Vashek
(Vaclav) Matyas
Vashek
(Vaclav) Matyas
Centre for Research on Cryptography and Security Faculty of Informatics Masaryk University Botanicka 68a 602 00 Brno - Czech Republic E-mail: LastName at fi.muni.cz Office hours: TBS for the Autumn 2026 semester.
Usable security with respect to both end-user and advanced users (e.g., developers or admins). Our article No Thumbs Up in Pictures! Experimental Fingerprint Forgery for Inexperienced Impostors brings some very interesting results on exposing computer science students to the art of fingerprint forgery and evaluating their results and perceptions. And more details on the first year of this effort are provided in a conference paper Fingerprint forgery training: Easy to learn, hard to perform. Our article Two-factor authentication time: How time-efficiency and time-satisfaction are associated with perceived security and satisfaction provides some very interesting results from the area of multifactor authentication methods usability. And our paper Investigating Installers of Security Software in 20 Countries: Individual-and Country-Level Differences brings some very interesting insights into. anti-malware software installation, motivation and other factors. We published some very interesting results about developers in our paper What Johnny thinks about using two-factor authentication on GitHub: A survey among open-source developers and other results in our study Usability Insights from Establishing TLS Connections at IFIP SEC 2022. Usability for end-users was a topic of our viewpoint article Even if users do not read security directives, their behavior is not so catastrophic in the Communications of the ACM, and also in an article Usable and secure? User perception of four authentication methods for mobile banking in the Computers & Security (Elsevier) journal. Our work in the second domain was presented in the extended version - Will You Trust This TLS Certificate? Perceptions of People Working in IT of our ACSAC 2019 paper, and related matters also in our paper Why Johnny the Developer Can't Work with Public Key Certificates: An Experimental Study of OpenSSL Usability at RSA Cryptographers' Track 2018. Work in the first domain brought interesting findings like Experimental large-scale review of attractors for detection of potentially unwanted applications in Computers & Security or A large-scale comparative study of beta testers and standard users in the Communications of the ACM.
Examination of security certification ecosystems, where we analyze certification ecosystems of Common Criteria and FIPS 140 security evaluation schemes. Our paper Chain of trust: Unraveling references among Common Criteria certified products (also available in pre-print here) shows how we built the graph of references among the Common Criteria certified products, determining the different contexts of references with a supervised machine-learning algorithm. We show that just a dozen of certified components are relied on by at least 10% of the whole ecosystem -- making them a prime target for malicious actors. Our tool sec-certs used for the analyses (and available through the web interface as well as in open source code) was first presented in our article sec-certs: Examining the security certification practice for better vulnerability mitigation.
International Journal of Information Security (Springer), where I'm member of the Editorial Board.
The Research, Development and Innovation Council (of Czech Republic).
My lectures in security/crypto here at the Masaryk
University: 
Information Security and Cryptography (PV080 - in English).
Authentication and Access Control (PV157 - taught in Czech - Autentizace a rizeni pristupu).
Applied Cryptography (PV079 - in English).
Advanced Topics in Information Technology Security (PA018 - in English).
Postgraduate Seminar on IT Security and Cryptography (PA168 - in English).
More information on these courses can be found through the university webpages on my courses, and our centre at FI.
Information for our students inquiring about supervision, support, etc. can be found at this page.
I gladly supervise PhD students Yasir Yakup Demircan, Katarina Galanska, Milan Patnaik, Vojtech Suchanek, and I had the great pleasure to work with my PhD graduates Milan Broz, Vit Bukac, Jan Jancar, Adam Janovsky, Filip Jurnecka, Dusan Klinec, Jan (Honza) Krhovjak, Agata Kruzikova, Marek Kumpost, Jiri Kur, Matus Nemec, Lukas Nemec, Martina Olliaro, Radim Ostadal, Vladimir Sedlacek, Vlasta Bukacova, Martin Stehlik, Andriy Stetsko, Petr Svenda, Martin Ukrop.
