This preview shows page 1. Sign up to view the full content.
Unformatted text preview: bit subliminal message. (5) The chip tries random values of k until it finds one that has the correct quadratic residue properties to send the subliminal message. The odds of a random k being of the correct form are 1 in 16,384. Assuming the chip can test 10,000 values of k per second, it will find one in less than two seconds. This computation does not involve the message and can be performed offline, before Alice wants to sign a message. (6) The chip signs the message normally, using the value of k chosen in step (5). (7) Alice sends the digital signature to Bob, or publishes it on the network, or whatever. (8) Mallory recovers r and, because he knows the 14 primes, decrypts the subliminal message. It’s scary that even if Alice knows what is happening, she cannot prove it. As long as those 14 secret primes stay secret, Mallory is safe. Foiling the DSA Subliminal Channel
The subliminal channel relies on the fact that Alice can choose k to transmit subliminal information. To foil the subliminal channel, Alice cannot be allowed to choose k. However, neither can anyone else; if someone else were allowed to choose k, it would allow that person to forge Alice’s signature. The only solution is for Alice to jointly generate k with another party, call him Bob, in such a way that Alice cannot control a single bit of k and Bob cannot know a single bit of k. At the end of the protocol, Bob should be able to verify that Alice used the k that they jointly generated. Here’s the protocol [1470,1472,1473]: (1) Alice chooses k' and sends Bob u = gk' mod p (2) Bob chooses k" and sends it to Alice. (3) Alice calculates k = k'k" mod (p  1). She uses k to sign her message, M, with the DSA and sends Bob the signature: r and s. (4) Bob verifies that ((uk" mod p) mod q) = r If it does, he knows that k was used to sign M. After step (4), Bob knows that no subliminal information can be embedded in r. If he is a trusted party, he can certify that Alice’s signature is subliminal...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details