Good variants of HB\(^+\) are hard to find. (English) Zbl 1175.94079
Tsudik, Gene (ed.), Financial cryptography and data security. 12th international conference, FC 2008, Cozumel, Mexico, January 28–31, 2008. Revised selected papers. Berlin: Springer (ISBN 978-3-540-85229-2/pbk). Lecture Notes in Computer Science 5143, 156-170 (2008).
Summary: The strikingly simple HB\(^+\) protocol of A. Juels and S. A. Weis [“Authenticating pervasive devices with human protocols”, Lect. Notes Comput. Sci. 3621, 293–308 (2005; Zbl 1145.94470)] has been proposed for the authentication of low-cost RFID tags. As well as being computationally efficient, the protocol is accompanied by an elegant proof of security. After its publication, H. Gilbert et al. [“An active attack against HB\(^+\) – a provably secure lightweight authentication protocol”, IEE Elec. Letters 41, No. 21, 1169–1170, available at http://www.avoine.net/rfid/download/papers/GilbertRS-2005-manuscript.pdf (2005)] demonstrated a simple man-in-the-middle attack that allowed an attacker to recover the secret authentication keys. (The attack does not contradict the proof of security since the attacker lies outside the adversarial model.) Since then a range of schemes closely related to HB\(^+\) have been proposed and these are intended to build on the security of HB\(^+\) while offering resistance to the attack of Gilbert et al. [loc. cit.]. In this paper we show that many of these variants can still be attacked using the techniques of Gilbert et al. [loc. cit.] and the original HB\(^+\) protocol remains the most attractive member of the HB\(^+\) family.
For the entire collection see [Zbl 1155.94009].

94A60 Cryptography
94A62 Authentication, digital signatures and secret sharing