The design of integrating
subliminal channel with
access control
Narn –Yih Lee, Shu-Ya Yang
Applied Mathematics and Computation
Vol: 171, No. 1, pp. 573-580, Dec 2005
Chia–Chi Wu
Outline





Introduction
Digital signature scheme with subliminal
plaintext channels
Digital signature scheme with subliminal
ciphertext channels
Security analyses
Conclusions
Introduction


The subliminal channel
Access control in a hierarchical group
G1
broadcast
G2
G4
M: subliminal message
m: public message
G3
G5
G6
Notations




p,q: two large primes, and q|p-1,
gj: generators with order q in GF(p),
j=1,2,…,7
H(•): a one-way hash function,
*
xs  Zq : the sender’s secret key
6


ys:the sender’s public key ys   gi x g7 x mod p
i 1
where xi is user Gi’s secret key
i
IDi: the user Gi’s identity, i=1,2,…,6
s




xi: user Gi’s secret key, i=1,2,…,6
The sender Gs determines two secret keys x1
for G1 and x5 for G5 .
Gs computes xj=H(xi,IDj) for Gj, j=2,3,4,6 ,
where Gi is a predecessor of Gj
The sender generates two public parameters
rk5=H(xk,ID5)⊕x5, k=2, 3
G
The sender Gs transmits
G
G
1

2
3
xi to Gi in secret.
G4
G5
G6
Digital signature scheme with
subliminal plaintext channels

Signature generation phase

The sender wants to sign m and hide Mi into the
signature. R is a random integer RZq*.
6
e  H ( g
i 1
Mi
i
 g mod p || m),
R
7
si  M i  exi mod q, i  1, 2,..., 6
sR  R  exs mod q.

(e, s1,s2,…,s6,sR) is the signature for m.

Signature verification phase:
6
e  H ( gisi  g 7sR  yse mod p || m)
i 1

Subliminal message recovery phase:

Getting his/her own message
M i  si  exi mod q


Getting his/her subordinates’ messages
Getting M5
x5  H ( xk , ID5 )  rk 5 , k  2 or 3
Digital signature scheme with
subliminal ciphertext channels

Initialization phase:




g: a generator with order q in GF(p)
ys:the sender’s public key, and ys=gxs mod p
Ex(): an AES encryption function, by the key x
Dx(): an AES decryption function, by the key x

Signature generation phase


The sender chooses a random number k Zq*.
ci  Exi ( M i ), i  1, 2,..., 6
r  g k mod p
finds s to satisfy
H (m)  xs  H (c1 || c2 || c3 || c4 || c5 || c6 )  r  ks mod q

generates m’s signature: (r, s, c1, c2, c3, c4, c5, c6)

Signature verification phase
g

H ( m)
y
r  H ( c1||c 2||c 3||c 4||c 5||c 6)
s
 r mod p
s
Subliminal message recover phase
M i  Dxi (ci )
Security Analyses



Unauthorized receivers will get nothing.
Subordinates cannot get their predecessors’
secret information.
The signature cannot be forged.
Conclusions


Their security are all based on the difficulty of
solving the discrete logarithm problem or
breaking one-way hash function.
Each receiver only keeps one secret key.