, roughly four times faster than state-of-the-art PCGs from either expand-accumulate (EA) codes (Boyle et al., CRYPTO 2022), or expand-convolute (EC) codes (Raghuraman et al., CRYPTO 2023).
## 2026/242
* Title: Neo and SuperNeo: Post-quantum folding with pay-per-bit costs over small fields
* Authors: Wilson Nguyen, Srinath Setty
* [Permalink](https://eprint.iacr.org/2026/242)
* [Download](https://eprint.iacr.org/2026/242.pdf)
### Abstract
We construct the first folding scheme that simultaneously achieves six desirable properties: plausible post-quantum security, pay-per-bit commitment costs, field-native arithmetic (the sum-check and norm checks run purely over a small field), support for general (non-SIMD) constraint systems, small-field support (e.g., Goldilocks), and low recursion overheads. No existing scheme satisfies all six: group-based schemes (e.g., HyperNova) lack post-quantum security and are tied to large elliptic-curve fields; lattice-based schemes (e.g., LatticeFold) require expensive ring arithmetic, lose pay-per-bit costs, and impose SIMD constraints; and hash-based schemes (e.g., Arc) incur large verifier circuits.
We present two lattice-based folding schemes for CCS (an NP-complete relation generalizing R1CS, Plonkish, and AIR) called Neo and SuperNeo. Neo satisfies five of the six properties but requires SIMD constraint systems; SuperNeo removes this restriction and satisfies all six. Both run a single invocation of the sum-check protocol over a small field extension and achieve pay-per-bit costs via new folding-friendly instantiations of Ajtai commitments under the Module-SIS assumption. At the core of our constructions are two new norm-preserving embeddings of field vectors into ring vectors that respect an evaluation homomorphism required for folding. We also introduce interactive reductions, a framework that generalizes reductions of knowledge and enables modular security proofs for composed lattice-based protocols.
## 2026/321
* Title: Sliced Rényi Pufferfish Privacy: Tractable Privatization Mechanism and Private Learning with Gradient Clipping
* Authors: Tao Zhang, Yevgeniy Vorobeychik
* [Permalink](https://eprint.iacr.org/2026/321)
* [Download](https://eprint.iacr.org/2026/321.pdf)
### Abstract
We study the design of a privatization mechanism and privacy accounting in the Pufferfish Privacy (PP) family. Specifically, motivated by the curse of dimensionality and lack of practical composition tools for iterative learning in the recent Rényi Pufferfish Privacy (RPP) framework, we propose Sliced Rényi Pufferfish Privacy (SRPP). SRPP preserves PP/RPP semantics (customizable secrets with probability-aware secret-dataset relationships) while replacing high-dimensional Rényi divergence with projection-based quantification via two sliced measures, Average SRPP and Joint SRPP. We develop sliced Wasserstein mechanisms, yielding sound SRPP certificates and closed-form Gaussian noise calibration. For iterative learning systems, we introduce an SRPP-SGD scheme with gradient clipping and new accountants based on History-Uniform Caps (HUC) and a subsampling-aware variant (sa-HUC), enabling decompose-then-compose privatization and additive composition under a common slicing geometry. Experiments on static and iterative privatization show that the proposed framework exhibits favorable privacy-utility trade-offs, as well as practical scalability.
## 2026/748
* Title: Related-Key Multi-Pair Neural Distinguishers: Analysis and Applications to Lightweight Block Ciphers
* Authors: Thanh-Phong Nguyen, Nguyen Tan Cam, Van-Than Huynh, Hieu-Minh Nguyen
* [Permalink](https://eprint.iacr.org/2026/748)
* [Download](https://eprint.iacr.org/2026/748.pdf)
### Abstract
Neural differential cryptanalysis has recently been extended to related-key and multi-pair settings, enabling neural distinguishers to aggregate weak statistical biases across multiple ciphertext pairs. However, the statistical origin of the exploited signal remains insufficiently understood. In this work, we present a signal-centric analysis of related-key, multi-pair neural distinguishers across four block ciphers: PRESENT-80, SIMECK-32/64, LEA-128, and HIGHT.
We characterize ciphertext distributions using model-independent geometric metrics derived from Principal Component Analysis (PCA) embeddings and silhouette scores, and relate these data-level measurements to neural distinguishing performance under varying levels of aggregation. Across all evaluated ciphers, multi-pair aggregation amplifies weak ciphertext-level statistical biases through variance reduction, thereby extending distinguishability beyond the single-pair setting.
However, this effect is inherently limited by the progressive decay of ciphertext-level signal as the number of rounds increases, leading to well-defined difficulty boundaries where both geometric separability and neural performance collapse. In low-signal regimes, aggregation enables measurable, albeit limited, accuracy, indicating the presence of residual statistical structure. Generalization experiments further show that neural distinguishers fail to maintain predictive capability beyond the empirical boundary, with performance rapidly converging to the random baseline.
These findings suggest that neural distinguishing performance is fundamentally constrained by the underlying ciphertext-level signal rather than model capacity. Overall, this study provides a unified interpretation of the capabilities and limitations of multi-pair neural cryptanalysis.
## 2026/862
* Title: Adaptively-Secure Flexible and Identity-Based Broadcast Encryption from Decomposed LWE
* Authors: Rishab Goyal, Saikumar Yadugiri
* [Permalink](https://eprint.iacr.org/2026/862)
* [Download](https://eprint.iacr.org/2026/862.pdf)
### Abstract
Broadcast encryption (BE) allows a sender to succinctly encrypt a message to any dynamically chosen subset of recipients. The gold standard for BE is optimal succinctness (parameters independent of the number of users) and adaptive security, and attaining both from falsifiable post-quantum assumptions has been a central open problem. Recently, Goyal and Yadugiri (GY) gave the first adaptively-secure and optimally-succinct slotted distributed BE under a falsifiable lattice assumption, but their techniques inherently require an a priori bound on the number of users and a slotted user structure. Two highly-sought-after generalizations thus remained open: flexible BE (FBE), where users asynchronously sample and register their own keys; and identity-based BE (IBBE), where a trusted authority issues keys for identities drawn from a super-polynomially large space.
In this work, we present the first adaptively-secure FBE and IBBE schemes with all parameter sizes independent of the number of users, both under the same falsifiable lattice assumption (decomposed LWE) and in the same model (Random Oracle Model) as the prior state-of-the-art for slotted distributed BE. Our FBE additionally enjoys a transparent setup, in line with the trustless ethos motivating distributed and flexible BE. At the technical heart of our results, we extend the equivocal encryption framework of GY to capture unbounded and dynamic broadcast systems, and introduce Equivocal Matrix Commitments---a strengthening of matrix commitments that supports adaptive equivocation of the committed matrix. We expect this new abstraction to find broader applications in designing adaptively-secure trustless lattice-based encryption.
## 2026/1050
* Title: Guess-and-Determine Rebound Revisited: Full Quantum Collision Attack on AES-256 in DM Hash Mode
* Authors: Liyuan Tang, Lingyue Qin, Shiqi Hou, Xiaoyang Dong
* [Permalink](https://eprint.iacr.org/2026/1050)
* [Download](https://eprint.iacr.org/2026/1050.pdf)
### Abstract
At CRYPTO 2025, Qin et al. introduced the guess-and-determine (GD) rebound attack, which integrates the guess-and-determine approach by Bouillaguet, Derbez, and Fouque and the rebound attack by Mendel et al. Taking the GD rebound as a building block, this paper introduces several classical and quantum models to convert the semi-free-start (SFS) collision attack or free-start (FS) collision attack into collision attacks on DM hashing mode with AES.
As an application, the first full quantum collision attack on AES-256-DM is proposed. Despite numerous round-reduced quantum or classical attacks proposed against the three popular hash modes MMO/MP/DM with AES over the past two decades, this is the first full attack that targets one of the three fundamental security requirements: collision, (2nd) preimage resistance. Our full attack on AES-256-DM improves the best previous attack by Taiyama et al. at ASIACRYPT 2024 by 5 rounds. Besides, some improved results on AES-128-DM and AES-192-DM are also given, which have been verified partially or fully by experiments.
## 2026/1055
* Title: Extending FRIDA Beyond Unique Decoding for Free
* Authors: Nicolas Mohnblatt, Benedikt Wagner
* [Permalink](https://eprint.iacr.org/2026/1055)
* [Download](https://eprint.iacr.org/2026/1055.pdf)
### Abstract
Hall-Andersen, Simkin and Wagner (CiC 1:4) show how to construct data availability sampling schemes from code commitments. Later, in FRIDA (CRYPTO'24), the same authors describe a compiler that takes an interactive oracle proof of proximity (IOPP) for a code and produces a secure code commitment. Chaining both results allows one to construct efficient data availability sampling schemes from IOPPs.
In this short note, we give a novel security analysis that extends the results of FRIDA beyond the unique decoding radius of the code being used. This strict improvement leads to data availability sampling schemes with smaller commitments.
Towards our novel analysis, we define a variant of the opening-consistency property introduced in FRIDA, which we name opening-consistency with assign. Crucially, our new property does not depend on the unique decoding radius of the code. We then show that the FRIDA compiler can be applied to IOPPs that have opening-consistency with assign to produce secure code commitments. Finally, we show that under mutual correlated agreement, the batched FRI protocol (FOCS'20) satisfies opening-consistency with assign. This latter result is enabled by a recent analysis of FRI by Garreta, Mohnblatt and Wagner (ePrint 2025/1993).
## 2026/1056
* Title: Multivariate Polynomial Inference in a Cryptographic Setting
* Authors: Ramona Corbeanu, Diana Maimut, George Teseleanu
* [Permalink](https://eprint.iacr.org/2026/1056)
* [Download](https://eprint.iacr.org/2026/1056.pdf)
### Abstract
In this paper, we generalize to the multivariate setting the current state-of-the-art methods in the literature for the inference of bivariate polynomials constructed recursively, by means of repeated additions and multiplications. We present two main approaches: the first one based on polynomial interpolation and the second one relying on lattice-based techniques for solving modular knapsack-type problems. Both directions yield natural and practical generalizations, supported by detailed analyses of the underlying mathematical structures. Our methods can be useful for analysing the security of cryptographic algorithms, given their connection to basic operations serving as building blocks, for example in fully homomorphic encryption schemes.
## 2026/1057
* Title: Computer-Aided Proof for Extended Generalized Feistel Networks
* Authors: Yuchao Chen, Chun Guo, Muzhou Li, Shuo Peng, Hao Lei, Guang Zeng, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2026/1057)
* [Download](
https://eprint.iacr.org/2026/1057.pdf)
### Abstract
(Multi-branch) Generalized Feistel Network (GFN) enables the construction of block ciphers from non-linear components with small domains, and has been adopted in various block ciphers. Berger et al. (SAC 2013) introduced the Extended Generalized Feistel Network (EGFN), which unified and extended existing Feistel-like structures by using a matrix representation.
Given an arbitrary matrix, it is typically difficult to determine how many EGFN rounds are sufficient for pseudorandom permutation (PRP) and strong PRP (SPRP) security. Remarkably, security proofs for structures with a larger number of branches have to analyze a huge amount of collision events, which is overly complicated and prone to errors.
