Lightweight Authentication

Lightweight primitives require RFID tags to only compute bit-wise operations such as “⊕”,

“∨” and “∧”, and to store relatively short keying material, which suit perfectly the constrained computational resources of RFID tags. As a result, the design of secure lightweight primitives was the focus of a lot of work on secure and privacy preserving RFID authentication, cf.

(18,29,66,91,130,131,157). However, most of these protocols were shown to be vulnerable to key recovery attacks see, (14,64,108,109,128).

In this section, we first survey the HB⁺ protocol (91) and some of its variants (29, 66).

Then, we describe the F_f protocol (18) which we were able to break using an attack of 2³⁹ steps.

3. RFID SECURITY AND PRIVACY

Among the well-investigated lightweight RFID authentication protocols there are the HB protocols (HB⁺(91), HB⁺⁺(29) , HB^#(66)), whose security and privacy rely on thelearning parity with noise (LPN for short) problem.

Definition 3.8. Let U be a random q×k binary matrix, let xbe a random k-bit vector, let η∈ ]0,1

2[be a constant noise parameter, and letν be a random q-bit vector whose hamming weight hamm(ν)≤ηq.

The learning parity with noise (LPN) problem is defined as:

Given U, η, and z=Ux⊕ν, find ak-bit vector x^′ such that: hamm(Ux^′⊕z)≤ηq.

The LPN problem is known to be NP-complete (13). The best known algorithms to solve the LPN problem have a complexity of 2^{O(log(k)k )}. The first algorithm to reach this complexity was proposed by Blum et al. (20), further optimizations were introduced later by Levieil and Fouque (107), but they only led to slight improvements to the above complexity of solving the LPN problem.

The first protocol in the HB family is HB⁺ (91), see Fig. 3.2. This protocol is a mod-ification of the HB protocol (80) which is a protocol that addresses the problem of secure identification by humans without the assistance of trusted hardware or software. A tagT in the HB⁺ protocol shares a secret keyK_T = (x,y)∈ {0,1}^k× {0,1}^k with readerR. In each round of the protocol execution, tagT generates a randomk-bit vectorb∈ {0,1}^k and sends bto readerR. ReaderR then sends a challenge vectora∈ {0,1}^k to tagT. TagT generates a bit ν according to the Bernoulli distributionBer_η, where η ∈]0,1

2[, and computes a reply z = (a·x)⊕(b·y)⊕ν, where “·” denotes the inner product. Reader R accepts T’s reply, only ifz= (a·x)⊕(b·y), i.e.,ν = 0. Finally, reader R authenticates tag T afterq rounds only if T’s reply was rejected in less than ηq rounds (i.e., ν= 1 in less thanηq rounds).

Assuming the hardness of the LPN problem, the HB⁺ protocol is provably secure against passive adversaries (i.e., “eavesdroppers”). Additionally, Katz et al. (98) proved that HB⁺ remains secure under concurrent executions, meaning that the HB⁺can be parallelized to run in fewer rounds. However, Gilbert et al. (64) showed a man in the middle attack that allows an

44

3.3 RFID Authentication Protocols Tag

K_T = (K, K^′) N₀

Reader

R₀, v₁, v₂, ..., v_q

Figure 3.3: TheFf protocol

active adversaryAto recover the secretK_T = (x,y). To thwart this attack, several protocols based on HB⁺ have been proposed such as: HB⁺⁺ (29) and HB-MP (119). Nonetheless, Gilbert et al. (65) showed again that these variants are not secure against man in the middle attacks. Furthermore, HB protocols are not complete. For 80-bit security, the probability of the reader rejecting a legitimate tag attains 44% as shown in (66). Consequently, Gilbert et al. (66) proposed a new variant called HB^#that aims to have a lower rate of false negatives and to withstand active attacks. The main idea of HB^# is to use kx×p and ky×p-binary matrices X and Y as the tag ’s secrets instead of k-bit binary vectors. The HB^# protocol proceeds similarly to HB⁺, except that the tag is required to send a p-bit message at the end of each round instead of one bit. Now, to optimize storage requirements on tags, Gilbert et al. (66) use Toeplitz matrices that can be entirely defined by the first row and the first column, and it follows that a k×p matrix can be stored in k+p−1 bits rather than in kp bits. However, Ouafi et al. (128) designed a man in the middle attack against HB^# that enables an adversary Ato recover the secret matrices (X,Y).

