Good variants of HB+ are hard to find

The strikingly simple HB+ protocol of Juels and Weis [11] has been proposed for the authentication of low-cost RFID tags. As well as being computationally efficient, the protocol is accompanied by ail elegant proof of security. After its publication, Gilbert et al. [8] demonstrated a simple man-in-the-middle attack that allowed ail attacker to recover the secret authentication keys. (The attack does not contradict the proof of security since the attacker lies outside the adversarial model.) Since then a range of schemes closely related to H+ have been proposed and these are intended to build on the security of HB+ while offering resistance to the attack of [8]. In this paper we show that many of these variants can still be attacked using the techniques of [8] and the original HB+ protocol remains the most attractive member of the HB+ family.