Abstract
By their nature, subliminal channels are mostly regarded as malicious, but recent legislative efforts may change users’ perception of them. Such channels can be used to subvert digital signature protocols without degrading the security of the underlying primitive. Thus, it is natural to look for countermeasures and to devise subliminal-free signatures. In this paper we discuss state-of-the-art countermeasures and introduce a generic method to bypass them.
Notes
- 1. A black-box is a device, process or system whose inputs and outputs are known, but whose internal structure or workings are not known or accessible to the user (e.g. tamper-proof devices, closed-source software).
- 2. Manufacturers might implement subversion-free signatures just for marketing purposes, while still backdooring some of the devices produced.
- 3.
- 4. For example, by modifying the way random numbers are generated.
- 5. Through the system’s outputs.
- 6. The sender and receiver will further be called prisoners and the third party the warden.
- 7. Found by means of reverse engineering the system, for example.
- 8. The same assumption is made in Young-Yung’s attack, since their mechanism can also be detected when x is known to the attacker.
- 9. By choosing 128 messages we simulated the following scenario: the secret key x is generated using a PRNG with a 128-bit seed and D leaks the seed.
- 10. By implementing one of these countermeasures.
- 11. Similar to the trivial channel described in Sect. 2.3.
- 12. i.e. computing a hash is faster than computing a modular exponentiation.
- 13. See Appendix A.1 for a definition of the concept.
- 14.
References
[1] mbed TLS. https://tls.mbed.org
[2] Mining Hardware Comparison. https://en.bitcoin.it/wiki/Mining_hardware_comparison
[3] Non-Specialized Hardware Comparison. https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison
[4] OpenMP. https://www.openmp.org/
[5] Safe Prime Database. https://2ton.com.au/safeprimes/
[6] The GNU Multiple Precision Arithmetic Library. https://gmplib.org/
[7] World Map of Encryption Laws and Policies. https://www.gp-digital.org/world-map-of-encryption/
[8] Abdalla, M., Bellare, M., Rogaway, P.: DHAES: An Encryption Scheme Based on the Diffie-Hellman Problem. IACR Cryptology ePrint Archive 1999/7 (1999)
[9] Abdalla, M., Bellare, M., Rogaway, P.: The oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12
[10] Adams, C., Cain, P., Pinkas, D., Zuccherato, R.: RFC 3161: internet X.509 public key infrastructure time-stamp protocol (TSP). Technical report, Internet Engineering Task Force (2001)
[11] Ateniese, G., Magri, B., Venturi, D.: Subversion-resilient signature schemes. In: ACM-CCS 2015, pp. 364–375. ACM (2015)
[12] Ball, J., Borger, J., Greenwald, G.: Revealed: how US and UK spy agencies defeat internet privacy and security. Guardian 6, 2–8 (2013)
[13] Barker, E., Kelsey, J.: SP 800-90A. Recommendations for Random Number Generation Using Deterministic Random Bit Generators (2012)
[14] Bellare, M., Jaeger, J., Kane, D.: Mass-surveillance without the state: strongly undetectable algorithm-substitution attacks. In: ACM-CCS 2015, pp. 1431–1440. ACM (2015)
[15] Bellare, M., Paterson, K.G., Rogaway, P.: Security of symmetric encryption against mass surveillance. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 1–19. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_1
[16] Bellare, M., Rogaway, P.: Minimizing the use of random oracles in authenticated encryption schemes. In: Han, Y., Okamoto, T., Qing, S. (eds.) ICICS 1997. LNCS, vol. 1334, pp. 1–16. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0028457
[17] Bello, L.: DSA-1571-1 OpenSSL—Predictable Random Number Generator. https://www.debian.org/security/2008/dsa-1571 (2008)
[18] Bohli, J.-M., González Vasco, M.I., Steinwandt, R.: A subliminal-free variant of ECDSA. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 375–387. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74124-4_25
[19] Checkoway, S., et al.: A systematic analysis of the Juniper Dual EC incident. In: ACM-CCS 2016, pp. 468–479. ACM (2016)
[20] Checkoway, S., et al.: On the practical exploitability of Dual EC in TLS implementations. In: USENIX Security Symposium, pp. 319–335. USENIX Association (2014)
[21] Choi, J.Y., Golle, P., Jakobsson, M.: Tamper-evident digital signature protecting certification authorities against malware. In: DASC 2006, pp. 37–44. IEEE (2006)
[22] Dodis, Y., Ganesh, C., Golovnev, A., Juels, A., Ristenpart, T.: A formal treatment of backdoored pseudorandom generators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 101–126. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_5
[23] Dodis, Y., Gennaro, R., Håstad, J., Krawczyk, H., Rabin, T.: Randomness extraction and key derivation using the CBC, cascade and HMAC modes. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 494–510. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_30
[24] Fried, J., Gaudry, P., Heninger, N., Thomé, E.: A kilobit hidden SNFS discrete logarithm computation. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 202–231. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_8
[25] Haber, S., Stornetta, W.S.: How to time-stamp a digital document. In: Menezes, A.J., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 437–455. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-38424-3_32
[26] Hanzlik, L., Kluczniak, K., Kutyłowski, M.: Controlled randomness – a defense against backdoors in cryptographic devices. In: Phan, R.C.-W., Yung, M. (eds.) Mycrypt 2016. LNCS, vol. 10311, pp. 215–232. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61273-7_11
[27] Harkins, D., Carrel, D.: RFC 2409: the internet key exchange (IKE). Technical report, Internet Engineering Task Force (1998)
[28] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., Kivinen, T.: RFC 7296: internet key exchange protocol version 2 (IKEv2). Technical report, Internet Engineering Task Force (2014)
[29] Kucner, D., Kutyłowski, M.: Stochastic kleptography detection. In: Public-Key Cryptography and Computational Number Theory, pp. 137–149 (2001)
[30] Kwant, R., Lange, T., Thissen, K.: Lattice klepto. In: Adams, C., Camenisch, J. (eds.) SAC 2017. LNCS, vol. 10719, pp. 336–354. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-72565-9_17
[31] Lampson, B.W.: A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)
[32] Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: FOCS 1997, pp. 458–467. IEEE Computer Society (1997)
[33] Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM (JACM) 51(2), 231–262 (2004)
[34] Perlroth, N., Larson, J., Shane, S.: NSA Able to Foil Basic Safeguards of Privacy on Web, vol. 5. The New York Times, New York (2013)
[35] Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
[36] Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Cliptography: clipping the power of kleptographic attacks. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 34–64. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_2
[37] Russell, A., Tang, Q., Yung, M., Zhou, H.-S.: Generic semantic security against a kleptographic adversary. In: ACM-CCS 2017, pp. 907–922. ACM (2017)
[38] Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
[39] Simmons, G.J.: The subliminal channel and digital signatures. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 364–378. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39757-4_25
[40] Simmons, G.J.: Subliminal communication is easy using the DSA. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 218–232. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_18
[41] Simmons, G.J.: Subliminal channels; past and present. Eur. Trans. Telecommun. 5(4), 459–474 (1994)
[42] Teşeleanu, G.: Unifying kleptographic attacks. In: Gruschka, N. (ed.) NordSec 2018. LNCS, vol. 11252, pp. 73–87. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03638-6_5
[43] Teşeleanu, G.: Managing your kleptographic subscription plan. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E.M. (eds.) C2SI 2019. LNCS, vol. 11445, pp. 452–461. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-16458-4_26
[44] Wu, C.K.: Hash channels. Comput. Secur. 24(8), 653–661 (2005)
[45] Young, A., Yung, M.: The dark side of “Black-Box” cryptography or: should we trust Capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_8
[46] Young, A., Yung, M.: Kleptography: using cryptography against cryptography. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 62–74. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_6
[47] Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052241
[48] Young, A., Yung, M.: Malicious Cryptography: Exposing Cryptovirology. Wiley, Hoboken (2004)
[49] Zheng, Y., Seberry, J.: Immunizing public key cryptosystems against chosen ciphertext attacks. IEEE J. Sel. Areas Commun. 11(5), 715–724 (1993)
A Additional Preliminaries
A.1 Definitions
Definition 6
(Computational Diffie-Hellman, cdh). Let \(\mathbb G\) be a cyclic group of order q, g a generator of \(\mathbb G\), and let A be a PPT algorithm that returns an element of \(\mathbb G\). We define the advantage
If \({ADV}_{\mathbb {G},g}^{\textsc {cdh}}(A)\) is negligible for any PPT algorithm A, we say that the Computational Diffie-Hellman problem is hard in \(\mathbb G\).
Remark 7
The cdh assumption is standard and is included here for completeness. The hdh assumption was formally introduced in [8, 9], although it had already been described informally, as a composite assumption, in [16, 49]. According to [16], the hdh assumption is equivalent to the cdh assumption in the ROM. A standard-model analogue of the hdh assumption exists, but this paper works with the Schnorr signature scheme, which is itself only proven secure in the ROM; security in the ROM therefore suffices for our purposes.
Definition 7
(Unique Signature Scheme). Let S be a signature scheme and pk be a public key generated by the KeyGen algorithm of S. We say that S is a Unique Signature Scheme if for any message m and any signatures of m, \(\sigma _1 \ne \sigma _2\)
is negligible.
Definition 8
(Re-Randomizable Signature Scheme). Let S be a signature scheme and (pk, sk) be a public/secret key pair generated by the KeyGen algorithm of S. We say that S is a Re-Randomizable Signature Scheme if there exists a PPT algorithm ReRand such that, for every message m and every valid signature \(\sigma\) of m under pk, the output of ReRand\((m, \sigma, pk)\) is statistically indistinguishable from the output of Sign(m, sk).
A.2 Covert Channels
Trivial Subliminal Channel. The Schnorr signature scheme admits a subliminal channel based on rejection sampling. We further describe its one-bit version, the trivial subliminal channel, where \(\omega \in \{0, 1\}\) is the bit to be leaked.
Sign (m, sk): Choose a fresh \(k\) and compute \(r \leftarrow g^k\), repeating until \(r \equiv \omega \pmod 2\). To sign the message \(m \in \{0, 1\}^*\) compute \(e \leftarrow h(r\Vert m)\) and \(s \leftarrow k - xe \bmod q\). Output the signature (e, s).
Extract (e, s): To extract the embedded bit compute \(\omega \leftarrow g^sy^e \bmod 2\). This works because \(g^s y^e = g^{k - xe} g^{xe} = g^k = r\); note that the extractor needs only the public key y, so the warden can read \(\omega\) as easily as the intended receiver.
Young-Yung SETUP Attack. In [45,46,47,48], the authors propose a kleptographic version of Schnorr signatures and prove it ind-covert secure in the standard model under the hdh assumption. The algorithms of the SETUP attack are briefly described below. Note that after D signs at least two messages, Mallory can recover Charlie’s secret key x and thus impersonate Charlie.
Malicious ParamGen (pp): Let \(H: \mathbb {G} \rightarrow \mathbb {Z}_q^*\) be a hash function. Output the public parameter \(sp_M = H\). Note that H is stored in D’s volatile memory.
Malicious KeyGen (pp): Choose a secret exponent \(x_M\) and compute \(y_M \leftarrow g^{x_M}\). Output the public key \(pk_M = y_M\), which is stored in D’s volatile memory. The secret key \(sk_M = x_M\) is known only to Mallory and is never stored in the black-box.
Signing Sessions: The possible signing sessions performed by D are described below. Let \(i \ge 1\).
Session\(_0(m_0, sk)\): To sign message \(m_0 \in \mathbb {G}\), D does the following
The value \(k_0\) is stored in D’s volatile memory until the end of Session\(_1\). Output the signature \((r_0, s_0)\).
Session\(_i(m_i, sk, pk_M)\): To sign message \(m_i \in \mathbb {G}\), D does the following
The value \(k_{i}\) is stored in D’s volatile memory until the end of Session\(_{i+1}\). Output the signature \((r_i, s_i)\).
Recovering \((e_{i-1}, s_{i-1}, e_i, s_i, sk_M)\): Compute \(r_{i-1} \leftarrow g^{s_{i-1}} y^{e_{i-1}}\) (which equals \(g^{k_{i-1}}\)), then \(\alpha \leftarrow r_{i-1}^{x_M}\) and \(k_i \leftarrow H(\alpha)\). Recover x by computing \(x \leftarrow e_i^{-1} (k_i - s_i)\bmod q\), which follows from \(s_i = k_i - x e_i \bmod q\). Only two consecutive signatures, Charlie’s public key y and Mallory’s secret key \(x_M\) are needed.
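The following program is an added example, not code from the paper, that runs both channels of this appendix over a concrete group: the trivial channel, generalised from one bit to a few low-order bits of r, and the SETUP together with Mallory’s recovery of x. Everything beyond the page’s description is an assumption: the group is the 1024-bit MODP group 2 of RFC 2409 (a safe prime p = 2q + 1 with p ≡ 7 mod 8, so g = 2 has prime order q); h and Mallory’s H are both SHA-256 reduced into \(\mathbb{Z}_q\); signatures are written as (e, s), as in the trivial channel, so that Recovering can consume \(e_{i-1}\) and \(e_i\) directly; and since the bodies of Session\(_0\) and Session\(_i\) are not reproduced above, the device’s nonce rule \(k_i = H(r_{i-1}^{x_M})\) is reconstructed from the Recovering algorithm, with D evaluating \(r_{i-1}^{x_M}\) as \(y_M^{k_{i-1}}\).

```python
# Added example, not code from the paper: Schnorr signatures in the order-q
# subgroup of Z_p^* with (a) the trivial subliminal channel and (b) the
# Young-Yung style SETUP of Appendix A.2.  Assumptions: p is the 1024-bit MODP
# group 2 prime of RFC 2409 (safe prime p = 2q + 1, p = 7 mod 8, so g = 2 has
# prime order q); h and Mallory's H are both SHA-256 reduced into Z_q.
import hashlib
import secrets

P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
p = int(P_HEX, 16)
q = (p - 1) // 2
g = 2
NBYTES = (p.bit_length() + 7) // 8      # 128 bytes per group element

def h(r, m):
    """Schnorr challenge e = h(r || m), reduced mod q."""
    d = hashlib.sha256(r.to_bytes(NBYTES, "big") + m).digest()
    return int.from_bytes(d, "big") % q

def H(alpha):
    """Mallory's hash H: G -> Z_q^*, used by D to derive the subverted nonce."""
    d = hashlib.sha256(b"setup|" + alpha.to_bytes(NBYTES, "big")).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)

def keygen():
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)              # (sk, pk) = (x, y = g^x)

def sign_with_k(m, x, k):
    """Schnorr signature (e, s) for nonce k: e = h(g^k || m), s = k - x e mod q."""
    e = h(pow(g, k, p), m)
    return e, (k - x * e) % q

def recover_r(y, sig):
    """g^s y^e = g^(k - xe) g^(xe) = g^k = r, from public values only."""
    e, s = sig
    return pow(g, s, p) * pow(y, e, p) % p

def verify(m, y, sig):
    return h(recover_r(y, sig), m) == sig[0]

# (a) Trivial subliminal channel, generalised from one bit to the low nbits
# bits of r: rejection-sample k until r = g^k carries omega (about 2**nbits
# exponentiations), then sign as usual.
def subliminal_sign(m, x, omega, nbits=1):
    mask = (1 << nbits) - 1
    while True:
        k = secrets.randbelow(q - 1) + 1
        if pow(g, k, p) & mask == omega:
            return sign_with_k(m, x, k)

def subliminal_extract(y, sig, nbits=1):
    """Anyone holding the public key, the warden included, reads omega."""
    return recover_r(y, sig) & ((1 << nbits) - 1)

# (b) SETUP. Session_0 uses an honest random nonce; each later Session_i sets
# k_i = H(r_{i-1}^{x_M}).  D evaluates r_{i-1}^{x_M} as y_M^{k_{i-1}} (equal,
# since r_{i-1} = g^{k_{i-1}}), which is why k_{i-1} must survive in volatile
# memory until Session_i ends.  This nonce rule is reconstructed from Recovering.
class SubvertedDevice:
    def __init__(self, x, y_M):
        self.x, self.y_M, self.k_prev = x, y_M, None

    def sign(self, m):
        if self.k_prev is None:                         # Session_0
            k = secrets.randbelow(q - 1) + 1
        else:                                           # Session_i, i >= 1
            k = H(pow(self.y_M, self.k_prev, p))
        self.k_prev = k
        return sign_with_k(m, self.x, k)

def mallory_recover(sig_prev, sig_cur, y, x_M):
    """Two consecutive signatures plus Mallory's x_M yield Charlie's x."""
    r_prev = recover_r(y, sig_prev)                     # g^{s_{i-1}} y^{e_{i-1}}
    k_cur = H(pow(r_prev, x_M, p))                      # k_i = H(r_{i-1}^{x_M})
    e_cur, s_cur = sig_cur
    return (k_cur - s_cur) * pow(e_cur, -1, q) % q      # x = e_i^{-1}(k_i - s_i)

def demo():
    """Exercise both channels once; every signature is a valid Schnorr signature."""
    x, y = keygen()                                     # Charlie's key pair
    x_M, y_M = keygen()                                 # Mallory's key pair
    sig = subliminal_sign(b"pay 10 EUR", x, omega=5, nbits=3)
    D = SubvertedDevice(x, y_M)
    sig0, sig1 = D.sign(b"m0"), D.sign(b"m1")
    return {
        "subliminal_sig_valid": verify(b"pay 10 EUR", y, sig),
        "omega_extracted": subliminal_extract(y, sig, nbits=3),
        "setup_sigs_valid": verify(b"m0", y, sig0) and verify(b"m1", y, sig1),
        "key_recovered": mallory_recover(sig0, sig1, y, x_M) == x,
    }

if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary returned by demo(); all four entries should read True, with omega_extracted equal to 5. Two points worth noticing: subliminal_extract needs only the public key, so the trivial channel hides the existence of a channel (the low bits of an honest r are uniform) rather than its content, while the SETUP nonces look random to anyone without \(x_M\) yet hand x to Mallory after the second signature. Both cases pass verify unchanged, which is exactly why subliminal-freeness has to be enforced by construction rather than detected at verification time.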
Copyright information
© 2019 Springer Nature Switzerland AG
Cite this paper
Teşeleanu, G. (2019). Subliminal Hash Channels. In: Gueye, C., Persichetti, E., Cayrel, PL., Buchmann, J. (eds) Algebra, Codes and Cryptology. A2C 2019. Communications in Computer and Information Science, vol 1133. Springer, Cham. https://doi.org/10.1007/978-3-030-36237-9_9
DOI: https://doi.org/10.1007/978-3-030-36237-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36236-2
Online ISBN: 978-3-030-36237-9