A Secure Signature Scheme with a Broadband Covert Channel

SATTAR J ABOUD and MOHAMMAD AHMAD AL-FAYOUMI Department of Computer Science The University for Graduate Studies, Faculty of IT Amman - Jordan sattar_aboud@yahoo.com mfayoumi99@yahoo.com

Abstract: - This paper presents a secure signature scheme with a broadband covert channel that does not require the sender to deal with the security of the participant signing key. In this paper we suggested an efficient signature scheme having such a channel using Elgamal signature scheme. But against to the popular thought the design of the digital signature scheme does not maximize the covert utility of its signatures, but minimizes them. The proposed algorithm also demonstrates that numerous discrete logarithm algorithms are vulnerable since they are used in more than one group concurrently, and the key data might reveal by these groups which the discrete logarithm is simple, whilst the digital signature scheme is not susceptible in this means. Keywords: - discrete logarithm problem, Elgamal signature scheme, digital signature scheme, covert channel, broadband channel,
narrowband channel.

1. Introduction
Covert channels are closely related to subliminal channels and are employed to send hidden private information, but both misuse the communications means. Covert channels can be presented in many cryptography schemes, and abuse the intrinsic arbitrariness of the schemes. For instance, private data can be concealed in the arbitrariness of the authenticators of an authentication scheme. Similarly private data can be concealed in the randomness of both digital signature schemes and zero knowledge proof schemes. The first method of Covert channel was invented in 1973 by Lampson [1]. Lampson defined covert channel as channel which are not proposed for data transfer. With this definition subliminal channel might be considered as a particular type of covert channels. Though, this opinion is not shared by everyone [2]. Subliminal channel is typically generated through the implementation of the encryption scheme, and require the computational complexity methods or the data theoretic methods, but not engineering execution techniques. Covert channel could be generated employing any method, but generally require execution channels for instance storage channel and timing channel. Example of storage channel involves

the modulation of storage space, and the hiding of private information in the least significant bits of images. An example of a timing channel employs the duration of the execution central processing unit time. In 1983, Simmons detected that embedded information can be concealed within the authenticator of an authentication scheme [2]. Simmons named this secret channel the subliminal channel. The capacity of this channel is not considerable, a little bits per authenticator. However as Simmons discovered a decade later [3] the possible influence on agreement verification and on the national security of the United State of America may be disastrous. But the second strategic weapons restriction agreement between the United State of America and Russia permitted both countries to authenticate their documents. Whilst it is not possible to conceal embedded information in the documents which is standardized and might be controlled by the other country, this is not the case with the authenticators. The capacity of this channel is sufficient to disclose which silos are filled with nuclear arms and which are not. This data could have been critical to any authority considered a first attack.

Such an illegal communication channel is known as a covert channel. Considerable researches exist on the covert channels in [4,5,6,7,8,9] . It is essential to observe not just the covert channel, but also the situation in which the covert channel happens. Thus, in this paper we propose a secure signature scheme with a broadband covert channel that does not require the sender to deal with the security of the participant signing key.

generator of z p assume also that x is the entity private signing key less than p . Compute the public signature verification key d = a x mod p .Suppose an integer number less than p where gcd(r , ) =1 , with = p 1 , and m is the message to be signed. So the Elgamal signature on m is ( g , s ) such that:
*

g = a r mod p

(1) s = (m x * g ) / r mod (2) The two formerly given covert channels in this scheme are: 1. The broadband channel in which the signer shares the entity signing key with the message receiver, permitting r is inconsiderably detected employing formula (2). We can therefore encrypt a secret message straight on from r .

2. Digital Signature Schemes

The particular security materials of digital signature schemes are still considered as open research challenges [10,11,12,13,14,15] . However, various digital signature schemes have the feature that the signer of a message can conceal certain data in the signature that can be detected by a trusted authority, and that the existence of this concealed data can not be recovered by any given example of the signature. This channel is invented by Simmons, who named it subliminal channel [3]. The difficulty initially began in the environment of nuclear weapons defects in international agreement verification. The United State of America and Russia have made a decision to place particular sensors in every other nuclear side in order to share specific agreed sensor data, and required integrity controls to stop data being processed and therefore to stop supply false information that an attempt does or does not succeed [16]. Also, both sides made sure that the integrity mechanisms can not be misused to transmit other forbidden data. This concerns the schemes employed to consider not only the occurrence of nuclear tests, but also the number of fielded nuclear arms. If a Russian sensor designed to transmit just the absence or presence of an American rocket in storage can covertly communicate the storage site, then this data might be employed to ease a first attack. One of the first designs of tools to confirm international agreement compliance had just such a defect, the sensor site might be communicated employing a covert channel in an early authentication protocol relied on discrete logarithms problem [3]. To perceive the operation of these channels, consider the Elgamal signature algorithm [17,18] . Assume that p is a prime number where computing discrete * logarithms in z p is difficult. Suppose a is the

2.

