arX

iv:1

011.

5295

v1 [

cs.C

R]

24 N

ov 2

010

GDB: Group Distance Bounding Protocols

Srdjan CapkunETH Zurich

capkuns@inf.ethz.ch

Karim El Defrawy(corresponding author)

UC Irvinekeldefra@ics.uci.edu

Gene TsudikUC Irvine

gts@ics.uci.edu

ABSTRACTSecure distance bounding (DB) protocols allow one entity,the verifier, to securely obtain an upper-bound on the dis-tance to another entity, the prover. Thus far, DB was con-sidered mostly in the context of a single prover and a singleverifier. There has been no substantial prior work on se-cure DB in group settings, where a set of provers interactwith a set of verifiers. The need for group distance bounding(GDB) is motivated by many practical scenarios, including:group device pairing, location-based access control and se-cure distributed localization. GDB is also useful in mission-critical networks and automotive computer systems. Thispaper addresses, for the first time, GDB protocols by uti-lizing the newpassive DBprimitive and the novelmutualmulti-party GDBprotocol. We show how they can be usedto construct secure and efficient GDB protocols for varioussettings. We analyze security and performance of our pro-tocols and compare them with existing DB techniques whenapplied to group settings.

1. INTRODUCTIONWireless networks – especially, sensor and mobile ad-hoc

networks, have become increasingly popular. Enabled bypervasive availability of location information, new wirelessscenarios have emerged where accurate proximity informa-tion is essential to both applications and basic networkingfunctions. Such scenarios require secure, reliable and effi-cient verification of distances between nodes, in addition tonode authentication. Distance Bounding (DB) can addresssuch scenarios by allowing one entity (verifier) to obtainan upper-bound on the distance to another entity (prover)and, optionally, authenticate the latter. DB was introducedby Brands and Chaum [4] as a means of preventing the so-called “mafia fraud” attacks on bank ATMs1. In Brands andChaum’s DB approach, a user’s smart-card (verifier) checksits proximity to the ATM (prover). DB has been recentlyimplemented [19] using commercial off-the-shelf electron-ics (resulting in 15cm accuracy). It was also suggested andimplemented as a means of securely determining node loca-1A “mafia fraud” attack occurs when the attacker identifies itself tothe verifier using the identity of a prover, without the latter beingaware (i.e., man-in-the-middle attack).

tions in wireless networks [14, 6, 8, 23].In most prior work, DB was considered in the context of a

single prover and a single verifier. Group Distance Bounding(GDB) is the natural extension of the DB concept to groupsettings with multiple provers and verifiers. Multiple veri-fiers provide several advantages including: higher attack re-silience and improved availability (by avoiding a single pointof compromise or failure), in addition to facilitating localiza-tion using multilateration. The common goal in applicationsthat require GDB is:several devices must securely measuredistances between themselves or should only operate in thevicinity of each other.

GDB is motivated by the following emerging wireless ap-plications: group device pairing – a procedure for setting upan initial secure channel among a group of previously unfa-miliar wireless devices. There are several scenarios wherethis is required, e.g., when an ephemeral ad-hoc group ofusers meet. Each user has a personal wireless device thatmust establish a secure channel with devices of other users.One concrete example using cell-phones is described in [11].Another scenario is that of a single user with multiple de-vices, e.g, in a home area network [5]. A secure mechanismis required to ensure that the group of communicating de-vices is clustered within a particular area, i.e., each device iswithin a certain distance from every other device. The mu-tual multi-party GDB protocol (Section 3.3) achieves this.

Another application that can benefit from GDB is auto-motive computer systems. Recent research [10] pointed outvulnerability of such systems to attacks through wireless in-terfaces (demonstrated in [3] using relay attacks). As morecomponents of such systems communicate wirelessly, it be-comes critical to ensure that the origin of communicationis from within the car to prevent relay attacks. Ensuringthat such components only communicate with each otherprevents attacks through unauthorized or outside maliciouscomponents. The mutual multi-party GDB protocol (Section3.3) achieves this.

GDB is also useful in critical, e.g., military, MANETswhere a key operational requirement is to track locations of,and authenticate, friendly nodes [2]. Critical MANETs gen-erally operate without any infrastructure and in hostile en-vironments where node compromise is quite realistic. GDB

1

can be used to implement location based-access control andlocation-based group key management in critical MANETs.Both mutual multi-party GDB (Section 3.3) and passive DB(Section 3.1) can be used in such settings.

In this paper, we show that a straightforward extensionof previous single prover single verifier DB to GDB is in-efficient and insecure if used for localization without syn-chronization between verifiers (which was also pointed outin [8]). We explore and propose more efficient and secureGDB approaches. We make the following contributions:- Definition of Group Distance Bounding (GDB)- New primitives: Passive DB and Mutual Multi-Party GDB- A set of secure and efficient GDB protocols- Security and performance analysis of proposed protocols

The rest of the paper is organized as follows: we overviewtraditional DB protocols, formulate the GDB problem andstate our system and adversary models in Section 2. Wepresent details and security analysis of our GDB buildingblock primitives in Section 3. We then show how to usethese building blocks to construct GDB protocols in bothone-way and mutual GDB settings in Section 4. We ana-lyze performance and security of GDB protocols in Section5. We discuss related work in Section 6 and conclude withopen issues and future work in Section 7.

2. BACKGROUND AND PROBLEM STATE-MENT

We begin with an overview of DB protocols, followed bythe problem statement and system model.

2.1 Overview of Distance Bounding (DB)Figure 1 shows the generic DB protocol operation. The

core of anyone-way DBprotocol is the distance measure-ment phase, whereby the verifier measures round-trip timebetween sending its challenge and receiving the reply fromthe prover. Verifier’s challenges are unpredictable to theprover and replies are computed as a function of these chal-lenges. Thus, the prover cannot reply to the verifier beforereceiving its challenges. The prover, therefore, cannot pre-tend to be closer to the verifier than it really is (only further).First, the verifier and the prover each generaten b-bit noncesci andri (1 ≤ i ≤ n), respectively. In the Brands-ChaumDB protocol [4], the prover also commits to its nonces (us-ing any secure commitment scheme). The verifier sends allci to the prover, one at a time. Once eachci is received, theprover computes, and responds with a function of its ownnonce and that of the verifier,f(ci, ri). The verifier checksthe reply and measures the elapsed time between each chal-lenge and response. The process is repeatedn times and theprotocol completes successfully only ifall n rounds succeedand all responses correspond to prover’s committed value.The processing time on the prover’s sideα = tPs − tPr mustbe negligible (compared to the time of flight); otherwise, acomputationally powerful prover could claim a false bound.This time might be tolerably small, depending on the un-

Figure 1: Basic DB Operation.

derlying technology, the distance measured and the requiredsecurity guarantees (less than1nsec processing time yields0.15m accuracy [19]).

