Revisited—The Subliminal Channel in Blockchain and Its Application to IoT Security

: Although digital signature has been a fundamental technology for cryptosystems, it still draws considerable attention from both academia and industry due to the recent raising interest in blockchains. This article revisits the subliminal channel existing digital signature and reviews its abuse risk of the constructor’s private key. From a different perspective on the subliminal channel, we ﬁnd the new concept named the chamber of secrets in blockchains . The found concept, whereby the secret is hidden and later recovered by the constructor from the common transactions in a blockchain, highlights a new way to encourage implementing various applications to beneﬁt efﬁciency and security. Thus, the proposed scheme beneﬁts from the following advantages: (1) avoiding the high maintenance cost of certiﬁcate chain of certiﬁcate authority, or public key infrastructure, and (2) seamlessly integrating with blockchains using the property of chamber of secrets. In order to easily understand the superiority of this new concept, a remote authentication scenario is taken as a paradigm of IoT to demonstrate that the further advantages are achieved: (1) avoiding high demand for storage space in IoT devices, and (2) avoiding maintaining a sensitive table in IoT server.


Introduction
Generally, the digital signature technique is used to demonstrate that a signed message is indeed from the legal signer and unaltered by a villain. Due to the capabilities of authentication, integrity, and nonrepudiation, the related digital signature standards are developed and extensively employed in various applications. Furthermore, the Digital Signature Standard, which specifies a Digital Signature Algorithm (DSA), has been put into the United States government standard for authentication of electronic documents [1]. In addition, the encryption technique is an individual process to agree on confidentiality. In order to guarantee the authentication, integrity, nonrepudiation, and confidentiality, two processes-signature and encryption-are involved in common designs.
For more efficiency, the ordinary digital signature process did not possess confidentiality until Simmons introduced the so-called "subliminal channel" to hide a message within an authentication code [2]. Sequentially, Simmons demonstrated the existence of a subliminal channel in the DSA and the ElGamal signature schemes, which allows a message, named subliminal information, to be secretly hidden into a digital signature.
The elliptic curve digital signature algorithm (ECDSA) [3], accepted as ANSI, IEEE, NIST, ISO standards, is the elliptic curve analogue of DSA. It is intuitive that ECDSA also exists in its subliminal channel [4].
In such a way, only the intended receiver will be able to notice its presence and then recover it. If the signer and the receiver are not the same, there is the risk that the receiver can forge a signature sealed with the signer's private key. Thus, the potentially catastrophic impact on treaty verification on the national security of the USA has been disclosed by Simmons many years later [5]. In response to this threat, more complete discussions were garnered in [6], to name a few, which indicates that mutual trust between the signer and the receiver in all subliminal channels is absolutely necessary. This security risk restricts wide uses of subliminal channel in commercial applications.
With the bloom of cryptocurrency, such as Bitcoin [7] since 2009, and Ethereum [8] since 2013, the blockchain technologies, providing a trusted mechanism without centralized and trusty parties, have captured more and more attention in either academia or the IT industry. A blockchain is a growing list of blocks that are continuously linked by a one-way hash technology and secured using a digital signature technology. Each block contains a couple of transactions Tx which consist of a group of data including the messages of account addresses from and to, etc., and the signatures r and s. Table 1 illustrates an instance of a transaction Tx in the block number 10941440 in the Ethereum blockchain. Some fields of an Ethereum transaction are described as follows.
• from: the sending account address which, also, implies the signer of this transaction. • v: to make up the ECDSA signature along with r and s. Table 1. The structure of one transaction in the Ethereum blockchain. blockHash  0x9d505654f898ac399265ab19263a005c8cde246e7cbbc7131367d1ab59522600  blockNumber  10941440  transactionIndex  0  from  0xF21B66afa206a3Dd5FD263B30708851d0B8BC418  to  0x8D4192005ed871056F53df7840c3B6D5866e3339  value  0  gas  100000  gasPrice  171600000000  input  0xfa09e630000000000000000000000000f21b66afa206a3dd5fd263b30708851d0b8bc418  nonce  53  hash  0x752c353be538865b4708e39f63c6c85a60f81025a38d08ccd432855dc7cfa492  r  0x807afb686424b39e546847e9fc42449fe8bc2f01a54f2379f1e9250a5ae60bee  s  0x624df310a0972d275d531db2ab9323997ad8056fd679ea334ea268b24a95af57  v  38 It is worth noting that ECDSA is adopted to sign a transaction in both Bitcoin and Ethereum. The signature fields r and s in each transaction, as shown in Table 1, are proven. Without loss of generality, a transaction is denoted Tx = <from, ..., r, s>.

