Moti Yung

• Ph.D.
• Researcher at Google Inc.

Recent advancements in post-Quantum secure signing have revitalized interest in one-time signatures, such as Lamport’s, and their many signature extensions. Predominantly based on standard hash functions, these signatures avoid reliance on number theoretic assumptions. Existing methods utilize a commitment array, with de-commitment contingent on th...

Anonymous tokens are, essentially, digital signature schemes that enable issuers to provide users with signatures without learning the user inputs or the final signatures. These primitives allow applications to propagate trust while simultaneously protecting the user identity. They have become a core component for improving the privacy of several r...

In this paper, we investigate whether the privacy mechanism of periodically changing the pseudorandom identities of Bluetooth Low Energy (BLE) beacons is sufficient to ensure privacy. We consider a new natural privacy notion for BLE broadcasting beacons which we call ``Timed-sequence- indistinguishability'' of beacons. This new privacy definition i...

This article presents a cryptanalysis of a 19th-century encrypted manuscript discovered in the archives of Conde de Siete Fuentes in Tenerife, Canary Islands, Spain. The manuscript, preserved by the heirs of the 6th Count of Valle de Salazar, utilizes a polyalphabetic substitution cipher. The cryptanalysis was performed by applying statistical freq...

Missing data is commonly encountered in practice, and when the missingness is non-ignorable, effective remediation depends on knowledge of the missingness mechanism. Learning the underlying missingness mechanism from the data is not possible in general, so adversaries can exploit this fact by maliciously engineering non-ignorable missingness mechan...

Causality-informed machine learning has been proposed as an avenue for achieving many of the goals of modern machine learning, from ensuring generalization under domain shifts to attaining fairness, robustness, and interpretability. A key component of causal machine learning is the inference of causal structures from observational data; in practice...

Randomized Partial Checking (RPC) [16] was proposed by Jakobsson, Juels, and Rivest and attracted attention as an efficient method of verifying the correctness of the mixing process in numerous applied scenarios. In fact, RPC is a building block for many electronic voting schemes, including Prêt à Voter [6], Civitas [9], Scantegrity II [5] as well...

Recent advancements in post-Quantum secure signing have revitalized interest in one-time signatures, such as Lamport's, and their many signature extensions. Predominantly based on standard hash functions, these signatures avoid reliance on number theoretic assumptions. Existing methods utilize a commitment array, with de-commitment contingent on th...

Motivated by the violation of two fundamental assumptions in secure communication - receiver-privacy and sender-freedom - by a certain entity referred to as “the dictator”, Persiano et al. introduced the concept of Anamorphic Encryption (AME) for public key cryptosystems (EUROCRYPT 2022). Specifically, they presented receiver/sender-AME, directly t...

As part of the responses to the ongoing crypto wars, the notion of Anamorphic Encryption was put forth. The notion allows private communication in spite of a dictator who is engaged in an extreme form of surveillance and or censorship, where it asks for all private keys and knows and may even dictate all messages. The original work pointed out effi...

The goal of this research is to raise technical doubts regarding the usefulness of the repeated attempts by governments to curb Cryptography (aka the “Crypto Wars”), and argue that they, in fact, cause more damage than adding effective control. The notion of Anamorphic Encryption was presented in Eurocrypt’22 for a similar aim. There, despite the p...

One-time signatures (originated by Lamport) and their extensions to many signatures has gained recent momentum with the need for Post-Quantum secure signing since they are essentially based on standard hash (one-way) functions (rather than number theoretic assumptions). Such signatures, to date, have been based on an array of commitments that are d...

In this paper, we propose the Midgame Security attack model, where it is assumed that at some point in the middle of computation with a secret key, and after some secure work (typically but not necessarily initial one), the powerful adversary sees the entire internal state and attempts key recovery/forgery. This security model is motivated by a few...

Inference of causal structures from observational data is a key component of causal machine learning; in practice, this data may be incompletely observed. Prior work has demonstrated that adversarial perturbations of completely observed training data may be used to force the learning of inaccurate causal structural models (SCMs). However, when the...

