In the place where Julius Caesar supposedly invented one of the oldest known ciphers, cryptography's biggest annual gathering found a natural home. Eurocrypt 2026 in Rome had over 750 participants, making it the largest edition yet. Fittingly, HPI was also contributing more than ever: researchers from our group had three papers accepted to the main conference and delivered three additional talks at the affiliated workshops.
- Device-Bound Anonymous Credentials With(out) Trusted Hardware: To prevent copying of digital credentials, such as digital identity cards, they are bound to secure hardware on the user's device. While trusting this hardware makes sense for security, it is problematic when users also need privacy — for instance, proving they hold a valid credential without being tracked. In this work, we develop efficient constructions that protect user privacy even when the hardware is untrusted. Authors: Karla Friedrichs, Franklin Harding, Anja Lehmann and Anna Lysyanskaya. https://eprint.iacr.org/2025/1995
- Putting Multi into Multi-Signatures: Tight Security for Multiple Signers: Multi-signatures allow multiple parties to jointly produce a single compact signature on a shared message, with verification against an aggregated public key. Existing multi-signature schemes only prove security for a single honest signer, losing security linearly as more signers join — a poor fit for a primitive designed for multiple parties. We introduce the first multi-signature schemes with tight multi-user security and key aggregation. Authors: Anja Lehmann and Cavit Özbay. https://eprint.iacr.org/2025/2198
- ETK: External-Operations TreeKEM and the Security of MLS in RFC 9420: The Messaging Layer Security (MLS) protocol is used in secure messaging apps to enable end-to-end encrypted group chats with strong guarantees, such as restoring confidentiality even after a group member has been compromised. This work formally analyzes the current MLS standard, including previously unconsidered optional features, and builds on Vera's Master's thesis done at CISPA. Authors: Cas Cremers, Esra Günsay, Vera Wesselkamp and Mang Zhao. https://eprint.iacr.org/2025/229
The team has also given three talks at the affiliated Cryptographic Applications Workshop (CAW) and the Workshop on Foundations and Applications of Privacy-Enhancing Cryptography (PrivCrypt):
Anja Lehmann Keynote: "EUDI Wallet & Anonymous Credentials: Status and Open Challenges" (PrivCrypt Workshop) & Panel (CAW Workshop)
The EU Digital Identity Wallet aims to provide cryptographically strong yet unlinkable authentication — properties that anonymous credentials deliver naturally and have been well understood in academia for over two decades. Yet the first version of the EUDI Wallet does not use them, relying on batch issuance of many one-time standard signatures instead. This talk explored what has hindered their adoption and what it will take to bridge the gap. Anja also participated in a panel on digital identities at the CAW workshop. https://privcryptworkshop.github.io./slides/key/slides_Lehmann.pdf
Alexandros Zacharakis — "Anonymous Credentials on Legacy Phones" (CAW Workshop)
Deploying anonymous credentials in the EUDI Wallet is blocked by the fact that the secure hardware in today's smartphones only support legacy algorithms like ECDSA, not the cryptography that modern credential schemes require. We present several approaches to bridge this gap, offering trade-offs between implementation simplicity, standardization compatibility, and efficiency. https://eprint.iacr.org/2026/965
Andrea Flamini — "Issuer-Hiding for BBS Credentials via Randomizable Keys" (PrivCrypt Workshop)
Credential presentations can reveal more than intended: for instance, a simple age proof based on a national ID not only shows that the user is old enough, but also which country issued the credential — effectively disclosing the user's nationality. We show how to hide the issuer's identity, so that a presentation only proves certification by a trusted issuer, without revealing which one. https://eprint.iacr.org/2026/369
