Maître de conférences) in Cryptography at King’s College London 2026

We are looking to recruit a lecturer in cryptography at King’s College London to work with us within the cybersecurity group:

https://www.kcl.ac.uk/jobs/134305-lecturer-in-cryptography

I think it’s fair to say we got strong expertise in lattice-based and post-quantum cryptography here, as well as in protocols with an applied cryptography bent. Check out our publications to get a better picture. For this position, we do not aim to strengthen lattices further, but rather aim to strengthen other areas of cryptography, e.g. protocols, applied cryptography, cryptography in the wild or theory.

The application deadline is somewhat far into the future (5 March 2026). So, if you like, there’s time to reach out to discuss or even to come visit us to check us out.

We’d appreciate any help in spreading the word.

Continue reading “Lecturer (≅ Assistant Professor/Juniorprofessor/Maître de conférences) in Cryptography at King’s College London 2026” →

Internship Position on the Lattice Estimator

Eamonn and I are looking to hire an intern for four months to work on the Lattice Estimator. The internship will be based at King’s College London and is funded by a gift from Zama. We are ideally looking for someone in a PhD programme also working on lattice cryptanalysis who is happy to interrupt their studies for a few months to help us improve the estimator. We’re offering a salary of roughly £4,400 per month before tax.(*)

This would involve reviewing and closing tickets, reviewing the literature for what is currently missing from the estimator to add it and reviewing the code already there for correctness.

If you’re interested, please get in touch with Eamonn Postlethwaite <eamonn.postlethwaite@kcl.ac.uk> and me Martin R. Albrecht <martin.albrecht@kcl.ac.uk> to discuss this position. We are somewhat flexible on timing.

(*) I am writing “roughly” here because internships are not a common thing at King’s College London. In particular, the position would formally be through the King’s Talent Bank and crunching the numbers, the monthly salary ends up being roughly the figure stated above.

Postdoc Position in Lattice-Based Cryptography

We are recruiting a postdoc to work with us on “practical advanced post-quantum cryptography from lattices”, the title of my ERC selected, UKRI Frontier Research funded project:

Standardisation efforts for post-quantum public-key encryption and signatures are close to completion. At the same time the most recent decade has seen the deployment, at scale, of more advanced cryptographic algorithms where no efficient post-quantum candidates exist. These algorithms e.g. permit to give strong guarantees even after some parties were compromised, privacy-preserving contact lookups, credentials and e-cash. This project will tackle the challenge of “lifting” such constructions to the post-quantum era by pursuing three guiding questions:

What is the cost of solving lattice problems with and without hints on a quantum computer? Answers to this question will provide confidence in the entire stack of lattice-based cryptography from “basic” to “advanced”. Studying the presence of hints tackles side-channel attacks and advanced constructions.

What are the lattice assumptions that establish feature- and (near) performance-parity with pre-quantum cryptography? Standard lattice assumptions do not seem to establish feature parity with pairing-based or even some Diffie-Hellman-based pre-quantum constructions, how can we achieve efficient and secure advanced practical post-quantum solutions?

How efficient is a careful composition of lattice-base cryptography with other assumptions? If we want to deploy our post-quantum solutions in practice, we will need to design hybrid schemes that are secure if either of their pre- or post-quantum part is secure and to deploy many advanced lattice-based primitives in practice we need to carefully compose them with zero-knowledge proofs to rule out some attacks.

Lattice-based cryptography has established itself as a key technology to realise both efficient basic primitives like post-quantum encryption and advanced solutions such as computation with encrypted data and programs. It is thus well positioned to tackle the middle ground of advanced yet practical primitives for phase 2 of the post-quantum transition.

So when I say “advanced”, I don’t mean Functional Encryption or Indistinguishability Obfuscation, but OPRFs, Blind Signatures, Updatable Public-Key Encryption, even NIKE (sadly!).

I’m quite flexible on what background applicants bring to the table

Do you like breaking newfangled (and not so newfangled) lattice assumptions?
Do you like to build constructions from those assumptions?
Do you like to reduce lattice problems to each other?
Do you think we can apply tricks from iO or FE to less fancy protocols?

All of that is in scope. If in doubt, drop me an e-mail and we can discuss.

Continue reading “Postdoc Position in Lattice-Based Cryptography” →

On the Virtues of Information Security in the UK Climate Movement

Our paper – titled “On the Virtues of Information Security in the UK Climate Movement” – was accepted at USENIX Security’25. Here’s the abstract:

We report on an ethnographic study with members of the climate movement in the United Kingdom (UK). We conducted participant observation and interviews at protests and in various activist settings. Reporting on the findings as they relate to information security, we show that members of the UK climate movement wrestled with (i) a fundamental tension between openness and secrecy; (ii) tensions between autonomy and collective interdependence in information-security decision-making; (iii) conflicting activist ideals that shape security discourses; and (iv) pressures from different social gazes – from each other, from people outside the movement and from their adversaries. Overall, our findings shed light on the social complexities of information-security research in activist settings and provoke methodological questions about programmes that aim to design for activists.

Here, “we” is Mikaela Brough, Rikke Bjerg Jensen and me. Mik is doing a PhD (with Rikke and me) on how members of environmental social movements navigate their information security. She is an ethnographer and her previous degree was in social anthropology. Rikke is a professor in the Information Security Group at Royal Holloway, University of London. She also is an ethnographer and heads up the Ethnography Group there.

If you are one of the handful of people who actually read this blog (hi!), you might wonder what the heck I did on that paper: I am a cryptographer but this paper is neither cryptography nor in a closely related field. Rather, it is a social science paper throwing up methodological questions about social science (granted, in the field of information security). Thus, it makes immediate sense that two trained and qualified social scientists – Mik and Rikke – would write such a paper; me, not so much.

Continue reading “On the Virtues of Information Security in the UK Climate Movement” →

10 June: Jean-François Blanchette Talk in London

Together with Rikke Jensen, we’re organising a talk and discussion with Jean-François Blanchette in London on his book Burdens of Proof, which has been tremendously influential on our thinking around the social foundations of cryptography.

Title

Yeah yeah yeah he has a thing about steganography: Mathematical formalism, disciplinary boundaries, and cryptography’s design culture

Blurb

10-june:-jean-françois-blanchette-talk-in-london.png

https://x.com/martinralbrecht/status/1793640473841881452

What does it take for cryptographic protocols to become credible outside the narrow world of mathematical proofs? In Burdens of Proof (MIT Press, 2012), I examined this question in the early 2000s, as cryptography began to move into legal, bureaucratic, and professional domains. Drawing on fieldwork during the reform of the French Civil Code and its aftermath, the book traced how digital signatures were translated into legal and institutional practice—not through seamless adoption, but through negotiation, reinterpretation, and friction. It argued that mathematical guarantees alone were never enough: to function in the world, cryptographic systems had to be made intelligible, authoritative, and usable within existing structures of trust and responsibility.

This talk revisits the book through the lens of what the field itself historically sidelined as it sought great institutional credibility and social relevance. Steganography, the art of hiding in plain sight, plays a central role here—not only as a technique excluded from the modern cryptographic canon, but as a pointer to everything cryptography has tended to avoid: context, embodiment, ambiguity, and the materiality of technical systems. Paying close attention to has been excluded and avoided, we can better understand the contradictions, assumptions, and imaginaries built into cryptography’s design culture.

Speaker Bio

Jean-François Blanchette serves as director of the Responsible Data Governance program at the École nationale des sciences de l’information et des bibliothèques in Lyon, France, and is Research Professor Emeritus in the Department of Information Studies at UCLA. He is currently writing about the future of personal digital collections in the age of streaming media.

Venue

Royal Holloway (Central London Campus)
Room 1-01
11 Bedford Square
London WC1B 3RE
https://maps.app.goo.gl/U8yyTBgbHtsnoU5Z6

Date/Time

Tuesday, 10 June, 2pm to 4pm

Registration

Registration is not necessary but we’d appreciate if you could let us know if you’re planning to attend, so we can get a sense of numbers to expect.

Analysis of the Telegram Key Exchange

Together with Lenka Mareková, Kenny Paterson, Eyal Ronen and Igors Stepanovs, we have finally completed our (first, formal, in-depth, computational) analysis of the Telegram key exchange. This work is going to be presented at Eurocrypt 2025 in Madrid.

