Philip Soos Written Off Negative Gearing Presentation Oct 2012
Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2...
Transcript of Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2...
![Page 1: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/1.jpg)
Privacy-preserving Security Protocols for RFIDsThesis defense
Mate Soos
INRIA Rhone-Alpes
6th of October 2009
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 1 / 55
![Page 2: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/2.jpg)
Table of Contents
1 Context
2 Ad-hoc protocols
3 Stream ciphers in RFIDs
4 Conclusions
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 2 / 55
![Page 3: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/3.jpg)
Outline
1 ContextRFID hardwareThe privacy problemAuthentication in RFIDs
2 Ad-hoc protocolsProbIPEProbIP
3 Stream ciphers in RFIDsAnalysing stream ciphers with SAT solversAdapting SAT solvers to stream ciphersAdapting stream cipher representation to SAT solversAttacks
4 Conclusions
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 3 / 55
![Page 4: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/4.jpg)
What is an RFID?
An EPC RFID tag is:Small electronic device toidentify items
Projected to be on all items sold
Cheap and disposable
Used in the supply chain totrack goods
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 4 / 55
![Page 5: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/5.jpg)
RFID classification methods
By standards
ISO 18000-*, 14443, 15693
EPCglobal
NFC
By frequencies
Low Frequency (LF): 125/134.2 KHz
High Frequency (HF): 13.56MHz (ISM)
Ultra-HF (UHF): 856-930MHz
Microwave Frequency: 2.4 GHz (ISM)
By power source
Passive
Semi-passive
Active
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 5 / 55
![Page 6: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/6.jpg)
The privacy problem
Causes
RFIDs emit their ID to any query
Their owners are easy to track
Long read range, no line-of-sight
Non human-detectable reader signal
Unique ID
EPC protocol
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 6 / 55
![Page 7: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/7.jpg)
Solutions to the privacy problem
Physical layer-based
Put the tag in a Faraday cage (ex.: mesh wallet)
Kill the tag (ex.: EPC)
Blocker tag, RFID Guardian
Noisy tag
Noisy reader
Protocol layer-based
Pseudonym-rotation
Hash-based (ex.: OSK)
Keytree-based
Ad-hoc primitives (ex. ProbIP)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 7 / 55
![Page 8: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/8.jpg)
Kill the tag
How it works
1 Give the tag a tag-specific 32-bit PIN code
2 The tag self-destructs
Advantages
Easy to implement
Once killed, cannot be re-awakened
Disadvantages
Loose many of RFIDs’ advantages, e.g.:
Automatic washing-machine
Automatic recognition of items in the fridge
Returning to shops defective items without receipts
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 8 / 55
![Page 9: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/9.jpg)
Noisy tag
How it works
1 Generates pseudo-random noise on the channel
2 Sends reader the noise seed
3 Reader subtracts the noise and recovers the data
Advantages
Simple to implement, should be cheap
Perfect secrecy of data
Multiple noisy tags enhance security
Disadvantages
Random noise needs to be known by the reader
Needs to be worn all the time
Implementation possibility has been questioned
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 9 / 55
![Page 10: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/10.jpg)
Key-trees
Setup
Tags are leaves of a multi-level tree
Tag identifies itself with a key for each level
Reader brute-forces each level
This is nlognp speed, where n is depth, p is pop. size
ExampleRoot
Keys:{Ø}
Tags using k1
Keys:{k1}
Leaf
Keys:{k1, k1,1}
T1,1
Leaf
Keys:{k1, k1,2}
T1,2
Tags using k2
Keys:{k2}
Leaf
Keys:{k2, k2,1}
T2,1
Leaf
Keys:{k2, k2,2}
T2,2
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 10 / 55
![Page 11: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/11.jpg)
Key-trees
Setup
Tags are leaves of a multi-level tree
Tag identifies itself with a key for each level
Reader brute-forces each level
This is nlognp speed, where n is depth, p is pop. size
ExampleRoot
Keys:{Ø}
Tags using k1
Keys:{k1}
Leaf
Keys:{k1, k1,1}
T1,1
Leaf
Keys:{k1, k1,2}
T1,2
Tags using k2
Keys:{k2}
Leaf
Keys:{k2, k2,1}
T2,1
Leaf
Keys:{k2, k2,2}
T2,2
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 10 / 55
![Page 12: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/12.jpg)
Key-trees
Advantages
Good privacy
Fast (log-time identification)
Extensively researched
Disadvantages
Anonymity loss if tags are opened
Needs cryptographic function
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 11 / 55
![Page 13: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/13.jpg)
