Michele Orrù

I believe that privacy is a human right and that cryptography can help foster an open society. My research seeks to build authentication mechanisms that preserve user anonymity. I work on:

In the past, I contributed to Python, Debian, and Tor. I co-designed Globaleaks, an open-source whistleblowing platform now translated in more than 90 languages and used by more than 300 organizations, and co-authored the cryptography behind Google’s Trust Tokens. Sometimes, I help NGOs on matters of digital security.

I am a chargé de recherche (equivalent to Assistant Professor) at CNRS. Previously, I have been at UC Berkeley as research scholar. I got my PhD from École Normale Supérieure, and my MSc in math from the University of Trento. I attended the Recurse Center in Fall 2020 (W2’20).

Google Scholar Icon

Publications Highlight

  • Oblivious issuance of proofs. Imagine blind signatures, but beyond traditional statements of “knowledge of a secret key”. Our preprint describes how 𝛴-protocols can be blindly (obliviously) issued.
  • Elastic arguments. A new class of zero-knowledge proofs with streaming! Provers can now fine-tune memory use, and with streaming we can prove knowledge of secret inputs of gigantic circuits! We tested for up tens of billions of gates in a single machine, and storing less than 2GB!
  • Aggregate cash systems. Aggregate cash system are electronic cash systems that bundle transactions like you’d bunch up aggregate signatures. This nifty concept comes from Mimblewimble (which we prove secure!) is now used currencies such as Grin and Litecoin.
Github Icon


I am actively involved in maintaining the arkworks.rs algebra crate. My recent contributions include:

  • zka.lc: Think of this as a calculator for the concrete performance of public-key cryptography operations. You add items to your shopping list and zkalc gives you the total time at the checkout.
  • tinybear: proving knowledge an AES-encrypted message using Schnorr proofs in 30 milliseconds and 80KB.
  • nimue: a dedicated library for transforming interactive cryptographic protocols into non-interactive ones (the Fiat-Shamir transform), streamlining security processes.