In June 2025 I graduated from the University of Washington with a Bachelor's in CS and Math and a 5th-Year Master's in CS. I now work as a research engineer in the UW Cryptography Lab.
I have a broad interest in cryptography, security, machine learning, and computer science theory. Currently, I am studying multi-party computation protocols, distributed digital signatures, and artificial intelligence in adversarial settings. I am fortunate to be advised by Stefano Tessaro and Nirvan Tyagi.
I enjoy exploring the mountains and foothills, and have four years of experience as a professional ski patroller at Crystal Mountain Resort.
Publications and Manuscripts:
One-More Unforgeability for Multi- and Threshold Signatures
Sela Navot and Stefano Tessaro (Asiacrypt '24) PaperTalk Video ► Show Abstract
This paper initiates the study of one-more unforgeability for multi-signatures and threshold signatures as a stronger security goal, ensuring that ℓ executions of a signing protocol cannot result in more than ℓ signatures. This notion is widely used in the context of blind signatures, but we argue that it is a convenient way to model strong unforgeability for other types of distributed signing protocols. We provide formal security definitions for one-more unforgeability (OMUF) and show that the HBMS multi-signature scheme does not satisfy this definition, whereas MuSig and MuSig2 do. We also show that mBCJ multi-signatures do not satisfy OMUF, as well as expose a subtle issue with their existential unforgeability (which does not contradict their original security proof). For threshold signatures, we show that FROST satisfies OMUF, but ROAST does not.
POPSTAR: Lightweight Threshold Reporting with Reduced Leakage
Hanjun Li, Sela Navot, and Stefano Tessaro (USENIX Security '24) PaperHanjun's Talk Video ► Show Abstract
This paper proposes POPSTAR, a new lightweight protocol for the private computation of heavy hitters, also known as a private threshold reporting system. In such a protocol, the users provide input measurements, and a report server learns which measurements appear more than a pre-specified threshold. POPSTAR follows the same architecture as STAR (Davidson et al., CCS 2022) by relying on a helper randomness server in addition to a main server computing the aggregate heavy hitter statistics. While STAR is extremely lightweight, it leaks a substantial amount of information, consisting of an entire histogram of the provided measurements (but only reveals the actual measurements that appear beyond the threshold). POPSTAR shows that this leakage can be reduced at a modest cost (~7x longer aggregation time). Our leakage is closer to that of Poplar (Boneh et al., S&P 2021), which relies however on distributed point functions and a different model which requires interactions of two non-colluding servers to compute the heavy hitters.
Insecurity of MuSig and Bellare-Neven Multi-Signatures with Delayed Message Selection
Sela Navot (Preprint) PaperImplementation ► Show Abstract
Multi-signature schemes in pairing-free settings require multiple communication rounds, prompting efforts to reduce the number of signing rounds that need to be executed after the signers receive the message to sign. In MuSig and Bellare-Neven multi-signatures, the signing protocol does not use the message until the third (and final) signing round. This structure seemingly allows pre-processing of the first two signing rounds before the signers receive the message. However, we demonstrate that this approach compromises security and enables a polynomial time attack, which uses the algorithm of Benhamouda et al. to solve the ROS problem.
Master's Thesis: On the Existential and Strong Unforgeability of Multi-Signatures in the
Discrete Log Setting
(Honorable Mention: 2025 Allen School Master's Thesis Awards) Thesis► Show Abstract
Digital signatures are typically required to be existentially unforgeable (EUF), ensuring that no adversary can produce a valid signature on a new message that has not been signed before. A stronger notion, strong unforgeability (SUF), also ensures that adversaries cannot forge new signatures on messages that have already been signed. These notions are well understood for plain signatures, but defining them for distributed multi-signature protocols, where multiple signers jointly produce a signature via an interactive protocol, is more challenging. While EUF has been studied for multi-signatures (using multiple competing definitions), there is no general definition for SUF, even though multi-signature protocols are often used to produce strongly unforgeable plain signatures.
This thesis introduces one-more unforgeability (OMUF) as a convenient way to model SUF in distributed signing protocols, and arrives at the following conclusions:
MuSig and Bellare-Neven multi-signatures satisfy OMUF, even when the first signing round is pre-processed before the message to sign is known, but become completely insecure if the second signing round is also pre-processed.
MuSig2 satisfies OMUF, which is important due to its widespread use in Bitcoin.
The HBMS and mBCJ schemes do not satisfy OMUF, despite the fact that both schemes distributively generate strongly unforgeable plain signatures. Additionally, our analysis reveals an issue with the existential unforgeability of mBCJ, which does not contradict its original security proof.
GUI-based web agents navigate websites by analyzing screenshots rather than HTML, offering a more intuitive approach to web interaction. However, this reliance on visual input introduces new threats, particularly during the visual grounding phase, where agents locate interface elements. We show that visual grounders can be reliably fooled by adversarially crafted third-party ads, even on otherwise trusted websites. Our attacks include Naive Confusion, which mimics real elements to mislead the agent, and an Invisible Attack, which hides perturbations in ads that appear normal to human users. These attacks require no control over the host site and minimal knowledge of the agent’s task, making them both practical and scalable.
Improving Two-Party Shuffling Protocols, and Applications to Private Analytics
Mentored by Nirvan Tyagi, in collaboration with Ian Chang and others
Teaching Assistanship:
Computer Security (CSE 484 / CSE M584) Spring 2025
* 'P' course numbers are Professional Master's courses, 'M' are 5th Year Master's, and the rest are Undergrad.
Me skiing deep snow Photo credit: Andrew Longstreth