JP4863283B2 - Authentication system with lightweight authentication protocol - Google Patents

Description

  The present invention relates to an authentication system for authenticating wireless tag data using an authentication protocol, for example. More specifically, the present invention relates to a challenge tag suitable for a device with limited power and computational resources such as a wireless tag (RFID). The present invention relates to an authentication system based on a new lightweight authentication protocol that uses a model of a binary communication path with information insertion, loss, and inversion based on response communication.

  The design of lightweight authentication protocols for applications under very limited implementation conditions is widely recognized by researchers as a difficult problem to solve. As an example having such a problem of the mounting environment, there is a problem of authentication in RFID (radio-frequency identification) used as a wireless tag. In recent years, papers such as Non-Patent Document 9 and Non-Patent Document 10 have been published regarding authentication methods in RFID systems.

  On the other hand, in Non-Patent Document 6, the safety of the technique used in these papers, specifically, the margin of safety estimated in Non-Patent Document 9 is claimed. It is pointed out that it is lower than what it is. In Non-Patent Document 6, a new algorithm that efficiently solves the LPN (Learning Parity with Noise) problem, which is based on the authentication method proposed in Non-Patent Document 6, is proposed, and its performance is evaluated. Yes.

  This algorithm is based on an improved version of the recently proposed “fast correlation attack”, and similarly “decimation”, “linear combining”, “hypothesis ( concepts such as “hypothesis” and “minimum distance decoding”. Unlike the fast correlation attack, the LPN problem has the property that pre-processing is not allowed at all due to its nature.

  The algorithm proposed there is a stronger attack method than the BKW algorithm previously proposed by Blum, Kalai, and Wasserman and said to be the strongest attack so far. In fact, the BKW algorithm has been shown to be a special case of the proposed algorithm. However, the BKW algorithm does not optimize the parameters proposed in Non-Patent Document 6.

  In Non-Patent Document 6, as an RFID authentication protocol, passive attacks (that is, attackers act on the system) are proposed for the HB protocol proposed by Hopper and Blum, and the improved version of the HB + protocol (see Non-Patent Document 9). A detailed safety evaluation is performed in an environment assuming no eavesdropping, for example, an attack using information obtained only by eavesdropping or regular communication).

  In Non-Patent Document 6, the security of the HB protocol is reevaluated using the proposed algorithm. It was clarified that the safety margin reported at the time of the proposal was overestimated.

Non-patent documents 1 to 20 exemplified below can be referred to as technologies related to other authentication systems.

ER Berlekamp, RJ McEliece, and HCA van Tilborg, "On the Inherent Intractability of Certain Coding Problems", IEEE Trans.Info. Theory, vol. 24, pp. 384-386, 1978. A. Blum, A. Kalai and H. Wasserman, "Noise-Tolerant Learning, the Parity Problem, and the Statistical Query Model", Journal of the ACM, vol. 50, no. 4, pp.506-519, July 2003. P. Chose, A. Joux and M. Mitton, "Fast Correlation Attacks: An Algorithmic Point of View", EUROCRYPT2002, Lecture Notes in Computer Science, vol. 2332, pp.209-221, 2002. E. Drinea and M. Mitzenmacher, "On Lower Bounds for the Capacity of DeletionChannels", IEEE Trans. Inform. Theory, vol. 52, pp. 4648-4657, Oct. 2006. MPCFossorier, MJ Mihaljevic and H. Imai, "A Unified Analysis for the FastCorrelation Attack", 2005 IEEE Int. Symp. Inform. Theory-ISIT'2005, Adelaide, Australia, Sept. 2005, Proceedings, pp. 2012-2015 (ISBN 0-7803-9151-9). MPCFossorier, MJ Mihaljevic, H. Imai, Y. Cui and K. Matsuura, "An Algorithm for Solving the LPN Problem and its Application to Security Evaluation of theHB Protocols for RFID Authentication", INDOCRYPT2006, Lecture Notes in Computer Science, vol. 4329, pp 48-62, 2006. H. Gilbert, M. Robshaw and H. Sibert, "An Active Attack against HB +-a Provably SecureLightweight Authentication Protocol", IACR, Cryptology ePrint Archive, Report 2005/237, July 2005. Available at http: //eprint.iacr. org / 2005/237. N. Hopper and M. Blum, "Secure Human Identification Protocols", ASIACRYPT 2001, Lecture Notes in Computer Science, vol. 2248, pp. 52-66, 2001. A. Juels and S. Weis, "Authenticating Pervasive Devices with Human Protocols", CRYPTO2005, Lecture Notes in Computer Science, vol. 3621, pp. 293-308, 2005.Updated version available at: http: //www.rsasecurity. com / rsalabs / staff / bios / ajuels / publications / pdfs / lpn.pdf. J. Katz and J.S. Shin, "Parallel and Concurrent Security of the HB and HB + Protocols", EU-ROCRYPT2006, Lecture Notes in Computer Science, vol. 4004, pp.73-87, 2006. MJMihaljevic, MPC Fossorier and H. Imai, "A General Formulation of Algebraic and Fast Correlation Attacks Based on Dedicated SampleDecimation", AAECC2006, Lecture Notes in Computer Science, vol. 3857, pp.203-214, 2006. MJMihaljevic, MPC Fossorier and H. Imai, "Cryptanalysis of KeystreamGenerator by Decimated Sample Based Algebraic and Fast CorrelationAttacks", INDOCRYPT2005, Lecture Notes in Computer Science, vol. 3797, pp.155-168, Dec. 2005. MJMihaljevic, MPC Fossorier and H. Imai, "A low-complexity and high-performance algorithm for the fast correlation attack", FSE2000, Lecture Notes in Computer Science, vol. 1978, pp. 196-212, 2001. [14] MJMihaljevic, MPC Fossorier and H. Imai, "Fast Correlation Attack Algorithm with List Decoding and an Application", FSE2001, Lecture Notesin Computer Science, vol. 2355, pp. 196-210, 2002. [15] MJMihaljevic, MPC Fossorier and H. Imai, "Key management with minimized secret storage using an erasure channel approach", IEEE Communications Letters, vol. 9, pp. 741-743, Aug. 2005. [16] M. Mitzenmacher and E. Drinea, "A Simple Lower Bound for the Capacity of the Deletion Channel", IEEE Trans. Inform. Theory, vol. 52, pp. 4657-4660, Oct. 2006. D. Wagner, "A Generalized Birthday Problem," CRYPTO '02, Lecture Notes in Computer Science, vol. 2442, pp. 288-304, 2002. MJMihaljevic, MPC Fossorier and H. Imai, "Key management with minimized secret storage using an erasure channel approach", IEEE Communications Letters, vol. 9, pp. 741-743, Aug. 2005. E. Drinea and M. Mitzenmacher, "On Lower Bounds for the Capacity of DeletionChannels", IEEE Trans. Inform. Theory, vol. 52, pp. 4648-4657, Oct. 2006. M. Mitzenmacherand E. Drinea, "A Simple Lower Bound for the Capacity of the DeletionChannel", IEEE Trans. Inform. Theory, vol. 52,

