Research | Cybersecurity and Privacy Institute

Research at the Cybersecurity and Privacy Institute

When CPI was founded, four CPI areas of expertise were identified (security, privacy, cryptography, quantum-safe communications). As the initial list was too coarse-grained, we initiated an exercise to refine and revamp the list, with input from CPI members. We began with a draft list and solicited feedback from several senior CPI members, as well as the members of the CPI Faculty Advisory Committee which has representation from every faculty.

The list is intended to be descriptive rather than prescriptive and is used to find the right experts whenever an external partner approaches CPI with a request for proficiency. These nine areas are also indicative of the importance CPI places on addressing global cybersecurity risks, as they encompass a comprehensive and interconnected approach to understanding and proactively addressing the spectrum of cybersecurity and privacy concerns of the global community. Additionally, these areas of expertise expand on the specific fields within which the cybersecurity talent gap exists; illustrating the wide range of interdisciplinary skills required to effectively engage with multi-layered cybersecurity and privacy issues, e.g., implementing surveillance technology in the workplace requires hardware, software, legal, public relations, and ethics skillsets to be effective and responsible.

The Cybersecurity and Privacy Institute (CPI) fosters an interdisciplinary and collaborative approach to research and training in cybersecurity and privacy. Our mandate is to nurture and enhance Canada’s leadership position in cybersecurity and privacy research by partnering with industry to collaborate on these core research areas:

Cryptography

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of information to view its contents. It provides mathematical and algorithmic tools that are critical for protecting the security of information and communication infrastructures (e.g., the Internet).

Modern cryptography concerns itself with the following four objectives:

Confidentiality: The information cannot be understood by anyone for whom it was unintended
Integrity: The information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected
Non-repudiation: The creator/sender of the information cannot deny at a later stage their intentions in the creation or transmission of the information
Authentication: The sender and receiver can confirm each other's identity and the origin/destination of the information

Research topics	CPI researchers
Blockchain Blockchain is a type of shared database that differs from a typical database in the way that it stores information; blockchains store data in blocks that are then linked together via cryptography.	Guang Gong Sergey Gorbunov Anwar Hasan
Cryptography for Differential Privacy Uses cryptographic primitives to bridge the gap between SDP and LDP. In these solutions, the trusted data curator in SDP is replaced by cryptographic primitives that result in more practical trust assumptions than the SDP model, and better utility than under the LDP model.	Xi He
Cryptography for Distributed Systems Cryptography to secure a distributed system, which is a computing environment in which various components are spread across multiple computers (or other computing devices) on a network. These devices s plit up the work, coordinating their efforts to complete the job more efficiently than if a single device had been responsible for the task.	Ian Goldberg Sergey Gorbunov
Cryptographic Hardware Cryptographic hardware acceleration is the use of hardware to perform cryptographic operations faster than they can be performed in software. Hardware accelerators are designed for computationally intensive software code.	Anwar Hasan Mark Aagaard
Foundations of Cryptography Foundations of cryptography are the paradigms, approaches and techniques used to conceptualize, define, and provide solutions to natural Cryptographic problems.	Sergey Gorbunov Mohammad Hajiabadi David McKinnon
Key Establishment Key establishment is the process by which two (or more) entities establish a shared secret key. Essentially, two methods are used to establish cryptographic keying material between parties: key agreement and key transport.	Ian Goldberg Douglas Stebila
Internet Security Internet Security consists of a range of security tactics for protecting activities and transactions conducted online over the internet.	Ian Goldberg Douglas Stebila
Isogeny-based Cryptography Isogeny-based encryption uses the shortest keys of any proposed post-quantum encryption methods, requiring keys roughly the same size as are currently in use.	David Jao
Lattice-based Cryptography Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions are currently important candidates for post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems, which could, theoretically, be easily attacked by a quantum computer, some lattice-based constructions appear to be resistant to attack by both classical and quantum computers.	Mohammad Hajiabadi Douglas Stebila
Lightweight Cryptography Lightweight cryptography is an encryption method with a small footprint and/or low computational complexity. It is aimed at expanding the applications of cryptography to constrained devices and the IoT, and its related international standardization and guidelines compilation are currently underway.	Guang Gong
Multi-party Computation Multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants (an eavesdropper on the sender and receiver), the cryptography in this model protects participants' privacy from each other.	Ian Goldberg Mohammad Hajiabadi
Post-quantum Cryptography Post-quantum cryptography is cryptographic algorithms (usually public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem, or the elliptic-curve discrete logarithm problem. All of these problems can be easily solved on a sufficiently powerful quantum computer running Shor's algorithm.	Mohammad Hajiabadi David Jao Michele Mosca Douglas Stebila Koray Karabina Jon Yard Samuel Erik Jaques
Privacy-preserving Machine Learning Privacy-preserving ML is privacy-enhancing techniques concentrated on allowing multiple input parties to collaboratively train ML models without releasing their private data in its original form.	Guang Gong Xi He
Private Capacity of Quantum Channels Private capacity of quantum channels is a formula for the capacity of a quantum channel for transmitting private classical information is derived. This is shown to be equal to the capacity of the channel for generating a secret key, and neither capacity is enhanced by forward public classical communication.	Debbie Leung
Private Information Retrieval In cryptography, a private information retrieval protocol is a protocol that allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved.	Ian Goldberg Mohammad Hajiabadi
Pseudorandom Bit Generation Pseudorandom bit generation is an algorithm for generating a sequence of numbers whose properties approximate the properties of sequences of random numbers, which are important in practice for their speed in number generation and their reproducibility. Cryptographic applications require the output not to be predictable from earlier outputs, and more elaborate algorithms, which do not inherit the linearity of simpler PRNGs, are needed.	Guang Gong
Quantum Cryptanalysis Quantum cryptanalysis is the study and evaluation of cryptographic algorithms in the presence of a quantum enabled adversary. Quantum computers are expected, within a decade, to be large enough to have an impact on the cryptographic algorithms currently deployed. Hence, the need to study quantum resource requirements to be properly prepared for future quantum-based concerns.	Michele Mosca

