. . Asymptotic Complexity Analysis

2 2

P (w)(1

P (w))

n =

r2

(P ′(w))2

2

2

P (w)) (

m (1

u2

)

=

2

P (w)(1

√2 1

)

e 2

r2

2

2 ( 2eu2 ) ;

and the minimal value of n is reached when u = 0 which happens when

w0 = wopt

=

t

m

;

1

2

and we obtain

P (wopt) =

1

;

P ′(wopt) =

1

2

;

2

1

√2 m (1 )

m

R(wopt) =

(

1) = Ropt:

4

(1

2 )2

accepted by the veri er, and the false rejection rate of the protocol is negligible, we can use

the approximation w0 m . In such a case, we can derive

t m

m

=) t 2m (1 );

1 2

As the error probability of the attack should be less than 1, erfc( ) should be less than the

inverse of the number of secret bits ℓ. Using the approximation ( x) φ(x)/x when x is

large (so (

x) is small), we can set = p

ln ℓ

for which we obtain

p

φ( p

e 2

2)

1

erfc( ) = 2 (

2) 2

p

=

p

<

:

ℓ

2

us, from the expression of n given above, we distinguish three cases:

. t 2m (1

): as we have w = wopt for which u = 0, the attack has an asymptotic

complexity of (ℓ ln ℓ).

(

): the complexity is

.

= 2

(1

c2

for

t

ln

m (1 )

m

) c m (1 )

c =

multiplied by a

e

factor.

us, Algorithm still runs in polynomial time.

√

√

Application to parameter vector II. As these parameters are in the case t 2m (1

),

we can use Algorithm in its optimum complexity to attack R -HB and HB . A

er

case we would have to reduce the Hamming weight of which is infeasible in polynomial time

due to the hardness of the LPN problem.

However, if t is a only a little less than 2m (1

) then the expected value of w is not

far from wopt. So, we can use Algorithm without

ipping any bit of z and the complexity

is still polynomial. To further speed up the attack, we can remove errors from z in step of

Algorithm as they are recovered until we reach w = wopt which we can expect to happen at

iteration i =

w

.

w0 opt

w0

Application to Parameter Set I.

Although the asymptotic complexity of the attack is expo-

nential in ℓ when t < 2m (1

), we can nevertheless apply the attack on parameter set I

proposed for HB and R -HB . We

rst compute w0 = m = 291, wopt = 228,

P ′(wopt) = 0:0135, R(w0) = 15 532 and Ropt = 2742:6.

For R -HB , the number of key bits is ℓ = (kx + ky)m = 689 088 and =

3:308

is

enough to guarantee that erfc( )

1

. Hence, we obtain a total complexi-

689 088

w

w

opt

w

opt

ty of ℓ

2

(

0

R(w0) +

Ropt) = 2

35:4

. For HB , we have ℓ = kx + ky + 2m

w0

w0

2 = 2 918 secret bits to retrieve, so 2 = 2:401 is enough and we get a total complexity of

2

w0 wopt

wopt

26:6

.

ℓ

(

R(w0) +

Ropt) = 2

w0

w0

Input:

a; b; z, w = wt(aX

bY z), a set J f0; 1; mg and wJ the number of

non-zero (aX

bY z)j, j 2 J

Output: I J containing the j with non-zero (aX

bY z)j, j 2 J.

Processing:

:

if wJ = 0 then

:

I

:

else if wJ = jJj then

:

I

J

:

else

:

Choose J1 J such that jJ1j = jJj/2 .

:

Set ′ the m-vector with j′

= 1 i j 2 J1

:

Call Algorithm on input (a; b; z ′; n = 4 2R(w)) to get w′.

I

:

Call Algorithm with

(a; b; z; w; J

; w

= (w +

j

J

1j

w′)/2)

to get

1

J1

1

:

Call Algorithm with

(a; b; z; w; J n J1; wJ

wJ1 ) to get I2

:

I

I1 [ I2

:

end if

C(K)/K

1

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2

0.1

0

8

16

24

32

40

48

56

64

72

80

K

;w

2

(

k/2

)(

k/2

)

minfw; k/2g

k

(Ci( k/2 ) + Cw i( k/2 )) ;

Cw(k) = 1 +

i

w i

i=maxf∑0

/

g

(

w

)

k

Table 4.2: Complexity of measuring a -bit window applied to the parameter set I and II of HB .

Parameter Set I

Parameter Set II

k

16 C(k)

Cost measurement

16 C(k)

Cost measurement

k

k

215:95

.

212:43

.

215:96

.

212:49

.

215:99

.

212:75

.

216:11

.