The narrowband channel in which signer attempts various values of r until the signer can force a number of bits of g to cipher a covert message c , so entity could be required to encrypt a ten bit message in the low order bits of g and tries consecutive values of r until the signer obtained the target. This will take roughly a thousand attempts on average, and typically the covert bandwidth in bits per signature is around the binary logarithm of the number of calculations that signer is eager to achieve.

The narrowband channel may be adequate for a sensor in missile storage to cipher little bits of data, and eventually this data might disclose its physical site. The narrowband covert channel might also be employed to reveal encryption key. Therefore, covert channel is significant in a number of uses. But neither of the mentioned channels is perfect. The signer should either adapt entity signing key or accept serious computational restrictions on the applicable covert bandwidth. This guided the authors to raise the question: is there any different algorithm with a broadband covert channel that does not need the sender to compromise the security of the entity signing key. However, the Elgamal signature scheme has such channel.

3. The Proposed Scheme

Suppose that the modulus p = q * n +1 such that n is smooth and finding discrete logarithms is difficult * in subgroup of z p of order q that is calculated by a n mod p . If the covert message we want to transmit is c , we can find: r c mod n (3) However, we can compute r = c + r * n for certain randomly selected r . Now, when the receiver obtains the signature ( g , s ) then generates g q mod p and computes i as follows:
(a q ) i g q mod p

situations [ 21,22,23] . For instance various tools are available to exclude these attacks, and they are also usable in this algorithm. The proposed scheme is designed to use a combination of an appropriate one way hash function h(.) with which m shell is hashed before signing in order to bind the size of the key in verification. To avoid the potentiality of message collisions, it is preferable that the hash function employed must have a 160 bits product and secure hash algorithm [ 24,25] which seems to be an appropriate choice. In summary, when we apply the Elgamal signature * algorithm with a as a generator of z p , we are signing at the same time in a number of different groups that correspond to the factors of . The proposed signing key can be secure in a few of these, shared with some participants, and will be available to each user mod the smooth part of . This smooth part is at least 2, so that p is a random prime number; it will be around log 2 B [26].

(4)

This is feasible since the order of the subgroup of z* generated by a q mod p is smooth. By the p Pohlig-Hellman scheme [19] combining with Pollard rho algorithm [20], this will require a computation time of O ( B ) where B is the smoothness bound means that the largest prime factor of n . We will then find the congruence:

4. Structure of the Channel

c i mod n (5)
The covert message can thus be detected. Given i , we can find the signing key by formula (2), thus more messages can be recovered. This channel is a broadcast one, in the sense that any person can find the discrete logarithm computation and detect x mod n . Though, we can also generate narrowcast channel, in which the covert message c is just available to participants who have certain shared secret. Especially, when = n * q1 * q 2 + 1 , and the discrete logarithm problem is difficult in the groups of order q1 and q 2 , then the signer can keep entity signing key secret mod q1 but disclose its value mod q 2 to the intended receiver of covert messages. Entity can now transmit the covert message c as r mod q 2 . The multiplicative ability used in this algorithm can also be employed to attack the signature in some

Obviously, the prime p is selected to supply any preferred combination of narrowcast and broadcast channels. The prime that is best for broadcast in Elgamal signature was given in the original design of the digital signature scheme, this have ( p +1) / q = 260 *342 *533 *722 *1118 [27], producing a broadcast channel of about 348 bits. The present DSS [18] proposes another pair of primes, namely:

p = 11302572305695789971211785367127305569 3971918853023736578500807227123949097039725 2022789130125625498690699069989423300403789 036403406843132846623271929333671

q = 90367956442797211944834776705755652497 317033292791895790832691271816184890399
The factors of ( p +1) / q were found by Paul Leyland and are 2.

q1 = 61504999627 q 2 = 37112533158071 q 3 = 34208101743716447893907182873

Employing the prime p for Elgamal signature could give a secure signature, in the groups of order q and q 3 , might be weakened to supply a narrowcast covert channel. These will also be a transmit channel of fairly over 160 bits per signature, as the signing key could be obtained in the groups whose orders are 2, q1 for roughly 237 multiplication and q 2 for roughly 241 multiplications. It must be explicit from this example the way to choose p for any wished combination of broadcast and narrowcast covert channel size. In the example of an arbitrarily selected prime p , it may be exposed that the expected size in bits v of the result of all prime divisors B is just about log 2 B [26]. So the covert channel needs a computation time of O (2 v / 2 ) to convey v bits, whereas the formerly known narrowband channel required around 2 v . Furthermore, v has a large difference, for one in 100 1024-bit primes; one finds a result of v which is around four times bigger than the predictable result [27]. Anyhow, the values of p and q in the present digital signature scheme are not acutely out of the standard. .

