Secure Anonymous Communication on Corrupted Machines With Reverse Firewalls

The Snowden revelations in 2013 showed that user machines running cryptographic protocols might be stealthily corrupted by attackers (e.g., manufacturers and supply-chain intermediaries) who could tamper cryptographic implementations to insert backdoors to undermine cryptographic tools. To formalize such attacks, in CRYPTO 2014, Bellare et al. proposed the notion of Algorithm-Substitution Attack (ASA) which has been extensively studied since then. In this work, we turn to investigate the security of anonymous communication (AC) protocol-a well-known tool to protect user privacy on the Internet-in the case when user machines are corrupted. Specifically, we give a formal treatment of ASAs on the universal mixnet-based AC (\mathsf{U\text{-}Mix\text{-}AC} U-Mix-AC ) protocols. We show that ASAs on \mathsf{U\text{-}Mix\text{-}AC} U-Mix-AC protocols could be more dangerous than previously thought by presenting attacks that are extremely powerful. As countermeasure, we adopt cryptographic reverse firewall (CRF), originally proposed by Mironov and Stephens-Davidowitz in EUROCRYPT 2015, to restore the security of \mathsf{U\text{-}Mix\text{-}AC} U-Mix-AC protocols in the presence of ASAs. We also implement proposed AC protocol, ASAs and CRFs for experimental evaluations, and the results show that the execution time of subvert