LPN-based Authentication

In this section, we revisit existing protocols that are based on LPN (or related problems) and that have been suggested for lightweight applications. More precisely, we evaluate their suitability for RFID systems based on the conditions presented inSubsection 3.2.2. Our respective results for almost 20 HB-type protocols are summarized in tabular form inSubsection 3.2.5on page40.

We start with a short overview of the most significant proposals for lightweight authentication protocols based on the LPN problem. As this branch of research has been initiated by the introduction of HB [HB01] and HB+ _{[JW05], which became the}

prototypes for this family of protocols, these are explained in further detailSubsubsec- tion 3.2.4.2. Moreover, at the example of HB+_{, we discuss the main parameters which}

influence the security and the hardware characteristics of HB-type protocols. This allows us to identify the general cost drivers common to the HB familySubsubsection 3.2.4.3. Subsequently, we present our evaluation results for popular follow-up protocols of HB+

Subsection 3.2.5.

3.2.4.1 Overview of the Considered Protocols

In 2,000, the HB [HB01] protocol was proposed, which is proven to be secure against passive attacks [KSS10]. In order to resist active attacks, HB+ _{[JW05] was introduced}

that is provably secure in the detection-based model (where the adversary is able to communicate only with the tag before attempting to authenticate itself to the reader).

However, if the attacker is given the ability to modify messages which go from the reader to the tag (GRS model), the HB+ _{protocol is not secure anymore as it was shown in}

[GRS05]. As a result, many new HB-type protocols were proposed in order to overcome this and other types of man-in-the-middle (MITM) attacks. In 2006, the HB++_protocol

was introduced [BCD06], which can be seen as running HB+ _{twice with correlated}

challenges and independent secrets. Later, [MP07] proposed the HB-MP protocol, which was designed to be more efficient than HB+ _{but turned out to be vulnerable w.r.t.}

passive attacks [GRS08a], which is why HB-MP+_{[LMM08] has been suggested. Another}

attempt to improve the performance of HB+ _{and to make it resistant against GRS-}

type MITM attacks was the HB∗ _{protocol [DK07]. In 2008 the HB}# _{and RANDOM-} HB#_{protocols were proposed, where the keys were extended from vectors to matrices} [GRS08b]. Another proposal called Trusted hB [BC08] is based on the idea of using a hardware efficient hash function for verifying the integrity of the data in order to resist MITM attacks. PUF-HB [HS08] is a construction which relies on Physically Unclonable Functions (PUFs) as a hardware primitive. In the protocols NLHB [MTSV10] and GHB# [RG12], the linear functions are replaced by non-linear functions while HBN _[BHN11] can be seen as a bilinear variant of HB. In 2011, AUTH [KPC+_{11] was proposed, where}

the security is based on a modified LPN problem, called the subspace LPN problem [Pie]. One year later, a more efficient proposal building on the ideas from [KPC+_{11] called}

Lapin [HKL+_{12] was introduced, whose security relies on the assumed hardness of the}

Ring LPN-problem.

3.2.4.2 The Procotols HB and HB+ and the Main Parameters

The HB protocol [HB01] was originally developed to be used by humans and with this aim was designed to be very simple. Both the reader (verifier) and the tag (prover) share a|x_|-bit long secret x _{∈ {}0, 1_}|x|_{. The protocol is composed of several rounds that are}

conceptually all the same. At the beginning of round i, the verifier chooses a random challenge a(i)_{∈ {0, 1}}|x| _{and sends it to the prover, who replies with ω}

i = (a(i)·x)⊕νi, where νi ∈ {0, 1}represents a biased random noise bit satisfying Prob[νi = 1] = ηfor

a fixed probability η ∈ (0, 0.5). Then the reader verifies whether the received bit ωiis equal to a(i)_{·x. If this is the case the response is called correct and otherwise incorrect.}

The security of HB against passive attacks relies on the LPN problem.