Authentication in RFIDs
What it is
Used to verify that other party is who he claims to be
Achieved through demonstration that secret is known
Why it is needed
Against counterfeiting (e.g. medicines)
Receiptless guarantee repairs
Solutions
Challenge-response protocol using lightweightcrypto-primitives (e.g. Grain)
Physically Unclonable Functions (PUF)
Rabin cryptosystem-based protocols
LPN-based protocols (e.g. HB#)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 12 / 55
![Page 14: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/14.jpg)
Topic of the Thesis
RFIDs cannot use standard protocols
Privacy protection
Authentication service
RFIDs require
Novel RFID protocols or crypto-primitives
Analysis of these novel protocols for their security
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 13 / 55
![Page 15: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/15.jpg)
Outline
1 ContextRFID hardwareThe privacy problemAuthentication in RFIDs
2 Ad-hoc protocolsProbIPEProbIP
3 Stream ciphers in RFIDsAnalysing stream ciphers with SAT solversAdapting SAT solvers to stream ciphersAdapting stream cipher representation to SAT solversAttacks
4 Conclusions
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 14 / 55
![Page 16: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/16.jpg)
Ad-hoc protocols — Motivations
Standard ciphers seem not well-adapted to RFIDs
By designing a protocol from scratch, it could better fit RFIDconstraints
Could find potentially unexplored areas, and exploit them
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 15 / 55
![Page 17: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/17.jpg)
ProbIP scheme
Public: keysize K, no. packets sent
Reader R Tag TiDatabase L: Secret key: ki
{. . . , (ki, ID),. . . }
HELLO −→generate P packets
<a1, b1>,. . .,<aL, bL>s.t. aj ∈r [1,K], bj ∈r {0, 1}∑L
j=1
[ki[aj ]⊕ bj
]= L/2
←− generated packets
find (ki, ID) ∈ Ls.t. packets fit∑L
j=1
[ki[aj ]⊕ bj
]= L/2
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 16 / 55
![Page 18: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/18.jpg)
Breaking ProbIP
Ouafi et al. have broken the security of ProbIP.Packets are represented as
L∑i=1
v1i (K[i]⊕ b1i ) = L/2
L∑i=1
v2i (K[i]⊕ b2i ) = L/2
...
L∑i=1
vli(K[i]⊕ bli) = L/2
l — no of packets gathered by the attacker
v – indicator function of given key bit is in the packet
Resulting matrix is solved with Gaussian elimination, in poly-timeMate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 17 / 55
![Page 19: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/19.jpg)
Error-introducing ProbIP
EProbIP is a extension to the original ProbIP protocol:
Tags sometimes send erroneous packets
Reader knows the possible key, so it can filter them
Attacker cannot distinguish between packets
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 18 / 55
![Page 20: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/20.jpg)
EProbIP — security evaluation
Setup:
1 Generate keys (k1, . . . , kn) uniquely and randomly with GenKey
2 Initialise R with keys (k1, . . . , kn)
3 Set each Ti’s key ki with a SetKey call
Phase 1 (Learning):
4 Let A do xA TagInit calls with TA and records received packets into XA
5 Let A do xB TagInit calls with TB and records received packets into XB
Phase 2 (Challenge):
6 TCr← {TA, TB}
7 A performs xC TagInit calls with TC and records received packets into XC
8 A performs calculations on the recorded packets to guess TC?= TA
Experiment succeeds if A guessed TC correctly
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 19 / 55
![Page 21: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/21.jpg)
How can the attacker win the privacy exp.?
Possible methods
1 Find a key that fits most packets — using a MaxSAT solver
2 Use a tailor-made approach using out that the error rate is low
1) Using MaxSAT solvers
Solves for any error rate
Can work on a small amount of packets
Does not benefit from more packets
2) Using strategy adapted to low error rate
Needs a large amount of packets to work
Can benefit from low error rate
Benefits from more packets
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 20 / 55
![Page 22: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/22.jpg)
How can the attacker win the privacy exp.?
Possible methods
1 Find a key that fits most packets — using a MaxSAT solver
2 Use a tailor-made approach using out that the error rate is low
1) Using MaxSAT solvers
Solves for any error rate
Can work on a small amount of packets
Does not benefit from more packets
2) Using strategy adapted to low error rate
Needs a large amount of packets to work
Can benefit from low error rate
Benefits from more packets
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 20 / 55
![Page 23: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/23.jpg)
How can the attacker win the privacy exp.?
