About

Headshot photo of Zachary Espiritu.

My name is Zach. My pronouns are he/him/his. I’m a senior research engineer at MongoDB Research.

My research vision is to make privacy-preserving systems for data processing and retrieval so efficient, expressive, understandable, and appropriately secure that they become the default choice in many real-world scenarios. My recent work focuses on structural-invariant-based leakage attacks, automated leakage analysis engines, expressive and efficient encrypted data structures, and application-centric cryptographic design to support at-risk communities. To do this, I maintain a broad set of interests in cryptography, formal methods, data structures, computer systems, and human factors.

I completed a concurrent Sc.B. and Sc.M. at Brown University. My studies were generously supported by grants from Brown CS, CrowdStrike, (ISC)2, and the CIT Group. I was also affiliated with the following research groups:

I love teaching, and I particularly love teaching computer security. I was the course designer and Head Teaching Assistant of the Computer Science department’s flagship computer systems security course from 2019 to 2021.

Outside of research, I think about things like long distance running, pottery on the wheel, theatrical lighting design, Broadway theater producing and investing, small-scale immersive theater, tabletop gaming, and Dance Dance Revolution.

News
Dec 2025

I’ll be at Asiacrypt 2025 in Melbourne, Australia!

Nov 2025

Our paper “tigro: Trust Infrastructure for Grassroots Organizing via Grounded Digital Annotations” will appear at PETS 2026!

Nov 2025

I’m part of the USENIX Security 2026 Artifact Evaluation Committee!

Sep 2025

Our paper “Leafblower: A Leakage Attack Against TEE-Based Encrypted Databases” will appear at at IEEE Security & Privacy 2026 in San Francisco, CA!

Aug 2025

I’ve joined the inaugural IEEE Security & Privacy 2026 Artifact Evalaution Committee! I’m also part of the PETS 2026 Artifact Evaluation Committee!

Aug 2025

Our paper “Structured Encryption and Distribution-aware Leakage Suppression” will appear at Asiacrypt 2025 in Melbourne, Australia!

May 2025

Our paper “PolySys: an Algebraic Leakage Attack Engine” will appear at the 34th USENIX Security Symposium in Seattle, WA, USA!

Mar 2025

Our paper “Bayesian Leakage Analysis” was published in IACR Communications of Cryptography!

Jan 2025

Our paper “Sequentially Consistent Concurrent Encrypted Multimaps” will appear at IEEE Euro Security & Privacy 2025 in Venice, Italy!

Oct 2024

Range Search is now generally available in MongoDB’s Queryable Encryption!

Dec 2023

Our paper “Synq: Public Policy Analytics Over Encrypted Data” will appear at IEEE Security & Privacy 2024 in San Francisco, CA!

Aug 2023

Our new product at MongoDB—Queryable Encryption, the first industry database product implementing structured encryption—is now generally available!

Feb 2023

I reunited with some of my former collaborators from the Encrypted Systems Lab at Brown University by joining the Cryptography Research Group at MongoDB!

Nov 2022

Our paper “Range Search over Encrypted Multi-Attribute Data” will appear at VLDB 2023 in Vancouver, Canada!

May 2022

Five months after completing my requirements, I “officially” graduated with a Sc.B. in Computer Science (with Honors) and an Sc.M. in Computer Science at Brown University’s annual Commencement.

May 2022

I was awarded a Senior Prize in Computer Science “for academic work as well as service to Brown CS” (awarded to 6.8% of the graduating class in CS). I also received the Norman K. Meyrowitz ’81 Award for “exceptionally meritorious service to Brown CS” (second to receive the award in the award’s history).

May 2022

Our paper “Time- and Space- Efficient Aggregate Range Queries on Encrypted Databases” will appear at PETS 2022!

Dec 2021

I defended my honors thesis on “Time- and Space- Efficient Aggregate Range Queries on Encrypted Databases” and finished my Bachelor’s and Master’s requirements at Brown!

Aug 2021

I received an Crowdstrike NextGen Scholarship for 2021!

Apr 2021

Received an (ISC)2 Undergraduate Information Security Scholarship for 2021.

Mar 2021

I received the Randy Pausch Undergraduate Research Award from Brown CS to support my research with Roberto Tamassia on encrypted databases!

Show older news
Publications

denotes authors listed alphabetically. Click abstracts to expand.

