Paul Grubbs's Academic Website

About Me

I am an Assistant Professor in EECS at the University of Michigan. My email address is paulgrub AT umich DOT edu.
If you're interested in working with me, read this before sending an email. I am currently recruiting graduate students.
I use he/him/his pronouns.


My research is in applied cryptography, security, and systems. In my work, I use a wide array of theoretical and practical tools to both prevent security failures (e.g., identifying flaws in existing cryptographic primitives, and building new ones) and reduce the harm failures can cause (e.g., designing new key-value stores that protect data even if they are compromised).

My research interests are broad, but a recurring interest is the interface between cryptographic primitives or protocols and the systems that use them: surprising and subtle things often happen here.

Some of my other interests are censorship, privacy, legal and ethical issues related to information security, and the intersection of technology and society.

Publications (* = authors contributed equally)
See also: Google Scholar, DBLP

Zombie: Middleboxes that Don't Snoop NSDI 2024 (to appear)
Collin Zhang, Zachary DeStefano, Arasu Arun, Joseph Bonneau, Paul Grubbs, Michael Walfish

Interoperability in End-to-End Encrypted Messaging (in submission)
Julia Len, Esha Ghosh, Paul Grubbs, Paul Rösler

    Julia spoke about this work at RWC 2023.

Weak Fiat-Shamir Attacks on Modern Proof Systems IEEE Symposium on Security and Privacy 2023 (Distinguished Paper Award)
Quang Dao*, Jim Miller*, Opal Wright, Paul Grubbs

Context Discovery and Commitment Attacks: How to Break CCM, EAX, SIV, and More EUROCRYPT 2023
Sanketh Menda, Julia Len, Paul Grubbs, Thomas Ristenpart

Spartan and Bulletproofs are simulation-extractible (for free!) EUROCRYPT 2023
Quang Dao, Paul Grubbs

Learned Systems Security (in submission)
Roei Schuster, Jin Peng Zhou, Thorsten Eisenhofer, Paul Grubbs, Nicolas Papernot

Authenticated Encryption with Key Identification ASIACRYPT 2022
Julia Len, Paul Grubbs, Thomas Ristenpart

Snapshot-Oblivious RAMs: Sub-Logarithmic Efficiency For Short Transcripts CRYPTO 2022
Yang Du, Daniel Genkin, Paul Grubbs

Zero-Knowledge Middleboxes USENIX Security 2022
Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, Michael Walfish

    Arasu spoke about this paper at the sdns://2021 workshop. Watch his talk here.
    Read my guest blog on this work for APNIC here. You can also listen to a podcast about this work.

Anonymous, Robust Post-Quantum Public Key Encryption Eurocrypt 2022
Paul Grubbs, Varun Maram, Kenneth G. Paterson

    Varun presented some of our results at NIST's Third PQC Standardization Conference.

Partitioning Oracle Attacks USENIX Security 2021
Julia Len, Paul Grubbs, Thomas Ristenpart

    Julia spoke about this work at RWC 2021.

Pancake: Frequency Smoothing for Encrypted Data Stores USENIX Security 2020 (Distinguished Paper Award)
Paul Grubbs*, Anurag Khandelwal*, Marie-Sarah Lacharité*, Lloyd Brown, Lucy Li, Rachit Agrawal, Thomas Ristenpart

Asymmetric Message Franking: Content Moderation for Metadata-Private End-to-End Encryption CRYPTO 2019
Nirvan Tyagi, Paul Grubbs, Julia Len, Ian Miers, Thomas Ristenpart

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks IEEE Symposium on Security and Privacy 2019
Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, Kenneth G. Paterson

    Blogs about this work: Matt Green, Bruce Schneier

Pump Up The Volume: Practical Database Reconstruction from Volume Leakage on Range Queries CCS 2018
Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud, Kenneth G. Paterson

Fast Message Franking: From Invisible Salamanders to Encryptment CRYPTO 2018
Yevgeniy Dodis, Paul Grubbs, Thomas Ristenpart, Joanne Woodage

    Here's a video of Joanne's RWC 2019 talk on this work.

The Tao of Inference in Privacy-Protected Databases PVLDB 2018
Vincent Bindschaedler, Paul Grubbs, David Cash, Thomas Ristenpart, Vitaly Shmatikov

Message Franking via Committing Authenticated Encryption CRYPTO 2017
Paul Grubbs, Jiahui Lu, Thomas Ristenpart

    Zoom's current end-to-end encryption design (v2) uses the CtE1 scheme we introduced in this work.

Why Your Encrypted Database Is Not Secure HotOS 2017 (slides)
Paul Grubbs, Thomas Ristenpart, Vitaly Shmatikov

    Adrian Colyer covered this work on his blog, "The Morning Paper".

