About

Rafael Pass is a Professor at Cornell Tech and in the Computer Science Department at Cornell University. He obtained his bachelor’s in Engineering Physics and a master’s in Computer Science, both from the Royal Institute of Technology (KTH) in Sweden, and his Ph.D. in Computer Science from the Massachusetts Institute of Technology (M.I.T.) in 2006. He has been on the faculty of Cornell University since 2006 and joined Cornell Tech in 2013. Professor Pass’ research interests are in the field of Cryptography and its interplay with Computational Complexity and Game Theory. He is a recipient of the NSF Career Award, the AFOSR Young Investigator Award, the Alfred P. Sloan Fellowship, and the Microsoft Faculty Award.

Research topics

• Computer Science
• Algorithm
• Mathematics
• Combinatorics
• Computer Security
• Discrete mathematics
• Theoretical computer science
• Artificial Intelligence
• Programming language
• Microeconomics
• Psychology
• Economics
• Econometrics
• Mathematical economics

Selected publications

• Can we Watermark Low-Entropy LLM Outputs?

  ArXiv.org · 2026-04-13

  articleOpen accessSenior author

  A recent and exciting thread of work focuses on developing methods for watermarking the output of large language models (LLMs). We focus on provably undetectable watermarking-that is, schemes that do not alter the output distribution of the LLM, yet enable embedding a watermark in the output that identifies the output as having been generated by the particular LLM. Furthermore, the watermark should be hard to remove by an adversary that may potentially edit, insert, or delete tokens from the watermarked output. Indeed, recent work (Christ et al. [COLT'24], Christ et al. [CRYPTO'24], Golowich et al. [NeuroIPS'24]) shows how to develop such schemes that are robust against a constant fraction of substitutions, or even against a constant fraction of arbitrary edits. These works, however, make strong assumptions on the entropy present in the output of the LLM. Most notably, they all require constant entropy rate-that is, a constant fraction of the tokens in a sufficiently long substring of the output need to have empirical entropy at least O(log |T|), where T is the alphabet of tokens, and Golowich et al. additionally require T to be larger than the security parameter. In this work, we consider whether we can also watermark the outputs of LLMs when the per-token entropy is just a constant, discarding the dependence on the alphabet size or security parameter. In this regime, we construct: - A watermarking scheme robust against random substitutions (assuming subexponential LPN, as in Christ et al. [CRYPTO'24]) - A watermarking scheme robust against random substitutions and random deletions, given either the additional heuristic assumption that the output of the LLM only introduces random errors (analogous to the assumption made by Christ et al. [CRYPTO'24]) or a construction of a pseudorandom error-correcting code robust to adversarial substitutions and random deletions.

  PublisherOA PDF

• Can we Watermark Low-Entropy LLM Outputs?

  arXiv (Cornell University) · 2026-04-13

  preprintOpen accessSenior author

  A recent and exciting thread of work focuses on developing methods for watermarking the output of large language models (LLMs). We focus on provably undetectable watermarking-that is, schemes that do not alter the output distribution of the LLM, yet enable embedding a watermark in the output that identifies the output as having been generated by the particular LLM. Furthermore, the watermark should be hard to remove by an adversary that may potentially edit, insert, or delete tokens from the watermarked output. Indeed, recent work (Christ et al. [COLT'24], Christ et al. [CRYPTO'24], Golowich et al. [NeuroIPS'24]) shows how to develop such schemes that are robust against a constant fraction of substitutions, or even against a constant fraction of arbitrary edits. These works, however, make strong assumptions on the entropy present in the output of the LLM. Most notably, they all require constant entropy rate-that is, a constant fraction of the tokens in a sufficiently long substring of the output need to have empirical entropy at least O(log |T|), where T is the alphabet of tokens, and Golowich et al. additionally require T to be larger than the security parameter. In this work, we consider whether we can also watermark the outputs of LLMs when the per-token entropy is just a constant, discarding the dependence on the alphabet size or security parameter. In this regime, we construct: - A watermarking scheme robust against random substitutions (assuming subexponential LPN, as in Christ et al. [CRYPTO'24]) - A watermarking scheme robust against random substitutions and random deletions, given either the additional heuristic assumption that the output of the LLM only introduces random errors (analogous to the assumption made by Christ et al. [CRYPTO'24]) or a construction of a pseudorandom error-correcting code robust to adversarial substitutions and random deletions.