3.3.1.2 The F_f Protocol

Inspired by the work of Di Pietro and Molva (48), Blass et al. (18) proposedFf, a lightweight protocol for RFID tag authentication whose implementation fits in less than 2000 G.E. The main idea behind F_f is instead of relying on a secure hash function to authenticate tags, F_f uses a lightweight function calledFf whose output size is very small. The small output size of theF_f function results in a large number of collisions (i.e., for different keys,F_f outputs the same value) which is mitigated by executing theF_f protocol in q rounds (typicallyq = 60).

In each round, the F_f function is computed, and its output is used by reader R to filter the secret keys that do not match. In theq^thround, only one secret key is left, and it corresponds to the authenticated tag.

Before detailing the F_f protocol, we describe first the F_f function. The F_f function is built upon a small fan-in function f :{0,1}^l× {0,1}^l→ {0,1}^l, and it is defined as:

F_f :{0,1}^lt× {0,1}^lt→ {0,1}^l, F_f(x, y) = Mt

i=1

f(x^[i], y^[i])

Wherex^[i]respectively y^[i] denote the i^th l-bit block ofx, respectively y.

3. RFID SECURITY AND PRIVACY

Now, we turn to the detailed description of the F_f protocol. Each tag T in the system stores a secret keyKT = (K, K^′) that it shares with readerR. An execution of the protocol is as follows:

• Reader R sends a nonceN₀ ∈ {0,1}^lt to tagT;

• tagT replies with a random number R₀ and the followingq values v_i: v1 = Ff(K, R^a₁¹)⊕Ff(K^′, N1)

v₂ = F_f(K, R^a₂²)⊕F_f(K^′, N₂)

v_q = F_f(K, R^aq^q)⊕F_f(K^′, N_q).

We recall that in theF_f protocol, each tag is equipped with two LFSRs. One LFSR computes q random numberNi from the nonceN0 sent by reader R, and the other generates a random number R₀ and q sets of d random numbers {R¹_i, R²_i, ..., R^d_i}, as shown in the following equations.

N_i = LFSR(N_i−1) 1≤i≤q R¹₁ = LFSR(R₀)

R¹_i = LFSR(R^d_i−1) 2≤i≤q

R^j_i = LFSR(R^j−1_i ) 1≤i≤q, 2≤j≤d

To compute the i^th value v_i sent to the reader, tag T first secretly selects a number a_i ∈ {1,2, ..., d}, then outputs:

vi =Ff(K, R^a_iⁱ)⊕Ff(K^′, Ni)

After receiving the response of tag T, readerR first derives the q random numbersNi, then the q sets of thed random numbers{R¹_i, R²_i, ..., R_i^d}. Next, for each v_i, the reader discards from its database every pair of keys (Kj, K_j^′) that verifies the following:

∀ a∈ {1,2, ..., d}, Ff(Kj, R^a_i)⊕Ff(K_j^′, Ni)6=vi

Contrary to the HB protocols, the F_f protocol is complete, i.e., a valid tag is never rejected. Also, if the function f is balanced, the parameters d, l and q can be chosen in such a way that minimizes the probability of breaking the soundness ofF_f, see (18) for more details.

To implement Ff, Blass et al. (18) proposed a practical set of parameters as depicted in 46

3.3 RFID Authentication Protocols

Table 3.1: Values of Ff’s parameters

lt l t

256 4 64

d q

8 60

Table 3.1, and defined the functionf :{0,1}⁴ × {0,1}⁴ → {0,1}⁴, f(x, y) =z such that:

z₁ = x₄y₁⊕x₁y₂⊕x₂y₃⊕x₃y₄⊕x₁x₂y₁y₂⊕x₂x₃y₂y₃⊕x₃x₄y₃y₄ z₂ = x₁y₁⊕x₂y₂⊕x₃y₃⊕x₄y₄⊕x₁x₃y₁y₃⊕x₂x₄y₂y₄⊕x₁x₄y₁y₄ z₃ = x₃y₁⊕x₄y₂⊕x₁y₃⊕x₂y₄⊕x₁x₂y₁y₄⊕x₂x₃y₂y₄⊕x₃x₄y₁y₃ z₄ = x₂y₁⊕x₃y₂⊕x₄y₃⊕x₁y₄⊕x₁x₃y₃y₄⊕x₂x₄y₂y₃⊕x₁x₄y₁y₂

Where (x₁, x₂, x₃, x₄), (y₁, y₂, y₃, y₄) and (z₁, z₂, z₃, z₄) stand for the binary representation of x, y and z respectively.