Fields Value
For a user in a blockchain, his private key is regarded as his identity and security credential. Notably, the private key is generated and maintained by the user himself, not a trusted third party, and it is used to sign outgoing transactions.

Motivation
In traditional asymmetric cryptography, if Alice intends to verify Bob's signature, she must confirm the validation of Bob's public key first by verifying Bob's certificate. That is, Alice needs to verify the corresponding certificate that is issued by another upper issuer called the intermediate certificate authority (CA). This implies that the signatures of the certificates in the certificate chain should be verified up continuously to the root CA certificate. This is the so-called overhead of public key infrastructure (PKI).

Contribution
Based on these observations, we revisit the subliminal channel from a different perspective that the message sealed in the subliminal channel is later recovered by the signer. This different perspective helps us to discover a new concept, named the chamber of secrets in blockchains. Differing from the application which adopts the Simmons's subliminal channel, the signer has no need to leak his/her own private key to anyone, and thus the abuse risk of private keys disappears. Additionally, four charming characteristics are found in this new concept: natural camouflage, confidentiality, integrity, and efficiency. Furthermore, the following advantages are achieved.
(1) Avoiding the high maintenance cost of CA or PKI. Generally speaking, a blockchain technology has no mechanism to publish users' public keys, which can be extracted from their related transactions instead. In such a way, the public key extraction operation can reach the goal of the authentication of public keys from transactions directly. (2) Seamlessly integrating with blockchains. The proposed scheme utilizes the ECDSA private/public keys without any modification of blockchains. The chamber appears as a common transaction of blockchains. In this way, the proposed scheme does seamlessly comply with a state-of-the-art blockchain.
This new concept is adopted in the applications in which the secrets must be kept safe and retrieved accurately on demand. Taking the remote authentication as a paradigm of Internet of Things (IoT), this article shows that the paradigm alters the benefits to include both efficiency and security, including (1) avoiding high demand for storage space in IoT devices, and (2) avoiding maintaining a sensitive table in IoT server.

A New Concept: The Chamber of Secrets
Herein, a new observation for the subliminal channel is presented. Let us first consider the following scenario borrowed from Harry Potter [9]: In this popular novel, the characters believe the chamber of secrets to be fictive. However, the chamber is opened when the person who has the power to do so appears, thus proving its existence. The chamber was constructed because a person made preparations concealed from others for finishing his expected work at some other time. The person, called the constructor, built the castle, which contains the chamber of secrets, a covert room within the castle to house a scheme executor which would finish the constructor's expected work. The chamber of secrets is well-hidden and looked upon by others as a fictive part of the castle. It requires someone to have the clue to open its entrance, and this is a power which only very few have. Furthermore, in the story, the expected work would be accomplished when the constructor opens the chamber and releases the executor.

Property of the Chamber of Secrets
From this scenario, there are many superior characteristics, described as follows, that fascinate us. First, for hiding a secret well, it must be a good idea that the secret is covered within a common object to attract less attention. As the chamber of secrets is wrapped as a common object, the castle is a camouflage to confuse the public. Second, nobody can find the chamber because only the constructor has the clue that can open its entrance. Under this scenario, the abuses and the debates on trust indeed disappear in the chamber of secrets. Third, according to this scenario, everyone should possess the ability to detect a falsified legend because the legend is circulated throughout the people. However, there is no way for anyone to assure whether the legend is true to determine the existence of the chamber of secrets except the constructor. No doubt the reality of the legend is the key to successfully deal with the chamber. Finally, because the chamber is constructed together with the castle, there is no extra cost for building.
Thus, the expected properties of the chamber can be summarized as follows.
• The chamber appears as a common object to lower the attention of potential attackers.

