On Secure Cloud Computing for Genomic Data: From Storage to Analysis

Although privacy is generally considered to be the right of an individual or group to control information about themselves, such a right has become challenging to protect in the digital era, this is exemplified by the case of cloud-based genomic computing. Despite the rapid progress in understanding, producing, and using genomic information, the practice of genomic data protection remains a fairly underdeveloped area. One of the indisputable reasons is that most nonexpert individuals do not realize the sensitive nature of their genomic data, unless it has been used against them. Many commercial organizations take advantage of their customers by taking control of personal genomic information, if customers want to benefit from services such as genetic analysis; even worse, these organizations often do not enforce proper protection, which could result in embarrassing data breaches. In this thesis, we investigate the potential threats of cloud- based genomic computing systems and propose various countermeasures by taking into account the functionality requirement.

We begin with the most basic system where only symmetric encryption is needed for the cloud storage of genomic data, and we propose a new solution that protects the data against brute-force attacks that threaten the security of password-based encryption in direct-to-consumer companies. The solution employs honey encryption, where plaintext messages need to be transformed to a different space with uniform distribution on elements. We present a novel distribution-transformation encoder. We provide formal security proof of our solution.

We analyze the scenario where efficient searching on encrypted data is necessary. We propose a system that provides fast retrieval on encrypted compressed data and that enables individuals to authorize access to fine-grained regions during data retrieval. Our solution addresses three critical dimensions in platforms that use large genomic data: encryption, compression, and efficient data retrieval. Compared with a previous de facto standard solution for storing aligned genomic data, our solution uses 18% less storage.

To enable complicated data analysis, we focus on a proposal for secure quality-control of genomic data by using secure multi-party computation based on garbled circuits. Our proposal is for aggregated genomic data sharing, where researchers want to collaborate to perform large-scale genome-wide association studies in order to identify significant genetic variants for certain diseases. Data quality control is the very first stage of such a collaboration and remains a driving factor for further steps. We investigate the feasibility of advanced cryptographic techniques in the data protection of this phase. We demonstrate that for certain protocols, our solution is efficient and scalable.

With the advent of precision medicine based on genomic data, the future of big data has become clearly inseparable from cloud-based genomic computing. It is important to continuously re-evaluate the standards of cloud-based genomic computing as novel technologies are developed, security threats arise, and more complex genomic analyses become possible. This is not only a battle against cyber criminals, but also against rigid and ignorant practices. Integrative solutions that carefully consider the use and misuse of personal genomic data are essential for ensuring secure, effective storage and maximizing utility in treating and preventing disease.

Privacy-Enhancing Technologies for Medical and Genomic Data: From Theory to Practice

