Lapin: An Efficient Authentication Protocol Based on Ring-LPN

  • Stefan Heyse
  • Eike Kiltz
  • Vadim Lyubashevsky
  • Christof Paar
  • Krzysztof Pietrzak
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7549)


We propose a new authentication protocol that is provably secure based on a ring variant of the learning parity with noise (LPN) problem. The protocol follows the design principle of the LPN-based protocol from Eurocrypt’11 (Kiltz et al.), and like it, is a two round protocol secure against active attacks. Moreover, our protocol has small communication complexity and a very small footprint which makes it applicable in scenarios that involve low-cost, resource-constrained devices.

Performance-wise, our protocol is more efficient than previous LPN-based schemes, such as the many variants of the Hopper-Blum (HB) protocol and the aforementioned protocol from Eurocrypt’11. Our implementation results show that it is even comparable to the standard challenge-and-response protocols based on the AES block-cipher. Our basic protocol is roughly 20 times slower than AES, but with the advantage of having 10 times smaller code size. Furthermore, if a few hundred bytes of non-volatile memory are available to allow the storage of some off-line pre-computations, then the online phase of our protocols is only twice as slow as AES.


HB protocols RFID authentication LPN problem Ring-LPN problem 


  1. [ACPS09]
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. [Atm]
    Atmel, ATmega163 datasheet,
  3. [BFKL93]
    Blum, A., Furst, M.L., Kearns, M., Lipton, R.J.: Cryptographic Primitives Based on Hard Learning Problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  4. [BKL+07]
    Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J.B., Seurin, Y., Vikkelsoe, C.: PRESENT: An Ultra-Lightweight Block Cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. [BKW03]
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  6. [DKPW12]
    Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message Authentication, Revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. [DR02]
    Daemen, J., Rijmen, V.: The design of rijndael: AES - the advanced encryption standard. Springer (2002)Google Scholar
  8. [GPW+04]
    Gura, N., Patel, A., Wander, A., Eberle, H., Shantz, S.C.: Comparing Elliptic Curve Cryptography and RSA on 8-bit CPUs. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 119–132. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. [GRS05]
    Gilbert, H., Robshaw, M., Sibert, H.: An active attack against HB+ – a provably secure lightweight authentication protocol, Cryptology ePrint Archive, Report 2005/237 (2005),
  10. [GRS08a]
    Gilbert, H., Robshaw, M.J.B., Seurin, Y.: H\(B^{\sharp}\): Increasing the Security and Efficiency of HB + . In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 361–378. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  11. [GRS08b]
    Gilbert, H., Robshaw, M., Seurin, Y.: How to Encrypt with the LPN Problem. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 679–690. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. [HB00]
    Hopper, N., Blum, M.: A secure human-computer authentication scheme. Tech. Report CMU-CS-00-139, Carnegie Mellon University (2000)Google Scholar
  13. [HB01]
    Hopper, N.J., Blum, M.: Secure Human Identification Protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. [HLPS11]
    Hanrot, G., Lyubashevsky, V., Peikert, C., Stehlé, D.: Personal communication (2011)Google Scholar
  15. [HMV03]
    Hankerson, D., Menezes, A.J., Vanstone, S.: Guide to elliptic curve cryptography. Springer-Verlag New York, Inc., Secaucus (2003)zbMATHGoogle Scholar
  16. [JW05]
    Juels, A., Weis, S.A.: Authenticating Pervasive Devices with Human Protocols. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 293–308. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  17. [Kir11]
    Kirchner, P.: Improved generalized birthday attack. Cryptology ePrint Archive, Report 2011/377 (2011),
  18. [KPC+11]
    Kiltz, E., Pietrzak, K., Cash, D., Jain, A., Venturi, D.: Efficient authentication from hard learning problems. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 7–26. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. [KS06a]
    Katz, J., Shin, J.S.: Parallel and Concurrent Security of the HB and HB +  Protocols. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 73–87. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. [KS06b]
    Katz, J., Smith, A.: Analyzing the HB and HB+ protocols in the “large error” case. Cryptology ePrint Archive, Report 2006/326 (2006),
  21. [KSS10]
    Katz, J., Shin, J.S., Smith, A.: Parallel and concurrent security of the HB and HB+ protocols. Journal of Cryptology 23(3), 402–421 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  22. [KW05]
    Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard. In: International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 47–58 (2005)Google Scholar
  23. [KW06]
    Kirschenbaum, I., Wool, A.: How to build a low-cost, extended-range RFID skimmer. In: Proceedings of the 15th USENIX Security Symposium (SECURITY 2006), pp. 43–57. USENIX Association (August 2006)Google Scholar
  24. [Lan12]
    Lange, T.: Personal communication (2012)Google Scholar
  25. [LF06]
    Levieil, É., Fouque, P.-A.: An Improved LPN Algorithm. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 348–359. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  26. [LLS09]
    Lee, H., Lee, K., Shin, Y.: AES implementation and performance evaluation on 8-bit microcontrollers. CoRR abs/0911.0482 (2009)Google Scholar
  27. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  28. [Lyu05]
    Lyubashevsky, V.: The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem. In: Chekuri, C., Jansen, K., Rolim, J.D.P., Trevisan, L. (eds.) APPROX 2005 and RANDOM 2005. LNCS, vol. 3624, pp. 378–389. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. [MSP]
    MSP430 datasheeetGoogle Scholar
  30. [OOV08]
    Ouafi, K., Overbeck, R., Vaudenay, S.: On the Security of HB# against a Man-in-the-Middle Attack. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 108–124. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  31. [Poe]
    Poettering, B.: AVRAES: The AES block cipher on AVR controllers,
  32. [Reg09]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6) (2009)Google Scholar
  33. [Tik]
    Tikkanen, J.: AES implementation on AVR ATmega, 328 p.,
  34. [Wik]
    WISP Wiki, WISP 4.0 DL hardware,

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Stefan Heyse
    • 1
  • Eike Kiltz
    • 1
  • Vadim Lyubashevsky
    • 2
  • Christof Paar
    • 1
  • Krzysztof Pietrzak
    • 3
  1. 1.Ruhr-Universität BochumGermany
  2. 2.INRIA / ENSParisFrance
  3. 3.IST AustriaAustria

Personalised recommendations