hHB: A Harder HB
+
Protocol
Ahmad Khoureich Ka
Dept. of Computer Science, Alioune Diop University of Bambey, Bambey, Senegal
Keywords:
RFID, Authentication, LPN, HB
+
, Man-In-the-Middle.
Abstract:
In 2005, Juels and Weis proposed HB
+
, a perfectly adapted authentication protocol for resource-constrained
devices such as RFID tags. The HB
+
protocol is based on the Learning Parity with Noise (LPN) problem and
is proven secure against active adversaries. Since a man-in-the-middle attack on HB
+
due to Gilbert et al.
was published, many proposals have been made to improve the HB
+
protocol. But none of these was formally
proven secure against general man-in-the-middle adversaries. In this paper we present a solution to make the
HB
+
protocol resistant to general man-in-the-middle adversaries without exceeding the computational and
storage capabilities of the RFID tag.
1 INTRODUCTION
Radio-frequency identification (RFID) belongs to the
family of Automatic Identification systems. RFID
system consists of tags and readers that communicate
wirelessly. The RFID tag attached to an object can
be used for access control, product tracking, identi-
fication, etc. Since the tag is programmable, a mali-
cious person can then create counterfeit tags and ben-
efit from it. Hence the need to secure the protocol run
between the tag and the reader.
RFID tags have a low computational and storage
capacity. Therefore, it is impossible to use classical
cryptographic algorithms to secure the protocol they
execute. At Crypto 2005, Juels and Weis proposed
HB
+
(Juels and Weis, 2005), a perfectly adapted au-
thentication protocol for resource-constraineddevices
such as RFID tags. The protocol consists of a number
of rounds of challenge-response authentication. HB
+
is based on the Learning Parity with Noise (LPN)
problem — which is known to be NP-Hard — and
is proven secure against active adversaries (Katz and
Shin, 2006; Juels and Weis, 2005). Since a simple
man-in-the-middle attack on HB
+
due to Gilbert et
al (Gilbert et al., 2005). was published, many pro-
posals (Bringer et al., 2006; Duc and Kim, 2007;
Munilla and Peinado, 2007; Bringer and Chabanne,
2008; Leng et al., 2008) have been made to improve
the HB
+
protocol. But none of these was formally
proven secure against general man-in-the-middle ad-
versaries (Gilbert et al., 2008b; Frumkin and Shamir,
2009; Ouafi et al., 2008).
In this paper we present a solution to make HB
+
resistant to general man-in-the-middle adversaries
without exceeding the computational and storage ca-
pabilities of the RFID tag.
Our paper is organized as follow: (1) we give a
definition of the LPN problem, (2) we describe the
HB
+
protocol, (3) we present our protocol based on
HB
+
and provide security proofs, (4) we conclude
with some observations and future work.
2 THE LPN PROBLEM
The LPN problem is a very known one (Blum et al.,
1994; Kearns, 1998; Hopper and Blum, 2000; Hop-
per and Blum, 2001; Blum et al., 2003; Regev, 2009;
Berlekamp et al., 1978). Let hw(v) denote the Ham-
ming weight of a binary vector v.
Definition 2.1. Let A be a random q×k binary vector
matrix, let x be a random k-bit vector, let ε ∈]0,
1
2
[ be
a constant noise parameter, and let ν be a random
q-bit vector such that hw(ν) < εq. Given A, ε, and
z = (A · x) ⊕ ν, find a k-bit vector x
′
such that hw(A ·
x
′
⊕ z) ≤ εq.
The difficulty of finding x (solving the LPN)
comes from the fact that each bit of A · x is flipped
independently with probability ε, thus making hard to
get a system of linear correct equations in x which can
be easily solved using the Gaussian elimination.
Let Ber
ε
denote the Bernoulli distribution with pa-
rameter ε, (i.e. ν ← Ber
ε
, Pr[ν = 1] = 1 − Pr[ν =
163
Khoureich Ka A..
hHB: A Harder HB+ Protocol.
