Kleptography: Using Cryptography Against Cryptography

  • Adam Young
  • Moti Yung
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1233)


The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) has been recently introduced. In this paper we extend the study of stealing information securely and subliminally from black-box cryptosystems. The SETUP mechanisms presented here, in contrast with previous ones, leak secret key information without using an explicit subliminal channel. This extends this area of threats, which we call “kleptography”.

We introduce new definitions of SETUP attacks (strong, regular, and weak SETUPs) and the notion of m out of n leakage bandwidth. We show a strong attack which is based on the discrete logarithm problem. We then show how to use this setup to compromise the Diffie-Hellman key exchange protocol. We also strengthen the previous SETUP against RSA. The strong attacks employ the discrete logarithm as a one-way function (assuring what is called “forward secrecy”), public-key cryptography, and a technique which we call probabilistic bias removal.

Key words

cryptanalytic attacks kleptography leakage bandwidth Discrete Log Diffie-Hellman RSA design and manufacturing of cryptographic devices and software black-box devices subliminal channels information hiding SETUP mechanisms randomness pseudorandomness 


  1. [Des90]
    Yvo Desmedt. Abuses in Cryptography and How to Fight Them. In Advances in Cryptology—CRYPTO’ 88, pages 375–389, Berlin, 1990. Springer-Verlag.Google Scholar
  2. [DH76]
    W. Diffie, M. Hellman. New Directions in Cryptography. In IEEE Trans. on Information Theory, 22(6), pages 644–654, 1976.CrossRefzbMATHMathSciNetGoogle Scholar
  3. [ElG85]
    T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology—CRYPTO’ 84, pages 10–18, Berlin, 1985. Springer-Verlag.Google Scholar
  4. [GGM86]
    O. Goldreich, S. Goldwasser, and S. Micali, How to Construct Random Functions. J. of the ACM, 33(4), pp 210–217, 1986.CrossRefMathSciNetGoogle Scholar
  5. [GM84]
    S. Goldwasser and S. Micali, Probabilistic Encryption. J. Comp. Sys. Sci. 28, pp 270–299, 1984.CrossRefzbMATHMathSciNetGoogle Scholar
  6. [KL95]
    J. Kilian and F.T. Leighton. Fair Cryptosystems Revisited. In Advances in Cryptology—CRYPTO’ 95, pages 208–221, Berlin, 1995. Springer-Verlag.Google Scholar
  7. [RSA78]
    R. Rivest, A. Shamir, L. Adleman. A method for obtaining Digital Signatures and Public-Key Cryptosystems. In Communications of the ACM, volume 21, n. 2, pages 120–126, 1978.CrossRefzbMATHMathSciNetGoogle Scholar
  8. [Sch]
    Jo Schueth, public communication (sci.crypt).Google Scholar
  9. [Sim85]
    G. J. Simmons. The Subliminal Channel and Digital Signatures. In Advances in Cryptology—EUROCRYPT’ 84, pages 51–57, Berlin, 1985. Springer-Verlag.Google Scholar
  10. [Sim94]
    G. J. Simmons. Subliminal Channels: Past and Present. In European Trans. on Telecommunication, 5(4), 1994, pages 459–473.CrossRefGoogle Scholar
  11. [YY96]
    A. Young, M. Yung. The Dark Side of Black-Box Cryptography. In Advances in Cryptology—CRYPTO’ 96, pages 89–103, Springer-Verlag.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 1997

Authors and Affiliations

  • Adam Young
    • 1
  • Moti Yung
    • 2
  1. 1.Dept. of Computer ScienceColumbia UniversityColumbia
  2. 2.CertCoUSA

Personalised recommendations