2.3 Elliptic Curve Cryptography
2.3.1 Elliptic curves
Definition 2.21. An elliptic curve E(K) over a field K consists of a special point 1E called point at infinityand a set of pointsg= (x, y)∈K2 that satisfy theWeierstrass equation:
y2+a1xy+a3y=x3+a2x2+a4x+a6 (2.1) where ai∈Kfor i= 1,2,3,4,6.
An elliptic curve has to be nonsingular, i.e., the polynomial P(x) =x3+a2x2+a4x+a6 must have single roots.
Remark 2.1. Equation2.1is useful when the characteristic ofKchar(K)∈ {2,3}. However, whenchar(K)6∈ {2,3}, equation2.1can be simplified by applying the following transformation:
x1 ← x+4a2+a21 12 y1 ← y+a1x+a3
2 Hereby, we obtain:
y12 = x31+Ax1+B where A, B ∈K.
For the sake of simplicity, in the rest of this section we assume that char(K)6= 2,3.
Remark 2.2. Let r1, r2 and r3 denote the roots of polynomial P(x).
The discriminant of P(x) is defined as:
∆ = (r1−r2)2(r1−r3)2(r2−r3)2
= −(4A3+ 27B2)
Consequently, to check whether an elliptic curve E(K) over field Kis nonsingular, it suffices to compute ∆ and to check whether ∆6=0K.
18
2.3 Elliptic Curve Cryptography
g1
g2
g−13
g3
Figure 2.2: Adding points on an elliptic curve
The Group Law
Let E(K) be an elliptic curve over the fieldKdefined byy2 =x3+Ax+B,A, B ∈K. Let g1 = (x1, y1) and g2 = (x2, y2) be points on E with g1, g2 6= 1E. We define g3 = g1×g2 =g1g2= (x3, y3) as follows:
1. Ifx1 6=x2, then
x3 =s2−x1−x2, y3 =s(x1−x3)−y1, wheres= y2−y1 x2−x1 2. Ifx1 =x2 andy1=−y2, theng3 =1E
3. Ifx1 =x2 andy1=y2 6=0K, then
x3=s2−2x1, y3=s(x1−x3)−y1, wheres= 3x21+A 2y1 Moreover,
∀g∈ E(K), g×1E =1E×g=g
Theorem 2.1. The points on an elliptic curveE(K) form an abelian groupwith respect to the × operation defined above, where the identity element is the point at infinity 1E, and the inverse of a point g= (x, y) on E(K) is defined as g−1 = (x,−y).
Definition 2.22. For allg∈ E(K) and k∈Z, point multiplication of g byk (denoted gk) is defined as:
1. Ifk≥1, then gk=g×g×...×g
| {z }
ktimes
;
2. CRYPTOGRAPHY FUNDAMENTALS 2. if k= 0, then g0 =1E;
3. if k≤ −1, then gk= (g−1)−k.
Definition 2.23. A point g∈ E(K) is called a torsion point, iff g is a point of finite order.
More precisely, g is said to be a q-torsion point (q ∈N), iff gq=1E. 2.3.2 Elliptic Curves over Finite Fields
LetFp be a finite field of orderp and letE(Fp) be an elliptic curve overFp. Given that there is finitely many pairs (x, y) ∈F2p, it follows that the abelian group E(Fp) is also finite.
Theorem 2.2(Hasse (162)). Let E(Fp)be an elliptic curve over the finite fieldFp. The order
#E(Fp) satisfies the following inequality:
|p+ 1−#E(Fp)| ≤2√p
Remark 2.3. Let E(Fp) be an elliptic curve defined over a finite field Fp, then any point g∈ E(Fp) is a torsion point of some order q that divides#E(Fp).
The finite order of elliptic curves over finite fields was the starting point for elliptic curve cryptography, which relies on a set of mathematical problems that are believed to be hard in elliptic curves over finite fields. Namely, the discrete logarithm problem and the Diffie-Hellman problems.
2.3.2.1 Elliptic Curve Discrete Logarithm Problem
Definition 2.24(Elliptic Curve Discrete Logarithm Problem (DLP)). LetE(Fp)be an elliptic curve over a finite field Fp, the elliptic curve discrete logarithm problem is:
Given a q-torsion point g∈ E(Fp) and g˜∈ hgi, find the integer x∈Zq such that ˜g=gx. The integerx is called the discrete logarithm ofg˜to the base g, denoted x=logg(˜g).
The advantage ǫ of an algorithm Ain solving the DL problem is defined as:
ǫ=P r(A(E, g,g)˜ computes x)
Definition 2.25(Elliptic Curve Discrete Logarithm Assumption (DL)). We say that the dis-crete logarithm assumption holds inE(Fp), if for every probabilistic polynomial-time algorithm A, the advantage ǫ in solving DLP inE(Fp) is negligible.
Note that the elliptic curve parameters for cryptographic schemes should be carefully chosen so as to resist known attacks on the DL problem. The best known algorithm to solve DLP is a combination of the Pohlig-Hellman algorithm and the Pollard’s rho algorithm, which runs in O(√qi) where qi is the largest divisor of q. In order to withstand this attack, the elliptic curveE(Fp) and the pointgshould be chosen so that the orderqof pointgis divisible by a sufficiently large prime numberqi. Typically |qi|= 160 bits.
20
2.3 Elliptic Curve Cryptography 2.3.2.2 Elliptic Curve Diffie-Hellman Problems
The Diffie-Hellman problems (DHP) are mathematical problems that were first introduced in the seminal work of Diffie and Hellman (49) to solve the issue of secure key exchange over public (insecure) channels. It is noteworthy that the Diffie-Hellman problems, like the discrete logarithm problem, were proposed initially in the context of finite fields, however in this manuscript, we only focus on their elliptic curve variants.
Definition 2.26 (Elliptic Curve Computational Diffie-Hellman Problem (CDHP)). LetGbe a cyclic subgroup of order q in E(Fp), and g be a generator of G, the computational Diffie-Hellman problem is:
Giveng, gx, gy in Gfor randomly chosen x, y∈Zq, compute gxy.
The advantage ǫof an algorithm Ain solving the CDH problem is defined as:
ǫ=P r(A(G, g, gx, gy) computes gxy)
Definition 2.27 (Elliptic Curve Computational Diffie-Hellman Assumption (CDH)). We say that the computational Diffie-Hellman assumption holds in G, if for every probabilistic polynomial-time algorithm A, the advantage ǫ in solving CDHP inG is negligible.
Remark 2.4. If there is a polynomial-time algorithm that can solve DLP in E(Fp), then this algorithm can use g and gx to compute x. Then, it can compute gxy = (gy)x to solve CDHP in E(Fp).
Definition 2.28 (Elliptic Curve Decisional Diffie-Hellman Problem (DDHP)). Let G be a cyclic subgroup of order q in E(Fp), and g be a generator ofG, the decisional Diffie-Hellman problem is:
Giveng, gx, gy,gz in G, decide whether z=xy.
Let U be the distribution (G, g, gx, gy, gxy), and V be the distribution (G, g, gx, gy, gz), where x, y, z are randomly selected in Zq.
The advantage ǫof an algorithm Ain solving the DDH problem is defined as:
ǫ=|P r(A(U) = 1)−P r(A(V) = 1)|
Definition 2.29(Elliptic Curve Decisional Diffie-Hellman Assumption (DDH)). We say that the decisional Diffie-Hellman assumption holds in G, if for every probabilistic polynomial-time algorithm A, the advantage ǫ in solving DDHP in G is negligible. This means that it is computationally infeasible for any polynomial-time algorithm A to distinguish between the distribution U = (G, g, gx, gy, gxy) and the distribution V = (G, g, gx, gy, gz) for randomly selected x, y, z∈Zq.
Note that if there is a polynomial-time algorithm A that solves CDHP in E(Fp), then this algorithm can be used to solve DDHP in E(Fp). Using g, gx and gy, A computes gxy
2. CRYPTOGRAPHY FUNDAMENTALS
and checks whether gxy =gz. Nonetheless, the reverse is not true. Joux and Nguyen (87) showed that there exist cyclic subgroups of elliptic curves over finite fields where DDHP is easy and CDHP is hard. These subgroups are known as the gap Diffie-Hellman (GDH for short) groups.
The algorithm proposed in (87) solves DDHP by using symmetric bilinear pairings. A symmetric bilinear pairinge is a bilinear function that maps a pair of points (g, h) ∈ E(Fp) to an element of an extension Fpr of the finite field Fp. Since the functione is bilinear, i.e., e(gx, gy) =e(g, g)xy, the DDH problem can be solved by checking whethere(gx, gy) =e(g, gz) or not.
Now, we present some of the definitions related to bilinear pairings on elliptic curves over finite fields that will be used in the sequel of this thesis.
2.3.3 Bilinear Pairings
LetG1,G2 and GT be cyclic groups of the same finite orderq.
