The Cryptographic Applications Workshop will take place on Sunday, May 10, 2026 in Rome, Italy as an affiliated event of Eurocrypt 2026.
workshop description
The Cryptographic Applications Workshop (CAW; the constructive twin of WAC) focuses on the construction and analysis of cryptography built for practice.
Inspired by the Real World Crypto Symposium, it aims to provide a forum for cryptographers in academia and industry to exchange ideas and insights, bridging the gap between research and real-world applications.
The main themes of CAW are
- formalizing the security of deployed cryptography,
- constructing cryptographic primitives and systems for practice, and
- the industry perspective on deployment and maintenance of cryptography.
The workshop consists of a mixture of invited and contributed talks on recent contributions and developments in the field of applied cryptography.
program
| Sunday May 10, 2026 | |
|---|---|
| 08:30—09:00 (CEST) | registration |
| 09:00—09:05 (CEST) | Abstract: The organizers will kick off the workshop by introducing this year's theme of "cryptography under real-world constraints and threat models" as well as briefly explaining the workshop logistics. Authors/Presenters: |
| session on real-world threat models | |
| 09:05—09:35 (CEST) | Abstract: TBD Authors/Presenters: |
| 09:35—10:20 (CEST) | Abstract: We introduce a technique for determining security goals. Given that games and ideal functionalities model specific social relations between various honest and adversarial parties, our methodology is ethnography: a careful social science methodology for studying social relations in their contexts. As a first application of this technique, i.e. ethnography in cryptography, we study security at-compromise (neither pre- nor post-) and introduce the security goal of alert blindness. Specifically, in our 2024–2025 six-and-a-half-month ethnographic fieldwork with protesters in Kenya, we observed that alert blindness captures a security goal of abducted persons who were taken by Kenyan security forces for their presumed activism. This talk will draw on the ethnographic work, demonstrating how we can use what we learn from ethnography to establish cryptographic security notions. This work is focusing on the ethnography for the author's paper with the same title that is published at Eurocrypt 2026 [1]. Authors/Presenters: |
| 10:20—11:00 (CEST) | coffee break |
| session on E2EE systems | |
| 11:00—11:25 (CEST) | Abstract: End-to-end encrypted email conflicts with common workflows like forwarding and mailing lists, which require redistributing messages without expanding trust or exposing keys. We present a deployed OpenPGP-compatible design that resolves this using proxied ECDH, enabling transparent re-encryption for final recipients without changing sender behavior or revealing long-term secret keys. Our model keeps intermediaries outside the trust boundary while ensuring recipients can read messages without gaining impersonation capabilities. The approach supports nested forwarding and mailing lists with intact user experience and signature verification. We share lessons from large-scale deployment at Proton, including key management, compatibility, and standardization efforts, and discuss limitations and future work such as updated OpenPGP formats and post-quantum support. The system design is based on an ICMC 2021 paper [1] and the authors also worked on an IETF draft [1] to integrate this design with OpenPGP. Authors/Presenters: |
| 11:25—11:50 (CEST) | Abstract: End-to-end encryption is foundational towards achieving privacy from the eyes of service providers, who are incentivised to collect the largest possible amount of information from their users in order to monetise them. It also protects users from the inevitable data leaks that cloud service providers are frequently subject to. Online calendars are an extremely popular tool, often housing extensive metadata about our daily personal and business lives. Yet, little rigorous research has been devoted to exploring the issue of securing calendar functionality. In this talk, we present ongoing work towards constructing end-to-end encrypted calendars. We describe a basic single-user construction, based around a variant of the CSS cloud storage protocol introduced at CRYPTO 2024. We then propose various extensions to achieve commercial calendar functionality, such as range queries, event sharing and RSVP status updates from event attendees. Authors/Presenters: |
| 11:50—12:00 (CEST) | Abstract: TBD Authors/Presenters: |
| session on PQ & messaging | |
| 12:00—12:10 (CEST) | Abstract: This talk presents AWS's journey implementing optimal and formally verified FIPS202 (SHA-3/SHAKE) functions, which form a computational backbone of the ML-KEM and ML-DSA post-quantum algorithms now powering millions of cryptographic operations daily across security-critical AWS services. We demonstrate how we resolved the fundamental tension between performance optimization, where improvements translate directly to cost savings at AWS scale, and security assurance, where implementation vulnerabilities could compromise entire service ecosystems. Through hand-crafted assembly optimization and mathematical proof via the HOL Light theorem prover, we achieved both significant performance gains and formal correctness guarantees. Author/Presenter: |