[Problems in RFID systems and authentication]
In many cases, the RFID system is very complicated as a whole. However, when generally used for commercial use, the RFID system is roughly composed of the following three subsystems.
(1) RF subsystem; this consists of a part for identifying individual RFIDs and a part in charge of processing related to wireless communication.
(2) Enterprise Subsystem: This is a system that holds, processes, and analyzes data obtained from the RF subsystem to make it useful for supported commercial services. Includes a computer that runs software created for the system.
(3) Mutual enterprise subsystem: A system connected to an enterprise subsystem when information needs to be shared across geographical or organizational boundaries.

  Each RFID system has an RF subsystem, and almost all RFID systems have an enterprise subsystem. In order to enable RFID identification using radio, the RF subsystem is composed of the following two parts.

(A) An RFID tag (sometimes referred to as a repeater) is a very small electronic device and is attached to or embedded in an object. Each RFID tag has a unique identification number (ID), and may have other functions such as a memory, an environmental sensor, and a security function for storing additional information when necessary. .
(B) An RFID interrogator (often called a reader) detects what each RFID tag is attached to and associates data with the RFID tag in order to correlate data related to the object to which the RFID tag is attached. Perform wireless communication.

  The RFID tag and the RFID reader perform bidirectional wireless communication. Each has an antenna and has a function of modulating and demodulating radio signals. One of the main security problems of an RFID tag is an authentication protocol that realizes a function in which the RFID tag is authenticated by an RFID reader. An RFID tag is a system component that, in many scenarios, has a very limited capacity (data processing capacity and storage capacity), and therefore can only support lightweight authentication protocols.

[HB protocol for RFID authentication]
In Non-Patent Document 9 published following the pioneering work by Hopper and Blum, an authentication protocol using two shared keys is proposed and analyzed. Since they require a very small calculation cost, they can be applied to low-priced devices such as RFID tags. The first protocol, called the HB protocol, has proved safe against passive attackers (only eavesdropping).

  On the other hand, the second proposed protocol (called the HB + protocol) has proven a stronger class of security that takes into account active attackers. The security of these two protocols is based on the assumption that the parity value identification “learning parity with noise” (LPN) problem in the presence of noise is difficult (see, for example, Non-Patent Document 2).

  Non-Patent Document 9 proves safety when the HB protocol and the HB + protocol are executed in parallel or in parallel. The theoretical framework on which the HB protocol is based is as follows.

