Analyzing the HB and HB+ Protocols in the "Large Error" Case

HB and HB are two shared-key, unidirectional authentication protocols whose extremely low computational cost makes them potentially well-suited for severely resource-constrained devices. Security of these protocols is based on the conjectured hardness of learning parity with noise; that is, learning a secret s given “noisy” dot products of s that are incorrect with probability ε. Although the problem of learning parity with noise is meaningful for any constant ε < 1/2, existing proofs of security for HB and HB only imply security when ε < 1/4. In this note, we show how to extend these proofs to the case of arbitrary ε < 1/2. 1 Background The HB and HB protocols, introduced by Hopper and Blum [7, 8] and Juels and Weis [11] respectively, are shared-key, unidirectional authentication protocols whose efficiency makes them potentially suitable for resource-constrained devices such as RFID tags. The HB protocol is intended to be secure against a passive (eavesdropping) adversary, while the HB protocol is intended to be secure against an active adversary. Security of these protocols is based on the problem of learning parity with noise (the LPN problem) [1, 2, 3, 4, 6, 13, 7, 8, 14]. Roughly speaking (see Section 2.1 for a formal definition), this problem is to determine a secret value s given “noisy” dot products of s with a sequence of randomly-chosen vectors. These dot products are “noisy” in that they are each incorrect with (independent) probability ε, where ε is a fixed constant. The LPN problem is meaningful for any constant ε ∈ (0, 1 2 ). Juels and Weis [11] gave the first proofs of security for the HB and HB protocols based on the hardness of the LPN problem. Although their proofs tolerate any value of ε, their results have some limitations: (1) they do not handle multiple iterations of the protocol, but instead only analyze a “basic authentication step” which does not by itself provide adequate security; and (2) they do not handle parallel or concurrent executions of the HB protocol. (We refer the reader to [12] for a detailed discussion.) Katz and Shin [12] gave proofs that overcame these limitations, but their proofs only imply meaningful security (in either an asymptotic or a concrete sense) for ε < 1 4 . Work done while the authors were visiting IPAM. Dept. of Computer Science, University of Maryland. [email protected]. This research was supported by NSF Trusted Computing grants #0310751 and #0627306, and NSF CAREER award #0447075. Dept. of Computer Science and Engineering, Pennsylvania State University. [email protected]. While we provide some minimal background, our assumption is that the reader is already familiar with [12].