On the Security of the Algebraic Eraser Tag Authentication Protocol

The Algebraic Eraser has been gaining prominence as SecureRF, the company commercializing the algorithm, increases its marketing reach. The scheme is claimed to be well-suited to IoT applications but a lack of detail in available documentation has hampered peer-review. Recently more details of the system have emerged after a tag authentication protocol built using the Algebraic Eraser was proposed for standardization in ISO/IEC SC31 and SecureRF provided an open public description of the protocol. In this paper we describe a range of attacks on this protocol that include very efficient and practical tag impersonation as well as partial, and total, tag secret key recovery. Most of these results have been practically verified, they contrast with the 80-bit security that is claimed for the protocol, and they emphasize the importance of independent public review for any cryptographic proposal.Comment: 21 pages. Minor changes. Final version accepted for ACNS 201

Addressing the Algebraic Eraser Diffie--Hellman Over-the-Air Protocol

The Algebraic Eraser Diffie-Hellman (AEDH) protocol, first introduced in 2005 as a key agreement and authentication protocol, has been proposed as a standard in ISO JTC-1/SC-31 (29167-20) to protect various communication protocols like RFID, NFC, or Bluetooth for devices associated with ISO-18000 and the Internet of Things. A recent paper by M.J.B. Robshaw and Simon R Blackburn claims to recover sufficient data to impersonate a device or, with a bit more work, recover the private keys of a device if an attacker uses the draft 29167-20 protocol and gains direct access to the resulting shared secret computation. This paper shows that simply adding a Hash or a Message Authentication Code (MAC) to the proposed authentication protocol overcomes the purported attacks. These simple standard enhancements thwart all of these attacks; that is, attacks of this nature fail. As the 29167-20 draft is currently a work item under active development within the ISO process, all these attacks would normally have been addressed in the working group, and no AEDH protocol in the public domain currently transmits the computed shared secret. Therefore, contrary to the conclusion of Robshaw and Blackburn, a simple addition to the draft protocol, similar in nature to protections in other protocols like TLS, makes the AEDH protocol perfectly suitable for authentication of passive tags and other low-power, constrained devices

A Practical Cryptanalysis of the Algebraic Eraser

Anshel, Anshel, Goldfeld and Lemieaux introduced the Colored Burau Key Agreement Protocol (CBKAP) as the concrete instantiation of their Algebraic Eraser scheme. This scheme, based on techniques from permutation groups, matrix groups and braid groups, is designed for lightweight environments such as RFID tags and other IoT applications. It is proposed as an underlying technology for ISO/IEC 29167-20. SecureRF, the company owning the trademark Algebraic Eraser, has presented the scheme to the IRTF with a view towards standardisation. We present a novel cryptanalysis of this scheme. For parameter sizes corresponding to claimed 128-bit security, our implementation recovers the shared key using less than 8 CPU hours, and less than 64MB of memory.Comment: 15 pages. Updated references, with brief comments added. Minor typos corrected. Final version, accepted for CRYPTO 201

EEoP: A Lightweight Security Scheme over PKI in D2D Cellular Networks

Device-to-Device (D2D) communication is a promising technology that facilitates the deployment of devices to provide extended coverage where devices can act as user or relays. However, introducing such technology where the user can act as semi-intelligent relays, open a wide range of security threats, specifically, in terms of confidentiality and integrity. Another key issue of these devices is the limited computational and storage capabilities. Thus, to address the above challenges, this paper proposed a computationally lightweight crypto system based on Elliptic curve and ElGamal over public-key infrastructure (EEoP). It uses ECC for creation of keys while uses ElGamal for encryption and decryption over public-key infrastructure. Mathematical analysis shows that EEoP ensures the confidentiality and integrity of the communication. Performance analysis shows that proposed scheme outperformed the baseline protocols. The proposed crypto system can be used in relay-based communication

Hickory Hash(TM): Implementing an Instance of an Algebraic Eraser(TM) Hash Function on an MSP430 Microcontroller

Recently a novel family of braid based cryptographic hash function candidates was published, claiming to be suitable for use in low resource environments. It was shown that the new hash function family performed extremely well on a range of cryptographic test suites. In this paper we instantiate an instance of the hash family, called Hickory Hash, fix a set of parameters, implement it on a Texas Instruments MSP430 16-bit microcontroller, and compare its performance characteristics to SHA2. We show that the Hickory Hash can be a viable tool for low-power, constrained devices like those associated with the Internet of Things

WalnutDSA(TM): A Quantum-Resistant Digital Signature Algorithm

In 2005 I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux introduced E-Multiplication(TM), a quantum-resistant, group-theoretic, one-way function which can be used as a basis for many different cryptographic applications. This one-way function was specifically designed for constrained devices, running extremely quickly and requiring very little code. This paper introduces WalnutDSA, a new E-Multiplication-based public-key method which provides efficient verification, allowing low-power and constrained devices to quickly and inexpensively validate digital signatures (e.g., a certificate or authentication). It presents an in-depth discussion of the construction of the digital signature algorithm, analyzes the security of the scheme, provides a proof of security under EUF-CMA, and discusses the practical results from implementations on several constrained devices

