|
|
|
|
|
|
|
|
|
|
Table 4.3: Attack cost for the initial bit of the shared key for HB applied to t = m |
|
||||||||
|
|
Parameter set Algorithm Algorithms + |
|
|
|||||
|
|
|
|
|
|
|
|
|
|
|
|
I |
278 |
258:5 |
|
|
|
||
|
|
II |
230 |
221 |
|
|
|
||
Application to Parameter Set II with t |
= 55 |
Assume that for the parameter set II we set |
|
||||||
t = m 55. |
en, an accepted vector obtained by a passive attack will most likely have |
|
|||||||
weight |
|
|
|
|
|
|
|
|
|
w0 = (m w) 0 + w(1 0) |
|
|
|
|
|
|
|||
50 |
|
|
|
|
|
|
|
|
|
so 4 2R(w0) = 230 operations are su cient to determine its correct weight. |
|
||||||||
Calling Algorithm with w = 41, we get a triplet (a; b; z) with error vector of Hamming |
|
||||||||
|
|
|
|
1 |
|
|
|
|
|
weight w0 = (m |
w) 41 + w(1 41 |
) 33 in |
|
= 220 authentications and can recover |
|
||||
P (w) |
|
||||||||
the weight of in another 4 2R(33) = 220 operations with Algorithm .
Table . shows the costs to determine the rst bit of the secret key, i.e., calling Algorithm with a random vector obtained by a passive attack in comparison to calling Algorithm rst and then Algorithm with its output. Note, that recovering successive bits is always cheaper.
4.5Thwarting the Attack: the Case of Vectors without False Rejections
To thwart the previous attacks without taking parameter sets with huge m or high false rejection rate, we could change the protocol so that the prover generates a vector of constant or bounded Hamming weight. In this section we will show that this leads to di erent attacks.
Assume that the prover accepts a protocol instance (a; b; z), in which an error vector was
introduced by the prover, if and only if wt(aX |
|
bY |
|
Z) = t, then, as |
m |
i = t mod 2, |
|
we can write |
|
|
|
i=1 |
|
||
i |
|
|
|
|
|
|
|
m |
m |
|
|
|
|
|
|
(aX bY )i = |
(zi i) |
|
|
|
|
|
|
=1 |
i=1 |
|
|
|
|
|
|
m
=zi (t mod 2)
i=1
Using this equality, the adversary can ip two bits of z, i.e., she generates a random vector of Hamming weight . In other words, contains exactly two bits set to one, at position i and j, while all the other bits are set to . When the veri er accepts, the adversary deduces exactly
. :
|
|
|
|
||||||||||
|
one of the two bits of z that were ipped is at an erroneous position, i.e, that i j = 1. In |
||||||||||||
|
the othercase, eitherthe twobit positionsare botherroneous orboth correct, i.e., i j |
= 0. |
|||||||||||
|
Hence, through that manipulation, the adversary obtains |
|
|||||||||||
|
|
|
|
|
|
|
|
|
|
1 |
if authentication succeeded |
|
|
|
(aX bY ) = z { 0 |
if authentication failed |
|
||||||||||
|
e probability that the veri |
er accepts z^ is equal to the probability that exactly one erro- |
|||||||||||
|
neous position was |
|
|
|
|
|
|
||||||
|
ipped by the e ect of (nu), which is |
|
|||||||||||
|
|
|
m w |
w |
|
|
|
2w(m |
w) |
|
|
|
|
|
|
|
1 |
|
1 |
= |
|
: |
|
|
|||
|
( |
|
m |
|
|
m(m |
1) |
|
|
||||
|
|
|
) |
|
|
|
|
|
|||||
|
|
|
( |
) |
|
|
|
|
|
|
|
|
|
|
Generalization |
|
|
|
e above approach may be generalized to the case where the Hamming |
||||||||
|
weight of is bounded in the original protocol, i.e. when the veri er accepts if wt( ) |
t |
|||||||||||
and the prover does not generate error vectors with Hamming weight greater than t. is was suggested by Gilbert et al. for parameter set III.
Again, the attacker can replace the message z by z^ = z where is an m-bit vector of Hamming weight 2. In such scenario, authentication fails only when wt( ) 2 ft 1; tg and the attacker ipped two non-erroneous positions. When this event occurs, the attacker learns two error positions corresponding to the bits set to in , i.e.,
(aX bY )i = zi; i ≠ 0:
e success probability of this attack is related to the probability of getting a triplet with an error vector of Hamming weight equal to t 1 or t, and that the adversary picks a that has the e ect of ipping two correct positions. It can be computed as
|
t |
m |
t i |
|
|
m t+i (m 2t+i) |
|
|||
q = |
∑i=0 |
(t ti) |
m(1i |
) |
|
|
|
|
|
|
|
|
(m2 ) |
|
|||||||
|
) |
m i |
|
|
||||||
|
|
∑i=0 |
( i |
) (1 |
|
|
|
|
||
Application to parameter vector III For the parameter vector III, the attacker learns two bits about the secret key every 1/q = 29:02 512 iterations. is is 16 times faster than an attack by Algorithm and needs only ℓ 2/q = 226 to recover a R -HB secret key (219 for HB ).
4.6Secure Parameters for Random-HB and HB
In this section, we investigate the lower bounds on the parameter sets for which our attack is not e ective. Before that, we need to clarify the notion of bit security in HB .
