HAL Id: inria-00576696
https://hal.inria.fr/inria-00576696
Submitted on 17 Mar 2011
HAL is a multi-disciplinary open access
archive for the deposit and dissemination of
sci-entific research documents, whether they are
pub-lished or not. The documents may come from
teaching and research institutions in France or
abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire HAL, est
destinée au dépôt et à la diffusion de documents
scientifiques de niveau recherche, publiés ou non,
émanant des établissements d’enseignement et de
recherche français ou étrangers, des laboratoires
publics ou privés.
Boolean Functions and Distance Bounding
Cédric Lauradoux
To cite this version:
Cédric Lauradoux. Boolean Functions and Distance Bounding. [Research Report] RR-7568, INRIA.
2011, pp.13. �inria-00576696�
a p p o r t
d e r e c h e r c h e
IS
S
N
0
2
4
9
-6
3
9
9
IS
R
N
IN
R
IA
/R
R
--7
5
6
8
--F
R
+
E
N
G
Networks and Telecommunications
INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Boolean Functions and Distance Bounding
Cédric Lauradoux
N° 7568
Centre de recherche INRIA Grenoble – Rhône-Alpes
655, avenue de l’Europe, 38334 Montbonnot Saint Ismier
Téléphone : +33 4 76 61 52 00 — Télécopie +33 4 76 61 52 52
Cédri Lauradoux
Theme: Networks andTele ommuni ations Networks,Systemsand Servi es,DistributedComputing
Équipe-ProjetSWING
Rapportdere her he n°7568Mar h201110pages
Abstra t: Distan e bounding proto ols are a riti al me hanism of wireless te hnologiessu hasRFIDorZigBee. Theyaimtoenfor eastrongerdenition ofauthenti ationbypreventinganykindoftherelayatta k,namelythedistan e fraud, the maafraud and theterrorist fraud. This paper aims to dene the Booleanfun tionsusedinthedistan eboundingproto olsbasedontheworkof Han keandKuhn.Indeed,the hoi eofthesefun tionshasneverbeendis ussed despitethe onsiderableliterature. Wedenethe riteriaonthefun tionneeded todefeat ea h fraud.
Key-words: Distan e bounding,man-in-the-middle,ve torialBoolean fun -tions.
Résumé : Les proto ols de distan e bounding sont très importantspour les te hnologiessansl ommelaRFID ouZigBee. Ils permettent deréaliserune versionfortedel'authenti ationrésistantauxattaquesparrelais,plus exa te-mentlafraudeàladistan e,lafraudemaeuseetlafraudeterroriste. Ce rap-portapourobje tifdedénirlespropriétésrequisespourfon tionsbooléennes employées par es proto ols. En eet, le hoix de es fon tionsn'a jamais été dis utémalgrélenombre onsidérabledepropositionspourledistan ebounding. Nousdénissonsles ritèresrequispour ontrer haquetypedefraude.
1 Introdu tion
Manin the middle atta ks(MITM) areoften redu edto aspe ial asein the ryptographi literature. Indeed,itis alwaysassumedthattheadversary tam-perswiththeexe utionofa ryptographi proto ol. Desmedt etal.[1,2℄have shownthat aMITMinwhi h theadversarysimplyforwardsthemessages be-tweentwopartiesis su ientto breakthe mostadvan ed authenti ation pro-to ols.
Therst ountermeasurestothis lass ofMITMweregivenbyRivest and Shamirin Howto exposean eavesdropper [3℄. Early solutionswere also de-visedbyDesmedt etal.[1,2℄ whentheatta ksrstappearedbut they annot byappliedinany ontext. Finally,distan eboundingproto olswereintrodu ed by Brandsand Chaum [4℄ asa solutionfor low- ost devi es. Basi ally, a dis-tan e bounding proto ol ombines anauthenti ationwith the omputation of anupper-boundonthedistan ebetweenthetwopartiesinvolved. This ombi-nationmitigatesthepossibilitytomountrelayatta ks. Theme hanismfavored to measurethedistan eisthetimeofightbe auseitrequires onlyone lo k. Moredetailsanddenitions anbefoundin [5℄.
