Subliminal Channels in the Digital Signature Algorithm (DSA)
The recent discussion of possible subliminal channels (which some call covert channels) in the DSA reminds me of a preprint of a paper I received several months back with a rather mysterious note attached to it. There was no return address on the envelope. Apparently a number of Cypherpunks and folks active in the sci.crypt community also received it, as it came up on sci.crypt and we talked about it at a physical Cypherpunks meeting. The note read: "This needs to be made very public. Simmons resigned from Sandia over writing it."

Some caveats:

* This allegation that Gus Simmons left Sandia was denied by several folks on sci.crypt who actually _know_ Simmons. I don't know him, so I haven't checked directly.

* Some say this paper is hardly earth-shaking, though the possibility of subliminal channels should be taken seriously, especially in light of the cross-licensing of DSA/DSS with Public Key Partners (RSA Data, etc.).

* I don't even know where this paper is being published--the preprint gave no clues. The timing of my getting it, several months back, suggests this year's Crypto Conference. The advance program ought to have it (I can't find my copy).

I've OCRed the first page or so, including the Abstract. Too many OCR errors and too many equations with Greek symbols for me to scan in the entire 20-page paper. The implications for Clipper, Capstone, Skipjack, etc. I'll leave for now. Here it is:

The Subliminal Channels in the U.S. Digital Signature Algorithm (DSA)

Gustavus J. Simmons
Sandia Park, NM 87047, USA

Abstract

Since the DSA is derivative from El Gamal's digital signature scheme--which Simmons showed in 1985 permitted a subliminal channel--it should come as no surprise that the DSA also permits a similar channel. The subliminal channel in the El Gamal scheme, however, had several shortcomings. In order for the subliminal receiver to be able to recover the subliminal message, it was necessary for him to know the transmitter's secret key. This meant that the subliminal receiver had the capability to utter undetectable forgeries of the transmitter's signature. Also, only a subset of the desired message set could be communicated subliminally (phi(p-1) messages instead of p-1) and some of those that could be transmitted were computationally infeasible for the subliminal receiver to recover. The subliminal channels in the DSA avoid all of these difficulties! In fairness, it should be mentioned that not all are avoided at the same time. The channel in the DSA analogous to the one Simmons demonstrated in the El Gamal scheme can communicate messages conveying the full log-base-2 |X| bits, where X is the set of session keys; all of which are easily recovered by the subliminal receiver. However, this broadband channel still requires the subliminal receiver to know the transmitter's secret key. There are two other narrowband (<< log-base-2 |X|) subliminal channels in the DSA that do not give the subliminal receiver any better chance of forging the transmitter's signature than an outsider has. The price one pays for this integrity for the transmitter's signature is a reduced bandwidth for the subliminal channel and a difficult but feasible (dependent on the bandwidth actually used) amount of computation needed to use the channel. Two quite different such channels have been devised: one places the computational load almost entirely on the transmitter, the other almost entirely on the subliminal receiver. Since the total computation is essentially the same in either case, the choice of a particular channel would be based on which end is best equipped to do the necessary computation. To make clear what a remarkable coincidence it is that the apparently inherent shortcomings of subliminal channels using the El Gamal scheme can all be overcome in the DSA, we will analyze each of the channels implemented in both schemes. The inescapable conclusion, though, is that the DSA provides the most hospitable setting for subliminal communications discovered to date.

Introduction

In 1983 Simmons introduced the notion of a subliminal channel existing in an encrypted communication channel by pointing out that if for each plaintext there existed two or more corresponding cipher texts, the identity of the cipher used to communicate a plaintext could convey information additional to that revealed by the decryption of the cipher [5]. In particular, in a public-key based authentication scheme in which the decryption key must be public information in order for public receivers to be able to decrypt cipher texts and verify the authenticity of the encrypted plaintext, this raised the possibility of there also being subliminal receivers who could recover information hidden from the public receivers: hence the name of a subliminal channel. Clearly subliminal channel receivers must have private information not known to public receivers--and as we will see, the nature of this private information provides a natural classification for subliminal channels.

(rest of paper not OCRed...too many errors (blurred fonts), too many equations)
tcmay@netcom.com
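As an added illustration, not from the post or from Simmons' paper, here is a toy-parameter DSA in Python showing the "broadband" channel the abstract describes: the signer uses the covert message itself as the per-signature secret k, the public verifier accepts the signature as usual, and a subliminal receiver who holds the private key x solves the signing equation for k. The private key, covert value, message and the tiny modulus size are constructed assumptions; real DSA uses a q of 160 bits or more.

```python
# Added toy example: DSA with Simmons' broadband subliminal channel. The covert
# message IS the signer's per-signature secret k; whoever holds private key x can
# solve the signing equation for k, so the channel is wide but costs the signer x.
import hashlib

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_params(q=1009):
    """(p, q, g) with q | p-1 and g of order q, as in DSA parameter generation."""
    j = 2
    while not is_prime(j * q + 1):
        j += 2
    p, h = j * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:      # find an element of order q
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def hash_mod_q(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def sign(msg, x, k, params):
    """Ordinary DSA signing; k is meant to be fresh randomness, but nothing
    in the algorithm stops a signer from choosing it to carry a message."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (hash_mod_q(msg, q) + x * r)) % q
    if r == 0 or s == 0:                     # DSA would pick a new k here
        raise ValueError("degenerate signature for this k")
    return r, s

def verify(msg, sig, y, params):
    """Public verification sees only (r, s); it cannot tell how k was chosen."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_mod_q(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r

def subliminal_recover(msg, sig, x, params):
    """Receiver knowing x inverts s = k^-1 (H + x r): k = s^-1 (H + x r) mod q."""
    _, q, _ = params
    r, s = sig
    return pow(s, -1, q) * (hash_mod_q(msg, q) + x * r) % q

def demo(covert=777, x=123):
    """Constructed private key x and covert value; returns (verifies?, recovered k)."""
    params = make_params()
    y = pow(params[2], x, params[0])         # public key y = g^x mod p
    msg = b"innocuous signed text"
    sig = sign(msg, x, covert, params)
    return verify(msg, sig, y, params), subliminal_recover(msg, sig, x, params)
```

The verifier's acceptance is the point: nothing in (r, s) reveals whether k was random or chosen, so closing this channel means controlling how k is generated rather than inspecting signatures, which is why the abstract ties the broadband channel to the receiver knowing x.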