HB+ is a secure authentication protocol that is extremeley simple to
implement in hardware. Its low implementation cost could make HB+ useful
in preventing "skimming", counterfeiting, or cloning of cheap pervasive
devices like RFID tags. HB+ was developed with Ari Juels of
RSA Security and was presented at Crypto'05. HB+ builds
on a protocol for human-to-computer authentication originally developed
by Nick Hopper and
Manuel Blum (HB).
Here are presentation slides from
Crypto'05 and another page about
Security Vulnerabilities of Trusted-HB"
Dmitry Frumkin and Adi Shamir
Synopsis: Frumkin and Shamir show attacks against
Increasing the Security and Efficiency of HB+"
Henri Gilbert, Matthew J.B.
Robshaw and Yannick
Synopsis: Gilbert, Robshaw, and Seurin offer a variant of HB+
named HB# that is resistant to man-in-the-middle attacks.
- "PUF-HB: A
Tamper-Resilient HB Based Authentication Protocol"
Ghaith Hammouri and Berk
Synopsis: Hammouri and Sunar make use of physically unclonable
functions (PUFs) to make a tamper-resilient HB variant.
- "Trusted-HB: a
low-cost version of HB+ secure against Man-in-The-Middle
Julien Bringer and Herve
Synopsis: Bringer and Chabanne offer a new HB+ variant that
makes use of Krawczyk's hash-based authentication schemes using
Topelitz-based LFSR constructions, and is resistant to
- "Analyzing the
HB and HB+ Protocols in the ``Large Error'' Case"
Jonathan Katz and Adam Smtih
Synopsis: Katz and Smith show how to extend proofs of HB+
security to the general case where the noise parameter $\epsilon <
1/2$. Previous results had shown HB+ to be secure only when $\epsilon
- "An attack of HB+ in the detection-based model"
Eric Levieil and Pierre-Alain
Cryptography for Networks - September 2006
Synopsis: This paper offers an LPN algorithm with better
constant factors than the Blum, Kalai, Wasserman
algorithm. The steps to brute-force attack an HB+ instance are
decreased and the lengths of secure HB+ keys will increase
proportionally. See Section 2.8 of
my PhD thesis for a discussion of HB+ key lengths.
- "HB++: a Lightweight Authentication Protocol Secure against
Julien Bringer and Herve
Chabanne and Emmanuelle Dottax,
Security, Privacy and Trust in Pervasive and Ubiquitous Computing -
SecPerU, June 2006
Synopsis: This paper presents a new HB+ variant that is claimed
to be secure against man-in-the-middle attacks, such as those described
by Gilbert, Robshaw, and Sibert. HB++ relies on additional secret key
material and universal hash functions to detect man-in-the-middle
- "Parallel and
Concurrent Security of the HB and HB+ Protocols"
Jonathan Katz and Ji Sun Shin
Cryptology -- EUROCRYPT, 2006
Synopsis: This paper answers an open question from the original
HB+ paper by showing that HB+ is indeed secure under concurrent and
parallel composition. This greatly reduces the round complexity of HB+
to a constant three rounds for any security parameter.
- "An Active
Attack Against HB+ - A Provably Secure Lightweight Authentication
Henri Gilbert and Matt
Robshaw and Herve Sibert, 2005
IEE Electronic Letters 41, 21, pgs 1169--1170, 2005
Synopsis: This paper presents a man-in-the-middle attack against
HB+. This attack requires many failed authentications to extract HB+
keys. It would not be feasible in a detection model where many
failed authentications would raise an alarm.
- "Authenticating Pervasive
Devices with Human Protocols"
Juels and Stephen A. Weis
Cryptology -- CRYPTO 2005, Presentation Slides
LNCS, volume 3621, pages 293-308, 2005
Synopsis: This is the original HB+ paper.
- "Secure Human
Nicholas J. Hopper
and Manuel Blum,
Cryptology - ASIACRYPT 2001, LNCS, volume 2248, pages 52-66,
Synopsis: This is the original paper that presents the HB
protocol, which HB+ is based on. HB is not secure against passive
adversaries, although two variants presented in this paper and based on
other assumptions are secure against active adversaries.