Meet Elena Andreeva, Our New Assistant Professor for Security and Privacy
Elena gives us an insight into the world of cyber security and explains where the challenges in modern cryptography lie.
What brought you to TU Wien Informatics and Vienna?
TU Wien has the best reputation in Computer Science in Austria and is internationally renowned for its quality education and research. This was a powerful attraction point for me. The Security and Privacy Group that I am part of is also internationally recognized in security and cryptography, and I found a perfect fit for my research profile. The group outputs excellent research results and is led by Matteo Maffei. We also have strong theoretical and practical security and cryptography researchers as Georg Fuchsbauer and Martina Lindorfer in our S&P research unit.
When I looked closer at the security and privacy research unit, I noticed a very international team. Later on, I got to know all people and saw they were very open-minded, which I appreciate very much. Diversity expands horizons, brings better research ideas, and is a more flourishing environment for joint collaborative work. The group diversity is a solid attraction point because I don’t always find such versatile groups. Apart from that, Vienna has one of the highest-ranked living standards in Europe, so of course, one cannot deny the associated advantages. I lived in Copenhagen and Brussels previously, so I have developed a liking for capitals, and I hope soon to discover the inspiring cultural and social environments of Vienna.
Cyber Security sounds very exciting and adventurous. What exactly is Cyber Security?
Cyber Security tries to protect our contemporary digital lives since a large part of our lives happens in the digital space. We all need to attend to this digital side of our lives as it introduces many threats with severe consequences like leakage or misuse of sensitive personal data or assets and disruption of essential services. It is hence paramount to pay special attention to Cyber Security. Cyber Security ensures that everything we do in that realm of our digital reality is sound, there is no violation of our rights as individuals, there is no threat to our private information, and our societal services are well protected— all these by securing our digital systems and communications relying on concrete mathematical algorithms.
How would you describe your work in 90 seconds?
I work in cryptography which is the fundamental science behind cybersecurity, ensuring the soundness of mathematical foundations and building blocks of cybersecurity. Modern cryptography is an applied science and highly interdisciplinary. Within cryptography, I work in symmetric cryptography, where the communicating parties use an identical, that is, symmetric, secret key as opposed to a pair of public and secret keys used in public key or asymmetric cryptography. I look at the crypto algorithm and how we use it in particular systems online or digital systems in general. Then I identify the security threats and create rigorous mathematical models that encompass these threats, and define the concrete mathematical conditions and requirements for the security of an algorithm. Then I design secure symmetric cryptographic algorithms that comply with the definitional models via proofs of security. Throughout, I cross-check for vulnerabilities and attacks in my designs, whether I have missed something. Or I identify weak security spots in existing systems and try to incorporate them into the definitional models and hence into the algorithm’s requirements.
What are the challenges in your research area?
There are plenty of challenges: One main challenge I see is that most of our security solutions nowadays are based on existing cryptography designed some twenty years or more ago. Naturally, we have a bulk of security applications that require some different and novel cryptography—one with novel security and efficiency properties than earlier known and available. The challenge here is to design the crypto algorithms that fit these novel requirements. We have the Internet of Things domain, where the devices are inherently small and have many constraints on their resources. For such small devices, we need to develop cryptographic solutions that are highly efficient and guarantee the security we are looking for. We need to satisfy particular constraints that were not existing twenty years ago.
On the other hand, we have new paradigms in Cloud Computation like computation on data in the encrypted domain. The privacy of our data will benefit tremendously if we can enable functionalities that perform computation on that encrypted data without even decrypting it, therefore not leaking the owners’ identity or any sensitive part of the data. To enable practical solutions in this domain, we will need to employ cryptography with specific security and efficiency features. The challenge here is to bring new solutions that satisfy the novel constraints of these emerging technologies.
My latest research focuses on addressing such challenges. I recently developed the novel cryptographic algorithm—Forkcipher, which provides confidentiality and authenticity to short messages and is highly efficient in the IoT domain. Forkcipher with the ForkAE scheme was in the second round of the international standardization NIST selection process and came as a very promising cipher alternative for emerging applications in cryptography. My most recent result proposes a new ABR hashing mode. This new ABR hashing mode has tremendous potential for applications like blockchains, smart contracts, file archiving, etc. In the future, I hope to bring the difference regarding novel crypto algorithms for emerging cryptographic applications.
And where do you see the highest potential for Cyber-Crime in the future?
I cannot name a particular domain, but I think different domains of digital applications come with significant potential vulnerabilities. One specific field that is highly unprotected is IoT. Over 90% of our IoT devices send unencrypted traffic, which is a significant vulnerability and can be exploited by malicious parties at any point in time. If we don’t take urgent measures in that direction, we will encounter serious problems as we have started to see: online attacks via connected devices like cameras, home appliances or even children toys. We already see the consequences—for example, the attacker can gain unauthorized access to the private data and personal life (video footage, digital home control). Another threat lies in cloud computing. Although in the EU the GDPR was created to protect our online rights and our data—how it is collected, stored and used, we are still catching up with safeguarding it, both technologically and legislatively.
What should people look out for in everyday life?
I would advise people always to use products that have certified cryptography in place. I know this is very hard to check. It isn’t always easy for the average users to explore their privacy settings on their mobile phones. Different apps communicate user data among them. A user should be aware of this and deactivate such options where not necessary. For example, a weather app does not need access to a user’s photos, contact lists or camera. As users, it is also our duty and responsibility to understand the functionalities of the modern technologies we use, at least up to their privacy and security implications. Regarding internet banking and online purchases, users should be cautious not to use a public device. For these purposes, they should also avoid using insecure internet connections such as unknown Wifi connection at a public place (cafe, shopping center etc.) which often have weak security. Most modern banks allow people to sign or confirm their transactions with the aid of an external device or app. This is a highly suggested practice.
The industries bringing different digital technologies and devices into our lives have a vital role to play. They carry a responsibility to ensure user (data) privacy and secrecy. They should make the privacy and security feature default or easy to use in their products. A recent example in this direction is Apple’s feature on their iOS that allows users to stop apps from tracking user activities across different apps. Unfortunately, we are not in a situation where security is the default option, so we should look for these options ourselves and do our part for now. I envision a future where we would have much easier settings as users. This will entail a considerable effort from interdisciplinary areas. We have succeeded very little (both in research and industry) to give enough attention to usability as we have been primarily technologically oriented. As researchers, we also need to make attempts in that direction to bridge this gap.
What makes you happy in your work?
I am a creative person—that is my most distinguishing feature. Bringing creativity into science is fundamentally the way I enjoy science. I would like to say the most enjoyable part of this process for me is the creative part, where I can sit down and have the time and space to ponder on my ideas and play with them. Eventually, I know that something good and constructive will come out of it, a beautiful process. Science is not an effort and a push towards results—in my opinion, it should be a creative process like art, and I approach it that way. It should be something that comes from inside, flows easily, and you persistently nourish that process.
Of course, I also enjoy the collaborative aspect of my work. Working in international cooperations with brilliant minds worldwide is rewarding and a unique feature of scientific research. I come from the beautiful country of Bulgaria, and I’ve worked in research environments in Belgium, Denmark and now Austria, which has been a tremendously enriching experience for me. Unfortunately, the situation with COVID has hindered the interchange of ideas and meeting people. Supporting this only through digital means is not a viable alternative. People need to meet via seminars, conferences and other events to have an effective change of ideas, and this is how actually creativity flourishes and interest and curiosity often arise. I don’t think this happens so easily in the digital space.
Interview: Claudia Vitt, 2021