10 PhD Positions at Royal Holloway’s Centre for Doctoral Training in Cyber Security

At Royal Holloway we once again have ten PhD positions in Cyber Security nee Information Security. The catch is that almost all of those positions are reserved for UK residents. Note that this does not mean nationality, see funding page (there might also be some wiggle room in some cases). For more information see the CDT website and the ISG website for what kind of research we do. Closing date is 30 April.

Welcome to the EPSRC Centre for Doctoral Training (CDT) in Cyber Security at Royal Holloway. The Centre was established in 2013, and has as its main objective to produce cohorts of highly-trained researchers with a broad understanding of cyber security.

The CDT is hosted by the Information Security Group (ISG), and provides multidisciplinary training to annual cohorts of around ten students each. The students follow a 4-year doctoral programme: the first phase consists of a taught component comprising 25 per cent of the programme. The remaining three years follow the more traditional path of doctoral studies, with each student undertaking research in an advanced topic in the field of cyber security. See the CDT Course of Study page for more information about the programme.

CDT recruitment typically runs from November to April, to select students for the CDT cohort starting every October. Selected applicants are awarded fully-funded PhD studentships (stipend and College fees) for four years. We consider applications from candidates with undergraduate and masters qualifications in a wide range of disciplines, including, but not limited to, mathematics, computer science, and electrical and electronic engineering.

We are now open for applications for the 2017/18 CDT cohort. We have a number of fully-funded studentships to award to qualified and eligible candidates, to start their PhD studies in September 2017. Closing date for receiving applications is 30 April 2017. We will however assess applications on an ongoing basis, and we reserve the right to make an offer to candidates before the closing date.

Please explore the links below to learn more about the entry requirements, funding and eligibility, and how to apply to Royal Holloway’s CDT in Cyber Security.

Two Lecturer Positions in the Information Security Group

My department – the Information Security Group at Royal Holloway, University of London – has two open positions. One 4 year teaching focused post and one permanent post with the usual research and teaching profile (similar to, say, a Junior Professor in Germany). It’s a nice place to work, there’s good research going on from cryptography and system security to human and social aspects of information security and the ISG hosts one of the two UK Centres for Doctoral Training in Cyber Security which means we have funding for 10 PhD students per year at the moment. Most teaching is at the MSc level.

Continue reading “Two Lecturer Positions in the Information Security Group”

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL

My paper on solving small, sparse secret instances is now on ePrint. Here’s the abstract:

We present novel variants of the dual-lattice attack against LWE in the presence of an unusually short secret. These variants are informed by recent progress in BKW-style algorithms for solving LWE. Applying them to parameter sets suggested by the homomorphic encryption libraries HElib and SEAL yields revised security estimates. Our techniques scale the exponent of the dual-lattice attack by a factor of (2\,L)/(2\,L+1) when \log q = \Theta{\left(L \log n\right)}, when the secret has constant hamming weight h and where L is the maximum depth of supported circuits. They also allow to half the dimension of the lattice under consideration at a multiplicative cost of 2^{h} operations. Moreover, our techniques yield revised concrete security estimates. For example, both libraries promise 80 bits of security for LWE instances with n=1024 and \log_2 q \approx {47}, while the techniques described in this work lead to estimated costs of 68 bits (SEAL) and 62 bits (HElib).

If you want to see what its effect would be on your favourite small, sparse secret instance of LWE, the code for estimating the running time is included in our LWE estimator. The integration into the main function estimate_lwe is imperfect, though. To get you started, here’s the code used to produce the estimates for the rolling example in the paper.

  • Our instance’s secret has hamming weight h=64 and a ternary secret. We always use sieving as the SVP oracle in BKZ:

    sage: n, alpha, q = fhe_params(n=2048, L=2)
    sage: kwds = {"optimisation_target": "sieve", "h":64, "secret_bounds":(-1,1)}
    
  • We establish a base line:

    sage: print cost_str(sis(n, alpha, q, optimisation_target="sieve"))
    
  • We run the scaled normal form approach from Section 4 and enable amortising costs from Section 3 by setting use_lll=True:

    sage: print cost_str(sis_small_secret_mod_switch(n, alpha, q, use_lll=True, **kwds))
    
  • We run the approach from Section 5 for sparse secrets. Setting postprocess=True enables the search for solutions \mathbf{s}_1 with very low hamming weight (page 17):

    sage: print cost_str(drop_and_solve(sis, n, alpha, q, postprocess=True, **kwds))
    
  • We combine everything:

    sage: f = sis_small_secret_mod_switch
    sage: print cost_str(drop_and_solve(f, n, alpha, q, postprocess=True, **kwds))
    

Postdoc Position at Royal Holloway

We got a one year crypto postdoc position in the Information Security Group.

Location Egham
Salary £33,789 to £39,902 per annum – including London Allowance
Closing Date Monday 10 October 2016
Interview Date To be confirmed
Reference 0916-295

The ISG is seeking to recruit a post-doctoral research assistant to work in the area of Cryptography. The position is available now for the period of one year.

The PDRA will work alongside Prof. Kenny Paterson and other cryptographic researchers at Royal Holloway on topics in Cryptography. Our current areas of interest include lattice-based cryptography, multilinear maps, indistinguishability obfuscation, and applied cryptography.

Applicants should have already completed (essential if COS required), or be close to completing, a PhD in a relevant discipline. Applicants should have an outstanding research track record in Cryptography. Applicants should be able to demonstrate scientific creativity, research independence, and the ability to communicate their ideas effectively in written and verbal form.

