On Arithmetic Private Information Retrieval: Why Code-Based PIR (Usually) Fails (2026/1224)

Authors

Benny Applebaum, Tel Aviv University
Yuval Ishai, Technion – Israel Institute of Technology
Shahar Shechter, Tel Aviv University

Abstract
We initiate the study of arithmetic private information retrieval (APIR) schemes, in which the database is a vector of field elements and the scheme makes a black-box use of the field. We obtain the following results. 1. Our main result is a negative one: We show that no single-server APIR scheme can achieve non-trivial download cost smaller than $n$ field elements. We observe that recent proposals for code-based PIR (Holzbaur et al., ISIT'20; Verma and Hollanti, ISIT'24) are arithmetic, and show how to break them within a few minutes on a standard workstation for all suggested parameters. 2. We complement the above by positive results in alternative models. Concretely, we show that with either two servers or a single server with secret-key preprocessing, it is possible to construct computationally secure APIR schemes based on well-studied coding assumptions. This is achieved by arithmetizing the distributed-point-function-based PIR of Boyle et al.(CCS'16), and by observing that the recent construction of secret-key single-server PIR by Chen et al.(STOC'26) also arithmetizes. 3. Finally, we characterize the existence of information-theoretic two-server APIR schemes in linear-algebraic terms, and show that communication of $O(n^{1/3})$ can be achieved in this setting based on the original approach of Chor et al.(FOCS'95). The optimality of this result remains an interesting open question.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Neon NTT - (Auto)formalised (2026/1223)

Authors

Hanno Becker, Amazon Web Services

Abstract
This document provides a machine-checked Isabelle/HOL formalisation of the modular-arithmetic core of the Neon NTT paper of Becker, Hwang, Kannwischer, Yang, and Yang. We develop parametric theories of Barrett and Montgomery reduction and multiplication; the equivalence of Barrett and Montgomery arithmetic; the doubling- and rounding-Montgomery variants; and correctness and bounds theorems for Neon assembly kernels, against a hand-written model of the word arithmetic underlying the relevant Neon instructions. The development is a directed auto-formalisation: definitions, theorem statements, and proofs were produced by Claude Opus 4.7 and 4.8 using AutoCorrode's LLM-Isabelle integration layers. The human author set the architecture, chose abstractions and proof strategies, often nudged the model toward shorter or cleaner proofs, and controlled which output entered the development. This document is auto-generated from the Isabelle sources through Isabelle’s document preparation system, eliminating drift between prose and formal artifact.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

UCX is All You Need: A Universal Transform for Committing Authenticated Encryption (2026/1222)

Authors

Mihir Bellare, University of California, San Diego
Rishabh Ranjan, University of California, San Diego
Nujud Senan, King Abdulaziz City for Science and Technology
Basel Alomair, King Abdulaziz City for Science and Technology , University of Washington , HUMAIN

Abstract
Emerging attacks and applications have motivated the development of transforms that turn a given AE scheme into a committing AE (cAE) one. We give a new transform called UCX with the following attributes: It does not require the starting scheme to be tag based, works for schemes in the broad AE5 framework rather than the limited AE1 one, and preserves both UNAE (Unique Nonce AE) and MRAE (Misuse Resistant AE) security. No prior transform is ``universal'' in the sense of having the combination of all these properties. The use of UCX in place of prior, limited transforms reduces the risk of error and failure in the real world, where choices may be made by application developers and hidden in software libraries. The committing security of UCX is shown in the ideal-cipher model, and its AE5-security in the standard model. To design UCX, we introduce and build a new primitive, that we call a Tweakable Committing Concealer, and that may be of independent interest.
(show hidden)

Publication status: A minor revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Achieving Shannon Capacity for Computationally Bounded Errors (2026/1221)

Authors

George Lu, The University of Texas at Austin
Jad Silbak, Massachusetts Institute of Technology
Daniel Wichs, Northeastern University , NTT Research

Abstract
We study error correction in a computationally bounded world, where errors are introduced by an arbitrary polynomial-time adversarial channel. Recent works construct seeded codes in this model, where the encoding and decoding procedure share a public random seed. They achieve significantly better tradeoffs between rate and error tolerance than what is possible information theoretically for unique decoding, essentially matching the parameters of the best known efficiently list-decodable codes. Over the binary alphabet, however, this is still well short of the optimal Shannon capacity with rate $R \approx 1 - H_2(p)$ for a $p < 1/4$ fraction of errors. Even heuristic constructions meeting this target were not previously known. We make progress towards this goal. - $\textbf{Secret-Key Codes.}$ We first study secret-key codes, where the encoder and decoder share a secret key hidden from the adversarial channel. Lipton (STACS '94) constructed one-time secure secret-key codes achieving Shannon capacity in this setting, but it was unknown whether one can get CPA (resp. CCA) security where the adversary may query an encoding oracle (resp. also a decoding oracle). We construct CCA-secure secret-key codes achieving Shannon capacity via pseudorandom codes (PRCs). - $\textbf{Seeded Codes (Heuristic).}$ We can heuristically upgrade the resulting secret-key codes to seeded codes by publishing an obfuscation of the encoding/decoding procedures with a hard-coded secret key as a seed. Security holds in the ideal obfuscation model. - $\textbf{Public-key Codes.}$ We also consider public-key codes, where the decoder has a secret key and the encoder has the corresponding public key. We construct such CPA-secure public-key codes achieving Shannon capacity with unique decoding for $p < 1/4$ errors, and list decoding all the way to $p < 1/2$ errors, assuming PRCs and the subexponential security of standard crypto assumptions (e.g., LWE or DDH or QR or DCR). We also show how to get CCA security in the random oracle model. Our secret-key and public-key codes meeting Shannon capacity are also simultaneously pseudorandom codes.
(show hidden)

Publication status: A minor revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Explicit Transformations from Edge-Depth-Robust to Node-Depth-Robust Graphs with Improved Concrete Efficiency (2026/1220)

Authors

Jeremiah Blocki, Purdue University West Lafayette
Nathan Smearsoll, Purdue University West Lafayette

Abstract
Depth-robust directed acyclic graphs (DAGs) are an important combinatorial primitive in cryptography, with applications to memory-hard functions, proofs of space, and proofs of sequential work. These applications require node depth-robustness, yet constructing sparse graphs with strong concrete guarantees remains a longstanding challenge. By contrast, edge depth-robust graphs are easier to construct explicitly and achieve better parameters, motivating the problem of efficiently transforming edge-depth-robust graphs into node-depth-robust graphs. We give a new and substantially more efficient transformation from edge-depth-robust graphs to node-depth-robust graphs. We give a new and substantially more efficient transformation from edge-depth-robust graphs to node-depth-robust graphs. Prior work of Blocki and Cinkoske (ITCS 2021) gave a general transformation by replacing each node with an ST-robust graph, resulting in extraordinarily large overhead and relying on non-explicit components. In contrast, our transformation replaces each node with a single superconcentrator rather than an ST-robust graph, yielding an explicit construction whenever the input graph is explicit, with dramatically improved concrete efficiency. Formally, given an $(e,d)$-edge-depth-robust graph $G$ with $N$ nodes and $m$ edges, our transformation generates a graph $G'=Transform(G_N)$ with $N' = O(m)$ nodes, constant indegree, and $(e/3,\, 2d-1)$-node depth-robustness. We also show that the transformation preserves fractional depth-robustness. Moreover, when $m=\omega(N)$, we show that our transformation can amplify depth --- overcoming a key limitation of prior work. In particular, for any parameter $d'$, we can obtain a constant-indegree graph $G'$ with $N' = O(m+d'N)$ nodes and $(e/3,\, (d-e)d')$-node depth-robustness, yielding asymptotically tighter results in the important setting where $m = \omega(N)$ and $e \geq d$ by setting $d' \sim m/N$. As an application, We provide a novel analysis of Schnitger's edge-depth-robust graph construction (FOCS 1983). We show that the graph $G_n$, which has $N=2^{n+1}-1$ nodes and $m \leq n2^{n}$ edges, is $(e,2d-1)$-edge-depth robust for all $e + d \leq 2^n$. Applying our transformation yields an explicit DAG on $N'$ nodes with maximum indegree $2$ and depth-robustness parameters $e = \Omega(N'/\log N')$ and $d = \Omega(N')$, matching the best known asymptotic trade-offs—even compared with non-explicit constructions—while improving the best previously known concrete ed-product lower bound by a multiplicative factor of 6.6.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Algorithms for solving the isogeny problem with oriented elliptic curves (2026/1219)

Authors

Maria Corte-Real Santos, École Normale Supérieure de Lyon , French National Centre for Scientific Research
Arthur Herlédan Le Merdy, KU Leuven
Joseph Macula, University of Colorado Boulder
Michael Meyer, University of Regensburg
Travis Morrison, Virginia Tech
Eli Orvis, University of Colorado Boulder

Abstract
We introduce WayFinder, a framework for generalizing the Delfs-Galbraith and SuperSolver algorithms for the supersingular isogeny problem. Our framework extends the search for elliptic curves with an orientation by an order containing $\mathbb{Z}[\ell \sqrt{-p}]$ to more general orders, and we derive a cost model for such generalisations. Our cost model not only works in a more general context, but also provides more accurate predictions when applied to SuperSolver. We instantiate WayFinder for orders containing $\mathbb{Z}[\ell_1\sqrt{-\ell_2p}]$ where $\ell_i$ are $1$ or primes such that the modular curve $X_0(\ell_2)$ has genus $0$. We then introduce a low-storage algorithm for computing an isogeny between two oriented supersingular elliptic curves, even when the curves are oriented by distinct orders. Together, these provide an algorithm that improves on the state of the art for solving the isogeny problem, and a cost model with potential applications to parameter selection in isogeny-based cryptography.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

High-Accuracy, Poisoning-Resilient Frequency Estimation in the Shuffle Model (2026/1218)

