Lorena Ronquillo


KEA - Københavns Erhvervsakademi
Guldbergsgade 29N
DK-2200 Copenhagen, Denmark

lorr (at) kea (dot) dk

Short Bio

I have been an associate professor (lektor, in Danish) at KEA - Copenhagen School of Design and Technology (KEA Københavns Erhvervsakademi) since 2022, currently specializing in the areas of software security and cryptography.

Previously, I was an assistant professor (adjunkt, in Danish) from 2016. From 2013 to 2015 I worked as a postdoc at the DemTech project, led by Carsten Schürmann, at the IT University of Copenhagen (ITU), in Denmark. My research there focused on cryptography applied to e-voting. I did my M.Sc. and also obtained my Ph.D at the Universitat Autònoma de Barcelona, working on coding theory and data-hiding (steganography) under the supervision of professor Josep Rifà i Coma. During my Ph.D studies I was also a visiting researcher at the University College Dublin in Ireland, under the supervision of professor Gary McGuire.

Before that, and right after I finished my Computer Science Engineering degree at the Universitat Autònoma de Barcelona (UAB), I worked as a software developer, first at Thales Group and then at the Spanish National Certification Notarial Agency.

If you wish to get a copy of my CV, please contact me. I also invite you to visit my LinkedIn profile.

Publications
  • O. Bélanger, R. Markussen, L. Ronquillo, C. Schuermann, Framing Electoral Transparency: A Comparative Analysis of Three E-vote Counting Ceremonies. 24th World Congress of Political Science. July 2016. pdf
  • L. Ronquillo, Preserving voter's privacy with homomorphic encryption. poster
  • R. Markussen, L. Ronquillo, C. Schuermann, Trust in Internet Election: Observing the Norwegian Decryption and Counting Ceremony. Proceedings of the 6th International Conference on Electronic Voting 2014 (EVOTE2014). October 2014. pdf
  • H. Rifà-Pous, J. Rifà, L. Ronquillo, Z2Z4-additive perfect codes in Steganography, Advances in Mathematics of Communication (AMC), DOI:10.3934/amc.2011.5.425, vol. 5(3), pp. 425–433, August 2011, Shandong (China). pdf
  • J. Rifà, L. Ronquillo, Construction of new completely regular Z2Z4-linear codes from old, Proceedings of the 7th International Workshop on Coding and Cryptography 2011 (WCC2011), Ed. D. Augot, A. Canteaut, pp. 71–79, April 2011, Paris (France). pdf
  • J. Rifà, L. Ronquillo, Product Perfect Z2Z4-linear codes in steganography, Proceedings of the 2010 International Symposium on Information Theory and its Applications (ISITA2010), pp. 696–701, October 2010, Taichung (Taiwan). pdf
  • H. Rifà-Pous, J. Rifà, L. Ronquillo, Perfect Z2Z4-linear codes applied to steganography, Proceedings of the VII Jornadas de Matemática Discreta y Algorítmica (JMDA2010), Ed. D. Sadornil, D. Gómez, F. Santos, pp. 553–564, July 2010, Universidad de Cantabria, Cantabria (Spain).
  • J. Pujol, J. Rifà, L. Ronquillo, Construction of Additive Reed-Muller Codes, Lecture Notes in Computer Science, 18th Symposium on Applied algebra, Algebraic algorithms, and Error Correcting Codes (AAECC2009), Springer Berlin, vol. 5527, pp. 223–226, June 2009, Heidelberg (Germany). pdf
  • J. Rifà, L. Ronquillo, About the Z4-linear Reed-Muller ZRM^-(r,m-1) and RM_s(r,m) codes, Proceedings of the VI Jornadas de Matemática Discreta y Algorítmica (JMDA2008), Ed. J. Conde, J. Gimbert, J.M. Miret, R. Moreno, M. Valls, Edicions i publicacions de la UdL, pp. 517–526, July 2008, Lleida (Spain). pdf
Ph.D thesis
  • L. Ronquillo. On additive binary nonlinear codes and steganography. PhD thesis, UAB, 2012. Further information on the defense, abstract and full text can be found here.
Latest public presentations
  • Digital Lead Insight: in Nov. 2022 I presented a webinar on securing the software supply chain at Digital Lead, which is Denmark's national cluster for digital technologies. The slides can be found here.
  • Summer School in Cyber Security 2022: Organization of the school in collaboration with the Center for Cyber Security, Cyber Hub, Digital Lead, and several other educational and research institutions from Denmark (KEA, DTU, SDU, AAU, ITU, KU). Addressed to both national and international professionals and cybersecurity students. My own contribution to the programme was a session on security of software supply chain.
  • IT Security Summer Camp 2022: Erasmus summer camp held in Howest University of Applied Sciences (Belgium) and organized in collaboration with the University of Salford in Manchester (UK), the French engineering school ESIEA, and Hogeschool van Amsterdam (Netherlands). My own contribution to the summer camp programme was a session on threshold cryptography and key management.
  • Digital Tech Summit 2021: this is the largest academic-based technology and business event in the Nordic countries, which annually gathers people from companies, academia and students within the IT community, both from Denmark and abroad. In particular, I participated in a panel debate, discussing the state of cyber security in Danish companies with other practitioners from academia and industry.
  • CyberSecurity Days 2020: participation in a two-day cybersecurity seminar to promote IT security in Denmark. The event was funded by the Centre for Cybersecurity of the Ministry of Defence and held as a collaboration among Danish educational and research institutions (AAU, AU, CBS, DTU, ITU, KEA, and SDU). My own contribution was a session on cryptography applied to e-voting. The recording is publicly available here.
  • Summer School in Cyber Security 2020: Organization of the school, in collaboration with the Center for Cyber Security and several other institutions from Denmark. Addressed to both national and international professionals and cybersecurity students. My own contribution to the programme was a session on cryptographic primitives used in electronic elections.
Courses I've taught

