Post on 25-Jan-2021
TREAD: A generic construction for provably TFresistant distance bounding
Gildas Avoine3 Xavier Bultel1 Sébastien Gambs 2 DavidGerault1 Pascal Lafourcade1 Cristina Onete 3 Jean-Marc
Robert 4
1University Clermont Auvergne, 2UQAM, Montréal, 3INSA/IRISA Rennes,4ÉTS, Montréal
FutureDB
This talk : Outline
TREADI Family of protocolsI Provably secureI Modular : several possible instances
I LightweightI Private vs eavesdropperI Anonymous vs verifiers
I New mechanism for TF resistanceThe DFKO framework
I Another security model for DBI Dürholz, Fischlin, Kasper, Onete (2011)I Overview of the proofs for TREAD
Why provable ?
I Too many broken protocolsI A 2015 survey on 40+ protocols found only 9 survivorsI New attack statregies appear regularly
I TF against noise resistant protocolsI MF via key recovery/bit flippingI PRF programming attacksI . . .
Why anonymous ?
I User tracking has become pervasiveI Location history reveal a lot :
I Work addressI Home addressI Social links
I DB is a good candidate for tracking
Why a new approach for TF resistance ?
I TF resistance : if P helps A once, then A can impersonnate P at willI Generally done by forcing P to leak his key for A to succeedI r0 = a, r1 = a ⊕ XI P can give A a noisy version of his secret : proving it is enough to
pass is difficultPrevious solutions :
I FO, SPADE : BackdoorI SKI, DBopt : Leakage schemeI Proprox : Extractor
Additionally, it helped with anonymity
Combining TF resistance and anonymity
I Challenging (with a revocation mechanism)I Metro access system
I Anonymity for location privacyI DF/DH/TF resistance to prevent access sublettingI MF for obvious reasons
TREAD : Design
Prover P Verifier VAgree on r0,r1←−−−−−−−−−−−→for i = 0 to n
Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock
rcii−−−−−−−−−−−−→ Stop clockstore ∆ti
Everything is in the setting of r0 and r1(Usually PRF)
One problem : PRF programming
I PRF securiy : PRFX (input) ≡ random if x random and hiddenI 6= unpredictible if the key is known : Encx (input) is a PRFI DF : PRFX (NP,NV ) =
I Cste if NP = H(X)I fx (NP, NV ) otherwise
is a PRFI Not safe if combined with the key eitherI MF : PRFX (NP,NV , a) =
I X if a = fX (NP, NV ) ⊕ XI fx (NP, NV , a) otherwise
is a PRFLet’s remove the PRF !
How to pick the response vectors
I ∀i , r0i = r1i : DF, MFI ∀i , r0i 6= r1i : DF, MFI ∀i , r1i = r0i ⊕ Xi : TF, MF
Solution : P pick a, b, V picks m, r0 = a, r1 = b ⊕mP authenticates a, b with a signature S and an encryption scheme E
TREAD...almost
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
a||b $← {0, 1}2·nσp = S.sigsk(a||b)
e = E.encek(a||b||σp)e−−−−−−−−−−−−→ (a||b||σp) = E.decdk(e)
if S.vervk(σp , a||b||idprv(P)) = 0then abort
m←−−−−−−−−−−−− m $← {0, 1}n
r0 = a, r1 = b ⊕mfor i = 0 to n
Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock
rcii−−−−−−−−−−−−→ Stop clockstore ∆ti
TREAD with identities
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)if S.vervk(σp , a||b||idprv(P)) = 0then abort
m←−−−−−−−−−−−− m $← {0, 1}n
r0 = a, r1 = b ⊕mfor i = 0 to n
Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock
rcii−−−−−−−−−−−−→ Stop clockstore ∆ti
Security of TREAD
If E is a CCA-2 secure encryption scheme, and S is unforgeable, thenTREAD is
I DF/DH resistant, and PrDF = ( 34 )n
I MF resistant, and PrMF = ( 34 )n + negl . (signature+encryption)
I And SimTF ResistantProofs in the DFKO (Dürholz, Fischlin, Kasper, Onete) model
The DFKO model
I Session based (P-V, P-A, A-V)I A strictly increasing clock marker(sid ,m) per sessionI A quantified in terms of t, qobs , qP , qVI Notion of tainted sessionI A wins if he is accepted in an untainted session
DFKO : DF/DH
A malicious, far away prover P∗ tries to be accepted by V , possibly inthe presence of honest provers near the verifier.
