From Newsgroup: sci.crypt
## In this issue
1. [2025/998] On the UC-(In)Security of PAKE Protocols Without ...
2. [2025/1309] SoK: Deep Learning-based Physical Side-channel Analysis
3. [2026/187] Hardness of hinted ISIS from the space-time ...
4. [2026/241] Algebraic Attack on Convolutional Neural Networks ...
5. [2026/288] Bypassing the Random-Probing Model in Masking ...
6. [2026/311] Security of the Fischlin Transform in Quantum ...
7. [2026/322] Multi-key Fully Homomorphic Encryption with Non- ...
8. [2026/331] Non-Trivial Zero-Knowledge Implies One-Way Functions
9. [2026/333] A Cryptographic Framework for Proof of Personhood
10. [2026/522] X3DH with Deniable Authentication without Trusted ...
11. [2026/652] Counting and recovering the quadratic relations of ...
12. [2026/747] MDSS-STAR: Private Heavy-Hitters through Multi- ...
13. [2026/750] MCU: An Efficient and Scalable Nonlinear Function ...
14. [2026/872] Privacy Coins Under Viewing Key Compromise
15. [2026/1040] Classical and Quantum Full Plaintext Recovery for ...
16. [2026/1111] Identity-Based Revocable and Linkable Ring Signature
17. [2026/1112] DeepProve: Verifiable End-to-End Large Language ...
18. [2026/1113] HRA-Secure Lattice-based Proxy Re-Encryption ...
19. [2026/1114] Counterexamples to the Low-Norm Nullstellensatz ...
20. [2026/1115] The Fact of the MATTER: Efficient Hardware ...
21. [2026/1116] Fast Difficulty Adjustment in Proof-of-Work Consensus
22. [2026/1117] On the Secrecy of the Encapsulation Coin in ML-KEM
23. [2026/1118] AuditPay: Anonymous Payments with Controlled Oversight
24. [2026/1119] Packed Pre-Constructed PVSS for Randomness ...
25. [2026/1120] Pushing Collision Attacks on SHA-2 to 39 Steps
26. [2026/1121] Security Amplification via Robust ...
27. [2026/1122] Pseudo-Oil Subspaces and the Geometry of ...
28. [2026/1123] Cryptographic Collateralized Loan without Smart ...
29. [2026/1124] New Constructions of Functional Adaptor Signatures: ...
30. [2026/1125] Threshold Signatures in the Head
31. [2026/1126] A correlation duet: Correlation attacks on ...
32. [2026/1127] Verifiable Bootstrapping from Lattice-based Folding
33. [2026/1128] Optimized Point Addition Circuits for Elliptic ...
34. [2026/1129] pSquare-hash: A Family of Tweakable Hash Functions ...
35. [2026/1130] Reassessing the Security of LPN-C and its HHE- ...
36. [2026/1131] Public Key Encryption Secure Against Quantum Leakage
37. [2026/1132] Oblivious Garbling and its Applications
38. [2026/1133] SoK: PIOP-based SNARKs for General Computation
39. [2026/1134] SPIDER: Two Server Functionality for the Cost of Zero
40. [2026/1135] Private Information Retrieval: A Tutorial and Survey
41. [2026/1136] Local Constraints Behind Fourier Analysis of Neural ...
## 2025/998
* Title: On the UC-(In)Security of PAKE Protocols Without the Random Oracle Model
* Authors: Naman Kumar, Jiayu Xu
* [Permalink](
https://eprint.iacr.org/2025/998)
* [Download](
https://eprint.iacr.org/2025/998.pdf)
### Abstract
A Password-Authenticated Key Exchange (PAKE) protocol allows two parties to jointly establish a cryptographic key, where the only information shared in advance is a low-entropy password. The first efficient PAKE protocol whose security does not rely on the random oracle model is the one by Katz, Ostrovsky and Yung (KOY, EUROCRYPT 2001). Unfortunately, the KOY protocol has only been proven secure in the game-based setting, and it is unclear whether KOY is secure in the stronger Universal Composability (UC) framework, which is the current security standard for PAKE.
In this work, we present a thorough study of the UC-security of KOY. Our contributions are two-fold:
1. We formally prove that the KOY protocol is not UC-secure;
2. We then show that the UC-security of KOY holds in the Algebraic Group Model, under the Decisional Square Diffie-Hellman (DSDH) assumption.
Overall, we characterize the exact conditions under which KOY is UC-secure. Interestingly, the DSDH assumption is stronger than DDH under which KOY can be proven game-based secure, which reveals some subtle gaps between the two PAKE security notions that have never been studied.
## 2025/1309
* Title: SoK: Deep Learning-based Physical Side-channel Analysis
* Authors: Sengim Karayalcin, Marina Krcek, Stjepan Picek
* [Permalink](
https://eprint.iacr.org/2025/1309)
* [Download](
https://eprint.iacr.org/2025/1309.pdf)
### Abstract
Deep learning-based side-channel analysis (DLSCA) represents a powerful paradigm for running side-channel attacks. DLSCA, in a state-of-the-art setting, can break multiple targets with a single attack trace, requiring minimal feature engineering. As such, DLSCA is an extremely active research area for both industry and academia. At the same time, due to domain activity, it becomes more difficult to understand the current trends and challenges.
In this systematization of knowledge, we provide a critical overview of developments in DLSCA over the past years, enabling us to offer concrete suggestions and taxonomies. Moreover, we examine the reproducibility perspective and show that achieving it in full is difficult and requires a careful experimental setup.
## 2026/187
* Title: Hardness of hinted ISIS from the space-time hardness of lattice problems
* Authors: Martin R. Albrecht, Russell W. F. Lai, Eamonn W. Postlethwaite
* [Permalink](
https://eprint.iacr.org/2026/187)
* [Download](
https://eprint.iacr.org/2026/187.pdf)
### Abstract
We initiate the study of basing the hardness of hinted ISIS problems (i.e.-awith trapdoor information, or rCyhintsrCO) on the previously conjectured space-time hardness of lattice problems without hints. We present two main results.
1. If there exists an efficient algorithm for hinted ISIS that outputs solutions a constant factor longer than the hints, then there exists a single-exponential time and polynomial memory zero-centred spherical Gaussian sampler solving hinted SIS with norm a constant factor shorter than the hints.
2. Assume the existence of a chain of algorithms for hinted ISIS each taking as input Gaussian hints whose norms decrease by a constant factor at each step in the chain, then there exists a single-exponential time and polynomial memory algorithm for SIS with norm a quasilinear factor from optimal.
The existence of such hinted ISIS solvers implies single-exponential time and polynomial memory algorithms for worst-case lattice problems, contradicting a conjecture by Lombardi and Vaikuntanathan (CRYPTOrCO20) and all known algorithms. This suggests that hinted ISIS is hard.
Apart from advancing our understanding of hinted lattice problems, an immediate consequence is that signing the same message twice in GPV-style [GentryrCoPeikertrCoVaikuntanathan, STOCrCO08] schemes (without salting or derandomisation) likely does not compromise unforgeability. Also, cryptanalytic attempts on the One-More-ISIS problem [AgrawalrCoKirshanovarCoStehl|--Yadav, CCSrCO22] likely will need to overcome the conjectured space-time hardness of lattices.
## 2026/241
* Title: Algebraic Attack on Convolutional Neural Networks with Max Pooling
* Authors: Zirui Chen, Shi Tang, Zhengchao Gao, Yongjia Su, Lingyue Qin, Xiaoyang Dong
* [Permalink](
https://eprint.iacr.org/2026/241)
* [Download](
https://eprint.iacr.org/2026/241.pdf)
### Abstract
Recovering the weights and biases of deep neural networks (DNNs) via black-box input-output queries --- known as parameter extraction attacks --- has been extensively studied for ReLU-based fully connected neural networks (FCNNs), but remains unexplored for convolutional neural networks (CNNs) with the max pooling function, a core architecture for computer vision and multimedia processing. The key challenge lies in the CNNrCOs max pooling layer, which introduces an additional non-linearity and hides ReLU critical points, rendering existing FCNN extraction methods inapplicable. To address this gap, we propose the first cryptanalytic extraction attack tailored for CNNs with the max pooling function.
