Technology / Tue, 16 Jun 2026 EdTech Innovation Hub

Microsoft tests Encrypted Spaces for private cloud apps

Microsoft Research has introduced Encrypted Spaces, an active research project exploring how people could collaborate through cloud applications without giving the servers hosting those applications access to their plaintext data.

The project is developing an architecture for shared documents, messaging systems, filesystems, databases and other multi-user applications. Cloud servers would continue to store and synchronize information, but users would encrypt and decrypt sensitive content on their own devices and verify the server’s actions through cryptographic proofs.

Encrypted Spaces was presented alongside a new architectural whitepaper. The work has been developed by Michele Orrù of the French National Centre for Scientific Research (CNRS), independent cryptography engineer Trevor Perrin, Nora Trapp of Harvard University and Greg Zaverucha of Microsoft Research.

Microsoft Research said in a LinkedIn post: "The goal is to bring the same privacy and security guarantees to any app that stores user data in the cloud."

The researchers have also released prototype work for a synchronization engine intended to give developers database-style tools without requiring them to design the underlying encryption, key management and verification systems themselves. Encrypted Spaces remains a research project rather than a finished product, and no commercial release or implementation timetable has been announced.

Cloud collaboration without plaintext server access

Most collaborative software depends on centralized servers to store shared information, manage changes and decide what each participant can access. Even when end-to-end encryption is available, it is often designed around message streams rather than changing data structures such as documents, spreadsheets, directories or databases.

Encrypted Spaces proposes a different division of responsibility. The server remains the storage and synchronization point, but is not trusted with the keys needed to read protected content.

Each space contains both application data and system information, including membership records, encryption keys and access-control rules. Authorized participants can insert, update, delete and query shared information, while each operation is added to an append-only changelog.

Clients check that responses match both the authenticated history of the space and its current database state before accepting them. The project describes this approach through the hypothesis: "A trustworthy collaborative application can run on untrusted servers."

The architecture is intended to support groups whose membership changes over time. When someone joins or leaves, encryption keys can be rotated and redistributed. The system is designed to prevent new members from automatically gaining access to information created before they joined and to stop removed users from reading subsequent content.

It also includes retention controls intended to delete access to selected information without requiring every remaining file or record to be encrypted again from scratch.

Proofs replace reliance on the cloud provider

Encrypted Spaces combines encrypted storage with cryptographic verification intended to show whether a server has processed data correctly.

Changes are recorded in a changelog and applied to an authenticated key-value database. The system generates commitments representing both the ordered history of changes and the current state of the shared data.
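A minimal sketch of the two commitments described above, added here as an illustration and not taken from the whitepaper or the prototype. The SHA-256 hash chain, the flat sorted-key state hash, and all function names and sample values are assumptions; the client replays the full changelog, which is the baseline check that the project's proofs are meant to avoid.

```python
import hashlib, hmac, json

GENESIS = b"\x00" * 32  # assumed starting point of the history chain

def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def history_commitment(ops, start=GENESIS) -> bytes:
    """Hash chain over the ordered changelog: reordering or dropping an entry changes it."""
    c = start
    for op in ops:
        c = _h(c, json.dumps(op, sort_keys=True).encode())
    return c

def apply_ops(ops, state=None) -> dict:
    """Replay changelog entries onto a key-value state (values are opaque ciphertext)."""
    state = dict(state or {})
    for op in ops:
        if op["op"] == "put":
            state[op["key"]] = op["value"]
        elif op["op"] == "delete":
            state.pop(op["key"], None)
        else:
            raise ValueError(f"unknown operation: {op['op']!r}")
    return state

def state_commitment(state) -> bytes:
    """Commitment to the current state: hash over entries in sorted key order."""
    c = _h(b"state")
    for key in sorted(state):
        c = _h(c, key.encode(), state[key].encode())
    return c

def verify_response(ops, claimed_history, claimed_state,
                    trusted_history=GENESIS, trusted_state=None) -> bool:
    """Client check: replay from the last trusted point and compare both commitments."""
    ok_h = hmac.compare_digest(history_commitment(ops, trusted_history), claimed_history)
    ok_s = hmac.compare_digest(state_commitment(apply_ops(ops, trusted_state)), claimed_state)
    return ok_h and ok_s

# Constructed sample changelog; the hex strings stand in for client-side ciphertext.
SAMPLE_OPS = [
    {"op": "put", "key": "doc/1", "value": "9f3a51"},
    {"op": "put", "key": "doc/2", "value": "07c4e2"},
    {"op": "delete", "key": "doc/1"},
]
```

A server that reorders or drops a changelog entry, or reports a state that does not follow from the history, fails `verify_response` even though the client never sees plaintext on the server side.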

For individual operations, clients receive what the researchers call tracer proofs. These allow users to check the parts of the database accessed or changed by a server without downloading and verifying the entire database.

For users returning after a period offline, Encrypted Spaces uses fast-forward proofs to summarize a longer sequence of activity. These proofs are designed to confirm that changes were authorized, signatures were valid, concurrent edits followed the application’s rules and the resulting database state matches the recorded history.

The prototype uses a zero-knowledge virtual machine to generate the fast-forward proofs. Zero-knowledge techniques allow one party to demonstrate that a computation was carried out correctly without exposing the underlying protected information.

Membership and key changes are also subject to verification. When a participant is removed, the system can encrypt a new group key for the remaining members and provide evidence that each authorized participant received the same key.

The proposed developer interface is designed to resemble backend services such as Firebase or Supabase. Developers could work with higher-level structures including tables, lists, text fields and files, while the software development kit handles encryption, synchronization, proofs and key management.

Prototype examples include an encrypted filesystem and a group messaging application. In the messaging example, message content, channel names, display names and emoji reactions remain encrypted, while selected structural information can stay visible to the server so it can route and organize requests.

Project tests sensitive community workflows

Microsoft Research is working with Project Resolve to assess whether the architecture could support workflows in which community organizations, health workers and other institutions need to coordinate around sensitive information.

The proposed model could allow multiple organizations to work with shared data without appointing one institution as the trusted custodian of all readable information. Microsoft Research has not disclosed a deployment timetable or named organizations that will test the system.

The architecture also has technical limits. The server may still see metadata left unencrypted by an application’s design, including database structure, identifiers, access patterns, operation timing and the size of encrypted data.

Servers can also refuse to provide data or process requests, meaning encryption and verification do not prevent service disruption. The prototype has not yet implemented the full transparency system needed to stop a server from showing different or outdated histories to separate users.

Further research is planned around reducing metadata leakage, improving proof-generation performance, supporting external identity systems and testing alternative deployment models, including peer-to-peer, federated and local-first applications.

Microsoft Research has published the whitepaper and prototype code for review and further development. Encrypted Spaces is currently positioned as an open research effort, with its next phase focused on technical optimization, real-world testing and collaboration with additional researchers and developers.
