Cryptology ePrint Archive: Report 2020/204

Cryptographic Reverse Firewalls for Interactive Proof Systems

Chaya Ganesh and Bernardo Magri and Daniele Venturi

Abstract: We study interactive proof systems (IPSes) in a strong adversarial setting where the machines of *honest parties* might be corrupted and under control of the adversary. Our aim is to answer the following, seemingly paradoxical, questions:

- Can Peggy convince Vic of the veracity of an NP statement, without leaking any information about the witness even in case Vic is malicious and Peggy does not trust her computer? - Can we avoid that Peggy fools Vic into accepting false statements, even if Peggy is malicious and Vic does not trust her computer?

At EUROCRYPT 2015, Mironov and Stephens-Davidowitz introduced cryptographic reverse firewalls (RFs) as an attractive approach to tackling such questions. Intuitively, a RF for Peggy/Vic is an external party that sits between Peggy/Vic and the outside world and whose scope is to sanitize Peggy's/Vic's incoming and outgoing messages in the face of subversion of her/his computer, e.g. in order to destroy subliminal channels.

In this paper, we put forward several natural security properties for RFs in the concrete setting of IPSes. As our main contribution, we construct efficient RFs for different IPSes derived from a large class of Sigma protocols that we call malleable.

A nice feature of our design is that it is completely transparent, in the sense that our RFs can be directly applied to already deployed IPSes, without the need to re-implement them.

Category / Keywords: foundations / subversion; algorithm substitution attacks; cryptographic reverse firewalls; interactive proofs; zero knowledge; witness indistinguishability

Date: received 18 Feb 2020, last revised 21 Feb 2020

Contact author: chaya ganesh at gmail com,magri@cs au dk,venturi@di uniroma1 it

Available format(s): PDF | BibTeX Citation

Note: This updated version contains a fix to an error in the construction of the RF for the OR composition protocol in the previous version of this manuscript.

Version: 20200221:092926 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]