The propositions of distan e bounding proto ol an be divided into two ategories a ording to the need or not of a nal signature to omplete the authenti ation. Thisdistin tionbetweentheproto olsinspiredbytheresultsof BrandsandChaum[4℄(presen eofasignature)andthosederivedfromHan ke and Kuhn[6℄ (nosignature). Thispaperis dedi ated to thelatter ategories, notmeaningthatourresultsdonotapplytoBrandsandChaum'sproto olbut ratherto simplifytheanalysis. The oreofanydistan eboundingproto olsis anintera tivephasein whi h Bobsendssmall hallengesto Ali ewhoanswers shortly. Thetimingofea h hallenge/responseismeasureda uratelytodedu e an upper-bound on thedistan e. Ea h response is omputedusing aBoolean fun tion
f
whotakesasinput,the hallengeandsomevariablesknownonlyby Ali eandBob. Attheend,Bob he ksthatea hanswerandits orresponding timing are onsistent.Thisworkaimstounderstandhowtheresponseis omputedandmore pre- isely how the fun tion
f
must be hosen to defeat thedierent frauds. The riteriatoresisttothedistan eandmaafraudareratherobviousforthe read-ersfamiliarwithBooleanfun tions. Themain ontributionofthepaperisthe riteriarelated to theterroristfraudwhi h apture ni elythe problemweare fa ing. Ournotationsare ompliantwiththeuseofve torialBooleanfun tions in the perspe tiveof the development of the MIMO te hnology. Throughout thepaper,theexamplesaregivenforBoolean fun tionsfor onvenien e.The Se tion 2 ontains the ba kground related to ve torial Boolean fun -tions. Ourtemplateproto olisdes ribedinSe tion3. Se tion4dealswiththe distan e fraud. Se tion 5 andSe tion 6are respe tivelydevotedto the maa fraudandtheterroristfraud.
2 Notations
We denote by
B
m
n
the set of ve torial Boolean fun tions ofn
variables andm
outputssu hthatn
andm
aretwopositiveintegersandm
≤ n
,f
: F
n
2
→ F
m
2
.Thetruthtableve tor
T
f
off
∈ B
m
n
iswritten:(f (α
0
), · · · , f (α
2
n
−1
)),
where
α
0
,
· · · , α
2
n
−1
are all theelements ofF
n
2
sorted bylexi ographi order. The algebrai normalform (ANF) isalso used to representBooleanfun tions in a ompressed notation. The Hammingweightw
H
(y)
of binary ve tory
=
(y
0
,
· · · , y
m−1
)
oflengthm
isthenumberofoneiny
:P
m−1
i=0
y
i
. Thenotationy
i
∈ F
2
denotesthei
-th oordinateofc
Denition1 Let
U
be ap
-dimensional subspa eofF
n
2
. Therestri tionoff
∈
B
m
n
toU
,denotedf
U
isdenedbyf
U
(x) = f (x), ∀x ∈ U
. Throughout thepaper, aelementx
belonging toF
n
2
is de omposed asthe ve torx
= (c, s, k)
withc
∈ F
n
c
2
,s
∈ F
n
s
2
,k
∈ F
n
k
2
su h thatn
= n
1
+ n
2
+ n
3
. Therestri tionoff
tothesubspa eU
c
ofdimensionn
2
+n
3
denedfor∀c ∈ F
n
c
2
by:U
c
= {(c, s, k)|c = cst, s ∈ F
n
2
s
andk
∈ F
n
k
2
},
issimplynoted
f
c
(x)
,∀x ∈ U
c
. Similarly,f
c,s
istherestri tionoff
toU
c,s
,i.e.c
ands
arekept onstant.Denition2 Ave torialBooleanfun tion
f
issaid tobebalan edifea h ele-mentsofF
m
2
appears2
n−m
timesin thetruthtable ve tor
T
f
.Theproto ol onsideredbetweenAli eandBobisunilateralforits authenti- ationpart. Ali eisalegitimateprover,BobtheverierandEveanadversary.