Authors

Shaoqiang Wu, Nankai University
Jingyu Jia, Nankai University
Yikuan Zhu, Nankai University
Xinhao Li, Nankai University
Changyu Dong, Guangzhou University
Zheli Liu, Nankai University

Abstract
We study frequency estimation in the shuffle model of differential privacy under poisoning attacks, where corrupted users may deviate from the local randomizer to inject crafted in-domain messages. Existing shuffle-model protocols face a core tension: achieving low estimation error relies on flexible multi-message noise generation, which can amplify poisoning influence once messages are anonymized by shuffling. To address this tension, we propose a symmetric binomial-sum noise distribution (i.e., $\mathrm{Bin}(n/2,p) + \mathrm{Bin}(n/2,1-p)$), which preserves high accuracy while limiting the impact of crafted in-domain messages. We realize this distribution via preprocessing-guided noise generation, which routes a balanced collection of mode flags through the shuffler so that each user receives a randomly assigned mode flag that fixes their noise-sampling behavior prior to shuffling. For binary estimation, our protocol requires a single Bernoulli trial per user and at most $2$ messages per user ($1.5$ on average), while bounding the worst-case poisoning influence of a single corrupted user by $O(1/n)$. We extend the protocol to histograms, including large domains via hashing, and provide formal privacy, accuracy, and robustness guarantees. Experiments on real datasets show that our protocols remain resilient under poisoning and reduce MAE by up to nearly $2\times$ over the strongest baseline at comparable per-user communication on small-domain workloads, and stay on par with it on large domains.
(show hidden)

Publication status: Published elsewhere. Major revision. USENIX Security 2026 First uploaded: , last revision:

Secure Computation against $\mathsf{NC^1}$ Leakage without Secure Hardware (2026/1217)

Authors

Yuyu Wang, University of Electronic Science and Technology of China

Abstract
In this work, we construct (stateful) leakage-resilient circuits (LRCs) secure against bounded-output-length leakage functions computable by \(\mathsf{NC}^1\) circuits under the mild worst-case assumption \(\mathsf{NC}^1 \subsetneq \oplus\mathsf{L}/\mathsf{poly}\), without relying on any leak-free hardware components, thereby resolving the open problem left by Bogdanov, Ishai, and Srinivasan (Journal of Cryptology, 2021) and Wang (CRYPTO 2025). Concretely, we first construct a leakage-tolerant circuit with succinct setup (sAI-LTC) secure against 2-adaptive \(\mathsf{NC}^1\) leakage, and then generically combine it with a 2-adaptive leakage-resilient composable encoding scheme to obtain the desired LRC. We further give a direct non-black-box instantiation that optimizes the compiled circuit size at the cost of a slightly larger setup, matching the circuit size of Wang's construction that relies on leak-free hardware while using a more compact setup. Finally, we show that our sAI-LTC generically implies a fine-grained multi-theorem non-interactive proof system for all \(\mathsf{NP}\), with compact common reference strings, perfect soundness, and multi-theorem zero-knowledge with offline simulation against \(\mathsf{NC}^1\) adversaries.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

New Quantum-Classical Algorithm or the Discrete Logarithm Problem over $\mathbb{Z}_{p}^{*}$ (2026/1216)

Authors

Hidenori Kuwakado, Kansai University
Shoichi Hirose, University of Fukui

Abstract
Shor demonstrated that the discrete logarithm problem in the multiplicative roup $\mathbb{Z}_{p}^{*}$, where $p$ is an odd prime, can be solved fficiently using a period-finding algorithm based on the quantum Fourier transform. In this paper, we propose a quantum-classical algorithm based on algebraic properties that do not rely on periodicity. Specifically, we show that the hardcore predicate for the discrete logarithm problem, which was introduced by Blum and Micali, can be reduced, using the swap test, to the problem of distinguishing between two Bernoulli distributions. In our algorithm, although the swap test is used as a quantum subroutine, most of the computation is performed classically. Moreover, the algorithm does not require the quantum Fourier transform.
(show hidden)

Publication status: Published elsewhere. Major revision. The 54th Quantum Information Technology Symposium First uploaded: , last revision:

On the Cryptographic Structure Required for Verifying Qubits (2026/1215)

Authors

James Bartusek, Columbia University
Itay Shalit, Stanford University

Abstract
Classically testing for the presence of anti-commuting operators on a quantum device is a critical tool underpinning recent progress in classical verification of quantum computation. While such tests can be based on cryptographic assumptions, known constructions rely on highly structured assumptions, e.g. trapdoor claw-free functions. In this work, we seek to explain this state of affairs by constructing strong cryptography from (certain forms of) classical tests of anti-commutation. In particular, we formulate the notion of a test of non-commutation (ToNC), an interactive protocol between a quantum prover and classical verifier in which the prover's final-round response is obtained by measuring one of two binary observables 𝑃₀, 𝑃₁ depending on the verifier's challenge bit 𝑐. We prove that, for a broad range of parameters, ToNC implies classical-communication key agreement (KA), and ToNC combined with one-way functions implies oblivious transfer (OT). Along the way, we develop tools for and provide the first known results on hardness amplification for post-quantum KA and OT, where communication is classical but adversaries may be quantum. In particular, we prove the following results of independent interest. - Post-quantum hard-core measure theorem: For any efficiently sampleable high-min-entropy distribution 𝐷 over pairs (𝑥,𝑏) such that quantum circuits have advantage at most 𝛿 in predicting 𝑏 from 𝑥, there exists a sub-distribution 𝑀≼𝐷 of density 1-𝛿 on which 𝑏 is nearly optimally quantum-hard to predict. - Post-quantum interactive XOR lemma: Given any classically-interactive protocol, if quantum adversaries have advantage at most 𝛿 in guessing a private challenger bit 𝑏, then two sequential repetitions reduce the advantage for predicting the XOR of the challenger bits 𝑏₁⊕𝑏₂ to at most 𝛿² + negl(𝜆).
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Faster Leader-Based Consensus via Certificates of Exclusivity and Overlapping Iterations (2026/1214)

Authors

Matthieu Rambaud, Télécom Paris

Abstract
Blockchain consensus protocols, also known as BFT state-machine replication, enable a system of $n$ players to decide an ever-growing chain of blocks. We consider partial synchrony: after an unknown time GST, messages sent by honest players are delivered within an unknown actual delay $\delta$, and a known bound $\Delta$ satisfies $\delta \leq \Delta$. This setting imposes $t<n/3$ corruptions. We study leader-based consensus, a class with the smallest known latency metrics when sufficiently many designated leaders behave honestly. We consider the mainstream metric of {expected latency in the view-based sense:} for a transaction known to all honest players having entered a post-GST iteration, this is the expected time until that transaction appears in a decided block, under independent random leaders. We introduce Hamster, a rotating-leader consensus protocol, which reduces this expected latency to $\Delta+4\delta$, down from the previous $1.5\Delta+3.5\delta$ bound achieved by Simplex (Chan-Pass, TCC'23) for the same view-based metric. Hamster also brings this latency further down to $\Delta+3.5\delta$ for adversaries that do not get publicly caught equivocating. The main technical novelty is a certificate of exclusivity for a block $B$. It is shown by the next leader as evidence that players can safely vote for a child of $B$. A certificate of exclusivity is an interpolation between a quorum certificate and a timeout certificate, in that it is formed from a mix of votes for a unique block $B$ and complaint votes, proving that $B$ is the only non-dummy block that can still obtain a decision certificate for that iteration. The other novelty of Hamster is the use of {overlapping iterations: after a process has supported a newer proposal, the protocol may still allow it to support a safe proposal of an earlier iteration}. This overlap is what allows old honest proposals to be decided in time despite players advancing iterations faster. We also analyze another metric, called the {pessimistic block proposal time}, which is the time during which a bad leader can delay the proposal of a transaction in a block which will be decided. Hamster achieves a pessimistic block proposal time of $2\Delta+2\delta$, refined to $2\Delta+\delta$ for leaders not caught equivocating, down from $3\Delta+\delta$ for Simplex.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Another Look at Non-Frameability in Group Signatures for Anonymous Auctions (2026/1213)

Authors

Cao Shiqi, Kanazawa University
Keita Emura, Kanazawa University , National Institute of Advanced Industrial Science and Technology

Abstract
In addition to anonymity and traceability, which are the primary security properties of group signatures, non‑frameability is also defined (Bellare-Shi-Zhang, CT-RSA 2005). This property guarantees that even an adversary colluding with all authorities (the opener and the issuer) cannot produce a signature that frames an honest user, and it is regarded as a security notion that protects users. In this short note, we introduce a new perspective on non-frameability, namely that it can also protect the authorities, and we examine its significance in the context of anonymous auctions, a well‑known application of group signatures. We show that non-frameability serves as an effective countermeasure against situations in which a winning bidder falsely claims not to have placed a bid and accuses the organizer of forgery.
(show hidden)

Publication status: Published elsewhere. Minor revision. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 2027 First uploaded: , last revision:

SecLoRA: Secure Aggregation of Low-Rank Matrix Products via Functional Encryption (2026/1212)

Authors

Jiangtao Li, Shanghai University
Wei Zhang, Shanghai University
Chen Gong, Shanghai University
Jason (Minhui) Xue, CSIRO , Adelaide University
Junqing Gong, East China Normal University

