TY - GEN
T1 - Zombie
T2 - 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024
AU - Zhang, Collin
AU - DeStefano, Zachary
AU - Arun, Arasu
AU - Bonneau, Joseph
AU - Grubbs, Paul
AU - Walfish, Michael
N1 - Publisher Copyright:
© 2024 Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024. All rights reserved.
PY - 2024
Y1 - 2024
N2 - Zero-knowledge middleboxes (ZKMBs) are a recent paradigm in which clients get privacy while middleboxes enforce policy: clients prove in zero knowledge that the plaintext underlying their encrypted traffic complies with network policies, such as DNS filtering. However, prior work had impractically poor performance and was limited in functionality. This work presents Zombie, the first system built using the ZKMB paradigm. Zombie introduces techniques that push ZKMBs to the verge of practicality: preprocessing (to move the bulk of proof generation to idle times between requests), asynchrony (to remove proving and verifying costs from the critical path), and batching (to amortize some of the verification work). Zombie’s choices, together with these techniques, reduce client and middlebox overhead by ≈ 3.5×, lowering the critical path overhead for a DNS filtering application on commodity hardware to less than 300ms or, in the asynchronous configuration, to 0. As an additional contribution that is likely of independent interest, Zombie introduces a portfolio of techniques to encode regular expressions in probabilistic (and zero-knowledge) proofs. These techniques significantly improve performance over a standard baseline, asymptotically and concretely. Zombie builds on this portfolio to support policies based on regular expressions, such as data loss prevention.
AB - Zero-knowledge middleboxes (ZKMBs) are a recent paradigm in which clients get privacy while middleboxes enforce policy: clients prove in zero knowledge that the plaintext underlying their encrypted traffic complies with network policies, such as DNS filtering. However, prior work had impractically poor performance and was limited in functionality. This work presents Zombie, the first system built using the ZKMB paradigm. Zombie introduces techniques that push ZKMBs to the verge of practicality: preprocessing (to move the bulk of proof generation to idle times between requests), asynchrony (to remove proving and verifying costs from the critical path), and batching (to amortize some of the verification work). Zombie’s choices, together with these techniques, reduce client and middlebox overhead by ≈ 3.5×, lowering the critical path overhead for a DNS filtering application on commodity hardware to less than 300ms or, in the asynchronous configuration, to 0. As an additional contribution that is likely of independent interest, Zombie introduces a portfolio of techniques to encode regular expressions in probabilistic (and zero-knowledge) proofs. These techniques significantly improve performance over a standard baseline, asymptotically and concretely. Zombie builds on this portfolio to support policies based on regular expressions, such as data loss prevention.
UR - http://www.scopus.com/inward/record.url?scp=85194176068&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85194176068&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85194176068
T3 - Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024
SP - 1917
EP - 1935
BT - Proceedings of the 21st USENIX Symposium on Networked Systems Design and Implementation, NSDI 2024
PB - USENIX Association
Y2 - 16 April 2024 through 18 April 2024
ER -