TY - CHAP
T1 - Universally Composable Subversion-Resilient Cryptography
AU - Chakraborty, Suvradip
AU - Magri, Bernardo
AU - Nielsen, Jesper Buus
AU - Venturi, Daniele
N1 - Funding Information:
S. Chakraborty—Work done while at IST Austria; supported in part by ERC grant 724307. B. Magri—Work done while at Aarhus University. D. Venturi—Supported by the grant SPECTRA from Sapienza University of Rome.
Publisher Copyright:
© 2022, International Association for Cryptologic Research.
PY - 2022
Y1 - 2022
AB - Subversion attacks undermine the security of cryptographic protocols by replacing a legitimate honest party’s implementation with one that leaks information in an undetectable manner. An important limitation of all currently known techniques for designing cryptographic protocols with security against subversion attacks is that they do not automatically guarantee security in the realistic setting where a protocol session may run concurrently with other protocols. We remedy this situation by providing a foundation of reverse firewalls (Mironov and Stephens-Davidowitz, EUROCRYPT’15) in the universal composability (UC) framework (Canetti, FOCS’01 and J. ACM’20). In more detail, our contributions are threefold: (i) We generalize the UC framework to the setting where each party consists of a core (which has secret inputs and is in charge of generating protocol messages) and a firewall (which has no secrets and sanitizes the outgoing/incoming communication from/to the core). Both the core and the firewall can be subject to different flavors of corruption, modeling different kinds of subversion attacks. For instance, we capture the setting where a subverted core looks like the honest core to any efficient test, yet it may leak secret information via covert channels (which we call specious subversion). (ii) We show how to sanitize UC commitments and UC coin tossing against specious subversion, under the DDH assumption. (iii) We show how to sanitize the classical GMW compiler (Goldreich, Micali and Wigderson, STOC 1987) for turning MPC with security in the presence of semi-honest adversaries into MPC with security in the presence of malicious adversaries. This yields a completeness theorem for maliciously secure MPC in the presence of specious subversion. Additionally, all our sanitized protocols are transparent, in the sense that communicating with a sanitized core looks indistinguishable from communicating with an honest core.
Thanks to the composition theorem, our methodology allows, for the first time, designing subversion-resilient protocols by sanitizing different sub-components in a modular way.
UR - http://www.scopus.com/inward/record.url?scp=85131961297&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-06944-4_10
DO - 10.1007/978-3-031-06944-4_10
M3 - Chapter
AN - SCOPUS:85131961297
SN - 9783031069437
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 272
EP - 302
BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
A2 - Dunkelman, Orr
A2 - Dziembowski, Stefan
PB - Springer Nature
T2 - 41st Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2022
Y2 - 30 May 2022 through 3 June 2022
ER -