Tancrède Lepoint

Selected work

Post-quantum cryptography

Quantum computers will eventually break the cryptographic algorithms that secure today’s internet. I have worked on designing, analyzing, and deploying their replacements.

• CRYSTALS-Kyber and CRYSTALS-Dilithium — lattice-based key encapsulation and digital signature schemes, standardized by NIST as ML-KEM and ML-DSA. Now being deployed worldwide to protect against quantum threats.
• Improved security proofs in lattice-based cryptography — introduced the use of Rényi divergence as an alternative to statistical distance for lattice-based security reductions, leading to tighter parameters. Best Paper, Asiacrypt 2015.

AI security

I work on building secure and reliable AI systems, from private training with federated learning and secure aggregation to testing LLM-integrated applications.

• Advances and open problems in federated learning — the foundational survey of federated learning, covering privacy, robustness, and systems challenges. Foundations and Trends in Machine Learning, 2021.
• Secure single-server aggregation with (poly)logarithmic overhead — efficient secure aggregation protocol for privacy-preserving machine learning. Deployed by Google for federated learning with distributed differential privacy. Published at ACM CCS 2020.
• Delta debugging for LLM-integrated systems — a systematic approach to isolating faults in systems that integrate large language models. ICSE-SEIP 2026.

Privacy-enhancing technologies

I design cryptographic systems that let organizations use sensitive data without exposing it—from private information retrieval and anonymous credentials to differential privacy and contact-tracing analytics. Several of these systems have been deployed at scale by Apple and Google.

• Communication–computation trade-offs in PIR — practical homomorphic-encryption-based protocols for private database queries. Deployed by Google for private set membership and by Apple for on-device private information retrieval. Published at Usenix 2021.
• Exposure Notifications Privacy-preserving Analytics — a system for collecting aggregate statistics about COVID-19 exposure notifications without learning anything about individual users. Deployed by Apple and Google.
• Verified foundations for differential privacy — machine-checked proofs that the core algorithms used in differential privacy implementations are correct. Deployed in AWS Clean Rooms Differential Privacy. Distinguished Artifact, PLDI 2025.
• Anonymous tokens with private metadata — cryptographic tokens that let servers verify clients without tracking them. Informed the design of Privacy Pass / Trust Tokens, with an IETF/IRTF draft on signature key blinding. Published at Crypto 2020; related ROS cryptanalysis received Best Paper, Eurocrypt 2021.

All publications & preprints →