
Mordechai M. "Moti" Yung is an Israeli-American cryptographer and computer scientist with an industrial research career.

Moti Yung
Alma mater: Columbia University
Thesis: Minimum-Knowledge Transfer Protocol (1988)
Doctoral advisor: Zvi Galil


Yung earned his Ph.D. from Columbia University in 1988 under the supervision of Zvi Galil.[1] In the past, he worked at the IBM Thomas J. Watson Research Center, was a vice president and chief scientist at CertCo, was director of Advanced Authentication Research at RSA Laboratories, and was a researcher at Snap Inc.;[2] he is currently a research scientist with Google. In parallel to his work in industry, he has also held adjunct and visiting faculty appointments at Columbia, through which he advised Ph.D. students including Gödel Prize winner Matthew K. Franklin, and Jonathan Katz.

Cryptovirology, kleptography, and the crypto wars


In 1996, Adam L. Young and Yung coined the term cryptovirology to denote the use of cryptography as an attack weapon via computer viruses and other malware, in contrast to its traditional protective role.[3] In particular, they described the first instances of ransomware using public-key cryptography.[4][5]


Young and Yung introduced the notion of kleptography[6] to show how cryptography could be used to attack host cryptosystems: the resulting malicious system, with the cryptologic tool embedded in it, resists reverse-engineering and cannot be detected by interacting with the host cryptosystem.[7][8][9][10][11] This attack, as in ransomware, also uses internal cryptography as an attack tool to break another cryptographic system.

After the Snowden affair, the NIST was believed to have mounted the first kleptographic attack against the American Federal Information Processing Standard detailing the Dual EC DRBG,[12] essentially exploiting the repeated discrete logarithm based "kleptogram" introduced by Young and Yung.[13] In light of Snowden's revelations, Yung has worked on detecting and correcting cryptosystems that were subverted by their implementation.[14][15][16]

The crypto wars

The work on kleptography is an argument against cryptographic systems and devices supplied by an external body as "black boxes", as were the Clipper chip and the Capstone program, which the United States government proposed when it tried to control the use of cryptography in the 1990s, in what is known as the first stage of the Crypto Wars. In 1995, Yair Frankel and Yung implemented and published a direct attack on the Clipper chip, showing that the key escrow device's tracking and authenticating capability (namely, the LEAF) of one device can be attached to messages coming from another device, and the message is actually decrypted by the mechanism, thus bypassing the escrow in real time.[17]

Cryptovirology is also a natural tool of the crypto wars defined broadly.[18] Young and Yung later designed software-only escrow encryption in an attempt to obtain a system with many of the desired properties without tamper-proof hardware, but the inherent third-party access requirement remains a vulnerability nevertheless.[19][20]

Basic cryptographic systems and protocols

Yung has made numerous contributions to several areas in the foundations of basic cryptographic systems and protocols, as well as to areas of applied cryptography and information security. He has also worked on theoretical computer science, and distributed and network algorithms.

Chosen-ciphertext secure encryption and digital signature schemes

Yung has worked with Moni Naor on designing the first public key cryptosystems secure against chosen-ciphertext attack[21] and with Jonathan Katz on chosen-ciphertext security of symmetric encryption schemes via authenticated encryption.[22][23] He has also worked with Naor on the design of the first secure digital signature schemes that are not based on trapdoor functions, employing their basic primitive of universal one-way hash functions for signature schemes.[24]

Secure computation protocols

Yung worked on early robust multi-party secure schemes via the notion of "shares of shares" in the area of secure computation protocols[25] in the 1980s,[26] as well as on the idea of multi-secret (compact/batched secret) sharing.[27] He also worked with Rafail Ostrovsky on the basic notion of a "mobile adversary" in multi-party protocols, and on proactive security, which provides fault tolerance against such adversaries using the underlying technique of proactive secret sharing.[28]

Yung has also worked on zero-knowledge proofs[29][30][31] and commitment schemes: in particular, the notion of interactive hashing for unconditionally hiding commitments from general complexity assumptions[32] and functional commitment.[33]

With various coauthors, Yung has also worked on special goal protocols for secure computing (e.g. set intersection, election, digital cash, auctions), and on threshold cryptosystems[34] and fully homomorphic encryption schemes for logarithmic depth circuits.[35]

