Good morning. Our speaker today, Dr. Serge Vaudenay, is a professor at EPFL, the Swiss Federal Institute of Technology, where he heads the security and cryptography laboratory. As you know, Serge has been very active in this field. He has written many papers and books and edited proceedings as program chair of IACR conferences and workshops, including FSE 95, PKC 2005, EUROCRYPT 2006, and so on. For today's invited talk, the FSE program committee asked Serge to give a talk on RFIDs. Today's talk is about distance-bounding. This is a cross-cutting topic involving constructions based on symmetric cryptography. The title of this talk is Secure Distance-Bounding. Thank you very much.

So thank you for this kind introduction. I would like to thank the program committee for inviting me. It's a pleasure to be here. Today I will present some joint work with Ioana Boureanu and Katerina Mitrokotsa. Good. It's about distance-bounding. Distance-bounding is one way to prove that someone is close to someone else. I can prove that I'm close to you. Maybe here you think you are looking at someone who is talking, but maybe you are looking at a robot, and I am seated somewhere far away, trying to pilot this robot. So if this idea is uncomfortable for you, I can try to prove to you that I'm really close to you. That's one application of distance-bounding, maybe an interesting one. I've just arrived from CISERA, so forgive me if I say some stupidities or there is any inconsistency in this talk. I will first introduce the notion of distance-bounding, then I will essentially show that there exists no secure distance-bounding protocol in the literature so far, and try to propose a new protocol which is hopefully secure.

So first, why distance-bounding? There is a very popular way to try to win at chess. If you don't master chess very well, if you're not a very good chess player, you can try to defeat a chess grandmaster in a very easy way.
So here you have some guy who tries to defeat two grandmasters. There is one grandmaster here who is deeply thinking about what he wants to move, and another grandmaster here. This guy is defeating both of them, but the two masters do not know about this trick. So here this grandmaster makes a move; this guy is playing black, so he will run very fast to the other board to make exactly the same move, since he is playing black against the other as well, and he waits for the other to make a move so that he can go back and play the same move against the first master. With this strategy, this guy is not a very good chess player, but he can defeat the two grandmasters here, and he makes sure that both of them will have a hard time playing against him. So they think they play against this guy, but actually they are playing against each other. That's actually a relay attack. In a relay attack you have a prover and a verifier, and someone in the middle is playing against both of them at the same time. So here this guy is sending the message, so he plays the verifier side of the protocol, but he is relaying the message to a simulator of a prover here, who sends the message to the verifier. He waits for the answer and forwards it back. That's a relay attack.

So where can we have relay attacks? You can find many applications of relay attacks. This is an example. Here you have one fancy car, which can be opened and controlled by a wireless key. For some cars you have this kind of wireless key which can open and close the car and even start the engine, and sometimes you don't even have to press a button to do that. It means that someone who is close to the key holder can just relay whatever he intercepts from the key to someone who is very close to the car, and so on, so that the car will open.
Some people have demonstrated that this attack is feasible against many, many cars. So that's actually a real threat for this application of wireless car keys. Another application: here you have an EPFL fellow called Roger who tries to access the EPFL building during the night or during the weekend. During the night or the weekend the doors are not open, but you can just present this kind of card to the entrance door and the door will open. So here you have some contactless protocol between this card, which has an RFID inside, and this RFID reader, so that the door will control access and eventually open. Of course you can relay the messages from the card to the door. So for example here I have my EPFL card, so you can just be close to my pocket and relay the messages to someone at EPFL to try to open the door of EPFL. That's a relay attack, just to open the door. Another application is payment systems. Here you have one payment system which is completely wireless, with some wireless cards and this device. But you can also think of a traditional payment system with a credit card. If you try to buy something in a shop, you will use your card and try to pay on the device, but maybe this device is malicious; maybe this device is just relaying the messages to someone with a fake card who is trying to buy something which is more expensive. And you have no way to protect against this except by seeing that this terminal is malicious. So that's a relay attack and it's also a threat. Some people have demonstrated that this is a feasible attack. To avoid that, we need to prove that the card is close to the terminal registering the payment.

Okay, so for that, Brands and Chaum proposed a long time ago the notion of distance-bounding protocol. In a distance-bounding protocol you have a prover and a verifier. I won't go through this protocol here because, as you see, there is a public key and we are at FSE.
We have a signature, so that's not a good protocol to illustrate this. But later we will see some other protocols which are fully symmetric, with symmetric keys and nothing about public keys. What you can see here is that in this protocol there is a critical phase in which the verifier is sending a challenge to the prover and the prover has to respond. And this phase is time critical. So here the verifier is sending a challenge and at the same time it starts the clock, and when the response arrives it stops the clock and sees if the response arrived fast enough. If the response arrives very quickly, it means that the prover is close enough. So it checks the correctness of the response and that the response arrives very quickly. The challenge and the response consist of a single bit. Here the challenge is a bit and the response is one bit as well. So you don't have much computation to do, so you can expect that the prover will respond immediately and you will just have to measure the time. So it will measure the time of flight of the challenge and the response. Now you rely on the fact that information has a speed limit when you transmit it. The speed limit is the speed of light. Light goes pretty fast, so you have to be very quick when you do the measurement. If you make an error of one microsecond, during one microsecond the information can move by 300 meters. So if you have an imprecision of one microsecond, then when you translate it in terms of distance you have an imprecision of 300 meters. So you don't have any time to waste. You don't have one microsecond here to do the computation. You have to respond immediately, in less than one microsecond. That's the principle of distance-bounding.

So now, more formally, a distance-bounding protocol is an interactive proof. It's an interactive proof of proximity. You have a verifier, and we assume that this verifier is honest.
You have a prover; sometimes the prover may be malicious, if it tries to show that it's close to the verifier but actually it's far away, so it may be malicious. There may be a secret to characterize the prover, and on the verifier side there will be a key corresponding to this prover as well, but since we're at FSE we will assume that these keys are symmetric, so it means that the prover has a secret and the verifier knows this secret. We control that; the prover knows the secret as well. We will assume concurrency between many participants, so we may have many provers, many verifiers, and concurrency between them. We may also have malicious participants, of course. Then what do we expect from an interactive proof? We expect completeness: we expect that if an honest prover is close to the verifier and running the protocol, then the verifier will accept. We assume some notion of soundness, so it means that if the verifier accepts, then there must be one participant close to the verifier who knows the corresponding secret. And some kind of security here which says that if you honestly run the protocol then the secret doesn't leak. So it's maybe something weaker than the notion of zero-knowledge. You don't need zero-knowledge. That's the notion you need for identification: you need not to leak any information which can be used to impersonate the prover. That's what you expect.

Now in the literature people identify several kinds of threats. The first kind of threat they imagine is the notion of distance fraud. In the case of distance fraud you have a malicious prover, P*, who is interacting with the verifier. P* is far away from the verifier, but he tries to cheat in the protocol and convince the verifier that he's close enough. So when it's based on the measurement of the response time, it means that the prover has to send the responses before he receives the challenges. He has to anticipate the challenge and respond before he receives the challenge.
Another possible threat is what this man calls the mafia fraud. In that case you have an honest prover who is far away from the verifier and someone in the middle who tries to convince the verifier that the prover is close. If you think of a relay attack, that's one example of a mafia fraud: a relay attack here. You have an adversary in the middle who is relaying messages from the prover to the verifier. Since the prover is far away, it cannot work. Now we can also consider an adversary who is not only relaying messages but also manipulating the messages, trying to answer by himself or something. So we may have more general attacks by someone who is in the middle. That's another popular threat against distance-bounding. Another, more technical threat is the notion of terrorist fraud. In a terrorist fraud you have a malicious prover who is far away, and he has a friend here, and he will use his friend, who is also malicious, to convince the verifier that he is close enough. Now if his friend is close to the verifier, one trivial way is to just give him his key and let him run the protocol. But since they are malicious, even though they are friends, they don't trust each other. Here we consider an adversary, a malicious prover, who tries to get the help of a friend to pass the protocol without giving him any credential with which his friend would later be able to impersonate the prover. So he tries to help this adversary to pass the protocol, but without giving the key. Now you can also consider impersonation fraud; that's the case of an adversary who tries to convince the verifier that the prover is close, but he is not a prover, he doesn't possess a secret. And sometimes there are even more exotic attacks, such as the notion of distance hijacking. Distance hijacking was proposed by Cremers, Rasmussen, Schmidt and Čapkun.
You have a malicious prover who is far away from the verifier, but you have some other provers who are close to the verifier; they hold some other secret, and this guy is trying to interfere with the communication between this honest prover and the verifier so that the verifier will be convinced that this guy is actually close to the verifier. For some protocols this kind of attack is feasible, and it's called distance hijacking: this prover is hijacking the distance between this honest prover and the verifier. Okay? So these are the popular threats that we can find in the literature.

In our work we try to consider essentially three threat models. First, the notion of distance fraud, but in the notion of distance fraud we introduce concurrency. Normally in distance fraud you just have a malicious prover and a verifier, but here we also introduce other participants, so we tolerate concurrency. If we tolerate concurrency, then this notion also captures the notion of distance hijacking, so we can merge two threat models. We also take the notion of man-in-the-middle attack. That's an attack in which you have two phases, a learning phase and an attack phase. In the learning phase you have an adversary, provers and verifiers, and they all interact with each other without any restriction, so in this phase the adversary is trying to learn some information about the keys, essentially. During the attack phase you have a prover who is far away from the verifier, and the adversary, who has learned something during the learning phase, tries to convince the verifier that the prover is close, which is not the case. This notion is a bit more general than the mafia fraud, because in mafia fraud there is no learning phase; but if you adopt this model it also captures the notion of impersonation fraud, it's a bit more general, and it captures some other notions as well. And finally we also consider collusion fraud, which is very similar to terrorist fraud, maybe a bit more
general. We say that if a prover who is far from the verifier interacts with the adversary and makes the verifier accept, then the view of the adversary will give a clue so that this adversary can run a man-in-the-middle attack. So now he tries to extract some information to later run a man-in-the-middle attack. That's collusion fraud. This is what we want to do, and we will consider the security of protocols against these threats.

Now if you look at the literature, you have many existing protocols. This is a short list of protocols which are available in the literature. There are also many attacks. So if you look at the literature, here is the probability of success of these attacks, and you can see that for many protocols you have attacks. For example, Brands and Chaum does not resist collusion fraud; actually it was not made to resist collusion fraud, and you can see that collusion fraud is feasible. The Bussard-Bagga protocol actually has a distance fraud; it's essentially a distance fraud. And you see that for all the protocols there is at least one attack, except this Swiss-Knife protocol and this other protocol, TDB. Now these results do not include some newer, more recent attacks that we will discuss in this presentation, so we will see that actually all these protocols are vulnerable. Okay?
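As an added illustration of the time-of-flight principle described in the introduction above (this is editor-supplied example code, not code from the talk or from the speaker's papers), the following Python model simulates a verifier that checks each single-bit response for correctness and for arrival within the time budget that a distance bound allows. Timing is computed from geometry rather than a real clock; the 3 m, 10 m, 100 m distances, the 5 ns processing delay and the random shared response tables are all constructed values. A relay path that routes every bit through an adversary standing next to the verifier and out to a far-away honest prover produces correct answers that arrive too late, which is exactly what the time check is there to catch.

```python
"""Toy model of the time-critical phase of a distance-bounding protocol.

Constructed example: timing is computed from geometry instead of a real clock,
the response tables a1, a2 are random shared bits standing in for PRF output,
and all distances and the processing delay are made-up values.
"""
import secrets
from typing import Callable, List, Tuple

C_M_PER_S = 299_792_458.0      # speed of light, the hard speed limit on information
NS_PER_S = 1_000_000_000


def one_way_distance_m(delay_ns: float) -> float:
    """How far information can travel in delay_ns nanoseconds (about 300 m per microsecond)."""
    return delay_ns * C_M_PER_S / NS_PER_S


def round_trip_ns(path_m: float, processing_ns: float) -> float:
    """Flight time of one challenge bit out and one response bit back, plus prover processing."""
    return 2.0 * path_m / C_M_PER_S * NS_PER_S + processing_ns


def implied_distance_m(rtt_ns: float, processing_ns: float) -> float:
    """Distance the verifier infers from a measured round trip after removing known processing."""
    return one_way_distance_m(max(rtt_ns - processing_ns, 0.0)) / 2.0


def shared_tables(n: int) -> Tuple[List[int], List[int]]:
    """Two n-bit response vectors a1, a2 known to both sides (PRF-derived in a real protocol)."""
    return ([secrets.randbits(1) for _ in range(n)], [secrets.randbits(1) for _ in range(n)])


# A channel takes (round index, challenge in {1, 2}) and returns (response bit, measured round trip).
Channel = Callable[[int, int], Tuple[int, float]]

PROCESSING_NS = 5.0            # constructed: time the prover needs to look up one bit


def honest_channel(a1: List[int], a2: List[int], distance_m: float) -> Channel:
    """Prover at distance_m answering directly from its own tables."""
    def channel(i: int, c: int) -> Tuple[int, float]:
        response = a1[i] if c == 1 else a2[i]
        return response, round_trip_ns(distance_m, PROCESSING_NS)
    return channel


def relay_channel(a1: List[int], a2: List[int], relay_m: float, prover_m: float) -> Channel:
    """Relay (mafia-fraud) setting: an adversary relay_m from the verifier forwards every bit to
    the honest prover prover_m further away. Answers are correct, but each bit travels the whole path."""
    def channel(i: int, c: int) -> Tuple[int, float]:
        response = a1[i] if c == 1 else a2[i]
        return response, round_trip_ns(relay_m + prover_m, PROCESSING_NS)
    return channel


def verify(a1: List[int], a2: List[int], channel: Channel, bound_m: float) -> Tuple[bool, float]:
    """Verifier side of n rounds: every response must be correct AND arrive within the time
    budget that bound_m allows. Returns (accepted, distance implied by the slowest round)."""
    budget_ns = round_trip_ns(bound_m, PROCESSING_NS)
    accepted, slowest = True, 0.0
    for i in range(len(a1)):
        c = 1 + secrets.randbits(1)                  # one-bit challenge, sent as 1 or 2
        response, rtt = channel(i, c)
        slowest = max(slowest, rtt)
        expected = a1[i] if c == 1 else a2[i]
        if response != expected or rtt > budget_ns:  # wrong bit or late bit: reject
            accepted = False
    return accepted, implied_distance_m(slowest, PROCESSING_NS)


if __name__ == "__main__":
    a1, a2 = shared_tables(32)
    print("1 us of timing error = %.0f m of distance" % one_way_distance_m(1_000))
    print("honest prover at 3 m:", verify(a1, a2, honest_channel(a1, a2, 3.0), bound_m=10.0))
    print("relay 1 m + prover 100 m:", verify(a1, a2, relay_channel(a1, a2, 1.0, 100.0), bound_m=10.0))
```

The verifier never learns where the prover is; it only learns an upper bound, and the bound is only as tight as the clock and the assumed processing delay. That is why the talk insists that the response must be a single bit with no computation: every nanosecond of slack the verifier grants for processing is roughly 15 cm of distance an adversary may hide in.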
So that's it for the introduction to distance-bounding. Now we will see the difficulty of making these protocols secure. We start with a very simple protocol, which is a protocol proposed by Hancke and Kuhn in 2005. You can see that you have a prover and a verifier; they share a secret x. The prover will convince the verifier that he knows this secret and that he is close to the verifier, so the distance between the verifier and the prover is small enough. We start with some initialization, the exchange of nonces, and with these nonces they derive two vectors: with this secret key they use the pseudorandom function here and derive from the nonces two vectors a1 and a2. Then you have the distance-bounding phase, which is time critical. You have n rounds, and for each round the verifier selects one bit for the challenge, so the challenge is either 1 or 2. He sends the corresponding bit as a challenge to the prover. If the challenge is 1, the prover responds with one bit of a1; if the challenge is 2, he responds with one bit of a2. So he responds with the corresponding bit, and the verifier verifies that this bit is correct and that the response arrives quickly enough. If it goes through all the iterations, then the verifier is happy and he says OK, this authentication is accepted.

Now this protocol is vulnerable to terrorist fraud; actually it was not meant to resist it, so it's not a big discovery. Let's just see how this terrorist fraud works. In this terrorist fraud you have this malicious prover and you have the adversary, who is a friend of this malicious prover. During the initialization phase there is plenty of time, so they can just relay messages as they exchange the nonces, and at the end of this initialization the prover can just leak the two vectors a1 and a2 to the adversary. Now with these vectors a1 and a2 the adversary can run the time-critical phase; he can directly answer to the verifier. But these two vectors a1 and a2 do
not give him any advantage, so a1 and a2 will not help the adversary to later impersonate the prover. That's a terrorist fraud. OK, so if you want to protect against this kind of attack, we have to change the protocol. One way to do that is to use the protocol by this person, that we call DBM here. In this protocol you still have two vectors: the first one is derived from the nonces and the second one is just the vector a1 XORed with the secret. If you do that you cannot use the previous attack, because if you reveal a1 and a2 it means that you reveal x, since the XOR of a1 and a2 is x. So here the malicious prover can no longer reveal a1 and a2 without compromising his secret, so this attack is no longer feasible. But now with this protocol you have some other problems; actually you can do a man-in-the-middle attack against this protocol. So how does it work? This is a man-in-the-middle attack against DBM which was proposed by a team of authors. First you have an honest prover and an honest verifier, and you have an adversary who just relays messages between the prover and the verifier, so that's a learning phase. We assume that the prover is close to the verifier, so the prover and the verifier are close to each other, but there is a man in the middle who is relaying the nonces, and at the end he will relay the challenges and responses, except for one, which is at round j. He selects j, and for this round j he decides to flip the challenge: instead of forwarding c_j, he forwards the complement of c_j. And for the response he will just respond at random to this challenge. So what happens is that from the prover he gets the response to the complemented challenge, and from the verifier he will deduce the answer to this c_j, because if the verifier is happy with the protocol it means that his response was correct, and if he is not happy it means that his answer was not
correct. In any case he will deduce what the correct answer is, because the answer is just a bit. So he will deduce the answer to c_j and to the complement of c_j, so it means that he will learn one bit of a1 and the corresponding bit of a2, but since you have this relation here, it means that he will learn one bit of x. If you learn one bit of x you learn some information about x, so you can iterate this attack and you will get the vector x completely. So you can do this man-in-the-middle attack and get the secret, and with this secret you can impersonate the prover. That's a man-in-the-middle attack. So now we have a problem with this scheme, because this scheme essentially leaks x. The idea of the attack is that we have two vectors, and if you play man in the middle you can get one piece of information from the prover and the other piece of information from the verifier, so you can get the two answers corresponding to this bit. One way to fix that is, instead of having two vectors, to use three vectors, which are here. That's an idea which is used in the protocol by Avoine, Lauradoux and Martin published in 2011. So you derive again two vectors from the nonces, and now for the challenge you have three possibilities, because you will have three vectors: the first vector is a1, the second vector is a2, and the third vector will be the XOR of a1, a2 and x. So you follow this scheme, and the idea is essentially to use secret sharing. You use secret sharing and you get x, but two shares are not enough to reconstruct x; you need the three shares to reconstruct x. With the prover we get one share, with the verifier we get another share, but that's not enough to reconstruct x. That's the idea of this protocol: to use secret sharing. And what I forgot to say is that in this protocol the operation we use, this XOR, is some kind of encryption based on a one-time pad, but there was a proposal to use some other encryption scheme than that,
but these other solutions are also insecure. If you use for instance addition modulo some number, or addition with a random multiplicative factor, then we can also break this scheme with a more clever man-in-the-middle attack. This is what we proposed actually in December, as you can see. So now we go back to this protocol. Now we fix the problem of this man-in-the-middle attack, but as we will see there are still some other problems. The problem comes with the usage of this function, and it was present in all the previous protocols as well. What we use for the function here is a pseudorandom function. In many papers about distance-bounding people use pseudorandom functions. They say: see, it's pseudorandom, it's a pseudorandom function; actually, if we can break the protocol with this pseudorandom function, we can also break the protocol when we replace this function by a really random function. That's a security argument which is very familiar to people who manipulate pseudorandom functions: if you can break the protocol with this PRF, you can also break the protocol if you replace the PRF by a random function. This is what many people do: if the adversary can break the scheme with a PRF, then he can break the idealized version of the scheme where we replace it by a random function. But this argument needs some conditions to be valid. This argument is valid if the adversary doesn't have access to the PRF key, because if he has access to the PRF key he can easily distinguish the PRF from a random function, and if this PRF key is not used anywhere else. For distance fraud: if you consider distance fraud, then the first condition is not satisfied. In distance fraud the adversary is a prover who holds the key; the adversary knows the key, so this condition is not satisfied. And if you try to protect against terrorist fraud, that's the case which is here: the key is used somewhere else, it's not only used in this PRF, it's used somewhere else, so this second condition is not
satisfied either. So you cannot use this argument. It is used in some papers, but this proof is incorrect. But it's even worse: it's not only that the proof is incorrect, the result is also incorrect. There are some PRFs for which the protocol is insecure; actually we can construct PRFs for which the protocols are insecure. For the protocol TDB, what we do is that we try to program a PRF so that it will render the protocol insecure. This is a technique that we proposed recently at the Inscrypt conference. We say that if we start from a PRF, let's say that G is a PRF, we will construct another PRF which is almost everywhere equal to this PRF G, except at some very special points which are some kind of trapdoor. These trapdoors are not accessible to a regular adversary. So here's the idea: this PRF will have a trapdoor, which is actually the key of the PRF. You say that if the N_P that you input here is equal to the key, if N_P is equal to x, then F_x(N_P, N_V) is equal to x concatenated with itself; in the other cases it just corresponds to G. With this property we can easily show that F is also a PRF, but when we plant F in the protocol, the protocol is insecure. So why is it insecure? Imagine that now you have this F and you have a malicious prover. The malicious prover could select his nonce N_P equal to his secret x. He selects N_P equal to x, and what will happen is that F_x(N_P, N_V) will be equal to x concatenated with itself, so a1 and a2 are equal to x: a1 is equal to x, a2 is equal to x, and a3, which is a1 XOR a2 XOR x, is equal to x. So no matter what the challenge is, the response will always be a bit of x. Since the response doesn't depend on the challenge, the malicious prover can send the response before he sees the challenge. He can anticipate the challenge and send the response before, so that the response will arrive on time and the verifier will think that the prover is close. So we have here a distance fraud based on a real PRF. To avoid this kind of
attack we propose to change the basic protocol by using a notion of PRF masking. Here the idea is that now the verifier will select the vector A, so he will select a1 and a2, and he will send this selection encrypted using the PRF. What he sends is M, which is A XOR F_x(N_P, N_V), to the prover, so the prover can decrypt and get A. It's almost the same protocol, except that now the prover has no influence on this vector a1 and a2. He has no influence; he cannot make a1 and a2 be equal to x, for instance, even with a regular PRF. So now with a PRF this resists distance fraud. How about terrorist fraud? It's still insecure. This is still insecure against terrorist fraud, and we can again program the PRF so that the protocol is weak against terrorist fraud. So how does it work? We start with an existing PRF and we define a predicate which will say which inputs to the PRF are trapdoors. We have a possible input to the PRF, actually half of the input, some alpha and t, and we define this relation. This relation will depend on x, and normally it's hard for an adversary to create a string alpha, t which satisfies this predicate. I won't enter into the details of this predicate, but imagine that this predicate says which string alpha, t is a trapdoor and which is not. Now to define this function F, you say that for a trapdoor, if you use a trapdoor input, if N_V is a trapdoor, if N_V satisfies this predicate, then you answer with a1 and a2 equal to x. This is exceptional. In the other cases you answer with something which looks random; actually it's not exactly the function G. The function G will return some alpha, beta, gamma; what you return is alpha, beta, gamma and beta XOR G_x(alpha). We can show that this construction is also a PRF. Now what can we do with this PRF? If we plug it into our protocol, we can have an adversary who plays with a prover and who sends as challenges 1, 1, 1, 1, 1 and then 3, 3, 3, 3, 3. So for half of the rounds
the challenge will be 1, and for the other half it will be 3. When the challenge is 1 the answer comes from the vector a1, and the vector a1 is alpha, beta, so for the first half you will answer with bits of alpha, beta. The first half of alpha, beta is alpha, so you will give the adversary the vector alpha. Then for the other half the challenge is 3, and when the challenge is 3 you answer with a1 XOR a2 XOR x. a1 is this, a2 is this, so for a1 XOR a2 XOR x, taking only the right part, you will answer with G_x(alpha) XOR x. That is exactly what is required by this relation. So if you do it like this, the responses will form a vector alpha, t which satisfies the predicate. So if you run the protocol with this set of challenges you learn one trapdoor. Then you can run the protocol again using this trapdoor: you select N_V equal to this trapdoor, and the prover will select a1 and a2 equal to x, so it means that the prover will give all the bits of x by answering the challenges. With this you have another attack, which is a man-in-the-middle attack against the protocol by programming the PRF. And now there is no way to change the protocol; actually we didn't find any way to change the protocol to make it secure so that we can prove that it's secure based on the PRF assumption. The only way we found to fix this problem is to put in some extra assumption. Essentially, what we want to do here: we have this F with a key, but we are using the key somewhere else. If you know the results about homomorphic encryption, you know that for doing the bootstrapping technique at some point you need to encrypt a secret key with a public key, so you need a cryptosystem which is secure when you encrypt your secret key yourself. That's exactly the idea that we have here: we have a key and we will use the key somewhere else, so we need some extra notion. For homomorphic encryption it's called circular security for the encryption, and here is a similar
notion that we need, which is the notion of circular-keying security for a PRF. So now we need some extra assumption, this circular-keying security. Circular-keying security means that if you have an oracle such that you can select the input of the PRF and you can select a linear combination of this PRF output and a vector x', then by playing with this oracle you cannot distinguish whether x' is equal to x or x' is completely independent from x. That's the notion of circular-keying security: you cannot distinguish whether x' is equal to x or x' is independent. In a proof, when you write a proof, first you have this x, and you will change it to another game where you put something independent from x, and then you will use the PRF assumption to prove security. There is one technical problem here: if you pick some queries which are all equal on the input of the PRF, and if you have some coefficients b with a linear combination which is 0, you have to have the similar combination of the a's also be 0. You have to enforce this combination to be 0, otherwise you could make the linear combination of these responses and learn some bits of information about x' and distinguish whether x' is equal to x or not. So you have conditions on your queries, and with this you have a new notion of security which is used for a keyed PRF, which is circular-keying security. We then wondered if it is feasible to construct circular-keying secure PRFs, because we can easily construct them in the random oracle model; that's the kind of notion we need. What I forgot to say is that there are many other protocols which have problems with PRF programming. These are the protocols that we were able to break using PRF programming, and we were able to instantiate the PRF to break these protocols, including the Swiss-Knife protocol that I mentioned before. So now we have a protocol in which we assume
that F is a PRF with circular-keying security. There is still something that we didn't consider, which is the presence of noise. Remember that when you send a challenge you don't have any time to waste; you need to answer immediately, so you have no time to do computation, and you're sending just a single bit with very big power. So even through this there will be noise; some rounds will fail, some rounds will be incorrect, so you have to tolerate the noise. Since the probability of some error in one round will be a constant, the number of rounds which fail will be linear eventually, so you have a linear number of failures, so you need to tolerate some errors. What you will require now is that there are at least a number tau of correct rounds in this protocol to make the verifier happy about the proof. If we do that we may think that it doesn't have an impact on security, but actually it has. There is something which has been overlooked by many people; it comes from this paper which has been published very recently, in December last year. It was a problem identified by Hancke, which says: OK, so now if you don't need to pass all the rounds, it means that you can make a very interesting terrorist fraud. Now you have this malicious prover and his friend, the adversary, here. What they can do is collaborate for the initialization phase, but at the end of the initialization phase the malicious prover will compute the response function. For this protocol the response function is defined here, and he will send the table of this response function for exactly tau rounds. So you give tau response functions to the adversary, so the adversary will be able to use this table to respond correctly to tau rounds; all the other rounds will be answered at random, and it doesn't matter because the verifier only needs tau correct rounds. With this response function, of course, it will leak some bits of the secret, but it will leak only tau bits of the secret. So if you make sure that you are leaking the
tau same bits for every terrorist vote then you don't reveal all the other n minus tau bits and since it's a linear number of bits which remains it still it requires exponential time to reconstruct the secret so it doesn't leak the secret it leaks one bit one part of the secret but not all the bits and still takes exponential time to fully reconstruct the secret so you have here terrorist vote which which is based on the theory I want to know so now we have a problem to fix this because there is actually no easy way if you want to have this kind of protocol so now we will move on to a protocol that we designed to resist to all this kind of force that we call the ski protocol so why the ski protocol I wonder what is this acronym so we have found the Synergy infrastructure as an existing acronym we have found the Sheffield Kidney Institute so I found a series here of ski protocol so we are looking at this actually the acronym comes from the name of the author I work on this with my friends Katerina and you and we just get the first letter of the first name to make this acronym so what is this ski protocol looking like so it's very similar to what we presented except that now instead of showing to X here in this third possible challenge we show the information about X which comes from the leakage scheme so we have a leakage scheme l mu X which will leak some information about X so the idea here is that the verifier will choose what is the leakage function that he wants to have in the case there is a terrorist code and this l mu of X is defined here so essentially this l mu of X will have all the bits X prime equal all equal to the dot product between mu this vector mu and X so it means that now if you try to do a terrorist code like before you will reveal tau bits and these tau bits will all be equal to mu dot X so it means that you reveal one bit of information about X but this bit is chosen by the verifier so if in one execution of mu in the other execution you will 
find that you will select another mu and after a few trials you will reconstruct X completely that's what we have found to fix this protocol so for the completeness so if we define a function B like this so if we assume that everybody is honest if it doesn't work study the completeness if we assume that the probability that one round is incorrect is equal to this P noise constant then the probability to pass the protocol is equal to this quantity so if we apply the channel bound so we just take tau over L less than 1 minus P noise with some gap and with tau over L not too large then we are ensured to pass the protocol except with the probability that we have an exponential minus 2L squared M so we have to select tau not too large and if tau is not too large then we have completeness of the protocol that's for completeness now we can wonder what are the best attack we can find so here is the best distance that we can find against this protocol actually it's not only the best that we have found it shows that it's the best so this attack has the best probability of success that we can have against this protocol so in this attack so the prove the malicious prove just follows the protocol except that here so he has to send a response before he sees the challenge so he selects the response by taking one response with the largest pre-made by the response function so to maximize his chance to be correct he doesn't know the challenge just select the R the response which has the largest pre-made by this response function so we can show that the probability that one round is correct is 3 over 4 so if the probability we correct is 3 over 4 then the probability of success of the entire attack depending on tau is this quantity so we can again apply the channel bound and now we have to select tau large enough that the probability of success of this attack is negligible so now we have to select tau over n larger than 3 over 4 plus some tips here so tau over n needs to be larger 
than 3 over 4 it needs to be less than 1 minus p noise so that we have the two protocols so the best distance prove that we have the best mafia prove that we have is this one in this attack you have the address 3 in the middle who just relay the messages and then it does a protocol with a prove which is far away so that you will learn one response for everyone after you learn one response for everyone then you can start the distance bounding phase with a verifier so if you select the same challenge as the one that is sent to the proveer then he's happy, knows how to answer otherwise he just answers after another and with this attack we can show that one round will be correct it's quantity 2 over 3 so we can review the same computation and what we deduce is that tau over n needs to be larger than 2 over 3 so that the probability of success of this attack so that the best mafia prove that we have again the protocol and the last there is food that we have is this one so that's the best probability of success that we can have so you have a malicious proveer when he spread the address 3 so they just collaborate for the initialization phase and at the end of the initialization phase the malicious proveer will send a table of response function but this table of responses is correctly the answer is that they select some challenges and he sends the table except that for these particular challenges he puts something which is random so instead of putting for sure the correct answer he puts something which is random sometimes it's a correct answer sometimes it's not so he sends this table to the adversary and the adversary will use it to response so it's easy to show that it doesn't reveal the secret because there is one challenge which is one response in the table which is always one doubt it doesn't reveal the secret but here's the probability to pass a protocol we can show that it's 5 or 6 if it's 5 or 6 send by a kind of channel bound we obtain that tau over 10 must be 
greater than 5 or 6 plus some hexagons so to summarize if the noise is less than 1 over 6 minus 0.7 then we have completeness we have resistence with failure probability bounded by some this exponential but we need this condition so if the noise has a probability less than 1 over 6 then we can tune tau correctly we have completeness and resistance to all these actually these are not only the best that we found but we can also prove it we can prove that these are the best attacks so we are convinced that our proof is correct so if the proof is correct then we have that if we have f is a circular key in secret prf and we have we require tau correct rounds then there is no distance fault which can succeed with probability greater than this there is no mechanism in the attack which can succeed with probability greater than this and if you have a collusion fault such as the collusion fault succeeds with probability greater than this for anybody to see here then we can use the view of the adversary to run a management attack which will run which will succeed with that probability and it corresponds to the values that we have here so it means that if key noise is less than 1 over 6 you can tune tau such that all these probabilities are okay so that's maybe the first distance running protocol so we have probability against all these strike models another question is can we optimize this protocol can we do something more efficient can we minimize 10 for instance corresponding to some security can we adjust tau correctly so what happens if we have probability of noise which is greater than 1 over 6 then we don't know how to solve we don't have any protocol which can generate a noise with probability greater than 1 over 6 so that's actually the first step to make a security so that in conclusion we have seen that there are several protocols which are insecure in the literature and even so many security rules which are incorrect but now we have a protocol for which we can put 
the security and now we wonder thank you very much it's time for questions and comments are there any comments or questions from the circular security of BRF you assume that in general can you construct it from standard BRF no actually I don't know how to construct in the slum model so I presume that it may even prove some separation but that's a in fact this random all of the sanity check as it goes through to the generic model as well I didn't change I have a question is the scheme protocol or any in your presentation adopted in the real world by the so actually I don't know about existing distance-bound protocols I've heard that some distance-bound protocols it's a my fair count I don't know about it but I presume that sooner or later we have distance-bound protocols in real world it seems the presented protocols are very lightweight in terms of hardware implementation is my guess correct so here essentially we don't have so much to do in this product world what we have to do is some XOR some evolution of the PRF it's something completely linear and for the time 21 phase so if we want to compute our lines and we just have to read one bit or to compute XOR with 3 bits that I presume that the best way is just to prepare for the response to start in the memory just to read the memory so we just have 3 bits to start to prepare for the work and how large is N so how many times do you have to repeat in the distance-bound phase so N will depend on the security level so it can be maybe 80 does it take in the distance-bound phase so I don't know about practical use I presume that here if you are closing off with the speed of light being very fast then you need just 80 iterations very fast thank you very much any comments or questions just one small question is it published anywhere? the ski protocol or not yet? maybe you said it not yet and is it possible to do something I know it's FSC but is it possible to do something analog in the public key model? 
yes actually the Bronson shop protocol is in the public key model but it doesn't resist to terrorist fraud there is also another paper by some people in Bronson who has a protocol based on public key techniques but there is also a problem with terrorist fraud it doesn't resist to terrorist fraud but it's still open so you can find a protocol based on public key techniques which resist to these fraud models thanks thank you very much thank you very much you're welcome