To remedy this situation, we present AutoEGFN, a computer-aided proof tool that determines the number of rounds sufficient for PRP and SPRP security for various variants of EGFN. The tool operates by calculating three parameters: $r_1$, $r_2$, and $r_3$. The validity and soundness of AutoEGFN are formally established by a detailed security proof. To demonstrate the effectiveness of AutoEGFN, we have applied it to multiple structures such as Type-1/2 GFN (Zheng et al., CRYPTO 1989), YI11's Type-1 GFN (Yanagihara and Iwata, CANS 2011), DFLM19's GFN (Derbez et al., FSE 2019), DDGP22's GFN (Delaune et al., INDOCRYPT 2022), Type-1.x GFN (Yanagihara and Iwata, IEICE 2014), SH/TH GFN (Yanagihara and Iwata, CANS 2011), Nyberg's GFN (Nyberg, ASIACRYPT 1996), SM's GFN (Suzaki and Minematsu, FSE 2010), and BMT's EGFN (Berger et al., SAC 2013). As a result, we provide a systematic analysis of the (S)PRP security for Type-1 and Type-2 structures for different numbers of branches. Our tool efficiently determines the concrete number of rounds required to ensure PRP and SPRP security for EGFNs with different branch numbers. For comparison, previous work only proved the (S)PRP security for 8- and 16-branch BMT's EGFN. Our tool completes the proof within several minutes, even for variants with $32$ branches. Meanwhile, for the other structures, we provide the first concrete (S)PRP security proofs without any restrictions on their permutation layers. Furthermore, AutoEGFN will significantly contribute to the enhancement of EGFN designs and implementations in various cryptographic applications.
## 2026/1058
* Title: Efficient MPC-Based Modulus Conversion for Threshold FHE Decryption
* Authors: Ivan Damgård, Sebastian Kolby, Claudio Orlandi, Stanislas Pawlak
* [Permalink](https://eprint.iacr.org/2026/1058)
* [Download](https://eprint.iacr.org/2026/1058.pdf)
### Abstract
We present new techniques for converting secret-shared values between different moduli in arithmetic MPC, without relying on bit decomposition. More concretely, our protocols convert a sharing $[x]_q$ over a source modulus $q$ into a sharing $[x]_t$ over a target modulus $t$, under a mild bound on the size of $x$. We give three variants: a particularly simple protocol for power-of-two moduli, a protocol for arbitrary source modulus and prime target modulus, and a general protocol for arbitrary target modulus via an intermediate prime modulus. All variants use only a constant number of openings and a small amount of preprocessing. We present them in the arithmetic black box model, so they can be instantiated on top of any MPC protocol supporting basic modular arithmetic.
As a main application, we use these techniques to construct efficient threshold decryption protocols for lattice-based fully homomorphic encryption (FHE), including BFV, BGV, and related schemes. The resulting protocols are special-purpose MPC protocols with a small constant number of rounds. They avoid noise flooding, allowing the parameters of the underlying FHE scheme to be chosen without making room for additional decryption noise.
The resulting protocols achieve statistical UC security against malicious adversaries.
We improve substantially on previous work on MPC-based threshold FHE decryption: as a concrete example, the state-of-the-art protocol by Zyskind et al. (ACM CCS 2025) implements decryption of the BFV scheme (with ciphertext modulus $2^{64}$), using about 17.000 bits of preprocessed correlated randomness, while we need only 63.
## 2026/1059
* Title: Threshold Traitor Tracing with Partial-Insider Resilience
* Authors: Jan Bormet, Hussien Othman
* [Permalink](https://eprint.iacr.org/2026/1059)
* [Download](https://eprint.iacr.org/2026/1059.pdf)
### Abstract
Threshold traitor tracing (Boneh et al. Crypto'24) addresses collusion in threshold encryption by tracing parties who collude to build illegal decryption devices called decoders.
However, the original definition does not capture settings where adversaries can access partial decryptions published during normal system operation.
In such settings, decoders sold to external buyers could depend on inputting additional partial decryptions from honest parties. Moreover, colluders may exploit observed partial decryptions when constructing a decoder to evade tracing, or even frame honest parties. Recently, Bormet et al. (EPrint'26) addressed this by introducing threshold traitor tracing in the presence of partial insiders. Their construction, however, works only in a weaker model, where decoders are assumed to output the full decryption, and colluders are assumed to observe only partial decryptions of valid ciphertexts. Additionally, they use a trusted dealer for key generation.
In this work, we present the first construction resilient against partial insiders in the stronger model of distinguishing decoders. Furthermore, our construction does not rely on a trusted dealer and remains traceable when colluders have access to a partial decryption oracle.
As part of this, we show how to generically lift traceability under a partial decryption oracle for valid ciphertexts to traceability under a partial decryption oracle for arbitrary ciphertexts using NIZK-PoKs. This transform is of independent interest, directly strengthening prior results that consider only valid-ciphertext partial decryption oracles, and allowing future analyses to focus on the simpler valid-ciphertext setting.
## 2026/1060
* Title: An Improved Hybrid Dual Attack on LWE with Sparse Secrets and its Application to FHE
* Authors: Lei Bi, Yijian Liu, Xianhui Lu, Junjie Luo, Kunpeng Wang
* [Permalink](https://eprint.iacr.org/2026/1060)
* [Download](https://eprint.iacr.org/2026/1060.pdf)
### Abstract
The Learning with Errors (LWE) problem serves as a cornerstone of modern cryptography, underlying advanced schemes such as Fully Homomorphic Encryption (FHE). Many FHE schemes adopt LWE instances with sparse ternary secrets, leaving them vulnerable to attacks. In 2022, Bi-Lu-Luo-Wang [ACISP 2022] proposed a hybrid dual attack that combines May's Meet-in-the-Middle (MITM) algorithm [Crypto 2021] with a dual attack and shows that it outperforms other attacks in a large range of FHE-type parameters. However, their attack suffers from two main efficiency bottlenecks: the costly enumeration of error entries and the large number of hash function labels.
In this work, we conduct a systematic analysis of several variants of May's MITM algorithm equipped with different list constructions and hash functions. Based on this, we propose a new hybrid dual attack that incorporates the most efficient variant, effectively mitigating both bottlenecks. We further enhance the attack by adopting a better hypothesis testing algorithm for FHE settings. Addressing recent concerns raised by Ducas-Pulles [Crypto 2023] regarding the independence heuristic in dual attacks, we provide a rigorous theoretical and empirical analysis. We demonstrate that, for typical FHE parameters, our attack does not rely on the problematic independence heuristic and lies outside the contradictory regime. Finally, we compare our attack with previous hybrid attacks, showing consistent and significant improvements across all evaluated cases. In particular, our results invalidate the accelerated BGV scheme in [EUROCRYPT 2024] by reducing its bit-security below the claimed security level, with the most extreme case being 18 bits lower.
## 2026/1061
* Title: S4 Is All You Need
* Authors: Donald Beaver
* [Permalink](https://eprint.iacr.org/2026/1061)
* [Download](https://eprint.iacr.org/2026/1061.pdf)
### Abstract
A fully shuffled permutation of four cards suffices to implement 1-of-2 Oblivious Transfer at a rate of one transfer per shuffle. After dealing two cards to Alice and one to Bob, Alice deterministically selects an item from a threefold partition of the edges of a tetrahedron, at which point OT is established. Unlike decades of 2-player computation results employing restricted permutations (as in den Boer's groundbreaking Five Card Trick) and artificial decks with repeated symbols, the "Tetrahedral OT" is the first to achieve two-party secret computations using a fully-shuffled set of unique elements. New "tenancy" and "narrowing" techniques are developed. Design patterns and protocol generation parameters are presented, along with some insightful but less efficient choices. The geometric symmetries behind the Tetrahedral OT protocol open up connections from Oblivious Transfer to Secret Key Exchange protocols as well. Decoupling information-theoretic permutations from computational one-wayness provides systematic access to broader and novel MPC protocol design, insight and simplification.
## 2026/1062
* Title: Pairing-Based Registered ABE for Boolean Formulas with a Linear-Size CRS
* Authors: Roy Stracovsky, Brent Waters, David J. Wu
* [Permalink](https://eprint.iacr.org/2026/1062)
* [Download](https://eprint.iacr.org/2026/1062.pdf)
### Abstract
Registered attribute-based encryption (ABE) is a generalization of ABE that replaces the central trusted key-issuer with an untrusted key curator. In registered (ciphertext-policy) ABE, users generate their own public keys and there is a transparent aggregation process that takes the public keys of the users together with their attributes and aggregates them into a short master public key that functions as the public key for a standard ABE scheme.
A sequence of works has focused on improving the efficiency and expressivity of pairing-based registered ABE. Today, all constructions of pairing-based registered ABE rely on a structured common reference string (CRS) whose size scales with the total number of users in the system $N$. While the first pairing-based constructions needed a CRS of size $O(N^2)$, a recent line of work has shown how to reduce it to $N^{1 + o(1)}$ in the case of general policies (albeit with extremely large constant factors), and to $O(N)$ if we restrict the policy family to conjunctions and DNFs (earlier schemes could support general monotone Boolean formulas) and if we analyze security in the generic group model (earlier schemes could be proven secure in the plain model).
In this work, we give the first pairing-based registered ABE scheme with a linear-size CRS that supports general policies (i.e., monotone span programs which include monotone Boolean formulas as well as threshold policies). We can show static security based on a $q$-type assumption in the plain model and adaptive security if we instead work in the random oracle model. Our scheme is also the first pairing-based construction where users can be identified by arbitrary strings (e.g., identities) rather than by integers from a polynomial-size range. This directly enables registered ABE with stateless key-generation. Namely, users in our system can sample their key independently of the current state of the system. Previous approaches require users either to first retrieve the current state of the system before they could generate their key or to generate multiple public keys to avoid collisions.
## 2026/1063
* Title: The Cost of Intelligence: Proving Machine Learning Inference with Zero-Knowledge
* Authors: Ryan Cao, Nick Cosby, Vishruti Ganesh, Ende Shen, Daniel Shorr, Benjamin Wilson
* [Permalink](https://eprint.iacr.org/2026/1063)
* [Download](https://eprint.iacr.org/2026/1063.pdf)
### Abstract
Zero-Knowledge (ZK) scaling solutions have seen wide adoption recently in emerging technologies, such as cryptocurrencies. Yet, the concrete limits of current ZK proof systems are not well understood for an emerging class of particularly compute-heavy operations -- artificial intelligence algorithms.
To that end, this technical whitepaper explores the current limits of constructing proofs for machine learning computation. We do this by benchmarking a common suite of multi-layer perceptrons (MLPs) across a set of zero-knowledge proof systems, including Groth16, Gemini, Winterfell, Halo2, Plonky2, and zkCNN. We showcase comparisons of proof time and memory consumption between the aforementioned proof systems, and how each scales with increasingly large and deep MLPs, examining bottlenecks for both proof time and memory consumption for each proof system. We conclude by examining the performance needed for production grade use-cases, motivating future work in a custom prover.