2026
1
tigro: Trust Infrastructure for Grassroots Organizing via Grounded Digital Annotations
Leah Namisa Rosenbloom, Seny Kamara, Zachary Espiritu, Tarik Moataz, Amine Bahi, John Wilkinson
To appear at Privacy Enhancing Technologies Symposium 2026 (Calgary, Canada)

A cryptographic primitive for “grounded annotations”, motivated by the needs of activist communication in authoritarian environments. We create an broader protocol using this primitive and implement it in a proof-of-concept application.

2025
2
Leafblower: A Leakage Attack Against TEE-Based Encrypted Databases
Zachary Espiritu, Seny Kamara, Tarik Moataz, Valentin Ogier
47th IEEE Symposium on Security and Privacy (San Francisco, CA, USA)

Attack against a class of TEE-based encrypted databases. It allows a multi-snapshot external memory adversary (weaker than the traditional, persistent TEE adversaries) to learn the plaintext of INSERT operations on a SQLite database running inside of Gramine. We do this by exploiting B+-tree invariants that are observable just from snapshots of encrypted index files.

Proceedings   Paper  
3
Structured Encryption and Distribution-aware Leakage Suppression
Marilyn George, Seny Kamara, Tarik Moataz, Zachary Espiritu
Asiacrypt 2025 (Melbourne, Australia)

New, static, distribution-aware, replication-based leakage suppressors with better performance than existing full suppressors (Kamara et al. (2018); George et al. (2022)) and prior replication-based suppressors (Pancake, Waffle).

Proceedings  
4
PolySys: an Algebraic Leakage Attack Engine
Zachary Espiritu, Seny Kamara, Tarik Moataz, Andrew Park
34th USENIX Security Symposium (Seattle, WA, USA)

Polynomial-system-based theory for modeling leakage profiles and automatically evaluating their security in provably optimal ways via SAT solvers.

Proceedings  
5
Bayesian Leakage Analysis: A Framework for Analyzing Leakage in Encrypted Search
Zachary Espiritu, Seny Kamara, Tarik Moataz
IACR Communications of Cryptology, Volume 2, Issue 1

Bayesian-network-based theory for modeling leakage profiles and mathematically evaluating their security in provably optimal ways. We also come up with a new network inference algorithm that efficiently handles the types of “leakage networks” commonly seen in encrypted search.

Article  
6
Sequentially Consistent Concurrent Encrypted Multimaps
Archita Agarwal, Zachary Espiritu
10th IEEE European Symposium on Security and Privacy (Venice, Italy)

New definitions, schemes, and implementations for encrypted multimaps that are sequentially consistent, a consistency model that closely resembles the transactional guarantees of common real-world databases.

Proceedings  
2024
7
Synq: An Encrypted Database for Public Policy Studies
Zachary Espiritu, Marilyn George, Seny Kamara, Lucy Qin
45th IEEE Symposium on Security and Privacy (San Francisco, CA, USA)

In collaboration with Brown’s Policy Lab, a system for encrypted, multi-party, data analytics specifically designed to support a government-mandated study run by the Massachusetts’s Department of Public Health on the opioid epidemic.

Proceedings  
2023
8
Range Search over Encrypted Multi-Attribute Data
Francesca Falzon, Evangelia Anna Markatou, Zachary Espiritu, Roberto Tamassia
49th International Conference on Very Large Data Bases (Vancouver, Canada)

New schemes for encrypted, multi-dimensional range search.

Article  
9
Attacks on Encrypted Response-Hiding Range Search Schemes in Multiple Dimensions
Evangelia Anna Markatou, Francesca Falzon, Zachary Espiritu, Roberto Tamassia
Privacy Enhancing Technologies Symposium 2023 (Lausanne, Switzerland)

Algorithmic leakage attacks against encrypted, response-hiding, multi-dimensional range search schemes. We use data structural, invariant-based reasoning to demonstrate how to fully recover the plaintext of queries (and thus, the indexed values).

Article  
2022
10
Time- and Space-Efficient Aggregate Range Queries on Encrypted Databases
Zachary Espiritu, Evangelia Anna Markatou, Roberto Tamassia
Privacy Enhancing Technologies Symposium 2022 (Sydney, Australia)

New schemes for encrypted, aggregate range queries. (This was also my undergraduate honors thesis.)

Article  
Teaching

I served as a teaching assistant every semester I was at Brown University, sometimes even during semesters I wasn't enrolled. denotes a Head Teaching Assistant role.

CSCI 1650: Software Security and Exploitation
Fall 2021

Software exploitation techniques and state-of-the-art mechanisms for hardening software. With Vasileios Kemerlis.