Analyzing outputs of crypto primites, where we analyzed outputs of various crypto primitives for their properties, primarily statistical ones. Our Journal of Cryptology paper A Bad Day to Die Hard: Correcting the Dieharder Battery is shared results of a side-effect of our work, and we brought some very interesting results in our Large-scale randomness study of security margins for 100+ cryptographic functions. We also analysed usage of crypto primitives in our SECRYPT 2022 paper A Longitudinal Study of Cryptographic API: A Decade of Android Malware Our results published at ESORICS 2020 in the paper Biased RSA private keys: Origin attribution of GCD-factorable keys complement those from our older paper The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli (ROCA) that received the Real-World Impact Award at the 2017 ACM CCS conference. Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans was presented at ACSAC 2017. Prior to that we published our RSA key fingerprinting findings as The Million-Key Question Investigating the Origins of RSA Public Keys won the best paper award at Usenix Security 2016. Check the previous link for additional resources to this paper, including an online key classification tool. Our work also includes examinations of statistical tests as such, involving also significant speed-up of NIST STS and interpretation of the tests. Other improvements are described (and algorithms provided) in Evolving boolean functions for fast and efficient randomness testing (paper at ACM GECCO 2018) and in Optimizing the NIST Statistical Test Suite and the Berlekamp-Massey Algorithm. Our paper Towards True Random Number Generation in Mobile Environments from NordSec 2009 (paper download), and earlier work with more experimental results appeared in paper The Sources of Randomness in Mobile Devices, NordSec 2007 (paper download).
Security of wireless sensor networks, with focus on security protocols, intrusion detection and also privacy. Here we found a very promising interplay between secrecy amplification and key derived from signal properties, presenting the final design and evaluation of our protocols in our 2021 Future Networks and Communications conference paper Practical approach to re-securing compromised wireless sensor networks (with the Best Paper Award) and article Crowdsourced Security Reconstitution for Wireless Sensor Networks: Secrecy Amplification, with some further discussions of selected protocols published in Evaluating Dynamic Approaches to Key (Re-)Establishment in Wireless Sensor Networks, and in Adaptive Secrecy Amplification with Radio Channel Key Extraction and in Entropy Crowdsourcing Protocols for Link Key Updates in Wireless Sensor Networks. We focused also on examination of various attacker approaches and models, see the extended version of our CANS 2016 paper Attackers in Wireless Sensor Networks Will Be Neither Random nor Jumping - Secrecy Amplification Case. We also presented very interesting protocol designs for secrecy amplification in wireless sensor networks in our paper On Secrecy Amplification Protocols presented at the 9th WISTP International Conference on Information Security Theory and Practice (WISTP 2015). "Improving Intrusion Detection Systems for Wireless Sensor Networks" is our proposal of a framework for IDS parameter setting in wireless sensor networks, presented at ACNS 2014. Conflicts between Intrusion Detection and Privacy Mechanisms for Wireless Sensor Networks is our article in IEEE Security & Privacy 11.5 (2013), "An Adaptive Security Architecture for Location Privacy Sensitive Sensor Network Applications" is our design presented in a paper at LightSec 2013 - Lightweight Cryptography for Security and Privacy. "Multi-Objective Optimization of Intrusion Detection Systems for Wireless Sensor Networks" was presented at the 12th European Conference on Artificial Life (ECAL 2013). Related starting discussion of issues in the area of privacy and IDSs in WSNs can be found in our paper Attack detection vs. privacy - How to find the link or how to hide it?, presented at the 2011 Security Protocols Workshop. "Two Improvements of Random Key Predistribution for Wireless Sensor Networks" was presented at the 8th International Conference on Security and Privacy in Communication Networks (SecureComm 2012); "Evolutionary Design of Message Efficient Secrecy Amplification Protocols" then was our work presented at 15th European Conference on Genetic Programming (EuroGP 2012); and "On the Credibility of Wireless Sensor Network Simulations: Evaluation of Intrusion Detection System" work presented at SIMUTools 2012.
Full Disk Encryption with Crypto Data Integrity, where our work with Milan Broz and others is published as a an arXiv technical report or in a shorter version at IFIP SEC 2018 paper that won the best student paper award. Our implementation has been included in the Linux kernel since the version 4.12.
