This article has multiple issues. Please helpimprove it or discuss these issues on thetalk page.(Learn how and when to remove these messages) This article includes a list ofgeneral references, butit lacks sufficient correspondinginline citations. Please help toimprove this article byintroducing more precise citations.(November 2014) (Learn how and when to remove this message) This articlemay beconfusing or unclear to readers. Please helpclarify the article. There might be a discussion about this onthe talk page.(November 2014) (Learn how and when to remove this message) This articlemay be too technical for most readers to understand. Pleasehelp improve it tomake it understandable to non-experts, without removing the technical details.(September 2013) (Learn how and when to remove this message) (Learn how and when to remove this message)

In cryptography,subliminal channels arecovert channels that can be used to communicate secretly in normal looking communication over aninsecure channel.^[1] Subliminal channels indigital signature crypto systems were found in 1984 byGustavus Simmons.

Simmons describes how the "Prisoners' Problem" can be solved through parameter substitution indigital signature algorithms.^[2][a]

Signature algorithms likeElGamal andDSA have parameters which must be set with random information. He shows how one can make use of these parameters to send a message subliminally. Because the algorithm's signature creation procedure is unchanged, the signature remains verifiable and indistinguishable from a normal signature. Therefore, it is hard to detect if the subliminal channel is used.

• Subliminal channels can be classified into broadband and narrowband channel types.
• Broadband and narrowband channels can exist in the same datastream.
• The broadband channel uses almost all available bits that are available to use. This is commonly understood to mean {≥50% but ≤90%} channel utilization.
• Every channel which uses fewer bits is called a narrow-band channel.
• The additional used bits are needed for further protection, e.g.,impersonation.

The broadband and the narrow-band channels can use different algorithm parameters. A narrow-band channel cannot transport maximal information, but it can be used to send the authentication key or datastream.

Research is ongoing : further developments can enhance the subliminal channel, e.g., allow for establishing a broadband channel without the need to agree on an authentication key in advance. Other developments try to avoid the entire subliminal channel.

An easy example of a narrowband subliminal channel for normal human-language text would be to define that an even word count in a sentence is associated with the bit "0" and an odd word count with the bit "1". The question "Hello, how do you do?" would therefore send the subliminal message "1".

TheDigital Signature Algorithm has one subliminal broadband^[3] and three subliminal narrow-band channels^[4]

At signing the parameter${\displaystyle k}$ has to be set random. For the broadband channel this parameter is instead set with a subliminal message${\displaystyle m^{\prime }}$.

1. Key generation
   1. choose prime${\displaystyle p=2347}$
   2. choose prime${\displaystyle q=23}$
   3. calculate generator${\displaystyle g=266}$
   4. choose authentication key${\displaystyle x=1468}$ and send it securely to the receiver
   5. calculate public key${\displaystyle y=g^x}$ mod${\displaystyle p=2100}$
2. Signing
   1. choose message${\displaystyle m=1337}$
   2. (hash function${\displaystyle H(m)}$ is here substituted with a modulo reduction by 107) calculate message hash value${\displaystyle h=m}$ mod${\displaystyle q=1337}$ mod${\displaystyle 107=53}$
   3. instead of random value${\displaystyle k=?}$ subliminal message${\displaystyle m^{\prime }=17}$ is chosen
   4. calculate inverse of the subliminal message${\displaystyle m^{\prime -1}=19}$ mod${\displaystyle 23}$
   5. calculate signature value${\displaystyle r=(g^k}$ mod${\displaystyle p)}$ mod${\displaystyle q=({266}^{17}}$ mod${\displaystyle 2347)}$ mod${\displaystyle 23=12}$
   6. calculate signature value${\displaystyle s=k^{-1}\ast (h+x\ast r)}$ mod${\displaystyle q=19\ast (53+1468\ast 12)}$ mod${\displaystyle 23=3}$
   7. sending message with signature triple${\displaystyle (1337;12,3)}$
3. Verifying
   1. receiver gets message triple${\displaystyle (m;r,s)=(1337;12,3)}$
   2. calculate message hash${\displaystyle h=H(m)}$ mod${\displaystyle q=1337}$ mod${\displaystyle 107=53}$
   3. calculate inverse${\displaystyle w=s^{-1}}$ mod${\displaystyle q=8}$
   4. calculate${\displaystyle u_1=(h\ast w)}$ mod${\displaystyle q=53\ast 8}$ mod${\displaystyle 23=10}$
   5. calculate${\displaystyle u_2=(r\ast w)}$ mod${\displaystyle q=12\ast 8}$ mod${\displaystyle 23=4}$
   6. calculate signature${\displaystyle v=(g^{u_1}\ast y^{u_2}}$ mod${\displaystyle p)}$ mod${\displaystyle q=({266}^{10}\ast {2100}^4}$ mod${\displaystyle 2347)}$ mod${\displaystyle 23=12}$
   7. since${\displaystyle v=r}$, the signature is valid
4. Message extraction on receiver side
   1. from triple (1337; 12, 3)
   2. extract message${\displaystyle m^{\prime }=8\ast (53+1468\ast 12)}$ mod${\displaystyle 23=17}$

The formula for message extraction is derived by transposing the signature value${\displaystyle s}$ calculation formula.

