Privacy Preserving Protocols
Slides: hyperelliptic.org/CIoT/slides/hermans.pdf
Workshop on Cryptography for the Internet of Things
Jens Hermans, KU Leuven - COSIC
20 November 2012
Introduction
Cryptography in Daily Life
RFID
Car Keys
Access Control
Product Tracking
RFID Privacy
1 RFID Privacy
   Requirements
2 Privacy Models
   Protocol Analysis
   Provable Security (Privacy)
   Privacy Model
   Insider Attacks
   Requirements
3 Lightweight Cryptography
4 Existing Protocols
5 Protocol Design
   Design
   Performance
6 Conclusions and Future Perspectives
Why?
Industrial espionage
User privacy
Figure labels: Das Kapital, Insulin pump, Underwear, Membership, implant
Wireless Gun
RFID Privacy: goals
ID = u0012345, S = ...
...
{ (ID=u0012345, P=...) , ...}
ID = ?
ID = u0012345, S = ...
ID = u7654321, S = ...
Link?
#Tags?
Corrupting Tags
Requirements
Different Privacy Solutions
Protocol Level Privacy
Kill Command
Destroy Tag
Shielding
(Read Range Reduction)
...
Threat Analysis / Requirements
| | Privacy: Low | Privacy: High |
|---|---|---|
| Security: Low | Supply Chain | Public Transport, Payments |
| Security: High | Car Keys | Access Control, Passports |
Privacy Models
Protocol Analysis
Properties:
Security
Privacy: untraceability
Allow corruption
Results
Many published protocols broken:
⇒ Lack of formal proofs!
Provable Security (Privacy)
Adversary
System
Adversary wins if ...
Privacy Model
Juels-Weis model (2005)
Adversary
System
A B
A or B
Adversary wins if output is correct tag.
Vaudenay model (2007)
Adversary (Blinded)
System
B
Adversary wins if output is true and not trivial
Privacy Model Hermans et al. (2011)
Design goals:
Strong adversary: can always corrupt
Solve issues with wide strong privacy
Model ‘reality’
Easy to use
Adversary
System
A B
A C
Adversary wins if random bit is guessed correctly.
New Features:
corruption → on real tag
wide strong privacy
Features (reused):
Virtual tag handles
Indistinguishability based
Single random bit for entire system
Indistinguishability
Encryption:
RO
IND-CPA
IND-CCA
IND-CCA2
...
abc
#!$
xyz
Privacy-models:
Juels-Weis
Vaudenay
Hermans et al.
Privacy Levels
[Figure: privacy levels. Columns: Strong, Forward, Weak. Rows: Wide, Narrow. Annotation "at end" (twice).]
Privacy Requirements
| Privacy Level | Application |
|---|---|
| Narrow Weak | Supply Chain |
| Narrow Forward | Smart Products |
| Wide Weak | Car Keys |
| Wide Forward | Payments, Access Tokens, Passports, Public Transport |
Insider Attacks
Adversary
System
Insider Tag
Requirements
Privacy Requirements
| Privacy Level | Application |
|---|---|
| Narrow Weak | Supply Chain |
| Narrow Forward | Smart Products |
| Wide Weak | Car Keys |
| Wide Forward + Insider (Currently: Wide Strong) | Payments, Access Tokens, Passports, Public Transport |
Lightweight Cryptography
Lightweight Devices
Lightweight Cryptography?
Limits:
Area (➾➾➾)
Time
Power
Energy
Typical Ingredients for Protocols
| Primitive | Status |
|---|---|
| RNG | OK? |
| Key Update | ??? |
| Block Cipher | OK |
| Hash Function | OK |
| ECC | OK |
| ∑ | ??? |
Lightweight Elliptic Curve Cryptography
[Figure: elliptic curve with points P, Q, R; axes x, y]
Implementation [LBSV10]:
Area (14.5 kGE)
Time (85ms)
Power (13.8 µW)
Energy (1.18 µJ)
Existing Protocols
PRF (Block cipher) based [ISO/IEC 9798-2]
Tag T. State: $x_j$
Reader. Secrets: $DB = \{x_j\}$
Reader: $c \in_R \{0,1\}^n$
Reader → Tag: $c$
Tag: $p \in_R \{0,1\}^m$, $r = F_x(c \| p)$
Tag → Reader: $r, p$
Reader: search $x_j \in DB$ s.t. $F_{x_j}(c \| p) = r$
Privacy: Wide-Weak
Symmetric Key and Efficiency
Damgard-Pedersen ’08:
Independent keys: inefficient O(n)
Correlated keys:
efficient O(log(n))
privacy loss
Key Updating
Higher Privacy Level (narrow forward)
Desynchronization Attacks / Efficiency Problems
Implementation cost?
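EC Schnorr Protocol
Tag T. State: $x_j, Y$
Reader. Secrets: $y$, $DB = \{X_j\}$
Tag: $r \in_R \mathbb{Z}_\ell$
Tag → Reader: $R = rP$
Reader: $R \neq O$?
Reader → Tag: $e$
Tag: $e \neq 0$?, $s = x + er$
Tag → Reader: $s$
Reader: $X = sP - eR \in DB$?
Privacy: None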
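Randomized Schnorr [BCI08]
Tag T. State: $x_j, Y$
Reader. Secrets: $y$, $DB = \{X_j\}$
Tag: $r_1, r_2 \in_R \mathbb{Z}_\ell$
Tag → Reader: $R_1 = r_1 P$, $R_2 = r_2 Y$
Reader: $R_1, R_2 \neq O$?
Reader → Tag: $e$
Tag: $s = ex + r_1 + r_2$
Tag → Reader: $s$
Reader: $X = e^{-1}(sP - R_1 - y^{-1}R_2) \in DB$
Privacy: Narrow Strong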
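Randomized Hash GPS [BCI09]
Tag T. State: $x_j, Y$
Reader. Secrets: $y$, $DB = \{X_j\}$
Tag: $r_1, r_2 \in_R \mathbb{Z}_\ell$, $R_1 = r_1 P$, $R_2 = r_2 Y$
Tag → Reader: $z = H(R_1, R_2)$
Reader: $R_1, R_2 \neq O$?
Reader → Tag: $e$
Tag: $s = ex + r_1 + r_2$
Tag → Reader: $s, R_1, R_2$
Reader: verify $z$, $X = e^{-1}(sP - R_1 - y^{-1}R_2) \in DB$
Privacy: Narrow Strong and Wide Forward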
IND-CCA2 Encryption [Vau07]
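Tag T. State: $s_j$, $ID$
Reader. PK: $K_P$. Secrets: $DB = \{s_j\}$
Reader: $c \in_R \{0,1\}^n$
Reader → Tag: $c$
Tag: $r = \mathrm{Enc}_{K_P}(ID \| s_j \| c)$
Tag → Reader: $r$
Reader: $ID \| s_j \| c \leftarrow \mathrm{Dec}_{K_S}(r)$, search $s_j \in DB$
Privacy: Wide Strong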
Performance
| Protocol | Privacy | Ins. | Ext. Snd. | Operations |
|---|---|---|---|---|
| Schnorr | no | no | yes | 1 EC mult |
| Randomized Schnorr | narrow-strong | no | yes | 2 EC mult |
| Rand. Hashed GPS | narrow-strong, wide-forward | no | yes | 2 EC mult, 1 hash |
| Vaudenay + DHIES | wide-strong | yes | no | 2 EC mult, 1 hash, 1 MAC, 1 symm enc |
| Hash ElGamal | wide-strong | yes | no | 2 EC mult, 1 hash, 1 MAC |
Protocol Design
Design
New Protocol [Peeters, Hermans 2012]
Design protocol:
Correct
Extended soundness
(At least) Wide Forward + Insider privacy
Efficient
Key Assumptions
Oracle Diffie-Hellman Assumption
$(A = aP, B = bP, abP) \sim (A = aP, B = bP, rP)$
with extra $O(Z) := \mathrm{xcoord}(bZ)P$.
X Logarithm
$\mathrm{xcoord}(rP)P \sim r'P$
New Protocol
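Tag T. State: $x$, $Y = yP$
Reader R. Secrets: $y$, $DB: \{X_i = x_i P\}$
Tag: $r_1, r_2 \in_R \mathbb{Z}_\ell^*$
Tag → Reader: $R_1 = r_1 P$, $R_2 = r_2 P$
Reader: $e \in_R \mathbb{Z}_\ell^*$
Reader → Tag: $e$
Tag: $d = \mathrm{xcoord}(\mathrm{xcoord}(r_2 Y)P)$
Tag → Reader: $s = x + e r_1 + d$
Reader: $d = \mathrm{xcoord}(\mathrm{xcoord}(y R_2)P)$, $X = (s - d)P - eR_1 \in DB$?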
New Protocol - Extended Soundness
Extended Soundness
Schnorr protocol ⇒ extended soundness (OMDL assumption)
New Protocol - Privacy
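Added example, not from the slides: the EC Schnorr slide's "Privacy: None" and the new protocol's blinding term d, run side by side. The curve (secp256k1) and all function names are assumptions made here; the last check shows only that the Schnorr identification formula no longer yields X without y, and is not a privacy proof.

```python
# Added example, not from the slides. Assumption: secp256k1 is used only because
# its parameters are well known; the slides do not name a curve.
import secrets

p = 2**256 - 2**32 - 977   # field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order (the slides' l)
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point
O = None                   # point at infinity

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7."""
    if A is O:
        return B
    if B is O:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    k %= n
    acc = O
    while k:
        if k & 1:
            acc = add(acc, A)
        A = add(A, A)
        k >>= 1
    return acc

def sub(A, B):
    return add(A, O if B is O else (B[0], -B[1] % p))

def rand_scalar():
    return 1 + secrets.randbelow(n - 1)        # uniform in Z_l^*

def xcoord(A):
    return A[0] % n                            # x-coordinate used as a scalar

def schnorr_session(x):
    """EC Schnorr run; returns what an eavesdropper sees: (R, e, s)."""
    r = rand_scalar()
    R = mul(r, P)                              # tag commitment
    e = rand_scalar()                          # reader challenge
    return R, e, (x + e * r) % n               # tag response s = x + er

def schnorr_identify(R, e, s):
    """X = sP - eR: needs no secret, so reader and eavesdropper both get X."""
    return sub(mul(s, P), mul(e, R))

def new_session(x, Y):
    """New-protocol run; returns the transcript (R1, R2, e, s)."""
    r1, r2 = rand_scalar(), rand_scalar()
    R1, R2 = mul(r1, P), mul(r2, P)
    e = rand_scalar()
    d = xcoord(mul(xcoord(mul(r2, Y)), P))     # tag side: d from r2 and Y
    return R1, R2, e, (x + e * r1 + d) % n

def new_identify(y, R1, R2, e, s):
    """Reader side: recompute d from y and R2, then X = (s - d)P - eR1."""
    d = xcoord(mul(xcoord(mul(y, R2)), P))
    return sub(mul(s - d, P), mul(e, R1))

def demo():
    y = rand_scalar(); Y = mul(y, P)           # reader key pair (constructed)
    x = rand_scalar(); X = mul(x, P)           # one tag (constructed)
    db = {X, mul(rand_scalar(), P)}            # reader database of tag public keys
    schnorr_eve = [schnorr_identify(*schnorr_session(x)) for _ in range(2)]
    runs = [new_session(x, Y) for _ in range(2)]
    reader = [new_identify(y, *t) for t in runs]
    # An eavesdropper without y who applies the Schnorr formula gets X + dP.
    new_eve = [schnorr_identify(R1, e, s) for R1, _, e, s in runs]
    return {"X": X, "db": db, "schnorr_eve": schnorr_eve,
            "reader": reader, "new_eve": new_eve}

if __name__ == "__main__":
    out = demo()
    print("Schnorr sessions linkable:", out["schnorr_eve"][0] == out["schnorr_eve"][1])
    print("Reader identifies tag:", all(X in out["db"] for X in out["reader"]))
    print("Schnorr formula links new protocol:", out["new_eve"][0] == out["new_eve"][1])
```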
Performance
| Protocol | Privacy | Ins. | Ext. Snd. | Operations |
|---|---|---|---|---|
| Schnorr | no | no | yes | 1 EC mult |
| Randomized Schnorr | narrow-strong | no | yes | 2 EC mult |
| Rand. Hashed GPS | narrow-strong, wide-forward | no | yes | 2 EC mult, 1 hash |
| Vaudenay + DHIES | wide-strong | yes | no | 2 EC mult, 1 hash, 1 MAC, 1 symm enc |
| Hash ElGamal | wide-strong | yes | no | 2 EC mult, 1 hash, 1 MAC |
| Our Protocol | wide-forward-insider | yes | yes | 4 EC mult |
| - optimised version | wide-forward-insider | yes | yes | 2 EC mult |
Conclusions and Future Perspectives
Summary
Overview RFID Privacy Models & Privacy Levels
Implementation Aspects
RFID Protocols
New Private & Efficient RFID Protocol
Future Perspectives
Privacy models
‘Fair’ comparison
Restrictions on tag corruption
Simulatability vs indistinguishability
Protocols
New applications
Other primitives → feasible?
Analyze underlying assumptions (DDH-variants)