The HB+_{protocol [JW05] was developed to resist active attacks in the detection-based}

model. In extension to the HB protocol, the tag and the reader share an additional secret yof length_|y_|. At the beginning of round i, the tag generates a random blinding factor b(i) _{∈ {0, 1}|}y| _{and sends it to the reader. Afterwards, similar to the HB protocol, the}

reader generates a challenge a(i) _{∈ {0, 1}|}x|_{and sends it to the tag. Then the tag computes}

ωi = (a(i)·x)⊕ (b(i)·y)⊕νiand responds with it to the reader for verification. In the original proposal [JW05], the challenge a(i)_{, the blinding factor b}(i)_{and the secrets x, y all}

was shown in [LF06] that, when striving for 80-bit security in the detection-based model, the x-component of the common secret key(x, y)can be restricted to a length of|x_{| =}80 bits while the security of HB+_{still relies on the hardness of LPN with parameters η and}

|y|, where|y| > |x|as we will explain shortly.

As already mentioned, both protocols, HB and HB+_{, run in r rounds. Each additional}

round increases the confidence of the verifier. To this end, both protocols fix a parameter u ∈ (η, 0.5), such that the authentication is considered to be successful if the number

of incorrect answers is less than t = u_·r. Otherwise, the reader rejects the tag. If the noise probability η is chosen too close to 0.5 then a huge number of rounds is required in order to make the protocol reliable. At the same time, if η is close to 0, then for obtaining the necessary level of security of the protocols, extremely large key lengths_|x_|,_|y_|are inevitable. Hence, an appropriate tradeoff needs to be found, which is specified by the choice of η.

However, besides security considerations, there also practical aspects that impact reasonable choices for η. Usually, random number generators are assumed to produce uniformly distributed random bits. In this case, it is much easier to implement instan- tiations where η = 2−j_{, j ∈ N, as j uniformly distributed bits are sufficient for the} generation of one noise bit νi. However, for other values of η, many more uniformly distributed random bits may be needed to realize a corresponding random bit generator on top of those. Therefore, we restrict η to the values 0.25 and 0.125, which are in fact typical choices for HB-type protocols [LF06].

The reliability of the protocols depends on the probabilities of the possible errors. On the one hand, an honest tag may be rejected with probability PFR (false rejection probability or completeness error). On the other hand, an adversary answering randomly at each round will be authenticated with probability PFA(false acceptance probability or soundness error). For HB and HB+_{these values are computed as follows [GRS08a]:}

PFR = r

∑

i=t+1 r i  ηi(1−η)r−i (3.1) PFA = 1 2r t

∑

i=0 r i  (3.2) According to [LF06], PFAshould be less than 2−80for 80-bit security and PFRshould be less then 2−40_{. In order to achieve such bounds for soundness and completeness errors,} an appropriate combination of the parameters η, r, u needs to be chosen. In [LF06], for each value of η suitable values for u and r were computed, leading to the following two choices:

• Variant 1: η =0.25, u=0.348, r=1164 • Variant 2: η =0.125, u=0.256, r =441

Table 3.3: Parameter choices for the protocol HB+

Variant η |x| |y| Sec r u PFR PFA 1 0.25 80 512 280 _{1164 0.348 2}−45 ₂−83 2 0.125 80 512 277 _{441 0.256 2}−45 ₂−83 3 0.125 80 512 277 _{256 0.1875 0 2}−81

In one of the proposed protocols afterwards [GRS08b], the following trick has been suggested based on ideas from [KS06]: if the tag computes in advance r noise bits and keeps them only if the number of 1s is less than u·r, then the completeness error PFR will be equal to 0. The advantage of this approach is that the number of rounds r can be reduced, while the soundness error is kept small. Our evaluation takes this approach into account as well and uses the parameters provided in [GRS08b]: r =256, η=0.125, u= 0.1875 (variant 3). Summing up, in this work we evaluate, where possible, each protocol in all three explained variants.

