Highlights from Real World Cryptography 2025

This is a true story. This is the true story of a group of cryptographers who get together in a conference room and have their presentations taped, to find out what happens when they’re not writing papers. This is The Real World: Crypto.

Technically, Real World Crypto isn’t the latest edition of MTV’s long-running reality show. It’s a conference put on by the International Association for Cryptologic Research. Unlike academic conferences, people with jobs in industry are invited, and there aren’t any written papers. And unlike industry conferences, it’s highly technical with no marketing allowed. Like the show, Real World Crypto lets us see behind doors that are normally closed. And, like trashy reality TV, I can’t not watch it.

(Unfortunately, I couldn’t attend in person. I don’t have the kind of job that will let me spend a week in Bulgaria quite yet. Fortunately, everything’s streamed on YouTube for free.)

I can’t recap every episode of this season, but here are some of the highlights!

Any errors here are mine, or ChatGPT’s, and not from the original speaker.

Apple’s Real World Deployment of Homomorphic Encryption at Scale

Rehan Rishi, Haris Mughees, Fabian Boemer, Karl Tarbe, Nicholas Genise, Akshay Wadia, Ruiyu Zhu

Watch here

There’s no question that Apple is the star of Real World Crypto. Everyone wants to know how their iPhone works, everyone wants to get a job at the Space Donut, and everyone wants a Mac Studio M3 Ultra with 32 cores and 512GB of RAM (coming soon for $14,099.99). But cryptographers in particular love Apple because it’s the first company to widely deploy homomorphic encryption.

What is homomorphic encryption? Well, homo means same, and morphic means change. Put together, it means encryption that allows you to do math on encrypted data without ever revealing what’s inside. Think of it as a magic box that transforms things but keeps the relationships between them intact.

Imagine if my “encryption algorithm” was “multiply everything by 5,” and my top-secret message is 42. Then the “encrypted message” is 210. And then the magic: if I multiply my “encrypted message” by 3, I get 630. Then I decrypt it and get 126. Which is the same as 42 times 3!

I’m sure you’re impressed already and are rushing to patent this groundbreaking new security technology.

But real homomorphic encryption does that process for encryption algorithms that are not just child-proof but actually unbreakable (at least as far as we know). And you can do math that’s a bit more sophisticated than just multiplication on the encrypted data. (Here’s a fun little activity designed to teach homomorphic encryption to kids.)

So how does Apple fit in? Apple is the one big tech company that’s committed to maintaining the privacy of their users. (Looking at you, “Don’t Be Evil” people.) And part of that means they’ll encrypt your data when it’s in their cloud. But Apple wants you to do cloud computation on it, so they can help search and organize your private data.

For example, let’s say you take a picture of the Eiffel Tower. Your phone starts by applying a machine learning model to extract features of your photo. The iron beams, the pointy top, the swarms of other tourists - they all go into coordinates in feature-space.

The machine learning model produces a feature vector, and then your iPhone encrypts it and sends it up to Apple’s servers. They compare it to the encrypted feature vectors from the vast library of photos that have been uploaded, and match it to the closest known location vector, and send that back to your phone.

But Apple never sees the contents of your photo, or even the feature vector itself. All the processing happens on encrypted content only.

And that’s how Apple doesn’t know you visited the Eiffel Tower in Las Vegas. What happens in Vegas stays in Vegas.

While Apple didn’t invent homomorphic encryption, it’s the first company to deploy it on a massive scale. Apple uses homomorphic encryption for photo recognition, but also for a few other purposes such as caller ID. They’ve written a whitepaper here, and open-sourced their components here (client) and here (server).

Mesh Messaging for Large-Scale Protests: Why Cryptography Alone Won’t Save Us

David Inyangson, Sarah Radway, Tushar M. Jois, Nelly Fazio, James Mickens

Watch here

Imagine you live in an authoritarian regime. (For some of us, this is easier to imagine every day.) The best way to voice your opinions is to protest in the streets with a group of friends. But Big Brother has cut off local Internet access, so your phones can only communicate peer-to-peer, and the secret police can arrest any one of your friends and grab their secret key at any time. How do you build a secure, decentralized messaging network that lets you protest without getting disrupted?

(If this sounds more like a game of Werewolf than a realistic protest, you’re right. Unfortunately they won’t let researchers throw real protests for science.)

There’s a huge library of work about solving the mesh-encrypted-messaging problem, but the point of this talk is that none of the existing solutions will work. When simulating a realistic protest, with individual protesting agents moving through virtual streets, the whole network falls apart as massive floods of packets swarm bottlenecks. The secret police don’t have to do anything at all: they can just wait for the system to collapse due to math.

So if you’re an aspiring cryptographer, protester, or secret police agent, there’s still a lot of work left to do. We need better simulations, better routing protocols, and better key distribution to successfully send encrypted messages around the network.