DOI: 10.5220/0005500001630169
In Proceedings of the 12th International Conference on Security and Cryptography (SECRYPT-2015), pages 163-169
ISBN: 978-989-758-117-5
Copyright
c
2015 SCITEPRESS (Science and Technology Publications, Lda.)
0] = ε) and let A
x,ε
be the distribution define by {a ←
{0, 1}
k
;ν ← Ber
ε
: (a, a· x⊕ν)}. One consequence of
the hardness of the LPN problem with noise parame-
ter ε is that A
x,ε
is indistinguishable from the uniform
distribution U
k+1
on (k+ 1)-bit strings; see (Katz and
Shin, 2006).
Although many algorithms solving the LPN prob-
lem has been published (Blum et al., 2003; Levieil
and Fouque, 2006; Fossorier et al., 2006), the current
most efficient one due to Blum, Kalai, and Wasser-
man (Blum et al., 2003) has a runtime of 2
O(
k
logk
)
.
3 THE HB
+
PROTOCOL
HB
+
is an authentication protocol based on the LPN
problem and designed for low-cost devices like RFID
tags. The protocol consists of r = r(k) challenge-
response authentication rounds between the reader
and the tag who share two random secrets keys x and
y of length k. A round consists of the following steps
(see fig 1 for a graphical representation):
1. the tag randomly chooses and sends to the reader
a vector b ← {0, 1}
k
called ”blinding factor”,
2. the reader randomly chooses and sends to the tag
a challenge vector a ← {0, 1}
k
3. the tag gets a bit ν following Ber
ε
and responses
to the reader by sending a bit z = a · x⊕ b· y⊕ ν,
4. the reader accepts the authentication round if a ·
x⊕ b· y = z.
The parameters of HB
+
are: the shared secrets x
and y each of length k, the number of rounds r = r(k),
the Bernoulli parameter ε and the threshold u = u(k).
The threshold u is such that it is greater than ε · r so
the reader accepts the tag if the number of rounds for
which Verify a · x⊕ b· y = z returns false is less than
u. Because of ν in the response z of the tag, the prob-
ability that an authentication round be unsuccessful
even for the honest tag is not null. Therefore the event
called false rejection that the reader rejects an honest
tag happens with probability
P
FR
=
r
∑
i=u+1
r
i
ε
i
(1− ε)
r−i
.
At the same time an adversary sending random re-
sponses z to the reader can be accepted with probabil-
ity
P
FA
=
1
2
r
u
∑
i=0
r
i
.
This event is called false acceptance. Fortunately
these probabilities (P
FR
and P
FA
) are negligible in k
because r = r(k) (the use of Chernoff bound helps to
see it).
3.1 Attacks on HB
+
HB
+
is in fact an improvement of an earlier protocol
named HB (Hopper and Blum, 2001) which is secure
against passive attack but vulnerable to active ones.
In an active attack the adversary plays the role of a
reader and tries to get the secrets from an honest tag.
HB
+
is proven secure against this type of attack (Katz
and Shin, 2006; Juels and Weis, 2005) but is defense-
less against more powerful adversaries like man-in-
the-middle (MIM). In such attacks the adversary stays
between the reader and the tag and have the abilities
to tamper with messages exchanged between them.
In (Gilbert et al., 2005) Gilbert, Robshaw, and Sil-
bert present a MIM-attack against HB
+
called GRS
attack. The attack is depicted in fig 2. In the GRS
attack, in order to reveal the secret x, the adversary
does not need to modify all the messages exchanged
between the tag and the reader but only the challenge
vector a. The adversary adds a perturbation δ on the
challenge vector a and looks if the whole authentica-
tion process will be successful or not. The reader will
verify if a
′
· x⊕ b· y = z that is if δ · x ⊕ ν = 0. If the
honest tag continues to be authenticated normally i.e.
with negligible fails (P
FR
) then the whole authentica-
tion process is not disturbed and it means that δ· x = 0
otherwise δ · x = 1. By using δ = e
i
the vector with 1
at position i and 0s elsewhere, the adversary gets the
bit x
i
of x. By repeating the attack k times with differ-
ent δ the adversary gets the whole secret x.
