
is not secure. Instead, we prove that security is satisfied when the encryption scheme is IND-CCA secure, and it also follows that the protocol becomes Forward private.

Theorem .

If the encryption scheme of Figure . is IND-CPA secure, then the scheme is correct and Narrow-Forward private. Furthermore, if the cryptosystem is IND-CCA secure, then the scheme is secure and Forward private.

We divide our proof into four parts. In the first part, we show that the scheme is correct and secure for the reader. We then demonstrate that it is secure for the tags. Finally, we prove that it is Narrow-Forward private. We conclude that it is Forward private using Lemma . .

Correctness and Security for the Reader

Correctness follows directly from the correctness of the public-key encryption. Security for the reader follows from Theorem . , which relies on IND-CCA security.

Security for the Tags

We let the security experiment be played by a fixed adversary A whose environment is simulated by B. The latter has access to a decryption oracle that it uses to simulate the queries that require the secret key, namely SendReader(c; π) and Result(π). For that, it just queries the decryption oracle with c, gets a bit-string that it matches against ID ∥ K_ID ∥ a, and returns the last bits of the recovered plaintext in case of success. Otherwise, it returns a random bit-string. The same procedure is used to decide on the success of a protocol session.

Again, we let S_i be the event that the adversary wins the security experiment in Game i.

Game 0. Let S_0 be the event that the adversary wins the security experiment. Note that the adversary does not issue a SendReader(c; π) query on the target session that induces a matching conversation. (This is the unique value that makes the tag accept and the adversary win, so getting it from SendReader results in a matching conversation.)

Game 1. We make a change in Game 0 and define Game 1 as being the same, except that the SendReader queries never produce an a that was sent before to the SendTag interface. In other words, we require that A never guesses a. As a is chosen uniformly, when A makes s calls to SendTag, the probability of this event happening is bounded by s · 2^{-|a|} (writing |a| for the bit-length of a), so that

|Pr[S_0] − Pr[S_1]| ≤ s · 2^{-|a|}.

Since s is polynomially bounded, this probability is negligible when 2^{-|a|} is negligible.


Game 2. We now modify the way B handles SendReader(c; π) queries in instances that have either no matching conversation but where c was the output of a SendTag query, or a matching conversation with an illegitimate tag. For those, B returns uniformly distributed b′'s.

Simulation is perfect, as illegitimate tags get rejected with probability 1 (the database does not contain their corresponding entry), and ciphertexts that embed a reader challenge different from the one of the instance provoke the failure of the comparison after decryption. In other words,

Pr[S_2] = Pr[S_1].

Game 3. We further adapt B's behavior regarding SendReader(c; π) queries for sessions that have a matching conversation with legitimate tags. Since B is also handling SendTag queries, it knows the plaintext corresponding to the c sent in an instance with matching conversation. We thus modify B so that it keeps a table of pairs (a; b) for every ciphertext produced for a legitimate tag. This way, B does not need to access its decryption oracle for c's that were produced by legitimate tags in matching sessions. Clearly, we have that

Pr[S_3] = Pr[S_2].

Game 4. We now alter the SendTag(a; vtag) interface so that, instead of computing the encryption of ID ∥ K_ID ∥ a ∥ b, it encrypts a random R of the same length. (Recall that no such output is sent by B to the decryption oracle.)

We now construct a hybrid argument to show that |Pr[S_4] − Pr[S_3]| is negligible. We construct the hybrids as follows: B(i) is an algorithm simulating A for which the first i SendTag(a_i; vtag) queries are treated by picking a random b_i and encrypting ID ∥ K_ID ∥ a_i ∥ b_i; the rest of the queries are processed by encrypting random strings. We let C denote an adversary playing the IND-CCA game, simulating B(i)/B(i+1), that submits ID ∥ K_ID ∥ a_i ∥ b_i (as in B(i+1)) and R (as in B(i)) to the IND-CCA challenger, who randomly chooses one of the messages and returns its encryption. C then continues B(i)/B(i+1)'s execution and returns its output. The difference in the output of B(i) and B(i+1) can be expressed as a distinguisher advantage for the IND-CCA game, which is negligible by assumption. Therefore, we find that

|Pr[S_4] − Pr[S_3]| = negl(k).

At this point, A is receiving messages that are unrelated to b. Therefore, the only way for her to win the game is to guess b, which happens with probability 2^{-|b|} (writing |b| for the bit-length of b). Therefore, the scheme is secure.

Privacy

To prove privacy, we reduce a fixed Narrow-Forward adversary to one playing against the corresponding one-way authentication protocol, i.e., the same protocol without the last message and reader authentication. Recall that this protocol is Narrow-Strong private. Therefore, we only need to construct a blinder for the SendReader(c; π) → b′ interface. However, keeping the soundness of the proof requires us to split this simulation in two steps: we first take care of the case in which an instance fails. We then proceed as in

Basically, the blinder for SendReader returns uniformly distributed b′'s. To show that this simulation is indistinguishable from the b′ sent by the reader, we proceed in a number of games. We denote by S_i the event that the adversary wins Game i.

Game 0. We let this game be the original privacy game played by a Narrow-Forward adversary A. Recall that privacy requires A's SendTag and SendReader queries, in its two variants, to be simulated.

Game 1. We first eliminate the case in which the adversary submits a c that was not the answer of any SendTag query. Since the transcript of the instance would have no matching conversation, security ensures that the reader outputs ⊥ and chooses a random b′ for its answer. We find that

|Pr[S_1] − Pr[S_0]| ≤ Pr[E].

Therefore, we make B output random bit-strings.

Game 2. We proceed similarly for the case in which c is the output of a SendTag(a′; vtag) query in which vtag is an illegitimate tag (this information is yielded by DrawTag) or a′ was not sent by the first SendReader query of the same session, i.e., the conversation (a′; c) is not matching. Since decryption yields an a′ that is different from the one sent for the session, authentication fails with probability 1, so the reader outputs a uniformly distributed b′. In this case, the blinder's simulation is perfect.

Game 3. At last, we have an adversary who only sends c's that were produced by legitimate tags on sessions with matching conversation. Consequently, the answer from the SendReader interface will consist of a b′ that is equal to the b that was picked by the tag. Clearly, the adversary has no information on this b except that it is contained in the ciphertext c. More formally, we use the IND-CPA property of the encryption scheme to change c to a random value. In other words, we construct a blinder for both the SendTag interface and the remaining queries to the SendReader interface.

We let B(i) be the hybrid blinder for which the first i queries SendTag(a; vtag) → c and the eventual subsequent SendReader(c; π) → b′ queries are handled by setting c to be the encryption of a random r of the same length as ID ∥ K_ID ∥ a ∥ b and picking b′ at random, while the rest of the queries are processed in the usual way.
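As an added worked example (not code from the thesis), the following Python sketch models the two-message protocol and the simulator B of Game 3 in the security proof, whose answer rule is also the shape of the blinder in Games 1 and 2 of the privacy proof: SendTag encrypts ID ∥ K_ID ∥ a ∥ b, SendReader decrypts and compares, and SimulatorB answers matching legitimate sessions from its (a, b) table without touching the decryption oracle and returns a uniform b′ otherwise. The public-key scheme is replaced by a clearly labelled stand-in cipher so the logic runs offline, and the tag identifier, key length and nonce lengths are constructed values, not the thesis's parameters.

```python
import hashlib, secrets
A_LEN = B_LEN = 16   # byte lengths of the reader challenge a and the tag nonce b (constructed)

class ToyCipher:
    # Stand-in for the public-key scheme (nonce + SHAKE keystream): executable, but NOT IND-CCA secure
    def __init__(self):
        self.key, self.dec_calls = secrets.token_bytes(32), 0
    def _xor(self, nonce, m):
        return bytes(x ^ y for x, y in zip(m, hashlib.shake_256(self.key + nonce).digest(len(m))))
    def enc(self, m):
        nonce = secrets.token_bytes(16)
        return nonce + self._xor(nonce, m)
    def dec(self, c):
        self.dec_calls += 1   # each call models one decryption-oracle query
        return self._xor(c[:16], c[16:])

def send_tag(cipher, tid, key, a):
    b = secrets.token_bytes(B_LEN)              # tag: c = Enc(ID || K_ID || a || b)
    return cipher.enc(tid + key + a + b), b

def send_reader(cipher, db, a, c):
    # Reader: decrypt, match ID || K_ID || a with the database and the session challenge
    p = cipher.dec(c)
    for tid, key in db.items():
        if p[:-B_LEN] == tid + key + a:
            return True, p[-B_LEN:]                 # accept, answer with the tag's b
    return False, secrets.token_bytes(B_LEN)        # reject, answer with a uniform b'

class SimulatorB:
    # Game 3 simulator: answers SendReader from its (a, b) table for legitimate-tag ciphertexts
    def __init__(self, cipher, db):
        self.cipher, self.db, self.table = cipher, db, {}
    def send_tag(self, tid, key, a):
        c, b = send_tag(self.cipher, tid, key, a)
        if tid in self.db:
            self.table[c] = (a, b)
        return c
    def send_reader(self, a, c):
        if c in self.table and self.table[c][0] == a:
            return True, self.table[c][1]           # matching session: no decryption oracle
        return False, secrets.token_bytes(B_LEN)    # Game 2 rule: uniform b'

def demo():
    # Constructed run: a matching session, then the same c replayed into a session with another challenge
    tid, key, cipher = b"tag-0001", secrets.token_bytes(16), ToyCipher()
    db, a1, a2 = {tid: key}, secrets.token_bytes(A_LEN), secrets.token_bytes(A_LEN)
    c1, b1 = send_tag(cipher, tid, key, a1)
    ok1, bp1 = send_reader(cipher, db, a1, c1)
    ok2, _ = send_reader(cipher, db, a2, c1)
    return ok1 and bp1 == b1, ok2
```

demo() returns (True, False): the matching session is accepted with the tag's own b, while the ciphertext replayed into a session with a different challenge fails the comparison after decryption.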