Compact-LWE: Enabling Practically Lightweight Public Key Encryption for Leveled IoT Device Authentication

Leveled authentication allows resource-constrained IoT devices to be authenticated at different strength levels according to the particular types of communication. To achieve efficient leveled authentication, we propose a lightweight public key encryption scheme that can produce very short ciphertexts without sacrificing its security. The security of our scheme is based on the Learning With Secretly Scaled Errors in Dense Lattice (referred to as Compact-LWE) problem. We prove the hardness of Compact-LWE by reducing Learning With Errors (LWE) to Compact-LWE. However, unlike LWE, even if the closest vector problem (CVP) in lattices can be solved, Compact-LWE is still hard, due to the high density of lattices constructed from Compact-LWE samples and the relatively longer error vectors. By using a lattice-based attack tool, we verify that the attacks, which are successful on LWE instantly, cannot succeed on Compact-LWE, even for a small dimension parameter like $n=13$, hence allowing small dimensions for short ciphertexts. On the Contiki operating system for IoT, we have implemented our scheme, with which a leveled Needham-Schroeder-Lowe public key authentication protocol is implemented. On a small IoT device with 8MHZ MSP430 16-bit processor and 10KB RAM, our experiment shows that our scheme can complete 50 encryptions and 500 decryptions per second at a security level above 128 bits, with a public key of 2368 bits, generating 176-bit ciphertexts for 16-bit messages. With two small IoT devices communicating over IEEE 802.15.4 and 6LoWPAN, the total time of completing an authentication varies from 640ms (the 1st authentication level) to 8373ms (the 16th authentication level), in which the execution of our encryption scheme takes only a very small faction from 46ms to 445ms

Analysis of a Group of Automorphisms of a Free Group as a Platform for Conjugacy-Based Group Cryptography

Let F be a finitely generated free group and Aut(F) its group of automorphisms. In this monograph we discuss potential uses of Aut(F) in group-based cryptography. Our main focus is on using Aut(F) as a platform group for the Anshel-Anshel-Goldfeld protocol, Ko-Lee protocol, and other protocols based on different versions of the conjugacy search problem or decomposition problem, such as Shpilrain-Ushakov protocol. We attack the Anshel-Anshel-Goldfeld and Ko-Lee protocols by adapting the existing types of the length-based attack to the specifics of Aut(F). We also present our own version of the length-based attack that significantly increases the attack\u27 success rate. After discussing attacks, we discuss the ways to make keys from Aut(F) resistant to the different versions of length-based attacks including our own

Homomorphic encryption in algebraic settings

PhD ThesisCryptography methods have been around for a long time to protect sensitive data. With data sets becoming increasingly large we wish to not only store sensitive data in public clouds but in fact, analyse and compute there too. The idea behind homomorphic encryption is that encryption preserves the structure and allows us to perform the same operations on ciphertext as we would on the plaintext. A lot of the work so far restricts the operations that can be performed correctly on ciphertexts. The goal of this thesis is to explore methods for encryption which should greatly increase the amount of analysis and computation that can be performed on ciphertexts. First of all, we will consider the implications of quantum computers on cryptography. There has already been research conducted into quantum-resistant encryption methods. The particular method we will be interested in is still classical. We are assuming these schemes are going to be used in a post-quantum world anyway, we look at how we can use the quantum properties to improve the cryptosystem. More speci cally, we aim to remove a restriction that naturally comes with the scheme restricting how many operations we can perform on ciphertexts. Secondly, we propose a key exchange protocol that works in a polynomial ideal setting. We do this so that the key can be used for a homomorphic cryptography protocol. The advantage of using key exchange over a public key system is that a large proportion of the process needs to be carried out only once instead of needing a more complicated encryption function to use for each piece of data. Polynomial rings are an appropriate choice of structure for this particular type of scheme as they allow us to do everything we need. We will examine how we can perform computation correctly on ciphertexts and address some of the potential weaknesses of such a process. Finally after establishing a fully homomorphic encryption system we will take a more in-depth look at complexity. Measuring the complexity of mathematical problems is, of course, crucial in cryptography, but the choice of measure is something we need to consider seriously. In the nal chapter we will look at generic complexity as its gives us a good feel for how di cult the typical instances of a problem are to solve.Engineering and Physical Sciences Research Council, Centre for Doctoral Training in Cloud Computing for Big Dat

Programming Languages and Systems

This open access book constitutes the proceedings of the 28th European Symposium on Programming, ESOP 2019, which took place in Prague, Czech Republic, in April 2019, held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019