Security of DB protocols relies on two assumptions: (1)challenges are random, and unpredictable to the prover be-fore being sent by the verifier, and (2) challenges traversethe distance between the prover and the verifier at maximumpossible speed. i.e., the speed of electromagnetic waves. Af-ter executing a DB protocol, the verifier knows that distance

to the prover is at mosttVr −tVs −α

2 · c, whereα is the process-ing time of prover (ideally, negligible) andc the speed oflight [4]. DB protocols typically require(2n+ C) messages,whereC is the number of messages exchanged in the pre-and post-processing protocol phases. Typically,C << nand thus can be ignored.

In some cases (e.g., distributed localization), there is aneed for mutual DB between two parties:P1 andP2. Thiscan be achieved by modifying the one-way DB protocol suchthat each response fromP2 to a challenge byP1 also in-cludes a challenge fromP2 toP1. This requires2n+2C+1messages instead of2(2n+ C) for mutual DB and is shownin [25]. Both parties generate and commit to two random bitstrings[c1, c2, ..., cn] and[s1, s2, ..., sn]. P1 starts by send-ing the first challenge bitc1 andP2 replies withc1 ⊕ s1. P1

measures the time between sendingc1 and receiving the re-sponse.P1 then replies withc2 ⊕ s1. P2 measures the timebetween sendingc1 ⊕ s1 and receiving the response. Thisprocess is repeatedn times. The mutual DB procedure isconsidered successful if both parties verify all responsesandmatch previously committed values (see [25] for more de-tails). We take advantage of this optimization in constructingmutual GDB protocols.

If prover authentication is required, public key signaturescan be used to sign challenges and responses. The verifiervalidates the signature in the last step, as shown in Figure 1.The protocol succeedsonly if the signature is valid. Publickey identification schemes (e.g., Schnorr or Fiat-Shamir) canalso be used as described in [4].

2

Figure 2: Group Distance Bounding Variants.

2.2 Problem Statement and System ModelWe first present the general GDB problem statement and

its variants, then describe our system and adversary models.Problem Statement:In general, GDB involvesone or moreprovers interacting withone or more verifiers. The goalof verifiers is to accurately and securely establish distancebounds (DBs) to provers and, optionally, authenticate them.Provers are generally untrusted, i.e., they may behave ma-liciously by reporting false distances and identities. Eachdevice can be a prover, a verifier or both, i.e., we take intoaccount both one-way and mutual DB. We consider threeGDB cases (see also Figure 2):1- MPNV:N verifiers establish DBs toM provers.2- 1PNV:N verifiers establish DBs to a single prover.3- MP1V:A single verifier establishes DBs toM provers.In mutual GDB, the two special cases (1PNV andMP1V )are equivalent and are called (1-to-M). In addition, there isa case whereN peer nodes are required to establish mutualDB with each other; we call itmutual multi-partyGDB.System Model:We make the following assumptions:- Coverage:All devices are within each others’ transmissionrange. This is a common assumption in all DB literature,e.g., [4, 14, 23, 21, 18, 24].- Accuracy:Each device can implement distance bounding,i.e., is capable of fast and accurate processing - on the orderof nanoseconds2.- Keys: Each device has a public/private key pair and a cer-tificate binding the public key to its identity. (Applies onlyif authentication is required).- Collusion:Colluding provers do not reveal their secret keysto each other. (Applies only if authentication is required).- Interaction between Verifiers:In one-way GDB, verifiersknow each others’ locations or distances separating them.This is not required in mutual GDB.Adversary Model: We assume that the adversary is compu-tationally bounded and can not prevent nodes within its radiorange from receiving its transmissions (i.e., not using direc-tional antennas). In one-way GDB, the adversary can onlycompromise provers. Verifiers trust each other in one-wayGDB. In mutual GDB, all nodes are treated equally with notrust assumptions. Our adversary model covers the follow-ing attacks in one-way GDB settings (based on attacks inone-way DB [4]):

1- Distance Fraud Attack: A dishonest prover claims2 Possible using off-the-shelf electronics as in [19] or using UWBranging platforms e.g.[1, 14].

DB(s) Distance Bound(s)P ProverV (Va, Vp) Verifier (subscript denotes active or passive)DBx,y DB established by verifierx on proverytx,y Time of flight between nodesx andydx,y Distance between nodesx andy (dx,y = dy,x)n (na, np) Number of DB rounds (subscript denotes active or passive)da Fraction of verifiers performingna active roundsH( ) Cryptographically secure hash functionPrch(X) Fraction of DB rounds in which nodeX cheats

Table 1: Notation.

to be closer than it really is. (Note that a prover can al-ways claim to be further by delaying responses.) The goal ofthis attack in one-way GDB is to shorten the distance fromthe malicious prover to one or more (or even all) verifiers.

2- Mafia Fraud Attack: A form of a man-in-the-middle(MiTM) attack. The adversary, who is close to the verifier,interacts with it, while posing as the prover. In parallel, itinteracts with the prover posing as the verifier. The goal is tofool the verifier into believing that the adversary is the proverlocated closer to the verifier than the actual prover. In one-way GDB, we consider a version of this attack where theadversary places one or more nodes between the prover(s)and one or more verifiers. The adversary aims to convinceverifiers that these intermediate nodes are real provers whichare located closer to them than actual provers.We consider the following attacks in mutual GDB settings:

1- Passive Distance Fraud Attack: In mutual GDB withone group ofN nodes, each node has to establishN − 1DBs. We assume that the adversary can compromise at mostN −2 nodes. The goal of this attack is for two (or more)un-compromisednodes to establish incorrect DBs to each other.

2- Node Insertion Attack: The adversary inserts one ormore fake nodes into the group. It succeeds if other “hon-est” nodes in the group accept such fake nodes as legitimategroup members and establish DBs to them. Such DB shouldalso be shorter than the real distance to these fake nodes.

3. GDB BUILDING BLOCKSWe first introduce a new building block primitive for con-

structing secure and efficient GDB protocols,one-way pas-sive DB. We then consider an optimization to decrease num-ber of messages in GDB protocols,interleaved one-to-manymutual DB. By combining the two we construct the novelmutual multi-party GDBprotocol. In mutual multi-partyGDB each node, in a group ofN nodes, engages in a se-cure mutual DB protocol with its (N − 1) peers. Notationused in this paper is reflected in Table 1.

