Cryptanalysis of a Lightweight RFID Authentication Protocol Based on a Variable Matrix Encryption Algorithm

Recently, a two-way RFID authentication protocol based on the AM-SUEO-DBLTKM variable matrix encryption algorithm was proposed for low-cost mobile RFID systems. Its design combines adaptive modulus selection, self-updating matrix ordering, and transp…

Authors: Hongjun Wu

Hongjun Wu, Nanyang Technological University, Singapore. Email: wuhj@ntu.edu.sg

Abstract

Recently, a two-way RFID authentication protocol based on the so-called AM-SUEO-DBLTKM variable matrix encryption algorithm was proposed for low-cost mobile RFID systems. Its design combines adaptive modulus selection, self-updating matrix ordering, and transpose/block-based matrix generation. In this paper, we show that the protocol has fundamental structural weaknesses. First, the underlying encryption primitive remains a linear transformation modulo a session modulus, with no nonlinear confusion layer and no ciphertext chaining. Second, in the concrete lightweight setting emphasized by the original paper, the effective update space is very small: there are only a few modulus choices, only four matrix-order choices when two secret matrices are used, and only a limited family of DBLTKM-generated matrices. Third, the correctness requirements of the protocol impose nontrivial constraints on the sizes of the modulus and plaintext coordinates, which substantially weaken the claimed entropy of the secret quantities. Building on these observations, we describe a multi-session algebraic attack path. Under repeated reuse of the same effective matrix and modulus (an event that is plausible because of the small update space), ciphertexts corresponding to $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$ reveal a full column of the effective matrix. Across sessions, transpose-based matrix generation helps recover additional entries of the underlying secret matrices, while the remaining entries can be obtained later from ordinary ciphertext equations. We then show that candidate factors of the session moduli can be tested by solving reduced equations for the long-term secret $S$ across many sessions and checking for repeated consistent solutions.
This, in turn, enables recovery of candidate 64-bit moduli and the remaining protocol secrets. Taken together, our results indicate that the protocol is structurally insecure and admits a realistic route to full compromise in the lightweight parameter regime advocated for deployment.

Index Terms: RFID authentication, cryptanalysis, lightweight cryptography, linear algebra attack, matrix encryption, modulo arithmetic.

I. INTRODUCTION

RFID authentication for low-cost tags remains difficult because the security requirements and the implementation constraints point in opposite directions. The protocol analyzed in this paper was recently proposed by Wang et al. [1]. On the one hand, an RFID protocol deployed in open wireless environments should resist replay, impersonation, traceability, desynchronization, and active manipulation. On the other hand, passive and low-cost tags have very limited logic area, storage, and online computational capability. This tension has led to a substantial body of work on lightweight and ultra-lightweight RFID authentication protocols [2]–[6].

A standard observation in this area is that there are two very different design philosophies. One line of work adapts conventional cryptographic mechanisms to RFID and IoT settings. Examples include protocols based on hash functions, block ciphers, stream ciphers, elliptic-curve cryptography, or other more mature primitives [4], [7]–[12]. Such schemes usually inherit better-understood security foundations, but they may be criticized for implementation cost when the target is an extremely constrained tag. A second line of work aims at extremely lightweight deployment and therefore replaces mature primitives with simple bitwise operations, table updates, permutations, or algebraically structured transformations [13]–[20].
The literature has repeatedly shown that the second direction is fragile: once the primitive becomes too structured, security claims often fail under direct cryptanalysis even if the protocol looks attractive from a cost perspective [4]–[6]. This issue is particularly visible in ultra-lightweight RFID protocols. Early proposals such as LMAP, M2AP, and EMAP were motivated by the need to avoid expensive cryptographic components on low-cost tags [14]–[16]. Similar motivations appear in later authentication designs for IoT, medical, and logistics environments [7]–[9], [21]. However, the history of the field also shows that reducing a protocol to a small number of linear or near-linear operations often introduces strong algebraic relations that are exploitable. In that sense, storage efficiency and gate-count efficiency do not automatically imply security; in some cases they are achieved precisely by introducing the regularity that makes the system vulnerable.

Besides protocol-level lightweight design, another research direction uses hardware characteristics such as physically unclonable functions. PUF-based schemes attempt to strengthen authentication without storing explicit long-term secrets in ordinary memory [22]–[25]. These approaches are important, but they rely on a different threat model and different implementation assumptions. In many practical settings, especially for very cheap tags, protocol designers still seek software-like or arithmetic-only constructions. That is exactly the context in which structured matrix-based designs continue to appear.

The protocol studied in this paper is a recent example of this latter design style. It is built around modular matrix multiplication rather than around a standard cryptographic primitive. The protocol combines three mechanisms: adaptive modulus selection (AM), self-updating encryption order (SUEO), and diagonal block local transpose key matrix generation (DBLTKM).
The intended effect is clear. Starting from a very small number of secret matrices, the protocol attempts to create many apparent encryption states by varying the modulus, varying the order of multiplication, and allowing transpose- or block-based matrix generation. This idea is attractive only if those generated states are both sufficiently numerous and sufficiently independent from a cryptanalytic point of view.

Our view is that this is exactly where the design fails. The first reason is conceptual. The core encryption rule is still only a linear map modulo a selected modulus. The second reason is combinational. In the lightweight setting emphasized by the original protocol, the number of secret matrices must remain small, and therefore the number of genuinely different effective states is also small. The third reason is mathematical. The protocol description mixes 128-bit secrets and nonces with 64-bit matrix elements and modular decryption, which creates nontrivial correctness constraints that are not addressed carefully in the original design. Once these constraints are taken into account, the claimed entropy of the system becomes much smaller than it first appears.

This problem is not isolated to RFID. There is a long history of cryptanalysis of matrix-based encryption, beginning with the Hill cipher and continuing through later variants that attempted to strengthen it by modifying the key schedule, the modulus, or the plaintext representation [26]–[31]. The broad lesson from this literature is well known: if the encryption operation remains essentially linear, then apparent key-space growth obtained by rearranging or composing linear maps often does not translate into real security. This historical perspective is directly relevant here because the AM-SUEO-DBLTKM design ultimately derives all of its states from a very small family of structured matrices.

Another point worth emphasizing is methodological.
RFID papers often include symbolic or logic-based validation, for example BAN-logic arguments or automated protocol checks, to support claims of mutual authentication and resistance to replay [32], [33]. Such analyses can be useful for checking message-flow assumptions under idealized primitives. They do not, however, establish the hardness of attacking the underlying arithmetic transformation. If the encryption primitive itself is weak, then symbolic validation does not save the protocol.

In this paper, we analyze the AM-SUEO-DBLTKM-based RFID protocol from the perspective of direct cryptanalysis of the underlying matrix mechanism. Our starting point is the concrete lightweight regime highlighted in the original work, namely the case where only two secret matrices are used. In that regime, the SUEO mechanism yields only four orderings, the DBLTKM mechanism still produces only a limited family of effective matrices, and the update values contribute only a few bits of effective control entropy because they are used only through modular reductions into very small tables. We also show that the correctness of decryption imposes a much tighter range on the plaintext coordinates than the nominal 128-bit statement suggests.

After identifying these structural weaknesses, we present a multi-session attack. Very roughly, if the same effective matrix and modulus are reused to encrypt related values such as $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$, then ciphertext differences reveal an entire column of the effective matrix. Since DBLTKM explicitly allows transposed variants, repeated observations across sessions can be combined to recover three entries of each underlying secret matrix, after which the remaining entry can be obtained from an ordinary ciphertext equation. We then test candidate reduced modulus values by solving for the long-term secret $S$ across many sessions.
Candidates that are compatible with the true modular structure produce repeated and mutually consistent values of $S \bmod q_x$, whereas incompatible candidates do not show such stable behavior. This narrows the set of plausible session moduli and, after full verification, leads to recovery of the remaining protocol state.

The main contribution of this work is therefore not merely another attack on a specific RFID proposal. Rather, it is a case study showing that in extremely lightweight authentication design, combinational growth of matrix states should not be confused with cryptographic strength. When the underlying primitive is linear and the number of truly independent secret objects is very small, multi-session algebraic attacks become natural.

A. Our Contributions

We summarize our contributions as follows.

1) We revisit the parameter regime emphasized for lightweight deployment and show that the concrete construction is necessarily very small. In particular, the protocol effectively relies on two secret matrices in the lightweight setting, leading to only four possible matrix-order choices and only a limited family of DBLTKM-generated matrix states.

2) We identify a correctness inconsistency in the original description. Since encryption and decryption are performed modulo a 64-bit modulus while nonces, identities, and secrets are described as 128-bit values, exact recovery is impossible unless the plaintext coordinates are constrained to fit below the modulus. This effectively reduces the recoverable entropy of each 128-bit quantity.

3) We give a multi-session algebraic attack on the effective matrices. When the same effective matrix and modulus are reused to encrypt $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$, ciphertext differences reveal a full column of the effective matrix.
Repeating the observation across sessions and exploiting transpose-based DBLTKM updates yields recovery of three entries of each underlying secret matrix, while the remaining entry is recovered later from an ordinary ciphertext equation.

4) We propose a modulus-recovery phase based on multi-session consistency tests. By testing candidate reduced modulus values $q_x$ and solving for the long-term secret $S$ over many sessions, the attacker can identify candidates that repeatedly produce consistent reduced solutions. These candidates can then be combined into candidate 64-bit session moduli and verified against the full equations, leading to recovery of the remaining protocol secrets.

B. Paper Organization

The rest of the paper is organized as follows. Section II summarizes the original protocol and highlights the parameter choices relevant to our attack. Section III discusses the effective security space and the correctness constraints implied by modular decryption. Section IV presents the matrix-recovery phase. Section V describes the recovery of factors of the session moduli and the reconstruction of the candidate $q$ values. Section VI explains how the remaining secrets can be recovered, leading to a complete break. Section VIII concludes the paper.

II. OVERVIEW OF THE TARGET PROTOCOL

The target protocol is built on the linear encryption primitive

$E(t, A, p) = A t \bmod p$, (1)

and the corresponding decryption rule using a modular inverse matrix. The protocol paper states that nonces, secret values, modulus, and identifiers are 128-bit values, while each matrix element is 64 bits. The protocol uses two secret matrices in its concrete lightweight example and derives effective encryption states by three mechanisms:

• AM: choose a modulus $q$ from an AM index table;
• SUEO: choose an ordering of the secret matrices;
• DBLTKM: generate transpose/block-based variants of the matrices.
In the authentication stage, the protocol transmits, among others, the encryptions of $N_t \| S$, $N_r \| S$, $N_r \| S_d \| S_p \| S_c$, $N_t \| S_d \| S_p \| S_c$, $N_t + 1 \| ID$, and $N_r + 1 \| ID$. The long-term secret $S$ is reused across sessions, while $N_t$ and $N_r$ are fresh random numbers generated by the tag and reader, respectively. The server further generates update values $S_d$, $S_p$, $S_c$, which are subsequently reduced modulo small table sizes to select the next DBLTKM pattern, the next SUEO order, and the next AM modulus.

A. Protocol Flow Relevant to the Attack

For completeness, we summarize only the parts of the target protocol that are directly relevant to our cryptanalysis. Let $A$ denote the current effective encryption matrix and let $p$ denote the current modulus in the pre-update phase. After the server generates the update values $S_d$, $S_p$, and $S_c$, the protocol derives a new effective matrix $A_{new}$ and a new modulus $q$ through the DBLTKM, SUEO, and AM mechanisms. The corresponding decryption matrix is denoted by $B_{new}$.

The protocol messages used in our attack can be summarized as follows.

1) The tag generates a fresh random nonce $N_t$ and sends
$C_1 = E(N_t \| S, A, p)$. (2)

2) The reader generates a fresh random nonce $N_r$ and sends to the server
$C_2 = E(N_r \| S, A, p)$. (3)

3) After authenticating the reader, the server generates new secret values $S_d$, $S_p$, and $S_c$, and sends
$C_3 = E(N_r \| S_d \| S_p \| S_c, A, p)$. (4)

4) The reader forwards to the tag
$C_4 = E(N_t \| S_d \| S_p \| S_c, A, p)$. (5)

5) Using the update values, the parties compute
$S_d \bmod Z_{DBLTKM}$, $S_p \bmod Z_{SUEO}$, $S_c \bmod Z_{AM}$, (6)
and thereby derive the next effective encryption state $(A_{new}, q)$.

6) The tag then sends
$C_5 = E(N_t + 1 \| ID, A_{new}, q)$, (7)
and the reader forwards to the server
$C_6 = E(N_r + 1 \| ID, A_{new}, q)$. (8)

The attack developed in this paper uses two kinds of structure from the above flow.
First, the messages $C_1$, $C_2$, $C_3$, and $C_4$ are all encrypted under the same pre-update state $(A, p)$. Second, the messages $C_5$ and $C_6$ are encrypted under the same post-update state $(A_{new}, q)$. This separation allows us to analyze repeated effective matrices and moduli across sessions and to exploit the algebraic relations between encryptions of $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$.

B. Small Concrete State Space

The lightweight example emphasized by the protocol paper takes the number of key matrices to be $N = 2$. For this setting, the protocol itself yields the following state-space sizes:

$Z_{SUEO} = \binom{2}{1} \, 1! + \binom{2}{2} \, 2! = 4$, (9)

$Z_{DBLTKM} = (2N) + (2N)^2 = 4 + 16 = 20$. (10)

Moreover, the accompanying example uses an AM table with eight modulus choices. Hence the entire update mechanism is built from a very small number of combinations. This fact is central to our attack. For $N = 2$, the SUEO choices are precisely

$A, \; B, \; AB, \; BA$. (11)

Thus the first matrix applied to a plaintext block is either $A$ or $B$, with probability roughly $1/2$ under a uniform model. The uncertainty introduced by SUEO is therefore extremely limited in the lightweight regime.

III. EFFECTIVE SECURITY SPACE AND CORRECTNESS CONSTRAINTS

In this section we show that the protocol's effective security space is much smaller than the raw bitlengths in the description suggest.

A. Tiny Control Entropy of the Update Secrets

Although the protocol describes $S_d$, $S_p$, and $S_c$ as 128-bit values, they are used only through

$S_d \bmod Z_{DBLTKM}$, $S_p \bmod Z_{SUEO}$, $S_c \bmod Z_{AM}$. (12)

For the concrete lightweight setting, this means that the update secrets contribute only

$\log_2 20 \approx 4.32$, $\log_2 4 = 2$, $\log_2 8 = 3$ (13)

bits of control entropy, respectively. Therefore, the nominal 128-bit sizes of $S_d$, $S_p$, $S_c$ do not translate into comparable cryptographic strength.

B. DBLTKM-Generated Matrix Family

For the concrete setting $N = 2$, the protocol paper gives

$Z_{DBLTKM} = 20$, (14)

which should be understood as the size of the DBLTKM construction space in the illustrative lightweight example. Together with the AM and SUEO mechanisms, this still yields only a small family of effective matrices for the protocol. This limited state space is important for cryptanalysis, because repeated effective states across sessions are far more plausible than they would be in a conventional design with a large independent key space.

C. Correctness Imposes a Reduced Plaintext Range

The protocol description states that nonces, secrets, identities, and the modulus are 128-bit values, while each matrix element is 64 bits and encryption/decryption are performed modulo the selected modulus. However, a plaintext coordinate can be recovered exactly from modular decryption only if it is represented in a range strictly below the modulus. If an arbitrary 128-bit value is encrypted directly modulo a 64-bit modulus, decryption can recover only the residue class, not the original integer. Therefore, correctness requires an implicit encoding of each 128-bit quantity into smaller coordinates. In the most natural two-coordinate encoding, each coordinate must be smaller than $q$. If $q$ is chosen as a full 64-bit modulus near $2^{64}$, then a safe correctness margin requires each coordinate to be at most about 63 bits, meaning that the recoverable entropy per nominal 128-bit value is effectively about $63 \times 2 = 126$ bits rather than an unrestricted 128 bits. Likewise, the effective matrix entries must be interpreted as values constrained so that modular decryption remains meaningful.

This observation has two cryptanalytic consequences. First, it weakens the entropy claims made by the target protocol.
Second, it changes the behavior of recovered matrix columns: when the recovered column entries are below the session modulus, they may appear without visible wraparound, which means that modulus recovery must rely on consistency across sessions rather than single-session residue anomalies.

IV. RECOVERY OF THE EFFECTIVE AND SECRET MATRICES

We now present the first phase of the attack. The starting point is the linearity of the encryption primitive.

A. A Column-Recovery Observation

Consider two encryptions under the same effective matrix $M$ and the same modulus $q$:

$C_1 = M T_1 \bmod q$, $C_2 = M T_2 \bmod q$. (15)

Then

$C_2 - C_1 = M (T_2 - T_1) \bmod q$. (16)

Suppose that the first plaintext component is a nonce block and that the two plaintexts differ only by incrementing the nonce by one, while the remaining plaintext blocks remain unchanged. Then, except with negligible probability due to carry across the full encoded nonce, the plaintext difference is a basis vector, and the ciphertext difference reveals one entire column of the effective matrix.

For the target protocol, the useful values are $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$. If, in a given session, these values are encrypted using the same effective matrix $M$ and the same modulus $q$, then the pairs $(N_t, N_t + 1)$ and $(N_r, N_r + 1)$ each reveal the same column of $M$. The second pair serves as a built-in consistency check: a wrong identification of the effective matrix or the modulus causes the two recovered columns to disagree with overwhelming probability.

B. Why Reuse is Plausible

In a conventional cryptographic design, reuse of the same effective transform would be vanishingly unlikely. Here the situation is different. In the lightweight setting, there are only eight AM choices, only four SUEO choices, and only a limited DBLTKM-generated matrix family. As a result, repeated effective matrices are not negligible events.
Moreover, because DBLTKM explicitly includes transposition, a session may expose a column of $A$ while another session exposes a column of $A^T$, which provides additional information about the same underlying secret matrix.

C. From Effective Matrices to the Secret Matrices

The attack proceeds as follows.

1) Collect many sessions and identify those sessions in which the ciphertext pairs corresponding to $(N_t, N_t + 1)$ and $(N_r, N_r + 1)$ are consistent with the same effective matrix and the same modulus.

2) For each useful session, recover the leaked column of the corresponding effective matrix.

3) Use the DBLTKM transpose option to relate observations obtained from $A$ and $A^T$, and similarly from $B$ and $B^T$.

4) Combine these leaked columns across multiple sessions to recover three entries of each underlying $2 \times 2$ secret matrix.

5) Recover the remaining entry of each secret matrix from an ordinary ciphertext equation once the corresponding plaintext block and session modulus are known.

The key point is that the attacker does not need to classify every possible DBLTKM construction explicitly. It is sufficient to exploit those sessions in which the effective matrix is reused and the nonce-difference equations are directly applicable. In the concrete $2 \times 2$ setting, each useful session reveals one full column of the corresponding effective matrix. A leaked column of $A$ together with a leaked column of $A^T$ reveals three entries of the matrix $A$, and similarly for $B$.

To see how the remaining entry is recovered, write

$A = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$. (17)

Suppose that the attack has already recovered $a$, $b$, and $c$. Consider any ordinary ciphertext equation of the form

$\begin{pmatrix} C_1 \\ C_2 \end{pmatrix} = A \begin{pmatrix} X \\ Y \end{pmatrix} \bmod q$. (18)

Then the second row gives

$d Y \equiv C_2 - c X \pmod{q}$. (19)

Whenever $Y$ is invertible modulo $q$, the missing entry is obtained as

$d \equiv (C_2 - c X) \, Y^{-1} \pmod{q}$. (20)

Thus the nonce-difference phase only needs to recover three entries of each base matrix; the final entry follows in the subsequent plaintext/modulus recovery phase. Repeating this argument for both base matrices allows the attacker to reconstruct the full secret matrix family used by the protocol.

Remark 1. The matrix-recovery phase does not require recovering the full session modulus first. It suffices that the same effective matrix and the same modulus are used inside the session from which the column is recovered. This is the key reason we separate matrix recovery from modulus recovery.

V. RECOVERY OF CANDIDATE SESSION MODULI

After the secret matrices have been recovered, the remaining task is to identify the candidate 64-bit moduli used by the AM mechanism. Our approach is to use multi-session consistency tests to narrow the set of plausible modulus candidates and then verify them against the full protocol equations. The direct approach is to guess a 64-bit modulus and then test its correctness through decryption, but the complexity of the direct approach is high. We will reduce this complexity significantly by considering a much smaller factor of $p$.

A. Motivation for a Factor-First Search

In the target design, the AM mechanism is intended to provide eight distinct 64-bit candidate moduli derived from a common hidden quantity. In such a setting, it is natural to search first for smaller factors or residues that can be tested efficiently across many sessions, and only later reconstruct full 64-bit candidates. For a 128-bit $p$ to have eight distinct 64-bit moduli, a small factor must appear in some 64-bit modulus $q$. Suppose that the smallest factor that appears in the 64-bit moduli is 64 bits long; then there could be only two distinct 64-bit moduli.
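The Section IV steps, together with the Section III.C correctness constraint, run on constructed toy data as an added example (this is not the paper's code). It assumes 2-vector plaintexts with the nonce in the first coordinate, a prime toy modulus, and, for the final step, a ciphertext whose plaintext block $(X, Y)$ is already known, as the paper does.

```python
"""Added illustration (not the paper's code): why E(t, M, q) = M t mod q leaks a
matrix column when it encrypts n and n+1, how the DBLTKM transpose variant
supplies three entries of a 2x2 base matrix, how one ordinary ciphertext with a
known plaintext block completes it (eq. (20)), and why a coordinate above the
modulus is not recovered by decryption (Sec. III.C).  Every matrix, modulus,
nonce and secret below is a constructed toy value."""
import random


def encrypt(M, t, q):
    """E(t, M, q) = M t mod q for a 2x2 matrix M and a 2-vector t."""
    return [(M[0][0] * t[0] + M[0][1] * t[1]) % q,
            (M[1][0] * t[0] + M[1][1] * t[1]) % q]


def decrypt(M, c, q):
    """B = det(M)^{-1} adj(M) mod q, then t = B c mod q (needs gcd(det, q) = 1)."""
    det = (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % q
    inv = pow(det, -1, q)
    B = [[M[1][1] * inv % q, -M[0][1] * inv % q],
         [-M[1][0] * inv % q, M[0][0] * inv % q]]
    return encrypt(B, c, q)


def transpose(M):
    return [[M[0][0], M[1][0]], [M[0][1], M[1][1]]]


def exact_recovery(M, t, q):
    """Sec. III.C: decryption returns t itself only if every coordinate is below q;
    otherwise only the residue class t mod q comes back."""
    return decrypt(M, encrypt(M, t, q), q) == t


def leaked_column(c_n, c_n1, q):
    """Eq. (16) with T2 - T1 = (1, 0): the ciphertext difference is the first
    column of the effective matrix, provided n + 1 did not wrap past q."""
    return [(c_n1[0] - c_n[0]) % q, (c_n1[1] - c_n[1]) % q]


def session_column(c_nt, c_nt1, c_nr, c_nr1, q):
    """Both nonce pairs of one session must leak the same column; a mismatch
    means the two pairs were not under the same (matrix, modulus) state."""
    col_t = leaked_column(c_nt, c_nt1, q)
    col_r = leaked_column(c_nr, c_nr1, q)
    return col_t if col_t == col_r else None


def three_entries(col_A, col_AT):
    """Column 1 of A is (m11, m21); column 1 of A^T is (m11, m12).
    Returns (m11, m12, m21), or None when the shared entry m11 disagrees."""
    if col_A[0] != col_AT[0]:
        return None
    return col_A[0], col_AT[1], col_A[1]


def fourth_entry(m21, c2, x, y, q):
    """Eq. (20): d = (C2 - c X) Y^{-1} mod q, valid when Y is invertible mod q."""
    return ((c2 - m21 * x) * pow(y, -1, q)) % q


def demo(q=2**61 - 1, seed=7):
    """Run the Section IV steps on constructed data; True if A is rebuilt exactly."""
    rng = random.Random(seed)
    A = [[rng.randrange(1, q) for _ in range(2)] for _ in range(2)]
    S = rng.randrange(1, q)          # long-term secret coordinate, kept below q
    # Session 1: effective matrix A; (N_t, N_t+1) and (N_r, N_r+1) leak column 1 of A.
    nt, nr = rng.randrange(q - 1), rng.randrange(q - 1)
    col_A = session_column(encrypt(A, [nt, S], q), encrypt(A, [nt + 1, S], q),
                           encrypt(A, [nr, S], q), encrypt(A, [nr + 1, S], q), q)
    # Session 2: DBLTKM selected A^T; the same observation leaks column 1 of A^T.
    AT = transpose(A)
    nt2, nr2 = rng.randrange(q - 1), rng.randrange(q - 1)
    col_AT = session_column(encrypt(AT, [nt2, S], q), encrypt(AT, [nt2 + 1, S], q),
                            encrypt(AT, [nr2, S], q), encrypt(AT, [nr2 + 1, S], q), q)
    m11, m12, m21 = three_entries(col_A, col_AT)
    # One ordinary ciphertext C = A (X, Y)^T whose plaintext block is assumed known.
    c = encrypt(A, [nt, S], q)
    m22 = fourth_entry(m21, c[1], nt, S, q)
    return [[m11, m12], [m21, m22]] == A
```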
If the smallest factor that appears in the 64-bit moduli is 32 bits long, then $q$ has at most four distinct 32-bit factors, and $q$ has at most six distinct 64-bit factors. Thus some factors smaller than 32 bits must appear in some 64-bit moduli.

B. Identification of the Reduced Modulus Value $q_x$

At this stage, we do not assume that the effective matrix is symmetric. Let

$A = \begin{pmatrix} m_{11} & m_{12} \\ m_{21} & m_{22} \end{pmatrix}$, $A^T = \begin{pmatrix} m_{11} & m_{21} \\ m_{12} & m_{22} \end{pmatrix}$.

Let the long-term secret be $S = \begin{pmatrix} s_1 \\ s_2 \end{pmatrix}$. The purpose of this phase is to identify a correct reduced modulus value $q_x$ and then recover $S \bmod q_x$. The key observation is that the same long-term secret vector $S$ is reused across different sessions, while the protocol may apply either $A$ or $A^T$ in different sessions.

Suppose that in one session the protocol uses $A$ to encrypt $S$, producing ciphertext

$C^{(A)} = \begin{pmatrix} c^{(A)}_1 \\ c^{(A)}_2 \end{pmatrix} \equiv A \begin{pmatrix} s_1 \\ s_2 \end{pmatrix} \pmod{q_x}$.

This gives the reduced equations

$m_{11} s_1 + m_{12} s_2 \equiv c^{(A)}_1 \pmod{q_x}$, (21)

$m_{21} s_1 + m_{22} s_2 \equiv c^{(A)}_2 \pmod{q_x}$. (22)

Now suppose that in another session the protocol uses $A^T$ to encrypt the same long-term secret vector $S$, producing ciphertext

$C^{(A^T)} = \begin{pmatrix} c^{(A^T)}_1 \\ c^{(A^T)}_2 \end{pmatrix} \equiv A^T \begin{pmatrix} s_1 \\ s_2 \end{pmatrix} \pmod{q_x}$.

This gives

$m_{11} s_1 + m_{21} s_2 \equiv c^{(A^T)}_1 \pmod{q_x}$, (23)

$m_{12} s_1 + m_{22} s_2 \equiv c^{(A^T)}_2 \pmod{q_x}$. (24)

Since the same secret vector $S$ is used in both sessions, these equations can be combined. For example, subtracting (21) from (23) gives

$(m_{21} - m_{12}) \, s_2 \equiv c^{(A^T)}_1 - c^{(A)}_1 \pmod{q_x}$.

Hence, whenever $m_{21} - m_{12}$ is invertible modulo $q_x$, the value of $s_2 \bmod q_x$ is uniquely determined. The value of $s_1 \bmod q_x$ then follows from any independent reduced equation above. More generally, the four reduced equations (21)–(24) form an overdetermined system in the two unknowns $s_1$ and $s_2$, and a correct candidate value of $q_x$ should make this system mutually consistent.
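The reduced-equation test of this subsection on constructed toy data, as an added example that is not the paper's code. It uses only (21) and (23), since $m_{22}$ is not yet known at this stage, and assumes that the true $q_x$ divides the modulus of every session in the pairs being compared; the two prime candidates and all matrices, moduli and secrets are constructed values.

```python
"""Added illustration (not the paper's code) of the Section V.B test: for a
candidate reduced modulus q_x, reduce the A / A^T ciphertexts of the long-term
secret S modulo q_x, solve (21) and (23) for S mod q_x, and keep q_x only if
every session pair yields the same solution.  Assumption: the true q_x divides
every session modulus used in the compared pairs.  All values are constructed."""
import random
from math import gcd


def encrypt(M, t, q):
    """E(t, M, q) = M t mod q for a 2x2 matrix M and a 2-vector t."""
    return [(M[0][0] * t[0] + M[0][1] * t[1]) % q,
            (M[1][0] * t[0] + M[1][1] * t[1]) % q]


def transpose(M):
    return [[M[0][0], M[1][0]], [M[0][1], M[1][1]]]


def solve_reduced(m11, m12, m21, cA, cAT, qx):
    """(23) - (21): (m21 - m12) s2 = c1(A^T) - c1(A) (mod qx); then (21) gives s1.
    Only the three entries known from Section IV are needed.  Returns (s1, s2)
    mod qx, or None when a needed coefficient is not invertible modulo qx."""
    d = (m21 - m12) % qx
    if gcd(d, qx) != 1 or gcd(m11 % qx, qx) != 1:
        return None
    s2 = ((cAT[0] - cA[0]) * pow(d, -1, qx)) % qx
    s1 = ((cA[0] - m12 * s2) * pow(m11, -1, qx)) % qx
    return s1, s2


def consistent_secret(m11, m12, m21, pairs, qx):
    """Apply solve_reduced to every (C(A), C(A^T)) session pair.  If qx divides
    each session modulus, C mod qx = M S mod qx and all pairs agree; a wrong qx
    leaves a session-dependent multiple of q in the residues and the pairs
    disagree.  Returns the common S mod qx, or None."""
    common = None
    for cA, cAT in pairs:
        s = solve_reduced(m11, m12, m21, cA, cAT, qx)
        if s is None or (common is not None and s != common):
            return None
        common = s
    return common


def make_sessions(A, S, qx, n_pairs, rng):
    """Constructed traffic: each session picks A or A^T and a 64-bit-sized
    modulus q_i = qx * r_i, and encrypts the long-term S (coordinates below q_i)."""
    AT = transpose(A)
    pairs = []
    for _ in range(n_pairs):
        qA = qx * rng.randrange(2**43, 2**44)
        qT = qx * rng.randrange(2**43, 2**44)
        pairs.append((encrypt(A, S, qA), encrypt(AT, S, qT)))
    return pairs


def demo(seed=3):
    """Returns (S mod true qx as recovered, expected value, result for a wrong qx)."""
    rng = random.Random(seed)
    true_qx, wrong_qx = 1000003, 1000033        # two primes of about 20 bits
    A = [[rng.randrange(1, 2**64) for _ in range(2)] for _ in range(2)]
    S = [rng.randrange(1, 2**60), rng.randrange(1, 2**60)]
    pairs = make_sessions(A, S, true_qx, 4, rng)
    m11, m12, m21 = A[0][0], A[0][1], A[1][0]    # known from the Section IV phase
    expected = (S[0] % true_qx, S[1] % true_qx)
    return (consistent_secret(m11, m12, m21, pairs, true_qx), expected,
            consistent_secret(m11, m12, m21, pairs, wrong_qx))
```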
This gives a practical consistency test for candidate values of $q_x$. For each guessed $q_x$, the attacker searches among the collected sessions for one session in which $A$ is used to encrypt $S$ and another in which $A^T$ is used to encrypt the same long-term secret vector $S$. The attacker then reduces the corresponding ciphertext equations modulo $q_x$ and solves for $S \bmod q_x$. A correct guess of $q_x$ should produce mutually consistent reduced values of $S$ across multiple such session pairs, whereas an incorrect guess is generally not expected to do so.

Once the correct reduced modulus value $q_x$ has been identified, the attacker proceeds to reconstruct the corresponding candidate 64-bit modulus $q$. After $q$ is known, the remaining unknown entry of each base matrix can be recovered from the full ciphertext equations, and the remaining protocol secrets then follow by straightforward decryption.

C. Reconstructing and Verifying 64-bit Modulus Candidates

After several plausible reduced candidates have been identified, they are combined to form candidate 64-bit moduli. Because the target protocol uses only a small AM table, the number of such candidates remains manageable. The attacker can therefore enumerate the resulting 64-bit candidates and test them directly. A candidate modulus $q$ is accepted only if it passes a stronger verification step: when the full session equations are solved under $q$, the resulting recoveries of the long-term secret $S$ and the associated plaintext blocks must be mutually consistent across many sessions. In other words, the reduced-equation phase serves only to filter candidates, whereas the final decision is made using the full protocol relations.

Once the correct 64-bit modulus $q$ has been identified, the recovery of the full matrices $A$ and $B$ is immediate. The nonce-difference and transpose analysis already determines three entries of each $2 \times 2$ base matrix.
The remaining fourth entry of each matrix is then obtained from an ordinary ciphertext equation, because both the effective matrix form and the modulus are now known. Therefore, at the end of this phase, both $A$ and $B$ are fully recovered, after which the remaining protocol secrets follow by straightforward decryption.

VI. FULL RECOVERY OF THE REMAINING SECRETS

Once the full base matrices and the correct 64-bit modulus have been recovered, the remaining protocol secrets follow by straightforward decryption.

A. Recovery of Long-Term and Session Secrets

With the correct matrix and modulus available, the attacker decrypts the protocol messages and recovers

$S, \; ID, \; N_t, \; N_r$. (25)

The update values $S_d$, $S_p$, $S_c$ are then recovered from the later encrypted messages. Strictly speaking, a complete impersonation break requires only the reduced indices

$S_d \bmod 20$, $S_p \bmod 4$, $S_c \bmod 8$, (26)

because these values fully determine the next DBLTKM pattern, SUEO order, and AM modulus in the lightweight setting. However, after matrix and modulus recovery, the full encoded values can also be obtained.

B. Complete Protocol Compromise

At this point the attacker can compute the same next-state updates as the legitimate parties, decrypt future traffic, and forge valid messages. Hence the protocol is fully broken in the standard operational sense: confidentiality of the protocol state is lost, mutual authentication can be bypassed, and future sessions can be predicted or impersonated.

C. Complexity of the Attack

The practicality of the attack relies on the small state space of the target design. The cost is dominated by collecting enough sessions to observe repeated effective matrices and by the search over candidate reduced modulus values.
This search is pruned by a multi-session consistency test, which discards candidate reduced modulus values that do not yield mutually consistent reduced solutions for $S$ across sessions. Since the AM table contains only a small number of candidate 64-bit moduli and SUEO has only four orderings in the lightweight regime, the overall search remains manageable.

In Section IV, the probability that the same effective matrix $A$ and the same modulus $q$ are used to encrypt $N_t$, $N_r$, $N_t + 1$, and $N_r + 1$ in a given session is $\frac{1}{4} \times \frac{1}{8} = \frac{1}{32}$. The same probability applies to $A^T$, and likewise to $B$ and $B^T$. Therefore, any one target configuration of this form is expected to appear once every roughly 32 sessions on average. Consequently, the attacker must collect a moderate number of sessions until all required matrix/modulus configurations have appeared. The computational work in this phase is negligible compared with the session collection cost.

In Section V, the main computational cost is the search over candidate values of $q_x$. Under the structural assumption that one relevant factor of a 64-bit modulus has size at most 32 bits, the attacker tests at most about $2^{32}$ candidate values. For each candidate $q_x$, the attacker checks consistency across a small number of useful session instances by solving small modular linear systems for $S \bmod q_x$. Since a useful configuration appears with probability about $1/32$, only a moderate number of such systems need to be tested per guess; for example, testing around 128 small systems per candidate gives a total computational effort on the order of $2^{32} \cdot 128 = 2^{39}$ small modular linear-system checks, and the correct guess is expected to yield about four mutually consistent reduced solutions on average.
In Section VI, once the correct modulus and the required matrix entries have been identified, the remaining recovery steps involve only straightforward solution of a few small linear equations and direct decryption of the remaining protocol values. Hence the computational cost of this phase is negligible compared with the session-collection cost of Section IV and the candidate search in Section V.

Overall, the attack requires collecting a moderate number of sessions until the necessary matrix/modulus configurations appear, and then performing about $2^{39}$ small modular consistency checks in the reduced-modulus search phase. Thus the dominant computational complexity is the Section V search, while the dominant data complexity is the session collection in Section IV.

VII. DISCUSSION

Our attack highlights a general lesson that extends beyond the target protocol. Replacing standard cryptographic primitives with highly structured linear transformations often produces designs that look combinatorially rich but are in fact extremely small once implementation constraints are taken into account. In the present case, the requirement of lightweight deployment forces the number of secret matrices to remain tiny. As a result, the advertised update mechanisms do not provide a cryptographically meaningful state space.

A second lesson is that correctness constraints matter. If a protocol claims to encrypt and decrypt 128-bit values modulo a 64-bit modulus, then either a special encoding must be specified or exact decryption is impossible. Any cryptanalysis of such a design must therefore consider not only the nominal bitlengths claimed in the protocol description but also the actual coordinate ranges required for correctness.

Finally, the target protocol illustrates the danger of using transposition and block-diagonal composition as a substitute for real diffusion.
These operations do not hide the linear structure; instead, they create algebraic relations that can be exploited across sessions.

VIII. CONCLUSION

We have presented a cryptanalysis of a recently proposed lightweight RFID authentication protocol based on AM, SUEO, and DBLTKM matrix updates. Our analysis shows that the protocol has a very small effective state space in the concrete lightweight setting, suffers from a correctness inconsistency in its treatment of 128-bit values under 64-bit modular encryption, and is vulnerable to a practical multi-session algebraic attack. By leveraging repeated use of the same effective matrix and modulus, we recover columns of the effective matrices from the encryptions of $N_t$, $N_t + 1$, $N_r$, and $N_r + 1$. Using transpose relations across sessions, we recover three entries of each underlying secret matrix, and then determine the remaining entries from ordinary ciphertext equations once the corresponding plaintext blocks and moduli are known. We then use multi-session consistency tests on reduced equations for the long-term secret S to identify candidate session moduli, which are subsequently verified against the full protocol equations and used to recover the remaining protocol secrets.

These results indicate that the security claims of the target protocol do not hold in the lightweight parameter regime advocated by its authors. More broadly, our work emphasizes that lightweight authentication protocols must be evaluated not merely by storage savings or combinational key-space counts, but by rigorous cryptanalysis of their actual algebraic structure.
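The mechanism behind the Discussion's last point and the Conclusion's summary (a column leaked by consecutive nonces, a row leaked by the transposed session, the last entry from one ordinary ciphertext), worked through on a toy 2x2 linear cipher as an added example; this is not the paper's code. The encoding of a 128-bit value as a (high word, low word) pair, the coordinate in which the +1 lands, the stand-in modulus Q and all function names are assumptions of the example, not details taken from the paper.

```python
"""Toy 2x2 linear cipher showing (i) why ciphertexts of N and N+1 under the
same effective matrix leak a column, (ii) why a session using the transpose
leaks a row of the same secret matrix, and (iii) how the last entry follows
from one ordinary known-plaintext ciphertext.  Added example, not the paper's
code; the (high, low) encoding and the modulus are assumptions.
"""
import random

Q = (1 << 64) - 59   # assumption: stand-in session modulus (a 64-bit prime)


def mat_vec(M, v, q):
    """c = M * v mod q for a 2x2 matrix and a 2-vector."""
    return [(M[i][0] * v[0] + M[i][1] * v[1]) % q for i in range(2)]


def transpose(M):
    return [[M[0][0], M[1][0]], [M[0][1], M[1][1]]]


def encode(n):
    """Assumed plaintext encoding: 128-bit value -> (high word, low word).
    Both coordinates must lie below q for decryption to be exact, which is
    the correctness constraint raised in Section VII."""
    return [n >> 64, n & ((1 << 64) - 1)]


def leaked_column(c_n, c_n1, q):
    """encode(n+1) - encode(n) = (0, 1) when the low word does not wrap, so
    c(n+1) - c(n) = M * (0,1)^T = column 1 of M, without knowing n."""
    return [(c_n1[i] - c_n[i]) % q for i in range(2)]


def merge_entries(col_A, col_AT):
    """Column 1 of A is (a01, a11); column 1 of A^T is row 1 of A, (a10, a11).
    Together they fix three of the four entries; the shared a11 is a check."""
    a01, a11 = col_A
    a10, a11_check = col_AT
    if a11 != a11_check:
        return None
    return {(0, 1): a01, (1, 0): a10, (1, 1): a11}


def recover_last_entry(known, m, c, q):
    """From c[0] = a00*m0 + a01*m1 (mod q) with known plaintext m, solve a00."""
    if m[0] % q == 0:
        return None                      # this block gives no unique solution
    return (c[0] - known[(0, 1)] * m[1]) * pow(m[0], -1, q) % q


def demo(seed=7):
    """Constructed run over three sessions; returns (true A, recovered A)."""
    rng = random.Random(seed)
    A = [[rng.randrange(1, Q) for _ in range(2)] for _ in range(2)]
    # constructed nonces: nonzero high word, low word < 2**60 so N+1 cannot wrap
    N_t = ((rng.getrandbits(63) | 1) << 64) | rng.getrandbits(60)
    N_r = ((rng.getrandbits(63) | 1) << 64) | rng.getrandbits(60)

    # session 1: effective matrix A encrypts N_t and N_t + 1
    col_A = leaked_column(mat_vec(A, encode(N_t), Q),
                          mat_vec(A, encode(N_t + 1), Q), Q)
    # session 2: effective matrix A^T encrypts N_r and N_r + 1
    AT = transpose(A)
    col_AT = leaked_column(mat_vec(AT, encode(N_r), Q),
                           mat_vec(AT, encode(N_r + 1), Q), Q)
    known = merge_entries(col_A, col_AT)
    # session 3: an ordinary ciphertext under A whose plaintext block is known
    m = encode(N_r)
    c = mat_vec(A, m, Q)
    a00 = recover_last_entry(known, m, c, Q)
    return A, [[a00, known[(0, 1)]], [known[(1, 0)], known[(1, 1)]]]


if __name__ == "__main__":
    A, R = demo()
    print("recovered == secret:", R == A)
```

Nothing here depends on the nonce values themselves: the column falls out of a ciphertext difference, the transpose turns that column into a row of the original matrix, and a single known plaintext block closes the system. That is the sense in which transposition adds relations rather than hiding them.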
