My name is Zach. I’m a Senior Research Engineer at MongoDB in MongoDB Research’s Cryptography Research Group. My pronouns are he/him/his.
My research broadly combines cryptography, data structures, formal methods and optimization, and algorithms to produce privacy-preserving, efficient systems for multi-party computation, data processing, and retrieval. I also ask questions about the practicality and usability of not just encrypted systems, but also the (theoretical and practical) tools that we use to design, implement, and evaluate them.
Previously, I worked on security engineering at D. E. Shaw & Co. and software engineering at Google and Order.
I completed a concurrent four-year Sc.B. and Sc.M. in Computer Science at Brown University where my studies were generously supported by grants from Brown CS, CrowdStrike, (ISC)2, and others. During my time at Brown, I was the course designer and Head Teaching Assistant of the Computer Science department’s flagship computer systems security course from 2019 to 2021. I was also affiliated with the following research groups:
I’m also interested in running and ultramarathons, speech and debate, public transit, board games, theatrical lighting design, and Dance Dance Revolution.
Our paper “Synq: Public Policy Analytics Over Encrypted Data” will appear at IEEE Security & Privacy 2024 in San Francisco, CA!
Our new product at MongoDB—Queryable Encryption, the first industry database product implementing structured encryption—is now generally available!
I reunited with some of my former collaborators from the Encrypted Systems Lab at Brown University by joining the Cryptography Research Group at MongoDB!
Our paper “Range Search over Encrypted Multi-Attribute Data” will appear at VLDB 2023 in Vancouver, Canada!
Five months after completing my requirements, I “officially” graduated with an Sc.B. in Computer Science (with Honors) and an Sc.M. in Computer Science at Brown University’s annual Commencement.
I was awarded a Senior Prize in Computer Science “for academic work as well as service to Brown CS” (awarded to 6.8% of the graduating class in CS). I also received the Norman K. Meyrowitz ’81 Award for “exceptionally meritorious service to Brown CS” (second to receive the award in the award’s history).
Our paper “Time- and Space- Efficient Aggregate Range Queries on Encrypted Databases” will appear at PETS 2022!
Started work at D. E. Shaw & Co.!
Our work on attacking multi-dimensional encrypted database schemes is now available on ePrint!
I defended my honors thesis on “Time- and Space- Efficient Aggregate Range Queries on Encrypted Databases” and finished my Bachelor’s and Master’s requirements at Brown!
I received a CrowdStrike NextGen Scholarship for 2021!
Received an (ISC)2 Undergraduate Information Security Scholarship for 2021.
I received the Randy Pausch Undergraduate Research Award from Brown CS to support my research with Roberto Tamassia on encrypted databases!
I finished 1st place out of ~100 participants at the inaugural Hack@Home Cybersecurity CTF!
Started an internship at Google.
We design Synq, a system that addresses privacy concerns by supporting public policy analytics over encrypted data. We specifically use an application-centric approach which drives Synq’s design around a study conducted on the opioid epidemic in Massachusetts. We systematize the design considerations of the public policy context and demonstrate how the combination of design considerations that Synq addresses is novel through a survey of the literature. We then present our protocol which combines structured encryption, somewhat homomorphic encryption, and oblivious pseudorandom functions to support a complex query language that includes filtering (retrieving rows by attribute/value pairs), linking (merging rows from different tables that represent the same individual) and aggregate functions (sum, count, average, variance, regression). We formally express the security of our protocol and show that Synq is efficient in practice while satisfying more demanding constraints than prior work.
We present the first systematic study of multi-attribute range search on a symmetrically encrypted database outsourced to an honest-but-curious server. Prior work includes a thorough analysis of single-attribute range search schemes (e.g. Demertzis et al. 2016) and a proposed high-level approach for multi-attribute schemes (De Capitani di Vimercati et al. 2021). We first introduce a flexible framework for building secure range search schemes with an arbitrary number of attributes (dimensions) by adapting a broad class of geometric search data structures to operate on encrypted data. Our framework encompasses widely used data structures such as multi-dimensional range trees and quadtrees, and has strong security properties that we formally prove. We then develop six concrete highly parallelizable range search schemes within our framework that offer a sliding scale of efficiency and security tradeoffs to suit the needs of the application. We evaluate our schemes with a formal complexity and security analysis, a prototype implementation, and an experimental evaluation on real-world datasets.