Abstract
Federated fine-tuning of Large Language Models via Low Rank Adaptation (LoRA) faces a critical privacy-efficiency trade-off: low-rank factors can leak sensitive data, yet standard secure aggregation is restricted to linear operations. Existing solutions for aggregating matrix products (e.g., $\mathbf{B}_i \mathbf{A}_i$) either sacrifice exactness, depend on a trusted third party, or incur prohibitive costs at scale. We present SecLoRA, the first decentralized framework achieving exact aggregation of LoRA updates with linear communication complexity. The core of SecLoRA is a novel cryptographic primitive: Pairwise Composable Multi-Client Functional Encryption (PC-DMCFE). Unlike traditional functional encryption, which treats ciphertext recombination as an attack, the dual-encryption architecture of PC-DMCFE ($\mathsf{Enc}_A, \mathsf{Enc}_B$) is intentionally designed to harness this property. It allows any ciphertexts $\mathsf{ct}_A$ and $\mathsf{ct}_B$ to be arbitrarily paired and evaluated via a functional key to reveal their inner product. This unique property enables secure and decentralized aggregation of matrix products without losing LoRA's linear communication advantages. Furthermore, SecLoRA ensures round-isolated decryption to prevent temporal leakage without extra interaction. Evaluation shows that SecLoRA is practical for cross-silo deployments.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Private Information Retrieval: Share Conversions vs. Decoding Polynomials (2026/1211)

Authors

Amos Beimel, Ben Gurion University
Or Lasri, Ben Gurion University

Abstract
A private information retrieval (PIR) protocol enables a client to retrieve a bit from an $N$ bit database replicated among $k$ servers in such a way that each server learns no information about the retrieved bit. Modern PIR protocols with information-theoretic privacy (Efremenko, SICOMP, 2012; Dvir and Gopi, STOC, 2015; Ghasemi et al., STOC, 25) are based on matching vectors over a composite number $m$. To construct a PIR protocol from the matching vectors, these protocols use a decoding polynomial, a sparse polynomial that returns a non-zero value on 1 and returns zero on a certain set implied by the matching vectors. Beimel et al. (CCC, 2012) abstracted the properties required by the transformation computed by the decoding polynomial, defining the notion of share conversion. In such a conversion, a set of parties is given shares of a secret in one secret-sharing scheme, and each party locally computes a new share (without any communication) such that the new shares are shares in a second secret-sharing scheme of a related secret. Beimel et al. showed that share conversion can replace the decoding polynomial in the PIR protocol of Efremenko and constructed a share conversion from the ring $\mathbb{Z}_6$ to the field $\mathbb{F}_{2^2}$. This share conversion cannot be computed by a decoding polynomial, as decoding polynomials convert shares from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$. Alon et al. (TCC, 2025) simplified and generalized the PIR protocols of Dvir and Gopi and Ghasemi et al., using share conversion; however, in this protocol, the share conversion is from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$. In this paper, we study the power of share conversions. Our main result proves that if there is a $k$-party share conversion from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$ such that $p$ does not divide $m$, then there is a $k$ sparse decoding polynomial from a ring $\mathbb{Z}_m$ to a finite field of characteristic $p$. This result implies that using share conversion in the protocol of Alon et al. can only improve the communication complexity by a constant factor. In addition, we show that if there is a $k$-party share conversion from a ring $\mathbb{Z}_m$ to a finite field, where $m$ is a product of $r$ distinct primes, then $k\geq r+1$, i.e., the number of servers in the resulting PIR protocols using the appropriate matching vectors is at least $r+1$. A similar result was recently proved by Ghasemi and Kopparty (ITCS 26); our lower bound also applies to the case in which the characteristic of the field divides $m$.
(show hidden)

Publication status: Published by the IACR in CRYPTO 2026 First uploaded: , last revision:

Uncloneable Cryptography in Linear Quantum Memory (2026/1210)

Authors

Andrew Huang, Massachusetts Institute of Technology
Omri Shmueli, NTT Basic Research Laboratories
Vinod Vaikuntanathan, Massachusetts Institute of Technology
Mark Zhandry, NTT Basic Research Laboratories , Stanford University

Abstract
Quantum cryptography is a rapidly developing area which leverages quantum information to accomplish classically impossible tasks. In many of these protocols, quantum states are used as long-term cryptographic keys, relying on the quantum no-cloning theorem to ensure that the keys cannot be copied by an adversary. Unfortunately, quantum state tend to decohere, and hence, persistent quantum memory is and will remain one of the most valuable and challenging resources for quantum computers. As such, it will be important to minimize the extent to which our protocols use persistent quantum memory. In this work, we consider the case of one-shot signatures (OSS), and more general quantum signing tokens, important uncloneable primitives where quantum signing keys allow for signing a single message but not two. Very recently, the first OSS scheme was constructed unconditionally in a classical oracle model as well as in the standard model under cryptographic assumptions (Shmueli and Zhandry, CRYPTO 2025). We observe that the quantum memory required for these protocols is a large polynomial (in the security parameter). The main contribution of this work is to significantly decrease the quantum secret key size, in some cases achieving the asymptotically optimal size. One of our schemes guarantees perfect correctness and the other one admits a parallel signing algorithm for long messages. We also achieve strong signature incompressibility, which implies a public-key quantum fire scheme (Çakan, Goyal and Shmueli, QCrypt 2025) with perfect correctness. During the course of this work, we develop novel techniques for proving the security of cryptosystems using coset states, one of the main tools used in uncloneable cryptography.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Latency-Aware, High-Throughput Homomorphic AES Evaluation with CKKS (2026/1209)

Authors

Taeseong Kim, Seoul National University
Jonghoo Lee, CryptoLab, Inc.
Taeyeong Noh, CryptoLab, Inc.
Jung Hee Cheon, Seoul National University , CryptoLab, Inc.
Guillaume Hanrot, CryptoLab, Inc.

Abstract
Homomorphic Advanced Encryption Standard (AES) evaluation refers to evaluating the AES circuit with a fully homomorphic encryption (FHE)-encrypted secret key. Applications include in particular Transciphering, which converts AES-encrypted data into FHE ciphertexts without exposing the secret key. Existing homomorphic AES evaluations show a clear separation between latency-oriented solutions and throughput-oriented solutions. CKKS-based methods exploit massive SIMD parallelism and focus on throughput by processing many AES blocks in parallel. They are hardly suitable for latency-critical settings. In contrast, TFHE-based methods process a small number of blocks efficiently. They are preferable for low-latency settings, but provide very limited throughput. In this work, we show that AES-CKKS evaluation can achieve both interactive latency and high throughput. Our first variant is optimized for latency and decrypts a single AES block in only 34ms on an NVIDIA RTX-5090. This is more than 4× faster than recent TFHE-based state-of-the-art approaches. Our second variant is based on a new embedding of $\textrm{GF}(16)$, the finite field with 16 elements, into CKKS message space. It is optimized for throughput and processes up to 2048 AES blocks at once, achieving over 200KB/s throughput (a more than 3.1× improvement over the state-of-the-art CKKS-based approaches), while maintaining latency comparable to TFHE-based methods. To the best of our knowledge, this is the first AES-FHE evaluation algorithm combining good latency and throughput properties, bringing homomorphic outsourcing with AES within reach of real-time applications on constrained devices. Our main ingredients are redundant structures that maximize SIMD utilization, improved algorithms for the SubBytes step (one of them being based on inversion in $\textrm{GF}(256)$ using CKKS), fusion of linear layers into bootstrapping, and carefully crafted FHE parameters.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Preimage sampleable function families without discrete Gaussians (2026/1208)

Authors

Eamonn W. Postlethwaite, King's College London
Filip Trenkić, King's College London

Abstract
We construct preimage sampleable function families on $q$-ary lattices [Gentry–Peikert–Vaikuntanathan, STOC'08] for which preimage sampling reduces to sampling uniform points of unitriangular lattices from simple polytopes: affine linear transforms on the $\ell_1$ and $\ell_\infty$ balls, and a scaled intersection thereof. We build the necessary samplers by adapting an algorithm of [Kannan–Vempala, STOC'97] and improving its analysis. This sampling requires only uniform bits and affine linear transforms on the uniform distribution on $[0,1]$. The collision resistance of these families relies on the short integer solutions problem [Ajtai, STOC'96] in various $\ell_p$ norms. Considering the Lee metric as the $\ell_1$ norm in $q$-ary lattices, we answer an open question to construct such families for the Lee metric [Hörmann–van Woerden, CRYPTO'24]. We also answer an open question of [Plançon--Prest, PKC'21] by sampling from polytopes with inradius smaller by a factor almost square root in the lattice rank. We provide a generic framework for constructing preimage sampleable function families from polytopes with sufficient conditions for realising it. While our parameters are worse than prior discrete Gaussian based constructions, such distributions are challenging from a physical security perspective.
(show hidden)

Publication status: Published by the IACR in CRYPTO 2026 First uploaded: , last revision:

"Sticking their heads out above the parapets": Lived Experiences of Legal Risks in Research (Extended) (2026/1207)

Authors

Sunoo Park, New York University
Daniel R. Thomas, University of Strathclyde

Abstract
Overbroad computer crime, intellectual property, and other laws are well known to create legal risks that can discourage essential research. Notable examples include the US Computer Fraud and Abuse Act and the UK Computer Misuse Act. Because such laws fail to distinguish malicious hacking from good-faith testing and research, researchers face serious legal risks for public-interest research activity like identifying software or hardware vulnerabilities or scraping data. Despite the research community's broad awareness of these risks, our understanding of their practical impacts is limited, as most of the community's knowledge comes from anecdotal evidence rather than systematic study. We conduct the first qualitative study focused on researchers' lived experiences, to empirically document the *impacts of legal risks and threats* on research and researchers*, and *how researchers navigate legal risk situations*. Our study engages two participant groups: researchers with legal-risk experiences in the UK or the US ($N_R=36$), who discuss 130 projects and incidents spanning over three decades, and professionals that offer support to researchers navigating legal risks ($N_S=8$), who have collectively supported thousands of researchers. We thus provide an unprecedented big-picture view of researchers' experiences with legal risks. We synthesise actionable strategies for researchers, and our findings provide evidence to support policy reform.
(show hidden)

Publication status: Published elsewhere. Major revision. USENIX Security Symposium 2026 First uploaded: , last revision:

