Internship Reports


Every CDT student is expected to undertake the equivalent of a three-month internship with an external project partner during their study period. There is considerable flexibility in when and how this is done, and while a “typical” internship will occur in one three-month block towards the end of the second year of study, some may take the form of several shorter internships distributed over a wider period. Some students may also choose to conduct more than one internship. Our students have enjoyed placements with a wide range of our external partners, and below, you will find some of their reports.

Oliver Bock-Brown
Government Office for Science
(May - August 2023)

Learning the Ways of Whitehall: Interning at the Government Office for Science

The Government Office for Science, or GO-S, sits under the banner of the newly formed Department for Science, Innovation and Technology, and is responsible for giving scientific advice to the Prime Minister and Cabinet. This summer, I spent three months interning there as part of a UKRI policy internship. I joined the Technology and Science Insights team, or TSI for short (one thing you soon learn is the civil service runs on acronyms), and spent my time largely focused on a pilot project looking at emerging technologies.

GO-S as an organisation has a broad programme of work, reflecting the priorities of the Government Chief Scientific Adviser, Dame Angela McLean. Due to its positioning as an independent group, GO-S is slightly outside the realm of politics, and thus less influenced by political priorities. Perhaps as a consequence, they are well-known for their work on futures and foresight, and in thinking about longer time horizons. It is also a relatively small group—occupying one floor of an anonymous building in Westminster, a stone’s throw from St James’s Park—but is a friendly and welcoming place to work. Indeed, when I was there, they organised a picnic in the park that Dame Angela unexpectedly attended on her way back from the Prime Minister, and I ended up chatting to her for a few minutes about my PhD. She graciously appeared to find it a very interesting topic.

In terms of the work itself, your mileage will vary depending upon which team you work for at GO-S. I was on the engagement side of the TSI team (or the ‘cool team’, as one person described it), which saw me working on a couple of more urgent team projects, as well as leading a pilot project on a topic of emerging interest within government. There were commonalities with my PhD research, as I had to do a mini lit review, scope out a project plan, decide on potential stakeholders to interview, draft a question schedule, and then interview them—indeed, the response rate here was pretty good, which I put down to having a gov.uk email address. However, I also worked with other members of the team on this project and spoke to a good few people from across other government departments. This was a great opportunity to gain insight into the various projects exploring science and tech issues across government.

Highlights of my time at GO-S include the frequent training sessions, some of which gave useful insight into the policy and briefing process, while others refreshed presentation and facilitation skills. I also got to attend The Economist’s conference on quantum tech, which featured a range of interesting talks as well as a truly fantastic spread, and a few London Tech Week events, too. Back at GO-S, I had the chance to present my PhD work a couple of times, which appeared to go down well—or at least the head of our team said it stimulated a lot of discussions, whilst they enjoyed my presenting style (I think my over-use of movie analogies helped). I also made the most of being in central London, finding last minute deals on theatre tickets and running across the King, Queen, and PM whilst walking about.

Would I recommend working for the civil service, and GO-S in particular? Absolutely. I enjoyed my time there, met some great people, and was impressed by the open and collaborative culture, as well as the range of subjects they work on. I’m now thinking about working there after I complete my PhD, where beforehand the civil service hadn’t featured on my radar. That said, there is one negative about GO-S; they use Dells loaded with Windows. An unpleasant shock for someone used to Macs!

 

Wrenna Robson
Quantinuum (October 2022 – February 2023)
During the Winter of 2022-2023, I completed a remote internship at Quantinuum, a quantum computing company formerly known as Cambridge Quantum, based in the UK and US. While I am based in Manchester, the quantum cryptography team I worked with had members located in various locations, and remote work was the norm.
Although the work I did was not directly related to my PhD, which focuses on formal methods for cryptography verification, I acquired several skills that will prove useful in my future career, including experience with the Rust programming language. I had the opportunity to deliver two presentations to the team, one on my research and another on error reconciliation in quantum error correction, which I found fascinating to learn about. I received positive feedback on my presentation skills, which I attribute to my training at CDT, as well as the opportunity to deliver my second presentation in person at Quantinuum’s London offices. I also had the chance to visit their Cambridge offices during an internal conference.
This internal conference was another highlight of my internship. I was able to meet the various teams within Quantinuum and gain insight into their diverse research areas and exciting research directions. There was a real feeling of a company pushing to innovate and expand the horizons of knowledge. Of course, a business must also make money, and the team I was working in is one of those that has produced one of Quantinuum’s products that are available to external customers, Quantum Origin. This is a cloud-based service designed to supply cryptographic keys which are “quantum-enhanced” – what this means in technical terms is that they are produced from an entropy source that is verifiably truly random in a particular sense. One of the challenges for a knowledge-based R&D company is transforming into a profitable product-orientated company. Quantinuum is facing this challenge and observing how these problems manifest first-hand was very educational. However, I am confident that Quantinuum has the potential to become an extremely strong company with a bright future.
During my internship, I gained proficiency in Rust, which I had not previously used. I learned the basics of Rust and how to port a Python program, which has proven useful since returning to my PhD. My manager, Matty Hoban, was supportive of my learning and provided ample opportunities for growth. I appreciated working with Matty and gained valuable insights from him. I learnt a lot from Matty and I think he was really glad of the chance to work with me too. I brought a perspective to things that was useful to the team and we’d often spend time just talking through ideas to understand them. One of the challenges of quantum cryptography is that cryptographers and quantum information scientists speak very different languages in a sense, and learning to bridge that gap was a challenging process in a good way! One of the most interesting concepts I learned about was device-independent cryptography, which involves reasoning about quantum devices while knowing little about their internals. The idea of verifying the presence of quantum behaviour without having access to a device was unexpected and underscored the counter-intuitive nature of quantum thinking.
Overall, I am glad I completed the internship at Quantinuum, and I anticipate referencing it when applying for jobs after completing my PhD. While I am uncertain about whether I would personally work for Quantinuum in the future, I believe that they have the potential to become an exceptionally strong company.

