Secure Authentication

Theorem 4.3. ROTIV ensures secure authentication under the resistance to existential forgery of MAC.

Proof. To simplify the proof, we assume that the key K_T shared between a tag T and its owner is not updated after each successful authentication. As the key update is only required to achieve privacy and exclusive ownership, it is irrelevant for the authentication proof.

LetOMAC be an oracle that when queried with messagemreturnsσ =MAC_K(m), where K ∈F_q.

We show that if there is an adversaryAwho breaks the security ofROTIV’s authentica-tion with a non-negligible advantageǫ, then we can construct an adversaryBthat breaks the resistance to existential forgery of MAC (See Definition2.10) with a non-negligible advantage ǫ^′.

To break the resistance to existential forgery ofMAC, adversary Bsimulates challenger C and creates a complete ROTIV system as described in the following.

• B selects randomly x ∈F_q, and computes h^x. Here, x is the secret key sk_I of issuer I and h^x is the corresponding public keypk_I.

• B selects η elements xk ∈F_q, and provides each owner in ROTIV with the secret key sk_k=x_k and the matching public keypk_k= (g,g˜_k=g^xk).

• To initialize the set of ntags in ROTIV, adversaryB proceeds as follows:

– B selects randomly ID_i ∈ F_q,1 ≤ i ≤ n−1 and computes c⁰_Ti = (1, H(ID_i)^skI).

Then, B selects randomly KTi ∈F_q and stores S_T⁰_i = (KTi, c⁰_Ti) into Ti, 1 ≤ i ≤ n−1. Finally, Bcomputes Ti’s ownership referencesrefTi.

– ThenBcreates a tagT_nwhose secret key isK. TagT_nstores the stateS_T⁰_n =c⁰_Tn. Learning phase. Adversary Bsimulates challenger Cas depicted below:

• B simulatesOTag and returns r tags T_i to adversaryA, for whichA queries the oracle OExecute.

Note that if A selects tag Tn at this step of the game, then B simulates both tag Tn

and T_n’s ownerO_(Tn,k) by querying the oracle OMAC.

• Again,B simulates oracle OTag in order to returnr additional tags T_i^′ to adversary A. This time,A can read the internal states of tags T_i^′. We point out that if adversaryA selects tagT_n at this step, thenB stops the authentication game.

4. RFID-BASED OWNERSHIP TRANSFER WITH ISSUER VERIFICATION

Challenge phase.

• In the challenge phase, adversary A selects a challenge tag T_c by querying the oracle O^Tag. IfTc 6=Tn, then Bstops the authentication game.

• Otherwise, adversaryAqueries the oracleOExecute with tagT_c which starts aROTIV’s authentication.

1.) If A impersonates O_(Tc,k), then A starts the authentication by sending a nonce N_T^j

c to T_c.

Bsimulates tagT_c: he generates a random nonceR^j_T

c and queries the oracleOMAC

with messagem= (N_T^j_c, R^j_Tc, c^j_Tc). The oracle OMAC returns σ=MAC_K(m), and B sendsR^j_T

c,c^j_T

c and σ to adversaryA. AdversaryA replies with (c^j+1_T

c , σ_c).

Since adversaryAhas a non-negligible advantageǫin impersonating ownerO_(Tc,k), σ_c =MAC_K(m_c), where m_c = (R^j_T

c, c^j+1_T

c ). To break the resistance to existential forgery ofMAC_K, adversaryB outputs (mc, σc).

2.) IfA impersonatesT_c, thenB sends a fresh nonceN_T^j

c to A. Upon receiving N_T^j

c, Agenerates a random numberR^j_Tc and sendsR^j_Tc, a ciphertextc^j_Tc andσc to B. If adversary A has a non-negligible advantage ǫ in impersonating tag T_c, then σ_c =MAC_K(N_T^j

c, R^j_T

c, c^j_T

c).

Accordingly, to break the existential forgery of MACK,B outputs (mc, σc), where m_c = (N_T^j

c, R^j_T

c, c^j_T

c).

