As of September 2025, I'm a software engineer at Artemis Software Works, working on our core product, Surfboard. We're a young startup — stay tuned for updates!
In June 2025 I finished a 5th-year Master's in CS from the University of Washington, after earning my Bachelor’s in CS and Math. At UW I worked in the Cryptography Lab, where I was fortunate to be advised by Stefano Tessaro and Nirvan Tyagi. I was also a teaching assistant for several courses.
I’m interested in all things computer science, especially cryptography, security, and machine learning. I also enjoy exploring the mountains on skis, bikes, and foot, and I’ve spent several winters working at Crystal Mountain Resort as a professional ski patroller.
Publications and Manuscripts
On the Existential and Strong Unforgeability of Multi-Signatures in the
Discrete Log Setting Master's Thesis Honorable Mention: 2025 Allen School Master's Thesis Awards Thesis ► Show Abstract
Digital signatures are typically required to be existentially unforgeable (EUF), ensuring that no adversary can produce a valid signature on a new message that has not been signed before. A stronger notion, strong unforgeability (SUF), also ensures that adversaries cannot forge new signatures on messages that have already been signed. These notions are well understood for plain signatures, but defining them for distributed multi-signature protocols, where multiple signers jointly produce a signature via an interactive protocol, is more challenging. While EUF has been studied for multi-signatures (using multiple competing definitions), there is no general definition for SUF, even though multi-signature protocols are often used to produce strongly unforgeable plain signatures.
This thesis introduces one-more unforgeability (OMUF) as a convenient way to model SUF in distributed signing protocols, and arrives at the following conclusions:
MuSig and Bellare-Neven multi-signatures satisfy OMUF, even when the first signing round is pre-processed before the message to sign is known, but become completely insecure if the second signing round is also pre-processed.
MuSig2 satisfies OMUF, which is important due to its widespread use in Bitcoin.
The HBMS and mBCJ schemes do not satisfy OMUF, despite the fact that both schemes distributively generate strongly unforgeable plain signatures. Additionally, our analysis reveals an issue with the existential unforgeability of mBCJ, which does not contradict its original security proof.
One-More Unforgeability for Multi- and Threshold Signatures
Sela Navot and Stefano Tessaro Asiacrypt 2024 Paper | Talk Video ► Show Abstract
This paper initiates the study of one-more unforgeability for multi-signatures and threshold signatures as a stronger security goal, ensuring that ℓ executions of a signing protocol cannot result in more than ℓ signatures. This notion is widely used in the context of blind signatures, but we argue that it is a convenient way to model strong unforgeability for other types of distributed signing protocols. We provide formal security definitions for one-more unforgeability (OMUF) and show that the HBMS multi-signature scheme does not satisfy this definition, whereas MuSig and MuSig2 do. We also show that mBCJ multi-signatures do not satisfy OMUF, as well as expose a subtle issue with their existential unforgeability (which does not contradict their original security proof). For threshold signatures, we show that FROST satisfies OMUF, but ROAST does not.
POPSTAR: Lightweight Threshold Reporting with Reduced Leakage
Hanjun Li, Sela Navot, and Stefano Tessaro USENIX Security 2024 Paper | Hanjun's Talk Video ► Show Abstract
This paper proposes POPSTAR, a new lightweight protocol for the private computation of heavy hitters, also known as a private threshold reporting system. In such a protocol, the users provide input measurements, and a report server learns which measurements appear more than a pre-specified threshold. POPSTAR follows the same architecture as STAR (Davidson et al., CCS 2022) by relying on a helper randomness server in addition to a main server computing the aggregate heavy hitter statistics. While STAR is extremely lightweight, it leaks a substantial amount of information, consisting of an entire histogram of the provided measurements (but only reveals the actual measurements that appear beyond the threshold). POPSTAR shows that this leakage can be reduced at a modest cost (~7x longer aggregation time). Our leakage is closer to that of Poplar (Boneh et al., S&P 2021), which relies however on distributed point functions and a different model which requires interactions of two non-colluding servers to compute the heavy hitters.
Insecurity of MuSig and Bellare-Neven Multi-Signatures with Delayed Message Selection
Sela Navot Preprint Paper | Implementation ► Show Abstract
Multi-signature schemes in pairing-free settings require multiple communication rounds, prompting efforts to reduce the number of signing rounds that need to be executed after the signers receive the message to sign. In MuSig and Bellare-Neven multi-signatures, the signing protocol does not use the message until the third (and final) signing round. This structure seemingly allows pre-processing of the first two signing rounds before the signers receive the message. However, we demonstrate that this approach compromises security and enables a polynomial time attack, which uses the algorithm of Benhamouda et al. to solve the ROS problem.
GUI-based web agents navigate websites by analyzing screenshots rather than HTML, offering a more intuitive approach to web interaction. However, this reliance on visual input introduces new threats, particularly during the visual grounding phase, where agents locate interface elements. We show that visual grounders can be reliably fooled by adversarially crafted third-party ads, even on otherwise trusted websites. Our attacks include Naive Confusion, which mimics real elements to mislead the agent, and an Invisible Attack, which hides perturbations in ads that appear normal to human users. These attacks require no control over the host site and minimal knowledge of the agent’s task, making them both practical and scalable.
Improving Two-Party Shuffling Protocols, and Applications to Private Analytics
Mentored by Nirvan Tyagi, in collaboration with Ian Chang and others
