My research focuses on information security and distributed systems, with emphasis on secure protocols for distributed systems. Current research topics are the security of storage systems, particularly storage integrity, the management of cryptographic keys, and distributing trust. I am also interested in steganography and have done research on cryptographic protocols at large.
Users increasingly maintain data in the "cloud" at remote storage service providers. Such services allow users to collaborate with each other and to access the shared data from everywhere. It is important to guarantee the integrity of the data when the service is not trusted, and consistent operations in environments where multiple users access the data concurrently. We have developed efficient protocols that provide atomic storage and implement arbitrary services consistent when the service is correct and weaker so-called forking semantics when the server is faulty [6], [5], [1] and discovered fundamental limitations of such systems [4]. Applying our approach to the Subversion revision control system, we have demonstrated how to guarantee integrity for a practical online collaboration tool [3]. The Venus system [2] extends our method to securing untrusted cloud storage and has been evaluated with Amazon S3.
Cryptographic keys must be maintained securely and reliably. But users struggle with the key-management problem because operating procedures and formats differ across systems. We have built a key-lifecycle management system accessible over a network [1] and led the creation of a new open standard for enterprise key management: the OASIS Key Management Interoperability Protocol (KMIP).
When multiple users access a key server, the interface must be designed with special consideration for cryptographic relations among keys. Cryptographic hardware-security modules (HSMs) face the same problem. Some logical attacks through the key-management operations of HSMs have been reported in the past, which allowed to expose keys merely by exploiting their interfaces in unexpected ways. We show how to secure a key-management system against any attack through its interface. Our design integrates traditional access control with cryptographic semantics, so that the system respects the dependencies among keys introduced through the cryptographic operations [2], [3].
We have also developed a novel key-management scheme with lazy revocation for cryptographic file systems [4], [5].
A promising approach to securing critical services lies in distributing the service over a set of geographically and organizationally separated replicas. By using so-called Byzantine-fault tolerant (BFT) coordination algorithms to keep the replicas logically synchronized, the failure or even the malicious corruption of some components can be tolerated.
We have investigated the BFT state-machine replication method [1], where a request to a service is processed by all components and the client infers the result from a majority of the received answers. Many protocols for this task were known for environments with random or "benign" faults, but we were among the first to address an adversarial, fully asynchronous network [8]. We have developed the first efficient atomic broadcast protocol [7] for this environment, which preserves safety and liveness through randomization. It builds on a novel practical cryptographic solution for the classical problem of Byzantine agreement [9], using threshold cryptography and randomization. The SINTRA prototype [6] shows that our approach is practical and was used to build a dependable distributed DNS service [5].
Other contributions include the first atomic broadcast protocol for asynchronous networks with linear amortized expected message complexity (in the number of nodes) per delivered payload [4], and several consistency protocols for erasure-coded BFT distributed storage systems [2], [3].
Steganography allows to embed a message within another, seemingly harmless message so that its presence cannot be detected. Steganography complements cryptography, whose goal is to protect the content of a message. My interest in steganography is motivated by its relevance for undetectable communication and for watermarking ofdigital content .
We have developed the fundamental ideas for a theory of steganography with information-theoretic security [3], [1]. The topic has subsequently become the focus of many other worksin information theory and it has been extended to a cryptographic model with computational security. Along these lines, we have also defined security for steganography in a public-key cryptographic model and developed a system that protects against active attacks [2].
The wish to jointly execute a computational task between two or more mutually distrusting parties lies the core of most security problems. Mobile code and mobile agents are prominent examples. We have formulated the problem of mobile code security more precisely and shown that a surprisingly large class of computations can be performed in an encrypted fashion [1], but that for most practical scenarios, additional trusted components are needed [2]; the same holds if fairness is desired [3].
Cryptography has identified the fundamental role of the so-called oblivious transfer task; given a protocol for it, one can build arbitrarily complex secure protocols. My research has concentrated on several aspects of oblivious transfer [4], [5], on the problem of private information retrieval [6], and on a related application to secure auctions [7]. In my thesis work I addressed cryptographic protocols with information-theoretic security [8], [9], [10]; a particularly attractive assumption is the storage-bounded model [5], [8], in which only the storage space of an adversary is bounded, but not its computational power.
The list of publications includes other formats and citation details.