Hash Functions and RFID Tags: Mind the Gap

The security challenges posed by RFID-tag deployments are well known. In response there is a rich literature on new cryptographic protocols, and protocol designers often assume an on-tag hash function. Yet cheap tags pose severe implementation challenges, and it is far from clear that a suitable hash function even exists. In this paper we consider the options available, including constructions based around compact block ciphers. While we describe the most compact hash functions available today, our work serves to highlight the difficulties in designing lightweight hash functions and (echoing [17]) we urge caution when routinely appealing to a hash function in an RFID-tag protocol.

[1]  Shoichi Hirose. Provably Secure Double-Block-Length Hash Functions in a Black-Box Model, 2004, ICISC.

[2]  Eli Biham, et al. A Framework for Iterative Hash Functions - HAIFA, 2007, IACR Cryptol. ePrint Arch.

[3]  Antoine Joux, et al. Multicollisions in Iterated Hash Functions. Application to Cascaded Constructions, 2004, CRYPTO.

[4]  Ronald Cramer, et al. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, 2005, EUROCRYPT.

[5]  John P. Steinberger, et al. The Collision Intractability of MDC-2 in the Ideal Cipher Model, 2007, IACR Cryptol. ePrint Arch.

[6]  Thomas Peyrin, et al. Combining Compression Functions and Block Cipher-Based Hash Functions, 2006, ASIACRYPT.

[7]  David Taniar, et al. Computational Science and Its Applications - ICCSA 2005, International Conference, Singapore, May 9-12, 2005, Proceedings, Part I, 2005, ICCSA.

[8]  Choonsik Park, et al. Information Security and Cryptology - ICISC 2004, 7th International Conference, Seoul, Korea, December 2-3, 2004, Revised Selected Papers, 2005, ICISC.

[9]  Pil Joong Lee, et al. Advances in Cryptology — ASIACRYPT 2001, 2001, Lecture Notes in Computer Science.

[10]  Vincent Rijmen, et al. The WHIRLPOOL Hashing Function, 2003.

[11]  Younghwa An, et al. RFID System for User's Privacy Protection, 2005, 2005 Asia-Pacific Conference on Communications.

[12]  Victor Shoup. Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, 2005, CRYPTO.

[14]  Kefei Chen, et al. Advances in Cryptology - ASIACRYPT 2006, 12th International Conference on the Theory and Application of Cryptology and Information Security, Shanghai, China, December 3-7, 2006, Proceedings, 2006, ASIACRYPT.

[15]  Thomas Peyrin, et al. Security Analysis of Constructions Combining FIL Random Oracles, 2007, FSE.

[16]  Rainer A. Rueppel. Advances in Cryptology — EUROCRYPT ’92, 2001, Lecture Notes in Computer Science.

[17]  David Naccache, et al. Topics in Cryptology — CT-RSA 2001, 2001, Lecture Notes in Computer Science.

[18]  Andrey Bogdanov, et al. PRESENT: An Ultra-Lightweight Block Cipher, 2007, CHES.

[19]  Gerhard Goos, et al. Fast Software Encryption, 2001, Lecture Notes in Computer Science.

[20]  John Black, et al. Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV, 2002, CRYPTO.

[21]  Bart Preneel, et al. MAME: A Compression Function with Reduced Hardware Requirements, 2007, CHES.

[22]  Douglas R. Stinson, et al. Advances in Cryptology — CRYPTO ’93, 2001, Lecture Notes in Computer Science.

[23]  S.A. Weis. RFID privacy workshop, 2004, IEEE Security & Privacy Magazine.

[24]  Jennifer Seberry, et al. Advances in Cryptology — AUSCRYPT '90, 1990, Lecture Notes in Computer Science.

[25]  Moni Naor. Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings, 2007, EUROCRYPT.

[26]  Michael Wiener, et al. Advances in Cryptology — CRYPTO ’99, 1999.

[27]  Ivan Damgård, et al. A Design Principle for Hash Functions, 1989, CRYPTO.

[28]  Philippe Oechslin, et al. A scalable and provably secure hash-based RFID protocol, 2005, Third IEEE International Conference on Pervasive Computing and Communications Workshops.

[29]  María Bárbara Álvarez Torres, et al. On the Move to Meaningful Internet Systems 2004: OTM 2004 Workshops, 2004, Lecture Notes in Computer Science.

[30]  Bruce Schneier, et al. Second Preimages on n-bit Hash Functions for Much Less than 2^n Work, 2005, IACR Cryptol. ePrint Arch.

[31]  Shoichi Hirose, et al. Some Plausible Constructions of Double-Block-Length Hash Functions, 2006, FSE.

[32]  Jongsung Kim, et al. HIGHT: A New Block Cipher Suitable for Low-Resource Device, 2006, CHES.

[33]  Wu Wen. Hash Functions Based on Block Ciphers, 2009.

