Research

Research at the Cybersecurity and Privacy Institute

When CPI was founded, four CPI areas of expertise were identified (security, privacy, cryptography, quantum-safe communications). As the initial list was too coarse-grained, we initiated an exercise to refine and revamp the list, with input from CPI members. We began with a draft list and solicited feedback from several senior CPI members, as well as the members of the CPI Faculty Advisory Committee, which has representation from every faculty.

The list is intended to be descriptive rather than prescriptive and is used to find the right experts whenever an external partner approaches CPI with a request for proficiency. These nine areas are also indicative of the importance CPI places on addressing global cybersecurity risks, as they encompass a comprehensive and interconnected approach to understanding and proactively addressing the spectrum of cybersecurity and privacy concerns of the global community. Additionally, these areas of expertise expand on the specific fields within which the cybersecurity talent gap exists, illustrating the wide range of interdisciplinary skills required to effectively engage with multi-layered cybersecurity and privacy issues; e.g., implementing surveillance technology in the workplace requires hardware, software, legal, public relations, and ethics skillsets to be effective and responsible.

The Cybersecurity and Privacy Institute (CPI) fosters an interdisciplinary and collaborative approach to research and training in cybersecurity and privacy. Our mandate is to nurture and enhance Canada’s leadership position in cybersecurity and privacy research by partnering with industry to collaborate on these core research areas:

Cryptography

Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of information to view its contents. It provides mathematical and algorithmic tools that are critical for protecting the security of information and communication infrastructures (e.g., the Internet).

Modern cryptography concerns itself with the following four objectives:

  • Confidentiality: The information cannot be understood by anyone for whom it was unintended
  • Integrity: The information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected
  • Non-repudiation: The creator/sender of the information cannot deny at a later stage their intentions in the creation or transmission of the information
  • Authentication: The sender and receiver can confirm each other's identity and the origin/destination of the information

Research topics CPI researchers
Blockchain
Blockchain is a type of shared database that differs from a typical database in the way
that it stores information; blockchains store data in blocks that are then linked together
via cryptography.

Guang Gong

Cryptography for Differential Privacy
Uses cryptographic primitives to bridge the gap between SDP and LDP.
In these solutions, the trusted data curator in SDP is replaced by
cryptographic primitives that result in more practical trust assumptions
than the SDP model, and better utility than under the LDP model.
Cryptography for Distributed Systems
Cryptography to secure a distributed system, which is a computing
environment in which various components are spread across multiple
computers (or other computing devices) on a network. These devices
split up the work, coordinating their efforts to complete the job more
efficiently than if a single device had been responsible for the task.

Cryptographic Hardware
Cryptographic hardware acceleration is the use of hardware to perform
cryptographic operations faster than they can be performed in software.
Hardware accelerators are designed for computationally intensive
software code.

Foundations of Cryptography
Foundations of cryptography are the paradigms, approaches and
techniques used to conceptualize, define, and provide solutions to
natural cryptographic problems.

David McKinnon

Key Establishment
Key establishment is the process by which two (or more) entities establish
a shared secret key. Essentially, two methods are used to establish
cryptographic keying material between parties: key agreement and
key transport.


Internet Security
Internet Security consists of a range of security tactics for protecting
activities and transactions conducted online over the internet.

Isogeny-based Cryptography
Isogeny-based encryption uses the shortest keys of any proposed
post-quantum encryption methods, requiring keys roughly the same
size as are currently in use.
Lattice-based Cryptography
Lattice-based cryptography is the generic term for constructions of
cryptographic primitives that involve lattices, either in the construction
itself or in the security proof. Lattice-based constructions are currently
important candidates for post-quantum cryptography. Unlike more widely
used and known public-key schemes such as the RSA, Diffie-Hellman or
elliptic-curve cryptosystems, which could, theoretically, be easily attacked
by a quantum computer, some lattice-based constructions appear to be
resistant to attack by both classical and quantum computers.

Lightweight Cryptography
Lightweight cryptography is an encryption method with a small footprint
and/or low computational complexity. It is aimed at expanding the applications
of cryptography to constrained devices and the IoT, and its related international
standardization and guidelines compilation are currently underway.
Guang Gong
Multi-party Computation
Multi-party computation is a subfield of cryptography with the goal of
creating methods for parties to jointly compute a function over their
inputs while keeping those inputs private. Unlike traditional cryptographic
tasks, where cryptography assures security and integrity of communication
or storage and the adversary is outside the system of participants (an
eavesdropper on the sender and receiver), the cryptography in this model
protects participants' privacy from each other.

