A class of precomputation-based distance-bounding protocols Jorge - - PowerPoint PPT Presentation

a class of precomputation based distance bounding
SMART_READER_LITE
LIVE PREVIEW

A class of precomputation-based distance-bounding protocols Jorge - - PowerPoint PPT Presentation

Nov 28, 2022 130 likes •688 views

Introduction Lookup-based protocols Properties and security analysis Conclusions A class of precomputation-based distance-bounding protocols Jorge Toro-Pozo University of Luxembourg (joint work with Sjouke Mauw and Rolando Trujillo-Rasua,

slide-1
SLIDE 1

Introduction Lookup-based protocols Properties and security analysis Conclusions

A class of precomputation-based distance-bounding protocols

Jorge Toro-Pozo University of Luxembourg

(joint work with Sjouke Mauw and Rolando Trujillo-Rasua, to appear at Euro S&P 2016)

Nancy, France. March 16, 2016

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-2
SLIDE 2

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-3
SLIDE 3

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-4
SLIDE 4

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-5
SLIDE 5

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 d4 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-6
SLIDE 6

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 d4 d5 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-7
SLIDE 7

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 d4 d5 d5 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-8
SLIDE 8

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 d4 d5 d5

Definition (Relay attack) A relay attack is a man-in-the-middle attack where the adversary manipulates the communication by only relaying the verbatim messages between reader and the tag.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-9
SLIDE 9

Introduction Lookup-based protocols Properties and security analysis Conclusions

Relay attack: how to beat a grand master

White Black d4 d4 d5 d5

Definition (Relay attack) A relay attack is a man-in-the-middle attack where the adversary manipulates the communication by only relaying the verbatim messages between reader and the tag.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-10
SLIDE 10

Introduction Lookup-based protocols Properties and security analysis Conclusions

Solution: distance bounding protocols

Definition (Distance Bounding) A distance bounding protocol is an authentication protocol that in addition checks the distance between tag and reader. The computed distance is an upper-bound on their actual distance.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-11
SLIDE 11

Introduction Lookup-based protocols Properties and security analysis Conclusions

Radio Frequency Identification - RFID

Communication is contactless. Line-of-sight is not necessary. Messages are broadcast. Limited resources (memory, processor speed, energy, interaction time).

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-12
SLIDE 12

Introduction Lookup-based protocols Properties and security analysis Conclusions

Radio Frequency Identification - RFID

Communication is contactless. Line-of-sight is not necessary. Messages are broadcast. Limited resources (memory, processor speed, energy, interaction time). Tags respond to the reader’s requests without explicit agreement of their holder

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-13
SLIDE 13

Introduction Lookup-based protocols Properties and security analysis Conclusions

Radio Frequency Identification - RFID

Communication is contactless. Line-of-sight is not necessary. Messages are broadcast. Limited resources (memory, processor speed, energy, interaction time). Tags respond to the reader’s requests without explicit agreement of their holder

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-14
SLIDE 14

Introduction Lookup-based protocols Properties and security analysis Conclusions

Distance bounding protocols are vulnerable

Mafia-fraud attacks

... and also to other attacks, e.g. distance fraud terrorist fraud distance hijacking

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-15
SLIDE 15

Introduction Lookup-based protocols Properties and security analysis Conclusions

Distance bounding protocols are vulnerable

Mafia-fraud attacks

... and also to other attacks, e.g. distance fraud terrorist fraud distance hijacking

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-16
SLIDE 16

Introduction Lookup-based protocols Properties and security analysis Conclusions

A few distance bounding protocols

Brands and Chaum (Fiat-Shamir) Brands and Chaum (Schnorr) Brands and Chaum (signature) Bussard and Bagga CRCS Hancke and Kuhn Hitomi KA2 Kuhn, Luecken, Tippenhauer MAD Meadows et al. for F(· · · ) = NV , NP ⊕ P Munilla and Peinado Noise resilient MAD Poulidor Reid et al. Swiss-Knife Tree WSBC+DB WSBC+DB Noent Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-17
SLIDE 17

Introduction Lookup-based protocols Properties and security analysis Conclusions

Many of them have been broken

Brands and Chaum (Fiat-Shamir) Brands and Chaum (Schnorr) Brands and Chaum (signature) Bussard and Bagga CRCS Hancke and Kuhn Hitomi KA2 Kuhn, Luecken, Tippenhauer MAD Meadows et al. for F(· · · ) = NV , NP ⊕ P Munilla and Peinado Noise resilient MAD Poulidor Reid et al. Swiss-Knife Tree WSBC+DB WSBC+DB Noent Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-18
SLIDE 18

Introduction Lookup-based protocols Properties and security analysis Conclusions

Some common principles

Are composed by two phases:

Slow phase: generation of random values, exchange of parameters, preparation of data structures. Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times.

