# Abuses in Cryptography and How to Fight Them

## Abstract

The following seems quite familiar: “Alice and Bob want to flip a coin by telephone. (They have just divorced, live in different countries, want to decide who will have the children during the next holiday.) …” So they use the protocol of [Blu82] (or an improved one). However, Alice and Bob’s divorce has been set up to cover their spying activities. When they run [Blu82]’s protocol they do not care whether the “coin flip” is random; what they want is to abuse the protocol to send secret information to each other. The counter-espionage service, however, does not know that the divorce and the use of [Blu82]’s protocol are just a cover.

In this paper, we demonstrate how several modern cryptosystems can be abused. We generalize [Sim83b]’s subliminal channel and [DGB87]’s abuse of the [FFS87, FS86] identification systems and demonstrate how one can prevent abuses of cryptosystems.
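The abuse sketched in the abstract, worked through as an added illustration that is not part of the paper: a commit-and-reveal coin flip in which Alice's randomness is her free choice, so she can rejection-sample it until a keyed function of it spells out the next chunk of a hidden message. Bob (who shares the key) reads the message from the openings, while a warden who checks every commitment and every coin outcome sees a perfectly valid run. The SHA-256 commitment, the HMAC-based cover function, the shared key, the message `b"hi"` and all function names are assumptions made for this example; they stand in for, and are not, the quadratic-residue construction of [Blu82] or any of the paper's own constructions or countermeasures.

```python
import hashlib
import hmac
import secrets


def commit(bit: int, r: bytes) -> bytes:
    """Alice's commitment to her coin bit: c = SHA-256(bit || r).

    Stand-in for the number-theoretic commitment of [Blu82]; the subliminal
    trick only needs the randomness r to be Alice's free choice.
    """
    return hashlib.sha256(bytes([bit]) + r).digest()


def cover_value(key: bytes, r: bytes, k: int) -> int:
    """k-bit value the conspirators derive from the opened randomness r.

    Keyed with their shared secret, so a warden who sees r in the transcript
    cannot compute it; for honest (uniform) r the value is itself uniform.
    """
    tag = hmac.new(key, r, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") & ((1 << k) - 1)


def subliminal_randomness(key: bytes, chunk: int, k: int, nbytes: int = 16) -> bytes:
    """Rejection-sample r until cover_value(key, r, k) == chunk.

    Takes 2**k draws on average. The result is uniform over all r that encode
    `chunk`, so without the key it is indistinguishable from honest randomness.
    """
    while True:
        r = secrets.token_bytes(nbytes)
        if cover_value(key, r, k) == chunk:
            return r


def to_chunks(msg: bytes, k: int) -> list[int]:
    """Split msg into k-bit chunks, most significant first; last chunk is zero-padded."""
    nbits = len(msg) * 8
    nchunks = -(-nbits // k)
    padded = int.from_bytes(msg, "big") << (nchunks * k - nbits)
    return [(padded >> (k * (nchunks - 1 - i))) & ((1 << k) - 1) for i in range(nchunks)]


def from_chunks(chunks: list[int], k: int, nbytes: int) -> bytes:
    """Inverse of to_chunks."""
    v = 0
    for c in chunks:
        v = (v << k) | c
    v >>= len(chunks) * k - nbytes * 8
    return v.to_bytes(nbytes, "big")


def coin_flip_round(a: int, r: bytes, b: int) -> dict:
    """One round: Alice sends commit(a, r), Bob answers b, Alice opens (a, r); coin = a XOR b."""
    return {"commit": commit(a, r), "bob": b, "alice": a, "rand": r, "coin": a ^ b}


def alice_sends(key: bytes, msg: bytes, k: int, bob_bits: list[int]) -> list[dict]:
    """Alice runs one coin flip per k-bit chunk of msg and hides the chunk in r.

    Her coin bit a stays genuinely random: she does not care who wins the
    flip, only that the opened r reaches Bob.
    """
    chunks = to_chunks(msg, k)
    if len(bob_bits) < len(chunks):
        raise ValueError("need one coin-flip round per message chunk")
    transcript = []
    for chunk, b in zip(chunks, bob_bits):
        a = secrets.randbits(1)
        r = subliminal_randomness(key, chunk, k)
        transcript.append(coin_flip_round(a, r, b))
    return transcript


def bob_reads(key: bytes, transcript: list[dict], k: int, nbytes: int) -> bytes:
    """Bob recovers the message from the randomness Alice opened in each round."""
    return from_chunks([cover_value(key, t["rand"], k) for t in transcript], k, nbytes)


def warden_checks(transcript: list[dict]) -> bool:
    """Everything the counter-espionage service can verify from the transcript:
    each opening matches its commitment and each coin equals a XOR b.
    A subliminal transcript passes all of these checks."""
    return all(
        commit(t["alice"], t["rand"]) == t["commit"] and t["coin"] == (t["alice"] ^ t["bob"])
        for t in transcript
    )


if __name__ == "__main__":
    key = b"alice-bob-shared-secret"   # constructed example key
    bob_guesses = [1, 0, 0, 1]          # Bob's bit for each of the four rounds
    tr = alice_sends(key, b"hi", 4, bob_guesses)
    print("warden accepts:", warden_checks(tr), "| Bob reads:", bob_reads(key, tr, 4, 2))
```

With k = 4 each flip carries half a byte, at the cost of about 16 candidate draws per round; the trade-off is purely Alice's computation, nothing in the transcript changes. Note that the warden's checks cannot catch this because they only test what the protocol was designed to guarantee (binding commitments, a fair coin), not where Alice's randomness came from.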

## Keywords

Quadratic Residue; Covert Channel; Proof Mechanism; Jacobi Symbol; Narrow Context

## 6 References

- [Ada88] J. A. Adam. Ways to verify the U.S.-Soviet arms pact. *IEEE Spectrum*, pp. 30–34, February 1988.
- [BC86] G. Brassard and C. Crepeau. Non-transitive transfer of confidence: a perfect zero-knowledge interactive protocol for SAT and beyond. In *27th Annual Symp. on Foundations of Computer Science (FOCS)*, pp. 188–195, IEEE Computer Society Press, October 27–29, 1986. Toronto, Ontario, Canada.
- [BFM88] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In *Proceedings of the Twentieth ACM Symp. on Theory of Computing, STOC*, pp. 103–112, May 2–4, 1988.
- [BG84] M. Blum and S. Goldwasser. An efficient probabilistic public-key encryption scheme which hides all partial information. In *Advances in Cryptology. Proc. of Crypto ’84 (Lecture Notes in Computer Science 196)*, pp. 289–299, Springer-Verlag, New York, 1985. Santa Barbara, August 1984.
- [Blu82] M. Blum. Coin flipping by telephone — a protocol for solving impossible problems. In *Digest of Papers COMPCON82*, pp. 133–137, IEEE Computer Society, February 1982.
- [Dep83] *Department of Defense Trusted Computer System Evaluation Criteria*. U.S. Department of Defense, August 15, 1983. Also known as the Orange Book.
- [Des] Y. Desmedt. Abuse-free cryptosystems: particularly subliminal-free authentication and signature. In preparation, available from the author when finished.
- [Des88] Y. Desmedt. Subliminal-free authentication and signature. May 1988. Presented at Eurocrypt ’88, Davos, Switzerland; to appear in *Advances in Cryptology. Proc. of Eurocrypt 88 (Lecture Notes in Computer Science)*, Springer-Verlag.
- [DGB87] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. In C. Pomerance, editor, *Advances in Cryptology, Proc. of Crypto ’87 (Lecture Notes in Computer Science 293)*, pp. 21–39, Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16–20.
- [FFS87] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In *Proceedings of the Nineteenth ACM Symp. on Theory of Computing, STOC*, pp. 210–217, May 25–27, 1987.
- [FS86] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, *Advances in Cryptology, Proc. of Crypto ’86 (Lecture Notes in Computer Science 263)*, pp. 186–194, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11–15.
- [GMR] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. To appear in *SIAM J. Comput.*, vol. 18, no. 1, January 1989.
- [GMR88] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. *SIAM J. Comput.*, 17(2), pp. 281–308, April 1988.
- [GMW86] O. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodology of cryptographic protocol design. In A. Odlyzko, editor, *Advances in Cryptology, Proc. of Crypto ’86 (Lecture Notes in Computer Science 263)*, pp. 171–185, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11–15.
- [Lam73] B. W. Lampson. A note on the confinement problem. *Comm. ACM*, 16(10), pp. 613–615, October 1973.
- [PK79] G. J. Popek and C. S. Kline. Encryption and secure computer networks. *ACM Computing Surveys*, 11(4), pp. 335–356, December 1979.
- [RS85] R. L. Rivest and A. Shamir. Efficient factoring based on partial information. In F. Pichler, editor, *Advances in Cryptology. Proc. of Eurocrypt 85 (Lecture Notes in Computer Science 209)*, pp. 31–34, Springer-Verlag, Berlin, 1986.
- [Sim83a] G. J. Simmons. Verification of treaty compliance — revisited. In *Proc. of the 1983 IEEE Symposium on Security and Privacy*, pp. 61–66, IEEE Computer Society Press, April 25–27, 1983. Oakland, California.
- [Sim83b] G. J. Simmons. The prisoners’ problem and the subliminal channel. In D. Chaum, editor, *Advances in Cryptology. Proc. of Crypto 83*, pp. 51–67, Plenum Press, New York, 1984. Santa Barbara, California, August 1983.
- [Sim88] G. J. Simmons. How to insure that data acquired to verify treaty compliance are trustworthy. *Proc. IEEE*, 76(5), pp. 621–627, May 1988.