Message Transmission with Reverse Firewalls - Secure Communication on Corrupted Machines

Suppose Alice wishes to send a message to Bob privately over an untrusted channel. Cryptographers have developed a whole suite of tools to accomplish this task, with a wide variety of notions of security, setup assumptions, and running times. However, almost all prior work on this topic made a seemingly innocent assumption: that Alice has access to a trusted computer with a proper implementation of the protocol. The Snowden revelations show us that, in fact, powerful adversaries can and will corrupt users' machines in order to compromise their security. And presumably accidental vulnerabilities are regularly found in popular cryptographic software, showing that users cannot even trust implementations that were created honestly. This leads to the following seemingly absurd question: "Can Alice securely send a message to Bob even if she cannot trust her own computer?!" Bellare, Paterson, and Rogaway recently studied this question. They show a strong impossibility result that in particular rules out even semantically secure public-key encryption in their model. However, Mironov and Stephens-Davidowitz recently introduced a new framework for solving such problems: reverse firewalls. A secure reverse firewall is a third party that "sits between Alice and the outside world" and modifies her sent and received messages so that even if her machine has been corrupted, Alice's security is still guaranteed. We show how to use reverse firewalls to sidestep the impossibility result of Bellare et al., and we achieve strong security guarantees in this extreme setting. Indeed, we find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall, i.e., CCA-secure message transmission on a possibly compromised machine!
Surprisingly, this protocol is quite efficient and simple, requiring only four rounds and a small constant number of public-key operations for each party. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.
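To make the "third party that modifies her sent messages" idea concrete, here is an added toy illustration that is not code from the paper: a reverse firewall that re-randomizes ElGamal ciphertexts leaving Alice's machine, in the spirit of the Mironov and Stephens-Davidowitz framework rather than the four-round protocol the abstract describes. The group parameters, the fixed-randomness "corrupted" encryptor and all function names are constructed for this demo.

```python
# Added toy model (not the paper's protocol): a reverse firewall that
# re-randomizes ElGamal ciphertexts leaving Alice's possibly corrupted machine.
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group: P = 2Q + 1, G has prime order Q

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)

def encrypt(pk, m, r):
    # Plain ElGamal on a subgroup element m; r is passed in explicitly so a
    # corrupted implementation can be modelled purely by how it chooses r.
    return pow(G, r, P), (m * pow(pk, r, P)) % P

def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c2 * c1^(-sk) by Fermat

def corrupted_encrypt(pk, m):
    # Subverted encryptor on Alice's machine: it reuses one fixed "random"
    # value, so equal messages give equal, linkable ciphertexts.
    return encrypt(pk, m, 117)

def firewall(pk, ct, s=None):
    # Reverse firewall: multiplies in a fresh encryption of 1 under pk.
    # It needs only the public key, never sk or m, and the result is
    # distributed exactly like an honest encryption with fresh randomness.
    c1, c2 = ct
    if s is None:
        s = 1 + secrets.randbelow(Q - 1)   # s != 0, so the ciphertext always changes
    return (c1 * pow(G, s, P)) % P, (c2 * pow(pk, s, P)) % P

def run_demo(m_exp=7):
    sk, pk = keygen()
    m = pow(G, m_exp, P)                    # encode the message as a group element
    ct1, ct2 = corrupted_encrypt(pk, m), corrupted_encrypt(pk, m)
    out1, out2 = firewall(pk, ct1), firewall(pk, ct2)
    return {
        "corrupted_repeats": ct1 == ct2,            # the leak: identical ciphertexts
        "firewall_changed": out1 != ct1 and out2 != ct2,
        "decrypts_ok": decrypt(sk, out1) == m and decrypt(sk, out2) == m,
    }

if __name__ == "__main__":
    print(run_demo())
```

The key property is that `firewall(pk, encrypt(pk, m, r), s)` equals `encrypt(pk, m, r + s)`, so whatever the corrupted encryptor did with its randomness, Bob sees a ciphertext whose randomness the firewall chose.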

[1] Bruce Schneier, et al. Surreptitiously Weakening Cryptographic Systems, 2015, IACR Cryptol. ePrint Arch.

[2] Kenneth G. Paterson, et al. Security of Symmetric Encryption against Mass Surveillance, 2014, IACR Cryptol. ePrint Arch.

[3] Eike Kiltz, et al. Chosen-Ciphertext Secure Key-Encapsulation Based on Gap Hashed Diffie-Hellman, 2007, Public Key Cryptography.

[4] Hugo Krawczyk, et al. Relaxing Chosen-Ciphertext Security, 2003, CRYPTO.

[5] Gustavus J. Simmons, et al. The Prisoners' Problem and the Subliminal Channel, 1983, CRYPTO.

[6] Whitfield Diffie, et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[7] Mike Burmester, Yvo Desmedt, et al. All Languages in NP Have Divertible Zero-Knowledge Proofs and Arguments Under Cryptographic Assumptions, 1990, EUROCRYPT.

[8] Manoj Prabhakaran, et al. Rerandomizable RCCA Encryption, 2007, CRYPTO.

[9] Moti Yung, et al. Cliptography: Clipping the Power of Kleptographic Attacks, 2016, ASIACRYPT.

[10] Matt Blaze, et al. Divertible Protocols and Atomic Proxy Cryptography, 1998, EUROCRYPT.

[11] Yevgeniy Dodis, et al. A Formal Treatment of Backdoored Pseudorandom Generators, 2015, EUROCRYPT.

[12] Ilya Mironov, et al. Cryptographic Reverse Firewalls, 2015, EUROCRYPT.

[13] Huaxiong Wang, et al. Malleability attacks on multi-party key agreement protocols, 2004.

[14] Mihir Bellare, et al. Relations among Notions of Security for Public-Key Encryption Schemes, 1998, IACR Cryptol. ePrint Arch.

[15] Jens Groth, et al. Rerandomizable and Replayable Adaptive Chosen Ciphertext Attack Secure Cryptosystems, 2004, TCC.

[16] Abhi Shelat, et al. Collusion-Free Protocols in the Mediated Model, 2008, CRYPTO.

[17] Pooya Farshim, et al. A More Cautious Approach to Security Against Mass Surveillance, 2015, FSE.

[18] Mihir Bellare, et al. Resisting Randomness Subversion: Fast Deterministic and Hedged Public-Key Encryption in the Standard Model, 2015, EUROCRYPT.

[19] Silvio Micali, et al. Verifiable random functions, 1999, 40th Annual Symposium on Foundations of Computer Science.

[20] Yvo Desmedt. Subliminal-free sharing schemes, 1994, Proceedings of 1994 IEEE International Symposium on Information Theory.

[21] Arjen K. Lenstra, et al. Public Keys, 2012, CRYPTO.

[22] T. Elgamal. A public key cryptosystem and a signature scheme based on discrete logarithms, 1984, CRYPTO.

[23] Yvo Desmedt, et al. Abuses in Cryptography and How to Fight Them, 1988, CRYPTO.

[24] Jonathan Katz, et al. Modeling insider attacks on group key-exchange protocols, 2005, CCS '05.

[25] J. Ball, et al. Revealed: How US and UK Spy Agencies Defeat Internet Privacy and Security, 2013.

[26] Yvo Desmedt, et al. All languages in NP have divertible zero-knowledge proofs and arguments under cryptographic assumptions (extended abstract), 1991.

[27] Yevgeniy Dodis, et al. Interactive Encryption and Message Authentication, 2014, SCN.

[28] Torben P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, 1991, CRYPTO.

[29] Abhi Shelat, et al. Collusion-free protocols, 2005, STOC '05.

[30] Mihir Bellare, et al. Mass-surveillance without the State: Strongly Undetectable Algorithm-Substitution Attacks, 2015, IACR Cryptol. ePrint Arch.

[31] Giuseppe Ateniese, et al. Subversion-Resilient Signature Schemes, 2015, IACR Cryptol. ePrint Arch.

[32] Ron Steinfeld, et al. A Non-malleable Group Key Exchange Protocol Robust Against Active Insiders, 2006, ISC.

[33] Glenn Greenwald, et al. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, 2014.

[34] Kazuo Ohta, et al. Divertible Zero Knowledge Interactive Proofs and Commutative Random Self-Reducibility, 1990, EUROCRYPT.

[35] Kilroy, et al. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. By Glenn Greenwald, New York, NY: Metropolitan Books, 2014, 2016.