Publication


Featured research published by Gustavus J. Simmons.


International Cryptology Conference (CRYPTO) | 1984

The Prisoners’ Problem and the Subliminal Channel

Gustavus J. Simmons

Two accomplices in a crime have been arrested and are about to be locked in widely separated cells. Their only means of communication after they are locked up will be by way of messages conveyed for them by trustees -- who are known to be agents of the warden. The warden is willing to allow the prisoners to exchange messages in the hope that he can deceive at least one of them into accepting as a genuine communication from the other either a fraudulent message created by the warden himself or else a modification by him of a genuine message. However, since he has every reason to suspect that the prisoners want to coordinate an escape plan, the warden will only permit the exchanges to occur if the information contained in the messages is completely open to him -- and presumably innocuous. The prisoners, on the other hand, are willing to accept these conditions, i.e., to accept some risk of deception in order to be able to communicate at all, since they need to coordinate their plans. To do this they will have to deceive the warden by finding a way of communicating secretly in the exchanges, i.e., of establishing a “subliminal channel” between them in full view of the warden, even though the messages themselves contain no secret (to the warden) information. Since they anticipate that the warden will try to deceive them by introducing fraudulent messages, they will only exchange messages if they are permitted to authenticate them.


Proceedings of the IEEE | 1988

A survey of information authentication

Gustavus J. Simmons

The general principles that underlie all authentication schemes are reviewed and illustrated using the examples of an early telegraphy cable code, a US military authentication protocol, and authentication of electronic funds transfers in the US Federal Reserve System. Authentication threats from inside the system (i.e. untrustworthy sender or receiver) are described. The classification of authentication schemes as computationally secure, provably secure, or unconditionally secure is explained, and theoretical results are presented showing that a large number of encoding rules must be available in any unconditionally secure authentication code. Current authentication practices are examined.


International Cryptology Conference (CRYPTO) | 1988

How to (really) share a secret

Gustavus J. Simmons

In information based systems, the integrity of the information (from unauthorized scrutiny or disclosure, manipulation or alteration, forgery, false dating, etc.) is commonly provided for by requiring operation(s) on the information that one or more of the participants, who know some private piece(s) of information not known to all of the other participants, can carry out but which (probably) can’t be carried out by anyone who doesn’t know the private information. Encryption/decryption in a single key cryptoalgorithm is a paradigm of such an operation, with the key being the private (secret) piece of information. Although it is implicit, it is almost never stated explicitly that in a single-key cryptographic communications link, the transmitter and the receiver must unconditionally trust each other since either can do anything that the other can.


European Transactions on Telecommunications | 2010

Subliminal channels; past and present

Gustavus J. Simmons

Subliminal channels were devised by Simmons in 1978 to demonstrate a fundamental flaw in a protocol the U.S. was considering using to allow the U.S.S.R. to verify U.S. compliance with the terms of the SALT II treaty. The examples given of such channels were more in the nature of existence proofs than feasible communication channels until 1984 when it was shown that most digital signature schemes could be caused to host subliminal communications hidden in the digital signatures. Almost all of these subliminal channels, however, had several shortcomings. In order for the subliminal receiver to be able to recover a subliminal message, it was apparently necessary for him to know the transmitter's (the signer's) secret key. This meant that the subliminal receiver had to be given the capability to utter undetectable forgeries of the transmitter's signature. Also, only a subset of the natural message set could be communicated subliminally and some of those that could be transmitted were computationally infeasible for the subliminal receiver to recover. A digital signature standard (DSS) has recently been adopted by the U.S. government (May, 1994) which like most other digital signature schemes also permits subliminal communications to be concealed in signatures. Remarkably though, the subliminal channels in the DSS avoid all of the shortcomings that limit the usefulness of these channels in other digital signature schemes. This paper briefly describes the setting for the discovery of subliminal channels and then in some detail, the nature and shortcomings of the subliminal channels in the El Gamal digital signature scheme - to which the DSS is closely related. Finally, to make clear what a remarkable coincidence it is that the apparently inherent shortcomings present in subliminal channels realized in the El Gamal scheme can all be overcome in channels realized in the DSS, each of the channels is analyzed in detail in both schemes. The inescapable conclusion, though, is that the DSS provides the most hospitable setting for subliminal communications discovered to date.


ACM Computing Surveys | 1979

Symmetric and Asymmetric Encryption

Gustavus J. Simmons

All cryptosystems currently in use are symmetric in the sense that they require the transmitter and receiver to share, in secret, either the same piece of information (key) or one of a pair of related keys easily computed from each other; the key is used in the encryption process to introduce uncertainty to an unauthorized receiver. Not only is an asymmetric encryption system one in which the transmitter and receiver keys are different, but in addition it is computationally infeasible to compute at least one from the other. Asymmetric systems make it possible to authenticate messages whose contents must be revealed to an opponent or allow a transmitter whose key has been compromised to communicate in privacy to a receiver whose key has been kept secret--neither of which is possible using a symmetric cryptosystem. This paper opens with a brief discussion of encryption principles and then proceeds to a comprehensive discussion of the asymmetric encryption/decryption channel and its application in secure communications.


Theory and Application of Cryptographic Techniques (EUROCRYPT) | 1991

A protocol to set up shared secret schemes without the assistance of a mutually trusted party

Ingemar Ingemarsson; Gustavus J. Simmons

All shared secret or shared control schemes devised thus far are autocratic in the sense that they depend in their realization on the existence of a single party—which may be either an individual or a device—that is unconditionally trusted by all the participants in the scheme [5,6]. The function of this trusted party is to first choose the secret (piece of information) and then to construct and distribute in secret to each of the participants the private pieces of information which are their shares in the shared secret or control scheme. The private pieces of information are constructed in such a way that any authorized concurrence (subset) of the participants will jointly have sufficient information about the secret to reconstruct it while no unauthorized collection of them will be able to do so. For many applications, though, there is no one who is trusted by all of the participants, and in the extreme case, no one who is trusted by anyone else. In the absence of a trusted party or authority, no one can be trusted to know the secret and hence—until now—it has appeared to be impossible to construct and distribute the private pieces of information needed to realize a shared control scheme. It is worth noting that in commercial and/or international applications, this situation is more nearly the norm than the exception.
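As an added illustration of the dealer-free setting the abstract describes (this is example code written for this page, not the protocol from the Ingemarsson–Simmons paper): the standard way to remove the trusted dealer from a threshold scheme is to let every participant act as dealer for a random contribution of its own, using Shamir's polynomial sharing, and to define the joint secret as the sum of all contributions. Each participant simply adds up the sub-shares it receives; because Shamir shares are additively homomorphic, any t of the summed shares reconstruct the sum, while the sum itself is never held by anyone. The field modulus, the participant indices 1..n and the test contributions are constructed for the example.

```python
"""Threshold secret sharing with no trusted dealer (illustrative; not the paper's protocol)."""
import secrets

PRIME = 2**127 - 1  # field modulus; a Mersenne prime chosen for this example


def eval_poly(coeffs, x):
    """Evaluate sum(c_i * x^i) over GF(PRIME)."""
    return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME


def deal(secret, t, n):
    """Shamir (t, n) sharing: f is a random polynomial of degree t-1 with f(0) = secret;
    participant j (1..n) receives the share f(j)."""
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return {j: eval_poly(coeffs, j) for j in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from a dict {j: f(j)} holding at least t shares."""
    total = 0
    for i, y_i in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        total = (total + y_i * num * pow(den, -1, PRIME)) % PRIME
    return total


def dealerless_setup(t, n, contributions=None):
    """Every participant deals its own random contribution s_i with Shamir's scheme.
    Participant j's share of the joint secret is the sum of the n sub-shares it
    receives; the joint secret is sum(s_i) mod PRIME, which nobody ever holds in
    the clear. `contributions` may be supplied to make a run reproducible; in a real
    run each party draws its own value and reveals it to no one."""
    if contributions is None:
        contributions = [secrets.randbelow(PRIME) for _ in range(n)]
    joint = {j: 0 for j in range(1, n + 1)}
    for s_i in contributions:  # in practice each iteration runs at a different party
        for j, y in deal(s_i, t, n).items():
            joint[j] = (joint[j] + y) % PRIME
    return joint


if __name__ == "__main__":
    t, n = 3, 5
    shares = dealerless_setup(t, n)
    print("any t shares agree:",
          reconstruct({j: shares[j] for j in (1, 2, 4)})
          == reconstruct({j: shares[j] for j in (2, 3, 5)}))
```

This construction assumes every participant deals honestly; a participant who hands out inconsistent sub-shares can make different subsets reconstruct different values, which is the problem verifiable secret sharing addresses and which this example does not cover.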


Theory and Application of Cryptographic Techniques (EUROCRYPT) | 1994

Subliminal communication is easy using the DSA

Gustavus J. Simmons

In 1985, Simmons showed how to embed a subliminal channel in digital signatures created using the El Gamal signature scheme. This channel, though, had several shortcomings. In order for the subliminal receiver to be able to recover the subliminal message, it was necessary for him to know the transmitter's secret key. This meant that the subliminal receiver had the capability to utter undetectable forgeries of the transmitter's signature. Also, only a fraction of the number of messages that the channel could accommodate in principle could actually be communicated subliminally (φ(p-1) messages instead of p-1) and some of those that could be transmitted were computationally infeasible for the subliminal receiver to recover.

In August 1991, the U.S. National Institute of Standards and Technology proposed as a standard a digital signature algorithm (DSA) derived from the El Gamal scheme. The DSA accommodates a number of subliminal channels that avoid all of the shortcomings encountered in the El Gamal scheme. In fairness, it should be mentioned that not all are avoided at the same time. The channel in the DSA analogous to the one Simmons demonstrated in the El Gamal scheme can use all of the bits contained in the signature that are not used to provide for the security of the signature against forgery, alteration or transplantation, and is hence said to be broadband. All messages can be easily encoded for communication through this channel and are easily decoded by the subliminal receiver. However, this broadband channel still requires that the subliminal receiver know the transmitter's secret key. There are two narrowband subliminal channels in the DSA, though, that do not give the subliminal receiver any better chance of forging the transmitter's signature than an outsider has. The price one pays to secure this integrity for the transmitter's signature is a greatly reduced bandwidth for the subliminal channel and a large, but feasible--dependent on the bandwidth actually used--amount of computation needed to use the channel. In one realization of a narrowband subliminal channel, the computational burden is almost entirely on the transmitter while in the other it is almost entirely on the subliminal receiver.

In this paper we discuss only the broadband channel. The narrowband channels have been described by Simmons in a paper presented at the 3rd Symposium on State and Progress of Research in Cryptography, Rome, Italy, February 15-16, 1993. Space does not permit them to be described here. The reader who wishes to see just how easy it is to communicate subliminally using the DSA is referred to that paper as well. The inescapable conclusion, though, is that the DSA provides the most hospitable setting for subliminal communications discovered to date.
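The broadband channel that the two DSA/DSS abstracts above describe (the 2010 ETT paper and this one) is simple enough to show end to end. The example below is added for this page and is not Simmons' code: the transmitter chooses the per-signature secret k to be the subliminal message instead of a random value, the warden sees a perfectly valid signature over an innocuous cover text, and a receiver who holds the transmitter's private key x recovers k from s = k⁻¹(H(m) + x·r) mod q. The toy domain parameters (p, q, g), the key values and the cover texts are constructed for the example and are far too small for real use; the narrowband channels the abstract mentions are not implemented here.

```python
"""Broadband subliminal channel in DSA: the nonce k *is* the hidden message.
Toy parameters; illustrative code written for this page, not the paper's."""
import hashlib
import secrets

# Toy DSA domain parameters (constructed). q | p-1 and g = 2^((p-1)/q) mod p has order q.
# They satisfy the DSA relations but are trivially breakable; real deployments use the
# FIPS 186 sizes (e.g. 2048-bit p, 256-bit q).
P, Q, G = 607, 101, 64


def hash_to_int(msg: bytes) -> int:
    """H(m) reduced mod q (SHA-256, then reduction; adequate for a toy group)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x=None):
    """Return (private x, public y = g^x mod p); x may be fixed for reproducibility."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign_with_nonce(x: int, msg: bytes, k: int):
    """Ordinary DSA signing, except the per-signature secret k is caller-chosen.
    The verifier cannot distinguish a subliminal k from a random one."""
    if not 1 <= k < Q:
        raise ValueError("subliminal message must be encoded into [1, q-1]")
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (hash_to_int(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature: re-encode k or pick another cover text")
    return r, s


def sign(x: int, msg: bytes):
    """Honest DSA: k drawn at random, so the channel carries nothing."""
    while True:
        try:
            return sign_with_nonce(x, msg, secrets.randbelow(Q - 1) + 1)
        except ValueError:
            continue


def verify(y: int, msg: bytes, sig) -> bool:
    """Standard DSA verification: this is all the warden gets to do."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = hash_to_int(msg) * w % Q
    u2 = r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def recover_nonce(x: int, msg: bytes, sig) -> int:
    """Subliminal receiver, who must hold the transmitter's private x:
    from s = k^-1 (H(m) + x r) mod q it follows that k = s^-1 (H(m) + x r) mod q."""
    r, s = sig
    return pow(s, -1, Q) * (hash_to_int(msg) + x * r) % Q


if __name__ == "__main__":
    x, y = keygen()
    hidden = 77  # a 7-bit subliminal message; with a real 256-bit q the channel is ~256 bits wide
    # If (m, k) happens to give r == 0 or s == 0 the transmitter must change something; here
    # we simply try another innocuous cover text.
    for cover in (b"Weather is fine. Send more books.", b"Weather is fine. Send books."):
        try:
            sig = sign_with_nonce(x, cover, hidden)
            break
        except ValueError:
            continue
    print("warden accepts:", verify(y, cover, sig))
    print("receiver reads:", recover_nonce(x, cover, sig))
    # The price: the receiver holds x and can sign anything in the transmitter's name.
    forged = sign(x, b"I confess to everything")
    print("receiver's forgery verifies:", verify(y, b"I confess to everything", forged))
```

Two points the code makes concrete. First, nothing in the signature reveals that k was chosen rather than drawn at random, which is why a signature verifier is the wrong place to look for this channel; only control over nonce generation (for instance deterministic nonces derived from the message and key, as in RFC 6979) closes it. Second, recovery with any key other than the true x yields a different value, so the broadband channel really does require sharing x, with the forgery consequence the abstract warns about.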


Journal of Cryptology | 1990

A Cartesian product construction for unconditionally secure authentication codes that permit arbitration

Gustavus J. Simmons

An authentication code consists of a collection of encoding rules associating states of an information source with messages that are to be used to communicate the state to a designated receiver. In order for a collection of encoding rules to be useful as an authentication code there must also exist one or more probability distributions on the rules which, if used by the receiver and transmitter (the insiders) to choose secretly the encoding rule they use, will result in the receiver being able to (probably) detect fraudulent messages sent by an outsider or modifications by him of legitimate messages. Authentication codes that permit arbitration are codes that in addition to protecting the insiders from deception by outsiders, also protect against some forms of insider deception. This is accomplished by making it possible for an arbiter to resolve (again in probability) certain disputes between the transmitter and receiver: the transmitter disavowing a message that he actually sent or the receiver claiming to have received a message that the transmitter did not send. An infinite class of authentication codes that permit arbitration is constructed and some bounds on the probability of a deception going undetected are proven. These codes are shown to be unconditionally secure, i.e., it is shown that the probability of a deception either going undetected or else of being unjustly attributed to an innocent party is independent of the computing capability or investment that a would-be cheater is willing to make.
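To make the notion of an unconditionally secure authentication code concrete (relevant both to the 1988 survey's point that such codes need many encoding rules and to the definitions in this abstract), here is an added example, written for this page rather than taken from either paper. The encoding rule is a key (a, b) over GF(p); source state s is sent as the message (s, t) with t = a + b·s mod p. Because the key space is small enough to enumerate, the code computes the outsider's best impersonation and substitution probabilities by exhaustive counting instead of by argument: both come out to exactly 1/p, with no computational assumption, at the cost of p² encoding rules for p possible tags. The prime p = 11 and the sample key are constructed for the example.

```python
"""Unconditionally secure authentication code over GF(p), analysed by brute force.
Illustrative code written for this page, not from the paper."""
from fractions import Fraction
from itertools import product

P = 11  # small prime so the p^2 encoding rules can be enumerated (constructed choice)

# One encoding rule = key (a, b). Source state s in GF(p) is sent as the message (s, t).
KEYS = list(product(range(P), repeat=2))


def tag(key, s):
    a, b = key
    return (a + b * s) % P


def accept(key, message) -> bool:
    """Receiver's check. Note there is no hash, no hard problem: security is purely combinatorial."""
    s, t = message
    return 0 <= s < P and tag(key, s) == t


def impersonation_probability():
    """Outsider injects (s, t) without having seen any traffic; key is uniform over KEYS.
    Returns the best success probability over all choices of (s, t)."""
    best = Fraction(0)
    for s, t in product(range(P), repeat=2):
        valid = sum(1 for k in KEYS if tag(k, s) == t)
        best = max(best, Fraction(valid, len(KEYS)))
    return best


def substitution_probability():
    """Outsider has observed one legitimate (s, t) and replaces it by (s', t') with s' != s.
    Conditioning on the observation shrinks the key space to the keys consistent with (s, t)."""
    best = Fraction(0)
    for s, t in product(range(P), repeat=2):
        consistent = [k for k in KEYS if tag(k, s) == t]
        for s2, t2 in product(range(P), repeat=2):
            if s2 == s:
                continue
            hits = sum(1 for k in consistent if tag(k, s2) == t2)
            best = max(best, Fraction(hits, len(consistent)))
    return best


if __name__ == "__main__":
    print("encoding rules:", len(KEYS))
    print("P_I =", impersonation_probability(), " P_S =", substitution_probability())
```

Observing one message leaves p keys consistent with it, and any second message with a different source state is consistent with exactly one of them, which is why substitution is no easier than impersonation here. The same key must not be reused for a third message, and the code does nothing against insiders: a receiver who holds (a, b) can fabricate any message, which is precisely the gap that the arbitrated codes in this abstract are designed to close.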


Information Hiding | 1998

The history of subliminal channels

Gustavus J. Simmons

In 1978 the United States was considering adopting a national security protocol designed to enable the U.S.S.R. to verify how many Minuteman missiles the United States had emplaced in a field of 1000 silos without revealing which silos actually contained missiles. For this protocol to have been acceptable to the U.S.S.R., the messages would have had to be digitally signed with signatures which the U.S.S.R. could verify were authentic, but which the United States could not forge. Subliminal channels were the discovery that these digital signatures could host undetectable covert channels. In general, any time redundant information is introduced into a communication to provide an overt function such as digital signatures, error detection and/or correction, authentication, etc. it may be possible to subvert the purported function to create a covert (subliminal) communications channel. This paper recounts the development of subliminal channels from their origins when only a couple of bits could be communicated covertly to today when potentially a couple of hundred bits can be concealed in signatures generated using the most popular digital signature schemes.


IEEE Symposium on Security and Privacy | 1982

A Software Protection Scheme

George B. Purdy; Gustavus J. Simmons; James Studier

We discuss a technological means of protecting software from unauthorized duplication and use, which does not at the same time limit its sale or distribution or rely on a trusted authority.

Collaboration

Top co-authors of Gustavus J. Simmons:

Judy H. Moore, Sandia National Laboratories
Diane B. Holdridge, Sandia National Laboratories
James A. Davis, Sandia National Laboratories
Catherine A. Meadows, United States Naval Research Laboratory
Ernest F. Brickell, Sandia National Laboratories