Scalable, quantum-accessible, and adaptive pseudorandom quantum state and pseudorandom function-like quantum state generators (2026/1206)

Authors

Rishabh Batra, Centre for Quantum Technologies, Singapore , National University of Singapore
Zhili Chen, Centre for Quantum Technologies, Singapore , National University of Singapore
Rahul Jain, Centre for Quantum Technologies, Singapore , National University of Singapore , MajuLab, UMI 3654, Singapore
YaoNan Zhang, Centre for Quantum Technologies, Singapore , National University of Singapore

Abstract
We show new constructions for pseudorandom quantum states (PRS) and pseudorandom function-like quantum state (PRFS) generators satisfying scalability, which means the security parameter can be much larger than the number of qubits, quantum accessibility, which means the adversary can provide quantum input, and adaptivity, which means the adversary can query it adaptively. We present an isometric procedure to prepare quantum states that can be arbitrarily random (i.e., the trace distance from the Haar-random state can be arbitrarily small for the true random case, or the distinguishing advantage can be arbitrarily small for the pseudorandom case). This naturally gives the first construction for scalable, quantum-accessible, and adaptive PRFS assuming quantum-secure one-way functions. Compared to prior PRFS works, we use a stronger definition of quantum accessibility in which the adversary can be ancilla-assisted, i.e., the input state may not be pure and could be entangled with other quantum registers. Thus, our result also gives the first (fully) quantum-accessible PRFS. Our PRFS construction implies various primitives, including long-input PRFS, short-input PRFS, short-output PRFS, non-adaptive PRFS, and classically-accessible adaptive PRFS. This new construction may be helpful in simplifying the microcrypt zoo.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

StakeNote: A Proof-of-Stake Protocol for CryptoNote Payments (2026/1205)

Authors

Bernardo David, Common Prefix , IT University of Copenhagen (ITU)
Dimitris Karakostas, Common Prefix

Abstract
This work proposes StakeNote, a distributed ledger protocol that combines Proof-of-Stake (PoS) with privacy and anonymity preserving payments. The protocol combines Ouroboros Praos, a provably secure PoS protocol, with CryptoNote, a privacy-preserving payment system based on ring signatures which has been widely used in practice. We prove that StakeNote inherits the security guarantees of Ouroboros Praos and the privacy guarantees of CryptoNote and we demonstrate its practicality via a proof of concept implementation, where block creation requires less than 25 ms and eligibility proofs are approx. 3 KB for anonymity sets of size 16. Finally, we discuss heuristic enhancements that potentially increase privacy and enable dynamic participation.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Robust Single-Trace Full-Key Extraction from Million-Point Traces With Cross-Implementation Transfer (2026/1204)

Authors

Aron Gohr, cryptosolutions
Friederike Laus, Independent Researcher
Gregor Leander, Ruhr University Bochum

Abstract
End-to-end deep-learning side-channel attacks on public-key implementations have recently become possible even for million-sample traces. However, existing methods require large computational resources and extract only partial key shares, which means that dedicated post-processing is required to turn detected leakage into demonstrations of successful key recovery attacks. We present an end-to-end sequence-to-sequence prediction approach to recover complete 256-bit key shares from single raw traces on the SCAAML ECC datasets recently studied by Bursztein et al (TCHES 2024). Our solution combines aggressive trace compression for dimensionality reduction with a 1-D U-Net trained using Connectionist Temporal Classification loss. The key idea is to decouple detecting leakage from mapping each leakage site to the correct part of the secret: the network outputs an annotated map of the trace marking likely leakage sites, and a greedy decoder reconstructs the ordered key bits from that map. Using synthetic tasks, we show that this division of labor circumvents a fundamental problem that causes neural network architectures and training methods commonly used in side-channel analysis to struggle with massive multi-target or misaligned extraction tasks. As a result, we are able to train a single extractor that achieves high accuracy on all four SCAAML ECC datasets in a single training run that takes minutes on a single GPU. The resulting extractors are robust, essentially maintaining their performance under large misalignment (we empirically tested rotations up to \(61\%\) of trace length), while degrading gracefully under a variety of trace corruptions, and even time reversal. They transfer across key shares and datasets with little degradation and no retraining. The U-Net outputs also yield prediction maps that localize leakage along the trace prior to decoding.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Signatures with Post-Compromise Accountability (2026/1203)

Authors

Dennis Dayanikli, Hasso Plattner Institute, University of Potsdam
Johannes Lang, Technische Universität Dresden
Anja Lehmann, Hasso Plattner Institute, University of Potsdam

Abstract
Cryptographic signatures play an integral part in ensuring authenticity and integrity in digital systems. Their security crucially relies on the secrecy of the signing key, since knowledge of this key enables an adversary to generate valid signatures on any message. Once a signing key is compromised, the standard countermeasure is to revoke the corresponding public key and to invalidate all signatures produced for this key. However, with this approach even legitimate signatures created by the honest signer would retroactively lose their validity. In this work, we initiate the formal study of a new approach - Signatures with Post-Compromise Accountability (SPCA) - which provides security guarantees even after the secret key was compromised. This notion effectively introduces a grace period for the legitimate key owner, during which the validity of honestly generated signatures is preserved despite the adversary’s knowledge of the secret key. We formally define SPCA and its security guarantees, and present two constructions achieving this notion. Our first construction generalizes the signature-in-signature approach of Błaśkiewicz et al. (ESORICS '21), where an inner signature is embedded into the randomness of an outer signature. This construction, however, requires revealing the signing secret key during revalidation. Our second construction overcomes this limitation by enabling revalidation without disclosing the secret key, yielding stronger security guarantees.
(show hidden)

Publication status: Published elsewhere. Major revision. SCN 2026 - 15th International Conference on Security and Cryptography for Networks First uploaded: , last revision:

Morphic Accumulators and Applications: Optimal Range Proofs, Polynomial Commitments, and Ring Signatures (2026/1202)

Authors

Dimitrios Papadopoulos, Hong Kong University of Science and Technology
Qiang Tang, The University of Sydney
Jiajun Xin, The University of Sydney

Abstract
Cryptographic accumulators based on groups of unknown order (GUO) provide constant-size set membership proofs. For security purposes, existing works require first encoding set elements via division-intractable (DI) hash functions, typically instantiated as random oracles that destroy any algebraic structure. This confines GUO-based accumulators to a purely set-membership role, making them "incompatible" with various existing cryptographic proof techniques over committed integers in the same groups as the GUO, such as constant-size proofs of exponentiation and modular exponent relations. We introduce the notion of morphic accumulators, which replaces the DI hash with a discrete logarithm encoding $H_g(x) = g^x$, mapping set elements to a group before accumulation. We prove, under a variant of the subset product assumption in the generic group model, that this encoding is inherently division intractable, achieving the same security guarantee as random-oracle DI hashes, while simultaneously being a group homomorphism: accumulated elements retain their group-algebraic relationships. This resolves a fundamental tension between compact representation and algebraic structure: the accumulator serves simultaneously as a binding commitment to a set and as a substrate for homomorphic computation over its elements. Morphic accumulators yield asymptotically optimal constructions across multiple domains: range proofs with $O(n)$ prover time, $O(1)$ proof size, $O(1)$ verification with transparent setups (the first scheme to simultaneously achieve these optimal bounds); polynomial commitments with $O(n)$ prover and $O(1)$ proof size, resolving the cubic bottleneck in prior constant-proof-size GUO-based schemes; and the first linkable ring signatures with $O(1)$ signature size, transparent setup, $O(n)$ offline signing and $O(1)$ online signing.
(show hidden)

Publication status: A major revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Silentium revisited: Pseudorandom Beaver Triple Expansion (2026/1201)

Authors

Vincent Rieder
Enrico Sorbera, Fondazione Bruno Kessler , University Of Trento,

Abstract
In the line of the SPDZ protocol for secure multi-party computation, the generation of Beaver triples is the most expensive task. Silentium (Rieder, PrivCryp 25) is the implementation of a Pseudorandom Correlation Generator (PCG) for Beaver triples (Boyle et al., Crypto 20). PCGs focus on low-communication costs., e.g. their PCG reduces the communication by one order of magnitude compared to protocols in MP-SPDZ. Silentium is an implementation of their PCG, achieving similar running times than MP-SPDZ. We make three theoretical contributions to Silentium, including an implementation. First, we make a practical proposal how to generate Beaver triples over binary fields F2λ, which extends the previous setting over prime fields. For this, we propose a suitable instantiation of the Number Theoretic Transform. Second, we show how to use the binary triples to construct what we call a Beaver triple expansion scheme, that is we construct a scheme that expands a small batch of Beaver triples into a large batch of Beaver triples, in the sense of recently established oblivious transfer extension schemes. This feature enables an efficient preprocessing stage for the PCG, closing a practical issue of Silentium. Finally, we provide details about the Silentium implementation, by clearing a technical bug in the initial theoretical protocol description.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Character Block Encodings for Discrete CKKS: Single-Level LUTs and Low-Depth Arithmetic (2026/1200)

Authors

Jules Dumezy, CEA LIST , University of Paris-Saclay
Elias Suvanto, University of Luxembourg

