- •Abstract
- •Resumé
- •Contents
- •Remerciements
- •Personal Bibliography
- •Introduction
- •The Need for Dedicated Cryptographic Primitives for RFID Tags
- •Privacy Issues in RFID Systems
- •Our Privacy Model
- •Preliminaries
- •Notations
- •Probabilities and Negligible Functions
- •Classical Cryptography
- •Message Authentication Codes
- •Cryptographic Hash Functions
- •Universal Hash Functions
- •Pseudo-Random Functions
- •The Random Oracle Model
- •Proof Techniques
- •Hard Problems
- •The LPN Problem and the HB Family
- •The LPN Problem
- •Extensions of the LPN Problem
- •Security Models for the HB Family
- •The HB Protocol
- •The GRS Attack
- •Attempts to Thwart the GRS Attack
- •Description
- •Proposed Parameter Sets
- •Asymptotic Complexity Analysis
- •Optimizing the Attack
- •Thwarting the Attack: the Case of Vectors without False Rejections
- •Perspectives
- •SQUASH
- •Description
- •Handling Window Truncation
- •Handling the Truncation of the Combinaison of Many Integers
- •Generalization
- •Conclusion
- •Privacy Failures in RFID Protocols
- •ProbIP and the SAT Problem
- •Violation of Anonymous Privacy
- •Future Development
- •MARP
- •Description
- •Auth2
- •Description
- •YA-TRAP+
- •O-TRAP
- •A Backward and Forward Untraceable Protocol
- •Tracing O-FRAP
- •Violating the Forward Privacy of O-FRAP
- •Conclusion
- •Privacy Models for RFID
- •The ADO Model
- •Description
- •RFID System
- •Correctness
- •Privacy
- •From Narrow Privacy to Privacy
- •Narrow-Strong and Forward Privacy Using Public-Key Encryption
- •Achieving Strong Privacy
- •Our Proposal: Incorporate the Blinder into the Adversary
- •Sampling Algorithms and the ISH Hypothesis
- •Plaintext-Awareness
- •Instances of Plaintext-Aware Encryption Schemes
- •From PA+ to PA++ Plaintext-Awareness
- •Privacy
- •Security Proof
- •Correctness
- •Security
- •The Case of Mutual Authentication
- •RFID System with Mutual Authentication
- •Correctness
- •Privacy
- •Correctness and Security for the Reader
- •Security for the Tags
- •Strong Privacy with Mutual Authentication
- •Strong Privacy
- •Conclusion
- •The Security of RFID Primitives
- •Our Contributions
- •Further Work
- •Our Contributions
- •Further Work
- •Final Notes
- •List of Figures
- •List of Tables
- •List of Definitions
- •Bibliography
- •Curriculum Vitæ
|
|
from linear algebra such as Gauss and Gauss-Jordan elimination, LU decomposition, or the square root method which all run in time complexity (ℓ3). To speed up this phase, other modern methods, asymptotically faster, can be used such as Strassen’s formula for matrix multiplication and inversion [Str ], that runs in time complexity (ℓlog2 7) (ℓ2:8) or the more complex Coppersmith-Winograd algorithm [CW ] which achieve the record complexity of (ℓ2:376). However, we note that this last method is only asymptotically faster as it is outperformed by Strassen’s formula for our values of interest of ℓ.
. . Asymptotic Complexity Analysis
e complexity of the attack is related to the complexity of Algorithm (with a factor of ℓC/m), which, in its turn, is related to the complexity of Algorithm (with a factor of m+1). us, the main component of the attack a ecting the overall complexity is the input n of
Algorithm .
