About

My name is Zach. I’m a Senior Research Engineer at MongoDB in MongoDB Research’s Cryptography Research Group. My pronouns are he/him/his.

My research broadly combines cryptography, data structures, formal methods and optimization, and algorithms to produce privacy-preserving, efficient systems for multi-party computation, data processing, and retrieval. I also ask questions about the practicality and usability of not just encrypted systems, but also the (theoretical and practical) tools that we use to design, implement, and evaluate them.

Previously, I worked on security engineering at D. E. Shaw. & Co. and software engineering at Google and Order.

I completed a concurrent four-year Sc.B. and Sc.M. in Computer Science at Brown University where my studies were generously supported by grants from Brown CS, CrowdStrike, (ISC)2, and others. During my time at Brown, I was the course designer and Head Teaching Assistant of the Computer Science department’s flagship computer systems security course from 2019 to 2021. I was also affiliated with the following research groups:

I’m also interested in running and ultramarathons, speech and debate, public transit, board games, theatrical lighting design, and Dance Dance Revolution.

News
Dec 2023
Aug 2023

Our new product at MongoDB—Queryable Encryption, the first industry database product implementing structured encryption—is now generally available!

Feb 2023

I reunited with some of my former collaborators from the Encrypted Systems Lab at Brown University by joining the Cryptography Research Group at MongoDB!

Nov 2022

Our paper “Range Search over Encrypted Multi-Attribute Data” will appear at VLDB 2023 in Vancouver, Canada!

May 2022

Five months after completing my requirements, I “officially” graduated with a Sc.B. in Computer Science (with Honors) and an Sc.M. in Computer Science at Brown University’s annual Commencement.

May 2022

I was awarded a Senior Prize in Computer Science “for academic work as well as service to Brown CS” (awarded to 6.8% of the graduating class in CS). I also received the Norman K. Meyrowitz ’81 Award for “exceptionally meritorious service to Brown CS” (second to receive the award in the award’s history).

Feb 2022

Started work at D. E. Shaw & Co.!

Jan 2022

Our work on attacking multi-dimensional encrypted database schemes is now available on ePrint!

Dec 2021

I defended my honors thesis on “Time- and Space- Efficient Aggregate Range Queries on Encrypted Databases” and finished my Bachelor’s and Master’s requirements at Brown!

Aug 2021

I received an Crowdstrike NextGen Scholarship for 2021!

Mar 2021

I received the Randy Pausch Undergraduate Research Award from Brown CS to support my research with Roberto Tamassia on encrypted databases!

Nov 2020

I finished 1st place out of ~100 participants at the inaugural Hack@Home Cybersecurity CTF!

Jun 2020

Started an internship at Google.

Publications
Synq: Public Policy Analytics Over Encrypted Data
Zachary Espiritu, Marilyn George, Seny Kamara, Lucy Qin (listed alphabetically)
45th IEEE Symposium on Security and Privacy (San Francisco, California, USA), May 2024

We design Synq, a system that addresses privacy concerns by supporting public policy analytics over encrypted data. We specifically use an application-centric approach which drives Synq’s design around a study conducted on the opioid epidemic in Massachusetts. We systematize the design considerations of the public policy context and demonstrate how the combination of design considerations that Synq addresses is novel through a survey of the literature. We then present our protocol which combines structured encryption, somewhat homomorphic encryption, and oblivious pseudorandom functions to support a complex query language that includes filtering (retrieving rows by attribute/value pairs), linking (merging rows from different tables that represent the same individual) and aggregate functions (sum, count, average, variance, regression). We formally express the security of our protocol and show that Synq is efficient in practice while satisfying more demanding constraints than prior work.

Range Search over Encrypted Multi-Attribute Data
Evangelia Anna Markatou, Francesca Falzon, Zachary Espiritu, Roberto Tamassia
Very Large Databases Conference (Vancouver, Canada), September 2023

We present the first systematic study of multi-attribute range search on a symmetrically encrypted database outsourced to an honest-but-curious server. Prior work includes a thorough analysis of single-attribute range search schemes (e.g. Demertzis et al. 2016) and a proposed high-level approach for multi-attribute schemes (De Capitani di Vimercati et al. 2021). We first introduce a flexible framework for building secure range search schemes with an arbitrary number of attributes (dimensions) by adapting a broad class of geometric search data structures to operate on encrypted data. Our framework encompasses widely used data structures such as multi-dimensional range trees and quadtrees, and has strong security properties that we formally prove. We then develop six concrete highly parallelizable range search schemes within our framework that offer a sliding scale of efficiency and security tradeoffs to suit the needs of the application. We evaluate our schemes with a formal complexity and security analysis, a prototype implementation, and an experimental evaluation on real-world datasets.

