I am a faculty member in the School of Computer Science at the Interdisciplinary Center Herzliya.
My research focuses on employing ideas and techniques from theoretical cryptography to design secure systems in the "real world". I'm also interested the foundations of cryptography and the theory of cryptography in general.
A great example of where theoretical cryptography can help in the real world is the development of cryptographic protocols for "end-to-end verifiable", secure elections. In an "end-to-end verifiable" election, voters can be certain that their votes were correctly tabulated even if they don't trust the computers used to run the election! At the same time, a voter cannot prove to anyone else how they voted, making coercion and vote-buying more difficult.
Publications
- Yevgeniy Dodis, Abhishek Jain, Tal Moran and Daniel Wichs
Counterexamples to Hardness Amplification Beyond Negligible
2012 [BibTex][Abstract]
@INPROCEEDINGS{DJMW12-hardness-amplification,
author = {Yevgeniy Dodis and Abhishek Jain and Tal Moran and Daniel Wichs},
title = {Counterexamples to Hardness Amplification Beyond Negligible},
booktitle = {TCC 2012},
pages = {476--493},
series = {Lecture Notes in Computer Science},
volume = {7194},
year = {2012},
publisher = {Springer},
isbn = {978-3-642-28914-9},
}If we have a problem that is mildly hard, can we create a problem that is significantly harder? A natural approach to hardness amplification is the “direct product”; instead of asking an attacker to solve a single instance of a problem, we ask the attacker to solve several independently generated ones. Interestingly, proving that the direct product amplifies hardness is often highly non-trivial, and in some cases may be false. For example, it is known that the direct product (i.e. “parallel repetition”) of general interactive games may not amplify hardness at all. On the other hand, positive results show that the direct product does amplify hardness for many basic primitives such as one-way functions/relations, weakly-verifiable puzzles, and signatures.
Even when positive direct product theorems are shown to hold for some primitive, the parameters are surprisingly weaker than what we may have expected. For example, if we start with a weak one-way function that no poly-time attacker can break with probability $> \frac{1}{2}$, then the direct product provably amplifies hardness to some negligible probability. Naturally, we would expect that we can amplify hardness exponentially, all the way to $2^{-n}$ probability, or at least to some fixed/known negligible such as $n^{-\log n}$ in the security parameter $n$, just by taking sufficiently many instances of the weak primitive. Although it is known that such parameters cannot be proven via black-box reductions, they may seem like reasonable conjectures, and, to the best of our knowledge, are widely believed to hold. In fact, a conjecture along these lines was introduced in a survey of Goldreich, Nisan and Wigderson (ECCC '95). In this work, we show that such conjectures are false by providing simple but surprising counterexamples. In particular, we construct weakly secure signatures and one-way functions, for which standard hardness amplification results are known to hold, but for which hardness does not amplify beyond just negligible. That is, for any negligible function $\epsilon(n)$, we instantiate these primitives so that the direct product can always be broken with probability $\epsilon(n)$, no matter how many copies we take.
- Mohammad Mahmoody, Tal Moran and Salil Vadhan
Time-Lock Puzzles in the Random Oracle Model
2011 [BibTex][Abstract]
@INPROCEEDINGS{MMV11-timelock,
author = {Mohammad Mahmoody and Tal Moran and Salil Vadhan},
title = {Time-Lock Puzzles in the Random Oracle Model},
booktitle = {CRYTPO 2011},
pages = {39--50},
series = {Lecture Notes in Computer Science},
volume = {6841},
year = {2011},
publisher = {Springer-Verlag},
}A time-lock puzzle is a mechanism for sending messages “to the future”. The sender publishes a puzzle whose solution is the message to be sent, thus hiding it until enough time has elapsed for the puzzle to be solved. For time-lock puzzles to be useful, generating a puzzle should take less time than solving it. Since adversaries may have access to many more computers than honest solvers, massively parallel solvers should not be able to produce a solution much faster than serial ones.
To date, we know of only one mechanism that is believed to satisfy these properties: the one proposed by Rivest, Shamir and Wagner (1996), who originally introduced the notion of time-lock puzzles. Their puzzle is based on the serial nature of exponentiation and the hardness of factoring, and is therefore vulnerable to advances in factoring techniques (as well as to quantum attacks).
