My research focuses on information security and distributed systems, with emphasis on secure protocols for distributed systems. Current research topics are:
Older research topics:
The blockchain is a public ledger, maintained by many nodes without central authority using a distributed cryptographic protocol, for recording transactions. The nodes validate the information to be appended to the blockchain, and a consensus protocol ensures that the nodes agree on a unique order in which entries are appended. Distributed protocols tolerating faults and adversarial attacks, coupled with cryptographic mechanisms are needed for this. They related to so-called Byzantine agreement protocols.
Based on our earlier work in distributing trust on the Internet , , we are exploring consensus protocols and security mechanisms, and apply them in the context of the Hyperledger Project. Hyperledger is an industry-wide effort to develop an open-source blockchain. We have developed protocols for dealing with non-deterministic operations on blockchains  and are actively involved in the development of Hyperledger Fabric.
See also: a blog about distributing trust, a blog about blockchain consensus, a short video, or the project page.
Cloud services enable convient online collaboration, but require that clients fully trust the service provider in terms of confidentiality, integrity, and availability. Here we focus on integrity guarantees. A group of clients would like to verify the correctness of the remote computation and the server's responses, specifically in terms of data integrity and consistency of the responses to different clients.
Cryptographic protocols that ensure fork-linearizability help clients to check for violations of integrity and consistency by the untrusted server, even when the clients do not communicate with each other. Such protocols ensure that all clients which observe each other's operations are consistent, in the sense that data has not been tampered with, and that their own and other clients' operations are linearizable. We have developed protocols for efficient remote verification of generic untrusted services  and a tool for the Verification of Integrity and Consistency of Cloud Object Storage (VICOS) .
In cloud computing, the owner loses direct control over its data and programs. After outsourcing data to the cloud, the owner is bound to trust the cloud provider for confidentiality, privacy, integrity, and availability. However, cryptographic mechanisms can reduce such trust by allowing the owner to protect its assets. Moreover distributing data to multiple cloud providers reduces the exposure and eliminates threats originating from a single source.
We have developed protocols for storing data on an Intercloud , , , based on client-side cryptography, replication, and erasure coding. For ensuring that information does get into the wrong hands once it is no longer needed, we have developed tools for secure deletion of data .
See also this blog post or the project page.
Users increasingly maintain data in the "cloud" at remote storage service providers. Such services allow users to collaborate with each other and to access the shared data from everywhere. It is important to guarantee the integrity of the data when the service is not trusted, and to ensure consistent operations in environments where multiple users access the data concurrently. We have developed efficient protocols that provide atomic storage and implement arbitrary services consistently when the service is correct and weaker, so-called forking semantics when the server is faulty , ,  and discovered fundamental properties of such systems , . Applying our approach to the Subversion revision control system, we have demonstrated how to guarantee integrity for a practical online collaboration tool . The Venus system  extends our method to securing practical untrusted cloud storage and has been demonstrated and evaluated with Amazon S3.
Cryptographic keys must be maintained securely and reliably. But users struggle with the key-management problem because operating procedures and formats differ across systems. We have built a key-lifecycle management system accessible over a network  and led the creation of a new open standard for enterprise key management: the OASIS Key Management Interoperability Protocol (KMIP).
When multiple users access a key server, the interface must be designed with special consideration for cryptographic relations among keys. Cryptographic hardware-security modules (HSMs) face the same problem. Some logical attacks through the key-management operations of HSMs have been reported in the past, which allowed to expose keys merely by exploiting their interfaces in unexpected ways. We show how to secure a key-management system against any attack through its interface. Our design integrates traditional access control with cryptographic semantics, so that the system respects the dependencies among keys introduced through the cryptographic operations , .
We have also developed a novel key-management scheme with lazy revocation for cryptographic file systems , .
A promising approach to securing critical services lies in distributing the service over a set of geographically and organizationally separated replicas. By using so-called Byzantine-fault tolerant (BFT) coordination algorithms to keep the replicas logically synchronized, the failure or even the malicious corruption of some components can be tolerated.
We have investigated the BFT state-machine replication method , where a request to a service is processed by all components and the client infers the result from a majority of the received answers. Many protocols for this task were known for environments with random or "benign" faults, but we were among the first to address an adversarial, fully asynchronous network . We have developed the first efficient atomic broadcast protocol  for this environment, which preserves safety and liveness through randomization. It builds on a novel practical cryptographic solution for the classical problem of Byzantine agreement , using threshold cryptography and randomization. The SINTRA prototype  shows that our approach is practical and was used to build a dependable distributed DNS service .
Other contributions include the first atomic broadcast protocol for asynchronous networks with linear amortized expected message complexity (in the number of nodes) per delivered payload , and several consistency protocols for erasure-coded BFT distributed storage systems , .
Steganography allows to embed a message within another, seemingly harmless message so that its presence cannot be detected. Steganography complements cryptography, whose goal is to protect the content of a message. My interest in steganography is motivated by its relevance for undetectable communication and for watermarking ofdigital content .
We have developed the fundamental ideas for a theory of steganography with information-theoretic security , . The topic has subsequently become the focus of many other worksin information theory and it has been extended to a cryptographic model with computational security. Along these lines, we have also defined security for steganography in a public-key cryptographic model and developed a system that protects against active attacks .
The wish to jointly execute a computational task between two or more mutually distrusting parties lies the core of most security problems. Mobile code and mobile agents are prominent examples. We have formulated the problem of mobile code security more precisely and shown that a surprisingly large class of computations can be performed in an encrypted fashion , but that for most practical scenarios, additional trusted components are needed ; the same holds if fairness is desired .
Cryptography has identified the fundamental role of the so-called oblivious transfer task; given a protocol for it, one can build arbitrarily complex secure protocols. My research has concentrated on several aspects of oblivious transfer , , on the problem of private information retrieval , and on a related application to secure auctions . In my thesis work I addressed cryptographic protocols with information-theoretic security , , ; a particularly attractive assumption is the storage-bounded model , , in which only the storage space of an adversary is bounded, but not its computational power.
The list of publications includes other formats and citation details.