The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)

January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran

Improvement of Two Distance Bounding Protocols

Against Terrorist and Force Attacks
Azadeh Imani Rad
Department of Electrical Engineering,
Yadegar -e- Imam Khomeini (rah),
shahr-e-rey Branch
Islamic Azad University
Tehran, Iran
Azadeh Imany@yahoo.com
Mahdi R.Alaghband
Department of Electrical and Computer Engineering,
Science and Research Branch
Islamic Azad University
Tehran, Iran
m.alaghband@srbiau.ac.ir

Abstract—Widespread deployment of wireless sys-
tems that use the location positioning and physical
proximity to provide services leads to the emergence
of many technologies based on radio frequency. Today,
these systems are used in a wide range of applications
including tracking of people and assets, emergency and
rescue support and access control. One of these tech-
nologies is radio frequency identification (RF ID). Since
the spread of wireless technologies needs to enhance
safety and security, so reliability of location estimates
and the data used in these systems is necessary. One of
the location attacks that can threaten a RF ID system is
”distance fraud attack” in which adversary is a tag itself
that tries to show its distance from reader less than
what it is.”Mafia fraud” in which the attack takes place
without the knowledge of tag and reader. The main
attack is ”terrorist fraud attack” in which the frauder
tag cooperates with adversary. Distance bounding pro-
tocols have been proposed to deal with these attacks
which are a family of authentication protocols based
on challenge and response, and the round-trip time of
signals is measured in them and the physical distance
between the tag and reader will be determined based on
this time. In this paper, we investigate ”terrorist fraud
attack” on two distance bounding protocol schemes,
first TMA protocol and then BSB protocol. Then we
will continue to improve schemes. We Prove that our
scheme is resistant against the carried out attacks based
on formal models.
Keywords: RFID, Distance Bounding Protocol, Terror-
ist Fraud Attack, Force Attack
I. Introduction
Radio frequency identification (RFID) is a contactless
technology which is used in many applicable identification
and authentication plans, such as access control, payment
system, public transportation, passport, etc. the main
goal of RFID systems is to permit connection between
the reader and the utilized tag in the objects. In RFID
systems, either security and privacy are important. Data
in RFID technology is transferred by wireless signals; this
would make intercepting data possible. Distance bounding
[1], [2] is the basic solution to resist against attacks to
tags’s status. Measuring the distance between the tag
and the reader may be based on the received signal
strength(RSS) or the angle of arrival(AoA) of the sys-
tem or the round-trip time(RTT) of the signal [3], [4].
Measuring the signals intensity and its direction of arrival
may be affected by the attack and the adversary is able
to change the intensity and the direction of arrival by
an amplifier and a multi-directional antenna. As a result,
distance bounding protocols are based on measuring the
round-trip time of the signal.
In this paper the improvement of two protocols against
terrorist fraud attack which is one of the main threats to
RFID systems is addressed. In the terrorist fraud there is
man in the middle (MITM) adversary that communicates
with the fraudulent tag and the tag without revealing its
private key to the adversary attempts to provide him with
the required parameters to leave the protocol behind. To
robust the protocols this attack two ways are discussed:
1)limiting the interaction between the tag and adversary
to the slow phase 2)creating limitation for the tag in
helping the adversary. In [5], [6] the first way is applied to
prevent this attack which seems unnecessary and artificial
[7]. In the present study second way is applied to improve
TMA and BSB protocols.
II. RFID Treat
There are three main threats for RFID systems [8]
distance fraud, mafia fraud, and terrorist fraud; these
can be prevented by distance bounding protocol. We will
discuss these attacks in the following.
Distance fraud [9], [10] happens when a fraudulent tag
tries to persuade the reader that it is near to the reader,
while it is not true and the tag is outside the readers
permissible range. In mafia fraud [9], [11], the reader and
the tag are authenticated, but they are far from each other.
The adversary would be placed between the reader and
the tag; this would make the distance between the reader
and the tag look smaller. The adversary then relays the
connection between the reader and the tag. This fraud may
be detected by distance bounding protocol by measuring
the additional delay in the round-trip time of the signal.
In terrorist attack [8], [12], tag cooperates with the ad-
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran
versary. The traitor tag is far from the reader and the
adversary is near to it. The fraudulent tag provides the
required data of the protocol for the adversary, so that