Much work (Bringer et al., 2006; Duc and Kim,
2007; Munilla and Peinado, 2007; Bringer and Cha-
banne, 2008; Leng et al., 2008) has been done in order
to propose a protocol based on the LPN problem and
resistant to the GRS attack. But none of these has
been formally proven secure against general man-in-
the-middle attacks (Gilbert et al., 2008b; Frumkin and
Shamir, 2009; Ouafi et al., 2008).
4 OUR PROPOSAL
Intuitively we believe that the weakness of HB
+
to
the man-in-the-middle attack is due to the fact that
the secret x does not change. This intuition is rein-
forced by our observation of RANDOM-HB
#
(Gilbert
et al., 2008a) — partially resistant to this type of at-
tack (GRS attack), see (Ouafi et al., 2008) — which
can be viewed as an HB
+
protocol where the secret
x varies in each round (although in fact parallel) but
remains fixed for each instance of the protocol.
The main idea is to let the reader choose a random
k-bit secret x and then sends it to the tag in a secure
way. Our protocol denoted hHB for harder HB
+
con-
SECRYPT2015-InternationalConferenceonSecurityandCryptography
164
Tag(x,y) Reader(x,y)
b ← {0, 1}
k
b
a ← {0, 1}
k
a
ν ← Ber
ε
z = a· x⊕ b · y⊕ ν
z
Verify a· x ⊕ b · y = z
Figure 1: A round of the HB
+
Protocol.
Tag(x,y) Reader(x,y)
b ← {0, 1}
k
b
a ← {0, 1}
k
a
a
′
= a⊕ δ
ν ← Ber
ε
z = a
′
· x ⊕ b · y⊕ ν
z
Verify a· x ⊕ b · y = z
Figure 2: The GRS attack. The adversary adds a perturbation on the challenge vector a and looks if the whole authentication
process will be disturbed or not.
sists of two stages. In the first stage the reader selects
a random secret x that it transmits to the tag and in
the second stage hHB is identical to HB
+
. The secret
x is transmitted bit by bit from the reader to the tag.
The reader randomly selects three bits (τ, ξ
0
, ξ
1
) and
sets the value x
i
(a bit of x) to ξ
τ
. After that the three
bits are randomly permuted by a function f
s
(see Al-
gorithm 1 and 2) and securely communicated to the
tag using the vector s ⊕ p
i
where s is a shared secret
and p
i
a vector obtained from the prefix of length i of
x, p
i
= x
1
x
2
...(x
i
)
(|s|−i+1)
. This operation is repeated
|x| + 1 times. The hHB protocol is outlined in figure
3. The first triplet transmitted is used for the initial-
ization of p
0
and the following triplets for the trans-
mission of x. In order to cancel the effet of a MIM
attack on the first triplet, the c
i
vectors used for the
second triplet (only for this one) are chosen such that
their Hamming weight are even. The second stage
of hHB is identical to a round of HB
+
and is run r
times. An authentication round is successful if Verify
a · x ⊕ b · y = z returns true. The reader accepts the
tag if the number of unsuccessful rounds is less than
a threshold u.