A specific example will be described. It is assumed that the tag “Alice” to be authenticated and the computing device (reader) “C” share the k-bit secret information x. Then, consider a scene (authentication protocol) in which “Alice” tries to authenticate himself to “C”. At this time, “C” randomly selects challenge data aε {0, 1} ^k and sends it to “Alice”. “Alice” calculates the inner product (a · x) and returns the result to “C”. “C” calculates the inner product (a · x), and if the parity bit of “Alice” is correct, it judges that this one-round authentication is successful and accepts it. In a certain round, the probability that a user who does not know the secret information x trying to impersonate “Alice” will guess the value of the correct inner product (a · x) is ½. By repeating this one-round authentication r times, “Alice” can reduce the probability of succeeding in all of this simple parity estimation to 2- ^r .

  However, if the eavesdropping user is able to obtain the correct challenge-response value for the number of O (k) made between “Alice” and “C”, the eavesdropper will By using the erasing method, the value of the secret information x can be calculated immediately. In order to prevent an eavesdropper performing a passive attack from calculating the secret information x, “Alice” adds noise to the response value. “Alice” intentionally sends an erroneous response with a constant probability within the range of p∈ (0, 1/2). At this time, “C” authenticates the ID of “Alice” when the number of errors is smaller than pr.

  Consider a case where an eavesdropper, that is, a passive attacker, eavesdrops on multiple rounds of the HB protocol that have been executed and attempts to impersonate. Each challenge data a is assumed to be a value in a certain row of the matrix A. Similarly, a set of responses is regarded as a vector z.

  When a set A of challenge data a is given, it is conceivable to calculate a vector x which is secret information as a natural attack performed by an attacker. In other words, the attacker may attempt to calculate the secret information x used to calculate the response data set z containing a small amount of noise, given the set A of challenge data a in the HB protocol. That's what it means.

  The attacker's goal in such a case is the same as the main problem we are analyzing here. This problem is known as a problem of estimating parity in a situation involving noise, the LPN problem (the learning parity in the presence of noise). Non-Patent Document 9 shows that in both HB and HB + protocols, security against passive attackers depends on the difficulty of solving the LPN problem.

  On the other hand, Non-Patent Document 7 reports a man-in-the-middle attack on the HB + protocol. However, the following discussion given in Non-Patent Document 9 and Non-Patent Document 10 shows that the impact of such attack methods is limited.

  According to Non-Patent Document 10 (p. 76), even if the attack of Non-Patent Document 7 is successful and the protocol can be weakened, it is necessary to discuss the security of the HB / HB + protocol in a weaker attack model. It doesn't mean not. There is a trade-off between efficiency and safety, and according to the research results of the present inventors, it can be said that this trade-off also exists in the HB / HB + protocol.

  Further, Appendix A of Non-Patent Document 9 states that the man-in-the-middle attack of Non-Patent Document 7 cannot be applied to a system having a detection function that immediately warns when many authentications fail. Furthermore, there is the fact that man-in-the-middle attacks are very difficult, especially when performing short-range communications such as RFID systems. Therefore, the authentication system according to the present invention focuses only on the LPN problem and passive attack on the HB / HB + protocol, as will be described later.

[HB protocol model using binary symmetric channel]
The models of the HB / HB + protocol using a binary symmetric channel are given as shown in FIGS. 1 and 2, respectively. FIG. 1 is a diagram illustrating modeling of one round process of the HB protocol, and FIG. 2 is a diagram illustrating modeling of one round process of the HB + protocol. In FIG. 1, 10 is a secret key storage unit that stores secret key information, 11 is an inner product data generation unit that generates data for parity check by an inner product operation of challenge data and secret key information, and 12 generates random bits. A random number bit generator 13 is an output processing unit that executes a process that serves as a bit inversion communication path by a binary symmetric communication path and outputs response data. In FIG. 2, 20 is a secret key storage unit for storing two secret key information, 21 is an inner product data generating unit for generating data for parity check by inner product operation of challenge data and two secret key information, 22 Is a random number bit generator for generating random bits, and 23 is an output processing unit that executes a process that serves as a bit inversion communication path by a binary symmetric communication path and outputs response data.

  An outline of the operation of the system using the HB protocol for challenge-response communication shown in FIG. 1 will be described. When the challenge data is input to the inner product data generation unit 11, the inner product data generation unit 11 reads out the secret key information stored in the secret key storage unit 10 and performs a parity check by the inner product operation of the challenge data and the secret key information. Data is generated and supplied to the output processing unit 13. The output processing unit 13 executes a process that plays the role of bit inversion in the binary symmetric communication path using the data from the inner product data generation unit 11 and the random number bits from the random number bit generator 12 and outputs response data. One round of the challenge / response communication is performed, and the authentication protocol is executed.

  The same operation is performed for the system based on the HB + protocol of challenge / response communication shown in FIG. To explain the general operation, when challenge data is input to the inner product data generation unit 21, the inner product data generation unit 21 reads out two pieces of secret key information stored in the secret key storage unit 20, and the challenge data and 2 Data for parity check by inner product calculation of one secret key information is generated and supplied to the output processing unit 23. The output processing unit 23 executes a process that plays the role of bit inversion in the binary symmetric communication path using the data from the inner product data generation unit 21 and the random number bits from the random number bit generator 22 and outputs response data.

