Dan Boneh

Rajeev Motwani Professor in the School of Engineering and Professor of Electrical Engineering, Co-director of the Stanford Computer Security Lab, Co-director of the Stanford Cyber Initiative, Affiliate Faculty at CISAC

Stanford University · International Security Studies

Active 1987–2026

h-index: 121
Citations: 89.5k
Papers: 500 (60 in the last 5 years)
Funding: $12.8M
About

Professor Dan Boneh is the Rajeev Motwani Professor in the School of Engineering and a Professor of Electrical Engineering at Stanford University. He heads the applied cryptography group and co-directs the Stanford Computer Security Lab. His research focuses on applications of cryptography to computer security, including cryptosystems with novel properties, web security, security for mobile devices, and cryptanalysis. Professor Boneh has authored over a hundred publications in the field and is recognized as a Packard and Alfred P. Sloan fellow. He has received several awards, including the 2014 ACM prize, the 2013 Godel prize, and the 2011 Ishii award for industry education innovation. He earned his Ph.D. from Princeton University and joined Stanford in 1997.

Research topics

  • Computer Science
  • Computer Security
  • Artificial Intelligence
  • World Wide Web
  • Discrete mathematics
  • Political Science
  • Sociology
  • Mathematics
  • Engineering
  • Law
  • Software engineering
  • Mathematical analysis
  • Programming language
  • Database
  • Criminology
  • Theoretical computer science
  • Public relations
  • Operating system
  • Internet privacy

Selected publications

  • Data for "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations"

    Zenodo (CERN European Organization for Nuclear Research) · 2026-03-30

    other · Open access · Senior author

    Rust code written to generate and verify a Zero Knowledge Proof (ZKP) generated for the paper "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations". The ZK proof is for the claim that we have compiled two quantum circuits that correctly implement Elliptic Curve Point Addition on the secp256k1 curve: one with 1175 logical qubits and 2.7 million Toffoli gates and one with 1425 logical qubits and 2.1 million Toffoli gates.

  • Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

    ArXiv.org · 2026-03-30

    article · Open access · Senior author

    This whitepaper seeks to elucidate implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either <1200 logical qubits and <90 million Toffoli gates or <1450 logical qubits and <70 million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with 1e-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between fast-clock (such as superconducting and photonic) and slow-clock (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable on-spend attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling, as well as the enduring concern of abandoned assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of digital salvage to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the ongoing migration to PQC without delay.

  • Hawkeye: Reproducing GPU-Level Non-Determinism

    ArXiv.org · 2026-03-20

    article · Open access

    We present Hawkeye, a system for analyzing and reproducing GPU-level arithmetic operations. Using our framework, anyone can re-execute on a CPU the exact matrix multiplication operations underlying a machine learning model training or inference workflow that was executed on an NVIDIA GPU, without any precision loss. This is in stark contrast to prior approaches to verifiable machine learning, which either introduce significant computation overhead to the original model owner, or suffer from non-robustness and quality degradation. The main technical contribution of Hawkeye is a systematic sequence of carefully crafted tests that study rounding direction, subnormal number handling, and order of (non-associative) accumulation during matrix multiplication on NVIDIA's Tensor Cores. We test and evaluate our framework on multiple NVIDIA GPU architectures (Ampere, Hopper, and Lovelace) and precision types (FP16, BFP16, FP8). In all test cases, Hawkeye enables perfect reproduction of matrix multiplication on a CPU, paving the way for efficient and trustworthy third-party auditing of ML model training and inference. We provide source code for Hawkeye at https://github.com/badasherez/gpu-simulator.

  • Data for "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations"

    Zenodo (CERN European Organization for Nuclear Research) · 2026-04-15

    other · Open access · Senior author

    Rust code written to generate and verify a Zero Knowledge Proof (ZKP) generated for the paper "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations". The ZK proof is for the claim that we have compiled two quantum circuits that correctly implement Elliptic Curve Point Addition on the secp256k1 curve: one with 1175 logical qubits and 2.7 million Toffoli gates and one with 1425 logical qubits and 2.1 million Toffoli gates.

  • Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations

    arXiv (Cornell University) · 2026-03-30

    preprint · Open access · Senior author

    This whitepaper seeks to elucidate implications that the capabilities of developing quantum architectures have on blockchain vulnerabilities and mitigation strategies. First, we provide new resource estimates for breaking the 256-bit Elliptic Curve Discrete Logarithm Problem, the core of modern blockchain cryptography. We demonstrate that Shor's algorithm for this problem can execute with either <1200 logical qubits and <90 million Toffoli gates or <1450 logical qubits and <70 million Toffoli gates. In the interest of responsible disclosure, we use a zero-knowledge proof to validate these results without disclosing attack vectors. On superconducting architectures with 1e-3 physical error rates and planar connectivity, those circuits can execute in minutes using fewer than half a million physical qubits. We introduce a critical distinction between fast-clock (such as superconducting and photonic) and slow-clock (such as neutral atom and ion trap) architectures. Our analysis reveals that the first fast-clock CRQCs would enable on-spend attacks on public mempool transactions of some cryptocurrencies. We survey major cryptocurrency vulnerabilities through this lens, identifying systemic risks associated with advanced features in some blockchains such as smart contracts, Proof-of-Stake consensus, and Data Availability Sampling, as well as the enduring concern of abandoned assets. We argue that technical solutions would benefit from accompanying public policy and discuss various frameworks of digital salvage to regulate the recovery or destruction of dormant assets while preventing adversarial seizure. We also discuss implications for other digital assets and tokenization as well as challenges and successful examples of the ongoing transition to Post-Quantum Cryptography (PQC). Finally, we urge all vulnerable cryptocurrency communities to join the ongoing migration to PQC without delay.