Jean Louis Raisaro

The impressive technological advances in genomic analysis and the significant drop in the cost of genome sequencing are paving the way to a variety of revolutionary applications in modern healthcare. In particular, the increasing understanding of the human genome, and of its relation to diseases, health and to responses to treatments brings promise of improvements in better preventive and personalized medicine. Unfortunately, the impact on privacy and security is unprecedented. The genome is our ultimate identifier and, if leaked, it can unveil sensitive and personal information such as our genetic diseases, our propensity to develop certain conditions (e.g., cancer or Alzheimer's) or the health issues of our family. Even though legislation, such as the EU General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA), aims at mitigating abuses based on genomic and medical data, it is clear that this information also needs to be protected by technical means. In this thesis, we investigate the problem of developing new and practical privacy-enhancing technologies (PETs) for the protection of medical and genomic data. Our goal is to accelerate the adoption of PETs in the medical field in order to address the privacy and security concerns that prevent personalized medicine from reaching its full potential. We focus on two main areas of personalized medicine: clinical care and medical research. For clinical care, we first propose a system for securely storing and selectively retrieving raw genomic data that is indispensable for in-depth diagnoses and treatments of complex genetic diseases such as cancer. Then, we focus on genetic variants and devise a new model based on additively-homomorphic encryption for privacy-preserving genetic testing in clinics. Our model, implemented in the context of HIV treatment, is the first to be tested and evaluated by practitioners in a real operational setting. For medical research, we first propose a method that combines somewhat-homomorphic encryption with differential privacy to enable secure feasibility studies on genetic data stored at an untrusted central repository. Second, we address the problem of sharing genomic and medical data when the data is distributed across multiple mistrustful institutions. We begin by analyzing the risks that threaten patientsâ privacy in systems for the discovery of genetic variants, and we propose practical mitigations to the re-identification risk. Then, for clinical sites to be able to share the data without worrying about the risk of data breaches, we develop a new system based on collective homomorphic encryption: it achieves trust decentralization and enables researchers to securely find eligible patients for clinical studies. Finally, we design a new framework, complementary to the previous ones, for quantifying the risk of unintended disclosure caused by potential inference attacks that are jointly combined by a malicious adversary, when exact genomic data is shared. In summary, in this thesis we demonstrate that PETs, still believed unpractical and immature, can be made practical and can become real enablers for overcoming the privacy and security concerns blocking the advancement of personalized medicine. Addressing privacy issues in healthcare remains a great challenge that will increasingly require long-term collaboration among geneticists, healthcare providers, ethicists, lawmakers, and computer scientists.

EPFL2018

Secure communication using authenticated channels

Sylvain Pasini

Our main motivation is to design more user-friendly security protocols. Indeed, if the use of the protocol is tedious, most users will not behave correctly and, consequently, security issues occur. An example is the actual behavior of a user in front of an SSH certificate validation: while this task is of utmost importance, about 99% of SSH users accept the received certificate without checking it. Designing more user-friendly protocols may be difficult since the security should not decrease at the same time. Interestingly, insecure channels coexist with channels ensuring authentication. In practice, these latters may be used for a string comparison or a string copy, e.g., by voice over IP spelling. The shorter the authenticated string is, the less human interaction the protocol requires, and the more user-friendly the protocol is. This leads to the notion of SAS-based cryptography, where SAS stands for Short Authenticated String. In the first part of this thesis, we analyze and propose optimal SAS-based message authentication protocols. By using these protocols, we show how to construct optimal SAS-based authenticated key agreements. Such a protocol enables any group of users to agree on a shared secret key. SAS-based cryptography requires no pre-shared key, no trusted third party, and no public-key infrastructure. However, it requires the user to exchange a short SAS, e.g., five decimal digits. By using the just agreed secret key, the group can now achieve a secure communication based on symmetric cryptography. SAS-based authentication protocols are often used to authenticate the protocol messages of a key agreement. Hence, each new secure communication requires the interaction of the users to agree on the SAS. A solution to reduce the user interaction is to use digital signature schemes. Indeed, in a setup phase, the users can use a SAS-based authentication protocol to exchange long-term verification keys. Then, using digital signatures, users are able to run several key agreements and the authentication of protocol messages is done by digital signatures. In the case where no authenticated channel is available, but a public-key infrastructure is in place, the SAS-based setup phase is avoided since verification keys are already authenticated by the infrastructure. In the second part of this thesis, we also study two problems related to digital signatures: (1) the insecurity of digital signature schemes which use weak hash functions and (2) the privacy issues from signed documents. Digital signatures are often proven to be secure in the random oracle model. The role of random oracles is to model ideal hash functions. However, real hash functions deviate more and more from this idealization. Indeed, weaknesses on hash functions have already been discovered and we are expecting new ones. A question is how to fix the existing signature constructions based on these weak hash functions. In this thesis, we first try to find a better way to model weak hash function. Then, we propose a (randomized) pre-processing to the input message which transforms any weak signature implementation into a strong signature scheme. There remains one drawback due to the randomization. Indeed, the random coins must be sent and thus the signature enlarges. We also propose a method to avoid the increase in signature length by reusing signing coins. Digital signatures may also lead to privacy issues. Indeed, given a message and its signature, anyone can publish the pair which will confirm the authenticity of the message. In certain applications, like in electronic passports (e-passports), publishing the authenticated data leads to serious privacy issues. In this thesis, we define the required security properties in order to protect the data privacy, especially in the case of e-passport verification. The main idea consists for the e-passport to keep the signature secret. The e-passport should only prove that it knows a valid signature instead of revealing it. We propose a new primitive, called Offline Non-Transferable Authentication Protocol (ONTAP), as well as efficient implementations that are compatible with the e-passport standard signature schemes.

