From Newsgroup: sci.crypt
## In this issue
1. [2025/978] Multi-Party Distributed Point Functions with ...
2. [2025/982] Simulatability versus Indistinguishability SOA: CCA ...
3. [2025/986] The R|-nyi Smoothing Parameter and Its Applications ...
4. [2025/1834] Ajax: Fast Threshold Fully Homomorphic Encryption ...
5. [2026/8] A SNARK for (Non-)Subsequences with Text-Sub-Linear ...
6. [2026/15] Qurrency: a quantum-secure, private, and auditable ...
7. [2026/22] FABS: Fast Attribute-Based Signatures
8. [2026/25] JAGUAR: Efficient and Secure Unbalanced PSI under ...
9. [2026/27] Practical SNARGs for Matrix Multiplications over ...
10. [2026/29] Fast Unbalanced Private Computation on Set ...
11. [2026/30] Incremental Single-Server Private Information Retrieval
12. [2026/32] The Algebraic Isogeny Model: A General Model with ...
13. [2026/36] AKE Protocol Combining PQC and QKD
14. [2026/37] On those Boolean functions having only one Walsh zero
15. [2026/38] Scalable Honest-majority MPC for Machine Learning ...
16. [2026/39] Abelian surfaces in Hesse form and explicit isogeny ...
17. [2026/40] Efficient Polynomial Evaluation over Structured ...
18. [2026/41] Towards Privacy-Preserving Unmanned Aerial Vehicles ...
19. [2026/42] Fully Secure DKG Protocols for Discrete Logarithm ...
20. [2026/43] Classical Obfuscation of Quantum Circuits via ...
21. [2026/44] Jindo: Practical Lattice-Based Polynomial ...
22. [2026/45] Formalizing Privacy-Enhanced Whitelists: A Secure ...
23. [2026/46] Euston: Efficient and User-Friendly Secure ...
24. [2026/47] SoK of Private Deep Neural Network Inference with ...
25. [2026/48] Masked Solving of Linear Equations System and ...
26. [2026/49] Argo MAC: Garbling with Elliptic Curve MACs
27. [2026/50] Low-Latency Low-Randomness OPINI Gadgets and Their ...
28. [2026/51] An improved random AKS-class primality proving ...
29. [2026/52] XM-VRF: Forward Secure, Fast and Key Updatable Hash ...
30. [2026/53] Kilobyte-Bandwidth Subliminal Channels in FIPS 204 ...
31. [2026/54] Communication and Storage-Friendly Bidirectional ...
32. [2026/55] RotorCipher: A Modern Approach to Rotor Ciphers ...
33. [2026/56] Rejection Matters: Efficient Non-Profiling Side- ...
34. [2026/57] Timed Commitments and Timed Encryption: Generic ...
35. [2026/58] Zero Knowledge (About) Encryption: A Comparative ...
36. [2026/59] Heli: Heavy-Light Private Aggregation
37. [2026/60] Blind Adaptor Signatures, Revisited: Stronger ...
38. [2026/61] $L$ for the Price of One: On the Benefits of Using ...
39. [2026/62] (Fine-Grained) Unbounded Inner-Product Functional ...
40. [2026/63] Policy-based Access Tokens: Privacy-Preserving ...
41. [2026/64] Breaking the KAZ Suite: Practical Key Recovery ...
42. [2026/65] BABE: Verifying Proofs on Bitcoin Made 1000x Cheaper
## 2025/978
* Title: Multi-Party Distributed Point Functions with Polylogarithmic Key Size from Invariants of Matrices
* Authors: Toomas Krips, Pille Pullonen-Raudvere
* [Permalink](
https://eprint.iacr.org/2025/978)
* [Download](
https://eprint.iacr.org/2025/978.pdf)
### Abstract
Distributed point functions (DPFs), introduced in 2014, are a widely used primitive in secure computation for a wide variety of applications. However, until recently, constructions for DPFs with polylogarithmic keys were known only for the two-party setting, multi-party schemes have key sizes exponential in the number of parties or the domain size.
We generalize the efficient tree-based two-party DPF approach and get a scheme for a polylogarithmic-size DPF for an any number of parties. We use a technique where we have the invariant for off-path leaves such that secret-shared vector is mapped to secret submodules by public matrices.
We show, using a technique by Shamir, that these vectors are hard to compute over $\mathbb{Z}_{pq}$ if factoring is hard. Our scheme is a secure DPF under two new assumptions related to Generic Group Model and the Linear Code Equivalence.
The output of our scheme is in the exponent in some group where Diffie-Hellman type problems are hard which limits the usability of the scheme. Still, it is the first multi-party DPF generalizing the tree-based two-party DPF approach. Our scheme is the first where the key is polylogarithmic in the domain size and independent of the number of parties and the key generation and evaluation can be computed efficiently independently of the number of parties.
## 2025/982
* Title: Simulatability versus Indistinguishability SOA: CCA Relations are Sampler-Dependent
* Authors: Hans Heum
* [Permalink](
https://eprint.iacr.org/2025/982)
* [Download](
https://eprint.iacr.org/2025/982.pdf)
### Abstract
Selective Opening Attack (SOA) is a set of security notions modelling the threat of encryption randomness and/or secret keys leaking after-the-fact. Contrary to expectation, we show that there is no general reduction from simulation-based selective opening security (SSO) to indistinguishability-based selective opening security (ISO) in the CCA setting. In particular, we show that when restricted to certain message distributions, SSO-CCA is incomparable with ISO-CCA. This contrasts the CPA case, where SSO-CPA is known to be strictly stronger than ISO-CPA relative to any message sampler. Any sampler with high enough min-entropy suffices for this rCLsemi-separationrCY to appear. On the other hand, we show that restricting to distributions with very low min-entropy gives rise to an implication.
Our main result does not rely on the presence of selective openings, but rather follow from subtleties in the game structures. At a glance, this may seem to contradict known equivalences between indistinguishability, semantic security, and selective opening security under trivial openings. We reconcile the apparent contradiction by showing that the CCA landscape splits into a rCLhigh-entropyrCY and a rCLlow-entropyrCY world, which for notions of SOA must be treated separately.
## 2025/986
* Title: The R|-nyi Smoothing Parameter and Its Applications in Lattice-Based Cryptography
* Authors: Cong Ling, Laura Luzzi, Hao Yan
* [Permalink](
https://eprint.iacr.org/2025/986)
* [Download](
https://eprint.iacr.org/2025/986.pdf)
### Abstract
The smoothing parameter is a cornerstone concept in lattice-based cryptography. Traditionally defined using the \( L^{\infty} \) distance, this standard formulation can be overly stringent compared to the \( L^1 \) (or statistical) distance more commonly employed in cryptographic contexts. Recent work has proposed relaxed definitions based on Kullback-Leibler (KL) divergence and \( L^1 \) distance, thereby loosening the constraints required for the distance to vanish. However, the additive nature of the \( L^1 \) distance can be limiting for cryptographic applications where probability preservation is essential. In this paper, we introduce the {R|-nyi smoothing parameter} of a lattice, based on R|-nyi divergence, to address this limitation. The advantages of R|-nyi divergence in cryptographic settings are well known thanks to its multiplicative nature. The R|-nyi smooting parameter provides a tunable framework that interpolates between the \( L^1 \) and \( L^{\infty} \) distances, offering enhanced flexibility. We present two complementary methods to study the averaging behavior of the R|-nyi flatness factor: one uses classical tools such as the Minkowski-Hlawka ensemble and RogersrCO formula for computing lattice function moments; the other employs Construction A lattices derived from random codes. Finally, we illustrate how this new perspective yields improvements in lattice-based cryptographic constructions.
## 2025/1834
* Title: Ajax: Fast Threshold Fully Homomorphic Encryption without Noise Flooding
* Authors: Zhenkai Hu, Haofei Liang, Xiao Wang, Xiang Xie, Kang Yang, Yu Yu, Wenhao Zhang
* [Permalink](
https://eprint.iacr.org/2025/1834)
* [Download](
https://eprint.iacr.org/2025/1834.pdf)
### Abstract
Threshold fully homomorphic encryption (ThFHE) enables multiple parties to perform arbitrary computation over encrypted data, while the secret key is distributed across the parties. The main task of designing ThFHE is to construct threshold key-generation and decryption protocols for FHE schemes. Among existing FHE schemes, FHEW-like cryptosystems enjoy the advantage of fast bootstrapping and small parameters.
However, known ThFHE solutions use the ``noise-flooding'' technique to realize threshold decryption, which requires either large parameters or switching to a scheme with large parameters via bootstrapping, leading to a slow decryption process. Besides, for key generation, existing ThFHE schemes either assume a generic MPC or a trusted setup, or incur noise growth that is linear in the number $n$ of parties.