[Safety re-evaluation of HB protocol and HB protocol for RFID authentication]
The security of the HB protocol depends on the difficulty of solving the LPN problem “learning parity with noise” (see non-patent document 9 and non-patent document 10).
In order to formally define the LPN problem, the following notation is introduced:
(1) x = [x _i ] ^k _{i = 1} represents a k-dimensional binary vector.
(2) G = [g _i ] ⁿ _{i = 1} represents a k × n binary matrix, and each g _i = [g _i (j)] ^k _{j = 1} represents a k-dimensional binary column vector. .
(3) y = [y _i ] ⁿ _{i = 1} , z = [z _i ] ⁿ _{i = 1} represents an n-dimensional binary vector.
(4) For each i = 1, 2,..., N, e _i is the real value of the binary random variable E _i , Pr (E _i = 1) = p and Pr (E _i = 0) = 1− p, and all the random variables Ei are independent of each other.

For vector G and vector x, vector y and vector z are calculated as follows: y = x · G, z _i = y _i (+) e _i , i = 1, 2, 3,. n. Therefore, the LPN problem related to this description is formally defined as follows: That is, the LPN problem is a “problem for restoring the secret information x when G, z, and p are given”.

The problems related to the safety evaluation of the HB protocol are summarized in the following two processes.
(1) Sample collection for decoding by storing challenge and response exchanged while the protocol is running, and creating a matrix G and vector z defining the relevant LPN problem. That is, each challenge data is recorded as a column vector g _i of the matrix G, and response data corresponding to each is recorded as an element z _i of the vector z.
(2) Solving the LPN problem with the obtained data.

  In Non-Patent Document 6, a new algorithm for solving the LPN problem proposed and analyzed there and an analysis of the impact on the safety margin claimed when the HB protocol of the algorithm is proposed are reported. This algorithm is based on an improved version of the recently proposed fast correlation attack, which includes “decimation”, “linear combining”, “hypotheizing”, “minimum distance decoding ( The concept of “minimum distance decoding” is adopted. However, unlike general fast correlation attacks, the LPN problem has the property that preprocessing is not allowed at all due to its nature. This proposed algorithm is a more powerful attack method than the BKW algorithm proposed by Blum, Kalai, and Wasserman, which has been said to be the strongest attack so far. In fact, it is shown that the BKW algorithm is a special case of this proposed algorithm (however, parameters are not optimized in the BKW algorithm).

  The present invention has been made to solve such a conventional problem, and an object of the present invention is to provide an authentication system using a lightweight authentication protocol that can be used to authenticate RFID tag data, for example. Another object of the present invention is to provide a two-way communication path with information insertion, loss, and inversion based on challenge-response communication suitable for devices with limited power and computational resources, such as wireless tags (RFID). It is to provide an authentication system based on a new lightweight authentication protocol using the above model.

  In order to achieve the above object, an authentication system using a lightweight authentication protocol according to the present invention is basically used for designing a lightweight authentication protocol by challenge-response communication using a two-way symmetric channel model. Provide a way to solve the problem. In the authentication system of the present invention, a comprehensive theoretical framework of the design method is constructed particularly for a lightweight authentication protocol. By using this framework, authentication with a lightweight authentication protocol that can be realized with the same level of implementation complexity and higher security compared to the same type of protocols proposed so far. It is intended to provide a system.

  Specifically, the authentication system according to the present invention includes, as a first aspect, a secret key storage unit that stores secret key information, and an inner product that generates data for parity check by an inner product operation of challenge data and secret key information. Control of bit inversion, random number bit insertion control, inner product data evaluation control based on a pseudo random number bit string generated by a key stream based on secret key information, a random number bit generator that generates random number bits, and a data generation unit A control unit that performs each control process, and a process that functions as a communication channel for bit loss, bit insertion, and bit inversion by a binary communication channel based on random bits controlled by the control unit and outputs response data And an output processing unit.

  In addition, the authentication system according to the present invention generates, as a second form, a secret key storage unit that stores two secret key information, and data for parity check by an inner product operation of the challenge data and the two secret key information. Inner product data generation unit, random number bit generator for generating random number bits, bit inversion control, random number bit insertion control, inner product data evaluation control based on pseudo random number bit string generated by key stream based on secret key information A control unit that performs each of the control processes, and a process that is controlled by the control unit to perform a role of a bit missing, bit inserting, and bit inverting channel by a binary channel based on random number bits And an output processing unit for outputting.

