Subliminal Channels in ECDSA and RSA
25 Dec 2021
§ Motivation
Initially, I found the "Subliminal channel" article on Wikipedia when looking into DSA, and I thought it was interesting. Unfortunately, it is lacking in details and citations.
Cryptosystems often utilize randomized values for security, however, fixing some of these random values to some known value can open up methods of sending covert messages.
§ DSA Subliminal Broadband
This section is based off of Gustavus Simmons' paper "Subliminal Communication is Easy Using the DSA"[1]; refer to this paper for more details regarding this method, and a discussion about a subliminal channel in Elgamal.
§ Background
In DSA for a given message we construct a signature which has a bit length of where , and two primes where .
One way we could attempt to send subliminal messages is to fix either or in the DSA signature, and let the other represent our covert message. Then, the probablilty that we can find that is accepted is the same as the probability of picking a random element in , or .
By inspecting how we generate ,
we can realize we map the residues of modulo to residues modulo . Since and , maps to a unique cycle of order in . Then, for any element with the order of will cycle over the same elements.
For large , we can expect the probability that a randomly chosen will be part of this cycle, and thusly part of a DSA signature, is approximately . However, it is easy to construct a that does occur. Choosing any and compute .
Given any of the valid , any element of is a valid value for . Also, given any , it is possible to get every valid with the right choice of .
It is impractical to compute an exhaustive list of valid , and it is impossible to show that a value cannot occur without an exhaustive search. This means that half of the information in a DSA signature are used in order to provide security.
Then, the remaining bits in the signature are available to be used in subliminal messages.
§ The Broadband
In order for Alice to utilize the subliminal channel to send messages to Bob, Alice must first share her secret key with Bob.
Then, the objective becomes: Alice must be able to communicate any choice of element in to Bob in a way that is impossible for anyone to recover the subliminal message without knowing Alice's secret , or detecting the subliminal channel even if the message is known beforehand.
Because and , there need not be a mapping from , rather we can let instead of choosing a random element.
DSA Subliminal Broadband
Suppose Alice wants to send a covert message to Bob, Alice begins by following the standard DSA procedure: picking , and a overt document .
Alice then generates the signature for the overt document with its signature with the standard formulae
except Alice uses .
Assuming and , Bob can recover by
If either or , then Alice must change one of . Changing the secret is problematic as Alice must be able to alert Bob that she intends on changing the private key.
As is prime, any non-zero element of has a multiplicative inverse. Invertibility is important because it means we do not need to do a forward search to decode (see the paper for more details).
An issue with this method is that it relies on Alice and Bob knowing the same secret ahead of time. However, there exists narrowband subliminal channels over DSA that can be used to communicate the secret covertly before starting a broadband channel.
§ RSA Subliminal Narrowband
In RSA we'd typically choose where are large primes. However, if we chose where are primes, then we can send messages via subliminal channels using the RSA algorithm.
There wasn't an example of this but the Wikipedia article states that we are able to send exactly one bit with this RSA subliminal channel. I suspect that to communicate via this channel, we can fix a prime value , and testing if the value is divisible by .
§ Detecting the Subliminal Channel
Next, we want to investigate if there is method to determine whether is indeed the product of two primes with zero knowledge of the prime factors (zero knowledge proof, ZKP).
On the Wikipedia article, there is a mention to a ZKP that by some researchers at the CWI in Amsterdam, without a citation nor author. Looking at the page history, I found that there once was an attribution to Bert den Boer, again without a citation to the specific paper by the author.
With some research, I found a paper by den Boer in 1991 entitled "Oblivious transfer protecting secrecy"[2] that references a procedure from a paper[3] by Jeroen van de Graaf and Rene Peralta that goes into this problem.
The paper by de Graaf and Peralta describes a protocol for convincing an adversary that an integer is of the form where and .
Safe-Prime
A prime is considered to be a safe-prime iff is prime as well.
Historically, and were desired to be safe-primes as the structure of a Blum integer is more difficult to factor by Pollard's and algorithms.
Blum Integer
A natural number is said to be a Blum integer if is semiprime, i.e. and that and are primes that are congruent to modulo
All safe-primes, except for , belong to the residue class modulo . So, for where are safe-primes, is a Blum integer.
In the case of RSA implementations that utilize Blum modulii, the procedure outlined by de Graaf and Peralta is indeed relevant to the problem, as our question of "is ?" boils down to "is the RSA modulii Blum?".
Outlined below is the procedure from den Boer's paper which is an adversarial version that does not rely on both parties using a mutually trusted source of randomness.
"Theorem 28.1: ZKP that is a Blum integer"
Suppose we want to verify that a composite number is in fact the product of two primes, without knowledge of the two primes.
Let Samantha create a composite number , and find a such that the Jacobi symbol . Samantha then sends these values to Victor.
Samantha and Victor then generate random residues modulo such that their Jacobi symbol is equal to , and they exchange residues.
Victor decides whether Samantha must find values of and such that equal to or , where is defined to be
Samantha sends to Victor, and Victor verifies that satisfies his challenge to Samantha.
Samantha has a chance of producing a successful pair of values. Therefore, Victor will continue this adversarial approach multiple times until he is satisfied that is indeed Blum.
The proofs of correctness and security can be found on the paper by de Graaf and Peralta[3:1].
On researching this problem, I found another paper[4] by Jan Camenisch and Markus Michels on another ZKP that a number is a product of two safe primes.
Unfortunately, with the advent of the quadratic and general number field sieves, it is no longer considered to be advantageous to choose Blum. There is currently no known method to determine if a given number is semiprime short of factorization, which makes finding this subliminal channel much harder to find.
Simmons G.J. (1994) Subliminal Communication is Easy Using the DSA. In: Helleseth T. (eds) Advances in Cryptology — EUROCRYPT ’93. EUROCRYPT 1993. Lecture Notes in Computer Science, vol 765. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48285-7_18 ↩︎
den Boer B. (1991) Oblivious transfer protecting secrecy. In: Damgård I.B. (eds) Advances in Cryptology — EUROCRYPT ’90. EUROCRYPT 1990. Lecture Notes in Computer Science, vol 473. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46877-3_4 ↩︎
van de Graaf J., Peralta R. (1988) A Simple and Secure Way to Show the Validity of Your Public Key. In: Pomerance C. (eds) Advances in Cryptology — CRYPTO ’87. CRYPTO 1987. Lecture Notes in Computer Science, vol 293. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48184-2_9 ↩︎ ↩︎
Camenisch J., Michels M. (1999) Proving in Zero-Knowledge that a Number is the Product of Two Safe Primes. In: Stern J. (eds) Advances in Cryptology — EUROCRYPT ’99. EUROCRYPT 1999. Lecture Notes in Computer Science, vol 1592. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-48910-X_8 ↩︎