We study encrypted storage schemes where a client outsources data to an untrusted third-party server (such as a cloud storage provider) while maintaining the ability to privately query and dynamically update the data. We focus on encrypted multi-maps (EMMs), a structured encryption (STE) scheme that stores pairs of label and value tuples. EMMs allo...

Additive Manufacturing (AM) is an important up and coming manufacturing technology which creates three-dimensional objects based on digital design files. While these digital files simplify outsourcing, it also raises security concerns of technical data theft by malicious actors. We propose a novel approach for steganographically embedding validity...

“Exposure Notification (EN) Systems” which have been envisioned by a number of academic and industry groups, are useful in aiding health authorities worldwide to fight the COVID-19 pandemic spread via contact tracing. Among these systems, many rely on the BLE based Google-Apple Exposure Notification (GAEN) API (for iPhones and Android systems).We a...

The setting of our problem is a distributed architecture facing an enormous user set, where events are repeating and evolving over time, and we want to absorb the stream of events into the model: first local model, then absorb it in the global one, and also care about user privacy. Naturally, we learn a phenomenon which happens distributedly in man...

The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti et al. (STOC’19) and Peikert-Shiehian (Crypto’19) showed that, under the Learning-With-Errors (\(\mathsf {LWE}_{}\)) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to s...

Cryptosystems have been developed over the years under the typical prevalent setting which assumes that the receiver’s key is kept secure from the adversary, and that the choice of the message to be sent is freely performed by the sender and is kept secure from the adversary as well. Under these fundamental and basic operational assumptions, modern...

We examine the security, privacy, and reliability of Google and Apple’s COVID-19 exposure notification technology, using actual case studies and realistic use cases. Our analysis validates the system, providing piece of mind for adopters of contact tracing and potentially boosting transparency.

Beacons are small devices which are playing an important role in the Internet of Things (IoT), connecting “things” without IP connection to the Internet via Bluetooth Low Energy (BLE) communication. In this paper we present the first private end-to-end encryption protocol called the Eddystone-Ephemeral-ID (Eddystone-EID) protocol. This protocol ena...

Model accuracy is the traditional metric employed in machine learning (ML) applications. However, privacy, fairness, and robustness guarantees are crucial as ML algorithms increasingly pervade our lives and play central roles in socially important systems. These four desiderata constitute the pillars of Trustworthy ML (TML) and may mutually inhib...

Our context is anonymous encryption schemes hiding their receiver, but in a setting which allows authorities to reveal the receiver when needed. While anonymous Identity-Based Encryption (IBE) is a natural candidate for such fair anonymity (it gives trusted authority access by design), the de facto security standard (a.k.a. IND-ID-CCA) is incompati...

Google and Apple jointly introduced a digital contact tracing technology and an API called "exposure notification," to help health organizations and governments with contact tracing. The technology and its interplay with security and privacy constraints require investigation. In this study, we examine and analyze the security, privacy, and reliabil...

We look at two basic coding theoretic and cryptographic mechanisms developed separately and investigate relationships between them and their implications. The first mechanism is Proactive Secret Sharing (PSS), which allows randomization and repair of shares using information from other shares. PSS enables constructing secure multi-party computation...

Cryptography is the fundamental cornerstone of cybersecurity employed for achieving data confidentiality, integrity, and authenticity. However, when cryptographic protocols are deployed for emerging applications such as cloud services or big data, the demand for security grows beyond these basic requirements. Data nowadays are being extensively sto...

Secret sharing methods are fundamental data representation and distribution techniques that are crucial to securing distributed storage and multi-party computation. Error correcting codes are the fundamental representation mechanism for tolerating and recovering from faults in data: messages and storage. This work looks at variants of both primitiv...

A scheme which is based on splitting a secret among a set of servers (e.g. in a cloud) where a threshold, t, of them is needed for reconstruction, is advantageous in many ways for the mechanism to work regardless of the exact subset (of size at least t) which participates in the reconstruction. The advantages of such threshold-based cryptographic s...