213:90

needed by Algorithm to recover the erroneous positions in a k-bit window s:

∑

k

k

C(k) = 1 + w=0 (w) Pr[wt(s) = w] Cw(k)

∑

k

k

= 1 + w=0 (w) w(1 )k wCw(k)

Splitting the Error Vector. Algorithm takes bene t from Algorithm and uses it to op-

timize the number of measurements needed to localize the introduced errors and output m

linear equations. Algorithm splits the error vector introduced in a triplet (a; b; z) to m/k

k-bit windows, and each one of these is recovered using Algorithm . Moreover, in order to

minimize the cost of measurement, i.e, the complexity of Algorithm , the weight of the er-

ror vector introduced in the target triplet is manipulated to tend towards the optimal value

t

m

at is, once the algorithm learns k positions, if the expected weight of the

wopt = 1 2 .

error vector, w0 is smaller than wopt, then it ips at most wopt

w0 bits of z that are at correct

positions. In the opposite case, i.e., when w0 is greater than wopt, the algorithm ips at most

w0 wopt bits of z that are at erroneous positions.

e number of calls to Algorithm we need before reaching the optimal case w = wopt, is

then

wopt

w0

when

wopt w0;

i =

m

k(m

w0)

i =

w0

wopt

m

when

wopt w0:

k w0

Hence, the full complexity of Algorithm is

N = 2

(iR(w0) +

m

i Ropt) C(k):

k

= aX

Input: a; b; z and w0 the expected value of

bY z, k

Output: A linear equation aX

bY = c

Processing:

:

Initialize m-bit vector c

z

:

Initialize M

2

R(w0)) to get w

:

Call Algorithm on input

(a; b; z; n = 4

:

De ne a set S of Ji = fik + 1; : : : ; min((i + 1)k; m)g; i = 1 : : : mk

:

repeat

:

Choose J 2 S

:

Call Algorithm on input (a; b; z J; n = 2R(w)) to get w′ = wt( ^ J)

:

Call Algorithm with (a; b; z; w; J; wJ = (w + jJj w′)/2) to get I

:

Set ci

ci 1 for all i 2 I

:

M

M [ I

:

Remove J from S

:

if w > wopt then

:

Flip min(jIj; w wopt) bits zi for which i 2 I

:

w

w min(jIj; w

wopt)

:

else if w < wopt then

w) bits zi for which i 2 J n I

:

Flip min(jJ n Ij; wopt

:

w

w + min(jJ n Ij; wopt w)

:

end if

:

until S ̸=

. . Final Algorithm

e

nal attack is described in Algorithm .

e idea is to get a vector with low expected

weight using Algorithm and then

nd all the erroneous positions inserted by the tag to

obtain m linear equations and iterate this until we get enough equations to solve and nd

the secrets X and Y . To get the lower complexity, we can ip the last bits of z so that we

end up with an expected weight of wopt. We note that introducing errors in a full segment as

de ned by Step of Algorithm does not increase the needed number of measurements as

Cw(k) = Ck w(k).

Algorithm Final attack on R -HB and HB

Input: k, w

Output: X, Y the secrets of the tag

Processing:

:

Initialize S

ℓ

:

for i = 1 : : : 2 +

do

m

:

Call algorithm on input w to get a; b; z with an error vector of expected weight w0 =

(m w) w + w(1 w)

:

if wopt > w0 then

:

Flip the last (wopt

m )/(1

2 ) bits of z

:

Set w0

wopt

:

end if

:

Call Algorithm on input (a; b; z; w0; k) to get m linear equations

:

Insert linear equations in S

:

end for

:

Solve S

e full complexity in terms of intercepted authentications as

ℓ

2

(iR(w0) +

m

i Ropt) C(k) + (2 +

ℓ 1

)

:

m

k

m

P (w)

4.4 Thwarting the Attack: the Case of Small t

e case of lower t, the false acceptance rate will be very low but the false rejection rate of HB

becomes high (e.g. . for t = m ) so that it would require more than one authentication in

average for the tag to authenticate itself. e main advantage of this approach is that the com-

plexity of Algorithm becomes exponential. Here, we present a better strategy than calling

Algorithm with an triplet (a; b; z) obtained by a simple passive attack.

Our goal is to call Algorithm with a w0 as low as possible. During the protocol, we can set

^

(^a; b; z^) to (a; b; z ) with of weight w until the veri er accepts z^. en, we launch our

attack with (a; b; z) = (a; b; z). A detailed description is showed in Algorithm .

Algorithm Getting (a; b; z) with low Hamming weight

Input: w

Output: (a; b; z) such that (aX bY z) has low weight.

Processing:

: Pick random vector of Hamming weight w

:

repeat

:

During a protocol with messages (a; b; z), set z^ = z

:

until veri er accepts

e probability that the veri

er accepts the session with transcript (a; b; z^) is P (w). is

latter can be reformulated as

t

m

w

t

j

w

∑

((

) j(1 )m w j

∑

P (w) = j=0

j

i=0 ( i ) w i(1 )i)

When the veri er accepts, the m

w positions not in the support of are erroneous with

probability

∑

(

)

∑

(

)

t

(

) (

t

j

w

w =

j=0

(j mj w j

(1 )m w j

i=0 i

w i(1 )i)

:

m w P w)

∑

t

( )

wP (w)∑

t j

(

w

)

w =

j=0

( mj w

j(1 )m w j

i=0 i

i

w i(1 )i)

: