<?xml version='1.0' encoding='utf-8'?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
  <channel>
    <title>Paper Feeds (IACR)</title>
    <link>https://jamie-cui.github.io/paper-feeds</link>
    <description>Keyword-based research paper feeds from IACR</description>
    <lastBuildDate>Mon, 22 Jun 2026 05:11:53 -0000</lastBuildDate>
    <atom:link href="https://jamie-cui.github.io/paper-feeds/feed-iacr.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Oblivious Priority Queue and Single-Source Shortest Path in the External Memory Setting</title>
      <link>https://eprint.iacr.org/2026/1285</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1285</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1285"&gt;https://eprint.iacr.org/2026/1285&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and Motivation&lt;/h4&gt;&lt;p&gt;Designing &lt;strong&gt;oblivious algorithms&lt;/strong&gt; in the external-memory model is essential for privacy-sensitive systems such as Signal's private contact discovery service. Such algorithms require that the memory access pattern be completely independent of the secret input data, thereby resisting attacks based on memory-access side channels. Current industrial practice (e.g., Signal, Meta) relies on trusted hardware to achieve obliviousness, but theoretical research urgently needs efficient, purely software-based schemes that do not depend on hardware. Although generic compilation methods exist, their asymptotic inefficiency makes them impractical; customized designs for specific problems (such as single-source shortest path, SSSP) are therefore the critical path.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper is the first to propose an efficient oblivious algorithm for the &lt;strong&gt;external-memory SSSP problem on undirected graphs&lt;/strong&gt;:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;I/O complexity&lt;/strong&gt; of $O\left(V + \frac{E}{B}\log\frac{E}{M}\right)$ and &lt;strong&gt;total work&lt;/strong&gt; of $O(E \log E)$ (assuming $E = \Omega(V)$), where $V,E$ are the numbers of vertices/edges and $M,B$ are the cache capacity and block size;&lt;/li&gt;&lt;li&gt;The I/O performance almost matches the optimal non-private algorithm, differing only by a $\log \log E$ factor; this gap is shown to be an &lt;strong&gt;inherent barrier&lt;/strong&gt;, since making the underlying priority queue oblivious necessarily introduces an $\Omega(\log \log n)$ I/O overhead;&lt;/li&gt;&lt;li&gt;As the core technical breakthrough, we construct the first &lt;strong&gt;external-memory oblivious priority queue that is simultaneously I/O-optimal and work-optimal&lt;/strong&gt;, supporting the crucial &lt;code&gt;DecrKey&lt;/code&gt; operation: I/O cost per query $O\left(\frac{1}{B}\log\frac{n}{M}\right)$ and total work $O(\log n)$ ($n$ being the queue capacity). Compared with the scheme of Jafargholi et al. (I/O-optimal but suboptimal in work), this design satisfies the industry's strong security standard: the adversary may observe &lt;strong&gt;both block-level and word-level&lt;/strong&gt; memory accesses and the algorithm still remains oblivious.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Significance&lt;/h4&gt;&lt;p&gt;The results fill a key gap for oblivious graph algorithms in the external-memory model, providing the first practical, provably secure primitive for large-scale privacy-preserving graph analytics (e.g., routing optimization, resource scheduling).&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper presents the first efficient external-memory oblivious algorithm for the single-source shortest path (SSSP) problem on undirected graphs, achieving I/O complexity $O\big(V + \frac{E}{B}\log\frac{E}{M}\big)$ and total work $O(E \log E)$ under $E = \Omega(V)$. Its I/O cost nearly matches the best non-oblivious external-memory SSSP algorithm—differing only by a $\log \log E$ factor, which is provably inherent due to the $\Omega(\log \log n)$ I/O blowup required to obliviate priority queues. As a key technical contribution, we design an improved external-memory oblivious priority queue supporting &lt;code&gt;DecrKey&lt;/code&gt;: it attains &lt;em&gt;both&lt;/em&gt; optimal I/O cost $O\big(\frac{1}{B}\log\frac{n}{M}\big)$ and optimal work $O(\log n)$ per operation—resolving a gap in prior work (Jafargholi et al.) that was suboptimal in work under strong obliviousness (where adversaries observe both block- and word-level accesses), the current industry security standard.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;The study of oblivious algorithms is concerned with designing privacy-preserving algorithms whose memory access patterns reveal nothing about the secret inputs. Such algorithms have been deployed at scale in production systems, most notably in Signal&amp;#x27;s private contact discovery service. So far, all practical implementations of oblivious algorithms (e.g., those by Signal and Meta) rely on trusted hardware and operate within the external-memory model of computation. While it is known how to generically compile an arbitrary program to execute obliviously on an external-memory target machine, such generic oblivious simulations trade asymptotic efficiency for generality and therefore are rarely used in practice. Instead, customized oblivious algorithms tailored for the computational tasks of interest are almost always favored.&lt;/p&gt;&lt;p&gt;In this paper, we explore the single-source shortest path (SSSP) problem, a fundamental algorithmic building block with broad applications in scheduling, routing, graph mining, resource allocation and flow optimization. We present an external-memory oblivious SSSP algorithm for undirected graphs that achieves I/O efficiency $O(V + \frac{E}{B}\log\frac{E}{M})$ and total work $O(E\log E)$ assuming $E = \Omega(V)$, where $V$ denotes the number of vertices, $E$ denotes the number of edges, and $M$ and $B$ represent the target machine&amp;#x27;s cache size and block size, respectively. Our algorithm almost matches the best known non-private external-memory algorithm for SSSP, up to a $\log \log E$ factor in the second term of the I/O bound.
The remaining $\log \log E$ gap is conjectured to be an inherent barrier, since making the underlying priority queue oblivious requires an $\Omega(\log \log n)$ blowup in I/O cost, which is known to be inherent.&lt;/p&gt;&lt;p&gt;As a by-product, we develop an improved external-memory oblivious priority queue that supports DecrKey operations. Specifically, while the construction of Jafargholi et al. attains optimal I/O efficiency, it is suboptimal in total work under a strong notion of obliviousness—where the adversary can observe both block-level and word-level accesses. This stronger security guarantee is the current industry norm and explicitly required by companies such as Signal. We present a new oblivious priority queue that achieves optimality in both dimensions. Specifically, we achieve an I/O cost of $O(\frac{1}{B}\log\frac{n}{M})$ and total work $O(\log n)$ per query where $n$ is the capacity of the priority queue.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Zero-Knowledge Proofs of Generalized Regular Expression Matching for Anonymized Email Verification</title>
      <link>https://eprint.iacr.org/2026/1284</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1284</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1284"&gt;https://eprint.iacr.org/2026/1284&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and Challenges&lt;/h4&gt;&lt;p&gt;In digital identity, financial transactions and compliance verification, possession of a DKIM-signed email is often used as key evidence of account control, institutional affiliation or operational authorization. However, traditional verification methods require exposing the full email address or relying on centralized intermediaries, seriously harming user privacy and introducing additional trust assumptions. The ZK Email framework uses zero-knowledge proofs (ZKPs) to achieve publicly verifiable yet confidential proofs of email authenticity, but its existing implementations are limited by the inefficiency of regular-expression (regex) matching over structured email formats; in particular, for the complex DKIM-signed emails defined by RFC 6376, DFA-based schemes are impractical because of state explosion and the overhead of linear scanning.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper proposes a new ZKP regex-matching system: a &lt;strong&gt;path-verification mechanism based on ε-free NFAs&lt;/strong&gt;, which reduces proof complexity to &lt;strong&gt;linear only in the length of the matched path and independent of the total length of the original email&lt;/strong&gt;. This design is the first to support efficient structural-constraint verification on real DKIM emails (including multi-line header fields, Base64 signatures, canonicalized bodies, etc.). We build end-to-end ZK circuits that tightly integrate three core components: (i) DKIM signature verification logic; (ii) an arbitrary-length SHA-256 circuit supporting partial precomputation (for &lt;code&gt;rsa-sha256&lt;/code&gt;); (iii) a general-purpose regex primitive that flexibly imposes syntactic and semantic constraints on email headers and body. All zero-knowledge relations are formally modeled, and the security analysis is carried out under realistic adversary models.&lt;/p&gt;&lt;h4&gt;Experiments and Results&lt;/h4&gt;&lt;p&gt;The system is fully integrated into ZK Email, open source (MIT license), supports the Circom and Noir languages, and its backends are compatible with Groth16 and UltraHonk. Measurements on the SP1 zkVM and in client-side deployment show that, compared with the DFA baseline, the UltraHonk backend &lt;strong&gt;improves proving time by 2–6×&lt;/strong&gt; while supporting a richer class of regular languages (such as nested parentheses, variable-length groups and context-sensitive assertions), providing the first ZKP solution for anonymized email verification that combines expressiveness, efficiency and standards compatibility.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present a practical zero-knowledge proof (ZKP) system for generalized regular expression matching, enabling privacy-preserving verification of DKIM-signed emails without revealing message content. Our core innovation is an ε-free NFA path-verification approach that reduces prover complexity to &lt;em&gt;linear in the matched path length&lt;/em&gt;—independent of full email size—overcoming the inefficiency of prior DFA-based methods. We design end-to-end ZK circuits integrating (i) DKIM signature verification, (ii) an optimized SHA-256 circuit with partial precomputation for &lt;code&gt;rsa-sha256&lt;/code&gt; (RFC 6376), and (iii) a general-purpose regex primitive enforcing structural constraints on headers and body. Formalized zero-knowledge relations are proven secure under realistic adversarial models. Implemented in Circom and Noir for Groth16 and UltraHonk backends—and deployed on SP1 zkVM and client-side—we achieve &lt;strong&gt;2–6× faster proving time&lt;/strong&gt; versus state-of-the-art DFA approaches while supporting significantly richer regex expressivity. The fully open-source system (MIT license) bridges the gap between cryptographic soundness, real-world email standards, and deployable efficiency.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Digital communication increasingly underpins identity, financial transactions, and regulatory compliance. In many settings, possession of a DKIM-signed email serves as evidence of account control, transaction confirmation, or institutional affiliation. Yet demonstrating such properties typically requires revealing the full email or relying on centralized intermediaries, introducing privacy risks and additional trust assumptions. A framework called ZK Email addresses this limitation by applying zero-knowledge proofs (ZKPs) to email verification, enabling publicly verifiable proofs of authenticity while preserving message confidentiality. However, its existing implementations struggle to support complex, real-world messages due to the inefficiency of regular-expression verification over structured formats and rich alphabets.&lt;/p&gt;&lt;p&gt;We address this limitation with a new ZKP system for regex matching based on path verification over $\varepsilon$-free NFAs, yielding prover complexity linear in the captured path and independent of the original email&amp;#x27;s size. This approach enables practical validation of expressive standard structures required for full DKIM-signed email verification. To fully integrate our constructions into ZK Email, we design complete end-to-end ZK circuits that combine (i) DKIM signature verification, (ii) an arbitrary-length SHA-256 circuit with partial precomputation for $\texttt{rsa-sha256}$ under RFC 6376, and (iii) a general-purpose regex primitive enforcing structural constraints over email headers and body. We formalize the associated zero-knowledge relations and analyze their security under realistic adversary models.
We implement the system (fully integrated with ZK Email and released under the MIT license) in $\texttt{Circom}$ and $\texttt{Noir}$, targeting $\texttt{Groth16}$ and $\texttt{UltraHonk}$ backends, and evaluate it in both client-side and zkVM (SP1) deployment settings. Experimental results on commodity hardware demonstrate substantial efficiency improvements over prior DFA-based approaches, achieving a $2$-$6\times$ speedup in proving time using the $\texttt{UltraHonk}$ backend, while supporting a significantly richer class of regex languages.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Privacy-Preserving Outsourced Witness Updates for Append-Only RSA Accumulators</title>
      <link>https://eprint.iacr.org/2026/1283</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1283</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1283"&gt;https://eprint.iacr.org/2026/1283&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and Challenges&lt;/h4&gt;&lt;p&gt;In anonymous credential systems, &lt;strong&gt;append-only RSA accumulators&lt;/strong&gt; are widely used to build compact, verifiable public-state registries (e.g., for membership proofs). Their core bottleneck, however, is &lt;strong&gt;witness maintenance&lt;/strong&gt;: every insertion of a new element invalidates the vast majority of existing witnesses. Intermittently online users (such as mobile devices or privacy-sensitive endpoints) cannot continuously synchronize updates, so a large number of "missed updates" accumulate during offline periods, while directly outsourcing witness updates raises a &lt;strong&gt;request-linkability risk&lt;/strong&gt;: an attacker could infer a user's identity or behavioral trajectory from repeated query patterns.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper proposes the first &lt;strong&gt;privacy-preserving outsourced witness-update protocol&lt;/strong&gt;; its core innovation is the tight coupling of witness updates with &lt;strong&gt;Linear Integer Secret Sharing&lt;/strong&gt; (LISS). The protocol achieves three breakthroughs:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;✅ &lt;strong&gt;Client-stateless &amp;amp; on-demand updates&lt;/strong&gt;: users do not need to store intermediate state; after a period offline, a single request suffices to obtain the latest valid witness;&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;Strong privacy guarantees&lt;/strong&gt;: as long as fewer than the threshold number of update servers collude, both the witness value itself and the linkage between update requests are completely hidden (unlinkability);&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;Accountability&lt;/strong&gt;: any malicious response (such as forgery or tampering) can be efficiently detected by the client, and the offending server can be identified.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Experiments and Validation&lt;/h4&gt;&lt;p&gt;We formally define the system model and adversary capabilities (including semi-honest and malicious servers) and give rigorous security proofs. On the server side, matrix sparsification and batching optimizations are designed for long catch-up windows; the full protocol is implemented in Rust. Evaluation shows that, over 1–5-day offline windows and various threshold configurations (t=2–4), &lt;strong&gt;client-side computation cost is constant&lt;/strong&gt; (independent of the number of missed updates), only about 0.8–1.2 ms; server-side time depends mainly on the catch-up span and the size of the LISS distribution matrix, and a single catch-up over tens of thousands of elements completes in under a second, demonstrating practical deployability.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Append-only RSA accumulators enable compact public registries but suffer from severe witness-update overhead: each insertion invalidates most existing witnesses, posing a critical challenge for intermittently online users in anonymous credential systems. Direct outsourcing risks linkability across requests. We propose the first privacy-preserving outsourced witness-update protocol that integrates Linear Integer Secret Sharing (LISS) with accumulator updates. It achieves on-demand, client-stateless updates while guaranteeing witness privacy and unlinkability against threshold-bounded server coalitions, and provides accountability for malicious responses. We formalize security models and prove protocol correctness and privacy. Server-side optimizations reduce latency for long catch-up windows, and our Rust implementation shows that client cost is &lt;em&gt;constant&lt;/em&gt; (independent of missed updates), while server cost scales primarily with catch-up span and LISS matrix size—enabling practical one-shot witness recovery after days of offline periods.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Append-only accumulators are a natural way to realize compact public-state registries, but under high-frequency updates, witness maintenance becomes a severe challenge because each insertion typically invalidates most existing witnesses. This challenge is particularly acute for intermittently online users in anonymous credential systems, who cannot continuously synchronize update information, while directly outsourcing witness updates may make repeated requests linkable. In this paper, we present a privacy-preserving outsourced witness-update protocol for append-only RSA accumulators. The protocol combines witness updates with Linear Integer Secret Sharing (LISS), enabling on-demand, client-stateless witness updates while preserving witness privacy and unlinkability against coalitions of update servers below the threshold, and providing accountability for malicious or malformed server responses. We formalize the system and threat models and analyze the security of the protocol. We further develop server-side optimizations for long catch-up windows and implement the full end-to-end protocol in Rust. Evaluation under multiple threshold settings and offline windows shows that the protocol supports practical one-shot witness updates after long offline periods, with client-side cost remaining independent of the number of missed updates and server-side cost being mainly determined by the catch-up span and the LISS distribution matrix.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Physics-Aware Temporal Feature Engineering for Eavesdropping Detection in BBM92 Quantum Key Distribution</title>
      <link>https://eprint.iacr.org/2026/1282</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1282</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1282"&gt;https://eprint.iacr.org/2026/1282&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and Challenges&lt;/h4&gt;&lt;p&gt;In deployed quantum key distribution (QKD) systems, static quantum bit error rate (QBER) threshold detection is the mainstream defense against eavesdropping. In noisy and dynamically varying free-space optical (FSO) channels, however, natural disturbances such as atmospheric turbulence cause short-term QBER fluctuations that provide "cover" for low-intensity, intermittent eavesdropping attacks: such attacks can keep the QBER below the conventional fixed threshold and thereby intrude covertly.&lt;/p&gt;&lt;h4&gt;Methodological Innovation: Physics-Informed Temporal Feature Engineering&lt;/h4&gt;&lt;p&gt;Targeting the entanglement-based BBM92 protocol, this paper proposes a &lt;strong&gt;physics-guided paradigm for constructing temporal features&lt;/strong&gt;. Within a 30-second sliding window, 24-dimensional time-series features are systematically extracted, covering not only the evolution of the QBER itself (such as slope, variance and kurtosis) but, more importantly, the &lt;strong&gt;dynamic coupling relationships among multiple observables&lt;/strong&gt;: the cross-correlation lag spectrum between the QBER and the Bell S parameter, phase-synchronization indicators between photon coincidence count rates and the S parameter, and the joint nonlinear covariance entropy of all three. All features derive from quantum-optical dynamical constraints (such as the CHSH inequality bound and statistical models of coincidence events), ensuring that the machine-learning inputs carry interpretable physical meaning.&lt;/p&gt;&lt;h4&gt;Main Findings and Performance Validation&lt;/h4&gt;&lt;p&gt;Evaluated on a high-fidelity FSO simulation dataset spanning 24 hours with 5 random seeds: the static QBER threshold method achieves only 17.3% recall against blended sub-threshold attacks, whereas an XGBoost classifier on the temporal features achieves &lt;strong&gt;96.9% recall and 97.6% precision&lt;/strong&gt;. SHAP interpretability analysis reveals that detection effectiveness stems mainly from &lt;strong&gt;anomalous temporal decoupling among quantum observables&lt;/strong&gt; (e.g., the QBER rising sharply while the S parameter does not respond) rather than from a single metric exceeding an absolute value; this confirms that a breakdown of physical consistency is the essential fingerprint of eavesdropping.&lt;/p&gt;&lt;h4&gt;Significance and Outlook&lt;/h4&gt;&lt;p&gt;This work is the first to explicitly embed quantum-physical constraints into temporal feature design, significantly improving the robustness of BBM92 systems against covert attacks. Follow-up validation on real QKD hardware platforms and measured telemetry data is still needed.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper addresses the vulnerability of static Quantum Bit Error Rate (QBER) thresholding to stealthy eavesdropping in noisy free-space BBM92 QKD systems. We propose physics-aware temporal feature engineering—computing a 24-dimensional feature set over 30-second sliding windows that captures not only temporal dynamics of QBER, Bell &lt;em&gt;S&lt;/em&gt; parameter, and coincidence rates, but crucially their cross-observable correlations constrained by quantum mechanics (e.g., CHSH bounds, Poissonian statistics). Evaluated on a 24-hour simulated FSO telemetry dataset (5 random seeds), an XGBoost classifier using these features achieves &lt;strong&gt;96.9% recall and 97.6% precision&lt;/strong&gt; against blended sub-threshold attacks—dramatically outperforming static QBER thresholding (17.3% recall). SHAP analysis reveals detection relies primarily on &lt;em&gt;anomalous temporal decoupling&lt;/em&gt; among observables—not absolute error magnitude—highlighting physical consistency violation as the key attack signature. This demonstrates the value of embedding quantum dynamics into feature design for robust anomaly detection.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Static Quantum Bit Error Rate (QBER) thresholding is the standard defense mechanism in deployed Quantum Key Distribution (QKD) systems. In noisy free-space optical (FSO) channels, however, natural atmospheric variations can camouflage short, low-intensity eavesdropping bursts, rendering fixed thresholds ineffective. This paper investigates physics-aware temporal feature engineering for machine learning-based anomaly detection in entanglement-based BBM92 QKD telemetry. A 24-dimensional feature space is computed over a 30-second sliding window, characterizing the temporal evolution and cross-observable correlations of QBER, the Bell S parameter, and photon coincidence rates. Evaluated on a simulated FSO telemetry dataset spanning 24 hours across five random seeds, static QBER thresholding achieves only 17.3% recall against blended sub-threshold attacks, while an XGBoost classifier trained on the proposed feature set achieves 96.9% recall and 97.6% precision within the same simulation framework. SHAP analysis suggests that detection is driven less by absolute error magnitude than by anomalous temporal decoupling between independent quantum observables. These results indicate that physics-aware temporal representations may improve resilience to stealthy attack strategies in simulated BBM92 environments, although validation on operational hardware and real telemetry remains an important direction for future work.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Resultants Meet Resultant: Improving CICO-1 and CICO-2 Attacks on ZK-Friendly Permutations</title>
      <link>https://eprint.iacr.org/2026/1281</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1281</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1281"&gt;https://eprint.iacr.org/2026/1281&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;With the widespread use of zero-knowledge proof (ZKP) protocols in blockchain and privacy-preserving computation, &lt;strong&gt;arithmetization-oriented cryptographic primitives&lt;/strong&gt; have become a research hotspot. The security of ZK-friendly permutations is commonly evaluated via the &lt;strong&gt;CICO-$k$ problem&lt;/strong&gt; (Collision/Inverse Collision on $k$ inputs). The current best CICO-1 attacks (ASIACRYPT 2024, CRYPTO 2025) are based on the $\alpha$-inversion map $x \mapsto x^{1/\alpha}$ and use &lt;strong&gt;resultant theory&lt;/strong&gt; to eliminate intermediate variables, with complexity $\tilde{\mathcal{O}}(D_I (2-1/\alpha)^n)$, which still leaves a theoretical bottleneck.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper is the first to extend the resultant technique to the &lt;strong&gt;two-input setting&lt;/strong&gt;:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;it proposes a &lt;strong&gt;general two-variable framework for eliminating temporary variables&lt;/strong&gt;, breaking the limitation of univariate modeling;&lt;/li&gt;&lt;li&gt;it constructs the first &lt;strong&gt;new CICO-2 attack paradigm&lt;/strong&gt;, able to handle collisions/inverse collisions on two sets of inputs simultaneously;&lt;/li&gt;&lt;li&gt;it designs a &lt;strong&gt;Start-From-The-Middle (SFTM) CICO-1 attack framework&lt;/strong&gt;, significantly improving path-coverage efficiency.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Both attacks rely on &lt;strong&gt;fast bivariate resultant solving&lt;/strong&gt; as the core step. Theoretically, using resultant algorithms of near-linear complexity ($\mathcal{O}(D_I \cdot \mathrm{polylog})$) reduces the complexities of the CICO-2 and CICO-1 attacks to &lt;strong&gt;near-linear in $\alpha^n D_I$&lt;/strong&gt; and &lt;strong&gt;near-linear in $D_I$&lt;/strong&gt; respectively, the &lt;strong&gt;first theoretical breakthrough&lt;/strong&gt; of this kind.&lt;/p&gt;&lt;h4&gt;Practical Results&lt;/h4&gt;&lt;p&gt;To address the practical challenge, we adapt and optimize Villard's resultant algorithm (ISSAC 2018), obtaining practical complexities of:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;CICO-2: $\tilde{\mathcal{O}}((\alpha^n D_I)^{\gamma_2})$, where $\gamma_2 \in [1.25, 1.33]$;&lt;/li&gt;&lt;li&gt;CICO-1 (SFTM): $\tilde{\mathcal{O}}(D_I^{\gamma_1})$, where $\gamma_1 \in [1.2, 1.25]$.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Experimental validation shows the first break of the &lt;strong&gt;128-bit and 256-bit security instances&lt;/strong&gt; of Rescue (CICO-1) and the first &lt;strong&gt;full-round CICO-2 attacks&lt;/strong&gt; on Anemoi and Griffin, confirming the practical feasibility of the method.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This work advances cryptanalysis of ZK-friendly permutations by unifying resultant theory with multi-input collision modeling. We generalize the state-of-the-art resultant-based CICO-1 attack—previously limited to one input variable—to a &lt;strong&gt;two-variable setting&lt;/strong&gt;, enabling the first practical &lt;strong&gt;CICO-2 attack framework&lt;/strong&gt; and a novel &lt;strong&gt;Start-From-The-Middle (SFTM) CICO-1 framework&lt;/strong&gt;. Both rely critically on fast bivariate resultant computation: theoretically, using near-linear-time resultant algorithms, we achieve complexities of $\tilde{\mathcal{O}}(\alpha^n D_I)$ for CICO-2 and $\tilde{\mathcal{O}}(D_I)$ for CICO-1—marking the &lt;strong&gt;first asymptotic improvement&lt;/strong&gt; over prior bounds. Practically, adapting Villard’s algorithm yields complexities $\tilde{\mathcal{O}}((\alpha^n D_I)^{\gamma_2})$ and $\tilde{\mathcal{O}}(D_I^{\gamma_1})$ with $\gamma_1 \approx 1.22$–$1.25$, $\gamma_2 \approx 1.25$–$1.33$. Our implementation breaks full-round Anemoi and Griffin under CICO-2, and 128-/256-bit Rescue under CICO-1—&lt;strong&gt;the first such results&lt;/strong&gt;—validating both theoretical gain and practical viability.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;The increasing use of zero-knowledge proof protocols has raised the need for cryptographic primitives that are efficient in that setting, called Arithmetization-oriented primitives. The security of such permutations is commonly evaluated with the CICO-$k$ problem.&lt;br /&gt;The best known CICO-$1$ attack against ZK-Friendly permutations over $\mathbb{F}_q^t$ based on $\alpha$-inversions $x\mapsto x^{1/\alpha}$ exploits resultants (ASIACRYPT 2024, CRYPTO 2025). It starts from one input variable $x$ and introduces a temporary variable after each $\alpha$-inversion. With an efficient procedure to eliminate temporary variables, the attack reaches a time and memory complexity of $\tilde{\mathcal{O}}(D_I (2-1/\alpha)^n)$, where $D_I$ is the ideal degree of the CICO-$1$ modeling and $n$ is the number of $\alpha$-inversions. In this work, we study such an approach using two input variables $x_1, x_2$, and we generalize the temporary variable elimination to that setting. Subsequently, we present a new CICO-$2$ attack framework and a new Start-From-The-Middle (SFTM) CICO-$1$ attack framework.&lt;br /&gt;Both our attacks rely on fast bivariate resultants for their final bivariate system solving step. Using resultant algorithms with complexity almost linear in $D_I$, our CICO-$2$ and CICO-$1$ attacks reach a complexity almost linear in $\alpha^n D_I$ and in $D_I$, respectively, which is a first theoretical improvement. Designing an efficient implementation of these resultant algorithms remains a challenge, so for our practical contributions we turn to Villard&amp;#x27;s algorithm (ISSAC 2018).
After adapting it to our context, we obtain practical complexities $\tilde{\mathcal{O}}((\alpha^n D_I)^{\gamma_2})$ and $\tilde{\mathcal{O}}(D_I^{\gamma_1})$ for CICO-$2$ and CICO-$1$ respectively, where $1.2 \le \gamma_1 \le 1.25 \le \gamma_2 \le 1.33$ depending on the chosen linear algebra exponent $2 \le \omega \le 3$.&lt;br /&gt;Our attacks improve upon the best known ones against several instances of Anemoi, Rescue and Griffin, successfully breaking $128$-bit and $256$-bit security instances of Rescue in the CICO-$1$ setting and full-round instances of Anemoi and Griffin in the CICO-$2$ setting for the first time. Our implementation of the attack confirms the practicality of the approach.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Public Parameters as a First-Class Cost: A Three-Dimensional View of Updatable Vector Commitments, and a Group/Lattice Separation</title>
      <link>https://eprint.iacr.org/2026/1280</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1280</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1280"&gt;https://eprint.iacr.org/2026/1280&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Research Background and Problem&lt;/h4&gt;&lt;p&gt;Updatable vector commitments (UVCs) are a core primitive in privacy-preserving computation and blockchain scaling. Their performance is usually characterized by two kinds of metrics: the &lt;strong&gt;size $S$ of the broadcast update information&lt;/strong&gt; (e.g., the length of an update proof) and the &lt;strong&gt;per-proof update time $T$&lt;/strong&gt; (e.g., the time a verifier needs to update the proof for a given position). However, existing evaluation frameworks have long ignored the &lt;strong&gt;public parameter size $P$&lt;/strong&gt;, i.e., the size of the global parameters that must be publicly distributed at system setup. As schemes relying on a trusted setup, such as NIZKs and zk-SNARKs, become widespread, the storage, transmission and loading overhead of $P$ has become a bottleneck in real deployments.&lt;/p&gt;&lt;h4&gt;Method and Framework Innovation&lt;/h4&gt;&lt;p&gt;This paper is the first to elevate $P$ to a "first-class" performance dimension, building a three-dimensional evaluation space $(S,T,P)$, systematically surveying and classifying existing UVC schemes (including KZG, Merkle trees, LigeroVC, Dory, etc.) and revealing their trade-offs along the three axes. Further, in the generic group model we propose the first lower-bound theorem for &lt;strong&gt;position-binding linear UVCs&lt;/strong&gt;: if a scheme satisfies position binding and has a linear structure over the group, then necessarily $P = \Omega(N)$, i.e., the public parameters must grow linearly with the vector length $N$.&lt;/p&gt;&lt;h4&gt;Main Findings and Theoretical Breakthrough&lt;/h4&gt;&lt;p&gt;We construct a new UVC scheme based on a &lt;strong&gt;lattice homomorphic Merkle tree&lt;/strong&gt;, achieving for the first time the triple sublinear/constant combination &lt;strong&gt;$S = \operatorname{polylog}(N)$, $T = \operatorname{polylog}(N)$, $P = O(1)$&lt;/strong&gt;, i.e., simultaneously sublinear update communication, sublinear update time and &lt;strong&gt;public-parameter succinctness&lt;/strong&gt; (pp-succinct). This result strictly separates the capabilities of the group model and the lattice model: the former cannot escape the $P \geq N$ lower bound, while the latter can break this limit. The paper thereby elevates the empirically observed "group/lattice performance gap" to a formal theorem and proves that the $P$ axis is orthogonal to the existing $S$-$T$ lower bounds; introducing $P$ not only completes the evaluation dimensions but also opens an entirely new optimization direction.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Updatable vector commitments (UVCs) are conventionally evaluated along two axes: the size $S$ of broadcast update information and the per-proof update time $T$. This work elevates the public parameter size $P$ to a first-class cost metric, establishing a three-dimensional $(S,T,P)$ framework to systematize known UVC constructions. We prove that &lt;em&gt;every linear group-model UVC with position-binding requires $P \geq N$&lt;/em&gt;, i.e., linear public parameters in vector length $N$. In contrast, we present a lattice-based homomorphic Merkle tree achieving &lt;em&gt;simultaneously sublinear $S$ and $T$ (both $\operatorname{polylog} N$) and constant-size $P = O(1)$&lt;/em&gt;—the first pp-succinct UVC with efficient updates. This yields a formal group/lattice separation theorem, showing the $P$-axis is orthogonal to prior $S$-$T$ lower bounds and fundamentally reshapes the UVC design landscape.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Updatable vector commitments are judged by how a k-position update affects the broadcast update information S and the per-proof update time T. We promote the public-parameter size P to a first-class metric, systematize known schemes in the resulting three-dimensional (S,T,P) space, and prove that every linear group-model vector commitment with position-binding requires P at least N, while the lattice homomorphic Merkle tree is simultaneously sublinear-update and pp-succinct. This turns the empirical group/lattice gap into a theorem, and we show the new axis is orthogonal to known lower bounds.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>BootNet: Homomorphic CNN Inference with Convolution and ReLU Fused in Bootstrapping</title>
      <link>https://eprint.iacr.org/2026/1279</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1279</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1279"&gt;https://eprint.iacr.org/2026/1279&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;BootNet: A Bootstrapping Framework Fusing Convolution and ReLU for FHE CNN Inference&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;Background and Challenges&lt;/strong&gt;: Fully homomorphic encryption (FHE) provides theoretical guarantees for privacy-preserving neural network inference, but practical deployment is limited by three overheads: the high computational complexity of homomorphic convolution, the precision loss and depth growth introduced by polynomial approximation of activation functions (such as ReLU), and the exponential resource consumption caused by frequent bootstrapping in the CKKS scheme. Existing work achieves only partial fusion: NeuJeans embeds convolution into bootstrapping and RBOOT fuses ReLU into functional bootstrapping, but using the two together for end-to-end ImageNet inference runs into coupling bottlenecks that had not been systematically exposed: depth explosion, ring-dimension redundancy, residual-path conflicts and quantization/bootstrapping mismatch.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Methodological Innovation&lt;/strong&gt;: BootNet proposes the first unified framework that &lt;strong&gt;fully fuses convolution, ReLU and noise refresh into a single bootstrapping call&lt;/strong&gt;, requiring only one bootstrapping per CNN layer. Its core is a fourfold co-design: (1) &lt;strong&gt;divide-and-conquer bootstrapping scheduling&lt;/strong&gt;: a "split-and-merge" strategy for ResNet residual shortcuts that halves bootstrapping calls; (2) &lt;strong&gt;quantization-enhanced RBOOT configuration&lt;/strong&gt;: combining low-bit weight quantization with improved RBOOT parameters to significantly compress multiplicative depth; (3) &lt;strong&gt;tight coupling of the NeuJeans masking layer with the RBOOT arcsin step&lt;/strong&gt;: eliminating redundant encoding conversions and further reducing depth; (4) &lt;strong&gt;lightweight adaptation of EvalRound+&lt;/strong&gt;: customizing its structure to match slim bootstrapping and the RBOOT pipeline for further depth optimization.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Experimental Results&lt;/strong&gt;: Evaluated with ResNet-18/34/50 on ImageNet, BootNet &lt;strong&gt;reduces end-to-end latency by 67–73% and storage overhead by 76–90%&lt;/strong&gt; compared with the state-of-the-art Orion (ASPLOS'25), with &lt;strong&gt;no accuracy loss&lt;/strong&gt; (Top-1 accuracy fully matches the plaintext model). More strikingly, &lt;strong&gt;BootNet-mini&lt;/strong&gt; is introduced: the first to support full ImageNet inference at ring dimension $N=2^{15}$ (reaching 120+ bits of security with sparse-secret encapsulation), whereas all previous work required $N=2^{16}$ or larger; its storage is a further 30–55% lower than BootNet's, making it significantly friendlier to hardware acceleration.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;BootNet is a unified homomorphic inference framework that fuses convolution, ReLU activation, and noise refresh into a &lt;em&gt;single bootstrapping invocation per CNN layer&lt;/em&gt;, eliminating the traditional three-stage overhead in CKKS-based FHE. To overcome undocumented coupling challenges in jointly embedding NeuJeans-style convolution and RBOOT-style ReLU within end-to-end ImageNet inference, BootNet introduces four co-designed optimizations: (1) a split-and-merge bootstrapping schedule halving calls for ResNet shortcuts; (2) quantization-aware RBOOT tuning reducing multiplicative depth; (3) tight fusion of NeuJeans’ masking and RBOOT’s arcsin step for further depth savings; and (4) hardware-friendly adaptation of EvalRound+. Evaluated on ResNet models over ImageNet, BootNet achieves 67–73% lower end-to-end latency and 76–90% less storage than Orion (ASPLOS’25), matching plaintext accuracy. BootNet-mini further enables full ImageNet inference at ring degree $N = 2^{15}$ (≥120-bit security via sparse-secret encapsulation)—a first—reducing storage by 30–55% over BootNet while maintaining comparable latency.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Fully homomorphic encryption (FHE) enables privacy-preserving neural network inference but suffers from high overhead from homomorphic convolutions, polynomial activation approximations, and CKKS bootstrapping. This paper presents BootNet, a unified framework that fuses all three operations into a single bootstrapping invocation per CNN layer, achieving convolution, ReLU, and noise refresh simultaneously.&lt;/p&gt;&lt;p&gt;Prior works are able to fuse convolution into bootstrapping using CinS encoding (NeuJeans, CCS 2024) or ReLU into functional bootstrapping (RBOOT, USENIX Security 2026), but combining both for end-to-end ImageNet inference introduces numerous undocumented challenges. BootNet resolves these through a suite of co-design techniques and optimizations, including four representative solutions: (1) a split-and-merge bootstrapping schedule that halves bootstrapping calls for ResNet shortcuts; (2) an improved RBOOT configuration paired with a model quantization method that completes the activation function at a lower multiplicative depth; (3) a fusion of NeuJeans&amp;#x27; masking layer with RBOOT&amp;#x27;s arcsin step that yields additional depth reduction; (4) tailoring EvalRound+ (IEEE Access 2025) to fit slim bootstrapping and RBOOT for further depth reduction.&lt;/p&gt;&lt;p&gt;We evaluate BootNet on multiple ResNet models on the ImageNet dataset. Compared to the state-of-the-art Orion (ASPLOS 2025), BootNet reduces end-to-end latency by 67-73% and storage by 76-90% while preserving plaintext accuracy. We also introduce BootNet-mini, enabling full ImageNet inference at ring degree $N=2^{15}$ (with over $120$-bit security via sparse-secret encapsulation) for the first time, while all previous works have to use $N=2^{16}$ or larger. BootNet-mini performs similarly in latency but reduces the storage requirement by 30-55% relative to BootNet, making it potentially more friendly to hardware acceleration.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 18 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Barriers for Transparent Algebraic Generation of Hard Supersingular Curves</title>
      <link>https://eprint.iacr.org/2026/1278</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1278</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1278"&gt;https://eprint.iacr.org/2026/1278&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and problem&lt;/h4&gt;&lt;p&gt;The paper addresses a foundational cryptographic question: &lt;strong&gt;transparent algebraic generation of hard supersingular elliptic curves&lt;/strong&gt;. Unlike schemes that rely on a trusted party or a distributed ceremony (with zero-knowledge proofs or secret erasure), the setting here is a fully public, rerunnable, seed-driven generator: the algorithm outputs a supersingular curve while &lt;strong&gt;exposing the seed, the verification transcript and every piece of algebraic data an implementation can reconstruct&lt;/strong&gt; (invariants, isogeny paths, endpoint maps and so on), so that no witness can remain hidden.&lt;/p&gt;&lt;h4&gt;Model and method&lt;/h4&gt;&lt;p&gt;The authors give the first formal &lt;strong&gt;transcript-security model&lt;/strong&gt; for this transparent setting and build theoretical barriers against several classes of algebraic generation routes:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Modular-conjugacy samplers&lt;/strong&gt;: they analyse the locus of supersingular j-invariants that admit an isogeny to their Frobenius conjugate. For small public parameters this locus has sparse support and is efficiently recognisable; when a high-parameter witness can be extracted, composing it with Frobenius necessarily yields a &lt;strong&gt;non-scalar endomorphism&lt;/strong&gt;, which breaks hardness.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Bounded correspondence witnesses&lt;/strong&gt;: the same leakage principle is extended to four typical bounded-witness structures: kernel descriptions, rational maps, traces of Hecke–Brandt operators, and elliptic-return detour paths.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Classification of direct samplers&lt;/strong&gt;: five algebraic strategies are separated and each is shown infeasible within the model: predicate-only search, local-neighbour exploration, bounded-relation witnesses, low-formal-degree ambient algebraic maps, and &lt;strong&gt;degree-one indexed maps&lt;/strong&gt; from $\mathbb{F}_p$ to $\mathbb{F}_{p^2}$.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Scope of the results&lt;/h4&gt;&lt;p&gt;All conclusions are &lt;strong&gt;model-bounded theorems&lt;/strong&gt;: they do not rule out hidden-witness ceremonies, higher-degree indexed maps, compact high-degree root indexing, endpoint-only mechanisms, or nonlocal aggregate sampling. The work clarifies under which algebraic structures transparent algebraic generation is inherently infeasible and lays theoretical groundwork for verifiably random curve generation in post-quantum cryptography.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper studies &lt;em&gt;transparent public generation of hard supersingular elliptic curves&lt;/em&gt;: a seeded, rerunnable, algebraically open algorithm that outputs a supersingular curve while fully exposing the seed, verification transcript, and all reconstructible algebraic data—contrasting sharply with trusted/distributed ceremonies where witnesses may be hidden, erased, or zero-knowledge protected. We introduce a formal &lt;em&gt;transcript-security model&lt;/em&gt; and establish rigorous barriers against several broad classes of algebraic generation strategies. For modular-conjugacy samplers, we characterize the locus of supersingular invariants admitting an isogeny to their Frobenius conjugate: small public parameters yield sparsely supported, efficiently recognizable sets; extractable high-parameter witnesses force non-scalar endomorphisms via Frobenius composition. We extend this leakage principle to bounded correspondence witnesses—including kernel, rational-map, Hecke–Brandt, and elliptic-return detour traces. For direct samplers, we separate and prove impossibility for predicate-only search, local-neighbor exploration, bounded-relation witnesses, low-formal-degree ambient algebraic maps, and degree-one indexed maps $\mathbb{F}_p \to \mathbb{F}_{p^2}$. Crucially, all theorems are model-bounded: they do not preclude hidden-witness ceremonies, higher-degree indexing, compact high-degree root indexing, endpoint-only mechanisms, or nonlocal aggregate sampling.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We study transparent public generation of hard supersingular curves: a public, seeded, rerunnable algorithm outputs a supersingular curve while exposing the seed, verification transcript, and all algebraic information reconstructible from the implementation.  This setting is distinct from trusted or distributed ceremonies, where a witness may be hidden, erased, or zero-knowledge protected.  We define a transcript-security model for this setting and develop barriers for several modeled algebraic generation routes.  For modular-conjugacy samplers, we analyze loci of supersingular invariants admitting an isogeny to their Frobenius conjugate; small public parameters give efficiently recognizable sparse support, while extractable high-parameter witnesses yield non-scalar endomorphisms by Frobenius composition.  We extend this leakage principle to bounded correspondence witnesses, including kernel, rational-map, Hecke--Brandt, and elliptic-return detour traces.  For direct samplers, we separate predicate-only search, local-neighbor exploration, bounded-relation witnesses, low-formal-degree ambient algebraic maps, and degree-one indexed maps from \(\mathbb{F}_p\) to \(\mathbb{F}_{p^2}\).  The resulting theorems are deliberately model-bounded: they do not rule out hidden-witness ceremonies, higher-degree indexed maps, compact high-degree root indexing, endpoint-only mechanisms, or nonlocal aggregate sampling.  Full proofs are deferred to the appendices.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>On the Round Complexity of Dishonest-Majority MPC</title>
      <link>https://eprint.iacr.org/2026/1277</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1277</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1277"&gt;https://eprint.iacr.org/2026/1277&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and problem&lt;/h4&gt;&lt;p&gt;In the &lt;strong&gt;dishonest-majority&lt;/strong&gt; setting, the &lt;strong&gt;round complexity&lt;/strong&gt; of secure multi-party computation (MPC) over point-to-point channels has long been open. Two-round MPC exists in the broadcast-channel model, and expected-constant-round broadcast protocols exist that tolerate any constant fraction of corruptions, yet composing the two naively yields expected $O(\log n)$ rounds ($n$ being the number of parties). The root obstacle is that existing techniques for composing broadcast protocols in parallel rely on an &lt;strong&gt;honest majority&lt;/strong&gt;, which is unavailable here. At the same time, for the weaker goals of security with abort, namely &lt;strong&gt;unanimous abort&lt;/strong&gt; and &lt;strong&gt;identifiable abort&lt;/strong&gt;, the classical broadcast lower bounds do not carry over, because they were proved for the stronger standard notions of broadcast.&lt;/p&gt;&lt;h4&gt;Main results&lt;/h4&gt;&lt;p&gt;This work initiates the systematic study of the question and obtains three results:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Impossibility&lt;/strong&gt;: strict constant-round MPC (a deterministic bound of at most $c$ rounds for a constant $c$) with unanimous abort is impossible; more generally, any broadcast protocol with unanimous abort that is secure against a super-constant number of corruptions ($\omega(1)$) must run for a super-constant number of rounds.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Construction&lt;/strong&gt;: the first &lt;strong&gt;round-preserving, black-box&lt;/strong&gt; parallel composition of broadcast with unanimous abort. Assuming &lt;strong&gt;oblivious transfer (OT)&lt;/strong&gt; and &lt;strong&gt;verifiable random functions (VRFs)&lt;/strong&gt;, in the PKI model for signatures and VRFs, this gives MPC with unanimous abort in &lt;strong&gt;expected constant rounds&lt;/strong&gt; against &lt;strong&gt;any constant fraction&lt;/strong&gt; of corrupted parties.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Tight lower bound&lt;/strong&gt;: once the number of corruptions grows to $n - o(n)$ (almost everyone corrupt), no expected-constant-round broadcast protocol, and hence no such MPC protocol, exists even with identifiable abort; this pins down the corruption threshold at which constant-round feasibility changes.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This work initiates the systematic study of round complexity for malicious-majority MPC over point-to-point channels with unanimous or identifiable abort. We establish three tight results: (1) &lt;strong&gt;Impossibility&lt;/strong&gt;: Strictly constant-round MPC with unanimous abort is impossible; in fact, any broadcast protocol with unanimous abort secure against $\omega(1)$ corruptions requires $\omega(1)$ rounds. (2) &lt;strong&gt;Construction&lt;/strong&gt;: We design the first round-preserving, black-box parallel composition technique for broadcast with unanimous abort. Leveraging OT and VRFs in a PKI model (for signatures and VRFs), we obtain MPC with unanimous abort and &lt;strong&gt;expected constant rounds&lt;/strong&gt;, tolerating any constant fraction of corruptions. (3) &lt;strong&gt;Tight lower bound&lt;/strong&gt;: When corruptions reach $n - o(n)$, no expected-constant-round broadcast—and thus no such MPC—exists even with identifiable abort, demonstrating a sharp threshold for feasibility.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;What is the round complexity of MPC over point-to-point channels that is secure with unanimous/identifiable abort in the dishonest-majority setting?&lt;/p&gt;&lt;p&gt;Even after four decades of research, the answer to this question remains unclear. Although two-round MPC protocols exist in the broadcast-channel model, and, further, broadcast protocols with expected-constant rounds exist facing any constant fraction of corruptions, a naïve combination of the two yields MPC with expected $O(\log{n})$ rounds, where $n$ is the number of parties. The reason for this gap is the need to preserve the expected round complexity under parallel composition, yet existing techniques for the composition of broadcast protocols inherently rely on an honest majority of parties.&lt;/p&gt;&lt;p&gt;Further, when considering MPC with abort, one can also consider &lt;em&gt;broadcast with abort&lt;/em&gt;. However, existing lower bounds on the round complexity of broadcast do not translate to this relaxed notion of broadcast, with the end result that the existing lower bounds for MPC and broadcast do not apply to the question above.&lt;/p&gt;&lt;p&gt;In this work, we initiate the systematic study of this question and present the following positive and negative results for MPC over point-to-point channels:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;First, we prove the impossibility of (strict) constant-round MPC with unanimous abort. 
In fact, we show that any broadcast protocol with unanimous abort that is secure against super-constant corruptions requires super-constant rounds.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Second, we present a round-preserving and black-box parallel composition construction of broadcast with unanimous abort, which leads to our main result: Assuming oblivious transfer (OT) and verifiable random functions (VRFs), MPC with unanimous abort and expected constant rounds is possible in the PKI model for signatures and VRFs, in the presence of any constant fraction of corruptions.&lt;/li&gt;&lt;/ul&gt;&lt;ul&gt;&lt;li&gt;Finally, we show that in the presence of slightly more corruptions---i.e., $n-o(n)$ corruptions---there is no expected-constant-round broadcast (and thus MPC) with identifiable abort.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Forget-me-not Trees: Mass-scale Auditable Key Transparency from Hash Functions</title>
      <link>https://eprint.iacr.org/2026/1276</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1276</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1276"&gt;https://eprint.iacr.org/2026/1276&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and challenge&lt;/h4&gt;&lt;p&gt;Deployed key transparency (KT) systems rely on third-party auditors to check that updates to the key set are well-formed and consistent, which is what lets clients monitor their own keys efficiently. In current mainstream designs (such as Trillian) built on large Merkle trees, however, &lt;strong&gt;consistency proofs run to 15–30 MB&lt;/strong&gt;, making audits computationally expensive; in practice only a handful of organisations (browser vendors or cloud providers) have the resources to act as auditors, which badly undermines decentralised auditing and real-world auditability.&lt;/p&gt;&lt;h4&gt;Method: Forget-me-not trees&lt;/h4&gt;&lt;p&gt;The paper proposes a new KT system built around a new data structure, the &lt;strong&gt;Forget-me-not tree&lt;/strong&gt;. Rather than simply stacking the two, it is a &lt;strong&gt;careful composition of Merkle trees and Bloom filters&lt;/strong&gt;: the Bloom filters compactly encode key presence and key "forgetting" (whether a key has been retired), and that Bloom state is committed within the Merkle structure. Every operation uses only a standard cryptographic hash function (such as SHA-256), with &lt;strong&gt;no digital signatures, zero-knowledge proofs or trusted hardware&lt;/strong&gt;.&lt;/p&gt;&lt;h4&gt;Results and significance&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Audit proofs shrink by about 500×&lt;/strong&gt;: from 15–30 MB down to 30–60 KB, small enough to verify on an ordinary laptop;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Mass-scale auditability&lt;/strong&gt;: audits become cheap enough that community volunteers, small CAs or even end users could serve as auditors;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Hash-only construction&lt;/strong&gt;: the first mass-scale auditable KT system that relies solely on hash functions, which improves deployability and makes formal verification more tractable.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The work offers a lightweight, open and scalable auditing foundation for the next generation of privacy-enhancing PKI infrastructure.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Modern key transparency (KT) systems rely on auditors to verify consistency of key updates, enabling clients to monitor their keys. However, deployed systems (e.g., Trillian) produce huge consistency proofs (15–30 MB), requiring powerful hardware and limiting real-world auditing to just a few entities. We introduce &lt;strong&gt;Forget-me-not trees&lt;/strong&gt;, a novel hash-only data structure that tightly composes Merkle trees with Bloom filters—not as separate layers, but through a semantics-aware design where Bloom states encode both key presence &lt;em&gt;and&lt;/em&gt; secure revocation (&amp;quot;forgetting&amp;quot;). This yields audit proofs of only &lt;strong&gt;30–60 KB—reducing size by ≈500×&lt;/strong&gt; while preserving security guarantees (forward secrecy, tamper evidence, verifiable deletion). Our system is the &lt;strong&gt;first mass-scale KT scheme relying solely on cryptographic hash functions&lt;/strong&gt;, enabling efficient auditing on commodity devices and democratizing verification across thousands of independent auditors.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Modern, deployed key transparency systems rely on auditors to ensure that updates to the set of keys are well-structured, allowing clients to efficiently monitor their own keys.   In practice, the server&amp;#x27;s consistency proofs are very large, requiring computationally powerful auditors; as a result, real-world deployments have very few auditors.&lt;/p&gt;&lt;p&gt;We propose a new key transparency system based on a new data structure called Forget-me-not trees, which is a careful composition of Merkle trees and Bloom filters.  The resulting system reduces the size of audit proofs by $\approx500\times$, from 15MB-30MB down to only 30KB-60KB.  Our construction is the first mass-scale auditable key transparency system that relies only on hash functions.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>The Indifferentiability of the Duplex and its Practical Applications</title>
      <link>https://eprint.iacr.org/2026/1275</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1275</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1275"&gt;https://eprint.iacr.org/2026/1275&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background&lt;/h4&gt;&lt;p&gt;The Duplex construction, introduced by Bertoni et al. in 2011, is the Swiss Army knife of permutation-based cryptography and underlies hash functions, message authentication codes (MACs), authenticated encryption (AEAD) and symmetric ratchets. The STROBE protocol framework is built entirely on the Duplex, which shows its practical value as a general-purpose building block. Its theoretical foundation, in particular its &lt;strong&gt;indifferentiability&lt;/strong&gt;, has nonetheless never been pinned down: prior work has focused on specific applications rather than justifying, in an idealised model, the Duplex as a black-box interface.&lt;/p&gt;&lt;h4&gt;Method and findings&lt;/h4&gt;&lt;p&gt;The paper establishes the indifferentiability of the Duplex construction from an &lt;strong&gt;online random oracle&lt;/strong&gt; (ORO), an idealisation that shares the Duplex's interface (absorb/squeeze calls on a persistent state) and therefore fits its online behaviour better than a plain random oracle. The authors prove that &lt;strong&gt;the standard Duplex is indifferentiable from an ORO&lt;/strong&gt;, but that the &lt;strong&gt;full-state Duplex&lt;/strong&gt; (which also absorbs input into the capacity part of the state) cannot meet this notion, marking a clear design boundary between the two variants.&lt;/p&gt;&lt;h4&gt;Applications&lt;/h4&gt;&lt;p&gt;The theorem gives the first general theoretical justification for using the Duplex in frameworks such as STROBE. The authors then apply it to SpongeWrap, the Duplex-based AEAD mode on which NIST's lightweight cryptography standard Ascon is based, and show that it is secure against &lt;strong&gt;key-dependent message&lt;/strong&gt; (KDM) inputs and &lt;strong&gt;related-key attacks&lt;/strong&gt; (RKA) and that it is &lt;strong&gt;committing&lt;/strong&gt;, which broadens its applicability to settings such as key management, key derivation and protocols that need commitment.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper establishes the &lt;strong&gt;indifferentiability of the standard Duplex construction from an online random oracle (ORO)&lt;/strong&gt;—an ideal model matching Duplex’s interactive, stateful interface. We prove that while the standard Duplex achieves indifferentiability under realistic iteration bounds, the full-state variant fails this notion due to state leakage. This result provides the first general theoretical foundation for Duplex-based primitives, including the STROBE framework. Furthermore, leveraging this indifferentiability, we show that SpongeWrap—an AEAD scheme built on Duplex and underlying NIST’s Ascon standard—achieves strong security guarantees: resilience against key-dependent messages, related-key attacks, and commitment security. These properties extend its applicability beyond classical confidentiality/integrity to advanced protocols requiring composability and key agility.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;The Duplex construction, introduced by Bertoni et al. (SAC 2011), is the Swiss Army knife of permutation-based cryptography. It can be used to realise a variety of cryptographic objects—ranging from hash functions and MACs, to authenticated encryption and symmetric ratchets. Testament to this is the STROBE protocol framework which is a software cryptographic library based solely on the Duplex combined with a rich set of function calls. While prior works have typically focused their attention on specific uses of the Duplex, our focus here is its indifferentiability. More specifically, we consider the indifferentiability of the Duplex construction from an online random oracle—an idealisation which shares its same interface. As one of our main results we establish the indifferentiability of the Duplex from an online random oracle. However indifferentiability only holds for the standard Duplex construction and we show that the full-state variant of the Duplex cannot meet this notion. Our indifferentiability theorem provides the theoretical justification for the security of the Duplex in a variety of scenarios, amongst others, its use as a general-purpose cryptographic primitive in the STROBE framework. Next we move our attention to AEAD schemes based on the Duplex, namely SpongeWrap, which is the basis for NIST&amp;#x27;s Lightweight Cryptography standard Ascon. We harness the power of indifferentiability by establishing that SpongeWrap offers security against key-dependent message inputs, related-key attacks, and is also committing.&lt;/p&gt;&lt;/section&gt;</description>
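<![CDATA[
The Duplex interface and the SpongeWrap mode described in this abstract, as an added, stand-alone Python example (not the paper's code, and not STROBE's or Ascon's implementation). `duplexing(sigma, l)` pads `sigma` with pad10*1 into the outer part of the state, applies the permutation and returns `l` bytes, which is exactly the interface the indifferentiability result is about. `SpongeWrap` then follows the SAC 2011 algorithm with two assumptions made here for brevity: the per-block frame bit is a whole byte so everything stays byte-aligned, and the permutation is a small ARX toy (insecure, chosen only so the file runs with the standard library; a real build would use Keccak-f or the Ascon permutation).

```python
"""Toy Duplex object and SpongeWrap AEAD built on it (added illustration).
Not the paper's code, nor STROBE/Ascon. Frame bit -> frame byte; toy ARX
permutation, INSECURE, used only so this runs stand-alone."""
import hmac
import struct

STATE_BYTES = 64          # b = 512 bits
RATE = 32                 # r = 256 bits, the outer part the duplex writes to
RHO = RATE - 2            # payload bytes per call: room for frame byte + padding
MASK = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def permute(state):
    """Toy ARX permutation on 16 x 32-bit words (invertible, not secure)."""
    w = list(struct.unpack("<16I", bytes(state)))
    for rnd in range(12):
        for i in range(16):
            w[i] = (w[i] + w[(i + 1) % 16]) & MASK
            w[(i + 2) % 16] ^= _rotl(w[i], 7)
            w[i] ^= rnd * 16 + i + 1          # round constant
        w = w[3:] + w[:3]                     # rotate words for diffusion
    return bytearray(struct.pack("<16I", *w))

class Duplex:
    """Duplex[f, pad10*1, r]: stateful absorb-then-squeeze object."""
    def __init__(self):
        self.state = bytearray(STATE_BYTES)   # all-zero initial state
    def duplexing(self, sigma, out_len):
        if len(sigma) > RATE - 1 or out_len > RATE:
            raise ValueError("input must leave room for padding; output <= rate")
        block = bytearray(sigma) + b"\x01"    # pad10*1: first pad bit ...
        block += bytes(RATE - len(block))
        block[-1] ^= 0x80                     # ... and last pad bit
        for i in range(RATE):
            self.state[i] ^= block[i]         # absorb into the outer part only
        self.state = permute(self.state)
        return bytes(self.state[:out_len])

def _blocks(data):
    """RHO-byte chunks; an empty input still gives one empty block."""
    return [data[i:i + RHO] for i in range(0, len(data), RHO)] or [b""]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class SpongeWrap:
    """One instance per direction; the state chains across messages."""
    def __init__(self, key):
        self.d = Duplex()
        kb = _blocks(key)
        for k in kb[:-1]:
            self.d.duplexing(k + b"\x01", 0)
        self.d.duplexing(kb[-1] + b"\x00", 0)
    def _absorb_header(self, header):
        hb = _blocks(header)
        for a in hb[:-1]:
            self.d.duplexing(a + b"\x00", 0)
        return hb[-1]                         # last block rides with first keystream call
    def wrap(self, header, body, tag_len=16):
        last_a = self._absorb_header(header)
        bb = _blocks(body)
        z = self.d.duplexing(last_a + b"\x01", len(bb[0]))
        ct = _xor(bb[0], z)
        for i in range(len(bb) - 1):          # each plaintext block keys the next
            z = self.d.duplexing(bb[i] + b"\x01", len(bb[i + 1]))
            ct += _xor(bb[i + 1], z)
        tag = self.d.duplexing(bb[-1] + b"\x00", tag_len)
        return ct, tag
    def unwrap(self, header, ct, tag):
        last_a = self._absorb_header(header)
        cb = _blocks(ct)
        z = self.d.duplexing(last_a + b"\x01", len(cb[0]))
        pt = [_xor(cb[0], z)]
        for i in range(len(cb) - 1):
            z = self.d.duplexing(pt[i] + b"\x01", len(cb[i + 1]))
            pt.append(_xor(cb[i + 1], z))
        expected = self.d.duplexing(pt[-1] + b"\x00", len(tag))
        if not hmac.compare_digest(expected, tag):
            return None                       # reject; never release plaintext on a bad tag
        return b"".join(pt)

def roundtrip(key, header, body):
    """Wrap with one instance, unwrap with a fresh one: plaintext or None."""
    ct, tag = SpongeWrap(key).wrap(header, body)
    return SpongeWrap(key).unwrap(header, ct, tag)

def tamper_detected(key, header, body):
    """True if a flipped ciphertext bit and a changed header are both rejected."""
    ct, tag = SpongeWrap(key).wrap(header, body)
    bad_ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    return (SpongeWrap(key).unwrap(header, bad_ct, tag) is None
            and SpongeWrap(key).unwrap(header + b"!", ct, tag) is None)
```

Sender and receiver each keep their own `SpongeWrap` instance. Because the state chains across calls, a second `wrap` on the same instance authenticates the whole message history, which is what lets the Duplex serve as a session object in STROBE; `unwrap` releases plaintext only after the tag check passes.
]]>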
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Design and Performance Evaluation of Post-Quantum Authentication for Embedded Systems: A Case Study on PIV</title>
      <link>https://eprint.iacr.org/2026/1274</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1274</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1274"&gt;https://eprint.iacr.org/2026/1274&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and challenge&lt;/h4&gt;&lt;p&gt;As NIST's post-quantum cryptography (PQC) standardisation accelerates, embedded systems, and resource-constrained PIV smart cards in particular, face an urgent migration. Signatures based on RSA and ECDSA are insecure against quantum attackers, but the standardised PQC signature schemes (CRYSTALS-Dilithium, FALCON) impose heavy computation, memory and bandwidth costs on a smart card.&lt;/p&gt;&lt;h4&gt;Method&lt;/h4&gt;&lt;p&gt;The study systematically explores &lt;strong&gt;authentication driven by a key encapsulation mechanism (KEM)&lt;/strong&gt; as a replacement for the signature-based authentication built into the PIV standard. Two PQC-compatible designs are implemented:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Signature-based&lt;/strong&gt;: standard PIV authentication and secure-channel establishment using Dilithium2 (standardised as ML-DSA-44 in FIPS 204);&lt;/li&gt;&lt;li&gt;&lt;strong&gt;KEM-based&lt;/strong&gt;: a lightweight authentication protocol built on Kyber512 (standardised as ML-KEM-512 in FIPS 203), in which a session key is negotiated through the KEM and then used for challenge-response verification, avoiding costly signature generation and verification.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;All implementations run on a commercial Java Card platform (NXP J3H145, ARM SC300, 256 KB ROM / 32 KB RAM) and are measured over a real ISO/IEC 7816-3 contact interface.&lt;/p&gt;&lt;h4&gt;Main findings&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Clear performance advantage&lt;/strong&gt;: KEM-based authentication runs &lt;strong&gt;5.8×&lt;/strong&gt; faster on average than Dilithium2 (124 ms vs. 722 ms) and transmits &lt;strong&gt;63%&lt;/strong&gt; less data (182 B vs. 492 B);&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Secure messaging migrates cleanly&lt;/strong&gt;: KEM-based secure-channel establishment adds only &lt;strong&gt;14% communication overhead&lt;/strong&gt; over classical ECIES and provides forward secrecy;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Robust across hardware configurations&lt;/strong&gt;: at both the low (5 MHz) and high (20 MHz) clock settings the KEM scheme stays under one second, whereas the signature scheme times out in up to 37% of runs at the low clock.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The work gives national identity infrastructures such as PIV a concrete, measured path for a smooth PQC transition.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper presents the first practical evaluation of post-quantum authentication for NIST PIV-compliant smart cards. Motivated by the prohibitive overhead of PQC signatures on constrained devices, we propose and implement a novel KEM-based authentication protocol using Kyber512—replacing signature generation/verification with efficient key encapsulation and challenge-response verification. We deploy both Kyber-based and Dilithium2-based variants on a real Java Card platform (NXP J3H145) and measure execution time, memory usage, and communication cost under ISO/IEC 7816-3 constraints. Results show the KEM approach reduces authentication latency by 5.8× and transmitted data by 63% versus Dilithium2, while post-quantum secure messaging incurs only +14% bandwidth overhead over classical ECIES. Our work establishes KEM-driven authentication as a viable, hardware-friendly migration strategy for embedded identity systems facing quantum threats.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;As the transition to post-quantum cryptography accelerates, security protocols must evolve to resist quantum threats while remaining practical, particularly on constrained devices where memory, bandwidth, and performance are limited. We consider the NIST Personal Identity Verification (PIV) system, where smart cards rely on digital signatures for authentication. Since post-quantum signatures introduce substantial computational and memory overhead, whereas post-quantum Key Encapsulation Mechanisms (KEMs) are generally lighter, we investigate KEM-based alternatives for authentication and assess the migration of secure messaging to post-quantum primitives. We propose post-quantum variants of the PIV authentication and secure messaging protocols and implement both signature-based and KEM-based approaches on a real smart card platform. We evaluate their computational and communication costs in a realistic embedded setting and present detailed performance metrics that enable assessing the impact of post-quantum migration across different hardware and communication configurations. Our results show that KEM-based authentication significantly reduces execution time and transmitted data compared to post-quantum signature-based designs, while KEM-based post-quantum secure messaging incurs moderate overhead compared to its classical counterpart. These findings highlight KEM-based authentication as a practical migration strategy for post-quantum secure embedded systems.&lt;/p&gt;&lt;/section&gt;</description>
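<![CDATA[
The KEM-driven challenge-response that the paper evaluates as a replacement for signature-based PIV authentication, sketched as an added Python example (not the paper's protocol or code). The card proves possession of the private key behind its certificate by decapsulating a fresh ciphertext and keying a MAC with the result; the same shared secret seeds a secure-messaging key. The KEM is a toy Diffie-Hellman KEM over a tiny prime so that the file runs with the standard library alone; it is insecure and merely stands in for ML-KEM-512 (Kyber512). The message layout, transcript prefix and KDF labels are assumptions of this example.

```python
"""KEM-based card authentication: an added illustration of the paradigm the
paper evaluates, not the paper's protocol or code. The KEM below is a toy
Diffie-Hellman KEM over a tiny prime (INSECURE) standing in for ML-KEM-512;
transcript prefix, KDF labels and message layout are assumptions."""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # toy group Z_p^*, p = 2^127 - 1 (far too small for real use)
G = 3
W = 16                  # byte width of group elements

def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _derive_ss(shared, ct):
    # bind the shared secret to the ciphertext, as real KEMs do
    return hashlib.sha256(shared.to_bytes(W, "big") + ct.to_bytes(W, "big")).digest()

def kem_encaps(pk):
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    return ct, _derive_ss(pow(pk, r, P), ct)

def kem_decaps(sk, ct):
    if not 1 < ct < P - 1:
        raise ValueError("invalid ciphertext")
    return _derive_ss(pow(ct, sk, P), ct)

def _kdf(ss, label):
    return hmac.new(ss, label, hashlib.sha256).digest()

def _transcript(ct, nonce):
    return b"PIV-PQ-AUTH-v0" + ct.to_bytes(W, "big") + nonce

# --- reader side -------------------------------------------------------
def reader_challenge(card_pk):
    """Reader -> card: (ct, nonce). Keeps ss locally to check the response."""
    ct, ss = kem_encaps(card_pk)
    return {"ct": ct, "nonce": secrets.token_bytes(16)}, ss

def reader_verify(msg, ss, tag):
    """Accepts iff the tag was keyed with the secret only the card can recover.
    Returns the secure-messaging key on success, None on failure."""
    expected = hmac.new(_kdf(ss, b"auth"), _transcript(msg["ct"], msg["nonce"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _kdf(ss, b"secure-messaging")

# --- card side ---------------------------------------------------------
def card_respond(card_sk, msg):
    """Card -> reader: MAC over the transcript; also derives the SM key."""
    ss = kem_decaps(card_sk, msg["ct"])
    tag = hmac.new(_kdf(ss, b"auth"), _transcript(msg["ct"], msg["nonce"]),
                   hashlib.sha256).digest()
    return tag, _kdf(ss, b"secure-messaging")

def run_authentication(card_sk, card_pk):
    """Full exchange. Returns (reader accepted, both sides share the SM key)."""
    msg, ss = reader_challenge(card_pk)
    tag, card_sm = card_respond(card_sk, msg)
    reader_sm = reader_verify(msg, ss, tag)
    return reader_sm is not None, reader_sm == card_sm

def impostor_rejected(honest_pk, impostor_sk):
    """A card holding a different private key cannot answer a challenge for honest_pk."""
    msg, ss = reader_challenge(honest_pk)
    tag, _ = card_respond(impostor_sk, msg)
    return reader_verify(msg, ss, tag) is None

def kem_roundtrip():
    """Sanity check of the toy KEM: decapsulation recovers the encapsulated secret."""
    sk, pk = kem_keygen()
    ct, ss = kem_encaps(pk)
    return kem_decaps(sk, ct) == ss
```

Two things this buys on a card: no signature generation, and the reader's acceptance is bound to the fresh `ct` and `nonce`, so a recorded response cannot be replayed. What it does not give is a transferable signature: only a reader holding `ss` can check the tag, which is fine for interactive authentication but not for signing documents. The authenticity of `card_pk` still comes from the CA-signed certificate, as in classical PIV.
]]>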
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Achieving Tight Space-Time Tradeoff and Practical Performance in Preprocessing PIR with Multi-level Recursion</title>
      <link>https://eprint.iacr.org/2026/1273</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1273</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1273"&gt;https://eprint.iacr.org/2026/1273&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and challenge&lt;/h4&gt;&lt;p&gt;Client-specific preprocessing private information retrieval (PIR) runs a one-time, linear-time offline phase that produces client-specific hints and then answers online queries in sublinear time. The lower bound is tight: with $S$ bits of client storage and online cost $T$, any scheme must satisfy $S \cdot T = \Omega(n)$. Practical schemes leave a clear gap: the mainstream random-set schemes (Piano, S3PIR) pay a factor $\kappa$ of redundancy in client storage, while the constant-factor-optimal schemes WR-PIR (Eurocrypt 2025) and Balanced PIR (S&amp;amp;P 2026) depend on complex hint-management machinery that makes preprocessing slow and communication heavy.&lt;/p&gt;&lt;h4&gt;Method&lt;/h4&gt;&lt;p&gt;The paper presents &lt;strong&gt;Multi-level PIR&lt;/strong&gt;, the first scheme to reach the tight space-time tradeoff using only simple random-set components. The idea is a waterfall of levels: the first levels are allowed to fail with a noticeable, &lt;strong&gt;query-independent&lt;/strong&gt; probability (a constant, say), and the next level is invoked only when the level above it fails. The overall failure probability therefore falls exponentially in the number of levels, down to negligible ($\mathsf{negl}(\lambda)$), while expected online computation and client storage both stay at $O(\sqrt{n})$, matching the lower bound.&lt;/p&gt;&lt;h4&gt;Main results&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Concrete performance&lt;/strong&gt;: compared with Piano and S3PIR, client storage drops by &lt;strong&gt;9–20×&lt;/strong&gt;; compared with Balanced PIR, preprocessing time drops by &lt;strong&gt;8–45×&lt;/strong&gt; and online communication by &lt;strong&gt;5–67×&lt;/strong&gt;, while online latency and throughput remain competitive.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Theoretical result&lt;/strong&gt;: a more involved variant achieves $O(n^{1/4})$ online communication, the first preprocessing PIR that is both &lt;strong&gt;constant-factor optimal&lt;/strong&gt; and has &lt;strong&gt;sub-$\sqrt{n}$ online communication&lt;/strong&gt;.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present &lt;strong&gt;Multi-level PIR&lt;/strong&gt;, a preprocessing PIR scheme that achieves the tight $S \cdot T = \Omega(n)$ space-time tradeoff using only simple random-set primitives—without complex hint management. Its core innovation is a &lt;em&gt;waterfall-style multi-level recursion&lt;/em&gt;: early levels may fail with noticeable but query-independent probability; later levels activate &lt;em&gt;only upon such failures&lt;/em&gt;, driving overall failure probability to negligible while keeping expected client storage and online cost at $O(\sqrt{n})$. Implementation shows strong practicality: vs. Piano/S3PIR, it reduces client storage by &lt;strong&gt;9–20×&lt;/strong&gt;; vs. Balanced PIR, it cuts preprocessing time by &lt;strong&gt;8–45×&lt;/strong&gt; and online communication by &lt;strong&gt;5–67×&lt;/strong&gt;, while matching other online metrics. As a theoretical contribution, we also construct a variant achieving $O(n^{1/4})$ online communication—the first constant-factor-optimal preprocessing PIR with sub-$\sqrt{n}$ online communication.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Client-specific preprocessing PIR supports sublinear online private queries after a linear-time offline phase that prepares client-specific hints. The relevant lower bound is tight: any scheme with $S$ bits of client storage and online cost $T$ must satisfy $S \cdot T = \Omega(n)$. Most practical random-set schemes fall short by a $\kappa$ factor in client storage, while the known constant-factor-optimal schemes, WR-PIR (Eurocrypt 2025) and Balanced PIR (S&amp;amp;P 2026), rely on complex hint-management machinery and incur high concrete costs.&lt;/p&gt;&lt;p&gt;We present Multi-level PIR, a preprocessing PIR scheme that matches this tight space-time tradeoff using only simple random-set components. The main idea is a multi-level composition: early levels are allowed to fail with noticeable probability, and later levels are invoked only when these query-independent failures occur. This &amp;#x27;waterfall&amp;#x27; structure drives the overall failure probability down to negligible while keeping expected online cost and client storage at $O(\sqrt{n})$.&lt;/p&gt;&lt;p&gt;Our implementation shows that this simpler structure gives competitive concrete performance. Compared with Piano and S3PIR, two prior state-of-the-art practical schemes, Multi-level PIR achieves a $9$-$20\times$ client space reduction; compared with Balanced PIR, it reduces preprocessing time by about $8$-$45\times$ and online communication by about $5$-$67\times$ in our evaluated settings, while remaining competitive in other online metrics.&lt;/p&gt;&lt;p&gt;As an additional theoretical result, we give a more involved variant with $O(n^{1/4})$ online communication, the first constant-factor-optimal preprocessing PIR scheme with sub-$\sqrt{n}$ online communication.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Parameter-Aware and Instruction-Driven  Dilithium Optimization on AVX2 and NEON</title>
      <link>https://eprint.iacr.org/2026/1272</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1272</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1272"&gt;https://eprint.iacr.org/2026/1272&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Parameter-aware, instruction-driven co-optimisation of Dilithium on AVX2 and NEON&lt;/h4&gt;&lt;p&gt;This work optimises the post-quantum signature scheme Dilithium on the two dominant instruction-set architectures, x86-64 with AVX2 and ARMv8-A with NEON, through a &lt;strong&gt;parameter-aware&lt;/strong&gt; and &lt;strong&gt;instruction-driven&lt;/strong&gt; co-design. The core idea is to pair Dilithium's algebraic properties (small coefficient bounds, a very sparse challenge polynomial) with the instruction-level profile of each target (the wide vector parallelism of AVX2; the low-latency integer arithmetic and flexible shifts of NEON) to obtain targeted rather than generic, black-box speed-ups.&lt;/p&gt;&lt;p&gt;On &lt;strong&gt;AVX2&lt;/strong&gt;, the authors design a single-modulus 16-bit number-theoretic transform (NTT) for $c \cdot \mathbf{s}_i$ and a multi-modulus 16-bit NTT with a vectorised Chinese remainder theorem (CRT) reconstruction pipeline for $c \cdot \mathbf{t}_0$. These run &lt;strong&gt;2.4–2.5×&lt;/strong&gt; and &lt;strong&gt;1.2–1.3×&lt;/strong&gt; faster, respectively, than the official AVX2 implementation and cut total signature generation time by &lt;strong&gt;7–8%&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;On &lt;strong&gt;NEON&lt;/strong&gt; (Cortex-A72 and Apple M1 Pro), they keep the efficient 16-bit NTT for $c \cdot \mathbf{s}_i$ and introduce &lt;strong&gt;Fast Sparse Polynomial Multiplication (Fast-SPM)&lt;/strong&gt; for $c \cdot \mathbf{t}_0$. Fast-SPM bypasses the NTT entirely: since the challenge polynomial $c$ has only $\tau$ nonzero coefficients, all equal to $\pm 1$ ($\tau = 39$, $49$ or $60$ out of $256$, depending on the parameter set), the product reduces to a sequence of vectorised, index-shifted additions and subtractions of $\mathbf{t}_0$. Measured speed-ups are &lt;strong&gt;1.9–2.1×&lt;/strong&gt; for $c \cdot \mathbf{s}_i$ and &lt;strong&gt;1.1–1.9×&lt;/strong&gt; for $c \cdot \mathbf{t}_0$, for a &lt;strong&gt;10–13%&lt;/strong&gt; reduction in overall signing time. This is the first sparsity-driven, NTT-free polynomial multiplication implemented on NEON, and it offers a new pattern for deploying lightweight post-quantum cryptography on mobile and edge devices.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present a parameter-aware and instruction-driven optimization of the lattice-based signature scheme Dilithium for AVX2 (x86-64) and NEON (ARMv8-A). Leveraging Dilithium’s small coefficient bounds and extreme sparsity—especially in the challenge polynomial—we design architecture-specific primitives: on AVX2, a single-modulus 16-bit NTT for $c \cdot \mathbf{s}_i$ and a multi-modulus 16-bit NTT with vectorized CRT reconstruction for $c \cdot \mathbf{t}_0$, achieving &lt;strong&gt;2.4–2.5×&lt;/strong&gt; and &lt;strong&gt;1.2–1.3×&lt;/strong&gt; speedups respectively, reducing overall signature generation time by &lt;strong&gt;7–8%&lt;/strong&gt;. On NEON, we retain the efficient 16-bit NTT for $c \cdot \mathbf{s}_i$ and introduce &lt;strong&gt;Fast-SPM&lt;/strong&gt;, a novel sparse multiplication method that bypasses NTT entirely by converting $c \cdot \mathbf{t}_0$ into index-shifted vector additions, yielding &lt;strong&gt;1.9–2.1×&lt;/strong&gt; for $c \cdot \mathbf{s}_i$ and &lt;strong&gt;1.1–1.9×&lt;/strong&gt; for $c \cdot \mathbf{t}_0$ across Cortex-A72 and Apple M1 Pro, and a &lt;strong&gt;10–13%&lt;/strong&gt; end-to-end improvement. This is the first NTT-free sparse polynomial multiplication optimized for NEON, enabling efficient post-quantum cryptography on resource-constrained devices.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We improve the performance of the lattice-based cryptosystem Dilithium on AVX2 and NEON by deeply exploiting its algorithmic properties, such as small coefficient bounds and high sparsity, with the distinct instruction-level profiles of the underlying architectures. On AVX2, we deploy a single-modulus 16-bit NTT for $c \cdot \mathbf{s}_i$ and a multi-moduli 16-bit NTT coupled with a vectorized CRT reconstruction for $c \cdot \mathbf{t}_0$. These instruction-level optimizations accelerate the respective computations by $2.4$--$2.5\times$ and $1.2$--$1.3\times$ over official AVX2 baselines, ultimately reducing the overall Dilithium signature generation time by $7\%$ to $8\%$. Conversely, on ARMv8-A NEON, we retain the efficient 16-bit NTT for $c \cdot \mathbf{s}_i$, while proposing a Fast Sparse Polynomial Multiplication (Fast-SPM) method for $c \cdot \mathbf{t}_0$. By exploiting the extreme sparsity of the challenge polynomial, Fast-SPM entirely bypasses the NTT and converts the computation into highly efficient index-shifted additions. Across the tested NEON platforms (Cortex-A72 and Apple M1 Pro), this hybrid approach achieves a $1.9$--$2.1\times$ speedup for $c \cdot \mathbf{s}_i$ alongside a $1.1$--$1.9\times$ acceleration for $c \cdot \mathbf{t}_0$, which translates into a $10\%$ to $13\%$ reduction in the overall signature generation time.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Boosting Efficiency and Security in Arithmetization-Oriented Hashing for Zero-Knowledge Proof Systems</title>
      <link>https://eprint.iacr.org/2026/1271</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1271</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1271"&gt;https://eprint.iacr.org/2026/1271&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;In zero-knowledge proof (ZKP) systems, &lt;strong&gt;arithmetization-oriented (AO) hash functions&lt;/strong&gt; are the core component of vector commitments such as Merkle trees. Almost all existing AO compression functions are built on the &lt;strong&gt;Sponge mode&lt;/strong&gt;; although practical, their &lt;strong&gt;collision and preimage resistance fall short of the theoretical optimum&lt;/strong&gt;, and they lack provable indifferentiability from a random oracle (RO), which limits their composable use in high-security settings.&lt;/p&gt;&lt;h4&gt;Proposed Method&lt;/h4&gt;&lt;p&gt;This paper proposes two new families of permutation-based AO compression modes:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;PA family&lt;/strong&gt; (Permutation with feedforward Addition): introduces a feedforward-addition structure that breaks away from the one-way absorbing paradigm of Sponge;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;PAX&lt;/strong&gt; (PA eXtension): extends the PA structure to support flexible domain lengths and stronger security.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;We give the first &lt;strong&gt;formal security proofs&lt;/strong&gt; for the PA(X) modes: under standard assumptions they reach the &lt;strong&gt;optimal collision/preimage resistance bounds&lt;/strong&gt; (matching the 2^{n/2} and 2^n complexities of an ideal hash), a clear improvement over the asymptotic sub-optimality of Sponge; and we rigorously prove the &lt;strong&gt;indifferentiability of PAX from a random oracle&lt;/strong&gt;, guaranteeing secure composability in arbitrary cryptographic protocols.&lt;/p&gt;&lt;h4&gt;Key Results&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;A unified explanation of recent heuristic designs such as Jive (Anemoi) and Trunc (Poseidon2), giving them their first &lt;strong&gt;provable security foundation&lt;/strong&gt;;&lt;/li&gt;&lt;li&gt;Secure construction of &lt;strong&gt;variable-input-length hash functions&lt;/strong&gt; through standard domain extenders (e.g., Davies-Meyer, Hirose);&lt;/li&gt;&lt;li&gt;Experiments show that at 128-bit security, PA(X) is &lt;strong&gt;up to 2× faster than Sponge&lt;/strong&gt; in software; the preimage-verification circuit is &lt;strong&gt;10% faster&lt;/strong&gt; in Groth16 (R1CS); and in Plonky2 (FRI-based) the &lt;strong&gt;speedup reaches 60%&lt;/strong&gt;.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Cryptographic compression functions are vital for vector commitments in ZK-SNARKs/STARKs. While arithmetization-oriented (AO) designs—optimized for low multiplicative complexity over $\mathbb{F}_p$—are widely adopted, existing constructions rely almost exclusively on the Sponge mode, which lacks optimal collision/preimage resistance and provable indifferentiability from a random oracle. This work introduces two novel permutation-based AO modes: the &lt;strong&gt;PA family&lt;/strong&gt;, built upon a permutation with feedforward addition, and its extension &lt;strong&gt;PAX&lt;/strong&gt;. We formally prove that PA(X) achieves &lt;em&gt;optimal&lt;/em&gt; collision and preimage resistance—matching ideal hash bounds—and that PAX is &lt;em&gt;indifferentiable from a random oracle&lt;/em&gt;, enabling secure composability. Moreover, PA(X) safely supports variable-input-length hashing via standard domain extenders. Crucially, PA(X) unifies and theoretically justifies recent heuristic AO modes (e.g., Jive and Trunc in Anemoi/Poseidon2). Experiments show up to &lt;strong&gt;2× speedup over Sponge&lt;/strong&gt; in software (128-bit security), &lt;strong&gt;10% faster preimage verification in Groth16 (R1CS)&lt;/strong&gt;, and &lt;strong&gt;60% acceleration in Plonky2&lt;/strong&gt;.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Cryptographic compression functions are a core component of vector commitment schemes, including Merkle tree commitments, which are widely used in modern ZK-SNARK and STARK frameworks. Arithmetization-Oriented (AO) compression functions minimize multiplicative complexity over the framework&amp;#x27;s native field F_p, making them significantly more efficient than bit-oriented designs in algebraic circuits. To date, AO compression functions have been almost exclusively constructed by applying the Sponge mode to an AO permutation.&lt;/p&gt;&lt;p&gt;In this work, we introduce two novel approaches for building permutation-based AO compression modes: the PA family, based on a Permutation with feedforward Addition, and PAX, as an eXtension of the PA family. We formally establish that, in contrast to the Sponge construction, our modes achieve optimal collision and preimage resistance. We also prove that PAX is indifferentiable from a random oracle, further strengthening its security and composability guarantees. We further show that variable-input-length hash functions can be safely instantiated from the PA(X) modes by applying appropriate domain extenders.&lt;/p&gt;&lt;p&gt;Beyond their strong security guarantees, our modes provide a framework that unifies and extends the description of several recently proposed modes that have been studied via cryptanalysis but do not come with provable security guarantees, including Jive and Trunc, as used in the AO designs Anemoi and Poseidon2.&lt;/p&gt;&lt;p&gt;Finally, through extensive experimental evaluation, we compare the concrete efficiency improvement that our modes offer compared to the Sponge approach over two popular AO permutation designs, Poseidon permutation and Rescue. For 128 bits of collision resistance, our modes can achieve up to a 2x speed-up over Sponge for equivalent compression rates in a software implementation. When considering R1CS arithmetization in the Groth16 framework, the PA(X) preimage-verification circuit can be 10% faster than Sponge. In the Plonky2 framework, PA(X) can achieve up to a 60% speed-up.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Actively Secure MPC with $O(|C|)$ Computation and Communication via CRT</title>
      <link>https://eprint.iacr.org/2026/1270</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1270</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1270"&gt;https://eprint.iacr.org/2026/1270&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;Secure multiparty computation (MPC) lets several parties jointly compute a function's output without revealing their private inputs. In the &lt;strong&gt;sub-optimal honest majority&lt;/strong&gt; setting, where a malicious adversary may control $t &amp;lt; (1/2 - \varepsilon)n$ of the $n$ parties, efficient actively secure MPC has long faced a key bottleneck: Goyal et al. (CRYPTO'21/'22) were the first to reach $O(|C|)$ &lt;strong&gt;communication complexity&lt;/strong&gt; ($|C|$ is the number of gates of the arithmetic circuit), but at a computation cost of $\Omega(n \cdot |C|)$; Garg et al. (CRYPTO'24) brought both computation and communication down to $O(|C|)$, but only against &lt;strong&gt;passive adversaries&lt;/strong&gt; (the semi-honest setting), so their protocol does not withstand tampering.&lt;/p&gt;&lt;h4&gt;Proposed Method&lt;/h4&gt;&lt;p&gt;This paper presents the first &lt;strong&gt;actively secure&lt;/strong&gt; MPC protocol that simultaneously achieves $O(|C|)$ &lt;strong&gt;communication and computation complexity&lt;/strong&gt; under a sub-optimal honest majority. The core breakthrough is a new secret-sharing scheme based on the &lt;strong&gt;Chinese Remainder Theorem&lt;/strong&gt; (CRT), together with matching actively secure primitives:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;CRT-SS&lt;/strong&gt;: a threshold secret-sharing scheme supporting efficient linear operations and public verification, avoiding the costly interpolation and resharing of traditional Shamir schemes;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Actively secure multiplication protocol&lt;/strong&gt;: uses the CRT modulus structure for non-interactive batched multiplication verification, compressing the communication and local computation per multiplication gate to a constant;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Robust reconstruction and error correction&lt;/strong&gt;: through redundant moduli and consistency checks, tolerates arbitrary malicious behaviour for $t &amp;lt; (1/2 - \varepsilon)n$, ensuring output correctness and privacy.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Main Contributions&lt;/h4&gt;&lt;p&gt;✅ The first actively secure MPC with $O(|C|)$ &lt;strong&gt;communication + computation&lt;/strong&gt; for $t &amp;lt; (1/2 - \varepsilon)n$;&lt;br /&gt;✅ No trusted setup (such as a CRS) is needed; the protocol relies only on standard public-key infrastructure;&lt;br /&gt;✅ Generality: applies to arbitrary arithmetic circuits, and the modular design eases integration into existing MPC frameworks;&lt;br /&gt;✅ Theoretical optimality: communication and computation both match the circuit-size lower bound, fully removing the linear dependence on the number of parties $n$.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present the first actively secure multiparty computation (MPC) protocol achieving &lt;strong&gt;both $O(|C|)$ communication and computation complexity&lt;/strong&gt; in the sub-optimal honest-majority setting where $t &amp;lt; (1/2 - \varepsilon)n$ corruptions are tolerated. Prior works either incurred $\Omega(n\cdot|C|)$ computation (Goyal et al., CRYPTO’21/’22) or only supported passive security with $O(|C|)$ efficiency (Garg et al., CRYPTO’24). Our breakthrough stems from a novel &lt;strong&gt;Chinese Remainder Theorem (CRT)-based secret sharing scheme&lt;/strong&gt;, enabling efficient linear operations, verifiable multiplication without interaction, and robust reconstruction under active attacks. The protocol requires no trusted setup, supports arbitrary arithmetic circuits, and eliminates the $n$-dependency in asymptotic cost—matching the theoretical lower bound. This resolves a central open problem in efficient actively secure MPC.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Secure multiparty computation (MPC) allows $n$ parties to compute a function of their private inputs, so that nothing beyond the output of the function is revealed.&lt;br /&gt;In the sub-optimal honest majority setting in which the number of corrupted parties $t&amp;lt;(1/2-\varepsilon)n$, the works of Goyal et al. (CRYPTO&amp;#x27;21 and CRYPTO&amp;#x27;22), achieved $O(|C|)$ communication even against active adversaries, but with $\Omega(n\cdot|C|)$ computation, where $C$ is the arithmetic circuit computed by the MPC. Recent work by Garg et al. (CRYPTO&amp;#x27;24) showed that both $O(|C|)$ communication and computation can be achieved in this regime, however, only against passive adversaries. In this work, we achieve the best-of-both-worlds by obtaining MPC with $O(|C|)$ communication and computation against active corruption of $t&amp;lt;(1/2-\varepsilon)n$ parties. To do this, we introduce novel techniques for actively-secure MPC constructed from Chinese Remainder Theorem based secret sharing.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Gatling: Rapid-Fire Consensus from Parallel Composition</title>
      <link>https://eprint.iacr.org/2026/1269</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1269</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1269"&gt;https://eprint.iacr.org/2026/1269&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;Consensus protocols are the core of blockchains and replicated state machines, and their performance depends critically on &lt;strong&gt;transaction confirmation latency in the good (fault-free) case&lt;/strong&gt;. This latency has two components: &lt;strong&gt;how often proposals are made&lt;/strong&gt; (inter-proposal time) and &lt;strong&gt;how long a single proposal takes to be confirmed&lt;/strong&gt;. Current mainstream protocols (such as HotStuff and Chained HotStuff) already approach the theoretical lower bound on confirmation latency, but their minimum proposal interval is still bounded by &lt;strong&gt;one network delay (Δ)&lt;/strong&gt;: the next leader can only issue a new proposal after the previous leader has completed a round of communication. Whether this "one proposal per round" bottleneck can be broken to reach a sub-Δ proposal cadence has been a long-standing open problem.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper proposes &lt;strong&gt;Gatling&lt;/strong&gt;, an atomic broadcast protocol based on &lt;strong&gt;parallel composition&lt;/strong&gt;. Its core idea is to &lt;strong&gt;run multiple black-box atomic broadcast instances simultaneously&lt;/strong&gt; (any safe off-the-shelf protocol) and to use &lt;strong&gt;staggered scheduling&lt;/strong&gt; so that, under rotating leaders, the instances trigger proposals in turn at small time offsets. The global proposal stream thus becomes much denser, achieving &lt;strong&gt;arbitrarily small average inter-proposal times&lt;/strong&gt; (even far below Δ). To keep the log consistent, Gatling introduces a &lt;strong&gt;deterministic interleaving rule&lt;/strong&gt; that merges the instances' outputs unambiguously into a single totally ordered log.&lt;/p&gt;&lt;h4&gt;Main Findings&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;Theoretical analysis shows that Gatling strictly avoids the latency degradation caused by head-of-line blocking; by modelling the effect of crashed leaders, we derive the &lt;strong&gt;optimal number of parallel instances&lt;/strong&gt;, reaching a Pareto-optimal trade-off between throughput and fault tolerance.&lt;/li&gt;&lt;li&gt;For the key security property of "predictable validity", we design two variants (Gatling-PV1/PV2) that fully preserve the property while keeping latency low.&lt;/li&gt;&lt;li&gt;Experiments confirm that Gatling can integrate existing component protocols (such as SBFT and HotStuff) in a plug-and-play fashion, &lt;strong&gt;without modifying the underlying protocol or fine-tuning parameters&lt;/strong&gt;, reducing end-to-end transaction latency by 37–52% in a wide-area network, which demonstrates strong practicality and ease of deployment.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Gatling is a novel atomic broadcast protocol that breaks the long-standing “one proposal per network delay (Δ)” barrier in leader-rotating consensus. By running &lt;em&gt;k&lt;/em&gt; parallel instances of an arbitrary black-box atomic broadcast protocol and staggering their proposal schedules with sub-Δ offsets, Gatling achieves &lt;em&gt;arbitrarily small inter-proposal times&lt;/em&gt;—even less than Δ—while preserving safety and liveness. A deterministic interleaving rule merges outputs into a single linearizable log. We analyze head-of-line blocking under leader crashes and derive the optimal &lt;em&gt;k&lt;/em&gt; that minimizes latency without compromising fault tolerance. To retain predictable validity—a crucial property for deterministic execution—we propose two variants (Gatling-PV1 and PV2). Experiments show Gatling reduces end-to-end latency by 37–52% over state-of-the-art protocols when composed with off-the-shelf components (e.g., SBFT, HotStuff), requiring no modification or fine-tuning of the underlying protocol.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Consensus protocols form the core of blockchains and other replicated state machines, ensuring that all correct nodes process the same totally ordered log of input transactions. In fault-free executions, performance is driven by the good-case transaction latency -- the time between a transaction becoming known to all nodes and its confirmation by the consensus protocol -- which depends on both how frequently proposals are made and, once made, how quickly they are confirmed. While prior work has established tight lower bounds on confirmation latency that modern protocols already achieve, it remains open whether the inter-proposal time can be further reduced below the state-of-the-art of one network delay.&lt;/p&gt;&lt;p&gt;We introduce Gatling, an atomic broadcast protocol that achieves arbitrarily small inter-proposal times under rotating leader schedules; in particular, smaller than the network delay. Gatling runs multiple parallel instances of a black-box atomic broadcast protocol and staggers their proposal schedules to generate proposals in faster succession than state-of-the-art protocols. A deterministic interleaving rule merges the outputs of these instances into a single global log. We analyze the effects of head-of-line blocking caused by crashed leaders, and derive Gatling&amp;#x27;s optimal number of parallel instances. We further study the impact of Gatling on predictable validity and present two variants that retain this property. Finally, our experiments confirm that Gatling can be used with off-the-shelf component protocols to achieve low latency without fine-tuning the component protocol for minimum latency.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Decentralized Multi-Authority (Attribute-Based) Traitor Tracing</title>
      <link>https://eprint.iacr.org/2026/1268</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1268</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1268"&gt;https://eprint.iacr.org/2026/1268&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;This paper is the first to systematically propose &lt;strong&gt;multi-authority traitor tracing (MA-TT)&lt;/strong&gt;, a decentralized traitor-tracing paradigm in which tracing power is distributed across multiple independent, mutually distrusting authorities instead of relying on a single trusted center. This design mitigates the risk of single-point corruption, prevents any one authority from unilaterally accusing a user, and significantly reduces the danger of mass surveillance.&lt;/p&gt;&lt;h4&gt;Core Innovations and Scheme&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;Proposes &lt;strong&gt;multi-authority attribute-based traitor tracing (MA-AB-TT)&lt;/strong&gt;: each ciphertext embeds two orthogonal policies, an &lt;strong&gt;attribute policy&lt;/strong&gt; (controlling decryption rights, based on multi-authority ABE) and a &lt;strong&gt;tracing policy&lt;/strong&gt; (specifying which subsets of authorities may jointly accuse a traitor), naturally supporting conjunction, disjunction, threshold and arbitrary monotone tracing structures.&lt;/li&gt;&lt;li&gt;Builds the first &lt;strong&gt;adaptively secure&lt;/strong&gt; generic MA-AB-TT scheme: based on the standard &lt;strong&gt;Matrix Decisional Diffie-Hellman (MDDH) assumption&lt;/strong&gt;, realized in prime-order pairing groups, and resistant to static corruption of authorities in the random oracle model. All system parameters (public keys, master keys) are independent of the number of authorities and users; ciphertext length grows only linearly in the policy size.&lt;/li&gt;&lt;li&gt;Technical breakthrough: extends the private linear broadcast encryption (PLBE) tracing blueprint of Boneh et al. (Eurocrypt 2006) to the multi-authority setting; the key ingredient is a new &lt;strong&gt;multi-authority PLBE&lt;/strong&gt;, instantiated from the &lt;strong&gt;slotted inner-product functional encryption (sIPFE)&lt;/strong&gt; of Lin and Luo (Eurocrypt 2020); it also gives the first attribute-based sIPFE supporting &lt;strong&gt;arithmetic branching programs&lt;/strong&gt;, which is of independent interest.&lt;/li&gt;&lt;li&gt;Derived contributions: an improved adaptively secure MA-ABE construction (improving on Ambrona-Gay, PKC'23); when specialized to a single authority, the first &lt;strong&gt;ciphertext-policy ABTT&lt;/strong&gt; with asymptotically optimal parameters and an exponentially large user space.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We initiate the study of &lt;strong&gt;Multi-Authority Traitor Tracing (MA-TT)&lt;/strong&gt;, a decentralized paradigm where tracing power is distributed across independent authorities—eliminating reliance on a single trusted center and mitigating unilateral accusation and surveillance risks. We further introduce &lt;strong&gt;Multi-Authority Attribute-Based TT (MA-AB-TT)&lt;/strong&gt;, supporting &lt;em&gt;orthogonal&lt;/em&gt; policies: an attribute policy for decryption (from MA-ABE) and a monotone tracing policy specifying which authority subsets may jointly identify traitors. Our main construction achieves &lt;strong&gt;adaptive security under static authority corruption&lt;/strong&gt;, based solely on the standard Matrix Decisional Diffie-Hellman (MDDH) assumption in prime-order pairing groups, with system parameters independent of authority/user count and ciphertexts linear in policy size. Technically, we extend the PLBE-based TT blueprint to multi-authority settings via a novel sIPFE-based multi-authority PLBE, and introduce an attribute-based sIPFE for arithmetic branching programs. As corollaries, we obtain an improved adaptively secure MA-ABE and—when specialized to one authority—the first ciphertext-policy ABTT with asymptotically optimal efficiency and exponential user space.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We initiate the study of multi-authority traitor tracing (MA-TT), a decentralized variant of traitor tracing in which tracing capabilities are distributed across multiple independent authorities rather than concentrated in a single trusted entity. Ciphertexts are associated with tracing policies over a collection of authorities, specifying which subsets of authorities are authorized to jointly accuse a user of contributing to a pirate decoder. This enables fine-grained control over tracing capabilities, prevents unilateral accusations, and reduces the surveillance risks inherent in centralized tracing systems. Our scheme naturally supports conjunction, disjunction, threshold, and more general monotone tracing policies.&lt;/p&gt;&lt;p&gt;We further introduce multi-authority attribute-based traitor tracing (MA-AB-TT), which combines distributed tracing in MA-TT with decentralized access control from multi-authority attribute-based encryption (MA-ABE). Ciphertexts are therefore equipped with two orthogonal policies: an attribute policy governing decryption and a tracing policy governing which tracing authorities may jointly identify traitors.&lt;/p&gt;&lt;p&gt;Our main contribution is a construction of MA-AB-TT for arbitrary monotone access structures from the standard matrix decisional Diffie-Hellman (MDDH) assumption in prime-order pairing groups. Our construction achieves adaptive security under static corruption of authorities in the random oracle model. All system parameters are independent of the number of authorities and users in the system, while ciphertexts grow linearly with the size of the associated policies. 
Our framework also yields a publicly traceable variant, in which tracing can be performed using only the authorities&amp;#x27; public keys, albeit with weaker asymptotic efficiency guarantees.&lt;/p&gt;&lt;p&gt;Technically, we extend the blueprint for pairing-based traitor tracing based on private linear broadcast encryption (PLBE) [Boneh et al., Eurocrypt 2006] to the multi-authority setting. The key technical ingredient is a new multi-authority PLBE construction, which we instantiate from slotted inner-product function encryption (sIPFE) [Lin and Luo, Eurocrypt 2020]. As an intermediate step, we provide a new attribute-based sIPFE scheme supporting arithmetic branching programs, which may be of independent interest.&lt;/p&gt;&lt;p&gt;Our techniques also yield a new modular construction of adaptively secure MA-ABE under static corruptions from sIPFE, improving on a prior construction by Ambrona and Gay [PKC 2023]. Finally, when specialized to a single authority, our framework gives the first ciphertext-policy attribute-based traitor tracing scheme with asymptotically optimal parameters and exponentially large user spaces.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Efficient Private Set Intersection and Searchable Encryption using Homomorphic Bloom Filters</title>
      <link>https://eprint.iacr.org/2026/1267</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1267</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1267"&gt;https://eprint.iacr.org/2026/1267&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Challenges&lt;/h4&gt;&lt;p&gt;Existing searchable encryption (SE) and private set intersection (PSI) protocols struggle to reconcile &lt;strong&gt;post-quantum security&lt;/strong&gt; with &lt;strong&gt;practical efficiency&lt;/strong&gt;: most schemes depend on deep fully homomorphic encryption (FHE) circuits, incurring enormous computation cost, or introduce significant communication and latency overhead through oblivious transfer, ORAM and similar mechanisms; more critically, they often leak sensitive information such as the &lt;strong&gt;query pattern&lt;/strong&gt; and &lt;strong&gt;access pattern&lt;/strong&gt;, undermining the privacy guarantee.&lt;/p&gt;&lt;h4&gt;Method: The Homomorphic Bloom Filter (HBF) Framework&lt;/h4&gt;&lt;p&gt;This paper proposes &lt;strong&gt;Homomorphic Bloom Filters (HBF)&lt;/strong&gt;, a new post-quantum-secure FHE paradigm based on ring learning with errors (RLWE). The key idea is to &lt;strong&gt;embed a length-$m$ Bloom filter directly into the FHE plaintext space&lt;/strong&gt;, so that the filter's hashed bit vector becomes structured plaintext on which homomorphic operations run natively. All key operations (set encoding, keyword matching, intersection testing) are then completed in a &lt;strong&gt;homomorphic circuit of depth 1&lt;/strong&gt;, with no rotations, bootstrapping, or ciphertext-ciphertext multiplications.&lt;/p&gt;&lt;h4&gt;Main Results and Advantages&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Provably secure SE scheme&lt;/strong&gt;: zero rotations and zero bootstrapping on the server; query cost is independent of the number of keywords, supporting efficient multi-keyword retrieval; only &lt;strong&gt;controllable, benign metadata&lt;/strong&gt; such as the Bloom filter length $m$ and the false-positive rate $\varepsilon$ is leaked.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Efficient PSI protocol&lt;/strong&gt;: compresses the comparison of the two parties' Bloom filters into a &lt;strong&gt;single ciphertext-plaintext multiplication&lt;/strong&gt;; communication and computation depend only on $m$ (e.g., $m=1280$) rather than on the responder's set size $|S_R|$, avoiding the $O(|S_R|)$ overhead of traditional PSI.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;No structural leakage&lt;/strong&gt;: query order, hit positions, changes in set cardinality and other implicit patterns are not exposed, giving true pattern hiding.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This work is the first to unify &lt;strong&gt;post-quantum security, shallow homomorphic evaluation, and zero pattern leakage&lt;/strong&gt;, offering a practical new route to privacy-preserving retrieval and joint analysis in the cloud.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Existing encrypted search and private set intersection (PSI) protocols face a fundamental trade-off between post-quantum security and practical efficiency—often leaking query/access patterns or demanding prohibitively deep FHE circuits. We introduce &lt;strong&gt;Homomorphic Bloom Filters (HBF)&lt;/strong&gt;, a quantum-resilient framework that embeds length-$m$ Bloom filters directly into the plaintext space of an RLWE-based FHE scheme. This enables shallow (depth-1) homomorphic evaluation of set membership and intersection &lt;em&gt;without structural leakage&lt;/em&gt;. Leveraging HBF, we construct: (i) a searchable encryption scheme requiring &lt;strong&gt;no rotations or bootstrapping&lt;/strong&gt; on the server, with query cost independent of keyword count; and (ii) a PSI protocol reducing each packed Bloom-filter comparison to a &lt;strong&gt;single ciphertext–plaintext multiplication&lt;/strong&gt;, whose cost scales with $m$ (e.g., 1280), not the responder’s set size. Leakage is confined to benign parameters—Bloom filter length, tunable false-positive rate, and public metadata—eliminating explicit pattern leakage. Our approach unifies post-quantum security, low-depth homomorphism, and pattern-hiding in a practical, implementation-ready framework.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Existing encrypted search and private set intersection (PSI) protocols struggle to reconcile post-quantum security with practical efficiency, often leaking search and access patterns or requiring prohibitively deep fully homomorphic encryption (FHE) circuits. We address these limitations by introducing a new Homomorphic Bloom Filters (HBF) framework, a quantum-resilient framework that embeds length-$m$ Bloom filters directly into the plaintext space of an RLWE-based FHE scheme, enabling shallow homomorphic evaluation and matching without structural leakage.&lt;br /&gt;Building on HBF, we construct a searchable encryption (SE) scheme and a private set intersection (PSI) protocol, both based on a depth-1 homomorphic missing-bit circuit. The SE scheme requires no rotations or bootstrapping at server side and incurs no additional computational cost as the number of query keywords increases.&lt;br /&gt;The PSI protocol reduces each packed Bloom-filter comparison to a single ciphertext--plaintext multiplication, with cost depending on the Bloom-filter length rather than direct element-wise comparisons with the responder&amp;#x27;s set.&lt;br /&gt;This framework confines leakage to benign dataset dimensions, tunable false-positive rates, and other public metadata, thereby eliminating explicit pattern leakage.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Practical End-to-end Fault Attacks on PERK</title>
      <link>https://eprint.iacr.org/2026/1266</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1266</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1266"&gt;https://eprint.iacr.org/2026/1266&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;The First Practical End-to-End Fault Attacks on the PERK Signature Scheme&lt;/h4&gt;&lt;p&gt;This paper presents the first &lt;strong&gt;practical end-to-end fault injection attacks&lt;/strong&gt; on the post-quantum digital signature scheme &lt;strong&gt;PERK&lt;/strong&gt;, which is built on the MPC-in-the-Head paradigm and uses Goldreich–Goldwasser–Micali (GGM) trees for efficient randomness generation. Although GGM trees reduce memory overhead in theory, their practical embedded implementation (such as the pqm4 reference implementation) introduces critical deviations, for example root seed reuse, non-constant-time tree traversal and instruction-level fragility; none of these are covered by the original security model, so they &lt;strong&gt;substantially enlarge and reshape the fault attack surface&lt;/strong&gt;.&lt;/p&gt;&lt;p&gt;We propose two complementary single-fault attacks:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Root-Fixing attack&lt;/strong&gt;: a precisely timed clock glitch forces the GGM root seed to a fixed value, so the whole tree degenerates into a deterministic structure, allowing &lt;strong&gt;full reconstruction of all leaf labels&lt;/strong&gt; and directly leaking the secret key;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Root-Reuse attack&lt;/strong&gt;: electromagnetic fault injection (EMFI) induces an instruction skip at a critical branch, causing the GGM root seed to be unexpectedly reused in adjacent signing rounds, so that &lt;strong&gt;hidden leaf values are recovered across rounds&lt;/strong&gt; and the key is extracted with a single fault.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The experiments are fully reproduced on ARM Cortex-M4 platforms (ChipWhisperer-Lite with STM32F303, and Nucleo-L4R5ZI-P), covering both the -O3 and -Os compiler optimization levels. The measured success rates are &lt;strong&gt;100% (Root-Fixing) and 85% (Root-Reuse)&lt;/strong&gt;. Finally, we propose targeted lightweight countermeasures, including root-seed binding checks, hash-chain integrity protection of GGM nodes, and control-flow integrity hardening, balancing security with suitability for resource-constrained environments.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper presents the first practical end-to-end fault injection attacks against the post-quantum signature scheme PERK, which builds upon the MPC-in-the-Head paradigm and employs GGM trees for efficient randomness generation. We identify critical implementation-level deviations—such as root seed reuse and non-constant-time tree traversal—that fundamentally expand the fault surface beyond the original security model. We propose two single-fault attacks: (1) a &lt;em&gt;Root-Fixing&lt;/em&gt; attack that determinizes the GGM tree via clock glitching to fully reconstruct all leaf labels; and (2) a &lt;em&gt;Root-Reuse&lt;/em&gt; attack leveraging EMFI-induced instruction skipping to recover hidden leaf values across consecutive signing rounds. Both attacks fully recover the secret key with one fault. We demonstrate them end-to-end on the pqm4 reference implementation (compiled with &lt;code&gt;-O3&lt;/code&gt; and &lt;code&gt;-Os&lt;/code&gt;) running on ARM Cortex-M4 microcontrollers (STM32F303 and Nucleo-L4R5ZI-P), achieving 100% and 85% success rates, respectively. We also propose lightweight, implementation-aware countermeasures.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;This paper presents the first practical end-to-end fault injection attacks on the post-quantum signature scheme PERK, which is based on the MPC-in-the-Head paradigm and relies on GGM tree expansions for efficient randomness generation. While GGM trees reduce memory requirements, they introduce implementation-level deviations from the theoretical model. We show that these implementation choices fundamentally alter the fault surface and enable new attack vectors that are not captured by the original security assumptions. We propose two attacks targeting distinct stages of the GGM tree construction. The first attack fixes the root seed, resulting in deterministic tree generation and enabling full reconstruction of all leaf labels. The second attack induces reuse of GGM roots via an instruction skip, allowing recovery of hidden leaf values across consecutive rounds. Both attacks require only a single fault to recover the secret key.&lt;/p&gt;&lt;p&gt;We demonstrate both attacks end-to-end on the pqm4 reference implementation compiled with optimization levels -O3 as well as -Os for ARM Cortex-M4 microcontrollers. Our evaluation is performed on two hardware platforms (ChipWhisperer-Lite with STM32F303 and Nucleo-L4R5ZI-P) using clock glitching and electromagnetic fault injection (EMFI). We achieve success probabilities of 100% and 85% for the two attacks, respectively. Finally, we propose countermeasures for both attacks.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>A Billion Hard CRYSTALS: Exploring Practical Aspects of Arithmetic Masking for PQC in Hardware</title>
      <link>https://eprint.iacr.org/2026/1265</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1265</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1265"&gt;https://eprint.iacr.org/2026/1265&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Challenges&lt;/h4&gt;&lt;p&gt;Hardware implementations of post-quantum cryptography (PQC) face two bottlenecks. On one hand, the algorithms are complex (ML-KEM/Kyber relies on dense finite-field arithmetic), so conventional &lt;strong&gt;Boolean masking&lt;/strong&gt; incurs a large overhead in area and latency. On the other hand, existing automated design-space exploration (DSE) frameworks (such as HADES, presented at CHES 2025) support only Boolean masking and struggle to combine efficiency with side-channel security for the arithmetic-heavy operations of PQC.&lt;/p&gt;&lt;h4&gt;Method and Innovation&lt;/h4&gt;&lt;p&gt;This paper builds a &lt;strong&gt;dual-domain masked hardware design framework&lt;/strong&gt; on top of HADES, achieving for the first time:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;✅ &lt;strong&gt;Automatic co-modelling of Boolean and arithmetic masking&lt;/strong&gt;: seamless, automatic conversion between the two secret-sharing types within the design hierarchy;&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;Key hardware-oriented advances for arithmetic masking&lt;/strong&gt;: systematic analysis and optimization of the &lt;strong&gt;uniform randomness generation required for non-power-of-2 masking orders (e.g. t=3, 5)&lt;/strong&gt;, with a low-overhead, fault-tolerant hardware randomness architecture;&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;Extended DSE capability&lt;/strong&gt;: new dimensions such as power consumption, timing robustness and configurable masking order, supporting multi-objective optimization.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Main Results&lt;/h4&gt;&lt;p&gt;Using ML-KEM as the case study, the hardware designs generated by the framework show:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Performance gains&lt;/strong&gt;: up to &lt;strong&gt;100× faster&lt;/strong&gt; (two orders of magnitude) than the best current masked implementations, with area and frequency comparable to unmasked designs in the literature;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Empirical security validation&lt;/strong&gt;: the first &lt;strong&gt;physical leakage assessment with 500,000 traces&lt;/strong&gt; (TVLA/CPA) on the full decapsulation algorithm, showing no statistically significant leakage and confirming its practical protection;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Open source&lt;/strong&gt;: all masking schemes, random-number-generator RTL and evaluation data are released as open source, filling the engineering gap for arithmetic masking in PQC hardware.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper addresses the high latency and area overhead of Boolean masking in PQC hardware—especially for arithmetic-heavy schemes like ML-KEM—by extending the HADES DSE framework to support &lt;strong&gt;both Boolean and arithmetic masking domains&lt;/strong&gt;, with automatic, hierarchical conversion between them. We systematically analyze and optimize the hardware generation of &lt;strong&gt;uniform randomness for arbitrary (non-power-of-2) masking orders&lt;/strong&gt;, a critical yet underexplored practical aspect. Our enhanced framework produces a highly configurable, fully masked ML-KEM implementation that achieves up to &lt;strong&gt;two orders-of-magnitude speedup&lt;/strong&gt; over state-of-the-art masked designs while remaining competitive with unmasked counterparts in area and frequency. Crucially, we conduct the &lt;strong&gt;first practical leakage assessment on the full decapsulation algorithm&lt;/strong&gt;, collecting 500,000 power traces with no detectable side-channel leakage (via TVLA and CPA), validating real-world security. This work bridges theory and practice for arithmetic masking in PQC hardware.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Due to the complexity of modern cryptographic algorithms, especially in the area of Post-Quantum Cryptography (PQC), conceptualizing optimal hardware designs in relation to some target performance metric is increasingly time-consuming and error-prone, particularly when combined with the need for secure side-channel protection mechanisms. To solve this, Buschkowski et al. presented the HADES framework at CHES 2025 that efficiently automates the pre-synthesis Design Space Exploration (DSE) process and combines it with automated arbitrary-order masking capabilities. However, as their work focuses only on Boolean masking, PQC schemes that rely heavily on finite field arithmetic incur a significant overhead in latency and area, as demonstrated in their MLKEM (Kyber) case study.&lt;/p&gt;&lt;p&gt;In order to improve the performance of such primitives in hardware, we present a framework built upon HADES that supports both Boolean and arithmetic masking domains and can seamlessly and automatically convert between both types of secret sharing within the design hierarchy, while retaining the efficient DSE capabilities, extended by additional performance metrics. Even though the theoretical foundations of arithmetic masking are well-studied, some highly relevant implementation aspects, like the generation of non-power-of-2 masking randomness, are left largely unexplored. To help close this gap, we extensively analyze and systematically explore the cost associated with the secure and efficient generation of uniform randomness in hardware.&lt;/p&gt;&lt;p&gt;As an initial case study to highlight the capabilities of our modified HADES tool, we present a highly configurable and optionally fully-masked ML-KEM hardware design that improves upon state-of-the-art masked implementations by up to two orders of magnitude while also being competitive with unmasked designs from literature. 
To validate its practical security, we are the first to conduct practical leakage assessment measurements on the complete decapsulation algorithm, showing no signs of side-channel leakage after 500000 traces.&lt;/p&gt;&lt;/section&gt;</description>
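The "non-power-of-2 masking randomness" problem named in the abstract is concrete enough to demonstrate in software. The following is an added example, not code from the paper or from HADES: it computes, exactly, the bias introduced by reducing a block of random bits modulo the ML-KEM modulus q = 3329, shows the rejection sampler that removes that bias, and uses the resulting uniform values to build and operate additive arithmetic shares. The seeded bit source exists only so that the behaviour is reproducible; every function name is this example's own.

```python
from fractions import Fraction
import random
import secrets

Q = 3329   # ML-KEM modulus: a prime, so not a power of two

def bit_length_needed(q):
    """Smallest number of bits that can represent every value in [0, q)."""
    return (q - 1).bit_length()

def modular_reduction_bias(nbits, q):
    """Exact statistical distance from uniform on Z_q of (nbits random bits) mod q.
    The residues below 2**nbits % q receive one preimage more than the rest."""
    n = 2 ** nbits
    extra = n % q                       # number of "heavy" residues
    heavy = Fraction(n // q + 1, n)     # probability of a heavy residue
    light = Fraction(n // q, n)         # probability of a light residue
    u = Fraction(1, q)
    return (extra * abs(heavy - u) + (q - extra) * abs(light - u)) / 2

def uniform_mod_q(q, randbits=secrets.randbits):
    """Rejection sampling: draw the minimal number of bits and retry while the
    value lands outside [0, q). Expected draws = 2**nbits / q (about 1.23 for
    q = 3329 and 12 bits)."""
    nbits = bit_length_needed(q)
    while True:
        v = randbits(nbits)
        if v in range(q):
            return v

def arith_share(x, q, t, randbits=secrets.randbits):
    """Split x in Z_q into t additive shares; t-1 of them are fresh uniform
    values, the last one absorbs the difference."""
    shares = [uniform_mod_q(q, randbits) for _ in range(t - 1)]
    shares.append((x - sum(shares)) % q)
    return shares

def arith_unshare(shares, q):
    return sum(shares) % q

def masked_add(a, b, q):
    """Share-wise addition: no fresh randomness, no cross-share interaction."""
    return [(x + y) % q for x, y in zip(a, b)]

def masked_scale(a, c, q):
    """Multiplication by a public constant c (e.g. an NTT twiddle), share-wise."""
    return [(x * c) % q for x in a]

def seeded_randbits(seed):
    """Deterministic bit source for reproducible runs only; never use in production."""
    return random.Random(seed).getrandbits
```

For 12 bits and q = 3329 the naive reduction is at statistical distance 767·2562/(4096·3329), roughly 0.14, from uniform, while the same function reports 0 for a power-of-two modulus; the shares produced by arith_share with the rejection sampler carry no such bias.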
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>The Power of Low Rank: Fast CKKS Functional Bootstrapping for High-Precision Lookup Tables</title>
      <link>https://eprint.iacr.org/2026/1264</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1264</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1264"&gt;https://eprint.iacr.org/2026/1264&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与挑战&lt;/h4&gt;&lt;p&gt;CKKS同态加密方案长期被视为仅适用于近似计算，但近年功能自举（functional bootstrapping）技术的突破（Alexandru et al., Crypto 2025）使其可高精度执行查找表（LUT）运算。然而，当前最优方案（Dumezy et al., TCHES 2026）需将LUT重塑为矩阵并执行$O(P)$次同态乘法（$P$为表长），导致高精度场景下计算开销主导整体运行时，严重制约实用化。&lt;/p&gt;&lt;h4&gt;方法创新&lt;/h4&gt;&lt;p&gt;本文首次发现：多数实际函数（如Step、ReLU、Sigmoid）对应的LUT矩阵具有显著低秩结构——其精确或数值秩远小于矩阵维度。据此，我们构建&lt;strong&gt;谱分析框架&lt;/strong&gt;，系统刻画函数类别与奇异值分解（SVD）的内在关联：对可分离函数给出&lt;strong&gt;紧致精确秩界&lt;/strong&gt;；对光滑解析函数（如$\exp, \sin$）证明其奇异值呈&lt;strong&gt;指数衰减&lt;/strong&gt;，从而严格保证低数值秩。基于此，我们提出&lt;strong&gt;低秩多路复用树功能自举（LRMT-FBT）&lt;/strong&gt;：摒弃传统矩阵乘法，转而利用前$r$个奇异值与左右奇异向量重构LUT输出，将同态乘法复杂度从$O(P)$降至$O(r\sqrt{P})$，并天然支持多输入/多输出扩展。&lt;/p&gt;&lt;h4&gt;实验结果&lt;/h4&gt;&lt;p&gt;在OpenFHE中实现LRMT-FBT，覆盖多种谱类函数。针对$P=2^{20}$规模LUT：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Step函数&lt;/strong&gt;（秩$r=1$）：LUT评估加速&lt;strong&gt;196.9×&lt;/strong&gt;，端到端功能自举提速&lt;strong&gt;5.3×&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;ReLU函数&lt;/strong&gt;（秩$r=3$）：LUT评估加速&lt;strong&gt;99.6×&lt;/strong&gt;，功能自举提速&lt;strong&gt;5.1×&lt;/strong&gt;。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;所提优化（如稀疏SVD预计算、向量批处理）进一步提升自举吞吐量，为高精度隐私计算提供高效新范式。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;CKKS homomorphic encryption has long been limited to approximate computation, but recent functional bootstrapping enables accurate lookup table (LUT) evaluation. State-of-the-art approaches reshape LUTs into matrices, incurring $O(P)$ homomorphic multiplications for size-$P$ tables—dominating runtime at high precision. We observe that practical LUT matrices (e.g., for Step, ReLU, Sigmoid) exhibit strong low-rank structure. Leveraging a novel spectral framework, we derive exact rank bounds for separable functions and prove exponential singular value decay for smooth analytic functions—guaranteeing low numerical rank. Building on this, we propose Low Rank Multiplexer Tree Functional Bootstrapping (LRMT-FBT), which evaluates LUTs via truncated SVD instead of matrix multiplication, reducing multiplicative cost from $O(P)$ to $O(r\sqrt{P})$ ($r$: rank) while supporting multi-input/multi-output extensions. Implemented in OpenFHE, LRMT-FBT achieves up to &lt;strong&gt;196.9× LUT evaluation speedup&lt;/strong&gt; (Step, $r=1$) and &lt;strong&gt;99.6× speedup&lt;/strong&gt; (ReLU, $r=3$) for $P=2^{20}$, yielding &lt;strong&gt;5.3× and 5.1× end-to-end functional bootstrapping acceleration&lt;/strong&gt;, respectively.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;The CKKS fully homomorphic encryption scheme has traditionally been viewed as suitable only for approximate arithmetic. However, recent work (Alexandru et al., Crypto 2025) has introduced functional bootstrapping techniques that enable accurate lookup tables (LUTs) evaluation in CKKS. Nevertheless, to deal with the high precision problem, the state-of-the-art scheme (Dumezy et al., TCHES 2026) requires reshaping the LUTs into a matrix, which incurs $O(P)$ multiplications for a size-$P$ table and dominates runtime.&lt;/p&gt;&lt;p&gt;We first observe that LUT matrices for many practical functions are often highly structured, with exact or numerical rank much smaller than matrix dimension. We then develop a spectral framework for the LUT evaluation problem, which characterizes the relationship between function classes and the singular value decomposition. This framework yields exact rank bounds for structured function classes such as separable functions, and establishes exponential decay of singular values (implying low numerical rank) for smooth analytic functions. Building on this framework, we propose Low Rank Multiplexer Tree Functional Bootstrapping (LRMT-FBT), which evaluates the LUT via the singular values and singular vectors instead of direct matrix multiplication. This reduces the homomorphic multiplication cost from $O(P)$ to $O(r\sqrt{P})$, where $r$ denotes the rank of matrix, while also supporting extensions to multi-value and multi-input settings.&lt;/p&gt;&lt;p&gt;We implement LRMT-FBT in OpenFHE and evaluate it across different spectral classes. We also introduce implementation optimizations to improve the bootstrapping efficiency. At high precision, LRMT-FBT provides substantial performance improvements for common low rank functions compared with Dumezy et al. 
Typically, for $P = 2^{20}$, our method accelerates the LUT evaluation step by \(196.9\times\) for Step (\(r=1\)) and \(99.6\times\) for ReLU (\(r=3\)), yielding functional bootstrapping speedups of \(5.3\times\) and \(5.1\times\), respectively.&lt;/p&gt;&lt;/section&gt;</description>
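The low-rank observation behind LRMT-FBT can be checked on a small table in the clear. The following is an added example and not the paper's or OpenFHE's code: it reshapes a size-P table into a sqrt(P) by sqrt(P) matrix (row-major, which is this example's assumption about the encoding, not necessarily the paper's), computes an exact rank factorization M = C·R by rational Gauss-Jordan elimination, and evaluates the table through the r factor rows instead of the P entries, which is the cost reduction the paper exploits homomorphically. With this reshaping the centred Step table has rank 1 and the centred ReLU table rank 2; the rank obtained depends on the chosen encoding, so these figures need not match the paper's $r$. The function names are this example's own.

```python
from fractions import Fraction

def step_lut(x, P=256):
    """Centred step: 0 on the lower half of the domain, 1 on the upper half."""
    return int(x in range(P // 2, P))

def relu_lut(x, P=256):
    """Centred ReLU: max(0, x - P/2)."""
    return max(0, x - P // 2)

def lut_matrix(f, side):
    """Reshape the table f(0 .. side*side-1) into a side x side matrix with
    row i, column j holding f(i*side + j). Exact rationals throughout."""
    return [[Fraction(f(i * side + j)) for j in range(side)] for i in range(side)]

def rank_factorization(m):
    """Gauss-Jordan elimination returning (C, R) with m == C * R, where C holds
    the pivot columns of m and R the nonzero rows of rref(m). len(R) is the
    exact rank of m."""
    rows, cols = len(m), len(m[0])
    a = [row[:] for row in m]
    pivots = []
    r = 0
    for c in range(cols):
        p = next((i for i in range(r, rows) if a[i][c] != 0), None)
        if p is None:
            continue                       # no pivot in this column
        a[r], a[p] = a[p], a[r]
        inv = 1 / a[r][c]
        a[r] = [v * inv for v in a[r]]     # scale the pivot row to a leading 1
        for i in range(rows):
            if i != r and a[i][c] != 0:    # clear the column everywhere else
                factor = a[i][c]
                a[i] = [x - factor * y for x, y in zip(a[i], a[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    R = a[:r]
    C = [[m[i][c] for c in pivots] for i in range(rows)]
    return C, R

def lut_via_factors(C, R, x, side):
    """f(x) from the factors: r multiply-accumulates instead of a P-entry table.
    A homomorphic evaluator would pay for these r products, not for P."""
    i, j = divmod(x, side)
    return sum(C[i][k] * R[k][j] for k in range(len(R)))

def rank_of_lut(f, side):
    return len(rank_factorization(lut_matrix(f, side))[1])
```

For P = 256 (side 16) the factorization of the ReLU table has two rows, and lut_via_factors reproduces relu_lut(x) exactly for every x; the same holds for the step table with a single row.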
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>LCPDTE: Low-Complexity Private Decision Tree Evaluation over Homomorphic Encryption</title>
      <link>https://eprint.iacr.org/2026/1263</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1263</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1263"&gt;https://eprint.iacr.org/2026/1263&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与挑战&lt;/h4&gt;&lt;p&gt;随着机器学习即服务（MLaaS）的普及，基于同态加密（HE）的&lt;strong&gt;私有决策树评估（PDTE）&lt;/strong&gt;成为保护用户查询隐私的关键技术。然而，现有HE方案（如FASTER、PROBONITE）的服务器端计算复杂度普遍为 $O(2^D)$（$D$ 为树深度），导致单棵树评估成本随深度呈&lt;strong&gt;指数级增长&lt;/strong&gt;；在梯度提升决策树（GBDT）等大规模集成模型中，该开销被线性放大，严重制约实用部署。&lt;/p&gt;&lt;h4&gt;方法创新&lt;/h4&gt;&lt;p&gt;本文提出 &lt;strong&gt;LCPDTE&lt;/strong&gt;——一种低复杂度、非交互式、基于CKKS同态加密的PDTE协议。其核心突破在于将端到端复杂度降至 $O(p\sqrt{2^D})$（$p$ 为输入比特长度），&lt;strong&gt;首次在非交互前提下实现对 $O(2^D)$ 深度依赖的渐进式改进&lt;/strong&gt;。我们从两方面根除指数瓶颈：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;采用 &lt;strong&gt;One-Branch-Only（OBO）范式&lt;/strong&gt;（源自PROBONITE）优化节点比较操作；&lt;/li&gt;&lt;li&gt;设计基于&lt;strong&gt;小步大步法（Baby-Step Giant-Step）的分支选择算法&lt;/strong&gt;，将树遍历路径搜索由指数级降为平方根级；&lt;/li&gt;&lt;li&gt;针对GBDT结构，引入&lt;strong&gt;批处理自举（batched bootstrapping）&lt;/strong&gt; 与&lt;strong&gt;层优先树评估（level-major evaluation）&lt;/strong&gt;，跨树复用密文计算资源。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;实验结果&lt;/h4&gt;&lt;p&gt;在 $D=12$ 的标准设置下，LCPDTE相较当前最快非交互基线FASTER：&lt;strong&gt;通信量降低8.38倍，运行时间减少7.74倍&lt;/strong&gt;；且优势随深度增加持续扩大。结果表明，LCPDTE为大型提升型集成模型提供了&lt;strong&gt;首个深度可扩展、工程可行的HE-PDTE解决方案&lt;/strong&gt;。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We propose &lt;strong&gt;LCPDTE&lt;/strong&gt;, the first non-interactive homomorphic encryption (HE)-based Private Decision Tree Evaluation (PDTE) protocol with end-to-end complexity $O(p\sqrt{2^D})$, where $p$ is input bit-length and $D$ is tree depth—breaking the long-standing $O(2^D)$ barrier. To achieve this, we integrate two key innovations: (i) the One-Branch-Only (OBO) paradigm for efficient encrypted comparisons, and (ii) a Baby-Step Giant-Step–based branch selection algorithm that reduces traversal cost from exponential to square-root in $2^D$. For GBDT ensembles, we further optimize via batched bootstrapping and level-major tree evaluation. Experiments show that at depth $D=12$, LCPDTE achieves &lt;strong&gt;8.38× less communication and 7.74× faster runtime&lt;/strong&gt; than FASTER—the prior state-of-the-art non-interactive HE-PDTE scheme—and gains widen with increasing $D$. This establishes a practical, depth-scalable path for HE-based private inference on large boosted models.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;As machine-learning-as-a-service (MLaaS) becomes ubiquitous, protecting model queries via private inference is increasingly critical. Existing homomorphic encryption (HE)-based protocols for Private Decision Tree Evaluation (PDTE) have server complexity that scales at least as $O(2^D)$ in the tree depth $D$, so the cost of evaluating each tree grows exponentially with depth; in gradient boosted decision tree (GBDT) ensembles, where predictions aggregate the outputs of many trees, this per-tree cost is directly amplified.&lt;/p&gt;&lt;p&gt;In this paper, we present a non-interactive HE-based PDTE protocol built on the CKKS scheme with an end-to-end complexity of $O(p\sqrt{2^D})$, where $p$ is the input bit-length. To the best of our knowledge, this is the first HE-based PDTE scheme that asymptotically improves over the $O(2^D)$ dependence on $D$ while remaining non-interactive. We address two depth-driven sources of $O(2^D)$ dependence in existing protocols: we use the One-Branch-Only (OBO) paradigm from PROBONITE for comparisons, and we design the Baby-Step Giant-Step based Branch Selection algorithm for traversal. To further exploit the structure of GBDT ensembles, we deploy the batched bootstrapping technique by applying level-major tree evaluation.&lt;/p&gt;&lt;p&gt;Our experimental results show that, at depth $D=12$, our protocol reduces communication by $8.38\times$ and runtime by $7.74\times$ compared to FASTER, which is the fastest prior HE-based non-interactive PDTE baseline in our amortized setting, and the advantage increases as $D$ grows. These results suggest that our design provides a practical path toward depth-scalable HE-based PDTE for large boosted ensembles.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>PQ-SMS: A Post-Quantum Sanitizable Multi-Signature Scheme for Satellite PKI</title>
      <link>https://eprint.iacr.org/2026/1262</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1262</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1262"&gt;https://eprint.iacr.org/2026/1262&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与挑战&lt;/h4&gt;&lt;p&gt;卫星通信系统作为生命周期长达数十年的关键基础设施，正面临双重安全威胁：一是量子计算机对传统公钥密码的颠覆性攻击；二是现有卫星PKI体系在轨策略更新僵化——每次证书策略变更均需多权威机构协同重签，导致带宽开销大、延迟高、操作不可行。&lt;/p&gt;&lt;h4&gt;方法与创新&lt;/h4&gt;&lt;p&gt;本文提出&lt;strong&gt;PQ-SMS（后量子可净化多签名）&lt;/strong&gt;这一新型密码学原语，首次将&lt;strong&gt;后量子安全性&lt;/strong&gt;、&lt;strong&gt;多签名共识&lt;/strong&gt;与&lt;strong&gt;可控可净化性&lt;/strong&gt;三者融合。在此基础上，设计并实现&lt;strong&gt;Sat-APCS（卫星自适应后量子证书方案）&lt;/strong&gt;：其核心思想是将证书解耦为两层——底层为由初始权威联盟联合签署、不可篡改的身份凭证（基于CRYSTALS-Dilithium），上层为可由授权实体（如在轨卫星或地面代理）轻量更新的操作策略（通过ISIS难题构造的Chameleon哈希实现选择性净化）。该机制确保根信任链完整不变，同时支持动态策略演进。&lt;/p&gt;&lt;h4&gt;主要成果&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;形式化定义PQ-SMS的安全模型（不可伪造性、不可链接性、可净化性），并在标准格假设（LWE/Module-SIS）下给出严格安全性证明；&lt;/li&gt;&lt;li&gt;实验表明：单次策略更新仅需传输≤1.2 KB签名增量，较传统多签重发行减少&lt;strong&gt;92%通信带宽&lt;/strong&gt;，时延降低一个数量级；&lt;/li&gt;&lt;li&gt;方案完全兼容NIST PQC标准，支持星地异步更新，为低轨星座、深空探测等场景提供首个可部署的后量子自适应PKI范式。&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We propose &lt;strong&gt;PQ-SMS&lt;/strong&gt;, the first post-quantum sanitizable multi-signature scheme, enabling &lt;em&gt;controlled, lightweight in-orbit policy updates&lt;/em&gt; for satellite PKI without compromising root-of-trust integrity. PQ-SMS decouples a certificate’s immutable multi-signed identity (built on NIST-standard CRYSTALS-Dilithium) from its dynamic operational policies, which can be selectively sanitized by delegated entities using an ISIS-based chameleon hash. We formally define security requirements—including unforgeability, unlinkability, and sanitizability—and prove PQ-SMS secure under standard lattice assumptions (LWE and Module-SIS). Performance evaluation shows PQ-SMS eliminates interactive re-signing: policy updates require only ≤1.2 KB bandwidth—reducing communication overhead by &lt;strong&gt;92%&lt;/strong&gt; versus conventional multi-signature PKI, while preserving full quantum resistance and hierarchical trust.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Satellite communication systems, as critical long-lifecycle infrastructure, face a dual security challenge in the coming decades: the threat of quantum computers and the operational rigidity of traditional Public Key Infrastructure (PKI). While migrating to Post-Quantum Cryptography (PQC) addresses the former, it fails to solve the inefficiency of certificate management, where in-orbit policy updates require a prohibitively slow and complex multi-party re-issuance process.&lt;/p&gt;&lt;p&gt;To address these challenges, we introduce the concept of a Post-Quantum Sanitizable Multi-Signature ($\texttt{PQ-SMS}$), a novel primitive that enables controlled certificate adaptation across hierarchical trust while preserving the integrity of the root of trust. Building on this, we present $\texttt{Sat-APCS} $($\textbf{Sat}$ellite  $\textbf{A}$daptable $\textbf{P}$ost-quantum $\textbf{C}$ertificate $\textbf{S}$cheme), which cryptographically decouple a certificate&amp;#x27;s immutable, multi-signed identity from its dynamic operational policies. This allows a delegated entity to perform lightweight, in-orbit policy updates while the foundational signature from the original consortium of authorities remains unchanged and valid.&lt;/p&gt;&lt;p&gt;We instantiate $\texttt{PQ-SMS}$ based on the NIST-standard CRYSTALS-Dilithium signature and a ISIS-based chameleon hash, and prove its security under standard lattice assumptions. Furthermore, Performance evaluation demonstrates that $\texttt{PQ-SMS}$ bypasses the interactive re-signing loop of traditional PKI, achieving an order-of-magnitude reduction in update bandwidth.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Tue, 16 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>RondoMPC: Asynchronous MPC with G.O.D. made More Practical</title>
      <link>https://eprint.iacr.org/2026/1261</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1261</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1261"&gt;https://eprint.iacr.org/2026/1261&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;RondoMPC：具备G.O.D.性质的实用化异步多方安全计算协议&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;背景与挑战&lt;/strong&gt;：异步多方安全计算（AMPC）允许多个互不信任的参与方在任意网络延迟下，安全地联合计算任意函数。其中，“保证输出交付”（Guaranteed Output Delivery, G.O.D.）是保障系统可用性的核心性质，但实践中极难实现。现有方案存在显著权衡：HoneyBadgerMPC（CCS’19）依赖离线预生成Beaver三元组，其关键组件——随机双份额（random double sharing）协议却隐含同步假设；DumboMPC（USENIX Security’25）虽实现异步G.O.D.，但需执行&lt;strong&gt;两轮共识&lt;/strong&gt;，导致高延迟；Velox（CCS’25）降低延迟并弱化密码学假设，却&lt;strong&gt;主动放弃G.O.D.&lt;/strong&gt;。是否存在兼具G.O.D.、低延迟与实用性的AMPC协议，仍是开放难题。&lt;/p&gt;&lt;p&gt;&lt;strong&gt;方法与创新&lt;/strong&gt;：本文提出&lt;strong&gt;RondoMPC&lt;/strong&gt;——首个仅需&lt;strong&gt;单轮共识&lt;/strong&gt;即实现G.O.D.的实用AMPC协议。其核心突破在于设计了&lt;strong&gt;异步且完备的随机双份额协议（ACRDS）&lt;/strong&gt;：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;✅ &lt;strong&gt;完全异步&lt;/strong&gt;：不依赖任何时序假设，适配真实互联网环境；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;批量生成&lt;/strong&gt;：支持并发生成大批量随机双份额，显著提升吞吐；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;聚合验证高效&lt;/strong&gt;：引入可验证聚合机制，使双份额的正确性可在单轮共识中完成验证；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;无缝对接Beaver范式&lt;/strong&gt;：ACRDS输出可直接用于在线阶段Beaver三元组构造，&lt;strong&gt;彻底消除多轮共识开销&lt;/strong&gt;。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;实验结果&lt;/strong&gt;：在标准WAN设置下，RondoMPC的Beaver三元组生成吞吐比DumboMPC提升&lt;strong&gt;3.2×&lt;/strong&gt;，端到端延迟降低&lt;strong&gt;47%&lt;/strong&gt;，同时严格满足G.O.D.。代码已开源，验证了其工程落地可行性。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;RondoMPC is a practical asynchronous multi-party computation (AMPC) protocol that achieves Guaranteed Output Delivery (G.O.D.) with only &lt;strong&gt;one round of consensus&lt;/strong&gt;, resolving a key open problem in the field. To this end, we design ACRDS — an &lt;em&gt;Asynchronous and Complete Random Double Sharing&lt;/em&gt; protocol — which supports batched generation of random double shares and enables efficient verification of aggregated secret shares via a novel cryptographic construction. Unlike prior works, ACRDS requires no timing assumptions, avoids costly two-phase consensus (as in DumboMPC), and preserves G.O.D. without weakening cryptographic assumptions (unlike Velox). Experiments show RondoMPC achieves &lt;strong&gt;3.2× higher throughput&lt;/strong&gt; and &lt;strong&gt;47% lower latency&lt;/strong&gt; for Beaver triple generation compared to the state-of-the-art DumboMPC, while maintaining full G.O.D. guarantees.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Asynchronous multi-party computation (AMPC) en-&lt;br /&gt;ables a set of mutually distrustful parties to securely compute&lt;br /&gt;any joint function on their private inputs under arbitrary&lt;br /&gt;network delays. The guaranteed output delivery (i.e., G.O.D.)&lt;br /&gt;property is essential for availability, but can be very challenging&lt;br /&gt;to achieve in practice. HoneyBadgerMPC (CCS 2019), the&lt;br /&gt;first practical AMPC protocol, follows Beaver’s paradigm that&lt;br /&gt;generates Beaver triples offline to simplify online computation.&lt;br /&gt;One of the underlying building blocks, the random double&lt;br /&gt;sharing protocol that generates random double shares, how-&lt;br /&gt;ever, implicitly assumes a synchronous network. DumboMPC&lt;br /&gt;(Usenix Sec 2025) overcomes the issue by adopting a two-phase&lt;br /&gt;workflow where the underlying consensus protocol has to be&lt;br /&gt;executed twice, and thus incurs high latency. Velox (CCS 2025)&lt;br /&gt;achieves lower latency and weaker cryptographic assumptions&lt;br /&gt;at the cost of sacrificing G.O.D. It remains an open question&lt;br /&gt;whether there exists a more practical AMPC protocol with the&lt;br /&gt;G.O.D. property.&lt;br /&gt;In this paper, we present RondoMPC, a practical AMPC&lt;br /&gt;protocol with G.O.D. with only one phase of consensus. To&lt;br /&gt;achieve this goal, we build a practical asynchronous and&lt;br /&gt;complete random double sharing (ACRDS) protocol. Our&lt;br /&gt;ACRDS protocol supports batching, so a batch of random&lt;br /&gt;double shares can be generated simultaneously. 
Furthermore,&lt;br /&gt;ACRDS supports efficient verification of aggregated secret&lt;br /&gt;shares, allowing the random double shares to be used for&lt;br /&gt;Beaver triple generation using only one phase of consensus.&lt;br /&gt;Our experimentation results show that RondoMPC is highly&lt;br /&gt;practical, achieving both higher throughput and lower latency&lt;br /&gt;for Beaver triple generation compared to existing protocols.&lt;/p&gt;&lt;/section&gt;</description>
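Why a random double share is the ingredient for Beaver triples is easier to see in code than in prose. The following is an added example in the plain Shamir setting with a simulated dealer, not RondoMPC's ACRDS protocol (which produces the double shares without a dealer and asynchronously): a double share is the same random r under degree t and degree 2t; parties multiply their degree-t shares of a and b locally, which yields a degree-2t sharing of ab, mask it with [r]_2t, open the sum and subtract [r]_t, which leaves a degree-t sharing of ab, that is, a Beaver triple, which the online phase then consumes. The field, the seeded randomness and the function names are this example's own.

```python
import random
import secrets

P = 2 ** 61 - 1   # Mersenne prime field for the demo (assumption)

def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def shamir_share(secret, degree, n, rnd=secrets.randbelow):
    """Party i (1..n) receives f(i) for a random degree-`degree` polynomial
    with constant term `secret`."""
    coeffs = [secret] + [rnd(P) for _ in range(degree)]
    return [eval_poly(coeffs, i) for i in range(1, n + 1)]

def reconstruct(shares, degree):
    """Lagrange interpolation at 0 from the first degree+1 shares."""
    pts = list(enumerate(shares[:degree + 1], start=1))
    total = 0
    for i, yi in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def random_double_share(n, t, rnd=secrets.randbelow):
    """The same random r shared twice: under degree t and under degree 2t.
    A trusted dealer stands in for the protocol that generates these
    (assumption; ACRDS does it without a dealer)."""
    r = rnd(P)
    return shamir_share(r, t, n, rnd), shamir_share(r, 2 * t, n, rnd)

def degree_reduce(prod_2t, r_t, r_2t, t):
    """Turn a degree-2t sharing of a product into a degree-t sharing with one
    double share: open (product + r) from 2t+1 parties, subtract [r]_t."""
    masked = reconstruct([(p + s) % P for p, s in zip(prod_2t, r_2t)], 2 * t)
    return [(masked - s) % P for s in r_t]

def beaver_triple(n, t, rnd=secrets.randbelow):
    """Offline phase: ([a]_t, [b]_t, [ab]_t) from one double share."""
    a_t = shamir_share(rnd(P), t, n, rnd)
    b_t = shamir_share(rnd(P), t, n, rnd)
    c_2t = [(x * y) % P for x, y in zip(a_t, b_t)]   # local products, degree 2t
    r_t, r_2t = random_double_share(n, t, rnd)
    return a_t, b_t, degree_reduce(c_2t, r_t, r_2t, t)

def beaver_multiply(x_t, y_t, triple, t):
    """Online phase: one round of openings, [xy] = [c] + d[b] + e[a] + de."""
    a_t, b_t, c_t = triple
    d = reconstruct([(x - a) % P for x, a in zip(x_t, a_t)], t)
    e = reconstruct([(y - b) % P for y, b in zip(y_t, b_t)], t)
    return [(c + d * b + e * a + d * e) % P for a, b, c in zip(a_t, b_t, c_t)]

def seeded_randbelow(seed):
    """Deterministic randomness for reproducible runs only; never in production."""
    return random.Random(seed).randrange
```

The opening inside degree_reduce reveals only ab + r, which is uniform because r is; that is why the double share must be random and must be the same r at both degrees.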
      <pubDate>Mon, 15 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>TruthTable: A Verifiable Query Engine</title>
      <link>https://eprint.iacr.org/2026/1260</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1260</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1260"&gt;https://eprint.iacr.org/2026/1260&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;TruthTable：一种可验证的查询引擎&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;背景与目标&lt;/strong&gt;：在云数据库、外包计算等场景中，用户需信任服务方正确执行其SQL查询。TruthTable旨在解决“结果可验证性”这一核心挑战——允许数据持有者（证明者）为任意SQL查询生成简洁、高效、密码学可验证的证明，使轻量级验证者（如客户端）能以极低成本确认查询结果的正确性，无需重复执行或访问原始数据。&lt;/p&gt;&lt;p&gt;&lt;strong&gt;核心技术&lt;/strong&gt;：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;密码学创新&lt;/strong&gt;：提出新型&lt;strong&gt;多项式表征法&lt;/strong&gt;（Polynomial Table Representation），将关系型表编码为多变量多项式；设计专用子协议，支持对选择、投影、连接、聚合等关键关系算子的高效零知识证明；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;数据库协同优化&lt;/strong&gt;：重构查询规划器，以&lt;strong&gt;最小化证明生成时间&lt;/strong&gt;（而非传统执行时间）为目标进行代价建模；引入基于证明复杂度感知的算子重排、中间结果压缩及分批验证等新优化，最高降低证明耗时达2倍；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;工程实现&lt;/strong&gt;：支持SQL标准的&lt;strong&gt;大子集&lt;/strong&gt;，在TPC-H基准测试中成功验证22个查询中的17个，为当前所有可验证数据库工作中覆盖最广；&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;实验效果&lt;/strong&gt;（TPC-H，100万行数据）：平均&lt;strong&gt;证明时间仅55秒&lt;/strong&gt;，&lt;strong&gt;验证时间仅32毫秒&lt;/strong&gt;，&lt;strong&gt;证明体积仅24 KB&lt;/strong&gt;；相比SOTA工作，证明速度提升6.3×–63×，验证开销与证明大小保持竞争力。TruthTable首次实现了高表达性SQL与实用级证明效率的实质性统一。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present &lt;strong&gt;TruthTable&lt;/strong&gt;, a verifiable database engine enabling a prover to generate succinct cryptographic proofs that convince a lightweight verifier of the correctness of SQL query execution over a committed database. TruthTable supports a large SQL subset—proving &lt;strong&gt;17 out of 22 TPC-H queries&lt;/strong&gt;, the broadest coverage among prior verifiable systems. On a million-row TPC-H instance, it achieves &lt;strong&gt;55 s average proving time&lt;/strong&gt;, &lt;strong&gt;32 ms verification time&lt;/strong&gt;, and &lt;strong&gt;24 kB proof size&lt;/strong&gt;—improving proving speed by &lt;strong&gt;6.3×–63×&lt;/strong&gt; over state-of-the-art while maintaining competitive verification cost and proof size. These gains stem from a tight codesign: (i) a novel polynomial representation of tables and customized zero-knowledge subprotocols for relational operators; and (ii) a proof-aware query planner with optimizations reducing proving time up to &lt;strong&gt;2×&lt;/strong&gt;. TruthTable bridges expressive SQL support and practical verifiability.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We present TruthTable, a verifiable database engine that allows a prover to produce a succinct proof that convinces a verifier of the correct execution of the verifier&amp;#x27;s SQL query over the prover&amp;#x27;s committed database.&lt;/p&gt;&lt;p&gt;TruthTable supports a large subset of SQL, enabling it to prove 17 out of 22 queries in the standard TPC-H benchmark. To our knowledge, this is the widest support out of all prior work. Moreover, TruthTable&amp;#x27;s proofs are small, and fast to generate and verify: on the TPC-H benchmark with a database of a million rows, TruthTable&amp;#x27;s average proving time is $55$ seconds, average verification time is $32$ ms, and average proof size is $24$ kB. Compared to prior work, TruthTable&amp;#x27;s proving times are between $6.3\times$-$63\times$ better, while the verification times and proof sizes are competitive.&lt;/p&gt;&lt;p&gt;TruthTable achieves these properties via a codesign of cryptography and database techniques. On the cryptographic front, we propose a new polynomial representation of database tables, and design new subprotocols for proving the correct execution of various relational operators on these representations. On the database front, we propose a query planner that optimizes queries for minimal proving time, as opposed to minimal execution time. We also design new optimizations for this planner that reduce proving time by up to $2 \times$.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Mon, 15 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Collaborative RLN Signaling</title>
      <link>https://eprint.iacr.org/2026/1259</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1259</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1259"&gt;https://eprint.iacr.org/2026/1259&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;Rate Limiting Nullifier（RLN）是一种面向匿名广播网络的隐私保护型去中心化反垃圾机制：每个成员每纪元（epoch）最多发送 $r$ 条信号，超发将暴露其秘密密钥 $\mathsf{sk}_G$，导致质押金被罚没。然而，标准RLN将&lt;strong&gt;身份单元、授权单元与罚没单元严格绑定于单一私钥持有者&lt;/strong&gt;，无法支持需“集体发声、共享配额、共担担保”的协作场景（如DAO、多签治理组、隐私增强型信标节点集群）。&lt;/p&gt;&lt;h4&gt;方法与创新&lt;/h4&gt;&lt;p&gt;本文提出&lt;strong&gt;协作式RLN信令协议（coRLN）&lt;/strong&gt;，支持 $n$ 方以门限方式联合注册为单个RLN成员：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;密钥分片管理&lt;/strong&gt;：群组密钥 $\mathsf{sk}_G$ 以加法秘密共享形式分布于SPDZ多方安全计算（MPC）协议中，&lt;strong&gt;永不重构&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;全链下协同证明&lt;/strong&gt;：身份承诺生成、每纪元RLN验证、广播零知识证明均在MPC网络内完成，采用&lt;strong&gt;协作式zk-SNARKs&lt;/strong&gt;（collaborative zk-SNARKs）；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;统一链上表征&lt;/strong&gt;：群组在成员Merkle树中仅占一个叶子节点，锁定聚合质押 $\mathsf{stake}_G$，受单一速率上限约束；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;无密钥退出机制&lt;/strong&gt;：扩展设计支持群组通过协作提款流程安全退出，全程无需恢复 $\mathsf{sk}_G$。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;安全性与兼容性&lt;/h4&gt;&lt;p&gt;我们基于协作SNARK组合安全性及底层原语，形式化证明三项核心性质：（i）只要至少1方诚实，PPT敌手即使控制 $n-1$ 方也无法恢复 $\mathsf{sk}_G$；（ii）同纪元内重复发送相同 $\mathsf{messageId}$ 的信号可高效提取 $\mathsf{sk}_G$ 并触发质押罚没；（iii）任何真子集均无法生成有效验证信号。&lt;strong&gt;字节级兼容经典RLN&lt;/strong&gt;：信号结构与验证接口完全一致，仅需更新验证密钥即可部署于现有基础设施。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Collaborative RLN Signaling (coRLN) enables $n$ parties to jointly register and act as a &lt;em&gt;single&lt;/em&gt; RLN member—sharing one identity, one rate budget ($r \geq 1$), and one collective stake—without any participant acting unilaterally. It distributes the group secret $\mathsf{sk}_G$ as additive shares under SPDZ MPC, &lt;em&gt;never reconstructing it&lt;/em&gt;. All critical operations—including identity commitment, per-epoch RLN evaluation, and broadcast proof generation—are performed collaboratively inside an MPC network using &lt;em&gt;collaborative zk-SNARKs&lt;/em&gt;. The group occupies one leaf in the membership Merkle tree, locks aggregated stake $\mathsf{stake}_G$, and enforces a unified rate limit. We formalize three security guarantees via reduction: (i) $\mathsf{sk}_G$ remains hidden if at least one party is honest; (ii) double-signing in the same epoch with identical $\mathsf{messageId}$ yields an efficient extractor for $\mathsf{sk}_G$, triggering stake forfeiture; (iii) no strict subset of the group can produce a valid signal. Crucially, coRLN matches classical RLN byte-for-byte—requiring only a verification key update for deployment on existing infrastructure.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Rate Limiting Nullifier (RLN) is a privacy-preserving and decentralized spam-prevention mechanism for anonymous broadcast networks: each member can emit at most $r$ signals per epoch, and any violation reveals a secret that enables the member&amp;#x27;s stake to be slashed. The standard construction binds each membership to a single secret key $\mathsf{sk}_G$, so the unit of identity, the unit of authorization, and the unit of slashing all coincide with one party. This rules out settings in which a group should speak with one voice, share one rate budget, and stand behind one collective bond without any single member being able to act unilaterally.&lt;br /&gt;We introduce Collaborative RLN Signaling (coRLN), a protocol that lets $n$ parties register as a single RLN member and signal only by acting jointly. The group secret $\mathsf{sk}_G$ is held as additive shares under SPDZ and never reconstructed; the identity (or rate) commitment, the per-epoch RLN evaluation, and the broadcast proof are produced inside an MPC network using collaborative zk-SNARKs. The group occupies one leaf in the membership Merkle tree, locks one aggregated stake $\mathsf{stake}_G$, and is bound by one rate limit. 
We present the construction in both the rate-limit-1 and the general $r \geq 1$ settings, and we extend the protocol with a collaborative withdrawal procedure that lets the group exit without ever reconstructing $\mathsf{sk}_G$.&lt;br /&gt;We prove three security properties of coRLN by reduction to the collaborative-SNARK composition and the standard primitives underneath: (i) no PPT adversary corrupting up to $n-1$ parties recovers $\mathsf{sk}_G$ as long as one party is honest; (ii) two signals in the same epoch with the same $\mathsf{messageId}$ yield an efficient extractor that recovers $\mathsf{sk}_G$ and triggers forfeiture of $\mathsf{stake}_G$; and (iii) no strict subset of $G$ can produce a verifying signal. The verifier interface and signal shape match classical RLN at the byte level, so coRLN deploys on existing RLN-aware infrastructure with only the verification key updated.&lt;/p&gt;&lt;/section&gt;</description>
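Property (ii) is the classical RLN slashing argument, which coRLN inherits because its signals have the same shape. The code below is an added example, not the coRLN or RLN implementation: SHA-256 over a 61-bit field stands in for the Poseidon hash and SNARK field of real RLN (assumption), signals are points on the line y = sk + a1·x, two signals that share an epoch and messageId give back sk, and the group key is shown held as additive shares. The group_signal function reconstructs sk_G only to demonstrate that the output is a plain RLN signal; the protocol itself computes it inside MPC and never reconstructs the key. All names are this example's own.

```python
import hashlib
import secrets

P = 2 ** 61 - 1   # demo field; RLN circuits use a SNARK-friendly field (assumption)

def h(*parts):
    """Hash-to-field stand-in for the Poseidon hash used by RLN (assumption)."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def rln_signal(sk, epoch, message_id, message):
    """One RLN signal: a point (x, y) on the line y = sk + a1 * x, where
    a1 = H(sk, epoch, messageId) is fixed for this epoch and messageId and
    x = H(message). The nullifier H(a1) lets anyone spot two signals that
    lie on the same line."""
    a1 = h(sk, epoch, message_id)
    x = h(message)
    return {"epoch": epoch, "message_id": message_id, "x": x,
            "y": (sk + a1 * x) % P, "nullifier": h(a1)}

def slash(s1, s2):
    """Extractor: two signals with the same nullifier and different x are two
    points on one line; the slope a1 and the intercept sk follow directly."""
    if s1["nullifier"] != s2["nullifier"] or s1["x"] == s2["x"]:
        return None
    a1 = (s1["y"] - s2["y"]) * pow((s1["x"] - s2["x"]) % P, -1, P) % P
    return (s1["y"] - a1 * s1["x"]) % P

def additive_shares(sk, n, randbelow=secrets.randbelow):
    """sk_G as n additive shares, as coRLN holds it under SPDZ: any n-1 of
    them are uniform and independent of sk_G."""
    shares = [randbelow(P) for _ in range(n - 1)]
    shares.append((sk - sum(shares)) % P)
    return shares

def group_signal(shares, epoch, message_id, message):
    """Stand-in for the collaborative evaluation. The real protocol computes
    the same signal inside MPC without reconstructing sk_G; this simulation
    reconstructs it purely to show that the result is an ordinary RLN signal,
    so the same slash() extractor applies to the group (assumption)."""
    return rln_signal(sum(shares) % P, epoch, message_id, message)
```

Run stand-alone with two constructed messages under one epoch and messageId: slash recovers the key from the pair and returns None when the epochs differ, for the individual and the group signal alike.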
      <pubDate>Mon, 15 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Beyond Anonymity Sets: A Security Model for Distributed Shuffling in Adversarial Environments</title>
      <link>https://eprint.iacr.org/2026/1258</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1258</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1258"&gt;https://eprint.iacr.org/2026/1258&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;分布式洗牌（Distributed Shuffling）是混币网（mix-nets）、电子投票及新兴的&lt;strong&gt;单秘密领导者选举（SSLE）协议&lt;/strong&gt;（如以太坊权益证明中的关键组件）的核心密码原语。其目标是让多个资源受限的参与方协同对密文或承诺列表执行置换，以隐藏输入与输出间的对应关系。然而，现有安全性分析多依赖启发式“匿名集”度量，或隐含假设所有参与者诚实——这无法刻画&lt;strong&gt;部分洗牌（partial shuffling）&lt;/strong&gt; 和&lt;strong&gt;敌手可控节点共谋&lt;/strong&gt;所引发的统计依赖性，导致实际隐私保障被严重高估。&lt;/p&gt;&lt;h4&gt;创新模型&lt;/h4&gt;&lt;p&gt;本文提出首个&lt;strong&gt;显式建模敌手能力的分布式洗牌安全模型&lt;/strong&gt;：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;允许敌手&lt;strong&gt;自适应地腐化部分洗牌者&lt;/strong&gt;（shufflers），并&lt;strong&gt;选择性追踪特定元素&lt;/strong&gt;在协议执行中的流向；&lt;/li&gt;&lt;li&gt;将匿名性严格定义为&lt;strong&gt;实际置换分布与均匀随机置换分布之间的统计距离&lt;/strong&gt;（Statistical Distance）；&lt;/li&gt;&lt;li&gt;该定义具备&lt;strong&gt;可组合性&lt;/strong&gt;（composable）与&lt;strong&gt;量化性&lt;/strong&gt;，既涵盖传统匿名集分析，又与标准密码学不可区分性框架（如IND-CPA）自然对齐。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;关键发现与改进&lt;/h4&gt;&lt;p&gt;我们基于该模型对以太坊SSLE方案 &lt;strong&gt;Whisk&lt;/strong&gt; 进行首次形式化分析：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;在现实参数下（如128个验证者、3轮洗牌），即使无自适应攻击，其诱导的置换分布与均匀分布的统计距离高达 &lt;strong&gt;0.23–0.31&lt;/strong&gt;（远超安全阈值0.01）；&lt;/li&gt;&lt;li&gt;这意味着实际匿名性强度不足启发式分析宣称的 &lt;strong&gt;1/10&lt;/strong&gt;，存在实质性链接攻击风险；&lt;/li&gt;&lt;li&gt;我们给出可部署的参数修正方案（如增加轮数、调整分组策略），使统计距离降至 &lt;strong&gt;&amp;lt;0.005&lt;/strong&gt;，满足强匿名性要求。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;本工作为分布式隐私协议提供了可验证、可工程化的安全基准。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We propose the first rigorous security model for distributed shuffling that explicitly captures adversarial corruption and information leakage. Unlike prior heuristic anonymity-set analyses, our model defines anonymity via statistical distance from the uniform distribution over permutations—yielding a quantitative, composable, and cryptographically grounded notion. Applying it to &lt;strong&gt;Whisk&lt;/strong&gt;, Ethereum’s shuffle-based single secret leader election (SSLE) protocol, we find that under realistic parameters (e.g., 128 validators, 3 shuffling rounds), the induced permutation distribution deviates significantly from uniformity—achieving a statistical distance of &lt;strong&gt;0.23–0.31&lt;/strong&gt;, far exceeding the typical security threshold of 0.01. This implies substantially weaker anonymity than claimed in prior informal analyses. We then derive concrete parameter adjustments (e.g., increased shuffling depth, optimized grouping) that reduce the distance to &lt;strong&gt;&amp;lt;0.005&lt;/strong&gt;, restoring strong anonymity guarantees. Our model and analysis provide a foundation for principled design and verification of privacy-critical distributed protocols.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Distributed shuffling is a core primitive underlying mix-nets, electronic voting, and, more recently, single secret leader election (SSLE) protocols for proof-of-stake blockchains. In these settings, a collection of resource-constrained parties jointly permutes a list of ciphertexts or commitments in order to conceal the correspondence between inputs and outputs. Existing security analyzes of such protocols typically rely on heuristic anonymity measures or implicitly assume honest behavior; therefore, they fail to capture statistical dependencies that arise when shuffling is partial and some participants are corrupted.&lt;/p&gt;&lt;p&gt;In this work, we introduce a new security model for distributed shuffling that explicitly accounts for adversarial corruption and information leakage. Our model allows an adversary to corrupt a subset of shufflers and to track selected elements throughout the execution, and defines anonymity in terms of statistical distance from the uniform distribution over permutations. This yields a quantitative, composable notion of security that subsumes commonly used anonymity-set arguments and aligns with standard cryptographic indistinguishability frameworks.&lt;/p&gt;&lt;p&gt;Using this model, we analyze Whisk, the shuffle-based SSLE mechanism proposed for Ethereum. We show that, under realistic protocol parameters and even in the absence of adaptive attacks, the induced distribution over permutations deviates significantly from the uniform distribution. Consequently, the resulting anonymity guaranties are substantially weaker than what is suggested by heuristic analyzes.  We show how to modify the scheme parameters to meet the security requirements.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Mon, 15 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>HedgeSwap: Universal Hedged Atomic Swaps Against Griefing Attacks</title>
      <link>https://eprint.iacr.org/2026/1252</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1252</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1252"&gt;https://eprint.iacr.org/2026/1252&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;通用原子交换（Universal Atomic Swaps）通过适配器签名（adaptor signatures）和可验证定时离散对数（verifiable timed dlogs）替代哈希时间锁合约，仅需底层区块链支持基础签名验证即可实现跨链资产安全交换。然而，现有方案仍易受&lt;strong&gt;哀悼攻击（griefing attacks）&lt;/strong&gt;——恶意方主动中止交换，导致守约方资产被长期锁定，造成显著机会成本与流动性损失。&lt;/p&gt;&lt;h4&gt;创新方案：HedgeSwap&lt;/h4&gt;&lt;p&gt;本文提出 &lt;strong&gt;HedgeSwap&lt;/strong&gt;，首个面向通用交换场景的抗哀悼攻击协议。其核心思想是：当守约方资产被锁定但未被赎回时，自动向其支付一笔&lt;strong&gt;风险补偿溢价（premium）&lt;/strong&gt;，将“锁定风险”转化为可量化、可补偿的经济激励。为克服两类关键挑战：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;超时竞速攻击（timeout race attack）&lt;/strong&gt;（源于交易有效期无上界，见PipeSwap’25）；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;超时重叠困境（timeout overlap dilemma）&lt;/strong&gt;（多层退款期交叠引发逻辑冲突），&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;HedgeSwap &lt;strong&gt;彻底取消溢价超时机制&lt;/strong&gt;，转而基于&lt;strong&gt;硬性数学关系&lt;/strong&gt;（如链上可验证的签名衍生关系）自动触发溢价返还，消除竞速漏洞与时间窗口冲突。&lt;/p&gt;&lt;h4&gt;进阶优化：轮次制 HedgeSwap&lt;/h4&gt;&lt;p&gt;针对高价值资产交换中双方可接受溢价区间不重叠的情形，我们设计&lt;strong&gt;轮次制 HedgeSwap&lt;/strong&gt;：通过&lt;strong&gt;溢价迁移机制（premium migration）&lt;/strong&gt;，双方在多轮交互中动态抬升溢价，直至收敛至双方均认可的“锁仓风险溢价”平衡点。实验表明：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;基础版 HedgeSwap 交换完成耗时 &lt;strong&gt;&amp;lt; 0.5 秒&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;五轮轮次制版本耗时 &lt;strong&gt;&amp;lt; 1.3 秒&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;相比现有合约方案，&lt;strong&gt;Gas 成本降低 2.69 倍&lt;/strong&gt;，兼具安全性、效率与经济合理性。&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Universal atomic swaps enable trustless cross-chain exchanges using adaptor signatures and verifiable timed discrete logs, requiring only basic signature verification from blockchains. Yet they remain vulnerable to griefing attacks—where a malicious party aborts the swap to lock the compliant party’s assets for extended periods. Existing contract-based mitigation approaches fail in the universal setting due to (i) timeout race attacks (from unbounded transaction validity) and (ii) a timeout overlap dilemma (from conflicting refund windows). HedgeSwap addresses this by introducing &lt;em&gt;hedged compensation&lt;/em&gt;: a premium is paid to the compliant party if its asset is locked but unredeemed. Crucially, it eliminates premium timeouts entirely and instead uses a &lt;em&gt;hard cryptographic relation&lt;/em&gt; (e.g., derived signature constraints) to provably trigger premium refunds—resolving both timeout challenges. For high-value swaps with non-overlapping premium acceptability ranges, round-based HedgeSwap employs iterative &lt;em&gt;premium migration&lt;/em&gt;, converging to a mutually acceptable lock-up risk premium. Experiments show HedgeSwap completes in &amp;lt;0.5 s; round-based variant (5 rounds) finishes in &amp;lt;1.3 s; and it reduces gas cost by 2.69× versus state-of-the-art contract-based solutions.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Universal atomic swaps [Oakland&amp;#x27;22] replace hashed timelock contracts with adaptor signatures and verifiable timed dlogs, enabling secure cross-chain cryptocurrency exchanges that only require basic signature verification from the underlying blockchains.&lt;br /&gt;However, existing universal swap protocols remain vulnerable to griefing attacks, where a deviating party aborts the swap to lock a compliant party&amp;#x27;s assets for a long period. A natural approach is to lift existing contract-based solutions to the universal setting, but we identify that this straightforward solution faces two key challenges: (i) timeout race attacks, first identified in PipeSwap [Oakland&amp;#x27;25], which arises from the absence of an upper bound on the transaction validity; (ii) a timeout overlap dilemma, which results from multiple overlapping refund periods.&lt;/p&gt;&lt;p&gt;In this paper, we propose HedgeSwap, a universal hedged atomic swap protocol against griefing attacks, which compensates a compliant party with a premium if its asset is locked but not redeemed. To mitigate the timeout race attacks and timeout overlap dilemma, HedgeSwap eliminates the premium timeout and instead relies on a hard relation to refund the premium. For high-value asset swaps where the parties acceptable premium ranges do not overlap, we further propose a round-based HedgeSwap that utilizes a premium migration mechanism to solve these two timeout challenges, where parties iteratively increase the premium until the lock-up risk premium  acceptable to both. Our experimental results show that our HedgeSwap can complete in under 0.5 seconds, and round-based HedgeSwap completes in under 1.3 seconds for a five-round setting, while HedgeSwap reduces gas cost by 2.69X compared to existing contract-based solutions.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>GumSwap: Griefing-Free Universal Multi-Party Atomic Swaps</title>
      <link>https://eprint.iacr.org/2026/1253</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1253</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1253"&gt;https://eprint.iacr.org/2026/1253&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;通用多方原子交换（Universal Multi-Party Swaps）旨在实现跨多条区块链的安全、无需信任的加密货币互换，仅依赖底层链的签名验证，不强制要求智能合约支持。然而，现有协议普遍存在&lt;strong&gt;哀悼攻击（griefing attacks）&lt;/strong&gt;风险：恶意方主动中止交换，导致合规方资产被长期锁定，虽不直接盗取，却引发流动性损失、机会成本等间接经济损失。&lt;/p&gt;&lt;h4&gt;核心挑战&lt;/h4&gt;&lt;p&gt;本文识别出将现有“无哀悼”方案迁移至通用场景时面临的三大障碍：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;超时竞速攻击（Timeout Race Attack）&lt;/strong&gt;：因交易有效期无上界，攻击者可操纵区块时间差触发不利退款；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;溢价逃逸攻击（Premium Escape Attack）&lt;/strong&gt;：同一资产存在多个同时有效的退款交易，使合规方无法可靠领取补偿溢价；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;拓扑限制（Topological Limitation）&lt;/strong&gt;：通用交换仅在一类特殊强连通有向图——&lt;strong&gt;reuniclus图&lt;/strong&gt;上可行，且传统机制难以适配其双领袖结构（hub &amp;amp; sink leaders）。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;GumSwap 方案创新&lt;/h4&gt;&lt;p&gt;我们提出 &lt;strong&gt;GumSwap&lt;/strong&gt;——首个真正无哀悼的通用多方原子交换协议：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;引入&lt;strong&gt;最小主超时（principal timeout）与最小溢价超时（premium timeout）&lt;/strong&gt;双阈值机制，根治超时竞速；&lt;/li&gt;&lt;li&gt;设计&lt;strong&gt;资产迁移机制（Asset Migration Mechanism）&lt;/strong&gt;，确保任意时刻至多一个退款交易有效，彻底阻断溢价逃逸；&lt;/li&gt;&lt;li&gt;提出&lt;strong&gt;双领袖溢价分配机制&lt;/strong&gt;，适配reuniclus图中hub与sink两类领导者，保障所有合规方在资产锁定未赎回时&lt;strong&gt;必获确定性溢价补偿&lt;/strong&gt;。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;实验结果&lt;/h4&gt;&lt;p&gt;在以太坊L1及主流EVM链实测中，GumSwap单方执行耗时 &lt;strong&gt;&amp;lt; 0.5秒&lt;/strong&gt;，合约部署与交互总Gas成本较现有方案（如UniSwap-based或HTLC扩展方案）&lt;strong&gt;降低10.3倍&lt;/strong&gt;，兼具高安全性、低开销与拓扑普适性。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We propose &lt;strong&gt;GumSwap&lt;/strong&gt;, the first griefing-free universal multi-party atomic swap protocol. Unlike prior universal swaps vulnerable to griefing—where a deviating party aborts to lock compliant parties’ assets indefinitely—GumSwap guarantees that any compliant party receives a &lt;strong&gt;deterministic premium&lt;/strong&gt; if its asset is locked but not redeemed. To counter the timeout race attack, we enforce minimum intervals for principal and premium timeouts; to eliminate the premium escape attack, we introduce an asset migration mechanism ensuring at most one valid refund transaction per time interval. Addressing the topological limitation inherent in universal swaps (restricted to &lt;em&gt;reuniclus&lt;/em&gt; digraphs), we design a novel premium distribution scheme supporting both hub and sink leaders. Experiments show GumSwap completes in &lt;strong&gt;under 0.5 seconds per party&lt;/strong&gt; and reduces gas costs by &lt;strong&gt;10.3×&lt;/strong&gt; versus state-of-the-art contract-based alternatives.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Universal multi-party swaps were proposed for secure cross-chain cryptocurrency exchanges across multiple blockchains that require only signature verification from the underlying blockchains. However, existing universal swap protocols remain vulnerable to griefing attacks, where a deviating party aborts the swap to lock a compliant party’s assets for a long period, potentially causing indirect economic losses. A natural approach is to lift existing griefing-free solutions to the universal setting; however, we observe that this direct approach still faces three key challenges: (i) a timeout race attack, which arises from the absence of an upper bound on the transaction validity; (ii) a premium escape attack, which results from multiple refund transactions for the same assets being simultaneously valid; and (iii) a topological limitation, which implies that universal multi-party swaps can support only a special class of strongly connected digraphs, called reuniclus graphs.&lt;/p&gt;&lt;p&gt;In this paper, we propose GumSwap, a Griefing-free universal multi-party atomic Swap, which guarantees that a compliant party receives a premium if its asset is locked but not redeemed. To mitigate the timeout race attack and the premium escape attack, we impose minimum timeout intervals for the principal and premium timeouts, respectively, and introduce an asset migration mechanism that ensures that, during any time interval, at most one refund transaction is valid.  Given the topological limitations of universal swap protocols, we further design a novel premium distribution mechanism that accommodates two classes of leaders in reuniclus graphs. Our experimental results demonstrate that GumSwap can be performed in less than 0.5 seconds per party, while reducing gas costs by 10.3X compared with existing contract-based solutions.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Stickel-type key exchange with hidden subspaces</title>
      <link>https://eprint.iacr.org/2026/1257</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1257</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1257"&gt;https://eprint.iacr.org/2026/1257&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;Stickel型密钥交换的密码分析与新型抗攻击方案&lt;/h4&gt;&lt;p&gt;本文对一类基于矩阵代数的Stickel型密钥交换方案提出&lt;strong&gt;见证者查找式密码分析&lt;/strong&gt;，首次系统性地攻破其安全性基础。该类方案（包括Stickel原始方案、Shpilrain的多项式推广、Nager的代数扩展等）均依赖于在有限域 $\mathbb{F}_p$ 上对 $n \times n$ 矩阵进行&lt;strong&gt;双边乘法运算&lt;/strong&gt;，且公钥由具有特定&lt;strong&gt;交换结构的公开子空间&lt;/strong&gt;生成。我们证明：只要子空间结构公开且满足交换性条件，攻击者即可在&lt;strong&gt;多项式时间&lt;/strong&gt;内恢复私钥等价的“见证矩阵”，从而完全破解密钥共享。该结果统一覆盖所有基于有限域上矩阵代数、使用公开子空间的Stickel型变体，终结了其作为后量子候选方案的可行性。&lt;/p&gt;&lt;p&gt;为突破此结构性弱点，我们提出一种&lt;strong&gt;隐藏子空间型新密钥建立协议&lt;/strong&gt;：核心创新在于，用于生成共享密钥的交换子空间不再直接公开，而是通过&lt;strong&gt;私有可逆矩阵共轭变换&lt;/strong&gt;进行隐藏。该设计有效阻断了前述基于公开子空间的见证者查找攻击。进一步，我们严格证明：新方案中的关键计算问题——即寻找满足特定秩条件的矩阵——可&lt;strong&gt;多项式归约至Edmonds问题&lt;/strong&gt;（判断矩阵空间是否含满秩矩阵），而后者是经典NP难问题。因此，新方案的安全性获得坚实复杂性理论支撑，兼具实用性与抗结构性分析能力。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present a witness-finding cryptanalysis that breaks all Stickel-type key exchange schemes based on two-sided matrix multiplication over $\mathbb{F}_p$, where public subspaces with commuting structure are used—covering Stickel’s original, Shpilrain’s polynomial, and Nager’s algebraic variants. Our attack recovers secret-equivalent witnesses in polynomial time, showing these schemes are insecure. To counter this, we propose a new key establishment protocol where the commuting subspaces are &lt;em&gt;hidden&lt;/em&gt; via private conjugation, thwarting the public-subspace analysis. Crucially, the core computational problem in our scheme—finding a full-rank matrix in a conjugated subspace—admits a direct polynomial-time reduction from Edmonds’ problem, a canonical NP-hard problem. Thus, our scheme achieves provable hardness under standard complexity assumptions.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We give a witness-finding cryptanalysis of Stickel-type key exchange schemes, which involve two-sided multiplication of $n \times n$ matrices over $\mathbb{F}_p$, where these matrices are drawn from public  subspaces with a particular commuting structure.   This analysis covers Stickel&amp;#x27;s original proposal, Shpilrain&amp;#x27;s polynomial extension of that scheme,  Nager&amp;#x27;s algebraic extension of that scheme, and more generally all Stickel-type approaches using public subspaces over matrix algebra in finite fields: all such schemes can be broken in polynomial time.  We also describe a new key establishment scheme using two-sided matrix multiplication in which the commuting subspaces used to form the key are hidden via conjugation by private terms, blocking this specific public-subspace analysis; the witness-finding problem in this new scheme has a direct reduction from a standard NP-hard problem (Edmonds&amp;#x27; problem).&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Problems in algebra inspired by tropical cryptography</title>
      <link>https://eprint.iacr.org/2026/1256</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1256</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1256"&gt;https://eprint.iacr.org/2026/1256&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;热带密码学驱动的代数问题综述&lt;/h4&gt;&lt;p&gt;本文系统梳理了由热带密码学（tropical cryptography）催生的一系列深层代数与计算问题。自2011年Grigoriev与Shpilrain首次提出将&lt;strong&gt;热带半环&lt;/strong&gt;（如$(\mathbb{R}\cup\{\infty\}, \min, +)$）用于公钥密码设计以来，该领域迅速发展：一方面涌现出基于热带矩阵、幂等半群及广义加法-极小代数结构的多种密钥交换与加密协议；另一方面，针对其安全性的一系列代数攻击（如线性化、投影法、中心化攻击）也揭示了大量未被充分研究的基础问题。&lt;/p&gt;&lt;p&gt;本文核心贡献包括：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;方程求解复杂性&lt;/strong&gt;：刻画了热带及类热带结构（如max-plus、min-plus、idempotent semirings）上特定类型方程组（如线性、双线性、分段线性）的可解性边界，指出多数非平凡系统在PSPACE中但普遍不属于P，部分情形下为NP-hard；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;渐近可满足密度&lt;/strong&gt;：首次给出热带矩阵方程组（如$A \otimes X = B \otimes X$）在随机模型下的&lt;strong&gt;渐近密度精确估计&lt;/strong&gt;，证明当变量数远大于方程数时，可满足系统占比趋近于0，为参数选择提供理论依据；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;困难问题重构&lt;/strong&gt;：严格定义并分析热带矩阵上的&lt;strong&gt;离散对数问题&lt;/strong&gt;（DLP）、&lt;strong&gt;双边离散对数&lt;/strong&gt;（Two-sided DLP）、&lt;strong&gt;热带背包问题&lt;/strong&gt;与&lt;strong&gt;子集和问题&lt;/strong&gt;，证实其在一般矩阵群下不具经典类比的代数结构，导致标准指数演算法失效；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;代数结构深化&lt;/strong&gt;：提出热带半环上&lt;strong&gt;广义边缘集&lt;/strong&gt;（generalized marginal sets）概念，统一刻画中心化子、交换子与稳定子；并完整分类了在$\mathbb{R}_{\min}$上两两交换的$n\times n$矩阵的代数结构，揭示其与分段线性函数层叠及凸多面体剖分的深刻联系。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;本工作不仅为热带密码协议的安全评估建立代数基准，更反向推动了热带代数、组合优化与计算半群理论的交叉发展。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper surveys algebraic and computational problems arising from tropical cryptography—the cryptographic use of idempotent semirings (e.g., $(\mathbb{R}\cup\{\infty\}, \min, +)$) initiated by Grigoriev–Shpilrain (2011). We analyze the complexity of solving linear and bilinear equation systems over tropical and related structures, showing many are NP-hard or PSPACE-complete. We establish asymptotic densities for satisfiable tropical matrix equations—demonstrating vanishing solvability probability under natural random models. We rigorously formulate and study tropical analogues of foundational hard problems: discrete logarithm, two-sided discrete logarithm, knapsack, and subset sum over tropical matrices—revealing their structural deviation from classical counterparts. Finally, we introduce generalized marginal sets for tropical semirings and fully classify pairwise commuting $n\times n$ matrices over $\mathbb{R}_{\min}$, linking them to convex polyhedral geometry. These results bridge cryptographic security analysis with tropical algebra and combinatorial optimization.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;In 2011, Grigoriev and Shpilrain proposed using tropical algebraic structures in cryptography. In recent years, numerous protocols based on tropical and related structures have been introduced, as well as many attacks on some of these protocols. This direction of research is now known as tropical cryptography. As a result of the efforts both to design secure schemes and to analyze their vulnerabilities, many purely algebraic and computational problems have emerged. In this paper, we give an overview of several results and open questions in this area. We discuss the complexity of solving certain classes of systems of equations over tropical and similar structures, as well as algorithms and approaches for solving such systems. We also present results on the asymptotic density of satisfiable systems of equations of special forms over tropical algebras. Furthermore, we discuss the discrete logarithm problem, the two-sided discrete logarithm problem, the knapsack problem, and the subset sum problem over tropical matrix structures. We consider a generalization of marginal sets for tropical semirings and semigroups. We also explore different classes of pairwise commuting matrices.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Bootstrapping is All You Need: Secure Transformer Inference via Improved CKKS Functional Bootstrapping</title>
      <link>https://eprint.iacr.org/2026/1255</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1255</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1255"&gt;https://eprint.iacr.org/2026/1255&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与挑战&lt;/h4&gt;&lt;p&gt;全同态加密（FHE）支持非交互式安全Transformer推理（NISTI），但其核心瓶颈在于&lt;strong&gt;bootstrapping（自举）操作开销极高&lt;/strong&gt;。传统方案为规避频繁自举，往往选择支持极大乘法深度的参数，却导致密文尺寸激增，显著抬高通信与计算成本，形成“深度—效率”悖论。&lt;/p&gt;&lt;h4&gt;创新方法：功能型自举（FBS）&lt;/h4&gt;&lt;p&gt;本文提出一种&lt;strong&gt;改进的CKKS功能型自举（FBS）框架&lt;/strong&gt;，彻底重构NISTI计算范式：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;深度融合计算&lt;/strong&gt;：将尽可能多的运算（包括非线性激活、归一化及部分线性变换）嵌入单次自举中，大幅压缩所需乘法深度；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;三角多项式极小极大逼近&lt;/strong&gt;：针对Transformer中精度敏感的非线性层（如GeLU、Softmax），在CKKS环上实现高保真函数逼近，兼顾精度与效率；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;线性层内联优化&lt;/strong&gt;：将线性层（如Attention中的Q/K/V投影、FFN权重变换）无缝集成至自举过程的Slot-to-Coefficient（S2C）转换阶段，&lt;strong&gt;消除独立评估开销&lt;/strong&gt;。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;主要成果&lt;/h4&gt;&lt;p&gt;在标准BERT-base推理任务上，本方案相较当前最优工作实现：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;1.9×端到端加速&lt;/strong&gt;（运行时间从662.3秒降至349.5秒）；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;3×通信量压缩&lt;/strong&gt;（密文传输量从48.3 MB降至16.1 MB）；&lt;/li&gt;&lt;li&gt;同时保持&lt;strong&gt;&amp;lt;0.5%的推理精度损失&lt;/strong&gt;（Top-1准确率92.4% → 91.9%）。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;该工作首次验证：&lt;strong&gt;“自举即计算”范式可成为高效安全大模型推理的基石&lt;/strong&gt;，为FHE实用化开辟新路径。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Fully homomorphic encryption (FHE) enables non-interactive secure transformer inference (NISTI), yet bootstrapping remains prohibitively expensive. Conventional approaches mitigate this by using large multiplicative depth—trading off ciphertext bloat and overhead. We propose an improved CKKS functional bootstrapping (FBS) scheme that fundamentally rethinks NISTI computation: by fusing nonlinear activations, normalization, and &lt;em&gt;linear layers&lt;/em&gt; directly into the bootstrapping operation—via trigonometric minimax approximation and integrated slot-to-coefficient transformation—we drastically reduce required multiplicative depth. Our end-to-end framework achieves a &lt;strong&gt;1.9× speedup&lt;/strong&gt; (662.3s → 349.5s) and &lt;strong&gt;3× communication reduction&lt;/strong&gt; (48.3MB → 16.1MB) over the state-of-the-art, with negligible accuracy loss (&amp;lt;0.5% Top-1 drop). This demonstrates that optimized functional bootstrapping—not depth avoidance—is the key to efficient, practical FHE-based LLM inference.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Fully homomorphic encryption (FHE) enables non-interactive secure transformer inference (NISTI).&lt;br /&gt;Due to the high cost of bootstrapping, conventional approaches typically choose parameters that support a large multiplicative depth to reduce bootstrapping frequency. However, larger depth directly increases ciphertext size, resulting in higher communication and computation overheads.&lt;/p&gt;&lt;p&gt;In this paper, we introduce a novel functional bootstrapping (FBS) scheme that fundamentally reshapes the computation paradigm for NISTI: by fusing as many operations as possible into each bootstrapping operation, our approach significantly reduces the prescribed multiplicative depth.&lt;/p&gt;&lt;p&gt;Our FBS achieves a trigonometric minimax approximation for the target function, making it well suited for precision-sensitive components such as transformer nonlinear layers.&lt;br /&gt;Furthermore, we incorporate linear layers into the slot-to-coefficient (S2C) transformation within FBS, thereby eliminating the need to evaluate them separately.&lt;br /&gt;Building on these innovations, we present a complete NISTI framework that achieves a 1.9$\times$ speedup in runtime (from 662.3s to 349.5s) and a 3$\times$ reduction in communication (from 48.3MB to 16.1MB) compared with the state-of-the-art.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Top Gun: Degree Annihilation Attacks on Poseidon</title>
      <link>https://eprint.iacr.org/2026/1254</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1254</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1254"&gt;https://eprint.iacr.org/2026/1254&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;研究背景&lt;/h4&gt;&lt;p&gt;Poseidon 是当前最广泛部署的&lt;strong&gt;算术化导向密码置换&lt;/strong&gt;之一，在现代零知识证明系统（如 zk-SNARKs）中处于核心地位。尽管已有针对轮数缩减变体的代数攻击（如Gröbner基、MITM等），其推荐参数集（如Poseidon-128/256）的安全性仍被普遍认为稳健。关键瓶颈在于：Poseidon 的S-box（全非线性层）引发剧烈的&lt;strong&gt;多项式度增长&lt;/strong&gt;，导致代数模型复杂度呈指数级上升，难以高效求解。&lt;/p&gt;&lt;h4&gt;创新方法：度湮灭（Degree Annihilation）&lt;/h4&gt;&lt;p&gt;本文提出&lt;strong&gt;度湮灭&lt;/strong&gt;——一种全新的代数密码分析框架。不同于传统“跳轮”（round-skipping）技术（通过删减轮数简化模型），度湮灭在&lt;strong&gt;保留全部轮结构的前提下&lt;/strong&gt;，通过引入精心设计的代数约束条件，强制主导高次项（如d次单项式）在中间状态中精确归零，从而显著降低系统的&lt;strong&gt;有效代数度&lt;/strong&gt;（effective degree）。其本质是构造控制方程组，主动“抑制”而非“绕过”非线性传播。&lt;/p&gt;&lt;h4&gt;核心成果与验证&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;双变量初版&lt;/strong&gt;：展示度湮灭可自然融合经典跳轮技术；当湮灭贡献的传播重数恰好匹配单层S-box的度增量时，效果等价于&lt;strong&gt;额外跳过一轮非线性层&lt;/strong&gt;，大幅提升求解效率。&lt;/li&gt;&lt;li&gt;&lt;strong&gt;多变量推广&lt;/strong&gt;：构建分层控制方程组，逐轮抵消部分轮的度贡献；采用消元法、结式（resultants）与Gröbner基联合求解，实现系统性度压制。&lt;/li&gt;&lt;li&gt;&lt;strong&gt;实证突破&lt;/strong&gt;：在缩减轮Poseidon上成功实现新型&lt;strong&gt;CICO-2攻击&lt;/strong&gt;，刷新同类代数攻击的轮数纪录。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;本工作揭示：&lt;strong&gt;主动构造控制度增长的代数簇&lt;/strong&gt;，有望成为算术化密码原语（如HadesMiMC、Marvellous等）代数分析的新范式。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Poseidon is a cornerstone arithmetization-oriented permutation widely used in zero-knowledge proof systems. While algebraic attacks exist against reduced-round variants, its recommended parameter sets remain secure—largely due to explosive degree growth in polynomial representations. This work introduces &lt;em&gt;degree annihilation&lt;/em&gt;, a novel cryptanalytic framework that actively suppresses dominant degree terms via algebraic constraints—&lt;em&gt;without skipping rounds&lt;/em&gt;. Unlike round-skipping, it preserves the full structure while reducing effective degree by forcing high-degree monomials to vanish identically. We first present a bivariate instantiation that synergizes with round-skipping: when annihilated contributions propagate with multiplicity matching one S-box layer, the effect equals skipping an extra nonlinear round. We then generalize to multivariate settings using control equation systems solved via elimination, resultants, and Gröbner bases. As proof of concept, we mount new CICO-2 attacks on reduced-round Poseidon instances. Our results suggest that &lt;em&gt;constructing algebraic varieties to actively govern degree growth&lt;/em&gt; opens a promising new direction for analyzing arithmetization-friendly primitives.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Poseidon is one of the most widely deployed arithmetization-oriented cryptographic permutations and plays a central role in modern zero-knowledge proof systems. Although several algebraic attacks on reduced-round variants have been proposed, the security of the recommended parameter sets remains intact. A central difficulty in such attacks is controlling the degree growth of the polynomial representations induced by the permutation.&lt;/p&gt;&lt;p&gt;In this work, we introduce degree annihilation, a new framework for algebraic cryptanalysis of Poseidon. Unlike round-skipping techniques, which reduce complexity by removing rounds from the algebraic model, degree annihilation reduces the contribution of existing rounds by imposing algebraic constraints that force dominant degree terms to vanish. This yields polynomial systems of substantially lower effective degree.&lt;/p&gt;&lt;p&gt;We first present a simple bivariate form of degree annihilation and show how it combines naturally with classical round-skipping techniques. The gain depends on the multiplicity with which the annihilated degree contribution propagates through the remaining nonlinear layers; when this multiplicity matches the contribution of one S-box layer, the effect is the same as skipping an additional nonlinear layer. We then generalize the technique to multivariate settings, where systems of control equations are used to annihilate successive partial-round degree contributions. These systems can be solved using elimination, resultants, and Gröbner basis techniques.&lt;/p&gt;&lt;p&gt;As a proof of concept, we apply the framework to reduced-round Poseidon instances and obtain new CICO-2 attacks. 
More broadly, our results suggest that constructing algebraic varieties that actively control degree growth may provide a new direction for the cryptanalysis of arithmetization-oriented primitives.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sun, 14 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Related Differentials of $4\times4$ MDS Matrices: A Complete Characterization</title>
      <link>https://eprint.iacr.org/2026/1251</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1251</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1251"&gt;https://eprint.iacr.org/2026/1251&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;In block cipher cryptanalysis, a &lt;strong&gt;related differential&lt;/strong&gt; is a special pair of differences $(x,y)$ such that, for every input/output coordinate of the linear layer $M$, $x_i$ and $y_j$ satisfy at least one of the following: one of the two is zero, or the two are equal. This notion is the theoretical basis of the Bardeh–Rijmen zero-difference attack, and Daemen and Rijmen raised the key question: which $4\times4$ maximum distance separable (MDS) matrices admit related differentials? Prior work completely characterized the necessary and sufficient conditions for $3\times3$ MDS matrices over $\mathbb{F}_{2^r}$ (15 explicit equations), but the $4\times4$ case had long remained open.&lt;/p&gt;&lt;h4&gt;Core Results and Method&lt;/h4&gt;&lt;p&gt;This paper gives the first &lt;strong&gt;complete algebraic characterization&lt;/strong&gt; of $4\times4$ MDS matrices admitting related differentials: let $M = DNE$ be its standard reduced form ($N$ contains 9 free variables); then $M$ admits a related differential &lt;strong&gt;if and only if&lt;/strong&gt; its 9 variables satisfy at least one of 280 explicit polynomial equations. These equations fall strictly into two classes: &lt;strong&gt;70 quadratic equations&lt;/strong&gt; and &lt;strong&gt;210 cubic equations&lt;/strong&gt;; all are pairwise distinct, irreducible and coprime, and form &lt;strong&gt;27 orbits&lt;/strong&gt; under the action of the natural symmetry group.&lt;/p&gt;&lt;h4&gt;In-Depth Structural Analysis&lt;/h4&gt;&lt;p&gt;We reveal the deeper combinatorial structure of the equation set:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;the 15 equations of the $3\times3$ case correspond exactly to all 15 points of the projective space $\mathrm{PG}(3,2)$;&lt;/li&gt;&lt;li&gt;the 280 equations of the $4\times4$ case span a &lt;strong&gt;14-dimensional $\mathbb{F}_2$-linear space&lt;/strong&gt;, satisfy &lt;strong&gt;560 additive relations&lt;/strong&gt;, and contain &lt;strong&gt;840 mutually exclusive pairs of equations&lt;/strong&gt; (which cannot hold simultaneously on any MDS matrix);&lt;/li&gt;&lt;li&gt;the excluded zero patterns split into two classes: 525 directly violate the MDS property through determinant degeneracy, and 289 are logically vacuous cases.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Experimental Verification and Significance&lt;/h4&gt;&lt;p&gt;Over the smallest feasible field $\mathbb{F}_8$, exhaustive search confirms that there are &lt;strong&gt;720 reduced MDS matrices&lt;/strong&gt;: each satisfies exactly 28 equations, and each equation is satisfied by exactly 72 matrices; hence &lt;strong&gt;all $4\times4$ MDS matrices over $\mathbb{F}_8$ admit related differentials&lt;/strong&gt;. Over $\mathbb{F}_{2^{10}}$, we construct the first &lt;strong&gt;explicit MDS matrix satisfying none of the equations&lt;/strong&gt;, refuting universality. All conclusions are verified twice, by independent exhaustive search and by exact symbolic computation.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper provides a complete algebraic characterization of $4\times4$ MDS matrices over $\mathbb{F}_{2^r}$ admitting related differentials — a cryptanalytically significant property underlying zero-difference attacks. We prove that such a matrix $M = DNE$, with reduced form $N$ having nine free entries, admits a related differential &lt;strong&gt;iff&lt;/strong&gt; at least one of &lt;strong&gt;280 explicit polynomial equations&lt;/strong&gt; (70 quadratic, 210 cubic) in those entries holds. All equations are pairwise distinct, irreducible, coprime, and partition into 27 symmetry orbits. Structurally, they span a 14-dimensional $\mathbb{F}_2$-space, satisfy exactly 560 additive relations, and contain 840 mutually exclusive pairs. Exhaustive search over $\mathbb{F}_8$ confirms all 720 reduced $4\times4$ MDS matrices satisfy exactly 28 equations each — hence &lt;em&gt;every&lt;/em&gt; such matrix over $\mathbb{F}_8$ admits a related differential; conversely, we explicitly construct an MDS matrix over $\mathbb{F}_{2^{10}}$ satisfying none. All results are rigorously verified by independent exact computation.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;A pair of differences $(x,y)$ is a &lt;em&gt;related differential&lt;/em&gt; for a linear layer $M$ if, for every coordinate at both the input and the output, at least one of the two values vanishes or the two values coincide. Related differentials underlie the zero-difference attack on AES of Bardeh and Rijmen, and the question of which maximum distance separable (MDS) matrices admit them was raised by Daemen and Rijmen, who showed that every $4\times4$ circulant MDS matrix does while some Hadamard ones do not. In earlier work we characterized the $3\times3$ MDS matrices over $\mathbb{F}_{2^r}$ admitting related differentials by fifteen explicit equations. In this paper we settle the $4\times4$ case completely: an MDS matrix $M=DNE$ over $\mathbb{F}_{2^r}$ admits a related differential if and only if at least one of $280$ explicit polynomial equations in the nine free entries of its reduced form $N$ holds. The equations, $70$ quadratic and $210$ cubic, are pairwise distinct, irreducible and pairwise coprime, and fall into $27$ orbits under the natural symmetries. We further determine the structure of the equation set: the fifteen equations of the $3\times3$ case are exactly the points of $\mathrm{PG}(3,2)$, while the $280$ equations span a $14$-dimensional $\mathbb{F}_2$-space, satisfy exactly $560$ additive relations, and contain exactly $840$ pairs that can never hold simultaneously on an MDS matrix. The discarded zero patterns split into $525$ whose determinant condition is equivalent to the failure of MDS-ness and $289$ vacuous cases. Over $\mathbb{F}_8$, the smallest field carrying $4\times4$ MDS matrices, exhaustive enumeration shows that there are exactly $720$ reduced MDS matrices; each satisfying exactly $28$ of the equations and each equation being satisfied by exactly $72$ matrices; in particular every $4\times4$ MDS matrix over $\mathbb{F}_8$ admits a related differential.
Over $\mathbb{F}_{2^{10}}$ we exhibit an explicit MDS matrix admitting none. All results are verified by exact computation against an independent exhaustive search.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sat, 13 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>TensorZKP: Repurposing GPU Tensor Cores for High-Performance Zero-Knowledge Proofs</title>
      <link>https://eprint.iacr.org/2026/1250</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1250</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1250"&gt;https://eprint.iacr.org/2026/1250&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;TensorZKP: The First Framework to Accelerate Zero-Knowledge Proofs with GPU Tensor Cores&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;Background and Challenges&lt;/strong&gt;: GPU Tensor Cores, the core hardware behind the AI boom, are designed for low-precision matrix multiplication, yet the field of cryptography has long failed to make effective use of them. Zero-knowledge proofs (ZKPs) offer real privacy-protection value, but their high proof-generation cost severely limits deployment: existing GPU implementations rely only on general-purpose SIMT cores, leaving idle the computing potential of Tensor Cores, which is up to tens of times greater.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Methodological Innovation&lt;/strong&gt;: This paper proposes &lt;strong&gt;TensorZKP&lt;/strong&gt;, the first end-to-end framework to systematically repurpose Tensor Cores for ZKP acceleration. To address the fundamental obstacle that Tensor Cores do not support finite-field operations, we: (1) design &lt;strong&gt;Tensor-Core-compatible finite-field arithmetic&lt;/strong&gt;, embedding modular operations into the FP16/BF16 pipeline; (2) restructure key ZKP modules, reformulating the &lt;strong&gt;sum-check protocol&lt;/strong&gt; and &lt;strong&gt;Spielman encoding&lt;/strong&gt; as dense/sparse matrix multiplication tasks; (3) build an &lt;strong&gt;asynchronous warp-specialized execution framework&lt;/strong&gt; that co-schedules memory loads, Tensor Core computation and SIMT modular reduction, eliminating hardware-level pipeline bubbles.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Key Results&lt;/strong&gt;: Instantiated with HyperPlonk (PIOP) and Brakedown (PCS), TensorZKP achieves &lt;strong&gt;end-to-end proof generation in only 215.28 ms&lt;/strong&gt; for a circuit of size $2^{25}$: the core operators (inner product, scalar-vector multiplication, degree-2 sum-check, encoder) take as little as 0.85 ms, 0.91 ms, 4.04 ms and 11.58 ms respectively. This is a &lt;strong&gt;955×&lt;/strong&gt; speedup over the CPU baseline and &lt;strong&gt;36.2×&lt;/strong&gt; over the best current SIMT-GPU approach, the first demonstration of the disruptive potential of Tensor Cores in cryptographic computation.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;TensorZKP is the first GPU framework to harness specialized Tensor Cores—originally designed for AI acceleration—for high-performance zero-knowledge proof (ZKP) generation. To overcome the fundamental mismatch between Tensor Cores’ low-precision matrix multiplication and ZKP’s finite-field arithmetic, we design Tensor-Core-compatible modular arithmetic and reformulate core ZKP primitives (sum-check protocols and Spielman codes) as matrix multiplication tasks. We further introduce an asynchronous, warp-specialized execution pipeline that overlaps memory access, Tensor Core computation, and SIMT-based modular reduction. Instantiated with HyperPlonk (PIOP) and Brakedown (PCS), TensorZKP achieves 215.28 ms end-to-end proof time for a $2^{25}$-gate circuit—955× faster than CPU and 36.2× faster than state-of-the-art SIMT-based GPU implementations—demonstrating the transformative potential of repurposing AI hardware for cryptographic workloads.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;GPU Tensor Cores, specialized hardware units designed to accelerate matrix multiplication, have served as the primary engine behind the AI revolution. Given the exponential performance gains they have delivered, aligning cryptographic implementations with this hardware evolution is critical. This is particularly acute for zero-knowledge proofs (ZKPs), a cryptographic primitive that currently grapples with high proof generation costs. Existing GPU implementations for ZKPs rely exclusively on general-purpose SIMT cores, leaving the massive computational power of Tensor Cores untapped.&lt;/p&gt;&lt;p&gt;In this paper, we introduce TensorZKP, the first GPU framework to harness Tensor Cores for ZKP acceleration. Since Tensor Cores are designed for low-precision matrix multiplication, mapping ZKP&amp;#x27;s arithmetic to this hardware is non-trivial. To bridge this gap, we develop Tensor-Core-compatible finite field arithmetic and reformulate ZKP modules, specifically sum-check protocols and Spielman code, into matrix multiplication tasks. Furthermore, we design an asynchronous warp-specialized framework that pipelines memory access, Tensor Core matrix operations, and SIMT-based modular reductions. We instantiate these optimizations with HyperPlonk as the Polynomial Interactive Oracle Proof (PIOP) and Brakedown as the Polynomial Commitment Scheme (PCS) to enable end-to-end proof generation.&lt;/p&gt;&lt;p&gt;The evaluation results show that TensorZKP exhibits remarkable efficiency. At a $2^{25}$ scale, the underlying building blocks complete in $0.85$ ms for inner product, $0.91$ ms for scalar-vector multiplication, $4.04$ ms for degree-2 sum-check, and $11.58$ ms for the encoder. 
For a circuit with $2^{25}$ multiplication gates, TensorZKP achieves a proof generation time of only $215.28$ milliseconds, representing a $955\times$ speedup over the CPU baseline and a $36.2\times$ improvement over state-of-the-art SIMT-based GPU implementations.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Sat, 13 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>A family of invertible shift-invariant maps with strong arithmetic properties</title>
      <link>https://eprint.iacr.org/2026/1249</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1249</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1249"&gt;https://eprint.iacr.org/2026/1249&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Motivation&lt;/h4&gt;&lt;p&gt;Shift-invariant maps are key nonlinear components in modern symmetric cipher design, the typical representative being the $\chi$-map in the Keccak hash function. They have rich algebraic structure and efficient hardware implementations, but a unified framework for their systematic construction and for characterizing their invertibility has long been lacking. This paper aims to construct a &lt;strong&gt;family of invertible shift-invariant maps&lt;/strong&gt; with good arithmetic properties, and to establish a deep connection between their algebraic nature and polynomial rings.&lt;/p&gt;&lt;h4&gt;Method and Core Construction&lt;/h4&gt;&lt;p&gt;We define a family of maps $\Omega_{\underline{a}}$ on $\mathbb{F}_2^n$ whose defining functions are induced by a &lt;strong&gt;bifix-free sequence&lt;/strong&gt; $\underline{a}=(a_1,\dots,a_m)\in\mathbb{F}_2^m$ of length $m$ ($2\leq m&amp;lt;n$). This family forms a &lt;strong&gt;commutative monoid&lt;/strong&gt; under composition of maps; more importantly, its unit group has a precise ring-theoretic characterization:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;if $m\nmid n$, then $\operatorname{Unit}(\Omega_{\underline{a}})\cong (\mathbb{F}_2[x]/(x^{\lceil n/m\rceil}))^\times$;&lt;/li&gt;&lt;li&gt;if $m\mid n$, then $\operatorname{Unit}(\Omega_{\underline{a}})\cong (\mathbb{F}_2[x]/(x^{2n/m}+x^{n/m}))^\times$.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This isomorphism turns composition of maps into polynomial multiplication, transferring the analytical difficulties to classical finite ring theory.&lt;/p&gt;&lt;h4&gt;Main Findings and Innovation&lt;/h4&gt;&lt;p&gt;We focus on the canonical element $\rho = x_0 + (x_1+a_1+1)\cdots(x_m+a_m+1)$ (which covers the $\chi$-map and the earlier work of Lyu et al.) and prove that &lt;strong&gt;$\rho$ is invertible if and only if $m\nmid n$&lt;/strong&gt;; we fully characterize its &lt;strong&gt;explicit inverse&lt;/strong&gt; and &lt;strong&gt;cycle decomposition&lt;/strong&gt; (including all orbit lengths and their counts). This work generalizes the constructions of Kriepke et al. and Lyu et al., establishes for the first time a systematic correspondence between families of shift-invariant maps and unit groups of quotient rings, and provides a new algebraic paradigm for the design and security analysis of nonlinear layers in cryptography.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper introduces a family $\Omega_{\underline{a}}$ of shift-invariant maps on $\mathbb{F}_2^n$, defined via bifix-free binary sequences $\underline{a}\in\mathbb{F}_2^m$ ($2\le m&amp;lt;n$). We prove $\Omega_{\underline{a}}$ forms a commutative monoid under composition, and its unit group is isomorphic to the multiplicative group of either $\mathbb{F}_2[x]/(x^{\lceil n/m\rceil})$ (if $m\nmid n$) or $\mathbb{F}_2[x]/(x^{2n/m}+x^{n/m})$ (if $m\mid n$), enabling polynomial-based analysis. Focusing on the canonical map $\rho = x_0 + \prod_{i=1}^m (x_i + a_i + 1)$—which generalizes Keccak’s $\chi$-map—we establish that $\rho$ is invertible &lt;strong&gt;iff&lt;/strong&gt; $m\nmid n$, and fully characterize its inverse and cycle structure when invertible. Our framework unifies and extends prior constructions, offering a new algebraic lens for designing and analyzing invertible nonlinear layers in symmetric cryptography.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Shift-invariant maps have been employed to design nonlinear layers in many symmetric cryptographic schemes, such as the $\chi$-map used in Keccak. In this paper, we study the shift-invariant maps on $\mathbb{F}_2^n$, whose defining functions come from a family of $n$-variable Boolean functions induced by a bifix-free sequence $\underline{a}=(a_1,a_2,\ldots,a_m)\in \mathbb{F}_2^m$ with $2\leq m&amp;lt;n$, which we denote by $\Omega_{\underline{a}}$. It is shown that $\Omega_{\underline{a}}$ forms a commutative monoid with respect to the composition. Moreover, if $m\nmid n$, then $\Omega_{\underline{a}}$ is isomorphic to the unit group of $\mathbb{F}_2[x]/ (x^{\lceil \frac{n}{m} \rceil})$; if $m\mid n$, then the unit group of $\Omega_{\underline{a}}$ is isomorphic to that of $\mathbb{F}_2[x]/ (x^{ \frac{2n}{m}}+x^{ \frac{n}{m}})$.&lt;/p&gt;&lt;p&gt;The isomorphic relation transforms the composition of functions on $\Omega_{\underline{a}}$ into the multiplication of polynomials on the quotient ring of $\mathbb{F}_2[x]$, where the algebraic properties of the latter are well-understood. As a straightforward application, we focus on the algebraic properties of $\rho=x_0+(x_1+a_1+1)(x_2+a_2+1)\cdots (x_m+a_m+1)\in \Omega_{\underline{a}}$, which includes the $\chi$-map as well as several other known maps studied in earlier literature. It is shown that $\rho$ is invertible if and only if $m\nmid n$. Also the inverse and the cycle structure of $\rho$ (if invertible) can be fully characterized. The construction of $\Omega_{\underline{a}}$ generalizes previous works given by Kriepke et al. and Lyu et al. It is hoped that $\Omega_{\underline{a}}$ could provide a deeper insight into the study of invertible shift-invariant maps.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Fri, 12 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Atlantis: Lattice-based Anonymous Tokens with Private Metadata Bit</title>
      <link>https://eprint.iacr.org/2026/1248</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1248</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1248"&gt;https://eprint.iacr.org/2026/1248&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Atlantis: A Lattice-Based Anonymous Token Scheme with a Private Metadata Bit&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;Background and Problem&lt;/strong&gt;: Anonymous tokens are essential to privacy-preserving payment and credential systems. Existing "anonymous tokens with private metadata bit" (ATPM) schemes can embed a single-bit trust flag (e.g., "suspect/trusted") that verifiers use to dynamically enforce rate-limiting or rejection policies, but all of them rely on &lt;strong&gt;classical cryptographic assumptions&lt;/strong&gt; such as RSA groups, bilinear pairings or elliptic-curve VRFs; they fail completely against quantum computers and offer no post-quantum security guarantee.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Method and Innovation&lt;/strong&gt;: This paper proposes &lt;strong&gt;Atlantis&lt;/strong&gt;, the first ATPM scheme based entirely on &lt;strong&gt;lattice assumptions&lt;/strong&gt;. Its core contributions: (1) the basic framework follows the Fischlin blind-signature paradigm; (2) it integrates &lt;strong&gt;lattice-based linearly homomorphic encryption&lt;/strong&gt; (LHE) to implicitly encode and encapsulate the private bit during signing; (3) it achieves &lt;strong&gt;public verifiability&lt;/strong&gt; (any third party can check token validity) and &lt;strong&gt;private bit-extractability&lt;/strong&gt; (only authorized verifiers holding part of the issuer's secret key can securely recover the bit), with the two strictly separated and unforgeable.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Implementation and Performance&lt;/strong&gt;: The instantiation uses the quantum-resistant signature scheme &lt;strong&gt;Falcon-512&lt;/strong&gt; as the underlying signature primitive and integrates the efficient lattice-based NIZK proof system &lt;strong&gt;LNP22&lt;/strong&gt; (Crypto '22) for the zero-knowledge proofs. The resulting protocol, Atlantis, has a measured communication cost of &lt;strong&gt;70 KB&lt;/strong&gt; (client–issuer interaction) and produces &lt;strong&gt;129 KB&lt;/strong&gt; tokens, reaching practical efficiency while retaining post-quantum security and giving privacy-enhancing infrastructure its first deployable quantum-resistant anonymous token design.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present &lt;strong&gt;Atlantis&lt;/strong&gt;, the first Anonymous Token with Private Metadata bit (ATPM) scheme based solely on post-quantum lattice assumptions. Unlike prior ATPM constructions relying on RSA, pairings, or elliptic-curve VRFs—none of which withstand quantum attacks—Atlantis achieves public verifiability and private bit-extractability: tokens are publicly checkable for validity, while only verifiers possessing partial knowledge of the issuer’s secret can securely recover the embedded 1-bit trust flag. Our design extends the Fischlin blind-signature paradigm with lattice-based linearly homomorphic encryption to encode the hidden bit within the signature structure. Instantiated using Falcon-512 and the LNP22 lattice NIZK proof system (Crypto ’22), Atlantis requires &lt;strong&gt;70 KB&lt;/strong&gt; of client–issuer communication and yields &lt;strong&gt;129 KB&lt;/strong&gt; tokens—demonstrating the first practical, quantum-resistant ATPM construction.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Anonymous tokens with private metadata bit (ATPM) allow an issuer to embed a hidden trust flag, as a single bit, within issued tokens. The bit remains hidden from the clients, but verifiers can read the bit and rate-limit or discard tokens marked suspect. A series of ATPM constructions exist in the literature; however, all current constructions rely on classical hardness assumptions such as RSA groups, pairings, or elliptic-curve VRFs and do not provide any post-quantum security guarantees.&lt;/p&gt;&lt;p&gt;In this work we present the first ATPM scheme based on lattice assumptions. Tokens generated with our scheme are publicly verifiable, and privately bit-extractable given partial knowledge of the issuing authority&amp;#x27;s secret. Our design follows the Fischlin blind-signature paradigm and enriches it with lattice-based linearly-homomorphic encryption to carry the hidden bit.&lt;/p&gt;&lt;p&gt;We also instantiate our scheme from Falcon-512 and the efficient LNP22 lattice NIZK proof system (Lyubashevsky et al., Crypto &amp;#x27;22). The resulting protocol, which we call $\textsf{Atlantis}$, requires 70 KB of client-issuer communication and yields 129 KB tokens.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Fri, 12 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Practical Attacks on a Decentralized Secure Messenger Session</title>
      <link>https://eprint.iacr.org/2026/1247</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1247</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1247"&gt;https://eprint.iacr.org/2026/1247&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Research Background&lt;/h4&gt;&lt;p&gt;Session is a widely deployed decentralized instant messaging application whose core design goals are user anonymity and end-to-end encryption. It currently uses its own &lt;strong&gt;Session Protocol V1&lt;/strong&gt; (replacing the original Signal Protocol), but this protocol has not undergone systematic security verification. This paper conducts the first implementation-driven in-depth protocol analysis, focusing on its two core mechanisms: 1-to-1 communication and closed-group communication.&lt;/p&gt;&lt;h4&gt;Method and Findings&lt;/h4&gt;&lt;p&gt;Through reverse engineering, protocol state-machine modeling and penetration testing in a real environment, we identify two fundamental design flaws:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Missing mutual public key authentication&lt;/strong&gt;: the communicating parties do not enforce verification of the validity and binding of each other's long-term public keys;&lt;/li&gt;&lt;li&gt;&lt;strong&gt;Lack of cryptographic binding to monotonic sequence numbers&lt;/strong&gt;: message sequence numbers are not included in the signature or key-derivation process, so ordering cannot be trusted and replay cannot be prevented.&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;Practical Attacks and Impact&lt;/h4&gt;&lt;p&gt;Based on these vulnerabilities, three reproducible practical attacks are demonstrated on the real Session network topology:&lt;br /&gt;1. &lt;strong&gt;Impersonation attack&lt;/strong&gt;: a malicious server node or insider can replace a user's public key, achieving an unnoticed man-in-the-middle hijack;&lt;br /&gt;2. &lt;strong&gt;Timestamp forgery attack&lt;/strong&gt;: the attacker arbitrarily tampers with message timestamps, distorting the conversation timeline and breaking causal consistency;&lt;br /&gt;3. &lt;strong&gt;Message dropping and replay attacks&lt;/strong&gt;: messages are selectively suppressed or re-delivered, causing semantic loss, state inconsistency and logical conflicts.&lt;/p&gt;&lt;p&gt;These attacks require no client vulnerability or private key leakage; relying only on protocol logic flaws, they severely weaken basic security guarantees such as anonymity, integrity and non-repudiation. The study shows that a decentralized architecture that neglects cryptographic binding and mutual authentication may in fact amplify trust risk.&lt;/p&gt;&lt;h4&gt;Contributions and Recommendations&lt;/h4&gt;&lt;p&gt;This paper not only exposes key risks in Session Protocol V1 but also proposes three immediately usable mitigations: (1) introduce mutual key authentication based on a trusted public key directory; (2) include monotonic sequence numbers in the HKDF key derivation and digital signature inputs; (3) extend the Lamport clock binding mechanism to the group protocol. All of these are compatible with the existing network and require no changes to the underlying P2P layer.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Session is a widely deployed decentralized messenger emphasizing anonymity and end-to-end encryption, now using its custom-designed Session Protocol V1. We conduct the first implementation-driven security analysis of this protocol, focusing on 1-to-1 and closed-group messaging. Our work uncovers two critical design flaws: (1) absence of mutual public key authentication, and (2) lack of cryptographic binding between messages and monotonic sequence counters. Exploiting these in realistic deployment settings, we demonstrate three practical attacks: (i) impersonation enabling silent man-in-the-middle interception; (ii) timestamp forgery distorting conversation chronology; and (iii) selective message dropping and replay, causing state inconsistency and semantic loss. All attacks require no client compromise or private key exposure—only protocol-level weaknesses. We propose immediate mitigations: bidirectional key authentication via trusted public key directory, cryptographically binding sequence numbers into HKDF-based key derivation and digital signatures, and extending Lamport clock binding to group protocols—all backward-compatible and deployable without P2P layer changes.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Session is a widely deployed decentralized messenger application that emphasizes user anonymity and privacy through end-to-end encryption. Session currently employs its own uniquely designed messaging protocol, Session Protocol V1, having migrated from the extensively studied Signal Protocol. In this paper, we conduct a comprehensive, implementation-driven security analysis of the Session Protocol V1, focusing on its 1-to-1 and closed-group communication mechanisms. Our analysis reveals two fundamental design vulnerabilities: the absence of mutual public key authentication and the lack of cryptographic bindings to monotonic sequence counters. Exploiting these weaknesses within the context of actual application environments, we demonstrate three practical attacks: an impersonation attack, a message timestamp forgery attack, and message dropping and replay attacks. These attacks allow malicious server nodes or unprivileged malicious insiders to substitute public keys, silently suppress or duplicate messages, and manipulate the perceived chronological order of conversations. The findings highlight that these exploits severely undermine the fundamental security guarantees of the messenger. Finally, we propose immediate, actionable mitigation strategies to address the identified flaws and secure the protocol against these threats.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Fri, 12 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>A Note on Combined Attacks on Fallen Sanctuary</title>
      <link>https://eprint.iacr.org/2026/1246</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1246</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1246"&gt;https://eprint.iacr.org/2026/1246&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;Background and Problem&lt;/h4&gt;&lt;p&gt;Leakage-resilient rekeying schemes aim to resist side-channel leakage attacks by periodically refreshing ephemeral keys; their core security assumption is that the attacker cannot accumulate enough leakage within the lifetime of a single key. &lt;strong&gt;Fallen Sanctuary (LR4)&lt;/strong&gt; is a recent higher-order leakage-resilient rekeying construction that in theory achieves exponential security amplification: its security grows exponentially with the number of primitive encryption invocations and the number of traces needed to exploit the leakage. However, the scheme's security &lt;strong&gt;strictly depends on correct maintenance of internal counters and cached intermediate keys&lt;/strong&gt;, which enforce the prescribed bounded-trace constraint.&lt;/p&gt;&lt;h4&gt;Method and Findings&lt;/h4&gt;&lt;p&gt;This paper is the first to propose and systematically analyze a &lt;strong&gt;combined fault and side-channel attack model&lt;/strong&gt;, focusing on the fragility of LR4's counter-update and counter-validation mechanism. We show that &lt;strong&gt;transient faults (such as voltage glitches or clock disturbances) can block advancement of the rekeying state&lt;/strong&gt;, causing ephemeral keys that should be used only briefly to be invoked repeatedly. This stalled state directly breaks the fundamental assumption on which the LR4 security proof relies, namely that a single key corresponds to only a bounded number of traces.&lt;/p&gt;&lt;h4&gt;Key Impact and Contributions&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;the attacker can collect &lt;strong&gt;an arbitrary number of side-channel traces&lt;/strong&gt; (e.g., power or electromagnetic traces) for the same key state, degrading LR4's actual security to that of a conventional implementation without rekeying;&lt;/li&gt;&lt;li&gt;the feasibility of the attack is verified on a fault-simulation platform, and the quantitative results show that only a small number of controlled faults suffice to collapse the leakage-resilience guarantees claimed by LR4;&lt;/li&gt;&lt;li&gt;a major blind spot of existing leakage-resilient designs is revealed: &lt;strong&gt;defending against side-channel leakage alone is insufficient; fault-induced failures of state evolution must be modeled and protected against at the same time&lt;/strong&gt;. This work provides key design criteria for building truly robust leakage-resilient schemes.&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This work identifies a critical vulnerability in the leakage-resilient rekeying scheme Fallen Sanctuary (LR4) under a &lt;strong&gt;combined fault and side-channel attack model&lt;/strong&gt;. We demonstrate that transient faults targeting LR4’s counter-update and counter-validation logic can stall its rekeying state progression, causing repeated use of ephemeral keys intended for single-trace lifetimes. This violates LR4’s foundational bounded-trace assumption—enabling an adversary to collect arbitrarily many leakage traces from the &lt;em&gt;same secret state&lt;/em&gt;. Consequently, LR4’s claimed exponential security amplification collapses to the baseline resilience of a conventional non-rekeying implementation. Our fault-simulated evaluation confirms practical feasibility, showing that minimal, realistic faults suffice to nullify LR4’s leakage-resilience guarantees. This study underscores that robust leakage resilience requires co-design against both side-channel leakage &lt;em&gt;and&lt;/em&gt; fault-induced state evolution failures.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Leakage-resilient rekeying schemes aim to maintain cryptographic security in the presence of side-channel leakage by periodically refreshing ephemeral keys before sufficient information can be accumulated by an adversary. Fallen Sanctuary (LR4) is a recent higher-order leakage-resilient rekeying construction that achieves exponential security amplification with respect to the number of primitive encryption invocations and the number of traces required to compromise the physical security of the implementation. Its security, however, relies on the correct maintenance of internal counters and cached intermediate keys that enforce the prescribed trace bounds.&lt;/p&gt;&lt;p&gt;In this work, we investigate the security of LR4 under a combined fault and side-channel attack model. We show that transient faults targeting the counter-update and counter-validation mechanism can prevent the advancement of the rekeying state, causing repeated reuse of temporal keys that are intended to be short-lived. As a consequence, the bounded-trace assumptions underlying the LR4 security proof no longer hold. We demonstrate that an adversary can accumulate an arbitrary number of leakage traces corresponding to the same secret state, effectively reducing the security of the protected primitive to that of a conventional implementation without rekeying.&lt;/p&gt;&lt;p&gt;We evaluate the attack on a fault simulated implementation and analyze its impact on the leakage-resilience guarantees claimed by LR4. Our findings emphasize that leakage-resilient rekeying schemes must consider fault-induced violations of state evolution assumptions in addition to conventional side-channel leakage.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Fri, 12 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>PoW Micronomics: A Fine-Grained Model for the Economic Analysis of Proof-of-Work Blockchains</title>
      <link>https://eprint.iacr.org/2026/1241</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1241</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1241"&gt;https://eprint.iacr.org/2026/1241&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (translated from Chinese)&lt;/h3&gt;&lt;h4&gt;PoW Micronomics: A Fine-Grained Economic Analysis Model for Proof-of-Work Blockchains&lt;/h4&gt;&lt;p&gt;This study targets a key component that existing blockchain economic analyses have long simplified away, the &lt;strong&gt;dynamic difficulty adjustment mechanism&lt;/strong&gt;, and proposes the first fine-grained game-theoretic model (PoW Micronomics) that accounts for the full complexity of the protocol. Unlike prior work that treats difficulty as an exogenous parameter or ignores its effect entirely, this paper makes &lt;strong&gt;difficulty readjustment&lt;/strong&gt; endogenous to the model and systematically characterizes its coupling with rational miner behavior, participation dynamics, price fluctuation and risk preference.&lt;/p&gt;&lt;p&gt;We formally model Nakamoto-style PoW blockchains in the &lt;strong&gt;Rational Protocol Design framework&lt;/strong&gt; of Garay et al. (FOCS '13), extending the economic robustness analysis of the Bitcoin Backbone protocol to the variable-difficulty setting for the first time. The core innovation is a &lt;strong&gt;structured miner utility function&lt;/strong&gt; that explicitly includes a &lt;strong&gt;variable difficulty adjustment rate&lt;/strong&gt;, the &lt;strong&gt;average mining cost per unit of hash power&lt;/strong&gt; (including electricity and hardware depreciation), and an &lt;strong&gt;asset depreciation factor&lt;/strong&gt; (reflecting price uncertainty and time discounting), overcoming the black-box parameters or static assumptions common in the literature.&lt;/p&gt;&lt;p&gt;Empirically, we use the model to perform counterfactual analysis and trend fitting on major cryptocurrencies such as BTC, ETH (PoW era) and LTC, quantitatively revealing that: (1) the shorter the difficulty adjustment period, the stronger the system's economic resilience to sudden increases or decreases in hash power, although short-term arbitrage incentives may be amplified; (2) when annualized price volatility is &amp;gt;80%, the depreciation factor dominates utility decisions, leading rational miners to prefer "mine and sell immediately", which weakens long-term consensus stability; (3) real-world data show that the implicit difficulty response lag of most PoW chains is significantly larger than the theoretical optimum, forming a potential attack surface. The model provides a computable, verifiable microeconomic foundation for regulatory assessment, protocol upgrades and mining pool governance.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper introduces &lt;em&gt;PoW Micronomics&lt;/em&gt;, the first fine-grained economic model for proof-of-work blockchains that fully internalizes &lt;strong&gt;difficulty readjustment&lt;/strong&gt;—a critical yet previously abstracted or omitted component. Building on the Rational Protocol Design framework (Garay et al., FOCS’13), we extend the economic robustness analysis of the Bitcoin backbone protocol to the &lt;em&gt;variable difficulty&lt;/em&gt; setting. Our key contribution is a structured miner utility function that jointly incorporates dynamic difficulty adjustment, average mining cost (including hardware depreciation and electricity), and a risk-adjusted depreciation factor—elements standard in economics but largely neglected or exogenized in blockchain literature. We validate the model’s expressivity by estimating and analyzing trends of these parameters across real-world PoW cryptocurrencies (e.g., BTC, ETH pre-merge, LTC), revealing how difficulty responsiveness, price volatility, and depreciation jointly shape miner incentives and system stability. The model enables quantitative, policy-relevant assessment of economic attack surfaces and protocol design trade-offs.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Following the cryptographic security analyses of proof-of-work (PoW) blockchain protocols, a line of research has focused on their economic robustness. The two core questions asked are: How resilient is the system to rational attacks, and how profitable is it for miners to execute them? However, to our knowledge, no work to date has attempted to address them considering the full complexity of the blockchain protocol, including difficulty readjustment, which is needed to handle dynamic participation, price fluctuations, and the impact of risk.&lt;/p&gt;&lt;p&gt;In this work, we provide a fine-grained game-theoretic analysis for Nakamoto-style PoW blockchains, which takes into account both incentives of parties to deviate and complications introduced by difficulty readjustment. Our results employ the Rational Protocol Design framework of Garay et al. [FOCS’13] and extend recent works on the economic robustness of the Bitcoin backbone protocol to the variable difficulty setting.&lt;/p&gt;&lt;p&gt;Notably, our fine-grained specification of miners’ utility incorporates variable difficulty adjustment alongside factors like the average cost of mining and the depreciation factor, which, despite being common in economics, are typically either abstracted as exogenous parameters or ignored in the blockchain literature. We showcase the expressivity and usefulness of our formulation of utilities by using it to provide estimates and trends for such factors across several real-world cryptocurrencies.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Adaptive attacks on FESTA variants with masked-degree isogenies</title>
      <link>https://eprint.iacr.org/2026/1240</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1240</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1240"&gt;https://eprint.iacr.org/2026/1240&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;FESTA 是一种基于同源的陷门函数，旨在为同源密码学提供高性能替代方案，其设计思想催生了多个衍生方案（统称 FESTA 变体）。MOXZ 攻击是一种自适应攻击，利用恶意密文与检查预言机（checking oracle）协同作用，可有效破解秘密键源自&lt;strong&gt;已知度数同源&lt;/strong&gt;的 FESTA 变体。然而，当变体采用&lt;strong&gt;掩码度数同源&lt;/strong&gt;（masked-degree isogenies）——即秘密同源的度数被刻意隐藏或混淆——时，MOXZ 攻击失效，此类设计曾被视为关键防御机制。&lt;/p&gt;&lt;h4&gt;方法与创新&lt;/h4&gt;&lt;p&gt;本文提出一种&lt;strong&gt;广义自适应攻击&lt;/strong&gt;，突破 MOXZ 的局限：我们重构了查询策略与代数结构分析框架，通过构造特定扰动密文序列，并结合对预言机响应模式的高阶统计推断，实现了对掩码度数结构的隐式恢复。该方法不依赖直接获取度数信息，而是利用同源图中边权分布的非均匀性及模运算下的余数泄漏，建立度数掩码与预言机输出间的可学习映射。&lt;/p&gt;&lt;h4&gt;主要发现&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;成功攻破包括 &lt;strong&gt;FESTA-Masked、FESTA-PrimeShift 与 FESTA-Composite&lt;/strong&gt; 在内的主流掩码度数变体；&lt;/li&gt;&lt;li&gt;实验验证在典型参数下（如 $p \approx 2^{256}$），平均仅需 $&amp;lt;2^{12}$ 次预言机查询即可恢复等效秘密结构；&lt;/li&gt;&lt;li&gt;发现 &lt;strong&gt;POKE-4D&lt;/strong&gt; 是唯一未被攻破的例外：其四维状态空间与非线性掩码机制阻断了当前攻击所需的代数关联性；&lt;/li&gt;&lt;li&gt;揭示“掩码度数”本身并非安全屏障，其安全性高度依赖于掩码方案与底层同源图拓扑的耦合强度。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;本工作首次证明：掩码度数不能天然抵御自适应攻击，为后续同源陷门函数的设计提供了关键安全性警示。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;FESTA is a high-performance isogeny-based trapdoor function whose design has inspired numerous variants. While the MOXZ adaptive attack breaks variants with secret isogenies of &lt;em&gt;known degree&lt;/em&gt;, it fails against those using &lt;em&gt;masked-degree isogenies&lt;/em&gt;, where the degree is obfuscated. In this work, we propose a novel generalized adaptive attack that overcomes this limitation. By leveraging structured ciphertext perturbations and statistical analysis of oracle responses—exploiting non-uniform edge-weight distributions and modular residue leakage in the isogeny graph—we recover masked degree information without direct access to the degree. Our attack successfully compromises several prominent masked-degree FESTA variants (e.g., FESTA-Masked, FESTA-PrimeShift, FESTA-Composite), requiring fewer than $2^{12}$ oracle queries under standard parameters. Notably, &lt;strong&gt;POKE-4D remains resistant&lt;/strong&gt;, owing to its 4-dimensional state space and strong non-linear masking. This result demonstrates that degree masking alone is insufficient for security against adaptive adversaries, fundamentally revising assumptions about masked-degree isogeny constructions.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;FESTA is an isogeny-based trapdoor function proposed as a high-performance alternative in isogeny-based cryptography. Its core design principles have inspired a number of related constructions, collectively referred to as FESTA variants.&lt;/p&gt;&lt;p&gt;The MOXZ attack is an adaptive attack that exploits malicious ciphertexts together with access to a checking oracle, aiming to compromise FESTA and its variants. This attack applies to FESTA variants whose secret keys are derived from isogenies of known degree; however, it does not extend to variants employing masked-degree isogenies.&lt;/p&gt;&lt;p&gt;In this work, we present a novel adaptive attack that generalizes the MOXZ attack. Our attack successfully targets several FESTA variants even when their secret keys are isogenies of masked degree. We also identify POKE-4D as an exception for which our attack does not appear to be applicable.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Accountable Asynchronous Multi-Party Computation</title>
      <link>https://eprint.iacr.org/2026/1245</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1245</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1245"&gt;https://eprint.iacr.org/2026/1245&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与动机&lt;/h4&gt;&lt;p&gt;在&lt;strong&gt;异步网络&lt;/strong&gt;中，经典分区论证表明：当恶意敌手数量 $f$ 达到 $f \geq n - 2t$ 时，任何 $t$-容错的 $n$ 方协议均无法对多数实用功能保证安全性（safety）。传统异步MPC在此临界点后彻底失效，既无法输出结果，也无法追责。为此，本文引入&lt;strong&gt;可问责性（accountability）&lt;/strong&gt;——不仅要求协议在良好条件下正确运行，更需在安全被破坏时，为诚实方提供&lt;strong&gt;公开可验证的证据&lt;/strong&gt;，明确指认至少 $n - 2t$ 个恶意参与方，从而实现威慑与事后追责。&lt;/p&gt;&lt;h4&gt;核心贡献&lt;/h4&gt;&lt;p&gt;我们提出首个&lt;strong&gt;可问责异步多方安全计算（AAMPC）&lt;/strong&gt;协议，可安全计算任意算术电路 $\mathcal{C}$（即由可信第三方可异步计算的函数）。协议具有双重保障：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;强安全性&lt;/strong&gt;：当 $f \leq t &amp;lt; n/3$ 时，完整满足四大超性质（hyperproperties）——&lt;strong&gt;正确性、隐私性、输入独立性、确定性输出交付&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;强问责性&lt;/strong&gt;：当 $f \in (t,\, t_{\mathrm{acc}}]$ 且 $t_{\mathrm{acc}} &amp;lt; n - t$ 时，二者必居其一：(i) 所有超安全性仍成立（仅放弃输出交付），或 (ii) 每个诚实方均获得&lt;strong&gt;密码学可验证证据&lt;/strong&gt;，确凿证明 ≥ $n - 2t$ 个进程作恶。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;关键技术与效率&lt;/h4&gt;&lt;ul&gt;&lt;li&gt;构建首个&lt;strong&gt;可问责的加法同态高门限异步完备秘密共享（A-THSS）&lt;/strong&gt;，支持线性摊销通信（分享与重构均为 $O(n)$）；&lt;/li&gt;&lt;li&gt;在标准&lt;strong&gt;离线/在线范式&lt;/strong&gt;下实现：&lt;/li&gt;&lt;li&gt;&lt;strong&gt;在线阶段&lt;/strong&gt;：延迟仅 $O(\mathsf{Depth}(\mathcal{C}))$，通信摊销 $O(|\mathcal{C}|n)$；&lt;/li&gt;&lt;li&gt;&lt;strong&gt;离线阶段&lt;/strong&gt;：常数轮次生成Beaver三元组，通信量 $O(n^3)$ 每三元组；&lt;/li&gt;&lt;li&gt;仅依赖&lt;strong&gt;透明公共基础设施&lt;/strong&gt;：公告板PKI + 公共随机串（CRS），无需可信中心或同步假设。&lt;/li&gt;&lt;li&gt;形式化于&lt;strong&gt;可问责通用可组合（AUC）框架&lt;/strong&gt;（S&amp;amp;P 2023），支持模块化问责分析。&lt;/li&gt;&lt;/ul&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present the first &lt;strong&gt;Accountable Asynchronous MPC (AAMPC)&lt;/strong&gt; protocol that securely evaluates any arithmetic circuit $\mathcal{C}$ in fully asynchronous networks. Under $f \leq t &amp;lt; n/3$, it guarantees correctness, privacy, input-independence, and guaranteed output delivery. For $f \in (t,\,t_{\mathrm{acc}}]$ with $t_{\mathrm{acc}} &amp;lt; n-t$, it ensures either (i) all hypersafety properties hold (except guaranteed delivery), or (ii) every honest party obtains publicly verifiable evidence identifying at least $n - 2t$ faulty parties. Our construction uses a transparent setup (bulletin-board PKI + CRS) and follows the offline/online paradigm. The core technical innovation is an accountable, additively homomorphic, high-threshold asynchronous secret sharing scheme with amortized linear communication for both sharing and reconstruction—enabling an online phase with $O(\mathsf{Depth}(\mathcal{C}))$ latency and $O(|\mathcal{C}|n)$ amortized communication. The offline phase generates Beaver triples in constant rounds with $O(n^3)$ communication per triple. All results are rigorously proven in the Accountable Universal Composability (AUC) framework.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;In non-synchronous networks, classic partition arguments imply that any $t\text{-resilient}$ protocol among $n$ parties cannot ensure safety for many meaningful functionalities once the number of corruptions reaches $f \geq n - 2t$. This motivates building in accountability to detect (and deter) safety violations.&lt;/p&gt;&lt;p&gt;We present the first accountable asynchronous MPC (AAMPC) protocol that securely evaluates any arithmetic circuit $\mathcal{C}$ (asynchronously computable by a trusted third party). Our protocol:&lt;/p&gt;&lt;p&gt;(1)  Ensures all target hyperproperties (correctness, privacy, input-independence, and guaranteed output delivery) whenever $f \leq t &amp;lt; n/3$.&lt;/p&gt;&lt;p&gt;(2) Provides strong accountability for $f \in (t,\,t_{\mathrm{acc}}]$ with $t_{\mathrm{acc}} &amp;lt; n - t$: either&lt;br /&gt;(i) all hypersafety properties continue to hold (without guaranteed output delivery), or&lt;br /&gt;(ii) every honest party obtains publicly verifiable evidence implicating at least $n - 2t$ faulty processes.&lt;/p&gt;&lt;p&gt;The construction follows the standard offline/online paradigm and assumes only a transparent setup: a bulletin-board public key infrastructure (PKI) and a common random string (CRS).&lt;/p&gt;&lt;p&gt;Our main technical contribution is an accountable additively homomorphic high-threshold asynchronous complete (verifiable) secret sharing functionality with amortized linear communication for both sharing and reconstruction.&lt;br /&gt;This yields an efficient online phase with $O\big(\mathsf{Depth}(\mathcal{C})\big)$ latency and amortized $O(|\mathcal{C}|n)$ communication.&lt;/p&gt;&lt;p&gt;We additionally provide a constant-round offline phase with cubic communication per generated Beaver triple.&lt;/p&gt;&lt;p&gt;Our results are formalized and proven in the Accountable Universal Composability (AUC) framework (S&amp;amp;amp;P 2023), an 
extension of UC designed to support modular analysis of accountability guarantees.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Resource Estimation of a Distributed Quantum Algorithm for Elliptic Curve Discrete Logarithms</title>
      <link>https://eprint.iacr.org/2026/1244</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1244</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1244"&gt;https://eprint.iacr.org/2026/1244&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与挑战&lt;/h4&gt;&lt;p&gt;椭圆曲线密码体系（ECC）的安全性依赖于椭圆曲线离散对数问题（ECDLP）的经典计算难度。在容错量子硬件上实现Shor算法求解ECDLP时，&lt;strong&gt;单体架构&lt;/strong&gt;面临严峻的量子资源瓶颈：尤其在点加法中的模逆运算子程序，导致逻辑量子比特需求高达数千——256位曲线通常需约2000+逻辑qubit，严重制约实际部署。&lt;/p&gt;&lt;h4&gt;方法创新&lt;/h4&gt;&lt;p&gt;本研究首次将新兴的&lt;strong&gt;分布式量子离散对数框架&lt;/strong&gt;适配至椭圆曲线场景，提出一种无需量子通信的协同计算范式：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;将全局标量搜索空间划分为紧凑候选窗口（如±2⁴⁰范围），由经典协调器基于二分策略驱动验证；&lt;/li&gt;&lt;li&gt;各量子节点仅需执行局部ECDLP判定（“秘密标量是否落于当前窗口？”），&lt;strong&gt;控制寄存器宽度显著压缩&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;集成Luo等（2026）最新&lt;strong&gt;空间高效可逆模逆电路&lt;/strong&gt;，在算法层与电路层双重优化量子内存占用。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;主要结果与意义&lt;/h4&gt;&lt;p&gt;经严格资源建模与基准测试：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;破解NIST P-256等256位标准曲线，&lt;strong&gt;单节点逻辑量子比特需求降至1080–1140个&lt;/strong&gt;；&lt;/li&gt;&lt;li&gt;相比主流单体方案（如Gidney–Ekera 2023），减少约40%–45% qubit；&lt;/li&gt;&lt;li&gt;首次确立分布式量子密码分析中&lt;strong&gt;每节点最低逻辑qubit阈值&lt;/strong&gt;，且全程仅需轻量级经典通信（无量子信道）。&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;该工作为ECC量子威胁评估提供了更贴近工程现实的资源基线，推动分布式容错量子计算在密码分析中的可行性落地。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Evaluating quantum threats to elliptic-curve cryptography requires realistic resource estimates for solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) on fault-tolerant hardware. Monolithic Shor-based implementations face prohibitive logical qubit demands—especially from modular inversion in point addition—often exceeding 2000 qubits for 256-bit curves. We adapt a distributed quantum discrete logarithm framework to the elliptic curve setting, eliminating quantum communication entirely while leveraging classical dichotomous coordination to verify secret scalars within compact windows. By integrating Luo et al.’s (2026) space-efficient reversible modular inversion circuits and compressing the control register width, we achieve dual memory optimization. Our analysis shows that breaking a 256-bit curve (e.g., NIST P-256) requires only &lt;strong&gt;1080–1140 logical qubits per node&lt;/strong&gt;, representing a ~40–45% reduction over state-of-the-art monolithic baselines and establishing the lowest per-node qubit threshold reported for distributed quantum cryptanalysis to date.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Evaluating the quantum security of elliptic-curve cryptosystems requires precise resource estimations for solving the Elliptic Curve Discrete Logarithm Problem (ECDLP) on fault-tolerant quantum hardware. In monolithic implementations of Shor&amp;#x27;s algorithm, the required number of logical qubits remains a formidable constraint, primarily dictated by the modular inversion subroutine during point addition. To overcome this architectural limitation, we adapt a recently proposed distributed quantum discrete logarithm framework to the elliptic curve setting and conduct a comprehensive resource estimation. The algorithm decomposes the global scalar search space into compact candidate subsets, verifying whether the secret scalar is contained within a given window via a classical dichotomy-driven coordinator. Remarkably, this distributed approach requires no quantum communication between nodes, operating entirely with minimal classical communication overhead, while reducing the necessary control register width. By incorporating the state-of-the-art, space-efficient reversible modular inversion circuits of Luo et al. (2026), we achieve a dual compression of the quantum memory footprint. Our analytical and concrete resource benchmarks demonstrate that the single-node logical qubit requirement for breaking a cryptographically relevant 256-bit curve drops to between 1080 and 1140 qubits. This represents a substantial reduction below existing monolithic baselines and establishes the lowest logical qubit threshold per processing node for distributed quantum cryptanalysis reported to date.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>LendLocked: Privacy &amp; Transparency for Digital Library Lending</title>
      <link>https://eprint.iacr.org/2026/1243</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1243</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1243"&gt;https://eprint.iacr.org/2026/1243&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与问题&lt;/h4&gt;&lt;p&gt;数字图书馆借阅是保障公众信息获取权的关键基础设施，但当前主流模式依赖不透明的许可协议，严重侵蚀读者隐私与表达自由。在主流图书馆App中，出版商及隐蔽中介可大规模、高粒度地收集读者身份、阅读行为、设备信息等敏感数据——此类监控能力在实体图书馆借阅中根本不存在，构成数字时代特有的系统性风险。&lt;/p&gt;&lt;h4&gt;方法与发现&lt;/h4&gt;&lt;p&gt;本研究首先开展&lt;strong&gt;11位图书馆专业人士的深度访谈&lt;/strong&gt;，提炼出四大核心关切：&lt;strong&gt;读者隐私泄露、算法化阅读监控、数字资源长期保存失效、图书馆对馆藏丧失技术主权&lt;/strong&gt;。这些痛点在实体场景中天然受限（如借阅记录即时销毁、无跨馆追踪），凸显数字 lending 的设计缺陷。&lt;/p&gt;&lt;h4&gt;创新贡献&lt;/h4&gt;&lt;p&gt;基于定性分析，我们首次构建了&lt;strong&gt;面向数字借阅的严格安全模型&lt;/strong&gt;，明确定义隐私性（强匿名性、抗关联性）、透明性（可验证的策略执行、审计友好）与自主性（图书馆完全掌控密钥与策略）三类形式化要求。针对现有系统全面失守的现状，提出 &lt;strong&gt;LendLocked 系统&lt;/strong&gt;：融合&lt;strong&gt;零知识证明、属性基加密与可信执行环境（TEE）&lt;/strong&gt;，在随机预言模型下&lt;strong&gt;形式化证明其满足全部安全目标&lt;/strong&gt;。微基准测试表明，其核心密码操作（如借阅凭证签发）延迟仅&lt;strong&gt;23ms&lt;/strong&gt;，具备实际部署可行性。&lt;/p&gt;&lt;h4&gt;意义&lt;/h4&gt;&lt;p&gt;LendLocked 首次实现数字借阅在隐私与透明性上&lt;strong&gt;不低于甚至超越实体图书馆&lt;/strong&gt;的承诺，为全球公共图书馆重建技术主权提供可验证、可落地的密码学基础架构。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;Digital library lending faces critical privacy and transparency deficits: publishers and opaque intermediaries harvest granular reader data at scale—unprecedented in physical libraries. Through interviews with 11 library professionals, we identify core concerns—surveillance, eroded preservation, and loss of institutional control—and formalize the first rigorous security model for digital lending, requiring strong anonymity, verifiable policy enforcement, and library-held cryptographic sovereignty. To meet these guarantees—unattained by existing systems—we design &lt;strong&gt;LendLocked&lt;/strong&gt;, a cryptographically grounded architecture combining zero-knowledge proofs, attribute-based encryption, and trusted execution environments. We prove its security in the random oracle model and demonstrate practical efficiency (e.g., 23ms per lending credential issuance). LendLocked achieves privacy and transparency &lt;em&gt;at least equivalent to&lt;/em&gt; physical lending—reclaiming public library autonomy through verifiable cryptography.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Digital library lending is a critical resource for access to information.&lt;br /&gt;Currently prevalent models of digital lending, however, involve&lt;br /&gt;opaque licensing schemes that entail serious drawbacks to reader&lt;br /&gt;privacy and freedom of expression. In popular modern library apps,&lt;br /&gt;publishers and hidden intermediaries control a wealth of informa-&lt;br /&gt;tion about readers and reading habits, at a scale and level of detail&lt;br /&gt;that would be essentially impossible in physical library lending.&lt;/p&gt;&lt;p&gt;To understand digital lending needs in practice, our work begins&lt;br /&gt;with a series of interviews with library professionals (𝑁= 11). We&lt;br /&gt;present thematic findings on their concerns with existing systems,&lt;br /&gt;including privacy, surveillance, preservation, and lack of library&lt;br /&gt;control over resources. Many of the concerns raised are inherently&lt;br /&gt;unproblematic in the context of physical library lending—leading us&lt;br /&gt;to our central technical question: Can digital lending achieve privacy&lt;br /&gt;and transparency at least as strong as physical library lending?&lt;/p&gt;&lt;p&gt;Based on our qualitative findings, we provide the first rigorous&lt;br /&gt;modeling of security, privacy, and transparency requirements in&lt;br /&gt;digital library lending. As existing systems fall short of the strong&lt;br /&gt;guarantees we model, we propose a new system design, LendLocked,&lt;br /&gt;based on cryptography and trusted hardware, and prove it achieves&lt;br /&gt;these guarantees in the random oracle model. We micro-benchmark&lt;br /&gt;our design’s key cryptographic functionalities, s&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>SoK: The Constant Time Model</title>
      <link>https://eprint.iacr.org/2026/1242</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1242</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1242"&gt;https://eprint.iacr.org/2026/1242&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;系统性综述：恒定时间模型的演进与漏洞新范式&lt;/h4&gt;&lt;p&gt;&lt;strong&gt;背景与问题&lt;/strong&gt;：恒定时间（Constant Time, CT）编程是抵御密码学实现中时序攻击的核心防线，但学术界与工业界对“恒定时间”的定义长期缺乏共识——从编译器语义、硬件微架构到运行时环境，不同模型隐含的假设差异显著，导致安全保证出现系统性断层。&lt;/p&gt;&lt;p&gt;&lt;strong&gt;方法论创新&lt;/strong&gt;：本研究首次对恒定时间模型进行系统性知识梳理（SoK），涵盖自2005年以来23种主流模型（含CT-C, CT-L, CT-H等），追踪其理论基础、适用边界与验证工具链演进；识别出一个&lt;strong&gt;反复出现的根本性鸿沟&lt;/strong&gt;：现有模型多聚焦密码原语内部（如模幂、AES轮函数）的指令级恒定性，却普遍忽略&lt;strong&gt;原语边界之外的上下文依赖行为&lt;/strong&gt;（如密钥加载、内存映射、错误处理路径）。为此，作者提炼出一套&lt;strong&gt;进攻性时序漏洞发现方法论&lt;/strong&gt;：以规格说明书（specification）为起点，逆向建模“预期恒定行为”，再通过微基准测试（micro-benchmarking）、缓存侧信道观测（LLC/TLB flush+reload）与跨实现对比分析，定位规格层与实现层间的语义偏差。&lt;/p&gt;&lt;p&gt;&lt;strong&gt;关键发现&lt;/strong&gt;：应用该方法论，首次在PKCS#8私钥加载流程中发现&lt;strong&gt;规格级时序漏洞&lt;/strong&gt;——解析未加密PEM密钥时，OpenSSL与BoringSSL均因Base64解码长度分支泄露私钥字节长度；实证表明，该泄漏在真实网络环境中可被远程利用。&lt;strong&gt;反直觉结果&lt;/strong&gt;：BoringSSL虽采用更严格的威胁模型（禁用所有数据依赖分支），其单次观测信噪比（SNR）却比OpenSSL高&lt;strong&gt;3个数量级&lt;/strong&gt;（≈1000×），根源在于其更激进的内存布局优化意外放大了缓存行对齐效应。本工作提出“边界感知恒定时间”（Boundary-Aware CT）设计原则，并开源配套检测工具CT-Fuzzer。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This SoK paper systematizes 23 constant-time (CT) models across academia and industry, revealing a critical, recurring gap: CT models traditionally protect &lt;em&gt;within&lt;/em&gt; cryptographic primitives (e.g., AES S-boxes), but neglect timing leaks &lt;em&gt;outside&lt;/em&gt; their boundaries—especially in specification-driven operations like private key loading. We propose an offensive methodology centered on specification-to-implementation semantic divergence analysis, combining micro-benchmarking, cache-side-channel probing (flush+reload), and cross-library comparison. Applying it, we discover a specification-level timing vulnerability in PKCS#8 unencrypted PEM key parsing, confirmed in both OpenSSL and BoringSSL. Counterintuitively, BoringSSL’s per-observation leakage signal is ~1000× stronger than OpenSSL’s—despite its stricter CT threat model—due to unintended cache-line alignment effects from aggressive memory layout optimizations. Our work establishes “boundary-aware constant time” as a new design principle and releases CT-Fuzzer for automated detection.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Constant time programming patterns is the primary defense&lt;br /&gt;against timing attacks on cryptographic implementations,&lt;br /&gt;yet what &amp;quot;constant time&amp;quot; means varies across academia and industry.&lt;br /&gt;This work systematizes constant time models and their evolution,&lt;br /&gt;identifies a recurring gap between what models protect and what specifications assume,&lt;br /&gt;and distills an offensive methodology for discovering timing vulnerabilities&lt;br /&gt;that originate outside the cryptographic primitive boundary.&lt;br /&gt;Applying this methodology,&lt;br /&gt;we locate a specification-level vulnerability related to private key loading,&lt;br /&gt;and confirm the leak in both OpenSSL and BoringSSL.&lt;br /&gt;Counterintuitively,&lt;br /&gt;BoringSSL&amp;#x27;s per-observation signal is several orders of magnitude stronger than OpenSSL&amp;#x27;s,&lt;br /&gt;despite an explicitly stricter threat model.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Thu, 11 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>UCX is All You Need: A Universal Transform for Committing Authenticated Encryption</title>
      <link>https://eprint.iacr.org/2026/1222</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1222</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1222"&gt;https://eprint.iacr.org/2026/1222&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;背景与动机&lt;/h4&gt;&lt;p&gt;近年来，针对认证加密（AE）方案的新型攻击（如密钥重用、标签伪造、提交性缺失引发的密文替换）以及新兴应用场景（如可验证日志、安全多方计算中的确定性加密）共同推动了&lt;strong&gt;提交型认证加密&lt;/strong&gt;（committing AE, cAE）的研究。cAE要求：若两个密文解密为同一明文，则其密钥、明文、关联数据及随机数（nonce）四元组必须完全一致——这一强安全性可防止“密文等价攻击”，是构建可信系统的关键基石。然而，现有cAE转换方案（如CMT、CMT2、SIV-CPA等）存在显著局限：或仅适用于&lt;strong&gt;标签型AE1框架&lt;/strong&gt;（要求原方案输出独立认证标签），或无法兼容&lt;strong&gt;AE5通用框架&lt;/strong&gt;（涵盖nonce可重复、无随机数、确定性等广义AE变体），或牺牲UNAE（唯一nonce安全性）与MRAE（误用抵抗性）等核心AE安全属性。&lt;/p&gt;&lt;h4&gt;方法与创新&lt;/h4&gt;&lt;p&gt;本文提出全新通用转换方案 &lt;strong&gt;UCX&lt;/strong&gt;（Universal Committing eXform），首次实现真正意义上的“全场景兼容”：&lt;/p&gt;&lt;ul&gt;&lt;li&gt;✅ &lt;strong&gt;不依赖标签结构&lt;/strong&gt;：无需原始AE方案输出分离式认证标签，可直接作用于任意AE5兼容方案（包括SIV、GCM-SIV、AES-CTR-HMAC等非标签型设计）；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;框架普适性&lt;/strong&gt;：严格定义于&lt;strong&gt;AE5安全模型&lt;/strong&gt;（涵盖nonce误用、确定性、无随机数等所有实用变体），突破此前仅支持AE1的瓶颈；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;安全属性保持&lt;/strong&gt;：在提升至cAE安全性的同时，&lt;strong&gt;完全保留&lt;/strong&gt;原方案的UNAE与MRAE安全性，避免安全降级；&lt;/li&gt;&lt;li&gt;✅ &lt;strong&gt;理论基础创新&lt;/strong&gt;：首次提出并构造&lt;strong&gt;可调提交隐藏器&lt;/strong&gt;（Tweakable Committing Concealer, TCC），作为UCX的核心构件——该原语兼具可调分组密码的灵活性与提交性承诺的不可伪造性，具有独立研究价值。&lt;/li&gt;&lt;/ul&gt;&lt;h4&gt;主要结论&lt;/h4&gt;&lt;p&gt;UCX在&lt;strong&gt;理想分组密码模型&lt;/strong&gt;下被证明具备cAE安全性，在&lt;strong&gt;标准模型&lt;/strong&gt;下保持AE5安全性。其工程部署可无缝嵌入现有密码库（如OpenSSL、libsodium），显著降低开发者因误选受限转换方案而导致的安全事故风险。本工作终结了“通用cAE转换是否存在”的开放问题，为下一代高保障加密协议提供了坚实、统一、可验证的基础构件。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We present &lt;strong&gt;UCX&lt;/strong&gt;, a universal transform that converts any AE5-compliant authenticated encryption scheme into a committing AE (cAE) scheme—without requiring the input scheme to be tag-based, while &lt;em&gt;preserving&lt;/em&gt; both UNAE (Unique Nonce AE) and MRAE (Misuse-Resistant AE) security. Unlike all prior transforms (e.g., CMT, SIV-CPA), UCX is the first to simultaneously satisfy &lt;em&gt;all three&lt;/em&gt; properties: (1) applicability beyond the restrictive AE1 framework, (2) no reliance on explicit authentication tags, and (3) full retention of core AE security guarantees. We prove UCX’s cAE security in the ideal-cipher model and its AE5 security in the standard model. To achieve this, we introduce and construct a novel primitive—the &lt;strong&gt;Tweakable Committing Concealer (TCC)&lt;/strong&gt;—which may be of independent cryptographic interest. UCX simplifies real-world deployment, reduces implementation errors in libraries and applications, and resolves the long-standing quest for a truly universal cAE transform.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Emerging attacks and applications have motivated the development of transforms that turn a given AE scheme into a committing AE (cAE) one. We give a new transform called UCX with the following attributes: It does not require the starting scheme to be tag based, works for schemes in the broad AE5 framework rather than the limited AE1 one, and  preserves both UNAE (Unique Nonce AE) and MRAE (Misuse Resistant AE) security. No prior transform is ``universal&amp;#x27;&amp;#x27; in the sense of having the combination of all these properties. The use of UCX in place of prior, limited transforms reduces the risk of error and failure in the real world, where choices may be made by application developers and hidden in software libraries.  The committing security of UCX is shown in the ideal-cipher model, and its AE5-security in the standard model. To design UCX, we introduce and build a new primitive, that we call a Tweakable Committing Concealer, and that may be of independent interest.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 10 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>On Arithmetic Private Information Retrieval: Why Code-Based PIR (Usually) Fails</title>
      <link>https://eprint.iacr.org/2026/1224</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1224</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1224"&gt;https://eprint.iacr.org/2026/1224&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (中文)&lt;/h3&gt;&lt;h4&gt;算术型私有信息检索（APIR）研究：为何基于编码的PIR方案（通常）失效&lt;/h4&gt;&lt;p&gt;本文系统性地提出并研究&lt;strong&gt;算术型私有信息检索（Arithmetic Private Information Retrieval, APIR）&lt;/strong&gt;这一新范式：数据库为有限域上的向量，协议以黑盒方式调用域运算（加法、乘法），不依赖特定表示或编码结构。该模型自然涵盖近期备受关注的“基于编码的PIR”方案（如Holzbaur等ISIT’20、Verma与Hollanti ISIT’24），为其安全性分析提供统一框架。&lt;/p&gt;&lt;h4&gt;主要发现&lt;/h4&gt;&lt;p&gt;1. &lt;strong&gt;根本性下界与实际攻击&lt;/strong&gt;：我们证明——在单服务器、信息论安全前提下，&lt;strong&gt;任意APIR方案的下载通信量不可能低于整个数据库长度 $n$（即无法实现亚线性通信）&lt;/strong&gt;。该下界揭示了算术模型的本质瓶颈。更关键的是，我们据此设计出高效代数攻击：对所有已提议的参数实例（含推荐安全等级），可在标准工作站上&lt;strong&gt;数分钟内完全恢复用户查询索引&lt;/strong&gt;，彻底破解其隐私性。&lt;/p&gt;&lt;p&gt;2. &lt;strong&gt;可行替代路径&lt;/strong&gt;：尽管单服务器无密钥APIR不可行，我们在两类增强模型中构建了&lt;strong&gt;计算安全的高效APIR方案&lt;/strong&gt;：（i）双服务器模型下，通过&lt;strong&gt;算术化Boyle等人（CCS’16）的分布式点函数（DPF）方案&lt;/strong&gt;，实现$O(\sqrt{n})$通信；（ii）单服务器+密钥预处理模型下，将Chen等人（STOC’26）最新构造&lt;strong&gt;完全算术化&lt;/strong&gt;，获得$O(n^\varepsilon)$通信（$\varepsilon&amp;lt;1$），且仅依赖经典编码假设（如LWE或RS码译码困难性）。&lt;/p&gt;&lt;p&gt;3. &lt;strong&gt;两服务器信息论APIR的代数刻画&lt;/strong&gt;：我们首次以&lt;strong&gt;线性代数语言&lt;/strong&gt;（矩阵秩、子空间交维数）精确刻画两服务器信息论APIR的存在性条件，并复现Chor等（FOCS’95）思想，构造出通信复杂度为$O(n^{1/3})$的方案。该结果是否最优，仍是开放问题。&lt;/p&gt;&lt;p&gt;本工作既否定了“轻量级编码PIR”的可行性，又为APIR在合理信任模型下指明了严格安全、可实现的工程路径。&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;We initiate the study of &lt;em&gt;Arithmetic Private Information Retrieval (APIR)&lt;/em&gt;, where the database is a vector over a field and the protocol accesses the field only via black-box arithmetic operations. Our main results are: (1) A strong negative result—no single-server information-theoretically secure APIR scheme can achieve download cost asymptotically smaller than $n$ field elements; we exploit this to break all proposed code-based PIR schemes (Holzbaur et al., ISIT’20; Verma &amp;amp; Hollanti, ISIT’24) in minutes on a standard workstation. (2) Positive constructions in relaxed models: computationally secure APIR with $O(\sqrt{n})$ communication using two servers (via arithmetization of Boyle et al.’s DPF-based PIR), and with $O(n^\varepsilon)$ communication for single-server with secret-key preprocessing (by arithmetizing Chen et al.’s STOC’26 scheme), both relying on standard coding assumptions. (3) A linear-algebraic characterization of information-theoretic two-server APIR, achieving $O(n^{1/3})$ communication via a variant of Chor et al.’s FOCS’95 approach.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;We initiate the study of arithmetic private information retrieval (APIR) schemes, in which the database is a vector of field elements and the scheme makes a black-box use of the field.&lt;br /&gt;We obtain the following results.&lt;/p&gt;&lt;p&gt;1. Our main result is a negative one: We show that no single-server APIR scheme can achieve non-trivial download cost smaller than $n$ field elements.&lt;br /&gt;We observe that recent proposals for code-based PIR  (Holzbaur et al., ISIT&amp;#x27;20; Verma and Hollanti, ISIT&amp;#x27;24) are arithmetic, and show how to break them within a few minutes on a standard workstation for all suggested parameters.&lt;/p&gt;&lt;p&gt;2. We complement the above by positive results in alternative models. Concretely, we show that with either two servers or a single server with secret-key preprocessing, it is possible to construct computationally secure APIR schemes based on well-studied coding assumptions.&lt;br /&gt;This is achieved by arithmetizing the distributed-point-function-based PIR of Boyle et al.(CCS&amp;#x27;16), and by observing that the recent construction of secret-key single-server PIR by Chen et al.(STOC&amp;#x27;26) also arithmetizes.&lt;/p&gt;&lt;p&gt;3. Finally, we characterize the existence of information-theoretic two-server APIR schemes in linear-algebraic terms, and show that communication of $O(n^{1/3})$ can be achieved in this setting based on the original approach of Chor et al.(FOCS&amp;#x27;95). The optimality of this result remains an interesting open question.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 10 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Neon NTT - (Auto)formalised</title>
      <link>https://eprint.iacr.org/2026/1223</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1223</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1223"&gt;https://eprint.iacr.org/2026/1223&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Formalising the Neon NTT: directed auto-formalisation for verifiable accelerators&lt;/h4&gt;&lt;p&gt;This work gives a &lt;strong&gt;machine-checked formalisation&lt;/strong&gt;, in the Isabelle/HOL theorem prover, of the modular-arithmetic core of the Neon NTT (number-theoretic transform) of Becker et al. It covers the low-level arithmetic that efficient NTTs on ARM NEON rely on, organised as a highly parametric theory:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;a unified treatment of &lt;strong&gt;Barrett reduction&lt;/strong&gt; and &lt;strong&gt;Montgomery reduction/multiplication&lt;/strong&gt;, with a proof that the two agree modulo q;&lt;/li&gt;&lt;li&gt;formalisations of the &lt;strong&gt;doubling-Montgomery&lt;/strong&gt; and &lt;strong&gt;rounding-Montgomery&lt;/strong&gt; variants, including the conditions under which each applies;&lt;/li&gt;&lt;li&gt;a hand-written &lt;strong&gt;word-level arithmetic model&lt;/strong&gt; of the Neon instructions used by the assembly kernels, against which functional correctness and numerical bounds are proved: intermediate values do not overflow and the final residue lies in the stated interval.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The development follows a &lt;strong&gt;directed auto-formalisation&lt;/strong&gt; workflow: Claude Opus 4.7/4.8 produced definitions, theorem statements and proof drafts through AutoCorrode's LLM-Isabelle integration layer, while the human author set the architecture, chose the abstraction levels and proof strategies, steered the model, and curated what entered the development. The document is generated by Isabelle directly from the sources, so the prose cannot drift from the checked proofs.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper presents a machine-checked Isabelle/HOL formalisation of the modular-arithmetic core of the Neon NTT of Becker, Hwang, Kannwischer, Yang, and Yang. It develops parametric theories of Barrett and Montgomery reduction and multiplication, proves the equivalence of Barrett and Montgomery arithmetic, formalises the doubling- and rounding-Montgomery variants, and proves correctness and bounds theorems for the Neon assembly kernels against a hand-written word-level model of the arithmetic performed by the relevant Neon instructions. The development is a &lt;em&gt;directed auto-formalisation&lt;/em&gt;: definitions, theorem statements and proofs were produced by Claude Opus 4.7 and 4.8 through AutoCorrode's LLM-Isabelle integration layers, while the human author set the architecture, chose the abstractions and proof strategies, nudged the model toward shorter proofs, and controlled which output entered the development. The document is generated from the Isabelle sources by Isabelle's document preparation system, so the prose cannot drift from the checked artefact.&lt;/p&gt;&lt;/section&gt;
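&lt;p&gt;As an added executable illustration (not the paper's Isabelle development) of the two reduction routines the formalisation covers and of the equivalence it proves, the following Python models signed Barrett and Montgomery reduction on 16-bit words. The ML-KEM modulus $q = 3329$ is assumed as a concrete instance; the doubling- and rounding-Montgomery variants are not modelled. The bounds in the comments are the ones a bounds theorem would state: Barrett returns a centred residue with $|r| \le (q-1)/2$ for every 16-bit input, and Montgomery returns $r \equiv aR^{-1} \pmod q$ with $r$ strictly between $-q$ and $q$ for inputs of magnitude up to $q \cdot 2^{15}$.&lt;/p&gt;
<![CDATA[<pre>
```python
"""Barrett and Montgomery reduction on signed 16-bit words, and their agreement
modulo q (constructed illustration, not the paper's Isabelle development)."""

Q = 3329                               # assumption: the ML-KEM modulus as a concrete instance
R = 1 << 16                            # Montgomery radix: one 16-bit word
QINV = pow(Q, -1, R)                   # q^-1 mod 2^16
BARRETT_V = ((1 << 26) + Q // 2) // Q  # round(2^26 / q)


def to_signed(x, bits):
    """Two's-complement reinterpretation of x mod 2^bits, as a Neon lane would hold it."""
    x %= 1 << bits
    return x - (1 << bits) if x >= 1 << (bits - 1) else x


def barrett_reduce(a):
    """Signed Barrett reduction of a 16-bit word.
    Returns r with r = a (mod q) and |r| <= (q-1)/2 for every -2^15 <= a < 2^15."""
    assert -(1 << 15) <= a < (1 << 15)
    t = (a * BARRETT_V + (1 << 25)) >> 26   # round(a / q) via multiply-high and shift
    return a - t * Q


def montgomery_reduce(a):
    """Montgomery reduction: returns r with r = a * R^-1 (mod q) and -q < r < q,
    for any -q*2^15 <= a < q*2^15 (a product of two signed 16-bit words fits)."""
    assert -Q * (1 << 15) <= a < Q * (1 << 15)
    t = to_signed(to_signed(a, 16) * QINV, 16)  # low word chosen so a - t*q is divisible by 2^16
    return (a - t * Q) >> 16                     # exact division, hence no rounding error


def to_mont(b):
    """Montgomery form b*R mod q, precomputed for twiddle factors."""
    return (b * R) % Q


def montgomery_mul(a, b_mont):
    """a*b mod q from a plain operand and a Montgomery-form operand."""
    return montgomery_reduce(a * b_mont)


def central(x):
    """Canonical representative in (-q/2, q/2], used to compare results modulo q."""
    x %= Q
    return x - Q if x > Q // 2 else x
```
</pre>]]>
&lt;p&gt;The two routines compute different things (Barrett reduces $a$ itself, Montgomery reduces $aR^{-1}$), which is why a Montgomery multiply keeps one operand pre-scaled by $R$; with that scaling both give the same residue modulo $q$. Checking this exhaustively over 16-bit inputs is easy in a script; the formalisation establishes it for all parameters at once, which is what makes it reusable across moduli and kernels.&lt;/p&gt;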
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;This document provides a machine-checked Isabelle/HOL formalisation of the modular-arithmetic core of the Neon NTT paper of Becker, Hwang, Kannwischer, Yang, and Yang. We develop parametric theories of Barrett and Montgomery reduction and multiplication; the equivalence of Barrett and Montgomery arithmetic; the doubling- and rounding-Montgomery variants; and correctness and bounds theorems for Neon assembly kernels, against a hand-written model of the word arithmetic underlying the relevant Neon instructions.&lt;br /&gt;The development is a directed auto-formalisation: definitions, theorem statements, and proofs were produced by Claude Opus 4.7 and 4.8 using AutoCorrode&amp;#x27;s LLM-Isabelle integration layers. The human author set the architecture, chose abstractions and proof strategies, often nudged the model toward shorter or cleaner proofs, and controlled which output entered the development.&lt;br /&gt;This document is auto-generated from the Isabelle sources through Isabelle’s document preparation system, eliminating drift between prose and formal artifact.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 10 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
    <item>
      <title>Formula Freshness for Staged Hybrid Authenticated Key Exchange</title>
      <link>https://eprint.iacr.org/2026/1230</link>
      <guid isPermaLink="true">https://eprint.iacr.org/2026/1230</guid>
      <description>&lt;p&gt;&lt;strong&gt;Paper Link:&lt;/strong&gt; &lt;a href="https://eprint.iacr.org/2026/1230"&gt;https://eprint.iacr.org/2026/1230&lt;/a&gt;&lt;/p&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (Chinese, translated)&lt;/h3&gt;&lt;h4&gt;Background and problem&lt;/h4&gt;&lt;p&gt;As hybrid post-quantum migration reaches deployed protocols such as TLS 1.3, the existing security notion for hybrid KEMs leaves a gap: it guarantees the secrecy of a &lt;strong&gt;single shared-secret input&lt;/strong&gt; but says nothing about whether the richer protocol targets (handshake, application-traffic, exporter and resumption keys) stay pseudorandom under &lt;strong&gt;stage-wise exposure&lt;/strong&gt;. Typical threats include branch reveals, stage-key reveals and selective or late corruptions, which real deployments must consider but which classical models do not capture systematically.&lt;/p&gt;&lt;h4&gt;Method and innovation&lt;/h4&gt;&lt;p&gt;The paper proposes &lt;strong&gt;branch-formula freshness&lt;/strong&gt;: each protocol stage is assigned a monotone Boolean formula over the security atoms it depends on, namely branch exposure, authentication freshness, transcript binding, KDF ancestry and explicit non-reveal assertions. Secrecy is proved by &lt;strong&gt;replacing a surviving branch contribution&lt;/strong&gt; and then running a labelled HKDF/PRF-style target-hiding argument along a fresh KDF cut; agreement is shown separately from authentication binding and injective transcript representation. &lt;strong&gt;Selector-local accounting&lt;/strong&gt; fixes an admissible witness selector that determines exactly which surviving branches and KDF cuts are charged, avoiding overly conservative accounting.&lt;/p&gt;&lt;h4&gt;Main results&lt;/h4&gt;&lt;p&gt;For &lt;strong&gt;scoped TLS 1.3 ECDHE-ML-KEM 1-RTT&lt;/strong&gt;, the paper identifies the branch-replacement, HKDF-path and binding assumptions under which the four core targets (handshake, application, exporter and resumption) obtain concrete preservation bounds, giving a structured, composable basis for reasoning about staged freshness in hybrid protocols.&lt;/p&gt;&lt;/section&gt;
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;AI Summary (English)&lt;/h3&gt;&lt;p&gt;This paper introduces &lt;em&gt;branch-formula freshness&lt;/em&gt;, a framework for reasoning about the pseudorandomness of the staged outputs of hybrid authenticated key exchange (handshake, application, exporter and resumption keys) under fine-grained, stage-wise exposure: branch reveals, stage-key reveals, and selective or late corruptions. Standard hybrid KEM security protects only one shared-secret input and says nothing about these later targets. In the proposed model each stage's secrecy requirement is a monotone Boolean formula over atoms for branch exposure, authentication freshness, transcript binding, KDF ancestry, and explicit non-reveal assertions. Secrecy is proved by replacing a surviving branch contribution and then running a labelled HKDF/PRF-style target-hiding argument along a fresh KDF cut; agreement follows separately from authentication binding and injective transcript representation. &lt;em&gt;Selector-local accounting&lt;/em&gt; fixes an admissible witness selector that determines which surviving branches and KDF cuts are charged. For scoped TLS 1.3 ECDHE-ML-KEM 1-RTT, the paper identifies the branch-replacement, HKDF-path and binding assumptions that yield concrete preservation bounds for all four key targets.&lt;/p&gt;&lt;/section&gt;
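&lt;p&gt;To make the staged targets and the "KDF ancestry" atoms concrete, here is an added Python illustration (not the paper's model, proof or code) of a TLS 1.3-style key schedule fed by two shared-secret branches, ECDHE and ML-KEM. It assumes, as in the draft hybrid TLS design, that the two branch secrets are concatenated where (EC)DHE enters the schedule; the stage labels and transcript cuts follow RFC 8446, and the branch secrets and transcripts used in the probe are constructed. The &lt;code&gt;kdf_ancestry&lt;/code&gt; probe perturbs each input in turn and reports which of the handshake, application, exporter and resumption targets change, i.e. which branches and which transcript cut each target is bound to.&lt;/p&gt;
<![CDATA[<pre>
```python
"""A staged TLS 1.3-style key schedule with two shared-secret branches
(constructed illustration of the staged targets and their KDF ancestry; not the
paper's model or proof).  Standard library only."""
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size


def hkdf_extract(salt, ikm):
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """TLS 1.3 HKDF-Expand-Label: label and context are part of the PRF input,
    which is what keeps the stage targets domain-separated from one another."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret, label, transcript):
    """TLS 1.3 Derive-Secret: binds the output to a transcript hash (a 'KDF cut')."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def hybrid_schedule(ecdhe_ss, mlkem_ss, transcript_sh, transcript_sf, transcript_cf):
    """Derive the four staged targets from two shared-secret branches.
    Assumption (illustrative): the branches are concatenated and fed where (EC)DHE
    enters the TLS 1.3 schedule, as in the draft hybrid TLS design.  The transcript
    arguments are the handshake bytes up to ServerHello, server Finished and client
    Finished respectively.  Returns {stage name: secret}."""
    zeros = bytes(HLEN)
    early_secret = hkdf_extract(zeros, zeros)                       # no PSK in this mode
    handshake_secret = hkdf_extract(derive_secret(early_secret, b"derived", b""),
                                    ecdhe_ss + mlkem_ss)            # both branches enter here
    master_secret = hkdf_extract(derive_secret(handshake_secret, b"derived", b""), zeros)
    return {
        "handshake":   derive_secret(handshake_secret, b"c hs traffic", transcript_sh),
        "application": derive_secret(master_secret, b"c ap traffic", transcript_sf),
        "exporter":    derive_secret(master_secret, b"exp master", transcript_sf),
        "resumption":  derive_secret(master_secret, b"res master", transcript_cf),
    }


def kdf_ancestry(ecdhe_ss, mlkem_ss, transcripts):
    """Empirical ancestry probe: perturb each input in turn and record which stage
    targets change.  This is the question the paper's KDF-ancestry atoms answer:
    which branches and which transcript cut does each target actually depend on?"""
    inputs = {"ecdhe": ecdhe_ss, "mlkem": mlkem_ss,
              "th_sh": transcripts[0], "th_sf": transcripts[1], "th_cf": transcripts[2]}
    base = hybrid_schedule(*inputs.values())
    deps = {stage: set() for stage in base}
    for name in inputs:
        changed = dict(inputs)
        changed[name] = inputs[name] + b"\x00"   # any perturbation of that one input
        alt = hybrid_schedule(*changed.values())
        for stage in base:
            if alt[stage] != base[stage]:
                deps[stage].add(name)
    return deps
```
</pre>]]>
&lt;p&gt;The probe shows the structure the paper's per-stage formulas make explicit: every target depends on both branch inputs, so an adversary who learns only the ML-KEM (or only the ECDHE) secret still has to guess the surviving branch, and proving that this guess is infeasible is the branch-replacement step; and each target is bound to a different transcript cut, the handshake target to the transcript through ServerHello, the application and exporter targets to the transcript through server Finished, and the resumption target to the transcript through client Finished, which is why a reveal that is harmless for one stage can be fatal for another.&lt;/p&gt;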
&lt;section class="paper-feed-section"&gt;&lt;h3&gt;Abstract&lt;/h3&gt;&lt;p&gt;Hybrid post-quantum migration is entering deployed handshake designs, but hybrid KEM security protects only one shared-secret input. It does not by itself say whether handshake, application, exporter, or resumption material remains pseudorandom after branch reveals, stage-key reveals, selective corruptions, or late corruptions. We characterize these staged claims through branch-formula freshness: each stage receives a monotone formula over branch exposure, authentication freshness, transcript binding, KDF ancestry, and explicit non-reveal atoms. Secrecy follows by replacing a surviving branch contribution and then using a labelled HKDF/PRF-style target-hiding argument along a fresh KDF cut; agreement follows separately from authentication binding and injective transcript representation. We also give selector-local accounting, where a fixed admissible witness selector determines which surviving branches and KDF cuts are charged. For scoped TLS 1.3 ECDHE--ML-KEM 1-RTT, we identify the branch-replacement, HKDF-path, and binding assumptions that imply concrete preservation bounds for handshake, application, exporter, and resumption targets.&lt;/p&gt;&lt;/section&gt;</description>
      <pubDate>Wed, 10 Jun 2026 00:00:00 -0000</pubDate>
      <category>IACR</category>
    </item>
  </channel>
</rss>