ePrint Updates

Abstract. Most prior works on secure Multi-Party Computation (MPC) in asynchronous networks study Guaranteed Output Delivery (GOD), meaning that all parties learn the function output. Asynchronous MPC protocols with GOD necessarily tolerate only t < n/3 corruptions, and they necessarily allow the adversary to exclude the inputs of up to t honest parties from the computation, a phenomenon referred to as input loss. Seeking improvements to threshold/input loss, we consider weakening GOD to security with abort, a standard notion studied in the context of synchronous networks. Unfortunately we show that, when these standard notions are applied in asynchrony, it is not possible to improve the corruption threshold or the input loss. We therefore study relaxations of these standard notions under which protocols can be improved. In particular, we propose a relaxation of the standard notion of correctness for asynchronous MPC protocols. Our relaxed notion requires only that parties obtain the correct output when all parties are honest and when at most a threshold A of the parties are asynchronous. We present several impossibility and feasibility results that completely characterize what is possible in the context of our relaxed correctness. For instance, it is possible to achieve selective abort even when t < n parties are corrupt if (and only if) A < (n-t)/2, but it is impossible to achieve unanimous abort unless t < n/3, even when A=0. We additionally propose a new notion of identifiable abort for asynchronous networks (aIA), and we show that we can achieve fair MPC with aIA and min(A,t) input loss.

Image showing part 2 of abstract.

Asynchronous MPC with Abort (Ananya Appan, David Heath, Ling Ren) ia.cr/2026/455

Abstract. We describe a Las Vegas algorithm for the principal ideal problem in matrix rings M_(g)(O) for g ≥ 2, over maximal orders O in the rational quaternion algebra B_(p, ∞) ramified at ∞ and a prime number p. Under plausible heuristic assumptions, the method has expected polynomial runtime. An implementation in SageMath shows that it runs very efficiently in practice, with compact output. Our main auxiliary result is a method for finding endomorphisms of superspecial abelian varieties (i.e., powers of supersingular elliptic curves) with a prescribed kernel.

The principal ideal problem for endomorphism rings of superspecial abelian varieties (Wouter Castryck, Jonathan Komada Eriksen, Riccardo Invernizzi, Frederik Vercauteren) ia.cr/2026/454

Abstract. Instant messaging services are an integral part of today’s communication and their privacy has wide societal implications. Major messengers deploy end-to-end encryption, hiding message contents from the service provider. Group messaging, however, creates the challenge of also keeping the group membership list private. The Signal messenger currently implements private group management using techniques inspired by Chase, Perrin, and Zaverucha (CCS 2020). Transitioning this system to quantum-safe turns out to be challenging: While one-to-one messaging can often adopt the newly standardized KEMs and signatures in a relatively direct way, private group management is more complex. Signal’s existing design heavily relies on the discrete-log structure to combine anonymous credentials, verifiable encryption, and oblivious PRFs for privacy and functionality. Quantum-safe versions of these components are unfortunately, typically far less efficient, requiring heavy zero-knowledge proofs and large communication per group operation. As a result, simply “swapping in” quantum-safe primitives is unlikely to yield an optimal protocol. This paper reconsiders the design of the entire group system from the ground-up. Our result is a scheme that possesses the same strong privacy guarantees, but is built in a more modular way using simpler underlying cryptographic building blocks that permit a more efficient quantum-safe instantiation. The modularity of our protocol further allows for gradual migration to quantum-safe: we can immediately transition components vulnerable to harvest-now-decrypt-later attacks (such as classical public-key encryption, computationally hiding commitments, etc.) while deferring the transition of other building blocks, such as authentication. We prove our design secure in an extended security model that more comprehensively captures the rich feature set of Signal’s group messaging system.

Image showing part 2 of abstract.

A Quantum-Safe Private Group System for Signal from Key Re-Randomizable Signatures (Graeme Connell, Sebastian Faller, Felix Günther, Julia Hesse, Vadim Lyubashevsky, Rolfe Schmidt) ia.cr/2026/453

Abstract. In a seminal paper at Eurocrypt’25, B. Libert solved the long-standing open question of the CCA1 security of the Damgard-ElGamal scheme under standard assumptions. That paper also further showed that several other schemes, including a variant of Paillier-ElGamal with plaintext zero-padding, are CCA1 secure under falsifiable assumptions. However, all these schemes are only somewhat linearly homomorphic. In this paper, we first tackle the fundamental question of designing efficient “truly” linearly homomorphic encryption schemes achieving CCA1 security under standard and falsifiable assumptions. We generalize Libert’s approach to a large class of group-based PKE, that covers the aforementioned schemes, the Cramer-Shoup Lite scheme as well as new ones. In particular, we use our framework to show that a new variant of Paillier-ElGamal, which we call Damgard-Paillier-ElGamal (DPEG) as its design follows a Knowledge-of-Exponent pattern, achieves CCA1 security solely under the standard DCR assumption. To the best of our knowledge, DPEG is the first “truly” linearly homomorphic encryption scheme that is proven CCA1 secure under a standard assumption. Furthermore, DPEG can be extended to support one level of multiplication while still preserving its CCA1 security under the same assumption. Second, we show that DPEG also achieves Manulis&Nguyen’s stronger notion of vCCA security under a non-falsifiable linear-only homomorphism assumption. We then connect vCCA security to a no-go Theorem of Gentry&Wichs and show that, under mild assumptions, vCCA security cannot be established from any falsifiable assumption. This explains why all currently known vCCA secure constructions, including ours, rely on non-falsifiable assumptions.

