A Note on a Privacy-Preserving Distance-Bounding Protocol

Distance bounding protocols enable a device to establish an upper bound on the physical distance to a communication partner so as to prevent location spoofing, as exploited by relay attacks. Recently, Rasmussen and Capkun (ACM-CCS'08) observed that these protocols leak information on the location of the parties to external observers, which is undesirable in a number of applications-for example if the leaked information leads to the identification of the parties among a group of devices. To remedy this problem, these authors proposed a "privacy-preserving" distance bounding protocol, i.e. that leaks no information on the location of the parties. The present paper reports results from an in-depth security analysis of that new protocol, with as main result an attack that recovers the ephemeral secrets as well as the location information of the two parties for particular choices of parameters. Overall, our results do not contradict the preliminary security analysis by the designers, but rather extends it to other parts of the attack surface.