As mentioned above, the protocols’ security relies on the LPN problem. The proofs of security for HB against passive attacks and for HB+ _{against active attacks were}

simplified by Katz et al. and extended to the parallel versions of the protocols [KS06, KSS10], which means that several rounds can be performed at the same time. Based on the state-of-the-art heuristic algorithm for solving the LPN problem [LF06], reasonable parameter choices for achieving (almost) 80-bit security are |x| = 512 for HB and |x_{| =}80,_|y_{| =}512 for HB+. In these cases, solving the LPN-problem would take 289 bytes of memory if η = 0.25 and 277 _{bytes of memory if η = 0.125. Our parameter} choices for HB+_{implementations are summarized in theTable 3.3.}

3.2.4.3 Cost Drivers of LPN-based Protocols

InSubsection 3.2.2, we have established a concrete notion of the term lightweight in the RFID context by providing actual hardware limits for low-cost tags. As our goal is to assess for (allegedly) lightweight authentication protocols whether they in fact comply to all of the respective hardware limits, we first need to identify the major cost drivers of such schemes. In particular, we will discuss for each of the following protocol properties how it is linked to the hardware properties of RFID tags in the $0.05 to $0.10 cost range discussed inSubsection 3.2.2.

Symmetric Key. All HB-type authentication protocols use symmetric keys5. Conse-

quently, the full shared secret, must permanently be available on the (passively powered)

5_{For the sake of simplicity, in this subsection, the term key will always be used to refer to the shared}

secret’s unique representation as a binary vector in the corresponding scheme, irrespective of potential blow-up measures like, e.g., the use of Toeplitz matrices. In particular, the key size lower bounds the size of the individual key storage required on each tag.

tag, hence implying the need for some non-volatile key storage. Depending on the de- ployment scenario, multiple (e.g., batches of) RFID tags might share a single key or, in other cases, tag-individual secrets may be required.

Closely related, but even more restrictive w.r.t. key storage options, is a potential need to set or change the secret key of a tag that is already in the field, as compared to irreversibly fixing the key once at production time. In the latter case, key-dependent masks may be used in the factory to apply the secret keys directly to so-called wafers in the process of creating Integrated Circuits (ICs) for low-cost RFID tags. However, while this can alleviate the need for additional components like EEPROMs or fuses (cf.Subsection 3.2.2- Area), it inevitably results in the potentially dangerous situation that large quantities of tags will now share the same irreversible key. Concretely, as production costs increase with each new mask (by thousands of U.S. dollars), the size of per-mask-batches must be big enough (i.e., hundreds of thousands or even millions of devices) to allow for per-tag savings (e.g., by removing the need for EEPROMs) which compensate for the additional costs of using multiple masks. At the same time, an attacker’s outlook on, e.g., counterfeiting large amounts of items who are all protected by tags using the same key, may now easily justify the costs for retrieving the respective key by means of reverse engineering (for instance, through etching and the use of an electron microscope).

Ultimately, if the deployment scenario requires fully individual keys, the use of masks is clearly not feasible anymore and two other, more flexible options remain: EEPROMs and fuses, whose major hardware properties and limitations w.r.t. low-cost RFID tags were summarized inSubsection 3.2.2. These general preconditions will now be compared to the requirements imposed by how symmetric keys are chosen and used in HB-type protocols. Clearly, EEPROMs offer the highest degree of flexibility as a key storage, allowing, e.g., to redeploy existing tags after changing their keys. On contrast, when resorting to fuses, keys are irreversible and need to be written already at production time. However, unlike masks, fuses allow for individual keys on a per tag basis. Hence, as fuses neither suffer from the high power consumption nor from the latency problems characteristic of EEPROMs, they are a viable option when individual but fixed keys are required.

Unfortunately, in the context of HB-type authentication protocols, key storage options are further restricted by the large key size common to these schemes. In [KPC+_11],

key sizes for multiple HB-type protocols are specified on the basis of the parameter l denoting the length of an LPN secret. For example, the key size of the original HB+

protocol, i.e., the variant suggested by Juels and Weis in [JW05], is given by 2l along with l = 500 described as a “typical parameter”. Please note that the resulting key length of 1000 bit is even at the lower end of the protocols summarized in [KPC+_{11] (which}

range from l bit for the original HB protocol [HB01], over 4.2_·lbit for AUTH [KPC+11], up to 80·l = 40, 000 bit for a MITM-secure protocol also suggested in [KPC+_{11]; see} Subsection 3.2.5for further details). However, e.g. due to area requirements, already for