Erin Hales
UK Health Security Agency (September – December 2022)
I completed a three-month internship in the Autumn term based at the UK Health Security Agency. I worked in the Environmental Monitoring and Health Protection team. This internship was part of the UKRI policy internship scheme, and so I took off my cryptography hat and got stuck into reviewing the latest literature to prepare reports on the most recent science for my team. The team I worked with primarily focused on wastewater surveillance, so it was interesting to learn about an area of science that is quite far removed from what I have worked on during my PhD. The same skills of needing to communicate new and complex ideas under pressure were very useful, but now I was communicating about something I had only just learned myself. Learning how to pitch things at the right complexity level to the different stakeholders involved a steep learning curve, and it was interesting to meet so many different people.
It was great to get a taste of life outside academia, and I was glad to practise my communication skills in a new environment. It was interesting to work as part of a much larger structure than my normal research group. I also got a taste for how government works, and got to see how government policy is formed. This was quite different to a more traditional industry-based internship, and also to the research visits that I’ve been on throughout my PhD. It was interesting to apply my skills to real-life problems, and also problems that I heard about in the news during the pandemic, such as wastewater monitoring of covid spread. Now I’m certainly at least considering a career in civil service once I’ve finished my PhD...

Simon Philip-Merz
IBM Research (June – September 2022)
Last Summer, I had the privilege of doing an internship at IBM Research Europe in Zurich. The mission of the Zurich Lab is to pursue cutting-edge research related to information technology without the goal of generating revenue. In many cases the groups work on foundational research spanning a vast range of areas such as nanotechnology, atomic force microscopy and quantum technology. Many groups maintain a close relationship with ETH Zurich.
The research environment was not dissimilar to an academic one, with PhD students and postdocs also in the labs of IBM. I joined the ‘Foundations of Cryptography’ group for the summer under the supervision of Luca De Feo. We worked on multiple problems related to the design and analysis of new post-quantum cryptographic group actions.
The researchers in the cryptography group were working on many interesting projects in a variety of directions, e.g. lattice- and isogeny-based cryptography, zero-knowledge proofs, and protocols. Moreover, they were a social crowd who made it a great pleasure to spend some months in Zurich inside and outside the lab. The great weather facilitated further wonderful exploration into the Swiss Alps.

Natasha Rhoden
Clementine (June – September 2022)
After deciding that I would like to seek out an internship during the Summer of 2022 and receiving helpful advice from staff and students within the CDT, I reached out to tech founders of UK-based app start-ups. I created a shortlist of start-ups after identifying how I could leverage my understanding of digital accessibility gained through my PhD studies, alongside my practical psychology experience, to contribute to the quality of experience of their users. I also wanted to work with an organisation which aimed to contribute towards a social good, so I targeted apps focussed on mental health, the circular economy, and support for workers in the care industry. Clementine, an app focussed on providing wellbeing support through hypnotherapy, was keen for insights around user experience ahead of an upcoming high street product launch. User experience (UX) research aims to improve understanding of the factors driving user behaviour and involves application of research methods to meet user needs through product design. My work with Clementine as an UX researcher centred around exploration of user interactions with the app, communication to users around protection of their personal data, and the effect of app functionality on users’ ability to achieve their mental health goals.
I really enjoyed designing human-centred, qualitative research projects based on the brief I received from Clementine’s founder and product manager. For instance, when combining semi-structured qualitative research with live navigation of prototypes and usability testing to develop user experience solutions. Despite this internship being remote, I had the opportunity to review my progress regularly within a small, tightly knit, and supportive team. I was also given the freedom to determine my own day-to-day tasks and independently solve problems to achieve broad objectives.
The most fulfilling part of this internship was giving feedback directly to the founder and decision makers on the product management team. It was extremely rewarding and satisfying to have my research valued, to the extent that I can see my functionality and design solutions within the latest version of the app. My internship has helped me to develop interview strategies which effectively prompt users to offer insights about their own human-computer interaction experiences. These strategies will be applied to my PhD fieldwork. This experience has motivated me to continue to work with a variety of social good tech start-ups in future.

Lenka Marekova
Cisco (June–August 2021) and Cloudflare (September 2021–February 2022)
I have recently come back after undertaking two industry internships back-to-back, the first one in the summer of 2021 at Cisco and the second, longer one, covering the following autumn and winter at Cloudflare.

Cisco is a large corporation known for networking hardware. However, they also have a Security & Collaboration division, where I joined the CTO team. At the time, it was focused on developing new features for Webex, a video-conferencing software product aimed at business customers which also integrates large group chats for employees. My project involved designing and prototyping how the upcoming Messaging Layer Security (MLS) standard could be integrated into Webex without reducing its features. It was an invaluable experience to see how cryptography is implemented in the real world and to understand the concerns that impact design of security-critical products, which are often unrelated to academic cryptography.

Cloudflare is often described as a content delivery network company, but this is nowadays only a part of what they do. Their network can also be used for DDoS protection, running serverless code, just to give two examples. I joined their Research team, which is involved in academic research, various standardisation efforts as well as applying the research in practice. Given the longer duration of the internship, we agreed on two projects. The first one was initially about making Salt, an open-source tool used internally for infrastructure management, post-quantum secure; however, in the process we discovered and reported a number of vulnerabilities in the design. The second project involved more theoretical work on a formal model of an upcoming standard for privacy-preserving measurements.

