The Cryptographic Applications Workshop will happen on Sunday, May 4, 2025 in Madrid, Spain as an affiliated event of Eurocrypt 2025.
workshop description
The Cryptographic Applications Workshop (CAW; the constructive twin of WAC) focuses on the construction and analysis of cryptography built for practice.
Inspired by the Real World Crypto Symposium, it aims to provide a forum for cryptographers in academia and industry to exchange ideas and insights, bridging the gap between research and real-world applications.
The main themes of CAW are
- formalizing the security of deployed cryptography,
- constructing cryptographic primitives and systems for practice, and
- the industry perspective on deployment and maintenance of cryptography.
The workshop consisted of a mixture of invited and contributed talks on recent contributions and developments in the field of applied cryptography.
program
Sunday, May 4, 2025
9:00—9:05 (CEST)
9:05—9:25 (CEST)
Abstract: Anonymous tokens are, essentially, digital (blind) signature schemes that enable issuers to provide users with signatures without learning the user inputs or the final signatures. These primitives allow applications to propagate trust while simultaneously protecting the user identity. They have become a core component for improving the privacy of several real-world applications including ad measurements, authorization protocols, spam detection, and VPNs. In certain real-world applications, it is natural to associate signatures with specific public metadata, ensuring that trust is only propagated with respect to a certain set of users and scenarios between multiple parties (issuers, users, verifiers). To solve this, we study the notion of anonymous tokens with public metadata. We present a variant of RSA blind signatures with public metadata where issuers may only generate signatures that verify for a certain choice of public metadata, a modification of a scheme by Abe and Fujisaki. Our protocol exclusively uses standard cryptography with widely available implementations. We prove security for our protocol from the one-more RSA assumptions with multiple exponents that we introduce and provide evidence that the concrete security bounds should be nearly identical to standard RSA blind signatures. We show that our protocol incurs minimal overhead over standard RSA blind signatures and report anonymous telemetry for a real-world deployment to showcase its scalability. Moreover, the protocol in this paper has been proposed as a technical specification in an IRTF internet draft, adopted by the CFRG. Following this draft, there are multiple available implementations [3,4,5] in various languages. This talk is based on a PETS 2025 paper [6].
[1] Abe, Fujisaki: How to date blind signatures. ASIACRYPT'96.
[2] Amjad, Hendrickson, Wood, Yeo: Partially blind RSA signatures.
[4] blindrsa-ts
[6] Amjad, Yeo, Yung: RSA Blind Signatures with Public Metadata. PETS 2025.
Authors/Presenters:
9:25—9:45 (CEST)
Abstract: AES-GCM has been the status quo for efficient symmetric encryption for decades. As technology and cryptographic use-cases evolved over time, AES-GCM has posed some challenges to certain use-cases due to its default 96-bit nonce size, 128-bit block size, and lack of key commitment. Nonce-derived schemes are one way of addressing these challenges: such schemes derive multiple keys from nonce values, then apply the standard AES-GCM with these derived keys. One example is the AWS Encryption SDK (ESDK) and AWS Key Management Service (KMS), which use HKDF for key derivation and key commitment from a random string. By itself, the use of nonce-derived keys does not address key-commitment issues, however. Some schemes chose to include a built-in key commitment mechanism. In this work, we explore efficient key commitment methods for nonce-derived schemes. For concreteness we focus here specifically on adding key commitment to XAES-256-GCM, a nonce-derived scheme originally proposed by Filippo Valsorda, but these methods can be adapted to any other nonce-derived scheme. Our focus is on options that use the underlying block cipher and no other primitive, are efficient, and only use standard primitives which are FIPS-approved. We also prove the security of the key commitment scheme, and benchmark its performance. Finally, we quantify the data, message, and message length limits of XAES-256-GCM, prove that XAES is FIPS-compliant and compare it with other derived modes.
Authors/Presenters:
9:45—10:30 (CEST)
10:30—11:00 (CEST): coffee break
11:00—11:25 (CEST)
Abstract: Despite Bluetooth's widespread use, it has not received as much attention from the cryptographic community as, e.g., TLS or Signal. By 2021, there had been several security proofs of Bluetooth's stand-alone key exchange protocols, but the whole protocol suite and the interplay of its various parts had not been studied. In this talk, we present two results from cryptographic analysis of the full Secure-Connections protocol, which is the state-of-the-art key agreement in Bluetooth. The first result showed the full protocol to be secure only if treated as trust-on-first-use (TOFU). While the TOFU setting might reflect the real-world scenario, wherein a user buys a new device and pairs it once in a trustful environment (e.g., at home), this leaves other situations out of scope, e.g., pairing in public places or disconnections. The second result addresses this problem and adds authentication to the connection process using standard cryptographic means. This solution thwarts some known attacks, such as pairing and method confusion, just-works downgrade, and others. This talk is based on two recent papers [1, 2].
