Mathematician in computer security
After having spent almost twenty years as a researcher in the United States, in 2020, Marten van Dijk returned to the Netherlands to found and lead the Computer Security group at CWI Amsterdam. Since 2022, he has also been an endowed professor at VU Amsterdam for one day a week. ‘In the Netherlands, there are not that many people active in the field of computer security. By bringing in my international experience, I want to help make the best use of the scarce resources here.’
You hold Master’s degrees in both mathematics and computer science. How did that combination come about?
‘I have always been attracted to Mathematics. In high school, I had a subscription on the monthly magazine Pythagoras, and I used to participate in their Pythagoras Olympiad each month. I especially enjoyed solving complex puzzles that had a practical implication. At that time, computer science was an upcoming field. It was apparent that it would become a very important topic as a tool or method for every other science, and it was close to mathematical thinking. Since my father had completed multiple studies as well, for my family, it was not that strange to combine different courses.’
What kinds of topics have you been working on over the years?
‘My PhD I obtained in cryptology, which is a nice combination of the theoretical side of mathematics with the practice of computer science. After a short postdoc period in Hong Kong, I got a job as a research scientist at the digital signal processing group at Philips Research. There I became the lead inventor of the error correcting codes that are used in Blu-ray discs.
Philips offered the possibility to move to the US and work as a visiting scientist at MIT. This is where I got involved in processor architectures that offer strong security guarantees. Most notably, my collaboration with the group at MIT led to AEGIS, a secure processor architecture which ideas have been used in Intel SGX, and the introduction of the first circuit realisations of Physical Unclonable Functions. Chips contain a heartbeat in the form of an internal clock mechanism and to a large extent this eliminates timing errors in digital computation. However, by reading out analog signals, you get a unique fingerprint of that specific chip due to manufacturing process errors that cause unique timing differences for the chip. This can be used for security such as device identification and authentication.
After a short period in American industry, I returned to MIT to work on oblivious RAM, which led to a test-of-time award. Then I transferred to the University of Connecticut, where I worked at the faculty of Electrical and Computer Eengineering mostly on hardware security. We studied hardware Trojans, continued secure processor architecture research, work on physical unclonable functions and at large cyber physical systems security.
All in all, over the years I have gained broad experience in the field of security, ranging from theoretical computer science to software engineering and the hardware side of it.’
Why did you decide to move back to the Netherlands?
‘During my time in Connecticut, I regularly came back for longer periods of vacation in the Netherlands and finally a sabbatical year at CWI. For personal reasons, I eventually decided to come back for good. At that time, CWI was searching for a new group leader in the field of computer security, which was a perfect match.’
What are you working on at CWI?
‘I have always remained a mathematician at heart. I like the algorithmic aspect of computer science; providing proofs that something works, and developing relatively simple tricks to improve performance. In my final years in Connecticut, I shifted somewhat towards machine learning. There is still a lot of fundamental science to be done in that field. Here, I am building further in that direction. One of the main questions my group here tries to answer is if secure computation is possible at all, and how security can go hand I hand with efficient use of computing resources.
We aim to be complementary to what happens elsewhere in the Netherlands, and explicitly look for topics that are not addressed yet by other groups. That is one of the reasons we recently stepped into database security, for example. The Netherlands is a small country in which not that many people are working on computer security. So, we have to be smart in what we spend our scarce resources on.’
You are representing the cyber security community in IPN. What is your mission for the Dutch cyber security field?
‘I want to use my experience to help colleagues in the Netherlands to extend their networks and gain more visibility for the field, both on a national and an international level. I especially like to help young colleagues establish a career and advance our knowledge of computer security. What struck me here, is that in the Netherlands, most research funding is not free from politics. When applying for funding, you need to find strategic-political support as well.
When I came back here, I was asked to help erect ACCSS, the association for scientists from all Dutch universities who are active in the field of cyber security, ranging from computer scientists to philosophers and legal researchers. ACCSS is organised in a variety of working groups. It was a logical step to turn the Special Interest Group Cyber Security from IPN into one of the working groups of ACCSS as well.
One of the topics that is close to my heart, is the co-funding from industry that is often required when you are applying for funding here. In the field of cyber security, that is often impossible, since there is virtually no cyber security industry here. I think IPN and ACCSS should join forces and lobby for calls that do not require co-funding by companies. Computer security is still an upcoming field in desperate need for more fundamental research. Especially in the field of security, it is imperative that researchers stay independent and are provided with the freedom to work on curiosity driven research. If anything, history has proven that if you really want to make an impact, you need to explore the more risky routes. Most of them will probably turn into a dead end, but the ones that don’t quite often result in the most valuable findings.
Finally, I think IPN is very important for streamlining computer science education. For example, the cyber security community is now trying to establish more exchange of best practices, and to make courses available open source, in order to learn from each other. The educational burden is way too high to allow for double work. Especially in a field like ours, which is extremely relevant and does not have too many people working on it, we need to use our time and intelligence wisely.’