. ( ) - - -
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
De nition . (s-bit Secure Parameter Set for HB ) |
|
|
|
|
|
|
|||||||||||
For HB , a parameter set (kx; ky; m; ; t) is said to achieve s-bit security if reco ering one bit of |
|
||||||||||||||||
information about the secret matrices Xx and Yy or making the veri |
er accept a session without |
|
|||||||||||||||
matching con ersation requires an attack with complexity (in terms of protocol sessions) within |
|
||||||||||||||||
an order of magnitude of at least 2s and comparable time complexity. |
|
||||||||||||||||
Let us assume that Algorithm succeeds with a total error weight of t when the added error |
|
||||||||||||||||
vector has weight w0. We can thus expect that |
|
|
|
|
|
|
|
||||||||||
|
|
|
w |
|
w |
|
|
|
t |
w |
|
||||||
t (m w) |
0 |
+ w (1 |
|
0 |
) |
=) |
w0 |
m |
|
; |
|
||||||
m |
m |
m 2w |
|
||||||||||||||
since t < m/2 and w0 is a decreasing function in terms of w. |
|
|
|
|
|||||||||||||
By using Algorithm with input w we can get (a; b; z) such that = aX bY z has |
|
||||||||||||||||
expected weight w0 in complexity 1/P (w). Based on this triplet we can run Algorithm twice, |
|
||||||||||||||||
once with r = 1/2 and then with r = 1, with complexity 3 2R(w0) and recover one bit |
|
||||||||||||||||
of information about the matrices with error probability bounded by 3 erfc( ). For = 1, |
|
||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2 |
|
|
|
this probability is less than 1/4. Following our algorithms, the time complexity is “reasonably |
|
||||||||||||||||
comparable” (and even negligible) to the complexity in terms of protocol sessions. So we |
|
||||||||||||||||
conclude by saying that parameters m; ; t leading to the existence of w such that |
|
||||||||||||||||
{ |
C1 = |
1 |
+ 3R(w0) |
|
2s |
|
|
|
|
|
|
|
|
||||
|
|
|
|
|
|
|
|
|
|||||||||
w0 = m t w |
|
|
|
|
|
|
|
|
|
|
|||||||
|
|
P (w) |
|
|
|
|
|
|
|
|
|
|
|
|
|||
m 2w
are insecure.
Computing the maximal w for which P (1w) is high, we have P (w) (u) so we expect to have a very small negative u and we can use the approximation P (w) φ(u)/u. Applying this reasoning to a very low P (w0), we obtain
R(w0) 4RoptP (w0)eu20
4Ropt φ(u0)eu20 ; u0
and we derive the complexity
p |
|
|
u22 |
4Ropt |
2 |
|
||
|
|
|
u0 |
|
||||
|
|
|||||||
|
|
|
2 |
|
||||
|
|
u0p |
|
|
||||
C1 u 2 e |
|
2 |
e |
: |
||||
e exponential terms only match when u = u0, leading to w = w0 which translates into
w = |
t |
|
|
m |
|
t |
|
=) u0 = u |
t(21 + ) m |
||
2 |
m w |
2 |
√ |
|
|
||||||
m (1 ) |
|||||||||||
. -
|
|
||||||||||||
|
|
|
|
u |
2 |
|
u2 |
|
|||||
|
|
|
|
|
|
|
0 |
|
|
|
|
|
|
|
|
As the equality e 2 |
= e |
|
|
= 2s only holds when u2 = 2s ln 2, we can replace the value of u |
|||||||
|
|
|
2 |
||||||||||
|
|
from the previous expression to obtain |
|
||||||||||
|
|
|
2s ln 2 = |
(2m t(1 + 2 ))2 |
|
( . ) |
|||||||
|
|
|
|
|
|
|
|||||||
|
|
|
|
|
m(1 |
(1 2 )2) |
|
|
|
||||
|
|
us, any parameter set involving (m; t; ) that satis es this equation is insecure. |
|||||||||||
|
|
In the following, we use this equation to derive bounds on secure parameters for HB , de- |
|||||||||||
|
|
pending on the case: |
|
|
|
|
|
|
|||||
|
|
eworstcasecomplexityinourattackisobtainedwithminimal t, namelyfor t = m . |
|||||||||||
|
|
|
Note that with such a threshold, the honest prover gets rejected with probability 1/2. |
||||||||||
|
|
|
In this case, Equation . simpli |
es to |
|||||||||
|
|
|
|
|
|
2 ln 2 |
( |
|
|
|
) |
||
|
|
|
m = |
|
2 |
|
(1 2 )2 |
|
|
1 s |
|||
Hence, any (m; ) satisfying this equation is insecure. Using this result, we can derive bounds for secure parameters for HB
–For = 1/8 and s = 80 we obtain m = 5 521 and t = 690. We conclude that any parameter with = 1/8, m 5 521, and t = m is insecure in the sense that there exists an attack with complexity within the order of magnitude of 280.
– Similarly, with = 1/4 and s = 80 we nd that m = 5 323 and so t = 1 331. Hence, when = 1/4 any parameter set with m 5 323 is insecure.
General applications require the false rejection rate to be very low, i.e., in the order of 2 s/2. is constraint induces a new equation for the parameters
∑ |
|
m |
m |
i=t+1 ( i ) i(1 )m i 2s/2: |
|
Note that we can rewrite Equation ( . ) as |
|
|||
t = 1 + 2 (2m (1 2 )p2ms ln 2) |
: |
|||
1 |
|
|
|
|
On their own, these two equations are not su cient. Indeed, to satisfy both of tem, we could set a threshold t small enough such that false rejects are negligible and su ciently far from the expected value m such that the attack does not apply. However, we have also to take care of the most rudimental attack an adversary can perform: sending random vectors z. For this reason, we require the false acceptance rate, PFA to be smaller than 2 s, i.e.,
∑t (mi ) 2m s
i=0
. ( ) - - -