Data science - security and privacy

Data Science - Security and Privacy 

The field of data science is broad in scope, combining multiple fields, such as: artificial intelligence, statistics and data analysis to clarify and extract value from data and derive actionable insights.

‘Big Data’ is fuelling the digital economy and companies are amassing vast amounts of personal data. The exploitation of this data also carries the risk of exposing this data to unauthorized or at least unwanted entities, including business partners and end users. Furthermore, when collecting data from many sources, data integrity is not necessarily ensured. Services relying on data sources can be misled by malicious modification to data thus new protection mechanisms need to be developed.

Selected illustrative challenges include:

Secure and private collection and combination of data sources
Differential privacy in machine learning models and databases
Secure and private inference

Research topics	CPI Researchers
Reliability of Machine Learning Models Building theoretical foundations for defenses and studying their attack resistance against the following: out of distribution data, adversarial examples, random adversaries (random noise models) and semi-random adversaries (mixed random/adversarial corruption models). Developing practical, large-scaled algorithms for real-world AI security problems in computer vision, natural language processing, medical data analysis, etc.	Hongyang Zhang Yaoliang Yu Vijay Ganesh Gautam Kamath N. Asokan Ehsan Amjadian
Differential Privacy in Machine Learning Models and Databases Developing provably private mechanisms to query databases, visualize data, compute statistics or train machine learning models that improve the privacy vs. accuracy trade-off over existing approaches. Developing and evaluating efficient systems that implement those mechanisms in important applications.	Xi He Gautam Kamath Hongyang Zhang N. Asokan Ehsan Amjadian Sujaya Maiyya
Privately Linking Data Sources Designing cryptographic protocols that can securely and efficiently link data sources and compute functions over their intersection. Developing and evaluating practical deployments for real-world applications in record linkage or fintech.	Florian Kerschbaum
Economics of Data Collection and Use Understanding the effects of government intervention and policy on the overall societal welfare of industrial data collection and use. Studying mechanisms, such as data markets, to reconcile commercial data use with citizen’s control of private information.	Anindya Sen
Mis-/Disinformation Studying the spread of mis/disinformation related to collective risks (such as climate change and global pandemics), surveillance, and privacy across a wide variety of national contexts and political regimes. Developing measures and probabilistic models that enable us to better understand when, why, and how mis/disinformation impacts political culture, cognition, deliberation, and identities.	John McLevey