3 Template proto ol
Tosupportyourhuntof thefun tion
f
,wegiveatemplatedistan e bounding proto ol. Theproto olisdepi tedFig.1.Priortotheexe utionoftheproto ol,Ali eandBobhaveagreedonase ret key
K
ofℓ
× n
c
bits, on ave torial Booleanfun tionf
and apseudo-random fun tion (PRF)g
. Thekey is viewhas a ve torK
= (k
0
, k
1
,
· · · , k
ℓ−1
)
with
k
j
∈ F
n
k
2
,
∀j ∈ [0, ℓ − 1]
. Then, our template proto ol is omposed of three steps.1) Initialization Ali e and Bob ex hange the non es
N
A
andN
B
. They usethefun tiong
to omputetheashareinternalstateS
= (s
0
, s
1
,
· · · , s
ℓ−1
)
,
s
j
∈ F
n
s
2
,
∀j ∈ [0, ℓ − 1]
. The stateS
an be the output ofg(K, N
A
, N
B
)
. It worthmentioningthat theduration of theinitialization phaseis subje tto importanttimingvariationsbe ausethe omputationalpoweroftheprover an belimitedandthe omputationofg
anbetime onsuming.2)Intera tivephaseThisphase onsistsin
ℓ
rounds. Atea hround,Bob pi ksrandomlya hallengec
j
∈ F
n
c
2
andsendsittoAli ewhore eivesˆ
c
j
. Ali e omputes:
r
j
= f (ˆ
c
j
, s
j
, k
j
).
(1) This phaserequiredapre isesyn hronizationbe auseBob omputesthe time spentbetweentheemissionofthe hallengesc
j
and there eptionof the orre-spondinganswer
r
ˆ
j
. ThisRoundTrip Time (RTT) isdenoted
δ
j
.Ali e Bob
K
∈ F
ℓ×n
k
2
, f
∈ B
n
m
, g
aPRFK
∈ F
ℓ×n
k
2
, f
∈ B
n
m
, g
aPRF Initializationphase Pi ksN
A
N
A
−−−−−−−−−−−−→
N
B
←−−−−−−−−−−−−
Pi ksN
B
Forj
= 1 · · · m
Forj
= 1 · · · m
Fori
= 1 · · · n
Fori
= 1 · · · n
Computes
r
i,j
Computesr
i,j
Intera tivephase For
j
= 1 · · · ℓ
ˆ
c
j
←−−−−−−−−−−−
Pi ksc
j
∈ F
n
c
2
r
j
= f (ˆ
c
j
, s
j
, k
j
)
Sendsr
j
−−−−−−−−−−→
r
ˆ
j
Measuresδt
j
Result If∀c
j
ˆ
r
j
?
= f (c
j
, s
j
, k
j
)
and∀j
,δt
j
≤ ∆
ThenSu ess Otherwise FailureFigure1: Thetemplatedistan eboundingproto ol.
3) Result Bob he ks that ea h answer
ˆ
r
i
re eived from Ali e is orre t, i.e.r
ˆ
j
= f (c
j
, s
j
, k
j
)
andthat
∀i, δ
i
≤ ∆
with∆
agiventhreshold. Thetime measuringmethodandtheatta ksrelatedtothisme hanismarenotdis ussed in here. Thepre ision of this measurementis riti al with respe t to the ap-pli ations. Thereaders an onsulttheworks[7,8, 9℄formoreinformationon thissubje t.Thetemplateproto oldes ribedinthisse tionfollowstheprin ipledened byHan keandKuhn[6℄ ex eptfortwopoints.
Multi- hannel ommuni ations Ali e and Bob are using MIMO radio systemsoverahalf-duplex hannel,i.e. they antransmitseveralbits simulta-neously overdierent hannels. It impliesthat
n
c
>
1
andm >
1
. A similar hypothesisismadein[10℄with MUSE-p
HKin whi hsymbolsbelongingtoF
p
,p >
2
aretransmittedbyAli e andBob. Inthe originalworksof Han keand Kuhn[6℄,thevaluesn
c
= 1
,n
= 3
andm
= 1
were onsideredforanusagein RFID.Wealsoassumethat the ommuni ationsarenoise-free.Key insertion The purpose of the proto ol of Han ke and Kuhn [6℄ is to defeat the maa fraud and the distan e fraud. All the variables used as an inputtothefun tion
f
providednoinformationonthekey(n
k
= 0
). itresults that thisproto ol annotdefeattheterroristfraud. As a onsequen e,thekey shared byAli e and Bob must be dire tly used during the omputation off
.BussardandBagga[11℄aretobe reditedforthisidea. Thisparti ularproblem is onsideredin Se tion6.
