Algebraic Attacks on linear RFID Authentication Protocols

Similar documents
Performance Evaluation of an Advanced Man-in-the-Middle Attack Against Certain HB Authentication Protocols

Practical Attacks on HB and HB+ Protocols

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Lecture 10: Zero-Knowledge Proofs

Cryptanalysis of the Algebraic Eraser

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Question: Total Points: Score:

Using semidirect product of (semi)groups in public key cryptography

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Notes 10: Public-key cryptography

Zero-Knowledge Proofs and Protocols

On the Simulatability Condition in Key Generation Over a Non-authenticated Public Channel

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Colored Burau Matrices, E-multiplication, and the Algebraic Eraser Key Agreement Protocol

Quantum key distribution for the lazy and careless

Cryptography and Security Final Exam

1 Number Theory Basics

Lecture 15: Privacy Amplification against Active Attackers

Advanced Cryptography Quantum Algorithms Christophe Petit

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

MATH UN Midterm 2 November 10, 2016 (75 minutes)

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

Pruning and Extending the HB + Family Tree

Lecture 17: Constructions of Public-Key Encryption

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

Pseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Cryptography and Security Final Exam

On The Hardness of Approximate and Exact (Bichromatic) Maximum Inner Product. Lijie Chen (Massachusetts Institute of Technology)

Universal Blind Quantum Computing

Message Authentication Codes (MACs)

Public-Key Identification Schemes based on Multivariate Quadratic Polynomials

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Lecture 1: Introduction to Public key cryptography

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

CPSC 467b: Cryptography and Computer Security

Leftovers from Lecture 3

Zero-Knowledge Against Quantum Attacks

Lecture 4: Postulates of quantum mechanics

CS/Ph120 Homework 8 Solutions

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

An Identification Scheme Based on KEA1 Assumption

Hybrid Approach : a Tool for Multivariate Cryptography

HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction

Noisy Diffie-Hellman protocols

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Algebraic Attacks on Human Identification Protocols

Cryptography and Security Final Exam

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

+ = OTP + QKD = QC. ψ = a. OTP One-Time Pad QKD Quantum Key Distribution QC Quantum Cryptography. θ = 135 o state 1

Prevention of Exponential Equivalence in Simple Password Exponential Key Exchange (SPEKE)

14 Diffie-Hellman Key Agreement

Secret sharing schemes

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Lecture Notes 20: Zero-Knowledge Proofs

Structural Cryptanalysis of SASAS

TROPICAL CRYPTOGRAPHY II: EXTENSIONS BY HOMOMORPHISMS

HIMMO. Oscar Garcia-Morchon, Ronald Rietman, Ludo Tolhuizen. July PHILIPS RESEARCH

Pre-Calculus Midterm Practice Test (Units 1 through 3)

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

A Polynomial Description of the Rijndael Advanced Encryption Standard

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Week 1 Factor & Remainder Past Paper Questions - SOLUTIONS

Ping Pong Protocol & Auto-compensation

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Authentication. Chapter Message Authentication

arxiv: v1 [cs.cr] 1 May 2012

Introducing a new variant of fast algberaic attacks and minimizing their successive data complexity

Topics in Complexity

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Minimum Number of Multiplications of U Hash Functions

Winter 2011 Josh Benaloh Brian LaMacchia

Public Key Authentication with One (Online) Single Addition

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Zero-Knowledge Proofs 1

Experimental Study of DIGIPASS GO3 and the Security of Authentication

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Cryptanalysis of the Anshel-Anshel-Goldfeld-Lemieux Key Agreement Protocol

Applications of Galois Geometries to Coding Theory and Cryptography

Multiparty Computation

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Introduction to Quantum Cryptography

MTH 1310, SUMMER 2012 DR. GRAHAM-SQUIRE. A rational expression is just a fraction involving polynomials, for example 3x2 2

On the Complexity of the Hybrid Approach on HFEv-

A New Framework for RFID Privacy

Non-Interactive Zero-Knowledge Proofs of Non-Membership

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Generation X and Y. 1. Experiment with the following function using your CAS (for instance try n = 0,1,2,3): 1 2 t + t2-1) n + 1 (

Cryptographical Security in the Quantum Random Oracle Model

Cryptology. Vilius Stakėnas autumn

Solutions to the Midterm Test (March 5, 2011)

THE CONJUGACY SEARCH PROBLEM IN PUBLIC KEY CRYPTOGRAPHY: UNNECESSARY AND INSUFFICIENT

CS120, Quantum Cryptography, Fall 2016

Lecture Notes, Week 10

Interactive protocols & zero-knowledge

RSA RSA public key cryptosystem

AN AUTHENTICATION SCHEME BASED ON THE TWISTED CONJUGACY PROBLEM

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Transcription:

Algebraic Attacks on linear RFID Authentication Protocols 1/14 Algebraic Attacks on linear RFID Authentication Protocols Matthias Krause and Dirk Stegemann University of Mannheim (Germany) 10th GI-Kryptotag March 20, 2009 Technische Universität Berlin, Germany

Algebraic Attacks on linear RFID Authentication Protocols 2/14 Challenge-Response Authentication Protocols Verifier Alice RFID reader accept if proof valid challenge response Prover Bob RFID tag compute proof A passive attacker collects a set O of observed challenge/response pairs cannot manipulate the communication tries to forge valid responses

Algebraic Attacks on linear RFID Authentication Protocols 3/14 Idea of Linear Authentication Protocols Prover and Verifier agree on L linear n-dim. subspaces of {0, 1} m. Verifier Alice RFID reader challenge Prover Bob RFID tag choose l R [L] accept if l {1,..., L} with w V l w R V l Problems: V 1 +... + V L too small responses w efficiently distinguishable from random values V 1 +... + V L too large Pr[successful faugery] too high

Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }.

Algebraic Attacks on linear RFID Authentication Protocols 4/14 Linear (n, k, L) Authentication Protocols Prover and Verifier agree on L lin. n-dim. subspaces of {0, 1} n+k. Observation: Any linear subspace V l {0, 1} n+k can be represented by a linear mapping f l : {0, 1} n {0, 1} k and a permutation σ l S n+k such that V l = {σ l (v f l (v)), v {0, 1} n }. Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n

Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n

Algebraic Attacks on linear RFID Authentication Protocols 5/14 Special Case: The CKK 2 Protocol proposed by Cichoń, Klonowski and Kuty lowski at Pervasive 2008 CKK 2 is a linear (n + k, k, 2) protocol with f 1 = f 2 = f f depends only on the first n inputs. σ 1 exchanges the last two k-bit blocks. σ 2 = id Verifier Alice RFID reader challenge w := σl(v fl(v)) for i := 1 to L (x y) := σ 1 l (w) if (y = fl(x)) accept reject Implications: V 1 = {(v a b) v {0, 1} n, a = f (v), b {0, 1} k } V 2 = {(v a b) v {0, 1} n, a {0, 1} k, b = f (v)} f (v) can be written as f (v) = c a (1 c) b with c {0, 1} = c(a b) b Prover Bob RFID tag choose l R [L], v R {0, 1} n

Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and

Algebraic Attacks on linear RFID Authentication Protocols 6/14 A polynomial Time Attack on CKK 2 Basic Idea Collect a set of responses O = {(v 1 a 1 b 1 ),..., (v m a m b m )}. Observations: Already for m slightly larger than n, {v 1,..., v m } contains a basis of {0, 1} n with high probability. With a basis {v 1,..., v n } of {0, 1} n, any v {0, 1} n can be written as v = d D v d with D {1,..., n}, and d D f (v) = c(a b) b f (v d ) = c(a b) b d D (c d (a d b d ) b d )) = c(a b) b d D (c d (a d b d )) c(a b) = d D b d b yields k equations in the unknowns c 1,..., c n, c.

Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,...

Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank.