  According to the authentication system of the present invention, a comprehensive framework is provided for an authentication protocol using a probabilistic challenge-response method using a two-way channel model, and the property of probabilistic behavior is two-dimensionally symmetric. An authentication system for authenticating a wireless tag is configured by an authentication protocol modeled using a communication path model including a communication path and a more general noise. This model is different from the methods that have been proposed so far, and the authentication system has a noise that causes the loss, insertion, and inversion of information in the binary channel model based on random bits based on the characteristics of the probabilistic behavior. Compared with the same type of protocols that have been proposed so far, it can be realized with the same level of implementation complexity and higher safety in terms of safety. It is an authentication system using a lightweight authentication protocol.

[Basic concept of lightweight authentication protocol]
The security issues of the HB protocol discussed above can be summarized as follows.
(1) The probabilistic order problem of the HB protocol corresponding to the noise of the binary symmetric channel; and (2) The security problem of the HB protocol corresponding to the difficulty of solving the LPN problem:

Therefore, the main concept in constructing the lightweight authentication protocol according to the present invention executed under the limited implementation conditions similar to the HB protocol is as follows.
(A) A more complex model is used in probabilistic challenge-response communication.
(B) The security of the new protocol is reduced to a more complicated problem than the LPN problem.
(C) A lightweight authentication protocol model system using a binary communication path with bit loss, insertion, and inversion.

The new framework for a new kind of authentication protocol is based on the theoretical framework of binary channels with bit loss, insertion and inversion. This new lightweight authentication protocol model has the following important features:
(1) Provide higher safety at the same mounting cost.
(2) A different method is used, which is different from the method using the framework of the two-way symmetric channel reported so far.
(3) Based on the use of a control unit that performs control logic processing that plays the following role.
(3a) The secret key and the first challenge data of the round control the output process.
(3b) Determine whether inner product data is calculated. The inner product data is calculated with a probability of q <1. This means that the complexity evaluation of the total dot product data is reduced.

The following two protocols are proposed as the lightweight authentication protocol provided by the present invention.
(4) Protocol 1: An authentication protocol that is secure against passive and certain types of active attacks.
(5) Protocol 2: An authentication protocol that is secure against passive and general active attacks. However, man-in-the-middle attacks are not considered. Compared to protocol 1, the implementation complexity is somewhat higher.

  The configuration of a model authentication system based on two authentication protocols, protocol 1 and protocol 2, is shown in FIGS. 3 and 4, respectively. 5 and 6 show the configuration of the control unit according to protocol 1 and protocol 2, respectively.

  FIG. 3 is a diagram illustrating a model of one round process of protocol 1 that provides security based on passive attacks in the authentication system according to the present invention. In FIG. 3, 30 is a secret key storage unit for storing secret key information, 31 is an inner product data generating unit for generating data for parity check by inner product operation of challenge data and secret key information, and 32 is for generating random bits. Random number bit generator 33, which is controlled by the control unit, executes a process that plays the role of a bit missing, bit inserting, and bit inverting communication path based on random number bits and outputs response data. And 34 are control units that perform control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on a pseudo random number bit string generated by a key stream based on secret key information.

  Here, one round process of the protocol 1 that provides security based on the passive attack in the authentication system is performed as follows. The secret key storage unit 30 stores secret key information for performing authentication using an authentication protocol. When challenge data is given to the inner product data generation unit 31, the inner product data generation unit 31 stores the challenge data and the secret key information. Data for parity check by inner product operation is generated. The random number bit generator 32 generates random number bits and supplies them to the output processing unit 33. The control unit 34 performs control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on the pseudo random number bit string generated by the key stream based on the secret key information. The output processing unit 33 is controlled by the control unit 34 and executes processing that serves as a communication channel for bit omission, bit insertion, and bit inversion through the binary communication channel based on the random number bits from the random number bit generator 32. Response data is output.

  The configuration of the control unit 34 according to the protocol 1 includes a Keith stream generator 91 and a control logic unit 92, as shown in FIG. When the challenge data for triggering the round process is input, the key stream generator 91 generates a pseudo random number bit string based on the secret key information and supplies the pseudo random number bit string to the control logic unit 92. The control logic unit 92 performs control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on the pseudo random number bit string.

  FIG. 4 is a diagram illustrating one round processing model of protocol 2 that provides security based on active attacks in the authentication system according to the present invention. The information on the secret key x and secret key y used in the system of FIG. 4 is a binary vector representing two pieces of secret key information. In FIG. 4, 40 is a secret key storage unit for storing two secret key information, 41 is an inner product data generating unit for generating data for parity check by inner product of two secret key information, and 42 is a random number bit. Random number bit generator 43, which is controlled by the control unit, outputs a response data by executing a process that plays a role of a bit missing, bit inserting, and bit inverting channel based on a random bit based on a random bit The processing unit is a control unit that performs control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on a pseudo random number bit string generated by a key stream based on 44 secret key information.

