"Cryptography is easy, getting into cryptography is hard"—yay or nay?
Hey! I'm Anastasiia from Cossack Labs. We are a data protection company and our work is closely related to applied cryptography, both traditional and cutting-edge. Recently, we’ve launched an invite-only cryptographic internship, aimed at computer science students who want to work in the applied crypto space.
Here I’d like to share some backstage details about our crypto R&D internship program.
🔸 Crypto R&D at Cossack Labs 🔸
Crypto R&D has been our main area of interest since Cossack Labs’ launch in 2014, and based on R&D we've built our product line.
Being focused on data security, we developed a number of data protection solutions: open source crypto libraries, software for transparent data encryption in databases, a verifiable audit logging system, a framework for operations on end-to-end encrypted data, etc.
Our crypto R&D engineers work on complex and interesting issues at the forefront of modern cryptography: zero-knowledge proofs, private information retrieval, sMPC, searchable encryption, zk-SNARKs and blockchain privacy, and other applied issues in this domain.
We cover a full cycle of modern cryptographic problems: from scientific papers and math, test implementations and PoCs — to production-ready implementations of cryptographic controls in software and integration with third-party infrastructures.
🔸 Who are crypto R&D engineers? 🔸
Crypto R&D lies at the intersection of multiple technologies: cryptography, software engineering, information security, and hardware.
So, our crypto R&D engineers are either engineers with a cryptological education and a good understanding of the software development process and limitations (from performance to maintainability), or software engineers with deep experience in applied cryptography.
🔸 Crypto R&D internship 🔸
In general, crypto R&D engineering is a rare specialisation that demands developing more than a few skills.
Not many universities offer rich, real-world cryptology education, which makes this profession even harder to enter. During job interviews, we often see how big the gap is between university knowledge and the discussions in the global cryptographic community.
To fill this gap, we launched our own internship for computer science students interested in cryptography. Currently, we’re beta testing the program with several interns involved.
The training program is very practical and consists of several large topics to be covered in 4-6 months. Our interns are undergrad students, so they combine university courses with the internship and work with us in a part-time paid remote job mode — with flexible hours, regular calls and reviews, mentored by me and my colleagues who are academic cryptographers, software and security engineers.
🔸 Who needs a crypto R&D internship and why 🔸
For students 🎓, the internship is a chance to learn more about modern cryptography & data protection and find out if it fits their future career expectations. Also, it’s a great opportunity to work with a group of software developers and applied cryptographers, leave a track record in open source projects, practice teamwork, analyze scientific papers, and present their own research results.
For us 🔐, the internship is an option to "lure" students into this interesting field, give them the advantage to meet cutting-edge cryptography, and, of course, tutor specialists that can work with us at the applied cryptography forefront.
🔹 Internship agenda 🔹
Let’s unpack the program in detail.
It comprises theory (books, courses, scientific papers) and practice (Rust coding, problem-solving, implementation of crypto primitives).
We focus not on coding per se, but on the ability to discuss problems and solutions with colleagues, explain the code, and work in a team. The tasks gradually become more sophisticated and approach the real-life tasks of our engineers.
🔹 Basics 🔹
First, interns study the fundamentals: how cryptographic primitives work under the hood, why padding is used and what padding attacks are, how stream ciphers work, CTR bitflipping, the dangers of using IV == key, how hashes work, what's behind xor nonce, how RSA/DSA/ECDSA work, key exchange algorithms, side-channel attacks, Merkle tree usage, and other basics.
We use challenges from cryptopals.com and cryptohack.org, aimed at understanding the nature of common cryptographic implementation errors. All challenges should be written in Rust and go through a typical code review process.
At the end of this part, interns work on an implementation of an already known symmetric cipher in Rust, and their solution must pass test vectors (theoretical correctness) and be compatible with already known implementations of this cipher in Bouncy Castle and OpenSSL (practical correctness).
🔹 Real world crypto 🔹
Now, the real-world work starts. We introduce interns to the world of popular cryptographic libraries, help them make their first OSS contributions, and let them practice with our cryptographic library Themis, which provides a high-level crypto API in 14 languages.
By the end of the internship, the topics are getting closer to the cutting-edge crypto. We involve interns in the daily work of our cryptographers, such as ZKP, zk-SNARKs and blockchain privacy, private verifiable audit logs — they are reading the same whitepapers as we read and designing crypto modules with our team.
🔹 Teamwork skills 🔹
In addition to the cryptographic skills and coding, crypto engineers should be able to "emerge" from the academic world and communicate their thoughts to developers. Each specialist has their own background, and the ability to "translate" information into the language of other people is worth a lot.
We immerse interns in a world where they need to communicate with colleagues in pull requests, discuss problems, and design software in a team. Typical research work can be given as "read the paper, understand how the described technology works, analyze whether it is suitable for the given task, and explain to your fellow non-cryptographers".
As one of our interns said after his presentation: "There are no boring things in crypto" :)
🔹🔸 What's next? 🔸🔹
Our internship is currently undergoing closed beta testing. After finishing, we will adjust the program and, most likely, make the internship a public practice at Cossack Labs. Stay tuned!
And if you are interested in applied cryptography, here’s something I can recommend:
- read A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup, Serious Cryptography by Jean-Philippe Aumasson or Real-World Cryptography by David Wong
- enrol in Cryptography I (Coursera) or Applied Cryptography (Udacity)
- get through some of these awesome crypto papers
- and, certainly, follow our talks, blog, @Twitter, and dozens of NIST guidelines.
Also, you are welcome to look through our job openings and apply for a matching position if you are in Ukraine.
That's all. 👋 Say hi to me if you're interested in crypto!