From Newsgroup: sci.crypt
## In this issue
1. [2026/254] Key Committing Security of HCTR2, Revisited
2. [2026/654] Tighter Bounds for the Oblivious Bit-Fixing Inner ...
3. [2026/1148] Pushing the boundaries of group-based aggregation ...
4. [2026/1150] The Key Control Security of KDF Combiners
5. [2026/1158] A Geometric Approach to Quantum Distinguishers
6. [2026/1179] Permissionless Consensus from a Common Random String
7. [2026/1181] AICE: An Arithmetic-Oriented Stream Cipher for ...
8. [2026/1188] Rank Ceiling for Twiddle-Perturbation Faults on the ...
9. [2026/1191] Accelerating NTRU+ Key Generation via Hierarchical ...
10. [2026/1205] StakeNote: A Proof-of-Stake Protocol for CryptoNote ...
11. [2026/1209] Latency-Aware, High-Throughput Homomorphic AES ...
12. [2026/1210] Uncloneable Cryptography in Linear Quantum Memory
13. [2026/1211] Private Information Retrieval: Share Conversions ...
14. [2026/1212] SecLoRA: Secure Aggregation of Low-Rank Matrix ...
15. [2026/1213] Another Look at Non-Frameability in Group ...
16. [2026/1214] Faster Leader-Based Consensus via Certificates of ...
17. [2026/1215] On the Cryptographic Structure Required for ...
18. [2026/1217] Secure Computation against $\mathsf{NC^1}$ Leakage ...
19. [2026/1218] High-Accuracy, Poisoning-Resilient Frequency ...
20. [2026/1219] Algorithms for solving the isogeny problem with ...
21. [2026/1220] Explicit Transformations from Edge-Depth-Robust to ...
22. [2026/1221] Achieving Shannon Capacity for Computationally ...
23. [2026/1222] UCX is All You Need: A Universal Transform for ...
24. [2026/1223] Neon NTT - (Auto)formalised
25. [2026/1224] On Arithmetic Private Information Retrieval: Why ...
26. [2026/1225] Towards Post-Quantum Secure eSIM Provisioning Protocols
27. [2026/1226] Changing of the Guards with Two Shares - Security ...
28. [2026/1227] Chosen Ciphertext Secure Pseudorandom Codes in the ...
29. [2026/1228] Advancing Pseudorandom Codes: Beyond Parity Checks ...
30. [2026/1229] Invisible Traces: Subversion Attacks on Batch- ...
31. [2026/1230] Formula Freshness for Staged Hybrid Authenticated ...
32. [2026/1231] The Best of Both Worlds: Hybrid Authenticated Key ...
33. [2026/1232] A Heuristic Subexponential Attack on the McEliece ...
34. [2026/1233] Implementation of Learning with Errors in Non- ...
35. [2026/1234] Designing Incentives for Responsive Consensus Protocols
36. [2026/1235] Authenticated Data Structures for Dynamic Workloads
37. [2026/1236] New bounds on private simultaneous quantum message ...
38. [2026/1237] SING: Improving the Efficiency of MPC Protocol ...
39. [2026/1238] On the Additive Sensitivity of LZ77 Under ...
40. [2026/1239] Balanced Additive Randomized Encodings for Shuffle ...
41. [2026/1240] Adaptive attacks on FESTA variants with masked- ...
42. [2026/1241] PoW Micronomics: A Fine-Grained Model for the ...
43. [2026/1242] SoK: The Constant Time Model
44. [2026/1243] LendLocked: Privacy & Transparency for Digital ...
45. [2026/1244] Resource Estimation of a Distributed Quantum ...
46. [2026/1245] Accountable Asynchronous Multi-Party Computation
47. [2026/1246] A Note on Combined Attacks on Fallen Sanctuary
48. [2026/1247] Practical Attacks on a Decentralized Secure ...
49. [2026/1248] Atlantis: Lattice-based Anonymous Tokens with ...
50. [2026/1249] A family of invertible shift-invariant maps with ...
51. [2026/1250] TensorZKP: Repurposing GPU Tensor Cores for High- ...
52. [2026/1251] Related Differentials of $4\times4$ MDS Matrices: A ...
53. [2026/1252] HedgeSwap: Universal Hedged Atomic Swaps Against ...
## 2026/254
* Title: Key Committing Security of HCTR2, Revisited
* Authors: Donghoon Chang, Yu Long Chen, Yukihito Hiraga, Kazuhiko Minematsu, Nicky Mouha, Yusuke Naito, Yu Sasaki, Takeshi Sugawara
* [Permalink](
https://eprint.iacr.org/2026/254)
* [Download](
https://eprint.iacr.org/2026/254.pdf)
### Abstract
This paper presents improved attacks and proofs for the key committing security of EtE-HCTR2, a robust authenticated encryption scheme constructed from HCTR2 and the Encode-then-Encipher (EtE) framework, in light of the ongoing standardization effort of cryptographic accordions by NIST. We improve attacks on the instantiations with two common encodings, where zeros are either appended or prepended to the message, namely EtE_A-HCTR2 and EtE_P-HCTR2. Compared with the state-of-the-art attack by Chen et al. in ToSC 2023(4), our EtE_A-HCTR2 attack reduces the complexity from $O(2^{\tau/2})$ to $O(2^{\max\{\tau/3, \tau-n\}})$ for an $n$-bit block cipher and $\tau$-bit zero padding, which degrades EtE_A-HCTR2's security below the birthday bound. Meanwhile, our EtE_P-HCTR2 attack reduces the complexity from $O(2^{\min \{n/2, \tau\}})$ to $O(2^{\tau/2})$, which is tight with our new security proof. We verify these computationally-bounded attacks by experimentally generating concrete vectors for both EtE_A-HCTR2 with $\tau=96$ and EtE_P-HCTR2 with $\tau=64$, each instantiated with $n=128$, in less than 15 minutes.
We consider yet another padding scheme that appends zeros to the first message block, namely EtE_S-HCTR2, and prove that it has a tight committing security bound of $O(2^{\tau/2})$ by avoiding the issue in EtE_A-HCTR2.
## 2026/654
* Title: Tighter Bounds for the Oblivious Bit-Fixing Inner Product Extractor on Biased Seeds
* Authors: Jack Doerner, Lawrence Roy
* [Permalink](
https://eprint.iacr.org/2026/654)
* [Download](
https://eprint.iacr.org/2026/654.pdf)
### Abstract
The Inner Product Extractor (IPE) of Impagliazzo, Levin, and Luby (STOC'89) takes a seed $h\in\mathbb{F}^\gamma$ and a source $x\in\{0,1\}^\gamma$ for some $\gamma\in\mathbb{N}$ and produces $\langle h,x\rangle$ with error $\varepsilon=\mathsf{SD}((\langle\mathcal{H},\mathcal{X}\rangle,\mathcal{H}),(\mathcal{Y},\mathcal{H}))$ such that $$
\varepsilon\le\frac{1}{2}\sqrt{|\mathbb{F}|^{\gamma}/2^{H_\infty(\mathcal{H})}}\,\,\sqrt{|\mathbb{F}|/2^{H_\infty(\mathcal{X})}}
$$ where $\mathcal{Y}$ is the uniform distribution over $\mathbb{F}$, and $\mathcal{H}$ and $\mathcal{X}$ are the independent but possibly non-uniform distributions from which $h$ and $x$ are drawn, respectively. In other words, the IPE's error grows with the square root of seed bias, at most. This square root arises because prior works bound the squared error using the 2-universality of the IPE. The analysis requires an even power of the error, and the IPE is not $4$-universal.
Motivated by applications to multiparty computation, we revisit the problem of the IPE with biased seeds and prove far tighter bounds on the influence of seed bias by bypassing universal hashing. We first prove an Elevated General Leftover Hash Lemma, which yields an $n^{\text{th}}$ root bound for functions that are almost $n$-universal. Bounding number of inputs on which the IPE is not 4-universal yields $\varepsilon=\mathsf{SD}((\langle\mathcal{H},\mathcal{W}\rangle,\mathcal{H}),(\mathcal{Y},\mathcal{H}))$ where $$
\varepsilon\lesssim\frac{2.1}{2}\left(|\mathcal{F}|^\gamma/2^{H_\infty(\mathcal{H})}\right)^{\frac14} \sqrt{|\mathbb{F}|/2^{H_\infty(\mathcal{W})}}
$$ for any oblivious bit-fixing source $\mathcal{W}$ with $2^{0.585 H_\infty(\mathcal{W})} \le |\mathbb{F}| \le 2^{H_\infty(\mathcal{W})}$. Next, we use matroid theory to directly analyze the $n$-way multicollision probability of the IPE, yielding an asymptotic bound for any even $n$. For $n\ge4$, $0 < \epsilon \le 0.83/(n - 2)$, and $|\mathbb{F}| \le 2^{(1 - \epsilon)\cdot H_\infty(\mathcal{W})}$, as $|\mathbb{F}|\to\infty$, $$
\varepsilon
\le\frac{(n - 1)}{2}\left({|\mathcal{F}|}^\gamma/2^{H_\infty(\mathcal{H})}\right)^{\frac1n} \sqrt{\vphantom{/}2^{-\epsilon\cdot H_\infty(\mathcal{W})}}\,\, (1 + o(1)).
$$ Computing a \emph{concrete} version of this bound requires time exponential in $n$. We compute concrete $\{4,6,8\}^{\text{th}}$-root bounds and demonstrate that no one choice of $n$ is optimal. Finally, we introduce a new class of seed-adaptive oblivious bit-fixing sources, extend our results to such sources, and use this extension to fix a bug that we identify in the proof of the oblivious linear evaluation protocol of Doerner et al. (SP'24).
## 2026/1148
* Title: Pushing the boundaries of group-based aggregation with zero-evading generators of low additive complexity
* Authors: Ariel Gabizon, Dmitry Krachun
* [Permalink](
https://eprint.iacr.org/2026/1148)
* [Download](
https://eprint.iacr.org/2026/1148.pdf)
### Abstract
A zero-evading generator with error parameter $\lambda$ is a distribution $Z$ on $\mathbb{F}^n$ such that for any non-zero vector $x\in \mathbb{F}^n$
the probability that $<a,x>=0$ is at most $2^{-\lambda}$, when $a$ is chosen according to $Z$. We investigate the number of additions required to compute $<a,x>$ given $x$.
The traditional construction chooses a vector $a$ with random $\lambda$-bit elements. Pippenger's algorithm gives an additive complexity of at least $\Omega(\lambda n/(\log(\lambda n))$ for this approach. We give a construction requiring only $O(n^2+\lambda)$ additions, which can be smaller when $n<\lambda/\log(\lambda)$.
We highlight the impact of reducing the number of additions on aggregation of group-based commitments, such as KZG commitments[KZG10]. We pose improving this further to $O(n+\lambda)$ as an interesting open problem.
## 2026/1150
* Title: The Key Control Security of KDF Combiners
* Authors: Ritam Bhaumik
* [Permalink](
https://eprint.iacr.org/2026/1150)
* [Download](
https://eprint.iacr.org/2026/1150.pdf)
### Abstract
At CRYPTO 2025, Bhaumik et al. formalised the notion of Key Control (KC) security of Key Derivation Functions (KDFs). A KC adversary, on seeing the root key of a KDF, attempts to manipulate its auxiliary inputs (the `Context' string) to obtain a derived key from a pre-selected set of keys. In this paper we extend the notion of KC security to Key Combining Functions, which are KDFs that convert two root keys to a single derived key; we name the new notion Combining Key Control (CKC) security. We then investigate the CKC security of KDF Combiners and show that (up to certain limitations) it follows from the KC security of either of the component KDFs.
