Cryptographic reverse firewalls for interactive proof systems

Chaya Ganesh, Bernardo Magri, Daniele Venturi

Research output: Contribution to journalArticlepeer-review

92 Downloads (Pure)


We study interactive proof systems (IPSes) in a strong adversarial setting where the machines of honest parties might be corrupted and under control of the adversary. Our aim is to answer the following, seemingly paradoxical, questions: • Can Peggy convince Vic of the veracity of an NP statement, without leaking any information about the witness even in case Vic is malicious and Peggy does not trust her computer? • Can we avoid that Peggy fools Vic into accepting false statements, even if Peggy is malicious and Vic does not trust her computer? At EUROCRYPT 2015, Mironov and Stephens-Davidowitz introduced cryptographic reverse firewalls (RFs) as an attractive approach to tackling such questions. Intuitively, a RF for Peggy/Vic is an external party that sits between Peggy/Vic and the outside world and whose scope is to sanitize Peggy's/Vic's incoming and outgoing messages in the face of subversion of her/his computer, e.g. in order to destroy subliminal channels. In this paper, we put forward several natural security properties for RFs in the concrete setting of IPSes. As our main contribution, we construct efficient RFs for different IPSes derived from a large class of Sigma protocols that we call malleable. A nice feature of our design is that it is completely transparent, in the sense that our RFs can be directly applied to already deployed IPSes, without the need to re-implement them.

Original languageEnglish
Pages (from-to)104-132
Number of pages29
JournalTheoretical Computer Science
Early online date10 Dec 2020
Publication statusPublished - 6 Feb 2021


  • Algorithm-substitution attacks
  • Cryptographic reverse firewalls
  • Interactive proofs
  • Subversion
  • Witness indistinguishability
  • Zero knowledge


Dive into the research topics of 'Cryptographic reverse firewalls for interactive proof systems'. Together they form a unique fingerprint.

Cite this