From Newsgroup: sci.crypt
## In this issue
1. [2025/1067] Full Anonymity in the Asynchronous Setting from ...
2. [2025/1806] Improved Integral Attack on ChiLow-32 Exploiting ...
3. [2025/1809] On the Security of Linear Secret Sharing with ...
4. [2025/1828] Block-Accumulate Codes: Accelerated Linear Codes ...
5. [2025/1844] Bird of Prey: Practical Signature Combiners ...
6. [2026/212] PANCAKE: A SNARK with Plonkish Constraints, Almost- ...
7. [2026/225] Solving SIS in any norm via Gaussian sampling
8. [2026/249] Have Your CKAKE and Eat it, Too: Efficient, ...
9. [2026/260] Investigating the Wedge Map on SNOVA
10. [2026/272] On the Complexity of Interactive Arguments
11. [2026/276] On the conversion of module representations for ...
12. [2026/292] Crossing with Confidence: Formal Analysis and Model ...
13. [2026/294] Post-Quantum Adaptor Signatures with Strong ...
14. [2026/318] Distributed Monotone-Policy Encryption for DNFs ...
15. [2026/320] Statistically Secure Asynchronous MPC with Linear ...
16. [2026/339] $\mathsf{Spectra}$: Interval-Agnostic Vector Range ...
17. [2026/352] Migrating Bitcoin and Ethereum Addresses to the ...
18. [2026/358] Round-Based Approximation of (Higher-Order) ...
19. [2026/367] High-Precision Functional Bootstrapping for CKKS ...
20. [2026/372] Distributed Monotone-Policy Encryption with Silent ...
21. [2026/373] Partially Non-Interactive Two-Round Threshold and ...
22. [2026/374] WOTS-Tree: Merkle-Optimized Winternitz Signatures ...
23. [2026/375] Liquid Democracy With Two Opposing Factions
24. [2026/376] Is PSI Really Faster Than PSU? Achieving Efficient ...
25. [2026/377] Perfectly Secure Network-Agnostic MPC Comes for Free
26. [2026/378] Information-Theoretic Network-Agnostic MPC with ...
27. [2026/379] Pairing-based Functional Commitments for Circuits ...
28. [2026/380] Lattice HD Wallets: Post-Quantum BIP32 Hierarchical ...
29. [2026/381] Multi-Committee MPC: From Unanimous to Identifiable ...
30. [2026/382] Multi-key Security in the Quantum World: Revisiting ...
31. [2026/383] HCTR$^{++}$ : A Beyond Birthday Bound Secure HCTR2 ...
32. [2026/384] The Structured Generic-Group Model
33. [2026/385] Bridging Privacy and Utility: A Verifiable ...
34. [2026/386] Determining those Boolean functions whose ...
35. [2026/387] A Comprehensive Break of the Tropical Matrix-Based ...
36. [2026/388] Necessary and Sufficient Conditions for the ...
37. [2026/389] Towards Accountability for Anonymous Credentials
38. [2026/390] Succinct Arguments for BatchQMA and Friends under 6 ...
39. [2026/391] Zero-Knowledge IOPPs for Constrained Interleaved Codes
40. [2026/392] Fast cube roots in Fp2 via the algebraic torus
41. [2026/393] VROOM: Accelerating (Almost All) Number-Theoretic ...
42. [2026/394] SQISign on ARM
43. [2026/395] How To Make Delegated Payments on Bitcoin: A ...
44. [2026/396] Anonymity of X-Wing and its Variants
45. [2026/397] Bittersweet Signatures: Bringing LWR to a Picnic ...
46. [2026/398] Orthus: Practical Sublinear Batch-Verification of ...
47. [2026/399] What a Wonderful World: zkSNARKs in the Algebraic ...
48. [2026/400] Non-interactive Blind Signatures with Threshold ...
49. [2026/401] NIROPoK-Based Post-Quantum Sidechain Design on Ethereum
50. [2026/402] Conditionally Linkable Attribute-Based Signatures
51. [2026/403] On the Need for (Quantum) Memory with Short Outputs
## 2025/1067
* Title: Full Anonymity in the Asynchronous Setting from Peony Onion Encryption * Authors: Megumi Ando, Miranda Christ, Kashvi Gupta, Tal Malkin, Dane Smith
* [Permalink](
https://eprint.iacr.org/2025/1067)
* [Download](
https://eprint.iacr.org/2025/1067.pdf)
### Abstract
Onion routing is a popular and practical approach to anonymous communication, and the subject of a growing body of work on designing efficient schemes with provable anonymity, the strongest notion being full anonymity. However, all prior schemes achieving full anonymity assume a synchronous communication setting, which is unrealistic since real networks suffer from message loss and timing attacks. Recently, Ando, Lysyanskaya, and Upfal (TCCrCO24) made progress toward the asynchronous setting by introducing bruisable onion encryption and constructing an efficient protocol with the weaker guarantee of differential privacy.
In this paper, we construct the first efficient fully anonymous onion routing protocol in the asynchronous setting. To do so, we address two main challenges: (1) we develop the first bruisable onion encryption scheme that does not leak information about the onionrCOs position on the routing path, and (2) we design an onion routing protocol using this primitive to achieve full anonymity, rather than only differential privacy. Along the way, we also give a new fully anonymous protocol in the synchronous setting, improving the state-of-the-art in both communication and round complexity.
Both protocols are secure against an active adversary that corrupts a constant fraction of nodes (up to < 1 in the synchronous case, and < 1/2 in the asynchronous case), and rely on standard cryptographic assumptions (CCA-secure public-key encryption and collision-resistant hash functions).
## 2025/1806
* Title: Improved Integral Attack on ChiLow-32 Exploiting the Inverse of the ChiChi Function
* Authors: Akram Khalesi, Zahra Ahmadian, Hosein Hadipour
* [Permalink](
https://eprint.iacr.org/2025/1806)
* [Download](
https://eprint.iacr.org/2025/1806.pdf)
### Abstract
The protection of executable code in embedded systems requires efficient mechanisms that ensure confidentiality and integrity. Belkheyar et al. recently proposed the Authenticated Code Encryption (ACE) framework, with ChiLow-(32 + $\tau$) as the first instantiation of ACE2 at EUROCRYPT 2025. The design of ChiLow-(32 + $\tau$) is based on a 32-bit tweakable block cipher with a quadratic nonlinear layer, known as ChiChi (denoted by $\chi\!\!\chi$), and a nested tweak key schedule optimized for secure code execution under strict query limits.
In this work, we study the resistance of ChiLow to integral cryptanalysis. We identify new integral distinguishers in both the single-tweak and related-tweak models. Using these results and a nested strategy to recover all round tweaks, we present a key-recovery attack on 7 out of 8 rounds of ChiLow. The central contribution of our work is that it resolves the challenge of deriving the master key from the recovered round tweaks, an open problem highlighted by the designers and in a recent cryptanalysis by Peng et al. The attack on 7 rounds requires $2^{6.32}$ chosen ciphertexts, has a time complexity of about $2^{121.75}$ encryptions, and requires negligible memory.
## 2025/1809
* Title: On the Security of Linear Secret Sharing with General Noisy Side-Channel Leakage
* Authors: Utkarsh Gupta, Hessam Mahdavifar
* [Permalink](
https://eprint.iacr.org/2025/1809)
* [Download](
https://eprint.iacr.org/2025/1809.pdf)
### Abstract
Secret sharing is a foundational cryptographic primitive for sharing keys in distributed systems. In a classical $(n,t)$-threshold setting, it involves a dealer who has a secret, a set of $n$ users to whom shares of the secret are sent, and a threshold $t$ which is the minimum number of shares required to recover the secret. These schemes offer an all-or-nothing security approach where less than $t$ shares reveal no information about the secret. But these guarantees are threatened by side-channel attacks which can leak partial information from each share. Initiated by Benhamouda et al. (Crypto'18), the security of linear secret sharing schemes has been studied for bounded leakage attack models, which assume that the adversary can leak bounded functions of each share. However, this model does not translate into real-world attacks, as physical side-channels are inherently noisy. The $\delta$-noisy channel model, proposed by Prouff and Rivain (EurocryptrCO13), is a general leakage framework which captures the noisy behavior of side-channels. In this work, we study the security of linear secret sharing schemes with $\delta$-noisy leakage, and show bounds on the mutual information (MI) and statistical bias ($\Delta^{\mathrm{TV}}$) security metrics. Our results are based on the Fourier analytical framework, first used by Benhamouda et al. (Crypto'18), adapted to the $\delta$-noisy leakage model. To give security bounds, we introduce a security parameter $\eta\le \min{\{1,2\delta\}}$, determined by the Fourier linear biases of the posterior distributions of the leaked secret shares. Then, the Poisson summation formula enables us to bound the ratio between the observed leakage for some given secret, and leakage under independence as $(1\pm \eta^t)$. This is then used to show a) $(n,t \ge \tau (n+1))$-threshold schemes over $\mathbb{F}_q$ have at most $\mathcal{O}(q^{-t(\gamma+1-1/\tau)})$ leakage, given $\eta \le q^{-\gamma}$; and consequently b) for $(n,n)$-threshold schemes the guessing advantage is at most $(q-1) \cdot \eta^n \le (q-1)\cdot (2 \delta)^n$. This work can be viewed as a next step towards closing the gap between theory and practice in leakage resilient cryptography.
## 2025/1828
* Title: Block-Accumulate Codes: Accelerated Linear Codes for PCGs and ZK
* Authors: Vladimir Kolesnikov, Stanislav Peceny, Rahul Rachuri, Srinivasan Raghuraman, Peter Rindal, Harshal Shah
* [Permalink](
https://eprint.iacr.org/2025/1828)
* [Download](
https://eprint.iacr.org/2025/1828.pdf)
### Abstract
Linear error-correcting codes with fast encoding and high minimum distance are a central primitive across modern cryptography. They appear prominently in at least two domains: (1) pseudorandom correlation generators (PCGs), which enable sublinear-communication generation of correlations such as oblivious transfer and vector oblivious linear evaluation, and (2) zero-knowledge proof systems, where linear-time encoders underpin proof soundness and scalability. In both settings, the prover or sender must multiply by a large generator matrix $\mathbf{G}$, often with dimensions in the millions, making computational efficiency the dominant bottleneck.
