Best of Real World Crypto 2025: Field notes

Joseph Bonneau

Editor’s note: Field Notes is a series where we report on the ground at significant industry, research, and other events. In this edition, a16z crypto Technical Advisor Joseph Bonneau shares highlights from the 14th edition of the Real World Crypto (RWC) 2025 conference and affiliated workshops, which were held at the National Palace of Culture in Sofia, Bulgaria from March 26–28. See the full program and recordings of the talks here.

Unlike many other primarily academic venues, the Real World Crypto (RWC) 2025 conference does not publish peer-reviewed papers. Instead, talks are selected to highlight the most interesting research papers and industry projects of the prior year, many of which were published in other forums. In essence, RWC is an annual “greatest hits” event in cryptography, similar to the annual Science of Blockchain Conference (SBC).

Traditionally, RWC has focused on non-blockchain applications of cryptography (in part because SBC focuses exclusively on that area). This year’s conference featured 46 talks over three days covering almost every topic in cryptography, including advances in encrypted messaging, TLS and Web PKI, and post-quantum cryptography. However, in what is perhaps a sign of the increasing impact of web3 research on the broader cryptography space, this year’s event did feature many presentations related to the web3 ecosystem.

This post will cover a few highlights.

A clear trend was increasing interest in the use of modern succinct proof systems (SNARKs) for interfacing with “legacy” cryptographic systems in several application areas. This represents both a contribution from the web3 research community (as several of these projects use proof systems originally developed for web3) and an opportunity, as legacy systems can be integrated into web3 projects in interesting new ways.

Zero-knowledge proofs and identity

Several talks focused on using zero-knowledge proofs for identity systems. In particular, there were three talks alone on efficient proofs of legacy signature schemes:

  • Anja Lehmann of the University of Potsdam gave an overview of the EU’s Digital Identity Wallet (EUDI) project, which all member states are required to implement by 2026. While the regulation mandates several privacy goals, including selective disclosure of identity information, the current proposal does not utilize Anonymous Credentials, though this is now under reconsideration thanks to the input of many cryptographers.
  • abhi shelat of Northeastern University presented a protocol for zero-knowledge proofs of possession of a signed credential. This project uses Ligero proofs, observing that theoretical succinctness is not critical if practical communication overheads remain small. This project optimizes instead for avoiding a trusted setup and having lightweight proving time suitable for computation on a phone. One interesting optimization was using a P-256 extension field to perform arithmetic, which counterintuitively improves performance.
  • Greg Zaverucha of Microsoft presented Crescent, an anonymous credential scheme built using a hybrid of Spartan and Groth16. Crescent can prove in zero-knowledge possession of a JWT (JSON Web Token) issued by a directory service. An example application is privacy-preserving online age verification.
  • Pui Yung Anna Woo and Chad Sharp from the University of Michigan presented efficient implementations for proofs-of-possession of many legacy signatures. In particular, they showed that for RSA and post-quantum signature schemes like Falcon and Dilithium, which feature large signatures, there may be compelling performance advantages from shrinking the size of signatures using SNARKs, even in applications where privacy is not needed.

Attacks on zero-knowledge proof systems

As ZK proof systems continue their development, implementations are drawing increased attention from the security community. Two talks highlighted practical vulnerabilities:

  • Oana Ciobotaru of OpenZeppelin presented a practical attack on insecure ZK implementations within the Ethereum ecosystem. Among several other vulnerabilities found during security audits, the talk focused on an attack on PlonK called the “Last Challenge Attack” (because the last Fiat-Shamir challenge is insecurely computed). This attack leads to a total soundness break: verifiers can be tricked into accepting proofs of false statements. Like other attacks on weak Fiat-Shamir, it is the result of subtleties in deriving Fiat-Shamir challenges that are often incompletely specified in research papers and not fully understood by developers. This vulnerability was found in the wild during a security audit but fortunately was disclosed and fixed before affecting any live system.
  • Shibam Mukherjee of Graz University of Technology presented cache-timing-based side-channel attacks on popular ZK proving libraries. These attacks assume an adversary can run code on the same machine as the prover, for example an unprivileged program running alongside a privileged program computing a ZK proof with a secret witness. By studying which lines of the cache are accessed during proving, the unprivileged process can learn some information about the witness (in some cases the entire witness is leaked). These attacks were demonstrated for field-arithmetic libraries as well as for two circuit-friendly hash functions (Poseidon and Reinforced Concrete). Fortunately, the talk concluded that fixing these vulnerabilities by using constant-time implementations adds only negligible overhead.
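The Fiat-Shamir point above is easy to state and easy to get wrong: every challenge must be derived from the public statement and from every prover message that precedes it. The following is an added example (not code from the talk, from OpenZeppelin, or from any PlonK implementation) showing a length-prefixed, labelled transcript alongside a deliberately weak derivation that leaves the final round's commitment out of the hash, together with the cheap audit check an auditor can run against either. The transcript format, the message names and the shape of the weak derivation are illustrative assumptions, not the exact bug the talk described.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transcript is a hypothetical Fiat-Shamir transcript (example code, not from
// any project named in the post). Every absorbed message is labelled and
// length-prefixed so that two different message sequences can never serialise
// to the same byte string.
type Transcript struct {
	state []byte
}

func NewTranscript(domain string) *Transcript {
	t := &Transcript{}
	t.Absorb("domain", []byte(domain))
	return t
}

// Absorb appends a labelled, length-prefixed message to the running transcript.
func (t *Transcript) Absorb(label string, msg []byte) {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(label)))
	t.state = append(t.state, n[:]...)
	t.state = append(t.state, label...)
	binary.BigEndian.PutUint32(n[:], uint32(len(msg)))
	t.state = append(t.state, n[:]...)
	t.state = append(t.state, msg...)
}

// Challenge hashes everything absorbed so far (plus a label) and then absorbs
// the challenge itself, so each later challenge depends on all earlier ones.
func (t *Transcript) Challenge(label string) [32]byte {
	h := sha256.New()
	h.Write(t.state)
	h.Write([]byte(label))
	var c [32]byte
	copy(c[:], h.Sum(nil))
	t.Absorb("challenge:"+label, c[:])
	return c
}

// ProverMessages is a constructed stand-in for the round-by-round commitments
// a PlonK-style prover sends: the public inputs plus one message per round.
type ProverMessages struct {
	Public []byte
	Rounds [][]byte
}

// FinalChallenge derives the last challenge the way a sound Fiat-Shamir
// transform requires: the statement and every round message are absorbed
// before the corresponding challenge is squeezed.
func FinalChallenge(m ProverMessages) [32]byte {
	t := NewTranscript("example-plonk-v1")
	t.Absorb("public-inputs", m.Public)
	var c [32]byte
	for i, r := range m.Rounds {
		t.Absorb(fmt.Sprintf("round-%d", i), r)
		c = t.Challenge(fmt.Sprintf("challenge-%d", i))
	}
	return c
}

// FinalChallengeWeak is an illustrative model of the defect class: the final
// challenge is squeezed without absorbing the final round's message, so that
// message is unconstrained by the challenge. It exists only so the check below
// has something to reject.
func FinalChallengeWeak(m ProverMessages) [32]byte {
	t := NewTranscript("example-plonk-v1")
	t.Absorb("public-inputs", m.Public)
	var c [32]byte
	last := len(m.Rounds) - 1
	for i, r := range m.Rounds {
		if i < last {
			t.Absorb(fmt.Sprintf("round-%d", i), r)
		}
		c = t.Challenge(fmt.Sprintf("challenge-%d", i))
	}
	return c
}

// BindsEveryMessage is a cheap audit check: it perturbs the statement and
// each round message in turn and reports whether the derived challenge changed
// every time. Passing does not prove soundness, but failing pinpoints a
// message the challenge ignores. Messages are assumed non-empty.
func BindsEveryMessage(derive func(ProverMessages) [32]byte, m ProverMessages) bool {
	base := derive(m)
	flip := func(b []byte) []byte {
		out := append([]byte(nil), b...)
		out[0] ^= 1
		return out
	}
	if derive(ProverMessages{Public: flip(m.Public), Rounds: m.Rounds}) == base {
		return false
	}
	for i := range m.Rounds {
		rounds := make([][]byte, len(m.Rounds))
		copy(rounds, m.Rounds)
		rounds[i] = flip(rounds[i])
		if derive(ProverMessages{Public: m.Public, Rounds: rounds}) == base {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample messages; real commitments would be curve points.
	m := ProverMessages{Public: []byte("x=7"), Rounds: [][]byte{[]byte("c1"), []byte("c2"), []byte("c3")}}
	fmt.Printf("sound derivation binds every message: %v\n", BindsEveryMessage(FinalChallenge, m))
	fmt.Printf("weak derivation binds every message:  %v\n", BindsEveryMessage(FinalChallengeWeak, m))
}
```

The check is deliberately black-box: it needs only the challenge-derivation function and a sample proof, so it can be dropped into a test suite for any implementation, including one written from a paper whose transcript description is incomplete.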
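The remediation the side-channel talk recommends, constant-time field arithmetic, is cheap because it mostly means replacing secret-dependent branches with mask arithmetic. The block below is an added example (not code from the talk or from any of the libraries it measured) over the Goldilocks prime 2^64 - 2^32 + 1, a field used by several ZK proof systems; it shows a branching modular addition beside a branch-free one, plus constant-time subtraction and negation. The function names are the example's own, and operands are assumed to already be reduced below the modulus.

```go
package main

import (
	"fmt"
	"math/bits"
)

// P is the Goldilocks prime 2^64 - 2^32 + 1. Everything here is example code,
// not taken from any library discussed in the talk.
const P uint64 = 0xFFFFFFFF00000001

// AddBranchy reduces with an if-statement whose outcome depends on the secret
// operands. The taken/not-taken pattern feeds the branch predictor and
// instruction cache, which is the class of leak a co-resident process can
// observe.
func AddBranchy(a, b uint64) uint64 {
	s, carry := bits.Add64(a, b, 0)
	if carry == 1 || s >= P {
		return s - P
	}
	return s
}

// AddCT computes (a + b) mod P with no secret-dependent branch or memory
// access: the subtraction of P is always performed and the right result is
// chosen with an arithmetic mask.
func AddCT(a, b uint64) uint64 {
	s, carry := bits.Add64(a, b, 0)
	d, borrow := bits.Sub64(s, P, 0)
	// Subtract P if the sum overflowed 64 bits (carry) or if s >= P (no borrow).
	need := carry | (borrow ^ 1) // 0 or 1
	mask := -need                // 0x00..00 or 0xFF..FF
	return (d & mask) | (s &^ mask)
}

// SubCT computes (a - b) mod P: subtract, then add P back masked by the borrow.
func SubCT(a, b uint64) uint64 {
	d, borrow := bits.Sub64(a, b, 0)
	return d + (P & -borrow)
}

// NegCT returns -a mod P; zero stays zero rather than becoming P.
func NegCT(a uint64) uint64 { return SubCT(0, a) }

func main() {
	// Constructed operands at the reduction boundary.
	fmt.Printf("(P-1)+(P-1) mod P = %#x (expect P-2 = %#x)\n", AddCT(P-1, P-1), P-2)
	fmt.Printf("2^63+2^63  mod P = %#x (expect 2^32-1)\n", AddCT(1<<63, 1<<63))
	fmt.Printf("0-1        mod P = %#x (expect P-1)\n", SubCT(0, 1))
}
```

Both versions return identical values; only the instruction stream differs. Note that the same discipline has to extend to the rest of the prover (multiplication, inversion, hash-function lookup tables), and that Go's math/big, like most bignum libraries, is variable-time and should not be used on witness data.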

Applications of crypto to traditional financial systems

Silvio Petriconi of Bocconi University presented findings from a two-year EU-sponsored commission into the suitability of issuing a “Digital Euro” CBDC. The talk expressed his personal opinions and not an official recommendation; the commission was non-binding, and any decision to adopt a Digital Euro must be taken by the European Central Bank. This talk focused on challenges for using a UTXO-based chain. Advantages identified for UTXOs over an account-based model included better concurrency/scalability, better privacy, and flexibility. The commission investigated the openCBDC project by MIT DCI and the Boston Federal Reserve and found it demonstrated acceptable performance (1.7 M tps). CBDCs differ from traditional cryptocurrencies in that they have no public blockchain. They also require additional features, including holding limits and anti-money-laundering controls. Money-laundering and fraud detection were identified as the biggest open issues.

Other web3-related talks

Several other talks showcased cryptographic developments in the web3 community to the broader RWC audience:

  • Muthu Venkitasubramaniam of Ligero Inc. presented the Ligetron platform, providing a live demo of the in-browser developer experience and browser speed test.
  • Foteini Baldimtsi and Deepak Maram of Mysten Labs presented zkLogin, Mysten’s implementation of privacy-preserving authentication for the Sui blockchain using legacy OAuth credentials (this work was also presented at SBC 2024 and at the a16z crypto summer research program last year).
  • Yael Kalai of MIT presented an invited talk on “Compressing Proofs using Cryptography,” essentially an overview of the theoretical underpinnings of modern SNARKs including the celebrated GKR protocol (of which she is the “K”).
  • I (Joseph Bonneau) presented an overview and tutorial on distributed randomness beacons, a topic I have also written about on this blog.

Other interesting talks

  • Adi Shamir implementing crypto using Deep Neural Networks
    • From the abstract: “[In this talk] I will develop a new and completely practical method for implementing any desired cryptographic functionality as a standard ReLU-based DNN in a provably secure and correct way.”
  • AI agents and encrypted messaging
    • From the abstract: “[In this talk] we (1) examine a wide range of technical configurations that could fall under the broad umbrella of “feeding E2EE content to AI models,” taking into consideration the state of the art in cryptography, privacy technologies, and AI/ML…”
  • Apple’s Real World Deployment of Homomorphic Encryption at Scale
    • From the abstract: “This talk will walk through the details on Apple’s implementation of HE, Private Information Retrieval (PIR) and Private Nearest Neighbor Search (PNNS) in features such as Photos, Safari, Mail, and the Phone app, addressing key optimizations applied to the algorithms and end-to-end system design.”

***

Joseph Bonneau is a Technical Advisor on the a16z crypto team and an Associate Professor in the Computer Science Department at the Courant Institute, New York University. Prior to joining the faculty at NYU, he received a PhD from Cambridge and postdocs at Princeton and Stanford and was an advisor to the Zcash, Algorand, Mina, and Chia projects. He is a co-author of the textbook Bitcoin and Cryptocurrency Technologies. His research focuses on applied cryptography and computer security and is known for pioneering work on Verifiable Delay Functions.

***

The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the current or enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; a16z has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://a16z.com/investments/.

The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.