EPFL2009

A Mobile World of Security

Christine Neuberg

Security in mobile communications is a topic of increasing relevance in everyday life. We all use mobile devices for everyday communications, maybe even for exchanging confidential information with the work place. This requires security systems that are reliable and stable even though mobility and number of users are increasing. An established solution in today's systems is to use symmetric cryptographic systems by relying on pre-established secrets. There are a few drawbacks. The first problem is that all security information is stored in one central storage place. This implies that users are required to trust this storage place. They need to trust that data is properly handled and well protected. The mechanism of storing pre-established long-term secrets at a central storage also makes it vulnerable to adversaries. As soon as someone gains access to it, he automatically has access to all secret information necessary to capture communications. A second problem is that security mechanisms implemented in today's mobile communication systems were designed for a moderate number of users. Since then, the number of users has grown significantly and continues to do so. It would thus be desirable to have a system that is flexible in terms of the number of users it can handle. The third and maybe the most crucial problem is the fact that today's security systems rely on computational cryptography. This means that the security mechanisms in cellular communication systems were designed with limited computational power of the adversary in mind. However, the computational power of computers is growing and systems might be breakable in the near future. A complementary notion of security is information-theoretic security. Systems built in this spirit are unbreakable even with unlimited computational power. These systems exploit the knowledge of statistical properties of the environment. This means mainly that security systems can be proved to be secure with respect to assumptions on the correlated sources and with respect to the nature of the knowledge the adversary can gain. The main idea of information-theoretic security is that two communication partners have access to correlated random sources. An adversary being potentially present in the system, has only degraded access to the source. The common knowledge can be used in order to generate sequences that are very similar among each other. Because the adversary has access to the random source, he is able to generate his own version of the sequence. It is fundamental that the sequences of the communicationpartners are stronger correlated among each other than with respect to the adversary. This advantage in knowledge can be interpreted as a secret among the communication partners to the adversary. In communicating over an authenticated but public channel, this secret can be extracted from the original sequence by both parties. In order for both keys to be equal, the original sequences need to coincide. This is not necessarily the case, but can be achieved by discussion over the public channel. In the first part of this thesis, we propose a security system that relies on information-theoretic security. We will demonstrate how this system can be implemented in cellular communication systems. The movement of the users is random and we want to use it as a random source. We assume that users are moving along a random itinerary while visiting a random sequence of cells. Users not only visit cells in a random order, they also stay for a random time in each cells. It turns out that it is the sequence of durations that contributes most to the randomness of the sequence. We call the sequence of durations timing. This sequence is known to users and to the infrastructure, but only parts of it are known to potential adversaries. By recording the sequence of cells along with the time of residence, both the user and the infrastructure will be able to acquire very similar sequences. After the collection process, a procedure for key agreement is applied. Due to the underlying process, the key will not be uniformly distributed. As this is a requirement for perfect secret keys, a final part of the protocol is privacy amplification, where the perfectly secret bits will be extracted. This system is lightweight as it is based on readily available information and only a small amount of post-processing is required. In the second part of this thesis, we analyze the performance of the system. For this, we demonstrate how the process of bit collection can be analytically modeled. Our analysis leads to two conclusions. It gives us intuition about how to choose parameters such that the scheme performs optimally. Our scheme can be applied to settings that fulfill certain conditions. Conclusions from analysis allow to specify such conditions. We will show the implication of this conclusion in sketching some alternative applications of our scheme.

EPFL2011