## 2026/1064
* Title: Post-Quantum Security of Practical Correlation-Robust Hashing
* Authors: Akinori Hosoyamada, Haruhisa Kosuge, Keita Xagawa
* [Permalink](https://eprint.iacr.org/2026/1064)
* [Download](https://eprint.iacr.org/2026/1064.pdf)
### Abstract
Correlation-robust (CR) hashing and its variants are central components in efficient secure-computation protocols, including OT extension, garbled-circuit optimizations such as Free-XOR and half-gates, and GGM-style tree constructions. In practice, these hashes are typically instantiated from block ciphers such as AES. The most commonly analyzed constructions are the Matyas-Meyer-Oseas (MMO) construction and its variants, such as $\widehat{\mathsf{MMO}}$. Existing analyses of such constructions, however, are classical and do not justify security against quantum adversaries that can make superposition queries to the underlying random permutation or ideal cipher.
We analyze the post-quantum security of these block-cipher-based correlation-robust hashes. In the quantum ideal cipher model (QICM), we prove multi-user tweakable correlation robustness with leakage (mTCRL) for the MMO construction, and multi-user tweakable circular correlation robustness with leakage (mTCCRL) for two MMO variants, the $\widehat{\mathsf{MMO}}$ and $\mathsf{EncFF}$ (Encryption with Feed-Forward) constructions. These results also imply the corresponding leakage-free and single-user guarantees: CR and TCR for MMO, and CR, CCR, TCR, and TCCR for $\widehat{\mathsf{MMO}}$ and $\mathsf{EncFF}$. They also yield security in the quantum random permutation model (QRPM) as a special case. Consequently, CR-type hash functions used in various existing protocol analyses can be instantiated with the covered MMO-type constructions while preserving the corresponding hash-replacement arguments against quantum adversaries in the QICM/QRPM. This applies to representative analyses of OT extension, (correlated) GGM trees, certain distributed point/comparison function constructions, and half-gates garbling. When the remaining components are post-quantum secure or are modeled as ideal functionalities, this yields post-quantum security of the resulting protocol instantiations under the corresponding composition theorem. Thus, our results provide post-quantum justification for practical block-cipher-based correlation-robust hashing in many efficient secure computation protocols.
Technically, our proof reduces CR-type security to the multi-key security of an Even-Mansour-like tweakable block cipher and then analyzes it using reprogramming-and-resampling techniques building on the work of Alagic et al. (Eurocrypt 2022). To handle adaptive key leakage, we introduce the conditional min-entropy with leakage (cmel) advantage, a quantity that isolates the information-theoretic entropy loss caused by leakage from the quantum ideal-cipher analysis. Without leakage, our bounds guarantee security up to roughly $q_E, q_C \ll 2^{\rho/3}$, where $q_E$ and $q_C$ are the numbers of primitive and construction queries and $\rho$ is the min-entropy of the secret shift; this query complexity is tight.
## 2026/1065
* Title: Formal Analysis and Verification of DigiLocker with Tamarin
* Authors: Nayan Kakade, Aditya Mundada, Raghvendra Rohit
* [Permalink](https://eprint.iacr.org/2026/1065)
* [Download](https://eprint.iacr.org/2026/1065.pdf)
### Abstract
DigiLocker is a key component of India's Digital Public Infrastructure, enabling secure digital storage, retrieval, and sharing of government-issued documents. Given its large-scale deployment and reliance on protocols such as OAuth 2.0 with PKCE, HMAC-based API authentication, digital signatures, and encrypted storage, rigorous security assurance is essential and cannot be ensured through conventional testing alone. In this work, we present a formal modeling and verification of DigiLocker's authentication and document-handling workflows using the Tamarin Prover. We model the OAuth 2.0 authorization code flow with PKCE, issuer-based document retrieval mechanisms (PullURI and PullDoc), document push workflows, and self-upload with encrypted storage under the Dolev-Yao adversary model. We formally specify and verify key security properties, including token secrecy, authorization code uniqueness, PKCE binding, document authenticity, integrity, confidentiality, and key management. Our results show that DigiLocker's protocol design satisfies these properties under ideal assumptions. However, controlled credential-leak scenarios demonstrate that compromise of sensitive values such as API keys or digilockerids can lead to exploitable attack traces. This study highlights the value of formal verification in strengthening security guarantees for large-scale e-governance systems.
## 2026/1066
* Title: Breaking Slope and Structure Restrictions: Broadening Hard-Label Cryptanalytic Extraction of PReLU Neural Networks
* Authors: Ruijie Ma, Yi Chen, Jiarui Zhang, Hongbo Yu, Xiaoyun Wang
* [Permalink](https://eprint.iacr.org/2026/1066)
* [Download](https://eprint.iacr.org/2026/1066.pdf)
### Abstract
This paper studies the problem of model parameter extraction of PReLU neural networks in the hard-label setting, the most challenging setting. Existing attacks on PReLU neural networks suffer from two fundamental restrictions: (1) the learnable slopes in PReLU activations are restricted to smaller than 1, not conforming to the standard definitions of PReLU activations; (2) they do not apply to expansive PReLU neural networks. In this paper, for the first time, we break the two restrictions by proposing a new attack in the hard-label setting.
Our breakthroughs stem from two new techniques and an important finding.
First, we propose a new network isomorphism, called flip-and-scaling, which helps break the slope restriction and build a new extraction framework. Second, we find that there are linear constraints on the internal states of expansive PReLU neural networks, and give the exact number of linear constraints. Third, we propose a new neuron signature recovery method for expansive PReLU neural networks, which overcomes the challenge brought by linear constraints and breaks the structure restriction. The correctness and effectiveness of our work have been fully verified by experiments on several hundred expansive PReLU neural networks. Overall, our work not only overcomes the restrictions of existing attacks but also provides some inspiration for future work.
## 2026/1067
* Title: GATOR: Group Action AdapTOR Signatures via MPC-in-the-Head
* Authors: Nico Döttling, Manar Mohamed, Riccardo Zanotto
* [Permalink](https://eprint.iacr.org/2026/1067)
* [Download](https://eprint.iacr.org/2026/1067.pdf)
### Abstract
Adaptor signatures are a foundational fairness primitive for blockchain applications. They enhance blockchain functionality by enabling applications such as atomic swaps, payment channels, and other fair-exchange protocols. At a high level, they allow a buyer to produce a pre-signature tied to a public statement, which a seller holding a corresponding witness can adapt into a valid signature. Once this signature is posted on-chain, the seller obtains payment, while the buyer can extract the witness from the finalized signature.
Existing practical adaptor signature constructions are predominantly tied to discrete-logarithm-based signatures, such as ECDSA and Schnorr, reflecting their widespread use in current blockchain deployments. However, the threat of Shor's algorithm and the broader transition toward post-quantum cryptography raise the question of whether adaptor functionality can also be realized efficiently for post-quantum signature schemes.
In this work, we answer this question for a broad class of signatures based on cryptographic group actions. Building on efficient MPC-in-the-Head-style group-action signatures, we obtain adaptor functionality through small modifications, yielding a general framework for adaptor signatures from arbitrary group actions.
In particular, our construction supports selling group-action discrete logarithms, which in certain parameter regimes correspond to the secret keys of the underlying signature scheme.
We further discuss concrete instantiations from several group-action families, including those underlying schemes such as CSI-FiSh, LESS, MEDS, and ALTEQ, and present a modular proof-of-concept implementation. We obtain a ~25kB pre-signature with ~100ms pre-signing time for LESS, MEDS and ALTEQ, and a ~4kB pre-signature with ~3.6s pre-signing time for CSI-FiSh.
## 2026/1068
* Title: Self-Guarding Arbitrary Cryptographic Primitives and 2PC Protocols
* Authors: Daniele Friolo, Andrea Reale, Daniele Venturi
* [Permalink](https://eprint.iacr.org/2026/1068)
* [Download](https://eprint.iacr.org/2026/1068.pdf)
### Abstract
In IEEE CSF '18, Fischlin and Mazaheri introduced the notion of self-guarding cryptographic protocols as a countermeasure to algorithm substitution attacks. After a trusted initialization phase, a Self-Guarder wraps the user's cryptographic algorithm implementation and sanitizes it in a way that (1) prevents an adversary from exploiting the subverted implementation to exfiltrate the user's data and (2) maintains the correctness of the genuine implementation. Whilst the proposed solutions in CSF '18 support a bounded number of executions before requiring a re-initialization phase, we show a universal self-guarder supporting an unbounded number of executions from a single trusted setup. Our self-guarder can be applied to any cryptographic primitive and any two-party computation protocol in the stand-alone setting with the aid of a verifiable-computation-enabling compiler.
## 2026/1069
* Title: ISAC Privacy: Challenges and Solutions for 6G
* Authors: Onur Gunlu, Stefano Tomasin, Joao P. Vilela, Francesco Chiti, Prajnamaya Dass, Angeliki Alexiou, Utz Roedig
* [Permalink](https://eprint.iacr.org/2026/1069)
* [Download](https://eprint.iacr.org/2026/1069.pdf)
### Abstract
Integrated sensing and communication (ISAC) is a promising feature of future communication networks. While spatial sensing can improve network performance and enable external services, it also creates privacy challenges that go beyond the confidentiality of communication content. Future networks using millimeter-wave (mmWave) and sub-terahertz (THz) frequencies may collect or infer detailed information about people, devices, bystanders, passive objects, and environments in a sixth-generation (6G) deployment area. Such sensing can reveal location and environment data, support behavioral profiling such as movement or activity recognition, and, in advanced cases, expose physiological information such as breathing frequency or heart-rate-related data. Thus, the capabilities of spatial sensing must be controlled to satisfy privacy requirements. In this work, we organize privacy-sensitive ISAC data into three sensing levels: location and environment data, behavioral data, and physiological data, and use this classification as the organizing principle throughout the paper. Based on this classification, we discuss internal and external ISAC applications, identify privacy challenges related to consent, transparency, data ownership, profiling, bystander exposure, and sensitive sensing data, review representative solution directions, and outline future research directions for privacy-preserving ISAC.
## 2026/1070
* Title: Revisiting Security Definitions of Sender-Anamorphic Encryption
* Authors: Yuichi Tanishita, Takahiro Matsuda, Kanta Matsuura
* [Permalink](https://eprint.iacr.org/2026/1070)
* [Download](https://eprint.iacr.org/2026/1070.pdf)
### Abstract
Sender-anamorphic encryption is a cryptographic primitive that allows a sender to covertly embed an alternative message into the ciphertext. This enables the sender to transmit the message they truly wish to send without an authority's knowledge, even if they are coerced into sending a message against their will. The concrete scenario considered here is one where the authority demands that the sender provide the public key, the plaintext, and the internal randomness used to generate the ciphertext, and then requires a proof that the coerced message was indeed encrypted correctly.
Persiano et al. (Eurocrypt 2022) formulated the security of sender-anamorphic encryption to capture this situation. Building on that, Wang et al. (Asiacrypt 2023) proposed $\ell$-sender-anamorphic encryption along with its security definition. However, in the formal security definitions for sender-anamorphic encryption in these existing works, the randomness used to generate the challenge ciphertext is not given to an adversary, and thus, the potential threats are not fully accounted for.
Therefore, in this study, we redefine security for sender-anamorphic encryption so that the randomness used to generate the challenge ciphertext is provided to the adversary. We then investigate whether the existing sender-anamorphic encryption schemes by Persiano et al. and Wang et al. satisfy our refined notions of security.
