Moti Yung

Google Inc. | Google · New York City

As part of the responses to the ongoing crypto wars, the notion of Anamorphic Encryption was put forth. The notion allows private communication in spite of a dictator who is engaged in an extreme form of surveillance and or censorship, where it asks for all private keys and knows and may even dictate all messages. The original work pointed out effi...

The goal of this research is to raise technical doubts regarding the usefulness of the repeated attempts by governments to curb Cryptography (aka the “Crypto Wars”), and argue that they, in fact, cause more damage than adding effective control. The notion of Anamorphic Encryption was presented in Eurocrypt’22 for a similar aim. There, despite the p...

In this paper, we propose the Midgame Security attack model, where it is assumed that at some point in the middle of computation with a secret key, and after some secure work (typically but not necessarily initial one), the powerful adversary sees the entire internal state and attempts key recovery/forgery. This security model is motivated by a few...

Inference of causal structures from observational data is a key component of causal machine learning; in practice, this data may be incompletely observed. Prior work has demonstrated that adversarial perturbations of completely observed training data may be used to force the learning of inaccurate causal structural models (SCMs). However, when the...

We study encrypted storage schemes where a client outsources data to an untrusted third-party server (such as a cloud storage provider) while maintaining the ability to privately query and dynamically update the data. We focus on encrypted multi-maps (EMMs), a structured encryption (STE) scheme that stores pairs of label and value tuples. EMMs allo...

Additive Manufacturing (AM) is an important up and coming manufacturing technology which creates three-dimensional objects based on digital design files. While these digital files simplify outsourcing, it also raises security concerns of technical data theft by malicious actors. We propose a novel approach for steganographically embedding validity...

“Exposure Notification (EN) Systems” which have been envisioned by a number of academic and industry groups, are useful in aiding health authorities worldwide to fight the COVID-19 pandemic spread via contact tracing. Among these systems, many rely on the BLE based Google-Apple Exposure Notification (GAEN) API (for iPhones and Android systems).We a...

The standard model security of the Fiat-Shamir transform has been an active research area for many years. In breakthrough results, Canetti et al. (STOC’19) and Peikert-Shiehian (Crypto’19) showed that, under the Learning-With-Errors (\(\mathsf {LWE}_{}\)) assumption, it provides soundness by applying correlation-intractable (CI) hash functions to s...

Cryptosystems have been developed over the years under the typical prevalent setting which assumes that the receiver’s key is kept secure from the adversary, and that the choice of the message to be sent is freely performed by the sender and is kept secure from the adversary as well. Under these fundamental and basic operational assumptions, modern...

We examine the security, privacy, and reliability of Google and Apple’s COVID-19 exposure notification technology, using actual case studies and realistic use cases. Our analysis validates the system, providing piece of mind for adopters of contact tracing and potentially boosting transparency.

The setting of our problem is a distributed architecture facing an enormous user set, where events are repeating and evolving over time, and we want to absorb the stream of events into the model: first local model, then absorb it in the global one, and also care about user privacy. Naturally, we learn a phenomenon which happens distributedly in man...

Beacons are small devices which are playing an important role in the Internet of Things (IoT), connecting “things” without IP connection to the Internet via Bluetooth Low Energy (BLE) communication. In this paper we present the first private end-to-end encryption protocol called the Eddystone-Ephemeral-ID (Eddystone-EID) protocol. This protocol ena...

Model accuracy is the traditional metric employed in machine learning (ML) applications. However, privacy, fairness, and robustness guarantees are crucial as ML algorithms increasingly pervade our lives and play central roles in socially important systems. These four desiderata constitute the pillars of Trustworthy ML (TML) and may mutually inhib...

Our context is anonymous encryption schemes hiding their receiver, but in a setting which allows authorities to reveal the receiver when needed. While anonymous Identity-Based Encryption (IBE) is a natural candidate for such fair anonymity (it gives trusted authority access by design), the de facto security standard (a.k.a. IND-ID-CCA) is incompati...

Google and Apple jointly introduced a digital contact tracing technology and an API called "exposure notification," to help health organizations and governments with contact tracing. The technology and its interplay with security and privacy constraints require investigation. In this study, we examine and analyze the security, privacy, and reliabil...

We look at two basic coding theoretic and cryptographic mechanisms developed separately and investigate relationships between them and their implications. The first mechanism is Proactive Secret Sharing (PSS), which allows randomization and repair of shares using information from other shares. PSS enables constructing secure multi-party computation...