Need very short processing time at the tag (otherwise the adversary could overclock the tag).

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-19
SLIDE 19

Introduction Lookup-based protocols Properties and security analysis Conclusions

Some common principles

Are composed by two phases:

Slow phase: generation of random values, exchange of parameters, preparation of data structures. Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times.

Need very short processing time at the tag (otherwise the adversary could overclock the tag). Perform the authentication during the fast phase.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-20
SLIDE 20

Introduction Lookup-based protocols Properties and security analysis Conclusions

Some common principles

Are composed by two phases:

Slow phase: generation of random values, exchange of parameters, preparation of data structures. Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times.

Need very short processing time at the tag (otherwise the adversary could overclock the tag). Perform the authentication during the fast phase. Do not have a final slow phase.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-21
SLIDE 21

Introduction Lookup-based protocols Properties and security analysis Conclusions

Some common principles

Are composed by two phases:

Slow phase: generation of random values, exchange of parameters, preparation of data structures. Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times.

Need very short processing time at the tag (otherwise the adversary could overclock the tag). Perform the authentication during the fast phase. Do not have a final slow phase. We call them Lookup-based protocols

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-22
SLIDE 22

Introduction Lookup-based protocols Properties and security analysis Conclusions

Some common principles

Are composed by two phases:

Slow phase: generation of random values, exchange of parameters, preparation of data structures. Fast phase: 1-bit messages, tag performs at most lookup/and/xor/. . . ; repeat this n times.

Need very short processing time at the tag (otherwise the adversary could overclock the tag). Perform the authentication during the fast phase. Do not have a final slow phase. We call them Lookup-based protocols

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-23
SLIDE 23

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-24
SLIDE 24

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-25
SLIDE 25

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-26
SLIDE 26

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-27
SLIDE 27

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-28
SLIDE 28

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-29
SLIDE 29

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-30
SLIDE 30

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-31
SLIDE 31

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-32
SLIDE 32

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-33
SLIDE 33

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

1

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-34
SLIDE 34

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

1 r 3

3

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-35
SLIDE 35

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

1 r 3

3

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-36
SLIDE 36

Introduction Lookup-based protocols Properties and security analysis Conclusions

Avoine and Tchamkerten’s proposal (2009)

V

Fast phase

P

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1

r 0

1

1 r 1

2

1 r 3

3

r0 r0

1

r1

1

1 r0

2

r1

2

r2

2

r3

2

1 1 r0

3

r1

3 r2 3

r3

3 r4 3

r5

3 r6 3

r7

3

1 0 1 0 1 0 1 Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-37
SLIDE 37

Introduction Lookup-based protocols Properties and security analysis Conclusions

Two well-known lookup-based protocols

Mafia Fraud Memory usage HK protocol

  • 3

4

n

O(n) AT protocol

1 2n (1 + n 2)

O(2n)

HK is simple, low cost requirements, but not good in security

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-38
SLIDE 38

Introduction Lookup-based protocols Properties and security analysis Conclusions

Two well-known lookup-based protocols

Mafia Fraud Memory usage HK protocol

  • 3

4

n

O(n) AT protocol

1 2n (1 + n 2)

O(2n)

HK is simple, low cost requirements, but not good in security AT is the most secure existing DBP, but it requires exponential memory

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-39
SLIDE 39

Introduction Lookup-based protocols Properties and security analysis Conclusions

Two well-known lookup-based protocols

Mafia Fraud Memory usage HK protocol

  • 3

4

n

O(n) AT protocol

1 2n (1 + n 2)

O(2n)

HK is simple, low cost requirements, but not good in security AT is the most secure existing DBP, but it requires exponential memory

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-40
SLIDE 40

Introduction Lookup-based protocols Properties and security analysis Conclusions

Questions

1 Can we model this class of lookup-based protocols and

perform a generic analysis for its elements?

2 Does it exist a lookup-based protocol better than AT? 3 Do we need an exponential memory to achieve

1 2n (1 + n 2)?

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-41
SLIDE 41

Introduction Lookup-based protocols Properties and security analysis Conclusions

The model: Finite Automata

q0 q1 q2 q3 q4 q5 q6 q7 q8 1 1 1 1 1 1 1

An example of HK protocol with 4 rounds.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-42
SLIDE 42

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: lower bound

Theorem The probability value

1 2n

1 + n

2

is a tight lower bound on the

resistance to mafia fraud of lookup-based distance-bounding protocols with n rounds. So, we can’t do better than AT in lookup-based protocols.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-43
SLIDE 43

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: lower bound

Theorem The probability value

1 2n

1 + n

2

is a tight lower bound on the

resistance to mafia fraud of lookup-based distance-bounding protocols with n rounds. So, we can’t do better than AT in lookup-based protocols. Note that if we allow strong crypto and an extra phase, we can achieve

1 2n (Brands & Chaum 1993).

