In Proc. of International Conference on Information and Communications Security (ICICS'97), LNCS 1334, pp. 325-334 (1997)

Self-synchronized message randomization methods for subliminal channels

Kazukuni Kobara and Hideki Imai
Institute of Industrial Science, The University of Tokyo
Roppongi, Minato-ku, Tokyo 106, Japan
TEL: Ext 2327, E-mail: kobara@imailab.iis.u-tokyo.ac.jp

Abstract. When one transmits a secret message sequence on a random-number-type subliminal channel, he/she first has to convert the secret message sequence into a (practically) indistinguishable random number sequence, and then embed it in a carrier sequence. Otherwise the carrier sequence could be distinguished from one that contains no secret message, and if others can tell whether a secret message sequence is embedded in the carrier sequence, the carrier sequence cannot serve as a subliminal channel. That is, a converter that turns any message sequence into a (practically) indistinguishable one is required. Moreover, in many applications of subliminal channels the deconverter corresponding to the converter should be self-synchronized with the converted sequence, because additional synchronization information reduces the indistinguishability. Therefore both (practical) indistinguishability and self-synchronization are required of a converter for subliminal channels. Vernam encryption can convert any message sequence into a perfectly indistinguishable random number sequence, but receivers cannot decode the message sequence from an arbitrary point of the converted sequence without knowledge of the synchronization. On the contrary, (ECB), CBC and CFB mode block ciphers and self-synchronizing stream ciphers realize self-synchronization, but most of their output sequences can be distinguished from real or well-designed random number sequences, under some conditions, by the birthday paradox distinguishers we propose in this paper. In this paper, we design some pairs of converters and deconverters that satisfy both (practical) indistinguishability and self-synchronization.

1 Introduction

Subliminal channels [1][2][3][4] can be made on any digital data satisfying the following conditions:

1. A random number generated by the transmitter is used to generate the digital data.
2. The value of the digital data is not independent of the generated random number.

3. Others cannot distinguish whether a secret message sequence is embedded in the sequence of the digital data.
4. The subliminal receiver has access to the digital data, and it is possible to decode a transmitted symbol sequence from a sequence of the digital data.

We call such digital data a carrier. Suppose that the carriers are generated successively by the transmitter. Let a symbol $s_i$ denote the value of the $i$th carrier, and $t_i$ denote the $i$th transmitted symbol from the subliminal transmitter to the subliminal receiver.

In order to satisfy condition 4, two methods are available, according to whether the receiver can obtain the generated random number sequence. When he/she can, it is satisfied by simply substituting a transmitting symbol sequence for the random number sequence. For example, challenge sequences in challenge-response protocols are random number sequences themselves and the receiver can obtain them; therefore, by substituting a transmitting symbol sequence for the random number sequence, the transmitter can send the sequence to the receiver. In the case of DSA signatures $(\hat{m}, d, sig)$ (footnote 1), the receiver can obtain the generated random number $r$ from $(\hat{m}, d, sig)$ if the signer informs the receiver of his/her secret $x$ in advance, because $r = sig^{-1}(h(\hat{m}) + xd) \bmod q$ [4]. However, in order to satisfy condition 3, the transmitted symbol sequence must be a (practically) indistinguishable sequence.

When the receiver cannot obtain the generated random number sequence from the digital data, the following method [4] is available. We call this method the searching method. Let $S$ and $T$ denote the sets of carrier symbols and transmitting symbols, and let $|S|$ and $|T|$ denote the numbers of their elements. Let the number of transmitting (receiving) symbols $|T|$ ($|T'|$) be small, and assign all the elements of $S$ onto the elements of $T'$ uniformly, as shown in Fig. 1. The transmitter and the receiver share the mapping and keep it secret. The mapping has to be difficult for others to guess; therefore $\mathrm{Ext}(H_k(s))$ or $\mathrm{Ext}(H(E_k(s)))$ can be used as the secret mapping, where $\mathrm{Ext}$ is a function that extracts some bits from its input, $E_k$ is an encryption function, $H$ is a hash function and $H_k$ is a key-dependent hash function. When the transmitter sends a symbol, he/she selects $r$ at random and then checks whether this $r$ is mapped onto the legitimate transmitting symbol $t$. If so, he/she uses this $r$ as the random number; otherwise he/she selects another $r$ and repeats the same process until an appropriate $r$ is found. Such an $r$ is found by trying $|T'|$ elements of $R$ on average. The channel capacity and error rate versus $|T|$ were estimated in [5]. By using this method, transmitters can send a symbol on any digital data as long as the data satisfy conditions 1 and 2.

Footnote 1: $sig = r^{-1}(h(\hat{m}) + xd) \bmod q$, $d = g^r \bmod p$. $p$ and $q$ are large primes satisfying $q \mid p - 1$. $g = g_0^{(p-1)/q}$, where $g_0$ is a primitive element of $GF(p)$. $h(\hat{m})$ is the hash value of an open message $\hat{m}$. $x$ is the signer's secret. $r$ is a random number generated by the transmitter.

[Fig. 1. Searching method: transmitting symbols $T$, random number symbols $R$, states of a carrier $S$, receiving symbols $T'$; each carrier state is mapped onto a receiving symbol ($t = 0$ or $t = 1$).]

In the case of DSA signatures $(\hat{m}, d, sig)$, the searching method can be used to find $r$ satisfying

$$t_i = \mathrm{Ext}(H(E_k(g^r \bmod p))) \qquad (1)$$

(footnote 2), where $\|$ denotes concatenation. In order to satisfy condition 3, the sequence of $r$ satisfying equation (1) must be a (practically) indistinguishable random number sequence. It is easy to prove that the sequence of $r$ is a (practically) indistinguishable random number sequence whenever the transmitted symbol sequence is one, as long as the mapping $\mathrm{Ext}(H(E_k(\cdot)))$ or $\mathrm{Ext}(H_k(\cdot))$ is a uniform mapping; and $\mathrm{Ext}(H(E_k(\cdot)))$ and $\mathrm{Ext}(H_k(\cdot))$ can usually be considered uniform mappings. Hence condition 3 can be satisfied by just converting a message sequence into a (practically) indistinguishable random number sequence. That is, if a transmitter can convert any message sequence into a (practically) indistinguishable random number sequence, he/she can satisfy condition 3 whether or not the receiver can observe the generated sequence.

Vernam encryption can be the converter. However, it is not practical from the viewpoint of synchronization. In many applications of subliminal channels, receivers have to be able to decode the message sequence from the middle of the carrier sequence without any knowledge of the synchronization. For example, suppose that a center is the receiver of subliminal message sequences and that software distributed by the center is the transmitter. After the software is installed on users' computers, it starts embedding a short subliminal message sequence repetitively in some kind of digital data that is usually used for another purpose, such as digital signatures or challenges of challenge-response protocols; of course the center has to have access to the data.

Footnote 2: $t_i = \mathrm{Ext}(H(E_k(r^{-1}(h(\hat{m}) + xd) \bmod q)))$ and $t_i = \mathrm{Ext}(H(E_k(g^r \bmod p \,\|\, r^{-1}(h(\hat{m}) + xd) \bmod q)))$ are also possible. We ignore subliminal channels on an open message $\hat{m}$.
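The searching method above (Fig. 1 and equation (1)), as an added worked example that is not part of the original paper. It assumes a toy DSA-like group ($p = 1019$, $q = 509$, $g$ of order $q$; constructed and far too small for real use), HMAC-SHA256 as the key-dependent hash $H_k$, and an $\mathrm{Ext}$ that keeps the low `t_bits` bits; the function names are the example's own.

```python
import hashlib
import hmac
import random
import secrets

# Toy DSA-like group, constructed for this example and far too small for real use:
# p, q prime with q | p - 1, and g = g0^((p-1)/q) mod p of order q (g0 = 2).
P = 1019
Q = 509
G = pow(2, (P - 1) // Q, P)


def secret_mapping(key: bytes, s: int, t_bits: int) -> int:
    """Ext(H_k(s)): a key-dependent hash (HMAC-SHA256) of the carrier value s,
    of which Ext keeps the low t_bits bits.  Without the key nobody can tell
    which receiving symbol a given carrier value maps to."""
    digest = hmac.new(key, s.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << t_bits) - 1)


def search_r(key: bytes, t: int, t_bits: int, rng):
    """Searching method: draw r at random until the carrier value d = g^r mod p
    maps onto the wanted transmitting symbol t.  Returns (r, number of trials).
    On average |T'| = 2^t_bits draws are needed."""
    trials = 0
    while True:
        trials += 1
        r = rng.randrange(1, Q)              # r in [1, q-1], as in DSA
        d = pow(G, r, P)                     # the carrier value others will see
        if secret_mapping(key, d, t_bits) == t:
            return r, trials


def send_sequence(key: bytes, symbols, t_bits: int, seed=None):
    """Embed every symbol of `symbols` in its own carrier value d = g^r mod p.
    Returns the carrier values and the average number of trials per symbol.
    `seed` makes the draws repeatable (demo only); real use leaves it None."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    carriers, total_trials = [], 0
    for t in symbols:
        r, trials = search_r(key, t, t_bits, rng)
        total_trials += trials
        carriers.append(pow(G, r, P))        # the signer would now publish d (and sig)
    return carriers, total_trials / len(symbols)


def receive_sequence(key: bytes, carriers, t_bits: int):
    """The receiver needs only the shared mapping and the observed carrier values."""
    return [secret_mapping(key, d, t_bits) for d in carriers]


if __name__ == "__main__":
    key = b"mapping key shared in advance"
    wanted = [0, 3, 2, 1, 3, 0, 2, 2]        # 2-bit symbols, so |T'| = 4
    carriers, avg = send_sequence(key, wanted, t_bits=2, seed=5)
    print("decoded correctly:", receive_sequence(key, carriers, 2) == wanted)
    print("average trials per symbol: %.1f (expected about %d)" % (avg, 1 << 2))
```

The carrier values themselves are ordinary group elements; the only thing that would give the channel away is a bias in the symbol sequence fed to `send_sequence`, which is exactly what the converters of sections 3 and 4 are meant to remove.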

Suppose that there is no feedback channel from the center to the software, and that the center starts observing the carrier sequence whenever it wants. In this case, self-synchronization is indispensable. (ECB), CBC and CFB mode block ciphers and self-synchronizing stream ciphers [6][7][8] realize self-synchronization. However, most of their output sequences are distinguished from real or well-designed pseudo random number sequences, under some conditions, by the birthday paradox distinguishers we propose in section 2.2. In this paper, we design some pairs of converters and deconverters that realize self-synchronization and generate more (practically) indistinguishable random number sequences.

2 Distinguishers

In order to consider indistinguishability [9], we first have to consider what can act as a distinguisher. The following is a list of distinguishers.

2.1 Cryptanalytic Distinguishers

Because receivers can decode a secret message sequence from a carrier sequence, a decoding rule must exist. That is, by finding the decoding rule and then verifying that a message sequence understandable to the receiver can be decoded from the sequence, the sequence can be distinguished from real or well-designed pseudo random number sequences. Therefore all cryptanalytic algorithms can be distinguishers.

2.2 Statistical Distinguishers

The following distinguishers detect statistical differences between sequences. In order to detect them with reasonably high probability, a distinguisher has to observe more than a certain length of carrier sequence. If that length is sufficiently large compared with the length the transmitter generates in practical use, the distinguishers cannot distinguish the sequences in practice.

Chi-square test. The chi-square test detects differences in the probability distribution between two sequences. Suppose the sequences are concatenations of symbols in $T$. Let $|t|$ and $E|t|$ denote the number of occurrences of each symbol $t$ in a sequence and its expected value. If $\chi^2$, calculated by the following equation, is greater than $\chi^2_0$, the threshold below which each $|t|$ can be considered to follow its expected value, the statistical hypothesis that the sequence follows the expected probability distribution can be rejected:

$$\chi^2 = \sum_{t \in T} \frac{(|t| - E|t|)^2}{E|t|} \qquad (2)$$

$\chi^2_0$ can be found in a chi-square table.

Statistics of used or unused symbols. Let $a$ denote $|T|$ and $x$ denote the number of kinds of unused symbols among $n$ observed symbols. If a sequence is generated uniformly, $\Pr(x; n)$ is given by the following equation [10]:

$$\Pr(x; n) = \frac{a!}{x!} \sum_{i=0}^{a-x} \frac{(-1)^i}{i!\,(a-x-i)!} \left( \frac{a-x-i}{a} \right)^n \qquad (3)$$

If $a$ is large, equation (3) can be simplified to

$$\Pr(x; n) \simeq \frac{a!}{x!\,(a-x)!}\, e^{-xn/a} \left(1 - e^{-n/a}\right)^{a-x} \qquad (4)$$

which can be seen as a binomial distribution whose mean is $a e^{-n/a}$ and whose variance is $a e^{-n/a}(1 - e^{-n/a})$. Therefore, if $x$ does not follow equation (3) or (4), the statistical hypothesis that the sequence is generated uniformly can be rejected.

Cycle length. Pseudo random number generators are usually designed not to generate short cycles, and real random number sequences do not make any cycle. Therefore an algorithm that detects a short cycle length can be a distinguisher.

Birthday paradox. The $\chi^2$ test and the statistics of used or unused symbols become more powerful when they are applied to the next symbol after $n'$ fixed symbols have been observed. However, in order to get many samples of the $n'$ fixed symbols, the distinguishers must observe $O(|T|^{n'})$ symbols continuously. Therefore we propose to reduce this number from $O(|T|^{n'})$ to $O(|T|^{n'/2})$ by using the birthday paradox. We call this distinguisher the birthday paradox distinguisher. The algorithm is as follows.

Birthday paradox distinguisher
Step 1: Observe a sequence of $l$ symbols continuously.
Step 2: Find the same patterns $(t_i, \ldots, t_{i+(n'-1)})$ in the $l$-symbol sequence for different $i$.
Step 3a: Take statistics of the rate at which the next symbols after the same pattern coincide.
Step 4a: If the rate is far from $1/|T|$, the sequence can be distinguished from real or well-designed pseudo random number sequences.
Step 3b: Take statistics of the number of symbols that appear as the next symbol after the same pattern.
Step 4b: If the number does not follow equation (3) or (4), the sequence can be distinguished from real or well-designed pseudo random number sequences.

By the birthday paradox, such sets of positions that coincide in the same $(t_i, \ldots, t_{i+(n'-1)})$ for different $i$ can be obtained by observing about $|T|^{n'/2}$ symbols.
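The birthday paradox distinguisher (steps 1 to 4a above), as an added example that is not from the paper. It runs the distinguisher with $|T| = 16$ and $n' = 3$ over two constructed sequences: the output of a fixed-mapping (ECB-like) converter fed a periodic message, and a uniform pseudo random sequence standing in for a well-designed one. The decision rule in `is_distinguishable` (a deviation of more than four binomial standard deviations from $1/|T|$) and the stand-in sequences are the example's own assumptions.

```python
import math
import random
from collections import defaultdict

T_BITS = 4                    # symbols are 4-bit values, so |T| = 16
T_SIZE = 1 << T_BITS


def fixed_mapping_converter(message, key_nibble):
    """A converter whose mapping m_i -> t_i is the same for every i (the ECB-like
    case of section 3): Pr(t_i | m_i) is 1 or 0, so a periodic message sequence
    gives a periodic t sequence."""
    return [(m ^ key_nibble) & (T_SIZE - 1) for m in message]


def uniform_sequence(length, seed):
    """Constructed stand-in for a well-designed pseudo random symbol sequence."""
    rng = random.Random(seed)
    return [rng.randrange(T_SIZE) for _ in range(length)]


def symbols_needed(n_fixed):
    """About |T|^(n'/2) symbols produce the first repeated n'-gram (birthday paradox)."""
    return round(T_SIZE ** (n_fixed / 2))


def birthday_distinguisher(seq, n_fixed):
    """Steps 1-4a.  Step 1: `seq` is the observed run of l symbols.  Step 2: index
    every n'-gram; an n'-gram seen at two different positions i is a collision.
    Step 3a: over all pairs of occurrences of the same n'-gram, count how often the
    following symbols agree.  Returns (coincidence rate, number of pairs examined);
    step 4a compares the rate with 1/|T| (see is_distinguishable)."""
    followers = defaultdict(list)
    for i in range(len(seq) - n_fixed):
        followers[tuple(seq[i:i + n_fixed])].append(seq[i + n_fixed])
    coincide = pairs = 0
    for nxt in followers.values():
        for a in range(len(nxt)):
            for b in range(a + 1, len(nxt)):
                pairs += 1
                coincide += int(nxt[a] == nxt[b])
    return (coincide / pairs if pairs else None), pairs


def is_distinguishable(rate, pairs, sigmas=4.0):
    """Step 4a as a decision: for a uniform sequence each pair coincides with
    probability 1/|T|, so reject when the observed rate is more than `sigmas`
    binomial standard deviations away from 1/|T|."""
    if rate is None or pairs == 0:
        return False
    p = 1 / T_SIZE
    return abs(rate - p) > sigmas * math.sqrt(p * (1 - p) / pairs)


if __name__ == "__main__":
    n_fixed = 3
    # A periodic 16-symbol message through a fixed mapping: every repeated 3-gram
    # is followed by the same symbol, so the rate is 1 instead of 1/16.
    periodic = fixed_mapping_converter(list(range(16)) * 100, key_nibble=0x9)
    uniform = uniform_sequence(4000, seed=1)
    for name, seq in (("fixed mapping", periodic), ("uniform", uniform)):
        rate, pairs = birthday_distinguisher(seq, n_fixed)
        print("%-13s rate=%.3f over %d pairs, distinguishable=%s"
              % (name, rate, pairs, is_distinguishable(rate, pairs)))
    print("first collision expected after about", symbols_needed(n_fixed), "symbols")
```

With $|T| = 16$ and $n' = 3$ the first repeated 3-gram is expected after roughly 64 symbols, far fewer than the $16^3 = 4096$ a direct next-symbol test would need; the same code applied to the next-symbol counts (step 3b) would feed equations (3) and (4).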

3 Structure of converters and deconverters

Suppose a transmitter divides a message sequence into blocks, and then converts them block by block into a sequence of transmitting symbols. Let $m_i$ and $t_i$ denote the value of the $i$th block of the message sequence and of the converted sequence (the transmitting sequence), respectively (footnote 3). The sequence of $t$ is transmitted to the receiver by being embedded in a carrier sequence. The receiver obtains the sequence of $t$ from the carrier sequence, and then deconverts it into the sequence of $m$. Let Conv and Dec denote a converter and a deconverter, respectively. We express them as the following functions:

$$t_i = \mathrm{Conv}_{(i\text{th mapping determining input})}(m_i) \qquad (5)$$
$$m_i = \mathrm{Dec}_{(i\text{th mapping determining input})}(t_i) \qquad (6)$$

If the mapping from $m_i$ to $t_i$ is fixed for every $i$, $\Pr(t_i \mid m_i) = 1$ or $0$. This means the sequence of $t$ can be distinguished from real or well-designed pseudo random number sequences very easily, unless the sequence of $m$ is itself a real or well-designed pseudo random number sequence. In order to make $\Pr(t_i \mid m_i) = 1/|T|$, the $i$th mapping determining input must contain data that change dynamically with $i$. However, it cannot contain data the receiver cannot obtain, because self-synchronization has to be realized. The universal data the receiver can obtain are $(t_{i-1}, \ldots, t_{i-n})$ for small $n$. Therefore we include $(t_{i-1}, \ldots, t_{i-n})$ in the $i$th mapping determining input. Moreover, we recommend including a nondeterministic input $u_i$ in the $i$th mapping determining input, to prevent the output sequence from forming a cycle when a periodic message sequence is transmitted. Nondeterministic input is defined as follows.

Definition 1. Let $o_i$ denote all the input of a function other than the input $u_i$. If $u_i$ cannot be expressed by any deterministic function of $(o_i, \ldots, o_1, u_{i-1}, \ldots, u_1)$, then $u_i$ is nondeterministic input.

Nondeterministic input can be taken from the timing of key typing or mouse movements, etc. It is even possible to input it by hand, because it is only there to prevent cycles, so strict uniformity is not required as long as it is nondeterministic. Even one bit of nondeterministic input changes the output sequence dramatically, because the number of possible output sequences of length $l$ symbols then increases exponentially with $l$, whereas it does not increase at all when the converter has no nondeterministic input. If others can observe the sequence of $t$, a key $k$ must be included in all the mapping determining inputs. The key $k$ must be transmitted to the receiver in advance.

Footnote 3: Note that this block size has nothing to do with the block size used to transmit a message symbol on a carrier.

As a result, the converter and the deconverter must be expressed as follows:

$$t_i = \mathrm{Conv}_{((k), (u_i), t_{i-1}, \ldots, t_{i-n})}(m_i) \qquad (7)$$
$$m_i = \mathrm{Dec}_{((k), (u_i), t_{i-1}, \ldots, t_{i-n})}(t_i) \qquad (8)$$

$k$ and $u_i$ are optional and can be removed depending on the situation. Well-designed converters that can be expressed in the above form achieve

$$\Pr(t_i \mid (k), m_i, t_{i-1}, \ldots, t_{i-n'}) \simeq \begin{cases} 1/|T| & (n' < n) \\ 1/|U| \text{ or } 0 & (n' \ge n) \end{cases} \qquad (9)$$

In order to distinguish such a sequence from real or well-designed pseudo random number sequences, $O(|T|^{n/2})$ symbols have to be observed under the condition that $m_i$ is fixed for every $i$. If $O(|T|^{n/2})$ is sufficiently large, the output sequence can be considered practically indistinguishable against the known distinguishers.

4 Designing concrete converters and deconverters

In this section, we design some converters and deconverters using encryption functions $E$ (whose decryption functions are $D$) and hash functions $H$ whose input size is unbounded. We suppose that

1. $E$ and $D$ can be considered (pseudo) random permutations,
2. $H$ can be considered a (pseudo) random function,
3. $m_i$ is fixed for every $i$.

4.1 When both receivers and others can obtain the transmitted symbols $t$

In this case, a key $k$ is required. We consider the following equations first:

$$t'_i = E_{\mathrm{Ext}(H(k \,\|\, u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}))}(m_i) \qquad (10)$$
$$t_i = (t'_i \,\|\, u_i) \qquad (11)$$
$$m_i = D_{\mathrm{Ext}(H(k \,\|\, u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}))}(t'_i) \qquad (12)$$

where $\|$ denotes concatenation, and $\mathrm{Ext}$ denotes a function that extracts some bits from its input to adjust the output size to the key size of $E$ (which is different from the size of $k$). $u_i$ is the nondeterministic input described in section 3. Though the mapping from $M_i$ to $T_i$ changes with every $i$, $\Pr(t_i \mid k, m_i) \ne 1/|T|$ when the key size of $E$ (again, different from the size of $k$) is smaller than the plaintext size of one block of $E$ ($D$). Therefore this combination cannot be used universally.

The following structure can be considered; it satisfies $\Pr(t_i \mid k, m_i, t_{i-1}, \ldots, t_{i-n'}) \simeq 1/|T|$ for $n' < n$ as long as $u_i$ is uniform, because $E$ is a permutation and $H$ can be considered a (pseudo) random function:

$$t'_i = E_k(m_i \oplus H(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n})) \qquad (13)$$
$$t_i = (t'_i \,\|\, u_i) \qquad (14)$$
$$m_i = D_k(t'_i) \oplus H(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}) \qquad (15)$$

where $\oplus$ denotes exclusive-or. However, the birthday paradox distinguishers can distinguish the sequence of $t$ ($t'$) from real or well-designed random number sequences by observing $O(|H|^{1/2})$ symbols successively, because anyone can compute the hash value of $(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n})$ and can then verify that the following equation holds when these equations are used:

$$\Pr\left(t'_i = t'_j \;\middle|\; H(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}) = H(u_j \,\|\, t_{j-1} \,\|\, \cdots \,\|\, t_{j-n})\right) = 1 \qquad (16)$$

Such $i$ and $j$ can be found by observing $O(|H|^{1/2})$ symbols successively, where $|H|$ denotes the number of possible outputs of $H$. Though $O(|H|^{1/2})$ might still be large, it is not the optimum characteristic that equations (7) and (8) can achieve. By the same argument, the birthday paradox distinguishers can distinguish the output sequences of CBC and CFB mode block ciphers from real or well-designed random number sequences by observing $O(|E|^{1/2})$ symbols successively, where $|E|$ denotes two to the power of the plaintext size of one block of $E$.

The following equations have the optimum characteristic, because the hash value $H(E_k(\cdot))$ is not known to others (footnote 4):

$$t'_i = m_i \oplus H(E_k(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n})) \qquad (17)$$
$$t_i = (t'_i \,\|\, u_i) \qquad (18)$$
$$m_i = t'_i \oplus H(E_k(u_i \,\|\, t_{i-1} \,\|\, \cdots \,\|\, t_{i-n})) \qquad (19)$$

However, this is not desirable because $u_i$ must be exactly uniform; if it is not, others might be able to detect the difference. The following equations accept a slightly biased $u_i$, because $u_i$ is exclusive-ored with the output of $H$, and the output of $H$ can be considered uniform by the assumption on $H$:

$$t_i = E_k((m_i \,\|\, u_i) \oplus H(E_k(t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}))) \qquad (20)$$
$$m_i = \mathrm{Rem}(D_k(t_i) \oplus H(E_k(t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}))) = \mathrm{Rem}(m_i \,\|\, u_i) \qquad (21)$$

where $\mathrm{Rem}(m_i \,\|\, u_i)$ is a function that removes $u_i$ from $(m_i \,\|\, u_i)$. In this case,

$$\Pr\left(t_i = t_j \;\middle|\; (t_{i-1}, \ldots, t_{i-n}) = (t_{j-1}, \ldots, t_{j-n})\right) = \sum_{u_i \in U} \Pr(u_i)^2 \qquad (22)$$

Footnote 4: It is possible to substitute a key-dependent hash function $H_k$ for $H(E_k(\cdot))$.

where $U$ denotes the set of all possible values of $u$. When $u$ is uniform, the right-hand side becomes $1/|U|$ (footnote 5). However, it seems a little redundant to use $E$ twice. The main purpose of $E_k$ is to keep the output values of $H$ secret. The following equations serve the same purpose with one $E$:

$$t'_i = (m_i \,\|\, u_i) \oplus H(t'_{i-1} \,\|\, \cdots \,\|\, t'_{i-n}) \qquad (23)$$
$$t_i = E_k(t'_i) \qquad (24)$$
$$t'_i = D_k(t_i) \qquad (25)$$
$$m_i = \mathrm{Rem}(t'_i \oplus H(t'_{i-1} \,\|\, \cdots \,\|\, t'_{i-n})) = \mathrm{Rem}(m_i \,\|\, u_i) \qquad (26)$$

Moreover, $H$ does not have to be one-way or collision-free in this case, as long as $H$ can be considered a (pseudo) random function. Therefore we recommend equations (23) and (24) as a converter that converts any message sequence into a practically indistinguishable random number sequence, and equations (25) and (26) as the deconverter. The deconverter self-synchronizes with the sequence of $t$ after $n$ symbols have been observed. Moreover, the sequence of $t$ does not form a cycle even if the same message symbol is transmitted repeatedly, because of the nondeterministic input; one bit of nondeterministic input per $i$ is sufficient to prevent cycles. The bit size of $u_i$ can be used as a security parameter to control the balance between indistinguishability and information transmission rate (bit size of $m_i$ / bit size of $t_i$). When indistinguishability is more important than the transmission rate, the bit size should be increased; when the rate is more important, it should be decreased. It is even possible to remove $u_i$ if either $m_i$ is nondeterministic or the bit size of $(t'_{i-1} \,\|\, \cdots \,\|\, t'_{i-n})$ is sufficiently large. In order to distinguish the sequence of $t$, a distinguisher either has to break $E_k$ or has to observe $O(|T|^{n/2})$ continuous symbols under the assumption that $m_i$ is fixed.

4.2 When others cannot know the transmitted symbols $t$

In this case, $k$ is not necessarily required, because the sequence of $t$ is kept secret from others. Therefore, by the same argument as in the previous subsection, Conv and Dec can be simplified as follows:

$$t_i = (m_i \,\|\, u_i) \oplus H(t_{i-1} \,\|\, \cdots \,\|\, t_{i-n}) \qquad (27)$$
$$m_i = \mathrm{Rem}(t_i \oplus H(t_{i-1} \,\|\, \cdots \,\|\, t_{i-n})) = \mathrm{Rem}(m_i \,\|\, u_i) \qquad (28)$$

Footnote 5: If the first (left) $E_k$ is removed from equation (20), $\Pr(\mathrm{Rem}(t_i) = \mathrm{Rem}(t_j) \mid (t_{i-1}, \ldots, t_{i-n}) = (t_{j-1}, \ldots, t_{j-n})) = 1$.
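The recommended converter and deconverter, equations (23) to (26), and the unkeyed variant (27) and (28) of section 4.2, as an added example that is not the paper's own code. It assumes a toy 64-bit block cipher $E_k$ built as a 4-round Feistel network with an HMAC-SHA256 round function (a Luby-Rackoff construction standing in for a real cipher), $H$ = SHA-256 truncated to one block, $n = 2$, 6-byte $m_i$ and 2-byte $u_i$; the key, the sample messages and the seeded source of $u_i$ are constructed for the demo. A receiver that starts observing at the third symbol knows none of the earlier $t'$, so its first $n$ outputs are wrong and everything after that is correct, which is the self-synchronization the text describes.

```python
import hashlib
import hmac
import os
import random

BLOCK = 8                   # bytes per symbol t_i, i.e. |T| = 2^64
N_PREV = 2                  # n: previous t' values that feed H (sync takes n symbols)
M_BYTES = 6                 # bytes of message m_i per symbol
U_BYTES = BLOCK - M_BYTES   # bytes of nondeterministic input u_i per symbol


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    """Feistel round function: HMAC-SHA256 of the round number and one half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def E(key, block):
    """Toy block cipher E_k: 4-round Feistel network (Luby-Rackoff), a stand-in for AES."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, R, rnd))
    return L + R


def D(key, block):
    """Inverse permutation D_k: the same rounds in reverse order."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, L, rnd)), L
    return L + R


def H(data):
    """Unkeyed hash truncated to one block; it only has to behave like a random function."""
    return hashlib.sha256(data).digest()[:BLOCK]


def seeded_u_source(seed):
    """Repeatable stand-in for the nondeterministic input u_i (demo only; use os.urandom)."""
    rng = random.Random(seed)
    return lambda n: bytes(rng.getrandbits(8) for _ in range(n))


class Converter:
    """(23) t'_i = (m_i || u_i) xor H(t'_{i-1} || ... || t'_{i-n});  (24) t_i = E_k(t'_i).
    With key=None the E_k step is skipped, which is the section 4.2 converter (27)."""
    def __init__(self, key, u_source=os.urandom):
        self.key, self.u_source = key, u_source
        self.prev = [bytes(BLOCK)] * N_PREV      # t'_{i-1}, ..., t'_{i-n}: all-zero at the start

    def convert(self, m):
        assert len(m) == M_BYTES
        u = self.u_source(U_BYTES)                          # nondeterministic input u_i
        t_prime = xor(m + u, H(b"".join(self.prev)))        # (23)
        self.prev = [t_prime] + self.prev[:-1]
        return E(self.key, t_prime) if self.key is not None else t_prime   # (24) / (27)


class Deconverter:
    """(25) t'_i = D_k(t_i);  (26) m_i = Rem(t'_i xor H(t'_{i-1} || ... || t'_{i-n})).
    A receiver joining mid-stream starts with unknown previous t'; after n symbols it is synced."""
    def __init__(self, key):
        self.key = key
        self.prev = [bytes(BLOCK)] * N_PREV

    def deconvert(self, t):
        t_prime = D(self.key, t) if self.key is not None else t    # (25) / (28)
        m_u = xor(t_prime, H(b"".join(self.prev)))                # (26)
        self.prev = [t_prime] + self.prev[:-1]
        return m_u[:M_BYTES]                                      # Rem(): drop u_i


def demo(seed=1):
    """Send six 6-byte messages (a repeated one among them) and decode them
    (a) from the start, (b) by a receiver that first sees the third symbol,
    and (c) with the unkeyed section 4.2 variant."""
    key = b"key shared in advance"
    msgs = [b"hello!", b"hello!", b"hello!", b"world!", b"hello!", b"bye!!!"]
    ts = [Converter(key, seeded_u_source(seed)).convert(m) for m in [msgs[0]]][:0]
    conv = Converter(key, seeded_u_source(seed))
    ts = [conv.convert(m) for m in msgs]
    full = Deconverter(key)
    from_start = [full.deconvert(t) for t in ts]
    late = Deconverter(key)
    joined_late = [late.deconvert(t) for t in ts[2:]]
    conv2, dec2 = Converter(None, seeded_u_source(seed)), Deconverter(None)
    unkeyed = [dec2.deconvert(conv2.convert(m)) for m in msgs]
    return {"msgs": msgs, "symbols": ts, "from_start": from_start,
            "joined_late": joined_late, "unkeyed_from_start": unkeyed}


if __name__ == "__main__":
    r = demo()
    print("repeated m_i gives distinct t_i:", len(set(r["symbols"][:3])) == 3)
    print("decoded from start:", r["from_start"] == r["msgs"])
    print("joined late, after n symbols:", r["joined_late"][N_PREV:] == r["msgs"][2 + N_PREV:])
```

Note what the receiver never needs: no counter, no IV and no position marker are sent, only the $t_i$ themselves; and because $u_i$ is folded into $t'_i$ before the hash chain, the three identical `hello!` blocks produce three different symbols.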

5 Conclusion

We considered message randomization methods for subliminal channels. In many applications of subliminal channels, both self-synchronization and (practical) indistinguishability are required, but few methods satisfy both. Although Vernam encryption perfectly satisfies indistinguishability, it does not satisfy self-synchronization. On the contrary, although (ECB), CBC and CFB mode block ciphers and self-synchronizing stream ciphers satisfy self-synchronization, most of them do not have the optimum characteristic from the viewpoint of indistinguishability. Therefore we considered a structure that satisfies both (practical) indistinguishability and self-synchronization, and then designed some pairs of converters and deconverters. The converters transform any message sequence into a practically indistinguishable random number sequence, and the output sequences do not form cycles because of the nondeterministic input. The deconverters can decode the message sequence from any point of the converted sequence. In order to distinguish the converted sequences from real or well-designed random number sequences, either the underlying computational infeasibility of learning $t'$, $t$ or $k$ has to be broken, or $O(|T|^{n/2})$ symbols have to be observed in the situation where $m_i$ is fixed for every $i$. The next step of this research is to find more powerful distinguishers and to evaluate the indistinguishability more exactly.

References
1. B. Schneier. "Subliminal Channel". In Applied Cryptography, Second Edition, pages 531-536. John Wiley & Sons.
2. G. J. Simmons. "Subliminal Channels: Past and Present". European Trans. on Telecommunications, 4(4):459-473, Jul/Aug.
3. Y. Desmedt, C. Goutier, and S. Bengio. "Special uses and abuses of the Fiat-Shamir passport". In Proc. of CRYPTO '87, LNCS 293, pages 21-39. Springer-Verlag.
4. G. J. Simmons. "Subliminal communication is easy using the DSA". In Proc. of EUROCRYPT '93, LNCS 765, pages 218-232. Springer-Verlag.
5. K. Kobara and H. Imai. "The capacity of a channel with a one-way function". In Proc. of Japan-Korea Joint Workshop on Information Security and Cryptology (JW-ISC) '97, pages 173-179.
6. R. A. Rueppel. "Stream ciphers". In Contemporary Cryptology, pages 65-134. IEEE Press.
7. R. A. Rueppel. "Analysis and Design of Stream Ciphers". Springer-Verlag.
8. J. Daemen, R. Govaerts, and J. Vandewalle. "Resynchronization weakness in synchronous stream ciphers". In Proc. of EUROCRYPT '93, LNCS 765, pages 159-176. Springer-Verlag.
9. D. R. Stinson. "Cryptography, Theory and Practice". CRC Press.
10. S. Kullback. "Statistical methods in cryptanalysis". Aegean Park Press.


More information

SHA-3 and permutation-based cryptography

SHA-3 and permutation-based cryptography SHA-3 and permutation-based cryptography Joan Daemen 1 Joint work with Guido Bertoni 1, Michaël Peeters 2 and Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Crypto summer school Šibenik,

More information

Asymptotically Optimal Two-Round Perfectly Secure Message Transmission

Asymptotically Optimal Two-Round Perfectly Secure Message Transmission Asymptotically Optimal Two-Round Perfectly Secure Message Transmission Saurabh Agarwal 1, Ronald Cramer 2 and Robbert de Haan 3 1 Basic Research in Computer Science (http://www.brics.dk), funded by Danish

More information

Chapter 4 MASK Encryption: Results with Image Analysis

Chapter 4 MASK Encryption: Results with Image Analysis 95 Chapter 4 MASK Encryption: Results with Image Analysis This chapter discusses the tests conducted and analysis made on MASK encryption, with gray scale and colour images. Statistical analysis including

More information

Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Introduction to Cryptography CS 355 Lecture 25 Mental Poker And Semantic Security CS 355 Fall 2005 / Lecture 25 1 Lecture Outline Review of number theory The Mental Poker Protocol Semantic security Semantic

More information

Solution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result.

Solution: Alice tosses a coin and conveys the result to Bob. Problem: Alice can choose any result. Example - Coin Toss Coin Toss: Alice and Bob want to toss a coin. Easy to do when they are in the same room. How can they toss a coin over the phone? Mutual Commitments Solution: Alice tosses a coin and

More information

High-Capacity Reversible Data Hiding in Encrypted Images using MSB Prediction

High-Capacity Reversible Data Hiding in Encrypted Images using MSB Prediction High-Capacity Reversible Data Hiding in Encrypted Images using MSB Prediction Pauline Puteaux and William Puech; LIRMM Laboratory UMR 5506 CNRS, University of Montpellier; Montpellier, France Abstract

More information

We have dened a notion of delay limited capacity for trac with stringent delay requirements.

We have dened a notion of delay limited capacity for trac with stringent delay requirements. 4 Conclusions We have dened a notion of delay limited capacity for trac with stringent delay requirements. This can be accomplished by a centralized power control to completely mitigate the fading. We

More information

Discrete Mathematics & Mathematical Reasoning Multiplicative Inverses and Some Cryptography

Discrete Mathematics & Mathematical Reasoning Multiplicative Inverses and Some Cryptography Discrete Mathematics & Mathematical Reasoning Multiplicative Inverses and Some Cryptography Colin Stirling Informatics Some slides based on ones by Myrto Arapinis Colin Stirling (Informatics) Discrete

More information

B. Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

B. Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet. B. Substitution Ciphers, continued 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet. Non-periodic case: Running key substitution ciphers use a known text (in

More information

Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014

Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 7 Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 Cryptography studies techniques for secure communication in the presence of third parties. A typical

More information

RSA hybrid encryption schemes

RSA hybrid encryption schemes RSA hybrid encryption schemes Louis Granboulan École Normale Supérieure Louis.Granboulan@ens.fr Abstract. This document compares the two published RSA-based hybrid encryption schemes having linear reduction

More information

Available online at ScienceDirect. Procedia Computer Science 65 (2015 )

Available online at   ScienceDirect. Procedia Computer Science 65 (2015 ) Available online at www.sciencedirect.com ScienceDirect Procedia Computer Science 65 (2015 ) 350 357 International Conference on Communication, Management and Information Technology (ICCMIT 2015) Simulink

More information

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME

A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME International Journal of Power Control Signal and Computation (IJPCSC) Vol. 2 No. 1 ISSN : 0976-268X A STENO HIDING USING CAMOUFLAGE BASED VISUAL CRYPTOGRAPHY SCHEME 1 P. Arunagiri, 2 B.Rajeswary, 3 S.Arunmozhi

More information

Block Ciphers Security of block ciphers. Symmetric Ciphers

Block Ciphers Security of block ciphers. Symmetric Ciphers Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 26 Assume encryption and decryption use the same key. Will discuss how to distribute key to all parties later Symmetric ciphers unusable

More information

Bit Permutation Instructions for Accelerating Software Cryptography

Bit Permutation Instructions for Accelerating Software Cryptography Bit Permutation Instructions for Accelerating Software Cryptography Zhijie Shi, Ruby B. Lee Department of Electrical Engineering, Princeton University {zshi, rblee}@ee.princeton.edu Abstract Permutation

More information

EE 418: Network Security and Cryptography

EE 418: Network Security and Cryptography EE 418: Network Security and Cryptography Homework 3 Solutions Assigned: Wednesday, November 2, 2016, Due: Thursday, November 10, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University

More information

Five-Card Secure Computations Using Unequal Division Shuffle

Five-Card Secure Computations Using Unequal Division Shuffle Five-Card Secure Computations Using Unequal Division Shuffle Akihiro Nishimura, Takuya Nishida, Yu-ichi Hayashi, Takaaki Mizuki, and Hideaki Sone Sone-Mizuki Lab., Graduate School of Information Sciences,

More information

Merkle s Puzzles. c Eli Biham - May 3, Merkle s Puzzles (8)

Merkle s Puzzles. c Eli Biham - May 3, Merkle s Puzzles (8) Merkle s Puzzles See: Merkle, Secrecy, Authentication, and Public Key Systems, UMI Research press, 1982 Merkle, Secure Communications Over Insecure Channels, CACM, Vol. 21, No. 4, pp. 294-299, April 1978

More information

Joint Transmitter-Receiver Adaptive Forward-Link DS-CDMA System

Joint Transmitter-Receiver Adaptive Forward-Link DS-CDMA System # - Joint Transmitter-Receiver Adaptive orward-link D-CDMA ystem Li Gao and Tan. Wong Department of Electrical & Computer Engineering University of lorida Gainesville lorida 3-3 Abstract A joint transmitter-receiver

More information

Robust Key Establishment in Sensor Networks

Robust Key Establishment in Sensor Networks Robust Key Establishment in Sensor Networks Yongge Wang Abstract Secure communication guaranteeing reliability, authenticity, and privacy in sensor networks with active adversaries is a challenging research

More information

LECTURE NOTES ON SUBLIMINAL CHANNEL & COMMUNICATION SYSTEM

LECTURE NOTES ON SUBLIMINAL CHANNEL & COMMUNICATION SYSTEM Department of Software The University of Babylon LECTURE NOTES ON SUBLIMINAL CHANNEL & COMMUNICATION SYSTEM By Dr. Samaher Hussein Ali College of Information Technology, University of Babylon, Iraq Samaher_hussein@yahoo.com

More information

Chapter 2 Direct-Sequence Systems

Chapter 2 Direct-Sequence Systems Chapter 2 Direct-Sequence Systems A spread-spectrum signal is one with an extra modulation that expands the signal bandwidth greatly beyond what is required by the underlying coded-data modulation. Spread-spectrum

More information

A New Compression Method for Encrypted Images

A New Compression Method for Encrypted Images Technology, Volume-2, Issue-2, March-April, 2014, pp. 15-19 IASTER 2014, www.iaster.com Online: 2347-5099, Print: 2348-0009 ABSTRACT A New Compression Method for Encrypted Images S. Manimurugan, Naveen

More information

Efficient Card-based Protocols for Generating a Hidden Random Permutation without Fixed Points

Efficient Card-based Protocols for Generating a Hidden Random Permutation without Fixed Points Efficient Card-based Protocols for Generating a Hidden Random Permutation without Fixed Points Rie Ishikawa 1, Eikoh Chida 1, and Takaaki Mizuki 2 1 Electrical and Computer Engineering, National Institute

More information

Classical Cryptography

Classical Cryptography Classical Cryptography CS 6750 Lecture 1 September 10, 2009 Riccardo Pucella Goals of Classical Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to all communications Alice

More information

Public Key Encryption

Public Key Encryption Math 210 Jerry L. Kazdan Public Key Encryption The essence of this procedure is that as far as we currently know, it is difficult to factor a number that is the product of two primes each having many,

More information

On the Capacity Regions of Two-Way Diamond. Channels

On the Capacity Regions of Two-Way Diamond. Channels On the Capacity Regions of Two-Way Diamond 1 Channels Mehdi Ashraphijuo, Vaneet Aggarwal and Xiaodong Wang arxiv:1410.5085v1 [cs.it] 19 Oct 2014 Abstract In this paper, we study the capacity regions of

More information

phase switching in radio interferometry Eric Keto Smithsonian Astrophysical Observatory, 60 Garden Street,Cambridge, MA 02138

phase switching in radio interferometry Eric Keto Smithsonian Astrophysical Observatory, 60 Garden Street,Cambridge, MA 02138 Shifted m-sequences as an alternative to Walsh functions for phase switching in radio interferometry Eric Keto Smithsonian Astrophysical Observatory, 60 Garden Street,Cambridge, MA 02138 Submillimeter

More information

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Automated Analysis and Synthesis of Block-Cipher Modes of Operation Automated Analysis and Synthesis of Block-Cipher Modes of Operation Alex J. Malozemoff 1 Jonathan Katz 1 Matthew D. Green 2 1 University of Maryland 2 Johns Hopkins University Presented at the Fall Protocol

More information

arxiv: v1 [nlin.cd] 29 Oct 2007

arxiv: v1 [nlin.cd] 29 Oct 2007 Analog Chaos-based Secure Communications and Cryptanalysis: A Brief Survey Shujun Li, Gonzalo Alvarez, Zhong Li and Wolfgang A. Halang arxiv:0710.5455v1 [nlin.cd] 29 Oct 2007 Abstract A large number of

More information

CMath 55 PROFESSOR KENNETH A. RIBET. Final Examination May 11, :30AM 2:30PM, 100 Lewis Hall

CMath 55 PROFESSOR KENNETH A. RIBET. Final Examination May 11, :30AM 2:30PM, 100 Lewis Hall CMath 55 PROFESSOR KENNETH A. RIBET Final Examination May 11, 015 11:30AM :30PM, 100 Lewis Hall Please put away all books, calculators, cell phones and other devices. You may consult a single two-sided

More information

Chaos based Communication System Using Reed Solomon (RS) Coding for AWGN & Rayleigh Fading Channels

Chaos based Communication System Using Reed Solomon (RS) Coding for AWGN & Rayleigh Fading Channels 2015 IJSRSET Volume 1 Issue 1 Print ISSN : 2395-1990 Online ISSN : 2394-4099 Themed Section: Engineering and Technology Chaos based Communication System Using Reed Solomon (RS) Coding for AWGN & Rayleigh

More information

Introduction to Cryptography

Introduction to Cryptography B504 / I538: Introduction to Cryptography Spring 2017 Lecture 10 Assignment 2 is due on Tuesday! 1 Recall: Pseudorandom generator (PRG) Defⁿ: A (fixed-length) pseudorandom generator (PRG) with expansion

More information

Conditional Cube Attack on Reduced-Round Keccak Sponge Function

Conditional Cube Attack on Reduced-Round Keccak Sponge Function Conditional Cube Attack on Reduced-Round Keccak Sponge Function Senyang Huang 1, Xiaoyun Wang 1,2,3, Guangwu Xu 4, Meiqin Wang 2,3, Jingyuan Zhao 5 1 Institute for Advanced Study, Tsinghua University,

More information

Published in: Proceedings of the 3rd International Conference on Information Systems Security and Privacy

Published in: Proceedings of the 3rd International Conference on Information Systems Security and Privacy Improved Greedy Nonrandomness Detectors for Stream Ciphers Karlsson, Linus; Hell, Martin; Stankovski, Paul Published in: Proceedings of the 3rd International Conference on Information Systems Security

More information

Department of Telecommunications. The Norwegian Institute of Technology. N-7034 Trondheim, Norway. and the same power.

Department of Telecommunications. The Norwegian Institute of Technology. N-7034 Trondheim, Norway. and the same power. OFDM for Digital TV Terrestrial Broadcasting Anders Vahlin and Nils Holte Department of Telecommunications The Norwegian Institute of Technology N-734 Trondheim, Norway ABSTRACT This paper treats the problem

More information

Implementation and Performance Testing of the SQUASH RFID Authentication Protocol

Implementation and Performance Testing of the SQUASH RFID Authentication Protocol Implementation and Performance Testing of the SQUASH RFID Authentication Protocol Philip Koshy, Justin Valentin and Xiaowen Zhang * Department of Computer Science College of n Island n Island, New York,

More information

On Symmetric Key Broadcast Encryption

On Symmetric Key Broadcast Encryption On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical Institute, Kolkata Elliptic Curve Cryptography (This is not) 2014 Bhattacherjee and Sarkar Symmetric Key

More information

PROBABILITY AND STATISTICS Vol. II - Information Theory and Communication - Tibor Nemetz INFORMATION THEORY AND COMMUNICATION

PROBABILITY AND STATISTICS Vol. II - Information Theory and Communication - Tibor Nemetz INFORMATION THEORY AND COMMUNICATION INFORMATION THEORY AND COMMUNICATION Tibor Nemetz Rényi Mathematical Institute, Hungarian Academy of Sciences, Budapest, Hungary Keywords: Shannon theory, alphabet, capacity, (transmission) channel, channel

More information

Random Bit Generation and Stream Ciphers

Random Bit Generation and Stream Ciphers Random Bit Generation and Stream Ciphers Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 8-1 Overview 1.

More information

High Diffusion Cipher: Encryption and Error Correction in a Single Cryptographic Primitive

High Diffusion Cipher: Encryption and Error Correction in a Single Cryptographic Primitive High Diffusion Cipher: Encryption and Error Correction in a Single Cryptographic Primitive Chetan Nanjunda Mathur, Karthik Narayan and K.P. Subbalakshmi Department of Electrical and Computer Engineering

More information

RSA hybrid encryption schemes

RSA hybrid encryption schemes RSA hybrid encryption schemes Louis Granboulan École Normale Supérieure Louis.Granboulan@ens.fr Abstract. This document compares the two published RSA-based hybrid encryption schemes having linear reduction

More information

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017 COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously Pseudorandom Functions and Permutaitons Modes of Operation Pseudorandom Functions Functions that look like random

More information

Permutation Polynomials Modulo 2 w

Permutation Polynomials Modulo 2 w Finite Fields and Their Applications 7, 287}292 (2001) doi.10.1006/!ta.2000.0282, available online at http://www.idealibrary.com on Permutation Polynomials Modulo 2 w Ronald L. Rivest Laboratory for Computer

More information

A Comprehensive Review on Secure Image Steganography

A Comprehensive Review on Secure Image Steganography 25 A Comprehensive Review on Secure Image Steganography Yadavindra College of Engineering, Punjabi University, Patiala kritikasingla23@gmail.com, Purbasumeet@yahoo.co.in Abstract: Steganography is an art

More information

Chaotically Modulated RSA/SHIFT Secured IFFT/FFT Based OFDM Wireless System

Chaotically Modulated RSA/SHIFT Secured IFFT/FFT Based OFDM Wireless System Chaotically Modulated RSA/SHIFT Secured IFFT/FFT Based OFDM Wireless System Sumathra T 1, Nagaraja N S 2, Shreeganesh Kedilaya B 3 Department of E&C, Srinivas School of Engineering, Mukka, Mangalore Abstract-

More information

Reversible Data Hiding in Encrypted color images by Reserving Room before Encryption with LSB Method

Reversible Data Hiding in Encrypted color images by Reserving Room before Encryption with LSB Method ISSN (e): 2250 3005 Vol, 04 Issue, 10 October 2014 International Journal of Computational Engineering Research (IJCER) Reversible Data Hiding in Encrypted color images by Reserving Room before Encryption

More information

Ecient Routing in Optical Networks. Alok Aggarwal Amotz Bar-Noy Don Coppersmith. Rajiv Ramaswami Baruch Schieber Madhu Sudan. IBM { Research Division

Ecient Routing in Optical Networks. Alok Aggarwal Amotz Bar-Noy Don Coppersmith. Rajiv Ramaswami Baruch Schieber Madhu Sudan. IBM { Research Division Ecient Routing in Optical Networks Alok Aggarwal Amotz Bar-Noy Don Coppersmith Rajiv Ramaswami Baruch Schieber Madhu Sudan IBM { Research Division T. J. Watson Research Center Yorktown Heights, NY 10598

More information

EE 418 Network Security and Cryptography Lecture #3

EE 418 Network Security and Cryptography Lecture #3 EE 418 Network Security and Cryptography Lecture #3 October 6, 2016 Classical cryptosystems. Lecture notes prepared by Professor Radha Poovendran. Tamara Bonaci Department of Electrical Engineering University

More information

Calculators will not be permitted on the exam. The numbers on the exam will be suitable for calculating by hand.

Calculators will not be permitted on the exam. The numbers on the exam will be suitable for calculating by hand. Midterm #: practice MATH Intro to Number Theory midterm: Thursday, Nov 7 Please print your name: Calculators will not be permitted on the exam. The numbers on the exam will be suitable for calculating

More information

New Zero-knowledge Undeniable Signatures - Forgery of Signature Equivalent to Factorisation

New Zero-knowledge Undeniable Signatures - Forgery of Signature Equivalent to Factorisation New Zero-knowledge Undeniable Signatures - Forgery of Signature Equivalent to Factorisation Wenbo Mao Trusted E-Services Laboratory HP Laboratories Bristol HPL-2001-36 February 28 th, 2001* E-mail: wm@hplb.hpl.hp.com

More information

CDMA Physical Layer Built-in Security Enhancement

CDMA Physical Layer Built-in Security Enhancement CDMA Physical Layer Built-in Security Enhancement Jian Ren Tongtong Li 220 Engineering Building Department of Electrical & Computer Engineering Michigan State University East Landing, MI 48864-226 Email:

More information

BER Analysis for Synchronous All-Optical CDMA LANs with Modified Prime Codes

BER Analysis for Synchronous All-Optical CDMA LANs with Modified Prime Codes BER Analysis for Synchronous All-Optical CDMA LANs with Modified Prime Codes Pham Manh Lam Faculty of Science and Technology, Assumption University Bangkok, Thailand Abstract The analysis of the BER performance

More information

Math 319 Problem Set #7 Solution 18 April 2002

Math 319 Problem Set #7 Solution 18 April 2002 Math 319 Problem Set #7 Solution 18 April 2002 1. ( 2.4, problem 9) Show that if x 2 1 (mod m) and x / ±1 (mod m) then 1 < (x 1, m) < m and 1 < (x + 1, m) < m. Proof: From x 2 1 (mod m) we get m (x 2 1).

More information

Math236 Discrete Maths with Applications

Math236 Discrete Maths with Applications Math236 Discrete Maths with Applications P. Ittmann UKZN, Pietermaritzburg Semester 1, 2012 Ittmann (UKZN PMB) Math236 2012 1 / 43 The Multiplication Principle Theorem Let S be a set of k-tuples (s 1,

More information

Cryptography. Module in Autumn Term 2016 University of Birmingham. Lecturers: Mark D. Ryan and David Galindo

Cryptography. Module in Autumn Term 2016 University of Birmingham. Lecturers: Mark D. Ryan and David Galindo Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 1 Cryptography Module in Autumn Term 2016 University of Birmingham Lecturers: Mark D. Ryan and David Galindo Slides originally written

More information

Classification of Ciphers

Classification of Ciphers Classification of Ciphers A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master of Technology by Pooja Maheshwari to the Department of Computer Science & Engineering Indian

More information

VISUAL CRYPTOGRAPHY for COLOR IMAGES USING ERROR DIFFUSION AND PIXEL SYNCHRONIZATION

VISUAL CRYPTOGRAPHY for COLOR IMAGES USING ERROR DIFFUSION AND PIXEL SYNCHRONIZATION VISUAL CRYPTOGRAPHY for COLOR IMAGES USING ERROR DIFFUSION AND PIXEL SYNCHRONIZATION Pankaja Patil Department of Computer Science and Engineering Gogte Institute of Technology, Belgaum, Karnataka Bharati

More information

Stream Ciphers And Pseudorandomness Revisited. Table of contents

Stream Ciphers And Pseudorandomness Revisited. Table of contents Stream Ciphers And Pseudorandomness Revisited Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction Stream Ciphers Stream ciphers & pseudorandom

More information

Non-overlapping permutation patterns

Non-overlapping permutation patterns PU. M. A. Vol. 22 (2011), No.2, pp. 99 105 Non-overlapping permutation patterns Miklós Bóna Department of Mathematics University of Florida 358 Little Hall, PO Box 118105 Gainesville, FL 326118105 (USA)

More information

Identity-based multisignature with message recovery

Identity-based multisignature with message recovery University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Identity-based multisignature with message

More information

Keywords: dynamic P-Box and S-box, modular calculations, prime numbers, key encryption, code breaking.

Keywords: dynamic P-Box and S-box, modular calculations, prime numbers, key encryption, code breaking. INTRODUCING DYNAMIC P-BOX AND S-BOX BASED ON MODULAR CALCULATION AND KEY ENCRYPTION FOR ADDING TO CURRENT CRYPTOGRAPHIC SYSTEMS AGAINST THE LINEAR AND DIFFERENTIAL CRYPTANALYSIS M. Zobeiri and B. Mazloom-Nezhad

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography How mathematics allows us to send our most secret messages quite openly without revealing their contents - except only to those who are supposed to read them The mathematical ideas

More information

Lecture 1: Introduction

Lecture 1: Introduction Lecture 1: Introduction Instructor: Omkant Pandey Spring 2018 (CSE390) Instructor: Omkant Pandey Lecture 1: Introduction Spring 2018 (CSE390) 1 / 13 Cryptography Most of us rely on cryptography everyday

More information

Public-key Cryptography: Theory and Practice

Public-key Cryptography: Theory and Practice Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 5: Cryptographic Algorithms Common Encryption Algorithms RSA

More information

Inputs. Outputs. Outputs. Inputs. Outputs. Inputs

Inputs. Outputs. Outputs. Inputs. Outputs. Inputs Permutation Admissibility in Shue-Exchange Networks with Arbitrary Number of Stages Nabanita Das Bhargab B. Bhattacharya Rekha Menon Indian Statistical Institute Calcutta, India ndas@isical.ac.in Sergei

More information

An on-chip glitchy-clock generator and its application to safe-error attack

An on-chip glitchy-clock generator and its application to safe-error attack An on-chip glitchy-clock generator and its application to safe-error attack Sho Endo, Takeshi Sugawara, Naofumi Homma, Takafumi Aoki and Akashi Satoh Graduate School of Information Sciences, Tohoku University

More information

1. The chance of getting a flush in a 5-card poker hand is about 2 in 1000.

1. The chance of getting a flush in a 5-card poker hand is about 2 in 1000. CS 70 Discrete Mathematics for CS Spring 2008 David Wagner Note 15 Introduction to Discrete Probability Probability theory has its origins in gambling analyzing card games, dice, roulette wheels. Today

More information

LOSSLESS CRYPTO-DATA HIDING IN MEDICAL IMAGES WITHOUT INCREASING THE ORIGINAL IMAGE SIZE THE METHOD

LOSSLESS CRYPTO-DATA HIDING IN MEDICAL IMAGES WITHOUT INCREASING THE ORIGINAL IMAGE SIZE THE METHOD LOSSLESS CRYPTO-DATA HIDING IN MEDICAL IMAGES WITHOUT INCREASING THE ORIGINAL IMAGE SIZE J.M. Rodrigues, W. Puech and C. Fiorio Laboratoire d Informatique Robotique et Microlectronique de Montpellier LIRMM,

More information

A Soft-Limiting Receiver Structure for Time-Hopping UWB in Multiple Access Interference

A Soft-Limiting Receiver Structure for Time-Hopping UWB in Multiple Access Interference 2006 IEEE Ninth International Symposium on Spread Spectrum Techniques and Applications A Soft-Limiting Receiver Structure for Time-Hopping UWB in Multiple Access Interference Norman C. Beaulieu, Fellow,

More information

Lab/Project Error Control Coding using LDPC Codes and HARQ

Lab/Project Error Control Coding using LDPC Codes and HARQ Linköping University Campus Norrköping Department of Science and Technology Erik Bergfeldt TNE066 Telecommunications Lab/Project Error Control Coding using LDPC Codes and HARQ Error control coding is an

More information