I thought that the ability to create subliminal messages in a security protocol was generally considered a flaw of that protocol.
For example, an evil ECDSA implementation could leak a user's private key to the implementation's authors. Isn't that (one) reason that newer ECDSA implementations deterministically generate k?
(I'm just repeating what I've read elsewhere on the forums and on the web, e.g. DJB's blog.)
For a start, you'd need to *be aware* that the subliminal message exists (there is no way to tell by just looking at the sigs, especially if you don't know how the code that encoded them is working, as the placement of the message bytes can be made arbitrary).
Also, this is only removing 1 or 2 bytes of security (assuming you could work out what had been purposely injected), which is not going to let you crack a private key.
If you consider a "vanity address", it is the same thing. Just because you know that I have an address that is prefixed with 1ciyam does not mean you are going to be able to *crack its private key* (if it were that easy then there should be zero BTC at my sig address - but there isn't).
Sorry, I wasn't very clear.
The "attack" I was trying to refer to involves an evil (and closed source) ECDSA implementation that intentionally leaks X successive bytes of a privkey in each signature it creates. Only someone aware of the leak, e.g. the authors of the implementation, would be able to take advantage of it. Given multiple signatures, the evil authors could reconstruct privkeys of those using their implementation.
An advantage (perhaps not the main advantage though) of a deterministically generated k is that one can validate the output of a closed-source implementation without needing the source code (assuming the method of generating k is published). If, for example, ProprietarySoft Corp. published an ECDSA library, researchers could verify that it wasn't using this channel to leak privkeys.
I was just bringing up that point -- none of this really applies to open source implementations.