Tom Ristenpart

Professor of Computer Science · Verified

Cornell University · Computer Science

Active 2006–2026

h-index: 54
Citations: 16.1k
Papers: 179 (45 last 5y)
Funding: $665k

About

Thomas Ristenpart is a professor at Cornell Tech and a member of the computer science department at Cornell University. He completed his Ph.D. at the University of California, San Diego, in 2010, and his M.S. at the University of California, Davis, in 2005. Before joining Cornell Tech in May 2015, he spent four and a half years as an assistant professor at the University of Wisconsin-Madison. Ristenpart’s research spans a wide range of computer security topics, with recent focuses including digital privacy and safety in interpersonal abuse; anti-abuse mitigations for encrypted messaging systems; improvements to authentication mechanisms, including passwords; and topics in applied and theoretical cryptography. His work is routinely featured in the media and has been recognized by numerous distinguished paper awards, two ACM CCS test-of-time awards, a USENIX Security test-of-time award, an Advocate of New York City award, an NSF CAREER Award, and a Sloan Research Fellowship.

Research topics

  • Computer Security
  • Computer Science
  • Political Science
  • Internet privacy
  • Law
  • Sociology
  • Public relations
  • Psychology
  • Criminology
  • Programming language
  • Nursing
  • Medicine
  • Medical emergency
  • Theoretical computer science
  • World Wide Web
  • Business

Selected publications

  • Random-Access AEAD for Fast Lightweight Online Encryption

    Lecture notes in computer science · 2026-01-01

    book-chapter
  • AI-Facilitated Coercive Control: An Experimental Study

    2026-04-13 · 1 citation

    article · Open access

    We present an experimental study that investigates how LLM-driven conversational AI tools might be weaponized to facilitate, exacerbate, or commoditize coercive control. Inspired by speculative design, we construct four scenarios that combine well-known coercive control tactics with the current capabilities of conversational AI tools. Then, we explore these scenarios via interactions with popular AI agents (ChatGPT, Gemini). We find that although AI tools refuse straightforward requests for harmful content, their guardrails can be circumvented via strategies such as gradual persuasion, splitting conversations, pre-prompting, and manipulating the AI agent’s settings. Collectively, these strategies enable AI agents to be leveraged in ways that facilitate harassment, intimidation, gaslighting, monitoring, surveillance, and other coercive control tactics. To make these tools safer for everyone, we discuss opportunities for AI agents to resist being abused for coercive control via analysis of users’ conversational patterns, and ensuring that pre-programmed settings are clearly visible to prevent covert manipulation.

  • Mitigating Trauma in Qualitative Research Infrastructure: Roles for Machine Assistance and Trauma-Informed Design

    Proceedings of the ACM on Human-Computer Interaction · 2025-05-02 · 4 citations

    article

    Researchers increasingly look to understand experiences of pain, harm, and marginalization via qualitative analysis. Such work is needed to understand and address social ills, but poses risks to researchers' well-being: sifting through volumes of data on painful human experiences risks incurring traumatic exposure in the researcher. In this paper, we explore how the principles of trauma-informed computing (TIC) can be applied to reimagine healthier tools and workflows for qualitative analysis. We apply TIC to create a design provocation called TIQA, a system for qualitative coding that leverages language modeling, semantic search, and recommendation systems to measure and mitigate an analyst's exposure to concepts they find traumatic. Through a formative study of TIQA with 15 participants, we illuminate the complexities of enacting TIC in qualitative knowledge infrastructure, and potential roles for machine assistance in mitigating researchers' trauma. To assist scholars in translating the high-level principles of TIC into sociotechnical system design, we argue for: (a) a conceptual shift from safety as exposure reduction towards safety as enablement; and (b) renewed attention to evaluating the trauma-informedness of design processes, in tandem with the outcomes of designed objects on users' well-being.

  • Digital Technologies and Human Trafficking: Combating Coercive Control and Navigating Digital Autonomy

    2025-04-25 · 4 citations

    article · Open access

    This paper describes a qualitative study that interrogates the types of technology-facilitated coercive control faced by survivors of human trafficking and uncovers potential interventions to aid survivors' recovery. Via semi-structured interviews with 21 participants, including trafficking survivors and professional advocates, we show how traffickers use technology as a lever for control, engaging in surveillance, blackmail, impersonation, and harassment as they compel survivors to stay in the trafficking situation. In recovery, digital footprints keep survivors tethered to their trafficking experience, impacting their digital autonomy, economic mobility, and feelings of safety. Nevertheless, technology can also be a valuable tool for survivors' recovery, connecting them to essential resources and support systems. We discuss the need for interventions and services that account for the specificity of the trafficking context to help survivors attain digital safety and autonomy, including the potential to adapt existing tech safety services designed for other contexts to human trafficking. CCS Concepts: Human-centered computing → Empirical studies in HCI; Security and privacy → Human and societal aspects of security and privacy.

