|
|
|
|
|
|
|
|
|
|
||
|
Table 4.4: Summary of the complexity of our attacks. |
|
|
|
|
||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
Parameter Set |
kX |
kY |
m |
|
t |
R-HB |
HB |
|
||
|
I |
|
|
|
. |
|
234 |
225 |
|
|
|
|
II |
|
|
|
. |
|
228 |
220 |
|
|
|
|
III(w bounded) |
|
|
|
. |
|
226 |
219 |
|
|
|
Combining the last three equations yield a bound on the size of the parameters that |
|
||||||||||
induce a secure HB |
with practical false acceptance and rejection rates. Unfortunately, |
|
|||||||||
satisfying parameters are too large. |
at is, no m smaller than 15 000, for both values |
|
|||||||||
of , satis es the equations. |
|
|
|
|
|
|
|
|
|||
4.7Perspectives
As it is depicted in Table . , the attack we presented in this chapter is devastating for all the proposed parameter sets of HB . On the other side, we could not propose an easy x against it.
Recently, new proposals for protocols whose security reduces to the LPN problem has been published in a paper by Kiltz et al. [KPC+ ]. eir work essentially consists of two contributions. e rst one is about illustrating a two-round authentication protocol secure against active adversaries. Yet, the protocol can be shown to be insecure in the MIM model. While the proposed protocol has the advantage over HB+ of having fewer messages to exchange and a tighter reduction gap, it requires the prover, i.e., the RFID tag, to perform additional computations by checking the Hamming weight of the challenge. Still, the authors note that it is possible to eliminate this step at the cost of adding to the secret key two n-bit vectors.
e second contribution of the paper is to design a MAC whose existential unforgeability reduces to the LPN problem and use that MAC in a secure challenge-response protocol.
.
5
CHALLENGING S UASH’S SECURITY ARGUMENTS
C
. |
S UASH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
||
|
. . |
Description . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
|
|
. . |
Implementation Trick and Shamir’s Challenge . . . . . . . . |
|
|
. |
S UASHand S |
UASH- . . . . . . . . . . . . . . . . . . . |
|
|
. |
KnownMessageAttackonS UASHwithoutWindowTrun- |
|
||
|
cation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
||
. |
ChosenMessageAttackonS UASHwithoutWindowTrun- |
|
||
|
cation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
||
|
. . |
e Non-Mersenne Case . . . . . . . . . . . . . . . . . . . |
|
|
|
. . |
e Mersenne Case . . . . . . . . . . . . . . . . . . . . . . |
|
|
|
. . |
Numerical Application . . . . . . . . . . . . . . . . . . . . |
|
|
. |
Handling Window Truncation . . . . . . . . . . . . . . . . . . |
|
||
|
. . Handling the Truncation of the Combinaison of Many Integers |
|
||
|
. . |
Adapting the Attack on SQUASH- . . . . . . . . . . . . . |
|
|
|
. . |
Generalization . . . . . . . . . . . . . . . . . . . . . . . . |
|
|
. |
Extending to Non-linear Mappings . . . . . . . . . . . . . . . |
|
||
. |
Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
|
||
|
|
|
|
|