Ari Juels

Ari Juels
Cornell Tech · Jacobs Technion-Cornell Institute

About

238
Publications
136,327
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
30,798
Citations

Publications

Publications (238)
Preprint
Full-text available
Inherent in the world of cryptocurrency systems and their security models is the notion that private keys, and thus assets, are controlled by individuals or individual entities. We present Liquefaction, a wallet platform that demonstrates the dangerous fragility of this foundational assumption by systemically breaking it. Liquefaction uses trusted...
Preprint
We propose protected pipelines or props for short, a new approach for authenticated, privacy-preserving access to deep-web data for machine learning (ML). By permitting secure use of vast sources of deep-web data, props address the systemic bottleneck of limited high-quality training data in ML development. Props also enable privacy-preserving and...
Preprint
Full-text available
Users of decentralized finance (DeFi) applications face significant risks from adversarial actions that manipulate the order of transactions to extract value from users. Such actions -- an adversarial form of what is called maximal-extractable value (MEV) -- impact both individual outcomes and the stability of the DeFi ecosystem. MEV exploitation,...
Chapter
Pyramid schemes are investment scams in which top-level participants in a hierarchical network recruit and profit from an expanding base of defrauded newer participants. They have existed for over a century, but their historical opacity has prevented in-depth studies. This paper presents an empirical study of Forsage, a smart-contract-based pyramid...
Article
Most permissionless blockchain networks run on peer-to-peer (P2P) networks, which offer flexibility and decentralization at the expense of performance (e.g., network latency). Historically, this tradeoff has not been a bottleneck for most blockchains. However, an emerging host of blockchain-based applications (e.g., decentralized finance) are incre...
Preprint
Non-fungible tokens (NFTs)} are digital objects that reside on blockchains and are typically associated with unique digital media, such as images or music. A recent frenzy of popular interest has given rise seemingly overnight to a multi-billion NFT market. Individual NFTs can sell for millions or tens of millions of dollars, while creators ranging...
Preprint
Most permissionless blockchain networks run on peer-to-peer (P2P) networks, which offer flexibility and decentralization at the expense of performance (e.g., network latency). Historically, this tradeoff has not been a bottleneck for most blockchains. However, an emerging host of blockchain-based applications (e.g., decentralized finance) are incre...
Preprint
We introduce the Clockwork Finance Framework (CFF), a general purpose, formal verification framework for mechanized reasoning about the economic security properties of composed decentralized-finance (DeFi) smart contracts. CFF features three key properties. It is contract complete, meaning that it can model any smart contract platform and all its c...
Preprint
Full-text available
Pyramid schemes are investment scams in which top-level participants in a hierarchical network recruit and profit from an expanding base of defrauded newer participants. Pyramid schemes have existed for over a century, but there have been no in-depth studies of their dynamics and communities because of the opacity of participants' transactions. In...
Chapter
Decades of research in both cryptography and distributed systems has extensively studied the problem of state machine replication, also known as Byzantine consensus. A consensus protocol must satisfy two properties: consistency and liveness. These properties ensure that honest participating nodes agree on the same log and dictate when fresh transac...
Article
Although smart contracts inherit the availability and other security assurances of the blockchain, they are impeded by lack of confidentiality and poor performance. We present Ekiden, a system that aims to close these critical gaps by combining the blockchain with trusted execution environments.
Preprint
Full-text available
Incentive mechanisms are central to the functionality of permissionless blockchains: they incentivize participants to run and secure the underlying consensus protocol. Designing incentive-compatible incentive mechanisms is notoriously challenging, however. Even systems with strong theoretical security guarantees in traditional settings, where users...
Conference Paper
Full-text available
We propose Tesseract, a secure real-time cryptocurrency exchange service. Existing centralized exchange designs are vulnerable to theft of funds, while decentralized exchanges cannot offer real-time cross-chain trades. All currently deployed exchanges are also vulnerable to frontrunning attacks. Tesseract overcomes these flaws and achieves a best-o...
Conference Paper
Full-text available
We present a new primitive supporting file replication in distributed storage networks (DSNs) called a Public Incompressible Encoding (PIE). PIEs operate in the challenging public DSN setting where files must be encoded and decoded with public randomness-i.e., without encryption-and retention of redundant data must be publicly verifiable. They prev...