Examining certain Denial of Service attacks, where we analyzed the threat of DDoS-for-hire services to low and medium power cloud-based servers or home users, investigating popularity and availability of such services, their payment models, subscription pricing, complexity of the generated attack traffic and performance. Our paper Service in denial clouds going with the winds was presented at the Network and System Security 2015. Our paper Analyzing traffic features of common standalone DoS attack tools came with a comparative analysis of traffic features of DoS attacks that were generated by state-of-the-art standalone DoS attack tools. We provide a classification of different attack traffic features, including utilized evasion techniques and encountered anomalies. We also proposed a new research direction for the detection of DoS attacks at the source end, based on repeated attack patterns recognition.
Study of biometric authentication systems. 
A
full version of a paper written with Zdenek Riha and presented at
the Computer Information Systems and Industrial Management
Applications 2010 conference, is available as the technical
report FIMU-RS-2010-07. We have a book on biometric
authentication (in Czech), where I took care of co-editing (and
writing up some) chapters. An older summary paper reviewing major
security
and usability issues of biometric authentication systems was
presented at the Communications and Multimedia Security Conference,
summary of trends and visions was presented at the Information
Security Summit 2002, and few other papers presented at other
conferences. A good summarizing article Toward
Reliable User Authentication through Biometrics appeared in IEEE
Security & Privacy and an introductory technical report written
also with Zdenek Riha is also available.
Shouldersurfing attacks, namely in relation to the Chip&PIN card payment authorisation. We conducted an intensive study to compare the (in)security of signature- vs. PINpad-based payment authorisation by customers. More results came out in an IEEE Computer article, results from the first round of our experiments are available either as old slides or drafted lecture notes (final version can be found in the proceedings of 2005 Cambridge Workshop on Security Protocols). A book on these and related issues on authentication and authorization is available in Czech.
Information privacy, where we undertook another privacy valuation experiment, results from which are prepared for a publication, following the attention of both expert and general public that has been drawn to our Value of Location Privacy paper (copyright ACM, presented at WPES 2006). This work has been undertaken in the framework of activities around the FIDIS Network of Excellence. Earlier on, we also examined ways to model the state of privacy in a given system - and possibly to use this model for evaluating various aspects of privacy. We started with a critical review of the older Common Criteria approach, provided for additional definitions of unlinkability and also refined the approach, revising also the Freiburg Privacy Diamond work of Alf Zugenmeier et al. Preliminary results of our work are in contributions to the Privacy and Security workshops of Ubicomp 2004 and Fourth IEEE International Conference on Data Mining, and the underlying considerations were presented at the Cambridge Workshop on Security Protocols. In my earlier work in this area, I also worked on analysing and reporting doctor-level prescribing information in the Xponent project with IMS Health. A paper (draft of which is available here) for Healthcare Informatics Journal 4.3-4 outlines some of the issues. Yet older work involves participation in drafting the Privacy Class of the Common Criteria, and also work relevant to the Canadian privacy scene that was presented as the Technical Report "Information Privacy in Canada (Legislation in the Face of Changing Technologies)", TR-246, School of Computer Science, Carleton University.
The Global Internet Trust Register published by MIT Press in March 1999 contains the fingerprints of many important public keys used throughout the world, and you can read more on the effort here.
IT Security Terminology, of course with focus on the Czech language. A part of this effort is oriented towards "English-Czech Terminology of IT Security" - a dictionary with Czech explanatory notes, published by the Computer Press, s.r.o. Praha 1996. Second issue is now on the horizon.
Security Evaluation Criteria where did some work on the Communication and Privacy Classes for the Common Criteria v0.9 in cooperation with the Canadian Communications Security Establishment.
Just in case you met me during my 2025 sabbatical with Cybernetica or at the University of Tartu, Delta Centre, or in 2017 with Red Hat Czech and CyLab, Carnegie Mellon University, or in 2011/12 as a Fulbright-Masaryk Visiting Scholar at the Center for Research on Computation and Society (CRCS), Harvard University, or in 2003/04 either as a Visiting Researcher with Microsoft Research Cambridge, or a Visiting Lecturer with University College Dublin, Department of Computer Science, then yes, it is me. :-) And again thanks to all these institutions, their employees, and other visitors at the time for their kind hospitality and/or inspiring discussions.
Vashek
Matyas
E-mail: LastName at fi.muni.cz
Last update: May 20, 2026.