Abstract. We describe, formally model, and prove the security of Telegram’s key exchange protocols for client-server communications. To achieve this, we develop a suitable multi-stage key exchange security model along with pseudocode descriptions of the Telegram protocols that are based on analysis of Telegram’s specifications and client source code. We carefully document how our descriptions differ from reality and justify our modelling choices. Our security proofs reduce the security of the protocols to that of their cryptographic building blocks, but the subsequent analysis of those building blocks requires the introduction of a number of novel security assumptions, reflecting many design decisions made by Telegram that are suboptimal from the perspective of formal analysis. Along the way, we provide a proof of IND-CCA security for the variant of RSA-OEAP+ used in Telegram and identify a hypothetical attack exploiting current Telegram server behaviour (which is not captured in our protocol descriptions). Finally, we reflect on the broader lessons about protocol design that can be taken from our work.

Let me expand a bit on what “the Telegram key exchange” means, here. Telegram uses its bespoke MTProto protocol to secure its client-server communications. The cryptographic core of MTProto consists of a key exchange protocol and an encryption protocol. A few years back we had already analysed the encryption protocol.

Although that prior work focused on the encryption protocol, we also uncovered a vulnerability in Telegram’s key exchange protocol which Telegram fixed in response. We now completed a formal analysis of Telegram’s key exchange protocol and, in a sense, established that this fix works – but with many caveats.

Broadly, we establish that Telegram’s key exchange protocol provides some standard security guarantees. These guarantees, however, rely on several “non-standard” assumptions that appear to be necessary because of the brittle and ad-hoc nature of how Telegram’s protocol was designed.

Below, I reproduce a section from our paper which discusses this. I have edited it to make it somewhat work without the context of the entire paper. The reason why I pulled out this section for this blog post is because we are also trying to convince practitioners to design their protocols to be – at least – “analysis friendly” (ideally, they’d come with such an analysis directly). Friends don’t let friends deploy a cryptographic protocol without a formal cryptographic analysis.

Continue reading “Analysis of the Telegram Key Exchange” →

Rerandomising LWE

Our work, titled Hollow LWE: A New Spin — Unbounded Updatable Encryption from LWE and PCE, is now available on ePrint and will be presented at Eurocrypt 2025 in Madrid in May. It is joint work with Benjamin Benčina and Russell W. F. Lai. The main technical contribution is a new approach – a new spin, haha, we’re funny – to rerandomising LWE public keys. Roughly, the security goal here is that even given the rerandomised secret key, an adversary should not be able to distinguish the original LWE public key from uniform (in the appropriate space).

Continue reading “Rerandomising LWE” →

PhD Position in Cryptography

We are inviting applications for a PhD studentship in the cryptography lab at King’s College London. Specifically, we are looking for an applicant to work with me and Benjamin Dowling.

The PhD could, for example, cover cryptanalysing existing cryptographic technologies/protocols, such as Telegram or WhatsApp, or modelling and designing new cryptographic protocols or primitives.

This PhD will work in a team consisting of social scientists, specifically ethnographers, and us cryptographers. Together, we study what the security needs and wants of participants in large-scale protests are and how these relate to the security guarantees provided by cryptographic solutions.

See, for example, the lecture “Limits of Proofs (Social Foundations)” or this blog post (for another position on this project) for more details of what we’re trying to do here.

We encourage applicants to reach out to us to discuss the position informally before applying, by e-mailing Ben and me: martin.albrecht_AT_kcl.ac.uk and benjamin.dowling_AT_kcl.ac.uk.

Fine print. This is a fully-funded positions covering both fees and maintenance. The latter is at the UKRI rate. We seek applicants with a strong background in mathematics and/or computer science, preferably with some background in cryptography. We will consider applications on a rolling basis.

PhD Position in Lattice-Based Cryptography

We are inviting applications for a PhD studentship in the cryptography lab at King’s College London. Specifically, we are looking for an applicant to work with us in the area of lattice-based cryptography. We are particularly interested in the study of and constructions from new lattice-based assumptions and privacy-preserving technologies based on lattices.

The PhD could cover studying the underlying hard mathematical problems, cryptanalysis, constructions or applications of lattice-techniques. This can cover post-quantum aspects of lattice-based cryptography and/or advanced functionalities.

The applicant would work with me, Ngoc Khanh Nguyen and/or Eamonn Postlethwaite. We encourage applicants to reach out to me to discuss the position informally before applying.

Fine print. This is a fully-funded positions covering both fees and maintenance. The latter is at the UKRI rate. Funded by UKRI Frontier Research. We seek applicants with a strong background in mathematics and/or computer science. We will consider applications on a rolling basis.