The Cryptographic Applications Workshop happened on Sunday, May 26 2024 ETH Zurich in Switzerland as affiliated event of Eurocrypt 2024.

workshop description

The Cryptographic Applications Workshop (CAW; the constructive twin of WAC) focuses on the construction and analysis of cryptography built for practice.
Inspired by the Real World Crypto Symposium, it aims to provide a forum for cryptographers in academia and industry to exchange ideas and insights, bridging the gap between research and real-world applications. The main themes of CAW are

  1. formalizing the security of deployed cryptography,
  2. constructing cryptographic primitives and systems for practice, and
  3. the industry perspective on deployment and maintenance of cryptography.

The workshop consisted of a mixture of invited and contributed talks on recent contributions and developments in the field of applied cryptography.


Sunday, May 26 2024
9:00—9:10 (CEST)


We start the workshop by discussing where this gap arises and introducing a systemization to categorize approaches taken by the applied cryptography community. Some bridge the gap from theory to practice (e.g., standardizing a new primitive), others go in the reverse direction (e.g., proving an already deployed protocol secure).

This will serve as a useful framework throught our workshop to understand how every talk contributes to bridge the gap, and where more work is needed.


  • Matilda Backendal (ETH Zurich)
  • Miro Haller (UC San Diego)
9:10—9:35 (CEST)


Private Information Retrieval (PIR) schemes provide the ability to make private queries on databases that are hosted by a(n) untrusted (semi-honest) server(s). In the the single-server setting (where there are no trust assumptions over non-colluding servers), the majority of approaches with tolerable costs are limited to querying indices (single items) over flat arrays. However, this abstraction differs greatly from real-world instantiations of both structured and unstructured databases. In this talk, we will take a look at LWE-based single-server PIR schemes and what limitations they have to overcome in order to be practical with emphasis on three problems: querying to databases indexed with anything but indices, queries for approximate elements, and handling complex queries. We aim to highlight how these problems matter for real-world applications, and how one might solve them for the real-world.


  • Sofía Celi (Brave Software)
  • Alex Davidson (Universidade NOVA de Lisboa & NOVA LINCS)


9:35—10:00 (CEST)


Encryption at rest is often thought of as the last line of defense: a mechanism to protect data in case a physical disk falls into the hands of an attacker. However, in modern distributed systems, the story is a lot more nuanced and complicated. Besides external malicious actors, organizations also need to account for insider risks and attacks that leverage credentials stolen from employees. This pushes towards solutions that minimize trust in other systems in the same organization. This gets more complicated when considering large (terabyte-sized), distributed files. At the time of encryption, we may not be aware of the data's size, and it could potentially be too large to hold in memory all at once. Traditional definitions of AEAD, Streaming AEAD, and Online AEAD [HRRV'15] are not sufficient. Traditional algorithms don't scale the way modern systems performance requirements do. When running in data centers at scale, silent data corruption (SDC) occurs more frequently than we would intuitively imagine, and any corruption during encryption can lead to data becoming irrecoverable. Designing a solution for different storage systems, without compromising on security, performance, or reliability is a great challenge. This talk focuses on various lessons that we've learned while building a unified encryption solution for Google's storage systems, as well as techniques we've developed to keep data safe at scale.


  • Moreno Ambrosin (Google)

    Moreno Ambrosin is a software engineer in Google's ISE Crypto team working on Tink (Google's Open Source Cryptographic Library), and on storage encryption at scale. Before that, he worked on Confidential Computing for GCP, and on vehicular networks security at Inter Labs. He holds a PhD in Computer Science from the University of Padova.

  • Fernando Lobato Meeser (Google)

    Fernando Lobato Meeser is a Cryptography Engineer working on various security aspects for Google. He performs security reviews for new products and protocols across Google advising other teams on best security best practices and analyzing designs. He is also a contributor to Tink, and works on storage encryption at cloud scale. Before working at Google he worked in Microsoft Azure where he built resilient distributed cloud systems.


10:00—10:30 (CEST)


Apple's 2021 privacy-preserving content scanning proposal was met with consternation from the cryptographic community. Although it was cryptographically sound, critics noted that the socio-technical implications of deploying the system could be disastrous. This episode points to the need for an analytical framework that empowers cryptographers to engage with the socio-technical implications of their proposed systems and serves a bridge for cross-disciplinary conversations about cryptographic deployments.