  Here, one round process of protocol 2 that provides security based on active attacks in the authentication system is performed as follows. The secret key storage unit 40 stores two pieces of secret key information. When challenge data is given to the inner product data generation unit 41, the inner product data generation unit 41 performs parity check by inner product calculation of the challenge data and the secret key information. Generate data for The random number bit generator 42 generates random number bits and supplies the generated random number bit string to the output processing unit 43 and the inner product data generation unit. The control unit 44 performs control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on the pseudo random number bit string generated by the key stream based on the secret key information. The output processing unit 43 is controlled by the control unit 44 to execute a process that plays the role of a bit loss, bit insertion, and bit inversion communication channel based on the random number bits and outputs response data.

  The configuration of the control unit 44 according to the protocol 2 includes a Keith stream generator 101 and a control logic unit 102 as shown in FIG. When the challenge data for triggering the round process is input, the key stream generator 101 generates a pseudo random number bit string based on the secret key information and supplies it to the control logic unit 102. The control logic unit 102 performs control processing of bit inversion control, random number bit insertion control, and inner product data evaluation control based on the pseudo random number bit string. Here, the blindfold factor b is supplied from the random number bit generator 22 to the key stream generator 101, and the generation of the pseudo random number bit string is further randomized.

[Description of authentication protocol and round processing]
The authentication process is performed based on a plurality of round challenge-response protocols. Each round is composed of one of the following two types of rounds.
(1) A valid round of protocol (related to authentication itself and security).
(2) Protocol dummy round (which extends security).

When N, L, η, and Δ are parameters that take appropriate values, the framework of the authentication protocol provided by the authentication system of the present invention is as follows.
(1) Each protocol performs authentication processing for N (= NE + ND) rounds of tags on the reader. Here, NE represents the number of effective rounds, and ND represents the number of dummy rounds.
(2) Each round is composed of one challenge / response communication. The challenge data including the element for disturbing is an L-dimensional binary vector, and the response data is 1-bit information.
(3) On the reader side, the result of each round is either “round acceptance” or “round rejection” based on the bit of the received response data and the value of the legitimate response data calculated by itself.
(4) For a given protocol parameter η, if the total number of round rejections is less than NE + Δ << N / 2, the protocol determines that a valid authentication has been performed. If it is determined that the authentication is valid, the RFID reader determines that it is communicating with a valid RFID tag.

  If the RFID reader is communicating with a legitimate RFID tag, the common secret key is shared between them, and the RFID reader knows which round is valid and which round is a dummy. It should be noted that it means.

  The valid and dummy rounds of protocol 1 according to the present invention are illustrated in FIGS. 7 and 8, respectively. FIG. 7 is a diagram for explaining message exchange during the effective round of the protocol 1, and FIG. 8 is a diagram for explaining message exchange during the dummy round of the protocol 1.

  Further, the effective round and the dummy round of the protocol 2 according to the present invention are illustrated in FIGS. 9 and 10, respectively. FIG. 9 is a diagram for explaining message exchange during the effective round of protocol 2, and FIG. 10 is a diagram for explaining message exchange during the dummy round of protocol 2.

[Comparison of concepts based on authentication protocol and HB protocol of the present invention]
The ideas based on the conventional technique and the newly provided technique in the authentication protocol according to the present invention are compared, and are summarized into the same part and different parts as follows.
(1) Same part (1a) For authentication, a plurality of parity checks are used through challenge / response communication.
(1b) Force the attacker to obtain a parity check only from a noisy channel.
(2) Different part (2a) The new approach forces the use of a channel with noise different from the conventional one.
(2b) When the safety grounds of the existing method and the proposed method are compared, the following can be said. This means that the conventional authentication protocol puts safety grounds on the difficulty of solving the LPN problem with a parity check seen through a binary symmetric channel with probability p (typically p <0.25). .
(2c) In the authentication protocol according to the present invention, the difficulty of the problem of comparing more complicated sequences in the parity check seen through the binary communication path with erasure, insertion and inversion of bits is based on security. Means.

[Notes on safety evaluation]
The security of the authentication protocol of the present invention can be regarded as decoding complexity in a binary communication path involving bit loss, insertion, and inversion. Only legitimate tags can generate correct valid bit strings and dummy round bit strings, which means that for legitimate readers, authentication processing for communications with legitimate tags is a decryption in a binary symmetric channel. It means that it becomes a simple problem.

  On the other hand, restoration of secret key information by an attacker corresponds to a decryption problem in a communication path with intense noise such as loss, insertion, and inversion of bits. The above problem can be referred to FIG. 11 explaining it. As shown in FIG. 11, parity check data used for authentication is randomly inserted into communication data in the authentication protocol.

  In addition, the discussion regarding the safety evaluation of the proposed authentication protocol is described in detail in Non-Patent Document 18, Non-Patent Document 19, and Non-Patent Document 20, which can be referred to.