In this work, we study the possibility of constructing time-lock puzzles in the random-oracle model. Our main result is negative, ruling out time-lock puzzles that require more parallel time to solve than the total work required to generate a puzzle. In particular, this rules out black-box constructions of such time-lock puzzles from one-way permutations and collision-resistant hash-functions. On the positive side, we construct a time-lock puzzle with a linear gap in parallel time: a new puzzle can be generated with one round of $n$ parallel queries to the random oracle, but $n$ rounds of serial queries are required to solve it (even for massively parallel adversaries).
- John Kelsey, Andrew Regenscheid, Tal Moran and David Chaum
Attacking Paper-Based E2E Voting Systems
2010 [BibTex][Abstract]
@INPROCEEDINGS{KRMC10-attackvote,
author = {John Kelsey and Andrew Regenscheid and Tal Moran and David Chaum},
title = {Attacking Paper-Based E2E Voting Systems},
booktitle = {Towards Trustworthy Elections},
pages = {370--387},
series = {Lecture Notes in Computer Science},
volume = {6000},
year = {2010},
publisher = {Springer},
isbn = {978-3-642-12979-7},
}In this paper, we develop methods for constructing vote-buying/coercion attacks on end-to-end voting systems, and describe vote-buying/coercion attacks on three proposed end-to-end voting systems: Punchscan, Prêt-à-voter and ThreeBallot. We also demonstrate a different attack on Punchscan, which could permit corrupt election officials to change votes without detection in some cases. Additionally, we consider some generic attacks on end-to-end voting systems.
- Tal Moran and Tyler Moore
The Phish-Market Protocol: Secure Sharing Between Competitors
2010 (A version of this article aimed at a more technical audience was previously published in FC 2010.) [BibTex][Abstract]
@ARTICLE{MM10b-phishmarket,
author = {Tal Moran and Tyler Moore},
title = {The Phish-Market Protocol: Secure Sharing Between Competitors},
pages = {40--45},
volume = {8},
number = {4},
year = {2010},
month = July--August,
note = {A version of this article aimed at a more technical audience was previously published in FC 2010.},
journal = {IEEE Security \& Privacy},
doi = {10.1109/MSP.2010.138},
}The Phish-Market protocol encourages take-down companies to share information about malicious websites by compensating them for this data without revealing sensitive information to their competitors. Cryptography lets contributing firms verify payment amounts without learning which offered website URLs were “purchased.”
- Tal Moran and Moni Naor
Split-Ballot Voting: Everlasting Privacy With Distributed Trust
2010 [BibTex][Abstract]
@ARTICLE{MN10-split-ballot,
author = {Tal Moran and Moni Naor},
title = {Split-Ballot Voting: Everlasting Privacy With Distributed Trust},
pages = {16:1--16:43},
volume = {13},
year = {2010},
month = {March},
publisher = {ACM},
journal = {ACM Transactions on Information and System Security},
doi = {http://doi.acm.org/10.1145/1698750.1698756},
}In this paper we propose a new voting protocol with desirable security properties. The voting stage of the protocol can be performed by humans without computers; it provides every voter with the means to verify that all the votes were counted correctly (universal verifiability) while preserving ballot secrecy. The protocol has “everlasting privacy”: even a computationally unbounded adversary gains no information about specific votes from observing the protocol's output. Unlike previous protocols with these properties, this protocol distributes trust between two authorities: a single corrupt authority will not cause voter privacy to be breached. Finally, the protocol is receipt-free: a voter cannot prove how she voted even she wants to do so. We formally prove the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions.
[Preliminary version appeared in 2007 | BibTex]
@INPROCEEDINGS{MN07-split-ballot,
author = {Tal Moran and Moni Naor},
title = {Split-Ballot Voting: Everlasting Privacy With Distributed Trust},
booktitle = {CCS 2007},
pages = {246--255},
year = {2007},
month = October,
publisher = {ACM},
isbn = {978-1-59593-703-2},
} - Tal Moran and Moni Naor
Basing Cryptographic Protocols on Tamper-Evident Seals
2010 [BibTex][Abstract]
@ARTICLE{MN10-tamper-evident-full,
author = {Tal Moran and Moni Naor},
title = {Basing Cryptographic Protocols on Tamper-Evident Seals},
pages = {1283--1310},
volume = {411},
year = {2010},
month = {March},
publisher = {Elsevier Science Publishers Ltd.},
journal = {Theoretical Computer Science},
doi = {10.1016/j.tcs.2009.10.023},
}In this paper we attempt to formally study two very intuitive physical models: sealed envelopes and locked boxes, often used as illustrations for common cryptographic operations. We relax the security properties usually required from locked boxes (such as in bit-commitment protocols) and require only that a broken lock or torn envelope be identifiable to the original sender. Unlike the completely impregnable locked box, this functionality may be achievable in real life, where containers having this property are called “tamper-evident seals”. Another physical object with this property is the “scratch-off card”, often used in lottery tickets. We consider three variations of tamper-evident seals, and show that under some conditions they can be used to implement oblivious transfer, bit-commitment and coin flipping. We also show a separation between the three models. Of particular interest, we give a strongly-fair coin flipping protocol with bias bounded by $O(1/r)$ (where r is the number of rounds), beating the best known bias in the standard model even with cryptographic assumptions.