  PublisherDOI

• One-Way Functions and Boundary Hardness of Randomized Time-Bounded Kolmogorov Complexity

  Leibniz-Zentrum für Informatik (Schloss Dagstuhl) · 2026-01-01

  articleOpen accessSenior author

  We revisit the question of whether worst-case hardness of the time-bounded Kolmogorov complexity problem, MINK^{poly} - that is, determining whether a string is "structured" (i.e., K^t(x) < n-1) or "random" (i.e., K^{poly(t)} ≥ n-1) - suffices to imply the existence of one-way functions (OWF). Liu-Pass (CRYPTO'25) recently showed that worst-case hardness of a boundary version of MINK^{poly} - where, roughly speaking, the goal is to decide whether given an instance x, (a) x is K^poly-random (i.e., K^{poly(t)}(x) ≥ n-1), or just close to K^poly-random (i.e., K^{t}(x) < n-1 but K^{poly(t)} > n - log n) - characterizes OWF, but with either of the following caveats (1) considering a non-standard notion of probabilistic K^t, as opposed to the standard notion of K^t, or (2) assuming somewhat strong, and non-standard, derandomization assumptions. In this paper, we present an alternative method for establishing their result which enables significantly weakening the caveats. First, we show that boundary hardness of the more standard randomized K^t problem suffices (where randomized K^t(x) is defined just like K^t(x) except that the program generating the string x may be randomized). As a consequence of this result, we can provide a characterization also in terms of just "plain" K^t under the most standard derandomization assumption (used to derandomize just BPP into P) - namely E ̸ ⊆ ioSIZE[2^{o(n)}]. Our proof relies on language compression schemes of Goldberg-Sipser (STOC'85); using the same technique, we also present the the first worst-case to average-case reduction for the exact MINK^{poly} problem (under the same standard derandomization assumption), improving upon Hirahara’s celebrated results (STOC'18, STOC'21) that only applied to a gap version of the MINK^{poly} problem, referred to as GapMINK^{poly}, where the goal is to decide whether K^t(x) ≤ n-O(log n)) or K^{poly(t)}(x) ≥ n-1 and under the same derandomization assumption.

  PublisherDOI

• Guest Column: On Cryptography and Meta-Complexity

  ACM SIGACT News · 2025-06-06

  articleSenior author

  Meta-complexity refers to the study of the computational complexity of computing natural complexity measures, such as time-bounded Kolmogorov complexity and the minimal circuit size. Despite decades of interest, important basic questions about these problems remain unresolved. This survey explores some of the recent connections between meta-complexity and cryptography, focusing on how tools from one domain can help solving long-standing questions in the other.

  PublisherDOI

• Causality Without Causal Models

  Electronic Proceedings in Theoretical Computer Science · 2025-11-25

  articleOpen accessSenior author

  Perhaps the most prominent current definition of (actual) causality is due to Halpern and Pearl.It is defined using causal models (also known as structural equations models).We abstract the definition, extracting its key features, so that it can be applied to any other model where counterfactuals are defined.By abstracting the definition, we gain a number of benefits.Not only can we apply the definition in a wider range of models, including ones that allow, for example, backtracking, but we can apply the definition to determine if A is a cause of B even if A and B are formulas involving disjunctions, negations, beliefs, and nested counterfactuals (none of which can be handled by the Halpern-Pearl definition).Moreover, we can extend the ideas to getting an abstract definition of explanation that can be applied beyond causal models.Finally, we gain a deeper understanding of features of the definition even in causal models.