Human & Societal Aspects of Security and Privacy

Human & societal aspects of security and privacy

The current 'Digital Age' has witnessed an exponential technological development that has enabled individuals to access a wide array of innovative services and goods through the internet and interact with one another through different digital spaces. However, these technological advances have also come with societal costs, such as:

a loss in individual privacy and the potential for being a victim of cyber-crime
people being increasingly commodified as data inputs by digital platforms
the pervasive spread of misinformation and fake news that result in societal polarization and weakened democracies
massive market power and wealth in the hands of a few large firms
the emergence of cyber-attacks as significant threats to national security

Selected illustrative challenges include:

Technology design
Behavioural choices
Public policy

Research topics	CPI Researchers
Technology Design Technology design focuses on improving user experiences, security, and adapting technological designs by increasing the knowledge, data sets, and understanding of technological impacts in a wide array of variables.	Phil Boyle Heather Love Marcel O'Gorman Jennifer Whitson Adam Molnar Urs Hengartner Plinio Morita Leah Zhang-Kennedy Stacey Watson Kami Vaniea
Behavioral Choices Behavioral choices research focuses on the impacts of technology and technology-related variables on how individuals and/or larger groups modify their behaviour and choices as a result.	Veronica Kitchen John McLevey Alec Cram Maura Grossman Heather Love Marcel O'Gorman Jennifer Whitson Adam Molnar Urs Hengartner Plinio Morita Lean Zhang-Kennedy
Public Policy Public policy research encompasses the study of public policies that govern technology and its implementation, their impacts, and their potential needs for adjustment.	Anindya Sen Ian Goldberg Bessma Momani Veronica Kitchen John McLevey Adam Molnar Alec Cram

Research topics

CPI Researchers

Technology Design
Technology design focuses on improving user experiences, security,
and adapting technological designs by increasing the knowledge,
data sets, and understanding of technological impacts in a wide array
of variables.

Behavioral Choices
Behavioral choices research focuses on the impacts of technology and
technology-related variables on how individuals and/or larger groups
modify their behaviour and choices as a result.

Public Policy
Public policy research encompasses the study of public policies that
govern technology and its implementation, their impacts, and their
potential needs for adjustment.

Legal and Policy Aspects of Security and Privacy

Legal and policy aspects of security and privacy

Legal and Policy Aspects of Security and Privacy research considers how law and policy shape information environments that relate to cybersecurity and privacy across a range of sectors including health, education, government, consumer, the workplace, and law enforcement. As rapid technological innovations outpace regulatory environments, law and policy research considers how existing law and policy may be insufficient or unfit to facilitate meaningful security and privacy. Researchers under this subtheme also often consider how law and policy are employed as a set of tools to improve the design and delivery of security and privacy.

Selected illustrative challenges include:

Privacy law and policy reform
Digital human rights
Governance and regulations by design