## 2026/1071
* Title: Event Algebras and Applications to Cryptography
* Authors: Konstantin Gegier, Ueli Maurer
* [Permalink](https://eprint.iacr.org/2026/1071)
* [Download](https://eprint.iacr.org/2026/1071.pdf)
### Abstract
Discrete-step models are ubiquitous in many disciplines, in particular in Computer Science (e.g., computer systems, distributed and cryptographic protocols, etc.). The space of possible developments forms a tree (or forest) whose branches correspond to the possible discrete steps. Events are monotone predicates (or downsets) on the tree.
Examples of events are input, output, forgery, consistency failure, or authentication failure events. Statements of interest about events are, for example, that a certain ("bad") event cannot occur.
This paper introduces the concept of event algebras, a specific type of bounded distributive lattice $(E;\preceq,\wedge,\vee,re+,\top,\bot)$ with an additional operation $re+$, and shows that the event algebra axioms capture exactly and minimally the abstract mathematical structure of events in discrete-step models. An event inequality $e\preceq f$ can be read as "event $e$ cannot occur without event $f$ (having occurred)."
The most basic type of event algebra theorems, which are the scope of this paper, are inequalities between algebraic terms, for example, $a re+ b \preceq (a re+ c) \vee (c re+ b)$, which hold universally, i.e., for any choice of the variables and for any event algebra. It is demonstrated that many fundamental statements in cryptography and other fields are direct implications of specific such universal event inequalities. For example, in a nutshell, the theorem stating the security of the well-known Hash-then-Sign paradigm is, in abstract form, the event inequality $e\preceq f\vee g$, where $e$ is the forgery event of the outer signature scheme, $f$ is the forgery event of the inner signature scheme, and $g$ is the (hash) collision event.
The abstract algebraic treatment comes with the usual advantages: (1) generality, i.e., independence of modeling aspects such as computational and communication models or complexity and efficiency notions, (2) natural theorem composition, and (3) purely algebraic, minimal, and even formal proofs (here done in the Lean theorem prover).
## 2026/1072
* Title: Proactive Secret Sharing without Erasures
* Authors: Alexandru Cojocaru, Aggelos Kiayias, Yu Shen, Petros Wallden
* [Permalink](https://eprint.iacr.org/2026/1072)
* [Download](https://eprint.iacr.org/2026/1072.pdf)
### Abstract
Proactive secret-sharing (PSS) offers security for shared secrets in a setting of a mobile adversary which, over time, may corrupt the whole shareholder set. This remarkable property is achieved by having parties proactively and in a coordinated manner refresh their shares on a regular basis, while it assumes that the adversary never manages to corrupt more than a threshold number of parties between two consecutive share refresh operations.
A common assumption for achieving PSS is the ability of parties to securely erase their private state once they have performed the refresh operation. Motivated by the difficulty of ensuring secure erasure in the real world, we investigate whether it is possible to achieve PSS without erasures. Since in the classical model of computation it can be easily shown that PSS without erasures is impossible, we ask whether it is possible to achieve PSS via quantum computation, while still requiring only classical communication.
We answer the question in the affirmative by utilizing one-shot signatures and post-quantum classical extractable witness encryption. In the process of developing our result, we define and construct threshold one-shot decryption and make connections to quantum money with classical communication both of which may be of independent interest. Finally, we show how, by combining post-quantum secure functional witness encryption with our PSS, it is possible for the secret to be used without explicitly being reconstructed, something that paves the way towards proactively secure threshold cryptography without erasures.
## 2026/1073
* Title: SoK: Impermanent Loss, An Unavoidable Fee or a Controlled Phenomenon?
* Authors: Arad Kotzer, Ori Rottenstreich
* [Permalink](https://eprint.iacr.org/2026/1073)
* [Download](https://eprint.iacr.org/2026/1073.pdf)
### Abstract
Decentralized exchanges built on Automated Market Maker (AMM) protocols have become a cornerstone of Decentralized Finance (DeFi), offering token swaps without conventional order-book matching. However, supplying liquidity to these AMM pools exposes participants to distinctive market risks, most notably impermanent loss (IL): the potential underperformance of a liquidity-provider portfolio relative to simply holding the underlying tokens. This paper presents a comprehensive overview of IL, unifying its main theoretical models, empirical evidence, and mitigation strategies. Our survey spans constant-function and concentrated liquidity market makers, synthesizes findings from leading DeFi protocols, and reviews mitigation methods that include both protocol-level adaptations and financial-engineering approaches. Across these perspectives, we highlight recurring trade-offs: cost, complexity, and security. Finally, we outline open questions for managing IL's systemic effects, keeping decentralized liquidity provision both profitable for participants and sustainable for the broader ecosystem.
## 2026/1074
* Title: Cryptocurrency-Backed Trustless Anonymous Tokens and Their Applications
* Authors: Amit Agarwal, Kushal Babel, Sourav Das, Ari Juels, Peter Rindal, Aayush Yadav
* [Permalink](https://eprint.iacr.org/2026/1074)
* [Download](https://eprint.iacr.org/2026/1074.pdf)
### Abstract
Public blockchains like Ethereum deliver transparency, but adding anonymity remains a fundamental challenge. Existing proposals either offer limited anonymity guarantees or rely on heavy cryptographic machinery, e.g., zero-knowledge proofs.
We introduce \emph{Blockchain Anonymous Tokens} (BAT), a system for efficient \emph{sender}-anonymous transactions on transparent blockchains. Building on the observation that \emph{one-time-spendable tokens suffice for many applications}, BAT has a lightweight design using classic anonymous tokens due to Chaum (1983).
Unlike such tokens, though, BAT is designed to work in a transparent decentralized setting, where issuers are untrusted (i.e., any single potentially malicious entity can be the issuer) and spends happen publicly. BAT issuance is compact: A client can receive $\ell$ tokens with just $\mathcal{O}(1)$ on-chain communication and computation.
We formalize the notion for BAT, and provide a concretely efficient construction. Our BAT construction requires no on-chain verification of expensive zero-knowledge proofs; just a signature verification during spends and a single exponentiation on-chain during issuance. We present several applications of BAT in various blockchain contexts.
We prove the security of our BAT scheme assuming hardness of the one-more computational Diffie-Hellman assumption in a bilinear pairing group in the random oracle model and with any secure digital signature scheme.
We implement and evaluate BAT and show that compared to the closest baseline, Zcash transactions, BAT tokens are more than 50$\times$ shorter, 9$\times$ faster to verify, and 7,000$\times$ faster to generate.
## 2026/1075
* Title: Asymptotically Optimal Distance-Tail Bounds for Large-Field RAA Codes
* Authors: Majid Khabbazian
* [Permalink](https://eprint.iacr.org/2026/1075)
* [Download](https://eprint.iacr.org/2026/1075.pdf)
### Abstract
Repeat-accumulate-accumulate (RAA) codes combine a very simple linear-time encoding procedure with strong distance behavior, making them attractive both in classical coding theory and in recent cryptographic applications such as code-based polynomial commitments, zkSNARKs, and pseudorandom correlation generators. Existing concrete analyses of RAA codes are strongest over the binary field, while large-field cryptographic applications require distance guarantees over fields whose size grows with the block length. In this regime, the usual binary-field weight-enumerator and union-bound arguments lose the large-field cancellation gains needed to obtain sharp tails.
We give a gap-covering proof of an optimal-tail distance bound for the large-field RAA ensemble \(G=RP_1AP_2A\). For every fixed repetition factor $r\ge9$ and every field size satisfying $q-1\ge(eN)^2$, we prove
\[
Pr[d_{\min}(G)\le \delta N]\le \widetilde O_r(N^{1-r})
\]
for every fixed $0<\delta<1/2$, where $N$ denotes the code length. We also prove the matching large-field lower bound $\Omega_r(N^{1-r})$, showing that the upper bound is optimal up to polylogarithmic factors.
In addition, we prove a binary-field companion lower bound. In particular, for every fixed $0<\delta<1/2$ and even $r$,
\[
Pr[d_{\min}(G)\le \delta N]
\ge c_{r,\delta}N^{1-r/2}.
\]
For even $r$, together with the improved binary upper bound in the literature, this identifies the binary tail up to polylogarithmic factors, while our large-field result gives the tight tail $\widetilde\Theta_r(N^{1-r})$. Thus the binary and large-field RAA ensembles have genuinely different low-distance tail exponents: the large-field improvement is an actual polynomial separation, not merely a separation between available proof techniques.
## 2026/1076
* Title: Decentralizing Traitor Tracing: A Multi-Authority Approach
* Authors: Rishab Goyal, Alex Snyder, Saikumar Yadugiri
* [Permalink](https://eprint.iacr.org/2026/1076)
* [Download](https://eprint.iacr.org/2026/1076.pdf)
### Abstract
Traitor tracing [Chor-Fiat-Naor; CRYPTO'94] has historically been formalized through the lens of a $\textit{single}$ trusted authority that samples the master keys and that, therefore, can read every ciphertext on its own. This $\textit{key escrow}$ problem makes traditional traitor tracing fundamentally incompatible with end-to-end encrypted broadcast networks. In this work, we introduce $\textit{multi-authority traitor tracing}$ (MA-TT) [Goyal-Yadugiri; ePrint], a new decentralized model for traitor tracing in which the setup is split across $K$ asynchronous and non-interacting authorities, and a user can decrypt only by combining partial keys from $\textit{every}$ authority. We require that semantic security holds even when an arbitrary set of authorities is corrupted (as long as some honest partial key remains hidden for every user), and that traceability never accuses a user for whom an honest partial key remains hidden.
We design MA-TT by combining any multi-authority attribute-based encryption (MA-ABE) scheme with a new primitive that we introduce, distributed mixed functional encryption (DMFE), a careful decentralization of the mixed functional encryption notion [Goyal-Koppula-Waters; STOC'18]. We construct DMFE from LWE via single-key key-homomorphic private constrained PRFs. Plugging in known MA-ABE schemes, we obtain MA-TT from LWE plus pairings with ciphertext size $K \cdot \mathsf{poly}(\lambda, \log N)$. As feasibility, we also give MA-TT from any PKE (with ciphertexts of size $K \cdot N \cdot \mathsf{poly}(\lambda)$) and from any multi-authority functional encryption (with fully succinct parameters).
## 2026/1077
* Title: Authenticated and Incremental Single-Server Private Information Retrieval
* Authors: Pengfei Lu, Zengpeng Li, Mei Wang
* [Permalink](https://eprint.iacr.org/2026/1077)
* [Download](https://eprint.iacr.org/2026/1077.pdf)
### Abstract
Authenticated Private Information Retrieval (Authenticated PIR) allows the client to retrieve the desired database entry without revealing any information about the query, while safely aborting if malicious behavior by the server is detected (presented in USENIX '23). However, two key challenges remain: existing single-server authenticated PIR schemes with sublinear online communication have not yet been clearly and fully implemented, and incremental updates to the digest introduce unnecessary overhead. In this paper, we implement the previously outlined idea and present two complete and concrete single-server authenticated PIR schemes with $O(\sqrt{N})$ online communication, namely LWE-AuthPIR and DDH-AuthPIR, along with detailed security proofs. Furthermore, we introduce the notion of single-server authenticated and incremental PIR and propose a corresponding concrete construction, LWE-AuthIncPIR. LWE-AuthIncPIR supports immediate updates to individual entries and integrates a communication-efficient row aggregation for periodic update scenarios. When 1%-8% of the entries in a 1GB database are modified, LWE-AuthIncPIR reduces offline preprocessing computation by 19-88$\times$ compared to the previous incremental update method. In password breach detection, LWE-AuthIncPIR achieves a 67$\times$ reduction in preprocessing time and a 2.9$\times$ reduction in communication overhead.
