Cristian Lepore

About

It’s 2:30 p.m. on a Friday afternoon. I’m sitting in a Starbucks in Paris. Nothing seems unusual.

Days later, I start receiving strange emails — confirmations of university registrations I never requested.

At first, they’re easy to dismiss as spam. Only gradually does it become clear that something is wrong.

Eventually, I realize my email account had been compromised.

What struck me was the fact that, when it happened, I had no reliable warning, and no way to tell that control over my digital identity had already been lost.

The system worked silently — and successfully — on behalf of someone else.

That delayed realization shaped my interest in security and digital identity.

Today I’m a researcher at the Research Institute in Computer Science of Toulouse (IRIT), working on security, authentication, privacy, and trust management — with a focus on identity systems.

What I work on

I design and study digital identity systems where what a user approves is exactly what the system enforces.

The challenge is that the software mediating these approvals — especially web browsers and client-side components — cannot always be assumed to be trustworthy, observable, or even benign.

My research explores authorization-first authentication: instead of relying on the client to behave correctly (or to alert the user when something goes wrong), the goal is to bind user intent directly to cryptographic signatures and formal authorization models, so that actions cannot be altered, replayed, or misinterpreted — even under partial compromise.

I work at the intersection of formal security models and deployed identity infrastructures, including Self-Sovereign Identity, WebAuthn / FIDO-style authentication, and cross-platform / cross-cloud identity stacks, with a focus on systems that remain secure even when compromise goes unnoticed.

Selected talks & venues

I regularly present work at conferences and research venues in security, privacy, and digital identity, including:

• ARES — Austria (2024)
• WorldCIST — Poland (2024)
• CONVERGENCE — Belgium (2023)
• IEEE MetaCom — Japan (2023)
• Financial Cryptography — Online (2021)

Selected publications

1. Yang, Qifan, Lepore, Cristian, et al. “From Theory to Practice: Data Minimisation and Technical Review of Verifiable Credentials under the GDPR.”
   Computer Law & Security Review, vol. 57, 2025, Article 106138.
2. Bartoletti, Massimo, Lepore, Cristian, et al. “A Formal Model of Algorand Smart Contracts.”
   Financial Cryptography and Data Security (FC 2021), Revised Selected Papers, Springer, 2021.
3. Lepore, Cristian, et al. “A Survey on Blockchain Consensus with a Performance Comparison of PoW, PoS and Pure PoS.”
   Mathematics, vol. 8, no. 10, 2020, Article 1782.

Full list: Google Scholar · ResearchGate