The Dark Side of "Black-Box" Cryptography or: Should We Trust Capstone?
In Advances in Cryptology - Crypto '96, 1996
Cited by 19 (3 self)
Abstract
The use of cryptographic devices as "black boxes", namely trusting their internal designs, has been suggested and in fact Capstone technology is offered as a next generation hardware-protected escrow encryption technology. Software cryptographic servers and programs are being offered as well, for use as library functions, as cryptography gets more and more prevalent in computing environments. The question we address in this paper is how the usage of cryptography as a black box exposes users to various threats and attacks that are undetectable in a black-box environment. We present the SETUP (Secretly Embedded Trapdoor with Universal Protection) mechanism, which can be embedded in a cryptographic black-box device. It enables an attacker (the manufacturer) to get the user's secret (from some stage of the output process of the device) in an unnoticeable fashion, yet protects against attacks by others and against reverse engineering (thus, maintaining the relative advantage of the actual...
The Capacity of a Channel with a One-Way Function
In Proc. of Japan-Korea Joint Workshop on Information Security and Cryptology (JW-ISC) '97, pp. 173--179, 1997
Cited by 5 (3 self)
Abstract
Subliminal channels can hide the existence of secret messages, and then they are divided into broadband ones and narrowband ones. While a large amount of information can be transmitted over a broadband one, only a small amount can be done over a narrowband one. It is easy to show that a channel can only be a narrowband one, when a one-way function whose image size is sufficiently large and which has no trapdoor is in between a carrier state which a receiver can observe and a parameter which the transmitter can control. However it is not clear that how much capacity the communication channel has and how many bits can be transmitted with how much error rate. In this paper, we clarify that, and also consider methods to try to maximize the information bits being transmitted when the error rate is kept under a certain value.
Deniable Password Snatching: On the Possibility of Evasive Electronic Espionage
In Proceedings of the 18th IEEE Computer Society Symposium on Security and Privacy, 1997
Cited by 4 (1 self)
Abstract
Trojans, viruses and other malware can be categorized as either active or passive in nature. Active viruses (for example) are viruses that perform some outwardly noticeable function. They are typically offensive in nature and cause denial of service attacks or other disturbances. In the electronic warfare context they can translate into "direct military attacks". Passive viruses are, on the other hand, inconspicuous and may for example, simply steal CPU time for a particular computation. They may also secretly leak information and are capable of leaking "intelligence information" to the author (i.e., espionage). Recently, Cryptovirology has been introduced as a means of mounting active viral attacks using public key cryptography. It has been shown to be a tool for extortion attacks and "electronic warfare", where attacks are mounted against information resources. The natural question to ask is whether Cryptovirology is also useful (i.e., provides enhanced functionality) in the area of...
Auditable Privacy: On Tamper-Evident Mix Networks
In Financial Cryptography '02, 2006
Cited by 3 (2 self)
Abstract
We introduce the notion of tamper-evidence for mix networks in order to defend against attacks aimed at covertly leaking secret information held by corrupted mix servers. This is achieved by letting observers (which need not be trusted) verify the absence of covert channels by means of techniques we introduce herein. Our tamper-evident mix network is a type of re-encryption mixnet in which a server proves that the permutation and re-encryption factors that it uses are correctly derived from a random seed to which the server is committed.
Monotone Signatures
2002
Cited by 2 (0 self)
Abstract
In many real-life situations, massive quantities of signatures have to be issued on cheap passive supports (e.g. paper-based) such as bank-notes, badges, ID cards, driving licenses or passports (hereafter IDs); while large-scale ID replacements are costly and prohibitive, one may reasonably assume that the updating of verification equipment (e.g.
Subliminal Channels in discrete logarithm based signature schemes and how to avoid them
1994
Cited by 1 (0 self)
Abstract
A great disadvantage of the ElGamal and the DSA signature scheme is the existence of various subliminal channels as shown previously by Simmons. We demonstrate that these channels also exist in the Meta-ElGamal and Meta-Message recovery schemes, suggest further narrowband subliminal channels and give a solution how to avoid these subliminal channels assuming that the special receiver can't eavesdrop the channel used by the signer and the warden to generate the signature. Without this assumption we show how to avoid broadband subliminal channels in a refinement of the scheme presented before.
