Reasonable Security Parameters for the HB and HB Protocols

1
Reasonable Security Parametersfor the HB and HB
Protocols

• Kelsey Livingston and Jennifer Tam
• Mentors Dr. Rebecca Wright Dr. Susanne Wetzel

2
Talk Overview

• Review of RFID and HB protocol
• Analysis of data collected on parameters
• False Positives
• Mathematical Predictions
• Data Collected
• Open Problems

3
RFID technology

• Reader and Tag
• Tag has an ID or secret
• The HB HB protocols were developed as
  authentication protocols

4
HB Protocol
Reader Knows s, e Computes
Reader checks r (q s)
Accepts if r' r
Represents one iteration of the HB protocol.
5
Recall

• Based on the NP-hardness of the LPN problem
• After queries, the reader accepts the tag if
  the tags responses have errors.
• Variable Parameters
• , number of queries
• , number of secrets
• Value of
• Value of , or bounds

6
False Positives

• False Positive An invalid tag which is
  incorrectly accepted by the reader
• False Negative A valid tag which is incorrectly
  rejected by the reader
• Goal A secure protocol minimizes false positives
  and negatives

7
Creating Graphs

• Tested a valid tag
• Each box plot is composed from 50 percentages
  which were calculated from 5000 runs of the
  program
• These graphs represent data collected from 32-bit
  secrets, queries, and blinding factors

8
Acceptance Ratio of HB Protocol With Varying
Amounts of Queries
Constant Values e 0.125 d 0.0625 p 50
9
Acceptance Ratio of HB Protocol With Varying
Bounds
Constant Values e 0.125 n 200 p 50
10
Acceptance Ratio of HB Protocol With Varying
Epsilon Values
Constant Values n 200 d 0.0625 p 50
11
Acceptance Ratio of HB Protocol With Varying
Amounts of Secrets
Constant Values e 0.125 d 0.0625 n 200
12
Probability of Accepting the Incorrect Secret by
HB Protocol
Constant Values e 0.125 d 0.0625 n 200
13
Predicting False Positive

• We wish to calculate the number of possible false
  positives for a given set of parameters.
• Given
• reader with 1 secret
• length queries and secrets
• queries, epsilon, and permitted
  variation
• Can we calculate how many of the possible tags
  will be accepted by a reader?
• Keep in mind that reader and tag are using HB
  Protocol

14
Simplified Case

• Consider ie tag wont
  flip

All 216 possible secrets of length 16
(0 or 1)
I accept all secrets which sent a 0!

• Reader accepts of the possible secrets
• In general, Reader accepts of the secrets

15
Building Intuition

• Build a model that accounts for e

Prob (1-e)
Prob e

• ½ of all possible tags are A, ½ are R
• Can we generalize this to n queries?

16
Two queries
Case of
AA
AR
RA
RR
AA
AR
RA
RR
AA
AR
RA
RR
AA
AR
RA
RR

• ¼ of possible tags have AA
• ½ of possible tags have AR or RA
• ¼ of possible tags have RR
• For 3 queries, group sizes are and

17
Generalizing to n queries

• In general, for n queries

of all tags get rejected on 0 queries
of all tags get rejected on 1 queries
of all tags get rejected on n queries

• Hypothesis

where is the number of secrets of length k
accepted by a reader with 1 secret using n queries
18
Finding Bounds

• What are and ?
• Recall that the reader accept all tags with error
  between and
• Let and such
  that
• Let and

19
Number of False Positives Accepted by a Reader
with 1 Secret Using the HB Protocol
Constant Values e 0.09375 d 0.0625
1.1
1.0
0.2
0.05
0.03
20
Number of False Positives Accepted by a Reader
with 50 Secrets Using the HB Protocol
Constant Values e 0.09375 d 0.0625
43
39
9.9
2.1
1.8
21
Number of False Positives Accepted by Reader With
200 Secrets Using the HB Protocol
Constant Values e 0.09375 d 0.0625
89
86
34
8.2
6.9
22
Open Problems

• Extend the formula to p number of secrets and HB
• Mathematically prove the validity or invalidity
  of the formula
• Show that the parameters found can be implemented
  on real RFID tags
• Extend the Katz Shin proof of security to ¼e½