#### Abstract

Distance-bounding protocol is a useful primitive in resisting distance-based attacks. Currently, most of the existing distance-bounding protocols usually do not take the reuse of nonces in designing the protocols into consideration. However, there have been some literature studies showing that nonce repetition may lead to the leakage of the shared key between protocol participants. Aikaterini et al. introduced a countermeasure that could serve as a supplementary in most distance-bounding systems allowing nonce repetition. However, their proposal only holds against passive attackers. In this paper, we introduce an active attack model and show that their countermeasure is insecure under the proposed active attack model. We also discover that all existing distance-bounding protocols with mutual authentication are vulnerable to distance-based attacks if a short nonce is applied under the proposed active model. To address this security concern, we propose a new distance-bounding protocol with mutual authentication to prevent distance-based attacks under the active adversary model. A detailed security analysis is presented for the proposed distance-bounding protocol with mutual authentication.

#### 1. Introduction

With the rapid development of information technology like 5G, more and more people enjoy the convenience brought by various location-based services provided by service providers. Distance-based attacks enable dishonest users to cheat on their real locations and thus may cause serious economic losses to the merchants. Distance-bounding protocols play a significant role in resisting distance-based attacks since they enable one entity to decide an upper bound on the distance of the other entity contacting with him/her. Distance-bounding protocol is first proposed to preclude relay attack (mafia fraud attack) which is essentially one type of man-in-the-middle attacks by measuring the round-trip times of messages exchanged between the prover and the verifier. The relay attack could be further derived into two variants: one is a distance fraud attack, and the other is a terrorist fraud attack. The distance fraud and terrorist fraud attacks are mainly incurred by the unreasonable design of distance-bounding protocols. Unfortunately, distance-bounding protocol, which is the only primitive that we employ to achieve both identity and distance verification, will be still used in many different security applications in the long future.

The idea of measuring round-trip time to estimate the distance between parties was first proposed by Brands and Chaum in 1993 [1]. However, due to the randomness of response bit in the rapid-bit exchange (RBE) phase, the first distance-bounding protocol achieves neither distance fraud nor terrorist fraud resistance. Furthermore, there have been many controversies about the usage of computing-expensive operations to be an exact public-key-based signature in their design. Since the most likely applications—RFID—tags are often equipped with limited computing capability, Hancke and Kuhn proposed a new distance-bounding protocol which is more compatible with RFID applications by eliminating computing-expensive operations in the slow phase [2]. They used a pseudorandom function which takes two nonces and a secret key as inputs to generate a bit sequence regarded as a response in the RBE phase. This provides certain assurance for reducing the success probability of a dishonest prover in launching distance fraud attacks. However, their construction can resist distance fraud attacks. What is more, it has been known that prestrategy attacks will help a mafia fraud attacker obtain an extra advantage in cheating the verification distance. There are a few works trying to improve Hancke and Kuhn’s distance-bounding protocols so as to reduce the success probability of potential adversaries in launching relay attacks at the RBE phase, such as [3–5]. While some variants of Hancke and Kuhn’s protocol try to combat terrorist fraud attack by using a secret key as a seed for generating the response set at the slow phase based on an assumption that the (dishonest prover) adversary cannot send all the computed information to another adversary [6–8], however, the improved protocols still suffer from a new attack named key-learning attack where an adversary can recover the secret key bit by bit when repeating nonces. There are also some recent works focusing on protecting the prover’s privacy from dishonest verifiers [9–11]. A recent work by Aikaterini et al. [12] makes a formal analysis about the relationship between the security of the secret key and the length of nonces used. Avoine et al. proposed another method to resist the terrorist fraud attack in which secret sharing technique [13] is employed. Capkun et al. gave rise to the first distance-bounding protocol for mutual authentication [14]; nevertheless, their protocol is based on the assumption that the prover has to be equipped with considerable computing capability. This does not scale well as RFID tag usually has limited storage and computation resource. To tackle this problem, Yum et al. proposed a new system based on Hancke and Kuhn’s construction by only using a direction bit to control a user (who is involved in the protocol) to act as either a verifier or prover probabilistically [15]. Subsequently, Avonie et al. pointed out that distance-bounding protocol for mutual authentication [15] had been overestimated and presented a generic solution for converting all previous distance-bounding protocols for unilateral authentication to mutual authentication [16].

##### 1.1. Our Contributions

Aikaterini et al. proposed a novel research result that the security of certain distance-bounding protocols [9, 12, 17, 18] depends on the length of nonces [12]. The authors also came up with a countermeasure to reduce the success probability of an adversary in launching an impersonation attack when the repetition of nonce occurs. However, we find that their protocol is only built on the passive attacker model. Analyzing their system in the active attacker model, we find that it performs no better than the Swiss-Knife protocol under our new active attack. What is more, besides those protocols [17–20] mentioned in [12], other protocols using the secret key [6–8, 21] as a seed to generate response information could be insecure under our attack when short nonces are used. Besides, the repetition of nonce could result in other distance-based attacks to previous distance-bounding protocols. Therefore, the security analysis should be different from the previous analysis which does not allow repetition of nonces. For instance, when short nonces are used, the distance-bounding protocols proposed in [15, 16] are suffering from distance fraud attacks. We present an enhanced protocol that can stop an adversary from launching an active attack. Security analysis of our improved protocol is also presented on a condition where repetition short nonces are used in designing the protocol.