Inourproto ol,alltheroundsare independent. Inwhat followsthe round number
j
isoftenomittedforthevariablesc, s, k
to simplifythenotations. Example1 Theproto olproposedbyHan keandKuhn[6 ℄usedtheparametersn
= 3, m = 1
,n
k
= 0
,n
c
= 1
andn
s
= 2
. The Boolean fun tionf
used is denedby:∀c ∈ F
2
, s
∈ F
2
2
, f
(c
0
, s
0
, s
1
) = c
0
s
0
+ c
0
s
1
+ s
1
.
Wenow onsider how to the fun tion
f
is hosen. Finding good ve torial Boolean fun tion onsists to nd the appropriate restri tions off
that will aptureagivenatta k.4 Distan e fraud
Inadistan efraud,Ali eattemptstolieonherdistan etoBob. Su hanatta k is parti ularly riti al for ankle monitor in riminal surveillan e appli ations. The ankle monitor has to restri t the a tion of Ali e. If she is not in the neighborhoodofBob andanalarmis triggered. IfAli e anmakebelieveBob sheisin theneighborhoodwhilesheisnot: she an ommit rimes.
To arryoutadistan efraud,Ali e antryto ompensatetheextradistan e by answering Bob's hallengesbefore they were sent. This strategy is known astheearly reply in theliterature. TheabilityofAli etosu eedthedistan e frauddepends onher apabilitytointera twith theanklemonitor(the devi e used to exe utethe proto ol). If the devi e is tamperedresistant, then Ali e is onherown. Thisis referredasthebla k-boxmodelin theliterature[5℄. To defeat su hanadversary,thefun tion
f
mustbe hosensu hthat:Property 1 To defeat the distan e fraud in the bla k-box model, the fun tion
f
in the proto olP
mustbebalan ed.Anybiasin thefun tionprovideanadvantagetotheadversary.
ThereisanwayforAli etosu eedtheearlyreplystrategy. She anexe ute the intera tive phasewith our devi e prior to exe uting the intera tivephase with Bob. She send
c
ˆ
∈ F
n
c
2
to the devi e and obtainr
= f (ˆ
c, s, k)
. This information an help Ali e to hoose an appropriate reply. This strategy is known aspre-ask-then-early-reply. If the fun tion is not hosen properly and adversary an narrowdown the possible answer and gainan advantage. The followingproperty apturethis strategyto modelitintoa riterionforf
. Property 2 Tomaximizetheresistan etothepre-ask-then-early-replystrategy in thebla k-boxmodel,the fun tionf
mustveriedthat:∀c, s, k, ˆ
c, f
U
(c, s, k)
isbalan edwithU
= {(c, s, k)|f (ˆ
c, s, k) = r, ˆ
c
= cst}.
The other model for the relation between Ali e and her devi e is known as the white-box. Ali e an tamper with the exe ution of the algorithm to re overusefulinformation. Itmeansthat Ali eknowstheinternalvalueofthe algorithm,i.e.s
andk
.Property 3 Tomaximize the resistan e tothe distan e fraudin the white-box model, thefun tion
f
mustveried:∀s, k, f
s,k
(c, s, k)
isbalan ed.Property3is thestrongestonesin eweassumethat Ali ehasa essedto thelargeamountofinformation.