EU Digital Identity and Anonymous Credentials - A Happy End?

Anja Lehmann

Watch here

Here in the US, we don’t believe in national ID cards. Instead we just use our social security numbers, which are possibly the least secure identity mechanism ever devised. A single short number, it can’t be changed ever, and it’s needed for everything from renting an apartment to getting cable TV. And the companies that process social security numbers are all wildly insecure. Realistically, every American has had their social security number stolen and published on the dark web at least 17 times.

Like most things, Europe is a bit smarter. As of last year, all EU countries are working together to deploy a massive, federated identity system. Each country will have its own app, but all of them will be compatible, and they can be used both for government and private purposes. The system is called EU Digital Identity (EUDI).

This session is about the cryptography behind the EUDI standard. EUDI does allow anonymous and pseudonymous proofs - if you want to go into a bar, you can prove your age, without giving up your name. But this is implemented through a central server issuing single-use ECDSA keypairs. The session is about how anonymous proofs could serve the same purpose, using advanced cryptography to avoid the need for a central server. Perhaps in the future, governments will be a little more sophisticated and incorporate anonymous proofs into the next version of the standard.

Is Your Bluetooth Chip Leaking Signals via RF?

Yanning Ji, Elena Dubrova, Ruize Wang

Watch here

Hey - you’ve got something in your ear. It’s a tiny ARM CPU with a hardware accelerated encryption engine and Bluetooth radio.

Does that sound weird? Then maybe you should get a new pair of AirPods.

Embedded, wireless-capable CPUs are cheap, everywhere, and no one really thinks about them. They use AES-encrypted Bluetooth to communicate securely. While AES is pretty unbreakable (as far as we know), these CPUs are cheaply made and have everything on a single chip, including the Bluetooth radio. So it’s natural to ask if the radio leaks any data about the AES encryption keys. Armed with a high-bandwidth software-defined radio, the team investigated.

The answer is: maybe. The chips DO change their RF emissions depending on the AES key. But the change is subtle. An attacker has to average millions of samples to get any bits of the key at all, which takes days at a minimum. Using advanced machine learning, it’s possible to correlate the radio noise with key bits. So the attacker needs a whole lot of data. In the team’s testing, they used 45,000 Bluetooth traces, which took 4.7 days to record.

So right now, this probably isn’t a practical attack unless you’re digging Taylor Swift so much that you listen for a week straight without disconnecting your earphones once. (Typically, they re-key each time they are connected.) And while that might sound like fun, the batteries would probably run out.

As Bruce Schneier said, “Attacks always get better, they never get worse.” Maybe in a few years anyone on the street will be able to listen in on your phone call. Maybe use the speakerphone, and not a Bluetooth connection.

How to Securely Implement Cryptography in Deep Neural Networks

Adi Shamir

Watch here

Each year, the conference gives out two Levchin Prizes for research. Adi Shamir won one of the two prizes, based on his lifetime of achievements. He may be the ‘S’ in “RSA,” but he’s published hundreds of other papers in the field of cryptography, and is one of the all-time greats.

But that’s not the only reason he showed up. Shamir, who’s now 72, has kicked off a big new research problem: can neural networks implement cryptographic algorithms?

At first, the answer seems obvious. It’s already been proven that sufficiently deep neural networks can do math on integers. Since that’s all cryptography is, then of course neural networks can implement cryptography.

The problem is that it’s difficult to make it secure. The neural network inputs are continuous, not binary. By “jittering” the inputs - altering the “binary” inputs by small amounts, like changing a bit from 1 to 0.9 - it’s possible to get the neural network to leak information, including, potentially, the key.

Shamir demonstrates that it actually is possible to make a jitter-proof XOR, which is the gateway to building jitter-proof cryptography on neural networks.

Neural networks are expensive, so I’m sure no one will use them for basic cryptography that a CPU can already do efficiently. However, there may be some applications for federated machine learning or homomorphic cryptography.

Post-quantum encryption (multiple sessions)

Quantum computing is sexy. Using the spooky properties of qubits, someday it might be possible to try all the key combinations for a cryptographic algorithm at the same time, finding the right key in minutes instead of millenia. No surprise that the tech giants love to send out breathless press releases about it, and the media loves to cover them. So far, they’ve only made baby steps toward a quantum computer that will really be useful in practice, so our data is safe.

Post-quantum encryption, on the other hand, is the opposite of sexy. We have encryption algorithms that will hold up to quantum computers; they’re just slow, clunky, hard to implement, and have keys 50 times larger than we’re used to. Every cryptographic protocol has to be redesigned, and every old piece of software has to be adapted to use these big clunky algorithms. And sometimes they have totally-non-quantum related problems that can make your security worse, not better.

