About
151 Publications
37,990 Reads
7,898 Citations
Additional affiliations
September 2009 - June 2015
Publications (151)
Blockchain systems often rely on rationality assumptions for their security, expecting that nodes are motivated to maximize their profits. These systems thus design their protocols to incentivize nodes to execute the honest protocol but fail to consider out-of-band collusion. Existing works analyzing rationality assumptions are limited in their sco...
Internet blackouts are challenging environments for anonymity and censorship resistance. Existing popular anonymity networks (e.g., Freenet, I2P, Tor) rely on Internet connectivity to function, making them impracticable during such blackouts. In such a setting, mobile ad-hoc networks can provide connectivity, but prior communication protocols for a...
Front-running attacks, which benefit from advanced knowledge of pending transactions, have proliferated in the cryptocurrency space since the emergence of decentralized finance. Front-running causes devastating losses to honest participants – estimated at $280M each month – and endangers the fairness of the ecosystem. W...
Leader-based consensus algorithms are vulnerable to liveness and performance downgrade attacks. We explore the possibility of replacing leader election in Multi-Paxos with random exponential backoff (REB), a simpler approach that requires minimum modifications to the two phase Synod Paxos and achieves better resiliency under attacks. We propose Bax...
Most existing remote electronic voting systems are vulnerable to voter coercion and vote buying. While coercion-resistant voting systems address this challenge, current schemes assume that the voter has access to an untappable, incorruptible device during voter registration. We present TRIP, an in-person voter registration scheme enabling voters to...
Distributed ledgers provide high availability and integrity, making them a key enabler for practical and secure computation of distributed workloads among mutually distrustful parties. Many practical applications also require strong confidentiality, however. This work enhances permissioned and permissionless blockchains with the ability to manage...
While democracy is founded on the principle of equal opportunity to manage our lives and pursue our fortunes, the forms of money we have inherited from millennia of evolution have brought us to an unsustainable dead-end of exploding inequality. PoPCoin proposes to leverage the unique historical opportunities that digital cryptocurrencies present for...
Organizational networks are vulnerable to traffic-analysis attacks that enable adversaries to infer sensitive information from network traffic—even if encryption is used. Typical anonymous communication networks are tailored to the Internet and are poorly suited for organizational networks. We present PriFi, an anonymous communication protocol for LAN...
It is commonly held that asynchronous consensus is much more complex, difficult, and costly than partially-synchronous algorithms, especially without using common coins. This paper challenges that conventional wisdom with que sera consensus (QSC), an approach to consensus that cleanly decomposes the agreement problem from that of network asynchrony....
Most encrypted data formats leak metadata via their plaintext headers, such as format version, encryption schemes used, number of recipients who can decrypt the data, and even the recipients’ identities. This leakage can pose security and privacy risks to users, e.g., by revealing the full membership of a group of collaborators from a single encryp...
Can we improve Internet transparency without worsening user anonymity? For a long time, researchers have been proposing transparency systems, where traffic reports produced at strategic network points help assess network behavior and verify service-level agreements or neutrality compliance. However, such reports necessarily reveal when certain traf...
While showing great promise, smart contracts are difficult to program correctly, as they need a deep understanding of cryptography and distributed algorithms, and offer limited functionality, as they have to be deterministic and cannot operate on secret data. In this paper we present Protean, a general-purpose decentralized computing platform that...
Software-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of...
The increasing number of health-data breaches is creating a complicated environment for medical-data sharing and, consequently, for medical progress. Therefore, the development of new solutions that can reassure clinical sites by enabling privacy-preserving sharing of sensitive medical data in compliance with stringent regulations (e.g., HIPAA, GDP...
Most encrypted data formats, such as PGP, leak substantial metadata in their plaintext headers, such as format version, encryption schemes used, the number of recipients who can decrypt the data, and even the identities of those recipients. This leakage can pose security and privacy risks, e.g., by revealing the full membership of a group of collab...
Humanitarian action, the process of aiding individuals in situations of crises, poses unique information-security challenges due to natural or manmade disasters, the adverse environments in which it takes place, and the scale and multi-disciplinary nature of the problems. Despite these challenges, humanitarian organizations are transitioning toward...
Designing a secure permissionless distributed ledger (blockchain) that performs on par with centralized payment processors, such as Visa, is a challenging task. Most existing distributed ledgers are unable to scale-out, i.e., to grow their total processing capacity with the number of validators; and those that do, compromise security or decentraliz...
In recent work on open, privacy-preserving, accountable surveillance, we have proposed the use of cryptographic protocols that enable law-enforcement and intelligence agencies to obtain actionable information about targeted users of mass-communication systems without intruding on the privacy of untargeted users. Our suggestion that appropriate tech...
Popular anonymity protocols such as Tor provide low communication latency but are vulnerable to traffic-analysis attacks that can de-anonymize users. Traffic-analysis resistant protocols typically do not achieve low-latency communication (e.g., Dissent, Riffle), or are restricted to a specific type of traffic (e.g., Herd, Aqua). In this paper, we present PriFi, the first p...