In this paper, we propose a fast ThFHE scheme Ajax, by designing threshold key-generation and decryption protocols for FHEW-like cryptosystems. In particular, for threshold decryption, we eliminate the need for noise flooding, and instead present a new technique called ``mask-then-open'' based on random double sharings over different rings, while keeping the advantage of small parameters.
For threshold key generation, we show a simple approach to reduce the noise growth from $n$ times to $max(0.038n,2)$ times in the honest-majority setting, where at most $t=\floor{(n-1)/2}$ parties are corrupted. Our end-to-end implementation reports the running time 17.6 $s$ and 0.9 $ms$ (resp., 91.9 $s$ and 4.4 $ms$) of generating a set of keys and decrypting a single ciphertext respectively, for $n=3$ (resp., $n=21$) parties under the network of 1 Gbps bandwidth and 1 $ms$ ping time. Compared to the state-of-the-art implementation, our protocol improves the end-to-end performance of the threshold decryption protocol by a factor of at least $5.7\times$ $\sim$ $283.6\times$ across different network latencies from $t=1$ to $t=13$. Our approaches can also be applied in other types of FHE schemes like BGV, BFV, and CKKS.
## 2026/8
* Title: A SNARK for (Non-)Subsequences with Text-Sub-Linear Proving Time
* Authors: Dario Fiore, San Ling, Khai Hanh Tang, Hong Hanh Tran, Huaxiong Wang, Yingfei Yan
* [Permalink](
https://eprint.iacr.org/2026/008)
* [Download](
https://eprint.iacr.org/2026/008.pdf)
### Abstract
A keyword $\mathbf{s}$ is a subsequence of a text $\mathbf{t}$ if $\mathbf{s}$ can be obtained by deleting some characters from $\mathbf{t}$; otherwise, $\mathbf{s}$ is a non-subsequence of $\mathbf{t}$. (Non-)subsequence relationships arise in various fields, including genetic analysis, blockchains, and natural language processing. Recently, Ling et al. (SCN 2024) proposed a succinct argument for non-subsequences based on multivariate sumcheck (Lund et al., FOCS 1990) whose prover's running time is at least $\mathcal{O}(n + N + |\Sigma|)$, where $n$ and $N$ are respectively the lengths of strings $\mathbf{s}$ and $\mathbf{t}$, and $\Sigma$ is the alphabet over which $\mathbf{s}$ and $\mathbf{t}$ are defined. As shown in their work, proving non-subsequence relationships is non-trivial since one needs to decompose such an argument into smaller components for sumcheck, permutation, and lookup.
We propose a subsequence scheme that separates proving (non-)subsequences into the following two phases: (i) a preprocessing phase and (ii) a (non-)subsequence proving phase, assuming $n \ll N$ (i.e., $|\mathbf{s}| \ll |\mathbf{t}|$). Specifically, we can generate a one-time preprocessing proof with inputs $\mathbf{t}$ and $\Sigma$, without any knowledge of $\mathbf{s}$. When $\mathbf{s}$ is known, we can determine whether $\mathbf{s}$ is a subsequence of $\mathbf{t}$ and prove the corresponding statement. Employing cached quotients (IACR ePrint 2022/1763), we achieve a running time quasi-linear in $N + |\Sigma|$ for preprocessing, while the running time of proving a (non-)subsequence relationship is $\mathcal{O}(n \log_2 (N + |\Sigma|))$ for each query $\mathbf{s}$. Since $n \ll N$ and $\log_2(N + |\Sigma|)$ grows sub-linearly with the text size, this saves the prover's running time, assuming a preprocessing depending only on $\mathbf{t}$ is computed in advance. Hence, we achieve a \textit{text-sub-linear} proving time.
## 2026/15
* Title: Qurrency: a quantum-secure, private, and auditable platform for digital assets
* Authors: Arka Rai Choudhuri, Sanjam Garg, Matthew Gregoire, Keewoo Lee, Mike Lodder, Hart Montgomery, Guru Vamsi Policharla, Jim Zhang
* [Permalink](
https://eprint.iacr.org/2026/015)
* [Download](
https://eprint.iacr.org/2026/015.pdf)
### Abstract
Central bank digital currencies (CBDCs) and other related digital asset platforms have the potential to revolutionize the financial world. While these platforms have been deployed in test environments by virtually all large financial institutions, including central banks, there are still several limitations of these systems that prevent widespread adoption. These include (i) privacy, (ii) security against quantum adversaries, and (iii) auditability. In this work, we undertake (to our knowledge) the first formal study of these systems.
While there have been many digital asset platforms implemented, we do not know of any formal model for a fundamentally UTXO-based digital asset platform/CBDC. Our first contribution is a formal modeling of a UTXO-based private digital asset system that meets our requirements listed above. This model is loosely based upon the open source software that we found came the closest to meeting our requirements, Linux Foundation Decentralized Trust (LFDT) Zeto. In the course of our formal modeling, we helped to improve the security of Zeto. We then provide an efficient construction of such a system, which we call Qurrency. Qurrency is an efficient UTXO-based privacy-preserving token system that includes an auditing mechanism and is secure against "harvest now, decrypt later" attacks, which is critically important for several central banks, including the Bank of Brazil. We implemented our construction to show that it is practically efficient and can be used on any EVM-based blockchain system with ease.
## 2026/22
* Title: FABS: Fast Attribute-Based Signatures
* Authors: Liqun Chen, Long Meng, Yalan Wang, Nada El Kassem, Christopher JP Newton, Yangguang Tian, Jodie Knapp, Constantin Catalin Dragan, Daniel Gardham, Mark Manulis
* [Permalink](
https://eprint.iacr.org/2026/022)
* [Download](
https://eprint.iacr.org/2026/022.pdf)
### Abstract
Attribute-based signatures (ABS) provide fine-grained control over who
can generate digital signatures and have many real-world applications.
This paper presents a pair of fast ABS schemes: one for Key-Policy ABS
(KP-ABS) and another for Signature-Policy ABS (SP-ABS). Both schemes
support expressive policies using Monotone Span Programs (MSP), and
offer practical features such as large universe, arbitrary attributes, and
adaptive security. Most notably, we provide the first implementation of
MSP-based ABS schemes and demonstrate that our schemes achieve
the best-known asymptotic and concrete performance in this domain.
Asymptotically, key generation, signing and verification time scale
linearly with the number of attributes; verification requires only two
pairing operations. In concrete terms, for 100 attributes, our KP-ABS
scheme performs key generation, signing, and verification in 0.16s, 0.10s,
and 0.13s, respectively; our SP-ABS scheme achieves times of 0.082s,
0.26s, and 0.21s for the same operations.
## 2026/25
* Title: JAGUAR: Efficient and Secure Unbalanced PSI under Malicious Adversaries in the Client-Server Setting
* Authors: Weizhan Jing, Xiaojun Chen, Xudong Chen, Ye Dong, Qiang Liu, Tingyu Fan
* [Permalink](
https://eprint.iacr.org/2026/025)
* [Download](
https://eprint.iacr.org/2026/025.pdf)
### Abstract
In many unbalanced private set intersection (uPSI) applications of the client-server setting, the server needs to perform uPSI with multiple clients. Cong \textit{et al.} (ACM CCS'21) proposed a state-of-the-art (SOTA) uPSI protocol based on fully homomorphic encryption (FHE), achieving malicious security by employing an oblivious pseudorandom function (OPRF) in the pre-processing phase.
However, re-executing existing uPSI protocols with each client imposes significant computational overhead for the server.
In this paper, we present JAGUAR, a maliciously secure and efficient uPSI protocol designed for this setting. JAGUAR reduces online computation through a Divide-and-Combine optimization, requiring only $\mathcal{O}(\sqrt{|X|})$ homomorphic multiplications. Furthermore, it employs a novel fixed VOLE-based OPRF that enables reusable and lightweight pre-processing across multiple clients.
Experimental results demonstrate that JAGUAR achieves up to $2.7\times$ improvement in online runtime compared to the SOTA protocol in LAN. In multi-client scenarios, JAGUAR further outperforms existing protocols by a wide margin in terms of scalability and overall performance.
## 2026/27
* Title: Practical SNARGs for Matrix Multiplications over Encrypted Data
* Authors: Louis Tremblay Thibault, Michael Walter, Jiapeng Zhang
* [Permalink](
https://eprint.iacr.org/2026/027)
* [Download](
https://eprint.iacr.org/2026/027.pdf)
### Abstract
Fully Homomorphic Encryption (FHE) enables computations to be performed directly on encrypted data, without ever requiring decryption. This capability is particularly crucial for privacy-preserving outsourced computation in sensitive fields such as healthcare and finance. While FHE ensures data confidentiality under the honest-but-curious adversarial model, achieving full malicious security, encompassing both integrity and privacy, requires an additional layer of verifiability.