Recalling that P (w) 2 [0; 1], we have
2 2 |
|
|
P (w)(1 |
P (w)) |
|
|
|
|
|
|
|
|
|
|
|
||||||||||
n = |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
r2 |
|
|
|
|
(P ′(w))2 |
|
|
|
|
|
|
|
|
|
|
|
|||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
|
P (w)) ( |
|
|
|
m (1 |
|
|
|
u2 |
) |
|||||
= |
2 |
P (w)(1 |
√2 1 |
|
|
) |
e 2 |
||||||||||||||||||
r2 |
2 |
|
|||||||||||||||||||||||
2 ( 2eu2 ) ; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||||||
and the minimal value of n is reached when u = 0 which happens when |
|||||||||||||||||||||||||
w0 = wopt |
= |
|
t |
m |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||
1 |
2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||
and we obtain |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
P (wopt) = |
|
1 |
; |
|
|
|
P ′(wopt) = |
|
1 |
2 |
|
|
; |
|
|||||||||||
2 |
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
√2 m (1 ) |
|
||||||||||
|
|
|
|
m |
|
|
|
|
|
|
|
|
|||||||||||||
R(wopt) = |
|
|
|
( |
|
|
|
|
|
1) = Ropt: |
|
|
|
|
|
||||||||||
4 |
|
(1 |
|
2 )2 |
|
|
|
|
|
|
|
In order to obtain the minimal complexity, we have to start from a valid triplet
(a; b; z) obtained from a passive attack (or just by impersonating the veri er to the prover) for which w = wopt. As it is unlikely that the expected value of w0 is equal to wopt, we would like to manipulate errors in z to reach an expected value of wopt. Unfortunately, due to the hardness of the LPN problem, we cannot remo e errors from z if w > wopt. However, if w wopt then we can inject errors in z so that the resulting vector has an expected weight of wopt. When
the triplet is known to be valid, in the sense that a session with that transcript was
(a; b; z)
. -
|
|
||||
|
accepted by the veri er, and the false rejection rate of the protocol is negligible, we can use |
||||
|
the approximation w0 m . In such a case, we can derive |
||||
|
|
t m |
|||
|
m |
|
=) t 2m (1 ); |
||
|
1 2 |
||||
|
As the error probability of the attack should be less than 1, erfc( ) should be less than the |
||||
|
inverse of the number of secret bits ℓ. Using the approximation ( x) φ(x)/x when x is |
||||
|
large (so ( |
x) is small), we can set = p |
ln ℓ |
for which we obtain |
|
|
|
|
|
p |
|
|
|
φ( p |
|
|
|
|
e 2 |
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
2) |
|
1 |
|
|
|
|||||||||||
|
|
|
|
|
|
|
|
|
||||||||||||||||
|
erfc( ) = 2 ( |
|
|
2) 2 |
p |
|
|
= |
p |
|
< |
|
|
: |
|
|
|
|||||||
|
|
ℓ |
|
|
||||||||||||||||||||
|
|
2 |
|
|
|
|||||||||||||||||||
us, from the expression of n given above, we distinguish three cases: |
|
|||||||||||||||||||||||
. t 2m (1 |
): as we have w = wopt for which u = 0, the attack has an asymptotic |
|||||||||||||||||||||||
|
complexity of (ℓ ln ℓ). |
|
|
|
|
|
|
( |
|
|
|
|
|
): the complexity is |
||||||||||
. |
|
= 2 |
(1 |
c2 |
|
|
|
|
|
|
|
|
|
for |
|
|
|
|
|
|||||
t |
|
|
|
|
|
|
|
|
|
|
|
ln |
m (1 ) |
|||||||||||
|
m |
|
) c m (1 ) |
|
c = |
|
|
|
|
|
||||||||||||||
|
multiplied by a |
e |
|
factor. |
us, Algorithm still runs in polynomial time. |
|||||||||||||||||||
|
|
|
|
|
√ |
|
|
|
|
|
|
|
|
|
√ |
|
|
. In the other cases, the complexity varies from sub-exponential to exponential but is clearly not polynomial anymore.
Strategy for the case t 2m (1 ). From the hypothesis t 2m (1 ), we have that wopt w = m . us, the best strategy is to optimize the complexity of Algorithm by
having a triplet with an error vector of expected Hamming weight .