Possible methods
1 Find a key that fits most packets — using a MaxSAT solver
2 Use a tailor-made approach using out that the error rate is low
1) Using MaxSAT solvers
Solves for any error rate
Can work on a small amount of packets
Does not benefit from more packets
2) Using strategy adapted to low error rate
Needs a large amount of packets to work
Can benefit from low error rate
Benefits from more packets
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 20 / 55
![Page 24: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/24.jpg)
Strategy adapted to low error-rate
Input: packets XA ∪XC
Output: TA = TC or TA 6= TC
Pick a set of k most prevalent key bits;1
foreach combination of true-false for the picked bits do2
picked key bits ← selected combination;3
while enough packets indicate: key bit must be set to a value do4
key bit ← value indicated;5
end6
if all key bits are set and the satisfied portion of packets is about7
1− err thenreturn TA = TC ;8
end9
end10
return TA 6= TC ;11
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 21 / 55
![Page 25: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/25.jpg)
Implementation: in MiniSat
Modified MiniSat such that:
Inferences are made based on multiple packets
X number of packets needed to make an inference
The X the larger, the more ’robust’ the solving
But more information will be lost
i.e. more packets → faster solving
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 22 / 55
![Page 26: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/26.jpg)
Security rating results
11e+201e+401e+601e+80
1e+1001e+1201e+1401e+1601e+1801e+200
1 10 100 1000 10000 100000
Tim
e(s
)
No. identification sessions
K=200K=400
K=1000
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 23 / 55
![Page 27: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/27.jpg)
Ad-hoc protocols — What have we learnt
Ad-hoc primitives need multiple cycles of design&analysis
Difficult to evaluate the security of the resulting schemes
Can take many years to develop a robust ad-hoc protocol
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 24 / 55
![Page 28: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/28.jpg)
Outline
1 ContextRFID hardwareThe privacy problemAuthentication in RFIDs
2 Ad-hoc protocolsProbIPEProbIP
3 Stream ciphers in RFIDsAnalysing stream ciphers with SAT solversAdapting SAT solvers to stream ciphersAdapting stream cipher representation to SAT solversAttacks
4 Conclusions
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 25 / 55
![Page 29: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/29.jpg)
Stream ciphers in RFIDs
Motivations
We have seen that ad-hoc protocols are notoriously un-robust
Stream ciphers could be adapted to RFIDs — eSTREAM project
Analysis of hardware-oriented stream ciphers is possible with SATsolvers
Contributions
Adapt the SAT solver to the environment of cryptography
Adapt the stream cipher’s representation to SAT solvers
Solve a number of ciphers
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 26 / 55
![Page 30: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/30.jpg)
What is a SAT solver
Solves a problem in CNF
CNF is an “and of or-s”
¬x1 ∨ ¬x3 ¬x2 ∨ x3 x1 ∨ x2
Uses DPLL(ϕ) algorithm
1 If formula ϕ is trivial, return SAT/UNSAT
2 Picks a variable v to branch on
3 v ← value
4 Simplifies formula to ϕ′ and calls DPLL(ϕ′)
5 if SAT, output SAT
6 if UNSAT, v ← opposite value
7 Simplifies formula to ϕ′′ and calls DPLL(ϕ′′)
8 if SAT, output SAT
9 if UNSAT, output UNSAT
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 27 / 55
![Page 31: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/31.jpg)
Problem with XOR-s
The trutha⊕ b⊕ c
must be put into the solver as
a ∨ b ∨ c (1) a ∨ b ∨ c (2)a ∨ b ∨ c (3) a ∨ b ∨ c (4)
So, straightforward conversion takes 2n−1 clauses to model an n-long XOR
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 28 / 55
![Page 32: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/32.jpg)
Solution until now
Example
x1 ⊕ x2 ⊕ x3 ⊕ x4⊕x5 ⊕ x6 ⊕ x7 ⊕ x8 ⊕ x9
Modelled in CNF:
¬i1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4
¬i2 ⊕ x5 ⊕ x6 ⊕ x7 ⊕ x8 ⊕ x9
i1 ⊕ i2
Problems
Still very long to model
Needs extra vars
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 29 / 55
![Page 33: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/33.jpg)
Solution until now
Example