Algebraic Attacks on linear RFID Authentication Protocols 7/14 A polynomial Time Attack on CKK 2 repeat Obtain a response (v a b). until a basis {v 1,..., v n } of {0, 1} n is found. Initialize a system of linear equations LES in c 1, c 2,... repeat Obtain a response (v a b) with v {v 1,..., v n }. Add the k equations given by (c d (a d b d )) c(a b) = b d b d D d D to LES. until LES has full rank. Compute the images of the basis vectors as f (v i ) = c i (a i b i ) b i for i {1,..., n}. Recover f w.r.t. the standard basis of {0, 1} n.

Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r.

Algebraic Attacks on linear RFID Authentication Protocols 8/14 Another polynomial Time Attack on CKK 2 Let f be defined by the component functions f r : {0, 1} n {0, 1}, r {1,..., k}, i.e., f (v) = (f 1 (v),..., f k (v)). Observation: If a response (v (a 1,..., a k ) (b 1,..., b k )) satisfies a r = b r for some r, then we know that f r (v) = a r = b r. Idea: Recover the component functions separately. for r {1,..., k} do repeat Obtain a response (v (a 1,..., a k ) (b 1,..., b k )) with a r = b r until a basis of {0, 1} n is found. Recover f r w.r.t. the standard basis. end for

Algebraic Attacks on linear RFID Authentication Protocols 9/14 Performance of the CKK 2 Attacks Main observations: The most costly operations are Gaussian eliminations. Rather few responses are needed to recover the secret function f A straightforward Magma implementation shows (n, k) #responses attack time first attack (128, 30) 140 0.05 s (1024, 256) 1039 2.95 s second attack (128, 30) 311 0.3 s (1024, 256) 2197 179 s (n, k) = (128, 30) was suggested for practical application. Don t use CKK 2 in practice.

Algebraic Attacks on linear RFID Authentication Protocols 10/14 Attacks on general (n, k, 2) Protocols Verifier Alice RFID reader challenge w := σ l (v f l (v)) for i := 1 to L (x y) := σ 1 l (w) if (y = f l (x)) accept reject Prover Bob RFID tag choose l R [L], v R {0, 1} n Problems of the general (n, k, 2) case: A single response σ 1 (v f 1 (v)) does not say anything about σ 2 (v f 2 (v)) and vice versa. The positions of dependent bits (=bits that belong to v) and independent bits (=bits that belong to f (v)) in a single response are unknown.

Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i.

Algebraic Attacks on linear RFID Authentication Protocols 11/14 First Step: Attack on linear (n, 1, 2) Protocols Assume that σ 1 = σ 2 = id and consider a set of responses O = {(v 1 w 1 ),..., (v m w m )} with w i {0, 1}. For x i := f 1 (v i ) and y i := f 2 (v i ) it holds that (w i x i )(w i y i ) = 0 for all i {1,..., n}, which leads to quadratic equations in the unknowns x i, y i. Observation: A symmetry-avoiding linearization allows to recover the secret functions f 1 and f 2 efficiently. Performance for n = 128: Approx. 8390 responses and 4 minutes of computation

Algebraic Attacks on linear RFID Authentication Protocols 12/14 Extension to linear (n, k, 2) Protocols Basic ideas: repeat Guess a dependent position w.r.t. V 1 and V 2 and apply the (n + k 1, 1, 2) attack. until (n + k 1, 1, 2) attack successful Use the result to distinguish responses from V 1 and V 2. Recover specifications for V 1 and V 2 from the respective responses. More details in M. Krause and D. Stegemann: Algebraic Attacks against Linear RFID Authentication Protocols, Workshop Record of the Dagstuhl Seminar on Symmetric Cryptogaphy, 2009.

Algebraic Attacks on linear RFID Authentication Protocols 13/14 Future Work How to extend the attack ideas to efficient attacks for L > 2? What about active attacks against linear (n, k, L) protocols? How do linear (n, k, L) protocols (and their security properties) relate to the HB family of authentication protocols?...

Algebraic Attacks on linear RFID Authentication Protocols 14/14 The End. krause@th.informatik.uni-mannheim.de dstegema@th.informatik.uni-mannheim.de

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback