230 likes | 365 Views
GHB#: A Provably Secure HB-like Lightweight Authentication Protocol. Panagiotis Rizomiliotis and Stefanos Gritzalis Dept. of Information and Communication Systems Engineering University of the Aegean, Greece. Contents. Motivation - RFID The HB family The HB# protocol Design Security
E N D
GHB#: A Provably Secure HB-like Lightweight Authentication Protocol PanagiotisRizomiliotis and StefanosGritzalis Dept. of Information and Communication Systems Engineering University of the Aegean, Greece ACNS 2012
Contents • Motivation - RFID • The HB family • The HB# protocol • Design • Security • The GHB# protocol • Design • Security • Implementation issues • Conclusions ACNS 2012
Motivation - RFID • Radio Frequency Identification • A technology that enables the electronic and wireless labeling and identification of objects, humans and animals • Replaces barcodes • Electronic device that can store and transmit data to a reader in a contactless manner using radio waves • Microchip • Antenna ACNS 2012
Conveyor Belt Handheld Point of Sale Forklift Applications • Practically everywhere Credit Card Auto Immobilizers Automated Vehicle Id Animal Tracking Dock Door Electronic Identity Smart Shelves ACNS 2012
Main Challenges • Security • Confidentiality of stored data • Integrity/authenticity • Impersonation • Privacy • Anonymity • Untraceability Normally, cryptography can solve all these problems. Restrictions: • Low cost • Limited hardware and energy We need new lightweight algorithms!! ACNS 2012
The HB family of protocols • A set of ultra-lightweight authentication protocols initiated by Hopper and Blum’s work (the HB protocol) proposed initially for human identification • Then proposed for RFID tags • Based on the LPN problem ACNS 2012
The HB family • HB (2001) • HB+ (2005) • HB++ (2006) • HB-MP (2007) • HB-MP+(2008) • HB* (2007) • HB# (2008) • Subspace LPN based protocols (2011) ACNS 2012
Three attack models (1/3) • PASSIVE-model • Eavesdrop Tag-Reader • Impersonate the Tag • DET – model • Interrogate the Tag (Reader is not present) • Impersonate the Tag • MIM – model • Modify the messages between Tag-Reader (SOS – learn to authentication result) • Impersonate the Tag • GRS-attack: Modify only the messages send by the Reader ACNS 2012
Three attack models (2/3)DET-model ACNS 2012
Three attack models (3/3)MIM-model • GRS-attack when ONLY bi can be modified ACNS 2012
The HB# protocol • Gilbert, H., Robshaw, M., Seurin, Y.: HB#: Increasing the Security and Efficiency of HB+. In: Proceedings of Eurocrypt, Springer LNCS, vol. 4965, pp. 361-378, (2008) • Random-HB#: X,Y random • HB#: X,Y Toeplitz Matrices ACNS 2012
The HB# protocol’s security • Based on MHB: an extension of the HB puzzle • HB# is secure against the PASSIVE, DET, GRS-attack • There is a MIM attack • Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008) ACNS 2012
Vectorial Boolean Functions Vectorial Boolean Functions with m inputs and n outputs: ACNS 2012
Gold Boolean Functions • Gold, R.: Maximal recursive sequences with 3-valued recursive crosscorrelation functions. IEEE Transactions on Information Theory, vol. 14, pp. 154-156, 1968 • Power functions on a field where • Algebraic Degree = 2 • Balanced • APN • High nonlinearity ACNS 2012
The GHB# protocol • Modify the HB# Φ is a Gold Boolean function! ACNS 2012
Complexity and other issues • Practically the same the behavior as the HB# protocol • False acceptance rate • False rejection rate • Storage complexity. The memory cost for the tag; i.e. the storage for the two secret matrices, is (kX +kY)m bits. • Communication complexity. The protocol requires (kX +kY + m) bits to be transferred in total. ACNS 2012
Security analysis • Provably PASSIVE, DET and MIM secure • It is based on the MHB puzzle like the HB# • (Actually, similarly to the HB# proofs our reduction uses rewinding) • The resistance against the MIM attacks is due to the APN property of the Gold function ACNS 2012
Intuitive approach • From the presentation of Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Proceedings of Asiacrypt, Springer LNCS, vol. 5350, pp.108-124 (2008) • HB# Estimation of the acceptance rate • GHB# • The acceptance rate is random! Remember Φ is APN!!!!! ACNS 2012
Implementation Issues • Implementation of the Gold function • Optimal normal basis • Requires 2m + 1 AND gates and 2m XOR gates. • Complexity Comparison between GHB# and HB#. ACNS 2012
Conclusions • RFID need ultra-lightweight protocols • The HB family is the most promising candidate • GHB# is provably secure • It has the pros and cons of HB# • Further research is needed to improve implementation complexity ACNS 2012
Thank you for your attention Questions?? ACNS 2012