We develop an framework that broadens the analytical frame that is applied to proposed cryptographic deployments. Our framework builds on top of Canetti's UC framework by wrapping proposed ideal functionalities with two protocols: (1) Πintended use, a protocol that describes how software components of the system that are not cryptographically verified should operate, and (2) Πsocial, parts of the socio-technical system that can not or will not be rendered into software. We then show how to apply our framework to the case study of Apple's CSAM scanning proposal. We show how our framework points to protocol-level improvements that can start to mitigate some of the anticipated harms associated with deploying Apple's initial proposal.


  • Gabriel Kaptchuk (Boston University)

    Dr. Gabe Kaptchuk is an incoming Assistant Professor of Computer Science at the University of Maryland, College Park, and he is currently a Research Assistant Professor of Computer Science at Boston University. His research is inspired by a desire to prepare cryptographic systems for high-impact, real-world deployment. Dr Kaptchuk's research spans multiple subdomains of security and privacy, including applied cryptography, theoretical cryptography, and human factors.


10:30—11:00 (CEST) coffee break
11:00—11:45 (CEST)


Over the past 50 years, cryptographers have developed powerful tools for safeguarding computer users and their data. Yet precious few of these ideas have made their way into widespread use. Why is that? And what can we do about it?

This talk will speculate on answers to both questions. To do so, I will draw in part on my own mixed results with bringing research ideas into production. Along the way, I will try to convince you that a failure in this domain can be a success, a success can be a failure, and either outcome can be entertaining.


  • Henry Corrigan-Gibbs (CSAIL MIT)

    Henry Corrigan-Gibbs (he/him) is an assistant professor at MIT in the Department of Electrical Engineering and Computer Science. Henry builds computer systems that provide new security and privacy properties using ideas from cryptography, computer security, and computer systems. Henry completed his PhD in the Applied Cryptography Group at Stanford, where he was advised by Dan Boneh. After that, he was a postdoc with Bryan Ford at EPFL. Henry was a designer of the Prio system for privacy-protecting telemetry data collection. Apple, Google, Mozilla, and others have used Prio to collect aggregate user data in a privacy-friendly way.

11:45—12:30 (CEST) Joint session on secure group messaging


Developing end-to-end encrypted instant messaging solutions for group conversations is an ongoing challenge that has garnered significant attention from practitioners and the cryptographic community alike. Notably, industry-leading messaging apps such as WhatsApp and Signal Messenger have adopted the Sender Keys protocol, where each group member shares their own symmetric encryption key with others. However, until recently, its security had not been formally analysed.

In this talk, we will present our work on modelling the security of Sender Keys (ASIACRYPT 2023). Our new security framework allows for a natural integration of two-party messaging within group messaging sessions. Leveraging this framework, we conduct the first formal analysis of the Sender Keys protocol, which we prove satisfies a weak notion of security. Towards improving security, we propose a series of efficient modifications to Sender Keys without imposing significant performance overhead. We combine these refinements into a new protocol that we call Sender Keys+, which may be of interest both in theory and practice.


  • Daniel Collins (EPFL)

    Daniel is a recent PhD graduate from EPFL under Serge Vaudenay's supervision, and will be starting a postdoc with Vassilis Zikas at Purdue University in June. His main research interests are 1) the theory and practice of secure communication protocols and 2) distributed cryptography broadly (topics including consensus, distributed key generation and multi-party computation).

  • Phillip Gajland (Max Planck Institute for Security and Privacy, Ruhr University Bochum)

    Phillip is a PhD student jointly supervised by Giulio Malavolta at the Max Planck Institute for Security & Privacy, and Eike Kiltz at the Ruhr University Bochum. His research interests lie at the intersection of theoretical and applied cryptography, and include post-quantum security, key exchange, and messaging.



To cover the powerful features and properties of secure group messaging, its definitions and constructions in the literature are typically very complex. In this talk, we take a step back and limit the power of group messaging protocols to significantly reduce its complexity and understand its core components. Concretely, we consider the case that all members of a group are always either senders or receivers. Thus, the interaction is strictly unidirectional from the former to the latter: a group of senders Alice establishes shared keys with a group of receivers Bob. With every shared key, Alice updates her local state to achieve FS and PCS; when receiving an established key, each Bob also updates their local state to achieve FS.

