- Abstract
- Summary
- Contents
- Acknowledgements
- Personal Bibliography
- Introduction
- The Need for Dedicated Cryptographic Primitives for RFID Tags
- Privacy Issues in RFID Systems
- Our Privacy Model
- Preliminaries
- Notations
- Probabilities and Negligible Functions
- Classical Cryptography
- Message Authentication Codes
- Cryptographic Hash Functions
- Universal Hash Functions
- Pseudo-Random Functions
- The Random Oracle Model
- Proof Techniques
- Hard Problems
- The LPN Problem and the HB Family
- The LPN Problem
- Extensions of the LPN Problem
- Security Models for the HB Family
- The HB Protocol
- The GRS Attack
- Attempts to Thwart the GRS Attack
- Description
- Proposed Parameter Sets
- Asymptotic Complexity Analysis
- Optimizing the Attack
- Thwarting the Attack: the Case of Vectors without False Rejections
- Perspectives
- SQUASH
- Description
- Handling Window Truncation
- Handling the Truncation of the Combination of Many Integers
- Generalization
- Conclusion
- Privacy Failures in RFID Protocols
- ProbIP and the SAT Problem
- Violation of Anonymous Privacy
- Future Development
- MARP
- Description
- Auth2
- Description
- YA-TRAP+
- O-TRAP
- A Backward and Forward Untraceable Protocol
- Tracing O-FRAP
- Violating the Forward Privacy of O-FRAP
- Conclusion
- Privacy Models for RFID
- The ADO Model
- Description
- RFID System
- Correctness
- Privacy
- From Narrow Privacy to Privacy
- Narrow-Strong and Forward Privacy Using Public-Key Encryption
- Achieving Strong Privacy
- Our Proposal: Incorporate the Blinder into the Adversary
- Sampling Algorithms and the ISH Hypothesis
- Plaintext-Awareness
- Instances of Plaintext-Aware Encryption Schemes
- From PA+ to PA++ Plaintext-Awareness
- Privacy
- Security Proof
- Correctness
- Security
- The Case of Mutual Authentication
- RFID System with Mutual Authentication
- Correctness
- Privacy
- Correctness and Security for the Reader
- Security for the Tags
- Strong Privacy with Mutual Authentication
- Strong Privacy
- Conclusion
- The Security of RFID Primitives
- Our Contributions
- Further Work
- Our Contributions
- Further Work
- Final Notes
- List of Figures
- List of Tables
- List of Definitions
- Bibliography
- Curriculum Vitæ
LIST OF FIGURES
- An RFID Tag
- An RFID System
- Symmetric Encryption
- Message Authentication Code
- Symmetric Encryption
- The IND-CPA Security Experiment
- The IND-CCA Security Experiment
- The HB protocol
- The HB+ protocol
- The HB++ protocol
- The HB protocol
- The PUF-HB protocol
- The R -HB and HB protocols
- The Man-in-the-Middle Attack against R -HB and HB
- Plot of the function C(k)/k
- Basic challenge-response authentication protocol based on a MAC
- Structure of SQUASH
- The ProbIP protocol
- The MARP protocol
- The MARP protocol
- The Auth protocol
- The YA-TRAP protocol
- The YA-TRAP+ protocol
- The O-TRAP protocol
- The RIPP-FS protocol
- The backward and forward untraceable RFID protocol
- The O-FRAP protocol
- The O-FRAKE protocol
- Implications, separations and Equivalences in Vaudenay's Privacy notions
- A correct, secure, and Weak private RFID authentication protocol based on a pseudo-random function
- A weakly correct, secure, and Narrow-Destructive private RFID authentication protocol in the random oracle model
- A correct, secure, Narrow-Strong, and Forward private RFID authentication protocol based on an IND-CCA public-key encryption scheme
- Augmented protocol for RFID tags
- A correct, secure, and Strong-private RFID authentication protocol based on an IND-CPA and PA+ plaintext-aware public-key encryption scheme
- A Public-Key Based Mutual Authentication Protocol
LIST OF TABLES
- Complexity of Solving the LPN problem
- Practical parameter sets for HB
- Complexity of measuring a -bit window applied to the parameter set I and II of HB
- Attack cost for the initial bit of the shared key for HB applied to t = m
- Summary of the complexity of our attacks
- Basic properties for computing $\hat{R}(V)$