CHABANNE AND FUMAROLI: NOISY CRYPTOGRAPHIC PROTOCOLS FOR LOW-COST RFID TAGS 3563
Fig. 1. Initialization scenario. (a) Actual scenario. (b) Equivalent scenario.

respectively, where denotes the Hamming distance.

The worst case is achieved when both and are greater than . Should that be the case, and have to perform an advantage distillation phase to gain the advantage over i.e., to eventually get fewer errors than .

The Bit Pair Iteration Protocol introduced in  turns out to be a quite efficient one implementing the advantage distillation phase. and group their bits by pair and then tell each other the parity of each pair. If both parities do not match, then and get rid of the pair. Otherwise, they undertake to keep the information associated with the involved pair while giving as little information as possible. Namely, they keep only the first bit of the pair since globally got one bit of information about the pair from its parity. The retained bit might still differ, but it can be shown that and 's bits agree more and more each time the process is repeated .

For our purpose, let be the reader, be the tag and be some passive eavesdropper. Then either or has to send the initial string in the satellite's place. If is the initial sender (see Fig. 1(a)), then and .

Let the communication channels and be considered independent and 's version of the string taken as reference. The previous scenario is then equivalent to having sent the string and and having received it with independent noise patterns respectively characterized by and (see Fig. 1(b)).

Hence even if at the outset. Let denote the Shannon bit entropy function for some random variable on a set . A string received with probability provides information bit. Let (resp. ) be the information rate learnt by (resp. by ). Since is strictly decreasing on [0, 1/2], we get in terms of Shannon information.

Under these conditions, and always have an advantage over , a fact already known to Wyner in .

Note that the advantage distillation phase is not necessary anymore whatever low may be. Practically however, implementing the Bit Pair Iteration Protocol in the first stage provides one with an effective way of increasing both the reliability of and 's string as well as the eavesdropper's disad-

IV. LOW-COST RECONCILIATION PROTOCOL

Some errors in 's string may remain. During the information reconciliation phase, and exchange some information to correct these errors. Cascade, introduced in , is built so that and efficiently correct their errors while maintaining the information leaked to relatively low (see  for a detailed description). Cascade's performance is actually very close to the Shannon bound in terms of amount of leaked information. However, Cascade would be too complex to fit into simple low cost tags. Practically, when the error rate is sufficiently low—which can be easily achieved by performing enough Bit Pair Iteration protocol passes—most errors are corrected during the first pass of Cascade. From this observation, we propose introducing two major changes in Cascade.
• First, the same block size is set for every pass. The block size should also divide the string size, so that only fixed length blocks have to be analyzed.
• Second, a permutation is set once and for all and cabled inside the tag. It is hence straightforward to apply it to the string. On the contrary, choosing the permutation at random and sending it through the communication channel at the beginning of each pass as required in Cascade would have been infeasible in low-cost tags.
Much less efficient than Cascade, but also much easier to implement, our protocol still converges in the stated context.

A. Proposed Reconciliation Protocol

Let
• be the length of the strings to be reconciled,
• be the block size with ,
• be a pre-cabled permutation in the set of all bijections of .
The protocol is composed of several identical passes. Let and , respectively, denote and 's string at the beginning of the protocol. The th pass of our protocol is described as follows.
1) and , respectively, compute and .
2) and divide and in blocks.
3) For from 1 to .
a) Let and denote the th block of and 's string, respectively. If the parity of and are the same, and continue with the next block (or the next pass if all blocks in the current pass have already been checked out). Otherwise, they perform a dichotomic search which returns a position such that .
b) inverts to correct the error.

B. Protocol Analysis

Estimating the amount of leaked information during the reconciliation phase is needed by the subsequent phases and achieved through the following proposition.

Proposition 1: Let be the block size, (resp. ) be the bit error rate (resp. the bit leak rate) after passes of the reconciliation protocol. We have
where denotes the bit error rate at the beginning of the reconciliation protocol;
2)
3564 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 8, AUGUST 2006
1) Let be a random variable representing the number of errors in a given block of size when the string's bit error probability is . If the errors are uniformly distributed at the beginning of the protocol and the permutation is chosen at random among all permutations of (or has adequate properties, see the following section), it is legitimate to consider that these errors remain uniformly distributed within the string at the beginning of each pass. Thus, can be approximated by a binomial law with parameters . Let be the probability that is odd, we

Since one error per odd parity block is corrected, we get

2) Let us consider the -th pass of the protocol with . For each block, at least one bit is revealed for parity testing. If the block's parity is odd, then more bits are revealed to locate the error. Thus, the bit leak rate during the th pass is given by

Hence,

The formula also holds for corresponding to the trivial case .

Smaller obviously lead to cheaper hardware implementation of the protocol and faster bit error rate decrease (see Fig. 2). However, the parameter cannot be chosen too small because it also leads to higher bit leak rates (see Fig. 3). This analysis shows that there is a tradeoff between error correction rate and leaked information rate according to the initial bit error rate and available gate count.

C. Choice of a Permutation

The estimate of remaining errors pass after pass is based on the hypothesis that the permutation is chosen at random. However, the choice of a permutation with adequate properties proves sufficient practically.

An adequate permutation for our reconciliation protocol should map distinct positions in a given block to distinct blocks. This would guarantee that the composition of the blocks is very different from pass to pass.

Fig. 2. Bit error rate e as a function of k and i.

Fig. 3. Bit leak rate d as a function of k and i.

The rest of the section formally describes a quality measure for such a candidate permutation.

Let be the set containing the positions in the -th block, for . Let denote the cardinality of the set of all elements such that for all with we have

where denotes the set of all subsets of of size .

Eventually, an adequate measure according to the stated reconciliation problem for a permutation might be defined as

Suppose . An ideal permutation according to and is such that

The most accurate is reached with .

V. TOWARD PRIVACY AMPLIFICATION

At the end of the reconciliation protocol, and agreed on a string with very high probability. In this last phase, they publicly pick a compression function which, applied to this partially secret string, allows them to derive a shorter – but almost perfectly secure – key . Thereby, can be chosen as a secret key during the subsequent exchanges in, for example, the so-called one-time pad encryption scheme.
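The reconciliation pass of Section IV-A with the leak accounting of Section IV-B, as an added Python example that is not the authors' code: a fixed block size, one fixed permutation, a block parity check and a dichotomic search in each mismatching block. Assumptions: the function names, the permutation being applied at the start of every pass, the tag being the side that flips the bit, one leaked bit per exchanged parity, and a seeded shuffle standing in for the hard-wired permutation; the sample strings are constructed.

```python
import random

def parity(bits):
    return sum(bits) & 1

def locate_error(a, b, lo, hi):
    """Dichotomic search over [lo, hi), where the parities of a and b differ.
    Returns (a position where a and b differ, number of parities revealed)."""
    revealed = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        revealed += 1                  # one sub-block parity is disclosed
        if parity(a[lo:mid]) != parity(b[lo:mid]):
            hi = mid                   # odd number of errors in the left half
        else:
            lo = mid                   # otherwise it is in the right half
    return lo, revealed

def reconcile(reader, tag, k, perm, passes):
    """Identical passes with fixed block size k and fixed permutation perm.
    Returns (reader, tag, leaked bits, corrections), strings in permuted order."""
    n = len(reader)
    assert len(tag) == n and n % k == 0 and sorted(perm) == list(range(n))
    a, b = list(reader), list(tag)
    leaked = corrections = 0
    for _ in range(passes):
        a = [a[p] for p in perm]       # step 1 (assumed: applied every pass)
        b = [b[p] for p in perm]
        for start in range(0, n, k):   # steps 2-3: fixed-length blocks
            leaked += 1                # the block parity is always revealed
            if parity(a[start:start + k]) != parity(b[start:start + k]):
                pos, extra = locate_error(a, b, start, start + k)
                b[pos] ^= 1            # step 3b (assumed: the tag side flips)
                leaked += extra
                corrections += 1
    return a, b, leaked, corrections

def hamming(x, y):
    return sum(u != v for u, v in zip(x, y))

if __name__ == "__main__":
    rng = random.Random(1)             # constructed sample data
    n, k = 64, 8
    perm = random.Random(2006).sample(range(n), n)  # stand-in for the wired one
    reader = [rng.randrange(2) for _ in range(n)]
    tag = [bit ^ (rng.random() < 0.05) for bit in reader]
    for passes in (1, 2, 4):
        a, b, leaked, fixed = reconcile(reader, tag, k, perm, passes)
        print(passes, "passes:", hamming(a, b), "errors left,", leaked, "leaked")
```

Each correction removes exactly one error, and a block holding an even number of errors passes the parity test unnoticed until a later pass regroups its bits.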
The compression function is actually chosen from a universal class of hash functions we introduce in the following definition.

Definition 1 (Universal Class of Functions): A class of functions from to is universal if, for all pairs of distinct elements in , the probability that the event occurs is at most when is chosen uniformly at random in .

Some universal classes of functions are quite easy to implement. In particular,  proposes the universal class of hash functions WH-64 with Toeplitz that can be implemented from WH-16 which requires only 460 logic gates.

A. Discussion on the Achievable Key Length

Let denote the standard Shannon entropy and denote the collision entropy. The following theorems allow us to derive the length of .

Theorem 1 (Bennett, Brassard, Crépeau, Maurer ): Let be a random variable with values in the set , and be another random variable corresponding to the choice of an element in a universal class of hash functions according to a uniform distribution. Then

Theorem 2 (Cachin, Maurer ): Let and be random variables with alphabets and , respectively, and let be an arbitrary security parameter. With probability at least , takes on a value for which

Proposition 2 (Achievable Secret Key Length): Let
• be a lower bound on 's collision entropy about the secret string held by before information reconciliation;
• be the number of bits revealed during information reconciliation;
• and be arbitrary security parameters.
Then the final secret string length is about which only learns information bits with probability at least .
Proof: See .

VI. TOTAL EVALUATION OF OUR PROPOSAL

The hardware implementation of these protocols is easily scalable. It can be optimized to reach a compromise with the communication efficiency and gate count.

Suppose that broadcasts an -bit string that is received by and with a bit error rate respectively and . After this initialization phase, considering owns the reference version, and 's version are the image of 's string received through a binary symmetric channel with a bit error rate respectively and (see Table I).

Although 's bit error rate is higher than 's, several passes of the Bit Pair Iteration protocol are performed. In so doing, the advantage is increased while 's bit errors compared to 's are decreased so that fewer information bits are needed during the reconciliation phase. The Bit Pair Iteration Protocol leads to a reduction rate thus and we get a new shorter string of length (see Table II). With regard to , 's bit error probability is while 's is (see Tables III and IV). See  for details on evaluating the bit error probability and compression rate of the Bit Pair Iteration Protocol. Before reconciliation, 's associated collision entropy is estimated at .

TABLE I
E'S ERROR RATE AFTER INITIALIZATION

TABLE II
COMPRESSION RATE ACHIEVED BY THE BIT PAIR ITERATION PROTOCOL

R'S ERROR RATE AFTER BIT PAIR ITERATION PROTOCOL

TABLE IV
E'S ERROR RATE AFTER BIT PAIR ITERATION PROTOCOL

Note that it is not necessary to store the entire initial -bit string inside . Rather, the received initialization bits should be stored in a smaller buffer. When this buffer is full, its content is immediately processed by the Bit Pair Iteration protocol and the resulting bits are stored in the -bit buffer that will be used for information reconciliation.

Our reconciliation protocol is then implemented with an ad hoc block length. passes of our protocol are performed where is chosen such that and 's shared errors evaluates to while the number of revealed exchanged bits is not too high. Both and are computed using Proposition 1. and share a partially secret string of length . Again, note that a permutation on the set must be precabled once and for all tags. Depending on implementation, this should require no more than two -bit registers.

In a last phase, and apply a compression function to this partially secret string. This compression function is usually picked at random from a universal class of hash functions. In our setting, this compression function is fixed once and for all tags. An advisable choice is the universal class of hash functions proposed in  especially well suited for our context since this should require roughly 640 logic gates.
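One pass of the Bit Pair Iteration protocol used in this evaluation, as an added Python example (not the authors' code) that compares a simulated pass with the closed-form error and compression rates. Assumptions: the function names, independent bit errors at rate p between the two parties, and constructed sample strings; the eavesdropper's error rate is not modelled.

```python
import random

def bit_pair_pass(a, b):
    """One pass: the parties announce the parity of each bit pair, drop pairs
    whose parities differ and keep only the first bit of the others."""
    keep = [i for i in range(0, len(a) - 1, 2)
            if (a[i] ^ a[i + 1]) == (b[i] ^ b[i + 1])]
    return [a[i] for i in keep], [b[i] for i in keep]

def expected_after_pass(p):
    """Closed form, assuming independent bit errors at rate p.
    Returns (error rate of the kept bits, output length / input length)."""
    match = (1 - p) ** 2 + p ** 2      # zero or two errors: parities agree
    return p ** 2 / match, match / 2   # a kept bit is wrong only if both were

def error_rate(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

if __name__ == "__main__":
    rng = random.Random(7)             # constructed sample data
    p = 0.20
    a = [rng.randrange(2) for _ in range(20000)]
    b = [x ^ (rng.random() < p) for x in a]
    for i in (1, 2, 3):
        p, rate = expected_after_pass(p)
        a, b = bit_pair_pass(a, b)
        print(f"pass {i}: measured {error_rate(a, b):.4f}, expected {p:.4f}, "
              f"{len(a)} bits kept (rate {rate:.3f})")
```

Every pass discards more than half of the string, which is why the initial broadcast has to be much longer than the string that reaches reconciliation.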
The security parameter being set to and , highly secret information bits can actually be distilled from the only partially secure bits. More precisely, with probability at least which can be very close to provided is big enough, learns at most bit about this highly secret

Let us assume that the intrinsic observed error rates are and . broadcasts a 600-bit string. The bit error rates of and relative to the string held by become and , respectively. and perform one pass of the Bit Pair Iteration protocol. The a posteriori bit error rate of and become and . The compression rate is , thus the length of the string becomes bits. 's collision entropy about the string shared by and can be estimated at .

Our reconciliation protocol is performed with the parameters , and initial bit error probability . After one pass of the protocol, the expected number of errors in the common string is and the expected number of disclosed bits is . After four passes of the protocol, the expected number of errors in the common string is and the expected number of disclosed bits is . As for the security parameters, let and . Then, with probability at least , at least highly secret bits can be distilled about which 's information is at most .

VII. CONCLUSION

This paper shows how to exploit the noisy environment of RFID tags to circumvent low-end eavesdroppers. Our solution requires some bandwidth and few gates. Moreover, no key management is needed. Though not tested against physical experimentation, the feasibility of our scenario is very likely provided low signal-to-noise ratio during the initialization phase. Eventually, our approach seems pragmatic for this difficult problem.

The authors would like to thank the anonymous referees for helpful comments.

S. A. Weis, “Security and Privacy in Radio-Frequency Identification Devices,” Master’s, Mass. Inst. Technol. (MIT), Cambridge, MA, 2003.
Web-Based Bibliography 2003–2005 [Online]. Available: http://lasecwww.epfl.ch/~gavoine/rfid/, Security and privacy in RFID sys-
C. H. Bennett, G. Brassard, C. Crépeau, and U. Maurer, “Generalized privacy amplification,” IEEE Trans. Inf. Theory, vol. 41, no. 6, pp. 1915–1923, Nov. 1995.
C. Castelluccia and G. Avoine, “Noisy tags: A pretty good key exchange protocol for RFID tags,” in Int. Conf. Smart Card Research and Advanced Applications—CARDIS (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2006.
M. Gander and U. Maurer, “On the secret-key rate of binary random variables,” in Proc. 1994 IEEE Int. Symp. Information Theory, Trondheim, Norway, Jun./Jul. 1994, p. 351.
A. Wyner, “The wire-tap channel,” Bell Syst. Tech. J., vol. 54, pp.
G. Brassard and L. Salvail, “Secret-key reconciliation by public discussion,” in Proc. EUROCRYPT ’93: Workshop on the Theory and Applications of Cryptographic Technics on Advances in Cryptology. New York: Springer-Verlag, 1994, pp. 410–423.
K. Yüksel, “Universal Hashing for Ultra-Low-Power Cryptographic Hardware Applications,” Master’s thesis, Worcester Poly. Inst., Worcester, MA, 2004.
C. Cachin and U. Maurer, “Linking information reconciliation and privacy amplification,” J. Cryptol., vol. 10, no. 2, pp. 97–110, 1997.