of the Algebraic Eraser™

Simon R. Blackburn

Royal Holloway University of London

9th June 2016

Simon R. Blackburn (RHUL) The Algebraic Eraser 1 / 14 Diffie-Hellman exchange

Alice and Bob want to agree on a random key K. ∗ They decide upon a large prime p and some g ∈ Zp, then: a Alice chooses a random integer 1 ≤ a < p − 1 and sends c1 = g mod p to Bob. b Bob chooses a random integer 1 ≤ b < p − 1 and sends c2 = g mod p to Alice. a On receiving c2 Alice computes K = c2 mod p. b On receiving c1 Bob computes K = c1 mod p. both share the same key K = g ab mod p.

It works because( g a)b = (g b)a.

Minimum security: Given g, p, c1 and c2, hard to compute K.

Simon R. Blackburn (RHUL) The Algebraic Eraser 2 / 14 Ko Lee Cheon Han Kang Park

Motivation: Diffie–Hellman using non-abelian groups. Let G be a (non-abelian) group. For a, g ∈ G define

g a = a−1ga.

Problem:( g a)b 6= (g b)a, in general. Solution: Choose a ∈ A ≤ G and b ∈ B ≤ G where [A, B] = {1}. The analogue of the DLP is the conjugacy search problem: given g and g a, find a. How do you choose a group G and subgroups A and B? Ko et al. suggest using a . High degree polynomial time attack based on linearisation.

Simon R. Blackburn (RHUL) The Algebraic Eraser 3 / 14 The problem with matrix groups

Let A, B be commuting subgroups of GLn(Fq). Let G ∈ GLn(Fq). Eve is given

−1 C1 = M GM for unknown M ∈ A and −1 C2 = N GN for unknown N ∈ B.

She finds invertible M˜ such that

MC˜ 1 = GM˜ and M˜ commutes with B.

Then M M N M˜ N N M˜ M˜ K = (C2) = (G ) = (G ) = (G ) = C2 .

Simon R. Blackburn (RHUL) The Algebraic Eraser 4 / 14 Anshel, Anshel, Goldfeld, Lemieux: The Algebraic Eraser

Set n = 16 and q = 256.

Based on the coloured Burau group GL(n, Fq(t1,..., tn)) o Sym(n). Elements are pairs:

(M, σ) where M ∈ GL(n, Fq(t1,..., tn)) and σ ∈ Sym(n).

To multiply: (M, σ)(M0, σ0) = (M(M0)σ, σσ0).

Simon R. Blackburn (RHUL) The Algebraic Eraser 5 / 14 The Algebraic Eraser Let Ω = GL(q) × Sym(n). Define a map ϕ from (a subgroup of) GL(n, Fq(t1,..., tn)) to Ω: replace each ti by some non-zero element τi ∈ Fq. For (S, π) ∈ Ω and (M, σ) ∈ GL(n, Fq(t1,..., tn)) o Sym(n), define E-multiplication by (S, π) ∗ (M, σ) = (S ϕ(Mπ), πσ) ∈ Ω.

Choose commuting subgroups A and B of coloured Burau group in some way. Choose commuting subgroups C and D of GL(n, q) in some way. Alice picks c ∈ C, a ∈ A and sends c(I , e) ∗ a to Bob. Bob picks d ∈ D, b ∈ B and sends d(I , e) ∗ b to Alice. Common key is dc(I , e) ∗ a ∗ b = cd(I , e) ∗ b ∗ a.

Simon R. Blackburn (RHUL) The Algebraic Eraser 6 / 14 Early cryptanalysis of the Algebraic Eraser

The Algebraic Eraser was made public in 2002. January 2008: Myasnikov and Ushakov posted a length-based attack: the parameters were too small. May 2011: Gunnells confirms these results, and recommends increasing parameters. January 2008 (independently): Kalka, Tsaban and Teicher break the scheme for generic parameters: a (heuristic) linearisation attack to find the secret matrix c, then a (heuristic) permutation group algorithm to find common keys. February 2012: Goldfeld and Gunnells show how a careful choice of parameters can avoid this attack. 2015: Presentation to IRTF CFRG. Proposed for RFID standard: ISO/IEC 29167-20 over-the-air protocol.