3.1 One-Way Passive DBWhenever a prover and a verifier engage in a DB protocol,

some information about their locations and mutual distanceis leaked [18]. We use this observation in the presence ofmultiple verifiers. We show that it is unnecessary foreveryverifier to directly interact with the prover (P ) to establish

3

Figure 3: Messages Observed by Passive Verifier.

a DB. If at least oneactive verifier (Va) interacts withP ,any other passive verifier (Vp) can deduce the DB betweenitself andP by observing messages betweenP andVa. Weassume thatVp andVa trust each other, know the distanceseparating them (or each other’s locations) and are both re-quired to establish a DB toP . We address passive DB withuntrusted verifiers in Section 5.3.

Figure 3 shows howVp observes timings (Ti) of messagesexchanged in a DB protocol betweenP andVa. Vp can con-struct the following equations:

T1 = t0 + tVa,Vp(1)

T2 = t0 + tVa,P + αp + tP,Vp(2)

T3 = t0 + 2 · tVa,P + αP + αVa+ tVa,Vp

(3)

whereαP andαVaare processing times ofP andVa, re-

spectively (ideallyαP is equal to zero) andt0 is the protocolstarting time.Vp can determine time of flight for signals be-tweenP andVa thus computing the distance between them:

dVa,P = c · tVa,P = c ·(T3 − T1)− αP − αVa

2(4)

Wherec denotes speed of light. ForVa (andVp) to measurethe distance between itself andP , αP must be negligible (orconstant) and known3.

Overview of establishing a passive DB:Vp uses time dif-ference of arrival (TDoA) of three messages, its own loca-tion andVa’s location to construct the locus ofP ’s possi-ble locations (a hyperbola similar to other TDoA techniques[12]). Vp then determines the distance betweenVa andP (asshown in Equation 4) and constructs a circle with a radiusequal to that distance. This circle intersects withP ’s loca-tion locus at two points (s1 ands2). Vp computes DB toPas the distance between itself ands1 (or s2)4.

Details of establishing a passive DB:We now demon-strate the details of the procedure. We also show that ifPmanages to cheat and shorten the passive DB established byVp, then the active DB established byVa mustalso be short-ened. Since the DB established byVa can not be shortened,3Common assumption in DB literature, e.g., [4, 14, 23, 21, 18,24].4If Vp does not knowVa’s exact location but only the distance toVa, then, instead of a sector of a circle,Vp obtains an area betweentwo circles with radii corresponding to furthest and closest pointsto Vp on the hyperbola. In that case the larger radius will be usedas a DB toP .

a passive DB is as secure as the active DB established be-tweenVa andP . SupposeVa is located at(xa, ya) andVp isat (xp, yp). Vp knows its own location and that ofVa (hencethe distancedVa,Vp

). Without loss of generality we assume(xa, ya) = (0, 0) to be the origin of a coordinate system. Itfollows that:

dVa,Vp=

√

(xp − xa)2 + (yp − ya)2 =√

(xp)2 + (yp)2

(5)We further assume thatP is at(x, y). Vp also knows that:

dVp,P =√

(x− xp)2 + (y − yp)2 =√

(x)2 + (dVa,Vp− y)2

(6)

dVa,P =√

(x− xa)2 + (y − ya)2 =√

(x)2 + (y)2 (7)

If three messages as in Figure 3 are received at times:T1, T2 andT3, respectively,Vp computesdVa,P as shownin Equations 4.Vp also computes:

c · (T2−T1) = c ·δ1 = dVa,P +c ·αP +dP,Vp−dVa,Vp

(8)

Wherec is speed of light. However, sincedVa,P (Equations4) anddVa,Vp

(verifiers know distances between them) areknown,Vp obtains:

Γ = c · (δ1 − αP ) + dVa,Vp= dVa,P + dVp,P =

√

(x)2 + (y)2 +√

(x)2 + (dVa,Vp− y)2 (9)

Which yields the following formula for the locus ofP ’spossible location (which lies on a hyperbola due to TDoA[12]):

y =dVa,Vp

√

(d2Va,Vp− Γ2)± Γ ·

√

(4x2 + d2Va,Vp− Γ2)

2√

(d2Va,Vp− Γ2)

(10)Note thatDBVa,P = dVa,P is an upper bound on the dis-

tance betweenP andVa. UsingdVa,P , Vp can construct an-other equation for the locus ofP ’s possible location (a circlearoundVa with radiusdVa,P ):

(x − xa)2 + (y − ya)

2 = (dVa,P )2 (11)

Vp can now establish a passive DB using the intersectionof both loci (i.e., solving both equations 11 and 10). ThisDB is the distance betweenVp’s own location(xp, yp) andthe intersection of P’s loci described by equations 11 and10. This DB (DBVp,P = dVp,P ) will only be in a sector of acircle, not in the entire circle as in the case of an active DB.

Substitutingx = xa+√

(dVa,P )2 − (y − ya)2 (from equa-

tion 11) into equation 10, the y-coordinate ofP ’s locationbecomes:y ∝ (dVa,P ) (same forP ’s x-coordinate). ForVp

to compute a wrong (shorter)DB to P , it has to have com-puted a shorterdVa,P . A shorterdVa,P requiresDBVa,P tohave been computed shorter than the actual distance betweenP andVa (which is not possible as shown in Section 2.1).

To better illustrate this, Figures 4(a) and 4(b) show anexample scenario.P (labeled Actual Prover in Figures) at

4

-10

-5

0

5

10

15

20

-15 -10 -5 0 5 10 15

met

ers

meters

Active Verifier

Passive Verifier

Actual Prover and correct DB

(a) Correct Passive DB

-10

-5

0

5

10

15

20

-15 -10 -5 0 5 10 15

met

ers

meters

Active Verifier

Passive Verifier

Wrong DB on Prover

Actual Prover

(b) Incorrect Passive DB

Figure 4: Establishing a Correct and Incorrect Passive DB.