*Paper Organization*. The rest of the paper is organized as follows. We present Aikaterini et al.’s protocol and a practical attack against their protocol in Section 2. A novel distance-bounding protocol is presented in Section 3. A detailed security analysis regarding the protocol is presented in Section 4, and the paper is concluded in Section 5.

#### 2. Aikaterini et al.’s Protocol for Repetition of Nonces

##### 2.1. Overview of Their Protocol

Aikaterini et al.’s distance-bounding protocol: theoretically, the nonces used in designing distance-bounding protocols should never repeat. Due to practical application especially RFID tags that do use short nonces, we should consider the effects that repetition of nonces brings to the security of distance-bounding protocols. A detailed analysis of this is presented in [12]. They found that if short nonces are used, some previous protocols [17–20] are suffering from a key-learning attack where a passive adversary could learn the secret key bit by bit through the sessions where nonces are repeated. They proposed a countermeasure which can reduce the success probability of getting the secret key when short nonces are used. Their protocol is illustrated in Figure 1.

Compared with protocols in [17–20], Aikaterini et al.’s protocol introduces another random number . In the slow phase, a pseudorandom function is used which takes a couple of random numbers and a constant number as inputs to generate a -length bit sets and . A commitment on the secret key is generated through calculating . The main idea is that a passive adversary has to wait until a repetition of occurs and then he can get some useful information about the secret key, and thus, the success probability of the adversary is reduced compared with the protocols [17–20] where the adversary only needs to wait until repetitions of .

##### 2.2. Active Attack on Their Protocol

In the previous research, we all assume the verifier to be honest while the prover can be dishonest. It seems normal because it is the dishonest tags trying to cheat on their real location. After the research in [12], we can find a strong excuse to assume the verifier to be malicious, since he can find an easy way to acquire the secret key of a tag and imitate the tag ever after. The active adversary we use in this report is defined as follows.

*Definition 1. *The adversary is able to eavesdrop, modify, reroute, and insert messages during the execution of a cryptographic protocol. The adversary is able to obtain the value of any old session key. The adversary may start any number of parallel protocols. The adversary may be a legitimate protocol participant. The adversary does not have infinite computing ability.

Active attack by on their protocol:(1) acts as a malicious verifier who sends a nonce to an honest prover . He records the responses and makes the challenge bits and stores the response bits .(2) keeps sending to , until a repeat nonce is returned, and then in the RBE phase, sends as challenge bits and records the corresponding response bits as .(3) recovers the secret key of through calculating , where .

##### 2.3. Theoretical Analysis of the Active Attack

We follow the analysis in [12] by allowing the nonces be either in Swiss-Knife protocol or in protocols [17–20]. It is worth noting that, under an active attack, the security depends solely on the length of nonces used while has nothing to do with the length of the key, which confirms the research in [12]. What is more, under an active attack, the adversary can fix that means if repeats, then repeats. Let be a sequence of random numbers used in the session, respectively, where . By controlling the challenge bits sent to the prover, the active adversary can recover the secret key when the first repeat of appears. Assume the nonce space is and let be the event that the first repetition of occurs, then the expected number of sessions could be expressed in the following equation:where denotes the probability that the first repetition happens in the th session. Because there are only nonces, therefore the first repetition will appear in the trials for sure. Let be the event that there are no collisions in the previous sessions. Let be the event that the collision appears in the session for the first time. And can be calculated in the following equation:

As for where , it can be calculated as follows:

The probability of means that, in the session, the repetition of appears for the first time:

According to (1)–(4), the expected number of sessions could be expressed in the following equation:

Thus, the expected number of sessions when , can be calculated as in Table 1.

#### 3. A Novel Distance-Bounding Protocol with Mutual Authentication

The primary cause of active attacks in [12] is the lack of verifier authentication. Therefore, distance-bounding protocols for mutual authentication could be a potential solution to active attacks. However, as we can see in type II attack, mutual authentication in the slow phase cannot stop an active adversary from launching an active attack because the key information the active adversary wants to gain is in the RBE phase. This means we have to implement mutual authentication in the RBE phase. Currently, there are two distance-bounding protocols achieving mutual authentication in the RBE phase [15, 16]. However, further analysis shows that if we take repetition of nonces into consideration, both protocols proposed in [15, 16] are suffering from distance fraud attacks when short nonces are used. Since all the challenge bits and response bits are generated in the slow phase, when the nonces repeat, a dishonest prover would have known the challenge bits that would be sent, and thus, he can make an advanced reply. Therefore, we design our distance-bounding protocol with mutual authentication with both fixed and random challenge messages in the RBE phase. In order to avoid confusion, the explanations of the notations used in our protocols are presented in Table 2 and our improved protocol is presented in Figure 2.

