Senior Research Scientist in Post-Quantum Cryptography at SandboxAQ

The post-quantum research team at SandboxAQ, i.e. the team I’m in, is looking to hire a full-time researcher to join our team. Currently, the PQC team consists of:

and you can get a sense of what we’ve been up to by checking out our respective DBLP pages linked above and the SandboxAQ publications page. Here are some details about the role:

The SandboxAQ team is looking for a Research Scientist to help functionalize the next generation of cryptographic systems. A successful candidate will be comfortable with research in post-quantum cryptography. We are open to strong candidates that reinforce existing expertise of the team as well as candidates extending our expertise. They will be part of a team of diverse cryptographers and engineers, where they will play a key role in efficient and effective enablement of the technologies being developed. They can learn more about what we’ve been doing so far by checking out our publications page or the individual DBLP pages of our permanent researchers.

Core Responsibilities

  • Research and design of new post-quantum cryptography primitives and protocols
  • Engage in team collaborations to meet ambitious product and engineering goals
  • Present research discoveries and developments including updates and results clearly and efficiently both internally and externally, verbally and in writing

Minimum Qualifications

  • PhD in Mathematics or Computer Science or equivalent practical experience
  • Strong background in post-quantum cryptography with a proven publication record at flagship conferences
  • Deep understanding of cryptographic primitives and protocols
  • Capacity to work both as an individual contributor and on collaborative projects with strong teamwork skills

Preferred Qualifications

  • Experience in C, C++, Rust or Go, or equivalent skills to implement and validate innovative cryptographic constructions and/or protocols
  • Experience with the real-world aspects of cryptography
  • Experience contributing to open source projects and standardization bodies
  • Curiosity in a variety of domains of cryptography, security, privacy, or engineering

Social Foundations of Cryptography

I’m rather excited to report that EPSRC decided to fund our grant titled “Social Foundations of Cryptography”. Our project tries to do two things.

First, we want to ground cryptographic security notions in rigorous social science findings rather than “simply” our intuitions that we write down in the introductions of our papers. In Burdens of Proof, Jean-François Blanchette characterises what we – as cryptographers – do as follows:

New cryptographic objects are generated through more or less straightforward combinations of elements of the cryptographic toolbox, such as threshold, proxy, or fairness properties. Like so many modular Lego pieces, cryptographic primitives and design patterns are assembled in new schemes and protocols exhibiting security properties with no obvious real-world equivalents. This creative process is one of the core professional activities of cryptographers, rewarded through conference presentations, journal publications, and commercial patents. Yet the cryptographic paper genre seems to require that these products of mathematical creativity be justified in some “real-world” setting, motivated either by their potential application, their evidential value, or the new threats they identify. These justificatory scenarios are remarkable in their assumptions that the properties of cryptographic objects, as designed and discussed by cryptographers, will translate transparently into the complex social settings they describe.

Our approach is to flip this around: make cryptographic security notions contingent on ethnographic findings. This is, of course, a tall order when it comes to, say, PRP security of a block cipher (I enjoy Phil Rogaway’s discussion of cryptographic definitions; Phil is also on our advisory board), but it is perhaps a bit more obvious when we talk about ideal functionalities in simulation-based proofs of complex cryptographic protocols. For these ideal functionalities it is not at all immediately clear that they are indeed “ideal”. Still, this remains quite a daunting project and I’m rather nervous about it.

Second, we picked the settings of large-scale urban protests, i.e. ask about security notions and needs of protesters confronting agents of the state. We think these settings (we plan on doing field work in different sites internationally) are rich yet specific. That is, notions of security depend on context and grounding cryptographic notions in such contexts can unlock insights. Post-compromise security needs for a business traveller (having their phone confiscated at an airport) and for protesters (who face arrest) may be quite different.

Another key, distinguishing, feature of these settings is that security notions are quite collective rather than individual, according to our pilot study. In this study we interviewed protesters involved in the Anti Extradition Bill protests in Hong Kong (2019/2020). This work then motivated us to take a deeper look at Telegram. However, this pilot study has the big caveat that its inquiry was somewhat limited, by necessity.

Our study was an interview study, meaning participants self-selected to discuss their security needs with us. Yet, a key challenge in engaging those who depend on security technology is that they are not trained information security professionals. They do not know and, indeed, should not need to know, for example, that confidentiality requires integrity, that existing onboarding practices can be phrased in the language of information security, which security notions cannot be achieved simultaneously, and what guarantees, say, cryptography can give if asked. Therefore, knowing exactly what is taken for granted, or put otherwise, expected or desired, in social interactions, in social and technical protocols and, indeed, in cryptography is of critical import.

This is where ethnography comes in, as it is uniquely placed to “unearth what the group (under study) takes for granted”. In a nutshell, it’s a social science method involving prolonged field work, i.e. staying with the group under study, to observe not only what they say but also what their social reality and practice is.

On the cryptographic side, our project consists of Ben Dowling (Sheffield) and me. On the ethnography side, it’s Andrea Medrado (Westminster) and Rikke Jensen (RHUL). But we’re hiring! We will have one postdoc position in ethnography at RHUL (perhaps not so relevant to the audience of this blog, see Rikke’s blog post) and one postdoc position in cryptography. This position is only scheduled to start in a year, but if you’re interested please let us know, we have some flexibility about when to put it on the market.

I’ve hired for postdoc positions before, but I think I’ve never been this nervous about that process as here. If working on the protest setting and putting what you’ll do at the mercy of ethnographic findings is for you, please reach out!

Our project website is here: https://social-foundations-of-cryptography.gitlab.io/

Postdoc Position(s)

I am recruiting a postdoc to work with me on “practical advanced post-quantum cryptography from lattices”, the title of my ERC selected, UKRI Frontier Research funded project:

Standardisation efforts for post-quantum public-key encryption and signatures are close to completion. At the same time the most recent decade has seen the deployment, at scale, of more advanced cryptographic algorithms where no efficient post-quantum candidates exist. These algorithms permit, for example, strong guarantees even after some parties have been compromised, privacy-preserving contact lookups, credentials and e-cash. This project will tackle the challenge of “lifting” such constructions to the post-quantum era by pursuing three guiding questions:

  • What is the cost of solving lattice problems with and without hints on a quantum computer? Answers to this question will provide confidence in the entire stack of lattice-based cryptography from “basic” to “advanced”. Studying the presence of hints tackles side-channel attacks and advanced constructions.
  • What are the lattice assumptions that establish feature- and (near) performance-parity with pre-quantum cryptography? Standard lattice assumptions do not seem to establish feature parity with pairing-based or even some Diffie-Hellman-based pre-quantum constructions; how can we achieve efficient and secure advanced practical post-quantum solutions?
  • How efficient is a careful composition of lattice-based cryptography with other assumptions? If we want to deploy our post-quantum solutions in practice, we will need to design hybrid schemes that are secure if either of their pre- or post-quantum parts is secure, and to deploy many advanced lattice-based primitives in practice we need to carefully compose them with zero-knowledge proofs to rule out some attacks.

Lattice-based cryptography has established itself as a key technology to realise both efficient basic primitives like post-quantum encryption and advanced solutions such as computation with encrypted data and programs. It is thus well positioned to tackle the middle ground of advanced yet practical primitives for phase 2 of the post-quantum transition.

So when I say “advanced”, I don’t mean Functional Encryption or Indistinguishability Obfuscation, but OPRFs, Blind Signatures, Updatable Public-Key Encryption, even NIKE (sadly!).

I’m quite flexible on what background applicants bring to the table.

All of that is in scope. If in doubt, drop me an e-mail and we can discuss.


A Surfeit of SIS with Hints Assumptions

After a “lattice-assumptions winter”™ (there, I coined it now!) because “knapsack”, the last few years have seen the introduction of a bunch of newfangled SIS-like assumptions along the lines of:

Given \left(\mathbf{A}, \{\mathbf{u}_i\}_{0 \le i < k}, \{\mathbf{t}_i\}_{0 \le i < k}\right) s.t. \mathbf{A} \cdot \mathbf{u}_i \equiv \mathbf{t}_i \bmod q, with \mathbf{u}_i short, it is hard to find a short \mathbf{u}^* s.t. \mathbf{A} \cdot \mathbf{u}^* \equiv \mathbf{0} \bmod q.

That is, in some shape or form, these assumptions posit that some variant of SIS or ISIS remains hard even if you hand out some short preimages of some specially selected targets. There’s quite some variety here: BASIS instead hands out a trapdoor for a bigger related matrix, one-more-ISIS allows the adversary to pick the targets but has tight norm constraints etc.
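
As an added toy illustration of the template above (constructed example, not code from the SIS with Hints Zoo or any paper it tracks): sample (A, {u_i}, {t_i}) with A·u_i ≡ t_i mod q and u_i short, then check candidate solutions against the SIS condition. N, M, Q and BETA are made-up values with no security whatsoever; `kernel_from_collision` only shows why the norm constraints in these assumptions matter.

```python
# Added toy illustration of the SIS-with-hints template: sample hints
# (u_i, t_i) with A*u_i = t_i mod Q and u_i short, and check candidate
# SIS solutions A*u* = 0 mod Q with u* short and non-zero.
# Constructed example, not code from the SIS with Hints Zoo; N, M, Q, BETA
# are made-up toy values with no security whatsoever.
import random

N, M, Q, BETA = 4, 12, 97, 3  # A is N x M over Z_Q; "short" means infinity norm <= BETA


def matvec(a, u, q):
    """A*u mod q for a matrix a (list of rows) and an integer vector u."""
    return [sum(a_ij * u_j for a_ij, u_j in zip(row, u)) % q for row in a]


def is_short(u, beta):
    """Infinity-norm check: every coefficient lies in [-beta, beta]."""
    return all(abs(c) <= beta for c in u)


def sample_instance(k, rng):
    """Return (A, hints) with hints = [(u_i, t_i)], A*u_i = t_i mod Q, u_i short.
    The targets here are just images of random short vectors; the assumptions
    in the zoo select their targets in more structured ways."""
    a = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    hints = []
    for _ in range(k):
        u = [rng.randint(-BETA, BETA) for _ in range(M)]
        hints.append((u, matvec(a, u, Q)))
    return a, hints


def make_example(seed=7, k=3):
    """Deterministic toy instance for the checks below."""
    return sample_instance(k, random.Random(seed))


def hints_are_consistent(a, hints):
    """Every hint must be a genuine short preimage of its target."""
    return all(is_short(u, BETA) and matvec(a, u, Q) == t for u, t in hints)


def is_sis_solution(a, u_star):
    """u* solves SIS iff it is non-zero, short, and A*u* = 0 mod Q."""
    return any(u_star) and is_short(u_star, BETA) and matvec(a, u_star, Q) == [0] * N


def kernel_from_collision(h1, h2):
    """Two hints sharing a target give A*(u1 - u2) = 0 mod Q. Whether that
    is a SIS solution depends on whether u1 - u2 is still short enough, which
    is why the norm constraints in these assumptions matter."""
    (u1, t1), (u2, t2) = h1, h2
    if t1 != t2:
        return None
    return [c1 - c2 for c1, c2 in zip(u1, u2)]
```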

I’ve started to track these new assumptions in the SIS with Hints Zoo, with the hope of encouraging cryptanalysis, reductions and/or re-use of existing assumptions. That page has been up for a little while. I’m blogging about it now, because it now has a few “non-trivial” entries, that you might have missed and that illustrate well that cryptanalysis and reductions are fruitful endeavours here:

Knowledge k-R-ISIS is false
Knowledge (I’m good with words like that!) of this break has been circulating a while, but since the paper breaking it is finally out, it is time to amplify the message: The knowledge version of the k-R-ISIS assumption from https://eprint.iacr.org/2022/941 is (at least morally) false. It thus gets a “BROKEN” tag.
Twin k-R-ISIS is no easier than k-R-ISIS
In Appendix A of https://eprint.iacr.org/2023/1469 we show that if you can solve Twin k-R-ISIS you can also solve k-R-ISIS (under parameters etc). It thus gets an “EQUIVALENT” tag.
h-PRISIS is hard
under the M-SIS assumption and for degree \ell=2, as was shown in https://eprint.iacr.org/2023/846. That \ell=2 is useful is established in https://eprint.iacr.org/2023/1469. It thus gets a “STANDARD” tag.

If your (favourite) assumption is missing or is misrepresented, please get in touch: PRs welcome, too.

Post-quantum oblivious PRFs from shallow PRFs and TFHE

We – Alex Davidson, Amit Deo, Daniel Gardham and me – have updated our pre-print Crypto Dark Matter on the Torus: Oblivious PRFs from shallow PRFs and TFHE. It has been around for a while, but I am now somewhat confident that we won’t squeeze more performance out of it for the time being, so this feels like the right time to blog about.

What is an OPRF and why should I care? Oblivious pseudorandom functions allow two parties to compute a pseudorandom function (PRF) z := F_k(x) together: a server supplying a key k and a user supplying a private input x. The server does not learn x or z and the user does not learn k. If the user can be convinced that z is correct (i.e. that evaluation is performed under the correct key) then the function is “verifiable oblivious” (VOPRF), otherwise it is only “oblivious” (OPRF). Both may be used in many cryptographic applications. Example applications include anonymous credentials (e.g. Cloudflare’s PrivacyPass), password-based key exchanges (e.g. OPAQUE) and Private Set Intersection (PSI) enabling e.g. privacy-preserving contact look-up on chat platforms.

Sounds good, seems solved! Despite the wide use of (V)OPRFs, most constructions are based on classical assumptions, such as Diffie-Hellman (DH), RSA or even pairing-based assumptions. Indeed, DH-based OPRFs are currently being standardised by the IETF. Their vulnerability to quantum adversaries makes it desirable to find post-quantum solutions, however, known candidates are much less efficient.

Oblivious PRF and FHE, I see where this is going … Indeed, given fully homomorphic encryption (FHE), there is a natural (P)OPRF candidate. The client FHE encrypts input x and sends it with tag t. The server then evaluates the PRF homomorphically or “blindly” using a key derived from t and its own secret key. Finally, the client decrypts the resulting ciphertext to obtain the PRF output. The first challenge with this approach is performance: PRFs tend to have sufficiently deep circuits that FHE schemes struggle to evaluate them efficiently. Even special purpose PRFs such as the LowMC construction require depth ten or more, making them somewhat impractical. More generally, in a binary circuit model we expect to require depth \Theta( \log \lambda) to obtain a PRF resisting attacks with complexity 2^{\Theta(\lambda)}.

Yet, if we expand our circuit model to arithmetic circuits with both mod p and mod q gates for p\neq q both primes, shallow proposals exist. The main proposal even has a kewl name: “Crypto Dark Matter PRF”. In particular, the (weak) PRF candidate is

z := \sum (\mathbf{A} \cdot \mathbf{x} \bmod 2) \bmod 3

where arithmetic operations are over the integers and \mathbf{A} is the secret key. That’s it! The same work also contains a proposal to “upgrade” this weak PRF, defined for uniformly random inputs \mathbf{x}, to a full PRF, taking any \mathbf{x}. Furthermore, the works already provide oblivious PRF candidates based on this PRF and MPC, but with non-optimal round complexity. Thus, a natural question to ask is if we can construct a round-optimal (or, 2 message) POPRF based on this PRF candidate using the FHE-based paradigm mentioned above.
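
As an added illustration of the weak PRF candidate above (constructed toy code, not the paper’s implementation): the two layers are written out separately so the modulus switch between them is visible, and the dimensions used are made up for readability.

```python
# Added illustration of the "Crypto Dark Matter" weak PRF candidate
# z := sum(A*x mod 2) mod 3. Constructed toy code, not the paper's
# implementation; the dimensions used below are made up for readability.
import random


def mod2_layer(key, x):
    """First layer: A*x over GF(2). key is an m x n list of 0/1 rows, x a 0/1 vector."""
    return [sum(a_ij & x_j for a_ij, x_j in zip(row, x)) % 2 for row in key]


def mod3_layer(bits):
    """Second layer: add the m output bits over the integers and reduce mod 3.
    Switching modulus between the layers is what makes the map non-linear."""
    return sum(bits) % 3


def dark_matter_wprf(key, x):
    """Evaluate z = sum(A*x mod 2) mod 3 with secret key A.
    This is only a *weak* PRF candidate: x is assumed uniformly random."""
    return mod3_layer(mod2_layer(key, x))


def example_key(m=16, n=8, seed=1):
    """A deterministic constructed key for experiments (not a real key)."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(n)] for _ in range(m)]


def output_histogram(key, samples, seed=0):
    """Tally outputs over uniformly random inputs of length n = len(key[0]).
    For a candidate meant to be pseudorandom the three buckets should be
    roughly balanced; a visibly skewed tally would be a red flag."""
    rng = random.Random(seed)
    n = len(key[0])
    counts = [0, 0, 0]
    for _ in range(samples):
        x = [rng.randrange(2) for _ in range(n)]
        counts[dark_matter_wprf(key, x)] += 1
    return counts
```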

So what did you actually do? We construct a novel POPRF from lattice assumptions and the “Crypto Dark Matter” PRF candidate in the random oracle model. At a conceptual level, our scheme exploits the alignment of this family of PRF candidates, relying on mixed modulus computations, and programmable bootstrapping in the torus fully homomorphic encryption scheme (TFHE). This allows us to construct an OPRF candidate using only one level of bootstrapping (the most expensive operation in a FHE computation). We also explore a cut-and-choose based strategy for adding verifiability to our OPRF.

Performance. For the core online OPRF functionality, we require amortised 10.0KB communication per evaluation and a one-time per-client setup communication of 2.5MB. I’d say this makes our OPRF practical size-wise. Client computation costs are also somewhat manageable but server computation costs are quite unattractive unless you’re willing to invest in some FHE co-processor. We have some early benchmarks (using tfhe-rs) running the server code in ~150ms on 64 cores. Let me stress that this does not account for “circuit privacy” which should add a factor of 5x to 10x (or the zk systems we need, but we assume those won’t add that much overhead in computation; we do include their sizes in the estimates above). Moreover, our relatively small sizes are the effect of aggressive packing; unpacked, the key material should weigh about 2GB in RAM.

Implementation. We do have a somewhat complete implementation of our scheme, but it is in SageMath and thus extremely slow. I should mention, though, that this implementation, too, does not cover the zero-knowledge proof systems we rely on to achieve malicious security.

A Formal Cryptographic Analysis of Matrix’ Core

Our work – “Device-Oriented Group Messaging: A Formal Cryptographic Analysis of Matrix’ Core” – is now out on ePrint and will be presented at IEEE S&P’24; “us” here being Dan Jones, Benjamin Dowling and myself.

Matrix is an open standard for interoperable, federated, real-time communication over the Internet. It consists of a number of specifications which, together, define a federated secure group messaging protocol enabling clients, with accounts on different Matrix servers, to exchange messages.

Last year, together with Sofía Celi, we reported several severe security issues in its cryptographic core, invalidating the cryptographic security guarantees of confidentiality and authentication in the protocol and its flagship client Element.

What we originally set out to do was to formally analyse Matrix, i.e. not “just” find some vulnerabilities that leave open the question whether more are lurking, but to get some more rigorous assurances that whole classes of attacks will fail:



UK Crypto Day (June 2023 Edition)

Together with Nick Spooner and Sarah Meiklejohn, I’m co-organising the next UK Crypto Day.1

Date: 23 June
Venue: King’s College London
Registration: Here
Programme: https://uk-crypto-day.github.io/2023/06/23/

We got some nice speakers/talks lined up:

Jonathan Bootle: The Sumcheck Protocol, Applications, and Formal Verification

The sumcheck protocol plays a central role in many constructions of efficient zero-knowledge arguments. In this talk, I will describe the sumcheck protocol, explain why it is so useful, and discuss recent work on a machine-checkable security proof.

Bio. Jonathan Bootle is a researcher in the Foundational Cryptography Group at IBM Research – Zurich. His research focuses on constructing efficient zero-knowledge proofs, especially those based on lattice assumptions or error-correcting codes.

Bernardo Magri: YOSO – You Only Speak Once

Imagine a setting where whenever a party in a protocol sends a message, its IP address becomes known, and it gets immediately killed by the adversary in a DoS attack. This implies that in any given protocol a party can only send a single message at a random point in time. Can we do secure multiparty computation in this setting? In this talk we introduce the YOSO MPC model that is based around the notion of roles, which are randomly assigned stateless parties that can send a single message for the entire duration of the protocol. We will show how we can leverage the infrastructure of public blockchains to securely YOSO-compute any function with private inputs.

Bio. Bernardo Magri is a Senior Lecturer at the CS department at University of Manchester. His research interests are on the theoretical and practical aspects of cryptography and distributed ledgers.

Sunoo Park: Email Attribution and Election Audits

My talk will focus on two recent works. The first concerns preventing the exploitation of stolen email data. Email is used widely for personal, industry, and government communication; as such, it is a valuable target for attack. Such attacks are compounded by email’s strong attributability: today, any attacker who gains access to your email can easily prove to others that the stolen messages are authentic. We define and construct non-attributable email using a new cryptographic signature primitive.

The second paper concerns a new model of post-election audits, loosely inspired by multi-prover interactive proofs. Post-election audits perform statistical hypothesis testing to confirm election outcomes. However, existing approaches are costly and laborious for close elections—often the most important cases to audit. We instead propose automated consistency checks, augmented by manual checks of only a small number of ballots. Our protocols scan each ballot twice, shuffling the ballots between scans: a “two-scan” approach inspired by two-prover proof systems.

Bio: Sunoo Park is a Postdoctoral Fellow at Columbia University and Visiting Fellow at Columbia Law School. Her research interests range across cryptography, security, and technology law. She received her Ph.D. in computer science at MIT, her J.D. at Harvard Law School, and her B.A. in computer science at the University of Cambridge.

Michele Ciampi: On the round-complexity of secure multi-party computation

In multi-party computation (MPC), multiple entities, each having some inputs, want to jointly compute a function of these inputs with the guarantee that nothing aside from the output of the function will be leaked. In this talk, we are going to investigate how many messages the parties of an MPC need to exchange to securely realise any functionality with simulation-based security in the case where there is no setup and the majority of the parties can be corrupted. We will then consider a relaxation of the standard simulation-based paradigm, and discuss whether this leads to more efficient MPC protocols which still realize non-trivial functionalities with meaningful security.

Bio. Michele Ciampi is a Chancellor’s Fellow at the School of Informatics at the University of Edinburgh. His work focuses on theoretical aspects of cryptography, including multi-party computation protocols, zero-knowledge proofs, and blockchain.

François Dupressoir: Revisiting machine-checked AKE security — Reports from a possibly active trench

Machine-checked cryptographic proofs, as supported by tools such as EasyCrypt, CryptHOL or SSProve, aim at increasing trust in cryptographic algorithms by producing machine-checkable evidence that their security follows from relatively (sometimes) standard hardness assumptions. With only a few exceptions, their application has unfortunately been limited to small, typically non-interactive, constructions. A significant exception is a Eurocrypt 2015 paper applying EasyCrypt to a family of Authenticated Key Exchange protocols, whose massive proof has unfortunately been lost to time (and some obnoxious IT practices). This talk will report on an ongoing (or perhaps, hopefully, not) attempt at understanding better the interplay between EasyCrypt, interactive protocols, and a few competing pen-and-paper definition and proof methodologies. By doing so, I hope to provoke discussions around the goal and value of security proof and their machine-checked variants, and about what “traditional” cryptographers might expect or want from proof tools.

Bio. François Dupressoir is a Senior Lecturer at the University of Bristol, where he heads the Cryptography Research Group. His research revolves around bringing formal methods and formal reasoning techniques to cryptographic security of algorithms, protocols and their implementations.

Yixin Shen: Finding Many Collisions via Reusable Quantum Walks — Application to Lattice Sieving

Given a random function f with domain [2^n] and codomain [2^m], with m \geq n, a collision of f is a pair of distinct inputs with the same image. Collision finding is a ubiquitous problem in cryptanalysis, and it has been well-studied using both classical and quantum algorithms. Indeed, the quantum query complexity of the problem is well known to be \Theta(2^{m/3}), and matching algorithms are known for any value of m. The situation becomes different when one is looking for multiple collision pairs. Here, for 2^k collisions, a query lower bound of \Theta(2^{(2k+m)/3}) was shown by Liu and Zhandry (EUROCRYPT 2019). A matching algorithm is known, but only for relatively small values of m, when many collisions exist.

In this paper, we improve the algorithms for this problem and, in particular, extend the range of admissible parameters where the lower bound is met. Our new method relies on a chained quantum walk algorithm, which might be of independent interest. It allows extracting multiple solutions of an MNRS-style quantum walk, without having to recompute it entirely: after finding and outputting a solution, the current state is reused as the initial state of another walk. As an application, we improve the quantum sieving algorithms for the Shortest Vector Problem (SVP), with a complexity of 2^{0.2563d + o(d)} instead of the previous 2^{0.2570d + o(d)}.

Bio. Yixin Shen is a research fellow at Royal Holloway, University of London. Her work focuses on quantum algorithms and their application in lattice-based cryptanalysis. She completed her PhD at Université Paris Cité in 2021. After that, she worked as a postdoctoral researcher at Royal Holloway. In 2022, she obtained a five-year EPSRC Quantum Technology Career Development Fellowship.

Footnotes:

1

Formerly known as London-ish Crypto Day, but that produced a name clash with Liz’ London Crypto Day.

SandboxAQ Internships

You may or may not be aware that at SandboxAQ we have an internship residency programme. Residencies would typically be remote but can be on-site; they can take place year round and last between three and twelve months, full-time or part-time. To take part, you’d need to be a PhD student or postdoc somewhere.

In the interest of advertising our programme, here are two example ideas I’d be interested in.

Add SIS and (overstretched-)NTRU to the Lattice Estimator

The name “lattice estimator” at present is more aspirational than factual. In particular, we cover algorithms for solving LWE but not algorithms for solving SIS or (overstretched) NTRU. Well, we implicitly cover SIS because solving SIS implies solving LWE (and we cost that: the “dual attack”), but we don’t have a nice interface to ask “how hard would this SIS instance be”. Adding this would be a nice contribution to the community, given how widely that estimator is used.

OPRFs from Lattices

Our first work on building OPRFs from lattices costs about 2MB of bandwidth if you ignore the zero-knowledge proofs and something like 128GB (yes, GB) if you count them. Since then, proving lattice statements has become a lot cheaper, so a natural project is to reconsider our construction: use newer/smaller proofs, tune the parameters, prove it in a nicer game-based model or in UC. To give you a taste of what is possible: This work building a non-interactive key-exchange (NIKE) has to solve essentially the same problem (noise drowning + ZK proofs) and achieves smaller parameters.

If you are interested, or have some other ideas, ping me and apply for a PQC resident position.

ERC Consolidator Grant: Advanced Practical Post-Quantum Cryptography from Lattices

My ERC Consolidator Grant application titled “Advanced Practical Post-Quantum Cryptography from Lattices” has been selected(*) for funding by the European Research Council. Here’s my blurb:

Standardisation efforts for post-quantum public-key encryption and signatures are close to completion. At the same time the most recent decade has seen the deployment, at scale, of more advanced cryptographic algorithms where no efficient post-quantum candidates exist. These algorithms permit, for example, strong guarantees even after some parties have been compromised, privacy-preserving contact lookups, credentials and e-cash. This project will tackle the challenge of “lifting” such constructions to the post-quantum era by pursuing three guiding questions:

  • What is the cost of solving lattice problems with and without hints on a quantum computer? Answers to this question will provide confidence in the entire stack of lattice-based cryptography from “basic” to “advanced”. Studying the presence of hints tackles side-channel attacks and advanced constructions.
  • What are the lattice assumptions that establish feature- and (near) performance-parity with pre-quantum cryptography? Standard lattice assumptions do not seem to establish feature parity with pairing-based or even some Diffie-Hellman-based pre-quantum constructions; how can we achieve efficient and secure advanced practical post-quantum solutions?
  • How efficient is a careful composition of lattice-based cryptography with other assumptions? If we want to deploy our post-quantum solutions in practice, we will need to design hybrid schemes that are secure if either of their pre- or post-quantum parts is secure, and to deploy many advanced lattice-based primitives in practice we need to carefully compose them with zero-knowledge proofs to rule out some attacks.

Lattice-based cryptography has established itself as a key technology to realise both efficient basic primitives like post-quantum encryption and advanced solutions such as computation with encrypted data and programs. It is thus well positioned to tackle the middle ground of advanced yet practical primitives for phase 2 of the post-quantum transition.

Concretely, this grant award means that I’ll be recruiting for several postdoc and PhD student (international fees, i.e. not restricted to people from the UK) positions in post-quantum and lattice-based cryptography. I have a bit of flexibility in when to put those on the market, so if you think these positions would fit you well, feel free to get in touch with me to informally discuss it.

In somewhat related news, we’re hiring for a lecturer (≈ assistant professor) position at King’s College London. We’re also hiring for PhD or postdoc residency (≈ intern) positions at SandboxAQ.

(*) Well, there is the tiny issue of Brexit: “As described in Annex 3 of the ERC Work Programme 2022, successful applicants established in a country in the process of associating to Horizon Europe will not be treated as established in an associated country if the association agreement does not apply by the time of the signature of the grant agreement.” See also UKRI’s guidance on the UK’s guarantee scheme.

Lecturer (≅ Assistant Professor/Juniorprofessor/Maître de conférences) in Cryptography at King’s College London

As you may or may not have heard, I will join the Department of Informatics at King’s College London from 2023. Specifically, I will join the Cybersecurity Group there with the aim to build a cryptography lab. As part of that plan, we are going to hire for four staff positions (three at the lecturer level, one at the senior lecturer level). The first of these is now on the market:

Note that the plan here is not to build an exclusive lattice-based cryptography, mathematical cryptography, post-quantum cryptography or a cryptanalysis lab, but our ambition is to build a lab with expertise across cryptography. I think this creates a fun and interesting research environment. So consider applying if you consider FSE, CHES, PKC, TCC or RWC your home venue or any other area of cryptography.

Normally, in this genre of blog posts I’d now go on talking about how amazing the department and everybody in it is but I’ve yet to start at KCL myself. However, everything I’ve seen so far makes me really quite optimistic, the department is strong and the people are nice.

The application deadline is somewhat far into the future (1 March 2023). So, if you like, there’s plenty of time to reach out to discuss or even to come visit us to check us out.

We’d appreciate any help in spreading the word. Happy to answer any questions I can answer or to direct you to someone who can.
