Sayon Duttagupta
Postdoctoral Researcher in COSIC at KU Leuven
Applied Cryptography & IoT Security
About Me
đ Hi! I’m Sayon, a postdoctoral researcher in the COSIC research group at KU Leuven. I recently defended my PhD, Analysis and Design of Cryptographic Protocols for IoT Devices, under the supervision of Bart Preneel and Dave SingelĂ©e.
My research examines how cryptographic protocols behave in real connected systems once they are embedded into products, standards, and large-scale ecosystems. I work at the intersection of applied cryptography, wireless security, and usable security, with a focus on IoT and cyber-physical systems where security decisions are shaped by usability, deployment constraints, and user interaction.
A core theme of my work is secure device onboarding at scale. I study authentication, pairing, and key establishment protocols for constrained and consumer-facing devices, analysing how convenience-driven design choices can introduce subtle but serious security and privacy risks. Through a combination of protocol analysis, system-level evaluation, and empirical experimentation, I aim to uncover these weaknesses and provide principled guidance for more robust designs.
More broadly, my interests include protocol design and analysis for embedded and wireless systems, key management in resource-constrained environments, security mechanisms that rely on proximity and context, and the tension between usability and security in modern connected products. Across my work, I focus on real-world cryptography, analysing how security protocols interact with deployment constraints, wireless environments, and system-level realities.
My ErdĆs number is 4, and my Dijkstra number is 4. Outside research, I enjoy racquet sports, exploring gastronomy, learning new languages, and the occasional dive into etymology and politics.
Please feel free to get in touch!
Publications (7)
Cite
@misc{cryptoeprint:2025/1268,
author = {Sayon Duttagupta and Arman Kolozyan and Georgio Nicolas and Bart Preneel and Dave Singelee},
title = {{Whatâs the Matter? An In-Depth Security Analysis of the Matter Protocol}},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1268},
year = {2025},
url = {https://eprint.iacr.org/2025/1268}
}
My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@misc{cryptoeprint:2025/1502,
author = {Sayon Duttagupta and Dave Singelée and Xavier Carpent and Volkan Guler and Takahito Yoshizawa and Seyed Farhad Aghili and Aysajan Abidin and Bart Preneel},
title = {{CARPOOL: Secure And Reliable Proof of Location}},
howpublished = {Cryptology {ePrint} Archive, Paper 2025/1502},
year = {2025},
url = {https://eprint.iacr.org/2025/1502}
}My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@inproceedings{ZeroTouch,
author = {Antonijevi\'{c}, Nikola and Duttagupta, Sayon and Singel\'{e}e, Dave and R\'{u}a, Enrique Argones and Preneel, Bart},
title = {{ZeroTouch: Reinforcing RSS for Secure Geofencing}},
booktitle = {Proceedings of the 30th ACM Symposium on Access Control Models and Technologies},
doi = {10.1145/3734436.3734448},
pages = {189â200},
numpages = {12},
series = {SACMAT '25},
year = {2025}
}
My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@INPROCEEDINGS{PathSafe,
author = {Monaco, Doriana and AntonijeviÄ, Nikola and Duttagupta, Sayon and SingelĂ©e, Dave and Sacco, Alessio and Marin, Eduard and Preneel, Bart},
title = {{PathSafe: Secure Path Verification in Software-Defined Networks}},
booktitle = {NOMS 2025-2025 IEEE Network Operations and Management Symposium},
doi = {10.1109/NOMS57970.2025.11073644},
year = {2025}
}My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@INPROCEEDINGS{PISA,
author = {Duttagupta, Sayon and Singelée, Dave},
title = {{PISA: Privacy-Preserving Smart Parking}},
booktitle = {2025 IEEE 22nd Consumer Communications & Networking Conference (CCNC)},
doi = {10.1109/CCNC54725.2025.10976197},
year = {2025}
}
My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@inproceedings{HAT-imd,
author = {Duttagupta, Sayon and Marin, Eduard and Singel\'{e}e, Dave and Preneel, Bart},
title = {{HAT: Secure and Practical Key Establishment for Implantable Medical Devices}},
booktitle = {Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy},
doi = {10.1145/3577923.3583646},
pages = {213â224},
numpages = {12},