## 2026/1158
* Title: A Geometric Approach to Quantum Distinguishers
* Authors: Zhili Wu, Zhenzhen Bao
* [Permalink](
https://eprint.iacr.org/2026/1158)
* [Download](
https://eprint.iacr.org/2026/1158.pdf)
### Abstract
This paper introduces a geometric framework for Q2 quantum distinguishers by combining the geometric approach to classical symmetric-key cryptanalysis with the generalized correlation extraction algorithm. Our main technical tool shows that one superposition query, followed by appropriate (unitary) change-of-basis operations, prepares a ``correlation state'' whose amplitudes are the entries of the geometric correlation matrix in the chosen basis. This yields a unified preparation-measurement template that recovers several known quantum distinguishers: (1) hidden structure detection via support constraints in Fourier-type bases (e.g., Simon, Bernstein-Vazirani, Deutsch-Jozsa), and (2) event probability deviation tests via amplitude estimation (covering standard quantizations of linear and differential distinguishers). We analyze when relevant distinguishing mass is diluted across many basis states, identify it as a cause of poor query efficiency in several recent distinguishers, and provide basis-specific mechanisms to concentrate the signal (phase-oracle row restriction in the Fourier setting; chosen-plaintext subset-state restriction in the quasidifferential setting) to restore quadratic advantage. We illustrate the framework on Fourier and quasidifferential instantiations and discuss obstacles for non-unitary integral bases.
## 2026/1179
* Title: Permissionless Consensus from a Common Random String
* Authors: Damiano Abram, Marshall Ball, Juan Garay, Aggelos Kiayias
* [Permalink](
https://eprint.iacr.org/2026/1179)
* [Download](
https://eprint.iacr.org/2026/1179.pdf)
### Abstract
Permissionless consensus enables parties to perform Byzantine agreement without any a priori knowledge about who is participating, except for an upper bound on the number of participants running the protocol (no PKI, etc.). Since NakamotorCOs Bitcoin paper, it has been widely believed that permissionless consensus is feasible provided the (Byzantine) adversary only controls a fraction of the collective computational power. However, all known protocols, including NakamotorCOs, rely on idealized assumptions (or ad hoc instantiations).
Is permissionless consensus possible without such assumptions? Surprising little progress had been made towards solving this open question until the recent result by Ball et al. (Crypto 2024), which showed how to achieve permissionless consensus from proofs of work (PoWs) based on fine-grained complexity assumptions in a setting where a randomness beacon is available to all parties running the protocol. Their work left open whether it is possible to remove the beacon assumption; this question is the focus of our work, which we resolve via a new consensus protocol construction that relies on a novel class of distributed samplers and a common random string (that does not need to be structured or sampled precisely at the onset of the protocol execution).
To prove our protocol secure, we revisit the concept of distributed samplers and adapt it to a setting where multiple sampler executions need to be simultaneously secure. To address this challenge we introduce the primitive we call d-wise independent distributed samplers and put forward constructions for such samplers based on DDH and LWE. We then present our consensus protocol via a modular design that utilizes a new moderately hard cryptographic primitive we call multi-verifier signatures of work, a sort of rCLtime-based signaturerCY we construct by composing distributed samplers and (fine-grained complexity-based) PoWs, and which may be of independent interest.
## 2026/1181
* Title: AICE: An Arithmetic-Oriented Stream Cipher for Heterogeneous Computing * Authors: Bishwajit Chakraborty, Jiahui Gao, Kai Hu, Tao Huang, Zhongfeng Niu, Phuong Pham, Shuzhou Sun, Meiqin Wang, Shuang Wu, Wenhan Xu, Guang Zeng, Chenxu Zhao
* [Permalink](
https://eprint.iacr.org/2026/1181)
* [Download](
https://eprint.iacr.org/2026/1181.pdf)
### Abstract
Heterogeneous computing platforms increasingly rely on high-throughput data paths spanning CPUs and accelerators, yet most high-speed software ciphers are optimized primarily for CPU-centric execution models. We present AICE, an arithmetic-oriented stream cipher over \(\mathbb{Z}/2^{16}\mathbb{Z}\) with a 37-word (592-bit) internal state, a nonlinear feedback combining modular addition, multiplication, bitwise OR, and rotation, a 370-round initialization with post-initialization key feed-forward, and periodic blank updates. We analyze AICE under several cryptanalytic models, including differential trail screening, linear approximation over the abelian group \(\mathbb{Z}/2^{16}\mathbb{Z}\), guess-and-determine state recovery, and exact SMT-based cube evaluation, and find that all observable structural phenomena remain confined to reduced-round settings far below the full initialization. On the AI Cores of Huawei Ascend accelerators, AICE reaches a single-core peak throughput of $114.13$ Gbps on the Ascend 950 and $55.36$ Gbps on the Ascend 910B4, and scales to $1.59$ Tbps on $32$ Ascend 910B4 cores, roughly $54\times$ the throughput of AES-CTR and $107\times$ that of SM4-CTR on the same $32$-core configuration; on the ARM Kunpeng 920 it remains in the same throughput class as hardware instruction accelerated AES-CTR.
## 2026/1188
* Title: Rank Ceiling for Twiddle-Perturbation Faults on the Forward NTT
* Authors: Chakshu Gupta
* [Permalink](
https://eprint.iacr.org/2026/1188)
* [Download](
https://eprint.iacr.org/2026/1188.pdf)
### Abstract
NIST standardised a lattice-based key-encapsulation mechanism (ML-KEM) and a lattice-based digital signature scheme (ML-DSA) in 2024 as post-quantum replacements for classical key establishment and digital signatures. Both compute a forward number-theoretic transform (NTT) over secret-bearing polynomials; the NTT's twiddle constants are a documented fault-attack surface. Published attacks zero every twiddle with a single glitch on ML-KEM key generation, or zero individual twiddles on ML-DSA signing. Countermeasures detect or mask such faults, but none bounds the information that survives when an attacker perturbs twiddles one at a time. This paper supplies that bound as an exact per-layer rank ladder, for arbitrary perturbations $\zeta_k \mapsto \zeta_k^{'}$ with bit-flips included. A single twiddle fault leaks exactly the butterfly length of its layer in secret coefficients, a count attained rather than merely bounded, so one fault per layer pins all but two coefficients for ML-KEM and all but one for ML-DSA. The surviving ambiguity is identical whichever twiddle is hit in each layer: $\mathrm{span}(e_0, e_1)$ for ML-KEM's incomplete NTT, $\mathrm{span}(e_0)$ for ML-DSA's complete NTT. No combination of twiddle-perturbation faults, however large, shrinks it further, and this rank-and-kernel characterisation is machine-checked in Lean 4. The per-layer leakage rate it exposes gives countermeasure designers a closed-form budget for allocating protection.
## 2026/1191
* Title: Accelerating NTRU+ Key Generation via Hierarchical Batch Inversion
* Authors: Jonghyun Kim, Haehyun Cho, Jong Hwan Park
* [Permalink](
https://eprint.iacr.org/2026/1191)
* [Download](
https://eprint.iacr.org/2026/1191.pdf)
### Abstract
In KEM-based TLS 1.3 key establishment, the client generates a fresh KEM key pair for each connection, placing key generation on the handshake critical path. For NTRU+, a KEM based on the NTRU problem selected in the Korean Post-Quantum Cryptography (KpqC) competition, the dominant cost in this path is the polynomial inversion needed to compute the public key. Although NTRU+ uses an NTT-friendly ring and performs this inversion in the NTT domain, the routine still decomposes into many base inversions, each requiring a modular inversion computed by exponentiation.
To accelerate polynomial inversion in the NTT domain, we collect the modular inversions arising from base inversions into a single stage. This makes it possible to apply Montgomery's trick, reducing the number of modular inversions to one at the cost of sequential product and recovery chains. These chains limit instruction-level parallelism (ILP). To address this dependency bottleneck, we apply hierarchical batching to these exposed denominator inversions, splitting the inputs into $k$ groups to expose independent product chains and recursively batching the resulting $k$ group-product inversions. This preserves the arithmetic cost of Montgomery's trick while improving ILP, thereby reducing cycle counts.
We evaluate hierarchical batch inversion across all NTRU+ parameter sets in both C and AVX2. For NTRU+$864$, the parameter set with the largest gains, compared with non-batched polynomial inversion, it reduces polynomial inversion latency by 48.91% in C and 59.57% in AVX2. For key generation, the corresponding speedups are 18.91% in C and 9.34% in AVX2.
## 2026/1205
* Title: StakeNote: A Proof-of-Stake Protocol for CryptoNote Payments
* Authors: Bernardo David, Dimitris Karakostas
* [Permalink](
https://eprint.iacr.org/2026/1205)
* [Download](
https://eprint.iacr.org/2026/1205.pdf)
### Abstract
This work proposes StakeNote, a distributed ledger protocol that combines Proof-of-Stake (PoS) with privacy and anonymity preserving payments. The protocol combines Ouroboros Praos, a provably secure PoS protocol, with CryptoNote, a privacy-preserving payment system based on ring signatures which has been widely used in practice. We prove that StakeNote inherits the security guarantees of Ouroboros Praos and the privacy guarantees of CryptoNote and we demonstrate its practicality via a proof of concept implementation, where block creation requires less than 25 ms and eligibility proofs are approx. 3 KB for anonymity sets of size 16. Finally, we discuss heuristic enhancements that potentially increase privacy and enable dynamic participation.
## 2026/1209
* Title: Latency-Aware, High-Throughput Homomorphic AES Evaluation with CKKS
* Authors: Taeseong Kim, Jonghoo Lee, Taeyeong Noh, Jung Hee Cheon, Guillaume Hanrot
* [Permalink](
https://eprint.iacr.org/2026/1209)
* [Download](
https://eprint.iacr.org/2026/1209.pdf)
### Abstract
Homomorphic Advanced Encryption Standard (AES) evaluation refers to evaluating the AES circuit with a fully homomorphic encryption (FHE)-encrypted secret key. Applications include in particular Transciphering, which converts AES-encrypted data into FHE ciphertexts without exposing the secret key.
Existing homomorphic AES evaluations show a clear separation between latency-oriented solutions and throughput-oriented solutions. CKKS-based methods exploit massive SIMD parallelism and focus on throughput by processing many AES blocks in parallel. They are hardly suitable for latency-critical settings. In contrast, TFHE-based methods process a small number of blocks efficiently. They are preferable for low-latency settings, but provide very limited throughput.
In this work, we show that AES-CKKS evaluation can achieve both interactive latency and high throughput. Our first variant is optimized for latency and decrypts a single AES block in only 34ms on an NVIDIA RTX-5090. This is more than 4|u faster than recent TFHE-based state-of-the-art approaches. Our second variant is based on a new embedding of $\textrm{GF}(16)$, the finite field with 16 elements, into CKKS message space. It is optimized for throughput and processes up to 2048 AES blocks at once, achieving over 200KB/s throughput (a more than 3.1|u improvement over the state-of-the-art CKKS-based approaches), while maintaining latency comparable to TFHE-based methods. To the best of our knowledge, this is the first AES-FHE evaluation algorithm combining good latency and throughput properties, bringing homomorphic outsourcing with AES within reach of real-time applications on constrained devices.
Our main ingredients are redundant structures that maximize SIMD utilization, improved algorithms for the SubBytes step (one of them being based on inversion in $\textrm{GF}(256)$ using CKKS), fusion of linear layers into bootstrapping, and carefully crafted FHE parameters.
