MPTS 2026: NIST Workshop on Multi-Party Threshold Schemes 2026

  • Workshop dates: January 26–29, 2026.
  • Attendance: Free, fully-virtual, via ZoomGov

Introduction. The NIST Workshop on Multi-Party Threshold Schemes (MPTS) 2026 brings together multiple perspectives on Threshold Cryptography, in a learning and collaborative environment. The 4-day virtual workshop is organized within the scope of the NIST Multi-Party Threshold Cryptography (MPTC) program, to gather insights about the state of the art. In scope are topics related to the specification, analysis, and implementation of threshold schemes (and auxiliary primitives). The event includes invited and externally-proposed talks, including "previews" of upcoming submissions in reply to the NIST Threshold Call (NIST IR 8214C).

Quick links:

Day | Morning sessions | Afternoon sessions
Jan-26 (Mon) | 1-0: Workshop Introduction; 1a: Threshold Signatures: Schnorr/EdDSA | 1b: Threshold Signatures: BLS and Security
Jan-27 (Tue) | 2a: Threshold Signatures: ECDSA and others | 2b: FHE and Threshold FHE
Jan-28 (Wed) | 3a: Threshold Ciphers and Hashing | 3b: Threshold PQ Lattice-based
Jan-29 (Thu) | 4a: Threshold PQ Isogeny/Code/MV-based; 4b: Misc. (RSA DKG, VSS, BB limitations) | 4c: Zero-Knowledge Proofs of Knowledge


The workshop included 47 indexed slots: 25 "Preview Talks" (representing 26 plans of upcoming submissions to the NIST Threshold Call), 15 regular talks (4 invited; 11 accepted proposals), 1 panel, 4 NIST update talks, 1 workshop technical introduction, and 1 welcoming remarks. Times are displayed in Eastern Standard Time (EST = UTC -5).

1st day (Monday, 2026-Jan-26)

(09:30–10:03) Welcome & Introduction

• 08:45–09:30: Initial login (check sound and image)
Talk 101. 09:33–09:40: NIST-CSD Welcome to MPTS 2026. Speaker: Jon Boyens (NIST @ USA)
Talk 102. 09:40–10:03: Introduction to MPTS 2026 and the NIST Threshold Call. Speaker: Luís Brandão (NIST/Strativia @ USA) [Slides]

Session 1a (10:03–12:30): Threshold Signatures: Schnorr/EdDSA

• 10:03: Session start
Talk 1a1. 10:05–10:30: [Preview by FROST] Updates on the FROST NIST submission. Speaker: Chelsea Komlo (University of Waterloo, NEAR One @ USA)
Talk 1a2. 10:30–11:00: On the Adaptive Security of Threshold Schnorr Signatures: New Frontiers. Speaker: Elizabeth Crites (Web3 Foundation @ Switzerland) [Slides]
• Short Break
Talk 1a3. 11:10–11:35: [Preview by Fireblocks-3MI] Distributed Schnorr Signatures: Classic Schnorr. Speaker: Nikolaos Makriyannis (Fireblocks @ USA) [Slides]
Talk 1a4. 11:35–12:00: [Preview by BDLR] Gargos: Threshold Schnorr Signature Scheme. Speaker: Sourav Das (Category Labs @ USA) [Slides]
Talk 1a5. 12:00–12:25: Mask-FROST: Adaptively Secure 2-round Threshold Schnorr Signatures in the algebraic group model. Speaker: Chenzhi Zhu (NTT Research @ USA) [Slides]
• Lunch break

Session 1b (13:45–16:30): Threshold Signatures: BLS and Security

• 13:45: Session start
Talk 1b1. 13:50–14:15: [Preview by BBDL] tBLS: Threshold BLS Signature Scheme. Speaker: Sourav Das (Category Labs @ USA) [Slides]
Talk 1b2. 14:15–14:40: Sparkle Revisited: Proving Tight Adaptive Security of a Simple Schnorr Threshold Scheme. Speaker: Marek Sefranek (TU Wien @ Austria) [Slides]
Talk 1b3. 14:40–15:05: Silent Threshold Cryptography from Pairings. Speaker: David Wu (UT Austin @ USA) [Slides]
• Short Break
Talk 1b4. 15:15–15:40: Defining Unforgeability for Threshold Signatures. Speaker: Stefano Tessaro (University of Washington @ USA) [Slides]
Talk 1b5. 15:40–16:30: Panel on Security of Threshold ECDLP-based Signatures. Panelists: Elizabeth Crites (see 1a2), Nikolaos Makriyannis (see 1a3), Stefano Tessaro (see 1b4). Moderator: Luís Brandão (see 102).

2nd day (Tuesday, 2026-Jan-27)

Session 2a (09:30–12:50): Threshold Signatures: ECDSA and others

• 09:30: Session start
Talk 2a1. 09:35–10:00: Two-party ECDSA Signing at Constant Communication Overhead. Speaker: Yashvanth Kondi (Silence Laboratories @ Singapore) [Slides]
Talk 2a2. 10:00–10:40: [Preview by Fireblocks-3MI] Distributed ECDSA: BAM and CGGMP. Speaker: Nikolaos Makriyannis (Fireblocks @ USA) [Slides]
Talk 2a3. 10:40–11:15: [Preview by BICYCCLIST] TECLA and THE CLASH: Two Party and Threshold ECDSA Signature from Class Group Cryptography. Speaker: Federico Savasta (University of Montpellier, CNRS, LIRMM @ France) [Slides]
• Short Break
Talk 2a4. 11:25–11:50: [Preview by (Red)ETA] (Red)ETA: Refreshable Extensible DLOG Enhanced Threshold Algorithms. Speaker: Riccardo Longo (Fondazione Bruno Kessler @ Italy) [Slides]
Talk 2a5. 11:50–12:15: [Preview by SplitForge] SplitKey: Two-Party Signing and Decryption with Extra Features. Speaker: Peeter Laud (Cybernetica AS @ Estonia) [Slides]
• Lunch break

Session 2b (13:30–16:30): FHE and Threshold FHE

• 13:30: Session start
Talk 2b1. 13:35–13:50: NIST Update on Cryptographic Algorithm Validation. Speaker: Chris Celi (NIST @ USA) [Slides]
Talk 2b2. 13:50–14:05: Validating Floating Point Implementations. Speaker: Pierre Ciadoux (NIST (FGR) @ USA) [Slides]
Talk 2b3. 14:05–14:55: [Preview by Zama] TFHE (FHE), ZHEnith (ZK) and Nexus (MPC). Speaker: Nigel Smart (Zama @ France; KU Leuven @ Belgium) [Slides]
• Short Break
Talk 2b4. 15:05–15:30: Threshold FHE from CKKS and Applications. Speaker: Damien Stehlé (CryptoLab Inc. @ South Korea) [Slides]
Talk 2b5. 15:30–16:20: [Preview by PANTHERIA] PANTHERIA: Threshold FHE for RLWE-Based Cryptosystems. Speakers: Yuriy Polyakov (Duality Technologies; OpenFHE @ USA), Chris Peikert (University of Michigan @ USA), Zeyu Liu (Yale University; OpenFHE @ USA) [Slides]

3rd day (Wednesday, 2026-Jan-28)

Session 3a (09:30–12:30): Threshold Ciphers and Hashing

• 09:30: Session start
Talk 3a1. 09:35–09:55: Advances in NIST Symmetric-Key Standards: Ascon, Accordion, and Wide-AES. Speaker: Meltem Sönmez Turan (NIST @ USA) [Slides]
Talk 3a2. 09:55–10:20: [Preview by MPC MINIons] MiniMPC: Threshold Schemes for (and from) MiniCrypt. Speaker: Xiao Wang (Northwestern University @ USA) [Slides]
Talk 3a3. 10:20–10:45: [Preview by MPC MINIons] What's New in the MiniMPC Submission. Speaker: Xiaojie Guo (Shanghai Qi Zhi Institute @ China) [Slides]
• Short Break
Talk 3a4. 11:00–11:25: Towards an Efficient Multi-Party Threshold Ascon. Speaker: Peter Schwarz (COSIC, KU Leuven @ Belgium) [Slides]
Talk 3a5. 11:25–12:00: [Preview by Symphony] Symphony: Threshold Evaluation of Symmetric Primitives (AES, SHA, MAC). Speaker: Erik Pohle (Aarhus University @ Denmark) [Slides]
Talk 3a6. 12:00–12:25: [Preview by HayStack] Haystack: Threshold and Distributed Stateful Hash-Based Signatures. Speaker: John Kelsey (NIST @ USA) [Slides]
• Lunch break

Session 3b (13:30–16:25): Threshold PQ Lattice-based Schemes

• 13:30: Session start
Talk 3b1. 13:35–13:50: The NIST Post-Quantum Cryptography Project. Speaker: Dustin Moody (NIST @ USA) [Slides]
Talk 3b2. 13:50–14:15: [Preview by Tanuki] Tanuki: Two-round Threshold Signatures from Lattices. Speaker: Akira Takahashi (J.P. Morgan @ USA) [Slides]
Talk 3b3. 14:15–14:40: [Preview by Hermine] Hermine: An Efficient Raccoon-Style Non-Interactive Threshold Signature with Advanced Properties. Speaker: Thomas Prest (PQShield @ France) [Slides]
Talk 3b4. 14:40–14:52: Lattice-based Threshold Blind Signatures. Speaker: Guilhem Niot (PQShield; University of Rennes, CNRS, IRISA @ France) [Slides]
• Short Break
Talk 3b5. 15:02–15:27: [Preview by Amber] Amber: Lattice-Based Threshold KEM from the BCHK+ Transform. Speaker: Sasha Lapiha (Royal Holloway, University of London @ UK) [Slides]
Talk 3b6. 15:27–15:52: [Preview by Quorus] Quorus: Efficient, Scalable Threshold ML-DSA Signatures from MPC. Speaker: Leo de Castro (J.P. Morgan @ USA) [Slides]
Talk 3b7. 15:52–16:17: [Preview by Mithril] Mithril: Efficient Threshold ML-DSA from Secret Sharing with Short Shares. Speaker: Guilhem Niot (PQShield; University of Rennes, CNRS, IRISA @ France) [Slides]