(a; b; z) wopt
Our strategy is to use a triplet obtained from a passive attack, and introduce some
(a; b; z)
errorsinit. atis, we ipany (wopt m )/(1 2 ) bitsof z toget ofexpectedHamming weight wopt. A er that, we can use the attack described previously with optimal complexity.
Application to parameter vector II. As these parameters are in the case t 2m (1 |
), |
we can use Algorithm in its optimum complexity to attack R -HB and HB . A |
er |
computing wopt = 77:167, P ′(wopt) = 0:0431, Ropt = 269:39 and the expected value of w = m = 55, we have to ip f = 29 bits to get an expected value close to wopt.
For R -HB the number of bits to retrieve is ℓ = (kx + ky)m = 261 072 for which we can use = 3:164. e total complexity is ℓ 2Ropt = 229:4. In the case of HB the number of secret bits is ℓ = kx + ky + 2m 2 = 1 472 for which we use = 2:265 and end up with complexity of ℓ 2Ropt = 221.
Strategy for t close to 2m (1 ). e case t < 2m (1 ) is trickier to address since the expectedvalueof w becomes greater than wopt. Toachievethesamecomplexityastheprevious
. ( ) - - -
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
case we would have to reduce the Hamming weight of which is infeasible in polynomial time |
|
||||||||||||||||||||||||
due to the hardness of the LPN problem. |
|
|
|
|
|
|
|
||||||||||||||||||
However, if t is a only a little less than 2m (1 |
) then the expected value of w is not |
|
|||||||||||||||||||||||
far from wopt. So, we can use Algorithm without |
ipping any bit of z and the complexity |
|
|||||||||||||||||||||||
is still polynomial. To further speed up the attack, we can remove errors from z in step of |
|
||||||||||||||||||||||||
Algorithm as they are recovered until we reach w = wopt which we can expect to happen at |
|
||||||||||||||||||||||||
iteration i = |
|
w |
|
. |
|
|
|
|
|
|
|
|
|
|
|||||||||||
w0 opt |
|
|
|
|
|
|
|
|
|
|
|
||||||||||||||
w0 |
|
|
|
|
|
|
|
|
|
|
|||||||||||||||
Application to Parameter Set I. |
Although the asymptotic complexity of the attack is expo- |
|
|||||||||||||||||||||||
nential in ℓ when t < 2m (1 |
), we can nevertheless apply the attack on parameter set I |
|
|||||||||||||||||||||||
proposed for HB and R -HB . We |
rst compute w0 = m = 291, wopt = 228, |
|
|||||||||||||||||||||||
P ′(wopt) = 0:0135, R(w0) = 15 532 and Ropt = 2742:6. |
|
||||||||||||||||||||||||
For R -HB , the number of key bits is ℓ = (kx + ky)m = 689 088 and = |
|
||||||||||||||||||||||||
3:308 |
is |
enough to guarantee that erfc( ) |
|
|
1 |
|
. Hence, we obtain a total complexi- |
|
|||||||||||||||||
689 088 |
|
||||||||||||||||||||||||
|
|
|
|
|
w |
w |
opt |
|
|
|
|
w |
opt |
|
|
|
|
|
|||||||
ty of ℓ |
2 |
( |
|
0 |
|
R(w0) + |
|
Ropt) = 2 |
35:4 |
. For HB , we have ℓ = kx + ky + 2m |
|
||||||||||||||
|
|
|
w0 |
|
w0 |
|
|
||||||||||||||||||
2 = 2 918 secret bits to retrieve, so 2 = 2:401 is enough and we get a total complexity of |
|