Image showing part 2 of abstract.

On the CCA security properties of a class of group-based linearly homomorphic encryption schemes (Duong Hieu Phan, Renaud Sirdey, Jean Vacher) ia.cr/2026/452

Abstract. Oblivious algorithms allow a space-constrained client program to securely outsource storage to an untrusted server. Any program can be compiled to an oblivious form via Oblivious RAM (ORAM), but this is asymptotically and concretely expensive. Recent work (Appan et al., CCS’24) proposed a weakening of ORAM called the Oblivious Single Access Machine (OSAM) model, which offers asymptotically-improved oblivious compilation for many programs, including those that manipulate graph data structures. While of theoretical interest, OSAM graph algorithms were worse than generic ORAM, even for large graphs (tested on graphs of size up to 2²⁴). This work improves the concrete costs of OSAM-based oblivious algorithms. In short, the original work on OSAM proposed algorithms for manipulating objects with pointers to other objects. Pointers and objects can be naturally used to instantiate arbitrary graphs, but the OSAM’s underlying management of pointers involves non-trivial and concretely-expensive algorithms. Our work greatly simplifies and improves the efficiency of OSAM-based pointer handling by co-designing (1) pointer-friendly modifications to the underlying Path ORAM algorithm (Stefanov et al., CCS’13) and (2) new algorithms for managing pointers. We implemented the original OSAM algorithms and our approach. Naturally-written graph algorithms can now be automatically compiled to an oblivious form while enjoying up to a 4× improvement in performance as compared to when using generic Path ORAM (and at least 8× as compared to the original OSAM). In sum, our work provides generic and easy-to-use oblivious tools while concretely improving over prior generic state-of-the-art tools.

Image showing part 2 of abstract.

Oblivious Single Access Machines are Concretely Efficient (Sage Pia, Ananya Appan, Maryam Rezapour, Amey Shukla, Nikhil Date, Benjamin Fuller, Ling Ren, David Heath) ia.cr/2026/451

Abstract. A new paradigm, called -CKKS, proposes to restrict the plaintext space of the homomorphic encryption CKKS scheme from ℂ to a discrete subset of it (e.g., {0, 1}). While sacrificing approximate computations, this allows one to express an arithmetic similar to that available in exact schemes, but with significantly larger parallelism and flexibility due to SIMD computations and the underlying complex arithmetic, which remains available internally. A significant example is the recent work by Boneh and Kim (Crypto ’25), where they present a method to operate on extremely large encrypted integers. In this work, we build a simple computational device that handles integers, decomposed as binary vectors, by evaluating standard mod 2 arithmetic operations using polynomials only. Since we do not resort to the modular reductions based on the functional bootstrapping proposed by Kim and Noh (CIC ’25), this yields a more flexible parameterization, consistent with standard CKKS configurations, e.g., leveled supporting roughly 13 multiplicative levels before bootstrapping. This means that one can use CKKS in ℝ and then switch to ℤ with the same set of parameters – we will refer to this as . Experiments show that our solution has lower latency on all operations (i.e., additions, multiplications, comparisons and logical shifts) by roughly three times, with respect to the current state of the art, although we have smaller throughput due to how data is represented.

Image showing part 2 of abstract.

A flexible and polynomial framework for integer arithmetic in CKKS (Lorenzo Rovida) ia.cr/2026/450

Abstract. We present two constructions of short signature schemes based on the polynomial hardness decisional Diffie Hellman. Our simplest scheme guarantees selective security (i.e. the adversary has to commit to the forged message ahead of time) while the second one realizes full fledged existential unforgeability. Remarkably, our schemes can be implemented over standard prime order groups (no pairings needed) and can be proven secure without resorting to the random oracle heuristic.

