- Abstract
- Résumé
- Contents
- Remerciements
- Personal Bibliography
- Introduction
- The Need for Dedicated Cryptographic Primitives for RFID Tags
- Privacy Issues in RFID Systems
- Our Privacy Model
- Preliminaries
- Notations
- Probabilities and Negligible Functions
- Classical Cryptography
- Message Authentication Codes
- Cryptographic Hash Functions
- Universal Hash Functions
- Pseudo-Random Functions
- The Random Oracle Model
- Proof Techniques
- Hard Problems
- The LPN Problem and the HB Family
- The LPN Problem
- Extensions of the LPN Problem
- Security Models for the HB Family
- The HB Protocol
- The GRS Attack
- Attempts to Thwart the GRS Attack
- Description
- Proposed Parameter Sets
- Asymptotic Complexity Analysis
- Optimizing the Attack
- Thwarting the Attack: the Case of Vectors without False Rejections
- Perspectives
- SQUASH
- Description
- Handling Window Truncation
- Handling the Truncation of the Combination of Many Integers
- Generalization
- Conclusion
- Privacy Failures in RFID Protocols
- ProbIP and the SAT Problem
- Violation of Anonymous Privacy
- Future Development
- MARP
- Description
- Auth2
- Description
- YA-TRAP+
- O-TRAP
- A Backward and Forward Untraceable Protocol
- Tracing O-FRAP
- Violating the Forward Privacy of O-FRAP
- Conclusion
- Privacy Models for RFID
- The ADO Model
- Description
- RFID System
- Correctness
- Privacy
- From Narrow Privacy to Privacy
- Narrow-Strong and Forward Privacy Using Public-Key Encryption
- Achieving Strong Privacy
- Our Proposal: Incorporate the Blinder into the Adversary
- Sampling Algorithms and the ISH Hypothesis
- Plaintext-Awareness
- Instances of Plaintext-Aware Encryption Schemes
- From PA+ to PA++ Plaintext-Awareness
- Privacy
- Security Proof
- Correctness
- Security
- The Case of Mutual Authentication
- RFID System with Mutual Authentication
- Correctness
- Privacy
- Correctness and Security for the Reader
- Security for the Tags
- Strong Privacy with Mutual Authentication
- Strong Privacy
- Conclusion
- The Security of RFID Primitives
- Our Contributions
- Further Work
- Our Contributions
- Further Work
- Final Notes
- List of Figures
- List of Tables
- List of Definitions
- Bibliography
- Curriculum Vitæ
[Figure 6.1: The ProbIP protocol. Tag (state: $K_{ID}$) and System (database: $\{\ldots, (ID, K_{ID}), \ldots\}$). The tag picks $(a_1, b_1), \ldots, (a_P, b_P) \in_R \{0,1\}^{k+\ell}$ such that $\forall i \in [1, P]$: $\mathrm{Hwt}(K_{ID}\#a_i \oplus b_i) = \ell/2$, and sends $a_1, b_1, \ldots, a_P, b_P$ to the system; the system finds $(ID, K_{ID})$ such that $K_{ID}$ satisfies all the equations.]
6.2 ProbIP
6.2.1 ProbIP and the SAT Problem
At RFIDSec, Castelluccia and Soos [CS] proposed an RFID protocol, ProbIP, that allows tag identification by legitimate readers. Its security is based on the SAT problem. A SAT instance is defined by a propositional formula written in conjunctive normal form (CNF), i.e., the AND of several clauses, each clause being the OR of literals, where a literal is a boolean variable or its negation. An example of a SAT instance is given below:

$$(x_1 \lor x_2 \lor \neg x_5) \land (\neg x_2 \lor x_3 \lor x_4) \land (\neg x_1 \lor \neg x_3 \lor x_4).$$

Given a SAT instance, the associated decision problem is to determine whether there exists an assignment of the boolean variables such that the formula evaluates to True; the corresponding search problem is to find such an assignment if it exists. A related problem, the $\ell/2$-in-$\ell$ SAT problem, asks, for a formula over $L$ variables whose clauses each contain $\ell$ literals, whether there exists a truth assignment to those variables such that every clause has exactly $\ell/2$ true literals.

SAT is famous for being the first problem proven to be NP-complete, in the seminal paper of Cook [Coo]. However, NP-hardness concerns the worst-case complexity of a decision problem: it only says that some instances are hard to solve. Thus, when constructing a cryptographic primitive, it is crucial to ensure that the instances of the NP-complete problem that are generated are indeed hard. Several cryptosystems based on NP-complete problems were broken just because the generated instances were in fact easy to solve; for concrete examples, we refer the interested reader to [Sha] and [Vau].
As depicted in Figure 6.1, the core idea of ProbIP is to make the tag generate instances of the $\ell/2$-in-$\ell$ SAT problem. For that, each tag is given a $k$-bit secret key $K$ and the reader is given access to the list of all secrets. The protocol starts with a Hello message from the reader that initiates a protocol instance. To compute its answer, the tag generates a pair of vectors $(a, b)$ such that $a$ is a $k$-bit vector whose Hamming weight is equal to $\ell$ and $b$ is an $\ell$-bit vector. We let $K\#a$ denote the $\ell$-bit vector that contains the bits of $K$ in the positions where $a$ is equal to 1. We further restrict the Hamming weight of the $\ell$-bit vector $K\#a \oplus b$ to be equal to $\ell/2$, i.e., it has exactly $\ell/2$ bits equal to 1. For a complete authentication round, the tag repeats this operation $P$ times; in other words, it generates $P$ pairs $(a_1, b_1), \ldots, (a_P, b_P)$ that satisfy the above conditions. Hence, the output of one authentication session of the tag is an (under-determined) linear system of equations of the form:
$$
\left\{
\begin{array}{l}
\sum_{i=1}^{\ell} \left(K_{a_{i1}} \oplus b_{i1}\right) = \ell/2 \\[2pt]
\sum_{i=1}^{\ell} \left(K_{a_{i2}} \oplus b_{i2}\right) = \ell/2 \\[2pt]
\qquad\vdots \\[2pt]
\sum_{i=1}^{\ell} \left(K_{a_{iP}} \oplus b_{iP}\right) = \ell/2
\end{array}
\right.
$$

where $a_{ij}$ denotes the index of the $i$-th bit of $a_j$ that is equal to 1 (so that $K_{a_{1j}}, \ldots, K_{a_{\ell j}}$ are the bits of $K\#a_j$) and $b_{ij}$ denotes the $i$-th bit of $b_j$. Note that the sum counts bits, i.e., it is taken over the integers, not modulo 2.
To recover the identity of the tag, the reader goes through its list of secrets and tests which one of them satisfies all the equations. In the end, the tag whose secret solves all the equations is accepted as the partner tag. We note that this search is more efficient if, instead of testing all equations at once for every key, each equation acts as a filter: the reader first keeps all keys that satisfy the first equation, then tests the survivors on the second one, and so on. Indeed, since a wrong key passes a single equation only with probability $\binom{\ell}{\ell/2}/2^{\ell} \le 1/2$, the expected number of equation checks drops from about $nP$ to less than $2n$.
Depending on the parameter set, it may be that a key different from the one held by the tag satisfies all the equations and is recognized as the partner tag. This event is commonly known as a false positive (or false acceptance). To compute the probability of a false positive, one has to compare the number of equations that a random but fixed key satisfies with the total number of equations. When the RFID system consists of $n$ tags, Castelluccia and Soos showed that this probability is given by

$$
P_{FA} = n \left( \frac{\binom{k}{\ell}\binom{\ell}{\ell/2}}{\binom{k}{\ell}\, 2^{\ell}} \right)^{P} = n \left( \frac{\binom{\ell}{\ell/2}}{2^{\ell}} \right)^{P}.
$$
From this probability, we can derive the number of equations $P$ that a tag has to provide to the reader in order to authenticate itself. However, from a security point of view, there is also an upper bound on $P$ above which the $\ell/2$-in-$\ell$ SAT instance becomes easier to solve. Conversely, too small a $P$ induces a high false acceptance rate, which harms the correctness of the whole scheme. Hence, it is crucial to find a balance between security and efficiency. In order to measure how the difficulty of the problem grows with $P$ and to determine parameter sets, the authors of ProbIP proposed to use the SAT solver MiniSat to tentatively solve an $\ell/2$-in-$\ell$ SAT instance with $P$ equations. Unfortunately, no concrete parameter set was suggested.
The security of the scheme was analyzed under the Juels-Weis model: the adversary selects two tags, is given one of them chosen at random, and has to guess the identity of the latter with non-negligible advantage, i.e., with probability significantly larger than $1/2$ (the Juels-Weis model is described in full elsewhere in this thesis). For that, the adversary needs to interact with the target tag and will ultimately have to decide from which secret an $\ell/2$-in-$\ell$ SAT instance was generated. Since this problem reduces to the decisional $\ell/2$-in-$\ell$ SAT problem, the authors argue that any successful attack on ProbIP yields an efficient solver for the $\ell/2$-in-$\ell$ SAT problem.
6.2.2 Violation of Anonymous Privacy
Before submitting the two tags to the challenger, the Juels-Weis model allows the adversary to interact with all the tags; namely, she can query the two target tags as many times as she wishes. This is even easier to carry out when, as in ProbIP, the tag does not authenticate its partner: anyone able to send a Hello message obtains a fresh response. In the following, we show that these interactions lead to the recovery of the tag's secret, thus violating both its security and its privacy.
In short, an adversary simply queries the tag until she has gathered enough equations. At this point, it becomes useless to hand the system to a SAT solver, since a Gaussian-elimination-type algorithm recovers the key in polynomial time. More formally, the attack runs as follows. We consider an RFID system with two tags, $T_0$ and $T_1$. The adversary sends Hello messages to a tag via Send queries until she obtains $k$ equations; since each request yields $P$ equations, $\lceil k/P \rceil$ queries suffice. She then holds the following system, in which $v_{ij}$ denotes a boolean variable set to 1 if the $i$-th bit of $K$ is present in the $j$-th equation (i.e., $v_{ij} = a_j[i]$) and $b_{ij}$ is the bit of $b_j$ associated with position $i$:
$$
\left\{
\begin{array}{l}
\sum_{i=1}^{k} v_{i1}\,\bigl(K[i] \oplus b_{i1}\bigr) = \ell/2 \\[2pt]
\sum_{i=1}^{k} v_{i2}\,\bigl(K[i] \oplus b_{i2}\bigr) = \ell/2 \\[2pt]
\qquad\vdots \\[2pt]
\sum_{i=1}^{k} v_{ik}\,\bigl(K[i] \oplus b_{ik}\bigr) = \ell/2
\end{array}
\right.
$$
Since for any boolean $v$ we can write $v + \bar{v} = 1$, every negated bit $\overline{K[i]} = K[i] \oplus 1$ is replaced by $1 - K[i]$. Each left-hand side then becomes an integer linear combination of the $K[i]$ whose coefficients take three values, $0$, $1$ and $-1$, so there are at most $3^k$ distinct equations. This way, the adversary obtains a linear system of $k$ equations in $k$ unknowns over the integers (not modulo 2, since each equation counts true literals), which can be solved with standard methods such as Gaussian elimination. If the $k$ collected equations are not linearly independent, the adversary simply obtains more from the tag by sending further Hello messages until she has enough.
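The protocol of Section 6.2.1 and the key-recovery attack above, as an added worked example (this code is not from the thesis or from the ProbIP authors). It assumes toy parameters $k = 16$, $\ell = 4$, $P = 4$, since the thesis gives no concrete set, and assumes that the tag meets its constraint by choosing $b = K\#a \oplus w$ for a random $w$ of weight $\ell/2$, which is one way to do it. The reader side implements the equation-by-equation filtering and the false-acceptance formula; the adversary side linearizes each equation with $K[i] \oplus 1 = 1 - K[i]$ and solves the resulting integer system by Gauss-Jordan elimination over the rationals, requesting more equations while the system is rank-deficient. The tag database and the target key are constructed sample inputs.

```python
import random
from fractions import Fraction
from math import comb

# Toy parameters, assumed for illustration only (the thesis gives no concrete set).
K_BITS = 16  # k: key length in bits
ELL = 4      # l: key bits selected per equation (must be even)
P = 4        # P: equations sent per authentication round


def probip_response(key, rng, ell=ELL, p=P):
    """Tag side. Returns P pairs (positions, b): 'positions' are the l indices where the
    k-bit vector a is 1, b is an l-bit list, and Hwt(K#a xor b) = l/2.
    Assumed construction: b = K#a xor w for a random w of weight l/2."""
    k = len(key)
    response = []
    for _ in range(p):
        positions = sorted(rng.sample(range(k), ell))
        ones = set(rng.sample(range(ell), ell // 2))
        w = [1 if j in ones else 0 for j in range(ell)]
        response.append((positions, [key[i] ^ wj for i, wj in zip(positions, w)]))
    return response


def satisfies(key, positions, b):
    """One equation: does this key give Hwt(K#a xor b) == l/2?"""
    return sum(key[i] ^ bj for i, bj in zip(positions, b)) == len(b) // 2


def identify(database, response):
    """Reader side: every equation acts as a filter on the list of (ID, K_ID)."""
    candidates = list(database)
    for positions, b in response:
        candidates = [(tid, key) for tid, key in candidates if satisfies(key, positions, b)]
    return [tid for tid, _ in candidates]


def false_acceptance_rate(n, k, ell, p):
    """P_FA = n * ( C(k,l) C(l,l/2) / (C(k,l) 2^l) )^P for a system of n tags."""
    per_equation = comb(k, ell) * comb(ell, ell // 2) / (comb(k, ell) * 2 ** ell)
    return n * per_equation ** p


def linearize(positions, b, k):
    """Adversary: rewrite sum_i (K[a_i] xor b_i) = l/2 as sum_i c_i K[i] = rhs over the
    integers using K[i] xor 1 = 1 - K[i]; c_i is 0 (absent), +1 (b_i = 0) or -1 (b_i = 1)."""
    coeffs = [0] * k
    rhs = len(b) // 2
    for i, bj in zip(positions, b):
        if bj == 0:
            coeffs[i] = 1
        else:
            coeffs[i] = -1
            rhs -= 1  # the constant from (1 - K[i]) moves to the right-hand side
    return coeffs, rhs


def solve_rational(rows, k):
    """Gauss-Jordan elimination over the rationals (not mod 2: equations count true
    literals). Returns the k key bits, or None while the system is rank-deficient."""
    m = [[Fraction(c) for c in coeffs] + [Fraction(rhs)] for coeffs, rhs in rows]
    for col in range(k):  # the pivot for column col is moved into row col
        pivot = next((r for r in range(col, len(m)) if m[r][col] != 0), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        piv = m[col][col]
        m[col] = [x / piv for x in m[col]]
        for r in range(len(m)):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [int(m[i][k]) for i in range(k)]


def recover_key(key, rng, ell=ELL, p=P):
    """Full attack: one Hello per loop iteration, until the linearized system has full rank."""
    k = len(key)
    rows, queries, solution = [], 0, None
    while solution is None:
        rows.extend(linearize(pos, b, k) for pos, b in probip_response(key, rng, ell, p))
        queries += 1
        if len(rows) >= k:
            solution = solve_rational(rows, k)
    return solution, queries


def run_demo(seed):
    """Constructed scenario: a database of 8 random tags; the adversary targets one of them."""
    rng = random.Random(seed)
    database = [("tag%d" % i, [rng.randrange(2) for _ in range(K_BITS)]) for i in range(8)]
    target_id, target_key = database[3]
    identified = identify(database, probip_response(target_key, rng))
    recovered, queries = recover_key(target_key, rng)
    return {"identified": identified, "target": target_id,
            "recovered": recovered == target_key, "queries": queries}


if __name__ == "__main__":
    print(run_demo(1))
    print("P_FA for n=1000, k=16, l=4, P=4:", false_acceptance_rate(1000, 16, 4, 4))
```

The attack never touches a SAT solver: the only "hard" step the tag relies on is the mapping of the XOR to a signed count, after which the adversary holds ordinary linear equations, and the number of tag queries she needs is about $k/P$ (a few more when the first $k$ rows happen to be dependent).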
6.2.3 Future Development
The weakness of this authentication protocol comes from the fact that at each round the adversary obtains some information about the same key. So a quick way to counter the attack would