•
The chamber cannot be opened by anyone but the constructor.

•
The reality of the legend is the key to successfully discover the chamber of secrets.

•
The chamber is constructed together with the common object and therefore no extra cost for the construction of the chamber is required.

How to Construct the Chamber of Secrets in Blockchain
To demonstrate the concept of the chamber of secrets in blockchains, the ECDSA scheme, adopted in the blockchains of Bitcoin and Ethereum, is exploited as an example.
Assume that the elliptic curves E over prime finite field F p , where p be a prime. An elliptic curve equation The points on E F p including a special point O called the point at infinity form a group G = (x, y) : x, y ∈ F p and (x, y) ∈ E F p ∪ {O}. The particular elliptic curve specified in Bitcoin and Ethereum is secp256k1 [10]. The secp256k1 refers to the parameters of the elliptic curve used in Bitcoin's and Ethereum's asymmetric cryptography. The elliptic curve domain parameters over F p are specified by: where finite field modulus (p ) was close to 2 256 and there are still a lot of primes between p and 2 256 .
The chamber constructor selects a private key d ∈ [1, n − 1], and computes a public key Q = d * P. The chamber of secrets scheme consists of three phases: the cryptographic key generation phase, the construction phase, and the unsealing phase.
Phase 1: The cryptographic key generation A chamber constructor creates a cryptographic key CK as a secret and houses it in the chamber. The cryptographic key is generated as follows.
Here, L is treated as the legendary fable possibly known by everybody where L denotes all the transaction fields given in Table 1 except for the fields about digital signature. The cryptographic key CK is the secret housed in the chamber, and only the constructor can release the secret by following the clue dropped by the legend L.
Phase 2: The construction To attract less attention, it must be a good idea that the chamber of secrets is wrapped as a common transaction in blockchains. This phase is used to seal the chamber in an ordinary digital signature on the legend L. The chamber of secrets is constructed as follows.

•
Compute r by using the chamber k as • Solve s from the equation In this phase, the appearance of the signature (r, s) provides a well-camouflaged service for k and the integrity of the legend L can be verified through the constructor's public key as follows.
holds, the signature is valid.
Phase 3: The unsealing Whenever the secret housed in the chamber is demanded, the common signature (r, s) for a transaction and the legend L are required by the chamber constructor. Only the constructor with the knowledge of the private key d can uncover the chamber as follows.

•
Open the chamber with the knowledge of d as • Discover the secret cryptographic key Since the integrity of the legend L is confirmed in Equation (4), this implies that the reconstructed cryptographic key CK is genuine. The cryptographic key housed into the chamber is further used to accomplish the expected work of the constructor.

Discussion
In this section, the characteristics of the chamber of secrets in blockchains are examined. The characteristics of the chamber of secrets can be examined to derive the corresponding security as follows. Prior to demonstrating the security of the proposed scheme, some definitions are given below.

Definition 1. (one-way hash function).
A one-way hash function is defined as the hash function, the output value is defined as h(x), where x is a variable-length value, and the output h(x) is the fixed-length value. A secure one-way hash function y = h(x), where given x to compute y, is easy, but given y to deduce x is hard.

Definition 2. (ECDLP).
Elliptic curve discrete logarithm problem (ECDLP): If a ∈ F * p is unknown, compute a by giving P, and a * P. Theorem 1. Confidentiality: The chamber cannot be opened by anyone but the constructor.
Proof. The chamber k s protected within the digital signature constructed in Equations (2)-(4). If someone intends to retrieve k from Equations (2) and (3), a well-known elliptic curve discrete logarithm problem computationally infeasible to be solved [3] will occur by Definition 2. When someone attempts to recover k from Equation (4), there is no feasible way because of two unknown secrets, k and d, by Definition 2, which are involved in one equation. Only the signer who possesses the knowledge of d has the power to discover k and further retrieves the secret cryptographic key CK = h(L|| k) . Hence, the confidentiality of the chamber is assured. It also implies that the confidentiality of the content encrypted with the cryptographic key is guaranteed when the underlying cryptosystem is proved to be secure enough.