We demonstrate that, using standard lightweight building blocks like Key Encapsulation Mechanisms (KEMs), unidirectional group messaging can be built with highly practical efficiency and strong security. Moreover, while this consideration may seem theoretically motivated, we emphasize the practical applicability: This limited unidirectional notion of group messaging captures Signal's Sender Key Mechanism, which is used for group chats in WhatsApp and Signal, as well as unidirectional patterns of the Noise protocol framework. Yet, neither of these two practical instantiations achieves the security guarantees that we consider desirable.

At the end of our talk, we will discuss the strengths, weaknesses, and challenges of unidirectional messaging with the speakers of the talk on Sender Keys.


  • Paul Rösler (FAU Erlangen-Nürnberg)

    Paul is an Assistant Professor at FAU Erlangen-Nürnberg, where he leads the Real-World Cryptography Group. His research covers applied cryptography, especially the security of messaging protocols. He was a postdoc at the Cryptography Group, New York University and at the Cryptoplexity Group, TU Darmstadt, and he received a Ph.D. at the Chair for Network and Data Security, Ruhr University Bochum.


12:30—13:30 (CEST) lunch break
13:30—14:00 (CEST)


The widespread deployment of end-to-end encrypted messaging has seen the development of formal threat models and cryptographic security notions aimed at providing guarantees on the confidentiality and authenticity of messages and session keys for participants in one-to-one and group chats.

These notions, however, do not capture the process of group formation, where many individual users decide to share a common chat room. In practice, messaging services allow groups to be formed by direct invite by one or more administrators (closed groups), or by generating and openly sharing an invite link that automatically grants access to the chat room to anybody with access to the link (open groups). The back-end to these processes is identical from the cryptographic point of view, and results in a new user joining some form of continuous group-key agreement protocol.

From a user-experience point of view, open and closed chat groups present significant obstacles when used as an mean to organise collective action. Closed groups imply a significant administrative overhead, requiring careful vetting of applicants. Open groups are too permissive, and can result in undesired parties joining sensitive conversations.

Inspired by the literature on anonymous reputation systems, we investigate the problem of defining "semi-open" messaging groups. Ideally, these include access control mechanisms providing the ability to openly share a group-invitation link, while only letting individuals with a high in-group reputation join automatically.

In our talk we will explore the many complications of defining a meaningful threat model while achieving an acceptable user experience. We will see how existing reputation systems such as AnonRep, PRSONA, and group-signature-based constructions do likely not satisfy our requirements, and we will propose possible protocols that: are potentially compatible with pre-existing secure messaging services, provide non-trivial security from intruders, allow group members to participate to the reputation computation while being offline, and allow some transparency with regards to the overall reputation estimation.


  • Fernando Virdia (Universidade NOVA de Lisboa & NOVA LINCS)

    Fernando Virdia is a post-doctoral researcher in NOVA LINCS, Universidade NOVA de Lisboa. Fernando's current research focuses on developing new practical functionality for secure messaging. He is also active in cryptanalysis, with a special focus towards post-quantum cryptographic hardness assumptions.


14:00—14:30 (CEST)


In 2023, Signal has deployed a new, quantum-safe version of its initial handshake protocol, called PQXDH. To achieve this post-quantum security, PQXDH combines the prior "extended triple Diffie-Hellman" (X3DH) handshake with a post-quantum secure KEM, following a hybrid approach that is meant to uphold security if either Diffie-Hellman is broken by a quantum computer or the KEM's security does not hold up. In this talk, we will present results from our ongoing game-based key exchange security analysis of PQXDH, complementing the tool-based analysis of Bhargavan, Jacomme, Kiefer, and Schmidt.

