Security Group PhD Guide

PhD students that join in the Security Group have very different educational backgrounds. While the Computer Science PhD programme in Cambridge has no formal course requirements, there is a range of skills and areas of knowledge that every research student should aim to acquire during their first year. This includes, in particular, many skills not directly related to your planned specific topic of research, but that will help you to understand and participate in discussions about the research of colleagues, and that you are likely to require in your future work as a computer-security professional.

We encourage every new student to acquire (or refresh) good knowledge, practical experience, and insight into the topics described here. The provided references have been considered particularly helpful by members of the security group.

Also have a look at the Guide for PhD Candidates at Cambridge Computer Lab.

Best bookmark this page and read it again in a few weeks when the dust has settled.

Bibliographic research

Make yourself familiar with the facilities of the Computer Laboratory Library, the Moore Library (DAMPT), the Scientific Periodicals Library (Arts School, New Museums Site), the University Library (West Road), and the Cambridgeshire Central Library (Corn Exchange Street, holds BS/ISO standards).

Learn how to find information using bibliographic databases such as the Science Citation Index, which is available to you via BIDS, for which you get a password in the SPL.

Also learn to use Internet search engines such as AltaVista and Computer Science reference collections such as The Collection of Computer Science Bibliographies.

Dedicate at least two days per month to browsing in the Scientific Periodicals Library through the various Computer Science journals (ACM, IEEE, etc.) in order to stay in touch with recent developments in your field. You should also read all new issues of the Computer and Communications Security Reviews, which are edited by security group members.

In order to stay in touch with the most recent developments in computer security, you should especially have a look every year through the proceedings of the major conferences in the field. These are especially the IEEE Symposium on Security and Privacy, the USENIX Security Symposium, and the conferences on Advances in Cryptology (CRYPTO, EUROCRYPT). You will also find very interesting and relevant contributions in the proceedings of the Fast Software Encryption Workshop, the USENIX Workshop on Electronic Commerce, the USENIX Workshop on Smartcard Technology, the Information Hiding Workshop, the Protocols Workshop, and a number of other events. All of these proceedings are available in Cambridge Libraries. The Computer Laboratory Library archives all IEEE Computer Society and USENIX proceedings, and the University Library archives all Springer Lecture Notes in Computer Science.

Computer security and cryptography

Two books on general computer security that you should have read are

Gollmann is a comprehensive introduction in a broad range of topics, covering access control, security policies, cryptography, database security, and more. Garfinkel/Spafford is a more hands-on book with a lot of important and detailed security knowledge for system administrators. Another excellent computer security book is

It is a bit outdated regarding the latest developments in cryptology (and also out of print) but contains a very good introduction to more classic aspects of cryptography, and also has become a standard reference on database security.

Stewart Lee has recently provided for students of our group the Essays about Computer Security, a collection of his lecture notes, which are also recommended introductory reading.

Dieter Gollman also recomended as a good book

You probably also want to have read at least one of the following common introductory textbooks on modern cryptography:

Schneier is certainly the one most easy to read, but Stinson and Menezes/van Oorschot/Vanstone give a significantly better treatment of various theoretical foundations of cryptography.

You might also find it very helpful to get a good basic understanding of number theory and finite fields, as otherwise many discussions of protocols and attacks involving asymmetric cryptography will remain incomprehensible to you. A good and highly understandable book is

In addition to being easy to read (undergraduate maths level), this includes chapters on RSA and Elliptic Curves.

The following Cambridge lectures are particularly recommended unless you didn't take already equivalent courses:

You should also attend regularly the Tuesday seminars and Friday meetings of the security group, as well as the Wednesday seminars of the department.

Below is a list of classical papers that every computer security student should certainly be familiar with:

And here are a few selected papers that you are recommended to have read to learn a bit about what members of our group have done recently:

Further suggestions welcome!

Practical computer systems knowledge

Characteristic for the field of Computer Security is that almost all aspects of Computer Science are of immediate practical relevance, because the attacker must be assumed to have an equally broad knowledge and will try to find weaknesses in systems at all levels.

To gain a basic understanding of electronics and computer hardware, you should study at least chapter 1 of

and also browse through the introductory parts of chapters 2-5 and 8-12, depending on your level of interest (foundations, transistors, FETs, op-amps, filters, digital electronics, microcomputers).

You should make sure that you have some experience in at least one assembler language (Intel ix86 and Intel 8051 are particularly useful), and you should be able to understand the binary output of one of the compilers that you usually use.

You should be very proficient in at least two or three of the following higher programming languages: C, C++, Perl, Python, Ada, Java.

You should be familiar with common Unix tools, especially with bash, make, rcs, gdb, emacs, perl. You should also try to get some practical experience in Unix system administration, and a good and fun way to do this is to install and play around with Linux on your home PC.

You should be able to format documents in HTML and LaTeX. The best way of learning LaTeX is to read

You will most likely want to use LaTeX to format your thesis and it is also quite commonly used to prepare journal and conference contributions.

Computer networks

You should be familiar with the design of commonly used communication protocols such as the TCP/IP suite. If you have not visited a course on networking, then read for instance:

You should also be familiar with using security tools such as PGP and ssh.


If you are interested in doing any work with smartcards, then read

Markus Kuhn

created 1998-03-05 – last modified 2001-03-19 –