Attacks on Encrypted Response-Hiding Range Search Schemes in Multiple Dimensions
Francesca Falzon, Evangelia Anna Markatou, Zachary Espiritu, Roberto Tamassia
Proceedings of Privacy Enhancing Technologies (Lausanne, Switzerland), July 2023

We present the first database reconstruction attacks against response-hiding private range search schemes on encrypted databases of arbitrary dimensions. Falzon et al. (VLDB 2022) present a number of range-supporting schemes on arbitrary dimensions exhibiting different security and efficiency trade-offs. Additionally, they characterize a form of leakage, structure pattern leakage, also present in many one-dimensional schemes e.g., Demertzis et al. (SIGMOD 2016) and Faber et al. (ESORICS 2015). We present the first systematic study of this leakage and attack a broad collection of schemes, including schemes that allow the responses to contain false-positives (often considered the gold standard in security). We characterize the information theoretic limitations of a passive persistent adversary. Our work shows that for range queries, structure pattern leakage can be as vulnerable to attacks as access pattern leakage. We give a comprehensive evaluation of our attacks with a complexity analysis, a prototype implementation, and an experimental assessment on real-world datasets.

Time- and Space-Efficient Aggregate Range Queries on Encrypted Databases
Zachary Espiritu, Evangelia Anna Markatou, Roberto Tamassia
Proceedings of Privacy Enhancing Technologies (Sydney, Australia), July 2022

We develop ARQ, a systematic framework for creating cryptographic schemes that handle range aggregate queries (sum, minimum, median, and mode) over encrypted datasets. ARQ unifies structures from the plaintext data management community with existing STE primitives. We prove how such combinations yield efficient (and secure) constructions in the encrypted setting. As part of this work, we designed and implemented a new, open-source, encrypted search library called Arca and implemented the ARQ framework using this library in order to evaluate ARQ’s practicality. Our experiments on real-world datasets demonstrate the efficiency of the schemes derived from the ARQ framework in comparison to prior work.

Experience
New York, NY
Senior Research Engineer, Cryptography
Feb 2023 – Current

Conducting research with MongoDB’s Cryptography Research Group. Collaborating with MongoDB product and engineering teams to transfer and deploy the latest research in cryptography and privacy to practical products.

New York, NY
Systems Engineer, Platform Engineering and Information Security
Feb 2022 – Feb 2023

Developed tools and systems related to Linux platform security on-prem and in the cloud.

Undergraduate Researcher
Fall 2020 – Spring 2022

Applied cryptography research with Seny Kamara and Roberto Tamassia on structured encryption schemes and leakage-abuse attacks. (Recipient of the $10,000 Randy Pausch Computer Science Undergraduate Summer Research Award for Summer 2021 research funding.)

Remote
Software Engineering Intern
Summer 2020

Developed an open-source OpenSSL engine in C++ allowing OpenSSL-backed web servers to immediately perform TLS signing operations with Google Cloud HSM private keys without any source code modifications.

Undergraduate Researcher
Summer 2018

Created a port of TensorFlow.js for Pyret, a functional scripting language designed for education, to develop Pyret programs with machine learning capabilities. Prototyped implementations for a Pyret Jupyter “kernel” to support Pyret “notebooks” and a command-line Pyret REPL.

Software Engineering Intern
Summer 2017

Co-developed automated sales lead information validation tool. Streamlined operations team workflows with Slack integrations and automated price comparison tools integrated with product vendor APIs. Optimized PostgreSQL queries for up to ~500x faster full-text searches.

Software Engineering Intern
Summer 2016

Created client-facing system for customers to automatically schedule recurring orders. Set up continuous integration pipeline and co-wrote test suite from scratch for several thousand lines of code with over 70% coverage. Built web scrapers to automate previously manual product price point collection. Led development of company Ruby style guide.

Teaching
I served as a teaching assistant every semester I was at Brown University, sometimes even during semesters I wasn't enrolled. Semesters marked with an asterisk (*) denote a Head Teaching Assistant role.

Fall 2021*

Software exploitation techniques and state-of-the-art mechanisms for hardening software. With Vasileios Kemerlis.

Spring 2019*, Spring 2020*, Spring 2021*

An introduction to principles of computer security from an applied viewpoint and provides hands-on experience on security threats and countermeasures. Topics include cryptosystems, web security, network security, malware, code execution vulnerabilities, access control, cryptocurrencies, machine learning, and human and social issues. With Roberto Tamassia (2019, 2020) and Bernardo Palazzi (2021).