## 2026/1210
* Title: Uncloneable Cryptography in Linear Quantum Memory
* Authors: Andrew Huang, Omri Shmueli, Vinod Vaikuntanathan, Mark Zhandry
* [Permalink](
https://eprint.iacr.org/2026/1210)
* [Download](
https://eprint.iacr.org/2026/1210.pdf)
### Abstract
Quantum cryptography is a rapidly developing area which leverages quantum information to accomplish classically impossible tasks. In many of these protocols, quantum states are used as long-term cryptographic keys, relying on the quantum no-cloning theorem to ensure that the keys cannot be copied by an adversary. Unfortunately, quantum state tend to decohere, and hence, persistent quantum memory is and will remain one of the most valuable and challenging resources for quantum computers. As such, it will be important to minimize the extent to which our protocols use persistent quantum memory.
In this work, we consider the case of one-shot signatures (OSS), and more general quantum signing tokens, important uncloneable primitives where quantum signing keys allow for signing a single message but not two. Very recently, the first OSS scheme was constructed unconditionally in a classical oracle model as well as in the standard model under cryptographic assumptions (Shmueli and Zhandry, CRYPTO 2025). We observe that the quantum memory required for these protocols is a large polynomial (in the security parameter).
The main contribution of this work is to significantly decrease the quantum secret key size, in some cases achieving the asymptotically optimal size. One of our schemes guarantees perfect correctness and the other one admits a parallel signing algorithm for long messages. We also achieve strong signature incompressibility, which implies a public-key quantum fire scheme (|cakan, Goyal and Shmueli, QCrypt 2025) with perfect correctness.
During the course of this work, we develop novel techniques for proving the security of cryptosystems using coset states, one of the main tools used in uncloneable cryptography.
## 2026/1211
* Title: Private Information Retrieval: Share Conversions vs. Decoding Polynomials
* Authors: Amos Beimel, Or Lasri
* [Permalink](
https://eprint.iacr.org/2026/1211)
* [Download](
https://eprint.iacr.org/2026/1211.pdf)
### Abstract
A private information retrieval (PIR) protocol enables a client to retrieve a bit from an $N$ bit database replicated among $k$ servers in such a way that each server learns no information about the retrieved bit. Modern PIR protocols with information-theoretic privacy (Efremenko, SICOMP, 2012; Dvir and Gopi, STOC, 2015; Ghasemi et al., STOC, 25) are based on matching vectors over a composite number $m$. To construct a PIR protocol from the matching vectors, these protocols use a decoding polynomial, a sparse polynomial that returns a non-zero value on 1 and returns zero on a certain set implied by the matching vectors.
Beimel et al. (CCC, 2012) abstracted the properties required by the transformation computed by the decoding polynomial, defining the notion of share conversion. In such a conversion, a set of parties is given shares of a secret in one secret-sharing scheme, and each party locally computes a new share (without any communication) such that the new shares are shares in a second secret-sharing scheme of a related secret.
Beimel et al. showed that share conversion can replace the decoding polynomial in the PIR protocol of Efremenko and constructed a share conversion from the ring $\mathbb{Z}_6$ to the field $\mathbb{F}_{2^2}$. This share conversion cannot be computed by a decoding polynomial, as decoding polynomials convert shares from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$. Alon et al. (TCC, 2025) simplified and generalized the PIR protocols of Dvir and Gopi and Ghasemi et al., using share conversion; however, in this protocol, the share conversion is from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$.
In this paper, we study the power of share conversions. Our main result proves that if there is a $k$-party share conversion from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$, then there is a $k$ sparse decoding polynomial from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$. This result implies that using share conversion in the protocol of Alon et al. can only improve the communication complexity by a constant factor.
In addition, we show that if there is a $k$-party share conversion from a ring $\mathbb{Z}_m$ to a finite field, where $m$ is a product of $r$ distinct primes, then $k\geq r+1$, i.e., the number of servers in the resulting PIR protocols using the appropriate matching vectors is at least $r+1$. A similar result was recently proved by Ghasemi and Kopparty (ITCS 26); our lower bound also applies to the case in which the characteristic of the field divides $m$.
## 2026/1212
* Title: SecLoRA: Secure Aggregation of Low-Rank Matrix Products via Functional Encryption
* Authors: Jiangtao Li, Wei Zhang, Chen Gong, Jason (Minhui) Xue, Junqing Gong * [Permalink](
https://eprint.iacr.org/2026/1212)
* [Download](
https://eprint.iacr.org/2026/1212.pdf)
### Abstract
Federated fine-tuning of Large Language Models via Low Rank Adaptation (LoRA) faces a critical privacy-efficiency trade-off: low-rank factors can leak sensitive data, yet standard secure aggregation is restricted to linear operations. Existing solutions for aggregating matrix products (e.g., $\mathbf{B}_i \mathbf{A}_i$) either sacrifice exactness, depend on a trusted third party, or incur prohibitive costs at scale. We present SecLoRA, the first decentralized framework achieving exact aggregation of LoRA updates with linear communication complexity. The core of SecLoRA is a novel cryptographic primitive: Pairwise Composable Multi-Client Functional Encryption (PC-DMCFE). Unlike traditional functional encryption, which treats ciphertext recombination as an attack, the dual-encryption architecture of PC-DMCFE ($\mathsf{Enc}_A, \mathsf{Enc}_B$) is intentionally designed to harness this property. It allows any ciphertexts $\mathsf{ct}_A$ and $\mathsf{ct}_B$ to be arbitrarily paired and evaluated via a functional key to reveal their inner product. This unique property enables secure and decentralized aggregation of matrix products without losing LoRA's linear communication advantages. Furthermore, SecLoRA ensures round-isolated decryption to prevent temporal leakage without extra interaction. Evaluation shows that SecLoRA is practical for cross-silo deployments.
## 2026/1213
* Title: Another Look at Non-Frameability in Group Signatures for Anonymous Auctions
* Authors: Cao Shiqi, Keita Emura
* [Permalink](
https://eprint.iacr.org/2026/1213)
* [Download](
https://eprint.iacr.org/2026/1213.pdf)
### Abstract
In addition to anonymity and traceability, which are the primary security properties of group signatures, nonrCaframeability is also defined (Bellare-Shi-Zhang, CT-RSA 2005). This property guarantees that even an adversary colluding with all authorities (the opener and the issuer) cannot produce a signature that frames an honest user, and it is regarded as a security notion that protects users. In this short note, we introduce a new perspective on non-frameability, namely that it can also protect the authorities, and we examine its significance in the context of anonymous auctions, a wellrCaknown application of group signatures. We show that non-frameability serves as an effective countermeasure against situations in which a winning bidder falsely claims not to have placed a bid and accuses the organizer of forgery.
## 2026/1214
* Title: Faster Leader-Based Consensus via Certificates of Exclusivity and Overlapping Iterations
* Authors: Matthieu Rambaud
* [Permalink](
https://eprint.iacr.org/2026/1214)
* [Download](
https://eprint.iacr.org/2026/1214.pdf)
### Abstract
Blockchain consensus protocols, also known as BFT state-machine replication, enable a system of $n$ players to decide an ever-growing chain of blocks. We consider partial synchrony: after an unknown time GST, messages sent by honest players are delivered within an unknown actual delay $\delta$, and a known bound $\Delta$ satisfies $\delta \leq \Delta$. This setting imposes $t<n/3$ corruptions. We study leader-based consensus, a class with the smallest known latency metrics when sufficiently many designated leaders behave honestly.
We consider the mainstream metric of {expected latency in the view-based sense:} for a transaction known to all honest players having entered a post-GST iteration, this is the expected time until that transaction appears in a decided block, under independent random leaders.
We introduce Hamster, a rotating-leader consensus protocol, which reduces this expected latency to $\Delta+4\delta$, down from the previous $1.5\Delta+3.5\delta$ bound achieved by Simplex (Chan-Pass, TCC'23) for the same view-based metric.
Hamster also brings this latency further down to $\Delta+3.5\delta$ for adversaries that do not get publicly caught equivocating.
The main technical novelty is a certificate of exclusivity for a block $B$. It is shown by the next leader as evidence that players can safely vote for a child of $B$. A certificate of exclusivity is an interpolation between a quorum certificate and a timeout certificate, in that it is formed from a mix of votes for a unique block $B$ and complaint votes, proving that $B$ is the only non-dummy block that can still obtain a decision certificate for that iteration.
The other novelty of Hamster is the use of {overlapping iterations: after a process has supported a newer proposal, the protocol may still allow it to support a safe proposal of an earlier iteration}.
This overlap is what allows old honest proposals to be decided in time despite players advancing iterations faster.
We also analyze another metric, called the {pessimistic block proposal time}, which is the time during which a bad leader can delay the proposal of a transaction in a block which will be decided.
Hamster achieves a pessimistic block proposal time of $2\Delta+2\delta$, refined to $2\Delta+\delta$ for leaders not caught equivocating, down from $3\Delta+\delta$ for Simplex.
## 2026/1215
* Title: On the Cryptographic Structure Required for Verifying Qubits
* Authors: James Bartusek, Itay Shalit
* [Permalink](
https://eprint.iacr.org/2026/1215)
* [Download](
https://eprint.iacr.org/2026/1215.pdf)
### Abstract
Classically testing for the presence of anti-commuting operators on a quantum device is a critical tool underpinning recent progress in classical verification of quantum computation. While such tests can be based on cryptographic assumptions, known constructions rely on highly structured assumptions, e.g. trapdoor claw-free functions.
In this work, we seek to explain this state of affairs by constructing strong cryptography from (certain forms of) classical tests of anti-commutation. In particular, we formulate the notion of a test of non-commutation (ToNC), an interactive protocol between a quantum prover and classical verifier in which the prover's final-round response is obtained by measuring one of two binary observables EYaareC, EYaareU depending on the verifier's challenge bit EYaE. We prove that, for a broad range of parameters, ToNC implies classical-communication key agreement (KA), and ToNC combined with one-way functions implies oblivious transfer (OT).
Along the way, we develop tools for and provide the first known results on hardness amplification for post-quantum KA and OT, where communication is classical but adversaries may be quantum. In particular, we prove the following results of independent interest.
- Post-quantum hard-core measure theorem: For any efficiently sampleable high-min-entropy distribution EYE+ over pairs (EYaN,EYaA) such that quantum circuits have advantage at most EYc+ in predicting EYaA from EYaN, there exists a sub-distribution EYaCre+EYE+ of density 1-EYc+ on which EYaA is nearly optimally quantum-hard to predict.
- Post-quantum interactive XOR lemma: Given any classically-interactive protocol, if quantum adversaries have advantage at most EYc+ in guessing a private challenger bit EYaA, then two sequential repetitions reduce the advantage for predicting the XOR of the challenger bits EYaAreUreoEYaAree to at most EYc+-# + negl(EYLa).
## 2026/1217
* Title: Secure Computation against $\mathsf{NC^1}$ Leakage without Secure Hardware
* Authors: Yuyu Wang
* [Permalink](
https://eprint.iacr.org/2026/1217)
* [Download](
https://eprint.iacr.org/2026/1217.pdf)
### Abstract
In this work, we construct (stateful) leakage-resilient circuits (LRCs) secure against bounded-output-length leakage functions computable by \(\mathsf{NC}^1\) circuits under the mild worst-case assumption \(\mathsf{NC}^1 \subsetneq \oplus\mathsf{L}/\mathsf{poly}\), without relying on any leak-free hardware components, thereby resolving the open problem left by Bogdanov, Ishai, and Srinivasan (Journal of Cryptology, 2021) and Wang (CRYPTO 2025).