Cryptography is the fundamental cornerstone of cybersecurity employed for achieving data confidentiality, integrity, and authenticity. However, when cryptographic protocols are deployed for emerging applications such as cloud services or big data, the demand for security grows beyond these basic requirements. Data nowadays are being extensively sto...

Secret sharing methods are fundamental data representation and distribution techniques that are crucial to securing distributed storage and multi-party computation. Error correcting codes are the fundamental representation mechanism for tolerating and recovering from faults in data: messages and storage. This work looks at variants of both primitiv...

A scheme which is based on splitting a secret among a set of servers (e.g. in a cloud) where a threshold, t, of them is needed for reconstruction, is advantageous in many ways for the mechanism to work regardless of the exact subset (of size at least t) which participates in the reconstruction. The advantages of such threshold-based cryptographic s...

Over the development of modern cryptography, often, alternative cryptographic schemes are developed to achieve goals that in some important respect are orthogonal. Thus, we have to choose either a scheme which achieves the first goal and not the second, or vice versa. This results in two types of schemes that compete with each other. In the basic a...

We consider threshold public-key encryption, where the decryption servers distributively hold the private key shares, and we need a threshold of these servers to decrypt the message (while the system remains secure when less than the threshold is corrupt). We investigate the notion of chosen-ciphertext secure threshold systems which has been histor...

In this chapter we focus on two important security challenges that naturally emerge for large scale systems composed of cheap devices implementing only symmetric cryptographic algorithms. First, we consider threats due to poor or malicious implementations of protocols, which enable data to be leaked from the devices to an adversary. We present solu...

This book constitutes the post-conference proceedings of the 16th International Conference on Information Security and Cryptology, Inscrypt 2020, held in, China, in December 2020. Due the COVID-19, the conference was held online and physical. The 24 full papers presented together with 8 short papers were carefully reviewed and selected from 79 subm...

This book constitutes the post-conference proceedings of the 17th International Conference on Information Security and Cryptology, Inscrypt 2021, in August 2021. Due the COVID-19, the conference was held online The 28 full papers presented were carefully reviewed and selected from 81 submissions. The papers presents papers about research advances i...

This book constitutes the proceedings of the Third International Conference on Science of Cyber Security, SciSec 2021, held in Shanghai, China, in August 2021. The 17 full papers and 5 short papers presented in this volume were carefully reviewed and selected from 50 submissions. These papers cover the following subjects: Cyber Security, Detection,...

This two-volume set LNICST 398 and 399 constitutes the post-conference proceedings of the 17th International Conference on Security and Privacy in Communication Networks, SecureComm 2021, held in September 2021. Due to COVID-19 pandemic the conference was held virtually. The 56 full papers were carefully reviewed and selected from 143 submissions....

This two-volume set LNICST 398 and 399 constitutes the post-conference proceedings of the 17th International Conference on Security and Privacy in Communication Networks, SecureComm 2021, held in September 2021. Due to COVID-19 pandemic the conference was held virtually. The 56 full papers were carefully reviewed and selected from 143 submissions....

Motivated by the currently widespread concern about mass surveillance of encrypted communications, Bellare et al. introduced at CRYPTO 2014 the notion of Algorithm-Substitution Attack (ASA) where the legitimate encryption algorithm is replaced by a subverted one that aims to undetectably exfiltrate the secret key via ciphertexts. Practically implem...

In modern distributed systems, an adversary's limitations when corrupting subsets of a system's components (e.g., servers) may not necessarily be based on threshold constraints, but rather based on other technical or organizational characteristics. This means that the corruption patterns (and thus protection guarantees) are not based on the adversa...

In modern distributed systems, an adversary’s limitations when corrupting subsets of a system’s components (e.g., servers) may not necessarily be based on threshold constraints, but rather based on other technical or organizational characteristics. This means that the corruption patterns (and thus protection guarantees) are based on the adversary b...

The main real impact of the GDPR regulation of the EU should be improving the protection of data concerning physical persons. The sharp GDPR rules have to create a controllable information environment, and to prevent misuse of personal data. The general legal norms of GDPR may, indeed, be regarded as justified and well motivated by the existing thr...

This work is about constructing methods for simultaneously broadcasting multimedia data privately to a set of subscribers, and on various connections among important efficient variants of the general paradigm. Broadcast Encryption is such a fundamental primitive supporting sending a secure message to any chosen target set of N users. While many eff...

Private intersection-sum with cardinality allows two parties, where each party holds a private set and one of the parties additionally holds a private integer value associated with each element in her set, to jointly compute the cardinality of the intersection of the two sets as well as the sum of the associated integer values for all the elements...