  • Transcript Franking for Encrypted Messaging

    Lecture notes in computer science · 2025-12-07

    book-chapter · Open access · Senior author
  • Transcript Franking for Encrypted Messaging

    ArXiv.org · 2025-07-25

    preprint · Open access · Senior author

    Message franking is an indispensable abuse mitigation tool for end-to-end encrypted (E2EE) messaging platforms. With it, users who receive harmful content can securely report that content to platform moderators. However, while real-world deployments of reporting require the disclosure of multiple messages, existing treatments of message franking only consider the report of a single message. As a result, there is a gap between the security goals achieved by constructions and those needed in practice. Our work introduces transcript franking, a new type of protocol that allows reporting subsets of conversations such that moderators can cryptographically verify message causality and contents. We define syntax, semantics, and security for transcript franking in two-party and group messaging. We then present efficient constructions for transcript franking and prove their security. Looking toward deployment considerations, we provide detailed discussion of how real-world messaging systems can incorporate our protocols.

  • Rerouting LLM Routers

    arXiv (Cornell University) · 2025-01-03

    preprint · Open access

    LLM routers aim to balance quality and cost of generation by classifying queries and routing them to a cheaper or more expensive LLM depending on their complexity. Routers represent one type of what we call LLM control planes: systems that orchestrate use of one or more LLMs. In this paper, we investigate routers' adversarial robustness. We first define LLM control plane integrity, i.e., robustness of LLM orchestration to adversarial inputs, as a distinct problem in AI safety. Next, we demonstrate that an adversary can generate query-independent token sequences we call "confounder gadgets" that, when added to any query, cause LLM routers to send the query to a strong LLM. Our quantitative evaluation shows that this attack is successful both in white-box and black-box settings against a variety of open-source and commercial routers, and that confounding queries do not affect the quality of LLM responses. Finally, we demonstrate that gadgets can be effective while maintaining low perplexity, thus perplexity-based filtering is not an effective defense. We finish by investigating alternative defenses.

  • The OCH Authenticated Encryption Scheme

    2025-11-19

    article · Open access · Senior author

    We specify OCH, the first authenticated encryption with associated data scheme built to provide 128-bit multi-user AE security, 128-bit context commitment security, and 256-bit nonces with optional nonce privacy. It therefore addresses pressing limitations of currently widely-deployed schemes. We construct and formally analyze the security of OCH in a modular fashion, with transforms that are of broader applicability. On Intel Raptor Lake CPUs, OCH using the Areion permutation family has a peak encryption speed of 0.62 cycles per byte (cpb), not far off from AES128-GCM (0.38cpb) and outperforming both ChaCha20/Poly1305 (1.63cpb) and TurboSHAKE128-Wrap (3.52cpb).

  • Interoperable Symmetric Message Franking

    2025-11-19

    article · Open access

    The recent Digital Markets Act (DMA), a regulation passed by the European Union in 2022, requires messaging applications with large user bases to support interoperable end-to-end encrypted (E2EE) communication. This raises numerous questions about how to adapt cryptographic protocols to this setting in a way that preserves security and privacy. This question is not only limited to the main messaging protocols, but also extends to protocols for abuse mitigation such as the symmetric message franking protocol first proposed by Facebook. The latter uses symmetric cryptography to enable reporting abusive E2EE messages in a way that allows the platform to cryptographically verify the report's veracity.

  • Injection Attacks Against End-to-End Encrypted Applications

    2024-05-19 · 6 citations

    article · Senior author

    We explore an emerging threat model for end-to-end (E2E) encrypted applications: an adversary sends chosen messages to a target client, thereby "injecting" adversarial content into the application state. Such state is subsequently encrypted and synchronized to an adversarially-visible storage. By observing the lengths of the resulting cloud-stored ciphertexts, the attacker backs out confidential information. We investigate this injection threat model in the context of state-of-the-art encrypted messaging applications that support E2E encrypted backups. We show proof-of-concept attacks that can recover information about E2E encrypted messages or attachments sent via WhatsApp, assuming the ability to compromise the target user’s Google or Apple account (which gives access to encrypted backups). We also show weaknesses in Signal’s encrypted backup design that would allow injection attacks to infer metadata including a target user’s number of contacts and conversations, should the adversary somehow obtain access to the user’s encrypted Signal backup. While we do not believe our results should be of immediate concern for users of these messaging applications, our results do suggest that more work is needed to build tools that enjoy strong E2E security guarantees.

Frequent coauthors

  • Nicola Dell

    Cornell University

    32 shared
  • Ari Juels

    24 shared
  • Paul Grubbs

    University of Michigan–Ann Arbor

    23 shared
  • Thomas Shrimpton

    University of Florida

    20 shared
  • Mihir Bellare

    18 shared
  • Emily Tseng

    Cornell University

    13 shared
  • Rahul Chatterjee

    University of Wisconsin–Madison

    12 shared
  • Michael M. Swift

    University of Wisconsin–Madison

    12 shared

Education

  • Ph.D.

    University of California, San Diego

    2010
  • M.S.

    University of California, Davis

    2005

Awards & honors

  • ACM CCS test-of-time award
  • USENIX Security test-of-time award
  • Advocate of New York City award
  • NSF CAREER Award
  • Sloan Research Fellowship