GHB#: A Provably Secure HB-like Lightweight Authentication Protocol

Panagiotis Rizomiliotis and Stefanos Gritzalis
Dept. of Information and Communication Systems Engineering
University of the Aegean, Greece
ACNS 2012
June 26-29, Singapore
Contents
 Motivation - RFID
 The HB family
 The HB# protocol
 Design
 Security
 The GHB# protocol
 Design
 Security
 Implementation issues
 Conclusions
Motivation - RFID
 Radio Frequency Identification
 A technology that enables the electronic and wireless labeling
and identification of objects, humans and animals
 Replaces barcodes
 Electronic device that can store and transmit data to a reader
in a contactless manner using radio waves
 Microchip
 Antenna
Applications
 Practically everywhere
Credit Card
Auto Immobilizers
Automated Vehicle Id
Forklift
Handheld
Conveyor Belt
Animal Tracking
Dock Door
Point of Sale
Electronic Identity
Smart Shelves
Main Challenges
 Security
 Confidentiality of stored data
 Integrity/authenticity
 Impersonation
 Privacy
 Anonymity
 Untraceability
Normally, cryptography can solve all these problems.
Restrictions:
 Low cost
 Limited hardware and energy
We need new lightweight algorithms!!
The HB family of protocols
 A set of ultra-lightweight authentication protocols initiated
by Hopper and Blum’s work (the HB protocol) proposed
initially for human identification
 Then proposed for RFID tags
 Based on the LPN problem
The HB family
 HB (2001)
 HB+ (2005)
 HB++ (2006)
 HB-MP (2007)
 HB-MP+(2008)
 HB* (2007)
 HB# (2008)
 Subspace LPN based protocols (2011)
Three attack models (1/3)
 PASSIVE-model
1. Eavesdrop Tag-Reader
2. Impersonate the Tag
 DET – model
1. Interrogate the Tag (Reader is not present)
2. Impersonate the Tag
 MIM – model
1. Modify the messages between Tag-Reader (SOS – learns the authentication result)
2. Impersonate the Tag
 GRS-attack: Modify only the messages sent by the Reader
Three attack models (2/3)
DET-model
Three attack models (3/3)
MIM-model
 GRS-attack when ONLY bi can be modified
The HB# protocol
 Gilbert, H., Robshaw, M., Seurin, Y.: HB#: Increasing the Security and
Efficiency of HB+. In: Proceedings of Eurocrypt, Springer LNCS, vol. 4965,
pp. 361-378, (2008)
1. Random-HB#: X,Y random
2. HB#: X,Y Toeplitz Matrices
Pr( v i  1)  
wt (v )  
The HB# protocol’s security
 Based on MHB: an extension of the HB puzzle
 HB# is secure against the PASSIVE, DET, GRS-attack
 There is a MIM attack
 Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-
the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350,
pp.108-124 (2008)
Vectorial Boolean Functions
Vectorial Boolean Functions with m inputs and n outputs:
$F : \mathbb{F}_2^m \to \mathbb{F}_2^n$
Gold Boolean Functions
 Gold, R.: Maximal recursive sequences with 3-valued
recursive crosscorrelation functions. IEEE Transactions on
Information Theory, vol. 14, pp. 154-156, 1968
 Power functions on a field $\mathbb{F}_{2^n}$: $x \mapsto x^d$, where $d = 2^i + 1$, $\gcd(i, n) = 1$
 Algebraic Degree = 2
 Balanced
 APN
 High nonlinearity
The GHB# protocol
 Modify the HB#
Φ is a Gold Boolean function!
Complexity and other issues
 Practically the same behavior as the HB# protocol
 False acceptance rate
 False rejection rate
 Storage complexity. The memory cost for the tag; i.e. the
storage for the two secret matrices, is (kX +kY)m bits.
 Communication complexity. The protocol requires (kX +kY
+ m) bits to be transferred in total.
Security analysis
 Provably PASSIVE, DET and MIM secure
 It is based on the MHB puzzle like the HB#
 (Actually, similarly to the HB# proofs our reduction uses
rewinding)
 The resistance against the MIM attacks is due to the APN
property of the Gold function
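Added example, not from the slides or the GHB# authors: a brute-force check on small fields of the Gold function properties the deck relies on (algebraic degree 2, APN). The field sizes, reduction polynomials and function names are illustrative assumptions.

```python
# Added example: Gold function x -> x^(2^i + 1) over GF(2^n); parameters are illustrative.
POLY = {5: 0b100101, 6: 0b1000011}  # x^5+x^2+1, x^6+x+1 (irreducible; assumed choices)

def gf_mul(a, b, n):
    """Multiply in GF(2^n), polynomial basis, shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= POLY[n]
    return r

def gold_table(n, i):
    """Lookup table of Phi(x) = x^(2^i + 1) = x^(2^i) * x."""
    table = []
    for x in range(1 << n):
        y = x
        for _ in range(i):  # i squarings give x^(2^i)
            y = gf_mul(y, y, n)
        table.append(gf_mul(y, x, n))
    return table

def differential_uniformity(table):
    """Max over a != 0 and b of #{x : F(x ^ a) ^ F(x) == b}; APN means 2."""
    worst = 0
    for a in range(1, len(table)):
        counts = {}
        for x in range(len(table)):
            d = table[x ^ a] ^ table[x]
            counts[d] = counts.get(d, 0) + 1
        worst = max(worst, max(counts.values()))
    return worst

def algebraic_degree(table, n):
    """Largest monomial degree in the ANF of any output bit (Moebius transform)."""
    deg = 0
    for bit in range(n):
        anf = [(v >> bit) & 1 for v in table]
        for k in range(n):
            for x in range(1 << n):
                if (x >> k) & 1:
                    anf[x] ^= anf[x ^ (1 << k)]
        deg = max([deg] + [bin(m).count("1") for m, c in enumerate(anf) if c])
    return deg

def is_balanced(table):
    """A map from F_2^n to itself is balanced iff it is a permutation."""
    return len(set(table)) == len(table)
```

For even n the function is still APN when gcd(i, n) = 1 but is no longer a permutation, and when gcd(i, n) > 1 the differential uniformity rises to 2^gcd(i, n).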
Intuitive approach
 From the presentation of
Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In:
Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)
 HB#
Estimation of the
acceptance rate
$\mathrm{wt}(aX \oplus bY \oplus z \oplus v) \le t$
 GHB#

z   ( X )   ( b  )  v
The acceptance rate is random!


wt (  ( X )   ( a X )   ( bX )   ( b  )  v  z )  t
Remember Φ is APN!!!!!
Implementation Issues
 Implementation of the Gold function
 Optimal normal basis
 Requires 2m + 1 AND gates and 2m XOR gates.
 Complexity Comparison between GHB# and HB#.
Conclusions
 RFID needs ultra-lightweight protocols
 The HB family is the most promising candidate
 GHB# is provably secure
 It has the pros and cons of HB#
 Further research is needed to improve implementation
complexity
Thank you for your attention
Questions??