Anunay Kulshrestha

2022

Scheffler, S., Kulshrestha, A., & Mayer, J. (2022). Public Verification for Private Hash Matching: Challenges, Policy Responses, and Protocols. Under Revision.
Kulshrestha, A., & Mayer, J. (2022). Estimating Incidental Collection in Foreign Intelligence Surveillance: Large-Scale Multiparty Private Set Intersection with Union and Sum. 31st USENIX Security Symposium.

Abstract: Section 702 of the Foreign Intelligence Surveillance Act authorizes U.S. intelligence agencies to intercept communications content without obtaining a warrant. While Section 702 requires targeting foreigners abroad for intelligence purposes, agencies “incidentally” collect communications to or from Americans and can search that data for purposes beyond intelligence gathering. For over a decade, members of Congress and civil society organizations have called on the U.S. Intelligence Community (IC) to estimate the scale of incidental collection. Senior intelligence officials have acknowledged the value of quantitative transparency for incidental collection, but the IC has not identified a satisfactory estimation method that respects individual privacy, protects intelligence sources and methods, and imposes minimal burden on IC resources. In this work, we propose a novel approach to estimating incidental collection using secure multiparty computation (MPC). The IC possesses records about the parties to intercepted communications, and communications services possess country-level location for users. By combining these datasets with MPC, it is possible to generate an automated aggregate estimate of incidental collection that maintains confidentiality for intercepted communications and user locations. We formalize our proposal as a new variant of private set intersection, which we term multiparty private set intersection with union and sum (MPSIU-Sum). We then design and evaluate an efficient MPSIU-Sum protocol, based on elliptic curve cryptography and partially homomorphic encryption. Our protocol performs well at the large scale necessary for estimating incidental collection in Section 702 surveillance.
Wang, M., Kulshrestha, A., Wang, L., & Mittal, P. (2022). Leveraging Strategic Connection Migration-Powered Traffic Splitting for Privacy. Proceedings of the 22nd Privacy Enhancing Technologies Symposium.

Best HotPETs 2021 Talk

Abstract: Network-level adversaries have developed increasingly sophisticated techniques to surveil and control users’ network traffic. In this paper, we exploit our observation that many encrypted protocol connections are no longer tied to device IP address (e.g., the connection migration feature in QUIC, or IP roaming in WireGuard and Mosh), due to the need for performance in a mobile-first world. We design and implement a novel framework, Connection Migration Powered Splitting (CoMPS), that utilizes these performance features for enhancing user privacy. With CoMPS, we can split traffic mid-session across network paths and heterogeneous network protocols. Such traffic splitting mitigates the ability of a network-level adversary to perform traffic analysis attacks by limiting the amount of traffic they can observe. We use CoMPS to construct a website fingerprinting defense that is resilient against traffic analysis attacks by a powerful adaptive adversary in the open-world setting. We evaluate our system using both simulated splitting data and real-world traffic that is actively split using CoMPS. In our real-world experiments, CoMPS reduces the precision and recall of VarCNN to 29.9% and 36.7% respectively in the open-world setting with 100 monitored classes. CoMPS is not only immediately deployable with any unaltered server that supports connection migration, but also incurs little overhead, decreasing throughput by only 5-20%.

2021

Kulshrestha, A., & Mayer, J. (2021). Identifying Harmful Media in End-to-End Encrypted Communication: Efficient Private Membership Computation. 30th USENIX Security Symposium.

Abstract: End-to-end encryption (E2EE) poses a challenge for automated detection of harmful media, such as child sexual abuse material and extremist content. The predominant approach at present, perceptual hash matching, is not viable because in E2EE a communications service cannot access user content. In this work, we explore the technical feasibility of privacy-preserving perceptual hash matching for E2EE services. We begin by formalizing the problem space and identifying fundamental limitations for protocols. Next, we evaluate the predictive performance of common perceptual hash functions to understand privacy risks to E2EE users and contextualize errors associated with the protocols we design. Our primary contribution is a set of constructions for privacy-preserving perceptual hash matching. We design and evaluate client-side constructions for scenarios where disclosing the set of harmful hashes is acceptable. We then design and evaluate interactive protocols that optionally protect the hash set and do not disclose matches to users. The constructions that we propose are practical for deployment on mobile devices and introduce a limited additional risk of false negatives.