We present the first database reconstruction attacks against response-hiding private range search schemes on encrypted databases of arbitrary dimensions. Falzon et al. (VLDB 2022) present a number of range-supporting schemes on arbitrary dimensions exhibiting different security and efficiency trade-offs. Additionally, they characterize a form of leakage, structure pattern leakage, also present in many one-dimensional schemes e.g., Demertzis et al. (SIGMOD 2016) and Faber et al. (ESORICS 2015). We present the first systematic study of this leakage and attack a broad collection of schemes, including schemes that allow the responses to contain false-positives (often considered the gold standard in security). We characterize the information theoretic limitations of a passive persistent adversary. Our work shows that for range queries, structure pattern leakage can be as vulnerable to attacks as access pattern leakage. We give a comprehensive evaluation of our attacks with a complexity analysis, a prototype implementation, and an experimental assessment on real-world datasets.
We develop ARQ, a systematic framework for creating cryptographic schemes that handle range aggregate queries (sum, minimum, median, and mode) over encrypted datasets. ARQ unifies structures from the plaintext data management community with existing STE primitives. We prove how such combinations yield efficient (and secure) constructions in the encrypted setting. As part of this work, we designed and implemented a new, open-source, encrypted search library called Arca and implemented the ARQ framework using this library in order to evaluate ARQ’s practicality. Our experiments on real-world datasets demonstrate the efficiency of the schemes derived from the ARQ framework in comparison to prior work.
Conducting research with MongoDB’s Cryptography Research Group. Collaborating with MongoDB product and engineering teams to transfer and deploy the latest research in cryptography and privacy to practical products.
Developed tools and systems related to Linux platform security on-prem and in the cloud.
Applied cryptography research with Seny Kamara and Roberto Tamassia on structured encryption schemes and leakage-abuse attacks. (Recipient of the $10,000 Randy Pausch Computer Science Undergraduate Summer Research Award for Summer 2021 research funding.)
Developed an open-source OpenSSL engine in C++ allowing OpenSSL-backed web servers to immediately perform TLS signing operations with Google Cloud HSM private keys without any source code modifications.
Created a port of TensorFlow.js for Pyret, a functional scripting language designed for education, to develop Pyret programs with machine learning capabilities. Prototyped implementations for a Pyret Jupyter “kernel” to support Pyret “notebooks” and a command-line Pyret REPL.
Co-developed automated sales lead information validation tool. Streamlined operations team workflows with Slack integrations and automated price comparison tools integrated with product vendor APIs. Optimized PostgreSQL queries for up to ~500x faster full-text searches.
Created client-facing system for customers to automatically schedule recurring orders. Set up continuous integration pipeline and co-wrote test suite from scratch for several thousand lines of code with over 70% coverage. Built web scrapers to automate previously manual product price point collection. Led development of company Ruby style guide.
Software exploitation techniques and state-of-the-art mechanisms for hardening software. With Vasileios Kemerlis.
An introduction to the principles of computer security from an applied viewpoint, with hands-on experience on security threats and countermeasures. Topics include cryptosystems, web security, network security, malware, code execution vulnerabilities, access control, cryptocurrencies, machine learning, and human and social issues. With Roberto Tamassia (2019, 2020) and Bernardo Palazzi (2021).
Explores the principles of modern programming languages by implementation; studies data and their types, including polymorphism, type inference, and type soundness; examines compiler and run-time system topics: continuation-passing style and garbage collection. With Shriram Krishnamurthi.
Functional programming, data structures, and algorithms in Racket and Pyret. Includes a summer component taught using the first half of How to Design Programs, then transitions to content based on portions of Programming and Programming Languages during the semester. With Shriram Krishnamurthi.
Introduction to programming in MATLAB and Python, with an emphasis on STEM data analysis and simulation problems. With Dan Potter.
Data-focused introduction to computer science using Pyret. With Kathi Fisler.
Graduate-Level Coursework:
Undergraduate Coursework:
* Not enrolled in Fall 2019. Some notes on completing the Concurrent Degree can be found here.