Assuming the same input as for the BKW algorithm as the same example of the algorithm provided by the present invention, the gain obtained with the provided algorithm depends on the optimization of the added parameters and its more sophisticated structure. ing. The factors of the features can be summarized as follows.
(A) Selection (discard) of parity check at the time of sample collection. In that process, only appropriate parity check data is used. Thereby, the computational complexity can be reduced.
(B) Appropriate balancing of hypothesis testing and decoding complexity under given hypotheses.

  The algorithm proposed in Non-Patent Document 6 for solving the LPN problem can be reduced to the BKW algorithm. That is, the BKW algorithm represents a special case of this provided algorithm. Thus, the provided algorithm operates at least as well as the BKW algorithm, and in many situations is more efficient (as a result of the possibility of optimization based on a flexible structure that varies according to a given input). To work.

When collecting samples for decryption, the following issues should be noted.
(A) Each authentication session associated with the same secret key, and thus all the challenge-response pairs obtained, can be used to obtain that secret key.
(B) Collecting a set obtained from each authentication session, s authentication sessions of independent r mutual authentication challenge and response, given r column vectors of the matrix G and corresponding to r elements of the vector z Thus, a k × n matrix G and an n-dimensional vector z can be obtained. Here, n = s · r.

  Therefore, by collecting information from different authentication sessions using the same secret key, a large number of samples necessary for decryption can be obtained. They are data suitable for sophisticated processing for calculating a secret key.

[Safety evaluation of HB protocol based on BKW algorithm and algorithm proposed in Non-Patent Document 6]
According to Non-Patent Document 6, here, in order to give a re-evaluation of security against passive attacks of HB and HB + protocols, the security is re-evaluated using the algorithm that solves the LPN problem proposed in Non-Patent Document 6 To do. As a result, it has been found that the safety margin so far has been well estimated.

  This security assessment assumes that only passive attacks are performed. In accordance with the security evaluation method employed in Non-Patent Document 9, the degree of security is measured using the amount of calculation required to decrypt one bit of the secret key.

To explain a simple example, first, the safety of the HB protocol taking parameters of k = 32 and p = 0.25 is considered. Then, assume that a sample of size n = 2 ²⁴ can be collected. As suggested in Non-Patent Document 9, the safety margin of the protocol when the BKW algorithm is used when the parameters a = 2 and b = 16 are used is as follows.

Based on the proposed 3 and proposes 4 of Non-Patent Document 6, the expected value of the time complexity of BKW algorithm (calculation time) is ^{ka 3 (1-2p) -2a 2 b} = 32 · 2 3 · 2 4 · 2 16 is proportional to the safety margin (average complexity to decode one bit of the secret key) is 2 ^23.

For the algorithm provided by the present invention, if w = 2, b ₀ = 16, b _H = 5 are selected based on Table 1 of Non-Patent Document 6, the average complexity for decrypting one bit of the secret key is , the ² · 2 11/16 = ^{2 8.} As a result, this simple example allows the algorithm provided by the present invention to reduce the time complexity to approximately the third root of the BKW algorithm.

表１は、受動的攻撃に対するＨＢプロトコルの安全余裕度を示している。この場合に、使用される鍵はｋビットからなり、使用されるノイズは、ＢＫＷおよび非特許文献６のアルゴリズムに基づいてＰ＝０．２５に対応している。 In the safety evaluation of the HB protocol when k = 224, n = 2 ⁸⁰ , p = 0.25, the BKW algorithm taking a = 4, b = 56 is considered (see Non-Patent Document 9), Based on Table 3 of Non-Patent Document 6, consider a proposed algorithm that takes w = 6, b ₀ = 58, b _H = 56. At this time, the respective safety margins are 2 ⁸⁰ and 2 ⁶¹ . Also in this case, a significant advantage is obtained with the algorithm proposed by the present invention. These results for safety assessment are summarized in Table 1 below.

Table 1 shows the safety margin of the HB protocol against passive attacks. In this case, the key used consists of k bits, and the noise used corresponds to P = 0.25 based on the algorithm of BKW and Non-Patent Document 6.

With regard to the special case considered in Table 3 of Non-Patent Document 6, the algorithm provided by the present invention performs (log ₂ w + 1) ³ (1) for the BKW algorithm by performing appropriate optimization of all parameters. -2p) A gain exceeding ^-w times can be obtained. For example, for k = 32 and k = 224, the values 2 ⁵ and 2 ¹⁴ respectively. On the other hand, the corresponding gains are 2 ¹⁵ and 2 ¹⁹ .

  Since the safety of both HB and HB + protocols uses the difficulty of the LPN problem as the basis of safety, an algorithm that solves the problem proposed in Non-Patent Document 6 is used for their safety evaluation. It was. Given the same decryption scenario, this algorithm was shown to be able to decrypt the private key with less computational complexity than the BKW algorithm. Therefore, it has become clear that the safety margin reported in Appendix D of Non-Patent Document 9 is well estimated.