First, we establish an algebraic representation of CNNs, formally proving that CNNs are piecewise linear functions --- enabling the extension of linearity-based extraction principles. We then identify two novel types of critical points in CNNs: (1) ReLU-Pooling Critical Points (RPCPs), where a ReLU neuron is at its zero-input critical point and its output is selected by max pooling; and (2) Pooling Switching Points (PSPs), where two neurons within a local receptive field yield identical maximum outputs, triggering a switch in the pooling selection.
Leveraging these critical points, we design complementary extraction techniques: a pattern matching method for RPCPs to recover partial signatures and signs (exploiting the property that unselected pooling neurons have negative outputs), and an internal differential extraction attack for PSPs --- inspired by cryptographic internal differential analysis --- to recover high-accuracy signatures. Given that PSPs are far more abundant than RPCPs and yield a highly efficient extraction method (verified by experiments), and that RPCPs are indispensable for bias recovery, we integrate both methods: the PSP method enables efficient signature extraction, while a single RPCP recovers the sign and bias. We evaluate our attack on multiple CNN architectures, including modern adaptations of LeNet-5, trained on random data, MNIST, and CIFAR-10. Experimental results demonstrate that our approach achieves high extraction accuracy with polynomial query complexity and runtime, even for deep CNN layers. This work fills a research gap in CNN security.
## 2026/288
* Title: Bypassing the Random-Probing Model in Masking Security Proofs
* Authors: Julien B|-guinot, Gianluca Brian, Lo|>c Masure
* [Permalink](
https://eprint.iacr.org/2026/288)
* [Download](
https://eprint.iacr.org/2026/288.pdf)
### Abstract
Masking, i.e., computing over secret-shared data, is one of the main counter-measures against side-channel analysis, provably secure in the standard noisy-leakage model. However, all the state-of-the-art security proofs rely on a reduction to a more abstract model called random probing (EurocryptrCO14). As a result, the noise requirements of such proofs must scale with the field size of the circuit which, beyond not reflecting real-world physics of target devices, is often prohibitive, especially in the post-quantum era. That is why it is critical to find alternative strategies to the reduction to the random-probing model. In this paper, we establish for the first time a masking security proof bypassing this reduction, answering positively to the above question. Contrary to the common belief that directly working in the noisy-leakage model is not convenient, we show how to reach this goal by leveraging an extension of the Xor lemma. We also show how to leverage the IOS framework (CHESrCO21) in order to derive composable security directly in the noisy-leakage model. As a result, our bound relies on relaxed noise requirements characterized in a weaker metric than the so far state of the art (CryptorCO24, rCO19). Moreover, our new proof strategy allows us to derive a security bound for circuits masked with the first-order ISW compiler, for which the optimal noise requirement scales as \(\Theta\left(\left|\mathbb{F}\right|^{1/2}\right)\), whereas proofs using the random-probing model work in a regime of \(\mathcal{O}\left(\left|\mathbb{F}\right|\right)\). The latter contribution illustrates how some current design choices for masked implementations could be concretely affected: we exhibit two exemplary masked implementations such that the former one is more secure in the (more abstract) random-probing model, whereas the latter one is more secure in the (more realistic) noisy-leakage model.
## 2026/311
* Title: Security of the Fischlin Transform in Quantum Random Oracle Model
* Authors: Christian Majenz, Jaya Sharma
* [Permalink](
https://eprint.iacr.org/2026/311)
* [Download](
https://eprint.iacr.org/2026/311.pdf)
### Abstract
The Fischlin transform yields non-interactive zero-knowledge proofs with straight-line extractability in the classical random oracle model. This is done by forcing a prover to generate multiple accepting transcripts through a proof-of-work mechanism. Whether the Fischlin transform is straight-line extractable against quantum adversaries has remained open due to the difficulty of reasoning about the likelihood of query transcripts in the quantum-accessible random oracle model (QROM), even when using the compressed oracle methodology. In this work, we prove that the Fischlin transform remains straight-line extractable in the QROM, via an extractor based on the compressed oracle. This establishes the post-quantum security of the Fischlin transform, providing a post-quantum straight-line extractable NIZK alternative to PassrCO transform with smaller proof size. Our techniques include tail bounds for sums of independent random variables and for martingales as well as symmetrization, query amplitude and quantum union bound arguments.
## 2026/322
* Title: Multi-key Fully Homomorphic Encryption with Non-Interactive Setup in the Plain Model
* Authors: Seonhong Min, Jeongeun Park, Yongsoo Song
* [Permalink](
https://eprint.iacr.org/2026/322)
* [Download](
https://eprint.iacr.org/2026/322.pdf)
### Abstract
Multi-key fully homomorphic encryption (MKFHE) enables computation over encrypted data under multiple different keys. Constructing MKFHE without any trusted or interactive setup remains an open problem. In the context of MKFHE, a trusted setup is often assumed to mean the use of a common random string (CRS).
In this paper, we present the first MKFHE scheme in the plain model (i.e., without any trusted or interactive setup) based on the RLWE assumption. Specifically, we construct a multi-key somewhat homomorphic encryption based on the RLWE assumption and extend it to a multi-key variant of the Gentry-Sahai-Waters (GSW) scheme with a circular security assumption.
Our design yields a 2-round multi-party computation (MPC) in the plain model against semi-malicious adversaries. Moreover, it can be applied to transform existing FHE schemes that rely on RGSW in their construction into a multi-key variant. We also provide concrete conversions for widely-used FHE schemes, including BGV, BFV, CKKS, FHEW, TFHE, and Carousel.
Finally, we implement our scheme and present experimental results for the expansion algorithm from a single-key ciphertext to a multi-key ciphertext and the multi-key homomorphic multiplication algorithm.
## 2026/331
* Title: Non-Trivial Zero-Knowledge Implies One-Way Functions
* Authors: Suvradip Chakraborty, James Hulett, Dakshita Khurana, Kabir Tomer
* [Permalink](
https://eprint.iacr.org/2026/331)
* [Download](
https://eprint.iacr.org/2026/331.pdf)
### Abstract
A recent breakthrough [Hirahara and Nanashima, STOCrCO2024] established that if $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$, the existence of zero-knowledge (ZK) with negligible errors for $\mathsf{NP}$ implies the existence of one-way functions (OWFs). This work obtains a characterization of one-way functions from the worst-case complexity of zero-knowledge in the high-error regime.
Assuming $\mathsf{NP} \not \subseteq \mathsf{ioP/poly}$, we show that any non-trivial, constant-round public-coin ZK argument for NP implies the existence of OWFs, and therefore also (standard) four-message zero-knowledge arguments for $\mathsf{NP}$. Here, we call a ZK argument non-trivial if the sum of its completeness, soundness and zero-knowledge errors is bounded away from 1.
As a special case, we also prove that non-trivial non-interactive ZK (NIZK) arguments for $\mathsf{NP}$ imply the existence of OWFs. Using known amplification techniques, this also provides an unconditional transformation from weak to standard NIZK proofs for all meaningful error parameters. Prior work [Chakraborty, Hulett and Khurana, CRYPTOrCO2025] was limited to NIZKs with constant zero-knowledge error $\varepsilon_{\mathsf{zk}}$ and soundness error $\varepsilon_{\mathsf{s}}$ satisfying $\varepsilon_{\mathsf{zk}} + \sqrt{\varepsilon_{\mathsf{s}}} < 1$.
## 2026/333
* Title: A Cryptographic Framework for Proof of Personhood
* Authors: Arka Rai Choudhuri, Sanjam Garg, Keewoo Lee, Hart Montgomery, Guru Vamsi Policharla, Rohit Sinha
* [Permalink](
https://eprint.iacr.org/2026/333)
* [Download](
https://eprint.iacr.org/2026/333.pdf)
### Abstract
We initiate study on how to build a rigorous, cryptographic foundation for *proofs of personhood* - convincing, privacy-preserving evidence that a digital participant is a real, unique, and reputable human, optionally with authenticated attributes such as age or institutional affiliation. Towards this goal, we introduce a framework based on two types of credentials: *personhood credentials* (PHCs), issued by trusted authorities to attest to uniqueness and basic attributes, and *verifiable relationship credentials* (VRCs), issued peer-to-peer to capture reputation and real-world interactions.
We formalize ideal functionalities that capture desirable security and privacy notions for proofs of personhood, including Sybil-resistance, authenticated personhood, and unlinkability across contexts. Finally, we then give efficient cryptographic constructions that realize these functionalities by combining PHCs, VRCs, and zero-knowledge proofs. Our results suggest that a scalable, Sybil-resistant, and decentralized proof-of-personhood layer can serve as a reusable trust substrate for a wide range of online economic, social, and civic applications.
