
If a standard encryption scheme involves a nonce, as most do, can the nonce be used to hide another small message?

That is, the nonce (rather than being randomly generated) is a hidden message XORed with another secret key. As long as this other secret key is hashed/random and unique for each message, this is equivalent to random, right?

In an extended nonce setup (such as Xsalsa) 192 bits could be sent as a hidden/deniable message. I realise this is still tiny, but it seems truly deniable since you are using a standard encryption scheme, therefore overcoming the issue detailed in the answer here.

Aside from the obvious problem/hassle of exchanging a 2nd secret key and sending small messages as a series of larger ones, is this a viable idea?

Modal Nest

1 Answer


You can do this, although the implications are limited.

  • If you have a secret key, an algorithm, and a communication channel that can send bytes, you can send an encrypted message.
  • It doesn't matter what secondary uses (e.g., as a nonce) that data may have. What matters is that they transmit the message.
  • Algorithms typically provide security proofs based on properties of the nonce. If the nonce is indistinguishable from a random number, it can be used as if it were a random number. If a nonce is not the product of two prime numbers, then it can be used as if it were not the product of two prime numbers. As long as your "nonce" obeys these properties, whatever they are, it will be secure.

In general, this idea is as viable as any steganographic system which hides the content in a protocol. Its validity depends greatly on the threat model. Your adversary clearly has the ability to observe your encrypted traffic (or there would be no need for steganography like this). Can they also require you to use specific algorithms? If your approach was popular, you might run into issues where the adversary mandates an algorithm for the nonce. This algorithm may satisfy the proofs needed to ensure the underlying communications are secure, but be insufficient for use in your steganographic approach. (For example, they might require you to construct the nonce from a Merkle tree, and provide them the frontier of the tree at any time to prove you are using their algorithm. This could decrease the bandwidth of your steganographic channel to an arbitrarily small amount.)

The most likely issue would be an algorithmic proof of the underlying communication algorithm which depended on a property you no longer had. For example, there are communication schemes which depend on the unpredictability of an initialization value to prevent replay attacks. If your steganographic communications get cracked enough to start predicting the nonce on your future messages, you may become susceptible to replay attacks that you would otherwise be immune to. This is a case-by-case thing, so you'd have to go into the specifics of your underlying message stream to see whether such an exploit might accidentally arise.

Cort Ammon
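The construction the question describes, written out as an added example (not code from the question or the answer): a 24-byte nonce, the size XSalsa20 uses, is formed as the hidden chunk XORed with a per-message mask derived from the second secret key. The names `derive_mask`, `embed`, `extract` and `mask_reuse_leak`, the HMAC-over-counter mask derivation and the sample messages are all assumptions of this example; the outer cipher that would consume the nonce is not included. The last function shows the condition the question hedges with "unique for each message": if the mask repeats, an observer of two nonces learns the XOR of the two hidden chunks.

```python
import hmac
import hashlib

# XSalsa20, named in the question, takes a 24-byte (192-bit) nonce.
NONCE_LEN = 24


def derive_mask(cover_key: bytes, counter: int) -> bytes:
    """Per-message secret mask (assumed construction): HMAC-SHA256 over a
    never-repeating message counter, truncated to the nonce length. Without
    cover_key an observer cannot distinguish it from random bytes."""
    tag = hmac.new(cover_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return tag[:NONCE_LEN]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def embed(hidden: bytes, cover_key: bytes, counter: int) -> bytes:
    """Sender: build the nonce for message number `counter` so it carries
    `hidden`. The return value is what the outer cipher receives as its nonce."""
    if len(hidden) != NONCE_LEN:
        raise ValueError(f"hidden chunk must be exactly {NONCE_LEN} bytes")
    return xor_bytes(hidden, derive_mask(cover_key, counter))


def extract(nonce: bytes, cover_key: bytes, counter: int) -> bytes:
    """Receiver: the nonce travels in the clear with the ciphertext, so only
    the cover key and the message counter are needed to recover the chunk."""
    return xor_bytes(nonce, derive_mask(cover_key, counter))


def mask_reuse_leak(nonce_a: bytes, nonce_b: bytes) -> bytes:
    """What an observer can compute from two visible nonces. If both used the
    same mask this equals hidden_a XOR hidden_b (the two-time-pad failure),
    which is why the mask, and so the counter, must never repeat."""
    return xor_bytes(nonce_a, nonce_b)


def demo() -> bool:
    cover_key = b"\x01" * 32                 # constructed demo key, not a real secret
    hidden_a = b"meet at dock 4, 0300hrs!"    # constructed sample, 24 bytes
    hidden_b = b"abort, dock is watched!!"    # constructed sample, 24 bytes
    n1, n2 = embed(hidden_a, cover_key, 1), embed(hidden_b, cover_key, 2)
    ok = extract(n1, cover_key, 1) == hidden_a and extract(n2, cover_key, 2) == hidden_b
    # Distinct counters: the XOR of the nonces reveals nothing about the chunks.
    ok = ok and mask_reuse_leak(n1, n2) != xor_bytes(hidden_a, hidden_b)
    # Reused counter: the nonces differ by exactly hidden_a XOR hidden_b.
    n2_bad = embed(hidden_b, cover_key, 1)
    return ok and mask_reuse_leak(n1, n2_bad) == xor_bytes(hidden_a, hidden_b)
```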