Both internships were remote, partially due to the pandemic but partially also because both teams are spread across several countries and time zones. This can make it more challenging to organise your day, since the working hours often only overlap when it’s evening in Europe. I was initially cautious to accept a remote position, but I’m glad I took the opportunity. Both teams have been operating partially remotely since before the pandemic, so the only loss was in occasional meetups that could not happen, and there were plenty of occasions to get to know my co-workers better.

Angela Heeler
Accenture: June – November 2021

I spent six months in 2021 as a Data Scientist intern at Accenture via an opportunity offered by the Alan Turing Institute. I was nearing the end of an interruption of studies following the deaths of both my parents, after putting my PhD research on hold. The internship, therefore, came at an opportune moment, enabling me to return to the rhythm of working academically.

The Turing Internship Network offers internships for doctoral students studying subjects with a data science and/or AI focus. As a Turing network intern, you get to apply your academic skills to real-world challenges working for one of the Turing Internship Network partners.

Accenture is a global professional service company specialising in information technology and consulting services. It serves 6K clients in more than 120 countries. Accenture’s Applied Intelligence team were looking for an “intern who brings a multidisciplinary approach to problem-solving in the real world. This person may have an unconventional background (...) multitude of academic and work experience and is (...) fascinated by a multidisciplinary approach”. Having ticked these boxes but not meeting the stated requirements of having a behavioural science or psychology background, I reached out to the recruiters to check my suitability. This is the second time I have adopted this approach during a recruitment process, and both times gave me some good insights as to the role on offer.

I was fairly amazed to land this role and after waiting impatiently for the paperwork to be completed and for the laptop to arrive, I interrupted my interruption of CDT studies to start my internship at Accenture. The internship was almost exclusively online although I did get to see my colleagues in 2D regularly. When finally, I did get to meet the team and other interns in person, at the very snazzy London office, I was surprised at how I had actually got to know everyone despite meeting only online up to that point.

My role was to consider the unification of behavioural and data science to create a new client offering for Accenture. I embarked on a study to first define behavioural and data science, then research projects in Accenture in either discipline and then create case studies where both behavioural and data science play a part. Behavioural science has its roots in psychology and aims to understand human behaviour. Popular books on behavioural science employ the phrase “choice architecture” where one person influences another’s choice by giving their behaviour a “nudge” towards the desired behaviour. Data science has its roots in IT and statistics and extracts knowledge from data. In Accenture, the behavioural scientists and the data scientists work in different departments on different projects. I spent time talking with employees to understand the organisation and how Accenture works with its clients, as I have never worked for a management consultancy before. I then used the same research methods as my CDT studies to make my own network of contacts and interview 30 people. I asked interviewees about their roles, and recent projects they had worked on with a behavioural element, data science element or both. I then analysed the data, presented my findings and drafted a whitepaper. I have been encouraged by Accenture to convert the whitepaper into an academic paper, which I plan to do. Not to spoil any future reading of the paper but I found that by behavioural and data scientists pooling their skills, they can transform data into information so that clients can gain knowledge to make the desired behavioural changes.

During the internship, I was introduced to an online collaborative whiteboard platform called Miro, which is used by marketing and advertising companies. I am now a complete fan as there are so many templates to choose from to express your ideas and unlike PowerPoint, you do not have to constrain your ideas to individual slides.

I found the internship to be very interesting and a good way for me to get back into both academic and business writing. I attended weekly team meetings and various brown bag sessions where colleagues would talk in a sanitised way about their recent client projects and Accenture’s views on current issues such as green energy. The Data Science group also had a knowledge exchange session and amiable chat session every Friday lunchtime that combined being informative and sociable at the same time. However, like other management consultants, the Accenture employees work extremely hard, and it was not unusual for the managers to have back-to-back meetings scheduled from 08:00 until 21:00, all in 30-minute slots.

I would say it was a different experience from my previous in-person internships but had two distinct advantages. First, there was no commute so I could study in the evenings, and second, I was easily able to network and interview employees in America, Germany, and the Nordics in addition to the UK. This added depth to the research.


Georgia Crossland
Facebook. June-September 2021
In the summer of 2021, I completed an internship as a qualitative user experience (UX) researcher at Facebook on the Advertising Business Products team. Despite the internship being remote, I fully enjoyed the experience and came away from it feeling prepared for post-PhD life.

UX research refers to the practice of studying user interactions with technology, to assist with the design of human-centred products and experiences. UX researchers use a range of methods to do this, such as usability testing, interviews, ethnography, surveys, diary studies and more. While quantitative and mixed methods researchers also work in this field, my UX research experience at Facebook was qualitative. UX researchers at Facebook work with product teams to apply their learnings from different studies to help manage design on their products as well as push boundaries in new immersive technologies. Interns are treated as full-time employees and are given many responsibilities – which engenders a feeling of accomplishment!

My projects included research with small to medium sized businesses, conducting usability testing and interviews, as well as writing reports for a privacy focussed workstream. Not only was I able to experience what it’s like to work in a large organisation and learn new skills, I felt I was able to apply the knowledge gained from my PhD to the job at hand - largely that relating to usable cyber security and psychology. I greatly enjoyed the work I did here and accepted a returning full-time offer. The possibility of a returning offer is another advantage of an internship at Facebook or many other large tech firms.

In addition to the research, I had the benefit of working within a great team, and alongside other UX research interns, who were also in the process of completing PhDs. This has given me an extra support network beyond that of the 3-month internship. I further found it encouraging to intern in an organisational culture that encouraged dialogue and debate about the company's products and policies.