Remark 1 The reader familiar with the design of blo k- iphers andespe ially s-boxes,may haveremarkedthat wearenotsofar fromthe resilien y riterion (ex ept for Property 2). Indeed, it applies on a subset of inputvariables of
f
nottoallthe variables. Thismakesthe dieren ewith resilien y.5 Maa fraud
Inthemaafraud,anexternaladversary,Eve,isintrodu edandAli eis on e againhonest. Toimpersonate Ali eandmeet thetiming onstraints,Everst relaytheinitialization phase. Then, shehastwostrategies,namely theno-ask strategyandthepre-ask strategy,tosu eedtheatta k. Intheno-askstrategy, Eveexe utesdire tlytheintera tivephasewithBob. Sheknows
c
whi hdenes theappropriaterestri tiontoworkwith.Property 4 Tomaximize the resistan e tothe no-askstrategy,the fun tion
f
mustveried:∀c, f
c
(c, s, k)
isbalan ed.Inthepre-askstrategy,Eveisallowedtoexe utetheintera tivephasewith Ali e prior to exe uting her own instan e of the intera tive phase with Bob. Eve sends
ˆ
c
to Ali e and obtainr
= f (ˆ
c, s, k)
. During the exe ution of the intera tive phasewith Bob, Evere eivesc
and attempts to answer. Ifc
ˆ
= c
, sherepliesr
andwins theround. Otherwise, sheisonherownifthefun tion veriesthefollowingproperty.Property 5 Tomaximizethe resistan etothepre-askstrategy,thefun tion
f
mustveried:∀c 6= ˆ
c, I(f (c, s, k); f (ˆ
c, s, k)) = 0,
where
I
stands forthe mutualinformation.Onemayhavenoti edthefa t thatweneverspeakaboutthedis losureof the keyduring our analysis of thedistan e and maa fraud. In fa t, we an dealwith these twofraudswhile onsidering
n
k
= 0
. The problemof the key dis losureis relatedto theterroristfraud.6 Terrorist fraud
Theterroristfraudisatri kybusiness. Theproto oldesignerhastodealwith twoadversaries.Indeed,Ali e onspireswithEvetode eiveBobonthedistan e betweenthem. Su has enarioo urswhenAli epaysEveforgettingaperfe t alibi to ommit a rime. The terrorist fraud anbe risky for Ali e if Eve is able to (re)impersonate her afterward: Eve ould ommit rimes pretending
to be Ali e. Hen e, Ali e agrees to arry out a terroristfraud only if Eve is abletoa hieveaone-timeimpersonation. Morepre isely,weassumethatAli e does notget involved in aterroristfraud if Eve, by doing so, may gainsome advantageforfurtheratta ks.
Toprevent amali iousAli e from helping Eve, these ret keymust be in-trodu edasaninputto
f
asanin entivenotto heat. Moreover,these retof an honest Ali e must notbeexposed. Theswiss knife to thwartthis fraudis threshold ryptography.Property 6 Toprevenanykeyleakageduringaterroristfraud,thefun tion
f
that∀c, s, k
:I(k; f (c, s, k)|c) =
0,
(2)I(k; f (c, s, k)|c, Φ
δ−1
(s)) =
0,
(3)I(k; f (c, s, k)|c, Φ
δ
(s)) =
n
k
,
(4)I(k; f (c, s, k)|c, f (ˆ
c, s, k)|ˆ
c) =
0,
(5) wherec
ˆ
6= c
andΦ
δ
(s)
isany ombinationofδ
oordinates ofs
.Ea hequationofthepreviousproperty orrespondstoaspe i situationofour proto ol. Fromthissituation,Eve anextra tsomeknowledgeonthevariables ofthepro otol.
