Wide Strong Private RF IDentification based on Zero-Knowledge Roel - - PowerPoint PPT Presentation

Provable Privacy Workshop, 10 July 2012

Wide Strong Private RF IDentification based on Zero-Knowledge

Roel Peeters and Jens Hermans

RFID Privacy

500 Euros in wallet Serial numbers: 597387,389473… Wig model #4456 (cheap polyester) 30 items

• f lingerie

Das Kapital and Communist-party handbook Replacement hip medical part #459382

RFID Privacy

500 Euros in wallet Serial numbers: 597387,389473… Wig model #4456 (cheap polyester) 30 items

• f lingerie

Das Kapital and Communist-party handbook Replacement hip medical part #459382 55542390 41126751 09840921 54872164 93479122

RFID Privacy Model

!

DrawTag SendTag SendReader Result Weak Adversary FreeTag

RFID Privacy Model

!

DrawTag SendTag SendReader Result Forward Adversary Corrupt FreeTag

RFID Privacy Model

Forward Adversary Secret

RFID Privacy Model

!

DrawTag SendTag SendReader Result Strong Adversary Corrupt FreeTag

RFID Privacy Model

!

DrawTag SendTag SendReader Result Strong Adversary FreeTag Secret

Private Identification Protocol

! Requirements ! Correct ! Sound ! Private

Should not be neglected !

}

Not sound Not correct

Design Goals

! RFID Identification protocol that is: ! Secure ! Wide-strong private ! Efficient ! Compact hardware

Design Goals

! Secure, wide-strong private protocols require Public Key

Cryptography

! Elliptic Curve Cryptography coprocessor can be implemented on

RFID [LBSV’07] [WH’11]

! Limit the number of cryptographic building blocks, e.g. ideally no

hash functions

Secure, wide-strong protocols

! Two known protocols: ! Vaudenay’s Public Key Encryption ! Canard et al.’s Hashed ElGamal ! Both based on (variant) IND-CCA2

Vaudenay’s Public Key Encryption

Tag (ID, K, PK) Reader (sk, DB)

a b = ENCPK(ID!!K!!a) ID*!!K*!!a* = DECsk(b) a* == a " (ID*, K*) # DB ?

IND-CCA2

DHIES 2 EC mult 1 Hash 1 MAC 1 symm enc

Canard et al.’s Hashed ElGamal

Tag (ID, K, Y) Reader (y, DB)

a T1, T2 T0*!!ID*!!b* = T1 $ H(rT2) ID* # DB? T0 = MACK*(a!!b*)? T0 = MACK(a!!b) T1 = (T0!!ID!!b) $ H(rY) T2 = rP 2 EC mult 1 Hash 1 MAC

Randomized Schnorr

Tag (x, Y) Reader (y, DB)

e s = ex + r1 + r2 X* = e-1(sP - R1 - y-1R2) # DB ? R1 = r1P, R2 = r2Y

Randomized Schnorr

Tag (x, Y) Reader (y, DB)

e - e s = (e - e)x + r1 + r2 X* = e-1(s*P - R1* - y-1R2*) # DB ? R1 = r1P, R2 = r2Y e s + s = ex + r1 + r1 + r2 + r2 R1 + R1, R2 + R2 R1, R2, e, s result

not wide-weak

Randomized Hashed GPS

Tag (x, Y) Reader (y, DB)

e R1, R2, s = ex + r1 + r2 h = H(R1,R2) " X* = e-1(sP - R1 - y-1R2) # DB ? R1 = r1P, R2 = r2Y h = H(R1,R2)

Randomized Hashed GPS

Tag (x, Y) Reader (y, DB)

e - 1 R1, R2, s = (e-1)x + r1 + r2 h = H(R1,R2) e R1, R2, s + x = ex + r1 + r2 h h = H(R1,R2) " X* = e-1(sP - R1 - y-1R2) # DB ? x result

not wide-strong

New Protocol

Tag (x, Y) Reader (y, DB)

e s = dx + er1 d* = x-coord(x-coord(yR2)P) X* = d*-1(sP - eR1) # DB ? d = x-coord(x-coord(r2Y)P) R1 = r1P, R2 = r2P

New Protocol

Tag (x, Y) Reader (y, DB)

e s = dx + er1 d* = x-coord(x-coord(yR2)P) X* = d*-1(sP - eR1) # DB ? d = x-coord(x-coord(r2Y)P) R1 = r1P, R2 = r2P

One More Discrete Logarithm, just like Schnorr

New Protocol

Tag (x, Y) Reader (y, DB)

e s = dx + er1 d* = x-coord(x-coord(yR2)P) X* = d*-1(sP - eR1) # DB ? d = x-coord(x-coord(r2Y)P) R1 = r1P, R2 = r2P

Diffie Hellman One More Discrete Logarithm, just like Schnorr

New Protocol

Tag (x, Y) Reader (y, DB)

e s = dx + er1 d* = x-coord(x-coord(yR2)P) X* = d*-1(sP - eR1) # DB ? d = x-coord(x-coord(r2Y)P) R1 = r1P, R2 = r2P

ECC-based, no hash to keep HW design compact Diffie Hellman One More Discrete Logarithm, just like Schnorr Oracle Diffie Hellman

More Efficient Variant

Tag (x, Y) Reader (y, DB)

e s = dx + er d* = x-coord(yR) X* = d*-1(sP - eR) # DB ? d = x-coord(rY) R = rP

Conclusions

! Proven security and wide-strong privacy ! Efficient : only 2 EC multiplications ! Compact HW: no hash function

Full paper on ePrint

! http://eprint.iacr.org/2012/389