I am very grateful to the CDT for allowing me this opportunity. Studying within a doctoral programme that actively encourages internships in industry, to equip students with a mindset to tackle issues outside of academia, significantly improved my PhD experience.


Nathan Rutherford
HP Labs, Bristol: April - October 2021
HP is a global leader in providing enterprise and personal computing products, ranging from laptops with built-in security protections, to management services for managing and monitoring the security for a fleet of enterprise solutions. HP Labs' role within the organisation is to focus on anticipating medium to long-term problems that will impact HP customers, identify opportunities for innovation through early-stage proof-of-concept prototyping, and communicate these to the core business units (Anticipate->Innovate->Communicate). Each lab focuses on a specific area of interest for HP; these include 3D printing & Microfluidics, Digital Manufacturing and more importantly for my work, Security. I was based in HP Security Labs in Bristol, which has three broad areas of focus for research: Device Security (end-point-devices), Infrastructure Security (including cryptography, and supply chains), and Security Management (malware analysis and various topics in data-science). While each one of these areas deserves an article in its own right, I will stick to my experiences working with the device team alongside the incredible systems researcher Chris Dalton.

From April 2021 to November 2021 I was a Security Lab Intern at HP Labs, Bristol. As a member of the Device Security team I was focused on anticipating how we might better use hardware to support security solutions implemented in software, so that we can make more clear assumptions about what the software can and cannot be trusted to do. My day-to-day activities were not so different to what I would expect from my PhD research. I spent a lot of time reading about novel methods published in security conferences, and implementing a PoC solution as a communication tool. The difference and potential for growth as a researcher really came down to how I evaluated the potential utility or impact of the academic research presented at a conference for our industry use-cases. Industry research was (in my opinion) much more grounded in the reality, ensuring there is a balanced focus between advancing the 'state-of-the-art' and considering how the research could potentially improve the experience of HP partners and customers. While a subtle shift in mindset, I found this to be immensely valuable in developing my constructive criticism skills when evaluating research. I also got the opportunity to attend meetings held by HP leadership, which gave me a valuable insight to how research is viewed by top executives in the tech industry.

Of course, due to the COVID pandemic I was based remotely for the duration of my internship. However, this did not detract from my experience working at HP Labs at all, which I credit to the incredible culture cultivated by Simon, Kayte, Boris, and Jonathan. Everyone at the lab was very friendly and welcoming, going out of their way to set up one-on-one Zoom calls to get to chat with me about what I was doing throughout my six-month tenure. Kayte encouraged and facilitated coffee chats between all of us interns, many of whom were based overseas and shared stories about their work and life experiences. The lab was its own research community, with teams sharing what research they had been up to, and weekly tech-talks by individual researchers about a topic they have been researching. Jonathan's weekly poet of the week was also a personal highlight of mine, and really set the atmosphere for the lab's collectivist culture.

My personal view is that I benefited greatly from my six-month internship at HP Labs, and would encourage anyone thinking of doing an industry research internship to take the opportunity. On a technical level I gained experience with many tools that are common within systems research both in industry and academia. As a researcher I gained more confidence in my ability to evaluate and communicate research ideas. It also allowed me to 'round out' my professional knowledge, giving me insight into how tech companies are managed, operated, and potential career tracks available outside of academic research. Overall I found it to be a fulfilling experience, and am glad that this is something that is encouraged as part of my PhD.


Jodie Knapp
Thales: July – October 2021
I commenced a three-month internship with Thales UK from July to October 2021 and have come away from the experience with a positive outlook post-PhD. I have spent my time in the CDT enjoying research, however, I was keen to experience research in a business context with more emphasis on designing practical protocols.
 

The internship saw me working on a specific project within the very welcoming and supportive cryptographic research team. I highly enjoyed interacting with different people in the business, working in a group and polishing skills such as programming. Further, I developed my speaking skills and gained confidence voicing my opinions and contributing to the project. Whilst I was only able to attend my internship in person a couple of days out of the working week, the balance of home versus office work was not an issue as I had as much support at home as I did in person.

Upon returning to my research I found I had renewed motivation to keep up with the pace of working at Thales and structure my working days in an efficient, productive way. Completing an internship outside of my area and comfort zone has been productive and beneficial to my PhD and thoughts towards a future career.  

Robert Markiewicz
F-Secure. June - September 2021
F-Secure is a global company with a rich history in the field of information security and anti-virus (AV), developing the first heuristic-based scanners for AV as well as the first anti-rootkit products. Following several acquisitions and developments in its offering, F-Secure provides industry-leading cyber-security consulting services globally. Part of this development includes a strong summer internship programme I had the privilege of attending.

The 12-week Cyber Security Consulting Internship, as well as F-Secure as a whole, places a strong emphasis on training and skills development. For the first four weeks, I along with the other interns attended a series of seminars and workshops on the most prevalent areas of cyber security, such as application security, network security, cryptography etc. These included working with real-world examples, with up-to-date threats outlined, analyzed, and reproduced to gain a complete understanding of their impacts and how to detect such threats on a client's infrastructure.

My remaining time at the company was dedicated to a brief research project proposed by fellows (F-Secure's name for employees) within the company. With a background in machine learning, I set out to detect malicious JavaScript automatically using common classification techniques. This included engineering the complete data collection pipeline for both malicious and benign samples, processing and storing of samples, feature engineering and finally classification and statistical analysis of collected samples. The result was a pipeline that allowed for any new websites to be scanned for JavaScript, and with an accuracy reaching 99% detect if the JavaScript contained within was malicious or not.