Algorithm 1: Function f
s
that permutes elements of
a triplet (λ
1
, λ
2
, λ
3
).
function f
s
(λ
1
, λ
2
, λ
3
, p
i
)
c
1
← {0, 1}
k
t
1
= c
1
· (s⊕ p
i
) ⊕ λ
1
c
2
← {0, 1}
k
t
2
= c
2
· (s⊕ p
i
) ⊕ λ
2
c
3
← {0, 1}
k
t
3
= c
3
· (s⊕ p
i
) ⊕ λ
3
if λ
1
⊕ λ
2
⊕ λ
3
= 0 then
return ((c
3
,t
3
), (c
1
,t
1
), (c
2
,t
2
))
end if
if λ
1
⊕ λ
2
⊕ λ
3
= 1 then
return ((c
2
,t
2
), (c
3
,t
3
), (c
1
,t
1
))
end if
end function
5 SECURITY PROOFS
5.0.1 Notation and Security Definitions
We call negl any negligible function, that is which
tends to zero faster than any inverse polynomial. That
is, for any polynomial p(·) there exist an N such that
for all integer n greater than N we have negl(n) <
1
p(n)
.
The parameters of hHB are: the shared secrets s
hHB:AHarderHB+Protocol
165
Tag(s,y) Reader(s,y)
τ ← {0, 1} ξ
0
← {0, 1} ξ
1
← {0, 1}
(α, β, γ) = f
s
(τ, ξ
0
, ξ
1
, 0
|s|
)
(α, β, γ)
θ = ξ
τ
p
0
= θ
|s|
(τ, ξ
0
, ξ
1
) = f
−1
s
(α, β, γ, 0
|s|
)
θ = ξ
τ
p
0
= θ
|s|
Repeat k times
τ ← {0, 1} ξ
0
← {0, 1} ξ
1
← {0, 1}
(α, β, γ) = f
s
(τ, ξ
0
, ξ
1
, p
i−1
)
(α, β, γ)
x
i
= ξ
τ
p
i
= x
1
x
2
...(x
i
)
(|s|−i+1)
(τ, ξ
0
, ξ
1
) = f
−1
s
(α, β, γ, p
i−1
)
x
i
= ξ
τ
p
i
= x
1
x
2
...(x
i
)
(|s|−i+1)
Repeat r times. x = x
1
x
2
... x
k
b ← {0, 1}
k
b
a ← {0, 1}
k
a
ν ← Ber
ε
z = a· x⊕ b · y⊕ ν
z
Verify a· x ⊕ b · y = z
Figure 3: The hHB authentication protocol.
and y, the one-time secret x is of length k, the number
of rounds r = r(k) of its second part, the Bernoulli pa-
rameter ε and the threshold u = u(k). The parameters
ε, r and u are the same as for the HB
+
protocol.
Let T
s,y,ε,r
and R
s,y,ε,u,r
denote the algorithms re-
spectively run by the honest tag and the honest reader
in the hHB protocol. Let k denote the security
parameter. An active attack is by definition per-
formed in two stages: first the adversary interacts q(k)
times with the tag, second she tries to authenticate to
the reader. Man-in-the-middle attacks requires more
power than active attacks. There the adversary can
tamper with all messages going from the reader to the
tag and vice versa for q(k) executions of the proto-
col, and after that tries to authenticate to the reader.
The adversary’s advantage according to the model of
attack can be defined as follow
Adv
active
A
(ε, u, r)
def
= Pr
h
s ← {0, 1}
k
; y ← {0, 1}
k
; A
T
s,y,ε,r
(1
k
) :
A, R
s,y,ε,u,r
= accept
i
,
Adv
mim
A
(ε, u, r)
def
= Pr
h
s ← {0, 1}
k
; y ← {0, 1}
k
; A
T
s,y,ε,r
,R
s,y,ε,u,r
(1
k
) :
A, R
s,y,ε,u,r
= accept
i
,
where
A, R
s,y,ε,u,r
denote an attempt of A to authenticate
to the reader.