Atom is an anonymous messaging system that protects against traffic-analysis attacks. Unlike many prior systems, each Atom server touches only a small fraction of the total messages routed through the network. As a result, the system's capacity scales near-linearly with the number of servers. At the same time, each Atom user benefits from "best pos...
Current solutions for privacy-preserving data sharing among multiple parties either depend on a centralized authority that must be trusted and provides only weakest-link security (e.g., the entity that manages private/secret cryptographic keys), or leverage decentralized but impractical approaches (e.g., secure multi-party computation). When the...
2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery. Atom is an anonymous messaging system that protects against traffic-analysis attacks. Unlike many prior systems, each Atom server touches only a small fraction of the total messages routed through the network. As a result, the system’s ca...
Bias-resistant public randomness is a critical component in many (distributed) protocols. Generating public randomness is hard, however, because active adversaries may behave dishonestly to bias public random choices toward their advantage. Existing solutions do not scale to hundreds or thousands of participants, as is needed in many decentralized...
Atom is an anonymity system that protects against traffic-analysis attacks and avoids the scalability bottlenecks of traditional mix-net- and DC-net-based anonymity systems. Atom consists of a distributed network of mix servers connected with a carefully structured link topology. Unlike many anonymous communication systems with traffic-analysis prot...
Popular anonymity mechanisms such as Tor provide low communication latency but are vulnerable to traffic analysis attacks that can de-anonymize users. Moreover, known traffic-analysis-resistant techniques such as Dissent are impractical for use in latency-sensitive settings such as wireless networks. In this paper, we propose PriFi, a low-latency p...
How can government agencies acquire actionable, useful information about legitimate targets, while preserving the privacy of innocent parties and holding government agencies accountable? Towards understanding this crucial issue, we present the first privacy-preserving protocol for contact chaining, an operation that law-enforcement and intelligence...
While showing great promise, Bitcoin requires users to wait tens of minutes for transactions to commit - even then offering only probabilistic guarantees. This paper introduces ByzCoin, a novel Byzantine consensus protocol that leverages scalable collective signing to commit Bitcoin transactions irreversibly within seconds. ByzCoin achieves Byzanti...
The question of how government agencies can acquire actionable, useful information about legitimate but unknown targets without intruding upon the electronic activity of innocent parties is extremely important. We address this question by providing experimental evidence that actionable, useful information can indeed be obtained in a manner that pre...
The secret keys of critical network authorities - such as time, name, certificate, and software update services - represent high-value targets for hackers, criminals, and spy agencies wishing to use these keys secretly to compromise other hosts. To protect authorities and their clients proactively from undetected exploits and misuse, we introduce C...
Federated identity providers, e.g., Facebook and PayPal, offer a convenient means for authenticating users to third-party applications. Unfortunately such cross-site authentications carry privacy and tracking risks. For example, federated identity providers can learn what applications users are accessing; meanwhile, the applications can know the us...
Existing anonymity systems sacrifice anonymity for efficient communication or vice-versa. Onion-routing achieves low latency, high bandwidth, and scalable anonymous communication, but is susceptible to traffic analysis attacks. Designs based on DC-Nets, on the other hand, protect the users against traffic analysis attacks, but sacrifice bandwidth....
The massive parallelism and resource sharing embodying today's cloud business model not only exacerbate the security challenge of timing channels, but also undermine the viability of defenses based on resource partitioning. This paper proposes hypervisor-enforced timing mitigation to control timing channels in cloud environments. This approach clos...
Online infrastructure often depends on security-critical authorities such as logging, time, and certificate services. Authorities, however, are vulnerable to the compromise of one or a few centralized hosts yielding "weakest-link" security. We propose collective authorities or cothorities, an architecture enabling thousands of participants to witne...
GPU hardware is becoming increasingly general purpose, quickly outgrowing the traditional but constrained GPU-as-coprocessor programming model. To make GPUs easier to program and easier to integrate with existing systems, we propose making the host's file system directly accessible from GPU code. GPUfs provides a POSIX-like API for GPU programs, exp...
Users often wish to communicate anonymously on the Internet, for example, in group discussion or instant messaging forums. Existing solutions are vulnerable to misbehaving users, however, who may abuse their anonymity to disrupt communication. Dining Cryptographers Networks (DC-nets) leave groups vulnerable to denial-of-service and Sybil attacks; m...
Social networking sites supporting federated identities offer a convenient and increasingly popular mechanism for cross-site authentication. Unfortunately, they also exacerbate many privacy and tracking risks. We propose Crypto-Book, an anonymizing layer enabling cross-site authentication while reducing these risks. Crypto-Book relies on a set of i...
Distributed systems achieve scalability by balancing load across many machines, but wide-area distribution can introduce worst-case response latencies proportional to the network's delay diameter. Crux is a general framework to build locality-preserving distributed systems, by transforming some existing scalable distributed algorithm A into a new a...
TCP congestion control algorithms implicitly assume that the per-flow throughput is at least a few packets per round trip time. Environments where this assumption does not hold, which we refer to as small packet regimes, are common in the contexts of wired and cellular networks in developing regions. In this paper we show that in small packet regim...
