The prevalence of kleptographic attacks on discrete-log based cryptosystems

Part of the Lecture Notes in Computer Science book series (LNCS, volume 1294)


The notion of a Secretly Embedded Trapdoor with Universal Protection (SETUP) and its variations on attacking black-box cryptosystems has been recently introduced. The basic definitions, issues, and examples of various setup attacks (called Kleptographic attacks) have also been presented. The goal of this work is to describe a methodological way of attacking cryptosystems which exploits certain relations between cryptosystem instances which exist within cryptosystems. We call such relations “kleptograms”. The identified kleptogram is used as the base for searching for a setup.

In particular, we employ as a discrete log based kleptogram a basic setup that was presented for the Diffie-Hellman key exchange. We show how it can be embedded in a large number of systems: the ElGamal encryption algorithm, the ElGamal signature algorithm, DSA, the Schnorr signature algorithm, and the Menezes-Vanstone PKCS. These embeddings can be extended directly to the MTI two-pass protocol, the Girault key agreement protocol, and many other cryptographic systems. These attacks demonstrate a systematic way to mount kleptographic attacks. They also show the vulnerability of systems based on the difficulty of computing discrete logs.

The setup attack on DSA exhibits a large bandwidth channel capable of leaking information which hardware black-box implementations (e.g., the Capstone chip) can use. We also show how to employ such channels for what we call “device marking”.

Finally, note that it has been perceived that the DSA signature scheme was originally designed to be robust against its abuse as a public-key channel, to distinguish it from RSA signatures (where the signing function is actually a decryption function). In this paper we refute this “perceived advantage” and show how the DSA system (in hardware or software) can be easily modified to securely leak private keys and secure messages between two cooperating parties.

Key words

  • DSA signature
  • ElGamal encryption
  • ElGamal signature
  • Menezes-Vanstone PKCS
  • Schnorr signature algorithm
  • setup
  • Discrete-Log
  • Diffie-Hellman
  • subliminal channels
  • protocol abuse
  • kleptography
  • leakage-bandwidth
  • randomness
  • pseudorandomness
  • cryptographic system implementations




© 1997 Springer-Verlag

Cite this paper

Young, A., Yung, M. (1997). The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski, B.S. (eds) Advances in Cryptology — CRYPTO '97. CRYPTO 1997. Lecture Notes in Computer Science, vol 1294. Springer, Berlin, Heidelberg.

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-63384-6

  • Online ISBN: 978-3-540-69528-8

  • eBook Packages: Springer Book Archive