
    Extended Affine and CCZ Equivalence up to Dimension 4

    For all vectorial Boolean functions up to dimension 4, we present canonical representatives for all extended affine (EA) and CCZ equivalence classes. We include the size of each class, as well as its algebraic degree and extended Walsh spectrum. We also answer the following questions: How large are these classes? Which of these classes contain bijective functions? And how are these classes grouped into CCZ equivalence classes?

    Flight/Migration and Local School Governance. A Comparative Case Study in Municipalities of Baden-Württemberg

    "I don't know why I check this…" Investigating Expert Users' Strategies to Detect Email Signature Spoofing Attacks

    OpenPGP is one of the two major standards for end-to-end email security. Several studies have shown that serious usability issues exist with tools implementing this standard. However, a widespread assumption is that expert users can handle these tools and detect signature spoofing attacks. We present a user study investigating expert users' strategies to detect signature spoofing attacks in Thunderbird. We observed 25 expert users while they classified eight emails as either having a legitimate signature or not. Studying expert users explicitly gives us an upper bound on the attack detection rates of all users dealing with PGP signatures. 52% of participants fell for at least one out of four signature spoofing attacks. Overall, participants did not have an established strategy for evaluating email signature legitimacy. We observed our participants apply 23 different types of checks when inspecting signed emails, but only 8 of these checks tended to be useful in identifying the spoofed or invalid signatures. In performing their checks, participants were frequently startled, confused, or annoyed by the user interface, which they found supported them little. All these results paint a clear picture: even expert users struggle to verify email signatures, usability issues in email security are not limited to novice users, and developers may need proper guidance on implementing email signature GUIs correctly.

    Finite Energy Solutions in Three-Dimensional Heterotic String Theory

    We show that a large class of supersymmetric solutions to the low-energy effective field theory of heterotic string theory compactified on a seven-torus can have finite energy, which we compute. The mechanism by which these solutions are turned into finite energy solutions is similar to the one occurring in the context of four-dimensional stringy cosmic string solutions. We also describe the solutions in terms of intersecting eleven-dimensional M-branes, M-waves and M-monopoles. Comment: 23 pages, LaTeX.

    U-duality and M-Theory

    This work is intended as a pedagogical introduction to M-theory and to its maximally supersymmetric toroidal compactifications, in the frameworks of 11D supergravity, type II string theory and M(atrix) theory. U-duality is used as the main tool and guideline in uncovering the spectrum of BPS states. We review the 11D supergravity algebra and elementary 1/2-BPS solutions, discuss T-duality in the perturbative and non-perturbative sectors from an algebraic point of view, and apply the same tools to the analysis of U-duality at the level of the effective action and the BPS spectrum, with a particular emphasis on Weyl and Borel generators. We derive the U-duality multiplets of BPS particles and strings, U-duality invariant mass formulae for 1/2- and 1/4-BPS states for general toroidal compactifications on skew tori with gauge backgrounds, and U-duality multiplets of constraints for states to preserve a given fraction of supersymmetry. A number of mysterious states are encountered in D<=3, whose existence is implied by T-duality and 11D Lorentz invariance. We then move to the M(atrix) theory point of view, give an introduction to Discrete Light Cone Quantization (DLCQ) in general and DLCQ of M-theory in particular. We discuss the realization of U-duality as electric-magnetic dualities of the Matrix gauge theory, display the Matrix gauge theory BPS spectrum in detail, and discuss the conjectured extended U-duality group in this scheme. Comment: 132 pages, 37 tables, LaTeX2e; v3: minor corrections, text reformatted, update of refs, note added about boundaries of M-theory moduli space, final version to appear in Phys. Rep.

