Analysis and Correction of the Attack against the LPN-Problem Based Authentication Protocols
Abstract
1. Introduction
2. Preliminaries
 Variables are denoted with normal, bold or capital bold letters (e.g., x, $\mathbf{x}$ and $\mathbf{X}$) if they represent single elements, vectors, or matrices, respectively
 ${\mathbb{Z}}_{2}^{m}$: set of all m-dimensional binary vectors
 ${\mathbb{Z}}_{2}^{k\times m}$: set of all $k\times m$-dimensional binary matrices
 ${\mathbf{x}}_{i}$: i-th element of binary vector $\mathbf{x}$
 ${\mathbf{1}}_{i}$: binary vector with all zeros, except on the position i
 $\mathbf{x}\oplus \mathbf{y}$: bitwise XOR operation of two binary vectors $\mathbf{x}$ and $\mathbf{y}$
 $\parallel \mathbf{x}\parallel $: the Hamming weight of binary vector $\mathbf{x}$ (sum of its elements)
 $x\stackrel{\$}{\leftarrow}X$: sampling a value x which follows uniform distribution over a finite set X
 $Pr\left[A\right]$: probability of an event A
 ${\mathrm{Ber}}_{\tau}$: Bernoulli distribution with parameter $\tau $. $x\leftarrow {\mathrm{Ber}}_{\tau}$ is sampling of value x such that $P(x=1)=\tau $, $P(x=0)=1-\tau $
 $Bin(n,p)$: Binomial distribution of n experiments with success probability p of each experiment
 $\mathbf{e}\leftarrow {\mathrm{B}er}_{\tau}^{m}$: sampling binary vector $\mathbf{e}\in {\mathbb{Z}}_{2}^{m}$ such that ${\mathbf{e}}_{i}\leftarrow {\mathrm{B}er}_{\tau},i=1,\dots ,m$
 $\mathcal{N}(\mu ,{\sigma}^{2})$: Normal distribution with mean $\mu $ and variance ${\sigma}^{2}$
 $\mathsf{\Phi}\left(x\right)$: standard normal cumulative distribution function
 $erfc\left(x\right)=2\mathsf{\Phi}(-x\sqrt{2})$: complementary error function
 ${X}_{n}\stackrel{\mathcal{D}}{\to}\mathcal{X}$: sequence of random variables ${X}_{1},{X}_{2},\dots {X}_{n}$ converges weakly (in distribution) to a distribution $\mathcal{X}$ as $n\to \infty $
 $P\left(\overline{w}\right)$: probability of acceptance during the OOV attack when the Adversary adds noise vector $\overline{\mathbf{e}},\parallel \overline{\mathbf{e}}\parallel =\overline{w}$ to a regular noise vector $\mathbf{e}$ in a protocol session, that is, $P\left(\overline{w}\right)=Pr[\parallel \mathbf{e}\oplus \overline{\mathbf{e}}\parallel \le thr]$
 ${P}_{OOV}\left(\overline{w}\right):=\mathsf{\Phi}\left(\frac{thr-(m-\parallel \overline{e}\parallel )\tau -\parallel \overline{e}\parallel (1-\tau )}{\sqrt{m\tau (1-\tau )}}\right)$: approximation of $P\left(\overline{w}\right)$ used in the OOV attack [12].
 Collects a triplet $(\overline{\mathbf{a}},\overline{\mathbf{b}},\overline{\mathbf{z}}=\overline{\mathbf{a}}\mathbf{X}\oplus \overline{\mathbf{b}}\mathbf{Y}\oplus \overline{\mathbf{e}})$ of messages exchanged between the Tag and the Reader by eavesdropping one of their communication sessions
 Replaces each triplet $(\mathbf{a},\mathbf{b},\mathbf{z})$ of messages between the Tag and the Reader during n following communication sessions with a triplet $(\mathbf{a}\oplus \overline{\mathbf{a}},\mathbf{b}\oplus \overline{\mathbf{b}},\mathbf{z}\oplus \overline{\mathbf{z}})$
 Counts the number c of “ACCEPT” decisions of the Reader at the end of those n sessions.
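The acceptance probability $P\left(\overline{w}\right)$ and its approximation ${P}_{OOV}\left(\overline{w}\right)$ from the notation list can be compared numerically. The Python code below is an added example, not code from the article: it computes the exact value by splitting $\parallel \mathbf{e}\oplus \overline{\mathbf{e}}\parallel $ into two independent counts, $Bin(m-\overline{w},\tau )$ on the positions where $\overline{\mathbf{e}}$ is 0 and $Bin(\overline{w},1-\tau )$ on the positions it flips, which follows from the definitions of $\mathbf{e}$ and a fixed $\overline{\mathbf{e}}$. The parameter sets are the ones in the article's table; all function names and the sample weights are assumptions made for illustration.

```python
import math
from itertools import accumulate

# (m, tau, thr) for the two parameter sets listed in the article's table.
PARAMS = {"I": (1164, 0.25, 405), "II": (441, 0.125, 113)}


def binom_pmf(n, p):
    """PMF of Bin(n, p) for k = 0..n, computed in log space to avoid overflow."""
    lp, lq = math.log(p), math.log1p(-p)
    return [
        math.exp(math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
                 + k * lp + (n - k) * lq)
        for k in range(n + 1)
    ]


def exact_acceptance(m, tau, thr, w):
    """Exact P(w) = Pr[||e xor e_bar|| <= thr], e ~ Ber_tau^m, ||e_bar|| = w."""
    outside = binom_pmf(m - w, tau)    # ones of e on the m - w positions where e_bar is 0
    inside = binom_pmf(w, 1.0 - tau)   # zeros of e on the w positions that e_bar flips
    cdf = list(accumulate(outside))
    total = 0.0
    for j, pj in enumerate(inside):    # j = ones contributed by the flipped positions
        if j > thr:
            break
        total += pj * cdf[min(thr - j, m - w)]
    return min(total, 1.0)


def p_oov(m, tau, thr, w):
    """Normal approximation P_OOV(w) from the notation list (no continuity correction)."""
    mean = (m - w) * tau + w * (1.0 - tau)
    sd = math.sqrt(m * tau * (1.0 - tau))
    return 0.5 * math.erfc(-(thr - mean) / (sd * math.sqrt(2.0)))  # Phi(x)


def crossover_weight(m, tau, thr):
    """Weight at which the mean of ||e xor e_bar|| is closest to thr (hypothetical helper)."""
    return round((thr - m * tau) / (1.0 - 2.0 * tau))


if __name__ == "__main__":
    for name, (m, tau, thr) in PARAMS.items():
        w0 = crossover_weight(m, tau, thr)
        for w in (w0 - 10, w0, w0 + 10):   # constructed sample weights
            exact, approx = exact_acceptance(m, tau, thr, w), p_oov(m, tau, thr, w)
            print(f"set {name} w={w}: exact={exact:.6f} P_OOV={approx:.6f} "
                  f"error={exact - approx:+.6f}")
```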
3. Revision of the OOV Attack
3.1. Revision of the Theoretical Analysis behind the OOV Weight Estimate
3.1.1. Incorrect Claim that Cumulative Noise Vector $\mathbf{e}\oplus \overline{\mathbf{e}}$ Follows Binomial Distribution
3.1.2. Approximation of Acceptance Rates $P\left(\overline{w}\right)\approx {P}_{OOV}\left(\overline{w}\right)$ without Error Estimation
3.1.3. Unknown Error Bound of the Weight Estimate Process
3.1.4. Main Conclusions
 The distribution of the Hamming weight of cumulative noise vector is wrongly assessed as Binomial,
 Approximation $P\left(\overline{w}\right)\approx {P}_{OOV}\left(\overline{w}\right)$ lacks error estimation,
 The error of the weight estimate procedure is unknown. Since error bound of $P\left(\overline{w}\right)\approx {P}_{OOV}\left(\overline{w}\right)$ is unknown, this consequently also stands for the final approximation $\frac{c}{n}\approx {P}_{OOV}\left(\overline{w}\right)$ which produces the output of weight estimate procedure.
3.2. Error Estimation of Acceptance Rates Approximation $P\left(\overline{w}\right)\approx {P}_{OOV}\left(\overline{w}\right)$
3.2.1. Standard Upper Error Bound for CLT Approximations
3.2.2. The Exact Distribution of the Acceptance Rates
3.2.3. Exact Error of the Approximation $P\left(\overline{w}\right)\approx {P}_{OOV}\left(\overline{w}\right)$
3.3. Proper Decision Zones
 the inverse function might not preserve the ratios of distances, so, for example, it could be possible that ${P}^{-1}\left(\frac{c}{n}\right)$ is closer to $\overline{w}$ than to $\overline{w}+1$, while $\frac{c}{n}$ is actually closer to $P(\overline{w}+1)$ than to $P\left(\overline{w}\right)$,
 ${P}_{OOV}$ is used as an approximation of exact acceptance rates P with unknown precision,
 $\overline{w}$ should be determined by considering which of the possible distributions is $\frac{c}{n}$ most likely sampled from, i.e., by probabilistic reasoning, instead of simply applying the inverse function to $\frac{c}{n}$ value.
3.4. The Exact and the Approximate Probability Distribution Relation
4. Correction of the OOV Attack
4.1. Correction of the OOV Attack Algorithm
Algorithm 1. PBOOV weight estimate alg. Approximating $\overline{w}=\parallel \overline{\mathbf{e}}\parallel $

4.2. Comparison of the OOV and PBOOV Attack Success
4.2.1. Noise Vector Hamming Weight Estimate
4.2.2. Noise Vector Bits Recovery
4.2.3. Secret Keys Recovery Comparison
 
 $\lfloor \frac{l}{m}\rfloor $ whole m-bit noise vectors—which happens with probability $pvr{\left(\overline{w}\right)}^{\lfloor \frac{l}{m}\rfloor}$,
 
 and then the remaining $l \bmod m$ bits, by guessing incorrectly one more noise vector weight, and recovering each one of them—which happens with probability $pvrest\left(\overline{w}\right)={p}_{0}\,{p}_{{i}_{1}}^{(l \bmod m)\tau}\,{p}_{{i}_{0}}^{(l \bmod m)(1-\tau )}$ for parameter set II and $pvrest\left(\overline{w}\right)={p}_{0}^{*}\,{\left({p}_{{i}_{1}}^{*}\right)}^{\Delta}\,{\left({p}_{{i}_{0}}^{*}\right)}^{\frac{\Delta (1-\tau )}{\tau}}\,{p}_{{i}_{1}}^{(l \bmod m-\frac{\Delta}{\tau})\tau}\,{p}_{{i}_{0}}^{(l \bmod m-\frac{\Delta}{\tau})(1-\tau )}$ for parameter set I, since $\frac{\Delta}{\tau}<l \bmod m$.
5. Experimental Results and Discussion
5.1. Evaluation of the Acceptance Rates
5.2. Precision Comparison of the OOV and PBOOV Weight Estimate: Experimental
5.3. Evaluation of the PBOOV Attack Precision
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Appendix A
| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| $\theta $ | 2.401 | 3.308 | 2.265 | 3.164 |
| $R\left({w}_{exp}\right)$ | 16,780.41 * | 16,780.41 * | 269.39 | 269.39 |
| $R\left({w}_{opt}\right)$ | 2742.61 | 2742.61 | | |
| $R({w}_{exp}-1)$ | 15,789.60 | 15,789.60 | 270.95 | 270.95 |
| $R({w}_{opt}-1)$ | 2743.75 | 2743.75 | | |
| ${n}_{{w}_{exp}}={\theta}^{2}R\left({w}_{exp}\right)$ | 96,736 | 183,626 | 1382 | 2697 |
| ${n}_{{w}_{opt}}={\theta}^{2}R\left({w}_{opt}\right)$ | 15,811 | 30,012 | | |
| ${n}_{{w}_{exp}-1}={\theta}^{2}R({w}_{exp}-1)$ | 91,024 | 172,783 | 1390 | 2712 |
| ${n}_{{w}_{opt}-1}={\theta}^{2}R({w}_{opt}-1)$ | 15,817 | 30,024 | | |

References
1. Avoine, G.; Carpent, X.; Hernandez-Castro, J. Pitfalls in ultralightweight authentication protocol designs. IEEE Trans. Mob. Comput. 2015, 15, 2317–2332.
2. Baashirah, R.; Abuzneid, A. Survey on prominent RFID authentication protocols for passive tags. Sensors 2018, 18, 3584.
3. D’Arco, P. Ultralightweight cryptography. In International Conference on Security for Information Technology and Communications; Springer: Cham, Switzerland, 2018; pp. 1–16.
4. Hopper, N.J.; Blum, M. Secure Human Identification Protocols. In Advances in Cryptology—ASIACRYPT 2001. ASIACRYPT 2001. Lecture Notes in Computer Science; Boyd, C., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2248.
5. Katz, J.; Shin, J.S. Parallel and Concurrent Security of the HB and HB^{+} Protocols. In Advances in Cryptology—EUROCRYPT 2006. EUROCRYPT 2006. Lecture Notes in Computer Science; Vaudenay, S., Ed.; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4004.
6. Katz, J.; Shin, J.S.; Smith, A. Parallel and concurrent security of the HB and HB+ protocols. J. Cryptol. 2010, 23, 402–421.
7. Gilbert, H.; Robshaw, M.; Sibert, H. Active attack against HB+: A provably secure lightweight authentication protocol. Electron. Lett. 2005, 41, 1169–1170.
8. Bringer, J.; Chabanne, H.; Dottax, E. HB++: A Lightweight Authentication Protocol Secure against Some Attacks. In Proceedings of the Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU’06), Lyon, France, 29 June 2006; IEEE Computer Society: Washington, DC, USA, 2006; pp. 28–33.
9. Munilla, J.; Peinado, A. HB-MP: A further step in the HB-family of lightweight authentication protocols. Comput. Netw. 2007, 51, 2262–2267.
10. Gilbert, H.; Robshaw, M.J.; Seurin, Y. Good variants of HB+ are hard to find. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 156–170.
11. Gilbert, H.; Robshaw, M.J.B.; Seurin, Y. HB#: Increasing the Security and Efficiency of HB^{+}. In Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science; Smart, N., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 4965.
12. Ouafi, K.; Overbeck, R.; Vaudenay, S. On the Security of HB# against a Man-in-the-Middle Attack. In Advances in Cryptology—ASIACRYPT 2008. Lecture Notes in Computer Science; Pieprzyk, J., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5350.
13. Leng, X.; Mayes, K.; Markantonakis, K. HB-MP+ protocol: An improvement on the HB-MP protocol. In Proceedings of the 2008 IEEE International Conference on RFID, Las Vegas, NV, USA, 16–17 April 2008; IEEE: Piscataway, NJ, USA, 2008; pp. 118–124.
14. Yoon, B.; Sung, M.Y.; Yeon, S.; Oh, H.S.; Kwon, Y.; Kim, C.; Kim, K.H. HB-MP++ protocol: An ultra light-weight authentication protocol for RFID system. In Proceedings of the 2009 IEEE International Conference on RFID, Orlando, FL, USA, 27–28 April 2009; IEEE Computer Society: Washington, DC, USA, 2009; pp. 186–191.
15. Aseeri, A.; Bamasak, O. HB-MP*: Towards a Man-in-the-Middle-Resistant Protocol of HB Family. In 2nd Mosharaka International Conference on Mobile Computing and Wireless Communications (MICMCWC 2011); Mosharaka for Research and Studies: Amman, Jordan, 2011; Volume 2, pp. 49–53.
16. Bringer, J.; Chabanne, H. Trusted-HB: A low-cost version of HB+ secure against man-in-the-middle attacks. IEEE Trans. Inf. Theory 2008, 54, 4339–4342.
17. Madhavan, M.; Thangaraj, A.; Sankarasubramanian, Y.; Viswanathan, K. NLHB: A non-linear Hopper-Blum protocol. In Proceedings of the 2010 IEEE International Symposium on Information Theory, Austin, TX, USA, 13–18 June 2010; IEEE: Piscataway, NJ, USA, 2010; pp. 2498–2502.
18. Bosley, C.; Haralambiev, K.; Nicolosi, A. HB^{N}: An HB-like protocol secure against man-in-the-middle attacks. IACR Cryptol. ePrint Arch. 2011, 2011, 350.
19. Rizomiliotis, P.; Gritzalis, S. GHB#: A provably secure HB-like lightweight authentication protocol. In International Conference on Applied Cryptography and Network Security; Springer: Berlin/Heidelberg, Germany, 2012; pp. 489–506.
20. Hammouri, G.; Öztürk, E.; Birand, B.; Sunar, B. Unclonable lightweight authentication scheme. In International Conference on Information and Communications Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 33–48.
21. Hammouri, G.; Sunar, B. PUF-HB: A tamper-resilient HB based authentication protocol. In International Conference on Applied Cryptography and Network Security; Springer: Berlin/Heidelberg, Germany, 2008; pp. 346–365.
22. Deng, G.; Li, H.; Zhang, Y.; Wang, J. Tree-LSHB+: An LPN-based lightweight mutual authentication RFID protocol. Wirel. Pers. Commun. 2013, 72, 159–174.
23. Qian, X.; Liu, X.; Yang, S.; Zuo, C. Security and privacy analysis of tree-LSHB+ protocol. Wirel. Pers. Commun. 2014, 77, 3125–3314.
24. Karrothu, A.; Scholar, R.; Norman, J. An analysis of LPN based HB protocols. In Proceedings of the 2016 Eighth International Conference on Advanced Computing (ICoAC), Chennai, India, 19–21 January 2017; IEEE: Piscataway, NJ, USA, 2017; pp. 138–145.
25. Knežević, M.; Tomović, S.; Mihaljević, M.J. Man-In-The-Middle Attack against Certain Authentication Protocols Revisited: Insights into the Approach and Performances Re-Evaluation. Electronics 2020, 9, 1296.
26. Koralov, L.; Sinai, Y.G. Theory of Probability and Random Processes; Springer: Berlin/Heidelberg, Germany, 2007; pp. 131–134.
27. Shiganov, I.S. Refinement of the upper bound of the constant in the central limit theorem. J. Math. Sci. 1986, 35, 2545–2550 (translated from Stab. Probl. Stoch. Models 1982, 105–115).
28. Shevtsova, I.G. An improvement of convergence rate estimates in the Lyapunov theorem. Dokl. Math. 2010, 82, 862–864.

| Parameter Set | ${k}_{x}$ | ${k}_{y}$ | m | $\tau$ | thr |
|---|---|---|---|---|---|
| I | 80 | 512 | 1164 | 0.25 | 405 |
| II | 80 | 512 | 441 | 0.125 | 113 |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| claimed precision $=1-erfc\left(\theta \right)$ | 0.999315 | 0.999997 | 0.998641 | 0.999992 |
| real precision $={p}_{0}({w}_{exp},{w}_{exp},4{n}_{{w}_{exp}})$ | 0.087803 | 0.031017 | 0.038852 | 0.006860 |
| ${p}_{0}({w}_{exp}-1,{w}_{exp},4{n}_{{w}_{exp}})$ | 0.912197 | 0.968983 | 0.961146 | 0.993139 |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| targeted precision $=1-erfc\left(\theta \right)$ | 0.999315 | 0.999997 | 0.998641 | 0.999992 |
| real precision $={p}_{0}^{\prime}({w}_{exp},{w}_{exp},4{n}_{{w}_{exp}})$ | 0.999506 | 0.999998 | 0.998641 | 0.999992 |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| claimed precision $=1-\frac{1}{2}erfc\left(\theta \right)$ | 0.999658 | 0.9999986 | 0.999320 | 0.999996 |
| ${p}_{{i}_{1}}({w}_{exp},{w}_{exp},{n}_{{w}_{exp}})$ | $1-4.4\times {10}^{-9}$ | $1-1.1\times {10}^{-15}$ | $1-5.5\times {10}^{-9}$ | $1-7.1\times {10}^{-16}$ |
| ${p}_{{i}_{1}}({w}_{opt},{w}_{opt},{n}_{{w}_{opt}})$ | $1-4.6\times {10}^{-13}$ | $1-3.9\times {10}^{-23}$ | | |
| ${p}_{{i}_{0}}({w}_{exp},{w}_{exp},{n}_{{w}_{exp}})$ | 0.858089 | 0.930114 | 0.764623 | 0.843169 |
| ${p}_{{i}_{0}}({w}_{opt},{w}_{opt},{n}_{{w}_{opt}})$ | 0.365592 | 0.317990 | | |
| ${p}_{{i}_{1}}({w}_{exp}-1,{w}_{exp},{n}_{{w}_{exp}-1})$ | 0.991712 | 0.999518 | 0.993508 | 0.999740 |
| ${p}_{{i}_{1}}({w}_{opt}-1,{w}_{opt},{n}_{{w}_{opt}-1})$ | 0.999908 | $1-1.3\times {10}^{-7}$ | | |
| ${p}_{{i}_{0}}({w}_{exp}-1,{w}_{exp},{n}_{{w}_{exp}-1})$ | 0.999997 | $1-2.8\times {10}^{-10}$ | 0.999957 | $1-2.1\times {10}^{-8}$ |
| ${p}_{{i}_{0}}({w}_{opt}-1,{w}_{opt},{n}_{{w}_{opt}-1})$ | 0.998863 | 0.999987 | | |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| claimed precision | 0.670720 | 0.998314 | 0.739967 | 0.998306 |
| $pvr\left({w}_{exp}\right)$ | 0.245168 | 0.932141 | 0.573019 | 0.973427 |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| targeted precision $=1-\frac{1}{2}erfc\left(\theta \right)$ | 0.999658 | 0.9999986 | 0.999320 | 0.999996 |
| ${p}_{{i}_{1}}^{\prime}({w}_{exp},{w}_{exp},{n}_{{w}_{exp}})$ | 0.999623 | 0.9999983 | 0.999345 | 0.999996 |
| ${p}_{{i}_{1}}^{\prime}({w}_{opt},{w}_{opt},{n}_{{w}_{opt}})$ | 0.999660 | 0.9999986 | | |
| ${p}_{{i}_{0}}^{\prime}({w}_{exp},{w}_{exp},{n}_{{w}_{exp}})$ | 0.999874 | 0.9999998 | 0.999351 | 0.999996 |
| ${p}_{{i}_{0}}^{\prime}({w}_{opt},{w}_{opt},{n}_{{w}_{opt}})$ | 0.999659 | 0.9999986 | | |

| | Parameter Set I: HB# | Parameter Set I: Random-HB# | Parameter Set II: HB# | Parameter Set II: Random-HB# |
|---|---|---|---|---|
| claimed precision | 0.670720 | 0.998314 | 0.739967 | 0.998306 |
| $pv{r}^{\prime}\left({w}_{exp}\right)$ | 0.698279 | 0.998538 | 0.749770 | 0.998443 |

| | HB# | Random-HB# |
|---|---|---|
| num. tests | 2000 | 25,000 |
| targeted OOV weight est. precision $=1-erfc\left(\theta \right)$ | 0.998641 | 0.999992 |
| experimentally obtained weight est. precision | 0.999 | 1 |
| targeted OOV bit precision $=1-\frac{1}{2}erfc\left(\theta \right)$ | 0.999320 | 0.999996 |
| experimentally obtained avg. bit precision | 0.999342 | 0.999996 |
| experimentally obtained 0-bit precision | 0.999344 | 0.999996 |
| experimentally obtained 1-bit precision | 0.999333 | 0.999995 |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Tomović, S.; Knežević, M.; Mihaljević, M.J. Analysis and Correction of the Attack against the LPN-Problem Based Authentication Protocols. Mathematics 2021, 9, 573. https://doi.org/10.3390/math9050573