(−7,−7) is on one of several possible hyperbolas. The DBfromVa at (0, 0) toP is shown as a circle aroundVa (labeledas Active Verifier in Figures). IfP somehow cheats so thatthe passive DB is shorter, then this would require that thecircle drawn aroundVp at (0, 10) intersects the hyperbola ata point ((−3,−1.5) in Figure 4(b)) close toVp. This pointwill be inside the circle established byVa. If this is the casethen the DB computed byVa has to be shorter than the actualdistance toP which is not possible. IfVp actively engages ina DB protocol withVa, it would get the circle shown aroundit in Figure 4(a). However, in this passive case, it gets a sec-tor of that circle, which is the arc connecting the two points((−7,−7) and (7,−7)) where the computed hyperbola inter-sects the circle around the active verifier. We have shown inSection 2.1 how active DB prevents the distance fraud attack.Since passive DB is as secure as active DB, it will preventthe distance fraud attack. Adding authentication to passiveDB prevents the mafia-fraud attack because an attacker willnot be able to authenticate itself to a passive verifier unless italso does to an active one. A passive verifier can utilize thesame authentication mechanism as an active verifier. Activeverifiers can use public key signatures (or public key iden-tification schemes) to authenticate provers, as described inSection 2.1. All necessary information (commitment, chal-lenges, responses and signatures) required to authenticateprovers also reach passive verifiers. The only disadvantageis that a passive verifier does not send its own challenges.Passive DB remains secure because it assumes trusted activeverifiers. If that is not the case, mutual one-to-many DB ormutual multi-party GDB can be used.

3.2 Interleaved One-to-Many Mutual DBWhen one node engages in mutual DB withM other nodes,

one-to-many mutual DB, the number of required messagescan be reduced by interleaving challenges and responses todifferent nodes. We label the “one” node in this case the ini-tiator (Pi) and the other “many” nodes (M) the “participants”(Pj , j ∈ {1, ...,M}). Pi performs mutual DB with eachPj ;

however, the last message of the interaction with onePj isused as the first challenge of the interaction withPj+1. Thisprocess can be generalized forM parties, one initiator andnrounds, resulting in a protocol withn · (2M + 1) messages.This would have requiredn · (4M) orn · (3M) messages ifpairwise single prover single verifier DB or interleaved sin-gle prover single verifier DB were used respectively.

3.3 Mutual Multi-Party GDBThe obvious approach to establish mutual DBs between

every pair of nodes, in a group ofN nodes, is to performit sequentially between each pair. This requires2n · N ·(N − 1) messages and is insecure. A malicious node, act-ing as a prover, can selectively delay messages to anotherspecific node acting as a verifier. This yields a larger DB,to that node only, and results in false localizations if multi-lateration is used as shown in [8]. One can interleave chal-lenges and responses to reduce the number of messages to(2n+1)·N ·(N−1)

2 , but selective delaying of responses will stillbe possible. Our protocol,mutual multi-party GDB, relieson the broadcast nature of the wireless channel and takes ad-vantage of message overhearing and appropriate timing ofchallenges and responses.All nodes simultaneously engagein thesame protocol. The protocol combines passive DB andinterleaving of challenges and responses (similar to Section3.2) to reduce message complexity fromO(N2) to O(N)without sacrificing security.

We begin with a simple four-node example, shown in Fig-ure 5. Each node (k) first generaten random bit strings(bi,k), each of lengthl. Each node broadcasts a commitmentto these bit strings. These commitments are hashed and usedby nodes to order themselves in a logical ring. This orderingdetermines the sequence in which nodes send and respondto challenges. In Figure 5 nodes order themselves clock-wise starting fromP1 to P4. P1 starts and sends the firstof its generated bits strings (b1,1) as a challenge to its leftlogical neighborP2 (message 1).P2 computes and sendsthe reply (rp2,1) to P1 using its own first bit string (b1,2)

5

and the challenge bit string (b1,1) received fromP1, i.e.,message 2 isrp2,1 = b1,1 ⊕ b1,2. P3 uses the reply fromP2 to P1 as a challenge and computes its own reply toP2

(rp3,2 = b1,3 ⊕ rp2,1) and broadcasts it as message 3.P4

uses this reply (rp3,2) as a challenge fromP3 and computesits own reply (rp4,3 = b1,4 ⊕ rp3,2) and sends it toP1 asmessage 4.P1 then replies toP4 with message 5 containingrp1,4 = b2,1 ⊕ rp4,3. The process is repeated again counter-clock wise but using the second bit string. All challengesand responses are broadcast and all nodes receive and recordthem. Nodes only respond to challenges from their imme-diate logical neighbors. Once a node computes all requiredDBs, it broadcasts them with a hash of all received chal-lenges and responses (and optionally signs them if authen-tication is required). This will require four additional mes-sages. We note here that each node independently computesDBs to other nodes based on linear equations constructedfrom the reception times as illustrated in Linear equationscan be solved with standard automated methods, e.g., Gausselimination or Gauss-Jordan elimination. Table 2. Nodesdo notrely on any reported measurements from other nodes,hence the same model of distrusting a node acting as a proveras in the original DB protocol holds.

Any mutual DB protocol for four nodes will require fourcommit (and four de-commit) messages which are not shownin Figure 5. The main difference is in number of messagesin the rapid bit exchange phase. In Figure 5 a total of8 mes-sages are required in that phase, in the case of sequentialpairwise DB24 will be needed and18 in case of sequentialDB with interleaving. The process can be generalized to thecase ofN nodes. The total number of messages for the gen-eral case ofN nodes andn rounds in the rapid bit exchangephase is5: n · (2N). Additionally,2N messages are requiredfor the commitments and decommitments to make sure thatevery node has used the random bits it generated and hascomputed DBs correctly.

Security:The mutual multi-party GDB protocol is secureagainst distance-fraud and passive distance fraud attacksaslong as the group contains at least two honest neighboringnodes (in the logical ring). A malicious node launching anyattacks will be detected by these two (or more) honest neigh-bors because the active DB between them can not be influ-enced byany other node. When immediate neighbors of anode exchange messages with their own neighbors, that nodeestablishes passive DBs on these two-hop neighbors. TheseDBs are established passively and can not be affected by anyother node because, as we have shown, passive DB is as se-

5This can be derived by analyzing the construction of linear equa-tions from observing messages. Any node can construct2N − 2independent equations from time of arrival of2N consecutive mes-sages (as each node sends two messages). These equations have2N − 2 unknowns,N unknowns for time of flight between pairsof neighboring nodes andN − 3 between the observing node andevery other node (see in Figure 6). There’s an additional unknown,the variablet0, corresponding protocol starting time. These equa-tions can be solved resulting in a unique solution.