The proposed scheme has suggestions for security and secrecy; a person can find out the message key k as well as the signing key x mod m , actually in a standard discrete logarithm based cryptography, we can expect to detect the keys mod the smooth element of the order. It could be reckless of a developer to let such server key disclosure, as numerous random number generators illustrate regularities as a result of resonances, or implementation bugs. An Elgamal algorithm employing the p and q originally suggested by the digital signature scheme could be disclosing more than two thirds of every key. In lots of applications, and this would be adequate to raise the attack. However, for now we suggest that developers of Diffie-Hellman and Elgamal sort schemes must apply groups of prime order each time.

6. Conclusions and Extensions

We have solved Simmons difficulty by proving that the Elgamal signature scheme has a broadband covert channel; the proposed channel, which does not require the sender to compromise the security of the entity signing key. However, Simmons assumption that such mechanisms did not exits is not completely wrong, since the bandwidth of the suggested channel in bits for each signature is precisely equivalent to the number of bits that the signer is set to compromise of entity signing key. Thus, it may clearly be that Simmons assumption holds with a more exact formulation. We have also perceived that the design of the digital signature scheme does not maximize the covert usefulness of its signatures, but minimizes them. The proposed scheme also demonstrates that numerous discrete logarithm based schemes are vulnerable, whilst the digital signature scheme is not susceptible in this means. It appears that it is not possible to generate covert channel signature schemes employ arbitrariness, but this has not been verified. Also no covert free channel scheme exists to date for generating exponent keys and it is not known if one can be generated. Failed stopping attack against schemes which are initially considered is a covert channel raises a subliminal channel with very small capacity; approximately 1 / 2 bit actually 1 / ln(2) [31]. In

5. Discussion
The proposed channel occurs when a digital signature is carried out in a composite group with the feature that the key in one or more of its subgroups is shared with the receiver. This sharing could be explicit, in the case of the narrowband channel, or implied in the case where trusted secret can easily calculate the key in the appropriate group or groups. It is obvious that the suggested channel could be avoided by working in a group of prime order. In the instance mentioned, we might substitute a by a ( p 1) / 2 or a ( p 1) / q3 , and in fact this is the approach used by digital signature scheme [28]. After the digital signature scheme was suggested, it developed to have been designed to increase the secret channel size [29]. This statement was denied at the time by a person in charge in NSA [30], and we can at present notice that he was correct; the digital signature scheme does not increase the secret benefit of a signature, but reduces it by eradicating the suggested channel.

fact schemes which just support covert channels with very low capacity may be satisfactory. The difficulty is that the recent researches on covert channels have concentrated on all protocols. A measurement system appears much harder. In reality, we do not know one method that proofs the failed stopping channel is the only one that could be employed against signature schemes for example those proposed in [32,33,34, 35,36,37 ] . Other covert channels with a bigger capacity might be present. In addition, it appears not simple to determine a time complexity equal for the information hypothetical notation of capacity [38]. In fact, the introduction of public key by Diffie-Hellman [39] has confirmed that the standard measure of data is inadequate.

References
[1] [2] Lampson B. W, A note on the confinement problem, Communication of ACM, Vol. 16(10), pp. 613-615, 1973. Simmons, G. J, The prisoners' problem and thesubliminal channel, In advances in Cryptology, Proceeding of Crypto 83 (1984) D. Chaum, Ed. Plenum Press N.Y. pp. 51-67. Simmons, G Subliminal Channels Past and Present, European Transactions on Telecommunications v 5 no 4 1994, pp. 459-473. Mike Burmester, Yvo G. Desmedt, Toshiya Itoh and Kouichi Sakurai, A progress Report on Subliminal-free Channels, Proceeding of the First International Workshop, May 30 June 1, 1996.pp. 157-168. Cambridge, U.K. John Giffin et al., Covert Messages through TCP Timestamps, Massachusetts Institute of Technology, 2002. Andrew Hintz, Covert Channels in TCP and IP Headers,2003.www.guh.nu/projects/cc/courtch an.ppt Joanna Rutkowska, NUSHU, Sample implementation of Unidirectional Passive Covert Channel in the TCP ISN number, 2004 Steven J. Murdoch and Stephen Lewis, Embedding Covert Channels into TCP/IP, Information Hiding Workshop Proceeding 2005 Lucena, N.B., Lwandoponlos, G., Chapin, S. J., Covert Channel in IPv6, In. 5th Privacy Enhancing Technologies Workshop 2005.