## 2026/1078
* Title: Post-Quantum HAWK Signature Acceleration with RISC-V-Based Hardware-Software Co-Design
* Authors: Rishabh Shrivastava, Utsav Banerjee
* [Permalink](https://eprint.iacr.org/2026/1078)
* [Download](https://eprint.iacr.org/2026/1078.pdf)
### Abstract
Advances in quantum computing technology have motivated the development of post-quantum cryptography (PQC) algorithms. HAWK is a new post-quantum digital signature scheme and the only lattice-based candidate selected for Round 3 of the "Additional Digital Signatures" phase of the NIST PQC Standardization process. HAWK offers compact key and signature sizes compared to NIST standard ML-DSA (Dilithium), and its simple design avoids the use of floating-point arithmetic unlike NIST standard FN-DSA (FALCON). This makes HAWK very well suited for resource-constrained applications. We perform software runtime profiling of HAWK signature computation and verification on a resource-efficient Vex RISC-V processor core, and identify Keccak permutations and polynomial transformations as the most computationally expensive functions. In this work, we demonstrate light-weight hardware-software co-design of HAWK with these operations accelerated using Vex RISC-V Custom Function Units and accompanying custom instructions. We present multiple design variants with different degrees of acceleration, and our best design achieves $\approx 3 \times$ speedup and $\approx 40\%$ reduction in area-time-product compared to the baseline when implemented on a Xilinx Artix-7 FPGA.
## 2026/1079
* Title: Witness Pseudorandom Functions for Vector Commitments and Applications
* Authors: Rishabh Bhadauria, Pedro Branco, Nico Döttling, Sanjam Garg, Guru-Vamsi Policharla
* [Permalink](https://eprint.iacr.org/2026/1079)
* [Download](https://eprint.iacr.org/2026/1079.pdf)
### Abstract
A witness pseudorandom function (WPRF) is a PRF which has an additional mode of public evaluation. Given the public key, it can be evaluated publicly if one provides a valid NP witness for that input, while the output remains pseudorandom to anyone without such a witness. WPRFs are powerful objects, and general-purpose constructions are currently only known from assumptions that imply indistinguishability obfuscation.
In this work, we construct a WPRF for a specific language related to the Libert-Yung vector commitment (TCC 2010). More specifically, public evaluation of the WPRF on an input is possible if a valid local opening for that input is provided. Our construction relies only on standard assumptions on pairing groups and is fully black-box.
We further show that this primitive enables us to solve several open problems in the study of communication-efficient secure computation:
- Rate-1 Laconic Oblivious Transfer. We construct a laconic oblivious transfer protocol with total communication complexity $2k+\mathsf{poly}(\lambda)$ for $k$ executions. Previously, achieving this efficiency required non-falsifiable assumptions such as evasive LWE (Wee, CRYPTO'24).
- Near-optimal Laconic Private Set Intersection. We construct laconic private set intersection for which the amortized communication complexity approaches $\lambda$ bits per element in the sender's set (assuming each set element is represented by $\lambda$ bits) and is independent of the receiver's set. This is within a constant factor of the information-theoretic lower bound.
- Rate-1 Batch Registration-Based Encryption. We construct a registration-based encryption scheme in which, when the encryptor sends multiple messages to multiple receivers, the ciphertext overhead is only two group elements.
## 2026/1080
* Title: Pushing the Limit of Memory-efficient Collision Attack Framework for SHA-2
* Authors: Yingxin Li, Fukang Liu, Gaoli Wang, Jiali Shi
* [Permalink](
https://eprint.iacr.org/2026/1080)
* [Download](
https://eprint.iacr.org/2026/1080.pdf)
### Abstract
The SHA-2 family of hash functions is standardized by NIST and mainly includes two variants, SHA-256 and SHA-512. Due to its widespread deployment, its security has attracted continuous attention from various parties. Although Li et al. have developed open-source SAT/SMT-based tools and proposed new memory-efficient collision attack frameworks for SHA-2 in the past two years, practical collision attacks have only been achieved for 31-step SHA-256 and 29-step SHA-512, respectively. To push the limit of this attack framework for SHA-2, we carefully investigate the existing strategies for choosing the message differences used in 38/39-step semi-free-start collision attacks. We find that by selecting the message words $(W_{4+i}, \ldots, W_{8+i}, W_{12+i}, W_{13+i}, W_{20+i}, W_{22+i})_{0\leq i \leq 3}$ to inject differences, and employing the open-source SAT/SMT-based automated tools to search for the corresponding differential characteristics, notable improvements can be achieved for both practical and theoretical collision attacks. Specifically, the first practical collision attacks on 35-step SHA-256 and SHA-512 are achieved for $i=0$, improving the best practical collision attacks on SHA-256 and SHA-512 by 4 and 6 steps, respectively. When $i\in\{1,2\}$, theoretical collision attacks on both SHA-256 and SHA-512 can reach up to 36/37 steps. We also tried a collision attack on up to 38 steps by setting $i=3$, but the uncontrolled differential probability is too low to be used for an effective attack.
## 2026/1081
* Title: From Perfect to Approximate Hints: Efficient LWE Secret Recovery Leveraging Low Hamming Weight
* Authors: Minki Hhan, Ga Hee Hong, Jiseung Kim, Changmin Lee, JeongHwan Lee
* [Permalink](
https://eprint.iacr.org/2026/1081)
* [Download](
https://eprint.iacr.org/2026/1081.pdf)
### Abstract
The Learning With Errors (LWE) problem is a cornerstone of lattice-based cryptography and underpins the security of numerous cryptographic schemes. To enhance efficiency, practitioners often employ sparse secrets in LWE, where the secret vector $\mathbf{s}$ has a significantly lower Hamming weight than its dimension $n$. While this approach improves performance, it raises security concerns, particularly against side-channel attacks that can leak partial information, or "hints," about the secret key.
In this paper, we revisit the LWE with side information framework on sparse ternary secrets, focusing on approximate/perfect hints of the form $(\mathbf{v}, l)$ satisfying $l = \langle \mathbf{v}, \mathbf{s} \rangle + e$, where $e$ is a small error term, or $l = \langle \mathbf{v}, \mathbf{s} \rangle$. While previous results needed about $n/2$ perfect or modular hints to break LWE in polynomial time, we show empirically, supported by a conservative lower-bound analysis under the Gaussian Approximation Assumption (GAA), that the task can be accomplished with only $O(h \log_2 h)$ hints, where $h$ denotes the Hamming weight of $\mathbf{s}$.
We demonstrate the effectiveness of our algorithm on practical parameter sets used in Fully Homomorphic Encryption (FHE) schemes. For instance, for a sparse-secret FHE bootstrapping regime with $(n, h) = (2^{15}, 32)$, our method requires only 320 approximate/perfect hints to recover the secret key, compared to the $2^{14}$ perfect/modular hints required by previous methods. For the OpenFHE library with $(n, h) = (2^{15}, 192)$, we heuristically confirm secret-key recovery via $O(h \log_2 h)$ perfect hints; approximate hints have not yet been validated in this setting. After collecting the necessary hints, our algorithm recovers the secret key in polynomial time in dimension $n$.
## 2026/1082
* Title: Compact Yet Fast: An Efficient d-Order Masked Implementation of Ascon
* Authors: Mattia Mirigaldi, Maurizio Martina, Guido Masera
* [Permalink](
https://eprint.iacr.org/2026/1082)
* [Download](
https://eprint.iacr.org/2026/1082.pdf)
### Abstract
In this work, we present a generic side-channel protected design of Ascon that achieves high efficiency by dynamically reconfiguring the hardware countermeasures during message processing. The resultant implementation is protected and capable of meeting stringent performance requirements whilst minimising resource overhead. The experimental results obtained demonstrate that the implementation meets the required security and achieves superior throughput-to-area ratio across all protection orders.
Ascon, recently selected by NIST as the lightweight cryptography standard, is widely deployed in resource-constrained devices that demand both high performance and resistance against threats such as side-channel analysis (SCA). Exploiting Ascon's mode-level structure, which does not require protection against differential power analysis during bulk operations, we introduce a modified masking gadget with dual functionality: serving as a countermeasure during critical operations, and processing multiple data paths in parallel to accelerate bulk computation. Our architecture supports any configurable security order and instantiates only the minimum hardware resources needed to maximize throughput per round.
We also evaluate an enhanced Ascon architecture based on the Changing of the Guards technique, which eliminates the need for fresh randomness. Security validation is performed using fixed-vs-random t-tests on both first- and second-order masked implementations. Finally, we compare our masked design against state-of-the-art solutions.
## 2026/1083
* Title: When KGC Meets Curator: New Paradigm of Registered ABE and FE
* Authors: Ziqi Zhu, Jun Zhao, Kai Zhang, Junqing Gong, Haifeng Qian
* [Permalink](
https://eprint.iacr.org/2026/1083)
* [Download](
https://eprint.iacr.org/2026/1083.pdf)
### Abstract
Functional encryption (FE), which covers the notion of attribute-based encryption (ABE), is the cryptographic tool for realizing fine-grained control over the accessibility of encrypted data. Traditional FE requires a central trusted authority to issue secret keys. It depends on a full-trust model and is vulnerable to the security issue caused by key escrow. Registered FE (Reg-FE), in contrast, achieves a zero-trust model and addresses this security issue by removing the central authority: it allows users to generate secret keys themselves and join the system by registering the corresponding public keys with a curator.
This work introduces delegated Reg-FE, which is a primitive with a new registration paradigm. It allows the registration of certain authorities that can issue secret keys for their respective classical FE sub-systems, beyond the prior work of registering plain users. Delegated Reg-FE implements a hybrid trust model within a two-level hierarchy. By redefining key escrow as a functional mechanism rather than a security concern, this model employs a zero-trust upper level which removes key-escrow, while the subsystem of each authority is locally full-trust and retains key-escrow mechanism.
We construct four delegated Reg-FE schemes for functionalities that can be described as the $2\times 2$ combinations of linear functions and policy checks, namely Delegated Reg-IPFE, Delegated Reg-ABE, Reg-IPFE with delegated ABE, and Reg-ABE with delegated IPFE. All concrete schemes support bounded registrations and delegations, and achieve standard adaptive security under the MDDH assumption on prime-order bilinear groups. Furthermore, these schemes rely only on black-box techniques. Technically, they rely on dual-system techniques, as prior registration-based works do, and we devise a new "hierarchically invoked dual-system" technique for schemes that have sub-ABE delegation systems.
