The Security, Privacy and Trust Group is a broad group of researchers whose expertise ranges from cryptography and formal verification to human factors and social aspects. Our interdisciplinary work pools expertise from Informatics and other disciplines, represented by the Edinburgh Cyber Security, Privacy and Trust Institute which hosts the University's UK Government recognised Academic Centre of Excellence in Cyber Security Research (ACE-CSR). AREASCryptography and Distributed LedgerCryptography is an essential component of security and privacy. It safeguards the confidentiality and integrity of data at rest and in transit, and also enables secure and private computation on sensitive information.Our team has a range of experience in the area of cryptography including blockchain, zero-knowledge, secure computation, e-voting, digital content distribution, verification of protocols, and quantum cryptography. Kiayias’s work on blockchain foundations has received worldwide recognition (he has authored one of the most widely cited works on the topic) and he has collaborated with Yahoo, Snapchat, IBM, and IOHK on related projects. His research has been applied in fintech (with the New Economic Forum and RBS) and has explored digital traceability of interactions between people and objects. The EPSRC TIPS project Ox-Chain combines these to study distributed ledgers for improving logistical operations related to the circular economy.Kohlweiss works on cryptographic foundations for secure communication, privacy, and zero-knowledge. A particular focus has been succinct non-interactive arguments of knowledge (SNARKs), as widely deployed on blockchains. His research introduced the concept of updatable and universal common reference strings for SNARKs, which has been influential in the design of SNARK ceremonies and proving systems.Michele Ciampi received his PhD in 2018 with a thesis on two-party cryptographic protocols, obtaining the Best Thesis in Theoretical Computer Science Award from the European Association for Theoretical Computer Science (Italian Chapter). Now a Chancellor’s Fellow at the School of Informatics (since 2021), his research focuses on secure computation, with particular emphasis on multi-party computation and zero-knowledge proofs. His work has established state-of-the-art lower bounds for the complexity of multi-party computation, with the majority of his results published in top-tier venues like Eurocrypt and Crypto. Michele’s work also covers privacy aspects related to blockchain and distributed systems.(Michele Ciampi, Markulf Kohlweiss, Aggelos Kiayias)Distributed Systems SecurityContent coming soon.(Aggelos Kiayias)Quantum Cyber SecurityWe explore the effects that quantum computing and quantum technologies in general have on cyber security. This includes research on establishing the security of classical post-quantum cryptosystems against quantum attacks, the new possibilities that quantum communication networks may offer, and the further looking establishment of secure quantum cloud platforms ensuring the correctness, resilience, and trustworthiness of quantum computing by providing users with a secure, verifiable, and private environment for handling their data.The Quantum Software Lab (Kashefi, Arapinis, Wallden, Doosti, Cojocaru) has set the benchmark, both theoretically and experimentally, for a hybrid network of quantum and classical devices to provide quantum-backed security guarantees.Future information and communication networks will certainly consist of both classical and quantum devices, some of which are expected to be dishonest, with various degrees of functionality, ranging from simple routers to servers executing quantum algorithms. The group adopts a hybrid approach, integrating quantum and classical elements, exploring various scenarios that span from the near-term post-quantum cryptography to the distant future of the quantum internet era.They develop protocols for quantum cloud platforms that ensure the correctness, resilience, and trustworthiness of quantum computing by providing users with a secure, verifiable, and private environment for handling their data. They design practical solutions that can be deployed on currently available quantum cloud hardware platforms with multiple users using both quantum links as well hardware secure modules.The group is also active in quantum cryptanalysis: exploring the capabilities that attackers using quantum algorithms have in compromising the security of cryptosystems.(Elham Kashefi, Myrto Arapinis, Petros Wallden, Alexandru Cojocaru, Mina Doosti, Quantum Software Lab)Protocol and Program VerificationInformatics has a long history of basic research on programming language design and semantics which has been applied to verify that designs and code provide mathematically rigorous security guarantees. This theme covers cryptographic protocol verification, with work on checking both protocol design (Arapinis, Gordon) and security of protocol implementations (Gordon), as well as formal foundations needed to express and check protocol properties.The work includes building tools for automatic property checking, verification and testing on deployed systems (Arapinis, Aspinall, Gordon, Stark).(Myrto Arapinis, Andrew Gordon, David Aspinall, Ian Stark)Socio-technical Security and Economics of Security & PrivacyToo often, real-world security and privacy failures are caused by not implementing known solutions. The incentives to create risk and dependable systems have been studied for over 15 years in UoE Informatics and Social Sciences.In the field of security economics, Woods explores how to quantify cyber risk, how to better respond to cyber incidents, and the role of insurance. Kiayias and Filos-Ratsikas use game-theory to model incentives in blockchain systems.