Abstract: Distance-bounding protocols are security protocols with a time measurement phase used to detect relay attacks, whose security is typically measured against mafia-fraud and distance-fraud attacks. A prominent subclass of distance-bounding protocols, known as lookup-based protocols, uses simple lookup operations to diminish the impact of the computation time in the distance calculation. Independent results have found theoretical lower bounds $\frac{1}{2^n}\left(\frac{n}{2}+1\right)$ and $\frac{1}{2^n}$, where $n$ is the number of time measurement rounds, on the security of lookup-based protocols against mafia and distance-fraud attacks, respectively. However, it is still an open question whether there exists a protocol achieving both security bounds. This article closes this question in two ways. First, we prove that the two lower bounds are mutually exclusive, meaning that there does not exist a lookup-based protocol that provides optimal protection against both types of attacks. Second, we provide a lookup-based protocol that approximates those bounds by a small constant factor. Our experiments show that, restricted to a memory size that linearly grows with $n$, our protocol offers strictly better security than previous lookup-based protocols against both types of fraud.