What is a typical path for those who want to follow this as a career? Is it mostly PhDs in academia? Or governments? Or industries? How do they fall as a distribution?
I worked on the Windows crypto team for a few years. Learned a ton about this area. Most of the work, however, is plumbing. Only a tiny fraction of crypto work is actually on algorithms and that’s mostly performance related.
The interesting thing about Crypto performance tuning is that you really have to ensure that no logical path does a different amount/kind of work than another(i.e. no short circuiting). I used to not think much of it until I saw an RSA private key recovered via acoustic analysis of capacitor whine due to a short circuit condition in a function to multiply two large numbers.(this was using a recent release of openssl) To my knowledge no other area of programming really has this pitfall
If this "I saw" has any further public details, I'd absolutely love to learn more, and I'm pretty sure others would as well.
In particular, I'm especially interested in electrical or real-world attacks - such as capacitor whine! - that can be applied a weakened security situations like asymmetric logic/branching. I vaguely recall CPU voltage fuzzing is a thing, I want to go learn more about that at some point.
I couldn't find the specific lecture/demo that I went to, but I found a video by the same guy with a similar presentation elsewhere. Coincidentally he's also one of the researchers who published the original paper on Meltdown
For the crypto itself, yes. These colleagues had specialized at university and studied afterwards. For the plumbing portions, it’s mostly excruciatingly detail oriented bit manipulation combined with standard windows kernel / core development. I also read a LOT of RFCs.
Most people with full-time crypto jobs have graduate degrees in cryptography. FAANG-type tech giants hire single-digits crypto people per year. What we did at the NCC Cryptography Services practice (a team of non-PhDs working almost entirely on offensive crypto) was pretty anomalous --- and that team is now led by Thomas Pornin, who has a graduate degree in cryptography. :)
Followup: I was asked offline, with a bunch of counterexamples, whether you need to go to school to be good at crypto. I want to be clear that I'm offering career advice here, not technical advice. For the record, I have something like 2 credit hours towards an LAS bachelors from 1995 and nothing else. :)
It's just my observation that people with full-time jobs in cryptography all (with some exceptions that I think prove the rule) have graduate crypto degrees. I'll venture a guess: there are more crypto PhD's interested in jobs in industry than there are full-time crypto jobs in the industry to give them.
I think people probably underestimate just how specialized serious cryptography is as a practiced skill in the industry.
(Also: I mean "crypto" as in "cryptography". Lord knows what's going on in the Monero mines.)
Edit: see tptacek’s reply. He knows that corner of the world far better than I do.
From my external observation there are two main career paths: the math side and the coding side (djb does both, but he’s djb).
For the math side, a PhD is the most likely path to break in. If you are some kind of autodidact genius and were to publish a theoretical attack on an important crypto system, you could probably get involved without a PhD.
On the coding side apparently the best way to break into writing secure code is to first break insecure code+. I don’t know if this is a reasonable filter or not, but it seems to exist. Some people are perfectly happy to stay on the break code side of things and never move to the write code side. If you think you might like this sort of thing check out the cryptopals ctf that should be floating around.
+ meaning find a side channel, some place where a nonce is reused, etc, etc. If you find a way to factor quickly in a particular ECC ring that’s the prior paragraph.
Software security people do not generally move into full-time cryptography jobs --- or, for that matter, test much cryptography at all (more's the pity). The people who code crypto generally have crypto degrees.
I don't know if there is a typical career path here. I work in this space and see people from all over.
Working on the math side of it really does require a PhD and several published papers.
Working on the implementation requires mostly a healthy sense of paranoia and willingness to really pay attention to the details. After that it really is about experience, practice and lots and lots of code review.
If you think you're interested in doing this and you're in the NYC area, I would be happy to chat with you. We do have a few openings. I have contact info in my profile.
I have a graduate degree in mathematics and my field of study is cryptography. I will echo what another commenter said about there being more cryptographers than there are positions available in industry to work on "hard" cryptography. As a result, approximately all cryptographers - both applied and theoretical - have graduate degrees. Successful cryptographers without such degrees (like Moxie Marlinspike) are extraordinarily rare.
There are basically three sectors which will hire people to predominantly work on cryptography.
1. First and foremost you have academia and the public sector. You can try to get tenure at a university or you can join the NSA. This has a healthy mix of applied and theoretical work.
2. Second you can join an industrial research lab. The biggest ones are Microsoft Research, IBM Research, Galois Inc and Google Research. For the most part you'll be working on publishable research with an eye towards things that can be shipped in some way. Isogeny cryptography originally came out of Microsoft in the early 2000s and Craig Gentry (the person who invented the first working example of fully homomorphic encryption) now works at IBM.
3. Third you can join a security consulting firm which is either focused on cryptanalysis or which has a division dedicated to it. The most well known in this arena would be NCC Cryptography Services, Riscure and Cryptography Research (now a division of Rambus).
This is kind of a continuum. You won't get tenure as an academic researcher without a PhD and it will be hard to get into the NSA without one as well. Likewise the top industrial research labs only rarely hire people without PhDs to be research scientist (though it can and does happen). It is comparatively easier to work in cryptography in the consulting industry: I know several people working in side channel research at Riscure who have "only" an MSc, and NCC employs consultants in Cryptography Services who don't have an MSc or PhD.
If you're interested in cryptography as a career path, the most valuable way to pursue that is to be someone with a graduate degree in mathematics who has significant expertise in implementation, performance and cryptanalysis. In particular it's very lucrative to be competent in side channel analysis and hardware optimization. With the exception of speculative blue sky research projects like indistinguishability obfuscation, multiparty computation, homomorphic encryption and post-quantum public-key cryptography, most work to actually be done is in implementation, implementation auditing and implementation optimization. We already have secure designs for most common use cases in AES and ChaCha; working on verifying a given implementation or removing the ways mistakes can be made is much more important.
If you are interested in the boring part, so not how algorithms are invented and implemented, but more on the real world usage, I have written a blog "Commercial Cryptographic Key Management in 2018", where I am explaining a little bit about the hardware, people and processes behind it.
https://www.malgregator.com/key-management.html