We propose a generalized paradigm for building crypto-friendly codes with provable minimum distance. Roughly speaking, these codes are based on the idea of randomized turbo codes such as repeat accumulate codes. We prove that their asymptotic minimum distance is linear and compute the exact expected weight spectrum of the codes for concrete sizes. We observe that our codes achieve full Gilbert-Varshamov minimum distance and outperform all prior constructions.
We construct several novel codes, the most promising of which we call Block-Accumulate codes. Our codes are the fastest on both GPUs and CPUs. If we restrict our attention to codes with provable distance, our code is $8\times$ faster than state of the art on a CPU and $50\times$ faster on a GPU. Even if we use aggressive parameters with conjectured distance, our code is $3\times$ and $20\times$ faster, respectively. Under these parameters, this yields overall PCG speedups of $2.5\times$ on the CPU and $15\times$ on the GPU, achieving about 200 million OTs or binary Beaver triples per second on the GPU (excluding the one-time 10 ms GGM seed expansion). We also observe a $3\times$ speedup and half the peak memory consumption of the Blaze zero-knowledge (PCS) scheme of Brehm et al. (Eurocrypt 25).
## 2025/1844
* Title: Bird of Prey: Practical Signature Combiners Preserving Strong Unforgeability
* Authors: Jonas Janneck
* [Permalink](
https://eprint.iacr.org/2025/1844)
* [Download](
https://eprint.iacr.org/2025/1844.pdf)
### Abstract
Following the announcement of the first winners of the NIST post-quantum cryptography standardization process in 2022, cryptographic protocols are now undergoing migration to the newly standardized schemes. In most cases, this transition is realized through a hybrid approach, in which algorithms based on classical hardness assumptions, such as the discrete logarithm problem, are combined with post-quantum algorithms that rely on quantum-resistant assumptions, such as the Short Integer Solution (SIS) problem.
A combiner for signature schemes can be obtained by simply concatenating the signatures of both schemes. This construction preserves unforgeability of the underlying schemes; however, it does not extend to stronger notions, such as strong unforgeability. Several applications, including authenticated key exchange and secure messaging, inherently require strong unforgeability, yet no existing combiner is known to achieve this property.
This work introduces three practical combiners that preserve strong unforgeability and all BUFF (beyond unforgeability features) properties. Each combiner is tailored to a specific class of classical signature schemes capturing all broadly used schemes that are strongly unforgeable. Remarkably, all combiners can be instantiated with any post-quantum signature scheme in a black-box way making deployment practical and significantly less error prone. The proposed solutions are further highly efficient and have signatures that are at most the size of the (insecure) concatenation combiner. For instance, our most efficient combiner enables the combination of EdDSA with ML-DSA, yielding a signature size that is smaller than the sum of an individual EdDSA signature and an individual ML-DSA signature.
Additionally, we identify a novel signature property that we call random-message validity and show that it can be used to replace the BUFF transform with the more efficient Pornin-Stern transform. The notion may be of independent interest.
## 2026/212
* Title: PANCAKE: A SNARK with Plonkish Constraints, Almost-Free Additions, No Permutation Check, and a Linear-Time Prover
* Authors: Yuxi Xue, Peimin Gao, Xingye Lu, Man Ho Au
* [Permalink](
https://eprint.iacr.org/2026/212)
* [Download](
https://eprint.iacr.org/2026/212.pdf)
### Abstract
We present \(\mathsf{Pancake}\), a linear-time SNARK with a circuit-specific setup that eliminates the explicit representation and separate verification of addition gates in Plonkish constraint systems. Specifically, we consolidate wiring constraints and addition-gate constraints into a single family of general linear constraints, which can be enforced efficiently via a single sumcheck protocol. As a result, \(\mathsf{Pancake}\) achieves ``almost-free'' addition gates, which significantly reduces the witness size and directly improves prover efficiency while preserving full support for high-degree custom gates.
Our implementation shows that \(\mathsf{Pancake}\) outperforms the state-of-the-art Plonkish SNARK \(\mathsf{HyperPlonk}\) (Chen et al., EUROCRYPT 2023) in terms of prover efficiency. For a circuit size of $2^{24}$ where half the gates are additions, \(\mathsf{Pancake}\) achieves prover speedups of $1.67\times$ (single-threaded) and $2.43\times$ (32-threaded), while also generating smaller proofs and maintaining comparable verification time.
## 2026/225
* Title: Solving SIS in any norm via Gaussian sampling
* Authors: Maiara F. Bollauf, Amaury Pouly, Yixin Shen
* [Permalink](
https://eprint.iacr.org/2026/225)
* [Download](
https://eprint.iacr.org/2026/225.pdf)
### Abstract
The Short Integer Solution (SIS) problem plays an important role in lattice-based cryptography. In this paper, we construct a natural and simple algorithm that allows us to solve the SIS problem for any norm in the case where the norm bound $\ell$ is smaller than half the modulus $q$. The algorithm consists in using a discrete Gaussian sampler on the SIS $q$-ary lattice to obtain many lattice vectors, and requires to estimate the probability that one of them is non-zero and falls into a ball of radius $\ell$ in the given norm. For the latter, we improve upon previous analysis of random $q$-ary lattice by obtaining tight bounds on the expected value and variance of the Gaussian mass of the entire lattice and of an $\ell_p$-norm ball, for any $p\in(0,\infty]$. These bounds require new technical results on the discrete Gaussian distribution and on the ratio of two Gaussian mass functions of $\mathbb{Z}$. This allows us to show that the proposed algorithm is provably correct. When instantiated with a Markov chain Monte Carlo (MCMC)-based discrete Gaussian sampler, the complexity of the algorithm can be estimated precisely. Although our algorithm does not break Dilithium, it is at least 50 bits faster than the recent algorithm of Ducas, Engelberts and Loyer \cite{DEJ25} in Crypto 2025 for all security levels.
## 2026/249
* Title: Have Your CKAKE and Eat it, Too: Efficient, Composable KEM-Authenticated Key Exchange
* Authors: Myrto Arapinis, Christopher Battarbee, Mina Doosti
* [Permalink](
https://eprint.iacr.org/2026/249)
* [Download](
https://eprint.iacr.org/2026/249.pdf)
### Abstract
We report on a novel authenticated key-exchange (AKE) protocol where the authentication is achieved entirely by key-encapsulation mechanisms (KEMs). Techniques to achieve AKE with KEMs have been known for some time, but have received renewed attention in a post-quantum world; in contrast to classical cryptography, the data corresponding to the NIST post-quantum KEM standard is a significant save on bandwidth compared to the signature standard. Previous KEM-authenticated AKE protocols are not known to be composable; our protocol offers similar security guarantees, plus composability, while being more efficient in terms of bandwidth compared to non-composable KEM-based AKE protocols, and composable signature-based AKE protocols. Our protocol features a modular design, and a full security proof in the Constructive Cryptography (CC) framework, one of the major composable security frameworks. We also prove the forward secrecy of our protocol, and introduce generic techniques to prove forward secrecy in CC, which may be of independent interest.
## 2026/260
* Title: Investigating the Wedge Map on SNOVA
* Authors: Po-En Tseng, Lih-Chung Wang, Peigen Li, Yen-Liang Kuan
* [Permalink](
https://eprint.iacr.org/2026/260)
* [Download](
https://eprint.iacr.org/2026/260.pdf)
### Abstract
This paper investigates the algebraic structure of SNOVA, a NIST PQC Round 2 candidate, with a specific focus on the kernel dimension of the wedge map. We employ lifting techniques to transform the public key from the matrix ring $\mathbb{F}_q^{l \times l}$ to an equivalent representation over the extension field $\mathbb{F}_{q^l}$, establishing that the rank of the wedge map is a structural invariant. A key contribution of this work is the derivation of a generating function that explicitly characterizes the wedge map's kernel dimension. This algebraic analysis provides a rigorous understanding of SNOVA's geometry, verifying the safety of specific parameter sets and enabling future refined adjustments to guarantee structural security.
## 2026/272
* Title: On the Complexity of Interactive Arguments
* Authors: Idan Baril, Iftach Haitner
* [Permalink](
https://eprint.iacr.org/2026/272)
* [Download](
https://eprint.iacr.org/2026/272.pdf)
### Abstract
We study the minimal hardness assumptions required for constructing interactive arguments
for NP, focusing on succinct argumentsrCowhere the proverrCOs total communication is smaller
than the witness sizerCoand on relaxed forms of zero knowledge, such as witness indistinguisha-
bility. Known constructions of succinct arguments rely on various types of collision-resistant
hash functions, indistinguishability obfuscation, hardness of discrete logarithm, and lattice-based
assumptions, while known constructions of witness-indistinguishable arguments require one-way
functions (OWFs). This suggests that succinct witness-indistinguishable interactive arguments
require OWFs, or equivalently, that the existence of such arguments implies that of OWFs.
Nevertheless, we prove that, at least as far as fully black-box reductions are concerned,
interactive arguments do not imply OWFs. Specifically, we consider assumption-dependent fully
black-box reductions from OWFs to succinct witness-indistinguishable interactive arguments
and an additional hardness assumption G (e.g., NP|+ rea P/poly). Such a reduction is a pair
(f, R) of (oracle-aided) function f and algorithm R such that, for any witness-indistinguishable
interactive argument +a = (P, V) and any inverter Inv of f +a, the algorithm R+a,Inv breaks either
the soundness of +a or the assumption G. We prove that the existence of such a reduction implies
a black-box reduction from OWFs to G alone. Namely, beyond what is implied by G, succinct
witness-indistinguishable interactive arguments have no black-box implications for the existence
of OWFs.
## 2026/276
* Title: On the conversion of module representations for higher dimensional supersingular isogenies
* Authors: Aurel Page, Damien Robert, Julien Soumier
* [Permalink](
https://eprint.iacr.org/2026/276)
* [Download](
https://eprint.iacr.org/2026/276.pdf)
### Abstract
We expand the well developed toolbox between quaternionic ideals and supersingular elliptic curves into its higher dimensional version, namely (Hermitian) modules and maximal supersingular principally polarized abelian varieties. One of our main result is an efficient algorithm to compute an unpolarized isomorphism $A \simeq E_0^g$ given the abstract module representation of $A$. This algorithm relies on a subroutine that solves the Principal Ideal Problem in matrix rings over quaternion orders, combined with a higher dimensional generalisation of the Clapotis algorithm. To illustrate the flexibility of our framework, we also use it to reduce the degree of the output of the KLPT$^2$ algorithm, from $O(p^{25})$ to $O(p^{15.5})$.
