- 2.6k Downloads
At the RFID Security Workshop 2007, Adi Shamir presented a new challenge-response protocol well suited for RFIDs, although based on the Rabin public-key cryptosystem. This protocol, which we call SQUASH-0, was using a linear mixing function which was subsequently withdrawn. Essentially, we mount an attack against SQUASH-0 with full window which could be used as a “known random coins attack” against Rabin-SAEP. We then extend it for SQUASH-0 with arbitrary window. We apply it with the proposed modulus 21 277− 1 to run a key recovery attack using 1 024 chosen challenges. Since the security arguments equally apply to the final version of SQUASH and to SQUASH-0, we challenge the blame-game argument for the security of SQUASH. Nevertheless, our attacks are inefficient when using non-linear mixing so the security of SQUASH remains open.
KeywordsRFID cryptanalysis MAC
- 3.Shamir, A.: SQUASH: A new one-way hash function with provable security properties for highly constrained devices such as RFID tags. In: Invited lecture to the RFID Security 2007 Workshop, http://mailman.few.vu.nl/pipermail/rfidsecuritylist/2007-August/000001.html