Here we quantify the advantage ǫ^′ of adversary B. Adversary B succeeds in breaking the resistance to existential forgery of MAC, if he does not stop the authentication game when simulating challengerC.

Let E denote the event: B does not stop the authentication game.

Let E₁ denote the event: Bdoes not stop the authentication game in the learning phase.

LetE₂ denote the event: Bdoes not stop the authentication game in the challenge phase.

Let pdenote the probability that A selects tag Tn.

Adversary B does not stop the authentication game in the learning phase, if and only if, adversary A does not pick tag Tn in the second phase of the learning phase. Consequently, P r(E₁) = (1−p)^r. Further,Bdoes not stop the authentication game in the challenge phase, if and only if, adversaryA selects tag Tn as his challenge tagT_c. Thus,P r(E2) =p.

It follows that π =P r(E) =P r(E₁)P r(E₂) = (1−p)^rp, and thatǫ^′ =πǫ.

Therefore, if adversaryAhas a non-negligible advantageǫin breakingROTIV’s security, thenBwill have a non-negligible advantageǫ^′ in breaking the resistance to existential forgery by making at most 4rs+ 1 queries to the oracle OMAC. This leads to a contradiction under the security of MAC.

88

4.6 Security Analysis Note thatπ is maximal whenp= 1

r and πmax = 1−¹_rr

r ≃ 1

er. 4.6.2 Exclusive Ownership

Theorem 4.4. ROTIV ensures exclusive ownership under the XDH assumption.

Proof. Assume there is an adversaryAwho succeeds in the exclusive ownership game with a non-negligible advantage ǫ. We show that there is an adversary B who uses adversary A to break the DDH assumption in G₁ with a non-negligible advantageǫ^′.

To break the DDH assumption inG₁, adversaryB proceeds as follows.

First,B simulates challengerCand creates a complete ROTIV system.

• B selects randomly sk_I ∈ F_q and computes pk_I = h^skI. Here sk_I is the secret key of issuer I and pk_I is the corresponding public key.

• B selects randomly η random numbers x_k ∈ F_q, and provides each owner O_k in the supply chain with a pair of matching public and secret keys pk_k = (g,g˜k = g^xk) and sk_k =x_k.

• B creates ntagsTi.

Learning phase. Adversary Aenters the learning phase.

• B simulatesOTag and suppliesA withr tagsTi.

• Adversary A is allowed to run authentication sessions with tags Ti, to acquire their ownership and to transfer this ownership to owners of his choice.

Challenge phase.

• AdversaryB queries the oracle ODDH to receive (g, g^x, g^y, g^z).

• In the challenge phase, B simulates OTag and provides A with a challenge tag T_c. Without loss of generality, we assume thatT_c’s owner isOk.

Before giving the tag T_c to adversaryA, adversaryB encryptsT_c’s signature usingg^x from the DDH challenge:

c^j_Tc = (u^j_Tc, v^j_Tc) = (g^xr, H(IDc)^skI(g^xr)^xk) = (g^xr, H(IDc)^skIg˜^xr_k ) Wherer is a random number inF_q.

• A now can read the internal state of tag T_c.

• A selects a challenge ownerOc, and transfers the ownership of tag T_c to Oc.

4. RFID-BASED OWNERSHIP TRANSFER WITH ISSUER VERIFICATION

If adversaryAhas a non-negligible advantageǫin breaking the exclusive ownership, then adversary A will be able to supply Oc during the ownership transfer protocol with correct ownership references:

ref_T = (S,id, K^old, K^new,rand^old,rand^new) Wheree(g^xr, h) =e(g,rand^new), i.e.,rand^new=h^xr.

To break the DDH assumption, adversary Bverifies whether e(g^z, h^r) =e(g^y,rand^new) = e(g^y, h^xr). If so, Boutputsz=xy, otherwise, he outputs z6=xy.

As a result, if adversary A has a non-negligible advantage ǫ in breaking exclusive own-ership, then adversary B will have a non-negligible advantage ǫ^′ = ǫ in breaking the DDH assumption.