| 12:10—13:00 (CEST) | Abstract: The Signal Protocol, combined with the sender-hiding wrapper protocol Sealed Sender, provides sender-anonymous secure messaging with strong security properties including Forward Secrecy and Post Compromise Security. With the deployment of PQXDH (initial handshake) in 2023 and Triple Ratchet (message encryption) in 2025, Signal has begun transitioning to hybrid post-quantum security, but important gaps remain: The PQXDH handshake does not provide post-quantum authentication, Sealed Sender does not provide Forward Anonymity or post-quantum anonymity, and the current composition of PQXDH and Sealed Sender is computationally expensive due to redundant key material and key agreements. In this talk we present a new handshake protocol that addresses all of these issues. We use the RingXKEM handshake [1] to attain post-quantum confidentiality and authentication. We hybridize RingXKEM with the XHMQV handshake [2], which reduces the number of elliptic curve operations relative to X3DH [3] to achieve a significant performance improvement and better maximum exposure security, i.e., XHMQV retains security in more compromise scenarios than X3DH. We then present a general construction for Sender Anonymous Key Exchange protocols based on a two-phase handshake: The first phase mixes the sender's ephemeral material with all receiver keys and uses the resulting shared secret to encrypt the remainder of the handshake which uses the sender's identity key. This structure binds the sender identity to the session while concealing it from observers. Applying this construction to both PQXDH and the RingXKEM-XHMQV hybrid yields Sealed PQXDH and Sealed RingXKEM-XHMQV, which provide strong hybrid sender anonymity with negligible overhead—a small number of hashes and a single symmetric encryption—compared to their unsealed counterparts. Sealed PQXDH is currently in development at Signal; Sealed RingXKEM-XHMQV is Signal's leading candidate for a fully post-quantum handshake protocol. [3] Marlinspike, Perrin. The X3DH Key Agreement Protocol. Authors/Presenters: |
| 13:00—14:30 (CEST) | lunch |
| session on system design | |
| 14:30—14:55 (CEST) | Abstract: A client, Phreeli, hired us to consult on a cryptographic solution for operating on unlinkable linkable identifiers for their phone service—an objective that sounds paradoxical until you see the real-world need: enabling continuity and accountability across interactions while preventing observers from monitoring those interactions to derive a traceable profile. Achieving both properties simultaneously is a non-trivial task, not because the primitives are unknown, but because the system inevitably introduces side channels: protocol metadata, timing, rate limits, operational constraints, and trust relationships between parties. In this talk we recount how a seemingly simple requirement quickly became an exercise in disciplined threat modeling, systems thinking, and careful cryptographic engineering. We ultimately settled on a solution that uses Privacy Pass, threshold OPRFs and hybrid PKE, to achieve the desired "linkable-but-unlinkable" behavior under the client's threat model and operational needs. The resulting design is practical and implementable today, yet it also surfaces open research questions: how to reason about collusion and ecosystem-level metadata leakage, how to do revocation and abuse control without reintroducing tracking, and how to evaluate privacy guarantees in a deployed system rather than in an idealized model. The talk should highlight lessons learned on bridging requirements to cryptography, including lessons of what remained unsolved. Authors/Presenters: |
| 14:55—15:20 (CEST) | Abstract: Shufflecake [1] is an open source tool that allows creation of multiple hidden volumes on a storage device in such a way that it is very difficult, even under forensic inspection, to prove the existence of such volumes. This is useful for people who are at risk of forced interrogation and prosecution by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, cypherpunks, and activists for human rights in oppressive regimes. You can consider Shufflecake a "spiritual successor" of tools such as TrueCrypt and VeraCrypt, but vastly improved: it comes with a formal cryptographic security proof, it supports any filesystem of choice, and can concurrently manage multiple independent nested volumes per device, so as to make deniability of the existence of these partitions really plausible. In this talk we will present the results of a very active 2025 year in development, which brought important features, massive performance boosts, contributions by our growing community, and we will present the roadmap to the Holy Grail of plausible deniability: A fully hidden Shufflecake OS. Author/Presenter: |
| 15:20—16:00 (CEST) | coffee break |
| session on digital identities | |