Short Signatures from DDH without Pairings or Random Oracles (Dario Catalano, Valentina Frasca, Emanuele Giunta) ia.cr/2026/449

Abstract. Polynomials are a fundamental mathematical object underlying virtually all of theoretical computer science. In proof systems, a common task for the verifier is to evaluate a polynomial of degree d at m distinct points. The best known algorithm for this problem performs O((m + d) ⋅ log²(m + d)) field operations. We present a concretely efficient MA protocol for this problem in which the verifier runs in : the prover sends a single message consisting of d − 1 field elements, and the verifier performs only O(m + d) field operations. We further extend our protocol to handle the more general setting of evaluating multiple polynomials at multiple points, and for this problem, we construct an AMA protocol. Our protocols improve the verifier time in several interactive proofs. Most notably are the sumcheck protocol over a large summation domain and protocols that rely on polynomial quotienting. In particular, by a straightforward application of our results, we reduce the verifier’s runtime in the STIR protocol (CRYPTO 2024) to match that of WHIR (EUROCRYPT 2025), despite WHIR being highly optimized for verification time. As an additional application, we show that any univariate polynomial commitment schemes (PCS) can be transformed, in a black-box manner, into a new scheme that efficiently supports batch openings at multiple points. In particular, opening m points incurs only a constant overhead compared to opening a single point.

Image showing part 2 of abstract.

Interactive Proofs for Batch Polynomial Evaluation (Gal Arnon, Alessandro Chiesa, Giacomo Fenzi, Eylon Yogev) ia.cr/2026/448

Abstract. Despite improvements to authentication mechanisms, account compromise remains frequent and users need a trustworthy way to determine what devices have accessed their accounts. Doing so, however, is in tension with privacy goals on the modern web, which mandate that web services not learn static device identifiers. Recent work aims to address this tension via client-side encrypted access logging (CSAL), but their approach does not allow retrieving all log entries and users may miss information about adversarial accesses. We present Trace, a new CSAL system that achieves complete logging while preserving privacy. Trace records verifiable evidence of each authentication in an encrypted log stored by an independent logging service, ensuring that only the user can inspect it. The web service remains unaware of the logging, preserving backward compatibility with existing authentication infrastructures. Unlike prior approaches, Trace simultaneously achieves verifiable device attribution, backward compatibility, and formally-analyzed security against malicious adversaries. Our prototype implementation reaches over 10 K authentications per second on a single core, suggesting it can scale efficiently for large services.

Image showing part 2 of abstract.

Trace: Complete Client-Side Account Access Logging (Paul Gerhart, Carolina Ortega Pérez, Thomas Ristenpart) ia.cr/2026/447

Abstract. In 2022, Castryck and Decru introduced an attack that broke several isogeny-based schemes, including SIKE, which had advanced to the final round of the NIST Post-Quantum Cryptography Standardization Competition. Despite this attack, research on isogeny-based cryptography has continued, primarily due to the compact key sizes offered by these schemes compared to other post-quantum approaches. There are now many isogeny-based schemes that are resistant to the Castryck-Decru attack. These schemes typically involve advanced mathematical structures that may require significant time and effort to study. In this paper, we provide a structured survey of isogeny-based signature schemes that are resistant to the Castryck-Decru attack, aiming to facilitate an understanding of the current landscape and the most practically relevant schemes in this area. We categorize these signature schemes into two main classes: those based on the CSIDH group action and the SQIsign family. For each class, we discuss their fundamental design principles, security assumptions, and specific constructions. We also compare their performance and compactness. Additionally, we describe one representative scheme from each class that is particularly relevant in practice due to its efficiency or compactness. In conclusion, we compare the performance of the schemes discussed in this work with other post-quantum signature schemes.

Image showing part 2 of abstract.

Survey of isogeny-based signature schemes resistant to Castryck–Decru attack (J. S. Bobrysheva, A. S. Zelenetsky, V. V. Davydov) ia.cr/2026/446

Abstract. Post-quantum cryptography focuses on research of cryptographic primitives, including public key encryption and signatures, that can resist the attacks mounted by an adversary with an access to a quantum computer. An alternative is to employ quantum cryptography to protect communication links by employing principles of quantum physics to protect security of the key exchange. Recently, a group key establishment protocol that combines these approaches in a secure way was presented by Steinwandt and Gonzales Vasco. We have successfully imple- mented and employed this protocol in a prototype application. In this article we describe the overall architecture and specific details of the implementation that can be of interest for scientific community. We conclude with a discussion of specific challenges, options and open problems that can accompany similar imple- mentation task.

