Abstract
The Snowden revelations in 2013 showed that user machines running cryptographic protocols might be stealthily corrupted by attackers (e.g., manufacturers and supply-chain intermediaries) who could tamper with cryptographic implementations to insert backdoors that undermine cryptographic tools. To formalize such attacks, at CRYPTO 2014, Bellare et al. proposed the notion of the Algorithm-Substitution Attack (ASA), which has been extensively studied since then. In this work, we investigate the security of anonymous communication (AC) protocols—a well-known tool to protect user privacy on the Internet—in the case when user machines are corrupted. Specifically, we give a formal treatment of ASAs on universal mixnet-based AC ($\mathsf{U\text{-}Mix\text{-}AC}$) protocols. We show that ASAs on $\mathsf{U\text{-}Mix\text{-}AC}$ protocols could be more dangerous than previously thought by presenting attacks that are extremely powerful. As a countermeasure, we adopt the cryptographic reverse firewall (CRF), originally proposed by Mironov and Stephens-Davidowitz at EUROCRYPT 2015, to restore the security of $\mathsf{U\text{-}Mix\text{-}AC}$ protocols in the presence of ASAs. We also implement the proposed AC protocol, ASAs and CRFs for experimental evaluation. The results show that the execution time of the subverted algorithms is almost the same as that of the faithful ones, and that the CRFs we design effectively guard the security of the $\mathsf{U\text{-}Mix\text{-}AC}$ protocol.
More From: IEEE Transactions on Dependable and Secure Computing