From Newsgroup: sci.crypt

## In this issue
1. [2024/565] On the construction of quantum circuits for S-boxes ...
2. [2025/1227] Improved Key-recovery Attacks on ARADI
3. [2025/1793] A note on the soundness of an optimized ...
4. [2026/119] Re2creds: Reusable Anonymous Credentials from ...
5. [2026/120] Equivalent computational problems for superspecial ...
6. [2026/121] Integrating Boomerang into TAGADA
7. [2026/122] The Motte-and-Bailey Framework for Leakage- ...
8. [2026/123] Masking Out of Order: Side-Channel Leaks from ...
9. [2026/124] Generalization of the Class Elimination Attack to ...
10. [2026/125] StarFortress: Hybrid KEMs with Diffie-Hellman Inlining
11. [2026/126] Censorship Resistance vs Throughput in Multi- ...
12. [2026/127] Toward Verifiable Privacy in Decentralized ...
13. [2026/128] The Impossibility of Post-Quantum Public ...
14. [2026/129] The ideal arithmetic correlations of $N$-ary ...
15. [2026/130] Online-Friendly Robust Threshold ECDSA with ...
16. [2026/131] Root-Cause Analysis of Power Side-Channel Leaks in ...
17. [2026/132] Subspace Guessing and Rank-Metric Solvers with Hints
18. [2026/133] Homomorphic Signatures : A Systematization of Knowledge
19. [2026/134] Completing the Chain: Verified Implementations of ...
20. [2026/135] Randomness-Recovery Trapdoors: a new methodology ...
21. [2026/136] Private Proofs of When and Where
22. [2026/137] Hensel-lifting black-box algorithms and fast trace ...
23. [2026/138] From Arithmetic to Shamir: Secure and Efficient ...
24. [2026/139] Cryptanalytic Extraction of Convolutional Neural ...
25. [2026/140] On the Necessity of Public Contexts in Hybrid KEMs: ...
26. [2026/141] Minimizing Mempool Dependency in PoW Mining on ...
27. [2026/142] rCROne More TimerCY: Security of One-time Signature ...
28. [2026/143] A Unified Treatment of Reachability and ...
29. [2026/144] Designated-Verifier Dynamic zk-SNARKs with ...
30. [2026/145] Round-Optimal GUC-Secure Blind Signatures from ...
31. [2026/146] Feistel Tools: Reprogramming and Query-Recording ...
32. [2026/147] OptiBridge: A Trustless, Cost-Efficient Bridge ...
33. [2026/148] ABBA: Lattice-based Commitments from Commutators
34. [2026/149] Private IP Address Inference in NAT Networks via ...
35. [2026/150] Claiming bounties on small scale Poseidon and ...
36. [2026/151] Non-Complete Set Coverings for Higher Order ...
37. [2026/152] On the Quantum Collision Resistance of HCF Hash ...
38. [2026/153] BOLT: Bootstrapping-Aware Logic Resynthesis and ...
39. [2026/154] Oil, Vinegar, and Sparks: Key Recovery from UOV via ...
40. [2026/155] Module Learning With Errors and Structured ...
41. [2026/156] Hachi: Efficient Lattice-Based Multilinear ...
42. [2026/157] In Mid-Stream: Removing the FO-Transform Helps ...
43. [2026/158] Setup Protocols for Sender Anonymity
44. [2026/159] Dinocchio: Distributed Prover for Ring Arithmetic
45. [2026/160] Leveraging ASIC AI Chips for Homomorphic Encryption
## 2024/565
* Title: On the construction of quantum circuits for S-boxes with different criteria based on the SAT solver
* Authors: Da Lin, Chunli Yang, Shengyuan Xu, Shizhu Tian, Bing Sun
* [Permalink](https://eprint.iacr.org/2024/565)
* [Download](https://eprint.iacr.org/2024/565.pdf)
### Abstract
The substitution box (S-box) is often used as the only nonlinear component in symmetric-key ciphers, leading to a significant impact on the implementation performance of ciphers in both classical and quantum application scenarios by S-box circuits. Taking the Pauli-X gate, the CNOT gate, and the Toffoli gate (i.e., the NCT gate set) as the underlying logic gates, this work investigates the quantum circuit implementation of S-boxes based on the SAT solver. Firstly, we propose encoding methods of the logic gates and the NCT-based circuit, based on which we construct STP models for implementing S-boxes. By applying the proposed models to the S-boxes of several well-known cryptographic algorithms, we construct optimal implementations with different criteria for the 4-bit S-boxes and provide the implementation bounds of different criteria for the 5-bit S-boxes. Since S-boxes in the same affine equivalence class share most of the important properties, we then build STP models to further investigate optimizing S-box circuits based on affine equivalence. According to the applications, for almost all the tested 4-bit S-boxes, there always exists an equivalent S-box that can be implemented with half the number of logic gates. Besides, we encode some important cryptographic properties and construct STP models to design S-boxes with given criteria configurations on implementation and properties. As an application, we find an S-box with the same cryptographic properties as the S-box of KECCAK that can be implemented with only 5 NCT gates, even though the application of our models indicates that implementing the KECCAK S-box requires more than 9 NCT gates. Notably, the inputs of the proposed models are tweakable, which makes the models possess some functions not currently available in the public tools for constructing optimized NCT-based circuits for S-boxes.
## 2025/1227
* Title: Improved Key-recovery Attacks on ARADI
* Authors: Orr Dunkelman, Shibam Ghosh
* [Permalink](https://eprint.iacr.org/2025/1227)
* [Download](https://eprint.iacr.org/2025/1227.pdf)
### Abstract
ARADI is a low-latency block cipher introduced by the U.S. National Security Agency (NSA), targeting secure and efficient memory encryption. However, unlike most academic cipher proposals, the design rationale behind ARADI has not been made
public, leaving its security to be only assessed through independent analysis. In this
work, we present improved key-recovery attacks on up to 12 out of 16 rounds of ARADI
in the single-key setting rCo advancing the best known attacks by two rounds. Our
techniques build upon the ZeroSum distinguisher framework and leverage the Fast Hadamard Transform (FHT). A central insight in our attacks is that the linear layer
of ARADI exhibits weak diffusion. This structural property allows partial decryption
with only a subset of the round keys, significantly reducing the key-guessing space.
## 2025/1793
* Title: A note on the soundness of an optimized $\mathsf{gemini}$ variant
* Authors: Ariel Gabizon, Nishat Koti
* [Permalink](https://eprint.iacr.org/2025/1793)
* [Download](https://eprint.iacr.org/2025/1793.pdf)
### Abstract
We give a formal analysis of the optimized variant of the $\mathsf{gemini}$ polynomial commitment scheme [BCHO22] used by the $\href{https://github.com/AztecProtocol/aztec-packages}{\text{Aztec Network}}$. Our work is motivated by an attack on a previous implementation [GL25].
## 2026/119
* Title: Re2creds: Reusable Anonymous Credentials from Malleable NIZK and Legacy Signatures
* Authors: Bin Xie, Tianyu Zheng, Rui Song, Shang Gao, Bin Xiao
* [Permalink](https://eprint.iacr.org/2026/119)
* [Download](https://eprint.iacr.org/2026/119.pdf)
### Abstract
Decentralized identity is revolutionizing secure digital interactions by giving users control over their personal data. Anonymous credentials (ACs) are fundamental to this paradigm, yet their practical application is hindered by significant usability and efficiency challenges. Existing AC systems often struggle with limitations in predicate expressiveness, privacy protection, and incompatibility with widely adopted legacy signatures based on recommended curves. To overcome these obstacles, this paper introduces a novel AC system named Re2creds. Re2creds establishes a new paradigm of reusable credential presentation, which drastically cuts computational costs by allowing the core of a presentation to be reused across multiple sessions with only lightweight updates. Furthermore, Re2creds incorporates a proof combination mechanism that efficiently supports legacy signatures by moving the most computationally intensive cryptographic operations outside the arithmetic circuit. This approach makes it practical to use credentials based on NIST-recommended curves, removing a critical barrier to real-world adoption. We demonstrate Re2credsrCO security properties through a refined UC ideal functionality, accompanied by rigorous proofs. Experimental evaluations demonstrate significant performance improvements over existing schemes: credential generation time decreases by more than 50% when derivingfrom an existing presentation. Additionally, Re2creds makes the presentation of legacy signatures feasible compared to other ACs, which takes less than 1s for a BLS signature based on BN254.
## 2026/120
* Title: Equivalent computational problems for superspecial abelian surfaces
* Authors: Micka|2l Montessinos
* [Permalink](https://eprint.iacr.org/2026/120)
* [Download](https://eprint.iacr.org/2026/120.pdf)
### Abstract
We show reductions and equivalences between various problems related to the computation of the endomorphism ring of principally polarised superspecial abelian surfaces. Problems considered are the computation of the Ibukiyama-Katsura-Oort matrix and computation of unpolarised isomoprhisms between superspecial abelian surfaces.