2018

Kulshrestha, A. (2018). Bittersweet Fruits of Incumbency: Evidence from India [Master's thesis]. Stanford University.

Abstract: Casual effects of incumbency (holding public office) have enjoyed extensive academic attention since the 1970s. Regression discontinuity (RD) designs that allow for quasirandom assignment of incumbency status have gained popularity in the past decade and replaced older estimation strategies that were provably biased. However, selection bias induced by candidate attrition threatens the internal validity of such designs. I study incumbency effects in elections to the Lok Sabha, the lower house of the Indian parliament, using RD designs and find that candidates who barely win (and become incumbents) are 10.4 percentage points more likely to contest the subsequent election compared to candidates who barely lose (and become non-incumbents), an increase of 32.68%. In fact, this incumbency advantage has increased to 14.4 percentage points post-1991. Furthermore, I find systematic differences between non-incumbents who rerun and those who do not: non-incumbents that are more experienced and represent larger parties, with presumably higher chances of winning, are more likely to contest again. As much fewer non-incumbents contest the next election and candidate attrition is non-random, it follows that the casual effect of incumbency on any outcome of interest (that is unobserved for non-contestants) in the next election is biased. Finally, I find an upper bound on the incumbency effect on the probability of victory in the subsequent election and show the absence of any incumbency advantage in elections to the Lok Sabha.

2017

Kulshrestha, A., Rampuria, A., Denton, M., & Sreenivas, A. (2017). Cryptographically Secure Multiparty Computation and Distributed Auctions using Homomorphic Encryption. Cryptography, 1(3), 25.

Abstract: We introduce a robust framework that allows for cryptographically secure multiparty computations, such as distributed private value auctions. The security is guaranteed by two-sided authentication of all network connections, homomorphically encrypted bids, and the publication of zero-knowledge proofs of every computation. This also allows a non-participant verifier to verify the result of any such computation using only the information broadcasted on the network by each individual bidder. Building on previous work on such systems, we design and implement an extensible framework that puts the described ideas to practice. Apart from the actual implementation of the framework, our biggest contribution is the level of protection we are able to guarantee from attacks described in previous work. In order to provide guidance to users of the library, we analyze the use of zero knowledge proofs in ensuring the correct behavior of each node in a computation. We also describe the usage of the library to perform a private-value distributed auction, as well as the other challenges in implementing the protocol, such as auction registration and certificate distribution. Finally, we provide performance statistics on our implementation of the auction.
Kulshrestha, A., Shah, A., & Lu, D. (2017). Politically Predictive Potential of Social Networks: Twitter and the Indian General Election 2014. Proceedings of the Fourth Multidisciplinary International Social Networks Conference, 1.

Best Paper Award

Abstract: The Indian General Election 2014 witnessed the casting of 540 million votes, making it the largest democratic exercise in human history. The center-right Bharatiya Janata Party (BJP) single-handedly won a majority of seats in the lower house of the parliament, a feat emulated after 30 years in India’s vibrant multiparty democracy where coalition governments have long been the norm. A new prime minister, Narendra Modi, swept into office with 31% of the vote riding on an extensive social media campaign-a significant first in Indian polity. Some commentators have even gone as far as calling it a Twitter election. We investigate these claims by analyzing the Twitter network in India in the months leading up to and including the election. We study the use of social media by different political actors using an augmented contagion model of information dissemination. We look closely at both the direct role of the actors as well as their catalyzing role and influence in the network. Sentiment analysis based clustering is used to gauge the public opinion. Drawing on these sources, we compare the efficacy of the social media strategies of important political actors. We find that the BJP and its coalition partners pursued a more rigorous and effective social media strategy than those of other political actors. Furthermore, they were able to not only establish but also maintain a robust network of sup- porters that eventually translated into a significant electoral victory.