Password-Based Authentication

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user’s account information. We created several protocols that can allow a user to use a single password to authenticate to multiple services securelyAll our constructions provably protect the user from offline dictionary attacks on the password, phishing, man-in-the-middle, cross-site impersonation or honeypot attacks by the online service providers. Our construction require no server-side changes and can de deployed using a browser extension. We further performed extensive user studies and hold patents on this topic.

We are grateful for the support from the Royal Society Newton Advanced Fellowship.

Social Network Privacy

Many of us employ various kinds of online social networks, such as Facebook, Instagram, Twitter. Unfortunately, there are many security and privacy concerns regarding those systems, including the fact that our data is held by third party servers, is employed for advertisement purposes, and its integrity is not guaranteed.

Our solutions provide cryptographic guarantees on the confidentiality of our profiles, habits, comments, photos, etc. We also have solutions for secure authentication using social networks with the fourth paradigm of authentication: “Someone You Know“.

We are grateful for the support from TÜBA (Türkiye Bilimler Akademisi – Turkish Academy of Sciences).

Searchable Encryption

Encryption hides all the content of the data. But, when we outsource our data to the cloud, this means we lose the capability of efficiently searching for the items we want and hence selectively retrieving them. Searchable encryption techniques enable search over encrypted data by employing encrypted indices and special keys such that only the search result is revealed, whereas the adversary learns neither what is searched for nor the contents of the retrieved documents.

Our solutions work with dynamic data (both keywords and documents can be efficiently changed, added, removed), providing security against fully malicious servers, under both random oracle and the standard model. We also provide forward privacy: if a document is added containing a previously searched keyword, many existing solutions leak this information, while our solution does not leak such additional information.

We are grateful for the support from Bilim Akademisi (Science Academy) and TÜBİTAK.

Secure Cloud Storage

In cloud storage systems, the server (or peer) that stores the client’s data is not necessarily trusted. Therefore, users would like to ensure confidentiality and integrity of their data. Current popular cloud storage services, including but not limited to, Dropbox, Amazon S3, Google Drive, Microsoft OneDrive, unfortunately do not provide the user with sufficient security guarantees. On the contrary, they explicitly decline any responsibility for lost or corrupted data in their service agreements.

 

Using our techniques, both users and companies will benefit. Users will enjoy increased security and provable cryptographic guarantees, while companies can charge premium fees for offering such guarantees, or bring more customers who were worried about security issues. We hold several patents on this topic.

We are grateful for the support from Koç SistemTürk TelekomTÜBİTAK, and European Union COST Action IC1206.

Cloud Computation

Cloud computation can be summarized as outsourcing a computation job that is infeasible or expensive to do with one’s own resources to others with more computation resources. Two main types of these mechanisms are:

  • P2P (peer-to-peer) cloud: Outsourcing the job to multiple entities
  • Giant cloud: Outsourcing the job to a more powerful entity (e.g., Amazon EC2)

Cloud computing presents unique challenges that need to be addressed by cryptography and security experts, as well as game theory and mechanism design principles. Our goal is to combine different techniques to ensure result reliability and inline participation incentives. Further goals may include computation privacy, such as privacy of queries and data in outsourced databases.

We also have efficient solutions for fair and secure two-party and multi-party computation (2PC and MPC). These solutions enable two or more parties to compute a function together, where each party provides some input, but the other parties do not learn any useful information about that input (except, of course, the output of the function). We enable such protocols to be done fairly efficiently, where either all parties receive the output of the computation, or no one receives anything useful.

We are grateful for the support from TÜBİTAK and European Union COST Action IC1306.

Outsourced Databases

Nowadays, outsourcing is very popular, including outsourcing the storage and querying of databases to untrusted servers. There are two main issues with such an outsourced database: Secrecy of the data, and authenticity of the query results. We are interested in developing cryptographic mechanisms to the latter: Our solutions enable a client to verify that the results returned for her query is:

  • Complete: There is no extra record added to or no missing record removed from the result.
  • Correct: All records in the result remain unmodified.
  • Fresh: The result only contains the latest versions of the records in a dynamic database.

We also separate the job of the regular database management system (DBMS), and the database authentication system (DBAS). We leave the DBMS unmodified, and introduce a DBAS system that can work with any DMBS solution. We further let the data owner and queriers to be different parties.

 

We are grateful for the support from TÜBİTAK.

Fair Exchange

Fairly exchanging digital content is an everyday problem. A fair exchange scenario commonly involves Alice and Bob. Alice has something that Bob wants, and Bob has something that Alice wants. A fair exchange protocol guarantees that at the end either each of them obtains what (s)he wants, or neither of them does.

There has been a great deal of research on fairly exchanging two items. But when one considers peer-to-peer systems, efficiency and performance of the fair exchange protocol matters. We created an efficient and scalable optimistic fair exchange protocol suitable for use in high-churn peer-to-peer file sharing systems. Our fairness solutions are also applicable to scenarios including  secure two-party or multi-party computation, as well as cloud storage systems.

Furthermore, while analyzing the limits of fair exchange protocols, we looked at distributing centralized parties, such as the trusted third party, the arbiter. Our results include impossibility cases and optimality proofs.

We are grateful for the support from TÜBİTAK and European Union COST Action IC1306.

Genetic Authentication on the Cloud

Genetic data is one of the most dear, private values a person owns. Yet, it is also very useful for authentication purposes, since we carry it with us all the time, and it can be used to uniquely identify a person. Once you want to create a DNA-based authentication system, where the data is kept at a cloud server and the authentication is performed online, one must protect confidentiality and integrity of the genomic data, and provide privacy against and correctness of the cloud actions.

We are grateful for the support from TÜBİTAK through 1003 Large Scale R&D program. This project is done in collaboration with:

Future Projects

Here are some high-level project ideas that may be developed if a student/collaborator is interested (some of them are extensions to our current or past projects, some are new)

 

  • Usable Security, Password-based Authentication, One-time Passwords, Dictionary Attacks
  • Peer-to-peer systems, including video streaming, storage, distribution, and their security
  • Database Privacy, Private Information Retrieval, Privacy-preserving Information Sharing
  • Private Health Information Sharing, Electronic Health System record privacy
  • Cryptocurrency systems, Electronic Cash, Anonymous Credentials, Bitcoin, Blockchain
  • Electronic identity systems (e-ID and e-passport), Anonymous Authentication, Public Key Infrastructure (PKI)
  • Novel applications with Lattice-based cryptography
  • Novel applications with Elliptic-curve cryptography

 

Contact us with a research proposal if interested. See the Work with Us page.