Figure 5: Mutual Multi-Party GDB Example

Figure 6: Breaking down Mutual Multi-party GDB intoPassive DBs.

cure as active DB. This process is repeated until all DBs areestablished. The example in Figure 6 shows how nodeP1

uses interactions between different nodes in the group to es-tablish a DB on each of them.P1 establishes DB directlywith its neighborsP2 andP6, it then uses the messages ex-changed betweenP2 andP3 to establish a passive DB onP3

and those betweenP3 andP4 to DBP4 and betweenP4 andP5 to DB P5. This process is carried out by each node in-dependently during the protocol at different times resultingin secure DBs established to other nodes. The descriptionof Figure 6 is simplified to convey the intuition. In real-ity, when solving linear equations constructed from TDoAof messages, several equations resulting from different inter-actions will be used in computing each DB to a non neighbor(details are shown in Table 2). For example, in Table 2,P1

uses equations ofT7, T3 andT9 to DB P3, as opposed toT3

only as in the simplified explanation (Figure 6).To demonstrate how attacks can be detected consider how

each node computes DBs from the arrival times of messagesas shown in Table 2. AssumingP1, P2 andP4 are honestandP3 is malicious.P3 can launch attacks by delaying itsmessages (number3 and7) by δ1 andδ2 respectively. Thisattack will be detected becauseDBP1,P2 computed byP1,and that computed byP2 will not be the same. This will bedetected when nodes broadcast their computed DBs at theend of the protocol.P1 will computeDBP1,P2 = T2/2 =tP1,P2 (from message2 in the column forP1), whereasP2

will computeDBP1,P2 = T5 − tP2,P3 − tP3,P4 − tP1,P4 =tP1,P2 − (δ1 +

δ22 ) (from messages5 and3 and steps (a) and

(b) in the last row of the column forP2). A similar detection

6

Msg Participant 1 (P1) Participant 2 (P2) Participant 3 (P3) Participant 4 (P4)1 Sender T1 = t0 + tP1,P2 T1 = t0 + tP1,P3 T1 = t0 + tP1,P42 T2 = 2tP1,P2 → DBP1,P2 Sender T2 = t0 + tP1,P2 + tP2,P4 + tP2,P3 T2 = t0 + tP1,P23 T3 = tP1,P2 + tP2,P3 + tP3,P1 T3 = 2tP2,P3 → DBP2,P3 Sender T3 = t0 + tP1,P2 + tP2,P3 + tP3,P44 T4 = tP1,P2 + tP2,P3 + tP3,P4 T4 = tP2,P3 + tP3,P4 + tP2,P4 T4 = 2tP3,P4 → DBP3,P4 Sender

+tP4,P15 Sender T5 = tP2,P3 + tP3,P4 T5 = tP3,P4 T5 = 2tP4,P1 → DBP4,P1

+tP4,P1 + tP1,P2 +tP4,P1 + tP1,P36 T6 = 2tP1,P4 → DBP1,P4 T6 = tP2,P3 + tP3,P4 T6 = 2tP3,P4 + 2tP4,P1 Sender

+2tP4,P1 + tP4,P27 T7 = tP1,P4 + tP3,P4 T7 = 2tP2,P3 + 2tP3,P4 Sender T7 = 2tP4,P3 → DBP4,P3

+tP3,P1 +2tP4,P18 T8 = tP1,P4 + tP3,P4 Sender T8 = 2tP3,P2 → DBP3,P2 T8 = tP4,P3

+tP2,P3 + tP1,P2 +tP3,P2 + tP2,P4

(a)T7 + T3 − T4 = 2tP1,P3 (a)T6 − T4 = 2tP1,P4 (a)T6 − 2tP3,P4 = 2tP1,P4 (a)T8 + T2 − T3

→ DBP1,P3 (b) T7 − T3 + T4 − T6 (b) T5 − tP3,P4 = 2tP4,P2 → DBP4,P2= 2tP3,P4 −tP1,P4 = 2tP1,P3(c) T6 − tP2,P3 − tP3,P4 → DBP1,P3−2tP1,P4 = tP2,P4 → DBP2,P4(d) T5 − tP2,P3 − tP3,P4−tP1,P4 = tP1,P2 → DBP2,P1

Table 2: Message Reception Times and Constructed Equationsin the Mutual Multi-Party GDB Protocol for Figure5 (ti,j = tj,i, tx,y → DBx,y means thatDBx,y can be directly computed from tx,y, the last row shows additionalcomputation required to establish the DBs).

will occur betweenP2 andP4 but based onDBP2,P4 . Evenif P3 andP4 are both malicious and colluding, the attackwill be detected becauseDBP1,P2 computed byP2 will beDBP1,P2 = tP1,P2 − δ2

2 (assumingP3 delays its messagesby δ1 andδ2 respectively, whereasP4 delays its message byδ3 andδ4). Variations in computed DBs can be detected if atleast two honest nodes are neighbors in the constructed ring.

Node authentication in this protocol can be achieved usingtraditional public key signatures. Each node initially broad-casts its public key certificate in the commitment phase. Onceall (2nN ) protocol rounds are completed, each node hashesall exchanged challenges and responses and signs the result-ing hash. Recall that all nodes receive all challenges andresponses due to wireless broadcast. All signatures are thenbroadcasted and each node verifiesN − 1 signatures. Allnodes are authentic if all signatures verify successfully.

4. DB EXTENDED TO GROUP SETTINGSWe now show how to construct protocols for the two most

general GDB cases: (1)M provers andN verifiers (MPNV)in one-way GDB, and (2) NtoM in mutual GDB. All othercases can be obtained by setting the values ofN andM asdesired. For comparison, we consider a basic GDB proto-col where nodes sequentially engage in a naıve single proversingle verifier (mutual) DB. In each case we propose an al-ternative approach based on passive DB, mutual multi-partyGDB or one-to-many mutual DB. We assume thatn roundsof DB are required in all cases.

4.1 One-Way MPNV GDBIn this case nodes either act as provers or as verifiers.

The goal at the end of the protocol is for allN verifiersto have DBs to allM provers. In a naive MPNV proto-col, each prover interacts sequentially inn rounds of DBwith each verifier. This is repeated untilall provers have

interacted with all verifiers. The total number of messagesis: (2n · N · M). When constructing a protocol for thisgroup setting based on passive DB there are two parametersto consider: (1) the number of active and passive DB roundsperformed by each verifier and (2) how the active verifiersare selected (i.e., deterministic or probabilistic). The secondparameter does not affect the challenges and responses andhow every node performs DB but has an effect on the se-curity if verifiers are compromised (discussed in Section 5).Active verifiers can be selected randomly or by any leaderelection protocol (e.g., [16]), the rest will be passive veri-fiers. Other strategies could be explored but are out of scopeof this paper. The number of active verifiers, active roundsand how many perform passive rounds affects the number ofmessages required, the time needed for completing the pro-cess and the security of the DB. If all verifiers are treatedequally two parameters can be used to describe a generalprotocol: (1) the number of active verifiers and (2) the num-ber of active rounds by each verifier. If each of theN veri-fiers is required to performn rounds of DB, we call the num-ber of active roundsna (and passive roundsnp = n − na).We denote withda the fraction of verifiers which performna active rounds. The remaining verifiers perform passiverounds. Each verifier will have(da · (N − 1) · na) oppor-tunities to execute passive DB with each of theM provers.Two interesting cases are obtained by settingda = 1/N andna = n, only one verifier interacts actively with all provers,and by settingda = 1 andna = n/N all verifiers interactequallywith all provers. By varying these two parameters(na andda) one can obtain a protocol with the required se-curity level and less messages than sequential pairwise inter-action (performance and security analysis in Section 5).

