Efficient Public-Key Distance Bounding Protocol

  • Handan KılınçEmail author
  • Serge Vaudenay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10032)


Distance bounding protocols become more and more important because they are the most accurate solution to defeat relay attacks. They consist of two parties: a verifier and a prover. The prover shows that (s)he is close enough to the verifier. In some applications such as payment systems, using public-key distance bounding protocols is practical as no pre-shared secret is necessary between the payer and the payee. However, public-key cryptography requires much more computations than symmetric key cryptography. In this work, we focus on the efficiency problem in public-key distance bounding protocols and the formal security proofs of them. We construct two protocols (one without privacy, one with) which require fewer computations on the prover side compared to the existing protocols, while keeping the highest security level. Our construction is generic based on a key agreement model. It can be instantiated with only one resp. three elliptic curve computations for the prover side in the two protocols, respectively. We proved the security of our constructions formally and in detail.


Distance bounding RFID NFC Relay attack Key agreement Mafia fraud Distance fraud Distance hijacking 



This work was partly sponsored by the ICT COST Action IC1403 Cryptacus in the EU Framework Horizon 2020.

Supplementary material


  1. 1.
    EMVCo version 2.6 in book c-2 kernel 2 specificationGoogle Scholar
  2. 2.
    Avoine, G., Bingöl, M.A., Kardaş, S., Lauradoux, C., Martin, B.: A framework for analyzing RFID distance bounding protocols. J. Comput. Secur. 19(2), 289–317 (2011)CrossRefGoogle Scholar
  3. 3.
    Avoine, G., Tchamkerten, A.: An efficient distance bounding RFID authentication protocol: balancing false-acceptance rate and memory requirement. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 250–261. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-04474-8_21 CrossRefGoogle Scholar
  4. 4.
    Bengio, S., Brassard, G., Desmedt, Y.G., Goutier, C., Quisquater, J.-J.: Secure implementation of identification systems. J. Cryptology 4(3), 175–183 (1991)CrossRefGoogle Scholar
  5. 5.
    Boureanu, I., Mitrokotsa, A., Vaudenay, S.: Secure and lightweight distance-bounding. In: Avoine, G., Kara, O. (eds.) LightSec 2013. LNCS, vol. 8162, pp. 97–113. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-40392-7_8 CrossRefGoogle Scholar
  6. 6.
    Boureanu, I., Mitrokotsa, A., Vaudenay, S.: Towards secure distance bounding. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 55–67. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-43933-3_4 Google Scholar
  7. 7.
    Boureanu, I., Mitrokotsa, A., Vaudenay, S.: Practical and Provably Secure Distance-Bounding. IOS Press, Amsterdam (2015)zbMATHCrossRefGoogle Scholar
  8. 8.
    Boureanu, I., Vaudenay, S.: Optimal proximity proofs. In: Lin, D., Yung, M., Zhou, J. (eds.) Inscrypt 2014. LNCS, vol. 8957, pp. 170–190. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-16745-9_10 Google Scholar
  9. 9.
    Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). doi: 10.1007/3-540-48285-7_30 Google Scholar
  10. 10.
    Bussard, L., Bagga, W.: Distance-bounding proof of knowledge to avoid real-time attacks. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IAICT, vol. 181, pp. 223–238. Springer, Heidelberg (2005). doi: 10.1007/0-387-25660-1_15 CrossRefGoogle Scholar
  11. 11.
    Chothia, T., Garcia, F.D., Ruiter, J., Breekel, J., Thompson, M.: Relay cost bounding for contactless EMV payments. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 189–206. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47854-7_11 CrossRefGoogle Scholar
  12. 12.
    Cremers, C., Rasmussen, K.B., Schmidt, B., Capkun, S.: Distance hijacking attacks on distance bounding protocols. In: SP, pp. 113–127 (2012)Google Scholar
  13. 13.
    Desmedt, Y.: Major security problems with the unforgeable (Feige-) Fiat-Shamir proofs of identity and how to overcome them. In: SECURICOM, pp. 147–159 (1988)Google Scholar
  14. 14.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  15. 15.
    Dürholz, U., Fischlin, M., Kasper, M., Onete, C.: A formal approach to distance-bounding RFID protocols. In: Lai, X., Zhou, J., Li, H. (eds.) ISC 2011. LNCS, vol. 7001, pp. 47–62. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-24861-0_4 CrossRefGoogle Scholar