||||||||||||||||||||||||
|
2 |
|
w0 wopt |
|
|
|
|
|
wopt |
|
26:6 |
. |
|
|
|
|
|
|
|
||||||
ℓ |
|
( |
|
|
|
R(w0) + |
|
|
Ropt) = 2 |
|
|
|
|
|
|
|
|||||||||
|
|
w0 |
|
w0 |
|
|
|
|
|
|
|
. . Optimizing the Attack
Algorithm Finding errors in jJj-bit windows
Input: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
a; b; z, w = wt(aX |
bY z), a set J f0; 1; mg and wJ the number of |
|||||||||||||||
|
non-zero (aX |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
bY z)j, j 2 J |
|
|
|
|
|
|
|
|
|
|
|
||||
Output: I J containing the j with non-zero (aX |
bY z)j, j 2 J. |
|
|
|||||||||||||
Processing: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
: |
if wJ = 0 then |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
: |
I |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
: |
else if wJ = jJj then |
|
|
|
|
|
|
|
|
|
|
|
|
|
||
: |
I |
J |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
: |
else |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
: |
Choose J1 J such that jJ1j = jJj/2 . |
|
|
|
|
|
|
|
|
|
||||||
: |
Set ′ the m-vector with j′ |
= 1 i j 2 J1 |
|
|
|
|
|
|
|
|
|
|||||
: |
Call Algorithm on input (a; b; z ′; n = 4 2R(w)) to get w′. |
|
I |
|
||||||||||||
: |
Call Algorithm with |
(a; b; z; w; J |
; w |
|
= (w + |
j |
J |
1j |
w′)/2) |
to get |
|
|||||
|
1 |
|
J1 |
|
|
|
|
|
1 |
|||||||
: |
Call Algorithm with |
(a; b; z; w; J n J1; wJ |
wJ1 ) to get I2 |
|
|
|
||||||||||
: |
I |
I1 [ I2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
: |
end if |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
is section is dedicated to optimize the attack we presented earlier in this chapter.
. -
|
|
|
|
|
|
|
|
|
||||
|
C(K)/K |
1 |
|
|
|
|
|
|
|
|
|
|
|
|
0.9 |
|
|
|
|
|
|
|
|
|
|
|
|
0.8 |
|
|
|
|
|
|
|
|
|
|
|
|
0.7 |
|
|
|
|
|
|
|
|
|
|
|
|
0.6 |
|
|
|
|
|
|
|
|
|
|
|
|
0.5 |
|
|
|
|
|
|
|
|
|
|
|
|
0.4 |
|
|
|
|
|
|
|
|
|
|
|
|
0.3 |
|
|
|
|
|
|
|
|
|
|
|
|
0.2 |
|
|
|
|
|
|
|
|
|
|
|
|
0.1 |
|
|
|
|
|
|
|
|
|
|
|
|
0 |
8 |
16 |
24 |
32 |
40 |
48 |
56 |
64 |
72 |
80 |
|
|
|
|
|
|
|
|
|
|
|
|
K |
Figure 4.3: Plot of the function C(k)/k. Note that the function has local minima at values which are powers of 2.
Recallthatourattackconsistsoftwophases. At rst, werecovertheHammingweightofthe errorvectorandthenusethatresulttocomputeallitsbits. issecondstepisimplemented by Algorithm by solving the following problem: given a m-bit vector of Hamming weight w and an oracle measuring whether each bit is 1 or 0 (Algorithm ), what is the minimal number of measurements to fully recover ?
Algorithm solves this problem ine ciently by performing m measurements. Instead, Erdős and Rényi showed in [oR ] that the minimal number of measurements required to fully recover is upper-bounded by (m log2 9)/ log2 m and proposed a method to achieve this complexity. For our case, we propose Algorithm , which is an adaptation of the method of Erdös and Rényi.