4.2 Mutual NtoM GDBIn the general case ofNtoM mutual DB there are two

7

Setting Base Case Our ProtocolNumber of Messages Number of Messages

MPNV 2n · N · M (2na + 1) · (N · da) · M1PNV (2n + 1) · N (2na + 1) ·N · da

MP1V (2n + 1) · M 2n +∑M−1

j=1 (j + 1)

·(n − ((M − 1) − j))

1toM 4n · M n · (2M + 1)NtoM 4n · N · M 2n · (N + M)

Table 3: Number of Messages in GDB Protocols.

groups,G1 andG2, of N andM nodes respectively.Allnodes inG1 are required to establish DBs toeach of thenodes inG2 and vice versa, i.e., there is a total of2N · M(butN · M unique) DBs to be established. There are threeapproaches to construct GDB protocols for this setting: (1)based on one-way passive DB, (2) mutual multi-party GDBor (3) one-to-many mutual DB.

(1) NtoM Using Passive DB: A fraction (d1) of nodes inG1, d1 · N , will establishna1 active andnp1 passive DBrounds with each of theM nodes inG2. The rest of the(1 − d1)N nodes inG1 establishonly passive rounds. Thisstep involves one-way DB so at the endonly nodes inG1

will establish DBs to nodes inG2. Nodes inG2 are requiredto perform a similar step whered2 ·M nodes establishna2

active andnp2 passive rounds of DB with each of theNnodes inG1. The rest of the(1 − d2)M nodes inG2 estab-lish onlypassive rounds. After this step all nodes inG2 willhave established one-way DBs to nodes inG1. This proto-col requires nodes inG1 to trust each other and know eachother’s locations or distances separating them (same forG2).

(2) NtoM Using Mutual Multi-Party GDB: All the nodesin both groups can be regarded as one group of sizeN +M .TheN +M nodes can engage in a mutual multi-party GDBprotocol as shown in Section 3.3, i.e., the general case of theexample of Figure 5. Such a protocol will require2n(N +M) messages. At the end each node will have DBs to all theN+M−1 other nodes. Some of these DBs are not required,since we assumed that nodes inG1 (andG2) don’t performDB on other nodes in the same group.

(3) NtoM Using One-to-Many Mutual DB: Each of theNnodes inG1 engages in a one-to-many mutual DB protocoldescribed in Section 3.2 with allM nodes inG2. This is aone-to-many mutual DB, so all nodes inG2 will also estab-lish a DB to each node inG1. The total number of messagesin such a protocol will be:nN · (2M + 1).

5. PERFORMANCE AND SECURITY ANAL-YSIS

We first analyze performance of proposed GDB protocols.We then consider security of active DB in group settings,passive DB with untrusted verifiers and their combination.Our GDB protocols either use mutual multi-party GDB ora combination of passive and active DB. Their security canbe understood by analyzing the underlying mechanisms andcombinations thereof. Correctness and security of passiveDB and mutual multi-party GDB are analyzed in Sections

3.1 and 3.3 respectively.

5.1 Performance of GDB ProtocolsTable 3 compares number of messages required in one-

way and mutual GDB protocols to the base case (runningpairwise DB between nodes). Table 4 shows total time re-quired to compute all DBs. We compare against this basecase because there are no previous proposals for GDB. OurNtoM protocol in both tables is based on mutual multi-party GDB. Our proposals require fewer messages and de-pend on the fraction of active verifiers and active roundsperformed. In the MPNV case, only (na · da) messagesare required, wherena is the fraction of active rounds per-formed by the fraction of active verifiers,da. Figure 7(c)shows how the number of messages increases as a functionof the fraction of active rounds and active verifiers (M=10provers and N=10 verifiers and n=10 DB rounds). Figure7(d) shows how the number of messages varies with thenumber of provers and verifiers (to illustrate this dependencywe assume that number of provers is the same as number ofverifiers,N = M , and that fraction of active rounds is equalto fraction of active verifiers,na = da). In the case of 60nodes (30 provers and 30 verifiers) if the fraction of activeverifiers and active rounds is reduced to0.8, 33% of mes-sages can be saved. Decreasing this fraction to0.6 savesmore than55% of messages. Similar savings are also attain-able for lower and larger numbers of provers/verifiers.

5.2 Security of Active DB vs Mutual Multi-Party GDB

The probability of a single prover successfully cheatinga single verifier decreases exponentially with the number ofDB rounds (n) in an active DB protocol. Forn rounds aprover has2−n chance to successfully guess all challengebits and send responses ahead of time. This tricks the verifierinto measuring a shorter round trip time of flight6. A Veri-fier in an active DB protocol does not have to trust any otherentity. In group settings where each pair of provers verifiersengage in an active DB protocol, these security guaranteesstill hold. However, active DB in group settings is insecureifused for localization. When a prover actively interacts witheach verifier separately, it can selectively enlarge its distanceby delaying messages. Verifiers will incorrectly localize theprover using such DBs. Secure-localization schemes mustalways requireat least threeverifiers to interact with theproversimultaneously. The mutual multi-party GDB proto-col achieves this by design. In mutual multi-party GDBallnodes participate simultaneously in thesameprotocol andoverhear each other’s messages. A node can not selectivelydelay messages to other nodes, it can either delay them toallnodes ornone.

62−n is the probability for Brands-Chaum protocol [4], whereasin some other protocols like Hancke-Kuhn [13], this probability is(3/4)−n.

8

Setting Base Case Time Our Protocol TimeMPNV 2n ·

∑Ni=1

∑Mj=1 tVi,Pj

(2na + 1) ·∑da·N

j=1

∑Mk=1 tPk,Vj

1PNV 2n ·∑

Ni=1 tP,Vi

(2na + 1) ·∑da·N

j=1 tP,Vj

MP1V 2n ·∑j

i=1 tV,Pi, j ∈ 1,M (n · max(tV,Pi

)) +∑M−1

i=1 tV,Pi

1toM 4n ·∑

Mj=1 tPi,Pj

2n ·∑M+1

j=1 tPj ,P(j+1)mod(M+1)

NtoM 4n∑N

i=1

∑Mj=1 tPi,Pj

2n · (N + M)max(tPi,Pj),

∀i, j ∈ {1,M}

Table 4: Time Required in GDB Protocols.

5.3 Security of Passive DB with Untrusted Ac-tive Verifiers

Passive DB with untrusted verifiers is mainly useful inMANETs, where nodes continuously encounter new peers.Passive DB is secure if the active verifier behaves honestlyand is trusted as shown in Section 3.1. This will be the casein a fixed (or mobile) verification infrastructure with priorsecurity association, or under the control of one administra-tive entity. A malicious active verifier can undermine secu-rity of passive DB as follows:

(1) Reporting a Fake Location (or Distance):A passiveverifier requires the exact location or the distance to the ac-tive one in order to be able to construct the DB as shown inSection 3.1. The passive verifier will wrongfully computethe hyperbola (in Equation 10), if the active verifier reportsan incorrect location or distance, leading to a wrong passiveDB.

(2) Sending Early Challenges: Even if the active verifierreports its location or distance correctly, it can send newchallenges prematurely. This leads the passive verifier to be-lieve that the prover is closer than it actually is (as shown inFigure 3).Vp wrongfully computes the distancedVa,P inter-secting incorrectly with the hyperbola (as shown in Figure4(a)), and leading to a wrong DB.

An essential aspect of passive DB is implicit trust thatthe active verifier is behaving honestly, i.e., not cheatingbyperforming either of the previous two attacks. We devise ametric, theDB Correctness(DBC), to illustrate the effec-tiveness of passive DB in the presence of such attacks. WedefineDBC for n rounds of passive DB as follows:

DBC = 1− 2n·(Prch(Va)−1) (12)

wherePrch(Va) is the fraction of rounds in whichVa

cheats. Note that cheating in passive DB is different thanin active DB. In active DB,P is the one cheating, whereasin passive DB we are concerned with the case whereVa isthe one cheating. WhenVa does not cheat in any DB rounds,Prch(Va) will be 0 andDBC = 1 − 2−n. WhenVa cheatsin all DB roundsPrch(Va) will be 1 andDBC = 0. Theaverage correctness (DBCavg) in a DB to a given prover,obtained by a passive verifier, in the case ofN active veri-fiers (Va1 , Va2 ...VaN

,) (each engaging inn1, n2...nN roundsof DB respectively) is computed as the average of individual

DBC for each verifier:

DBCavg =N −

∑Ni=1 2

ni·(Prch(Va(i))−1)

N(13)

Figure 7(a) shows howDBCavg is affected by varyingfraction of rounds in which active verifiers cheat (x-axis) andthe fraction of cheating active verifiers. In the case consid-ered (10 verifiers and 10 DB rounds) even if 50% of the ac-tive verifiers cheat in 50% of their rounds, the DB will beestablished correctly over 98% of the time. As long as lessthan half of the active verifiers cheat in less than 90% of theirrounds, the DB will be correct more than 70% of the time.

5.4 Combined Passive/Active DB SecurityWhen a verifier performsna active rounds andnp passive

rounds both can be combined to obtain a more stable DB.We estimate the correctness in such a combined DB usinga metric (DBCa/p) as follows (note that both passive andactive rounds have to result in the same DB):

DBCa/p = 1− (2−na ·

∑Ni=1 2

np(i)·(Prch(Va(i))−1)

N) (14)

If all other active verifiers cheat in all their DB rounds,DBCa/p becomes that of the active rounds performed bya verifier only, i.e.,1 − (2−na). Otherwise the likelihoodof correctness of the established DB increases with any ad-ditional passive rounds. Figure 7(b) shows how theDB isaffected by cheating of active verifiers during passive DB byshowing howDBCa/p changes. In the case considered (10verifiers) even if only two rounds of active (na) DB are per-formed and as long as the fraction of rounds being cheatedin is less than 1 correctness of the DB captured byDBCa/p

increases. Even if the probability of cheating in passive DBrounds is as high as 0.5,DBCa/p will increase to over 0.95if there are four or more opportunities to do passive DB.

6. RELATED WORKDB was first proposed in [4] to enable asingle verifierto

determine an upper-bound on the physical distance to asin-gle proverand authenticate it as summarized in Section 2.1.Several optimizations and studies of DB were then consid-ered. In particular, [18] studied information leakage in DBprotocols as a privacy problem that should be avoided. Inour work, we start from this observation to construct pas-sive DB and the mutual multi-party GDB protocol. [25]proposed a mutual DB protocol by interleaving challengesand responses but also between a single prover and a singleverifier. [23], [21] and [6] investigated using DB protocolsfor location verification and secure localization with threeverifiers. The setting in [23] is a special case of MPNVwith M = 1 andN = 3. [20] investigated the so-called“in-region verification” and claimed that, for certain appli-cations, such as sensor networks and location-based accesscontrol, in-region verification is a better match than locationdetermination. [8] and [7] considered collusion attacks on

9

0.5

0.6

0.7

0.8

0.9

1

0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

DB

Cav

g

Fraction of Rounds where Active Verifiers Cheat

10% Cheating Active Verifiers20% Cheating Active Verifiers30% Cheating Active Verifiers40% Cheating Active Verifiers50% Cheating Active Verifiers

(a)

0.75

0.8

0.85

0.9

0.95

1

0 0.2 0.4 0.6 0.8 1

DB

Ca/

p

Fraction of Rounds where Active Verifiers Cheat

np=10*na (na=2)np=5*na(na=2)np=2*na(na=2)

np=na(na=2)

(b)

0

500

1000

1500

2000

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Num

ber

of M

essa

ges

Fraction of Active DB Rounds

Base Caseda=0.2da=0.4da=0.6da=0.8da=1.0

(c)

0

10000

20000

30000

40000

50000

0 10 20 30 40 50

Num

ber

of M

essa

ges

Number of Provers/Verifiers

Base Caseda=0.2da=0.4da=0.6da=0.8da=1.0

(d)

Figure 7: (a) DBCavg (Equation 13) and (b) DBCa/p (Equation 14) vs Probability of Cheating in Rounds with TenVerifiers (N=10); (c) and (d) Number of Messages in Passive DBbased MPNV Protocol

DB location verification protocols. Other work, such as [26]looked at using time difference of arrival (TDoA) to deter-mine location of transmitters. [26] proposed using TDoA inthe context of Ultra-Wideband (UWB). The work in [24, 14]recently implemented the first RF based TDoA secure local-ization system using commercial off-the-shelf UWB rangingdevices. DB was also studied in the context of ad-hoc net-works (e.g., [25]), sensor network (e.g., [15] [6]) and RFID(e.g., [9] [13]) applications. Finally, DB has been used todevelop secure proximity based access control protocols forimplementable medical devices in [17] and implemented us-ing commercial off-the-shelf electronic components in [19].

To summarize, our work differs from prior results, since:(1) we introduce for the first timepassive DBand themutualmulti-party GDB protocolwhich are more suitable for groupsettings, (2) we consider general GDB cases with multipleprovers and multiple verifiers (in the one-way and mutualDB settings), (3) we study a large spectrum of possible pro-tocol designs and (4) consider node authentication in bothone-way and mutual GDB.

7. DISCUSSION AND CONCLUSIONThis paper presents the first investigation of group dis-

tance bounding (GDB). GDB is a fundamental mechanismfor secure operation in wireless networks where verifyingdistances between, or locations of, groups of nodes is re-quired. We have shown how to construct protocols that aremore efficient and secure than applying existing DB tech-niques in group settings. We made minimal assumptionsabout GDB settings to make our proposals as general as pos-sible. However we acknowledge two open issues: (1) It re-mains an open question whether a passive verifier can pas-sively establish a DB without knowing the location of (ordistance to) an active one, while perhaps knowing other in-formation about distances to other nodes. (2) We have notaddressed denial-of-service attacks in group settings (i.e.,noisy environments). We note though that single prover sin-gle verifier DB in noisy environments has been addressed inboth the one-way and mutual cases in [13, 22].

8. REFERENCES[1] Multispectral Solutions Inc., Urban Positioning System (UPS).

http://www.multispectral.com.[2] RFC1677-Tactical Radio Frequency Communication Requirements for IPng.

http://www.faqs.org/rfcs/rfc1677.html.

[3] A. Francillion B. Danev and S.Capkun. Relay attacks on passive keyless entryand start systems in modern cars. InCryptology ePrint Archive: Report2010/332, 2010.

[4] S. Brands and D. Chaum. Distance-bounding protocols. InEUROCRYPT ’93,pages 344–359. Springer-Verlag New York, Inc., 1994.

[5] E. Callaway and P. Gorday et. al et. al. Home networking with ieee 802.15.4: adeveloping standard for low-rate wireless personal area networks.Communications Magazine, IEEE, 40(8):70–77, aug 2002.

[6] S. Capkun and J. Hubaux. Secure positioning of wireless devices withapplication to sensor networks. InIEEE INFOCOM, 2005.

[7] N. Chandran, V. Goyal, R. Moriarty, and R. Ostrovsky. Position basedcryptography. InCRYPTO ’09, pages 391–407, Berlin, Heidelberg, 2009.Springer-Verlag.

[8] Jerry T. Chiang, Jason J. Haas, and Yih-Chun Hu. Secure and precise locationverification using distance bounding and simultaneous multilateration. InACMWiSec ’09, pages 181–192.

[9] S. Drimer and S. Murdoch. Keep your enemies close: distance bounding againstsmartcard relay attacks. InSS’07: Proceedings of 16th USENIX SecuritySymposium, Berkeley, CA, USA, 2007. USENIX Association.

[10] F. Roesner et al. A. Czeskis. Experimental security analysis of a modernautomobile.In IEEE Symposium on Security and Privacy, 0:447–462, 2010.

[11] O. Chen et al. C. Chen. Gangs: gather, authenticate ’n group securely. InMobiCom’08, pages 92–103, New York, NY, USA. ACM.

[12] Fredrik Gunnarsson. Positioning using time-difference of arrival measurements.In In Proceedings of the IEEE International Conference on Acoustics, Speech,and Signal Processing, 2003.

[13] G. Hancke and M. Kuhn. An rfid distance bounding protocol. InSECURECOMM ’05, pages 67–73, Washington, DC, USA, 2005. IEEEComputer Society.

[14] H. Luecken M. Kuhn and N. Tippenhauer. UWB impulse radiobased distancebounding. InProceedings of the Workshop on Positioning, Navigation andCommunication (WPNC), 2010.

[15] C. Meadows, P. Syverson, and L. Chang. Towards more efficient distancebounding protocols for use in sensor networks. InSecurecomm and Workshops,2006, pages 1–5, 28 2006-Sept. 1 2006.

[16] J. Welch N. Malpani and N. Vaidya. Leader election algorithms for mobile adhoc networks. InDIALM’00, pages 96–103.

[17] K. Rasmussen, C. Castelluccia, T. Heydt-Benjamin, andS.Capkun.Proximity-based access control for implantable medical devices. InACMCCS’09, 2009.

[18] K. Rasmussen and S.Capkun. Location privacy of distance bounding protocols.In ACM CCS ’08, pages 149–160, 2008.

[19] K. Rasmussen and S.Capkun. Realization of rf distance bounding. InProceedings of the USENIX Security Symposium, 2010.

[20] N. Sastry, U. Shankar, and D. Wagner. Secure verification of location claims. InWiSe ’03: Proceedings of the 2nd ACM workshop on Wireless security, NewYork, NY, USA, 2003. ACM.

[21] V. Shmatikov and M. Wang. Secure verification of location claims withsimultaneous distance modification. InASIAN, 2007.

[22] D. Singelee and B. Preneel. Distance bounding in noisy environments. InESAS2007, volume 4572 ofLecture Notes in Computer Science, pages 101–115,Cambridge,UK. Springer-Verlag.

[23] D. Singelee and B. Preneel. Location verification usingsecure distancebounding protocols. InMobile Adhoc and Sensor Systems Conference, 2005.IEEE International Conference on, Nov. 2005.

[24] N. Tippenhauer and S.Capkun. Id-based secure distance bounding andlocalization. InIn Proceedings of ESORICS (European Symposium on Researchin Computer Security), 2009.

[25] S. Capkun. L. Buttyan and J. Hubaux. Sector: secure tracking of nodeencounters in multi-hop wireless networks. InACM SASN’03, pages 21–32,New York, NY, USA. ACM.

[26] D. Young, C. Keller, D. Bliss, and K. Forsythe. Ultra-wideband (uwb)transmitter location using time difference of arrival (tdoa) techniques. volume 2,pages 1225–1229 Vol.2, Nov. 2003.

10