A Verifiable Secret-Sharing and Distance

1
Outline
1. Background
   1. Attacks on distance-bounding
   2. Symmetric vs asymmetric protocol
   3. Motivation: DBPK-Log
2. VSSDB
   1. Building blocks
   2. Protocol
3. Conclusion
2
Objective of distance-bounding
• Authentication protocol + proximity testing
[Figure: a legitimate prover inside the verifier's range]
• Verifier is trusted, prover is untrusted.
3
Possible applications
Access control
Wireless payment
4
Distance fraud
• A malicious prover wants to cheat on the distance computed by the verifier.
[Figure labels: Range, R-A]
Mafia fraud
• An attacker relays the communication through a proxy close to a legitimate prover.
• The prover is unaware that an attack is taking place.
[Figure labels: Range, Proxy, Relay Attack, R-A, Attacker]
Terrorist fraud
• A far-away legitimate prover colludes with an adversary located close to the verifier to enable him to authenticate only once.
[Figure labels: Range, Collusion of users, Relay Attack, R-A]
Generic format of a DB protocol
1. Initialization phase (1st lazy phase),
2. Interactive phase (heart of the protocol),
[Figure: verifier and prover exchange challenge c; timing labels Ts, Tp, Tr]
$\text{Distance} = \dfrac{V_c \times (T_r - T_s - T_p)}{2}$
3. Verification phase (2nd lazy phase).
8
Symmetric versus asymmetric protocols
• Symmetric response function: secret shared between the prover and verifier,
• $R = f_S(c)$.
• Examples of symmetric protocols: Swiss Knife [Kim et al., ICSC 2008], SKI [Boureanu et al., ISC'13], [Gambs et al., AsiaCCS'13], …
• Asymmetric response function: the verifier does not have access to the prover's secret.
• Verification of the challenges uses the homomorphic property of bit commitment.
• Only one protocol in the literature: [Bussard and Bagga, SEC 2005]
9
Bussard and Bagga protocol (B&B)
[Figure: message flow between Verifier (holds Y=F(x)) and Prover: 1. a_i, b_i; 2. fast bit exchange phase, m rounds; verifier deduces Z=commit(x,v); 3. ZKProof(x)[Z ∧ Y]]
1. Initialization phase
Prover:
• Selects k at random,
• Computes $e = x \oplus k$,
• Computes commitments:
  • $a_i = \mathrm{commit}(k_i, u_i)$
  • $b_i = \mathrm{commit}(e_i, v_i)$
2. Fast bit exchange phase
Verifier:
• Sends a bit challenge in {0,1},
• Prover replies with $k_i$ if 0 or $e_i$ if 1.
3. Final verification phase
• Z =
• ZKProof(x)[Z ∧ y]
10
Contributions
• B&B-like distance bounding with better resistance to terrorist attack,
• Introduction of mode during the fast phase,
• Security bounds formally proved.
11
VSSDB
12
Ingredients
• (3,3) secret sharing scheme:
  • secret is encrypted using two strings k, l into e,
  • each bit of the secret is shared in three parts,
• Verifiable secret sharing:
  • each bit of the secret is verified separately,
• Homomorphic bit commitment [Brassard et al, 1988]:
  $P, Q$ primes;
  $N = P \times Q$ and Jacobi symbol $\left(\frac{-1}{N}\right) = +1$,
  $S = -1 \bmod N$,
  $\mathrm{Commit}(b, rand) = S^{b} \times rand^{2} \bmod N$,
  $\mathrm{Commit}(a, rand_1) \times \mathrm{Commit}(b, rand_2) = \mathrm{Commit}(b \oplus a, rand_3)$
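Added example (not from the slides): the homomorphic bit commitment defined above, applied to the B&B split e = x ⊕ k and its commitments a_i, b_i from the earlier slide. The values of P and Q, all function names, and the use of the factor P in `committed_bit` to make binding visible are assumptions for illustration.

```python
import secrets
from math import gcd

# Constructed toy modulus, far too small for real use. P, Q = 3 mod 4, so
# Jacobi(-1/N) = +1 although -1 is not a square mod N.
P, Q = 1019, 1031
N = P * Q
S = N - 1  # S = -1 mod N

def rand_unit():
    """Random element of Z_N^* used as commitment randomness."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r

def commit(b, r):
    """Commit(b, rand) = S^b * rand^2 mod N, as on the slide."""
    return pow(S, b, N) * pow(r, 2, N) % N

def opens_to(c, b, r):
    """Verifier-side check that (b, r) is a valid opening of c."""
    return b in (0, 1) and gcd(r, N) == 1 and commit(b, r) == c

def committed_bit(c):
    """Bit fixed by c, read with the factor P (Euler's criterion).
    A square mod P can only be a commitment to 0, hence binding."""
    return 0 if pow(c, (P - 1) // 2, P) == 1 else 1

def share_bit(x_i):
    """B&B-style split of one key bit: e_i = x_i XOR k_i, both committed."""
    k_i = secrets.randbelow(2)
    e_i = x_i ^ k_i
    u_i, v_i = rand_unit(), rand_unit()
    return {"k": (k_i, u_i), "e": (e_i, v_i),
            "a": commit(k_i, u_i), "b": commit(e_i, v_i)}

def response_matches_commit(rnd, challenge, bit, r):
    """Challenge 0 must open a_i (k_i); challenge 1 must open b_i (e_i)."""
    c = rnd["a"] if challenge == 0 else rnd["b"]
    return opens_to(c, bit, r)

def product_opening(rnd):
    """a_i * b_i mod N commits to k_i XOR e_i = x_i with rand u_i * v_i."""
    (k_i, u_i), (e_i, v_i) = rnd["k"], rnd["e"]
    return rnd["a"] * rnd["b"] % N, k_i ^ e_i, u_i * v_i % N
```

Only the prover can produce the opening returned by `product_opening`; a verifier that sees one opened share per round learns nothing about x_i from it.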
13
Registration phase
• Prover and Certification Authority (CA):
  • PrivKey = {$SK_{Sign}$, $x$} kept secret.
  • PubKey = {$Com_i$}, $PK_{Sign}$ sent to the verifier.

{$Com_i$}, $Com_i = \mathrm{Commit}(x_i, v_i)$, $v_i = H_i(x)$.
14
Initialization phase
1. Verifier replies with a nonce.
2. Prover computes session-specific information.
3. Prover computes fresh proof.
4. Verifier checks for the freshness of the proof.
15
Fast bit exchange
5. Prover replies as soon as possible.
5. Verifier starts the clock.
5. Verifier stops the clock.
16
Verification phase
1. Validity of the signature of the transcript,
2. Responses correspond to the commits,
3. Commitments correspond to the secret key.
17
Security analysis
• Distance fraud
  • Binding of HBCommit,
  • modes are chosen by the verifier.
• Mafia fraud
  • Hiding of HBCommit,
• Terrorist fraud?
  • GameTF [Fischlin et al., ACNS 2013].
18
GameTF security
• Definition: If an attacker succeeds in a terrorist fraud then he can launch a better mafia fraud attack.
• Trapdoor in the prover:
19
Terrorist VSSDB
20
Security bounds
21
Conclusion and future work
• We designed an asymmetric distance-bounding protocol provably secure against distance, mafia and terrorist frauds.
• Additional contribution: Introduction of mode in the response function to avoid responses of more than one bit.
• Future work: privacy-preservation, other secret sharing schemes.
22
Contact: mtraore@laas.fr
23
Attack of Bay and co-authors
[Figure: message flow between Verifier (holds Y=F(S)), Prover and Attacker: 1. a'_i, b'_i; 2. fast bit exchange phase; verifier deduces Z=F(S); 3. ZKProof; Z]
Initialization phase:
Attacker:
• Receives z from the malicious prover,
• Selects k and e at random,
• Computes commitments (for the m-1 last rounds):
  • $a'_i = \mathrm{commit}(k_i)$
  • $b'_i = \mathrm{commit}(e_i)$
• Computes $a'_0$ for $k_0$ at random.
• $b'_0 = a'_0 \times \prod^{i-1} (a'_i \times b'_i)^{2} \times Z^{-1} \bmod N$.
Challenge-response phase:
• The attacker wins if the first challenge = 0.
Final verification phase:
The verification phase is relayed to the prover.
24
Opening function
25
Attacks on distance bounding
• Distance fraud
[Figure labels: Range, T-A, R-A, Legitimate prover]