From Newsgroup: sci.crypt
## In this issue
1. [2025/277] Tighter Control for Distributed Key Generation: ...
2. [2025/879] Papercraft: Lattice-based Verifiable Delay Function ...
3. [2025/1289] AlphaFL: Secure Aggregation with Malicious$^2$ ...
4. [2026/277] Collusion-Minimized TLS Attestation Protocol for ...
5. [2026/1051] Streamlined Symmetric Private Information Retrieval ...
6. [2026/1172] Post-Quantum Migration Strategy for RSA Encryption
7. [2026/1193] Cryptanalytic Properties of Mealy Machines
8. [2026/1197] VOBE: Verifiable Outsourced Batched Encryption for ...
9. [2026/1203] Signatures with Post-Compromise Accountability
10. [2026/1288] SuccinCT: Succinct Confidential Transaction for ...
11. [2026/1289] A Toolkit for Succinct Lattice-Based Zero Knowledge ...
12. [2026/1290] A Compact Signature Scheme Based on QC-MDGM Codes
13. [2026/1291] Refined OJ Attacks: Tight Complexity for Rank ...
14. [2026/1292] CRAfT: Constant-Round Non-Polynomial Approximation ...
15. [2026/1293] Post-quantum Secure Non-Committing Registered ...
16. [2026/1294] Differential Fault Attack on Atom: Bypassing the ...
17. [2026/1295] A new attack to RSA with small private exponent and ...
18. [2026/1296] Achieving Guaranteed Output Delivery MPC with ...
19. [2026/1297] Breaking the $\Omega(|C|\kappa)$ Barrier on Garbled ...
20. [2026/1298] Weak Keys Break the BUFF Security of HAWK
21. [2026/1299] Decomposition of compressions on elliptic curves ...
22. [2026/1300] Thresholdizing Standardized FALCON Signatures
23. [2026/1301] STRUCTURED LATTICES AND THEIR APPLICATIONS TO SECURITY
24. [2026/1302] TRIP: Thresholding in Regression with Input Privacy
25. [2026/1303] Subspace Differential Uniformity
26. [2026/1304] Security Analysis of One Lightweight ...
27. [2026/1305] SUF-CMA SQISign via Canonical Response Encoding
28. [2026/1306] TETRIS: Automated Design Space Exploration of ...
29. [2026/1307] A Communication-Efficient Local-Verification ...
30. [2026/1308] Trust the Voice, Hide the Source: Anonymous ...
31. [2026/1309] Forensic Cryptanalysis of the Backdoored UA-8295 ...
32. [2026/1310] Designing Wallet-Based User Intervention for ...
33. [2026/1311] The Relative Trace-Zero Subgroup of the Barreto- ...
34. [2026/1312] Post-Quantum Security of Tweakable Key-Alternating ...
35. [2026/1313] So Long, and Thanks for All the Seeds: Attacking ...
36. [2026/1314] HHE Kombat: Benchmarking Hybrid Homomorphic ...
37. [2026/1315] VERDICT: A Cryptographically Verifiable Framework ...
38. [2026/1316] Computing multi-scalar multiplication on memory- ...
39. [2026/1317] ProtogaLattice: Constant-Round Lattice-based ...
40. [2026/1318] Cryptanalysis of HAWK: a Guessing Game
## 2025/277
* Title: Tighter Control for Distributed Key Generation: Share Refreshing and Expressive Reconstruction Policies
* Authors: Sara Montanari, Riccardo Longo, Alessio Meneghetti
* [Permalink](https://eprint.iacr.org/2025/277)
* [Download](https://eprint.iacr.org/2025/277.pdf)
### Abstract
The secure management of private keys is a fundamental challenge, particularly for the general public, as losing these keys can result in irreversible asset loss. Traditional custodial approaches pose security risks, while decentralized secret sharing schemes offer a more resilient alternative by distributing trust among multiple parties. In this work, we extend an existing decentralized, verifiable, and extensible cryptographic key recovery scheme based on Shamir's secret sharing. We introduce a refresh phase that ensures proactive security, preventing long-term exposure of secret shares. Our approach explores three distinct methods for refreshing shares, analyzing and comparing their security guarantees and computational complexity. Additionally, we extend the protocol to support any monotone access structure, enabling the most general and fine-grained control over key reconstruction.
## 2025/879
* Title: Papercraft: Lattice-based Verifiable Delay Function Implemented
* Authors: Michał Osadnik, Darya Kaviani, Valerio Cini, Russell W. F. Lai, Giulio Malavolta
* [Permalink](https://eprint.iacr.org/2025/879)
* [Download](https://eprint.iacr.org/2025/879.pdf)
### Abstract
A verifiable delay function (VDF) requires a specified number of sequential steps to compute, yet the validity of its output can be verified efficiently, much faster than recomputing the function from scratch. VDFs are a versatile cryptographic tool, with many industrial applications, such as blockchain consensus protocols, lotteries and verifiable randomness. Unfortunately, without exceptions, all known practical VDF constructions are broken by quantum algorithms. In this work, we investigate the practicality of VDFs with plausible post-quantum security. We propose Papercraft, a working implementation of a VDF based entirely on lattice techniques and thus plausibly post-quantum secure. Our VDF is based on new observations on lattice-based succinct argument systems with many low-level optimisations, yielding the first lattice-based VDF that is implementable on today's hardware. As an example, our Papercraft implementation can verify a computation of almost 6 minutes in just 7 seconds. Overall, our work demonstrates that lattice-based VDFs are not just a theoretical construct, paving the way for their practical deployment.
## 2025/1289
* Title: AlphaFL: Secure Aggregation with Malicious$^2$ Security for Federated Learning against Dishonest Majority
* Authors: Yufan Jiang, Maryam Zarezadeh, Tianxiang Dai, Stefan Köpsell
* [Permalink](https://eprint.iacr.org/2025/1289)
* [Download](https://eprint.iacr.org/2025/1289.pdf)
### Abstract
Federated learning (FL) proposes to train a global machine learning model across distributed datasets. However, the aggregation protocol as the core component in FL is vulnerable to well-studied attacks, such as inference attacks, poisoning attacks [71] and malicious participants who try to deviate from the protocol [24]. Therefore, it is crucial to achieve both malicious security and poisoning resilience from cryptographic and FL perspectives, respectively. Prior works either achieve incomplete malicious security [76], address issues by using expensive cryptographic tools [22, 59] or assume the availability of a clean dataset on the server side [32].
In this work, we propose AlphaFL, a two-server secure aggregation protocol achieving both malicious security in the universal composability (UC) framework [19] and poisoning resilience in FL (thus malicious$^2$) against a dishonest majority. We design maliciously secure multi-party computation (MPC) protocols [24, 26, 48] and introduce an efficient input commitment protocol tolerating server-client collusion (dishonest majority). We also propose an efficient input commitment protocol for the non-collusion case (honest majority), which triples the efficiency in time and quadruples that in communication, compared to the state-of-the-art solution in MP-SPDZ [46]. To achieve poisoning resilience, we carry out $L_\infty$ and $L_2$-Norm checks with a dynamic $L_2$-Norm bound by introducing a novel silent select protocol, which improves the runtime by at least two times compared to the classic select protocol. Combining these, AlphaFL achieves malicious$^2$ security at a cost of 25% to 79% more runtime overhead than the state-of-the-art semi-malicious counterpart Elsa [76], with even less communication cost.
## 2026/277
* Title: Collusion-Minimized TLS Attestation Protocol for Decentralized Applications
* Authors: Uğur Şen, Murat Osmanoğlu, Oğuz Yayla, Can Deniz Gökgedik, Ali Aydın Selçuk, Ali Doğanaksoy
* [Permalink](https://eprint.iacr.org/2026/277)
* [Download](https://eprint.iacr.org/2026/277.pdf)
### Abstract
Transport Layer Security (TLS) attestation protocols are a key building block for decentralized applications that require authenticated off-chain data. However, existing Designed Commitment TLS (DCTLS) constructions rely on designated verifiers, which prevents public verifiability and enables prover--verifier collusion in on-chain settings. To address these limitations, we propose a collusion-minimized TLS attestation framework $\Pi_{\mathrm{coll\text{-}min}}$ that extends existing DCTLS protocols to support jointly verifiable attestations with distributed verifiers. The framework combines two complementary components: dx-DCTLS, a generic transformation layer that upgrades existing DCTLS constructions into exportable variants by replacing non-verifiable components with verifiable counterparts, and a decentralized validation layer based on distributed verifiable random functions (DVRFs) and a threshold signature scheme (TSS). Together, these two components allow multiple verifiers to jointly validate TLS attestations while minimizing prover--verifier collusion. In this study, we formalize a threshold attestation unforgeability notion capturing adversarial behaviors in multi-verifier environments and prove security under standard assumptions. Specifically, by transitioning from independent multi-session validations, as commonly employed in decentralized oracle networks (DONs), to a unified and exportable attestation framework, we eliminate the per-verifier repetition on the prover side. Consequently, the prover complexity is reduced from $O(n)$ to $O(1)$. To evaluate practicality, we provide an end-to-end prototype implementation of $\Pi_{\mathrm{coll\text{-}min}}$ and compare it against a DECO-based replication baseline. 
The results show that the proposed framework remains efficient at high threshold sizes and introduces only modest additional overhead, demonstrating the feasibility of collusion-minimized and jointly verifiable TLS attestations for smart contract environments.
## 2026/1051
* Title: Streamlined Symmetric Private Information Retrieval via Rényi Divergence
* Authors: Alex Davidson, Nuno Nogueira, Samuel Pearson, João Ribeiro
* [Permalink](https://eprint.iacr.org/2026/1051)
* [Download](https://eprint.iacr.org/2026/1051.pdf)
### Abstract
Private Information Retrieval (PIR) protocols allow a client to recover items from a server-held database without revealing the locations of requested items. In Symmetric PIR (SPIR), the client also learns nothing about the database beyond the requested items. Such schemes are critical for maintaining security in applications such as compromised credential checking, where database elements are considered as sensitive as queries. Existing approaches to building SPIR schemes require running multiple cryptographic primitives in parallel. Moreover, they do not naturally translate to the post-quantum setting, even though practical PIR schemes are typically post-quantum due to their reliance on learning with errors (LWE).
This work explores the possibility of deriving SPIR from PIR directly, utilising noise flooding to maintain the privacy of the database. While the common analysis based on the statistical distance leads to impractical parameters, we instead utilise arguments based on the Rényi divergence to obtain significantly improved parameters. We obtain simple single-server SPIR from state-of-the-art LWE-based PIR schemes with polynomial noise dimension and ciphertext modulus (concretely of 64 bits in size). Along the way, we note that practical schemes that utilise preprocessing via client-downloaded offline hints require extra protections for the database.
Overall, via an implementation of our approach, we show that post-quantum, round-optimal SPIR schemes can be constructed requiring online communication of 8 MB and server computation costs of 302 ms for a database of 1 million 1 kB elements.
## 2026/1172
* Title: Post-Quantum Migration Strategy for RSA Encryption
* Authors: Udara Pathum, Ashen De Silva
* [Permalink](https://eprint.iacr.org/2026/1172)
* [Download](https://eprint.iacr.org/2026/1172.pdf)
### Abstract
Organizations relying on RSA-OAEP encryption in protocols such as JWE, SAML, and OIDC face a critical challenge: transitioning to post-quantum cryptography without disrupting operational continuity. This paper presents a phased migration strategy that uses RSA-KEM-ML-KEM composite Key Encapsulation Mechanisms as an intermediary step between current RSA-OAEP encryption and the target state of pure ML-KEM adoption. We formalize the RSA-KEM-ML-KEM construction, prove IND-CCA2 security via a Split-Key PRF combiner, and integrate it into the Hybrid Public-Key Encryption (HPKE) framework. Our implementation demonstrates that composite schemes enable quantum-resistant encryption while preserving existing RSA key infrastructure, though with measurable throughput trade-offs that inform migration timelines. We analyze protocol-specific integration for JWE, SAML, and OIDC encryption use cases, providing decision frameworks for transitioning from RSA-OAEP through composite approaches to pure post-quantum encryption. This work contributes a formally analyzed transition mechanism and practical migration guidance for organizations seeking to adopt quantum-resistant encryption in RSA-dependent systems, validated through application to identity and access management protocols.
## 2026/1193
* Title: Cryptanalytic Properties of Mealy Machines
* Authors: Zhongfeng Niu, Tim Beyne, Kai Hu, Meiqin Wang
* [Permalink](https://eprint.iacr.org/2026/1193)
* [Download](https://eprint.iacr.org/2026/1193.pdf)
### Abstract
This paper proposes a systematic approach to compute cryptanalytic properties of arbitrary Mealy machines or S-functions.
Based on the geometric approach to cryptanalysis, we provide a uniform formula for any cryptanalytic property of such a function, as long as the property is compatible with the way its input and output are split into chunks.
Examples include linear, (quasi) differential, (ultrametric) integral, differential-linear, and boomerang properties.
To illustrate our results, we compute these properties for several important examples, including modular additions, the Chi- and ChiChi-functions, and the SHA-1 step function.
As proof-of-concept applications, we construct a boomerang distinguisher for the Subterranean permutation, and show how to compute the correlations of conditional linear approximations in partitioning-based differential-linear attacks more accurately. Our results also lead to a new approach to compute the algebraic normal form of the inverse of the Chi-function.
## 2026/1197
* Title: VOBE: Verifiable Outsourced Batched Encryption for Secure Delegation of Batched Decryption
* Authors: Kwangsu Lee
* [Permalink](https://eprint.iacr.org/2026/1197)
* [Download](https://eprint.iacr.org/2026/1197.pdf)
### Abstract
Batched encryption (BE) has emerged as a novel public-key cryptographic paradigm that enables the efficient decryption of a designated batch of $B$ ciphertexts simultaneously. By incorporating threshold decryption capabilities into this framework, batched threshold encryption (BTE) further decentralizes the decryption process. While both BE and BTE serve as highly effective solutions for mitigating Miner Extractable Value (MEV) attacks in blockchain networks by providing robust mempool privacy, ciphertext integrity, and communication efficiency, they still suffer from heavy computational overhead during the ciphertext decryption phase.
In this paper, we address this computational bottleneck by introducing a novel framework that delegates the heavy decryption workloads to an untrusted cloud server while enabling verifiability of the outsourced computations. To achieve this, we first propose an outsourced batched identity-based encryption (O-BIBE) scheme by integrating outsourcing functionalities into the conventional BIBE paradigm, accompanied by a rigorous security proof. We then construct a verifiable outsourced batched encryption (VOBE) scheme by strategically combining O-BIBE with other core cryptographic building blocks and formally prove its security.
To eliminate the single point of failure and enhance threshold resiliency, we extend our framework to the threshold setting by developing an outsourced threshold batched identity-based encryption (O-TBIBE) scheme. Building upon this, we propose a verifiable outsourced batched threshold encryption (VOBTE) scheme, which successfully achieves decentralized threshold resilience. Our proposed VOBE and VOBTE schemes are the first to concurrently guarantee ciphertext integrity and mempool privacy against sophisticated blockchain attacks, while significantly reducing decryption costs via efficient and verifiable outsourcing.
## 2026/1203
* Title: Signatures with Post-Compromise Accountability
* Authors: Dennis Dayanikli, Johannes Lang, Anja Lehmann
* [Permalink](https://eprint.iacr.org/2026/1203)
* [Download](https://eprint.iacr.org/2026/1203.pdf)
### Abstract
Cryptographic signatures play an integral part in ensuring authenticity and integrity in digital systems. Their security crucially relies on the secrecy of the signing key, since knowledge of this key enables an adversary to generate valid signatures on any message. Once a signing key is compromised, the standard countermeasure is to revoke the corresponding public key and to invalidate all signatures produced for this key. However, with this approach even legitimate signatures created by the honest signer would retroactively lose their validity. In this work, we initiate the formal study of a new approach - Signatures with Post-Compromise Accountability (SPCA) - which provides security guarantees even after the secret key was compromised. This notion effectively introduces a grace period for the legitimate key owner, during which the validity of honestly generated signatures is preserved despite the adversary's knowledge of the secret key. We formally define SPCA and its security guarantees, and present two constructions achieving this notion. Our first construction generalizes the signature-in-signature approach of Błaśkiewicz et al. (ESORICS '21), where an inner signature is embedded into the randomness of an outer signature. This construction, however, requires revealing the signing secret key during revalidation. Our second construction overcomes this limitation by enabling revalidation without disclosing the secret key, yielding stronger security guarantees.
## 2026/1288
* Title: SuccinCT: Succinct Confidential Transaction for Miner Privacy
* Authors: Ying-Teng Chen, Tsz Hon Yuen, Dongkun Hou, Jie Xu, Joseph K. Liu, Wayne Yang, Jiangshan Yu
* [Permalink](https://eprint.iacr.org/2026/1288)
* [Download](https://eprint.iacr.org/2026/1288.pdf)
### Abstract
Confidential transaction (CT) protocols are widely used to protect the privacy of blockchain-based cryptocurrency transactions. However, existing CT schemes primarily focus on ordinary users' anonymity and amount confidentiality, while overlooking miner privacy as a native objective. In particular, the privacy of miners' coinbase-receiving addresses has not been systematically considered in security models. In this paper, we identify two novel attacks against miner privacy in existing CT protocols, called miner privacy attacks and anonymity reduction attacks. These attacks arise from the transparency of the mining coinbase amounts and transaction fees in the underlying blockchain systems. When miners' accounts are included in a CT, our general solutions compatible with all schemes can prevent adversaries from identifying miners as the real spenders or excluding miners from the possible spender sets.
We propose SuccinCT, the first CT protocol based on the DualRing structure to address the aforementioned attacks. Compared with existing schemes, SuccinCT achieves the smallest overall transaction size while protecting miner privacy. Specifically, the proof size of SuccinCT is about 20% smaller than the latest BulletCT (USENIX SEC'25). We implement SuccinCT and evaluate its performance for ring sizes from 128 to 1024. The results show that signature generation takes about 2-3 ms and verification takes about 1-2 ms. These results demonstrate that SuccinCT provides stronger privacy guarantees, novel construction, and practical efficiency for real-world deployment.
## 2026/1289
* Title: A Toolkit for Succinct Lattice-Based Zero Knowledge Proofs
* Authors: Beatrice Biasioli, Madalina Bolboceanu, Vadim Lyubashevsky, Antonio Merino-Gallardo, Michał Osadnik, Gregor Seiler, Patrick Steuer
* [Permalink](https://eprint.iacr.org/2026/1289)
* [Download](https://eprint.iacr.org/2026/1289.pdf)
### Abstract
The development of proof systems whose security relies on the hardness of lattice problems has been a fruitful research area in recent years. By leveraging the techniques introduced in LaBRADOR (Beullens, Seiler, Crypto 2023), the state-of-the-art lattice-based schemes have very fast provers and have output sizes under 100KB for arbitrarily large statements. These proofs are in fact the smallest, and often have the fastest provers, out of all post-quantum schemes.
In addition to succinctness, many applications also require witness privacy. Achieving this can, in theory, be done by combining LaBRADOR with a linear-size zero-knowledge proof. While such a combination has already been described in the LaBRADOR paper itself, as well as in the works of Albrecht et al. (Eurocrypt 2024) and del Pino et al. (Crypto 2025), its concrete costs remained unexplored.
In this work, we provide the first concrete construction and implementation that adds zero-knowledge proofs to LaBRADOR by integrating the linear-size zero-knowledge proof from (Lyubashevsky, Nguyen, Plançon, Crypto 2022) into the protocol. We describe the non-trivial challenges that this entails and show practicality of the construction by benchmarking several use-cases. We make the proof system and primitives accessible by extending the LaZer library (Lyubashevsky, Seiler, Steuer, CCS 2024) in a way that they can easily be used in other applications.
## 2026/1290
* Title: A Compact Signature Scheme Based on QC-MDGM Codes
* Authors: Alessandro Annechini, Alessandro Barenghi, Gerardo Pelosi
* [Permalink](https://eprint.iacr.org/2026/1290)
* [Download](https://eprint.iacr.org/2026/1290.pdf)
### Abstract
Constructing a post-quantum signature scheme that is simultaneously compact and efficient remains a central challenge in code-based cryptography. Existing schemes based on turning a zero-knowledge identification scheme into a signature exhibit either large signatures or slow verification procedures. On the other hand, the design of hash-and-sign code-based schemes initiated by Courtois, Finiasz and Sendrier in $2001$ has led to schemes such as Wave and MIRANDA, that provide small signatures at the cost of massive public key sizes, with comparatively demanding signature algorithms.
In this work, we present ASTRA-Sign: a quASi-cyclic code-based full-distance decoding TRApdoor Signature Scheme, combining the hash-and-sign paradigm with quasi-cyclic moderate density generator matrix codes to obtain small signatures and small public keys. The security of our scheme is based on the hardness of finding low weight codewords in quasi-cyclic codes, and on the hardness of finding a codeword that has full Hamming distance from a given random vector. We analyse key recovery and signature forgery attacks against ASTRA, and we propose several parameter sets achieving $128$-, $192$- and $256$-bit security. Our scheme exhibits public keys and signatures below $1$kB for $128$ bits of security, with sub $50\mu$s verification times.
## 2026/1291
* Title: Refined OJ Attacks: Tight Complexity for Rank Decoding Problems and Their Cryptographic Implications
* Authors: Yongcheng Song, Rongmao Chen, Xinyi Huang, Jiang Zhang, Chao Lin
* [Permalink](https://eprint.iacr.org/2026/1291)
* [Download](https://eprint.iacr.org/2026/1291.pdf)
### Abstract
The Rank Decoding (RD) problem lies at the core of rank-based cryptography. To enable efficient constructions, several variants have been introduced, notably the Non-Homogeneous RD (NHRD) problem and the Blockwise RD (BRD) problem. The \emph{quantum} security of these systems is currently considered to be determined by the complexity of combinatorial attacks such as AGHT, PRR, and Ourivski--Johansson (OJ) attacks. However, for the OJ attack, the modeling, soundness, and relative complexities remain poorly understood, particularly for the NHRD and BRD variants, thereby limiting confidence in security claims and hindering the design of compact schemes.
In this work, we refine the modelings for the OJ attack (PIT, 2002) and the Improved OJ (IOJ, IEEE TIT 2025) attack, and obtain general and tight complexities on the RD, NHRD, and BRD problems. We show that the IOJ attack rests on optimistic assumptions that do not hold in practical random decoding scenarios, and thus its advantage over OJ should be disregarded in security assessments. For the RD problem, the OJ attack remains a strong candidate for the most powerful combinatorial attack in certain parameter regions, particularly when the code dimension $k$ is small and the extension degree $m$ is large. For the NHRD problem, we show that the OJ attack is the most powerful combinatorial attack for the parameters of NH-Multi-UR-AG, yielding up to a 100-bit improvement over the adapted AGHT attack (IEEE TIT 2024), while still preserving the claimed security level. For the BRD problem, we derive complexity formulas for general block structures, resolving questions posed in prior works (Asiacrypt 2023, IEEE TIT 2025, PQC 2024). Our analysis also reveals that the OJ attack is previously underestimated by about $\gamma^2$ bits, where $\gamma$ denotes the minimum block weight. We further show that the OJ attack outperforms AGHT and PRR attacks in certain parameter regions, achieving up to a 136-bit advantage over PRR (IEEE TIT 2025). Our work advances the understanding of decoding problems in the rank metrics and reinforces the security of related cryptosystems.
## 2026/1292
* Title: CRAfT: Constant-Round Non-Polynomial Approximation and P2P Network for Secure Transformer Inference
* Authors: Jinghao Zhao, Hongwei Yang, Xiaoyu Song, Meng Hao, Hui He, Weizhe Zhang
* [Permalink](https://eprint.iacr.org/2026/1292)
* [Download](https://eprint.iacr.org/2026/1292.pdf)
### Abstract
Transformer models have recently emerged as a game-changing technology for applications in content generation. However, severe privacy concerns and the scalability bottlenecks of existing secure protocols limit their large-scale deployment. To address these challenges, we present CRAfT, an innovative system designed for high-scalability and low-latency secure Transformer inference. The core contributions of CRAfT are threefold: First, we propose a novel ciphertext packing strategy tailored for multiple mutually distrustful users. This approach completely eliminates the need for ciphertext rotations in linear projections layer and effectively offloads massive communication traffic to the high-speed P2P network. Second, we introduce a novel branch-free iterative fitting strategy based on trigonometric functions, which accurately approximates sigmoid-like functions (e.g., Tanh, Sigmoid, and erf in GELU). In the interval $[-3, 3]$, its approximation accuracy exceeds that of the plaintext Tanh-based GELU, while requiring only 4 communication rounds without relying on polynomial approximations. Finally, for complex operations like Softmax that exhibit partial sigmoid-like characteristics, we transform them into standard sigmoid-like functions, allowing us to directly apply our fitting strategy to minimize cryptographic costs while maintaining model accuracy. Comprehensive evaluations on BERT-base demonstrate that CRAfT increases multi-client inference throughput by up to $8.5\times$ and reduces per-client WAN communication volume by 38.4% compared to the highly optimized baseline (BumbleBee).
## 2026/1293
* Title: Post-quantum Secure Non-Committing Registered Functional Encryption
* Authors: Ramprasad Sarkar
* [Permalink](https://eprint.iacr.org/2026/1293)
* [Download](https://eprint.iacr.org/2026/1293.pdf)
### Abstract
Non-committing encryption (NCE) is a key primitive for proving security against adaptive corruptions, enabling simulators to generate ciphertexts before the encrypted message is known. Existing non-committing constructions for attribute-based encryption primitives [Hiroka et al., ASIACRYPT 2021; Goyal et al., PKC 2025] typically rely on centralized trust that generate users' secret keys. However, modern cryptographic systems increasingly aim to eliminate such trust assumptions through decentralized frameworks such as registered encryption, where users independently generate and register their own keys.
In this work, we initiate the study of non-committing registered functional encryption (NC-RFE) as a generalization of non-committing attribute-based encryption in the decentralized framework. We formalize the notion of NC-RFE by adapting classical non-committing security to the registered setting. We then present a generic construction based on indistinguishability obfuscation and zero-knowledge arguments, and prove its security assuming a secure underlying registered functional encryption (RFE) scheme. We further provide a lattice-based instantiation, yielding a post-quantum secure NC-RFE scheme based on the hardness of the plain LWE and equivocal LWE assumptions.
## 2026/1294
* Title: Differential Fault Attack on Atom: Bypassing the Double Key Filter using Filtered Faults
* Authors: Vaibhav Dixit, Satyam Kumar, Santanu Sarkar
* [Permalink](https://eprint.iacr.org/2026/1294)
* [Download](https://eprint.iacr.org/2026/1294.pdf)
### Abstract
In this paper, we present a Differential Fault Attack (DFA) on the lightweight stream cipher Atom, proposed by Banik et al. in IACR Transactions on Symmetric Cryptography (TOSC)-2021. It employs two key filters simultaneously during the pseudo-random generation algorithm phase, one of which depends on LFSR state bits. Due to this LFSR-dependent key filter, the authors claim that forming algebraic equations relating key and state bits as variables to the keystream bits is difficult unless the entire LFSR state is known. In contrast, we propose a method to formulate such algebraic equations without guessing any LFSR bits. This enables us to implement a successful DFA on Atom. To the best of our knowledge, this is the first successful DFA reported on Atom. In the proposed DFA, we identify the location of injected faults using a weighted ensemble of trained MLP and XGBoost models. To further improve accuracy, we filter out ML predictions with confidence below a predefined threshold. We found that this strategy significantly reduces the number of SAT solver invocations and improves the overall time complexity of the attack.
Based on our experiments, we demonstrate a successful DFA on Atom within a practical time by injecting 18 faults, provided all are correctly identified. Obtaining a set of 18 correctly identified faults requires, on average, 52 fault injections. The attack requires a total of 70 keystream bits (normal and faulty combined) just after a fault injection and guessing two random key bits.
## 2026/1295
* Title: A new attack to RSA with small private exponent and partial information.
* Authors: Jorge Jimenez Urroz
* [Permalink](https://eprint.iacr.org/2026/1295)
* [Download](https://eprint.iacr.org/2026/1295.pdf)
### Abstract
We give a new algorithm to attack RSA with small private exponent, when some partial information of $p + q$ is given. The algorithm is a very simple modification of the original Wiener's attack with continued fractions, and allows us to factor $n$ whenever $d<n^{(1+\delta)/2}$ if we know a $\delta$-fraction of the most significant bits of $n$. The algorithm is unconditional, which is not the case in previous improvements that use Coppersmith's method. As a simple example, our algorithm can be applied to break any cryptosystem with modulus $n$ of $512$ bits and $d < n^{0.3}$, given an improvement in the original attack of Wiener.
## 2026/1296
* Title: Achieving Guaranteed Output Delivery MPC with Constant Rounds and Linear Communication in Minicrypt
* Authors: Junru Li, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/1296)
* [Download](
https://eprint.iacr.org/2026/1296.pdf)
### Abstract
In this work, we study the communication complexity of constant-round MPC with guaranteed output delivery (GOD) in Minicrypt. We construct the first MPC protocol in this setting with linear communication complexity of $O(|C|n\kappa+Dn^3\kappa^3+W_I{\sf poly}(n,\kappa))$ bits under the assumption of a random oracle, where $|C|$ is the circuit size, $D$ is the circuit depth, $W_I$ is the number of input wires, and $\kappa$ is the security parameter.
In comparison, the previously best-known construction with linear communication ($O(|C|n)$), presented by Goyal et al. (CRYPTO 2020), requires $O(D+n^2)$ round complexity. When targeting $O(D)$ round complexity, the best-known result by Agarwal et al. (ASIACRYPT 2024) still requires $O(|C|n^3)$ communication complexity. More communication is needed to achieve constant round complexity, even with non-black-box use of the underlying cryptographic primitives.
## 2026/1297
* Title: Breaking the $\Omega(|C|\kappa)$ Barrier on Garbled Circuit Size in the Random Oracle Model
* Authors: Junru Li, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/1297)
* [Download](
https://eprint.iacr.org/2026/1297.pdf)
### Abstract
In this paper, we study garbled circuits in the random oracle model against a computationally unbounded adversary with $T$ queries to a (programmable) random oracle. From Yao's garbled circuits (SFCS 1986) to Three-Halves (CRYPTO 2021), the garbled circuit size has been reduced from $8|C|(\log T+\kappa)$ bits to $1.5|C|(\log T+\kappa)$ bits for achieving a statistical error of $2^{-\kappa}$, where $|C|$ is the circuit size and $\kappa$ is the statistical security parameter. However, no known result achieves $o(|C|\kappa)$ bits of garbled circuit size by now, and it is widely believed that a garbled circuit must have $\Omega(|C|\kappa)$ bits in the random oracle model.
In this work, we present the first garbling scheme that achieves $o(|C|\kappa)$ bits of garbled circuit size in the random oracle model. In particular, for a circuit $C$ of size $|C|$ and depth $D$, the achieved garbled circuit size is $O(|C|\log T+D\kappa^2\log T)$ bits. This breaks the long-standing $\Omega(|C|\kappa)$ barrier on the garbled circuit size.
We extend our garbling scheme to a maliciously secure two-party computation protocol with communication of $O(|C|\log T+D(\log T+\kappa)^2\log T+{\sf poly}(\kappa,\log T))$ bits against any $T$-query adversary assuming parallel oblivious transfers and a (programmable) random oracle. The protocol only requires 1 OT round and 3 one-way communication rounds. If only requiring one of the two parties to have output, a similar communication complexity can be achieved for constructing a non-interactive secure computation (NISC) protocol, which only relies on the preprocessing of bit-OT correlations and a random oracle. Compared to a concurrent work on NISC by Ishai et al. (EUROCRYPT 2026) in the same setting, we achieve a better amortized communication cost per gate at the cost of an additional term related to the circuit depth. The NISC protocol with a similar communication cost can also be constructed from a (slightly stronger version of) semi-malicious 2-round OT protocol.
## 2026/1298
* Title: Weak Keys Break the BUFF Security of HAWK
* Authors: Quang Dao
* [Permalink](
https://eprint.iacr.org/2026/1298)
* [Download](
https://eprint.iacr.org/2026/1298.pdf)
### Abstract
HAWK is a signature scheme based on the module lattice isomorphism problem, and the only lattice-based candidate in the third round of NIST's call for additional post-quantum signatures. Its specification claims that HAWK achieves the BUFF (Beyond UnForgeability Features) security properties "as is", without applying the generic BUFF transform, citing the analysis of Aulbach, Düzlü, Meyer, Struck, and Weishäupl (PQCrypto'24).
We refute this claim for HAWK exactly as specified. Several of the BUFF games let the adversary register a public key of its own choosing, yet the HAWK reference verifier performs almost no validity check on a key beyond decoding it. We exhibit degenerate "weak" public keys under which the all-zero signature verifies for all random-oracle challenges except the negligible symmetry-breaking corner case, and use them to break the three BUFF properties whose games let the adversary supply both the verification key and the signature: message-bound signatures, malicious strong universal exclusive ownership, and weak non-resignability.
We trace these breaks to gaps in the BUFF proofs for HAWK of Aulbach et al.: one missing case analysis, and three steps that silently assume properties of the adversarially chosen keys as if they come from honest key generation. Honest key generation already enforces bounds that would reject our weak-key family on the attacks we exhibit. We prove that enforcing this norm floor at verification yields message-bound security for constant keys, but we make no claim that it fully restores BUFF security.
## 2026/1299
* Title: Decomposition of compressions on elliptic curves and point recovery
* Authors: Robert Dryło
* [Permalink](
https://eprint.iacr.org/2026/1299)
* [Download](
https://eprint.iacr.org/2026/1299.pdf)
### Abstract
Let $E$ be an elliptic curve over a perfect field $K$. A function $f\in K(E)$ is a compression of degree 2 on $E$ if $f(-P) = f(P)$ for all $P\in E$, and the field extension $K(f)\subset K(E)$ is of degree 2. For a finite subgroup $G\subset E$ over $K$, we call a function $w\in K(E)$ a $G$-compression if $w(\pm P +G) = w(P)$ for all $P\in E$, and the field extension $K(w)\subset K(E)$ is of degree $2|G|$. We will show that $w\in K(E)$ is a $G$-compression if and only if $w = f\circ \Phi$ for a separable isogeny $\Phi:E\to E'$ over $K$ with
$\ker \Phi=G$, an elliptic curve $E'/K$, and a compression $f\in K(E')$ of degree 2 on $E'$. This allows us to obtain a doubling, a differential addition, and a method for point recovery for $G$-compressions using known properties of compressions of degree 2. For $G$-compressions $w$ studied in the literature on an extended Jacobi quartic, a twisted Edwards curve, a twisted Jacobi intersection, and a twisted Hessian curve (for the first and third model additional conditions on coefficients are assumed), we will give the decomposition $w = f\circ \Phi$ as above, and the function induced by the dual isogeny $\widehat{\Phi}$ and compressions of degree 2, which can be used for point recovery. For the first three models this isogeny $\Phi$ is to a Montgomery curve over $K$, and has the first coordinate $x(\Phi)=1/w$. We also give isomorphisms from some models of elliptic curves to a
Montgomery curve.
## 2026/1300
* Title: Thresholdizing Standardized FALCON Signatures
* Authors: Radhika Garg, Daniel Escudero, Antigoni Polychroniadou, Akira Takahashi, Xiao Wang
* [Permalink](
https://eprint.iacr.org/2026/1300)
* [Download](
https://eprint.iacr.org/2026/1300.pdf)
### Abstract
Threshold signatures allow a quorum of parties to jointly produce a
signature while preventing any smaller subset from doing so.
Following NIST's post-quantum standardization, designing threshold
schemes compatible with the newly selected primitives is a pressing
task. In particular, no prior threshold signature scheme produces
signatures verifiable under the unmodified FALCON verification
algorithm - the NIST-selected post-quantum scheme with the smallest
signatures and keys.
In this work, we present the first such threshold FALCON signing
protocol, establishing its feasibility. Our technical contributions
are threefold. First, we adapt the MPC-based discrete Gaussian
sampling protocol of Wei et al. [CCS:WYFCW23] to support
private centers and standard deviations, as required by
FALCON's signing process. Second, we carry out a
Rényi divergence analysis of the Klein sampler under fixed-point
arithmetic, showing that $73$ bits of precision suffice to achieve
the same security as the FALCON specification. Third, we design an
efficient MPC protocol for the Klein sampler that exploits the fixed
trapdoor basis to construct a pseudorandom correlation generator for authenticated VOLE using only two-party DPFs, reducing per-signature communication significantly over standard authenticated triple
generation. We implement and benchmark our protocol in two settings:
$N$-party signing with all-but-one corruption, and 3-party signing
with honest majority, demonstrating that threshold FALCON signing is
feasible for applications where compatibility with the FALCON standard
is required.
## 2026/1301
* Title: STRUCTURED LATTICES AND THEIR APPLICATIONS TO SECURITY
* Authors: LENNY FUKSHANSKY, CAMILLA HOLLANTI, RAHINATOU Y. NJAH NCHIWO
* [Permalink](
https://eprint.iacr.org/2026/1301)
* [Download](
https://eprint.iacr.org/2026/1301.pdf)
### Abstract
Euclidean lattices are an interesting object of study in many regards and can have a rich structure arising from various constructions, e.g., from number field extensions. A particularly interesting class is the one of well-rounded lattices, as they relate to the well-known densest sphere packing problem in geometry, theta function minimization, and the famous Minkowski and Woods conjectures. In addition to being an important mathematical object in their own right, lattices also play a central role in many applications. This paper offers a survey of structured lattices and discusses their recent applications in lattice-based cryptography and secure wireless communications. Our goal is to spark the interest of mathematicians and adjacent communities in these fascinating topics in the intersection of lattices, number theory, cryptography, and wireless communications.
## 2026/1302
* Title: TRIP: Thresholding in Regression with Input Privacy
* Authors: Chrysa Oikonomou, Katerina Sotiraki
* [Permalink](
https://eprint.iacr.org/2026/1302)
* [Download](
https://eprint.iacr.org/2026/1302.pdf)
### Abstract
Secure computation allows multiple parties to jointly evaluate a function without leaking their individual inputs. An intrinsic issue with these techniques is that they do not offer any protection against parties that may contribute poor-quality or even maliciously crafted data.
We introduce TRIP, a protocol which protects against malicious manipulations of the input in secure computation of linear regression tasks. Linear regression is the cornerstone in many machine learning tasks, and hence creating secure protocols for this task is a crucial step towards secure machine learning.
Our protocol utilizes a novel combination of techniques from secure computation, robust statistics, and differential privacy.
On synthetic data, TRIP recovers the planted ground truth; on real-world datasets, its model remains close to the clean OLS baseline under up to 40% target corruption. In terms of efficiency, our protocol runs up to $250\times$ faster than an MPC-only baseline for $10^6$ samples. Even in the smallest parameter setting, TRIP is $10\times$ faster than our baseline.
## 2026/1303
* Title: Subspace Differential Uniformity
* Authors: Sondre Rønjom, Arne Sandrib, Joakim Sunde
* [Permalink](
https://eprint.iacr.org/2026/1303)
* [Download](
https://eprint.iacr.org/2026/1303.pdf)
### Abstract
The main contribution of this paper is to introduce Subspace Differential Uniformity (SDU) for S-boxes and block ciphers. The SDU is essentially a measure of how well any function spreads input differences clustered in affine subspaces away from affine clusters in output differences. We provide some lower bounds for the SDU and describe an efficient algorithm for computing the SDU. Moreover, we provide results for some popular classes of S-boxes up to $n=8$.
## 2026/1304
* Title: Security Analysis of One Lightweight Certificateless Mutual Authentication Scheme Based on Signatures for IIoT
* Authors: Zhengjun Cao, Lihua Liu
* [Permalink](
https://eprint.iacr.org/2026/1304)
* [Download](
https://eprint.iacr.org/2026/1304.pdf)
### Abstract
We show that the certificateless signature scheme [IEEE ITJ, 26852-26865, 2024] is insecure against a public key replacement attack. An adversary can forge signatures for any message by replacing the signer's public key. We find that the two components $\delta_A$ and $T_A$ of the signature $\sigma_A=(m_A, ID_A, \delta_A, T_A)$ are not tightly bound to the target message $m_A$ and the signer's identity $ID_A$. Because of this inherent flaw, the adversary can find an efficient signing algorithm that is functionally equivalent to the valid signing algorithm. The findings could be helpful for researchers unfamiliar with the design techniques for certificateless signatures.
## 2026/1305
* Title: SUF-CMA SQISign via Canonical Response Encoding
* Authors: Dustin Ray
* [Permalink](
https://eprint.iacr.org/2026/1305)
* [Download](
https://eprint.iacr.org/2026/1305.pdf)
### Abstract
SQIsign is the only isogeny-based digital signature scheme under
consideration in NIST's post-quantum standardization process. All
published security results, including the first complete proof
(CRYPTO 2025), establish only existential unforgeability under
chosen-message attack (EUF-CMA). It is known informally that SQIsign
does not achieve strong unforgeability (SUF-CMA) due to the
non-uniqueness of its two-dimensional isogeny representation.
We make three contributions. First, we identify a concrete
malleability vector in the SQIsign v2.0 specification: the basis
change matrix in the signature can be negated modulo 2^N to produce a
distinct valid signature for the same public key and message. This is
the direct structural analog of ECDSA's (r,s) versus (r,n-s)
malleability. We provide a proof-of-concept against the C reference implementation at all three NIST security levels.
Second, we propose a minimal fix: canonical matrix encoding, where the
signer normalizes the matrix and the verifier rejects non-canonical
forms. We prove that after canonicalization, the response encoding is
injective (each mathematical response isogeny maps to exactly one byte
string), using the structure of reducible gluings of abelian
varieties.
Third, we prove that the modified scheme achieves SUF-CMA in the
quantum random oracle model under the assumptions of the existing
EUF-CMA proof together with an explicit compatible-auxiliary-isogeny
hardness assumption (consistent with the endomorphism ring hardness
underlying SQIsign): the sigma protocol's honest-verifier
zero-knowledge and special soundness together with computationally
unique responses (established by our encoding injectivity result)
imply SUF-CMA. This is the first SUF-CMA result for any SQIsign
variant.
## 2026/1306
* Title: TETRIS: Automated Design Space Exploration of Randomness-Latency Trade-offs in Masked Hardware
* Authors: Nilotpola Sarma, Tapish Patidar, Nupur Brahamanya, Chandan Karfa
* [Permalink](
https://eprint.iacr.org/2026/1306)
* [Download](
https://eprint.iacr.org/2026/1306.pdf)
### Abstract
Given a fixed security order, the randomness and latency of masked hardware present a trade-off. This trade-off has not been structurally examined well enough to enable an efficient search for a user-optimal (randomness- or latency-efficient) masked design. Gadget-based masking has simplified masking by using masked functions called *gadgets*, corresponding to simpler (unmasked) functions, as building blocks for larger masked designs. These gadgets, in turn, have masking-order-dependent latency-randomness costs, lending a structure to the randomness and latency of gadget-based masked hardware. This structure enables automated Design-Space Exploration (DSE) of gadget-based masked hardware that takes in a user's constraints on randomness (or latency) to arrive at the latency-optimal (or randomness-optimal) assignment of gadgets with less area, and vice versa.
This article introduces a software-level DSE approach built on two DSE algorithms, Minimize Latency under Randomness Constraints (MLRC) and Minimize Randomness under Latency Constraints (MRLC), which are duals of each other. While prior work solves the problem of optimizing masked hardware by formulating a global SAT optimization, our results show that gadget-based masked hardware using Probe-Isolating Non-Interference (PINI) gadgets embodies a structured trade-off that lends itself to efficient heuristic-based solutions instead of heavy global optimizations. This gives our tool area results comparable or superior to the state of the art (SOTA) in under a millisecond, a speedup of several orders of magnitude.
## 2026/1307
* Title: A Communication-Efficient Local-Verification Framework for Maliciously Secure MPC with a Two-Thirds Honest Majority
* Authors: Hanchao Ku, Hikaru Tsuchida, Mingwu Zhang, Takashi Nishide
* [Permalink](
https://eprint.iacr.org/2026/1307)
* [Download](
https://eprint.iacr.org/2026/1307.pdf)
### Abstract
Secure Multi-Party Computation (MPC) is a cryptographic primitive that enables multiple parties to jointly compute a function over their inputs without revealing the inputs. An MPC protocol is required to provide security against adversarial behavior, typically considered in two classic models: the *semi-honest* model, where adversaries follow the protocol but attempt to learn additional information from the transcript, and the *malicious* model, where adversaries may arbitrarily deviate from the protocol. Protocols secure against semi-honest adversaries are often more efficient, but in many real-world applications the stronger guarantee of malicious security is required.
In this work, we propose an efficient MPC protocol secure against static malicious adversaries controlling at most $t<n/3$ out of $n$ parties. Our protocol builds on Shamir's secret sharing and follows a compiler-based approach: the parties first evaluate the circuit using a semi-honest protocol and then run a verification procedure that enables honest parties to detect cheating except with small statistical error. Our construction injects fresh randomness into the verification procedure to detect cheating even in the presence of incorrect multiplication triples. It also reduces communication overhead by replacing several invocations of multiplication verification with local degree-$2t$ computations and a batched opening, while keeping the local verification cost comparable to or lower than that of prior protocols. We give a concrete instantiation of the compiler and prove that the resulting protocol is secure against malicious adversaries.
## 2026/1308
* Title: Trust the Voice, Hide the Source: Anonymous Provenance for Verifiably Edited Audio
* Authors: Xiyuan Fu, Zixing Wang, Hongbo Wang, Yu Chen
* [Permalink](
https://eprint.iacr.org/2026/1308)
* [Download](
https://eprint.iacr.org/2026/1308.pdf)
### Abstract
Audio recordings are often used as evidence, but modern forgery tools make their origin harder to verify. Existing authentication methods require releasing the original signed recording, which exposes sensitive source content as well as provenance information. Redacting the audio avoids that disclosure, but doing so also invalidates the original signature. Revealing the edit operations to prove edit compliance can also disclose the redacted content. This creates a conflict for existing approaches: authenticating a released audio file requires disclosing the original audio, edit operations, or identity of the recording device, but preserving privacy requires keeping all three hidden.
In this work, we propose *Privacy-Preserving Audio Authentication Systems* (PPAAS). PPAAS uses a single relation that binds source provenance and edit correctness to the same hidden witness. This witness includes both the attested source recording and device attestation, so the verifier can be convinced that the released audio came from an authorized device and was obtained through allowed edits, without learning the source recording, the edit operations, or which enrolled device produced it. We formalize this notion and provide two constructions adapted to different editing scenarios. The first is a *segmentation-based* construction that requires zero-knowledge proofs only for actively edited segments and is therefore well-suited to sparse edits. The second is an *iteration-based* construction that uses Incrementally Verifiable Computation (IVC) with zero-knowledge compression to fold repeated checks into a single proof, which is efficient for dense edits. Our evaluations show the practicality of both constructions: the segmentation-based approach minimizes cost for sparse edits, whereas the iteration-based approach becomes preferable as edit density increases.
## 2026/1309
* Title: Forensic Cryptanalysis of the Backdoored UA-8295 Message Terminal
* Authors: Stijn Maatje, Marc Stevens
* [Permalink](
https://eprint.iacr.org/2026/1309)
* [Download](
https://eprint.iacr.org/2026/1309.pdf)
### Abstract
Nation state agencies go to great lengths to obtain signals intelligence, including backdooring cryptographic standards and equipment. Although the existence of these backdoor efforts is common knowledge, only a few of the known backdoored systems have been publicly analysed.
In this paper we present the first detailed *forensic cryptanalysis* of the backdoored UA-8295 message terminal, and we try to answer the questions of how the UA-8295's backdoor was designed and for which attack. Towards a better understanding of real-world backdoor design, we posit a *Backdoor Conjecture* that provides handles to reason about the design of backdoors and the attacks they are designed for.
## 2026/1310
* Title: Designing Wallet-Based User Intervention for Approval Phishing Mitigation
* Authors: Maggie Yongqi Guan, Yuqi Xu, Yunlong Mao, Wei Tong, Xiaobo Zhou, Kanye Ye Wang
* [Permalink](
https://eprint.iacr.org/2026/1310)
* [Download](
https://eprint.iacr.org/2026/1310.pdf)
### Abstract
Approval phishing is a form of Web3 phishing that exploits token approval mechanisms to trick users into granting attackers spending authority over their tokens. As attackers increasingly hijack legitimate websites, URL-based detection alone becomes insufficient, leaving crypto wallets as the last line of defense. Based on the characteristics of approval mechanisms, we propose four wallet-based interventions for mitigating approval phishing: Spending Cap Suggestion, Active Spender Warning, Passive Spender Warning, and Delayed Confirmation. We evaluate the interventions through a between-subjects experiment (n = 364) and semi-structured interviews (n = 23). Compared with the control group, the Spending Cap Suggestion condition significantly increases the likelihood that users set spending caps. The Active Spender Warning, Passive Spender Warning, and Delayed Confirmation conditions all increase cancellation rates of phishing tasks, although the increases are statistically significant only for Active Spender Warning and Delayed Confirmation conditions. The effectiveness of the interventions varies across users, as users may struggle to interpret suspicious cues and focus on transaction outcomes while overlooking approval details. Our findings highlight the need to strengthen defenses against such attacks by increasing users' awareness of post-approval consequences and supporting approval-parameter verification at the moment of authorization.
## 2026/1311
* Title: The Relative Trace-Zero Subgroup of the Barreto-Naehrig Curves
* Authors: Julius Zhang
* [Permalink](
https://eprint.iacr.org/2026/1311)
* [Download](
https://eprint.iacr.org/2026/1311.pdf)
### Abstract
We prove a folklore characterization of the BN pairing subgroup as the kernel of a relative trace map on the $n$-torsion points.
## 2026/1312
* Title: Post-Quantum Security of Tweakable Key-Alternating Feistel Ciphers in the Multi-Key Setting
* Authors: Rentaro Shiba, Tetsu Iwata
* [Permalink](
https://eprint.iacr.org/2026/1312)
* [Download](
https://eprint.iacr.org/2026/1312.pdf)
### Abstract
In this paper, we prove the post-quantum security of the Tweakable Key-Alternating Feistel cipher (TKAF) with a public random function in the Q1 model, under the assumption that the adversary is given quantum access to the internal primitive. Specifically, our target is the TKAF studied in the classical setting by Yan et al. (ACNS 2020), where the tweak is injected into the round-key XOR via a hash function from an $\epsilon$-AXU family. Our proof draws on the post-quantum security proof for the (non-tweakable) key-alternating Feistel ciphers by Basak et al. (ASIACRYPT 2025), and adapts it to the tweakable setting and further to the multi-key setting, where an adversary can access multiple classical oracles. As a result, we prove that the 3-round TKAF is post-quantum TPRP-secure and the 4-round TKAF is post-quantum STPRP-secure. Specifically, under the assumption that the adversary is given classical access to $\ell$ independently specified oracles, at least $\mathrm{\Omega} (2^{n/3}/\ell^{2/3})$ classical and quantum queries or $\mathrm{\Omega}(\epsilon^{-1/2})$ classical queries are required to break the post-quantum TPRP security of the 3-round TKAF and to break the post-quantum STPRP security of the 4-round TKAF.
## 2026/1313
* Title: So Long, and Thanks for All the Seeds: Attacking GGM-trees in Post-quantum signatures
* Authors: Gustavo Banegas, Damya Bouizegarene
* [Permalink](
https://eprint.iacr.org/2026/1313)
* [Download](
https://eprint.iacr.org/2026/1313.pdf)
### Abstract
Post-quantum signatures built from Fiat-Shamir transforms of zero-knowledge identification protocols, including LESS, CROSS, and MEDS, use GGM-tree seed
compression to shrink signatures, revealing only the seeds of public rounds while hiding the challenge-dependent ones. This mechanism introduces a fault-attack surface: faulting the seed publication can expose hidden seeds alongside their zero-knowledge responses, enabling recovery of secret information. We introduce the Generic ZK Seed Tree (GZKST), a unified abstraction of GGM-tree generation, challenge partitioning, and seed publication across these schemes, and formalize its correctness and seed-hiding invariants. We show that prior attacks on LESS-v1 and LESS-v2 violate the same invariant despite targeting different implementation layers and tree constructions, derive generic key-recovery algorithms from this view,
and bound the number of effective faulted signatures needed for full recovery: only a few successful queries suffice for every MEDS parameter set. We further demonstrate the attacks in practice through clock-glitch fault injection against the MEDS reference implementation on an ARM Cortex-M4 (ChipWhisperer-Lite), identifying multiple exploitable surfaces in tree traversal and path construction that enable complete tree disclosure, partial subtree recovery, or leakage of hidden leaves.
## 2026/1314
* Title: HHE Kombat: Benchmarking Hybrid Homomorphic Encryption Schemes
* Authors: Hossein Abdinasibfar, Camille Nuoskala, Antonis Michalas
* [Permalink](
https://eprint.iacr.org/2026/1314)
* [Download](
https://eprint.iacr.org/2026/1314.pdf)
### Abstract
Hybrid Homomorphic Encryption (HHE) is emerging as a practical alternative to fully homomorphic encryption by offloading computational overhead to the cloud. Despite the growing number of HHE schemes and implementations, no unified evaluation methodology currently exists. In this work, we present a comprehensive and reproducible benchmarking framework covering both standard and HE-friendly HHE schemes. We analyze and evaluate 19 open-source HHE frameworks, comprising benchmarks of 218 distinct ciphers, across diverse HE libraries and programming languages.
To ensure fair comparison, we interpret the main results under an HHE-128 security target, separating standardized or author-claimed 128-bit settings from below-target measurements.
Our contributions include a unified repository, a language-agnostic benchmarking tool, and detailed metrics on runtime and memory usage. The results offer actionable insights into the security-aware performance trade-offs of each design and lay the groundwork for standardizing future HHE evaluations.
## 2026/1315
* Title: VERDICT: A Cryptographically Verifiable Framework for Secure Data Lineage in Decentralized DAGs
* Authors: Bilel Zaghdoudi, Maria Potop Butucaru
* [Permalink](
https://eprint.iacr.org/2026/1315)
* [Download](
https://eprint.iacr.org/2026/1315.pdf)
### Abstract
Ensuring the integrity and traceability of data transformations in
distributed systems presents significant challenges, particularly in environments where data privacy and decentralization are paramount.
This paper introduces a novel secure lineage verification
system based on Directed Acyclic Graphs (DAGs) and homomorphic
hash functions, VERDICT. Our approach represents data artifacts
and their transformations as two interconnected DAGs: a Data DAG
tracking data dependencies and an Event DAG capturing causality
between transformation events. We propose a level-based DAG
compression technique that decomposes these graphs based on
distance from genesis nodes, enabling efficient verification through
skip DAG structures. The system incorporates bucket indexing and
Merkle tree verification to provide cryptographic guarantees of
data and event existence. We present formal algorithms for DAG
construction, level-based hashing, skip DAG traversal, and verification processes. Security analysis demonstrates the system's resistance
to tampering and modification attacks while maintaining
privacy. Replay attacks are prevented through an application-layer challenge-response mechanism. Our approach has significant applications
in federated learning environments and decentralized
architectures, where it can serve as a notary component for tracing
events without compromising data confidentiality. Theoretical analysis
shows that our method achieves verification in $\mathcal{O}(\log L)$ time
in the number of DAG levels, independent of the number of nodes
per level, making it suitable for large-scale distributed systems.
## 2026/1316
* Title: Computing multi-scalar multiplication on memory-constrained devices
* Authors: Léo Noël, Thomas Plantard
* [Permalink](
https://eprint.iacr.org/2026/1316)
* [Download](
https://eprint.iacr.org/2026/1316.pdf)
### Abstract
Multi-Scalar Multiplication (MSM) is a critical operation in most pairing-based zero-knowledge proofs. In many studies, memory limitations have been reported to be the primary bottleneck preventing the calculation of larger MSMs. In this paper, we are particularly interested in the acceleration of this operation on devices with limited memory.
Pippenger's algorithm (also known as the bucket method) is the most efficient and, consequently, the most widely used method to calculate Multi-Scalar Multiplications. We propose an optimization of Pippenger's algorithm which is at least as efficient as the original, and significantly more effective when operating under limited memory. The main idea is to use a number of buckets adapted to the available memory instead of $2^w - 1$. We conducted tests on the curve BLS12-381 with Multi-Scalar Multiplications ranging from $2^8$ to $2^{14}$ points. The results obtained demonstrate a very significant gain (up to $40\%$) for very limited memories. This gain gradually decreases as more memory becomes available, until we achieve performance comparable to Pippenger's once memory is no longer limited. For example, in a Multi-Scalar Multiplication with $2^{13}$ points, we observe a gain of $40\%$ with only $1$ KB of memory, $20\%$ with $15$ KB, $15\%$ with $35$ KB, and so on, down to $1.5\%$ once memory is no longer a constraint.
## 2026/1317
* Title: ProtogaLattice: Constant-Round Lattice-based Folding for General Polynomial Relations
* Authors: David Balbás, Anca Nitulescu, Maxime Plançon
* [Permalink](https://eprint.iacr.org/2026/1317)
* [Download](https://eprint.iacr.org/2026/1317.pdf)
### Abstract
Folding schemes are gaining traction recently as they unlock practical instantiations of incrementally verifiable computation (IVC) and proof-carrying data (PCD). In particular, there has been a growing interest in folding schemes for high-degree relations, as these can efficiently arithmetize complex computations. While the landscape is vast, all lattice-based constructions such as Latticefold+, (Super)Neo, and Cyclo heavily rely on the sumcheck protocol. Sumcheck gives efficient proving times, but the verifier circuits become very large, partially because of the many random oracle invocations required. These hinder the efficiency of IVC and PCD instantiations, as the prover must prove the execution of the verifier circuit at every iteration.
We present ProtogaLattice, a new lattice-based folding scheme for general high-degree polynomial relations that drastically reduces the size of the verifier's circuits. We deviate from the sumcheck approach and instead take inspiration from Protostar [Bünz & Chen, Asiacrypt '23] and Protogalaxy [Eagen & Gabizon, '23], which fold witnesses using algebraic techniques in a constant number of rounds. Our contribution is threefold:
(1) a novel technique to achieve PCD through Protogalaxy, which we find of interest also in the classical (i.e. pairing-based) setting,
(2) a folding scheme that combines multiple instances of polynomial relations into accumulators, and
(3) a bootstrapping protocol to reduce the norm of the witnesses underlying these accumulators. A full iteration of ProtogaLattice requires only four random oracle calls (not counting the overhead induced by the extra range proof used as a black-box).
Our techniques open new directions towards building lattice-based proofs that support more expressive relations and that present smaller recursion overheads.
## 2026/1318
* Title: Cryptanalysis of HAWK: a Guessing Game
* Authors: Ben Nelson, Joshua Limbrey, Cong Ling, Andrew Mendelsohn
* [Permalink](https://eprint.iacr.org/2026/1318)
* [Download](https://eprint.iacr.org/2026/1318.pdf)
### Abstract
HAWK is a signature scheme that was introduced in 2022, and uses the lattice isomorphism problem (LIP) as a basis for post-quantum cryptography. In this work, we describe a classical algorithm that recovers the HAWK secret key in probabilistic polynomial time, assuming four number-theoretic heuristics. The reduction from the rank-2 module-LIP instances underlying HAWK to nrdPIP (Eurocrypt '25) is central to our algorithm. At a high level, we first conjugate the HAWK public Gram matrix $G$ by a random lower-triangular unimodular matrix $U$ with 'short' entries, forming a new Gram matrix $G':=U^\ast GU$, and then test whether the $\mathcal{O}$-nrdPIP instance attached to $G'$ is unusually easy. In particular, for a non-negligible proportion of such instances $G'$, one can use the Lenstra-Silverberg algorithm to solve the corresponding $\mathcal{O}$-nrdPIP instance using a subfield approach. By resampling $U$ until such an instance is uncovered and solved, which can be seen as 're-randomising' the $\mathcal{O}$-nrdPIP instance whilst fixing the corresponding module-LIP instance, we are then able to recover a valid HAWK private key. At the time of writing, we do not claim that HAWK is broken, as we have not yet verified these heuristics experimentally. On the other hand, these heuristics seem to be very plausible, and we hope to be able to verify this in the future with an implementation of our algorithm.
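The step "conjugate the public Gram matrix by a unimodular $U$" rests on a basic lattice fact worth seeing in numbers: $U^\ast G U$ is the Gram matrix of the basis $BU$, which generates the same lattice whenever $U$ is unimodular, so a LIP instance is really an equivalence class of Gram matrices rather than one matrix. The following is an added illustration of that fact on constructed $2 \times 2$ integer matrices, not code from the paper; it simplifies $U^\ast$ to the plain transpose, since over the integers the two coincide, and the basis $B$ and matrix $U$ are constructed examples:

```python
def transpose(m):
    return [list(col) for col in zip(*m)]


def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]


def det(m):
    """Determinant by Laplace expansion; adequate for the tiny integer matrices here."""
    n = len(m)
    if n == 1:
        return m[0][0]
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        total += (-1) ** j * m[0][j] * det(minor)
    return total


def gram(basis):
    """Gram matrix B^T B of a basis whose columns are the lattice vectors."""
    return matmul(transpose(basis), basis)


def is_unimodular(u):
    """Integer matrix with determinant +/-1, i.e. an invertible change of lattice basis."""
    return det(u) in (1, -1)


def conjugate(g, u):
    """G' = U^T G U: the Gram matrix of basis B U, describing the same lattice when U is unimodular."""
    assert is_unimodular(u), "a non-unimodular U would change the lattice, not just the basis"
    return matmul(matmul(transpose(u), g), u)


def example():
    """Constructed basis and lower-triangular unimodular U with short entries."""
    b = [[2, 1], [0, 3]]       # constructed basis B (columns are lattice vectors)
    u = [[1, 0], [-1, 1]]      # constructed lower-triangular unimodular U, det(U) = 1
    g = gram(b)                # [[4, 2], [2, 10]]
    g_prime = conjugate(g, u)  # [[10, -8], [-8, 10]]
    # Both checks hold by construction: same lattice, hence same determinant,
    # and the conjugated matrix is still a symmetric Gram matrix.
    assert g_prime == gram(matmul(b, u))
    assert det(g_prime) == det(g) == det(b) ** 2
    assert g_prime == transpose(g_prime)
    return g, g_prime


if __name__ == "__main__":
    g, g_prime = example()
    print("G  =", g)
    print("G' =", g_prime)
```

The defensive reading is the one that matters for anyone evaluating LIP-based schemes: the public key commits only to the lattice's isometry class, so any analysis of a scheme's hardness has to hold for every unimodular re-basing of the published Gram matrix, not just the one the signer chose to publish.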
--- Synchronet 3.22a-Linux NewsLink 1.2