Definition 2.30. A bilinear pairing is a mape: G1×G2 →GT, with the following properties:
1. eis bilinear: ∀x, y∈Zq, g∈G1 and h∈G2, e(gx, hy) =e(g, h)xy;
2. e is computable: there is an efficient algorithm to compute e(g, h) for any (g, h) ∈ G1×G2;
3. eisnon-degenerate: ifg is a generator ofG1 andhis a generator of G2, thene(g, h) is a generator of GT.
Typically, the groupsG1 and G2 are subgroups of some elliptic curveE over a finite field Fp, while GT is a multiplicative subgroup of an extension Fpr of the finite field Fp. In this context, r is called the embedding degree of the curveE. Verheul (161) proposed computing bilinear pairings by modifying the Weil and the Tate pairings1. By definition, the Tate and the Weil pairings map a pair of points (g, h)∈G1×G2 to aqth root of unity in GT.
Remark 2.5. Let e:G1×G2 →GT be a bilinear pairing.
• If G1=G2, then the pairinge is said to be symmetric (or of Type 1). Otherwise, it is said to be asymmetric.
• If the pairing e is asymmetric and if there is an efficiently computable homomorphism from G2 to G1 and no efficiently computable homomorphism from G1 to G2, then e is said to be of Type 2. If there are efficiently computable homomorphisms in both directions, thene can be reinterpreted as a Type 1 pairing.
1Bilinear pairings can be defined for all elliptic curves, however, they are efficiently computable only when the embedding degreeris small (87).
22
2.3 Elliptic Curve Cryptography
• If the pairing e is asymmetric and if there is no efficiently computable homomorphism between G1 andG2, then e is said to be of Type 3 2.
• If e is a pairing of Type 1, then the DDH problem is easy in G1. If e is a pairing of Type 2, then the DDH problem is easy in G2.
Remark 2.6. Pairing-based cryptographic schemes usually employ Type 1 and Type 2 pair-ings, however, Chatterjee and Menezes (38), Galbraith et al. (63) showed that Type 3 pairings offer better performances and better security.
Type 1 pairings are generally computed in supersingular curves, while Type 2 and Type 3 pairings are computed in ordinary (non-supersingular) curves such as MNT curves proposed by Miyaji et al. (116). We refer to the work of Freeman et al. (61) for more comprehensive overview on the construction of pairing friendly curves.
Although, bilinear pairings were first introduced in cryptography to construct fast algo-rithms to solve the DL problem (114) and the DDH problem (87) in elliptic curves, they paved the way for practical cryptographic solutions to long standing problems such as: one-round key agreement (86), identity-based encryption (22), short signatures (23, 25), group signa-tures (26), secret handshake (9), ... etc. The fast development of pairing-based cryptography has led to the establishment of new hardness assumptions that we present next.
2.3.4 Bilinear Diffie-Hellman Problems
Definition 2.31 (Bilinear Computational Diffie-Hellman Problem (BCDHP)). Let e:G1× G2 →GT be a bilinear pairing. Let g be a generator of G1 and h be a generator of G2.
The bilinear computational Diffie-Hellman problem is:
Giveng, gx, gy, gz ∈G1 and h, hx, hy ∈G2 for random x, y, z ∈Zq, compute e(g, h)xyz. We denote U = (G1, g, gx, gy, gz) and V = (G2, h, hx, hy).
The advantage ǫof an algorithm Ain solving the BCDH problem is defined as:
ǫ=P r(A(U, V) computes e(g, h)xyz)
Definition 2.32 (Bilinear Computational Diffie-Hellman Assumption (BCDH)). We say that the BCDH assumption holds, if for every probabilistic polynomial-time algorithm A, the advantage ǫin solving BCDHP is negligible.
Definition 2.33 (Bilinear Decisional Diffie-Hellman Problem (BDDHP)). Let e:G1×G2 → GT be a bilinear pairing. Let g be a generator of G1 and h be a generator of G2.
The bilinear decisional Diffie-Hellman problem is:
Giveng, gx, gy, gz ∈G1,h, hx, hy ∈G2 for random x, y, z ∈Zq ande(g, h)z′ ∈GT, decide whether z′ =xyz or not.
2A homomorphism betweenG1 andG2 can always be defined, however, the computation of such a homo-morphism is supposed to be as hard as the discrete logarithms inG1 and inG2 (63).
2. CRYPTOGRAPHY FUNDAMENTALS
We denote U the distribution (G1,G2, g, gx, gy, gz, h, hx, hy, e(g, g)xyz), and V the distri-bution (G1,G2, g, gx, gy, gz, h, hx, hy, e(g, g)z′), where x, y, z and z′ are selected randomly in Zq.