4th day (Thursday, 2026-Jan-29)

Session 4a (09:30–11:02): Threshold PQ (Isogenies, Code, Multivariate)-based Schemes

• 09:30: Session start
Talk 4a1. 09:35–10:00: [Preview by PQarrots] Threshold Schemes from (Isogeny-Based) Group Actions. Speaker: Giacomo Borin (IBM Research Zurich & University of Zurich @ Switzerland) [Slides]
Talk 4a2. 10:00–10:12: Compact threshold signatures from Pushforwards of Large-Degree Isogenies. Speaker: Giacomo Borin (IBM Research Zurich & University of Zurich @ Switzerland) [Slides]
Talk 4a3. 10:12–10:37: [Preview by LEAST] LEAST: Linear Equivalence Action Threshold Signature. Speaker: Michele Battagliola (Marche Polytechnic University @ Italy) [Slides]
Talk 4a4. 10:37–11:02: [Preview by Vinaigrette] Vinaigrette: An Optimized Framework for Threshold UOV and MAYO Signatures. Speaker: Sofia Celi (Brave and University of Bristol @ UK) [Slides]
• Short Break

Session 4b (11:10–12:50): Miscellaneous: RSA DKG; VSS; BB Limitations

• 11:10: Session start
Talk 4b1. 11:12–11:37: Improved Distributed RSA Key Generation Using the Miller-Rabin Test. Speaker: Ivan Damgård (Aarhus University @ Denmark) [Slides]
Talk 4b2. 11:37–12:02: [Preview by PiVer] PiVer: Π Verifiable Secret Sharing Framework. Speaker: Karim Baghery (COSIC, KU Leuven @ Belgium) [Slides]
Talk 4b3. 12:02–12:27: Building Giant Multi-Party Threshold Cryptosystems with Lightweight Cryptography. Speaker: Aniket Kate (Purdue University and Supra Research @ USA) [Slides]
Talk 4b4. 12:27–12:52: Black-Box Threshold Signing of Hash-Based Signatures is Impossible. Speaker: Naman Kumar (IRIF @ France; Silence Laboratories @ Singapore) [Slides]
• Lunch break

Session 4c (14:00–16:00): Zero-Knowledge Proofs of Knowledge (ZKPoK)

• 14:00: Session start
Talk 4c1. 14:05–14:30: [Preview by Schmivitz] Schmivitz: VOLEitH Based ZK Gadgets for Threshold Cryptography. Speaker: James Parker (Galois Inc @ USA) [Slides]
Talk 4c2. 14:30–14:55: [Preview by SmallWood] SmallWood: Hash-Based Zero-Knowledge Arguments for Relatively Small Instances. Speaker: Matthieu Rivain (CryptoExperts @ France) [Slides]
• Short Break
Talk 4c3. 15:05–15:30: Ligetron: Design and Deployment of ZK Applications Made Easy. Speaker: Muthuramakrishnan Venkitasubramaniam (Ligero Inc. @ USA) [Slides]
Talk 4c4. 15:30–15:55: Zk for Legacy Schemes. Speaker: abhi shelat (Google; Northeastern University @ USA)

There was a Call for talks, for two types of talks: 

  • Regular talk: Submit proposal by 2025-Sep-10 (general contribution talk), by email to mpts2025-submit (at) list (dot) nist (dot) gov.
  • "Preview talk": Submit proposal by 2026-Jan-12 (2025-Nov-03) (within the scope of the Threshold Call), along with a "Preview Writeup" (.ZIP, .PDF) to MPTC-submissions (at) list (dot) nist (dot) gov.

The workshop was previously planned as MPTS 2025 (Nov 17–20), and later rescheduled as MPTS 2026 (Jan 26–29). 

MPTS 2026 welcomes proposals of talks related to Threshold Cryptography, including the following topics:

  1. Threshold security. Security formulation (e.g., simulatable, game-based), analysis, and provability. Security against adaptive corruptions. Proactive security. Suitability of cryptographic and/or idealized assumptions (e.g., ROM, AGM, GGM) and conjectures. Consequences of (non-ideal) real instantiation of idealized components. Relevant security properties.
  2. Systematization of knowledge. Techniques, applications, and related context, about any topic of relevance within the scope of the NIST Threshold Call, including multi-party computation (MPC), zero-knowledge proofs (ZKP), fully-homomorphic encryption (FHE), threshold-friendly cryptographic primitives (e.g., key-generation, signatures, encryption/decryption, hashing) and their corresponding threshold schemes.
  3. Need and adoptability. Application use cases (fulfilled, urgent, emerging, envisioned). Pertinent setup assumptions, threshold profiles (§C.3), and threshold interfaces (§C.4).
  4. Concrete threshold schemes. Novel schemes (e.g., with new assumptions, lower number of rounds, better results in a metric of interest) and older pertinent schemes.
  5. Special properties. Relation between threshold capabilities and other properties, such as succinctness, FHE/ZKP-friendliness, blinding, aggregation, batching.
  6. Building blocks and networking. Garbled circuits, oblivious transfer, useful commitment schemes, vector oblivious linear evaluation, broadcast, consensus, etc. See §10.7 and §C.1.2 of NISTIR 8214C 2pd.
  7. Implementation, testing, validation, certification. Criteria and techniques for validation/verification of implementations of threshold schemes. Test vectors and reproducibility challenges when testing distributed systems, and/or floating-point operations. Formal methods. Certification profiles.
  8. Quantum resistance/vulnerability. Threshold schemes for PQC primitives. Pairing-based threshold schemes. Examples, challenges, advantages and other differences between quantum-resistant and quantum-vulnerable solutions. Levels of security strength.
  9. Development, education, standardization and other community efforts. Perspectives on efforts related to techniques in scope of the NIST Threshold Call, including FHE, MPC, threshold schemes, ZKP, and useful building blocks.

The MPTS 2026 workshop hosted the first round of "Preview Talks" (pursuant to the Threshold Call).

The NIST Threshold Call (NIST IR 8214C) establishes a phase of "Previews", for prospective teams to present their plans for an upcoming package submission. A preview requires a "Preview Writeup" and a "Preview Talk":

  • "Preview Writeup": To be prepared using a LaTeX template [.ZIP], [.PDF].
    Send by email to mptc-submissions (at) list (dot) nist (dot) gov
  • "Preview Talk": Can be proposed via the "MPTS Form for Talk Proposals".
    Send by email to mpts2025-submit (at) list (dot) nist (dot) gov

Number of registrations/participants:

• The event received >600 online registrations, from over 50 countries.
• ZoomGov statistics indicate approximately {250, 170, 130, 100} individual logins across the 4 days.

Presentation slots

The workshop had 10 sessions (1-0, 1a, 1b, 2a, 2b, 3a, 3b, 4a, 4b, 4c), comprising 46 presentation slots.

Speakers

(Ordered alphabetically by last name)

  1. Karim Baghery (COSIC, KU Leuven @ Belgium): 4b2
  2. Michele Battagliola (Marche Polytechnic University @ Italy): 4a3
  3. Giacomo Borin (IBM Research Zurich; University of Zurich @ Switzerland): 4a1, 4a2
  4. Jon Boyens (NIST @ USA): 101
  5. Luís Brandão (NIST (FGR)/Strativia @ USA): 102, 1b5
  6. Chris Celi (NIST @ USA): 2b1
  7. Sofia Celi (Brave; University of Bristol @ UK): 4a4
  8. Pierre Ciadoux (NIST (FGR) @ USA): 2b2
  9. Elizabeth Crites (Parity Technologies @ UK): 1a2, 1b5 
10. Ivan Damgård (Aarhus University @ Denmark): 4b1
11. Sourav Das (Category Labs @ USA): 1a4, 1b1
12. Leo de Castro (J.P. Morgan @ USA): 3b6
13. Xiaojie Guo (Shanghai Qi Zhi Institute @ China): 3a3
14. Aniket Kate (Purdue University; Supra Research @ USA): 4b3
15. John Kelsey (NIST @ USA): 3a6
16. Chelsea Komlo (University of Waterloo; NEAR One @ USA): 1a1
17. Yashvanth Kondi (Silence Laboratories @ Singapore): 2a1
18. Naman Kumar (IRIF @ France; Silence Laboratories @ Singapore): 4b4
19. Sasha Lapiha (Royal Holloway, University of London @ UK): 3b5
20. Peeter Laud (Cybernetica AS @ Estonia): 2a5
21. Zeyu Liu (Yale Univ; OpenFHE @ USA): 2b5
22. Riccardo Longo (Fondazione Bruno Kessler @ Italy): 2a4
23. Nikolaos Makriyannis (Fireblocks @ USA): 1a3, 2a2, 1b5 
24. Dustin Moody (NIST @ USA): 3b1
25. Guilhem Niot (PQShield; University of Rennes, CNRS, IRISA @ France): 3b4, 3b7
26. James Parker (Galois Inc @ USA): 4c1
27. Chris Peikert (University of Michigan @ USA): 2b5
28. Erik Pohle (Aarhus University @ Denmark): 3a5
29. Yuriy Polyakov (Duality Technologies; OpenFHE @ USA): 2b5
30. Thomas Prest (PQShield @ France): 3b3
31. Matthieu Rivain (CryptoExperts @ France): 4c2
32. Federico Savasta (University of Montpellier, CNRS, LIRMM @ France): 2a3
33. Peter Schwarz (COSIC, KU Leuven @ Belgium): 3a4
34. Marek Sefranek (TU Wien @ Austria): 1b2
35. abhi shelat (Google; Northeastern University @ USA): 4c4
36. Nigel Smart (Zama @ France; KU Leuven @ Belgium): 2b3
37. Meltem Sönmez Turan (NIST @ USA): 3a1
38. Damien Stehlé (CryptoLab Inc. @ South Korea): 2b4
39. Akira Takahashi (J.P. Morgan @ USA): 3b2
40. Stefano Tessaro (University of Washington @ USA): 1b4, 1b5
41. Muthuramakrishnan Venkitasubramaniam (Ligero Inc. @ USA): 4c3
42. Xiao Wang (Northwestern University @ USA): 3a2
43. David Wu (UT Austin @ USA): 1b3
44. Chenzhi Zhu (NTT Research @ USA): 1a5