Concretely, we first construct a leakage-tolerant circuit with succinct setup (sAI-LTC) secure against 2-adaptive \(\mathsf{NC}^1\) leakage, and then generically combine it with a 2-adaptive leakage-resilient composable encoding scheme to obtain the desired LRC.
We further give a direct non-black-box instantiation that optimizes the compiled circuit size at the cost of a slightly larger setup, matching the circuit size of Wang's construction that relies on leak-free hardware while using a more compact setup.
Finally, we show that our sAI-LTC generically implies a fine-grained multi-theorem non-interactive proof system for all \(\mathsf{NP}\), with compact common reference strings, perfect soundness, and multi-theorem zero-knowledge with offline simulation against \(\mathsf{NC}^1\) adversaries.
## 2026/1218
* Title: High-Accuracy, Poisoning-Resilient Frequency Estimation in the Shuffle Model
* Authors: Shaoqiang Wu, Jingyu Jia, Yikuan Zhu, Xinhao Li, Changyu Dong, Zheli Liu
* [Permalink](
https://eprint.iacr.org/2026/1218)
* [Download](
https://eprint.iacr.org/2026/1218.pdf)
### Abstract
We study frequency estimation in the shuffle model of differential privacy under poisoning attacks, where corrupted users may deviate from the local randomizer to inject crafted in-domain messages. Existing shuffle-model protocols face a core tension: achieving low estimation error relies on flexible multi-message noise generation, which can amplify poisoning influence once messages are anonymized by shuffling.
To address this tension, we propose a symmetric binomial-sum noise distribution (i.e., $\mathrm{Bin}(n/2,p) + \mathrm{Bin}(n/2,1-p)$), which preserves high accuracy while limiting the impact of crafted in-domain messages. We realize this distribution via preprocessing-guided noise generation, which routes a balanced collection of mode flags through the shuffler so that each user receives a randomly assigned mode flag that fixes their noise-sampling behavior prior to shuffling. For binary estimation, our protocol requires a single Bernoulli trial per user and at most $2$ messages per user ($1.5$ on average), while bounding the worst-case poisoning influence of a single corrupted user by $O(1/n)$. We extend the protocol to histograms, including large domains via hashing, and provide formal privacy, accuracy, and robustness guarantees. Experiments on real datasets show that our protocols remain resilient under poisoning and reduce MAE by up to nearly $2\times$ over the strongest baseline at comparable per-user communication on small-domain workloads, and stay on par with it on large domains.
## 2026/1219
* Title: Algorithms for solving the isogeny problem with oriented elliptic curves
* Authors: Maria Corte-Real Santos, Arthur Herl|-dan Le Merdy, Joseph Macula, Michael Meyer, Travis Morrison, Eli Orvis
* [Permalink](
https://eprint.iacr.org/2026/1219)
* [Download](
https://eprint.iacr.org/2026/1219.pdf)
### Abstract
We introduce WayFinder, a framework for generalizing the Delfs-Galbraith and SuperSolver algorithms for the supersingular isogeny problem. Our framework extends the search for elliptic curves with an orientation by an order containing $\mathbb{Z}[\ell \sqrt{-p}]$ to more general orders, and we derive a cost model for such generalisations.
Our cost model not only works in a more general context, but also provides more accurate predictions when applied to SuperSolver. We instantiate WayFinder for orders containing $\mathbb{Z}[\ell_1\sqrt{-\ell_2p}]$ where $\ell_i$ are $1$ or primes such that the modular curve $X_0(\ell_2)$ has genus $0$. We then introduce a low-storage algorithm for computing an isogeny between two oriented supersingular elliptic curves, even when the curves are oriented by distinct orders. Together, these provide an algorithm that improves on the state of the art for solving the isogeny problem, and a cost model with potential applications to parameter selection in isogeny-based cryptography.
## 2026/1220
* Title: Explicit Transformations from Edge-Depth-Robust to Node-Depth-Robust Graphs with Improved Concrete Efficiency
* Authors: Jeremiah Blocki, Nathan Smearsoll
* [Permalink](
https://eprint.iacr.org/2026/1220)
* [Download](
https://eprint.iacr.org/2026/1220.pdf)
### Abstract
Depth-robust directed acyclic graphs (DAGs) are an important combinatorial primitive in cryptography, with applications to memory-hard functions, proofs of space, and proofs of sequential work. These applications require node depth-robustness, yet constructing sparse graphs with strong concrete guarantees remains a longstanding challenge. By contrast, edge depth-robust graphs are easier to construct explicitly and achieve better parameters, motivating the problem of efficiently transforming edge-depth-robust graphs into node-depth-robust graphs. We give a new and substantially more efficient transformation from edge-depth-robust graphs to node-depth-robust graphs. We give a new and substantially more efficient transformation from edge-depth-robust graphs to node-depth-robust graphs. Prior work of Blocki and Cinkoske (ITCS 2021) gave a general transformation by replacing each node with an ST-robust graph, resulting in extraordinarily large overhead and relying on non-explicit components. In contrast, our transformation replaces each node with a single superconcentrator rather than an ST-robust graph, yielding an explicit construction whenever the input graph is explicit, with dramatically improved concrete efficiency.
Formally, given an $(e,d)$-edge-depth-robust graph $G$ with $N$ nodes and $m$ edges, our transformation generates a graph $G'=Transform(G_N)$ with $N' = O(m)$ nodes, constant indegree, and $(e/3,\, 2d-1)$-node depth-robustness. We also show that the transformation preserves fractional depth-robustness. Moreover, when $m=\omega(N)$, we show that our transformation can amplify depth --- overcoming a key limitation of prior work. In particular, for any parameter $d'$, we can obtain a constant-indegree graph $G'$ with $N' = O(m+d'N)$ nodes and $(e/3,\, (d-e)d')$-node depth-robustness, yielding asymptotically tighter results in the important setting where $m = \omega(N)$ and $e \geq d$ by setting $d' \sim m/N$. As an application, We provide a novel analysis of Schnitger's edge-depth-robust graph construction (FOCS 1983). We show that the graph $G_n$, which has $N=2^{n+1}-1$ nodes and $m \leq n2^{n}$ edges, is $(e,2d-1)$-edge-depth robust for all $e + d \leq 2^n$. Applying our transformation yields an explicit DAG on $N'$ nodes with maximum indegree $2$ and depth-robustness parameters $e = \Omega(N'/\log N')$ and $d = \Omega(N')$, matching the best known asymptotic trade-offsrCoeven compared with non-explicit constructionsrCowhile improving the best previously known concrete ed-product lower bound by a multiplicative factor of 6.6.
## 2026/1221
* Title: Achieving Shannon Capacity for Computationally Bounded Errors
* Authors: George Lu, Jad Silbak, Daniel Wichs
* [Permalink](
https://eprint.iacr.org/2026/1221)
* [Download](
https://eprint.iacr.org/2026/1221.pdf)
### Abstract
We study error correction in a computationally bounded world, where errors are introduced by an arbitrary polynomial-time adversarial channel. Recent works construct seeded codes in this model, where the encoding and decoding procedure share a public random seed. They achieve significantly better tradeoffs between rate and error tolerance than what is possible information theoretically for unique decoding, essentially matching the parameters of the best known efficiently list-decodable codes. Over the binary alphabet, however, this is still well short of the optimal Shannon capacity with rate $R \approx 1 - H_2(p)$ for a $p < 1/4$ fraction of errors. Even heuristic constructions meeting this target were not previously known. We make progress towards this goal.
- $\textbf{Secret-Key Codes.}$ We first study secret-key codes, where the encoder and decoder share a secret key hidden from the adversarial channel. Lipton (STACS '94) constructed one-time secure secret-key codes achieving Shannon capacity in this setting, but it was unknown whether one can get CPA (resp. CCA) security where the adversary may query an encoding oracle (resp. also a decoding oracle). We construct CCA-secure secret-key codes achieving Shannon capacity via pseudorandom codes (PRCs).
- $\textbf{Seeded Codes (Heuristic).}$ We can heuristically upgrade the resulting secret-key codes to seeded codes by publishing an obfuscation of the encoding/decoding procedures with a hard-coded secret key as a seed. Security holds in the ideal obfuscation model.
- $\textbf{Public-key Codes.}$ We also consider public-key codes, where the decoder has a secret key and the encoder has the corresponding public key. We construct such CPA-secure public-key codes achieving Shannon capacity with unique decoding for $p < 1/4$ errors, and list decoding all the way to $p < 1/2$ errors, assuming PRCs and the subexponential security of standard crypto assumptions (e.g., LWE or DDH or QR or DCR). We also show how to get CCA security in the random oracle model.
Our secret-key and public-key codes meeting Shannon capacity are also simultaneously pseudorandom codes.
## 2026/1222
* Title: UCX is All You Need: A Universal Transform for Committing Authenticated Encryption
* Authors: Mihir Bellare, Rishabh Ranjan, Nujud Senan, Basel Alomair
* [Permalink](
https://eprint.iacr.org/2026/1222)
* [Download](
https://eprint.iacr.org/2026/1222.pdf)
### Abstract
Emerging attacks and applications have motivated the development of transforms that turn a given AE scheme into a committing AE (cAE) one. We give a new transform called UCX with the following attributes: It does not require the starting scheme to be tag based, works for schemes in the broad AE5 framework rather than the limited AE1 one, and preserves both UNAE (Unique Nonce AE) and MRAE (Misuse Resistant AE) security. No prior transform is ``universal'' in the sense of having the combination of all these properties. The use of UCX in place of prior, limited transforms reduces the risk of error and failure in the real world, where choices may be made by application developers and hidden in software libraries. The committing security of UCX is shown in the ideal-cipher model, and its AE5-security in the standard model. To design UCX, we introduce and build a new primitive, that we call a Tweakable Committing Concealer, and that may be of independent interest.
## 2026/1223
* Title: Neon NTT - (Auto)formalised
* Authors: Hanno Becker
* [Permalink](
https://eprint.iacr.org/2026/1223)
* [Download](
https://eprint.iacr.org/2026/1223.pdf)
### Abstract
This document provides a machine-checked Isabelle/HOL formalisation of the modular-arithmetic core of the Neon NTT paper of Becker, Hwang, Kannwischer, Yang, and Yang. We develop parametric theories of Barrett and Montgomery reduction and multiplication; the equivalence of Barrett and Montgomery arithmetic; the doubling- and rounding-Montgomery variants; and correctness and bounds theorems for Neon assembly kernels, against a hand-written model of the word arithmetic underlying the relevant Neon instructions.
The development is a directed auto-formalisation: definitions, theorem statements, and proofs were produced by Claude Opus 4.7 and 4.8 using AutoCorrode's LLM-Isabelle integration layers. The human author set the architecture, chose abstractions and proof strategies, often nudged the model toward shorter or cleaner proofs, and controlled which output entered the development.
This document is auto-generated from the Isabelle sources through IsabellerCOs document preparation system, eliminating drift between prose and formal artifact.
## 2026/1224
* Title: On Arithmetic Private Information Retrieval: Why Code-Based PIR (Usually) Fails
* Authors: Benny Applebaum, Yuval Ishai, Shahar Shechter
* [Permalink](
https://eprint.iacr.org/2026/1224)
* [Download](
https://eprint.iacr.org/2026/1224.pdf)
### Abstract
We initiate the study of arithmetic private information retrieval (APIR) schemes, in which the database is a vector of field elements and the scheme makes a black-box use of the field.
We obtain the following results.
1. Our main result is a negative one: We show that no single-server APIR scheme can achieve non-trivial download cost smaller than $n$ field elements.