## 2026/522
* Title: X3DH with Deniable Authentication without Trusted Third Parties
* Authors: Stanislaw Jarecki, Phillip Nazarian, Apurva Rai
* [Permalink](
https://eprint.iacr.org/2026/522)
* [Download](
https://eprint.iacr.org/2026/522.pdf)
### Abstract
Message Authentication in the Short Authenticated String model (SAS-MA) allows Alice and Bob to establish a secure channel without trust in any third party, as long as they can exchange short authenticated strings, e.g. 20 bits. In a recent paper, Gu et al. [17] showed a SAS-MA scheme based on Verifiable Random Functions (VRF), which can utilize the ephemeral keys sent in the X3DH Authenticated Key Exchange (AKE), allowing for extending X3DH to SAS-MA with minimal round complexity and no changes to X3DH key distribution. X3DH is used in many messaging apps, including WhatsApp and Signal, and a SAS-MA extension of X3DH would allow app users to authenticate their connections without trust in PKI or the apprCOs Key Distribution Center (KDC), as long as they can exchange short authenticated strings (SAS), using out of band authenticated channels.
However, a major motivation behind using X3DH as an AKE is its deniability property, i.e. that an X3DH transcript cannot serve as a proof that either Alice or Bob established a secure connection with each other. The VRF-based SAS-MA extension of X3DH of [17] violates deniability, essentially because a VRF is a signature. We show an alternative SAS-MA scheme which offers the same ease of integration with X3DH as the VRF-based SAS-MA of [17], but it (almost) maintains the deniability of X3DH. The proposal is based on a private VRF (PVRF), which allows only rCydesignated-verifierrCO verification of correctness. We show a low-cost PVRF variant of ECVRF, and we show that X3DH extended by our PVRF-based SAS-MA adds human-centric no-trust-in-KDC authentication to X3DH while preserving the deniability properties of X3DH.
## 2026/652
* Title: Counting and recovering the quadratic relations of a vectorial function
* Authors: Irene Villa
* [Permalink](
https://eprint.iacr.org/2026/652)
* [Download](
https://eprint.iacr.org/2026/652.pdf)
### Abstract
A recent paper by Calderini et al. investigates the use of a CCZ transformation to mask the quadratic central map in a multivariate scheme, providing an instance leading to a system of degree four. A following paper by Caminata et al. presents two methods to reduce the masked system back to a quadratic system. In this work we further study the method based on the quadratic relations between input and output of the masked function, generalizing it and applying to any CCZ transformation (of any quadratic map). Moreover, we study how the existence of these quadratic relations can be used to study whether a function can be CCZ equivalent to a quadratic map and, more generally, to study whether two functions can be CCZ equivalent. In fact, this analysis gives us necessary conditions that can be checked also in relatively large dimensions. Particularly, we completely analyse the cases of vectorial Boolean functions with 1 and 2 output bits.
## 2026/747
* Title: MDSS-STAR: Private Heavy-Hitters through Multi-Dealer Secret Sharing
* Authors: Harry Eldridge, Aditya Hegde, Brennon Brimhall, Gabrielle Beck, Matthew Green
* [Permalink](
https://eprint.iacr.org/2026/747)
* [Download](
https://eprint.iacr.org/2026/747.pdf)
### Abstract
We propose a new private telemetry system for computing t-heavy hitters in the STAR (Davidson et al., CCS 2022) and POPSTAR (Li et al., USENIX 2024) model. In this setting, each client generates a report with the assistance of a lightweight Randomness Server and submits it to a central Aggregation Server, which can then locally compute only the heavy hitters. As compared to STAR and POPSTAR---which reveal either the full (pseudonymized) frequency histogram or a complex function of it---our protocol reduces leakage: the Aggregation Server learns non-heavy-hitter values only if their frequency exceeds a well-defined threshold. Additionally, while STAR and POPSTAR are insecure in the face of an Aggregation Server that colludes with clients, our protocol provides optimal security against such a colluding server. To achieve these privacy guarantees, our protocol efficiently adapts multi-dealer secret sharing (Eldridge et al., USENIX 2024) to the STAR/POPSTAR model and introduces a novel oblivious secret-share sampling protocol to ensure security against a colluding Aggregation Server. We implement and benchmark the performance of our protocol and find that it is practical for a number of use cases. Moreover, we show that it supports a tunable three-way tradeoff between correctness, efficiency and privacy.
## 2026/750
* Title: MCU: An Efficient and Scalable Nonlinear Function Evaluation in MPC without Preprocessing
* Authors: Min Yang, Jinxuan Du, Zihang Zhou, Dongcan Guo, Qingshu Meng
* [Permalink](
https://eprint.iacr.org/2026/750)
* [Download](
https://eprint.iacr.org/2026/750.pdf)
### Abstract
The rapid proliferation of artificial intelligence (AI) applicationsrCofrom large language models to deep neural networksrCohas led to an unprecedented demand for massive training data. This, in turn, has intensified privacy concerns, as sensitive information may be exposed during collaborative model training and inference. Privacy-preserving computing, particularly secure multi-party computation (MPC), offers a rigorous technical solution. Since YaorCOs garbled circuits, nearly four decades of research have brought significant progress, yet MPC still faces fundamental challenges in efficiency and scalability. A handful of efficient and scalable MPC systems exist, but they almost invariably require heavy offline preprocessingrCoa burden that becomes prohibitive for modern TransformerrCabased architectures with hundreds of billions of parameters. Conversely, the few approaches that eliminate preprocessing cover only a limited set of nonlinear functions, leaving a critical gap for realrCaworld machine learning.
In this paper, we propose MCU (MaskrCaComputerCaUnmask), a novel MPC architecture that directly supports a broad spectrum of nonlinear functions without any offline preprocessing. MCU introduces a semirCahonest, nonrCacolluding helper party (HP) that acts as an active computational engine: parties additively mask their inputs, the HP computes the exact target function on the aggregated masked data, and the parties then unmask using locally known masks. This simple yet powerful paradigm enables a suite of constantrCaround, scalable protocols, including general multiplication (2 rounds), power functions (2 rounds), exponentials and trigonometric functions (4 rounds), and sigmoid and softmax (6 rounds). All protocols achieve simulationrCabased security and rely solely on additive masks and synchronized pseudorandom generatorsrCono preprocessing, no polynomial approximations, and no accuracy loss. MCU effectively overcomes longrCastanding efficiency and scalability barriers in privacyrCapreserving machine learning, offering a practical solution for deploying large models such as Transformers in privacyrCasensitive environments.
## 2026/872
* Title: Privacy Coins Under Viewing Key Compromise
* Authors: Adrian Cinal
* [Permalink](
https://eprint.iacr.org/2026/872)
* [Download](
https://eprint.iacr.org/2026/872.pdf)
### Abstract
Anonymity guarantees of privacy-oriented cryptocurrencies are garnering negative attention from lawmakers who view them as antinomic to accountability. Having recognized their potential for innovation, however, regulators may not want to outright ban privacy coins but instead seek a middle ground where financial oversight is effective, and still a modicum of privacy is maintained. Mature designs, such as Zcash, Monero, or Firo, facilitate this through so-called viewing keys that can be disclosed to third parties for the purpose of supervision. This paper initiates the study of the issues of security, privacy, and fungibility that privacy coins face in the non-custodial setting with the legal obligation on users to surrender their viewing keys to the authorities. In doing so, it fills the gap in provable anonymity guarantees for Zcash and, at the same time, exposes non-trivial gaps for Monero and Firo. Of independent interest is that the naturally defined notion of spend indistinguishability is shown to imply practical anamorphic spending as introduced by Cinal et al. (ESORICS'25), and a novel perspective is presented, framing UTXO-based privacy coins under viewing key compromise as transparent account-based cryptocurrencies instead.