Session chairs

Michael Davidson (NIST @ USA): session 1a
Dustin Moody (NIST @ USA): session 4a
Ray Perlner (NIST @ USA): session 3b.II
Meltem Sönmez Turan (NIST @ USA): session 3a.II
Luís Brandão (conference chair/organizer): sessions 1b, 2a, 2b, 3a.I, 3b.I, 4b, 4c

Participation in the workshop requires abiding by the Code of Conduct for NIST conferences

Contacts:

  • Announcements: To receive announcements about the MPTC project, subscribe to the MPTC-Forum
  • Questions or comments about MPTS 2026 or this webpage: mpts2026 (at) nist (dot) gov
  • Registration page: ZoomGov link (deleted after the workshop)

Selected Presentations

January 26, 2026 Type
9:30 AM NIST-CSD Welcoming Remarks to MPTS 2026
Jon Boyens - NIST

The NIST Computer Security Division gives the welcoming remarks to the participants of the NIST Workshop on Multi-Party Threshold Schemes (MPTS) 2026.

Presentation
10:05 AM Updates on the FROST NIST Submission
Chelsea Komlo - University of Waterloo, Near One (USA)

"Preview Talk" by Team FROST @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, we will give an update on the upcoming FROST submission to the NIST Threshold Call. We will discuss the preparatory status of the submission, review choices we have made, and discuss what remains. We will review the FROST signature scheme and discuss its strengths relative to other threshold signature schemes. Finally, we will discuss the security of FROST, and give updates in terms of the adaptive security of FROST.

Joint work: Elizabeth Crites, Conrado Gouvea, Jack Grigg, Ian Goldberg, Jonathan Katz, Chelsea Komlo, Mary Maller, Simon Rastikian, Stefano Tessaro, Nikita Sorokovikov, Denis Varlakov, Chenzhi Zhu.

Suggested readings:

  • Preview Writeup: FROST: Flexible Round-Optimized Schnorr Threshold Signatures: A Threshold Scheme Interchangeable with EdDSA
  • On the adaptive security of FROST (ia.cr/2025/1061)
Presentation
10:30 AM On the Adaptive Security of Threshold Schnorr Signatures: New Frontiers
Elizabeth Crites - Parity Technologies @ UK

Abstract. In this talk, I will present two recent works on the adaptive security of threshold Schnorr signature schemes. “A Plausible Attack on the Adaptive Security of Threshold Schnorr Signatures” presents a plausible, efficient attack on the adaptive security of threshold Schnorr signature schemes with keys of a common form. It shows that a wide range of schemes, including all variants of FROST, Sparkle, and Lindell’22, cannot be proven fully adaptively secure without modifications or assuming the hardness of a search problem P defined in this work. “On the Adaptive Security of FROST” examines how these results impact FROST and its variants, which are state-of-the-art threshold Schnorr signature protocols used in real-world applications. In particular, it introduces the low-dimensional vector representation (LDVR) problem, closely related to the problem P, and shows full adaptive security of FROST, FROST2, and FROST3 in the algebraic group model (AGM) and random oracle model (ROM) under the algebraic one-more discrete logarithm (AOMDL) and LDVR assumptions. Half adaptive security is shown to hold in the ROM under AOMDL alone. Together, these works define a new frontier for research on the adaptive security of threshold Schnorr signatures, as the hardness of P and LDVR remain intriguing open questions.

[Slides] Based on two joint works:

Presentation
11:10 AM Fireblocks-3MI Plan for NIST Threshold Schnorr/EdDSA
Nikolaos Makriyannis - Fireblocks @ USA

"Preview Talk" (by Team Fireblocks-3MI) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, I will speak on behalf of the Fireblocks–3MI team about our intention to submit a distributed Schnorr signing protocol based on the folklore three-round construction. I will introduce the team and the organizations leading this effort (Fireblocks and 3MI Labs), and explain why this threshold initiative is crucial for the cryptocurrency and broader Web3 ecosystem. The technical part of the talk will cover the variant of the folklore protocol described in ePrint 2022/1332.

Joint work: Michael Adjedj, Tomer Ashur, Amit Singh Bhati, Geoffroy Couteau, Cyprien Delpech de Saint Guilhem, Michael Gutkin, Nikos Makriyannis.

[Slides] Suggested readings:

Presentation
11:35 AM Gargos: Threshold Schnorr Signature Scheme
Sourav Das - Category Labs @ USA

"Preview Talk" (by Team BDLR) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this presentation, I will talk about Gargos, a three-round (t, n)-threshold variant of the Schnorr signature scheme based on the paper titled “Adaptively Secure Three-Round Threshold Schnorr Signatures from DDH”. Gargos achieves full adaptive security under standard assumptions. The three rounds in Gargos consist of commitment, opening, and response phases (in this order), followed by deterministic aggregation into a single Schnorr signature. Signing capability is distributed among n parties such that any subset of at least t+1 participants can generate a valid signature, while smaller subsets cannot do so. The scheme assumes a trusted-dealer setup for key generation and is proven adaptively secure against adversaries that may corrupt participants over time. Security is established in the random oracle model under the decisional Diffie–Hellman assumption.

Joint work: Renas Bacho, Sourav Das, Julian Loss, Ling Ren

[Slides] Suggested readings:

Presentation
12:00 PM Mask-FROST: Adaptively Secure 2-round Threshold Schnorr Signatures in the Algebraic Group Model
Chenzhi Zhu - NTT Research @ USA

Abstract. Threshold signatures allow a secret key to be distributed among a group of signers, and in order to sign a message, at least a threshold of signers must be involved. This talk focuses on efficient constructions that produce Schnorr signatures (or the standardized version, EdDSA) with adaptive security. The most efficient threshold Schnorr signature scheme is FROST, which has two signing rounds. The static security of FROST is proved under the algebraic one-more discrete logarithm (AOMDL) assumption in the random oracle model (ROM). However, recent works by Crites et al. (CRYPTO '25) show that there is an inherent non-standard computational assumption underlying the adaptive security of FROST. In this talk, I will present Mask-FROST, a new partially non-interactive threshold Schnorr signature scheme that has comparable efficiency to FROST and is adaptively secure under only the AOMDL assumption in the algebraic group model (AGM) and the ROM. All prior adaptive-secure constructions require at least 3 rounds. I will also talk about our impossibility result that shows it is not possible to show that Mask-FROST is adaptively secure in the ROM only under the AOMDL assumption.

Joint work: Renas Bacho, Yanbo Chen, Julian Loss, Stefano Tessaro.

[Slides]

Presentation
1:50 PM tBLS: Threshold BLS Signature Scheme
Sourav Das - Category Labs @ USA

"Preview Talk" (by Team BDLR) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this presentation, I will talk about tBLS, a non-interactive (t, n)-threshold variant of the classic Boneh-Lynn-Shacham (BLS) signature scheme. The construction distributes signing capability among n parties such that any subset of at least t+1 participants can jointly produce a single compact signature, while preserving the verification interface, encodings, and compatibility of standard single-party BLS signatures. Partial signatures are generated non-interactively, are publicly verifiable, and are combined deterministically using Lagrange interpolation in the exponent, yielding a unique final signature indistinguishable from a standard BLS signature.

Joint work: Renas Bacho, Alexandra Boldyreva, Sourav Das, Julian Loss.

[Slides] Suggested readings:

Presentation
2:15 PM Sparkle Revisited: Proving Tight Adaptive Security of a Simple Schnorr Threshold Scheme
Marek Sefranek - TU Wien @ Austria

Abstract. In this talk, we revisit the security of the three-round threshold Schnorr signature scheme Sparkle, introduced by Crites, Komlo, and Maller (CRYPTO 2023). Sparkle has a simple and elegant design and was proposed to achieve security under adaptive corruptions. Subsequent work by Bacho et al. (EUROCRYPT 2024), however, identified a gap in the original security proof, even in the static corruption model. To address this issue, the authors proposed a modified construction, Sparkle+, which requires each party to sign its protocol view, introducing significant overhead. While static security of Sparkle+ was proven under the discrete-logarithm assumption, its adaptive-security proof was later shown to be flawed by Crites and Stewart (CRYPTO 2025). We show that no such modification is necessary. We provide new—and in fact tight—security proofs for the original Sparkle construction in both the static and adaptive corruption models. Our analysis resolves the gap identified by Bacho et al. via a novel reduction that correctly simulates the adversary's view. Static security is obtained via a tight reduction to our circular discrete-logarithm (CDL) assumption (CRYPTO 2025), and full adaptive security is obtained via a tight reduction to an interactive extension of CDL. We justify these assumptions in the elliptic-curve generic group model of Groth and Shoup (EUROCRYPT 2022).

Joint work: Ojaswi Acharya, Gavin Cho, Georg Fuchsbauer, Adam O'Neill, Marek Sefranek.

[Slides]

Presentation
2:40 PM Silent Threshold Cryptography from Pairings
David Wu - UT Austin @ USA

Abstract. Threshold cryptography is a standard technique for distributing trust by splitting cryptographic keys into multiple shares held by different parties. Normally, in threshold cryptography, we assume there is a trusted dealer who distributes the shares to different parties or that the parties participate in an interactive distributed key-generation protocol to derive their individual shares. In recent years, several works have proposed a new model where users independently choose their public key, and there is a deterministic function that derives the joint public key associated with a group of users from their individual keys. Schemes with this silent (i.e., non-interactive) setup allow us to have the utility of threshold cryptography without needing a trusted dealer or an interactive setup. In this talk, I will describe a new pairing-based approach for constructing threshold signatures and encryption schemes with silent setup. Our techniques allow us to support expressive policies (including threshold policies) while only relying on simple algebraic tools. This yields constructions with shorter signatures and ciphertexts compared to previous pairing-based constructions. Concretely, the signature size in our threshold signature scheme is 3 group elements and the ciphertext size in our threshold encryption scheme is 4 group elements.

