ghb#: a provably secure hb-like lightweight authentication protocol

Panagiotis Rizomiliotis and Stefanos Gritzalis

Dept. of Information and Communication Systems Engineering

University of the Aegean, Greece

GHB#: A Provably Secure HB-like Lightweight

Authentication Protocol

June 26-29, Singapore1 ACNS 2012

ContentsMotivation - RFIDThe HB familyThe HB# protocol

DesignSecurity

The GHB# protocolDesignSecurity

Implementation issuesConclusions

June 26-29, Singapore2 ACNS 2012

Motivation - RFID

June 26-29, SingaporeACNS 20123

Radio Frequency IdentificationA technology that enables the electronic

and wireless labeling and identification of objects, humans and animals

Replaces barcodesElectronic device that can store and

transmit data to a reader in a contactless manner using radio wavesMicrochipAntenna

Applications

June 26-29, SingaporeACNS 20124

Practically everywhere

Auto Auto ImmobilizersImmobilizers Automated Vehicle IdAutomated Vehicle Id

Animal TrackingAnimal Tracking Conveyor BeltConveyor Belt

ForkliftForklift

Dock Dock DoorDoor

HandheldHandheld

Point of SalePoint of Sale

Smart ShelvesSmart Shelves

Credit CardCredit Card

Electronic Electronic IdentityIdentity

Main Challenges

June 26-29, SingaporeACNS 20125

Security Confidentiality of stored data Integrity/authenticity Impersonation

Privacy Anonymity Untraceability

Normally, cryptography can solve all these problems.

Restrictions: Low cost Limited hardware and energy

We need new lightweight algorithms!!

The HB family of protocols

June 26-29, SingaporeACNS 20126

A set of ultra-lightweight authentication protocols initiated by Hopper and Blum’s work (the HB protocol) proposed initially for human identification

Then proposed for RFID tagsBased on the LPN problem

The HB family

June 26-29, SingaporeACNS 20127

HB (2001)HB+ (2005)HB++ (2006)HB-MP (2007)HB-MP+(2008)HB* (2007)HB# (2008)Subspace LPN based protocols (2011)

Three attack models (1/3)

June 26-29, SingaporeACNS 20128

PASSIVE-model1. Eavesdrop Tag-Reader2. Impersonate the Tag

DET – model1. Interrogate the Tag (Reader is not present)2. Impersonate the Tag

MIM – model 1. Modify the messages between Tag-Reader (SOS –

learn to authentication result)2. Impersonate the Tag GRS-attack: Modify only the messages send by

the Reader

Three attack models (2/3)DET-model

June 26-29, SingaporeACNS 20129

Three attack models (3/3)MIM-model

June 26-29, SingaporeACNS 201210

GRS-attack when ONLY bi can be modified

The HB# protocol

June 26-29, SingaporeACNS 201211

Gilbert, H., Robshaw, M., Seurin, Y.: HB#: Increasing the Security and Efficiency of HB+. In: Proceedings of Eurocrypt, Springer LNCS, vol. 4965, pp. 361-378, (2008)

1. Random-HB#: X,Y random

2. HB#: X,Y Toeplitz Matrices

)(vwt )1Pr( iv

The HB# protocol’s security

June 26-29, SingaporeACNS 201212

Based on MHB: an extension of the HB puzzle

HB# is secure against the PASSIVE, DET, GRS-attack There is a MIM attack

Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)

Vectorial Boolean Functions

June 26-29, SingaporeACNS 201213

Vectorial Boolean Functions with m inputs and n outputs: mn FFF 22:

Gold Boolean Functions

June 26-29, SingaporeACNS 201214

Gold, R.: Maximal recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Transactions on Information Theory, vol. 14, pp. 154-156, 1968

Power functions on a field

where Algebraic Degree = 2 BalancedAPNHigh nonlinearity

dxxnF2

1),gcd(,2 1 nid i

The GHB# protocol

June 26-29, SingaporeACNS 201215

Modify the HB#

Φ is a Gold Boolean function!

Complexity and other issues

June 26-29, SingaporeACNS 201216

Practically the same the behavior as the HB# protocol

False acceptance rate

False rejection rate

Storage complexity. The memory cost for the tag; i.e. the storage for the two secret matrices, is (kX +kY)m bits.

Communication complexity. The protocol requires (kX +kY + m) bits to be transferred in total.

Security analysis

June 26-29, SingaporeACNS 201217

Provably PASSIVE, DET and MIM secure It is based on the MHB puzzle like the HB#

(Actually, similarly to the HB# proofs our reduction uses rewinding)

The resistance against the MIM attacks is due to the APN property of the Gold function

Intuitive approach

June 26-29, SingaporeACNS 201218

From the presentation of Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-

the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)

HB#

tvzYbXawt )(

vbXz )()(

tzvbbXXaXwt ))()()()((

Estimation of the acceptance rate

GHB#The acceptance rate is random!

Remember Φ is APN!!!!!

Implementation Issues

June 26-29, SingaporeACNS 201219

Implementation of the Gold functionOptimal normal basisRequires 2m + 1 AND gates and 2m XOR

gates.

Complexity Comparison between GHB# and HB#.

Conclusions

June 26-29, SingaporeACNS 201220

RFID need ultra-lightweight protocolsThe HB family is the most promising

candidateGHB# is provably secureIt has the pros and cons of HB# Further research is needed to improve

implementation complexity

Thank you for your attention

June 26-29, SingaporeACNS 201221

Questions??