At Lightspeed, we invest in bleeding-edge technologies, a significant portion of which trace their roots to university research. If history is any proof, the next Google or Akamai or Sun Microsystems is getting off the ground right now in the hallowed hallway of a leading Computer Science department. As early-stage investors, if we are to do our job right, we must stay abreast of groundbreaking research happening in academia and, more importantly, of the brilliant minds behind it.
Recently, we got an opportunity to sit down with one such up-and-coming rockstar researcher in security, Raluca Ada Popa of UC Berkeley. Raluca has already made quite a name for herself through a number of projects (CryptDB, Mylar, etc.) that have been commercialized with great success. We asked Raluca to share with us her background, her research interests and where in security she believes the “puck is going to be.” Here is what she had to say.
Sudip: You have had an incredible journey throughout your career. Please tell us a little bit about your background and how you have reached where you are at today.
Raluca: I’m Romanian and I studied in Romania up to and including high school. Then, I went to college at Caltech from which I transferred to MIT after one year. I graduated from MIT with two Bachelors, one in computer science and one in mathematics. Then, I stayed on to do a Masters and then a PhD. I was on the point of accepting MIT’s faculty offer to stay there forever (as a lifer!), but instead, I decided to join UC Berkeley’s faculty after doing a short postdoc at ETH Zurich.
How I reached here? It is a combination of passion for engineering (primarily computer science, mathematics and physics), luck to be fit for these subjects, and of course hard work. Looking at the stages above, I had to excel in each one to be able to enter the next one. But it was all a lot of fun.
Sudip: So, why academia? What do you plan to achieve as a professor and researcher? And, why UC Berkeley?
Raluca: Academia gives me the freedom to do research on the problems I believe are important and enables me to build resources and an excellent team of students to tackle these problems. Additionally, I enjoy mentoring, working with students and teaching.
My goals as a professor are not too far from what most professors wish for. I hope to address important problems in the field of computer security, that my research will have an impact on the world, and to mentor students who grow to become accomplished people.
I chose UC Berkeley for three main reasons. First, Berkeley is one of the top three schools in computer science, meaning that I can work with exceptional students and faculty. Second, I deeply enjoy and believe in the daring and very collaborative atmosphere at Berkeley. For example, Berkeley has an interesting lab model where professors from different areas come together for 5–6 years to solve what they perceive to be a major problem in computing at that moment. They even sit in cubicles alongside students to create an active atmosphere of collaboration. We are starting a new such lab, called the RISE lab, that brings together faculty from machine learning, databases, systems and security, and embarking on difficult problems any one of us cannot solve alone. The third is the excellent relationship between Berkeley and industry; it’s not easy to create a relationship that is truly beneficial to both sides, and I am impressed at the extent to which Berkeley succeeded in creating a synergetic ecosystem.
Besides these reasons, I like Berkeley for other reasons too: the weather, the food, people (even outside of academics), and the Bay Area.
Sudip: Throughout your career so far, you have done some really interesting work, some of which has been successfully commercialized as opposed to just adding to the number of publications out there. Is there a secret to that? Do you approach research in a way that is different?
Raluca: I agree that, in security, industrial impact is more rare than in other areas of computer science, such as systems. What I think helped my work have more impact is that I focus on building secure systems that, in particular, are both practical and designed to facilitate adoption. Work on theory, measurement, and new techniques is useful and required (and I have also done much of this), but delivering a system is what matters in the end. Moreover, if the system is too slow or requires redoing an architecture that has been improved over decades, people won’t use it. So it is important to consider both these aspects. Also, I’ve released source code for all my important projects, which also helped.
But there are more steps one can take from here to increase the chance of impact, and Berkeley’s AMP Lab is an excellent example here. The AMP folks partner with companies with common interests to develop the source code together, students install it at companies during internships, and overall AMP creates an ecosystem in which the system improves and spreads in adoption. I’m learning a lot from AMP’s model.
Sudip: What are some of your favorite projects that you think have had the most impact? How?
Raluca: CryptDB and Mylar had the most impact. Let’s take CryptDB as an example.
CryptDB is an encrypted database using which one can compute SQL queries on the encrypted data without decrypting it. In 2009, cryptographers constructed a fully homomorphic encryption scheme, a beautiful theoretical scheme that enables computing any function on encrypted data. But FHE was and is incredibly slow; it is currently estimated to be 6 orders of magnitude slower than regular computation.
CryptDB’s idea (2011) was to focus on a class of functions instead of aiming at all general functions. It showed that with 5 basic primitive functions (get/put, +, =, >, equijoin), one can implement most SQL and support many applications. By specializing the encryption to these, one can design a practical system, and it characterized use cases when it provides strong security. It also showed how to implement such a system on top of existing databases without changing them.
CryptDB started a huge line of work, with tens of other systems proposed, and with various industrial deployments. For example, Microsoft’s Always Encrypted Service is currently released as part of SQL Server 2016. Skyhigh Networks, SAP and Google also developed systems based on this idea. This area of research is still hot today and there are a bunch of open problems.
Sudip: Now that you are here at UC Berkeley, what are some of the areas of research you are planning to pursue? What are some of the problems you want to take on in the next few years? Why?
Raluca: One major direction is to enable service providers to handle only encrypted data while still being able to extract value out of the data and carry out their business. In this way, they don’t see the data of the users. Either only users see the result of computations or only certain results are released.
This means that curious employees or hackers get access to encrypted data and not to the actual data.
Such a solution would be a major improvement to security today, protecting against many types of attacks in one shot. It would also benefit many parties:
- users would not need to worry about companies like Google or Facebook seeing all their private messages; in turn, these companies can still suggest ads and manage user data
- customers can place their data on the cloud and use the cloud for its compute and storage resources without the cloud seeing the data of the customer
- cloud providers and SaaS companies risk less damage to their reputation when customer data leaks
- certain data analysis (such as medical research) might no longer be hampered by privacy considerations. For example, hospitals today cannot share data due to privacy laws and such aggregate data is important for medical research. Sharing encrypted data and decrypting only agreed-upon results (e.g., effectiveness of a new drug) alleviates privacy concerns
This ambitious goal requires security solutions for all kinds of platforms: data analytics, machine learning, network analysis, web frameworks, databases. My group has been making steady progress in this direction.
Sudip: Given you have been part of both MIT and UC Berkeley — two of the most entrepreneurial university ecosystems out there — do you have any thoughts to share on how some of the university research can be commercialized better, faster?
Raluca: I think that first and foremost, one needs to understand if one can build a compelling product out of a given research project. There are a lot of exciting research projects out there, but shaping a research project into a product that solves real problems of companies or users is hard. For instance, I know examples of best papers at even systems conferences, for which a productization strategy is not clear.
Second, one needs a team of suitable experts that will work very hard on it. I think that the strategy “take a research idea from academia, find a team of developers, and do it” rarely works. I find it more believable if the researchers who created the idea are dedicated to the startup because they understand its strengths, weaknesses, and have expertise for overcoming obstacles.
Sudip: Finally, from your vantage point, what advice would you have for folks who are trying to get up to speed in your area of research? What are the best ways to get up to speed and stay up to date?
Raluca: I think that the best way to get up to speed is to use online learning materials. There are various online courses in security and cryptography from top universities as well as online materials from regular courses. For example, the website of my graduate course in computer security “CS 261: Systems Security” contains a public syllabus of papers that cover the main areas in computer security, consisting of both core and state-of-the-art papers.
To stay up to date, I recommend following important conferences in the area such as IEEE S&P, Usenix Security, OSDI, SOSP, NSDI and others.