Joint work: Brent Waters, David Wu

[Slides] Suggested reading: Silent Threshold Cryptography from Pairings: Expressive Policies in the Plain Model (ia.cr/2025/1547)

Presentation
3:15 PM Defining Unforgeability for Threshold Signatures
Stefano Tessaro - University of Washington @ USA

Abstract. This talk addresses the question of defining unforgeability for threshold signatures. Despite rapid growth in the literature, divergent and sometimes incomparable models have created some degree of confusion and hindered comparisons. I will first revisit joint work with Bellare, Crites, Komlo, Maller, and Zhu (CRYPTO 2022), which introduced fine-grained notions of unforgeability for threshold signatures. This work highlights subtle but important distinctions, such as whether a message should be considered signed once a protocol is initiated or only after its completion, and how the latter is defined. Our framework offers a hierarchy of definitions that better captures these nuances. I will then discuss more recent work with Sela Navot (ASIACRYPT 2024) on defining strong unforgeability for multi-party signing protocols. We propose one-more unforgeability as a versatile approach to define strong unforgeability. Time permitting, I will also comment on stronger security notions such as UC security and other modeling aspects.

Joint work: Based on works with Mihir Bellare, Chenzhi Zhu, Elizabeth Crites, Chelsea Komlo, Mary Maller, Sela Navot

[Slides] Suggested reading: One-More Unforgeability for Multi- and Threshold Signatures (ia.cr/2024/1947)

Presentation
3:40 PM Panel on Security of Threshold ECDLP-based Signatures

Abstract. Informal panel conversation about security of threshold signatures (such as Schnorr/EdDSA, ECDSA, BLS) based on the elliptic-curve discrete-logarithm problem (ECDLP). What is the cost and value of pursuing certain advanced security features? The conversation may cover several perspectives, such as:

  • Security against adaptive corruptions
  • Strong unforgeability
  • Security formulation (ideal functionalities, security games)
  • Useful properties beyond unforgeability
  • Security assumptions, security tightness
Panel
9:40 AM Introduction to MPTS 2026 and the NIST Threshold Call
Luís Brandão - NIST (contractor via Strativia)

Abstract. MPTS 2026, the NIST Workshop on Multi-Party Threshold Schemes 2026, brings together multiple perspectives of Threshold Cryptography. This year's event includes 40+ talks, given over the span of four days (January 26–29). The workshop features diverse topics, such as threshold signatures, threshold PKE/KEM, threshold ciphers/hashing, fully-homomorphic encryption (FHE), and zero-knowledge proofs (ZKP). A main reference point for the workshop is the recently published NIST Threshold Call (IR 8214C), which establishes a process for collecting reference materials. The workshop already includes 20+ "Preview Talks", which will present plans of upcoming submissions to the NIST Threshold Call. Updates to the workshop program will be published on the workshop webpage: https://csrc.nist.gov/events/2026/mpts2026

Presented by Luís Brandão.

[Slides] Suggested readings:

Presentation
January 27, 2026 Type
9:35 AM Two-party ECDSA Signing at Constant Communication Overhead
Yashvanth Kondi - Silence Laboratories @ Singapore

Abstract. In this talk, we will present a new protocol for two-party ECDSA signing that simultaneously achieves the best concrete computation and bandwidth efficiency relative to prior work, without compromising on round complexity. On a conceptual level, our protocol only makes blackbox use of generic cryptography—Oblivious Transfer during setup and Pseudorandom Functions when signing—and is asymptotically optimal in communication (linear in the security parameter). The technical insights that underlie our protocol are a Pseudorandom Correlation Function for Vector Oblivious Linear Evaluation over a large ring, and a generalization of proof techniques from previous work.

Presented by Yashvanth Kondi.

[Slides] Suggested reading: Two-party ECDSA Signing at Constant Communication Overhead (ia.cr/2025/1813)

Presentation
10:00 AM Fireblocks-3MI Plan for NIST Threshold ECDSA
Nikolaos Makriyannis - Fireblocks @ USA

"Preview Talk" (by Team Fireblocks-3MI) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, I will speak on behalf of the Fireblocks–3MI team, which intends to submit two distributed ECDSA protocols as submission packages to NIST’s threshold call: one based on Canetti et al. (CCS 2021) for distributed ECDSA, and one based on recent work by Adjedj et al. (ePrint 2024/1950) for two-party ECDSA. The goal of this talk is to publicize our plans, solicit input, and explore collaborations with interested parties. I will also argue that multi-party ECDSA has matured to the point where the community should advance a single, unified submission, one that would encompass both Paillier-based protocols (e.g., CGGMP21) and alternative approaches.

Joint work: Michael Adjedj, Tomer Ashur, Amit Singh Bhati, Geoffroy Couteau, Cyprien Delpech de Saint Guilhem, Michael Gutkin, Nikos Makriyannis.

[Slides] Suggested readings:

  • Preview Writeup: Distributed ECDSA Signatures: Fireblocks’ CGGMP protocol
  • UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts (ia.cr/2021/060)
  • Preview Writeup: Two-Party ECDSA Signatures: Fireblocks’s BAM Protocol
  • Two-Round 2PC ECDSA at the Cost of 1 OLE (ia.cr/2024/1950)
Presentation
10:40 AM TECLA and THE CLASH: Two Party and Threshold ECDSA Signature from Class Group Cryptography
Federico Savasta - University of Montpellier, LIRMM @ France

"Preview Talk" (by Team BICYCCLIST) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this preview talk, we introduce TECLA and THE CLASH, efficient two-party and threshold ECDSA schemes, respectively, built upon Class Group Cryptography. Both schemes take advantage of linearly homomorphic public key encryption (PKE) to distribute private shares of the distributed ECDSA signature between parties. The specific PKE building block is the Castagnos-Laguillaumie (CL) encryption scheme, whose main advantage is the reduction of communication costs compared with other linearly homomorphic PKE. Both schemes are accompanied by benchmarked implementations using the BICYCL public repository, an optimized and specialized library for class group cryptography. In this presentation, we present TECLA and THE CLASH, their building blocks and their main characteristics, and we give an overview of their benchmarks using our implementation, which will be part of our submission packages. The packages satisfy the requirements of the NIST call, such as interchangeability and provable security. More specifically, TECLA achieves simulation based security against probabilistic polynomial time (PPT) malicious adversaries which statically corrupt one of the parties. THE CLASH has game based security against probabilistic polynomial time (PPT) malicious adversaries which statically corrupt a threshold t < n, where n is the number of parties. The proposal fits in Category N1.2: ECDSA signing.

Joint work: Cyril Bouvier, Guilhem Castagnos, Dario Catalano, Quentin Combal, Fabien Laguillaumie, Federico Savasta, Ida Tucker.

[Slides] Suggested readings:

  • Preview Writeup: TECLA: Two-party ECDSA from CLAss groups
  • Preview Writeup: Two-Party ECDSA from Linearly Homomorphic Encryption over Class Groups
  • I want to ride my BICYCL: BICYCL Implements CryptographY in CLass groups (ia.cr/2022/1466)
Presentation
11:30 AM (Red)ETA: Refreshable Extensible DLOG Enhanced Threshold Algorithms
Riccardo Longo - Fondazione Bruno Kessler @ Italy

"Preview Talk" (by Team RedETA) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk we present (Red)ETA: Refreshable Extensible DLOG Enhanced Threshold Algorithms, a suite of DLOG-based threshold Digital Signature Schemes to be submitted to the NIST Threshold Call. A distinctive part of our work is ETA-keygen: a Decentralized Key Generation compatible with complex access structures such as threshold access trees, that also comprises a refreshing mechanism useful for the security against mobile adversaries, that is, active, adaptive, snapshot (i.e. not persistent) but roaming (the corruption sets may change over time as long as at any time the corrupted parties are less than a threshold). Integrating ETA-keygen with DLOG threshold signing algorithms, we obtain ETA-Schnorr, ETA-EdDSA, and ETA-ECDSA. In particular, ETA-EdDSA is a deterministic Schnorr-like threshold signature where the shared deterministic nonce generation is verifiable by the signers. In line with the state of the art, ETA-Schnorr is secure against adaptive adversaries, with the security against mobile adversaries currently under investigation. ETA-EdDSA and ETA-ECDSA are proven secure against static adversaries who, contrary to the mainstream approach, are also involved in the key-gen. Their security against adaptive and mobile adversaries is still under investigation.

Joint work: Riccardo Longo, Alessandro Barenghi, Michele Battagliola, Alessio Meneghetti, Gerardo Pelosi, Edoardo Signorini.

[Slides] Suggested reading:

  • Preview Writeup: Refreshable Extensible DLOG Enhanced Threshold Algorithms
  • Tighter Control for Distributed Key Generation: Share Refreshing and Expressive Reconstruction Policies (ia.cr/2025/277)
Presentation
11:55 AM SplitKey: Two-Party Signing and Decryption with Extra Features
Peeter Laud - Cybernetica AS @ Estonia

"Preview Talk" (by Team SplitForge) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. This talk showcases a set of signing and decryption protocols for two (main) parties, the descriptions, prototype implementations and benchmarking results of which we intend to package and submit to the Threshold Call of the National Institute of Standards and Technology (NIST). The commonality of the showcased protocols lies in the roles and the security capabilities of the two parties. We consider the setting where one of the parties initiates protocol runs and the second one responds while trying to authenticate the first party. Additionally, in the considered setting, the first party's ability to protect its keyshare is less than adequate --- its encrypted memory may leak to the adversary, and the encryption key may only have low entropy. We discuss the security properties that a protocol deployed in this setting (which we call "server-assisted" signing / decryption) should satisfy, and justify the interest towards this setting by existing large-scale deployments. We show protocols for signing with RSA, signing with ECDSA, and for (non-standard) decryption, all with these properties. Finally, we present a protocol for two-party ML-DSA signing (with a third, offline party creating correlated random values). This protocol has not (yet) been designed for server-assisted setting, but should be easy to adapt.

