- Abstract
- Résumé
- Contents
- Acknowledgements
- Personal Bibliography
- Introduction
- The Need for Dedicated Cryptographic Primitives for RFID Tags
- Privacy Issues in RFID Systems
- Our Privacy Model
- Preliminaries
- Notations
- Probabilities and Negligible Functions
- Classical Cryptography
- Message Authentication Codes
- Cryptographic Hash Functions
- Universal Hash Functions
- Pseudo-Random Functions
- The Random Oracle Model
- Proof Techniques
- Hard Problems
- The LPN Problem and the HB Family
- The LPN Problem
- Extensions of the LPN Problem
- Security Models for the HB Family
- The HB Protocol
- The GRS Attack
- Attempts to Thwart the GRS Attack
- Description
- Proposed Parameter Sets
- Asymptotic Complexity Analysis
- Optimizing the Attack
- Thwarting the Attack: the Case of Vectors without False Rejections
- Perspectives
- SQUASH
- Description
- Handling Window Truncation
- Handling the Truncation of the Combination of Many Integers
- Generalization
- Conclusion
- Privacy Failures in RFID Protocols
- ProbIP and the SAT Problem
- Violation of Anonymous Privacy
- Future Development
- MARP
- Description
- Auth2
- Description
- YA-TRAP+
- O-TRAP
- A Backward and Forward Untraceable Protocol
- Tracing O-FRAP
- Violating the Forward Privacy of O-FRAP
- Conclusion
- Privacy Models for RFID
- The ADO Model
- Description
- RFID System
- Correctness
- Privacy
- From Narrow Privacy to Privacy
- Narrow-Strong and Forward Privacy Using Public-Key Encryption
- Achieving Strong Privacy
- Our Proposal: Incorporate the Blinder into the Adversary
- Sampling Algorithms and the ISH Hypothesis
- Plaintext-Awareness
- Instances of Plaintext-Aware Encryption Schemes
- From PA+ to PA++ Plaintext-Awareness
- Privacy
- Security Proof
- Correctness
- Security
- The Case of Mutual Authentication
- RFID System with Mutual Authentication
- Correctness
- Privacy
- Correctness and Security for the Reader
- Security for the Tags
- Strong Privacy with Mutual Authentication
- Strong Privacy
- Conclusion
- The Security of RFID Primitives
- Our Contributions
- Further Work
- Our Contributions
- Further Work
- Final Notes
- List of Figures
- List of Tables
- List of Definitions
- Bibliography
- Curriculum Vitæ
Table 4.4: Summary of the complexity of our attacks.

| Parameter Set   | kX | kY | m |  | t | R-HB | HB   |
|-----------------|----|----|---|--|---|------|------|
| I               |    |    |   |  |   | 2^34 | 2^25 |
| II              |    |    |   |  |   | 2^28 | 2^20 |
| III (w bounded) |    |    |   |  |   | 2^26 | 2^19 |
Combining the last three equations yields a bound on the size of the parameters that induce a secure HB with practical false acceptance and rejection rates. Unfortunately, the parameters that satisfy it are too large: no m smaller than 15 000, for both values of , satisfies the equations.
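The bound discussed above ties the number of rounds m to the false acceptance and false rejection rates of an HB-type authentication run, but the equations it combines are not reproduced on this page. The Python below is an added example, not code from the thesis: it assumes the standard HB-family acceptance rule (each of the tag's m answers is flipped independently with probability eta, the LPN noise rate; the verifier accepts when at most floor(t*m) answers are wrong; an impersonator with no key information is right on each answer with probability 1/2), computes both rates exactly from the binomial distribution, and scans for the smallest m that meets constructed targets. The names `eta`, `t`, `far_max` and `frr_max` and all numeric values are constructed for illustration and are not the thesis's parameter sets.

```python
"""Error rates of an HB-family authentication run as a function of m, eta and t.

Assumed model (standard for the HB family; not taken from the thesis text):
  - the tag answers m challenges; each answer is flipped independently with
    probability eta (the LPN noise rate);
  - the verifier accepts when at most floor(t*m) answers are wrong;
  - an impersonator who knows nothing about the key guesses each answer, so
    each of its answers is wrong with probability 1/2.
"""
from math import exp, lgamma, log


def log_binom_pmf(m: int, p: float, i: int) -> float:
    """log P[Bin(m, p) = i], via lgamma so that large m does not overflow."""
    return (lgamma(m + 1) - lgamma(i + 1) - lgamma(m - i + 1)
            + i * log(p) + (m - i) * log(1.0 - p))


def binom_tail(m: int, p: float, k: int) -> float:
    """P[Bin(m, p) >= k]; sums the pmf over i = k..m."""
    if k <= 0:
        return 1.0
    if k > m:
        return 0.0
    return sum(exp(log_binom_pmf(m, p, i)) for i in range(k, m + 1))


def false_rejection_rate(m: int, eta: float, t: float) -> float:
    """Probability that an honest tag is rejected: more than floor(t*m) of
    its m noisy answers are wrong."""
    return binom_tail(m, eta, int(t * m) + 1)


def false_acceptance_rate(m: int, t: float) -> float:
    """Probability that a random-guessing impersonator is accepted: at most
    floor(t*m) of its m answers are wrong."""
    return 1.0 - binom_tail(m, 0.5, int(t * m) + 1)


def smallest_m(eta: float, t: float, far_max: float, frr_max: float,
               m_max: int = 20000):
    """First m in 1..m_max for which both error rates are within their
    targets, or None if no such m exists.  A linear scan is used because the
    floor in the threshold makes the rates only roughly monotone in m."""
    for m in range(1, m_max + 1):
        if (false_rejection_rate(m, eta, t) <= frr_max
                and false_acceptance_rate(m, t) <= far_max):
            return m
    return None


if __name__ == "__main__":
    # Constructed values for illustration only; not the thesis's parameter sets.
    eta, t = 0.125, 0.25
    for m in (64, 128, 256, 512):
        print(f"m={m:4d}  FRR={false_rejection_rate(m, eta, t):.3e}  "
              f"FAR={false_acceptance_rate(m, t):.3e}")
    print("smallest m for FAR <= 2^-40, FRR <= 2^-10:",
          smallest_m(eta, t, 2.0 ** -40, 2.0 ** -10))
```

These two rates only capture correctness and a random-guessing impersonator; the attack-complexity constraint that the text combines with them, and which pushes m beyond 15 000, is not modelled here.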
4.7 Perspectives

As depicted in Table 4.4, the attack we presented in this chapter is devastating for all the proposed parameter sets of HB. On the other hand, we could not propose an easy fix against it.

Recently, new proposals for protocols whose security reduces to the LPN problem have been published in a paper by Kiltz et al. [KPC+ ]. Their work essentially consists of two contributions. The first one is a two-round authentication protocol secure against active adversaries. Yet, the protocol can be shown to be insecure in the MIM model. While the proposed protocol has the advantage over HB+ of having fewer messages to exchange and a tighter reduction gap, it requires the prover, i.e., the RFID tag, to perform additional computations by checking the Hamming weight of the challenge. Still, the authors note that it is possible to eliminate this step at the cost of adding two n-bit vectors to the secret key.

The second contribution of the paper is to design a MAC whose existential unforgeability reduces to the LPN problem and to use that MAC in a secure challenge-response protocol.
5 Challenging SQUASH's Security Arguments

Contents
- SQUASH
  - Description
  - Implementation Trick and Shamir's Challenge
  - SQUASH and SQUASH-
- Known Message Attack on SQUASH without Window Truncation
- Chosen Message Attack on SQUASH without Window Truncation
  - The Non-Mersenne Case
  - The Mersenne Case
  - Numerical Application
- Handling Window Truncation
  - Handling the Truncation of the Combination of Many Integers
  - Adapting the Attack on SQUASH-
  - Generalization
- Extending to Non-linear Mappings
- Conclusion