Post-quantum Cryptography
Post-quantum cryptography refers to cryptographic algorithms (usually public-key
algorithms) that are thought to be secure against a cryptanalytic attack by a
quantum computer. The problem with currently popular algorithms is that
their security relies on one of three hard mathematical problems: the integer
factorization problem, the discrete logarithm problem, or the elliptic-curve
discrete logarithm problem. All of these problems can be easily solved on
a sufficiently powerful quantum computer running Shor's algorithm.

Privacy-preserving Machine Learning
Privacy-preserving ML refers to privacy-enhancing techniques concentrated on
allowing multiple input parties to collaboratively train ML models without
releasing their private data in its original form.

Guang Gong

Private Capacity of Quantum Channels
Research on the private capacity of quantum channels derives a formula for the
capacity of a quantum channel for transmitting private classical information.
This is shown to be equal to the capacity of the channel for generating a
secret key, and neither capacity is enhanced by forward public classical
communication.
Private Information Retrieval
In cryptography, a private information retrieval protocol is a protocol that
allows a user to retrieve an item from a server in possession of a database
without revealing which item is retrieved.

Pseudorandom Bit Generation
Pseudorandom bit generation uses an algorithm for generating a sequence of
numbers whose properties approximate the properties of sequences of random
numbers, which are important in practice for their speed in number generation
and their reproducibility. Cryptographic applications require the output not to be
predictable from earlier outputs, and more elaborate algorithms, which do not
inherit the linearity of simpler PRNGs, are needed.
Guang Gong

Quantum Cryptanalysis
Quantum cryptanalysis is the study and evaluation of cryptographic algorithms
in the presence of a quantum enabled adversary. Quantum computers are
expected, within a decade, to be large enough to have an impact on the
cryptographic algorithms currently deployed. Hence, the need to study quantum
resource requirements to be properly prepared for future quantum-based concerns.

Data Science - Security and Privacy

The field of data science is broad in scope, combining multiple fields, such as artificial intelligence, statistics, and data analysis, to clarify and extract value from data and derive actionable insights.

‘Big Data’ is fuelling the digital economy and companies are amassing vast amounts of personal data. The exploitation of this data also carries the risk of exposing this data to unauthorized, or at least unwanted, entities, including business partners and end users. Furthermore, when collecting data from many sources, data integrity is not necessarily ensured. Services relying on data sources can be misled by malicious modification of data; thus, new protection mechanisms need to be developed.

Selected illustrative challenges include:

  • Secure and private collection and combination of data sources
  • Differential privacy in machine learning models and databases
  • Secure and private inference

Research topics CPI Researchers

Reliability of Machine Learning Models
Building theoretical foundations for defenses and studying their
attack resistance against the following: out-of-distribution data,
adversarial examples, random adversaries (random noise models)
and semi-random adversaries (mixed random/adversarial
corruption models). Developing practical, large-scale algorithms
for real-world AI security problems in computer vision, natural language
processing, medical data analysis, etc.

Differential Privacy in Machine Learning Models and Databases
Developing provably private mechanisms to query databases, visualize
data, compute statistics or train machine learning models that improve
the privacy vs. accuracy trade-off over existing approaches. Developing
and evaluating efficient systems that implement those mechanisms in
important applications.

Privately Linking Data Sources
Designing cryptographic protocols that can securely and efficiently link
data sources and compute functions over their intersection. Developing
and evaluating practical deployments for real-world applications in record
linkage or fintech.

Economics of Data Collection and Use
Understanding the effects of government intervention and policy on the
overall societal welfare of industrial data collection and use. Studying
mechanisms, such as data markets, to reconcile commercial data use
with citizens’ control of private information.
Anindya Sen
Mis-/Disinformation
Studying the spread of mis/disinformation related to collective risks
(such as climate change and global pandemics), surveillance, and
privacy across a wide variety of national contexts and political regimes.
Developing measures and probabilistic models that enable us to better
understand when, why, and how mis/disinformation impacts political
culture, cognition, deliberation, and identities.
John McLevey

Human & Societal Aspects of Security and Privacy

The current 'Digital Age' has witnessed an exponential technological development that has enabled individuals to access a wide array of innovative services and goods through the internet and interact with one another through different digital spaces. However, these technological advances have also come with societal costs, such as:

  • a loss in individual privacy and the potential for being a victim of cyber-crime
  • people being increasingly commodified as data inputs by digital platforms
  • the pervasive spread of misinformation and fake news that result in societal polarization and weakened democracies
  • massive market power and wealth in the hands of a few large firms
  • the emergence of cyber-attacks as significant threats to national security

Selected illustrative challenges include:

  • Technology design
  • Behavioural choices
  • Public policy

Research topics CPI Researchers

Technology Design
Technology design focuses on improving user experiences, security,
and adapting technological designs by increasing the knowledge,
data sets, and understanding of technological impacts in a wide array
of variables.