x1 ⊕ x2 ⊕ x3⊕x4 ⊕ x5 ⊕ x6⊕x7 ⊕ x8 ⊕ x9
Modelled in CNF:
¬i1 ⊕ x1 ⊕ x2 ⊕ x3
¬i2 ⊕ x4 ⊕ x5 ⊕ x6
¬i3 ⊕ x7 ⊕ x8 ⊕ x9
i1 ⊕ i2 ⊕ i3
Problems
Still very long to model
Needs extra vars
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 29 / 55
![Page 34: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/34.jpg)
Solution to XOR: xor-clause
Example
a⊕ b⊕ c
Represents regular clauses
a ∨ ¬b ∨ ¬c (1) ¬a ∨ ¬b ∨ c (2)a ∨ b ∨ c (3) ¬a ∨ b ∨ ¬c (4)
changes appearance to match the situation
Example set-up
a = true b = true c = false
⇒ ¬a ∨ ¬b ∨ c
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 30 / 55
![Page 35: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/35.jpg)
Solution to XOR: xor-clause
Example
a⊕ b⊕ c
Represents regular clauses
a ∨ ¬b ∨ ¬c (1) ¬a ∨ ¬b ∨ c (2)a ∨ b ∨ c (3) ¬a ∨ b ∨ ¬c (4)
changes appearance to match the situation
Results
2.2x speed
Order of magnitude savings in memory
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 30 / 55
![Page 36: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/36.jpg)
Solution to XOR: xor-clause
Example
a⊕ b⊕ c
Represents regular clauses
a ∨ ¬b ∨ ¬c (1) ¬a ∨ ¬b ∨ c (2)a ∨ b ∨ c (3) ¬a ∨ b ∨ ¬c (4)
changes appearance to match the situation
Challenges overcome
MiniSat is complex, we needed to completely understand it
Design choices were difficult: e.g. we use special memory alloc. tomaximise cache-hit
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 30 / 55
![Page 37: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/37.jpg)
Dynamic behaviour analysis
Example search tree VisualisedGuesses
Propagations
Generated learntclauses
Clause group causingthe propagation
Calculated statsAverage depth
Most conflicted clauses
No. of guess/branch
Most guessed vars
Most propagated vars
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 31 / 55
![Page 38: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/38.jpg)
Statistics generated
Further stats
Learnt clause size distribution
Branch length distribution
Ex. learnt clause distribution
010002000300040005000
No.
ofcl
ause
s
Learnt clause size
010002000300040005000
0 20 40 60 80 100 120 140 160 180
No.
ofcl
ause
s
Grain — 0 given bits
Grain — 60 given bits
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 32 / 55
![Page 39: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/39.jpg)
Gaussian elimination
Reasoning
Gaussian elimination is efficient for solving systems of linear equations
xor-clause is a linear equation → use Gauss elim. to solve them
Implementation
A-matrix
v10 v8 v9 v12 aug1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
N-matrix
v10 v8 v9 v12 aug1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 33 / 55
![Page 40: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/40.jpg)
Gaussian elimination
Reasoning
Gaussian elimination is efficient for solving systems of linear equations
xor-clause is a linear equation → use Gauss elim. to solve them
Implementation
A-matrixwith v8 assigned to true
v10 v8 v9 v12 aug1 − 1 1 10 − 1 1 10 − 0 1 00 − 0 0 0
N-matrix
v10 v8 v9 v12 aug1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 33 / 55
![Page 41: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/41.jpg)
Gaussian elimination
Reasoning
Gaussian elimination is efficient for solving systems of linear equations
xor-clause is a linear equation → use Gauss elim. to solve them
Implementation
A-matrixwith v8 assigned to true
v10 v8 v9 v12 aug1 − 1 1 10 − 1 1 10 − 0 1 00 − 0 0 0
N-matrix
v10 v8 v9 v12 aug1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
Resulting xor-clause:
v8⊕ v12
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 33 / 55
![Page 42: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/42.jpg)
Gaussian elimination
Reasoning
Gaussian elimination is efficient for solving systems of linear equations
xor-clause is a linear equation → use Gauss elim. to solve them
Implementation
A-matrixwith v8 assigned to true
v10 v8 v9 v12 aug1 − 1 1 10 − 1 1 10 − 0 1 00 − 0 0 0
N-matrix
v10 v8 v9 v12 aug1 1 1 1 00 0 1 1 10 1 0 1 10 1 0 0 1
Resulting xor-clause:
v12 = false ← v8⊕ v12
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 33 / 55
![Page 43: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/43.jpg)
Gaussian elimination results
300600900
12001500
0 3 6 9 12 15 18
Tim
e(s)
Gaussian elimination until depth
04e+088e+08
1.2e+091.6e+09
0 3 6 9 12 15 18
No.