Research topics	CPI Researchers
Supervised Machine-Learning for Legal Applications The application and evaluation of supervised ML for use in electronic discovery in litigation, in the curation of government records, and for systematic reviews in evidence-based medicine.	Maura Grossman
Ethical, Legal, and Policy Considerations of Artificial Intelligence and Machine-Learning AI systems & ML apply learning techniques to statistics to find patterns in large sets of data and make predictions based on those patterns. Due to the proliferation of AI in high-risk privacy areas, there is an increased focus to design and govern AI to be accountable, equitable, and transparent. This includes studies on how best to serve these goals in legal and policy contexts.	Maura Grossman Bessma Momani Vijay Ganesh
Understanding the Risks and Regulation of Workplace Surveillance in Canada’s Transition to a Digital Economy Employers & employees require guidance navigating and updating transparent equitable policies related to surveillance technologies for employees. These policies must be informed by best practices that protect employee rights, data security, and equitable treatment.	Adam Molnar
Responding to Cyber-threats, Cyberattacks, and The Weaponization of Dis/Mis-information Focusing on response methods to cyberattacks and the weaponization of dis/misinformation, this research seeks to establish the potential consequences of the (mis)use of information in a digital sphere, and the ways in which these malicious acts can be prevented or mitigated.	Bessma Momani Veronica Kitchen
Large-scale Data Governance and Modern Techniques for Managing User Consent A consent management system allows customers to determine what personal data they are willing to share, which satisfies the lawful requirement for entities to obtain user consent for collecting data, as they are responsible for collecting and managing customer consent. A good consent management process logs and tracks consent collection, and ensures privacy, so that said entities are in compliance with worldwide laws and regulations.	Plinio Morita
Maintaining Security, Trust, and Privacy in Health Tech Innovations As health data is potentially the most personal and sensitive data for individuals, they must be comfortable sharing this data with a healthcare entity. Healthcare is highly regulated, and health data is a prime target for cybercrime; hence, the very best efforts are required in this area.	Adam Molnar Plinio Morita
Surveillance and Privacy in Urban Governance Surveillance and privacy in urban governance is helpful to governments, allowing them to gather information and exercise control, which is necessary to fulfill their roles factoring many variables such as increased mobility/anonymity in modern life. Conversely, unchecked surveillance can lead to inequality, discrimination, and repression, undermining a democratic society. Research in this area seeks to promote oversight, accountability, and balance.	Phil Boyle

Network Security

Network security

Network security research aims at building secure network infrastructures and communication protocols to protect end users’ data, applications, devices, as well as networked assets, from a vast landscape of cyber threats. As businesses increasingly rely on distributed software applications that run across networks, the need for developing holistic solutions that incorporate resource monitoring, access control, threat detection, and attack mitigation capabilities in different operational settings has become a central concern for network administrators.

Selected illustrative challenges include:

Secure protocols for distributed systems
Data-driven security automation for software-defined networks
Security in the era of blockchains
Mobile and IOT security

Research topics	CPI researchers
Secure Protocols for Distributed Systems Distributed systems are a network of computing devices that share information and workload to increase efficiency, with the application of cryptographic schemes to secure the data that is transmitted throughout a distributed system, such as a healthcare network.	Sergey Gorbunov Douglas Stebila Guang Gong Mahesh Tripunitara Samer Al-Kiswany
Data-driven Security Automation for Software-defined Networks Data-driven security automation uses machine learning to analyze big data and improve cybersecurity responses and adaptations. A software-defined network is the ability to abstract the management and administrative capabilities of the technology. With SDN, it’s the ability to control the provisioning of network devices, VLANs, firewall rules, etc., and the flow of data.	Bernard Wong Raouf Boutaba Diogo Barradas Samer Al-Kiswany
Security in the Era of Blockchains Blockchain technology produces a structure of data with inherent security qualities, based on principles of cryptography, decentralization, and consensus, promoting trust in transactions. It is not infallible however, hence security research to improve blockchain viability is an ongoing initiative.	Sergey Gorbunov Raouf Boutaba Guang Gong Sherman Shen Mahesh Tripunitara Stacey Watson
Mobile and IoT Security Connected devices can be limited in resources in terms of computing power, storage, bandwidth, and energy. Mobile and IoT security applications require adaptive methods for highly diverse contexts utilizing varied resources and conceivably dynamic environments.	Urs Hengartner Sherman Shen Guang Gong Stacey Watson

Operational Security Aspects

Operational security aspects

Operational security are the organizational processes deployed to prevent sensitive information from being compromised and seeks to identify threats and activities that could result in critical data being leaked or revealed to a hostile actor. These processes are most effective when fully integrated into all planning and operational processes. It includes five steps:

critical data identification
threat analysis
vulnerability analysis
risk analysis
integration of appropriate countermeasures

Selected illustrative challenges include:

Information systems assurance involves review, evaluation, and reporting on the integrity of information systems and the information they produce, focusing on the processes used to develop, operate, change, and control those information systems. Information systems assurance services include diagnostic assessments of the strengths and weaknesses of IT governance, assessments of information systems controls, assessments of compliance with management policies, standards and regulatory requirements, assessments of the effectiveness of information systems development, operation and change, and other assessments designed to provide assurance to a variety of stakeholders about the integrity of information systems and the information they produce.