Implementation of a post-quantum hybrid group key exchange protocol (Tomáš Fabšič, Samuel Klement, Zoltán Raffay, Pavol Zajac) ia.cr/2026/445

Abstract. Security evaluation of masking in low-noise regimes remains poorly understood: increasing the masking order does not automatically translate into higher concrete resistance once many correlated intermediates are processed by a full implementation. A common approach is to reduce noisy side-channel leakage to the random probing model (RPM), but existing reductions can be too loose to yield meaningful leakage rates in practice, and current RPM analyses often rely on costly simulations or numerically propagated bounds. This work develops analytic and algorithmic tools for estimating and upper-bounding RPM security of masked gadgets and their compositions. First, for noisy Hamming-weight leakage over 𝔽_(2^(u)) we compute concrete RPM leakage-rate parameters for a tighter 𝔽₂-linear reduction based on binary inner products, providing a tangible link between SNR and probing rate. Second, for 𝔽_(q)-linear circuits we leverage a vector-space representation to characterize RPM leakage as an erasure event, yielding a direct connection to local metrics such as advantage and implying global simulability for refreshed, block-separated executions. Third, we improve Monte Carlo estimation of rare leakage events using importance sampling, enabling evaluation in low-rate/high-order regimes that are infeasible with naive sampling. Finally, we revisit the leakage-diagram technique and derive explicit bounds for refresh gadgets, and we apply the same viewpoint to composition through , showing that SNI—while sufficient for threshold probing model (TPM)—does not capture the RPM phenomenon governing refresh boundaries. We implement our methods in , a tool that compiles gadget descriptions into linear-algebraic representations and supports exact computation as well as Monte Carlo/importance-sampling estimation of RPM security parameters.

Image showing part 2 of abstract.

Leakage-Diagrams, Importance Sampling, and Composition in the Random Probing Model (Vahid Jahandideh, Bart Mennink, Lejla Batina) ia.cr/2026/444

Abstract. The problem of computing an isogeny of large prime degree from a supersingular elliptic curve of unknown endomorphism ring is assumed to be hard both for classical as well as quantum computers. In this work, we first build a two-round identification protocol whose security reduces to this problem. The challenge consists of a random large prime q and the prover simply replies with an efficient representation of an isogeny of degree q from its public key. Using the hash-and-sign paradigm, we then derive a signature scheme with a very simple and flexible signing procedure and prove its security in the standard model. The most efficient variant of our signature schemes features a signing which is 1.4× to 1.6× faster than the most recent implementaion of SQIsign, whereas verification ranges from 1.2× slower to 1.01× faster depending on the security level. The sizes of public key and signature are comparable to existing schemes.

PRISM with a pinch of salt: Simple, Efficient and Strongly Unforgeable Signatures from Isogenies (Andrea Basso, Giacomo Borin, Wouter Castryck, Maria Corte-Real Santos, Riccardo Invernizzi, Antonin Leroux, Luciano Maino, Frederik Vercauteren, Benjamin Wesolowski) ia.cr/2026/443

Abstract. SMAUG-T and HAETAE, designated as target algorithms for national standardization via the Korean Post-Quantum Cryptography (KpqC) competition, run efficiently on general-purpose platforms. On ARM Cortex-M4 class microcontrollers, however, peak stack usage becomes a key constraint: while SMAUG-T can be executed on typical Cortex-M4 boards, the baseline HAETAE implementation exceeds the available SRAM (e.g., 91{,}176,B stack for signing), motivating dedicated memory optimization. To address this problem, we propose a suite of memory optimization techniques for SMAUG-T and HAETAE that enable their practical operation within the strict memory budget of the Cortex-M4. Experimental results demonstrate that, compared to the KpqClean_ver2 baseline, peak stack usage was reduced by 73–83~% for SMAUG-T5 (e.g., 24{,}300,B$4, 240 Bindecapsulation)andbyabout90 %forHAETAE5(e.g., 91, 176 B$8{,}092,B in signing). Furthermore, a branchless constant-time design was applied throughout to ensure that the optimized implementations remain robust against side-channel threats such as timing attacks. This work provides a practical methodology for deploying KpqC lattice-based cryptography in memory-constrained embedded environments.

Image showing part 2 of abstract.

Memory-Efficient Implementation of SMAUG-T and HAETAE (Yulim Hyoung, Subeen Cho, Uijae Kim, Minwoo Lee, Hwajeong Seo, Minjoo Sim) ia.cr/2026/442

Abstract. Private Set Intersection (PSI) allows two mutually distrusting parties to compute the intersection of their private sets without revealing any additional information. Fuzzy PSI, an approximate variant of PSI, allows the receiver to learn points of the sender that are “close” to its points. More formally, the receiver learns all y in the sender’s set that satisfy dist(x, y) < δ for some element x in the receiver’s set and threshold parameter δ. Recently, there has been significant progress on Fuzzy PSI, as it allows us to realize several important applications such as password matching, facial recognition, and contact tracing in a privacy-preserving manner. However, existing Fuzzy PSI constructions make strong assumptions on the input sets, such as receiver set disjointedness or projected disjointedness. In this work, we analyze those strong assumptions from a practical viewpoint and observe a gap between theory and practice, i.e., real-world data sets do not abide to those assumptions. To bridge the gap, we first define a new relaxed and weaker assumption based on the low density of sets, demonstrate the assumption to be practical, and build a compiler that converts constructions under the strong assumption to those under the new, practical assumption. At the core of our transformation is a novel idea involving higher-dimensional lifting and coloring. Combining our transformation with current Fuzzy PSI protocols under the strong assumption yields efficient and practical Fuzzy PSI protocols. We also concretely analyze the run-time and overhead of our transformed protocols for parameters for illustrative applications, such as password matching.