Abstract
Functional bootstrapping has made discrete computation practical in the Cheon-Kim-Kim-Song (CKKS) scheme, but it fuses four distinct tasks - lookup table (LUT) evaluation, modular reduction, noise cleaning, and ciphertext refreshing - into a single rigid pipeline. As a consequence, a generic LUT over an alphabet of size $t$ costs multiplicative depth proportional to $\log_2 t$ and consumes a large share of the modulus budget during a fixed bootstrapping procedure, invoked each time a LUT evaluation or modular reduction is needed. We show that this pipeline can be unbundled by changing the representation, rather than optimizing the bootstrapping, through block encodings. A finite-alphabet value is carried across several CKKS slots whose coordinates form a basis of functions on the alphabet, typically the characters of a finite abelian group. In such a basis, every LUT is an affine plaintext map evaluated in a single multiplicative level, with depth independent of $t$. Modular reduction comes for free: a block encoding cannot represent anything but a residue, so arithmetic modulo $t$ is native. Because the encoded values lie on the unit circle, noise growth is independent of the alphabet size $t$. In the worst case, it matches the noise growth of standard discrete CKKS on the smallest alphabet $\mathbb Z_2$, and in more typical workloads it is linear in the number of operations, exponentially better than discrete CKKS at every $t > 2$. Noise cleaning becomes a constant-depth procedure of at most four levels, because the alphabet-dependent part is an LUT and only a fixed-degree-3 smoothstep is nonlinear. Finally, since LUTs are no longer part of the bootstrapping, refreshing reverts to its classical role as a maintenance operation invoked only to regain multiplicative depth. Any CKKS bootstrapping can be used, rather than a constrained and expensive pipeline. We instantiate the framework with several block encodings that make modular addition, modular multiplication, xor or min/max possible with a single CKKS multiplication. We use them to build CRT arithmetic over large composite moduli, and finite-state prefix scans for radix addition and subtraction in depth $4 + \lceil\log_2 d\rceil$ and for equality and comparison in depth $3 + \lceil\log_2 d\rceil$ for $d$ radix digits. For example, a 256-bit CRT modular addition or multiplication consumes a single multiplicative level and has a latency of 4.7 ms on a single thread.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

A Post-Quantum Commitment Scheme from Richelot Isogeny Walks on Superspecial Genus-2 Jacobians (2026/1199)

Authors

Nouhou Abdou Idris, Mohammed VI Polytechnic University
Mustapha Hedabou, Mohammed VI Polytechnic University

Abstract
We present a post-quantum commitment scheme based on kernel-tagged punctured Richelot isogeny walks on superspecial genus-2 Jacobians. The puncturing rule skips every step landing in the product locus, detected by I10 = 0, so honest executions remain in the Jacobian locus and avoid the entry point of known product-locus attacks. Each opening is encoded as a deterministic non-backtracking walk together with a kernel tag recording its action on a small public auxiliary torsion basis. The tag is verified as part of the opening and is kept explicit throughout the security analysis. In particular, scalar-related collisions force equality of the ordered kernel sequence and hence equality of the tag, so any nontrivial binding attack yields a short non-scalar endomorphism. Using spectral bounds for the Richelot graph, we show that puncturing preserves rapid mixing for logarithmic walk lengths, which yields statistical hiding for the tagged punctured scheme. We therefore reduce binding to the Short Richelot Endomorphism Problem (SREP), relate SREP to the One-Endomorphism Problem and, under a standard KLPT2 -style heuristic, to the endomorphism-ring problem. A SageMath prototype based on (2, 2)-Kummer isogenies indicates practical performance at standard security levels.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Splittings and Endomorphism Rings (2026/1198)

Authors

Péter Kutas, University of Birmingham , Eötvös Loránd University
Min-Yi Shen

Abstract
Finding a nontrivial endomorphism of a given supersingular elliptic curve is a hardness assumption of isogeny-based cryptography. We prove the reduction from it to the problem of finding a splitting of a given principally polarized abelian surface. By using this new reduction, we also prove the heuristic equivalence of the splitting problem with a degree restriction and the endomorphism ring problem in dimension two.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

VOBE: Verifiable Outsourced Batched Encryption for Secure Delegation of Batched Decryption (2026/1197)

Authors

Kwangsu Lee, Sejong University

Abstract
Batched encryption (BE) has emerged as a novel public-key cryptographic paradigm that enables the efficient decryption of a designated batch of $B$ ciphertexts simultaneously. By incorporating threshold decryption capabilities into this framework, batched threshold encryption (BTE) further decentralizes the decryption process. While both BE and BTE serve as highly effective solutions for mitigating Miner Extractable Value (MEV) attacks in blockchain networks by providing robust mempool privacy, ciphertext integrity, and communication efficiency, they still suffer from heavy computational overhead during the ciphertext decryption phase. In this paper, we address this computational bottleneck by introducing a novel framework that delegates the heavy decryption workloads to an untrusted cloud server while enabling verifiability of the outsourced computations. To achieve this, we first propose an outsourced batched identity-based encryption (O-BIBE) scheme by integrating outsourcing functionalities into the conventional BIBE paradigm, accompanied by a rigorous security proof. We then construct a verifiable outsourced batched encryption (VOBE) scheme by strategically combining O-BIBE with other core cryptographic building blocks and formally prove its security. To eliminate the single point of failure and enhance threshold resiliency, we extend our framework to the threshold setting by developing an outsourced threshold batched identity-based encryption (O-TBIBE) scheme. Building upon this, we propose a verifiable outsourced batched threshold encryption (VOBTE) scheme, which successfully achieves decentralized threshold resilience. Our proposed VOBE and VOBTE schemes are the first to concurrently guarantee ciphertext integrity and mempool privacy against sophisticated blockchain attacks, while significantly reducing decryption costs via efficient and verifiable outsourcing.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Grand Danois: Succinct Multilinear Polynomial Commitments over Lattices (2026/1196)

Authors

Anders Kallesoe, Aarhus University
Hamidreza Khoshakhlagh, Aarhus University , Partisia ApS

Abstract
We present Grand Danois, a new post-quantum multilinear polynomial commitment scheme from lattices for polynomials over $\mathbb{F}_q$ that achieves polylogarithmic $O(\lambda \ell)$ verification complexity and proof sizes. We build on the general approach introduced in Hachi (ePrint 2026/156) with two key changes. First, we switch to the vanishing Short Integer Solution (vSIS) assumption to obtain structured public parameters for our commitment scheme and utilize this structure to design an adapted sumcheck protocol amenable to succinct verification. Second, we modify the quadratic relation used in Hachi and Greyhound (CRYPTO 2024) so that it becomes compatible with proving norm bounds using Johnson-Lindenstrauss projections. This is achieved through an adaptation of the structured projection strategy introduced in RoK and Roll (ASIACRYPT 2025). This has the benefit for communication complexity in that proving norm bounds and correct polynomial evaluation are integrated into a single protocol, reducing the number of commitments sent by the prover. Furthermore, we impose additional structure on our random projections to reduce the witness size even more aggressively during each round of recursion without sacrificing verification complexity. Under the vSIS assumption, our construction yields an estimated proof size of roughly $80-90$ KB for $2^{32}$-size polynomial evaluations.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

DecryptChain: A Permissionless Proof-of-Work Encrypted Mempool (2026/1195)

Authors

Nicolas Alhaddad, Boston University
Alireza Kavousi, University College London

Abstract
Blockchain mempool transparency fuels Maximal Extractable Value (MEV), where attackers can front-run, back-run, and reorder transactions as soon as they appear. Encrypted mempools aim to delay the release of information until block commitment, yet nearly all existing designs rely on a trusted decryption committee. This creates two structural problems. First, committee members hold decryption material by design, so a colluding threshold can reconstruct the decryption key and learn transactions before block commitment. Second, once such a committee becomes malicious, honest parties have no easy in-protocol way to recover: restoring privacy for future epochs requires an external intervention such as a hard fork that replaces the committee and rotates the long-lived cryptographic material. In this work, we ask whether encrypted mempools can instead use proof-of-work to realize an open and recoverable decryption committee. We then introduce DecryptChain, a permissionless proof-of-work encrypted mempool in which decryption authority is not assigned to persistent identities or long-lived key shares. Instead, decryption is continuously re-contested through public computational work. Even if an adversary successfully breaches one epoch, it gains no reusable secret for future epochs; honest parties can always re-enter and recover the decryption process by contributing sufficient work. DecryptChain decouples block production from decryption, enabling it to operate as a Layer-2 timely decryption service on any underlying blockchain while preserving eventual decryption for committed on-chain encrypted transactions.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Unconditionally Secure MPC for Boolean Circuits with Constant Communication (2026/1194)

Authors

Yubo Zeng, Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, Beijing, China
Kang Yang, State Key Laboratory of Cryptology, Beijing, China
Dengguo Feng, Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, Beijing, China
Min Zhang, Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences, Beijing, China

Abstract
The communication complexity of unconditionally Secure Multi-Party Computation (MPC) protocols has been studied by a series of works in the honest-majority setting. For evaluating an arbitrary Boolean circuit, the state-of-the-art MPC protocol by Goyal et al. (Crypto 2021 and Crypto 2022) achieves the total communication cost of $O(\log n)$ bits per gate, where $n$ is the number of parties. In this work, we present the first unconditional MPC protocol for any Boolean circuit with communication of $O(1)$ bits per gate. We first construct an unconditionally secure protocol in the presence of semi-honest adversaries, and then strengthen it to guarantee security against malicious adversaries with the same communication efficiency.
(show hidden)

Publication status: Published elsewhere. Major revision. A major revision of an IACR publication in Crypto 2026 First uploaded: , last revision:

Cryptanalytic Properties of Mealy Machines (2026/1193)

Authors

Zhongfeng Niu, Nanyang Technological University
Tim Beyne, KU Leuven
Kai Hu, Shandong University
Meiqin Wang, Shandong University

Abstract
This paper proposes a systematic approach to compute cryptanalytic properties of arbitrary Mealy machines or S-functions. Based on the geometric approach to cryptanalysis, we provide a uniform formula for any cryptanalytic property of such a function, as long as the property is compatible with the way its input and output are split into chunks. Examples include linear, (quasi) differential, (ultrametric) integral, differential-linear, and boomerang properties. To illustrate our results, we compute these properties for several important examples, including modular additions, the Chi- and ChiChi-functions, and the SHA-1 step function. As proof-of-concept applications, we construct a boomerang distinguisher for the Subterranean permutation, and show how to compute the correlations of conditional linear approximations in partitioning-based differential-linear attacks more accurately. Our results also lead to a new approach to compute the algebraic normal form of the inverse of the Chi-function.
(show hidden)

