All the ways lead to Rome: a summary of our trip to Eurocrypt, zkSummit, and zkProof

During the last two weeks, cryptographic research moved to Rome with a host of events: May 7th featured the return of zkSummit 14, May 9th-10th had zkProof 8 and several Eurocrypt side-events and from the 11th until the 13th Eurocrypt 2026 took place. Lambda, together with Aligned, and the Center on Cryptography and Distributed Systems of the University of Buenos Aires (CCSD), as well as our friends and partners of 3MI Labs, attended the events to discuss the latest results and work on the upcoming challenges. We came excited to see how the broader academic community is approaching topics such as zero-knowledge, the quantum threat and how formal verification and AI are influencing cryptographic research.

At zkSummit 14 we had a full house after a one-year hiatus. We presented our talk on lambda-vm: minimalistic and performant zkvm, where we discussed the design philosophy behind our current endeavour to build a performant zkvm following the same line of work as our execution client, ethrex. Adding zero-knowledge to current proof systems was a hot topic, with presentations from Giacomo Fenzi on ZO0K: zero-knowledge IOPP for Constrained Interleaved Codes and Ron Rothblum on VEIL, the lightweight construction for SP1. Antonio Sanso discussed algebraic attacks on the Poseidon hash function, explaining in detail how these work. Other events were dedicated to analyzing the current security of algebraic hash functions and in developing clear guidelines for the selection of such hash functions. The Ethereum Foundation participated with several key talks, apart from Antonio's, including their sprint on zkvm security and zkID. Our friends from Miden also presented on their Arithmetic Circuit Evaluation chiplet and it was a nice chance to continue discussing and working with them. The closing panel was really great, discussing the quantum threat, what are the steps and approach we should take against quantum computers and the timelines. Originally, it was supposed to be a panel with Justin Drake and Dan Boneh, but it extended to include also Daira-Emma Hopwood and Jens Groth, as well as other researchers.

zkProof8 was the next stop in the agenda, which included two additional side events: IOPFest (on the development of Interactive Oracle Proofs) and ArkLib day, focusing on formal verification. There were several discussions on the development of new IOPs based on hash functions and of new Interactive Oracle Reductions (IORs), which are now a building block that helps us better understand the security of current IOPs, as well as develop accumulation/folding schemes for hash based proof systems. There were also some discussions on optimality results of IOPs, and how the definitions and framework have evolved over the last decade. Alessandro Chiesa discussed how we got from linear codes to new proximity tests and the current framework to study proof systems.

The Ethereum Foundation had several key talks. Dan Boneh presented the Proximity Prize (where the EF gives prizes up to USD 1,000,000 for advancing results related to proximity gaps).

Later, there was a panel with Dan Boneh and Justin Drake on post-quantum readiness in zero-knowledge proof systems. Justin also discussed quantum cryptanalysis. One key takeaway is that many researchers believe that the quantum timeline is actually shorter, and, even if it were not so, we should act as if it were, since there is a lot of uncertainty. Later, in Eurocrypt, there was an explanation on quantum factoring algorithms.

The following day in zkProof8 was dedicated to formal verification and the Ethereum Foundation's effort on ArkLib, and continued with talks on IOPs, adding zero-knowledge to proof systems and folding schemes.

On Sunday, we attended the 1st Workshop on Symmetric Primitives over prime fields and integer RINGs, which was merged with Cryptanalysis of Algebraic Hash Functions. It was focused on the design of symmetric-key primitives over prime fields and integer rings for Multi-Party Computation (MPC), Homomorphic Encryption (HE), Zero-Knowledge (ZK), and Format-Preserving Encryption (FPE) and new and improved cryptanalysis for such primitives. There was a presentation by Dmitry Khovratovich on the Poseidon Cryptanalysis. Léo Perrin presented a survey of several primitives over rings and fields that got broken recently, focusing on hash functions. The work on round-skipping techniques to reduce the security of the Poseidon hash function by Alex Rodríguez García was really insightful. Even though these side events were on Sunday, they were really crowded.

Finally, on Monday we had the start of Eurocrypt 2026 in Parco della Musica for four consecutive days on various topics of cryptography. Most of the time, there were three tracks in parallel, making it a hard choice which talks to attend. Zero-knowledge I featured Query Optimal IOPs and Jagged Polynomial Commitments. In the first case, while it is asymptotically better, the concrete efficiency for the current size of programs we want to prove is still worse than FRI or WHIR. We discussed in a previous post about Jagged PCS, and it was nice to see performance gains when working with proof systems over multilinear polynomials. Another interesting session was on Neural Networks in Cryptography, and how they are being used in cryptanalysis. Adi Shamir's (the S in RSA) talk on Deep Neural Cryptography was really insightful, explaining the pitfalls of implementing cryptography over a machine that operates over the real numbers. In parallel, several talks on Fully Homomorphic Encryption were taking place. In the afternoon, there was a full session dedicated to quantum computation, with several tricks to speed up computations. It was continued on Tuesday morning with some impossibility results and then an explanation on Reducing the Number of Qubits in Quantum Discrete Logarithms on Elliptic Curves by Clémence Chevignard. This last talk contained several ideas on how to speed up the solution of elliptic curve discrete log problem. Many ideas included using some well-known strategies when working over elliptic curves such as using projective coordinates, avoiding inversions all together, leveraging the Chinese Remainder Theorem and doing some classical precomputations, showing that previous bounds on the size of quantum computers to solve this problem are overestimated. It remains to see whether techniques such as endomorphisms can be used to further improve computation times, but it seems likely we will get lower estimates (in fact, Google's paper, which came out later improved on this bound).

There were also further talks on zero-knowledge and quantum, including a talk on the sumcheck protocol for approximate computations. There was an invited talk by Anna Lysyanskaya on Fifty years of Modern Cryptography (Diffie and Hellman's paper is exactly 50 years old), where she covered how modern cryptography permeates society, some of the current challenges and on the efforts for anonymous credentials and identity, showing that these are still hot topics in cryptography. Isogenies had their separate track and there was a keynote presentation by Luca De Feo.

Another interesting track for us was the one on Garbled Circuits, since they are one of the key building blocks for verifying zero-knowledge proofs in Bitcoin. We could see several strategies and their tradeoffs. Zero-knowledge continued with further tracks, which included a presentation on FRI-Binius by Giacomo. Finally, advanced signatures and post-quantum cryptography tracks closed the final day. It was an intense week in which we got to see the latest advances, understand more about new topics and their applications, as well as discuss with friends and partners. Of course, we also got to enjoy Rome, remember the Roman Empire and enjoy Italian cuisine.

It was great to see so many friends there and see how the landscape of cryptography is evolving. Zero-knowledge remains a hot topic, though different from what we saw back in 2021: focus is now on hash-based proof systems, improving proof sizes and developing folding schemes. Post-quantum cryptography is everywhere. Most protocols and researchers are pushing for the development of more efficient primitives and the adoption of post-quantum secure primitives long before the estimated Q-day. There are tradeoffs, but migrating really complex systems to new primitives is not something we can do in a few days. We are bullish on the effort the Ethereum Foundation is making to secure Ethereum long-term with Lean Ethereum, and how fast the effort on formal verification is progressing. We are moving as fast as possible to have our zkvm ready, making it really simple to understand and with minimal moving parts. This, in turn, should make formal verification of the spec and codebase much easier. We had a lot of time to discuss the zkvm and the security of algebraic hash functions with our friends from 3MI Labs. Now it's time to build. Stay tuned for more news.