Joint work: Peeter Laud, Alisa Pankova, Nikita Snetkov, Jelizaveta Vakarjuk, Petr Muzikant, Aivo Kalu, Burak Can Kus, Semjon/Sona Kravtšenko, Raul-Martin Rebane, Mart Oruaas.

[Slides] Suggested readings:

  • Preview Writeup: SplitKey: Two-Party Signing and Decryption with Extra Features
  • Trilithium: Efficient and Universally Composable Distributed ML-DSA Signing (ia.cr/2025/675)
  • Universally Composable Server-Supported Signatures for Smartphones (ia.cr/2024/1941)
Presentation
1:35 PM NIST Update on Cryptographic Algorithm Validation
Chris Celi - NIST

Abstract. An overview of Crypto Algorithm Validations at NIST.

Presented by Chris Celi.

[Slides] Suggested readings: 

Presentation
1:50 PM Validating Floating Point Implementations
Pierre Ciadoux - NIST @ USA

Abstract. In this talk, we show how floating-point arithmetic can lead to non-deterministic results and how this issue can be addressed during validation.

Presented by Pierre Ciadoux

[Slides]

Presentation
2:05 PM TFHE (FHE), ZHEnith (ZK) and Nexus (MPC)
Nigel Smart - Zama @ France; KU Leuven @ Belgium

"Preview Talk" (by Team Zama) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. The presentation will present three cryptosystems which Zama intends to submit to the NIST call for threshold primitives. The first is the TFHE Homomorphic Encryption Scheme, the second is the ZHEnith ZK proof system for showing that TFHE ciphertexts are well formed, and finally the Nexus MPC system which enables distributed key generation and distributed decryption for Homomorphic Encryption schemes such as TFHE, BGV and BFV.

Joint work: Mathieu Ballandras, Carl Bootland, Kelong Cong, Ben Curtis, Daniel Demmler, Tore Kasper Frederiksen, Marc Joye, Benoît Libert, Jean-Baptiste Orfila, Nigel P. Smart, Titouan Tanguy, Samuel Tap, Michael Walter.

[Slides] Suggested readings: 

  • Preview Writeup: TFHE, ZHEnith and Nexus: A Suite of Cryptosystems to Enable Fully Homomorphic Encryption Applications
  • Threshold (Fully) Homomorphic Encryption (ia.cr/2025/699)
Presentation
3:05 PM Threshold FHE from CKKS and Applications
Damien Stehlé - CryptoLab @ South Korea

Abstract. Threshold Fully Homomorphic Encryption (Th-FHE) is an extension of Fully Homomorphic Encryption (FHE) where the decryption capacity is split across multiple parties. As shown by Boneh et al [CRYPTO'18], Th-FHE may be used to thresholdize a cryptographic function CF, by publicly providing Th-FHE encryptions of CF's secrets, letting each party homomorphically evaluate CF and running the Th-FHE decryption protocol. In this presentation, we will show how to transform the CKKS FHE scheme of Cheon et al [ASIACRYPT'17] into an efficient Th-FHE, and use it to thresholdize several cryptographic functions. Concerning the Th-FHE version of CKKS, we will first highlight the performance of CryptoLab's HEaaN library, both for approximate and exact computations. We will then describe a distributed key generation algorithm to obtain a Th-FHE parametrization that is as efficient as the best FHE parametrizations, without relying on a trusted dealer. Finally, we will describe how to efficiently perform noise flooding in threshold decryption. In the second part of the talk, we will highlight applications of threshold CKKS: one-round threshold AES128 in < 0.1s, two-round threshold Dilithium in <1s and near real-time 1:N identification based on irises for millions of users.

Based on works with: Jung Hee Cheon, Hyeongmin Choe, François Colin de Verdière, Jincheol Ha, Guillaume Hanrot, Jaehyung Kim, Jung Woo Kim, Seonhong Min, Taeyeong Noh, Jai Hyun Park, Alain Passelègue, Damien Stehlé, Elias Suvanto. Made possible with CryptoLab's HEaaN library.

[Slides] Suggested reading: DKG for Threshold CKKS-FHE (ia.cr/2025/2057);  Threshold FHE with Synchronized Decryptors (ia.cr/2026/031)

Presentation
3:30 PM PANTHERIA: Threshold FHE for RLWE-Based Cryptosystems
Yuriy Polyakov - Duality Technologies; OpenFHE @ USA
Chris Peikert - University of Michigan @ USA
Zeyu Liu - Yale University; OpenFHE @ USA

"Preview Talk" (by Team PANTHERIA) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, we first describe the conventional (non-threshold) FHE cryptosystems already implemented in OpenFHE, Lattigo, and Poulpy, which serve as the basis for thresholdization. The following conventional FHE schemes are included: BFV, BGV, CGGI/TFHE, CKKS, DM/FHEW, and LMK+. All of these schemes are based on the hardness of (Ring) Learning With Errors and support various native homomorphic operations. Next, we summarize the thresholdized variants of BFV, BGV, and CKKS implemented in OpenFHE and Lattigo, which use homomorphic addition for distributed key generation and noise flooding for distributed decryption, in the passively secure model for the small and medium categories and dishonest majority. Then, we propose Th-(d)BFV, Th-FHEW, and Th-BGV as thresholdized extensions of (decomposed) BFV, LMK+, and BGV, respectively, that use a Multi-Party Computation (MPC)-based protocol for distributed decryption to support small lattice parameters and achieve active security in the small and medium categories for both dishonest and honest majority settings. We also propose an improved distributed key generation protocol for Th-FHEW, which minimizes the key generation noise. Moreover, we will consider the Laminate verifiable computation method to achieve active security for homomorphic evaluation in the Th-(d)BFV and Th-BGV

Joint work: Andreea Alexandru, Ahmad Al Badawi, Daniel Apon, Jean-Philippe Bossuat, Sylvain Chatel, Ben Fisch, Nicholas Genise, Shai Halevi, Loïs Huguenin, Guy Itzhaki, Andrey Kim, Yongwoo Lee, Zeyu Liu, Janmajaya Mall, Christian Mouchet, Carlo Pascoe, Chris Peikert, Kabir Peshawaria, Yuriy Polyakov, Saraswathy R.V., Sarabjeet Singh, Yongsoo Song, Eran Tromer, Vinod Vaikuntanathan, Vincent Zucca, Guy Zyskind.

[Slides] Suggested readings: 

Presentation
January 28, 2026 Type
9:35 AM Advances in NIST Symmetric-Key Standards: Ascon, Accordion, and Wide-AES
Meltem Sönmez Turan - NIST

Abstract: This talk provides an update on several NIST efforts in symmetric-key cryptography, including Lightweight Cryptography (LWC), the Accordion project, and work on wide-block ciphers. It reviews the status of the LWC standardization effort, highlighting the selection of Ascon and ongoing activities to support secure and efficient deployment in constrained environments. The talk also introduces Accordion, a new initiative focused on flexible authenticated-encryption modes that address a range of security and performance requirements, and discusses its design goals, security properties, and relationship to existing NIST-approved modes. Finally, the talk describes NIST’s decision to proceed with standardization work on Rijndael with 256-bit blocks (Rijndael-256), motivated by feedback on existing block-cipher modes and increasing demands for large-data processing.

Presented by Meltem Sönmez Turan

[Slides] Suggested readings:

  • NIST IR 8552: Requirements for Cryptographic Accordions
  • SP 800-232: Ascon-Based Lightweight Cryptography Standards for Constrained Devices: Authenticated Encryption, Hash, and Extendable Output Functions
Presentation
9:55 AM MiniMPC: Threshold Schemes for (and from) MiniCrypt
Xiao Wang - Northwestern University @ USA

"Preview Talk" (part 1/2, by Team MPC MINIons) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, we present an overview of the MPC Minions team's plan for a MiniMPC submission to the NIST Threshold Call, which provides a suite of cryptographic protocols in Minicrypt for securely evaluating any Boolean circuits, thus making it highly suitable for supporting threshold operations of Minicrypt primitives (i.e., N3 and S3). The protocol supports two or more parties, assuming a static adversary corrupting at most all but one party. The submission includes building blocks at different levels, providing modular composition without sacrificing efficiency. It includes definitions and constructions for correlation robustness, oblivious transfer extension, authenticated Boolean triples, and authenticated garbling. Many of these tools could be of independent interest to submissions in other contexts.

Joint work: Hongrui Cui, Chun Guo, Xiaojie Guo, David Heath, Jonathan Katz, Vladimir Kolesnikov, Alex Malozemoff, Samuel Ranellucci, Mike Rosulek, Lawrence Roy, Xiao Wang, Chenkai Weng, Kang Yang, Yu Yu.

[Slides] Suggested reading: Preview Writeup: MiniMPC: Threshold Schemes for (and from) MiniCrypt

Presentation
10:20 AM What's New in the MiniMPC Submission
Xiaojie Guo - Shanghai Qi Zhi Institute @ China

"Preview Talk" (part 2/2, by Team MPC MINIons) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, we provide more technical descriptions of the new constructions and proofs on top of existing published work when the MPC Minions team prepares for the MiniMPC submission to the NIST Threshold Call. The overall goal is to improve the performance, security, and modularity of the proposed protocols. In particular, we designed 1) a new bucketing strategy with optimal locality for authenticated Boolean triples and 2) a new notion of correlated robustness that, unlike prior notions, can be used for composition with provable security. We finally discuss how they are incorporated in the submission and how they could be useful for other submissions.