Equation2Therstthingto he kisifaneavesdropper anre over
k
from the hallengec
andits orrespondinganswerf
(c, s, k)
.Equation3and4The on ernofthis equationisto determinedhowmu h information an be provided by Ali e to Eve. Equation 3 and 4 des ribes a thresholds heme. Providingtoomu hinformationtoEvemustexposethekey. Thefun tion
f
, kandthe oordinatesofs
a t asasystemofshares in se ret-sharings heme.Equation5Eve anlaun hfaultatta kinordertore overthekey. Tomount thisatta k,shemodiesthelegitimate hallenge
c
su hthatAli ere eivesˆ
c
withˆ
c
6= c
. Ali esendsr
= f (ˆ
c, s, k)
toBob. ButEvetamperswiththisanswerand Bob re eivedr
ˆ
hosenbyEve. If Eveknowsiftheresultis orre tornot,she knowsf
(c, s, k)
,f
(ˆ
c, s, k)
withc
ˆ
6= c
. Then,she antrytore overk
from this material. Avariantofthisatta kwasrstpresentedin [12℄.Example2 Let onsider
f
(c, s, k) = k
0
c
0
+ s
0
+ k
0
. This fun tion has been proposedin the proto ol of Reid et al.[13℄. This fun tion mat hes the riteria requiredforthe maafraud. Letseeifthereareany informationleakageonthe key. It iseasy tosee thatI(k
0
; f (c
0
, s
0
, k
0
)|c
0
) = 0
. Evelearnss
0
+ k
0
ifc
0
is equal to0
. Otherwise(c
0
= 1
),Evelearnss
0
. Equation 2isveried. However, it also means that Equation 5 an not be satised. The fault atta k provides to Evee
0
(f
(1, s
0
, k
0
)
) ands
0
+ k
0
(f
(0, s
0
, k
0
)
), so she an re over the key. Equation 3and4arealso notsatised.7 Con lusion
Studyingdistan eboundingproto olsfromtheperspe tiveofve torialBoolean fun tions oers many new ideas apart from giving solutions to the terrorist fraud. Inthispaper,we onsiderthat thefun tion wasxedandknowntothe adversary. Followingthese hypothesis,wedenethe riteriaon
f
. Proto olsin whi h Ali eandBob agree onarandom Booleanfun tion atthe beginning of theproto olmaybevaluableandinterestingfrom ase uritypointofview.Changingthefun tion
f
atea hround ouldbealsointerestingbutitshould bedone arefullysin e su h as heme mayhaveabigimpa ton thea ura y of the timing pro edure. A way to do sois to use asequential ir uit rather thana ombinatorial ir uitforthe omputationof theanswers. Bydoingso, the fun tion is virtually modied at ea h round without a signi ant impa t onthe timinga ura y. This approa h wasexploredin [12, 14℄. A theoreti al omparison of these two strategies, ombinatorial and sequential is yet to be done.A knowledgement
TheauthorwouldliketothankallthemembersoftheGSIgroupforthefruitful dis ussionsonthemanyaspe tsofdistan e boundingproto ols.
Referen es
[1℄ Desmedt,Y.,Goutier,C.,Bengio,S.: Spe ialUsesandAbusesofthe Fiat-ShamirPassportProto ol.In: Advan esinCryptologyCRYPTO'87. Le -tureNotesin ComputerS ien e 293,Santa Barbara,CA, USA, Springer-Verlag(1988)2139
[2℄ Beth, T., Desmedt, Y.: Identi ation Tokens - or: Solving the Chess GrandmasterProblem.In:Advan esinCryptologyCRYPTO'90.Le ture NotesinComputerS ien e537,SantaBarbara,CA,USA,Springer-Verlag (1990)169177
[3℄ Rivest,R.L.,Shamir,A.: Howtoexposeaneavesdropper.Communi ation oftheACM 27(4)(1984)393394
[4℄ Brands, S., Chaum, D.: Distan e-Bounding Proto ols. In: Advan es in Cryptology EUROCRYPT'93. Le ture Notesin ComputerS ien e 765, Lofthus,Norway,Springer-Verlag(1993)344359
[5℄ Avoine,G.,Bingöl,M.A.,Karda³,S.,Lauradoux,C.,Martin,B.: AF rame-work forAnalyzingRFID Distan e BoundingProto ols. Journalof Com-puterSe uritySpe ialIssueonRFIDSystemSe urity(2010)Toappear.