Conference Paper
We introduce CHURP (CHUrn-Robust Proactive secret sharing). CHURP enables secure secret-sharing in dynamic settings, where the committee of nodes storing a secret changes over time. Designed for blockchains, CHURP has lower communication complexity than previous schemes: $O(n)$ on-chain and $O(n^2)$ off-chain in the optimistic case of no node failu...
Conference Paper
Full-text available
Biometric authentication is increasingly being used for large scale human authentication and identification, creating the risk of leaking the biometric secrets of millions of users in the case of database compromise. Powerful "fuzzy" cryptographic techniques for biometric template protection, such as secure sketches, could help in principle, but go...
Conference Paper
The growing adoption of digital assets---including but not limited to cryptocurrencies, tokens, and even identities---calls for secure and robust digital assets custody. A common way to distribute the ownership of a digital asset is (M, N)-threshold access structures. However, traditional access structures leave users with a painful choice. Setting...
Preprint
Thanks to the widespread deployment of TLS, users can access private data over channels with end-to-end confidentiality and integrity. What they cannot do, however, is prove to third parties the {\em provenance} of such data, i.e., that it genuinely came from a particular website. Existing approaches either introduce undesirable trust assumptions o...
Article
The Hydra Framework is a new, principled approach to modeling and detecting security-critical bugs. Fusing a variant of classical N-version (redundant) programming with automated bug bounty payouts, Hydra provides economically rigorous and cost-effective bounty protections for smart contracts.
Preprint
Blockchains, and specifically smart contracts, have promised to create fair and transparent trading ecosystems. Unfortunately, we show that this promise has not been met. We document and quantify the widespread and rising deployment of arbitrage bots in blockchain systems, specifically in decentralized exchanges (or "DEXes"). Like high-frequency tr...
Article
Smart contracts are applications that execute on blockchains. Today they manage billions of dollars in value and motivate visionary plans for pervasive blockchain deployment. While smart contracts inherit the availability and other security assurances of blockchains, however, they are impeded by blockchains' lack of confidentiality and poor perform...
Conference Paper
Full-text available
Blockchains and more general distributed ledgers are becoming increasingly popular as efficient, reliable, and persistent records of data and transactions. Unfortunately, they ensure reliability and correctness by making all data public, raising confidentiality concerns that eliminate many potential uses. In this paper we present Solidus, a protoco...
Conference Paper
Full-text available
Motivated by typo correction in password authentication, we investigate cryptographic error-correction of secrets in settings where the distribution of secrets is a priori (approximately) known. We refer to this as the distribution-sensitive setting.
Article
Cloud computing has emerged as a dominant platform for computing forthe foreseeable future, resulting in an ongoing disruption to the waywe build and deploy software. This disruption offers a rareopportunity to integrate new approaches to computer security. In thispaper we outline a vision of security in this new era of cloudcomputing, laying out a...
Conference Paper
Most prominent cryptocurrencies utilize proof of work (PoW) to secure their operation, yet PoW suffers from two key undesirable properties. First, the work done is generally wasted, not useful for anything but the gleaned security of the cryptocurrency. Second, PoW is naturally outsourceable, leading to inegalitarian concentration of power in the h...
Article
Cloud computing has emerged as a dominant computing platform for the foreseeable future, resulting in an ongoing disruption to the way we build and deploy software. This disruption offers a rare opportunity to integrate new approaches to computer security. The aggregating effect of cloud computing and the role of cloud providers as trust anchors ca...
Conference Paper
Full-text available
Smart contracts are programs that execute autonomously on blockchains. Their key envisioned uses (e.g. financial instruments) require them to consume data from outside the blockchain (e.g. stock quotes). Trustworthy data feeds that support a broad range of data requests will thus be critical to smart contract ecosystems. We present an authenticated...
Conference Paper
Thanks to their anonymity (pseudonymity) and elimination of trusted intermediaries, cryptocurrencies such as Bitcoin have created or stimulated growth in many businesses and communities. Unfortunately, some of these are criminal, e.g., money laundering, illicit marketplaces, and ransomware. Next-generation cryptocurrencies such as Ethereum will inc...
