On the Security of the Algebraic Eraser™ Tag

Simon R. Blackburn¹, M.J.B. Robshaw²

¹ Royal Holloway University of London, Egham, Surrey, UK

² Impinj, Seattle, WA, USA

20th June 2016

Simon R. Blackburn (RHUL) Security of Algebraic Eraser Authentication 1 / 8

Overview

- Anshel, Anshel, Goldfeld, Lemieux announce the Algebraic Eraser (AE) in 2002.
- SecureRF (trademark owners) marketing it for IoT.
- Nov 2015: AE-based RFID tag authentication proposal under ISO/IEC SC31: posted on SecureRF website.
- Attacks on underlying AE primitive:
  - Jan 2008: Myasnikov and Ushakov break proposed parameters.
  - May 2011: Gunnells recommends increasing parameter sizes.
  - Jan 2008: Kalka, Tsaban and Teicher break for generic parameters.
  - Feb 2012: Goldfeld and Gunnells avoid attack by careful choice of system parameters.
  - Nov 2015: Ben-Zvi, SRB, Tsaban break 128-bit parameters in 8 hours.
  - Jan 2016: Anshel, Atkins, Goldfeld and Gunnells claim this is not real time for proposed ISO standard.
- This work: very practical attacks on the proposed ISO standard.

AE Diffie Hellman

Set N = 10, q = 256.

Ω = {(M, σ) : M ∈ GL_N(q) and σ ∈ Sym(N)}.

Two parties: Tag and Interrogator.

1. Tag generates private info.
2. Tag computes public (M_T, σ_T) ∈ Ω and sends to Interrogator.
3. Interrogator generates private info.
4. Interrogator computes public key (M_I, σ_I) ∈ Ω and sends to Tag.
5. Parties compute shared value (M, σ) ∈ Ω from private info and public keys.
6. M is the shared key.

Proposed ISO Protocol

Aim: Authenticate Tag to Interrogator.

Tag ← Interrogator: Public key?
Tag → Interrogator: (M_T, σ_T)
Interrogator: Generate secret, challenge
Tag ← Interrogator: (M_I, σ_I)
Tag: Find (M, σ)
Tag → Interrogator: Portion of M
Interrogator: Is this correct?

- 80-bit security
- Reasonable model: Adversary interacts with Tag; then interacts with Interrogator. Wins if Interrogator accepts.

A simple attack

Observation 1

When (M_T, σ_T) and σ_I are fixed, the shared key M is a linear function of M_I.

- Eve challenges Tag with σ_I fixed, M_I varying, to recover this linear function.
- Eve can then spoof the Tag whenever the Interrogator uses this σ_I.

Observation 2

σ_I only takes 5! = 120 values!

So...

- After 273 interactions Eve can spoof with probability 120^-1 ≈ 2^-7.
- After 2^7 × 273 ≈ 2^15 interactions, Eve can always spoof.

A more sophisticated attack

- The private key of the Tag has two parts: a secret matrix c ∈ GL_N(q) and a secret group element in the coloured Burau group.
- The matrix c can be recovered after 33 interactions with the Tag using a differential attack.
- Techniques due to Kalka, Tsaban and Teicher (KTT) can then be used to compute M from any challenge (M_I, σ_I).
- KTT is heuristic in general. As parameters are small, we can replace heuristics by deterministic and efficient algorithms (see paper).

So... After 33 interactions Eve can always spoof (in real time).

A key recovery attack

- There are about 2^80 possibilities for each part of the key.
- Eve can recover one part after 33 interactions with the Tag.
- There is a meet in the middle attack that recovers the remaining part (of an equivalent key).
  - No more interactions.
  - About 2^50 storage and operations.
- But why bother when you can spoof anyway?

Does the AE have a future?

- Atkins and Gunnells (Feb 2016) post a response:
  - Change the protocol by adding a hash to the Tag’s response.
  - Disguises the linear nature of the AE DH protocol.
  - Claims this thwarts all attacks.
  - Does not address the combination of these attacks with the Ben-Zvi–SRB-Tsaban attack.
- A revised proposal has just emerged (5 May).
- Comments on AE:
  - “Why Algebraic Eraser may be the riskiest you’ve never heard of”, Dan Goodin, Ars Technica.
  - There is a thread on Stack Exchange.
  - Twitter reaction overwhelmingly negative on AE security.
- I would currently not recommend using the Algebraic Eraser primitive in any applications.
- I would recommend independent security assessment of any future AE-based proposals before implementation.
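A toy illustration of Observation 1 and of the hashed-response change mentioned above, added here and not taken from the slides or the paper: when a reply is a linear function of the challenge, a handful of replies determines every future reply, and a hash on the reply hides that particular linearity. The field GF(251), the dimension 6 and the names `make_tag`, `learn`, `predict` and `predict_rate` are assumptions of this sketch, which models only the linearity and does not implement the Algebraic Eraser.

```python
import hashlib
import random

P = 251   # toy prime field (assumption; the slides use q = 256)
DIM = 6   # toy challenge dimension (assumption, far smaller than the real scheme)

def make_tag(seed, hashed=False):
    """Constructed stand-in for a Tag with sigma_I held fixed: the reply is a
    secret linear map of the challenge, optionally passed through a hash."""
    rng = random.Random(seed)
    secret = [[rng.randrange(P) for _ in range(DIM)] for _ in range(DIM)]

    def respond(challenge):
        out = [sum(s * c for s, c in zip(row, challenge)) % P for row in secret]
        if hashed:
            return list(hashlib.sha256(bytes(out)).digest()[:DIM])
        return out
    return respond

def learn(respond):
    """DIM replies to unit-vector challenges give the columns of a linear map."""
    return [respond([int(i == j) for i in range(DIM)]) for j in range(DIM)]

def predict(cols, challenge):
    """Evaluate the learned map on a challenge that was never sent to the Tag."""
    return [sum(cols[j][i] * challenge[j] for j in range(DIM)) % P
            for i in range(DIM)]

def predict_rate(respond, trials=200, seed=1):
    """Fraction of fresh random challenges whose reply the learned map matches."""
    rng = random.Random(seed)
    cols = learn(respond)
    hits = 0
    for _ in range(trials):
        ch = [rng.randrange(P) for _ in range(DIM)]
        hits += predict(cols, ch) == respond(ch)
    return hits / trials

if __name__ == "__main__":
    print("plain reply :", predict_rate(make_tag(seed=7)))
    print("hashed reply:", predict_rate(make_tag(seed=7, hashed=True)))
```

The hashed case shows only that this one linear relation is no longer visible in the reply; it says nothing about the other attacks listed on the slides.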