The advantage ǫ of an algorithm Ain solving the BDDH problem is defined as:
ǫ=|P r(A(U) = 1)−P r(A(V) = 1)|
Definition 2.34 (Bilinear Decisional Diffie-Hellman Assumption (BDDH)). We say that the BDDH assumption holds, if for every probabilistic polynomial-time algorithmA, the advantage ǫ in solving BDDHP is negligible. This means that it is computationally infeasible for any polynomial-time algorithm Ato distinguish between the two distributions U and V.
Although a symmetric bilinear pairing e : G1 ×G2 → GT enables solving the DDH problem in G1 and in G2, it is believed that if eis a Type 2 (Type 3 resp.) bilinear pairing, then the DDH assumption still holds inG1 (in bothG1 and G2 resp.). To that effect, Scott (144) introduced two related hardness assumptions which are: the external Diffie-Hellman assumption and the symmetric external Diffie-Hellman assumption.
Definition 2.35 (External Diffie-Hellman Assumption (XDH)). We say that the external Diffie-Hellman assumption holds inG1andG2, ifG1 andG2are two groups with the following properties:
1. There exists a bilinear pairing e:G1×G2→GT; 2. the decisional Diffie-Hellman assumption holds in G1.
Definition 2.36 (Symmetric External Diffie-Hellman Assumption (SXDH)). We say that the symmetric external Diffie-Hellman assumption holds inG1 andG2, ifG1 andG2 are two groups with the following properties:
1. There exists a bilinear pairing e:G1×G2→GT;
2. the decisional Diffie-Hellman assumption holds in both G1 and G2.
2.4 Summary
In this chapter, we surveyed some of the concepts of provable security, together with the cryptographic primitives that will be referenced in the remainder of this thesis. We also provided an overview of elliptic curve cryptography and bilinear pairings which are used to design our security protocols. Now, the reader can either move on to PartIwhere we present previous work on RFID security and privacy, or to Part II, where we introduce our secure multi-party protocols for the RFID setting.
24
Part I
From RFID Authentication to Privacy Preserving Supply Chain
Management
3
RFID Security and Privacy
The proliferation of RFID tags comes with new threats to the security and the privacy of companies/individuals owning tags. These potential threats have given rise to an active research area that deals primarily with the formalization of security and privacy models, and with the design of secure and privacy preserving RFID authentication protocols. The main challenges in this area are the definition of formal models that comprehensively capture the capabilities of areal world adversary, and the design of authentication protocols 1.) that are provably secure and privacy preserving with respect to the formal models, and 2.) that fit the stringent computational resources of RFID tags.
The purpose of this chapter therefore is to introduce the existing privacy and security models and to survey some of the proposed RFID authentication protocols. To this end, we start with a quick overview, in Section 3.1, of RFID technology and the main privacy and security threats related to the potential deployment of this technology. We then present the formal security and privacy definitions while explaining how they capture the adversarial behavior in the RFID environment. In Section 4.2, we analyze some of the prominent au-thentication protocols in the literature which we classify depending on their computational requirements on RFID tags. Finally in Section 3.4, we wrap up the chapter by highlighting some of the limitations of RFID privacy and the need for a more realistic adversary model.
The latter allows us to design secure and privacy preserving RFID protocols that go beyond simple tag-reader authentication to propose secure and efficient solutions for supply chain management. These protocols will be presented in Part II.
3.1 RFID Fundamentals
RFID is a technology that primarily identifies and tracks objects with neither direct line of sight nor human intervention. An RFID tag is a low cost wireless device which labels the object to which it is attached by having a unique and unreusable identifier. The tag’s unique identifier acts as a pointer to a database entry that contains the history of the tagged object.
3. RFID SECURITY AND PRIVACY
dĂŐ ZĞĂĚĞƌ ĂĐŬĞŶĚ
ƐLJƐƚĞŵ
^ŚĂƌĞĚŝŶƐĞĐƵƌĞ ĐŚĂŶŶĞů
^ĞĐƵƌĞ ĐŚĂŶŶĞů ĐŚĂŶŶĞů
Figure 3.1: RFID environment
Consequently, RFID technology was envisioned to replace barcodes in the supply chain as it favors fast and automated product identification and tracking, together with the possibility of recording and tracing the history of tagged products from production, to distribution, to finally end users.
An RFID system involves more components than the already mentioned RFID tags. A typical RFID system consists of:
• RFID tags;
• RFID readers;
• backend systems.
Tags and readers communicate over a shared insecure wireless channel, whereas the channel between RFID readers and backend systems is generally assumed to be secure.
In the sequel of this chapter, we discuss in more details the components and the applica-tions of RFID technology. Then, we list some of the security and the privacy challenges that hinder the deployment of this technology.