We present the work on HADKEG: a protocol for Highly Available Distributed Key Generation. The context is a highly sensitive redundant generation for use and redundant recovery of a set of symmetric cryptography keys. These keys need to be trusted (random) and secure against failures of randomness employment and leakages, and be available via a rec...

In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure. In the case of threshold public-key encryption, at least \(t \le n\) servers need to contribute to the decryption process. A threshold primitive is said robust if no coalition of t malicious...

This book constitutes the post-conference proceedings of the 15th International Conference on Information Security and Cryptology, Inscrypt 2019, held in Nanjing, China, in December 2019. The 23 full papers presented together with 8 short papers and 2 invited papers were carefully reviewed and selected from 94 submissions. The papers cover topics i...

Governments and other bodies stockpile a significant number of zero-day vulnerabilities for offense. But at the same time, they could also have the incentive to help private and commercial organizations patch these vulnerabilities, yet doing so will leak the zero-days, thus removing their offensive capability. This is an offense-defense trade-off....

Volume leakage has recently been identified as a major threat to the security of cryptographic cloud-based data structures by Kellaris \em et al. [CCS'16] (see also the attacks in Grubbs \em et al. [CCS'18] and Lacharité \em et al. [S&P'18]). In this work, we focus on volume-hiding implementations of \em encrypted multi-maps as first considered by...

The papers in this special section identify paradigm shifts in cryptographic engineering. Modern cryptography is almost five decades old, and we have seen some interesting breakthroughs throughout its relatively young history. These include the engineering foundations of symmetric key cryptography and block ciphers in particular (like the DES and t...

In this paper, we study the following “balls in buckets” problem. Suppose there is a sequence B1,B2,…,Bn of buckets having integer sizes s1,s2,…,sn, respectively. For a given target fraction α, 0<α<1, our goal is to sequentially place balls in buckets until at least ⌈αn⌉ buckets are full, so as to minimize the number of balls used, which we shall d...

We study how to construct secure digital signature schemes in the presence of kleptographic attacks. Our work utilizes an offline watchdog to clip the power of subversions via only one-time black-box testing of the implementation. Previous results essentially rely on an online watchdog which requires the collection of all communicating transcripts...

Self-updatable encryption (SUE) is a new kind of public-key encryption, motivated by cloud computing, which enables anyone (i.e. cloud server with no access to private keys) to update a past ciphertext to a future ciphertext by using a public key. The main applications of SUE are revocable-storage attribute-based encryption (RS-ABE) that provides a...

The huge growth of e-shopping has brought convenience to customers and increased revenue to merchants and financial entities. Moreover, e-shopping has evolved to possess many functions, features, and requirements (e.g., regulatory ones). However, customer privacy has been mostly ignored, and while it is easy to add simple privacy to an existing sys...

This book constitutes the proceedings of the Second International Conference on Science of Cyber Security, SciSec 2019, held in Nanjing, China, in August 2019. The 20 full papers and 8 short papers presented in this volume were carefully reviewed and selected from 62 submissions. These papers cover the following subjects: Artificial Intelligence fo...

This book constitutes the post-conference proceedings of the 14th International Conference on Information Security and Cryptology, Inscrypt 2018, held in Fuzhou, China, in December 2018. The 31 full papers presented together with 5 short papers and 1 invited paper were carefully reviewed and selected from 93 submissions. The papers cover topics in...

One option to instantiate Mobile Target Defense (MTD) [27] strategies in distributed storage and computing systems is to design such systems from the ground up using cryptographic techniques such as secret sharing (SS) and secure multiparty computation (MPC). In standard SS a dealer shares a secret s among n parties such that an adversary corruptin...

In this work, we propose a novel framework for privacy-preserving client-distributed machine learning. It is motivated by the desire to achieve differential privacy guarantees in the local model of privacy in a way that satisfies all systems constraints using asynchronous client-server communication and provides attractive model learning properties...

The huge growth of e-shopping has brought convenience to customers, increased revenue to merchants and financial entities and evolved to possess a rich set of functionalities and requirements (e.g., regulatory ones). However, enhancing customer privacy remains to be a challenging problem; while it is easy to create a simple system with privacy, thi...

Recently, a new type of attack called Advanced Persistent Threat (APT) headline the news frequently. Different from other type of attacks, APT often has specific targets given sufficient fund support, and the attack can exist for a long period of time without being discovered. No single current protection approach alone can efficiently defeat APT,...

This book constitutes the thoroughly refereed post-conference proceedings of the 13th International Conference on Information Security and Cryptology, Inscrypt 2017, held in Xi'an, China, in November 2017. The 27 revised full papers presented together with 5 keynote speeches were carefully reviewed and selected from 80 submissions. The papers are...

We warned the public more than 20 years ago that cryptoviral extortion would pose a major threat to users, a threat that has been realized with the advent of Bitcoin but largely neglected until recently. We believe that a reactive mindset along with group conformity are partly to blame for this oversight and, moreover, are negatively impacting secu...

Notable recent security incidents have generated intense interest in adversaries which attempt to subvert---perhaps covertly---crypto\-graphic algorithms. In this paper we develop (IND-CPA) Semantically Secure encryption in this challenging setting. This fundamental encryption primitive has been previously studied in the "kleptographic setting," th...

This tutorial will present a systematic overview of {\em kleptography}: stealing information subliminally from black-box cryptographic implementations; and {\em cliptography}: defending mechanisms that clip the power of kleptographic attacks via specification re-designs (without altering the underlying algorithms). Despite the laudatory history of...

Self-stabilization refers to the ability of systems to recover after temporal violations of conditions required for their correct operation. Such violations may lead the system to an arbitrary state from which it should automatically recover. Today, beyond recovering functionality, there is a need to recover security and confidentiality guarantees...

Recent attacks exploiting a known vulnerability continue a downward spiral of ransomware-related incidents.

Multiprecision multiplication and squaring are fundamental operations used heavily in fielded public key cryptosystems. The method called product scanning for both multiplication and squaring requires fewer memory accesses than the competing approach called operand scanning. A correctness proof for product scanning loop logic will assure that the m...

Bitcoin seems to be the most successful cryptocurrency so far given the growing real life deployment and popularity. While Bitcoin requires clients to be online to perform transactions and a certain amount of time to verify them, there are many real life scenarios that demand for offline and immediate payments (e.g., mobile ticketing, vending machi...

A secure and distributed framework for the management of patients’ information in emergency and hospitalization services is proposed here in order to seek improvements in efficiency and security in this important area. In particular, confidentiality protection, mutual authentication, and automatic identification of patients are provided. The propos...

Revocation and key evolving paradigms are central issues in cryptography, and in PKI in particular. A novel concern related to these areas was raised in the recent work of Sahai, Seyalioglu, and Waters (CRYPTO 2012) who noticed that revoking past keys should at times (e.g., the scenario of cloud storage) be accompanied by revocation of past ciphert...

This book constitutes the refereed post-conference proceedings of the Second International Conference on Cryptology and Malicious Security, held in Kuala Lumpur, Malaysia, December 1-2, 2016. The 26 revised full papers, two short papers and two keynotes presented were carefully reviewed and selected from 51 submissions. The papers are organized in...

This book constitutes the thoroughly refereed post-conference proceedings of the 12th International Conference on Information Security and Cryptology, Inscrypt 2016, held in Beijing, China, in November 2016. The 32 revised full papers presented were carefully reviewed and selected from 93 submissions. The papers are organized in topical sections on...

Kleptography, introduced 20 years ago by Young and Yung [Crypto ’96], considers the (in)security of malicious implementations (or instantiations) of standard cryptographic primitives that may embed a “backdoor” into the system. Remarkably, crippling subliminal attacks are possible even if the subverted cryptosystem produces output indistinguishable...

Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into n shares handed out to distinct servers. In threshold signature schemes, a set of at least t + 1 <= n servers is needed to produce a valid digital si...

In standard Secret Sharing (SS) a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any \(t+1\) parties can efficiently recover s. Over a long period of time all parties may be corrupted and the threshold t may be violated, which is accounted for in Proactive Secret Sharing (PS...

We consider the problem of whether there exist non-trivial constant-round public-coin zero-knowledge (ZK) proofs. To date, in spite of high interest in the problem, there is no definite answer to the question. We focus on the type of ZK proofs that admit a universal simulator (which handles all malicious verifiers), and show a connection between th...

In a secret sharing scheme a dealer shares a secret s among n parties such that an adversary corrupting up to t parties does not learn s, while any t+1 parties can efficiently recover s. Over a long period of time all parties may be corrupted thus violating the threshold, which is accounted for in Proactive Secret Sharing (PSS). PSS schemes periodi...

Digital signatures are perhaps the most important base for authentication and trust relationships in large scale systems. More specifically, various applications of signatures provide privacy and anonymity preserving mechanisms and protocols, and these, in turn, are becoming critical (due to the recently recognized need to protect individuals accor...