Phil Boyle

Heather Love

Adam Molnar

Plinio Morita

Behavioral Choices
Behavioral choices research focuses on the impacts of technology and
technology-related variables on how individuals and/or larger groups
modify their behaviour and choices as a result.

Veronica Kitchen

John McLevey

Alec Cram

Heather Love

Adam Molnar

Plinio Morita

Public Policy
Public policy research encompasses the study of public policies that
govern technology and its implementation, their impacts, and their
potential needs for adjustment.

Anindya Sen

Bessma Momani

Veronica Kitchen

John McLevey

Adam Molnar

Alec Cram

Legal and Policy Aspects of Security and Privacy

Legal and policy aspects of security and privacy research considers how law and policy shape information environments that relate to cybersecurity and privacy across a range of sectors including health, education, government, consumer, the workplace, and law enforcement. As rapid technological innovations outpace regulatory environments, law and policy research considers how existing law and policy may be insufficient or unfit to facilitate meaningful security and privacy. Researchers under this subtheme also often consider how law and policy are employed as a set of tools to improve the design and delivery of security and privacy.

Selected illustrative challenges include:

  • Privacy law and policy reform
  • Digital human rights
  • Governance and regulations by design

Research topics CPI Researchers
Supervised Machine-Learning for Legal Applications
The application and evaluation of supervised ML for use in electronic
discovery in litigation, in the curation of government records, and for
systematic reviews in evidence-based medicine.
Ethical, Legal, and Policy Considerations of Artificial Intelligence and Machine-Learning
AI systems and ML apply learning techniques to statistics to find patterns
in large sets of data and make predictions based on those patterns.
Due to the proliferation of AI in high-risk privacy areas, there is an
increased focus on designing and governing AI to be accountable, equitable,
and transparent. This includes studies on how best to serve these goals
in legal and policy contexts.

Bessma Momani

Understanding the Risks and Regulation of Workplace Surveillance in Canada’s Transition to a Digital Economy
Employers and employees require guidance navigating and updating
transparent, equitable policies related to surveillance technologies for
employees. These policies must be informed by best practices that
protect employee rights, data security, and equitable treatment.
Adam Molnar
Responding to Cyber-threats, Cyberattacks, and The Weaponization of Dis/Mis-information
Focusing on response methods to cyberattacks and the weaponization
of dis/misinformation, this research seeks to establish the potential
consequences of the (mis)use of information in a digital sphere, and
the ways in which these malicious acts can be prevented or mitigated.

Bessma Momani

Veronica Kitchen

Large-scale Data Governance and Modern Techniques for Managing User Consent

A consent management system allows customers to determine what
personal data they are willing to share, which satisfies the lawful
requirement for entities to obtain user consent for collecting data, as
they are responsible for collecting and managing customer consent.
A good consent management process logs and tracks consent
collection, and ensures privacy, so that said entities are in compliance
with worldwide laws and regulations.

Plinio Morita

Maintaining Security, Trust, and Privacy in Health Tech Innovations
As health data is potentially the most personal and sensitive data for
individuals, they must be comfortable sharing this data with a healthcare
entity. Healthcare is highly regulated, and health data is a prime target
for cybercrime; hence, the very best efforts are required in this area.

Adam Molnar

Plinio Morita

Surveillance and Privacy in Urban Governance
Surveillance and privacy in urban governance is helpful to governments,
allowing them to gather information and exercise control, which is necessary
to fulfill their roles, factoring in many variables such as increased mobility/anonymity
in modern life. Conversely, unchecked surveillance can lead to inequality,
discrimination, and repression, undermining a democratic society. Research
in this area seeks to promote oversight, accountability, and balance.
Phil Boyle

Network Security

Network security research aims at building secure network infrastructures and communication protocols to protect end users’ data, applications, devices, as well as networked assets, from a vast landscape of cyber threats. As businesses increasingly rely on distributed software applications that run across networks, the need for developing holistic solutions that incorporate resource monitoring, access control, threat detection, and attack mitigation capabilities in different operational settings has become a central concern for network administrators.

