ghb#: a provably secure hb-like lightweight authentication protocol
DESCRIPTION
GHB#: A Provably Secure HB-like Lightweight Authentication Protocol. Panagiotis Rizomiliotis and Stefanos Gritzalis Dept. of Information and Communication Systems Engineering University of the Aegean, Greece. Contents. Motivation - RFID The HB family The HB# protocol Design Security - PowerPoint PPT PresentationTRANSCRIPT
Panagiotis Rizomiliotis and Stefanos Gritzalis
Dept. of Information and Communication Systems Engineering
University of the Aegean, Greece
GHB#: A Provably Secure HB-like Lightweight
Authentication Protocol
June 26-29, Singapore1 ACNS 2012
ContentsMotivation - RFIDThe HB familyThe HB# protocol
DesignSecurity
The GHB# protocolDesignSecurity
Implementation issuesConclusions
June 26-29, Singapore2 ACNS 2012
Motivation - RFID
June 26-29, SingaporeACNS 20123
Radio Frequency IdentificationA technology that enables the electronic
and wireless labeling and identification of objects, humans and animals
Replaces barcodesElectronic device that can store and
transmit data to a reader in a contactless manner using radio wavesMicrochipAntenna
Applications
June 26-29, SingaporeACNS 20124
Practically everywhere
Auto Auto ImmobilizersImmobilizers Automated Vehicle IdAutomated Vehicle Id
Animal TrackingAnimal Tracking Conveyor BeltConveyor Belt
ForkliftForklift
Dock Dock DoorDoor
HandheldHandheld
Point of SalePoint of Sale
Smart ShelvesSmart Shelves
Credit CardCredit Card
Electronic Electronic IdentityIdentity
Main Challenges
June 26-29, SingaporeACNS 20125
Security Confidentiality of stored data Integrity/authenticity Impersonation
Privacy Anonymity Untraceability
Normally, cryptography can solve all these problems.
Restrictions: Low cost Limited hardware and energy
We need new lightweight algorithms!!
The HB family of protocols
June 26-29, SingaporeACNS 20126
A set of ultra-lightweight authentication protocols initiated by Hopper and Blum’s work (the HB protocol) proposed initially for human identification
Then proposed for RFID tagsBased on the LPN problem
The HB family
June 26-29, SingaporeACNS 20127
HB (2001)HB+ (2005)HB++ (2006)HB-MP (2007)HB-MP+(2008)HB* (2007)HB# (2008)Subspace LPN based protocols (2011)
Three attack models (1/3)
June 26-29, SingaporeACNS 20128
PASSIVE-model1. Eavesdrop Tag-Reader2. Impersonate the Tag
DET – model1. Interrogate the Tag (Reader is not present)2. Impersonate the Tag
MIM – model 1. Modify the messages between Tag-Reader (SOS –
learn to authentication result)2. Impersonate the Tag GRS-attack: Modify only the messages send by
the Reader
Three attack models (2/3)DET-model
June 26-29, SingaporeACNS 20129
Three attack models (3/3)MIM-model
June 26-29, SingaporeACNS 201210
GRS-attack when ONLY bi can be modified
The HB# protocol
June 26-29, SingaporeACNS 201211
Gilbert, H., Robshaw, M., Seurin, Y.: HB#: Increasing the Security and Efficiency of HB+. In: Proceedings of Eurocrypt, Springer LNCS, vol. 4965, pp. 361-378, (2008)
1. Random-HB#: X,Y random
2. HB#: X,Y Toeplitz Matrices
)(vwt )1Pr( iv
The HB# protocol’s security
June 26-29, SingaporeACNS 201212
Based on MHB: an extension of the HB puzzle
HB# is secure against the PASSIVE, DET, GRS-attack There is a MIM attack
Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)
Vectorial Boolean Functions
June 26-29, SingaporeACNS 201213
Vectorial Boolean Functions with m inputs and n outputs: mn FFF 22:
Gold Boolean Functions
June 26-29, SingaporeACNS 201214
Gold, R.: Maximal recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Transactions on Information Theory, vol. 14, pp. 154-156, 1968
Power functions on a field
where Algebraic Degree = 2 BalancedAPNHigh nonlinearity
dxxnF2
1),gcd(,2 1 nid i
The GHB# protocol
June 26-29, SingaporeACNS 201215
Modify the HB#
Φ is a Gold Boolean function!
Complexity and other issues
June 26-29, SingaporeACNS 201216
Practically the same the behavior as the HB# protocol
False acceptance rate
False rejection rate
Storage complexity. The memory cost for the tag; i.e. the storage for the two secret matrices, is (kX +kY)m bits.
Communication complexity. The protocol requires (kX +kY + m) bits to be transferred in total.
Security analysis
June 26-29, SingaporeACNS 201217
Provably PASSIVE, DET and MIM secure It is based on the MHB puzzle like the HB#
(Actually, similarly to the HB# proofs our reduction uses rewinding)
The resistance against the MIM attacks is due to the APN property of the Gold function
Intuitive approach
June 26-29, SingaporeACNS 201218
From the presentation of Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-
the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)
HB#
tvzYbXawt )(
vbXz )()(
tzvbbXXaXwt ))()()()((
Estimation of the acceptance rate
GHB#The acceptance rate is random!
Remember Φ is APN!!!!!
Implementation Issues
June 26-29, SingaporeACNS 201219
Implementation of the Gold functionOptimal normal basisRequires 2m + 1 AND gates and 2m XOR
gates.
Complexity Comparison between GHB# and HB#.
Conclusions
June 26-29, SingaporeACNS 201220
RFID need ultra-lightweight protocolsThe HB family is the most promising
candidateGHB# is provably secureIt has the pros and cons of HB# Further research is needed to improve
implementation complexity
Thank you for your attention
June 26-29, SingaporeACNS 201221
Questions??