ofpr
opag
atio
ns
(∼se
arch
spac
e)
Gaussian elimination until depth
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 34 / 55
![Page 44: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/44.jpg)
Gaussian elimination results
No.help bits
Gaussian elimination active until level
Inactive 2 3
Crypto-1 12 27.0 s 25.8 s(4%) 26.5 s(2%)HiTag2 18 34.8 s 33.9 s(3%) 29.5 s(15%)Bivium B 60 174.0 s 165.1 s(5%) 171.1 s(2%)
Highlights
Search space reduced by up to 87%
Speedup between 0-15%
A mix of linear and non-linear methods
Adds possibility to add other algebraic tools → potentially majorspeedup
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 35 / 55
![Page 45: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/45.jpg)
Logical circuit representation
Example
Legend
Variables → boxes
Functions → hexagons
Complexity measures
Depth of keystream bit
Dependency no.: state ↔ keystream
Difficulty of functions: representation
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 36 / 55
![Page 46: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/46.jpg)
Logical circuit representation
Example
Legend
Variables → boxes
Functions → hexagons
Complexity measures
Depth of keystream bit
Dependency no.: state ↔ keystream
Difficulty of functions: representation
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 36 / 55
![Page 47: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/47.jpg)
Dependency graph generator
Example HiTag2 logical circuit
Usage
Calculate mentioned statistics
Visual clue
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 37 / 55
![Page 48: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/48.jpg)
Dependency graph generator
Example HiTag2 logical circuit
Usage
Calculate mentioned statistics
Visual clue
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 37 / 55
![Page 49: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/49.jpg)
Optimising representation of non-linear functions
Example GF(2) polynomial
x1 + x1x2 + x2x3 + x1x3
Usual representation
x1 + i1 + i2 + i3
No. of clauses: 3× 3 regular+ 1 xor-clause∑
clause length: 31
2 extra variables
Karnaugh-table representation
¬x1 ∨ ¬x3 ¬x2 ∨ x3 x1 ∨ x2
No. of clauses: 3 regular
∑clause length: 6
No extra variables
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 38 / 55
![Page 50: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/50.jpg)
Crypto-1
Background
Used for micropayment in public transport
Best SAT solver-based attack : 200 s to solve on avg.
Best non-SAT solver-based attack: 0.1 s through algebraic attack
Our techniques
0.01
0.1
1
10
100
0 2 4 6 8 10
Tim
e(s
)
No. of randomly guessed bits
Find its secret state in approx. 40 s
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 39 / 55
![Page 51: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/51.jpg)
Bivium B
Background
Simplified version of Trivium eSTREAM candidate
Best SAT solver-based attack against it takes 243 s
Non-SAT solver-based attack: 264.5 s
Our techniques
100
1000
10000
100000
1e+06
40 42 44 46 48 50 52 54 56
Tim
e(s
)
No. of randomly guessed bits
Find its secret state in approx. 236.5 sMate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 40 / 55
![Page 52: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/52.jpg)
Stream ciphers in RFIDs — What we have learnt
SAT solvers are useful to study hardware-oriented stream ciphers
Best results are achieved by adapting both solvers to ciphers andcipher’s representation to solvers
Such a system is able to break certain ciphers
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 41 / 55
![Page 53: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/53.jpg)
Outline
1 ContextRFID hardwareThe privacy problemAuthentication in RFIDs
2 Ad-hoc protocolsProbIPEProbIP
3 Stream ciphers in RFIDsAnalysing stream ciphers with SAT solversAdapting SAT solvers to stream ciphersAdapting stream cipher representation to SAT solversAttacks
4 Conclusions
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 42 / 55
![Page 54: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/54.jpg)
Contributions of the Thesis
Contributions
Created an in-depth state of the art
Conceived two ad-hoc protocols, ProbIP [1] and EProbIP
Analysed the Di Pietro-Molva ad-hoc protocol [2]
Improved SAT solver-based cryptographic attacks [3,4]
References
1 “Secret Shuffling: A Novel Approach to RFID Private Identification” byCastelluccia and Soos, RFIDSec’07
2 “Analysing the Molva and Di Pietro Private RFID Authentication Scheme”by Soos, RFIDSec’08
3 “Solving Low-Complexity Ciphers with Optimized SAT solvers” by Nohland Soos, EUROCRYPT’09 (poster)
4 “Extending SAT Solvers to Cryptographic Problems” by Soos,Castelluccia and Nohl, SAT’09
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 43 / 55
![Page 55: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/55.jpg)
Conclusions
RFID hardware is unnatural to optimise for
Ad-hoc protocols are notoriously fragile, but could be a solutionin the long run
For immediate use, standard crypto-primitives optimised forRFIDs (e.g. HW-oriented stream ciphers) are more suited
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 44 / 55
![Page 56: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/56.jpg)
Future work
Post-Doc in the SALSA team of INRIA
Distributed SAT solving
Iterative SAT solving
Mix of SAT solving and algebraic techniques
RFID-AP ANR project
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 45 / 55
![Page 57: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/57.jpg)
Thank you for your time
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 46 / 55
![Page 58: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/58.jpg)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 47 / 55
![Page 59: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/59.jpg)
Di Pietro-Molva scheme
The Di-Pietro Molva scheme works as follows:
1 Tag generates nonces r1 . . . r22 Tag sends αp = rp ⊕ k3 Tag sends V [p] = DPM(rp)4 Reader computes DPM(αp ⊕ k) = V ′[p] for all k — the one that fits
is the tag
5 Once tag is identified, authentication takes place
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 48 / 55
![Page 60: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/60.jpg)
Found shortcomings
Problems found in the scheme (published as):
Does not scale — finding tag is linear in population size
Due to func. DPM , there are 22|k|/3 key-equivalence classes (i.e.identification is bad)
(αp, V [p]) pairs do not always contain enough information (pairs arenot independent)
DPM is not secure, each protocol run reveals 1 bit of secret key
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 49 / 55
![Page 61: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/61.jpg)
Research results until now
“Attacking Bivium with MiniSat” by (McDonald et al.)
“Attacking Bivium Using SAT Solvers” by (Eibach et al.)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 50 / 55
![Page 62: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/62.jpg)
Research results until now
We introduce more randomness
Reference state bits to assign are picked randomly
The picked bits are assigned randomly true or false
Clauses are randomly permutated inside MiniSat
MiniSat’s internal seed (used to randomly explore the search space) isset randomly
MiniSat’s random number generator has been replaced
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 51 / 55
![Page 63: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/63.jpg)
LPN-based
How it works (ex. Random-HB#)
Reader R Tag TiSecrets X,Y Secrets X,Y
ν ∈R {{0, 1}m|Prob.(νi = 1) = η for 1 ≤ i ≤ m}
Choose b ∈R {0, 1}kYb←−
Choose a ∈R {a, 1}kX−→ a
Let z = a · C ⊕ b · Y ⊕ νz←−
CheckHwt(a ·X ⊕ b · Y ⊕ z) ≤ um
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 52 / 55
![Page 64: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/64.jpg)
HB# cont.
Advantages
Simple to implement: needs XOR, random number generator
Protocol is well-analysed by its authors
Disadvantages
Transferred data is large (→ slow)
LPN problem quite unresearched, new research is pushing up secureparameter sizes
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 53 / 55
![Page 65: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/65.jpg)
Example protocol No. 1
Reader Rj Tag TiGenerate nonce IV1
−→ IV1
Generate nonce IV2
and calculateσ = ID ⊕ cipher(k, IV1 ⊕ IV2)
←− IV2, σfind (k, ID) ∈ L s.t.ID = σ ⊕ cipher(k,IV1 ⊕ IV2)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 54 / 55
![Page 66: Privacy-preserving Security Protocols for RFIDs - Thesis ... · Table of Contents 1 Context 2 Ad-hoc protocols 3 Stream ciphers in RFIDs 4 Conclusions Mate Soos (INRIA Rh^one-Alpes)](https://reader033.fdocuments.in/reader033/viewer/2022060316/5f0c33ba7e708231d4343e53/html5/thumbnails/66.jpg)
Example protocol No. 2
Reader Rj Tag Ti
Generate nonce IV1−→ IV1
Generate nonce IV2 andcalculateM = cipher(IV1, IV2)σ = ID ⊕ cipher(k,M)
←− IV2, σcalculateM = cipher(IV1, IV2)
find (k, ID) ∈ L s.t.ID = σ ⊕ cipher(k,M)
optional — only for mutual authentication
calculateτ = ID ⊕ cipher(k,M ⊕ 1)
−→ τ
check τ?= ID ⊕ cipher(k,M ⊕ 1)
Mate Soos (INRIA Rhone-Alpes) Thesis defense 6th of October 2009 55 / 55