Algorithm 2: Function f
−1
s
.
function f
−1
s
((c
1
,t
1
), (c
2
,t
2
), (c
3
,t
3
), p
i
)
λ
1
= c
1
· (s⊕ p
i
) ⊕ t
1
λ
2
= c
2
· (s⊕ p
i
) ⊕ t
2
λ
3
= c
3
· (s⊕ p
i
) ⊕ t
3
if λ
1
⊕ λ
2
⊕ λ
3
= 0 then
return (λ
2
, λ
3
, λ
1
)
end if
if λ
1
⊕ λ
2
⊕ λ
3
= 1 then
return (λ
3
, λ
1
, λ
2
)
end if
end function
5.1 Security of the hHB Protocol
against Active Attacks
Theorem 5.1. If HB
+
with parameters 0 < ε <
1
2
, r =
r(k) and u > ε· r is secure against active attacks then
hHB with the same settings of parameters is secure
against active attacks.
Proof. Let A be a probabilistic polynomial-time
adversary interacting with the hHB tag in at
SECRYPT2015-InternationalConferenceonSecurityandCryptography
166
most q executions of the protocol and achieving
Adv
active
A
(ε, u, r) = δ.
We construct a probabilistic polynomial-time ad-
versary A
′
who performs an active attacks on HB
+
and uses A as a sub-routine. For the first phase of the
attack, A
′
simulates for A the hHB tag for q times as
follows:
1. A
′
receives the triplets (α
i
, β
i
, γ
i
) for i = 1..k + 1
sent by A.
2. A
′
forwards b sent by the honest HB
+
tag to A,
3. A replies to A
′
by sending a challenge vector a
which is then forwarded by A
′
to the honest HB
+
tag,
4. A
′
forwards z sent by the honest tag HB
+
to A,
Steps 2., 3. and 4. are run r times. For the second
phase of the attack, A
′
simulates for A the hHB reader
as follows:
5. A
′
generates k + 1 triplets (α
i
, β
i
, γ
i
) and sends it
to A,
6. A sends b to A
′
which it forwards to the honest
HB
+
reader,
7. A
′
sends to A the challenge vector a which it re-
ceived from the honest HB
+
reader,
8. A sends z to A
′
which it forwards to the honest
HB
+
reader,
Steps 6., 7. and 8. are run r times. It is not difficult to
see that the view of A when run as a sub-routine by A
′
is distributed identically to the view of A when per-
forming an active attack on hHB (Because even if A
has carefully chosen the triplets (α
i
, β
i
, γ
i
) it has sent
in step 1, the blinding vector b prevents it to distin-
guish the effects of its choices in the value of z). So,
Adv
active
A
(ε, u, r) = δ = Adv
active
A
′
,HB
+
(ε, u, r).
Because HB
+
is secure against active attack, there is
a negligible function negl such that
Adv
active
A
′
,HB
+
(ε, u, r) ≤ negl(k).
This implies that δ is negligible in k and completes
the proof.
5.2 Security of the hHB against MIM
Attacks on the Second Stage of the
Protocol
The second stage of the hHB protocol is identical to
HB
+
.
Theorem 5.2. Assume the LPN
ε
problem is hard,
where 0 < ε <
1
2
. Then the hHB protocol with pa-
rameters r = r(k) and u > ε· r is secure against man-
in-the-middle attacks on its second stage.
Proof. Let A be a probabilistic polynomial-time ad-
versary tempering with messages of the second stage
of hHB in at most q executions of the protocol and
achieving Adv
MIM
A
(ε, u, r) = δ.
In the first phase of its attack, A eavesdrops and
modifies messages at will in order to gain informa-
tions on secret x by correlating its actions with the
decision of the reader (acceptance or rejection). For
the second phase of the attack, we say for simplicity
that A uses values b = 0.
A has the probability δ of being authenticated by
the reader. This means with probability δ, A does a
good guess of the value of z in at least r − u rounds.
Therefore the probability that A gets an equation in
the secret x is at least δ
1
r−u
. On the other hand, be-
cause each bit x
i
of x comes from one element of a
triplet (α, β, γ), A gets a correct equation in x if she
finds the element of (α, β, γ) which corresponds to x
i
.
