Parallel and Concurrent Security of the HB and HB+ Protocols

Hopper and Blum (Asiacrypt 2001) and Juels and Weis (Crypto 2005) recently proposed two shared-key authentication protocols—HB and HB+, respectively—whose extremely low computational cost makes them attractive for low-cost devices such as radio-frequency identification (RFID) tags. The security of these protocols is based on the conjectured hardness of the “learning parity with noise” (LPN) problem, which is equivalent to the problem of decoding random binary linear codes. The HB protocol is proven secure against a passive (eavesdropping) adversary, while the HB+ protocol is proven secure against active attacks.

[1]  Marc Fischlin,et al.  Identification Protocols Secure against Reset Attacks , 2001, EUROCRYPT.

[2]  Venkatesan Guruswami,et al.  List decoding of error correcting codes , 2001 .

[3]  Ran Canetti,et al.  Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds , 2002, SIAM J. Comput..

[4]  Yannick Seurin,et al.  Good Variants of HB+ Are Hard to Find , 2008, Financial Cryptography.

[5]  Selmer M. Johnson Improved asymptotic bounds for error-correcting codes , 1963, IEEE Trans. Inf. Theory.

[6]  Venkatesan Guruswami,et al.  List Decoding of Error-Correcting Codes (Winning Thesis of the 2002 ACM Doctoral Dissertation Competition) , 2005, Lecture Notes in Computer Science.

[7]  Jonathan Katz,et al.  Analyzing the HB and HB+ Protocols in the "Large Error" Case , 2006, IACR Cryptol. ePrint Arch..

[8]  Chris Peikert,et al.  Public-key cryptosystems from the worst-case shortest vector problem: extended abstract , 2009, STOC '09.

[9]  Hideki Imai,et al.  An Algorithm for Solving the LPN Problem and Its Application to Security Evaluation of the HB Protocols for RFID Authentication , 2006, INDOCRYPT.

[10]  Hugo Krawczyk,et al.  On the Composition of Zero-Knowledge Proof Systems , 1990, ICALP.

[11]  William Hugh Murray,et al.  Modern Cryptography , 1995, Information Security Journal.

[12]  Richard J. Lipton,et al.  Cryptographic Primitives Based on Hard Learning Problems , 1993, CRYPTO.

[13]  Ran Raz,et al.  A parallel repetition theorem , 1995, STOC '95.

[14]  Oded Goldreich,et al.  Modern Cryptography, Probabilistic Proofs and Pseudorandomness , 1998, Algorithms and Combinatorics.

[15]  Rafael Pass,et al.  An efficient parallel repetition theorem for Arthur-Merlin games , 2007, STOC '07.

[16]  Noam Nisan,et al.  On Yao's XOR-Lemma , 1995, Electron. Colloquium Comput. Complex..

[17]  Matthew J. B. Robshaw,et al.  An Active Attack Against HB +-A Provably Secure Lightweight Authentication Protocol , 2022 .

[18]  Kwangjo Kim,et al.  Securing HB+ against GRS Man-in-the-Middle Attack , 2007 .

[19]  Venkatesan Guruswami,et al.  Extensions to the Johnson bound , 2001 .

[20]  Vadim Lyubashevsky,et al.  The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem , 2005, APPROX-RANDOM.

[21]  GoldreichOded,et al.  Definitions and properties of zero-knowledge proof systems , 1994 .

[22]  Adi Shamir,et al.  Witness indistinguishable and witness hiding protocols , 1990, STOC '90.

[23]  Manuel Blum,et al.  A Secure Human-Computer Authentication Scheme , 2000 .

[24]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[25]  Jonathan Katz,et al.  Parallel and Concurrent Security of the HB and HB+ Protocols , 2006, EUROCRYPT.

[26]  Jorge Munilla,et al.  HB-MP: A further step in the HB-family of lightweight authentication protocols , 2007, Comput. Networks.

[27]  Yannick Seurin,et al.  HB#: Increasing the Security and Efficiency of HB+ , 2008, EUROCRYPT.

[28]  Elwyn R. Berlekamp,et al.  On the inherent intractability of certain coding problems (Corresp.) , 1978, IEEE Trans. Inf. Theory.

[29]  PetrankErez,et al.  Black-Box Concurrent Zero-Knowledge Requires (Almost) Logarithmically Many Rounds , 2003 .

[30]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[31]  Avishai Wool,et al.  How to Build a Low-Cost, Extended-Range RFID Skimmer , 2006, USENIX Security Symposium.

[32]  Andrew Chi-Chih Yao,et al.  Theory and Applications of Trapdoor Functions (Extended Abstract) , 1982, FOCS.

[33]  Avishai Wool,et al.  Picking Virtual Pockets using Relay Attacks on Contactless Smartcard , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[34]  Selmer M. Johnson A new upper bound for error-correcting codes , 1962, IRE Trans. Inf. Theory.

[35]  Johan Håstad,et al.  Some optimal inapproximability results , 2001, JACM.

[36]  Éric Levieil,et al.  An Improved LPN Algorithm , 2006, SCN.

[37]  Ran Canetti,et al.  Hardness Amplification of Weakly Verifiable Puzzles , 2005, TCC.

[38]  Oded Goldreich,et al.  Definitions and properties of zero-knowledge proof systems , 1994, Journal of Cryptology.

[39]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[40]  Julien Bringer,et al.  HB^+^+: a Lightweight Authentication Protocol Secure against Some Attacks , 2006, Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'06).

[41]  Moni Naor,et al.  Does parallel repetition lower the error in computationally sound protocols? , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[42]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[43]  Florent Chabaud,et al.  On the Security of Some Cryptosystems Based on Error-correcting Codes , 1994, EUROCRYPT.

[44]  Michael Kearns,et al.  Efficient noise-tolerant learning from statistical queries , 1993, STOC.

[45]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).