For a more thorough description of RFID systems, we refer to (59).
3.1.1 RFID Tags
An RFID tag consists of a small microchip that features limited data storage, limited logical functionalities, and an antenna. Tags can be classified based on their operating frequency.
High frequency HF tags operate at 13.56 MHz frequency and their maximum read range is 1 m. Ultra-high frequency UHF tags operate in the 858 to 930 MHz frequency band and their average read range is 3 m. UHF tags are the dominant technology for supply chain applications, whereasHFtags are more suitable for RFID-based ticketing or near field applications. Tags can also be distinguished based on the underlying powering method (135).
A passive tag is a tag which does not have any power supply (i.e., battery) of its own, and therefore, relies on the the signal sent by readers nearby to harvest the necessary energy it needs to reply to readers’ queries. Anactive tag on the other hand, has its own power supply
28
3.1 RFID Fundamentals and can initiate communication with readers. A semi-active tag is a hybrid tag which has its own power supply but never initiates communication with readers.
Passive tags are much cheaper than active ones and therefore, more suitable to replace optical barcodes in supply chains. The advantages of passive tags are their low cost, their small size and their lifetime which is not restricted by battery life. However, passive tags come with little resources and few computational capabilities which turn the design of RFID-based applications into a real challenge.
We thus primarily focus on passive tags.
3.1.2 RFID Readers and Backend Systems
RFID readers are transceivers which are able to communicate with tags using a radio fre-quency channel. A reader may be able to read or write data into tags. A reader consists of an antenna, a microprocessor, a power supply, and possibly an interface that enables the reader to forward the data received from tags to a backend system.
The backend system is typically a database that collects information forwarded by readers for various purposes that depend on the application for which RFID technology is used.
There are two categories of readers (59):
• Stationary readers: Readers are placed at a fixed location and permanently connected to a network so as to communicate with the backend system, e.g., RFID-based access control systems where readers are located at the entry point of some secured area.
• Portable readers: Readers can be handheld and not be required to communicate per-manently with a backend system. They are mostly used for querying prices of products at a supermarket or for inventorying.
3.1.3 RFID Applications
RFID technology can be embedded into various applications depending on the purpose of tag identification. The most prominent applications for RFID are automated payment, access control, tracking andsupply chain management.
The largest area of RFID applications is supply chain management whereby tags store application specific data in addition to tag identifiers. This additional data is used to auto-mate and to regulate the processes of production and distribution in the supply chain, while minimizing errors and human intervention. By attaching RFID tags to products, managers of supply chains can automatically identify counterfeits, production bottlenecks, stock shortage and the origin of defective products. This type of applications is of a great business value as it reduces both time and errors when managing products, while decreasing the number of people involved in the supply chain.
Sometimes a tag is not only required to identify itself but it is also required to prove that the proclaimed identity is legitimate through authentication. Such a functionality is needed
3. RFID SECURITY AND PRIVACY
in applications such as automated payment, anti-counterfeiting, car immobilizers and access control to secured areas.
Another field of application is tracking the location of tagged objects. Since readers are placed in fixed and known locations, the location of a tagged object can be easily traced with a certain accuracy. Such an application is useful for example to track pets, to detect the presence of assets or products in a factory or a warehouse, or to locate people inside a building.
Moreover, the advocates of RFID tags believe that the potential ubiquity of RFID will lead to applications that assist people with daily tasks. One of these applications is “intelli-gent homes” with smart appliances such as washing machines that“automatically select the appropriate wash cycles to prevent damaging delicate fabrics, or refrigerators that detect food expiration or shortage”(89). Along the same lines, RFID technology could be used to facil-itate home navigation and medication compliance for the elderly, for e.g. an RFID enabled medicine cabinet could verify whether a patient complies with his medication intakes or not (89).
3.1.4 Security and Privacy Threats
In this section, we describe some of the security and privacy threats related to the deployment of RFID technology.
3.1.4.1 Security Threats
RFID technology faces various security threats such as denial of service, relay attacks, and cloning.
• Denial of service: Such an attack can be performed by creating a signal in the same frequency band as legitimate readers, and causing therefore electromagnetic jamming that prevents legitimate tags from communicating with legitimate readers.
• Relay attacks: These attacks are implemented by placing an adversarial device be-tween a legitimate RFID tag and a legitimate reader. This device relays information exchanged between the two legitimate parties which are fooled into thinking that they are physically close to each other.
• Cloning: This attack can be executed by eavesdropping on tags’ communication with
• Cloning: This attack can be executed by eavesdropping on tags’ communication with