This is a full time post, available as soon as possible for a fixed term period of 12 months. This post is based in Egham, Surrey, where the College is situated in a beautiful, leafy campus near to Windsor Great Park and within commuting distance from London.

Informal enquiries can be made to Kenny Paterson at kenny.paterson@rhul.ac.uk.

The Human Resources Department can be contacted with queries by email at: recruitment@rhul.ac.uk.

London-ish Lattice Coding & Crypto Meeting: 21 September 2016

The next London-ish Lattice Coding & Crypto Meeting is coming up on September 21.

Programme

  • 11:00–12:30 | Jean-Claude Belfiore: Ideal Lattices: Connections between number fields and coding constructions
  • 13:30–15:00 | Dan Shepherd: Rings and Modules for Identity-Based Post-Quantum Public-Key Cryptography
  • 15:30–16:30 | Antonio Campello: Sampling Algorithms for Lattice Gaussian Codes
  • 16:30–17:00 | Cong Ling: Lattice Gaussian Sampling with Markov Chain Monte Carlo (MCMC)
  • 17:00–18:30 | Daniel Dadush: Solving SVP and CVP in 2^n Time via Discrete Gaussian Sampling

Venue

Arts Building Ground Floor Room 24
Royal Holloway, University of London
Egham Hill
Egham
Surrey TW20 0EX

See meeting website for details.

London-ish Lattice Coding & Crypto Meetings

Cong Ling and myself are starting London-ish Lattice Coding & Crypto Meetings. Please help us spread the word.

Lattice-based approaches are emerging as a common theme in modern cryptography and coding theory. In communications, they are an indispensable mathematical tool to construct powerful error-correction codes achieving the capacity of wireless channels. In cryptography, they are used to building lattice-based schemes with provable security, better asymptotic efficiency, resilience against quantum attacks and new functionalities such as fully homomorphic encryption.

We are setting up meetings on lattices in cryptography and coding in the London area. 1 These meetings are inspired by similar meetings held in Lyon 2 and are aimed at connecting the two communities in the UK with a common interest in lattices, with a long-term goal of building a synergy of the two fields.

The meetings will consist of several talks on related topics, with a format that will hopefully encourage interaction (e.g. longer than usual time slots).

Tentative program

For details (as they become available) see website.

11:00 – 12:30: Achieving Channel Capacity with Lattice Codes Cong Ling

13:30 – 15:00: Post-Quantum Cryptography Nigel Smart

15:00 – 16:30: Lattice Coding with Applications to Compute-and-Forward Alister Burr

16:30 – 18:00: A Subfield Lattice Attack on Overstretched NTRU Assumptions Martin Albrecht

Venue

Room 611
(Dennis Gabor Seminar Room)
Department of Electrical and Electronic Engineering
Imperial College London
South Kensington London
SW7 2AZ

http://www.imperial.ac.uk/visit/campuses/south-kensington/

Registration

Everyone is welcome. Two caveats:

  1. Speakers are told the audience is somewhat familiar with lattices.
  2. Please send us an email at c.ling@imperial.ac.uk, so that the size of the room fits with the number of participants.

Footnotes:

1

Our definition of London includes Egham, where Royal Holloway’s main campus is located.

GSW13: 3rd Generation Homomorphic Encryption from Learning with Errors

This week our reading group studied Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based by Craig Gentry, Amit Sahai and Brent Waters: a 3rd generation fully homomorphic encryption scheme.

The paper is partly motivated by that multiplication in previous schemes was complicated or at least not natural. Let’s take the BGV scheme where ciphertexts are simply LWE samples a_i, b_i = -\langle a_i, s\rangle  + \mu_i \cdot \lceil q/2\rfloor + e_i for a_i \in \mathbb{Z}_q^n and b_i \in \mathbb{Z}_q with \mu_i being the message bit \in \{0,1\} and e_i is some “small” error. Let’s write this as c_i = (a_i, b_i) \in \mathbb{Z}_q^{n+1} because it simplifies some notation down the line. In this notation, multiplication can be accomplished by c_1 \otimes c_2 because \langle c_1 \otimes  c_2, s \otimes  s\rangle \approx \mu_1 \cdot \mu_2. However, we now need to map s \otimes s back to s using “relinearisation”, this is the “unnatural” step.

However, this is only unnatural in this particular representation. To see this, let’s rewrite a_i, b_i as a linear multivariate polynomial f_i = b_i - \sum_{j=1}^n a_{ij} \cdot x_j \in \mathbb{Z}_q[x_1,\dots,x_n]. This polynomial evaluates to \approx  \mu on the secret s = (s_1,\dots,s_n). Note that evaluating a polynomial on s is the same as reducing it modulo the set of polynomials G = (x_1 - s_1,\dots, x_n - s_n).

Continue reading “GSW13: 3rd Generation Homomorphic Encryption from Learning with Errors”

Writing (Crypto) Papers and Version Control

Academics write. Academics in my field also tend to write in groups of two to five people. Back in the dark days — which I’m told are not over for many researchers — this used to involve mailing LaTeX sources around, forgetting to attach the right file, “I take the editing token for file.tex” e-mails, questions like “Where is the most recent version of the draft?” and so on. In some cases, I’m told authors actually sat down together and did grammar fixes in a meeting. In a word, it was horrible.

Judging from anecdotal evidence, it is not that bad anymore. Many people now use some sort of revision control to write their papers, with either Subversion or Git being the tool of choice. However, my impression is that we don’t use the tools available to us to the extent we should. So let me try to make my case for a better practice of collaborative writing for (crypto) academics.

Continue reading “Writing (Crypto) Papers and Version Control”