Research on security, privacy and trust in the School of Informatics of the University of Edinburgh spans a range of topics. The Security, Privacy and Trust Group is a broad group of researchers whose expertise ranges from cryptography and formal verification to human factors and social aspects. Our interdisciplinary work pools expertise from Informatics and other disciplines, represented by the Edinburgh Cyber Security, Privacy and Trust Institute which hosts the University's UK Government recognised Academic Centre of Excellence in Cyber Security Research (ACE-CSR). Cryptography and Distributed Ledger Cryptography is an essential component of security and privacy which enables the confidential exchange of information as well as powering us to make provable statements around the properties of data. Our team has a range of experience in the area of cryptography including blockchain, e-voting, digital content distribution, verification of protocols, and quantum cryptography. Kiayias’s work on blockchain foundations has received world-wide recognition (he has authored one of the most widely cited works on the topic) and he has collaborated with Yahoo, Snapchat, IBM, and IOHK on related projects. Speed, a designer, devised Block Exchange, a workshop for explaining distributed ledger to stakeholders. His research has been applied in fintech (with the New Economic Forum and RBS) and has explored digital traceability of interactions between people and objects. The EPSRC TIPS project Ox-Chain combines these to study distributed ledgers for improving logistical operations related to the circular economy. Quantum-enhanced Security. Kashefi’s group has set the benchmark, both theoretically and experimentally, for a hybrid network of quantum and classical devices to provide quantum-backed security guarantees. Such a network will enable secure delegation of computational tasks to untrusted but verifiable large-scale computing servers. Pioneering contributions include the inventions of the fields of quantum verification and quantum cloud computing. New research directions include post-quantum cryptography, quantum blockchain and application of multiparty quantum computation for electronic voting (Kashefi, Arapinis). Protocol and Program Verification Informatics has a long history of basic research on programming language design and semantics which has been applied to verify that designs and code provide mathematically rigorous security guarantees. This theme covers cryptographic protocol verification, with work on checking both protocol design (Arapinis, Gordon) and security of protocol implementations (Gordon), as well as formal foundations needed to express and check protocol properties. The work includes building tools for automatic property checking, verification and testing on deployed systems (Arapinis, Aspinall, Gordon, Stark). Socio-technical Security Security and privacy technologies should be usable and work with people to avoid mistakes and encourage safe behavior. Technology ought to support people in making secure decisions rather than encourage workarounds through poor design, or fail to protect their privacy and security properly. Socio-technical aspects of risk and dependability have been studied for over 15 years in UoE Informatics and Social Sciences. There is extensive study of regulatory policy (Raab) on societal risks associated with privacy and surveillance, such as on improving Privacy Impact Assessments for the UK Information Commissioner’s Office. At the intersection between Law and Informatics, Schafer applies AI techniques to cyber crime and security, alongside studying the relevant legal frameworks. Meanwhile, human factors are perhaps the largest cause of security failure. Vaniea’s research in usable security examines resource sharing between the home and office, with implications for access control systems, and user-level controls affecting privacy and security, such as software update mechanisms. Speed brings design thinking to imagine security and privacy implications of technology, including work on the Ambient Environments theme in the EPSRC PETRAS Hub for security and privacy in IoT. Secure Future Networks Two security-relevant developments are shaping future networks: spectrum sharing for wireless to increase bandwidth and efficiency, and the proliferation of Software Defined Network- ing (SDN), including its extension to build an over-arching distributed, technology agnostic network. The University of Edinburgh is a partner in TOUCAN, a large EPSRC programme grant on network convergence. Our contributions include two techniques for protecting traffic from eavesdroppers which complement cryptography: optical networking (Haas) which limits to line of sight and physical layer secrecy which limits wireless propagation (Ratnarajah). We also contribute to wireless security within SDN with frameworks for security management applications (Marina), and through major testbed activities (Haas), which will be interconnected with other UK facilities (INITIATE project). Other networking topics include privacy-preserving mix-nets via the Horizon 2020 project PANORAMIX coordinated by UoE (Kiayias); differential privacy applied to location data from mobile devices (Marina); and verifiable SDN transformations for networks under attack (Aspinall). Device Security Informatics has a long-standing Mobility and Security group . Recent work covers resource-limited devices such as ARM microcontrollers that underpin the Internet of Things (Stark), and modern mobile platforms such as Android (Aspinall). The group uses verification logics, type systems, and program analysis to protect devices, for instance, by expressing and enforcing resource constraints that attackers would have to violate to exploit them. Proof-carrying code (in general, digital evidence) is applied to certify security to provide efficient independent checking of 3rd party code. Prototypes from the EPSRC App Guarden project can enforce policies on Android apps, using machine learning techniques to automatically find (and explain) specifications of malicious behaviour. Data Science Techniques Data science methods bring the power to help cyber security, but also risk causing privacy and confidentiality leaks or dangerous automated decisions. Information origin, derivation or history is tracked with data provenance techniques (Cheney) which can be applied to system configuration, software supply chains, and auditing for intelligence or forensic analysis. UoE is a partner in the transformational DARPA Transparent Computing project which seeks to fight advanced persistent threats by pervasive collection and analysis of provenance. In wireless security, crowd-sourced data can detect intrusions or unusual behaviour in wireless networks (Marina). Other data science uses include malware and network anomaly detection (Aspinall) and applications of probabilistic programming (Gordon). Work by our postdoctoral researchers includes differential privacy, secure multi-party computation and adversarial machine learning. Mailing lists security-privacy@inf: general announcements, seminars and other events (Informatics related, open) cyber-secpriv@mlist.is.ed.ac.uk: announcements and events (CSPTI related, UoE only) security-club@inf: a club with informal meetings, run by Myrto Arapinis (Informatics only) Please also see our page of links to some external collaborators. If you have comments or corrections for these web pages, please contact Kami Vaniea or David Aspinall. This article was published on 2024-11-22