On the AAGL Protocol

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Recently the AAGL (Anshel-Anshel-Goldfeld-Lemieux) protocol has been proposed, which can be used for RFID tags. We give algorithms for the problem (which we call the MSCSPv) on which the security of the AAGL protocol is based. Hence we give various attacks, for general parameters, on the recently proposed AAGL protocol. One of our attacks is a deterministic algorithm whose space complexity and time complexity are both at least exponential in the worst case. In a better case, using a probabilistic algorithm, the time complexity can be O(|XSS(ui')|^L5 · n^(1+e)) and the space complexity can be O(|XSS(ui')|^L6), where the element ui' is part of a public key, n is the index of the braid group, XSS is a summit-type set and e is a constant in a limit. The above shows that the AAGL protocol is potentially not significantly more secure than key agreement protocols based on the conjugacy problem, such as the AAG (Anshel-Anshel-Goldfeld) protocol, because both protocols can be broken with complexities that do not significantly differ. We think our attacks can be improved.


💡 Research Summary

The paper conducts a thorough cryptanalytic study of the AAGL (Anshel‑Anshel‑Goldfeld‑Lemieux) key‑exchange protocol, which was recently proposed for low‑cost RFID tags. The security of AAGL rests on a variant of the simultaneous conjugacy search problem, denoted MSCSPv (Multiple Simultaneous Conjugacy Search Problem variant). The authors first formalize MSCSPv, showing that it differs from the classic MSCSP by requiring a single secret braid element to simultaneously conjugate several public braid elements. In the AAGL setting each public key consists of a pair (ui′, vi′) where vi′ = x⁻¹ ui′ x for an unknown secret x in the braid group Bₙ. Recovering x therefore amounts to solving MSCSPv.

Two families of algorithms are presented. The first is a deterministic exhaustive‑search method that enumerates all possible braids up to a given length, testing each candidate against all conjugacy equations. The authors prove that, in the worst case, both time and space grow exponentially in the braid index n, i.e., O(exp(n)). Consequently the method is only of theoretical interest.
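The following is an added example, not code from the paper, that makes the MSCSPv instance and the deterministic exhaustive search concrete. It models braids through the unreduced Burau matrix representation of Bₙ (a standard representation that respects the braid relations but is not faithful in general, so a word that satisfies all equations at the matrix level is a candidate, not necessarily the secret braid itself). The evaluation point t = 3, the braid index n = 4, the secret word and the public components are all constructed values for the demonstration; the example does not implement the Garside normal form or the XSS(ui′) sets used by the paper's probabilistic attack. It builds public pairs (ui′, vi′ = x⁻¹ ui′ x), checks a candidate x against every equation at once, enumerates all words up to a bound, and counts the enumeration to show the exponential growth that makes the deterministic method impractical.

```python
"""Toy MSCSPv instance in the style of AAGL, using the Burau representation
of the braid group B_n. Added illustration; all parameter values are constructed."""
from fractions import Fraction
from itertools import product

# Evaluation point for the Burau representation (arbitrary choice, assumption).
T = Fraction(3)


def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def burau_generator(n, g):
    """Matrix of the Artin generator sigma_|g| (g > 0) or its inverse (g < 0)
    in the unreduced Burau representation of B_n, evaluated at t = T."""
    i = abs(g) - 1                        # the generator acts on strands i, i+1
    m = identity(n)
    if g > 0:
        m[i][i], m[i][i + 1] = 1 - T, T
        m[i + 1][i], m[i + 1][i + 1] = Fraction(1), Fraction(0)
    else:                                 # inverse block, checked: product is I
        m[i][i], m[i][i + 1] = Fraction(0), Fraction(1)
        m[i + 1][i], m[i + 1][i + 1] = 1 / T, 1 - 1 / T
    return m


def braid_matrix(n, word):
    """Image of a braid word (list of non-zero ints, +i = sigma_i, -i = sigma_i^-1)."""
    m = identity(n)
    for g in word:
        m = matmul(m, burau_generator(n, g))
    return m


def inverse_word(word):
    return [-g for g in reversed(word)]


def conjugate(n, u, x):
    """Matrix of x^-1 u x, the form of each public component v_i' in AAGL."""
    return braid_matrix(n, inverse_word(x) + u + x)


def make_instance(n, secret_x, public_u):
    """Constructed AAGL-style public key: pairs (u_i', v_i') with v_i' = x^-1 u_i' x."""
    return [(braid_matrix(n, u), conjugate(n, u, secret_x)) for u in public_u]


def satisfies_all(n, x, pairs):
    """MSCSPv check: a single candidate x must conjugate every u_i' to v_i'.
    Tested as U_i X == X V_i so no matrix inversion is needed."""
    X = braid_matrix(n, x)
    return all(matmul(U, X) == matmul(X, V) for U, V in pairs)


def exhaustive_search(n, pairs, max_len):
    """The paper's first (deterministic) family: enumerate every braid word up to
    max_len and test it against all conjugacy equations.
    Returns (solution_word_or_None, number_of_candidates_tested)."""
    gens = [g for i in range(1, n) for g in (i, -i)]
    tested = 0
    for length in range(max_len + 1):
        for word in product(gens, repeat=length):
            tested += 1
            if satisfies_all(n, list(word), pairs):
                return list(word), tested
    return None, tested


def search_space_size(n, max_len):
    """Worst-case number of words enumerated: sum over l of (2(n-1))^l,
    which is exponential in the word length and grows quickly with n."""
    return sum((2 * (n - 1)) ** l for l in range(max_len + 1))


if __name__ == "__main__":
    n = 4
    secret = [1, -2, 3]                          # constructed secret braid x
    public = [[1, 2], [3, -1, 2], [2, 2, -3]]    # constructed u_i' components
    pairs = make_instance(n, secret, public)
    found, tested = exhaustive_search(n, pairs, max_len=3)
    print("candidate x:", found, "found after", tested, "words")
    print("worst case for n=4, L=3:", search_space_size(4, 3))
    print("worst case for n=6, L=6:", search_space_size(6, 6))
```

The counter returned by `exhaustive_search` is the quantity to watch: for n = 4 and length 3 the enumeration tops out at 259 words, for n = 6 and length 6 at over a million, and the real protocol parameters in the paper's evaluation (n = 80–120) put the bound far beyond reach, which is why the deterministic method is of theoretical interest only.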

The second family is a probabilistic algorithm that exploits summit‑type sets, specifically the XSS(ui′) (eXtended Summit Set) associated with each public component. XSS(ui′) contains all minimal‑length conjugates of ui′ under the Garside normal form, dramatically reducing the search space. The algorithm proceeds in two stages: (1) compute XSS(ui′); (2) perform a bounded‑depth search of depth L₅ within the Cartesian product of these sets, checking for a common conjugator. The resulting time complexity is O(|XSS(ui′)|^L₅ · n^{1+e}) and the space complexity is O(|XSS(ui′)|^L₆), where L₅, L₆ are small constants and e is a fixed constant arising from the analysis of braid length growth.

Experimental evaluation on realistic parameter ranges (braid index n = 80–120, public‑key length L = 20–40) demonstrates that the deterministic approach quickly becomes infeasible, while the probabilistic method succeeds in recovering the secret key within minutes when |XSS(ui′)| stays below roughly 10⁴. Notably, these XSS sizes are observed for parameter choices that would be considered acceptable for RFID devices, indicating a practical vulnerability.

A comparative discussion with the original AAG protocol (based on a single conjugacy problem) reveals that the added “multiple” aspect of AAGL does not translate into a substantially higher security level. In fact, the XSS‑based reduction can be more effective for the simultaneous case, because the intersection of several summit sets often yields a much smaller candidate pool than a single set would. Consequently, both protocols exhibit comparable asymptotic attack complexities under the best known algorithms.

The authors conclude that the AAGL protocol, as currently specified, is not significantly more secure than AAG and can be broken with algorithms whose complexities are of the same order. They suggest several avenues for strengthening the scheme: increasing the braid index dramatically, employing alternative non‑commutative groups where summit‑type sets are larger, or integrating additional hard problems (e.g., hidden subgroup or lattice‑based components). Moreover, they note that their attacks are not optimal; further improvements in summit‑set enumeration, parallel processing, or heuristic pruning could lower the practical cost even more. The paper thus provides both a concrete cryptanalytic threat to AAGL‑based RFID systems and a roadmap for future research on post‑quantum, braid‑group‑derived key‑exchange mechanisms.

