### Home

I'm a Research Scientist at Visa Research in Palo Alto, CA. I'm currently working on research problems that can be used to build secure, scalable, and privacy-preserving blockchain protocols ranging from distributed consensus to confidential transactions over blockchains. My approach is to combine the strong arguments of theoretical computer science with the efficiency of applied techniques in the context of real-world problems. Previously, I was a postdoctoral associate in Computer Science at Yale University supervised by Joan Feigenbaum.

#### Interests

Security and Privacy of Distributed Algorithms [more]

I am interested in:
1. Designing distributed algorithms that can scale to large networks;
3. Guaranteeing their users' privacy;
4. Rigorously analyzing their performance to find bottlenecks that limit their practicality;
5. Building software systems based on them to solve a day-to-day problem.

#### Current projects

• RapidChain: RapidChain: Scaling Blockchain Consensus with Full Decentralization [abstract]

Most decentralized cryptocurrencies such as Bitcoin rely on a consensus protocol that allows a group of mutually-untrusted participants to agree on a public ledger of transactions known as the blockchain. Unlike traditional consensus mechanisms, a blockchain consensus often happens in a peer-to-peer network with open membership, where new participants (with no identities established yet) can join the system during the protocol execution. This setting introduces new fundamental challenges, such as handling Sybil attacks and node churn while providing scalability, that have only recently been studied in the area of Byzantine consensus protocols. Unfortunately, known techniques still fall short of solving these challenges due to major trust assumptions, poor scalability and load-balancing, and high latency, making them impractical and/or insecure for large-scale transaction processing. In this paper, we introduce RapidChain, a scalable consensus protocol for public blockchains that is resilient to Byzantine faults from close to a $1/3$ fraction of the nodes and requires each node to exchange only a sublinear (in the number of participants) amount of information. Unlike previous work, RapidChain does not rely on any public-key infrastructure, trusted setup, or initial public randomness. Moreover, it allows new participants to join or leave the protocol without delaying its execution. To the best of our knowledge, RapidChain is the first blockchain protocol that can, without any trusted setup, shard both the communication and storage overhead of blockchain among smaller committees of nodes such that each node exchanges only a sublinear amount of information. Our empirical evaluations suggest that fully-decentralized blockchains, such as RapidChain, can be practical and, unlike most cryptocurrencies, can scale up their throughput with more resources (\ie, nodes) added to the system.

• FlyClient: Super-Light Clients for Cryptocurrencies [abstract]

• PriFi: A low-latency protocol for anonymous communication in local-area networks [abstract]

Popular anonymity mechanisms such as Tor provide small communication latency, but are vulnerable to traffic-analysis attacks that can de-anonymize users. Besides, known traffic-analysis resistant techniques such as Dissent are impractical for use in latency-sensitive settings such as wireless networks. We propose PriFi, a low-latency protocol for anonymous communication that is provably-secure against traffic-analysis attacks. PriFi allows members of an organization to access the Internet anonymously while they are on-site (via privacy-preserving WiFi networking) or off-site (via privacy-preserving virtual private networking or VPN).

We reduce communication latency by using a client-relay-server architecture, where a set of servers pre-compute cryptographic material that can cause a major latency bottleneck in the anonymization process when computed on the fly. This architecture, however, introduces vulnerability to equivocation attacks that can be run by a malicious relay to de-anonymize the clients. We describe a simple technique that can prevent such attacks without adding extra latency to the communication.

#### Previous projects

• TorBricks: A bridge distribution algorithm for Tor with blocking-resistance and privacy-preserving properties [abstract]
Tor is currently the most popular network for anonymous Internet access. It critically relies on volunteer nodes called bridges for relaying Internet traffic when a user's ISP blocks connections to Tor. Unfortunately, current methods for distributing bridges are vulnerable to malicious users who obtain and block bridge addresses.

We propose TorBricks, a protocol for distributing Tor bridges to $n$ users, even when an unknown number ${t < n}$ of these users are controlled by a malicious adversary. TorBricks distributes $O(t\log{n})$ bridges and guarantees that all honest users can connect to Tor with high probability after $O(\log{t})$ rounds of communication with the distributor. We also extend our algorithm to perform privacy-preserving bridge distribution when run among multiple untrusted distributors. This not only prevents the distributors from learning bridge addresses and bridge assignment information, but also provides resistance against malicious attacks from a $\lfloor m/3 \rfloor$ fraction of the distributors, where $m$ is the number of distributors.

• Scalable Multi-Party Computation: A secure multi-party computation protocol scalable to millions of nodes [abstract]
We propose scalable protocols for solving the secure multi-party computation (MPC) problem among a large number of parties. We consider both the synchronous and the asynchronous communication models. In the synchronous setting, our protocol is secure against a static malicious adversary corrupting less than a $1/3$ fraction of the parties. In the asynchronous setting, we allow the adversary to corrupt less than a $1/8$ fraction of parties.

For any deterministic function that can be computed by an arithmetic circuit with $m$ gates, both of our protocols require each party to send a number of field elements and perform an amount of computation that is $\tilde{O}(m/n + \sqrt n)$. We also show that our protocols provide statistical and universally-composable security. To achieve our asynchronous MPC result, we define the threshold counting problem and present a distributed protocol to solve it in the asynchronous setting. This protocol is load balanced, with computation, communication and latency complexity of $O(\log{n})$, and can also be used for designing other load-balanced applications in the asynchronous communication model./>

• Secure Decentralized Shuffling: A multi-party shuffling protocol robust against malicious faults [abstract]
In secure multi-party shuffling, multiple parties, each holding an input, want to agree on a random permutation of their inputs while keeping the permutation secret. This problem is important as a primitive in many privacy-preserving applications such as anonymous communication, location-based services, and electronic voting. Known techniques for solving this problem suffer from poor scalability, load-balancing issues, trusted party assumptions, and/or weak security guarantees.

We propose an unconditionally-secure protocol for multi-party shuffling that scales well with the number of parties and is load-balanced. In particular, we require each party to send only a polylogarithmic number of bits and perform a polylogarithmic number of operations while incurring only a logarithmic round complexity. We show security under universal composability against up to about $n/3$ fully-malicious parties. We also provide simulation results showing that our protocol improves significantly over previous work. For example, for one million parties, when compared to the state of the art, our protocol reduces the communication and computation costs by at least three orders of magnitude and slightly decreases the number of communication rounds.