## 2026/121
* Title: Integrating Boomerang into TAGADA
* Authors: Rocco Brunelli, Marine Minier, Lo|>c Rouquette
* [Permalink](https://eprint.iacr.org/2026/121)
* [Download](https://eprint.iacr.org/2026/121.pdf)
### Abstract
Since 2009, the cryptographic community has its eyes fixed on automatic tools based on solvers to help the cryptanalysts trying to attack symmetric cryptographic schemes. Among those automatic tools, TAGADA is dedicated to search for a particular kind of cryptanalysis called differential cryptanalysis.
It is of major importance for the cryptographic community to have automatic tools dedicated to the analysis of security of symmetric key primitives to be convince about what symmetric key schemes should be used and what symmetric key schemes should not be used.
In this paper, we will see how to extend TAGADA from differential cryptanalysis to boomerang cryptanalysis which is an important kind of attacks in symmetric key cryptography. We will also compare our tool with the two existing ones dedicated to boomerang distinguishers proposed by Hadipour et al. and Derbez et al.
## 2026/122
* Title: The Motte-and-Bailey Framework for Leakage-Resilient Accordion Modes: Featuring Qaitbay and Alicante
* Authors: Mario Marhuenda Beltr|in, Mustafa Khairallah
* [Permalink](https://eprint.iacr.org/2026/122)
* [Download](https://eprint.iacr.org/2026/122.pdf)
### Abstract
Accordion modes have experienced a surge in popularity, partially motivated by the recent NIST Accordion modes project. None of the popular candidates is leakage-resilient by default. In this work, we study the design of a leakage-resilient Accordion mode. Firstly, we present a generic analysis of the Encode-then-Encipher paradigm in the leakage-resilient setting, assuming the enciphering is a leakage resilient STPRP. However, we show that the resulting security, while strong, suffers from some limitations. Next, we introduce Motte-and-Bailey, a general framework building leakage resilient accordion modes, in the spirit of the PIV construction. Motte-and-Bailey, or MaB, for short, is a leveled construction, requiring light assumptions on most of its components to guarantee good STPRPl2, CIML2 and CCAMl2 security. In particular, we require two fully protected calls to a TBC, a collision-resistant hash function (with unbounded or light leakage), and an ideal leakage-resilient PRG, secure against single-trace attacks. Additionally, we present particular instantiations, Qaitbay and Alicante. In Qaitbay the PRG and the hash function are replaced by Sponge functions, while an independent TBC is used for the leak-free calls. Alicante makes use of ideal ciphers, and uses the MDPH hash function and the 2PRG construction, while the leak-free calls are implemented using independent calls to the ideal cipher. Also, we propose to instantiate the TBC in Qaitbay with the permutation based XPX. Moreover, Qaitbay and Alicante come in two flavors, the first one is a normal instantiation of MaB, while the second one, at the cost of one additional protected call to a TBC, provides CCAmL2, a quite elusive security property. We note that our construction provide some of the strongest combinations of security notions that are believed to be possible: Qaitbay-1 and Alicante-1 provide STPRPl2 +CIML2 +CCAMl2, while Qaitbay-2 and Alicante-2 provide the same combination in addition to CCAmL2.
## 2026/123
* Title: Masking Out of Order: Side-Channel Leaks from Software-Masked Cryptography on Out-of-Order Processors
* Authors: Eden Desmet, Suparna Kundu, Ingrid Verbauwhede
* [Permalink](https://eprint.iacr.org/2026/123)
* [Download](https://eprint.iacr.org/2026/123.pdf)
### Abstract
Masking, the primary countermeasure against differential power attacks, guarantees formal security under abstract execution models that are violated in modern micro-architectures. Meanwhile, processors with out-of-order micro-architectures are increasingly used for high-assurance tasks, yet their physical side-channel leakage remains poorly characterized, hindering side-channel security on such platforms.
In this work, we present the first empirical study of physical power side-channel leakage on out-of-order cores. Through practical lab experiments, we identify and validate multiple micro-architectural leakage sources that undermine software masking: register renaming reintroduces register overwrites beyond software control; forwarding leaks through the common data bus, with less impact on security order than in-order forwarding; and concurrent instructions leaks through coupling, with affected instructions determined at runtime. We demonstrate that runtime scheduling and dynamic resource allocation undermine software-only mitigations. To address this, we propose countermeasures that shift part of the responsibility to hardware and require security by design. We further demonstrate that these effects are exploitable in practice by breaking the security of a theoretically secure software-masked lattice-based post-quantum implementation on an out-of-order core. Finally, we find that clock frequency significantly affects leakage of software-masked implementations. This makes security unstable across frequencies and suggests that cryptographic software should be constrained to verified frequencies.
## 2026/124
* Title: Generalization of the Class Elimination Attack to Block Ciphers
* Authors: Osmani Tito-Corrioso
* [Permalink](https://eprint.iacr.org/2026/124)
* [Download](https://eprint.iacr.org/2026/124.pdf)
### Abstract
This work extends the methodology of the Class Elimination Attack (CEA) and the Reference Identities (RI/GRI) used in cryptanalysis for its application to block ciphers like AES and complex SPN variants. Probabilistic results concerning the partitioned key space are generalized to algebraic structures defined over finite fields $ \mathbb{F}_{2^n} $, linking them to the cipher's diffusion and confusion properties. Theorems establishing upper bounds for the expected number of classes to explore as a function of the diffusion capacity are proposed, and a parameterized complexity analysis is provided. The results offer a theoretical framework for evaluating the resistance of symmetric ciphers against attacks based on genetic algorithms and partition optimization.
## 2026/125
* Title: StarFortress: Hybrid KEMs with Diffie-Hellman Inlining
* Authors: Deirdre Connolly, Paul Grubbs
* [Permalink](https://eprint.iacr.org/2026/125)
* [Download](https://eprint.iacr.org/2026/125.pdf)
### Abstract
This short paper formally specifies and analyzes the UG hybrid KEM construction from the IRTF CFRGrCOs recent draft on hybrid (post-quantum/traditional) KEMs. The UG construction is an optimized hybrid of a Diffie-Hellman (DH)-based KEM in a nominal group and a generic IND-CCA KEM. The main optimization is that the group elements derived in the DH-based KEM are rCLinlinedrCY in the key derivation, saving unnecessary hashing. We perform two security analyses of the UG construction: one shows UG is IND-CCA even if the generic IND-CCA KEM is broken; the other complementary analysis shows UG is IND-CCA even if the DH assumptions in the nominal group are broken (by, e.g., a cryptographically-relevant quantum computer).
## 2026/126
* Title: Censorship Resistance vs Throughput in Multi-Proposer BFT Protocols
* Authors: Fatima Elsheimy, Ioannis Kaklamanis, Sarisht Wadhwa, Charalampos Papamanthou, Fan Zhang
* [Permalink](https://eprint.iacr.org/2026/126)
* [Download](https://eprint.iacr.org/2026/126.pdf)
### Abstract
Censorship resistance and high throughput are two key benefits of modern multi-proposer BFT protocols (such as Aptos and Sui). However, in existing designs these two properties are at odds: censorship resistance is typically achieved through duplicating transactions, which in turn harms throughput. This leaves open the question of whether it is possible to improve both properties simultaneously.
In this paper, we formally study the trade-offs between censorship resistance and throughput in multi-proposer BFT protocols, where up to $f$ parties may be Byzantine.
We present a model for the transaction assignment process, which allows us to classify assignment protocols into meaningful categories.
Using this model, we establish fundamental tradeoffs between censorship resistance and throughput. We show that under well-defined conditions, any deterministic transaction assignment protocol that achieves optimal throughput must suffer from $f$ rounds of censorship delay; any deterministic assignment protocol that guarantees every transaction is committed within a constant number of rounds must suffer a factor of $f$ loss in throughput relative to the optimal baseline.
On the positive side, we propose and analyze new transaction-assignment protocols that enable flexible choices among throughputrCocensorship tradeoffs spanning the full spectrum dictated by our lower bounds. In particular, we give a protocol that achieves $\log f$ censorship delay while paying only a factor-2 throughput loss relative to the state-of-the-art MirBFT (EuroSysrCO23), which incurs $f$ rounds of censorship delay. We further propose randomized assignment protocols that provably break both the deterministic lower bound for the censorship delay and throughput in expectation.
All assignment protocols can be integrated with existing multi-proposer protocols as add-ons without modifying the consensus.
