- Can Peggy convince Vic of the veracity of an NP statement, without leaking any information about the witness even in case Vic is malicious and Peggy does not trust her computer? - Can we avoid that Peggy fools Vic into accepting false statements, even if Peggy is malicious and Vic does not trust her computer?
At EUROCRYPT 2015, Mironov and Stephens-Davidowitz introduced cryptographic reverse firewalls (RFs) as an attractive approach to tackling such questions. Intuitively, a RF for Peggy/Vic is an external party that sits between Peggy/Vic and the outside world and whose scope is to sanitize Peggy's/Vic's incoming and outgoing messages in the face of subversion of her/his computer, e.g. in order to destroy subliminal channels.
In this paper, we put forward several natural security properties for RFs in the concrete setting of IPSes. As our main contribution, we construct efficient RFs for different IPSes derived from a large class of Sigma protocols that we call malleable.
A nice feature of our design is that it is completely transparent, in the sense that our RFs can be directly applied to already deployed IPSes, without the need to re-implement them.
Category / Keywords: foundations / subversion; algorithm substitution attacks; cryptographic reverse firewalls; interactive proofs; zero knowledge; witness indistinguishability Date: received 18 Feb 2020, last revised 21 Feb 2020 Contact author: chaya ganesh at gmail com,magri@cs au dk,venturi@di uniroma1 it Available format(s): PDF | BibTeX Citation Note: This updated version contains a fix to an error in the construction of the RF for the OR composition protocol in the previous version of this manuscript. Version: 20200221:092926 (All versions of this report) Short URL: ia.cr/2020/204