the adversary access to the tag key would not be possible.
III. Related Work
The first distance bounding protocol was introduced by
Brands and Chaum in 1993 [13]. This protocol includes a
slow setting up step that random numbers are exchanged
between them. Then, there is a fast bit exchange step
where the reader sends a single bit to the tag and the timer
is turned on. When the tag sends a single bit response to
the reader and the reader receives it, the timer is turned
off. The reader then measures the round-time trip of the
signal and extracts the propagation time of the signal.
After n protocol runs, there is a final slow step in some
protocols. This step may include complex encryptions such
as commitment and signature or Mac obtained values.
In Brands and Chaum (BC) protocol, final slow phase
is present; it contains signature and commitment and
imposes a high computational overload to the system.
Finally, the reader would decide whether the tag is in
the permissible area or not. Another protocol proposed by
Hancke and Kuhn in 2005 was known as HK [14] and it was
a milestone in this area. In this protocol, the challenge and
response effect is utilized in fast bit exchange stage and
there is no final bit exchange step; these made this protocol
a famous one among RFID protocols. In distance bounding
family protocols, there are two main families of BC family
protocols and HK family protocols; in each family, proto-
cols are improved versions of the main protocol. Since HK
is vulnerable to terrorist attack, Reid et.al was proposed
an improved protocol in 2006 [15], however this protocol
does not provide privacy protection as well. In 2008,
Munilla and Peinado modified HK protocol using void
challenge to reduce the probability of adversary’s success;
this protocol is known as MP [16]. In 2011, Kim and Avoine
proposed KA protocol, based on a combinational scheme of
random challenges and pre-defined challenges [17]. These
protocols have two types of KA1 and KA2. Both protocols
are resist against mafia fraud attack. KA protocols need
memory bits; however, the author shows that KA2 needs
half of the memory needed for KA1, and the robustness
against distance fraud increases. In 2012, Jannati and
Falahati proposed a protocol named JF [18]; pre-defined
challenges and random challenges are used in each round
of this protocol. Although it seemed that the protocol is
robust against terrorist fraud, as well as distance fraud and
mafia fraud, Baghernezhad et. al showed that this protocol
is vulnerable to key recovery attack [9], [19], resulting
in protocol’s vulnerability to mafia fraud and terrorist
fraud [19]. Using the key recovery attack, the adversary’s
probability of success in distance fraud and terrorist fraud
is maximum. Baghernezhad et. al (BSB) [19] proposed
an improvement of JF protocol which was robust against
the key recovery attack, but it was vulnerable to terrorist
Table I
List of Notations
Parameters Description
T The Tag
R The Reader
NR The random nonce generated by reader
NT The random nonce generated by T
P RF Pseudorandom function
n Number of rounds in the fast phase
x The secret key shared between T and reader
ci The ith challenge sent by reader
ri The ith response sent by T
⊕ XOR operator
∆Ti The time difference in the ith round
∆Tmax Maximum allowed time difference
fraud. In this paper, in order to achieve robustness against
terrorist fraud attack, an improvement of this protocol is
proposed.
Moreover, Trujillo-Rasua et. Al proposed a distance
bounding protocol in 2014, known as TMA [20]. In this
protocol, all previous challenges in this round of protocol
are used in forming the intended response of the reader.
This protocol is robust against distance and mafia frauds,
but it is vulnerable to terrorist fraud. In this paper,
improvement of this protocol against terrorist attack is
presented.
In 2016, Guoheng et al. presented a comprehensive solu-
tion to the force attack on the HK family protocol [21].
This article has implemented their solution to several
specific protocols which are often not up to date refer-
ences. Recently, Tu and Piramuthu presented a lightweight
scheme for RFID systems [22]. Tu’s protocol is a robust
protocol that resists against impersonation attack and
keep the tag/reader location private. Also, this protocol
resists against relay attack which is similar to the force
attack. In a relay attack, the adversary is first corresponds
to the tag. Then it communicates with the reader. But
in the force attack, after performing a fast bit exchange
phase, an adversary continues to communicate with both
sides of the protocol.
IV. Evaluation of Distance Bounding Protocol
Distance bounding protocols may be evaluated based
on some characteristics [23].These characteristics may be
categorized in two groups: security-related and implemen-
tation - related characteristics. Decision making criteria to
choose the protocol is based on these characteristics.
A. Security Feature
The goal of security challenges is to reduce the proba-
bility of success and achieve the following features:
• Against Distance Fraud: In section 2 this fraud
is investigated. Preventing this fraud is one of the
