Foxtail+: A Learning with Errors-based Authentication Protocol for Resource-Constrained Devices

This paper presents Foxtail+, a new shared-key protocol for securely authenticating resource-constrained devices, such as Internet of Things (IoT) devices. Foxtail+ is based on a previously proposed protocol for authenticating unaided humans, called the Foxtail protocol, which we modify to authenticate resource-constrained devices. It uses a computationally lightweight function, called the Foxtail function, which makes it ideal for IoT nodes with limited memory, computational, and/or battery resources. We introduce a new family of functions based on the Foxtail function, analyze its security in terms of the number of samples required to recover the secret, and show how it is connected to the learning with rounding (LWR) problem. We then build the Foxtail+ protocol from this function family, secure against active adversaries. Finally, we implement Foxtail+ and experimentally evaluate its performance against a similar alternative protocol, i.e., the modified version of the Hopper and Blum protocol called HB+, and against a block cipher-based protocol instantiated with AES. The experiments are run on an IoT device connected to a LoRa network, which is an IoT-specific Low-Power Wide-Area Network (LPWAN). We show that Foxtail+ outperforms HB+ in terms of overall communication and energy cost, and that its parallel implementation is comparable to the AES-based protocol in terms of time and energy consumption. To our knowledge, we provide the first implementation of any member of the HB+ family of protocols that directly compares its performance against an AES-based protocol in terms of time and power consumption. Our experiments shed new light on some of the limitations of identification protocols based on lightweight primitives, of which Foxtail+ is a member, relative to block cipher-based protocols.

Keywords: Identification protocols, human identification protocols, HB+ protocol, learning with errors, AES
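The abstract describes a shared-key challenge/response protocol built on a lightweight function of the learning-with-rounding (LWR) form, i.e. an inner product modulo a small integer followed by rounding to a smaller range. The following is an added illustration of that primitive and of the verifier's accept/reject decision; it is not the paper's code, and the function `rounded_response`, the parameters `N`, `D`, `R`, `ROUNDS` and the zero error threshold are assumptions chosen for illustration rather than the Foxtail+ function family or its actual parameters. The `min_samples_bound` helper is a generic information-theoretic lower bound (each response leaks at most log2(R) bits of an N*log2(D)-bit secret), not the paper's own sample-complexity analysis.

```python
import math
import random
from typing import List, Sequence

# Toy parameters, constructed for this illustration (not the paper's values).
N = 32        # digits per challenge and per secret
D = 8         # challenge and secret digits live in Z_D
R = 2         # responses are rounded down into Z_R (R divides D)
ROUNDS = 40   # challenge/response pairs per authentication session


def keygen(rng: random.Random, n: int = N, d: int = D) -> List[int]:
    """Shared secret: n digits in Z_d, held by both device and verifier."""
    return [rng.randrange(d) for _ in range(n)]


def rounded_response(secret: Sequence[int], challenge: Sequence[int],
                     d: int = D, r: int = R) -> int:
    """LWR-style response: (secret . challenge) mod d, rounded down to Z_r.

    Only small-integer multiplications and additions are needed, which is
    the kind of lightweight computation the abstract refers to.
    (Assumed form for illustration; not the paper's exact function.)
    """
    if len(secret) != len(challenge):
        raise ValueError("secret and challenge must have the same length")
    s = sum(a * b for a, b in zip(secret, challenge)) % d
    return (s * r) // d            # floor(r * s / d): the rounding step


def mismatches(secret: Sequence[int], challenges: Sequence[Sequence[int]],
               responses: Sequence[int], d: int = D, r: int = R) -> int:
    """Verifier side: number of responses that disagree with the shared key."""
    return sum(1 for c, y in zip(challenges, responses)
               if rounded_response(secret, c, d, r) != y)


def run_session(verifier_secret: Sequence[int], device_secret: Sequence[int],
                rng: random.Random, rounds: int = ROUNDS, tau: int = 0) -> bool:
    """One session: the verifier draws fresh random challenges, the device
    answers with its own key, and the verifier accepts iff at most tau
    responses disagree. tau is 0 here because rounding is deterministic;
    a noisy LPN-style variant such as HB+ would need tau > 0."""
    challenges = [[rng.randrange(D) for _ in range(len(verifier_secret))]
                  for _ in range(rounds)]
    responses = [rounded_response(device_secret, c) for c in challenges]
    return mismatches(verifier_secret, challenges, responses) <= tau


def random_guess_success(rounds: int = ROUNDS, r: int = R, tau: int = 0) -> float:
    """Probability that an impersonator answering uniformly at random passes
    a session: P[at most tau of `rounds` independent 1/r guesses are wrong]."""
    p = 1.0 / r
    return sum(math.comb(rounds, k) * (1 - p) ** k * p ** (rounds - k)
               for k in range(tau + 1))


def min_samples_bound(n: int = N, d: int = D, r: int = R) -> int:
    """Generic information-theoretic floor on the number of passive samples
    needed to pin down the secret: the secret has n*log2(d) bits of entropy
    and each response reveals at most log2(r) bits."""
    return math.ceil(n * math.log2(d) / math.log2(r))


if __name__ == "__main__":
    rng = random.Random(2024)
    shared = keygen(rng)
    print("genuine device accepted:", run_session(shared, shared, rng))
    impostor = keygen(rng)
    print("impostor accepted:", run_session(shared, impostor, rng))
    print("random-guess success probability:", random_guess_success())
    print("passive samples needed (lower bound):", min_samples_bound())
```

With these toy parameters a random guesser passes with probability 2^-40, and at least 96 passively observed samples are needed before the secret is even information-theoretically determined; the paper's actual analysis of how many samples suffice for the Foxtail-based family is what distinguishes it from this generic bound.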