series = {CODASPY '23},
year = {2023}
}
My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Cite
@INPROCEEDINGS{T-HIBE,
author = {Duttagupta, Sayon and Singelée, Dave and Preneel, Bart},
title = {{T-HIBE: A Novel Key Establishment Solution for Decentralized, Multi-Tenant IoT Systems}},
booktitle = {2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC)},
doi = {10.1109/CCNC49033.2022.9700537},
year = {2022}
}My PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK----- xjMEZwll9xYJKwYBBAHaRw8BAQdAOCoOT1nDI9D9aPaAy9D120dxG/eCvlltKZlK vXXQkyPNNFNheW9uIER1dHRhZ3VwdGEgPFNheW9uLkR1dHRhZ3VwdGFAZXNhdC5r dWxldXZlbi5iZT7CjwQTFggANxYhBHFaPNeW4Xva48Sn6vFLRsI7KTa5BQJnCWX3 BQkFo5qAAhsDBAsJCAcFFQgJCgsFFgIDAQAACgkQ8UtGwjspNrmTqAEAxxxAxKGY th5FEeF3UYHsw2Ig7QEK0jIvS+/eyu5g2gwA/j5XSv2i1HVKOzkNbk2ORvGvCMR7 2QKt7NcGP7pTrsgCzjgEZwll+BIKKwYBBAGXVQEFAQEHQJOu8SgOwWO7HMI8yns+ C12vLqkkLkByL1VGeWBulHZQAwEIB8J+BBgWCAAmFiEEcVo815bhe9rjxKfq8UtG wjspNrkFAmcJZfgFCQWjmoACGwwACgkQ8UtGwjspNrn7uwEAgwpVrY1DadpwF+I3 0eEEdoRAJKfoZRHpGi/LN7iXcYIA/0CDY7MQMXYYAsTo+mkW5AEuDUpQDNLuznTe xkDt+McO =qmfs -----END PGP PUBLIC KEY BLOCK-----
Updates
News, talks, and updates
đ Jan 2026 Defended my PhD! đ„ł
đïž Jan 2026 WhisperPair received broad media coverage, including WIRED and The New York Times. For a full list of coverage, see the media coverage section on the project website.
đ Jan 2026 We disclosed the WhisperPair vulnerability as CVE-2025-36911. We also shot a demo video!
đ Jul 2025 Our security analysis of Matter is available on ePrint – IACR ePrint 2025/1268
đ€ Jan 2025 Presented PISA at IEEE CCNC 2025 in Las Vegas, USA.
đ€ Oct 2024 Invited talk at the imec Wireless Event in Leuven, Belgium, on Secure Localisation-based Device Commissioning.
đ§ââïž Nov 2023 Programme Committee member, ACM WiSec 2024.
đ€ Aug 2023 Invited talk at IFIP WG 11.4 in Amsterdam, The Netherlands, on Security Protocols for IoT.
đ€ Apr 2023 Presented HAT at ACM CODASPY 2023 in Charlotte, USA.
Extras
Research Projects
I have contributed to and coordinated research activities across national, regional, and European projects focused on security and privacy for connected and embedded systems.
FWO SPITE - Security and Privacy in an Internet of Things Environment (Grant #S002417N)
VLAIO TRUSTI - Secure remote software updates in IoT (Grant #HBC.2021.0742)
EU TELEMETRY - Trustworthy mEthodologies, open knowLedgE and autoMated tools for sEcurity Testing of IoT software, hardware, and ecosystems (Grant #101119747)
Masterâs Thesis Supervision
I have supervised masterâs theses across KU Leuven and international partner institutions, covering applied cryptography, network security, and secure systems design.
Ward van Gerwen (Computer Science, KU Leuven), 2021 – 2022, Blockchain Based Data Management System in an IoT Environment
Nikola AntonijeviÄ (ESAT, KU Leuven), 2022 – 2023, Secure Path Verification in Software Defined Networks
Rachit Parikh (ISI Kolkata, India), 2022 – 2023, TKBE: Two Key Broadcast Encryption for the IoT
Supriyo Banerjee (ISI Kolkata, India), 2024 – 2025, Multi party Key Establishment for Resource Constrained Devices
Internship Supervision
I have supervised research internships focused on protocol design and implementaion, security analysis, and real world system evaluation.
- Quinten Pinkhof, 2021, Location based Authentication
- Nikola AntonijeviÄ, 2022, Location based Device Commissioning
- Arman Kolozyan, 2024, Security Analysis of the Matter Protocol
- Seppe Wyns, 2025, Security Analysis of the Google Fast Pair Protocol
- Francesco Milizia, 2025, Symmetric Key Authentication with PFS for IoT Systems
- Neeranuch Jitkhajornwanich, 2026, Dissymmetric Modes for Symmetric Cryptography in IoT Protocols
Selected Media Coverage
- WIRED, “Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking” by Andy Greenberg and Lily Hay Newman
- The New York Times, “Wireless Earbuds Can Be Hacked. Here’s How to Protect Yourself by Max Eddy
- Engadget, “Flaw in 17 Google Fast Pair audio devices could let hackers eavesdrop” by Will Shanklin
- The Register, “Fast Pair, loose security: Bluetooth accessories open to silent hijack” by Carly Page
- The Verge, “Sony, Anker, and other headphones have a serious Google Fast Pair security vulnerability” by Andrew Liszewski
Teaching
- Fall 2025 - Cryptographic Protocols (H0Q28A)