Theorem 2.
Integrity: The reality of the legend is the key to successfully discover the chamber of secrets.
Proof. For the signature, it is impossible to forge a legend fable L to pass the signature verification. That is, once the integrity of L is guaranteed by verifying its digital signature, it also implies that the chamber k embedded in the signature is genuine. The correctness of L and k implies that the fidelity of the cryptographic key CK = h(L|| k) is also assured.

Theorem 3.
Known-key security: The proposed scheme does provide the service of known-key security.
Proof. The cryptographic key generated in the proposed scheme is independent and should not be exposed if other cryptographic keys are compromised. Notedly, if a chamber sealed in an ordinary digital signature on the legend L is not only used one time, the cryptographic key may be further defined as CK = h(L|| k||id) instead, where the parameter id indicates some session. Assume the cryptographic key CK is compromised for some reason. To deduce k from CK is infeasible by Definition 1. Hence, if one cryptographic key is disclosed, it is still hard to know the cryptographic key with different id in another session.
Next, the two characteristics are highlighted as follows. Proposition 1. Natural camouflage: The chamber appears as a common transaction to lower the attention of potential attackers.
Proof. The chamber appears as an ordinarily digital signature (r, s) for the legendary fable L. The chamber is indeed constructed during the generation of a digital signature so that others have no idea where/whether it exists. In other words, the digital signature in a blockchain plays the role of logical camouflage to confuse the public. It also reduces the attention of the malicious attackers. This implies that the chamber may store without using any particular protection mechanisms but blockchains.

Proposition 2.
Efficiency: The chamber is constructed together with the common transaction and therefore no extra cost is required.
Proof. It is obvious that k is an already-existing step within the construction process of an ordinary signature (r, s) for a transaction in blockchains such as Equations (2), (3), and (4). Hence, no extra cost is necessary for the constructor to construct and maintain the chamber.
According to these analyses, the chamber of secrets indeed exists in current blockchain mechanisms such as well-known Bitcoin and Ethereum and, therefore, has no cost at all. Additionally, as the characteristics of the chamber of secrets in blockchains satisfies the expectation investigated above, they will definitely benefit the applications adopted this new concept.

Performance of Implementing an Ordinary Signature
Next, the implementation cost for the signature generation is also discussed. According to Proposition 2, discussing the cost of constructing the chamber is necessary because the construction is indeed a necessary step while generating the signature. Therefore, the focus is shifting to the cost of the signature generation.
Accordingly, Equations (3) and (4) used for the signature construction, and Equation (6) used to unseal the chamber, are all ECDSA-based operations. Among three state-of-the-art algorithms including RSA, DSA, and ECDSA, it is well-known that the ECDSA achieves not only the same level of security with a smaller key size, but it also achieves higher computational efficiency than those of the RSA and DSA. For example, 256-bit ECDSA with the standard elliptic curve defined in secp256k1 provides comparable security to 3072-bit RSA [13]. Thus, the proposed scheme also provides the same level of security as that in either Bitcoin or Ethereum.

The Application of the Chamber of Secrets to IoT
IoT has been a topic of much interest in academia and industry and, in the last decade, security of the IoT systems has become a field of immense research activities. There are a couple of published surveys on IoT security issues focusing on authentication, confidentiality, and so on [14,15]. Mutual identity authentication between IoT servers and IoT devices plays an important role in secure IoT systems.
In this section, a remote authentication scenario between IoT server and IoT devices is illustrated to show the superiority of the new discovery. To remotely authenticate a client, i.e., IoT device, is a very important issue in such an information-networked world. Accordingly, there are many research results that can be found [16,17]. No matter what method is concerned, the underlying idea is very similar, where a client IoT device must register at the IoT server to have a secret-shared token and the token can later be used to generate the challenge-response to verify whether or not the communication partners are genuine.
In such a scenario, the secret token no doubt is very critical. How to protect the token is the major issue in the remote authentication scenario. From the lifetime of the token, these issues can be categorized as follows.