We observe that recent proposals for code-based PIR (Holzbaur et al., ISIT'20; Verma and Hollanti, ISIT'24) are arithmetic, and show how to break them within a few minutes on a standard workstation for all suggested parameters.
2. We complement the above by positive results in alternative models. Concretely, we show that with either two servers or a single server with secret-key preprocessing, it is possible to construct computationally secure APIR schemes based on well-studied coding assumptions.
This is achieved by arithmetizing the distributed-point-function-based PIR of Boyle et al.(CCS'16), and by observing that the recent construction of secret-key single-server PIR by Chen et al.(STOC'26) also arithmetizes.
3. Finally, we characterize the existence of information-theoretic two-server APIR schemes in linear-algebraic terms, and show that communication of $O(n^{1/3})$ can be achieved in this setting based on the original approach of Chor et al.(FOCS'95). The optimality of this result remains an interesting open question.
## 2026/1225
* Title: Towards Post-Quantum Secure eSIM Provisioning Protocols
* Authors: Harrison Banda, Hannes Bartz, Juliane Kr|nmer, Michael Meyer, Vincent Quentin Ulitzsch
* [Permalink](
https://eprint.iacr.org/2026/1225)
* [Download](
https://eprint.iacr.org/2026/1225.pdf)
### Abstract
The eSIM specification enables remote SIM provisioning without the need to hand out a physical SIM card. Instead of a physical SIM card, the subscriber downloads a SIM profile, which contains a subscriber's identity and authentication key material, to their embedded UICC, a discrete, embedded chip in the user's phone. This provisioning process is specified in the remote SIM provisioning (RSP) protocol and is secured through contemporary public-key cryptography. However, the potential advent of general-purpose quantum computers threatens the security of RSP.
This paper provides a quantum threat analysis of the RSP protocol, considering both Harvest Now, Decrypt Later attacks and active quantum attacks. To alleviate this threat, this paper introduces PQC-RSP, a post quantum secure version of the RSP protocol. The main challenge we address is the introduction of key encapsulation mechanisms (KEMs) into the RSP protocol, both in a PQC-only and hybrid version, and the security implications of this modification. We prove the security of PQC-RSP and review the performance overhead introduced through the usage of post quantum cryptography.
## 2026/1226
* Title: Changing of the Guards with Two Shares - Security Flaws, Corrrections, and Application to Low-Latency AES
* Authors: Feng Zhou, Gehui Yang, Junhuai Yang, Hua Chen, Limin Fan
* [Permalink](
https://eprint.iacr.org/2026/1226)
* [Download](
https://eprint.iacr.org/2026/1226.pdf)
### Abstract
Masking stands as one of the most effective countermeasures against side-channel attacks. While a number of recent works have investigated first-order masking schemes that eliminate the need for fresh randomness, most existing solutions trade off this randomness reduction against increased latency or area overhead. This paper targets the simultaneous achievement of low latency and zero fresh randomness. To this end, we make the following contributions. First, we identify a security flaw in the round-based design proposed by Askeland et al.\ at CARDIS 2022, which builds upon the Changing of the Guards (COTG) technique. Second, we propose a revised construction that rectifies this vulnerability without incurring any additional randomness or latency penalty. Finally, by integrating the Time Sharing Masking (TSM) S-box introduced at CHES 2025, we present a first-order masked AES implementation with a latency of 20 clock cycles that requires no fresh randomness.
## 2026/1227
* Title: Chosen Ciphertext Secure Pseudorandom Codes in the Standard Model
* Authors: Nico D||ttling, Antoine Joux, Venkata Koppula, Mahesh Sreekumar Rajasree, Hendrik Waldner
* [Permalink](
https://eprint.iacr.org/2026/1227)
* [Download](
https://eprint.iacr.org/2026/1227.pdf)
### Abstract
Pseudorandom codes (PRCs), recently proposed by Christ and Gunn (CRYPTO'24), are encryption schemes that have pseudorandom ciphertexts and a decryption algorithm which is resilient against a bounded number of Hamming errors. This notion provides a significant strengthening over standard PKE and has exciting applications in, e.g., watermarking LLMs. The recent work of Alrabiah et al. (STOC'25) initiated the study of CCA-secure public-key PRCs, where the adversary is additionally given access to a decoding oracle. In terms of realizations, they provide one that can be proven secure in the random oracle model. Constructing CCA-secure public-key PRCs in the standard model remained an open problem.
In this work, we resolve this problem and provide the first construction of CCA-secure public-key PRCs in the standard model. Our construction achieves a constant rate and can decode from a constant fraction of adversarial errors. In fact, our construction is a general blueprint that can be instantiated from a broad range of standard cryptographic assumptions.
As an additional contribution, we construct a strong adaptively robust public-key pseudorandom code with conjectured sub-exponential security based on a new family of assumptions we call Noisy McEliece. In a nutshell, these assumptions mask a scrambled generator matrix from an efficiently decodable inner-code family with sparse Bernoulli noise; this additional error is meant to obscure the algebraic structure targeted by known attacks and thereby permits candidate instantiations from broader classes of codes.
## 2026/1228
* Title: Advancing Pseudorandom Codes: Beyond Parity Checks and Standard-Model CCA1 Security
* Authors: Yu Chen, Xinyu Mao, Hongxu Yi
* [Permalink](
https://eprint.iacr.org/2026/1228)
* [Download](
https://eprint.iacr.org/2026/1228.pdf)
### Abstract
Pseudorandom codes (PRCs) are error-correcting codes whose codewords are computationally indistinguishable from uniform random strings,
a primitive motivated by the need to robustly watermark generative AI models. While recent breakthroughs have established the feasibility of PRCs,
critical challenges remain regarding the diversity of their underlying cryptographic assumptions and their security against active adversaries.
This work advances the study of PRCs on two complementary fronts: structural diversity and advanced security.
On the structural side, we propose a novel PRC template that departs from the prior one based on sparse parity-check trapdoors.
We introduce a new LPN-type assumption, formalized as Dense-Planted LPN,
which postulates $(\mathbf{M}\mathbf{T}, \ \mathbf{M}\mathbf{T}\mathbf{s}+\mathbf{e})\ \approx_c\ (\mathbf{M}\mathbf{T}, \ \mathbf{u})$,
where $\mathbf{T}$ is a random dense matrix and $\mathbf{M}$ is sampled from a distribution containing a planted structure.
This hidden structure enables a completely new decoding mechanism based on a local-window search rather than global parity checks.
Notably, this template provides a viable path toward constructing PRCs from assumptions beyond code-based ones, including Learning with Errors (LWE) assumptions.
On the security side, we construct the first public-key PRC secure against pre-challenge chosen-codeword attacks (CCA1) in the standard model.
In realistic watermarking deployments where detectors are exposed as public services, CCA security is essential.
However, prior CCA-secure PRCs were only achievable in the random oracle model.
By formally introducing and instantiating a robust tag-based equivocal bit commitment scheme combined with robust hinting PRGs,
we demonstrate that CCA1 security can be achieved in the standard model without sacrificing decoding robustness.
## 2026/1229
* Title: Invisible Traces: Subversion Attacks on Batch-Issued Credentials
* Authors: Anna-Birgitta Burmeister, Anna Fennig, Andreas Franke, Karla Friedrichs, Anja Lehmann, Kurt-Kester Lei|fering, Konrad Letz, Cavit |uzbay
* [Permalink](
https://eprint.iacr.org/2026/1229)
* [Download](
https://eprint.iacr.org/2026/1229.pdf)
### Abstract
All EU member states are required to roll out a digital identity system - the European Digital Identity (EUDI) wallet - by the end of 2026. Strong privacy is at the core of the underlying regulation, which mandates the EUDI wallet to support selective disclosure and unlinkability. The wallet currently being developed relies on the batch issuance of one-time ECDSA credentials that sign attributes through individually salted hashes for selective disclosure. This solution is known to achieve only a weak form of unlinkability, where the credential issuer must be honest: a malicious issuer could trace users through the salted hashes it signs and the signature value itself. But such a tracing attack requires the issuer to store all signed data and communicate with the verifying parties for tracing, which can be argued to be too cumbersome or obvious to happen in reality. In this work, we therefore initiate the study of a more subtle type of subversion attacks. Therein, the issuer can deviate from the issuance protocol, with two goals:
(i) enabling verifiers in possession of a short tracing key to de-anonymize users and
(ii) keeping this deviation undetectable from users.
We formalize unlinkability against such subversion attacks, and show that batch-issued credentials with salted hashes do not achieve that form of privacy. We present several undetectable subversion attacks against batch-issued ECDSA credentials and suggest lightweight mechanisms to provably mediate them.
## 2026/1230
* Title: Formula Freshness for Staged Hybrid Authenticated Key Exchange
* Authors: Anis Bkakria, Merland Chrislain Chadrel BAFOUETILA
* [Permalink](
https://eprint.iacr.org/2026/1230)
* [Download](
https://eprint.iacr.org/2026/1230.pdf)
### Abstract
Hybrid post-quantum migration is entering deployed handshake designs, but hybrid KEM security protects only one shared-secret input. It does not by itself say whether handshake, application, exporter, or resumption material remains pseudorandom after branch reveals, stage-key reveals, selective corruptions, or late corruptions. We characterize these staged claims through branch-formula freshness: each stage receives a monotone formula over branch exposure, authentication freshness, transcript binding, KDF ancestry, and explicit non-reveal atoms. Secrecy follows by replacing a surviving branch contribution and then using a labelled HKDF/PRF-style target-hiding argument along a fresh KDF cut; agreement follows separately from authentication binding and injective transcript representation. We also give selector-local accounting, where a fixed admissible witness selector determines which surviving branches and KDF cuts are charged. For scoped TLS 1.3 ECDHE--ML-KEM 1-RTT, we identify the branch-replacement, HKDF-path, and binding assumptions that imply concrete preservation bounds for handshake, application, exporter, and resumption targets.
## 2026/1231
* Title: The Best of Both Worlds: Hybrid Authenticated Key Exchange for QKD(N) without Signatures
* Authors: Sebastian Clermont, Johanna Henrich
* [Permalink](
https://eprint.iacr.org/2026/1231)
* [Download](
https://eprint.iacr.org/2026/1231.pdf)
### Abstract
Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) are both contenders for securing communication against quantum adversaries, but are at different stages of maturity. For hedging security risks, hybridization is the default approach. Unlike previous research on classicalrCopost-quantum hybrids, we propose a QKD-PQC hybrid for Authenticated Key Exchange (AKE).
To minimize the attack surface, we completely remove the requirement for digital signature schemes and propose a Hybrid Authenticated Key Exchange (HAKE) that combines Post-Quantum (PQ) AKE and QKD key agreement, leveraging Key Encapsulation Mechanisms (KEMs) for both key exchange and authentication. Our fully modular security analysis, based on the recent multi-input Key Derivation Function (KDF) framework by Backendal et al. (Eurocrypt 2025), establishes AKE security in the CK01 model and yields a conditional information-theoretic security guarantee when the QKD component is uncompromised; a property not achieved by prior hybrid protocols. We demonstrate the protocolrCOs practical feasibility with benchmarks using ML-KEM, FrodoKEM, and Classic McEliece.