## 2026/1040
* Title: Classical and Quantum Full Plaintext Recovery for Low-Round Feistel-Type Designs
* Authors: Tingting Guo, Peng Wang, Jiwu Jing, Shuping Mao, Gang Liu
* [Permalink](
https://eprint.iacr.org/2026/1040)
* [Download](
https://eprint.iacr.org/2026/1040.pdf)
### Abstract
The Feistel (Luby-Rackoff) structure underlies numerous block-cipher and mode-of-operation designs, whose security is traditionally assessed via indistinguishability. For low-round Feistel constructions, a variety of classical and quantum distinguishing attacks are known. In this work, we show that such distinguishing attacks can be systematically upgraded to full plaintext recovery with essentially the same query complexity. We establish classical recovery attacks on the $2$-round Feistel under CPA and the $3$-round Feistel under CCA using only three queries, and introduce quantum-assisted forward/backward extension techniques based on SimonrCOs algorithm that yield recovery attacks on the $3$-round Feistel under qCPA and the $4$-round Feistel under qCCA. We further prove that the attacks extend to the Unified Feistel-Lai-Massey (UFLM) framework and therefore apply to a broad class of two-branch constructions. As a consequence, we obtain plaintext-recovery attacks on $4/5/6$-round Feistel-FK and on several practical enciphering schemes, including AEZ-core, FMix, OleF, double-decker, and docked-double-decker. Overall, our results reveal a fundamental connection between distinguishing and full plaintext recovery in low-round two-branch Feistel-type designs,
in both classical and quantum settings.
## 2026/1111
* Title: Identity-Based Revocable and Linkable Ring Signature
* Authors: Muyuan Wang
* [Permalink](
https://eprint.iacr.org/2026/1111)
* [Download](
https://eprint.iacr.org/2026/1111.pdf)
### Abstract
Revocable and linkable ring signatures ($\mathsf{RLRS}$) provide a practical mechanism for controllable anonymity, enabling a revocation authority (RA) to mandatorily revoke the anonymity of the real signer. However, existing constructions often rely on the assumption of a fully trusted RA, where the correctness of the revocation is not publicly verifiable rendering honest users vulnerable to undetected framing by a compromised RA. Furthermore, the concrete deployment of these schemes is hindered by the certificate management burden of PKI and computation or communication overheads that scale linearly with the ring size, limiting their real-world applicability.
In this paper, we formalize the notion of Identity-Based Revocable and Linkable Ring Signatures ($\mathsf{IB\text{-}RLRS}$), inherently eliminating cumbersome PKI management. Our primary contribution is the enhancement of \textit{revocability} alongside a newly adapted property termed \textit{revocation soundness}, guaranteeing that the real signer's identity can always be extracted, and that a malicious RA cannot frame honest users who did not participate in the signature generation. We present an efficient instantiation of $\mathsf{IB\text{-}RLRS}$ scheme, and prove its security in the random oracle model. Specifically, a novel ring signature construction is proposed, which features a transparent setup and achieves a logarithmic signature size, demonstrating its feasibility for large-scale, privacy-preserving applications.
## 2026/1112
* Title: DeepProve: Verifiable End-to-End Large Language Model Inference
* Authors: Nicolas Gailly, Ismael Hishon-Rezaizadeh, Tianyi Liu, Nicholas Mainardi, Dimitrios Papadopoulos, Charalampos Papamanthou, Christodoulos Pappas, Shravan Srinivasan, Zack Youell, Yupeng Zhang
* [Permalink](
https://eprint.iacr.org/2026/1112)
* [Download](
https://eprint.iacr.org/2026/1112.pdf)
### Abstract
Large Language Models (LLMs) are frontier deep learning systems that have achieved remarkable success across a wide range of AI services. However, their substantial computational and memory requirements make them difficult to deploy and run on local hardware. Due to these resource requirements, users often rely on untrusted cloud infrastructure providers to perform model inference. However, outsourcing introduces the challenge of verifying that the returned output is the genuine result of the specified model. In this work, we present DeepProve, the first system to enable efficient end-to-end verification of full LLM inference (i.e., for all generated tokens of a prompt) on untrusted cloud servers using zero-knowledge proofs (ZKPs). In contrast, prior work either provides only a proof-of-concept partial implementation for a single token (zkGPT, USENIX'25), or focuses exclusively on specific components of the inference pipeline, such as Softmax (zkLLM, CCS'24).
DeepProve achieves end-to-end verification by certifying the correctness of the output sequence rather than encoding the expensive inference computation in-circuit, an approach that would require either circuit size quadratic in the sequence length or costly in-circuit modelling of RAM operations. The core building blocks of DeepProve are sum-check protocol and lookup arguments, which enable efficient proof of correctness of all operators needed for GPT-2 and Gemma 3, such as multi-head attention and layer normalization for GPT-2, and grouped-query attention, root mean square normalization, and rotary positional embeddings for Gemma 3. Our evaluation shows that DeepProve can prove inference of GPT-2 and Gemma 3 at approximately 174 and 86 tokens per minute, respectively, which is 20-60 faster than the state of the art, without any significant loss in accuracy. Verification takes only 1 to 3.7 seconds. By distributing proof computation across multiple nodes, DeepProve can further improve the prover time while reducing the memory requirements for individual machines. With distributed proving, DeepProve can scale the throughput to 1855 tokens per minute. Our work represents the first full system for end-to-end LLM inference verification, thus paving the way for secure and trustworthy AI services.
## 2026/1113
* Title: HRA-Secure Lattice-based Proxy Re-Encryption without Noise Flooding
* Authors: Haotian Yin, Jie Zhang, Yuji Dong, Dominik Wojtczak, Eng Gee Lim
* [Permalink](
https://eprint.iacr.org/2026/1113)
* [Download](
https://eprint.iacr.org/2026/1113.pdf)
### Abstract
Proxy re-encryption (PRE) enables a semi-trusted proxy to transform a ciphertext under one key into a ciphertext decryptable under another key without learning the underlying plaintext. Existing lattice-based PRE schemes that achieve security against honest re-encryption attacks (HRAs) typically rely on noise flooding during re-encryption to statistically hide dependencies on the original ciphertext and the re-encryption key. However, noise flooding substantially increases ciphertext noise and often causes significant parameter growth.
In this work, we present a single-hop owner-encrypted proxy re-encryption (oePRE) scheme that achieves HRA security without statistical noise flooding. In the owner-encrypted setting, ciphertexts are generated directly by the data owner using her secret key, resulting in a simpler noise structure that facilitates efficient re-encryption. Instead of statistically hiding the inherited ciphertext noise, our construction introduces a small deterministic padding error and relies on computational leakage masking.
To formalise this approach, we introduce the noisy error-leakage LWE (NEL-LWE) assumption, which models the hardness of distinguishing LWE samples given a noisy version of the error term. We show that NEL-LWE follows from the recent Leaky-LWE framework of Lai, Swarnakar, and Woo (CiC'25). We further define computational re-encryption simulatability for owner-encrypted PRE and prove that our BGV-style construction achieves HRA security under standard LWE and PRF assumptions.
Compared with flooding-based HRA-secure lattice PRE schemes, our approach requires only a small additional padding noise and therefore remains much closer to the parameter regime of the underlying IND-CPA-secure construction. Our work demonstrates that computational leakage masking provides a viable alternative to statistical noise flooding for practical single-hop lattice-based proxy re-encryption.
## 2026/1114
* Title: Counterexamples to the Low-Norm Nullstellensatz Hypothesis
* Authors: Alex Lombardi
* [Permalink](
https://eprint.iacr.org/2026/1114)
* [Download](
https://eprint.iacr.org/2026/1114.pdf)
### Abstract
We give several examples of families of polynomials $p_1, ... , p_t \in \mathbb R[x_1, ... , x_n]/\langle x_i^d - 1\rangle_i$ on which the Low-Norm Nullstellensatz Hypothesis of [Devadas-Hopkins-Kalai-Kothari-Lombardi-Mathialagan, STOC 2026] fails to hold. That is, we prove the existence of polynomials $f \in \langle p_1, ... , p_t\rangle$ with coefficient $L^1$ norm $||f||_1 = 1$ but such that every decomposition $f = \sum_i p_i \cdot q_i$ has cost $\sum_i ||q_i||_1 = 2^{\Omega(n)}$. Our examples include one with $d=2$, the regime originally studied by [Devadas et al.], as well as generalizations that would also have sufficed for their purposes.
Our counterexamples highlight an important class of polynomials for (potentially) falsifying the LNNH: for prime $d$, functions $f(x) = f_C(x)=\frac 1 {|C|}\sum_{c\in C} x^c$ that are indicator functions for the input $x \in \mu_d^n\simeq \mathbb Z_d^n$ belonging to a linear subspace $C^\bot \subset \mathbb Z_d^n$, or more generally a coset $C^\bot + \sigma$.
