Message transmission with reverse firewalls—Secure communication on corrupted machines

Yevgeniy Dodis, Ilya Mironov, Noah Stephens-Davidowitz

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Suppose Alice wishes to send a message to Bob privately over an untrusted channel. Cryptographers have developed a whole suite of tools to accomplish this task, with a wide variety of notions of security, setup assumptions, and running times. However, almost all prior work on this topic made a seemingly innocent assumption: that Alice has access to a trusted computer with a proper implementation of the protocol. The Snowden revelations show us that, in fact, powerful adversaries can and will corrupt users’ machines in order to compromise their security. And, (presumably) accidental vulnerabilities are regularly found in popular cryptographic software, showing that users cannot even trust implementations that were created honestly. This leads to the following (seemingly absurd) question: “Can Alice securely send a message to Bob even if she cannot trust her own computer?!” Bellare, Paterson, and Rogaway recently studied this question. They show a strong impossibility result that in particular rules out even semantically secure public-key encryption in their model. However, Mironov and Stephens-Davidowitz recently introduced a new framework for solving such problems: reverse firewalls. A secure reverse firewall is a third party that “sits between Alice and the outside world” and modifies her sent and received messages so that even if the her machine has been corrupted, Alice’s security is still guaranteed. We show how to use reverse firewalls to sidestep the impossibility result of Bellare et al., and we achieve strong security guarantees in this extreme setting. Indeed, we find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall—i.e., CCA-secure message transmission on a possibly compromised machine! Surprisingly, this protocol is quite efficient and simple, requiring only four rounds and a small constant number of public-key operations for each party. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.

Original languageEnglish (US)
Title of host publicationAdvances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings
PublisherSpringer Verlag
Pages241-372
Number of pages132
Volume9814
ISBN (Print)9783662530177
DOIs
StatePublished - 2016
Event36th International Cryptology Conference, Crypto 2016 - Santa Barbara, United States
Duration: Aug 14 2016Aug 18 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume9814
ISSN (Print)03029743
ISSN (Electronic)16113349

Other

Other36th International Cryptology Conference, Crypto 2016
CountryUnited States
CitySanta Barbara
Period8/14/168/18/16

Fingerprint

Firewall
Reverse
Communication
Cryptography
Key Agreement
Public Key Encryption
Public key
Vulnerability
Analogy
Concurrent
Extremes
Chemical analysis
Vary
Software
Theorem

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Dodis, Y., Mironov, I., & Stephens-Davidowitz, N. (2016). Message transmission with reverse firewalls—Secure communication on corrupted machines. In Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings (Vol. 9814, pp. 241-372). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9814). Springer Verlag. https://doi.org/10.1007/978-3-662-53018-4_13

Message transmission with reverse firewalls—Secure communication on corrupted machines. / Dodis, Yevgeniy; Mironov, Ilya; Stephens-Davidowitz, Noah.

Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Vol. 9814 Springer Verlag, 2016. p. 241-372 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9814).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Dodis, Y, Mironov, I & Stephens-Davidowitz, N 2016, Message transmission with reverse firewalls—Secure communication on corrupted machines. in Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. vol. 9814, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9814, Springer Verlag, pp. 241-372, 36th International Cryptology Conference, Crypto 2016, Santa Barbara, United States, 8/14/16. https://doi.org/10.1007/978-3-662-53018-4_13
Dodis Y, Mironov I, Stephens-Davidowitz N. Message transmission with reverse firewalls—Secure communication on corrupted machines. In Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Vol. 9814. Springer Verlag. 2016. p. 241-372. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-662-53018-4_13
Dodis, Yevgeniy ; Mironov, Ilya ; Stephens-Davidowitz, Noah. / Message transmission with reverse firewalls—Secure communication on corrupted machines. Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Vol. 9814 Springer Verlag, 2016. pp. 241-372 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{78bc870e7b8a43d58f2f61432a31f929,
title = "Message transmission with reverse firewalls—Secure communication on corrupted machines",
abstract = "Suppose Alice wishes to send a message to Bob privately over an untrusted channel. Cryptographers have developed a whole suite of tools to accomplish this task, with a wide variety of notions of security, setup assumptions, and running times. However, almost all prior work on this topic made a seemingly innocent assumption: that Alice has access to a trusted computer with a proper implementation of the protocol. The Snowden revelations show us that, in fact, powerful adversaries can and will corrupt users’ machines in order to compromise their security. And, (presumably) accidental vulnerabilities are regularly found in popular cryptographic software, showing that users cannot even trust implementations that were created honestly. This leads to the following (seemingly absurd) question: “Can Alice securely send a message to Bob even if she cannot trust her own computer?!” Bellare, Paterson, and Rogaway recently studied this question. They show a strong impossibility result that in particular rules out even semantically secure public-key encryption in their model. However, Mironov and Stephens-Davidowitz recently introduced a new framework for solving such problems: reverse firewalls. A secure reverse firewall is a third party that “sits between Alice and the outside world” and modifies her sent and received messages so that even if the her machine has been corrupted, Alice’s security is still guaranteed. We show how to use reverse firewalls to sidestep the impossibility result of Bellare et al., and we achieve strong security guarantees in this extreme setting. Indeed, we find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall—i.e., CCA-secure message transmission on a possibly compromised machine! Surprisingly, this protocol is quite efficient and simple, requiring only four rounds and a small constant number of public-key operations for each party. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.",
author = "Yevgeniy Dodis and Ilya Mironov and Noah Stephens-Davidowitz",
year = "2016",
doi = "10.1007/978-3-662-53018-4_13",
language = "English (US)",
isbn = "9783662530177",
volume = "9814",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "241--372",
booktitle = "Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings",
address = "Germany",