• ${\displaystyle s=m^{\prime -1}\ast (h+xr)}$ mod${\displaystyle q}$
• ${\displaystyle s\ast m^{\prime }=h+xr}$ mod${\displaystyle q}$
• ${\displaystyle m^{\prime }=s^{-1}\ast (h+xr)}$ mod${\displaystyle q}$

In this example, an RSA modulus purporting to be of the form n = pq is actually of the form n = pqr, for primes p, q, and r. Calculation shows that exactly one extra bit can be hidden in the digitally signed message. The cure for this was found by cryptologists at theCentrum Wiskunde & Informatica inAmsterdam, who developed aZero-knowledge proof that n is of the form n = pq.^{[citation needed]} This example was motivated in part byThe Empty Silo Proposal.

Here is a (real, working) PGP public key (using the RSA algorithm), which was generated to include two subliminal channels - the first is the "key ID", which should normally be random hex, but below is "covertly" modified to read "C0DED00D". The second is thebase64 representation of the public key - again, supposed to be all random gibberish, but the English-readable message "//This+is+Christopher+Drakes+PGP+public+key//Who/What+is+watcHIng+you//" has been inserted. Adding both these subliminal messages was accomplished by tampering with the random number generation during the RSAkey generation phase.

 PGP Key. RSA 2020/C0DED00D   Fprint: 250A 7E38 9A1F 8A86  0811 C704 AF21 222C  -----BEGIN PGP PUBLIC KEY BLOCK----- Version: Private  mQESAgAAAAAAAAEH5Ar//This+is+Christopher+Drakes+PGP+public+key// Who/What+is+watcHIng+you//Di0nAraP+Ebz+iq83gCa06rGL4+hc9Gdsq667x 8FrpohTQzOlMF1Mj6aHeH2iy7+OcN7lL0tCJuvVGZ5lQxVAjhX8Lc98XjLm3vr1w ZBa9slDAvv98rJ8+8YGQQPJsQKq3L3rN9kabusMs0ZMuJQdOX3eBRdmurtGlQ6AQ AfjzUm8z5/2w0sYLc2g+aIlRkedDJWAFeJwAVENaY0LfkD3qpPFIhALN5MEWzdHt Apc0WrnjJDby5oPz1DXxg6jaHD/WD8De0A0ARRAAAAAAAAAAAbQvQ2hyaXN0b3Bo ZXIgRHJha2UgPENocmlzdG9waGVyLkRyYWtlQFBvQm94LmNvbT60SE5ldFNhZmUg c2VjdXJpdHkgc29mdHdhcmUgZGlyZWN0b3IgQ2hyaXN0b3BoZXIgRHJha2UgPE5l dFNhZmVAUG9Cb3guY29tPokBEgMFEDPXgvkcP9YPwN7QDQEB25oH4wWEhg9cBshB i6l17fJRqIJpXKAz4Zt0CfAfXphRGXC7wC9bCYzpHZSerOi1pd3TpHWyGX3HjGEP 6hyPfMldN/sm5MzOqgFc2pO5Ke5ukfgxI05NI0+OKrfc5NQnDOBHcm47EkK9TsnM c3Gz7HlWcHL6llRFwk75TWwSTVbfURbXKx4sC+nNExW7oJRKqpuN0JZxQxZaELdg 9wtdArqW/SY7jXQn//YJV/kftKvFrA24UYLxvGOXfZXpP7Gl2CGkDI6fzism75ya xSAgn9B7BqQ4BLY5Vn+viS++6Rdavykyd8j9sDAK+oPz/qRtYJrMvTqBErN4C5uA IV88P1U= =/BRt -----END PGP PUBLIC KEY BLOCK-----

A modification to theBrickell and DeLaurentis signature scheme provides a broadband channel without the necessity to share the authentication key.^[5]TheNewton channel is not a subliminal channel, but it can be viewed as an enhancement.^[6]

With the help of thezero-knowledge proof and thecommitment scheme it is possible to prevent the usage of the subliminal channel.^[7][8]

It should be mentioned that this countermeasure has a 1-bit subliminal channel. The reason for that is the problem that a proof can succeed or purposely fail.^[9]

Another countermeasure can detect, but not prevent, the subliminal usage of the randomness.^[10]

• Seminar: "Covert Channels and Embedded Forensics"

• Cryptography

• Articles with short description
• Short description is different from Wikidata
• Articles lacking in-text citations from November 2014
• All articles lacking in-text citations
• Wikipedia articles needing clarification from November 2014
• All Wikipedia articles needing clarification
• Wikipedia articles that are too technical from September 2013
• All articles that are too technical
• Articles with multiple maintenance issues
• All articles with unsourced statements
• Articles with unsourced statements from July 2022