## 2026/127
* Title: Toward Verifiable Privacy in Decentralized Identity: A Formal Framework for Minimal Disclosure and Unlinkability
* Authors: Yu Zhang, Zongbin Wang
* [Permalink](https://eprint.iacr.org/2026/127)
* [Download](https://eprint.iacr.org/2026/127.pdf)
### Abstract
This paper presents a formal framework for decentralized identity (DID), which achieves both minimal disclosure and session unlinkability under public verifiability. We instantiate this framework as PrivDID. In PrivDID, a user can prove a predicate about a committed attribute via a single ring signature, thereby hiding in an anonymity set dynamically selected from the public ledger. PrivDID builds on Pedersen commitments and binary-range encodings, and is proven secure in the random oracle model. It is fully W3C-compliant and requires no trusted setup. Implementation shows practical efficiency in storage, communication, and computation, confirming real-world feasibility.
## 2026/128
* Title: The Impossibility of Post-Quantum Public Indifferentiability for Merkle-Damgard
* Authors: Akinori Hosoyamada
* [Permalink](https://eprint.iacr.org/2026/128)
* [Download](https://eprint.iacr.org/2026/128.pdf)
### Abstract
This paper shows that the Merkle-Damgard construction is not public indifferentiable from a Variable-Input-Length (VIL) random oracle in the post-quantum setting.
Classically, Merkle-Damgard is not indifferentiable from a VIL random oracle due to the length extension attack.
Yet, it satisfies public indifferentiability, a weakened but practically powerful notion introduced by Dodis, Ristenpart, and Shrimpton.
This classical result guarantees that Merkle-Damgard can safely replace VIL random oracles in many cryptosystems such as Fiat-Shamir and Full Domain Hash (FDH) signatures, as long as inputs to random oracles are public, while preserving the validity of security proofs.
In this work, we show that this ``free replacement'' of a VIL random oracle by Merkle-Damgard does not hold in the postrCaquantum setting.
We first formalize postrCaquantum public indifferentiability in a way that the composition theorem lifts to the QROM-based proofs for classical cryptosystems, and also define a post-quantum version of sequential indifferentiability, which is even weaker than public indifferentiability.
We then show that Merkle-Damgard is neither postrCaquantum public indifferentiable nor post-quantum sequentially indifferentiable from a VIL random oracle.
Specifically, we construct an explicit quantum distinguisher and prove that its advantage is non-negligible against any efficient simulators for either notion, utilizing Zhandry's compressedrCaoracle technique.
To the best of our knowledge, this is the first conjecture-free example showing that a construction can satisfy a classical indifferentiability-style security notion yet fail to satisfy the corresponding post-quantum notion.
## 2026/129
* Title: The ideal arithmetic correlations of $N$-ary sequences and related results
* Authors: Feifei Yan, Pinhui Ke, Chenhuang Wu
* [Permalink](https://eprint.iacr.org/2026/129)
* [Download](https://eprint.iacr.org/2026/129.pdf)
### Abstract
Arithmetic correlations represent the extension of classical correlations into the with-carry setting and serve as a critical performance criterion for pseudorandom sequences constructed via feedback with carry shift registers. The arithemetic correlation values should be as small as possible for application perspective. This paper establishes a sufficient condition for $N$-ary sequences to have ideal arithmetic correlation. Based on this characterization, it is demonstrated that $N$-ary $\ell$-sequences with a prime connection integer $p$ satisfying $p\equiv1(\textup{mod}\:N)$ exhibit ideal arithmetic correlation. Furthermore, under the condition $N^{p-1}\not\equiv1(\textup{mod}\:p^{2})$, this result is extended to the case where the connection integer is a prime power. Additionally, an upper bound is established for the arithmetic crosscorrelation of binary sequences derived from Fermat quotients with coprime periods.
## 2026/130
* Title: Online-Friendly Robust Threshold ECDSA with Constant Amortized Communication
* Authors: Guofeng Tang, Tian Qiu, Bowen Jiang, Haiyang Xue, Meng Hao, Guomin Yang, Robert H. Deng
* [Permalink](https://eprint.iacr.org/2026/130)
* [Download](https://eprint.iacr.org/2026/130.pdf)
### Abstract
Threshold ECDSA has been an active research topic in recent years, driven by its wide-ranging applications, particularly in blockchain domains. Existing constructions of threshold ECDSA generally fall into two categories: those based on threshold linearly homomorphic encryption (TLHE) and those leveraging the Multiplicative-to-Additive (MtA) paradigm. The TLHE-based approach (e.g., WMC24 in NDSS'24) achieves constant communication per party but incurs an expensive online phase and requires a broadcast channel. In contrast, the MtA-based approach (e.g., DKLs24 in S\&P'24) offers an optimal online phase and avoids the use of a broadcast channel. However, it has the drawback of requiring linear (i.e., $O(n)$) communication per party when $n$ parties are involved.
In this work, we propose an MtA-based threshold ECDSA scheme with constant amortized communication. At the core of our approach is the use of packed secret sharing, which enables the same MtA operations to generate $\ell = \epsilon n$ signatures. With a constant $\epsilon$, the communication complexity per signature is amortized to a constant in dishonest-majority settings. Furthermore, we extend this packing technique to design a robust threshold ECDSA with constant communication under honest-majority settings, which ensures the delivery of valid signatures as long as a sufficient number of parties are honest. In contrast, the state-of-the-art robust MtA-based construction (TX25 in S\&PrCO25) requires linear communication per party. We implement our packed constructions using both CL-based and OT-based MtA protocols. Benchmark results show that our amortized efficiency surpasses that of DKLs24. Moreover, our robust scheme outperforms TX25 and has significantly better online efficiency with comparable overall complexity to WMC24.
## 2026/131
* Title: Root-Cause Analysis of Power Side-Channel Leaks in RISC-V Cryptographic Implementations
* Authors: Asmita Adhikary, Abraham Basurto-Becerra, Lejla Batina, Ileana Buhan, Durba Chatterjee
* [Permalink](https://eprint.iacr.org/2026/131)
* [Download](https://eprint.iacr.org/2026/131.pdf)
### Abstract
Masking is the standard defense against power-based side-channel analysis (SCA) for cryptographic software, in which sensitive variables are split into independent shares. Although prior work often attributes leakage to microarchitectural effects, architectural interactions alone can already introduce subtle leaks that remain poorly understood. In this work, we propose ISALeak, a target-agnostic framework for analyzing full masked implementations to precisely identify and attribute the root causes of side-channel leakage at the instruction-set (ISA) level. ISALeak complements statistical tests such as TVLA by not only detecting leakage, but also localizing and explaining its source. We evaluate our approach on masked AES and masked Ascon across multiple compiler versions and optimizations. Using power measurements from ASIC (PicoRV32) and FPGA (Ibex) RISC-V cores, we show that 20-40% of the leaks detected by TVLA for masked AES originate from architectural register interactions. For masked Ascon, 17-23% of the observed leakage likewise stems from ISA-level effects and consistently manifests in physical power traces.
## 2026/132
* Title: Subspace Guessing and Rank-Metric Solvers with Hints
* Authors: Anmoal Porwal, Harrison Banda, Jan Brinkmann, Anna Baumeister, Juliane Kr|nmer, Antonia Wachter-Zeh
* [Permalink](https://eprint.iacr.org/2026/132)
* [Download](https://eprint.iacr.org/2026/132.pdf)
### Abstract
We show how to improve rank-metric solvers when certain side information (hints) about the secret is available. Concretely, we adapt the kernel search algorithm for MinRank and the GRS algorithm for the Rank Syndrome Decoding problem when some entries in the rank decomposition of the error matrix are known. This setting is motivated by side-channel leakage and cryptographic applications: Mirath and RYDE, two signature candidates in the NIST post-quantum competition, rely on these problems and employ secret keys in this decomposed form. As a main technical ingredient, we give an optimal procedure for guessing a subspace containing the row space of a systematic matrix given only partial knowledge of its entries. Further, we describe a profiling side-channel attack on the reference implementation of Mirath to demonstrate the plausibility of obtaining such hints.
## 2026/133
* Title: Homomorphic Signatures : A Systematization of Knowledge
* Authors: Olive Chakraborty
* [Permalink](https://eprint.iacr.org/2026/133)
* [Download](https://eprint.iacr.org/2026/133.pdf)
### Abstract
Homomorphic Signatures (HS) enable the authentication of data that has been processed by an untrusted party, allowing a verifier to check the correctness of a computation without access to the original signed inputs. Since their introduction, HS have evolved from algebraically restricted linear schemes to expressive non-linear and Fully Homomorphic Signature (FHS) constructions, spanning diverse cryptographic assumptions and security models.
This paper presents a Systematization of Knowledge (SoK) on homomorphic signatures. We organize existing schemes along key dimensions including functional expressiveness, underlying cryptographic primitives, security notions (selective vs. adaptive, single-key vs. multi-key), and privacy guarantees such as context hiding. This unified perspective highlights a fundamental shift from algebraic constructions toward proof-based and post-quantum designs, as well as the growing importance of Multi-Key Homomorphic Signatures (MKHS) for decentralized settings. We conclude by identifying open problems and emerging directions that must be addressed to bridge the gap between theoretical HS constructions and practical verifiable computation.