## 2026/292
* Title: Crossing with Confidence: Formal Analysis and Model Checking of Blockchain Bridges
* Authors: Pyrros Chaidos, Pooya Farshim, Denis Firsov, Dimitar Jetchev, Aggelos Kiayias, Markulf Kohlweiss, Anca Nitulescu
* [Permalink](
https://eprint.iacr.org/2026/292)
* [Download](
https://eprint.iacr.org/2026/292.pdf)
### Abstract
We develop formal code-based security definitions for blockchain bridges and apply them to several bridge architectures deployed in practice. We derive both traditional pen-and-paper proofs and on the other, automated guarantees against bounded counterexamples. The latter is achieved via bounded model checking of our formally specified properties, implemented in Quint, a specification language and model checker closely related to TLA+.
Our definitions are expressed in a precise, code-based variant of the Universal Composition (UC) framework. This enables the modular use of hybrid functionalitiesrCoeven for property-based definitionsrCoand is essential for bounded model checking, where underlying primitives must be idealized.
Accordingly, we idealize and model-check all building blocks used in our protocols. Notably, we formulate a novel UC ideal functionality for Advanced Threshold Signatures (ATS) and modelcheck it for attacks to ensure its robustness
## 2026/294
* Title: Post-Quantum Adaptor Signatures with Strong Security from Cryptographic Group Actions
* Authors: Ryann Cartor, Nathan Daly, Giulia Gaggero, Jason T. LeGrow, Andrea Sanguineti, Silvia Sconza
* [Permalink](
https://eprint.iacr.org/2026/294)
* [Download](
https://eprint.iacr.org/2026/294.pdf)
### Abstract
We present One Round "Cheating" Adaptor Signatures (OR-
CAS): a novel and eN4Cicient construction of adaptor signature schemes
from CSI-FiSh. Our protocol improves substantially on existing group action-based schemes: Unlike IAS (Tairi et al., FC 2021), our scheme
does not require expensive non-interactive zero-knowledge proofs, and
unlike adaptor MCSI-FiSh (Jana et al., CANS 2024) our construction
does not require any modification to the underlying digital signature
scheme. We prove the protocolrCOs security under the strong security no-
tions of Dai et al. (Indocrypt 2022) and Gerhart et al. (Eurocrypt 2024).
## 2026/318
* Title: Distributed Monotone-Policy Encryption for DNFs from Lattices
* Authors: Jeffrey Champion, David J. Wu
* [Permalink](
https://eprint.iacr.org/2026/318)
* [Download](
https://eprint.iacr.org/2026/318.pdf)
### Abstract
Distributed monotone-policy encryption augments public-key encryption with fine-grained decryption capabilities in a trustless manner. In this scheme, users independently generate a public/private key-pair and post their public key to a public-key directory. Thereafter, anyone can encrypt a message to a set of public keys together with an access policy. Any set of users that satisfies the access policy can decrypt the ciphertext while the message should remain computationally hidden to any unsatisfying set of users. The primary efficiency requirement is succinctness: namely, the size of the ciphertext should be sublinear (or polylogarithmic) in the description length of the policy. Distributed monotone-policy encryption directly generalizes recent trustless cryptographic notions like threshold encryption with silent setup and distributed broadcast encryption.
In this work, we show how to construct distributed monotone-policy encryption for Boolean formulas in disjunctive normal form (DNF formulas) that supports an unbounded number of users. Security relies on the decomposed learning with errors (LWE) assumption, a simple and falsifiable lattice assumption, in the random oracle model. Previously, such a scheme was only known from plain witness encryption in the random oracle model. Our scheme has a transparent setup and the ciphertext size is $\mathsf{poly}(\lambda, \log N)$, where $N$ is the number of variables in the DNF formula.
## 2026/320
* Title: Statistically Secure Asynchronous MPC with Linear Communication and $\mathcal{O}(n^5)$ Additive Overhead
* Authors: Xiaoyu Ji, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/320)
* [Download](
https://eprint.iacr.org/2026/320.pdf)
### Abstract
Secure multiparty computation (MPC) allows distrusted parties to jointly evaluate a common function while keeping their inputs private. In this work, we focus on improving the communication complexity of information-theoretic asynchronous MPC with optimal resilience ($t < n/3$). The current state-of-the-art work in this setting by Goyal, Liu-Zhang, and Song [CryptorCO24] achieves amortized linear communication per gate with $\Omega(n^{14})$ additive overhead. In comparison, the best-known result in the synchronous setting by Goyal, Song, and Zhu [CryptorCO20] achieves the amortized linear communication per gate with only $\mathcal{O}(n^{6})$ additive overhead, revealing a significant gap that we aim to close.
This work closes this gap and goes further. We present the first statistically secure asynchronous MPC protocol achieving amortized linear communication per gate with only $\mathcal{O}(n^{5})$ additive overhead assuming a functionality for Agreement on Common Set (ACS). With the best-known instantiation for ACS, we obtain an asynchronous MPC protocol in the plain model with additive overhead $\mathcal{O}((\kappa+n)n^4\log\kappa)$ in expectation, where $\kappa$ is the security parameter. In the setting of statistical security with optimal resilience, this even surpasses the best synchronous result when $n\geq\sqrt{\kappa\log\kappa}$.
Technically, our contributions include (i) a new protocol for generating Beaver triples with linear communication per triple and $\mathcal{O}(n^3)$ additive overhead assuming functionalities for generating random degree-$t$ Shamir sharings and ACS, and (ii) a new protocol for generating random degree-$t$ Shamir sharings with linear communication per sharing and $\mathcal{O}(n^{5})$ additive overhead assuming a functionality for ACS.
## 2026/339
* Title: $\mathsf{Spectra}$: Interval-Agnostic Vector Range Argument for Unstructured Range Assertions
* Authors: Hao Gao, Qianhong Wu, Bo Qin, Fudong Wu, Zhenyang Ding, Zhiguo Wan
* [Permalink](
https://eprint.iacr.org/2026/339)
* [Download](
https://eprint.iacr.org/2026/339.pdf)
### Abstract
A structured vector range argument proves that a committed vector $\mathbf{v}$ lies in a well-structured range of the form $[0,2^d-1]$. This structure makes the protocol extremely efficient, although it cannot handle more sophisticated range assertions, such as those arising from non-membership attestations. To address this gap, we study a more general setting not captured by prior constructions. In this setting, for each $i$, the admissible integer set for $v_i$ is a union of $k$ intervals $\mathsf{R}_i \overset{\text{def}}{=} \bigcup_{j=0}^{k-1}\left[l_{i,j},r_{i,j}\right]$. In this work, we present novel techniques to prove that $\mathbf{v} \in \mathbb{Z}^n_p$ lies within $\mathsf{R}_0 \times \mathsf{R}_1 \times \cdots \times \mathsf{R}_{n-1}$. We first introduce $\mathsf{RangeLift}$, a generic compiler that lifts a structured vector range argument to support such unstructured range assertions.
Then we present $\mathsf{Spectra}$, a realization of $\mathsf{RangeLift}$ over the $\mathsf{KZG}$-based vector commitment scheme. $\mathsf{Spectra}$ achieves succinct communication and verifier time; its prover complexity is $O(n\,\tfrac{\log N}{\log\log N}\cdot \log(n\tfrac{\log N}{\log\log N}))$, where $N$ upper bounds the maximum interval size across all $\mathsf{R}_i$. Notably, $\mathsf{Spectra}$ is interval-agnostic, meaning its prover complexity is independent of the number of intervals $k$; therefore, its prover cost matches the single-interval case even when each $\mathsf{R}_i$ is composed of hundreds of thousands of intervals. We also obtain two new structured vector range arguments and a batching-friendly variant of the $\mathsf{Cq}^{+}$ lookup argument (PKC'24), which are also of independent interest. Experiments show that $\mathsf{Spectra}$ outperforms well-known curve-based vector range arguments on standard metrics while supporting strictly more expressive range assertions.
## 2026/352
* Title: Migrating Bitcoin and Ethereum Addresses to the Quantum Blockchain Era * Authors: Mehmet Sabir Kiraz, Suleyman Kardas
* [Permalink](
https://eprint.iacr.org/2026/352)
* [Download](
https://eprint.iacr.org/2026/352.pdf)
### Abstract
Recent advances in quantum computing threaten the cryptographic foundations of blockchain systems, including Bitcoin and Ethereum, which rely on elliptic-curve cryptography (ECC) for security. Algorithms such as Shor's algorithm can efficiently solve the discrete logarithm problem (DLP), enabling recovery of private keys from public keys. Existing funds, especially those tied to long-lived addresses or unspent coinbase outputs (such as Satoshi Nakamoto's bitcoins), and Ethereum externally owned accounts become vulnerable once large-scale quantum computers become available. While previous work has suggested post-quantum signature schemes and migration strategies, no widely deployed, end-to-end, backward-compatible, and privacy-preserving migration mechanism has been presented for migrating legacy funds without revealing the corresponding classical public keys on-chain.
In this paper, we present a complete framework for secure migration of both spent and unspent Bitcoin and Ethereum assets to a post-quantum (PQ) security model, using a hybrid approach based on post-quantum signatures and quantum-resistant zero-knowledge proofs (ZKPs). We design zkSTARK circuits that prove knowledge of a witness linking a legacy Bitcoin or Ethereum address to a fresh PQ public key without disclosing the legacy elliptic-curve public key on-chain. We also formalize a one-way post-quantum transition model for migrated assets: legacy authorization is used only at enrollment, while future authorization semantics are governed by post-quantum credentials and migrated-state registry semantics. We further show why hash-security margins must be re-evaluated in the quantum setting by distinguishing collision resistance (BHT-style attacks, approximately $2^{n/3}$) from preimage resistance (Grover-style attacks, approximately $2^{n/2}$), and we motivate hash agility for migration-era commitments and registries. To enable verifiable on-chain transitions, we propose new primitives (\texttt{OP\_CHECKQUANTUMSIG}, \texttt{OP\_CHECKSTARKPROOF}), enabling verification of quantum-safe proofs and signatures. Our work and implementation\footnote{\href{
https://github.com/skardas/pq_bitcoin}{\texttt{github.com/skardas/pq\_bitcoin}}} provide a practical framework for securing legacy blockchain assets against quantum-era threats while preserving backward compatibility and operational continuity.