  PublisherOA PDFDOI

• A Meta-complexity Theoretic Approach to Indistinguishability Obfuscation and Witness Pseudo-Canonicalization

  Lecture notes in computer science · 2025-12-01

  book-chapter
  PublisherDOI

• On the Viability of Open-Source Financial Rails: Economic Security of Permissionless Consensus

  arXiv (Cornell University) · 2024-09-13

  preprintOpen accessSenior author

  Bitcoin demonstrated the possibility of a financial ledger that operates without the need for a trusted central authority. However, concerns persist regarding its security and considerable energy consumption. We assess the consensus protocols that underpin Bitcoin's functionality, questioning whether they can ensure economically meaningful security while maintaining a permissionless design that allows free entry of operators. We answer this affirmatively by constructing a protocol that guarantees economic security and preserves Bitcoin's permissionless design. This protocol's security does not depend on monetary payments to miners or immense electricity consumption, which our analysis suggests are ineffective. Our framework integrates economic theory with distributed systems theory, and formalizes the role of the protocol's user community.

  PublisherOA PDFDOI

• On One-Way Functions, the Worst-Case Hardness of Time-Bounded Kolmogorov Complexity, and Computational Depth

  Lecture notes in computer science · 2024-12-01 · 2 citations

  book-chapterSenior author
  PublisherDOI

• Fair Interest Rates Are Impossible for Lending Pools: Results from Options Pricing

  arXiv (Cornell University) · 2024-10-14

  preprintOpen access

  Cryptocurrency lending pools are services that allow lenders to pool together assets in one cryptocurrency and loan it out to borrowers who provide collateral worth more (than the loan) in a separate cryptocurrency. Borrowers can repay their loans to reclaim their collateral unless their loan was liquidated, which happens when the value of the collateral dips significantly. Interest rates for these pools are currently set via supply and demand heuristics, which have several downsides, including inefficiency, inflexibility, and being vulnerable to manipulation. Here, we reduce lending pools to options, and then use ideas from options pricing to search for fair interest rates for lending pools. In a simplified model where the loans have a fixed duration and can only be repaid at the end of the term, we obtain analytical pricing results. We then consider a more realistic model, where loans can be repaid dynamically and without expiry. Our main theoretical contribution is to show that fair interest rates do not exist in this setting. We then show that impossibility results generalize even to models of lending pools which have no obvious reduction to options. To address these negative results, we introduce a model of lending pools with fixed fees, and model the ability of borrowers to top-up their loans to reduce the risk of liquidation. As a proof of concept, we use simulations to show how our model's predicted interest rates compare to interest rates in practice.

  PublisherOA PDFDOI

• A Direct PRF Construction from Kolmogorov Complexity

  Lecture notes in computer science · 2024-01-01 · 1 citations

  book-chapterSenior author
  PublisherDOI

Recent grants

• AF: Small: New Barriers in Cryptography

  NSF · $500k · 2012–2015

• CAREER: Computation and Collaboration in the Era of the Internet

  NSF · $500k · 2008–2014

Frequent coauthors

• Joseph Y. Halpern

  Cornell University

  58 shared

• Sidharth Telang

  Johns Hopkins University

  46 shared

• Kai-Min Chung

  43 shared

• Vinod Vaikuntanathan

  41 shared

• Sanjam Garg

  37 shared

• Nir Bitansky

  37 shared

• Elaine Shi

  37 shared

• Abhishek Jain

  Johns Hopkins University

  36 shared

Labs

• Rafael Pass LabPI

  Research in theoretical cryptography, including secure multiparty computation, obfuscation, and privacy-preserving techniques.

Education

• B.S., Engineering Physics

  Royal Institute of Technology (KTH)

• M.S., Computer Science

  Royal Institute of Technology (KTH)

• Ph.D., Computer Science

  Massachusetts Institute of Technology (M.I.T.)

  2006

Awards & honors

• NSF Career Award
• AFOSR Young Investigator Award
• Alfred P. Sloan Fellowship
• Microsoft Faculty Award
• NSF Faculty Early Career Development Award (CAREER)