Michele Orrù
I am a chargé de recherche (tenured researcher) at CNRS. Previously, I was a research scholar at UC Berkeley. I got my PhD from École Normale Supérieure and my MSc in math from the University of Trento.
I believe that privacy is a human right. My research seeks to build authentication systems that preserve user anonymity.
Research highlights
I work on improving efficiency and security of zero-knowledge proofs, lightweight anonymous credential systems, and confidential transactions.
Zero-knowledge proofs. In Gemini, I co-invented elastic SNARKs, zero-knowledge proofs that can implement different computation/space trade-offs. One of the core contributions of this work is now used in Microsoft and a16z crypto. I also worked on increasing security of zero-knowledge proof systems against subversion, and designed one of the first post-quantum sound proof systems. I am also leading the standardization of zero-knowledge proofs at the IETF, starting from the Fiat–Shamir transformation and Sigma Protocols.
Confidential transactions. I co-authored the proofs of security for MimbleWimble, a cryptocurrency protocol used in Litecoin, Grin, Beam, and MW Coin, securing more than 4 billion USD.
Anonymous credentials. I co-designed and implemented Google’s Trust Tokens, now in Android and BoringSSL. I solved long-standing open problems in the area, including blind issuance of proofs (Camenisch–Stadler ’97) and ROS (Schnorr ’91). The latter had a vast impact also on other primitives such as blind signatures, threshold signatures, and multisignatures. Some of my recent work on keyed-verification anonymous credentials is being used by Apple for anonymous rate-limited credentials and Cloudflare for privacy-preserving rate limiting.
I have also reviewed the cryptography of SecureDrop and Polkadot, and contributed to Python, Debian, and Tor.
- A Modular Approach for Keyed-Verification Anonymous Credentials
  Michele Orrù, Lindsey Tulloch, Victor Snyder-Graf, Ian Goldberg
  In submission.
- A Fiat–Shamir Transformation From Duplex Sponges [ePrint]
  Alessandro Chiesa, Michele Orrù
  TCC 2025 (Proceedings of the 23rd Theory of Cryptography Conference)
- Revisiting keyed-verification anonymous credentials [ePrint]
  Michele Orrù
  ACM CCS 2025 (Proceedings of the 32nd ACM Conference on Computer and Communications Security)
- Beyond the circuit: How to Minimize Foreign Arithmetic in ZKP Circuits [ePrint]
  Michele Orrù, George Kadianakis, Mary Maller, Greg Zaverucha
  IACR Communications in Cryptology (Volume 2, Issue 1)
- Oblivious issuance of proofs [ePrint]
  Michele Orrù, Stefano Tessaro, Greg Zaverucha, Chenzhi Zhu
  CRYPTO 2024 (Proceedings of the 44th Annual International Cryptology Conference)
- zk-Bench: A Toolset for Comparative Evaluation and Performance Benchmarking of SNARKs [ePrint]
  Jens Ernstberger, Stefanos Chaliasos, George Kadianakis, Philipp Jovanovic, Arthur Gervais, Benjamin Livshits, Michele Orrù
  SCN 2024 (Proceedings of the 14th International Conference on Security in Communication Networks)
- Non-interactive Mimblewimble transactions, revisited [ePrint]
  Georg Fuchsbauer, Michele Orrù
  ASIACRYPT 2022 (Proceedings of the 28th International Conference on the Theory and Application of Cryptology and Information Security)
- Gemini: an elastic proof system for diverse environments [ePrint] [Talk] [Code]
  Jonathan Bootle, Alessandro Chiesa, Yuncong Hu, Michele Orrù
  EUROCRYPT 2022 (Proceedings of the 42nd Annual International Conference on Theory and Application of Cryptographic Techniques)
- Publicly verifiable anonymous tokens with private metadata bit [ePrint]
  Fabrice Benhamouda, Tancrède Lepoint, Michele Orrù, Mariana Raykova
  Preprint.
- A proposal for the standardization of ∑-protocols [PDF] [Talk] [Talk at NIST]
  Michele Orrù, Stephan Krenn
  4th ZKProof Workshop
- On the (in)security of ROS [ePrint] [Talk]
  Best paper award
  Fabrice Benhamouda, Tancrède Lepoint, Julian Loss, Michele Orrù, Mariana Raykova
  EUROCRYPT 2021 (Proceedings of the 41st Annual International Conference on Theory and Application of Cryptographic Techniques)
- Efficient Anonymous Tokens with Private Metadata Bit [ePrint] [Talk] [Code]
  Ben Kreuter, Tancrède Lepoint, Michele Orrù, Mariana Raykova
  CRYPTO 2020 (Proceedings of the 40th Annual International Cryptology Conference)
- Aggregate cash systems: A cryptographic investigation of Mimblewimble [ePrint] [Talk]
  Georg Fuchsbauer, Michele Orrù, Yannick Seurin
  EUROCRYPT 2019 (Proceedings of the 38th Annual International Conference on Theory and Applications of Cryptographic Techniques)
- Lattice-Based zk-SNARKs from SSPs [ePrint] [Talk] [Code]
  Rosario Gennaro, Michele Minelli, Michele Orrù, Anca Niţulescu
  ACM CCS 2018 (Proceedings of the 25th ACM Conference on Computer and Communications Security)
- Non-Interactive Zaps of Knowledge [ePrint]
  Best paper award
  Georg Fuchsbauer, Michele Orrù
  ACNS 2018 (Proceedings of the 16th International Conference on Applied Cryptography and Network Security)
- Homomorphic Secret Sharing: Optimizations and Applications [ePrint]
  Elette Boyle, Geoffroy Couteau, Niv Gilboa, Yuval Ishai, Michele Orrù
  ACM CCS 2017 (Proceedings of the 24th ACM Conference on Computer and Communications Security)
- Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection [ePrint]
  Michele Orrù, Emmanuela Orsini, Peter Scholl
  CT-RSA 2017 (Proceedings of The Cryptographers’ Track at the RSA Conference 2017)
- A Fiat–Shamir Transformation From Duplex Sponges
- On the (in)security of ROS
- A new software stack for building anonymous credential systems
- Des preuves zero-knowledge à l’anonymat en ligne
- Sigma Protocols and Fiat–Shamir
- Revisiting Keyed-Verification Credentials
I love writing code. I help maintain arkworks.rs, one of the most popular zero-knowledge proof libraries, and sigma-rs, an anonymous credential stack. I am the author of an up-and-coming library for the Fiat–Shamir transformation, the OCaml letsencrypt library for μ-kernels, and of the whistleblowing software Globaleaks.
Other side-quests involve orchestrating old electronic robot toys (I still have a bunch of Furbys that can be used for an art project), proving AES-encrypted messages, spoofing the SMS sender, and other useless things.