To determine the error positions in a k-bit window by measuring the weight, Algorithm uses a divide-and-conquer strategy: it splits the vector into two windows of the same length, recovers the error positions of each of them and then applies this strategy recursively. As it will be shown later, this yields a lower number of measurements comparing to measuring a k-bit window bit by bit as Algorithm does.
e number of invocations of Algorithm , Cw(k), to fully recover a k-bit window with known Hamming weight w by Algorithm is de ned by the recursive relation
;w |
2 |
( |
k/2 |
)( |
k/2 |
) |
|
||||
minfw; k/2g |
|
|
|
k |
|
|
(Ci( k/2 ) + Cw i( k/2 )) ; |
||||
Cw(k) = 1 + |
|
|
|
i |
|
|
|
w i |
|
||
i=maxf∑0 |
/ |
g |
|
( |
w |
) |
|
|
|||
|
k |
|
|
|
|
|
|
|
|
|
|
with initial values
C0(k) = 0; Ck(k) = 0 for all k 2 N
We can also compute, C(k), the average number of invocations of Algorithm that are
. ( ) - - -
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 4.2: Complexity of measuring a -bit window applied to the parameter set I and II of HB . |
|
|||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
Parameter Set I |
|
Parameter Set II |
|
||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|||
|
|
k |
|
|
|
16 C(k) |
Cost measurement |
|
16 C(k) |
Cost measurement |
|
|||||||||
|
|
|
|
|
|
k |
|
|
||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
k |
|
|
|
|
|||
|
|
|
|
|
|
|
|
|
|
|
215:95 |
|
|
. |
212:43 |
|
|
|
||
|
|
|
|
|
|
. |
|
|
|
215:96 |
|
|
. |
212:49 |
|
|
|
|||
|
|
|
|
|
|
. |
|
|
|
215:99 |
|
|
. |
212:75 |
|
|
|
|||
|
|
|
|
|
|
. |
|
|
|
216:11 |
|
|
. |
213:90 |
|
|
|
|||
needed by Algorithm to recover the erroneous positions in a k-bit window s: |
|
|||||||||||||||||||
|
|
|
|
|
|
∑ |
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
k |
k |
|
|
|
|
|
|
|
|
|
|||
C(k) = 1 + w=0 (w) Pr[wt(s) = w] Cw(k) |
|
|
|
|
||||||||||||||||
|
|
|
|
|
|
∑ |
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
k |
k |
|
|
|
|
|
|
|
|
|
|||
|
= 1 + w=0 (w) w(1 )k wCw(k) |
|
|
|
|
|||||||||||||||
Splitting the Error Vector. Algorithm takes bene t from Algorithm and uses it to op- |
|
|||||||||||||||||||
timize the number of measurements needed to localize the introduced errors and output m |
|
|||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
linear equations. Algorithm splits the error vector introduced in a triplet (a; b; z) to m/k |
|
|||||||||||||||||||
k-bit windows, and each one of these is recovered using Algorithm . Moreover, in order to |
|
|||||||||||||||||||
minimize the cost of measurement, i.e, the complexity of Algorithm , the weight of the er- |
|
|||||||||||||||||||
ror vector introduced in the target triplet is manipulated to tend towards the optimal value |
|
|||||||||||||||||||
t |
m |
|
at is, once the algorithm learns k positions, if the expected weight of the |
|
||||||||||||||||
wopt = 1 2 . |
|
|
||||||||||||||||||
error vector, w0 is smaller than wopt, then it ips at most wopt |
w0 bits of z that are at correct |
|
||||||||||||||||||
positions. In the opposite case, i.e., when w0 is greater than wopt, the algorithm ips at most |
|
|||||||||||||||||||
w0 wopt bits of z that are at erroneous positions. |
|
|
|
|
||||||||||||||||
e number of calls to Algorithm we need before reaching the optimal case w = wopt, is |
|
|||||||||||||||||||
then |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