•
The token generation: A secure token should be generated to perform a challengeresponse mechanism.

•
The token prevention: The generated token must be protected to assure the confidentiality and the integrity.

•
The token recovery: The token must be retrieved to perform a challenge-response mechanism.

•
The token renewing: The token should be updated periodically to assure the higher security.
In the following, the scheme based on the chamber of the secrets is illustrated.

Registration Phase
The phases 1 (cryptographic key generation) and 2 (construction) demonstrated in the abovementioned section can be used for the registration because the IoT device will have a secret token CK and the corresponding signature (r, s) for L from the IoT server, where L denotes a public statement about what access rights the remote IoT device is authorized by the IoT server. Precisely, the IoT sever generates and broadcasts the transaction where the " f rom" field is the IoT server's identity, and the "to" field is the registered IoT device's identity. Thus, the secret token CK can be deduced by the IoT server later.

Authentication Phase
Whenever login to the IoT server occurs, the IoT device sends the authorization {L, (r, s)}, i.e., the transaction issued by the IoT server in the registration phase, back to the IoT server or indicates where the transaction is on the blockchain. The IoT server can recover the token CK by processing the abovementioned Phase 3 (unsealing). Once the secure token is obtained, a challenge-response mechanism is able to be used to authenticate each other. Notedly, since the transaction {L, (r, s)} is well-protected by blockchain techniques, the IoT sever needs not verify the validation of the transaction.
This scheme demonstrates a scenario based on the concept of the chamber of secrets, and the issues of this scenario are answered by the characteristics of the concept as follows.

•
The token generation: A secure token is generated with very light overhead, a hash function computation, for the underlying signature scheme, according to Proposition 2.

•
The token prevention: According to Theorem 1 and 2, the token CK is secure against any disclosure and any malicious modification. Therefore, the generated token is protected under the guarantee of the confidentiality and the integrity.

•
The token recovery: According to Theorem 1, only the server has the ability to retrieve the token to verify whether the client is genuine.

•
The token renewing: According to Proposition 1, the token is sealed in the signature to be a camouflage object. To update the token, re-signing the authorized agreement L by the server is performed, and the corresponding secure token will be updated easily.
During the lifetime of the secure token, it is confirmed that the concept of the chamber of secrets provides a very efficient way to implement the challenge-response mechanism in the IoT remote authentication scenario. Additionally, it is worth mentioning that all merits are gained in only one single equation of the ordinary signature equation, rather than a complex combination of the cryptographic primitives.
Upon introducing the chamber of secrets in blockchains into IoT remote authentication systems, the following benefits are further highlighted.
(1) Avoiding high demand for storage space in IoT devices. Whenever logging in the IoT server, the IoT device sends the authorization {L, (r, s)} back to the IoT server by indicating the transaction on the blockchain instead of storing {L, (r, s)} locally. (2) Avoiding maintaining a sensitive table in IoT server. Generally speaking, if the IoT server privately maintains the sensitive table that stores the shared secret between the IoT server and the specific IoT device, it will be an attractive target resulting in potential server compromise. By the design of chamber of secrets, the proposed scheme needs no sensitive table stored in the IoT server. (3) Benefiting integrity of secure token from seamlessly integrating blockchains. The presented model not only satisfies the common criteria analysis but also highlights some seldommentioned merits, including the integrity of the secure token.

Conclusions
This article has revisited the subliminal channel in a digital signature and has discovered and presented the new concept the chamber of secrets in blockchains from a different perspective. Under this concept, four charming characteristics are found: natural camouflage, confidentiality, integrity, and efficiency. We have shown a remote authentication scenario in IoT systems with a challenge-response mechanism to understand and believe the superiority of the proposed concept, as well as a new way of encouraging implementing various applications to benefit efficiency and security.