- Abstract
- Résumé
- Contents
- Acknowledgements
- Personal Bibliography
- Introduction
- The Need for Dedicated Cryptographic Primitives for RFID Tags
- Privacy Issues in RFID Systems
- Our Privacy Model
- Preliminaries
- Notations
- Probabilities and Negligible Functions
- Classical Cryptography
- Message Authentication Codes
- Cryptographic Hash Functions
- Universal Hash Functions
- Pseudo-Random Functions
- The Random Oracle Model
- Proof Techniques
- Hard Problems
- The LPN Problem and the HB Family
- The LPN Problem
- Extensions of the LPN Problem
- Security Models for the HB Family
- The HB Protocol
- The GRS Attack
- Attempts to Thwart the GRS Attack
- Description
- Proposed Parameter Sets
- Asymptotic Complexity Analysis
- Optimizing the Attack
- Thwarting the Attack: the Case of Vectors without False Rejections
- Perspectives
- SQUASH
- Description
- Handling Window Truncation
- Handling the Truncation of the Combination of Many Integers
- Generalization
- Conclusion
- Privacy Failures in RFID Protocols
- ProbIP and the SAT Problem
- Violation of Anonymous Privacy
- Future Development
- MARP
- Description
- Auth2
- Description
- YA-TRAP+
- O-TRAP
- A Backward and Forward Untraceable Protocol
- Tracing O-FRAP
- Violating the Forward Privacy of O-FRAP
- Conclusion
- Privacy Models for RFID
- The ADO Model
- Description
- RFID System
- Correctness
- Privacy
- From Narrow Privacy to Privacy
- Narrow-Strong and Forward Privacy Using Public-Key Encryption
- Achieving Strong Privacy
- Our Proposal: Incorporate the Blinder into the Adversary
- Sampling Algorithms and the ISH Hypothesis
- Plaintext-Awareness
- Instances of Plaintext-Aware Encryption Schemes
- From PA+ to PA++ Plaintext-Awareness
- Privacy
- Security Proof
- Correctness
- Security
- The Case of Mutual Authentication
- RFID System with Mutual Authentication
- Correctness
- Privacy
- Correctness and Security for the Reader
- Security for the Tags
- Strong Privacy with Mutual Authentication
- Strong Privacy
- Conclusion
- The Security of RFID Primitives
- Our Contributions
- Further Work
- Our Contributions
- Further Work
- Final Notes
- List of Figures
- List of Tables
- List of Definitions
- Bibliography
- Curriculum Vitæ
Goldreich, and Halevi demonstrated [CGH ]. Nevertheless, their construction is rather artificial and the impact of replacing the random oracle by a traditional hash function in a more conventional design is yet to be clearly outlined.
Definition (Random Oracle)
A random oracle over $\{0,1\}^n$ is an algorithm managing a table $T$, initially empty, which receives bit-strings $x$ of arbitrary length as queries and answers as follows:
If $T$ already contains an entry $(x, y)$, then it simply returns $y$.
Otherwise, it picks a random $y \in \{0,1\}^n$, inserts the pair $(x, y)$ in $T$ and finally returns $y$.
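The definition above describes a lazily sampled oracle; the following Python class is an added example (not code from the thesis) that implements exactly those two cases, with the table $T$ as a dictionary and `secrets.randbits` as the assumed source of uniform $n$-bit answers:

```python
import secrets


class RandomOracle:
    """Random oracle over {0,1}^n, sampled lazily as in the definition:
    a table T (initially empty); a repeated query x returns the stored y,
    a fresh query x receives a uniform y in {0,1}^n which is stored in T."""

    def __init__(self, n, randbits=secrets.randbits):
        self.n = n
        self.table = {}            # T: maps query bit-strings to their answers
        self._randbits = randbits  # assumed source of fresh uniform n-bit values

    def query(self, x: bytes) -> str:
        """Answer query x with an n-character '0'/'1' string."""
        if x in self.table:                    # (x, y) already in T: return y
            return self.table[x]
        y = format(self._randbits(self.n), f"0{self.n}b")  # uniform y in {0,1}^n
        self.table[x] = y                      # insert (x, y) into T
        return y

    def queries(self) -> int:
        """Number of distinct queries answered so far (the size of T)."""
        return len(self.table)
```

Because answers are only drawn when first needed, a security proof can keep the table and later reason about which entries the adversary has actually touched.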
2.7 Proof Techniques
2.7.1 Hard Problems
Proofs of security in cryptography are usually reductions. That is, they transform an algorithm performing an attack on a system in a certain model into an adversary against a believed-to-be-hard computational problem, in the sense that no probabilistic polynomial-time adversary can solve it. However, in some sense cryptographic hard problems are harder than NP-complete problems: they require that a randomly chosen instance of the problem is hard to solve, whereas NP-completeness concerns worst-case instances only. It then follows that $P \neq NP$ is not a sufficient condition for the existence of these problems. However, if $P = NP$ then no such problem would exist.
Typical conjectured hard problems include the following.
The Factorization Problem. For two prime numbers $p$ and $q$, define $n = pq$. The factoring problem is to recover $p$ and $q$ from $n$. Rabin's cryptosystem is based on this assumption [Rab ]. Recovering the secret key in RSA [RSA ] is also as hard as solving this problem.
The RSA Problem. This is also known as the $e$-th root problem. Given a hard to factor integer $n$, an integer $e < n$ such that $\gcd(e, \varphi(n)) = 1$, and $y \in_R \mathbb{Z}_n$, compute $x$ such that $x^e = y \pmod n$. The reason this problem is named this way is because it is the computational assumption on which the security of the RSA cryptosystem stands.
The Discrete Logarithm Problem. Given a generator $g$ of a cyclic group $G$ (typically the multiplicative group of a finite field or an elliptic curve group) and $y \in_R G$, find $x$ such that $g^x = y$. The security of the Elgamal cryptosystem against key recovery attacks rests on this problem.
The Diffie-Hellman Problem. This is the problem induced by the Diffie-Hellman key agreement protocol. In this problem $g$ is a generator of a cyclic group $G$ and $x$, $y$ are two integers. The problem is, given $g$, $g^x$, and $g^y$, to recover $g^{xy}$.
The Decisional Diffie-Hellman Problem. The DDH problem is to distinguish between a Diffie-Hellman triplet, i.e., $(g^x, g^y, g^{xy})$, where $g$ is a generator of a cyclic group $G$ and $x$, $y$ are randomly chosen integers, from a triplet $(g^x, g^y, R)$, where $R$ is uniformly distributed over $G$. The semantic security of the Elgamal cryptosystem relies on the hardness of this problem.
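The claim that recovering the RSA secret key is as hard as factoring is a reduction that can be carried out explicitly: from $(n, e, d)$, the multiple $ed - 1$ of $\varphi(n)$ yields a nontrivial square root of $1$ modulo $n$ with probability at least $1/2$ per trial, and its gcd with $n$ is a factor. The Python below is an added example (not from the thesis) on a constructed toy key; the primes, the function name and the fixed seed are all assumptions of the example.

```python
import math
import random

# Constructed toy RSA key with small primes (illustration only, not a secure key).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # secret exponent: e*d = 1 (mod phi(n))


def factor_from_private_exponent(n, e, d, seed=1):
    """Recover (p, q) from the public key (n, e) and the secret exponent d.

    e*d - 1 is a multiple of phi(n), so a^(e*d-1) = 1 (mod n) for every a coprime
    to n. Writing e*d - 1 = 2^s * t and squaring a^t repeatedly, we reach 1; if
    the value just before is neither 1 nor -1 it is a nontrivial square root x of 1,
    and gcd(x - 1, n) is then a proper factor of n. This works for at least half of
    the choices of a, so the expected number of trials is at most 2.
    """
    rng = random.Random(seed)      # seeded only so the example is reproducible
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    while True:
        a = rng.randrange(2, n - 1)
        g = math.gcd(a, n)
        if 1 < g < n:                       # a already shares a factor with n
            return min(g, n // g), max(g, n // g)
        x = pow(a, t, n)
        if x in (1, n - 1):                 # only trivial roots reachable from this a
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                      # x^2 = 1 but x != +-1: nontrivial root
                g = math.gcd(x - 1, n)
                return min(g, n // g), max(g, n // g)
            if y == n - 1:                  # reached -1: trivial root, try another a
                break
            x = y
```

For a defender the practical reading is that a leaked private exponent is equivalent to a leaked factorization: rotating $e$ or $d$ alone does not rescue a modulus whose $d$ was exposed.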
In the next two sections, we review classical techniques to reduce the security of a cryptosystem to a certain mathematical problem.
2.7.2 The Simulation Paradigm and Hybrid Arguments
Intuitively, a secure cryptographic functionality is required not to leak any information to an attacker interacting with it in a non-predictable way, and the question is how best to express this property. The classical way to approach the problem is due to Goldwasser and Micali [GM ], who formalized this requirement by saying that if the adversary does not learn any information from interacting with a system, then it should be possible to replace all the responses computed by the system by adequate “fake” messages without effectively disturbing the output of the adversary. Being independent from the cryptographic system, these fake messages can be generated by a third party that is called the simulator. For instance, we expect from a secure block cipher that ciphertexts are indistinguishable from random bit-strings, so that we can define a simulator that replaces those ciphertexts by random elements.
This simulation is sufficient when the adversary has only one access to the functionality, e.g., to an encryption oracle. However, the situation may be more complicated when the adversary produces adaptively chosen queries. The common technique to deal with these issues is to consider intermediate adversaries.
Now assume that the adversary is making a polynomially-bounded number $q$ of queries to that encryption oracle and the goal is to obtain an adversary who only gets access to random elements and produces an indistinguishable output. We define $q + 1$ intermediate adversaries, denoted $A_0, \ldots, A_i, \ldots, A_q$, called hybrids, such that the first $i$ queries of $A_i$ are handled by the encryption oracle and the rest of them are processed by the simulator. The idea is to show that if $A_i$ and $A_{i+1}$ produce indistinguishable distributions, in the sense that the distance between the two output distributions is negligible, then by the triangle inequality $A_0$ and $A_q$ produce indistinguishable distributions. To conclude, these two extreme hybrids are respectively the one that only accesses the simulator ($A_0$) and the one that only accesses the “real” oracle ($A_q$). The proof technique as a whole is called a hybrid argument.
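The triangle-inequality step of the hybrid argument, written out with the hybrids $A_0, \ldots, A_q$ above (an added worked derivation, not part of the original text; $\epsilon_i$ denotes the distance between the outputs of consecutive hybrids):

```latex
\left| \Pr[A_0 \to 1] - \Pr[A_q \to 1] \right|
  = \left| \sum_{i=0}^{q-1} \bigl( \Pr[A_i \to 1] - \Pr[A_{i+1} \to 1] \bigr) \right|
  \le \sum_{i=0}^{q-1} \left| \Pr[A_i \to 1] - \Pr[A_{i+1} \to 1] \right|
  = \sum_{i=0}^{q-1} \epsilon_i
  \le q \cdot \max_{0 \le i < q} \epsilon_i .
```

Since $q$ is polynomially bounded and each $\epsilon_i$ is negligible, the right-hand side is negligible, which is why the number of hybrids must itself be polynomial for the argument to go through.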
2.7.3 The Game Proof Methodology
It is often the case that a cryptosystem relies on more than one assumption to be proven secure. For these kinds of systems, the simulation paradigm shows its limitations as it results in proofs that are often complex to follow and verify.
Instead, the game proof methodology allows treating each case at once by considering a number of “intermediate games”. The proof starts by considering a game, denoted Game 0, played by an adversary $A$ against a challenger that simulates the environment for $A$ and ensures that she follows the game description. The adversary then wins at the end if an event $S_0$ occurs. The proof consists of iteratively tweaking the game until we obtain an adversary literally attacking a mathematical problem. $S_i$ denotes the event that the adversary wins in Game $i$. Three different types of transitions are usually considered [Sho ].
Transitions based on indistinguishability. In such a transition, a small change is made that, if detected by the adversary, would imply an efficient method of distinguishing between two distributions that are indistinguishable (either statistically or computationally).
Transitions based on failure events. In such a transition, we argue that Games $i$ and $i + 1$ proceed identically unless a certain “failure event” $E$ occurs. Using the Difference Lemma, it can be shown that the statistical distance between the two games, i.e., $\left| \Pr[S_i] - \Pr[S_{i+1}] \right|$, can be bounded by $\Pr[E]$. Therefore, as long as $E$ occurs with negligible probability, the transition goes unnoticed by the adversary.
Bridging Games. These transitions are generally used to make the proof simpler by reformulating how certain quantities or variables are computed.
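The Difference Lemma invoked for failure-event transitions follows in three lines from the hypothesis that Games $i$ and $i+1$ coincide whenever $E$ does not occur, i.e., $S_i \wedge \neg E$ and $S_{i+1} \wedge \neg E$ are the same event (an added worked derivation in the document's notation, not part of the original text):

```latex
\Pr[S_i] - \Pr[S_{i+1}]
  = \bigl( \Pr[S_i \wedge \neg E] + \Pr[S_i \wedge E] \bigr)
    - \bigl( \Pr[S_{i+1} \wedge \neg E] + \Pr[S_{i+1} \wedge E] \bigr)
  = \Pr[S_i \wedge E] - \Pr[S_{i+1} \wedge E],
\qquad
0 \le \Pr[S_i \wedge E],\ \Pr[S_{i+1} \wedge E] \le \Pr[E]
\;\Longrightarrow\;
\left| \Pr[S_i] - \Pr[S_{i+1}] \right| \le \Pr[E].
```

The bound is tight only in the sense that it uses nothing about $S_i$ beyond the coincidence outside $E$; any further information about how the adversary wins when $E$ occurs can only sharpen it.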
Part I
THE SECURITY OF RFID PRIMITIVES