Conference Paper
Full-text available
Machine learning (ML) models may be deemed confidential due to their sensitive training data, commercial value, or use in security applications. Increasingly often, confidential ML models are being deployed with publicly accessible query interfaces. ML-as-a-service ("predictive analytics") systems are an example: Some allow users to train models on...
Article
Protecting social norms as confidentiality wanes.
Conference Paper
Full-text available
The increasing popularity of blockchain-based cryptocurrencies has made scalability a primary and urgent concern. We analyze how fundamental and circumstantial bottlenecks in Bitcoin limit the ability of its current peer-to-peer overlay network to support substantially higher throughputs and lower latencies. Our results suggest that reparameterizat...
Conference Paper
The increasing popularity of blockchain-based cryptocurrencies has made scalability a primary and urgent concern. We analyze how fundamental and circumstantial bottlenecks in Bitcoin limit the ability of its current peer-to-peer overlay network to support substantially higher throughputs and lower latencies. Our results suggest that reparameterizat...
Conference Paper
We introduce Falcon codes, a class of authenticated error correcting codes that are based on LT codes and achieve the following properties, for the first time simultaneously: (1) with high probability, they can correct adversarial corruptions of an encoded message, and (2) they allow very efficient encoding and decoding times, even linear in the me...
Article
Full-text available
In today's data-driven world, programmers routinely incorporate user data into complex algorithms, heuristics, and application pipelines. While often beneficial, this practice can have unintended and detrimental consequences, such as the discriminatory effects identified in Staples's online pricing algorithm and the racially offensive labels recent...
Article
Full-text available
Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user's encrypted vault can mount offline brute-f...
Patent
Full-text available
An authentication system including a first server configured to store identifiers of respective users in association with respective pseudonyms, and a second server configured to store templates of the respective users in association with the respective pseudonyms. Input is received from a given user in conjunction with an authentication attempt. T...
Patent
Full-text available
An authentication system comprises multiple servers and a controller coupled to or otherwise associated with the servers. The controller is configured to control storage in the servers of respective chaff sets or other types of value sets, each including at least one secret value obscured within a distinct arrangement of other values. Each of the s...
Conference Paper
Full-text available
Secure storage of genomic data is of great and increasing importance. The scientific community's improving ability to interpret individuals' genetic materials and the growing size of genetic database populations have been aggravating the potential consequences of data breaches. The prevalent use of passwords to generate encryption keys thus poses a...
Patent
In one embodiment, a set of servers generates at least one challenge that is sent to a client. The servers receive from the client a response that includes a message generated as a function of the challenge. The response also includes a digital signature computed on the message using a secret key of a key pair generated for a current epoch. The cli...
Patent
Full-text available
Methods and apparatus are provided for fraud detection and remediation in knowledge-based authentication (KBA). A knowledge-based authentication method is performed by a server for restricting access of a user to a restricted resource. The exemplary knowledge-based authentication method comprises challenging the user with one or more questions requ...
Conference Paper
We provide a formal treatment of backdoored pseudorandom generators (PRGs). Here a saboteur chooses a PRG instance for which she knows a trapdoor that allows prediction of future (and possibly past) generator outputs. This topic was formally studied by Vazirani and Vazirani, but only in a limited form and not in the context of subverting cryptograp...
Patent
Full-text available
Methods, apparatus and articles of manufacture for implementing cryptographic devices operable in a challenge-response mode are provided herein. A method includes storing a set of authentication information in a first cryptographic device associated with a user, receiving a challenge in the first cryptographic device in connection with a user authe...
Patent
Methods and apparatus are provided for generation of forward secure pseudorandom numbers. A forward secure pseudorandom number is generated by obtaining a first state si corresponding to a current leaf node vi in a hierarchical tree, wherein the current leaf vi produces a first pseudorandom number ri−t and wherein the hierarchical tree comprises at...
Patent
At least one virtual machine implemented on a given physical machine in an information processing system is able to detect the presence of one or more other virtual machines that are also co-resident on that same physical machine. More particularly, at least one virtual machine is configured to avoid usage of a selected portion of a memory resource...