[Preliminary version appeared in 2005 | BibTex]
@INPROCEEDINGS{MN05-tamper-evident,
author = {Tal Moran and Moni Naor},
title = {Basing Cryptographic Protocols on Tamper-Evident Seals},
editor = {L. Caires et al.},
booktitle = {ICALP 2005},
pages = {285--297},
series = {Lecture Notes in Computer Science},
volume = {3580},
year = {2005},
month = Jul,
publisher = {Springer-Verlag},
} - Dov Gordon, Yuval Ishai, Tal Moran, Rafail Ostrovsky and Amit Sahai
On Complete Primitives for Fairness
2010 [BibTex][Abstract]
@INPROCEEDINGS{GIMOS10-fairness,
author = {Dov Gordon and Yuval Ishai and Tal Moran and Rafail Ostrovsky and Amit Sahai},
title = {On Complete Primitives for Fairness},
editor = {Daniele Micciancio},
booktitle = {TCC 2010},
pages = {91--108},
series = {Lecture Notes in Computer Science},
volume = {5978},
year = {2010},
month = February,
publisher = {Springer Berlin / Heidelberg},
}For secure two-party and multi-party computation with abort, classification of which primitives are complete has been extensively studied in the literature. However, for fair secure computation, where (roughly speaking) either all parties learn the output or none do, the question of complete primitives has remained largely unstudied. In this work, we initiate a rigorous study of completeness for primitives that allow fair computation. We show the following results:
- No “short” primitive is complete for fairness. In surprising contrast to other notions of security for secure two-party computation, we show that for fair secure two-party computation, no primitive of size $O(\log k)$ is complete, where $k$ is a security parameter. This is the case even if we can enforce parallelism in calls to the primitives (i.e., the adversary does not get output from any primitive in a parallel call until it sends input to all of them). This negative result holds regardless of any computational assumptions.
- Coin Flipping and Simultaneous Broadcast are not complete for fairness. The above result rules out the completeness of two natural candidates: coin flipping (for any number of coins) and simultaneous broadcast (for messages of arbitrary length).
- A fairness hierarchy. We clarify the fairness landscape further by exhibiting the existence of a “fairness hierarchy”. We show that for every “short” $\ell = O(\log k)$, no protocol making (serial) access to any $\ell$-bit primitive can be used to construct even a $(\ell+1)$-bit simultaneous broadcast.
- Positive results. To complement the negative results, we exhibit a $k$-bit primitive that is complete for two-party fair secure computation. This primitive implements a “fair reconstruction” procedure for a secret sharing scheme with some robustness properties. We show how to generalize this result to the multi-party setting.
- Fairness combiners. We also introduce the question of constructing a protocol for fair secure computation from primitives that may be faulty. We show a simple functionality that is complete for two-party fair computation when the majority of its instances are honest. On the flip side, we show that this result is tight: no functionality is complete for fairness if half (or more) of the instances can be malicious.
