Paper 2023/1951

Protection Against Subversion Corruptions via Reverse Firewalls in the Plain Universal Composability Framework

Paula Arnold, University of Luebeck
Sebastian Berndt, Technische Hochschule Lübeck
Jörn Müller-Quade, Karlsruhe Institute of Technology, KASTEL Security Research Labs
Astrid Ottenhues, Karlsruhe Institute of Technology, KASTEL Security Research Labs
Abstract

While many modern cryptographic primitives have stood the test of time, attackers started to expand beyond classic cryptanalysis by targeting implementations. Subversion attacks, where the attacker replaces the implementation of the cryptographic primitive to leak sensitive information about the user during a protocol execution, are among the most dangerous of such attacks. The revelations of Snowden have shown that these attacks are deployed by intelligence services. A very promising countermeasure uses cryptographic reverse firewalls that actively remove the covert channel leaking the secret. Chakraborty et al. (EUROCRYPT’22) presented the first model of such firewalls in the universal composability (UC) framework. However, using such a firewall also provides a possible new target for the attacker and in the case that an honest party uses a corrupted firewall, they were not able to prove any security guarantees. Furthermore, their model is quite complex and does not fit into the plain UC model as they restrict the environment. Hence, the authors needed to reprove fundamental theorems such as the composition theorem as well as the security of the underlying protocol. In this paper, we consider a slightly different model of subversion attacks that replace the used randomness, inspired by Dodis et al. (CRYPTO’16), that captures all known subversion attacks. Considering these realistic attacks allows us to use existing UC-secure protocols without the need to reprove their security. We also introduce additional notions of firewall properties, allowing us to reason about corrupted firewalls while maintaining strong security guarantees. To show the versatility of our model, we apply it to commitments and oblivious transfer. This demonstrates the usefulness of our plain UC model, as the only known previous subversion-resilient OT, recently provided by Chakraborty et al. (ASIACRYPT’24), is much more complicated and involved, and was also in the non-plain UC model.

Note:
- Clarified many details
- added a simpler guide on how to use the model
- more detailed comparison to related work
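The abstract describes two ideas in one sentence each: subversion attacks in the randomness-replacement model (a tampered implementation keeps the honest algorithm but chooses its randomness so that the output becomes a covert channel), and a reverse firewall that re-randomizes outgoing messages so the channel disappears. The following example is added here to make both concrete; it is not code from the paper and does not implement the paper's commitment or OT constructions. It uses a toy Pedersen commitment over a 64-bit safe-prime group (constructed parameters, far too small for real use), a subverted committer whose randomness comes from an 8-element space keyed on the message, and a firewall that multiplies every commitment by `H^s` for fresh `s` and patches the opening later. The names `ReverseFirewall`, `covert_reader`, `subverted_commit` and the backdoor key are assumptions of this example.

```python
import hashlib
import secrets

# ---- Toy group setup (constructed for this example) ----------------------
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Miller-Rabin with the fixed bases above (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def find_safe_prime(start):
    """Smallest p >= start with p and q = (p-1)//2 both prime (deterministic search)."""
    q = start // 2 | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = find_safe_prime(1 << 63)   # toy size: a real deployment needs a 256-bit group
G, H = 4, 9   # squares, hence generators of the order-Q subgroup; log_G(H) assumed unknown

# ---- Pedersen commitment -------------------------------------------------
def commit(m, r):
    """C = G^m * H^r (mod P). Hiding relies entirely on r being uniform in Z_Q."""
    return pow(G, m % Q, P) * pow(H, r % Q, P) % P

def verify(c, m, r):
    return commit(m, r) == c

def honest_commit(m):
    r = secrets.randbelow(Q)
    return commit(m, r), r

def _subverted_randomness(m, backdoor_key):
    # Randomness-replacement subversion: r is a deterministic function of m and a
    # key, drawn from only 8 values, so the commitment is no longer hiding to the
    # key holder. The algorithm itself is untouched, exactly as in the abstract's model.
    digest = hashlib.sha256(backdoor_key + m.to_bytes(4, 'big')).digest()
    return int.from_bytes(digest, 'big') % 8

def subverted_commit(m, backdoor_key):
    r = _subverted_randomness(m, backdoor_key)
    return commit(m, r), r

def covert_reader(c, backdoor_key, message_space):
    """The subverter's side of the covert channel: try the tiny (m, r) space."""
    for m in message_space:
        if commit(m, _subverted_randomness(m, backdoor_key)) == c:
            return m
    return None

# ---- Reverse firewall ----------------------------------------------------
class ReverseFirewall:
    """Sits between the committer and the network. It re-randomizes every outgoing
    commitment and later patches the opening; it never learns m or r."""
    def __init__(self):
        self._shift = {}

    def outgoing_commitment(self, c):
        s = secrets.randbelow(Q)
        c2 = c * pow(H, s, P) % P       # C * H^s = G^m * H^(r+s): fresh, uniform randomness
        self._shift[c2] = s
        return c2

    def outgoing_opening(self, c2, m, r):
        return m, (r + self._shift[c2]) % Q

def demo(m=7, backdoor_key=b'constructed-backdoor-key'):
    """Run the subverted committer with and without the firewall in front of it."""
    fw = ReverseFirewall()
    c_sub, r_sub = subverted_commit(m, backdoor_key)
    leaked_before = covert_reader(c_sub, backdoor_key, range(16))  # channel works
    c_out = fw.outgoing_commitment(c_sub)
    leaked_after = covert_reader(c_out, backdoor_key, range(16))   # channel gone
    m2, r2 = fw.outgoing_opening(c_out, m, r_sub)
    return {
        'leaked_before': leaked_before,
        'leaked_after': leaked_after,
        'opens_via_firewall': verify(c_out, m2, r2),
        'opens_with_raw_r': verify(c_out, m, r_sub),
    }

if __name__ == '__main__':
    print(demo())
```

The firewall's output `G^m * H^(r+s)` is distributed identically for every incoming `r`, which is the property that kills the channel; note that it needs no knowledge of the message, the randomness, or the backdoor key. The flip side, which the abstract raises, is that the firewall is now a second place an attacker can subvert: if `s` were chosen from a small space instead of uniformly, the commitment would leak again. This is the reason the paper introduces separate properties for a corrupted firewall rather than assuming it is trusted.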

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
Subversion Resilience, Universal Composability, OT
Contact author(s)
p arnold @ uni-luebeck de
sebastian berndt @ th-luebeck de
mueller-quade @ kit edu
ottenhues @ kit edu
History
2025-02-19: revised
2023-12-23: received
Short URL
https://ia.cr/2023/1951
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1951,
      author = {Paula Arnold and Sebastian Berndt and Jörn Müller-Quade and Astrid Ottenhues},
      title = {Protection Against Subversion Corruptions via Reverse Firewalls in the Plain Universal Composability Framework},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1951},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1951}
}