
    Firmware Insider: Bluetooth Randomness is Mostly Random

    Bluetooth chips must include a Random Number Generator (RNG). This RNG is used internally within cryptographic primitives but is also exposed to the operating system for chip-external applications. In general, it is a black box on which security-critical authentication and encryption mechanisms depend. In this paper, we evaluate the quality of RNGs in various Broadcom and Cypress Bluetooth chips. We find that the RNG implementation has changed significantly over the last decade. Moreover, most devices implement an insecure Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the weak fallback because they lack a Hardware Random Number Generator (HRNG). We statistically evaluate the output of various HRNGs in chips used by hundreds of millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests, users cannot tell whether a Bluetooth chip implements a secure RNG without an extensive analysis such as the one in this paper. We describe our measurement methods and publish our tools to enable further public testing.
    Comment: WOOT'2

    Searching for ELFs in the Cryptographic Forest

    Extremely Lossy Functions (ELFs) are families of functions that, depending on the choice made during key generation, either operate in injective mode or instead have only a polynomial image size. The choice of mode is indistinguishable to an outsider. ELFs were introduced by Zhandry (Crypto 2016) and have been shown to be very useful for replacing random oracles in a number of applications. One open question is to determine the minimal assumption needed to instantiate ELFs. While all constructions of ELFs depend on some form of exponentially-secure public-key primitive, it was conjectured that exponentially-secure secret-key primitives, such as one-way functions, hash functions or one-way product functions, might be sufficient to build ELFs. In this work we answer this conjecture mostly negatively: we show that no primitive which can be derived from a random oracle (which includes all secret-key primitives mentioned above) is enough to construct even moderately lossy functions in a black-box manner. However, we also show that (extremely) lossy functions themselves do not imply public-key cryptography, leaving open the option of building ELFs from some intermediate primitive between the classical categories of secret-key and public-key cryptography.

    Research on Evaluation in Switzerland: Status and Prospects

    For some time now, research dealing with evaluation has clearly intensified. This contribution aims to give an overview of research on evaluation in Switzerland, focusing on the what and how of that research rather than on its findings. To this end, research activities in selected fields of evaluation and on cross-field questions (such as demand or use) are described. The overview highlights the central importance of evaluation expertise: if it is recognized that evaluations require not only subject-matter expertise but also independent, evaluation-specific expertise, research on evaluation gains in standing.

    Zimbabwe’s land reform: challenging the myths

    Most commentary on Zimbabwe’s land reform insists that agricultural production has almost totally collapsed, that food insecurity is rife, that rural economies are in precipitous decline, that political ‘cronies’ have taken over the land and that farm labour has all been displaced. This paper, however, argues that the story is not simply one of collapse and catastrophe; it is much more nuanced and complex, with successes as well as failures. The paper provides a summary of some of the key findings from a ten-year study in Masvingo province and the book Zimbabwe’s Land Reform: Myths and Realities. The paper documents the nature of the radical transformation of agrarian structure that has occurred both nationally and within the province, and the implications for agricultural production and livelihoods. A discussion of who got the land shows the diversity of new settlers, many of whom have invested substantially in their new farms. An emergent group of ‘middle farmers’ is identified who are producing, investing and accumulating. This has important implications – both economically and politically – for the future, as the final section on policy challenges discusses.

    Novel targets and future strategies for acute cardioprotection: Position Paper of the European Society of Cardiology Working Group on Cellular Biology of the Heart

    Ischaemic heart disease and the heart failure that often results remain the leading causes of death and disability in Europe and worldwide. As such, in order to prevent heart failure and improve clinical outcomes in patients presenting with an acute ST-segment elevation myocardial infarction and in patients undergoing coronary artery bypass graft surgery, novel therapies are required to protect the heart against the detrimental effects of acute ischaemia/reperfusion injury. During the last three decades, a wide variety of ischaemic conditioning strategies and pharmacological treatments have been tested in the clinic; however, their translation from experimental to clinical studies for improving patient outcomes has been both challenging and disappointing. Therefore, in this Position Paper of the European Society of Cardiology Working Group on Cellular Biology of the Heart, we critically analyse the current state of ischaemic conditioning in both the experimental and clinical settings, provide recommendations for improving its translation into the clinical setting, and highlight novel therapeutic targets and new treatment strategies for reducing acute myocardial ischaemia/reperfusion injury.

