2 PRELIMINARIES

Contents
- Notations
- Probabilities and Negligible Functions
- Classical Cryptography
  - Symmetric Encryption
  - Message Authentication Codes
  - Cryptographic Hash Functions
  - Universal Hash Functions
  - Pseudo-Random Functions
- Public-Key Encryption Schemes
- Hybrid Encryption
- The Random Oracle Model
- Proof Techniques
  - Hard Problems
  - The Simulation Paradigm and Hybrid Arguments
  - The Game Proof Methodology
2.1 Notations
Throughout this dissertation, we define a probabilistic algorithm to be an interactive Turing machine running on two tapes, one containing its inputs and the other one its randomness. An algorithm is said to be polynomial, or to run in polynomial time, if it stops after a number of steps that is polynomial in the size of its entry tape. Algorithms can also be deterministic: those are the ones that can be modeled by a Turing machine that only runs on a tape that contains its explicit inputs.
We use the notation $A(x, y) \to z$ to refer to running the algorithm $A$ with inputs $x$ and $y$ and obtaining $z$ as an output. When the algorithm is interactive and has access to an oracle $O$, we shall denote it $A^O$. Finally, we define the view of an interactive algorithm to be its random tape and all the answers that it got from interacting with the oracles it had at its disposal. All the other messages can be computed from this view and the algorithm's description. For an algorithm $A$, its view is denoted $\mathsf{view}_A$.
For a discrete set $X$, $|X|$ refers to its cardinality, i.e., the number of elements it contains. A vector $v$ whose components are bits is called a binary vector. We also define the Hamming weight of a binary vector as the number of 1's that it contains.
Finally, we let $\mathbb{N}$ denote the set of natural numbers, 0 inclusive, and $\mathbb{N}^*$ denote the set of natural numbers greater than 0. Likewise, $\mathbb{Z}$ is the set of integers. $\mathbb{Z}_p$ denotes the set of positive integers smaller than $p$, and $\mathbb{Z}_p^*$ is a subset of the former that only includes integers that are coprime with $p$.
2.2 Probabilities and Negligible Functions
We start by recalling some basic definitions for probabilities. The probability mass function of a discrete probability distribution is a function $f$ such that $f(x) = \Pr[\mathbf{x} = x]$. We also recall the definition of the cumulative distribution function $F(x) = \Pr[\mathbf{x} \le x]$.
Throughout this dissertation, we will explicitly use four probability distributions. For the sake of completeness, we describe them here.
The Uniform Distribution. Over a discrete set, the uniform distribution assigns to every entry an equal probability. That is, its probability mass function is a constant function that sums to 1 over all elements of $X$, i.e.,

$$\forall x \in X : f(x) = |X|^{-1}.$$

Even if it constitutes an abuse of notation, we write $x \in_R X$ to express the fact that $x$ is chosen from $X$ according to the uniform distribution.
The Bernoulli Distribution. This distribution is defined over the binary set $\{0, 1\}$ and models the success of an experiment that is controlled with a probability $p$. That