I can share teaching materials and detailed course descriptions upon request.

  • Fall 2022: teaching Introduction to IT Security in the AP degree in Computer Science (Datamatiker, in Danish), and the courses Applied Cryptography (Anvendt Kryptografi, in Danish) and Security Engineering (Softwaresikkerhed, in Danish) at the professional bachelor (PBA) in IT Security at KEA, Denmark. A curated list of the external resources and materials I use for the courses can be found here.
  • Spring 2022, Fall 2021: teaching Applied Cryptography and Security Engineering at the PBA in IT Security, at KEA, Denmark.
  • Spring 2021: teaching Networks and Communications Security (Netværks- og kommunikationssikkerhed in Danish) at the Diploma in IT Security, and the courses Applied Cryptography and Security Engineering at the PBA in IT Security at KEA, Denmark.
  • Fall 2020: teaching the course System Integration at the PBA in Software Development, and the courses Applied Cryptography and Security Engineering at the PBA in IT Security at KEA, Denmark.
  • Spring 2020: teaching Applied Cryptography at the PBA in IT Security at KEA, Denmark.
  • Spring 2019: teaching Introduction to IT Security at the PBA in IT Security at KEA, Denmark.
  • Fall 2018: teaching the courses Introduction to Cryptography, Discrete Mathematics, Research and Dissemination at the PBA in Software Development, and the course Applied Cryptography at the PBA in IT Security at KEA, Denmark.
  • Spring 2018: teaching the courses Introduction to IT Security, and Applied Cryptography at the PBA in IT Security, and the courses Introduction to Cryptography and Research and Dissemination at the PBA in Software Development at KEA, Denmark.
  • Fall 2017: teaching Introduction to IT Security at the PBA in IT Security, and the courses Research and Dissemination and Introduction to Cryptography, both at the PBA in Software Development at KEA, Denmark.
  • Spring 2016: teaching the courses Development of Large Systems and Systems Integration at the PBA in Software Development at KEA, Denmark.
  • Autumn 2015: teaching, together with Troels Bjerre Sørensen, the course Foundations of Computing - Discrete Mathematics, within the M.Sc. in Software Development and Technology and the bachelor in Software Development at ITU, Denmark.
  • Spring 2015: two guest lectures on cryptography and e-voting systems (see slides here) at the course System Architecture and Security, within the M.Sc. in Software Development and Technology at ITU, Denmark.
  • Fall 2014: teaching, together with Marco Carbone, the course Foundations of Computing - Discrete Mathematics, within the M.Sc. in Software Development and Technology and the bachelor in Software Development at ITU, Denmark.
  • Fall 2013: course manager of the course Foundations of Computing - Discrete Mathematics within the M.Sc. in Software Development and Technology at ITU, Denmark.
  • 2011: teaching assistant at the course Information Theory within the degree in Computer Science Engineering at UAB, Spain.
  • 2008, 2009, 2010: teaching assistant at the course Graphs theory and Complexity within the Computer Science Engineering degree at UAB, Spain.
  • 2007: teacher of the Graphs theory and Complexity course within the Technical Engineering in Computer Science degree at UAB, Spain.
(Selected) bachelor thesis supervisions
  • Phishing: problemet, muligheder og awareness by Daniel Silas Rauch, David Alexander Bo Jacobsen and Lasse Flotin Jensen, in collaboration with the non-profit organization Dansk Ungdoms Fællesråd. Spring 2022.
  • Forecast - Hubspot integration by Cristina Doroftei, in collaboration with the company Forecast. Spring 2022.
  • Sikkerheden på Publikumsnettet by Victor Krogsgaard Franck in collaboration with Koncert IT and Københavns Kommune. Fall 2021.
  • Ethical hacking by Iman El-Sayed and Usama Shoaib Manzoor. Fall 2021.
  • Implementering af Microsoft 365 E5 Security - En gennemgang af produktets teknologier og funktioner by Mikkel From Heerfordt, in collaboration with the company Grant Thornton. Fall 2021.
  • OS hardening and automation by Marcus Melcher Elmgreen, Mohammed Hejjo, and Patrick Sirich, in collaboration with the Danish company Topdanmark. Spring 2021.
  • MITRE ATT&CK vs QRadar by Johan Sandgren Stenbøg in collaboration with the company SecureDevice A/S. Spring 2021.
  • A modern approach to DevOps by Marcin Zelent, in collaboration with the company ArchitectureQuote. Spring 2020.
  • Building time management and invoice feature for web application using React and Linear API by Malgorzata Joanna Wójcik, in collaboration with the Dutch company Angry Bytes. Spring 2020.
  • The transition from monolithic to microservices by Jakob Waldemar Olsen and Jasper Ardjuna Hessellund, in collaboration with the company Block by Block ApS. Fall 2019.
  • OSINT by Andreas Anton, in collaboration with the company CERTA Intelligence & Security A/S. Spring 2016.
  • Aditum: a password manager by Lasse Borly. Spring 2016.
  • Implementing Elliptic Curve Cryptography for .NET by Niels Roesen Abildgaard, spring 2014. Co-supervised with Carsten Schuermann.
  • Electronic Voting System by Andreas Precht Poulsen, Mark Thorhauge and Mikkel Hvilshøj Funch, spring 2014. Co-supervised with Fabrizio Montesi.
External examiner
I am part of the body of external examiners (censor, in Danish) in Computer Science in business academies (erhvervsakademier) and was also, until 2022, part of the one for universities, for both individual courses and bachelor project exams.
Interests