Over the development of modern cryptography, often, alternative cryptographic schemes are developed to achieve goals that in some important respect are orthogonal. Thus, we have to choose either a scheme which achieves the first goal and not the second, or vice versa. This results in two types of schemes that compete with each other. In the basic a...

We consider threshold public-key encryption, where the decryption servers distributively hold the private key shares, and we need a threshold of these servers to decrypt the message (while the system remains secure when less than the threshold is corrupt). We investigate the notion of chosen-ciphertext secure threshold systems which has been histor...

In this chapter we focus on two important security challenges that naturally emerge for large scale systems composed of cheap devices implementing only symmetric cryptographic algorithms. First, we consider threats due to poor or malicious implementations of protocols, which enable data to be leaked from the devices to an adversary. We present solu...

This book constitutes the post-conference proceedings of the 16th International Conference on Information Security and Cryptology, Inscrypt 2020, held in, China, in December 2020. Due the COVID-19, the conference was held online and physical. The 24 full papers presented together with 8 short papers were carefully reviewed and selected from 79 subm...

This book constitutes the post-conference proceedings of the 17th International Conference on Information Security and Cryptology, Inscrypt 2021, in August 2021. Due the COVID-19, the conference was held online The 28 full papers presented were carefully reviewed and selected from 81 submissions. The papers presents papers about research advances i...

This book constitutes the proceedings of the Third International Conference on Science of Cyber Security, SciSec 2021, held in Shanghai, China, in August 2021. The 17 full papers and 5 short papers presented in this volume were carefully reviewed and selected from 50 submissions. These papers cover the following subjects: Cyber Security, Detection,...

This two-volume set LNICST 398 and 399 constitutes the post-conference proceedings of the 17th International Conference on Security and Privacy in Communication Networks, SecureComm 2021, held in September 2021. Due to COVID-19 pandemic the conference was held virtually. The 56 full papers were carefully reviewed and selected from 143 submissions....

This two-volume set LNICST 398 and 399 constitutes the post-conference proceedings of the 17th International Conference on Security and Privacy in Communication Networks, SecureComm 2021, held in September 2021. Due to COVID-19 pandemic the conference was held virtually. The 56 full papers were carefully reviewed and selected from 143 submissions....

Motivated by the currently widespread concern about mass surveillance of encrypted communications, Bellare et al. introduced at CRYPTO 2014 the notion of Algorithm-Substitution Attack (ASA) where the legitimate encryption algorithm is replaced by a subverted one that aims to undetectably exfiltrate the secret key via ciphertexts. Practically implem...

In modern distributed systems, an adversary's limitations when corrupting subsets of a system's components (e.g., servers) may not necessarily be based on threshold constraints, but rather based on other technical or organizational characteristics. This means that the corruption patterns (and thus protection guarantees) are not based on the adversa...

In modern distributed systems, an adversary’s limitations when corrupting subsets of a system’s components (e.g., servers) may not necessarily be based on threshold constraints, but rather based on other technical or organizational characteristics. This means that the corruption patterns (and thus protection guarantees) are based on the adversary b...

The main real impact of the GDPR regulation of the EU should be improving the protection of data concerning physical persons. The sharp GDPR rules have to create a controllable information environment, and to prevent misuse of personal data. The general legal norms of GDPR may, indeed, be regarded as justified and well motivated by the existing thr...

This work is about constructing methods for simultaneously broadcasting multimedia data privately to a set of subscribers, and on various connections among important efficient variants of the general paradigm. Broadcast Encryption is such a fundamental primitive supporting sending a secure message to any chosen target set of N users. While many eff...

Private intersection-sum with cardinality allows two parties, where each party holds a private set and one of the parties additionally holds a private integer value associated with each element in her set, to jointly compute the cardinality of the intersection of the two sets as well as the sum of the associated integer values for all the elements...

We present the work on HADKEG: a protocol for Highly Available Distributed Key Generation. The context is a highly sensitive redundant generation for use and redundant recovery of a set of symmetric cryptography keys. These keys need to be trusted (random) and secure against failures of randomness employment and leakages, and be available via a rec...

In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure. In the case of threshold public-key encryption, at least \(t \le n\) servers need to contribute to the decryption process. A threshold primitive is said robust if no coalition of t malicious...

This book constitutes the post-conference proceedings of the 15th International Conference on Information Security and Cryptology, Inscrypt 2019, held in Nanjing, China, in December 2019. The 23 full papers presented together with 8 short papers and 2 invited papers were carefully reviewed and selected from 94 submissions. The papers cover topics i...

Governments and other bodies stockpile a significant number of zero-day vulnerabilities for offense. But at the same time, they could also have the incentive to help private and commercial organizations patch these vulnerabilities, yet doing so will leak the zero-days, thus removing their offensive capability. This is an offense-defense trade-off....

Volume leakage has recently been identified as a major threat to the security of cryptographic cloud-based data structures by Kellaris \em et al. [CCS'16] (see also the attacks in Grubbs \em et al. [CCS'18] and Lacharité \em et al. [S&P'18]). In this work, we focus on volume-hiding implementations of \em encrypted multi-maps as first considered by...

The papers in this special section identify paradigm shifts in cryptographic engineering. Modern cryptography is almost five decades old, and we have seen some interesting breakthroughs throughout its relatively young history. These include the engineering foundations of symmetric key cryptography and block ciphers in particular (like the DES and t...

In this paper, we study the following “balls in buckets” problem. Suppose there is a sequence B1,B2,…,Bn of buckets having integer sizes s1,s2,…,sn, respectively. For a given target fraction α, 0<α<1, our goal is to sequentially place balls in buckets until at least ⌈αn⌉ buckets are full, so as to minimize the number of balls used, which we shall d...

We study how to construct secure digital signature schemes in the presence of kleptographic attacks. Our work utilizes an offline watchdog to clip the power of subversions via only one-time black-box testing of the implementation. Previous results essentially rely on an online watchdog which requires the collection of all communicating transcripts...

Self-updatable encryption (SUE) is a new kind of public-key encryption, motivated by cloud computing, which enables anyone (i.e. cloud server with no access to private keys) to update a past ciphertext to a future ciphertext by using a public key. The main applications of SUE are revocable-storage attribute-based encryption (RS-ABE) that provides a...

The huge growth of e-shopping has brought convenience to customers and increased revenue to merchants and financial entities. Moreover, e-shopping has evolved to possess many functions, features, and requirements (e.g., regulatory ones). However, customer privacy has been mostly ignored, and while it is easy to add simple privacy to an existing sys...

This book constitutes the proceedings of the Second International Conference on Science of Cyber Security, SciSec 2019, held in Nanjing, China, in August 2019. The 20 full papers and 8 short papers presented in this volume were carefully reviewed and selected from 62 submissions. These papers cover the following subjects: Artificial Intelligence fo...

This book constitutes the post-conference proceedings of the 14th International Conference on Information Security and Cryptology, Inscrypt 2018, held in Fuzhou, China, in December 2018. The 31 full papers presented together with 5 short papers and 1 invited paper were carefully reviewed and selected from 93 submissions. The papers cover topics in...

One option to instantiate Mobile Target Defense (MTD) [27] strategies in distributed storage and computing systems is to design such systems from the ground up using cryptographic techniques such as secret sharing (SS) and secure multiparty computation (MPC). In standard SS a dealer shares a secret s among n parties such that an adversary corruptin...

In this work, we propose a novel framework for privacy-preserving client-distributed machine learning. It is motivated by the desire to achieve differential privacy guarantees in the local model of privacy in a way that satisfies all systems constraints using asynchronous client-server communication and provides attractive model learning properties...

The huge growth of e-shopping has brought convenience to customers, increased revenue to merchants and financial entities and evolved to possess a rich set of functionalities and requirements (e.g., regulatory ones). However, enhancing customer privacy remains to be a challenging problem; while it is easy to create a simple system with privacy, thi...

Recently, a new type of attack called Advanced Persistent Threat (APT) headline the news frequently. Different from other type of attacks, APT often has specific targets given sufficient fund support, and the attack can exist for a long period of time without being discovered. No single current protection approach alone can efficiently defeat APT,...

This book constitutes the thoroughly refereed post-conference proceedings of the 13th International Conference on Information Security and Cryptology, Inscrypt 2017, held in Xi'an, China, in November 2017. The 27 revised full papers presented together with 5 keynote speeches were carefully reviewed and selected from 80 submissions. The papers are...

We warned the public more than 20 years ago that cryptoviral extortion would pose a major threat to users, a threat that has been realized with the advent of Bitcoin but largely neglected until recently. We believe that a reactive mindset along with group conformity are partly to blame for this oversight and, moreover, are negatively impacting secu...

Notable recent security incidents have generated intense interest in adversaries which attempt to subvert---perhaps covertly---crypto\-graphic algorithms. In this paper we develop (IND-CPA) Semantically Secure encryption in this challenging setting. This fundamental encryption primitive has been previously studied in the "kleptographic setting," th...

This tutorial will present a systematic overview of {\em kleptography}: stealing information subliminally from black-box cryptographic implementations; and {\em cliptography}: defending mechanisms that clip the power of kleptographic attacks via specification re-designs (without altering the underlying algorithms). Despite the laudatory history of...

Self-stabilization refers to the ability of systems to recover after temporal violations of conditions required for their correct operation. Such violations may lead the system to an arbitrary state from which it should automatically recover. Today, beyond recovering functionality, there is a need to recover security and confidentiality guarantees...

Recent attacks exploiting a known vulnerability continue a downward spiral of ransomware-related incidents.

Multiprecision multiplication and squaring are fundamental operations used heavily in fielded public key cryptosystems. The method called product scanning for both multiplication and squaring requires fewer memory accesses than the competing approach called operand scanning. A correctness proof for product scanning loop logic will assure that the m...

Bitcoin seems to be the most successful cryptocurrency so far given the growing real life deployment and popularity. While Bitcoin requires clients to be online to perform transactions and a certain amount of time to verify them, there are many real life scenarios that demand for offline and immediate payments (e.g., mobile ticketing, vending machi...

A secure and distributed framework for the management of patients’ information in emergency and hospitalization services is proposed here in order to seek improvements in efficiency and security in this important area. In particular, confidentiality protection, mutual authentication, and automatic identification of patients are provided. The propos...

Revocation and key evolving paradigms are central issues in cryptography, and in PKI in particular. A novel concern related to these areas was raised in the recent work of Sahai, Seyalioglu, and Waters (CRYPTO 2012) who noticed that revoking past keys should at times (e.g., the scenario of cloud storage) be accompanied by revocation of past ciphert...

This book constitutes the refereed post-conference proceedings of the Second International Conference on Cryptology and Malicious Security, held in Kuala Lumpur, Malaysia, December 1-2, 2016. The 26 revised full papers, two short papers and two keynotes presented were carefully reviewed and selected from 51 submissions. The papers are organized in...

This book constitutes the thoroughly refereed post-conference proceedings of the 12th International Conference on Information Security and Cryptology, Inscrypt 2016, held in Beijing, China, in November 2016. The 32 revised full papers presented were carefully reviewed and selected from 93 submissions. The papers are organized in topical sections on...

Kleptography, introduced 20 years ago by Young and Yung [Crypto ’96], considers the (in)security of malicious implementations (or instantiations) of standard cryptographic primitives that may embed a “backdoor” into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable...

Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into n shares handed out to distinct servers. In threshold signature schemes, a set of at least t + 1 <= n servers is needed to produce a valid digital si...

In standard Secret Sharing (SS) a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any \(t+1\) parties can efficiently recover s. Over a long period of time all parties may be corrupted and the threshold t may be violated, which is accounted for in Proactive Secret Sharing (PS...

We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between th...

In a secret sharing scheme a dealer shares a secret s among n parties such that an adversary corrupting up to t parties does not learn s, while any t+1 parties can efficiently recover s. Over a long period of time all parties may be corrupted thus violating the threshold, which is accounted for in Proactive Secret Sharing (PSS). PSS schemes periodi...