[34]  Jean-Jacques Quisquater, et al. 2n-Bit Hash-Functions Using n-Bit Symmetric Block Cipher Algorithms, 1990, EUROCRYPT.

[35]  Alfred Menezes, et al. Handbook of Applied Cryptography, 2018.

[36]  Xiaoyun Wang, et al. How to Break MD5 and Other Hash Functions, 2005, EUROCRYPT.

[37]  Alfredo De Santis, et al. Advances in Cryptology — EUROCRYPT '94, 1994, Lecture Notes in Computer Science.

[38]  Donghoon Chang. A Practical Limit of Security Proof in the Ideal Cipher Model: Possibility of Using the Constant As a Trapdoor In Several Double Block Length Hash Functions, 2006, IACR Cryptol. ePrint Arch.

[39]  Marc Joye, et al. Cryptographic Hardware and Embedded Systems - CHES 2004, 2004, Lecture Notes in Computer Science.

[40]  Martin Feldhofer, et al. A Case Against Currently Used Hash Functions in RFID Protocols, 2006, OTM Workshops.

[41]  Mitsuru Matsui, et al. Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings, 2006, CHES.

[42]  Phillip Rogaway, et al. Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, 2004, ASIACRYPT.

[43]  Moti Yung, et al. Advances in Cryptology — CRYPTO 2002, 2002, Lecture Notes in Computer Science.

[44]  Christof Paar, et al. New Lightweight DES Variants, 2007, FSE.

[45]  Shoichi Hirose, et al. How to Construct Double-Block-Length Hash Functions, 2006.

[46]  Chae Hoon Lim, et al. mCrypton - A Lightweight Block Cipher for Security of Low-Cost RFID Tags and Sensors, 2005, WISA.

[47]  Lars R. Knudsen, et al. New Attacks on all Double Block Length Hash Functions of Hash Rate 1, including the Parallel-DM, 1994, EUROCRYPT.

[48]  Matthew Franklin, et al. Advances in Cryptology – CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[49]  Ralph C. Merkle, et al. One Way Hash Functions and DES, 1989, CRYPTO.

[50]  Ronald L. Rivest, et al. The MD5 Message-Digest Algorithm, 1992, RFC.

[51]  Adi Shamir. SQUASH - A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags, 2008, FSE.

[52]  Christof Paar, et al. Ultra-Lightweight Implementations for Smart Devices - Security for 1000 Gate Equivalents, 2008, CARDIS.

[53]  Jean-Jacques Quisquater, et al. Advances in Cryptology — EUROCRYPT ’89, 1991, Lecture Notes in Computer Science.

[54]  Katsuyuki Okeya. Side Channel Attacks Against HMACs Based on Block-Cipher Based Hash Functions, 2006, ACISP.

[55]  Andrew W. Appel, et al. Formal aspects of mobile code security, 1999.

[56]  Xuejia Lai, et al. Security of Iterated Hash Functions Based on Block Ciphers, 1994, CRYPTO.

[57]  Paul Müller, et al. A hash-based pseudonymization infrastructure for RFID systems, 2006, Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'06).

[58]  Ingrid Verbauwhede, et al. Cryptographic Hardware and Embedded Systems - CHES 2007, 2008.

[59]  Bruce Schneier. One-way hash functions, 1991.

[60]  T. Good, et al. Hardware results for selected stream cipher candidates, 2007.

[61]  Ari Juels, et al. Authenticating Pervasive Devices with Human Protocols, 2005, CRYPTO.

[62]  Xiaoyun Wang, et al. Finding Collisions in the Full SHA-1, 2005, CRYPTO.

[63]  Dong Hoon Lee, et al. Efficient Authentication for Low-Cost RFID Systems, 2005, ICCSA.

[64]  Sandra Dominikus, et al. Strong Authentication for RFID Systems Using the AES Algorithm, 2004, CHES.

[65]  Joos Vandewalle, et al. Collision-free hashfunctions based on blockcipher algorithms, 1989, Proceedings. International Carnahan Conference on Security Technology.

[66]  Matthew J. B. Robshaw, et al. Analysis of SHA-1 in Encryption Mode, 2001, CT-RSA.

[67]  Information Security and Privacy, 1996, Lecture Notes in Computer Science.

[68]  Koutarou Suzuki, et al. Cryptographic Approach to “Privacy-Friendly” Tags, 2003.

[69]  Jennifer Seberry, et al. LOKI - A Cryptographic Primitive for Authentication and Secrecy Applications, 1990, AUSCRYPT.

[70]  Jian Huang, et al. An approach to security and privacy of RFID system for supply chain, 2004, IEEE International Conference on E-Commerce Technology for Dynamic E-Business.

[71]  Tassos Dimitriou, et al. A Lightweight RFID Protocol to protect against Traceability and Cloning attacks, 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).