  • BountyBench: Dollar Impact of AI Agent Attackers and Defenders on Real-World Cybersecurity Systems

    ArXiv.org · 2025-05-21

    preprint · Open access

    AI agents have the potential to significantly alter the cybersecurity landscape. Here, we introduce the first framework to capture offensive and defensive cyber-capabilities in evolving real-world systems. Instantiating this framework with BountyBench, we set up 25 systems with complex, real-world codebases. To capture the vulnerability lifecycle, we define three task types: Detect (detecting a new vulnerability), Exploit (exploiting a given vulnerability), and Patch (patching a given vulnerability). For Detect, we construct a new success indicator, which is general across vulnerability types and provides localized evaluation. We manually set up the environment for each system, including installing packages, setting up server(s), and hydrating database(s). We add 40 bug bounties, which are vulnerabilities with monetary awards from $10 to $30,485, covering 9 of the OWASP Top 10 Risks. To modulate task difficulty, we devise a new strategy based on information to guide detection, interpolating from identifying a zero day to exploiting a given vulnerability. We evaluate 10 agents: Claude Code, OpenAI Codex CLI with o3-high and o4-mini, and custom agents with o3-high, GPT-4.1, Gemini 2.5 Pro Preview, Claude 3.7 Sonnet Thinking, Qwen3 235B A22B, Llama 4 Maverick, and DeepSeek-R1. Given up to three attempts, the top-performing agents are Codex CLI: o3-high (12.5% on Detect, mapping to $3,720; 90% on Patch, mapping to $14,152), Custom Agent: Claude 3.7 Sonnet Thinking (67.5% on Exploit), and Codex CLI: o4-mini (90% on Patch, mapping to $14,422). Codex CLI: o3-high, Codex CLI: o4-mini, and Claude Code are more capable at defense, achieving higher Patch scores of 90%, 90%, and 87.5%, compared to Exploit scores of 47.5%, 32.5%, and 57.5% respectively; while the custom agents are relatively balanced between offense and defense, achieving Exploit scores of 17.5-67.5% and Patch scores of 25-60%.

  • VerITAS: Verifying Image Transformations at Scale

    2025-05-12 · 6 citations

    article · Senior author

    Verifying image provenance has become an important topic, especially in the realm of news media. To address this issue, the Coalition for Content Provenance and Authenticity (C2PA) developed a standard to verify image provenance that relies on digital signatures produced by cameras. However, photos are usually edited before being published, and a signature on an original photo cannot be verified given only the published edited image. In this work, we describe VerITAS, a system that uses zero-knowledge proofs (zk-SNARKs) to prove that only certain edits have been applied to a signed photo. While past work has created image editing proofs for photos, VerITAS is the first to do so for realistically large images (30 megapixels). Our key innovation enabling this leap is the design of a new proof system that enables proving knowledge of a valid signature on a large amount of witness data. We run experiments on realistically large images that are more than an order of magnitude larger than those tested in prior work. In the case of a computationally weak signer, such as a camera, we are able to generate a proof of valid edits for a 90 MB image in just over thirteen minutes, costing about $0.54 on AWS per image. In the case of a more powerful signer, we are able to generate a proof of valid edits for a 90 MB image in just over three minutes, costing only $0.13 on AWS per image. Either way, proof verification time is less than a second. Our techniques apply broadly whenever there is a need to prove that an efficient transformation was applied correctly to a large amount of signed private data.

  • ExpProof: Operationalizing Explanations for Confidential Models with ZKPs

    ArXiv.org · 2025-02-06

    preprint · Open access

    In principle, explanations are intended as a way to increase trust in machine learning models and are often obligated by regulations. However, many circumstances where these are demanded are adversarial in nature, meaning the involved parties have misaligned interests and are incentivized to manipulate explanations for their purpose. As a result, explainability methods fail to be operational in such settings despite the demand \cite{bordt2022post}. In this paper, we take a step towards operationalizing explanations in adversarial scenarios with Zero-Knowledge Proofs (ZKPs), a cryptographic primitive. Specifically we explore ZKP-amenable versions of the popular explainability algorithm LIME and evaluate their performance on Neural Networks and Random Forests. Our code is publicly available at https://github.com/emlaufer/ExpProof.

  • Rabin Digital Signature Scheme

    2025-01-01

    book-chapter · 1st author · Corresponding

Awards & honors

  • 2014 ACM prize
  • 2013 Godel prize
  • 2011 Ishii award for industry education innovation
  • Packard fellow
  • Alfred P. Sloan fellow