Subliminal Channel

The Experts below are selected from a list of 603 Experts worldwide ranked by ideXlab platform

Moti Yung - One of the best experts on this subject based on the ideXlab platform.

  • A Subliminal Channel in secret block ciphers
    Selected Areas in Cryptography, 2004
    Co-Authors: Adam Young, Moti Yung
    Abstract:

    In this paper we present the first general purpose Subliminal Channel that can be built into a secret symmetric cipher by a malicious designer. Subliminal Channels traditionally exploit randomness that is used in probabilistic cryptosystems. In contrast, our Channel is built into a deterministic block cipher, and thus it is based on a new principle. It is a broadcast Channel that assumes that the sender and the receiver know the Subliminal message m_s (i.e., something derived from their common key). We show that the designer can expect to be able to read m_s when O(|m_s| log |m_s|) plaintext/ciphertext pairs are obtained. Here |m_s| is the length of m_s in bits. We show how to turn the Channel into a narrowcast Channel using a deterministic asymmetric cipher and then present an application of the narrowcast Channel. In this application, the secret block cipher securely and Subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public.

Gustavus J Simmons - One of the best experts on this subject based on the ideXlab platform.

  • Results concerning the bandwidth of Subliminal Channels
    IEEE Journal on Selected Areas in Communications, 1998
    Co-Authors: Gustavus J Simmons
    Abstract:

    In conjunction with a six-month research program on computer security, cryptology and coding theory hosted by the Isaac Newton Institute of Mathematical Sciences, University of Cambridge, Cambridge, U.K., a Workshop on information hiding was held from May 30 through June 1, 1996. This workshop was devoted to all aspects of information hiding - other than the usual cryptographic concealment of content, including steganography, Subliminal Channels, fingerprinting, covert Channels, etc. Two surprising results pertaining to Subliminal Channels were presented or grew out of presentations made at this workshop. One is of interest to the secure communications protocol designer concerned with denying the use of Subliminal Channels, while the other is important to the designer, or user, of Subliminal Channels. The first raises the question of whether the notion of a "Subliminal-free" communication Channel is an oxymoron, i.e., is it possible to force the bandwidth of the Subliminal Channel to be truly zero? The second forces a more precise formulation of a conjecture the author had made that the bandwidth of a Subliminal Channel is logarithmically limited if the transmitter is unwilling to trust the Subliminal receiver unconditionally. Motivated by these results, this paper reexamines the fundamental questions of the bandwidth available for Subliminal communication as a function of the trust the transmitter has in the Subliminal receiver and of a logically sound interpretation of the term "Subliminal-free".

  • EUROCRYPT - The Subliminal Channel and digital signatures
    Advances in Cryptology, 1
    Co-Authors: Gustavus J Simmons
    Abstract:

    In a paper entitled "The Prisoners' Problem and the Subliminal Channel" [1], the present author showed that a message authentication without secrecy Channel providing m bits of overt communication and r bits of message authentication could be perverted to allow an l < r bit covert Channel between the transmitter and a designated receiver at the expense of reducing the message authentication capability to r-l bits, without affecting the overt Channel. It was also shown that under quite reasonable conditions the detection of even the existence of this covert Channel could be made as difficult as the underlying cryptoalgorithm was difficult to "break." In view of this open -- but indetectable -- existence, the covert Channel was called the "Subliminal" Channel. The examples constructed in [1], although adequate to prove the existence of such Channels, did not appear to be feasible to extend to interesting communications systems. Fortunately, two digital signature schemes have been proposed since Crypto 83 -- one by Ong-Schnorr-Shamir [2] based on the difficulty of factoring sufficiently large composite numbers and one by Gamal [3] based on the difficulty of taking discrete logarithms with respect to a primitive element in a finite field -- that provide ideal bases for implementing practical Subliminal Channels. This paper reviews briefly the essential features of the Subliminal Channel and then discusses implementations in both the Ong-Schnorr-Shamir and Gamal digital signature Channels.