Authors/Presenters:
11:25—11:50 (CEST)
Abstract: Key encapsulation mechanisms (KEMs) allow two parties to establish a shared secret over a public network and are a cornerstone for making real-world crypto systems quantum-safe. Standardized schemes like ML-KEM, however, do not always satisfy the requirements of real-world protocols, and securely implementing them can be brittle. This talk will discuss two advanced KEM concepts that address these issues.
1. (Hybrid) Obfuscation. Some deployments require that KEM public keys or ciphertexts can be obfuscated to look like random bytestrings, e.g., via the widely-used Elligator encoding. These include protocols which hide metadata for user security and privacy (e.g., Tor's obfs4 pluggable transport) as well as password authenticated key exchange protocols (e.g., EKE). In this talk, we consider a replacement for Elligator in the post-quantum setting. We present Kemeleon: novel encodings that map ML-KEM public keys and ciphertexts to random bytestrings. Kemeleon is currently being considered for adoption by the CFRG. We further discuss how to combine traditional and post-quantum obfuscated KEMs. In contrast with hybrid key exchange, where simple concatenation yields a secure solution, hybrid obfuscation is more subtle. We present a nested construction that allows provably-secure instantiations from deployed schemes.
2. Verifiable Decapsulation. Cryptographic protocols often contain verification steps that are essential for security. Yet, faulty implementations missing these steps can easily go unnoticed, as the protocol might still function correctly. A prime example is Apple's goto fail; bug, erroneously skipping certificate verification. Similarly, an implementation flaw messing up the re-encryption check in FO-transformed KEMs (like ML-KEM) might be security-critical but could go undetected. This notably happened to HQC's reference implementation (and downstream users, such as liboqs), and was only noticed after 19 months. In this talk, we present an approach to make correct implementation of the re-encryption check in FO-based KEMs verifiable, with the aim to prevent such issues in the future. By including an unpredictable "confirmation code" from the encryption step into the key derivation, we ensure that re-encryption was indeed performed during decapsulation. We show how to apply this technique to ML-KEM and HQC with minimal overhead, and that it indeed catches the HQC bug through basic test cases.
Author/Presenter:
11:50—12:15 (CEST)
Abstract: Proof-carrying data (PCD) is a powerful cryptographic primitive for computational integrity in a distributed setting. State-of-the-art constructions of PCD are based on accumulation schemes (and, closely related, folding schemes). We present WARP: the first accumulation scheme with linear prover time and logarithmic verifier complexity. Our scheme is hash-based (secure in the random oracle model), plausibly post-quantum secure, and supports unbounded accumulation depth. We achieve our result by constructing an interactive oracle reduction of proximity that works with any linear code over a sufficiently large field. Along the way, we introduce a new notion of straight-line round-by-round knowledge soundness that is compatible with linear error-correcting codes without efficient (error-tolerant) decoding algorithms.
Author/Presenter:
12:15—13:00 (CEST)
Abstract: PETs, in particular those based on advanced cryptography, are powerful tools to create systems in which data is hidden from potential adversaries, hence preserving privacy. In this talk we discuss whether this power is enough when it comes to digitalizing services without increasing their potential to harm individuals and communities.
Author/Presenter:
13:00—14:15 (CEST): lunch break
14:15—14:45 (CEST)
Abstract: Modern messaging services use protocols which hide the content of the communication through end-to-end encryption. However, these protocols often attach metadata to ciphertexts, such as sender and receiver identities or sequence numbers. This metadata can be used to infer sensitive information about users, e.g., who they communicate with. To remove or reduce this metadata, one could adapt messaging protocols individually, which would be a tedious task. Instead, we study and formalize the concept of a generic anonymity wrapper which can be used on top of existing (group) messaging protocols to remove metadata and thus make communication anonymous. A related idea is implemented by Signal's Sealed Sender protocol, which uses the receiver's public key to re-encrypt the ciphertext and metadata to hide the sender identity. Since the key is static, all anonymity guarantees are lost once the receiver's private key is exposed. In contrast, the anonymity wrapper we introduce, which is a generalization of the wrapper for mesh networks proposed by Bienstock et al. (CCS'23), allows for key updates using fresh key material of the underlying messaging protocol. It thus captures that, when a key is compromised, anonymity can be restored (post-compromise anonymity) and prior communication remains anonymous (forward anonymity). Another drawback of Sealed Sender is that sending a group message requires the user to encrypt their ciphertext with each group member's public key individually, resulting in linear communication overhead. Our wrapper, on the other hand, only adds a small constant overhead as it uses symmetric keys. Lastly, since our security model includes key exposure, we constructed the anonymity wrapper to store as little metadata as possible in the sender's and receiver's memory.
