Good Variants of HB + are Hard to Find (The Cryptanalysis of HB ++ , HB ∗ and HB-MP)
Henri Gilbert, Matt Robshaw, and Yannick Seurin Financial Crypto 2008 – January 29, 2008
intro
HB+
HB-MP
HB*
HB++
conclusion
the context pervasive computing (RFID tags . . . ) the issue: protection against duplication and counterfeiting =⇒ authentication pervasive = very low cost =⇒ very few gates for security current proposed solutions use e.g. light-weight block ciphers (aes, present . . . ) dedicated asymmetric cryptography (gps) protocols based on abstract hash functions and PRFs recent proposal HB + at Crypto ’05 by Juels and Weis: very simple, security proof
Financial Crypto 2008 – Y. Seurin
1
Orange Labs
intro
HB+
HB-MP
HB*
HB++
conclusion
outline HB + : strengths and weaknesses cryptanalysis of HB-MP cryptanalysis of HB ∗ cryptanalysis of HB ++ conclusions . . . and a trailer
Financial Crypto 2008 – Y. Seurin
2
Orange Labs
intro
HB+
HB-MP
HB*
HB++
conclusion
the ancestor HB [Hopper and Blum 2001] tag
reader
k -bit secret vector x
k -bit secret vector x a
←−−−−−−−− compute z = a · x ⊕ ν where ν is a noise bit
Pr[ν = 1] = η ηr )
Financial Crypto 2008 – Y. Seurin
3
Orange Labs
intro
HB+
HB-MP
HB*
HB++
conclusion
+
the protocol HB [Juels and Weis 2005] tag
reader
k -bit secret vectors x and y
k -bit secret vectors x and y
draw a random k -bit blinding vector b
b
−−−−−−−−→ a
←−−−−−−−− z compute z = a · x ⊕ b · y ⊕ ν −−−−−−−−→ 1 where Pr[ν = 1] = η < 2
draw a random k -bit challenge a check z = a · x ⊕ b · y
this is repeated for r rounds the authentication is successful iff at most t rounds have been rejected ( t > ηr ) Financial Crypto 2008 – Y. Seurin
4
Orange Labs
intro
the protocol HB
HB+
HB-MP
HB*
HB++
conclusion
+
typical parameter values are:
k ' 250 (length of the secret vectors) η ' 0.125 to 0.25 (noise level) r ' 80 (number of rounds) t ' 30 (acceptance threshold) necessary trade-off between false acceptance rate, false rejection rate and efficiency distribution of the number of errors
Financial Crypto 2008 – Y. Seurin
5
Orange Labs
intro
the security of HB
HB+
HB-MP
HB*
HB++
conclusion
+
HB is provably secure against passive (eavesdropping) attacks HB + is provably secure against active (in some sense) attacks the security relies on the hardness of the Learning from Parity with Noise (LPN) problem: Given q noisy samples (ai, ai · x ⊕ νi) , where x is a secret k -bit vector and Pr[νi = 1] = η , find x . similar to the problem of decoding a random linear code (NP-complete) best solving algorithms require T, q = 2Θ(k/ log(k)) : BKW [2003] , LF [2006] numerical examples: for k = 512 and η = 0.25 , LF requires q ' 289 for k = 768 and η = 0.01 , LF requires q ' 274 Financial Crypto 2008 – Y. Seurin
6
Orange Labs
intro
HB+
HB-MP
HB*
HB++
conclusion
security models passive attacks: the adversary can only eavesdrop the conversations between an honest tag and an honest reader, and then tries to impersonate the tag active attacks on the tag only (a.k.a. active attacks in the detection model): the adversary first interact with an honest tag (actively, but without access to the reader), and then tries to impersonate the tag man-in-the-middle attacks (a.k.a. active attacks in the prevention model): the adversary can manipulate the tag-reader conversation and observe whether the authentication is successful or not passive
active (TAG)
active (MIM)
HB
OK
KO
KO
HB +
OK
OK
KO
Financial Crypto 2008 – Y. Seurin
7
Orange Labs
intro
HB+
HB-MP
HB*
HB++
conclusion
a man-in-the-middle attack against HB + [GRS 2005]
tag
reader
k -bit secret vectors x and y
k -bit secret vectors x and y
draw a random k -bit blinding vector b
b
−−−−−−−−→ a0 =a⊕δ
a
←−−−−− Adv! ←−− compute z 0 = a0 · x ⊕ b · y ⊕ ν where Pr[ν = 1] = η
that HB+ variants that resist the GRS attack are not that easy to come by. Our paper is ...... For HB-MP âxâm denotes the m least significant bits of x and yi is the.
