Cryptographic Primitives in RFID Systems


Academic year: 2022


deposit_hagen

Publication Server of the University Library

Mathematics and Computer Science

Dissertation

Gabriele Spenger

Cryptographic Primitives in RFID Systems


Dissertation for the Degree of

Doctor of Natural Sciences (Dr. rer. nat.)

Gabriele Spenger

FernUniversität in Hagen

Faculty of Mathematics and Computer Science

Parallelism and VLSI Group

June 2017


First reviewer: Prof. Dr. Jörg Keller, FernUniversität in Hagen

Second reviewer: Prof. Dr.-Ing. Damian Weber, Hochschule für Technik und Wirtschaft des Saarlandes

Chair of the doctoral committee: Prof. Dr. Friedrich Steimann, FernUniversität in Hagen

Minutes: Dr. Daniela Keller, FernUniversität in Hagen

Date of the oral examination: October 05, 2017


Abstract

The growth of electronic communication over the last decades and the development of technologies like Radio Frequency Identification (RFID), or more generally the Internet of Things, has led to a large interest in data security in all kinds of devices.

Sending sensitive information over communication channels that are accessible to attackers, e.g. the Internet, or the air in the case of radio transmission, requires measures to secure the confidentiality as well as the integrity of the transmitted data. To achieve this, cryptographic protocols have been developed and standardized that make use of cryptographic base functions like symmetric or asymmetric encryption, hashing and pseudo-random number generators (PRNGs). Because of the limitations in cost, energy consumption and computational performance of devices like RFID transponders, low-complexity cryptographic functions are of high interest for applications running on these devices.

The security of cryptographic functions such as PRNGs can usually not be proven mathematically. Instead, statistical properties of the algorithms are commonly evaluated using standardized test batteries on a limited number of output values. Additionally, susceptibility to known attacks can be investigated. This thesis demonstrates that valuable additional information about the properties of an algorithm can be gathered by analyzing the structure of its state space. Analysis results for different cryptographic primitives, including commonly used algorithms as well as recent proposals and chaotic functions, are presented.

Furthermore, several novel low-complexity approaches are introduced that improve the state space structure of such algorithms significantly. The improvement is demonstrated by applying the approaches to different algorithms and presenting the analysis results. Further evaluation of the modified algorithms is performed by statistical analysis using the commonly used standardized test batteries.

Keywords: Low-Cost RFID, Lightweight Security, Chaotic Function, Pseudo-Random Number Generator


Kurzfassung (German Abstract)

The increasing spread of electronic communication over the last decades and the development of technologies such as Radio Frequency Identification (RFID), or more generally the Internet of Things, has led to considerable interest in data security in all areas. Transmitting sensitive information over communication channels that may be exposed to attacks, such as the Internet or the air in the case of radio transmission, requires measures to guarantee the confidentiality and integrity of the transmitted data. To achieve this, cryptographic protocols have been developed and standardized that are based on cryptographic base functions such as symmetric and asymmetric encryption, hashing and pseudo-random number generators. The constraints of devices such as RFID transponders regarding price, power consumption and computational performance lead to a strong interest in low-complexity cryptographic functions for applications on these devices.

The security of cryptographic functions such as pseudo-random number generators can in general not be proven mathematically. Instead, the statistical properties of the algorithms are usually examined with standardized test suites on the basis of a limited number of output values. In addition, the susceptibility to known attacks can be checked.

The present work demonstrates that valuable additional information about the properties of an algorithm can be obtained by analyzing the state space structure. Analysis results for different cryptographic primitives are presented, including widespread algorithms as well as recent proposals and chaotic functions.

Furthermore, several novel approaches are presented that significantly improve the state space structure of such algorithms. These improvements are demonstrated by applying them to different algorithms and by a corresponding state space analysis. This is complemented by further investigations based on a statistical evaluation with the widespread standardized test suites.

Keywords: Radio frequency identification, low complexity, cryptographic functions, chaotic function, pseudo-random number generator


Acknowledgements

The inspiration for this thesis and the motivation to work on the topic of low-complexity PRNGs was born out of the growing concerns in the general public around privacy in the context of RFID systems. With RFID tags getting ubiquitous and being part of the daily life of everyone, traceability becomes a problem, as user profiles can be created without people being aware. This poses new challenges to cryptographic methods and algorithms that I felt are important to tackle.

The topic of RFID brought me in contact with many knowledgeable people at conferences and symposia that were influential to my work and opened my mind to new ideas.

I would like to thank my supervisor Prof. Dr. Jörg Keller for his great guidance, the inspirational discussions and his never-ending patience. I am also grateful for the guidance of Prof. Dr.-Ing. Damian Weber and his helpful input. Furthermore, I want to thank my friends for their fantastic support and for bearing with the amount of time that I spent creating this work. Finally, I want to thank my family for their support and their understanding for the many evenings and weekends I was absorbed in thoughts about random numbers.

Nürnberg, June 2017


Publications and Previous Work

A number of publications have already appeared in the context of this dissertation. In the following, contributions by other authors that have been incorporated are listed.

• G. Spenger, Sicherheit des Pseudozufallszahlengenerators LAMED, in Proc. of the Eighth GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING), Technical Report SR-2013-01, page 18, GI FG SIDAR, München, Feb. 2013.

In this publication, different approaches to analyze the state transition graph for functions with large state spaces were presented. An analysis of the LAMED algorithm was shown as a practical application of these methods.

• G. Spenger, J. Keller, Analysis of PRNGs with Large State Spaces and Structural Improvements, in International Journal of RFID Security and Cryptography, Volume 3, Issue 2, Dec. 2014/2015.

This article demonstrates the break-out approach by parameter modification.

The paper was written by Spenger after valuable input on the break-out idea by Keller.

• G. Spenger, J. Keller, Security Aspects of PRNGs with Large State Spaces, in Proc. 10th International Conference for Internet Technology and Secured Transactions (ICITST-2015), London, Dec. 2015.

In this paper, it was shown how the state space analysis of a reduced state length version of AKARI-1 can provide valuable information about the unmodied algorithm. Furthermore, we presented the result of a sampled analysis of A5/1, clearly demonstrating the known weaknesses of this algorithm. The paper was written by Spenger and edited by Keller.

• G. Spenger, J. Keller, Structural Improvements of Chaotic PRNG Implementations, in Proc. 11th International Conference for Internet Technology and Secured Transactions (ICITST-2016), Barcelona, Spain, Dec. 2016.

In this work, the idea of breaking out by parameter modification was applied to chaotic transition functions. Analysis results for the Logistic and Trigonometric chaotic functions have been shown. The paper was written by Spenger and edited by Keller.


• J. Keller, G. Spenger, Tweaking Cryptographic Primitives with Moderate State Space by Direct Manipulation, in Proc. IEEE International Conference on Communications (ICC'17), Paris, France, May 2017.

The idea of breaking out is extended in this work by a white box approach that employs a greedy algorithm to identify local optima for the break-out start and target nodes. The idea for this approach comes from Keller, the analysis results from Spenger.

• G. Spenger, J. Keller, Improving the Cycle Lengths of Chaotic PRNGs, in International Journal of Chaotic Computing (IJCC), Volume 4, Issue 1, 2017, ISSN 2046-3332 (Online), http://infonomics-society.org/ijcc/.

The idea of breaking out by parameter modification on chaotic transition functions was statistically evaluated using the NIST test battery. The paper was written by Spenger and reviewed by Keller.

• J. Keller, G. Spenger, S. Wendzel, Ant Colony-inspired Parallel Algorithm to Improve Cryptographic Pseudo Random Number Generators, in IEEE Journal of Cyber Security and Mobility, 2nd Workshop on Bio-inspired Security, Trust, Assurance and Resilience (BioSTAR 2017), May 2017.

In this publication, it was shown that the application of an ant colony algorithm to the state space analysis results in a significant run time reduction on parallel systems, which are necessary for state spaces too large for sequential processing, thus extending the range of the white box approach. The idea comes from Keller, the analysis results from Spenger; Wendzel reviewed and presented the paper.


Contents

1 Introduction
1.1 Motivation
1.2 Main Contributions
1.3 Thesis Overview

2 Background and Related Works
2.1 RFID Systems
2.1.1 Overview of RFID Systems
2.1.2 Security Aspects of RFID Systems
2.1.3 Measures to Protect Privacy in RFID
2.2 Graph Theory
2.3 Cryptographic Pseudo-Random Number Generators
2.3.1 Overview of Random Number Generators
2.3.2 Metrics for a "Good" PRNG

3 Analysis Methods
3.1 Depth-First Search
3.2 Sampling the State Space
3.3 Reducing the State Space
3.4 Candidate Analysis

4 Analysis Results
4.1 AKARI
4.1.1 Sampled Analysis
4.1.2 Reduced Word Length Analysis
4.1.3 Interpretation of Test Results
4.2 A5/1
4.2.1 Sampled Analysis
4.2.2 Reduced Variant
4.2.3 Interpretation of Test Results
4.3 LAMED
4.3.1 Sampled Analysis
4.3.2 Reduced Variant
4.3.3 Interpretation of Test Results
4.4 Chaotic Functions
4.4.1 Logistic Map
4.4.2 Trigonometric Function
4.5 Enocoro
4.5.1 Sampled Analysis
4.5.2 Reduced Variants
4.5.3 Interpretation of Test Results
4.6 Trivium
4.6.1 Sampled Analysis
4.6.2 Reduced Variant
4.6.3 Interpretation of Test Results
4.7 MD5
4.7.1 Sampled Analysis
4.7.2 Interpretation of Test Results
4.8 Spritz
4.8.1 Sampled Analysis
4.8.2 Interpretation of Test Results
4.9 SHA-3
4.9.1 Sampled Analysis
4.9.2 Interpretation of Test Results

5 Improvements
5.1 Breaking out of the Cycle
5.2 Counter-Based Random Break-out
5.3 Parameter Modification
5.3.1 Analysis for Logistic Map
5.3.2 Analysis for Trigonometric Function
5.4 Hash Based Parameter Modification
5.5 Combining Multiple Algorithms
5.6 Direct State Graph Manipulation
5.6.1 Greedy Algorithm
5.6.2 Action A
5.6.3 Action B
5.6.4 Implementation
5.6.5 Evaluation of Logistic Map
5.6.6 Evaluation of MD5
5.6.7 Evaluation of Trigonometric Function
5.6.8 Evaluation of SHA-3
5.6.9 Performance Evaluation
5.6.10 Further Optimization Criteria

6 Statistical Evaluation
6.1 Motivation
6.2 DIEHARD
6.3 NIST
6.4 DIEHARDER
6.5 Analysis Results
6.5.1 Statistic Evaluation of Logistic Map
6.5.2 Statistic Evaluation of Trigonometric Function
6.5.3 Statistic Evaluation of MD5
6.5.4 Statistic Evaluation of SHA-3
6.6 Conclusion of Statistic Evaluations

7 Conclusion and Future Work

References
List of Figures
List of Tables

A Statistical Data
A.1 DIEHARDER Output
A.1.1 DIEHARDER Output for Logistic Map
A.1.2 DIEHARDER Output for Logistic Map with Parameter Change for k=1024
A.1.3 DIEHARDER Output for Logistic Map with Action A and B
A.1.4 DIEHARDER Output for Trigonometric Function
A.1.5 DIEHARDER Output for Trigonometric Function with Parameter Change for k=1024
A.1.6 DIEHARDER Output for Trigonometric Function with Action A and B
A.1.7 DIEHARDER Output for MD5 Truncated to 64 Bit
A.1.8 DIEHARDER Output for MD5 Truncated to 64 Bit with Action A and B
A.2 NIST Output
A.2.1 NIST Output for Logistic Map
A.2.2 NIST Output for Logistic Map with Parameter Change for k=1024
A.2.3 NIST Output for Logistic Map with Action A and B
A.2.4 NIST Output for Trigonometric Function
A.2.5 NIST Output for Trigonometric Function with Parameter Change for k=1024
A.2.6 NIST Output for Trigonometric Function with Action A and B
A.2.7 NIST Output for MD5 Truncated to 64 Bit
A.2.8 NIST Output for MD5 Truncated to 64 Bit with Action A and B
A.2.9 NIST Output for SHA-3 Truncated to 64 Bit
A.2.10 NIST Output for SHA-3 Truncated to 64 Bit with Action A and B


Chapter 1

Introduction

This thesis covers aspects of cryptographic primitives specific to RFID applications and related low-complexity implementations, with a focus on pseudo-random number generators. This chapter describes the motivation for the investigations and the respective results that are presented, followed by a summary of the main contributions of this work.

1.1 Motivation

The demand for automated identification systems is present in many areas, e.g. trade, production, supply chain management as well as services [Fin15]. The registration of product-specific data allows e.g. automated inventory lists of warehouses or tracking of the location of a shipment on its dispatch route. There is a whole range of technical solutions that deal with this task. The most commonly used method today is the bar code. These printed labels are used for determining the price of goods in shops, but also e.g. for the identification of parcels, and are scanned with an optical reading device. The object itself provides the information that is needed for its identification, which is why the method is called automatic identification (auto-ID).

A different approach to auto-ID is the use of RFID (Radio Frequency IDentification [Wal83]). In RFID systems, the information is stored on an electronic storage device and transmitted via radio waves. RFID systems and applications are more widespread than is evident. There are many areas in which identification processes can be automated and rationalized. RFID systems extend and enhance the functionality and possible applications of traditional auto-ID systems and offer high potential for efficiency increases. It is conceivable that RFID will completely replace the optical scanning of bar codes in logistics at some point.

Management of stock and inventories in shops and warehouses is a prime domain for low-cost tags. In 2003, the American mass marketing giant Walmart began requiring its main suppliers to put electronic tags on the pallets and packing cases that they deliver to it [Avo05]. Although the project was abandoned in 2009, similar projects have been successful, e.g. by the American Department of Defense and, in 2012, in the distribution center of Migros, Switzerland's largest retail company.

With the increasing usage of RFID systems that allow contactless, digital, automated transmission of information, data security and protection come more into focus. Cryptographic methods allow the encryption and authentication of data and thereby the protection against access or modification by unauthorized parties. To make use of the advantages of RFID while protecting the privacy of individuals, the fundamentals of contemporary data privacy laws must be taken into account early in the design process [OWH+04].

The potential application areas for RFID systems are manifold and have various requirements regarding cost, hardware specifications, and data security. The MIT publications [SWE02] and [WSRE04] already mention the challenge of encryption on cost-efficient RFID systems, coming to the conclusion that the price of RFID tags should not exceed 5 cents to allow mass market penetration and replace current product identification systems [Sar01]. Such a low unit price increases the challenge of achieving the required data security: as the price is related to the chip area, the number of gates on the RFID tag and thereby the complexity of the executed operations is limited. Furthermore, such a price is not achievable with battery-powered tags, and the limitation to passively powered tags puts additional constraints on the computational power. When product items carry an electronic ID and can be scanned without line of sight, the security requirements must be reviewed carefully for each specific application. The fulfillment of these requirements, on the other hand, impacts the hardware specifications and the related unit price.

While the motivation of this work is mainly based on RFID applications, the topic of lightweight cryptography is not limited to this technology. With the emerging Internet of Things, low-power devices that communicate over the Internet e.g. using Wi-Fi connections are becoming ubiquitous. These devices have similar requirements regarding data security and privacy and the investigations presented in this work are applicable to them as well. In fact, RFID is believed to be an enabling technology for the Internet of Things [Pos09], which shows how closely related these applications are.

1.2 Main Contributions

The main novel contributions of this work can be summarized under three main topics:

Analysis of Cryptographic Primitives

Cryptographic primitives are well-established, low-level cryptographic algorithms that are frequently used to build cryptographic protocols for computer security systems. One of the most common primitives in secure protocols is the pseudo-random number generator (PRNG). Others include stream ciphers and hash chains. While all of these functions target different applications, they can be treated very similarly from an analysis perspective: they generate a sequence of values (either from a given input or only based on their internal state) that ideally does not allow any conclusion to be drawn about the input or the internal state. For this reason, these primitives are treated as interchangeable in this work, and examples of each of these categories are used as the basis for analysis and improvement.

There are different potential approaches to evaluate whether the security mechanisms of a cryptographic primitive meet the requirements. One approach is analytical, involving cryptographic experts searching for vulnerabilities to known attacks. This approach is referred to as cryptanalysis. A different approach is experimental, by performing a statistical analysis of a limited set of data produced by the analyzed algorithm. In the ideal case, this data is not distinguishable from random data. Furthermore, every cryptographic function can be interpreted as a deterministic state transition function. The corresponding state space can be analyzed to deduce information about the security. An example of this approach being applied to A5/1 can be found in [BFKM12].

In the first part of this work, the state of the art in the analysis and evaluation of the graph structure of cryptographic primitives is presented. This is followed by practical applications of different analysis methods to several state transition functions, ranging from known weak algorithms (e.g. A5/1) to low-complexity algorithms specifically targeting RFID applications (LAMED, AKARI) to recent developments (Enocoro and Trivium). Several approaches are presented to extract useful information from the state graph, including investigations around the shortening of the state and sampling of the state space.

The results are put into perspective by comparing them to the expected statistical properties of the state graph of a random transition function.
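As an added illustration of this state-graph view (example code written for this page, not code from the thesis or its tooling), the following Python script walks the complete functional graph of a small transition function, records the tail and cycle length of every state, and sets the figures against the asymptotic expectations for a uniformly random mapping from Flajolet and Odlyzko. The two transition functions used for the demonstration, a 16-bit fixed-point logistic map and SHA-256 truncated to 16 bits, together with their rounding and wrap-around conventions, are this example's own choices; the thesis's reduced-word-length variants of its algorithms are not reproduced here.

```python
"""Exhaustive state-graph analysis of a small transition function.

Added example; not code from the thesis. A deterministic update function f on a
finite state set is a functional graph: every state has exactly one successor,
so every orbit consists of a tail of transient states followed by a cycle.
"""
import hashlib
import math


def analyze_state_graph(f, n):
    """Resolve the functional graph of f : {0, ..., n-1} -> {0, ..., n-1}.

    Returns (cycles, cycle_len, tail_len, comp): cycles[c] is the length of
    cycle c; for each state s, tail_len[s] is the number of steps until the
    orbit of s reaches its cycle, cycle_len[s] is that cycle's length and
    comp[s] its cycle index. Every state is walked once, so the cost is O(n).
    """
    cycles = []
    cycle_len = [0] * n
    tail_len = [-1] * n          # -1 marks a state not yet resolved
    comp = [-1] * n
    for s in range(n):
        if tail_len[s] >= 0:
            continue
        path, pos = [], {}       # states walked from s, and their index in path
        x = s
        while tail_len[x] < 0 and x not in pos:
            pos[x] = len(path)
            path.append(x)
            x = f(x)
        if tail_len[x] >= 0:
            # Hit an already resolved state: the whole path is a tail that
            # drains into that state's cycle.
            k, c, clen, base = len(path), comp[x], cycle_len[x], tail_len[x]
        else:
            # Closed a new cycle: path[pos[x]:] is the cycle itself.
            k = pos[x]
            clen, c, base = len(path) - k, len(cycles), 0
            cycles.append(clen)
            for node in path[k:]:
                tail_len[node], cycle_len[node], comp[node] = 0, clen, c
        # Tail states, nearest to the cycle first.
        for i, node in enumerate(reversed(path[:k])):
            tail_len[node], cycle_len[node], comp[node] = base + i + 1, clen, c
    return cycles, cycle_len, tail_len, comp


def graph_statistics(cycles, cycle_len, tail_len):
    """Summary figures of a resolved graph, averaged over all start states."""
    n = len(tail_len)
    return {
        "components": len(cycles),
        "cyclic_states": sum(cycles),
        "longest_cycle": max(cycles),
        "mean_tail": sum(tail_len) / n,
        "mean_cycle": sum(cycle_len) / n,
        "mean_rho": (sum(tail_len) + sum(cycle_len)) / n,
    }


def random_mapping_expectations(n):
    """Asymptotic expectations for a uniformly random mapping on n states
    (Flajolet and Odlyzko, Random Mapping Statistics, EUROCRYPT 1989)."""
    return {
        "components": 0.5 * math.log(n),
        "cyclic_states": math.sqrt(math.pi * n / 2),
        "longest_cycle": 0.78248 * math.sqrt(n),
        "mean_tail": math.sqrt(math.pi * n / 8),
        "mean_cycle": math.sqrt(math.pi * n / 8),
        "mean_rho": math.sqrt(math.pi * n / 2),
    }


def logistic_fixed_point(bits):
    """x -> 4x(1-x) in unsigned fixed point with `bits` fractional bits.
    The truncating shift and the wrap-around mask are this example's choice."""
    n, shift = 1 << bits, bits - 2
    return lambda x: ((x * (n - x)) >> shift) & (n - 1)


def truncated_sha256(bits):
    """SHA-256 of the 4-byte state, truncated to `bits` bits: a stand-in for a
    random-like mapping, in the spirit of the truncated hashes the thesis analyses."""
    mask = (1 << bits) - 1
    return lambda x: int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest(), "big") & mask


if __name__ == "__main__":
    bits = 16
    n = 1 << bits
    expected = random_mapping_expectations(n)
    for name, f in (("logistic map, 16 bit", logistic_fixed_point(bits)),
                    ("SHA-256 truncated to 16 bit", truncated_sha256(bits))):
        observed = graph_statistics(*analyze_state_graph(f, n)[:3])
        print(name)
        for key, exp in expected.items():
            print(f"  {key:14s} observed {observed[key]:10.1f}   random mapping {exp:10.1f}")
```

The comparison printed at the end is the "put into perspective" step: a generator whose cyclic states, mean cycle length or longest cycle fall well below the random-mapping line has a structural weakness that no test battery run on a few megabytes of output will reveal, because every output sequence is confined to one of those short cycles.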

Structural Improvements

Different novel approaches to improve the state graph structure are presented and evaluated. Starting with black box approaches that rely on expected values, different methods are introduced that build on each other and take properties of the specific state graph into consideration, crossing the border to a more white-box-like approach. The different approaches are applied to several cryptographic functions, including functions with known weaknesses as well as chaotic functions that are known to be of particularly low computational complexity but have issues when implemented with limited number precision.

The same analysis methods as in Part 1 of this work are applied to the resulting algorithms and the state properties are compared to the unmodied algorithms from the rst part of this work. Again, the results are put into perspective by comparing to the properties of a random transition function, showing the improvements that can be achieved by the modications.

Statistical Evaluation of the Improved Algorithms

After the presentation of the improved state graph properties in Part 2, the impact of the modifications on the statistical properties of the output of the algorithms is investigated. While the state graph characteristics represent an important part of the security-relevant properties of cryptographic primitives, the more common approach to evaluate security is the analysis of p-values, distributions and other numerical values that can be calculated from long series of output data. Different standardized test suites are applied and the results are compared to the recommendations by the providers of the suites and to the values of widespread cryptographic algorithms.

1.3 Thesis Overview

Chapter 2 outlines the background and related works on RFID, graph theory and cryptographic primitives, e.g. pseudo-random generators, stream ciphers or hash chains, required for understanding the following chapters. A criterion for a "good" PRNG is established from the expected state space properties of a random mapping, which is used as a threshold in the course of the remaining work.

In Chapter 3, different analysis methods for state spaces are described in detail that take into account the problem that the state space of cryptographic primitives with a large state cannot easily be analyzed completely. The results of practical applications of these methods to different cryptographic algorithms, including various primitives like PRNGs, symmetric stream ciphers and hash functions, are presented in Chapter 4. It is shown that some of the algorithms have weaknesses, as expected from former work and the literature. In particular, simple chaotic functions are investigated, and it is shown that they are not suited for security applications.

Chapter 5 introduces several approaches for the improvement of the state space structure. The break-out mechanism is presented, which can significantly improve the properties of the state space of any transition function based on either a black box or a white box approach. The methods are applied to various functions that have been analyzed in Chapter 4. The results demonstrate that notable increases in period length can be achieved. In particular, it can be shown that the simple chaotic functions, which need very low computational complexity, are improved in a way that they pass the threshold for "good" PRNGs easily. This might make them usable for certain security applications where computational complexity is a key issue. Furthermore, it is demonstrated that the improvement approaches also work for algorithms that already have very good state space properties, which indicates that the method works for an arbitrary transition function.
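The sampled analysis of Chapter 3 and the break-out of Chapter 5, as one added Python example (written for this page; not the thesis's own implementation): Brent's cycle-finding algorithm measures the tail and cycle length of a single orbit in constant memory, so a handful of random start states yields an estimate for state spaces far too large to enumerate, and the same routine is then run on a counter-based parameter-change construction. That construction (every k steps the map switches to the next entry of a small list of fixed-point parameters, and the counter becomes part of the state) is this example's own simplified reading of the counter-based break-out and parameter modification of Sections 5.2 and 5.3, not the thesis's exact algorithm; the parameter values are arbitrary, and k = 1024 is taken from the appendix titles.

```python
"""Sampled state-space analysis with Brent's algorithm, and a counter-based
parameter-change break-out. Added example; not code from the thesis."""
import random


def brent(f, x0):
    """Brent's cycle detection on the orbit of x0 under f.
    Returns (cycle_len, tail_len) using O(1) memory; any hashable state works."""
    power = lam = 1
    tortoise, hare = x0, f(x0)
    while tortoise != hare:
        if power == lam:          # teleport the tortoise, double the search window
            tortoise = hare
            power *= 2
            lam = 0
        hare = f(hare)
        lam += 1
    # lam is the cycle length; now find the tail length mu
    tortoise = hare = x0
    for _ in range(lam):
        hare = f(hare)
    mu = 0
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    return lam, mu


def sampled_analysis(f, sample_states):
    """Run Brent from every state in sample_states and summarise the orbits.
    For a state space too large for an exhaustive walk this is the only option;
    the cost per sample is a few times the rho length of that orbit."""
    cycles, tails = [], []
    for s in sample_states:
        lam, mu = brent(f, s)
        cycles.append(lam)
        tails.append(mu)
    k = len(cycles)
    return {
        "mean_tail": sum(tails) / k,
        "mean_cycle": sum(cycles) / k,
        "max_cycle": max(cycles),
        "mean_rho": (sum(tails) + sum(cycles)) / k,
    }


def logistic_step(bits, r_fp):
    """Parametrised fixed-point logistic map x -> r x (1 - x); r_fp holds r
    with `bits` fractional bits. Rounding and wrap-around are example choices."""
    n = 1 << bits
    return lambda x: ((r_fp * x * (n - x)) >> (2 * bits)) & (n - 1)


def with_counter_breakout(step_for, params, k):
    """Wrap a parametrised map into a generator whose state is (x, counter).
    Every k steps the counter selects the next parameter, so the output is
    no longer confined to the cycle of a single map (assumed construction)."""
    period = k * len(params)
    steps = [step_for(p) for p in params]

    def next_state(state):
        x, ctr = state
        return steps[ctr // k](x), (ctr + 1) % period

    return next_state


if __name__ == "__main__":
    bits = 24
    n = 1 << bits
    rng = random.Random(2017)
    starts = [rng.randrange(n) for _ in range(16)]
    r4 = 4 << bits                                  # r = 4.0 in fixed point
    plain = logistic_step(bits, r4)
    print("plain 24-bit logistic map:", sampled_analysis(plain, starts))
    # Four parameters just below 4.0; k = 1024 as in the thesis appendices.
    params = [r4 - (d << (bits - 12)) for d in range(4)]
    breakout = with_counter_breakout(lambda p: logistic_step(bits, p), params, 1024)
    print("with counter-based parameter change:",
          sampled_analysis(breakout, [(s, 0) for s in starts]))
```

The figures for the wrapped generator describe cycles of the combined state (x, counter), which is what bounds the period of the output; the state space has grown by the factor k times the number of parameters, so the random-mapping threshold it should be compared against grows accordingly, and a break-out only counts as an improvement if the measured cycles grow by more than that.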

In Chapter 6, these improvement approaches are analyzed from a statistical point of view. The commonly applied statistical test suites NIST and DIEHARDER are used to evaluate sequences that are generated by the algorithms that have been improved. The results are put in perspective to the results for the unmodied functions and it can be shown that the statistical properties of the algorithms are not impacted by the modication. Chapter 7 provides a summary of the results and gives an outlook on potential future work.


Chapter 2

Background and Related Works

In this chapter, foundations are laid that are required for the understanding of the contributions of this work. First, a general introduction to RFID systems is given, followed by a discussion of the respective security aspects. After that, a brief introduction to graph theory is presented. The chapter closes with the basics of pseudo-random generators.

2.1 RFID Systems

After providing an overview of RFID technology, this section introduces the security aspects of RFID systems, followed by a brief description of measures protecting privacy in RFID.

2.1.1 Overview of RFID Systems

As of today, the most widespread system for the automated identification of items is the bar code. Originating from two different regional standards, the United States Universal Product Code (UPC) and the European Article Number (EAN), it has been adopted across the world, culminating in the common worldwide standard GS1 [Int16]. Different flavors of bar codes have been standardized, roughly categorized into one-dimensional (1D) and two-dimensional (2D) codes, as shown in Figure 2.1.

With the ongoing deployment of RFID systems, a successor technology has started taking over, replacing bar codes for a steadily growing number of use cases.

RFID technology has been under development since the 1940s. Table 2.1 shows the advancements in RFID over the past decades.

RFID systems consist of transponders (or tags), readers and typically a backend database. Information is exchanged between the tag and the reader via radio frequency signals. RFID systems have a number of advantages over bar codes: they can in theory store and transmit an arbitrary amount of data, which allows identifying not only product groups but individual items of a product group. They can transmit information without line of sight, and they can potentially transmit data over a comparably long distance of up to 15 m [Fin15], so that they only need to be somewhere near the reader for communication to succeed.

Figure 2.1: Bar Code Symbologies

Table 2.1: Decades of RFID [Lan01]

Decade        Event
1940 - 1950   Radar refined and used, major World War II development effort. RFID invented in 1948.
1950 - 1960   Early explorations of RFID technology, laboratory experiments.
1960 - 1970   Development of the theory of RFID. Start of application field trials.
1970 - 1980   Explosion of RFID development. Tests of RFID accelerate. Very early adopter implementations of RFID.
1980 - 1990   Commercial applications of RFID enter mainstream.
1990 - 2000   Emergence of standards. RFID widely deployed. RFID becomes a part of everyday life.

There are also aspects that limit the deployment of RFID, most notably privacy concerns and cost. RFID tags have a significantly higher production cost than bar codes, and even the cheapest ones do not meet the $0.05 that is considered a requirement for economic viability [Sar01]. This price pressure results in very limited resources on the tag, with typically only between 400 and 4000 gates being available for security functions [REC04]. Another aspect that affects the available resources is the power consumption of the tag. Most RFID systems today are passive, meaning that the power required by the tag is transmitted by radio frequencies.


System Components

RFID tags consist of a microchip that stores the data and handles the transmission and, potentially, security-related processing. Attached to the microchip is a coupling element, typically an antenna coil, for sending and receiving radio frequency communication (cf. Figure 2.2). Tags can be classified into two categories: active tags that have their own power source, and passive tags that obtain their power from the transmission signal coming from the RFID reader. Passive tags usually have a lower communication range, as the power of the reader signal strongly depends on the distance between tag and reader. There are also RFID tags that fit into both categories (semi-passive tags), as they contain a power source to run the microchip but use the power from the transmission signal to perform the communication.

The RFID reader contains a radio frequency module that is connected to a coupling element. It typically has less computational limitations than the tag, as it is actively powered and has much lower cost restrictions. This allows a major part of security related processing to be performed on the reader instead of the tag. The reader typically connects to a central backend database that allows to share data between readers and provides interfaces for processing the data received from the tags.

The backend database creates a connection between the ID that is stored on the tags and further data. By storing only the ID, the memory requirements for the tag can be reduced to a minimum.

Figure 2.2: RFID Transponder [Etc17]

Passive Communication

Figure 2.3 depicts a passive RFID system. For passive RFID tags, the electromagnetic field serves two purposes: the transfer of energy to power the tag and the transmission of data. Passive tags most commonly use backscatter or inductive coupling for the data transmission.

Passive backscatter tags make use of modulated backscatter. The reader in such systems sends out a steady carrier signal with the commands for the tag modulated onto it. When a tag enters the electromagnetic field of the reader, it demodulates the commands and reacts to them by rapidly switching its antenna load on and off. This modulates the reflection of the reader signal by the tag, which allows the reader to demodulate information from the reflected signal.

Inductively coupled tags work by the induction of electrical current in the antenna of the tag. The tag sends data by switching the impedance of its antenna, causing a modulation in the magnetic eld created by the reader. The reader can interpret the data by demodulating the magnetic eld again.

RFID systems that work with very high RF frequencies typically make use of electromagnetic coupling, utilizing both the magnetic and the electric field of the reader. Due to the use of the electric field, the range of these tags is higher than the range of inductively coupled tags.

Figure 2.3: General Block Diagram of a Passive RFID System

RFID systems need to follow regulations for the usage of frequency bands. Typically, RFID readers use the ISM bands around 13.56 MHz, or 865-868 MHz in Europe.

These bands are designated by the International Telecommunication Union (ITU) and are freely available for low-power, short-range systems. Systems utilizing these bands need to follow specific power and bandwidth regulations. For RFID transponders, these regulations generally do not apply due to their low transmission power. Still, the limited bandwidth for the reader transmission and the low power for the tag transmission result in a requirement for high data efficiency. For this reason, efficient coding and modulation are used to achieve a high ratio of transmitted data rate to transmission power.

Commonly used coding schemes are level codes (Non-Return-to-Zero, NRZ; and Return-to-Zero, RZ) or transition codes (Pulse Pause Modulation, PPM; Pulse Width Modulation, PWM; and Manchester coding).

For the modulation, either Amplitude Shift Keying (ASK), Frequency Shift Keying (FSK) or Phase Shift Keying (PSK) is typically used.

Avoiding Collisions

In RFID systems, typically several tags exist in the range of the reader, reacting simultaneously to the requests sent from the reader. With several tags communicating on the same channel, a mechanism needs to be defined to prevent collisions and thereby avoid information loss. Due to the limited computational power of the tags and the fact that tags cannot communicate with each other, most of the required work needs to be done by the reader. The usual approach is to query the tags until all singulation identifiers are obtained. When all tags have been singulated, the reader can send requests to a single selected tag. Two classes of collision avoidance protocols have been standardized, deterministic and probabilistic protocols. Deterministic protocols are based on singulating tags by single bits of their unique ID (binary tree walking).

Probabilistic protocols use e.g. a time slot approach (slotted ALOHA), exploiting the low probability of several tags responding in the same randomly chosen slot. Both classes are in use in both frequency bands: ISO/IEC 14443 Type A (13.56 MHz) specifies a deterministic bit-wise binary tree anticollision, whereas EPC Class-1 Generation-2 (860-960 MHz) uses a probabilistic slotted scheme, as does ISO/IEC 15693 at 13.56 MHz.
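As an added example (not code from the thesis), the following simulation shows the deterministic, bit-wise singulation described above for a small constructed tag population. It assumes 8-bit IDs and models collision detection the way Manchester coding makes it possible in practice: when two tags send different bits in the same slot, the superimposed signal carries both half-bit transitions, so the reader knows the exact bit position of the collision and therefore that both subtrees below that prefix are populated.

```python
"""Binary tree-walking singulation with Manchester-style collision detection.

Added example, not code from the thesis. Tags answer a prefix query with
the remainder of their ID; the reader sees a collision at the first bit
position where the superimposed replies differ. The 8-bit IDs and the
reader's depth-first strategy are assumptions made for illustration.
"""
import os
from typing import List, Optional, Tuple

ID_BITS = 8  # assumption: short IDs keep the trace readable


def tag_reply(tag_id: int, prefix: str) -> Optional[str]:
    """A tag answers only if its ID starts with `prefix`; it then sends
    the remaining bits. Returns None for a tag that stays silent."""
    bits = format(tag_id, f"0{ID_BITS}b")
    if not bits.startswith(prefix):
        return None
    return bits[len(prefix):]


def channel(replies: List[Optional[str]]) -> Tuple[Optional[str], bool]:
    """Model of the shared radio channel. Returns the bits the reader can
    decode unambiguously (the common prefix of all replies) and whether a
    collision is observed at the following bit position. Identical replies
    (e.g. from cloned tags) superimpose without a collision."""
    heard = {r for r in replies if r is not None}
    if not heard:
        return None, False                  # nobody answered
    common = os.path.commonprefix(list(heard))
    return common, len(heard) > 1           # differing suffixes collide


def singulate(tag_ids: List[int]) -> Tuple[List[int], int]:
    """Reader side: depth-first walk over the binary ID tree.
    Returns the singulated IDs (sorted) and the number of queries sent."""
    found: List[int] = []
    queries = 0
    pending = [""]                          # prefixes still to be queried
    while pending:
        prefix = pending.pop()
        queries += 1
        decoded, collided = channel([tag_reply(t, prefix) for t in tag_ids])
        if decoded is None:
            continue                        # empty subtree
        prefix += decoded
        if collided:
            # Both a 0 and a 1 were heard at this position, so both
            # subtrees are non-empty: query them separately.
            pending.append(prefix + "1")
            pending.append(prefix + "0")
        else:
            assert len(prefix) == ID_BITS   # a lone tag sent its full ID
            found.append(int(prefix, 2))
    return sorted(found), queries


if __name__ == "__main__":
    # Constructed population: two IDs sharing a long prefix plus one outlier.
    ids, n = singulate([0b00001010, 0b00001011, 0b11110000])
    print(ids, "singulated with", n, "queries")
```

Because a collision pinpoints the diverging bit, every query either singulates a tag or splits the remaining population, so the number of queries grows with the number of tags rather than with the size of the ID space.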

2.1.2 Security Aspects of RFID Systems

The hardware and cost restrictions in typical low-cost RFID applications present particular challenges for securing the related data transmission. Figure 2.4 shows the relationship between security, performance and computational complexity, which is mostly directly related to cost. Low-cost means limited storage, limited chip area for computations, and low power consumption, resulting in even more limited computational power. Therefore, the known and tested algorithms for general security applications are typically not applicable to these systems, because the tags are not able to perform even basic cryptographic operations. For this reason, ultra-lightweight algorithms have been designed specifically with RFID applications in mind, e.g. [Pos09].

RFID tags can be classified according to their security related capabilities. In [Chi07], tags are divided into four categories, which can be roughly split into high-cost and low-cost classes. In [PL08] the properties have been summed up, as shown in Table 2.2. The high-cost category is split into the categories full-fledged, providing complex cryptographic functions like symmetric or even asymmetric encryption, and simple, which is limited to pseudo-random number generation and one-way hash functions. The low-cost category is split into the categories lightweight, again supporting PRNG and simple checksums, and ultra-lightweight, which is limited to simple bitwise operations. As many RFID applications target the lightweight (or even ultra-lightweight) category of tags for cost reasons, there is a strong desire to research cryptographic primitives that allow secure communication using the lowest possible complexity. This is an ongoing challenge, because these tags typically have on the order of 250-4000 gates [REC04]. To put this into perspective, a SHA-256 implementation requires about 11000 gates to perform a hash calculation on a 512-bit data block [FR06]. Table 2.3 shows further hardware requirements of several cryptographic functions. The required chip area is measured in Gate Equivalents (GE), a unit that allows the complexity of digital circuits to be specified independently of the manufacturing technology. One GE corresponds to the chip area of a two-input NAND gate in the respective technology.


Figure 2.4: Security Triangle [Pos09]

Table 2.2: Classes of RFID Tags [PL08]

| Property | Low-Cost | High-Cost |
|---|---|---|
| Standards | EPC Class-1 Generation-2, ISO/IEC 18000-6C | ISO/IEC 14443 A/B |
| Power source | Passively powered | Passively powered |
| Storage | 32 - 1K bits | 32 KB - 70 KB |
| Circuitry | 250 - 4K gates | Microprocessor |
| Security processing | Standard cryptographic primitives cannot be supported | Implements 3DES, SHA-1, RSA |
| Reading distance (commercial devices) | Up to 3 m | About 10 cm |
| Price | 0.05 - 0.1 Euro | Several Euros |
| Physical attacks | Not resistant | Tamper resistance, EAL 5+ security level |
| Resistance to passive attacks | Yes | Yes |
| Resistance to active attacks | No | Yes |

Attacking RFID Systems

This section examines the risks and threats of RFID technology, followed by a description of potential attacks against RFID systems, mostly following the classifications given in [BDM07] and [MRT10], visualized in Figure 2.5.


Table 2.3: Hardware Requirements of Common Cryptographic Algorithms [Pos09]

| Algorithm | Key size | Block size | Datapath width | Cycles / block | T'put [Kbps] | Tech. [µm] | Area [GE] | Eff. [bps/GE] | Curr. [µA] |
|---|---|---|---|---|---|---|---|---|---|
| Serialized Architecture | | | | | | | | | |
| PRESENT | 80 | 64 | 4 | 547 | 11.7 | 0.18 | 1,075 | 10.89 | 1.4 |
| PRESENT | 128 | 64 | 4 | 559 | 11.45 | 0.18 | 1,391 | 8.23 | - |
| DES | 56 | 64 | 4 | 144 | 44.44 | 0.18 | 2,309 | 19.25 | 1.19 |
| DESL | 56 | 64 | 4 | 144 | 44.44 | 0.18 | 1,848 | 24.05 | 0.89 |
| DESX | 184 | 64 | 4 | 144 | 44.44 | 0.18 | 2,629 | 16.9 | - |
| DESXL | 184 | 64 | 4 | 144 | 44.44 | 0.18 | 2,168 | 20.5 | - |
| AES [73] | 128 | 128 | 8 | 1,032 | 12.4 | 0.35 | 3,400 | 3.65 | 3.0 |
| AES [96] | 128 | 128 | 8 | 160 | 80 | 0.13 | 3,100 | 25.81 | - |
| Trivium [89] | 80 | SC | 1 | 1 | 100 | 0.13 | 2,599 | 38.48 | 4.67 |
| Grain [89] | 80 | SC | 1 | 1 | 100 | 0.13 | 1,294 | 77.28 | 2.75 |
| Round-based Architecture | | | | | | | | | |
| PRESENT | 80 | 64 | 64 | 32 | 200 | 0.18 | 1,570 | 127.4 | 2.78 |
| PRESENT | 128 | 64 | 64 | 32 | 200 | 0.18 | 1,884 | 106.2 | 3.67 |
| SEA [144] | 96 | 96 | 96 | 93 | 103.23 | 0.13 | 3,758 | 27.47 | 1.7 |
| ICEBERG [144] | 128 | 64 | 64 | 16 | 400 | 0.13 | 7,732 | 51.73 | 3.19 |
| HIGHT [107] | 128 | 64 | 64 | 34 | 188.2 | 0.25 | 3,048 | 61.75 | - |
| Parallelized Architecture | | | | | | | | | |
| PRESENT [199] | 80 | 64 | 64 | 1 | 6,400 | 0.18 | 27,028 | 236.79 | 38.3 |

SC: stream cipher (no block size). Eff.: throughput per gate equivalent. Curr.: current consumption. The bracketed numbers are citation numbers carried over from [Pos09].

Risks and Threats

RFID systems with their decentralized structure are particularly susceptible to malicious attacks ranging from passive eavesdropping to active interference. The decentralized parts of the system cannot be defended in the same way as wired communication networks that benefit from centralized host-based security mechanisms (e.g. firewalls). The open communication over radio waves allows easy interception of the data transmission. Many RFID applications imply people carrying around RFID tags, raising additional security concerns like privacy and traceability. RFID technology is particularly pervasive, because many applications are related to consumer products that are used in people's day-to-day life. Although similar concerns have been raised in the context of other electronic media (e.g. credit cards), the dimension is bigger here, because RFID tags can transmit information without line of sight and without notice.

An additional aspect is the quick evolution of RFID technology, with new transponders being developed and a lot of research and development taking place around security and protocols. This leads to a similar evolution of potential threats, and it becomes increasingly difficult to have a global view of the problem [MRT10]. Still, the same requirements on confidentiality, integrity, and availability apply as for other data and computing resources.


Security Concerns

The two main security concerns related to the use of RFID technology are privacy and traceability. There is no common definition of privacy, and its meaning varies for different people, often depending on cultural and other backgrounds. In general terms, it is the ability of an individual or group to keep their lives and personal affairs out of public view, or to control the flow of information about themselves [PL08].

Every individual has the right to be protected by law against interference with or attacks on their privacy [Ass48]. This is supported by further regulations, e.g. the EU Directive 95/46/EC [Dir95] on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or Article 8 of the European Convention on Human Rights, establishing the right to respect for private and family life.

RFID technology with its pervasive nature is part of ubiquitous computing, which was predicted to be problematic in the context of privacy already by Weiser in 1991 [Wei91]. A scenario where the loss of privacy in the context of RFID is a threat to an individual can e.g. be given for medical products, which are often tagged with RFID labels as proof of authenticity. If an attacker reads this information in front of the door of a pharmacy after someone has bought an AIDS treatment, he has gained access to information that the individual might not want to share with everyone.

Traceability describes the possibility to track the location of an individual. Location information can be seen as a subset of privacy information and therefore falls under the same regulations as any other private data.

A number of technologies exist that allow location tracking of a person, e.g. mobile phones (where the location can be retrieved by collecting data about the base station that is in use by the phone), video surveillance, and obviously GPS, which is nowadays part of most smartphones. RFID adds to these technologies, although the information provided by the tags is typically only meaningful to readers that have access to the related backend database.

Often, RFID tags will transmit a static ID, which can be used to identify them from any reader, even if it cannot interpret the actual information behind this ID.

As of today, IDs are most often related to product codes and not to unique items.

Still, it was shown e.g. in [WSRE04] that constellations of tags (meaning a specific combination of products that an individual might carry around at the same time) allow the owner to be uniquely identified.

Furthermore, it can be expected that IDs will be used to uniquely identify certain products in the future, making an association between the tag and its owner even easier. An example for such a use of RFID is the E-Passport, which contains a collision avoidance mechanism specified in ISO/IEC 14443 A/B that is based on a unique identifier. Unless the chip uses the random UID option that ISO/IEC 14443-3 provides for this purpose, this identifier allows a passport to be uniquely identified and used for location tracking.


Figure 2.5: Attack Classication According to [MRT10]

Disabling

If tags are disabled maliciously, certain use cases can be affected negatively, e.g. the use of RFID in a shop to track item prices. Tags can be disabled physically by applying a strong electromagnetic field, commonly known as a "kill signal". The high-power field induces a high current in the antenna, effectively overheating and destroying it. Without the antenna, the RFID tag cannot communicate with a reader anymore and is disabled. Different technical solutions have been published that allow building a low-cost kill signal generator, e.g. the RFID-Zapper [Col06]. Some tags can also respond to a specific kill command sent by the reader to deliberately disable them after use. Usually, this command is protected by a password (e.g. the 32-bit kill password of EPC Class-1 Generation-2 tags) to avoid malicious use.


In some systems, this disabled state is only a sleeping state and tags can be activated again if required.

Hiding

Hiding means that the presence of a tag is concealed from the reader. A potential scenario for such an attack is an automated cashier system in a shop that calculates the receipt sum from the items that it detects in the vicinity of the exit. If an item cannot be detected, the attacker will be able to leave the shop without paying for it.

Such attacks can be performed by shielding the tag from any kind of electromagnetic radiation, e.g. by means of a Faraday cage, or by disabling the tag by other means.

Cloning

Cloning is the process of duplicating a tag so that the reader cannot detect a difference. The goal of this attack is to impersonate the entity the tag is attached to. A tag that only transmits static data can always be cloned by replaying that data, so cloning resistance requires a secret on the tag that is never transmitted and is used in a challenge-response authentication. The prevention of cloning is well covered by current cryptographic protocols, typically involving hash calculations or asymmetric encryption. For low-cost RFID tags, these methods are not applicable due to the high required computational complexity. Their use is restricted to higher cost RFID chips, like those embedded into the electronic passport.

Tracking

Tracking of a tag can be used to create "movement profiles" of individuals, violating their right to privacy. To perform the tracking, tags need to be identified by non-authorized RFID readers. Differently from cloning, there is no need to access all data on the tag. Instead, it is sufficient to access any kind of data that is unique to the tag and constant over time. Tracking can be prevented by similar measures as cloning.

Replay and Relay Attacks

Replay attacks work by storing transmitted messages from a valid communication and resending them in a different context later on, thereby pretending knowledge that is private to the original sender. This allows the attacker to gain access to data or items it is not authorized to. Prevention of replay attacks is possible by using nonces that are randomly created for every communication. The communication data depends on this nonce, so a replayed message is not accepted. Relay attacks are similar, but instead of storing the data from a valid communication, the communication is relayed in real time between the two communicating parties by the attacker. This effectively carries out the authorization process over an arbitrary distance and without the knowledge of one of the participants (see Figure 2.6). Nonces do not help against relay attacks, since every relayed message is fresh. A practical implementation of a relay attack on an RFID system is presented in [Han06].


Figure 2.6: Relay Attack [Avo05]

Eavesdropping

Eavesdropping describes any attack with the goal of overhearing a communication between tag and reader. RFID tags are particularly susceptible to eavesdropping due to their operation with radio frequencies. The distance over which communication can be overheard depends on the strength of the signals, with the reader signal typically being much stronger than the signal emitted by the tag. While the specified reading distance from an RFID tag is small, Kfir et al. showed that this distance can be increased by employing a loop antenna and signal processing [KW05]. As with any other communication, RFID systems should employ measures to secure the transmitted data if it is sensitive.

Attacks against Backend

For completeness it is worth mentioning that attacks do not necessarily only target the reader, the tag and the communication between them, but can also be directed towards the backend, where all information in the system is processed.

Like any other database, RFID backends communicate over a network with the readers and expose interfaces to further systems utilizing the data. As such they are exposed to the same threats as other database systems, including network attacks, computer viruses etc.

2.1.3 Measures to Protect Privacy in RFID

Different measures can be taken to protect privacy and avoid traceability. Avoine classifies these measures into three categories, as specified in the following [Avo05].

Palliative Techniques

One technique that is particularly applicable to supply chains is to simply kill the tags. When the tag reaches the end of the chain, e.g. during checkout in the shop, it is not needed anymore. There are a couple of disadvantages to this method: for tags with unique keys, the management of keys in the database becomes more complex, with keys becoming invalid and potentially being reused at a later point in time. Furthermore, it is difficult to confirm that a tag has actually been disabled.


Different methods are applicable to disable a tag. Besides the ones described in Subsection 2.1.2, tags can be constructed such that the antenna can easily be manually separated from the chip. This allows the tag to be activated again, but only intentionally [KM05].

Other techniques interrupt the communication between the tag and a reader by shielding the signal with a Faraday cage, thereby also allowing communication only by user action. Similarly, communication can be based on secret information that is only accessible by an optical reader. Again, a user can avoid unintended communication by not exposing the tag to view. Independent of the actual technique to stop a tag from communicating, Garfinkel elaborated the so-called "RFID Bill of Rights" [Gar02], which outlines the fundamental rights of the tags' bearers.

Garfinkel claims:

• The right to know whether products contain RFID tags.

• The right to have RFID tags removed or deactivated when they purchase products.

• The right to use RFID-enabled services without RFID tags.

• The right to access an RFID tag's stored data.

• The right to know when, where and why the tags are being read.

These methods are effective, but the requirement for user action and the other disadvantages make them inapplicable for many use cases. For many applications, the use of security protocols is much more appropriate [Avo13].

Protocols Resistant to Traceability

A tag that sends its information unencrypted is easy to trace. Encrypting the information with a key it shares with the reader avoids this, but has a number of disadvantages. If the same key is used by all tags in the RFID system, security can easily be corrupted by an adversary that is able to extract the content of a single tag.

If a different key is used by each tag, there are two cases: either the encryption is deterministic, resulting in an identical ciphertext being sent every time. This obviously does not solve the traceability issue, as the tag can easily be identified by the ciphertext it transmits. Or the encryption is randomized, so that a different ciphertext is sent for every query. This creates a complexity problem on the reader side, as the reader needs to test all keys in the database to find the one that matches the ciphertext sent by the tag. This method is in fact a challenge-response protocol where the reader does not know the tag's identity in advance. Such scenarios are exactly what public-key encryption schemes have been developed for. Unfortunately, the complexity of public-key encryption prevents it from being used in low-complexity RFID systems.

The overall goal for these protocols is to make sure that the information transmitted is changed for every transmission instance. There are two categories in which these protocols can be classified: those where the necessary refresh of the information is triggered by the reader, and those where the refresh is performed by the tag itself without help from the reader.

Protocols Based on Reader-Aided ID-Refreshment

Reader-aided refresh is usually a 3-move protocol. First, the reader sends a request to the tag, followed by the tag reply that allows its identification. As a final step, the reader sends data to the tag that allows it to refresh the information that it will send for the next identification. If an adversary is able to send a successful request to the tag followed by forged refresh information, the tag and the database behind the reader will get out of sync, rendering the tag unusable by the RFID system (a desynchronization attack).

This means that this class of protocols is only useful for a weak adversary model.

Protocols Based on Self-Refreshment

Usually, protocols that are based on a self-refresh of the tag identifier without reader interaction are 2-move protocols, or 3-move protocols when mutual authentication between reader and tag is required. These protocols usually require cryptographic primitives to be implemented on the tag, typically involving a PRNG (e.g. [WSRE04], [MW04]), a hash function [RKKW05] or an encryption function [FDW04]. These protocols are not in general limited to a weak adversary model and therefore are the best approach to avoid traceability. For this reason, this work concentrates on the respective low-complexity functions for such cryptographic primitives, with a particular focus on PRNGs.
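The following added example (not a protocol from the thesis or from the cited works) contrasts the two classes just described with toy models: a reader-aided tag that accepts an unauthenticated refresh message, and a self-refreshing tag whose identifier is advanced with a one-way function after every reply. Truncated SHA-256 as the one-way function, 64-bit identifiers and a backend search window of 16 unseen reads are assumptions chosen for the demonstration; a real low-cost tag would use a lightweight primitive instead.

```python
"""Toy models of reader-aided and self-refreshing ID update.

Added illustration, not a protocol from the thesis or the cited works.
Truncated SHA-256, 64-bit identifiers and the search window are
assumptions for the demonstration, not lightweight primitives.
"""
import hashlib
import os
from typing import Dict, Optional


def h(*parts: bytes) -> bytes:
    """One-way function standing in for a lightweight hash (64-bit output)."""
    return hashlib.sha256(b"".join(parts)).digest()[:8]


# --- Reader-aided ID-refreshment: request, reply, refresh (3 moves) -------

class ReaderAidedTag:
    def __init__(self, ident: bytes) -> None:
        self.ident = ident

    def reply(self) -> bytes:                       # move 2
        return self.ident

    def refresh(self, new_ident: bytes) -> None:    # move 3, unauthenticated
        self.ident = new_ident


class ReaderAidedBackend:
    def __init__(self, tags: Dict[str, bytes]) -> None:
        self.by_id = {ident: name for name, ident in tags.items()}

    def identify_and_refresh(self, tag: ReaderAidedTag) -> Optional[str]:
        ident = tag.reply()                          # moves 1 and 2
        name = self.by_id.pop(ident, None)
        if name is None:
            return None                              # unknown: out of sync
        new_ident = h(b"refresh", ident)
        self.by_id[new_ident] = name
        tag.refresh(new_ident)                       # move 3
        return name


def desynchronize(tag: ReaderAidedTag) -> None:
    """Active adversary: one query followed by a forged refresh message."""
    tag.reply()
    tag.refresh(os.urandom(8))


# --- Self-refreshment: request, reply (2 moves) ----------------------------

class SelfRefreshTag:
    def __init__(self, secret: bytes) -> None:
        self.state = secret

    def reply(self) -> bytes:
        out = h(b"out", self.state)                  # what goes over the air
        self.state = h(b"upd", self.state)           # refresh without the reader
        return out


class SelfRefreshBackend:
    def __init__(self, tags: Dict[str, bytes], window: int = 16) -> None:
        self.state = dict(tags)   # name -> last known tag state
        self.window = window      # unseen reads tolerated before losing the tag

    def identify(self, reply: bytes) -> Optional[str]:
        # O(tags * window): the reader cannot index by identifier, it must
        # search, which is the reader-side complexity problem described above.
        for name, s in self.state.items():
            for _ in range(self.window):
                if h(b"out", s) == reply:
                    self.state[name] = h(b"upd", s)  # resynchronize
                    return name
                s = h(b"upd", s)
        return None


def scenario() -> Dict[str, object]:
    """Both classes against an honest reader and an active adversary."""
    ra_tag = ReaderAidedTag(b"\x01" * 8)
    ra_db = ReaderAidedBackend({"tag-A": b"\x01" * 8})
    first = ra_db.identify_and_refresh(ra_tag)       # honest session
    desynchronize(ra_tag)                            # adversary interferes
    after_attack = ra_db.identify_and_refresh(ra_tag)

    sr_tag = SelfRefreshTag(b"\x02" * 8)
    sr_db = SelfRefreshBackend({"tag-B": b"\x02" * 8}, window=16)
    seen = {sr_tag.reply() for _ in range(5)}        # adversary reads 5 times
    recognized = sr_db.identify(sr_tag.reply())      # reader still succeeds
    for _ in range(20):                              # but not beyond the window
        sr_tag.reply()
    lost = sr_db.identify(sr_tag.reply())
    return {"reader_aided_first": first, "reader_aided_after_attack": after_attack,
            "adversary_saw_distinct_ids": len(seen) == 5,
            "self_refresh_recognized": recognized, "self_refresh_beyond_window": lost}


if __name__ == "__main__":
    print(scenario())
```

The self-refreshing tag resists the forged-message attack because it accepts no input at all, and the five identifiers the adversary observed are pairwise different and unlinkable without the secret. The price is the bounded search window: a tag queried more often than the window allows while out of the reader's sight is lost as well, so the window trades availability against the reader's lookup cost.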

2.2 Graph Theory

This section provides the basics of graph theory that are required for understanding the analyses performed later in this work. After defining different properties of mathematical functions according to [Tur09], [Die00], [CLGM+95], [FO90] and [SF13], the different elements of a function graph are explained.

Definition: Injective, Surjective and Bijective Function

Let $A$ and $B$ be sets. A function or mapping from $A$ to $B$, denoted by $f : A \to B$, is a relation from $A$ to $B$ in which every element of $A$ appears exactly once as the first component of an ordered pair in the relation. If $A$ is finite and an element $a \in A$ is interpreted as a discrete state, $f$ is also called a state transition function.

• The function $f : A \to B$ is injective if for any two different elements $a_1 \neq a_2$ of $A$ it follows that $f(a_1) \neq f(a_2)$.

• The function $f : A \to B$ is surjective if for every element $b \in B$ an element $a \in A$ exists with $f(a) = b$.


• The function $f : A \to B$ is bijective if it is both injective and surjective. If $A = B$, $f$ is called a self-mapping.

Definition: Directed Graph

A directed graph $G = (V, E)$ (digraph) is a tuple of the sets $V$ (the set of nodes) and $E$ (the set of edges) with $E \subseteq V \times V$. For finite $V$ it follows that $E$ and thus $G$ are also finite. In the following, any mention of a graph in this work refers to a directed graph, unless explicitly specified otherwise.

Definition: State Transition Graph

A state transition graph $G = (V, E)$ is a graph induced by a function $f : V \to V$ with $E = \{(x, f(x)) : x \in V\}$. The function $f(x)$ denotes the transition from a state $x_0 = x$ to another state $x_1 = f(x)$.

Definition: Subgraph

Let $G = (V, E)$ be a graph and $U \subseteq V$; then the subgraph $G(U)$ induced by $U$ is the graph $G(U) := (U, E')$ with $E' = E \cap (U \times U)$, i.e. exactly those edges $e \in E$ whose incident nodes are both in $U$.

Definition: Degrees of Vertices

Let $G = (V, E)$ be a graph; then the in-degree of a node $v$, meaning the total number of all incoming edges of $v$, is denoted by $E(v)$. Correspondingly, $A(v)$ is the out-degree, meaning the total number of all outgoing edges of $v$. If $E(v) = 0$, $v$ is called a leaf.

Definition: Paths and Ways

A path $p = (v_0, v_1, \ldots, v_{m-1}, v_m)$ in a graph $G$ is a finite sequence of nodes with $(v_i, v_{i+1}) \in E$ for $i = 0, \ldots, m-1$.

The length of the path is $m$. The node $v_0$ is called the start node or head of the path $p$, the node $v_m$ is called the end node or tail. The remaining nodes of $p$ are called inner nodes.

A path $p$ is called a simple path or way if no node is passed multiple times, that is, if all nodes $v_i$ and $v_j$ with $i \neq j$ and $i, j \in \{0, \ldots, m\}$ are pairwise distinct, with the possible exception $v_0 = v_m$.

Definition: Cycle or Circle

A way $W = (v_0, v_1, \ldots, v_l)$ with $l \geq 1$ in a graph $G$ is called a cycle or circle if $v_0 = v_l$. $l$ is called the length of the cycle.


Definition: Connected Component

A graph $G = (V, E)$ is called weakly connected if and only if for all nodes $u, v \in V$ with $u \neq v$ a way exists between $u$ and $v$ when the direction of the edges is ignored, that is, if the underlying undirected graph is connected. In a state transition graph, two nodes in different trees of the same component are connected in this sense although neither can be reached from the other along directed edges.

A subgraph $G(U)$ of $G$ is called a connected component, or simply a component, of $G$ if and only if $G(U)$ is weakly connected and $G(U \cup \{v\})$ is not weakly connected for any $v \in V \setminus U$.

This means $G(U)$ is maximally connected. Figure 2.7 shows a typical example of a connected component of a transition graph.

The total number of nodes in a connected component is called the size of the component.

Figure 2.7: A Typical Connected Component of a State Transition Graph [BFKM12]

Definition: Tree

In undirected graphs, a connected graph $B$ with $n$ nodes that does not contain a cycle is called a tree and has $m = n - 1$ edges. For two nodes $u, v \in V$, exactly one path $u \to v$ in $B$ exists.

A polytree (also known as an oriented tree or singly connected network) is a directed acyclic graph whose underlying undirected graph is a tree. As the remainder of this work refers to directed graphs only, tree is used synonymously with polytree in the following unless noted otherwise. It is furthermore notable that in the course of this work only directed graphs with out-degree $A(v) \leq 1$ are considered, as induced by a state transition function; the in-degree $E(v)$ of a node, i.e. its number of predecessors, is not bounded.

As a further convention, in this work the root of a tree is defined to be the node $u$ ($u \in V$) where the tree connects to a cycle. The length of the way from a node $v$ ($v \in V$) of the tree to its root $u$ is called the depth of $v$ in $B$ or the tail length $\lambda(v)$. The length of the longest such way is the height of the tree. The direction of a tree is assumed to be given by the direction of the graph, meaning that in the course of this work a tree shall be defined to be directed towards its root.

Definition: Rho Length

The rho length $\rho(u)$ is defined as the sum of the tail length $\lambda(u)$ and the length $l$ of the cycle that the path starting from $u$ connects to.

Definition: Predecessors Size

The predecessors size of a node $u$ is defined as the size of the tree rooted at $u$.

2.3 Cryptographic Pseudo-Random Number Generators

Random numbers are needed and used in many security related applications. They are an essential component for the generation of passwords and session keys and for authentication protocols. The security of such applications depends substantially on the quality of the involved random number generator. Predictable random numbers allow unauthorized parties to eavesdrop on communication, counterfeit a false identity or manipulate the transmitted information. In the following, the basics of random number generators are explained, with a subsequent discussion of the quality of pseudo-random number generators.

2.3.1 Overview of Random Number Generators

Random Number Generators can be classified into True Random Number Generators and Pseudo-Random Number Generators. A true random number generator (TRNG) requires a naturally occurring source of randomness. Designing a hardware device or software program to exploit this randomness and produce a bit sequence that is free of biases and correlations is a difficult task. Additionally, for most cryptographic applications, the generator must not be subject to observation or manipulation by an adversary.

Random bit generators based on natural sources of randomness are subject to influence by external factors, and also to malfunction [MvOV96]. It is imperative that such devices be tested periodically, for example by using statistical tests. Passing these statistical tests is a necessary but not sufficient condition for a generator to be secure. In [Neu04], a list of constraints is given which could be tested.

A simple example for a statistical test of a Random Number Generator is to count the number of zeros in the generated random sequence. Common statistical tests are the frequency, serial, poker, autocorrelation, run and long run tests, which are described in [Knu98], [BP82], [FO10]. In Chapter 5 of Menezes et al. [MvOV96], it is shown that it is impossible to give a mathematical proof whether a Random Number Generator creates truly random numbers or not.
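As an added example (not code from the thesis), the following implements four of the tests named above, the frequency (monobit), poker, runs and long-run tests, with the pass intervals of FIPS 140-1, which are calibrated for a sample of exactly 20,000 bits; the sample sequences it is exercised with are constructed.

```python
"""Classic statistical tests for a random bit stream: frequency (monobit),
poker, runs and long-run test, with the pass intervals of FIPS 140-1.

Added example, not code from the thesis. The intervals are calibrated for
a sample of exactly 20,000 b its, so the functions refuse other lengths.
The sample sequences used below are constructed.
"""
import random
from collections import Counter
from typing import Dict, List, Tuple

N_BITS = 20000

# Runs test bounds per run length (6 stands for "6 or longer").
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}


def _check_len(bits: List[int]) -> None:
    if len(bits) != N_BITS:
        raise ValueError(f"FIPS 140-1 intervals assume {N_BITS} bits")


def monobit_test(bits: List[int]) -> Tuple[bool, int]:
    """Frequency test: the number of ones must satisfy 9654 < n1 < 10346."""
    _check_len(bits)
    ones = sum(bits)
    return 9654 < ones < 10346, ones


def poker_test(bits: List[int]) -> Tuple[bool, float]:
    """Poker test: chi-square style statistic over the 5000 4-bit nibbles,
    required to lie in 1.03 < X < 57.4."""
    _check_len(bits)
    nibbles = Counter(tuple(bits[i:i + 4]) for i in range(0, N_BITS, 4))
    x = (16 / 5000) * sum(c * c for c in nibbles.values()) - 5000
    return 1.03 < x < 57.4, x


def runs_test(bits: List[int]) -> Tuple[bool, Dict[int, Counter], int]:
    """Runs test: the histogram of run lengths of zeros and of ones must
    stay within RUN_BOUNDS. Also returns the longest run observed."""
    _check_len(bits)
    hist = {0: Counter(), 1: Counter()}
    longest, i = 0, 0
    while i < N_BITS:
        j = i
        while j < N_BITS and bits[j] == bits[i]:
            j += 1
        hist[bits[i]][min(j - i, 6)] += 1
        longest = max(longest, j - i)
        i = j
    ok = all(lo <= hist[b][k] <= hi
             for b in (0, 1) for k, (lo, hi) in RUN_BOUNDS.items())
    return ok, hist, longest


def long_run_test(bits: List[int]) -> Tuple[bool, int]:
    """Long-run test: no run of 34 or more identical bits may occur."""
    _, _, longest = runs_test(bits)
    return longest < 34, longest


def run_all(bits: List[int]) -> Dict[str, bool]:
    return {"monobit": monobit_test(bits)[0], "poker": poker_test(bits)[0],
            "runs": runs_test(bits)[0], "long_run": long_run_test(bits)[0]}


def int_to_bits(value: int, nbits: int) -> List[int]:
    """Most-significant bit first."""
    return [(value >> (nbits - 1 - k)) & 1 for k in range(nbits)]


if __name__ == "__main__":
    # Constructed inputs: a degenerate stream, a periodic one, and the output
    # of a general-purpose (non-cryptographic) PRNG, which normally passes.
    print("all ones   ", run_all([1] * N_BITS))
    print("alternating", run_all([k % 2 for k in range(N_BITS)]))
    mt = random.Random(1).getrandbits(N_BITS)
    print("MT19937    ", run_all(int_to_bits(mt, N_BITS)))
```

The alternating stream passes the monobit test with exactly 10,000 ones and still fails the poker and runs tests, which is why a single test is not meaningful on its own. Conversely, the Mersenne Twister stream normally passes all four, although its internal state can be recovered from 624 consecutive outputs; this is the "necessary but not sufficient" caveat from the paragraph above in concrete form.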

Definition: Pseudo-Random Number Generator

Pseudo-Random Number Generators (PRNGs) are generally deterministic state transition functions $f : M \to M$ mapping a finite state space to itself, as long as they do not receive new seed or entropy bits. Every output of the PRNG results in a state transition. This means that the generated sequences of pseudo-random numbers are periodic. Figure 2.8 depicts the general structure of a PRNG. The output is deterministic and depends only on the state. Therefore, only the state is considered in the following. Usually the output is compressed, meaning that the internal state cannot be recovered uniquely from a single output, and the output function is intended to be a one-way function.

If a single state is interpreted as a node and the transition between a state and its unique successor state is interpreted as an edge, the result is a directed graph $G_f = (V, E)$ with $V := M$ and $E := \{(x, f(x)) \mid x \in M\}$, where $M$ is the set of states. The structure of the generated graph provides information about the behavior of the pseudo-random generator. Due to the finite state space of a real-world implementation of a PRNG, every path in the state space will end up in a cycle, resulting in a periodic output sequence. For non-bijective transition functions the graph typically consists of several weakly connected components. Each of these components consists of exactly one cycle and generally several trees with roots located on the cycle (see e.g. Figure 2.7).

Figure 2.8: Pseudo-Random Number Generator

Attacks on Pseudo-Random Number Generators

Attacks on Pseudo-Random Number Generators can be classied as follows [KSWH98]:

1. Direct Cryptanalytic Attack

The capability of an attacker to distinguish between the output of a PRNG and real random outputs is covered by the term direct cryptanalytic attack.


This attack is applicable to most applications of PRNGs, although there are some applications where the PRNG output cannot be accessed directly (e.g. when the PRNG is used to generate triple-DES keys).

2. Input-Based Attacks

Access to or control of the input of the PRNG enables an attacker to cryptanalyze the PRNG and perform an input attack. Input attacks can be categorized into known-input, replayed-input, and chosen-input attacks. Known-input attacks can be performed when a source that is used as input for the PRNG is observable by the attacker. Replayed-input attacks are applicable if the input can not only be observed, but the same data can be fed into the PRNG again. Chosen-input attacks require maximum control by the attacker, as they involve feeding arbitrary data into the PRNG, e.g. while analysing a smart card with a cryptanalytic attack.

3. State Compromise Extension Attacks

When the state $S$ of the PRNG has been recovered successfully at some point in time, an attacker might extend this knowledge to other points in time using a state compromise extension attack. This kind of attack is particularly likely to be successful when the PRNG is started with insufficient entropy and therefore the start state is easily guessable.

(a) Backtracking Attacks: A backtracking attack uses the compromise of the PRNG state $S$ at time $t$ to learn previous PRNG outputs.

(b) Permanent Compromise Attacks: A permanent compromise attack occurs if, once an attacker compromises $S$ at time $t$, all future and past $S$ values are vulnerable to attack.

(c) Iterative Guessing Attacks: An iterative guessing attack uses knowledge of $S$ at time $t$, and the intervening PRNG outputs, to learn $S$ at time $t + \epsilon$, when the inputs collected during this span of time are guessable (but not known) by the attacker.

(d) Meet-in-the-Middle Attacks: A meet-in-the-middle attack is essentially a combination of an iterative guessing attack with a backtracking attack. Knowledge of $S$ at times $t$ and $t + 2\epsilon$ allows the attacker to recover $S$ at time $t + \epsilon$.

Several examples for attacks on specic widespread PRNG implementations are presented in [KSWH98].

2.3.2 Metrics for a "Good" PRNG

To be able to compare the quality of PRNGs, metrics have to be defined that associate a measurable quality with a given PRNG implementation.


The selected properties to compare depend heavily on the application, but for security-related applications the following criteria are reasonable and can be extracted from the state space structure of the PRNG function:

• Number of Components

• Cycle Lengths of the Components

• Size of the Components

A further candidate for a criterion is the ratio of branches (nodes with more than one predecessor), as these increase the backwards secrecy. This conflicts with the cycle length criterion to a certain extent.

In order to make a decision about "good" PRNGs, not only the criteria to compare need to be defined, but also thresholds separating "good" and "bad" PRNGs are required. In [FO90], several expected values for random mappings have been derived and formulated as theorems. Random mappings can provide a reference for PRNG functions and can help in defining thresholds for "good" PRNGs. In the following, the definitions of expected value and variance are given. After that, the theorems for random mappings are presented. At the end of the section, a proposed definition of a "good" PRNG is given.

Definition: Expected Value

The expected value of a discrete random variable is denoted by $E$ and represents the mean value of the outcomes. It is obtained by finding the value of

$$E = \sum [x \cdot P(x)]. \qquad (2.1)$$

Definition: Variance

The variance of a random variable $X$ is the expected value of the squared deviation from the mean of $X$, $\mu = E[X]$:

$$\sigma^2(X) = E[(X - \mu)^2]. \qquad (2.2)$$

Theorems for Random Mappings

Theorem 2 (Direct Parameters) The expectations of the parameters number of components, number of cyclic nodes, number of leaves, number of image nodes, and number of $k$-th iterate image nodes (meaning: the number of predecessor nodes that lead to a given node after $k$ iterations) in a random mapping of size $n$ have the asymptotic forms, as $n \to \infty$,

(i) # Components: $\frac{1}{2} \log n$

(ii) # Cyclic nodes: $\sqrt{\pi n / 2}$

(iii) # Terminal nodes: $e^{-1} n$

(iv) # Image nodes: $(1 - e^{-1}) n$

(v) # $k$-th iterate image nodes: $(1 - \tau_k) n$, where the $\tau_k$ satisfy the recurrence $\tau_0 = 0$, $\tau_{k+1} = e^{-1 + \tau_k}$.

Proof: see [FO90]

Theorem 3 (Cumulative Parameter Estimates) Seen from a random point in a random mapping $F_n$, the expectations of the parameters tail length, cycle length, rho-length, tree size, component size, and predecessor size have the following asymptotic forms:

(i) Tail length ($\lambda$): $\sqrt{\pi n / 8}$

(ii) Cycle length ($\mu$): $\sqrt{\pi n / 8}$

(iii) Rho length ($\rho = \lambda + \mu$): $\sqrt{\pi n / 2}$

(iv) Tree size: $n/3$

(v) Component size: $2n/3$

(vi) Predecessor size: $\sqrt{\pi n / 8}$.

Proof: see [FO90]

Theorem 4 ($r$-configurations) For any fixed integer $r$, the parameters number of $r$-nodes (nodes with indegree $r$), number of predecessor trees of size $r$, number of cycle trees of size $r$ and number of components of size $r$, have the following asymptotic mean values:

(i) $r$-nodes: $n e^{-1} / r!$

(ii) $r$-predecessor trees: $n t_r e^{-r} / r!$

(iii) $r$-cycle trees: $\left(\sqrt{\pi n / 2}\right) \cdot t_r e^{-r} / r!$

(iv) $r$-cycles: $1/r$

(v) $r$-components: $c_r e^{-r} / r!$,

where $t_r$ is the number of trees having $r$ nodes, $t_r = r^{r-1}$, and $c_r = r! \, [z^r] \, c(z)$ is the number of connected mappings of size $r$.

Proof: see [FO90]

Theorem 5 The expectation of the maximum cycle length $\mu_{\max}$ in a random mapping of $F_n$ satisfies

$$E\{\mu_{\max} \mid F_n\} \sim c_1 \sqrt{n}, \qquad (2.3)$$

where $c_1 \approx 0.78248$ is given by

$$c_1 = \sqrt{\frac{\pi}{2}} \int_0^{\infty} \left[1 - e^{-E_1(v)}\right] dv, \qquad (2.4)$$
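The state-space criteria listed above (number, cycle lengths and sizes of the components) and the random-mapping reference values of Theorems 2, 3 and 5 can be measured on a concrete transition function. The following Python script is an added example, not code from the dissertation: it walks the complete functional graph of a small state space and reports the FO90 parameters next to their asymptotic expectations, using a constructed full-period LCG and a constructed seeded random mapping as inputs.

```python
import math, random
from collections import Counter

def functional_graph_stats(f, n):
    """State-space metrics of a PRNG transition f on the states 0..n-1."""
    comp = [-1] * n   # component id of each node
    tail = [0] * n    # distance from each node to the cycle of its component
    cycle_len = []    # cycle length of each component
    for start in range(n):
        if comp[start] != -1:
            continue
        path, pos, x = [], {}, start
        while comp[x] == -1 and x not in pos:   # walk until a known node
            pos[x] = len(path)
            path.append(x)
            x = f(x)
        if comp[x] == -1:                        # closed a new cycle: path[pos[x]:]
            cid = len(cycle_len)
            cycle_len.append(len(path) - pos[x])
            for y in path[pos[x]:]:
                comp[y] = cid
            path = path[:pos[x]]                 # the rest of the walk is a tail
        else:
            cid = comp[x]                        # joined an existing component
        for i, y in enumerate(reversed(path)):   # last path node maps to x
            comp[y], tail[y] = cid, tail[x] + i + 1
    images = {f(x) for x in range(n)}
    return {"components": len(cycle_len),
            "cycle_lengths": sorted(cycle_len, reverse=True),
            "component_sizes": sorted(Counter(comp).values(), reverse=True),
            "cyclic_nodes": sum(cycle_len), "max_cycle": max(cycle_len),
            "terminal_nodes": n - len(images), "image_nodes": len(images),
            "mean_tail": sum(tail) / n}

def fo90_expectations(n):
    """Asymptotic expectations for a random mapping of size n (Theorems 2, 3, 5)."""
    return {"components": 0.5 * math.log(n), "cyclic_nodes": math.sqrt(math.pi * n / 2),
            "terminal_nodes": n / math.e, "image_nodes": (1 - 1 / math.e) * n,
            "mean_tail": math.sqrt(math.pi * n / 8), "max_cycle": 0.78248 * math.sqrt(n)}

if __name__ == "__main__":
    n = 1 << 12
    # Constructed example 1: a full-period LCG is a permutation of the state space,
    # so it has one component, one cycle of length n and no terminal nodes (no branching).
    lcg = lambda x: (1664525 * x + 1013904223) % n
    # Constructed example 2: a fixed-seed random mapping as the FO90 reference point.
    table = random.Random(1).choices(range(n), k=n)
    for name, f in (("full-period LCG", lcg), ("random mapping", lambda x: table[x])):
        print(name, functional_graph_stats(f, n))
    print("FO90 expectations", fo90_expectations(n))
```

The permutation scores best on cycle length but has no branches at all, while the random mapping shows the tails, terminal nodes and several components that the theorems predict; this is the trade-off between cycle length and backwards secrecy noted above.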
