RFID Ownership Transfer with Positive Secrecy Capacity Channels

RFID ownership transfer protocols (OTPs) transfer tag ownership rights. Recently, there has been considerable interest in such protocols; however, guaranteeing privacy for symmetric-key settings without trusted third parties (TTPs) is a challenge still unresolved. In this paper, we address this issue and show that it can be solved by using channels with positive secrecy capacity. We implement these channels with noisy tags and provide practical values, thus proving that perfect secrecy is theoretically possible. We then define a communication model that captures spatiotemporal events and describe a first example of symmetric-key based OTP that: (i) is formally secure in the proposed communication model and (ii) achieves privacy with a noisy tag wiretap channel without TTPs.


Introduction
Radio frequency identification (RFID) is a widely-deployed technology for supply-chain and inventory management, retail operations and more generally automatic identification. Most of these applications need to be secured.
Ownership transfer protocols (OTPs) allow the secure transfer of tag ownership from a current owner to a new owner. Three different entities are present in an OTP: the tag T whose rights are being transferred, the current owner who has the initial control of T and the new owner who will take control of T when the protocol is completed. OTPs must incorporate security requirements that protect the privacy of both the new and the previous owner of the tag. For RFID applications privacy addresses anonymity that protects the identity of tags and untraceability that prevents interrogations (partial or completed) of a tag being linked. Formal definitions for secure ownership and ownership transfer are provided by van Deursen et al. [1], while several theoretical models have been proposed in the literature that address the privacy of RFID systems [2][3][4][5].
Several OTPs that address security issues have been proposed. However, preventing a previous owner from accessing the key(s) of a tag whose ownership was transferred is still an unsolved problem when symmetric-key techniques are used [6,7]. The current approach for privacy is to either employ a trusted third party (TTP) to break the trust link between a tag and its owner (e.g., [8,9]), or an isolated environment (ISE) (e.g., [10,11]) without any adversarial interference. The first approach is centralized and not appropriate when tags belong to different authorities/companies. In fact, the TTP can be considered as the real holder of the tag's rights, while the different owners have simply delegated ownership. The second approach assumes a weak threat model and, as claimed in [7]: if such protection is adequate, then there is no need for security. Our main contributions in this paper are to: (1) Define a communication model for ownership transfer that addresses spatiotemporal connectivity (Section 3). Many OTPs do not specify the communication setup and assume channels that are impractical for RFID settings. (2) Provide a theoretical analysis of wiretaps with noisy tags (Section 4), show how these could be implemented and prove that perfect secrecy is achievable. (3) Present an OTP that is provably secure in this communication model and that uses a wiretap channel with noisy tags to achieve privacy (Section 5). This is the first example of a symmetric-key-based OTP that does not require TTPs or an ISE. GNY logic and strand spaces [12][13][14][15] are used in Appendix A for the security analysis.

Definition and Security Requirements
Tag ownership can be defined as the ability to identify and/or access the tag, which in turn usually implies knowledge of private keys stored on the tag. Ownership transfer protocols enable the transfer of ownership rights of a tag T from the current owner Own_c, or seller, to a new owner Own_n, or buyer. At the beginning of the OTP, the seller is the only entity that can identify and trace T, while when the OTP is completed, T can only be identified and/or traced by the buyer. A TTP is usually deployed to manage this ownership transfer.
We next list some specific security requirements for OTPs: Unlinkability or untraceability. An adversary that physically tracks tags can easily determine which executions are linked. This cannot be prevented. Unlinkability is related to the capability of linking interrogations after this physical tracking is temporarily interrupted. Different formal models can be found in the literature (e.g., [2][3][4]). Intuitively, a protocol guarantees unlinkability or privacy if no adversary can decide with advantage better than negligible whether two messages taken from different protocol executions belong to the same tag or not.
Privacy of Own_n (backward secrecy): The current owner Own_c cannot identify T once ownership rights are transferred to the new owner Own_n.
Privacy of Own_c (forward secrecy): Once ownership rights of T are transferred to the new owner Own_n, past communications between T and previous owners cannot be traced by an adversary (or subsequent owners), even if the current private information stored on T is revealed (e.g., by physical attacks).
OTPs are sometimes designed [10,16,17] to provide extended capabilities such as: tag assurance, undeniable ownership transfer, current ownership proof, ownership delegation and authorized recovery.

Related Work
We only review the most relevant symmetric-key-based OTPs for RFID. Saito et al. [18] and Molnar et al. [16] presented in 2005 the first OTPs for RFID applications. Saito et al. proposed two protocols: one with and one without TTP. The security of the latter is based on the short range of the backward channel and assumes that it is hard for adversaries to eavesdrop on this channel. Molnar et al. proposed a scheme with TTP to manage tag keys by using a tree structure. Some vulnerabilities of this scheme are discussed in [19]. Soppera [24] also modified Osaka et al.'s scheme, by assuming that owners are able to change the tag's key in an ISE. Their scheme had some vulnerabilities described in [25]. Dimitriou [26] proposed RFIDdot, an ownership transfer scheme based on random nonces and a keyed encryption function, making the assumption that key updates are performed in a private environment. More recently, Song and Mitchell [27,28] also assumed an ISE, but used keyed hash functions and one-time tag identifiers with hash chains. Kapoor and Piramuthu proposed two new schemes [7] based on a TTP and ISE respectively for the transfer of single tags, while a variant of these protocols for multiple tags has also been published [29]. Finally, several schemes have recently been proposed that comply with the EPCGen2 [30] standard for low-cost tags in the UHF band. These again assume TTPs or ISE and combine simple XOR operations, Cyclic Redundancy Codes (CRC16) and/or use the on-board PRNG as the security primitive (e.g., [9,[31][32][33]). The security problems of some of these have been described recently [34].

Motivation: Comparison with Previous Works
As observed, the ownership transfer protocols proposed in the literature rely either on the use of TTPs or the assumption of an ISE. Typically, TTPs have a centralized management that may not be compatible with the distributed management of RFID systems. For example, the RFID parties (the owners) with possibly conflicting interests must trust the TTP that manages their tags. On the other hand, the assumption of ISEs where no adversary can interfere is an assumption of a weak adversary model: if such an environment were available, then no other security protection would be needed [7]. This paper proposes a key exchange protocol that addresses the new owner's privacy concerns without resorting to either TTPs or an ISE.
The discussed protocols also use communication models that are sometimes impractical for real-life scenarios. To illustrate this, let us consider the two protocols proposed in [7]: one with TTP, the other without TTP (but with an ISE), whose flows are shown in Figure 1. In the first, Figure 1a, the TTP does not use a reader to communicate with tag T , but communicates directly (Flows 1-2). This begs the question: if such a TTP were installed in the buyer's or seller's location, what trust issues would arise if the transferred goods belong to different authorities. In the second protocol, Figure 1b, T interacts first with the current owner (the seller, Flow 2) and then with the new owner (the buyer, Flows 3-6). However if something goes wrong (Flow 6 is not received correctly), then the process must be repeated from the beginning. This implies that the buyer and the seller must be available during the transaction, which restricts the possible transaction scenarios to one location (e.g., to a shop). In this paper, we define a communication model where tags can only communicate through readers. This leads to designs of protocols with, if deployed, centralized TTP infrastructures and, in contrast to the examples described above, that allow the seller and buyer to be in different physical locations.

Entity Capabilities
High-level entities include RFID readers, servers and TTPs. In general, these are able to perform complex cryptographic operations, such as asymmetric encryption/decryption and digital signatures/verification. RFID tags: In this paper, we are only concerned with UHF passive tags that operate in the far field [35], which are the most common for supply chain applications. These work at higher distances than tags with inductive coupling, but the delivered power is low; therefore, not too complex (lightweight) cryptographic tools should be used [36]. Low price is also a common requirement, and therefore, tamper-resistant shielding and on-board clocks cannot be usually assumed.

Communication Model
This is defined in terms of its channels with security features, such as privacy and integrity, and connectivity (availability).

Privacy/Integrity Channels
Between high-level entities (readers, servers or TTPs): These can be considered secure, since fully-fledged cryptographic techniques can be used.
Between readers and tags: By contrast, these are particularly vulnerable; they are wireless (the adversary can eavesdrop and block/modify/inject messages), and tags can only implement lightweight cryptographic mechanisms. Passive tags can only communicate with active entities that are physically close and provide them with energy: i.e., RFID readers.

Connectivity
Connectivity is a function of space and time. As far as we know, OTPs proposed in the literature do not discuss spatiotemporal connectivity issues, though several (e.g., [7,9,17]) assume channels that allow high-level parties, including a TTP (e.g., [7]), to communicate with a tag T in real time during the execution of the OTP: for example, to restart the protocol if it fails. This implies that T must be physically close to the corresponding high-level parties during the execution of the protocol, which in many practical scenarios may not be the case. Suppose for example that a client purchases RFID-tagged items for tracking and counterfeit prevention via the Internet. The seller dispatches the items, and when these reach the destination, the client requests the transfer of ownership rights. In this case, ownership transfer takes place in a different location from the seller's location, and a different connectivity model is needed, where the seller cannot communicate with the tags at this stage (likewise, buyers cannot communicate with tags at the beginning of the transaction). We also need a spatiotemporal TTP network infrastructure in which TTPs may have to communicate in real time (as in [7]). Figure 2 illustrates the differences between the traditional and the extended communication model. Let R1, R2, TTP be the readers of Own_c, Own_n and the TTP, respectively, T a tag, a, b OTP parties, and let ∃(a, b, t) and its secure-channel variant denote "there exists a channel at time t between a, b" and "there exists a secure channel at time t between a, b", respectively. When t is not indicated, continuous connectivity is assumed. The connectivity requirements of the OTP model are formally defined by relations of this form; in particular, a TTP, if deployed, can only communicate with tags T via the readers R1, R2.

A Wiretap Channel with Positive Secrecy Capacity
To guarantee the privacy of a new owner Own_n of a tag T and prevent the previous owner Own_c from accessing T, Own_n and T must agree on a fresh key in the presence of Own_c: that is, with Own_c a potential eavesdropper. Note that Own_c has full knowledge of the private keys of T. We shall show that by using Wyner's wiretap channel [37] with noisy tags, we can achieve positive secrecy.
The fundamental superposition property of the wireless medium can be pitted against eavesdropping by using interference at the physical layer to degrade communication. Degrading is implemented via reader-controlled interferers called noisy tags. Noisy tags were first used by Juels et al. [38] to protect consumers from unwanted RFID scanning. Later, Castellucia and Avoine [39] used noisy tags for sharing secret keys, which however only addresses passive adversaries since authentication is not ensured. We shall assume that noisy tags do not present any special features, so any tag can become a noisy tag. If more sophisticated noisy tags are available, then implementations with better performance can obviously be achieved. We use the following notation: X, Y, N are random variables taking values x, y, n in the alphabets X, Y, N, respectively. Figure 3 depicts our model of a wiretap channel with input alphabets X, N_1, ..., N_{n_T}, output alphabet Y and transition probabilities p(y | x, n_1, ..., n_{n_T}). Tag T transmits the message S (coded as X) to the new owner Own_n (the intended receiver) with the help of n_T noisy tags, in the presence of the current owner Own_c, who acts as a passive eavesdropper. The wiretap channel can be seen as a stochastic encoder of X with output alphabet Y. The variable Y is input to the maximum a posteriori probability (MAP) estimators of Own_n and Own_c, but while Own_c only knows the value of Y, Own_n also knows the values of the inputs N_1, ..., N_{n_T}. Thus, if we assume the wireless medium is noiseless, then the estimate Ŝ = ŝ of Own_n is correct, while the estimate of Own_c is degraded by the stochastic encoder. This degradation can be quantified by the conditional entropy H(X|Y).
The capacity of the eavesdropper's channel (Own_c's) is defined as C_eav = H(X) − H(X|Y). The secrecy capacity for the wiretap model is C_s = C_main − C_eav, where C_main is the capacity of the main channel (Own_n's). In the noiseless case, we have C_main = H(X), and therefore, the secrecy capacity coincides with the conditional entropy of the eavesdropper, C_s = H(X|Y), and the analysis of secrecy reduces to the eavesdropper's channel. In general, the more degraded the wiretap channel, the higher the secrecy capacity. We assume for this analysis that the adversary cannot identify the source of each message via signal characteristics (fingerprints, power level, phase shifts, etc.). This implies that tags should be close and implement the same modulation alphabet; i.e., N_j = X, 1 ≤ j ≤ n_T. Possible implementation imperfections, such as delays, signal levels, frequency deviations, etc., should not reveal their origin; i.e., they should be insignificant or have sufficient randomness. Note that this assumption is implicit in the RFID literature in protocols that address privacy issues: traceability cannot be prevented if tags are physically identified. In this particular case, to prevent an adversary from identifying the target tag, we should guarantee that the tag is close enough to the noisy tags and that it does not present distinguishable imperfections; i.e., they are insignificant or significant but changing in every execution. In practice, fortunately, although it is true that no two tags have identical signals, the differences are typically insignificant, making it hard to disambiguate them. As a consequence of the superposition property of the wireless channel, from a theoretical point of view, any modulation can be used (with initial calibration if required), but in practice, some modulations have better features than others. Figure 4 shows a simplified example that uses PPM (pulse position modulation).
A bit is encoded by transmitting a pulse in one of two possible time slots. Synchronization between tags is helped by the fact that they share the same reference (reader's) signal. Perfect synchronization is not necessary: tags may have different delays provided there is no pattern that can be exploited to identify a tag. If noise and implementation imperfections are not considered, the security of the system relies exclusively on the stochastic encoder. For r-ary input alphabets X = {x_0, x_1, ..., x_{r−1}}, the cardinality of Y (combinations with repetition of r elements taken n_T + 1 at a time) and the transition probabilities p(y_{m_0 m_1 ... m_{r−1}} | x_j) can be computed combinatorially, where y_{m_0 m_1 ... m_{r−1}} is the output symbol resulting from the combination of m_0 symbols x_0, m_1 symbols x_1, and so on, up to m_{r−1} symbols x_{r−1}. In the binary case, Y = {y_i}, i = 0, ..., n_T + 1, where y_i is the combination of i symbols x_0 and (n_T + 1 − i) symbols x_1, and the transition probabilities p(y_i | x_j) follow in the same way. Own_c's detector receives y_i and applies MAP decoding, with g the mapping function g : X → S. The error probability, defined as p_e = Pr[ŝ ≠ s], is a sum over the output symbols in which the last summand is zero when n_T is even. Figure 5 plots the secrecy capacity C_s of the wiretap channel, the error probability and Fano's bound against the number of noisy tags. Secrecy increases sharply until n_T ≈ 5; as n_T → ∞, the equivocation of the eavesdropper approaches the unconditional source entropy, and we get perfect secrecy: lim_{n_T→∞} H(X|Y^{(n_T)}) = H(X) = 1. For n_T = 3, the secrecy capacity C_s = H(X|Y) = 0.78 offers a good compromise between features and ease of implementation. The capacity of Own_c's channel is just C_eav = 0.22 bits.
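The quantities plotted in Figure 5 can be recomputed by enumerating the noisy tags' symbols; the following Python is an added example, not code from the paper, and assumes a uniform source symbol and n_T noisy tags that each emit an independent, uniformly random symbol from the same r-ary alphabet (the binary PPM case is r = 2). It goes slightly beyond the text by handling any alphabet size r.

```python
from itertools import product
from math import log2


def wiretap_channel(n_t: int, r: int = 2) -> dict:
    """Transition probabilities of the noisy-tag wiretap channel.

    Tag T sends one symbol x_j; each of the n_t noisy tags sends an independent,
    uniformly random symbol from the same alphabet {x_0, ..., x_{r-1}} (assumption).
    The eavesdropper Own_c only sees the superposition, i.e. the multiset of the
    n_t + 1 symbols, represented as the count tuple (m_0, ..., m_{r-1}).
    Returns {y: [p(y | x_0), ..., p(y | x_{r-1})]}.
    """
    if n_t < 0 or r < 2:
        raise ValueError("need n_t >= 0 and r >= 2")
    weight = 1.0 / r ** n_t                      # probability of one noisy-tag pattern
    trans: dict = {}
    for j in range(r):                           # symbol sent by the target tag
        for noise in product(range(r), repeat=n_t):
            counts = [0] * r
            counts[j] += 1
            for sym in noise:
                counts[sym] += 1
            row = trans.setdefault(tuple(counts), [0.0] * r)
            row[j] += weight
    return trans


def binary_entropy(p: float) -> float:
    """h(p) in bits, with the convention 0 log 0 = 0."""
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)


def eavesdropper_metrics(n_t: int, r: int = 2) -> dict:
    """C_s = H(X|Y) (noiseless main channel), C_eav = H(X) - H(X|Y), the MAP error
    probability p_e of Own_c and Fano's bound h(p_e) + p_e log2(r - 1)."""
    trans = wiretap_channel(n_t, r)
    h_x_given_y = 0.0
    p_err = 0.0
    for likelihoods in trans.values():
        p_y = sum(likelihoods) / r                           # p(y) = sum_j p(x_j) p(y|x_j)
        posteriors = [lk / (r * p_y) for lk in likelihoods]  # p(x_j | y), Bayes' rule
        h_x_given_y += p_y * sum(-q * log2(q) for q in posteriors if q > 0)
        # MAP keeps the largest posterior; on a tie (odd n_t, middle symbol) the
        # other input of equal weight still counts as an error.
        p_err += p_y * (1 - max(posteriors))
    h_x = log2(r)
    return {
        "C_s": h_x_given_y,
        "C_eav": h_x - h_x_given_y,
        "p_e": p_err,
        "fano": binary_entropy(p_err) + p_err * log2(r - 1),
    }


if __name__ == "__main__":
    print(" n_T    C_s   C_eav    p_e   Fano")
    for n in range(0, 8):
        m = eavesdropper_metrics(n)
        print(f"{n:4d} {m['C_s']:6.3f} {m['C_eav']:7.3f} {m['p_e']:6.3f} {m['fano']:6.3f}")
```

For n_T = 3 the table reproduces the values quoted above (C_s ≈ 0.78, C_eav ≈ 0.22), and C_s keeps climbing towards H(X) = 1 as n_T grows.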

An Ownership Transfer Protocol
We next present an example of an OTP that: (i) works according to the communication model defined in Section 3.2 and (ii) uses a channel with positive secrecy capacity, implemented with noisy tags, to guarantee the privacy of the new owner.
The protocol addresses practical design features, such as (secure) singulation of tags and the interrogator-talks-first requirement (communication must be initiated by the reader), and guarantees that the information stored on the tag coincides with that provided to the new owner (tag assurance [17]). Note also that it complies with the restrictions in Section 3.1 regarding entities' capabilities. That is, while RFID readers can implement fully-fledged cryptographic tools, RFID tags are restricted to a pseudorandom number generator (PRNG) and a cryptographic (one-way, collision-resistant) hash function F : {0, 1}* → {0, 1}^n. The number of inputs is, however, designed to be intentionally low so that it can be more easily adapted to other possible primitives. We assume that identifiers, random numbers and keys all have the same (bit) length n, which is the security parameter of the protocol. We introduce our notation.

ID : identifying information of T.
Info_ID : hash of the manufacturer information.
R1, R2 : readers of Own_c and Own_n, respectively.
IDR1, IDR2 : identifiers for R1 and R2, respectively.
s_1 : key that T shares with R1.
s_2 : key that T shares with R2.
s̃_2 : key that T eventually shares with R2.
N_T, N'_T : random numbers generated by T.
N_R1 : random number generated by R1.
N_R2, N'_R2 : random numbers generated by R2.
T*_t : the t-th noisy tag, with 1 ≤ t ≤ n_T.
s*_t : the key that T*_t shares with R2.
5.1. The Ownership Transfer Protocol, Figure 6

Initialization
1. Initially, each owner knows for each tag ID its information and private key s_1. Likewise, each tag stores, along with its identifier ID and Info_ID, the identifier of its owner IDR1 and the private key. R1, R2 agree to transfer ownership of tag T with identifier ID. R1 sends (secure channel) R2 manufacturer information about the tag (Info_ID when hashed):
R1 ⇒ R2 : manufacturer information about T
6. If this message is not received correctly by R1 after a period of time, the protocol is repeated from Step 2 (T will replace the stored values IDR2, s'). Otherwise, R1 computes s' = F(N_T, N_R1, s_1) and confirms (secure channel) to R2 that T is ready to be transferred:
R1 ⇒ R2 : ID is ready, s'

Ownership Transfer
7. If R2 receives R1's confirmation, then it is ready to take ownership of T. R2 computes s_2 = F(s', Info_ID) and regularly broadcasts Query messages:
R2 → tags : Query
8. When T receives a Query, it selects a random nonce N_T and sends:
T → R2 : F(N_T, s_2), N_T
9. If T is singulated, then R2 selects a fresh random number N_R2 and sends:
R2 → T : F(s_2, N_T), N_R2
10. T checks this message for s_2, and if not correct, for s_1 (and waits for new commands). It does not reply if this is not correct. If R2 is authenticated, T updates the stored values (IDR1, s_1) to (IDR2, s_2). These values determine tag ownership. T acknowledges this by sending:
T → R2 : F(N_R2, s_2)
11. If the received message is not correct, the protocol is repeated from Step 7. Otherwise, R2 executes the key update protocol in Section 5.2 to prevent R1 from accessing T.
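Steps 7 to 11 between T and a reader, simulated in Python as an added example (not the paper's code), with SHA-256 over length-prefixed inputs standing in for F and n = 256 bits. The run also shows why Step 11 hands over to the key update protocol: R1 learned s' and Info_ID during initialization, so it can derive s_2 and still authenticate to T after the transfer.

```python
import hashlib
import os

N = 32  # security parameter n in bytes (assumption: n = 256 bits)


def F(*parts: bytes) -> bytes:
    """F : {0,1}* -> {0,1}^n, instantiated with SHA-256 (assumption: the paper
    fixes no concrete hash).  Inputs are length-prefixed so F(a, b) and
    F(a', b') cannot collide by moving the boundary between the arguments."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class Tag:
    """T after the initialization phase: it still stores (IDR1, s_1) but has
    already derived s_2 = F(s', Info_ID)."""

    def __init__(self, s1: bytes, s2: bytes):
        self.owner_id, self.s1, self.s2 = "IDR1", s1, s2
        self.n_t = None

    def on_query(self):                             # Step 8
        self.n_t = os.urandom(N)
        return F(self.n_t, self.s2), self.n_t

    def on_auth(self, msg):                         # Step 10
        mac, n_r2 = msg
        if mac == F(self.s2, self.n_t):             # reader authenticated under s_2
            self.owner_id, self.s1 = "IDR2", self.s2  # ownership changes here
            return F(n_r2, self.s2)
        if mac == F(self.s1, self.n_t):             # valid under s_1: current owner
            pass                                    # keep state, wait for new commands
        return None                                 # no reply in either remaining case


class Reader:
    """A reader holding a candidate key for T (R2 after Step 7, or R1 re-deriving it)."""

    def __init__(self, s2: bytes):
        self.s2, self.n_t, self.n_r2 = s2, None, None

    def on_reply(self, reply):                      # Step 9: singulate T, then challenge
        mac, n_t = reply
        if mac != F(n_t, self.s2):
            return None                             # reply does not belong to our tag
        self.n_t, self.n_r2 = n_t, os.urandom(N)
        return F(self.s2, n_t), self.n_r2

    def verify_ack(self, ack) -> bool:              # Step 11
        return ack is not None and ack == F(self.n_r2, self.s2)


def run_transfer(tag: Tag, reader: Reader) -> bool:
    """One pass of Steps 7-11; True iff the tag accepted the reader's key."""
    challenge = reader.on_reply(tag.on_query())
    if challenge is None:
        return False
    return reader.verify_ack(tag.on_auth(challenge))


def demo():
    """Constructed sample run.  Returns (tag owner id, R2 succeeded,
    R1 succeeded with the re-derived s_2, a reader with a random key succeeded)."""
    s1 = os.urandom(N)                               # key T shares with R1
    info_id = F(b"constructed manufacturer information")
    n_t, n_r1 = os.urandom(N), os.urandom(N)
    s_prime = F(n_t, n_r1, s1)                       # Step 6, computed by R1, sent to R2
    s2 = F(s_prime, info_id)                         # Step 7, computed by R2 (and by T)
    tag = Tag(s1, s2)
    r2_ok = run_transfer(tag, Reader(s2))
    # R1 also knows s' and Info_ID, hence s_2: the OT subprotocol alone does not
    # lock R1 out, which is what the key update protocol of Section 5.2 is for.
    r1_ok = run_transfer(tag, Reader(F(s_prime, info_id)))
    stranger_ok = run_transfer(tag, Reader(os.urandom(N)))
    return tag.owner_id, r2_ok, r1_ok, stranger_ok


if __name__ == "__main__":
    print(demo())
```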

Analysis
In the Appendix A, we shall use GNY logic [12], which extends the Burrows-Abadi-Needham (BAN) logic (overcoming some of its problems [13,14]), to show the consistency of the assumptions with respect to the source message, as well as the beliefs of the sender and receiver of messages. Principals can only advance their beliefs and increase their possessions based on the physical content of the messages they receive. We use strand spaces [15] to show correctness by excluding vulnerabilities based on the structure of the protocol. Strand spaces use free encryption algebra to detect faults that exploit relations in this algebra. Below, we discuss the most important security properties informally.
1. Untraceable singulation: Replies to Queries (Step 2, Step 7) have the same format and include a nonce selected by the tag. This prevents tag tracing, since messages look random to anyone who does not know the secret key.
2. The privacy of Own_c is guaranteed because the key s_1 remains unknown to the new owner Own_n. Indeed, if Own_n can compute s_1 given the values s', N_T and N_R1, then Own_n can also find the F-preimage of s', which contradicts the assumption that F is one-way.
3. Forward secrecy: Suppose the adversary succeeds in getting the new key s_2 of a tag. The privacy of the prior communications is guaranteed, as in the previous case, because to get s_1 from s_2, one has to invert F.
4. The privacy of Own_n is achieved by using the key update protocol in Section 5.2.
5. Tag assurance: Info_ID is the hash of manufacturer information about the tag. The collision resistance of hash functions prevents the adversary from finding another message (pre-image) with the same hash Info_ID to forge the information given by the manufacturer. The use of Info_ID to compute s_2 guarantees that the information provided by Own_c to Own_n matches the information stored by T. Note, however, that cloned tags and corruptible memories are beyond this security feature (cf. [17]).

A Key Update Protocol, Figure 7
The parties are: the reader R2, tag T and n_T noisy tags T*_t, 1 ≤ t ≤ n_T. R2 shares with T a private key s_2 and with each T*_t a private key s*_t. In this protocol, T updates privately the key s_2 with a fresh key s̃_2.
R2 → T, {T*_t}_{t=1}^{n_T} : F(S, s_2)
4. T computes s̃_2 = F(N_R2, S, s_2) and checks that the message from R2 is correct. If so, T updates its private key s_2 to s̃_2.
T → R2 : F(N_R2, s̃_2)
5. R2 checks the received message. If correct, the key update protocol (KUP) is completed, and R2 informs R1. Otherwise, R2 sends a new Query and checks if T has updated its key. If not, the KUP is repeated.
R2 ⇒ R1 : Ownership is transferred.

Analysis
Attacks by external adversaries on the KUP can target privacy (traceability) or availability (de-synchronization). These are prevented by the wiretap channel with positive secrecy and a cryptographic hash function that authenticates messages. More specifically: Traceability: T remains untraceable because the exchanged messages look random to anyone who does not know s_2.
De-synchronization: The adversary cannot compute F(N_R2, s̃_2) or F(S, s_2), which the parties require to update their keys, without knowing s_2.
The protection extends to threats from past and future owners of T. For example, even if R1 knows s_1 and can get s_2, R1 does not know the keys s*_t of the noisy tags and, therefore, cannot filter out the S*_t to get S and compute s̃_2. In particular, R1 knows C_eav · n/C_s = (1 − C_s) · n/C_s bits of S, but the remaining n bits remain unknown. Thus, once the KUP is completed, R1 has no control over the tag T and cannot trace it.

Conclusions
Cryptographic protection is usually handled at the application layer and cannot exploit signal features at the physical layer, which restricts its scope. We have shown in this paper that backward privacy of an OTP can be guaranteed with the use of channels with positive secrecy capacity. The implementation of such channels with noisy tags has been analyzed, and the value n_T = 3, for which the capacity of the eavesdropper's channel is only C_eav = 0.22 bits, provides a good compromise between performance and ease of implementation. We also defined a communication model for RFID ownership transfer that captures spatiotemporal requirements. Protocols defined in this model can be applied to a wider range of practical scenarios. Finally, we have presented the first example of a symmetric-key OTP that does not require a TTP or ISE and formally proved that it is correct and secure in this model.

Author Contributions: All authors contributed equally to this work.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Protocol Analysis
Because of space limitations, we only show here the consistency and correctness of the ownership transfer (OT) subprotocol in Section 5.1 (Flow 7-Flow 10). The analysis for the first part is similar.
In Figure A1, we present the notation we shall use: P, Q, . . . are protocol parties (principals); X, Y, . . . are formulae; and s is a key. The conjunction (X, Y) is also a formula.
Initial assumptions: At the beginning of each run of the OT subprotocol, we assume that parties T and R2: (i) believe (trust) each other: T |≡ R2 |≡ T; (ii) believe that the secret s_2 to be shared between them is suitable: T |≡ (T ↔^{s_2} R2). In addition, each party possesses the secret key s_2 and a fresh nonce: T ∋ s_2, T ∋ N_T, T |≡ #(N_T), R2 ∋ s_2 and R2 ∋ N_R2, R2 |≡ #(N_R2). Finally, T believes that (s_2, N_T) is recognizable, and R2 believes that (N_T, s_2) and (N_R2, s_2) are recognizable: T |≡ φ(s_2, N_T), R2 |≡ φ(N_T, s_2) and R2 |≡ φ(N_R2, s_2).

Figure A1. GNY reasoning notation.
P ∋ X : P possesses X
P ◁ X : P is told (or receives) X
P |≡ X : P believes X
Q |⇒ C : Q has jurisdiction over C
#(X) : X is fresh
#(X, Y) : either X or Y is fresh
φ(X) : X is recognizable
P |∼ X : P once conveyed X
*X : X is a "not originated here" formula
P ↔^s Q : s is a suitable secret for P, Q

The goal of the OT subprotocol is for R2 and T to exchange the key s_2. The GNY logic parses the description of protocols for formal reasoning. A formalized description of the OT subprotocol is presented in Figure A2. In this, Flows 8, 9 and 10 include message extensions (⋯ X) that are assumptions. To prove consistency, we must show that on completion of the subprotocol, a set of formulae can be deduced. Four of these are initial assumptions. Therefore, we only need to show Formulas (A1) and (A2). For this purpose, we use the deduction rules of GNY logic. A deduction rule consists of a set of premises P_1, ..., P_n and a conclusion C, written P_1, ..., P_n ⊢ C. In Figure A3, we list the rules that we shall use to deduce formulae: f(X) and h(X) are computationally feasible functions of X, with h(X) a one-way function.

Figure A3. GNY logic postulates.
T1 : P ◁ *X ⊢ P ◁ X
P1 : P ◁ X ⊢ P ∋ X
P3 : … ⊢ P |≡ f(X)
I6 : P |≡ Q |∼ X, P |≡ #(X) ⊢ P |≡ Q ∋ X
I3 : P ◁ *h(X, s), P ∋ (X, s), P |≡ P ↔^s Q, P |≡ #(X, s) ⊢ P |≡ Q |∼ (X, s), P |≡ Q |∼ h(X, s)
To show that Formulas (A1) and (A2) can be deduced from protocol assumptions and transmitted messages, we analyze below the parsed OT subprotocol in Figure A2.
7. No belief or possession can be derived from this message.
8. Apply the being-told rule T1 and the possession rule P1 to R2 ◁ *N_T to get R2 ∋ N_T. Apply the recognizability rule R5 to the initial assumption R2 |≡ φ(N_T, s_2) to get that R2 recognizes T. No postulate enables us to further derive new beliefs or possessions from this message. In particular, we cannot derive the freshness of the message.
9. Apply rules T1 and P1 to T ◁ *N_R2 to get T ∋ N_R2. Apply the freshness rule F1 to the initial assumptions T |≡ #(N_T), φ(s_2, N_T) to get T |≡ #(s_2, N_T). Apply the interpretation rule I3 to: the previous result, T ◁ *F(s_2, N_T) and the initial assumptions T ∋ (s_2, N_T) and T |≡ (T ↔^{s_2} R2).

Strand spaces: We next show the correctness of the OT subprotocol using strand spaces [12,15]. To simplify the analysis, we remove Flow 7, which does not provide any cryptographic information. A strand space Σ is a collection of strands and a graph generated by a causality relation. A strand s is a sequence of events that represent either a protocol execution by a legitimate party (principal) or a sequence of actions by a penetrator. We refer to the messages that can be exchanged between the principals as terms of the strand. In a protocol, principals can either send or receive terms, and this is represented with a positive or a negative sign, respectively. We write a ⊑ b if a is a subterm of b. The trace tr(s) of a strand is the sequence of its signed terms. A node of Σ is a pair n = ⟨s, i⟩, with s ∈ Σ, 1 ≤ i ≤ length(tr(s)). The set of nodes is denoted by N. We say that node n = ⟨s, i⟩ belongs to strand s. term(n) is the i-th signed term tr(s)_i of s.
We write n_1 ≺ n_2 to indicate that n_1 precedes n_2 in a strand (not necessarily immediately). An unsigned term t occurs in n iff t ⊑ term(n); n is an entry point for a set of terms I ⊂ T iff (if and only if) term(n) = +t for some t ∈ I, and whenever n' ≺ n, then term(n') ∉ I. An unsigned term t originates on n iff n is an entry point for I = {t' : t ⊑ t'}. t is uniquely originating iff t originates at a unique n ∈ N. A bundle is a portion of a strand space that consists of strands of a protocol session that are hooked together, where one strand sends a message and the other receives the same message. For a protocol to be correct, each such bundle must contain one strand for each one of the legitimate principals participating in a session, with all parties agreeing on nonces and session keys. The penetrator (adversary) has a set of keys K_P (shared with accomplices or "lost") and a set of penetrator traces P that model her/his capabilities. Penetration traces typically require hooking several atomic traces. In Figure A4, we list the atomic penetrator traces we shall consider [12]. A protocol attack is captured by combining penetrator traces with protocol strands. Definition A1. (Σ, P) is an infiltrated strand space if Σ is a strand space and P ⊂ Σ is such that tr(p) is a penetrator trace for all p ∈ P.
Definition A2. An infiltrated strand space (Σ, P) is an OTP space if Σ has three kinds of strands: (1) penetrator strands s ∈ P; (2) initiator strands s ∈ Init[T, R2, N_T, N_R2], defined by: T is the principal associated with this strand; (3) responder strands s ∈ Resp[T, R2, N_T, N_R2], defined by: R2 is the principal associated with this strand.
Proof. We prove this using four lemmas. Let n_0 be the node ⟨s, 2⟩ (the second node of the reader) that outputs the term v_0 = (F(s_2, N_T), N_R2) and n_3 the node ⟨s, 3⟩ that receives the term v_3 = F(N_R2, s_2). Two additional nodes n_1, n_2 such that n_0 ≺ n_1 ≺ n_2 ≺ n_3 will be identified.
Proof. We know that N_R2 ⊑ v_0, and the sign of n_0 is positive. We just need to show that N_R2 ⋢ term(⟨s, 1⟩). Since term(⟨s, 1⟩) = (F(N_T, s_2), N_T), we only need to check that N_T ≠ N_R2, which is a hypothesis, and that s_2 ≠ N_R2, which follows from the stipulation N_R2 ∉ K.
The next lemma establishes that the crucial step is taken by a regular strand and not a penetrator strand. Lemma A2. The set S = {n ∈ C : v_3 ⊑ term(n) ∧ v_0 ⋢ term(n)} has a ≺-minimal node n_2, which is regular and has a positive sign.
Proof. S is non-empty because n_3 ∈ C, and n_3 contains v_3 but not v_0. Since S is a partially-ordered set (because C is), it has at least one ≺-minimal node n_2, and its sign must be positive. Therefore, we just need to check that n_2 does not lie on a penetrator strand p. For this purpose, we shall examine all of the atomic penetrator traces tr(p) listed in Figure A4.
M. tr(p) = ⟨+t⟩: Then, N_R2 ⊑ t and N_R2 originates on t, which is not possible because N_R2 originates on the regular node n_0 (Lemma A1).
By the minimality of n_2, v_0 ⊑ gh. Hence, g = F(N_T, s_2) and h = N_R2. However, then v_3 ⋢ h and n_2 ∉ S, contradicting the initial assumption.
Therefore, n_2 does not lie on a penetrator strand.
Proof. From Lemma A1, we know that N_R2 originates at n_0, and by assumption, it is unique in Σ. Furthermore, n_2 ≠ n_0, since v_0 ⊑ term(n_0) and v_0 ⋢ term(n_2). Therefore, N_R2 does not originate at n_2, and there is a node n_1 preceding n_2 on the same strand, such that N_R2 ⊑ term(n_1). By the minimal property of n_2, v_0 ⊑ term(n_1). However, as no regular node contains a combination as a proper subterm, term(n_1) = (F(s_2, N_T), N_R2).
Lemma A4. The regular strand t containing n_1 and n_2 is an initiator strand contained in C.
Proof. n_1 precedes n_2 in the same strand. Node n_2 is a positive regular node and comes after a node with the form (F(s_2, N_T), N_R2). Hence, t is an initiator strand, since a responder strand would only contain a negative node after one of that form. Thus, n_1 and n_2 are the second and the third nodes of t, respectively.
Lemmas A3 and A4 complete the proof of Proposition A1.
Proposition A2. If (Σ, P) is an OTP space and N_T is uniquely originating in Σ, then there is at most one strand t ∈ Init[T, R2, N_T, N_R2] for any T, R2 and N_R2.
Proof. Let t ∈ Init[T, R2, N_T, N_R2] for T, R2 and N_R2. Then, ⟨t, 1⟩ is positive, N_T ⊑ term(⟨t, 1⟩), and N_T cannot possibly occur earlier on t. Therefore, N_T originates at node ⟨t, 1⟩. Since N_T originates uniquely in Σ, there can be at most one such t.
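To make the subterm, entry-point and origination definitions above concrete, the following checker is an added example and not code from the paper. It encodes the initiator (tag) and responder (reader) traces as reconstructed from the node terms quoted in Lemma A1 and Lemma A4 (an assumption, since Definition A2 elides them), uses constructed placeholder names for the key and nonces, and verifies the origination facts used by Lemma A1 and Proposition A2, then shows that adding a penetrator M-strand emitting N_R2 destroys unique origination.

```python
# Added example (not the paper's code): a minimal strand-space origination checker.
# Terms are nested tuples: a pair is (a, b) and F(a, b) is ('F', a, b).

def subterm(t, u):
    """t ⊑ u: t equals u or occurs somewhere inside the tuple u."""
    return t == u or (isinstance(u, tuple) and any(subterm(t, v) for v in u))

def originates(t, strand, i):
    """t originates at node <strand, i> (1-indexed): the node is positive, contains t,
    and no earlier node on the same strand contains t (entry point for {t' : t ⊑ t'})."""
    sign, term = strand[i - 1]
    if sign != '+' or not subterm(t, term):
        return False
    return not any(subterm(t, earlier) for _, earlier in strand[:i - 1])

def origin_nodes(t, space):
    """All nodes <name, i> of the strand space at which t originates."""
    return [(name, i) for name, s in space.items()
            for i in range(1, len(s) + 1) if originates(t, s, i)]

def uniquely_originating(t, space):
    """t is uniquely originating iff it originates at exactly one node."""
    return len(origin_nodes(t, space)) == 1

# Constructed symbols: s2 is the key shared by tag and reader, N_T and N_R2 the nonces.
s2, N_T, N_R2 = 's2', 'N_T', 'N_R2'
# Initiator (tag T) and responder (reader R2) traces, assumed from Lemmas A1 and A4.
init = [('+', (('F', N_T, s2), N_T)),    # <t,1>: tag sends its nonce
        ('-', (('F', s2, N_T), N_R2)),   # <t,2>: receives the reader's reply
        ('+', ('F', N_R2, s2))]          # <t,3>: confirms the reader's nonce
resp = [('-', (('F', N_T, s2), N_T)),    # <s,1>
        ('+', (('F', s2, N_T), N_R2)),   # <s,2>: n_0, where N_R2 originates
        ('-', ('F', N_R2, s2))]          # <s,3>: n_3
honest = {'t': init, 's': resp}
# Penetrator M-strand <+t> from Figure A4 with t = N_R2: a second origin for N_R2.
infiltrated = dict(honest, p=[('+', N_R2)])

def check():
    """Origination facts of Lemma A1 and Proposition A2, honest space then infiltrated."""
    return (origin_nodes(N_R2, honest), origin_nodes(N_T, honest),
            uniquely_originating(N_R2, honest), uniquely_originating(N_R2, infiltrated))

if __name__ == '__main__':
    print(check())  # ([('s', 2)], [('t', 1)], True, False)
```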
(B) AGREEMENT: the initiator's guarantee: Proposition A3. Suppose that: (Σ, P) is an OTP space, C is a bundle of Σ, s ∈ Init[T, R2, N_T, N_R2], s_2 ∉ K_P and N_T is uniquely originating in Σ. Then, there exists a responder strand t ∈ Resp[T, R2, N_T, N_R2].
Proof. Consider the set {m ∈ C : F(s_2, N_T) ⊑ term(m)}. This is not empty, because it contains ⟨s, 2⟩, and so, it contains a minimal node m_0. If m_0 lies on a regular strand t, then we can show that t ∈ Resp[T, R2, N_T, N_R2]. If instead, m_0 lies on a penetrator strand p, then p should be an E-strand with trace ⟨−s_2, −N_T, +F(s_2, N_T)⟩, but this contradicts the assumption s_2 ∉ K_P.