Authentication and key exchange in communication networks

Yung's work on basic primitives needed in communication networks includes the first efficient password-based authenticated key exchange protocol shown secure without idealized random oracle model assumptions.[36] His work in the early 1990s with his IBM coauthors dealt with authentication and authenticated key exchange, observing that cryptographic protocols in real networks run concurrently (and with an attack on the suggested ISO protocols of the time), which led to revised modeling of the problem in cryptography.[37]

Zvi Galil, Stuart Haber, and Yung predicted in the mid-1980s that large-scale networks, due to scale limitations, would employ public key technology with server-only public-key certificates and interactive protocols.[38] This idea can be viewed as an "intellectual predecessor" to the way in which the most prevalent version of Transport Layer Security was implemented in the mid-1990s, using interactive protocols employing SSL certificates only in servers.[39]

Regarding authentication factors that users present to systems when they sign into these systems, the traditional factors include "knowledge factors", "ownership factors", and "inherence factors". Yung and his coauthors also studied more factors that are available to users in modern computing environments with richer context (e.g. social relationships).[40]

Information-theoretic cryptography

In the area of information-theoretic security, Yung and his coauthors investigated multicast key pre-distribution systems,[41] perfectly secure message transmission,[42] and multi-user authentication codes.[43] His coding-theory-based work also includes relating Reed–Solomon error correction codes and cryptographic hardness, which led to work on interleaved decoding of the same codes.[44][45]

Cryptographic implementations

Yung coauthored studies on the methodological framework for conducting and analyzing side-channel attacks.[46] He also worked on an early form of remote attestation of software, securing it at run time against the user running the software who may try to subvert the system.[47]

Industrial Research

In addition to his scientific contributions in basic and applied research, Yung has worked on projects in industry such as:

  • IBM's authentication protocols for the IBM Systems Network Architecture;[37][48]
  • CertCo's distributed certification authority (CA);[49]
  • The Greek electronic national lottery, designed with the Research Academic Computer Technology Institute (run by OPAP);[50][51][52]
  • The major cryptographic design ideas behind the universal two factor (U2F) authentication at Google based on the idea of public key technology in a mobile device signing challenges and on the idea of including in the signed message challenger-specific characteristics;[53][54][55]
  • Large scale encryption: Google Ad exchange (Adx)'s multi-purpose authenticated encryption scheme,[56][57] Snap's Account based End-to-End encryption,[58] and Snap's cloud encryption protected against the cloud servers;[59]
  • Snap's approach to distributed learning with differential privacy assurance;[60] and
  • Google's efforts in applied secure multiparty computations employed routinely for concrete industrial solutions.[61][62][63]



  1. Moti Yung at the Mathematics Genealogy Project
  2. Dave, Paresh (March 29, 2016), "New member on Snapchat's cybersecurity team", This week in L.A. tech, Los Angeles Times
  3. Young, A.; M. Yung (1996). Cryptovirology: extortion-based security threats and countermeasures. IEEE Symposium on Security and Privacy. pp. 129–140. doi:10.1109/SECPRI.1996.502676. ISBN 0-8186-7417-2.
  4. Skeptical Experts and Smart Attackers. Feb. 2 2013
  5. Ransomware: The future of extortion By Jibu Elias September 04, 2017
  6. Infosecurity Magazine: The Dark Side of Cryptography: Kleptography in Black-Box Implementations
  7. Young, Adam; Yung, Moti (1996), "The Dark Side of "Black-Box" Cryptography, or: Should We Trust Capstone?", CRYPTO 1996: 89-103, Lecture Notes in Computer Science, 1109, p. 89, doi:10.1007/3-540-68697-5_8, ISBN 978-3-540-61512-5
  8. Young, Adam; Yung, Moti (1997), "Kleptography: Using Cryptography Against Cryptography", EUROCRYPT 1997: 62-74, Lecture Notes in Computer Science, 1233, p. 62, doi:10.1007/3-540-69053-0_6, ISBN 978-3-540-62975-7
  9. Young, Adam; Yung, Moti (1997), "The Prevalence of Kleptographic Attacks on Discrete-Log Based Cryptosystems", CRYPTO 1997: 264-276, Lecture Notes in Computer Science, 1294, p. 264, doi:10.1007/BFb0052241, ISBN 978-3-540-63384-6
  10. Young, Adam; Yung, Moti (1998), "Monkey: Black-Box Symmetric Ciphers Designed for MONopolizing KEYs", FSE 1998: 122-133, Lecture Notes in Computer Science, 1372, p. 122, doi:10.1007/3-540-69710-1_9, ISBN 978-3-540-64265-7
  11. Young, Adam; Yung, Moti (2001), "Bandwidth-Optimal Kleptographic Attacks", CHES 2001: 235-250, Lecture Notes in Computer Science, 2162, p. 235, doi:10.1007/3-540-44709-1_20, ISBN 978-3-540-42521-2
  12. Larry Greenemeier (18 September 2013). "NSA Efforts to Evade Encryption Technology Damaged U.S. Cryptography Standard". Scientific American.
  13. Green, Matt, presentation: From Heartbleed to Juniper and Beyond (PDF)
  14. Alexander Russell, Qiang Tang, Moti Yung, Hong-Sheng Zhou: Cliptography: Clipping the Power of Kleptographic Attacks, Asiacrypt 2016, Springer LNCS
  15. Russell, Alexander; Tang, Qiang; Yung, Moti; Zhou, Hong-Sheng (2017), "Generic Semantic Security against a Kleptographic Adversary", CCS 2017: 907-922, doi:10.1145/3133956.3133993, ISBN 9781450349468
  16. Russell, Alexander; Tang, Qiang; Yung, Moti; Zhou, Hong-Sheng (2018), "Correcting Subverted Random Oracles", CRYPTO (2) 2018: 241-271, Lecture Notes in Computer Science, 10992, pp. 241–271, doi:10.1007/978-3-319-96881-0_9, ISBN 978-3-319-96880-3
  17. Y. Frankel and M. Yung. Escrow Encryption Systems Visited: Attacks, Analysis and Designs. Crypto 95 Proceedings, August 1995
  18. ZDNet: Cyber Wars, book review: High-profile hacks, deconstructed
  19. Adam L. Young, Moti Yung: Auto-Recoverable Auto-Certifiable Cryptosystems. EUROCRYPT 1998: 17-3
  20. The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption
  21. Moni Naor, Moti Yung: Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks. STOC 1990: 427-437, doi:10.1145/100216.100273, ISBN 9780897913614
  22. Jonathan Katz, Moti Yung: Complete characterization of security notions for probabilistic private-key encryption. STOC 2000: 245-254
  23. Jonathan Katz, Moti Yung: Unforgeable Encryption and Chosen Ciphertext Secure Modes of Operation. FSE 2000: 284-299
  24. Moni Naor, Moti Yung: Universal One-Way Hash Functions and their Cryptographic Applications. STOC 1989: 33-43, doi:10.1145/73007.73011, ISBN 9780897913072
  25. R. Cramer, Introduction to Secure Computation
  26. Zvi Galil, Stuart Haber, Moti Yung: Cryptographic Computation: Secure Fault-Tolerant Protocols and the Public-Key Model. CRYPTO 1987: 135-155
  27. Matthew K. Franklin, Moti Yung: Communication Complexity of Secure Computation (Extended Abstract). STOC 1992: 699-710
  28. Rafail Ostrovsky, Moti Yung: How to Withstand Mobile Virus Attacks (Extended Abstract). PODC 1991: 51-59
  29. Russell Impagliazzo, Moti Yung: Direct Minimum-Knowledge Computations. CRYPTO 1987: 40-51
  30. Gilles Brassard, Claude Crépeau, Moti Yung: Constant-Round Perfect Zero-Knowledge Computationally Convincing Protocols. Theor. Comput. Sci. 84(1): 23-52 (1991)
  31. Andrew Chi-Chih Yao, Moti Yung, Yunlei Zhao: Concurrent Knowledge Extraction in Public-Key Models. J. Cryptology 29(1): 156-219 (2016)
  32. Moni Naor, Rafail Ostrovsky, Ramarathnam Venkatesan, Moti Yung: Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology 11(2): 87-108 (1998)
  33. Benoît Libert, Somindu C. Ramanna, Moti Yung: Functional Commitment Schemes: From Polynomial Commitments to Pairing-Based Accumulators from Simple Assumptions. ICALP 2016: 30:1-30:14
  34. Alfredo De Santis, Yvo Desmedt, Yair Frankel, Moti Yung: How to share a function securely. STOC 1994: 522-533
  35. Sander, Tomas; Young, Adam L.; Yung, Moti (1999). Non-Interactive CryptoComputing For NC1. Focs1991. pp. 554–566. doi:10.1109/SFFCS.1999.814630. ISBN 978-0-7695-0409-4.
  36. Jonathan Katz, Rafail Ostrovsky, Moti Yung: Efficient and secure authenticated key exchange using weak passwords. J. ACM 57(1): 3:1-3:39 (2009)
  37. Bird, Inder S. Gopal, Amir Herzberg, Philippe A. Janson, Shay Kutten, Refik Molva, Moti Yung: Systematic Design of Two-Party Authentication Protocols. CRYPTO 1991: 44-61
  38. Zvi Galil, Stuart Haber, Moti Yung: Symmetric Public-Key Encryption. CRYPTO 1985: 128-137
  39. What is an SSL certificate?
  40. John G. Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo, Moti Yung: Fourth-factor authentication: somebody you know. ACM Conference on Computer and Communications Security 2006: 168-178
  41. Carlo Blundo, Alfredo De Santis, Amir Herzberg, Shay Kutten, Ugo Vaccaro, Moti Yung: Perfectly-Secure Key Distribution for Dynamic Conferences. CRYPTO 1992: 471-486
  42. Danny Dolev, Cynthia Dwork, Orli Waarts, Moti Yung: Perfectly Secure Message Transmission. J. ACM 40(1): 17-47 (1993)
  43. Yvo Desmedt, Yair Frankel, Moti Yung: Multi-Receiver/Multi-Sender Network Security: Efficient Authenticated Multicast/Feedback. INFOCOM 1992: 2045-2054
  44. Aggelos Kiayias, Moti Yung: Cryptographic Hardness Based on the Decoding of Reed–Solomon Codes. IEEE Trans. Inf. Theory 54(6): 2752-2769 (2008)
  45. Daniel Bleichenbacher, Aggelos Kiayias, Moti Yung: Decoding interleaved Reed-Solomon codes over noisy channels. Theor. Comput. Sci. 379(3): 348-360 (2007)
  46. François-Xavier Standaert, Tal Malkin, Moti Yung: A Unified Framework for the Analysis of Side-Channel Key Recovery Attacks. EUROCRYPT 2009: 443-461
  47. Mario Baldi, Yoram Ofek, Moti Yung: Idiosyncratic Signatures for Authenticated Execution of Management Code. DSOM 2003: 204-206
  48. IBM Knowledge Center: Session level authentication
  49. Visa and Mastercard have just announced the selection of two companies -- CertCo and Spyrus, 05/20/97
  50. Konstantinou, Elisavet; Liagkou, Vasiliki; Spirakis, Paul; Stamatiou, Yannis C.; Yung, Moti (2004), "Electronic National Lotteries", Financial Cryptography 2004, Springer LNCS 3110, Lecture Notes in Computer Science, 3110, p. 147, doi:10.1007/978-3-540-27809-2_18, ISBN 978-3-540-22420-4
  51. Opap S.A. Corporate presentation 2006
  52. Kino: Draw Process
  53. Patent US 8532620: Trusted mobile device based security, 05/17/11
  54. Patent US 883897B1: User authentication method, 02/28/11
  55. U2F Explained
  56. The advertising Exchange lecture
  57. Patent US9178855B1: Systems and methods for multi-function and multi-purpose cryptography
  58. Catch Me If You Can: An Account Based End-to-end Encryption for 1/1 Snaps
  59. Memories for Your Eyes Only
  60. Pihur, Vasyl; Korolova, Aleksandra; Liu, Frederick; Sankuratripati, Subhash; Yung, Moti; Huang, Dachuan; Zeng, Ruogu (2018), Differentially-Private "Draw and Discard" Machine Learning, arXiv:1807.04369, Bibcode:2018arXiv180704369P
  61. Ray, Indrajit (2015), Moti Yung, From Mental Poker to Core Business: Why and How to Deploy Secure Computation Protocols? ACM Conference on Computer and Communications Security 2015 1-2, CCS '15, pp. 1–2, doi:10.1145/2810103.2812701, ISBN 9781450338325
  62. From Mental Poker to Core Business: How and Why to Deploy Secure Computation Protocols
  63. The Register: Google takes the PIS out of advertising: New algo securely analyzes shared encrypted data sets without leaking contents
  64. IACR Distinguished Lectures, retrieved 2012-03-11
  65. ACM Names Fellows for Computing Advances that Are Transforming Science and Society, archived 2014-07-22 at the Wayback Machine, Association for Computing Machinery, accessed 2013-12-10
  66. Esorics Awards
  67. IACR Moti Yung, IACR Fellow, 2014
  68. SIGSAC Awards
  69. IEEE fellows 2015
  70. EATCS fellows
  71. Moti Yung Received IEEE Computer Society 2018 W. Wallace McDowell Award