1,000 bit it seems highly questionable whether fuses can still be considered a feasible option for storing the secret key on a low-cost RFID tag. Moreover, it is easy to see that, similar to (or even worse than) masks, fuses fail to provide substantial physical security. Ultimately, it depends on the deployment scenario whether this is an actual thread, hence requiring the use of, e.g., EEPROMs instead. Bring to mind, however, that in the context of low-cost RFID devices, EEPROMs typically do not allow for storing more than 2,048 bit. As a result, it must be suspected that many of the HB-type protocols discussed inSubsection 3.2.5are already precluded by their key size from practical application on RFID tags in the $0.05 to $0.10 range.

Challenges, Blinding Factors, and Noise Bits. Another property characteristic of

HB-type protocols is their heavy use of challenges and what is often referred to as blinding factors. For most HB-type protocols, the following three phases per round can be identified: (1) The prover creates a vector of random bits, the so-called blinding factor, which is then transmitted wirelessly to the verifier. (2) Just alike, the verifier now also creates a random bit vector and sends it to the tag. (3) Depending on the specific protocol, the prover deterministically computes some 1-bit value based on the blinding factor in (1), the challenge in (2), as well as the secret/shared key. Finally, he needs to produce one more random bit, which, on contrast to the aforementioned challenge and blinding vectors, is not based on the uniform but some other, fixed distribution. Adding this so-called noise bit to the 1-bit value yielded by the previous operation is crucial to the security of HB-type protocols, as described inSubsubsection 3.2.4.2. The resulting bit is then sent to the verifier, who will check whether it is correct or not. In the following paragraph, we will denote the number of protocol rounds per authentication run by r and, for reasons of simplicity, assume that the blinding vector in step (1) as well as the challenge vector in step (2) are both of length l, i.e., the size of the secret key (as done in the original HB+_{paper [JW05] and popular follow-up works like [KPC}+_11]).

Apparently, the protocol scheme we just outlined makes heavy use of at least two hardware resources previously identified as potential bottlenecks for low-cost RFID tags: the transmission bandwidth (Subsection 3.2.2) and the generation of random numbers. Concretely, in each round of the above archetypical example, the commu- nication complexity amounts to 2l+1 and the prover needs to obtain l uniformly random bits and 1 differently distributed random bit from his RNG. Hence, a single authentication procedure consisting of r rounds has a communication complexity of at approximately 2·l_·rbit and requires at least r_·lrandom bits on the prover’s side. As in the previous paragraph about key sizes, let us exemplify the actual consequences of these complexities for HB-type protocols using parameters described as “typical” in [KPC+_{11]: l = 500 and r = 250. Moreover, as justified inSubsection 3.2.2, let us}

consider 150 msec to be the maximum time available for a complete authentication. As a result, at least 2·500·250 = 250, 000 bit would need to be transmitted within 150

msec, corresponding to a vastly implausible transmission rate of 250, 000/0.15 bit/s ≈1.66 Mbit/s (as compared to actual values between 10,000 bit/s and 200,000 bit/s as given inSubsection 3.2.2). Similarly far from reality is the idea that an RFID tag whose production costs are in the $0.05-$0.10 range could actually feature an RNG delivering as much as 500_·250 = 125, 000 uniformly distributed random bits within just 150 msection Apart from the apparent bottlenecks transmission bandwidth and generation of random numbers, the generalizing description of HB-type protocol at the beginning of this paragraph contained a third aspect worth investigating. Concretely, depending on the involved operations, the first computation in step (3) can easily turn out to consume (possibly too) many clock cycles, especially in view of the fact that three operands of bit-length 500 are involved. As this is highly protocol-specific and implementation-dependent (e.g., parallel vs. serial processing in step (3) of HB+_{) though,}

the question of computational complexity will be treated, where of importance, in the corresponding ofSubsection 3.2.5.

In document Lightweight symmetric cryptography (Page 56-62)