- •Abstract
- •Resumé
- •Contents
- •Remerciements
- •Personal Bibliography
- •Introduction
- •The Need for Dedicated Cryptographic Primitives for RFID Tags
- •Privacy Issues in RFID Systems
- •Our Privacy Model
- •Preliminaries
- •Notations
- •Probabilities and Negligible Functions
- •Classical Cryptography
- •Message Authentication Codes
- •Cryptographic Hash Functions
- •Universal Hash Functions
- •Pseudo-Random Functions
- •The Random Oracle Model
- •Proof Techniques
- •Hard Problems
- •The LPN Problem and the HB Family
- •The LPN Problem
- •Extensions of the LPN Problem
- •Security Models for the HB Family
- •The HB Protocol
- •The GRS Attack
- •Attempts to Thwart the GRS Attack
- •Description
- •Proposed Parameter Sets
- •Asymptotic Complexity Analysis
- •Optimizing the Attack
- •Thwarting the Attack: the Case of Vectors without False Rejections
- •Perspectives
- •SQUASH
- •Description
- •Handling Window Truncation
- •Handling the Truncation of the Combinaison of Many Integers
- •Generalization
- •Conclusion
- •Privacy Failures in RFID Protocols
- •ProbIP and the SAT Problem
- •Violation of Anonymous Privacy
- •Future Development
- •MARP
- •Description
- •Auth2
- •Description
- •YA-TRAP+
- •O-TRAP
- •A Backward and Forward Untraceable Protocol
- •Tracing O-FRAP
- •Violating the Forward Privacy of O-FRAP
- •Conclusion
- •Privacy Models for RFID
- •The ADO Model
- •Description
- •RFID System
- •Correctness
- •Privacy
- •From Narrow Privacy to Privacy
- •Narrow-Strong and Forward Privacy Using Public-Key Encryption
- •Achieving Strong Privacy
- •Our Proposal: Incorporate the Blinder into the Adversary
- •Sampling Algorithms and the ISH Hypothesis
- •Plaintext-Awareness
- •Instances of Plaintext-Aware Encryption Schemes
- •From PA+ to PA++ Plaintext-Awareness
- •Privacy
- •Security Proof
- •Correctness
- •Security
- •The Case of Mutual Authentication
- •RFID System with Mutual Authentication
- •Correctness
- •Privacy
- •Correctness and Security for the Reader
- •Security for the Tags
- •Strong Privacy with Mutual Authentication
- •Strong Privacy
- •Conclusion
- •The Security of RFID Primitives
- •Our Contributions
- •Further Work
- •Our Contributions
- •Further Work
- •Final Notes
- •List of Figures
- •List of Tables
- •List of Definitions
- •Bibliography
- •Curriculum Vitæ
|
|
tances in addition to the right one. Simple consistency checks can discard wrong assignments, if any, and recover all ki’s. Clearly, all computations are pretty simple and we only used 210 chosen challenges.
Using the nal trick in the Mersenne case we use d = 6 and thus 64 chosen challenges to get 64 equations which yield 26 bits each.
With N = 21 277 1 and the worst case ℓ = r, i.e., the mixing function is not expanding the key, the attack works for b a 21 and we can take d = 19. We request for 219 chosen challenges. We obtain 219 equations with roughly 1:6 unknowns per equation.
By using the nal trick we take d = 10. e T ( N) + part wastes 10 bits from the window and we can expect to have a single unknown per remaining bit so that we can simply read it through the window. Provided that the window has at least 32 bits we expect to read 22 bits in each of the 1 024 equations so we can recover all bits.
5.6Extending to Non-linear Mappings
Incasethemapping L isa(non-linear) permutation, wecanadaptourattackstrategybychoosing the challenges as follow
pick d challenges C1; : : : ; Cd.
compute the chosen challenges by C (x) = L 1 ( j xjL(Cj)).
By using,
ci (x) = ( 1)Li(C (x)) = ( 1) j xjLi(Cj) = ( 1)x Ui
Equation ( . ) remains unchanged so that we can still apply all the attacks described through Sections . and . . More generally, we can extend these attacks to any mixing function of form f(K; C) = g(K) L(C) as long as we can nd vector spaces of dimension d in the range of L.
5.7Conclusion
OneargumentformotivatingtheS UASHalgorithmconsistedofplayingthe“blamegame”: if anyone could break S UASH, then the Rabin cryptosystem is the one which should be blamed instead of the S UASH design. Clearly, our attack demonstrates that this argument is not correct. ere are instances of the S UASH algorithm which can be broken although we still have no clue how to factor integers. Indeed, our method translates into a “known random coins attack” against Rabin-SAEP which leads to a plaintext recovery. Known random coins attacks are not relevant for public-key cryptosystems although they are in the way S UASH is using it.
. -
|
|
So, although the “blame game” argument is not valid, the security of S UASH is still an open problem.
. ’
Part II
PRIVACY IN RFID PROTOCOLS