  16. 16.
    Fischlin, M., Onete, C.: Terrorism in distance bounding: modeling terrorist-fraud resistance. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 414–431. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-38980-1_26 CrossRefGoogle Scholar
  17. 17.
    Gambs, S., Onete, C., Robert, J.-M.: Prover anonymous and deniable distance-bounding authentication. In: ASIA CCS, ACM Symposium, pp. 501–506 (2014)Google Scholar
  18. 18.
    Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: SecureComm 2005, pp. 67–73. IEEE (2005)Google Scholar
  19. 19.
    Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 568–587. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-23822-2_31 CrossRefGoogle Scholar
  20. 20.
    Hermans, J., Peeters, R., Onete, C.: Efficient, secure, private distance bounding without key updates. In: WiSec, pp. 207–218 (2013)Google Scholar
  21. 21.
    Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ecdsa). Int. J. Inf. Secur. 1(1), 36–63 (2001)CrossRefGoogle Scholar
  22. 22.
    Kılınç, H., Vaudenay, S.: Comparison of public-key distance bounding protocols, under submissionGoogle Scholar
  23. 23.
    Kılınç, H., Vaudenay, S.: Optimal proximity proofs revisited. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 478–494. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-28166-7_23 CrossRefGoogle Scholar
  24. 24.
    Kim, C.H., Avoine, G.: RFID distance bounding protocol with mixed challenges to prevent relay attacks. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 119–133. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-10433-6_9 CrossRefGoogle Scholar
  25. 25.
    Kim, C.H., Avoine, G., Koeune, F., Standaert, F.-X., Pereira, O.: The swiss-knife RFID distance bounding protocol. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 98–115. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-00730-9_7 CrossRefGoogle Scholar
  26. 26.
    Krawczyk, H.: HMQV: a high-performance secure Diffie-Hellman protocol. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 546–566. Springer, Heidelberg (2005). doi: 10.1007/11535218_33 CrossRefGoogle Scholar
  27. 27.
    LaMacchia, B., Lauter, K., Mityagin, A.: Stronger security of authenticated key exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-75670-5_1 CrossRefGoogle Scholar
  28. 28.
    Lauter, K., Mityagin, A.: Security analysis of KEA authenticated key exchange protocol. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 378–394. Springer, Heidelberg (2006). doi: 10.1007/11745853_25 CrossRefGoogle Scholar
  29. 29.
    Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An efficient protocol for authenticated key agreement. Des. Codes Crypt. 28(2), 119–134 (2003)MathSciNetzbMATHCrossRefGoogle Scholar
  30. 30.
    Okamoto, T., Pointcheval, D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 104–118. Springer, Heidelberg (2001). doi: 10.1007/3-540-44586-2_8 CrossRefGoogle Scholar
  31. 31.
    Shoup, V.: A proposal for an ISO standard for public key encryption (2.0) (2001)Google Scholar
  32. 32.
    Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Crypt. 46(3), 329–342 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
  33. 33.
    Vaudenay, S.: On privacy models for RFID. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 68–87. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-76900-2_5 CrossRefGoogle Scholar
  34. 34.
    Vaudenay, S.: On modeling terrorist frauds. In: Susilo, W., Reyhanitabar, R. (eds.) ProvSec 2013. LNCS, vol. 8209, pp. 1–20. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-41227-1_1 CrossRefGoogle Scholar
  35. 35.
    Vaudenay, S.: On privacy for RFID. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 3–20. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-26059-4_1 Google Scholar
  36. 36.
    Vaudenay, S.: Privacy failure in the public-key distance-bounding protocol. IET Inf. Secur. 10(4), 188–193 (2015)CrossRefGoogle Scholar
  37. 37.
    Vaudenay, S.: Private and secure public-key distance bounding. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 207–216. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-47854-7_12 CrossRefGoogle Scholar
  38. 38.
    Vaudenay, S.: Sound proof of proximity of knowledge. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 105–126. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-26059-4_6 Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.EPFLLausanneSwitzerland

Personalised recommendations