wopt |
|
w0 |
|
|
|
|
|
|
when |
wopt w0; |
|
||||||||
i = |
|
|
|
m |
|
|
|
|
|
|
|
|||||||||
k(m |
w0) |
|
|
|
|
|
|
|
||||||||||||
i = |
w0 |
wopt |
m |
|
|
|
|
|
|
when |
wopt w0: |
|
||||||||
k w0 |
|
|
|
|
|
|
|
|
|
|
||||||||||
Hence, the full complexity of Algorithm is |
|
|
|
|
|
|
|
|||||||||||||
N = 2 |
(iR(w0) + |
m |
i Ropt) C(k): |
|
|
|
|
|||||||||||||
|
|
|
|
|
|
|||||||||||||||
k |
|
|
|
|
. -
|
|
Algorithm Optimizing Algorithm
|
|
|
|
= aX |
|
|
Input: a; b; z and w0 the expected value of |
bY z, k |
|||||
Output: A linear equation aX |
|
|
|
|
||
bY = c |
|
|
|
|||
Processing: |
|
|
|
|
|
|
: |
Initialize m-bit vector c |
z |
|
|
|
|
: |
Initialize M |
|
2 |
R(w0)) to get w |
||
: |
Call Algorithm on input |
(a; b; z; n = 4 |
||||
: |
De ne a set S of Ji = fik + 1; : : : ; min((i + 1)k; m)g; i = 1 : : : mk |
|||||
: |
repeat |
|
|
|
|
|
: |
Choose J 2 S |
|
|
|
|
|
: |
Call Algorithm on input (a; b; z J; n = 2R(w)) to get w′ = wt( ^ J) |
|||||
: |
Call Algorithm with (a; b; z; w; J; wJ = (w + jJj w′)/2) to get I |
|||||
: |
Set ci |
ci 1 for all i 2 I |
|
|
|
|
: |
M |
M [ I |
|
|
|
|
: |
Remove J from S |
|
|
|
|
|
: |
if w > wopt then |
|
|
|
|
|
: |
Flip min(jIj; w wopt) bits zi for which i 2 I |
|||||
: |
w |
w min(jIj; w |
wopt) |
|
|
|
: |
else if w < wopt then |
w) bits zi for which i 2 J n I |
||||
: |
Flip min(jJ n Ij; wopt |
|||||
: |
w |
w + min(jJ n Ij; wopt w) |
|
|
|
|
: |
end if |
|
|
|
|
|
: |
until S ̸= |
|
|
|
|
. ( ) - - -
|
|
|
|
|
|
|
|
|
. . Final Algorithm |
|
|
|
|
|
|
||
e |
nal attack is described in Algorithm . |
e idea is to get a vector with low expected |
|
|||||
weight using Algorithm and then |
nd all the erroneous positions inserted by the tag to |
|
||||||
obtain m linear equations and iterate this until we get enough equations to solve and nd |
|
|||||||
the secrets X and Y . To get the lower complexity, we can ip the last bits of z so that we |
|
|||||||
end up with an expected weight of wopt. We note that introducing errors in a full segment as |
|
|||||||
de ned by Step of Algorithm does not increase the needed number of measurements as |
|
|||||||
Cw(k) = Ck w(k). |
|
|
|
|
|
|
||
|
|
|
||||||
Algorithm Final attack on R -HB and HB |
|
|||||||
Input: k, w |
|
|
|
|
|
|
|
|
Output: X, Y the secrets of the tag |
|
|
|
|||||
Processing: |
|
|
|
|
|
|
|
|
: |
Initialize S |
|
ℓ |
|
|
|
|
|
: |
for i = 1 : : : 2 + |
|
|
do |
|
|
|
|
m |
|
|
|
|||||
: |
Call algorithm on input w to get a; b; z with an error vector of expected weight w0 = |
|
||||||
|
(m w) w + w(1 w) |
|
|
|
||||
: |
if wopt > w0 then |
|
|
|
|
|||
: |
Flip the last (wopt |
m )/(1 |
2 ) bits of z |
|
||||
: |
Set w0 |
wopt |
|
|
|
|
|
|
: |
end if |
|
|
|
|
|
|
|
: |
|
|
|
|
|
|
|
|
Call Algorithm on input (a; b; z; w0; k) to get m linear equations |
|
|||||||
: |
Insert linear equations in S |
|
|
|
||||
: |
end for |
|
|
|
|
|
|
|
: |
Solve S |
|
|
|
|
|
|
|
e full complexity in terms of intercepted authentications as |
|
|||||||||||
|
ℓ |
2 |
(iR(w0) + |
|
m |
i Ropt) C(k) + (2 + |
ℓ 1 |
|
||||
|
|
|
|
|
) |
|
: |
|||||
m |
k |
m |
P (w) |
Application to parameter vector II With with input k = 8 and w = 300 we obtain P (w) = 2 7, w0 = 273 and wopt = 228, i = 24, Ropt = 2742:6, R(w0) = 7 026:4. So the full complexity of the attack is derived from and ℓ as shown in Section . . . is is 225 sessions for HB and 233:8 for R -HB .
