Security Research Recognized at IEEE S&P 2026
Papers from CS researchers have been accepted to the 47th IEEE Symposium on Security and Privacy (IEEE S&P 2026), a leading conference in computer security and privacy. Work by Baishakhi Ray and Junfeng Yang was also recognized with a Distinguished Paper Award, an honor reserved for a select group of submissions identified for their exceptional quality, significance, and potential impact on the field. This recognition highlights the strength of the research and its contribution to advancing innovative approaches to today’s evolving security and privacy challenges.
Distinguished Paper Award
Your Compiler is Backdooring Your Model: Understanding and Exploiting Compilation Inconsistency Vulnerabilities in Deep Learning Compilers
Simin Chen (Columbia University), Jinjun Peng (Columbia University), Yixin He (University of Southern California), Junfeng Yang (Columbia University), Baishakhi Ray (Columbia University)
Abstract:
Deep learning (DL) compilers serve as essential infrastructure in modern DL systems. In this work, we uncover a fundamental security vulnerability inherent in the design principles of DL compilers. Specifically, we ask: Can an official, unmodified DL compiler change a DL model’s semantics during compilation, and can such changes introduce hidden backdoors? To answer this question, we consider both adversarial and natural in-the-wild settings. In the adversarial setting, we propose an attack that generates a benign DL model where the backdoor trigger has no effect on the model’s behavior. However, after compilation, this benign model is transformed into a backdoored version, allowing the trigger to influence its decisions successfully. We evaluate our approach on six DL models, three commercial compilers, and two hardware platforms. Pre-compilation models show no trigger effects and remain undetected by four state-of-the-art backdoor detectors.
In contrast, post-compilation models achieve a 100% attack success rate on triggered inputs while preserving normal behavior on clean inputs, with a 100% prediction consistency rate with the pre-compilation model. Our attack generalizes across different compiler–hardware combinations and floating-point settings. Beyond the intentional adversarial setting, we further conduct an in-the-wild analysis of the top 100 most-downloaded models on HuggingFace—including one with over 220 million downloads—and uncover natural triggers in 31 models using a gradient-guided method. These findings suggest that DL compilers may unintentionally introduce security risks, even in the absence of explicit attacks. Our results uncover an overlooked threat in the ML stack: unmodified DL compilers can silently change the model semantics during compilation. To our knowledge, our work is the first work to demonstrate the inherent security risks of DL compiler design, highlighting a new frontier for secure and trustworthy machine learning.
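The abstract's "prediction consistency rate" is, at bottom, a differential test between the model before and after compilation. The following added example (mine, not the paper's code or attack) shows the defender's side of that check in pure Python: a toy linear classifier whose only difference between "reference" and "compiled" form is the order in which a float32 dot product is reduced, standing in for a reassociating compiler pass. On ordinary inputs both agree; on a constructed input built around catastrophic cancellation the two orders yield different logits and different predictions, which is exactly the kind of divergence a consistency test over clean and suspicious inputs is meant to surface. The `f32` emulation via `struct`, the pairwise reduction, the weights and every input are assumptions of this example.

```python
import struct


def f32(x):
    """Round to IEEE-754 single precision, emulating a float32 accumulator."""
    return struct.unpack("f", struct.pack("f", x))[0]


def dot_sequential(w, x):
    """Reference (pre-compilation) reduction: strictly left to right."""
    acc = f32(0.0)
    for wi, xi in zip(w, x):
        acc = f32(acc + f32(wi * xi))
    return acc


def dot_pairwise(w, x):
    """Tree reduction standing in for a reassociating compiler pass.
    Constructed for illustration; not any real compiler's lowering."""
    terms = [f32(wi * xi) for wi, xi in zip(w, x)]
    while len(terms) > 1:
        paired = [f32(terms[i] + terms[i + 1]) for i in range(0, len(terms) - 1, 2)]
        if len(terms) % 2:
            paired.append(terms[-1])
        terms = paired
    return terms[0]


def make_classifier(dot):
    """Binary linear classifier; the only thing that varies is the reduction."""
    def predict(x):
        weights = [1.0] * len(x)  # constructed toy weights
        return 1 if dot(weights, x) > 0.5 else 0
    return predict


def consistency_report(reference, compiled, inputs):
    """Differential test: fraction of inputs on which both models agree, plus
    the diverging inputs (the ones worth a closer look)."""
    diverging = [x for x in inputs if reference(x) != compiled(x)]
    rate = 1 - len(diverging) / len(inputs)
    return rate, diverging


CLEAN_INPUTS = [  # constructed: ordinary magnitudes, no cancellation
    [0.1, 0.2, 0.3, 0.4],
    [-0.5, 0.25, 0.1, 0.0],
    [1.0, 1.0, -1.0, 0.2],
]
# constructed input: 1e8 swallows the two 1.0 terms in float32 only when they
# are added before the cancelling -1e8, so the sum depends on reduction order
SUSPICIOUS_INPUT = [1.0, 1.0, 1e8, -1e8]


if __name__ == "__main__":
    ref = make_classifier(dot_sequential)
    comp = make_classifier(dot_pairwise)
    print(consistency_report(ref, comp, CLEAN_INPUTS))
    print(consistency_report(ref, comp, CLEAN_INPUTS + [SUSPICIOUS_INPUT]))
```

The point of the harness is that agreement on a clean validation set says nothing about inputs engineered around the numerics; a consistency check that is part of a model release pipeline should include inputs chosen to stress precision and reduction order, not only the clean test split.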
zkFuzz: Foundation and Framework for Effective Fuzzing of Zero-Knowledge Circuits
Hideaki Takahashi (Columbia University), Jihwan Kim (Columbia University), Suman Jana (Columbia University), Junfeng Yang (Columbia University)
Abstract:
Zero-knowledge (ZK) circuits enable privacy-preserving computations and are central to many cryptographic protocols. Systems like Circom simplify ZK development by combining witness computation and circuit constraints in one program. However, even small errors can compromise the security of ZK programs — under-constrained circuits may accept invalid witnesses, while over-constrained ones may reject valid ones. Static analyzers are often imprecise with high false positives, and formal tools struggle with real-world circuit scale. Additionally, existing tools overlook several critical behaviors, such as intermediate computations and program aborts, and thus miss many vulnerabilities.
Our theoretical contribution is the Trace-Constraint Consistency Test (TCCT), a foundational, language-independent formulation of ZK circuit bugs. TCCT provides a unified semantics that subsumes prior definitions and captures both under- and over-constrained vulnerabilities, exposing the full space of ZK bugs that elude prior tools.
Our systems contribution is ZKFUZZ, a novel program mutation-based fuzzing framework for detecting TCCT violations. ZKFUZZ systematically mutates the computational logic of ZK programs guided by a novel fitness function, and injects carefully crafted inputs using tailored heuristics to expose bugs. We evaluated ZKFUZZ on 452 real-world ZK circuits written in Circom, a leading programming system for ZK development. ZKFUZZ successfully identified 85 bugs, including 59 zero-days—39 of which were confirmed by developers and 14 fixed, including bugs undetectable by prior works due to their fundamentally limited formulations, earning thousands of bug bounties. Our preliminary research on Noir, another emerging DSL for ZK circuits, also demonstrates the feasibility of ZKFUZZ to support multiple DSLs.
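To make the under-/over-constrained distinction concrete, here is an added example (mine, not the paper's tool or its exact TCCT definition) that brute-forces a simplified trace-versus-constraint consistency test over a toy prime field. The circuit is modelled on circomlib's `IsZero` template, whose witness computation is `inv <-- in != 0 ? 1/in : 0; out <== -in*inv + 1` with the constraints `out === -in*inv + 1` and `in*out === 0`. Dropping the second constraint is the textbook under-constrained bug; adding a spurious `in === 0` is an over-constrained one. The toy prime `P = 11`, the signal names, and the simplified consistency formulation are assumptions of this example.

```python
from itertools import product

P = 11  # constructed toy prime; real Circom circuits use a ~254-bit field


def trace_iszero(inp):
    """Witness computation (the 'trace' side), modelled on circomlib's IsZero:
    inv <-- in != 0 ? 1/in : 0;  out <== -in*inv + 1."""
    inp %= P
    inv = pow(inp, P - 2, P) if inp else 0   # field inverse via Fermat
    out = (-inp * inv + 1) % P
    return {"in": inp, "inv": inv, "out": out}


def constraints_correct(w):
    """Both R1CS constraints of IsZero: out === -in*inv + 1 and in*out === 0."""
    return ((w["out"] + w["in"] * w["inv"] - 1) % P == 0
            and (w["in"] * w["out"]) % P == 0)


def constraints_under(w):
    """Bug: in*out === 0 is missing, so a prover may claim out = 1 for in != 0."""
    return (w["out"] + w["in"] * w["inv"] - 1) % P == 0


def constraints_over(w):
    """Bug: a spurious in === 0 rejects every honest witness with in != 0."""
    return constraints_correct(w) and w["in"] % P == 0


def tcct_check(trace, constraints, free=("inv", "out"), outputs=("out",)):
    """Simplified trace/constraint consistency test (this example's own
    formulation, not the paper's). For every input, enumerate all assignments
    of the non-input signals over the field:
      - the trace's own witness must satisfy the constraints, otherwise an
        honest prover is rejected (over-constrained);
      - no other satisfying assignment may yield a different output, otherwise
        a dishonest prover can pass a bogus result (under-constrained)."""
    findings = []
    for inp in range(P):
        honest = trace(inp)
        if not constraints(honest):
            findings.append(("over-constrained", inp, honest))
        for values in product(range(P), repeat=len(free)):
            cand = {"in": inp, **dict(zip(free, values))}
            if constraints(cand) and any(cand[o] != honest[o] for o in outputs):
                findings.append(("under-constrained", inp, cand))
    return findings


if __name__ == "__main__":
    for name, cs in [("correct", constraints_correct),
                     ("missing in*out===0", constraints_under),
                     ("spurious in===0", constraints_over)]:
        found = tcct_check(trace_iszero, cs)
        print(f"{name}: {len(found)} findings; first: {found[:1]}")
```

Enumeration is only possible because the field is tiny; on a real field the same test needs a solver or, as the paper does, mutation-based search for witnesses that satisfy the constraints but disagree with the trace. The shape of the verdicts is what carries over: the honest trace failing the constraints points at over-constraint, and a second satisfying witness with a different output points at under-constraint.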
InsPIRe: Communication-Efficient PIR with Server-side Preprocessing
Rasoul Akhavan Mahdavi (Google), Sarvar Patel (Google), Joon Young Seo (Google), Kevin Yeo (Columbia University)
Abstract:
We present InsPIRe, the first private information retrieval (PIR) construction to simultaneously obtain both high throughput and low query communication while using only server-side preprocessing (meaning no offline communication). Prior PIR schemes with both high throughput and low query communication required substantial offline communication: either downloading a database hint that is 10-100x larger than the communication cost of a single query (such as SimplePIR and DoublePIR [Henzinger et al., USENIX Security 2023]) or streaming the entire database (such as Piano [Zhou et al., S&P 2024]). In contrast, recent works such as YPIR [Menon and Wu, USENIX Security 2024] avoid offline communication at the cost of increasing the query size by 1.8-2x, up to 1-2 MB per query. Our new PIR protocol, InsPIRe, obtains the best of both worlds: high throughput and low communication without requiring any offline communication. Compared to YPIR, InsPIRe requires 5x smaller cryptographic keys and up to 50% less online query communication, while obtaining up to 25% higher throughput. We show that InsPIRe enables improvements across a wide range of applications and database shapes, including the InterPlanetary File System and private device enrollment.
At the core of InsPIRe, we develop a novel ring packing algorithm, InspiRING, for transforming LWE ciphertexts into RLWE ciphertexts. InspiRING is more amenable to the server-side preprocessing setting, as it allows moving the majority of the necessary operations to offline preprocessing. InspiRING requires only two key-switching matrices, whereas prior approaches needed a logarithmic number of key-switching matrices. We also show that InspiRING has smaller noise growth and faster packing times than prior works in the setting where the total key-switching material must be small. To further reduce communication costs in the PIR protocol, InsPIRe performs the second level of PIR using homomorphic polynomial evaluation, which requires only one additional ciphertext from the client.
LatORAM: ORAMs from Lateral Stashes and Delayed Shuffling
Sarvar Patel (Google), Giuseppe Persiano (Google), Joon Young Seo (Google), Kevin Yeo (Columbia University)
Abstract:
We study the design of Oblivious RAMs (ORAMs) that allow a client to access memory outsourced to a remote, untrusted server without revealing the client’s data access pattern. We are interested in concretely efficient constructions; prior works have yielded different ORAM frameworks with various trade-offs. Tree-based constructions such as RingORAM [Ren et al., USENIX’15] obtain low communication overhead, but require client storage of linear position maps and two roundtrips per query. Hierarchical schemes such as FutORAMa [Asharov et al., CCS’23] further reduce communication at the cost of more roundtrips during queries. Finally, SQRT-ORAM [Goldreich, STOC ’87] enables fast queries of one roundtrip and one block of communication at the cost of larger amortized communication.
We present two new constructions, LatORAM and Lat2ORAM, that simultaneously obtain the positive traits of all three types of ORAM constructions. Online queries are blazing fast, with one roundtrip and a single block of communication like SQRT-ORAM. Fixing the client memory sizes for comparison, the online communication cost of our constructions is 5-8x smaller than RingORAM and 5-10x smaller than FutORAMa, even though both RingORAM and FutORAMa require multiple roundtrips per online query. Furthermore, our total amortized communication is also up to 50% smaller. To obtain our constructions, we present a new lazy approach of lateral stash growth that delays large shuffles.
Of independent interest, we present improved oblivious merging schemes for specific settings important for our ORAMs. Our constructions solely rely on symmetric cryptography