Let GoodChoice denote the event find the good ele-
ment in the triplet, F
1
the event all the elements in
the triplet are equal, F
2
the event two elements in the
triplet are equal and F
3
the event all the elements in
the triplet are distinct. Since the way in which x is
transmitted to the tag is an instance of the LPN prob-
lem and the application of f
s
, we have:
Pr[GoodChoice] =Pr[GoodChoice|F
1
] · Pr[F
1
] + Pr[GoodChoice|F
2
] · Pr[F
2
]
+ Pr[GoodChoice|F
3
] · Pr[F
3
]
=
1
(2
k
s
+1
)
2
1 +
3
2
(2
k
s
+1
− 1) +
1
3
(2
k
s
+1
− 1)(2
k
s
+1
− 2)
=
1
3
+
1
2
k
s
+2
+
1
6(2
k
s
+1
)
2
≤
1
3
+
1
2
k
s
+1
,
where k
s
is the length of s.
It follows that δ
1
r−u
≤
1
3
+
1
2
k
s
+1
, this implies that
δ ≤ (
1
3
+
1
2
k
s
+1
)
r−u
. Since k
s
and r − u are functions
of k, (
1
3
+
1
2
k
s
+1
)
r−u
is negligible in k then δ itself is
negligible. This completes the proof.
5.3 Security of the hHB against MIM
Attacks on the First Stage of the
Protocol
The first stage of the hHB protocol consists of the
transmission of the secret x from the reader to the tag.
Lemma 5.3. Let M be a square (n × n) matrix over
F
2
. If the Hamming weight of each row vector of M is
even then det(M) = 0.
Proof. For n = 1 and n = 2, it is easy to verify that
the lemma is true. Let’s prove it for n ≥ 3.
hHB:AHarderHB+Protocol
167
Let M be as in the lemma. M =
r
1
r
2
.
.
.
r
n
where r
i
=
m
i1
m
i2
··· m
in
. We sometimes use the same letter
M to denote the set of row vectors of the matrix M.
Assume toward a contradiction that det(M) 6= 0.
Let P
k
be the set of k-combinations of the set of inte-
gers {1, 2, . . . , n}. Consider
S
M
=
[
P∈P
k
;2≤k≤n
∑
i∈P
r
i
; r
i
the i-th row vector of M
the set of sums of row vectors of M. |S
M
| =
∑
n
k=2
n
k
= 2
n
− n − 1. Let E denotes the set of vec-
tors of even Hamming weight of F
n
2
. Since the sum
of binary vectors of even Hamming weight is a vec-
tor of even weight and det(M) 6= 0, the set S
M
is a
subset of E \ M. |E \ M| = 2
n−1
− n. For n ≥ 3 we
have |S
M
| > |E \ M|, the pigeonhole principal tells us
that there must be at least two elements of S
M
which
are equal thus the vectors of M are linearly dependent
contradicting the assumption that det(M) 6= 0. This
completes the proof of the lemma.
Theorem 5.4. Assume the LPN
ε
problem is hard,
where 0 < ε <
1
2
. Then the hHB protocol with pa-
rameters r = r(k) and u > ε· r is secure against man-
in-the-middle attacks on its first stage.
Proof. In a the man-in-the-middle attack on the first
stage of the hHB protocol, two cases can be consid-
ered:
Case 1. The adversary perturbs the first triplet which
is used to initialize p
0
: This perturbation can lead the
tag to receive
¯
θ instead of θ, and to consider without
loss of generality that x
1
= c
1
· (s ⊕
¯
θ
|s|
) ⊕ t
1
, while
for the reader x
1
= c
1
·(s⊕ θ
|s|
)⊕t
1
. The effect of this
perturbation is canceled when c
1
is chosen such that
c
1
·
¯
θ
|s|
= c
1
·θ
|s|
. This means the Hamming weight of
c
1
is even. Therefore by choosing the elements of the
second triplet with even Hamming weight, the pertur-
bation the adversary adds in the first triplet will have
no effect on the protocol.
