
Summarizing Results

In document Lightweight symmetric cryptography (Page 83-86)

3.2 On the Suitability of Different Authentication Protocols for Ultra-constrained

3.2.6 Summarizing Results

Table 3.27 summarizes the results of the evaluation of all the discussed HB-type protocols. We briefly explain the content of the table:

• For each protocol, we give in the second column (labeled “parameters”) the parameter choices our evaluation is based on. These choices have mostly been derived from the literature or, whenever necessary, calculated on our own. In the latter case, the parameters have always been chosen in favour of the protocol. A detailed explanation of how the parameters have been derived is given in Subsubsection 3.2.4.2 for the protocols HB and HB+ and in Subsection 3.2.5 for the remaining considered protocols.

• In columns 3–6, four⁶ different cost factors are displayed: key storage complexity, the numbers of random bits required for generating the noise and blinding factors, respectively, and the total communication complexity (see also Table 3.6). Here too, we will later explain in detail how these have been computed.

• The determination of the cost factors now allows us to verify whether the conditions explained in Subsection 3.2.2 are fulfilled. If some of these are violated for a certain protocol, this is explicitly stated in the last column. As the bounds given in Subsection 3.2.2 are certainly not tight, we indicate a violation here only if the induced costs would be way above these bounds (often by orders of magnitude). In these cases, we think it very improbable that small changes or the application of implementation tricks would be sufficient to make these protocols suitable. In addition, if man-in-the-middle (MITM) attacks are known against the respective protocol, a reference is given as well.

The conclusion one can draw from these results is that each of the considered protocols would induce costs that are significantly outside of the derived bounds. Furthermore, most of the protocols are insecure against MITM attacks. Although one may debate whether MITM attacks are actually relevant in low-cost use cases, note that there are straightforward authentication schemes on the basis of prevalent lightweight ciphers (cf. Subsection 3.2.3) which are perfectly feasible and provide not only active but also MITM security.⁷ Summing up, it remains an open question to design a protocol based on LPN (or a related problem) which is secure against MITM attacks and, at the same time, complies with the hardware constraints justified in Subsection 3.2.2.

⁶ Please note that, in order to keep the presentation simple, we omit from the table the costs (area size and required number of clock-cycles) which were evaluated using implementations of the protocols.

⁷ The popular argument that, unlike for cipher-based schemes, active security can actually be “proved” for HB-type authentication protocols is only convincing to a limited extent, as this “proof” in fact relies on the assumed hardness of the LPN problem.

Table 3.27: Evaluation results for the considered HB-type protocols.

Protocol    Parameters                               KC      NRn      NRb      CC       Suitability and Security
HB          η = 0.25, k = 512, r = 1164              512     2328     0        597132   CC ≥ 30000, NRb + NRn ≥ 128 for all sets of parameters. Active attacks.
            η = 0.125, |k| = 512, r = 441            512     1323     0        226233
            η = 0.125, |k| = 512, r = 256            512     770*     0        131328
HB+         η = 0.25, |x| = 80, |y| = 512, r = 1164  592     2328     59568    690252   CC ≥ 30000, NRb + NRn ≥ 128. MITM attacks.
            η = 0.125, |x| = 80, |y| = 512, r = 441  592     1323     225792   261513
            η = 0.125, |x| = 80, |y| = 512, r = 256  592     770*     131072   151808
HB++        η = 0.25, r = 731                        768     2924     58560    118582   CC ≥ 30000, NRb + NRn ≥ 128. MITM attacks.
            η = 0.125, r = 282                       768     1692     22640    45844
HB-MP       n = 1, |k| = 513, m = 512, r = 1164      1026    0        893952*  1191936  CC ≥ 30000, NRb + NRn ≥ 128. Passive attacks.
            n = 2, |k| = 513, m = 512, r = 441       1026    0        395136*  451584
HB-MP+      n = 2, |k| = 512, m = 224, r = 1164      1024    0        391104*  521472   CC ≥ 30000, NRb + NRn ≥ 128.
HB∗         η = 0.5, |k| = 256, r = 80               1024    80       20480    41200    CC ≥ 30000, NRb + NRn ≥ 128.
HB∗1        η = 0.25, |k| = 512, r = 1164            1536    3492     595968   598296   CC ≥ 30000, NRb + NRn ≥ 128. MITM attacks [PT07, GRS08a].
            η = 0.125, |k| = 512, r = 441            1536    1764     225792   226674
Trusted HB  η = 0.25, |x| = 80, |y| = 512, r = 1164  693     2328     595968   690353   CC ≥ 30000, NRb + NRn ≥ 128. ≈ 7 · 10⁵ clock-cycles (max. available 1.5 · 10⁵). MITM attacks.
RND-HB#     η = 0.25, |x| = 80, |y| = 512, r = 1164  689088  2328     512      1756     NRb + NRn ≥ 128. MITM attacks.
            η = 0.125, |x| = 80, |y| = 512, r = 441  261072  1323     512      1033
            η = 0.125, |x| = 80, |y| = 512, r = 256  151552  770*     512      848
HB#         η = 0.25, |x| = 80, |y| = 512, r = 1164  2918    2328     512      1756     NRb + NRn ≥ 128. MITM attacks.
            η = 0.125, |x| = 80, |y| = 512, r = 441  1472    1323     512      1033
            η = 0.125, |x| = 80, |y| = 512, r = 256  1102    770*     512      848
HB-MAC      η = 0.25, |k| = 160, r = 1164            186240  4656     160      2808     KC ≥ 2048, NRb + NRn ≥ 128. MITM attacks [Riz09].
            η = 0.125, |k| = 160, r = 441            70560   2646     160      1362
GHB#        η = 0.25, |x| = 80, |y| = 512, r = 1164  689088  2328     512      1756     KC ≥ 2048, NRb + NRn ≥ 128.
            η = 0.125, |x| = 80, |y| = 512, r = 441  261072  1323     512      1033
            η = 0.125, |x| = 80, |y| = 512, r = 256  151552  770*     512      848
HBN         η = 0.25, n = 513, r = 3921              263169  7842     2011473  4026867  KC ≥ 2048, NRb + NRn ≥ 128, CC ≥ 30000.
            η = 0.125, n = 513, r = 522              263169  1566     267786   536094
HBb         η = 0.25, |x| = 80, |y| = 512, r = 1164  689088  Unclear  512      1756     KC ≥ 2048. Noise generation mechanism is unclear.
            η = 0.125, |x| = 80, |y| = 512, r = 441  261072  Unclear  512      1033
            η = 0.125, |x| = 80, |y| = 512, r = 256  151552  Unclear  512      848
NL-HB       η = 0.25, |k| = 512, r = 1164            512     2328     -        597132   Similar to HB, CC ≥ 30000, NRb + NRn ≥ 128. Active attacks.
            η = 0.125, |k| = 512, r = 441            512     1323     -        226233
            η = 0.125, |k| = 512, r = 256            512     770*     -        131328
AUTH        Depending on trade-off parameter c, either CC, KC, or both not feasible (cf. [KPC+11] and [GRS08b]).
MAC1        Same as AUTH + CompC of Θ(m²), m = 600, imposed by pairwise independent permutation (cf. [KPC+11]).
MAC2        Same as AUTH + CompC of Θ(m²), m = 1200, imposed by pairwise independent permutation (cf. [KPC+11]).

KC - Key storage complexity

NRn - Number of uniformly distributed random bits required for noise

NRb - Number of uniformly distributed random bits required for blinding factors

CC - The total communication complexity

CompC - The total computational complexity
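The cost factors in the first two HB rows of Table 3.27 can be reproduced by running the protocol and counting what it consumes. The Python code below is an added example, not code from the thesis. It assumes that each HB round sends a |k|-bit challenge and a 1-bit response and that a noise bit with η = 2^-j is formed by ANDing j uniform bits; `hb_run` and `violated` are hypothetical names, and the starred entry 770* is not covered by this model.

```python
import secrets

# Bounds as they appear in the last column of Table 3.27.
BOUNDS = {"KC": 2048, "NRb+NRn": 128, "CC": 30000}

def hb_run(k, r, noise_exp):
    """Run r rounds of HB with noise rate 2**-noise_exp and measure the costs."""
    key = secrets.randbits(k)            # shared k-bit secret (this is KC)
    nr_noise = cc = errors = 0
    for _ in range(r):
        challenge = secrets.randbits(k)  # verifier -> prover: k bits
        # Assumed noise source: the AND of noise_exp uniform bits is 1
        # with probability 2**-noise_exp.
        draw = secrets.randbits(noise_exp)
        nr_noise += noise_exp
        noise = int(draw == (1 << noise_exp) - 1)
        parity = bin(key & challenge).count("1") & 1
        response = parity ^ noise        # prover -> verifier: 1 bit
        cc += k + 1
        errors += response ^ parity      # verifier recomputes the parity
    return {"KC": k, "NRn": nr_noise, "NRb": 0, "CC": cc, "errors": errors}

def violated(cost):
    """Bounds reached by the measured costs.

    Plain >= comparison; the thesis reports a violation only when the
    cost is far above the bound, which holds for both HB rows used here.
    """
    totals = {"KC": cost["KC"], "NRb+NRn": cost["NRb"] + cost["NRn"],
              "CC": cost["CC"]}
    return [name for name, bound in BOUNDS.items() if totals[name] >= bound]

if __name__ == "__main__":
    # Parameter sets of the first two HB rows: (k, r, log2(1/eta)).
    for k, r, e in [(512, 1164, 2), (512, 441, 3)]:
        cost = hb_run(k, r, e)
        print(cost, violated(cost))
```

The key storage stays at 512 bits, well under the KC bound, so for HB the violations come entirely from the per-round randomness and the 513 bits exchanged in every round.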