## 2026/134
* Title: Completing the Chain: Verified Implementations of Hash-Based Signatures and Their Security
* Authors: Manuel Barbosa, Fran|oois Dupressoir, Rui Fernandes, Andreas H|+lsing, Matthias Meijers, Pierre-Yves Strub
* [Permalink](https://eprint.iacr.org/2026/134)
* [Download](https://eprint.iacr.org/2026/134.pdf)
### Abstract
We present the first formally verified implementation of a hash-based signature scheme that is linked to a machine-checked proof of security. Specifically, we provide reference implementations of XMSS and XMSS$^{\textrm{MT}}$ written in Jasmin, targeting the AMD64 architecture. Beyond the implementations, we provide formal EasyCrypt specifications of XMSS and XMSS$^{\textrm{MT}}$, transcribed from RFC~8391, and prove that our implementations adhere to these specifications. Furthermore, for XMSS, we give a machine-checked proof that our specification of RFC~8391 refines the abstract specification proven secure in EasyCrypt by Barbosa, Dupressoir, Gr|-goire, H|+lsing, Meijers and Strub [CRYPTO'23]. In particular, we prove the security of our specification via a reduction, demonstrating that breaking our specification contradicts the [CRYPTO'23] result for our instantiation. Consequently, our implementation is not only functionally correct, but also adheres to a specification that is proven secure. The core technical challenge in our work resides in bridging low-level implementations of TreeHash algorithms with high-level functional specifications used in the pre-existing formalization.
## 2026/135
* Title: Randomness-Recovery Trapdoors: a new methodology for enhancing anamorphic encryption
* Authors: Xuan Thanh Do, Giuseppe Persiano, Duong Hieu Phan, Moti Yung
* [Permalink](https://eprint.iacr.org/2026/135)
* [Download](https://eprint.iacr.org/2026/135.pdf)
### Abstract
The primary goal of Anamorphic encryption ($\mathsf{AE}$), introduced at Eurocrypt 2022, is to enable private communication even in highly adversarial settings, such as when an adversarial $\textit {dictator}$ "legally" confiscates a user's secret keys (compromising the receiver's privacy) and/or coerces users into sending specific messages (compromising the sender's privacy). To achieve this, $\mathsf{AE}$ embeds hidden additional messages within seemingly innocuous ciphertexts where the sender and receiver comply with the dictator's demands and, in doing so, $\mathsf{AE}$ uncovers novel structural properties of encryption mechanisms. One methodology that extends the capability of a ciphertext is to embed the hidden anamorphic message in the randomness used in encryption. However, not all schemes reveal this randomness as part of the decryption process! Here, we unveil a conceptually simple yet general new methodology that achieves $\mathsf{AE}$. It is based on the concept of $\textit {Trapdoor-Aided Randomness Recovery}$ by which one can generate special key pairs $(\mathsf{pk},\mathsf{sk})$ that are still indistinguishable from honestly generated key pairs but possess an associated trapdoor $\mathsf{td}$ that first allows for randomness extraction from a ciphertext (and nothing more). Secondly, importantly and differently from prior proposals, the new trapdoor should be different from and computationally independent of "the decryption trapdoor key." Primarily, this new methodology allows for a generic construction of $\textit{public-key}~\mathsf{AE}$ which is a notion introduced at Crypto 24, where, to date, the only known public-key anamorphism relied on a specific CCA encryption scheme. Note that public-key $\mathsf{AE}$ eliminates the need for a preliminary private interaction between the receiver and the sender, thus greatly extending the applicability of anamorphism. In addition to obtaining public-key anamorphism, the new methodology, in turn, generically allows for extended anamorphic properties: Specifically and significantly, the methodology allows protections against a dictator that may ask for the randomness employed by the sender.
We then show concrete instantiations of the above methodology based on known lattice-based schemes. Specifically, due to the new methodology, we give efficient anamorphic versions of the Dual Regev scheme and the Lindner-Peikert scheme. Technically, we first define a new problem, called $\textit{randomness finding}~(\mathsf{RFinding})$, which requires that even if the adversary obtains the receiver's secret key, then, while it can decrypt, it cannot fully recover the randomness from the ciphertext. Secondly, we reduce the standard LWE assumptions to the hardness of $\mathsf{RFinding}$ for both schemes. Notably, in both schemes we achieve public-key anamorphism utilizing the "trapdoor techniques for lattices" introduced by Micciancio and Peikert at Eurocrypt 2012.
## 2026/136
* Title: Private Proofs of When and Where
* Authors: Uma Girish, Grzegorz Gluch, Shafi Goldwasser, Tal Malkin, Leo Orshansky, Henry Yuen
* [Permalink](https://eprint.iacr.org/2026/136)
* [Download](https://eprint.iacr.org/2026/136.pdf)
### Abstract
Position verification schemes are interactive protocols where entities prove their physical location to others; this enables interactive proofs for statements of the form "I am at a location L." Although secure position verification cannot be achieved with classical protocols (even with computational assumptions), they are feasible with quantum protocols.
In this paper we introduce the notion of zero-knowledge position verification, which generalizes position verification in two ways:
1. enabling entities to prove more sophisticated statements about their locations at different times (for example, "I was NOT near location L at noon yesterday").
2. maintaining privacy for any other detail about their true location besides the statement they are proving.
We construct zero-knowledge position verification from standard position verification and post-quantum one-way functions. The central tool in our construction is a primitive we call position commitments, which allow entities to privately commit to their physical position in a particular moment, which is then revealed at some later time.
## 2026/137
* Title: Hensel-lifting black-box algorithms and fast trace computation for elliptic-curve endomorphisms
* Authors: Lorenz Panny, Damien Robert, Alessandro Sferlazza
* [Permalink](https://eprint.iacr.org/2026/137)
* [Download](https://eprint.iacr.org/2026/137.pdf)
### Abstract
We demonstrate a general and efficient technique to Hensel-lift a solution to a system of ($p$rCaadically analytic) equations which may be given implicitly in the form of an efficient evaluation algorithm. Contrary to textbook Hensel lifting, we do not require the equations to be represented explicitly; indeed, our main application uses the method for a system of equations that can be exponentially larger than its representation as an arithmetic circuit: we show how to compute traces of elliptic-curve endomorphisms over a finite field $\mathbb{F}_q$ by constructing an (approximate) lift to $\mathbb{Z}_q$. Our examples include endomorphisms represented as a chain of V|-lu, reU|-lu, modular, or radical isogenies, as well as HDrCaembedded endomorphisms. The resulting trace-computation algorithm outperforms the state of the art both asymptotically and concretely.
## 2026/138
* Title: From Arithmetic to Shamir: Secure and Efficient Masking Gadgets for Multiplications - Applications to the Post-Quantum Signature Scheme MQOM
* Authors: Vladimir Sarde, Nicolas Debande, Louis Goubin
* [Permalink](https://eprint.iacr.org/2026/138)
* [Download](https://eprint.iacr.org/2026/138.pdf)
### Abstract
Efficiently masking multiplications in software is a long standing and extensively studied problem. A variety of gadgets have been proposed to perform these multiplications, each offering different trade-offs between efficiency and security. However, almost all existing solutions rely on arithmetic masking, in which multiplications cannot be naturally protected. In this work, we introduce two novel gadgets, named A2S and S2A, that enable conversions between arithmetic masking and ShamirrCOs Secret Sharing (SSS)-based masking. With this approach, multiplications can be performed naturally and securely in a sharewise manner. We prove that our gadgets achieve SNI security, which provides security guarantees and straightforward composability. Moreover, we demonstrate that composing them with multiplication yields PINI security. We then provide a detailed complexity analysis and discuss the contexts where our gadgets are most relevant.
As a case study, we apply them to the MQOM post-quantum signature scheme, a candidate in the second round of the NIST additional post-quantum digital signature standardization process. When computing the sensitive multiplications in MQOM, for masking order t = 1, our approach reduces the number of multiplications, additions, and randomness requirements by 31%, 71%, and 60%, respectively, compared to the state of the art, while incurring only small additional memory overhead. We further show that these gains not only hold but actually increase as the masking order grows. Our results demonstrate that arithmetic-to-SSS conversions provide an effective and scalable path toward efficient masked implementations, making them particularly attractive for postquantum cryptography.