Furthermore, we present a generic construction of Delegated Reg-FE from the combination of Reg-FE and FE. The instantiations of this generic construction demonstrate the feasibility of delegated Reg-FE, supporting arbitrary functions as well as unbounded numbers of registrations and delegations. However, this approach requires non-black-box techniques and achieves weaker semi-adaptive security without malicious registration, where semi-adaptive means that the adversary declares the challenge after seeing the common reference string but before making any query. Its security relies solely on the underlying assumptions of the Reg-FE and FE components.
## 2026/1084
* Title: BRaccoon: Concurrently Secure Blind Lattice Signatures from Raccoon
* Authors: Lucjan Hanzlik, Mark Manulis, Marzio Mula, Alan Pulval-Dady, Tjerand Silde, Daniel Slamanig
* [Permalink](
https://eprint.iacr.org/2026/1084)
* [Download](
https://eprint.iacr.org/2026/1084.pdf)
### Abstract
Blind signatures are a central primitive for privacy-preserving applications such as e-cash, anonymous credentials, and e-voting. In the post-quantum setting, existing constructions typically follow one of two paradigms: either signatures are realized as non-interactive zero-knowledge ($\mathsf{NIZK}$) proofs of valid underlying signatures, or they are obtained from identification schemes via the Fiat--Shamir transform. In both approaches, the resulting signatures deviate syntactically from standard signatures, incurring additional verification overhead and limiting compatibility with existing infrastructures. In contrast, classical constructions such as blind Schnorr yield signatures that are indistinguishable from ordinary ones. Achieving this property in the lattice setting has remained an open problem.
We present $\mathsf{BRaccoon}$, the first lattice-based blind signature scheme that achieves concurrent security while producing signatures that are syntactically identical to those of a standard signature scheme. Our construction builds on the rejection-free lattice signature scheme $\mathsf{Raccoon}$, and extends the "blind signatures from a signature assumption" paradigm of Fuchsbauer and Wolf (EUROCRYPT 2024) to lattices. At a high level, we introduce blinding at the commitment stage and enforce correct challenge and response generation via linearly homomorphic encryption combined with $\mathsf{NIZK}$ proofs. As a result, $\mathsf{BRaccoon}$ signatures preserve the algebraic structure of $\mathsf{Raccoon}$ signatures while remaining compact: in an optimized instantiation, signatures are $32$ KB, public keys are $10$ KB, and total communication is $847$ KB for up to $2^{32}$ signatures.
A central technical challenge stems from discrete Gaussian sampling, where blinding induces a non-trivial distributional shift that precludes direct security reductions. To overcome this, we introduce a modified scheme $\mathsf{Raccoon}^\star$ that explicitly captures this shift. We prove that one-more unforgeability of $\mathsf{BRaccoon}$ tightly reduces to the unforgeability of $\mathsf{Raccoon}^\star$, which in turn reduces to that of $\mathsf{Raccoon}$.
For a concrete instantiation, we develop a hybrid proof framework that combines lattice-based zero-knowledge arguments for linear relations with arithmetic zk-SNARKs for hash computations, linked via structured commitments. Our work demonstrates that concurrently secure blind signatures with standard-signature syntax can be achieved in the lattice setting, providing a viable path toward practical and interoperable post-quantum privacy-preserving systems.
## 2026/1085
* Title: Autonomous LLM-Orchestrated Side-Channel Extraction Against Fully Unrolled and Masked Architectures
* Authors: Mani Rupak Gurram, Daniel Ifeoluwa Idowu, Yamini Swetha Nadella, Nouf Nur Nabilah, Sarita Bista, Mohamed Chouikha, Annamalai Annamalai, Akshay "AK" Raghavendra Kulkarni
* [Permalink](
https://eprint.iacr.org/2026/1085)
* [Download](
https://eprint.iacr.org/2026/1085.pdf)
### Abstract
Unrolled cryptographic hardware architectures are increasingly deployed to maximize throughput, inherently introducing massive algorithmic noise floors that frequently thwart traditional temporal Side-Channel Analysis (SCA). However, the reliance on structural combinational noise as a standalone countermeasure remains underexplored against adaptive, AI-driven profiling. This work presents a novel autonomous framework utilizing a Large Language Model (LLM) agent to orchestrate and execute differential power evaluations against a 161,000-gate fully unrolled AES-128 core on a target CW305 FPGA. We first establish a baseline, demonstrating that standard Correlation Power Analysis (CPA) systematically fails to penetrate the unrolled noise floor, yielding statistically insignificant correlations (r ≈ 0.11). In response to this heuristic failure, the autonomous agent dynamically pivots to a Zero-State Differential Power Isolation methodology. By leveraging single-channel baseline subtraction, the agent mathematically cancels multi-round algorithmic noise from the global power trace, successfully isolating the target combinational leakage and achieving peak correlations exceeding r = 0.318 across all 16 state bytes. Furthermore, by comparing the extracted physical signatures to the logical target state, the framework autonomously extracts 16 unique physical-to-logical routing maps. This demonstrates that while automated Electronic Design Automation (EDA) synthesis inadvertently introduces physical bit-level obfuscation, these synthesis optimizations can be systematically reverse-engineered by agentic profiling. Ultimately, this work proves that unrolled combinational architectures cannot serve as a robust defense against adaptive, autonomous side-channel characterization.
## 2026/1086
* Title: A Machine-Checked EUF-CMA Proof for the Hybrid Fiat-Shamir Signature Scheme
* Authors: Sara Zain
* [Permalink](
https://eprint.iacr.org/2026/1086)
* [Download](
https://eprint.iacr.org/2026/1086.pdf)
### Abstract
The FS-FS hybrid signature scheme of Bindel and Hale [12] couples two independent Fiat-Shamir components through a single shared challenge c = H(w1, w2, D(m)), achieving one of the strongest known proof composability and simultaneous verification properties among hybrid designs, but its EUF-CMA security was stated without proof. We present the first machine-checked EUF-CMA security proof of the FS-FS hybrid, formalised in EasyCrypt in the Random Oracle Model and parametrised over abstract sigma-protocol interfaces; the bound applies to any heterogeneous FS-based pair, classical or post-quantum. We prove two symmetric security bounds, one reducing to each component independently, so that security holds whenever either component is EUF-CMA secure; the FS-FS-Schnorr corollary confirms the result is non-vacuous. We further show that the second-preimage-resistance assumption of [12] is subsumed by the ROM guessing term 1/|R|, reducing the effective assumptions from three to two: EUF-CMA of either component under the shared hybrid-hash challenge, and collision resistance of the digest. The mechanisation uncovers two proof obligations invisible at the theorem level: a logging invariant over the shared lazy oracle and a module-restriction framing argument for the abstract digest, both of which we isolate as reusable EasyCrypt proof patterns.
## 2026/1087
* Title: Low-Norm Nullstellensatz Hypothesis for the AND Code is False
* Authors: Zhengzhong Jin
* [Permalink](
https://eprint.iacr.org/2026/1087)
* [Download](
https://eprint.iacr.org/2026/1087.pdf)
### Abstract
The recent work [Devadas-Hopkins-Kalai-Kothari-Lombardi-Mathialagan, STOC 2026] proposed a low-norm Nullstellensatz hypothesis for the "AND code": every polynomial $f$ vanishing on the "AND-code ideal" should admit a Nullstellensatz decomposition over the local AND constraints whose total coefficient \(\ell_1\)-norm is only polynomially larger than the \(\ell_1\)-norm of $f$.
We give a counterexample to this conjecture by proving an exponential lower bound on the total coefficient \(\ell_1\)-norm. The core idea of the proof was discovered by ChatGPT 5.5 Pro, and we verified and reorganized the proof to improve its exposition. The proof constructs a dual linear functional, whose analysis leverages the rank of the quadratic forms to bound Fourier correlations.
The counterexample can also be extended to give the first \(\ell_1\)-norm lower bound for Nullstellensatz refutations over the \(\{\pm1\}\)-basis. Previously, \(\ell_1\)-norm lower bounds for Nullstellensatz refutations were known only over the \(\{0,1\}\)-basis, due to Potechin and Zhang [ICALP 2024]. We believe this is of independent interest to proof complexity.
## 2026/1088
* Title: FlipFields: New Building Blocks for Cryptographic Primitives?
* Authors: Christopher Wolf
* [Permalink](
https://eprint.iacr.org/2026/1088)
* [Download](
https://eprint.iacr.org/2026/1088.pdf)
### Abstract
$1+1 \equiv 0$: while this looks strange at first glance, it is certainly true in GF(2). In this paper we propose the two field-like structures FlipInts and FlipPolys as potential alternative building blocks for cryptographic schemes, in particular in the post-quantum setting. Both structures have $2^d$ elements for some positive integer $d$ and are derived from the natural numbers $\mathbb{N}$ in the first case and the univariate polynomial ring GF(2)$[t]$ in the second case. We call the generalization of these two structures FlipFields. In addition, we give examples of how they can be used for post-quantum cryptography, in particular Unbalanced Oil and Vinegar, Learning with Errors and Saber. There is also a discussion of cryptographic primitives that are most likely not suitable for FlipFields, or at least not easy to tweak. As the structures are very new, this paper also includes a list of open problems.
## 2026/1089
* Title: Faster Polynomial Evaluations for SIMD FHEs and Application to BGV in HElib
* Authors: Jiachen Zhao, Jiang Zhang, Binwu Xiang, Songyu Wu, Yi Deng, Dengguo Feng
* [Permalink](
https://eprint.iacr.org/2026/1089)
* [Download](
https://eprint.iacr.org/2026/1089.pdf)
### Abstract
The cost of the homomorphic multiplications needed by existing FHEs to evaluate a degree-$D$ polynomial $f(x)$ at some point $x$ is very high. When $x$ is encoded in a plaintext slot having a power-of-two degree $d = 2^\ell$ and $D \leq d$, one can efficiently evaluate $f(x)$ with \(O(\log d)\) multiplications using the heuristic algorithms of Okada et al. (ASIACRYPT 2023). However, neither $d = 2^\ell$ nor $D\leq d$ is satisfied for most practical FHE parameters, and the Paterson–Stockmeyer (P-S) method with \(O(\sqrt{D})\) multiplications remains the state of the art for $d \neq 2^\ell$ or $D>d$.
In this paper, we first present a polynomial evaluation algorithm with \(O(\log d)\) multiplications for any non-power-of-two $d$ and $D\leq d$, which achieves the same asymptotic complexity as that of Okada et al. Then, we give a polynomial evaluation algorithm with $O(\sqrt{D/d})$ multiplications for plaintext modulus $p>2$ and $d < D\leq d\log p$, which beats the P-S method by a factor of $\sqrt{d}$ and essentially achieves logarithmic multiplication complexity when $D \leq d \cdot \min(\log^2 D, \log p)$. As a major application, we implement our algorithms in HElib and use them to evaluate the digit extraction polynomials of BGV bootstrapping with parameter $d$ ranging from $14$ to $45$, obtaining a \(1.22\)-\(2.16\times\) speedup over the state-of-the-art work of Ma et al. (EUROCRYPT 2024).
