Expected Loss Bounds for Authentication in Constrained Channels
C. Dimitrakakis
A. Mitrokotsa
S. Vaudenay
27 March 2012
C. Dimitrakakis, A. Mitrokotsa, S. Vaudenay
Loss bounds for constrained authentication
Motivation: Relay attacks
[Figure: relay attack; labels: Prover (RFID tag), Verifier (RFID reader), Adversary tag, Adversary reader, 10 km.]
Motivation: Distance bounding protocols
Countermeasure against relay attacks
Distance-bounding challenge-response authentication.
The verifier V can upper bound the distance to an untrusted prover P.
Based on response time
⇒ simple calculations required for cheap devices.
Main trade-off
More resource use versus higher protocol accuracy.
[Figure: distance-bounding range versus communication range; labels: Attacker, Legitimate User.]
Overview of our proposal
Constrained channel authentication
Challenge-response phase: lasting n rounds with no error correction.
Success: iff the response is τ-close to the correct response, with τ a tolerance threshold.
Losses: Trade off false acceptance, false rejection and communication cost.
Standard cryptographic authentication
Challenge-response phase: lasting n rounds assuming error-free channel
Success: iff response is perfectly correct
Error: Make n large enough to be secure with high probability.
Our solution: Expected loss analysis
Integrates error analysis with cryptographic analysis
Overview
Our contributions
We propose an expected loss model for authentication.
We formulate the problem as minimising the worst-case expected loss.
We suggest an algorithm for doing so.
We prove tight upper and lower bounds.
We apply these bounds to RFID authentication.
We show that our approach strictly dominates others in practice.
Additive-error challenge-response authentication protocol
Definition
1. Select the number of challenge-response rounds $n \in \mathbb{N}$.
2. Select a threshold $\tau \in \mathbb{N}$.
3. At the i-th round:
   (i) The verifier sends a challenge $c_i$.
   (ii) The prover responds with $r_i$.
   (iii) The verifier calculates an error $\varepsilon_i \in [0, 1]$.
4. The verifier calculates the error function
   $$\varepsilon = \sum_{i=1}^{n} \varepsilon_i$$
5. The verifier V rejects the prover (authenticator) P, if and only if $\varepsilon \ge \tau$.
Expected Loss Analysis
Loss
$\ell_A$: loss if we authenticate a malicious party A (attacker).
$\ell_U$: loss if we fail to authenticate a valid party U (user).
$\ell_B$: cost of each round of the challenge-response phase.
Total loss
The (random) loss when the prover P is:
$$L = \begin{cases} n\ell_B + \ell_U, & \text{if } \varepsilon \ge \tau \text{ and } P = U \\ n\ell_B + \ell_A, & \text{if } \varepsilon < \tau \text{ and } P = A \\ n\ell_B, & \text{otherwise.} \end{cases}$$
Expected Loss Analysis
Expected Loss
The expected loss when the communicating party is an attacker A or the user U is given by respectively:
$$E(L \mid A) = n\ell_B + P(\varepsilon < \tau \mid A)\,\ell_A + P(\varepsilon \ge \tau \mid A) \cdot 0 = n\ell_B + P(\varepsilon < \tau \mid A)\,\ell_A$$
$$E(L \mid U) = n\ell_B + P(\varepsilon < \tau \mid U) \cdot 0 + P(\varepsilon \ge \tau \mid U)\,\ell_U = n\ell_B + P(\varepsilon \ge \tau \mid U)\,\ell_U.$$
Our goal: minimise worst-case expected loss
The expected loss is in any case bounded by the worst-case expected loss:
$$E L \le \max\{E(L \mid A), E(L \mid U)\}.$$
Overview of the Analysis
We must choose τ, n so that no matter if $P = A$ or $P = U$, the expected loss $E(L \mid P)$ is as small as possible.
Intuitively, this happens when $E(L \mid P = A, \tau) = E(L \mid P = U, \tau)$.
First, we choose a nearly-optimal threshold τ for a fixed number of rounds n.
Then, we optimise n.
Choice of threshold
Intermediate step: Bound worst-case expected loss for any given τ, n.
Assumption
$p_A \le E(\varepsilon_i \mid A)$: a lower bound on the per-round error of the attacker A.
$p_U \ge E(\varepsilon_i \mid U)$: an upper bound on the per-round error of a user U.
$p_A > p_U$.
Lemma (Basic expected loss bound)
Let $\varepsilon_i \in [0, 1]$ be the i-th round error. If Ass. 1 holds $\forall i$, then:
$$L(n; \tau) = n\ell_B + \max\left\{ e^{-\frac{2}{n}(n p_U - \tau)^2}\,\ell_U,\; e^{-\frac{2}{n}(n p_A - \tau)^2}\,\ell_A \right\} \ge \max\{E(L \mid A), E(L \mid U)\} \ge E L$$
is a bound on the expected loss of threshold τ and rounds n.
Choice of threshold
Theorem (Expected loss for fixed n)
Let $\rho = \ell_A/\ell_U$ and select
$$\hat\tau_n = \frac{n(p_A + p_U)}{2} - \frac{\ln \rho}{4\Delta}.$$
If $n p_U \le \tau \le n p_A$, then the expected loss E L is bounded by:
$$E(L \mid n, \hat\tau_n) \le n\ell_B + \exp\left(-\frac{n}{2}\Delta^2\right)\sqrt{\ell_A \ell_U},$$
with $\Delta = p_A - p_U$.
Matching lower bound
For Bernoulli-distributed errors, we can prove a matching lower bound so that:
$$\exp\left(-2(p_U - c)^2 n\right) \ge E(L \mid n) - n\ell_B \ge \exp\left(\left[c \ln\frac{p_U}{c} + (1 - c)\ln(1 - p_U)\right] n\right)$$
Choice of the number of rounds
Theorem (Upper bound on expected loss)
Assume $\ell_A, \ell_U, \ell_B > 0$. If we choose $\tau = \hat\tau_n$ and
$$\hat n = \frac{\sqrt{1 + 2CK} - 1}{C},$$
where $C = \Delta^2$ and $K = \sqrt{\ell_A \ell_U}/\ell_B$, then the expected loss E L is bounded as:
$$E(L \mid \hat\tau_n, \hat n) \le \frac{1}{\Delta}\sqrt{8\ell_B}\,(\ell_A \ell_U)^{1/4}$$
Analysis of RFID Thresholded Protocols
Two RFID distance-bounding protocols:
Swiss-Knife [KAK 08] & Hitomi [PLHCD 10].
If the noise is ω, we can show [MDPLHC10] that $p_A = \frac{\omega + 1}{2}$, $p_U = 2\omega$.
So, for these protocols:
$$E L \le n\ell_B + e^{-\frac{(1 - 3\omega)^2}{8} n}\sqrt{\ell_A \ell_U},$$
Comparison of all losses
[Plot: expected loss vs. bit error rate; curves: ns, hns, ELBT1, ELBT2.]
Figure: The worst-case expected Loss L and the bounds L1 and L2 from theorems 1 and 2 respectively vs. the channel error rate ω. n is the value of n that minimises the worst-case expected loss.
Getting rid of the assumption: Estimating ω
How can we estimate $p_A$, $p_U$?
[Figure: an initial message x (length m) is passed through the coding function Φ to give the coded message Φ(x) (length k).]
The initialisation phase uses a coding function $\Phi : X^m \to X^k$, with $k > m$.
Estimating ω
[Figure: coding from $X^m$ to $X^k$.]
Coding function $\Phi : X^m \to X^k$, with $k > m$.
A metric γ on $X^k$ (usually $X = \{0, 1\}$ and γ the Hamming distance) s.t.:
$$\gamma_{\min} = \min\{\gamma(\Phi(x), \Phi(y)) : x, y \in X^m, x \ne y\}$$
For $x \in X^m$, the source sends $\phi = \Phi(x)$; the sink gets $\hat\phi$, with $\phi, \hat\phi \in X^k$.
The channel has a symmetric error rate $\omega = P(\hat\phi_i \ne \phi_i)$.
This is decoded as $\hat x = \operatorname{argmin}\{\gamma(\hat\phi, \Phi(x)) : x \in X^m\}$.
Let θ be the number of errors in $\hat\phi$, $\theta = \gamma(\phi, \hat\phi)$.
Let $\hat\theta = \gamma(\Phi(\hat x), \hat\phi)$ be the distance between the closest valid codeword $\Phi(\hat x)$ and the received $\hat\phi$.
Estimating ω
Main idea
We always select the correct codeword, i.e. $\theta = \hat\theta$, if $\theta < (\gamma_{\min} - 1)/2$.
Let $\hat\omega = \hat\theta / k$ be our empirical error rate.
Via the Hoeffding inequality we can obtain high probability bounds for ω.
Bounds for the Swiss-Knife [KAK 08] family of protocols
The following values for $p_A$ and $p_U$ hold with probability $1 - \delta$:
$$p_A = \frac{1 + \hat\omega}{2} - \sqrt{\frac{\ln(2/\delta)}{8k}}, \qquad p_U = 2\hat\omega + \sqrt{\frac{2\ln(2/\delta)}{k}}.$$
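Added example (not code from the slides or the authors): the threshold and round selection from the two theorems, applied to the Swiss-Knife/Hitomi values of p_A and p_U and checked against the exact worst-case expected loss for Bernoulli round errors. Function names, rounding n̂ up to an integer, and the sample values ω = 0.05, k = 1024 are assumptions; the losses ℓ_A = 10, ℓ_U = 1, ℓ_B = 0.01 are the ones used in the experiments.

```python
import math

def noise_bounds(omega_hat, k, delta):
    """High-probability (1 - delta) values of p_A, p_U from the empirical rate."""
    p_a = (1 + omega_hat) / 2 - math.sqrt(math.log(2 / delta) / (8 * k))
    p_u = 2 * omega_hat + math.sqrt(2 * math.log(2 / delta) / k)
    return p_a, p_u

def plan(p_a, p_u, l_a, l_u, l_b):
    """Rounds n (n-hat rounded up, an assumption) and threshold tau-hat_n."""
    gap = p_a - p_u                                  # Delta
    if gap <= 0:
        raise ValueError("need p_A > p_U: channel too noisy or k too small")
    c, big_k = gap ** 2, math.sqrt(l_a * l_u) / l_b  # C and K of the theorem
    n = math.ceil((math.sqrt(1 + 2 * c * big_k) - 1) / c)
    tau = n * (p_a + p_u) / 2 - math.log(l_a / l_u) / (4 * gap)
    if not n * p_u <= tau <= n * p_a:
        raise ValueError("tau-hat_n outside [n p_U, n p_A]")
    return n, tau

def hoeffding_bound(n, tau, p_a, p_u, l_a, l_u, l_b):
    """L(n; tau) from the lemma."""
    reject_user = math.exp(-2 * (n * p_u - tau) ** 2 / n) * l_u
    accept_attacker = math.exp(-2 * (n * p_a - tau) ** 2 / n) * l_a
    return n * l_b + max(reject_user, accept_attacker)

def tail_ge(n, p, tau):
    """P(eps >= tau) when eps is a sum of n Bernoulli(p) round errors."""
    first = max(0, math.ceil(tau))
    return sum(math.comb(n, j) * p**j * (1 - p)**(n - j) for j in range(first, n + 1))

def exact_worst_case(n, tau, p_a, p_u, l_a, l_u, l_b):
    """max{E(L|A), E(L|U)} for Bernoulli errors with rates exactly p_A, p_U."""
    false_accept = 1 - tail_ge(n, p_a, tau)          # P(eps < tau | A)
    false_reject = tail_ge(n, p_u, tau)              # P(eps >= tau | U)
    return n * l_b + max(false_accept * l_a, false_reject * l_u)

def demo(omega=0.05, l_a=10.0, l_u=1.0, l_b=0.01):
    p_a, p_u = (1 + omega) / 2, 2 * omega            # Swiss-Knife / Hitomi values
    n, tau = plan(p_a, p_u, l_a, l_u, l_b)
    args = (n, tau, p_a, p_u, l_a, l_u, l_b)
    thm1 = n * l_b + math.exp(-n * (p_a - p_u) ** 2 / 2) * math.sqrt(l_a * l_u)
    return n, tau, exact_worst_case(*args), hoeffding_bound(*args), thm1

if __name__ == "__main__":
    print(demo())
    print(noise_bounds(omega_hat=0.05, k=1024, delta=0.01))
```

With a short code word (small k) the high-probability values can give p_A ≤ p_U, in which case `plan` refuses to pick a threshold rather than returning one the theorems do not cover.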
Experimental comparison
Comparison 1: noise estimators
Arbitrary values of ω.
Empirical value ω̂.
High-probability values ω̂.
Comparison 2: thresholds
Our approach.
An asymptotically optimal Bayesian approach [BSV10].
Our approach
[Plot: expected loss vs. omega; curves: hw=0.1, hw=0.01, hw=0.001, hw=k/n, d=0.1, d=0.01.]
Figure: Our threshold a) Arbitrary noise: $\hat\omega \in \{10^{-1}, 10^{-2}, 10^{-3}\}$. b) Empirically estimated $\hat\omega = \hat\theta / k$, c) $p_A$, $p_U$ calculated via the bound with $\delta \in \{10^{-1}, 10^{-2}\}$. We assume $\ell_A = 10$, $\ell_U = 1$, $\ell_B = 10^{-2}$.
Bayesian approach [BSV10]
[Plot: expected loss vs. omega; curves: hw=0.1, hw=0.01, hw=0.001, hw=k/n, d=0.1, d=0.01.]
Figure: Asymptotic threshold a) Arbitrary noise: $\hat\omega \in \{10^{-1}, 10^{-2}, 10^{-3}\}$. b) Empirically estimated $\hat\omega = \hat\theta / k$, c) $p_A$, $p_U$ calculated via the bound with $\delta \in \{10^{-1}, 10^{-2}\}$. We assume $\ell_A = 10$, $\ell_U = 1$, $\ell_B = 10^{-2}$.
Conclusions
Contributions
Proposed a loss framework for authentication in constrained channels.
Performed expected loss analysis.
Integrates error analysis with cryptographic analysis.
Important in communications where:
challenges & responses are costly,
significant uncertainty about response correctness.
Simple algorithm for selecting a threshold and number of rounds
Provided bounds on the worst case expected loss.
Presented a high probability method for estimating the channel noise.
Applied to RFID distance bounding protocols
Showed it strictly dominates other approaches.
Applications and Future work
Captchas.
Generalisation of the analysis.
[BSV10] T. Baignères, P. Sepehrdad, and S. Vaudenay. Distinguishing distributions using Chernoff information. In ProvSec 2010. Springer-Verlag, 2010.
[KAK 08] C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira. The Swiss-Knife RFID Distance Bounding Protocol. In Proceedings of ICISC ’08, LNCS. Springer-Verlag, Dec. 2008.
[MDPLHC10] A. Mitrokotsa, C. Dimitrakakis, P. Peris-Lopez, and J. C. Hernandez-Castro. Reid et al.’s distance bounding protocol and mafia fraud attacks over noisy channels. IEEE Communications Letters, 14(2):121–123, 2010.
[PLHCD 10] P. Peris-Lopez, J. C. Hernandez-Castro, C. Dimitrakakis, A. Mitrokotsa, and J. M. E. Tapiador. Shedding Light on RFID Distance Bounding Protocols and Terrorist Fraud Attacks. Computer Communications, Submitted, arXiv:0906.4618, 2010.