- Tal Moran and Tyler Moore
The Phish Market Protocol: Securely Sharing Attack Data Between Competitors
2010 [BibTex][Abstract]
@INPROCEEDINGS{MM10-phishing,
author = {Tal Moran and Tyler Moore},
title = {The Phish Market Protocol: Securely Sharing Attack Data Between Competitors},
editor = {Radu Sion},
booktitle = {FC 2010},
pages = {222--237},
series = {Lecture Notes in Computer Science},
volume = {6052},
year = {2010},
month = January,
}A key way in which banks mitigate the effects of phishing is to remove fraudulent websites or suspend abusive domain names. This `take-down' is often subcontracted to specialist firms. Prior work has shown that these take-down companies refuse to share `feeds' of phishing website URLs with each other, and consequently, many phishing websites are not removed because the firm with the take-down contract remains unaware of their existence. The take-down companies are reticent to exchange feeds, fearing that competitors with less comprehensive lists might `free-ride' off their efforts by not investing resources to find new websites, as well as use the feeds to poach clients. In this paper, we propose the Phish Market protocol, which enables companies with less comprehensive feeds to learn about websites impersonating their own clients that are held by other firms. The protocol is designed so that the contributing firm is compensated only for those websites affecting its competitor's clients and only those previously unknown to the receiving firm. Crucially, the protocol does not reveal to the contributing firm which URLs are needed by the receiver, as this is viewed as sensitive information by take-down firms. Using complete lists of phishing URLs obtained from two large take-down companies, our elliptic-curve-based implementation added a negligible average 5 second delay to securely share URLs.
- Josh Benaloh, Tal Moran, Lee Naish, Kim Ramchen and Vanessa Teague
Shuffle-Sum: Coercion-Resistant Verifiable Tallying for STV Voting
2009 [BibTex][Abstract]
@ARTICLE{BMNRT09-shuffle-sum,
author = {Josh Benaloh and Tal Moran and Lee Naish and Kim Ramchen and Vanessa Teague},
title = {Shuffle-Sum: Coercion-Resistant Verifiable Tallying for STV Voting},
pages = {685--698},
volume = {4},
number = {4},
year = {2009},
month = December,
journal = {IEEE Transactions on Information Forensics and Security},
doi = {10.1109/TIFS.2009.2033757},
}There are many advantages to voting schemes in which voters rank all candidates in order, rather than just choosing their favourite. However, these schemes inherently suffer from a coercion problem when there are many candidates, because a coercer can demand a certain permutation from a voter and then check whether that permutation appears during tallying. Recently developed cryptographic voting protocols allow anyone to audit an election (universal verifiability), but existing systems are either not applicable to ranked voting at all, or reveal enough information about the ballots to make voter coercion possible. We solve this problem for the popular single transferable vote (STV) ranked voting system, by constructing an algorithm for the verifiable tallying of encrypted votes. Our construction improves upon existing work because it extends to multiple-seat STV and reveals less information than other schemes. The protocol is based on verifiable shuffling of homomorphic encryptions, a well-studied primitive in the voting arena. Our protocol is efficient enough to be practical, even for a large election.
- Tal Moran, Moni Naor and Gil Segev
An Optimally Fair Coin Toss
2009 [BibTex][Abstract]
@INPROCEEDINGS{MNS09-coinflip,
author = {Tal Moran and Moni Naor and Gil Segev},
title = {An Optimally Fair Coin Toss},
booktitle = {TCC 2009},
pages = {1--18},
series = {Lecture Notes in Computer Science},
volume = {5444},
year = {2009},
month = March,
publisher = {Springer},
}We address one of the foundational problems in cryptography: the bias of coin-flipping protocols. Coin-flipping protocols allow mutually distrustful parties to generate a common unbiased random bit, guaranteeing that even if one of the parties is malicious, it cannot significantly bias the output of the honest party. A classical result by Cleve [STOC '86] showed that for any two-party $r$-round coin-flipping protocol there exists an efficient adversary that can bias the output of the honest party by $\Omega(1/r)$. However, the best previously known protocol only guarantees $O(1/\sqrt{r})$ bias, and the question of whether Cleve's bound is tight has remained open for more than twenty years. In this paper we establish the optimal trade-off between the round complexity and the bias of two-party coin-flipping protocols. Under standard assumptions (the existence of oblivious transfer), we show that Cleve's lower bound is tight: we construct an $r$-round protocol with bias $O(1/r)$.
- Tal Moran, Moni Naor and Gil Segev
Deterministic History-Independent Strategies for Storing Information on Write-Once Memories
2009 [BibTex][Abstract]
@ARTICLE{MNS09-history-full,
author = {Tal Moran and Moni Naor and Gil Segev},
title = {Deterministic History-Independent Strategies for Storing Information on Write-Once Memories},
pages = {43--67},
volume = {5},
number = {1},
year = {2009},
publisher = {Theory of Computing},
url = {http://www.theoryofcomputing.org/articles/v005a002},
journal = {Theory of Computing},
doi = {10.4086/toc.2009.v005a002},
}Motivated by the challenging task of designing “secure” vote storage mechanisms, we deal with information storage mechanisms that operate in extremely hostile environments. In such environments, the majority of existing techniques for information storage and for security are susceptible to powerful adversarial attacks. In this setting, we propose a mechanism for storing a set of at most K elements from a large universe of size N on write-once memories in a manner that does not reveal the insertion order of the elements. We consider a standard model for write-once memories, in which the memory is initialized to the all 0's state, and the only operation allowed is flipping bits from 0 to 1. Whereas previously known constructions were either inefficient (required $\Theta(K^2)$ memory), randomized, or employed cryptographic techniques which are unlikely to be available in hostile environments, we eliminate each of these undesirable properties. The total amount of memory used by the mechanism is linear in the number of stored elements and poly-logarithmic in the size of the universe of elements. In addition, we consider one of the classical distributed computing problems: conflict resolution in multiple-access channels. By establishing a tight connection with the basic building block of our mechanism, we construct the first deterministic and non-adaptive conflict resolution algorithm whose running time is optimal up to poly-logarithmic factors.
[Preliminary version appeared in 2007 | BibTex]
@INPROCEEDINGS{MNS07-history,
author = {Tal Moran and Moni Naor and Gil Segev},
title = {Deterministic History-Independent Strategies for Storing Information on Write-Once Memories},
booktitle = {ICALP 2007},
series = {Lecture Notes in Computer Science},
volume = {4596},
year = {2007},
month = July,
publisher = {Springer},
isbn = {987-5-540-73419-2},
} - Tal Moran, Ronen Shaltiel and Amnon Ta-Shma
Non-interactive Timestamping in the Bounded Storage Model
2009 [BibTex][Abstract]
@ARTICLE{MST09-timestamping-full,
author = {Tal Moran and Ronen Shaltiel and Amnon Ta-Shma},
title = {Non-interactive Timestamping in the Bounded Storage Model},
pages = {189--226},
volume = {22},
number = {2},
year = {2009},
journal = {J. Cryptology},
doi = {10.1007/s00145-008-9035-9},
}A timestamping scheme is a mechanism allowing one party, the “stamper”, to prove that it knew of a certain document at some earlier time. We say that such a scheme is passive if a stamper can stamp a document without communicating with any other player. The only communication performed is at validation time. Passive timestamping has many advantages, such as information theoretic privacy and enhanced robustness. Passive timestamping, however, is not possible against polynomial time adversaries that have unbounded (but polynomial) storage at their disposal. As a result, no passive timestamping schemes were constructed up to date. We show that passive timestamping is possible in the Bounded Storage Model. I.e., where there is an upper bound on the amount of storage that the adversary has and all players have access to a long random string. To the best of our knowledge, this is the first example of a cryptographic task that is possible in the bounded storage model, but is impossible in the “standard cryptographic setting”, even assuming cryptographic assumptions. We give an explicit construction that is secure against all bounded storage adversaries, and a significantly more efficient construction secure against all bounded storage adversaries that run in polynomial time.
[Preliminary version appeared in 2004 | BibTex]
@INPROCEEDINGS{MST04-timestamping,
author = {Tal Moran and Ronen Shaltiel and Amnon Ta-Shma},
title = {Non-interactive Timestamping in the Bounded Storage Model.},
editor = {Matthew K. Franklin},
booktitle = {CRYPTO 2004},
pages = {460--476},
series = {Lecture Notes in Computer Science},
volume = {3152},
year = {2004},
publisher = {Springer},
} - Tal Moran and Gil Segev
David and Goliath Commitments: UC Computation for Asymmetric Parties Using Tamper-Proof Hardware
2008 [BibTex][Abstract]
@INPROCEEDINGS{MS08-david-and-goliath,
author = {Tal Moran and Gil Segev},
title = {David and Goliath Commitments: UC Computation for Asymmetric Parties Using Tamper-Proof Hardware},
booktitle = {Eurocrypt 2008},
pages = {527--544},
series = {Lecture Notes in Computer Science},
volume = {4965},
year = {2008},
month = April,
publisher = {Springer},
isbn = {978-3-540-78966-6},
}Designing secure protocols in the Universal Composability (UC) framework confers many advantages. In particular, it allows the protocols to be securely used as building blocks in more complex protocols, and assists in understanding their security properties. Unfortunately, most existing models in which universally composable computation is possible (for useful functionalities) require a trusted setup stage. Recently, Katz [Eurocrypt '07] proposed an alternative to the trusted setup assumption: tamper-proof hardware. Instead of trusting a third party to correctly generate the setup information, each party can create its own hardware tokens, which it sends to the other parties. Each party is only required to trust that its own tokens are tamper-proof. Katz designed a UC commitment protocol that requires both parties to generate hardware tokens. In addition, his protocol relies on a specific number-theoretic assumption. In this paper, we construct UC commitment protocols for “David” and “Goliath”: we only require a single party (Goliath) to be capable of generating tokens. We construct a version of the protocol that is secure for computationally unbounded parties, and a more efficient version that makes computational assumptions only about David (we require only the existence of a one-way function). Our protocols are simple enough to be performed by hand on David's side. These properties may allow such protocols to be used in situations which are inherently asymmetric in real-life, especially those involving individuals versus large organizations. Classic examples include voting protocols (voters versus “the government”) and protocols involving private medical data (patients versus insurance-agencies or hospitals).
- Tal Moran and Moni Naor
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy
2006 [BibTex][Abstract]
@INPROCEEDINGS{MN06-voting,
author = {Tal Moran and Moni Naor},
title = {Receipt-Free Universally-Verifiable Voting With Everlasting Privacy},
editor = {Cynthia Dwork},
booktitle = {CRYPTO 2006},
pages = {373--392},
series = {Lecture Notes in Computer Science},
volume = {4117},
year = {2006},
month = September,
publisher = {Springer},
isbn = {3-540-37432-9},
}We present the first universally verifiable voting scheme that can be based on a general assumption (existence of a non-interactive commitment scheme). Our scheme is also the first receipt-free scheme to give “everlasting privacy” for votes: even a computationally unbounded party does not gain any information about individual votes (other than what can be inferred from the final tally). Our voting protocols are designed to be used in a “traditional” setting, in which voters cast their ballots in a private polling booth (which we model as an untappable channel between the voter and the tallying authority). Following in the footsteps of Chaum and Neff, our protocol ensures that the integrity of an election cannot be compromised even if the computers running it are all corrupt (although ballot secrecy may be violated in this case). We give a generic voting protocol which we prove to be secure in the Universal Composability model, given that the underlying commitment is universally composable. We also propose a concrete implementation, based on the hardness of discrete log, that is more efficient.
- Tal Moran and Moni Naor
Polling with Physical Envelopes: A Rigorous Analysis of a Human-Centric Protocol
2006 [BibTex][Abstract]
@INPROCEEDINGS{MN06-crrt,
author = {Tal Moran and Moni Naor},
title = {Polling with Physical Envelopes: A Rigorous Analysis of a Human-Centric Protocol},
editor = {Serge Vaudenay},
booktitle = {Eurocrypt 2006},
pages = {88--108},
series = {Lecture Notes in Computer Science},
volume = {4004},
year = {2006},
month = May,
publisher = {Springer-Verlag},
}We propose simple, realistic protocols for polling that allow the responder to plausibly repudiate his response, while at the same time allow accurate statistical analysis of poll results. The protocols use simple physical objects (envelopes or scratch-off cards) and can be performed without the aid of computers. One of the main innovations of this work is the use of techniques from theoretical cryptography to rigorously prove the security of a realistic, physical protocol. We show that, given a few properties of physical envelopes, the protocols are unconditionally secure in the universal composability framework.
The Qilin Project
As part of the effort to bridge the gap between theory and practice, I've started the Qilin project: an open-source SDK for rapid prototyping of cryptographic protocols. You can read more about it (as well as browse the source repository and download the latest version of the library) on the Qilin homepage.
Previous (Academic) Lives
I did my Phd at The Weizmann Institute of Science under the supervision of Moni Naor. My PhD thesis was concerned with methods for designing and analyzing cryptographic schemes that take into account the differences between humans and computers, such as the end-to-end-verifiable voting example mentioned above. Another example is a protocol for polling sensitive questions that maintain privacy for the responder using physical envelopes or scratch-off cards.
My undergraduate and master's were completed at Tel-Aviv University under Prof. Muli Safra.
Miscellanea
- A tool for visualizing the Fourier-Walsh transforms of arbitrary Boolean functions.
- A great example of "human cryptogaphy" (i.e., cryptographic protocols that can be performed with materials in every kitchen) is this puzzle, due to Naor, Naor and Reingold, and published in the highly respected Journal of Craptology.