Case 2. The adversary perturbs triplets that carry
bits of x: Suppose the adversary adds a perturbation
δ to each c in the (i + 1)-th triplet, 1 ≤ i ≤ k. This
leads the tag to consider without loss of generality that
x
i
= (c
1
⊕ δ) · (s ⊕ p
i−1
) ⊕ t
1
while the reader takes
x
i
= c
1
· (s ⊕ p
i−1
) ⊕ t
1
. If the reader no longer au-
thenticates the honest tag normally i.e. with negligi-
ble fails (P
FR
) then the whole authentication process
is disturbed and it means that δ · s ⊕ δ· p
i−1
= 1 oth-
erwise δ · s ⊕ δ· p
i−1
= 0. Each of these equations in
s contains a noise parameter δ · p
i−1
. There are two
subcases to consider:
1. The adversary chooses a perturbation δ of odd
Hamming weight: In this case, without loss of
generality suppose the perturbation is added to the
second triplet. Then the noise parameter δ · p
0
will be equal to θ which is randomly chosen from
{0, 1}. Thus in order to find the secret s the at-
tacker has to solve the LPN
ε
problem.
2. The adversary chooses a perturbation δ of even
Hamming weight: If a perturbation of even Ham-
ming weight is added to the second triplet (with-
out loss of generality) then δ· p
0
= 0. The attacker
gets a clean equation in s but in the light of lemma
5.3 he will not be able to obtain a system of equa-
tions consisting of linearly independent vectors δ.
Therefore he can’t compute the secret bits of s.
This means the adversary can’t benefit from a man-
in-the-middle attack on the first stage of the hHB pro-
tocol and completes the proof.
5.4 hHB Security Settings
We respectively denote by k
s
, k
x
and k
y
the length of
the secrets s, x and y. The first phase of hHB consists
of the secure transmission of the secret x which relies
on the LPN problem with secret s and ε ∈ [0.49, 0.5[.
Taking into account the recommendations of Levieil
et al (Levieil and Fouque, 2006), we can use k
s
= 256
to achieve at least 88 bits security. For the second
phase of the hHB protocol corresponding to an ex-
ecution of the HB
+
with ε = 0.25 the same recom-
mendations from (Levieil and Fouque, 2006) can be
applied, that is k
x
= 80 and k
y
= 512 to achieve 80
bits security. Using r = 1164 and u = 0.348 × r, the
probability of false acceptance and false rejection are
respectively 2
−80
and 2
−40
.
The transmission cost of x is 3(k
x
+ 1)(k
s
+ 1).
For hHB that transmission cost is added to that of
HB
+
. When k
x
= 80 and k
s
= 256, the transmission
cost of x is equal to 62451 bits which is substantially
high. Nevertheless, the storage and computation cost
of hHB remain low thus suited for low-cost hardware
implementation.
6 CONCLUSIONS
In this paper we have presented a new protocol hHB
which is a solution to thwart the man-in-the-middle
attack against HB
+
. The transmission cost of our pro-
tocol is quite high. But the hHB tag remains a tag as
it is not overloaded (the storage and computation cost
SECRYPT2015-InternationalConferenceonSecurityandCryptography
168
are substantially the same as for HB
+
). Does securing
HB
+
worth that transmission cost ? We say yes, but
it would be very interesting to find a way to lower it
while keeping the same level of security.
REFERENCES
Berlekamp, E. R., McEliece, R. J., and Van Tilborg, H. C.
(1978). On the inherent intractability of certain coding
problems. IEEE Transactions on Information Theory,
24(3):384–386.
Blum, A., Furst, M., Kearns, M., and Lipton, R. J. (1994).
Cryptographic primitives based on hard learning prob-
lems. In Advances in cryptologyCRYPTO93, pages
278–291. Springer.