## 2026/1115
* Title: The Fact of the MATTER: Efficient Hardware Accelerators for Wide-Block Memory Encryption
* Authors: Shubham Namdeo Shende, Utsav Banerjee
* [Permalink](
https://eprint.iacr.org/2026/1115)
* [Download](
https://eprint.iacr.org/2026/1115.pdf)
### Abstract
Tweakable block ciphers are important cryptographic primitives for secure memory encryption and partial mitigation of bit flip attacks. Rapid advancements in data-intensive applications such as artificial intelligence and machine learning have motivated the development of new memory technologies with very large data bus widths requiring wide-block memory encryption and its efficient implementation. Recently, the MATTER family of wide-block tweakable ciphers has been proposed for memory encryption in emerging applications. MATTER is a 512-bit balanced Feistel construction which uses the light-weight ASCON permutation as its round function. In this work, we present a comprehensive design space exploration of hardware architectures for accelerating different configurations of MATTER. We provide a detailed comparative analysis of power, performance, area and energy of round-based, unrolled and pipelined hardware implementations of MATTER based on digital synthesis using a 7nm FinFET ASIC standard cell library. We also discuss the suitability of these architectures for different application-specific memory encryption hardware requirements in emerging edge computing systems.
## 2026/1116
* Title: Fast Difficulty Adjustment in Proof-of-Work Consensus
* Authors: Juan Garay, Aggelos Kiayias, Yu Shen
* [Permalink](
https://eprint.iacr.org/2026/1116)
* [Download](
https://eprint.iacr.org/2026/1116.pdf)
### Abstract
One of the main hallmarks of proof-of-work (PoW) consensus protocols is their ability to adjust the difficulty of the PoW, so that it accurately reflects the level of participation and hence maintains security in a setting where protocol participation is unknown and may over time change dramatically. Importantly, this enables the protocol to retain its fundamental characteristics (such as the regularity of dispensing new tokens) irrespectively of the number of parties running the protocol (also known as ``miners'') at any given time.
The speed with which difficulty can be adjusted is a fundamental feature of a blockchain protocol: The faster the rate with which the difficulty is adjusted, the more agile the protocol is in the face of fluctuating participation. In this work, we put forward, for the first time, a blockchain protocol that performs difficulty adjustment in constant time; prior provably secure designs only offered protocols with, at best, poly-logarithmic overhead for difficulty adjustment. Our construction is based on the parallel-chain approach and a new target recalculation function that adjusts mining difficulty making use of information from all chains in the past epoch via a novel application of approximate-agreement techniques that may be of independent interest.
## 2026/1117
* Title: On the Secrecy of the Encapsulation Coin in ML-KEM
* Authors: Madjid G. Tehrani, William J Buchanan, Mouad Lemoudden
* [Permalink](
https://eprint.iacr.org/2026/1117)
* [Download](
https://eprint.iacr.org/2026/1117.pdf)
### Abstract
ML-KEM (FIPS 203) draws a fresh 32-byte coin at each encapsulation. The shared secret is a deterministic function of the public key and this coin, so a known coin is a recovered key. This is elementary. We ask instead how well the coin's secrecy is protected in practice, and we answer by experiment. On six unmodified libraries (OpenSSL 3.5, wolfSSL 5.9, AWS-LC, Go 1.26, Bouncy Castle 1.83, and CIRCL), and a from-scratch reference, the coin-recovery is reachable in every one; what differs is the guard, from a test-walled package in Go to an ordinary production call in wolfSSL. A second path needs no injection function at all: substituting the generator at build time makes the ordinary encapsulation predictable, while the public re-seed interface correctly refuses to. Outside the validated FIPS-140-3 configuration that most deployments do not yet use, the coin's secrecy rests on convention, not construction. The predictability this permits is externally invisible and parameter-controlled, of the class shown once before in Dual_EC_DRBG. We claim no backdoor; we claim only that the door is reachable, and say so while it is still being closed.
## 2026/1118
* Title: AuditPay: Anonymous Payments with Controlled Oversight
* Authors: Elkana Tovey, Yossi Gilad, Aviv Zohar
* [Permalink](
https://eprint.iacr.org/2026/1118)
* [Download](
https://eprint.iacr.org/2026/1118.pdf)
### Abstract
This paper introduces AuditPay, a novel mechanism for blockchain mixers that enables
controlled oversight through an ``auditing budget.rCOrCO Auditors may monitor up to a
budgeted number of addresses per epoch (e.g., an hour or a day), without revealing
to users which addresses are monitored. Unlike traditional approaches that require
users to voluntarily disclose viewing keys to trusted gatekeepers, AuditPay cryptographically enforces auditing compliance while preserving privacy for non-monitored user addresses and without introducing additional trust assumptions.
At the core of AuditPayrCOs design is a selective encryption mechanism coupled with an
efficient audit-key encoding scheme, enforced by a lightweight zero-knowledge proof. Users encrypt audit-relevant information under an audit key, which permits
decryption only if the payment is to (or, alternatively, from) an address selected
by the auditor for monitoring.
We implement AuditPay as an Ethereum-based payment mixer and show through experiments
on our prototype that its performance and gas-cost overheads are modest, providing
a practical solution for balancing payment oversight with user privacy.
## 2026/1119
* Title: Packed Pre-Constructed PVSS for Randomness Generation and E-Voting
* Authors: Karim Baghery, Eleftheria Makri, Dheeraj Kumar Suryakari
* [Permalink](
https://eprint.iacr.org/2026/1119)
* [Download](
https://eprint.iacr.org/2026/1119.pdf)
### Abstract
Pre-constructed Publicly Verifiable Secret Sharing (PPVSS) extends conventional Publicly Verifiable Secret Sharing (PVSS) by requiring the dealer to publish a commitment or encryption of the shared secret, enabling more efficient and versatile constructions for a variety of cryptographic protocols. In this paper, we further enhance this paradigm by introducing Packed Pre-constructed PVSS (3PVSS), which allows a dealer to encode multiple secrets within a single polynomial while maintaining the pre-constructability property. We present two constructions of 3PVSS schemes. In the first construction, the dealer publishes a single commitment to all shared secrets, providing a compact representation that is particularly suitable for applications requiring efficient communication. In the second construction, the dealer publishes individual commitments to each secret, enabling greater flexibility in applications that require independent verification of multiple shared values. Both schemes preserve the key advantages of PPVSS, including the optimistic reconstruction approach enabled by pre-constructability. We demonstrate that these two variants naturally support different applications. Using the first 3PVSS construction, we revisit the ALBATROSS randomness generation protocol proposed by Cascudo and David (ASIACRYPT 2020) and present a more efficient variant with reduced computation and communication costs. As an application of the second construction, we extend the universally verifiable e-voting protocol recently proposed by Baghery, Knapen, Nicolas, and Rahimi (ACNS 2025) to support multi-candidate elections, while preserving universal verifiability. Our results show that the resulting protocols outperform their original counterparts in terms of efficiency.
## 2026/1120
* Title: Pushing Collision Attacks on SHA-2 to 39 Steps
* Authors: Yingxin Li, Fukang Liu, Haifeng Qian, Jinwei Zhu
* [Permalink](
https://eprint.iacr.org/2026/1120)
* [Download](
https://eprint.iacr.org/2026/1120.pdf)
### Abstract
The SHA-2 family is a U.S. federal standard and mainly includes SHA-256 and SHA-512. In particular, SHA-256 plays a central role in real-world applications and is widely regarded as one of the most important hash functions in use today. At CRYPTO 2026, Li et al. proposed collision attacks up to 37-step SHA-2, but they could not reach 38 steps due to the low-probability uncontrolled part in the corresponding differential characteristics. In this paper, we propose an improved search procedure to find high-quality differential characteristics for 38-step SHA-256 and SHA-512, respectively. Exploiting the special shape of the 38-step differential characteristics, the meet-in-the-middle method to fulfill the corresponding differential conditions is extremely memory-efficient. Consequently, we successfully achieve the first 38-step collision attack on both SHA-256 and SHA-512, whose time complexity is $2^{104.3}$ and $2^{125.4}$, respectively. The memory complexity of the 38-step collision attack is negligible. The methods are also applied to the 36-step and 37-step collision attacks on SHA-2 published at CRYPTO 2026, leading to a significant improvement in both time and memory complexity. In particular, the time complexity of the collision attack on 36-step SHA-256 is only $2^{58.1}$ and the memory complexity is negligible, implying that a practical collision can be found. More remarkably, we apply the new method to 39 steps of SHA-2 and obtain the first effective collision attack on 39-step SHA-512, with a time complexity of $2^{178}$ and negligible memory complexity. However, the method does not yield an effective collision attack on 39-step SHA-256 due to the same issue arising from the low-probability uncontrolled part. Overall, this work further pushed the limit of memory-efficient collision attacks on round-reduced SHA-2 and significantly advances the state of the art.
