About
IBM is proud to sponsor EUROCRYPT 2026, a premier international conference on cryptology. It brings together researchers and practitioners to present and discuss the latest advances in cryptographic theory and applications.
We look forward to meeting you at the event and telling you more about our latest work at IBM Research.
Please refer to the agenda below to find out about our featured work.
Agenda
- Description:
The migration to post-quantum cryptography (PQC) and increasing regulatory requirements, such as the EU Cyber Resilience Act and DORA, increase the demand for comprehensive visibility into cryptographic assets across software systems. A Cryptography Bill of Materials (CBOM) provides a standardized inventory of cryptographic algorithms, protocols, certificates, and related material used within software components and services. This paper presents the anatomy of CBOMs as standardized in OWASP CycloneDX (ECMA-424), examining the object model for cryptographic assets, dependency relationships, and evidence capture. We analyze how CBOMs integrate with the broader xBOM ecosystem, including Software (SBOM), Operations (OBOM), Hardware (HBOM), and SaaS BOMs, to provide full-stack cryptographic transparency. Through practical use cases, we demonstrate how CBOMs enable policy-based compliance evaluation, support hybrid PQC migration strategies, and facilitate cryptographic agility. We discuss challenges in CBOM generation, including naming ambiguities, configuration-driven cryptography, and the distinction between provision of cryptography and consumption. Finally, we outline the evolution toward future CBOM revisions.
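As an added example (not from the paper and not IBM's tooling): a constructed CycloneDX 1.6 CBOM with one application, two libraries, a TLS protocol asset and four algorithm assets, plus a small Python checker that walks the dependency graph the way a policy-based compliance evaluation would. Field names follow the CycloneDX 1.6 cryptoProperties schema as understood here; the component names, bom-refs and the policy thresholds (NIST quantum security level 1 for asymmetric primitives, TLS 1.3 minimum) are the author's assumptions. The `provides` edges let the checker separate who implements an algorithm from who consumes it, the distinction the abstract raises.

```python
"""Policy evaluation over a constructed CycloneDX 1.6 CBOM (added example).
Field names follow the CycloneDX 1.6 cryptoProperties schema as understood here
(component type "cryptographic-asset", assetType, algorithmProperties,
protocolProperties.cipherSuites, "provides" edges under dependencies); the BOM
content, bom-refs and policy thresholds are illustrative assumptions."""
import json
from collections import defaultdict, deque

def _alg(primitive, params, qlevel, funcs, **extra):
    # Build the cryptoProperties of an algorithm asset.
    return {"assetType": "algorithm", "algorithmProperties": {
        "primitive": primitive, "parameterSetIdentifier": params,
        "nistQuantumSecurityLevel": qlevel, "cryptoFunctions": funcs, **extra}}

# Constructed inventory: one application, two libraries, one protocol, four algorithms.
CONSTRUCTED_CBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "application", "bom-ref": "app:payments", "name": "payments-api"},
        {"type": "library", "bom-ref": "lib:openssl", "name": "openssl", "version": "3.0.13"},
        {"type": "library", "bom-ref": "lib:oqs", "name": "liboqs", "version": "0.10.0"},
        {"type": "cryptographic-asset", "bom-ref": "crypto:tls-1.2", "name": "TLS",
         "cryptoProperties": {"assetType": "protocol", "protocolProperties": {
             "type": "tls", "version": "1.2", "cipherSuites": [{
                 "name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "algorithms": ["crypto:rsa-2048", "crypto:aes-128-gcm", "crypto:sha-256"]}]}}},
        {"type": "cryptographic-asset", "bom-ref": "crypto:rsa-2048", "name": "RSA-2048",
         "cryptoProperties": _alg("signature", "2048", 0, ["sign", "verify"], classicalSecurityLevel=112)},
        {"type": "cryptographic-asset", "bom-ref": "crypto:aes-128-gcm", "name": "AES-128-GCM",
         "cryptoProperties": _alg("ae", "128", 1, ["encrypt", "decrypt"], mode="gcm")},
        {"type": "cryptographic-asset", "bom-ref": "crypto:sha-256", "name": "SHA-256",
         "cryptoProperties": _alg("hash", "256", 2, ["digest"])},
        {"type": "cryptographic-asset", "bom-ref": "crypto:ml-kem-768", "name": "ML-KEM-768",
         "cryptoProperties": _alg("kem", "768", 3, ["keygen", "encapsulate", "decapsulate"])},
    ],
    "dependencies": [
        {"ref": "app:payments", "dependsOn": ["lib:openssl", "lib:oqs", "crypto:tls-1.2"]},
        {"ref": "lib:openssl", "provides": ["crypto:rsa-2048", "crypto:aes-128-gcm", "crypto:sha-256"]},
        {"ref": "lib:oqs", "provides": ["crypto:ml-kem-768"]},
    ],
})

# Illustrative policy (author's thresholds): asymmetric primitives must reach NIST
# quantum security level 1, and TLS below 1.3 is rejected.
POLICY = {"asymmetric": {"signature", "pke", "key-agree", "kem"},
          "min_quantum_level": 1, "min_tls_version": "1.3"}

def load_cbom(text=CONSTRUCTED_CBOM):
    return json.loads(text)

def crypto_assets(bom):
    """bom-ref -> component for every cryptographic-asset component."""
    return {c["bom-ref"]: c for c in bom["components"] if c["type"] == "cryptographic-asset"}

def build_graph(bom):
    """consumed_by[x]: who depends on x (dependsOn or cipher-suite reference); provided_by[x]: who implements x."""
    consumed_by, provided_by = defaultdict(set), defaultdict(set)
    for dep in bom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            consumed_by[target].add(dep["ref"])
        for target in dep.get("provides", []):
            provided_by[target].add(dep["ref"])
    for ref, comp in crypto_assets(bom).items():
        props = comp["cryptoProperties"]
        if props["assetType"] == "protocol":
            for suite in props["protocolProperties"].get("cipherSuites", []):
                for alg in suite.get("algorithms", []):
                    consumed_by[alg].add(ref)
    return consumed_by, provided_by

def transitive_consumers(consumed_by, ref):
    """Every component that reaches `ref` through consumption edges (BFS over the reverse graph)."""
    seen, queue = set(), deque([ref])
    while queue:
        for parent in consumed_by.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def _version(v):
    return tuple(int(p) for p in v.split("."))

def evaluate(bom, policy=POLICY):
    """Findings sorted by asset: the violated rule, who consumes the asset, who provides it."""
    consumed_by, provided_by = build_graph(bom)
    findings = []
    for ref, comp in crypto_assets(bom).items():
        props, reason = comp["cryptoProperties"], None
        if props["assetType"] == "algorithm":
            alg = props["algorithmProperties"]
            if (alg["primitive"] in policy["asymmetric"]
                    and alg.get("nistQuantumSecurityLevel", 0) < policy["min_quantum_level"]):
                reason = "quantum-vulnerable asymmetric algorithm"
        elif props["assetType"] == "protocol":
            proto = props["protocolProperties"]
            if proto["type"] == "tls" and _version(proto["version"]) < _version(policy["min_tls_version"]):
                reason = f"TLS {proto['version']} is below the policy minimum {policy['min_tls_version']}"
        if reason:
            findings.append({"asset": ref, "reason": reason,
                             "consumers": sorted(transitive_consumers(consumed_by, ref)),
                             "providers": sorted(provided_by.get(ref, ()))})
    return sorted(findings, key=lambda f: f["asset"])

def provided_but_unconsumed(bom):
    """Assets some library provides but nothing consumes: provision without consumption."""
    consumed_by, provided_by = build_graph(bom)
    return sorted(r for r in crypto_assets(bom) if r in provided_by and r not in consumed_by)
```

On this inventory `evaluate(load_cbom())` reports RSA-2048 (quantum level 0, reached by the application through the TLS cipher suite, provided by OpenSSL) and the TLS 1.2 protocol asset, while `provided_but_unconsumed` lists ML-KEM-768 as provided by liboqs but consumed by nothing. Loosening the policy dict is all it takes to clear both findings, which is what a policy-based evaluation over a CBOM buys over checks hard-coded into a scanner.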
Authors: BH, Senior Research Engineer, Cryptography
- Description:
The impending post-quantum cryptographic transition requires replacing algorithms across entire software portfolios, yet no systematic method exists for decomposing cryptographic agility into assessable dimensions. The term conflates distinct capabilities, including algorithm replacement, policy-driven selection, and implementation substitution, and the absence of a structured decomposition impedes both assessment and principled API design. We make four contributions. First, we introduce a component-based assessment framework that characterizes application-level cryptographic agility along seven orthogonal dimensions, capturing non-hierarchical profiles that linear maturity models cannot represent. Second, we derive thirteen API design principles from five foundational architectural properties. Third, we demonstrate their realization through concrete Protocol Buffers API patterns. Fourth, we evaluate six representative systems (PKCS#11, OpenSSL 3.0, JCA, Google Tink, AWS KMS, and HashiCorp Vault Transit), revealing three pervasive gaps: most achieve only partial operation decoupling (uniform signatures, but algorithm-specific parameters still leak through) and none reaches intent-based key creation, making algorithm migration a per-site code-change problem; none provides policy-driven algorithm selection, so organizations govern who may use cryptography but not which algorithms; and most lack the ability to transform existing keys to new algorithms. These gaps are independent and individually sufficient to prevent agile migration, explaining why post-quantum transition remains a code-change problem despite decades of API progress.
Authors: NR, Senior Research Developer; Gregoire Messmer (IBM)
- Description:
An oblivious pseudorandom function (OPRF) is a cryptographic tool that enables fast and secure authentication and key derivation from passwords. In the past few years, the adoption of OPRFs has flourished and today they are at the core of the PIN-protected backup methods of WhatsApp and Signal, and of privacy-enhancing browser technologies. All vendors deploy the so-called 2Hash-Diffie-Hellman (2HashDH) OPRF, which relies on discrete-logarithm-type assumptions that are standard yet known to be prone to quantum attacks.
Recent advances in cryptographic research (e.g., Dodgson et al., Eurocrypt 2025) have produced post-quantum OPRFs that are fast enough to deploy in settings such as WhatsApp or Signal. Yet none of these constructions are based on standard assumptions.
In this work, we investigate combiners for OPRFs, namely a "best-of-both" combination of a classical and a post-quantum OPRF that is secure as long as one of them is. First, we give formal evidence that so-called black-box combiners do not exist, indicating that combining OPRFs is subtle and bears similarities with other powerful yet hard-to-combine cryptographic primitives like oblivious transfer (OT).
We then give a (non-black-box) combiner for OPRFs and show that it can be instantiated with 2HashDH and the currently most efficient post-quantum OPRFs based on Legendre symbols. In particular, the reliance on the less standard Legendre-based hardness assumption does not harm the security of 2HashDH. This gives vendors a viable path to lift the security of their OPRF deployments to a post-quantum level.
Authors: Sebastian Faller (IBM); Marc Fischlin (non-IBM); Julius Hardt (non-IBM); JH, Staff Research Scientist, Foundational Cryptography
- Description:
Partial fraction decomposition is a fundamental technique in mathematics where products of rational functions can be expressed as sums of fractions. While rational functions have been used in various cryptographic constructions, their rich algebraic structure has not been systematically explored as a direct foundation for building cryptographic primitives. In this work, we describe and exploit two key properties of partial fraction decomposition:
(1) the decomposition property itself, which enables efficient set membership testing, and (2) a novel linear independence property arising from the non-singularity of Cauchy matrices, which enables threshold cryptography. We present two main applications. First, we construct a key-value commitment scheme where a dictionary is represented as a linear combination of partial fractions . Our scheme achieves constant-size commitments (a single group element) and proofs, supports homomorphic updates enabling stateless operation, and provides efficient membership and non-membership proofs through simple pairing equations. We also introduce Credential-based Key-Value Commitments, where keys are registered via Boneh-Boyen signatures, enabling applications in permissioned settings.
Second, we construct a dynamic threshold encryption scheme leveraging the linear independence of partial fraction products. For an authorized set and threshold , parties with secret keys corresponding to partial fractions can produce decryption shares that, together with publicly derivable shares, form a full-rank linear system structured as a special Cauchy matrix. Our scheme achieves compact ciphertexts, supports public preprocessing of public keys to a succinct encryption key, enables dynamic threshold selection at encryption time, and provides robustness through share verification without random oracles. The combining algorithm exploits efficient Cauchy matrix inversion via barycentric interpolation.
We prove security of our constructions in the standard model under new -type assumptions and establish their generic hardness in the generic bilinear group model. Our work demonstrates that working directly with the algebraic structure of rational fractions, rather than converting to polynomial representations, yields elegant and efficient cryptographic constructions with concrete advantages over prior work.
Authors: Charanjit Jutla (IBM); Arnab Roy (non-IBM); Rohit Nema (non-IBM)
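The two algebraic facts the abstract builds on, written out as an added illustration (standard identities with symbols chosen here; not the paper's schemes). For pairwise distinct $a_1, \dots, a_n$,

\[
\prod_{i=1}^{n} \frac{1}{x - a_i} \;=\; \sum_{i=1}^{n} \frac{c_i}{x - a_i},
\qquad c_i = \prod_{j \neq i} \frac{1}{a_i - a_j}.
\]

Multiplying through by $\prod_{j}(x - a_j)$ gives $1 = \sum_i c_i \prod_{j \neq i}(x - a_j)$; evaluating at $x = a_i$ kills every term but the $i$-th, which fixes $c_i$. For two elements this reads $\frac{1}{(x-a)(x-b)} = \frac{1}{a-b}\left(\frac{1}{x-a} - \frac{1}{x-b}\right)$, so a product over a set becomes a sum of one fraction per element.

The Cauchy matrix $C_{ij} = 1/(x_i - y_j)$, $1 \le i, j \le n$, has

\[
\det C \;=\; \frac{\prod_{i<j} (x_j - x_i)(y_i - y_j)}{\prod_{i,j} (x_i - y_j)},
\]

which is nonzero whenever the $x_i$ are pairwise distinct, the $y_j$ are pairwise distinct, and no $x_i$ equals a $y_j$; its rows $\big(1/(x_i - y_1), \dots, 1/(x_i - y_n)\big)$ are therefore linearly independent, which is the non-singularity the abstract invokes. (Check for $n = 2$: the numerator $(x_2 - x_1)(y_1 - y_2)$ equals $(x_1 - y_2)(x_2 - y_1) - (x_1 - y_1)(x_2 - y_2)$, the determinant's numerator over the common denominator.)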
- Description:
Falcon is a winner of NIST’s six-year post-quantum cryptography standardisation competition. Based on the celebrated full-domain-hash framework of Gentry, Peikert and Vaikuntanathan (GPV) (STOC’08), Falcon leverages NTRU lattices to achieve the most compact signatures among lattice-based schemes.
Its security hinges on a Rényi divergence-based argument for Gaussian samplers. However, the GPV proof, which uses statistical distance to argue closeness of distributions, fails when applied naively to Falcon due to parameter choices resulting in statistical distances as large as . Additional implementation-driven deviations from the GPV framework further invalidate the original proof, leaving Falcon without a security proof despite its selection for standardisation.
In this work, we provide the first formal security proof of Falcon in the random oracle model, achieved through a few conservative modifications, now incorporated into the forthcoming standard. At the heart of our analysis lies an adaptation of the GPV framework to work with the Rényi divergence, along with an optimised method for parameter selection under this measure. We also analyse the FFO Sampler that is used in Falcon. Further, we prove the equivalence of plain unforgeability to a multi-target inhomogeneous SIS problem, and strong unforgeability to a second-preimage version of this problem, providing clear targets for cryptanalysis. Assuming these problems are as hard as standard SIS, we demonstrate that Falcon-512 barely satisfies the claimed 120-bit security target, while Falcon-1024 achieves the claimed security level.
Authors: Pierre-Alain Fouque (non-IBM); Phillip Gajland (IBM); Hubert De Groote (non-IBM); Jonas Janneck (non-IBM); Eike Kiltz (non-IBM)
More events
- IBM at ECTC 2026 (Orlando, FL, USA)
- IBM at Open Source Summit NA 2026 (Minneapolis, MN, USA)