To address this, a growing body of research has explored combining FHE with techniques from verifiable computation, leading to the notion of verifiable FHE (vFHE). However, the integration of these two paradigms often results in substantial computational overhead, making existing approaches largely impractical for real-world deployment.
In this work, rather than targeting general-purpose verifiable FHE, we design a novel and practical verifiable homomorphic encryption scheme tailored for an important and widely used operation: matrixrCovector multiplication. We provide an open-source implementation and our experimental results demonstrate that the proposed scheme achieves high efficiency, making it ready for practical adoption.
## 2026/29
* Title: Fast Unbalanced Private Computation on Set Intersection from Permuted Multi-Query Private Membership Test
* Authors: Weizhan Jing, Xiaojun Chen, Xudong Chen, Ye Dong, Yaxi Yang, Qiang Liu
* [Permalink](
https://eprint.iacr.org/2026/029)
* [Download](
https://eprint.iacr.org/2026/029.pdf)
### Abstract
Unbalanced private computation on set intersection (uPCSI) enables two parties to securely compute fine-grained functions over $X\cap Y$, where $|Y|\ll |X|$.
Existing works proposed a uPCSI framework based on fully homomorphic encryption (FHE)-based private set intersection (PSI) protocols.
However, their solutions face efficiency limitations, as they introduce an additional comparison procedure with a complexity of $\mathcal{O}(|Y|\log|X|)$.
In this paper, we present a lightweight uPCSI framework with semi-honest security. First, we propose a permuted multi-query private membership test (pmqPMT) protocol and its labeled variant from the FHE-based PSI, thereby avoiding the costly comparison procedure. Upon our pmqPMT, we propose an optimized uPCSI framework for computing arbitrary functions over the intersection, along with several specific optimizations for better efficiency. Besides, our framework can be extended to support more comprehensive labeled uPCSI requirements, covering both single-labeled and double-labeled cases. Compared to the state-of-the-art uPCSI protocols, we achieve over a $4.7\times$ online speedup and reduce communication costs by 15% on average.
## 2026/30
* Title: Incremental Single-Server Private Information Retrieval
* Authors: Pengfei Lu, Guangwu Xu, Zengpeng Li, Mei Wang, Haoyu Cui
* [Permalink](
https://eprint.iacr.org/2026/030)
* [Download](
https://eprint.iacr.org/2026/030.pdf)
### Abstract
Incremental preprocessing in private information retrieval (PIR) schemes refers to handle insertions, modifications, and deletions to the database without requiring complete preprocessing after each update. This broadens the applicability of PIR in practical scenarios. However, two major issues remain: the concept of incremental preprocessing for the single-server PIR is still not established, and the row-level update strategy (iSimplePIR (Row-level)) introduces excessive unnecessary overhead. This paper aims to efficiently extend incremental preprocessing to the single-server setting. To our knowledge, we are the first to propose the formal definition of single-server incremental PIR. Besides, we construct an entry-level incremental scheme (iSimplePIR (Entry-level)) based on SimplePIR (USENIX rCO23). iSimplePIR (Entry-level) supports real-time updates of individual entries, as well as optimization of communication for scenarios with certain update cycles by incorporating a row aggregation mechanism. For a 1\% column-major update in a 1GB database, iSimplePIR (Entry-level) achieves a 224$\times$ reduction in preprocessing computation overhead and a 4.2$\times$ reduction in both communication and monetary costs compared to iSimplePIR (Row-level). When applied to password breach detection with completely random entry updates, iSimplePIR (Entry-level) reduces preprocessing time by 86$\times$. Our technique can be applied to reduce the preprocessing cost of any protocol in the SimplePIR family, such as DoublePIR, authenticated PIR (based on the LWE assumption), VeriSimplePIR, and YPIR.
## 2026/32
* Title: The Algebraic Isogeny Model: A General Model with Applications to SQIsign and Key Exchanges
* Authors: Marius A. Aardal, Andrea Basso, Doreen Riepel
* [Permalink](
https://eprint.iacr.org/2026/032)
* [Download](
https://eprint.iacr.org/2026/032.pdf)
### Abstract
We introduce the Algebraic Isogeny Model (AIM): an algebraic model, akin to the Algebraic Group Model in the group setting, for isogenies and supersingular elliptic curves. This model is significantly more general than previous ones, such as the Algebraic Group Action Model: the AIM works with arbitrary isogenies over $\mathbb{F}_{p^2}$, rather than being limited to oriented ones, which gives considerably more power to the adversary.
Within this model, we obtain three results. First, we show that any result in the AGAM can be lifted to the AIM, strengthening previous results against more powerful adversaries. Then, we prove that the SQIsign identification protocol is ID-sound: in turn, this implies that SQIsign is EUF-CMA secure in the Quantum Random Oracle Model, resolving (in the AIM) a long-standing open problem. Lastly, we establish the equivalence of the DLOG and CDH problems for all SIDH-derived key exchanges, such as M-SIDH, binSIDH, and terSIDH.
## 2026/36
* Title: AKE Protocol Combining PQC and QKD
* Authors: Lo|>c Ferreira
* [Permalink](
https://eprint.iacr.org/2026/036)
* [Download](
https://eprint.iacr.org/2026/036.pdf)
### Abstract
With the advent of quantum computing, which threatens the very foundations of classical cryptography, several authenticated key exchange (AKE) protocols have been proposed, combining classical and post-quantum cryptographic algorithms, and a quantum key distribution (QKD) sub-protocol. The goal being to associate the claimed information theoretic security of QKD, and the security based upon computational assumptions of classical and post-quantum cryptography. To our knowledge, in existing security proofs of such hybrid AKE protocols, the QKD phase is treated as a black box and the impact of establishing the output quantum key appears similar as setting a symmetric key beforehand at the two communicating parties. In this paper, we describe an hybrid AKE protocol and a security model that captures multiple security properties. Our security analysis integrates the security loss induced by the QKD phase as well as that of implied by the classical and post-quantum cryptographic algorithms involved in the protocol.
## 2026/37
* Title: On those Boolean functions having only one Walsh zero
* Authors: Claude Carlet, Pierrick M|-aux, Marek Broll
* [Permalink](
https://eprint.iacr.org/2026/037)
* [Download](
https://eprint.iacr.org/2026/037.pdf)
### Abstract
Boolean functions having only one Walsh zero (or equivalently up to a translation, balanced functions whose sums with non-constant affine Boolean functions are all unbalanced) have been constructed for every n reN 10, by Mesnager and the first author, twenty years ago. This same paper had checked (partly mathematically and partly thanks to computer investigations) that no such function exists for n ren 6 but left open the question of constructing them for 7 ren n ren 9. Since then, functions in 7, 8 and 9 variables having one Walsh zero have been found by Lou and Wang, thanks to ad hoc methods combined with computer searches, but not as elements in infinite classes of functions having this property. In the present paper, we provide such infinite classes for n reN 8. For n = 7, we provide one more function (found by a computer investigation thanks to an algorithm) but we leave open the possibility of finding an infinite class valid for n reN 7. We also provide a secondary construction of functions with one Walsh zero in n + 2 variables from such functions in n variables, which does not need particular conditions on the latter for being successful (and which provides then a systematic way to obtain functions in n + 2 variables from functions in n variables). We investigate mathematical proofs of non-existence of such functions in n ren 6 variables.
## 2026/38
* Title: Scalable Honest-majority MPC for Machine Learning from Mixed Secret Sharings
* Authors: Meilin Li, Meng Hao, Yu Chen
* [Permalink](
https://eprint.iacr.org/2026/038)
* [Download](
https://eprint.iacr.org/2026/038.pdf)
### Abstract
Secure multi-party computation (MPC) provides a promising approach for privacy-preserving machine learning (ML). Existing solutions generally fall into two categories but face scalability and efficiency limitations. Protocols based on Shamir secret sharing (SS) incur high communication costs, while those relying on packed Shamir secret sharing (PS) remain largely theoretical and often require costly secret routing, especially for complex ML tasks.
In this work, we propose a mixed secret sharing strategy that leverages PS sharing for non-linear layers with repeated and independent operations, and SS sharing for linear layers such as matrix multiplications. To efficiently support alternating linear and non-linear computations, we design generic conversions between SS and PS sharings and further integrate them into the corresponding ML protocols, thereby eliminating additional communication and computation overhead. Moreover, we develop efficient PS sharing-based protocols for primitive non-linear building blocks, which enable multiple non-linear operations to be executed with essentially the same communication cost as a single operation.
We implement our framework for secure multi-party ML inference and conduct extensive experiments. Compared to the SOTA work LXY24 (USENIX Security '24), our approach reduces communication by $3.6$-$6.1 \times$, while achieving $1.5$-$4.3 \times$ runtime improvement in the WAN setting and comparable or up to $2.3 \times$ better performance in the LAN setting.
## 2026/39
* Title: Abelian surfaces in Hesse form and explicit isogeny formulas
* Authors: Thomas Decru, Sabrina Kunzweiler
* [Permalink](
https://eprint.iacr.org/2026/039)
* [Download](
https://eprint.iacr.org/2026/039.pdf)
### Abstract
We develop a new method for the computation of $(3,3)$-isogenies between principally polarized abelian surfaces. The idea is to work with models in $\mathbb P^8$ induced by a symmetric level-$3$ theta structure. In this setting, the action of three-torsion points is linear, and the isogeny formulas can be described in a simple way as the composition of easy-to-evaluate maps. In the description of these formulas, the relation with the Burkhardt quartic threefold plays an important role. Furthermore, we discuss generalizations of the idea to higher dimensions as well as different isogeny degrees.
## 2026/40
* Title: Efficient Polynomial Evaluation over Structured Space and Application to Polynomial Method
* Authors: Fukang Liu, Vaibhav Dixit, Daisuke Yamamoto, Wakaha Ogata, Santanu Sarkar, Willi Meier
* [Permalink](
https://eprint.iacr.org/2026/040)
* [Download](
https://eprint.iacr.org/2026/040.pdf)
### Abstract
It is well-known that evaluating a Boolean polynomial $f$ of any degree $d$ in $n$ variables over the full space $\mathbb F_2^n$ takes $n\cdot 2^n$ bit operations and $2^n$ bits of memory with standard Mobius transform. When $d$ is relatively small, Bouillaguet et al. proposed at CHES 2010 the fast exhaustive search (FES) algorithm. In this algorithm, by using Gray code to enumerate all elements in $\mathbb F_2^n$, evaluating $f$ on all inputs in $\mathbb F_2^n$ takes $\big(\sum_{i=0}^{d}\binom{n}{i}\big)^2+d\cdot 2^n=\binom{n}{\leq d}^2+d\cdot 2^n$ bit operations and $\binom{n}{\leq d}$ bits of memory. The term $\binom{n}{\leq d}^2$ represents the cost of the initialization phase. This problem has received new attention in recent years, which was studied by Dinur at EUROCRYPT 2021, by Furue and Takagi at PQCrypto 2023, and by Bouillaguet at TOMS 2024. All these algorithms work on the full space, and have a similar additional phase such as the initialization phase in the FES algorithm, which takes much more than $\binom{n}{\leq d}$ bit operations. In this work, we propose a simple yet efficient algorithm to evaluate $f$ over the structured space $P_{n_s}^{w_s}\times \cdots \times P_{n_1}^{w_1}\subseteq \mathbb F_2^n$ where $\sum_{i=1}^{s}n_i=n$ and $P_{n_i}^{w_i}$ denotes the set of $n_i$-bit binary strings with Hamming weight not larger than $w_i$. Our algorithm is inspired by the FES algorithm and Furue-Takagi's algorithm. However, our algorithm can work on a more general space, and is also distinguished by an efficient additional phase, which is simply reading all coefficients of $f$ and thus takes only $\binom{n}{\leq d}$ bit operations. For complexity, our algorithm takes $\binom{n}{\leq d}+d\cdot \Pi_{i=1}^{s}\binom{n_i}{\leq w_i}$ bit operations and consumes $(d+1)\cdot \binom{n}{\leq d}$ bits of memory. For applications, we prove that it is either infeasible or nontrivial to adapt the FES algorithm with monotone Gray code, which somehow answers a question raised by Dinur at EUROCRYPT 2021. Moreover, our algorithm provides a proven method to solve a critical step in Dinur's algorithm for the polynomial method, without affecting its time complexity. In particular, we also address the open problem proposed at TOMS 2024, and improve the polynomial evaluation algorithms even over the full space.
## 2026/41
* Title: Towards Privacy-Preserving Unmanned Aerial Vehicles Shared Logistics via Dynamic Sanitizable Signature with Multiple Sanitizers
* Authors: Mingwei Zeng, Qingyang Zhang, Jie Cui, Hong Zhong, Fengqun Wang
* [Permalink](
https://eprint.iacr.org/2026/041)
* [Download](
https://eprint.iacr.org/2026/041.pdf)
### Abstract
In recent years, unmanned aerial vehicles (UAVs) have shown great potential in logistics delivery due to their ability to bypass traffic congestion and adapt to complex terrains. Their high efficiency, low cost, and wide coverage make them a valuable supplement to last-mile logistics.
However, third-party UAV systems operating in open environments are vulnerable to eavesdropping, tampering, and other cyber-attacks, which poses risks of sensitive information leakage.
Meanwhile, warehouse nodes for sanitizing private information are widely deployed in logistics systems and need to be dynamically adjusted according to demand, which poses a challenges for the management of sanitization permissions.
To address these issues, we propose a dynamic sanitizable signature with multiple sanitizers, enabling each sanitizer to independently sanitize sensitive information in signed messages, thus preserving logistics data privacy.
Our scheme is applicable to UAV logistics scenarios and supports the addition and revocation of sanitizers without modifying existing keys, thereby enabling flexible and efficient permissions management.
Security analysis shows that the proposed scheme ensures unforgeability, privacy preservation, and other security properties. A implementation on AmovLab Prometheus 600 UAVs demonstrates lower computational and communication overhead than existing privacy-preserving schemes, confirming its efficiency and practicality in UAV logistics systems.
## 2026/42
* Title: Fully Secure DKG Protocols for Discrete Logarithm Revisited
* Authors: Karim Baghery, Hossein Moghaddas
* [Permalink](
https://eprint.iacr.org/2026/042)
* [Download](
https://eprint.iacr.org/2026/042.pdf)
### Abstract
In EUROCRYPT 1999, Gennaro, Jarecki, Krawczyk, and Rabin (GJKR) showed that in the well-known Pedersen robust Distributed Key Generation (DKG) protocol for the Discrete Logarithm (DL), an adversary can bias the distribution of the resulting public key. To address this issue, they proposed a fully secure, statistically unbiased variant of the Pedersen DKG protocol. The GJKR protocol achieves robustness and guarantees that the final public key remains uniformly random, even in the presence of computationally unbounded corrupted parties, though at the cost of $O(n^2)$ computational complexity, where $n$ denotes the number of parties.
In this paper, we revisit fully secure robust DKG protocols for the DL setting and propose three more efficient alternatives, each achieving $O(n)$ computational complexity while offering different trade-offs in security, efficiency, and round complexity. Our first protocol, like the GJKR scheme, guarantees that the distribution of the final public key remains uniformly random, even against computationally unbounded adversaries. The second protocol is concretely more efficient and ensures that the public key distribution is computationally indistinguishable from uniform. In our third construction, we focus on minimizing the number of rounds in the second protocol and present a 3-round variant of it. Our third scheme can be viewed as a fully secure and round-reduced variant of the biased construction by Atapoor et al. (ASIACRYPT 2023). In comparison with the most recent low-round fully secure DKG protocols by Katz (CRYPTO 2024), Cascudo-David (EUROCRYPT 2024), Kate et al. (CCS 2024), and Boneh et al. (EUROCRYPT 2025)--all of which achieve three rounds via two online rounds and one preprocessing round (or vice versa)--our three-round DKG protocol requires only $O(n)$ exponentiations, as opposed to at least $O(n^2)$.
## 2026/43
* Title: Classical Obfuscation of Quantum Circuits via Publicly-Verifiable QFHE * Authors: James Bartusek, Aparna Gupte, Saachi Mutreja, Omri Shmueli
* [Permalink](
https://eprint.iacr.org/2026/043)
* [Download](
https://eprint.iacr.org/2026/043.pdf)
### Abstract
A classical obfuscator for quantum circuits is a classical program that, given the classical description of a quantum circuit $Q$, outputs the classical description of a functionally equivalent quantum circuit $\widetilde{Q}$ that hides as much as possible about $Q$. Previously, the only known feasibility result for classical obfuscation of quantum circuits (Bartusek and Malavolta, ITCS 2022) was limited to "null" security, which is only meaningful for circuits that always reject. On the other hand, if the obfuscator is allowed to compile the quantum circuit $Q$ into a quantum state $\ket{\widetilde{Q}}$, there exist feasibility results for obfuscating much more expressive classes of circuits: All pseudo-deterministic quantum circuits (Bartusek, Kitagawa, Nishimaki and Yamakawa, STOC 2023, Bartusek, Brakerski and Vaikuntanathan, STOC 2024), and even all unitaries (Huang and Tang, FOCS 2025).
We show that (relative to a classical oracle) there exists a classical obfuscator for all pseudo-deterministic quantum circuits. As our main technical step, we give the first construction of a compact quantum fully-homomorphic encryption (QFHE) scheme that supports public verification of (pseudo-deterministic) quantum evaluation, relative to a classical oracle.
To construct our QFHE scheme, we improve on an approach introduced by Bartusek, Kitagawa, Nishimaki and Yamakawa (STOC 2023), which previously required ciphertexts that are both quantum and non-compact due to a heavy use of quantum coset states and their publicly-verifiable properties. As part of our core technical contribution, we introduce new techniques for analyzing coset states that can be generated "on the fly", by proving new cryptographic properties of the one-shot signature scheme of Shmueli and Zhandry (CRYPTO 2025). Our techniques allow us to produce QFHE ciphertexts that are purely classical, compact, and publicly-verifiable. This additionally yields the first classical verification of quantum computation protocol for BQP that simultaneously satisfies blindness and public-verifiability.
## 2026/44
* Title: Jindo: Practical Lattice-Based Polynomial Commitment for Zero-Knowledge Arguments
* Authors: Intak Hwang, Hyeonbum Lee, Jinyeong Seo, Yongsoo Song
* [Permalink](
https://eprint.iacr.org/2026/044)
* [Download](
https://eprint.iacr.org/2026/044.pdf)
### Abstract
We present $\textsf{Jindo}$, a new lattice-based polynomial commitment scheme (PCS) readily available for compiling polynomial interactive oracle proofs (PIOP) into zero-knowledge arguments of knowledge (ZKAoK).
$\textsf{Jindo}$ improves upon the previous lattice-based PCSs $\textsf{CELPC}$ (CRYPTO' 24) and $\textsf{Greyhound}$ (CRYPTO' 24) by seamlessly integrating their strengths.
Specifically, we incorporate the coefficient encoding method of $\textsf{CELPC}$ with a new evaluation protocol inspired by $\textsf{Greyhound}$, inheriting only the advantages of both schemes. As a result, $\textsf{Jindo}$ enjoys native support for a large base field, a large challenge set, the evaluation hiding property, and efficient batched evaluation.
Our implementation shows that $\textsf{Jindo}$ improves $\textsf{CELPC}$ with 1.3x faster proof generation, 3.7x faster verification, and 4.8x smaller proof size when evaluating polynomials of degree $2^{19}$ over a 255-bit prime field.
Furthermore, $\textsf{Jindo}$ outperforms $\textsf{CELPC}$ with 3.5x faster proof generation, 9.7x faster verification, and 12.3x smaller proof size when compiling PIOP from $\textsf{Buckler}$ (CCS' 25) to prove the validity of an RLWE sample, demonstrating its practical efficacy in ZKAoK construction from PIOP.
## 2026/45
* Title: Formalizing Privacy-Enhanced Whitelists: A Secure Framework with Hidden Policies
* Authors: Yu Zhang, Zongbin Wang
* [Permalink](
https://eprint.iacr.org/2026/045)
* [Download](
https://eprint.iacr.org/2026/045.pdf)
### Abstract
The whitelist is a foundational and widely deployed access control mechanism. In its prevalent implementation, the verifying entity typically requires access to the plaintext authorization policy to perform enforcement. This creates a concentrated security risk: the verifier becomes a high-value target, and its compromise could lead to the full exposure of the sensitive whitelistrCoa single point of failure for policy confidentiality. This work formalizes and addresses this risk by introducing a new paradigm of Privacy-Enhanced Whitelists. Our framework cryptographically decouples policy enforcement from policy exposure. A trusted issuer encodes the whitelist, enabling the verifier to validate memberships using only cryptographically blinded commitments, without ever needing the plaintext list. We provide a formal security model that rigorously defines and achieves security even against an adversary who compromises the verifierrCOs state. The system is realized via an efficient construction based on polynomial commitments in elliptic curve groups and supports dynamic policy updates. By shifting the trust assumption from the verifierrCOs infrastructure to cryptographic verification, our work establishes a practical foundation for scenarios where the whitelist itself must remain a protected secret.
## 2026/46
* Title: Euston: Efficient and User-Friendly Secure Transformer Inference with Non-Interactivity
* Authors: Xinwen Gao, Shaojing Fu, Lin Liu, Zhuotao Liu, Yuchuan Luo, Yongjun Wang
* [Permalink](
https://eprint.iacr.org/2026/046)
* [Download](
https://eprint.iacr.org/2026/046.pdf)
### Abstract
Secure TransFormer Inference (STFI) frameworks have been proposed to address privacy concerns over user inputs and model parameters in Transformer-based LLMs. While most existing solutions rely on interactive protocols that incur substantial user-server communication overhead, non-interactive STFI variants have recently emerged to eliminate such dependencies. Nevertheless, state-of-the-art non-interactive STFI frameworks still suffer from critical limitations. (i) Large ciphertext sizes and multiple rotations alongside heavy user-side overhead in Homomorphic Matrix Multiplication (HMM). (ii) High approximation costs and depth consumptions in Homomorphic Nonlinear Evaluations (HNE).
To address these limitations, we present Euston, an efficient and user-friendly STFI with non-interactivity. By combining RNS-CKKS fully homomorphic encryption with optimized methods, Euston achieves unprecedented efficiency in offline online inference paradigm. The key innovations are twofold. (i) For linear operations, we adopt Singular Value Decomposition (SVD) with our novel batched HMMs to minimize ciphertext size and reduce rotation counts, simultaneously lowering user-side computational, communication and storage overhead. (ii) For nonlinear operations, we employ column(diagonal)-packed ciphertext matrix formats to eliminate costly rotations and depth regulation strategies to reduce depth consumption in non-interactive HNEs, which not only avoids user-server communications but also accelerates inference performance. In comparision with the state-of-the-art approach (NEXUS, NDSS 2025), Euston achieves up to 3100|u lower preprocessing costs for the user and 8.8|u higher system-wide inference performance, specifically delivering a 90|u speedup for HMM and a 165.7|u speedup for HNE. Our results demonstrate that Euston establishes new efficiency frontiers for user-friendly STFI deployment across cloud and edge environments.
## 2026/47
* Title: SoK of Private Deep Neural Network Inference with Approximate Fully Homomorphic Encryption
* Authors: Zaira Pindado, Thomas Spendlhofer, Mohamed Allam, Priyam Mehta, Lena Martens, Antonio J. Pe|#a
* [Permalink](
https://eprint.iacr.org/2026/047)
* [Download](
https://eprint.iacr.org/2026/047.pdf)
### Abstract
Deep neural networks (DNNs), a hot topic in this decade, are already solving many practical problems previously unchallenged. There are clear use cases of strong requirements for privacy protection in DNN models and input data. Fully Homomorphic Encryption (FHE) schemes provide privacy by enabling operations upon encrypted data with post-quantum security, at the expense of vast data size increase. Overwhelming execution times and memory sizes currently limit DNN inference with FHE to severely reduced models and datasets. In this article, we thoroughly review the state of the art and the state of the practice around this topic, and identify the current challenges remaining to enable efficient DNN inference with FHE in production-sized use cases, along with the most promising trends to address them. Advancing upon previous review articles in the literature, our focus is specifically on deep learning inference on top of high-performance hardware. From our analysis, we set what we consider to be an ideal private inference system for DNNs, capturing notions already present in the literature and generalizing them.
## 2026/48
* Title: Masked Solving of Linear Equations System and Application to UOV Signatures
* Authors: Jean-S|-bastien Coron, Fran|oois G|-rard, Bowen Zhang
* [Permalink](
https://eprint.iacr.org/2026/048)
* [Download](
https://eprint.iacr.org/2026/048.pdf)
### Abstract
In response to the looming quantum threat, NIST has selected four algorithms for standardization (i.e., ML-KEM, ML-DSA, SLH-DSA, and FN-DSA), yet three of the four schemes are based on Euclidean lattices, which raises concerns about the mathematical diversity of post-quantum algorithms. NIST has therefore announced an additional call for post-quantum signatures with a preference for schemes constructed from assumptions other than lattices. Among such candidates, the Unbalanced Oil and Vinegar (UOV) signature over the multivariate quadratic (MQ) problem is attractive for its short signature and security against quantum cryptanalysis. However, the practical implementations of UOV remain vulnerable to power side-channel attacks.
In this paper, we address this issue by presenting two improved techniques for masking linear equations system solving at arbitrary order,
with a proof of security in the $t$-probing model. We show that in the masked setting, our inversion-based techniques outperform Gaussian elimination, unlike the unmasked setting where Gaussian elimination is typically more efficient. As an application, we develop a complete C implementation of the fully masked UOV signing using our improved techniques. Compared to masked Gaussian elimination, our techniques achieve at least $2.2$ times speedup at high-order. Against Kundu's latest implementation (CCS 2025), our masked UOV signing is faster by an average factor of $4.0$ at higher masking orders.
## 2026/49
* Title: Argo MAC: Garbling with Elliptic Curve MACs
* Authors: Liam Eagen, Ying Tong Lai
* [Permalink](
https://eprint.iacr.org/2026/049)
* [Download](
https://eprint.iacr.org/2026/049.pdf)
### Abstract
Off-chain cryptography enables more expressive smart contracts for Bitcoin. Recent work, including BitVM, use SNARKs to prove arbitrary computation, and garbled circuits to verifiably move proof verification off-chain. We define a new garbling primitive, Argo MAC, that enables over $1000\times$ more efficient garbled SNARK verifiers. Argo MAC efficiently translates from an encoding of the bit decomposition of a curve point to a homomorphic MAC of that point. These homomorphic MACs enable much more efficient garbling. In subsequent work, we will describe how to use Argo MAC to construct garbled SNARK verifiers for pairing-based SNARKs.
## 2026/50
* Title: Low-Latency Low-Randomness OPINI Gadgets and Their Formal Verification * Authors: Lixuan Wu, Yanhong Fan, Guowei Liu, Chaoran Wang, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2026/050)
* [Download](
https://eprint.iacr.org/2026/050.pdf)
### Abstract
Masking is an essential countermeasure against side-channel attacks, yet implementing secure and low-latency hardware masking remains challenging. In particular, although OPINI provides strong composability guarantees for single-cycle iterative architectures, prior low-latency OPINI gadget, $\rm HPC4$, is limited to two-input multiplication. In this work, we present a low-latency, low-randomness, first-order OPINI gadget applicable to arbitrary Boolean functions, denoted as $\rm GOM$. Independent and concurrent work by Rahimi and Moradi proposes OTSM, which is also a generic, low-latency first-order OPINI gadget. Our construction involves two new techniques: (i)~extending the $\rm HPC4$ idea--originally masking each share of one secret input with two bits of randomness--to masking each shared monomial derived from the input shares accordingly, and (ii)~a randomness-reassignment technique that enables the two circuits generating the output shares to reuse the same set of randomness while preserving OPINI security. To validate OPINI security, we propose a formal verification technique based on three symbolic reduction rules, and use it to verify multiple low-latency OPINI gadgets (i.e., $\rm HPC4$, $\rm GOM$ and $\rm OTSM$). Leveraging the generality of our gadget, we instantiate several OPINI-secure S-boxes across different algebraic degrees. For the algebraic-degree-2 Ascon S-box, our gadget achieves a 21\% reduction in area and a 28\% reduction in randomness compared to the $\rm HPC4$-based implementation. We further construct higher-degree S-boxes from the PRESENT, PRINCE and AES ciphers and report their hardware performance as reference baselines. We also provide an apples-to-apples comparison with $\rm OTSM$. All masked S-boxes are successfully verified within 20~minutes using our formal verification method. Finally, FPGA-based experiments confirm the practical security of the masked implementations.
## 2026/51
* Title: An improved random AKS-class primality proving algorithm
* Authors: Haining Fan
* [Permalink](
https://eprint.iacr.org/2026/051)
* [Download](
https://eprint.iacr.org/2026/051.pdf)
### Abstract
We present an improved AKS condition $\binom {e \cdot |S|+ de - 1}{de - 1} \ge n^{\lceil \sqrt{d e/3} \rceil}$ for the random AKS algorithm, where $|S|$ is the number of congruences to be tested, $e$ the degree of the modulo polynomial $x^e-r$ and $d$ the multiplicative order of $n$ modulo $e$. It is based on Bernstein's result and better than his condition $\binom {e \cdot |S|+ e - 1}{e - 1} > n^{\lceil \sqrt{d^2 e/3} \rceil}$ when $d>1$; this improved condition enables us to choose a smaller $e$: theoretically by a factor $> d$ ($d \in (\log n)^{O(1)}$) and numerically $\ge d^2$ and $< d^3$ for most practical cases; and thus improves time and space complexities.
## 2026/52
* Title: XM-VRF: Forward Secure, Fast and Key Updatable Hash Based Verifiable Random Function
* Authors: Suman Ghosh, Ratna Dutta, Sourav Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2026/052)
* [Download](
https://eprint.iacr.org/2026/052.pdf)
### Abstract
Randomness that is unbiased, unpredictable and publicly
verifiable is a crucial requirement for many blockchain-based Web3 ap- plications. Verifiable Random Functions (VRFs) inherently provide these properties. A practical VRF scheme requires fast key generation time as
well as features like many evaluations also for different rounds in the blockchain. In this work, we propose a post-quantum secure key updat-
able VRF construction namely XM-VRF that relies on symmetric cryp-
tographic building blocks such as hash functions and PseudoRandom
Generators (PRGs). At the heart of our construction lies a quantum
safe Extended Merkle Signature Scheme(XMSS) organized across multi-
ple layers. We reformulate the XMSS signature scheme in a structured
manner to align with our XM-VRF construction. The principal benefit
of proposed XM-VRF compared to existing solution is itrCOs enhanced key generation efficiency as well as the property of many evaluations from
each secret-verification key pair. The proposed scheme is proven to sat-
isfy forward security, while also being resilient against forgery attacks,
as established through a rigorous security analysis. We emphasize that
our XM-VRF autonomously updates its secret key during the evaluation
process, performing this update concurrently with the VRF output gen-
eration to maintain uninterrupted state progression. Finally, we design a protocol for random committee selection within the Algorand blockchain framework,leveraging XM-VRF to ensure unbiased, verifiable, and stake- proportional participant selection.
## 2026/53
* Title: Kilobyte-Bandwidth Subliminal Channels in FIPS 204 ML-DSA via Packed-Commitment Embedding
* Authors: Mounir IDRASSI
* [Permalink](
https://eprint.iacr.org/2026/053)
* [Download](
https://eprint.iacr.org/2026/053.pdf)
### Abstract
Galteland and Gj|+steen observe that Dilithium-family signatures admit broadband subliminal channels in a secret-key-assisted setting where the receiver can reconstruct the signerrCOs hidden commitment from a public signature. This note gives a standards-specific instantiation for FIPS 204 ML-DSA. We do not claim a new subliminal-channel technique: our goal is to make the FIPS 204 patch point and byte-level embedding interface explicit and to list the resulting capacities for the approved parameter sets.
Two FIPS 204 facts drive the construction: for any accepted signature, the commitment vector \(y\) is recoverable from \((c, z)\) given \(s_1\), and the standardized \(\gamma_1\) values make the packing/unpacking mapping a bijection on its fixed-length byte input. We embed an \(L\)-byte payload by XOR-masking a pseudorandom packed container and decoding it with the standard unpacking routine: the resulting signatures verify under unmodified verifiers.
We implemented the patch in the mldsa-native C library and validated round-trip extraction, abort-rate statistics, and distribution sanity checks for all three parameter sets. Changes, scripts, and artifacts are available in the mldsa-native-sublime fork on GitHub. The per-signature covert capacity is \(32\ell w - 32\) bytes, where \(w = \log_2(2\gamma_1)\), namely 2,272 bytes for ML-DSA-44, 3,168 bytes for ML-DSA-65, and 4,448 bytes for ML-DSA-87. As in prior work, extraction requires \(s_1\), so the relevant setting is kleptographic/ASA-style secret sharing rather than public tagging.