Real World devoted an entire series of five talks to our post-quantum future. TLS is mostly fixed by now, so the protocols that still need to be worked out are DNSSEC, SSH, and anything non-TLS that uses cryptography. I won’t go into these in detail, since post-quantum mostly depends on the minutiae of these protocols. Just know that some of the smartest people in the industry are sorting out these tricky problems. Hopefully we’ll all be retired by the time the first practical quantum computer comes out, and we can watch the youngsters clean up the rest of the mess.

Deploying TLS Oracles Using Interactive ZK

Xiang Xie

Watch here

The title of this session might look intimidating, with “oracles” and “ZK,” but I think it’s the most practically useful new idea demonstrated at the conference. The idea is not that difficult: if I’m viewing a web page over TLS, how can I prove, months or years later, who sent it to me?

If that sounds like something only Steve Urkel would care about, think more about the practical implications. You could prove that ChatGPT generated a chunk of writing or content. You could prove that a sensitive email really came through GMail. You could prove that at the time you viewed it, the class web page showed the assignment was due at midnight, not 6 PM.

The process of proving this is pretty complicated. The key idea is to record a zero-knowledge proof that encrypted data coming over TLS corresponds to a given plaintext. If you have that, then later on, anyone can check the value of the proof (without even needing the original key). The proof can be recorded on a blockchain, or anywhere else that’s trustworthy and publicly accessible.

Unfortunately, the person who received the content has to generate the proof. You can’t prove I wrote this with ChatGPT! Only I can prove that. And I won’t.

Here’s a related paper (by different authors) that explains the basic idea extremely well: https://arxiv.org/pdf/1909.00938.

Let’s Encrypt: Ten Years Encrypting the Web

Josh Aas

Watch here

The final talk I want to highlight was a true inspiration. In just a few years, Let’s Encrypt transformed the entire Web by bringing encryption to nearly every website out there. As far as successful cryptography projects go, they’re the undisputed champion. Josh Aas, the founder, walked us through their remarkable journey and what’s on the horizon.

(Incidentally I went to the same tiny college as Josh. He is much smarter than me.)

Let’s Encrypt’s success story is even more impressive when you consider their lean approach. Starting with a mere 3-person team, they’ve expanded to just 12 people while serving a staggering 500 million domains and powering a significant portion of today’s internet. Their secret sauce? Embracing open standards, maintaining simple architectures, ruthlessly limiting their feature set, and obsessing over efficiency and security at every turn.

One of the thorniest challenges facing Let’s Encrypt today is certificate revocation – essentially, how to quickly invalidate certificates that have been compromised. The traditional solutions like Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) exist on paper, but browsers rarely check them, and they’re notoriously slow and cumbersome. Both are now deprecated.

The Let’s Encrypt team is working on ways to sort out the revocation problem. The obvious solution (and the one we used for SPIFFE) is to renew certificates every few hours, so you never have to worry about revoking them!

Unfortunately, browsers and other Web infrastructure aren’t quite ready for this, so it’s necessary to experiment with other protocols. A followup talk by Joshua Schank of Mozilla went into some of the solutions under consideration, and how they performed in guinea-pig tests on millions of Firefox users.

Takeaways from Real World Crypto 2025

After binge-watching this season of Real World Crypto, I’m left with several key takeaways:

Privacy is becoming practical. Apple’s deployment of homomorphic encryption shows that privacy-preserving computation is no longer just an academic exercise. Complex operations on encrypted data are now possible at scale, potentially transforming how we think about data privacy.

Security is about more than just math. The mesh messaging research demonstrates that even perfect cryptography can’t overcome physical and network limitations. Real-world deployment requires thinking beyond algorithms to consider how systems perform under realistic conditions.

Government identity systems are evolving. The EU’s digital identity work shows how governments are trying to balance security, privacy, and usability. While not perfect yet, we’re seeing incremental progress toward better systems than the social security numbers many of us rely on.

Hardware remains vulnerable. The Bluetooth side-channel research reminds us that implementation matters as much as theory. The tiny devices we carry everywhere contain potential security flaws that aren’t captured in cryptographic proofs.

The quantum future looms. While not imminent, quantum computing continues to drive significant research and standardization efforts. The industry is wisely preparing now rather than waiting for quantum computers to become practical threats.

Verifiability is the next frontier. The TLS Oracle work shows how we’re moving beyond just encrypting content to proving properties about that content later. As AI-generated content becomes more prevalent, these verification technologies will become increasingly important.

What I love about Real World Crypto is how it bridges theory and practice. Academics and industry professionals come together to solve real problems, not just publish papers. In a field that can often seem abstract and impenetrable, seeing these practical applications reminds us why cryptography matters: it protects real people’s privacy, security, and freedom.

Here’s the full program, with YouTube links to each talk within the all-day recording (may be off by a few minutes). This isn’t available anywhere else!