Image showing part 2 of abstract.

Fuzzy Private Set Intersection for Real-World Datasets (Satvinder Singh, Yanxue Jia, Aniket Kate) ia.cr/2026/441

Abstract. The transition to post-quantum cryptography (PQC) significantly increases the computational cost of TLS~1.3 handshakes. In particular, hybrid handshakes incur even greater overhead, as they require performing both classical and PQC algorithms for key exchange and authentication. This paper systematically analyzes the performance of hybrid PQC TLS~1.3 handshakes using a POSIX thread pool-based parallel execution model. We evaluate a total of 135 combinations comprising 3 classical KEMs, 3 ML-KEM variants, 3 classical DSAs, and 5 PQC DSAs. Sequential execution times range from 429.2 to 1,907.0~μs, while parallel execution times range from 356.7 to 1,380.8~μs, achieving speedups of 1.08× to 1.40× across all combinations. The highest speedup is observed in P-384-based configurations, where the overlap between classical and PQC operations is most pronounced. Furthermore, we recommend both throughput-oriented combinations based on FN-DSA and currently standardized ML-DSA combinations for each NIST security level. These results provide practical design guidance for mitigating performance degradation in hybrid PQC TLS deployments.

Image showing part 2 of abstract.

Performance Analysis of a Thread Pool-Based Parallel Execution Model for Hybrid Post-Quantum TLS 1.3 Handshakes (Si-Woo Eum, Min-Ho Song, Hwa-Jeong Seo) ia.cr/2026/440

Abstract. We specify OCH, the first authenticated encryption with associated data scheme built to provide 128-bit multi-user AE security, 128-bit context commitment security, and 256-bit nonces with optional nonce privacy. It therefore addresses pressing limitations of currently widely-deployed schemes. We construct and formally analyze the security of OCH in a modular fashion, with transforms that are of broader applicability. On Intel Raptor Lake CPUs, OCH using the Areion permutation family has a peak encryption speed of 0.62 cycles per byte (cpb), not far off from AES128-GCM (0.38cpb) and outperforming both ChaCha20/Poly1305 (1.63cpb) and TurboSHAKE128-Wrap (3.52cpb).

The OCH Authenticated Encryption Scheme (Sanketh Menda, Mihir Bellare, Viet Tung Hoang, Julia Len, Thomas Ristenpart) ia.cr/2026/439

Abstract. Private set intersection (PSI) has become extremely practical, in large part due to the fact that modern protocols rely almost exclusively on cheap, symmetric-key cryptography. The same cannot be said for the variant of PSI called updatable PSI (UPSI; Badrinarayanan et al., PoPETS 2022), where parties’ input sets evolve over time, and the cost of re-computing the intersection depends only on the changes to their sets. In existing UPSI protocols, the number of public-key operations scales with the number of items. In this work, we introduce the first UPSI protocol that largely avoids public-key operations. In fact, our protocol uses mostly the same protocol tools/techniques that have been so successful in making (plain) PSI truly practical. By leveraging symmetric-key primitives, our implementation achieves orders-of-magnitude improvements over prior work. Additionally, we observe that existing UPSI security proofs do not consider an adversary who can choose protocol inputs adaptively (i.e., choose which items to add to the set the current epoch based on the adversary’s view in previous epochs). We observe that several existing UPSI protocols are trivially broken by such adaptive input selection (even with semi-honest corruption). Several variants of our protocol are secure in the presence of adaptively chosen inputs. Along the way, we also introduce a new and cleaner abstraction for a common idiom of using an oblivious key-value store (OKVS; Garimella et al., Crypto 2021) to represent a set of items. Our new abstraction, called affine set encoding, may be of independent interest.

Image showing part 2 of abstract.

Updatable Private Set Intersection from Symmetric-Key Techniques (Junxin Liu, Peihan Miao, Mike Rosulek, Xinyi Shi, Jifeng Wang) ia.cr/2026/438

Abstract. Recently, Stateful Private Information Retrieval (PIR) has emerged as a promising new paradigm of PIR. Despite significant recent progress, state-of-the-art single-server schemes in this paradigm still suffer from practical inefficiencies in communication, computation, and/or client storage. In this work, we construct a new single-server stateful PIR scheme called HarmonyPIR that achieves efficient communication, computation, and client storage. From a technical standpoint, we build on the recent work of Wang and Ren (EUROCRYPT 25) and propose a new hint organization that uses only a single random permutation. The random permutation can be instantiated using either AES or the recently standardized FF1 Format-Preserving Encryption, yielding two variants of HarmonyPIR. Our new scheme achieves up to two orders of magnitude better amortized computation and up to five times better amortized communication than state-of-the-art schemes.