  • 2021 contributions:
    • Interviewed, hired, trained, and coordinated staff of 10 undergraduate and graduate TAs.
    • Recurrent guest lecturer in 9 lectures during the semester; delivered over 4 hours of lecture content during the semester.
    • Co-developed and hosted 8 “sections” covering supplementary course content during the semester; developed “discussion” handouts for the sections to help foster community and student-to-student interaction in a remote learning environment.
    • Developed new course project on cloud storage security and secure systems design. Co-designed and developed an implementation-agnostic, adversarial autograder for evaluating and discovering attacks against student implementations, reducing grading workload from 100+ hours of combined TA work hours to ~10 hours of combined TA work hours.
    • Coordinated homework and exam design with staff and professor. Wrote ~50% of the exam problems for 2021.
  • 2020 contributions:
    • Interviewed, hired, trained, and coordinated staff of 11 undergraduate and graduate TAs.
    • Organized creation of new homeworks with a more open-ended, design-based focus; modernized homework content (with questions on cryptography, MPC, web security, networks, data compression, anonymization networks, etc.) and wrote +30 new questions for the entire semester with additional “reserve questions” for future years.
    • Designed new “midterm” component of course focused on open-ended design and security analysis questions; wrote ~80% of the exam problems for 2020.
    • Redeveloped the web security and operating security technical projects to improve learning outcomes and increase efficiency of internal grading processes; facilitiated technical project logistics.
    • Created UTA Manual outlining internal staff processes and responsibilities.
  • 2019 contributions:
    • Interviewed, hired, trained, and coordinated staff of 8 undergraduate and graduate TAs.
    • Ported technical components of projects written in Bash, PHP, Javascript, and Go to Google Cloud Platform’s Compute Engine.
    • Automated setup process of sandbox Linux virtual machines for each project using the Compute Engine API, reducing setup times by up to ~92%.
    • Co-gave “Passwords” lecture with hashcat password recovery demonstration (slide deck, video starting @ 33:27).
Fall 2019, Fall 2020*

Explores the principles of modern programming languages by implementation; studies data and their types, including polymorphism, type inference, and type soundness; examines compiler and run-time system topics: continuation-passing style and garbage collection. With Shriram Krishnamurthi.

  • 2020 contributions:
    • Interviewed and hired staff of 6 undergraduate TAs.
    • Heavily rewrote 9 assignment specifications on programming language feature implementations in Plait and Racket (examples include “Interpreter”, “Type Checker”, “Type Inference”, “Generators”).
    • Transitioned internal staff infrastructure to Gradescope to automate the majority of grading and feedback distribution; developed autograder framework to emulate a Racket version of Examplar, a research IDE helping students assess their understanding of specifications via example-driven development.
  • 2019 contributions:
    • Interviewed and hired staff of 6 undergraduate TAs.
    • Remotely answered student-submitted questions throughout the semester.
    • Copy-edited several assignment specifications written by other TAs.
Fall 2018*

Functional programming, data structures, and algorithms in Racket and Pyret. Includes a summer component taught using the first half of How to Design Programs, then transitions to content based on portions of Programming and Programming Languages during the semester. With Shriram Krishnamurthi.

  • Interviewed, hired, trained, and coordinated staff of 9 undergraduate TAs.
  • Remotely organized summer placement process and grading for 174 students.
  • Rewrote old assignments (“Tour Guide”) and developed new labs (“Iterating Over Trees”, “Tensorflow”).
  • Maintained and added new features to existing, end-to-end Google Apps Script-based pipeline for grading management and distribution.
  • Wrote internal handbook for future iterations of course staff, covering suggestions for recruiting and hiring future teaching assistants, organizing course logistics, running existing course scripts, and more.
Spring 2018

Introduction to programming in MATLAB and Python, with an emphasis on STEM data analysis and simulation problems. With Dan Potter.

Fall 2017

Data-focused introduction to computer science using Pyret. With Kathi Fisler.

Education
Brown University
Providence, RI
Concurrent Sc.B. / Sc.M. in Computer Science
September 2017 - December 2021 *

Graduate-Level Coursework:

  • Advanced Probabilistic Methods in Computer Science
  • Algorithms: in Depth
  • Foundations of Prescriptive Analytics (SAT, CP, LP, IP, Local Search)
  • Human-Computer Interaction Seminar
  • Operating Systems Laboratory
  • Topics in Computer Systems Security

Undergraduate Coursework:

  • Advanced Deductive Logic (Computability and Logic)
  • Cryptography
  • Computer Systems Security
  • Design and Analysis of Algorithms
  • Design and Implementation of Programming Languages
  • Discrete Structures and Probability
  • Distributed Computer Systems
  • Introduction to Computer Systems
  • Introduction to Computer Graphics
  • Logic For Systems (Formal Methods and Verification)
  • Operating Systems
  • Software Security and Exploitation
  • Statistical Inference
  • Technology and Health Behavior Change
  • User Interfaces and User Experience

* Not enrolled in Fall 2019. Some notes on completing the Concurrent Degree can be found here.

Regis High School
New York, NY
September 2013 - June 2017
Projects
> Zachary.projects.filter({(p): p.type == all software academic design games case_studies fun_things })
Sorry, there's nothing here yet.
(Try a different filter!)