Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons. They are a subgroup of Covert channels and can be used to communicate secretly in a normal looking communication over an insecure channel with help of digital signatures [1].

Simmons describes how the dilemma can be solved through parameter substitution in digital signature algorithms [2]. In signature algorithms like ElGamal and DSA exist parameters which have to be set with random. He shows how one can make usage of these parameter to send a message subliminally. Because the algorithm's signature creation procedure is unchanged, the signature remains verifiable and indistinguishable from a normal signature. Therefore it is hard to detect if the subliminal channel is used.

Subliminal channels can be classified into broadband and narrow-band channel. The broadband channel uses almost all available bits. Every channel which uses less bits is called a narrow-band channel. The additionally used bits are needed for further protection, e.g., impersonation. The broadband and the narrow-band channels can use different algorithm parameters. A narrow-band channel cannot transport maximal information, but it preserves the authentication key. Further developments enhance the subliminal channel, e.g., allow for establishing a broadband channel without the need to agree on an authentication key in advance. Other developments try to avoid the entire subliminal channel.

Examples

The easiest way to establish a subliminal channel is, to define that an even word count in a sentence is associated with the bit "0" and an odd word count with the bit "1". The question "Hello, how do you do?" would therefore send the subliminal message "1".

The Digital Signature Algorithm has a subliminal broadband[3] and three subliminal narrow-band channels [4].

At signing the parameter ${\displaystyle k}$ has to be set random. For the broadband channel this parameter is instead set with a subliminal message ${\displaystyle m'}$.

1. Key generation
1. choose prime ${\displaystyle p = 2347}$
2. choose prime ${\displaystyle q = 23}$
3. calculate generator ${\displaystyle g = 266}$
4. choose authentication key ${\displaystyle x = 1468}$ and send it securely to the receiver
5. calculate public key ${\displaystyle y = g^x}$ mod ${\displaystyle p = 2100}$
2. Signing
1. choose message ${\displaystyle m = 1337}$
2. (hash function ${\displaystyle H(m)}$ is here substituted with a modulo reduction by 107) calculate message hash value ${\displaystyle h = m}$ mod ${\displaystyle q = 1337}$ mod ${\displaystyle 107 = 53}$
3. instead of random value ${\displaystyle k = ?}$ subliminal message ${\displaystyle m' = 17}$ is chosen
4. calculate inverse of the subliminal message ${\displaystyle m'^{-1} = 19}$ mod ${\displaystyle 23}$
5. calculate signature value ${\displaystyle r = (g^k}$ mod ${\displaystyle p)}$ mod ${\displaystyle q = (266^{17}}$ mod ${\displaystyle 2347)}$ mod ${\displaystyle 23 = 12}$
6. calculate signature value ${\displaystyle s = k^{-1} * (h + x*r)}$ mod ${\displaystyle q = 19 * (53 + 1468 * 12)}$ mod ${\displaystyle 23 = 3}$
7. sending message with signature triple ${\displaystyle (1337; 12, 3)}$
3. Verifying
1. receiver gets message triple ${\displaystyle (m; r, s) = (1337; 12, 3)}$
2. calculate message hash ${\displaystyle h = H(m)}$ mod ${\displaystyle q = 1337}$ mod ${\displaystyle 107 = 53}$
3. calculate inverse ${\displaystyle w = s^{-1}}$ mod ${\displaystyle q = 8}$
4. calculate ${\displaystyle u_1 = (h * w)}$ mod ${\displaystyle q = 53 * 8}$ mod ${\displaystyle 23 = 10}$
5. calculate ${\displaystyle u_2 = (r * w)}$ mod ${\displaystyle q = 12 * 8}$ mod ${\displaystyle 23 = 4}$
6. calculate signature ${\displaystyle v = (g^{u_1} * y^{u_2}}$ mod ${\displaystyle p)}$ mod ${\displaystyle q = (266^{10} * 2100^4}$ mod ${\displaystyle 2347)}$ mod ${\displaystyle 23 = 12}$
7. since ${\displaystyle v = r}$, the is signature valid
4. Message extraction on receiver side
1. from triple (1337; 12, 3)
2. extract message ${\displaystyle m' = 8 * (53 + 1468 * 12)}$ mod ${\displaystyle 23 = 17}$

The formula for message extraction is derived by transposing the signature value ${\displaystyle s}$ calculation formula.

• ${\displaystyle s = m'^{-1} * (h + xr)}$ mod ${\displaystyle q}$
• ${\displaystyle s * m' = h + xr}$ mod ${\displaystyle q}$
• ${\displaystyle m' = s^{-1} * (h + xr)}$ mod ${\displaystyle q}$

Improvements

A modification to the Brickell and DeLaurentis signature scheme provides a broadband channel without the necessity to share the authentication key [5]. The Newton channel is not a subliminal channel, but it can be viewed as an enhancement [6].

Countermeasures

With the help of the Zero-knowledge proof and the Commitment scheme it is possible to prevent the usage of the subliminal channel [7]. It should be mentioned that the countermeasure from [7] has a 1-bit subliminal channel. The reason for that is the problem that a proof can succeed or purposely fail [8].

Another countermeasures can detect, not prevent, the subliminal usage of the randomness [9].

References

1. Gustavus J. Simmons. The Prisoners Problem and the Subliminal Channel. In Advances in Cryptology – CRYPTO ’83, pages 51–67, New York, 1984. Lecture Notes in Computer Science, ed. D. Chaum.
2. Gustavus J. Simmons. The subliminal channel and digital signatures. In Proc. of the EUROCRYPT 84 workshop on Advances in cryptology: theory and application of cryptographic techniques, pages 364–378, New York, NY, USA, 1985. Springer-Verlag New York, Inc.
3. Gustavus J. Simmons. Subliminal communication is easy using the DSA. In EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 218–232, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.
4. Gustavus J. Simmons. The subliminal channel in the U.S. Digital Signature Algorithm (DSA), 1993
5. Gustavus J. Simmons. A Secure Subliminal Channel (?). In CRYPTO ’85: Advances in Cryptology, pages 33–41, London, UK, 1986. Springer-Verlag.
6. Ross J. Anderson, Serge Vaudenay, Bart Preneel, and Kaisa Nyberg. The Newton Channel. In Proceedings of the First International Workshop on Information Hiding, pages 151–156, London, UK, 1996. Springer-Verlag.
7. Yvo Desmedt. Abuses in Cryptography and How to Fight Them. In CRYPTO ’88: Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pages 375–389, London, UK, 1990. Springer-Verlag.
8. Yvo Desmedt. Simmons’ Protocol is Not Free of Subliminal Channels. In In Proc. of 9th IEEE Computer Security Foundations Workshop, pages 170–175, 1996.
9. Protecting Certiﬁcation Authorities and Jong Youl Choi. Tamper Evident Digital Signatures:. Technical report, In Proceedings of the Symposium on Dependable Autonomic and Secure Computing 2006, 2005.
• Bruce Schneier. Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, 2. Ed. Wiley Computer Publishing, John Wiley & Sons, Inc., 1995.