## 2026/139
* Title: Cryptanalytic Extraction of Convolutional Neural Networks
* Authors: Xiaohan Sun, Hao Lei, Longxiang Wei, Xiaokang Qi, Kai Hu, Meiqin Wang, Wei Wang
* [Permalink](https://eprint.iacr.org/2026/139)
* [Download](https://eprint.iacr.org/2026/139.pdf)
### Abstract
Neural network model extraction attacks pose a serious threat to the intellectual property of deep learning models. While most prior work focuses on Fully Connected Networks (FCNs), effective extraction of Convolutional Neural Networks (CNNs) remains underexplored, particularly in the hard-label setting. In this work, we propose the first systematic method for the recovery of complete CNN parameters in such conditions. By reformulating convolutional layers as sparse Block Toeplitz with Toeplitz Blocks (BTTB) matrices, we extend the model extraction attack method from FCNs to CNNs. The proposed method supports both one- and two-dimensional CNNs, handling scenarios with multiple kernels, multi-channel structures, and average pooling. To enhance computational efficiency and scalability, a kernel-centric clustering algorithm is proposed to exploit kernel parameter sharing, and a Singular Value Decomposition (SVD)-based acceleration strategy is adopted to address the computational cost of large sample sets. Moreover, we perform experiments to demonstrate that our method accurately and efficiently extracts CNN parameters, including multi-channel, multi-kernel and average-pooling layers, with a worst-case relative error of $2^{-17.75}$ and up to $2^{9.26}$ speedup, and recover large models LeNet-5 within practical runtime.
## 2026/140
* Title: On the Necessity of Public Contexts in Hybrid KEMs: A Case Study of X-Wing
* Authors: Taehun Kang, Changmin Lee, Yongha Son
* [Permalink](https://eprint.iacr.org/2026/140)
* [Download](https://eprint.iacr.org/2026/140.pdf)
### Abstract
Post-quantum migration must balance two risks: future quantum breaks of classical cryptography and residual uncertainty in newly standardized post-quantum cryptography (PQC). Hybrid Key Encapsulation Mechanisms (KEMs) hedge by combining a classical and a PQC component. Prior work shows that optimized combiners may omit large public inputs from the final key-derivation step, but only if the derived key remains bound to the ciphertext transcript and, in multi-target settings, to the intended recipient; otherwise ciphertext manipulation and cross-recipient amortization at the KDF layer can increase an adversaryrCOs concrete advantage. In practice, these requirements are often conflated, leading either to unsafe secret-only schedules or to unnecessary hashing of large transcripts. We distill practitioner-facing, interface-level guidance by separating ciphertext-to-secret binding from multi-target security, and by adopting ciphertext second-preimage resistance (C2PRI) as a checkable criterion under deployed encodings.
We apply this perspective to X-Wing, a hybrid combining ML-KEM with an X25519-based DH-to-KEM under consideration as an IETF Internet-Draft. Under the deployed raw-output interface, we show how distinct classical ciphertexts can yield the same shared secret, motivating hashing of the classical ciphertext in the outer KDF and clarifying when recipient public-key context is needed in multi-target deployments. We also show that similar issues arise for other widely deployed elliptic-curve DiffierCoHellman (ECDH) APIs, including P-256, when they export only partial point information. Finally, we summarize when ciphertext hashing can be omitted, including canonical prime-order abstractions such as Ristretto255 and designs that internalize transcript context via per-component hashing, as in HPKE DiffierCoHellman-based KEM (DHKEM) profiles.
## 2026/141
* Title: Minimizing Mempool Dependency in PoW Mining on Blockchain: A Paradigm Shift with Compressed Block Representation for Enhanced Scalability, Decentralization and Security.
* Authors: Gyu Chol Kim
* [Permalink](https://eprint.iacr.org/2026/141)
* [Download](https://eprint.iacr.org/2026/141.pdf)
### Abstract
While existing Proof-of-Work (PoW) based blockchain protocols have demonstrated innovative potential, they face inherent limitations regarding scalability, efficiency, and decentralization. The compact block propagation method, though effective in reducing network bandwidth and propagation delay in ideal environments, suffers from performance degradation due to mempool inconsistencies among nodes. This paper proposes a novel block propagation and consensus protocol that mitigates the blockchain's dependency on mempool synchronization. The proposed approach redefines the PoW process to shorten the time to consensus despite increased block sizes. Specifically, it includes a compressed transaction input ID list within the compact block to induce nodes to immediately begin mining without full verification. The full verification of transactions adopts a 'delayed verification' method, performed in parallel with the mining operation. This study enables the processing of more transactions quickly while maintaining the decentralization and security of Bitcoin (e.g., achieving approximately 66.7 TPS with 10MB blocks).
## 2026/142
* Title: rCROne More TimerCY: Security of One-time Signature Scheme Using Run-length Encoding Under Two-message Attacks
* Authors: Vikt||ria I. Vill|inyi
* [Permalink](https://eprint.iacr.org/2026/142)
* [Download](https://eprint.iacr.org/2026/142.pdf)
### Abstract
In this paper, we examine the One-time signature scheme using run-length encoding, as proposed by Steinwandt et al., under the scenario where an adversary is allowed to obtain signatures on two messages before attempting to forge a signature on a third message. Our analysis follows the line of security discussion presented by Groot Bruinderink et al. in their paper rCLOops, I Did It Again rCo Security of One-Time Signatures under Two-Message Attacks.rCY By considering various attack models and different strategies, we estimate both the attack complexity and the probability of forging a signature. Our results indicate that the signature scheme performs well under a two-message attack, making it an interesting candidate for a few-time signature scheme. Few-time signature schemes such as HORS are a fundamental building block of stateless hash-based signature schemes.
## 2026/143
* Title: A Unified Treatment of Reachability and Indistinguishability Properties: First-Order Logic with Overwhelming Truth
* Authors: Gergei Bana, Mitsuhiro Okada
* [Permalink](https://eprint.iacr.org/2026/143)
* [Download](https://eprint.iacr.org/2026/143.pdf)
### Abstract
In the formal verification of complexity-theoretic properties of cryptography, researchers have traditionally attempted to capture ``overwhelming truth'' (satisfaction with all but negligible probability) via satisfaction on individual traces of probabilistic execution. However, this approach introduces significant complexity when quantification is present: satisfaction of existential quantification over traces often produces witnesses---such as nonce-guessing oracles---that witnesses that, without further constraints, may not correspond to meaningful global objects like PPT algorithms respecting causal structure. This discrepancy creates significant obstacles when attempting to combine trace properties, such as reachability, with properties that hold globally, such as algorithmic indistinguishability.
We resolve this by shifting from local satisfaction on individual traces to a semantics based on ever-decreasing non-negligible sets. We demonstrate that the logical key to this unification lies in first-order modal logic S4 with non-negligible sets as possible worlds, rather than the propositional S5 fragment with traces as possible worlds suggested in previous investigations by the Squirrel Prover team. By introducing a PPT computational first-order S4 Kripke semantics and adopting Fitting's embedding for trace properties, we provide a unified quantified treatment of overwhelming truth for trace properties and indistinguishability that admits cut-elimination and remains sound and complete---resolving an open question in the literature.
We show that Fitting's embedding naturally accommodates the higher-order quantification used in the Squirrel prover by interpreting function types as sorts in a many-sorted first-order logic; this reduces the need for the specialized $\texttt{const}$ predicate and its associated structural restrictions. Finally, using our findings, we present a hybrid semantics for CryptoVampire that eliminates the need for bounded Skolemization.
## 2026/144
* Title: Designated-Verifier Dynamic zk-SNARKs with Applications to Dynamic Proofs of Index
* Authors: Weijie Wang, Charalampos Papamanthou, Shravan Srinivasan, Dimitrios Papadopoulos
* [Permalink](https://eprint.iacr.org/2026/144)
* [Download](https://eprint.iacr.org/2026/144.pdf)
### Abstract
Recently, the notion of dynamic zk-SNARKs was introduced. A dynamic zk-SNARK augments a standard zk-SNARK with an efficient update algorithm. Given a valid source statement-witness pair $(x,w)$ together with a verifying proof $p$, and a valid target statement-witness pair $(x',w')$, the update algorithm outputs a verifying proof $p'$ for $(x',w')$. Crucially, $p'$ is not recomputed from scratch; instead, the update algorithm takes time roughly proportional to the Hamming distance between $(x,w)$ and $(x',w')$, analogous to how dynamic data structures update the result of a computation after a small change.
In this paper, we initiate the study of designated-verifier dynamic zk-SNARKs: dynamic zk-SNARKs in which only a designated verifier, holding secret verification state, can be convinced by a proof. Following recent advances in designated-verifier zk-SNARKs---such as efficient post-quantum designated verifier SNARKs (CCS 2021) and designated verifier SNARKs with very small proofs (CRYPTO 2025)---we construct a designated-verifier dynamic zk-SNARK with $O(\log n)$ update time, constant proof size, and concrete efficiency. Our construction significantly outperforms Dynalog (both asymptotically and concretely), the only publicly verifiable dynamic zk-SNARK with polylogarithmic update time (Wang et al., 2024).
