Subliminal Communication is Easy Using the DSA
In I985, Simmons showed how to embed a subliminal channel in digital signatures created using the El Gamal signature scheme. This channel, though, had several shortcomings. In order for the subliminal receiver to be able to recover the subliminal message, it was necessary Tor him to know the transmitter’s secret key. This meant that the subliminal receiver had the capability to utter undetectable forgeries of the transmitter’s signature. Also, only a fraction of the number of messages that the channel could accommodate in principal could actually be communicated subliminally (ϕ(p-1) messages instead of p-1) and some of those that could be transmitted were computationally infeasible for the subliminal receiver to recover.
In August 1991, the U.S. National Institute of Standards and Technology proposed as a standard a digital signature algorithm (DSA) derived from the El Gamal scheme. The DSA accommodates a number of subliminal channels that avoid all of the shortcomings encountered in the El Gamal scheme. In fairness, it should be mentioned that not all are avoided at the same time. The channel in the DSA analogous to the one Simmons demonstrated in the El Gamal scheme can use all of the bits contained in the signature that are not used to provide for the security of the signature against forgery, alteration or transplantation, and is hence said to be broadband. All messages can be easily encoded for communication through this channel and are easily decoded by the subliminal receiver. However, this broadband channel still requires that the subliminal receiver know the transmitter’s secret key. There are two narrowband subliminal channels in the DSA, though, that do not give the subliminal receiver any better chance of forging the transmitter’s signature than an outsider has. The price one pays to secure this integrity for the transmitter’s signature is a greatly reduced bandwidth for the subliminal channel and a large, but feasible—dependent on the bandwidth actually used—amount of computation needed to use the channel. In one realization of a narrowband subliminal channel, the computational burden is almost entirely on the transmitter while in the other it is almost entirely on the subliminal receiver.
In this paper we discuss only the broadband channel. The narrowband channels have been described by Simmons in a paper presented at the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, February 15–16, 1993. Space does not permit them to be described here. The reader who wishes to see just how easy it is to communicate subliminally using the DSA is referred to that paper as well. The inescapable conclusion, though, is that the DSA provides the most hospitable setting for subliminal communications discovered to date.
KeywordsSigned Message Modular Exponentiation Forward Search Digital Signature Scheme Digital Signature Algorithm
- 1.El Gamal, T., “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. on Info. Theory. Vol. IT-31, No. 4, July 1985, pp. 469–72.Google Scholar
- 2.NIST, “A Proposed Federal Information Processing Standard for Digital Signal Standard (DSS),” Fed. Register. Vol. 56, No. 169, Aug., 1991, pp. 42980–2.Google Scholar
- 3.NIST, “Specifications for a Digital Signature Standard (DSS),” Federal Information Processing Standards Pub. xx (Draft), Aug. 19, 1991, 12 pps.Google Scholar
- 5.Simmons, C. J., “A Secure Subliminal Channel (?),” Crypto’85, Santa Barbara, CA, August 18–22, 1985, Advances in Cryptology, Ed. by H. C. Williams, Springer-Verlag, Berlin, 1986, pp. 33–41.Google Scholar
- 6.Simmons, G. J., “The Subliminal Channels in the U.S. Digital Signature Algorithm (DSA),” presented at the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, February 15–16, 1993, to be published in the Proceedings of the SPRC’93.Google Scholar
- 7.Simmons, G. J., and D. Holdridge, “Forward Search as a Cryptanalytic Tool Against a Public Key Privacy Channel,” Proc. of the IEEE Computer Soc. 1982 Svmp. on Security and Privacy. Oakland, CA, April 26–28, 1982, pp. 117–128.Google Scholar