## 2026/358
* Title: Round-Based Approximation of (Higher-Order) Differential-Linear Correlation
* Authors: Kai Hu, Zhongfeng Niu, Meiqin Wang
* [Permalink](
https://eprint.iacr.org/2026/358)
* [Download](
https://eprint.iacr.org/2026/358.pdf)
### Abstract
This paper presents a new method for approximating the correlations of differential-linear distinguishers.
From the perspective of Beyne's geometric approach, the differential-linear correlation is a corresponding coordinate of the \textit{correlation vector} associated with the ciphertext multiset, which can be obtained by using the correlation matrix of the \textit{2-wise form} of the cipher.
The composite nature of the correlation matrix leads to a round-based approach to approximate the correlation vector.
This simple approximation is remarkably precise, yielding the most accurate estimation for differential-linear correlations in \ascon thus far and the first DL distinguishers for 6-round \ascon-128a initialization.
For \present, we present 17-round DL distinguishers, 4 rounds longer than the current record.
To apply the round-based approach to ciphers with the large Chi ($\chi$) function as nonlinear functions, we derive theorems to handle the correlation propagation for $\chi$ and its 2-wise form.
Strong DL distinguishers for up to 6 rounds of \subterranean and \koala-$p$ are provided, 2 rounds longer than the previous differential and linear distinguishers.
Furthermore, the round-based approximation idea is also extended to the higher-order differential-linear distinguishers.
We give the first second-order DL distinguisher for 6-round \ascon-128 initialization and the first second-order DL distinguishers for up to 7 rounds of \subterranean and \koala-$p$.
## 2026/367
* Title: High-Precision Functional Bootstrapping for CKKS from Fourier Extension
* Authors: Song Bian, Yunhao Fu, Ruiyu Shen, Haowen Pan, Anyu Wang, Zhenyu Guan * [Permalink](
https://eprint.iacr.org/2026/367)
* [Download](
https://eprint.iacr.org/2026/367.pdf)
### Abstract
We introduce a new (amortized) functional bootstrapping framework over the CKKS homomorphic encryption (HE) scheme based on Fourier extension. While approximating the modular reduction function in CKKS bootstrapping through Fourier series is a well-known technique, how such method can be efficiently generalized to functional bootstrapping is less understood. In this work, we show that, by constructing proper Fourier extensions, any function with a bounded domain in the smoothness class $C^{\kappa}$ can be approximated by a degree-$n$ Fourier series with errors of order $O(n^{-\kappa-2})$ (except at the singularities), improving on previous results on a global error bound of $O(n^{-1})$ [AKP2025]. To achieve such bound, we propose a new way of constructing Fourier extensions, such that the extended functions appear as smooth as possible in the sense of a Fourier approximation. By implementing our functional bootstrapping over OpenFHE, we demonstrate that we can improve the data precision by $10$-$27$ bits and reduce the amortized FBS latency by $1.1$-$2\times$ over a variety of benchmarking functions.
## 2026/372
* Title: Distributed Monotone-Policy Encryption with Silent Setup from Lattices * Authors: Abtin Afshar, Rishab Goyal, Saikumar Yadugiri
* [Permalink](
https://eprint.iacr.org/2026/372)
* [Download](
https://eprint.iacr.org/2026/372.pdf)
### Abstract
Distributed cryptography serves as a cornerstone for building trustless systems, yet existing solutions for distributed policy encryption typically require either a trusted dealer or complex interactive setup protocols. Recent advances have introduced the concept of $silent~setup$, where users independently generate keys and a joint public key is derived deterministically. However, all current silent-setup constructions rely on bilinear pairings, leaving them vulnerable to quantum adversaries. In this work, we present the first distributed monotone-policy encryption scheme with silent setup based on lattices. Our construction supports arbitrary monotone policies represented as Disjunctive Normal Forms (DNFs) and provides a robust, post-quantum foundation for decentralized access control.
## 2026/373
* Title: Partially Non-Interactive Two-Round Threshold and Multi-Signatures with Tighter and Adaptive Security
* Authors: Yanbo Chen
* [Permalink](
https://eprint.iacr.org/2026/373)
* [Download](
https://eprint.iacr.org/2026/373.pdf)
### Abstract
Threshold and multi-signature schemes enable a group of signers to jointly sign messages. In the pairing-free discrete-logarithm setting, there have been extensive research efforts on two-round threshold and multi-signature schemes. A prominent category is partially non-interactive schemes, where the first round is message-independent and can be preprocessed offline. However, there exist gaps in security properties between partially non-interactive schemes and fully online schemes. While there are fully online schemes that achieve rewinding-free or fully adaptive security based on standard assumptions, existing partially non-interactive schemes require the adversary to act algebraically or rely on non-standard assumptions for these properties.
We bridge this gap by proposing a family of new constructions of partially non-interactive threshold and multi-signature schemes. Central to our constructions is a technique that renders HBMS (Bellare and Dai, Asiacrypt 2021) and its variants partially non-interactive. Specifically, we present the following instances:
- The first partially non-interactive two-round multi-signature scheme with a rewinding-free reduction under standard assumptions. This scheme provides a tighter security guarantee against non-algebraic adversaries than all prior partially non-interactive schemes.
- The first partially non-interactive two-round threshold signature scheme achieving fully adaptive security against non-algebraic adversaries under standard assumptions.
## 2026/374
* Title: WOTS-Tree: Merkle-Optimized Winternitz Signatures for Post-Quantum Bitcoin
* Authors: Javier Mateos
* [Permalink](
https://eprint.iacr.org/2026/374)
* [Download](
https://eprint.iacr.org/2026/374.pdf)
### Abstract
We present WOTS-Tree, a stateful hash-based signature scheme for Bitcoin that combines WOTS+ one-time signatures with a binary Merkle tree, supporting up to $2^{21}$ independent signatures per address. The construction instantiates XMSS with parameters specifically optimized for Bitcoin's UTXO model, using a dual hash function design: SHA-256 truncated to 128 bits ($n=16$, $w=256$) for WOTS+ chain evaluations, and full 256-bit SHA-256 for Merkle tree compression. Deployed as dual leaves within BIP-341 Taproot (compatible with the proposed BIP-360 Pay-to-Merkle-Root), the default (hardened) mode provides: (i) a fast-path for single-use UTXOs at 353 bytes, and (ii) a fallback tree for Replace-By-Fee and address reuse at 675 bytes ($K=1{,}024$). For Lightning channels, $K=2^{21}$ yields 1,028-byte witnesses with a 19-second one-time setup. An opt-in compact mode using truncated 128-bit Merkle nodes reduces witnesses to 515--692 bytes at the cost of reduced Merkle binding security ($\approx 60$ bits). WOTS-Tree achieves strict L1 verification bounds of 4,601 hashes ($\approx 0.009$ ms on SHA-NI hardware). The default parameterization provides 115.8-bit classical and 57.9-bit quantum forgery resistance, with the Merkle binding at $\approx 124$ bits, exceeding the WOTS+ forgery bound in both classical and quantum settings. We provide a complete security reduction with concrete bounds, a dual hash instantiation analysis, and a reference implementation with comprehensive test coverage. Default-mode witnesses are $4$--$7\times$ smaller than hypertree variants while aligning naturally with Bitcoin's spend-once transaction model.
## 2026/375
* Title: Liquid Democracy With Two Opposing Factions
* Authors: Krishnendu Chatterjee, Seth Gilbert, Stefan Schmid, Jakub Svoboda, Michelle Yeo
* [Permalink](
https://eprint.iacr.org/2026/375)
* [Download](
https://eprint.iacr.org/2026/375.pdf)
### Abstract
Liquid democracy is a transitive vote delegation process. Previously, the advantages of liquid democracy over
direct voting have been studied in settings where there is a ground truth rCLgoodrCY voting outcome. In this
work, we analyse liquid democracy in a realistic setting with two opposing factions without a ground truth
and under uncertainty. Formally, we consider EYac voters who want to decide on some binary issue by voting.
Each voter has a preference in {0, 1} that represents the opinion of the voter on these issues. That is, a voter
with preference 0 prefers to vote for option 0. We refer to voters with the same preference as being in the
same faction. The goal is for voters in the same faction to cooperatively decide on vote delegation strategies
that maximise their probability of winning the election. In this setting, we present a practical distributed
algorithm under realistic assumptions to decide on an approximately vote delegation strategy that involves
minimal interaction and communication, and under incomplete information about the opposing faction. We
then provide a complete analytical characterisation of optimal vote delegation strategies under complete
information about the opposing faction. Finally, we show that finding optimal delegation strategies in the
general setting is PSPACE-complete.
## 2026/376
* Title: Is PSI Really Faster Than PSU? Achieving Efficient PSU with Invertible Bloom Filters
* Authors: Lucas Piske, Ni Trieu
* [Permalink](
https://eprint.iacr.org/2026/376)
* [Download](
https://eprint.iacr.org/2026/376.pdf)
### Abstract
Private Set Union (PSU) enables two parties to compute the union of their private sets without revealing anything beyond the union itself. Existing PSU protocols remain much slower than private set intersection (PSI), often by a factor of around $30\times$.
In this work, we present the first PSU protocol based on Invertible Bloom Lookup Tables (IBLTs), introducing a fundamentally new framework that departs from traditional, inefficient approaches. Our protocol exploits structural invariants between each partyrCOs IBLTs and their union to compute the union efficiently without explicitly constructing a combined IBLT. Central to our approach is the notion of union peelability, which allows union elements to be recovered directly from the original IBLTs. We securely implement this functionality using only Oblivious Transfer (OT) and Oblivious Pseudorandom Function (OPRF) for equality checks, ensuring no information beyond the union is leaked.