Efficient Single-Server Stateful PIR Using Format-Preserving Encryption (Pranav Shriram Arunachalaramanan, Ling Ren) ia.cr/2026/437

Abstract. Post-quantum assumptions may not rely on the difficulty of finding secret subgroups as many classical schemes did. Instead, several assumptions make use of more general group actions, with the belief that quantum algorithms are not helpful in this less structured setting. Famously, some isogeny constructions use the action of an ideal class group on elliptic curves, but equivalence problems in error-correcting codes and lattices also exhibit such structures. Previous works hence presented anonymity-preserving constructions in a generic group action framework; however, they were not general enough to encompass the group action underlying the Lattice Isomorphism Problem (LIP), for which the acting group is infinite (in fact, not even compact) and non-commutative. We bridge this gap by, from zero-knowledge proofs of OR statements, building generic blind signature and strong designated-verifier signature with non-delegability constructions from standard assumptions corresponding to a generalised group action inverse problem.

Image showing part 2 of abstract.

Post-Quantum Anonymous Signatures from the Lattice Isomorphism Group Action (Chris van Noorden, Paola de Perthuis) ia.cr/2026/436

Abstract. Traceable secret sharing complements traditional schemes by enabling the identification of parties who sell their shares. Recently, two independent works extended traceable secret sharing to general access structures. Goyal, Jain, and Partap [EC’26] introduced a model in which a reconstruction box is augmented with a label I ⊆ [n] and is only required to distinguish between two secrets when queried with the shares of parties in I. Based on how this label relates to the corrupted set J that built the box, they defined two notions of traceability. If I ∩ J = ∅, the model is called ∅-strong traceability, for which they presented a construction based on indistinguishability obfuscation (iO). Otherwise, their model is calledstrong traceability, for which they proved an impossibility result. Farràs and Guiot [EC’26] proposed a different model, which we call hiding traceability, where the reconstruction box has no label and the access structure is hidden from the parties. In this work, we improve traceable secret sharing for general access structures in three directions. First, we present a fully information-theoretic scheme for the ∅-strong traceability model, eliminating the need for strong cryptographic assumptions. This resolves an open question posed by Goyal, Jain, and Partap, who asked what are the minimal assumptions needed in the ∅-strong traceability model. Second, motivated by the impossibility of strong traceability, we introduce a relaxed notion calledhidden mildly strong traceability. This model is relevant in practice and bridges the strong and hidden models. For this setting, we present an information-theoretic scheme for general access structures. Finally, we consider the more general model of stateful traceability, where reconstruction boxes may keep state across queries, and we prove an impossibility result for this setting.

Image showing part 2 of abstract.

Information-Theoretic Strong Traceable Secret Sharing Schemes (Oriol Farràs, Miquel Guiot) ia.cr/2026/435

Abstract. End-to-end cloud storage solutions are deployed at large scale, yet recent works have demonstrated severe attacks against their confidentiality and integrity. Motivated by this, a first formal treatment of secure cloud storage was given at CRYPTO 2024 by Backendal, Davis, Günther, Haller and Paterson (BDGHP). They define syntax and security notions, capturing client-to-client security of cloud storage schemes with respect to a password distribution. They also give an efficient construction using the Two-Hash Diffie-Hellman (2HDH) OPRF and standard cryptographic building blocks, which they prove secure under selective corruptions in the random oracle model. However, several aspects of practical security guarantees remain open. We extend and refine the work of BDGHP along multiple dimensions, advancing the analysis of secure cloud storage schemes. First, we prove that their construction can be proven secure against adaptive corruptions (with a slight modification), circumventing technical challenges posed by file sharing. Second, we modularize the scheme further by introducing an abstraction for the authentication procedure. This allows us to identify the concrete role of 2HDH and alternative instantiations. Third, we introduce a weaker model that captures adversaries who can arbitrarily control the network, except during registration. This allows us to prove concrete guarantees about online password guessing attacks, whereas the stronger model inherently allows for offline guessing. Finally, we formalize and prove explicit authentication, relying on the security of our new authentication abstraction and the MAC scheme, where the latter was previously not used in the security analysis.

Image showing part 2 of abstract.

Secure Cloud Storage: Modularization, Network Adversaries and Adaptive Corruptions (Jonas Janneck, Doreen Riepel) ia.cr/2026/434

Abstract. This paper presents the first round-optimal threshold blind signature without random oracles. Our construction achieves security in the algebraic group model (AGM) for asymmetric pairing groups, and tolerates adaptive corruption of up to t − 1 signers, where t is the threshold. We improve upon the recent threshold blind signatures of Lehmann, Nazarian and Özbay (EUROCRYPT 2025) and Jarecki and Nazarian (ASIACRYPT 2025) in two ways: we eliminate both the reliance on random oracles and the need for q-type assumptions in the AGM. As a core building block, we introduce a new pairing-based round-optimal blind signature without random oracles, based on the 2-DL assumption in the AGM. Both blind signature schemes achieve communication and computation costs only twice that of the celebrated blind BLS signature.

