Eurocrypt 2025, held in the heart of Europe, brought together the global cryptographic community to discuss cutting-edge research across both theoretical and applied domains.
With 123 research papers, a vibrant lineup of distinguished and invited talks, and multiple community events, this year’s program showcased a wide-ranging exploration of Secure Multiparty Computation, Zero-Knowledge Proofs, Lattice Cryptography, Public-Key Techniques, and Real-World Protocols.
These field notes highlight key invited talks, award-winning papers, and notable papers in the (Non-)Interactive Proofs, Zero-Knowledge, and Web3 spaces, as well as in Secure Messaging.
Distinguished and invited talks
Eurocrypt 2025 showcased a Distinguished Lecture by Kenny Paterson and Invited Talks by Eli Ben-Sasson and Rachel Lin.
Distinguished Lectures, as designated by the IACR Board of Directors, recognize individuals with exceptional contributions to cryptographic research and rotate annually among Eurocrypt, Crypto, and Asiacrypt.
In contrast, Invited Talks are selected by the program committee of each conference to highlight influential voices and emerging topics in the field.
Kenny Paterson "Understanding Cryptography, Backwards"
Kenny Paterson’s Distinguished Lecture was a reflective and personal journey through a career in cryptographic research.
Rather than following a chronological account of the field, Paterson structured his talk around how his own "toolbox" of technical skills and problem-solving instincts evolved over time. From early contributions on de Bruijn sequences to practical vulnerabilities like the Lucky 13 attack on SSL/TLS and flaws in SSH packet handling, he highlighted the importance of creative thinking, serendipity, and learning to pivot.
The talk was a compelling reminder that impactful research is often nonlinear and rooted in the ability to view problems through a versatile lens.
Eli Ben-Sasson "The Rise of zkSTARKs as Blockchain Scaling Technology"
Eli Ben-Sasson recounted his journey from foundational research on Probabilistically Checkable Proofs (PCPs) to co-founding a startup dedicated to applying cryptographic proofs for blockchain scalability.
In his talk, he described how zkSTARKs have evolved from an obscure theoretical construct into what he considers one of the most efficient and future-proof solutions for blockchain scalability and post-quantum security — reportedly saving users billions of dollars. In addition to recapping his personal journey, Ben-Sasson also highlighted how classical models like MIP and IOP, and algorithms such as the Fast Fourier Transform and the Guruswami-Sudan list-decoding method, are now finding renewed purpose in powering modern STARK-based proof systems.
Rachel Lin "Expedition to Obfustopia: Indistinguishability Obfuscation from Well-Studied Assumptions to New Frontiers"
Rachel Lin delivered a deep technical exploration of the evolving landscape of indistinguishability obfuscation (iO), a powerful cryptographic goal that aims to make programs functionally equivalent yet computationally unintelligible. She traced the field’s trajectory from early constructions based on multilinear maps — ultimately broken by cryptanalytic attacks — to more robust foundations grounded in well-studied assumptions such as Learning Parity with Noise (LPN), local pseudorandom generators (in NC⁰), and Decision Linear (DLIN).
While these developments mark a significant milestone, Lin emphasized that achieving practical efficiency and simplicity remains a major challenge. She discussed the difficulty of hiding all intermediate computations and outlined strategies that reduce this burden by shifting complexity into public components. Lin also examined promising efforts to base iO on standard lattice assumptions, which would offer post-quantum security, but noted that these approaches rely on “hint-based” security notions that are still under scrutiny. She concluded with a hopeful outlook, framing the pursuit of practical and theoretically sound iO as one of the most exciting and consequential frontiers in cryptographic research.

Awarded papers
Out of the accepted papers at Eurocrypt 2025, three received awards in recognition of their outstanding contributions.
The Best Paper Awards were presented to Hugues Randriambololona for his work “The Syzygy Distinguisher,” and to Nicholas Carlini, Jorge Chávez-Saab, Anna Hambitzer, Francisco Rodríguez-Henríquez, and Adi Shamir for their paper “Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting.” The Early-Career Best Paper Award went to Ward Beullens for his paper “Improved Cryptanalysis of SNOVA.”
Best Paper: "The Syzygy Distinguisher" by Hugues Randriambololona (Paper, Slides)
Randriambololona presented a novel subexponential-time distinguisher for alternant and Goppa codes, which has significant implications for code-based cryptography, particularly the Classic McEliece scheme — one of the candidates for post-quantum cryptographic standardization.
Unlike previous distinguishers or structure recovery attacks that suffered from strong regime limitations, this approach applies to real-world parameter settings. The key insight is that the syzygy modules — arising from algebraic geometry — are richer and more structured in Goppa codes than in random codes, allowing a clear statistical separation.
Though this does not yet break McEliece in practice, the method represents the first time an attack has pierced the exponential barrier for this cryptosystem, casting doubt on the long-assumed stability of its security.
Best Paper: "Polynomial Time Cryptanalytic Extraction of Deep Neural Networks in the Hard-Label Setting" by Carlini, Chávez-Saab, Hambitzer, Rodríguez-Henríquez, and Shamir (Paper, Slides)
Adi Shamir presented the first cryptanalytic attack capable of extracting all parameters of a deep neural network (DNN) in the hard-label setting — a challenging scenario in which the attacker has access only to the final classification labels, not to intermediate numerical outputs.
This breakthrough overcomes key limitations of previous methods, which either relied on detailed output information or required exponential time to handle even small architectures. The central innovation is the identification and use of dual points — input examples that lie precisely on the DNN’s decision boundaries and simultaneously activate ReLU units at their critical points (i.e., where the pre-activation value is zero).
Using this approach, the authors successfully extracted nearly one million parameters from a standard CIFAR-10 model. While the method is not yet practical for very large networks, it marks a significant advance in understanding the susceptibility of black-box DNNs to efficient cryptanalytic extraction.
Early-Career Best Paper: "Improved Cryptanalysis of SNOVA" by Ward Beullens (Paper, Slides)
Ward Beullens introduced new cryptanalytic attacks on SNOVA, a multivariate signature scheme submitted to the NIST additional signature standardization project. He demonstrated that SNOVA’s design — specifically its structured adaptation of the “whipping” technique from the MAYO scheme — introduces exploitable vulnerabilities.
By analyzing the algebraic properties of SNOVA’s public map, Beullens developed forgery attacks that reduce the effective security margin by up to a factor of 2³⁹. Among the most striking results is a practical weak-key attack: for certain parameter sets (such as SNOVA-37-17-2), approximately one in 143,000 public keys can be fully compromised in just a few minutes using a standard laptop.
The paper recommends modifying the whipping structure to mitigate rank deficiencies in matrix combinations — a change not yet fully implemented in SNOVA’s second-round submission, where the attacks remain applicable, albeit with reduced efficiency.
Highlights in (non-)interactive proofs and zero-knowledge
Zero-knowledge proofs and succinct arguments remain a cornerstone of modern cryptographic research, enabling secure, efficient, and privacy-preserving systems across a wide range of applications — from blockchain scalability to verifiable computation.
Eurocrypt 2025 featured a remarkable collection of papers in this space, showcasing advances in both theoretical foundations and practical performance. Below, we explore some of these results.
"New Techniques for Preimage Sampling: Improved NIZKs and More from LWE" by Waters, Wee, and Wu (Paper, Slides)
David Wu presented a new framework for lattice-based cryptography centered around a novel technique for sampling matrices A1, …, Aℓ together with a succinct, publicly computable trapdoor for solving the shifted multi-preimage sampling problem. This innovation eliminates the need for large, structured hints or trusted setup traditionally required in such constructions.
It enables efficient and modular constructions of cryptographic primitives while relying only on the standard Learning With Errors (LWE) assumption with a polynomial modulus-to-noise ratio. Using this technique, the authors construct two key applications: (1) a dual-mode NIZK for NP with a linear-size CRS, transparent setup in the hiding mode, and improved security assumptions; and (2) a statistically hiding vector commitment scheme from the SIS assumption, supporting transparent setup and polylogarithmic-size CRS, commitments, and openings. Conceptually, the talk unified prior lattice-based constructions by framing them through this new preimage sampling lens, offering improved efficiency, generality, and cryptographic insight.
"Black-Box NIZK from Vector Trapdoor Hash" by Branco, Choudhuri, Döttling, Jain, Malavolta, and Srinivasan (Paper, Slides)
Pedro Branco presented a novel approach to constructing non-interactive zero-knowledge (NIZK) proof systems using a new cryptographic primitive called Vector Trapdoor Hash (VTDH). This primitive generalizes earlier trapdoor hash techniques and enables black-box constructions of NIZKs via the hidden bits model, a foundational framework for deriving zero-knowledge from basic assumptions.
The work achieves two main results: a statistically sound NIZK based on the Decisional Diffie-Hellman (DDH) and Learning Parity with Noise (LPN) assumptions — marking the first such construction that avoids reliance on LWE, bilinear maps, or factoring — and a dual-mode NIZK under LWE with a polynomial modulus-to-noise ratio, which improves over prior schemes by avoiding lattice trapdoors and private-coin setup.
Although initially limited to single-theorem proofs, these constructions can be extended to the multi-theorem setting using known (but non-black-box) transformations.
Overall, the work offers a modular, assumption-diverse framework for building efficient and secure NIZKs.
"WHIR: Reed-Solomon Proximity Testing with Super-Fast Verification" by Arnon, Chiesa, Fenzi, and Yogev (Paper, Slides)
Giacomo Fenzi introduced WHIR, a new Interactive Oracle Proof of Proximity (IOPP) protocol that sets a new benchmark for efficient proximity testing over constrained Reed–Solomon codes. WHIR achieves ultra-fast verification times, typically measured in hundreds of microseconds — an order of magnitude faster than prior systems like FRI and STIR, which operate on the millisecond scale.
This fast verification comes at no cost elsewhere: WHIR also maintains state-of-the-art performance in prover time, argument size, and hash complexity. Its efficiency is driven by two key innovations: a novel folding strategy that minimizes proof size and enables fast recursive verification, and support for expressive queries over both univariate and multilinear polynomials, making it a powerful drop-in replacement for protocols such as FRI, STIR, and BaseFold.
Fenzi noted that WHIR is already being integrated into blockchain tools like ProveKit, with large-scale deployment underway, potentially reaching over 26 million users.
"Polocolo: A ZK-Friendly Hash Function Based on S-boxes Using Power Residues" by Ha, Hwang, Lee, Park, and Son (Paper, Slides)
Mincheol Son presented Polocolo, a new ZK-friendly hash function engineered to lower proving costs in zero-knowledge protocols, with a particular focus on integration with Plonk.
At the heart of Polocolo is an innovative S-box based on the power residue method, which enables efficient lookup operations over finite fields — leading to substantial gate savings within proof systems. Complementing this is a Plonk-optimized MDS matrix used in the linear layer, further enhancing efficiency. Compared to existing hash functions, Polocolo reduces Plonk gate usage by up to 24%, supporting multiple rounds of non-linear operations without sacrificing performance.
It consistently outperforms alternatives like Anemoi and Reinforced Concrete across various configurations. Both practical and secure, Polocolo’s design principles offer a promising foundation for future ZK-friendly hash function development.
"Succinct Arguments over Towers of Binary Fields" by Diamond and Posen (Paper, Slides)
Benjamin E. Diamond’s talk showcased a new SNARK construction specifically designed for towers of binary fields, enabling efficient proof systems over extremely small fields — down to characteristic 2. The core innovation is an adaptation and generalization of the Brakedown multilinear polynomial commitment scheme, tailored to operate in these constrained settings without the costly embedding overhead typical of small-field SNARKs.
This construction supports succinct arguments with high performance, including efficient handling of cryptographic hash functions like Keccak-256 and Grøstl, which are notoriously difficult to represent in traditional SNARK frameworks. By eliminating reliance on large finite fields and enabling compact, low-overhead encodings, the scheme effectively overcomes long-standing barriers such as trace-length limitations and excessive memory usage, offering a practical pathway to more scalable SNARKs in binary settings.
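To make concrete what a tower of binary fields is and why working in one avoids embedding overhead, here is an added Python example; it is not code from the paper or its authors. It assumes the standard recursive tower construction T_0 = GF(2), T_k = T_{k-1}[X_k] / (X_k² + X_{k-1}·X_k + 1), stores a T_k element as a 2^k-bit integer, and implements multiplication, inversion, and the chunk-wise multiplication of a big-field element by a small-subfield element that needs no embedding at all.

```python
# Added example: arithmetic in a tower of binary fields (not code from the paper).
# Assumed construction (the standard Wiedemann-style tower):
#   T_0 = GF(2),  T_k = T_{k-1}[X_k] / (X_k^2 + X_{k-1} * X_k + 1),  X_0 = 1,
# so T_k = GF(2^(2^k)) and T_0 ⊂ T_1 ⊂ T_2 ⊂ ... A T_k element is a 2^k-bit int:
# low half = coefficient of 1 (a T_{k-1} element), high half = coefficient of X_k.

def generator(level: int) -> int:
    """X_level as an element of T_level (X_0 = 1)."""
    return 1 if level == 0 else 1 << (1 << (level - 1))

def tower_mul(a: int, b: int, k: int) -> int:
    """Multiply two T_k elements: Karatsuba on the halves, then one reduction."""
    if k == 0:
        return a & b                          # GF(2): multiplication is AND
    half = 1 << (k - 1)                       # bit width of a T_{k-1} element
    mask = (1 << half) - 1
    a_lo, a_hi = a & mask, (a >> half) & mask
    b_lo, b_hi = b & mask, (b >> half) & mask
    lo = tower_mul(a_lo, b_lo, k - 1)
    hi = tower_mul(a_hi, b_hi, k - 1)
    # (a_lo + a_hi)(b_lo + b_hi) = lo + cross + hi, so cross = a_lo*b_hi + a_hi*b_lo
    cross = tower_mul(a_lo ^ a_hi, b_lo ^ b_hi, k - 1) ^ lo ^ hi
    # a*b = hi*X_k^2 + cross*X_k + lo, and X_k^2 = X_{k-1}*X_k + 1
    new_hi = cross ^ tower_mul(hi, generator(k - 1), k - 1)
    return (new_hi << half) | (lo ^ hi)

def tower_pow(a: int, e: int, k: int) -> int:
    """Square-and-multiply in T_k."""
    result, base = 1, a
    while e:
        if e & 1:
            result = tower_mul(result, base, k)
        base = tower_mul(base, base, k)
        e >>= 1
    return result

def tower_inv(a: int, k: int) -> int:
    """Inverse by Fermat: a^(q-2) with q = |T_k| = 2^(2^k)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return tower_pow(a, (1 << (1 << k)) - 2, k)

def subfield_mul(c: int, a: int, j: int, k: int) -> int:
    """Multiply a in T_k by c in the subfield T_j (j <= k) without embedding c.
    T_k is a T_j-vector space whose coordinates are the 2^j-bit chunks of a,
    so c*a is c times each chunk: 2^(k-j) small multiplications, no big one."""
    chunk = 1 << j
    mask = (1 << chunk) - 1
    out = 0
    for shift in range(0, 1 << k, chunk):
        out |= tower_mul(c, (a >> shift) & mask, j) << shift
    return out

def check_field_axioms(k: int, samples) -> bool:
    """Spot-check commutativity, associativity, distributivity and inverses."""
    for a in samples:
        for b in samples:
            if tower_mul(a, b, k) != tower_mul(b, a, k):
                return False
            for c in samples:
                if tower_mul(tower_mul(a, b, k), c, k) != tower_mul(a, tower_mul(b, c, k), k):
                    return False
                if tower_mul(a, b ^ c, k) != tower_mul(a, b, k) ^ tower_mul(a, c, k):
                    return False
        if a and tower_mul(a, tower_inv(a, k), k) != 1:
            return False
    return True

if __name__ == "__main__":
    # Constructed sample values; T_4 = GF(2^16).
    print(tower_mul(generator(2), generator(2), 2))      # X_2^2 reduces to X_1*X_2 + 1
    print(check_field_axioms(4, [0, 1, 3, 0x1234, 0xBEEF, 0xFFFF]))
    print(subfield_mul(3, 0xBEEF, 1, 4) == tower_mul(3, 0xBEEF, 4))
```

The point of `subfield_mul` is the property the talk refers to: a value living in a tiny subfield (a bit in T_0, or a 2-bit element of T_1) is multiplied into a large-field element at the cost of 2^(k-j) subfield multiplications instead of one full T_k multiplication, which is what lets a prover keep trace data in small fields while committing over a large one.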
"Blaze: Fast SNARKs from Interleaved RAA Codes" by Brehm, Chen, Fisch, Resch, Rothblum, and Zeilberger (Paper, Slides)
Hadas Zeilberger and Martijn Brehm presented Blaze, a new multilinear polynomial commitment scheme over binary fields that dramatically improves the efficiency of SNARK proving and verification.
At the heart of Blaze is a code-switching technique that combines an exceptionally fast error-correcting code — the Repeat-Accumulate-Accumulate (RAA) code — with an interactive oracle proof of proximity (IOPP) drawn from existing multilinear commitment frameworks. This composition yields a linear-time prover and a polylogarithmic-time verifier, enabling scalable performance without compromising soundness.
By operating natively over binary fields, Blaze eliminates the embedding overhead typically required for small-field SNARKs and delivers compact, efficient commitments well-suited for large multilinear polynomials.
Benchmarks show that Blaze outperforms previous state-of-the-art schemes like Multilinear FRI and Basefold in both prover speed and proof size, making it a highly promising building block for practical zero-knowledge proof systems.
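The RAA code at the core of Blaze is what makes a linear-time prover possible, so here is an added Python example of a textbook Repeat-Accumulate-Accumulate encoder over GF(2); it is not code from the Blaze paper or its authors. The rate 1/r, the seeded permutations, and the omission of Blaze's interleaving of many codewords are assumptions chosen for illustration, and `min_distance` is a brute-force helper that is only feasible for small message lengths.

```python
import random

# Added example: a textbook Repeat-Accumulate-Accumulate (RAA) encoder over GF(2)
# (not code from the Blaze paper or its authors). Encoding is three linear-time
# passes: repeat each bit r times, permute, accumulate (running XOR), permute,
# accumulate. Rate 1/r, the seeded permutations and the absence of Blaze's
# interleaving of many codewords are assumptions made for illustration.

def accumulate(bits):
    """Running XOR: y_i = x_0 + ... + x_i over GF(2). Invertible by differencing."""
    out, acc = [], 0
    for b in bits:
        acc ^= b
        out.append(acc)
    return out

def make_raa_code(k, r, seed=0):
    """Fix the two permutations; (n, pi1, pi2) fully determines the code."""
    n = k * r
    rng = random.Random(seed)            # seeded so the code is reproducible
    pi1 = list(range(n)); rng.shuffle(pi1)
    pi2 = list(range(n)); rng.shuffle(pi2)
    return n, pi1, pi2

def raa_encode(msg, code):
    """Map k message bits to an n = k*r bit codeword in O(n) time."""
    n, pi1, pi2 = code
    r = n // len(msg)
    x = [b for b in msg for _ in range(r)]    # repeat: k -> n bits
    x = [x[pi1[i]] for i in range(n)]         # permute
    x = accumulate(x)                         # accumulate
    x = [x[pi2[i]] for i in range(n)]         # permute
    return accumulate(x)                      # accumulate

def is_linear(code, k, trials=50, seed=1):
    """Check enc(a + b) = enc(a) + enc(b) on random message pairs."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(k)]
        b = [rng.randint(0, 1) for _ in range(k)]
        lhs = raa_encode([x ^ y for x, y in zip(a, b)], code)
        rhs = [x ^ y for x, y in zip(raa_encode(a, code), raa_encode(b, code))]
        if lhs != rhs:
            return False
    return True

def min_distance(code, k):
    """Brute-force minimum weight of nonzero codewords (feasible for small k).
    Every encoder stage is injective, so the result is at least 1."""
    return min(sum(raa_encode([(m >> i) & 1 for i in range(k)], code))
               for m in range(1, 1 << k))

def relative_distance(code, k):
    """Minimum distance as a fraction of the codeword length."""
    return min_distance(code, k) / code[0]

if __name__ == "__main__":
    code = make_raa_code(k=8, r=3, seed=42)    # constructed toy parameters
    print(raa_encode([1, 0, 1, 1, 0, 0, 1, 0], code))
    print(is_linear(code, 8), min_distance(code, 8), relative_distance(code, 8))
```

Because each pass touches every symbol once, the encoder's cost grows linearly in n, which is why a proximity test built on top of such a code can keep the prover linear-time; the price is that the distance of a random RAA instance is not known in closed form, so the brute-force `min_distance` stands in here for the concentration bounds a real parameter choice relies on.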
Advances in blockchain and Web3 cryptographic primitives
As decentralized systems mature, the demand for cryptographic tools that are both scalable and secure continues to grow. Eurocrypt 2025 featured a few notable contributions aimed at advancing the cryptographic foundations of blockchain and Web3 infrastructure. Below, we highlight some of these results.
"MiniCast: Minimizing the Communication Complexity of Reliable Broadcast" by Thomas Locher and Victor Shoup (Paper, Slides)
Victor Shoup presented MiniCast, a new protocol for reliable broadcast in asynchronous networks tolerating up to n/3 corrupt parties. The protocol significantly reduces communication complexity for long messages from the previously best-known bound of 2|m|n to 1.5|m|n (for an n-party network and a message m), while maintaining optimal fault tolerance and correctness.
This improvement is particularly impactful for bandwidth-sensitive applications such as blockchain consensus and distributed ledger protocols, where reliable message dissemination is critical and network efficiency directly affects scalability.
"Exponent-VRFs and Their Applications" by Dan Boneh, Iftach Haitner, Yehuda Lindell, and Gil Segev (Paper, Slides)
Yehuda Lindell introduced Exponent-Verifiable Random Functions (eVRFs), a new cryptographic primitive in which the VRF output is revealed only in exponentiated form. This abstraction enables a powerful and unified framework for building a variety of efficient and fully simulatable protocols in threshold cryptography.
Leveraging eVRFs, the authors construct practical protocols for distributed key generation, multiparty Schnorr and ECDSA signing, and verifiable hierarchical deterministic (HD) derivation.
The results demonstrate the broad utility of eVRFs in secure, decentralized environments.
"Distributed Randomness using Weighted VUFs" by Sourav Das, Benny Pinkas, Alin Tomescu, and Zhuolun Xiang (Paper, Slides)
Sourav Das introduced a scalable on-chain randomness protocol tailored for Proof-of-Stake blockchains with weighted validators. The protocol centers on a novel weighted verifiable unpredictable function (VUF) that maintains constant computational and communication cost per party — regardless of validator weight — and a new scalable publicly verifiable secret sharing (PVSS) scheme.
Implemented and tested on the Aptos blockchain, the protocol adds only 133 milliseconds of latency and supports rapid, repeated randomness generation, making it a practical solution for improving fairness, security, and scalability in modern blockchain consensus protocols.
Security analyses of real-world messaging applications
As secure messaging continues to play a vital role in personal privacy and organizational communication, rigorous cryptographic analysis of widely deployed protocols has become more important than ever.
At Eurocrypt 2025, several papers offered deep technical investigations into the design and security guarantees of popular messaging systems. Here are some of these results.
"Analysis of the Telegram Key Exchange" by Martin R. Albrecht, Lenka Mareková, Kenneth G. Paterson, Eyal Ronen, and Igors Stepanovs (Paper, Slides)
This work presents the first formal security analysis of Telegram's client-server key exchange protocols, modeling them in a novel multi-stage key exchange framework and validating their security based on Telegram’s specifications and source code.
"Formal Analysis of Multi-Device Group Messaging in WhatsApp" by Martin R. Albrecht, Benjamin Dowling, and Daniel Jones (Paper, Slides)
The authors provide a formal security analysis of WhatsApp’s multi-device group messaging system, reverse-engineering its implementation and proving security properties in an extended device-oriented messaging model that incorporates device revocation.
"Triple Ratchet: A Bandwidth Efficient Hybrid-Secure Signal Protocol" by Yevgeniy Dodis, Daniel Jost, Shuichi Katsumata, Thomas Prest, and Rolfe Schmidt (Paper, Slides)
This paper introduces the Triple Ratchet protocol, an upgrade to Signal that achieves hybrid (classical and post-quantum) security while maintaining key properties such as forward secrecy, post-compromise security, and bandwidth efficiency.
"Analyzing Group Chat Encryption in MLS, Session, Signal, and Matrix" by Joseph Jaeger and Akshaya Kumar (Paper, Slides)
The authors analyze the group encryption frameworks of MLS, Session, Signal, and Matrix, using the symmetric signcryption model to uncover theoretical weaknesses and propose improvements to strengthen binding between encryption and authentication components.
Final thoughts
As the current President of the IACR, I am extremely glad to see that Eurocrypt 2025 reaffirmed the field’s intellectual diversity and dynamism, with strong representation across foundational theory and practical application.
The program showcased advances in a wide range of areas, including Secure Multiparty Computation, Public-Key Cryptography, Key Exchange, Advanced Cryptographic Schemes, (Non-)Interactive Proofs and Zero-Knowledge, Private Information Retrieval and Garbling, theoretical foundations, and Real-World Cryptography.
From new cryptanalytic insights and obfuscation frameworks to innovations in zero-knowledge protocols and commitment schemes, the conference highlighted both depth and breadth in modern cryptographic research. As always, Eurocrypt served not only as a venue for presenting cutting-edge results but also as a space for connecting ideas across domains and shaping the future trajectory of the field.
The International Association for Cryptologic Research (IACR) is a non-profit scientific organization whose purpose is to further research in cryptology and related fields. Each year, the IACR organizes three general cryptologic conferences — namely Crypto, Eurocrypt, and Asiacrypt — as well as four specialized area conferences (CHES, FSE, PKC, and TCC) and the Real World Crypto Symposium (RWC). These events are widely recognized as the most selective and prestigious venues for presenting original contributions in cryptographic research.