The concrete efficiency of our construction enables, for the first time, an efficient implementation of a dynamic proof of index: Given a digest $d$ of an arbitrary set and a digest $d'$ of its sorted index (e.g., binary search tree), we produce a SNARK proof certifying the consistency of $d$ and $d'$. More importantly, this proof can be updated in sublinear time when the underlying set changes---for example, when an element is modified or inserted, potentially altering the sorted order. We demonstrate applications of designated-verifier dynamic proofs of index to verifiable dynamic database outsourcing, where a client outsources a database and later maintains verifiable indices for efficient query answering, even under arbitrary database updates.
## 2026/145
* Title: Round-Optimal GUC-Secure Blind Signatures from Minimal Computational and Setup Assumptions
* Authors: Michele Ciampi, Pierpaolo Della Monica, Ivan Visconti
* [Permalink](https://eprint.iacr.org/2026/145)
* [Download](https://eprint.iacr.org/2026/145.pdf)
### Abstract
A blind signature scheme is an interactive protocol that enables a user to obtain a signature on a message without revealing any information about the messagerCosignature pair to the signer. Despite more than 40 years of research, all existing constructions suffer from at least two of the following limitations.
1. The protocol is not round-optimal, requiring more than two messages to be exchanged during the signature phase.
2. There is only game-based security and/or lack of composability with global and observable setup (i.e., there is a need for trusted parameters or to program random oracles).
3. There is a need (unlike regular signatures) of demanding hardness assumptions, especially when targeting post-quantum security.
In this work, we bypass prior results by showing how to blindly sign a message, simultaneously overcoming all of the above three limitations. Specifically, we construct a (Global) Universally Composable (UC), two-round (optimal) blind signature protocol that relies only on one-way functions (optimal), without trusted parameters. The only deviation from the plain model is the need for a global non-programmable random oracle (NPRO). Nicely, our scheme can be instantiated from a variety of assumptions believed to be post-quantum secure (e.g., AES). A central technical component of our scheme is the construction of a novel commitment scheme that enjoys a special (mild) form of composability, which may be of independent interest. Finally, we argue that a concrete instantiation of our scheme has signature sizes and communication complexity suitable for practical applications.
## 2026/146
* Title: Feistel Tools: Reprogramming and Query-Recording for QRPs
* Authors: Yu-Hsuan Huang, Andreas H|+lsing, Varun Maram, Silvia Ritsch, Abishanka Saha
* [Permalink](https://eprint.iacr.org/2026/146)
* [Download](https://eprint.iacr.org/2026/146.pdf)
### Abstract
The quantum random oracle model (QROM) has become the de-facto model to analyze post-quantum security of practical cryptographic schemes which use hash functions. The quantum random permutation model (QRPM), on the other hand, has not enjoyed a similar level of success for studying permutation-based schemes. A main reason is that it lacks the features offered by the former model to enable security proofs: namely, query-recording and reprogramming.
In this work, we present a new approach to simulate bidirectional-query random permutation oracles using Feistel constructions which unlock the above two features in the QRPM. We then show the potential of our framework by:
rCo Analyzing the post-quantum security of a recent variant of the Fiat-Shamir transformation rCo called duplex-sponge Fiat-Shamir (Chiesa and Orr||, TCC 2025) rCo which is deployed in the wild.
rCo Recovering a meaningful quantum query lower bound for the double-sided zero search problem rCo the hardness of which was conjectured by Unruh, but has resisted many attempts until very recently rCo via a simpler approach that generalizes the compressed oracle technique (Zhandry, Crypto 2019) to the QRPM.
All in all, our work demonstrates how the "Feistel toolkit" enables us to achieve reprogramming and query-recording for quantum random permutations, thereby effectively bridging the gap between the QROM and the QRPM in terms of analyzing real-world post-quantum cryptographic schemes and relevant quantum query complexity problems.
## 2026/147
* Title: OptiBridge: A Trustless, Cost-Efficient Bridge Between the Lightning Network and Ethereum
* Authors: Mohsen Minaei, Duc V. Le, Pedro Moreno-Sanchez
* [Permalink](https://eprint.iacr.org/2026/147)
* [Download](https://eprint.iacr.org/2026/147.pdf)
### Abstract
Bridges, protocols that enforce a state transition on a destination ledger conditioned on an event on a source ledger, are central to modern DeFi.
Conventional designs implicitly assume the source ledger event is publicly observable, an assumption that breaks with Layer-2 payment channels such as the Lightning Network, where state updates occur off-chain between counterparties and are invisible to others. This state of affairs advocates for new bridge designs for this setting.
This paper introduces OptiBridge, a bridge between a payment channel (e.g., Lightning Network) and a smart-contract blockchain (e.g., Ethereum) that preserves safety and liveness without adding trust assumptions and remains fully compatible with existing Lightning and Ethereum stacks. OptiBridge follows an optimistic path in the common case: two honest channel peers materialize the intended state on the destination chain by revealing a pre-agreed secret.
To handle faults and adversarial behavior, OptiBridge provides a dispute path orchestrated by a more expressive contract that is deployed {only on demand}. An implementation demonstrates substantial cost savings in the optimistic case: compared to Alba (NDSSrCO25), the optimistic contract deployment uses $\sim 73\%$ less gas ($1.22$M vs. $4.51$M), and proof submission costs $40{,}107$ vs. $253{,}566$ gas; when disputes arise, the dispute contract deployment costs $2{,}785{,}514$ gas and the core dispute call is cheaper ($196{,}438$ vs.$515{,}860$). Our analysis shows that rational users strictly prefer the optimistic path, whereas the dispute mechanism prevents coin theft and imposes higher fees and delays on the deviator.
## 2026/148
* Title: ABBA: Lattice-based Commitments from Commutators
* Authors: Alberto Centelles, Andrew Mendelsohn
* [Permalink](https://eprint.iacr.org/2026/148)
* [Download](https://eprint.iacr.org/2026/148.pdf)
### Abstract
We study the cryptographic properties of sums of commutators of quaternions modulo $q$. We show that for certain parameters, the distribution of the sum of commutators of uniformly random elements with elements sampled from a discrete Gaussian is statistically close to uniform. We also give reductions from worst-case lattice problems such as SIVP to SIS-style problems defined using commutators on structured quaternionic lattices. Together these results indicate one-wayness and collision resistance of the sum-of-commutators function, under worst-case assumptions on lattices. We use this to develop a linearly homomorphic commitment scheme, dubbed `ABBA', which in many cases can be substituted for the widely-used Ajtai commitment scheme. We demonstrate the utility of the properties of commutation by replacing the Ajtai commitments used in Neo (a state-of-the-art folding scheme from lattices) with ABBA commitments, obtaining a 25% commitment size reduction and an almost equally efficient scheme.
## 2026/149
* Title: Private IP Address Inference in NAT Networks via Off-Path TCP Control-Plane Attack
* Authors: Suraj Sharma, Adityavir Singh, Mahabir Prasad Jhanwar
* [Permalink](https://eprint.iacr.org/2026/149)
* [Download](https://eprint.iacr.org/2026/149.pdf)
### Abstract
Recent work at NDSS 2024 demonstrated that widely deployed NAT
behaviors in Wi-Fi routers - including port preservation, insufficient reverse-path validation, and the absence of TCP window tracking
enable off-path TCP hijacking attacks in NATed wireless networks.
These attacks exploit design weaknesses in NAT gateway routers to
detect whether some internal client behind the NAT maintains an
active TCP connection with a target server and, upon detection, to
disrupt or manipulate that connection. In this paper, we show that
these behaviors have significantly broader privacy implications. We
demonstrate that an off-path attacker can not only hijack active
TCP connections but also accurately infer the private IP addresses
of individual clients behind a NAT that are engaged in TCP commu-
nication with a target server. Our attack operates under the same
realistic assumptions as prior work, yet leverages previously unex-
plored behaviors in NAT state management and TCP control-plane
interactions to reconstruct the full client-side connection tuple. We
evaluate our attack both in a controlled laboratory testbed and
in a real-world Wi-Fi network. For SSH connections, our method
reliably identifies the private IP addresses of connected clients and
enables forcible termination of their TCP sessions. For HTTPS
connections, although the attacker successfully terminates the un-
derlying TCP connection, modern browsers rapidly re-establish
a new connection using new ephemeral ports; nevertheless, our
attack reveals the private IP addresses of the originating clients, ex-
posing a persistent privacy leakage. Our findings demonstrate that
off-path TCP hijacking attacks in NATed Wi-Fi networks pose a seri-
ous and previously unrecognized threat to client privacy, extending
well beyond connection disruption to enable deanonymization of
internal hosts.