Blum, A., Kalai, A., and Wasserman, H. (2003). Noise-
tolerant learning, the parity problem, and the statis-
tical query model. Journal of the ACM (JACM),
50(4):506–519.
Bringer, J. and Chabanne, H. (2008). Trusted-HB: a low-
cost version of HB
+
secure against man-in-the-middle
attacks. arXiv preprint arXiv:0802.0603.
Bringer, J., Chabanne, H., and Dottax, E. (2006). HB
++
:
a lightweight authentication protocol secure against
some attacks. In Security, Privacy and Trust in Per-
vasive and Ubiquitous Computing, 2006. SecPerU
2006. Second International Workshop on, pages 28–
33. IEEE.
Duc, D. N. and Kim, K. (2007). Securing HB
+
against GRS
man-in-the-middle attack. In Institute of Electronics,
Information and Communication Engineers, Sympo-
sium on Cryptography and Information Security.
Fossorier, M. P., Mihaljevi´c, M. J., Imai, H., Cui, Y., and
Matsuura, K. (2006). An algorithm for solving the
LPN problem and its application to security evalu-
ation of the HB protocols for RFID authentication.
In Progress in Cryptology-INDOCRYPT 2006, pages
48–62. Springer.
Frumkin, D. and Shamir, A. (2009). Un-trusted-HB: Secu-
rity vulnerabilities of trusted-HB. IACR Cryptology
ePrint Archive, 2009:44.
Gilbert, H., Robshaw, M., and Sibert, H. (2005).
Active attack against HB
+
: a provably secure
lightweight authentication protocol. Electronics Let-
ters, 41(21):1169–1170.
Gilbert, H., Robshaw, M. J., and Seurin, Y. (2008a). :
Increasing the security and efficiency of HB
+
. In
Advances in Cryptology–EUROCRYPT 2008, pages
361–378. Springer.
Gilbert, H., Robshaw, M. J., and Seurin, Y. (2008b). Good
variants of HB
+
are hard to find. In Financial Cryp-
tography and Data Security, pages 156–170. Springer.
Hopper, N. J. and Blum, M. (2000). A secure human-
computer authentication scheme. In Technical Report
CMU-CS-00-139. Carnegie Mellon University.
Hopper, N. J. and Blum, M. (2001). Secure human iden-
tification protocols. In Advances in cryptologyASI-
ACRYPT 2001, pages 52–66. Springer.
Juels, A. and Weis, S. A. (2005). Authenticating perva-
sive devices with human protocols. In Advances in
Cryptology–CRYPTO 2005, pages 293–308. Springer.
Katz, J. and Shin, J. S. (2006). Parallel and concur-
rent security of the HB and HB
+
protocols. In Ad-
vances in Cryptology-EUROCRYPT 2006, pages 73–
87. Springer.
Kearns, M. (1998). Efficient noise-tolerant learning from
statistical queries. Journal of the ACM (JACM),
45(6):983–1006.
Leng, X., Mayes, K., and Markantonakis, K. (2008). HB-
MP
+
protocol: An improvement on the HB-MP pro-
tocol. In RFID, 2008 IEEE International Conference
on, pages 118–124. IEEE.
Levieil,
´
E. and Fouque, P. A. (2006). An improved LPN al-
gorithm. In Security and Cryptography for Networks,
pages 348–359. Springer.
Munilla, J. and Peinado, A. (2007). HB-MP: A further step
in the HB-family of lightweight authentication proto-
cols. Computer Networks, 51(9):2262–2267.
Ouafi, K., Overbeck, R., and Vaudenay, S. (2008). On the
security of HB
#
against a man-in-the-middle attack.
In Advances in Cryptology-ASIACRYPT 2008, pages
108–124. Springer.
Regev, O. (2009). On lattices, learning with errors, random
linear codes, and cryptography. Journal of the ACM
(JACM), 56(6):34.
hHB:AHarderHB+Protocol
169