Undertaking a remote internship during a covid lockdown is not something many would hope for, but my worries were quickly quashed once I experienced the remarkably positive work culture at F-Secure. Online chat rooms were constantly bustling with conversations ranging from the deeply technical to endless streams of cats. These "water cooler" moments we all miss from in-person working were had despite it all, and the openness and friendly disposition of all at the company made my time there a real pleasure. So, to anyone who is thinking about going ahead and either taking an internship with F-Secure or a full-time role: do it!

Feargus Pendlebury
Facebook. September-December 2020

Last fall I returned to Facebook for a second internship, this time working with the Compromised Accounts Measurement team. This team is part of the Community Integrity organisation which aims to prevent abuse, focusing on the detection and removal of harmful content to ensure that the different platforms, namely Facebook and Instagram, are safe and inclusive spaces for people to interact in.
 
As the name implies, Compromised Accounts tackles the issue of user accounts which have been hacked, or in some cases, self-compromised (where users purposely lend their account to a bad actor, either for financial gain or reciprocity). This is an important attack vector as compromised accounts typically go on to perform a wide range of downstream abuse, hoping that the 'realness' of the account will cloak any signal that gives away that they're engaging in harmful behavior.
 
While some compromised accounts can be easily identified by automated systems due to the anomalous nature of their activity, many sophisticated attackers are harder to detect except by specialized harm prevention teams, but this is largely the result of manual investigation which does not scale particularly well. My research there aimed to reduce this burden, by developing techniques to automatically generate high precision rules from small sets of labeled examples, which can then be scaled to label larger sample sizes. Such automatic labeling has two core benefits: it allows for more examples to be used for machine learning which helps scale the automated detection systems to capture more sophisticated attackers, and it improves the quality of the measurement to ensure that integrity teams have a more accurate understanding of the abuse prevalence in real time. 
 
Like most of the integrity teams, Compromised Accounts is composed of engineers, data scientists, and research scientists, all with different backgrounds, experience levels, and specializations. This makes it a truly awesome place to learn about the different challenges in social network security and perspectives on how to tackle them. I also had the good fortune of visiting during a particularly lively few months: the COVID-19 pandemic was ongoing, the US 2020 election occurred, and new regulation from the European ePrivacy Directive came into force, all of which offered great learning opportunities for a security intern.
 
I would definitely recommend others to consider social networks as a topic of their research (or their internships) as the kind of security and privacy issues facing these networks are hugely impactful on our everyday lives. What's more, these issues are largely the consequence of a connected world where everyone shares the same digital space. As the future will only see us get more connected, we have to try and get it right. 

Eamonn Postlethwaite
PQShield, Oxford, June–December 2020 
PQShield has a small but exciting research lab in Oxford with a focus, unsurprisingly, on post quantum cryptography. Among their staff they have two authors of finalists of the NIST post quantum cryptography standardisation process, along with a designer of instruction sets for the RISC-V architecture, and experts in safe randomness generation.
It is not a shock, therefore, that it is a vibrant and bubbling research environment. I worked under Dr Thomas Prest, whose friendly and comprehensive pedagogy cannot be overstated. Together we worked on a number of projects, some still ongoing, on topics as varied as the formal construction of more efficient arguments of knowledge from unstructured lattice assumptions (with the ultimate aim of creating more efficient accumulators; exceptionally powerful primitives) and the nitty gritty of parameter selection for variants of lattice based KEMs to optimise their performance in the context of large groups on secure messaging platforms.
The researchers at PQShield have an unerring ability to find problems that are both of theoretical interest and imminently practically useful, and are a friendly bunch to boot.

Marcel Armour
Crypto Quantique. May - December 2020
Crypto Quantique are a start-up based in London who are developing a novel Key Provisioning Architecture (KPA) for the generation, distribution, and certification of cryptographic keys used by Internet of Things (IoT) devices and the cloud. This architecture involves a number of different entities and cryptographic protocols. At its heart, the architecture makes use of a Quantum-Driven Physical Unclonable Function (QD-PUF) technology, which generates cryptographic key material based on the intrinsic quantum fingerprint of a silicon device.
I was based in the cloud platform software development team, which grew from 4 members when I started to 11 by the end. I learnt a lot about the different roles and tasks in a software development team. It was interesting to see how the team dynamic changed as the team grew. At the start, there was a lot more opportunity to take on small pieces of work and contribute to areas outside my direct responsibilities, which was a great opportunity for me as an intern. I got some insight into a software development project and agile management. I was also able to do a bit of coding in Python – I even had to use my very basic knowledge of JavaScript at one point, which was nice. I played around with Hardware Security Modules, learnt about the Python Django framework and how the backend and frontend of a website work together.

My main responsibilities were to work on cryptography problems that arose from the business needs and strategy of the company: a mixture of open-ended research questions and practical problems. Part of my work was to put together an analysis of the cryptographic security of the key provisioning architecture. This required me to understand the architecture and protocols used, to formulate and interrogate the threat model, and to examine the security provided along with the assumptions underlying that security. I also worked on using the key provisioning architecture to encrypt firmware and came up with an idea that was implemented by the software engineering team. I had to work out the parameters of the problem, find a practical solution and present the solution convincingly to my colleagues, as well as working with my colleagues to refine and develop the idea further. I worked on translating the theoretical solution to a usable set of instructions for the developers, a process that I found hugely rewarding. Towards the end of the internship, I worked on communicating the core product (the QD-PUF, its randomness and reliability) both to a general audience and a more academic audience. I put together a ‘white paper’ aimed at a general (technical) audience, and also had the opportunity to contribute to an academic paper that the team is looking to publish describing their QD-PUF.