Round-Optimal Threshold Blind Signatures without Random Oracles (Georg Fuchsbauer, Fabian Regen, Hoeteck Wee) ia.cr/2026/433

Abstract. The processing of ML-KEM (formerly CRYSTALS-Kyber), a key encapsulation mechanism with post-quantum security, is performed by multiplication, addition, and subtraction of polynomials whose coefficients lie in the finite field 𝔽₃₃₂₉. To reduce the number of such operations, it is common to use the Number Theoretic Transform (NTT). This paper focuses on arithmetic over 𝔽₃₃₂₉ and proposes the use of a logarithmic representation with respect to a primitive element α of 𝔽₃₃₂₉^(*) for implementing multiplication, addition, and subtraction over 𝔽₃₃₂₉. In this representation, multiplication in 𝔽₃₃₂₉^(*) can be reduced to addition in ℤ₃₃₂₈. Furthermore, addition and subtraction in 𝔽₃₃₂₉^(*) can be computed in the logarithmic domain by using Zech’s logarithm. However, special treatment is required when 0 ∈ 𝔽₃₃₂₉ is involved in the operations. This paper proposes a new implementation method of the logarithmic representation for arithmetic over 𝔽₃₃₂₉, including the handling of such exceptional cases.

Finite Field Arithmetic for ML-KEM Using Zech’s Logarithm (Masaaki Shirase) ia.cr/2026/432

Abstract. We revisit the three-round threshold Schnorr signature scheme Sparkle of Crites, Komlo, and Maller (CRYPTO 2023), as well as its variant Sparkle+. While Sparkle+ was accompanied by a claim of full adaptive security, subsequent work identified a gap in the analysis. Moreover, the original—and simpler and more efficient—Sparkle scheme has so far lacked even a proof of static security. We resolve this state of affairs by giving the first proof of static security for Sparkle and then, as our main result, a tight proof of full adaptive security in the pure random oracle model, i.e. without relying on the algebraic group model. The core obstacle is that, in the fully adaptive setting for Sparkle, rewinding arguments fundamentally break down. To address this, our proof is based on a new Vandermonde circular discrete-logarithm (VCDL) assumption, an interactive strengthening of the circular discrete-logarithm assumption of Cho et al. (CRYPTO 2025), originally introduced to prove tight security of basic Schnorr signatures. In particular, circular-style assumptions eliminate the need for rewinding. Beyond tightness, our analysis highlights circular-style assumptions as a general approach to achieving security in settings—such as full adaptive security—where rewinding is inherently problematic. We justify VCDL by reducing it to the low-dimensional vector representation (LDVR) problem of Crites et al. (CRYPTO 2025) in the elliptic-curve generic group model; conversely, VCDL implies LDVR in the standard model. Finally, we generalize VCDL (and similarly LDVR) by abstracting away the specific choice of Vandermonde vectors. As an application, we identify a different assumption within this framework that yields a tight proof of adaptive multi-user security for the basic Schnorr signature scheme, a result of independent interest.

Image showing part 2 of abstract.

Revisiting the Security of Sparkle (Ojaswi Acharya, Georg Fuchsbauer, Adam O'Neill, Marek Sefranek) ia.cr/2026/431

Abstract. It has been a very long standing open question whether the CFS signature scheme whose security is basically that of a McEliece scheme based on very high rate binary Goppa codes could be attacked or not. There was a first cryptanalytic result by Faugère et al in 2011 consisting in finding a distinguisher for the binary Goppa codes used in this scheme showing that these codes can be distinguished in polynomial time from a random binary linear code. However despite numerous cryptanalytic attempts and even if the original distinguisher has been significantly improved, no attack on the McEliece scheme based on binary Goppa codes has been found so far except for very peculiar Goppa codes of degree 2. We show here that the Pfaffian modeling used in the distinguishing attack of Couvreur, Mora and Tillich of Asiacrypt 2023 can actually be used together with a shortening trick and looking for squares in the corresponding ideal to find a polynomial attack on the CFS scheme based on very high rate binary Goppa codes.This breaks this 25 years old signature scheme. We demonstrate the effectiveness of this approach by recovering the key of TII McEliece challenges with a claimed key security of up to 210 bits.

Image showing part 2 of abstract.

An attack on the CFS scheme and on TII McEliece challenges (Magali Bardet, Axel Lemoine, Jean-Pierre Tillich) ia.cr/2026/430

Abstract. Range queries can filter, aggregate, and retrieve database entries that lie in a specified multi-dimensional rectangle. Private range queries allow a client to query a server’s public database while keeping the client’s multi-dimensional rectangle hidden. We construct RangeR, a constant-round private range query scheme that supports any associative aggregation function (e.g., SUM, MAX, TOP-K) and works with any number of servers. In the single-server setting, RangeR is orders of magnitude faster and uses 50%-90% less communication than HADES (VLDB 2025), a prior single-server private range query scheme that only supports linear aggregation functions. We describe how RangeR can be used to implement a privacy-preserving map application that can return the highest-rated restaurants near a user. Using data from OpenStreetMaps, we estimate that a user can find the highest-rated restaurants within one kilometer of their location within 2 seconds, while revealing only that the user is somewhere in the USA.

Efficient Private Range Queries on Public Data (Pranav Shriram Arunachalaramanan, Ananya Appan, David Heath, Ling Ren) ia.cr/2026/429

Abstract. The distributed nature of federated learning systems makes them vulnerable to backdoor attacks in which malicious clients manipulate local training data using trigger-dependent behaviors to cause targeted misclassification. Although homomorphic encryption preserves the privacy of model updates during aggregation, it limits the application of conventional defenses that require access to plaintext updates. Moreover, distinguishing poisoned models from benign variations becomes more challenging under non-independent and identically distributed (non-IID) data distributions.To address this challenge, we introduce a defense strategy that operates at inference time by identifying abnormal internal activation patterns within the aggregated global model, rather than filtering encrypted individual updates during training. The proposed approach analyzes neurons that exhibit low activation on clean inputs, referred to as “dormant” neurons, but become disproportionately active in the presence of trigger patterns. By constructing a statistical activation baseline using a small clean dataset, we derive class-specific thresholds that serve as decision boundaries to detect and reject suspicious predictions. Since the proposed method relies on global model behavior at inference time instead of inspecting individual client updates, it does not introduce additional training overhead and remains robust under non-IID data settings. Our approach maintains a strong balance between privacy, security, and accuracy by defending against backdoor attacks without requiring access to client updates. Experimental results demonstrate that even with a 99% attack success rate and 90% main-task accuracy, the proposed defense method successfully detects 100% poisoned images.

Image showing part 2 of abstract.

Defending Against Backdoor Attacks in Homomorphically Encrypted Federated Learning (Ikhlas Mastour, Imane Haidar, Layth Sliman, Raoudha Ben Djemaa) ia.cr/2026/428

Abstract. This paper formally specifies and analyzes the CK hybrid key encapsulation mechanism (KEM) construction from the IRTF CFRG’s recent draft on hybrid (post-quantum/traditional) KEMs CK combines two KEMs using a PRF to produce a hybrid KEM. Unlike the QSF framework of Barbosa et al., which combines an IND-CCA KEM with a nominal group (Diffie-Hellman-style), CK combines a C2PRI-secure post-quantum-secure KEM with an IND-CCA traditionlly-secure KEM constructed from an IND-CCA2 public key encryption (PKE) scheme, such as RSA-OAEP. We additionally show how to securely promote an IND-CCA2 PKE into an IND-CCA KEM. We perform two complementary security analyses of CK in the standard model: the first shows CK is IND-CCA assuming the traditional KEM is IND-CCA, the post-quantum KEM is C2PRI, and the KDF is a secure PRF; the second shows CK is IND-CCA assuming the post-quantum KEM is IND-CCA and the KDF is a secure PRF, even if the traditional KEM is completely broken. Neither proof requires the random oracle model.

StarHunters— Secure Hybrid Post-Quantum KEMs From IND-CCA2 PKEs (Deirdre Connolly, Mike Ounsworth, Sophie Schmieg, Douglas Stebila) ia.cr/2026/427

Abstract. The rapid advancement of quantum computing poses significant challenges to the security of existing cryptographic constructions. Several constructions that are provably secure in the classical setting, e.g., the 3-round Luby–Rackoff, Even–Mansour, Keyed Sum of Permutations, become vulnerable when the adversary is granted quantum oracle access (the Q2 model). In contrast, when the adversary is restricted to classical oracle queries while retaining the ability to perform quantum computations locally (the Q1 model), such attacks no longer apply. In this paper, we investigate the Q1 security of the Keyed Sum of Permutations construction and two closely related variants - one employing identical permutations and another using a single key. We prove that all three constructions achieve n/3-bit security in the Q1 model. In addition, for the same-key variant, we exhibit a key-recovery attack with matching complexity, thereby establishing the tightness of our security bound. For the remaining two constructions, we derive key-recovery attacks with complexity 2^(2n/3).

Post-Quantum Security of Keyed Sum of Permutations and Its Siblings (Nilanjan Datta, Avijit Dutta, Sougata Mandal, Hrithik Nandi, Amlan Sinha) ia.cr/2026/426