Revisiting the Security of Qian et al.’s Revised Tree-\(\hbox {LSHB}^+\) Protocol

  • 113 Accesses


Due to the limited computation and memory capabilities of the identification tags, RFID systems are susceptible to various attacks. In 2014, a lightweight mutual authentication RFID protocol that supports key update was proposed by Qian et al., and it was claimed to be secure against several known attacks. In this paper, however, we show that their protocol cannot resist key recovery attack, where an adversary, after interacting with the tag several times, can recover the authentication keys of the system in polynomial time with non-negligible probability. Additionally, we also prove that their protocol cannot provide strong backward security or strong forward security: an adversary who has compromised some continuous authentication keys, can successfully recover all the future authentication keys and some of the previous authentication keys, which completely breaks the security of the authentication protocol. We then propose a new protocol which provides key recovery resilience, both strong backward security and strong forward security, and also resistance against various known types of attacks.

This is a preview of subscription content, log in to check access.

Access options

Buy single article

Instant unlimited access to the full article PDF.

US$ 39.95

Price includes VAT for USA

Subscribe to journal

Immediate online access to all issues from 2019. Subscription will auto renew annually.

US$ 199

This is the net price. Taxes to be calculated in checkout.

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Change history

  • 13 December 2019

    The authors' second affiliation was missing in the original article.

  • 13 December 2019

    The authors' second affiliation was missing in the original article.


  1. 1.

    To guarantee the security strength of the key update, we assume \(K_1^i \ne O\) for any i, otherwise the authentication key would be zero after updating i times. Thus there are at least two non-zero elements in \(\overrightarrow{\lambda }\).

  2. 2.

    Apparently, this theorem can only make sense when \(i \ge j+2\).

  3. 3.

    The above \(K_{1_{(k_x \times k_x)}}\) in Eq. (11) for the update of \(\overrightarrow{key_{x}}\) is a sub-matrix of \(K_{2_{(k_y \times k_y)}}\) since \(k_x < k_y\) according to Table 1, then the leakage of \(K_2\) implies the leakage of \(K_1\), which leads to the leakage of all the subsequent \(\overrightarrow{key_{x}}\) given the continuous leaked keys {\(\overrightarrow{key_{x}},\overrightarrow{key_{y}}\)}.


  1. 1.

    Hopper, N. J., & Blum, M. (2001). Secure human identification protocols. In Cryptology-ASIACRYPT 2001, Lecture Notes in Computer Science (Vol. 2248, pp. 52–66).

  2. 2.

    Juels, A., & Weis, S. (2005). Authenticating pervasive devices with human protocols. In Cryptology-ASIACRYPT 2005, Lecture Notes in Computer Science (Vol. 3621, pp. 293–308).

  3. 3.

    Gilbert, H., Robshaw, M., & Silbert, H. (2005). An active attack against \({\rm HB}^+\)-a provable secure lightweighted authentication protocol. Cryptology ePrint archive, report 2005/237. Accessed 14 Feb 2019.

  4. 4.

    Bringer, J., Chabanne, H., Dottax, E., & Chabanne, H. (2006). \({\rm HB}^{++}\): A lightweight authentication protocol secure against some attacks. In Proceedings of the second international workshop on security, privacy and trust in pervasive and ubiquitous computing (SecPerU06) (pp. 28–33).

  5. 5.

    Duc, D. N., & Kim, K. (2007). Securing \({\rm HB}^+\) against GRS man-in-the-middle attack. In Institute of Electronics. Information and Communication Engineers, Symposium on Cryptography and Information Security, Jan 23–26 2007.

  6. 6.

    Munilla, J., & Peinado, A. (2007). HP-MP: A further step in the HB-family of lightweight authentication protocols. Computer Networks, 51(9), 2262–2267.

  7. 7.

    Leng, X., Mayes, K., & Markantonakis, K. (2008). HB-\({\rm MP}^{+}\) protocol: An improvement on the HB-MP protocol. In IEEE international conference on RFID, Apr 16–17 2008 (pp. 118–124).

  8. 8.

    Gilbert, H., Robshaw, M. J., & Seurin, Y. (2008). Good variants of \({\rm HB}^{+}\) are hard to find. In Financial Cryptography and Data Security 2008, Lecture Notes in Computer Science (Vol. 5143, pp. 156–170).

  9. 9.