Joint work: Hongrui Cui, Chun Guo, Xiaojie Guo, David Heath, Jonathan Katz, Vladimir Kolesnikov, Alex Malozemoff, Samuel Ranellucci, Mike Rosulek, Lawrence Roy, Xiao Wang, Chenkai Weng, Kang Yang, Yu Yu.

[Slides] Suggested reading: Preview Writeup: MiniMPC: Threshold Schemes for (and from) MiniCrypt

Presentation
10:45 AM Towards an Efficient Multi-Party Threshold Ascon
Peter Schwarz - COSIC, KU Leuven @ Belgium

Abstract. In this presentation, we will discuss the required and desired properties of Ascon for an efficient multi-party threshold implementation. We will also evaluate how well our work meets these criteria. Our focus will be on the Ascon-AEAD128 authenticated encryption and decryption scheme. Due to their nearly identical construction, our observations also apply to Ascon-Hash256 and Ascon-[C]XOF128. We focus on ensuring security against active adversaries corrupting up to one-third of the participating parties. Currently, our work focuses on the online part of the protocol and communication costs in bits. To this end, we rely heavily on packing to align a multi-party evaluation more closely with Ascon's hardware-oriented design. For this, we will explore the Reverse Multiplication-Friendly Embeddings packing mechanism introduced by Cascudo et al. in 2018.

Joint work: Aysajan Abidin, Erik Pohle, Bart Preneel, Peter Schwarz

[Slides] Suggested reading: Evaluating Ascon in Secure Multi-Party Computation using Reverse Multiplication-Friendly Embeddings (ia.cr/2025/1538)

Presentation
11:20 AM Symphony: Threshold Evaluation of Symmetric Primitives (AES, SHA2, SHA3, G-/C-/H-/KMAC)
Erik Pohle - Aarhus University @ Denmark

"Preview Talk" (by Team Symphony) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: This talk will give a preview overview of the package submission Symphony which is a protocol family to securely evaluate the AES block cipher, the hash functions SHA2 and SHA3, and the MAC schemes G-/C-/H- and KMAC in the three-party honest majority setting. The underlying MPC technique is based on replicated secret sharing over Boolean extension fields, combined with oblivious table lookup protocols. We target active security with abort and also cover the specification of a separate gadget for preprocessing of random one-hot vector correlations. The talk includes a summary on replicated secret sharing over Boolean extension fields, gives details on the oblivious lookup table techniques by Morita et al. (Usenix Security 2025) and shows the interconnection between different modules in the submission package. We will also present preliminary benchmark results for secure AES enciphering.

Joint work: Hiraku Morita, Erik Pohle, Peter Scholl, Daniel Tschudi.

[Slides] Suggested readings:

  • Preview Writeup: Threshold Evaluation of Symmetric Primitives: A protocol family for threshold AES, SHA2, SHA3 and G-/C-/H-/KMAC evaluation in the three-party, honest majority setting
  • MAESTRO: Multi-party AES using Lookup Tables (ia.cr/2024/1317)
Presentation
11:55 AM Haystack: Threshold and Distributed Stateful Hash-Based Signatures
John Kelsey - NIST @ USA; KU Leuven @ Belgium

"Preview Talk" (by Team Haystack) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this presentation, I'll explain how to take a stateful hash-based signature scheme like LMS, and turn it into a threshold hash-based signature scheme.  It is surprising that this is even possible, given the complete lack of nice algebraic structure in these schemes.  However, it turns out that the resulting schemes are quite practical and efficient.  Our techniques require a trusted dealer for setup, and assume signing happens between an untrusted aggregator and several trustees, each with a share of the private key.  The aggregator also needs access to a large common reference string defined for each public key, with a size of 0.1 GiB -- 10 GiB for typical LMS parameters.  All communications in the scheme are point-to-point, and during signing the aggregator and trustees each do about the same amount of computation required for an ordinary LMS signature.  Verification is the same as for any other LMS signature.  The aggregator needs access to a reasonable-sized hard drive to access the CRS; the trustees can be implemented on low-end devices such as smartcards.  Threshold signatures are especially valuable for stateful hash-based signatures, because they solve the state-management problems; instead of a single device failure leading to key reuse, many trustees' devices must fail at the same time in order for a key to be reused.

Joint work: John Kelsey, Stefan Lucks, Nathalie Lang.

[Slides] Suggested readings:

  • Preview Writeup: Haystack: Threshold and Distributed Stateful Hash-Based Signatures
  • Turning Hash-Based Signatures into Distributed Signatures and Threshold Signatures (cic.iacr.org/p/2/2/24)
Presentation
1:35 PM The NIST Post-Quantum Cryptography Project
Dustin Moody - NIST

Abstract: This talk will provide a brief history of the NIST PQC Standardization project, including milestones, the first set of PQC standards (FIPS) and the on-ramp signatures. The presentation will also discuss continued work in the Migration to PQC project (including the Crypto Agility whitepaper) and recently released publications related to the project.

Presented by Dustin Moody. Joint work with the NIST PQC team.

[Slides] Suggested readings: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), SP 800-227 (Recommendations for KEMs), NISTIR 8547 (Transition to PQC).

Presentation
1:50 PM Tanuki: Two-round Threshold Signatures from Lattices
Akira Takahashi - JP Morgan @ USA

"Preview Talk" (by Team Tanuki) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: In this presentation, we give an overview of our lattice-based threshold signature scheme, which features a two-round signing protocol with preprocessing, compact signatures and verification keys, and unforgeability against a dishonest majority in the random oracle model. The scheme scales to up to 1024 signers and produces Raccoon-compatible signatures. From a design perspective, Tanuki can be viewed as a synthesis of two previously proposed schemes in the literature: Espitau–Katsumata–Takemure (CRYPTO ’24) and Ringtail (S&P ’25).

Joint work: Cecilia Boschini, Thomas Espitau, Aaron Kaiser, Shuichi Katsumata, Darya Kaviani, Russell W.F. Lai, Giulio Malavolta, Thomas Prest, Peter Schwabe, Akira Takahashi, Kaoru Takemure, Mehdi Tibouchi.

[Slides] Suggested readings:

  • Preview Writeup: Tanuki: Two-round Threshold Signatures from Lattices
  • Two-Round Threshold Signature from Algebraic One-More Learning with Errors (ia.cr/2024/496)
  • Ringtail: Practical Two-Round Threshold Signatures from Learning with Errors (ia.cr/2024/1113)
Presentation
2:15 PM Hermine: An Efficient Raccoon-Style Non-Interactive Threshold Signature with Advanced Properties
Thomas Prest - PQShield @ France

"Preview Talk" (by Team Hermine) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this talk, we will introduce Hermine, a post-quantum threshold signature scheme based on the Raccoon signature scheme that replicates the advanced properties of the classical FROST. Hermine is a (partially non-interactive) 2-round protocol with distributed key generation, efficient key refresh and non-interactive identifiable aborts. Its security relies on the AOM-MSIS assumption, which holds under the standard MLWE and MSIS assumptions. We plan to submit Hermine as its own package to the NIST MPTC Call, and we will discuss the different components to be included. Our core technical innovation is a novel use of the Vandermonde Secret Sharing with short shares, combined with techniques from the 2-round signature scheme of Espitau et al. (CRYPTO 2024). We design distributed key generation for this sharing, and a refresh mechanism. Furthermore, our techniques eliminate the need for zero-shares to randomize signature shares, ensuring that signature shares double as valid signatures under the corresponding public key shares, and thus enabling a non-interactive identification of aborting parties.

Joint work: Giacomo Borin, Sofía Celi, Rafael del Pino, Thomas Espitau, Shuichi Katsumata, Guilhem Niot, Thomas Prest, Kaoru Takemure.

[Slides] Suggested readings: 

  • Preview Writeup: Hermine: An Efficient Raccoon-Style Non-Interactive Threshold Signature with Advanced Properties
  • Two-Round Threshold Signature from Algebraic One-More Learning with Errors (ia.cr/2024/496)
  • Threshold Signatures Reloaded: ML-DSA and Enhanced Raccoon with Identifiable Aborts (ia.cr/2025/1166)
Presentation
2:40 PM Lattice-based Threshold Blind Signatures
Guilhem Niot - PQShield & University of Rennes @ France

Abstract: In this talk, we introduce the first lattice-based threshold blind signature (TBS) scheme. TBS is an important primitive for building robust, privacy-preserving applications, and combines the privacy guarantees of blind signatures with the ability of threshold signatures to distribute the private key across multiple servers. TBS are especially useful for critical signing infrastructure where privacy is required, for instance with Central Bank Digital Currencies (CBDCs). CBDCs can be built from blind signatures in a privacy-preserving manner. Crucially, as the signing key allows issuing coins, any key compromise is fatal. TBS remedy this issue by distributing the signing procedure across multiple servers. However, all existing TBS constructions become insecure in the presence of quantum computers, and no practical post-quantum alternative has been established. Our work fills this important gap. We present a construction proven secure under an interactive variant of the Short Integer Solution (SIS) assumption. Our scheme is practical and supported by a formal analysis and a concrete implementation, with signature sizes only 1.4x to 2.5x larger than comparable non-threshold lattice-based blind signatures, making it a viable solution for applications like CBDCs.

Joint work: Sebastian Faller, Guilhem Niot.

[Slides] Suggested readings: Lattice-based Threshold Blind Signatures (ia.cr/2025/1566)

Presentation
3:02 PM Amber: Lattice-Based Threshold KEM from the BCHK+ Transform
Sasha Lapiha - Royal Holloway, University of London @ UK

"Preview Talk" (by Team Amber) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: In this talk I will discuss a family of post-quantum threshold KEMs based on lattice assumptions. Using our BCHK+ transform we combine a threshold identity-based encryption (IBE) and a one-time signature to build a threshold KEM with strong security guarantees (e.g. IND-CCA2). I will discuss two possible instantiations of the threshold IBE and the corresponding security vs efficiency trade-offs including estimating the ciphertext sizes of the scheme. This construction uses light-weight lattice techniques, whereas the previous works could only achieve a post-quantum CCA secure threshold KEM using the machinery of fully homomorphic encryption (FHE), multi-party computation (MPC), or non-interactive zero-knowledge (NIZK).

