More on the Security of Linear RFID Authentication Protocols

  • Matthias Krause
  • Dirk Stegemann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5867)


The limited computational resources available in RFID tags have prompted an intensive search for lightweight authentication protocols in recent years. The most promising suggestions were those of the HB-family (HB+, HB#, Trusted-HB, ...), initially introduced by Juels and Weis, which are provably secure (via reduction to the Learning Parity with Noise (LPN) problem) against passive and some kinds of active attacks. Their main drawbacks are the large number of communicated bits and the fact that all known HB-type protocols have been proven to be insecure with respect to certain types of active attacks. As a possible alternative, authentication protocols based on choosing random elements from L secret linear n-dimensional subspaces of GF(2)^(n+k) (so-called CKK-protocols) were introduced by Cichoń, Klonowski, and Kutyłowski. These protocols are special cases of (linear) (n,k,L)-protocols, which we investigate in this paper. We present several active and passive attacks against (n,k,L)-protocols and propose (n,k,L)++-protocols, which we can prove to be secure against certain types of active attacks. We obtain some evidence that the security of (n,k,L)-protocols can be reduced to the hardness of the learning unions of linear subspaces (LULS) problem. We then present a learning algorithm for LULS based on solving overdefined systems of degree L in Ln variables. Under the hardness assumption that LULS-problems cannot be solved significantly faster, linear (n,k,L)-protocols (with properly chosen n,k,L) could be interesting for practical applications.


Keywords: Lightweight Cryptography, RFID Authentication, Algebraic Attacks, HB+, CKK, CKK2


  1. Blass, E.-O., Kurmus, A., Molva, R., Noubir, G., Shikfa, A.: The F_f-family of protocols for RFID-privacy and authentication,
  2. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24, 235–265 (1997)
  3. Bringer, J., Chabanne, H.: Trusted-HB: A low cost version of HB+ secure against a man-in-the-middle attack. IEEE Trans. Inform. Theor. 54, 4339–4342 (2008)
  4. Cichoń, J., Klonowski, M., Kutyłowski, M.: Privacy protection for RFID with hidden subset identifiers. In: Indulska, J., Patterson, D.J., Rodden, T., Ott, M. (eds.) PERVASIVE 2008. LNCS, vol. 5013, pp. 298–314. Springer, Heidelberg (2008)
  5. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. Cryptology ePrint Archive, Report 2008/385 (2008),
  6. Dinur, I., Shamir, A.: Cube attacks on tweakable black box polynomials. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 278–299. Springer, Heidelberg (2009)
  7. Gołębiewski, Z., Majcher, K., Zagórski, F.: Attacks on CKK family of RFID authentication protocols. In: Coudert, D., Simplot-Ryl, D., Stojmenovic, I. (eds.) ADHOC-NOW 2008. LNCS, vol. 5198, pp. 241–250. Springer, Heidelberg (2008)
  8. Faugère, J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–68 (1999)
  9. Faugère, J.-C.: A new efficient algorithm for computing Gröbner basis without reduction to zero (F5). In: Mora, T. (ed.) ISSAC 2002, pp. 75–83. ACM Press, New York (2002)
  10. Frumkin, D., Shamir, A.: Untrusted-HB: Security vulnerabilities of Trusted-HB. Cryptology ePrint Archive, Report 2009/044 (2009),
  11. Gilbert, H., Robshaw, M.J.B., Seurin, Y.: HB#: Increasing the security and efficiency of HB+. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 361–378. Springer, Heidelberg (2008)
  12. Gilbert, H., Robshaw, M.J.B., Sibert, H.: Active attack against HB+: A provable secure lightweight authentication protocol. Electronic Letters 41, 1169–1170 (2005)
  13. Juels, A.: RFID privacy: A technical primer for the non-technical reader. In: Strandburg, K., Raicu, D.S. (eds.) Privacy and Technologies of Identity: A Cross-Disciplinary Conversation. Springer, Heidelberg (2005)
  14. Juels, A., Weis, S.A.: Authenticating pervasive devices with human protocols. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 293–308. Springer, Heidelberg (2005)
  15. Langheinrich, M.: A survey of RFID privacy approaches. J. Personal and Ubiquitous Comp. 13, 413–421 (2009)
  16. Ouafi, K., Overbeck, R., Vaudenay, S.: On the security of HB# against a man-in-the-middle attack. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 108–124. Springer, Heidelberg (2008)

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Matthias Krause (1)
  • Dirk Stegemann (1)
  1. Theoretical Computer Science, University of Mannheim, Mannheim, Germany
