
The Republic of Brutopia is updating the design of their library cards with a new security feature: a 2D barcode containing a cryptographically signed copy of the human-readable fields on the card. This will allow anyone to verify that a card is genuine and has not been tampered with.

Unfortunately, the library card is the principal form of government-issued ID in Brutopia. You'll probably show yours to almost-random strangers several times a day, whether you want to buy beer, open a bank account, or pick up a package at the post office. And now civil rights advocates and conspiracy theorists alike are up in arms about the privacy implications of using the new barcoded cards for that. Who can really know if the barcode only contains the data about you that you can see for yourself on the face of the card?

It didn't help the government that they published full specifications for the barcode content, including a DSA signature at the end. The critics pointed out that a DSA signature contains an ostensibly-random nonce, and there is no way you can check that it is really all random and doesn't secretly code for personally identifiable data.

It appears that what the government needs is to use something other than DSA for signing the cards. As far as I can make out, what we would ideally want here is a public-key signature scheme with the additional property that

It should be infeasible to construct a valid public key $K_p$, a message $M$, and two different signatures $S_1$ and $S_2$ such that $S_1$ and $S_2$ are both valid signatures for $M$ under key $K_p$.

Does this property (or something like it) have a name?

And are there generally accepted signature schemes that provide this?

Naively I would expect that RSA, with the input being a hash of the message, padded to the modulus length in some deterministic way, might work -- but apparently best practice is always to use some random padding when using RSA for anything, so I'm not sure whether that would be vulnerable somehow.

2 Answers


Sending information covertly when using legitimate systems is a well-studied field. As another question mentions, key words are covert channel and subliminal channel.

Designing systems with no covert channels is difficult, but not impossible. The main difficulty is to ensure that if any randomness is sampled incorrectly, the legitimate recipient must detect and reject.

For your case, deterministic signatures (as you had almost arrived at yourself) would be sufficient. The main interesting system is RSA-FDH (full-domain hash) which is trivially deterministic. There are also systems that have deterministic signature generation (if you sign the same message twice, you get the same signature), but where someone with the signing key could generate different signatures without the verification algorithm noticing.

For more complicated systems, this becomes much more difficult. For some symmetric cryptosystems, you can use counters instead of random nonces.

answered by K.G., edited by CodesInChaos

RSA with PKCS#1 v1.5 padding for signature generation would work, as the algorithm is fully deterministic. The random padding is only used for RSA with PKCS#1 v1.5 padding for encryption, which is different from the padding for signature generation.

Note that both OAEP and PSS are not deterministic either; they both rely on a random number generator.


I guess the name of the property is a covert channel / without a covert channel. A covert channel is a channel that can be used to communicate between parties that are not meant to communicate (in the protocol). Within cryptography subliminal channel is a specific covert channel that can be used in signatures such as DSA.

Determinism was already mentioned above. If all inputs are known then the outcome of the algorithm is known as well.

Maarten Bodewes
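Both answers come down to the same point: a scheme whose signing step has no signer-chosen randomness accepts exactly one signature per message, which is the property the question describes. The following is an added illustration, not code from either answer or from any library: a toy RSA-FDH signer (deterministic, as the first answer suggests) next to a salted variant standing in for PSS-style randomised padding (which the second answer notes is not deterministic), plus a small audit helper a card issuer could use to check which kind of scheme a signing API actually gives them. Assumptions: the key is built from two Mersenne primes purely so the block runs with no dependencies (far too small for real use), SHAKE-256 is used as the full-domain expansion function, the `CARD` fields are a constructed sample, and the salted variant is a simplified stand-in rather than the real PSS encoding.

```python
import hashlib
import secrets

# Toy RSA key built from two Mersenne primes so the example runs with no dependencies.
# A ~150-bit modulus is hopelessly small for real use; the point is the structure, not
# the security level.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)
N_BYTES = (N.bit_length() + 7) // 8    # 19 bytes for this modulus
SALT_LEN = 16

# Constructed sample: the human-readable fields a card reader would hash.
CARD = b"name=Ada Lovelace;number=0001234;expires=2030-01-31"


def fdh(message: bytes) -> int:
    """Full-domain hash: stretch the message digest to the modulus size with SHAKE-256
    and reduce modulo N. Same message -> same representative, every time."""
    digest = hashlib.shake_256(message).digest(N_BYTES)
    return int.from_bytes(digest, "big") % N


def sign_fdh(message: bytes) -> bytes:
    """Deterministic RSA-FDH signature: no nonce, no salt, nothing for a signer to choose."""
    return pow(fdh(message), D, N).to_bytes(N_BYTES, "big")


def verify_fdh(message: bytes, signature: bytes) -> bool:
    """Because x -> x^E mod N is a permutation, exactly one s satisfies s^E == fdh(message):
    the verifier accepts a single byte string per message and rejects everything else."""
    if len(signature) != N_BYTES:
        return False
    s = int.from_bytes(signature, "big")
    return s < N and pow(s, E, N) == fdh(message)


def sign_salted(message: bytes, salt: bytes = b"") -> bytes:
    """Randomised stand-in for PSS-style padding (not the real PSS encoding): a signer-chosen
    salt is hashed with the message and shipped in front of the signature so the verifier
    can recompute the hash."""
    if not salt:
        salt = secrets.token_bytes(SALT_LEN)
    sig = pow(fdh(salt + message), D, N).to_bytes(N_BYTES, "big")
    return salt + sig


def verify_salted(message: bytes, blob: bytes) -> bool:
    """Accepts any (salt, signature) pair that is internally consistent, i.e. 2^128 distinct
    valid signatures per message. The verifier cannot tell a random salt from a chosen one."""
    if len(blob) != SALT_LEN + N_BYTES:
        return False
    salt, sig = blob[:SALT_LEN], blob[SALT_LEN:]
    s = int.from_bytes(sig, "big")
    return s < N and pow(s, E, N) == fdh(salt + message)


def distinct_signatures(sign, message: bytes, trials: int = 5) -> int:
    """Audit helper: sign the same message repeatedly and count how many different
    signatures come back. 1 means the scheme leaves the signer no choice."""
    return len({sign(message) for _ in range(trials)})


if __name__ == "__main__":
    sig = sign_fdh(CARD)
    tampered = CARD.replace(b"2030", b"2040")
    print("FDH signature valid:", verify_fdh(CARD, sig))
    print("FDH accepts altered expiry:", verify_fdh(tampered, sig))
    print("FDH distinct signatures over 5 runs:", distinct_signatures(sign_fdh, CARD))
    print("salted distinct signatures over 5 runs:", distinct_signatures(sign_salted, CARD))
```

The audit helper is the practical check: run the issuer's real signing routine through it, and a count of 1 over many runs is consistent with a deterministic scheme, while any count above 1 means the signer had a choice and the verifier has no way to see which choice was made. Note that `verify_fdh` does nothing beyond the ordinary verification; the uniqueness follows from RSA exponentiation being a permutation, so rejecting "a second valid signature" needs no extra logic.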