Publication status: A minor revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Lower Bounds on Black-Box Constructions of Pseudorandom Functions (2026/1192)

Authors

Bar Alon, Tel Aviv University
Itai Dinur, Ben-Gurion University of the Negev , Georgetown University
Muthuramakrishnan Venkitasubramaniam, Georgetown University

Abstract
In their seminal work, Goldreich, Goldwasser, and Micali [CRYPTO 1984] constructed a pseudorandom function (PRF) using a black-box access to a pseudorandom generator (PRG). When combined with Levin's domain extension technique, the GGM construction invokes the PRG $\omega(\log n)$ times, where $n$ denotes the input length to the PRG. To this day, no black-box construction achieving fewer calls is known. Recently, Beimel, Malkin, and Mazor [CRYPTO 2024] showed that for a certain family of constructions, which they termed \emph{tree constructions}, the GGM construction is optimal. However, the basic challenge of whether a PRF can be built with just \emph{one invocation} of the PRG still remains open. In this work, we consider fully black-box constructions of PRFs from PRGs, where both the construction and the reduction are required to be black-box, and the number of interactions the reduction makes with the adversary is independent of the number of oracle calls the adversary makes to its underlying function within each interaction. Our main result shows that no such construction can have $o(n/\log n)$ and $o(\mathsf{in}/\log\mathsf{in})$ \emph{non-adaptive} calls to the PRG, where $\mathsf{in}$ is the input length of the PRF. This impossibility holds even for weak PRFs with one-bit output, where the adversary is restricted to making i.i.d. uniformly random queries. In addition, we prove a lower bound for weak PRFs with sufficiently long outputs that holds even when the construction is allowed to make adaptive queries to the PRG.
(show hidden)

Publication status: Published by the IACR in CRYPTO 2026 First uploaded: , last revision:

Accelerating NTRU+ Key Generation via Hierarchical Batch Inversion (2026/1191)

Authors

Jonghyun Kim, Korea University
Haehyun Cho, Soongsil University
Jong Hwan Park, Sangmyung University

Abstract
In KEM-based TLS 1.3 key establishment, the client generates a fresh KEM key pair for each connection, placing key generation on the handshake critical path. For NTRU+, a KEM based on the NTRU problem selected in the Korean Post-Quantum Cryptography (KpqC) competition, the dominant cost in this path is the polynomial inversion needed to compute the public key. Although NTRU+ uses an NTT-friendly ring and performs this inversion in the NTT domain, the routine still decomposes into many base inversions, each requiring a modular inversion computed by exponentiation. To accelerate polynomial inversion in the NTT domain, we collect the modular inversions arising from base inversions into a single stage. This makes it possible to apply Montgomery's trick, reducing the number of modular inversions to one at the cost of sequential product and recovery chains. These chains limit instruction-level parallelism (ILP). To address this dependency bottleneck, we apply hierarchical batching to these exposed denominator inversions, splitting the inputs into $k$ groups to expose independent product chains and recursively batching the resulting $k$ group-product inversions. This preserves the arithmetic cost of Montgomery's trick while improving ILP, thereby reducing cycle counts. We evaluate hierarchical batch inversion across all NTRU+ parameter sets in both C and AVX2. For NTRU+$864$, the parameter set with the largest gains, compared with non-batched polynomial inversion, it reduces polynomial inversion latency by 48.91% in C and 59.57% in AVX2. For key generation, the corresponding speedups are 18.91% in C and 9.34% in AVX2.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

CMoSS: Composable Modular Security Specifications Framework (2026/1190)

Authors

Sara Wrótniak, University of Connecticut
Hemi Leibowitz, The College of Management Academic Studies
Ewa Syta, Trinity College
Amir Herzberg, University of Connecticut

Abstract
CMoSS facilitates modular specifications, design and analysis of cryptographic protocols. Modular design and analysis is achieved by supporting provably-secure compositions of protocols; typically, a protocol uses a blackbox subprotocol, and is proven secure when composed with any subprotocol meeting the blackbox specifications. For modularity of specifications, CMoSS extends the approach of the MoSS framework: protocol specifications are defined modularly, by a set of independent predicates (games) for each model (assumption) and requirement (goal). CMoSS makes it feasible to rigorously specify, develop and analyze realistic applied cryptographic protocols, supporting real-time concurrency and involving different attacker capabilities, delays, faults and synchronization challenges. CMoSS specifications provide a precise formalization of the informal specifications used by practitioners, facilitating provable security for practical protocols.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Do You Need a Receipt? Anonymous Credential Revocation at Continental Scale via Private Record Certification (2026/1189)

Authors

Kasra Edalatnejad, Technical University of Darmstadt
Sebastian Faust, Technical University of Darmstadt
Jonas Hofmann, Technical University of Darmstadt
Philipp-Florens Lehwalder, Technical University of Darmstadt
Thomas Schneider, Technical University of Darmstadt

Abstract
A key challenge in digital credential systems is revocation, that is, the ability to revoke credentials post-issuance and verify their status upon presentation. While anonymous credentials enhance privacy over classical credentials (e.g., by providing unlinkability), they complicate revocation. Existing revocation schemes for anonymous credentials often suffer from high client or verifier computation, long delays before revocation takes effect (e.g., epoch-based settings), or require updates to all users with each revocation. We present an efficient, real-time revocation system for anonymous credentials with decentralized revocation authorities based on a novel primitive called Private Record Certification (PRC). PRC enables users to obtain a certificate for a record stored in a server-managed database without the servers learning which record was requested. This primitive is of independent interest, and we construct it by combining techniques from private information retrieval and secure multi-party computation. Our revocation scheme outsources its costs to the revocation authorities and has minimal overhead for clients and verifiers, while ensuring the communication costs are sublinear in the number of credentials for the revocation authorities. We build a prototype and demonstrate that our system achieves sub-second real-time latency at a scale of over 1 billion credentials, with an online operational cost of 2.5$ per server for processing 1 million PRC queries.
(show hidden)

Publication status: Published elsewhere. Minor revision. USENIX Security 2026 First uploaded: , last revision:

Rank Ceiling for Twiddle-Perturbation Faults on the Forward NTT (2026/1188)

Authors

Chakshu Gupta, Georgia Institute of Technology

Abstract
NIST standardised a lattice-based key-encapsulation mechanism (ML-KEM) and a lattice-based digital signature scheme (ML-DSA) in 2024 as post-quantum replacements for classical key establishment and digital signatures. Both compute a forward number-theoretic transform (NTT) over secret-bearing polynomials; the NTT's twiddle constants are a documented fault-attack surface. Published attacks zero every twiddle with a single glitch on ML-KEM key generation, or zero individual twiddles on ML-DSA signing. Countermeasures detect or mask such faults, but none bounds the information that survives when an attacker perturbs twiddles one at a time. This paper supplies that bound as an exact per-layer rank ladder, for arbitrary perturbations $\zeta_k \mapsto \zeta_k^{'}$ with bit-flips included. A single twiddle fault leaks exactly the butterfly length of its layer in secret coefficients, a count attained rather than merely bounded, so one fault per layer pins all but two coefficients for ML-KEM and all but one for ML-DSA. The surviving ambiguity is identical whichever twiddle is hit in each layer: $\mathrm{span}(e_0, e_1)$ for ML-KEM's incomplete NTT, $\mathrm{span}(e_0)$ for ML-DSA's complete NTT. No combination of twiddle-perturbation faults, however large, shrinks it further, and this rank-and-kernel characterisation is machine-checked in Lean 4. The per-layer leakage rate it exposes gives countermeasure designers a closed-form budget for allocating protection.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

HEGIDE: A MIMD Oblivious Processor for Private Function Evaluation over CKKS (2026/1187)

Authors

Jules Dumezy, CEA LIST , University of Paris-Saclay
Nicolas Ye, CEA LIST , University of Paris-Saclay
Pierre-Emmanuel Clet, CEA LIST , University of Paris-Saclay
Olive Chakraborty, CEA LIST , University of Paris-Saclay
Aymen Boudguiga, CEA LIST , University of Paris-Saclay

Abstract
While FHE enables computation on encrypted data, protecting the program itself remains a theoretical and practical challenge, often forcing practitioners to choose between exposing proprietary logic or suffering impractical performance penalties. This paper introduces HEGIDE, an oblivious processor based on the (discrete) Cheon-Kim-Kim-Song (CKKS) scheme that bridges the gap between theoretical Private Function Evaluation (PFE) and its practical realization. Central to our contribution is OSReM (Oblivious Shift Register Memory), a novel memory architecture that circumvents the linear complexity of standard FHE-RAM writes. By treating memory as a shift register, OSReM enables low-latency, constant-time writes without the need for expensive full-memory bootstrapping. HEGIDE leverages a MIMD (Multiple Instruction, Multiple Data) design, utilizing CKKS packing to evaluate distinct program threads in parallel, thus maximizing throughput. While the processor architecture natively supports arbitrary word sizes and instructions, we provide a compiler that manages memory scheduling to abstract the complexity of the shift-register design. We provide a proof-of-concept full implementation of HEGIDE using the OpenFHE library. Experimental results demonstrate the efficiency of our approach, achieving an amortized cycle time of just 6.4 ms for a 16-bit processor - two orders of magnitude faster in throughput than comparable approaches - offering a viable path for the secure execution of proprietary algorithms on encrypted data.
(show hidden)

Publication status: Published elsewhere. Minor revision. ACM CCS 2026 First uploaded: , last revision:

Butterfly Effect: Multi-Key FHE from Ring-LWR (2026/1186)