Simon R. Blackburn (RHUL) The Algebraic Eraser 7 / 14 Cryptanalysis of the Algebraic Eraser 2015

July 2015: Sample keys provided to SRB by SecureRF, after request. 5 October 2015: SecureRF publish details of the proposed AE standard for ISO. 12 October 2015: Ben-Zvi, SRB, Tsaban derive the shared key in under 8 hours (128-bit parameters). SecureRF are informed. November 2015: The attack is posted. Accepted for CRYPTO 2016.

I Derives the common key without finding c. I Linearisation is used to make membership testing for C easier. I Linearisation used to weaken the information the adversary needs to derive. I Gets rid of the permutation group using heuristic permutation group algorithms. I Reduces to matrices. I Heuristic attack; works well in practice. I Goldfeld–Gunnells countermeasure bypassed entirely.

Simon R. Blackburn (RHUL) The Algebraic Eraser 8 / 14 Cryptanalysis of the Algebraic Eraser 2016

January 2016: Anshel, Atkins, Goldfeld, Gunnells post a response to the attack. They sketch how they hope to resist the BBT attack. They comment on the security model. They say the BBT attack is not real time. Many people not convinced by their response: see Crypto Stack Exchange.

Simon R. Blackburn (RHUL) The Algebraic Eraser 9 / 14 The ISO Standard

Protocol to authenticate an RFID tag to a terminal. AE Diffie–Hellman. Exchange public keys to get a shared key. Terminal requests a portion of the shared key to authenticate. ‘80-bit security’, with n = 12, q = 256. Fully specified parameters.

Simon R. Blackburn (RHUL) The Algebraic Eraser 10 / 14 Real time attack on the ISO protocol

February 2016: SRB, Robshaw post real-time attacks on the ISO protocol. (Now to appear at ACNS 2016.) Tag impersonation of a target tag with probability 2−7 after 273 queries. Tag impersonation of a target tag with 100% success rate after 215 queries. Full recovery of half the tag’s private key after 33 queries. Subsequent tag impersonation with 100% success rate using Kalka–Teicher–Tsaban techniques. Complete (equivalent) tag private key recovery using 249 operations and storage.

Simon R. Blackburn (RHUL) The Algebraic Eraser 11 / 14 Real time attack on the ISO protocol 2

More information: The attack is not heuristic. Exploits the linear nature of E-multiplication. Novel use of a permutation group algorithm to part-recover the private key. Uses non-heuristic parts of the Kalka–Teicher–Tsaban attack. February 2016: Atkins and Gunnells post a response. Change the protocol by adding a hash to the Tag’s response. Disguises the linear nature of the AE DH protocol. Claims this thwarts all attacks. Does not address the combination of these attacks with the Ben-Zvi–SRB-Tsaban attack.

Simon R. Blackburn (RHUL) The Algebraic Eraser 12 / 14 The future of the Algebraic Eraser?

“Why Algebraic Eraser may be the riskiest you’ve never heard of”, Dan Goodin, Ars Technica. There is a thread on Stack Exchange. Twitter reaction overwhelmingly negative on AE security. I would currently not recommend using the Algebraic Eraser primitive in any applications. The only hope: ”seems to be to make the problem of expressing a permutation as a short product of given permutations difficult, by working with very carefully chosen distributions.” The problem: n has to be increased to an impractical level. Anshel et al propose to use singular matrices to compensate for this.

Simon R. Blackburn (RHUL) The Algebraic Eraser 13 / 14 Some Links This talk will appear soon on my home page:

http://www.ma.rhul.ac.uk/sblackburn

A. Ben-Zvi, S.R. Blackburn and B. Tsaban, ‘A practical cryptanalysis of the Algebraic Eraser’, CRYPTO 2016:

https://eprint.iacr.org/2015/1102.pdf

S.R. Blackburn and M.J.B. Robshaw, ‘On the security of the Algebraic Eraser tag ’, ACNS 2016:

https://eprint.iacr.org/2016/091.pdf

See http://tinyurl.com/oqu2q2b for an Ars Technica article on this research.

Simon R. Blackburn (RHUL) The Algebraic Eraser 14 / 14