As a result, for set sizes ranging from $2^{14}$ to $2^{20}$, our protocol achieves a runtime of $0.08$ to $2.95$ seconds in the LAN setting, which is comparable to state-of-the-art PSI. We also show substantial speedups over prior PSU workrCoup to $10\times$ faster in LAN settings and consistently faster in WAN scenariosrCowhile maintaining linear computation and communication complexity with small constants.
## 2026/377
* Title: Perfectly Secure Network-Agnostic MPC Comes for Free
* Authors: Xiaoyu Ji, Chen-Da Liu-Zhang, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/377)
* [Download](
https://eprint.iacr.org/2026/377.pdf)
### Abstract
Secure multiparty computation (MPC) allows a set of parties to jointly compute a function while keeping their inputs private. Classical MPC protocols assume either a synchronous or an asynchronous network. Synchronous protocols tolerate more corrupted parties but rely on a timing bound, while asynchronous protocols make no timing assumptions but handle fewer corruptions.
The network-agnostic model aims to combine the advantages of both. It requires security without knowing in advance whether the network is synchronous or asynchronous, guaranteeing resilience against up to $t_s$ corruptions in the synchronous case and $t_a$ corruptions in the asynchronous case. The optimal corruption threshold for perfect security has been established as $n = 2\max(t_s, t_a) + \max(2t_a, t_s) + 1$, but prior work either falls short of this threshold or requires exponential local computation.
In this work, we present the first perfectly secure network-agnostic MPC protocol with polynomial communication and computation complexity under the optimal threshold. Our protocol achieves expected communication complexity $\mathcal{O}((|C|n + (D+C_I)n^2 + n^6)\log n)$ bits for a circuit of size $|C|$ over a finite field $\mathbb{F}$ of size $\mathcal{O}(n)$, depth $D$, and input size $C_I$.
Our main technical contribution is a compiler that generates Beaver triples in the network-agnostic setting using synchronous and asynchronous triple-generation protocols in a black-box way. Beyond the cost of the underlying protocols, it only requires $\mathcal{O}(n^2)$ instances of network-agnostic Byzantine agreement.
## 2026/378
* Title: Information-Theoretic Network-Agnostic MPC with Polynomial Communication
* Authors: Xiaoyu Ji, Chen-Da Liu-Zhang, Daniel P||llmann, Yifan Song
* [Permalink](
https://eprint.iacr.org/2026/378)
* [Download](
https://eprint.iacr.org/2026/378.pdf)
### Abstract
Network-agnostic MPC protocols tolerate simultaneously a higher number of corruptions $t_s < n/2$ when the network is synchronous, and a lower number $t_a < n/3$ when the network is asynchronous. As such, they provide strong resilience, irrespective of the type of underlying communication network.
We focus on improving the communication complexity of network-agnostic MPC with optimal resilience $2t_s + t_a < n$. In this regime, there are no polynomial-time information-theoretic solutions and current computational protocols (without fully-homomorphic encryption) communicate $O(n^2)$ elements per multiplication gate.
In this work, we significantly advance the landscape by introducing the first information-theoretic protocol with quadratic communication per multiplication gate and the first computational protocol with linear communication per multiplication gate based solely on signatures and symmetric-key encryption.
## 2026/379
* Title: Pairing-based Functional Commitments for Circuits with Shorter Parameters
* Authors: David Balb|is, Dario Fiore, Russell W. F. Lai
* [Permalink](
https://eprint.iacr.org/2026/379)
* [Download](
https://eprint.iacr.org/2026/379.pdf)
### Abstract
Functional commitments (FCs) enable a prover to commit to a message and later produce a succinct proof of its image under any given admissible function. Unlike succinct non-interactive arguments (SNARGs), secure FCs can be realised under falsifiable assumptions in the standard model, making them attractive alternatives when fully algebraic constructions are desired. All known algebraic constructions of FC are either lattice-based or pairing-based. While a lattice-based FC for circuits with almost optimal complexities has been recently achieved [Wee, CRYPTO'25], state-of-the-art pairing-based FCs for bounded-width $w$ [Balb|is-Catalano-Fiore-Lai (BCFL), TCC'23] and bounded-size $s$ circuits [Wee-Wu, EUROCRYPT'24] require prohibitive public parameter sizes $O(\lambda w^5)$ and $O(\lambda s^5)$, respectively.
In this work, we present a new algebraic pairing-based FC which achieves $O(\lambda w^3)$ public parameter size for bounded-width $w$ and unbounded depth $d$ circuits. The construction preserves all nice properties of BCFL: $O(\lambda)$ commitment size, $O(\lambda d^2)$ proof size, additive homomorphism, efficient verification, and chainability. For bounded-size $s$ circuits, we alternatively obtain $O(\lambda s^3)$ public parameters with $O(\lambda d)$ proofs. At the core of our scheme lies a new chainable FC for quadratic functions with commitments computed with respect to a power basis, as well as techniques for switching between different commitment bases.
## 2026/380
* Title: Lattice HD Wallets: Post-Quantum BIP32 Hierarchical Deterministic Wallets from Lattice Assumptions
* Authors: Conor Deegan, James Fitzwater, Kamil Doruk Gur, David Nugent
* [Permalink](
https://eprint.iacr.org/2026/380)
* [Download](
https://eprint.iacr.org/2026/380.pdf)
### Abstract
Hierarchical deterministic (HD) wallets, standardized as BIP32, allow users to manage a tree of cryptographic key pairs from a single master seed. A defining feature is non-hardened derivation: child public keys can be derived from a parent public key alone, enabling watch-only wallets where a server generates fresh receiving addresses while the signing key remains offline. Existing constructions rely on the algebraic structure of elliptic curve public keys, and recovering this functionality in the post-quantum setting is an open problem. We present two post-quantum HD wallet constructions. The first uses ML-DSA and supports hardened (private-key-dependent) derivation with proofs of unlinkability and unforgeability. The second, our primary contribution, uses Raccoon-G, a variant of the Raccoon signature scheme with Gaussian-distributed secrets. We modify Raccoon-G to publish full, unrounded public keys, preserving linearity. Since the sum of Gaussians is again Gaussian with predictable wider variance, derived keys remain statistically close to freshly generated ones, enabling non-hardened public key derivation. We prove unlinkability and unforgeability under standard lattice assumptions, and introduce a method for generating rerandomizable Raccoon-G key pairs from fixed randomness with provable existential unforgeability. Both constructions are implemented in Rust. To our knowledge, this is the first post-quantum HD wallet construction that recovers BIP32's full public key derivation functionality with provable security under standard assumptions.
## 2026/381
* Title: Multi-Committee MPC: From Unanimous to Identifiable Abort
* Authors: Lichun Li, Hongqing Liu, Jiawei Ni, Chaoping Xing, Chen Yuan
* [Permalink](
https://eprint.iacr.org/2026/381)
* [Download](
https://eprint.iacr.org/2026/381.pdf)
### Abstract
In this work, we consider dishonest majority MPC protocols with $(1-\epsilon)n$ corrupted parties for some constant $\epsilon\in (0,1/2)$. In this setting, there exist MPC protocols with unanimous abort that achieve constant communication in both online and offline phases via a packed secret sharing scheme. Departing from their approaches, we revisit the ``committee-based'' approach to design an efficient MPC protocol with constant online and offline communication complexity.
To balance the communication load of each party, our protocol adopts multiple committees, each of constant size. The computation of circuit $C$ is then divided into layers, each assigned to one committee. To securely transmit messages between committees, we introduce the handoff gates, incurring only a slight communication overhead. Furthermore, we leverage circuit-dependent preprocessing and incremental checking to improve the online efficiency. Compared to other MPC protocols in the same corruption setting, our protocol achieves the smallest concrete total communication complexity.
Building upon our multi-committee unanimous-abort protocol, we upgrade it to identifiable abort by adapting a technique from (Rivinius, EUROCRYPT 2025). To integrate this technique into our setting, we adjust the verification timing and introduce a king party to reduce the communication complexity of openings. This yields the first identifiable-abort MPC protocol with constant communication complexity in the sub-optimal dishonest majority setting.
## 2026/382
* Title: Multi-key Security in the Quantum World: Revisiting Tweakable Even-Mansour and FX
* Authors: Rentaro Shiba, Tetsu Iwata
* [Permalink](
https://eprint.iacr.org/2026/382)
* [Download](
https://eprint.iacr.org/2026/382.pdf)
### Abstract
In this paper, we prove the security of symmetric-key constructions in an adversary model called the Q1MK model, which combines the Q1 model, where the adversary makes classical online queries and quantum offline queries, and the multi-key (multi-user) setting. Specifically, under this model, we prove the security of two symmetric-key constructions: the tweakable Even-Mansour cipher (TEM) and the FX construction (FX), as starting points for understanding the post-quantum security of symmetric-key constructions in this adversary model. Our security proofs are based on the hybrid argument technique introduced by Alagic et al. at EUROCRYPT 2022. First, we prove that in order to break TEM in the Q1MK model, $\Omega(2^{\kappa/3})$ classical and quantum queries are needed, regardless of the number of target $\kappa$-bit keys. Then, before turning to the Q1MK security analysis of FX, we revisit the security proof of FX in the standard Q1 model proposed in version 20230317:200508 of ePrint 2022/1097 and tighten it. By the modified proof, we show that in order to break FX with $(\kappa + n)$-bit secret key in the Q1 model, $\Omega(2^{(\kappa+n)/3})$ classical and quantum queries are needed. We then apply this analysis to the Q1MK setting, and we show that in order to break FX in the Q1MK model, $\Omega(2^{(\kappa + n - u)/3})$ classical and quantum queries are needed, when $2^u$ ($\le 2^{\kappa}$) independent keys are in use.
