Sarah Scheffler

I'm just a humble professor tilling my Galois fields.



Recent news

See [here] for our new tech report on user behavior in online age verification.

About me

I am an assistant professor at CyLab, Carnegie Mellon University's Security and Privacy Institute, studying at the intersection of cryptography and policy. I am jointly appointed between Software and Societal Systems (in the School of Computer Science) and Engineering and Public Policy (in the College of Engineering).

I am a studying applied cryptographer working at the intersection of cryptography, privacy, policy, and law. I try to focus my work on what you should do beyond what you can do, and I try to create systematic ways to tailor cryptographic protocols to specific use cases. My interdisciplinary work includes policy and technical analysis of end-to-end encrypted content moderation, compelled decryption, and privacy-preserving computation as applied to age verification, digital identity documents, and more. I also do "pure" applied cryptography, primarily work on zero-knowledge proofs and multi-party computation.

I am also co-director of the CMU CyLab Robotics Security and Privacy Initiative (RSPI).

If you are interested in joining me as a student, please read the section below on working with me. My ideal student has a strong background or interest in cryptography and its intersection with societal, legal, and policy issues.

Formerly, I was a postdoctoral research associate at MIT's Internet Policy Research Initiative, and before that I was a postdoctoral research associate at Princeton University's Center for Information Technology Policy. I obtained my Ph.D. from Boston University in 2021, advised by Prof. Mayank Varia. During my time at BU, I was a Ph.D. student in the BUsec group, and I was an active member of the Cyber Security, Law, and Society Alliance.



Are you interested in working with me?

My group is quite full and I do not anticipate bringing on any new students for Fall 2027.

If you are applying to Ph.D. programs and are interested in having me as your advisor: (As per the note above, I do not anticipate bringing on any new students this year. If you want to apply anyway on the offchance that changes, read on.) Please apply to either CMU's Engineering and Public Policy Ph.D. Program (in the College of Engineering) or the Societal Computing Ph.D. program (in the School of Computer Science). The deadlines are typically in early-mid December. I usually reach out to students I am interested in interviewing to work with me in the early spring; I will probably not respond to any cold-emails you send me.

If you are a master's student or undergraduate already at CMU and are interested in conducting research with me: please send me an email with (1) your CV/resume, (2) your favorite privacy/security experience (a class you took, a project you did, etc.), (3) your major/year/program, (4) what your goals are in pursuing research (exploring? preparing to apply to further research positions? working on a master's thesis?), and (5) your approximate ideal workload (hours/week).

I have found it helpful to do a "trial run" of research on the timescale of 4-8 weeks (similar to a class project) before we decide if we want to continue longer term research. I can typically support undergraduates working for credit (a course) during the semester, and go through existing funded undergraduate research programs (e.g. REUSE) during the summer. It is very rare that I am able to fund undergraduate researchers long-term during the semester, but it does happen from time to time.

I am usually not able to take on mentees from outside CMU.

I sometimes find myself in the position of needing to turn down the offer to work with absoslutely great people simply because I am already overbooked. I apologize if one of those people was you. As the saying goes, it's not you, it's me.



Have a privacy anecdote to share?

Every year I collect "privacy anecdotes" to share in a short talk at the Carnegie Library of Pittsburgh for Data Privacy Day in January! These are little short stories of things you think about, do, etc. that are privacy-relevant. I select some of the submitted anecdotes to read publicly at the event (credited or anonymously). If you want to submit one or more anecdotes, please submit them here: https://sarahscheffler.net/privacy-anecdotes-2026.



Current PhD Students

  • Shuang Liu
  • Sydney Earp
  • Kelsey Merrill
  • Ben Hagag
  • Madelyne Xiao (visiting from Princeton University, primarily advised by Prof. Jonathan Mayer)


Representative Publications and Manuscripts

For all my publications, please see my Google Scholar profile.

Synopsis: Secure and private trend inference from encrypted semantic embeddings
Madelyne Xiao, Palak Jain, Micha Gorelick, Sarah Scheffler
(arxiv preprint)

When Anti-Fraud Laws become a Barrier to Computer Science Research
Madelyne Xiao, Andrew Sellars, Sarah Scheffler
ACM CS&Law 2025

SoK: Content Moderation for End-to-End Encryption
Sarah Scheffler, Jonathan Mayer
PoPETS 2023

Public Verification for Private Hash Matching
Sarah Scheffler, Anunay Kulshrestha, Jonathan Mayer
IEEE S&P 2023

TurboIKOS: Improved Non-interactive Zero Knowledge with Sublinear Memory
Yaron Gvili, Julie Ha, Sarah Scheffler, Mayank Varia, Ziling Yang, Xinyuan Zhang
ACNS 2021

Protecting Cryptography against Compelled Self-Incrimination
Sarah Scheffler, Mayank Varia
USENIX Security 2021

Case Study: Disclosure of Indirect Device Fingerprinting in Privacy Policies
Julissa Milligan, Sarah Scheffler, Andrew Sellars, Trishita Tiwari, Ari Trachtenberg, Mayank Varia
STAST 2019

From Soft Classifiers to Hard Decisions: How fair can we be?
Ran Canetti, Aloni Cohen, Nishanth Dikkala, Govind Ramnarayan, Sarah Scheffler, Adam Smith
ACM FAT* 2019

The Unintended Consequences of Email Spam Prevention
Sarah Scheffler, Sean Smith, Yossi Gilad, Sharon Goldberg
PAM 2018