The Compilers. Throughout this thesis, we introduced several techniques to achieve stronger from weaker security notions: these are the so-called compilers. The first compiler we present is the key update compiler, which takes as input a mafia, distance, and impersonation-secure weakly-private distance-bounding protocol (note that weak privacy is a basic requirement, where the adversary cannot corrupt provers), and outputs a distance-bounding protocol that still preserves the input protocol’s properties and furthermore achieves narrow-destructive privacy.
The key update compiler requires an additional essential condition: the key generated by the KGen algorithm should be pseudorandom. Note that the key generation algorithm is usually considered separately from the distance-bounding protocols themselves, i.e. no requirement is made of this algorithm in general. Once instantiated with a key generation algorithm that outputs pseudorandom keys, we note that most of the protocols in the distance-bounding literature fulfill in fact the conditions of the compiler, thus we can apply our results to enhance their weak privacy to narrow-destructive privacy.
Another compiler we present is an algorithm to turn a mafia fraud resistant protocol into a strong mafia fraud resistant protocol. Indeed, our results in Chapter 4 indicate that adding a final authentication phase, where the prover authenticates the transcript of the entire session, will in fact ensure that the adversary can only succeed in authenticating to a verifier — even in the presence of an aborting prover within proximity — with negligible probability. We show in fact that this transformation achieves strong mafia fraud resistance even if the underlying protocol is not resistant to key-learning attacks. We depict this in Figure 39, and briefly outline the main technical structure of the compilers below.
Figure 39: The compilers in this thesis, where the pyramid in the upper level denotes that the resulting protocol achieves privacy apart from the fundamental properties of distance-bounding schemes. In the lower part, (KLMF - Mafia) denotes the fact that the underlying protocol is not resistant to key-learning attacks, but resistant to all other types of mafia fraud.
Key Updates. The key update compiler is a modification of the narrow destructive-private protocol introduced by Vaude- nay [73]. There are a few modifications, however. In the protocol used by Vaudenay [73] (which is an authentication, and not a distance-bounding protocol), the verifier never updates state, whereas the prover always updates state (by running a pseudo-random function on the old state). To increase efficiency, we ensure that the verifier also updates state; however, in this context we must ensure that adversaries cannot cause a desynchronisation between the prover and verifier state (a Denial-of-Service – DoS – attack). We achieve this by ensuring that the prover always updates more often than the verifier, and the verifier “catches” up with the prover at the next authentication attempt. If the underlying protocol does not employ mutual authentication, it is possible to postpone all the verification steps for the distance-bounding phase until the final verification phase; however, for protocols using mutual authentication, the verifier must “catch up” with the prover state before the underlying distance-bounding protocol is run. This is done before the distance-bounding step, by an initial challenge-response lazy phase. Since the response is actually computed by using a pseudo-random function, we can merge this step with the initialisation lazy phases of the underlying protocol if these phases include a PRF-based computation.
strMF. Our strMF compiler adds a final lazy phase prover authentication to the protocol, where the prover sends the output of a PRF computed after the time-critical phases of the protocol are run. This prevents the adversary from taking over from an aborting prover once the prover goes offline, since in that case the adversary has to guess the last lazy-phase authentication response, which it can only do with negligible probability. This compiler also achieves strong mafia fraud resistance if the underlying protocol is not entirely mafia fraud resistant, but rather is vulnerable to key-learning attacks.
Location Privacy. Our main result from Chapter 6 is an impossibility result: we in fact show that location privacy cannot be attained by distance-bounding protocols, unless the parties employ very high delays. However, our proof of this statement also gives us a tool to achieve computational location privacy, if we are willing to use such exponential delays. In fact, the trick here is to ensure that the effective communication time is negligible compared to the delay: in this way we ensure that the adversary cannot guess (except with negligible probability) when the parties will communicate the non-bogus messages. This is a tool for achieving a degree of computational location-privacy that can be employed by distance-bounding protocols. A slight inconvenience is that our model in the location-privacy section is in fact not round- based, thus we cannot easily use these results as a compiler on round-based protocols, such as those outlined in Chapter 2. Intuitively, our results should extend to our original framework, which is round-based, but an interesting direction for future work would be to investigate how far our results extend to this setting.
Small and Handy Tricks. Throughout this document, we also introduce a few small tricks and techniques to either achieve or break several security notions. While not significant enough to count as a construction, these tricks can be handy, either towards achieving a security notion, or towards breaking them. We also show a few proof tricks, which we employ in our proofs throughout this thesis. Though we refer the reader to the main contents of the previous chapters, we also list some of these handy tricks below.