#### 4. Security Analysis

In this section, we provide a detailed analysis for our proposed protocol against distance fraud, mafia fraud, and terrorist fraud attacks. We first define some notations that will be used in this section. Let denote the adversary success probability in the th round of the RBE phase Let and be the fixed challenge bit from the prover and response bit from the verifier while and be the adversary’s guessing challenge and response bits, respectively, in the th round of the RBE phase Let and be the random challenge bit from the verifier and response bit from the prover while and be the guessing challenge and response bits from an adversary in the th round of the RBE phase

##### 4.1. Active Attack and Passive Attack

We first evaluate the success probability of an active adversary on our improved protocol since the adversary has no knowledge of the secret key . When the adversary receives the fixed challenge bit from the prover in one single round, he has to guess about the response . As for the random challenge bit , according to our active attack model, before he meets a repetition of , he will keep sending as the random challenge. Therefore, the success probability of the active adversary in one single round is . Therefore, the success probability of the active adversary in rounds is .

##### 4.2. Distance Fraud Attack

In distance fraud attack, a dishonest prover tries to make the verifier believe that he is closer than he really is by providing advanced responses. Let us consider a single round in the RBE phase. Since a dishonest prover has all the knowledge about , he can always give a correct . However, he cannot determine the challenge bit from the verifier. When , he can give a success response while when he has to choose or as an advance response. Therefore, the success probability of the dishonest user in each round can be expressed as

Therefore, the success probability of a dishonest prover in launching a distance fraud attack is .

##### 4.3. Mafia Fraud Attack

In mafia fraud attack, both the verifier and prover are honest. An adversary tries to launch a mafia fraud attack between the verifier and prover by acting as the prover with the verifier and verifier with the prover. We say the adversary succeeds if she is successfully authenticated by either the verifier or prover. Therefore, we divide the attack into the following two situations, and the success probabilities and are calculated, respectively. The adversary first acts as the prover communicating with the verifier and then acts as the verifier using the information got from the verifier and communicates with the prover The adversary first acts as the verifier communicating with the prover and then acts as the prover using the information got from the prover and communicates with the verifier

###### 4.3.1. Case I

In this case, the adversary possesses no knowledge about . Therefore, in one single round, he has to guess the values of and , and the success probability in one single round can be expressed as follows: . Therefore, the success probability of the adversary under Case I in *n* rounds is .

###### 4.3.2. Case II

In this case, the adversary has to guess the response bit to the prover and that a verifier might ask later in one single round, and thus, the success probability in one single round can be expressed as follows: .

Therefore, the success probability of the adversary under Case II in *n* rounds is .

##### 4.4. Terrorist Fraud Attack

In terrorist fraud attack, a dishonest prover collaborates with an adversary trying to cheat on his real location. It is worth noticing that the dishonest prover should provide as much information as possible on the condition that that information will not reveal his secret key. Therefore, we first evaluate that information in our protocol that could be given to an adversary by a dishonest prover which is presented in Table 3.

Further analysis shows that the adversary can recover and then he can calculate the secret key held by the dishonest user which contradicts the definition of terrorist fraud attack. Therefore, we only need to analyze Cases II to VII, and the corresponding success probabilities are presented in Table 4.

Therefore, the success probability of the dishonest prover and adversary in launching a terrorist fraud attack is .

##### 4.5. Comparison with Existing Distance-Bounding Protocols

We compare our proposed distance-bounding protocol with some popular existing protocols and the result is presented in Table 5. It can be seen from the result that our proposed protocol is the first protocol that is secure under the active adversary model as well as achieves mutual authentication. For space limitation, we use “M” to represent mafia fraud attack, “T” to represent terrorist fraud attack, “MA” to represent mutual authentication, “NR” to represent nonce repetition, and “SA” to represent secure under active adversary model.

#### 5. Conclusions

In this paper, we propose an active attack on the distance-bounding protocol proposed in [12] where an adversary can catch the secret key much more efficiently when short nonces are used. Theoretical analysis shows their protocol performs no better than the protocols [17–20] under our active attack. We propose an enhanced version of their protocol as a countermeasure to the active attack using the knowledge of mutual authentication. However, when previous distance bounding protocols allowing short nonces [15, 16] are applied into real-world applications, since all challenge bits in these protocols are fixed, therefore it will cause a distance fraud attack. Therefore, we set both fixed and random challenge bits in the RBE phase. Detailed security analysis is also presented which takes repetition of nonces into consideration. Through the length of the RBE phase be extended to -length, our improved protocol shows a better result in resisting the key-learning attack as well as achieves mutual authentication.

#### Data Availability

The datasets used or analysed during the current study are available from the corresponding author on reasonable request.

#### Conflicts of Interest

The authors do not have any possible conflicts of interest.

#### Authors’ Contributions

Weiwei Liu is mainly responsible for the design of the protocol and the corresponding security analysis. Hua Guo is in charge of the comparison between the novel protocol and the previous ones while Yangguang Tian is responsible for the paper writing and feasibility analysis.

#### Acknowledgments

This work was partially sponsored by the project of youth talent promotion in Henan Province under grant no. 2021HYTP011.