  • CRYPTO - A Secure Subliminal Channel (
    Lecture Notes in Computer Science, 1
    Co-Authors: Gustavus J Simmons
    Abstract:

    At Crypto’83, the present author showed that a transmitter and chosen receiver(s) -- by secretly exchanging some side information -- could pervert an authentication without secrecy Channel to allow them to convert a portion of the authentication information to a hidden (covert) communications Channel [1]. It was also shown that under quite reasonable conditions even the detection of the existence of this covert Channel could be made as difficult as the underlying authentication algorithm was “cryptosecure”. In view of this open -- but indetectable -- existence, such a covert Channel was called a “subliminal” Channel. The examples constructed in [1] were more in the nature of existence proofs than of practical Subliminal communications Channels. At Eurocrypt’84 [2], however, it was shown how to use digital signature schemes as a way of realizing practical Subliminal Channels and, in particular, Subliminal Channels were devised using Ong and Schnorr’s quadratic approximation scheme [3], Ong, Schnorr and Shamir’s quadratic representation schemes [4] and Ong, Schnorr and Shamir’s cubic signature scheme [5] as well as Gamal’s discrete logarithm-based digital signature scheme [6]. Unfortunately, from the standpoint of providing a secure (and feasible) Subliminal Channel, all of these digital signature schemes were cryptanalyzed [7],[8] shortly after being proposed. At Crypto’84, a fourth variant to the earlier digital signature schemes of Ong, Schnorr and Shamir was presented by Schnorr [9] which was also quickly cryptanalyzed [10]. At the 1985 IEEE Symposium on Security and Privacy, Okamoto and Shiraishi proposed yet another digital signature scheme based on quadratic inequalities [11] which had been designed to avoid the cryptanalytic weaknesses that had flawed the schemes of Schnorr, et al. The cryptanalysis of this scheme by Brickell and DeLaurentis is reported elsewhere in these Proceedings [12].
    In view of the short-lived nature of all of these schemes, it has become a high risk venture to propose Subliminal Channels based on digital signatures. The motivation for doing so is that digital signatures can be much easier to calculate and verify than full-fledged two-key ciphers. As a result, the benefits (of a successful implementation) far outweigh the risks of perhaps having an insecure digital signature (or Subliminal) Channel slip by undetected. Based on the cumulative experience gained in cryptanalyzing the six digital signature schemes mentioned above, Brickell and DeLaurentis propose a new scheme in their paper that appears to avoid the weaknesses exploited in the earlier cryptanalyses.

  • EUROCRYPT - Subliminal communication is easy using the DSA
    Advances in Cryptology — EUROCRYPT ’93, 1
    Co-Authors: Gustavus J Simmons
    Abstract:

    In 1985, Simmons showed how to embed a Subliminal Channel in digital signatures created using the El Gamal signature scheme. This Channel, though, had several shortcomings. In order for the Subliminal receiver to be able to recover the Subliminal message, it was necessary for him to know the transmitter's secret key. This meant that the Subliminal receiver had the capability to utter undetectable forgeries of the transmitter's signature. Also, only a fraction of the number of messages that the Channel could accommodate in principal could actually be communicated Subliminally (φ(p-1) messages instead of p-1) and some of those that could be transmitted were computationally infeasible for the Subliminal receiver to recover. In August 1991, the U.S. National Institute of Standards and Technology proposed as a standard a digital signature algorithm (DSA) derived from the El Gamal scheme. The DSA accommodates a number of Subliminal Channels that avoid all of the shortcomings encountered in the El Gamal scheme. In fairness, it should be mentioned that not all are avoided at the same time. The Channel in the DSA analogous to the one Simmons demonstrated in the El Gamal scheme can use all of the bits contained in the signature that are not used to provide for the security of the signature against forgery, alteration or transplantation, and is hence said to be broadband. All messages can be easily encoded for communication through this Channel and are easily decoded by the Subliminal receiver. However, this broadband Channel still requires that the Subliminal receiver know the transmitter's secret key. There are two narrowband Subliminal Channels in the DSA, though, that do not give the Subliminal receiver any better chance of forging the transmitter's signature than an outsider has.
    The price one pays to secure this integrity for the transmitter's signature is a greatly reduced bandwidth for the Subliminal Channel and a large, but feasible--dependent on the bandwidth actually used--amount of computation needed to use the Channel. In one realization of a narrowband Subliminal Channel, the computational burden is almost entirely on the transmitter while in the other it is almost entirely on the Subliminal receiver. In this paper we discuss only the broadband Channel. The narrowband Channels have been described by Simmons in a paper presented at the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, February 15-16, 1993. Space does not permit them to be described here. The reader who wishes to see just how easy it is to communicate Subliminally using the DSA is referred to that paper as well. The inescapable conclusion, though, is that the DSA provides the most hospitable setting for Subliminal communications discovered to date.

Adam Young - One of the best experts on this subject based on the ideXlab platform.

