Active Projects
Formal framework to analyze censorship circumvent systems
Provable security for censorship or anti-censorship systems are still at large: they mostly rely on ad-hoc analysis to claim their guarantees; and consequently, advent of new censorship techniques can render existing anti-censorship techniques completely invalid, and vice-versa. Many important questions need answering in this space and require careful investigation: How to formally analyze the strength of a censorship authority or an anti-censorship system? Is it possible to classify all possible censorship tools or circumvent techniques into a few equivalence classes?
By answering these question, we will be able to quantitatively analyze censorship and anti-censorship systems, which in turn will provide better understanding about how to design anti-censorship systems that are effective against a large class of censorship techniques. As part of this effort, I plan to formally analyze popular anti-censorship protocols like Snowflakes, Obfs4, and VPN; as well as the techniques deployed by well-known censorship regimes like China, Iran, Russia, and India. The insights from this work could be useful in the context of network firewalls and intrusion detection systems as well.
Anonymous Router: anonymous communication without any trusted component in the infrastructure
Anonymous communication systems typically require some trusted entity in the infrastructure to achieve their privacy guarantees, e.g., mixnets require at least one honest mixnode on the path of a message, MPC based protocols require at least one honest server. Few recent protocols (e.g., Pung, Addra) could escape that requirement, however, with additional assumptions/restrictions. Pung and Addra use private information retrieval as their building block and can scale for several thousand users. However, they require the users to agree beforehand who talks to whom, and can only provide relationship anonymity: it is not suitable for stronger notions like sender anonymity, and cannot support an application that requires anonymous broadcast. It is not yet known if such protocols can be designed without the additional setup requirement among users and with that scalability for a large number of users. We aim to solve the above problem by designing a protocol that can achieve sender anonymity in the anonymous broadcast scenario without involving any trusted entity in the infrastructure. Our system has three sets of parties: (i) a set of N senders/uploaders that want to send files, (ii) a set of M recipients/downloaders that want to receive/download files, and (iii) a computationally powerful server that is untrusted for privacy but trusted for availability, e.g., Amazon cloud services.
Analyzing the security and efficiency of continuous stop-and-go mixnets
Continuous stop-and-go mixnets allow interesting tradeoffs in designing anonymous communication systems --- unlike other mixnet-based AC protocols, they do not require a round-based communication model, easily support different types of traffic of different latency requirements, and still provides significantly better anonymity than Tor. Nym Technologies has already deployed such mixnets to support real world applications like Telegram and Bitcoin transactions. Even though such designs are around for last two decades, it was not known if they can provide provable security guarantees --- all existing analyses provided experimental evaluations for specific settings and parameter choices in terms of number of users, topology, choice of delays etc. Such evaluations cannot provide a comprehensive understanding about how the anonymity guarantees will vary with the variation of those parameters and settings. This work attempts to solve that open problem by providing a formal analysis of the anonymity guarantees provided by such continuous mixnets.
Additionally we try quantify the anonymity guarantees when the same (continuous) mixnet infrastructure is used to send multiple different kind of traffic corresponding to different applications (with different latency requirements).
Some results of this work has been recently accepted for PETS 2024.
Privacy Preserving Storage And Computation Outsourcing
SortingHat
Machine learning as a service scenario typically requires the client to trust the server and provide sensitive data in plaintext. However, with the recent improvements in fully homomorphic encryption (FHE) schemes, many such applications can be designed in a privacy-preserving way. We aim to build protocols that allow such outsourcing of computation and storage for ML applications, but in a privacy preserving way.
We built a private decision tree evaluation protocol, which we call SortingHat, where a client can use a decision tree model held by a cloud server to classify its private data without revealing the data or the classification result to the server, while using the computation resources of that server. The work has been published in ACM CCS 2022.
Panacea: A non-interactive Oblivious-RAM
We are also working on a non-interactive Oblivious-RAM protocol in a client-server model, where the client can utilize the server for most of the computations. We achieve that using homomorphic encryption and batching techniques. The work is currently under submission.
Past Projects
Anonymity Trilemma
Many anonymous communication (AC) protocols have been proposed with the aim of improving users' privacy over the Internet. Several of them were able to provide strong anonymity guarantees (cryptographic indistinguishability-based anonymity), however at the cost of having a high latency overhead or high bandwidth overhead. More specifically, AC protocols like the dining cryptographers (DC) network provide anonymity even in the presence of global adversaries (that can observe all network traffic) at the expense of bandwidth overhead, while protocols based on mix-net designs improve anonymity at the expense of higher latency. However, it is not clear how to balance such system parameters to ensure strong anonymity while preserving practical performance.
We worked towards confirming the commonly held belief by the research community that AC protocols can achieve only two of the following three properties: low bandwidth overhead, low latency overhead and strong anonymity (negligible adversarial advantage). We tackled some fundamental questions associated with anonymous communication —
- Can we prove that strong anonymity cannot be achieved without introducing large latency or bandwidth overhead?
- When we wish to introduce the latency and bandwidth overheads simultaneously, do we know the overhead range values that still fall short at providing stronger anonymity?
The papers related to this projects were published in IEEE S&P 2018 and PETS 2020, and are available below —
trilemma ,
comprehensive-trilemma
Building Efficient And Scalable Anonymous Communication Protocols
Over the last several years I have worked on multiple protocols. I briefly describe the selected ones below:
cMix: Mixing with Minimal Real-Time Asymmetric Cryptographic Operations
This protocol eliminates the expensive real-time public key operations by introducing a precomputation phase. I worked on designing, prototype implementation and security analysis of the protocol. This work has been published in ACNS 2017. You can read more about the protocol here.
OrgAn
This protocol aims at providing strong anonymity guarantees for the members of an organization while supporting latency sensitive application. OrgAn achieves low latency by eliminating the overheads of key agreement and slot agreement that is required before every round in other DC-net inspired protocols.
This work has been published in PETS 2022.
Streams
Currently I am working on building a protocol that can provide provable mixing guarantees while scling for millions of users and keeping the end-to-end latency for each message within several seconds. We use a new scaling technique in this protocol that splits the responsibilities of expensive public key operations and mixing into separate servers, and efficiently achieves mixing for millions of messages while tolerating a constant fraction of compromised servers in the system.
This work has been published in CSF 2024. You can read more about the protocol here.
Analyzing Proof-of-Elapsed-Times Concensus Protocols
Proof-of-elapsed-time or PoET utilizes a random wait-time generated by a Trusted Execution Environment (TEE) instead of using proof of work. Although many academic works already point to the efficiency and application of such consensus protocols in large systems, they lacked any formal security analysis, and this work fills that gap. However, the most intriguing implication of the analysis was that \emph{blockchain without mining} coupled with a rate limiting function (that we called \textit{`z-test'}) is secure in a permissioned network as long as more than $67\%$ of the network is honest, even without any hardware security guarantees.
This work has been published in Indocrypt 2021. You can read more about the protocol here.