CSCI 1660: Computer Systems Security
Spring 2019, Spring 2020, Spring 2021

An introduction to principles of computer security from an applied viewpoint and provides hands-on experience on security threats and countermeasures. Topics include cryptosystems, web security, network security, malware, code execution vulnerabilities, access control, cryptocurrencies, machine learning, and human and social issues. With Roberto Tamassia (2019, 2020) and Bernardo Palazzi (2021).

  • 2021 contributions:
    • Interviewed, hired, trained, and coordinated staff of 10 undergraduate and graduate TAs.
    • Recurrent guest lecturer in 9 lectures during the semester; delivered over 4 hours of lecture content during the semester.
    • Co-developed and hosted 8 “sections” covering supplementary course content during the semester; developed “discussion” handouts for the sections to help foster community and student-to-student interaction in a remote learning environment.
    • Developed new course project on cloud storage security and secure systems design. Co-designed and developed an implementation-agnostic, adversarial autograder for evaluating and discovering attacks against student implementations, reducing grading workload from 100+ hours of combined TA work hours to ~10 hours of combined TA work hours.
    • Coordinated homework and exam design with staff and professor. Wrote ~50% of the exam problems for 2021.
  • 2020 contributions:
    • Interviewed, hired, trained, and coordinated staff of 11 undergraduate and graduate TAs.
    • Organized creation of new homeworks with a more open-ended, design-based focus; modernized homework content (with questions on cryptography, MPC, web security, networks, data compression, anonymization networks, etc.) and wrote +30 new questions for the entire semester with additional “reserve questions” for future years.
    • Designed new “midterm” component of course focused on open-ended design and security analysis questions; wrote ~80% of the exam problems for 2020.
    • Redeveloped the web security and operating security technical projects to improve learning outcomes and increase efficiency of internal grading processes; facilitiated technical project logistics.
    • Created UTA Manual outlining internal staff processes and responsibilities.
  • 2019 contributions:
    • Interviewed, hired, trained, and coordinated staff of 8 undergraduate and graduate TAs.
    • Ported technical components of projects written in Bash, PHP, Javascript, and Go to Google Cloud Platform’s Compute Engine.
    • Automated setup process of sandbox Linux virtual machines for each project using the Compute Engine API, reducing setup times by up to ~92%.
    • Co-gave “Passwords” lecture with hashcat password recovery demonstration (slide deck, video starting @ 33:27).
CSCI 1730: Design and Implementation of Programming Languages
Fall 2019, Fall 2020

Explores the principles of modern programming languages by implementation; studies data and their types, including polymorphism, type inference, and type soundness; examines compiler and run-time system topics: continuation-passing style and garbage collection. With Shriram Krishnamurthi.

  • 2020 contributions:
    • Interviewed and hired staff of 6 undergraduate TAs.
    • Heavily rewrote 9 assignment specifications on programming language feature implementations in Plait and Racket (examples include “Interpreter”, “Type Checker”, “Type Inference”, “Generators”).
    • Transitioned internal staff infrastructure to Gradescope to automate the majority of grading and feedback distribution; developed autograder framework to emulate a Racket version of Examplar, a research IDE helping students assess their understanding of specifications via example-driven development.
  • 2019 contributions:
    • Interviewed and hired staff of 6 undergraduate TAs.
    • Remotely answered student-submitted questions throughout the semester.
    • Copy-edited several assignment specifications written by other TAs.
CSCI 0190: Accelerated Introduction to Computer Science
Fall 2018

Functional programming, data structures, and algorithms in Racket and Pyret. Includes a summer component taught using the first half of How to Design Programs, then transitions to content based on portions of Programming and Programming Languages during the semester. With Shriram Krishnamurthi.

  • Interviewed, hired, trained, and coordinated staff of 9 undergraduate TAs.
  • Remotely organized summer placement process and grading for 174 students.
  • Rewrote old assignments (“Tour Guide”) and developed new labs (“Iterating Over Trees”, “Tensorflow”).
  • Maintained and added new features to existing, end-to-end Google Apps Script-based pipeline for grading management and distribution.
  • Wrote internal handbook for future iterations of course staff, covering suggestions for recruiting and hiring future teaching assistants, organizing course logistics, running existing course scripts, and more.
CSCI 0040: Introduction to Scientific Computing and Problem-Solving
Spring 2018

Introduction to programming in MATLAB and Python, with an emphasis on STEM data analysis and simulation problems. With Dan Potter.

CSCI 0050: A Data-Centric Introduction to Programming
Fall 2017

Data-focused introduction to computer science using Pyret. With Kathi Fisler.