In distance-bounding protocols, a prover wants to prove that it is located within a distance bound D from a verifier. Distance-bounding (DB) protocols have numerous applications, including authentication and proximity checking. The privacy problem in DB protocols was limited to privacy against MiM adversaries. Gambs et al. went beyond this limitation and proposed a protocol that provides strong privacy when the verifier is malicious or the registration authority is honest-but-curious. The protocol, however, does not provide resistance against terrorist-fraud. In this paper we consider private DB protocols that provide the strongest level of security against all known DB attacks, in particular terrorist-fraud, and provide anonymity of the prover and unlinkability of its sessions against malicious verifiers, assuming an honest-but-curious registration authority. We define private distance-bounding as a special ZKPoK in which a prover presents a commitment on its long-term private key, and later proves in zero-knowledge that: (ⅰ) she knows the committed value, (ⅱ) she knows a signature of the authority on the committed value (registration proof), and (ⅲ) she is located within a pre-defined distance to the verifier. The prover stays anonymous and its sessions are unlinkable. We propose a protocol, PDB, with these properties that resists all known attacks, including terrorist-fraud. PDB is based on Bussard-Bagga (DBPK-Log). PDB also fixes the vulnerability of the protocol pointed out by Bay et al., resulting in a secure public-key DB protocol, hence answering the open question of constructing a secure public-key DB protocol.