security purposes. The adversary’s probability of suc-
cess using this protocol and successful overcoming
the protocol indicates the resistance or non-resistance
against the fraud. One of the goals to create distance
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran
bounding protocols like BC protocol is to prevent this
fraud [12].
• Resistance Against Mafia Fraud: As discussed
in section 2 mafia fraud is among the main RFID
system threats that the encryption cannot prevent the
attack. Accordingly the distance bounding protocols
are formed to prevent this fraud. In examining the
security features of a distance bounding protocol the
probability of the adversary success in the fraud is
considered [12].
• Resistance Against Terrorist Fraud: In section
2 the terrorist fraud is discussed. Resistance against
this fraud is possible when the tag is not willing to
cooperate with the adversary because its cooperation
with the adversary reveals the private key [12]. The
first protocol to strengthen the distance bound pro-
tocol against this attach is the protocol by Reid et
al. Resistance against this fraud is discussed in the
analysis of distance bound protocols .
• Resistance Against Key Recovery attack: in key
recovery attack, the adversary is able to detect one
bit of the tag’s private key. This attack for first time
introduced in [9]. Then this attack discussed in [19].
• Resistance Against Force Attack: force attack is
a kind of man in the middle attack. The adversary
blocks the last transmitted message from the tag to
the reader and starts the fast bit exchange step with
the tag [21], [24]. After 2 rounds of protocol and
getting the responses in these rounds, the hindered
message is sent to the reader and after that, the fast
bit exchange is started by the reader. The adversary
would be in fast bit exchange with the reader and
the tag, and both steps are repeated until N rounds.
The force attack resistance means the adversary’s
probability of success against this attack.
B. Implementation Feature
Widespread limitation of RFID systems requires only
restricted and lightweight protocols.
• The number of encryption operations by the tag (E)
it refers to the number of encryption operations in
the tag. This is the initial evaluation factor of the
protocols computational cost.
Presence or absence of final slow phase (f ) since final
• Pr (Mi ) = ( )i + Pr (Mi |Ci 6= Ĉi )(1 − ( )i ).
slow phase include signature, commitment, and MAC,
and presence of each of them imposes computational
overload to the distance bounding protocol [14].
V. Review on the TMA Protocol
TMA protocol was proposed in 2014 by Truillo-Rasua
et al [20]. TMA reduces the risk of distance and Mafia
fraud attacks. As can be seen in Figure 1 the idea of
dependence of reply to protocol’s previous challenges has
been used. Table I depicts the notations used in this paper.
initial slow phase: Random numbers are exchanged
between T and R. T and R will come to a 3nbit output
with the help of these numbers and the T private key by
using a pseudo-random function that 3nbit is related to
R0 ,R1 & Q parameters respectively. The parameters are
used for the next steps of the protocol.
The exchange of fast bits: At this stage, R chooses
randomly a single-bit of set {0, 1}. At the same time the
timer is turned on. When R recieves the reply from T ,
the timer is turned off. This step is performed n times.
At the, round-trip time of the signal and correctly reply
of the T are checked.
Note that the function fQ (Ci ) are defined as
Li
j=1 (cj ∩ qj ) that Q = q1 q2 .......qn &
fQ (Ci ) =
Ci = c1 .......ci , 1 6 i 6 n .
Resistance to Mafia fraud attack: IN a nutshell,
If the reply of ith session of protocol would depend on
all previous challenges, protocol is immune against mafia
attack.
To analyze the Mafia fraud attack, two strategies of
pre − ask and post − ask can be used [25]. If the protocol
has final slow phase, the use of post − ask strategy will be
necessary; otherwise, this strategy cannot help. As TMA
protocol has not final slow phase, this strategy is not
used and pre − ask strategy is used. It should be noted
that the T in two models of black box and white box has
equal probability of success on the Mafia fraud attack
[20], [26]. According to Delev-Yao model it is possible to
place the tag in the black and white box models. In the
black box model T is disabled such that it is incapable
of the observation of disorder in the implementation of
the protocol and has no control over the channel. In the
white box model T is active and has a full access over
the protocol implementation and control over the channel
[25].
Let Mi be the event that the adversary has won the first
i rounds in mafia fraud. Let Si be the event that the
adversary guesses fQ (Ci )⊕ fQ (Ĉi ) at the ith round. The
probability Pr (Mi ) can be computed as follows :
1 1
2 2
1
Pr (Mi |Ci 6= Ĉi ) = Pr (Mi |Ci 6= Ĉi , Mi−1 ) × ( i +
2 −1
ˆ )(1 − 1 )).
Pr (Mi−1 |Ci−1 6= Ci−1
2i − 1
2i−2
Pr (Mi |Ci 6= Ĉi , Mi−1 ) = i +
2 −1
2i−2
Pr (Si−1 |Ci−1 6= Ĉi−1 , Mi−1 )(1 − i ).
2 −1
1
Pr (Si |Ci 6= Ĉi , Mi ) = +
2
Pr (Si−1 |Mi−1 , Ci−1 6= Ĉi−1 )
×
Pr (Mi |Ci 6= Ĉi )
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran

Prover Verifier
secret x secret x
Slow phase
NP -
picks NP ∈R {0, 1}n picks NV ∈R {0, 1}n
 NV
(Q, R0 , R1 ) = (Q, R0 , R1 ) = P RF (x, NP , NV )
P RF (x, NP , NV )
Fast phase
For i = 1......n :
ci - Picks ci ∈R {0, 1}
 ri start timer
ri = Rici ⊕ fQ (Ci ) stop timer
Computes ∆Ti

Figure 1. The TMA protocol [20]

1 1
Pr (Mi−1 |Ci−1 6= Ĉi−1 )( − ( )i+1 )
4 2
1 i
1−( )
2
Resistance to distance fraud attack: To investigate
the distance fraud attack, the use of early-reply strategy
is useful [25]. In this strategy, adversary, the fraud T ,
attempts to send reply before receiving challenge.
The probability of adversary success in black box model
1 without finding out the T ’s private key. Since terrorist
for distance fraud attack is equal to ( )n because the
2
adversary is not able to see the values of R0 , R1 , & Q. Also
it does not know fQ (Ci−1 ) and should guess the reply [26].
The probability of adversary success in white box
model for distance fraud attack is as follows [18].
The fraud T , adversary, knows values of R0 , R1 , &
Q and either Ri0 ⊕ fQ (Ci−1 k0) = Ri0 ⊕ fQ (Ci−1 ) or
Ri1 ⊕ fQ (Ci−1 k1) = Ri1 ⊕ fQ (Ci−1 ) ⊕ qi occurs for two
challenge modes. As a result, according to the information
of adversary, he only needs to guess fQ (Ci−1 ).
Let Di be the event that the distance fraud adversary
successfully passes the protocol until the ith round. The
probability Pr (Di ) can be computed as follows:
1 1 1 1 and R which is involved in making responses. R prevents
Pr (Di ) = Pr (Di−1 ) + i + Σi−1 Pr (Di ) i−j
4 2 8 j=1 2 to perform ”terrorist fraud attack” on this protocol by
The above protocol is resistant against the force attack,
since the first flow in this protocol is sent by the T and
second message that contains a random number is sent
by the R, and R begins the exchange of fast bit after
this message and the adversary has no opportunity to
interrupt the start of challenges and cannot start bit fast
by T exchange.
Moreover, The adversary cannot recover the key,
because
L the private key is not used for linear (operator
) in reply and the adversary cannot gain information
about the private key T s by changing primary challenge
and replacing challenge with its alternative.
A. Weaknesses of TMA Protocol
In the other side this protocol is vulnerable to terrorist
fraud attacks. Result of the pseudo-random function will
be three parameters of R0 ,R1 & Q; if fraud T gives them
to the adversary, it successfully performs the protocol
fraud is one of the major threats in RFID area, we alleviate
the drawbacks of the TMA protocol and propose a new one
in the next section.
The adversary using these three parameters that obtains
from the fraudulent T can achieve the right response.
At the beginning of the fast bit exchange by the R the
adversary receives the challenge. He knows the Q and
then using the received challenge uses of the R0 or R1
parameters to produce the correct response. Knowing all
the parameters used in the solution structure allows that
adversary to be successful in sending the response.
B. Improved of the TMA Protocol
In our improved scheme Figure 2, R1 , R0 & Q are
combined with each other by a mutual key between the T
adding parameter y = x⊕fD (Q, R0 , R1 )to random number
and putting the phrase D in transmitted flow to the T .
VI. Review on the BSB Protocol
In 2014, Baghenejad et al proposed a protocol for
improving JF protocol in which a pseudo-random function
was used instead of XOR operation to prevent key recov-
ery attack as can be seen in Figure 3 [19]. The result of the
pseudo-random function is a 3n bits divided into 3 values,
R0 , R1 & D. In the fast bit exchange phase, predefined bit
label Wi = Di and the challenge random bit Ci is selected
and sent to the label and the label checks the correctness
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran

Reader Tag
secret x secret x
Slow phase
Picks NT ∈R {0, 1}

Picks NR ∈R {0, 1}  NT
(Q, R0 , R1 ) = P RF (x, NT , NR )
y = x ⊕ fD (Q, R0 , R1 ) NR , y, D - (Q, R0 , R1 ) = P RF (x, NT , NR )
Checks y
Fast phase
For i = 1.....n
Picks ci ∈R {0, 1}
Start timer ci -

Stop timer  ri ri = Rici ⊕ fQ (Ci )

Computes ∆Ti

Figure 2. The Improvment of TMA protocol

Reader Tag
secret x secret x

Slow phase
Picks NR ∈R {0, 1} NR Picks NT ∈R {0, 1}
-
(D, R0 , R1 ) =  NT (D, R0 , R1 ) =
P RF (x, NT , NR ) Fast phase P RF (x, NT , NR )
For i = 1.......n
wi = Di
Picks Ci ∈R {0, 1} C i , Wi -
Start timer
Ri0 if [(wi = Di ) ∩ (ci = 0)]
{
ri = Ri1 if [(wi = Di ) ∩ (ci = 1)]
si ∈R {0, 1} if (wi =
6 Di )
Stop timer  ri
Computes∆T , ri

Figure 3. The BSB protocol [19]

of Wi , if it is correct and Ci = 0, Ri0 is sent and if Ci = 1,
Ri1 is sent to the R, otherwise if Wi 6= Di is detected as
an error and for all other challenges and this challenge, a
random number is sent. The main purpose of this protocol
is to prevent information leakage.
We investigate the Mafia Fraud Attack in two white
and black box models. As mentioned before, for analyzing
the Mafia Fraud Attack, Post-ask and Pre-ask strategies
can be used depending on the protocol’s requirements
[25]. Since the BSB protocol does not have a slow final
phase, pre-ask strategy is used to analyze the protocol.
In Mafia Fraud Attack, the probability of the adversary’s
success would be equal for the black box model and the
white box model.
The adversary guesses two random numbers for ci and Wi
and sends them to the label. If Wi is guessed correctly,
label sends a proper reply to the adversary for the
challenge it has received. When the bit exchange phase
initiates from the R, the adversary uses the replies as
follows. If ci and Wi sent by the adversary to the label
match ci and Wi of the R, the adversary will send the
reply it has received from the label to the R, otherwise
the adversary should guess the reply [18], [19] .
Let ei be the event that the T detect the error at the ith
round and êi be the event that the T not detect the error
at the ith round. Let Ei be the event that the T detect
the error at the jth round for the first time and Êi be the
event that the T not detect the error up the nth round.
This probability can be computed as follows :
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran
Pmaf ia = P (maf ia|E)P (E)+ protocols, by calculating the time difference between the
Σnj=1 P r(maf ia|Eh )P (Ej ) challenge and the reply and using the threshold time for
1 1 the distance between the T and the R in the allowed
P (ei ) = P (ei ) = , P (E) = ( )n
2 2 region, R can judge the mafia fraud attack. Fast bit
1 j−1 1 1
p(Ej ) = (Πj=1
i=1 P (e i ))P (e j ) = ( ) ( ) = ( )j exchange mechanism is in fact a suitable remote anti-
2 2 2 attack approach and is the core of HK protocols.
1 1 1
P (maf ia|E = Πni=1 P ((Sm )i |ei ) = Πni=1 [ × 1 + × ] = In this protocol the adversary prevents sending message
2 2 2
3 from T to R to perform the force attack and blocks this
( )n
4 message. Then he selects a random number and sends it
P (maf ia|ej ) = Πj−1 i=1 P [(sm )i |ei ]× to the T , if wi = Di , T sends the correct response to the
3 1
Πi=j P [(sm )i |ei ] = ( )j−1 × ( )n−j−1
n adversary; otherwise he will send a random response. Then
4 2 the adversary sends another random number and sends the
3 1
P (maf ia) = ( )n × ( )n + blocked message to the reader after receiving its response.
4 2
3 3 1 1 The fast bit exchange stage is determined by R and the
Σnj=1 ( )j−1 × ( 21 )n−j−1 × ( 12 )j = ( )n × ( )n + ( )n−1 ×
4 4 2 2 adversary runs both fast bit exchange stages with T and
3 3 1 1 3
Σnj=1 ( )j−1 = ( )n × ( )n + ( )n−1 × (1 − ( )n ) R to the end.
4 4 2 2 4
Distance Fraud Attack: According to the early-reply B. Improved of BSB Protocol
strategy, fraudulent T sends the reply to the R before As can be seen in Figure 4 to improve the BSB protocol,
receiving the challenge in order to decrease the sweeping y = x ⊕ hD (Q, R0 , R1 ) is sent only once for R along
time of the signal such that the R is convinced that a T with T random number.R verifies the results of this
is located in its adjacency. improvement which were to meet weaknesses of protocol
The probability of adversary success in black box model are obtained as follows.
1 The Probability of success of terrorist fraud attack in
for distance fraud attack is equal to ( )n because the
2 black box model is equal to the probability of success of
adversary is not able to see the values of R0 , R1 , & D adversary in mafia fraud attack in the white box model.
. According to definition of this fraud for white box model,
The probability of adversary success in white box model T should cooperate with adversary, so that the adversary
3
for distance fraud attack is equal to ( )n . The adversary to be able to successfully pass the protocol. If adversary
4
able to see the values of R0 , R1 , & D but he don’t know cooperates with T , the T should give the parameters D,
challenges. If Ri0 = Ri1 , then he send reply. If Ri0 6= Ri1 , R0 &R1 available to the adversary. Due to presence of y
he send random reply. in flows, T ’s private key will be revealed. As a result, the
Key recovery attack in BSB protocol is not employed T will not cooperate with the adversary.
neither directly nor under XOR operation for generating
replies. Therefore the adversary is unable to recover key Key-recovery attack: As linear relationship and
by leaking information. Thus the improved protocol is XOR operator have not been used in our improved pro-
robust against this attack. tocol for making the appropriate responses contrary to JF
protocol, two responses are independent from each other.
So, adversary would not be able to retrieve the private key.
A. Weaknesses of BSB Protocol In this protocol the XoR operator is no used to build the
In this section, we clarify that BSB protocol is vulner- responses. The responses are independent of each other
able to both terrorist fraud and force attacks. Since the and both are pseudo-random functions. Hence the attack
fraudulent T gives values of R0 ,R1 and D to the adversary is not effective on the protocol.
in coordination with him and the adversary can pass the Force attack: parameter y and the way of making it in
terrorist fraud attack with probability of 1. a way that all the main parameters such as private key,
As also discussed in Section 5.1, the adversary starts the sending time t and responses are used in them causes that
fast bit exchange stage with R after receiving the required adversary cannot perform the fast bit exchange phase with
parameters of the fraudulent tag. The adversary has the the T by positioning between the T and R. Then, it starts
values R0 and R1 and based on the sent challenges by R fast bit exchange phase with the R after running the first
sends one of the two parameters. two steps of its n round and simultaneously performs the
This protocol is vulnerable to force attack. force attack both phases.
is a different form of mafia fraud attack. In mafia fraud The use of parameter y in the protocol reinforces the
attack, adversary communicates with the T and the R protocol against the attack. Making parameter y from
simultaneously to decrease the distance between the T timestamps will cause the message blockage and sending
and the R and reaches the allowable distance. But because it in another time causes T −t ≥ ∆Tmax and the adversary
of the fast bit exchange mechanism in distance bounding faces failure in the rest of the attack.
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran

Reader Tag
secret x secret x
Slow phase
Picks NR ∈R {0, 1} NR - Picks NT ∈R {0, 1}
(D, R0 , R1 ) = P RF (x, NT , NR )
Records T  NT , y, t y = x ⊕ hD (R0 , R1 , t)
(D, R0 , R1 ) =
P RF (x, NT , NR )
Checks y
Checks T − t 6 ∆tmax

Fast phase
For i = 1.......n
wi = Di
Picks Ci ∈R {0, 1} C i , Wi -
Start timer
Ri0 if [(wi = Di ) ∩ (ci = 0)]
{
ri = Ri1 if [(wi = Di ) ∩ (ci = 1)]
6 Di )
si ∈R {0, 1} if (wi =
Stop timer  ri
Computes∆T , ri

Figure 4. The Improvment of BSB protocol

Table II
Comparison of Distance Bounding Protocol

Protocol DFA MFA TFA KRA FA f E

HK [14] (3/4)n (3/4)n 1 3 5 Yes 1
MP [16] (3/4) n (3/5)n 1 3 5 Yes 2
KA [17] (7/8)n (1/2)n 1 3 5 No 1
JF [18] (3/4)n 1 1 5 5 No 1
TMA [20] cf. cf. 1 3 3 No 1
Imp TMA cf. cf. 3 3 3 No 2
BSB [19] (3/4)n cf. 1 5 5 No 1
Imp BSB (3/4)n cf. 3 5 3 No 2
Note:
DFA: Distance Fraud Attack f : final slow phase
MFA:Mafia Fraud Attack E: Encryption Operations by the T
TFA: Terrorist Fraud Attack 3: Resistance Against the Attack
KRA: Key Recovery Attack 5: Vulnerable Against the Attack
FA: Force Attack cf.: see also

VII. Comparison and Conclusion

We described the T M A and BSB protocols in section
5 and 6. Then, we showed the protocols weakness against
terrorist fraud attacks and force attack. We compare our
improved schemes are resistant against the mentioned
attacks and the possibility of carrying out the attacks has
reached zero , as can be seen on Table II. In addition, we
show that our scheme is more resistant against attacks
than the other provided schemes. In continue we show in
Figures 5 to 7 adversary success probability diagram and
spider chart of described protocols.
In Figure 5 analyzes the relationship between the likeli-
hood of distance fraud and the number of cycles in the fast
bit exchange phase. As the Figure suggests for the protocol
constant with less likelihood of attack is more appropriate.
Figure 5. The Distance Fraud Success Probability
In Figure 6 the relationship between the likelihood of
protocols addressed in this paper and the number of cycles
in the rapid exchange of bit stage is considered. In this
Figure similar to Figure 5 for n the protocol constant with
less likelihood of attack is more appropriate. In Figure
7, the spider chart is applied to present the good linear
relationship between the protocols. The axis related to
different types of protocols is divided from log1 (chart
center) to log2 (1/2n ) (out of the chart). The axis related
to f has two points (chart center) and point 1 (out of
the chart). The axis related to E is divided from 0 (chart
center) to 2 (out of the chart).
Furthermore, lightweight or secure protocols can be ap-
 The 4th International Congress on Technology, Communication and Knowledge (ICTCK 2018)
January 24-25, 2018, Mashhad Branch, Islamic Azad University, Mashhad, Iran
Figure 6. The Mafia Fraud Success Probability
Figure 7. Spider Chart of HK Protocol [14], MP Protocol [16] & Our
Improved Protocols
plied as distance bounding protocol, but it is hard to
design a robust protocol which is both lightweight and
resist to all of RFID treats. For example, there is a trade-
off between mafia and distance fraud attack.
References
[1] Bengio, Samy, et al. ”Secure implementation of identification
systems.” Journal of Cryptology 4.3 (1991): 175-183.
[2] Beth, Thomas, and Yvo Desmedt. ”Identification Tokens-or:
Solving the Chess Grandmaster Problem.” Crypto. Vol. 90. 1990.
[3] GÃijrel, Ali Ozhan, Atakan Arslan, and Mete AkgÃijn. ”Non-
uniform stepping approach to RFID distance bounding prob-
lem.” Data Privacy Management and Autonomous Spontaneous
Security. Springer, Berlin, Heidelberg, 2011. 64-78.
[4] Miri, Jamel, Bechir Nsiri, and Ridha Bouallegue. ”Secure Dis-
tance Bounding Protocol on TH-UWB.” IT Convergence and
Security (ICITCS), 2016 6th International Conference on.
IEEE, 2016.
[5] Avoine, Gildas, et al. ”A framework for analyzing RFID distance
bounding protocols.” Journal of Computer Security 19.2 (2011):
289-317.
[6] Durholz, Ulrich, et al. ”A formal approach to distance-bounding
RFID protocols.” International Conference on Information Se-
curity. Springer, Berlin, Heidelberg, 2011.
[7] Fischlin, Marc, and Cristina Onete. ”Terrorism in distance
bounding: modeling terrorist-fraud resistance.” International
Conference on Applied Cryptography and Network Security.
Springer, Berlin, Heidelberg, 2013.
[8] Boureanu, Ioana, and Serge Vaudenay. ”Optimal proximity
proofs.” International Conference on Information Security and
Cryptology. Springer, Cham, 2014.
[9] Kim, Chong Hee, et al. ”The Swiss-Knife RFID Distance Bound-
ing Protocol.” ICISC. Vol. 5461. 2008.
[10] Avoine, Gildas, et al. ”A Terrorist-fraud Resistant and
Extractor-free Anonymous Distance-bounding Protocol.” Pro-
ceedings of the 2017 ACM on Asia Conference on Computer
and Communications Security. ACM, 2017.
[11] Entezari, Rahim, Hossein Bahramgiri, and Mahnaz Tajamolian.
”RFID unilateral distance bounding protocols: A trade-off be-
tween mafia and distance fraud.” Computer Communications 98
(2017): 97-105.
[12] Bultel, Xavier, et al. ”A prover-anonymous and terrorist-fraud
resistant distance-bounding protocol.” Proceedings of the 9th
ACM Conference on Security & Privacy in Wireless and Mobile
Networks. ACM, 2016.
[13] Brands, Stefan, and David Chaum. ”Distance-bounding proto-
cols.” Workshop on the Theory and Application of of Crypto-
graphic Techniques. Springer, Berlin, Heidelberg, 1993.
[14] Hancke, Gerhard P., and Markus G. Kuhn. ”An RFID distance
bounding protocol.” Security and Privacy for Emerging Areas
in Communications Networks, 2005. SecureComm 2005. First
International Conference on. IEEE, 2005.
[15] Reid, Jason, et al. ”Detecting relay attacks with timing-based
protocols.” Proceedings of the 2nd ACM symposium on Infor-
mation, computer and communications security. ACM, 2007.
[16] Munilla, Jorge, and Alberto Peinado. ”Distance bounding proto-
cols for RFID enhanced by using voidâĂŘchallenges and anal-
ysis in noisy channels.” Wireless communications and mobile
computing 8.9 (2008): 1227-1232.
[17] Kim, Chong, and Gildas Avoine. ”RFID distance bounding pro-
tocol with mixed challenges to prevent relay attacks.” Cryptology
and Network Security (2009): 119-133.
[18] Jannati, Hoda, and Abolfazl Falahati. ”Mutual implementation
of predefined and random challenges over RFID distance bound-
ing protocol.” Information Security and Cryptology (ISCISC),
2012 9th International ISC Conference on. IEEE, 2012.
[19] Baghernejad, Fatemeh, Nasour Bagheri, and Masoumeh
Safkhani. ”Security analysis of the distance bounding protocol
proposed by jannati and falahati.” Journal of Electrical and
Computer Engineering Innovations 2.2 (2014): 85-92.
[20] Trujillo-Rasua, Rolando, Benjamin Martin, and Gildas Avoine.
”Distance bounding facing both mafia and distance frauds.”
IEEE Transactions on Wireless Communications 13.10 (2014):
5690-5698.
[21] Wei, Guoheng, Huanguo Zhang, and Ya Wang. ”A new relay at-
tack on distance bounding protocols and its solution with time-
stamped authentication for RFID.” Wuhan University Journal
of Natural Sciences 21.1 (2016): 37-46.
[22] Tu, Yuju, and Selwyn Piramuthu. ”Lightweight Non-Distance-
Bounding Means to Address RFID Relay Attacks.” Decision
Support Systems (2017).
[23] Avoine, Gildas, Sjouke Mauw, and Rolando Trujillo-Rasua.
”Comparing distance bounding protocols: A critical mission
supported by decision theory.” Computer Communications 67
(2015): 92-102.
[24] Wei, Guoheng, Huanguo Zhang, and Ya Wang. ”A new relay at-
tack on distance bounding protocols and its solution with time-
stamped authentication for RFID.” Wuhan University Journal
of Natural Sciences 21.1 (2016): 37-46.
[25] Avoine, Gildas, et al. ”A framework for analyzing RFID distance
bounding protocols.” Journal of Computer Security 19.2 (2011):
289-317.
[26] Trujillo-Rasua, Rolando, Benjamin Martin, and Gildas Avoine.
”Distance bounding facing both mafia and distance frauds.”
IEEE Transactions on Wireless Communications 13.10 (2014):
5690-5698.