I CommitTo(ri) ≡ send in advanceI Prompt(ri) ≡ use P’s responseI In practice, two dummy sessions
A session is tainted if during the time critical partI P∗ does not either commit or prompt for one roundI P∗ changes his response after receiving the challenge
P∗ wins if ∃pid such thatI pid is not taintedI P∗ is accepted in pid
TREAD : DH resistance
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)r0 = a, r1 = b ⊕m
I r0i 6= r1i for half the rounds due to mI commit correct with probability 34 for each roundI For DH-like attacks :I Pr
[rP∗i = rPi
]= 12
The best strategy is to guess ri in advance
DFKO : MF
A is between a far away P and VA session is tainted if A performs pure relaying during the time criticalphase, ie :P c
′i←− A ci←− V
P ri−→ A r′i−→ V
I ci = c ′iI ri = r ′iI A receives ci before sending c ′iI A receives ri before sending r ′iA wins if ∃pid such that
I pid is not taintedI P is accepted in pid
A can perform impure relaying(equivalent to the learning phase of BMV)
TREAD : MF resistance
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)r0 = a, r1 = b ⊕m
I r0i 6= r1i for half the rounds due to mI a, b protected by EI A cannot forge eI a, b are never reused, A only learns the responses for one set of
challenges (or slightly more)
DFKO : SimTF
P∗ helps A, the protocol is resistant if after one success, a simulator withthe view of A Prsim can pass with probability at least PrA.A session is tainted if A and P∗ communicate at all during the timecritical phase.Other notions :
I GameTF : Prsim ≥ PrMF
I strSimTF : like simTF, but A and P∗ can communicate during thetime critical phase
TREAD : TF resistance
Counter intuitiveI Combining r0 and r1 gives no keyI No full secret vector recoveryI No backdoor/extractor/leakage scheme
Key idea : A can replay eRewind A and make him play again
ReplayWith the prover
P A Vh1−−−→
e−−−→m←−−− m←−−−
h2(m)−−−→ci←−−−
rcii−−−→
Later, with a challengerCP A = sim CV V
h1−−−→e−−−→ e−−−→
m←−−− m←−−−m2←−−−
h2(m)−−−→ci←−−− ci←−−−
rcii−−−→rcii ⊕((mi⊕m2 i )·ci )−−−−−−−−−−−→
No extraction
I No assumptions on h1 or h2(m)I No assumption on how much bits A knowsI If A wins once, he can replay the same game and win againI But : proof more difficult if no SimTF
Some instances : symmetric
E : Symmetric encryption, S : Mac, idpub=PProver P Verifier V
ek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)
I No anonymity, no privacyI Lightweight
Some instances : public key
E : Public key encryption, idpub=∅, idpriv=PProver P Verifier V
ek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)
I Privacy vs eavesdroppersI Requires public key
Some instances : group signature
E : Public key encryption, S : Group signature, idpub=∅,idpriv=GroupID
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)
I Privacy vs eavesdroppersI Anonymous wrt verifiersI Requires group signatures
e can be precomputed
Other options
Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key
idpub(P) : public identityidprv(P) : private identity
a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))
e = E.encek(a||b||idprv(P)||σp)e||idpub(P)
−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)
I More lightweight : E : Symmetric encryption, S : MAC, idpub=∅,idpriv=P
I Identity based encryptionI idpub=group, idpriv=identityI Any combination, as long as E is CCA2-secure and S is unforgeable.
e can be precomputed
The anonymous version
I Anonymity directly comes from the group signatureI We extend the model to perform the proofsI Join, corrupt, revoke...
A note on recent attacks
Distance-Bounding Protocols : Verification without Time andLocation
andSjouke Mauw, Zach Smith, Jorge Toro-Pozo, Rolando Trujillo-Rasua
Proving physical proximity using symbolic modelsAlexandre Debant, Stéphanie Delaune, Cyrille Wiedling
I Multible, possibly dishonest verifiersI Not possible in our model, but still very relevantI V ∗ deciphers e, and gets a, b, σp = S.sigsk(a||b)I V ∗ can use a, b, σp = S.sigsk(a||b) with another verifier and
impersonate P
Possible solutions
I Authenticating the verifier (eg certificate)I Setting σp = S.sigsk(a, b,V ) and e = E.encek(a, b,V , idprv(P), σp)I But then TF resistance only for one verfiierI (needs to be verified)
Thank you for your attention !
Questions ?