Application to parameter vector II In this case, we have k = 8, w = 0 and w0 = 55. We ip
29 bits to obtain an error vector of expected weight wopt = 77, which yields Ropt = 269:39 and i = 0. e complexity is 219:7 sessions for HB and 228:1 for R -HB .
. -
|
|
|
|
|
4.4 Thwarting the Attack: the Case of Small t |
||
|
e case of lower t, the false acceptance rate will be very low but the false rejection rate of HB |
||
|
becomes high (e.g. . for t = m ) so that it would require more than one authentication in |
||
|
average for the tag to authenticate itself. e main advantage of this approach is that the com- |
||
|
plexity of Algorithm becomes exponential. Here, we present a better strategy than calling |
||
|
|
|
|
|
Algorithm with an triplet (a; b; z) obtained by a simple passive attack. |
||
|
Our goal is to call Algorithm with a w0 as low as possible. During the protocol, we can set |
||
|
|
^ |
|
|
(^a; b; z^) to (a; b; z ) with of weight w until the veri er accepts z^. en, we launch our |
||
|
|
|
|
|
attack with (a; b; z) = (a; b; z). A detailed description is showed in Algorithm . |
||
|
|
||
|
Algorithm Getting (a; b; z) with low Hamming weight |
|
|
|
|
|
|
|
Input: w |
||
|
Output: (a; b; z) such that (aX bY z) has low weight. |
||
|
Processing: |
||
|
: Pick random vector of Hamming weight w |
||
|
: |
repeat |
|
|
: |
During a protocol with messages (a; b; z), set z^ = z |
|
|
: |
until veri er accepts |
|
e probability that the veri |
er accepts the session with transcript (a; b; z^) is P (w). is |
||||||||||||||
latter can be reformulated as |
|
|
|
|
|
|
|
|
|
||||||
|
|
t |
|
|
m |
w |
|
|
|
|
t |
j |
|
w |
|
|
|
∑ |
(( |
|
) j(1 )m w j |
∑ |
|
|
|||||||
P (w) = j=0 |
|
j |
i=0 ( i ) w i(1 )i) |
||||||||||||
When the veri er accepts, the m |
w positions not in the support of are erroneous with |
||||||||||||||
probability |
∑ |
|
|
( |
|
) |
|
|
∑ |
|
|
( |
|
) |
|
|
t |
|
|
( |
) ( |
t |
j |
w |
|
||||||
w = |
|
j=0 |
(j mj w j |
(1 )m w j |
|
i=0 i |
w i(1 )i) |
: |
|||||||
|
|
|
|
|
|
|
|
|
|
||||||
|
|
|
|
|
|
|
|
m w P w) |
|
|
|
|
|
|
Ontheotherhand, theotherpositionsof z^inthesupportof arenon-zerowithprobability
|
∑ |
t |
( ) |
wP (w)∑ |
t j |
( |
w |
) |
|
w = |
|
j=0 |
( mj w |
j(1 )m w j |
i=0 i |
|
i |
w i(1 )i) |
: |
|
|
|
|
|
|
|
|
us, because of the high false rejection rate, if the session with transcript (a; b; z^) gets accepted, then we can expect that the error vector , introduced in the original triplet (a; b; z) from the protocol, has weight w0 = (m w) w + w(1 w).
. ( ) - - -