• [digest] 2026 Week 4

    From IACR ePrint Archive@noreply@example.invalid to sci.crypt on Mon Jan 26 03:30:14 2026
    From Newsgroup: sci.crypt

    ## In this issue
    1. [2025/1221] EWEMrl: A White-Box Secure Cipher with Longevity
    2. [2026/21] IND-CCA Lattice Threshold KEM under 30 KiB
    3. [2026/66] Complete Characterization of Randomness Extraction ...
    4. [2026/67] MALeak: Blind Side-Channel Key Recovery Exploiting ...
    5. [2026/70] Unlocking the True Potential of Decryption Failure ...
    6. [2026/71] Reed–Muller Encoding Leakage Enables Single-Trace ...
    7. [2026/72] Scalable Distributed Key Generation for Blockchains
    8. [2026/73] zkRNN: Zero-Knowledge Proofs for Recurrent Neural ...
    9. [2026/74] Noisette: Certifying Differential Privacy ...
    10. [2026/75] From $\textsf{TS-SUF-2}$ to $\textsf{TS-SUF-4}$: ...
    11. [2026/76] Lether: Practical Post-Quantum Account-Based ...
    12. [2026/77] Formalizing Privacy in Decentralized Identity: A ...
    13. [2026/78] Breaking the Myth of MPCitH Inefficiency: ...
    14. [2026/79] Uniform Sharing in Multiple Stages: NullFresh for ...
    15. [2026/80] SoK: Outsourced Private Set Intersection
    16. [2026/81] HYPERSHIELD: Protecting the Hypercube MPC-in-the- ...
    17. [2026/82] Rank Syndrome Decoding Estimator - An Asymptotic ...
    18. [2026/83] Tag-Friendly Lattice Sampler and Applications
    19. [2026/84] Combined Indistinguishability Analysis - Verifying ...
    20. [2026/85] Beyond-Birthday-Bound Security with HCTR2: Cascaded ...
    21. [2026/86] 2PC Memory-Manipulating Programs with Constant Overhead
    22. [2026/87] Augmenting BBS with Conventional Signatures
    23. [2026/88] BLISK: Boolean circuit Logic Integrated into the ...
    24. [2026/89] The Billion Dollar Merkle Tree
    25. [2026/90] On the Impossibility of Round-Optimal Pairing-Free ...
    26. [2026/91] Round-Optimal Pairing-Free Blind Signatures
    27. [2026/92] Integrity from Algebraic Manipulation Detection in ...
    28. [2026/93] Optimized Implementation of ML-KEM on ARMv9-A with ...
    29. [2026/94] Hardware-Friendly Robust Threshold ECDSA in an ...
    30. [2026/95] Tropical cryptography IV: Digital signatures and ...
    31. [2026/96] Revisiting the Concrete Security of Falcon-type ...
    32. [2026/97] Secret-Subspace Recovery in MAYO via Linearization ...
    33. [2026/98] Structured Module Lattice-based Cryptography
    34. [2026/99] Arithmetic autocorrelation of binary ...
    35. [2026/100] BREAKMEIFYOUCAN!: Exploiting Keyspace Reduction and ...
    36. [2026/101] Analysis and Attacks on the Reputation System of Nym
    37. [2026/102] Secure Computation for Fixed-point and Floating- ...
    38. [2026/103] When Only Parts Matter: Efficient Privacy- ...
    39. [2026/104] Deal out oblivious correlations: 2-depth HSS ...
    40. [2026/105] Privacy-Preserving LLM Inference in Practice: A ...
    41. [2026/106] New Quantum Circuits for ECDLP: Breaking Prime ...
    42. [2026/107] Verified non-recursive calculation of Beneš networks ...
    43. [2026/108] Extending RISC-V to Support Flexible-Radix ...
    44. [2026/109] Concretely Efficient Blind Signatures Based on ...
    45. [2026/110] Logarithmic density of rank $\geq1$ and $\geq2$ ...
    46. [2026/111] Structured Matrix Constraint Systems for ...
    47. [2026/112] PETCHA: Post-quantum Efficient Transciphering with ...
    48. [2026/113] How to Steal Oblivious Transfer from Minicrypt
    49. [2026/114] Chasing Rabbits Through Hypercubes: Better ...
    50. [2026/115] Functional Decomposition of Multivariate ...
    51. [2026/116] Generating Falcon Trapdoors via Gibbs Sampler
    52. [2026/117] Faultless Key Recovery: Iteration-Skip and Loop- ...
    53. [2026/118] Practical Subvector Commitments with Optimal ...
    ## 2025/1221
    * Title: EWEMrl: A White-Box Secure Cipher with Longevity
    * Authors: Avik Chakraborti, Shibam Ghosh, Takanori Isobe, Sajani Kundu
    * [Permalink](https://eprint.iacr.org/2025/1221)
    * [Download](https://eprint.iacr.org/2025/1221.pdf)
    ### Abstract
    We propose the first updatable white-box secure cipher, EWEMrl (Extended WEM with longevity against non-adaptive read-only adversaries), and its natural extension, EWEMxl (Extended WEM with longevity against executable adversaries), both based on WEM (White-box Even-Mansour), and both achieving longevity against non-adaptive read-only malware. The notion of longevity, introduced by Koike et al., addresses continuous code leakage and is stronger than incompressibility. Yoroi claimed longevity but was broken by Isobe and Todo. Given the prevalence of continuous leakage, developing such ciphers is crucial in white-box cryptography.
    Precisely, we have the following.
    * We first present EWEMr (Extended WEM against non-adaptive read-only adversaries), a generalization of WEM (White-box Even-Mansour). WEM is the first (and possibly only) white-box cipher based on Even-Mansour (EM), replacing its key addition layer with a secret Sbox. EWEMr achieves a high space-hardness bound in the non-adaptive model, with a new generic proof strategy, but does not provide longevity. Instead, it serves as the base for EWEMrl.
    * We also present EWEMx (Extended WEM against executable adversaries), which uses EWEMr as subroutines and achieves a high space-hardness bound in the stronger adaptive model. While EWEMx does not achieve longevity, it is the base design for EWEMxl.
    * We next propose EWEMrl, which achieves longevity against non-adaptive read-only malware. None of the existing ciphers, such as SPNbox and SPACE, are designed for longevity. We show that EWEMrl ensures (against non-adaptive read-only adversaries) (1) longevity, (2) high space-hardness in both known-space and chosen-space settings, and (3) security against hybrid code-lifting attacks.
    * Finally, we introduce EWEMxl, a natural extension of EWEMrl with a structure similar to EWEMx. EWEMxl achieves (2) and (3) in the stronger adaptive model while maintaining (1) in the same non-adaptive and read-only setting.
    In summary, our proposals EWEMrl and EWEMxl provide longevity against non-adaptive read-only malware while ensuring security confidence in the black-box setting.
    ## 2026/21
    * Title: IND-CCA Lattice Threshold KEM under 30 KiB
    * Authors: Katharina Boudgoust, Oleksandra Lapiha, Rafaël del Pino, Thomas Prest
    * [Permalink](https://eprint.iacr.org/2026/021)
    * [Download](https://eprint.iacr.org/2026/021.pdf)
    ### Abstract
    At Asiacrypt'25, Lapiha and Prest proposed a lattice-based IND-CCA threshold key-encapsulation mechanism (TKEM) obtained from a threshold identity-based encryption (TIBE) and a signature scheme. Their construction relies on a variant of the Boneh-Canetti-Halevi-Katz (BCHK) transform, instantiated with a lattice-based TIBE. However, it suffers from large ciphertexts at 540 KiB for $\kappa = 128$ bits of security.
    We present substantial improvements to their TIBE, resulting in the first concretely efficient lattice-based IND-CCA TKEM, with ciphertexts just under 30 KiB for a threshold $T = 32$, $Q = 2^{45}$ queries, and the same $\kappa$.
    Our design simplifies the original framework by leveraging the power of random oracles already present in their construction. We further enhance efficiency by adopting approximate computations where appropriate and by replacing module-NTRU trapdoors with NTRU trapdoors, achieving a remarkable eighteenfold reduction in ciphertext size. Finally, leveraging recent developments in secret sharing, we ensure the verifiability of key-extraction shares even in the presence of malicious parties.
    ## 2026/66
    * Title: Complete Characterization of Randomness Extraction from DAG-Correlated Sources
    * Authors: Divesh Aggarwal, Zihan Li, Saswata Mukherjee, Maciej Obremski, João Ribeiro
    * [Permalink](https://eprint.iacr.org/2026/066)
    * [Download](https://eprint.iacr.org/2026/066.pdf)
    ### Abstract
    We introduce the SHEDAG (Somewhere Honest Entropic sources over Directed Acyclic Graphs) source model, a general model for multi-block randomness sources with causal correlations.
    A SHEDAG source is defined over a directed acyclic graph (DAG) $G$ whose nodes output $n$-bit blocks. Blocks output by honest nodes are independent (by default uniformly random, more generally having high min-entropy), while blocks output by corrupted nodes are arbitrary functions of their causal views (all predecessors in $G$).
    We tightly characterize the conditions under which randomness extraction from SHEDAG sources is possible.
    $\textbf{Zero-error extraction:}$ We show that perfect extraction from SHEDAG sources with $t$ corruptions is possible if and only if $G$ contains an "unrelated set" (an antichain under reachability) of size at least $t+1$. Conversely, if every unrelated set has size at most $t$, we show that no function can output a perfectly uniform bit. We also provide a polynomial-time algorithm to find a maximum unrelated set, thus efficiently identifying the largest corruption threshold $t$ allowing perfect extraction.
    $\textbf{Negligible-error extraction:}$
    We identify a quantity that we call "resilience" of a DAG $G$, denoted $\text{res}(G)$, that characterizes the possibility of randomness extraction with negligible error (in the block length).
    We show that negligible-error extraction is impossible whenever $t>\text{res}(G)$, and, to complement this, for every $t\leq \text{res}(G)$ we construct explicit extractors with polynomial output length and negligible error.
    Our results generalize prior online source models studied by (Aggarwal, Obremski, Ribeiro, Siniscalchi, Visconti, Eurocrypt 2020) and (Chattopadhyay, Gurumukhani, Ringach, FOCS 2024), which correspond to the special case of a SHEDAG source whose DAG $G$ is a path.
    ## 2026/67
    * Title: MALeak: Blind Side-Channel Key Recovery Exploiting Modular Addition Leakage in ARX-based Block Ciphers
    * Authors: Inhun Lee, GyuSang Kim, Seokhie Hong, HeeSeok Kim
    * [Permalink](https://eprint.iacr.org/2026/067)
    * [Download](https://eprint.iacr.org/2026/067.pdf)
    ### Abstract
    Side-channel analysis (SCA) is a powerful attack that can recover secret keys by exploiting physical leakages emitted during cryptographic computations. However, most existing approaches assume that an attacker knows the plaintext or ciphertext corresponding to each observed leakage trace. In realistic adversarial settings, the input data corresponding to each leakage trace may be unknown or unavailable. To address this limitation, blind side-channel analysis (blind SCA) aims to recover secret keys using only side-channel traces, without access to plaintext or ciphertext information. Despite this goal, prior blind-SCA studies have largely focused on S-box-induced nonlinearity, leaving other operations of nonlinearity less explored. In this paper, we present the first systematic formulation of a blind SCA scenario targeting modular addition, which is the core nonlinear operation in ARX-based block ciphers. We define the analysis point using a generalized nonlinear function that integrates both the secret key and the modular addition operation. We then observe the feasibility of key recovery through simulation and evaluate robustness under various noise conditions. Building on this formulation, we instantiate the generalized model for concrete ARX-based block ciphers. In particular, we adapt it to the round function structures of HIGHT and SPECK, and derive practical blind SCA procedures tailored to each cipher. Finally, we evaluate our approach in both simulation and real-world settings, using power consumption traces collected from an ARM Cortex-M4 MCU (STM32F415) for the real-world experiments. Our results demonstrate that, even without plaintext or ciphertext information, the proposed approach can meaningfully reduce key candidates and achieve successful key recovery for ARX-based block ciphers.
    ## 2026/70
    * Title: Unlocking the True Potential of Decryption Failure Oracles: A Hybrid Adaptive-LDPC Attack on ML-KEM Using Imperfect Oracles
    * Authors: Qian Guo, Denis Nabokov, Thomas Johansson
    * [Permalink](https://eprint.iacr.org/2026/070)
    * [Download](https://eprint.iacr.org/2026/070.pdf)
    ### Abstract
    Side-channel attacks exploiting Plaintext-Checking (PC) and Decryption Failure (DF) oracles are a pressing threat to deployed post-quantum cryptography. These oracles can be instantiated from tangible leakage sources like timing, power, and microarchitectural behaviors, making them a practical concern for leading schemes based on lattices, codes, and isogenies. In this paper, we revisit chosen-ciphertext side-channel attacks that leverage the DF oracle on ML-KEM. While DF oracles are often considered inefficient compared to their binary PC counterparts in lattice-based schemes, we demonstrate that their full potential has been largely unrealized.
    We introduce a novel attack framework that combines adaptive query generation with belief propagation for Low-Density Parity-Check (LDPC) codes. Our methodology crafts carefully balanced parity checks over multiple secret coefficients, maximizing the Shannon information extracted from each oracle query, even in the presence of significant noise. This approach dramatically reduces the number of queries required for a full key recovery, achieving near-optimal efficiency by approaching the theoretical Shannon information bound. For ML-KEM-768 with an oracle accuracy of 95%, our attack requires only 2950 queries (a 1.35 ratio to the Shannon lower bound), establishing that a well-designed DF attack can surpass the efficiency of state-of-the-art binary PC attacks.
    To validate the practical impact of our findings, we apply our framework to the recent GoFetch attack, showing significant gains in this real-world, microarchitectural side-channel scenario. Our method reduces the required measurement traces by over an order of magnitude and eliminates the need for computationally expensive post-processing, enabling a full key recovery on higher-security schemes previously considered intractable.
    ## 2026/71
    * Title: Reed–Muller Encoding Leakage Enables Single-Trace Message Recovery in HQC
    * Authors: Jaeho Jeon, Donghyen Kim, Suseong Lee, Young-Sik Kim
    * [Permalink](https://eprint.iacr.org/2026/071)
    * [Download](https://eprint.iacr.org/2026/071.pdf)
    ### Abstract
    HQC is a code-based key-encapsulation mechanism standardized by NIST, whose decapsulation follows a Fujisaki--Okamoto (FO) transform and therefore re-executes encryption-side encoding during deterministic re-encryption. In this paper, we show that this design choice exposes a critical leakage point in the \emph{Reed--Muller (RM) encoding} routine: across the NIST-submitted implementations, the HQC team's official codebase, and the PQClean implementations.
    We demonstrate the practical impact of this leakage on a ChipWhisperer CW308 UFO board with an STM32F303 (Cortex-M4) target. Using a total of 5{,}000 power traces for profiling and evaluation, we recover the full 128-bit encapsulation message from a \emph{single} decapsulation trace with up to 96.9\% success. In comparison, the current state of the art for single-trace HQC message recovery based on \emph{soft-analytical side-channel attacks} (SASCA) reports profiling on the order of 500{,}000 traces; our approach therefore reduces the required profiling budget by two orders of magnitude while achieving comparable single-trace capability.
    Beyond session-key compromise, we show that direct recovery of the decrypted message can serve as an oracle primitive that substantially lowers the cost of oracle instantiation in prior HQC secret-key recovery frameworks. While prior oracle instantiations typically map leakage to a discrete set of task-specific labels, our approach recovers the decrypted message itself, and thus applies uniformly over the full message space (i.e., arbitrary $m'$ values). Concretely, we reduce the profiling cost required to instantiate a \emph{decryption success/failure} oracle, multi-value plaintext-checking, and full-decryption oracles by approximately 90.3\%, 84.83\%, and 26.7\%, respectively.
    ## 2026/72
    * Title: Scalable Distributed Key Generation for Blockchains
    * Authors: Aniket Kate, Pratyay Mukherjee, Pratik Sarkar, Hamza Saleem, Nibesh Shrestha, David Yang
    * [Permalink](https://eprint.iacr.org/2026/072)
    * [Download](https://eprint.iacr.org/2026/072.pdf)
    ### Abstract
    Distributed key generation (DKG) is a foundational building block for designing efficient threshold cryptosystems, which are crucial components of blockchain ecosystems. Existing DKG protocols address the problem in a standalone setting, focusing on establishing the final DKG public key and individual secret keys among the participating parties. This work focuses on DKG primitives for use over blockchain, where the final DKG public key must be available on-chain, enabling on-chain smart contracts to seamlessly execute threshold cryptographic verifications. We observe that existing standalone DKG designs do {\em not} sufficiently exploit the presence of blockchain, leaving substantial scope for improvement in performance.
    In this work, we design the first discrete-log-based DKG protocol tailored for use over blockchain, leveraging the blockchain's built-in consensus mechanism to realize DKG efficiently. Interestingly, the use of blockchains enables us to solve DKG while tolerating up to one-half Byzantine faults even in non-synchronous settings. Our protocol is asynchronous, allowing it to operate independently of the network's timing assumptions, with the exact network model depending on the destination blockchain.
    Our solution further utilizes an associated random beacon to select smaller committees and achieves a DKG protocol with sub-cubic communication complexity, sub-quadratic computation complexity, and minimal on-chain storage. Notably, our protocol employs a single invocation of consensus and can terminate in just eleven communication rounds in the good case when deployed on an optimal latency partially synchronous blockchain. Our experiments show that our protocol terminates faster than state-of-the-art standalone protocols, with similar bandwidth overhead for committee members and significantly reduced bandwidth for other parties. Additionally, our protocol benefits from higher CPU resources: when deployed on machines with $32$ vCPUs, it completes in approximately $6.5$ seconds in the optimistic case, even for larger systems with $256$ nodes.
    ## 2026/73
    * Title: zkRNN: Zero-Knowledge Proofs for Recurrent Neural Network Inference
    * Authors: Fatemeh Zarinjouei, Behzad Abdolmaleki, Maryam Zarezadeh, Bhavish Mohee, Aysajan Abidin, Stefan Köpsell
    * [Permalink](https://eprint.iacr.org/2026/073)
    * [Download](https://eprint.iacr.org/2026/073.pdf)
    ### Abstract
    Neural networks have achieved remarkable success across a wide range of domains, including applications involving sequential data such as natural language processing and time-series prediction. However, in many real-world deployments, it is essential to ensure the integrity of the inference process, namely that the output of a model is correctly computed, without revealing the model's data. While prior work has introduced zero-knowledge proof (ZKP) schemes for convolutional and feedforward neural networks, these do not extend naturally to recurrent architectures due to the challenges introduced by temporal dependencies and weight sharing.
    In this paper, we propose zkRNN, a novel ZKP system for recurrent neural networks (RNNs), enabling the prover to demonstrate that a model's output is correctly computed over a sequential input without revealing any information about the model parameters. Our approach builds upon the GKR protocol, and a recursive sum-check framework introduced in prior work and adapts them to handle the recurrent structure of RNNs. We design a circuit representation that encodes hidden-state transitions, unrolls computation across time steps, and shares weights in a manner compatible with sum-check-based verification. Our protocol achieves polylogarithmic verifier time and proof size in the size of the final iteration circuit and remains independent of the sequence length. The evaluation results demonstrate practical proof generation and succinct, sequence-length-independent verification, with second-scale proving and millisecond-scale verification.
    ## 2026/74
    * Title: Noisette: Certifying Differential Privacy Mechanisms Efficiently
    * Authors: Qi Pang, Radhika Garg, Ziling Liu, Hanshen Xiao, Virginia Smith, Wenting Zheng, Xiao Wang
    * [Permalink](https://eprint.iacr.org/2026/074)
    * [Download](https://eprint.iacr.org/2026/074.pdf)
    ### Abstract
    Differential privacy (DP) has emerged as a rigorous framework for privacy-preserving data analysis, with widespread deployment in industry and government. Yet existing implementations typically assume that the party applying the mechanism can be trusted to sample noise correctly. This trust assumption is overly optimistic: a malicious party may deviate from the protocol to gain accuracy or avoid scrutiny, thereby undermining users' privacy guarantees.
    In this paper, we introduce Noisette, a family of efficient protocols for certifying DP noise sampling across both discrete and continuous settings. We design a protocol that supports any discrete distribution through certifiable lookup table evaluation, and introduce a staircase-based optimization that greatly improves efficiency without compromising privacy or utility. We further extend this framework to continuous mechanisms, providing the first efficient protocol for certifiable continuous noise sampling.

    We demonstrate the practicality of our protocols through concrete DP applications, including mean estimation and federated learning. Our protocols outperform the prior state-of-the-art by up to $64\times$ in runtime and $24\times$ in communication, while preserving the same accuracy as uncertified DP mechanisms. These results establish Noisette as the first efficient, scalable, and general-purpose solution for certifiable DP noise sampling, making certified privacy guarantees practical in high-stakes applications.
    ## 2026/75
    * Title: From $\textsf{TS-SUF-2}$ to $\textsf{TS-SUF-4}$: Practical Security Enhancements for $\textsf{FROST2}$ Threshold Signatures
    * Authors: Syh-Yuan Tan, Will Wang, Ryan Chow
    * [Permalink](https://eprint.iacr.org/2026/075)
    * [Download](https://eprint.iacr.org/2026/075.pdf)
    ### Abstract
    Threshold signature schemes play a vital role in securing digital assets within blockchain and distributed systems. $\textsf{FROST2}$ stands out as a practical threshold Schnorr signature scheme, noted for its efficiency and compatibility with standard verification processes. However, under the one-more discrete logarithm assumption, with static corruption and centralized key generation settings, $\textsf{FROST2}$ has been shown by Bellare et al. (in CRYPTO 2022) to achieve only $\textsf{TS-SUF-2}$ security, which is a consequence of its vulnerability to $\textsf{TS-UF-3}$ attacks.
    In this paper, we address this security limitation by presenting two enhanced variants of $\textsf{FROST2}$: $\textsf{FROST2}\texttt{+}$ and $\textsf{FROST2}\texttt{#}$, both achieving the $\textsf{TS-SUF-4}$ security level under the same computational assumptions as the original $\textsf{FROST2}$.
    The first variant, $\textsf{FROST2}\texttt{+}$, strengthens $\textsf{FROST2}$ by integrating additional pre-processing token verifications that help mitigate $\textsf{TS-UF-3}$ and $\textsf{TS-UF-4}$ vulnerabilities while maintaining practical efficiency.
    We show that $\textsf{FROST2}\texttt{+}$ can achieve $\textsf{TS-SUF-4}$ security not only under the same conditions as the original $\textsf{FROST2}$ analysis, but also when initialized with a distributed key generation protocol such as $\textsf{PedPoP}$.
    Building on these improvements, we identify optimization opportunities that lead to our second variant, $\textsf{FROST2}\texttt{#}$, which achieves $\textsf{TS-SUF-4}$ security with enhanced computational efficiency by eliminating redundant calculations.
    Our benchmark shows that the performance of $\textsf{FROST2}\texttt{+}$ is comparable to $\textsf{FROST2}$ while $\textsf{FROST2}\texttt{#}$ is at least 3 times faster than $\textsf{FROST2}$.
    ## 2026/76
    * Title: Lether: Practical Post-Quantum Account-Based Private Blockchain Payments
    * Authors: Hongxiao Wang, Muhammed F. Esgin, Ron Steinfeld, Siu-Ming Yiu
    * [Permalink](https://eprint.iacr.org/2026/076)
    * [Download](https://eprint.iacr.org/2026/076.pdf)
    ### Abstract
    We introduce Lether, the first practical account-based private block-chain payment protocol based on post-quantum lattice assumptions, following the paradigm of Anonymous Zether (FC '19, IEEE S&P '21). The main challenge in building such a protocol from lattices lies in the absence of core building blocks: unbounded-level additively-homomorphic multi-message multi-recipient public key encryption (mmPKE), and event-oriented linkable ring signatures with support for multiple tags (events). To address these issues, we propose a verifiable refreshable additively-homomorphic mmPKE scheme and a plug-and-play event-oriented linkable tag scheme from lattices. We believe both to be of independent interest.
    To achieve unbounded-level homomorphic evaluation in the lattice-based setting without relying on heavy techniques such as bootstrapping or large moduli (e.g., over 60 bits) in fully homomorphic encryption (FHE), we introduce a lightweight and blockchain-friendly mechanism called refresh. Namely, each user is required to verifiably refresh their account after a certain number of transactions. With our tailored parameter settings, the amortized per-refresh costs of communication and computation are only about 1.3% and 1.5%, respectively, of the cost of a transaction.
    We also optimize the implementations of LNP22 lattice-based zero-knowledge proof system (Crypto '22) in the LaZer library (CCS '24), to support efficient batching of various proof components. Overall, for a typical transaction, the total communication cost becomes about 68 KB, with the associated zero-knowledge proof accounting for about 51 KB of this total. Proof generation and verification each take a fraction of a second on a standard PC.
    As an additional contribution, we formalize new definitions for Anonymous Zether-like protocols that more accurately capture real-world blockchain settings. These definitions are generic and are expected to benefit the broader development of account-based private blockchain payment protocols, beyond just lattice settings.
    ## 2026/77
    * Title: Formalizing Privacy in Decentralized Identity: A Provably Secure Framework with Minimal Disclosure
    * Authors: Yu Zhang, Zongbin Wang
    * [Permalink](https://eprint.iacr.org/2026/077)
    * [Download](https://eprint.iacr.org/2026/077.pdf)
    ### Abstract
    This paper presents a formal framework for enhancing privacy in decentralized identity (DID) systems, resolving the inherent conflict between blockchain verifiability and the principle of minimal data disclosure. At its core, we introduce a provably secure cryptographic protocol that leverages attribute commitments on-chain and zero-knowledge proofs for off-chain validation. This approach allows users to demonstrably prove the validity of predicates about their attributes without revealing the underlying sensitive values.
    We formally define the security and privacy requirements for such a system, including consistency, attribute-based indistinguishability, and predicate-based indistinguishability, within a semi-honest adversarial model. We then construct a concrete scheme that realizes these properties under standard cryptographic assumptions. The proposed architecture is designed for full backward compatibility with W3C DID standards, ensuring practical deployability. Security analysis provides rigorous, provable guarantees, while performance evaluation confirms the efficiency of the core cryptographic operations, supporting its use in resource-constrained environments. This work establishes a foundational and analyzable basis for building decentralized identity systems where both accountability and user privacy are essential.
    ## 2026/78
    * Title: Breaking the Myth of MPCitH Inefficiency: Optimizing MQOM for Embedded Platforms
    * Authors: Ryad Benadjila, Thibauld Feneuil
    * [Permalink](https://eprint.iacr.org/2026/078)
    * [Download](https://eprint.iacr.org/2026/078.pdf)
    ### Abstract
    Signature schemes based on the MPC-in-the-Head (MPCitH) paradigm play an important role in enabling cryptosystems founded on a wide diversity of hardness assumptions. While the design of such schemes is currently stabilizing, providing efficient implementations on embedded devices remains a critical challenge, as MPCitH frameworks are known to manipulate large data structures and to rely heavily on symmetric primitives.
    In this work, we present a highly optimized implementation of the NIST candidate MQOM (version 2) targeting embedded microcontrollers. Our implementation significantly outperforms existing MPCitH implementations on such platforms, both in terms of memory footprint and execution time. In particular, for the L1 parameter set, we can achieve an SRAM usage below 10 KB, including the key and signature buffers, while preserving practical signing and verification performance.
    We also provide the first memory-friendly implementation of the one-tree technique, which is used to reduce signature sizes in several MPCitH-based schemes. This enables a comparative analysis of the implementation costs of correlated trees versus the one-tree technique. We then demonstrate how streaming and precomputation techniques can further mitigate the impact of the running time and the signature size.
    ## 2026/79
    * Title: Uniform Sharing in Multiple Stages: NullFresh for Arbitrary Functions
    * Authors: Artemii Ovchinnikov, Aein Rezaei Shahmirzadi, Siemen Dhooghe
    * [Permalink](https://eprint.iacr.org/2026/079)
    * [Download](https://eprint.iacr.org/2026/079.pdf)
    ### Abstract
    In the field of hardware masking, threshold implementations are a well-known technique that provides glitch-resistant power analysis security. While they guarantee probing security, finding a uniform sharing without additional randomness is difficult, making it challenging to apply to certain functions and, consequently, making it impossible to develop a tool that can straightforwardly generate the masked circuit. Additionally, this approach forces designers to use at least three shares in the underlying masking, which can make the design more costly. Other schemes, like DOM, which can work with two shares, often require fresh randomness. To address these issues, Shahmirzadi and Moradi introduced the NullFresh masking technique at CHES 2021. This method allows for uniform sharing with no additional randomness, using the minimal number of shares. However, similar to original threshold implementations, it is not always straightforward to find a NullFresh masking for arbitrary functions.
    In this work, we introduce an automated technique to provide masking for arbitrary functions, ensuring first-order security. This technique is applicable to functions where the number of output bits does not exceed the number of input bits. While this technique introduces additional register stages (resulting in higher latency and area) compared to existing methods, it addresses the automation challenges of threshold implementations, which have remained an open problem since their inception. We present the masking technique, along with proofs of glitch-extended probing security, and demonstrate its application to several ciphers, including PRINCE, MIDORI, SKINNY, KECCAK, and AES. The masked designs were verified using SILVER and PROLEAD, and tested on an FPGA through TVLA.
    ## 2026/80
    * Title: SoK: Outsourced Private Set Intersection
    * Authors: Sophie Hawkes, Christian Weinert
    * [Permalink](https://eprint.iacr.org/2026/080)
    * [Download](https://eprint.iacr.org/2026/080.pdf)
    ### Abstract
    Private set intersection (PSI) protocols are an essential privacy-enhancing technology for many real-world use cases, ranging from mobile contact discovery to fraud detection. However, PSI executed directly between input parties can result in unreasonable performance overhead. This motivates the study of outsourced PSI, where clients delegate the heavy PSI operations to an untrusted (cloud) server.
    In this SoK, we introduce a framework of 12 distinct properties that characterize outsourced PSI protocols based on security, functionality, and efficiency. By analyzing 20 protocols through this framework, we provide a valuable resource and an interactive tool for researchers and practitioners to select the most suitable protocols for their specific requirements. Finally, we discuss research gaps between trends in regular PSI and the current state of outsourced PSI, identifying promising avenues for future work.
    ## 2026/81
    * Title: HYPERSHIELD: Protecting the Hypercube MPC-in-the-Head Framework Against Differential Probing Adversaries without Masking
    * Authors: Linda Pirker, Quinten Norga, Suparna Kundu, Anindya Ganguly, Barry van Leeuwen, Angshuman Karmakar, Ingrid Verbauwhede
    * [Permalink](https://eprint.iacr.org/2026/081)
    * [Download](https://eprint.iacr.org/2026/081.pdf)
    ### Abstract
    Post-quantum secure digital signatures based on the MPC-in-the-Head (MPCitH) paradigm, a zero-knowledge (ZK) proof-based construction, are becoming increasingly popular due to their small public key size. However, the development of techniques for protecting MPCitH-based schemes against side-channel attacks remains slow, despite them being critical for real-world deployment.
    In this work, we adapt the Hypercube-MPCitH framework exploiting its native use of additive secret sharing to enable inherent protection against first- and high-order differential power analysis (DPA). We first perform a sensitivity analysis of the Hypercube Syndrome Decoding in the Head (SDitH) digital signature scheme with respect to both simple and differential power analysis. Based on the insight into its side-channel sensitivity, we then propose a tweak to the signature scheme to increase its inherent resistance against DPAs by design, eliminating the need to explicitly mask large parts of the signing procedure. More specifically, this is achieved through the novel (k+1)-Hypercube ZK Protocol: the proposed tweak increases the number of hidden shares an adversary must probe to recover the secret key from one to k+1, thus achieving inherent masking order k. Typically, increasing the amount of hidden shares results in a degradation of soundness in the zero-knowledge proof and as a result increases the signature size to a point where the scheme becomes of limited practical interest. To address this, we propose a technique to select the hidden shares in a more structured and optimal fashion, by exploiting the GGM tree structure in the Hypercube-MPCitH framework. As a result, the amount of revealed seeds is reduced, thus resulting in a smaller signature size even compared to the original hypercube protocol.
    Finally, we implement and benchmark the proposed Hypercube-SDitH signature scheme, comparing it against the cost of traditional masking. We propose different parameter sets that explore a trade-off between computational overhead and signature size. For 3rd-order protection, our tweaked signature scheme only incurs a 35-50% overhead in computational cost, compared to an estimated overhead of 300% for a fully masked implementation, while the overhead in signature size stays relatively low (52%). Overall, we demonstrate that the proposed (k+1)-Hypercube ZK Protocol can be used to construct efficient, DPA-resistant MPCitH-based digital signatures.
    ## 2026/82
    * Title: Rank Syndrome Decoding Estimator - An Asymptotic and Concrete Analysis
    * Authors: Andre Esser, Javier Verbel, Ricardo Villanueva-Polanco
    * [Permalink](https://eprint.iacr.org/2026/082)
    * [Download](https://eprint.iacr.org/2026/082.pdf)
    ### Abstract
    The Rank Syndrome Decoding (RSD) problem forms the foundation of many post-quantum cryptographic schemes. Its inherent hardness, with best known algorithms for common parameter regimes running in time exponential in $n^2$ (for $n$ being the code length), enables compact parameter choices and efficient constructions. Several RSD-based submissions to the first NIST PQC process in 2017 were, however, invalidated by algebraic attacks, raising fundamental concerns about the security of RSD-based designs.
    In this work, we revisit the parameters of prominent rank-based constructions and analyze the rationales that guided their selection, as well as their security against modern attacks. We provide a unified complexity analysis of all major RSD algorithms, including combinatorial, algebraic, and hybrid approaches, under a common cost model. All estimates are made publicly available through a dedicated open source module.
    Furthermore, we present the first asymptotic analysis of these algorithms, yielding deep insights into the relations between different procedures. We show that all studied algorithms converge to one of three distinct asymptotic runtime exponents.
    We then provide an asymptotic baseline in terms of the worst-case decoding exponent. In particular, we find that for an extension degree equal to the code length, the best known algorithms achieve a complexity of $2^{0.1481n^2 + o(n^2)}$, attained simultaneously by algebraic and combinatorial approaches. Overall, our results reinforce confidence in the RSD assumption and the design rationales of modern RSD-based schemes such as RYDE.
    ## 2026/83
    * Title: Tag-Friendly Lattice Sampler and Applications
    * Authors: Corentin Jeudy, Olivier Sanders
    * [Permalink](https://eprint.iacr.org/2026/083)
    * [Download](https://eprint.iacr.org/2026/083.pdf)
    ### Abstract
    The NIST lattice-based cryptographic standards are set to be widely adopted, offering solutions to the most common cryptographic needs, namely key establishment and authentication (signature). This shifted the attention to more advanced primitives such as threshold cryptography as well as privacy-enhanced technologies, where the transition is expected to be more complex. This is particularly true in the context of post-quantum anonymous authentication where the existing mechanisms may not match the performance requirements of industrial applications. An important avenue for improvement of said performances is the lattice sampler, which is at the center of these mechanisms. Despite recent progress, prior samplers neglected one component: the tag. The latter is not only necessary for security, but it also impacts the efficiency of the subsequent constructions if not handled properly.
    In this paper, we introduce a new sampler with an enhanced tag management that yet retains the main features of current samplers, and can thus be used as a plug-in replacement. It offers a sampling quality independent of the tag, allowing for producing preimages that are both smaller and faster to generate than those from the very recent sampler of Jeudy and Sanders (Asiacrypt'25). Far from being anecdotal, plugging it into several advanced authentication mechanisms results in size improvements of up to 30%, while being 35% faster.
    ## 2026/84
    * Title: Combined Indistinguishability Analysis - Verifying random probing leakage under random faults
    * Authors: Armand Schinkel, Pascal Sasdrich
    * [Permalink](https://eprint.iacr.org/2026/084)
    * [Download](https://eprint.iacr.org/2026/084.pdf)
    ### Abstract
    Cryptographic hardware implementations are vulnerable to combined physical implementation attacks, integrating Side-Channel Analysis and Fault-Injection Analysis to compromise their security. Although theoretically sound countermeasures exist, their practical application is often complicated and error-prone, making automated security verification a necessity. Various tools have been developed to address this need, using different approaches to formally verify security, but they are limited in their ability to analyze complex hardware circuits in the context of Combined Analysis and advanced probabilistic adversary models.
    In this work, we introduce a novel verification method that assesses the security of complex hardware circuits in the context of random probing with random faults, a scenario that more closely reflects real-world combined attack scenarios. Our approach centers around symbolic fault simulation and the derivation of a fault-enhanced leakage function using the Fourier-Hadamard Transform, enabling the computation of tight leakage probabilities for arbitrary circuits and providing a more accurate and comprehensive security analysis. By integrating our method into the INDIANA security verification framework, we extended its capabilities to analyze the leakage behavior of circuits in the presence of random faults, demonstrating the practicality of our approach.
    The results of our evaluation highlight the versatility and scalability of our approach, which can efficiently compute leakage probabilities under various fault scenarios for large-scale attacks, e.g., for a masked round of the PRESENT cipher. Notably, our method can complete most experiments in less than an hour, demonstrating a significant improvement over existing estimation-based tools. This achievement confirms the potential of our approach to provide a more comprehensive and practically useful security assessment of hardware circuits, and marks an important step forward for the development of secure hardware systems.
    ## 2026/85
    * Title: Beyond-Birthday-Bound Security with HCTR2: Cascaded Construction and Tweak-based Key Derivation
    * Authors: Yu Long Chen, Yukihito Hiraga, Nicky Mouha, Yusuke Naito, Yu Sasaki, Takeshi Sugawara
    * [Permalink](https://eprint.iacr.org/2026/085)
    * [Download](https://eprint.iacr.org/2026/085.pdf)
    ### Abstract
    The block cipher (BC) mode for realizing a variable-input-length strong tweakable pseudorandom permutation (VIL-STPRP), also known as the accordion mode, is a rapidly growing research field driven by NIST's standardization project, which considers AES as a primitive. Widely used VIL-STPRP modes, such as HCTR2, have birthday-bound security and provide only 64-bit security with AES. To provide higher security, NIST is considering two directions: to develop new modes with beyond-birthday-bound (BBB) security and to use Rijndael-256-256 with HCTR2. This paper pursues the first direction while maintaining compatibility with HCTR2. In particular, we provide two solutions to achieve BBB security for two different approaches: (i) general cases without any conditions on the tweak and (ii) under the condition that the same tweak is not repeated too often as adopted in bbb-ddd-AES recently presented at Eurocrypt 2025. For the first approach, we propose a new mode, CHCTR, that iterates HCTR2 with two independent keys, which achieves $2n/3$-bit security in the multi-user (mu) setting and satisfies NIST's requirements. For the second approach, we prove mu security of HCTR2, which allows us to apply the tweak-based key derivation (TwKD) to HCTR2 in a provable manner. When the number of BC calls processed by a single tweak is upper-bounded by $2^{n/3}$, HCTR2-TwKD achieves $2n/3$-bit mu security. By benchmarking optimized software implementations, we show that CHCTR with AES-256 outperforms HCTR2 with Rijndael-256-256, in all the twelve processor models examined. Similarly, HCTR2-TwKD outperforms bbb-ddd-AES in general cases, and it is even comparable to bbb-ddd-AES rigorously optimized for tweak-repeating use cases using precomputation.
    ## 2026/86
    * Title: 2PC Memory-Manipulating Programs with Constant Overhead
    * Authors: David Heath
    * [Permalink](https://eprint.iacr.org/2026/086)
    * [Download](https://eprint.iacr.org/2026/086.pdf)
    ### Abstract
    General-purpose secure multiparty computation (MPC) remains bottlenecked in large part by a lack of efficient techniques for handling memory access. We demonstrate a remarkably simple and efficient 2PC instantiation of random access memory (RAM), based on distributed point functions (DPFs, Gilboa and Ishai, Eurocrypt'14). Our semi-honest 2PC protocol can be achieved from oblivious transfer (OT) and a black-box pseudorandom generator (PRG).
    For a memory that stores large enough data words, our 2PC RAM incurs constant communication overhead per access. Like prior works that leverage DPFs to achieve memory access, our work incurs linear computation per access, but our per-access communication is lean.
    Our 2PC RAM is built on top of an obliviousness-friendly model of computation called the single access machine model (SAM, Appan et al., CCS'24). In the SAM model, each memory slot can be read at most once. We present a simple 2PC SAM protocol, where each single-access memory operation incurs at most $2w + O(\lambda \lg n)$ bits of communication, where $w$ is the word size, $n$ is the number of memory words, and $\lambda$ is a security parameter. Of this cost, only $2w + 2\lg n$ bits are incurred in the online phase.
    Our RAM operations are (non-cryptographically) compiled to SAM operations. At most a logarithmic number of SAM operations are needed per RAM operation; if word size is large, even fewer SAM operations are required. Alternatively, there are now many oblivious algorithms that compile directly to SAM more efficiently than via a compilation to RAM, and our 2PC SAM can instantiate these algorithms. As one example, we can use our 2PC SAM to implement privacy-preserving graph traversal (DFS or BFS) over a secret-shared size-$n$ graph while revealing nothing beyond the runtime of the SAM program. Our construction achieves online communication $O(n \lg n)$ bits, asymptotically matching the number of bits touched in a corresponding cleartext graph traversal.
    ## 2026/87
    * Title: Augmenting BBS with Conventional Signatures
    * Authors: Sietse Ringers
    * [Permalink](https://eprint.iacr.org/2026/087)
    * [Download](https://eprint.iacr.org/2026/087.pdf)
    ### Abstract
    Anonymous credential schemes such as BBS face a significant deployment barrier: currently available secure hardware such as HSMs required for eIDAS Level of Assurance High does not yet support BBS signatures or pairing-friendly curves. We address this challenge by augmenting BBS credentials with a conventional signature (such as ECDSA), where the issuer additionally signs part of the BBS signature using a conventional signature private key that can be secured in widely available HSMs. While disclosing the extra signature breaks unlinkability, we argue this is acceptable for high-assurance use cases where disclosed attributes already uniquely identify the user. For use cases not requiring this additional security, the conventional signature can be omitted to preserve BBS unlinkability. We prove that augmented BBS credentials are existentially unforgeable under chosen message attacks, with security depending solely on the conventional signature private key rather than the BBS private key. This approach provides a practical migration path to full BBS deployment while (apart from unlinkability) maintaining several key BBS advantages.
    ## 2026/88
    * Title: BLISK: Boolean circuit Logic Integrated into the Single Key
    * Authors: Oleksandr Kurbatov, Yevhen Hrubiian, Illia Melnyk, Lasha Antadze
    * [Permalink](https://eprint.iacr.org/2026/088)
    * [Download](https://eprint.iacr.org/2026/088.pdf)
    ### Abstract
    This paper introduces BLISK, a framework that compiles a monotone Boolean authorization policy into a single signature verification key, enabling only the authorized signer subset to produce the standard constant-size aggregated signatures. BLISK combines (1) $n$-of-$n$ multisignatures to realize conjunctions, (2) key agreement protocols to realize disjunctions, and (3) verifiable group operations (for instance, based on the 0-ART framework). BLISK avoids distributed key generation (allowing users to reuse their long-term keys), supports publicly verifiable policy compilation, and enables non-interactive key rotation.
    ## 2026/89
    * Title: The Billion Dollar Merkle Tree
    * Authors: Thomas Coratger, Dmitry Khovratovich, Bart Mennink, Benedikt Wagner
    * [Permalink](https://eprint.iacr.org/2026/089)
    * [Download](https://eprint.iacr.org/2026/089.pdf)
    ### Abstract
    The Plonky3 Merkle tree implementation has become one of the most widely deployed Merkle tree constructions due to its high efficiency, and, through its integration into numerous succinct-argument systems, it currently helps secure an estimated \$4 billion in assets. Somewhat paradoxically, however, the underlying 2-to-1 compression function is not collision-resistant, nor even one-way, which at first glance appears to undermine the security of the entire Merkle tree. The prevailing ad-hoc countermeasure is to pre-hash data before using them as leaves in this otherwise insecure Merkle tree.
    In this work, we provide the first rigorous security analysis of this Merkle tree design and show that the Plonky3 approach is, in fact, sound. Concretely, we show (strong) position-binding and extractability.
    ## 2026/90
    * Title: On the Impossibility of Round-Optimal Pairing-Free Blind Signatures in the ROM
    * Authors: Marian Dietz, Julia Kastner, Stefano Tessaro
    * [Permalink](https://eprint.iacr.org/2026/090)
    * [Download](https://eprint.iacr.org/2026/090.pdf)
    ### Abstract
    Blind signatures play a central role in cryptographic protocols for privacy-preserving authentication and have attracted substantial attention in both theory and practice. A major line of research, dating back to the 1990s, has focused on constructing blind signatures from pairing-free groups. However, all known constructions in this setting require at least three moves of interaction between the signer and the user. These schemes treat the underlying group as a black box and rely on the random oracle in their security proofs. While computationally efficient, they suffer from the drawback that the signer must maintain state during a signing session. In contrast, round-optimal solutions are known under other assumptions and structures (e.g., RSA, lattices, and pairings), or via generic transformations such as Fischlin's method (CRYPTO '06), which employ non-black-box techniques.
    This paper investigates whether the three-round barrier for pairing-free groups is inherent. We provide the first negative evidence by proving that, in a model combining the Random Oracle Model (ROM) with Maurer's Generic Group Model, no blind signature scheme can be secure if it signs sufficiently long messages while making at most a logarithmic number of random oracle queries. Our lower-bound techniques are novel in that they address the interaction of both models (generic groups and random oracles) simultaneously.
    ## 2026/91
    * Title: Round-Optimal Pairing-Free Blind Signatures
    * Authors: Julia Kastner, Stefano Tessaro, Greg Zaverucha
    * [Permalink](https://eprint.iacr.org/2026/091)
    * [Download](https://eprint.iacr.org/2026/091.pdf)
    ### Abstract
    We present the first practical, round-optimal blind signatures in pairing-free groups.
    We build on the Fischlin paradigm (EUROCRYPT 2007) where a first signature is computed on a commitment to the message and the final signature is a zero-knowledge proof of the first signature.
    We use the Nyberg-Rueppel signature scheme as the basis (CCS 1993); it is a well-studied scheme with a verification equation that is sufficiently algebraic to allow efficient proofs that do not need to make non-black-box use of a random oracle.
    Our construction offers flexibility for trade-offs between underlying assumptions and supports issuance of signatures on vectors of attributes making it suitable for use in anonymous credential systems.
    As a building block, we show how existing NIZKs can be modified to allow for straight-line extraction.
    We implement variants of our construction to demonstrate its practicality, varying the choice of elliptic curve and the proof system used to compute the NIZK.
    With conservative parameters (NIST-P256 and SHA-256) and targeting short proofs, signatures are 1349 bytes long, and on a typical laptop can be generated in under 500ms and verified in under 100ms.
    ## 2026/92
    * Title: Integrity from Algebraic Manipulation Detection in Trusted-Repeater QKD Networks
    * Authors: Ailsa Robertson, Christian Schaffner, Sebastian R. Verschoor
    * [Permalink](https://eprint.iacr.org/2026/092)
    * [Download](https://eprint.iacr.org/2026/092.pdf)
    ### Abstract
    Quantum Key Distribution (QKD) allows secure communication without relying on computational assumptions, but can currently only be deployed over relatively short distances due to hardware constraints. To extend QKD over long distances, networks of trusted repeater nodes can be used, wherein QKD is executed between neighbouring nodes and messages between non-neighbouring nodes are forwarded using a relay protocol. Although these networks are being deployed worldwide, no protocol exists which provides provable guarantees of integrity against manipulation from both external adversaries and corrupted intermediates. In this work, we present the first protocol that provably provides both confidentiality and integrity. Our protocol combines an existing cryptographic technique, Algebraic Manipulation Detection (AMD) codes, with multi-path relaying over trusted repeater networks. This protocol achieves Information-Theoretic Security (ITS) against the detection of manipulation, which we prove formally through a sequence of games.
    ## 2026/93
    * Title: Optimized Implementation of ML-KEM on ARMv9-A with SVE2 and SME
    * Authors: Hanyu Wei, Wenqian Li, Shiyu Shen, Hao Yang, Yunlei Zhao
    * [Permalink](https://eprint.iacr.org/2026/093)
    * [Download](https://eprint.iacr.org/2026/093.pdf)
    ### Abstract
    As quantum computing continues to advance, traditional public-key cryptosystems face increasing vulnerability, necessitating a global transition toward post-quantum cryptography (PQC). A primary challenge for both cryptographers and system architects is the efficient integration of PQC into high-performance computing platforms. ARM, a dominant processor architecture, has recently introduced ARMv9-A to accelerate modern workloads such as artificial intelligence and cloud computing. Leveraging its Scalable Vector Extension 2 (SVE2) and Scalable Matrix Extension (SME), ARMv9-A provides sophisticated hardware support for high-performance computing. This architectural evolution motivates the need for efficient implementations of PQC schemes on the new architecture. In this work, we present a highly optimized implementation of ML-KEM, the post-quantum key encapsulation mechanism (KEM) standardized by NIST as FIPS 203, on the ARMv9-A architecture. We redesign the polynomial computation pipeline to achieve deep alignment with the vector and matrix execution units. Our optimizations encompass refined modular arithmetic and highly vectorized polynomial operations. Specifically, we propose two NTT variants tailored to the architectural features of SVE2 and SME: the vector-based NTT (VecNTT) and the matrix-based NTT (MatNTT), which effectively utilize layer fusion and optimized data access patterns. Experimental results on the Apple M4 Pro processor demonstrate that VecNTT and MatNTT achieve performance improvements of up to $7.18\times$ and $7.77\times$, respectively, compared to the reference implementation. Furthermore, the matrix-vector polynomial multiplication, which is the primary computational bottleneck of ML-KEM, is accelerated by up to $5.27\times$. Our full ML-KEM implementation achieves a 52.47% to 60.09% speedup in key encapsulation across all security levels. 
    To the best of our knowledge, this is the first work to implement and evaluate ML-KEM leveraging SVE2 and SME on real ARMv9-A hardware, providing a practical foundation for future PQC deployments on next-generation ARM platforms.
    ## 2026/94
    * Title: Hardware-Friendly Robust Threshold ECDSA in an Asymmetric Model
    * Authors: Hankyung Ko, Seunghwa Lee, Sookyung Eom, Sunghyun Jo
    * [Permalink](https://eprint.iacr.org/2026/094)
    * [Download](https://eprint.iacr.org/2026/094.pdf)
    ### Abstract
    We propose Asymmetric Robust Threshold ECDSA (ART-ECDSA), a robust and hardware-friendly threshold ECDSA protocol designed for asymmetric settings where one participant is a resource-constrained hardware device. The scheme achieves full robustness and cheater identification while minimizing the computational and communication burden on the hardware signer. Our design leverages Castagnos-Laguillaumie (CL) homomorphic encryption to replace Paillier-based operations and remove costly range proofs, yielding compact ciphertexts and simple zero-knowledge proofs. All heavy multiparty computations, including multiplicative-to-additive (MtA) conversions and distributed randomness generation, are offloaded to online cosigners, allowing the hardware party to remain lightweight. ART-ECDSA provides an efficient asymmetric signing protocol with formal security proofs in the UC framework, achieving both robustness and hardware efficiency within a single design.
    Our implementation on an ARM Cortex-M7 microcontroller (400 MHz, 3 MB Flash, 2 MB SRAM) shows that the hardware party performs only lightweight computation (50 ms in presigning and ≤ 10 s in signing) and transmits about 300 Bytes and 3 KB in each phase, which easily fits within the bandwidth limits of BLE and NFC. These results demonstrate that ART-ECDSA is practical for cold-storage and embedded hardware environments without compromising security.
    ## 2026/95
    * Title: Tropical cryptography IV: Digital signatures and secret sharing with arbitrary access structure
    * Authors: Dima Grigoriev, Chris Monico, Vladimir Shpilrain
    * [Permalink](https://eprint.iacr.org/2026/095)
    * [Download](https://eprint.iacr.org/2026/095.pdf)
    ### Abstract
    We use tropical algebras as platforms for a very efficient digital signature protocol. Security relies on the computational hardness of factoring a given tropical matrix into a product of two matrices of given dimensions; this problem is known to be NP-complete.
    We also offer a secret sharing scheme with an arbitrary access structure where security of the shared secret is based on computational hardness of the same problem.
    ## 2026/96
    * Title: Revisiting the Concrete Security of Falcon-type Signatures
    * Authors: Huiwen Jia, Shiduo Zhang, Yang Yu, Chunming Tang
    * [Permalink](https://eprint.iacr.org/2026/096)
    * [Download](https://eprint.iacr.org/2026/096.pdf)
    ### Abstract
    Falcon is a selected signature scheme in the NIST post-quantum standardization. It is an efficient instantiation of the GPV framework over NTRU lattices. While the GPV framework comes with an elegant security proof in theory, Falcon had no formal proof involving concrete parameters for a long time. Only recently did Fouque et al. initiate the concrete security analysis of Falcon-type signatures. They give a formal proof of Falcon+, a minor modification of Falcon, in the random oracle model, whereas they claim that Falcon+-512 barely achieves the claimed 120-bit security for plain unforgeability. Furthermore, they show that standard reductions for strong unforgeability are vacuous for Falcon parameters, necessitating the introduction of a new, non-standard assumption.
    In this work, we revisit the concrete security analysis of Falcon-type signatures and present positive results. We develop improved analytic tools by leveraging the profile of the NTRU trapdoor bases. This eliminates the security loss for both Falcon+-512 and Falcon+-1024 in the case of plain unforgeability. We also apply our new analysis to the recent weak-smoothness variant Falcon-ws (Zhang et al. Asiacrypt 2025) that admits smaller parameters than Falcon under a non-standard assumption. As a result, we propose new parameters for Falcon-ws allowing for provable security under standard assumptions and signature size 17.8% (resp. 12.8%) smaller than that of Falcon-512 (resp. Falcon-1024) simultaneously. Moreover, we give a refined strong unforgeability security proof by replacing the worst-case analysis with a probabilistic analysis, which leads to a substantial increase in concrete security. Based on this, we show that by using a tighter Gaussian sampler, e.g. the one in Falcon-ws, Falcon-type signatures can achieve concrete security for strong unforgeability closely consistent with the claimed security level while keeping the compact size.
    ## 2026/97
    * Title: Secret-Subspace Recovery in MAYO via Linearization of Errors from a Single Fault
    * Authors: Alberto Marcos
    * [Permalink](https://eprint.iacr.org/2026/097)
    * [Download](https://eprint.iacr.org/2026/097.pdf)
    ### Abstract
    We present a fault injection attack against MAYO that, from a single faulty execution, enables the recovery of structural information about the secret. We consider a simple fault model: a controlled perturbation in a single oil coordinate of a signature block, which induces an error $e \in \mathcal{O}$ (the secret subspace) with a known oil part. We show that the observable mismatch in verification, $\Delta t = P^*(s') - t$, can be expressed exactly as the image of $e$ under a publicly derivable linear operator $\mathcal{L}$, obtained by expanding $P^*$ and using (i) the bilinearity of the differential $P'$ in characteristic $2$ and (ii) the key property $P(u)=0$ for all $u \in \mathcal{O}$. This linearization makes it possible to separate vinegar and oil coordinates and to reduce the recovery of the unknown component $e_V$ to solving a linear system over $\mathbb{F}_q$, under generic full-rank conditions for typical parameters. Once $e$ is recovered, the faulty signature can be corrected and, more importantly, a nonzero vector of the secret subspace is obtained, which serves as a starting point to scale to key recovery via known oil-space reconstruction techniques. We further discuss the practical feasibility when the exact position and value of the fault are unknown, showing that a bounded search over $k \cdot o$ positions and $q-1$ values keeps the cost low for the official parameter sets, and that the attack is also applicable to the randomized variant of MAYO.
    ## 2026/98
    * Title: Structured Module Lattice-based Cryptography
    * Authors: Joppe W. Bos, Joost Renes, Frederik Vercauteren, Peng Wang
    * [Permalink](https://eprint.iacr.org/2026/098)
    * [Download](https://eprint.iacr.org/2026/098.pdf)
    ### Abstract
    The ongoing transition to Post-Quantum Cryptography (PQC) has highlighted the need for cryptographic schemes that offer high security, strong performance, and fine-grained parameter selection. In lattice-based cryptography, particularly for the popular module variants of learning with errors (Module-LWE) and learning with rounding (Module-LWR) schemes based on power-of-two cyclotomics, existing constructions often force parameter choices that either overshoot or undershoot desired security levels due to structural constraints. In this work, we introduce a new class of techniques that are the best of both worlds: structured Module-LWE (or LWR) embeds more algebraic structure than a module such that it significantly improves performance, yet less structure than a power-of-two cyclotomic ring such that it still enables more flexible and efficient parameter selection. We present two concrete instances: a construction based on a radical extension of a two-power cyclotomic field denoted radical Ring-LWE (RR-LWE) or Ring-LWR (RR-LWR), and a cyclotomic block-ring module lattice approach (BRM-LWE or BRM-LWR). These new structured Module-LWE and LWR variants reduce the required number of uniformly random bytes in their matrix by a factor up to the module rank and allow efficient NTT implementations while enabling more granular security-performance trade-offs. We analyze the security of these constructions, provide practical parameter sets, and present implementation results demonstrating a performance improvement of up to 37% compared to an optimized implementation of ML-KEM. Our techniques apply to both key encapsulation mechanisms and digital signature schemes, offering a pathway to more adaptable and performant PQC standards.
    ## 2026/99
    * Title: Arithmetic autocorrelation of binary half-$\ell$-sequences with connection integer $p^{r}q^{s}$
    * Authors: Feifei Yan, Pinhui Ke
    * [Permalink](https://eprint.iacr.org/2026/099)
    * [Download](https://eprint.iacr.org/2026/099.pdf)
    ### Abstract
    Half-$\ell$-sequences, as an extension of $\ell$-sequences, have attracted research interest over the past decade. The arithmetic correlation of half-$\ell$-sequences is known for connection integers of the form $p^r$. In this paper, we extend this result by deriving the arithmetic correlation for half-$\ell$-sequences with connection integers of the form $p^r q^s $. The results indicate that when $p\equiv -1 \pmod{8}$ and $q\equiv \pm 3 \pmod{8}$, the arithmetic autocorrelation can be determined by the number of odd integers in the cyclic subgroup generated by $2$ modulo $p$.
    ## 2026/100
    * Title: BREAKMEIFYOUCAN!: Exploiting Keyspace Reduction and Relay Attacks in 3DES and AES-protected NFC Technologies
    * Authors: Nathan Nye, Philippe Teuwen, Tiernan Messmer, Steven Mauch, Struan Clark, Zinong Li, Zachary Weiss, Lucifer Voeltner
    * [Permalink](https://eprint.iacr.org/2026/100)
    * [Download](https://eprint.iacr.org/2026/100.pdf)
    ### Abstract
    This paper presents an in-depth analysis of vulnerabilities in MIFARE Ultralight C (MF0ICU2), MIFARE Ultralight AES (MF0AES), NTAG 223 DNA (NT2H2331G0 and NT2H2331S0), NTAG 224 DNA (NT2H2421G0 and NT2H2421S0), and widely circulated counterfeit Ultralight C cards based on Giantec GT23SC4489, Feiju FJ8010, and USCUID-UL. We reveal multiple avenues to substantially weaken the security of each technology and its implementation across a range of configurations. We demonstrate how, through relay-based man-in-the-middle techniques and partial key overwrites --- optionally combined with tearing techniques --- an attacker can reduce the keyspace of two-key Triple DES (2TDEA) from $2^{112}$ to $2^{28}$ or less in certain real-world deployments, thereby making brute-force key recovery feasible with modest computational resources. We further discuss how the MIFARE Ultralight AES protocol can be similarly affected, particularly when CMAC integrity checks are not enforced. We also find that the security offered by NTAG 223 DNA and NTAG 224 DNA is undermined by the absence of integrity checks on commands and the calculation of a CMAC over Secure Unique NFC (SUN) messages, providing an unauthenticated ciphertext oracle that facilitates key recovery. Field observations, especially in hospitality deployments, underscore the urgent need for proper configuration, key diversification, and counterfeit detection.
    ## 2026/101
    * Title: Analysis and Attacks on the Reputation System of Nym
    * Authors: Xinmu Alexis Cao, Matthew Green
    * [Permalink](https://eprint.iacr.org/2026/101)
    * [Download](https://eprint.iacr.org/2026/101.pdf)
    ### Abstract
    Nym is a reputation- and incentive-enhanced anonymous communications network that utilizes staking, performance monitoring, and rewards to encourage high-quality contributions. In this work, we analyze the reputation mechanism used in Nym's Mixnet and NymVPN service. Using a combination of source code analysis, data collection from Nym mainnet, and network simulations with a custom simulator, we demonstrate active attacks that may allow a moderately resourced adversary to gain control of a fraction of Nym Mixnet's active set. This condition may enable connection de-anonymization attacks. In particular, we show that the mechanism Nym uses to measure node performance is vulnerable to a form of "framing" attack that allows a small number of low-stake nodes to damage the score of high-reputation active nodes. We then consider and discuss various mitigations. This work highlights the challenge of nodes' reliability measurement in reputation-enhanced networks, where the entry of low-reputation nodes is required for network survivability but also grants attackers a platform to launch attacks against the network.
    ## 2026/102
    * Title: Secure Computation for Fixed-point and Floating-point Arithmetic
    * Authors: Tianpei Lu, Bingsheng Zhang, Yuyang Feng, Kui Ren
    * [Permalink](https://eprint.iacr.org/2026/102)
    * [Download](https://eprint.iacr.org/2026/102.pdf)
    ### Abstract
    Secure Multi-Party Computation (MPC) protocols naturally operate over rings/fields, and they are less efficient for real-number arithmetic, which is commonly needed in AI-powered applications. State-of-the-art solutions are hindered by the high cost of fixed-point and floating-point operations.
    This work addresses these bottlenecks by proposing a series of novel MPC protocols. Compared to SOTA, our fixed-point multiplication protocol reduces the online communication cost by about $75\%$. For scenarios where higher precision is required, we present the first constant-round floating-point arithmetic protocol for addition and multiplication in the three-party computation (3PC) setting, reducing the communication overhead of SOTA by approximately $95\%$. The experimental results demonstrate that our fixed-point multiplication protocol is more than $3\times$ faster than all mainstream solutions (such as ABY3, Falcon, Orca, etc.). Our floating-point addition and multiplication protocols are over $3\times$ and $5\times$, respectively, faster than SOTA, SecFloat [S&P 23].
    ## 2026/103
    * Title: When Only Parts Matter: Efficient Privacy-Preserving Analytics with Fully Homomorphic Encryption
    * Authors: Alexandros Bakas, Dimitrios Schoinianakis
    * [Permalink](https://eprint.iacr.org/2026/103)
    * [Download](https://eprint.iacr.org/2026/103.pdf)
    ### Abstract
    The increasing reliance on cloud-based computation for data-intensive applications raises critical concerns about data confidentiality. Fully Homomorphic Encryption (FHE) provides strong theoretical guarantees by allowing computations over encrypted data, but its high computational cost limits its practicality in large-scale scenarios such as image analysis or matrix-based workloads. In this work, we introduce $\Pi_{ROI}$, a hybrid privacy-preserving computation protocol that leverages region-based selective encryption. The core idea is to encrypt only the sensitive Regions of Interest (ROIs) under an FHE scheme, while keeping the remaining, non-sensitive parts of the data in plaintext. This approach achieves end-to-end confidentiality for sensitive regions while significantly improving computational efficiency. We formally define the security of $\Pi_{ROI}$ through an ideal functionality $\mathcal{F}_{\text{proc}}$ and prove that it securely realizes $\mathcal{F}_{\text{proc}}$ against a semi-honest cloud service provider under standard cryptographic assumptions (IND-CPA, IND-CCA2, EUF-CMA, and collision-resistance). Experimental evaluation demonstrates that $\Pi_{ROI}$ offers substantial performance gains in mixed-sensitivity workloads.
    ## 2026/104
    * Title: Deal out oblivious correlations: 2-depth HSS circuit for silent V-OLE generation
    * Authors: Davide Cerutti, Stelvio Cimato
    * [Permalink](https://eprint.iacr.org/2026/104)
    * [Download](https://eprint.iacr.org/2026/104.pdf)
    ### Abstract
    We analyzed in depth the Homomorphic Secret Sharing (HSS) construction applied to Pseudorandom Correlation Functions (PCFs), and we obtained interesting results for various applications.
    In this paper, we discuss how the PCF can be achieved using the Damgård-Jurik HSS scheme by solving the distance function over a ciphertext parametric space of \(\mathbb{Z}^{*}_{n^{\zeta + 1}}\), performing the distributed multiplication protocol as the base building block for our PCF.
    We created a weak PCF for Vector-OLE via a 1-depth HSS circuit; furthermore, via what we called RO-less pre-computation, we achieved a strong PCF for V-OLE between two parties, correct against an honest-but-curious adversary \(\mathcal{A}_{\mathsf{hbc}}\) and fail-safe secure against an active adversary \(\mathcal{A}_{\mathsf{poly}}\).
    We also extended our main construction by describing a silent approach in two different ways: a semi-silent one, based on a pre-sampling assumption between the parties, and a true-silent protocol execution exploiting the generation of seeds by a PRF.
    As a last step, we discussed how to build an \(n \times\) OLE generator via our pre-computation session to craft an arbitrary amount of OLE correlations.
    ## 2026/105
    * Title: Privacy-Preserving LLM Inference in Practice: A Comparative Survey of Techniques, Trade-Offs, and Deployability
    * Authors: Davide Andreoletti, Alessandro Rudi, Emanuele Carpanzano, Tiziano Leidi
    * [Permalink](https://eprint.iacr.org/2026/105)
    * [Download](https://eprint.iacr.org/2026/105.pdf)
    ### Abstract
    Large Language Models (LLMs) are increasingly deployed as cloud services, raising practical concerns about the confidentiality of user prompts and generated completions. In this paper, we survey privacy-preserving inference solutions for Transformer-based LLMs with the explicit goal of supporting operational choices in real-world deployments. We adopt a strong operational notion of privacy: only the client can read the prompt and the corresponding completion, end to end. The review is organised around the main families of Privacy-Enhancing Technologies (PETs). For each family, we examine representative systems and how they address key bottlenecks in confidential LLM inference, such as non-linear layers and autoregressive decoding. We then compare these approaches in terms of trust assumptions, scalability, and deployment maturity. This comparison characterises the current practical landscape of privacy-preserving LLM inference and motivates a trust-minimising deployment trajectory: from TEE-based solutions that enable large-scale confidential inference today; through crypto-augmented designs that reduce reliance on hardware trust at higher computational cost; toward Fully Homomorphic Encryption as a principled long-term endpoint for non-interactive confidentiality.
    ## 2026/106
    * Title: New Quantum Circuits for ECDLP: Breaking Prime Elliptic Curve Cryptography in Minutes
    * Authors: Hyunji Kim, Kyungbae Jang, Siyi Wang, Anubhab Baksi, Gyeongju Song, Hwajeong Seo, Anupam Chattopadhyay
    * [Permalink](https://eprint.iacr.org/2026/106)
    * [Download](https://eprint.iacr.org/2026/106.pdf)
    ### Abstract
    This paper improves quantum circuits for realizing Shor's algorithm on elliptic curves. We present optimized quantum point addition circuits that primarily focus on reducing circuit depth, while also taking the qubit count into consideration. Our implementations significantly reduce circuit depth and achieve up to 40% improvement in the qubit count-depth product compared to previous works, including those by M. Roetteler et al. (Asiacrypt'17) and T. Häner et al. (PQCrypto'20).
    Using our quantum circuits, we newly assess the post-quantum security of elliptic curve cryptography. Under the MAXDEPTH constraint proposed by NIST, which limits the maximum circuit depth to $2^{40}$, the maximum depth in our work is $2^{28}$ for the P-521 curve (well below this threshold). For the total gate count and full depth product, a metric defined by NIST for evaluating quantum attack resistance, the maximum complexity for the same curve is $2^{65}$, far below the post-quantum security level 1 requirement of $2^{157}$.
    Beyond these logical analyses, we estimate the fault-tolerant costs (i.e., at the level of physical resources) for breaking elliptic curve cryptography. As one of our results, the P-224 curve (comparable to RSA-2048 in security) can be broken in 34 minutes using 19.1 million physical qubits, or in 96 minutes using 6.9 million physical qubits under our two optimization approaches.
    ## 2026/107
    * Title: Verified non-recursive calculation of Beneš networks applied to Classic McEliece
    * Authors: Wrenna Robson, Samuel Kelly
    * [Permalink](https://eprint.iacr.org/2026/107)
    * [Download](https://eprint.iacr.org/2026/107.pdf)
    ### Abstract
    The Beneš network can be utilised to apply a single permutation to different inputs repeatedly. We present novel generalisations of Bernstein's formulae for the control bits of a Beneš network and from them derive an iterative control bit setting algorithm. We provide verified proofs of our formulae and prototype a provably correct implementation in the Lean language and theorem prover. We develop and evaluate portable and vectorised implementations of our algorithm in the C programming language. Our implementation utilising Intel's Advanced Vector eXtensions 2 feature reduces execution latency by 25% compared to the equivalent implementation in the libmceliece software library.
    ## 2026/108
    * Title: Extending RISC-V to Support Flexible-Radix Multiply-Accumulate Operations
    * Authors: Isaar Ahmad, Hao Cheng, Johann Großschädl, Daniel Page
    * [Permalink](https://eprint.iacr.org/2026/108)
    * [Download](https://eprint.iacr.org/2026/108.pdf)
    ### Abstract
    Specified as part of the (standard, optional) M extension, the mul and mulhu instructions reflect support for unsigned integer multiplication in RISC-V base Instruction Set Architectures (ISAs) such as RV32I and RV64I: given w-bit integers x and y for a word size w, they respectively produce the less- and more-significant w bits of the (2 · w)-bit product r = x · y. This typically minimal, and hence RISC-like, form contrasts sharply with many alternative ISAs. For example, ARMv7-M includes a rich set of multiply and multiply-accumulate instructions; these cater for a wide variety of important use-cases in cryptography, where multi-precision integer arithmetic is often a central requirement. In this paper, we explore the extension of RV32I and RV64I, i.e., an Instruction Set Extension (ISE), with richer support for unsigned integer multiplication. Our design has three central features: 1) it includes dedicated carry propagation and multiply-accumulate instructions, 2) those instructions allow flexible selection of the radix (thus catering for reduced- and full-radix representations), and 3) the design can be considered for any w, and so uniformly across both RV32I and RV64I. A headline outcome of our evaluation is that, for X25519-based scalar multiplication, use of the ISE affords 1.5× and 1.6× improvement for full- and reduced-radix cases, respectively, on RV32I, and 1.3× and 1.7× improvement for full- and reduced-radix cases, respectively, on RV64I.
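    The full-radix versus reduced-radix distinction above, as an added Python model that is not the paper's ISE or code: it emulates the w = 32 mul/mulhu pair in software and contrasts the carry handling each limb representation forces on plain RV32IM. The 2^26 limb size, the helper names and the sample values are illustrative choices, not taken from the paper.

```python
from __future__ import annotations

W = 32                      # modelled word size (RV32I); the same code works for W = 64
MASK = (1 << W) - 1


def rv_mul(x: int, y: int) -> int:
    """RISC-V `mul`: the less-significant w bits of the 2w-bit product."""
    return (x * y) & MASK


def rv_mulhu(x: int, y: int) -> int:
    """RISC-V `mulhu`: the more-significant w bits of the unsigned product."""
    return ((x * y) >> W) & MASK


def mul_full_radix(x: list[int], y: list[int]) -> list[int]:
    """Schoolbook product of two full-radix (2^w) little-endian limb arrays.

    Each partial product costs a mul and a mulhu, and every addition into the
    accumulator needs explicit carry detection (add followed by sltu on plain
    RV32I); this is the carry chain that dedicated carry-propagation and
    multiply-accumulate instructions are meant to absorb.
    """
    n, m = len(x), len(y)
    r = [0] * (n + m)
    for i in range(n):
        carry = 0
        for j in range(m):
            lo, hi = rv_mul(x[i], y[j]), rv_mulhu(x[i], y[j])
            t = (r[i + j] + lo) & MASK
            hi += int(t < lo)              # carry out of the first add
            t = (t + carry) & MASK
            hi += int(t < carry)           # carry out of the second add
            r[i + j] = t
            carry = hi                     # r + x*y + carry <= 2^(2w) - 1, so hi < 2^w
        r[i + m] = carry
    return r


RBITS = 26                  # reduced radix: limbs hold 26 bits (X25519-style representation)
RMASK = (1 << RBITS) - 1


def mul_reduced_radix(x: list[int], y: list[int]) -> list[int]:
    """Product of two reduced-radix (2^26) limb arrays with lazy carries.

    Partial products are 52 bits wide, so a 64-bit accumulator can absorb up to
    2^12 of them before overflowing; carries are propagated once, at the end.
    """
    n, m = len(x), len(y)
    acc = [0] * (n + m)
    for i in range(n):
        for j in range(m):
            acc[i + j] += x[i] * y[j]      # one multiply-accumulate, no carry handling
            assert acc[i + j] < (1 << 64)  # models a 64-bit accumulator
    r, carry = [], 0
    for a in acc:                          # single normalisation pass
        a += carry
        r.append(a & RMASK)
        carry = a >> RBITS
    assert carry == 0                      # (n + m) limbs of 26 bits hold the product
    return r


def to_limbs(value: int, bits: int, count: int) -> list[int]:
    """Split a non-negative integer into `count` little-endian limbs of `bits` bits."""
    return [(value >> (bits * k)) & ((1 << bits) - 1) for k in range(count)]


def from_limbs(limbs: list[int], bits: int) -> int:
    return sum(limb << (bits * k) for k, limb in enumerate(limbs))


def check_consistency(a: int, b: int) -> bool:
    """Both representations must yield the integer product a * b."""
    n32, m32 = max(1, (a.bit_length() + 31) // 32), max(1, (b.bit_length() + 31) // 32)
    n26, m26 = max(1, (a.bit_length() + 25) // 26), max(1, (b.bit_length() + 25) // 26)
    full = from_limbs(mul_full_radix(to_limbs(a, 32, n32), to_limbs(b, 32, m32)), 32)
    reduced = from_limbs(mul_reduced_radix(to_limbs(a, 26, n26), to_limbs(b, 26, m26)), 26)
    return full == reduced == a * b
```

    The full-radix loop performs two carry checks per partial product; the reduced-radix loop performs none until the final pass, at the price of wasting 6 bits per limb. A radix-selectable multiply-accumulate instruction lets the same code path serve both layouts.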
    ## 2026/109
    * Title: Concretely Efficient Blind Signatures Based on VOLE-in-the-Head Proofs and the MAYO Trapdoor
    * Authors: Carsten Baum, Marvin Beckmann, Ward Beullens, Shibam Mukherjee, Christian Rechberger
    * [Permalink](https://eprint.iacr.org/2026/109)
    * [Download](https://eprint.iacr.org/2026/109.pdf)
    ### Abstract
    Blind signatures (Chaum, CRYPTO 82) are important building blocks in many privacy-preserving applications, such as anonymous credentials or e-cash schemes. Recent years saw a strong interest in building Blind signatures from post-quantum assumptions, primarily from lattices. While performance has improved, no construction has reached practical efficiency in terms of computation and communication. The state of the art requires at least $20$ KB size of communication for each showing of a lattice-based Blind signature to a verifier, and more than $100$ ms in prover time.
    In this work, we propose an alternative direction with a plausibly post-quantum Blind signature scheme called PoMFRIT. It builds on top of the VOLE-in-the-head Zero-Knowledge proof system (Baum et al. CRYPTO 2023), which we combine with the MAYO digital signature scheme (Beullens, SAC 2021). We implement multiple versions of PoMFRIT to demonstrate security and performance trade-offs, and provide detailed benchmarks of our constructions. Signature issuance requires \(0.45\) KB communication for Blind signatures of size \(6.7\) KB. Showing a Blind signature can be done in $<76$ ms even for a conservative construction with $128$ bit security. As a building block for our Blind signature scheme, we implement the first VOLE-in-the-head proof for hash functions in the SHA-3 family, which we consider of independent interest.
    ## 2026/110
    * Title: Logarithmic density of rank $\geq1$ and $\geq2$ genus-2 Jacobians and applications to hyperelliptic curve cryptography
    * Authors: Razvan Barbulescu, Mugurel Barcau, Vicentiu Pasol, George Turcas
    * [Permalink](https://eprint.iacr.org/2026/110)
    * [Download](https://eprint.iacr.org/2026/110.pdf)
    ### Abstract
    In this work we study quantitative existence results for genus-$2$ curves over $\mathbb{Q}$ whose Jacobians have Mordell-Weil rank at least $1$ or $2$, ordering the curves by the naive height of their integral Weierstrass models. We use geometric techniques to show that asymptotically the Jacobians of almost all integral models with two rational points at infinity have rank $r \geq 1$. Since there are $\asymp X^{\frac{13}{2}}$ such models among the $X^7$ curves $y^2=f(x)$ of height $\leq X$, this yields a lower bound of logarithmic density $13/14$ for the subset of rank $r \geq 1$. We further present a large explicit subfamily where Jacobians have ranks $r \geq 2$, yielding an unconditional logarithmic density of at least $5/7$. Independently, we give a construction of genus-$2$ curves with split Jacobian and rank $2$, producing a subfamily of logarithmic density at least $ 2/21$. Finally, we analyze quadratic and biquadratic twist families in the split-Jacobian setting, obtaining a positive proportion of rank-$2$ twists. These results have implications for Regev's quantum algorithm in hyperelliptic curve cryptography.
    ## 2026/111
    * Title: Structured Matrix Constraint Systems for Architecture-Hiding Succinct Zero-Knowledge Proofs for Neural Networks
    * Authors: Mingshu Cong, Sherman S. M. Chow, Tsz Hon Yuen, Siu-Ming Yiu
    * [Permalink](https://eprint.iacr.org/2026/111)
    * [Download](https://eprint.iacr.org/2026/111.pdf)
    ### Abstract
    Succinct zero-knowledge machine learning (zkML) uses zk succinct non-interactive arguments of knowledge (zkSNARKs) to prove neural-network (NN) computations with logarithmic-size proofs. However, general-purpose zkSNARKs do not scale in zkML because compiling matrix-heavy NNs into arithmetic circuits is memory-prohibitive. Existing zkML methods rely on rank-1 constraint systems (R1CS) to hide NN architectures while retaining succinctness. Removing circuit-based representations, it has remained unclear how to hide NN architectures without sacrificing succinctness.
    Motivated by this gap, we introduce matrix-circuit satisfiability (Mat-Circ-SAT) and a high-dimensional variant of R1CS, termed high-dimensional R1CS (HD-R1CS), for Mat-Circ-SAT. Architecturally, HD-R1CS encodes NN architectures via sparse matrices whose dimensions scale with the number of matrices, rather than with the total number of scalar entries, as in R1CS. Notably, we present zkSMART (zero-knowledge sparse matrix argument via restructuring transform) as a zkSNARK protocol for HD-R1CS.
    Compared to Evalyn (Asiacrypt '25), which hides the NN architecture using the proof-of-proof technique, zkSMART performs better in concrete prover time for deep NNs. More precisely, for NN computations with $M$ matrices of size $n \times n$, we achieve $O(n^2 M)$ prover time, $O(\log(nM))$ proof size and verifier time, and $O(n^2 M)$ RAM usage with a small constant factor. Such asymptotic efficiency enables our protocol to scale to NNs with up to a billion parameters.
    ## 2026/112
    * Title: PETCHA: Post-quantum Efficient Transciphering with ChaCha
    * Authors: Antonio Guimarães, Gabriela M. Jacob, Hilder V. L. Pereira
    * [Permalink](https://eprint.iacr.org/2026/112)
    * [Download](https://eprint.iacr.org/2026/112.pdf)
    ### Abstract
    Fully Homomorphic Encryption (FHE) is a powerful primitive which allows a computationally weak client to outsource computation to a powerful server while maintaining privacy. However, FHE typically suffers from high ciphertext expansion, meaning that the amount of data the client has to send to the server increases by many orders of magnitude after it is encrypted. To solve this problem, the approach known as transciphering consists in combining symmetric encryption with FHE. The most common choice of cipher in this context is the AES, which has been used as a benchmark for transciphering. However, although FHE is typically post-quantum secure, existing transciphering protocols only use AES-128, failing thus to offer security against quantum adversaries.
    In this work, we construct transciphering protocols based on standard ciphers that offer post-quantum security. For this, we propose algorithms to efficiently evaluate the ChaCha cipher with FHE. We notice that ChaCha is a well-established cipher which even has a standardized version in TLS offering 256 bits of security against classic attackers, thus, 128 bits of security in the quantum world.
    We show that our solutions have both better latency and throughput than the state-of-the-art transciphering protocol based on AES. Namely, compared with an extended (128-bit PQ secure) version of Hippogryph (Belaïd et al., IACR CiC 2025), in single-core experiments, our running times are up to 11.7 times faster while our throughput is more than 50 times higher.
    ## 2026/113
    * Title: How to Steal Oblivious Transfer from Minicrypt
    * Authors: Cruz Barnum, David Heath
    * [Permalink](https://eprint.iacr.org/2026/113)
    * [Download](https://eprint.iacr.org/2026/113.pdf)
    ### Abstract
    The celebrated work of Impagliazzo and Rudich (STOC'89) provides an oracle separation between those primitives implied by a random oracle (RO) and those that imply key agreement and public-key cryptography. For the last 36 years, this result seemed to cleanly separate two worlds: Minicrypt, which is often described as what can be achieved from only ROs, and Cryptomania, which is a world where public-key cryptography exists.

    This work presents a natural primitive, called an oblivious interactive hash function (OIHF), and shows the following:
    (1) OIHFs can be constructed from ROs.
    (2) OIHFs can be constructed from oblivious transfer (OT), and hence they are implied by various well-studied public-key-style assumptions.
    (3) The existence of an OIHF implies OT, via a non-blackbox reduction. Point (1) places the primitive into Minicrypt, point (2) implies that OIHFs exist as long as OT exists, and point (3) shows that this primitive circumvents the barrier imposed by Impagliazzo and Rudich by implying public-key primitives -- specifically OT -- anyway.
    ## 2026/114
    * Title: Chasing Rabbits Through Hypercubes: Better algorithms for higher dimensional 2-isogeny computations
    * Authors: Pierrick Dartois, Max Duparc
    * [Permalink](https://eprint.iacr.org/2026/114)
    * [Download](https://eprint.iacr.org/2026/114.pdf)
    ### Abstract
    The devastating attacks against SIDH (Supersingular Isogeny Diffie-Hellman) have popularised the practical use of isogenies of dimension $2$ and above in cryptography. Though this effort was primarily focused on dimension 2, $4$-dimensional isogenies have been used in several isogeny-based cryptographic constructions including SQIsignHD, SQIPrime, (qt-)Pegasis and MIKE. These isogenies are also interesting for number theoretic applications related to higher dimensional isogeny graphs. In 2024, a work by Pierrick Dartois introduced algorithms to compute efficiently chains of $2$-isogenies with Mumford's level $2$ theta coordinates in all dimensions, focusing on cryptographic applications in dimension $4$. In this paper, we improve Dartois' results by providing a simpler and faster method to compute generic isogenies in any dimension, and new computation and evaluation algorithms adapted to gluing isogenies from a product of four elliptic curves, with techniques that generalise a previous work by Max Duparc in dimension $2$. Unlike previous algorithms by Dartois, the algorithms we propose are both easy to implement and naturally constant time. We apply our results to propose the first constant time C implementation of a $4$-dimensional chain of $2$-isogenies, adapted to the qt-Pegasis algorithm and running in less than $25$ ms for a $500$ bit prime. With our new gluing evaluation method, we are able to work fully over $\mathbb{F}_p$ instead of $\mathbb{F}_{p^2}$, allowing further efficiency gains. Indeed, our new formulae accelerate the proof of concept SageMath implementation of qt-Pegasis by up to 19 % for a $500$ bit prime.
    ## 2026/115
    * Title: Functional Decomposition of Multivariate Polynomials: Revisit and New Improvements
    * Authors: Dong-Jie Guo, Qun-Xiong Zheng, Zhong-Xiao Wang, Xiao-Xin Zhao
    * [Permalink](https://eprint.iacr.org/2026/115)
    * [Download](https://eprint.iacr.org/2026/115.pdf)
    ### Abstract
    The Functional Decomposition Problem (FDP) involves expressing a given set of multivariate polynomials as a composition of simpler polynomials. Traditional methods, such as Faugère-Perret's AlgoFDP and its generalized variant MultiComPoly, rely on Gröbner basis computations on ideals generated from derivatives of composed polynomials $h = f \circ g$, where $f$ and $g$ are called the left-factor and right-factor of $h$, respectively. The computational cost of these methods increases significantly with both the number of variables and the degrees of the component polynomials in $f$ and $g$, and their existing complexity estimates are not sufficiently precise. This paper presents two algorithmic improvements to FDP. First, we replace Gröbner basis computation with Gauss-Jordan elimination (GJE) to convert the coefficient matrix into its reduced row-echelon form (RREF), offering a clearer formulation of a key step in MultiComPoly. The resulting algorithm, named RREFComPoly, integrates this change. Additionally, by using exact binomials in place of the original binomial approximations and refining the estimation of a critical parameter, we achieve a tighter complexity bound than that of MultiComPoly. Our second and more impactful contribution, PartComPoly, inverts the conventional FDP workflow. Instead of directly recovering the vector space spanned by the component polynomials of $g$, PartComPoly first uses a localization strategy to recover $f$ and partial information of $g$ with RREFComPoly, and then iteratively reconstructs $g$ by solving a series of linear systems derived from the obtained $f$ and partial information of $g$. This inversion dramatically reduces computational complexity and expands the solvable domain of FDP, making previously intractable instances, such as those which were claimed to be not computationally exploitable in [1, page 175], computationally tractable for the first time. Our experiments have confirmed the correctness and validity of both algorithms RREFComPoly and PartComPoly.
    ## 2026/116
    * Title: Generating Falcon Trapdoors via Gibbs Sampler
    * Authors: Chao Sun, Thomas Espitau, Junjie Song, Jinguang Han, Mehdi Tibouchi
    * [Permalink](https://eprint.iacr.org/2026/116)
    * [Download](https://eprint.iacr.org/2026/116.pdf)
    ### Abstract
    Falcon is a lattice-based signature scheme that has been selected as a standard in NIST post-quantum cryptography standardization project. The trapdoor generation process of Falcon amounts to generating two polynomials, $f$ and $g$, that satisfy certain conditions to achieve a quality parameter $\alpha$ as small as possible, because smaller $\alpha$ usually leads to higher security levels and shorter signatures. The original approach to generate NTRU trapdoors, proposed by Ducas, Lyubashevsky, and Prest (ASIACRYPT 2014), is based on trial-and-repeat, which generates $f$ and $g$ with small Gaussian coefficients and tests whether they satisfy the condition or not. If not, the process is repeated. In practice, $\alpha$ is chosen as 1.17 because it is the smallest value that keeps the number of repetitions relatively small.
    A recent work by Espitau et al. (ASIACRYPT 2023) proposed a new approach to generate NTRU trapdoors: instead of using trial-and-repeat, sample $f$ and $g$ in the Fourier domain that satisfies the targeted quality and map them back to ring elements. In principle, the idea of Fourier sampling applies to Falcon itself as well, but the sampling region in the Fourier domain for Falcon has a distinct, less elegant geometric shape, which makes sampling more challenging.
    In this paper, we adopt Markov Chain Monte Carlo (MCMC) methods for sampling. The core idea is to start from an arbitrary point within the target region and perform random walks until the point approximates a random sample from the desired distribution. Specifically, we use Gibbs sampler with Fourier sampling to generate Falcon trapdoors.
    Our approach allows us to achieve \(\alpha\) values arbitrarily close to 1 efficiently, whereas the original trial-and-repeat method would require impractically many repetitions (far exceeding trillions) to reach even \(\alpha = 1.04\). In particular, Falcon-512 currently falls short of the NIST level one requirement of 128 bits, but our method effectively mitigates this gap.
    Furthermore, our approach eliminates the need for discrete Gaussian sampling, which is challenging to implement and secure. Instead, our method relies solely on uniform sampling over an interval, simplifying the implementation and improving efficiency.
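    The trial-and-repeat step and the quality parameter $\alpha$ described in the abstract, as an added toy model in Python (editorial example, not Falcon's reference code and not the paper's Gibbs sampler): it evaluates the Gram-Schmidt norm criterion $\max(\|(g,-f)\|, \|\tilde b_2\|) \le \alpha\sqrt q$ used by Falcon's key generation at the roots of $x^n+1$ and resamples $(f,g)$ until it holds. It leaves out the NTRU equation and the invertibility check on $f$, uses a rounded continuous Gaussian instead of a discrete Gaussian sampler, and the toy sizes $n = 8$, $q = 12289$ are assumptions made here for speed.

```python
from __future__ import annotations
import cmath
import math
import random


def eval_at_roots(poly: list[int]) -> list[complex]:
    """Evaluate poly (degree < n) at the n complex roots of x^n + 1.

    This is the "Fourier domain" of the abstract: zeta_k = exp(i*pi*(2k+1)/n), and
    Parseval gives sum_k |f(zeta_k)|^2 = n * sum_j f_j^2.
    """
    n = len(poly)
    out = []
    for k in range(n):
        zeta = cmath.exp(1j * math.pi * (2 * k + 1) / n)      # zeta^n = -1
        out.append(sum(c * zeta ** j for j, c in enumerate(poly)))
    return out


def gram_schmidt_quality(f: list[int], g: list[int], q: int) -> float:
    """alpha = max(||b1||, ||~b2||) / sqrt(q) for the NTRU basis of (f, g).

    b1 = (g, -f); ~b2 = (q*conj(f)/(f conj(f) + g conj(g)), q*conj(g)/(...)) is the
    Gram-Schmidt vector of the second basis row, whose norm in the Fourier
    domain is q * sqrt(mean_k 1/(|f(zeta_k)|^2 + |g(zeta_k)|^2)).
    """
    n = len(f)
    b1 = math.sqrt(sum(c * c for c in f) + sum(c * c for c in g))
    a = [abs(fk) ** 2 + abs(gk) ** 2 for fk, gk in zip(eval_at_roots(f), eval_at_roots(g))]
    if any(ak == 0.0 for ak in a):                          # only when f = g = 0
        return math.inf
    b2 = q * math.sqrt(sum(1.0 / ak for ak in a) / n)
    return max(b1, b2) / math.sqrt(q)


def sample_fg(n: int, q: int, rng: random.Random) -> tuple[list[int], list[int]]:
    """Small f, g with sigma = 1.17*sqrt(q/(2n)), so ||(f, g)|| is about 1.17*sqrt(q).

    Toy sampler: a rounded continuous Gaussian, not a secure discrete Gaussian sampler.
    """
    sigma = 1.17 * math.sqrt(q / (2 * n))
    return ([round(rng.gauss(0, sigma)) for _ in range(n)],
            [round(rng.gauss(0, sigma)) for _ in range(n)])


def trial_and_repeat(n: int, q: int, alpha_max: float, seed: int, max_tries: int = 20000):
    """Resample (f, g) until quality <= alpha_max; returns (f, g, alpha, tries) or None."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        f, g = sample_fg(n, q, rng)
        alpha = gram_schmidt_quality(f, g, q)
        if alpha <= alpha_max:
            return f, g, alpha, tries
    return None


def acceptance_rates(n: int, q: int, alphas: list[float], samples: int, seed: int) -> dict:
    """Fraction of fresh samples that pass each alpha bound (same samples for every alpha)."""
    rng = random.Random(seed)
    qualities = [gram_schmidt_quality(*sample_fg(n, q, rng), q) for _ in range(samples)]
    return {a: sum(x <= a for x in qualities) / samples for a in alphas}


if __name__ == "__main__":
    print(trial_and_repeat(8, 12289, 1.17, seed=7))
    print(acceptance_rates(8, 12289, [1.17, 1.10, 1.04, 1.01], 2000, seed=3))
```

    The quality can never drop below 1: $\|b_1\|^2 \|\tilde b_2\|^2 = q^2 \cdot \mathrm{mean}(a_k)\cdot \mathrm{mean}(1/a_k) \ge q^2$ by the AM-HM inequality, so the best possible $\alpha$ is reached only when all $a_k$ are equal. Running the acceptance-rate function shows the rejection cost climbing steeply as the bound moves from 1.17 toward 1, which is the cost the abstract's Fourier-domain sampling avoids.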
    ## 2026/117
    * Title: Faultless Key Recovery: Iteration-Skip and Loop-Abort Fault Attacks on LESS
    * Authors: Xiao Huang, Zhuo Huang, Yituo He, Quan Yuan, Chao Sun, Mehdi Tibouchi, Yu Yu
    * [Permalink](https://eprint.iacr.org/2026/117)
    * [Download](https://eprint.iacr.org/2026/117.pdf)
    ### Abstract
    To enhance the diversity of basic hard problems underlying post-quantum cryptography (PQC) schemes, NIST launched an additional call for PQC signatures in 2023. Among numerous candidate schemes, several code-based ones, which have successfully advanced to the second round, are constructed by applying the Fiat-Shamir transform to the parallel repetition of a (relatively low soundness) commit-and-prove sigma protocol similar to the Stern identification scheme.

    In Fiat-Shamir-based signatures, it is well known that key material will be leaked if an attacker can somehow obtain what amounts, in the sigma protocol, to the responses to different challenges with respect to the same commitment. This idea is, for example, at the basis of a famous differential fault attack against deterministic Fiat-Shamir-based signatures like EdDSA. It is usually difficult, however, to mount a fault injection attack based on that principle against a properly randomized Fiat-Shamir-based scheme (at least with single faults): since commitment collisions are ruled out, it typically involves obtaining the responses to multiple challenges with respect to the same commitment within a single execution of the signature, which is often impossible by construction (e.g., because the extra information will not fit in a single signature, or because it is hard to force the computation of both responses).

    Due to the comparative inefficiency of signatures based on Stern-like protocols with parallel repetition, candidate constructions are led to use clever compression techniques to reduce signature size, in a way that increases the attack surface for physical attacks. In this paper, we demonstrate this against the LESS signature scheme, which uses so-called GGM trees for signature compression. We propose a simple fault attack on the construction of a binary array used to build the GGM tree, and show that a small number of faulty signatures suffice for full key recovery.

    We provide a thorough mathematical model of the attack as well as extensive experimental validation with glitch attacks on a ChipWhisperer board, showing that, depending on the target parameter set and the precise fault model we consider, full key recovery can very often be achieved with just one or two faulty signatures, and never more than a couple hundred even in the least favorable scenario for the attacker.
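    The principle stated in the abstract's second paragraph, as an added example that is not code from the paper or the digest: a toy Schnorr-style sigma protocol over a constructed prime-order group, where two accepting responses to different challenges on the same commitment determine the secret key, together with an audit check that flags repeated commitments in a batch of signatures. The group parameters (p = 1019, q = 509, G = 4), the hash-to-challenge rule and all sample values are assumptions made for this example.

```python
import hashlib

# Constructed toy parameters (not from the paper): p = 1019 = 2*509 + 1,
# and G = 4 generates the subgroup of prime order q = 509 in Z_p^*.
P, Q, G = 1019, 509, 4

def keygen(x):
    """Secret key x in Z_q, public key y = G^x mod p."""
    return x % Q, pow(G, x % Q, P)

def commit(r):
    """Prover's first message: t = G^r for randomness r (must be fresh)."""
    return pow(G, r % Q, P)

def respond(r, e, x):
    """Prover's answer to challenge e: s = r + e*x mod q."""
    return (r + e * x) % Q

def check(y, t, e, s):
    """Verifier's equation for one transcript: G^s == t * y^e mod p."""
    return pow(G, s, P) == (t * pow(y, e, P)) % P

def fs_challenge(t, msg):
    """Fiat-Shamir: the challenge is a hash of the commitment and the message."""
    h = hashlib.sha256(t.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q

def sign(x, r, msg):
    t = commit(r)
    return t, respond(r, fs_challenge(t, msg), x)

def verify(y, msg, sig):
    t, s = sig
    return check(y, t, fs_challenge(t, msg), s)

def recover_secret(y, t, e1, s1, e2, s2):
    """Two accepting transcripts on the same commitment t with e1 != e2 give
    s1 - s2 = (e1 - e2) * x mod q, so x follows from one modular inversion.
    Returns None when the transcripts do not carry that information."""
    if (e1 - e2) % Q == 0 or not (check(y, t, e1, s1) and check(y, t, e2, s2)):
        return None
    return (s1 - s2) * pow((e1 - e2) % Q, -1, Q) % Q

def repeated_commitments(sigs):
    """Audit check over a batch of (t, s) signatures: commitments that occur
    more than once mean the randomness repeated and recover_secret applies."""
    seen, dup = set(), set()
    for t, _ in sigs:
        (dup if t in seen else seen).add(t)
    return dup
```

    With the parallel-repetition schemes the abstract discusses, the same algebra applies per repetition; the compression machinery is what makes obtaining a second response to one commitment feasible in practice.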
    ## 2026/118
    * Title: Practical Subvector Commitments with Optimal Opening Complexity
    * Authors: Matteo Campanelli
    * [Permalink](https://eprint.iacr.org/2026/118)
    * [Download](https://eprint.iacr.org/2026/118.pdf)
    ### Abstract
    We introduce a simple pairing-based vector commitment with subvector opening where, after a one-time preprocessing, the prover can open a subvector of size $\ell$ in linear time. Our focus is on practically relevant solutions compatible with already deployed setups: specifically, the powers-of-$\tau$ setup used by KZG and many popular SNARKs.
    When compared to aSVC (Tomescu et al., SCN 2020), the state of the art in deployable subvector commitments, with $O(\ell \log^2 \ell)$ prover and verifier time, our scheme achieves substantial concrete improvements: our opening is over $\approx 60\times$ faster on subvectors of any size; on large subvectors our opening and verification achieve respectively $\approx 4000\times$ and $170\times$ speedups (and four times as much with parallelism).
    Our main result is a construction where:
    - A commitment is a single $\mathbb{G}_2$ element; a proof is a single $\mathbb{G}_1$ element;
    - Opening requires $\ell$ point additions in $\mathbb{G}_1$;
    - Verification is dominated by $2\ell$ $\mathbb{G}_1$ operations.
    We also describe two variants of our main design that are directly compatible with deployed schemes and where the commitment is a $\mathbb{G}_1$ element; these two schemes show similar speedups over prior work. We additionally support cross-commitment and distributed aggregation, and provide an open-source implementation.
    --- Synchronet 3.21b-Linux NewsLink 1.2