This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages) This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (November 2014) (Learn how and when to remove this template message) This article may be confusing or unclear to readers. Please help clarify the article. There might be a discussion about this on the talk page. (November 2014) (Learn how and when to remove this template message) This article may be too technical for most readers to understand. Please help improve it to make it understandable to non-experts, without removing the technical details. (September 2013) (Learn how and when to remove this template message) (Learn how and when to remove this template message)

In cryptography, subliminal channels are covert channels that can be used to communicate secretly in normal looking communication over an insecure channel.[1] Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons.

Simmons describes how the "Prisoners' Problem" can be solved through parameter substitution in digital signature algorithms.[2][a]

Signature algorithms like ElGamal and DSA have parameters which must be set with random information. He shows how one can make use of these parameters to send a message subliminally. Because the algorithm's signature creation procedure is unchanged, the signature remains verifiable and indistinguishable from a normal signature. Therefore, it is hard to detect if the subliminal channel is used.

The broadband and the narrow-band channels can use different algorithm parameters. A narrow-band channel cannot transport maximal information, but it can be used to send the authentication key or datastream.

Research is ongoing : further developments can enhance the subliminal channel, e.g., allow for establishing a broadband channel without the need to agree on an authentication key in advance. Other developments try to avoid the entire subliminal channel.


An easy example of a narrowband subliminal channel for normal human-language text would be to define that an even word count in a sentence is associated with the bit "0" and an odd word count with the bit "1". The question "Hello, how do you do?" would therefore send the subliminal message "1".

The Digital Signature Algorithm has one subliminal broadband[3] and three subliminal narrow-band channels[4]

At signing the parameter has to be set random. For the broadband channel this parameter is instead set with a subliminal message .

  1. Key generation
    1. choose prime
    2. choose prime
    3. calculate generator
    4. choose authentication key and send it securely to the receiver
    5. calculate public key mod
  2. Signing
    1. choose message
    2. (hash function is here substituted with a modulo reduction by 107) calculate message hash value mod mod
    3. instead of random value subliminal message is chosen
    4. calculate inverse of the subliminal message mod
    5. calculate signature value mod mod mod mod
    6. calculate signature value mod mod
    7. sending message with signature triple
  3. Verifying
    1. receiver gets message triple
    2. calculate message hash mod mod
    3. calculate inverse mod
    4. calculate mod mod
    5. calculate mod mod
    6. calculate signature mod mod mod mod
    7. since , the signature is valid
  4. Message extraction on receiver side
    1. from triple (1337; 12, 3)
    2. extract message mod

The formula for message extraction is derived by transposing the signature value calculation formula.

Example: Using a Modulus n = pqr

In this example, an RSA modulus purporting to be of the form n = pq is actually of the form n = pqr, for primes p, q, and r. Calculation shows that exactly one extra bit can be hidden in the digitally signed message. The cure for this was found by cryptologists at the Centrum Wiskunde & Informatica in Amsterdam, who developed a Zero-knowledge proof that n is of the form n = pq.[citation needed] This example was motivated in part by The Empty Silo Proposal.

Example - RSA Case study

Here is a (real, working) PGP public key (using the RSA algorithm), which was generated to include two subliminal channels - the first is the "key ID", which should normally be random hex, but below is "covertly" modified to read "C0DED00D". The second is the base64 representation of the public key - again, supposed to be all random gibberish, but the English-readable message "//This+is+Christopher+Drakes+PGP+public+key//Who/What+is+watcHIng+you//" has been inserted. Adding both these subliminal messages was accomplished by tampering with the random number generation during the RSA key generation phase.

 PGP Key. RSA 2020/C0DED00D   Fprint: 250A 7E38 9A1F 8A86  0811 C704 AF21 222C
 Version: Private


A modification to the Brickell and DeLaurentis signature scheme provides a broadband channel without the necessity to share the authentication key.[5] The Newton channel is not a subliminal channel, but it can be viewed as an enhancement.[6]


With the help of the zero-knowledge proof and the commitment scheme it is possible to prevent the usage of the subliminal channel.[7][8]

It should be mentioned that this countermeasure has a 1-bit subliminal channel. The reason for that is the problem that a proof can succeed or purposely fail.[9]

Another countermeasure can detect, but not prevent, the subliminal usage of the randomness.[10]


  1. ^ Simmons' Prisoners' Problem is not the same as the Prisoner's Dilemma.[1]


  1. ^ a b Gustavus J. Simmons. The Prisoners Problem and the Subliminal Channel. In Advances in Cryptology – CRYPTO ’83, pages 51–67, New York, 1984. Lecture Notes in Computer Science, ed. D. Chaum.
  2. ^ Gustavus J. Simmons. The subliminal channel and digital signatures. In Proc. of the EUROCRYPT 84 workshop on Advances in Cryptology – theory and application of cryptographic techniques, pages 364–378, New York, NY, USA, 1985. Springer-Verlag New York, Inc. doi:10.1007/3-540-39757-4_25
  3. ^ Gustavus J. Simmons. Subliminal communication is easy using the DSA. In EUROCRYPT ’93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 218–232, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.
  4. ^ Gustavus J. Simmons. The subliminal channel in the U.S. Digital Signature Algorithm (DSA), in Proceedings of the 3rd Symposium on State and Progress of Research in Cryptography (SPRC '93), Rome, Italy, February 15–16, 1993.
  5. ^ Gustavus J. Simmons. A Secure Subliminal Channel (?). In CRYPTO ’85: Advances in Cryptology, pages 33–41, London, UK, 1986. Springer-Verlag.
  6. ^ Ross J. Anderson, Serge Vaudenay, Bart Preneel, and Kaisa Nyberg. The Newton Channel. In Proceedings of the First International Workshop on Information Hiding, pages 151–156, London, UK, 1996. Springer-Verlag.
  7. ^ Yvo Desmedt. Abuses in Cryptography and How to Fight Them. In CRYPTO ’88: Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology, pages 375–389, London, UK, 1990. Springer-Verlag.
  8. ^ Yvo Desmedt. "Subliminal-free authentication and signature". p. 24 of Christoph G. Günther, editor. "Advances in Cryptology - EUROCRYPT '88". 1988.
  9. ^ Desmedt, Yvo (1996). "Simmons' Protocol is Not Free of Subliminal Channels". Proc. of 9th IEEE Computer Security Foundations Workshop. pp. 170–175. CiteSeerX
  10. ^ Choi, Jong Youl; Golle, Philippe; Jakobsson, Markus (2006). "Tamper Evident Digital Signatures: Protecting Certification Authorities Against Malware". Proceedings of the 2nd IEEE International Symposium on Dependable Autonomic and Secure Computing. CiteSeerX
  • Bruce Schneier. Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C, 2. Ed. Wiley Computer Publishing, John Wiley & Sons, Inc., 1995.