Get to know: Paul Grubbs

His research at the intersection of cryptography and systems has already had broad impacts across the IT industry.
Paul Grubbs

Assistant Professor Paul Grubbs is a new faculty member in CSE, joining the Division in Fall 2021 after completing his PhD in Computer Science at Cornell University. Grubbs works at the intersection of cryptography and systems, designing and analyzing end-to-end encrypted systems using theoretical tools from cryptography, empirical methods, and practical knowledge of real systems. He told us a little about his goals as a researcher and professor.

What are the key research problems that motivate your work?

I work on lots of different kinds of research problems at the intersection of computer systems, computer security and cryptography.

In my research, I ask how we can use cryptography to solve computer security problems, or look at ways existing systems use cryptography and ask whether they’re actually doing it right. Often, the answer is no. A lot of the work that I did during my PhD was demonstrating attacks on systems that use cryptography, and finding the security gaps. From there, I fix them and build new cryptographic primitives that solve these problems better from first principles.

I like to use attacks to understand  the state of security. Attacking things is a pretty good way to learn about how they work, because you have to have a pretty detailed understanding of how everything fits together to succeed.

What’s unique about your approach to tackling these problems?

What’s unique is the blend of research methodologies from different disciplines in different areas of computer science. I like to do mathematical analyses and pen and paper proofs and those kinds of things, but also hacking and building systems.

I also think about how systems work and how the pieces fit together, and use real data to try to test hypotheses and derive conclusions.

Tell me about some of your recent work.

One of the problems I worked on the most during my PhD was secure data management, or how to protect the data in a database from compromise, even if the database system is compromised.

It’s increasingly common for users to use databases that are controlled by third parties like Amazon. This is part of the rise of cloud computing where people outsource computation. The problem with using these databases that are controlled by third parties is that, at the end of the day, your data is residing on someone else’s server and ultimately is under their control.

What this means is, in addition to the risk of the database itself being compromised (which happens a fair amount), you have this additional kind of adversary, the party that actually controls that data. If someone at the cloud provider has adversarial intent and wants to attack you, they have access to your data stored in the database.

This is a big problem. It’s very hard for a hospital to justify using cloud services because of the risk of compromising patient data, even though cloud services are really easy to use in a lot of cases and faster and better for enterprises.

So encrypted data management is about using cryptography to enable certain kinds of database queries to be carried out on data that actually sits in the database encrypted. Rather than storing the patient records in plain text, you store some kind of scrambled up version of them. But the way you encrypt it allows you to run certain database workloads. For example, a hospital could fetch a patient’s medical records using their name, but without revealing the patient’s name or the records themselves to the cloud provider.

So even if your database provider attacks you, or even if that database has been penetrated by a third party, data that they get is scrambled up and unreadable. It’s still confidential, even if the system was compromised.

Enabling these queries can’t be done with just standard encryption, so you have to use special encryption schemes that balance the confidentiality requirements and the ability to perform queries. Striking the right balance is difficult, especially if you want your queries to be efficient enough for real settings. One of the things I did in my PhD was explore how to improve the efficiency of these techniques.

Tell me about a project you were especially proud of.

My co-authors and I initiated the study of a new cryptographic primitive, committing authenticated encryption. We started by considering a couple of fairly narrow technical questions but have found that this primitive is needed in a lot of applications. Results from this work have impacted big companies: we found a flaw in a new cryptographic protocol that Facebook deployed, reported it, and received a bug bounty; Google security researchers have found several related bugs in internal systems; Zoom is using an encryption scheme we designed; Amazon has also deployed committing AE in the AWS Encryption SDK. This work resulted in an ongoing standardization effort with the IRTF (the research arm of the IETF), and led to changes in several IRTF standards.

What’s the most important thing you hope to give the graduate students in your lab?

Beyond technical skills, I want to give my students a grad school experience like I had. It was definitely an experience where I grew a lot as a person and gained a lot of independence, both in work and in my life. I feel that I matured as a person. So I hope to give my students  independence and maturity as researchers and as people.

What drew you to work as a professor, and to cryptography?

I grew up in a family of educators. My grandpa was a professor at Indiana University for a long time. The idea of making a career in education is very natural to me, but I also really love science and wanted to make contributions through research. Experiences I had as a TA in undergrad made me confident that I was excited about teaching, so it seemed like a natural career path.

My interest in cryptography goes all the way back to when I was younger. I was really, really interested in math as a kid and also really loved computer security. But back then I wasn’t really doing much real computer security, so it was more like I was excited about movies about hacking, downloading cracked video games, pirating music, and things like that.

But then when I came to college at Indiana University and figured out what I was going to get my degree in, the combination of math and computer science that I chose seemed very naturally to lend itself to cryptography.

The thing that got me into cryptography research was taking a class with a cryptography professor at Indiana University, Steven Myers. After I did well in this class he invited me to become an undergrad researcher in his lab and I worked on my first crypto research project, and then I knew I was excited about it.

When you’re not thinking about computer science, what else do you do?

Some of my hobbies outside of work are related to computer science. I’ve been hacking a little bit on software-defined radio stuff during the pandemic. My partner got me a couple of books on ham radio certifications, so I might try to become a licensed ham radio operator, which is something I’ve wanted to do since I was a kid.

Aside from that, I’ve been doing a fair amount of pleasure reading during the pandemic. I’ve been reading a lot about COVID, and I’ve also found myself reading a lot about historical plagues recently. I read a really good book about the influenza pandemic in 1918.

Other than that, I go for walks in nature and play music every now and then. I like playing piano, and I’m going to pick up my guitar again someday soon.