Selected illustrative challenges include:

  • Secure protocols for distributed systems
  • Data-driven security automation for software-defined networks
  • Security in the era of blockchains
  • Mobile and IoT security

Research topics CPI researchers

Secure Protocols for Distributed Systems
Distributed systems are a network of computing devices that share
information and workload to increase efficiency, with the application
of cryptographic schemes to secure the data that is transmitted
throughout a distributed system, such as a healthcare network.

Guang Gong

Data-driven Security Automation for Software-defined Networks
Data-driven security automation uses machine learning to analyze
big data and improve cybersecurity responses and adaptations.
Software-defined networking (SDN) is the ability to abstract the management
and administrative capabilities of the technology. With SDN, it’s the
ability to control the provisioning of network devices, VLANs, firewall
rules, etc., and the flow of data.

Roberto Guglielml

Security in the Era of Blockchains
Blockchain technology produces a structure of data with inherent
security qualities, based on principles of cryptography, decentralization,
and consensus, promoting trust in transactions. It is not infallible, however;
hence, security research to improve blockchain viability is an
ongoing initiative.

Guang Gong

Sherman Shen

Mobile and IoT Security
Connected devices can be limited in resources in terms of computing
power, storage, bandwidth, and energy. Mobile and IoT security
applications require adaptive methods for highly diverse contexts
utilizing varied resources and conceivably dynamic environments.

Sherman Shen

Guang Gong

Operational Security Aspects

Operational security comprises the organizational processes deployed to prevent sensitive information from being compromised, and seeks to identify threats and activities that could result in critical data being leaked or revealed to a hostile actor. These processes are most effective when fully integrated into all planning and operational processes. It includes five steps:

  • critical data identification
  • threat analysis
  • vulnerability analysis
  • risk analysis
  • integration of appropriate countermeasures

Selected illustrative challenges include:

Information systems assurance involves review, evaluation, and reporting on the integrity of information systems and the information they produce, focusing on the processes used to develop, operate, change, and control those information systems. Information systems assurance services include diagnostic assessments of the strengths and weaknesses of IT governance, assessments of information systems controls, assessments of compliance with management policies, standards and regulatory requirements, assessments of the effectiveness of information systems development, operation and change, and other assessments designed to provide assurance to a variety of stakeholders about the integrity of information systems and the information they produce.


Research topics CPI researchers
Operational Continuity of Mission-critical Information Systems
Operational continuity of mission critical information systems focuses
on designing and assessing mechanisms to ensure the operational
continuity of mission-critical information systems through the use of
comprehensive controls and effective incident response strategies.

Efrim Boritz

Professional Practice in External/Internal Auditing
Professional practice in external/internal auditing involves investigating
areas of professional practice in external auditing and internal auditing
which rely on the exercise of professional judgment and aims to identify
factors affecting judgment processes and systematic determinants of
judgment quality, with a particular focus on judgement enhancement
through decision aids and decision support systems.

Efrim Boritz

Alec Cram

Information Systems Control Initiatives
Information systems control initiatives focus on how information systems
control initiatives can contribute to improving the performance of
organizational processes, including systems development and cybersecurity.

Alec Cram

Efrim Boritz

Automated Program Analysis/Testing/Verification Tools
This topic intersects with the area of system and software security,
with a focus on delivering high-quality solutions to practical security
programs, especially in finding and patching vulnerabilities in critical
computer systems.

Privacy-Enhancing Technologies

Privacy-enhancing technologies research is aimed at empowering people to individually control who can gain access to personal information about them, what those with access can do with that information, and with whom those with access can share the information. Many companies and governments have assembled massive amounts of data about individuals, or are placing restrictions on what information individuals can access, which acutely threatens people's privacy and calls for the ongoing development of new and stronger technologies.

Selected illustrative challenges include:

  • Provable privacy guarantees
  • Censorship circumvention

Research topics CPI researchers

Differential Privacy
DP is a system for publicly sharing information about a dataset by
describing the patterns of groups within the dataset while withholding
information about individuals in the dataset. If the effect of making
an arbitrary single substitution in the database is small enough, the
query result cannot be used to infer much about an individual, which
provides privacy.

Censorship Circumvention
Censorship circumvention is the use of various methods and tools to
bypass internet censorship. An arms race has developed between
censors and developers of circumvention software, resulting in more
sophisticated blocking techniques by censors and the development
of harder-to-detect tools by researchers.

Privacy for Machine Learning
Some ML applications require private individuals’ data, which is
uploaded to centralized locations in clear text for ML algorithms to
extract patterns and build models from them. Such applications clearly
necessitate ML-specific privacy protections.