Patent
Full-text available
Knowledge-based authentication (KBA) is provided using historically-aware questionnaires. The KBA can obtain a plurality of historically different answers from the user to at least one question; challenge the user with the question for a given period of time; receive a response from the user to the question; and grant access to the restricted resou...
Patent
Full-text available
A client device or other processing device comprises a file encoding module, with the file encoding module being configured to separate a file into a plurality of sets of file blocks, to assign sets of the file blocks to respective ones of a plurality of servers, to define a plurality of parity groups each comprising a different subset of the plura...
Patent
Methods and apparatus are provided for embedding auxiliary information in one-time passcode authentication tokens. Auxiliary information is embedded in authentication information transmitted to a receiver by obtaining the auxiliary information; and mapping the auxiliary information to a codeword using a secret key, wherein the secret key is shared...
Patent
A proof of retrievability (POR) mechanism is applicable to a data object for providing assurances of data object possession to a requesting client by transmitting only a portion of the entire data object. The client compares or examines validation values returned from predetermined validation segments of the data object with previously computed val...
Patent
A distributed challenge-response protocol is carried out between a verifier and a prover. The verifier comprises servers storing respective shares of a set of challenge-response pairs. A particular challenge of one of the challenge-response pairs is sent to the prover, and a response to the challenge is received from the prover. The received respon...
Patent
Full-text available
Improved techniques are provided for the generation of exfiltration-resilient cryptographic keys. A method is provided for generating exfiltration-resilient cryptographic keys for authentication and/or digital signing. A set of authentication information sk[i] is stored in a device associated with a user and a set of public keys pk[i] are provided...
Patent
A processing device comprises a processor coupled to a memory and implements a host-based intrusion detection system configured to permit detection of tampering with at least one software component installed on the processing device. The host-based intrusion detection system comprises a forward-secure logging module configured to record information...
Patent
Full-text available
Disclosed is a method and apparatus for performing steps to cause encoded information to be stored at a client device during a first network session between a server and the client device. To cause encoded information to be stored at a client device, the server first determines a set of network resource requests that encode the information. These n...
Patent
An apparatus comprises a medical device configured for implantation into a living organism. The medical device comprises processing circuitry, a memory and interface circuitry configured for communication with a monitoring device. The medical device is configured to receive a request for access from the monitoring device, to measure a physiological...
Article
Full-text available
We present an epidemiological study of malware encounters in a large, multi-national enterprise. Our data sets allow us to observe or infer not only malware presence on enterprise computers, but also malware entry points, network locations of the computers (i.e., inside the enterprise network or outside) when the malware were encountered, and for s...
Article
Full-text available
We present a new attack framework for conducting cache- based side-channel attacks and demonstrate this framework in attacks between tenants on commercial Platform-as-a-Service (PaaS) clouds. Our framework uses the Flush- Reload attack of Gullasch et al. as a primitive, and ex- tends this work by leveraging it within an automaton-driven strategy fo...
Patent
Full-text available
A first cryptographic device is configured to store a set of keys that is refreshed in each of a plurality of epochs. The first cryptographic device computes for each of at least a subset of the epochs at least one view based on at least a portion of the set of keys for that epoch, and transmits the views to a second cryptographic device in associa...
Patent
A processing device comprising a processor coupled to a memory is configured to determine a risk of simultaneous theft of a primary device and at least one satellite device associated with the primary device, and to identify said at least one satellite device as an appropriate authentication factor for use in an authentication process involving the...
Conference Paper
Security analytics is a catchall term for vulnerability assessment and intrusion detection leveraging security logs from a wide array of Security Analytics Sources (SASs), which include firewalls, VPNs, and endpoint instrumentation. Today, nearly all security analytics systems suffer from a lack of even basic data protections. An adversary can eave...
Patent
Full-text available
An improved technique involves protecting a set of resources in a distributed computer system by scheduling epochs for replacing keys that have a variable duration. Along these lines, a Variable Epoch Scheduler (VES) generates schedules of key updates for a set of players in the distributed system such that at least two epochs in the schedules have...
Patent
A processing device comprises a processor coupled to a memory and implements a graph-based approach to protection of a system comprising information technology infrastructure from a persistent security threat. Attack-escalation states of the persistent security threat are assigned to respective nodes in a graph, and defensive costs for preventing t...
