Abstract
Distance bounding (DB) protocols allow a prover to convince a verifier that they are within a distance bound. A public key distance bounding protocol relies on the public keys of the users to prove their identity and proximity claim. There have been a number of approaches in the literature to formalize the security of public key distance bounding protocols. In this paper we extend an earlier work that formalizes the security of public key DB protocols using an approach that is inspired by the security definition of identification protocols, and is referred to as distance-bounding identification (\(\mathtt {DBID}\)). We first show that if protocol participants have access to a directional antenna, many existing protocols that have been proven secure become insecure, and then show how to revise the previous model to include this new capability of the users. The DBID approach provides a natural way of modelling man-in-the-middle attacks in line with identification protocols, as well as other attacks that are commonly considered in distance bounding protocols. We compare the existing public key DB models, and prove the security of the scheme known as \(\mathtt {ProProx}\) in our model.
References
Agiwal, M., Roy, A., Saxena, N.: Next generation 5G wireless networks: a comprehensive survey. IEEE Commun. Surv. Tutor. 18(3), 1617–1655 (2016)
Ahmadi, A., Safavi-Naini, R.: Distance-bounding identification. In: Proceedings of the 3rd International Conference on Information Systems Security and Privacy, ICISSP, INSTICC, vol. 1, pp. 202–212. SciTePress (2017)
Ahmadi, A., Safavi-Naini, R.: Privacy-preserving distance-bounding proof-of-knowledge. In: Hui, L.C.K., Qing, S.H., Shi, E., Yiu, S.M. (eds.) ICICS 2014. LNCS, vol. 8958, pp. 74–88. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21966-0_6
Avoine, G., Bingöl, M.A., Kardaş, S., Lauradoux, C., Martin, B.: A framework for analyzing RFID distance bounding protocols. J. Comput. Secur. 19(2), 289–317 (2011)
Boureanu, I., Mitrokotsa, A., Vaudenay, S.: Secure and lightweight distance-bounding. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 97–113. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40392-7_8
Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_30
Bussard, L., Bagga, W.: Distance-bounding proof of knowledge protocols to avoid terrorist fraud attacks. Technical report, Institut Eurecom, France (2004)
Chernoff, H.: A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations. Ann. Math. Stat. 23, 493–507 (1952)
Cremers, C., Rasmussen, K.B., Schmidt, B., Capkun, S.: Distance hijacking attacks on distance bounding protocols. In: Security and Privacy, pp. 113–127 (2012)
Damgård, I.: On \(\Sigma \)-protocols. Lecture Notes, University of Aarhus, Department for Computer Science (2002)
Desmedt, Y.: Major security problems with the "unforgeable" (Feige-)Fiat-Shamir proofs of identity and how to overcome them. In: Congress on Computer and Communication Security and Protection Securicom 1988, pp. 147–159 (1988)
Dürholz, U., Fischlin, M., Kasper, M., Onete, C.: A formal approach to distance-bounding RFID protocols. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 47–62. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24861-0_4
Francillon, A., Danev, B., Capkun, S.: Relay attacks on passive keyless entry and start systems in modern cars. In: NDSS (2011)
Gambs, S., Killijian, M.O., Lauradoux, C., Onete, C., Roy, M., Traoré, M.: VSSDB: a verifiable secret-sharing and distance-bounding protocol. In: International Conference on Cryptography and Information Security (BalkanCryptSec 2014) (2014)
Gambs, S., Onete, C., Robert, J.M.: Prover anonymous and deniable distance-bounding authentication. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 501–506 (2014)
Gennaro, R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 220–236. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_14
Guillou, L.C., Quisquater, J.-J.: A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_11
Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23822-2_31
Hermans, J., Peeters, R., Onete, C.: Efficient, secure, private distance bounding without key updates. In: Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 207–218. ACM (2013)
Hoeffding, W.: Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58, 13–30 (1963)
Kurosawa, K., Heng, S.-H.: The power of identification schemes. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 364–377. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_24
Rasmussen, K.B., Capkun, S.: Realization of RF distance bounding. In: USENIX Security Symposium, pp. 389–402 (2010)
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Vaudenay, S.: On modeling terrorist frauds. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 1–20. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-41227-1_1
Vaudenay, S.: Proof of proximity of knowledge. IACR Eprint 695 (2014)
Appendix
Definition 5 (Authentication). An authentication protocol is an interactive pair of protocols \((P(\zeta ), V(z))\) of PPT algorithms operating on a language L and relation \(R=\{(z, \zeta ):z \in L, \zeta \in W(z)\}\), where W(z) is the set of all witnesses for z that should be accepted in authentication. This protocol has the following properties:
- complete: \(\forall (z,\zeta ) \in R\), we have \(\Pr [Out_{\mathcal {V}}=1:P(\zeta )\leftrightarrow V(z)] = 1\).
- \(\kappa \)-sound: \(\Pr [Out_{\mathcal {V}}=1:P^*\leftrightarrow V(z)] \le \kappa \) in either of the following two cases: (i) \(z \notin L\); (ii) \(z \in L\) while the algorithm \(P^*\) is independent of every \(\zeta \in W(z)\).
\(\Pr [Out_{\mathcal {V}}=1:\mathcal {A}_2(View_{\mathcal {A}_1}) \leftrightarrow V(z)] \le negl\).
Definition 6 (Homomorphic Bit Commitment). A homomorphic bit commitment function is a PPT algorithm Com operating on a multiplicative group G with parameter \(\lambda \), that takes \(b \in \mathbb {Z}_2\) and \(\rho \in G\) as input, and returns \(Com(b;\rho ) \in G\). This function has the following properties:
- homomorphic: \(\forall b,b' \in \mathbb {Z}_2\) and \(\forall \rho , \rho ' \in G\), we have \(Com(b;\rho )Com(b';\rho ')=Com(b+b';\rho \rho ')\).
- perfect binding: \(\forall b,b' \in \mathbb {Z}_2\) and \(\forall \rho , \rho ' \in G\), the equality \(Com(b;\rho )=Com(b';\rho ')\) implies \(b=b'\).
- computational hiding: for a random \(\rho \in _R G\), the distributions \(Com(0;\rho )\) and \(Com(1;\rho )\) are computationally indistinguishable.
Definition 7 (One-way Function). Taking \(\lambda \) as the security parameter, an efficiently computable function \(OUT\leftarrow \text {FUNC}(IN)\) is one-way if there is no PPT algorithm that takes OUT as input and returns IN with non-negligible probability in terms of \(\lambda \).
Definition 8 (Zero-Knowledge Protocol). A pair of protocols \((P(\alpha ), V(z))\) is \(\zeta \)-zero-knowledge for \(P(\alpha )\) if for any PPT interactive machine \(V^*(z,aux)\) there is a PPT simulator S(z, aux) such that for any PPT distinguisher, any \((\alpha :z)\in L\), and any \(aux \in \{0,1\}^*\), the distinguishing advantage between the final view of \(V^*\) in the interaction \(P(\alpha )\leftrightarrow V^*(z,aux)\) and the output of the simulator S(z, aux) is bounded by \(\zeta \).
Lemma 6 (Chernoff-Hoeffding Bound, [8, 20]). For any \((\epsilon , n, \tau , q)\), we have the following inequalities about the function \(Tail(n,\tau , \rho )=\sum \limits _{i=\tau }^n {\left( {\begin{array}{c}n\\ i\end{array}}\right) } \rho ^i (1-\rho )^{n-i}\):
- if \(\frac{\tau }{n}<q-\epsilon \), then \(Tail(n, \tau , q)>1-e^{-2\epsilon ^2n}\)
- if \(\frac{\tau }{n}>q+\epsilon \), then \(Tail(n, \tau , q)<e^{-2\epsilon ^2n}\)
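As an added illustration (not part of the paper), the following Python computes \(Tail\) exactly, checks both inequalities of Lemma 6, and applies the upper-tail bound the way distance-bounding analyses commonly use it: choosing the number of fast rounds n so that an adversary who must guess each response (per-round success probability q) reaches the verifier's threshold of correct rounds only with negligible probability. That reading of the parameters (n rounds, threshold τ, guessing probability q) is an assumption about how the lemma is applied, not something this page states.

```python
from fractions import Fraction
from math import comb, exp, log, ceil


def tail(n, tau, rho):
    """Exact Tail(n, tau, rho) = sum_{i=tau}^{n} C(n,i) rho^i (1-rho)^(n-i):
    the probability that at least tau of n independent Bernoulli(rho) trials succeed."""
    rho = Fraction(rho)
    return sum(Fraction(comb(n, i)) * rho ** i * (1 - rho) ** (n - i)
               for i in range(tau, n + 1))


def lemma6_holds(n, tau, q, eps):
    """Evaluate whichever inequality of Lemma 6 applies to (eps, n, tau, q).
    Returns (case, holds): case is 'lower' when tau/n < q - eps, 'upper' when
    tau/n > q + eps, and None when neither hypothesis is satisfied."""
    ratio, q, eps = Fraction(tau, n), Fraction(q), Fraction(eps)
    bound = exp(-2 * float(eps) ** 2 * n)   # e^{-2 eps^2 n}
    t = float(tail(n, tau, q))
    if ratio < q - eps:
        return "lower", t > 1 - bound
    if ratio > q + eps:
        return "upper", t < bound
    return None, True


# Assumed application to a distance-bounding fast phase: the verifier accepts
# if at least threshold*n of the n rounds are answered correctly, and an
# adversary without the secret can only guess each round with probability q.
def rounds_from_bound(q, threshold, target):
    """Smallest n for which the upper-tail bound e^{-2 eps^2 n}, with
    eps = threshold - q, is at most target (e.g. 2**-20)."""
    eps = Fraction(threshold) - Fraction(q)
    if eps <= 0:
        raise ValueError("threshold must exceed the per-round guessing probability")
    return ceil(log(1 / target) / (2 * float(eps) ** 2))


def guessing_success(n, threshold, q):
    """Exact probability that round-by-round guessing reaches the threshold."""
    tau = ceil(Fraction(threshold) * n)
    return tail(n, tau, q)


if __name__ == "__main__":
    n = rounds_from_bound(Fraction(1, 2), Fraction(3, 4), 2 ** -20)
    print("rounds from Lemma 6 bound:", n)
    print("exact guessing success:", float(guessing_success(n, Fraction(3, 4), Fraction(1, 2))))
```

Because the bound only depends on ε and n, the exact value returned by `guessing_success` is typically well below the target; the bound is what a proof quotes, the exact tail is what an implementer can check.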
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Ahmadi, A., Safavi-Naini, R. (2018). Directional Distance-Bounding Identification. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2017. Communications in Computer and Information Science, vol 867. Springer, Cham. https://doi.org/10.1007/978-3-319-93354-2_10
DOI: https://doi.org/10.1007/978-3-319-93354-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93353-5
Online ISBN: 978-3-319-93354-2
eBook Packages: Computer Science (R0)