    Outcome after intracranial hemorrhage under dabigatran and reversal with idarucizumab versus under vitamin-K-antagonists – the RIC-ICH study

    Background: Intracranial hemorrhage (ICH) is a rare but serious side effect associated with the use of oral anticoagulants, such as dabigatran. The specific reversal agent for dabigatran, idarucizumab, is available for the management of individuals with ICH. The aim of this study was to provide real-world evidence on patients with ICH under effective treatment with dabigatran and reversal with idarucizumab in clinical routine, compared to those under effective treatment with a vitamin-K-antagonist (VKA).
    Methods: Registration of Idarucizumab for Patients with IntraCranial Hemorrhage (RIC-ICH) is a non-interventional study conducted in 22 German stroke units that prospectively enrolled dabigatran patients treated with idarucizumab. Retrospective data from VKA patients served as the reference population. The main objective was in-hospital mortality. Further objectives included change in bleeding volume, stroke severity, and functional status.
    Results: In-hospital mortality was 26.7% in 15 dabigatran and 27.3% in 88 VKA patients (hazard ratio 1.00, 95% CI 0.29–2.60). In patients with bleeding volume > 60 ml, mortality was lower in the dabigatran group (N = 6, 33%) compared to the VKA group (N = 15, 67%; HR 0.24, 95% CI 0.04–0.96). No differences were observed in secondary endpoints between dabigatran and VKA patients.
    Conclusion: These results, based on data from routine clinical practice, suggest that in-hospital mortality after idarucizumab treatment is comparable to that in patients pretreated with VKA. Due to the low precision of the estimates, the results must be interpreted with caution.

    Leaky McEliece: Secret Key Recovery From Highly Erroneous Side-Channel Information

    The McEliece cryptosystem is a strong contender for post-quantum schemes, including key encapsulation for confidentiality of key exchanges in network protocols. A McEliece secret key is a structured parity check matrix that is transformed via Gaussian elimination into an unstructured public key. We show that this transformation is a highly critical operation with respect to side-channel leakage. We assume leakage of the elementary row operations during Gaussian elimination, motivated by actual implementations of McEliece in real-world cryptographic libraries (Classic McEliece and Botan). We propose a novel algorithm to reconstruct a secret key from its public key with information from a Gaussian transformation leak. Even if the obtained side-channel leakage is extremely noisy, i.e., each bit can be flipped with probability as high as τ ≈ 0.4, our algorithm still succeeds in recovering the secret key in a matter of minutes for all proposed (Classic) McEliece instantiations. Remarkably, for high-security McEliece parameters, our attack is more powerful in the sense that it can tolerate even larger τ. Technically, we introduce a novel cryptanalytic decoding technique that exploits the high redundancy exhibited in the McEliece secret key. This allows our decoding routine to reconstruct each column of the secret key successively. Our result stresses the necessity to properly protect highly structured code-based schemes such as McEliece against side-channel leakage.

    Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)

    Diffie-Hellman key exchange (DHKE) is a widely adopted method for exchanging cryptographic key material in real-world protocols like TLS-DH(E). Past attacks on TLS-DH(E) focused on weak parameter choices or missing parameter validation. The confidentiality of the computed DH share, the premaster secret, was never questioned; DHKE is used as a generic method to avoid the security pitfalls of TLS-RSA. We show that due to a subtle issue in the key derivation of all TLS-DH(E) cipher suites in versions up to TLS 1.2, the premaster secret of a TLS-DH(E) session may, under certain circumstances, be leaked to an adversary. Our main result is a novel side-channel attack, named the Raccoon attack, which exploits a timing vulnerability in TLS-DH(E), leaking the most significant bits of the shared Diffie-Hellman secret. The root cause of this side channel is that the TLS standard encourages non-constant-time processing of the DH secret. If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem. The Raccoon attack takes advantage of uncommon DH modulus sizes, which depend on the properties of the hash functions used. We describe a fully feasible remote attack against an otherwise-secure TLS configuration: OpenSSL with a 1032-bit DH modulus. Fortunately, such moduli are not commonly used on the Internet. Furthermore, with our large-scale scans we have identified implementation-level issues in production-grade TLS implementations that allow for executing the same attack by directly observing the contents of server responses, without resorting to timing measurements.