As GPU hardware becomes increasingly general-purpose, it is quickly outgrowing the traditional, constrained GPU-as-coprocessor programming model. This article advocates for extending standard operating system services and abstractions to GPUs in order to facilitate program development and enable harmonious integration of GPUs in computing systems....
Today's systems pervasively rely on redundancy to ensure reliability. In complex multi-layered hardware/software stacks, however – especially in the clouds where many independent businesses deploy interacting services on common infrastructure – seemingly independent systems may share deep, hidden dependencies, undermining redundancy efforts and int...
Obtaining and maintaining anonymity on the Internet is challenging. The state of the art in deployed tools, such as Tor, uses onion routing (OR) to relay encrypted connections on a detour passing through randomly chosen relays scattered around the Internet. Unfortunately, OR is known to be vulnerable at least in principle to several classes of atta...
Despite the attempts of well-designed anonymous communication tools to protect users from being tracked or identified, other artifacts, such as a user's environment and behavior, may leak a user's identity. Plugging this leaky boat of web anonymity requires a "top-to-bottom" whole-system approach, rather than focusing on specific protocols or layer...
Through cross-site authentication schemes such as OAuth and OpenID, users increasingly rely on popular social networking sites for their digital identities--but use of these identities brings privacy and tracking risks. We propose Crypto-Book, an extension to existing digital identity infrastructures that offers privacy-preserving, digital identiti...
As organizations and individuals have begun to rely more and more heavily on cloud-service providers for critical tasks, cloud-service reliability has become a top priority. It is natural for cloud-service providers to use redundancy to achieve reliability. For example, a provider may replicate critical state in two data centers. If the two data ce...
To enhance the reliability of cloud services, many application providers leverage multiple cloud providers for redundancy. Unfortunately, such techniques fail to recognize that seemingly independent redundant clouds may share third-party infrastructure components, e.g., power sources and Internet routers, which could potentially undermine this redu...
The security of any cryptosystem relies on the secrecy of the system's secret keys. Yet, recent experimental work demonstrates that tens of thousands of devices on the Internet use RSA and DSA secrets drawn from a small pool of candidate values. As a result, an adversary can derive the device's secret keys without breaking the underlying cryptosyst...
Software-Defined Networking offers the appeal of a simple, centralized programming model for managing complex networks. However, challenges in managing low-level details, such as setting up and maintaining correct and efficient forwarding tables on distributed switches, often compromise this conceptual simplicity. In this paper, we present Maple,...
We present the design and prototype implementation of ConScript, a framework for using JavaScript to allow casual Web users to participate in an anonymous communication system. When a Web user visits a cooperative Web site, the site serves a JavaScript application that instructs the browser to create and submit "dummy" messages into the anonymity s...
Many parallel programs are intended to yield deterministic results, but unpredictable thread or process interleavings can lead to subtle bugs and nondeterminism. We are exploring a producer-consumer memory model---SPMC---for efficient system-enforced deterministic parallelism. However, the previous eager page mapping wastes physical memory, and can...
Some anonymity schemes might in principle protect users from pervasive network surveillance - but only if all messages are independent and unlinkable. Users in practice often need pseudonymity - sending messages intentionally linkable to each other but not to the sender - but pseudonymity in dynamic networks exposes users to intersection attacks. W...
The consequences of security breaches due to system administrator errors can be catastrophic. Software systems in general, and OSes in particular, ultimately depend on a fully trusted administrator who is granted superuser privileges that allow him to fully control the system. Consequently, an administrator acting negligently or unethically can ea...
Current anonymous communication systems make a trade-off between weak anonymity among many nodes, via onion routing, and strong anonymity among few nodes, via DC-nets. We develop novel techniques in Dissent, a practical group anonymity system, to increase by over two orders of magnitude the scalability of strong, traffic analysis resistant approach...
The DC-nets approach to anonymity has long held attraction for its strength against traffic analysis, but practical implementations remain vulnerable to internal disruption or "jamming" attacks requiring time-consuming tracing procedures to address. We present Verdict, the first practical anonymous group communication system built using proactively...
Most compression algorithms used in storage systems today are based on an increasingly outmoded sequential processing model. Systems wishing to decompress blocks out-of-order or in parallel must reset the compressor's state before each block, reducing adaptiveness and limiting compression ratios. To remedy this situation, we present Non-Linear Comp...
Anonymous communication capabilities are useful and desirable, but practical onion routing approaches are vulnerable to traffic analysis and DoS attacks—especially against a powerful adversary, such as a repressive government or compromised ISP. To fill this gap we introduce D3, the first practical anonymous group communication system offering ano...
Social networks (SNs) enable physically distributed groups to communicate seamlessly. Unfortunately such communication can be easily mined by adversaries in attempts to breach users' privacy or suppress open discussion on sensitive topics. While anonymous posting can help protect users by hiding the link between individuals and the messages they po...
Cloud computing is appealing from management and efficiency perspectives, but brings risks both known and unknown. Well-known and hotly-debated information security risks, due to software vulnerabilities, insider attacks, and side-channels for example, may be only the "tip of the iceberg." As diverse, independently developed cloud services share ev...