Zero-Knowledge Middleboxes

This paper initiates research on zero-knowledge middleboxes (ZKMBs). A ZKMB is a network middlebox that enforces network usage policies on encrypted traffic. Clients send the middlebox zero-knowledge proofs that their traffic is policy-compliant; these proofs reveal nothing about the client’s communication except that it complies with the policy. We show how to make ZKMBs work with unmodified encrypted-communication protocols (specifically TLS 1.3), making ZKMBs invisible to servers. As a contribution of independent interest, we design zero-knowledge proofs for TLS 1.3 session keys. We apply the ZKMB paradigm to several case studies, including filtering for encrypted DNS protocols. Experimental results suggest that performance, while not yet practical, is promising. The middlebox’s overhead is only 2–5ms of running time per verified proof. Clients must store hundreds of MBs to participate in the protocol, and added latency ranges from tens of seconds (to set up a connection) to several seconds (for each successive packet requiring proof). Our optimized TLS 1.3 proofs improve the client’s costs 6× over an unoptimized baseline.
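The abstract's core idea is the split between what the middlebox sees (public input) and what the client keeps secret (witness): the proof attests that a witness exists which both explains the encrypted record and satisfies the policy. The following Go program, written for this page and not taken from the paper's implementation, spells out that relation for the encrypted-DNS filtering case study by evaluating it in the clear, which is exactly the predicate a ZKMB circuit would evaluate inside a zero-knowledge proof. It assumes a constructed fixed AEAD key and nonce, a constructed minimal DNS query, and AES-GCM without TLS 1.3's record-header AAD or content-type byte; binding the key to the real TLS handshake (the session-key proofs the abstract mentions) is not modeled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// PublicInput is everything the middlebox can see: the encrypted record on
// the wire and the policy it enforces. Nothing here identifies the query.
type PublicInput struct {
	Nonce      []byte          // constructed; TLS 1.3 derives it from the sequence number
	Ciphertext []byte          // AES-GCM ciphertext followed by the 16-byte tag
	Blocklist  map[string]bool // forbidden domains, lowercase, no trailing dot
}

// Witness is what only the client knows and what the proof keeps secret.
type Witness struct {
	Key       []byte // AEAD traffic key (hypothetical fixed key in this example)
	Plaintext []byte // the DNS query that was encrypted
}

// BuildDNSQuery constructs a minimal DNS query: 12-byte header with QDCOUNT=1,
// one QNAME in label form, QTYPE=A, QCLASS=IN. Sample input, not captured traffic.
func BuildDNSQuery(name string) []byte {
	var b bytes.Buffer
	b.Write([]byte{0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0})
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b.WriteByte(byte(len(label)))
		b.WriteString(label)
	}
	b.WriteByte(0)              // root label terminates the name
	b.Write([]byte{0, 1, 0, 1}) // QTYPE A, QCLASS IN
	return b.Bytes()
}

// Encrypt seals a plaintext with AES-GCM and no additional data (TLS 1.3 also
// authenticates the record header; omitted here to keep the relation small).
func Encrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// parseQName reads the first question name from a DNS message and rejects
// pointer compression, which a question section should not use.
func parseQName(msg []byte) (string, error) {
	if len(msg) < 12 {
		return "", errors.New("dns: header too short")
	}
	if binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return "", errors.New("dns: no question section")
	}
	pos, labels := 12, []string{}
	for {
		if pos >= len(msg) {
			return "", errors.New("dns: truncated name")
		}
		l := int(msg[pos])
		pos++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || pos+l > len(msg) {
			return "", errors.New("dns: bad label")
		}
		labels = append(labels, strings.ToLower(string(msg[pos:pos+l])))
		pos += l
	}
	if len(labels) == 0 {
		return "", errors.New("dns: empty name")
	}
	return strings.Join(labels, "."), nil
}

// Relation is the statement a ZKMB proof attests to: the witness really
// explains the public ciphertext, and the decrypted query is policy-compliant.
// Inside a proof system the middlebox would learn only the boolean result.
func Relation(pub PublicInput, w Witness) (bool, error) {
	ct, err := Encrypt(w.Key, pub.Nonce, w.Plaintext)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(ct, pub.Ciphertext) {
		return false, errors.New("witness does not explain the ciphertext")
	}
	name, err := parseQName(w.Plaintext)
	if err != nil {
		return false, err
	}
	parts := strings.Split(name, ".") // blocked if the name or any parent is listed
	for i := range parts {
		if pub.Blocklist[strings.Join(parts[i:], ".")] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	key, nonce := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 12) // constructed
	policy := map[string]bool{"blocked.example": true}
	for _, q := range []string{"www.allowed.example", "cdn.blocked.example"} {
		pt := BuildDNSQuery(q)
		ct, _ := Encrypt(key, nonce, pt)
		ok, err := Relation(PublicInput{nonce, ct, policy}, Witness{key, pt})
		fmt.Printf("%-22s compliant=%v err=%v\n", q, ok, err)
	}
}
```

The middlebox in a real ZKMB never runs `Relation` itself, because doing so would require the key and plaintext; it verifies a proof that some witness satisfies it. The example is still useful for seeing what such a proof must encode: an AEAD evaluation, a DNS parser, and a set-membership check, which is why the abstract reports proving cost in seconds per packet while verification stays at a few milliseconds.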