## 2026/383
* Title: HCTR$^{++}$ : A Beyond Birthday Bound Secure HCTR2 Variant
* Authors: G|+lnihal |uzt|+rk, Onur Ko|oak, O-fuz Yayla
* [Permalink](
https://eprint.iacr.org/2026/383)
* [Download](
https://eprint.iacr.org/2026/383.pdf)
### Abstract
Current industry-standard block cipher modes of operation, such as CBC and GCM, are fundamentally limited by the birthday bound $O(2^{n/2})$, a constraint that has evolved from a theoretical concern into a practical security bottleneck in contemporary high-throughput, high-data-volume environments. To address this, the cryptographic community and NIST are prioritizing Beyond Birthday Bound (BBB) security to extend the operational security margin toward the full block size $O(2^n)$. Achieving BBB security requires a departure from traditional constructions, primarily utilizing three methodologies: XOR of Permutations (XORP), Tweakable Block Ciphers (TBCs), and Fresh Rekeying. While none of these innovative BBB modes have been formally standardized, NIST has initiated the Accordion Mode project, defining a new primitive class: the Tweakable Variable-Input-Length Strong Pseudorandom Permutation (VIL-SPRP). This primitive treats the entire message as a single, indivisible block and expects the submission of BBB-secure variants. To contribute to this standardization effort, we propose a simple BBB-secure variant of the HCTR2 algorithm. We first explain the core BBB methodologies, then discuss the operational mechanism of HCTR2, and finally present our proposed BBB-secure construction.
## 2026/384
* Title: The Structured Generic-Group Model
* Authors: Henry Corrigan-Gibbs, Alexandra Henzinger, David J. Wu
* [Permalink](
https://eprint.iacr.org/2026/384)
* [Download](
https://eprint.iacr.org/2026/384.pdf)
### Abstract
This paper introduces the structured generic-group model, an extension of ShouprCOs generic-group model (from Eurocrypt 1997) to capture algorithms that take advantage of some non-generic structure of the group. We show that any discrete-log algorithm in a group of prime order $q$ that exploits the structure of at most a $\delta$ fraction of group elements, in a way that we precisely define, must run in time $\Omega(\min(\sqrt{q},1/\delta))$. As an application, we prove a tight subexponential-time lower bound against discrete-log algorithms that exploit the multiplicative structure of smooth integers, but that are otherwise generic. This lower bound applies to a broad class of index-calculus algorithms. We prove similar lower bounds against algorithms that exploit the structure of small integers, smooth polynomials, and elliptic-curve points.
## 2026/385
* Title: Bridging Privacy and Utility: A Verifiable Framework for Data Valuation via Zero-Knowledge Proofs
* Authors: Ruibang Liu, Minyu Chen, Dengji Ma, Guoqiang Li
* [Permalink](
https://eprint.iacr.org/2026/385)
* [Download](
https://eprint.iacr.org/2026/385.pdf)
### Abstract
Deep learning's hunger for high-quality data has catalyzed a burgeoning economy of decentralized data marketplaces. However, a fundamental trust deficit stifles this ecosystem: buyers fear data poisoning, while sellers fear data leakage. Although the Shapley value offers a rigorous economic framework for fair compensation, its calculation traditionally requires a Trusted Third Party (TTP) to access raw data, creating a single point of failure for privacy. Verifying data valuation without compromising confidentiality remains an open challenge.
In this paper, we present ZK-DV, the first Zero-Knowledge Proof (ZKP) system designed for verifiable, privacy-preserving data valuation. ZK-DV enables a seller to prove that a claimed valuation score (based on Gradient Shapley) is mathematically consistent with the underlying private data and the buyer's model, without revealing either. Our key technical insight is the architectural coupling of model training and valuation: we construct a specialized arithmetic circuit that combines the valuation logic into the backpropagation, extracting marginal utility scores from intermediate gradients. This design, implemented via the GKR protocol with a hybrid commitment strategy, amortizes the heavy cryptographic overhead through batched processing. Extensive experiments on the MNIST dataset demonstrate that ZK-DV is practical: by optimizing batch sizes, we achieve a $2.7\times$ speedup in proof generation, while maintaining a quantization fidelity of $\rho=1.0$ and a low verification cost ($< 0.2$s). ZK-DV thus bridges the gap between cryptographic integrity and economic fairness, paving the way for trustless data exchange
## 2026/386
* Title: Determining those Boolean functions whose restrictions to affine spaces are plateaued
* Authors: Claude Carlet, Darrion Thornburgh
* [Permalink](
https://eprint.iacr.org/2026/386)
* [Download](
https://eprint.iacr.org/2026/386.pdf)
### Abstract
Quadratic Boolean functions (that is, Boolean functions of algebraic degree at most 2), bent Boolean functions (i.e. maximally nonlinear Boolean functions in even numbers of variables) and, as we prove in this paper, partially-bent Boolean functions (i.e. affine extensions of bent functions to linear super-spaces), share a strong property: all their restrictions to affine hyperplanes are plateaued (i.e. have a Walsh transform valued in a set of the form $\{0,\pm \lambda\}$, where $\lambda$ is a positive integer called the amplitude). In this paper we determine for any $n$ and $k<n$ the class $C^n_k$ of those $n$-variable Boolean functions whose restrictions to all $k$-dimensional affine subspaces of $\mathbb F_2^n$ are plateaued (of any amplitude). We characterize partially-bent (resp., quadratic) Boolean functions as those functions that are plateaued on any affine hyperplane (resp., any affine subspace of dimension $k$, where $3 \leq k \leq n-2$, while these are all Boolean functions for $0\leq k\leq 2$). For $n\geq 5$, each of the following classes of Boolean functions happens then to be strictly included in the next one: quadratic functions, partially-bent functions, the restrictions of partially-bent functions to affine hyperplanes, plateaued functions, the restrictions of plateaued functions to affine hyperplanes, and all Boolean functions. We leave open the two problems of determining exactly what are the third and fifth of these classes (we begin the study of the first of these two classes by giving a non-trivial characterization). Our characterization of partially-bent (resp., quadratic) functions extends to strongly plateaued vectorial functions. We state an open question on vectorial functions that happens to be related to an important one on crooked functions.
## 2026/387
* Title: A Comprehensive Break of the Tropical Matrix-Based Signature Scheme
* Authors: Sopan Chavhan, Shrikant Chaudhari
* [Permalink](
https://eprint.iacr.org/2026/387)
* [Download](
https://eprint.iacr.org/2026/387.pdf)
### Abstract
The recent digital signature scheme proposed by Grigoriev, Monico, and Shpilrain (GMS26) attempts to leverage the NP-hardness of tropical matrix factorization as its security foundation. We present a systematic cryptanalysis revealing multiple structural vulnerabilities. First, we demonstrate an existential forgery attack in the chosen-hash model requiring only polynomial-time operations. Second, we establish that the scheme is fundamentally malleable, allowing an adversary to generate arbitrarily many distinct valid signatures for any observed messagerCothereby breaking strong unforgeability. Third, we show that collecting a polynomial number of honest signatures enables partial key recovery through probabilistic leakage of private key entries. Finally, we present an SMT-based key recovery attack that, given only two valid signatures, recovers the full private key in seconds for the recommended parameters. Our attacks do not rely on solving the claimed NP-hard problem but exploit algebraic properties of the signing equations. Combined, they demonstrate that the scheme fails to achieve the standard security notions of existential unforgeability, strong unforgeability, and key confidentiality.
## 2026/388
* Title: Necessary and Sufficient Conditions for the Existence of Ideal Linear Secret Sharing Schemes for Arbitrary Access Structures
* Authors: Zheng Chen, Qiuxia Xu, Chunming Tang
* [Permalink](
https://eprint.iacr.org/2026/388)
* [Download](
https://eprint.iacr.org/2026/388.pdf)
### Abstract
Determining whether an arbitrary access structure can be realized by an ideal linear secret sharing scheme is an important research topic. we use linear codes as the main tool to construct matrices $H$ and $G$ over a finite field $\mathbb{F}_q$ for a given access structure $\Gamma_{\min}$, and show that a necessary and sufficient condition for the existence of an ideal linear secret sharing scheme realizing $\Gamma_{\min}$ is that the equation $GH^{\mathsf{T}}=0$ has a solution. If this equation has a solution, then $H$ serves as the parity-check matrix of a linear code that realizes $\Gamma_{\min}$, and $G$ is the corresponding generator matrix. Furthermore, we prove that the result is equivalent to the following statement: there exists an ideal linear code for realizing the $\Gamma_{\min}$ if and only if it is the port of a matroid that is representable over $\mathbb{F}_q$.
## 2026/389
* Title: Towards Accountability for Anonymous Credentials
* Authors: Shailesh Mishra, Martin Burkhart
* [Permalink](
https://eprint.iacr.org/2026/389)
* [Download](
https://eprint.iacr.org/2026/389.pdf)
### Abstract
Anonymous Credentials (or ACs) enable users to prove claims
with strong privacy guarantees, protecting credential holders
from being tracked by issuers and verifiers. However, these
privacy guarantees imply that a credential holder cannot be
held accountable for misuse (e.g., selling credential checks
online for proving EYaAEYaoEYaA > 18). The lack of accountability may
raise questions about the adoption of ACs into national iden-
tity systems (e.g., European EUDI or Swiss e-ID), which
might lead to the issuing authorities resorting to credential
systems with weaker privacy guarantees (e.g., batch issuance
of one-show credentials). This shows that the lack of account-
ability can adversely impact the levels of privacy enjoyed by
users.
Hence, in this paper, we discuss transferability attacks on
ACs and introduce a framework for providing accountability
in AC systems. In addition to issuers, holders and verifiers,
it assumes the existence of: (i) a law enforcement body (the
police) and a judicial body (the judge) that work together to
find information on credential misuse and; (ii) one or more
digital privacy advocates, called the NGO(s), that ensure the
system is not used for tracking people.
We introduce the cryptographic forensic trail (CFT), which
is attached to each credential show. The CFT can be used for
obtaining more information about an individual if and only
if the police have probable cause and can convince the judge
to issue a corresponding search warrant. Then, the police,
the judge, and the NGO(s) run a multiparty protocol for
decrypting relevant trails only. The protocol mimics checks
and balances of a healthy democracy, in which neither law
enforcement nor justice can track people as they will. Even
if both branches colluded, the NGO(s) can detect the misuse
and block further use.
In addition to possible extensions, we discuss performance
constraints on mobile phones and argue that practical feasi-
bility of the CFT is within reach.