Joint work: Katharina Boudgoust, Rafael del Pino, Oleksandra Lapiha, Thomas Prest.

[Slides] Suggested reading:

Presentation
3:27 PM Quorus: Scalable Threshold ML-DSA from MPC
Leo de Castro - J.P. Morgan @ USA

"Preview Talk" (by Team Quorus) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this presentation, we present an overview of our multi-party key and signature generation protocol for the module-lattice digital signature algorithm (ML-DSA). Our proposal includes an MPC-friendly variant of ML-DSA retaining compatibility with the FIPS 204 compliant verification algorithm, a distributed key generation (DKG) protocol, and an efficient threshold signing protocol with offline preprocessing. Our protocols are designed to provide strong security guarantees, such as post-quantum security and UC security, scalability to medium-sized groups of signers (e.g., up to 64) assuming an honest majority, and low signing latency in the online phase.

Joint work: Alexander Bienstock, Leo de Castro, Daniel Escudero, Antigoni Polychroniadou, Akira Takahashi.

[Slides] Suggested readings:

Presentation
3:52 PM Mithril: Efficient Threshold ML-DSA from Secret Sharing with Short Shares
Guilhem Niot

"Preview Talk" (by Team Mithril) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. This talk will present Mithril, an efficient threshold signature protocol for the Module-Lattice-based Digital Signature Algorithm (ML-DSA/FIPS 204). It is based on the paper “Efficient Threshold ML-DSA”, to appear at USENIX Security ’26, and we plan to submit Mithril as a proposal to the NIST MPTC Call. The proposed scheme resolves the core incompatibility between ML-DSA’s rejection sampling and multi-party computation by using replicated secret sharing with short shares. This enables local, per-party rejection sampling, thus avoiding the need for a costly global abort multi-party computation. The protocol supports both distributed key generation (DKG) and a posteriori sharing of an existing ML-DSA key, preserving the original public key. It is proven to be as secure as ML-DSA in the dishonest majority model and is fully compatible with verifiers for the ML-DSA standard. Our evaluation demonstrates practicality for any threshold T with at least up to N=6 parties, with per-party communication under 1 MB. Signing latency is under 20 ms locally, while it stays under 1s in a global WAN setting.

Joint work: Sofia Celi, Gustavo Delerue, Rafael del Pino, Guilhem Niot, Thomas Espitau, Thomas Prest.

[Slides] Suggested readings:

Presentation
January 29, 2026 Type
9:35 AM Threshold Schemes from (Isogeny-Based) Group Actions
Giacomo Borin - IBM Research Zurich & University of Zurich @ Switzerland

"Preview Talk" (by Team PQarrots) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: Cryptographic group actions offer a flexible framework for instantiating plausibly post-quantum schemes, effectively generalizing core ideas behind classical discrete logarithm cryptography. In particular, the group structure allows for an (almost) immediate application of well-known threshold secret sharing techniques, to obtain distributed post-quantum cryptographic protocols such as digital signatures and public key encryption. These schemes can also be augmented with a distributed key generation procedure. In this presentation we give an overview of our package submission based on isogeny group actions. We explain advantages and limitations of group actions in general and of isogenies in particular. We also discuss the security of the underlying assumptions, with a focus on quantum attacks against group actions, and on the appropriate security models for group actions.

Joint work: PQarrots: Isogenies-TGA, Marius A. Årdal, Shahla Atapoor, Karim Baghery, Andrea Basso, Xavier Bonnetain, Giacomo Borin, Daniele Cozzo, Pierrick Dartois, Luca De Feo, Max Duparc, Jonathan K. Eriksen, Tako Boris Fouotsa, Arthur Herlédan Le Merdy, Riccardo Invernizzi, Samuel Jaques, Yi-Fu Lai, Dania Lazzarini, Jason T. LeGrow, Luciano Maino, Jonas Meers, Michael Meyer, Sikhar Patranabis, Robi Pedersen, Giacomo Pope, Doreen Riepel, Damien Robert, Ryan Rueger, Sina Schaeffler, André Schrottenloher, Frederik Vercauteren.

[Slides] Suggested readings: 

  • Preview Writeup: PQarrots: Macaw, Kea and Kakapo: Threshold primitives from (isogeny-based) group actions
  • Threshold Schemes from Isogeny Assumptions (ia.cr/2019/1288)
Presentation
10:00 AM PRISM: Compact Threshold Signatures from Pushforwards of Large-Degree Isogenies
Giacomo Borin - IBM Research Zurich & University of Zurich @ Switzerland

"Preview Talk" (by Team PANTHERIA) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: PRISM is a recent isogeny-based signature, whose security relies on the presumed hardness of computing large-degree isogenies. In this talk, we show how to exploit its flexible signing procedure to construct a T-out-of-N threshold signature protocol, discussing the advantages and drawbacks of the approach. The scheme can be instantiated in various ways, each having different trade-offs between the efficiency of the signing and verification procedures. Furthermore, relying on a recently re-discovered technique for secret sharing, we can extend the scheme for up to N = 32 parties with a signing procedure requiring T + 2 rounds of communication. The core functionality we use is the computation of pushforwards of large-degree isogenies in higher dimensions, applied sequentially by each party. Thus, the unforgeability of the threshold signature holds under a new security assumption involving pushforwards of large-degree isogenies through secret degree isogenies. To our knowledge, this is the first practical post-quantum threshold signature with a combined signature and public key size smaller than 500 bytes and a communication cost per party below 300 bytes, not relying on generic MPC, FHE and NIZK techniques.

Joint work: Andrea Basso, Luciano Maino, Maria Corte-Real Santos, Robi Pedersen, Riccardo Invernizzi.

[Slides] Suggested reading: PRISM: Simple and compact identification and signatures from large prime degree isogenies. (ia.cr/2025/135)

Presentation
10:12 AM LEAST: Linear Equivalence Action Threshold Signature
Michele Battagliola - Marche Polytechnic University

"Preview Talk" (by Team LEAST) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. Group actions are fundamental mathematical tools, with a long history of use in cryptography. In this presentation we show that isomorphism problems which stem from non-abelian cryptographic group actions can be viable building blocks for threshold signature schemes. In particular we focus on the Linear Code Equivalence group action and show how to obtain a threshold signature for it, which we call LEAST. The signature is compatible with the LESS digital signature, which is currently in the Round 2 Additional Signatures standardization effort. We also present a distributed key generation for it and a more efficient but centralized key generation obtained by the Vandermonde Secret Sharing. The results presented in this talk will be included in a future submission to the NIST Threshold Call.

Joint work: Michele Battagliola, Marco Baldi, Giacomo Borin, Giovanni Di Crescenzo, Rahmi El Mechri, Alessio Meneghetti, Edoardo Persichetti, Paolo Santini, Floyd Zweydinger.

[Slides] Suggested reading:

  • Preview Writeup: LEAST: Linear Equivalence Action Threshold Signature
  • Enhancing Threshold Group Action Signature Schemes: Adaptive Security and Scalability Improvements (ia.cr/2025/085)
Presentation
10:37 AM Vinaigrette: An Optimized Framework for Threshold UOV and MAYO Signatures
Sofia Celi - Brave and University of Bristol @ UK

"Preview Talk" (by Team Vinaigrette) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. In this presentation (accompanying the preview package), we introduce Vinaigrette, an optimized framework for thresholdizing post-quantum signature schemes based on the Oil-and-Vinegar construction, with a focus on Unbalanced Oil and Vinegar (UOV) and MAYO (hence, multivariate-based cryptography). Vinaigrette achieves threshold signing using secure multiparty computation (MPC) in a dishonest-majority setting with active security. The framework supports distributed key generation, preserves the original verification algorithms and parameter sets of UOV and MAYO, and follows an offline/online architecture in which expensive message-independent operations are moved to a pre-processing phase. The online signing phase is lightweight and simple, involving only simple linear operations and information-theoretic checks, enabling practical deployment and one message-dependent round. We will discuss the design; implementation results and performance; and the potential of its modular procedures to be used independently.

Joint work: Ward Beullens, Giacomo Borin, Sofia Celi, Diego F. Aranha, Lisa Kohl, Guilhem Niot, Fabio Campos, Basil Hess, Matthias J. Kannwischer.

[Slides] Suggested readings:

Presentation
11:12 AM Improved Distributed RSA Key Generation Using the Miller-Rabin Test
Ivan Damgård - Aarhus University @ Denmark

Abstract: Secure distributed generation of RSA moduli (e.g., generating N=pq where none of the parties learns anything about p or q) is an important cryptographic task that is needed both in threshold implementations of RSA-based cryptosystems and in other, advanced cryptographic protocols that assume that all the parties have access to a trusted RSA modulus. In this paper, we provide a novel protocol for secure distributed RSA key generation based on the Miller-Rabin test. Compared with the more commonly used Boneh-Franklin test (which requires many iterations), the Miller-Rabin test has the advantage of providing negligible error after even a single iteration of the test for large enough moduli (e.g., 4096 bits). From a technical point of view, our main contribution is a novel divisibility test which allows one to perform the primality test in an efficient way, while keeping p and q secret. Our semi-honest RSA generation protocol uses any underlying secure multiplication protocol in a black-box way, and our protocol can therefore be instantiated in both the honest or dishonest majority setting based on the chosen multiplication protocol. Our semi-honest protocol can be upgraded to protect against active adversaries at low cost using existing compilers. Finally, we provide an experimental evaluation showing that for the honest majority case, our protocol is much faster than Boneh-Franklin.