Authors

Mansi Goyal, Indian Institute of Technology Roorkee
Ali Raya, Indian Institute of Technology Roorkee
Mohakjot Dhiman, Indian Institute of Technology Ropar
Aditi Kar Gangopadhyay

Abstract
The Learning with Errors (LWE) problem is a fundamental hardness assumption underlying most fully homomorphic encryption (FHE) schemes. Given the close relationship between the Learning with Rounding (LWR) and LWE problems, several cryptographic constructions have also been developed based on LWR. In particular, LWR-based schemes often benefit from simpler and more efficient implementations, as they eliminate the need for explicit Gaussian error sampling. Despite these advantages, relatively few FHE constructions in the literature are based on the LWR assumption. At AsiaCCS 2025, Goyal and Gangopadhyay proposed a multi-key FHE (MKFHE) scheme based on LWR that adopts a public-key extension mechanism rather than the conventional ciphertext-extension paradigm. The authors also identified the development of a ring-based analogue as an open future direction. In this work, we present two Ring-LWR-based MKFHE constructions that can be viewed as ring analogues of the LWR-based MKFHE scheme of Goyal and Gangopadhyay. To the best of our knowledge, these are the first MKFHE schemes based on the Ring-LWR assumption. Compared with existing Ring-LWE-based multi-key constructions, our schemes achieve improved compactness in terms of storage and communication costs. We provide concrete parameterizations supporting circuits of varying multiplicative depths and present a proof-of-concept implementation to validate our claims.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

A Note on ``Secure and Efficient Data Deduplication in JointCloud Storage'' (2026/1185)

Authors

Zhengjun Cao, Shanghai University
Lihua Liu, Shanghai Maritime University

Abstract
We show that the data deduplication scheme [IEEE Trans. Cloud Comput., 11(1), 156-167, 2023] is flawed due to some inconsistent computations. The scheme tries to propose a hybrid encryption and authentication mechanism based on RSA cryptosystem and pairing cryptosystem, but it has confused the different group operations. In the data sharing phase, the cloud service provider cannot determine which stored tag matches the temporary tag, and fails to return the stored data to the requester. To fix, it should explicitly specify which is randomized by modular exponentiation with an RSA modulus, and which is randomized by point multiplication over the underlying elliptic curve.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Public-Key Pseudorandom Codes from Distorted McEliece Assumptions (2026/1184)

Authors

Victor Dyseryn, Télécom Paris
Danilo Francati, Sapienza University of Rome
Daniele Venturi, Sapienza University of Rome

Abstract
Pseudorandom codes (PRCs), introduced at Crypto 2024 by Christ and Gunn, are encryption schemes with pseudorandom ciphertexts and error-correction guarantees. PRCs are useful as a tool to obtain watermarking for generative models, in particular ensuring that a watermark is hard to remove against an attacker that can modify up to a given fraction of the watermarked output (a.k.a. the robustness property). A PRC is public-key if the encoding procedure is public (whereas detection requires the corresponding secret key). In this paper, we provide the first construction of public-key PRCs for the binary alphabet satisfying robustness in the presence of a constant fraction of substitutions ($1/6 - \varepsilon$, for arbitrary $\varepsilon > 0$) and at the same time achieving pseudorandomness against sub-exponential-time distinguishers. The pseudorandomness property relies on a new family of distorted McEliece assumptions that we introduce, instantiated with a class of expanded subcodes of Reed-Solomon codes, called Raw Reed-Solomon codes, for which we provide heuristic evidence of (plausible) sub-exponential hardness. Our construction is obtained by revisiting the original blueprint by Christ and Gunn to obtain public-key PRCs based on McEliece assumptions. Along the way, we also uncover that their blueprint does not work directly with Raw Reed-Solomon codes. In particular, we show that a generating matrix of a permuted Raw Reed-Solomon code is distinguishable in polynomial time from a uniformly random generating matrix. To circumvent that difficulty, we propose to distort the public key by multiplication with a sparse invertible matrix of constant row Hamming weight.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Validity in Responsive Byzantine Agreement (2026/1183)

Authors

Diana Ghinea, Lucerne University of Applied Sciences and Arts
Simon Holmgaard Kamp, Ruhr University Bochum
Chen-Da Liu-Zhang, Lucerne University of Applied Sciences and Arts

Abstract
Byzantine Agreement (BA) protocols must ensure not only agreement and termination, but also validity: the value agreed upon should meaningfully reflect the honest parties' inputs. The choice of validity condition can change the exact resilience threshold at which BA is solvable. Tight characterizations for BA with general validity conditions are known in the partially synchronous model (PODC'23), in the synchronous model (PODC'24), and in the network-agnostic model (DISC'25). We focus on general validity for synchronous BA with responsive termination. Such protocols remain secure against up to $t_s$ byzantine corruptions, but incur a running time that depends on the actual network delay $\delta$, rather than the conservative delay bound $\Delta \gg \delta$, whenever at most $t_r \leq t_s$ parties are corrupted. We present a tight characterization of the validity properties solvable in this setting. We prove that every non-trivial validity property requires $n>2 t_r+t_s$ in authenticated settings, where a public-key infrastructure and digital signatures are available, and $n>3 t_s$ in unauthenticated settings. These threshold conditions are accompanied by a validity-dependent requirement, the responsive similarity condition: roughly, for any concrete configuration of honest inputs, there is a value that is valid for any view that a protocol could obtain from this initial configuration. We then present matching protocols in both settings, showing that these conditions are sufficient. The main technical contribution is an authenticated responsive Core-Set Agreement protocol requiring $n>2 t_r+t_s$. This threshold may place the protocol in an honest-minority regime, where prior constructions for general validity do not apply and where standard Synchronous Broadcast is not responsive. Finally, we instantiate the characterization for several standard validity notions -- weak validity, strong unanimity, convex validity, and honest-input validity.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Fast Bounded-Independence Functions and Their Duals (2026/1182)

Authors

Martijn Brehm, University of Amsterdam
Yuval Ishai, Technion – Israel Institute of Technology , AWS
Nicolas Resch, University of Amsterdam

Abstract
We continue the study of fast functions, computable by linear-size circuits, that share useful properties of random functions. Motivated by cryptographic applications, we generalize and improve on previous results in this area, obtaining the following results: - For any constant $t$, we construct a fast $t$-wise independent hash function with algebraic degree $\log_2 t$ (over $\mathbb F_2$), simultaneously optimizing both asymptotic circuit size and degree. - We simplify and improve a recent construction (ITCS 2026) of a family of fast codes with fast duals, both meeting the Gilbert-Varshamov bound. Unlike the previous construction, our construction has negligible failure probability, can accommodate general fields and rates, supports a systematic encoding, and admits fast universal encoders. - We strengthen the above to support stronger random-like properties, such as optimal combinatorial list-decoding. This is achieved by constructing, for any constant $t$, a family of fast linear functions that map any $t$ linearly independent inputs to uniform and statistically independent outputs. Prior to our work, this was only known for $t=1$. We demonstrate the usefulness of the above results to cryptography. This includes the first nontrivial protocols for perfectly secure multiparty computation whose circuit complexity scales linearly with the number of parties, as well as protocols for computing encrypted matrix-vector products with optimal asymptotic circuit complexity.
(show hidden)

Publication status: Published elsewhere. Major revision. ITC 2026 First uploaded: , last revision:

AICE: An Arithmetic-Oriented Stream Cipher for Heterogeneous Computing (2026/1181)

Authors

Bishwajit Chakraborty, Shield Lab, Huawei Technologies Co., Ltd.
Jiahui Gao, Shield Lab, Huawei Technologies Co., Ltd.
Kai Hu, School of Cyber Science and Technology, Shandong University, Qingdao, China
Tao Huang, Shield Lab, Huawei Technologies Co., Ltd.
Zhongfeng Niu, Independent Researcher
Phuong Pham, Shield Lab, Huawei Technologies Co., Ltd.
Shuzhou Sun, Shield Lab, Huawei Technologies Co., Ltd.
Meiqin Wang, School of Cyber Science and Technology, Shandong University, Qingdao, China
Shuang Wu, Shield Lab, Huawei Technologies Co., Ltd.
Wenhan Xu, Shield Lab, Huawei Technologies Co., Ltd.
Guang Zeng, Shield Lab, Huawei Technologies Co., Ltd.
Chenxu Zhao, School of Cyber Science and Technology, Shandong University, Qingdao, China

Abstract
Heterogeneous computing platforms increasingly rely on high-throughput data paths spanning CPUs and accelerators, yet most high-speed software ciphers are optimized primarily for CPU-centric execution models. We present AICE, an arithmetic-oriented stream cipher over \(\mathbb{Z}/2^{16}\mathbb{Z}\) with a 37-word (592-bit) internal state, a nonlinear feedback combining modular addition, multiplication, bitwise OR, and rotation, a 370-round initialization with post-initialization key feed-forward, and periodic blank updates. We analyze AICE under several cryptanalytic models, including differential trail screening, linear approximation over the abelian group \(\mathbb{Z}/2^{16}\mathbb{Z}\), guess-and-determine state recovery, and exact SMT-based cube evaluation, and find that all observable structural phenomena remain confined to reduced-round settings far below the full initialization. On the AI Cores of Huawei Ascend accelerators, AICE reaches a single-core peak throughput of $114.13$ Gbps on the Ascend 950 and $55.36$ Gbps on the Ascend 910B4, and scales to $1.59$ Tbps on $32$ Ascend 910B4 cores, roughly $54\times$ the throughput of AES-CTR and $107\times$ that of SM4-CTR on the same $32$-core configuration; on the ARM Kunpeng 920 it remains in the same throughput class as hardware instruction accelerated AES-CTR.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

SNARGs for NP from Unprovability of Mathematical Theorems (2026/1180)

Authors

Yao-Ching Hsieh, University of Washington
Abhishek Jain, NTT Research and Johns Hopkins University
Jiatu Li, Massachusetts Institute of Technology
Surya Mathialagan, NTT Research

Abstract
Modern cryptography relies on the intractability of computational problems. We present an approach to building cryptography from a new source of hardness: \emph{proving mathematical theorems}. Our main result is a construction of succinct non-interactive arguments (SNARGs) for NP under a new, but natural, assumption on the hardness of proving lower bounds in proof complexity. Specifically, our assumption states that it is impossible to prove, within a weak bounded arithmetic theory, the correctness of certifying hard tautologies against Extended Frege. This assumption is inspired by an informal mathematical challenge proposed by Razborov [Ann. Math. '15], and can be viewed as a generalization of an unconditional unprovability result due to Krajíček and Pudlák [J. Symb. Log. '89]. Our construction is a simple variant of the SNARG construction of Jin, Kalai, Lombardi, and Vaikuntanathan [STOC '24]. While the soundness of their construction was proven only for a subclass of NP, we prove its soundness for all of NP under our assumption. At the heart of our result is the observation that cryptographic reasoning is simple in a formal sense: the security proof of most cryptographic primitives can be formalized in a weak theory. In particular, we show how to formalize the scheme of Jin et al. in Jeřábek's theory $\mathsf{APC}_1$ [J. Symb. Log. '07], a weak theory of bounded arithmetic.
(show hidden)

Publication status: Published elsewhere. Minor revision. STOC 2026 First uploaded: , last revision:

Permissionless Consensus from a Common Random String (2026/1179)

Authors

Damiano Abram, The University of Edinburgh
Marshall Ball, New York University
Juan Garay, Texas A&M University
Aggelos Kiayias, The University of Edinburgh

Abstract
Permissionless consensus enables parties to perform Byzantine agreement without any a priori knowledge about who is participating, except for an upper bound on the number of participants running the protocol (no PKI, etc.). Since Nakamoto’s Bitcoin paper, it has been widely believed that permissionless consensus is feasible provided the (Byzantine) adversary only controls a fraction of the collective computational power. However, all known protocols, including Nakamoto’s, rely on idealized assumptions (or ad hoc instantiations). Is permissionless consensus possible without such assumptions? Surprising little progress had been made towards solving this open question until the recent result by Ball et al. (Crypto 2024), which showed how to achieve permissionless consensus from proofs of work (PoWs) based on fine-grained complexity assumptions in a setting where a randomness beacon is available to all parties running the protocol. Their work left open whether it is possible to remove the beacon assumption; this question is the focus of our work, which we resolve via a new consensus protocol construction that relies on a novel class of distributed samplers and a common random string (that does not need to be structured or sampled precisely at the onset of the protocol execution). To prove our protocol secure, we revisit the concept of distributed samplers and adapt it to a setting where multiple sampler executions need to be simultaneously secure. To address this challenge we introduce the primitive we call d-wise independent distributed samplers and put forward constructions for such samplers based on DDH and LWE. We then present our consensus protocol via a modular design that utilizes a new moderately hard cryptographic primitive we call multi-verifier signatures of work, a sort of “time-based signature” we construct by composing distributed samplers and (fine-grained complexity-based) PoWs, and which may be of independent interest.
(show hidden)

Publication status: A minor revision of an IACR publication in CRYPTO 2026 First uploaded: , last revision:

Sensing Censorship and Censuring Censors with Censorship-Evident Publishing Systems (2026/1178)

Authors

Swaminathan Ramesh, University of Calgary
Ryan Henry, University of Calgary

Abstract
Censorship has always existed, serving both to prevent harms and to inflict them by chilling speech, suppressing organizing, and withholding inconvenient facts and ideas; most technical work aims to prevent all forms of censorship --- the "good", the "bad", and everything in between. We study the complementary, rarely explored goal of making any censorship attempt transparent. We formalize censorship-evident publishing systems (CEPS), protocols that force both overt and covert takedowns to yield transferable evidence. We also provide a CEPS instantiation with Streisand, a proof-of-concept deployment that combines a blockchain-backed timestamp oracle, private information retrieval (PIR)-based anonymous queries to prevent extraction attempts from being conspicuous, and probabilistic Merkle-witness retrieval to produce compact censorship proofs. We present performance evaluations on a 1.3 GiB Enron-derived dataset with regex-based PII redaction to model realistic censorship, and demonstrate that a background daemon can detect heavy censorship after a small number of post-censorship queries, making Streisand an effective auditing mechanism rather than interactive file retrieval. We also discuss design trade-offs (proof size vs. computation, PIR sufficiency vs. necessity), scalability limits, and how CEPS complements existing transparency practices, with Streisand as a starting point for CEPS deployments.
(show hidden)

Publication status: Published elsewhere. Major revision. ASIA CCS 2026 First uploaded: , last revision:

Advanced Vector Extensions 512 Acceleration of LSH and LEA-GCM (2026/1177)

Authors

Seung-Won Lee, Hansung University
Min-Ho Song, Hansung University
Ha-Gyeong Kim, Hansung University
Ui-Jae Kim, Hansung University
Si-Woo Eum, Hansung University
Hwa-Jeong Seo, Hansung University

Abstract
This paper presents high-performance Advanced Vector Extensions 512 (AVX-512) implementations of two Korean standard cryptographic algorithms: the Lightweight Secure Hash (LSH) hash function and Lightweight Encryption Algorithm-Galois/Counter Mode (LEA-GCM) authenticated encryption. For LSH, we apply three optimization strategies: single-message processing using AVX-512 512-bit vector registers, dual-message parallel processing through register interleaving, and multi-core parallelization using a dynamic queue-based pthread thread pool. For LEA-GCM, we propose an end-to-end optimization that replaces scalar Counter mode (CTR) encryption with 16-block AVX-512 parallel processing and Streaming SIMD Extensions (SSE)-based Galois Hash (GHASH) authentication with VPCLMULQDQ-based 4-block parallel processing. Performance evaluation on an Intel Core i7-1165G7 (Tiger Lake) processor shows that LSH-256 achieves an average 1.16× throughput improvement and LSH-512 achieves an average 1.61× improvement over the Korea Internet and Security Agency (KISA) AVX2 reference implementation. Dual-message interleaving achieves an average superlinear speedup of 2.28× driven by instruction-level parallelism (ILP), and the 8-core thread pool delivers speedups of 3.50× to 5.12×. The optimized LEA-GCM implementation achieves a 3.26× throughput improvement over the KISA SSE-based reference and a 12.1× improvement over the pure software implementation for 4096-byte inputs, with correctness verified against KISA official test vectors.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

Anonymous E-Voting on Hyperledger Fabric: Practical Mitigation of the Verification Paradox and Coercion Resistance (2026/1176)

Authors

Yoon-Nyoung Jung, Hansung University
Su-Been Cho, Hansung University
Seo-Hyun Yun, Hansung University
Hwa-Jeong Seo, Hansung University

Abstract
Electronic voting systems inherently encompass a structural tension among ballot secrecy, verifiability, and coercion resistance. Voters must be able to verify whether their votes have been included; however, if such verification information can serve as evidence presentable to a third party, it becomes a basis for post-election intimidation. Existing studies have focused primarily on performance evaluation or data separation, and have not comprehensively addressed the structural tension between verifiability and coercion resistance. This study defines this tension as the verification paradox and designs and implements an electronic voting prototype on a three-organization consortium based on Hyperledger Fabric 2.5, combining a 2-of-3 endorsement policy, nullifier-based anonymity, Exponential ElGamal homomorphic tallying, zero-knowledge proof (ZKP)-based ballot validity verification, panic password-based deniable verification, and Private Data Collection (PDC)-based coerced vote separation. Quantitative evaluation results confirm a server latency overhead of +0.9% for ElGamal relative to the AES performance baseline, statistical indistinguishability between normal and panic responses (p > 0.05), and a peak throughput of approximately 40.7 TPS (with an error rate of 0%) under 1,000 concurrent voters. This study demonstrates that permissioned blockchains can provide practical mitigation of the verification paradox through implementation and quantitative evaluation.
(show hidden)

Publication status: Preprint. First uploaded: , last revision:

AI-based KCMVP Pre-certification System: A Hybrid Model of Rule-based Detection and LLM Semantic Analysis (2026/1175)

Authors

Su-Been Cho, Hansung University
Do-Yun Park, Hansung University
Da-Eun Lim, Hansung University
Jae-Hwan Kim, Hansung University
Su-Min Jeong, Hansung University
Yu-Lim Hyoung, Hansung University
Hwa-Jeong Seo, Hansung University

Abstract
The Korean Cryptographic Module Validation Program (KCMVP) is a national certification system that verifies the security and conformity of cryptographic modules deployed in government and public institutions. The current process typically takes about one and a half years, during which frequent supplement requests and the resulting retesting cycles substantially raise costs and delay schedules. To address this, we propose an AI-based pre-certification framework that combines rule-based deterministic detection (L1), RAG-based guideline-evidence retrieval (L2), and LLM-based final decision (L3) into a funnel-shaped pipeline that progressively reduces false positives. L1 applies more than 170 YAML inspection rules across four pattern types (missing, regex, semantic, ast) to perform deterministic detection. L2 retrieves and attaches KCMVP guideline evidence to each violation through multi-stage RAG search, and L3 employs Gemini 2.5 Flash-Lite to make context-aware decisions on false-positive candidates. In an initial evaluation on 128 Ground Truth cases derived from the KISA LEA code, the system detected all 128 cases, achieving 100% recall, while L3 correctly removed 9 of 46 FP candidates (19.6%) without inducing any false negatives (FN), confirming the stepwise refinement effect of the funnel structure. A blind verification on a certified commercial cryptographic module (~14.5 KLOC) yielded a low detection frequency of 0.58 cases per 1,000 lines of code, supporting the system’s practicality in real environments.
(show hidden)

Publication status: Preprint. First uploaded: , last revision: