I am a PhD candidate in computer science at Stanford, advised by Dan Boneh.
I build systems that use cryptography to empower and protect their users. Descriptions of a few major projects are below. For more details on my past research, please see my full list of publications.
Prio: Private Computation of Aggregate Statistics
Prio is a system for the privacy-preserving collection of aggregate statistics. The system achieves 50-100x speed-ups over comparable systems by using a new type of zero-knowledge proof on secret-shared data. A browser vendor could use Prio to learn how many users turn on "private browsing" mode, without learning which users these are. Prio supports a variety of common aggregation functions, including average, variance, approximate most-popular, and linear regression. (Joint work with Dan Boneh.)
Paper (NSDI 2017) • Slides (.pdf) • Video
Experimental code • Mozilla's production code
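As an added illustration (my own simplified sketch, not the Prio code linked above), the following Python shows the two ingredients the paragraph describes: each client additively secret-shares a 0/1 input ("private browsing on?") between two servers, and sends along a proof that the servers can check on the shares without learning the input. The validity circuit is the single gate x * (x - 1) = 0; the client interpolates degree-1 polynomials f, g through the gate's inputs with random constant terms, sends h = f * g, and the servers check h(1) = 0 and h(r) = f(r) * g(r) at a random point r. To keep the check short the servers simply publish their shares of f(r), g(r) and h(r) (the random constant terms make those values independent of x); that is a simplification of the paper's multiplication check. The field modulus, the fixed seeds and the way the servers agree on r are assumptions of this example.

```python
"""Two-server private count with a proof of validity on secret-shared data.
Added example in the spirit of Prio's SNIPs; not the project's code.  The
field modulus, seeds and the way servers agree on r are assumptions."""
import random

P = 2**61 - 1  # prime field modulus (assumption for this example)


def share(v, rng):
    """Additive two-party sharing: v == s0 + s1 (mod P)."""
    s0 = rng.randrange(P)
    return [s0, (v - s0) % P]


def client_submit(x, rng=random, cheat=None):
    """Build the two servers' messages for the input x.

    Validity circuit: one multiplication gate x * (x - 1), which must be 0.
    f, g are degree-1 polynomials with f(0) = u, f(1) = x, g(0) = v,
    g(1) = x - 1 (u, v random masks); h = f * g has degree 2.  The proof is
    (u, v, coefficients of h), all secret-shared like x.
    cheat="shift_h" models a malicious client that forces h(1) == 0 for an
    invalid x by sending an h that is no longer equal to f * g.
    """
    u, v = rng.randrange(P), rng.randrange(P)
    fx, gx = (x - u) % P, (x - 1 - v) % P              # f = u + fx*t, g = v + gx*t
    h = [u * v % P, (u * gx + v * fx) % P, fx * gx % P]  # coefficients of f*g
    if cheat == "shift_h":
        h[0] = (h[0] - x * (x - 1)) % P
    fields = {"x": x, "u": u, "v": v, "h0": h[0], "h1": h[1], "h2": h[2]}
    shares = {k: share(val, rng) for k, val in fields.items()}
    return [{k: s[i] for k, s in shares.items()} for i in range(2)]


def server_verify_share(i, sh, r):
    """Server i's local work: linear functions of its own shares only.

    Returns its shares of f(r), g(r), h(r) and h(1).  Public constants
    (the '- 1' in g) are applied by server 0 alone so the sum stays correct."""
    one = 1 if i == 0 else 0
    f_r = (sh["u"] + (sh["x"] - sh["u"]) * r) % P
    g_r = (sh["v"] + (sh["x"] - one - sh["v"]) * r) % P
    h_r = (sh["h0"] + sh["h1"] * r + sh["h2"] * r * r) % P
    h_1 = (sh["h0"] + sh["h1"] + sh["h2"]) % P
    return (f_r, g_r, h_r, h_1)


def decide(ver0, ver1):
    """Servers exchange the four values above and recombine them.

    f(r) and g(r) are uniformly random thanks to the masks u, v (for r != 1),
    so revealing them leaks nothing about x.  If h != f*g as polynomials the
    second check fails for all but at most 2 of the P choices of r."""
    f_r, g_r, h_r, h_1 = [(a + b) % P for a, b in zip(ver0, ver1)]
    return h_1 == 0 and h_r == f_r * g_r % P


def aggregate(submissions, r):
    """Verify every submission, sum the accepted x-shares per server, and
    combine only the two totals.  Returns (count, number accepted)."""
    assert r != 1, "r = 1 would reveal f(1) = x"
    sums, accepted = [0, 0], 0
    for msgs in submissions:
        vers = [server_verify_share(i, msgs[i], r) for i in range(2)]
        if decide(vers[0], vers[1]):
            accepted += 1
            for i in range(2):
                sums[i] = (sums[i] + msgs[i]["x"]) % P
    return (sums[0] + sums[1]) % P, accepted


def demo(seed=7):
    """Constructed run: five honest clients (three with x = 1) plus two
    invalid submissions that the servers must reject."""
    rng = random.Random(seed)
    subs = [client_submit(x, rng) for x in (1, 0, 1, 1, 0)]
    subs.append(client_submit(5, rng))                   # invalid x, honest proof
    subs.append(client_submit(5, rng, cheat="shift_h"))  # invalid x, forged h
    r = random.Random(seed + 1).randrange(2, P)  # joint randomness, assumed agreed
    return aggregate(subs, r)  # -> (3, 5)
```

Each server sees only uniformly random shares, so neither learns which clients sent 1; the invalid x = 5 is caught either by h(1) != 0 (honest proof) or, when h is forged to pass that check, by the random-point test h(r) != f(r) * g(r). Real deployments use a larger validity circuit per aggregation function and derive r from shared randomness rather than a fixed seed.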
Riposte: Anonymous Messaging at Million-User Scale
IEEE S&P Distinguished Paper Award. Caspar Bowden PET Award.
Riposte is the first system for anonymous broadcast messaging that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service attacks by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques from the domains of private information retrieval and secure multi-party computation. (Joint work with Dan Boneh and David Mazières.)
Paper (Oakland 2015) • Slides (.pdf) • Video • Code
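The "PIR in reverse" idea at the heart of Riposte, as an added example written for this page (my own illustration, not Riposte's code): a client wants to write a message into one cell of a table replicated on two servers without either server learning which cell or what message. It sends each server a short key; expanding a key gives that server a full table share, and the two shares XOR to a table that is zero everywhere except the target cell. The keys here follow the square-root-size construction (per-row seeds and flip bits that agree everywhere except the target row, plus one correction word), so each key is O(sqrt(N)) rather than O(N). The SHA-256 counter-mode PRG, the table dimensions and the sample messages are constructed for the example; Riposte's collision handling and its audit of malformed keys by a third server are not shown.

```python
"""Write-private database in the style of Riposte (added example, not the
project's code).  A client writes message m into cell (i, j) of an
n_rows x n_cols table held by two servers; neither server learns (i, j) or m.
The PRG, dimensions and messages are constructed for this illustration."""
import hashlib
import os

SEED_LEN = 16


def prg(seed, nbytes):
    """Expand a seed with SHA-256 in counter mode (toy PRG, an assumption)."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:nbytes]


def xor(a, b):
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def dpf_gen(n_rows, n_cols, cell_len, i, j, m):
    """Keys for 'write m at cell (i, j)'.  The two servers' seeds and flip
    bits agree on every row except row i, where the bit is flipped and the
    seed is fresh; the shared correction word v fixes row i to the unit row."""
    assert 0 <= i < n_rows and 0 <= j < n_cols and len(m) == cell_len
    row_len = n_cols * cell_len
    seeds_a = [os.urandom(SEED_LEN) for _ in range(n_rows)]
    bits_a = [os.urandom(1)[0] & 1 for _ in range(n_rows)]
    seeds_b, bits_b = list(seeds_a), list(bits_a)
    seeds_b[i] = os.urandom(SEED_LEN)
    bits_b[i] ^= 1
    unit = bytes(j * cell_len) + m + bytes((n_cols - 1 - j) * cell_len)
    # On row i exactly one server XORs v in, so the rows combine to
    # PRG(seed_a) ^ PRG(seed_b) ^ v == unit; every other row cancels to zero.
    v = xor(xor(prg(seeds_a[i], row_len), prg(seeds_b[i], row_len)), unit)
    return (bits_a, seeds_a, v), (bits_b, seeds_b, v)


def dpf_eval(key, n_cols, cell_len):
    """Expand a key into this server's share of the whole table."""
    bits, seeds, v = key
    row_len = n_cols * cell_len
    return [xor(prg(s, row_len), v) if b else prg(s, row_len)
            for b, s in zip(bits, seeds)]


class Server:
    def __init__(self, n_rows, n_cols, cell_len):
        self.n_cols, self.cell_len = n_cols, cell_len
        self.db = [bytes(n_cols * cell_len) for _ in range(n_rows)]

    def write(self, key):
        """Fold one client's share into the table; the server sees only
        pseudorandom rows and learns nothing about the write."""
        for k, row in enumerate(dpf_eval(key, self.n_cols, self.cell_len)):
            self.db[k] = xor(self.db[k], row)


def reveal(srv_a, srv_b):
    """End of epoch: the servers combine their tables.  Returns cell -> bytes."""
    cell_len, out = srv_a.cell_len, {}
    for k, (ra, rb) in enumerate(zip(srv_a.db, srv_b.db)):
        row = xor(ra, rb)
        for c in range(srv_a.n_cols):
            out[(k, c)] = row[c * cell_len:(c + 1) * cell_len]
    return out


def demo():
    """Two constructed clients write into distinct cells of a 4x4 table."""
    n_rows, n_cols, cell_len = 4, 4, 8
    a, b = Server(n_rows, n_cols, cell_len), Server(n_rows, n_cols, cell_len)
    for i, j, m in [(1, 2, b"hello"), (3, 0, b"world")]:
        ka, kb = dpf_gen(n_rows, n_cols, cell_len, i, j, m.ljust(cell_len, b"\0"))
        a.write(ka)
        b.write(kb)
    return reveal(a, b)
```

Two writes to the same cell would XOR together, which is why a system like this must size the table against the expected number of writers and detect collisions; and because a malformed key pair could write to many cells at once, a deployment also needs the malformed-write audit that Riposte performs before a key is applied.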
My other work on anonymous messaging includes:
Atom (SOSP 2017), Verdict (USENIX Sec. 2013), Dissent (OSDI 2012)
Preprocessing Attacks on the Discrete-Log Problem
Best Young Researcher Paper Award.
In a preprocessing attack, an adversary precomputes a data structure (the "advice") in an offline phase that lets it break a particular cryptosystem faster in a subsequent online phase. These attacks are relevant when many people use the same cryptographic parameters, as is the case with the standard discrete-log-based systems used on the Internet (e.g., in TLS and SSH): the offline work is paid once and then amortized over every key that uses those parameters. We prove that the existing discrete-log preprocessing attacks are essentially the best ones possible among generic attacks, i.e., attacks that work in every group and do not exploit the representation of group elements. Our results imply that any improved preprocessing attack against standard elliptic-curve cryptosystems would somehow have to exploit the special structure of a particular curve. (Joint work with Dmitry Kogan.)
Paper (Eurocrypt 2018) • Slides (.pdf) • Blog Post
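The attack whose optimality the paper establishes, as an added example in a toy group (my own illustration, not the paper's code): the attacker runs S pseudorandom walks offline and stores only their endpoints, "distinguished points" whose discrete logarithms it knows; online, it walks from the target until it lands on a stored point. With walks of expected length T the online cost is roughly N/(S*T) + T group operations, so S = T = N^(1/3) gives online time N^(1/3) instead of the N^(1/2) a generic attacker needs without advice. The group (an order-q subgroup of Z_p^* with p = 2q + 1 and q just above 2^24), the walk function, the distinguished-point rule and the seeds are all assumptions of the example.

```python
"""Discrete-log attack with preprocessing in a toy group (added example, not
the paper's code).  Group: the order-q subgroup of Z_p^* for a safe prime
p = 2q + 1, so N = q.  Offline: S random walks that stop at 'distinguished
points' (DPs) whose discrete logs the attacker records.  Online: walk from
the target h until a stored DP is reached.  All parameters are assumptions."""
import random


def is_prime(n):
    """Trial division; fine for the ~2^25 values used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def safe_prime_above(lo):
    """Smallest q >= lo such that both q and 2q + 1 are prime."""
    q = lo
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return q


class Walk:
    """r-adding walk y -> y * g^m[j], with j a function of y alone, so walks
    started from different points merge once they collide.  A point is
    'distinguished' when dp_bits of it are zero (probability ~2^-dp_bits),
    which makes the expected walk length T ~ 2^dp_bits."""

    def __init__(self, p, q, g, rng, dp_bits=8, r=32):
        self.p, self.q, self.g = p, q, g
        self.m = [rng.randrange(1, q) for _ in range(r)]
        self.jump = [pow(g, e, p) for e in self.m]
        self.dp_mask = (1 << dp_bits) - 1
        self.max_steps = 40 << dp_bits  # abandon walks that cycle without a DP

    def run(self, y, e):
        """Walk from y = base * g^e, tracking the exponent e of g.
        Returns (dp, e_at_dp, steps) or None if no DP was reached."""
        for steps in range(self.max_steps):
            if ((y >> 5) & self.dp_mask) == 0:
                return y, e, steps
            j = y % len(self.jump)
            y = y * self.jump[j] % self.p
            e = (e + self.m[j]) % self.q
        return None


def preprocess(walk, S, rng):
    """Offline phase: S walks from g^a with known a.  The table DP -> log(DP)
    (at most S entries) is the only advice kept for the online phase."""
    table = {}
    for _ in range(S):
        a = rng.randrange(walk.q)
        res = walk.run(pow(walk.g, a, walk.p), a)
        if res is not None:
            table[res[0]] = res[1]
    return table


def online(walk, table, h, rng, max_tries=1000):
    """Online phase: find x with g^x = h.  Start at h * g^k for a fresh random
    k; if the walk ends at a DP with stored log L then h * g^e = g^L, so
    x = L - e (mod q).  Returns (x, total_steps) or None."""
    total = 0
    for _ in range(max_tries):
        k = rng.randrange(walk.q)
        res = walk.run(h * pow(walk.g, k, walk.p) % walk.p, k)
        if res is None:
            total += walk.max_steps
            continue
        dp, e, steps = res
        total += steps
        if dp in table:
            return (table[dp] - e) % walk.q, total
    return None


def demo(seed=1, S=256):
    """Solve one random instance with S = T = 256 = N^(1/3) for N ~ 2^24.
    Returns (true x, recovered x, online group operations)."""
    rng = random.Random(seed)
    q = safe_prime_above(1 << 24)
    p, g = 2 * q + 1, 4               # 4 = 2^2 is a square, hence of order q
    walk = Walk(p, q, g, rng)
    table = preprocess(walk, S, rng)  # done once, reused for every target
    x = rng.randrange(q)
    h = pow(g, x, p)
    found, steps = online(walk, table, h, rng)
    return x, found, steps
```

The online phase typically finishes in a few hundred to a few thousand multiplications, far below the roughly 4000 = sqrt(2^24) of a walk without advice, and the same table serves every target in the group. That reuse is exactly why shared parameters matter: for a real 256-bit group the offline cost is astronomical, but it is paid once for everyone, and the paper's result says that, for generic attacks, no data structure does better than this S*T^2 ~ N trade-off.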