Research

Password Authentication

We all use passwords to access our sensitive data. But what actually happens after you type your password and hit the "log in" button? How are you authenticated with the web server? For example, does the server store your raw password? (Answer: it shouldn't, as your password is leaked straightaway in case the server is compromised. Instead, the server should store a hash of both your password and an additional "salt," which makes obtaining your password after server compromise much harder.) What if an attacker disguises itself as the server? (Answer: unfortunately, the current Internet protocol for password authentication, the so-called "password-over-TLS," critically relies on the assumption that the server's public key is correctly distributed to you. If you accept an attacker's public key instead, the attacker can immediately decrypt and learn your password.)
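The salted-hash storage described above, as an added example that is not code from this page or from the author's protocol: the server keeps only a per-user random salt and a slow hash, never the raw password, and verification recomputes the hash with the stored salt. The iteration count and salt length are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; a deployment would tune the iteration
# count (or use a memory-hard function such as Argon2) for its hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(password: str) -> dict:
    """What the server stores: a fresh random salt and the digest, not the password."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "digest": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hash_password(candidate, record["salt"])
    return hmac.compare_digest(digest, record["digest"])


def same_password_distinct_digests(password: str) -> bool:
    """Two accounts with the same password get different stored digests, so a
    table precomputed for one salt says nothing about the other account."""
    a, b = register(password), register(password)
    return a["salt"] != b["salt"] and a["digest"] != b["digest"]


if __name__ == "__main__":
    rec = register("correct horse battery staple")
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "wrong password"))                # False
    print(same_password_distinct_digests("hunter2"))    # True
```

Note that a compromised database still allows offline guessing against each salt individually; the salt removes the shared precomputation, and the slow hash is what makes each guess expensive.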

A major theme of my work is to design future-generation password protocols, which eliminate the shortcomings of the current approach while retaining its advantages. Check out our protocol in which the client doesn't need a TLS channel to authenticate!

Security Analyses in the Algebraic Group Model

Cryptographers often rely on idealized models in security analyses. For example, the random oracle model treats a hash function as a "box" (i.e., an oracle) that returns a fresh random response for each new query, and in the generic group model an algorithm sees only random encodings of group elements. In the algebraic group model, which sits between the generic group model and the "plain" model, an algorithm is restricted in a different way: roughly speaking, it must show how each group element it outputs is computed by applying group operations to group elements it has already seen.

The algebraic group model has proven extremely useful in security analyses of cryptographic schemes. See our recent works on applying this model to timed commitments and blind signatures, two primitives extensively used in blockchain systems!