## 2026/1121
* Title: Security Amplification via Robust Indistinguishability Combiners
* Authors: Benny Applebaum, Nir Bitansky, Nathan Geier
* [Permalink](
https://eprint.iacr.org/2026/1121)
* [Download](
https://eprint.iacr.org/2026/1121.pdf)
### Abstract
A robust combiner for a cryptographic primitive $P$ takes multiple candidate constructions of $P$ and produces a secure construction of $P$ provided that sufficiently many of the candidates are secure. A closely related notion is that of a security amplifier, where given a weakly secure construction of $P$, we aim to obtain a (strongly) secure one. Intuitively, one may expect that any robust combiner should act as an amplifier by thinking of "good randomness" as inducing secure instances, and of "bad randomness" as inducing insecure instances. Formalizing this intuition, however, has turned out to be challenging. Despite significant progress, general results remain limited and confined either to specific primitives or only to the statistical setting.
We establish a new framework of robust indistinguishability combiners, which greatly extends the class of combiners covered by prior work, and prove that they inherently act as security amplifiers. Our results extend to the computational setting, provided that the combiner makes a single query to each candidate. The new framework allows us to rederive previously known amplification results in a simplified manner, as well as prove new amplification results that have so far been out of reach.
As our main application, we present the first security amplifier for functional encryption, resolving an open question that first arose in constructions of indistinguishability obfuscation, and for which a gap was discovered in previous proofs. Our amplifier transforms a weak scheme with any constant indistinguishability error into one with full negligible security.
## 2026/1122
* Title: Pseudo-Oil Subspaces and the Geometry of Underdetermined MQ Problems
* Authors: Massimo Ostuzzi
* [Permalink](
https://eprint.iacr.org/2026/1122)
* [Download](
https://eprint.iacr.org/2026/1122.pdf)
### Abstract
The concrete security of multivariate post-quantum signature schemes is coming under increasing scrutiny as the NIST standardisation process for additional signatures approaches its final stages. Among the leading candidates, the security of MAYO and QR-UOV relies on the hardness of the underdetermined multivariate quadratic (MQ) problem.
This work revisits Hashimoto's algorithm for solving underdetermined systems of MQ equations, reinterpreting it as a computation of a pseudo-oil subspace.
In light of this geometric point of view, we design a new algorithm that, by computing richer pseudo-oil structures, distributes algebraic work across more than two Gr||bner Basis steps, subdividing the initial MQ problem into multiple subproblems that can be solved separately, while linearising multiple equations. Optimising a set of discrete parameters, we select the best trade-off between algebraic solving and combinatorial search. Concretely, our approach lowers the cost of the direct attack against Security Level I parameter sets of MAYO and QR-UOV by 8 and 10 bits, respectively.
## 2026/1123
* Title: Cryptographic Collateralized Loan without Smart Contracts
* Authors: Diego Castejon-Molina, Varun Madathil, Dimitrios Vasilopoulos, Sri AravindaKrishnan Thyagarajan, Pedro Moreno-Sanchez
* [Permalink](
https://eprint.iacr.org/2026/1123)
* [Download](
https://eprint.iacr.org/2026/1123.pdf)
### Abstract
Cryptocurrency lending is growing rapidly, and smart-contract-based loans are expected to grow further. However, existing systems are fundamentally limited: they only operate on smart-contract-enabled blockchains, and assets from other blockchains can be used only via tokenized representations.
In this work, we propose an oracle-aided cryptographic protocol that implements the logic of collateralized loans without smart contracts, instead only requiring basic transactions from the underlying blockchain and hence, being compatible with limited-scripting blockchains, including Bitcoin.
For that, we introduce verifiable graph encryption for signatures (VGES), a new cryptographic primitive that, on input a graph modeling the correspondence between transactions for collateral distribution (vertices) and loan repayments (edges), permits to encrypt the signatures on collateral-distribution transactions ensuring: (1) a signature can only be decrypted after completing loan repayments corresponding to a valid path in the graph from the root (graph enforcement); and (2) anyone can verify that encrypted signatures are valid and can be decrypted after doing the required loan repayments according to the graph (verifiability).
We present two provably secure constructions of VGES and the evaluation of our implementation shows that they offer a tradeoff between the number of required on-chain transactions and off-chain computation, while both remain efficient on commodity hardware.
## 2026/1124
* Title: New Constructions of Functional Adaptor Signatures: Broader Functions and Improved Efficiency
* Authors: Nikhil Vanjani, Garrett Greiner, Sri AravindaKrishnan Thyagarajan, Pratik Soni
* [Permalink](
https://eprint.iacr.org/2026/1124)
* [Download](
https://eprint.iacr.org/2026/1124.pdf)
### Abstract
Functional adaptor signatures (FAS) are a novel cryptographic primitive introduced at CCS'24 that enable privacy-preserving, fine-grained data-payment exchanges between a seller and a buyer in a trustless and atomic manner. In this setup, the seller holds sensitive data \(x\) (e.g., patient records, climate data), and the buyer specifies a function \(f\) (e.g., aggregate, sum). FAS guarantees that the buyer learns \(f(x)\) (and nothing beyond) if and only if the seller receives payment in blockchain-based tokens. Unlike generic smart contracts, FAS-powered solutions excel in privacy, efficiency, and compatibility with diverse blockchain systems. However, prior FAS constructions were limited to linear functions (where $f$ was linear in $x$), restricting their applicability to more complex and prevalent applications including data analytics and ML model evaluations.
In this work, we extend the capabilities of FAS to support higher-degree functions \((\textit{deg} \geq 2)\), significantly broadening its range of applications. Our core contribution is a novel FAS design leveraging homomorphic encryption, which simultaneously achieves enhanced efficiency and compatibility for general functions. This approach diverges fundamentally from the restricted design in CCS'24 which relied on connections to functional encryption. We implement our homomorphic encryption-based FAS for functions arising in applications such as data analytics and machine learning inference. Remarkably, even for linear functions, our new design achieves an order-of-magnitude improvement in performance compared to CCS'24 constructions. Furthermore, our solutions seamlessly integrate with prominent blockchain systems, requiring only a basic signature verification script on standard transactions, thus ensuring practical deployability. As a conceptual contribution, we introduce the general paradigm of a blockchain-based functional fair exchange (FFE) protocol, rigorously define buyer and seller fairness, and show that FAS implies the general goal of FFE.
## 2026/1125
* Title: Threshold Signatures in the Head
* Authors: Thibauld Feneuil, Matthieu Rivain, Damien Vergnaud, Auguste Warm|--Janville
* [Permalink](
https://eprint.iacr.org/2026/1125)
* [Download](
https://eprint.iacr.org/2026/1125.pdf)
### Abstract
Threshold cryptography distributes trust among multiple parties by enabling joint cryptographic operations without reconstructing secret keys. While post-quantum signature schemes based on the MPC-in-the-Head (MPCitH) paradigm are highly generic, recent impossibility results show that their thresholdization either incurs prohibitive distributed symmetric computations or leads to signature sizes growing with the number of signers. Achieving practical tradeoffs in this setting remains challenging. In this paper, we propose a generic framework for threshold MPCitH signatures based on Merkle-tree commitments. Our approach adapts the PIOP+PCS paradigm to the distributed setting by introducing and instantiating the notion of threshold polynomial commitment schemes (TPCS). We present a generic compiler combining a PIOP, a TPCS, and an arithmetic black box into a threshold signature scheme, and prove its unforgeability from the security of its components. We further provide a concrete Merkle-tree-based TPCS achieving moderate signature-size overhead, as low as 200 bytes per signer at the 128-bit security level. This is to be compared with an overhead of roughly 2 kB per signer for the previously suggested approach to thresholdize MPC-in-the-Head based on GGM trees. By compiling this TPCS with a standard PIOP, we obtain a generic threshold signature scheme from any hard problem or one-way function, which we showcase MQ-based and AES-based instantiations.