Beyond introducing the PQXDH design itself and discussing the security of its hybrid approach, in our talk we will focus on security modeling aspects and the assumptions arising on KEMs when proving the kind of "full-exposure" security the Signal handshake aims at (cf. the analysis of X3DH by Cohn-Gordon et al., EuroS&P 2017). In particular, a new aspect of our model is capturing that semi-static and (some) ephemeral keys are authenticated via signatures; a property which becomes more prominent in the quantum-safe version of Signal's handshake. In terms of security assumptions on the KEM, we will highlight the concrete KEM property needed to prevent a re-encapsulation attack identified abstractly in the analysis by Bhargavan et al. While the Kyber KEM used in PQXDH has this property, it is of independent interest as it goes beyond classic IND-CCA security requested (and proven) for quantum-safe KEMs.


  • Rune Fiedler (TU Darmstadt)

    Rune is a fourth-year PhD student at TU Darmstadt, Germany, supervised by Marc Fischlin. His research interests cover Signal's messaging protocol(s), post-quantum security, deniability, and signature schemes.


14:30—15:00 (CEST)


Fully Encrypted Protocols (FEPs) have arisen in practice as an effective technique to avoid network censorship. Such protocols are designed to produce messages that appear completely random. This design hides communications metadata, such as version and length fields, and makes it difficult to even determine what protocol is being used. Moreover, these protocols frequently support padding to hide the length of protocol fields and the contained message. These techniques have relevance well beyond censorship circumvention, as protecting protocol metadata has security and privacy benefits for all Internet communications. The security of FEP designs depends on cryptographic assumptions, but neither security definitions nor proofs exist for them. We provide novel security definitions that capture the metadata-protection goals of FEPs. Our definitions are given in both the datastream and datagram settings, which model the ubiquitous TCP and UDP interfaces available to protocol designers. We prove relations among these new notions and existing security definitions. We further present new FEP constructions and prove their security. Finally, we survey existing FEP candidates and characterize the extent to which they satisfy FEP security. We identify novel ways in which these protocols are identifiable, including their responses to the introduction of data errors and the sizes of their smallest protocol messages.


  • Aaron Johnson (U.S. Naval Research Laboratory)


15:00—15:30 (CEST) coffee break
15:30—16:00 (CEST)


Critical to the success of today's tech industry is its ability to gain insights into user behavior. Normally the data required to glean such insights are collected without consideration for user privacy. Fortunately, and due in part to advancements in cryptography, we have seen a trend in recent years towards minimizing data collection to only the information required for the given application. The goal of the PPM ("Privacy Preserving Measurement") working group at IETF is to standardize cryptographic tools for data minimization. So far this work has centered around a particular class of lightweight protocols for multi-party computation. In this talk we describe some of these protocols and their use cases. We focus on the "last mile" of cryptographic research for these protocols, in which the protocol on paper is translated into the specification that forms the basis of a production system. Finally, we briefly discuss some future directions for the PPM working group.


  • Christopher Patton (Cloudflare Research)


16:00—17:00 (CEST)


This panel will discuss one avenue of bridging the gap between theory and practice: standardization. In an effort to provide diverse perspectives on this topic, our panelists have been involved with standards from academia, industry, or IETF. Together, we will discuss the benefits and challenges of standardization.


  • Deirdre Connolly (SandboxAQ)

    Co-chair of the TLS working group, an IETF working group that produces multiple documents related to the TLS protocol

  • John Preuß Mattsson (Ericsson Research)

    Internet and cellular security standards (EDHOC, 5G, TLS)

  • Luís Brandão (Foreign Guest Researcher at NIST (Contractor from Strativia))

    NIST standardization efforts: Multi-Party Threshold Cryptography, Privacy Enhancing Cryptography, Interoperable Randomness Beacons, Circuit Complexity

  • Stefan Koelbl (Google)

    ISO SC 27/WG2, Skinny/SPHINCS+

  • Sofía Celi (Brave Software)

    Chair of the IETF working group "Human Rights Protocol Considerations"


date and location

Date: Sunday, May 26 2024

Location: HG E1.2 in the main building of ETH Zurich, in Switzerland.


Select CAW under “affiliated events” when registering for Eurocrypt 2024.

student registration fee waivers

We have funding to cover the registration costs of a few student attendees. To apply, please email the organizers with a short motivation why you want to attend CAW and need funding for doing so.


Matilda Backendal
ETH Zurich
Miro Haller
University of California, San Diego


ZISC logo

We thank ZISC for contributing some speaker travel funding.

If you would also like to support us, please contact us by email.