    Single-to-Multi-Theorem Transformations for Non-Interactive Statistical Zero-Knowledge

    Non-interactive zero-knowledge proofs or arguments allow a prover to show the validity of a statement without further interaction. For non-trivial statements such protocols require a setup assumption in the form of a common random or reference string (CRS). Generally, the CRS can only be used for one statement (single-theorem zero-knowledge), so that a fresh CRS would need to be generated for each proof. Fortunately, Feige, Lapidot and Shamir (FOCS 1990) presented a transformation for any non-interactive zero-knowledge proof system that allows the CRS to be reused any polynomial number of times (multi-theorem zero-knowledge). This FLS transformation, however, is only known to work for computational zero-knowledge, or else requires a structured, non-uniform common reference string. In this paper we present FLS-like transformations that work for non-interactive statistical zero-knowledge arguments in the common random string model. They allow one to go from single-theorem to multi-theorem zero-knowledge and also preserve soundness, for both properties in the adaptive and non-adaptive case. Our first transformation is based on the general assumption that one-way permutations exist, while our second transformation uses lattice-based assumptions. Additionally, we define different possible soundness notions for non-interactive arguments and discuss their relationships.

    A Random Oracle for All of Us

    We introduce the notion of a universal random oracle. Analogously to a classical random oracle, it idealizes hash functions as random functions. However, as opposed to a classical random oracle, which is created freshly and independently for each adversary, the universal random oracle should provide security of a cryptographic protocol against all adversaries simultaneously. This should hold even if the adversary depends on the random function. This better reflects the idea that strong hash functions like SHA-2 and SHA-3 are fixed before the adversary decides upon an attack strategy. Besides formalizing the notion of the universal random oracle model, we show that the model is asymptotically equivalent to Unruh’s auxiliary-input random oracle model (Crypto 2007). In Unruh’s model the adversary receives some inefficiently computed information about the random oracle as extra input. Notably, while security in the universal random oracle model implies security in the auxiliary-input random oracle model tightly, the converse implication introduces an inevitable security loss. This implies that the universal random oracle model provides stronger guarantees in terms of concrete security. Validating the model, we finally show, via a direct proof with concrete security, that a universal random oracle is one-way.

    On Derandomizing Yao's Weak-to-Strong OWF Construction

    The celebrated result of Yao (FOCS'82) shows that concatenating $n \cdot p(n)$ copies of a weak one-way function (OWF) $f$, which can be inverted with probability $1 - \tfrac{1}{p(n)}$, yields a strong OWF $g$, showing that weak and strong OWFs are black-box equivalent. Yao's transformation is not security-preserving, i.e., the input to $g$ needs to be much larger than the input to $f$. Understanding whether a larger input is inherent is a long-standing open question. In this work, we explore necessary features of constructions which achieve short input length by proving the following: for any direct product construction of a strong OWF $g$ from a weak OWF $f$, which can be inverted with probability $1 - \tfrac{1}{p(n)}$, the input size of $g$ must grow as $\Omega(p(n))$. Here, direct product refers to the following structure: the construction $g$ executes some arbitrary pre-processing function (independent of $f$) on its input $s$, obtaining a vector $(x_1, \cdots, x_l)$, and outputs $f(x_1), \cdots, f(x_l)$. When setting the pre-processing to be the identity, one thus recovers Yao's construction. Our result generalizes to functions $g$ with post-processing, as long as the post-processing function is not too lossy. Thus, in essence, any weak-to-strong OWF hardness amplification must either (1) be very far from security-preserving, (2) use adaptivity, or (3) be very far from a direct-product structure (in the sense that the post-processing of the outputs of $f$ is very lossy). On a technical level, we use ideas from lower bounds for secret sharing to prove the impossibility of derandomizing Yao in a black-box way.
    Our results are in line with Goldreich, Impagliazzo, Levin, Venkatesan, and Zuckerman (FOCS 1990), who derandomize Yao's construction for regular weak OWFs by evaluating the OWF along a random walk on an expander graph – the construction is adaptive, since it alternates steps on the expander graph with evaluations of the weak OWF.
