CONTENTS

- Abstract
- Résumé
- Contents
- Remerciements
- Personal Bibliography

- Introduction
  - The Need for Dedicated Cryptographic Primitives for RFID Tags
    - The HB Family of Authentication Protocols
    - From Public-Key Cryptography to MACs: The SQUASH Proposal
  - Privacy Issues in RFID Systems
    - The Need for a Privacy Model
    - Our Privacy Model

- Preliminaries
  - Notations
  - Probabilities and Negligible Functions
  - Classical Cryptography
    - Symmetric Encryption
    - Message Authentication Codes
    - Cryptographic Hash Functions
    - Universal Hash Functions
    - Pseudo-Random Functions
  - Public-Key Encryption Schemes
  - Hybrid Encryption
  - The Random Oracle Model
  - Proof Techniques
    - Hard Problems
    - The Simulation Paradigm and Hybrid Arguments
    - The Game Proof Methodology

PART I: THE SECURITY OF RFID PRIMITIVES

- The LPN Problem and the HB Family
  - The LPN Problem
    - Definition of the Problem
    - The Average Hardness of the LPN Problem
    - Extensions of the LPN Problem
  - Security Models for the HB Family
  - The HB Protocol
  - HB+
  - The GRS Attack
  - Attempts to Thwart the GRS Attack
    - HB++
    - HB*
    - PUF-HB

- HB# and its (In)security against Man-in-the-Middle Attacks
  - Random-HB# and HB#
    - Description
    - Proposed Parameter Sets
  - The Security of Random-HB# and HB# in the GRS Model
    - The MHB Puzzle
    - The Security Reduction
  - The Insecurity of Random-HB# and HB# in the MIM Model
    - Step 1: Computing the Hamming Weight of the Error Vector
    - Step 2: Using the Weight Oracle to Obtain Linear Equations
    - Step 3: Solving the Linear System
    - Asymptotic Complexity Analysis
    - Optimizing the Attack
    - Final Algorithm
  - Thwarting the Attack: the Case of Small t
  - Thwarting the Attack: the Case of Vectors without False Rejections
  - Secure Parameters for Random-HB# and HB#
  - Perspectives

- Challenging SQUASH’s Security Arguments
  - SQUASH
    - Description
    - Implementation Trick and Shamir’s Challenge
  - SQUASH and SQUASH-
  - Known Message Attack on SQUASH without Window Truncation
  - Chosen Message Attack on SQUASH without Window Truncation
    - The Non-Mersenne Case
    - The Mersenne Case
    - Numerical Application
  - Handling Window Truncation
    - Handling the Truncation of the Combination of Many Integers
    - Adapting the Attack on SQUASH-
    - Generalization
  - Extending to Non-linear Mappings
  - Conclusion

PART II: PRIVACY IN RFID PROTOCOLS

- Privacy Failures in RFID Protocols
  - An ad-hoc Privacy Model
  - ProbIP
    - ProbIP and the SAT Problem
    - Violation of Anonymous Privacy
    - Future Development
  - MARP
    - Description
    - Cryptanalysis of MARP-
    - Tracing MARP-
  - Auth2
    - Description
    - Cryptanalysis of Auth2
  - YA-TRAP, YA-TRAP+ and O-TRAP
    - YA-TRAP
    - YA-TRAP+
    - O-TRAP
  - RIPP-FS
  - A Backward and Forward Untraceable Protocol
  - O-FRAP and O-FRAKE
    - Tracing O-FRAP
    - Violating the Forward Privacy of O-FRAP
    - Breaking the Forward Secrecy of O-FRAKE
  - Conclusion

- Privacy Models for RFID
  - The ADO Model
  - The Extended-Juels-Weis Model
  - Zero-Knowledge Privacy

- Vaudenay’s Privacy Model
  - Description
  - Definition of the Model
    - RFID System
    - Adversarial Capabilities
    - Matching Conversation
    - Correctness
    - Security
    - Privacy
  - Equivalences and Impossibilities of some Privacy Classes
    - From Narrow Privacy to Privacy
    - The Impossibility of Strong Privacy
  - Case Studies
    - A Weak-Private Protocol from a PRF
    - Narrow-Destructive Privacy from the OSK Protocol
    - Narrow-Strong and Forward Privacy Using Public-Key Encryption
  - Comparison with the Extended-Juels-Weis Model
  - ZK-Privacy does not Imply Narrow-Weak Privacy
  - Hermans et al.’s Variant

- Achieving Strong Privacy
  - Ng et al.’s Proposal: Wise Adversaries
  - Our Proposal: Incorporate the Blinder into the Adversary
  - Sampling Algorithms and the ISH Hypothesis
  - Knowledge Extractors and Non-Falsifiable Assumptions
  - Plaintext-Awareness
    - Definitions
    - Instances of Plaintext-Aware Encryption Schemes
    - From PA+ to PA++ Plaintext-Awareness
  - Adapting Vaudenay’s Definitions
    - Limiting the Adversary’s Sampling Queries
    - Privacy
  - IND-CCA is not Sufficient for Strong Privacy
  - Strong Privacy Using Plaintext-Awareness
  - Security Proof
    - Correctness
    - Security
    - Privacy
  - Perspective and Future Development

- The Case of Mutual Authentication
  - Enriching the Definitions
    - RFID System with Mutual Authentication
    - Correctness
    - Privacy
  - Defining Security for the Tags
  - Limitations of Mutual Authentication
  - Public-Key Based Mutual Authentication RFID Scheme
  - IND-CCA Security is Insufficient for Narrow-Destructive Privacy
  - Narrow-Forward Privacy from IND-CCA Security
    - Correctness and Security for the Reader
    - Security for the Tags
    - Privacy
  - Strong Privacy with Mutual Authentication
    - Correctness and Security
    - Strong Privacy

- Conclusion
  - The Security of RFID Primitives
    - Our Contributions
    - Further Work
  - Privacy in RFID Protocols
    - Our Contributions
    - Further Work
  - Final Notes

- List of Figures
- List of Tables
- List of Definitions
- Bibliography
- Curriculum Vitæ