I'm Simon Blackburn. This is Royal Holloway. This is where I'm from. My other two co-authors are from Bar-Ilan University in Israel. He's here at the conference. She's a student of Boaz Tsaban. This was the result of a project when she came to visit Royal Holloway last summer. I want to talk about cryptanalysis of the Algebraic Eraser. This is a scheme that was introduced a while ago now, in 2002, by Anshel, Anshel, Goldfeld and Lemieux. It's a key exchange primitive, a bit like Diffie-Hellman, with a similar sort of protocol flow, but it's based on matrix groups and permutation groups and braid groups. It's a group-based cryptosystem. As a field, group-based cryptography in general has a poor reputation. There have been, at the moment, a lot of schemes which aren't great that have been proposed. However, Anshel, Anshel and Goldfeld in particular produced some beautiful papers early on with some lovely ideas in. I think it's always interesting to see anything that this group comes up with, because the ideas are worth thinking about. One of the reasons that I first became interested in this area is really because SecureRF, a US company, are the owners of the Algebraic Eraser, and they're actually out there marketing it for Internet of Things applications. In particular, in 2015, they proposed to the ISO standards body an Algebraic Eraser-based RFID tag authentication protocol. If you actually go to the SecureRF website, in fact, they've replaced that by a different protocol due to attacks on this protocol. Right. I became interested in this earlier, when Kenny Paterson told me that they were presenting to the IRTF. It's always interesting from my perspective as a group theorist and a cryptographer. If something is getting close to standards, it's really time to look at a cryptosystem in a bit more depth. This protocol has had earlier attacks on it. 
In particular, in 2008, there was an attack by Myasnikov and Ushakov using something called a length-based attack, if you know what that is, which broke the parameters which were originally proposed in the paper. This basically says that the parameters are too small, because this length-based attack scales very badly. In fact, Gunnells recommended increasing the parameters slightly, and that would avoid this attack. It's not, in some sense, a particularly serious attack, because there's an easy remedy. More or less at the same time, in 2008, there was a more serious attack due to Kalka, Teicher and Tsaban, which really broke the scheme convincingly for generic parameters. Let me say what I mean by generic parameters. One of the things that's strange about the Algebraic Eraser is that for certain parts of the public parameters of the scheme, the algorithm for generating these public parameters isn't specified by the scheme. It's just said, you choose these things. It's not said how. As a cryptanalyst, you're in a difficult situation, because it's security by under-specification. All you can do, and all they did, was say, let's choose these things at random, subject to all the publicly known constraints. It's a convincing attack for these generic parameters. This was responded to in a paper by Goldfeld and Gunnells, a preprint, which said, basically, you can avoid the attack by a careful choice of system parameters. I'll give a bit more detail about that in a second. There it is. What's this work about? It's an attack that recovers the key for 128-bit parameters. The parameters were provided by SecureRF, and it takes just eight hours on a single core in Magma, a two gigahertz core. I can't really imagine a more convincing attack on the scheme. There we go. I'll give a bit more detail about this. It's quite a technical scheme in lots of ways, the Algebraic Eraser. I can't give all the details in a 20-minute talk, so I'll try to keep it as non-technical as I can. 
The Algebraic Eraser is like Diffie-Hellman. It's a key agreement scheme, just like Diffie-Hellman. Same kind of protocol flow. There are two parameters that are picked. First of all, for 128-bit parameters, we have N, which is 16. These are N by N matrices, part of the scheme. Q is 256; Q is a field size. These are 16 by 16 matrices whose entries are elements of a finite field that just fits inside a byte. Eight bits. In Diffie-Hellman, the things that are passed between the two parties are integers modulo P, classically. Here, they're not integers, they're actually pairs. The first thing is a matrix M, which is an N by N matrix with entries in GF(Q). The second thing is a permutation. This is just a permutation of N objects, in this case 16 objects. What happens is, just like Diffie-Hellman, it's a protocol. Alice generates some private information, which I'll come to in a second. Alice then computes the public key, which is a matrix M_A and a permutation sigma_A, a pair from Omega, and sends that to Bob. Bob does a similar thing. He generates private information in some way, uses this to compute a public key, and sends this to Alice. What both parties do is compute a shared value, a matrix M and a permutation sigma, by using the information provided by the other party and the information they've generated privately. It's very similar to Diffie-Hellman at this level, apart from the things you're transmitting from one side to the other. In fact, the way it works is that sigma is actually computable by anybody. So sigma isn't really private information at all, so you would take M and you'd try to derive the shared key from M. M is the shared key. So sigma is just something that you use to compute M and then you can throw away, because it's public. Right. It's a group-based scheme. And so I'm going to talk now about the private information that Alice and Bob use to generate their public key. And this is part of an infinite group. 
This is the equivalent of, sort of, the group in the exponent in Diffie-Hellman, right? That's the integers under addition, or integers modulo p minus one, something like that. So here, the group in the exponent is a coloured Burau group. It's got this sort of cool symbol here. This is a semi-direct product: GL(N, F_Q(T_1, ..., T_N)), semi-direct product with the symmetric group on N letters. Now, if you're a group theorist, that's fine. Let me just tell you what this is, though. This is a group. The elements of the group are pairs (M, sigma). Sigma is just a permutation as before. Now, M is an N by N matrix, but its entries aren't in F_Q. They're quotients of polynomials in the variables T_1 up to T_N. Right? So there are infinitely many possibilities for these things, so this is some sort of infinite group. So these are the elements. And to multiply them, so you multiply these two elements, so an element is a pair (M, sigma), to multiply two of these things together, you just compose the two permutations, right? That bit's easy. How do you multiply the two matrices together? Well, you'd think you might just multiply the two matrices together, but first of all, what you do to one of the matrices is you permute the variables T_1 up to T_N by using the permutation sigma first, right? So if sigma mapped one to two, you replace all the things which were T_1 in the matrix by T_2. Right, first, before you do the multiplication. So this is the coloured Burau group, and this is related to some sort of... It's topological group theory, studied by... Okay, right. So this is the most technical slide. So if you can get through this slide, it's a nice easy slide down towards the end of the talk, right? Okay. So, remember the things we're passing between each other, between Alice and Bob, are matrices with entries in F_Q. So how do you get from these matrices with polynomial entries to entries modulo Q? Well, there's an obvious kind of way of doing it. 
You just replace all the entries, the variables T_1 up to T_N in your matrix, by particular values, call them, let's say, tau_1 up to tau_N in F_Q. Okay? That gives you a matrix with entries in F_Q. And if you do this in the right way, you get a map down to GL(N, Q). Okay? So I say this isn't defined on the whole of this group, because you've got to have some condition on the subgroup so that this actually is a map. Okay, there we go. So this is some map phi. So now this is the equivalent in Diffie-Hellman of exponentiation. Right? You take an element (S, pi) in Omega. That's the thing you're going to pass backwards and forwards between Alice and Bob. You have your sort of exponent thing, which is a matrix and a permutation in this big infinite group. You define something called, well, the authors call it E-multiplication. Right? It's the star notation. We should combine these two things. It's kind of like exponentiation. The permutation thing, again, is very easy. You just compose the two permutations. The simplest thing you could do is take the matrix M, evaluate it to get a matrix with entries over F_Q, and just do normal matrix multiplication. But before you evaluate it, you permute the variables of the matrix by using the permutation pi. So a little twist. So that's E-multiplication. Okay. Then, how do you actually do the protocol in more detail? You first of all choose commuting subgroups A and B of the coloured Burau group. What commuting means is, if you take any a in A and b in B, then ab equals ba. Right? So you produce them in some way, and the authors of the scheme don't tell you how to do this. And then you do the same. You take two commuting subgroups C and D of GL(N, Q), and you choose them in some way. The authors of the scheme don't tell you how to do this. Right. What Alice does is pick an infinite group element from A and a matrix in C and sends something to Bob. 
She takes the pair in Omega which is the identity matrix and the identity permutation, star-multiplies it with the infinite group element a. That's kind of like an exponentiation. And then multiplies it on the other side by the matrix c. What this means is, you've just got matrix entries in F_Q, you just multiply. So the result of this star multiplication is (matrix, permutation). You kind of ignore the permutation, multiply that first matrix by the matrix c, and replace the first matrix by that matrix product. That's just basically a matrix product, but ignoring the second entry. Right. Bob does the same thing, but picks d in D and b in B. b is an element of this big group; d is just a matrix. And he sends this thing to Alice. And then for the common key, you just do the same operation to the thing you received. Same kind of exponentiation-style operation. So Bob takes the information he gets from Alice, star-multiplies it on the right by b and multiplies it on the left by d. And just because these things commute, it works: that's the same as what Alice does. Alice just takes the information she gets from Bob, star-multiplies it by a and multiplies it on the left by c. So I can see that your spirits kind of sank about there, I think. I can see your faces. That's the end of the technical bits of this slide, really. The main thing is that you pick some random stuff, subgroups A, B and C and D, in some way. Right. So how does the Kalka-Teicher-Tsaban approach work? That's the previous attack. Well, as an adversary, you get the basic parameters of the scheme, which are the size of the matrices N, the field size Q, and these elements tau_i that everybody has to evaluate at, at various stages, in order to do this star multiplication. And you would also get some public information, which is the generated group C of matrices and the subgroup A of the coloured Burau group. Okay. 
Now, this is an unusual scheme in that the public parameters for Alice are slightly different to the public parameters for Bob. They're different matrices. Bob uses a group D of matrices and a subgroup B of the coloured Burau group. But in order to attack, we've got access to one of them. So we just assume that we've got one of them. We don't need both. And Eve obviously gets the stuff that's transmitted backwards and forwards between Alice and Bob. And the aim, of course, is to compute the shared key. And how does the attack work? It generates lots of elements from A and uses those elements from A to find linear information about the secret information d and the matrix part of the secret group element b that Bob uses to generate his public key. And once you've collected enough of these relations, this linear information, you can then find d up to a scalar, right? The matrix that Bob uses, up to a scalar. Okay, generically. That's phase one. And then phase two uses some clever algorithm from permutation group theory to find some equivalent element a' in this group A with the same permutation as the pair that was transmitted from Alice to Bob. And these two pieces of information are enough to derive the shared key. Now, both of these phases are heuristic, but they're practical for random system parameters. So Gunnells and Goldfeld responded to this attack, and their response basically says, ah, choose C very carefully. We haven't said this before, but we're actually going to choose C carefully, right? And what happens here is, if you choose C carefully, all this linear information basically collapses; you don't get enough linear relations. So even though for generic parameters this linear information gives you d up to a scalar, this carefully chosen subgroup C doesn't give you enough information. So how does our new approach work? Right, it uses the same information as before, right? 
The public parameters, Alice's public information, and the information transmitted between Alice and Bob. In phase zero, it's called zero because it's a pre-computation phase, before Eve gets this last piece of information, Eve generates lots of words in the generators of A whose associated permutation is trivial. It's quite similar to one of the phases in the previous attack. And then once she's got some of this extra stuff, in phase one Eve finds a group element ã whose permutation agrees with a. She knows this permutation because it's in the piece of information which is transmitted from Alice to Bob. But rather than finding the secret information d, she actually tries to find the secret information c. There's more stuff to do with Alice. This generates more linear relations, a different kind of linear relations. This part is very different to the Kalka-Teicher-Tsaban attack. Once she's found this, she recovers the remaining parameters and the shared key. Now, all phases in this algorithm again are heuristic, but they're practical, and there's a key difference, which is that they don't depend on the choice of this subgroup C. They're completely blind to that choice. So the Goldfeld-Gunnells response is completely bypassed by this new approach. So what's the outcome from this? Oh, I should say that, to do this, you use the same permutation group algorithm from the previous attack. A consequence of the attack? Well, SecureRF very kindly gave us 128-bit parameter sets. Five challenges. This is the only way you can cryptanalyse the scheme, right? Because otherwise, we don't know how these parameters are generated. Right, but they kindly provided them to us. Unfortunately for them, with what is not an optimised implementation in Magma, on a single two gigahertz core, it gave an attack in eight hours, and actually only half of this is pre-computation. 
Right, so phase zero takes about four hours and the remaining stuff takes about four hours. So this also affects the ISO tag authentication protocol that's proposed by SecureRF, which is very vulnerable to the attack. Pretty efficient attack, very efficient attack. There's been an interesting response from SecureRF on this. Extremely defensive response. So they're sort of very negative in their tone, and also they say some very strange things technically. So, for example, they say that the attack has only limited focus because all it does is recover the shared key. It's an interesting idea of what an adversary for a key agreement protocol is. Right? They also say it doesn't apply many times because the adversary is assumed to know the public keys. Right? Yeah, that's a good question. Of course, if you don't know the public keys, you can use symmetric techniques, right? That's the security model. So actually most of the time it spends its time trashing a conjecture attributed to us that we didn't make. Very strange. I must say personally I would be embarrassed. I would be embarrassed to produce this paper. Certainly as a cryptography company, I'd be surprised that it would publish this. So certainly I currently would not recommend using the Algebraic Eraser as a primitive in any applications. Right? Clearly. Also I'd say independent security analysis is vital. In this case there's a company that's generating parameters, not saying how these parameters are generated, and it comes with these kinds of responses. That certainly knocks my confidence in what they're saying technically, whether it's going to be true. It needs to be verified independently. So independent security analysis is absolutely vital. There's some further discussion on this. A great title: Why Algebraic Eraser may be the riskiest cryptosystem you've never heard of, by Dan Goodin in Ars Technica. So a lovely article, actually. Dan Goodin, I've got a very high respect for. He got accurate quotes from all the parties involved. 
So he was very careful technically. So I've got a lot of respect for the way he wrote that article. So that's a good article. There's also, I think, a very nice thread on Cryptography Stack Exchange which talks about this. I should say that Matt Robshaw and myself have got a paper in ACNS just earlier this year which gives a real-time cryptanalysis of the proposed ISO protocol. So it's faster. There is a new proposed ISO protocol after this, where they've added some hash. But my worry is that the techniques from the paper with Matt and the paper presented here, a combination of them, will apply to this new proposal. So my worry is that the... Certainly I think it's surprising that they're proposing an ISO protocol at such an early stage. I don't see anything from the standard saying why this protocol is resistant to these techniques. I feel it's very surprising that they've done this. I worry, I think. So thank you very much.
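As an added worked example (not code from the talk, from SecureRF, or from the Algebraic Eraser authors), here is a toy model in Python of the coloured Burau group law, E-multiplication and the protocol flow described in the talk. It assumes a prime field F_101 and N = 4 in place of GF(256) and N = 16, constructed evaluation points tau_i, and commuting subgroups A and B built on disjoint 2x2 blocks; each coloured Burau matrix is stored as a function of the variables t_i rather than symbolically, since E-multiplication only ever evaluates it after permuting the variables.

```python
import random
from functools import reduce
Q, N = 101, 4        # toy sizes (the talk's 128-bit parameters use q = 256, N = 16)
TAU = [3, 5, 7, 11]  # constructed public evaluation points tau_1..tau_N
ID_PERM = list(range(N))

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(N)) % Q for j in range(N)] for i in range(N)]
def identity():
    return [[int(i == j) for j in range(N)] for i in range(N)]
def permuted(seq, p):  # seq[p(i)]: composes permutations (s o r) and substitutes variables t_i -> t_p(i)
    return [seq[p[i]] for i in range(N)]
# Coloured Burau element: (M, sigma), M a callable t -> N x N matrix over F_Q standing in for a
# matrix of polynomials in t_1..t_N (which only ever gets evaluated), sigma a permutation.
def cb_mul(g, h):
    (M1, s1), (M2, s2) = g, h  # permute the variables of the second matrix by sigma_1, then multiply
    return (lambda t: matmul(M1(t), M2(permuted(t, s1))), permuted(s1, s2))

def e_mul(S_pi, g):
    """E-multiplication: (S, pi) * (M, sigma) = (S . phi(pi(M)), pi o sigma), phi = evaluate at TAU."""
    (S, pi), (M, sigma) = S_pi, g
    return (matmul(S, M(permuted(TAU, pi))), permuted(pi, sigma))

def block_gen(lo, f, swap):
    """Element equal to I outside the 2x2 block at (lo, lo), which f builds from t_lo, t_lo+1."""
    def M(t):
        m, blk = identity(), f(t[lo], t[lo + 1])
        for i in range(2):
            m[lo + i][lo], m[lo + i][lo + 1] = blk[i][0] % Q, blk[i][1] % Q
        return m
    perm = list(range(N))
    if swap: perm[lo], perm[lo + 1] = lo + 1, lo
    return (M, perm)

# A lives on rows/variables {1,2}, B on {3,4}: disjoint supports, so every a in A commutes with every b in B.
GEN_A = [block_gen(0, lambda x, y: [[x, 1], [1, 0]], True), block_gen(0, lambda x, y: [[1, y], [0, 1]], False)]
GEN_B = [block_gen(2, lambda x, y: [[x, 1], [1, 0]], True), block_gen(2, lambda x, y: [[1, x * y], [0, 1]], False)]
def random_word(gens, rng, length=6):  # a private element: product of random generators
    return reduce(cb_mul, [rng.choice(gens) for _ in range(length)], (lambda t: identity(), ID_PERM))

def finish(my_matrix, their_pair, my_element):  # star-multiply by my element on the right, my matrix on the left
    S, pi = e_mul(their_pair, my_element)
    return (matmul(my_matrix, S), pi)

def run_key_agreement(seed=1):
    rng = random.Random(seed)
    X = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]  # C and D: polynomials in one X, so they commute
    c = [[(v + 3 * int(i == j)) % Q for j, v in enumerate(row)] for i, row in enumerate(matmul(X, X))]
    d = [[(5 * v + 2 * int(i == j)) % Q for j, v in enumerate(row)] for i, row in enumerate(X)]
    a, b = random_word(GEN_A, rng), random_word(GEN_B, rng)
    start = (identity(), ID_PERM)  # the pair (I, id) in Omega that both parties start from
    pub_A, pub_B = finish(c, start, a), finish(d, start, b)        # what goes over the wire
    key_alice, key_bob = finish(c, pub_B, a), finish(d, pub_A, b)  # shared (M, sigma), must agree
    return key_alice, key_bob, permuted(pub_A[1], pub_B[1])        # sigma itself is computable by anyone
```

The two keys agree only because a commutes with b and c commutes with d; replacing GEN_B by generators on the same block as GEN_A breaks the agreement, which is the role of the commuting subgroups whose generation the scheme leaves unspecified.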