    Gilbert, H., Robshaw, M., & Seurin, Y. (2008). \({\rm HB}^{\#}\): Increasing the security and efficiency of \({\rm HB^+}\). In Cryptology-EUROCRYPT 2008, Lecture Notes in Computer Science (vol. 4965, pp. 361–387).

  10. 10.

    Ouafi, K., Overbock, R., & Vaudenay, S. (2008). On the security of \({\rm HB}^{\#}\) against a man-in-the-middle attack. In Cryptology-ASIACRYPT 2008, Lecture Notes in Computer Science (Vol. 5350, pp. 3108–124).

  11. 11.

    Bosley, C., Haralambiev, K., & Nicolosi, A. (2011). HBN: An HB-like protocol secure against man-in-the-middle attacks. Cryptology ePrint Archive, report 2011/350. Accessed 14 Feb 2019.

  12. 12.

    Rizomiliotis, P., & Gritzalis, S. (2012). \(\text{GHB}^{\#}\): A provably Secure HB-Like lightweight authentication protocol. In ACNS 2012, Lecture Notes in Computer Science (vol. 7341, pp. 489–506).

  13. 13.

    Aseeri, A., & Bamasag, O. (2016). Achieving protection against man-in-the-middle attack in HB family protocols implemented in RFID tags. International Journal of Pervasive Computing and Communications, 12(3), 375–390.

  14. 14.

    Li, Z., Gong, G., & Qin, Z. (2013). Secure and efficient LCMQ entity authentication protocol. IEEE Transactions on Information Theory, 59(6), 4042–4054.

  15. 15.

    Molnar, D., & Wagner, D. (2004). Privacy and security in library RFID: Issues, practices, and architectures. In ACM CCS 2004 (pp. 210–219).

  16. 16.

    Halevi, T., Saxena, N., & Halevi, S. (2011). Tree-based HB protocols for privacy-preserving authentication of RFID tags. Journal of Computer Security, 19(2), 343–363.

  17. 17.

    Deng, G., Li, H., Zhang, Y., & Wang, J. (2013). Tree-LS\({\rm HB}^{+}\): An LPN-based lightweight mutual authentication RFID protocol. Wireless Personal Communications, 72(1), 159–174.

  18. 18.

    Qian, X., Liu, X., Yang, S., & Zuo, C. (2014). Security and privacy analysis of Tree-LS\({\rm HB}^+\) protocol. Wireless Personal Communications, 77(4), 3125–3141.

  19. 19.

    Lei, M., Li, H., Liu, W., & Jin, D. (2017). Security analysis of the Qian et al. protocol: A revised Tree-LS\({\rm HB}^+\) protocol. Wireless Personal Communications, 96(1), 1083–1098.

  20. 20.

    Berlekamp, E. R., McEliece, R. J., & Tilborg, V. (1978). On the inherent intractability of certain coding problems. IEEE Transactions on Information Theory, 24(3), 384–386.

  21. 21.

    Blum, A., Kalai, A., & Wasserman, H. (2003). Noise-tolerant learning, the parity problem, and the statistical query model. Journal of the ACM, 50(4), 506–519.

  22. 22.

    Zhang, B., Jiao, L., & Wang, M. (2016). Faster algorithms for solving LPN. In Cryptology-EUROCRYPT 2016, Lecture Notes in Computer Science (vol. 9665, pp. 168–195).

  23. 23.

    Krawczyk, H. (1994). LFSR-based hashing and authentication. In Cryptology-CRYPTO 1994, Lecture Notes in Computer Science (vol. 839, pp. 129–139).

  24. 24.

    Krawczyk, H. (1995). New hash functions for message authentication. In Cryptology-CRYPTO 1995, Lecture Notes in Computer Science (vol. 921, pp. 301–310).

Download references


This work was supported by the National Key Research and Development Program of China (2017YFB0802500) and National Natural Science Foundation of China (61572485, U1536205).

Author information

Correspondence to Xinyu Li.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Li, X., Xu, J. & Zhang, Z. Revisiting the Security of Qian et al.’s Revised Tree-\(\hbox {LSHB}^+\) Protocol. Wireless Pers Commun 106, 321–343 (2019) doi:10.1007/s11277-019-06164-w

Download citation


  • RFID
  • Security
  • HB family
  • Tree-based
  • Mutual authentication