top row, left to right: Ueli Maurer, Phillip Rogaway, Martin Hirt, Vassilis Zikas

middle row, left ro right: Christian Badertscher, Sandro Coretti, Grégory Demay, Robert Enderlein, Daniel Jost

bottom row, left to right: Christian Matt, Pavel Raykov, Björn Tackmann, Daniel Tschudi

## Recent Research Highlights

**Generic equivalence of breaking RSA and factoring.**A long-standing open problem in cryptography is whether breaking the RSA cryptosystem is as hard as factoring the modulus, or whether it is potentially much easier. It is proved in [AM09] that breaking RSA and factoring are equivalent in a generic model of computation. Any generic algorithm for breaking RSA can be transformed into a factoring algorithm.**Efficient symmetric cryptography under very weak assumptions.**In contrast to the standard notion of a pseudo-random function (PRF), which is indistinguishable from a random function for a computationally-bounded adversary asking arbitrarily many queries (within its running time constraint), the new notion of an s-query weak PRF was introduced in [MT08]. Such a function need only be secure against an adversary who obtains a fixed number s (e.g. s=2) of input-output pairs and, moreover, the inputs are random (not chosen). It is shown that provably-secure encryption can be obtained from an s-query weak PRF essentially as efficiently as from a full-fledged PRF.**Quantum cryptography -- revisited.**Quantum cryptography has been advocated as being provably secure based only that the laws of quantum mechanics are correct. It was shown in [AKMR07] that, contrary to the established security proofs in quantum cryptography, there are provably-secure key agreement schemes which can be broken. While a generated key is indeed provably secure, its security is potentially lost when it is used. This shows that the traditional security definition is too weak. The flaw is due to a locking property of the notion of accessible information in quantum physics: one additional (physical) bit of information can increase the accessible information by more than one bit. This problem was solved in [Ren05] where the right security definition for quantum key distribution is stated and a new framework for proving the security is proposed.

You can also browse our Research highlights, Search engine for publications, and List of available publications.