Siddhesh Joshi (Editor)

Moti Yung

Name: Moti Yung

Notable students: Jonathan Katz

Academic advisor: Zvi Galil

Education: Columbia University

Role: Author




Mordechai M. (Moti) Yung is an Israeli-American cryptographer and computer scientist currently employed at Snap Inc.


Yung earned his Ph.D. from Columbia University in 1988 under the supervision of Zvi Galil. In the past, he worked at the IBM Thomas J. Watson Research Center, was a vice president and chief scientist at CertCo, was director of Advanced Authentication Research at RSA Laboratories and worked at Google until early 2016. He has also held adjunct and visiting faculty appointments at Columbia, through which he advised several Ph.D. students, including Gödel Prize winner Matthew K. Franklin and Jonathan Katz.



Scientific and Technical Contributions

Yung's contributions span a broad range of areas, from the theory and foundations of cryptography and related fields, through basic new notions and mechanisms in systems security, to industrial innovations at the frontier of technology advancement and development.

Trust and Novel Attacks:

  • In a 1996 publication with Adam L. Young, Yung coined the term cryptovirology to denote the use of cryptography (as an attack weapon rather than in its traditional protective role) by computer viruses and other malware, and discovered the secure attack (from the attacker's perspective) for kidnapping data known as ransomware. Young and Yung authored the book Malicious Cryptography: Exposing Cryptovirology (John Wiley & Sons, 2004).
  • In 1996 Yung and Young introduced the notion of kleptography to show how to use cryptography to attack host cryptosystems, where the resulting malicious system, with the cryptologic tool embedded in it, resists reverse-engineering. The first such attack against a real system is believed (based on the Snowden affair) to have been mounted by NIST against the American Federal Information Processing Standard detailing the Dual_EC_DRBG, essentially exploiting the repeated discrete logarithm based "kleptogram" introduced in the above-mentioned Crypto 1997 paper by Young and Yung. (Note that an earlier direct approach by NIST to have access to encryption via the Clipper chip during the 1990s Crypto Wars era was shown to have flaws: one confirmed fundamental flaw was described in Yung's earlier work.) Further, in light of Snowden's revelations, making cryptographic designs robust to kleptographic attacks has become an area of investigation.
  • The above notions are fundamental to understanding trust in computing systems, demonstrating that an attack on a system can only be completely understood or reversed by an attacker who is outside the system (i.e., the holder of the private portion of a public key), and cannot be understood or reversed within the acting system itself (a security boundary argument which goes beyond the 'end to end' system security argument demonstrated by the seminal 'Reflections on Trusting Trust' lecture by Ken Thompson).
Basic Research and Foundations:

Yung has contributed extensively with numerous coauthors to the foundations and theory of basic cryptographic systems and protocols, and co-invented notions, constructions, and systems, some of which are very closely related to and influenced the practice of concrete cryptography and secure and private systems.

  • His contributions include innovating the notion of public key cryptosystems secure against chosen-ciphertext attack, which is currently a major requirement for public-key encryption schemes operating on the Internet. Prior to that work it was unclear whether such a security level applies to public key systems; the work suggested a paradigm of 'encrypt twice and show consistency of cleartext under the two ciphertexts' (now called the Naor-Yung paradigm), which was used to achieve non-adaptive chosen-ciphertext security. Other contributions of his in this area include novel symmetric-key based investigations of security notions classifications, and chosen-ciphertext security via Authenticated encryption, as well as showing how to achieve this strong adaptive security notion in various public-key settings and systems.
  • He has worked on the design of various Digital signature schemes and, in particular, contributed to the foundations of signature schemes, where it was shown that a general signature scheme does not need the trapdoor property of the underlying functions; the work introduces (as a central tool) the basic primitive of the Universal one-way hash function. The work is central in understanding practical signature schemes within the Hash-based cryptography framework.
  • In the area of secure computation protocols, his early work presented the first robust multi-party secure scheme via the notion of 'shares of shares', as well as the multi-secret (compact/batched secret) sharing idea.
  • His work further pioneered the basic notion of the 'mobile adversary' in multi-party protocols, with proactive-security fault tolerance against such adversaries. The work invented the basic underlying technique of Proactive secret sharing, which is needed to cope with this strong adversary, and was, perhaps, the first design in the general area now known as Proactive cyber defense. The method allows redundancy of distributed processors to withstand corruption, as long as in well-defined short periods the majority of processors are not corrupted (though over time all processors may get corrupted). This is a substantial extension of the traditional basic notion of Byzantine fault tolerance, where correctness and security are only assured if a majority of processors remain uncorrupted throughout the entire lifetime of the system. The work shows how codes can correct shares (parts of the codeword) and is the first example of storage repair under what came to be known as "regeneration codes".
  • Yung further worked on basic issues in Zero-knowledge proofs and Commitment schemes: in particular, the notion of interactive hashing for unconditionally hiding commitments from general complexity assumptions, and functional commitment.
  • His work dealt heavily with proof techniques of cryptographic ciphers: symmetric key systems, as well as numerous basic and advanced aspects of public key systems and digital signature schemes. His work also covered more involved protocols to perform these basic cryptographic tasks in various more complex and constrained settings: for example, the work that initiated the provable security treatment of the notion called Threshold cryptosystem, where a capability to perform a cryptographic function is shared (rather than sharing a value for one-time reconstruction).
  • Also notable are his early contributions to Homomorphic encryption over any logarithmic depth circuit (an intermediate achievement that took over 20 years since the notion of homomorphic encryption over a set of operations which provides Functional completeness was suggested as an abstract idea).
  • He also contributed to more basic primitives which are directly needed in communication networks, like key agreement and Authentication protocols, as well as to Password-authenticated key agreement protocols, specifically to the first efficient password-based such protocol shown secure without the idealized Random oracle model assumption.
  • Yung's further practice-oriented work predicted early, in the mid 1980s, that large scale networks, due to scale limitations, would employ public key technology with server-only public-key certificates (this idea had been an 'intellectual predecessor' of the way the most prevalent version of Transport Layer Security was implemented in the mid 1990s). Another practice-oriented foundational work which influenced engineering practices was presented in the area of cryptographic hardware design and side-channel analysis against key recovery attacks.
  • In the area of Information-theoretic security Yung's work pioneered investigations of multicast key pre-distribution system, perfectly secure message transmission, and multi-user authentication codes. Also, his Coding theory based work includes relating Reed–Solomon error correction codes and cryptographic hardness, which, in turn, led to interleaving decoding work of the same codes.
  • His work further gave rise to numerous basic new cryptographic ideas in protocols implementing important special tasks like voting schemes, auctions, e-payments/ecash, special privacy preserving protocols, and Traitor tracing systems, which protect against leakage of keys from receivers in a broadcast message environment.
  • In addition, he worked on Algorithm design and analysis, in general, and specifically in the area of Distributed algorithms and Computer networks algorithms, and Fault Tolerance including Self-stabilization.
Industrial Contributions:

In addition to his extensive scientific contributions in basic and applied research, Yung has spent a career in industry working with engineers, developers, business experts, and other scientists, and concurrently contributed over the years to numerous innovative real-world constructions. These have led to practical implementations that were, in turn, deployed as part of actual systems and networks. His industrial contributions have enhanced the security and privacy of business infrastructure, and enabled new concrete applications. These include the following:

  • Authentication and key exchange protocols for improvement of the network security of IBM Systems Network Architecture (in particular, the authentication within IBM LU6.2). This infrastructural work, as part of an IBM Research project, was one of the intellectual predecessors to the cryptographic community's extensive work on cryptographic models for authentication and key exchange, and to works on concurrent sessions in cryptography; it further facilitated IBM's engagement with Internet security design.
  • A joint project between IBM and GTE conducted an early exploration of security of data networks over a cellular phone infrastructure.
  • CertCo's pioneering distributed certification authority. Note that CertCo pioneered an integrated Risk management approach to Information security.
  • The design of the central engine behind the Greek electronic national lottery, run nationwide by OPAP and designed and implemented with a team from the Research Academic Computer Technology Institute. The highly sensitive system employs numerous cryptographic systems and primitives, such as randomness and pseudorandomness extraction (e.g., Pseudorandom generators), commitment schemes, and a signature scheme with Forward secrecy.
  • Yung participated in RSA Inc.'s anti-phishing business expansion efforts and started research on extended authentication factors based on modern computing environments.
  • Yung's work dealt directly with the issue of User authentication and the enhancement of the traditional authentication factors for modern computing environments (in particular, exploiting social relationships). This work is employed in social networks for account recovery purposes, as originally advocated.
  • Inventing, at Google, universal two-factor authentication based on public key technology in a mobile device. This activity started what was followed by numerous efforts in the company, which led to forming the FIDO Alliance. The notion is fundamentally different from earlier one-time password devices, which rely on sharing a secret with a server or a hierarchy of servers (and secrets can be compromised without breaking individual devices); here, in contrast, because devices can now apply public-key cryptographic operations, the entire secret always remains within the device itself.
  • Contributions within Google's privacy efforts group: developments in Data anonymization, and the initiation of Google's user dashboard (allowing users to have transparency and control).
  • Google's (DoubleClick's) Ad Exchange, a pioneering platform for Real Time Bidding and a prototypical deployed system of what is known generically as Ad exchange technology, which powers Display advertising Internet-wide: Yung contributed to the security and encryption aspects important for user privacy, including the heavily used (billions of transactions per day) multi-function multi-purpose encryption method.
  • Google's 'privacy by design' protocols in various areas, like data collection and its dynamic presentation, employing differential privacy, and beacon privacy based on Ephemeral IDs.
  • Snapchat basic security protocols for cloud storage encryption.
  • Notably, his work introduced advanced cryptography which employed, for the first time, privacy preserving analytics done routinely (in and by Google and partners) as part of an established company's daily business, using a system developed with numerous internal collaborators and based on Secure multi-party computation protocol technology (technology initiated as theoretical studies already in the late 1970s with the seminal mental poker research).

Systems Security, Privacy, and Anonymity Research:

Yung worked on software systems security and further characterized the adversary to consider against software systems that are given to users, calling it MATE: the 'Man-at-the-End' attack (which became popular in the software obfuscation community). Yung has contributed to anonymity and privacy as well, working on cryptographic anonymous credentials such as Group signature, as well as group encryption protocols. Yung together with Adam L. Young cryptanalyzed the Reduced-Seat Buses Protocol for anonymous communication. In the same paper they broke multiple anonymous communication protocols, such as Taxis, showing that the crucial property of key-anonymity was missing. They proposed the Drunk Motorcyclists protocol for anonymous communication and proved that it is secure under the Decisional Diffie–Hellman assumption.

Awards

  • In 2010 Moti Yung was the annual Distinguished Lecturer of the International Association for Cryptologic Research at Eurocrypt
  • In 2013 he became a fellow of the Association for Computing Machinery
  • In 2014 he became a fellow of the International Association for Cryptologic Research
  • In 2014 he received the ESORICS (European Symposium on Research in Computer Security) Outstanding Research Award
  • In 2014, as well, he received the ACM's SIGSAC Outstanding Innovation Award
  • In 2015 he became an IEEE fellow
  • In 2017 he became a fellow of the European Association for Theoretical Computer Science