Leakage-Abuse Attacks against Order-Revealing Encryption IEEE Symposium on Security and Privacy 2017
Paul Grubbs, Kevin Sekniqi, Vincent Bindschaedler, Muhammad Naveed, Thomas Ristenpart

Side-Channel Attacks on Shared Search Indexes IEEE Symposium on Security and Privacy 2017
Liang Wang, Paul Grubbs, Jiahui Lu, Vincent Bindschaedler, David Cash, Thomas Ristenpart

Modifying an Enciphering Scheme After Deployment Eurocrypt 2017
Paul Grubbs, Thomas Ristenpart, Yuval Yarom

Breaking web applications built on top of encrypted data CCS 2016
Paul Grubbs, Richard McPherson, Muhammad Naveed, Thomas Ristenpart, Vitaly Shmatikov

    FAQ about this work
    Adrian Colyer covered this work on his blog, "The Morning Paper".

Leakage-Abuse Attacks Against Searchable Encryption CCS 2015
David Cash, Paul Grubbs, Jason Perry, Thomas Ristenpart

GPU and CPU parallelization of honest-but-curious secure two-party computation ACSAC 2013
Nathaniel Husted, Steve Myers, abhi shelat, Paul Grubbs

My Dissertation

Breaking and Building Encrypted Databases (filed August 2020)
I was very humbled to receive a Cornell CS Dissertation Award for this work.


Yang Du
Quang Dao (MMath 2022 -> PhD student at CMU)
Anna Pui Yung Woo


Zero-Knowledge Middleboxes Real World Cryptography 2022
   I also spoke about this work at: Microsoft Research, DNS OARC 38
Zero-Knowledge Proofs meet TLS IETF 112, November 2021
Pancake: Frequency Smoothing for Encrypted Data Stores Real World Cryptography 2021
Hunting Invisible Salamanders: Cryptographic (in)Security with Attacker-Controlled Keys BlackHat, August 2020
   An article and video about my talk appeared on Dark Reading.
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks ICERM Workshop on Encrypted Search, June 2019
Message Franking: Invisible Salamanders, Encryptment, and AMFs
   NYC Crypto Day (May 2019), Workshop on Secure Messaging (May 2019), Stanford Security Seminar (May 2019)
Why Your Encrypted Database is Not Secure Second ESSA workshop, 2018
Breaking web applications built on top of encrypted data Real World Cryptography 2017
New Inference Attacks on Order-Preserving Encryption DC Crypto Day, May 2016
On Deploying Property-Preserving Encryption Real World Cryptography 2016
Searchable the REAL world ESSA Workshop, 2015


Winter 2023: EECS 388, Introduction to Computer Security
Fall 2022: EECS 575, Advanced Cryptography
Winter 2022: EECS 498/598, Encrypted Systems
Fall 2021: EECS 575, Advanced Cryptography

During grad school, I was a teaching assistant for CS 5830 (Cryptography) in Spring 2017 and CS 5435 (Security and Privacy Concepts in the Wild) in Fall 2019.


I was (or am) a program committee member for: SAC 2019, CT-RSA 2021, PETS 2021, CRYPTO 2021, IEEE S&P 2022, PETS 2022, EUROCRYPT 2022, IEEE S&P 2023, RWC 2024
I was honored to serve as a mentor for the 2020 Rising Stars workshop.
I also act as a faculty mentor for the undergraduate cryptography club at UMich.


DARPA SIEVE program, September 2021
Meta Privacy-Enhancing Technologies grant, July 2022
NSF CAREER award, March 2023


For the 2020-2021 academic year, I was a postdoc at NYU, working with Michael Walfish and Joseph Bonneau as a part of the Pepper project.

I did my PhD in Computer Science department at Cornell University, advised by the inimitable Tom Ristenpart. I spent my first year in gorgeous Ithaca, and the rest of the time at the Cornell Tech campus in NYC. In Spring 2018, I was hosted by Kenny Paterson in a visit to Royal Holloway, University of London, located in scenic Egham, UK. My graduate studies were supported in part by a 2017 NSF Graduate Research Fellowship (GRF). My GRF materials are available on request.

Between undergrad and grad school, I worked for two and a half years at Skyhigh Networks (now McAfee) as a cryptography engineer.

I did my undergrad at Indiana University, where I majored in Math and Computer Science.


You can tweet at me @pag_crypto or find me on LinkedIn.

When I'm not working, I enjoy watching mysteries and comedies, reading, listening to (and occasionally playing) music, and spending time outside in my hammock. I'm also a licensed amateur radio operator (call sign KE8WII).
Me recently
A recent picture of me