Joint work: Jakob Burkhardt, Ivan Damgård, Tore Kasper Frederiksen, Satrajit Ghosh, Claudio Orlandi.

[Slides] Suggested reading: Improved Distributed RSA Key Generation Using the Miller-Rabin Test (ia.cr/2023/644)

Presentation
11:37 AM PiVer: Π Verifiable Secret Sharing Framework
Karim Baghery - COSIC, KU Leuven @ Belgium

"Preview Talk" (by Team PiVer) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: In this presentation, we introduce PiVer, a unified and modular framework for constructing verifiable secret sharing (VSS) schemes with computational security in synchronous communication settings. Verifiable secret sharing enables a dealer to distribute shares of a secret such that correctness can be publicly or privately verified, even in the presence of malicious behavior. PiVer builds on the earlier Π framework (from PKC 2025) and systematically integrates several of its recent extensions into a single design methodology. These include pre-constructed and round-optimal variants, batching and packing techniques for improved efficiency, and support for general access structures beyond simple thresholds. The framework is highly flexible, relying only on standard cryptographic commitments and a random oracle, and can be instantiated with post-quantum–secure components. We will discuss how PiVer simplifies the design space of VSS, enables efficient and practical implementations, and supports real-world threshold cryptographic applications, like distributed key generation. The talk also highlights ongoing open-source implementations and performance results, demonstrating the practicality of PiVer for standardization.

Joint work: Shahla Atapoor, Karim Baghery, Daniele Cozzo, Robin Jadoul, Hossein Moghaddas, Georgio Nicolas, Robi Pedersen, Mahdi Rahimi, Jannik Spiessens, Barry Van Leeuwen.

[Slides] Suggested readings:

Presentation
12:02 PM Building Giant Multi-Party Threshold Cryptosystems with Lightweight Cryptography
Aniket Kate - Purdue University / Supra Research @ USA

Abstract: Threshold Multi-Party cryptographic protocols are crucial tools in security-critical distributed systems like blockchains and distributed Cyber-Physical Systems. Folklore literature employed Information-Theoretic cryptography to design protocols, which incurs a high communication cost. Subsequent literature improved communication costs using public-key cryptography; however, these protocols incur a large computational cost from expensive public-key operations, which inhibits scalability. We address this bottleneck by designing protocols using lightweight cryptography - cryptographic Hash functions and Symmetric Key Encryption. These primitives are 1000x faster than public-key-based primitives, and they are also friendly to the Post-Quantum world. However, as these tools lack the transcript homomorphism offered by public-key-based tools, we employ novel distributed computing techniques to limit the increase in communication compared to public-key-based protocols. In the talk, I will discuss three new protocols - a) HashRand (CCS 2024), an asynchronous random beacon protocol that produces a continuous stream of secure randomness, b) Velox (CCS 2025), an asynchronous Multi-Party Computation protocol that enables computation over private inputs, and c) an asynchronous Dynamic Proactive Secret Sharing protocol that enables blockchains with dynamic participation to maintain secrets. Through extensive experimental evaluation, we have demonstrated that our works (and other lightweight cryptography-based threshold cryptographic protocols) achieve at least two orders of magnitude performance improvement over prior public-key-based threshold cryptographic protocols for 100 parties, substantially enhancing scalability through computational efficiency.

Joint work: Saurabh Bagchi, Akhil Bandarupalli, Adithya Bhat, Xiaoyu Ji, Soham Jog, Aniket Kate, Chen-Da Liu-Zhang, Daniel Pöllmann, Michael Reiter, Yifan Song.

[Slides] Suggested reading: Velox: Scalable Fair Asynchronous MPC from Lightweight Cryptography (ia.cr/2025/1630)

Presentation
12:27 PM Black-Box Threshold Signing of Hash-Based Signatures is Impossible
Naman Kumar - IRIF @ France; Silence Laboratories @ Singapore

Abstract: We show a general impossibility result that broadly rules out efficient threshold signing protocols for all known hash-based signature schemes. In particular, we formally model hash-based signatures as schemes which are provably secure in the random oracle model and base their security purely on the security of the underlying random oracle. Using techniques from straight-line extractable NIZKs (non-interactive zero knowledge proofs), our main result shows that there exists no protocol secure against a majority of malicious parties that realizes the signing algorithm of any hash-based signature scheme in an oracle-respecting manner, i.e., where each of the parties has only black-box access to the random oracle. The result shows that any protocol to distributively sign a hash-based signature scheme must distributively evaluate the hash function, which significantly reduces efficiency. Our result is broad and encompasses all known hash-based signature schemes in practice, including SPHINCS, SPHINCS+ and XMSS, extending the recent work of [DKR24] that only applied to a limited class of hash-based schemes that use MPC-in-the-head (and notably not to any presently standardized schemes). We believe this serves as a strong argument against the adoption of the SLH-DSA standard in settings which may require threshold signing.

Joint work: Yashvanth Kondi, Naman Kumar, Akira Hernan Vanegas.

[Slides] Suggested reading: Sometimes You Can’t Distribute Random-Oracle-Based Proofs (ia.cr/2023/1381)

Presentation
2:05 PM Schmivitz: VOLEitH Based ZK Gadgets for Threshold Cryptography
James Parker - Galois, Inc @ USA

"Preview Talk" (by Team Schmivitz) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract: This preview talk presents Schmivitz, which we plan to submit to the NIST Threshold Call. Schmivitz is a Vector Oblivious Linear Evaluation in the Head (VOLEitH) Zero-Knowledge (ZK) system that includes two gadgets, Weak VOLEs and VOLEitH, which can be used as building blocks for cryptographic applications such as threshold signature and encryption schemes. We also define Random All-But-One Vector Commitments as an internal gadget which is a core building block of VOLEitH-proofs, but is equally important in other Zero-Knowledge Proof systems. We have an open source Rust reference implementation of Schmivitz and discuss preliminary performance results.

Joint work: Carsten Baum, Emmanuela Orsini, Peter Scholl, Benoit Razet, Marcella Hastings, Shibam Mukherjee, Christian Rechberger, James Parker.

[Slides] Suggested readings:

  • Preview Writeup: Schmivitz: VOLEitH Based ZK Gadgets for Threshold Cryptography
  • Publicly Verifiable Zero-Knowledge and Post-Quantum Signatures from VOLE-in-the-Head (ia.cr/2023/996)
Presentation
2:30 PM SmallWood: Hash-Based Zero-Knowledge Arguments for Relatively Small Instances
Matthieu Rivain - CryptoExperts @ France

"Preview Talk" (by Team SmallWood) @ MPTS 2026, in reply to the NIST Threshold Call

Abstract. This talk is related to the SmallWood previous submission to the NIST MPTC call. SmallWood is a hash-based zero-knowledge argument of knowledge, designed for efficiently proving statements of small to medium size. While existing hash-based arguments such as STARK or Brakedown achieve excellent asymptotic performance for very large instances, and protocols such as VOLE-in-the-Head excel for tiny instances, SmallWood bridges the gap between these extremes. It efficiently handles proofs related to moderate-size statements, such as demonstrating knowledge of a private key, a digital signature, or a hash preimage. Built entirely upon hash-based primitives, SmallWood provides post-quantum security, as it relies only on assumptions believed to resist quantum attacks. Although its precise application domain is still under exploration, SmallWood already shows promising integration potential within lattice-based cryptosystems and arithmetization-oriented hash constructions, making it a compelling candidate for future threshold cryptographic frameworks. SmallWood was first introduced in a preprint released in early 2025, accompanied by preliminary proof-of-concept implementations. This talk will provide an overview of the SmallWood construction, which follows the widely used approach of composing a Polynomial Commitment Scheme (PCS) with a Polynomial Interactive Oracle Proof (PIOP). It will also showcase preliminary results across several applications, including arithmetic circuits, lattice-based statements, and the design of SNARK-friendly post-quantum signatures.

Joint work: Thibauld Feneuil, Matthieu Rivain.

[Slides] Suggested readings:

  • Preview Writeup: SmallWood: Hash-Based Zero-Knowledge Arguments for Relatively Small Instances
  • SmallWood: Hash-Based Polynomial Commitments and Zero-Knowledge Arguments for Relatively Small Instances (ia.cr/2025/1085)
Presentation
3:05 PM Ligetron: Design and Deployment of ZK Applications made Easy
Muthuramakrishnan Venkitasubramaniam - Ligero Inc. @ USA

Abstract: With the advent of Blockchains, there has been reinvigorated interest in deploying ZK-proof systems in the form of ZKSNARKs, an attractive, non-interactive, succinct variant. Yet, current deployments require heavy hardware / huge running times / very large memory. I will present the Ligetron platform that can allow one to build and deploy an end-to-end system for these applications. Crucially, the platform is powered by the Ligetron system developed by Ligero Inc. that showcases competitive speeds from lightweight platforms (e.g., a web browser on a mobile phone). Furthermore, I will show how the platform leverages the ZK-WASM feature of the Ligetron system, allowing developers to implement their zkApps from the browser by coding in standard high-level languages such as C/C++/Rust.

Joint work: Muthuramakrishnan Venkitasubramaniam, Carmit Hazay, Ruihan Wang.

[Slides] Suggested reading: Ligero: Lightweight Sublinear Arguments Without a Trusted Setup (ia.cr/2022/1608)

Presentation
3:30 PM ZK for Legacy Schemes
abhi shelat - Google; Northeastern University @ USA

Abstract. We present our approach to developing ZK protocols for schemes that use ECDSA, SHA, and other legacy formats.

Presentation

Event Details

Starts: January 26, 2026 - 09:00 AM EST
Ends: January 29, 2026 - 05:00 PM EST

Format: Virtual
Type: Webinar

Attendance Type: Open to public
Audience Type: Industry, Government, Academia, Other
Sponsors: Hosted by the Multi-party Threshold Cryptography (MPTC) project at NIST

Related Topics

Security and Privacy: cryptography

Created April 29, 2025, Updated February 13, 2026