[3] [4]

[5] [6] [7] [8]

[9]

[10] Sattar J Aboud and Asim El Sheikh, A New Method for Public Key Cryptosystem and Digital Signature Scheme Based on both Integer Factorizations and Discrete Logarithms, Asian Journal of Information Technology, Vol. 3, Number 4, 2004, pp. 284289. [11] Sattar J Aboud and Mohammed Ahmed AlFayoumi, Two Efficient Digital and Multisignature Schemes, Proceeding of the IASTED International Conference on Computational Intelligence, Calgary, Canada, 2005, pp. 457-362. [12] Musbah, M Aqel and M. Ammar, Function Structure and Operation of a Modern System for Authentication of Signatures of Bank Checks, Pak. Information Technology Journal 4(1), 2005, pp. 96-105. [13] Ammar, M and M. Musbah, Verification of Signatures of Bank Checks at very Low Resolutions and Noisy Images, Applied Science University Journal, Jordan, 2003. [14] Ammar, M and M. Mousbah, A High Efficiency Method for Automatic Signature Verification, Patent No. 09/453730, 2/12/1999, USA, 2002. [15] Douglas R Stinson, "Cryptography Theory and Practice," CRC 3rd 2006, pp. 281-317. [16] Simmons, G How to Insure That Data Acquired to Verify Treaty Compliance are Trustworthy, Contemporary Cryptology, IEEE 1992, pp. 617-630 [17] T. Elgamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory, v 31, no 4, pp. 469-472, 1985. [18] Federal Information Processing Standards, Digital Signature Standard, National Institute of Standards and Technology, US Department of Commerce, (FIPS) Publication 186, Washington D.C., May 1994. [19] Pohlig, S and M Hellman, An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Signature, IEEE Transactions on Information Theory, v 24, no 1 1978, pp. 106-110. [20] Pollard, J Monte Carlo Methods for Index Computation mod p, Mathematics of Computation, v 32 no 149 July 1978, pp. 918924

[21] Sattar J Aboud and Evon M Abu-Taieh, A New Deterministic RSA-Factoring Algorithm, Jordan Journal of Applied Science, Volume 8, No. 1, pp. 54-66, Amman-Jordan, 2006. [22] Sattar Aboud, Baghdad Method for Calculating Multiplicative Inverse international Conference on Information Technology, Las Vegas, Nevada, USA, 2004, pp. 816-819. [23] Sattar Aboud Fraction Integer Method (FIM) for Calculating Multiplicative Inverse, Journal of Systemics, Cybernetics and Informatics, Volume 2, Number 5, 2005, USA [24] FIPA 180-1, Secure Hash Standard, US Department of Commerce/NIST, 1995 [25] FIPA 180-1, Secure Hash Standard, US Department of Commerce/NIST, 1994 [26] Oorschot P van and M Wiener, On DiffieHellman Key Agreement with Short Exponents, Advances in Cryptology, EUROCRYPT 96, Springer LNCS, v1070 pp, 332-343 [27] Anderson, R A Practical RSA Trapdoor, Electronics Letters v 29 no 11 pp. 993-995 [28] Schneier, B Applied Cryptography, 2nd edition, Wiley 1995. [29] G Simmons, Subliminal Communication is easy using the DSS, Advances in Cryptology, EUROCRYPT 93, Springer LNCS, v 765, pp. 218-232. [30] Snow, B Comment made from the floor at Eurocrypt, 1993. [31] Desmedt, Y. Simmons', Protocol is not free of subliminal channels, proceeding of the 9 th IEEE Computer Security Foundations Workshop, County Kerry, Ireland, June 10-12, 1990. [32] Desmedt, Y., Subliminal Free authentication and signature, In advances in Cryptology, proceeding of Euro-crypt '88, Lecture Notes in Computer Science 330, May 1988, SpringerVelag pp. 23-33. [33] Norman E. Proctor and Peter G. Neumann, Architectural Implications of Covert Channels, In proceeding of the 15th National Computer Security Conference, pp. 236-243, NIST/ NCSC, Baltimore, MD, 1992. [34] Ira S. Moskowitz and Myong H. Kang, Covert Channels How to stay? In proceedings of COMPASS, pp. 235-243, IEEE Press, 1994

[35] Fiat, A., and Shamir, A, How to prove yourself: practical solutions to identification and signature problems, in advances in cryptology proceeding of crypto '86, Lecture notes in computer science 263, 1987, springerverlag, pp. 186-194. [36] Simmons, G. J., An Introduction to the mathematics of trust in security protocols, in proceedings of computer security foundations workshop VI (1993), IEEE Computer society Press, pp. 121-127. [37] Simmons, G. J., The subliminal channels in the U.S. Digital signature algorithm (DSS), in proceedings of the 3rd symposium on,: state and progress of research in cryptography, W. Wolfowicz, ed. Pp. 35-54, 1993. [38] Shannon, C. E., A mathematical theory of communications, Bell system technical Journal, vol. 27, pp. 623-656, 1948. [39] Diffie W., Hellman, M. E, New directions in cryptography, IEEE Transactions information theory, vol. IT-22(6), pp. 644-654, 1976.