As well as learning more about cryptography ‘in the real world’, I also learnt a great deal about working in industry, certificates and PKI, IoT devices and what it is like working for a start-up. Of course, due to the global pandemic my internship was remote, which meant that I didn’t get the “full” experience of working in an office. Nevertheless, I had a great time and had the opportunity to work with some fantastic colleagues and exciting technology. I am very grateful to Crypto Quantique for hosting me.

Feargus Pendlebury
Facebook. September - December 2019
Last autumn, Feargus spent three months interning at Facebook as part of their Abusive Accounts Detection team.
As widely known, Facebook faces a number of challenges regarding the misuse of its platforms by bad actors who try to exploit its scale and reach to propagate harmful content. To rise to these challenges, Facebook has been rapidly growing its Community Integrity organisation over the last couple of years. To tackle the root cause of abuse, Community Integrity encompasses a number of teams that specialise in detecting, tracking, and responding to fake, abusive, or compromised accounts from which harmful content originates.

The Abusive Accounts Detection team design and manage a number of pipelines for identifying bad actors on Facebook and Instagram, many of which include machine learning methods to help manage the huge scale of internet traffic that passes through the platform. The main limitation to deploying machine learning detection in a security context is that the data is adversarial in nature---attackers actively try to evade detection and will react to any changes made to the defences. This means the thing you're trying to detect morphs and evolves, sometimes very suddenly and severely, which can cause you to misclassify legitimate accounts or let malicious accounts slip through. Much of the research there aims to develop more robust, adaptable approaches that can handle the shift in distribution, or to obscure the change in signal when the defences are updated so that the attacker doesn't feel a need to change their habits at all.

My research there focused on developing novel techniques to use the shift in the data distribution (which is usually a bad thing) to instead predict how attacker behaviour was beginning to change. This would allow teams to be more proactive when updating the pipelines and less reliant on manual effort, freeing up expertise to focus on other requirements. Seeing attackers change their behaviour in real time, with real data, at massive scale, was an extremely exciting and eye-opening experience which I've found invaluable for informing the context of my subsequent research.

I had a really fun time interning at Facebook - interns are treated the same as full-time employees, given the same responsibilities, and expected to contribute to the production codebase which makes for a really cool experience. I also found it heartening to experience an internal culture that encouraged dialogue and debate about the company's policies and future direction. Overall, I'm very grateful to have been able to work with and learn from some brilliant people in the Community Integrity teams and am thankful for the CDT for enabling us to take the time out to tackle security problems from the industry perspective.

Pallavi Sivakumaran 
F-Secure Consulting. May - November 2019  
F-Secure Consulting makes available a significant amount of training resources for its employees. While there is no formal technical training schedule, the availability of these resources alone is enough for most people. I would like to specifically mention Playground, an in-house developed cloud platform on which training labs can be run. A number of security exercises are available, targeting different platforms and technologies, as well as different levels of expertise. Several labs also offer step-by-step guidance or hints, so that beginners can learn techniques for approaching specific problems. I found Playground to be an invaluable resource during my placement.

During the final three months of the placement, I was asked to develop a tool that would simplify the identification of Android logic bugs for Mobile Pwn2Own competitions. (For anyone who is unfamiliar with Pwn2Own, these are competitions where the goal is to execute code or exfiltrate files from various devices, usually with minimal or no end-user interaction.) Previous employees from MWR had developed a proof-of-concept that went one step towards achieving this goal. My task was to expand upon their work and develop a complete, extensible tool that could be executed with minimal effort.

Embarking on an industry placement in the middle of a PhD involves several practical considerations that need to be taken into account. Firstly, whether or not the organisation provides financial support will determine whether PhD funding can be interrupted, which in turn may limit the duration of the placement. The duration should also be selected to be long enough to maximise the benefits to the student and the organisation, and yet not so long that the student finds it difficult to return to their own research at the end of the placement. In addition, unless the organisation’s office is situated close to the university, the student will have to decide whether to temporarily move to new accommodation or to endure potentially long commutes. As an example, I opted to remain close to the university, which necessitated a daily commute of over three hours.

Pallavi's industry placement was with F-Secure Consulting (originally MWR Infosecurity) – a cyber-security consultancy with a strong research focus. The company provides vulnerability assessments and red-teaming services, but also offers more specialised security analyses of proprietary hardware and firmware. In addition, it actively contributes to the InfoSec community via technical whitepapers and open-source security tools. It was this last aspect that strongly appealed to me, as it’s something fairly rare in a standard security consulting firm.

Phase 01: Training and shadowing
Once I had gone through a number of training labs, I was assigned to shadow security consultants on a few projects. This, again, was very useful, as I was able to observe and often also participate in the different stages of a project, including the initial requirements gathering, preparation of the statement of work, the actual assessment itself, as well as the report write-up.

Phase 02: Internal development project
The tool I developed (pre-christened Jandroid by my predecessors) allows for extendable template-based pattern-matching for Android APKs. Development was completed just as F-Secure concluded its preparations for that year’s Mobile Pwn2Own, which meant that the tool could be used to verify some pre-identified vulnerabilities in the applications under test. Jandroid was made available as open-source software via F-Secure Labs’ GitHub shortly before my placement ended.

Thoughts
Despite these challenges, I found the industry placement to be a great learning experience, and it is a component of the PhD that I believe students should make the most of.

Torben Hansen 
Amazon Web Services. February - June 2018  
AWS provides Infrastructure-as-a-service together with a plethora of web services (cryptography related services entail KMS, ACM and CloudHSM). These services help companies reduce the complexity of providing, e.g. availability, redundancy, security and scalability of IT. AWS works at an unbelievable scale, and services many well-known companies: Netflix, Spotify, Airbnb, General Electric, Siemens, Slack, and the list goes on and on. AWS is truly scale of scale.

Part of my work as an intern was to specify hybrid key exchange methods in SSH and prototype these in an SSH implementation. The work was done in relation to the ongoing post-quantum cryptography “competition” run by the US National Institute of Standards and Technology (NIST), where AWS has contributed to two submissions: BIKE and SIKE.
SSH is a widely used and supported secure communication protocol. Unfortunately, the current cryptographic algorithms used in SSH are insecure against quantum adversaries, i.e. bad people that have access to a large quantum computer. A hybrid key exchange method is an attempt to thwart attacks by such adversaries, by combining a current cryptographic algorithm with a new post-quantum cryptographic algorithm. But since post-quantum algorithms are new, they do not yet possess a high level of trust. However, the hybrid key exchange method construction remains secure even if a post-quantum cryptographic algorithm turns out not to be cryptographically secure. The hybrid key exchange method prototypes and specification have both been contributed by AWS to the Open Quantum Safe project.

Being an intern at AWS was a fantastic experience. Interns are treated as regular employees, given responsibility, and have the chance to contribute code to production systems used by millions and millions of people. Also, a nice perk of interning at AWS in Seattle is that dogs are allowed in AWS offices. So, if some problem is frustrating you, canine help is always near!  

Amit Deo
Joint NUS/Singtel research lab. October - December 2018
During this internship, I was investigating alternative solutions to a secure data sharing problem that the lab has been looking at. Finding a satisfactory balance between functionality/efficiency requirements for certain parties and security in the presence of collusion was a particularly challenging aspect of the research. Despite the fact that I was working on a cryptography project, this internship gave me ample opportunity to learn about numerous techniques used in secure multiparty computation as well as the data structures that are used in the design of various schemes.

Beyond the research I did during my time there, it was interesting to see how the interaction between the industrial and academic sides of the lab helped shape a common direction for the research being carried out. In particular, it was fascinating to watch presentations where representatives from Singtel would give feedback on the progress of research projects and identify possible future directions. It was very refreshing to see how inclusive the lab was in terms of allowing interns to attend such talks and showing a willingness for engaging in open discussion on research ideas. In summary, I am extremely grateful for the opportunity to visit the NUS/Singtel lab and for the opportunity to make useful contacts there. I am also thankful to both the NUS/Singtel lab and the CDT for making this internship possible.

Ben Curtis, Research Visits
A visit to another institution can be a beneficial experience for several reasons. First, collaborating with other PhD students and/or academics allows for an academic network to be built or expanded, and also allows you to share knowledge with your peers. Second, learning how other people carry out research can allow you to develop new skills and therefore improve the efficiency of your own research. Third, such a visit can lead to a lasting research partnership, which is valuable for all parties.

Throughout the course of my PhD, I have been lucky to go on two such visits: the first in 2017 to TU Darmstadt in Germany and the second in 2019 to New Jersey Institute of Technology in the USA. Although both trips were only around 10 days long (sometimes visits can be much longer, such as a few months), these research visits have been an invaluable experience and have helped me to develop several research skills.

During the trip to Darmstadt, I was visiting Dr Thomas Wunderer (who was then a PhD student, and has now graduated from Prof Johannes Buchmann's group). Dr Wunderer specialises in lattice-based cryptanalysis, and I was able to learn a lot during the course of this trip - much of which has set me up for future research. This trip gave me the opportunity to visit Germany for the first time and also allowed me to work alongside a more experienced PhD student, which is definitely beneficial for fairly new students.

During the visit to New Jersey Institute of Technology I was visiting Prof Kurt Rohloff, the Director of NJIT’s Cybersecurity Research Center. This trip has resulted in an ongoing research project between Royal Holloway and NJIT. As part of this trip I was able to visit the offices of a start-up called Duality Technologies, who are based at NJIT, and are a company specialising in privacy-preserving computing through the use of, for example, homomorphic encryption. I will be going back to Duality in the summer as an intern, which is an exciting opportunity!

I would encourage all other students in the CDT who are interested in research visits to pursue this opportunity, and try to set up a visit to another institution - they are definitely worthwhile experiences. 

Ela Lee
Crypto Quantique. September 2017 - March 2018 
 
As part of my CDT training, I undertook a six-month internship at Crypto Quantique - a startup based in London. Crypto Quantique have developed a microchip where each chip generates unique randomness. Since good randomness is needed for keys, which are the foundation of secure cryptography, this is very exciting.

In my PhD much of my work has been more on the theoretical side, so it was good for me to gain an appreciation for implementation and the challenges it presents. For example, I spent some time considering alternatives for post-processing that are more power-friendly, so the product would be more suitable for IoT environments where battery power is precious.

I was very fortunate in that my experience wasn’t limited to the technical. I also gained an appreciation for the business case, getting to sit in on meetings with potential partners and contribute to the discussion. I also had a good degree of freedom in my work. Whilst I had some set tasks, I was given the freedom to explore ways in which the chip could be used to create novel crypto solutions. It was a great exercise in being able to explain my ideas, why I thought these would work well for the chip, and why this would present a unique solution that would be of interest to clients.

Overall I am very grateful to Crypto Quantique for the experience, and thankful for the CDT model for encouraging us to spend time outside academia to see how useful our expertise is in the real world.

Alex Davidson
Cloudflare. 2016
I spent this summer at Cloudflare. The company hosts a content delivery network (CDN) that ensures websites perform better by distributing content across their points of presence worldwide; they also use their vast network structure to mitigate threats to website security such as DDoS attacks and spam generation. A considerable amount of work is also spent on developing novel cryptographic solutions to real-world problems that the company faces and this was the main reason why I wanted to spend my internship here. I was fortunate enough to work within the cryptography team which is led by Nick Sullivan, spending time in both the London and San Francisco offices.

Under Nick's guidance I worked on a project to make Cloudflare protected websites more accessible to Tor (also VPN/I2P) users. This involved developing solutions that reduced the number of challenge pages that users of Tor would have to pass when navigating to such a webpage. Such challenge pages are usually represented in the form of CAPTCHAs that require the user to perform a task to distinguish whether they are actually human or not.

My work involved designing and implementing a cryptographic solution in the form of a blinded token protocol that allowed users to submit signed tokens instead of having to complete a CAPTCHA solution for each access, where a user receives these tokens after completing an initial solution. The blind aspect of these tokens guarantees that the tokens are not linkable on Cloudflare's side and thus anonymity is ensured (a key principle for Tor's threat model). The specification of our design can be found online (https://github.com/cloudflare/challenge-bypass-specification) and the protocol will be made available to the public in the near future.

The opportunities to work in rapidly growing companies such as Cloudflare on state-of-the-art cryptographic solutions are very few and for this reason I am grateful to be given this chance. Working at Cloudflare in particular allowed me an unparalleled insight into how cryptographic solutions can be employed in the real world. Furthermore I found it especially useful working with Nick and others who are well-respected individuals in the information security community. I intend to revisit these connections and the work I did in both an academic and an industrial context in the future.

Carlton Shepherd
VASCO. 2016
This summer I completed an internship at VASCO Data Security Inc. – a NASDAQ-listed financial security firm headquartered in Wemmel, on the outskirts of Brussels. The company is recognised for its multi-factor authentication and electronic signature products, as well as mobile app security and risk management solutions.

I worked within the VASCO Innovation Center, which is responsible for envisioning new product areas and creating prototypes and intellectual property accordingly. I worked specifically on risk management for the Internet of Things, namely methods for forecasting future security risks on financial services, such as insurance, blockchain-related products and frictionless payments. During my time, I was exposed to various standards for threat modelling and risk assessment, particularly ISO 27005, as well as others, such as STRIDE and DREAD, which I hadn't used previously on the CDT.

I was slightly apprehensive initially, since I knew neither of the languages spoken in the Brussels region – Dutch and French – other than 'hallo', 'tot ziens' and the myriad of French phrases we use in English. However, this was put at ease immediately after arriving: Brussels is very accessible for newcomers!

I thoroughly enjoyed my time and I remain in contact with those at VASCO. I already find that my internship is informing the research I'm currently conducting at the CDT.

Robert Lee
NXP. June - September 2015
This summer I completed an internship at NXP Semiconductors at their offices in Leuven, Belgium. For three months I worked on extending a side-channel analysis tool that was originally developed by a previous intern a couple of years ago.

Side-channel analysis is a powerful attack that is a major threat to many of the devices that are deployed in settings such as transport ticketing, payments and many more. Being able to detect the presence of side-channel leakage is important to anyone wishing to produce secure hardware. Before starting at NXP I thought I had a fairly good understanding of the topic, but I learned that performing the attacks requires far more knowledge than just understanding them. Definitely a case of theory vs practice in action!
I found the internship to be a great opportunity to work on some real-world security problems and to work on a tool that is in use today. It was definitely a big change to be working on research in industry instead of the academic setting at RHUL and I enjoyed the opportunity and found the experience invaluable.

Thyla van der Merwe
Mozilla. July - October 2015
This summer I completed an internship at the Mozilla Corporation in Mountain View, California, and was fortunate enough to be mentored by Eric Rescorla. Eric is the editor of the TLS 1.3 specification, the next incarnation of the TLS protocol. TLS 1.3 is the Internet Engineering Task Force (IETF)’s answer to the weaknesses in TLS 1.2 and the TLS Working Group is in the process of finalizing its design. Under Eric’s guidance and together with Sam Scott, a fellow CDT cohort member and Mozilla intern, I worked on the symbolic verification of TLS 1.3. The TLS protocol is used by millions of users on a daily basis and verification of its security properties is of critical importance.

We conducted our analysis in collaboration with Professor Cas Cremers and Marko Horvat of the University of Oxford and we are in the process of submitting our findings to the IEEE Symposium on Security and Privacy (2016), a top-ranked security conference in the US. The team has been in constant contact with the TLS Working Group and has made several comments and recommendations regarding the new specification. As part of my internship, I attended a TLS Interim Meeting in Seattle and was able to meet several of the TLS Working Group members.

The opportunity to work in the US, and in Silicon Valley in particular, has been invaluable to my development as a researcher in the field of security, and I am very pleased that my internship provided a chance for academia-industry collaboration.

Thalia Laing
HP Labs. June - September 2015
This summer I was fortunate enough to be able to complete a three-month internship at HP Labs in Bristol. I worked with a team of researchers that were considering security in the Internet of Things.

During my internship I learnt a lot about security in practice. Although I knew industry faced different challenges and had potentially contrasting focuses to academia with their research, these were highlighted further and I gained experience in identifying and discussing potential concerns regarding real world applications. My three months at HP also reinforced the Masters courses I had completed in the first year of my PhD.

Towards the end of my internship I participated in an HP poster fair where I presented my work to other researchers. This was a fantastic opportunity to explain my work and to network and discuss other people’s research interests. Overall, the internship was a fantastic opportunity for me to sample working in industry.
 
