International Association for Cryptologic Research

International Association
for Cryptologic Research

IACR News item: 08 June 2015

Yevgeniy Dodis, Ilya Mironov, Noah Stephens-Davidowitz
ePrint Report ePrint Report
A secure reverse firewall, as recently defined by Mironov and Stephens-Davidowitz, is a third party that \"sits between a user and the outside world\" and modifies the user\'s sent and received messages so that even if the user\'s machine has been corrupted, her security is still guaranteed! In other words, reverse firewalls allow us to provide meaningful (and, indeed, very strong) security guarantees against powerful adversaries that may have tampered with the user\'s hardware or software (or adversaries that are aware of bugs in the user\'s protocol implementation). A long list of recent revelations shows that such threats are extremely common in practice, and they present a serious, arguably existential, threat to cryptography. Importantly, reverse firewalls defend against such threats without sharing any secrets with the user, and in general we expect the user to place essentially no trust in the firewall.

While Mironov and Stephens-Davidowitz demonstrated that reverse firewalls can be constructed for very strong cryptographic primitives (which are of mostly theoretical interest), we study reverse firewalls for perhaps the most natural cryptographic task: secure message transmission. We find a rich structure of solutions that vary in efficiency, security, and setup assumptions, in close analogy with message transmission in the classical setting. Our strongest and most important result shows a protocol that achieves interactive, concurrent CCA-secure message transmission with a reverse firewall---i.e., CCA-secure message transmission on a possibly compromised machine! Surprisingly, this protocol is quite efficient and simple, requiring only a small constant number of public-key operations. It could easily be used in practice. Behind this result is a technical composition theorem that shows how key agreement with a sufficiently secure reverse firewall can be used to construct a message-transmission protocol with its own secure reverse firewall.

Expand

Additional news items may be found on the IACR news page.