Blockchain Protocols


Multi-Party Computation (MPC) is a flexible paradigm for computing on confidential data. HoneyBadgerMPC is an asynchronous MPC protocol and implementation that scales to large networks and provides blockchain-grade fault tolerance and availability guarantees. For more info, please see

Pisa: Arbitration Outsourcing for State Channels

PISA builds off the Sprites construction an introduces an incentive protocol to allow users to hire third-parties to arbitrate a state channel dispute on their behalf if they crash. The protocol gives an incentive and penalty to enforce the correct operation of the hired third party up to a financial upper bound for the attacker.
[Arxiv Preprint] [Talk at Off the Chain Workshop]

Sprites and State Channels: Payment Networks that go Faster Than Lighting

Sprites is a payment channel construct that improves upon the current best linearly increasing lock time for a payment routed on a path of channels.
It also includes a generalized state channel construction in the Universal Composability framework for protocols.
[Arxiv Preprint]    [Media Coverage on Coindesk] [Camready]


Honey Badger BFT is the first *asynchronous* consensus protocol for the post-Bitcoin world. Unlike the other protocols you’ve heard of, like Raft, Paxos, and PBFT, our new protocol makes progress whenever messages are delivered, regardless of how long they are delayed. HoneyBadgerBFT just doesn’t care about the timeliness of the underlying network! HoneyBadgerBFT GitHub page The Honey Badger of BFT Protocols Andrew Miller and Yu Xia and Kyle Croman and Elaine Shi and Dawn Song. CCS 2016.

Provable Security for Blockchains

SaUCy – Composable Cryptography Framework

We are developing a modular framework, dubbed SaUCy (short for Super Amazing Universal ComposabilitY), that will simplify the task of securely composing distributed protocols and cryptographic primitives. This idea is rooted in the theory of universal composability, which is widely used in cryptography for on-paper proofs, but has not yet been adapted to software engineering. To this end, we are applying formal methods to UC to simplify its use, bring new clarity, and provide useful tooling.

Cryptocurrency Projects


We analyzed transactions in the Monero network and proposed deanonymization heuristics for transactions. We investigated and proposed solutions to the security flaws in the anonymity of Monero transactions, which enhanced the security of all Cryptonote currencies and led to the adoption of the solutions still in use today. MoneroLink.

PETS 2018 Andrew Miller, Malte Moser, Kevin Lee, Arvind Narayanan.

I can’t believe it’s not Stake! Resource exhaustion attacks on PoS

We presented a new resource exhaustion attack affecting 26+ several chain-based proof-of-stake cryptocurrencies. These vulnerabilities would allow a network attacker with a very small(in some cases, none) amount of stake to crash any of the network nodes running the corresponding software. We conducted a coordinated disclosure in October 2018 to notify development teams of affected cryptocurrencies.

FC 2019 Sanket Kanjalkar, Joseph Kuo, Yunqi Li, Andrew Miller [paper][blog]

Decentralized Identity

CanDID: Can-Do Decentralized Identity with Legacy Compatibility, Sybil-Resistance, and Accountability

CanDID is a platform for practical, user-friendly realization of decentralized identity, the idea of empowering end users with management of their own credentials. While decentralized identity promises to give users greater control over their private data, it burdens users with management of private keys, creating a significant risk of key loss. Existing and proposed approaches also presume the spontaneous availability of a credential-issuance ecosystem, creating a bootstrapping problem. They also omit essential functionality, like resistance to Sybil attacks and the ability to detect misbehaving or sanctioned users while preserving user privacy. CanDID addresses these challenges by issuing credentials in a user-friendly way that draws securely and privately on data from existing, unmodified web service providers. Such legacy compatibility similarly enables CanDID users to leverage their existing online accounts for the recovery of lost keys. Using a decentralized committee of nodes, CanDID provides strong confidentiality for user’s keys, real-world identities, and data, yet prevents users from spawning multiple identities and allows identification (and blacklisting) of sanctioned users.

Oakland 2020 [paper]