However, we showed in (14) two attacks that allow an adversary A to recover the secret key KT = (K, K^′) in 2⁵² and 2³⁹ steps respectively. The first attack relies on the properties of thef function and transforms the problem of extracting K_T into the LPN problem. The second attack exploits the relatively short length (64 bits) of the LFSR’s internal state. In the following, we only describe the second attack as it has better performances, and it does not depend on the properties of the f function.

The starting point of this attack is to find two protocol executions that involve the same tag T and which use the same random seed R₀. As the LFSR used to generate R₀ has an internal state of 64 bits, a tag uses the same seed R₀ after 2³² protocol executions.

First, adversary A picks two nonces N_(0,1) and N_(0,2), and challenges tag T with each of these nonces for 2³² times. Eventually, adversary A will find at least two protocol ex-ecutions involving nonce N_(0,1) and nonce N_(0,2) respectively that use the same seed R₀. Therefore, adversary A is able to collect values v_(i,1) = Ff(K, R^a_i^(i,1))⊕Ff(K^′, N_(i,1)) and v_(i,2) =Ff(K, R_i^a(i,2))⊕Ff(K^′, N_(i,2)) for 1 ≤i≤q. Now, if Ff(K, R_i^a(i,1)) =Ff(K, R_i^a(i,2)), then adversary Aobtains the following equation:

v_(i,1)⊕v_(i,2)=Ff(K^′, N_(i,1))⊕Ff(K^′, N_(i,2))

• Letπj denote the projection from{0,1}^l to {0,1} that sends any element of {0,1}^l to its j^th bits, i.e., for all x= (x₁, x₂, ..., xl) ∈ {0,1}^l πj(x) =xj.

• LetE_(i,j) denote the event that πj(v_(i,1)⊕v_(i,2)) =πj(Ff(K^′, N_(i,1))⊕Ff(K^′, N_(i,2))).

Event E_(i,j) occurs either when a_(i,1) =a_(i,2) or when a_(i,1) 6=a_(i,2) but π_j(F_f(K, R_i^a(i,1))) = π_j(F_f(K, R^a_i^(i,2))) over{0,1}. Since F_f is well balanced andR^j_i is randomly chosen from the set {R¹_i, R²_i, ..., R^d_i}, the first case occurs with probability 1

d, whereas the second case occurs

3. RFID SECURITY AND PRIVACY with probability 1

2(1−1

d). Therefore, eventE_(i,j) happens with probability 1 8+1

2, adversaryAcan repeat his attack several times to obtainN samples of the same equation πj(v_(i,1)⊕v_(i,2)), and if N is large enough, adversary Acan decide the correct value ofπj(F_f(K^′, N_(i,1))⊕F_f(K^′, N_(i,2))) by using a majority vote.

Using Chernoff bounds, we deduce that the probability of adversary A obtaining the correct value ofπj(Ff(K^′, N_(i,1))⊕Ff(K^′, N_(i,2))) in more than N 4×64 linear monomials and 6×64 monomials of degree 2. As a consequence, adversary A must get 640 correct equations πj(v_(i,1)⊕v_(i,2)) = πj(F_f(K^′, N_(i,1))⊕F_f(K^′, N_(i,2))) to recover the key K^′. This happens with probability greater than

(1−exp(−2N ǫ² 1 + 2ǫ))⁶⁴⁰

Since there are q = 60 rounds in one execution of the protocol, it follows that adversary A needs ˜N = 2³³N

q (1−exp(−2N ǫ²

1 + 2ǫ))⁶⁴⁰ interactions with tagT to get a correct linearized system in the 640 monomials. Setting N = 4096, we obtain ˜N = 2^39.09.