1. Introduction
In 1983 Simmons introduced the concept of a subliminal channel [Simm83]. This is a channel in a cryptographic protocol like a cryptosystem, an authentication system or a signature scheme which transmits additional messages from the transmitter Alice to a (special) receiver Carol which is hidden and can't be read by the public receiver or the warden Bob. In this paper we foc...
On the Channel Capacity of Narrow-band Subliminal Channels
In Proc. of the 2nd International Conference on Information and Communications Security (ICICS'99), LNCS 1726, 1999
Cited by 1 (0 self)
Abstract
Subliminal channels, discovered by Simmons, yield a possibility to transmit covert messages by embedding them in cryptographic digital data, such as (EC)DSA signatures. The embedded messages are used for transmitting important information, or as watermarks or imprints of the data. Anyone can use or abuse these channels very easily because most cryptographic digital data widely used in the Internet is not subliminal-free. For example, DSA signatures are not subliminal-free and they are widely used in various applications, such as PGP, SSH2 and so on. It is very important to evaluate the ability of such channels. In this paper, we evaluate the channel capacity of narrow-band subliminal channels where a transmitter tries only the limited number of input values.
Towards signature-only signature schemes
Advances in Cryptology -- ASIACRYPT'2000, volume 1976 of LNCS, 2000
Cited by 1 (0 self)
Abstract
We consider a problem which was stated in a request for comments made by NIST in the FIPS97 document. The question is the following: Can we have a digital signature public key infrastructure where the public (signature verification) keys cannot be abused for performing encryption? This may be applicable in the context of, say, exportable/escrow cryptography. The basic dilemma is that on the one hand, (1) to avoid framing by potentially misbehaving authorities we do not want them to ever learn the “signing keys” (e.g., Japan at some point declared a policy where signature keys may be required to be escrowed), and on the other hand (2) if we allow separate inaccessible public signature verification keys, these keys (based on trapdoor functions) can be used as “shadow public-keys,” and hence can be used to encrypt data in an unrecoverable manner. Any solution within the “trapdoor function” paradigm of Diffie and Hellman does not seem to lead to a solution which will simultaneously satisfy (1) and (2). The cryptographic community so far has paid very limited attention to
A Successive Carrier-transmission Model for Narrow-band Subliminal Channels
In The 1st International Conference on Information Security and Cryptology, 1998
Cited by 1 (0 self)
Abstract
The capacity of a narrow-band subliminal channel can be proportional to log_2 n, and then its upper bound is log_2 n where n is the number of input values a subliminal transmitter tried. These results are obtained, provided that only the single carrier is transmitted. In this paper, we consider a practical model, a successive carrier-transmission model, where carriers are transmitted one after another successively, and then only n input values are tried between each carrier transmission.
Covert Channels in Privacy-Preserving Identification Systems
Cited by 1 (0 self)
Abstract
We examine covert channels in privacy-enhanced mobile identification devices where the devices uniquely identify themselves to an authorized verifier. Such devices (e.g. RFID tags) are increasingly commonplace in hospitals and many other environments. For privacy, the device outputs used for identification should “appear random” to any entity other than the verifier, and should not allow physical tracking of device bearers. Worryingly, there already exist privacy breaches for some devices [28] that allow adversaries to physically track users. Ideally, such devices should allow anyone to publicly determine that the device outputs are covert-channel free (CCF); we say that such devices are CCF-checkable. Our main result shows that there is a fundamental tension between identifier privacy and CCF-checkability; we show that the two properties cannot co-exist in a single system. We also develop a weaker privacy model where a continuous observer can correlate appearances of a given tag, but a sporadic observer cannot. We also construct a privacy-preserving tag identification scheme that is CCF-checkable and prove it secure under the weaker privacy model using a new complexity assumption. The main challenge addressed in our construction is the enforcement of public verifiability, which allows a user to verify covert-channel-freeness in her device without managing secret keys external to the device.