A Subliminal-Free Variant of ECDSA

A mode of operation of the Elliptic Curve Digital Signature Algorithm (ECDSA) is presented which provably excludes subliminal communication through ECDSA signatures. For this, the notion of a signature scheme that is subliminal-free with proof is introduced which can be seen as generalizing subliminal-free signatures and being intermediate to the established concepts of invariant and unique signatures. Motivated by the proposed use of ECDSA for signing passports, our focus is not on proving the mere existence of a subliminal-free ECDSA mode of operation, but on demonstrating its practical potential. The proposed construction relies on the availability of a party acting as warden and on a reasonably-sized non-interactive proof of subliminal-freeness. For instance, in the passport scenario, the passport holder plays the role of the warden, and we show that a suitable combination of the pseudo random function of Naor and Reingold with bit commitments and noninteractive zero-knowledge proofs can be used for accomplishing the required proof of subliminal-freeness with acceptable efficiency.

[1]  Serge Vaudenay,et al.  The Security of DSA and ECDSA , 2003, Public Key Cryptography.

[2]  Jan Camenisch,et al.  Proving in Zero-Knowledge that a Number Is the Product of Two Safe Primes , 1998, EUROCRYPT.

[3]  Yvo Desmedt,et al.  Simmons' protocol is not free of subliminal channels , 1996, Proceedings 9th IEEE Computer Security Foundations Workshop.

[4]  Yvo Desmedt Subliminal-Free Authentication and Signature (Extended Abstract) , 1988, EUROCRYPT.

[5]  Carl Pomerance,et al.  Advances in Cryptology — CRYPTO ’87 , 2000, Lecture Notes in Computer Science.

[6]  Yvo Desmedt,et al.  Abuses in Cryptography and How to Fight Them , 1988, CRYPTO.

[7]  Bart Preneel,et al.  Advances in cryptology - EUROCRYPT 2000 : International Conference on the Theory and Application of Cryptographic Techniques, Bruges, Belgium, May 14-18, 2000 : proceedings , 2000 .

[8]  Joan Feigenbaum,et al.  Advances in Cryptology-Crypto 91 , 1992 .

[9]  Russell Impagliazzo,et al.  How to recycle random bits , 1989, 30th Annual Symposium on Foundations of Computer Science.

[10]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[11]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[12]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[13]  Moni Naor,et al.  Number-theoretic constructions of efficient pseudo-random functions , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[14]  Tor Helleseth,et al.  Advances in Cryptology — EUROCRYPT ’93 , 2001, Lecture Notes in Computer Science.

[15]  Shafi Goldwasser,et al.  Advances in Cryptology — CRYPTO’ 88: Proceedings , 1990, Lecture Notes in Computer Science.

[16]  Larry Carter,et al.  Universal Classes of Hash Functions , 1979, J. Comput. Syst. Sci..

[17]  Manuel Blum,et al.  Noninteractive Zero-Knowledge , 1991, SIAM J. Comput..

[18]  Yvo Desmedt Public Key Cryptography — PKC 2003 , 2002, Lecture Notes in Computer Science.

[19]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[20]  Yvo Desmedt,et al.  Divertible and Subliminal-Free Zero-Knowledge Proofs for Languages , 1999, Journal of Cryptology.

[21]  Niklaus Wirth,et al.  Advances in Cryptology — EUROCRYPT ’88 , 2000, Lecture Notes in Computer Science.

[22]  Anna Lysyanskaya,et al.  Unique Signatures and Verifiable Random Functions from the DH-DDH Separation , 2002, CRYPTO.

[23]  Gustavus J. Simmons,et al.  Subliminal Communication is Easy Using the DSA , 1994, EUROCRYPT.

[24]  Samy Bengio,et al.  Special Uses and Abuses of the Fiat-Shamir Passport Protocol , 1987, CRYPTO.

[25]  Gustavus J. Simmons,et al.  The Subliminal Channel and Digital Signature , 1985, EUROCRYPT.

[26]  Silvio Micali,et al.  Verifiable random functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[27]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[28]  Rainer Steinwandt,et al.  On Subliminal Channels in Deterministic Signature Schemes , 2004, ICISC.

[29]  Rafail Ostrovsky,et al.  Invariant Signatures and Non-Interactive Zero-Knowledge Proofs are Equivalent (Extended Abstract) , 1992, CRYPTO.

[30]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[31]  Leonid A. Levin,et al.  Pseudo-random generation from one-way functions , 1989, STOC '89.

[32]  Ernest F. Brickell,et al.  Gradual and Verifiable Release of a Secret , 1987, CRYPTO.

[33]  Burton S. Kaliski Advances in Cryptology - CRYPTO '97 , 1997 .

[34]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[35]  Choonsik Park,et al.  Information Security and Cryptology - ICISC 2004, 7th International Conference, Seoul, Korea, December 2-3, 2004, Revised Selected Papers , 2005, ICISC.

[36]  Moti Yung,et al.  Malicious cryptography - exposing cryptovirology , 2004 .

[37]  Gustavus J. Simmons,et al.  The Prisoners' Problem and the Subliminal Channel , 1983, CRYPTO.

[38]  G. J. Simmons An introduction to the mathematics of trust in security protocols , 1993, [1993] Proceedings Computer Security Foundations Workshop VI.

[39]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .