TREAD: A generic construction for provably TFresistant distance bounding

Gildas Avoine3 Xavier Bultel1 Sébastien Gambs 2 DavidGerault1 Pascal Lafourcade1 Cristina Onete 3 Jean-Marc

Robert 4

1University Clermont Auvergne, 2UQAM, Montréal, 3INSA/IRISA Rennes,4ÉTS, Montréal

FutureDB

This talk : Outline

TREADI Family of protocolsI Provably secureI Modular : several possible instances

I LightweightI Private vs eavesdropperI Anonymous vs verifiers

I New mechanism for TF resistanceThe DFKO framework

I Another security model for DBI Dürholz, Fischlin, Kasper, Onete (2011)I Overview of the proofs for TREAD

Why provable ?

I Too many broken protocolsI A 2015 survey on 40+ protocols found only 9 survivorsI New attack statregies appear regularly

I TF against noise resistant protocolsI MF via key recovery/bit flippingI PRF programming attacksI . . .

Why anonymous ?

I User tracking has become pervasiveI Location history reveal a lot :

I Work addressI Home addressI Social links

I DB is a good candidate for tracking

Why a new approach for TF resistance ?

I TF resistance : if P helps A once, then A can impersonnate P at willI Generally done by forcing P to leak his key for A to succeedI r0 = a, r1 = a ⊕ XI P can give A a noisy version of his secret : proving it is enough to

pass is difficultPrevious solutions :

I FO, SPADE : BackdoorI SKI, DBopt : Leakage schemeI Proprox : Extractor

Additionally, it helped with anonymity

Combining TF resistance and anonymity

I Challenging (with a revocation mechanism)I Metro access system

I Anonymity for location privacyI DF/DH/TF resistance to prevent access sublettingI MF for obvious reasons

TREAD : Design

Prover P Verifier VAgree on r0,r1←−−−−−−−−−−−→for i = 0 to n

Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock

rcii−−−−−−−−−−−−→ Stop clockstore ∆ti

Everything is in the setting of r0 and r1(Usually PRF)

One problem : PRF programming

I PRF securiy : PRFX (input) ≡ random if x random and hiddenI 6= unpredictible if the key is known : Encx (input) is a PRFI DF : PRFX (NP,NV ) =

I Cste if NP = H(X)I fx (NP, NV ) otherwise

is a PRFI Not safe if combined with the key eitherI MF : PRFX (NP,NV , a) =

I X if a = fX (NP, NV ) ⊕ XI fx (NP, NV , a) otherwise

is a PRFLet’s remove the PRF !

How to pick the response vectors

I ∀i , r0i = r1i : DF, MFI ∀i , r0i 6= r1i : DF, MFI ∀i , r1i = r0i ⊕ Xi : TF, MF

Solution : P pick a, b, V picks m, r0 = a, r1 = b ⊕mP authenticates a, b with a signature S and an encryption scheme E

TREAD...almost

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

a||b $← {0, 1}2·nσp = S.sigsk(a||b)

e = E.encek(a||b||σp)e−−−−−−−−−−−−→ (a||b||σp) = E.decdk(e)

if S.vervk(σp , a||b||idprv(P)) = 0then abort

m←−−−−−−−−−−−− m $← {0, 1}n

r0 = a, r1 = b ⊕mfor i = 0 to n

Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock

rcii−−−−−−−−−−−−→ Stop clockstore ∆ti

TREAD with identities

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)if S.vervk(σp , a||b||idprv(P)) = 0then abort

m←−−−−−−−−−−−− m $← {0, 1}n

r0 = a, r1 = b ⊕mfor i = 0 to n

Pick ci ∈ {0, 1}ci←−−−−−−−−−−−− Start clock

rcii−−−−−−−−−−−−→ Stop clockstore ∆ti

Security of TREAD

If E is a CCA-2 secure encryption scheme, and S is unforgeable, thenTREAD is

I DF/DH resistant, and PrDF = ( 34 )n

I MF resistant, and PrMF = ( 34 )n + negl . (signature+encryption)

I And SimTF ResistantProofs in the DFKO (Dürholz, Fischlin, Kasper, Onete) model

The DFKO model

I Session based (P-V, P-A, A-V)I A strictly increasing clock marker(sid ,m) per sessionI A quantified in terms of t, qobs , qP , qVI Notion of tainted sessionI A wins if he is accepted in an untainted session

DFKO : DF/DH

A malicious, far away prover P∗ tries to be accepted by V , possibly inthe presence of honest provers near the verifier.

I CommitTo(ri) ≡ send in advanceI Prompt(ri) ≡ use P’s responseI In practice, two dummy sessions

A session is tainted if during the time critical partI P∗ does not either commit or prompt for one roundI P∗ changes his response after receiving the challenge

P∗ wins if ∃pid such thatI pid is not taintedI P∗ is accepted in pid

TREAD : DH resistance

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)r0 = a, r1 = b ⊕m

I r0i 6= r1i for half the rounds due to mI commit correct with probability 34 for each roundI For DH-like attacks :I Pr

[rP∗i = rPi

]= 12

The best strategy is to guess ri in advance

DFKO : MF

A is between a far away P and VA session is tainted if A performs pure relaying during the time criticalphase, ie :P c

′i←− A ci←− V

P ri−→ A r′i−→ V

I ci = c ′iI ri = r ′iI A receives ci before sending c ′iI A receives ri before sending r ′iA wins if ∃pid such that

I pid is not taintedI P is accepted in pid

A can perform impure relaying(equivalent to the learning phase of BMV)

TREAD : MF resistance

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)r0 = a, r1 = b ⊕m

I r0i 6= r1i for half the rounds due to mI a, b protected by EI A cannot forge eI a, b are never reused, A only learns the responses for one set of

challenges (or slightly more)

DFKO : SimTF

P∗ helps A, the protocol is resistant if after one success, a simulator withthe view of A Prsim can pass with probability at least PrA.A session is tainted if A and P∗ communicate at all during the timecritical phase.Other notions :

I GameTF : Prsim ≥ PrMF

I strSimTF : like simTF, but A and P∗ can communicate during thetime critical phase

TREAD : TF resistance

Counter intuitiveI Combining r0 and r1 gives no keyI No full secret vector recoveryI No backdoor/extractor/leakage scheme

Key idea : A can replay eRewind A and make him play again

ReplayWith the prover

P A Vh1−−−→

e−−−→m←−−− m←−−−

h2(m)−−−→ci←−−−

rcii−−−→

Later, with a challengerCP A = sim CV V

h1−−−→e−−−→ e−−−→

m←−−− m←−−−m2←−−−

h2(m)−−−→ci←−−− ci←−−−

rcii−−−→rcii ⊕((mi⊕m2 i )·ci )−−−−−−−−−−−→

No extraction

I No assumptions on h1 or h2(m)I No assumption on how much bits A knowsI If A wins once, he can replay the same game and win againI But : proof more difficult if no SimTF

Some instances : symmetric

E : Symmetric encryption, S : Mac, idpub=PProver P Verifier V

ek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)

I No anonymity, no privacyI Lightweight

Some instances : public key

E : Public key encryption, idpub=∅, idpriv=PProver P Verifier V

ek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)

I Privacy vs eavesdroppersI Requires public key

Some instances : group signature

E : Public key encryption, S : Group signature, idpub=∅,idpriv=GroupID

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)

I Privacy vs eavesdroppersI Anonymous wrt verifiersI Requires group signatures

e can be precomputed

Other options

Prover P Verifier Vek : encryption key dk : decryption keysk : signature key vk : verification key

idpub(P) : public identityidprv(P) : private identity

a||b $← {0, 1}2·nσp = S.sigsk(a||b||idprv(P))

e = E.encek(a||b||idprv(P)||σp)e||idpub(P)

−−−−−−−−−−−−→ (a||b||idprv(P)||σp) = E.decdk(e)

I More lightweight : E : Symmetric encryption, S : MAC, idpub=∅,idpriv=P

I Identity based encryptionI idpub=group, idpriv=identityI Any combination, as long as E is CCA2-secure and S is unforgeable.

e can be precomputed

The anonymous version

I Anonymity directly comes from the group signatureI We extend the model to perform the proofsI Join, corrupt, revoke...

A note on recent attacks

Distance-Bounding Protocols : Verification without Time andLocation

andSjouke Mauw, Zach Smith, Jorge Toro-Pozo, Rolando Trujillo-Rasua

Proving physical proximity using symbolic modelsAlexandre Debant, Stéphanie Delaune, Cyrille Wiedling

I Multible, possibly dishonest verifiersI Not possible in our model, but still very relevantI V ∗ deciphers e, and gets a, b, σp = S.sigsk(a||b)I V ∗ can use a, b, σp = S.sigsk(a||b) with another verifier and

impersonate P

Possible solutions

I Authenticating the verifier (eg certificate)I Setting σp = S.sigsk(a, b,V ) and e = E.encek(a, b,V , idprv(P), σp)I But then TF resistance only for one verfiierI (needs to be verified)

Thank you for your attention !

Questions ?