The Algebraic Eraser has been gaining prominence as SecureRF, the company
commercializing the algorithm, increases its marketing reach. The scheme is
claimed to be well-suited to IoT applications but a lack of detail in available
documentation has hampered peer-review. Recently more details of the system
have emerged after a tag authentication protocol built using the Algebraic
Eraser was proposed for standardization in ISO/IEC SC31 and SecureRF provided
an open public description of the protocol. In this paper we describe a range
of attacks on this protocol that include very efficient and practical tag
impersonation as well as partial, and total, tag secret key recovery. Most of
these results have been practically verified, they contrast with the 80-bit
security that is claimed for the protocol, and they emphasize the importance of
independent public review for any cryptographic proposal.Comment: 21 pages. Minor changes. Final version accepted for ACNS 201