| 16:00—16:20 (CEST) | Abstract: The European Digital Identity (EUDI) Wallet aims to enable secure and user-centric authentication, with eIDAS 2.0 requiring privacy by design, selective disclosure, and unlinkability across transactions. Current solutions rely on traditional signature schemes such as ECDSA, and achieve only limited unlinkability under strong trust assumptions and incur substantial deployment overhead, due to the issuance of one-time credentials. Anonymous credentials provide stronger security and privacy guarantees as they come with built-in multi-show unlinkability. However, credentials alone do not guarantee non-transferability, which is typically achieved through device binding via secure elements (SE), and by binding each presentation to the device that contains the SE. While academic solutions for that problem exist, they assume non-standard cryptographic capabilities from the SE, whereas deployed hardware supports only legacy algorithms such as ECDSA. Bridging these two worlds would enable the practical adoption of advances achieved through years of research on anonymous credentials, without requiring updates to user hardware. In this talk, we examine the technical challenges of closing this gap and propose several ways to overcome them, based on our work [1]. We present multiple approaches with a broad range of trade-offs, from simplicity of implementation and standardization to computational efficiency. Authors/Presenters: |
| 16:20—16:50 (CEST) | Abstract: The European Digital Identity Framework (EUDIF) regulation [2], which entered into force in May 2024, requires that each Member State of the EU offer a digital wallet adhering to the requirements outlined in the regulation by 2026. From a functionality perspective, the core purpose of the EUDIF is to provide individuals with a digital means to identify and authenticate themselves, but also to enable them to store and show authenticated attributes well beyond traditional identity-related information. The vision is that attributes stored in the user's EUDIF wallet will serve as a basis to authorize access to online and offline services. Proposed use cases for the EUDIF include digitalized driving licences, digitalized identities for accessing public and banking services, storing and sharing of travel documents, age verification, and more. The eIDAS2.0 regulation mandates support for pseudonyms, selective disclosure, and unlinkable authentications. Following feedback from cryptographers on eIDAS2.0 [1], the development of the EUDIF shifted towards a system based on anonymous credentials. This is a celebrated move by many, as it is believed to enable the safe and privacy-preserving deployment of the EUDIF. In this talk, we take a step back and reconsider whether the addition of cryptographic tools is sufficient to mitigate the broader impact of the proposed sweeping system. We abstract away from specific implementations and use cases, and formalize a model of the EUDIF. Its syntax and operation are expressive enough to capture all currently proposed use cases, and to reason formally about privacy properties thereof. Our analysis then considers privacy through a harms-based lens. We highlight for the EUDIF, (1) the fundamental harms stemming from the minimal leakage of the system's functionality, (2) the harms stemming from its digital nature, and (3) the harms stemming from particular use cases. For the latter, we discuss two extreme use cases: on one hand, use cases requiring complete identities glean no benefits from selective disclosure and other privacy properties of anonymous credentials; on the other end of the spectrum, age verification appears to be an ideal application for anonymous credentials, but still introduces greater capabilities for surveillance, censorship, and discrimination across the Internet. Authors/Presenters: |
| 16:50—17:30 (CEST) | Panelists: TBD |
timeline
- November 2025: open call for contributed talks
- January 30, 2026 AoE: deadline for contributed talks
- March 6, 2026: decision for contributed talks
- March 2026: publish program
- May 2026: workshop
date and location
Date: Sunday, May 10, 2026
Location: Città Universitaria (University Campus) of Sapienza University of Rome in Rome, Italy.
Room information will be added at a later time.
registration
All participants (including speakers) have to register for CAW through the Eurocrypt 2026 registration by selecting CAW under “affiliated events”. It is possible to register only for workshops, or for workshops and the conference.
remote participation
This year, we provide the option to participate remotely in our workshop to make it accessible to the members of our community who cannot or prefer not to travel to Madrid.
Registration is free. Please fill out this Google form before May 8 to receive the Zoom link.
The remote option will be provided on a best effort basis, but we aim to provide good video and audio quality, as well as the opportunity to ask questions.
recordings of CAW 2025
For a preview of what to expect, you can rewatch the recordings of some CAW 2025 talks:
organizers
Università della Svizzera italiana (USI)
UC San Diego
sponsors

We thank ZISC for contributing some funding for speakers and student stipends.
If you would also like to support us, please contact us by email.