Sherman Shen

Cryptography
Cryptography refers to secure information and communication
techniques derived from mathematical concepts and a set of rule-based
calculations called algorithms, to transform messages in ways that
are hard to decipher. These deterministic algorithms are used for
cryptographic key generation, digital signing, and verification to protect data
privacy, web browsing on the internet, and confidential communications
such as credit card transactions and email.

Guang Gong

Social Issues
As most technology and privacy issues involve human interactions
and/or impacts, it is important to study these impacts through a lens
that focuses on these variables. This includes examining sociological,
psychological, and sociopolitical interactions with technology and
privacy concerns.

Plinio Morita

Mobile Privacy
Mobile privacy refers to the privacy rights of users of mobile devices
(smartphones, tablets, smart watches, etc.) that are different from and
typically additional to the rights of users of internet-based services in
general. Mobile devices often contain GPS info, myriad forms of
personal data, microphones, and cameras, etc., making their security a
crucial necessity for users.

Plinio Morita

Quantum-Safe Communication

Quantum-safe communication, also known as quantum-resistant communication, refers to methods of transmitting information that are secure against the potential future use of quantum computers. These computers, which are still in the early stages of development, have the potential to break many of the conventional encryption methods currently used to protect sensitive data.

This research field is concerned with the development of cryptographic primitives and protocols that can withstand attacks even by large-scale quantum computers.

Selected illustrative challenges include:

  • Quantum Key Distribution
  • Post-Quantum Cryptography
  • Quantum Algorithms and Cryptanalysis
Research topics CPI researchers

Quantum Information Theory
Quantum Information Theory is the mathematical theory of
information-processing tasks, such as storage and transmission
of information, using quantum mechanical systems.

Quantum Algorithms and Cryptanalysis
Quantum cryptanalysis focuses on developing and analyzing
quantum algorithms for breaking cryptographic assumptions.



Standardization of Post-quantum Cryptography and QKD
Standardization of post-quantum cryptography and QKD develops
new public-key cryptography standards specifying one or more
unclassified, publicly disclosed digital signature, public-key encryption,
and key-establishment algorithms that are available worldwide,
capable of protecting sensitive government information well into the
foreseeable future, including after the advent of quantum computers.

Post-quantum Cryptography
Post-quantum cryptography, or quantum-resistant cryptography,
aims to develop cryptographic systems that are secure against
both classical and quantum computers, and can work in conjunction
with existing networks and communications protocols.

Guang Gong

Quantum Key Distribution
QKD is a secure communication method for exchanging encryption
keys only known between shared parties, using properties found in
quantum physics to exchange cryptographic keys in a manner that
is provable and provides security. QKD enables two parties to create
and share a key which is then used to encrypt and decrypt messages;
QKD is the method of distributing the key, not the key or the data exchanged.

Software, Hardware, and Systems Security

Research efforts are aimed at securing computing devices and the software that runs on them from external cyberattacks. With computing systems being an essential component of every Canadian’s life, especially with millions of devices working from home since 2020, it is increasingly important to secure the hardware and software that they depend on.

Selected illustrative challenges include:

  • Vulnerability Detection
  • Certifying Security Properties of Systems
  • Hardware-assisted Software Protection
Research topics CPI researchers

Hardware-Assisted Run-Time Protection
HW-assisted run-time protection is used to harden computer
systems against modern run-time attacks; software defenses
offer strong security guarantees, but their usefulness is limited
by high performance overhead.

Ensuring Security Properties with Custom Type Systems
Custom type systems are used to detect if there exists any kind
of violation of confidentiality or integrity in a program.

Memory Safety of Low-Level Code
Memory safety bugs are often security issues; memory-safe
languages are more secure.

Embedded Systems Security
An embedded system is a programmable hardware component
with a minimal operating system and software. Embedded system
security is a strategic approach to protecting software running on
embedded systems from attack.

Sebastian Fischmeister

Software Security
Software security describes frameworks, processes, methodologies,
and strategies that enhance security and reduce vulnerabilities within
software and the environment in which it runs. Approaches to software
security are frequently structured around potential malicious cyber-attacks.

Yash Vardhan Pant

Mobile/IoT Security
Mobile (wireless) security is the protection of smartphones, tablets,
laptops, and other portable computing devices, and the networks
they connect to. Internet of Things (IoT) security is the safeguards and
protections for cloud-connected devices such as home automation,
security cameras, and any other technology that connects directly
to the cloud.

Formal Methods in Security
Formal methods are a specific type of mathematically rigorous
techniques for the specification, development, and verification of
software and hardware systems, in this case, with a security focus.

Guang Gong