• Proving mafia fraud resistance. In Chapter 2 we formally prove the mafia fraud resistance of several distance- bounding protocols. Though the proofs are slightly different for each protocol, the general strategy goes as follows: (1) first we argue that, except with negligible probability, we can replace the response strings computed by the prover by random bit-strings each of length Nc; (2) then we argue that the nonce pairs are unique in a verifier-adversary
session, up to a single matching adversary-prover session; and (3) under these assumptions, we argue that the adversary’s winning probability is negligible. For the third step, we usually compute the bound recursively, i.e. we look at the probability that the adversary wins Nc− (i + 1) time-critical phases, given that it has already won the
first i time-critical phases. We usually analyse the effectiveness of four separate strategies: (i) the Go-Early strategy, which has already been outlined in section 7.1.2, where the adversary tries to guess the verifier’s challenge, querying the prover before being queried by the verifier (this ensures the phase is not tainted); (ii) the Go-Late strategy, where the adversary responds to the verifier before receiving the response from the prover (again, this bypasses relaying scheduling, thus the phase is not tainted); (iii) the Modify-It strategy, where the adversary flips the challenge received from the verifier, thus ensuring the phase is not tainted. This strategy is different from the Go-Early strategy: indeed, in the Go-Early strategy the adversary usually has a 1
2 probability that the adversary guesses the correct challenge;
by contrast, in the Modify-It strategy the adversary’s challenge is always different from the verifier’s challenge; (iv) the Taint-It strategy, where the adversary simply taints the phase and wins (this strategy can only be used in at most Tmax phases). A final step in the proof is to bound the success strategy by completing the recursive computation of
the success probability.
• Bypassing mafia fraud resistance. We use a handy trick in our separation of mafia fraud resistance from distance, terrorist, and impersonation security: we introduce a back door that enables an adversary to break mafia fraud resistance without affecting any other property. We do this by exploiting the definition of tainted phases in mafia fraud. Namely, we modify a protocol which is otherwise mafia fraud resistant such that the prover prepends a bit to its first lazy-phase message. An honest prover always prepends a 0 bit, while an adversary can prepend a 1 bit instead. If it receives a 1 bit, the verifier expects the conjugate bit of the correct response in each of the time-critical phases. This modified protocol is no longer mafia fraud resistant, since the adversary can now bypass the tainted- phase definition and flip the prepended 0 bit forwarded by an honest prover to a 1 bit, thus making the verifier expect the flipped response bits. During time-critical phases, adversary forwards the correct challenges as it receives them from the verifier, then flips the responses that the prover forwards, thus authenticating. However, properties like impersonation security and distance and terrorist fraud resistance (the latter with all its flavours, i.e. SimTF, GameTF, or strSimTF security) are preserved. Intuitively, this holds because in distance fraud, the prover is the dishonest prover itself and thus knows the correct responses (flipped or otherwise, anyway). Impersonation security only affects lazy phases, thus the modification of the protocol is irrelevant to this attack. Finally (though this is a more verbose argument), terrorist fraud resistance is preserved because for every successful adversary, the simulator will be able to use the simulator against the original scheme, removing the prepended bits.
• Impersonation security. We have very easily added impersonation security to the protocol due to Kim and Avoine [49], by exploiting the fact that the protocol already uses a pseudo-random function (PRF) in order to compute the prover and verifier output for the time-critical phases. Thus, by employing a PRF with a larger output size, we can include a session-specific authentication string that the prover can forward during authentication phases. This is a trick that can be used in most distance-bounding schemes in the literature, and we argue that it is necessary to make this modification to the protocols which do not offer impersonation security. In particular, since lazy-phase communication is not restricted to a single bit, a single phase of lazy-phase authentication ensures that the total security degree of the scheme is much increased.
• Mutual authentication. We note that the protocol due to Kim and Avoine [49] achieves a measure of time-critical mutual authentication, since some of the verifier’s challenges are pre-computed and can be verified by the prover. We note that it is also possible to achieve mutual authentication during lazy phases, though we note that the adversary can just forward these messages to the prover during the lazy phases. However, mutual authentication is employed to good use to achieve KLMF and resp. strMF security. As was already explained earlier, in the KLMF compiler the verifier sends, in a lazy phase, a value v, which either authenticates the verifier to the prover (in which case the prover does not update its state), or it does not authenticate the verifier (in this case, the prover updates state).
The same trick is employed in our strMF compiler, which builds on the KLMF compiler, adding a last phase of prover-authentication.
• Proving GameTF security. In Chapter 4 we give a few proofs of GameTF security for various distance-bounding protocols. The structure of the proof is usually as follows: we assume, towards contradiction, that the protocol is not GameTF secure. Thus, there must exist a strong terrorist adversary which (1) authenticates (aided online by the dishonest prover) with non-negligible probability, such that (2) all adversaries sharing state (the state is the view of the strong terrorist adversary) with the terrorist adversary and running a mafia fraud interaction with the prover and verifier has a probability to authenticate that is upper bounded by the protocol’s mafia fraud resistance. The argument usually develops by outlining an adversary as in (2) that wins with greater probability than the mafia fraud resistance of the protocol, which contradicts the assumption and thus proves that the protocol is GameTF secure. For GameTF secure protocols in the literature, we build a second adversary that interacts with the strong terrorist adversary as the simulator does in the SimTF security proofs, but which also uses its mafia MITM interaction with the prover to authenticate (in particular, as opposed to the Simulator in SimTF security, the adversary running a mafia fraud interaction can also taint phases).