Moti Yung - Academia.edu
Papers by Moti Yung
40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039), 1999
The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model, namely the number of communication rounds in which Alice and Bob need to engage to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial-
Proceedings 38th Annual Symposium on Foundations of Computer Science, 1997
We introduce new efficient techniques for sharing cryptographic functions in a distributed dynamic fashion. These techniques dynamically and securely transform a distributed function (or secret sharing) representation between t-out-of-l (polynomial sharing) and t-out-of-t (additive sharing). We call the techniques poly-to-sum and sum-to-poly, respectively.
[Proceedings] IEEE INFOCOM '92: The Conference on Computer Communications, 1992
We extend the use of traditional point-to-point message authentication to multi-receiver and/or multi-sender scenarios. In this paper we provide efficient cryptographic authentication methods for point-to-multipoint communication, where a single sender can broadcast ( ...
1994 IEEE GLOBECOM. Communications: The Global Bridge, 1994
This paper presents a new design and a performance study for convergence routing in a general network with multiple spanning trees, suggested as a switch-based LAN. In particular, a new algorithm for constructing two edge-disjoint spanning trees of a given network is presented, and the resulting trees are used for convergence routing (a variant of deflection routing with destination convergence
Lecture Notes in Computer Science, 2007
We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of "Computing with Encrypted Data" that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryption of their local inputs. Then in an on-line stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.
Proceedings of the twenty-fourth annual ACM symposium on Theory of computing - STOC '92, 1992
Communication Complexity of Secure Computation (Extended Abstract). Matthew Franklin*. Abstract: A secret-ballot vote for a single proposition is an example of a secure distributed computation. The goal is for n participants ...
DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 1991
Suppose that a weak (polynomial time) device needs to interact over a clear channel with a strong (infinitely-powerful) and untrustworthy adversarial device. Assuming the existence of one-way functions, during this interaction (game) the infinitely-powerful device can encrypt and (computationally) hide information from the weak device. However, to keep the game fair, the weak player must hide information from the infinitely-powerful player in the information-theoretic sense.
Lecture Notes in Computer Science, 1993
... Can Be Based on General Complexity Assumptions (EXTENDED ABSTRACT). Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, Moti Yung. IBM Research Division, Almaden Research Center, San Jose, CA; International Computer Science Institute at Berkeley; and ...
Lecture Notes in Computer Science, 1997
In particular, we employ as a discrete log based kleptogram a basic setup that was presented for the Diffie-Hellman key exchange. We show how it can be embedded in a large number of systems: the ElGamal encryption algorithm, the ElGamal signature algorithm, DSA, the ...
Lecture Notes in Computer Science, 1997
The technology of mobile agents, where software pieces of active control and storage (called mobile agents) travel the network and perform tasks distributively, is of growing interest as an Internet technology. Similarly, smartcard holders can be considered mobile users ...
Lecture Notes in Computer Science, 1997
The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) has been recently introduced. In this paper we extend the study of stealing information securely and subliminally from black-box cryptosystems. The SETUP mechanisms presented here, in contrast with previous ones, leak secret key information without using an explicit subliminal channel. This extends this area of threats, which we call
Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097), 1997
Trojans, viruses and other malware can be categorized as either active or passive in nature. Active viruses (for example) are viruses that perform some outwardly noticeable function. They are typically offensive in nature and cause denial of service attacks or other ...
Symposium on Principles of Distributed Computing, 1991
Rafail Ostrovsky, Moti Yung. Abstract: We initiate a study of a distributed adversarial model of computation in which faults are non-stationary and can move through the network, analogous to the spread of a virus or a worm. We show how local computations (at each processor) and global computations can be made robust using a constant factor resilience and a polynomial factor redundancy in the computation. 1 Introduction. Computer viruses pose one of
Proceedings 1996 IEEE Symposium on Security and Privacy, 1996
Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. In this paper we present the idea of Cryptovirology which employs a twist on cryptography, showing that it can also be used offensively. By being offensive we mean that it can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents. In this...
Lecture Notes in Computer Science, 2008
We present a fast algorithm for finding pairs of backdoor RSA primes (p,q) given a security parameter. Such pairs possess an asymmetric backdoor that gives the designer the exclusive ability to factor n = pq, even when the key generation algorithm is public. Our algorithm uses a pair of twisted curves over GF(2^257) and we present the first incremental search method to generate such primes. The search causes the (1/2) log(n) + O(log(log(n))) least significant bits of n to be modified during key generation after p is selected and before q is determined. However, we show that this is tolerable by using point compression and ECDH. We also present the first rigorous experimental benchmarks of an RSA asymmetric backdoor and show that our OpenSSL-based implementation outperforms OpenSSL RSA key generation. Our application is highly efficient key recovery. Of independent interest, we motivate the need to find large binary twists. We present the twist we generated and how we found it.
Lecture Notes in Computer Science, 1996
Black-box cryptography (i.e., crypto using protected devices) is often used, and is strongly endorsed by the US government, namely in the Clipper and in particular in Capstone escrow technology. Also, software cryptosystems are offered and used where users do not ...
Proceedings of IEEE INFOCOM '96. Conference on Computer Communications, 1996
We consider real-time traffic in a heterogeneous internetworking environment with IP routers, MAC bridges, hubs, switched LANs etc. We assume that the current routing protocols remain unchanged. However in this environment, in order to provide quality of service (QoS): bandwidth, delay, constant-bounded jitter and no-loss due to congestion, we suggest a new flow control function called time-driven priority, which is an internal traffic shaping mechanism. We show how it supports two classes of connections: constant bit rate (CBR) with deterministic guarantees, and variable bit rate (VBR) with statistical multiplexing. The mechanism does not require identifying and separating the packet flows of different real-time sessions/connections inside the network. As a result, it achieves lower switching complexity when compared with other internal traffic shaping methods. As consequences of the time-driven priority mechanism we further achieve: (1) QoS parameters which are independent of the connection bandwidth, (2) QoS parameters which are independent of the existing heterogeneous internetworking asynchronous data traffic and (3) the capability for policing and securing the network QoS
Lecture Notes in Computer Science, 2004
There has been a lot of recent work in the area of proving in zero-knowledge that an RSA modulus N is in the correct form. For example, protocols have been given that prove that N is the product of: two safe primes, two primes nearly equal in size, etc. Such proof systems are rather remarkable in what they achieve, but
Lecture Notes in Computer Science, 2006
Deliberate injection of faults into cryptographic devices is an effective cryptanalysis technique against symmetric and asymmetric encryption algorithms. To protect cryptographic implementations (e.g. of the recent AES which will be our running example) against these attacks, a number of innovative countermeasures have been proposed, usually based on the use of space and time redundancies (e.g. error detection/correction techniques, repeated computations). In this paper, we take the next natural step in engineering studies where alternative methods exist, namely, we take a comparative perspective. For this purpose, we use unified security and efficiency metrics to evaluate various recent protections against fault attacks. The comparative study reveals security weaknesses in some of the countermeasures (e.g. intentional malicious fault injections that are unrealistically modelled). The study also demonstrates that, if fair performance evaluations are performed, many countermeasures are not better than the naive solutions, namely duplication or repetition. We finally suggest certain design improvements for some countermeasures, and further discuss security/efficiency tradeoffs.
Proceedings of the ninth annual ACM symposium on Principles of distributed computing - PODC '90, 1990
A high-speed network is a new environment motivated by recent advances in transmission technology. The high-speed environment requires that the network node operate (fast) based solely on local information (at least most of the time). This fact implies properties that are much different from those existing in current architectures and algorithms for traditional large-area networks. The new environment poses new