Recently, a two-way RFID authentication protocol based on the AM-SUEO-DBLTKM variable matrix encryption algorithm was proposed for low-cost mobile RFID systems. Its design combines adaptive modulus selection, self-updating matrix ordering, and transpose/block-based matrix generation. In this paper, we show that the protocol has structural weaknesses. First, the underlying primitive remains a linear transformation modulo a session modulus, with no nonlinear confusion layer and no ciphertext chaining. Second, in the lightweight setting emphasized by the original paper, the update space is very small: there are only a few modulus choices, only four matrix-order choices when two secret matrices are used, and only a limited family of DBLTKM-generated matrices. Third, the correctness requirements of the protocol impose nontrivial constraints on the sizes of the modulus and plaintext coordinates, weakening the claimed entropy of the secret quantities. Building on these observations, we describe a multi-session algebraic attack path. Under repeated reuse of the same matrix and modulus -- an event plausible because of the small update space -- ciphertexts corresponding to $N_t$, $N_t+1$, $N_r$, and $N_r+1$ reveal a full column of the matrix. Across sessions, transpose-based matrix generation helps recover additional entries of the secret matrices, while the remaining entries can be obtained later from ordinary ciphertext equations. We then show that candidate factors of the session moduli can be tested by solving reduced equations for secret $S$ across many sessions and checking for mutually consistent solutions. This, in turn, enables recovery of candidate 64-bit moduli and the remaining protocol secrets. Taken together, our results indicate that the protocol is structurally insecure and admits a realistic route to full compromise in the lightweight parameter regime advocated for deployment.
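To make the first step of the attack path concrete, the following is an added toy model written for this note, not the protocol's own AM-SUEO-DBLTKM code: it assumes encryption is the purely linear map c = M·p (mod n) with the nonce split into little-endian limbs, and shows why ciphertexts of N and N+1 under a reused (matrix, modulus) pair expose a full column of M, with the low-limb carry handled as the one case where a single pair does not.

```python
# Toy model (assumption, not the AM-SUEO-DBLTKM design): a secret k x k matrix M
# and a session modulus n; encryption is c = M * p (mod n), where p is the nonce
# split into k little-endian limbs of `limb_bits` bits. All values are constructed.
from typing import List, Optional

Vec = List[int]
Mat = List[List[int]]

def to_limbs(x: int, k: int, limb_bits: int) -> Vec:
    """Split integer x into k little-endian limbs, each < 2**limb_bits.
    For unique decryption every limb must be < n (the size constraint noted above)."""
    mask = (1 << limb_bits) - 1
    return [(x >> (i * limb_bits)) & mask for i in range(k)]

def encrypt(M: Mat, n: int, p: Vec) -> Vec:
    """Purely linear transformation: no nonlinear confusion layer, no chaining."""
    return [sum(M[i][j] * p[j] for j in range(len(p))) % n for i in range(len(M))]

def column_from_pair(c_n: Vec, c_n1: Vec, n: int) -> Vec:
    """With (M, n) reused, c(N+1) - c(N) = M * e_0 = first column of M (mod n),
    provided incrementing N does not carry out of the lowest limb."""
    return [(a - b) % n for a, b in zip(c_n1, c_n)]

def leaked_column(M: Mat, n: int, N: int, k: int, limb_bits: int) -> Optional[Vec]:
    """Column of M exposed by the ciphertexts of N and N+1, or None when N+1
    carries into the next limb (then the difference is a combination of columns)."""
    p0 = to_limbs(N, k, limb_bits)
    if p0[0] == (1 << limb_bits) - 1:
        return None
    c0 = encrypt(M, n, p0)
    c1 = encrypt(M, n, to_limbs(N + 1, k, limb_bits))
    return column_from_pair(c0, c1, n)

def first_column(M: Mat, n: int) -> Vec:
    """Ground truth for comparison: the secret matrix's first column mod n."""
    return [row[0] % n for row in M]

if __name__ == "__main__":
    M = [[7, 3, 11], [2, 13, 5], [9, 4, 6]]   # constructed secret matrix
    n = 257                                   # constructed session modulus (> 2**8)
    N_t = 0x0A1B2C                            # constructed tag nonce, 3 limbs of 8 bits
    print(leaked_column(M, n, N_t, 3, 8) == first_column(M, n))   # True
    print(leaked_column(M, n, 0x0A1BFF, 3, 8))                    # None: low limb carries
```

A second pair such as (N_r, N_r+1) gives the same column again, so it serves as a consistency check that the matrix and modulus really were reused between the two sessions.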