## 2026/1090
* Title: How To Track Qubits Through Space and Time (Or: Sailing in a Quantum Boat)
* Authors: James Bartusek, Zikuan Huang, Leo Orshansky, Henry Yuen
* [Permalink](
https://eprint.iacr.org/2026/1090)
* [Download](
https://eprint.iacr.org/2026/1090.pdf)
### Abstract
While quantum position verification aims to certify a prover's location using quantum information, existing security definitions only guarantee that part of the successful adversarial party is in the claimed location. This leaves open the possibility that a distributed team of adversaries can jointly simulate a prover in a way that defeats the intended meaning of "being at a location" in position-based cryptography.
We introduce stronger notions of position verification that we call quantum localization, which requires that there is a specified, unclonable state at the verified spacetime point, and that this state can be found nowhere else. We show that quantum localization leads naturally to a meaningful notion of trajectory verification, in which quantum information is verifiably tracked through space and time. We construct quantum localization and trajectory verification protocols using quantum anchor states, which generalize coset states from unclonable cryptography. The security of our schemes is proven in the classical oracle (i.e. ideal obfuscation) model, which can be heuristically instantiated in the plain model using post-quantum indistinguishability obfuscation.
We also introduce and instantiate the concept of functionality localization, which guarantees that the adversary has the ability to compute a secret function at the verified spacetime point, and this function cannot be computed anywhere else. This raises the intriguing possibility of localizing computational capabilities in space and time.
More broadly, we believe our notions of quantum localization and our feasibility results provide stronger foundations for position-based cryptography.
## 2026/1091
* Title: Practical Homomorphic LSTM via Programmable Bootstrapping
* Authors: Thomas Crasson, Nathan Cassereau, Florian Méhats
* [Permalink](
https://eprint.iacr.org/2026/1091)
* [Download](
https://eprint.iacr.org/2026/1091.pdf)
### Abstract
While deep learning is ubiquitous, centralized processing exposes sensitive sequential data, such as natural language, to untrusted servers, forcing an unacceptable privacy-utility trade-off. Fully Homomorphic Encryption (FHE) resolves this by computing directly on encrypted data. However, standard neural networks ported to FHE suffer from severe latency bottlenecks, particularly because continuous non-linear activations dominate the computational budget.
To overcome this, we introduce the Blind Spiking LSTM (BSLSTM), a TFHE-optimized recurrent architecture for privacy-preserving sequential inference. By co-designing the network with the cryptographic framework, we replace expensive continuous non-linearities with an efficient multi-threshold programmable bootstrapping paradigm. Evaluated on standard NLP tasks, BSLSTM achieves an inference latency of 5.2 seconds for a 128-token sequence, significantly outperforming traditional homomorphic approaches while maintaining competitive accuracy. Operating at an amortized cost of 211 microseconds per bootstrapping operation, our work demonstrates the practical viability of low-latency, fully homomorphic inference for real-world applications.
## 2026/1092
* Title: The Equivalence of Two Quadratic Based IBEs
* Authors: George Teseleanu
* [Permalink](
https://eprint.iacr.org/2026/1092)
* [Download](
https://eprint.iacr.org/2026/1092.pdf)
### Abstract
In this short note, we show that two identity-based encryption schemes, introduced by Joye and by Zhao et al., which appear different, are essentially the same scheme. The only difference between them is that one prioritizes speed (Zhao et al.), while the other prioritizes bandwidth (Joye). We also show how to speed up Joye's scheme at the cost of adding at most one integer to the public key, thereby achieving a better encryption complexity while having the same bandwidth requirements.
## 2026/1093
* Title: Anonymous yet Verifiable Privacy-preserving Demand Response
* Authors: Rosario Giustolisi, Emad Heydari Beni, Daniele Marletta, Maryam Sheikhi Garjan
* [Permalink](
https://eprint.iacr.org/2026/1093)
* [Download](
https://eprint.iacr.org/2026/1093.pdf)
### Abstract
Demand Response (DR) in energy systems is a flexibility mechanism enabling consumers to modify their electricity demand in response to signals from network operators, designed to ensure power grid reliability.
In particular, incentive-based DR programs, in which consumers provide load reduction in exchange for financial remuneration, have proven more effective than alternative approaches such as price-based programs. However, incentive-based approaches have taken only partial account of privacy considerations, mainly because they require smart meters to disclose user energy baselines and consumption patterns to aggregators in order to determine rewards.
In this paper, we propose a privacy-preserving scheme that supports incentive-based DR programs while ensuring the confidentiality of user data and identities.
We prove that our scheme provides data privacy, participation privacy, and public verifiability, and we present a prototype implementation together with a performance evaluation. Our results show that our construction is practical for real-world DR deployments with considerably large user populations.
## 2026/1094
* Title: Asymmetric Message Franking in the Plain Model: Generic and Efficient Constructions
* Authors: Milan Gonzalez-Thauvin, Keitaro Hashimoto
* [Permalink](
https://eprint.iacr.org/2026/1094)
* [Download](
https://eprint.iacr.org/2026/1094.pdf)
### Abstract
Asymmetric Message Franking (AMF), proposed by Tyagi et al. at Crypto'19, is a sort of signature scheme that aims to provide privacy-preserving content moderation in secure messaging applications. In this work, we present the first generic construction of AMF using a public-key encryption scheme, a signature scheme, and a ZAP proof system for NP languages. This construction yields the first AMF scheme provably secure in the plain model from standard assumptions, and has tight security. To improve the efficiency of AMF in the plain model, we build a concrete scheme from asymmetric pairing groups based on our idea for the generic construction. It achieves a signature size of 47 group elements, which is significantly smaller than an instantiation of the generic construction. Also, we provide a variant of the generic construction that yields a post-quantum secure AMF scheme in the plain model from a polynomially hard LWE assumption, demonstrating its feasibility.
## 2026/1095
* Title: Key Transport over Untrusted QKD Relay Networks
* Authors: Sebastian Clermont, Antoine Gansel, Patrick Struck
* [Permalink](
https://eprint.iacr.org/2026/1095)
* [Download](
https://eprint.iacr.org/2026/1095.pdf)
### Abstract
Quantum key distribution (QKD) enables the exchange of information-theoretically secure symmetric keys, but is fundamentally limited in range. Existing long-distance QKD networks rely on trusted relay nodes, any one of which can compromise the entire key.
We propose a key-transport protocol that removes this trust assumption by combining proactive secret sharing with one-time pad encryption over pairwise QKD links. At each layer of relay nodes, shares are reshared so that corruptions across different layers cannot be combined; security depends only on the maximum number of corruptions within any single layer, not on the total number of corrupted nodes. We formalize a game-based security model for layered secret transport, identify a cross-layer attack that affects a prior construction, and prove our protocol information-theoretically secure against a semi-honest adversary corrupting up to $t{-}1$ nodes per layer.
## 2026/1096
* Title: Toward zkSNARK-assisted Isogeny-based Cryptography
* Authors: Yi-Fu Lai, Luciano Maino
* [Permalink](
https://eprint.iacr.org/2026/1096)
* [Download](
https://eprint.iacr.org/2026/1096.pdf)
### Abstract
Zero-knowledge proofs are a fundamental building block of modern privacy-preserving systems. In isogeny-based cryptography, existing zero-knowledge proof constructions are either limited to chains of small-degree isogenies or are quite inefficient. As a result, many relations used in recent cryptosystems lack support in generic proof systems.
In this work, we take a step toward making zkSNARKs practically usable for a broader set of isogeny relations beyond the classical isogeny path knowledge language. Leveraging optimized Vélu-style formulas, we provide an efficient R1CS encoding for $3^m$- and $4^n$-isogenies, along with their masked evaluations. We also present an R1CS for non-smooth isogenies of special degree $q(2^e - q)$, where $q$ is an odd integer, together with their evaluation. This latter encoding is based on the efficient formulas for $(2,2)$-isogenies in the theta model.
Finally, we demonstrate several concrete applications of our tools. We present a compiler that removes the "one-more" evaluation assumption in the signature based on DeuringVRF. We also discuss how to eliminate the hint-based assumption in SQISign, and explain at the conceptual level how to construct a key-validation mechanism for recent public-key encryption designs such as POKé.
We provide experimental results on the number of constraints under various isogeny NIST-1 primes for reference. In this setting, the proof sizes considered in this work are bounded by 400 KB with the default parameters.
We hope our results will inspire further advances in isogeny-based constructions.
## 2026/1097
* Title: Schnorr-like Signatures in the Non-Observable Random Oracle Model
* Authors: Marian Dietz, Dennis Hofheinz
* [Permalink](
https://eprint.iacr.org/2026/1097)
* [Download](
https://eprint.iacr.org/2026/1097.pdf)
### Abstract
Schnorr's signature scheme and many of its variants are among the most efficient group-based digital signature schemes. Schnorr's scheme has very compact signatures (consisting of only two exponents in its most compact form). However, its security reduction is notoriously non-tight and requires a strong ("programmable") version of the random oracle model. Variants with a tight(er) security proof in a more realistic model exist, but are less compact and efficient.
In this work, we investigate whether these disadvantages are inherent to Schnorr's signature scheme and its variants. In particular, we define a family of "Schnorr-like" signature schemes, which contains group-based signature schemes with verification similar to Schnorr's scheme. To explore the necessity of (heavy) random oracle abstractions for such schemes, we allow only for a very weak ("non-programmable, non-observable") version of a random oracle in the security proof. Our main result is that there is no tight reduction of the security of any such "Schnorr-like" scheme to any group-based assumption that holds generically.
We also show that this result itself is tight, in the sense that non-tightly secure schemes exist. Similarly, already for a slightly generalized definition of "extended Schnorr-like" schemes, tightly secure schemes exist.
Our main result employs a meta-reduction with a new "filtering" technique that may be of independent interest.
## 2026/1098
* Title: A gentle introduction to lattice-based cryptography
* Authors: Alfred Menezes
* [Permalink](https://eprint.iacr.org/2026/1098)
* [Download](https://eprint.iacr.org/2026/1098.pdf)
### Abstract
We present the quantum-safe Kyber key encapsulation mechanism (ML-KEM) and the Dilithium signature scheme (ML-DSA). We also develop the mathematical background on lattices needed to understand why Kyber and Dilithium are regarded as lattice-based cryptosystems, and we provide insight into the computational hardness of the underlying lattice problems. The exposition is intended to be accessible to senior undergraduate students and beginning graduate students.
## 2026/1099
* Title: Lynx: Symmetric Primitive for Shorter and Faster VOLE-in-the-Head Signatures
* Authors: Lin Jiao, Hongsen Yang, Hongrui Cui, Yituo He, Yonglin Hao, Xiaojie Guo, Qunxiong Zheng, Jiang Zhang, Yu Yu, Kang Yang
* [Permalink](https://eprint.iacr.org/2026/1099)
* [Download](https://eprint.iacr.org/2026/1099.pdf)
### Abstract
VOLE-in-the-Head (VOLEitH) is one of the most promising frameworks to design post-quantum digital signatures based on symmetric primitives. However, all existing symmetric primitives do not capture the specialized characteristics of the VOLEitH framework and are not VOLEitH-friendly, leaving room for improving the efficiency of VOLEitH-based signatures. In this paper, we propose a VOLEitH-friendly symmetric primitive called Lynx, which is optimal in terms of the number of required VOLE correlations that directly determines the efficiency of VOLEitH-based signature schemes. In particular, Lynx adopts a multi-branch structure featuring a new truncation function: (a) nonlinear components are customized to minimize the witness length and polynomial degree, as well as the number of finite-field multiplications; (b) linear layers are strategically interleaved to strengthen security. The security of Lynx is rigorously validated by covering all possible attacks in the presence of both classical and quantum adversaries. Built upon Lynx, we design a post-quantum signature scheme, Lynxer, in the VOLEitH framework, which is shorter and faster than all known post-quantum signature schemes from symmetric primitives. According to our experimental results, compared to the state-of-the-art symmetric-based signature schemes in the same setting, i.e., Rainier (CCS'22), AIMer (CCS'23) and FAESTv2 (Crypto'25), our signature scheme Lynxer reduces the "public-key size + signature size" by 25% to 51%, and improves the signing (resp., verification) time up to 90.6% (resp., 89.3%).