}

TY - GEN

T1 - Message transmission with reverse firewalls—Secure communication on corrupted machines

AU - Dodis, Yevgeniy

AU - Mironov, Ilya

AU - Stephens-Davidowitz, Noah

PY - 2016

Y1 - 2016

N2 - Suppose Alice wishes to send a message to Bob privately over an untrusted channel. Cryptographers have developed a whole suite of tools to accomplish this task, with a wide variety of notions of security, setup assumptions, and running times. However, almost all prior work on this topic made a seemingly innocent assumption: that Alice has access to a trusted computer with a proper implementation of the protocol. The Snowden revelations show us that, in fact, powerful adversaries can and will corrupt users’ machines in order to compromise their security. And, (presumably) accidental vulnerabilities are regularly found in popular cryptographic software, showing that users cannot even trust implementations that were created honestly. This leads to the following (seemingly absurd) question: “Can Alice securely send a message to Bob even if she cannot trust her own computer?!” Bellare, Paterson, and Rogaway recently studied this question. They show a strong impossibility result that in particular rules out even semantically secure public-key encryption in their model. However, Mironov and Stephens-Davidowitz recently introduced a new framework for solving such problems: reverse firewalls. A secure reverse firewall is a third party that “sits between Alice and the outside world” and modifies her sent and received messages so that even if the her machine has been corrupted, Alice’s security is still guaranteed. We show how to use reverse firewalls to sidestep the impossibility result of Bellare et al., and we achieve strong security guarantees in this extreme setting. Indeed, we find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall—i.e., CCA-secure message transmission on a possibly compromised machine! Surprisingly, this protocol is quite efficient and simple, requiring only four rounds and a small constant number of public-key operations for each party. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.

AB - Suppose Alice wishes to send a message to Bob privately over an untrusted channel. Cryptographers have developed a whole suite of tools to accomplish this task, with a wide variety of notions of security, setup assumptions, and running times. However, almost all prior work on this topic made a seemingly innocent assumption: that Alice has access to a trusted computer with a proper implementation of the protocol. The Snowden revelations show us that, in fact, powerful adversaries can and will corrupt users’ machines in order to compromise their security. And, (presumably) accidental vulnerabilities are regularly found in popular cryptographic software, showing that users cannot even trust implementations that were created honestly. This leads to the following (seemingly absurd) question: “Can Alice securely send a message to Bob even if she cannot trust her own computer?!” Bellare, Paterson, and Rogaway recently studied this question. They show a strong impossibility result that in particular rules out even semantically secure public-key encryption in their model. However, Mironov and Stephens-Davidowitz recently introduced a new framework for solving such problems: reverse firewalls. A secure reverse firewall is a third party that “sits between Alice and the outside world” and modifies her sent and received messages so that even if the her machine has been corrupted, Alice’s security is still guaranteed. We show how to use reverse firewalls to sidestep the impossibility result of Bellare et al., and we achieve strong security guarantees in this extreme setting. Indeed, we find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall—i.e., CCA-secure message transmission on a possibly compromised machine! Surprisingly, this protocol is quite efficient and simple, requiring only four rounds and a small constant number of public-key operations for each party. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.

UR - http://www.scopus.com/inward/record.url?scp=84979626654&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84979626654&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-53018-4_13

DO - 10.1007/978-3-662-53018-4_13

M3 - Conference contribution

AN - SCOPUS:84979626654

SN - 9783662530177

VL - 9814

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 241

EP - 372

BT - Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings

PB - Springer Verlag

ER -