## 2026/54
* Title: Communication and Storage-Friendly Bidirectional Multi-hop CPA Secure Proxy Re-encryption from Supersingular Isogenies
* Authors: Manas Jana, Ratna Dutta, Sourav Mukhopadhyay
* [Permalink](
https://eprint.iacr.org/2026/054)
* [Download](
https://eprint.iacr.org/2026/054.pdf)
### Abstract
$\textit{Proxy re-encryption}$ (PRE) is an essential cryptographic primitive for managing secure access delegation in outsourced data environments, particularly public cloud systems. PRE is a public key encryption (PKE) with two additional algorithms - (i) re-encryption key generation by which a proxy server generates a re-encryption key; (ii) re-encryption algorithm by which the proxy server can transform the ciphertext under the delegator's public key to a ciphertext under the delegatee's public key enabling the delegatee to decrypt the message originally intended for the delegator. With the advent of quantum computing, a pressing need arises to design PRE schemes based on quantum-resistant assumptions. This paper addresses this requirement by presenting the first construction of a bidirectional PRE ($\mathsf{bPRE}$) from supersingular isogenies. Our $\mathsf{bPRE}$ is built upon the commutative supersingular isogeny-based PKE scheme $\mathsf{MSimS}$, a variant of the isogeny-based PKE scheme $\mathsf{SimS}$ and achieves security against $\textit{chosen-plaintext attack}$ (CPA) in the standard model under the hardness of the commutative supersingular isogeny decisional Diffie-Hellman (CSSIDDH) problem. The resultant $\mathsf{bPRE}$ supports efficient re-encryption of ciphertexts by the proxy server for the delegator as well as the delegatee and inherits the multi-hop property, enabling chainable delegation of access rights. Significantly, our isogeny-based $\mathsf{bPRE}$ is asymptotically efficient, offering an efficient reduction in bandwidth consumption compared to current lattice-based proposals in terms of key size and ciphertext size. This makes the scheme a highly compact and practical candidate for post-quantum cloud security. Furthermore, our PKE scheme $\mathsf{MSimS}$ is of independent interest which is proven to be CPA secure under the hardness of the CSSIDDH problem and secure against chosen ciphertext attack (CCA) under the hardness of the CSSIDDH problem and the commutative supersingular isogeny knowledge of exponent (CSSIKOE) problem.
## 2026/55
* Title: RotorCipher: A Modern Approach to Rotor Ciphers Using Sponge Functions and Modular Arithmetic
* Authors: Edimar Ver|!ssimo da Silva
* [Permalink](
https://eprint.iacr.org/2026/055)
* [Download](
https://eprint.iacr.org/2026/055.pdf)
### Abstract
The revival of classical cryptography paradigms from the perspective of modern primitives offers promising avenues for the design of resilient stream ciphers. This work presents RotorCipher V2, an algorithm that reimagines the structural complexity of virtual rotor machines, integrating it with the proven security of the SHA-3 family of sponge functions. The system architecture begins with a robust key derivation process, employing the memory-hard Argon2id algorithm (with a memory cost of 64 MB) to convert user credentials into a 512-bit seed, mitigating brute-force attack vectors. The central innovation of the proposal lies in the deterministic rCLbootstrappingrCY of the internal components: using SHAKE256 as an Extendable Output Function (XOF),
the system dynamically selects sizes for five virtual rotors from a permuted list of prime numbers (between 300 and 10,000). Unlike historical mechanical machines, the combined output of the rotors is not used directly; it undergoes non-linear mixing via modular multiplication 2^16 + 1 (a technique remaining from the IDEA cipher) to compose a temporary entropy table. This table feeds back into an independent
instance of SHAKE256, which in turn generates 1024-byte keystream blocks, ensuring that the internal state of the rotors remains cryptographically isolated from the final output. From a software engineering perspective, the paper details a secure implementation in the Rust language, prioritizing memory security and mitigation of side-channel attacks. The code employs constant-time comparisons for integrity verification and automatic zeroing of critical secrets from memory. Simultaneously, performance is optimized through the explicit use of SIMD instructions (AVX2 and SSE2) for in-place XOR operations. The resulting protocol offers a complete solution for file encryption, guaranteeing authenticity and integrity through HMAC-SHA3-512
tags, establishing itself as a high-performance hybrid tool.
## 2026/56
* Title: Rejection Matters: Efficient Non-Profiling Side-Channel Attack on ML-DSA via Exploiting Public Templates
* Authors: Yuhan Zhao, Wei Cheng, Zehua Qiao, Yuejun Liu, Yongbin Zhou
* [Permalink](
https://eprint.iacr.org/2026/056)
* [Download](
https://eprint.iacr.org/2026/056.pdf)
### Abstract
ML-DSA (formerly CRYSTALS-Dilithium), NISTrCOs primary post-quantum signature standard, is increasingly deployed along with the post-quantum transitions. Yet when the implementations of ML-DSA are deployed in practice, their physical security remains underexplored. In this work, we reveal a new attack surface against ML-DSA by exploiting the leakages from both rejected signing trials and the final accepted signing trial. We present, to the best of our knowledge, the first side-channel attack that simultaneously leverages leakage from both trials without relying on clone devices. Unlike traditional Secret-based Template Attacks, which require profiling the leakage of the sensitive intermediates on a clone device, our PTA (Public-based Template Attack) builds leakage templates solely from publicly available data on the target device itself. With challenge $c$ known, we then perform CPA on the sensitive intermediates using traces from both rejected and accepted signing trials, quadrupling (on average) exploitable leakage per signing request for ML-DSA-44. The experimental results on power traces from an ARM Cortex-M4 board show that challenges $c$ are fully recovered with only {96 traces}, and then the key recovery succeeds in around 300 traces rCo a fact of 10x fewer than prior art. We highlight that our attack can be applied across all three ML-DSA variants with different security levels.
Moreover, our attack works straightforwardly in the hedged (non-deterministic) mode of ML-DSA, demonstrating that the hedging offers no SCA protection in this scenario.
## 2026/57
* Title: Timed Commitments and Timed Encryption: Generic Constructions and Instantiations from Isogenies
* Authors: Mingjie Chen, Jonas Meers
* [Permalink](
https://eprint.iacr.org/2026/057)
* [Download](
https://eprint.iacr.org/2026/057.pdf)
### Abstract
Introduced by Boneh and Naor (CRYPTO 2000), timed commitments are a versatile primitive that found numerous applications in e-voting, contract signing and auctions. In TCC 2020, Katz, Loss and Xu showed that non-interactive timed commitments (NITC) can be generically built from timed public key encryption (TPKE). Unfortunately, almost all constructions for either primitive rely on classical, i.e. non post-quantum, assumptions or require inefficient building blocks like indistinguishable obfuscation or fully homomorphic encryption.
In this work, we propose generic constructions for non-interactive timed commitments and timed encryption, assuming only efficient building blocks like verifiable random functions, trapdoor delay functions and NIZK proof systems. Both our NITC (called LEIBNITC) and our TPKE (called NYTPKE) can be instantiated from isogenies, making them post-quantum secure. The instantiation of LEIBNITC with isogenies is very efficient and yields commitments of size 2328 bits, representing one of the most efficient timed commitments in the literature.
## 2026/58
* Title: Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
* Authors: Matteo Scarlata, Giovanni Torrisi, Matilda Backendal, Kenneth G. Paterson
* [Permalink](
https://eprint.iacr.org/2026/058)
* [Download](
https://eprint.iacr.org/2026/058.pdf)
### Abstract
The paper is currently under embargo, and will be released mid-February 2026. ## 2026/59
* Title: Heli: Heavy-Light Private Aggregation
* Authors: Ryan Lehmkuhl, Henry Corrigan-Gibbs, Emma Dauterman, David J. Wu
* [Permalink](
https://eprint.iacr.org/2026/059)
* [Download](
https://eprint.iacr.org/2026/059.pdf)
### Abstract
This paper presents Heli, a system that lets a pair of servers collect aggregate statistics about private client-held data without learning anything more about any individual client's data. Like prior systems, Heli protects client privacy against a malicious server, protects correctness against misbehaving clients, and supports common statistical functions: average, variance, and more. Heli's innovation is that only one of the servers (the "heavy server") needs to do per-run work proportional to the number of clients; the other server (the "light server") does work sublinear in the number of clients, after a one-time setup phase. As a result, a computationally limited party, such as a low-budget non-profit, could potentially serve as the second server for a Heli deployment with millions of clients.
Heli relies on a new cryptographic primitive, aggregation-only encryption, that allows computing certain restricted functions on many clients' encrypted data. In a deployment with ten million clients, in which the servers privately compute the sum of 32 client-held 1-bit integers, Heli's heavy server does 240,000 core-s of work and the light server does 7 core-ms of work. Compared with prior work, the heavy server does 38$\times$ more computation, but the light server does 120,000$\times$ less.
## 2026/60
* Title: Blind Adaptor Signatures, Revisited: Stronger Security Definitions and Their Construction toward Practical Applications
* Authors: Masashi Hisai, Naoto Yanai
* [Permalink](
https://eprint.iacr.org/2026/060)
* [Download](
https://eprint.iacr.org/2026/060.pdf)
### Abstract
Although both blind signatures and adaptor signatures have individually attracted attention, there is little research on combining these primitives so far. To the best of our knowledge, although the only existing scheme is the scheme by Qin et al. (S\&P 2023), it does not consider practical security notions, namely full extractability, unlinkability, and pre-verify soundness, especially against adversaries with rich attack interfaces.