## 2026/150
* Title: Claiming bounties on small scale Poseidon and Poseidon2 instances using resultant-based algebraic attacks
* Authors: Antoine Bak, Augustin Bariant, Aur|-lien Boeuf, Ma|2l Hostettler, Guilhem Jazeron
* [Permalink](https://eprint.iacr.org/2026/150)
* [Download](https://eprint.iacr.org/2026/150.pdf)
### Abstract
In november 2024, the Ethereum foundation (EF) issued a bounty program with challenges on Poseidon and Poseidon2. The goal of these challenges is to find CICO solutions on different round-reduced instances of Poseidon and Poseidon2, defined on different prime fields. We denote the four main instances Poseidon-256, Poseidon2-64, Poseidon2-31m and Poseidon2-31k. In the challenges, the goal is to solve CICO-1 for Poseidon-256 and Poseidon-64, and CICO-2 for Poseidon-31m and Poseidon-31k.
We found CICO solutions to the first 3 proposed instances of Poseidon2-31m and Poseidon2-31k, along with solutions for the first two Poseidon-256 instances. These solutions have been confirmed to be correct and eligible for bounty by the Ethereum fundation, except for the first instance of Poseidon-256, which was claimed by another team before us. In order to solve the instances of Poseidon2-31m and Poseidon2-31k, we used a new resultant-based approach, whereas our attacks on Poseidon-256 only relies on already-known univariate root finding.
## 2026/151
* Title: Non-Complete Set Coverings for Higher Order Threshold Implementations * Authors: Oriol Farr|as, |oscar Fidalgo, Carlos Andres Lara-Nino
* [Permalink](https://eprint.iacr.org/2026/151)
* [Download](https://eprint.iacr.org/2026/151.pdf)
### Abstract
Side-channel attacks (SCAs) represent an important threat for the implementation of cryptographic algorithms. These attacks exploit the information leakage found in the physical magnitudes of hardware devices (e.g. current draw, electromagnetic emanation). Threshold Implementations (TIs) aim to mitigate SCAs by implementing a modified version of the algorithm that operates over randomized shares of its input and intermediate values. This strategy relies on the possibility of splitting the algorithm to be protected into sub-functions that satisfy certain properties about their dependence structure on the randomized shares. Non-complete set coverings (NCSCs) are combinatorial objects that can provide this dependence structure and guide the design of TIs. Given the desired order of protection $d$ and the algebraic degree $t$ of the functions to be implemented, for an NCSC to be useful, its cardinality $r$ should be small and similar to the number of input shares $s$.
This work contributes to the study of NCSCs for efficient TIs by finding smaller coverings and proving novel theoretical bounds on their cardinality. We present a new NCSC for the case $t=3,d=2$ that is optimal and NCSCs for the cases $t=3,d=3$ and $t=4,d=2$ whose sizes are close to the lower bounds. We also present new combinatorial properties of these coverings and an algorithm for the search of small NCSCs.
## 2026/152
* Title: On the Quantum Collision Resistance of HCF Hash Functions
* Authors: Alis|-e Lafontaine, Andr|- Schrottenloher
* [Permalink](https://eprint.iacr.org/2026/152)
* [Download](https://eprint.iacr.org/2026/152.pdf)
### Abstract
At EUROCRYPT 2020, Hosoyamada and Sasaki obtained the first dedicated quantum collision attacks on hash functions reaching more rounds than the classical ones. Indeed, as the speedup of generic quantum collision search is less than quadratic, an attack based on Grover's search may become comparatively more efficient in the quantum setting.
In this paper, we focus on collision attacks on double-block length hash functions, and more precisely the Hirose compression function (HCF). At ToSC 2021, Chauhan et al. found a 10-round free-start collision attack on HCF-AES-256. At ToSC 2024, Lee and Hong corrected its complexity analysis. However, these two works are superseded by another result of Hirose and Kuwakado (IMACC 2021), which shows that for any $2n$-bit HCF hash function, a quantum free-start collision attack of complexity $\mathcal{O}(2^{n/2})$ exists. While both the works of Chauhan et al. and Lee and Hong are above this generic complexity, we find that a classical attack from Chen et al. (IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2016) translates to a 9-round quantum attack on HCF-AES-256.
Next, we study the security of HCF against quantum collision attacks (not free-start). We use a generic strategy that transforms a partial preimage attack into a quantum collision attack, and give several applications on HCF hash functions: a 6-round attack on AES-256 and a 15-round attack on Romulus-H (based on Skinny), both exceeding the reach of classical attacks.
## 2026/153
* Title: BOLT: Bootstrapping-Aware Logic Resynthesis and Technology Mapping for Efficient TFHE Circuits
* Authors: Bhuvnesh Chaturvedi, Ayantika Chatterjee, Anupam Chattopadhyay, Debdeep Mukhopadhyay
* [Permalink](https://eprint.iacr.org/2026/153)
* [Download](https://eprint.iacr.org/2026/153.pdf)
### Abstract
Recent interest in fully homomorphic encryption (FHE) has motivated efforts to develop faster and more efficient homomorphic logic circuits. Currently, Torus FHE (TFHE) provides the fastest gate-level bootstrapping and enables homomorphic evaluation over encrypted bits. Prior works typically utilize standard Computer Aided Design (CAD) tools to synthesize TFHE-amenable gate-level netlists. However, the logic resynthesis and technology mapping stages of these tools are designed for reducing area and power rather than bootstrapped gates, which leads to suboptimal netlists for homomorphic execution. In this work, we introduce BOLT, a TFHE-amenable CAD synthesis framework that explicitly targets reductions in bootstrapping depth. BOLT employs a bootstrapping-aware logic resynthesis stage to rewrite sub-networks in the input netlist into functionally equivalent forms that can be evaluated with a single bootstrapping operation. Following this, our bootstrapping-aware technology mapping stage incorporates a custom simulated annealing-based scheduler to decide whether each transformed sub-network should replace its original counterpart immediately or be deferred to enable better future opportunities. Through extensive evaluation on standard benchmark circuits, BOLT achieves significant improvements in homomorphic evaluation time, delivering $8\times$ speedup over the current state-of-the-art and $31\times$ speedup over prior work on FHEW-like schemes.
## 2026/154
* Title: Oil, Vinegar, and Sparks: Key Recovery from UOV via Single Electromagnetic Fault Injection
* Authors: Fabio Campos, Daniel Hahn, Daniel K||nnecke, Marc St||ttinger
* [Permalink](https://eprint.iacr.org/2026/154)
* [Download](https://eprint.iacr.org/2026/154.pdf)
### Abstract
In this work, we present a practical fault-injection attack against the current Unbalanced Oil and Vinegar signature scheme non-deterministic implementation that enables complete secret key recovery from a single faulty signature, given one prior fault-free signature. By applying fault injection to disrupt the mixing of the vinegar and oil components during signature generation, the secret key can be recovered directly from the faulty signature. We validate the attack experimentally on a real device using an electromagnetic fault injection setup, establishing the required glitch in practice rather than through simulation. Our experimental results indicate that a single execution of the attack achieves a success rate exceeding 90%. Furthermore, we demonstrate the real-world feasibility of the attack by transferring the attack parameters to an architecturally equivalent target, requiring only minor recalibration. To the best of our knowledge, this is the first work to demonstrate an electromagnetic fault-injection attack in the context of multivariate-based signature schemes. Additionally, we discuss possible countermeasures to protect implementations of UOV-based schemes against such physical attacks.
## 2026/155
* Title: Module Learning With Errors and Structured Extrapolated Dihedral Cosets
* Authors: Weiqiang Wen, Jinwei Zheng
* [Permalink](https://eprint.iacr.org/2026/155)
* [Download](https://eprint.iacr.org/2026/155.pdf)
### Abstract
The Module Learning With Errors (MLWE) problem is the fundamental hardness assumption underlying the key encapsulation and signature schemes ML-KEM and ML-DSA, which have been selected by NIST for post-quantum cryptography standardization. Understanding its quantum hardness is crucial for assessing the security of these standardized schemes.
Inspired by the equivalence between LWE and Extrapolated Dihedral Cosets Problem (EDCP) in [Brakerski, Kirshanova, Stehl|- and Wen, PKC 2018], we show that the MLWE problem is as hard as a variant of the EDCP, which we refer to as the structured EDCP (stEDCP). This extension from EDCP to stEDCP relies crucially on the algebraic structure of the ring underlying MLWE: the extrapolation depends not only on the noise rate, but also on the ringrCOs degree. In fact, an stEDCP state forms a superposition over an exponential (in ring degree) number of possibilities. Our equivalence result holds for MLWE defined over power-of-two cyclotomic rings with constant module rank, a setting of particular relevance in cryptographic applications. Moreover, we present a reduction from stEDCP to EDCP. Therefore, to analyze the quantum hardness of MLWE, it may be advantageous to study stEDCP, which might be easier than EDCP.