[6℄ Han ke,G., Kuhn,M.: An RFID Distan eBounding Proto ol. In: Con-feren e on Se urity and Priva y for Emerging Areas in Communi ation NetworksSe ureComm2005,Athens,Gree e, IEEE(2005)
[7℄ Han ke,G.P.: Pra ti al Atta ksonProximityIdenti ationSystems. In: IEEESymposiumonSe urityandPriva y-S&P2006,Berkeley,California, USA,IEEEComputerSo iety(2006)328333
[8℄ Clulow,J.,Han ke,G.P.,Kuhn,M.G.,Moore,T.: SoNearandYetSoFar: Distan e-BoundingAtta ksinWirelessNetworks. In:Se urityandPriva y inAd-Ho andSensorNetworks,ThirdEuropeanWorkshop-ESAS2006. Le ture Notes in Computer S ien e 4357, Hamburg, Germany, Springer Verlag(2006)8397
[9℄ Flury, M., Poturalski, M., Papadimitratos, P., Hubaux, J.P., LeBoude , J.Y.: Ee tivenessofDistan e-De reasingAtta ksAgainstImpulseRadio Ranging. In: 3rdACMConferen e onWirelessNetworkSe urity-WiSe 2010,NJ,USA(2010)
[10℄ Avoine,G.,Floerkemeier,C.,Martin,B.: RFIDDistan eBounding Multi-stateEnhan ement. In: Pro eedingsof the10thInternationalConferen e onCryptologyinIndiaIndo rypt2009.Le tureNotes inComputer S i-en e5922,NewDelhi,India,Springer-Verlag(2009)290307
[11℄ Bussard,L., Bagga, W.: Distan e-bounding proofof knowledgeto avoid real-time atta ks. In Ryoi hi, S., Sihan, Q., Eiji, O., eds.: Se urity and Priva y in theAge of Ubiquitous Computing. Volume 181of IFIP Inter-national Federationfor Information Pro essing., Chiba, Japan, Springer-Verlag(2005)223238
[12℄ Kim, C.H., Avoine, G., Koeune, F., Standaert, F.X., Pereira, O.: The Swiss-Knife RFIDDistan e BoundingProto ol. In: International Confer-en eonInformationSe urityandCryptologyICISC'08.Le tureNotesin ComputerS ien e5461,Seoul,Korea,Springer-Verlag(2008)98115
[13℄ Reid,J.,Nieto,J.M.G.,Tang,T.,Senadji,B.: Dete tingrelayatta kswith timing-based proto ols. In: ACM symposium on Information, omputer and ommuni ationsse urity-ASIACCS'07,Singapore,ACM(2007)204 213
[14℄ Kara,O., Karda³,S.,Bingöl, M.A., Avoine,G.: OptimalSe urityLimits ofRFID Distan eBoundingProto ols. In: Workshop onRFIDSe urity RFIDSe '10,Istanbul,Turkey(2010)
Centre de recherche INRIA Grenoble – Rhône-Alpes
655, avenue de l’Europe - 38334 Montbonnot Saint-Ismier (France)
Centre de recherche INRIA Bordeaux – Sud Ouest : Domaine Universitaire - 351, cours de la Libération - 33405 Talence Cedex
Centre de recherche INRIA Lille – Nord Europe : Parc Scientifique de la Haute Borne - 40, avenue Halley - 59650 Villeneuve d’Ascq
Centre de recherche INRIA Nancy – Grand Est : LORIA, Technopôle de Nancy-Brabois - Campus scientifique
615, rue du Jardin Botanique - BP 101 - 54602 Villers-lès-Nancy Cedex
Centre de recherche INRIA Paris – Rocquencourt : Domaine de Voluceau - Rocquencourt - BP 105 - 78153 Le Chesnay Cedex
Centre de recherche INRIA Rennes – Bretagne Atlantique : IRISA, Campus universitaire de Beaulieu - 35042 Rennes Cedex
Centre de recherche INRIA Saclay – Île-de-France : Parc Orsay Université - ZAC des Vignes : 4, rue Jacques Monod - 91893 Orsay Cedex
Centre de recherche INRIA Sophia Antipolis – Méditerranée : 2004, route des Lucioles - BP 93 - 06902 Sophia Antipolis Cedex
Éditeur
INRIA - Domaine de Voluceau - Rocquencourt, BP 105 - 78153 Le Chesnay Cedex (France)
http://www.inria.fr