Principal Security Architect

Description

Title: Principal Security Architect

Location: Concord, CA

Duration: 6 months

Work Engagement: W2

Work Schedule: Hybrid 3 days in office/2 days remote

Compensation: $70-75/hr is the pay range that the employer reasonably expects to pay for this position

Benefits on offer for this contract position: Health Insurance, Life insurance, 401K and Voluntary Benefits

Summary:

In this contingent resource assignment, you may: Consult on or participate in moderately complex initiatives and deliverables within Specialty Software Engineering and contribute to large-scale planning related to Specialty Software Engineering deliverables. Review and analyze moderately complex Specialty Software Engineering challenges that require an in-depth evaluation of variable factors. Contribute to the resolution of moderately complex issues and consult with others to meet Specialty Software Engineering deliverables while leveraging solid understanding of the function, policies, procedures, and compliance requirements. Collaborate with client personnel in Specialty Software Engineering. Required Qualifications: Specialty Software Engineering experience, or equivalent demonstrated through one or a combination of the following: work or consulting experience, training, military experience, education.

Key Responsibilities:

• MPC Protocol Implementation: Architect and implement high-performance threshold signature schemes (specifically DKLS23 or similar) for ECDSA key generation and signing.

• Confidential Computing Architecture: Design and build services that run inside Trusted Execution Environments (TEEs), specifically targeting AMD SEV-SNP and Intel TDX via Confidential Containers (CoCo).

• Attestation Framework: Implement the RATS (Remote ATtestation procedureS) architecture (RFC 9334) to ensure that no key share is released until the requesting node proves its hardware and software integrity to a Key Broker Service.

• Hardware Security Integration: Design "Cold Ceremony" workflows that integrate offline hardware tokens as offline Key Encryption Keys (KEKs) for disaster recovery and deep storage.

• Secure Enclave Development: Write and optimize memory-safe code (Rust/Go) that operates on key material exclusively within encrypted memory regions, ensuring zero leakage to the host OS or hypervisor.

• Policy-to-Cryptography Binding: Design mechanisms to cryptographically bind business logic approvals (e.g., WebAuthn assertions) directly to the MPC signing session, eliminating the gap between "approval" and "execution".

Key Requirements:

• Applicants must be authorized to work for ANY employer in the U.S. This position is not eligible for visa sponsorship.

• Systems Programming: 7+ years of experience in systems-level engineering, with expert proficiency in Go (for orchestration) and Rust (for cryptographic primitives).

• Applied Cryptography: Deep experience implementing Threshold Cryptography and Multi-Party Computation (MPC). You should be comfortable implementing papers like GG20 from scratch.

• Confidential Computing: Hands-on experience with TEE technologies, specifically Confidential Containers (CoCo), AMD SEV-SNP, or Intel SGX/TDX. You must understand attestation flows, measurements, and memory encryption.

• Attestation Standards: familiarity with the RATS architecture and components like Key Broker Services (KBS) and Attestation Services (AS).

• Secure Architecture: Experience designing "Defense-in-Depth" systems where infrastructure (Kubernetes/Cloud) is treated as untrusted.