Unofficial IACR eprint updates. Only posts about new papers, follow @eprintrevision for updates about revisions.
Website: https://eprint.iacr.org
#eprint LigeSIS: Distribution-friendly Polynomial Commitment Based on Error-correcting Code by Yanpei Guo, Hancheng Lou, Wenjie Qu, Zhuoyuan Xu, Jiaheng Zhang (https://ia.cr/2026/751)

Polynomial commitment schemes (PCS) are a fundamental building block of modern proof systems. As proof system applications scale to increasingly large workloads, distributed PCS become essential for reducing prover time and memory pressure. Among existing PCS constructions, code-based PCS achieve significantly better concrete prover performance than group-based schemes by avoiding expensive elliptic-curve operations and operating over small-characteristic fields. However, despite these advantages, code-based PCS are notoriously difficult to distribute. In this work, we present LigeSIS, the first distribution-friendly code-based multilinear PCS. LigeSIS achieves sublinear cross-node communication while keeping the final proof size independent of the number of machines. Our key insight is to replace Merkle-tree hashing with a homomorphic subset-sum hash over Goldilocks64, enabling algebraic aggregation of partial commitments produced by different nodes. To make this approach practical, we further introduce a preprocessing-accelerated subset-sum hash that reduces hashing overhead by up to $8\times$. Our evaluation shows that, on a single node, LigeSIS achieves performance comparable to the state-of-the-art RS-based PCS WHIR (Eurocrypt'25). In distributed settings, LigeSIS exhibits near-linear scalability in prover time. Compared with distributed MKZG (S&P'25), LigeSIS achieves a $24 \times$ improvement in prover time. Compared with PIP (Security'26), LigeSIS reduces cross-node communication by up to $20\times$.

IACR Cryptology ePrint Archive
#eprint GlitchSnipe: Toward Localized Voltage Fault Attacks by Fatemeh Khojasteh Dana, Saleh Khalaj Monfared, Hamed Okhravi, Shahin Tajik (https://ia.cr/2026/752)

Voltage glitching is one of the most prominent fault injection techniques due to its effectiveness and simplicity. Although it is generally regarded as a spatially global fault method, in which the injected glitch uniformly affects all circuits on the die, several studies have observed that specific locations may be affected more than others. To characterize this phenomenon, we draw inspiration from methods used in electromagnetic interference (EMI) analysis. In this paper, we demonstrate that voltage attacks can be modeled as the transfer of conducted electromagnetic energy through the power delivery network (PDN) to the chip’s die. By analyzing voltage glitches in the frequency domain and modeling the PDN as a communication channel, we demonstrate that different frequency components of an injected glitch signal propagate through the network in distinct patterns. In this context, we further show that modulating the supply voltage with a single-frequency sinusoidal signal, rather than injecting a pulse-shaped glitch, enables an adversary to influence transistors in specific regions of the chip and thus induce localized faults. To validate these claims, we first propose a post-silicon profiling framework that identifies the frequency bands in which the system’s PDN is most vulnerable and maps the spatial regions of the chip affected by each frequency component. To this end, we perform extensive profiling on several FPGAs using distributed time-to-digital converters (TDCs) to measure the impact of injected signals across a range of frequencies. As a proof-of-concept, we also demonstrate successful localized voltage attacks on simple FSMs and AES-128 implementations with various placements, to further show the sensitivity of chip locations to injected energy at different frequencies. 
Our results reveal that even minor changes in design placement can significantly affect a circuit’s susceptibility to voltage-based fault attacks, either weakening or strengthening its resilience.

#eprint DDR-SSE: Duplicated Retrieval of Documents for System-wide Secure Searchable Symmetric Encryption by Zichen Gui, Simon-Philipp Merz, Kenneth G. Paterson, Sikhar Patranabis (https://ia.cr/2026/753)

Searchable Symmetric Encryption (SSE) schemes enable efficient keyword searches over encrypted documents at the cost of some leakage. An SSE scheme is said to be system-wide secure if it resists cryptanalysis by an adversary with access to leakage from retrieval of both encrypted indices and encrypted documents. The vast majority of state-of-the-art SSE schemes are, in fact, not system-wide secure (Gui et al., IEEE S&P 2023). Currently, the only efficient system-wide secure SSE scheme is SWiSSSE (Gui et al., PoPETS 2024). However, SWiSSSE requires a client state that is updated per query (which hinders adoption in various practical settings), and its leakage is hard to characterize precisely (thus making security analysis harder). In this paper, we present DDR-SSE – a practically efficient, system-wide secure SSE scheme that only requires a static client state, and has a simple leakage profile. Technically, we introduce a novel encrypted document retrieval scheme that uses duplicated document storage and randomized document retrieval to suppress access pattern leakage without compromising on practical efficiency. A remarkable feature of our scheme is its conceptual simplicity (unlike SWiSSSE, which uses an extremely involved document retrieval mechanism). We present a simulation-based security proof for DDR-SSE with respect to a rigorously formal system-wide leakage profile. Through extensive leakage cryptanalysis, we establish that DDR-SSE is resilient to query reconstruction attacks (even under “unrealistically” strong attack assumptions). Finally, we benchmark a prototype implementation of DDR-SSE and show that it scales smoothly to large databases of the size seen in real-world applications.

#eprint BTX: Simple and Efficient Batch Threshold Encryption by Amit Agarwal, Sourav Das, Babak Poorebrahim Gilkalaye, Peter Rindal, Victor Shoup (https://ia.cr/2026/754)

Batched threshold encryption (BTE) enables a committee of servers to jointly decrypt any chosen subset of ciphertexts from a large pool, while all remaining ciphertexts stay private. BTE is a key building block for encrypted mempools, where transactions are encrypted until block inclusion to mitigate maximal extractable value (MEV). Existing epochless BTE constructions either require user-chosen ciphertext indices that create coordination and censorship concerns or are computationally inefficient. In this paper, we present BTX, a simple and concretely efficient BTE construction that is both epochless and collision-free: encryption does not require a user-chosen batch index. Our scheme achieves the shortest ciphertext size among all known BTE constructions, having the same size as a standard ElGamal ciphertext. By making the scheme amenable to FFT, we reduce the decryption cost to $O(B\log B)$ group exponentiations and $O(B)$ pairings, where $B$ is the size of the dynamically chosen batch of ciphertexts. We implement BTX and two baselines in a shared, aggressively optimized C++ codebase over BLS12-381 with AVX-512 vectorization, FFT-based backends where applicable, and additional low-level engineering throughout. At batch size $B = 512$, using a single core, BTX requires approximately $598$ ms total for decryption, compared with $1197$ ms for the FFT-optimized version of the partial-fraction evaluation baseline of Boneh et al., an overall $2.0\times$ improvement.

#eprint ACTS: Attestations of Contents in TLS Sessions by Pierpaolo Della Monica, Ivan Visconti, Andrea Vitaletti, Marco Zecchini (https://ia.cr/2026/755)

An essential requirement for the large-scale adoption of Web3 is enabling users to benefit from their data even within already deployed systems. This raises an important open question: how can existing, widely adopted software verify that a user has retrieved specific data from a TLS server? Impressive scientific results (e.g., DECO [CCS20] and the work of Xie et al. [USENIX24]) and industrial products (TLSNotary) have recently made progress in the above challenging direction. However, while they nicely leave TLS servers untouched, the retrieved data is then used in computations with verifiers that are required to run some advanced non-standardized cryptographic schemes (e.g., ZK-SNARKs), which clearly limits the large-scale adoption of the proposed technologies. In this paper, building on top of previous approaches and relying on the recent concept of Predicate Blind Signatures of Fuchsbauer and Wolf [Eurocrypt24], we bypass the limits of prior work by presenting ACTS, a distributed architecture that, while still leaving TLS servers untouched, allows a user to show possession of data retrieved from TLS servers, simply requiring that the software of the verifier can check a standard signature. Our contributions include a round-optimal predicate blind signature protocol that produces standard RSA-PSS signatures. We show how this primitive can be integrated into the DECO architecture (and its successors) to certify data retrieved from TLS servers. Furthermore, we have optimized our construction to make it practical on commodity hardware for a large and significant class of policies implemented by the notary (i.e., the actor that is in charge of obliviously certifying TLS data, therefore preserving data confidentiality). We provide an experimental evaluation on the simple but powerful enough use case of a PDF document downloaded from a TLS server and encoded into an AES-GCM ciphertext.
The user will then get a certified PDF through a standard PAdES signature added obliviously to the PDF along with some metadata by a notary service. The resulting standard signed PDF document can be transparently verified using off-the-shelf PDF readers. Our experimental validation demonstrates that our architecture is suitable for real-world deployment in concrete scenarios.

#eprint Integral Attack on Reduced-Round Kalyna by Nitish Kumar, Ranit Dutta, Bimal Mandal (https://ia.cr/2026/756)

We study integral cryptanalysis of the Ukrainian block cipher Kalyna and focus on constructing reduced-round distinguishers and key-recovery attacks with low data, time, and memory complexities. Although Kalyna has an SPN-type round structure, its pre-whitening and post-whitening layers use column-wise addition modulo $2^{64}$, which makes the propagation of integral properties more delicate than in XOR-only designs. By combining carefully chosen input multisets with backward extension through inverse round transformations, we obtain integral distinguishers for Kalyna-128, Kalyna-256, and Kalyna-512 in the standard setting, under weak-key assumptions, and in variants without pre-whitening. These distinguishers require as few as $2^8$ or $2^{16}$ chosen texts, substantially improving the data complexity of previously reported public integral results on Kalyna. We further extend them to key-recovery attacks on reduced-round Kalyna by partial decryption and balancedness tests on suitable intermediate states. For example, we obtain a $5$-round key-recovery attack on Kalyna-128/128 with data complexity $2^9$ chosen plaintexts, time complexity $2^{74}$ encryptions, and negligible memory. To the best of our knowledge, this is the first work to provide integral cryptanalysis of Kalyna-256/256 and Kalyna-512/512. Overall, our results give a unified integral analysis of Kalyna across its standard block sizes and clarify the effect of modular whitening on reduced-round distinguishers and key-recovery attacks.

#eprint Integral Distinguishers and a 4-Round Key-Recovery Attack on Kuznyechik Without Initial Key Whitening by Nitish Kumar, Ranit Dutta, Bimal Mandal (https://ia.cr/2026/757)

Kuznyechik is a 128-bit block cipher standardized in GOST R 34.12-2015. In this paper, we study Kuznyechik from the viewpoint of integral cryptanalysis, i.e., we track how structured multisets of chosen plaintexts propagate through the round functions. Starting from a first-order structure of $2^8$ plaintexts (one byte takes all $256$ values while the remaining bytes are fixed), we obtain a 2-round distinguisher: after two rounds, every byte position is balanced, meaning that the XOR-sum over the $256$ texts equals zero. Next, in the setting without initial key whitening, we extend this distinguisher to three rounds by applying one inverse round to the original structure to construct a new input set. Finally, we turn the 3-round balanced property into a 4-round key-recovery attack by partially inverting the last round and filtering last-round key-byte guesses using the balanced test; multiple independent structures remove false candidates.

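A worked version of the distinguisher and key-recovery procedure described in the abstract above, added here as an example and not code from the paper or the GOST standard. The linear layer uses the 16 coefficients and the field polynomial x^8 + x^7 + x^6 + x + 1 of Kuznyechik's L transform (check them against GOST R 34.12-2015 before reusing); the S-box is a stand-in bijection (field inversion plus a constant), not the standard's pi table; round keys, seeds and the constant bytes of each structure are constructed for the demo. Since the integral argument only uses that S is a byte permutation and L is linear, the 2- and 3-round balanced properties and the byte-by-byte recovery of the last round key behave as the abstract describes.

```python
"""Integral distinguishers and 4-round key recovery on a Kuznyechik-style SPN without
initial key whitening. Added example; S-box is a stand-in bijection, not the standard's."""
import random
from functools import reduce
from operator import xor

POLY = 0x1C3  # x^8 + x^7 + x^6 + x + 1, field polynomial of the L transform
# Coefficients of l(a15, ..., a0): L_COEFFS[i] multiplies a[15 - i]; a0 has coefficient 1.
L_COEFFS = (148, 32, 133, 16, 194, 192, 1, 251, 1, 192, 194, 16, 133, 32, 148, 1)


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo POLY (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


MUL = {c: [gf_mul(c, x) for x in range(256)] for c in set(L_COEFFS)}

# Stand-in S-box x -> x^-1 XOR 0x5A (constructed; inversion with 0 -> 0 is a permutation).
_INV = [0] + [next(y for y in range(1, 256) if gf_mul(x, y) == 1) for x in range(1, 256)]
SBOX = [v ^ 0x5A for v in _INV]
SBOX_INV = [0] * 256
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def lin_l(a):
    """l(a15, ..., a0): the GF(2^8) linear combination computed by one R step."""
    return reduce(xor, (MUL[c][a[15 - i]] for i, c in enumerate(L_COEFFS)))


def R(a):
    return a[1:] + [lin_l(a)]  # drop a0, shift down, new a15 = l(a)


def R_inv(b):
    return [b[15] ^ lin_l([0] + b[:15])] + b[:15]  # a0 has coefficient 1 in l


def L(a):
    for _ in range(16):
        a = R(a)
    return a


def L_inv(a):
    for _ in range(16):
        a = R_inv(a)
    return a


def encrypt(x, round_keys):
    """Each round is S, then L, then key XOR: no initial whitening (the paper's setting)."""
    for k in round_keys:
        x = [s ^ kb for s, kb in zip(L([SBOX[v] for v in x]), k)]
    return x


def first_order_structure(active, base):
    """256 texts: byte `active` takes all values, the other bytes are fixed to `base`."""
    return [[v if i == active else base[i] for i in range(16)] for v in range(256)]


def inverse_round_no_key(y):
    """Pull a target round-1 output back through S and L; needs no key without whitening."""
    return [SBOX_INV[v] for v in L_inv(y)]


def xor_sum(states):
    return [reduce(xor, (s[j] for s in states)) for j in range(16)]


def is_balanced(states):
    """Every byte position XOR-sums to zero over the whole set."""
    return all(b == 0 for b in xor_sum(states))


def last_key_candidates(ciphertexts):
    """Per-byte candidates for L^-1(K_last): L^-1(C) = S(state) XOR L^-1(K_last), so a guess
    survives if undoing S with it leaves that byte balanced over the 256 ciphertexts."""
    partial = [L_inv(c) for c in ciphertexts]
    cands = []
    for j in range(16):
        col = [p[j] for p in partial]
        cands.append({g for g in range(256)
                      if reduce(xor, (SBOX_INV[v ^ g] for v in col)) == 0})
    return cands


def recover_last_key(ciphertext_sets):
    """Intersect candidates across structures; return K_last, or None if still ambiguous."""
    cands = [set(range(256)) for _ in range(16)]
    for cts in ciphertext_sets:
        for j, s in enumerate(last_key_candidates(cts)):
            cands[j] &= s
    if any(len(s) != 1 for s in cands):
        return None
    return L([next(iter(s)) for s in cands])  # K_last = L(L^-1(K_last))


def attack_4_rounds(round_keys, n_structures=3, seed=1):
    """Chosen-plaintext attack: extended 3-round structures plus one round of key guessing."""
    rng = random.Random(seed)
    sets = []
    for t in range(n_structures):
        base = [rng.randrange(256) for _ in range(16)]  # constructed constant bytes
        pts = [inverse_round_no_key(y) for y in first_order_structure(t, base)]
        sets.append([encrypt(p, round_keys[:4]) for p in pts])
    return recover_last_key(sets)


_rng = random.Random(2026)  # constructed demo round keys
KEYS = [[_rng.randrange(256) for _ in range(16)] for _ in range(4)]

if __name__ == "__main__":
    s1 = first_order_structure(0, list(range(16)))
    s3 = [inverse_round_no_key(y) for y in s1]
    print("2 rounds, plain structure balanced:   ", is_balanced([encrypt(p, KEYS[:2]) for p in s1]))
    print("3 rounds, plain structure balanced:   ", is_balanced([encrypt(p, KEYS[:3]) for p in s1]))
    print("3 rounds, extended structure balanced:", is_balanced([encrypt(p, KEYS[:3]) for p in s3]))
    print("4 rounds, extended structure balanced:", is_balanced([encrypt(p, KEYS[:4]) for p in s3]))
    print("recovered last round key matches:     ", attack_4_rounds(KEYS) == KEYS[3])
```

The extension to three rounds is where the missing whitening matters: with a whitening key XORed before the first S-box, the attacker could not compute the preimages in inverse_round_no_key, and the distinguisher would stay at two rounds. In the key-recovery step each wrong byte guess passes the balance test with probability about 1/256, so a single structure leaves roughly one false candidate among the 16 positions; intersecting over three structures is what makes the recovered key unique.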
#eprint Incentivizing Geographic Diversity for Decentralized Systems by Marc Roeschlin, Evangelos Markakis, Raghav Bhaskar, Aggelos Kiayias (https://ia.cr/2026/758)

Permissionless decentralized networks, such as blockchains, are typified by self-determined participation. Unfortunately, this has resulted in a lack of geographic diversity in several blockchains due to benefits emanating from network proximity between nodes and the higher availability of computing infrastructure in certain areas. Lack of diversity in the resulting network can make it susceptible to geopolitical events, blockchain- or cryptocurrency-adverse law-making, and natural disasters. While there exists a growing body of work in verifiable localization in distributed systems, very little exists on mechanisms promoting geographic diversity in distributed systems. Our work sets out to initiate the study of the incentivization of geographic diversity in permissionless distributed systems. We design a family of mechanisms that incentivize network nodes to truthfully declare and diversify their locations. In particular, we provide a game-theoretic analysis to derive the conditions under which truthful location reporting is an equilibrium. The conditions relate the offered rewards (for geo-diversity) and the success probability of the underlying localization protocol to detect falsely claimed locations. Our proposed mechanisms assume an underlying secure node localization protocol based solely on round-trip time (RTT) measurements from participants of the protocol. We initiate a formal model to reason about such localization protocols and identify network topologies that are ideal for resisting location spoofing attempts. We evaluate the effectiveness of our incentive mechanisms in different scenarios of node placement and underlying network structure. Our validation is based on two RTT data sets we use to derive the maximal spoofing distance and attack success rates that adversarial nodes can achieve when operating alone or in collusion with other nodes.

#eprint A Scalable Fault Countermeasure for SLH-DSA: Trade-offs Between Memory, Performance, and Fault Resilience by Melissa Azouaoui, Tobias Schneider, Denise Verbakel (https://ia.cr/2026/759)

We introduce compressed caching, a scalable and parameterizable countermeasure against grafting tree fault attacks on SLH-DSA. Unlike standard caching, which entails fully caching the WOTS+ signatures and public keys, compressed caching achieves significant memory savings while maintaining strong fault detection capabilities. It can be tuned to achieve a trade-off between caching memory size, fault resilience, and performance, making it well-suited for deployment across devices with varying resource and security constraints. We provide a security and performance analysis of compressed caching and show that it can be configured to achieve high fault detection probability and outperform standard caching, mainly in terms of memory but also in terms of performance. Additionally, we explore granular variants of both standard and compressed caching and study on a finer scale the memory-performance trade-off of both standard and compressed caching. Our results demonstrate that compressed caching is especially advantageous for constrained devices, outperforming standard caching when less than approximately 256 kB of caching memory is available.

#eprint A Simple Batched Threshold Encryption Scheme by Guru-Vamsi Policharla (https://ia.cr/2026/760)

In this note, we construct a simple batched threshold encryption scheme that satisfies censorship resistance, does not suffer from epoch restrictions, and has quasi-linear decryption complexity $O(B\log{B})$ in the batch size $B$. Our scheme has a CPA secure ciphertext size of $|\mathbb{G}_1| + |\mathbb{G}_T|$, and a CCA secure ciphertext size of $|\mathbb{G}_1| + 2|\mathbb{F}| + |\mathbb{G}_T|$. Our construction requires an interactive setup phase (involving secure multiplications) and has secret keys that grow linearly with the batch size.