  • A Subliminal Channel in secret block ciphers
    Selected Areas in Cryptography, 2004
    Co-Authors: Adam Young, Moti Yung
    Abstract:

    In this paper we present the first general purpose Subliminal Channel that can be built into a secret symmetric cipher by a malicious designer. Subliminal Channels traditionally exploit randomness that is used in probabilistic cryptosystems. In contrast, our Channel is built into a deterministic block cipher, and thus it is based on a new principle. It is a broadcast Channel that assumes that the sender and the receiver know the Subliminal message m_s (i.e., something derived from their common key). We show that the designer can expect to be able to read m_s when O(|m_s| log |m_s|) plaintext/ciphertext pairs are obtained. Here |m_s| is the length of m_s in bits. We show how to turn the Channel into a narrowcast Channel using a deterministic asymmetric cipher and then present an application of the narrowcast Channel. In this application, the secret block cipher securely and Subliminally transmits the symmetric key of the sender and receiver to the malicious designer and confidentiality holds even when the cipher is made public.

H U Yupu - One of the best experts on this subject based on the ideXlab platform.

  • Anonymous Subliminal Channel scheme based on (t, n) threshold cryptosystem
    Computer Engineering, 2007
    Co-Authors: H U Yupu
    Abstract:

    Security threats and system weakness of present Subliminal Channel schemes are analyzed. Combining Shamir Lagrange interpolation formula based secret-sharing scheme and Subliminal Channel, a threshold Subliminal Channel scheme with conditional anonymity based on (t, n) threshold cryptosystem is presented. The threshold secret-sharing of the scheme enables the Subliminal message to be recoverable only by no less than t members of the n receivers, and the secret piece of each member can remain valid and secure after Subliminal message recovering, so the scheme achieves multi-secret sharing. The probabilistic encryption algorithm and identity blinding make the Subliminal message sender indistinguishable with other ordinary signers for secrecy protection, and the anonymity can also be conveniently revoked if necessary. The scheme prevents coalition attack and generalized signature forgery, avoids the misuse of Subliminal message producing and recovering. Further detailed analyses also justify its brevity, security, high efficiency, and thus considerable improvement on system overheads regarding software and hardware application.

Xin Xiangjun - One of the best experts on this subject based on the ideXlab platform.

  • Construction of Subliminal Channel in ID-Based Signatures
    2009 WASE International Conference on Information Engineering, 2009
    Co-Authors: Xin Xiangjun, Li Qingbo
    Abstract:

    Based on the bilinear pairings, by covering the Subliminal message with a shared temporary key generated from the time stamp, an ID-based signature scheme with Subliminal Channel is proposed, which can be proved to be secure in random oracle under the hardness assumption of computing Diffie-Hellman problem (CDHP). According to the construction of the proposed scheme, it is found that it is easy to construct a Subliminal Channel in the ID-based signatures. Therefore, the existence of the Subliminal Channel in the ID-based signatures can also limit the applications of the ID-based signatures.

  • A New Digital Signature Scheme with Threshold Subliminal Channel
    2009 WASE International Conference on Information Engineering, 2009
    Co-Authors: Xin Xiangjun, Zhi Guizhen
    Abstract:

    To improve the security and efficiency of the signature scheme with threshold Subliminal Channel, by using the Lagrange interpolating polynomial and the Schnorr signature scheme under modular n, a new digital signature scheme with (t, l) threshold Subliminal Channel is proposed. In the new scheme, the Subliminal Channel can be used efficiently. On the other hand, under the hardness assumptions of factoring RSA modular and computing discrete logarithm, the proposed scheme can be proved to be secure against resending Subliminal message attack, forgery attack and conspiracy attack.

  • Digital Signature Scheme with a (t, l) Threshold Subliminal Channel Based on RSA Signature Scheme
    Computational Intelligence and Security, 2008
    Co-Authors: Li Wei, Li Gang, Xin Xiangjun
    Abstract:

    The first digital signature scheme with a (t, l) threshold Subliminal Channel was proposed by Lee et al. However, according to our analysis, it is found that Lee et al.'s scheme is low efficient in practice. At the same time, Lee et al.'s scheme is not secure against resending attack. Then, a randomized RSA signature scheme is proposed. The proposed randomized RSA signature scheme can be proved to be secure under adaptive chosen-message attacks in the random oracle model. Based on this signature scheme, by using the Lagrange interpolating polynomial and distributing the secret shadows of the RSA exponent among n Subliminal receivers, a new digital signature scheme with a (t, l) threshold Subliminal Channel is proposed, which overcomes all the shortcomings of the scheme proposed by Lee et al. The new scheme is secure and efficient in practice.
