On the cryptanalysis of the generalized simultaneous conjugacy search problem and the security of the Algebraic Eraser
The Algebraic Eraser (AE) is a cryptographic primitive that can be used to
obscure information in certain algebraic cryptosystems. The Colored Burau Key
Agreement Protocol (CBKAP), which is built on the AE, was introduced by I.
Anshel, M. Anshel, D. Goldfeld, and S. Lemieux in 2006 as a protocol suitable
for use on platforms with constrained computational resources, such as RFID and
wireless sensors. In 2009 A. Myasnikov and A. Ushakov proposed an attack on
CBKAP that attempts to defeat the generalized simultaneous conjugacy search
problem, which is the public-key computational problem underlying CBKAP. In
this paper we investigate the effectiveness of this attack. Our findings are
that success of the attack only comes from applying it to short keys, and that
with appropriate keys the attack fails in 100% of cases and does not pose a
threat against CBKAP. Moreover, the attack makes assumptions about CBKAP that
do not hold in practical implementations, and thus does not represent a threat
to the use of CBKAP in applications.
A Practical Cryptanalysis of the Algebraic Eraser
Anshel, Anshel, Goldfeld and Lemieux introduced the Colored Burau Key
Agreement Protocol (CBKAP) as the concrete instantiation of their Algebraic
Eraser scheme. This scheme, based on techniques from permutation groups, matrix
groups and braid groups, is designed for lightweight environments such as RFID
tags and other IoT applications. It is proposed as an underlying technology for
ISO/IEC 29167-20. SecureRF, the company owning the trademark Algebraic Eraser,
has presented the scheme to the IRTF with a view towards standardisation.
We present a novel cryptanalysis of this scheme. For parameter sizes
corresponding to claimed 128-bit security, our implementation recovers the
shared key using less than 8 CPU hours, and less than 64MB of memory.
Comment: 15 pages. Updated references, with brief comments added. Minor typos
corrected. Final version, accepted for CRYPTO 201
On the Security of the Algebraic Eraser Tag Authentication Protocol
The Algebraic Eraser has been gaining prominence as SecureRF, the company
commercializing the algorithm, increases its marketing reach. The scheme is
claimed to be well-suited to IoT applications but a lack of detail in available
documentation has hampered peer-review. Recently more details of the system
have emerged after a tag authentication protocol built using the Algebraic
Eraser was proposed for standardization in ISO/IEC SC31 and SecureRF provided
an open public description of the protocol. In this paper we describe a range
of attacks on this protocol that include very efficient and practical tag
impersonation as well as partial, and total, tag secret key recovery. Most of
these results have been practically verified; they contrast with the 80-bit
security that is claimed for the protocol, and they emphasize the importance of
independent public review for any cryptographic proposal.
Comment: 21 pages. Minor changes. Final version accepted for ACNS 201
Short expressions of permutations as products and cryptanalysis of the Algebraic Eraser
In March 2004, Anshel, Anshel, Goldfeld, and Lemieux introduced the
\emph{Algebraic Eraser} scheme for key agreement over an insecure channel,
using a novel hybrid of infinite and finite noncommutative groups. They also
introduced the \emph{Colored Burau Key Agreement Protocol (CBKAP)}, a concrete
realization of this scheme.
We present general, efficient heuristic algorithms, which extract the shared
key out of the public information provided by CBKAP. These algorithms are,
according to heuristic reasoning and according to massive experiments,
successful for all sizes of the security parameters, assuming that the keys are
chosen with standard distributions.
Our methods come from probabilistic group theory (permutation group actions
and expander graphs). In particular, we provide a simple algorithm for finding
short expressions of permutations in , as products of given random
permutations. Heuristically, our algorithm gives expressions of length
, in time and space . Moreover, this is provable from
\emph{the Minimal Cycle Conjecture}, a simply stated hypothesis concerning the
uniform distribution on . Experiments show that the constants in these
estimations are small. This is the first practical algorithm for this problem
for .
Remark: \emph{Algebraic Eraser} is a trademark of SecureRF. The variant of
CBKAP actually implemented by SecureRF uses proprietary distributions, and thus
our results do not imply its vulnerability. See also arXiv:1202.0598.
Comment: Final version, accepted to Advances in Applied Mathematics. Title
slightly changed.
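The abstract above refers to expressing a permutation in S_n as a short product of given random permutations. The following is an added illustration of that computational problem, not code from the paper or from SecureRF: it builds a handful of random generators, hides a target as a product of them, and recovers a shortest word for the target by a plain bidirectional breadth-first search over the generated group. This brute-force search is exponential in the word length and is only feasible for the tiny, constructed parameters used here (n = 7, two generators, a six-letter word); the paper's contribution is a heuristic algorithm that works for the large n relevant to CBKAP, which this example does not reproduce.

```python
"""Added example: what 'a short expression of a permutation as a product of given
random permutations' means, solved by exhaustive meet-in-the-middle search.

Conventions: a permutation of {0..n-1} is a tuple p with p[i] the image of i.
compose(p, q) is p after q.  A word is a tuple of generator indices whose value is
gens[w0] o gens[w1] o ... (rightmost generator applied first).
The parameters, seed and generators below are constructed for the demo."""
import random


def compose(p, q):
    """Return r with r[i] = p[q[i]] (apply q first, then p)."""
    return tuple(p[i] for i in q)


def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def random_generators(n, k, rng):
    """k uniformly random permutations of {0..n-1}."""
    return [tuple(rng.sample(range(n), n)) for _ in range(k)]


def evaluate_word(word, gens):
    """Value of a word: left-to-right product of the indexed generators."""
    result = tuple(range(len(gens[0])))
    for idx in word:
        result = compose(result, gens[idx])
    return result


def shortest_word(target, gens, max_len=12):
    """Shortest word over gens whose value is target (None if not found within max_len).

    Bidirectional BFS on the Cayley graph: fwd maps a permutation x to a word a with
    value(a) = x; bwd maps x to a word b with x = target o value(b)^-1.  A permutation
    present in both dictionaries gives value(a + b) = target.
    """
    identity = tuple(range(len(gens[0])))
    if target == identity:
        return ()
    inv_gens = [inverse(g) for g in gens]
    fwd, bwd = {identity: ()}, {target: ()}
    fwd_frontier, bwd_frontier = [identity], [target]
    for _ in range(max_len):
        if not fwd_frontier and not bwd_frontier:
            return None  # whole generated group enumerated, target not reachable
        expand_fwd = bwd_frontier == [] or (fwd_frontier and len(fwd_frontier) <= len(bwd_frontier))
        if expand_fwd:
            new = []
            for perm in fwd_frontier:
                for i, g in enumerate(gens):
                    q = compose(perm, g)          # extend word on the right
                    if q in fwd:
                        continue
                    fwd[q] = fwd[perm] + (i,)
                    if q in bwd:
                        return fwd[q] + bwd[q]
                    new.append(q)
            fwd_frontier = new
        else:
            new = []
            for perm in bwd_frontier:
                for i, ginv in enumerate(inv_gens):
                    q = compose(perm, ginv)       # peel a generator off the left of b
                    if q in bwd:
                        continue
                    bwd[q] = (i,) + bwd[perm]
                    if q in fwd:
                        return fwd[q] + bwd[q]
                    new.append(q)
            bwd_frontier = new
    return None


# Constructed demo instance (tiny on purpose; the paper targets n in the hundreds).
DEMO_N = 7
DEMO_RNG = random.Random(20240101)
DEMO_GENS = random_generators(DEMO_N, 2, DEMO_RNG)
DEMO_SECRET_WORD = tuple(DEMO_RNG.randrange(len(DEMO_GENS)) for _ in range(6))
DEMO_TARGET = evaluate_word(DEMO_SECRET_WORD, DEMO_GENS)


def demo():
    """Recover a shortest word for DEMO_TARGET and verify it; returns (target, word, ok)."""
    word = shortest_word(DEMO_TARGET, DEMO_GENS, max_len=8)
    ok = word is not None and evaluate_word(word, DEMO_GENS) == DEMO_TARGET
    return DEMO_TARGET, word, ok


if __name__ == "__main__":
    target, word, ok = demo()
    print("target:", target)
    print("hidden word:", DEMO_SECRET_WORD, "recovered word:", word, "verified:", ok)
```

The recovered word is never longer than the hidden one, because bidirectional BFS returns a shortest path; the dictionaries grow like the ball of that radius in the Cayley graph, which is exactly what makes this approach hopeless for the parameter sizes the abstract is concerned with.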
Kayawood, a Key Agreement Protocol
Public-key solutions based on number theory, including RSA, ECC, and Diffie-Hellman, are subject to various quantum attacks, which makes such solutions less attractive long term. Certain group theoretic constructs, however, show promise in providing quantum-resistant cryptographic primitives because of the infinite, non-cyclic, non-abelian nature of the underlying mathematics. This paper introduces the Kayawood Key Agreement protocol (Kayawood, or Kayawood KAP), a new group-theoretic key agreement protocol that leverages the known NP-Hard shortest word problem (among others) to provide an Elgamal-style, Diffie-Hellman-like method. This paper also (i) discusses the implementation of and behavioral aspects of Kayawood, (ii) introduces new methods to obfuscate braids using Stochastic Rewriting, and (iii) analyzes and demonstrates Kayawood's security and resistance to known quantum attacks.
WalnutDSA(TM): A Quantum-Resistant Digital Signature Algorithm
In 2005 I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux introduced E-Multiplication(TM), a quantum-resistant, group-theoretic, one-way function which can be used as a basis for many different cryptographic applications. This one-way function was specifically designed for constrained devices, running extremely quickly and requiring very little code.
This paper introduces WalnutDSA, a new E-Multiplication-based public-key method which provides efficient verification, allowing low-power and constrained devices to quickly and inexpensively validate digital signatures (e.g., a certificate or authentication). It presents an in-depth discussion of the construction of the digital signature algorithm, analyzes the security of the scheme, provides a proof of security under EUF-CMA, and discusses the practical results from implementations on several constrained devices.