Smashing SQUASH-0

Authors:
Khaled Ouafi;Serge Vaudenay
Affiliations:
EPFL, Lausanne, Switzerland CH-1015;EPFL, Lausanne, Switzerland CH-1015
Venue:
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
Year:
2009

Citing 3
Cited 7

Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization

CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Simplified OAEP for the RSA and Rabin Functions

CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
SQUASH --- A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags

Fast Software Encryption

Hedged Public-Key Encryption: How to Protect against Bad Randomness

ASIACRYPT '09 Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Lightweight privacy preserving authentication for RFID using a stream cipher

FSE'10 Proceedings of the 17th international conference on Fast software encryption
Authenticated and misuse-resistant encryption of key-dependent data

CRYPTO'11 Proceedings of the 31st annual conference on Advances in cryptology
Identity-Based (lossy) trapdoor functions and applications

EUROCRYPT'12 Proceedings of the 31st Annual international conference on Theory and Applications of Cryptographic Techniques
The GLUON family: a lightweight hash function family based on FCSRs

AFRICACRYPT'12 Proceedings of the 5th international conference on Cryptology in Africa
A minimum disclosure approach to authentication and privacy in RFID systems

Computer Networks: The International Journal of Computer and Telecommunications Networking
A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

Ad Hoc Networks

Quantified Score

Hi-index	0.01

Visualization

Abstract

At the RFID Security Workshop 2007, Adi Shamir presented a new challenge-response protocol well suited for RFIDs, although based on the Rabin public-key cryptosystem. This protocol, which we call SQUASH-0, was using a linear mixing function which was subsequently withdrawn. Essentially, we mount an attack against SQUASH-0 with full window which could be used as a "known random coins attack" against Rabin-SAEP. We then extend it for SQUASH-0 with arbitrary window. We apply it with the proposed modulus 21 277*** 1 to run a key recovery attack using 1 024 chosen challenges. Since the security arguments equally apply to the final version of SQUASH and to SQUASH-0, we challenge the blame-game argument for the security of SQUASH. Nevertheless, our attacks are inefficient when using non-linear mixing so the security of SQUASH remains open.