## 2026/1232
* Title: A Heuristic Subexponential Attack on the McEliece Cryptosystem
* Authors: Pierre Briaud, Axel Lemoine, Hugues Randriambololona, Jean-Pierre Tillich
* [Permalink](
https://eprint.iacr.org/2026/1232)
* [Download](
https://eprint.iacr.org/2026/1232.pdf)
### Abstract
We provide a new way of performing an algebraic attack on the McEliece cryptosystem based on binary Goppa codes. It also applies in general to the case where the field over which the Goppa code is defined is of even characteristic. It is based on a new algebraic modeling for finding as in [CMT23,M25,BLT26] matrices of rank $2$ in the code of quadratic relations related to the Goppa code that is attacked. Such matrices are then used to recover the secret algebraic structure of the code, from which an equivalent secret key can be efficiently derived, leading to a full key-recovery attack. A byproduct of our approach is a new distinguisher for Goppa codes in even characteristic which is as the syzygy distinguisher of [R25] subexponential in the security parameter of the scheme. We demonstrate the effectiveness of our attack on McEliece TII challenges, some of which having been studied in [BLT26], and aimed at having $83$,$89$,$119$,$166$, $210$ and even $248$ bit security respectively and CFS keys with parameters $r=9$ and $m=16$, corresponding to a security of $74.9$ bits according to [LS12]. This CFS key was not attacked in practice in [BLT26] and took us 14 hours of computation and 24GB of RAM. We make the conjecture that this attack has a complexity which is of the same nature as the distinguisher, namely subexponential in the security parameter.
## 2026/1233
* Title: Implementation of Learning with Errors in Non-Commuting Multiplicative Groups
* Authors: Aleksejus Mihalkovich, Lina Dindiene, Eligijus Sakalauskas
* [Permalink](
https://eprint.iacr.org/2026/1233)
* [Download](
https://eprint.iacr.org/2026/1233.pdf)
### Abstract
In this paper, we demonstrate a way to generalize learning with errors (LWE) to the family of so-called modular-maximal cyclic groups which are non-commuting. Since the group $\mathbb{M}_{2^t}$ has two cycles of maximal multiplicative order, we use this fact to construct an accurate criterion for restoring the message bit with overwhelming probability. Furthermore, we implement the original idea by O. Regev in the considered group to gain benefits from the non-commutativity of $\mathbb{M}_{2^t}$. Also we prove that using this approach we can achieve a level of security comparable to the original idea.
## 2026/1234
* Title: Designing Incentives for Responsive Consensus Protocols
* Authors: Mahimna Kelkar, Ertem Nusret Tas, Maryam Bahrani, Tim Roughgarden
* [Permalink](
https://eprint.iacr.org/2026/1234)
* [Download](
https://eprint.iacr.org/2026/1234.pdf)
### Abstract
Modern consensus protocols often aspire to be responsive---that is, to confirm transactions in time proportional to the actual network delays as opposed to a (typically much larger) worst-case bound on network delays.
Responsiveness can yield substantial practical improvements in both protocol latency and throughput.
In blockchain settings, however, block proposers commonly have economic incentives (most notably MEV) to delay their blocks, a phenomenon repeatedly observed in practice, e.g., in the block production supply chains for Ethereum and Solana. Such incentives clash with responsiveness in existing protocol designs.
This paper develops a rigorous framework for designing incentive-compatible responsive consensus protocols. We first consider the canonical case of single-leader protocols and establish feasibility results characterizing the conditions on the distribution of network latency under which responsiveness can be incentivized through a suitable reward function. We further quantify the amount of stake required from the leader to deter dishonest delays.
We then show strong positive results for protocols with multiple leaders, demonstrating that the multi-leader approach is fundamentally superior to single-leader designs for resolving the tension between responsiveness and incentive-compatibility: by forcing leaders to compete for rewards, much of the burden otherwise placed on the incentive mechanism is alleviated. Notably, this results in simpler reward mechanisms with no stake requirements that also remain feasible in parameter regimes which are provably impossible under a single leader.
## 2026/1235
* Title: Authenticated Data Structures for Dynamic Workloads
* Authors: Ziheng (Tom) Shangguan, Aviv Yaish, Dahlia Malkhi
* [Permalink](
https://eprint.iacr.org/2026/1235)
* [Download](
https://eprint.iacr.org/2026/1235.pdf)
### Abstract
We introduce the Huffman-Merkle Tree (HMT), an authenticated data structure (ADS) optimized for dynamic workloads where some items may be more frequently accessed than others, and access frequencies change over time. An ADS allows proving item membership against a short commitment to a large mutable state, with applications including verifiable storage, Internet transparency services, and blockchains. Optimizing ADS performance under continuously changing access frequencies has not been fully addressed before, neither in theory nor in practice. HMT tackles access skew via tiering: "hot" items are stored according to a Huffman coding layout where frequently accessed items are closer to the root and thus contribute less to overall costs, while a binary Merkle Tree (MT) is used for cold and new elements to lower their update overhead. To efficiently handle dynamic workloads, we incrementally apply and batch layout changes, track access frequencies via count-min sketch, use a tier promotion cache, and consider various tier migration policies. We implement HMT and compare it on real-world data against Ethereum's Merkle Patricia Trie (MPT) ADS and its proposed replacement, the Unified Binary Tree (UBT). Our evaluation considers two metrics: the amount of hashing per ADS update and access-weighted membership-proof size. The latter metric captures both the cost of accessing each item and its access frequency. We find that the best HMT policy uses about 2.4x and 0.34x less average hash operations than MPT and UBT respectively, while featuring proofs shorter by 0.18x than MPT and 0.55x than UBT.
## 2026/1236
* Title: New bounds on private simultaneous quantum message passing
* Authors: Uma Girish, Alex May, Natalie Parham, Henry Yuen
* [Permalink](
https://eprint.iacr.org/2026/1236)
* [Download](
https://eprint.iacr.org/2026/1236.pdf)
### Abstract
In the private simultaneous message (PSM) setting, $k$ players obtain inputs $x_i\in\{0,1\}^n$ and then independently send messages to a referee, who should learn $f(x_1,...,x_k)$ but no other information about $(x_1,...,x_k)$. The PSM setting was introduced as a minimal model for secure multiparty computation. In the quantum setting, PSM has been related to non-local quantum computation (NLQC), and has several connections to the complexity of Boolean functions. The communication and correlation cost of implementing private simultaneous message passing may be much larger than the cost without privacy, and the cost of privacy in this setting remains poorly understood. Here, we give new upper and lower bounds on the PSM model, in both the quantum and classical settings. Concretely, we prove two lower bounds:
1) Ne-iiporuk's measure lower bounds the entanglement required for $k$-player quantum PSM with perfect correctness. This can be evaluated to give quadratic lower bounds for some explicit functions.
2) The rank of the communication matrix of $f(x_1,x_2)$ lower bounds 2-player quantum PSM with perfect privacy but imperfect correctness. This implies a previously unknown lower bound on classical PSM with imperfect correctness.
When allowing both quantum communication and shared entanglement, these two bounds are the first lower bounds on quantum PSM that make use of the privacy condition. Regarding upper bounds, we show:
1) Letting $s$ be the size of a quantum circuit computing $f$, $d_f$ be the circuit depth, $k$ the number of players, $n$ the number of bits received by each player, and $\epsilon$ the correctness parameter of the PSM protocol, we obtain the upper bound $\mathsf{PSM}_k^*(f) \leq (kn +s) \cdot \log^{O( d_f)}(s/\epsilon)$.
2) The square of the Fourier 1 norm of $f$, $\Vert \hat{f}\Vert_1^2$, upper bounds the classical PSM complexity, $\mathsf{PSM}(f)\leq O(\Vert \hat{f} \Vert^2_1)$.
In proving the first upper bound, we also generalize existing $T$-depth based techniques for NLQC from $2$ to $k\geq 2$ parties, and consider cases where the Clifford layers are restricted to having small light cones. These generalizations may be of independent interest.
## 2026/1237
* Title: SING: Improving the Efficiency of MPC Protocol Assignment using Graph Neural Networks
* Authors: Jannis Bl|+ml, Moritz Huppert, Nora Khayata, Joachim Schmidt, Thomas Schneider
* [Permalink](
https://eprint.iacr.org/2026/1237)
* [Download](
https://eprint.iacr.org/2026/1237.pdf)
### Abstract
Secure Multi-Party Computation (MPC) enables private computation, but has significantly higher overhead than plaintext execution. Hybrid MPC compilers improve concrete efficiency by mapping distinct computation parts to contextually optimal MPC protocols. However, state-of-the-art systems like Silph (Chen et al., S&PrCO23) depend on deployment-specific cost models that are cumbersome to retune, and compute mappings via brittle heuristics or costly Integer Linear Programming (ILP), limiting scalability and portability across protocols and deployment settings.
We present SING, the first machine-learning-based framework for hybrid MPC share assignment. SING leverages Graph Neural Networks (GNNs) for: (1) imitation of SilphrCOs assignments, accelerating share assignment by up to $76,697\times$ with comparable quality; and (2) cost-driven learning, where we train a GNN cost predictor on synthetic or empirical costs (e.g., runtime or communication), freeze it, and train the share-assigning GNN to minimize predicted costs. The latter supports expressive non-linear cost models, avoiding ILP's linearity constraints, and enables retargeting to new protocol suites and deployment settings by re-fitting the predictor. Finally, we release our synthetic benchmark resources, including a dataset of 704 MPC circuits with wide-ranging hybrid assignments.
## 2026/1238
* Title: On the Additive Sensitivity of LZ77 Under Consecutive Edits
* Authors: Jeremiah Blocki, Seunghoon Lee
* [Permalink](
https://eprint.iacr.org/2026/1238)
* [Download](
https://eprint.iacr.org/2026/1238.pdf)
### Abstract
We revisit the problem of mitigating information leakage in the widely used but insecure compress-then-encrypt paradigm. While encryption hides message contents, the ciphertext length is directly related to the length of the compressed message, which may, in turn, leak information about the {\em content} of the message itself. Recent work of Blocki et al. (TCC 2025) proposed an $(\varepsilon,\delta)$-differentially private approach that adds randomized padding calibrated to the global sensitivity of the compression algorithm, and showed that the global sensitivity of LZ77 is $O(W^{2/3}\log n)$, where $n$ is the input length and $W$ is the sliding
window size.
However, prior analysis focused only on sensitivity with respect to single-character edits, which leads to limited privacy guarantees when protecting longer substrings such as passwords, passphrases, cookies, or confidential user records. A natural attempt to handle longer secrets is to appeal to group privacy, but for approximate differential privacy, this leads to very poor parameter degradation: in particular, the effective value of $\delta$ can grow exponentially with the group size $g$. In this work, we introduce and study the sensitivity of compression schemes under block edits. Specifically, we define two strings to be $g$-neighbors if they differ only within a contiguous interval of length $g$.
Our main technical contribution is a nearly tight characterization of the $g$-consecutive sensitivity of LZ77. We show that the $g$-consecutive sensitivity of both LZ77 variants (with and without self-referencing) is at most $O((W^{2/3}+g+\sqrt{Wg})\log n)$. In particular, when $g \leq W^{1/3}$, the bound simplifies to $O(W^{2/3}\log n)$, matching the known bound for single-character edits. Thus, calibrating noise to the single-character sensitivity of LZ77 already suffices to protect much longer contiguous substrings. We provide matching lower bounds to demonstrate that our upper bound is tight, e.g., when $n=W=O(g^2)$, the $g$-consecutive sensitivity of LZ77 is at least $\tilde{\Omega}(g^{1.5})$, matching the $\sqrt{Wg}=O(g^{1.5})$ term from our upper bound up to a logarithmic factor.