## 2026/390
* Title: Succinct Arguments for BatchQMA and Friends under 6 Rounds
* Authors: Rishab Goyal, Aditya Jain, Shashwatha Mitra GB
* [Permalink](
https://eprint.iacr.org/2026/390)
* [Download](
https://eprint.iacr.org/2026/390.pdf)
### Abstract
We study the problem of minimizing round complexity in the context of succinct classical argument systems for quantum computation. All prior works either require at least 8 rounds of interaction between the quantum prover and classical verifier, or rely on the idealized quantum random oracle model (QROM). We design:
1. A 4-round public-coin (except for the first message) argument system for batchQMA lan- guages. Our results come in two flavors:
(a) Under the post-quantum hardness of functional encryption and learning with errors (LWE), we achieve optimal communication complexity (i.e., all message sizes are independent of batch size).
(b) Under the post-quantum hardness of LWE, we achieve optimal communication com- plexity except for the verifierrCOs first message.
2. A 6-round private-coin argument system for monotone policy batchQMA languages, under the post-quantum hardness of LWE. The communication complexity is independent of the batch size as well as the monotone circuit size.
One of our main technical contributions is a new approach to prove soundness without rewind- ing cheating provers. We bring the notion of straight-line partial extractability to argument systems for quantum computation. All previous works crucially relied on rewinding cheating provers, thus needed rCLstate-preservingrCY succinct arguments of knowledge (AoKs) for NP to prove soundness.
## 2026/391
* Title: Zero-Knowledge IOPPs for Constrained Interleaved Codes
* Authors: Alessandro Chiesa, Giacomo Fenzi, Guy Weissenberg
* [Permalink](
https://eprint.iacr.org/2026/391)
* [Download](
https://eprint.iacr.org/2026/391.pdf)
### Abstract
Succinct arguments based on interactive oracle proofs (IOPs) have achieved remarkable efficiency improvements and are now widely adopted in applications. State-of-the-art IOPs involve protocols for testing proximity to constrained interleaved linear codes, and enjoy essentially optimal parameters. However, recent IOP constructions provide no privacy guarantees, which remain a must for many applications.
We present an IOP of proximity for testing constrained interleaved linear codes that achieves (honest-verifier) zero-knowledge, while incurring a negligible overhead compared to the (non-zero-knowledge) state of the art. In line with recent constructions, our construction satisfies round-by-round knowledge soundness with a straightline extractor and negligible error.
We propose a definition of (honest-verifier) zero-knowledge for interactive oracle reductions (IORs) that we prove is compatible with composition, and then obtain our result by constructing and modularly composing several lightweight zero-knowledge IORs. Our key technical contributions are a zero-knowledge sumcheck IOR and a zero-knowledge code-switching IOR that fit the strict efficiency requirements of our setting; these contributions and other technical complications entailed overcoming several challenges with new notions and protocols. Finally, along the way, we highlight the efficiency benefits of high-distance codes obtained from dispersers, which may be of independent interest.
## 2026/392
* Title: Fast cube roots in Fp2 via the algebraic torus
* Authors: Youssef El Housni
* [Permalink](
https://eprint.iacr.org/2026/392)
* [Download](
https://eprint.iacr.org/2026/392.pdf)
### Abstract
Computing cube roots in quadratic extensions of finite fields is a subroutine that arises in elliptic-curve point decompression, hash-to-curve and isogeny-based protocols. We present a new algorithm that, for $p \equiv 1 \pmod{3}$ rCowhich holds in all settings where $\mathbb{F}_{p^2}$ cube roots arise in practicerCo reduces the $\mathbb{F}_{p^2}$ cube root to operations entirely in the base field $\mathbb{F}_p$ via the algebraic torus $\mathbb{T}_2(\mathbb{F}_p)$ and Lucas sequences. We prove correctness in all residuosity cases and implement the algorithm using the $\texttt{gnark-crypto}$ open-source library. Benchmarks on six primes spanning pairing-based and isogeny-based cryptography show $1.6$rCo$2.3\times$ speed-ups over direct (addition chain) exponentiations in $\mathbb{F}_{p^2}$. We also extend the approach to $p \equiv 2 \pmod{3}$ and, more generally, to any odd $n$-th roots in quadratic towers $\mathbb{F}_{p^{2^k}}$ with $\gcd(n, p+1) = 1$.
## 2026/393
* Title: VROOM: Accelerating (Almost All) Number-Theoretic Cryptography Using Vectorization and the Residue Number System
* Authors: Simon Langowski, Kaiwen He, Srini Devadas
* [Permalink](
https://eprint.iacr.org/2026/393)
* [Download](
https://eprint.iacr.org/2026/393.pdf)
### Abstract
Modular arithmetic with a large prime modulus is a dominant computational cost in number-theoretic cryptography. Modular operations are especially challenging to parallelize efficiently on CPUs using vector instructions; standard CPU implementations rely on costly carry operations and permutation instructions to align with the multiplication datapath, negating the benefits of vectorization.
We develop vectorized algorithms for modular addition and multiplication, and present a new, constant-time modular multiplication algorithm suitable for general moduli - prime or otherwise. Our method uses a Residue Number System (RNS) representation to align the arithmetic naturally with wide vector units, and strategically eliminate extraneous instructions. Existing works either require the use of customized hardware or fail to show latency improvements.
Reducing the latency of modular arithmetic results in speedups for cryptographic applications. We accelerate RSA-4096 signatures by $4.0\times$ (verify) and $1.3\times$ (sign) over OpenSSL, and speed up BLS signature verifications by $3.43\times$ over the assembly-optimized BLST library. To facilitate broad practical adoption, we plan to upstream our implementation into BoringSSL, where it will directly benefit real-world TLS and cryptographic deployments.
## 2026/394
* Title: SQISign on ARM
* Authors: Luca De Feo, Li-Jie Jian, Ting-Yuan Wang, Bo-Yin Yang
* [Permalink](
https://eprint.iacr.org/2026/394)
* [Download](
https://eprint.iacr.org/2026/394.pdf)
### Abstract
We present the first vectorized implementation of SQIsign for high-performance Arm architectures. SQIsign is a promising candidate in the NIST On-Ramp Digital Signatures Call Round 2 to its most compact key and signature sizes. However, its signing performance remains a primary bottleneck, particularly the ideal-to-isogeny conversion. The conversion requires a large number of operations on elliptic curves and Abelian varieties, which depend on finite field arithmetic. Despite recent algorithmic improvements, research on high-performance implementations and efficient vectorized finite field arithmetic for SQIsign is still unexplored.
Our main contribution is the first demonstration of non-trivial vectorization speedups for SQIsign. By leveraging the NEON instruction set, we implement highly efficient finite field arithmetic and batched elliptic curve operations tailored for 2-dimensional isogeny chain computations. This accelerates the subroutine by 2.24$\times$ over the state-of-the-art. Moreover, our improvements are completely orthogonal to the recent algorithmic improvement Qlapoti (Asiacrypt 2025), offering similar performance gains in the SQIsign signing algorithm. When combined with Qlapoti, our implementation achieves a speedup of more than 2.24$\times$ in signing at NIST security level I. We expect our work to inspire further SQIsign optimization from a vectorization perspective, especially for quaternion computations with precise bounds.
## 2026/395
* Title: How To Make Delegated Payments on Bitcoin: A Question for the AI Agentic Future
* Authors: Jay Taylor, Paul Gerhart, Sri AravindaKrishnan Thyagarajan
* [Permalink](
https://eprint.iacr.org/2026/395)
* [Download](
https://eprint.iacr.org/2026/395.pdf)
### Abstract
AI agents and custodial services are increasingly being entrusted as intermediaries to conduct transactions on behalf of institutions. The stakes are high: The digital asset market is projected to exceed \$16 trillion by 2030, where exchanges often involve proprietary, time-sensitive goods. Although industry efforts like GooglerCOs Agent-to-Payments (AP2) protocol standardize how agents authorize payments, they leave open the core challenge of fair exchange: ensuring that a buyer obtains the asset if and only if the seller is compensated without exposing sensitive information.
We introduce proxy adaptor signatures (PAS), a new cryptographic primitive that enables fair exchange through delegation without sacrificing atomicity or privacy. A stateless buyer issues a single request and does not need to manage long-term cryptographic secrets while proxies complete the exchange with a seller. The seller is guaranteed payment if the buyer can later reconstruct the purchased witness; meanwhile, the proxies remain oblivious to the witness throughout the protocol. We formalize PAS under a threshold model that tolerates the collusion of up to $t-1$ proxies. We also present an efficient construction from standard primitives that is compatible with Bitcoin, Cardano, and Ethereum. Finally, we evaluate a Rust implementation that supports up to 30 proxies. Our prototype is concretely efficient: buyer and seller computations take place in microseconds, proxy operations in milliseconds, and on-chain costs are equivalent to those of a standard transaction without fair exchange.
## 2026/396
* Title: Anonymity of X-Wing and its Variants
* Authors: Jiawei Bao, Jiaxin Pan
* [Permalink](
https://eprint.iacr.org/2026/396)
* [Download](
https://eprint.iacr.org/2026/396.pdf)
### Abstract
X-Wing (Barbosa et al., CiC Volume 1, Issue 1) is a hybrid key encapsulation mechanism (KEM) currently considered for standardization by IETF and deployed by major companies such as Google to ensure a secure transition to post-quantum cryptography. It combines a classical X25519 KEM with the post-quantum ML-KEM-768.
In this paper, we propose the first analysis of the anonymity of X-Wing. We are interested in tight and memory-tight reductions that offer stronger security guarantees. We first establish in the standard model that for any IND-CCA secure KEM, weak anonymity implies full anonymity, and our reduction is tight not only in success probability and time but also in memory consumption. We then prove in the random oracle model that X-Wing achieves weak anonymity if both X25519 and ML-KEM-768 are weakly anonymous. The former can even be proven without a hardness assumption.
Our proof on the weak anonymity of X-Wing does not preserve the memory-tightness of the underlying KEMs. To improve it, we propose a slight variant of X-Wing that preserves memory-tightness. Finally, we improve the existing IND-CCA proof of the original X-Wing by Barbosa et al. using our new memory-tight analysis.
