GHB#: A Provably Secure HB-like Lightweight Authentication Protocol
Panagiotis Rizomiliotis and Stefanos Gritzalis
Dept. of Information and Communication Systems Engineering
University of the Aegean, Greece
ACNS 2012
June 26-29, Singapore
Contents
Motivation - RFID
The HB family
The HB# protocol
Design
Security
The GHB# protocol
Design
Security
Implementation issues
Conclusions
Motivation - RFID
Radio Frequency Identification
A technology that enables the electronic and wireless labeling
and identification of objects, humans and animals
Replaces barcodes
Electronic device that can store and transmit data to a reader
in a contactless manner using radio waves
Microchip
Antenna
Applications
Practically everywhere
Credit Card
Auto Immobilizers
Automated Vehicle Id
Forklift
Handheld
Conveyor Belt
Animal Tracking
Dock Door
Point of Sale
Electronic Identity
Smart Shelves
Main Challenges
Security
Confidentiality of stored data
Integrity/authenticity
Impersonation
Privacy
Anonymity
Untraceability
Normally, cryptography can solve all these problems.
Restrictions:
Low cost
Limited hardware and energy
We need new lightweight algorithms!!
The HB family of protocols
A set of ultra-lightweight authentication protocols initiated
by Hopper and Blum’s work (the HB protocol) proposed
initially for human identification
Then proposed for RFID tags
Based on the LPN problem
The HB family
HB (2001)
HB+ (2005)
HB++ (2006)
HB-MP (2007)
HB-MP+(2008)
HB* (2007)
HB# (2008)
Subspace LPN based protocols (2011)
Three attack models (1/3)
PASSIVE-model
1. Eavesdrop Tag-Reader
2. Impersonate the Tag
DET – model
1. Interrogate the Tag (Reader is not present)
2. Impersonate the Tag
MIM – model
1. Modify the messages between Tag-Reader (SOS – learns the authentication result)
2. Impersonate the Tag
GRS-attack: Modify only the messages sent by the Reader
Three attack models (2/3)
DET-model
Three attack models (3/3)
MIM-model
GRS-attack when ONLY $b_i$ can be modified
The HB# protocol
Gilbert, H., Robshaw, M., Seurin, Y.: HB#: Increasing the Security and Efficiency of HB+. In: Proceedings of Eurocrypt, Springer LNCS, vol. 4965, pp. 361-378 (2008)
1. Random-HB#: X, Y random
2. HB#: X, Y Toeplitz matrices
Pr( v i 1)
wt (v )
The HB# protocol’s security
Based on MHB: an extension of the HB puzzle
HB# is secure against the PASSIVE, DET, GRS-attack
There is a MIM attack
Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp. 108-124 (2008)
Vectorial Boolean Functions
Vectorial Boolean Functions with m inputs and n outputs:
$F : \mathbb{F}_2^m \to \mathbb{F}_2^n$
Gold Boolean Functions
Gold, R.: Maximal recursive sequences with 3-valued
recursive crosscorrelation functions. IEEE Transactions on
Information Theory, vol. 14, pp. 154-156, 1968
Power functions on a field $\mathbb{F}_{2^n}$:
$x \mapsto x^d$, where $d = 2^i + 1$, $\gcd(i, n) = 1$
Algebraic Degree = 2
Balanced
APN
High nonlinearity
The GHB# protocol
Modify the HB#
Φ is a Gold Boolean function!
Complexity and other issues
Practically the same behavior as the HB# protocol
False acceptance rate
False rejection rate
Storage complexity. The memory cost for the tag, i.e. the storage for the two secret matrices, is $(k_X + k_Y)m$ bits.
Communication complexity. The protocol requires $(k_X + k_Y + m)$ bits to be transferred in total.
Security analysis
Provably PASSIVE, DET and MIM secure
It is based on the MHB puzzle like the HB#
(Actually, similarly to the HB# proofs our reduction uses
rewinding)
The resistance against the MIM attacks is due to the APN
property of the Gold function
Intuitive approach
From the presentation of
Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In:
Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008)
HB#
Estimation of the
acceptance rate
wt ( a X bY z v ) t
GHB#
z ( X ) ( b ) v
The acceptance rate is random!
wt ( ( X ) ( a X ) ( bX ) ( b ) v z ) t
Remember Φ is APN!!!!!
Implementation Issues
Implementation of the Gold function
Optimal normal basis
Requires 2m + 1 AND gates and 2m XOR gates.
Complexity Comparison between GHB# and HB#.
Conclusions
RFID needs ultra-lightweight protocols
The HB family is the most promising candidate
GHB# is provably secure
It has the pros and cons of HB#
Further research is needed to improve implementation
complexity
Thank you for your attention
Questions??