Notes from the 45th edition of Eurocrypt in Rome — post-quantum, thresholds, end-to-end deployments, and the people behind the papers.
Eurocrypt is one of the main theory conferences in the field of cryptography, and this year it landed in Rome for its 45th edition. A beautiful city, and a fitting one.
Rome was not built in a day. Neither in polynomial time.
That line is from Anna Lysyanskaya's invited talk on fifty years of modern cryptography, and it's the one thing I keep coming back to. Her point was simple but worth saying out loud: cryptography is everywhere around us already, elections, internet communications, money, AI, freedom of speech, and we've barely started exploring what it can do. Fifty years of modern cryptography, and the surface has barely been scratched. That's not a pessimistic observation. It's an invitation.
The first day's affiliated workshop was probably my favorite part of the week. Talk after talk exposed the same uncomfortable truth: what we can prove and what we can actually deploy are still very far apart.
Proton gave a brutally honest account of e2e mail forwarding: it breaks after one hop, and in most real-world scenarios you just have to accept that. They're using post-quantum proxy re-encryption to even get that far. Signal presented post-quantum ratchets for e2e messaging, which are impressive in theory and genuinely costly in practice. Google made the case that UX is a security problem, not just a design problem, and that our threat models need to account for real users, not just ideal adversaries. AWS talked about formal verification for post-quantum primitives like ML-KEM. And one talk referenced a 2024 CRYPTO paper as the only known formal treatment of e2e security in cloud storage, with the small detail that it still hasn't been deployed anywhere. That gap is an open invitation.
I also had good conversations with people from ANSSI and the Signal team about what secure protocol deployment actually looks like in practice, at scale, with no assumption that users will behave correctly.
Post-quantum was everywhere, which is expected, but the energy has shifted. Less about whether to migrate, more about building new things that are quantum-safe from the start. New constructions, new assumptions, new proofs. The NIST standards are a baseline, not a destination.
Threshold constructions were another recurring thread. Threshold signatures, threshold encryption, threshold everything. MPC is moving from provability to deployability, and the open questions are increasingly about performance and simplicity, not security.
Neural networks in cryptography is a growing area, still early, but showing up in enough talks to be worth watching.
Luca De Feo gave a talk on the history of elliptic curve cryptography and isogenies. A nice walk through how the field evolved, and a good reminder that some of the most interesting mathematics is hiding in the older parts of the literature.
I had the chance to meet Adi Shamir, of Shamir's Secret Sharing, of the S in RSA, and of the Fiat-Shamir transform, which makes three separate reasons to recognize his name. Meeting someone whose work appears in three different parts of your research at the same time is a strange kind of recursion. I also got to discuss with Bart Preneel, Michel Abdalla, Louis Goubin, and Nigel Smart (our advisor at Astran) each of whom has shaped a different corner of the field I work in. I also talked with a lot of interesting people from all over the world.
The rump session was chaotic and funny in all the right ways. The conference dinner was in a palacio.
Cryptography is a living field. Eurocrypt is one of the best reminders of that.