  In the authentication system based on the lightweight authentication protocol of the present invention, the vulnerability pointed out in Non-Patent Document 6 with a low complexity (calculation amount, storage amount, electric energy, etc.) equivalent to the protocol proposed in Non-Patent Document 9 An authentication protocol that does not have a password is configured.

  In the present invention, there is provided an authentication system using a lightweight authentication protocol constituted by a general method of designing a certain lightweight authentication protocol using a probabilistic challenge-response method on a binary sequence.

  In contrast to modeling stochastic behavior using a noisy channel model known as a two-way symmetric channel with previously proposed techniques, the lightweight authentication protocol of the present invention. In the authentication system according to, the nature of the probabilistic behavior is modeled using a channel model with noise that causes loss, insertion and inversion of information in a binary sequence. By using this new method, the authentication protocol can be given a different structure.

The most different points from the methods proposed so far are the following two.
(1) In the authentication protocol according to the present invention, a dedicated control unit is added. By the control processing of the control unit, modeling is performed using a communication channel model with noise that causes loss, insertion, and inversion of information in the binary sequence.
(2) There are two options for each round of the authentication protocol according to the present invention. This is a valid round and a dummy round generated in a pseudo-random manner.

The following two advantages can be obtained by performing pseudo-random selection between the effective round and the dummy round.
(1) The average complexity of response evaluation can be reduced.
(2) The security of the protocol can be improved. Assuming that an appropriate control unit is used, the proposed authentication protocol can show the following advantages over the HB protocol.
(2a) The complexity in mounting is comparable.
(2b) Higher security can be achieved in the sense of authentication.
(2c) A shorter secret key may be used.

  In particular, I would like to emphasize the following points. Although the security of the HB protocol relies on the difficulty of solving the LPN (Learning Parity with Noise) problem, a stronger attack algorithm than the previously proposed attacks has been proposed (Non-patent) Reference 6). It has been shown that the safety margin of the HB protocol is lower than what has been reported so far when this attack method is used. On the other hand, the authentication protocol provided by the present invention does not have the vulnerability of the HB protocol as reported recently in Non-Patent Document 6. This is because the security of the authentication protocol provided by the present invention does not rely on the difficulty of the LPN problem.

It is a figure explaining modeling of one round process of an HB protocol. It is a figure explaining modeling of one round process of HB + protocol. FIG. 3 is a diagram illustrating modeling of one round process of protocol 1 that provides security based on passive attacks in an authentication system according to the present invention. FIG. 6 is a diagram illustrating modeling of one round process of protocol 2 that provides security based on active attacks in an authentication system according to the present invention. It is a figure explaining the control part of the protocol 1. It is a figure explaining the control part of the protocol 2. It is a figure explaining the message exchange between the effective rounds of the protocol 1. It is a figure explaining the message exchange between the dummy rounds of the protocol 1. FIG. It is a figure explaining the message exchange between the effective rounds of the protocol 2. It is a figure explaining the message exchange between the protocol 2 dummy rounds. It is a figure explaining the sequence of a response.

Explanation of symbols

10 Secret key storage unit,
11 Inner product data generation unit,
12 Random number bit generator,
13 output processing unit,
20 Private key storage unit,
21 inner product data generation unit,
22 random bit generator,
23 output processing unit,
30 Secret key storage unit,
31 inner product data generation unit,
32 random bit generator,
33 output processing unit,
34 control unit,
40 private key storage,
41 inner product data generation unit,
42 random bit generator,
43 output processing unit,
44 control unit,
91 key stream generator,
92 control logic 101 key stream generator,
102 Control logic

Claims (2)

An authentication system for authenticating wireless tag data using an authentication protocol,
A secret key storage unit for storing secret key information;
An inner product data generation unit for generating data for parity check by inner product operation of challenge data and secret key information;
A random bit generator for generating random bits;
By inputting the challenge data, a pseudo random number bit string is generated by a key stream based on the secret key information, and control processing of bit inversion control, random number bit insertion control, inner product data evaluation control based on the pseudo random number bit string A control unit for performing
Based on the random bits generated and controlled by the control unit, the data for parity check is randomized by executing a process that mimics the role of a binary communication path with bit loss, bit insertion, and bit inversion. And an output processing unit for outputting response data inserted into the authentication system. An authentication system for authenticating wireless tag data using an authentication protocol,
A secret key storage unit for storing two pieces of secret key information;
An inner product data generation unit for generating data for parity check by inner product operation of challenge data and two secret key information;
A random bit generator for generating random bits;
By inputting the challenge data, a pseudo random number bit string is generated by a key stream based on the secret key information and a blindfold factor supplied from the random number bit generator , control of bit inversion based on the pseudo random number bit string , random bit A control unit that performs control processing of insertion control and inner product data evaluation control;
Based on the generated random number bits controlled by the control unit, processing for imitating the role of a communication path with bit loss, bit insertion, and bit inversion is executed, and data for the parity check is randomly inserted. And an output processing unit for outputting the response data.

Images