I am a PhD candidate in computer science at Stanford, advised by Dan Boneh.
I build systems that use cryptography to empower and protect their users. Descriptions of a few major projects are below. For more details on my past research, please see my full list of publications.
Prio: Private Computation of Aggregate Statistics
Shipping in the Firefox browser (version 64).
Prio is a system for the privacy-preserving collection of aggregate statistics. The system achieves 50-100x speed-ups over comparable systems by using a new type of zero-knowledge proof on secret-shared data. A browser vendor could use Prio to learn how many users turn on "private browsing" mode, without learning which users these are. Prio supports a variety of common aggregation functions, including average, variance, approximate most-popular, and linear regression. (Joint work with Dan Boneh.) Paper, NSDI 2017 • Slides (.pdf) • Video • Experimental code
Deployment in Firefox: Mozilla's blog post • Production code
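As an added illustration of the secret-shared aggregation at the heart of Prio (example code written for this page, not Prio's own code): each client splits its 0/1 answer into two additive shares, one per server, and the servers can compute the count without either one seeing an individual answer. The field prime and the two-server setup are assumptions, and the zero-knowledge validity proof that Prio layers on top is omitted.

```python
import secrets

# Prime field for all shares. Constructed toy parameter for this example,
# not a value taken from the Prio paper or the Firefox deployment.
P = 2**61 - 1


def share(value: int):
    """Split a field element into two additive shares.
    Each share on its own is uniform in [0, P), so one server learns nothing."""
    s1 = secrets.randbelow(P)
    s2 = (value - s1) % P
    return s1, s2


def client_submit(private_browsing_on: bool):
    """A client encodes its boolean as 0/1 and sends one share to each server."""
    return share(1 if private_browsing_on else 0)


def server_aggregate(shares):
    """Each server sums the shares it received, mod P. It only ever holds
    its own share of each submission, never a plaintext answer."""
    return sum(shares) % P


def reconstruct(total1: int, total2: int) -> int:
    """Combining the two servers' partial sums reveals only the aggregate count."""
    return (total1 + total2) % P


def run_collection(client_inputs):
    """Simulate the whole flow: clients split, servers sum, totals are combined."""
    server1, server2 = [], []
    for flag in client_inputs:
        s1, s2 = client_submit(flag)
        server1.append(s1)
        server2.append(s2)
    return reconstruct(server_aggregate(server1), server_aggregate(server2))


if __name__ == "__main__":
    # Constructed sample population: 5 of 8 users have private browsing on.
    population = [True, False, True, True, False, True, False, True]
    print(run_collection(population))  # → 5
```

Without a validity proof, a misbehaving client could submit shares that reconstruct to any field element rather than 0 or 1 and skew the count; Prio's zero-knowledge proof on secret-shared data is what lets the servers reject such a submission without ever seeing it.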
Riposte: Anonymous Messaging at Million-User Scale
IEEE S&P Distinguished Paper Award. Caspar Bowden PET Award.
Riposte is the first system for anonymous broadcast messaging that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service attacks by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques from the domains of private information retrieval and secure multi-party computation. (Joint work with Dan Boneh and David Mazières.) Paper, Oakland 2015 • Slides (.pdf) • Video • Code
My other work on anonymous messaging includes:
– Atom, SOSP 2017. Scaling mix-net systems to thousands of nodes.
– Verdict, USENIX Sec. 2013. DoS-resistant anonymous communication.
– Dissent, OSDI 2012. Making DC-nets closer to practical for messaging.
Preprocessing Attacks on the Discrete-Log Problem
Best Young Researcher Paper Award.
In a preprocessing attack, an adversary precomputes a data structure in an offline phase that lets it break a particular cryptosystem faster in a subsequent online phase. These attacks are relevant when many people use the same cryptographic parameters, as is the case with the standard discrete-log-based systems used on the Internet (e.g., in TLS and SSH). We prove that the existing discrete-log preprocessing attacks are essentially the best ones possible, amongst preprocessing attacks that operate in all groups. Our results imply that any improved preprocessing attack against standard elliptic-curve cryptosystems would somehow have to exploit the special structure of a particular curve. (Joint work with Dmitry Kogan.) Paper, Eurocrypt 2018 • Slides (.pdf) • Blog Post
Recently, we have studied preprocessing attacks against one-way functions and other cryptographic primitives.