## Smashing SQUASH-0

At the RFID Security Workshop 2007, Adi Shamir presented a new challenge-response protocol well suited for RFIDs, although based on the Rabin public-key cryptosystem. This protocol, which we call SQUASH-0, was using a linear mixing function which was subsequently withdrawn. Essentially, we mount an attack against SQUASH-0 with full window which could be used as a known random coins attack'' against Rabin-SAEP. We then extend it for SQUASH-0 with arbitrary window. We apply it with the proposed modulus $2^{1\,277}-1$ to run a key recovery attack using $1\,024$ chosen challenges. Since the security arguments equally apply to the final version of SQUASH and to SQUASH-0, we challenge the blame-game argument for the security of SQUASH. Nevertheless, our attacks are inefficient when using non-linear mixing so the security of SQUASH remains open.

Editor(s):
Joux, Antoine
Published in:
Advances in Cryptology - EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26-30, 2009. Proceedings, 300-312
Presented at:
EUROCRYPT 2009, Cologne, Germany, April 26-30, 2009
Year:
2009
Publisher:
Berlin, Springer
Keywords:
Laboratories: