Paper 2020/854

Designing Reverse Firewalls for the Real World

Angèle Bossuat, Xavier Bultel, Pierre-Alain Fouque, Cristina Onete, and Thyla van der Merwe


Reverse Firewalls (RFs) were introduced by Mironov and Stephens-Davidowitz to address algorithm-substitution attacks (ASAs) in which an adversary subverts the implementation of a provably-secure cryptographic primitive to make it insecure. This concept was applied by Dodis et al. in the context of secure key exchange (handshake phase), where the adversary wants to exfiltrate sensitive information by using a subverted client implementation. RFs are used as a means of "sanitizing" the client-side protocol in order to prevent this exfiltration. In this paper, we propose a new security model for both the handshake and record layers, a.k.a. secure channel. We present a signed, Diffie-Hellman based secure channel protocol, and show how to design a provably-secure reverse firewall for it. Our model is stronger since the adversary has a larger surface of attacks, which makes the construction challenging. Our construction uses classical and off-the-shelf cryptography.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. ESORICS 2020
reverse firewallsprovable security
Contact author(s)
angele bossuat @ irisa fr
xavier bultel @ insa-cvl fr
2020-07-12: received
Short URL
Creative Commons Attribution


      author = {Angèle Bossuat and Xavier Bultel and Pierre-Alain Fouque and Cristina Onete and Thyla van der Merwe},
      title = {Designing Reverse Firewalls for the Real World},
      howpublished = {Cryptology ePrint Archive, Paper 2020/854},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.