In this paper, we propose the first blind adaptor signature scheme that satisfies the above security definitions. We first formalize the security of a blind adaptor signature scheme and prove a relationship between our security definitions and the existing security definitions, as well as showing several gaps in the existing schemes as a technical problem. Our main idea to overcome this problem is to leverage relations that support random self-reducibility instead of additional random numbers for blind signatures. Such a construction can embed relations into the signature components by re-randomizing them with the relations, and hence satisfies all the above security definitions. We then introduce new proof techniques to prove the full extractability by leveraging the unlinkability. We also discuss applications of the proposed scheme.
## 2026/61
* Title: $L$ for the Price of One: On the Benefits of Using more than $t+1$ Parties in Threshold Signing
* Authors: Daniel Escudero, Yashvanth Kondi, Yifan Song, Hern|in Vanegas
* [Permalink](
https://eprint.iacr.org/2026/061)
* [Download](
https://eprint.iacr.org/2026/061.pdf)
### Abstract
In threshold ECDSA a committee of $N$ parties holds---say, Shamir---shares of degree $t$ of a secret key, where typically $N\gg t$ for operational purposes (e.g. redundancy to prevent losing the key). At signing time, $t+1$ parties can execute a protocol to produce a signature on a given message without leaking anything about the secret key. In this work we show that if we use $n=t+2(\ell-1) + 1$ parties for signing instead, we can compute $\ell$ signatures without increasing at all the communication costs per party, essentially getting $\ell\times$ more signatures almost for free in a dishonest majority.
Our result is achieved by making use of packed secret-sharing to distribute multiple secrets with no communication penalty. This introduces several challenges not present in the non-packed domain, which leads us to introduce two primitives that may be of independent interest: we show how to prove that a sharing contains small elements efficiently, and its use in distributing consistent sharings of the same secret modulo two different integers. We also show how to generate degree-$2$ preprocessing material with constant communication via an adaptation of the virtual parties idea by Bracha from 1987.
We compare the communication of our protocol to sign $\ell$ messages with respect to the state-of-the-art in $t+1$-party ECDSA signing by (Doerner et al, S&P'24), which needs to be repeated $\ell$ times. Our results show that, for appropriate regimes of $(t,n,\ell)$, our protocol can achieve 5x less communication (and even a larger factor) than theirs while adding only a few extra parties for the computation.
## 2026/62
* Title: (Fine-Grained) Unbounded Inner-Product Functional Encryption from LWE * Authors: Valerio Cini, Erkan Tairi
* [Permalink](
https://eprint.iacr.org/2026/062)
* [Download](
https://eprint.iacr.org/2026/062.pdf)
### Abstract
Inner-product functional encryption (IPFE), introduced by Abdalla-Bourse-De Caro-Pointcheval (PKC'15), is a public-key primitive that allows to decrypt an encrypted vector $\mathbf{x}$ with a secret key associated to a vector $\mathbf{y}$ such that only their inner-product $\langle\mathbf{x},\mathbf{y}\rangle$ is revealed. The initial definition and constructions all required the length of such vectors to be bounded at setup, and therefore, be fixed in the public parameters.
In order to overcome this drawback, Dufour-Sans-Pointcheval (ACNS'19) and Tomida-Takashima (AC'18) introduced the notion of unbounded IPFE, where the length of vectors does not need to be fixed during the setup phase, and gave constructions from pairing-based assumptions.
In this paper, we make progress and provide the first unbounded IPFE constructions that i) are based on the Learning With Errors (LWE) assumption and proven secure in the standard model, ii) achieve adaptive security, iii) provide fine-grained access control, i.e., are identity- and attribute-based, and iv) rely only on black-box access to cryptographic and lattice algorithms. Hence, our constructions are also plausibly post-quantum secure.
## 2026/63
* Title: Policy-based Access Tokens: Privacy-Preserving Verification for Digital Identity
* Authors: Kiran Pun, Daniel Gardham, Nick Frymann
* [Permalink](
https://eprint.iacr.org/2026/063)
* [Download](
https://eprint.iacr.org/2026/063.pdf)
### Abstract
Passports, driving licences, and other government-issued identity documents are frequently used to prove attributes about an individual, such as their date of birth or home address. Traditional paper-based approaches are being transitioned to digital identities, which are becoming increasingly important for online interactions and transactions, allowing individuals to prove their identity without needing to present physical documents. However, existing solutions suffer from cumbersome primitives, for example, the European Commission is actively experimenting with Zero-Knowledge proof based solutions for the EUrCOs Digital Identity Wallet, or lack of functionality such as the UKrCOs right-to-work share codes.
In this paper, we present a new cryptographic primitive, Policy-Based Access Tokens, that allows for lightweight verification of user attributes through a service (such as a government office). We propose two variants of the scheme: PAT-I offers token unforgeability such that malicious parties cannot verify personal data without a valid token. This is then extended in PAT-II to allow for distributed delegation to a set of proxies, offering fine-grained revocation. We consider stronger security properties that prevent proxies colluding, whilst providing anonymity against the service provider. We give generic constructions of our schemes, prove their security in the standard model, and provide instantiations based on bilinear pairings. Finally, we provide a proof-of-concept implementation which demonstrates that our protocols are efficient, with token verification taking ree 100ms.
## 2026/64
* Title: Breaking the KAZ Suite: Practical Key Recovery Attacks on MySEAL 2.0rCOs Post-Quantum Candidates
* Authors: Zhuo Huang, Yu Yu, Xiaogang Zhou
* [Permalink](
https://eprint.iacr.org/2026/064)
* [Download](
https://eprint.iacr.org/2026/064.pdf)
### Abstract
Targeting the suite of four cryptographic schemes under review in Malaysia's MySEAL 2.0 initiative, we present practical key recovery attacks that break three of them: the KAZ-KA key agreement scheme, the KAZ-KEM key encapsulation mechanism, and the KAZ-SIGN v2.0 digital signature. All three schemes operate over $\mathbb{Z}_N$ where $N$ is a primorial-the product of consecutive small primes. This design choice makes the group order $\varphi(N)$ extremely smooth, enabling efficient attacks. For KAZ-KA and KAZ-KEM, we recover the private key by enumerating candidates modulo each small prime factor and solving discrete logarithms in small groups. For KAZ-SIGN v2.0, we exploit the linear structure of signatures to formulate a hidden number problem instance, which we solve using lattice reduction with only two signatures. Our attacks, executed on a MacBook, recover the secret keys in under one second for all recommended security levels (128, 192, and 256 bits), demonstrating that these schemes are fundamentally insecure.
## 2026/65
* Title: BABE: Verifying Proofs on Bitcoin Made 1000x Cheaper
* Authors: Sanjam Garg, Dimitris Kolonelos, Mikhail Sergeevitch, Srivatsan Sridhar, David Tse
* [Permalink](
https://eprint.iacr.org/2026/065)
* [Download](
https://eprint.iacr.org/2026/065.pdf)
### Abstract
Endowing Bitcoin with the ability to verify succinct proofs has been a longstanding problem with important applications such as scaling Bitcoin and allowing the Bitcoin asset to be used in other blockchains trustlessly. It is a challenging problem due to the lack of expressiveness in the Bitcoin scripting language and the small Bitcoin block space. BitVM2 is the state-of-the-art verification protocol for Bitcoin used in several mainnets and testnets, but it suffers from very high on-chain Bitcoin transaction fees in the unhappy path (over $14,000 in a recent experiment). Recent research BitVM3 dramatically reduces this on-chain cost by using a garbled SNARK verifier circuit to shift most of the verification off-chain, but each garbled circuit is 42 Gibytes in size, so the off-chain storage and setup costs are huge. This paper introduces BABE, a new proof verification protocol on Bitcoin, which preserves BitVM3's savings of on-chain costs but reduces its off-chain storage and setup costs by three orders of magnitude. BABE uses a witness encryption scheme for linear pairing relations to verify Groth16 proofs. Since Groth16 verification involves non-linear pairings, this witness encryption scheme is augmented with a secure two-party computation protocol implemented using a very efficient garbled circuit for scalar multiplication on elliptic curves. The design of this garbled circuit builds on a recent work, Argo MAC, which gives an efficient garbling scheme to compute homomorphic MACs on such curves.
--- Synchronet 3.21a-Linux NewsLink 1.2