## 2026/1239
* Title: Balanced Additive Randomized Encodings for Shuffle Differential Privacy
* Authors: Yu Wei, Jaspal Singh, Adya Agrawal, Vassilis Zikas
* [Permalink](
https://eprint.iacr.org/2026/1239)
* [Download](
https://eprint.iacr.org/2026/1239.pdf)
### Abstract
Shuffle differential privacy (shuffle DP) offers an attractive distributed alternative to standard differential privacy. It uses a secure shuffler to permute users' randomized encodings, providing individual data privacy without a central trusted entity. A key challenge, however, is to achieve both generality and client efficiency. Under information-theoretic shuffle-DP guarantees, protocols that nearly match central-model utility are restricted to statistical tasks such as summation and histograms. In contrast, in the computational setting, additive randomized encodings (ARE), introduced by Halevi et al. (CRYPTO 2023), yield a generic compiler that achieves central-model utility for arbitrary mechanisms. However, their construction incurs prohibitive worst-case computation and communication costs for clients, making it impractical for resource-constrained devices such as mobile phones, IoT sensors, and web browsers.
In this work, we present a client-efficient one-round compiler from central DP to non-robust computational shuffle DP. To achieve this, we first construct a new balanced ARE scheme, where all the clients almost equally share the computational burden in the protocol. For a mechanism $M$ over $n$ clients, this reduces the worst-case per-client computation from $O(|M|)$ in prior work to $O(|M|/n)$, where $|M|$ denotes the circuit complexity of the mechanism. The key technical ingredient is a new permute-XOR ARE primitive that enables wire splicing across independently generated garbled subcircuits. Secondly we design a more efficient ARE-to-shuffle compiler, whose client bandwidth scales with the sparsity and cross-partition structure parameter of the ARE encoding - a quantity that is always sublinear in $n$. This is an improvement over Halevi et al. (CRYPTO 2023) where each client bandwidth is $\Omega(n)$. At a high level, the first contribution improves client computation while the second improves client bandwidth.
We provide an implementation of our generic compiler for differentially private tasks including selection, distinct elements, and linear contextual bandits. We obtain shuffle protocols that match the utility of their central-model counterparts with reasonable client overhead. We evaluate our method across a range of practical settings, and observe substantial gains over the compiler of Halevi et al., with per-client computational and bandwidth speedups increasing linearly in the number of clients.
## 2026/1240
* Title: Adaptive attacks on FESTA variants with masked-degree isogenies
* Authors: Tomoki Moriya
* [Permalink](
https://eprint.iacr.org/2026/1240)
* [Download](
https://eprint.iacr.org/2026/1240.pdf)
### Abstract
FESTA is an isogeny-based trapdoor function proposed as a high-performance alternative in isogeny-based cryptography. Its core design principles have inspired a number of related constructions, collectively referred to as FESTA variants.
The MOXZ attack is an adaptive attack that exploits malicious ciphertexts together with access to a checking oracle, aiming to compromise FESTA and its variants. This attack applies to FESTA variants whose secret keys are derived from isogenies of known degree; however, it does not extend to variants employing masked-degree isogenies.
In this work, we present a novel adaptive attack that generalizes the MOXZ attack. Our attack successfully targets several FESTA variants even when their secret keys are isogenies of masked degree. We also identify POKE-4D as an exception for which our attack does not appear to be applicable.
## 2026/1241
* Title: PoW Micronomics: A Fine-Grained Model for the Economic Analysis of Proof-of-Work Blockchains
* Authors: Juan Garay, Yun Lu, Julien Prat, Brady Testa, Vassilis Zikas
* [Permalink](
https://eprint.iacr.org/2026/1241)
* [Download](
https://eprint.iacr.org/2026/1241.pdf)
### Abstract
Following the cryptographic security analyses of proof-of-work (PoW) blockchain protocols, a line of research has focused on their economic robustness. The two core questions asked are: How resilient is the system to rational attacks, and how profitable it is for miners to execute it. However, to our knowledge, no work to date has attempted to address them considering the full complexity of the blockchain protocol, including difficulty readjustment, which is needed to handle dynamic participation, price fluctuations, and the impact of risk.
In this work, we provide a fine-grained game-theoretic analysis for Nakamoto-style PoW blockchains, which takes into account both incentives of parties to deviate and complications introduced by difficulty readjustment. Our results employ the Rational Protocol Design framework of Garay et al. [FOCSrCO13] and extend recent works on the economic robustness of the Bitcoin backbone protocol to the variable difficulty setting.
Notably, our fine-grained specification of minersrCO utility incorporates variable difficulty adjustment alongside factors like the average cost of mining and the depreciation factor, which, despite being common in economics, are typically either abstracted as exogenous parameters or ignored in the blockchain literature. We showcase the expressivity and usefulness of our formulation of utilities by using it to provide estimates and trends for such factors across several real-world cryptocurrencies.
## 2026/1242
* Title: SoK: The Constant Time Model
* Authors: Billy Bob Brumley
* [Permalink](
https://eprint.iacr.org/2026/1242)
* [Download](
https://eprint.iacr.org/2026/1242.pdf)
### Abstract
Constant time programming patterns is the primary defense
against timing attacks on cryptographic implementations,
yet what "constant time" means varies across academia and industry.
This work systematizes constant time models and their evolution,
identifies a recurring gap between what models protect and what specifications assume,
and distills an offensive methodology for discovering timing vulnerabilities that originate outside the cryptographic primitive boundary.
Applying this methodology,
we locate a specification-level vulnerability related to private key loading, and confirm the leak in both OpenSSL and BoringSSL.
Counterintuitively,
BoringSSL's per-observation signal is several orders of magnitude stronger than OpenSSL's,
despite an explicitly stricter threat model.
## 2026/1243
* Title: LendLocked: Privacy & Transparency for Digital Library Lending
* Authors: Boya Wang, Peter Hall, Sunoo Park
* [Permalink](
https://eprint.iacr.org/2026/1243)
* [Download](
https://eprint.iacr.org/2026/1243.pdf)
### Abstract
Digital library lending is a critical resource for access to information. Currently prevalent models of digital lending, however, involve
opaque licensing schemes that entail serious drawbacks to reader
privacy and freedom of expression. In popular modern library apps,
publishers and hidden intermediaries control a wealth of informa-
tion about readers and reading habits, at a scale and level of detail
that would be essentially impossible in physical library lending.
To understand digital lending needs in practice, our work begins
with a series of interviews with library professionals (EYaU= 11). We
present thematic findings on their concerns with existing systems,
including privacy, surveillance, preservation, and lack of library
control over resources. Many of the concerns raised are inherently unproblematic in the context of physical library lendingrColeading us
to our central technical question: Can digital lending achieve privacy
and transparency at least as strong as physical library lending?
Based on our qualitative findings, we provide the first rigorous
modeling of security, privacy, and transparency requirements in
digital library lending. As existing systems fall short of the strong guarantees we model, we propose a new system design, LendLocked,
based on cryptography and trusted hardware, and prove it achieves
these guarantees in the random oracle model. We micro-benchmark
our designrCOs key cryptographic functionalities, s
## 2026/1244
* Title: Resource Estimation of a Distributed Quantum Algorithm for Elliptic Curve Discrete Logarithms
* Authors: MohamadAli Khajeian
* [Permalink](
https://eprint.iacr.org/2026/1244)
* [Download](
https://eprint.iacr.org/2026/1244.pdf)
### Abstract
Evaluating the quantum security of elliptic-curve cryptosystems requires precise resource estimations for solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) on fault-tolerant quantum hardware. In monolithic implementations of Shor's algorithm, the required number of logical qubits remains a formidable constraint, primarily dictated by the modular inversion subroutine during point addition. To overcome this architectural limitation, we investigate a recently proposed distributed quantum discrete logarithm framework, apply it to the elliptic curve setting, and conduct a comprehensive resource estimation. The algorithm decomposes the global scalar search space into compact candidate subsets, verifying whether the secret scalar is contained within a given window via a classical dichotomy-driven coordinator. This distributed approach requires no quantum communication between nodes and operates entirely with minimal classical communication overhead, while significantly reducing the necessary control register width. By synthesizing this framework with the state-of-the-art, space-efficient reversible modular inversion circuits of Luo et al. (2026), we model a dual compression of the quantum memory footprint. Our analytical and concrete resource benchmarks demonstrate that the single-node logical qubit requirement for breaking a cryptographically relevant 256-bit curve drops to between 1080 and 1140 qubits. This represents a substantial reduction below existing monolithic baselines and establishes the lowest logical qubit threshold per processing node for distributed quantum cryptanalysis reported to date.
## 2026/1245
* Title: Accountable Asynchronous Multi-Party Computation
* Authors: Pierre Civit, Rachid Guerraoui
* [Permalink](
https://eprint.iacr.org/2026/1245)
* [Download](
https://eprint.iacr.org/2026/1245.pdf)
### Abstract
In non-synchronous networks, classic partition arguments imply that any $t\text{-resilient}$ protocol among $n$ parties cannot ensure safety for many meaningful functionalities once the number of corruptions reaches $f \geq n - 2t$. This motivates building in accountability to detect (and deter) safety violations.
We present the first accountable asynchronous MPC (AAMPC) protocol that securely evaluates any arithmetic circuit $\mathcal{C}$ (asynchronously computable by a trusted third party). Our protocol:
(1) Ensures all target hyperproperties (correctness, privacy, input-independence, and guaranteed output delivery) whenever $f \leq t < n/3$.
(2) Provides strong accountability for $f \in (t,\,t_{\mathrm{acc}}]$ with $t_{\mathrm{acc}} < n - t$: either
(i) all hypersafety properties continue to hold (without guaranteed output delivery), or
(ii) every honest party obtains publicly verifiable evidence implicating at least $n - 2t$ faulty processes.
The construction follows the standard offline/online paradigm and assumes only a transparent setup: a bulletin-board public key infrastructure (PKI) and a common random string (CRS).
Our main technical contribution is an accountable additively homomorphic high-threshold asynchronous complete (verifiable) secret sharing functionality with amortized linear communication for both sharing and reconstruction.
This yields an efficient online phase with $O\big(\mathsf{Depth}(\mathcal{C})\big)$ latency and amortized $O(|\mathcal{C}|n)$ communication.
We additionally provide a constant-round offline phase with cubic communication per generated Beaver triple.
Our results are formalized and proven in the Accountable Universal Composability (AUC) framework (S&P 2023), an extension of UC designed to support modular analysis of accountability guarantees.
## 2026/1246
* Title: A Note on Combined Attacks on Fallen Sanctuary
* Authors: Enanko Basak, Sayandeep Saha
* [Permalink](
https://eprint.iacr.org/2026/1246)
* [Download](
https://eprint.iacr.org/2026/1246.pdf)
### Abstract
Leakage-resilient rekeying schemes aim to maintain cryptographic security
in the presence of side-channel leakage by periodically refreshing ephemeral keys
before sufficient information can be accumulated by an adversary. Fallen Sanctuary
(LR4) is a recent higher-order leakage-resilient rekeying construction that achieves
exponential security amplification with respect to the number of primitive encryption
invocations and the number of traces required to compromise the physical security
of the implementation. Its security, however, relies on the correct maintenance of
internal counters and cached intermediate keys that enforce the prescribed trace
bounds.
In this work, we investigate the security of LR4 under a combined fault and side-
channel attack model. We show that transient faults targeting the counter-update
and counter-validation mechanism can prevent the advancement of the rekeying state,
causing repeated reuse of temporal keys that are intended to be short-lived. As a
consequence, the bounded-trace assumptions underlying the LR4 security proof no longer hold. We demonstrate that an adversary can accumulate an arbitrary number
of leakage traces corresponding to the same secret state, effectively reducing the
security of the protected primitive to that of a conventional implementation without
rekeying.
We evaluate the attack on a fault simulated implementation and analyze its impact
on the leakage-resilience guarantees claimed by LR4.