Research topics	CPI researchers
Operational Continuity of Mission-critical Information Systems Operational continuity of mission critical information systems focuses on designing and assessing mechanisms to ensure the operational continuity of mission-critical information systems through the use of comprehensive controls and effective incident response strategies.	Efrim Boritz Meng Xu
Professional Practice in External/Internal Auditing Professional practice in external/internal auditing involves investigating areas of professional practice in external auditing and internal auditing which rely on the exercise of professional judgment and aims to identify factors affecting judgment processes and systematic determinants of judgment quality, with a particular focus on judgement enhancement through decision aids and decision support systems.	Efrim Boritz Alec Cram
Information Systems Control Initiatives Information systems control initiatives focus on how information systems control initiatives can contribute to improving the performance of organizational processes, including systems development and cybersecurity.	Alec Cram Efrim Boritz
Automated Program Analysis/Testing/Verification Tools This topic is intersects with the area of system and software security, with a focus on delivering high-quality solutions to practical security programs, especially in finding and patching vulnerabilities in critical computer systems.	Meng Xu

Privacy-Enhancing Technologies

Privacy-enhancing technologies

Privacy-enhancing technologies research is aimed at empowering people to individually control who can gain access to personal information about them, what those with access can do with that information, and with whom those with access can share the information. Many companies and governments have assembled massive amounts of data about individuals, or are placing restrictions on what information individuals can access, which acutely threatens people's privacy and calls for the ongoing development of new and stronger technologies.

Selected illustrative challenges include:

Provable privacy guarantees
Censorship circumvention

Research topics	CPI researchers
Differential Privacy DP is a system for publicly sharing information about a dataset by describing the patterns of groups within the dataset while withholding information about individuals in the dataset. If the effect of making an arbitrary single substitution in the database is small enough, the query result cannot be used to infer much about an individual, which provides privacy.	Xi He Gautam Kamath Florian Kerschbaum
Censorship Circumvention Censorship circumvention is the use of various methods and tools to bypass internet censorship. An arms race has developed between censors and developers of circumvention software, resulting in more sophisticated blocking techniques by censors and the development of harder-to-detect tools by researchers.	Diogo Barradas Ian Goldberg
Privacy for Machine Learning Some ML applications require private individuals’ data, which is uploaded to centralized locations in clear text for ML algorithms to extract patterns, and build models from them. Such applications clearly necessitate ML specific privacy protections.	N. Asokan Florian Kerschbaum Sherman Shen Yaoliang Yu
Cryptography Cryptography refers to secure information and communication techniques derived from mathematical concepts and a set of rule-based calculations called algorithms, to transform messages in ways that are hard to decipher. These deterministic algorithms are used for cryptographic key generation, digital signing, verification to protect data privacy, web browsing on the internet and confidential communications such as credit card transactions and email.	Ian Goldberg Guang Gong Koray Karabina Samuel Erik Jaques
Social Issues As most technology and privacy issues involve human interactions and/or impacts, it is important to study these impacts through a lens that focuses on these variables. This includes examining sociological, psychological, and sociopolitical interactions with technology and privacy concerns.	Marcel O'Gorman Plinio Morita
Mobile Privacy Mobile privacy refers to the privacy rights of users of mobile devices (smartphones, tablets, smart watches, etc.) that are different from and typically additional to the rights of users of internet-based services in general. Mobile devices often contain GPS info, myriad forms of personal data, microphones, and cameras etc., making their security a crucial necessity for users.	Urs Hengartner Plinio Morita

Quantum-Safe Communication

Quantum-safe communication

Quantum safe communication, also known as quantum-resistant communication, refers to methods of transmitting information that is secure against the potential future use of quantum computers. These computers, which are still in the early stages of development, have the potential to break many of the conventional encryption methods currently used to protect sensitive data.

This research field is concerned with the development of cryptographic primitives and protocols that can withstand attacks even by large-scale quantum computers.