Patent
A client device or other processing device comprises a file processing module, with the file processing module being operative to provide a file to a file system for encoding, to receive from the file system a corresponding encoded file, and to verify that the file system stores at least a designated portion of an encapsulation of the encoded file....
Patent
Full-text available
Methods and apparatus are provided for secure and reliable transmission of messages over a silent alarm channel. A plurality of messages are transmitted by obtaining the plurality of messages; and transmitting the plurality of messages on a forward-secure channel to a receiver, wherein the forward-secure channel comprises a buffer having a pluralit...
Patent
Servers are configured to operate in two or more threshold security planes with each such threshold security plane implementing at least a portion of a corresponding threshold security protocol involving at least a subset of the servers. The servers are implemented on at least one processing device comprising a processor coupled to a memory. Multip...
Patent
A first cryptographic device generates plaintext information characterizing at least one key or other secret value associated with that device. The first cryptographic device releases portions of the plaintext information to a second cryptographic device over respective time intervals. The portions of the plaintext information are configured by the...
Article
Honey encryption (HE) addresses the challenge of encrypting messages using keys that are vulnerable to guessing attacks, such as the passwords selected by ordinary users. HE creates a ciphertext that, when decrypted with an incorrect key or password, yields a valid-looking but bogus message. So, attackers can't tell when decryption has been success...
Article
Decoy objects, often labeled in computer security with the term honey, are a powerful tool for compromise detection and mitigation. There has been little exploration of overarching theories or set of principles or properties, however. This short paper (and accompanying keynote talk) briefly explore two properties of honey systems, indistinguishabil...
Conference Paper
Decoy objects, often labeled in computer security with the term honey, are a powerful tool for compromise detection and mitigation. There has been little exploration of overarching theories or set of principles or properties, however. This short paper (and accompanying keynote talk) briefly explore two properties of honey systems, indistinguishabil...
Conference Paper
We introduce honey encryption (HE), a simple, general approach to encrypting messages using low min-entropy keys such as passwords. HE is designed to produce a ciphertext which, when decrypted with any of a number of incorrect keys, yields plausible-looking but bogus plaintexts called honey messages. A key benefit of HE is that it provides security...
Conference Paper
Bit coin is widely regarded as the first broadly successful e-cash system. An oft-cited concern, though, is that mining Bit coins wastes computational resources. Indeed, Bit coin's underlying mining mechanism, which we call a scratch-off puzzle (SOP), involves continuously attempting to solve computational puzzles that have no intrinsic utility. We...
Patent
Example embodiments of the present invention provide authenticated file system that provides integrity and freshness of both data and metadata more efficiently than existing systems. The architecture of example embodiments of the present invention is natural to cloud settings involving a cloud service provider and enterprise-class tenants, thereby...
Patent
Full-text available
A first cryptographic device is configured to store secret information that is refreshed in each of a plurality of epochs. The first cryptographic device receives an epoch control signal, and adjusts at least one epoch responsive to the received epoch control signal. Refreshed secret information associated with an adjusted epoch is utilized to auth...
Patent
Full-text available
A key is updated in a first cryptographic device and an update message comprising information characterizing the updated key is sent from the first cryptographic device to a second cryptographic device. The update message as sent by the first cryptographic device is configured to permit the second cryptographic device to detect compromise of the up...
Patent
A first cryptographic device is configured to determine at least a key for a current epoch and a key for a subsequent epoch, and to transmit the keys for the current and subsequent epochs over a secure channel to a second cryptographic device. The second cryptographic device utilizes the key for the current epoch to decrypt an additional key that w...
Patent
Cloud infrastructure of a cloud service provider comprises a processing platform implementing a security policy enforcement framework. The security policy enforcement framework comprises a policy analyzer that is configured to identify at least one security policy associated with at least one tenant of the cloud service provider, to analyze the sec...
Patent
Full-text available
An improved technique for assessing the security status of a device on which a soft token is run collects device posture information from the device running the soft token and initiates transmission of the device posture information to a server to be used in assessing whether the device has been subjected to malicious activity. The device posture i...