## 2026/1126
* Title: A correlation duet: Correlation attacks on correlation generators
* Authors: Antoine Joux
* [Permalink](
https://eprint.iacr.org/2026/1126)
* [Download](
https://eprint.iacr.org/2026/1126.pdf)
### Abstract
Pseudo-random correlation generators based on the Quasi-Abelian syndrome
decoding problem were first attacked in an article published at Asiacrypt~2025,
using compressed sensing. In this paper, we revisit the security of the
problem using a more traditional cryptanalytic tool, namely correlation
attacks.
As a result, we get a new cryptanalysis which outperforms the attack from
Asiacrypt 2025 in several directions. It allows recovery of secret error polynomials
with larger Hamming weights, runs approximately $1\,000$ times faster and
uses $1\,000$ times less memory over $\mathbb{F}_3$. Over $\mathbb{F}_4$, the speed-up and
memory gain are even higher.
Due to this new attack, it becomes necessary to entirely revisit the
parameters of several pseudo-random correlation generator proposals, including
FOLEAGE.
## 2026/1127
* Title: Verifiable Bootstrapping from Lattice-based Folding
* Authors: Amit Deo, Louis Tremblay Thibault
* [Permalink](
https://eprint.iacr.org/2026/1127)
* [Download](
https://eprint.iacr.org/2026/1127.pdf)
### Abstract
We explicitly construct and benchmark the first lattice-based IVC scheme from folding. The scheme supports customizable constraint systems over rings which we exploit to obtain proofs of correct execution of an FHE bootstrapping, a critical component of verifiable FHE. Notably and of independent interest, we introduce a novel CCS relation capable of performing automorphism stability checks which yields better expressivity for CCS over rings. We use this new relation to arithmetize the folding scheme verifier as well as TFHE's bootstrapping operation, and measure the performance of our folding scheme implementation on this arithmetization. Benchmarks indicate smaller proofs compared to the state of the art at the cost of a sharp increase in prover and verifier time. Lastly, we consider the security of folding-based IVC schemes with a super-constant number of recursive rounds and give an argument for the knowledge soundness of our construction in the ROM. Our work also discusses and highlights key open questions for future work, such as the design of hash functions over rings that permit efficient arithmetizations.
## 2026/1128
* Title: Optimized Point Addition Circuits for Elliptic Curve Discrete Logarithms
* Authors: Andr|- Schrottenloher
* [Permalink](
https://eprint.iacr.org/2026/1128)
* [Download](
https://eprint.iacr.org/2026/1128.pdf)
### Abstract
Shor's algorithm represents the main threat of quantum computers to cryptography. In order to precisely understand its feasibility, many authors have worked towards reducing its costs, either at the logical level (assuming a fault-tolerant architecture), or at the physical level (taking into account the constraints of envisioned hardware). In particular, recent works by Chevignard et al. (CRYPTO 2024) and Gidney (arXiv 2025) used improved arithmetic to significantly reduce the qubit cost of factoring RSA public keys.
Even more recently, Babbush et al. (arXiv 2026) improved the cost of computing elliptic curve discrete logarithms, with a reduction of a factor 2 to 3 in gate count and qubit count compared to a previous work by Litinski (arXiv 2023). Their result relies on optimized point addition circuits on elliptic curves over prime fields. However they did not reveal their logical quantum circuits, relying instead on a zero-knowledge proof.
In this paper, we detail a quantum logical circuit architecture which gives similar results as Babbush et al., with a slightly higher number of qubits (around 1.5% increase) and a slightly smaller Toffoli gate count (between 6.5% and 10% reduction) for the curve secp256k1. We also give gate counts for a generic variant of the circuit, which is valid for any prime field.
## 2026/1129
* Title: pSquare-hash: A Family of Tweakable Hash Functions for Physically Secure PQ Signatures
* Authors: Lorenzo Grassi, Mario Marhuenda-Beltr|in, Thorben Moos, Fabian Schmid, Matthias Johann Steiner, Hailun Yan
* [Permalink](
https://eprint.iacr.org/2026/1129)
* [Download](
https://eprint.iacr.org/2026/1129.pdf)
### Abstract
In 2020 and 2024 respectively, NIST released a Special Publication (SP 800-208) and a Federal Information Processing Standard (FIPS 205) specifying hash-based signature schemes with natural quantum resistance thanks to their symmetric foundation. The former recommends the stateful hash-based signature schemes LMS and XMSS, whereas the latter standardizes their stateless counterpart SPHINCS+. While in principle all three constructions can be instantiated with any secure cryptographic hash function, the concrete instances recommended by NIST are currently limited to either the SHA-2 or the SHA-3 family. Building on the maturity of these standardized families is of course a sensible choice. Yet, we argue that neither is particularly well suited for this purpose, especially once physical security matters. As an alternative we suggest pSquare-hash, an arithmetization-oriented family of lightweight tweakable hash functions. We demonstrate that such dedicated tweakable constructions ideally suit the instantiation and security requirements of hash-based signature schemes, potentially leading to efficiency advantages over standard concatenation-based approaches through either a reduction of the permutation size or the number of calls. With respect to physical security, the presence of the tweak enables a clean separation between inputs that need to be protected against leakage/faults and those that are insensitive. The arithmetization-oriented nature and choice of prime enable the effective utilization of masking schemes with superior passive and active attack resistance (e.g., prime-field and/or inner-product masking) and keep the design suitable for zero-knowledge applications. We compare higher-order masked software (Cortex-M4) and hardware (NanGate 15 nm) implementations of pSquare-hash to equivalent SHA-2, SHA-3, SKINNY-Hash, Ascon-Hash and Poseidon2 instances and exhibit favorable characteristics whenever masking is applied.
## 2026/1130
* Title: Reassessing the Security of LPN-C and its HHE-Oriented Variants
* Authors: Orr Dunkelman, Semira Einsele, Hans Heum, Morten |yygarden, Gerhard Wunder
* [Permalink](
https://eprint.iacr.org/2026/1130)
* [Download](
https://eprint.iacr.org/2026/1130.pdf)
### Abstract
The idea of Hybrid Homomorphic Encryption (HHE) is to reduce the computational cost of Fully Homomorphic Encryption (FHE) by encrypting bulk data symmetrically while only encrypting the short symmetric key homomorphically. Its efficiency depends on the multiplicative depth of the symmetric cipher's decryption circuit, motivating FHE-friendly designs.
The Learning Parity with Noise (LPN) problem is a natural candidate for such designs, as it gives rise to simple encryption and decryption circuits over binary fields. In this context, Fouque, Hadjibeyli, and Kirchner proposed LPN-based symmetric encryption schemes based on the LPN-C cryptosystem of Gilbert et al. LPN-C is attractive for HHE while allowing parameter choices that bound decryption failures. However, the concrete security of LPN-C and its HHE-oriented variants remains poorly understood.
We quantify how enforcing bounded noise via rejection sampling reduces the observed noise rate, an effect not captured in prior analyses. This yields immediate speedups for all attacks based on LPN instance solving. We then extend the Arora-Ge-style algebraic attacks to the bounded-noise setting and derive new bounds on the dimension of the induced linear spaces, refining and partially correcting earlier analyses. We show that some parameter regimes are more robust than previously estimated, while new algebraic strategies yield the best known attacks in others.
Overall, our results improve our understanding of the concrete security of LPN-based symmetric encryption schemes, informing parameter selection for FHE-friendly variants.
## 2026/1131
* Title: Public Key Encryption Secure Against Quantum Leakage
* Authors: Alper Cakan, Fuyuki Kitagawa, Ryo Nishimaki, Manasi Shingane, Takashi Yamakawa
* [Permalink](
https://eprint.iacr.org/2026/1131)
* [Download](
https://eprint.iacr.org/2026/1131.pdf)
### Abstract
Side-channel attacks are a relevant threat to many modern cryptographic schemes and often have fatal consequences such as revealing partial information about secret keys. While leakage-resilient cryptography aims to solve this problem, existing works focus exclusively on showing security against classical leakage. Moreover, recent public key encryption (PKE) schemes utilizing quantum secret keys achieve security against unbounded classical leakage, but offer no guarantees on any amount of quantum leakage. Since security guarantees on classical side information do not necessarily translate to guarantees on quantum side information, showing PKE schemes that are secure in the presence of quantum leakage remains open.