My current interests are focused on application security (a.k.a. appsec) and the broader field of DevSecOps, involving all the security activities and tests that can be incorporated in the different stages of the SDLC and in many cases also automated within the CI/CD pipeline. I have experience using threat modeling tools like OWASP Threat Dragon, SAST tools like SonarQube, DAST tools like Burp Suite, SCA tools like Retire.js, and acceptance security testing tools like Gauntlt, among others. I am especially interested in software supply chain hardening, including container security through best practices and vulnerability scanners like Grype or Trivy, as well as newer initiatives like the introduction of SBOM through SBOM generator tools like Syft, and security frameworks like SLSA. A lot is going on in the software supply chain security landscape and I find it promising and fascinating.

I'm also currently interested in the area of applied cryptography, with a focus on the secure implementation of cryptographic primitives and security protocols. From the courses I've been teaching, I've gained experience using cryptographic libraries such as PyNaCl, which is a Python binding of libsodium (which is in turn a fork of the well-known NaCl library), and the PyCryptodome library, which is a fork of the old PyCrypto, improved with regard to secure defaults. From my past software development and consulting professional experiences I'm also comfortable using the Bouncy Castle Crypto API.

I have always enjoyed teaching and knowledge-sharing in general: from designing the training materials and hands-on assignments, to connecting with the students/audience, acknowledging their background and previous professional experiences and understanding their needs, challenges and potentially different learning styles, while creating a comfortable and engaging environment for all the participants to acquire relevant skills and competences. A list of courses and public speaking events I've been involved in can be found under the Teaching tab.

My past research career encompassed areas like cryptography (in particular, zero-knowledge proofs, commitment schemes), e-voting (everlasting privacy, secret sharing, coercion-freeness), data-hiding (steganography), and coding theory (Z4-linear codes, nonlinear codes, perfect codes, syndrome coding problem). A list of publications can be found under the Research tab.

Cybersecurity consulting tasks

In 2014 I was part of the evaluation committee of the vVote electronic voting system, developed by the Victorian Electoral Commission, Australia.

Our evaluation included a security assessment of the software implementation, with both manual and automated source code reviews; a review of the implementation of cryptographic components (mix-net, non-interactive zero-knowledge proofs of knowledge, elliptic curve and threshold encryption, randomization); a remediation guidance of the issues identified; and a risk analysis.

Our report can no longer be accessed online but I can share it upon request.