Selected illustrative challenges include:

Quantum Key Distribution
Post-Quantum Cryptography
Quantum Algorithms and Cryptanalysis

Research topics	CPI researchers
Quantum Information Theory Quantum Information Theory is the mathematical theory of information–processing tasks using quantum mechanical systems. such as storage and transmission of information.	Debbie Leung Norbert Lütkenhaus Jon Yard
Quantum Algorithms and Cryptanalysis Quantum cryptanalysis focuses on developing and analyzing quantum algorithms for breaking cryptographic assumptions.	Debbie Leung Michele Mosca Samuel Erik Jaques
Standardization of Post-quantum Cryptography and QKD Standardization of post-quantum cryptography and QKD develop new public-key cryptography standards specifying one or more unclassified, publicly disclosed digital signature, public-key encryption, and key-establishment algorithms that are available worldwide, capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers.	David Jao Thomas Jennewein Norbert Lütkenhaus Michele Mosca Douglas Stebila
Post-quantum Cryptography Post-quantum cryptography, or quantum-resistant cryptography, aims to develop cryptographic systems that are secure against both classical and quantum computers, and can work in conjunction with existing networks and communications protocols.	Guang Gong Mohammad Hajiabadi Anwar Hasan David Jao Michele Mosca Douglas Stebila Koray Karabina Samuel Erik Jaques
Quantum Key Distribution QKD is a secure communication method for exchanging encryption keys only known between shared parties, using properties found in quantum physics to exchange cryptographic keys in a manner that is provable and provides security. QKD enables two parties to create and share a key which is then used to encrypt and decrypt messages; QKD is the method of distributing the key, not the key or the data exchanged.	Thomas Jennewein Norbert Lütkenhaus

Software, Hardware, and Systems Security

Software, hardware, and systems security

Research efforts are aimed at securing computing devices and the software that runs on them from external cyberattacks. With computing systems being an essential component of every Canadian’s life, especially with millions of devices working from home since 2020, it is increasingly important to secure the hardware and software that they depend on.

Selected illustrative challenges include:

Vulnerability Detection
Certifying Security Properties of Systems
Hardware-assisted Software Protection

Research topics	CPI researchers
Hardware-Assisted Run-Time Protection HW-assisted run-time protection is used to harden computer systems against modern run-time attacks; software defenses offer strong security guarantees, but their usefulness is limited by high performance overhead.	N. Asokan Cathy Gebotys Ali Mashtizadeh
Ensuring Security Properties with Custom Type Systems Custom type systems are used to detect if there exists any kind of violation of confidentiality or integrity in a program.	Arie Gurfinkel Werner Dietl Sihang Liu
Memory Safety of Low-Level Code Memory safety bugs are often security issues, memory safe languages are more secure.	Arie Gurfinkel Mei Nagappan N. Asokan Ali Mashtizadeh Meng Xu
Embedded Systems Security An embedded system is a programmable hardware component with a minimal operating system and software. Embedded system security is a strategic approach to protecting software running on embedded systems from attack.	Sebastian Fischmeister
Software Security Software security describes frameworks, processes, methodologies, and strategies that enhance security and reduce vulnerabilities within software and the environment in which it runs. Approaches to software security are frequently structured around potential malicious cyber-attacks.	Chengnian Sun Mei Nagappan Yousra Aafer Meng Xu Raouf Boutaba Sujaya Maiyya Samer Al-Kiswany Sirisha Rambhatla Yash Vardhan Pant Seyed Majid Zahedi Sihang Liu
Mobile/IoT Security Mobile (wireless) security is the protection of smartphones, tablets, laptops, and other portable computing devices, and the networks they connect to. Internet of Things (IoT) security is the safeguards and protections for cloud-connected devices such as home automation, security cameras, and any other technology that connects directly to the cloud.	Yousra Aafer Mahesh Tripunitara
Formal Methods in Security Formal methods are a specific type of mathematically rigorous techniques for the specification, development, and verification of software and hardware systems, in this case, with a security focus.	Mark Aagaard Vijay Ganesh Meng Xu Guang Gong Anwar Hasan Sujaya Maiyya