Our findings emphasize that leakage-resilient rekeying schemes must consider fault-
induced violations of state evolution assumptions in addition to conventional side-
channel leakage.
## 2026/1247
* Title: Practical Attacks on a Decentralized Secure Messenger Session
* Authors: Kota Urushigaki, Hayato Kimura, Atsushi Tanaka, Takanori Isobe
* [Permalink](
https://eprint.iacr.org/2026/1247)
* [Download](
https://eprint.iacr.org/2026/1247.pdf)
### Abstract
Session is a widely deployed decentralized messenger application that emphasizes user anonymity and privacy through end-to-end encryption. Session currently employs its own uniquely designed messaging protocol, Session Protocol V1, having migrated from the extensively studied Signal Protocol. In this paper, we conduct a comprehensive, implementation-driven security analysis of the Session Protocol V1, focusing on its 1-to-1 and closed-group communication mechanisms. Our analysis reveals two fundamental design vulnerabilities: the absence of mutual public key authentication and the lack of cryptographic bindings to monotonic sequence counters. Exploiting these weaknesses within the context of actual application environments, we demonstrate three practical attacks: an impersonation attack, a message timestamp forgery attack, and message dropping and replay attacks. These attacks allow malicious server nodes or unprivileged malicious insiders to substitute public keys, silently suppress or duplicate messages, and manipulate the perceived chronological order of conversations. The findings highlight that these exploits severely undermine the fundamental security guarantees of the messenger. Finally, we propose immediate, actionable mitigation strategies to address the identified flaws and secure the protocol against these threats.
## 2026/1248
* Title: Atlantis: Lattice-based Anonymous Tokens with Private Metadata Bit
* Authors: Foteini Baldimtsi, Aayush Yadav
* [Permalink](
https://eprint.iacr.org/2026/1248)
* [Download](
https://eprint.iacr.org/2026/1248.pdf)
### Abstract
Anonymous tokens with private metadata bit (ATPM) allow an issuer to embed a hidden trust flag, as a single bit, within issued tokens. The bit remains hidden from the clients, but verifiers can read the bit and rate-limit or discard tokens marked suspect. A series of ATPM constructions exist in the literature, however all current constructions rely on classical hardness assumptions such as RSA groups, pairings, or elliptic-curve VRFs and do not provide any post-quantum security guarantees.
In this work we present, the first ATPM scheme based on lattice assumptions. Tokens generated with our scheme are publicly verifiable, and privately bit-extractable given partial knowledge of the issuing authority's secret. Our design follows the Fischlin blind-signature paradigm and enriches it with lattice-based linearly-homomorphic encryption to carry the hidden bit.
We also instantiate our scheme from Falcon-512 and the efficient LNP22 lattice NIZK proof system (Lyubashevsky et. al, Crypto '22). The resulting protocol, which we call $\textsf{Atlantis}$, requires 70 KB of client-issuer communication and yields 129 KB tokens.
## 2026/1249
* Title: A family of invertible shift-invariant maps with strong arithmetic properties
* Authors: Xiao-Xin Zhao, Deng Tang, Zhong-Xiao Wang, Qun-Xiong Zheng
* [Permalink](
https://eprint.iacr.org/2026/1249)
* [Download](
https://eprint.iacr.org/2026/1249.pdf)
### Abstract
Shift-invariant maps have been employed to design nonlinear layers in many symmetric cryptographic schemes, such as the $\chi$-map used in Keccak. In this paper, we study the shift-invariant maps on $\mathbb{F}_2^n$, whose defining functions come from a family of $n$-variable Boolean functions induced by a bifix-free sequence $\underline{a}=(a_1,a_2,\ldots,a_m)\in \mathbb{F}_2^m$ with $2\leq m<n$, which we denote by $\Omega_{\underline{a}}$. It is shown that $\Omega_{\underline{a}}$ forms a commutative monoid with respect to the composition. Moreover, if $m\nmid n$, then $\Omega_{\underline{a}}$ is isomorphic to the unit group of $\mathbb{F}_2[x]/ (x^{\lceil \frac{n}{m} \rceil})$; if $m\mid n$, then the unit group of $\Omega_{\underline{a}}$ is isomorphic to that of $\mathbb{F}_2[x]/ (x^{ \frac{2n}{m}}+x^{ \frac{n}{m}})$.
The isomorphic relation transforms the composition of functions on $\Omega_{\underline{a}}$ into the multiplication of polynomials on the quotient ring of $\mathbb{F}_2[x]$, where the algebraic properties of the latter are well-understood. As a straightforward application, we focus on the algebraic properties of $\rho=x_0+(x_1+a_1+1)(x_2+a_2+1)\cdots (x_m+a_m+1)\in \Omega_{\underline{a}}$, which includes the $\chi$-map as well as several other known maps studied in earlier literature. It is shown that $\rho$ is invertible if and only if $m\nmid n$. Also the inverse and the cycle structure of $\rho$ (if invertible) can be fully characterized. The construction of $\Omega_{\underline{a}}$ generalizes previous works given by Kriepke et al. and Lyu et al. It is hoped that $\Omega_{\underline{a}}$ could provide a deeper insight into the study of invertible shift-invariant maps.
## 2026/1250
* Title: TensorZKP: Repurposing GPU Tensor Cores for High-Performance Zero-Knowledge Proofs
* Authors: Tao Lu, Jipeng Zhang, Yanpei Guo, Xuanming Liu, Wenjie Qu, Zonghui Wang, Wenzhi Chen, Jiaheng Zhang
* [Permalink](
https://eprint.iacr.org/2026/1250)
* [Download](
https://eprint.iacr.org/2026/1250.pdf)
### Abstract
GPU Tensor Cores, specialized hardware units designed to accelerate matrix multiplication, have served as the primary engine behind the AI revolution. Given the exponential performance gains they have delivered, aligning cryptographic implementations with this hardware evolution is critical. This is particularly acute for zero-knowledge proofs (ZKPs), a cryptographic primitive that currently grapples with high proof generation costs. Existing GPU implementations for ZKPs rely exclusively on general-purpose SIMT cores, leaving the massive computational power of Tensor Cores untapped.
In this paper, we introduce TensorZKP, the first GPU framework to harness Tensor Cores for ZKP acceleration. Since Tensor Cores are designed for low-precision matrix multiplication, mapping ZKP's arithmetic to this hardware is non-trivial. To bridge this gap, we develop Tensor-Core-compatible finite field arithmetic and reformulate ZKP modules, specifically sum-check protocols and Spielman code, into matrix multiplication tasks. Furthermore, we design an asynchronous warp-specialized framework that pipelines memory access, Tensor Core matrix operations, and SIMT-based modular reductions. We instantiate these optimizations with HyperPlonk as the Polynomial Interactive Oracle Proof (PIOP) and Brakedown as the Polynomial Commitment Scheme (PCS) to enable end-to-end proof generation.
The evaluation results show that TensorZKP exhibits remarkable efficiency. At a $2^{25}$ scale, the underlying building blocks complete in $0.85$ ms for inner product, $0.91$ ms for scalar-vector multiplication, $4.04$ ms for degree-2 sum-check, and $11.58$ ms for the encoder. For a circuit with $2^{25}$ multiplication gates, TensorZKP achieves a proof generation time of only $215.28$ milliseconds, representing a $955\times$ speedup over the CPU baseline and a $36.2\times$ improvement over state-of-the-art SIMT-based GPU implementations.
## 2026/1251
* Title: Related Differentials of $4\times4$ MDS Matrices: A Complete Characterization
* Authors: Kamil Otal, Ali Mert S|+l|oe, O-fuz Yayla
* [Permalink](
https://eprint.iacr.org/2026/1251)
* [Download](
https://eprint.iacr.org/2026/1251.pdf)
### Abstract
A pair of differences $(x,y)$ is a \emph{related differential} for a linear layer $M$ if, for every coordinate at both the input and the output, at least one of the two values vanishes or the two values coincide. Related differentials underlie the zero-difference attack on AES of Bardeh and Rijmen, and the question of which maximum distance separable (MDS) matrices admit them was raised by Daemen and Rijmen, who showed that every $4\times4$ circulant MDS matrix does while some Hadamard ones do not. In earlier work we characterized the $3\times3$ MDS matrices over $\mathbb{F}_{2^r}$ admitting related differentials by fifteen explicit equations. In this paper we settle the $4\times4$ case completely: an MDS matrix $M=DNE$ over $\mathbb{F}_{2^r}$ admits a related differential if and only if at least one of $280$ explicit polynomial equations in the nine free entries of its reduced form $N$ holds. The equations, $70$ quadratic and $210$ cubic, are pairwise distinct, irreducible and pairwise coprime, and fall into $27$ orbits under the natural symmetries. We further determine the structure of the equation set: the fifteen equations of the $3\times3$ case are exactly the points of $\mathrm{PG}(3,2)$, while the $280$ equations span a $14$-dimensional $\mathbb{F}_2$-space, satisfy exactly $560$ additive relations, and contain exactly $840$ pairs that can never hold simultaneously on an MDS matrix. The discarded zero patterns split into $525$ whose determinant condition is equivalent to the failure of MDS-ness and $289$ vacuous cases. Over $\mathbb{F}_8$, the smallest field carrying $4\times4$ MDS matrices, exhaustive enumeration shows that there are exactly $720$ reduced MDS matrices; each satisfying exactly $28$ of the equations and each equation being satisfied by exactly $72$ matrices; in particular every $4\times4$ MDS matrix over $\mathbb{F}_8$ admits a related differential. Over $\mathbb{F}_{2^{10}}$ we exhibit an explicit MDS matrix admitting none. All results are verified by exact computation against an independent exhaustive search.
## 2026/1252
* Title: HedgeSwap: Universal Hedged Atomic Swaps Against Griefing Attacks
* Authors: Dongkun Hou, Ying-Teng Chen, Shujie Cui, Tsz Hon Yuen, Joseph K. Liu, Jiangshan Yu
* [Permalink](
https://eprint.iacr.org/2026/1252)
* [Download](
https://eprint.iacr.org/2026/1252.pdf)
### Abstract
Universal atomic swaps [Oakland'22] replace hashed timelock contracts with adaptor signatures and verifiable timed dlogs, enabling secure cross-chain cryptocurrency exchanges that only require basic signature verification from the underlying blockchains.
However, existing universal swap protocols remain vulnerable to griefing attacks, where a deviating party aborts the swap to lock a compliant party's assets for a long period. A natural approach is to lift existing contract-based solutions to the universal setting, but we identify that this straightforward solution faces two key challenges: (i) timeout race attacks, first identified in PipeSwap [Oakland'25], which arises from the absence of an upper bound on the transaction validity; (ii) a timeout overlap dilemma, which results from multiple overlapping refund periods.
In this paper, we propose HedgeSwap, a universal hedged atomic swap protocol against griefing attacks, which compensates a compliant party with a premium if its asset is locked but not redeemed. To mitigate the timeout race attacks and timeout overlap dilemma, HedgeSwap eliminates the premium timeout and instead relies on a hard relation to refund the premium. For high-value asset swaps where the parties acceptable premium ranges do not overlap, we further propose a round-based HedgeSwap that utilizes a premium migration mechanism to solve these two timeout challenges, where parties iteratively increase the premium until the lock-up risk premium acceptable to both. Our experimental results show that our HedgeSwap can complete in under 0.5 seconds, and round-based HedgeSwap completes in under 1.3 seconds for a five-round setting, while HedgeSwap reduces gas cost by 2.69X compared to existing contract-based solutions.
--- Synchronet 3.22a-Linux NewsLink 1.2