Directional Distance-Bounding Identification

Abstract

Distance bounding (DB) protocols allow a prover to convince a verifier that they are within a distance bound. A public key distance bounding relies on the public key of the users to prove their identity and proximity claim. There has been a number of approaches in the literature to formalize security of public key distance bounding protocols. In this paper we extend an earlier work that formalizes security of public key DB protocols using an approach that is inspired by the security definition of identification protocols, and is referred to it as distance-bounding identification (\(\mathtt {DBID}\)). We first show that if protocol participants have access to a directional antenna, many existing protocols that have been proven secure, will become insecure, and then show to revise the previous model to include this new capability of the users. DBID approach provides a natural way of modelling man-in-the-middle attack in line with identification protocols, as well as other attacks that are commonly considered in distance bounding protocols. We compare the existing public key DB models, and prove the security of the scheme known as \(\mathtt {ProProx}\), in our model.

Appendix

Definition 5

(Authentication). An authentication protocol is an interactive pair of protocols \((P(\zeta ), V(z))\) of PPT algorithms operating on a language L and relation \(R=\{(z, \zeta ):z \in L, \zeta \in W(z)\}\), where W(z) is the set of all witnesses for z that should be accepted in authentication. This protocol has the following properties:

• complete: \(\forall (z,\zeta ) \in R\), we have \(\Pr [Out_{\mathcal {V}}=1:P(\zeta )\leftrightarrow V(z)] = 1\).

• \(\kappa \)-sound: \(\Pr [Out_{\mathcal {V}}=1:P^*\leftrightarrow V(z)] \le \kappa \) in any of the following two cases; (i) \(z \notin L\), (ii) \(z \in L\) while algorithm \(P^*\) is independent from any \(\zeta \in W(z)\).

  \(\Pr [Out_{\mathcal {V}}=1:\mathcal {A}_2(View_{\mathcal {A}_1}) \leftrightarrow V(z)] \le negl\).

Definition 6

(Homomorphic Bit Commitment). A homomorphic bit commitment function is a PPT algorithm Com operating on a multiplicative group G with parameter \(\lambda \), that takes \(b \in \mathbb {Z}_2\) and \(\rho \in G\) as input, and returns \(Com(b;\rho ) \in G\). This function has the following properties:

• homomorphic: \(\forall b,b' \in \mathbb {Z}_2\) and \(\forall \rho , \rho ' \in G\), we have \(Com(b;\rho )Com(b';\rho ')=Com(b+b';\rho \rho ')\).

• perfect binding: \(\forall b,b' \in \mathbb {Z}_2\) and \(\forall \rho , \rho ' \in G\), the equality \(Com(b;\rho )=Com(b';\rho ')\) implies \(b=b'\).

• computational hiding: for a random \(\rho \in _R G\), the distributions \(Com(0,\rho )\) and \(Com(1,\rho )\) are computationally indistinguishable.

Definition 7

(One-way Function). By considering \(\lambda \) as the security parameter, an efficiently computable function \(OUT\leftarrow \text {FUNC}(IN)\), is one-way if there is no PPT algorithm that takes OUT as input and returns IN with non-negligible probability in terms of \(\lambda \).

Definition 8

(Zero-Knowledge Protocol). A pair of protocols \((P(\alpha ), V(z))\) is \(\zeta \)-zero-knowledge for \(P(\alpha )\), if for any PPT interactive machine \(V^*(z,aux)\) there is a PPT simulator S(z, aux) such that for any PPT distinguisher, any \((\alpha :z)\in L\), and any \(aux \in \{0,1\}^*\), the distinguishing advantage between the final view of \(V^*\), in the interaction \(P(\alpha )\leftrightarrow V^*(z,aux)\), and output of the simulator S(z, aux) is bounded by \(\zeta \).

Lemma 6

(Chernoff-Hoeffding Bound, [8, 20]). For any \((\epsilon , n, \tau , q)\), we have the following inequalities about the function \(Tail(n,\tau , \rho )=\sum \limits _{i=\tau }^n {\left( {\begin{array}{c}n\\ i\end{array}}\right) } \rho ^i (1-\rho )^{n-i}\);

• if \(\frac{\tau }{n}<q-\epsilon \), then \(Tail(n, \tau , q)>1-e^{-2\epsilon ^2n}\)

• if \(\frac{\tau }{n}>q+\epsilon \), then \(Tail(n, \tau , q)<e^{-2\epsilon ^2n}\)