My main research interests are in the area of applied cryptography and computer security [JR.1–3, JR.5–6, IB.4–5, IC.1–3, IC.5–6, IC.8–9, IC.11–13, IC.15, IC.17–22, IC.25–32, PT.1–12, IPT.1, TR.6, TR.8, TR.3–4, TR.1]. I also work in the area of data security \& privacy [IB.1–3, JR.7, IC.10, IC.14, IC.16, IC.23–24, TR.5], specifically: developing privacy-preserving mechanisms that allow users to access databases without revealing which data they're accessing. Other research topics I am interested in, are logic synthesis of combinatorial circuits and computer architecture security [JR.4, IC.6–7].

In particular, the activity carried out in the last years spans over the following research lines:

Access control is the process of mediating every request to data and services maintained by a system and determining whether the request should be granted or denied. Expressiveness, flexibility, security and privacy are top requirements for an access control system together with, and usually in conflict with, simplicity and efficiency. Database-as-a-service, cloud storage and social networking scenarios raise interesting research issues and there are many challenges in developing techniques for ensuring a selective information sharing and dissemination process. In particular, I focused on (a) access control and data sharing capabilities in outsourcing scenarios [IB.1, IC.10, IC.16, TR.5]; (b) remote indexing of cryptographic databases with privacy guarantees [JR.7, IB.2-3, IC.23-24].

• (a) Data confidentiality has always been an issue of ethical concern. But the enactment of laws to protect the privacy of individuals’ health and financial records pushed a flourishing academic and industrial research to provide technical solutions aimed at preserving the confidentiality of data for almost any type of ICT application. The existing access control solutions for social networks scenarios, as well as web services offering to their users a form of control on own resources, typically assume that the service provider is completely trusted and always entitled to access the resources. This assumption may not always be applicable, as users may want to prevent the access from the server itself, which should be able to guarantee the service without having clear-text access to the resources. An important feature of this confidential data sharing scenario is the third-part management of a database that is virtually owned by multiple clients who wish to share their data with several sets of users enforcing different access control policies for each of them, which should also be confidential with respect to the service provider. I proposed an approach to address the aforementioned issues [IB.1, IC.10, IC.16, TR.5]. My proposal guarantees that only users in the specified group will be able to access the resources, which remain confidential to all the other parties (together with the enforced access policy), including the service itself. The strong points of the solution lie in the scalability and efficiency of the data outsourcing mechanism, and in the decentralized management of access control policies and their evolution. A prototype of the proposed solutions has been realized within the framework of a EU project.

• (b) A major obstacle toward the large adoption of outsourcing, otherwise particularly attractive to individuals and to small/medium organizations, is the perception of insecurity and potential loss of control on sensitive data. Guaranteeing privacy in a context where data are externally outsourced entails protecting confidentiality of the data as well as of the accesses to them. In particular, we recognized three different type of confidentiality requirements: (1) content confidentiality (to maintain confidentiality on the data being outsourced), (2) access confidentiality (to conceal the fact that an access aims at a specific data), (3) pattern confidentiality (referring to more accesses aiming at the same data). Several solutions have been proposed in the past few years, both in the theoretical and in the system communities: such solutions consider a honest-but-curious server and resort to encryption to protect the outsourced data, guaranteeing only the data-confidentiality feature. I worked on the definition and development of an indexing model for a relational database that supports not only data confidentiality, but also confidentiality of the accesses that users make on such data (with respect to third parties and mainly to the service provider). Indeed, the developed solution allows to effectively address the access confidentiality problem also in concurrent scenarios [JR.7, IC.23-24].

My research in applied cryptography and practical security has been concentrated in two areas: (a) efficient HW and SW implementation of cryptographic algorithms – symmetric and elliptic curve public-key schemes, and identity-base schemes, (b) side-channel attacks: differential power analysis, electro-magnetic (EM) attacks, fault analysis.

• (a) The first research topic covers investigations about identity-based cryptosystems (IBE - an evolution of elliptic curve cryptosystems). IBE cryptography is viable alternative to the traditional certificate-based public key infrastructure (PKI). This is especially true when efficient key management and high security are required in large communities of users, where the key-distribution problem is crucial. I focused on carrying out an extensive exploration of the opportunities offered by this novel cryptographic methodology with emphasis on the efficient implementation of IBE algorithms and protocols [TR.4]. This includes the design of software implementations for embedded environments, to optimize time performances [JR.3, IC.1, IC.3], the design and development of efficient hardware architectural solutions, to optimize figures of merit like execution time and device size [JR.1, JR.2, IC.2, IC.5, IC.9], and the proposal of new application protocols of considerable industrial relevance to address the establishment of a secure communication channel between two devices without resorting to a certification authority, but designing a scheme where the mutual authentication of the devices is obtained involving an equal and necessary level of responsibility of both entities [PT.1–12]. Applications employing the aforementioned schemes range from Bluetooth peripheral devices to smartcard libraries and authentication mechanisms for embedded devices.
  The second topic I investigated in the area of practical cryptography is the application of the GPU programming models for the efficient implementation of cryptographic primitives. The investigation aimed at providing a constructive use of the computing power of the GPUs to obtain both low-cost computational speed-ups in the computation of a cipher, and hints about the configuration of security parameters to withstand brute force attacks. I focused on two important applicative scenarios: SSL transactions and “data-at-rest” protection for mass storage [IC.11, IC.13, IC.15, IC.27].

• (b) Although the current standard cryptographic algorithms proved to withstand exhaustive and mathematical attacks, their hardware and software implementations have exhibited side-channel vulnerabilities due to the information leakage through power consumption, electro-magnetic emissions, or device weaknesses against fault-injection techniques. As long as the power and EM analyses in the side-channel area go, I have studied how information leaks when a physical device performs cryptographic operations. Advancements has been obtained in the effectiveness of the power-based attacks through employing digital filtering techniques [IC.18, IC.21].
  Moreover, a sound design-time evaluation of the security of a digital device has been proposed [JR.5, IB.5, IC.30].
  Finally, I introduced a general framework [IC.31, IPT.1, TR.8] to automate the application of countermeasures against Differential Power Attacks aimed at software implementations of cryptographic primitives.The approach makes use of compiler-based techniques to analyze the vulnerabilities of algorithms in their intermediate code representation and apply provable-secure static-time countermeasures. The proposed framework allows to trade-off the performance and the security margins provided by a combined approach in applying the countermeasures at both static-time and run-time. At run-time, the core idea lies in the generation of multiple versions of the code, to prevent an attacker from recognizing the exact point in time where the observed operation is executed and how such operation is performed. This strategy increases the effort needed to retrieve the secret key through hindering the formulation of a correct hypothetical consumption to be correlated with the power measurements. At the current state-of-the-art this is the first comprehensive and general solution to counteract power-based side-channel attacks aimed at SW implementations of embedded devices, with limited impact on both costs and performances.
  In an “active attack” scenario (a.k.a., fault-attack scenario), the adversary perturbs the regular behavior of the encrypting device in order to obtain a small amount of information correlated with the error. As a contribution in this area, we proposed a new attack against the widely adopted implementation of the Elliptic Curve Digital Signature Standard [IC.26] and a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU through lowering its feeding voltage. This is the first result available in fault attacks literature dealing with a software implementation of a cryptosystem, running on a full fledged CPU with a complete operating system. The works published in [JR.6, IB.4-5, IC.12, IC.17, IC.19] fully characterize the fault model and practically validate the technique considering the AES and RSA ciphers. In addition, in [IC.20] a new software-based countermeasures is proposed, with the aim of minimizing the overheads introduced through the instruction duplication and triplication in the error-detecting or error-correcting cryptosystem implementations.
  Finally, the research investigations in the context of the EU project TOISE about smart grid security & privacy led to classify the threats to these systems into three broad groups: (i) System level threats that attempt to take down the grid; (ii) attempts to steal electrical service; and (iii) attempts to compromise the confidentiality of data on the system. Analyses and considerations we made about vulnerabilities and opportunities of the smart grid technology has been published in [IC.22, IC.25, IC.29].

Boolean matching is the problem of determining whether two Boolean functions are functionally equivalent under the permutation and negation of inputs and outputs. The topic finds numerous applications in verification and logic synthesis. The research contribution [JR.4, IC.7], addresses the P-equivalence Boolean matching, outlining a formal framework that unifies some of the spectral and canonical form-based approaches to the problem. As a first major contribution, we show how these approaches are particular cases of a single generic algorithm, parametric with respect to a given linear transformation of the input function. As a second major contribution, we identify a linear transformation that can be used to significantly speed up Boolean matching with respect to the state-of-the-art.