the final equation becomes too small. For that reason, the number of these vectors is set in practice to 24 or 26.

Compared to exhaustive search algorithms on the correct equations [CTIN ], or on the errors introduced in the equations [GMZZ ], which run in strictly exponential time, the BKW algorithm has the advantage of running in (slightly) sub-exponential time. However, Levieil and Fouque [LF ] noted that the BKW algorithm makes unnecessary queries to the LPN oracle and proposed to use a Walsh transform to reduce the number of these queries. Independently, Lyubashevsky [Lyu ] adapted the BKW algorithm to make a strictly polynomial number of requests to the LPN oracle, at the cost of a slightly greater overall complexity. Table . , compiled by Levieil for his PhD thesis [Lev ], gives the best attack complexities of all the previously mentioned algorithms against the LPN problem with various parameters.

 

. . Extensions of the LPN Problem

 

Another branch of research was started by Regev [Reg ], who generalized the LPN problem to the ring $\mathbb{Z}_p$, for a prime $p$, and called the generalized problem the learning with errors problem (LWE). It turned out that this problem enjoys tight relations with lattice reduction problems. On the one hand, Regev showed that the decision version of LWE is hard assuming the quantum hardness of the gap shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP). On the other hand, Peikert [Pei ] proved a similar result assuming only the classical hardness of an easier version of the GapSVP problem.

The LWE problem proved to be very useful as the basis for public-key encryption secure under both chosen-plaintext [Reg , PVW ] and chosen-ciphertext [PW , Pei ] attacks, oblivious transfer [GPV ], identity-based encryption [CHKP ], leakage-resilient encryption [AGV , ACPS ], and more.

More recently, Lyubashevsky, Peikert and Regev [LPR ] extended the LWE problem to the ring of integer polynomials modulo a cyclotomic polynomial (which is irreducible over the rationals), and used its hardness to propose the first truly practical lattice-based public-key cryptosystem with an efficient security reduction.

Another variation of the LPN and LWE problems, known as the subspace LPN and LWE problems, has been introduced by Pietrzak [Pie ]. Among others, these problems served to construct a MAC from the LPN problem [KPC+ ].

 

3.2 Security Models for the HB Family

 

Before going into the description of HB-like protocols, we review the main security models for these protocols. All these protocols are symmetric-key based. That is, the prover and the verifier receive a key $K$ uniformly distributed over the set of all possible secret keys.

As with many probabilistic protocols, protocols from the HB family admit a false rejection rate. That is, it is possible that a legitimate prover gets rejected by the verifier even if the protocol instance went undisturbed. We shall refer to the probability of this event by $P_{FR}$. Of course, for practical reasons, we will require this probability to be negligible.

Conversely, it is also possible that a trivial adversary who only produces randomly generated protocol messages succeeds in authenticating as the prover. We denote the probability of this event, the false acceptance rate, by $P_{FA}$. Again, for obvious security reasons, this probability has to be negligible in the security parameter.

For simplicity, we assume the most devastating attack, in which the adversary's goal is to recover the shared key. For these adversaries, we differentiate multiple attack scenarios.

Passive Adversaries. This is the commonly assumed weakest adversarial model. A passive adversary can only eavesdrop on communications between the two parties. This is usually formalized by giving the adversary access to an oracle $\mathcal{O}$ that returns honestly generated protocol transcripts.

The DET Model. Better known as the active adversarial model, it assumes that the adversary is able to interact with the two parties independently. That is, the adversary is given black-box access to one oracle implementing the prover's and the verifier's strategies with the secret key as input. A first INIT message specifies which party the adversary wants the oracle to simulate. Note that the adversary cannot concurrently launch two sessions with the oracle.

The MIM Model. This model considers the most powerful type of adversaries. Attackers in this model are called man-in-the-middle for their ability to "sit" between the prover and the verifier and have complete control over the communication channel. Concretely, a man-in-the-middle has the power to insert a message in the channel (as an active adversary would do), but can also modify any message sent by one of the parties.

The GRS-MIM Model. For reasons that will be made clearer in Section . , this model considers a restricted man-in-the-middle adversary who can only modify messages going from the verifier to the prover.

Finally, we say that a scheme is secure in a certain model if no probabilistic polynomial-time adversary belonging to the associated class of adversaries recovers the key $K$ with probability better than $P_{FA} + \mathrm{negl}(k)$.

3.3 The HB Protocol

The first protocol based on the LPN problem is due to Hopper and Blum, who proposed the HB protocol in [HB ]. Contrary to its descendants, the aim of the HB protocol is extreme simplicity, so that it can be carried out by humans for authentication. Along with this imposed simplicity, introducing human parties induced substantial limitations on the adversarial model because, as in SAS-based cryptography [Vau b, PV , LP ], which is also intended for humans, an authenticated channel, such as the voice of the participants, is much easier to materialize than for electronic devices.

Figure 3.1: One round of the HB protocol. The protocol consists of r such rounds.

    Prover (secret: x)                                      Verifier (secret: x)
                                         <--- a ---         choose a \in_R \{0,1\}^k
    choose \nu \leftarrow Ber(\eta)
    compute z = a \cdot x \oplus \nu     --- z --->
                                                            accept if a \cdot x = z

The HB protocol assumes that a prover and a verifier share a $k$-bit secret vector $x$. The authentication procedure, depicted in Figure 3.1, consists of repeating $r$ times the following operation: the verifier first picks a random $k$-bit vector $a$ and sends it to the prover. The latter picks a bit $\nu$ according to the Bernoulli distribution of parameter $\eta$, i.e., $\Pr[\nu = 1] = \eta$, and computes the answer $z = a \cdot x \oplus \nu$, which is sent back to the verifier. At last, the verifier checks whether the equality $z = a \cdot x$ holds. If, after the $r$ repetitions, the equality $z = a \cdot x$ failed at most $t$ times, for a threshold $t \in [\eta r, r/2[$, then the verifier acknowledges the prover. Otherwise, authentication fails. Hence, a legitimate prover gets rejected if he introduced at least $t+1$ errors in his answers. This event, known as false rejection, happens with probability

$$P_{FR} = \sum_{i=t+1}^{r} \binom{r}{i} \eta^{i} (1-\eta)^{r-i}.$$

On the other side, the probability that a random answer $z$ gets accepted by the verifier has to be low to guarantee security. This probability, called the false acceptance rate, is given by

$$P_{FA} = 2^{-r} \sum_{i=0}^{t} \binom{r}{i}.$$

In the original paper, Hopper and Blum proved that, as long as the LPN assumption holds, the HB protocol is secure against passive adversaries. The proof comes from the observation that an adversary only has access to the transcripts of different protocol instances and gets pairs of the form $(a, z = a \cdot x \oplus \nu)$. As these pairs correspond exactly to the output of the $\mathcal{O}_{x,\eta}$ oracle of the LPN problem, any adversary deducing information on the shared secret of HB can be used to deduce information on the LPN secret.

The formal security reduction runs as follows. Given a passive adversary $\mathcal{A}_{HB}$ against the HB protocol, we construct an adversary $\mathcal{A}_{LPN}$ against the LPN problem that succeeds with the same probability. That is, $\mathcal{A}_{HB}$ interacts with a prover and a verifier, relaying messages between the two, while $\mathcal{A}_{LPN}$ interacts with an oracle $\mathcal{O}_{x,\eta}$.

Figure 3.2: One round of the HB+ protocol. The protocol consists of r such rounds.

    Prover (secret: x, y)                                           Verifier (secret: x, y)
    choose b \in_R \{0,1\}^{k_y}                   --- b --->
                                                    <--- a ---       choose a \in_R \{0,1\}^{k_x}
    choose \nu \leftarrow Ber(\eta)
    compute z = a \cdot x \oplus b \cdot y \oplus \nu   --- z --->
                                                                     accept if a \cdot x \oplus b \cdot y = z

3.4 HB+

Starting from the idea that RFID protocols, like human protocols, should be as simple as possible, Juels and Weis proposed to use the HB protocol as an RFID protocol [JW a]. However, HB's security properties are insufficient against adversaries able to access RFID tags and perform the attack described at the end of the previous section. For this purpose, they proposed the HB+ protocol, an HB-related protocol designed to be secure against active adversaries.

To thwart the attack against the HB protocol, Juels and Weis used a randomization technique in HB+ consisting of an extra message added to each round of the protocol, sent by the prover at the beginning, and denoted by $b$. The shared secret between the prover and the verifier is then composed of two vectors $x$ and $y$ of size $k_x$ and $k_y$ respectively. Like HB, HB+ consists of repeating $r$ times the following procedure: the prover first picks a uniformly chosen $k_y$-bit vector $b$ and sends it to the verifier. The latter generates a random $k_x$-bit vector $a$ and sends it to the prover. Then, after generating a bit $\nu \leftarrow \mathrm{Ber}(\eta)$, the prover computes $z = a \cdot x \oplus b \cdot y \oplus \nu$ and sends it. Upon reception of $z$, the verifier checks the equality $z = a \cdot x \oplus b \cdot y$. In the end, the verifier authenticates the prover if at most $t$ authentication rounds failed, for $t \in [\eta r, r/2[$.
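The HB round of Section 3.3, the HB+ round just described, and the exact $P_{FR}$ and $P_{FA}$ formulas, written out as an added illustration (this is not code from the thesis or from the Hopper and Blum or Juels and Weis papers). Vectors are packed into Python integers and the inner product is the parity of the bitwise AND. The `replay_attack` function is the standard active attack on HB that Juels and Weis motivate HB+ with and that this page refers to but does not spell out: an adversary playing the verifier fixes the challenge $a = e_i$, repeats it, and majority-votes the noisy answers to read off $x_i$. The parameters $k$, $\eta$, $r$, $t$ and the secrets below are assumed demo values, not values from the thesis.

```python
"""HB and HB+ rounds over GF(2), the exact P_FR / P_FA of Section 3.3, and the
active replay attack that HB+'s blinding vector b is designed to defeat.
Added illustration, not code from the thesis or the cited papers.  The
parameters (k, eta, r, t) and the secrets used below are assumed demo values."""
import secrets
from math import comb


def rand_bits(n):
    """Uniform n-bit vector, packed into an int (bit i is coordinate i)."""
    return secrets.randbits(n)


def dot(a, x):
    """Inner product a.x over GF(2): parity of the bitwise AND."""
    return bin(a & x).count("1") & 1


def bernoulli(eta):
    """nu <- Ber(eta): returns 1 with probability eta."""
    return 1 if secrets.randbits(53) / (1 << 53) < eta else 0


def lpn_sample(x, k, eta):
    """One query to the LPN oracle O_{x,eta}: (a, a.x ^ nu) with a uniform."""
    a = rand_bits(k)
    return a, dot(a, x) ^ bernoulli(eta)


def hb_round(x, k, eta):
    """One HB round (Figure 3.1): the verifier's challenge a and the prover's
    noisy answer z are distributed exactly like an LPN sample, which is the
    observation behind the passive-security reduction.  Returns (a, z, ok)."""
    a, z = lpn_sample(x, k, eta)
    return a, z, dot(a, x) == z          # verifier's check


def hb_plus_round(x, y, kx, ky, eta):
    """One HB+ round (Figure 3.2): the prover commits a fresh blinding b before
    seeing a, then answers z = a.x ^ b.y ^ nu.  Returns (a, b, z, ok)."""
    b = rand_bits(ky)                     # prover's blinding vector
    a = rand_bits(kx)                     # verifier's challenge
    z = dot(a, x) ^ dot(b, y) ^ bernoulli(eta)
    return a, b, z, (dot(a, x) ^ dot(b, y)) == z


def authenticate(round_fn, r, t):
    """Run r rounds; accept iff at most t of them fail (t in [eta*r, r/2))."""
    failures = sum(1 for _ in range(r) if not round_fn()[-1])
    return failures <= t


def p_fr(r, t, eta):
    """P_FR = sum_{i=t+1}^{r} C(r,i) eta^i (1-eta)^(r-i): the honest prover
    makes more than t errors."""
    return sum(comb(r, i) * eta**i * (1 - eta) ** (r - i) for i in range(t + 1, r + 1))


def p_fa(r, t):
    """P_FA = 2^-r sum_{i=0}^{t} C(r,i): a random z fails each round w.p. 1/2."""
    return sum(comb(r, i) for i in range(t + 1)) / 2**r


def replay_attack(prover_answer, k, trials):
    """Active adversary posing as the verifier (the DET model): it fixes the
    challenge a = e_i, queries the prover `trials` times and majority-votes
    the answers.  With plain HB the majority is a.x = x_i since eta < 1/2;
    with HB+ the prover's fresh b.y term turns each answer into a fair coin.
    prover_answer(a) -> z.  Returns the guessed secret."""
    guess = 0
    for i in range(k):
        ones = sum(prover_answer(1 << i) for _ in range(trials))
        if 2 * ones > trials:
            guess |= 1 << i
    return guess


if __name__ == "__main__":
    K, ETA, R, T = 32, 0.25, 128, 48      # assumed parameters, T in [ETA*R, R/2)
    x, y = rand_bits(K) | 1, rand_bits(K) | 1   # non-zero secrets (assumption)
    print(f"P_FR = {p_fr(R, T, ETA):.2e}   P_FA = {p_fa(R, T):.2e}")
    print("honest HB  accepted:", authenticate(lambda: hb_round(x, K, ETA), R, T))
    print("honest HB+ accepted:", authenticate(lambda: hb_plus_round(x, y, K, K, ETA), R, T))
    hb_prover = lambda a: dot(a, x) ^ bernoulli(ETA)
    hbp_prover = lambda a: dot(a, x) ^ dot(rand_bits(K), y) ^ bernoulli(ETA)
    print("replay attack recovers x from HB :", replay_attack(hb_prover, K, 201) == x)
    print("replay attack recovers x from HB+:", replay_attack(hbp_prover, K, 201) == x)
```

Two things worth noticing when running it. First, `hb_round` is literally `lpn_sample` plus the verifier's check, which is the whole content of the passive reduction: a transcript gives the eavesdropper nothing an LPN oracle would not. Second, at these small demo parameters neither $P_{FR}$ nor $P_{FA}$ is anywhere near negligible, which is why the models of Section 3.2 demand larger $r$ in a real deployment; the attack, by contrast, works for any $\eta < 1/2$ and only needs enough repetitions of the same challenge.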

Not only does HB+ fulfill its purpose of denying the active attack against HB, it is also provably immune to attacks by active adversaries, as demonstrated in the paper of Juels and Weis [JW a]. However, their result only holds in the sequential case, i.e., when the adversary has to terminate a session before starting another one. A later paper by Katz and Shin [KS a] showed that the reduction holds when the adversary is allowed to launch parallel instances with the parties of the protocol if $\eta < 1/4$. This result was further generalized for
