A Practical Cryptanalysis of the Algebraic Eraser
Anshel, Anshel, Goldfeld and Lemieaux introduced the Colored Burau Key
Agreement Protocol (CBKAP) as the concrete instantiation of their Algebraic
Eraser scheme. This scheme, based on techniques from permutation groups, matrix
groups and braid groups, is designed for lightweight environments such as RFID
tags and other IoT applications. It is proposed as an underlying technology for
ISO/IEC 29167-20. SecureRF, the company owning the trademark Algebraic Eraser,
has presented the scheme to the IRTF with a view towards standardisation.
We present a novel cryptanalysis of this scheme. For parameter sizes
corresponding to claimed 128-bit security, our implementation recovers the
shared key using less than 8 CPU hours, and less than 64MB of memory.
Comment: 15 pages. Updated references, with brief comments added. Minor typos corrected. Final version, accepted for CRYPTO 201
Short expressions of permutations as products and cryptanalysis of the Algebraic Eraser
In March 2004, Anshel, Anshel, Goldfeld, and Lemieux introduced the
\emph{Algebraic Eraser} scheme for key agreement over an insecure channel,
using a novel hybrid of infinite and finite noncommutative groups. They also
introduced the \emph{Colored Burau Key Agreement Protocol (CBKAP)}, a concrete
realization of this scheme.
We present general, efficient heuristic algorithms, which extract the shared
key out of the public information provided by CBKAP. These algorithms are,
according to heuristic reasoning and according to massive experiments,
successful for all sizes of the security parameters, assuming that the keys are
chosen with standard distributions.
Our methods come from probabilistic group theory (permutation group actions
and expander graphs). In particular, we provide a simple algorithm for finding
short expressions of permutations in , as products of given random
permutations. Heuristically, our algorithm gives expressions of length
, in time and space . Moreover, this is provable from
\emph{the Minimal Cycle Conjecture}, a simply stated hypothesis concerning the
uniform distribution on . Experiments show that the constants in these
estimations are small. This is the first practical algorithm for this problem
for .
Remark: \emph{Algebraic Eraser} is a trademark of SecureRF. The variant of
CBKAP actually implemented by SecureRF uses proprietary distributions, and thus
our results do not imply its vulnerability. See also arXiv:1202.0598.
Comment: Final version, accepted to Advances in Applied Mathematics. Title slightly changed.
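As an added illustration (not code from the paper above, nor from SecureRF), the following Python makes the subroutine named in the abstract concrete: given k random permutations of S_n and a target permutation, find a short positive word in those generators that multiplies out to the target. It uses a generic bidirectional breadth-first search over the Cayley graph, which is only feasible for tiny n (the constructed instance uses n = 8, k = 3, and a hidden word of length 12); the paper's own method, based on expander graphs and the Minimal Cycle Conjecture, is what scales to cryptographic parameter sizes and is not reproduced here. All function names, the random instance and the seed are this example's own assumptions.

```python
"""Bidirectional breadth-first search for a short expression of a target
permutation as a positive word in given random permutations of S_n.

Added example: a generic search that makes the problem concrete for tiny n.
It is NOT the algorithm of the paper above, whose expander-graph / minimal-cycle
method is what scales to cryptographic n.
"""
import random
from collections import deque


def compose(p, q):
    """Product 'apply p, then q': (p * q)[i] = q[p[i]].
    Permutations are tuples that permute range(n)."""
    return tuple(q[i] for i in p)


def inverse(p):
    """Inverse permutation of p."""
    inv = [0] * len(p)
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)


def random_permutations(n, k, rng):
    """k uniformly random elements of S_n: the 'given random permutations'."""
    gens = []
    for _ in range(k):
        g = list(range(n))
        rng.shuffle(g)
        gens.append(tuple(g))
    return gens


def evaluate(word, gens):
    """Multiply out a word (list of generator indices) from left to right."""
    p = tuple(range(len(gens[0])))
    for idx in word:
        p = compose(p, gens[idx])
    return p


def short_expression(target, gens, max_len=16):
    """Return a shortest positive word w with evaluate(w, gens) == target,
    or None if no word of length <= max_len exists (or target is unreachable).

    fwd maps a permutation q to a word with evaluate(word) == q.
    bwd maps a permutation q to a suffix s with q * evaluate(s) == target.
    A permutation present in both dictionaries yields fwd[q] + bwd[q].
    Expanding layer by layer from both ends makes the first meeting a shortest word.
    """
    identity = tuple(range(len(gens[0])))
    if target == identity:
        return []
    inv_gens = [inverse(g) for g in gens]
    fwd, bwd = {identity: []}, {target: []}
    fwd_frontier, bwd_frontier = deque([identity]), deque([target])
    for _ in range(max_len):
        if len(fwd_frontier) <= len(bwd_frontier):
            # Grow the forward side: right-multiply each frontier element by each generator.
            nxt = deque()
            for p in fwd_frontier:
                for i, g in enumerate(gens):
                    q = compose(p, g)
                    if q in fwd:
                        continue
                    fwd[q] = fwd[p] + [i]
                    if q in bwd:
                        return fwd[q] + bwd[q]
                    nxt.append(q)
            fwd_frontier = nxt
        else:
            # Grow the backward side: peel one generator off the right end of the target.
            nxt = deque()
            for p in bwd_frontier:
                for i, g_inv in enumerate(inv_gens):
                    q = compose(p, g_inv)  # q * g_i == p, so q * g_i * bwd[p] == target
                    if q in bwd:
                        continue
                    bwd[q] = [i] + bwd[p]
                    if q in fwd:
                        return fwd[q] + bwd[q]
                    nxt.append(q)
            bwd_frontier = nxt
    return None


def demo(n=8, k=3, secret_len=12, seed=1):
    """Constructed instance (assumption, not from the paper): random generators,
    a hidden word, and the word recovered from the product alone.
    Returns (secret_word, recovered_word, target, gens)."""
    rng = random.Random(seed)
    gens = random_permutations(n, k, rng)
    secret = [rng.randrange(k) for _ in range(secret_len)]
    target = evaluate(secret, gens)
    recovered = short_expression(target, gens)
    assert recovered is not None and evaluate(recovered, gens) == target
    return secret, recovered, target, gens


if __name__ == "__main__":
    secret, recovered, target, gens = demo()
    print("hidden word    :", secret)
    print("recovered word :", recovered, "(length", len(recovered), ")")
```

The recovered word need not equal the hidden one; what matters for the attack setting in the abstract is only that it evaluates to the same permutation, and that it is short. The search space is the whole of S_n, so this brute-force approach stops being usable well before n reaches the sizes the paper handles.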
Defeating the Ben-Zvi, Blackburn, and Tsaban Attack on the Algebraic Eraser
The Algebraic Eraser Diffie-Hellman (AEDH) protocol was introduced in 2005
and published in 2006 by Anshel-Anshel-Goldfeld-Lemieux as a protocol suitable
for use on platforms with constrained computational resources, such as FPGAs,
ASICs, and wireless sensors. It is a group-theoretic cryptographic protocol
that allows two users to construct a shared secret via a Diffie-Hellman-type
scheme over an insecure channel.
Building on the refuted 2012 permutation-based attack of
Kalka-Teichner-Tsaban, in 2015 Ben-Zvi-Blackburn-Tsaban (BBT) presented a
heuristic attack that attempts to recover the AEDH shared secret. In their
paper BBT reference the AEDH protocol as presented to ISO for certification
(ISO 29167-20) by SecureRF. The ISO draft contains two profiles using the
Algebraic Eraser. One profile is unaffected by this attack; the second profile
is subject to their attack provided the attack runs in real time. This is not
the case in most practical deployments.
The BBT attack is simply a targeted attack that does not attempt to break the
method, system parameters, or recover any private keys. Rather, its limited
focus is to recover the shared secret in a single transaction. In addition, the
BBT attack is based on several conjectures that are assumed to hold when
parameters are chosen according to standard distributions, which can be
mitigated, if not avoided. This paper shows how to choose special distributions
so that these conjectures do not hold making the BBT attack ineffective for
braid groups with sufficiently many strands. Further, the BBT attack assumes
that certain data is available to an attacker, but there are realistic
deployment scenarios where this is not the case, making the attack fail
completely. In summary, the BBT attack is flawed (with respect to the SecureRF
ISO draft) and, at a minimum, over-reaches as to its applicability.
Defeating the Kalka--Teicher--Tsaban linear algebra attack on the Algebraic Eraser
The Algebraic Eraser (AE) is a public key protocol for sharing information
over an insecure channel using commutative and noncommutative groups; a
concrete realization is given by Colored Burau Key Agreement Protocol (CBKAP).
In this paper, we describe how to choose data in CBKAP to thwart an attack by
Kalka--Teicher--Tsaban.
On the Security of the Algebraic Eraser Tag Authentication Protocol
The Algebraic Eraser has been gaining prominence as SecureRF, the company
commercializing the algorithm, increases its marketing reach. The scheme is
claimed to be well-suited to IoT applications but a lack of detail in available
documentation has hampered peer-review. Recently more details of the system
have emerged after a tag authentication protocol built using the Algebraic
Eraser was proposed for standardization in ISO/IEC SC31 and SecureRF provided
an open public description of the protocol. In this paper we describe a range
of attacks on this protocol that include very efficient and practical tag
impersonation as well as partial, and total, tag secret key recovery. Most of
these results have been practically verified, they contrast with the 80-bit
security that is claimed for the protocol, and they emphasize the importance of
independent public review for any cryptographic proposal.
Comment: 21 pages. Minor changes. Final version accepted for ACNS 201
Group theory in cryptography
This paper is a guide for the pure mathematician who would like to know more
about cryptography based on group theory. The paper gives a brief overview of
the subject, and provides pointers to good textbooks, key research papers and
recent survey papers in the area.
Comment: 25 pages. References updated, and a few extra references added. Minor typographical changes. To appear in Proceedings of Groups St Andrews 2009 in Bath, U
On the cryptanalysis of the generalized simultaneous conjugacy search problem and the security of the Algebraic Eraser
The Algebraic Eraser (AE) is a cryptographic primitive that can be used to
obscure information in certain algebraic cryptosystems. The Colored Burau Key
Agreement Protocol (CBKAP), which is built on the AE, was introduced by I.
Anshel, M. Anshel, D. Goldfeld, and S. Lemieux in 2006 as a protocol suitable
for use on platforms with constrained computational resources, such as RFID and
wireless sensors. In 2009 A. Myasnikov and A. Ushakov proposed an attack on
CBKAP that attempts to defeat the generalized simultaneous conjugacy search
problem, which is the public-key computational problem underlying CBKAP. In
this paper we investigate the effectiveness of this attack. Our findings are
that success of the attack only comes from applying it to short keys, and that
with appropriate keys the attack fails in 100% of cases and does not pose a
threat against CBKAP. Moreover, the attack makes assumptions about CBKAP that
do not hold in practical implementations, and thus does not represent a threat
to the use of CBKAP in applications.
A Practical Cryptanalysis of WalnutDSA
We present a practical cryptanalysis of WalnutDSA, a digital signature algorithm trademarked by SecureRF. WalnutDSA uses techniques from permutation groups, matrix groups and braid groups, and is designed to provide post-quantum security in lightweight IoT device contexts. The attack given in this paper bypasses the E-Multiplication(TM) and cloaked conjugacy search problems at the heart of the algorithm and forges signatures for arbitrary messages in approximately two minutes. We also discuss potential countermeasures to the attack.
Analysis of a Group of Automorphisms of a Free Group as a Platform for Conjugacy-Based Group Cryptography
Let F be a finitely generated free group and Aut(F) its group of automorphisms.
In this monograph we discuss potential uses of Aut(F) in group-based cryptography.
Our main focus is on using Aut(F) as a platform group for the Anshel-Anshel-Goldfeld protocol, Ko-Lee protocol, and other protocols based on different versions of the conjugacy search problem or decomposition problem, such as Shpilrain-Ushakov protocol.
We attack the Anshel-Anshel-Goldfeld and Ko-Lee protocols by adapting the existing types of the length-based attack to the specifics of Aut(F). We also present our own version of the length-based attack that significantly increases the attack's success rate. After discussing attacks, we discuss the ways to make keys from Aut(F) resistant to the different versions of length-based attacks including our own.