## 2026/156
* Title: Hachi: Efficient Lattice-Based Multilinear Polynomial Commitments over Extension Fields
* Authors: Ngoc Khanh Nguyen, George O'Rourke, Jiapeng Zhang
* [Permalink](https://eprint.iacr.org/2026/156)
* [Download](https://eprint.iacr.org/2026/156.pdf)
### Abstract
In this work, we present Hachi, a concretely efficient multilinear polynomial commitment scheme that offers succinct proof sizes of $\mathrm{poly}(\ell,\lambda)$ and achieves a rCLsquare-rootrCY verifier time complexity of $\tilde{O}(\sqrt{2^\ell \lambda})$ for $\ell$-variate polynomials under the Module-SIS assumption. Compared to the current state-of-the-art scheme, Greyhound (CRYPTO~2024), Hachi provides an asymptotic improvement of $\tilde{O}(\lambda)$ in verification time, which translates into a practical 12.5-fold speedup, while maintaining compact proofs of approximately $55$ KB.
To improve the verification time, we adopt the sumcheck protocol. Note that the standard sumcheck has efficiency bottlenecks for lattice-based constructions, since lattice operations are usually performed over power-of-two cyclotomic rings $\mathbf{R}_{q} := \mathbb{Z}_q[X]/(X^d + 1)$. To address this challenge, we provide a novel approach that integrates Greyhound with the ring-switching idea proposed by Huang, Mao and Zhang (ePrint 2025). Surprisingly, under this approach, the verifier does not need to perform any multiplication over $\mathbf{R}_{q}$, enabling a much faster verification time. This technique could be of independent interest for building lattice-based SNARKs, particularly for achieving faster verification.
As a separate contribution, we introduce a generic reduction that converts polynomial evaluation proofs over extension fields $\mathbb{F}_{q^k}$ (under suitable parameter regimes) into equivalent statements over cyclotomic rings $\mathbf{R}_{q}$. This reduction is compatible with existing lattice-based polynomial commitment schemes and can be integrated as a modular enhancement to broaden applicability to statements over extension fields.
## 2026/157
* Title: In Mid-Stream: Removing the FO-Transform Helps against Leakage but is not Enough
* Authors: Duy|-n Pay, Thomas Peters, Fran|oois-Xavier Standaert
* [Permalink](https://eprint.iacr.org/2026/157)
* [Download](https://eprint.iacr.org/2026/157.pdf)
### Abstract
The Fujisaki-Okamoto transform is a popular solution to design post-
quantum public key encryption schemes, or key encapsulation mechanisms. In order to
ensure security against chosen-ciphertext attacks, it checks the validity of ciphertexts
by re-encrypting decrypted messages. This operation in turn leads to severe side-
channel weaknesses, because the re-encrypted messages can be made key-dependent.
Hence, distinguishing them thanks to leakage is sufficient to extract (long-term)
secret key information. As a result, recent works suggested to ensure the validity of
ciphertexts by other means than re-encryption. For now, the main candidate for this
purpose, integrated in the Polka encryption scheme (PKC 2023) and analyzed more generically by H||velmanns et al. (EUROCRYPT 2025), is to use continuous norm checks through the decryption process. In this paper, we evaluate the extent to which
replacing the FO-transform by such norm checks helps resistance against leakage.
Negatively, we exhibit new attack vectors that were not anticipated in previous (heuristic) analyzes. Positively, we observe that the removal of the FO-transform
nevertheless reduces the attack surface and we identify possible tracks to further
minimize it. Overall, our results therefore shed light on the challenge of designing
post-quantum public-key encryption schemes, or key encapsulation mechanisms, that
can be efficiently protected against side-channel attacks. We hope they can inform
theory about leakage sources that could be better taken over by design, to develop
new schemes allowing a scarcer use of implementation-level countermeasures.
## 2026/158
* Title: Setup Protocols for Sender Anonymity
* Authors: Tian Huang, Jiatai Zhang, Megumi Ando
* [Permalink](https://eprint.iacr.org/2026/158)
* [Download](https://eprint.iacr.org/2026/158.pdf)
### Abstract
Anonymous communication is essential for secure and private interactions over public networks. Existing solutions that provide provable anonymity rely on the so-called simple I/O setting, where every participant sends and receives the same number of messages, masking their true communication pattern. The only known way to enforce this setting is through dialing protocols. Such protocols establish pairwise conversations, but each recipient inevitably learns who attempted to contact them, violating sender anonymity, the guaranty that even the recipient cannot determine who attempted to contact them.
In this work, we introduce the notion of enhanced dialing protocols, a broad class of protocols that enforce the simple I/O setting. We also initiate the first formal study of such protocols with respect to sender anonymity. We introduce a framework that captures three key properties: security, correctness, and fairness. Within this framework, we present Fusion, a protocol that achieves perfect correctness and fairness while incurring only unavoidable leakage, and Fusion+, a differentially private variant that reduces this leakage at the cost of some correctness. Through theoretical analysis, we quantify the fundamental trade-off between privacy and correctness in Fusion+.
## 2026/159
* Title: Dinocchio: Distributed Prover for Ring Arithmetic
* Authors: Katerina Sotiraki, Yunhao Wang, Fan Zhang
* [Permalink](https://eprint.iacr.org/2026/159)
* [Download](https://eprint.iacr.org/2026/159.pdf)
### Abstract
Nearly all existing SNARK systems are optimized for arithmetic over finite fields. Using them to prove statements involving ring arithmetic, which underlies lattice-based cryptography and fully homomorphic encryption (FHE), incurs substantial overhead. Consequently, practical deployments of FHE often rely on the \textit{honest-but-curious} assumptions, leaving a gap in the verifiability of the FHE computation. Several recent works have explored zero-knowledge proofs tailored to lattice-based schemes, yet still suffer from high prover costs and limited scalability.
In this work, we introduce Dinocchio, the first distributed SNARK for rings with constant proof size and constant verification time. For a setting with $m$ sub-provers, Dinocchio achieves an approximately $m$-fold speedup in prover time compared to Rinocchio (JoC'23), while preserving the constant verification time independent of $m$.
We demonstrate the practicality of Dinocchio through matrix multiplication, which is a crucial building block to large-scale lattice-based applications. With matrices of size $2^{12} \times 2^{12}$, the corresponding arithmetic circuit contains $\sim2^{32}$ constraints, which is beyond the reach of all existing works. Our microbenchmarks show that Dinocchio can generate a succinct proof in around $9.23$ hours with $128$ sub-provers, more than $108\times$ faster than the prior work, and the verifier completes the verification in under $16$ seconds.
## 2026/160
* Title: Leveraging ASIC AI Chips for Homomorphic Encryption
* Authors: Jianming Tong, Tianhao Huang, Jingtian Dang, Leo de Castro, Anirudh Itagi, anupam golder, asra ali, Jeremy Kun, jevin jiang, arvind arvind, G. Edward Suh, Tushar Krishna
* [Permalink](https://eprint.iacr.org/2026/160)
* [Download](https://eprint.iacr.org/2026/160.pdf)
### Abstract
Homomorphic Encryption (HE) provides strong data privacy for cloud services but at the cost of prohibitive computational overhead. While GPUs have emerged as a practical platform for accelerating HE, there remains an order-of-magnitude energy-efficiency gap compared to specialized (but expensive) HE ASICs. This paper explores an alternate direction: leveraging existing AI accelerators, like Google's TPUs with coarse-grained compute and memory architectures, to offer a path toward ASIC-level energy efficiency for HE. However, this architectural paradigm creates a fundamental mismatch with SoTA HE algorithms designed for GPUs. These algorithms rely heavily on: (1) high-precision (32-bit) integer arithmetic to now run on a TPU's low-throughput vector unit, leaving its high-throughput low-precision (8-bit) matrix engine (MXU) idle, and (2) fine-grained data permutations that are inefficient on the TPU's coarse-grained memory subsystem. Consequently, porting GPU-optimized HE libraries to TPUs results in severe resource under-utilization and performance degradation. To tackle above challenges, we introduce CROSS, a compiler framework that systematically transforms HE workloads to align with the TPU's architecture. CROSS makes two key contributions: (1) Basis-Aligned Transformation (BAT), a novel technique that converts high-precision modular arithmetic into dense, low-precision (INT8) matrix multiplications, unlocking and improving the utilization of TPU's MXU for HE, and (2) Memory-Aligned Transformation (MAT), which eliminates costly runtime data reordering by embedding reordering into compute kernels through offline parameter transformation. CROSS (TPU v6e) achieves higher throughput per watt on NTT and HE operators than WarpDrive, FIDESlib, FAB, HEAP, and Cheddar, establishing AI ASIC as the SotA efficient platform for HE operators. Code: https://github.com/EfficientPPML/CROSS
--- Synchronet 3.21b-Linux NewsLink 1.2