Subliminal Hash Channels

Abstract

Due to their nature, subliminal channels are mostly regarded as being malicious, but due to recent legislation efforts users’ perception might change. Such channels can be used to subvert digital signature protocols without degrading the security of the underlying primitive. Thus, it is natural to find countermeasures and devise subliminal-free signatures. In this paper we discuss state-of-the-art countermeasures and introduce a generic method to bypass them.

A Additional Preliminaries

1.1 A.1 Definitions

Definition 6

(Computational Diffie-Hellman -cdh). Let \(\mathbb G\) be a cyclic group of order q, g a generator of \(\mathbb G\) and let A be a PPT algorithm that returns an element from \(\mathbb G\). We define the advantage

If \({ADV}_{\mathbb {G},g}^{\textsc {cdh}}(A)\) is negligible for any PPT algorithm A, we say that the Computational Diffie-Hellman problem is hard in \(\mathbb G\).

Remark 7

The cdh assumption is standard and we include it for completeness. The hdh assumption was formally introduced in [8, 9], although it was informally described as a composite assumption in [16, 49]. According to [16], the hdh assumption is equivalent with the cdh assumption in the ROM. Although an equivalent of the hdh assumption exists in the standard model, in this paper we are working with the Schnorr signature scheme that is secure in the ROM. Thus, the security in the ROM suffices for our purposes.

Definition 7

(Unique Signature Scheme). Let S be a signature scheme and pk be a public key generated by the KeyGen algorithm of S. We say that S is a Unique Signature Scheme if for any message m and any signatures of m, \(\sigma _1 \ne \sigma _2\)

$$\begin{aligned} Pr[\text { Verification}(m, \sigma _1, pk) = \text { Verification}(m, \sigma _2, pk) = {\mathtt true}] \end{aligned}$$

is negligible.

Definition 8

(Re-Randomizable Signature Scheme). Let S be a signature scheme and (pk, sk) be a public/secret key pair generated by the KeyGen algorithm of S. We say that S is a Re-Randomizable Signature Scheme if there exists a PPT algorithm ReRand such that for all messages m the output of ReRand\((m, \sigma , pk)\) is statistically indistinguishable from Sign(m, sk).

1.2 A.2 Covert Channels

Trivial Subliminal Channel. The Schnorr signature supports a subliminal channel based on rejection sampling. We further describe the trivial subliminal channel.

Sign (m, sk): Choose and compute \(r \leftarrow g^k\), until \(\omega \equiv r \bmod 2\). To sign a message \(m \in \{0, 1\}^*\) compute the values \(e \leftarrow h(r\Vert m)\) and \(s \leftarrow k - xe \bmod q\). Output the signature (e, s).

Extract (e, s) :  To extract the embedded message \(\omega \) compute \(\omega \leftarrow g^sy^e \bmod 2\).

Young-Yung SETUP Attack. In [45,46,47,48], the authors propose a kleptographic version of Schnorr signatures and prove it ind-covert secure in the standard model under the hdh assumption. The algorithms of the SETUP attack are shortly described below. Note that after D signs at least two messages, Mallory can recover Charlie’s secret key and, thus, impersonate Charlie.

Malicious ParamGen (pp): Let \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) be a hash function. Output the public parameter \(sp_M = H\). Note that H will be stored in D’s volatile memory.

Malicious KeyGen (pp): Choose and compute \(y_M \leftarrow g^{x_M}\). Output the public key \(pk_M = y_M\). The public key \(pk_M\) will be stored in D’s volatile memory. The secret key is \(sk_M = x_M\); it will only be known by Mallory and will not be stored in the black-box.

Signing Sessions: The possible signing sessions performed by D are described below. Let \(i \ge 1\).

Session\(_0(m_0, sk)\): To sign message \(m_0 \in \mathbb {G}\), D does the following

The value \(k_0\) is stored in D’s volatile memory until the end of Session\(_1\). Output the signature \((r_0, s_0)\).

Session\(_i(m_i, sk, pk_M)\): To sign message \(m_i \in \mathbb {G}\), D does the following

$$\begin{aligned} z_i \leftarrow y_M^{k_{i-1}}, k_i \leftarrow H(z_i), r_i \leftarrow g^{k_i}, e_i \leftarrow h(r_i\Vert m_i), s_i \leftarrow k_i - xe_i \bmod q. \end{aligned}$$

The value \(k_{i}\) is stored in D’s volatile memory until the end of Session\(_{i+1}\). Output the signature \((r_i, s_i)\).

Recovering \((m_i, e_{i-1}, e_i, s_i, sk_M)\): Compute \(r_{i-1} \leftarrow g^{s_{i-1}} y^{e_{i-1}}\), \(\alpha \leftarrow r_{i-1}^{x_M}\) and \(k_i \leftarrow H(\alpha )\). Recover x by computing \(x \leftarrow e_i^{-1} (k_i - s_i)\bmod q\).