Is curiosity really a bad flaw? With Michele Orrù, the answer is simple: no! As a self-taught programmer, he made his path through the computer science community to the whistleblower community, interested in anonymity and cryptography from a young age. Meeting with Michele, the new CNRS researcher at IRIF. 

“I’m interested in the intersection between authentication and anonymity, questions such as what does it mean to have an identity with respect to someone? What can you disclose? What can you convince about yourself to someone else? My interest in this subject is not only because it's mathematically interesting, but also because it is philosophically stimulating and of great relevance in society.” Michele Orrù, CNRS researcher | Pole Algorithms and discrete structures - Team Algorithms and complexity

I grew up in a small village in Sardinia (Italy). I have always been very interested in sciences; around 12-13, I started coding, which felt more accessible than natural sciences. In the early 2010s, old chats such as IRC were a popular textual interface for people all over the world interested in coding and hacking. It was my window to the world, directing me towards learning things like Python and studying computer science at the university. Ultimately, that is what pushed me towards doing computer security. It was a very open environment: you could talk to anybody without biases of age or race, change your identity instantly, and people were eager to exchange ideas.

I did my bachelor's in computer science and my master’s in mathematics at the University of Trento in Italy, with a small internship at the University of Bristol. Later, I pursued my PhD in Paris at École Normale Supérieure. I stayed there for three and a half years, finished with an internship at Google New York, and continued with a post-doc in Berkeley, California. I came back to Paris in 2023 at CNRS.

About difficulties… I think that the most challenging moments in my academic journey were between my bachelor's and master's, partially because, in tandem with the switch from computer science to math (which kinda requires a different forma mentis), the Math Department used to frown upon non-mathematicians, and I had to prove my worth. I think another challenging point in my career has been finding my research path and getting visibility in an international and fast-moving research environment.

I’m interested in the intersection between authentication and anonymity. Some questions became mathematical, such as what does it mean to have an identity with respect to someone? What can you disclose? What can you convince about yourself or somebody else? My interest in this subject is not only because it’s philosophically interesting but also because I think it has a great relevance in society. The tool I use the most is zero-knowledge proof, an incredible discovery that gave the Turing Award in 2012 to Silvio Micali and Shafi Goldwasser. It allows you to prove that something is true without really saying anything else beyond the fact that this thing is true. A proof, even in a mathematical sense, doesn’t need to give any information besides the fact that the theorem is true. That was something very surprising at the time (and it still is!) yet it's useful for a lot of things. For instance, it can help you to prove properties about yourself without revealing extra information.

The key concepts of my reasearch are digital signatures, zero-knowledge proofs, zk-snarks, cryptocurrencies, confidential transactions, and public-key cryptography.

I think I was just very curious and I asked a lot of questions, and people directed me little by little. I used to spend a lot of time in the local public library, which had a “fast” internet connection (it was the good times of ADSL in Sardinia) and thanks to the kind director of the local library I was able to recover an old Pentium III where I installed a low-memory Linux distribution and started hacking around. In high school, I was directed towards learning Python, and thanks to it I started hanging out a lot with the Python Italia community. At the time I was trying to find projects that could help me improve my Python skills. That's where I started hanging out with the Tor community (Tor is a software allowing you to browse the internet anonymously) and the whistleblowing community. In both of those communities, anonymity is really important. This environment nourished in me a lot of determination to study computer science.

It was around 2012-2013, and it was the times of the Arab Spring, with people trying to push data out, the times of Wikileaks and Snowden where finally the public was understanding the Orwellian capacity of the intelligence services around the world. All these topics evolved in unexpected ways over time, but their energy fueled a lot of my motivation for research.

I think a lot can be done to limit the mass storage of personal identifying information and there are different angles in this story. On the business angle, it’s becoming a liability to store a lot of personal data, for legal and for security reasons, and we don't want businesses to scratch their heads over sensitive data handling problems, or lawyer up in self-defense. On the other side, in the public space, we have developed these frameworks with GDPR, now we need to provide tools for them to enforce it. We need to develop some off-the-shelf solutions that people can just use. Working at CNRS provides a neutral position in service of the public interest, and as such it felt like the right place to be. At IRIF, there is a lot of expertise on all areas of computer science, which can be especially helpful when thinking of the larger picture.

A whistleblowing protocol generally has three parties: a server who must not know anything about anybody, it just receives, stores, and forwards encrypted files. Then, there’s the source, who transmits some information while remaining anonymous, and finally, you have the journalists, who are receiving these files and can handle them. The idea of the platform I co-authored, Globaleaks, is that anybody can set up their whistleblowing server. The server works in such a way that a user can upload documents and news that will be received by journalists, without anyone else being able to read the information, not even the server owner. In other places like Wikileaks, for instance, this does not happen: the editors are the same people receiving the documents. We were trying to break these bonds, to limit liability and improve the resiliency of these systems.

Going back to the “encountered difficulties” in my career, also to figure out morally whether developing a system for anonymous submissions was a good idea was a hard one. At the end of the day, anonymous reporting can be used for anything, including nasty forms of policing. It is really hard to know where to place the limit of these systems and your engagement in an initiative you do not fully support.

I think it's part of our duty as researchers to disseminate our knowledge, especially to non-profits that need the expertise but don’t necessarily have the astronomical budgets of Big Tech to hire a cryptographer. Plus, you never know when a new good research question might come up!  In my early 20s I was going to hacker conferences like the Chaos Communication Congress and I still think of it as my community. Incidentally, it helped me develop a network within the applied security folks, and a habit of always checking back on what happens in the day-to-day trenches of cyberwarfare.

All in all, it is very sporadic work, and each person has different needs. In the past year, I talked for just a few minutes at a EU consortium for a crash course on security for NGOs in Eastern Europe, helped SecureDrop to review their new protocol for protecting journalists and whistleblowers, and worked on improvements for the Signal anonymous credentials systems.

For me, it’s always been more about what I want to do than how to professionally frame my life; those things seem so hard to predict! I have always been the person who knew what to do but not how to do it. I know I want to be a researcher, and I guess the next step would be to start mentoring students (HDR) and push some modern cryptography into the real world!

I’ve recently discovered Château du Feÿ, a community in rural France where people rethink our possible futures. Imagine a 400-year-old chateau that lay empty for a decade, now bridging between local and global ideas, rural and cosmopolitan populations, between countless disciplines, with artists, technologists, entrepreneurs, and researchers. Sounds fun, doesn’t it?


From 2022: CNRS Researcher
2020-2021: Post-doc Berkeley (in Paris because of the pandemic) with Alessandro Chiesa
2017-2020: PhD with Georg Fuchsbauer