Since 1996 we have dedicated research effort on discovering new threats to the computing infrastructure that are the result of combining malicious software (malware) technology with modern cryptography. To the best of our knowledge, this was the first attempt to employ cryptographic methodologies not for defense (e.g., to hide messages, protect the...

The use of Physically Unclonable Functions (PUFs) in cryptographic protocols attracted an increased interest over recent years. Since sound security analysis requires a concise specification of the alleged properties of the PUF, there have been numerous trials to provide formal security models for PUFs. However, all these approaches have been tailo...

E-shopping has grown considerably in the last years, providing customers with convenience, merchants with increased sales, and financial entities with an additional source of income. However, it may also be the source of serious threats to privacy. In this paper, we review the e-shopping process, discussing attacks or threats that have been analyze...

This book constitutes the proceedings of the 10th International Conference on Network and System Security, NSS 2016, held in Taipei, Taiwan, in September 2016. The 31 full and 4 short papers presented in this volume were carefully reviewed and selected from 105 submissions. They were organized in topical sections named: authentication mechanism; c...

This book constitutes the thoroughly refereed post-conference proceedings of the 7th International Conference on Trusted Systems, INTRUST 2015, held in Beijing, China, in December 2015. The revised 12 full papers presented have been carefully reviewed and selected from 29 submissions. They are devoted to all aspects of trusted computing systems, in...

This book constitutes the thoroughly refereed post-conference proceedings of the 11th International Conference on Information Security and Cryptology, Inscrypt 2015, held in Beijing, China in November 2015. The 27 revised full papers presented were carefully reviewed and selected from 79 submissions. The papers are organized in topical sections on...

Structure-preserving signatures (SPS) are signature schemes where messages, signatures and public keys all consist of elements of a group over which a bilinear map is efficiently computable. This property makes them useful in cryptographic protocols as they nicely compose with other algebraic tools (like the celebrated Groth-Sahai proof systems). I...

Quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proofs is a recent paradigm, suggested by Jutla and Roy (Asiacrypt ’13), which is motivated by the Groth-Sahai seminal techniques for efficient non-interactive zero-knowledge (NIZK) proofs. In this paradigm, the common reference string may depend on specific language parameters, a fact that al...

The mission of the 2nd ACM Workshop on Information Sharing and Collaborative Security is to advance the scientific foundations for sharing threat and security-related data among organizations. The call for better information sharing continues to be an important theme in the computer security community and with policy makers. The expectation is that...

Technological innovations in security and privacy are critical to advancing modern computing in our time. I will present an effort involving deployment of experimental commercial applications designed and built as a 'secure multi-party computation protocol for specific tasks,' to be used repetitively to achieve a number of concrete ubiquitous busin...

E-shopping has grown considerably in the last years, providing customers with convenience, merchants with increased sales, and financial entities with an additional source of income. However , it may also be the source of serious threats to privacy. In this paper, we review the e-shopping process, discussing attacks or threats that have been analyz...

We demonstrate a prototype implementation of a provably secure protocol that supports privacy-preserving mutual authentication between a server and a constrained device. Our proposed protocol is based on a physically unclonable function (PUF) and it is optimized for resource-constrained platforms. The reported results include a full protocol analys...

Group signatures are a central cryptographic primitive which allows users to sign messages while hiding their identity within a crowd of group members. In the standard model (without the random oracle idealization), the most efficient constructions rely on the Groth-Sahai proof systems (Eurocrypt’08). The structure-preserving signatures of Abe et a...

The notion of `mobile adversary,' where the opponent can capture parties in a multi-party protocol dynamically, as long as at any given point in time its capturing capability is limited by a bound on number of parties (processors) it can control, has been suggested as an extensions of the traditionally static adversary. The motivation for this adve...

As formalized by Kiltz et al. (ICALP ’05), append-only signatures (AOS) are digital signature schemes where anyone can publicly append extra message blocks to an already signed sequence of messages. This property is useful, e.g., in secure routing, in collecting response lists, reputation lists, or petitions. Bethencourt, Boneh and Waters (NDSS ’07...

Provably secure distance-bounding is a rising subject, yet an unsettled one; indeed, very few distance-bounding protocols, with formal security proofs, have been proposed. In fact, so far only two protocols, namely SKI (by Boureanu et al.) and FO (by Fischlin and Onete), offer all-encompassing security guaranties, i.e., resistance to distance-fraud...