The best known attack on LPN (by Levieil and Fouque, SCN 2006) requires exponential number of samples and exponential number of operations to be performed. This makes this attack impractical because it is infeasible to collect exponentially-many observations of the protocol execution.
We present a passive attack on HB protocol which requires only linear (to the length of the secret key) number of samples. Number of performed operations is still exponential, but attack is efficient for some real-life values of the parameters, i.~e.~noise $\frac{1}{8}$ and key length $144$-bits.
Category / Keywords: cryptographic protocols / lightweight cryptography, RFID, HB, HB+, passive attack Date: received 29 May 2008 Contact author: filipz at im pwr wroc pl Available format(s): PDF | BibTeX Citation Version: 20080602:220707 (All versions of this report) Short URL: ia.cr/2008/241 Discussion forum: Show discussion | Start new discussion