Eurocrypt 2026, the 45th Annual International Conference on the Theory and Applications of Cryptographic Techniques, will take place in Rome, Italy on May 10-14, 2026. Eurocrypt 2026 is organized by the International Association for Cryptologic Research (IACR).
Jonas Janneck (Ruhr University Bochum) and Doreen Riepel study how to model and analyze the security of end-to-end encrypted cloud storage in a more realistic and rigorous way. Building on earlier work, they extend existing security frameworks in several directions. First, they show that a previously proposed cloud storage scheme can also be proven secure against adaptive attacks, where adversaries decide during execution which users to compromise; this requires only a slight modification of the scheme. Second, they further modularize the scheme, especially the authentication component, to clarify which cryptographic building blocks are actually needed. Third, they introduce a new threat model where adversaries control the network but not the server, allowing formal statements about online password guessing attacks. Fourth, they formalize explicit authentication, enabling servers to detect and react to malicious login attempts. Overall, the work refines how security guarantees for cloud storage are defined and proven. For society, this provides a more reliable basis for evaluating and improving the security of widely used cloud services, without overstating their protection.
Cas Cremers, Esra Günsay, Vera Wesselkamp (Hasso Plattner Institute), and Mang Zhao (Wuhan University) analyze the security of the Messaging Layer Security (MLS) standard (RFC 9420), which underpins modern secure group messaging systems, and derive security results that have direct real-world implications for systems affecting millions of users. The study provides the first comprehensive cryptographic analysis of the final version of the standard, including so-called “external operations.” These features allow, for example, users to rejoin groups or external services to propose changes, capabilities that had not been covered in earlier analyses. To do so, they introduce a formal model, ETK, and its extension, ETK+, that closely reflect the real protocol, and prove that key security properties (confidentiality, consistency, and authentication) are achieved. However, the analysis also identifies an important limitation: when external operations are allowed, a key guarantee known as post-compromise security becomes weaker than previously assumed. Under certain conditions, attackers who obtain long-term secrets may regain access even after recovery mechanisms are applied. As a mitigation, they propose an extension that incorporates additional pre-shared keys (PSKs), which can partially restore stronger security guarantees. Overall, the work provides a more accurate understanding of the security of widely used group messaging protocols. For society, this means that the foundations of secure digital communication can be evaluated and improved more reliably, while also highlighting that even standardized systems require ongoing scrutiny and refinement.
Lucjan Hanzlik, Yi-Fu Lai (Shanghai Jiao Tong University & KU Leuven), Eugenio Paracucchi, and Edoardo Persichetti (Florida Atlantic University) present a new construction for blind signatures, a cryptographic tool widely used to preserve privacy in applications such as digital payments and voting.
Blind signatures allow a signer to approve a message without learning its content or later linking the signature to a specific interaction. At the same time, the system must ensure that users cannot produce more valid signatures than the number of interactions they had.
Existing post-quantum approaches either suffer from efficiency limitations or rely on less standard security assumptions. Building on earlier work (“Tanuki”), they introduce a new framework (“Wombat”) that relies only on a well-established assumption known as the group action inversion problem.
A key contribution is achieving security even when many signing sessions occur simultaneously (concurrent security), which is important for real-world deployments. In addition, they significantly reduce signature sizes, especially in code-based implementations, achieving a reduction by a factor of 14.5 without weakening security guarantees.
To accomplish this, they develop new technical methods that overcome limitations in prior designs and enable more efficient use of the underlying mathematical structures.
This work strengthens the foundations for practical, privacy-preserving cryptographic systems in a future with quantum computers, improving both efficiency and the reliability of the underlying security assumptions without introducing exaggerated claims.
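To make the two properties named in this summary concrete (the signer approves a message without seeing it, and the result verifies as an ordinary signature), here is an added example using the textbook Chaum RSA blind signature. It is illustration code written for this page, not the Wombat or Tanuki construction, which is built on group actions rather than RSA; the key material, the sample message, and all function names are constructed for the demo.

```python
"""Chaum-style RSA blind signature, as a textbook illustration of the blind
signature interface (blind -> sign_blinded -> unblind -> verify).
This is NOT the Wombat scheme from the summary above; it only demonstrates
the blindness and correctness properties that any blind signature must give."""
import hashlib
import secrets
from math import gcd

# Constructed demo key: two Mersenne primes, far too small for real use,
# chosen so the example runs instantly without a key-generation routine.
# Never hard-code a private key in production code.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, E*D = 1 mod phi(N)


def hash_to_int(message: bytes) -> int:
    """Full-domain-style hash: SHA-256 digest reduced into Z_N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def blind(message: bytes, r: int = 0) -> tuple:
    """User side: multiply H(m) by r^e for a fresh r coprime to N.
    Returns (blinded_value, r); r must be kept secret until unblinding."""
    if r == 0:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
    blinded = (hash_to_int(message) * pow(r, E, N)) % N
    return blinded, r


def sign_blinded(blinded: int) -> int:
    """Signer side: applies the private key to whatever it is handed.
    The signer sees only H(m) * r^e, which is uniformly random in Z_N*."""
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """User side: (H(m) r^e)^d = H(m)^d * r, so dividing by r leaves H(m)^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(message: bytes, sig: int) -> bool:
    """Ordinary RSA verification; nothing here knows the signature was blinded."""
    return pow(sig, E, N) == hash_to_int(message)


def demo() -> dict:
    msg = b"transfer 10 coins to alice"          # constructed sample message
    blinded, r = blind(msg)
    sig = unblind(sign_blinded(blinded), r)
    # Blinding the same message twice gives unrelated values, so the signer
    # cannot later link a signature to a particular signing interaction.
    blinded_again, _ = blind(msg)
    return {
        "valid": verify(msg, sig),
        "tampered_rejected": not verify(b"transfer 10 coins to mallory", sig),
        "blinded_values_differ": blinded != blinded_again,
        "signer_saw_hash": blinded == hash_to_int(msg),
    }


if __name__ == "__main__":
    print(demo())
```

What the code cannot show is the property the summary singles out: one-more unforgeability under concurrent sessions, i.e. that a user who completes k signing interactions cannot produce k+1 valid signatures even when sessions are interleaved. For Chaum's RSA scheme that guarantee depends on the RSA known-target inversion assumption; Wombat's contribution is obtaining the concurrent version from the group action inversion problem alone.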
Renas Bacho and Yanbo Chen (University of Ottawa) study new approaches to so-called multi-signatures, which are used in distributed systems such as cryptocurrencies. These schemes allow multiple parties to jointly produce a digital signature that can be verified efficiently. Existing designs typically achieve either strong security or practical efficiency, but rarely both. In particular, large signature sizes and communication overhead remain key limitations. They introduce “Earpick-MS,” a new multi-signature scheme that requires only two rounds of interaction, avoids pairing-based cryptography, and achieves so-called tight security guarantees (the security proof loses essentially nothing relative to the underlying hardness assumption, so parameters need not be inflated to compensate). A main contribution is the significantly reduced signature size: instead of nine field elements and two group elements, signatures consist of just three field elements and a single bit. This reduces size by roughly a factor of 3.5, improving practicality in resource-constrained environments. They also present “Earpick-TS,” a threshold signature variant where only a subset of participants is needed to sign. This scheme maintains the same compact size and achieves tight security with only two rounds of communication. According to the authors, this is the first pairing-free construction of its kind combining these properties. The work advances cryptographic design by demonstrating that strong security and efficiency can be better balanced than previously thought. Its societal relevance lies in enabling more efficient and scalable secure digital systems, although its real-world impact depends on adoption in practical applications.
Marius A. Aardal (Aarhus University), Andrea Basso (IBM Research Europe), and Doreen Riepel introduce a new theoretical framework called the Algebraic Isogeny Model (AIM) to better analyze the security of modern cryptographic schemes based on isogenies—special mathematical mappings between elliptic curves.
Earlier models could only capture limited versions of these structures. The AIM significantly generalizes them, allowing more powerful types of attacks to be considered. This leads to more realistic and robust security analyses. They first show that results proven in earlier, more restrictive models can be transferred into this broader setting, strengthening confidence in existing security claims.
A key result is a stronger security proof for the SQIsign signature scheme, a candidate in post-quantum cryptography. They demonstrate that it remains secure even against adversaries with quantum access to the random oracle (an idealization used to model hash functions), addressing a previously unresolved issue.
They also prove that for several isogeny-based key exchange protocols, two fundamental mathematical problems—the isogeny-based analogues of the discrete logarithm problem and the computational Diffie–Hellman problem—are equivalent in this model. This simplifies how their security can be evaluated.
Overall, the work provides a clearer theoretical foundation for isogeny-based cryptography. While it has no immediate practical impact, it supports the development of future encryption methods that are expected to remain secure in the presence of quantum computers.
Renas Bacho (CISPA Helmholtz Center for Information Security and Saarland University), Yanbo Chen (University of Ottawa), Julian Loss (Ruhr University Bochum), Stefano Tessaro (University of Washington), and Chenzhi Zhu (NTT Research) study a key problem in modern cryptography: digital signatures that can be jointly produced by multiple parties. These so-called threshold signatures are widely used in applications such as cryptocurrencies.
An important goal is “adaptive security,” where an attacker can decide during execution which participants to corrupt. Existing adaptive security proofs for practical schemes, in particular for the widely used FROST scheme, rely on a new and not yet well-studied hardness assumption about a mathematical problem (LDVR).
The authors introduce a new scheme called “ms-FROST” that resolves this issue. It achieves adaptive security without relying on this new assumption and instead builds on more established cryptographic foundations. At the same time, it remains efficient and requires only two rounds of communication, which is important in practice.
A key idea is “masking,” where individual contributions are modified so they do not reveal sensitive information, while still combining correctly into a valid final signature.
They also prove a limitation: certain types of security proofs are fundamentally impossible without specific modeling assumptions.
Overall, this work strengthens the theoretical foundations of cryptographic protocols and makes them more robust. For society, this means more reliable security in digital systems—such as financial infrastructure or digital identity—without relying on untested assumptions.
These summaries were created with the support of ChatGPT.