Their children have grown up and moved away. Life, doing what it usually does to a marriage, has replaced their hopes and dreams with accomplishment and.
to as the detection-based model [10] and requires that the adversary queries a tag q times and then attempts to pass the HB+ authentication process by in-.
We consider (in the framework of algorithmic information theory) questions of the following type: .... The strings a and b are independent (have logarithmic mutual.
issue is adrenalised in drama, documentaries and rolling news by repeatedly declaring "gang culture" as the cause of teenage societal meltdown. Gang culture ...
3) If your friend wants to tell you her affairs of the heart... a) You listen to everything b) You listen if it ... 6) If your friend cries... a) You do everything to console her.
Page 1 ...... A second drawback is the key management problemâin a network of N ..... For the desired level of security, do the protocols meet performance.
cutting with HSS substrate. Investigations the coatings behaviour in dry hobbing conditions and high cutting speed. 2. Coatings deposition and characterization.
prevention studies of carcinogen-induced tumours in rats, and of polyps in Min (Apc(+/Ð)) mice: 6714 ... (http://corpet.net/min). .... APC protein may loose its ability to connect chromo- ...... Potential of gene expression profiling in tumours. Foo
And here are no hard Landlords to racke vs with high rents, or extorted fines to consume vs, no tedious pleas no multitudes to occasion such impediments. 3.
10/10/2012. 28. The international role of the euro. Dollar seems firmly entrenched as the leading currency for international reserves. Yet, the euro has taken off.
Nov 4, 2002 - Icelandic, Palestinian Arabic. +. â .... b. they are a necessary part of the grammar that carries an important functional load: ... word in Malayalam.
Coaster ¼ Cross, Hold, Side, Touch, Side, Touch. ¼ turn right stepping back on left (1), step right next to left (2) (6:00). Cross left over right (2), hold (4). Step right ...
Then the Board begins deliberations on an Exposure Draft (ED) of a .... Assets are probable future economic benefits obtained or controlled by a ..... In this case, the first revenue can be handled as a return of the ...... A manual system using T-ac
List of Algorithms ix. List of Tables xiv. List of Figures .... 5.3.3 Error messageanalysis . ...... of authenticating its holder ËA to the mainframe computer B at the ... thentication code (MAC) algorithm such as HMAC to achieve data integrity and
Communication Framework using Authenticated Encryption in Wireless ... related to key management in quantum cryptography like how quantum access nodes ... for Security of Software, Hodorogea and Otto, emphasize the need of robust security .... Illust
This is the updating equation used in the Normalized LMS algorithm. ..... the LMS algorithm, from linear combination of inputs (FIR filters) to quadratic combina-.
Alice communicates with the White rabbit via a network. Secret. 3 / 52 ... Something that you have ... Page 16 ... Leon Alberti devised a cipher wheel, and described the principles .... Put your message in a black bag, you can not read anything.
Most of the accounts in company code 1000 use the UNI currency, whereas company ...... Payment proposal has been created ... âThe second stage is the proposal run. ..... yDebit: unrealized loss; credit: foreign exchange adjustment account.
CrypTool was developed during the end-user awareness program at Deutsche Bank in order to .... 331,252 individuals co-operated over the internet to find the key. ...... 1947, and the second was taken from âLake Wobegon Daysâ, by Garrison Keillor,
example, differences between the dynamics of two populations of the butterfly ... population biology (Legay and Debouzie, 1985). Within a popula- ... ring the life history of the insects, what are the phenotypic and in some ravourable cases the ...
