Breaking and fixing the HB+DB protocol

Abstract : The HB protocol and its HB + successor are lightweight authentication schemes based on the Learning Parity with Noise (LPN) problem. They both suffer from the so-called GRS-attack whereby a man-in-the-middle (MiM) adversary can recover the secret key. At WiSec 2015, Pagnin et al. proposed the HB+DB protocol: HB + with an additional distance-bounding dimension added to detect and counteract such MiM attacks. They showed experimentally that HB+DB was resistant to GRS adversaries, and also advanced HB+DB as a distance-bounding protocol, discussing its resistance to worst-case distance-bounding attackers. In this paper, we exhibit flaws both in the authentication and distance-bounding layers of HB+DB; these vulnerabilities encompass practical attacks as well as provable security shortcomings. First, we show that HB+DB may be impractical as a secure distance-bounding protocol, as its distance-fraud and mafia-fraud security-levels scale poorly compared to other distance-bounding protocols. Secondly, we describe an effective MiM attack against HB+DB: our attack refines the GRS-strategy and still leads to key-recovery by the attacker, yet this is not deterred by HB+DB's distance-bounding. Thirdly, we refute the claim that HB+DB's security against passive attackers relies on the hardness of the LPN problem. We also discuss how (erroneously) requiring such hardness, in fact, lowers HB+DB's efficiency and its resistance to authentication and distance-bounding attacks. Drawing on HB+DB's design flaws, we also propose a new distance-bounding protocol – BLOG. It retains parts of HB+DB, yet BLOG is provably secure, even – in particular – against MiM attacks. Moreover, BLOG enjoys better practical security (asymptotical in the security parameter).
Document type :
Conference papers
Complete list of metadatas

Cited literature [20 references]  Display  Hide  Download
Contributor : David Gerault <>
Submitted on : Friday, September 15, 2017 - 6:49:11 PM
Last modification on : Thursday, February 7, 2019 - 5:07:36 PM
Long-term archiving on : Saturday, December 16, 2017 - 2:42:07 PM


Files produced by the author(s)



Ioana Boureanu, David Gerault, Pascal Lafourcade, Cristina Onete. Breaking and fixing the HB+DB protocol. Wisec 2017 - Conference on Security and Privacy in Wireless and Mobile Networks, Jul 2017, Boston, United States. pp.241 - 246, ⟨10.1145/3098243.3098263 ⟩. ⟨hal-01588562⟩



Record views


Files downloads