
HAL Id: inria-00576696

https://hal.inria.fr/inria-00576696

Submitted on 17 Mar 2011


Boolean Functions and Distance Bounding

Cédric Lauradoux

To cite this version:

Cédric Lauradoux. Boolean Functions and Distance Bounding. [Research Report] RR-7568, INRIA. 2011, pp.13. ⟨inria-00576696⟩

Research report

ISSN 0249-6399

ISRN INRIA/RR--7568--FR+ENG

Networks and Telecommunications

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE

N° 7568

Centre de recherche INRIA Grenoble – Rhône-Alpes

655, avenue de l’Europe, 38334 Montbonnot Saint Ismier

Téléphone : +33 4 76 61 52 00 — Télécopie +33 4 76 61 52 52

Cédric Lauradoux

Theme: Networks and Telecommunications. Networks, Systems and Services, Distributed Computing

Project-Team SWING

Research Report n° 7568, March 2011, 10 pages

Abstract: Distance bounding protocols are a critical mechanism of wireless technologies such as RFID or ZigBee. They aim to enforce a stronger definition of authentication by preventing any kind of relay attack, namely the distance fraud, the mafia fraud and the terrorist fraud. This paper aims to define the Boolean functions used in the distance bounding protocols based on the work of Hancke and Kuhn. Indeed, the choice of these functions has never been discussed despite the considerable literature. We define the criteria on the function needed to defeat each fraud.

Key-words: Distance bounding, man-in-the-middle, vectorial Boolean functions.

Summary: Distance bounding protocols are very important for wireless technologies such as RFID or ZigBee. They provide a strong version of authentication that resists relay attacks, more precisely the distance fraud, the mafia fraud and the terrorist fraud. This report aims to define the properties required of the Boolean functions used by these protocols. Indeed, the choice of these functions has never been discussed despite the considerable number of proposals for distance bounding. We define the criteria required to counter each type of fraud.

1 Introduction

Man in the middle attacks (MITM) are often reduced to a special case in the cryptographic literature. Indeed, it is always assumed that the adversary tampers with the execution of a cryptographic protocol. Desmedt et al. [1,2] have shown that a MITM in which the adversary simply forwards the messages between two parties is sufficient to break the most advanced authentication protocols.

The first countermeasures to this class of MITM were given by Rivest and Shamir in "How to expose an eavesdropper" [3]. Early solutions were also devised by Desmedt et al. [1,2] when the attacks first appeared but they cannot be applied in any context. Finally, distance bounding protocols were introduced by Brands and Chaum [4] as a solution for low-cost devices. Basically, a distance bounding protocol combines an authentication with the computation of an upper-bound on the distance between the two parties involved. This combination mitigates the possibility to mount relay attacks. The mechanism favored to measure the distance is the time of flight because it requires only one clock. More details and definitions can be found in [5].

The propositions of distance bounding protocols can be divided into two categories according to the need or not of a final signature to complete the authentication. This distinction is between the protocols inspired by the results of Brands and Chaum [4] (presence of a signature) and those derived from Hancke and Kuhn [6] (no signature). This paper is dedicated to the latter category, not meaning that our results do not apply to Brands and Chaum's protocol but rather to simplify the analysis. The core of any distance bounding protocol is an interactive phase in which Bob sends small challenges to Alice who answers shortly. The timing of each challenge/response is measured accurately to deduce an upper-bound on the distance. Each response is computed using a Boolean function $f$ which takes as input the challenge and some variables known only by Alice and Bob. At the end, Bob checks that each answer and its corresponding timing are consistent.

This work aims to understand how the response is computed and more precisely how the function $f$ must be chosen to defeat the different frauds. The criteria to resist the distance and mafia fraud are rather obvious for the readers familiar with Boolean functions. The main contribution of the paper is the criteria related to the terrorist fraud which capture nicely the problem we are facing. Our notations are compliant with the use of vectorial Boolean functions in the perspective of the development of the MIMO technology. Throughout the paper, the examples are given for Boolean functions for convenience.

Section 2 contains the background related to vectorial Boolean functions. Our template protocol is described in Section 3. Section 4 deals with the distance fraud. Section 5 and Section 6 are respectively devoted to the mafia fraud and the terrorist fraud.

2 Notations

We denote by $\mathcal{B}_n^m$ the set of vectorial Boolean functions of $n$ variables and $m$ outputs such that $n$ and $m$ are two positive integers and $m \le n$, $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$.

The truth table vector $T_f$ of $f \in \mathcal{B}_n^m$ is written:

$$(f(\alpha_0), \cdots, f(\alpha_{2^n-1})),$$

where $\alpha_0, \cdots, \alpha_{2^n-1}$ are all the elements of $\mathbb{F}_2^n$ sorted by lexicographic order. The algebraic normal form (ANF) is also used to represent Boolean functions in a compressed notation. The Hamming weight $w_H(y)$ of a binary vector $y = (y_0, \cdots, y_{m-1})$ of length $m$ is the number of ones in $y$: $\sum_{i=0}^{m-1} y_i$. The notation $y_i \in \mathbb{F}_2$ denotes the $i$-th coordinate of $y$.

Definition 1 Let $U$ be a $p$-dimensional subspace of $\mathbb{F}_2^n$. The restriction of $f \in \mathcal{B}_n^m$ to $U$, denoted $f_U$, is defined by $f_U(x) = f(x), \forall x \in U$.

Throughout the paper, an element $x$ belonging to $\mathbb{F}_2^n$ is decomposed as the vector $x = (c, s, k)$ with $c \in \mathbb{F}_2^{n_c}$, $s \in \mathbb{F}_2^{n_s}$, $k \in \mathbb{F}_2^{n_k}$ such that $n = n_1 + n_2 + n_3$. The restriction of $f$ to the subspace $U_c$ of dimension $n_2 + n_3$ defined for $\forall c \in \mathbb{F}_2^{n_c}$ by:

$$U_c = \{(c, s, k) \mid c = \mathrm{cst},\ s \in \mathbb{F}_2^{n_s} \text{ and } k \in \mathbb{F}_2^{n_k}\},$$

is simply noted $f_c(x)$, $\forall x \in U_c$. Similarly, $f_{c,s}$ is the restriction of $f$ to $U_{c,s}$, i.e. $c$ and $s$ are kept constant.

Definition 2 A vectorial Boolean function $f$ is said to be balanced if each element of $\mathbb{F}_2^m$ appears $2^{n-m}$ times in the truth table vector $T_f$.

The protocol considered between Alice and Bob is unilateral for its authentication part. Alice is a legitimate prover, Bob the verifier and Eve an adversary.

3 Template protocol

To support our hunt for the function $f$, we give a template distance bounding protocol. The protocol is depicted in Fig. 1.

Prior to the execution of the protocol, Alice and Bob have agreed on a secret key $K$ of $\ell \times n_c$ bits, on a vectorial Boolean function $f$ and a pseudo-random function (PRF) $g$. The key is viewed as a vector $K = (k_0, k_1, \cdots, k_{\ell-1})$ with $k_j \in \mathbb{F}_2^{n_k}$, $\forall j \in [0, \ell - 1]$. Then, our template protocol is composed of three steps.

1) Initialization: Alice and Bob exchange the nonces $N_A$ and $N_B$. They use the function $g$ to compute a shared internal state $S = (s_0, s_1, \cdots, s_{\ell-1})$, $s_j \in \mathbb{F}_2^{n_s}$, $\forall j \in [0, \ell - 1]$. The state $S$ can be the output of $g(K, N_A, N_B)$. It is worth mentioning that the duration of the initialization phase is subject to important timing variations because the computational power of the prover can be limited and the computation of $g$ can be time consuming.

2) Interactive phase: This phase consists of $\ell$ rounds. At each round, Bob picks randomly a challenge $c_j \in \mathbb{F}_2^{n_c}$ and sends it to Alice who receives $\hat{c}_j$. Alice computes:

$$r_j = f(\hat{c}_j, s_j, k_j). \qquad (1)$$

This phase requires a precise synchronization because Bob computes the time spent between the emission of the challenge $c_j$ and the reception of the corresponding answer $\hat{r}_j$. This Round Trip Time (RTT) is denoted $\delta_j$.

Alice holds: $K \in \mathbb{F}_2^{\ell \times n_k}$, $f \in \mathcal{B}_n^m$, $g$ a PRF
Bob holds: $K \in \mathbb{F}_2^{\ell \times n_k}$, $f \in \mathcal{B}_n^m$, $g$ a PRF

Initialization phase
Alice picks $N_A$. Alice → Bob: $N_A$
Bob picks $N_B$. Bob → Alice: $N_B$
Alice and Bob each: for $j = 1 \cdots m$, for $i = 1 \cdots n$, compute $r_{i,j}$

Interactive phase, for $j = 1 \cdots \ell$
Bob picks $c_j \in \mathbb{F}_2^{n_c}$. Bob → Alice: $\hat{c}_j$
Alice computes $r_j = f(\hat{c}_j, s_j, k_j)$ and sends $r_j$. Alice → Bob: $\hat{r}_j$
Bob measures $\delta t_j$

Result
If $\forall c_j$, $\hat{r}_j \stackrel{?}{=} f(c_j, s_j, k_j)$ and $\forall j$, $\delta t_j \le \Delta$, then Success, otherwise Failure

Figure 1: The template distance bounding protocol.

3) Result: Bob checks that each answer $\hat{r}_i$ received from Alice is correct, i.e. $\hat{r}_j = f(c_j, s_j, k_j)$, and that $\forall i, \delta_i \le \Delta$ with $\Delta$ a given threshold. The time measuring method and the attacks related to this mechanism are not discussed here. The precision of this measurement is critical with respect to the applications. The readers can consult the works [7, 8, 9] for more information on this subject.

The template protocol described in this section follows the principle defined by Hancke and Kuhn [6] except for two points.

Multi-channel communications: Alice and Bob are using MIMO radio systems over a half-duplex channel, i.e. they can transmit several bits simultaneously over different channels. It implies that $n_c > 1$ and $m > 1$. A similar hypothesis is made in [10] with MUSE-$p$ HK in which symbols belonging to $\mathbb{F}_p$, $p > 2$ are transmitted by Alice and Bob. In the original works of Hancke and Kuhn [6], the values $n_c = 1$, $n = 3$ and $m = 1$ were considered for a usage in RFID. We also assume that the communications are noise-free.

Key insertion: The purpose of the protocol of Hancke and Kuhn [6] is to defeat the mafia fraud and the distance fraud. All the variables used as an input to the function $f$ provide no information on the key ($n_k = 0$). As a result, this protocol cannot defeat the terrorist fraud. As a consequence, the key shared by Alice and Bob must be directly used during the computation of $f$. Bussard and Bagga [11] are to be credited for this idea. This particular problem is considered in Section 6.

In our protocol, all the rounds are independent. In what follows the round number $j$ is often omitted for the variables $c, s, k$ to simplify the notations.

Example 1 The protocol proposed by Hancke and Kuhn [6] used the parameters $n = 3$, $m = 1$, $n_k = 0$, $n_c = 1$ and $n_s = 2$. The Boolean function $f$ used is defined by:

$$\forall c \in \mathbb{F}_2,\ s \in \mathbb{F}_2^2, \quad f(c_0, s_0, s_1) = c_0 s_0 + c_0 s_1 + s_1.$$

We now consider how the function $f$ is chosen. Finding a good vectorial Boolean function consists in finding the appropriate restrictions of $f$ that will capture a given attack.

4 Distance fraud

In a distance fraud, Alice attempts to lie about her distance to Bob. Such an attack is particularly critical for ankle monitors in criminal surveillance applications. The ankle monitor has to restrict the action of Alice. If she is not in the neighborhood of Bob, an alarm is triggered. If Alice can make Bob believe she is in the neighborhood while she is not, she can commit crimes.

To carry out a distance fraud, Alice can try to compensate for the extra distance by answering Bob's challenges before they were sent. This strategy is known as the early reply in the literature. The ability of Alice to succeed in the distance fraud depends on her capability to interact with the ankle monitor (the device used to execute the protocol). If the device is tamper resistant, then Alice is on her own. This is referred to as the black-box model in the literature [5]. To defeat such an adversary, the function $f$ must be chosen such that:

Property 1 To defeat the distance fraud in the black-box model, the function $f$ in the protocol $P$ must be balanced.

Any bias in the function provides an advantage to the adversary.

There is a way for Alice to succeed with the early reply strategy. She can execute the interactive phase with our device prior to executing the interactive phase with Bob. She sends $\hat{c} \in \mathbb{F}_2^{n_c}$ to the device and obtains $r = f(\hat{c}, s, k)$. This information can help Alice to choose an appropriate reply. This strategy is known as pre-ask-then-early-reply. If the function is not chosen properly, an adversary can narrow down the possible answers and gain an advantage. The following property captures this strategy and models it as a criterion for $f$.

Property 2 To maximize the resistance to the pre-ask-then-early-reply strategy in the black-box model, the function $f$ must verify that:

$$\forall c, s, k, \hat{c}, \quad f_U(c, s, k) \text{ is balanced with } U = \{(c, s, k) \mid f(\hat{c}, s, k) = r,\ \hat{c} = \mathrm{cst}\}.$$

The other model for the relation between Alice and her device is known as the white-box model. Alice can tamper with the execution of the algorithm to recover useful information. It means that Alice knows the internal values of the algorithm, i.e. $s$ and $k$.

Property 3 To maximize the resistance to the distance fraud in the white-box model, the function $f$ must verify:

$$\forall s, k, \quad f_{s,k}(c, s, k) \text{ is balanced.}$$

Property 3 is the strongest one since we assume that Alice has access to a large amount of information.

Remark 1 The reader familiar with the design of block-ciphers and especially s-boxes may have remarked that we are not so far from the resiliency criterion (except for Property 2). Indeed, it applies to a subset of the input variables of $f$, not to all the variables. This makes the difference with resiliency.

5 Mafia fraud

In the mafia fraud, an external adversary, Eve, is introduced and Alice is once again honest. To impersonate Alice and meet the timing constraints, Eve first relays the initialization phase. Then, she has two strategies, namely the no-ask strategy and the pre-ask strategy, to succeed in the attack. In the no-ask strategy, Eve executes directly the interactive phase with Bob. She knows $c$ which defines the appropriate restriction to work with.

Property 4 To maximize the resistance to the no-ask strategy, the function $f$ must verify:

$$\forall c, \quad f_c(c, s, k) \text{ is balanced.}$$
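The balancedness criteria of Properties 1, 3 and 4 can be checked by exhaustive enumeration of the truth table. The sketch below is an added example, not code from the report: it evaluates the Hancke and Kuhn function of Example 1, and the helper names as well as the white-box guessing metric (uniform challenge, reply fixed in advance) are assumptions introduced here.

```python
from collections import Counter
from fractions import Fraction
from itertools import product


def vectors(n):
    """All elements of F_2^n in lexicographic order (one empty tuple when n = 0)."""
    return list(product((0, 1), repeat=n))


def is_balanced(outputs, m=1):
    """Definition 2 applied to a (restricted) truth table of integers below 2^m."""
    counts = Counter(outputs)
    share, rest = divmod(len(outputs), 1 << m)
    return rest == 0 and all(counts[y] == share for y in range(1 << m))


def check_properties(f, n_c, n_s, n_k, m=1):
    """Evaluate Properties 1, 3 and 4 for f(c, s, k) by exhaustive enumeration."""
    C, S, K = vectors(n_c), vectors(n_s), vectors(n_k)
    # Property 1: f is balanced over all its inputs.
    p1 = is_balanced([f(c, s, k) for c in C for s in S for k in K], m)
    # Property 4: for every fixed challenge c, f_c is balanced over (s, k).
    p4 = all(is_balanced([f(c, s, k) for s in S for k in K], m) for c in C)
    # Property 3: for every fixed (s, k), f_{s,k} is balanced over the challenges.
    p3_failures = [(s, k) for s in S for k in K
                   if not is_balanced([f(c, s, k) for c in C], m)]
    return {"P1": p1, "P3": not p3_failures, "P4": p4, "P3_failures": p3_failures}


def white_box_early_reply(f, n_c, n_s, n_k):
    """Per-round probability that a reply chosen before seeing c is correct when
    (s, k) are known and c is uniform (added metric, not defined in the report)."""
    C, S, K = vectors(n_c), vectors(n_s), vectors(n_k)
    best = [max(Counter(f(c, s, k) for c in C).values()) for s in S for k in K]
    return Fraction(sum(best), len(best) * len(C))


def hancke_kuhn(c, s, k):
    """Example 1: f(c0, s0, s1) = c0*s0 + c0*s1 + s1 over F_2 (k is empty, n_k = 0)."""
    return (c[0] & s[0]) ^ (c[0] & s[1]) ^ s[1]


if __name__ == "__main__":
    print(check_properties(hancke_kuhn, n_c=1, n_s=2, n_k=0))
    print(white_box_early_reply(hancke_kuhn, n_c=1, n_s=2, n_k=0))
```

For Example 1 this reports Properties 1 and 4 as satisfied and Property 3 as failing for $s = (0,0)$ and $s = (1,1)$, where the answer does not depend on $c$; the per-round probability of a correct early reply in the white-box model is then 3/4.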

In the pre-ask strategy, Eve is allowed to execute the interactive phase with Alice prior to executing her own instance of the interactive phase with Bob. Eve sends $\hat{c}$ to Alice and obtains $r = f(\hat{c}, s, k)$. During the execution of the interactive phase with Bob, Eve receives $c$ and attempts to answer. If $\hat{c} = c$, she replies $r$ and wins the round. Otherwise, she is on her own if the function verifies the following property.

Property 5 To maximize the resistance to the pre-ask strategy, the function $f$ must verify:

$$\forall c \neq \hat{c}, \quad I(f(c, s, k); f(\hat{c}, s, k)) = 0,$$

where $I$ stands for the mutual information.

One may have noticed the fact that we never speak about the disclosure of the key during our analysis of the distance and mafia fraud. In fact, we can deal with these two frauds while considering $n_k = 0$. The problem of the key disclosure is related to the terrorist fraud.

6 Terrorist fraud

The terrorist fraud is a tricky business. The protocol designer has to deal with two adversaries. Indeed, Alice conspires with Eve to deceive Bob on the distance between them. Such a scenario occurs when Alice pays Eve for getting a perfect alibi to commit a crime. The terrorist fraud can be risky for Alice if Eve is able to (re)impersonate her afterward: Eve could commit crimes pretending to be Alice. Hence, Alice agrees to carry out a terrorist fraud only if Eve is able to achieve a one-time impersonation. More precisely, we assume that Alice does not get involved in a terrorist fraud if Eve, by doing so, may gain some advantage for further attacks.

To prevent a malicious Alice from helping Eve, the secret key must be introduced as an input to $f$ as an incentive not to cheat. Moreover, the secret of an honest Alice must not be exposed. The swiss knife to thwart this fraud is threshold cryptography.

Property 6 To prevent any key leakage during a terrorist fraud, the function $f$ must verify that $\forall c, s, k$:

$$I(k; f(c, s, k) \mid c) = 0, \qquad (2)$$

$$I(k; f(c, s, k) \mid c, \Phi_{\delta-1}(s)) = 0, \qquad (3)$$

$$I(k; f(c, s, k) \mid c, \Phi_{\delta}(s)) = n_k, \qquad (4)$$

$$I(k; f(c, s, k) \mid c, f(\hat{c}, s, k) \mid \hat{c}) = 0, \qquad (5)$$

where $\hat{c} \neq c$ and $\Phi_{\delta}(s)$ is any combination of $\delta$ coordinates of $s$.

Each equation of the previous property corresponds to a specific situation of our protocol. From this situation, Eve can extract some knowledge on the variables of the protocol.

Equation 2: The first thing to check is whether an eavesdropper can recover $k$ from the challenge $c$ and its corresponding answer $f(c, s, k)$.

Equations 3 and 4: The concern of these equations is to determine how much information can be provided by Alice to Eve. Equations 3 and 4 describe a threshold scheme. Providing too much information to Eve must expose the key. The function $f$, $k$ and the coordinates of $s$ act as a system of shares in a secret-sharing scheme.

Equation 5: Eve can launch a fault attack in order to recover the key. To mount this attack, she modifies the legitimate challenge $c$ such that Alice receives $\hat{c}$ with $\hat{c} \neq c$. Alice sends $r = f(\hat{c}, s, k)$ to Bob. But Eve tampers with this answer and Bob receives $\hat{r}$ chosen by Eve. If Eve knows whether the result is correct or not, she knows $f(c, s, k)$, $f(\hat{c}, s, k)$ with $\hat{c} \neq c$. Then, she can try to recover $k$ from this material. A variant of this attack was first presented in [12].

Example 2 Let us consider $f(c, s, k) = k_0 c_0 + s_0 + k_0$. This function has been proposed in the protocol of Reid et al. [13]. This function matches the criteria required for the mafia fraud. Let us see if there is any information leakage on the key. It is easy to see that $I(k_0; f(c_0, s_0, k_0) \mid c_0) = 0$. Eve learns $s_0 + k_0$ if $c_0$ is equal to $0$. Otherwise ($c_0 = 1$), Eve learns $s_0$. Equation 2 is verified. However, it also means that Equation 5 cannot be satisfied. The fault attack provides to Eve $e_0$ ($f(1, s_0, k_0)$) and $s_0 + k_0$ ($f(0, s_0, k_0)$), so she can recover the key. Equations 3 and 4 are also not satisfied.

7 Conclusion

Studying distance bounding protocols from the perspective of vectorial Boolean functions offers many new ideas apart from giving solutions to the terrorist fraud. In this paper, we consider that the function was fixed and known to the adversary. Following these hypotheses, we define the criteria on $f$. Protocols in which Alice and Bob agree on a random Boolean function at the beginning of the protocol may be valuable and interesting from a security point of view.

Changing the function $f$ at each round could also be interesting but it should be done carefully since such a scheme may have a big impact on the accuracy of the timing procedure. A way to do so is to use a sequential circuit rather than a combinatorial circuit for the computation of the answers. By doing so, the function is virtually modified at each round without a significant impact on the timing accuracy. This approach was explored in [12, 14]. A theoretical comparison of these two strategies, combinatorial and sequential, is yet to be done.

Acknowledgement

The author would like to thank all the members of the GSI group for the fruitful discussions on the many aspects of distance bounding protocols.

References

[1] Desmedt, Y., Goutier, C., Bengio, S.: Special Uses and Abuses of the Fiat-Shamir Passport Protocol. In: Advances in Cryptology - CRYPTO'87. Lecture Notes in Computer Science 293, Santa Barbara, CA, USA, Springer-Verlag (1988) 21-39

[2] Beth, T., Desmedt, Y.: Identification Tokens - or: Solving the Chess Grandmaster Problem. In: Advances in Cryptology - CRYPTO'90. Lecture Notes in Computer Science 537, Santa Barbara, CA, USA, Springer-Verlag (1990) 169-177

[3] Rivest, R.L., Shamir, A.: How to expose an eavesdropper. Communication of the ACM 27(4) (1984) 393-394

[4] Brands, S., Chaum, D.: Distance-Bounding Protocols. In: Advances in Cryptology - EUROCRYPT'93. Lecture Notes in Computer Science 765, Lofthus, Norway, Springer-Verlag (1993) 344-359

[5] Avoine, G., Bingöl, M.A., Kardaş, S., Lauradoux, C., Martin, B.: A Framework for Analyzing RFID Distance Bounding Protocols. Journal of Computer Security - Special Issue on RFID System Security (2010) To appear.

[6] Hancke, G., Kuhn, M.: An RFID Distance Bounding Protocol. In: Conference on Security and Privacy for Emerging Areas in Communication Networks - SecureComm 2005, Athens, Greece, IEEE (2005)

[7] Hancke, G.P.: Practical Attacks on Proximity Identification Systems. In: IEEE Symposium on Security and Privacy - S&P 2006, Berkeley, California, USA, IEEE Computer Society (2006) 328-333

[8] Clulow, J., Hancke, G.P., Kuhn, M.G., Moore, T.: So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks. In: Security and Privacy in Ad-Hoc and Sensor Networks, Third European Workshop - ESAS 2006. Lecture Notes in Computer Science 4357, Hamburg, Germany, Springer Verlag (2006) 83-97

[9] Flury, M., Poturalski, M., Papadimitratos, P., Hubaux, J.P., Le Boudec, J.Y.: Effectiveness of Distance-Decreasing Attacks Against Impulse Radio Ranging. In: 3rd ACM Conference on Wireless Network Security - WiSec 2010, NJ, USA (2010)

[10] Avoine, G., Floerkemeier, C., Martin, B.: RFID Distance Bounding Multistate Enhancement. In: Proceedings of the 10th International Conference on Cryptology in India - Indocrypt 2009. Lecture Notes in Computer Science 5922, New Delhi, India, Springer-Verlag (2009) 290-307

[11] Bussard, L., Bagga, W.: Distance-bounding proof of knowledge to avoid real-time attacks. In Ryoichi, S., Sihan, Q., Eiji, O., eds.: Security and Privacy in the Age of Ubiquitous Computing. Volume 181 of IFIP International Federation for Information Processing, Chiba, Japan, Springer-Verlag (2005) 223-238

[12] Kim, C.H., Avoine, G., Koeune, F., Standaert, F.X., Pereira, O.: The Swiss-Knife RFID Distance Bounding Protocol. In: International Conference on Information Security and Cryptology - ICISC'08. Lecture Notes in Computer Science 5461, Seoul, Korea, Springer-Verlag (2008) 98-115

[13] Reid, J., Nieto, J.M.G., Tang, T., Senadji, B.: Detecting relay attacks with timing-based protocols. In: ACM symposium on Information, computer and communications security - ASIACCS'07, Singapore, ACM (2007) 204-213

[14] Kara, O., Kardaş, S., Bingöl, M.A., Avoine, G.: Optimal Security Limits of RFID Distance Bounding Protocols. In: Workshop on RFID Security - RFIDSec'10, Istanbul, Turkey (2010)
