At the RFID Security Workshop 2007, Adi Shamir presented a new challenge-response protocol well suited for RFIDs, although based on the Rabin public-key cryptosystem. This protocol, which we call SQUASH-0, used a linear mixing function that was subsequently withdrawn. Essentially, we mount an attack against SQUASH-0 with full window, which could be used as a "known random coins attack" against Rabin-SAEP. We then extend it to SQUASH-0 with arbitrary window. We apply it with the proposed modulus 2^1277 - 1 to run a key recovery attack using 1024 chosen challenges. Since the security arguments apply equally to the final version of SQUASH and to SQUASH-0, we challenge the blame-game argument for the security of SQUASH. Nevertheless, our attacks are inefficient when non-linear mixing is used, so the security of SQUASH remains open.
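To make the structure the abstract refers to concrete, here is an added toy model of a SQUASH-style challenge-response MAC. It is illustrative code written for this page, not code from the paper or from Shamir's SQUASH specification. It assumes the scheme's shape (mix key and challenge into an integer, square it modulo the Mersenne number 2^1277 - 1 as in Rabin, answer with a window of bits of the square); the XOR mixing, the 32-bit default window and the `offset` parameter are simplifying assumptions standing in for the withdrawn SQUASH-0 mixing, not its actual definition. It also shows why a Mersenne modulus suits a constrained device: reduction modulo 2^n - 1 needs only shifts and additions.

```python
# Toy SQUASH-style MAC (added illustration; not the paper's or Shamir's code).
# Assumptions not taken from the page: XOR as a stand-in for the linear mixing,
# a 32-bit response window selectable by `offset`, and that the tag answers with
# window bits of M(K, C)^2 mod N, where N = 2^1277 - 1 is the proposed modulus.

N_BITS = 1277
N = (1 << N_BITS) - 1          # Mersenne modulus 2^1277 - 1


def mersenne_reduce(x: int) -> int:
    """Reduce x modulo N = 2^n - 1 with shifts and adds only.

    Since 2^n = 1 (mod N), x = a*2^n + b is congruent to a + b; folding the high
    part onto the low part until x < 2^n gives the reduction without division.
    """
    while x >> N_BITS:                       # high part still non-zero
        x = (x & N) + (x >> N_BITS)          # low n bits + high bits
    return 0 if x == N else x                # 2^n - 1 itself is 0 mod N


def linear_mix(key: int, challenge: int) -> int:
    """Simplified linear mixing (XOR); stand-in for SQUASH-0's mixing."""
    return (key ^ challenge) & N


def rabin_square(m: int) -> int:
    """The Rabin one-way function m -> m^2 mod N, using the cheap reduction."""
    return mersenne_reduce(m * m)


def window(value: int, offset: int, width: int) -> int:
    """Extract `width` bits of `value` starting at bit `offset` (bit 0 = LSB)."""
    return (value >> offset) & ((1 << width) - 1)


def squash_response(key: int, challenge: int, offset: int = 0,
                    width: int = 32, mix=linear_mix) -> int:
    """Tag side: answer challenge C with a window of bits of M(K, C)^2 mod N."""
    return window(rabin_square(mix(key, challenge)), offset, width)


def verify(key: int, challenge: int, response: int, offset: int = 0,
           width: int = 32, mix=linear_mix) -> bool:
    """Reader side: recompute the expected window and compare."""
    return squash_response(key, challenge, offset, width, mix) == response


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    K = int.from_bytes(b"constructed-demo-key-material!!!", "big")
    C = int.from_bytes(b"challenge-0001", "big")
    r = squash_response(K, C, offset=600, width=32)
    print(f"32-bit response at offset 600: {r:#010x}")
    print("verifies:", verify(K, C, r, offset=600, width=32))
    # With the full window (all 1277 bits) the response is the whole Rabin
    # square, i.e. the full Rabin value of the mixed input.
    full = squash_response(K, C, offset=0, width=N_BITS)
    print("full window equals pow(M, 2, N):", full == pow(K ^ C, 2, N))
```

The `width=N_BITS` case is what the abstract calls the full window: the tag then returns the entire value M(K,C)^2 mod N, so a response is exactly a Rabin squaring of the mixed input, which is why a result on full-window SQUASH-0 transfers to Rabin-based encryption. Shrinking the window to 32 bits hides most of the square, and the non-linear mixing adopted in the final SQUASH is what the abstract says currently blocks the linear-mixing analysis.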