CyLab researchers to present at the IEEE Symposium on Security and Privacy

Michael Cunningham

Apr 22, 2026


CyLab faculty members and students will present their research on a wide variety of topics at the 47th Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy (IEEE S&P 2026). Held in San Francisco on May 18th through the 21st, the event is the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field.

CyLab faculty members Limin Jia and Lujo Bauer, as well as postdoctoral fellow Elisaweta Masserova, are serving on the IEEE S&P 2026 Program Committee.

The symposium also includes several co-located workshops that feature CyLab researchers as organizers and keynote speakers.

Joseph Calandrino, a CyLab faculty member, is serving as general co-chair of the 10th Workshop on Technology and Consumer Protection (ConPro ’26), and Jenny Tang, Ph.D. student in Carnegie Mellon’s Societal Computing program, is serving on the ConPro ’26 Program Committee.

Enze “Alex” Liu, a CyLab postdoctoral researcher, is serving on the Program Committee for the Workshop on Artwork Security and Provenance in the Age of AI (ArtSec 2026).

Additionally, CyLab faculty member Matt Fredrikson is giving a keynote address at the co-located workshop on Secure Agents for Generative Artificial Intelligence (SAGAI ’26).

Here, we’ve compiled a list of the papers co-authored by CyLab Security and Privacy Institute members that are being presented at IEEE S&P 2026 and its co-located workshops.

Papers at the IEEE Symposium on Security and Privacy

Zelda: Efficient Multi-server Preprocessing PIR with Unconditional Security

Authors: Bo Peng, Peking University; Ashrujit Ghoshal, Indian Institute of Technology Madras; Mingxun Zhou, The Hong Kong University of Science and Technology; Elaine Shi, Carnegie Mellon University

Abstract: Private Information Retrieval (PIR) schemes without preprocessing are known to incur linear server computation per client query. Several recent works have shown that by relying on a one-time preprocessing phase, we can get around this barrier, and achieve sublinear computation per query without relying on any cryptographic assumptions. Beimel et al. (CRYPTO’00) first showed a family of schemes whose bandwidth and computation per query scale as fast as n^{O(1/S)} where S denotes the number of servers and n denotes the database size. Unfortunately, their schemes are not practical partly because the servers must each store an encoded version of the database, and the encoding length grows sharply as we increase S. The recent work of Singh et al. (TCC’24) showed how to achieve similar bandwidth scaling but without the server space blowup. To get this, they rely on a different type of preprocessing called client-specific preprocessing, where the stateful client stores some hints and the servers store only the original database. Unfortunately, Singh et al.’s result is completely impractical due to the reliance on Dvir and Gopi’s PIR as a building block.

We propose Zelda (short for ZEro-Leakage Data Access), the first concretely efficient, information-theoretic multi-server PIR scheme with sublinear computation. Our work makes both theoretical and practical contributions. On the theoretical front, we devise a unified framework for constructing multi-server PIR with client-specific preprocessing. This gives us a parametrizable family of schemes that asymptotically outperform all prior constructions in the same setting, including Singh et al. (TCC’24) and Ishai et al. (CRYPTO’24). On the practical front, Zelda is conceptually simple, self-contained, and does not rely on any underlying PIR as a building block. We implemented Zelda and open sourced our code. We compared the concrete performance of Zelda with a state-of-the-art PIR scheme called QuarterPIR (Eurocrypt’24), which relies on pseudorandom functions for security. Experimental results show that Zelda outperforms QuarterPIR in terms of online response time and client space (assuming typical fiber optical links), at the price of increased costs for offline maintenance operations.

Generate-then-Verify: Reconstructing Data from Limited Published Statistics

Authors: Terrance Liu and Eileen Xiao, Carnegie Mellon University; Adam Smith, Boston University; Pratiksha Thaker and Steven Wu, Carnegie Mellon University

Abstract: We study the problem of reconstructing tabular data from aggregate statistics, in which the attacker aims to identify interesting claims about the sensitive data that can be verified with 100% certainty given the aggregates. Successful attempts in prior work have conducted studies in settings where the set of published statistics is rich enough that entire datasets can be reconstructed with certainty. In our work, we instead focus on the regime where many possible datasets match the published statistics, making it impossible to reconstruct the entire private dataset perfectly (i.e., when approaches in prior work fail). We propose the problem of partial data reconstruction, in which the goal of the adversary is to instead output a subset of rows and/or columns that are guaranteed to be correct. We introduce a novel integer programming approach that first generates a set of claims and then verifies whether each claim holds for all possible datasets consistent with the published aggregates. We evaluate our approach on the housing-level microdata from the U.S. Decennial Census release, demonstrating that privacy violations can still persist even when information published about such data is relatively sparse.

Transient Architectural Execution: From Weird Gates to Weird Programs

Authors: Ping-Lun Wang, Fraser Brown, and Riccardo Paccagnella, Carnegie Mellon University; Eyal Ronen, Tel Aviv University; Riad S. Wahby, Carnegie Mellon University; Yuval Yarom, Ruhr University Bochum

Abstract: An emerging body of work has explored the construction of weird gates—code segments computing on microarchitectural state not exposed by the instruction set architecture. Weird gates abstract microarchitectural state (e.g., CPU cache residency) as Boolean values and compute logical functions over these values. Researchers have used weird gates in applications like side-channel amplification and malware obfuscation. Indeed, in principle, the computational model of weird gates—a Boolean circuit of bounded size—can perform (bounded) arbitrary computation. In practice, however, this model is less efficient (both asymptotically and concretely) than the standard processor model, which supports conditional execution, indexed memory, and richer data types. In this paper, we show how to build weird computation in the processor model rather than the circuit model. The primitive that makes this possible is transient architectural execution: transiently loading microarchitectural state into registers, computing on it, and storing the results back into microarchitectural state—without exposing any state architecturally. Transient architectural execution, a generalization of prior weird gates and transient execution attacks, allows us to wield the full computational capability of the processor to operate on microarchitectural state. We also show how to use the state of the branch predictor to emulate wide variables of up to 16 bits. As a result, our weird programs are over two orders of magnitude faster than weird gates and can compute functions that are impractical using prior approaches.

New Constructions of Functional Adaptor Signatures: Broader Functions and Improved Efficiency

Authors: Nikhil Vanjani, Carnegie Mellon University; Garrett Greiner, University of Utah; Sri AravindaKrishnan Thyagarajan, University of Sydney; Pratik Soni, University of Utah

Abstract: Functional adaptor signatures (FAS) are a novel cryptographic primitive introduced at CCS’24 that enable privacy-preserving, fine-grained data-payment exchanges between a seller and a buyer in a trustless and atomic manner. In this setup, the seller holds sensitive data x (e.g., patient records, climate data), and the buyer specifies a function f (e.g., aggregate, sum). FAS guarantees that the buyer learns f(x) (and nothing beyond) if and only if the seller receives payment in blockchain-based tokens. Unlike generic smart contracts, FAS-powered solutions excel in privacy, efficiency, and compatibility with diverse blockchain systems. However, prior FAS constructions were limited to linear functions (where f was linear in x), restricting their applicability to more complex and prevalent applications including data analytics and ML model evaluations.

In this work, we extend the capabilities of FAS to support higher-degree functions (deg ≥ 2), significantly broadening its range of applications. Our core contribution is a novel FAS design leveraging homomorphic encryption, which simultaneously achieves enhanced efficiency and compatibility for general functions. This approach diverges fundamentally from the restricted design in CCS’24 which relied on connections to functional encryption. We implement our homomorphic encryption-based FAS for functions arising in applications such as data analytics and machine learning inference. Remarkably, even for linear functions, our new design achieves an order-of-magnitude improvement in performance compared to CCS’24 constructions. Furthermore, our solutions seamlessly integrate with prominent blockchain systems, requiring only a basic signature verification script on standard transactions, thus ensuring practical deployability. As a conceptual contribution, we introduce the general paradigm of a blockchain-based functional fair exchange (FFE) protocol, rigorously define buyer and seller fairness, and show that FAS implies the general goal of FFE.

Incalmo: An Autonomous LLM-assisted System for Red Teaming Multi-Host Networks

Authors: Brian Singer, Carnegie Mellon University; Keane Lucas, Anthropic; Lakshmi Adiga, Meghna Jain, Lujo Bauer, and Vyas Sekar; Carnegie Mellon University

Abstract: Security operators use red teams to simulate real attackers and proactively find defense gaps. In realistic enterprise settings, this involves executing multi-host network attacks spanning many “stepping stone” hosts. Unfortunately, red teams are expensive and entail significant expertise and effort. Given the promise of LLMs in CTF challenges, we first analyze whether LLMs can autonomously execute multi-host red-team exercises. We find that state-of-the-art LLM-assisted offense systems (e.g., PentestGPT, CyberSecEval3) with leading LLMs (e.g., Sonnet 4, Gemini 2.5 Pro) are unable to do so.

Building on our observations in understanding the failure modes of state-of-the-art systems, we argue the need to improve the abstractions and interfaces for LLM-assisted red teaming. Based on this insight, we design and implement Incalmo, an LLM-assisted system for autonomously red teaming multi-host networks. Incalmo uses LLMs to plan red-team exercises in terms of high-level declarative tasks that are executed by domain-specific task agents. Incalmo also uses auxiliary services to manage context and acquired assets.

For our evaluation, we develop MHBench, a novel multi-host attack benchmark with 40 realistic emulated networks (from 22 to 50 hosts). We find that Incalmo successfully acquires critical assets (i.e., key hosts or data) in 37 of 40 MHBench environments. In contrast, state-of-the-art LLM-assisted systems succeed in only three of 40 environments. We also show that Incalmo is efficient: successful attacks took 12–54 minutes and cost ≤ $15 in LLM credits.

The Battle of Metasurfaces: Understanding Security in Smart Radio Environments

Authors: Paul Staat and Christof Paar, Max Planck Institute for Security and Privacy (MPI-SP); Swarun Kumar, Carnegie Mellon University

Abstract: Metasurfaces, or reconfigurable intelligent surfaces, have emerged as a transformative technology for next-generation wireless systems, enabling digitally controlled manipulation of electromagnetic wave propagation. By turning the traditionally passive radio environment into a smart, programmable medium, metasurfaces promise advances in communication and sensing. However, metasurfaces also present a new security frontier: both attackers and defenders can exploit them to alter wireless propagation for their own advantage. While prior security research has primarily explored unilateral metasurface applications – empowering either attackers or defenders – this work investigates symmetric scenarios, where both sides possess comparable metasurface capabilities. Using both theoretical modeling and real-world experiments, we analyze how competing metasurfaces interact for diverse objectives, including signal power and sensing perception. Thereby, we present the first systematic study of context-agnostic metasurface-to-metasurface interactions and their implications for wireless security. Our results reveal that the outcome of metasurface “battles” depends on an interplay of timing, placement, algorithmic strategy, and hardware scale. Across multiple case studies in Wi-Fi environments, including wireless jamming, channel obfuscation for sensing and communication, and sensing spoofing, we demonstrate that opposing metasurfaces can substantially or fully negate each other’s effects. By undermining previously proposed security and privacy schemes, our findings open new opportunities for designing resilient and high-assurance physical-layer systems in smart radio environments.

Goldilocks and the Three P-States: Mitigating Hertzbleed with Formal Leakage Guarantees

Authors: Inwhan Chun, Carnegie Mellon University; Christine Guo, Princeton University; Riccardo Paccagnella, Carnegie Mellon University

Abstract: Hertzbleed is an emerging class of remote timing attacks that can leak secrets previously considered beyond the reach of timing analysis. The attack exploits how, when a processor exceeds power or thermal limits and starts throttling, CPU frequency—and thus, program runtime—becomes dependent on power consumption. In response to Hertzbleed, several software-level mitigations have been proposed, including masking, key refresh, noise injection, and disabling frequency boost. However, none of these mitigations achieves general software applicability, low overhead, and provable security.

In this work, we introduce Goldilocks, a practical mitigation against Hertzbleed. Goldilocks treats Hertzbleed as an information-theoretic channel and limits how much information the channel can carry by constraining when and how throttling can occur. It can be deployed on existing processors with no changes to application software, maintains a CPU frequency level that is "just right" for each machine and workload, and provides formal leakage bounds that reduce worst-case leakage growth from linear in execution time to as little as logarithmic. Our evaluation across a variety of processors and workloads shows that Goldilocks effectively mitigates Hertzbleed attacks and incurs low overhead.

From "Be Careful" to "Here's Why": Investigating User Reasoning with Context-Specific SMS Scam Warnings

Authors: Elijah Bouma-Sims, Enze Liu, Alexandra Xinran Li, and Lorrie Faith Cranor; Carnegie Mellon University

Abstract: SMS-based scams continue to pose a persistent security threat, yet today’s mobile warning interfaces often provide generic alerts that users may overlook. In other domains, context-specific explanations have improved users’ ability to evaluate malicious content, and advances in generative AI (GAI) make it feasible to generate such explanations at scale. While service providers are now exploring similar approaches for SMS, it remains unclear how to best present contextual information so that users can act on it appropriately. We conducted a task-based interview study (n = 20) with US-based Android users in which participants assessed SMS messages using an inbox-style interface. Participants viewed both current Google Messages warnings and hypothetical contextual warnings. Among other results, our findings indicate that users value the concrete direction and evidence provided by context-specific warnings, which helped them reason about the legitimacy of the message. However, participants had differing preferences on the level of detail necessary or the extent to which AI involvement should be disclosed. We conclude by discussing design implications of our results for integrating context-specific warnings into mobile messaging interfaces, with relevance for both SMS and other scam domains.

Papers at the 10th Workshop on Technology and Consumer Protection (ConPro ’26)

Measuring User Responses to Online Age Verification Mechanisms Through a Deceptive Experiment

Authors: Yanzi Lin and Cheng Zhang, Carnegie Mellon University; Madelyne Xiao, Princeton University; Lorrie Faith Cranor and Sarah Scheffler; Carnegie Mellon University

Abstract: The U.S. Supreme Court's 2025 decision in Free Speech Coalition v. Paxton established that age verification systems must be "adequately tailored" to avoid undue burdens on adults' First Amendment rights. We conducted an IRB-approved, deceptive web experiment (n = 1635) examining how different age verification methods affect adults' decisions to access R-rated content. Completion rates varied significantly: checkbox self-attestation achieved 99%, government-ID methods only 23-27% regardless of data-handling reassurances, email-based estimation 86%, and AI facial estimation 51%. Follow-up survey responses (n = 884) revealed concerns about privacy, surveillance, and data security. These findings suggest that technically robust verification methods may be ineffective in practice if users systematically decline to comply.

Beyond Fake Reviews: Exploring Superficially Benign Practices That May Distort Online Reviews

Author: Joseph A. Calandrino, Carnegie Mellon University

Abstract: Discussions of online review manipulation often focus on intentionally dishonest practices, such as fake reviews. A far broader set of practices may influence the likelihood that consumers write reviews and the content of those reviews. These other practices may not intentionally deceive and may even offer some benefits to consumers. For example, a product manufacturer may aggressively urge customers to write reviews, resulting in additional honest review information for future customers. Even in the absence of ill intent, these practices may distort reviews and their details in ways that directly influence the purchasing decisions of prospective customers or do so indirectly via automated systems that rely on reviews. We propose to explore these dynamics by compiling relevant practices, evaluating the impact of those practices on consumer reviewing behavior and automated systems, assembling possible interventions, and assessing the impact of interventions on consumer perception and behavior.