In this work, we address this problem by extending the definition of leakage resilience for PKE in the bounded-leakage model to allow for quantum leakage. We provide the following two constructions:
- PKE with Quantum Secret Keys: We construct a PKE scheme that tolerates unbounded classical leakage alongside bounded, constant-rate ($\lambda <0.057$) quantum leakage. Our construction assumes the existence of polynomially secure post-quantum indistinguishability obfuscation (iO) as well as one-way functions (OWFs).
- PKE with Classical Secret Keys: We construct a classical PKE scheme that is secure against bounded quantum leakage. Our construction offers a tradeoff between the achievable leakage rate and the underlying cryptographic assumptions. Assuming the hardness of the learning with errors problem (LWE) we obtain an optimal leakage rate of $\lambda \leq 1-o(1)$. Alternatively, assuming only post-quantum PKE, we obtain a leakge rate of $\lambda\leq \frac{1}{poly(n)}$.
## 2026/1132
* Title: Oblivious Garbling and its Applications
* Authors: Tomer Ashur, Carmit Hazay, Rahul Satish
* [Permalink](
https://eprint.iacr.org/2026/1132)
* [Download](
https://eprint.iacr.org/2026/1132.pdf)
### Abstract
A garbling scheme encodes a function and an input into two independent artifacts from which the output can be recovered, but nothing else is revealed. This clean separation between function and input has made garbling one of the most versatile primitives in cryptography. Yet it hides an asymmetry that has gone largely unexamined: while the input is cryptographically protected, the function is fully exposed to whoever performs the garbling. As garbling is increasingly deployed in settings where garbling is delegated to untrusted infrastructure, published on public ledgers, or distributed among multiple parties, this asymmetry becomes a fundamental barrier. The function, which may encode proprietary models, confidential policies, or sensitive decision logic, is leaked unconditionally to the garbling server.
We introduce oblivious garbling, a new paradigm that closes this gap. In our framework, the garbler receives only a designated leakage of the circuit and remains oblivious to everything else. We present the first construction instantiating this notion where the leakage is the circuit topology alone, achieving linear complexity with no blow-up in the size of the garbled circuit. The construction extends to the malicious setting with no asymptotic overhead. Beyond its theoretical contribution, oblivious garbling has immediate practical consequences: it enables outsourced garbling without function exposure, garbling on untrusted hardware without leaking proprietary logic, and a multi-party garbling protocol in which no garbling party learns the function, all without resorting to universal circuits.
## 2026/1133
* Title: SoK: PIOP-based SNARKs for General Computation
* Authors: Yonghui Guan, Rihe Zhang, Bin Liu, Tianyu Zhao, Jialu Hao, Antonis Michalas
* [Permalink](
https://eprint.iacr.org/2026/1133)
* [Download](
https://eprint.iacr.org/2026/1133.pdf)
### Abstract
Many modern SNARK constructions follow a paradigm that combines a Polynomial Interactive Oracle Proof (PIOP) with an appropriate Polynomial Commitment Scheme (PCS). In this paradigm, the PIOP reduces soundness to the verification of a collection of polynomial relations that are checked though oracle queries, while the PCS enables succinct commitments to the corresponding polynomials. Rather than transmitting the full polynomial representation, the prover commits to the polynomials and later provides evaluations at the points selected by the verifier. The verifier checks the consistency of these evaluation with the commitments and the prescribed polynomial relations. This combination of interactive polynomial queries and succinct commitments lies at the heart of the resulting argument system's efficiency, leading to compact proofs and efficient verification procedures.
Focusing on this paradigm, we adopt the frontend and backend decomposition of SNARKs for general computation introduced by Thaler and develop a unified framework that refines this separation at a finer granularity. We present this framework as a single coherent structure and analyze its components in a systematic manner. Within this unified view, we incorporate lookup arguments and recursive proof composition, both of which are key to improving efficiency and applicability, as main components of the framework, showing how they interact with both the frontend and backend. This organization allows readers to reason clearly about the construction, composition and analysis of modern SNARKs.
## 2026/1134
* Title: SPIDER: Two Server Functionality for the Cost of Zero
* Authors: Ofir Dvir, Kali Hale, Javin Zipkin, Divyakant Agrawal, Dahlia Malkhi * [Permalink](
https://eprint.iacr.org/2026/1134)
* [Download](
https://eprint.iacr.org/2026/1134.pdf)
### Abstract
We introduce baseSPIDER and SPIDER, private information retrieval (PIR) schemes that embody two technical advancements.
The baseSPIDER protocol operates with a single server and a stateful client that performs pre-processing and stores hints for future queries. In this setting, baseSPIDER introduces a new approach that matches the asymptotically optimal communication complexity of state-of-the-art schemes while improving constant factors--an advantage that is particularly significant for databases with large entries. In addition, baseSPIDER offers a conceptually simpler design relative to prior protocols.
SPIDER operates over a default database interface and requires no cooperation from the server at any stage. To our knowledge, SPIDER is the first single-server PIR construction of this design, achieving privacy without specialized APIs, auxiliary server state, or protocol-specific interaction beyond conventional indexed access.
SPIDER is built via a simple transformation of baseSPIDER to the default server setting, eliminating deployment barriers and enabling immediate applicability to existing systems. This transformation can be applied more broadly to three recent PIR solutions, adapting them for use in the default-server paradigm and yielding solutions of independent interest. SPIDER compares to the resulting modified solutions by exhibiting a simpler design while incurring higher client computational work.
## 2026/1135
* Title: Private Information Retrieval: A Tutorial and Survey
* Authors: Pranav Shriram Arunachalaramanan, Yue Chen, Ling Ren
* [Permalink](
https://eprint.iacr.org/2026/1135)
* [Download](
https://eprint.iacr.org/2026/1135.pdf)
### Abstract
Private information retrieval (PIR) is a fundamental primitive for protecting user privacy. It enables a user to retrieve entries from a public database without revealing which entries are being retrieved. PIR has been studied in many settings, e.g., with information-theoretic or computational security, with a single server or multiple non-colluding servers, and with or without preprocessing to the database. In this article, we describe several PIR schemes that we believe are accessible to readers without prior knowledge in PIR. Although conceptually simple, these schemes capture the main ideas underlying mainstream design paradigms. We also describe extensions of PIR that support keyword queries and batch queries. Beyond describing the schemes themselves, we characterize the concrete efficiency of different PIR paradigms, provide guidance on selecting a paradigm in practice, and discuss practical applications of PIR.
We hope this article helps readers understand the current research landscape in PIR and serves as a starting point for exploring more advanced topics in the field.
## 2026/1136
* Title: Local Constraints Behind Fourier Analysis of Neural Distinguishers for SPECK32/64
* Authors: Yunjae Hwang, Sunyeop Kim, Hanbeom Shin, Deukjo Hong, Seokhie Hong, Dongjae Lee, Jaechul Sung, Byoungjin Seok
* [Permalink](
https://eprint.iacr.org/2026/1136)
* [Download](
https://eprint.iacr.org/2026/1136.pdf)
### Abstract
Neural distinguishers for ARX ciphers can exploit information beyond classical difference distributions and several interpretability frameworks have been proposed. In this paper, we study two frameworks for SPECK32/64 by connecting their viewpoints: local constraints of modular addition and Fourier analysis of trained neural distinguishers. We show that the dominant Fourier parities of a raw-pair differential neural distinguisher can be rewritten in the local variables associated with the last modular addition. This representation separates value-dependent variant differential-linear terms from difference-dependent traditional terms, and explains their biases through specific local constraints and branch effects. We further extend the analysis to a boomerang right-quartet setting. We construct a neural distinguisher whose input is only the original ciphertext pair, while positive and negative samples are matched with respect to the observed ciphertext difference. Fourier analysis of this distinguisher reveals dominant value-dependent parities. We trace these terms to borrow synchronization in the first inverse step of the lower boomerang characteristic, yielding specific local conditions. Our results indicate that the dominant Fourier features learned in these settings are observable projections of concrete carry or borrow constraints of the ARX operation.
--- Synchronet 3.22a-Linux NewsLink 1.2