## 2026/397
* Title: Bittersweet Signatures: Bringing LWR to a Picnic for Hardware-Friendly MPC-in-the-Head
* Authors: Brieuc Balon, Gianluca Brian, Sebastian Faust, Carmit Hazay, Elena Micheli, Fran|oois-Xavier Standaert
* [Permalink](
https://eprint.iacr.org/2026/397)
* [Download](
https://eprint.iacr.org/2026/397.pdf)
### Abstract
Post-quantum signature schemes are becoming increasingly important due to the threat of quantum computers to classical cryptographic schemes. Among the approaches considered in the literature, the MPC-in-the-head paradigm introduced by Ishai et al. (STOC'07) provides an innovative solution for constructing zero-knowledge proofs by exploiting Multi-Party Computation (MPC). This technique has proven to be a versatile tool in order to design efficient cryptographic schemes, including post-quantum signatures.
Building on the MPC-in-the-head paradigm, we introduce Bittersweet signatures, a new class of signature schemes based on the Learning With Rounding (LWR) assumption. Their main advantage is conceptual simplicity: by exploiting (almost) key-homomorphic pseudorandom functions (PRFs), a cryptographic object that preserves pseudorandomness while allowing linear operations on keys, we obtain a very regular design offering nice opportunities for parallel implementations.
Theoretically, analyzing Bittersweet signatures requires addressing significant challenges related to the (carry) leakage that almost key-homomorphic operations lead to.
Concretely, Bittersweet signatures natively lead to competitive signature sizes, trading moderate software performance overheads for hardware performance gains when compared to state-of-the-art MPC-in-the-head schemes (e.g., relying on code-based assumptions), while admittedly lagging a bit behind recent algorithms based on
the VOLE-in-the-head or Threshold-Computation-in-the-head frameworks.
Besides, their scalability and algebraic structure makes them promising candidates for leakage-resilient implementations. The new abstractions we introduce additionally suggest interesting research directions towards further optimization and generalization.
## 2026/398
* Title: Orthus: Practical Sublinear Batch-Verification of Lattice Relations from Standard Assumptions
* Authors: Madalina Bolboceanu, Jonathan Bootle, Vadim Lyubashevsky, Antonio Merino-Gallardo, Gregor Seiler
* [Permalink](
https://eprint.iacr.org/2026/398)
* [Download](
https://eprint.iacr.org/2026/398.pdf)
### Abstract
The past several years have seen a rapid rise in practical lattice-based proof systems with linear-sized zero-knowledge proofs forming the foundation of many of the most efficient quantum-safe privacy protocols, and succinct proofs rapidly catching up and surpassing other quantum-safe alternatives in many metrics. A recent comparison of lattice-based aggregate signatures (Ethereum Foundation, 2025) involving the hash-based aggregate signature scheme Plonky3 and the instantiation of aggregate signatures from Falcon from the LaZer lattice library (Lyubashevsky, Seiler, Steuer, CCS 2024) using LaBRADOR (Beullens, Seiler, Crypto 2023), showed that lattice-based constructions have an advantage in terms of proof size and prover time, but are around an order of magnitude slower with regards to verification time. In general, it appears that slower verification times are the main obstacle to the adoption of succinct lattice-based proof systems.
In this work, we introduce and implement Orthus, a proof system with sub-linear verification designed for relations that naturally arise in lattice-based constructions. Asymptotically, the verification time grows with the square root of the witness size, and for a concrete example of aggregating Falcon signatures our implementation reduces the verifier running time by a factor of $9X$ when aggregating $2^{17}$ signatures.
## 2026/399
* Title: What a Wonderful World: zkSNARKs in the Algebraic Group Model are Universally Composable
* Authors: Gaspard Anthoine, Dario Fiore, Mahak Pancholi
* [Permalink](
https://eprint.iacr.org/2026/399)
* [Download](
https://eprint.iacr.org/2026/399.pdf)
### Abstract
Zero-Knowledge Succinct Non-interactive Arguments of Knowledge (zkSNARKs) are important cryptographic primitives critical in many real-world applications. zkSNARKs are not used in isolation but are deployed within a broader context in which other cryptographic protocols may be concurrently executed. Universal-Composability (UC) allows rigorous analysis of cryptographic primitives being used in such arbitrary contexts. A UC analysis is even more desirable for popular, well-audited, and heavily deployed zkSNARKs already being used in practice.
Prior works that study the UC security of existing zkSNARKs (without modifications) are either not modular, hence requiring case-by-case analysis for new proof systems, or have largely focused on zkSNARKs in the Random Oracle Model (ROM). The latter includes zkSNARKs with logarithmic proof sizes compiled from Interactive Oracle Proofs. This state of the art leaves out a large family of very efficient, often constant-size, zkSNARKs that rely on the Algebraic Group Model (AGM) and optionally on the ROM. This includes zkSNARKs compiled from Polynomial Interactive Oracle Proofs, such as Plonk and Marlin, among others.
In this work, we address the UC security for unmodified zkSNARKs that are proven secure in AGM (+ROM). Our approach is modular: we identify simple, and mostly standard properties on the underlying zkSNARK that imply UC security. We observe that checking these properties for existing zkSNARKs is a surprisingly simple task using the rigorous formulation of AGM from Jaeger and Mohan (CRYPTO'24). The simplicity and modularity of our framework makes it easy-to-use for concluding UC security of several zkSNARKs in the same setting. Concretely, using our framework we establish that Plonk and Marlin are UC secure without any overhead.
## 2026/400
* Title: Non-interactive Blind Signatures with Threshold Issuance
* Authors: Foteini Baldimtsi, Lucjan Hanzlik, Aayush Yadav
* [Permalink](
https://eprint.iacr.org/2026/400)
* [Download](
https://eprint.iacr.org/2026/400.pdf)
### Abstract
Non-interactive blind signatures (NIBS) capture the minimal setting of blind signatures where the message space is restricted to unstructured random strings. They enable a signer to pre-compute presignatures without prior interaction, while ensuring that only the intended recipient can derive the corresponding blind signature.
In this work, we consider the problem of threshold issuance of NIBS. Specifically, we introduce the notion of non-interactive threshold blind signatures (NITBS), where a user obtains partial presignatures from a threshold of signers and locally combines them into a valid blind signature. We provide a formal treatment of this primitive by defining the corresponding security notions of blindness and one-more unforgeability. We then present the first concrete construction of NITBS, obtained by adapting the Pointcheval-Sanders (PS) signature scheme, and establish its security in the algebraic group model. Our micro-benchmarking results show that our construction attains the smallest presignature and signature sizes and the fastest issuance among all existing NIBS schemes.
## 2026/401
* Title: NIROPoK-Based Post-Quantum Sidechain Design on Ethereum
* Authors: Hassan Khodaiemehr, Khadijeh Bagheri, Saeid Yazdinejad, Chen Feng
* [Permalink](
https://eprint.iacr.org/2026/401)
* [Download](
https://eprint.iacr.org/2026/401.pdf)
### Abstract
This paper presents a pioneering approach to constructing sidechains on the Ethereum network with a focus on post-quantum security. Our framework integrates a novel quantum-resistant version of a non-interactive random oracle proof of knowledge (NIROPoK) scheme, alongside a quantum-resistant proof-of-stake mechanism and a post-quantum bridge based on the Dilithium digital signature scheme. By harnessing these advanced cryptographic techniques, we establish a robust defense against quantum computing threats while ensuring enhanced privacy for blockchain transactions. By conducting a thorough analysis and implementing our approach, we demonstrate the feasibility and effectiveness of creating quantum-resistant sidechains within the Ethereum ecosystem. Our proposed sidechain is also capable of securing Ethereum transactions from quantum threats using EthereumrCOs current architecture and security measures.
## 2026/402
* Title: Conditionally Linkable Attribute-Based Signatures
* Authors: Minh Pham, Khoa Nguyen, Slim Bettaieb, Mukul Kulkarni, Willy Susilo * [Permalink](
https://eprint.iacr.org/2026/402)
* [Download](
https://eprint.iacr.org/2026/402.pdf)
### Abstract
Attribute-Based Signatures (ABS) enable users to authenticate messages under expressive attribute policies while remaining anonymous. Existing ABS variants, however, treat linkability as a static, system-wide property: signatures are either always unlinkable, as in standard ABS, or globally linkable, as in traceable or accountable extensions. This rigid dichotomy fails to capture scenarios where correlation should arise only under explicitly declared conditions.
This work introduces Conditionally Linkable Attribute-Based Signatures (CLABS), a framework extending ABS with programmable, context-dependent linkability. Each certified user with attribute $x$ is associated with a linking set $L_x$ over a public context space $\mathcal{T}$. For each context $\tau\in\mathcal{T}$, a public function $f_\tau$ specifies how attributes are compared. Two signatures are publicly linkable if and only if $\tau\in L_x\cap L_{x'}$ and $f_\tau(x)=f_\tau(x')$; otherwise they remain unlinkable. This enables selective, verifiable correlation without central trust and with leakage limited to the opt-in bit.
We formalize the syntax and security notions of CLABS, capturing conditional linkability and context-aware anonymity, thereby ensuring privacy and verifiable linkage under voluntary participation. CLABS unifies global unlinkability and fine-grained, context-specific linkage within a single formal framework.
We realize CLABS generically using three modular components: a pseudorandom function for deterministic tag generation, a conventional signature for attribute certification, and a signature of knowledge (SoK) proving correct tag computation and Boolean policy satisfaction without revealing $x$. Finally, we instantiate CLABS under standard lattice assumptions in the quantum random oracle model (QROM), achieving post-quantum security while supporting arbitrary Boolean policies. The techniques we employ to prove circuit satisfiability and tag correctness may be of independent interest.
## 2026/403
* Title: On the Need for (Quantum) Memory with Short Outputs
* Authors: Zihan Hao, Zikuan Huang, Qipeng Liu
* [Permalink](
https://eprint.iacr.org/2026/403)
* [Download](
https://eprint.iacr.org/2026/403.pdf)
### Abstract
In this work, we establish the first separation between computation with bounded and unbounded space, for problems with short outputs (i.e., working memory can be exponentially larger than output size), both in the classical and the quantum setting. Towards that, we introduce a problem called nested collision finding, and show that optimal query complexity can not be achieved without exponential memory.
Our result is based on a novel ``two-oracle recording'' technique, where one oracle ``records'' the computation's long outputs under the other oracle, effectively reducing the time-space trade-off for short-output problems to that of long-output problems. We believe this technique will be of independent interest for establishing time-space tradeoffs in other short-output settings.
--- Synchronet 3.21d-Linux NewsLink 1.2