Zero-Knowledge Middleboxes: Enforcing Network Policy without Sacrificing Privacy

Speaker

Zachary DeStefano
New York University (NYU)

Host

Alexandra Henzinger
CSAIL MIT

Abstract: There is a fundamental conflict between network clients, who want to
keep their traffic private, and administrators, who want to enforce a
variety of policies on client traffic, using middleboxes. I'll
describe a project that resolves this conflict: Zero-Knowledge
Middleboxes (ZKMB). With ZKMB, clients send middleboxes zero-knowledge
proofs about their encrypted traffic; these proofs reveal nothing
about the underlying plaintext, except that it complies with the
policy. We show how to make ZKMB work in real time with unmodified
encrypted-communication protocols (specifically TLS 1.3), making ZKMB
invisible to servers. Our system gains performance by exploiting the
bursty nature of web traffic and by modifying Spartan (CRYPTO '20) to
amortize costs. We also show how to efficiently encode DNS filtering
and complex DLP policies in zero knowledge in the ZKMB framework.
Joint work with Arasu Arun, Joseph Bonneau, Paul Grubbs, Michael
Walfish, Collin Zhang, and Ye Zhang.