Parallel and Concurrent Security of the HB and HB+ Protocols
Juels and Weis (building on prior work of Hopper and Blum) propose and analyze two shared-key authentication protocols, HB and HB+, whose extremely low computational cost makes them attractive for low-cost devices such as radio-frequency identification (RFID) tags. Security of these protocols is based on the conjectured hardness of the “learning parity with noise” (LPN) problem: the HB protocol is proven secure against a passive (eavesdropping) adversary, while the HB+ protocol is proven secure against active attacks.
Juels and Weis prove security of these protocols only for the case of sequential executions, and explicitly leave open the question of whether security holds also in the case of parallel or concurrent executions. In addition to guaranteeing security against a stronger class of adversaries, a positive answer to this question would allow the HB+ protocol to be parallelized, thereby substantially reducing its round complexity.
Adapting a recent result by Regev, we answer the aforementioned question in the affirmative and prove security of the HB and HB+ protocols under parallel/concurrent executions. We also give what we believe to be substantially simpler security proofs for these protocols which are more complete in that they explicitly address the dependence of the soundness error on the number of iterations.
Keywords: Active Attack, Concurrent Execution, Oracle Query, Security Reduction, Random Linear Code
- 1. Associated Press. Geeks Flex Hacker Muscles at Defcon. Article appeared on CNN.com, August 2 (2005)
- 3. Bellare, M., Impagliazzo, R., Naor, M.: Does Parallel Repetition Lower the Error in Computationally-Sound Protocols? In: 38th IEEE Symposium on Foundations of Computer Science, pp. 374–383. IEEE, Los Alamitos (1997)
- 11. Feige, U., Shamir, A.: Witness Indistinguishability and Witness Hiding Protocols. In: 22nd ACM Symposium on Theory of Computing, pp. 416–426. ACM, New York (1990)
- 12. Gilbert, H., Robshaw, M., Sibert, H.: An Active Attack against HB+ — a Provably Secure Lightweight Authentication Protocol (2005), available at: http://eprint.iacr.org/2005/237
- 13. Goldreich, O.: Modern Cryptography, Probabilistic Proofs, and Pseudorandomness. Springer, Heidelberg (1998)
- 15. Goldreich, O., Nisan, N., Wigderson, A.: On Yao’s XOR-Lemma (1995), available at: http://eccc.uni-trier.de/eccc-reports/1995/TR95-050/
- 18. Hopper, N., Blum, M.: A Secure Human-Computer Authentication Scheme. Technical Report CMU-CS-00-139, Carnegie Mellon University (2000)
- 22. Kfir, Z., Wool, A.: Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems (2005), available at: http://eprint.iacr.org/2005/052
- 23. Kirschenbaum, I., Wool, A.: How to Build a Low-Cost, Extended-Range RFID Skimmer (2006), available at: http://eprint.iacr.org/2006/054
- 25. Regev, O.: On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In: 37th ACM Symposium on Theory of Computing, pp. 84–93. ACM, New York (2005)
- 26. Yao, A.C.-C.: Theory and Applications of Trapdoor Functions. In: 23rd IEEE Symposium on Foundations of Computer Science, pp. 80–91. IEEE, Los Alamitos (1982)