## 2026/1100
* Title: Adaptively Secure (Aggregatable) PVSS from Standard Assumptions
* Authors: Renas Bacho, Yanbo Chen, Julian Loss
* [Permalink](https://eprint.iacr.org/2026/1100)
* [Download](https://eprint.iacr.org/2026/1100.pdf)
### Abstract
Publicly verifiable secret sharing (PVSS) is a fundamental primitive in threshold cryptography that allows a dealer to share a secret $S$ among a set of $n$ parties via a publicly verifiable transcript. Any subset of $t+1$ parties can then use their individual shares to reconstruct the full secret $S$, whereas $t$ or fewer shares give no information about $S$. As such, the secret $S$ remains hidden from an adversary that corrupts up to $t$ parties. Recently, Bacho and Loss (CCS 2023) gave the first proof of any PVSS scheme under an adaptive adversary. However, their security proof relies on strong and non-standard assumptions such as the algebraic group model (AGM) and the hardness of the one-more discrete logarithm (OMDL) problem. In particular, any protocol (e.g., distributed randomness beacon or distributed key generation) that makes use of a PVSS scheme either inherits these limitations or is not provably adaptively secure.
In this work, we present for the first time an adaptively secure PVSS scheme from well-established assumptions. In more detail, we provide two PVSS schemes with different properties. Our first scheme works over any pairing-free cyclic group and its security relies on the decisional Diffie-Hellman (DDH) assumption. Our second scheme works over an asymmetric pairing group, its security relies on the DDH and the co-computational Diffie-Hellman (co-CDH) assumption, and it has the particularly valuable feature of aggregatability, which allows the aggregation of multiple PVSS transcripts into a single transcript while preserving verifiability. Notably, both our schemes are highly efficient, non-interactive, and work in the established plain public key model. These properties, along with their provable adaptive security, make them suitable candidates as building blocks in higher-level distributed protocols that aim to minimize communication.
## 2026/1101
* Title: Tail-Hammer: Optimized Statistics for Anonymous Committees and Applications
* Authors: Bernardo David, Lucia Lavagnino, Elena Pagnin, Paul Stankovski Wagner
* [Permalink](https://eprint.iacr.org/2026/1101)
* [Download](https://eprint.iacr.org/2026/1101.pdf)
### Abstract
Techniques to randomly select sets of anonymous parties are ubiquitous in efficient and adaptively secure consensus protocols, as well as in Multi-Party Computation in the YOSO model, where each round is executed by a different random anonymous committee. Anonymous committee selection aims at randomly selecting a set of $n$ parties (the committee), where at most $t$ parties are corrupted (except with negligible probability), drawing from a population of $N \gg n$ parties with at most $T$ corrupted parties. Additionally, each party knows (and can prove) if they belong to the committee, but ignores other members' identities.
A very common and efficient instantiation of anonymous committee selection is to select parties according to a VRF output; this, however, leads to committees of probabilistic size ($n$ behaves as a Binomial random variable). Despite wide adoption, only Blum et al. (CCS23) provides an analysis of VRF-based probabilistic anonymous committee selection that estimates the size of committees. This analysis relies on loose bounds (Chernoff) and approximations (Poisson).
In this work, we revisit Blum et al.'s estimates and derive accurate closed-form formulas (based on a tight Binomial approximation), as well as an efficient high-precision library called Tail-Hammer for computing exact parameters. Notably, Tail-Hammer identifies smaller committee sizes (approximately -25% on average) than Blum et al. (CCS23) for the same security level, leading to improved efficiency in protocols relying on random committee selection, also when anonymity is not needed. Our analysis applies to committee selection techniques that employ unbiased (uniformly random), or bounded-bias randomness, to both synchronous and asynchronous communication settings, and it can account for inactive parties.
As a new application, we present a verifiable consistent broadcast protocol that leverages quorums in anonymous committees to achieve efficiency without requiring threshold signatures.
## 2026/1102
* Title: Finite-Field Arithmetic in CKKS
* Authors: Tim Seuré, Elias Suvanto
* [Permalink](https://eprint.iacr.org/2026/1102)
* [Download](https://eprint.iacr.org/2026/1102.pdf)
### Abstract
We propose a CKKS-based technique for evaluating arithmetic over finite fields F_{p^r} with small characteristic p under homomorphic encryption. The core of our approach is a pair of complementary ciphertext representations. In the so-called spectral encoding, ciphertext addition and multiplication realize addition and multiplication in the field F_{p^r}. In another encoding, coefficient encoding, the same operations act as slotwise addition and multiplication in the slot algebra (F_p)^r. We show that one can switch homomorphically between these encodings at cost linear in r, and that F_p-linear maps, such as taking p-th powers in F_{p^r}, can be folded into these switches or applied directly in either representation. We complement the construction with theoretical and practical correctness-management techniques. To support unbounded computations, we integrate our framework with existing CKKS bootstrapping techniques and benchmark it against BGV-based implementations of F_{p^r}-arithmetic, a natural baseline for high-throughput finite-field computation. Across the fields we tested, this yields speedups ranging from 1.7x to 178x in amortized multiplication time when bootstrapping is taken into account. The gains are parameter-dependent: roughly speaking, our advantage over BGV increases as the characteristic p becomes smaller and the extension degree r becomes larger.
## 2026/1103
* Title: Jevil: A Catastrophic-Failure-by-Design Signature Scheme
* Authors: Nadim Kobeissi
* [Permalink](https://eprint.iacr.org/2026/1103)
* [Download](https://eprint.iacr.org/2026/1103.pdf)
### Abstract
Few-time signatures cap how many signatures a signer can safely issue. Jevil is, to our knowledge, the first post-quantum and transparent (setup-free) few-time signature scheme with a sharp key-recovery cliff: its cap is enforced by a single sharp threshold rather than a slow slope. Signatures one through $n^{\star}$ are existentially unforgeable at approximately $124$-bit classical security; at the $(n^{\star}+1)$-th the entire secret polynomial becomes publicly recoverable, achieving catastrophic failure as a key design requirement. The cap is founded on a secret polynomial together with the degree-binding of a polynomial commitment, and is intrinsic to any accepted public key: even a malicious signer who chooses $\mathsf{pk}$ adversarially cannot construct one that lets them keep signing past the cliff without the same polynomial becoming publicly recoverable. All prior post-quantum few-time schemes (HORS, FORS, PORS, HORSIC$^{+}$, eBiBa, Syrga$_2$) degrade softly as $(nK/T)^K$; cliff-style behaviour was previously confined either to one-time-only Schnorr/ECDSA nonce reuse (not post-quantum, not designed) or to polynomial-witness constructions that depend on KZG/IPA commitments (not post-quantum, not transparent).
Concretely, Jevil provides $\sim 68$-byte public keys, $32$-byte secret keys, and $40$-$500$KB signatures across signing budgets $n^{\star} \in \{1, 3, 7, 15, \ldots, 2^{14} - 1\}$, the limit imposed by the $2$-adicity of the working field. All primitives are believed to be post-quantum.
## 2026/1104
* Title: The ABC of Symmetric Primitives over Integer Rings: Milk Before Meat
* Authors: Tim Beyne, Lorenzo Grassi, Morten Øygarden, Berenika Richterová, Arne Sandrib
* [Permalink](https://eprint.iacr.org/2026/1104)
* [Download](https://eprint.iacr.org/2026/1104.pdf)
### Abstract
Designing a secure symmetric-key cipher over a vector space over a field $\mathbb F_{p^n}^t$ is well known and understood by the cryptographic community. Even if the attacks are continuously improving, our current understanding regarding the design and security of the majority of the symmetric-key primitives has not fundamentally changed in the last 20 years.
How does this picture change when we move to an integer ring $\mathbb Z_{p^n}^t$? Although the question is easy to state, it turns out to be far harder to answer. Indeed, there is a significant difference between the arithmetics of $\mathbb F_{p^n}^t$ and $\mathbb Z_{p^n}^t$ and attack vectors do not apply/translate directly between the two. As a case in point, a few ciphers have already been designed over integer rings, yet their initial versions have already been broken.
In this paper, we lay the foundations for a more rigorous approach to designing ciphers over integer rings, noting that this is not only of theoretical interest, but also has concrete applications. We analyze how existing statistical and algebraic attacks will behave for these ciphers and also present new attacks that take into account that not all functions over integer rings admit a polynomial representation. Based on this, we discuss possible design strategies, in which we analyze the security effect of having/not having polynomial S-boxes. In particular, we introduce new properties for the non-polynomial S-boxes that measure their resistance against the attacks presented in this paper. Finally, we discuss how to design such non-polynomial S-boxes, presenting two concrete constructions, and one based on the "digit manipulation".
## 2026/1105
* Title: Dishonest Majority Multi-Party Arithmetic Garbling with Constant Rate
* Authors: Tianyao Gu, Hanjun Li, Elaine Shi
* [Permalink](https://eprint.iacr.org/2026/1105)
* [Download](https://eprint.iacr.org/2026/1105.pdf)
### Abstract
Minimizing round complexity is a central goal in secure Multi-Party Computation (MPC), particularly for deployment on high-latency networks. While constant-round protocols with concrete efficiency have been constructed, they are typically designed for Boolean circuits and each gate incurs a bandwidth cost linear in the security parameter. Moreover, for arithmetic-heavy applications such as privacy-preserving machine learning and statistical analysis, compiling arithmetic operations into Boolean gates incurs another substantial overhead in circuit size and communication. Conversely, existing arithmetic MPC protocols, such as SPDZ, require interaction rounds proportional to the circuit depth, imposing significant latency.
In this work, we bridge this gap by presenting the first concretely-efficient maliciously-secure MPC protocol that achieves both constant-round and constant-rate communication, where the rate is defined as the bandwidth cost per party divided by the number of gates and the size of the values each gate operates on. Our protocol computes over bounded integers and is secure against a static, malicious adversary corrupting up to $n-1$ parties. The protocol is built upon the arithmetic garbling framework of Ball et al. (Eurocrypt 2023) and follows the BMR template, assuming the Decisional Composite Residuosity for the garbling phase and Learning Parity with Noise for preprocessing.
We evaluate our protocol on matrix-vector multiplication, a fundamental operation for data analysis. For standard computation parameters, we reduce communication bandwidth by $101\times$ to $247\times$ and improve end-to-end runtime by $4.4\times$ to $10.7\times$ compared to state-of-the-art constant-round Boolean MPC baselines, even when accounting for the overhead of a full bit-decomposition on the output vector.