Authors/Presenters:
14:45—15:15 (CEST)
Abstract: Secret keys are critical for protecting user secrets in end-to-end encrypted applications, but users need to be able to access their secrets even if they lose all of their devices and only remember a password. We designed the secret recovery system SVR3 with Signal messenger to back up user secrets with strong privacy. In this talk, I will describe lessons learned in the process of designing this system to meet real-world constraints. SVR3 appeared at OSDI'24 [1].
Author/Presenter:
15:15—15:45 (CEST): coffee break
15:45—16:05 (CEST)
Abstract: As cryptographic protocols transition to post-quantum security, most adopt hybrid solutions combining pre-quantum and post-quantum assumptions. However, this shift often introduces trade-offs in terms of efficiency, compactness, and in some cases, even security. One such example is deniability, which enables users, such as journalists or activists, to deny authorship of potentially incriminating messages. While deniability was once mainly of theoretical interest, protocols like X3DH, used in Signal and WhatsApp, provide it to billions of users. Recent work (Collins et al., PETS'25) has further bridged the gap between theory and real-world applicability. In the post-quantum setting, however, protocols like PQXDH, as well as others such as Apple's iMessage with PQ3, do not support deniability. This talk explores how we can preserve deniability in the post-quantum setting by leveraging unconditional (statistical) guarantees instead of computational assumptions, distinguishing deniability from confidentiality and authenticity. As a case study, we present a hybrid authenticated key encapsulation mechanism (AKEM) that provides statistical deniability, while maintaining authenticity and confidentiality through a combination of pre-quantum and post-quantum assumptions. Specifically, we introduce two combiners at different levels of abstraction. First, at the highest level, we propose a black-box construction that combines two AKEMs, showing that deniability is preserved only when both constituent schemes are deniable. Second, we present Shadowfax, a non-black-box combiner that integrates a pre-quantum NIKE, a post-quantum KEM, and a post-quantum ring signature. We demonstrate that Shadowfax ensures deniability in both dishonest and honest receiver settings. When instantiated, we rely on statistical security for the former, and on a pre- or post-quantum assumption for the latter. Finally, we provide an optimised, yet portable, implementation of a specific instantiation of Shadowfax yielding ciphertexts of 1 781 bytes and public keys of 1 449 bytes. Our implementation achieves competitive performance: encapsulation takes 1.9 million cycles and decapsulation takes 800 000 cycles on an Apple M1 Pro.
Authors/Presenters:
16:05—16:35 (CEST)
Abstract: Signal Messenger is working on an update to the Double Ratchet protocol that will provide hybrid ECDH- and MLWE-based forward secrecy (FS) and post-compromise security (PCS). In this talk we will present Signal's candidate protocol, what options we considered in its design, and how we compare these protocols. After briefly reviewing our recent work [1] on hybrid ratchets, erasure-code-based transmission for bandwidth-limited environments, and ratcheting KEMs, we will see that the design space for ratcheting protocols in a bandwidth-limited setting is large and that we need new ways to measure post-compromise security (PCS) to compare protocols. To this end, we introduce the size of the "Vulnerable Message Set" as our metric and use it to evaluate the PCS of a family of 6 protocols that make several natural optimization choices, of which two stand out. One is an optimized version of the Triple Ratchet protocol [1], and another is a very simple protocol compatible with the NIST-standardized ML-KEM which has been overlooked. Signal is still evaluating the final design, and we will announce the latest on this process.
Authors/Presenters:
16:35—17:15 (CEST)
Panelists:
timeline
- November 2024: open call for contributed talks
- February 7, 2025 AoE: deadline for contributed talks
- February 28, 2025: decision for contributed talks
- March 2025: publish program
date and location
Date: Sunday, May 4, 2025
Location: Facultad de Ciencias Matemáticas, Universidad Complutense de Madrid (UCM) (Google maps) in Madrid, Spain. (Room TBD.)
registration
Select CAW under “affiliated events” when registering for Eurocrypt 2025.
student registration fee waivers
We have funding to cover the registration costs of a few student attendees. To apply, please email the organizers by March 21, 2025 AoE with a short motivation explaining why you want to attend CAW and why you need funding to do so.
organizers
ETH Zurich
UC San Diego
ETH Zurich
ETH Zurich
sponsors
If you would also like to support us, please contact us by email.