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-44
SLIDE 44

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: lower bound

Theorem The probability value

1 2n

1 + n

2

is a tight lower bound on the

resistance to mafia fraud of lookup-based distance-bounding protocols with n rounds. So, we can’t do better than AT in lookup-based protocols. Note that if we allow strong crypto and an extra phase, we can achieve

1 2n (Brands & Chaum 1993).

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-45
SLIDE 45

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: generic calculation of security

We introduce the uniformity number u ∈ {1, . . . , n} of a protocol. The higher u, the harder it is for the attacker to predict the state of the protocol. Theorem Let P be a lookup-based distance-bounding protocol with uniformity number u for n > 0 rounds. Then the success probability of a mafia-fraud attack is Rn, where R0 = 1 and Ri = 1 2i +

i−1

  • j=0

Ri−j−1 2j+min(u,j+1)+1 , This indeed instantiates to

  • 3

4

n for HK and to

1 2n (1 + n 2) for AT.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-46
SLIDE 46

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: generic calculation of security

We introduce the uniformity number u ∈ {1, . . . , n} of a protocol. The higher u, the harder it is for the attacker to predict the state of the protocol. Theorem Let P be a lookup-based distance-bounding protocol with uniformity number u for n > 0 rounds. Then the success probability of a mafia-fraud attack is Rn, where R0 = 1 and Ri = 1 2i +

i−1

  • j=0

Ri−j−1 2j+min(u,j+1)+1 , This indeed instantiates to

  • 3

4

n for HK and to

1 2n (1 + n 2) for AT.

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-47
SLIDE 47

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: optimality implies exponential memory?

Do we need exponential memory to achieve AT’s security ? We think so, but still don’t have a formal proof

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-48
SLIDE 48

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: optimality implies exponential memory?

Do we need exponential memory to achieve AT’s security ? We think so, but still don’t have a formal proof We think our automata-based model will allows us to prove it

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-49
SLIDE 49

Introduction Lookup-based protocols Properties and security analysis Conclusions

Properties: optimality implies exponential memory?

Do we need exponential memory to achieve AT’s security ? We think so, but still don’t have a formal proof We think our automata-based model will allows us to prove it

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-50
SLIDE 50

Introduction Lookup-based protocols Properties and security analysis Conclusions

Our proposed protocol

The uniform protocols: an example of a 2-uniform protocol

q0 q1 q2 q3 q4 q5 q6 q7 q8 q9 q10 q11 q12 q13 q14

Approximates

1 2n (1 + n 2)

They required linear space. The uniformity value u is pre-defined

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-51
SLIDE 51

Introduction Lookup-based protocols Properties and security analysis Conclusions

Security and memory usage analysis

Mafia Fraud Memory usage HK protocol

  • 3

4

n

O(n) u-Uniform Rn(u) − − − →

u→n 1 2n (1 + n 2)

O(2u × n) AT protocol

1 2n (1 + n 2)

O(2n)

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-52
SLIDE 52

Introduction Lookup-based protocols Properties and security analysis Conclusions

Conclusions

Better understanding and generic treatment of lookup-based distance-bounding protocols. Fundamental results on security and memory usage. Novel family of protocols that approximates optimality with low costs in memory. Can we extend our results to a larger class of protocols? What is the resistance of lookup-based protocols to distance fraud, terrorist frauds, etc.? Can we generalize the various types of fraud into one notion? Can we provide a causality-based definition of distance bounding (as opposed to time/space based)?

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-53
SLIDE 53

Introduction Lookup-based protocols Properties and security analysis Conclusions

Conclusions

Better understanding and generic treatment of lookup-based distance-bounding protocols. Fundamental results on security and memory usage. Novel family of protocols that approximates optimality with low costs in memory. Can we extend our results to a larger class of protocols? What is the resistance of lookup-based protocols to distance fraud, terrorist frauds, etc.? Can we generalize the various types of fraud into one notion? Can we provide a causality-based definition of distance bounding (as opposed to time/space based)?

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols

slide-54
SLIDE 54

Introduction Lookup-based protocols Properties and security analysis Conclusions

Thanks for your attention

jorge.toro@uni.lu http://satoss.uni.lu/members/jorge/

Jorge Toro-Pozo University of Luxembourg A class of precomputation-based distance-bounding protocols