Security and Privacy of PUF-Based RFID Systems

*Ferucio Laurenţiu Ţiplea, Cristian Andriesei and Cristian Hristea*

#### **Abstract**

The last decade has shown an increasing interest in the use of the physically unclonable function (PUF) technology in the design of radio frequency identification (RFID) systems. PUFs can bring extra security and privacy at the physical level that cannot be obtained by symmetric or asymmetric cryptography at the moment. However, many PUF-based RFID schemes proposed in recent years do not even achieve the lowest privacy level in reputable security and privacy models, such as Vaudenay's model. In contrast, the lowest privacy in this model can be achieved through standard RFID schemes that use only symmetric cryptography. The purpose of this chapter is to analyze this aspect. Thus, we emphasize the need to use formal models in the study of the security and privacy of (PUF-based) RFID schemes. We broadly discuss the tag corruption oracle and highlight some aspects that can lead to schemes without security or privacy. We also insist on the need to formally treat the cryptographic properties of PUFs to obtain security and privacy proofs. In the end, we point out a significant benefit of using PUF technology in RFID, namely getting schemes that offer destructive privacy in Vaudenay's model.

**Keywords:** Radio Frequency Identification (RFID), Physically Unclonable Function (PUF), security, privacy

#### **1. Introduction**

Although the roots of the *Radio Frequency Identification* (RFID) technology can be traced back to World War II, the ancestor of modern RFID technology was introduced by Cardullo and Parks in 1973 [1] when the two proposed a passive radio transponder with memory. In recent years, RFID technology has become increasingly popular and its applicability has expanded to more and more diverse and complex domains and systems. It is worth mentioning here process automation, tracking and identification, toll collection, public transportation, national IDs and passports, medical healthcare systems, pharmaceutical systems, and so on.

From a scientific point of view, RFID has become a well-defined research field, counting more than fifteen thousand scientific papers and books indexed by IEEE, Springer, and Elsevier, and more than twenty-two thousand patents or patent applications indexed by the three main regional patent databases (USA, Europe, and Japan) [2]. All of these highlight a rich palette of research directions in RFID technology, such as: system implementation, design principles, chipless implementations, IoT integration, security, and so on.

An interesting aspect is that most of the RFID references cover technical aspects, applications, and protocol design, very few addressing security and privacy issues. The conclusion is that very few research papers dealing with RFID implementation or application start with security and privacy in mind. Obviously, there are RFID applications for which security and privacy are not so vital, such as human activity recognition (e.g., smart gym), environmental corrosive monitoring, soil monitoring, and so on. However, for other fields like people identification or healthcare systems [3, 4], security and privacy are crucial issues.

Attempts to improve the authentication process in RFID systems or make them resistant to physical attacks (tag corruption, for example) have led to the need to insert unclonable or tamper-evident physical objects into tags. Unclonability offers unique fingerprints to tags, while the tamper-evidence property would protect against corruption. Thus, physically unclonable functions (PUFs) [5–7] have found themselves a suitable application in RFID technology, and researchers have already proposed a large spectrum of PUF-based RFID systems. However, the inclusion of PUFs in RFID systems (especially on tags) raises two key questions:

1. Are PUFs more efficient in implementation than ordinary cryptographic primitives?

2. Do PUFs provide security and privacy that standard cryptographic primitives cannot provide?

As with respect to the first question, it is worth noting that an RFID implementation with strong security properties comes with increased cost for the final RFID product. This is the reason why some authors take into account the concept of *cost-effective protocol* [8]. As discussed in [9], the installation costs of current RFID solutions, not necessarily with improved hardware security, are not cheap at all, many different costs being involved when installing an RFID system (including maintenance and training).

As with respect to the second question, PUFs certainly offer security features that standard cryptographic primitives cannot provide. But if these security features are not used in a corresponding way, the result may be worse than if PUFs are not included. The lack of understanding of such issues has led many authors to propose PUF-based RFID schemes that are insecure or not at all private [10, 11] when analyzed in reputable models such as Vaudenay's security and privacy model [12, 13].

In this chapter, we want to highlight:

• The need to use PUFs in the construction of secure and private RFID schemes;

• The erroneous use of PUFs that does nothing but lead to insecure schemes and a lack of privacy;

• The need to formalize the properties of PUFs to achieve provable security.

The whole discussion is conducted on Vaudenay's security and privacy model. This model is currently considered one of the best RFID security and privacy models, offering a classification of the privacy of RFID schemes into eight classes. It is known that the strong privacy class cannot be obtained in this model, while the destructive privacy class can be obtained by using the PUF technology. This gives us an excellent example that justifies the opportunity to use PUFs in RFID technology.

#### **2. RFID schemes and systems**

An RFID system [14, 15] consists of a *reader*, a set of *tags*, and a *communication protocol* between reader and tags. The reader is a transceiver<sup>1</sup> that is connected through a secure channel with a back-end server, which is a powerful device that maintains a database with tag information. The reader's task is to identify *legitimate tags* (that is, tags with information stored in its database) and to reject all other incoming communication. The reader and its database are trusted entities, and the communication between them is secure. Many RFID protocols proposed so far do not make any separation between the reader and the back-end server. For this reason, the back-end server functions are considered to be taken over by the reader and, as a result, the reader is considered a powerful device, not computationally restricted, that can perform any cryptographic operation.

Opposite the reader, tags are small transponder<sup>2</sup> devices that are considered to be resource constrained. Depending on their class, they can perform only logical operations, symmetric encryption, or even public key cryptography. In practical scenarios, tags are attached to various items or carried by persons in order to facilitate some services when they are identified by readers.

The memory of a tag is typically split into *permanent* (or *internal*) and *temporary* (or *volatile*). The permanent memory stores the state values of the tag, while the temporary memory can be viewed as a set of *temporary variables* used to carry out the calculations required by the communication protocol. There are two types of temporary variables:

1. *local temporary variables*, used by tags only to do computations in a given protocol step;

2. *global temporary variables*. These get values in a given protocol step to be used in another protocol step.

From a formal point of view, an RFID scheme is defined as follows. Let *R* be a *reader identifier* and *T* be a set of *tag identifiers* whose cardinal is polynomial in some *security parameter*<sup>3</sup> *λ*. An *RFID scheme over R, T* [12, 13] is a triple *S* = (*SetupR*, *SetupT*, *Ident*) of *probabilistic polynomial time* (PPT) *algorithms*<sup>4</sup>, where:

1. *SetupR*(*λ*) inputs a security parameter *λ* and outputs a triple (*pk*, *sk*, *DB*) consisting of a key pair (*pk*, *sk*) and an empty database *DB*. *pk* is public, while *sk* is kept secret by the reader;

2. *SetupT*(*pk*, *ID*) initializes the tag identified by *ID*. It outputs an initial tag state *S* and a tag-specific secret *K*. The pair (*ID*, *K*) is stored in the reader's database *DB*;

3. *Ident*(*pk*; *R*(*sk*, *DB*); *ID*(*S*)) is an interactive protocol between the reader identified by *R* (with its private key *sk* and database *DB*) and a tag identified by *ID* (with its state *S*) in which the reader ends with an output consisting of *ID* or a special symbol ⊥. The tag may end with no output (*unilateral authentication*), or it may end with an output consisting of *OK* or ⊥ (*mutual authentication*).

<sup>1</sup> Contraction from transmitter and receiver.

<sup>2</sup> Contraction from transmitter and responder.

<sup>3</sup> A security parameter usually specifies a minimum security value, such as the minimum length of an encryption key.

<sup>4</sup> A probabilistic (or randomized) algorithm is an algorithm that uses uniformly random bits as an auxiliary input to guide its behavior, in the hope of achieving good performance in the "average case" over all possible choices of random bits. A polynomial time algorithm is an algorithm that runs in polynomial time with respect to the size of its input.

By calling *SetupR*(*λ*) one should understand that a reader identified by *R* is created, initialized, and some public parameters of the system are also established. We simply refer to the reader so created as *R*. By calling *SetupT*(*pk*, *ID*), a tag identified by *ID* is created, initialized, and registered with the reader by storing some information about it in *DB*. We denote this tag by *T*<sub>*ID*</sub>. The meaning of the reader's output *ID* (⊥) is that it authenticates (rejects) the tag. Similarly, the tag outputs *OK* (⊥) when it authenticates (rejects) the reader.

The *correctness* of an RFID scheme means that regardless of how the system is set up, after each complete execution of the interactive protocol between the reader and a legitimate tag, the reader outputs the tag's identity with overwhelming probability. For mutual authentication, correctness asks for one more requirement, namely that the tag outputs *OK* with overwhelming probability.

An *RFID system* is an instantiation of an RFID scheme. This is done by a trusted *operator* ℐ who runs the RFID scheme over a reader identifier *R* and a set *T* of tag identifiers. In a given setting, the reader is initialized exactly once, while each tag at most once. Thus, the reader's database does not store multiple entries for the same tag. However, different settings with the same RFID scheme may initialize the reader and the tags in different ways.

We close the section with an example of a fundamental RFID scheme, namely the PRF-based RFID scheme proposed in [13]. To describe the scheme, let us assume that *λ* is a security parameter, ℓ<sub>1</sub>(*λ*) and ℓ<sub>2</sub>(*λ*) are two polynomials, and *F* = (*F*<sub>*K*</sub>)<sub>*K* ∈ 𝒦</sub> is a *pseudo-random function*<sup>5</sup> (PRF), where *F*<sub>*K*</sub> : {0, 1}<sup>2ℓ<sub>1</sub>(*λ*)</sup> → {0, 1}<sup>ℓ<sub>2</sub>(*λ*)</sup> for all *K* ∈ 𝒦.

Each tag is equipped with a random key *K* and has the capacity to compute *F*<sub>*K*</sub>. The reader maintains a database *DB* with entries for all legitimate tags. Each entry is a vector (*ID*, *K*), where *ID* is the tag's identity and *K* is its random key.

The protocol is given in **Figure 1** (the symbol used there denotes the random selection of an element from a set). As we can see, the reader initially sends a random *x* ∈ {0, 1}<sup>ℓ<sub>1</sub>(*λ*)</sup> to the tag. On receiving it, the tag generates a random *y* ∈ {0, 1}<sup>ℓ<sub>1</sub>(*λ*)</sup>, computes *z* = *F*<sub>*K*</sub>(*x*, *y*), and answers with (*y*, *z*). The reader checks its database for a pair (*ID*, *K*) such that *z* = *F*<sub>*K*</sub>(*x*, *y*). If such a pair is found, it outputs *ID* (that is, authenticates the tag); otherwise, it outputs ⊥.

**Figure 1.** *PRF-based RFID scheme.*

<sup>5</sup> A pseudo-random function is a collection *F* = (*F*<sub>*K*</sub>)<sub>*K* ∈ 𝒦</sub> of efficiently-computable functions with the property that no efficient algorithm can distinguish (with significant probability) between a function chosen randomly from this family and a random function (a function whose outputs are fixed at random).

#### **3. Security and privacy models for RFID**

The design of an RFID scheme must start from consistent motivations for its usefulness and the desired security and privacy level, in a particular model of security and privacy, for the scheme to be proposed. The second desideratum requires that proofs of security and privacy accompany the proposed scheme. Ideally, the scheme designer should know in advance the security and privacy models for RFID schemes and thus offer his scheme in such a model. However, practice shows that, although various fairly good security and privacy models have been proposed over time, many authors propose RFID schemes for which they study security and privacy in an ad hoc way without referring to the existing models. It is not surprising then that many of these schemes, analyzed in reputable models, do not reach the lowest level of security or privacy [11].

In this section, we aim to discuss one of the most critical security and privacy models for RFID, namely Vaudenay's model. We argue that this model falls into the class of gray-box models, and then make a consistent analysis of the corruption oracle in this model. The emphasis on this oracle is more than necessary, both for ordinary tags and for tags endowed with physically unclonable functions.

The discussion in this section can also be rephrased for other models that offer the corruption ability to the adversary, such as the model based on indistinguishability proposed in [16]. However, the choice of Vaudenay's model for the discussion in this chapter is a matter of the authors' scientific taste and their belief that it is one of the fundamental models for studying security and privacy properties of RFID schemes.

#### **3.1 Security and privacy models**

A *security* or *privacy model* for a cryptographic construction consists of an *attack model* and a *security* or *privacy goal*, respectively. The attack model specifies the adversary's power, while the security or privacy goal specifies the property we want the cryptographic construction to achieve. Nowadays, researchers differentiate between three attack models [17]:

1. The *black-box model*: this is the traditional model where the adversary can only observe the response of the cryptographic construction when it is queried by inputs of the adversary's choice (the adversary may know the algorithms used in the cryptographic construction);

2. The *gray-box model*: this includes the black-box model and, supplementary, the adversary may use side-channel information such as power consumption, electro-magnetic radiation, or timing information;

3. The *white-box model*: this has been introduced in particular for software implementation of the cryptographic constructions. In this model, the adversary is assumed to have full control over the implementation and its execution environment.
For instance, the security model IND-CCA means that the security goal is *indistinguishability* (*semantic security*) and the attack model is the *chosen ciphertext attack* [18]. The power of the adversary in this model is specified by giving him access to *encryption* and *decryption oracles* that assist the adversary in collecting a polynomial size set of (plaintext, ciphertext) pairs.

The black-box model does not depend on the software or hardware implementation, platform, and so on. In contrast, the gray-box attack model exploits the algorithm/protocol implementation. For instance, the side-channel analysis that can be used in this model may take into account fluctuations in timing delays, power consumption, or emitted signals and radiation [19]. The result of such an analysis varies depending on the implementation, the platform on which it is implemented, and the measuring devices. Side-channel analysis is local, not global.

#### **3.2 Vaudenay's RFID security and privacy model**

One of the most influential security and privacy models for RFID is *Vaudenay's model* [12, 13]. In this model, the adversary is a PPT algorithm that is allowed to interact with the RFID scheme. This means that the adversary may create tags and play with them as if it were the reader (but without having direct access to the reader's database). The adversary may also play with the reader as if it were any of the tags created by it. Depending on the adversary, it may or may not have access to the tags' internal memory. From a formal point of view, the adversary interacts with the RFID scheme by means of a set of oracles. Before describing these oracles, we mention that each tag in Vaudenay's model is either *free* (i.e., outside the interaction area of the adversary) or *drawn* (i.e., in the interaction area of the adversary). When a tag is created, it is free. The adversary may draw a free tag at any time and, in the end, free it.

Now, the oracles in Vaudenay's model are the following:

As one can see, *DrawTag* provides the adversary with access to some free tags by means of temporary identifiers, and gives information on whether the tags are legitimate or not (but no other information);

3. *Free*(*vtag*): By this oracle, the adversary may free the drawn tag *vtag*. The identifier *vtag* will no longer be used. We assume that when a tag is freed, its temporary state is erased. This is a natural assumption that corresponds to the fact that the tag is no longer powered by the reader;

4. *Launch*(): When the adversary queries this oracle, it means that it wants to launch a new protocol instance. Therefore, the oracle returns to it a unique identifier to be used with this protocol instance;

5. *SendReader*(*m*, *π*): By this oracle, the adversary gets the reader's answer when the message *m* is sent to it as part of the protocol instance *π*. When *m* is the empty message, abusively but suggestively denoted by ∅, this oracle outputs the first message of the protocol instance *π*, assuming that the reader does the first step in the protocol. We emphasize that the reader's answer is conceived as the message sent to the tag by the communication channel and not as the reader's decision output (tag identity or ⊥). Therefore, if the reader does not send anything to the tag, the output of this oracle is empty;

6. *SendTag*(*m*, *vtag*): This oracle outputs the tag's answer when the message *m* is sent to the tag referred to by *vtag*. When *m* is the empty message, this oracle outputs the first message of the protocol instance *π*, assuming that the tag does the first step in the protocol. As in the case of the *SendReader* oracle, we emphasize that the tag's answer is conceived as the message sent to the reader by the communication channel and not as the tag's decision output (*OK* or ⊥). Therefore, if the tag does not send anything to the reader, the output of this oracle is empty;

7. *Result*(*π*): By this oracle, the adversary is allowed to know the reader's decision with respect to the authentication of the tag in session *π*. More precisely, the oracle outputs ⊥ if in session *π* the reader has not yet made a decision on tag authentication (this also includes the case when the session *π* does not exist), 1 if in session *π* the reader authenticated the tag, and 0 otherwise (this oracle is both for unilateral and mutual authentication);

8. *Corrupt*(*vtag*): This oracle outputs the current permanent (internal) state of the tag referred to by *vtag*, when the tag is not involved in any computation of any protocol step (that is, the permanent state before or after a protocol step).

It is customary to assume that the RFID tags can be corrupted to reveal not only their permanent memory but also the global temporary variables [20]. When the *Corrupt* oracle is considered in such a way, we will refer to Vaudenay's model as being *Vaudenay's model with temporary state disclosure*. We emphasize that "corruption with temporary state disclosure" means corruption of the permanent state and of the global temporary variables, but not of the local temporary variables (more details are provided in Section 3.4).

Now, the adversaries are classified into the following classes, according to the access they get to these oracles:

• *Weak adversaries*: they do not have access to the *Corrupt* oracle;

• *Forward adversaries*: if they access the *Corrupt* oracle, then they can only access the *Corrupt* oracle;

• *Destructive adversaries*: after the adversary has queried *Corrupt*(*vtag*) and obtained the corresponding information, the tag identified by *vtag* is destroyed and the temporary identifier *vtag* will no longer be available. The database *DB* will still keep the record associated to this tag (the reader does not know the tag was destroyed). As a consequence, a new tag with the same identifier cannot be

ð Þ *ID* : When the adversary queries this oracle by *ID* for some

bit *b*, the oracle calls the algorithm *SetupT pk* ð Þ ,*ID* to generate a pair ð Þ *K*, *S* and create a tag *T ID* with the identifier *ID* and initial state *S*. If *b* ¼ 1, ð Þ *ID*,*K* is added to *DB* and the tag is considered *legitimate*;

otherwise (*b* ¼ 0), the tag is considered *illegitimate*. The tag thus created is

2.*DrawTag*ð Þ*δ* : By this oracle, the adversary is allowed to interact with free tags according to some probability distribution *δ* (on these tags). Therefore, this oracle chooses a number of free tags according to *δ*, let us say *n*, generates *n* temporary identities *vtag*1, … , *vtagn*, and outputs *vtag*1, *b*1, … , *vtagn*, *bn*

where *bi* specifies whether the tag *vtagi* is legitimate or not. All these tags are

As one can see, *DrawTag* provides the adversary with access to some free tags by

means of temporary identifiers, and gives information on whether the tags are

3.*Free vtag* ð Þ: By this oracle, the adversary may free the drawn tag *vtag*. The identifier *vtag* will no longer be used. We assume that when a tag is freed, its temporary state is erased. This is a natural assumption that corresponds to the

,

The black-box model does not depend on the software or hardware

size set of (plaintext,ciphertext) pairs.

*Cryptography - Recent Advances and Future Developments*

**3.2 Vaudenay's RFID security and privacy model**

Now, the oracles in Vaudenay's model are the following:

not global.

in the end, to free it.

1.*CreateTag<sup>b</sup>*

**90**

considered *free*;

considered now *drawn*.

legitimate or not (but no other information);

fact that the tag is no longer powered by reader;


It is customary to assume that the RFID tags can be corrupted to reveal not only their permanent memory but also the global temporary variables [20]. When the *Corrupt* oracle is considered in such a way, we will refer to Vaudenay's model as being *Vaudenay's model with temporary state disclosure*. We emphasize that "corruption with temporary state disclosure" means corruption of the permanent state and of the global temporary variables, but not of the local temporary variables (more details are provided in Section 3.4).

Now, the adversaries are classified into the following classes, according to the access they get to these oracles:


created (in this approach, the database cannot store multiple records for the same tag identifier);

where *A*<sup>0</sup> stands for *A* and *A*<sup>1</sup> stands for *A<sup>B</sup>*.

*blinded privacy game* (the bit *b* is 1 in *RFIDprv*

*Security and Privacy of PUF-Based RFID Systems DOI: http://dx.doi.org/10.5772/intechopen.94018*

*A* to *B* means that *A*-privacy implies *B*-privacy.

**3.3 Vaudenay's model is a gray-box model**

**Figure 2.**

**93**

internal components of the algorithm implementation.

to distinguish between the *real privacy game* (the bit *b* is 0 in *RFIDprv*

An RFID scheme achieves privacy for a class *V* of adversaries if for any adversary *A* ∈*V* there exists a blinder *B* such that *A* has a negligible advantage over 1*=*2

We thus obtain eight concepts of privacy: *strong privacy*, *narrow strong privacy*,

Let us take one last look at Vaudenay's model to fit it into one of the three classes presented at the beginning of Section 3. The attack model associated with it falls in the class of gray-box models. Indeed, all the oracles except *Result* and *Corrupt* are specific to the black-box model because they do not output anything about the

The *Result* oracle facilitates non-invasive side-channel analysis. Obviously, there may be situations in which the adversary can see the final result of the reader (the reader signals non-authentication of the tag, a gate opens, etc.). But, just as well, there are situations in which the adversary cannot see the final result of the reader without use of a specialized oracle. The analysis of Vaudenay's model clearly shows that the *Result* oracle makes a big difference between protocols that ensure privacy against an adversary that has the possibility to use this oracle and protocols that ensure privacy

The *Corrupt* oracle provides the adversary with information about the internal memory of the tag. Although data stored in the internal memory of the tag (such as symmetric keys, public keys) does not depend on implementation or platform, it is internal information of the tag. The need for this oracle results from the fact that tags are devices with poor physical protection. For low-cost tags, corruption could be accomplished and thus the information stored in the permanent tag memory can be retrieved. Temporary (volatile) memory loses its data when the power is interrupted. However, the memory remanence effect may allow to recover some data. As a result, we can say that it is natural to consider the possibility of obtaining the information from the tag memory by various techniques called generically "corruption". Once this information is obtained, the analysis is a theoretical one, abstracting the implementation.

*Privacy and mutual authentication of RFID schemes in Vaudenay's model without temporary state disclosure*

*(PKC stands for public-key cryptography and RO for random oracle).*

against an adversary that does not have the possibility to use this oracle.

*destructive privacy*, and so on. The diagram in **Figure 2** shows the relationship between the eight privacy concepts in Vaudenay's model in the context of unilateral authentication. In this diagram, "N-x" is a shortcut for "narrow x". An arrow from

*<sup>A</sup>*,*S*,*B*ð Þ*λ* ).

*<sup>A</sup>*,*S*,*B*ð Þ*λ* ) from the

• *Strong adversaries*: there are no restrictions on the use of oracles.

If we further forbid the adversary to access the *Result* oracle, we obtain four new classes: *narrow weak*, *narrow forward*, *narrow destructive*, and *narrow strong*.

Now we are ready to introduce the *tag* and *reader authentication* properties as proposed in [12, 13], simply called the *security* of RFID schemes.

An RFID scheme has the property of *tag authentication* if no strong adversary has more than a negligible advantage in causing the reader to authenticate an uncorrupted legitimate tag in a protocol instance where the reader had no conversation with that tag that could lead to its authentication.

An RFID scheme has the property of *reader authentication* if no strong adversary has more than a negligible advantage in causing an uncorrupted legitimate tag to authenticate the reader in a protocol instance where the tag had no conversation with the reader that could lead to its authentication.

*Privacy* in Vaudenay's model generalizes anonymity (which means that the tag ID cannot be inferred) and untraceability (which means that the equality of two tags cannot be inferred). Thus, privacy requires that no adversary can infer nontrivial tag ID relations from the protocol messages. The information provided by a protocol is trivial when the adversary may learn it without making effective use of the protocol messages. To formalize this, Vaudenay's model introduces the concept of a *blinder* that simulates the protocol for the adversary without knowing any secret information of the tags or the reader. If this simulation does not change the adversary's output compared to the case when the adversary plays with the real protocol, then the protocol achieves privacy.

A *blinder for an adversary A* that belongs to some class *V* of adversaries is a PPT algorithm *B* that:

1. simulates the *Launch*, *SendReader*, *SendTag*, and *Result* oracles for *A*, without having access to the corresponding secrets;

2. passively looks at the communication between *A* and the other oracles allowed to it by the class *V* (that is, *B* gets exactly the same information as *A* when querying these oracles).

When the adversary *A* interacts with the RFID scheme by means of a blinder *B*, we say that *A* is *blinded by B* and denote this by *A*<sup>*B*</sup>. We emphasize that *A*<sup>*B*</sup> is allowed to query the oracles *Launch*, *SendReader*, *SendTag*, and *Result* only by means of *B*; all the other oracles are queried in the standard way.

Given an adversary *A*, an RFID scheme *S*, and a blinder *B*, define the following experiment (privacy game) that a challenger sets up for *A*:

Privacy experiment *RFIDprv*<sup>*A*</sup><sub>*S*,*B*</sub>(*λ*)

1: *b* ← {0, 1}; 2: Set up the reader; 3: *A*<sup>*b*</sup> gets the public key *pk*; 4: *A*<sup>*b*</sup> queries the oracles; 5: *A*<sup>*b*</sup> gets the secret table of the *DrawTag* oracle; 6: *A*<sup>*b*</sup> outputs a bit *b*′; 7: Return 1 if *b* = *b*′ and 0, otherwise,

where *A*<sup>0</sup> stands for *A* and *A*<sup>1</sup> stands for *A*<sup>*B*</sup>.
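To make the mechanics of the oracles, the blinder and the privacy experiment concrete, here is a toy simulation in Python. It is an added illustration, not code from the chapter or from Vaudenay's papers: the two constructed schemes (a tag that answers with its identifier in clear, and a tag that answers with a fresh nonce and an HMAC over the message), the restriction of *DrawTag* to one named free tag, the omission of *Launch*, *SendReader* and *Result*, and the blinder's strategy of answering *SendTag* with random bytes are all assumptions made for the illustration. The experiment is played with both values of *b* against a weak adversary that draws the same tag twice and compares the replies; the adversary's advantage over 1/2 is 1/2 against the first scheme and 0 against the second, which shows what a blinder has to achieve for this adversary, not that the second scheme is private. The `corrupt` method models corruption with temporary state disclosure (the nonce kept in the tag's global temporary variable is returned, and erased on *Free*).

```python
import hashlib
import hmac
import os


class Tag:
    """Toy tag: permanent state (identifier, key) plus one global temporary variable."""

    def __init__(self, ident, key, legitimate):
        self.ident, self.key, self.legitimate = ident, key, legitimate
        self.temp = b""  # global temporary variable: last nonce produced by the tag


class PlainIDScheme:
    """Constructed weak scheme: the tag answers every message with its identifier in clear."""
    reply_len = 4  # replies are the 4-byte constructed identifiers used below

    def tag_reply(self, tag, msg):
        return tag.ident


class HmacScheme:
    """Constructed randomized scheme: the tag answers nonce || HMAC_K(msg || nonce)."""
    reply_len = 8 + 32  # 8-byte nonce followed by an HMAC-SHA256 value

    def tag_reply(self, tag, msg):
        nonce = os.urandom(8)
        tag.temp = nonce  # the nonce lives in the tag's global temporary state
        return nonce + hmac.new(tag.key, msg + nonce, hashlib.sha256).digest()


class Challenger:
    """Runs CreateTag, DrawTag, Free, SendTag and Corrupt for a scheme (assumed simplification:
    DrawTag draws one named free tag; Launch, SendReader and Result are not needed here)."""

    def __init__(self, scheme):
        self.scheme, self.tags, self.db = scheme, {}, {}
        self.free, self.drawn, self.counter = set(), {}, 0

    def create_tag(self, ident, b):
        key = os.urandom(16)  # stands in for SetupT(pk, ID) -> (K, S)
        self.tags[ident] = Tag(ident, key, b == 1)
        if b == 1:
            self.db[ident] = key  # only legitimate tags are registered in DB
        self.free.add(ident)  # a freshly created tag is free

    def draw_tag(self, ident):
        self.free.remove(ident)
        self.counter += 1
        vtag = "vtag%d" % self.counter  # fresh temporary identity
        self.drawn[vtag] = ident
        return vtag, self.tags[ident].legitimate  # (vtag, b) as DrawTag outputs

    def free_tag(self, vtag):
        ident = self.drawn.pop(vtag)
        self.tags[ident].temp = b""  # temporary state is erased when the tag is freed
        self.free.add(ident)

    def send_tag(self, vtag, msg):
        return self.scheme.tag_reply(self.tags[self.drawn[vtag]], msg)

    def corrupt(self, vtag):
        """Corruption with temporary state disclosure: permanent state plus global temporaries."""
        tag = self.tags[self.drawn[vtag]]
        return {"key": tag.key, "temp": tag.temp}


class Blinder:
    """Simulates SendTag for the adversary without any secret: random bytes of the right length."""

    def __init__(self, reply_len):
        self.reply_len = reply_len

    def send_tag(self, vtag, msg):
        return os.urandom(self.reply_len)


def adversary(send_tag, chal):
    """Weak adversary (never calls Corrupt): draws the same tag twice and compares the replies.
    Outputs 0 (guess: real game) if they coincide and 1 (guess: blinded game) otherwise."""
    chal.create_tag(b"ID-0", 1)  # constructed identifier
    vtag, _ = chal.draw_tag(b"ID-0")
    first = send_tag(vtag, b"hello")
    chal.free_tag(vtag)
    vtag, _ = chal.draw_tag(b"ID-0")
    second = send_tag(vtag, b"hello")
    chal.free_tag(vtag)
    return 0 if first == second else 1


def privacy_experiment(scheme, b):
    """RFIDprv with the bit b fixed: 1 if the adversary's guess b' equals b, else 0."""
    chal = Challenger(scheme)
    send = chal.send_tag if b == 0 else Blinder(scheme.reply_len).send_tag
    return 1 if adversary(send, chal) == b else 0


def advantage(scheme, trials=50):
    """Adversary's advantage over 1/2, averaged over both values of b."""
    wins = sum(privacy_experiment(scheme, b) for b in (0, 1) for _ in range(trials))
    return wins / (2 * trials) - 0.5
```

Against `PlainIDScheme` the two real replies are always equal and the two blinded replies practically never are, so the adversary guesses *b* correctly in both games; against `HmacScheme` both games produce differing replies, the adversary always guesses 1, and it is right only when *b* = 1.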

An RFID scheme achieves privacy for a class *V* of adversaries if for any adversary *A* ∈ *V* there exists a blinder *B* such that *A* has a negligible advantage over 1/2 in distinguishing between the *real privacy game* (the bit *b* is 0 in *RFIDprv*<sup>*A*</sup><sub>*S*,*B*</sub>(*λ*)) and the *blinded privacy game* (the bit *b* is 1 in *RFIDprv*<sup>*A*</sup><sub>*S*,*B*</sub>(*λ*)).

We thus obtain eight concepts of privacy: *strong privacy*, *narrow strong privacy*, *destructive privacy*, and so on. The diagram in **Figure 2** shows the relationship between the eight privacy concepts in Vaudenay's model in the context of unilateral authentication. In this diagram, "N-x" is shorthand for "narrow x". An arrow from *A* to *B* means that *A*-privacy implies *B*-privacy.

#### **3.3 Vaudenay's model is a gray-box model**

Let us take one last look at Vaudenay's model to fit it into one of the three classes presented at the beginning of Section 3. The attack model associated with it falls in the class of gray-box models. Indeed, all the oracles except *Result* and *Corrupt* are specific to the black-box model because they do not output anything about the internal components of the algorithm implementation.

The *Result* oracle facilitates non-invasive side-channel analysis. Obviously, there may be situations in which the adversary can see the final result of the reader (the reader signals non-authentication of the tag, a gate opens, etc.). But, just as well, there are situations in which the adversary cannot see the final result of the reader without the use of a specialized oracle. The analysis of Vaudenay's model clearly shows that the *Result* oracle makes a big difference between protocols that ensure privacy against an adversary that has the possibility to use this oracle and protocols that ensure privacy against an adversary that does not have the possibility to use this oracle.

The *Corrupt* oracle provides the adversary with information about the internal memory of the tag. Although data stored in the internal memory of the tag (such as symmetric keys, public keys) does not depend on implementation or platform, it is internal information of the tag. The need for this oracle results from the fact that tags are devices with poor physical protection. For low-cost tags, corruption can be accomplished, and thus the information stored in the permanent tag memory can be retrieved. Temporary (volatile) memory loses its data when the power is interrupted. However, the memory remanence effect may allow some data to be recovered. As a result, we can say that it is natural to consider the possibility of obtaining the information from the tag memory by various techniques called generically "corruption". Once this information is obtained, the analysis is a theoretical one, abstracting the implementation.

**Figure 2.** *Privacy and mutual authentication of RFID schemes in Vaudenay's model without temporary state disclosure (PKC stands for public-key cryptography and RO for random oracle).*

As a conclusion:

1. Vaudenay's attack model falls in the category of gray-box models. It provides the adversary with general information, including a limited amount of side-channel information that does not depend on the implementation or implementation platform;


2. Side-channel analysis that is not covered by Vaudenay's model comes as an additional analysis. It depends on the implementation of the protocol, the implementation platform, the measuring devices, etc.

#### **3.4 Corruption with temporary state disclosure**

When Vaudenay's model was proposed [13], it was somewhat unclear whether the *Corrupt* oracle returns the full (i.e., permanent and temporary) tag state or only the permanent one. This also remained unclear in Paise and Vaudenay's paper of the following year [12] on mutual authentication. While the distinction between full and permanent state did not have a negative impact on the results already obtained in the case of unilateral authentication, it highlighted several wrong results in the case of mutual authentication [21]. Thus, one of the results in [21], namely Theorem 1, says that there is no RFID scheme that achieves both reader authentication and narrow forward privacy in Vaudenay's model with temporary state disclosure. The argument is as follows. Given a blinder *B*, one may construct an adversary *A*<sup>*B*</sup><sub>*sec*</sub> against reader authentication so that, if the scheme is narrow forward private, then *A*<sup>*B*</sup><sub>*sec*</sub> has a non-negligible advantage in authenticating itself as a valid reader. Looking inside the proof, we remark that it is crucial that the *Corrupt* oracle returns the full state of a tag, in order to allow an adversary to perform the test by which the tag authenticates the reader. By this test, the adversary distinguishes with non-negligible probability between the real privacy game and the blinded one.

#### **4. Physically unclonable functions**

Purely cryptographic and mathematical techniques can provide security in a black-box or partially gray-box model. As we argued in the previous section, Vaudenay's model is a gray-box model. Within this model, no RFID scheme is known, built only on symmetric or asymmetric cryptographic primitives, that would offer destructive privacy. No one has indeed proved the non-existence of such a scheme, but we firmly believe that there is no such scheme. However, if we add physical security objects to the RFID schemes, then we can obtain RFID schemes that are destructive private [22].

Physically unclonable functions (PUFs) are possible candidates that can provide physical security in that they can ensure the secure generation and storage of cryptographic keys [5–7]. A PUF can be seen as a *physical object* that evaluates a *noisy function*: when queried with a challenge *x*, it generates a response *y* that depends on both *x* and its unique and specific properties, which are hard to *clone*. PUFs are noisy because their specific properties can change with the operating conditions, such as supply voltage or ambient temperature. So, PUFs may return slightly different responses when queried with the same challenge multiple times.

During the last years, the PUF concept has attracted the attention of the research community and industry. Many research papers and patents focusing on implementing distinct PUF architectures, larger systems employing PUFs as separate units, or protocols dedicated to PUF-based implementations were proposed.

#### **4.1 PUF construction**


In principle, PUFs can be constructed with any physical entity or structure as long as an intrinsic mismatching or nonlinear behavior, inherent to such an entity when implementing multiple alike, can be exploited.

For instance, two identical transistors designed in the same technology and on the same mask will show slightly different performances after implementing their layout (real physical circuit). The main difference will be noticed for the threshold voltage, V<sub>TH</sub> in the case of a CMOS process, which differs between the two transistors. As such, a simple CMOS PUF could be obtained by implementing an array of identical transistors, this being also the first architecture reported in the literature for chip identification [23] and disclosed in a patent application filed in 1989 [24]. Based on how challenges are applied to the circuit input and the great number of distinct responses (keys) that can be obtained, this particular PUF architecture is a strong PUF, at least according to the PUF properties reiterated in [25]. A similar approach, yet implemented with bipolar transistors, was disclosed in a European patent application filed in 2013 [26].

Another example, even simpler, is that of a discrete electronic part, be it a through-hole or surface-mount resistor or capacitor. It is well known that there are no two identical resistors or capacitors even though they have, theoretically, the same value and tolerance and are produced by the same manufacturer. Tolerance gives us valuable information about how much the resistance or capacitance value may differ from its nominal value. This sort of uncertainty favors PUF applications even though it is not good from a design perspective. And this is how the first RC PUF came into existence [27, 28].

Looking back, many PUF architectures have been proposed during the last two decades, various intrinsic properties being exploited, with many distinct classes identified [25]. This field encompasses so many implementations, technologies and design principles that two different perspectives to classify PUF architectures were used in that review. However, taking into account the scope and field of our study, i.e. RFID, we consider that the second classification (PUF tree), based on mechanism and evaluation parameter, is more relevant. In this regard, the PUF implementations fall into four classes: electronic, optical, radio frequency and magnetic PUFs. Furthermore, since RFID tags have limited chip area and (power) design constraints, it is obvious that electronic PUF architectures, known also as silicon PUFs, are of interest for our study.

Silicon-based PUFs involve conventional integrated circuit design techniques. Two essential design hints are identified regarding the implementation of a particular silicon-based PUF architecture:

1. A PUF architecture should generate at its output a unique sequence, useful either for authentication or cryptographic key generation, developed based on silicon intrinsic (physical) particularities. Therefore, no memory cells are allowed to store such a (PUF response) sequence. However, a (SRAM or DRAM) memory cell could be used to implement a PUF cell and thus generate a single bit of the PUF response, because we are not interested in the binary value memorized in that cell but rather in the transition speed and delay, which are specific to that particular cell;

2. When it comes to intrinsic behavior, PUF construction starts either at transistor or system level. In the first case, it exploits certain anomalies in transistor functionality that could identify a particular circuit similar to a fingerprint, such an implementation being reported in some references as an analog PUF. In the second case, it uses specific differences that appear when connecting identical logic gates, as is the case of ring oscillators or SRAM/DRAM cell arrays. In such an implementation, the randomness property is based on intrinsic variations at gate level, but the property is exploited and adjusted by digital designers in such a manner that the spread of generated patterns (responses) is extended as much as possible. This is the reason why such a class of PUF architectures is reported in the literature as digital PUFs. The system-level approach favors FPGA-based PUF implementations, the FPGA having all digital gates already manufactured, hence lacking access to the transistor level. Most of the PUF articles published during the last decade make use of FPGAs. Either way, silicon PUF implementation is uniquely favored by the tolerance inherent to the manufacturing process, the leading cause of device mismatching. It seems that what deteriorates the real performance of a particular silicon product becomes quite useful for chip identification/cloning detection and key generation.


*Security and Privacy of PUF-Based RFID Systems DOI: http://dx.doi.org/10.5772/intechopen.94018*


Silicon PUFs are still the most appealing ones because they occupy a very small chip area, especially when implemented in smaller technologies (<65 nm CMOS process), therefore they can be integrated into larger electronic units and systems (such as RFID). In addition, their design and preliminary testing on FPGA development boards ensure their proof of concept reproducibility, feasibility and success, before going deeper to implement a dedicated chip. A selection of representative silicon PUF architectures reported in literature is given below (for more details the reader may consult [6, 20, 29]):

**2000:** Threshold voltage (TV) PUF [24];

**2002:** Ring oscillator (RO) PUF [30];

**2004:** Arbiter PUF (APUF) [31];

**2007:** SRAM PUF [32], LATCH PUF [33];

**2008:** Butterfly (B) PUF [34], D Flip-Flop (DFF) PUF [35];

**2009:** Power distribution (PD) PUF [36], CNN PUF [37];

**2010:** Super High Information Content (SHIC) PUF [38], Glitch PUF [39];

**2011:** Pseudo-LFSR (PL) PUF [40];

**2012:** Buskeeper PUF [41];

**2013:** Micro-electro-mechanical system (MEMS) PUF [42];

**2014:** Transient effect RO (TERO) PUF [43];

**2015:** Dynamic random access memory (DRAM) PUF [44], SA\_PUF [?];

**2016:** D-PUF [45];

**2017:** Aging-resistant Current-starved RO (ACRO) PUF [46];

**2018:** Cryptanalysis/Robust Multiplexer-based PUF (cMPUF/rMPUF) [47].

#### **4.2 Cryptographic properties of PUFs and idealization**

In cryptography and security we typically build a cryptographic system and prove its security under the assumption that we have used secure ingredients (building blocks) such as *collision-resistant hash functions* (CRHF), *pseudo-random generators* (PRGs), or *pseudo-random functions* (PRFs). These secure ingredients are a kind of "ground truth" of applied cryptography. "Provable security" typically starts only above the level of these secure ingredients. A proof based on experiments and simulations may only show that the scheme is secure with respect to those experiments and simulations. A proof based on ideal primitives has a major advantage: if a cryptographic primitive is assumed ideal and later is proved (by experiments) insecure, we may replace it with another one of the same type that we believe is secure. The entire scheme remains unchanged and the security analysis is moved to the cryptographic primitives.

*Cryptography - Recent Advances and Future Developments*


When a cryptographic construction is deployed in practice, the secure (ideal) primitives that underlie it are replaced by algorithms for which we do not have a theoretical proof of security. Instead, these algorithms are subjected to intense scrutiny by cryptographers to see if they resist all known classes of attacks and to get evidence supporting the assumption that they are secure.

PUFs have been introduced to physically supplement specific security properties that cannot be satisfactorily obtained at the software implementation level alone. The security properties offered by PUFs can only be highlighted through experiments and simulations. To be able to apply provable security to cryptographic constructions that include PUFs, it is necessary to formalize their security properties. The major problem that arises in this context is to maintain a balance between formalization and the real physical properties. The difficulty of maintaining this balance comes from the fact that it is quite challenging to capture the behavior of a physical object through a mathematical formula that is accurate or that approximates it well enough. Without such a balance, we can reach situations such as those in which either the formalization is not useful or is too strict and has no practical equivalent. As a result, the formalization must be sufficiently realistic and, at the same time, allow its use in provable security.

Among the basic properties we want from a PUF class we mention:

**Constructability** – this means that it is "easy" to construct a random instance of a given PUF class;

**Evaluability** – this includes constructability and further requires that any random instance of a given PUF class can be easily evaluated on any random challenge;

**Reproducibility** – this includes evaluability and further requires that the responses resulting from evaluating the same challenge on the same PUF instance should be similar (in some distance metric) with high probability;

**Uniqueness** – this includes evaluability and further requires that the responses resulting from evaluating the same challenge on different PUF instances should be dissimilar (in some distance metric) with high probability;

**Identifiability** – this means both reproducibility and uniqueness;

**Physical unclonability** – this includes evaluability and further requires that it is hard to create a new PUF instance that is more alike to a given PUF instance than expressed by the uniqueness property;

**Unpredictability** – this includes evaluability and further requires that no PPT algorithm can predict the answer of a given PUF instance for a given challenge, except with negligible probability, even if it could have previously learned the PUF's answers for a polynomial number of challenges (different from the challenge in question);

**One-wayness** – this includes evaluability and further requires that it is hard to invert the answer of a given PUF instance;

**Tamper-evidence** – this includes evaluability and further requires that it is hard to physically alter a given PUF instance without having a noticeable effect on its challenge-response behavior.
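The reproducibility and uniqueness properties above are stated in terms of a distance metric. The following Python simulation, added here as an illustration and not taken from the chapter, measures both on a constructed population of simulated PUF instances using Hamming distance. The simulated PUF (a hash of a per-instance secret followed by random bit flips) is an assumption standing in for real manufacturing variation and measurement noise; the device identifiers, noise rate and threshold are constructed for the example.

```python
import hashlib
import random

NBITS = 64  # response length of the simulated PUF


def simulated_puf(instance_id: bytes, challenge: bytes, noise_rate: float,
                  rng: random.Random) -> int:
    """Constructed stand-in for a silicon PUF instance (not a real PUF model).

    The per-instance fingerprint is modelled by hashing a secret instance_id
    (standing for manufacturing variation) together with the challenge; the
    measurement noise of a physical evaluation is modelled by flipping each
    response bit independently with probability noise_rate.
    """
    digest = hashlib.sha256(instance_id + challenge).digest()
    response = int.from_bytes(digest[:NBITS // 8], "big")
    for i in range(NBITS):
        if rng.random() < noise_rate:
            response ^= 1 << i
    return response


def hamming(a: int, b: int) -> int:
    """Hamming distance, the distance metric used for both properties below."""
    return bin(a ^ b).count("1")


def intra_distance(instance_id: bytes, challenge: bytes, trials: int,
                   noise_rate: float, rng: random.Random) -> float:
    """Reproducibility: mean fractional distance between repeated evaluations
    of the same instance on the same challenge (should be close to 0)."""
    reference = simulated_puf(instance_id, challenge, noise_rate, rng)
    total = 0
    for _ in range(trials):
        total += hamming(reference,
                         simulated_puf(instance_id, challenge, noise_rate, rng))
    return total / (trials * NBITS)


def inter_distance(instance_ids, challenge: bytes, noise_rate: float,
                   rng: random.Random) -> float:
    """Uniqueness: mean fractional distance between different instances on the
    same challenge (ideally close to 0.5)."""
    responses = [simulated_puf(i, challenge, noise_rate, rng) for i in instance_ids]
    total, pairs = 0, 0
    for i in range(len(responses)):
        for j in range(i + 1, len(responses)):
            total += hamming(responses[i], responses[j])
            pairs += 1
    return total / (pairs * NBITS)


def same_instance(reference: int, response: int, threshold: float) -> bool:
    """Identifiability decision: accept when the fractional distance is below a
    threshold that separates the intra and inter distributions."""
    return hamming(reference, response) / NBITS < threshold


def evaluate_population(n_instances: int = 20, noise_rate: float = 0.05,
                        seed: int = 1) -> dict:
    """Run both measurements on a constructed population and return the summary
    figures; the margin between the two is what makes a PUF class identifiable."""
    rng = random.Random(seed)
    ids = [f"device-{k}".encode() for k in range(n_instances)]
    challenge = b"challenge-0001"  # constructed challenge
    intra = intra_distance(ids[0], challenge, 50, noise_rate, rng)
    inter = inter_distance(ids, challenge, noise_rate, rng)
    return {"intra": intra, "inter": inter, "margin": inter - intra}


if __name__ == "__main__":
    print(evaluate_population())
```

A PUF class is identifiable only if the intra-distance distribution (near 0) and the inter-distance distribution (near 0.5) do not overlap at the chosen threshold; the margin returned by `evaluate_population` is the figure a designer reports. A noise rate that pushes the intra-distance toward the threshold is exactly the situation in which the fuzzy extractors mentioned in Section 5.1 become necessary.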

The choice of the PUF type to be included in a cryptographic system depends on the security properties we want to achieve, and which cannot be obtained through software techniques, as well as on the production costs. For example, the tamper-evidence feature can be handy for constructing destructive private RFID schemes. However, today's technological development shows that only optical [48] and coating PUFs [49] can provide this property. Besides, such PUFs have high production costs, which requires a careful analysis of the environment of the utilization of the RFID schemes that would use such PUFs.


#### **5. PUF-based RFID systems**

PUFs have proven to be suitable for integration into RFID systems to ensure their security in gray or white box models. So far, two significant directions for the use of PUFs in RFID systems have emerged. We dedicate this section to a discussion of the two directions and the issues that arise regarding them.

#### **5.1 Endowing RFID tags by PUFs**

The vulnerability of RFID systems to corruption consists in the fact that an adversary with corruption abilities can extract the information from the tag's memory and, thus, can impersonate it or, at least, destroy the privacy property. Without having a concrete proof at the moment, the researchers' opinion is that, in Vaudenay's model but not only, destructive privacy cannot be achieved only by using symmetric or asymmetric cryptographic primitives. Storing a private key in the tag's memory is useless when the adversary has corruption capabilities and can use the information obtained through corruption. The use of a public key system in which the private key is stored on the reader side is also useless in Vaudenay's model when destructive privacy is desired.

This discussion naturally leads to the idea of using a tamper-evident mechanism embedded in the tag to help the process of identifying and authenticating it. In this context, PUFs seem to be a good choice and the newest technologies show that it is possible to embed PUFs into tags. Tags of this kind, with PUFs embedded into them, will be called *PUF tags*, while the standard tags will sometimes be referred to as *ordinary tags*. A PUF-based RFID scheme is an RFID scheme with PUF tags.

How PUF tags can be built can be very important in terms of tag corruption. This aspect will be touched on in the next section.

Two significant directions have emerged on the authentication protocol of PUF-based RFID schemes. The first direction treats PUFs as fingerprints [50–54]. This approach requires an initial configuration phase in which a PUF model or a large set of PUF challenge-and-response (CR) pairs is pre-computed and stored in the reader's database. To identify a PUF tag, the reader queries it with some challenge, the tag evaluates its PUF on the challenge, and then the reader compares the tag's response with the pre-computed response it already has stored in the database. There are several variants of this scenario, but regardless of these, special attention must be paid to the modeling attacks of PUFs [55]. This is because the adversary might get sufficient CR pairs in order to simulate the tag's PUF. Anyway, the authors of this paper are not aware of any PUF-based RFID schemes based on this approach that would provide destructive privacy in Vaudenay's model. Moreover, we believe that it is not possible to achieve this level of privacy through this approach because the set of CR pairs is generally polynomial in size. Then, a strong enough adversary may run the authentication protocol with a tag until it exhausts all CR pairs stored in the database. In such a situation, either a CR pair will be reused, or a reset mechanism has to be used. Regardless of the case, the privacy property might be compromised.

A second direction for the authentication protocol of PUF-based RFID schemes starts from the idea of using PUFs as cryptographic key generators or as storage methods [10, 22, 56, 57]. That is, the tag evaluates its PUF only to generate or extract a cryptographic key. Thus, the PUF is evaluated for a minimum number of challenges. This fact eliminates the shortcoming that the adversary can model the PUF, but if the PUF is noisy, then an additional overhead may be incurred by using fuzzy extractors. Assuming PUFs are tamper-evident, this second approach produces schemes that achieve destructive privacy in Vaudenay's model (please see Section 5.3).
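The overhead that a noisy PUF imposes in this second direction can be made concrete. The following Python code, added as an example and not part of the chapter or of any cited scheme, implements a code-offset fuzzy extractor with a repetition code as the secure sketch: `generate` derives a key and public helper data from a reference response, and `reproduce` recovers the same key from a later, noisy response. The parameters (a 64-bit raw key, repetition length 7, SHA-256 as the final extractor) and the constructed responses are assumptions for illustration.

```python
import hashlib
import random
import secrets

REP = 7                       # repetition-code length: corrects up to 3 flips per block
KEY_BITS = 64                 # number of code bits, i.e. the raw key entropy
RESP_BITS = KEY_BITS * REP    # raw PUF response length the extractor consumes (448 bits)


def rep_encode(bits: int) -> int:
    """Encode KEY_BITS data bits, repeating each bit REP times."""
    out = 0
    for i in range(KEY_BITS):
        if (bits >> i) & 1:
            out |= ((1 << REP) - 1) << (i * REP)
    return out


def rep_decode(codeword: int) -> int:
    """Majority-vote each REP-bit block back to a single data bit."""
    bits = 0
    for i in range(KEY_BITS):
        block = (codeword >> (i * REP)) & ((1 << REP) - 1)
        if bin(block).count("1") * 2 > REP:
            bits |= 1 << i
    return bits


def _extract(response: int) -> bytes:
    # SHA-256 stands in for the strong extractor of a formal fuzzy extractor.
    return hashlib.sha256(response.to_bytes(RESP_BITS // 8, "big")).digest()


def generate(response: int) -> tuple:
    """Gen: from the enrolment-time response w, output (key, helper).

    The helper data w XOR C(r) is public; it leaks RESP_BITS - KEY_BITS bits
    about w, so the key's residual entropy rests on w being unpredictable.
    """
    r = secrets.randbits(KEY_BITS)
    helper = response ^ rep_encode(r)
    return _extract(response), helper


def reproduce(noisy_response: int, helper: int) -> bytes:
    """Rep: recover the key from a noisy re-evaluation w' and the helper data.

    w' XOR helper = C(r) XOR e; majority decoding removes e if every block has
    at most 3 flips, after which w = C(r) XOR helper is recovered exactly.
    """
    corrected_codeword = rep_encode(rep_decode(noisy_response ^ helper))
    return _extract(corrected_codeword ^ helper)


def flip_bits(value: int, positions) -> int:
    """Inject bit errors at the given positions (models PUF measurement noise)."""
    for p in positions:
        value ^= 1 << p
    return value


def constructed_response(seed: int) -> int:
    """Constructed, deterministic stand-in for a raw PUF response of RESP_BITS bits."""
    return random.Random(seed).getrandbits(RESP_BITS)


if __name__ == "__main__":
    w = constructed_response(42)
    key, helper = generate(w)
    noisy = flip_bits(w, [0, 1, 2, 7, 100, 101, 440])
    print("noisy response recovers key:", reproduce(noisy, helper) == key)
```

Each 7-bit block corrects at most three flipped bits, so the construction tolerates a bounded intra-distance; a block with four or more flips yields a different key, which the protocol must surface as a failed authentication rather than silently accept. The price is the overhead the text refers to: a 448-bit raw response and helper-data storage on the reader side for a 64-bit key.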

#### **5.2 Tag corruption and PUFs**


In order to adapt Vaudenay's model (with or without temporary state disclosure) to PUF-based RFID schemes, we have to clarify what corruption means in this case. At least two main scenarios are possible:

1. By corrupting a PUF tag, the adversary gets the state of the tag, according to the type of the attack model (with or without temporary state disclosure). Besides, the tag is destroyed, but its PUF can still be evaluated. This variant does not show significant differences compared to the case of corruption of ordinary tags, because the PUF of the tag can now be seen as a public function that the adversary can evaluate as he wishes;

2. By corrupting a PUF tag, the adversary gets the state of the tag, according to the type of the attack model (with or without temporary state disclosure). Besides, the tag and its PUF are destroyed (in this case, the PUF cannot be evaluated anymore).


The second scenario is the most significant. Within it, the PUF tag is seen as a tamper-evident device (circuit), such as a tamper-evident PUF [58, 59]. Working in this scenario, Theorem 1 in [21], at least in its present form, cannot be applied to PUF-based RFID schemes. This leaves open the invitation to design PUF-based RFID schemes that achieve mutual authentication and higher privacy levels than narrow forward in Vaudenay's model with temporary state disclosure. As we have already said, such schemes cannot be based on ordinary tags. A good choice is to use PUF tags, as was done in [10, 22, 56, 57, 60]. However, the use of PUF tags does not mean that the schemes are immune to corrupting adversaries. This is because an adversary might not need the entire tag state to attack the scheme. An example in this sense is provided in [10], where it was shown that the RFID schemes proposed in [56, 57] do not achieve mutual authentication and (narrow) destructive privacy in Vaudenay's model with temporary state disclosure, as claimed by their authors, although they use PUF tags. The proof exploits the fact that these schemes use volatile variables to carry values between protocol steps.

As we have seen, the corruption attack in Vaudenay's model may provide the adversary with the full state of the tag. However, this state does not include the values of the local temporary variables. The varied range of side-channel attacks includes other types of attacks, such as those called cold-boot attacks, through which the tag's memory can be frozen. Thus, the adversary can obtain the value of the local variables at a given time. This type of attack has also been discussed in RFID-oriented papers, such as [56, 57, 61]. We are not aware of any formal treatment of this scenario in Vaudenay's model. To implement it in Vaudenay's model, the *Corrupt* oracle should be changed to return snapshots of the tag's state during its computation (recall that the standard *Corrupt* oracle returns the tag's state before or after a protocol step). A formal and complete treatment of such a corruption seems hard to reach; on the other hand, such a corruption is very strong and probably no PUF-based RFID scheme may achieve a privacy level higher than (narrow) weak under such a corruption. However, special cases may be relevant. One of them is the cold boot attack mentioned above [56, 57, 61]. To defeat it, a PUF double evaluation technique was proposed in [61], which consists of two evaluations in a row of the same PUF. If the attack is applied immediately after the first PUF evaluation, the second PUF evaluation is lost, and vice-versa. This technique was implemented in [56, 57] too. Unfortunately, the authors did not pay much attention to the temporary variables, which prevents their schemes from achieving even the narrow forward privacy level [10].


#### **5.3 Destructive privacy by PUF-based RFID schemes**

When the Vaudenay [12, 13] model was proposed, finding an RFID scheme to provide destructive privacy remained an open issue (please see the diagram in **Figure 2**). This problem was later solved by a PUF-based RFID scheme [22, 60]. The scheme, which provides unilateral authentication, is obtained from the PRF-based RFID scheme presented in Section 2, adding tamper-evident PUFs to tags to generate the key *K*. If the adversary corrupts the tag, its PUF is destroyed and cannot be evaluated. Thus, the adversary cannot get the key *K*. The scheme was extended later to ensure mutual authentication [10]. We present it in **Figure 3**. As one can see, the main difference between the scheme in **Figure 1** and this new one is that the domain of the PRF function *F* is extended with one more bit and the tag is endowed with a tamper-evident PUF *P* and a seed *s* for it. Whenever the tag needs to evaluate its PRF, it first computes the key *K* = *P*(*s*) and then uses it. It has to be understood that after using it, the variable *K* is erased. If the adversary corrupts the tag, the seed *s* he gets is useless because the PUF can no longer be evaluated (please see [10] for details regarding the security and privacy proofs).

**Figure 3.** *PRF- and PUF-based RFID scheme that achieves destructive privacy and mutual authentication*
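To make the destructive-privacy mechanism concrete, here is a Python model of the scheme described above, added as an example; it is neither the chapter's Figure 3 nor the code of [10, 22, 60], and the exact message format (reader nonce *a*, tag nonce *b*, tag authenticator *F_K*(0||*a*||*b*), reader authenticator *F_K*(1||*a*||*b*)) is assumed for the example. HMAC-SHA256 stands in for the PRF *F*, a hash of a per-instance secret stands in for the tamper-evident PUF *P*, and the `corrupt` method follows the second scenario of Section 5.2 (persistent state returned, PUF destroyed).

```python
import hashlib
import hmac
import secrets

NONCE_BYTES = 16


def prf(key: bytes, domain_bit: int, a: bytes, b: bytes) -> bytes:
    """F_K(domain_bit || a || b). HMAC-SHA256 stands in for the PRF F; the leading
    bit is the one-bit domain extension (assumed: 0 for the tag's message, 1 for
    the reader's), so the two directions can never be confused."""
    return hmac.new(key, bytes([domain_bit]) + a + b, hashlib.sha256).digest()


class TamperEvidentPUF:
    """Idealised tamper-evident PUF: deterministic per instance, and destroyed by
    any physical corruption of the tag, after which it cannot be evaluated."""

    def __init__(self) -> None:
        # Constructed stand-in for manufacturing variation; a real PUF stores no
        # such secret, which is precisely why corruption gains nothing.
        self._variation = secrets.token_bytes(32)
        self.destroyed = False

    def evaluate(self, challenge: bytes) -> bytes:
        if self.destroyed:
            raise RuntimeError("PUF destroyed: tag was tampered with")
        return hashlib.sha256(self._variation + challenge).digest()


class Tag:
    def __init__(self, ident: bytes) -> None:
        self.ident = ident
        self.seed = secrets.token_bytes(16)   # persistent state s
        self.puf = TamperEvidentPUF()         # P

    def respond(self, a: bytes) -> tuple:
        """Tag step: K = P(s) exists only for the duration of this step."""
        b = secrets.token_bytes(NONCE_BYTES)
        key = self.puf.evaluate(self.seed)
        c = prf(key, 0, a, b)
        del key   # intent only: a real tag must zeroise the register holding K
        return b, c

    def verify_reader(self, a: bytes, b: bytes, d: bytes) -> bool:
        key = self.puf.evaluate(self.seed)
        ok = hmac.compare_digest(d, prf(key, 1, a, b))
        del key
        return ok

    def corrupt(self) -> dict:
        """Corrupt oracle, second scenario of Section 5.2: the adversary obtains
        the persistent state, but the PUF is destroyed in the process."""
        self.puf.destroyed = True
        return {"seed": self.seed}


class Reader:
    def __init__(self) -> None:
        self.keys = {}   # ident -> K, derived once at enrolment

    def enrol(self, tag: Tag) -> None:
        self.keys[tag.ident] = tag.puf.evaluate(tag.seed)

    def identify(self, a: bytes, b: bytes, c: bytes) -> tuple:
        """Linear search, as in the PRF-based scheme: find the K that explains c,
        then answer with the reader's authenticator d."""
        for ident, key in self.keys.items():
            if hmac.compare_digest(c, prf(key, 0, a, b)):
                return ident, prf(key, 1, a, b)
        return None, None


def run_protocol(reader: Reader, tag: Tag) -> tuple:
    """One mutual-authentication run: (tag accepted reader, identified ident)."""
    a = secrets.token_bytes(NONCE_BYTES)
    b, c = tag.respond(a)
    ident, d = reader.identify(a, b, c)
    if ident is None:
        return False, None
    return tag.verify_reader(a, b, d), ident


def corrupted_tag_can_respond(tag: Tag) -> bool:
    """After corruption the seed alone is useless: K can no longer be derived."""
    try:
        tag.respond(secrets.token_bytes(NONCE_BYTES))
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    reader, tag = Reader(), Tag(b"tag-1")
    reader.enrol(tag)
    print("honest run:", run_protocol(reader, tag))
    state = tag.corrupt()
    print("state after corruption:", state, "can respond:", corrupted_tag_can_respond(tag))
```

The point of the model lies in `corrupt` and `corrupted_tag_can_respond`: the adversary obtains the seed *s*, but because *K* is only ever derived as *P*(*s*) inside a protocol step and the PUF no longer evaluates, *s* on its own is useless. Two caveats carry over to real tags: `del key` only signals intent in Python, so the register holding *K* must actually be zeroised after each step, and, as Section 5.2 explains for corruption with temporary state disclosure, no other volatile variable may carry *K* or anything derived from it across protocol steps.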

As corruption with temporary state disclosure is a real threat in practice, the most natural question is how to extend the above schemes, or how to design new ones, secure and private in Vaudenay's model under such a corruption. It is clear that ordinary tags (i.e., tags that only implement cryptographic primitives) do not help if one wants to achieve both mutual authentication and privacy (Theorem 1 in [21]). Endowing tags with PUFs is a potential solution but it is not a guarantee. It turns out that the subtlety is how to use temporary variables. This has been missed in some recently proposed RFID schemes [56, 57], which prevented these schemes from achieving the privacy level claimed by their authors [10]. It seems that the use of temporary variables in connection with mutual authentication and privacy is not really very well understood, especially under corruption with temporary state disclosure.

### **6. Conclusions**

The significant impact of PUF technology in the construction of RFID systems is demonstrated by the great diversity of scientific articles and patents proposed in the last decade. The use of PUFs in the construction of RFID schemes can bring extra security and privacy at the physical level that cannot be obtained by symmetric and asymmetric cryptography at the moment. However, this requires an adequate understanding and analysis of security and privacy models for RFID, so that PUFs are considered only if existing standard techniques cannot lead to the desired security and privacy level. Unfortunately, the literature contains many PUF-based RFID schemes proposed in recent years that do not even reach the weak privacy level in Vaudenay's model. In contrast, weak privacy in this model can be achieved through standard RFID schemes that use only symmetric cryptography. This fact clearly shows that a sustained effort is needed to consolidate the understanding of the concept of a security and privacy model and to adapt it accordingly to PUF technology.

In this chapter, we highlighted the aspects mentioned above and emphasized the need to use formal models in the study of the security and privacy properties of (PUF-based) RFID schemes. Achieving the level of destructive privacy in Vaudenay's model through PUF-based RFID schemes clearly shows the potential of using PUF technology in the construction of RFID systems. Even if the security and privacy proofs of PUF-based RFID schemes make use of ideal PUFs, this is not a negative aspect as long as there is practically reasonable support for the idealization, and this is in line with the trend of technology evolution.

### **Authors contribution**


This chapter (structure and content) was proposed by F.L. Ţiplea, who also supervised its complete realization. Section 4.1 was prepared by C. Andriesei, as well as the second and third paragraphs of the introductory section. All the other sections of the chapter were prepared in an equal contribution by F.L. Ţiplea and C. Hristea. All authors have read and agreed to the published version of the manuscript.


#### **Author details**

Ferucio Laurenţiu Ţiplea<sup>1,3</sup>\*, Cristian Andriesei<sup>2,4</sup> and Cristian Hristea<sup>3</sup>

1 Alexandru Ioan Cuza University of Iasi, Iasi, Romania

2 Gheorghe Asachi Technical University, Iasi, Romania

3 Simion Stoilow Institute of Mathematics of the Romanian Academy, Bucharest, Romania

4 SC AT&C Technology SRL, Iasi, Romania

\*Address all correspondence to: fltiplea@gmail.com

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


#### **References**

[1] Marion Cardullo and William Parks. Transponder apparatus and system, Jan 1973. US Patent 3713148

[2] FPO. Free Patents Online, 2020. http://freepatentsonline.com

[3] Haddara M, Staaby A. RFID applications and adoptions in healthcare: A review on patient safety. *Procedia Computer Science*. 2018;**138**:80-88

[4] Antti Lahtela. A short overview of the RFID technology in healthcare. In *2009 Fourth International Conference on Systems and Networks Communications*, pages 165–169. IEEE, 2009

[5] Halak B. *Physically Unclonable Functions: From Basic Design Principles to Advanced Hardware Security Applications*. Springer International Publishing; 2019

[6] R Maes. Physically Unclonable Functions: Constructions, Properties and Applications. Springer-Verlag Berlin Heidelberg; 2013

[7] Christian Wachsmann and Ahmad-Reza Sadeghi. *Physically Unclonable Functions (PUFs): Applications, Models, and Future Directions*. Number 12 in Synthesis Lectures on Information Security, Privacy, & Trust. Morgan & Claypool Publishers, Dec 2014

[8] Jones EC, Chung CA. *RFID and Auto-ID in Planning and Logistics: A Practical Guide for Military UID Applications*. CRC Press; 2016

[9] Ustundag A. *The Value of RFID: Benefits vs. Costs*. Springer-Verlag, London; 2013

[10] Cristian Hristea and Ferucio Laurenţiu Ţiplea. Destructive privacy and mutual authentication in Vaudenay's RFID model. Cryptology ePrint Archive, Report 2019/073, 2019. https://eprint.iacr.org/2019/073

[11] Cristian Hristea and Ferucio Laurenţiu Ţiplea. Privacy of stateful RFID systems with constant tag identifiers. *IEEE Transactions on Information Forensics and Security*, 15: 1920–1934, Nov 2019.

[12] Radu-Ioan Paise and Serge Vaudenay. Mutual authentication in RFID: Security and privacy. In *Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security*, ASIACCS '08, pages 292–299, New York, NY, USA, 2008. ACM

[13] Vaudenay S. On privacy models for RFID. In: *Proceedings of the Advances in Cryptology 13th International Conference on Theory and Application of Cryptology and Information Security*, ASIACRYPT'07. Berlin, Heidelberg: Springer-Verlag; 2007. pages 68-87

[14] Klaus Finkenzeller. RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification. Wiley Publishing, 3rd edition, 2010

[15] Yingjiu Li, Robert H. Deng, and Elisa Bertino. *RFID Security and Privacy*. Synthesis Lectures on Information Security, Privacy, and Trust. Morgan & Claypool Publishers, 2013

[16] Hermans J, Peeters R, Preneel B. Proper RFID privacy: Model and protocols. *IEEE Transactions on Mobile Computing*. Dec 2014;**13**(12): 2888-2902

[17] Pascal Sasdrich, Amir Moradi, and Tim Güneysu. White-box cryptography in the gray box. In *Revised Selected Papers of the 23rd International Conference on Fast Software Encryption - Volume 9783*, FSE 2016, pages 185–203, Berlin, Heidelberg, 2016. Springer-Verlag


[18] Jonathan Katz and Yehuda Lindell. *Introduction to Modern Cryptography*. Chapman & Hall/CRC, 2nd edition, 2014

[19] Peeters E. *Advanced DPA Theory and Practice: Towards the Security Limits of Secure Embedded Circuits*. Incorporated: Springer Publishing Company; 2013

[20] M. Al-Haidary and Q. Nasir. Physically unclonable functions (PUFs): A systematic literature review. In *2019 Advances in Science and Engineering Technology International Conferences (ASET)*, pages 1–6, 2019

[21] Armknecht F, Sadeghi A-R, Scafuro A, Visconti I, Wachsmann C. Impossibility results for RFID privacy notions. In: Gavrilova ML, Tan CJK, Moreno ED, editors. *Transactions on Computational Science XI*. Berlin, Heidelberg: Springer-Verlag; 2010. pp. 39-63

[22] Ahmad-Reza Sadeghi, Ivan Visconti, and Christian Wachsmann. PUF-enhanced RFID security and privacy. In *Workshop on Secure Component and System Identification (SECSI)*, volume 110, 2010

[23] K. Lofstrom, W. R. Daasch, and D. Taylor. IC identification circuit using device mismatch. In *2000 IEEE International Solid-State Circuits Conference. Digest of Technical Papers (Cat. No.00CH37056)*, pages 372–373, 2000

[24] K. Lofstrom. System for providing an integrated circuit with a unique identification. US patent no. 6161213, Dec 2000

[25] McGrath T, Bagci IE, Wang ZM, Roedig U, Young RJ. A PUF taxonomy. *Applied Physics Reviews*. 2019;**6**(1): 011303

[26] Vanhoucke T and Nguyen V. A PUF method using and circuit having an array of bipolar transistors. European patent no. 2833287A1, July 2013

[27] Lee S, Oh M-K, Kang Y, Choi D. Design of resistor-capacitor physically unclonable function for resource-constrained IoT devices. *Sensors*. 2020;**20**(2):326-337


[28] Sangjae Lee, Mi-Kyung Oh, Yousung Kang, and Dooho Choi. RC PUF: A low-cost and an easy-to-design PUF for resource-constrained IoT devices. In Ilsun You, editor, *Information Security Applications*, pages 275–285, Cham, 2020. Springer International Publishing

[29] Herder C, Yu M, Koushanfar F, Devadas S. Physical unclonable functions and applications: A tutorial. *Proceedings of the IEEE*. 2014;**102**(8): 1126-1141

[30] Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In Vijayalakshmi Atluri, editor, *ACM Conference on Computer and Communications Security*, pages 148–160. ACM, 2002

[31] Jae W. Lee, Daihyun Lim, Blaise Gassend, G. Edward Suh, Marten van Dijk, and Srinivas Devadas. A technique to build a secret key in integrated circuits for identification and authentication applications. In *2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525)*, pages 176–179, 2004

[32] Jorge Guajardo, Sandeep S. Kumar, Geert-Jan Schrijen, and Pim Tuyls. FPGA intrinsic PUFs and their use for IP protection. In *Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems*, CHES 07, pages 63–80, Berlin, Heidelberg, 2007. Springer-Verlag

[33] Y. Su, J. Holleman, and B. Otis. A 1.6pJ/bit 96% Stable Chip-ID Generating Circuit using Process Variations. In *2007 IEEE International Solid-State Circuits Conference. Digest of Technical Papers*, pages 406–611, 2007


[34] S. S. Kumar, J. Guajardo, R. Maes, G. Schrijen, and P. Tuyls. Extended abstract: The butterfly PUF protecting IP on every FPGA. In *2008 IEEE International Workshop on Hardware-Oriented Security and Trust*, pages 67–70, 2008

[35] Maes R, Tuyls P, Verbauwhede I. Intrinsic PUFs from flip-flops on reconfigurable devices. In: *3rd Benelux workshop on information and system security (WISSec 2008)*. 2008

[36] Ryan Helinski, Dhruva Acharyya, and Jim Plusquellic. A physical unclonable function defined using power distribution system equivalent resistance variations. In *2009 46th ACM/IEEE Design Automation Conference*, pages 676–681. IEEE, 2009

[37] Csaba G, Xueming J, Chen Q, Porod W, Schmidhuber J, Schlichtmann U, et al. On-chip electric waves: An analog circuit approach to physical uncloneable functions. *IACR Cryptology ePrint Archive*. 2009;**2009**: 246

[38] Ulrich Ruehrmair, Christian Jaeger, Christian Hilgers, Michael Algasinger, Gyoergy Csaba, and Martin Stutzmann. Security applications of diodes with unique current-voltage characteristics. In *Proceedings of the 14th International Conference on Financial Cryptography and Data Security*, FC'10, pages 328–335, Berlin, Heidelberg, 2010. Springer-Verlag

[39] Daisuke Suzuki and Koichi Shimizu. The Glitch PUF: A new delay-PUF architecture exploiting glitch shapes. In *International Workshop on Cryptographic Hardware and Embedded Systems*, pages 366–382. Springer, 2010

[40] Yohei Hori, Hyunho Kang, Toshihiro Katashita, and Akashi Satoh. Pseudo-LFSR PUF: A compact, efficient and reliable physical unclonable function. In *2011 International Conference on Reconfigurable Computing and FPGAs*, pages 223–228. IEEE, 2011

[41] Peter Simons, Erik van der Sluis, and Vincent van der Leest. Buskeeper PUFs, a promising alternative to D flip-flop PUFs. In *2012 IEEE International Symposium on Hardware-Oriented Security and Trust*, pages 7–12. IEEE, 2012

[42] Patrick Koeberl, Ünal Kocabas, and Ahmad-Reza Sadeghi. Memristor PUFs: a new generation of memory-based physically unclonable functions. In *2013 Design, Automation & Test in Europe Conference & Exhibition (DATE)*, pages 428–431. IEEE, 2013

[43] Bossuet L, Ngo XT, Cherif Z, Fischer V. A PUF based on a transient effect ring oscillator and insensitive to locking phenomenon. *IEEE Trans. Emerg. Top. Comput.* 2014;**2**(1):30-36

[44] Fatemeh Tehranipoor, Nima Karimian, Kan Xiao, and John Chandy. DRAM based intrinsic physical unclonable functions for system level security. In *Proceedings of the 25th edition on Great Lakes Symposium on VLSI*, pages 15–20, 2015

[45] S. Sutar, A. Raha, and V. Raghunathan. D-PUF: An intrinsically reconfigurable DRAM PUF for device authentication in embedded systems. In *2016 International Conference on Compilers, Architectures, and Synthesis of Embedded Systems (CASES)*, pages 1–10, 2016

[46] Liu CQ, Cao Y, Chang CH. ACRO-PUF: A low-power, reliable and aging-resilient current starved inverter-based ring oscillator physical unclonable function. *IEEE Transactions on Circuits and Systems I: Regular Papers*. 2017;**64**(12):3138-3149

[47] Sahoo DP, Mukhopadhyay D, Chakraborty RS, Nguyen PH. A multiplexer-based arbiter PUF composition with enhanced reliability and security. *IEEE Transactions on Computers*. 2018;**67**(3):403-417

[48] Pappu Srinivasa Ravikanth. Physical One-Way Functions. PhD thesis, USA, 2001

[49] Pim Tuyls, Geert-Jan Schrijen, Boris Škorić, Jan van Geloven, Nynke Verhaegh, and Rob Wolters. Read-proof hardware from protective coatings. In *Proceedings of the 8th International Conference on Cryptographic Hardware and Embedded Systems*, CHES'06, pages 369–383, Berlin, Heidelberg, 2006. Springer-Verlag

[50] Pier Francesco Cortese, Francesco Gemmiti, Bernardo Palazzi, Maurizio Pizzonia, and Massimo Rimondini. Efficient and practical authentication of PUF-based RFID tags in supply chains. In *2010 IEEE International Conference on RFID-Technology and Applications*, pages 182–188. IEEE, 2010

[51] Devadas S, Suh E, Paral S, Sowell R, Ziola T, Khandelwal V. Design and implementation of PUF-based unclonable RFID ICs for anti-counterfeiting and security applications. In: *2008 IEEE International Conference on RFID*, pages 58–64. IEEE. 2008

[52] Gope P, Lee J, Quek TQS. Lightweight and practical anonymous authentication protocol for RFID systems using physically unclonable functions. *IEEE Transactions on Information Forensics and Security*. Nov 2018;**13**(11):2831-2843

[53] Öztürk E, Hammouri G, Sunar B. Towards robust low cost authentication for pervasive devices. In: *2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom)*, pages 170–178. IEEE. 2008

[54] Anthony Van Herrewege, Stefan Katzenbeisser, Roel Maes, Roel Peeters, Ahmad-Reza Sadeghi, Ingrid Verbauwhede, and Christian Wachsmann. Reverse fuzzy extractors: Enabling lightweight mutual authentication for PUF-enabled RFIDs. In *International Conference on Financial Cryptography and Data Security*, pages 374–389. Springer, 2012


[55] Ulrich Rührmair, Frank Sehnke, Jan Sölter, Gideon Dror, Srinivas Devadas, and Jürgen Schmidhuber. Modeling attacks on physical unclonable functions. In *Proceedings of the 17th ACM Conference on Computer and Communications Security*, CCS '10, pages 237–249, New York, NY, USA, 2010. Association for Computing Machinery

[56] Mete Akgün and M. Ufuk Çaglayan. Providing destructive privacy and scalability in RFID systems using PUFs. *Ad Hoc Netw.*, 32(C):32–42, September 2015

[57] Süleyman Kardas, Serkan Çelik, Muhammet Yildiz, and Albert Levi. PUF-enhanced offline RFID security and privacy. *J. Netw. Comput. Appl.*, 35 (6):2059–2067, November 2012

[58] Dmitry Nedospasov, Jean-Pierre Seifert, Clemens Helfmeier, and Christian Boit. Invasive PUF analysis. In *Proceedings of the 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography*, FDTC '13, pages 30–38, USA, 2013. IEEE Computer Society

[59] Pim Tuyls and Lejla Batina. RFID-tags for anti-counterfeiting. In *Cryptographers' Track at the RSA Conference*, pages 115–131. Springer, 2006

[60] Ahmad-Reza Sadeghi, Ivan Visconti, and Christian Wachsmann. *Enhancing RFID Security and Privacy by Physically Unclonable Functions*, pages 281–305. Springer Berlin Heidelberg, 2010


[61] Süleyman Kardas, Mehmet Sabir Kiraz, Muhammed Ali Bingöl, and Hüseyin Demirci. A novel RFID distance bounding protocol based on physically unclonable functions. In Ari Juels and Christof Paar, editors, *RFID. Security and Privacy*, pages 78–93, 2012. Springer Berlin Heidelberg



#### **Chapter 6**

## The Security of Cryptosystems Based on Error-Correcting Codes

*Ahmed Drissi*

*Cryptography - Recent Advances and Future Developments*

*DOI: http://dx.doi.org/10.5772/intechopen.93782*

#### **Abstract**

Quantum computers are distinguished by their enormous storage capacity and relatively high computing speed. Among the cryptosystems of the future, the best known and most studied that are expected to resist this kind of computer are cryptosystems based on error-correcting codes. The use of problems inspired by the theory of error-correcting codes in the design of cryptographic systems adds an alternative to cryptosystems based on number theory, as well as solutions to their vulnerabilities. Their security is based on the problem of decoding a random code, which is NP-complete. In this chapter, we discuss the cryptographic properties of error-correcting codes, as well as the security of cryptosystems based on code theory.

**Keywords:** McEliece cipher, hash function, syndrome decoding, correcting codes, random code

#### **1. Introduction**

Like all asymmetric cryptographic systems, the idea is to base security on the difficulty of reversing a one-way function with a trap door. The theory of error-correcting codes contains well-structured and difficult problems, more or less suitable for use in cryptography. The first to have the idea of using error-correcting codes for cryptographic purposes was McEliece in 1978, who proposed an asymmetric encryption algorithm. In 1986, Niederreiter proposed another cryptographic system equivalent to that of McEliece [1]. The two systems of McEliece and Niederreiter are of equivalent security against a passive attack; however, they are not against an active attack [2]. In the following section, we give an overview of the theory of error-correcting codes. In the third section, we deal only with the basic systems based on this theory. The last section is devoted to the discussion of security settings and the most well-known attacks. In what follows we use the following notation.

$F_{2^m}$: a finite field of $2^m$ elements.

$K[x]$: the ring of polynomials in one indeterminate over $K$.

$K[x]/(P)$: the quotient ring of $K[x]$ modulo $P$.

$K^*$: the set $K$ deprived of the element $0$.

$\deg Q(x)$: the degree of the polynomial $Q(x)$.

$F_2^m$: the set of vectors of length $m$ with components $0$ and $1$.

$F^n$: the Cartesian product of $n$ copies of the set $F$.

$\lfloor x \rfloor$: the integer part of $x$.

$A^t$: the transpose of the matrix $A$.

$I_k$: the identity matrix of order $k$.

$\gcd$: greatest common divisor.

$C_n^t$: the number of combinations of $t$ elements among $n$ elements.

#### **2. Error-correcting codes**

#### **2.1 Finite fields**

Finite fields are the basis of many error-correcting codes and cryptographic systems; it is therefore essential to recall the theory of finite fields in order to understand the functioning of linear codes. In this section we present some properties of finite fields and a method of representing them for later use. We are interested in constructing the finite fields $F_{2^m}$ and in the calculations on these fields. Finite fields are generally constructed from primitive polynomials [3].

Definitions

The minimal polynomial of an element $\beta$ over a finite field $F$ is the monic polynomial with coefficients in $F$ of smallest degree whose value at $\beta$ is zero.

Proposition

1. The ring $K[x]/(P)$ is a field if and only if the polynomial $P(x)$ is irreducible over the field $K$.

2. If $P(x)$ is irreducible of degree $m$ and $K$ is a finite field of $q$ elements, then $K[x]/(P)$ is a field of $q^m$ elements.

This proposition gives us a way to build a finite field: take a polynomial $P$ irreducible over a field $K$ and form the quotient $K[x]/(P)$.

Theorem (the primitive element)

If $K$ is a finite field of order $q$, then the multiplicative group $K^*$ is cyclic, generated by an element $\alpha$ called a primitive element of $K$, and we write $K^* = \{\alpha^i,\ i = 1 \ldots q-1\}$. Any generator of this group is called a primitive element of $K$.

Definition (primitive polynomial)

We say that a polynomial $P \in F_2[x]$ of degree $m$ is primitive if it is the minimal polynomial of a generator of $F_{2^m}^*$.

Lemma

Let $F_2[x]_m = \{Q(x) \in F_2[x],\ \deg Q(x) \le m-1\}$, $P(x) \in F_2[x]$ a primitive polynomial of degree $m$ and $\alpha$ a root of $P(x)$; then we have:

$$F_2^m \approx F_2[x]_m \approx F_2[x]/(P(x)) \approx F_{2^m} \approx \{0\} \cup \{1, \alpha, \ldots, \alpha^{2^m-1}\}.$$

It follows from this lemma that we can represent the nonzero elements of a finite field $F_{2^m}$ by the nonzero vectors of $F_2^m$, and that the $\alpha^i$ have as representatives $x^i \bmod P(x)$; consequently $\alpha^i = x^i \bmod P(x)$. In what follows we denote by $\alpha$ a primitive element of $F_{2^m}$.

#### **2.2 Principle of error-correcting codes**

In order to transmit a message, it must be coded: this consists in temporarily giving it a certain form, and the coding mode depends on the means of transmission. The transmission can be disturbed by noise, hence the need for a coding which allows the receiver to recover the initial message even if it has been altered. Such coding is called channel coding.

The principle of error-correcting codes is to add to a message to be transmitted additional information, called redundant or control information, so that transmission errors can be detected and corrected. This operation is called coding and its result is a code word; each message is therefore associated with a code word of length greater than that of the message.

The code is the set of code words thus obtained. We assume that all messages are words of the same length $k > 0$, written using an alphabet $F$ of $q$ elements. Each message $(x_0, x_1, \ldots, x_{k-1})$ is an element of the set $F^k$ (message space). We then have $q^k$ possible messages. We assume that all the code words are of the same length $n > k$. Encoding $m$ messages of length $k$, $m \le q^k$, consists in choosing an integer $n > k$ and associating with each message from $F^k$ a word from $F^n$ (injectively). The coding introduces a redundancy equal to $n - k$. Decoding consists, on receiving a word $x$ of $F^n$, in determining whether $x$ is a code word and, if not, in correcting it thanks to the redundancy. This is done using the Hamming distance.

Definition (Hamming distance)

Let $x = (x_0, x_1, \ldots, x_{n-1}) := x_0 x_1 \ldots x_{n-1}$ and $y = (y_0, y_1, \ldots, y_{n-1}) := y_0 y_1 \ldots y_{n-1}$ be two words of $F^n$. We call the Hamming distance between the words $x$ and $y$, noted $d_H(x, y) = d(x, y)$, the number of indices $i \in \{0, 1, 2, \ldots, n-1\}$ such that $x_i \ne y_i$. We call the Hamming weight of a word $x$ the number of nonzero components of $x$, and we note $w(x) = d(x, 0)$.

Definitions

We call the minimum distance of a code $C$ the integer $d = \min\{d(m, m'),\ m \in C,\ m' \in C,\ m \ne m'\}$. We call the weight of a word $x$ of the code $C$ the integer $w(x) = d(x, 0)$.

Proposition (correction capacity)

Let $C$ be a code of minimum distance $d$, and $x \in F^n$ a received message affected by $r$ errors, with $r \ge 1$.

1. If $2r < d$, that is to say $r \le \lfloor \frac{d-1}{2} \rfloor$, the code $C$ corrects the $r$ errors.

2. If $\lfloor \frac{d-1}{2} \rfloor < r = \frac{d}{2}$, the code $C$ detects the existence of the $r$ errors but cannot always correct them.

3. If $\frac{d}{2} < r \le d - 1$, the code $C$ detects the existence of the $r$ errors but risks making an erroneous correction.

The integer $t = \lfloor \frac{d-1}{2} \rfloor$ is called the correction capability of the code; we also say that $C$ is a $t$-corrector code.

Proof

Let $m$ be the code word transmitted and $x$ the message received, affected by $r$ errors; then $d(m, x) = r$.

1. We show that the code word $m$ is the only code word such that $d(m, x) \le r$. Otherwise there exists $m'$ in $C$ such that $d(m', x) \le r$, and we have $d(m, m') \le d(m, x) + d(x, m') \le 2r < d$, hence $m = m'$.

2. There is no code word $m'$ of $C$ such that $d(x, m') < d(m, x) = r$, but the code word $m$ is not necessarily the only one satisfying $d(m, x) = r$. Indeed, let $m = m_1 m_2 \ldots m_n$ and $m' = m'_1 m'_2 \ldots m'_n$ be two code words at distance $d = 2r$, differing, say, in their first $2r$ positions; if we receive the message $x = m_1 m_2 \ldots m_r\, m'_{r+1} \ldots m'_n$, we have $d(x, m) = d(x, m') = r$.

3. We know there is an error because $x \notin C$, but there may be a code word $m' \in C$ such that $d(m', x) < d(m, x) = r$.

The most used codes are the linear codes, which we discuss in the next part.

#### **2.3 Linear codes**

Definitions

A linear code $C$ of length $n$ and dimension $k$ over the finite field $F_q$ is a vector subspace of $F_q^n$. We note it $[n, k, d]_q$, with $d$ its minimum distance.

Linear codes are codes in which each code word $y$ is obtained by a linear transformation of the components of the initial word (information) $x$.

A linear code is characterized by its generator matrix $G$; we have $C = \{y = xG \,/\, x \in F_q^k\}$.

Let $H$ be an $(n-k) \times n$ matrix with coefficients in $F_q$. $H$ is called the parity control matrix of $C$ if "$x \in C \Leftrightarrow Hx^t = 0$".

$F_q^k$: the message space.

The systematic code

The matrix $G$ defines a bijective function $F_q^k \to C$, $x \mapsto xG$, by which we represent the $q^k$ messages of length $k$ by code words of length $n$.

The generator matrix $G$ of a code $C$ is not unique; $G$ can be transformed into $G' = (I_k \mid A)$, with $I_k$ the identity matrix of order $k$ and $A$ a matrix of $k$ lines and $n-k$ columns.

$G$ and $G'$ generate the same subspace $C$; $G'$ is called the canonical generator matrix, and if the generator matrix of a code is of the form $G = (I_k \mid A)$, this code is said to be systematic.

Theorem

Let $C$ be an $[n, k]_q$ linear code.

1. If $G$ is a generator matrix of $C$ and $H$ a parity control matrix of $C$, then $GH^t = 0$.

2. If $G$ is a $k \times n$ matrix of rank $k$ and $H$ is an $(n-k) \times n$ matrix of rank $n-k$ such that $GH^t = 0$, then: $H$ is a parity control matrix of $C$ if and only if $G$ is a generator matrix of $C$.

Proof

1. We know that $xH^t = 0$ for all $x \in C$; in particular $G_i H^t = 0$ for all $i = 1 \ldots k$, with $G_i$ the $i$-th line of $G$. It follows that $GH^t = 0$.

2. $\Rightarrow$) Since $GH^t = 0$, we have $G_i H^t = 0$ for all $i = 1 \ldots k$, and since $H$ is a parity control matrix of $C$, the $G_i$ belong to $C$. As $\operatorname{rg}(G) = k$, $\{G_i,\ i = 1 \ldots k\}$ constitutes a basis of $C$. It follows that $G$ is a generator matrix of $C$.

$\Leftarrow$) We have $y \in C$ if and only if there exists $x \in F_q^k$ such that $y = xG$; then $y \in C$ implies $yH^t = xGH^t = 0$. Conversely, the set of $y$ with $yH^t = 0$ is a subspace of dimension $n - \operatorname{rg}(H) = k$ which contains $C$, hence is equal to $C$. Then $H$ is a parity control matrix of $C$.

In the case of a systematic code, we have the following corollary.

Corollary

Let $C$ be an $[n, k]_q$ linear code.

1. If $G = (I_k \mid A)$ is a canonical generator matrix of $C$, then $H = (-A^t \mid I_{n-k})$ is a parity control matrix of $C$.

2. If $H = (B \mid I_{n-k})$ is a parity control matrix of $C$, then $G = (I_k \mid -B^t)$ is a generator matrix of $C$.

Proof

By applying the preceding theorem:

1. We have $GH^t = (I_k \mid A)(-A^t \mid I_{n-k})^t = -A + A = 0$; if $G$ is a generator matrix of $C$, then $H$ is a parity control matrix of $C$.

2. We have $GH^t = (I_k \mid -B^t)(B \mid I_{n-k})^t = B^t - B^t = 0$; then if $H$ is a parity control matrix of $C$, $G$ is a generator matrix of $C$.

Encoding and decoding

The coding is obtained by applying the generator matrix. Decoding consists in applying the control matrix to the received message: if the result is $0$ then the message is valid, otherwise we look for the errors and correct them. $Hx^t$ is called the syndrome. Suppose the word $x$ is sent through a noisy channel and the word received is $y$; the error vector is then $e = y - x$.

Given $y$, the decoder must decide which word $x$ of the code has been transmitted (which error vector?). For a vector $u$ and a code $C$ we call a coset class of $C$ the set $u + C = \{u + c,\ c \in C\}$. A representative of minimum weight of a class of $C$ is called a leader of this class.

Theorem

Let $C$ be an $[n, k, d]_q$ linear code; then:

1. $u$ and $v$ are in the same coset class of $C$ if and only if $u - v \in C$.

2. Any vector of $F_q^n$ is in a coset of $C$.

3. Given two coset classes, they are either disjoint or identical.

Proof

1. If $u, v \in x + C$ then there exist $y, z \in C$ such that $u = x + y$ and $v = x + z$, so $u - v = y - z \in C$, because $C$ is a vector subspace of $F_q^n$. If $u - v \in C$, there exists $x \in C$ such that $u - v = x$, so $u = v + x \in v + C$, and we have $v = v + 0 \in v + C$.

2. Let $a \in F_q^n$; since $0 \in C$, $a = a + 0 \in a + C$.

3. Suppose that $(a + C) \cap (b + C) \ne \emptyset$; then there exists $v \in F_q^n$ such that $(a + C) \cap (b + C)$ contains the element $v$, so there exist $x, y \in C$ such that $v = a + x = b + y$, hence $b = a + x - y$ and $a = b + y - x$. For all $b + c \in b + C$ we have $b + c = a + x - y + c \in a + C$ (so $b + C \subset a + C$). For all $a + c \in a + C$ we have $a + c = b + y - x + c \in b + C$ (so $a + C \subset b + C$), hence $b + C = a + C$.
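As an added example (not code from the chapter), the following Python builds a small systematic $[6,3]_2$ code from a constructed matrix $A$, derives $H = (A^t \mid I_{n-k})$ as in the corollary above, checks $GH^t = 0$, and decodes by coset leaders exactly as the coset theorem suggests: every vector of $F_2^n$ falls in one coset, identified by its syndrome, and subtracting that coset's leader returns a code word.

```python
"""Added example, not from the chapter: a systematic [6,3]_2 code with G = (I_k | A),
its parity control matrix H = (A^t | I_{n-k}) from the corollary of 2.3, and
standard-array (coset leader) decoding.  The matrix A is a constructed sample;
all arithmetic is over F_2, where -A^t = A^t."""
from itertools import product

A = [[1, 1, 0],          # constructed k x (n-k) block, k = 3, n - k = 3
     [0, 1, 1],
     [1, 0, 1]]

def identity(k):
    return [[int(i == j) for j in range(k)] for i in range(k)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def generator_matrix(A):
    """Canonical generator matrix G = (I_k | A)."""
    return [i_row + a_row for i_row, a_row in zip(identity(len(A)), A)]

def parity_control_matrix(A):
    """H = (-A^t | I_{n-k}); over F_2 the minus sign disappears."""
    At = transpose(A)
    return [at_row + i_row for at_row, i_row in zip(At, identity(len(At)))]

def vec_mat_f2(u, M):
    """Row vector times matrix over F_2."""
    return [sum(ui * M[i][j] for i, ui in enumerate(u)) % 2 for j in range(len(M[0]))]

def product_is_zero(G, H):
    """Theorem of 2.3: G H^t = 0 for a generator / parity control pair."""
    Ht = transpose(H)
    return all(not any(vec_mat_f2(g, Ht)) for g in G)

def encode(G, x):
    """y = x G."""
    return tuple(vec_mat_f2(list(x), G))

def syndrome(H, y):
    """(H y^t)^t as a row tuple; it is the same for every vector of one coset u + C."""
    return tuple(vec_mat_f2(list(y), transpose(H)))

def coset_leaders(H):
    """Scan F_2^n in increasing weight; the first vector met in each coset (keyed by
    its syndrome) is a minimum-weight representative, i.e. the class leader."""
    n = len(H[0])
    leaders = {}
    for w in range(n + 1):
        for u in product((0, 1), repeat=n):
            if sum(u) == w:
                leaders.setdefault(syndrome(H, u), u)
        if len(leaders) == 2 ** len(H):      # one leader per coset: q^(n-k) of them
            break
    return leaders

def decode(H, leaders, y):
    """Row of the standard array = coset of y; subtract its leader: x = y - e."""
    e = leaders[syndrome(H, y)]
    return tuple((yi - ei) % 2 for yi, ei in zip(y, e))

if __name__ == "__main__":
    G, H = generator_matrix(A), parity_control_matrix(A)
    print("G H^t = 0:", product_is_zero(G, H))
    leaders = coset_leaders(H)
    y = encode(G, (1, 0, 1))
    corrupted = list(y)
    corrupted[3] ^= 1                        # constructed single error at position 4
    print("sent", y, "received", tuple(corrupted), "decoded", decode(H, leaders, corrupted))
```

The code has minimum distance 3, so seven of the eight cosets have a leader of weight at most 1 and one coset needs a weight-2 leader, which is where the "cannot always correct" case of the correction-capacity proposition shows up.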

#### Principle

We construct the standard array of $C$, which is a matrix of $q^{n-k}$ lines and $q^k$ columns. It contains all the vectors of $F_q^n$; its first line corresponds to the words of $C$ with the vector $0$ on the left. The other lines represent the cosets $u_i + C$ with the class leader $u_i$ on the left. The procedure is as follows:

gives the position of the error written in binary in the form ⋯b3b2b1b0. We can

Let n <sup>¼</sup> <sup>q</sup> � 1 with q <sup>¼</sup> 2m et Fq½ � <sup>x</sup> ð Þ <sup>k</sup> The set of polynomials of degree strictly less than k on F2m . Let us build a length code n and dimension k. Let L ¼ ð Þ α1, α2, ⋯αn,

<sup>2</sup><sup>m</sup> <sup>¼</sup> <sup>α</sup><sup>i</sup>

1 1 … 1 *α*<sup>1</sup> *α*<sup>2</sup> … *α<sup>n</sup> :: ::* … *::*

By its structure, this code has a minimum distance of at least n � k þ 1, because two polynomials of degrees less than k distinct cannot be equal in addition to k � 1 positions. This distance is exactly equal to n � k þ 1, since the evaluation of a

F2m of the form n, k, n ½ � � k þ 1 <sup>q</sup> which can have both good transmission rate and

Reed-Solomon codes represent a special case of a slightly more general class

Let L ¼ ð Þ α1, α2, …α<sup>n</sup> a suite of n distinct elements of F2m and g zð Þ∈ F2m ½ � z a unit polynomial of degree r irreducible in F2m ½ � z . The irreducible binary Goppa code, its support L (generator vector) and its generator polynomial g noted Γð Þ L, g is the

<sup>2</sup> such that one of the following equivalent

called generalized Reed-Solomon codes GRS whose definition is as follows.

1

CCCCCA

The set of codes with the generator matrix G of the form

<sup>2</sup> … *α<sup>k</sup>*�<sup>1</sup> *<sup>n</sup>*

1

CCCCCA *:*

<sup>i</sup>¼<sup>1</sup> ð Þ <sup>x</sup> � <sup>α</sup><sup>i</sup> his weight is n � <sup>k</sup> <sup>þ</sup> 1. So we have a code on

Each word of the code is the evaluation of a function f of Fq½ � <sup>x</sup> ð Þ <sup>k</sup> on L then, we

<sup>i</sup>¼<sup>1</sup>bi2i and ej the vector of which only

, i <sup>¼</sup> <sup>1</sup>…<sup>n</sup> � �, with <sup>α</sup> primitive of F2m .

<sup>2</sup><sup>m</sup> et ð Þ α1, α2, ⋯αn, a vector of length n

is called the family of generalized Reed-

then correct y <sup>¼</sup> y1⋯yn like x <sup>þ</sup> ej for j <sup>¼</sup> <sup>P</sup><sup>n</sup>

*DOI: http://dx.doi.org/10.5772/intechopen.93782*

*The Security of Cryptosystems Based on Error-Correcting Codes*



When the word $y$ is received, we look for its position in the standard array. The decoder then decides that the error vector $e$ is the class leader located in the first column of the row containing $y$, and decodes $y$ as $x = y - e$, that is, it chooses the codeword in the first row of the same column as $y$.

#### Remark

The standard array provides nearest-neighbour decoding. Note that this process is too slow and too expensive in memory for large codes. In practice, each code has, through its structure, a decoding algorithm of its own.

#### **2.4 The hamming code**

A Hamming code with redundancy $r$ ($r \geq 2$) is the linear $[2^r - 1,\; 2^r - 1 - r]_2$ code whose parity check matrix $H$ is an $r \times (2^r - 1)$ matrix whose columns are all the nonzero vectors of $\mathbb{F}_2^r$.

Theorem

The minimum distance of the Hamming $[2^r - 1,\; 2^r - 1 - r]_2$ code is $d = 3$ (it therefore corrects a single error).

Proof

This code contains no element of weight 1 or 2; otherwise a column of $H$ would be zero, or two columns of $H$ would be identical. There exists $x \in C$ with $w(x) = 3$: indeed, by definition of the parity check matrix $H$ (columns ordered as binary numbers), its first three columns are

$$H = \begin{pmatrix} 0 & 0 & 0 & \dots \\ \vdots & \vdots & \vdots & \\ 0 & 0 & 0 & \dots \\ 0 & 1 & 1 & \dots \\ 1 & 0 & 1 & \dots \end{pmatrix},$$

so the vector $x = (1110\cdots0)$ has weight $w(x) = 3$ and belongs to $C$ because $Hx^t = 0$.

Decoding

The syndrome of a vector $x$ of which only the $j$-th component is nonzero is none other than the transpose of the $j$-th column of $H$. If the columns of $H$ are ordered in increasing order as binary numbers, the $j$-th column corresponds to the binary representation of $j$, hence the following decoding algorithm:

Let $y$ be a received message; we compute $Hy^t$. If $Hy^t = 0$, then $y$ corresponds to the transmitted message. If $Hy^t \neq 0$ and assuming there is only one error, $Hy^t$ directly gives the position of the error, written in binary in the form $\cdots b_3 b_2 b_1 b_0$. We can then correct $y = y_1 \cdots y_n$ as $x = y + e_j$ with $j = \sum_i b_i 2^i$, where $e_j$ is the vector whose only nonzero coordinate is the $j$-th.

#### **2.5 The Reed-Solomon codes**

Principle


*Cryptography - Recent Advances and Future Developments*


Let $n = q - 1$ with $q = 2^m$, and let $\mathbb{F}_q[x]_{(k)}$ be the set of polynomials of degree strictly less than $k$ over $\mathbb{F}_{2^m}$. Let us build a code of length $n$ and dimension $k$. Let $L = (\alpha_1, \alpha_2, \dots, \alpha_n)$ be a vector formed of the distinct elements of $\mathbb{F}_{2^m}^{*} = \{\alpha^i,\ i = 1, \dots, n\}$, with $\alpha$ primitive in $\mathbb{F}_{2^m}$. Each word of the code is the evaluation on $L$ of a function $f$ of $\mathbb{F}_q[x]_{(k)}$; we then have a code of length $n$ and dimension $k$ with generator matrix

$$G = \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_1 & \alpha_2 & \dots & \alpha_n \\ \vdots & \vdots & & \vdots \\ \alpha_1^{k-1} & \alpha_2^{k-1} & \dots & \alpha_n^{k-1} \end{pmatrix}.$$

By its structure, this code has a minimum distance of at least $n - k + 1$, because two distinct polynomials of degree less than $k$ cannot agree on more than $k - 1$ positions. This distance is exactly $n - k + 1$, since the evaluation of a polynomial of the form $\prod_{i=1}^{k-1}(x - \alpha_i)$ has weight $n - k + 1$. So we have a code over $\mathbb{F}_{2^m}$ with parameters $[n, k, n - k + 1]_q$, which can have both a good transmission rate and a good correction ability.
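As an added illustration of the construction above (example code written for this chapter, not the author's), the following builds the Reed-Solomon generator matrix over $\mathbb{F}_8$ ($m = 3$, $n = 7$, $k = 3$) and checks by enumerating all $q^k$ codewords that the minimum distance is exactly $n - k + 1$. The field is modelled with the primitive polynomial $x^3 + x + 1$, which is my choice, and all helper names are mine.

```python
"""Added example (not the chapter's code): Reed-Solomon code of section 2.5 over
F_8, i.e. m = 3, n = q - 1 = 7, k = 3, with an exhaustive minimum-distance check."""
from itertools import product

M = 3
Q = 1 << M            # q = 2^m = 8
N = Q - 1             # n = q - 1 = 7
PRIM_POLY = 0b1011    # x^3 + x + 1, primitive over F_2 (my choice of field model)


def build_tables():
    """Antilog/log tables of F_8 generated by the primitive element alpha = x."""
    exp, log = [0] * N, [0] * Q
    a = 1
    for i in range(N):
        exp[i], log[a] = a, i
        a <<= 1
        if a & Q:             # reduce modulo the primitive polynomial
            a ^= PRIM_POLY
    return exp, log


EXP, LOG = build_tables()


def gf_mul(x, y):
    """Multiplication in F_8 via discrete logarithms (0 absorbs)."""
    if x == 0 or y == 0:
        return 0
    return EXP[(LOG[x] + LOG[y]) % N]


def gf_pow(x, e):
    return 1 if e == 0 else EXP[(LOG[x] * e) % N]


def rs_generator_matrix(k):
    """Rows (alpha_1^i, ..., alpha_n^i) for i < k on the support L = (alpha^1, ..., alpha^n)."""
    support = [EXP[j % N] for j in range(1, N + 1)]   # alpha^1 .. alpha^7, alpha^7 = 1
    return [[gf_pow(alpha_j, i) for alpha_j in support] for i in range(k)]


def encode(G, f):
    """Codeword f G: the evaluation on L of f(x) = f_0 + f_1 x + ... + f_{k-1} x^{k-1}."""
    word = [0] * len(G[0])
    for coeff, row in zip(f, G):
        for j, g_ij in enumerate(row):
            word[j] ^= gf_mul(coeff, g_ij)
    return word


def weight(word):
    return sum(1 for c in word if c)


def min_distance(G):
    """Minimum weight over all q^k - 1 nonzero codewords (for a linear code d = min weight)."""
    k = len(G)
    return min(weight(encode(G, f)) for f in product(range(Q), repeat=k) if any(f))


if __name__ == "__main__":
    G = rs_generator_matrix(3)
    print("d =", min_distance(G), " n - k + 1 =", N - 3 + 1)
    # (x - alpha)(x - alpha^2) = x^2 + (alpha + alpha^2) x + alpha^3 vanishes at two
    # support points, so its codeword has weight exactly n - k + 1 = 5.
    print("weight of (x - a)(x - a^2):", weight(encode(G, [EXP[3], EXP[1] ^ EXP[2], 1])))
```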

Remark

Reed-Solomon codes are a special case of a slightly more general class, the generalized Reed-Solomon (GRS) codes, defined as follows.

Definition

Let $v = (v_1, v_2, \dots, v_n)$ be a vector of length $n$ in $\mathbb{F}_{2^m}^{*}$ and $(\alpha_1, \alpha_2, \dots, \alpha_n)$ a vector of length $n$ in $\mathbb{F}_{2^m}^{*}$, with the $\alpha_i$ pairwise distinct.

The set of codes with generator matrix $G$ of the form

$$G = \begin{pmatrix} v_1 & v_2 & \dots & v_n \\ v_1\alpha_1 & v_2\alpha_2 & \dots & v_n\alpha_n \\ \vdots & \vdots & & \vdots \\ v_1\alpha_1^{k-1} & v_2\alpha_2^{k-1} & \dots & v_n\alpha_n^{k-1} \end{pmatrix}$$

is called the family of generalized Reed-Solomon codes.

#### **2.6 The classical Goppa codes**

Definition

Let $L = (\alpha_1, \alpha_2, \dots, \alpha_n)$ be a sequence of $n$ distinct elements of $\mathbb{F}_{2^m}$ and $g(z) \in \mathbb{F}_{2^m}[z]$ a monic polynomial of degree $r$, irreducible in $\mathbb{F}_{2^m}[z]$. The irreducible binary Goppa code with support $L$ (generator vector) and generator polynomial $g$, denoted $\Gamma(L, g)$, is the set of words $a = (a_1, \dots, a_n) \in \mathbb{F}_2^n$ such that one of the following equivalent characterizations holds:

$$1.\quad R_a(z) = \sum_{i=1}^{n} \frac{a_i}{z - \alpha_i} = 0 \bmod g(z)$$

$$2.\quad Ha^t = 0 \quad \text{with} \quad H = \begin{pmatrix} 1 & 1 & \dots & 1 \\ \alpha_1 & \alpha_2 & \dots & \alpha_n \\ \vdots & \vdots & & \vdots \\ \alpha_1^{r-1} & \alpha_2^{r-1} & \dots & \alpha_n^{r-1} \end{pmatrix} \begin{pmatrix} g(\alpha_1)^{-1} & & \\ & \ddots & \\ & & g(\alpha_n)^{-1} \end{pmatrix}$$


$$3.\quad g(z) \ \text{divides} \ \frac{d\sigma_a(z)}{dz}, \quad \text{where } \sigma_a(z) = \prod_{i=1}^{n}(z - \alpha_i)^{a_i} \text{ is the locator polynomial.}$$

The construction of a code Goppa:

A Goppa code is a linear code over the field $\mathbb{F}_2$, but its construction requires the use of an extension $\mathbb{F}_{2^m}$. Each element of the matrix $H$ is then broken down into $m$ elements of $\mathbb{F}_2$ placed in a column, using a projection of $\mathbb{F}_{2^m}$ onto $\mathbb{F}_2^m$; we go from an $r \times n$ matrix over $\mathbb{F}_{2^m}$ to an $rm \times n$ matrix over $\mathbb{F}_2$. So it is a code of length $n = |L|$ and dimension $k = n - mr$, with minimum distance at least $d = r + 1$. Indeed, the parity check matrix $H$ is the product of a Vandermonde matrix and an invertible matrix, so every $r \times r$ square submatrix of $H$ is invertible, and hence there are no codewords of weight less than or equal to $r$.

The decoding of a Goppa code:

Several techniques exist to decode Goppa codes, but they all work on the same principle. Let $c' = c + e$ with $w(e) < r/2$. We start by computing the syndrome $R_{c'}(z)$ over $\mathbb{F}_{2^m}$; from this syndrome we write a key equation, and we finish the decoding by solving the key equation to find $e$.

If $R_a(z) = 0$ the word belongs to the code.

The key equation

Let $\sigma_e(z) = \prod_{i=1}^{n}(z - \alpha_i)^{e_i}$, of degree $< r/2$. We introduce the polynomial $w_e(z) = \sigma_e(z) R_e(z) \bmod g(z)$, called the evaluator polynomial.

$$\sigma_e(z) R_e(z) = \sum_{i=1}^{n} \frac{e_i}{z - \alpha_i} \prod_{j=1}^{n} (z - \alpha_j)^{e_j} \bmod g(z) = \sum_{i=1}^{n} e_i \prod_{\substack{j=1 \\ j \neq i}}^{n} (z - \alpha_j)^{e_j} \bmod g(z).$$

We can solve the key equation in two different ways: the Berlekamp-Massey algorithm and the extended Euclidean algorithm. The latter has the advantage of being easier to present. Indeed, we seek $w_e$ and $\sigma_e$ of degree $< r/2$ such that $w_e(z) = \sigma_e(z) R_e(z) \bmod g(z) = \sigma_e(z) R_e(z) + k(z) g(z)$. If we compute the gcd of $(g, R_e)$ with the extended Euclidean algorithm, at each step we obtain polynomials $u_i, v_i, r_i$ satisfying $R_e u_i + g v_i = r_i$. At each step the polynomials $u_i$ and $v_i$ have degree $< i$ and the degree of $r_i$ is $r - i$. There is therefore a step $i_0$ at which, if we stop the algorithm, we find a solution of the equation: $\sigma_e = u_{i_0}$ and $w_e = r_{i_0}$, up to a scalar factor.

#### **3. Encryption/decryption systems**

#### **3.1 The basic system (McEliece)**

We start by generating a linear $[n, k, d]_q$ code from a well-chosen family, together with its generator matrix $G$. We are going to scramble this matrix to make it indistinguishable from a random matrix, so we need a permutation matrix $P$ of size $n \times n$ (having a single 1 in each row and each column and 0 elsewhere) and an invertible matrix $S$ of size $k \times k$ ($S$ is the scrambler). The public key will be $G' = SGP$, which is indistinguishable from a random matrix (the definition of a random matrix follows from the definition of a random code, introduced in section four). Knowledge of $S$, $P$ and $G$ allows us to recover the structure of the design code and provides us with the decoding algorithm.

#### *3.1.1 The algorithms of the McEliece system*


We cite the component algorithms of the McEliece cryptosystem [4].

The generation of keys

Input: A family of linear $[n, k, d]_q$ codes chosen for the design.

Procedure: Choose a generator matrix $G$ in systematic form of the design code. Choose an invertible matrix $S$ of size $k \times k$ with coefficients in $\mathbb{F}_q$. Choose a permutation matrix $P$ of size $n \times n$. Compute $G' = SGP$.

Output: The public key $G'$. The private key $(S, G, P)$.

Encryption of the plaintext

Input: The public key $G'$. The plaintext $x \in \mathbb{F}_q^k$.

Procedure: Choose a vector $e \in \mathbb{F}_q^n$ (an error) of weight less than or equal to the correction capacity of the design code. Compute $y = xG' + e$.

Output: The ciphertext $y$.

Decryption of the ciphertext

Input: The ciphertext $y$. The private key $(S, G, P)$.

Procedure: Compute $u = yP^{-1}$. Compute $x' = f_G(u)$, with $f_G$ the decoding algorithm of the design code whose generator matrix is $G$. Compute $x = x'S^{-1}$.

Output: The plaintext $x$.

Remark

The use of a binary Goppa code as the secret key was initially proposed by McEliece in his original version, where he took the following parameters: $m = 10$, $n = 2^m = 1024$, $r = 50$, $k = n - mr = 524$. So far this choice seems perfectly safe, but it is not used in practice because the size of its public key is very large.

Example

We use the Hamming code with generator matrix

$$G = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 0 & 0 & 1 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 \end{pmatrix}$$

and parity check matrix

$$H = \begin{pmatrix} 1 & 0 & 1 & 1 & 1 & 0 & 0 \\ 0 & 1 & 1 & 1 & 0 & 1 & 0 \\ 1 & 1 & 0 & 1 & 0 & 0 & 1 \end{pmatrix}.$$

The generation of keys

Let the private key be $(S, G, P)$ with

$$S = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{pmatrix} = S^{-1}, \quad P = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{pmatrix}, \quad P^{-1} = \begin{pmatrix} 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 \end{pmatrix}.$$

The public key:

$$G' = SGP = \begin{pmatrix} 0 & 1 & 0 & 0 & 1 & 1 & 1 \\ 1 & 0 & 0 & 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 1 & 1 & 1 \end{pmatrix}.$$

Encryption

Let the plaintext be $x = (0110)$ and the error vector $e = (0010000)$. The ciphertext is $y = xG' + e = (0111000) + (0010000) = (0101000)$.

Decryption

We decipher the received text $y = (0101000)$. We have $y = xG' + e = xSGP + e$, so $y' = yP^{-1} = xSG + eP^{-1} = (1100000)$. Then $Hy'^t = (1, 1, 0)^t$, so the error is in the third position, hence $u = (1110000) = xSG$. And since $G$ is the generator matrix of a systematic code, $xS = (1110)$, so $x = (1110)S^{-1} = (0110)$, the plaintext sought.


#### **3.2 The Niederreiter variant**

plaintext sought.

Let $C$ be a linear $t$-error-correcting code of length $n$ and dimension $k$, and let $H$ be a parity check matrix of $C$, of size $(n - k) \times n$. We randomly choose an invertible matrix $S$ and a permutation matrix $P$, and compute $H' = SHP$. Then $H'$ is the public key and $(S, H, P)$ the private key, together with a syndrome decoding algorithm for $C$. Let $x$ be a plaintext of length $n$ and weight $t$; we compute the ciphertext $y = H'x^t$. The recipient, who knows the secret key, can compute $S^{-1}y = HPx^t$. Using the syndrome decoding algorithm of $C$, he finds $Px^t$ and, applying $P^{-1}$, recovers the plaintext $x$.

The algorithms of the Niederreiter cryptosystem [5]

The generation of keys

Input: A linear $[n, k, d]_q$ code is chosen for the design, of which we know a syndrome decoding algorithm.

Procedure:


Choose a parity check matrix $H$ of the design code. Choose an invertible matrix $S$ of size $k$ with coefficients in $\mathbb{F}_q$. Choose a permutation matrix $P$ of size $n \times n$. Compute $H' = SHP$.

Output: The public key $H'$. The private key $(S, H, P)$.

Encryption

Input: The public key $H'$. The plaintext $x \in \mathbb{F}_q^n$ of weight less than or equal to the correction capacity.

Procedure: Compute $y = H'x^t$.

Output: The ciphertext $y$.

Decryption

Input: The private key $(S, H, P)$. The ciphertext $y$.

Procedure: Compute $y' = S^{-1}y$. Compute $x' = f_H(y')$, with $f_H$ the syndrome decoding algorithm of the code whose parity check matrix is $H$. Compute $x = x'P^{-1}$.

Output: The plaintext $x$.

Remark
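The McEliece steps and the Example of 3.1.1 above, together with the Niederreiter procedure just given, as one added Python example on the same [7,4] Hamming code (written for this chapter, not the author's code). It uses the Example's $G$, $H$, $S$, $P$, $x$ and $e$ and the single-error syndrome decoder of section 2.4 as the private decoding algorithm; the $3 \times 3$ Niederreiter scrambler $S_N$ and all helper names are mine.

```python
"""Added example, not the chapter's code: McEliece (3.1.1) and Niederreiter (3.2)
over the [7,4] Hamming code, using the single-error syndrome decoder of section
2.4 as the private decoding algorithm. G, H, S, P, x, e are the chapter's Example
values; the 3x3 Niederreiter scrambler S_N is constructed here."""


def bits(s):
    """Parse rows written as '1000101 0100011 ...' into a list-of-lists matrix."""
    return [[int(ch) for ch in row] for row in s.split()]

def mat_vec(x, M):
    """Row vector x times matrix M over GF(2)."""
    return [sum(x[i] & M[i][j] for i in range(len(M))) % 2 for j in range(len(M[0]))]

def mat_mul(A, B):
    return [mat_vec(row, B) for row in A]

def vec_add(a, b):
    return [u ^ v for u, v in zip(a, b)]

def transpose(M):
    return [list(col) for col in zip(*M)]

def syndrome(H, y):
    """H y^t as a plain list (computed as y H^t)."""
    return mat_vec(y, transpose(H))

def hamming_decode(H, y):
    """Section 2.4: with a single error the syndrome equals the column of H at the
    error position. Returns (codeword, error position or None)."""
    s = syndrome(H, y)
    if not any(s):
        return list(y), None
    j = transpose(H).index(s)   # ValueError here means more than one error
    c = list(y)
    c[j] ^= 1
    return c, j

# Chapter's Example: systematic G and parity check H of the [7,4] Hamming code,
# scrambler S (the chapter notes S = S^-1) and permutation P (inverse = transpose).
G = bits("1000101 0100011 0010110 0001111")
H = bits("1011100 0111010 1101001")
S = bits("1000 0101 1011 0001")
P = bits("0100000 0001000 0010000 1000000 0000001 0000100 0000010")
S_INV, P_INV = S, transpose(P)
S_N = bits("110 010 001")   # constructed 3x3 scrambler, also its own inverse

def mceliece_keygen(S, G, P):
    """Public key G' = S G P. Multiplied out, row 1 is 0100011 (the chapter
    prints 0100111); the Example only uses rows 2 and 3, so it is unaffected."""
    return mat_mul(mat_mul(S, G), P)

def mceliece_encrypt(G_pub, x, e):
    """y = x G' + e, with e of weight at most the correction capacity (1 here)."""
    return vec_add(mat_vec(x, G_pub), e)

def mceliece_decrypt(y, S_inv, G, H, P_inv):
    """u = y P^-1 = xSG + eP^-1; decode u in the Hamming code; then undo S."""
    u = mat_vec(y, P_inv)
    xSG, _ = hamming_decode(H, u)
    xS = xSG[:len(G)]           # G is systematic, so the first k bits are xS
    return mat_vec(xS, S_inv)

def niederreiter_keygen(S_N, H, P):
    """Public key H' = S_N H P; private key (S_N, H, P)."""
    return mat_mul(mat_mul(S_N, H), P)

def niederreiter_encrypt(H_pub, x):
    """y = H' x^t for a plaintext x of weight at most the correction capacity."""
    return syndrome(H_pub, x)

def niederreiter_decrypt(y, S_N_inv, H, P):
    """S_N^-1 y = H (P x^t); syndrome-decode to recover P x^t; then apply P^-1."""
    s = mat_vec(y, transpose(S_N_inv))   # column vector S_N^-1 y as a list
    px = [0] * len(H[0])
    if any(s):
        px[transpose(H).index(s)] = 1    # P x^t is the unit vector at that position
    return mat_vec(px, P)                # x^t = P^-1 (P x^t)  <=>  x = px (P^-1)^t = px P

def worked_example():
    """The chapter's numbers: x = 0110, e = 0010000 give y = 0101000, decrypting to x."""
    G_pub = mceliece_keygen(S, G, P)
    x, e = [0, 1, 1, 0], [0, 0, 1, 0, 0, 0, 0]
    y = mceliece_encrypt(G_pub, x, e)
    return G_pub, y, mceliece_decrypt(y, S_INV, G, H, P_INV)

if __name__ == "__main__":
    G_pub, y, x_rec = worked_example()
    print("y =", "".join(map(str, y)), "recovered x =", "".join(map(str, x_rec)))
```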

Reed-Solomon codes were originally proposed by Niederreiter as a family of codes that could be used in his cryptosystem. In 1992 Sidelnikov and Shestakov showed that it is easy to attack this cryptosystem [2].

#### **4. The security of cryptosystems based on correcting codes**

The security of cryptosystems based on error-correcting codes rests on the problem of distinguishing the (hidden) design code from a random code. We first give the following definitions:

• Code equivalence

Two codes are said to be equivalent if their generator matrices (respectively parity check matrices) are deduced from each other by a permutation of columns.

• Random code

A random code is a linear code whose $k$ linearly independent rows of the generator matrix (or the $n$ linearly independent columns of the parity check matrix) have been generated randomly.

The main parameter for securing a McEliece cryptosystem and its variants is then the structure of the code family chosen for the design, for which it is desirable that finding an equivalent code be difficult. Since the robustness of such a system lies in the difficulty of decoding and in the hidden structure of the design code, the attacker can attempt to attack the system by two methods: a decoding attack and a structural attack. The resistance of the system to these two attack methods depends on the family of codes chosen for the design. The choice of the code family is the essential point in the design of the cryptosystem.


#### **4.1 Decoding attack**

The attacker directly attempts to decode the ciphertext in the code $C$ (the public key being the generator matrix $G$ or the parity check matrix $H$); the principle consists of decoding the intercepted ciphertext relative to the public code using general decoding algorithms. We cite two decoding problems in a random code:

Problem 1

Given $G$ a random binary matrix of size $k \times n$, generator of a code $C$ of dimension $k$, $x$ a random word of $\mathbb{F}_2^n$ and $t$ a positive integer, find whether there is an error word $e$ of $\mathbb{F}_2^n$ such that $w(e) \leq t$ and $x + e \in C$.

Problem 2

Given $H$ a random binary parity-check matrix of size $(n - k) \times n$ of a code $C$ of dimension $k$, $s$ a random vector of $\mathbb{F}_2^{n-k}$ and $t$ a positive integer, find whether there is a word $x$ of $\mathbb{F}_2^n$ such that $w(x) \le t$ and $Hx^{\top} = s$.

Decoding in a random code is behind the following attacks:

• Information-set decoding algorithm

The principle is based on two steps: the selection of an information set and the search for a low-weight word. Several variants propose to optimize one or the other of these two steps.

Definition

Let $C$ be a linear code of length $n$ with generator matrix $G$. An information set $I$ is a subset of $\{1, 2, \ldots, n\}$ such that $G_I$, the $k \times k$ matrix formed by the columns of $G$ labeled by the elements of $I$, is invertible.

Remark

The matrix $(G_I \mid G_J)$ with $I \cup J = \{1, 2, \ldots, n\}$ is equivalent to $G$.

Algorithm

Input

$G$: a generator matrix of a code $C$.

$t$: a positive integer.

$y$: a word of $\mathbb{F}_2^n$ such that $d(y, C) \le t$.

Output

The pair $(x, e)$ such that $y = xG + e$ where $w(e) \le t$.

Procedure

Randomly draw an information set $I$ of the code $C$ (let $J$ be such that $I \cup J = \{1, 2, \ldots, n\}$).

Compute $R = G_I^{-1} G_J$.

Write $y = (y_I \mid y_J)$.

Compute $e_J = y_J - y_I R$.

Repeat the previous operations until an $e_J$ with $w(e_J) \le t$ is found.

Return $e = (0 \mid e_J)$ (coordinates written in the order $I \mid J$).

Determine the word $x$ such that $y - e = xG$.

Proof

We have $y = xG + e$ and $y = (y_I \mid y_J) = x(G_I \mid G_J) + (e_I \mid e_J)$. Hence $e_I = y_I - xG_I$ and $e_J = y_J - xG_J$.


If the information set $I$ contains no error position ($e_I = 0$), then, since $G_I$ is invertible, we obtain $y_I = xG_I$ and $e_J = y_J - y_I G_I^{-1} G_J$. Hence $e = (0 \mid y_J - y_I G_I^{-1} G_J)$ is the solution sought.

Remark


*Cryptography - Recent Advances and Future Developments*


We have $C_n^k$ possibilities to choose $k = |I|$ positions in $\{1, 2, \ldots, n\}$ ($|I|$ is the cardinality of $I$), and $C_{n-t}^k$ possibilities to choose $k = |I|$ positions among the $n - t$ positions where $e_i = 0$. So the probability of getting an information set $I$ with $e_I = 0$ is $p = C_{n-t}^k / C_n^k$, and the average number of iterations will be $1/p$.

Example

Let us try to attack the following system by this method. We have

$$G = \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \end{bmatrix}.$$

The ciphertext is $y = (10101011)$ and $t = 1$. We look for $(m, e)$ such that $mG + e = y$. Let $I = \{1, 5\} \subset \{1, 2, \ldots, 8\}$; then $G_I = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix} = G_I^{-1}$ and $G_J = \begin{bmatrix} 1 & 1 & 0 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 & 1 & 0 \end{bmatrix}$. We have $y_I = (1, 1)$ and $y_J = (0, 1, 0, 0, 1, 1)$. Then $e_J = y_J - y_I G_I^{-1} G_J = (001000)$, and it follows that $(e_I \mid e_J) = (00001000)$ in the order $I \mid J$ (that is, $e = (00010000)$ in the original coordinate order).

$$\begin{aligned} (y_I \mid y_J) + (e_I \mid e_J) &= (11010011) + (00001000) = (11011011) = m\,(G_I \mid G_J) \\ &= m \begin{bmatrix} 1 & 0 & 1 & 1 & 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 0 & 1 & 1 & 1 & 0 \end{bmatrix} \end{aligned}$$

then $m = (11)$.

• Decoding by the birthday paradox

Consider an instance of Problem 2, with a parity-check matrix $H$ of size $r \times n$, a syndrome $s$ and a weight $t$. If the weight $t$ is even, separate the columns of $H$ into two sets of the same size, $H_1$ and $H_2$, such that $H = (H_1 \mid H_2)$.

Let us build $L_1 = \{ H_1 e_1^{\top} : e_1 \text{ of length } n/2 \text{ and weight } t/2 \}$ and $L_2 = \{ s + H_2 e_2^{\top} : e_2 \text{ of length } n/2 \text{ and weight } t/2 \}$. The common elements of $L_1$ and $L_2$ are such that $H_1 e_1^{\top} = s + H_2 e_2^{\top}$, that is to say $(e_1 \mid e_2)$ is a solution of Problem 2.

The probability that one of the solutions splits into two equal parts of the parity-check matrix is $p = (C_{n/2}^{t/2})^2 / C_n^t$; to solve Problem 2 one has to repeat these operations $1/p$ times on different permutations of the public code.
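The list-matching procedure just described, as an added example that is not code from the chapter. It runs syndrome decoding by the birthday paradox over GF(2) on a constructed toy parity-check matrix (`H_TOY`, twelve 6-bit columns) for an even weight, repeating the split on random column permutations exactly as the text prescribes; `H_TOY`, `E_TRUE` and all function names are this example's own.

```python
"""Syndrome decoding by the birthday paradox (added example, GF(2)).
Vectors are Python ints used as bit masks (bit i = coordinate i); a parity-check
matrix is a list of column masks, so H e^T is the XOR of the columns selected by e."""
from itertools import combinations
from math import comb
import random

# Constructed toy instance: r = 6 rows, n = 12 columns, one planted error of weight 4.
H_TOY = [0b100101, 0b010011, 0b001110, 0b111000, 0b000111, 0b101010,
         0b010101, 0b110011, 0b001101, 0b100110, 0b011100, 0b111111]
E_TRUE = (1 << 1) | (1 << 5) | (1 << 8) | (1 << 10)


def syndrome(h_cols, e_mask):
    """H e^T: XOR of the columns of H at the positions set in e_mask."""
    s = 0
    for j, col in enumerate(h_cols):
        if e_mask >> j & 1:
            s ^= col
    return s


def birthday_decode(h_cols, s, t):
    """One split H = (H1 | H2): build L1 = {H1 e1^T} for all e1 of weight t/2 on the
    left half, then scan L2 = {s + H2 e2^T}; a match gives (e1 | e2) with H e^T = s.
    Returns the error mask, or None if no solution splits t/2 + t/2 on this ordering."""
    assert t % 2 == 0 and len(h_cols) % 2 == 0
    n = len(h_cols)
    half = n // 2
    h1, h2 = h_cols[:half], h_cols[half:]
    left = {}
    for pos in combinations(range(half), t // 2):
        e1 = sum(1 << p for p in pos)
        left.setdefault(syndrome(h1, e1), e1)        # keep one e1 per syndrome
    for pos in combinations(range(n - half), t // 2):
        e2 = sum(1 << p for p in pos)
        key = s ^ syndrome(h2, e2)                   # H1 e1^T = s + H2 e2^T
        if key in left:
            return left[key] | (e2 << half)
    return None


def birthday_decode_permuted(h_cols, s, t, rng=None, max_iter=1000):
    """Repeat birthday_decode on random column permutations of H, as the text
    says, mapping a found error back to the original column positions."""
    rng = rng or random.Random(1)
    n = len(h_cols)
    for _ in range(max_iter):
        perm = list(range(n))
        rng.shuffle(perm)
        e_perm = birthday_decode([h_cols[p] for p in perm], s, t)
        if e_perm is not None:
            e = 0
            for new_pos, old_pos in enumerate(perm):
                if e_perm >> new_pos & 1:
                    e |= 1 << old_pos
            return e
    return None


def split_probability(n, t):
    """p = (C(n/2, t/2))^2 / C(n, t): chance a given weight-t solution splits evenly."""
    return comb(n // 2, t // 2) ** 2 / comb(n, t)


if __name__ == "__main__":
    s = syndrome(H_TOY, E_TRUE)
    e = birthday_decode_permuted(H_TOY, s, 4)
    print(f"syndrome {s:06b}, found e={e:012b}, weight {bin(e).count('1')}, "
          f"expected repeats 1/p = {1 / split_probability(12, 4):.2f}")
```

Because `H_TOY` is a random-looking matrix with 64 syndromes and 495 weight-4 patterns, the solution is not unique, so the check to make is that the returned word has weight $t$ and the right syndrome, not that it equals the planted error.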

• The recovery of a plaintext encrypted twice by the same McEliece system

This is an active attack that only applies to the McEliece encryption system (because it is not deterministic) and does not apply to the Niederreiter system. Suppose the plaintext $x$ is encrypted in two different ways. We will have $y_1 = xG + e_1$ and $y_2 = xG + e_2$, where $e_1$ and $e_2$ are two distinct error vectors of weight $t$. We get the word $y_1 - y_2 = e_1 - e_2$, whose weight is less than or equal to $2t$. Once an attacker has detected that the two ciphertexts $y_1$ and $y_2$ correspond to the same plaintext, this information reduces the number of iterations of the information-set decoding algorithm. Message resending is detected by observing the weight of the sum of the two ciphertexts: if the two plaintexts are identical, the weight of the sum of the two ciphertexts remains less than or equal to $2t$ in general ($t$ being the correction capacity).


Algorithm

Input

$G$: the public key, of size $k \times n$.

Two words $y_1$ and $y_2$ such that $y_1 = xG + e_1$ and $y_2 = xG + e_2$, where $e_1$ and $e_2$ are two distinct error vectors of weight $t$.

Output

The plaintext $x$.

Procedure

Compute $y_1 - y_2$.

Randomly draw an information set $I \subset \{1, 2, \ldots, n\}$ that labels zero positions of $y_1 - y_2$.

Compute $e_J = y_J - y_I G_I^{-1} G_J$, where $y_1 = (y_I \mid y_J)$ and $I \cup J = \{1, 2, \ldots, n\}$. Repeat the previous operations until the weight of $e$ is $\le t$. Return $x = y_I G_I^{-1}$.

Example

Let us try to attack the system of the previous example by this method. Suppose a plaintext is encrypted in two ways with the public key

$$\mathbf{G} = \begin{bmatrix} \mathbf{1} & \mathbf{1} & \mathbf{1} & \mathbf{0} & \mathbf{0} & \mathbf{1} & \mathbf{0} & \mathbf{1} \\ \mathbf{0} & \mathbf{1} & \mathbf{0} & \mathbf{1} & \mathbf{1} & \mathbf{1} & \mathbf{1} & \mathbf{0} \end{bmatrix}.$$

$$y_1 = mG + e_1 = (11) \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \end{bmatrix} + (00010000) = (10101011).$$

$$y_2 = mG + e_2 = (11) \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 1 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 & 1 & 0 \end{bmatrix} + (00100000) = (10011011).$$

$$y_1 + y_2 = (00110000).$$

Draw an information set that labels zero positions of $y_1 + y_2$, say $I = \{7, 8\}$. Then $G_I = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix} = G_I^{-1}$ and $G_J = \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix}$; $y_1 = (10101011)$, $y_I = (11)$, $y_J = (101010)$.

$$e_J = y_J - y_I G_I^{-1} G_J = (101010) - (11) \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix} \begin{bmatrix} 1 & 1 & 1 & 0 & 0 & 1 \\ 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix} = (000100).$$

$$\begin{aligned} (y_I \mid y_J) + (e_I \mid e_J) &= (11101010) + (00000100) = (11101110) \\ &= m \begin{bmatrix} 0 & 1 & 1 & 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 0 & 1 & 0 & 1 & 1 & 1 \end{bmatrix} \end{aligned}$$

So we extract $m = (11)$.
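The information-set decoding algorithm of the Remark and Example above, and the twice-encrypted recovery just worked through, as one added Python example that is not code from the chapter. It runs over GF(2) (subtraction is XOR) on the chapter's toy public key, ciphertext and $t = 1$, held in `G_PUB`, `Y` and `T`; the function names (`prange_decode`, `expected_iterations`, `resend_detected`, `resend_recover`) and the second plaintext used to show a non-resend are this example's own. The decoder is the plain Prange variant (draw a set, invert $G_I$, test the weight of $e_J$), and the resend recovery is the same decoder with the candidate positions restricted to the zero positions of $y_1 + y_2$.

```python
"""Information-set (Prange) decoding and the message-resend check over GF(2).
Added example; vectors are lists/tuples of 0/1 ints, matrices are lists of rows."""
import random
from math import comb

# The chapter's toy instance: n = 8, k = 2, t = 1.
G_PUB = [[1, 1, 1, 0, 0, 1, 0, 1],
         [0, 1, 0, 1, 1, 1, 1, 0]]
Y = [1, 0, 1, 0, 1, 0, 1, 1]
T = 1


def gf2_inverse(M):
    """Invert a square 0/1 matrix over GF(2) by Gauss-Jordan; None if singular."""
    k = len(M)
    A = [list(row) + [int(r == c) for c in range(k)] for r, row in enumerate(M)]
    for col in range(k):
        piv = next((r for r in range(col, k) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        for r in range(k):
            if r != col and A[r][col]:
                A[r] = [a ^ b for a, b in zip(A[r], A[col])]
    return [row[k:] for row in A]


def gf2_matmul(A, B):
    return [[sum(a & B[l][j] for l, a in enumerate(row)) & 1
             for j in range(len(B[0]))] for row in A]


def vec_mat(v, M):
    return gf2_matmul([list(v)], M)[0]


def columns(M, idx):
    return [[row[j] for j in idx] for row in M]


def encrypt(G, m, e):
    """McEliece-style toy encryption y = mG + e (no hiding of G: G is the public key)."""
    return [a ^ b for a, b in zip(vec_mat(m, G), e)]


def prange_decode(G, y, t, allowed=None, rng=None, max_iter=10_000):
    """Return (x, e) with y = xG + e and w(e) <= t, or None.
    Information sets are drawn from `allowed` positions (default: all n)."""
    rng = rng or random.Random(0)
    k, n = len(G), len(G[0])
    pool = list(range(n)) if allowed is None else list(allowed)
    if len(pool) < k:
        return None
    for _ in range(max_iter):
        I = sorted(rng.sample(pool, k))
        J = [j for j in range(n) if j not in I]
        GI_inv = gf2_inverse(columns(G, I))
        if GI_inv is None:
            continue                                  # G_I singular: not an information set
        R = gf2_matmul(GI_inv, columns(G, J))         # R = G_I^{-1} G_J
        yI, yJ = [y[i] for i in I], [y[j] for j in J]
        eJ = [a ^ b for a, b in zip(yJ, vec_mat(yI, R))]   # e_J = y_J - y_I R
        if sum(eJ) <= t:
            e = [0] * n
            for pos, bit in zip(J, eJ):               # back to original coordinates
                e[pos] = bit
            return tuple(vec_mat(yI, GI_inv)), tuple(e)    # x = y_I G_I^{-1}
    return None


def expected_iterations(n, k, t):
    """1/p with p = C(n-t, k) / C(n, k), the chapter's estimate (it ignores
    the few error-free sets on which G_I happens to be singular)."""
    return comb(n, k) / comb(n - t, k)


def resend_detected(y1, y2, t):
    """A resend shows as w(y1 + y2) <= 2t; unrelated plaintexts give a much larger weight."""
    return sum(a ^ b for a, b in zip(y1, y2)) <= 2 * t


def resend_recover(G, y1, y2, t):
    """Recover x from two encryptions of it: only positions where y1 and y2 agree
    are allowed in the information set, so e_I = 0 holds on the first valid draw."""
    zeros = [i for i, (a, b) in enumerate(zip(y1, y2)) if a == b]
    res = prange_decode(G, y1, t, allowed=zeros)
    return None if res is None else res[0]


if __name__ == "__main__":
    print("ISD:", prange_decode(G_PUB, Y, T), "avg iterations", expected_iterations(8, 2, 1))
    y1 = encrypt(G_PUB, (1, 1), [0, 0, 0, 1, 0, 0, 0, 0])
    y2 = encrypt(G_PUB, (1, 1), [0, 0, 1, 0, 0, 0, 0, 0])
    print("resend?", resend_detected(y1, y2, T), "recovered", resend_recover(G_PUB, y1, y2, T))
```

For the toy code the minimum distance is 5, so with $t = 1$ every information set that yields $w(e_J) \le t$ returns the same $(x, e)$, which is why the randomized decoder is deterministic in its answer; the resend check is a single weight comparison on ciphertexts only, which is what makes reuse of a plaintext under fresh error vectors observable to anyone on the channel.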

#### **4.2 Structural attack**

The attacker tries to find a decomposition of the key $G' = S_1 G_1 P_1$ that allows it to build its own decoding algorithm. Succeeding in a structural attack generally amounts to finding a code equivalent to the public code for which a decoding algorithm is known. This attack depends exclusively on the structure of the key space. We quote here a successful attack on a McEliece system with a Reed-Solomon code as the design code.

• The attack of Sidelnikov and Shestakov

Sidelnikov and Shestakov showed [6] that generalized Reed-Solomon codes are so structured that a decoder for the public code can be found in polynomial time. The systematic form of the generator matrix of a *GRS* code can be obtained from the following proposition:

Proposition


Let

$$G = \begin{pmatrix} v_1 & v_2 & \cdots & v_n \\ v_1 \alpha_1 & v_2 \alpha_2 & \cdots & v_n \alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ v_1 \alpha_1^{k-1} & v_2 \alpha_2^{k-1} & \cdots & v_n \alpha_n^{k-1} \end{pmatrix}$$

be a generator matrix of a generalized Reed-Solomon code over $\mathbb{F}_{q^m}$. Then there is an invertible $k \times k$ matrix $S$ with coefficients in $\mathbb{F}_{q^m}$ and a matrix $R = (R_{ij})_{i = 1 \ldots k,\; j = k+1 \ldots n}$ such that $(I \mid R) = SG$ and

$$R_{ij} = \frac{v_j}{v_i} \prod_{\substack{s = 1 \\ s \neq i}}^{k} \frac{\alpha_j - \alpha_s}{\alpha_i - \alpha_s}.$$

Proof

For $i = 1, 2, \ldots, k$ we define the interpolation polynomial $f_i(x) = \prod_{s = 1,\, s \neq i}^{k} \frac{x - \alpha_s}{\alpha_i - \alpha_s} = \sum_{j = 1}^{k} f_{ij} x^{j-1}$ of degree $k - 1$, such that $f_i(\alpha_i) = 1$ and $f_i(\alpha_j) = 0$ for $j = 1, 2, \ldots, k$, $j \neq i$. We set $S = (f_{ij} / v_i)_{i = 1 \ldots k,\; j = 1 \ldots k}$.

The $i$-th row of the product $SG$ is $\left( f_i(\alpha_1) \frac{v_1}{v_i},\; f_i(\alpha_2) \frac{v_2}{v_i},\; \ldots,\; f_i(\alpha_n) \frac{v_n}{v_i} \right)$.

By construction of the polynomials $f_i$, the first $k$ columns of the matrix $SG$ form the identity matrix; therefore $S$ is invertible and $SG = (I \mid R)$, where $R = (R_{ij})$ and $R_{ij} = f_i(\alpha_j) \frac{v_j}{v_i}$.

Corollary

Let $I$ be the identity matrix of order $k$ and $R = (R_{ij})_{i = 1 \ldots k,\; j = k+1 \ldots n}$ where $R_{ij} = \frac{v_j}{v_i} \prod_{s = 1,\, s \neq i}^{k} \frac{\alpha_j - \alpha_s}{\alpha_i - \alpha_s}$. Then the matrix $(I \mid R)$ is the systematic form of the generator matrix of the *GRS* code with generator matrix

$$G = \begin{pmatrix} v_1 & v_2 & \cdots & v_n \\ v_1 \alpha_1 & v_2 \alpha_2 & \cdots & v_n \alpha_n \\ \vdots & \vdots & \ddots & \vdots \\ v_1 \alpha_1^{k-1} & v_2 \alpha_2^{k-1} & \cdots & v_n \alpha_n^{k-1} \end{pmatrix}.$$

Proof

This follows from the definition of the generalized Reed-Solomon code and the previous proposition.

Algorithm

Input

A family of generalized Reed-Solomon codes of length $n$ and dimension $k$, constituting the key space.

The public key $G'$.

Results

The matrix $G = (v_j \alpha_j^{i})_{i = 0 \ldots k-1,\; j = 1 \ldots n}$ and an invertible $k \times k$ matrix $S$ such that $G' = SG$.

Procedure

Put the matrix $G'$ in the form $(I \mid R)$ by Gaussian elimination.

Determine the matrix $G = (v_j \alpha_j^{i})_{i = 0 \ldots k-1,\; j = 1 \ldots n}$ such that $\alpha_1, \ldots, \alpha_n$ and $v_1, \ldots, v_n$ satisfy the equations $R_{ij} = \frac{v_j}{v_i} \prod_{s = 1,\, s \neq i}^{k} \frac{\alpha_j - \alpha_s}{\alpha_i - \alpha_s}$.


Determine the matrix $S$ such that $G' = SG$.
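The proposition and the first step of the algorithm above, as an added example that is not code from the chapter: a GRS generator matrix $G = (v_j \alpha_j^{i})$ is built over a small prime field, reduced to $(I \mid R)$ by Gaussian elimination, and the resulting $R$ is compared entry by entry with the closed formula $R_{ij} = \frac{v_j}{v_i} \prod_{s \neq i} \frac{\alpha_j - \alpha_s}{\alpha_i - \alpha_s}$, while the row operations are tracked to recover the $S$ with $SG = (I \mid R)$. The field $\mathbb{F}_{17}$ (`P`), the locators `ALPHAS`, the multipliers `VS` and the dimension `K` are constructed for this example; the function names are its own. It is exactly this algebraic regularity of the public systematic form that the Sidelnikov-Shestakov attack exploits, which is why GRS codes are not a suitable key space.

```python
"""Checking the systematic-form proposition for a GRS code over GF(P), P prime.
Added example; matrices are lists of rows of ints reduced modulo P."""
P = 17                                   # constructed toy field GF(17)
ALPHAS = [1, 2, 3, 4, 5, 6, 7, 8]        # distinct code locators alpha_j
VS = [3, 5, 7, 11, 13, 2, 9, 4]          # nonzero column multipliers v_j
K = 3                                    # code dimension k (n = 8)


def inv(a):
    """Multiplicative inverse in GF(P) via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def grs_generator(alphas, vs, k):
    """G[i][j] = v_j * alpha_j^i for i = 0..k-1, the chapter's generator matrix."""
    return [[(v * pow(a, i, P)) % P for a, v in zip(alphas, vs)] for i in range(k)]


def matmul(A, B):
    return [[sum(a * B[l][j] for l, a in enumerate(row)) % P
             for j in range(len(B[0]))] for row in A]


def systematic_form(G):
    """Gauss-Jordan on the augmented matrix [G | I_k] mod P.
    Returns (S, IR) with S * G == IR == (I | R). Assumes the first k columns
    of G are independent, which holds for a GRS code with distinct alphas."""
    k, n = len(G), len(G[0])
    A = [list(row) + [int(r == c) for c in range(k)] for r, row in enumerate(G)]
    for col in range(k):
        piv = next(r for r in range(col, k) if A[r][col])
        A[col], A[piv] = A[piv], A[col]
        f = inv(A[col][col])
        A[col] = [(x * f) % P for x in A[col]]       # scale pivot row to 1
        for r in range(k):
            if r != col and A[r][col]:
                m = A[r][col]
                A[r] = [(x - m * y) % P for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A], [row[:n] for row in A]


def predicted_R(alphas, vs, k):
    """R_ij = (v_j / v_i) * prod_{s != i} (alpha_j - alpha_s) / (alpha_i - alpha_s),
    for i = 1..k and j = k+1..n (0-based here)."""
    n = len(alphas)
    R = []
    for i in range(k):
        row = []
        for j in range(k, n):
            val = vs[j] * inv(vs[i]) % P
            for s in range(k):
                if s != i:
                    val = val * (alphas[j] - alphas[s]) * inv(alphas[i] - alphas[s]) % P
            row.append(val)
        R.append(row)
    return R


def proposition_holds(alphas, vs, k):
    """True iff elimination of G gives exactly (I | predicted R) and S*G equals it."""
    G = grs_generator(alphas, vs, k)
    S, IR = systematic_form(G)
    R = predicted_R(alphas, vs, k)
    expected = [[int(r == c) for c in range(k)] + R[r] for r in range(k)]
    return IR == expected and matmul(S, G) == IR


if __name__ == "__main__":
    S, IR = systematic_form(grs_generator(ALPHAS, VS, K))
    print("S =", S)
    print("(I|R) =", IR)
    print("proposition holds:", proposition_holds(ALPHAS, VS, K))
```

The systematic form of a generator matrix is unique ($G_I^{-1} G$ for the first $k$ columns), so the equality is exact rather than up to row equivalence; running `proposition_holds` with another dimension such as $k = 4$ on the same locators exercises the same identity with a longer product.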

#### **5. Conclusion**

In conclusion, the security of cryptosystems based on error-correcting codes is strongly linked to the family of codes used in the design of the system. The cryptosystem based on the Reed-Solomon code was broken by Sidelnikov and Shestakov in 1992. The version of McEliece using Goppa codes has been studied for 40 years and seems perfectly secure from a cryptographic point of view, but it is not used in practice because the size of its public key is much larger than what is achieved with systems from other fields (RSA, for example); hence the importance of finding a way to reduce the size of the public key. In the end, the McEliece system based on Goppa codes remains a preferred system as a post-quantum cryptosystem. We have not covered in this chapter other cryptographic applications of error-correcting codes, including hash functions [3, 7–11], pseudo-random generators, identification protocols, etc.

### **Author details**

Ahmed Drissi National School for Applied Sciences, ENSA, Abdelmalek Essaadi University, Tangier, Morocco

\*Address all correspondence to: idrissi2006@yahoo.fr

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/ by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


#### **References**


[1] Cayrel PL. Nouveaux résultats en cryptographie basée sur les codes correcteurs d'erreurs.

[2] Loidreau P. Etude et optimisation de cryptosystèmes à clé publique fondés sur la théorie des codes correcteurs [doctoral dissertation]; Thèse de doctorat. ENSTA Paris. 2001

[3] Drissi A. Formation doctorale [doctoral dissertation]. Thèse de doctorat. Université Ibn Zohr; 2014

[4] McEliece RJ. A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44; 1978. pp. 114-116

[5] Niederreiter H. Knapsack-type cryptosystems and algebraic coding theory. Problems of Control and Information Theory. 1986;**15**(2): 159-166

[6] Sidelnikov VM, Shestakov SO. On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discrete Mathematics and Applications. 1992;**2**(4):439-444

[7] Drissi A, Asimi A. One-way hash function based on goppa codes «OHFGC». Applied Mathematical Sciences. 2013;**7**(143):7097-7104

[8] Dallot L. Sécurité de protocoles cryptographiques fondés sur les codes correcteurs d'erreurs [doctoral dissertation]; France: Université de Caen/Basse-Normandie; 2010

[9] Merkle R. One way hash functions and DES. In: Crypto 1989, LNCS. Vol. 435. 1990

[10] Pretzel O. Error-Correcting Codes and Finite Fields. Student ed. Oxford University Press, Inc.; 1996

[11] Kumar R, Naidu AS, Singh A, Tentu AN. McEliece cryptosystem: Simulation and security vulnerabilities. International Journal of Computing Science and Mathematics. 2020;**12**(1): 64-81


#### **Chapter 7**