(Charles Raab, Burkhard Schafer, Kami Vaniea, Chris Speed, Daniel Woods, Aggelos Kiayias, Aris Filos-Ratsikas)Usable Security & PrivacyHuman factors are perhaps the largest cause of security failure. This research strand focuses on applying human-centred research methods. Jingjie Li studies user perceptions of security and privacy risks, as well as processes used by experts in tasks like reverse engineering. Daniel Woods studies security experts and their incentives to implement security and privacy.(Jingjie Li, Daniel Woods, Kami Vaniea)Device SecurityInformatics has a long-standing Mobility and Security group. Recent work covers resource-limited devices such as ARM microcontrollers that underpin the Internet of Things (Stark), and modern mobile platforms such as Android (Aspinall).The group uses verification logics, type systems, and program analysis to protect devices, for instance, by expressing and enforcing resource constraints that attackers would have to violate to exploit them. Proof-carrying code (digital evidence) is applied to certify security to provide efficient independent checking of third-party code. Prototypes from the EPSRC App Guarden project can enforce policies on Android apps, using machine learning techniques to automatically find (and explain) specifications of malicious behaviour.(Ian Stark, David Aspinall)Secure Future NetworksSatellite constellations, such as Starlink and OneWeb, are broadening access to high-speed Internet connectivity across the globe. With these advances come unexplored risks and opportunities for hybrid and space-based secure and private networks and communication systems.We explore opportunistic satellite link usage to improve the latency of low- and high-latency communication networks, like Tor and mixnets, that resist adversarial manipulation (Elahi). We also explore the impact of satellite channel characteristics on the current state-of-the-art network protocols (Marina) and their privacy and security (Elahi).Two security-relevant developments are shaping future networks: spectrum sharing for wireless to increase bandwidth and efficiency, and the proliferation of Software Defined Networking (SDN), including its extension to build an over-arching distributed, technology-agnostic network.The University of Edinburgh is a partner in TOUCAN, a large EPSRC programme grant on network convergence. Contributions include techniques for protecting traffic from eavesdroppers which complement cryptography: optical networking (Haas) which limits to line of sight, and physical layer secrecy which limits wireless propagation (Ratnarajah).We also contribute to wireless security within SDN with frameworks for security management applications (Marina), and through major testbed activities (Haas), which will be interconnected with other UK facilities (INITIATE project). Other networking topics include privacy-preserving mix-nets via the Horizon 2020 project PANORAMIX coordinated by UoE (Kiayias); differential privacy applied to location data from mobile devices (Marina); and verifiable SDN transformations for networks under attack (Aspinall).(Harald Haas, Mahesh Marina, T. Ratnarajah, David Aspinall, Aggelos Kiayias, Amirhesam Elahi)Data Science TechniquesData science methods bring the power to help cyber security, but also risk causing privacy and confidentiality leaks or dangerous automated decisions. Information origin, derivation or history is tracked with data provenance techniques (Cheney) which can be applied to system configuration, software supply chains, and auditing for intelligence or forensic analysis.UoE is a partner in the transformational DARPA Transparent Computing project which seeks to fight advanced persistent threats by pervasive collection and analysis of provenance.In wireless security, crowd-sourced data can detect intrusions or unusual behaviour in wireless networks (Marina). Other data science uses include malware and network anomaly detection (Aspinall), approximate data structures for persistent item detection in high-speed data streams (Patras), malicious traffic classification (Patras), and applications of probabilistic programming (Gordon).Adversaries can also exploit these techniques for traffic analysis of network metadata, enabling attacks like website fingerprinting and correlation attacks (Juarez).Work by our postdoctoral researchers includes differential privacy, secure multi-party computation and adversarial machine learning.(James Cheney, David Aspinall, Paul Patras, Andrew Gordon, Mahesh Marina, Marc Juarez)Applications of AI to SecurityWe explore the dual use of AI and machine learning techniques in cybersecurity, investigating how these techniques both enable new cyberattacks and more effective defences.(David Aspinall, James Cheney, Andrew Gordon, Marc Juarez, Mahesh Marina, Paul Patras)Security and Privacy of AI/MLThe rapid adoption of machine learning and AI technologies and their new applications is raising serious privacy and security concerns.Our research in this area includes investigating improved differential privacy techniques for training neural networks and data valuation (Sarkar) and studying how these techniques influence and interact with algorithmic fairness in the resulting models (Juarez).Other topics of interest include developing lightweight techniques for increasing the robustness of AI classifiers against adversarial input manipulation and deriving structured and interpretable interpretations of how different parts of neural models influence their decisions (Patras).We are also studying watermarking techniques to mitigate some of the risks of the deployment of generative AI models (Juarez).(Marc Juarez, Paul Patras, Rik Sarkar)Mailing listssecurity-privacy@inf: general announcements, seminars and other events (Informatics related, open)cyber-secpriv@mlist.is.ed.ac.uk: announcements and events (CSPTI related, UoE only)Please also see our page of links to some external collaborators.If you have comments or corrections for these web pages, please contact Gareth Beedham This article was published on 2024-11-22