> The article misses one of the design goals that's pretty obvious if you look at the reverse-engineered Airtag protocol: they don't do any public key cryptography at all on the tag itself. And the reason for that is that it would wreck their battery life.
>
> Anything that relies on "attestation" violates that constraint.
Article author here. Thanks for making this point.
I agree that you want to minimize the amount of ECC on the tag and certainly you don't want each advertisement to require a separate EC op. However, I don't think the requirement is no crypto on the tag.
1. Each time you change keys (every 15 minutes in detached mode) you have to some EC crypto ops.
2. You could require attestation only prior to reporting, thus keeping the cost fairly low. Note that this does allow a nearby attacker to force you to do crypto but they can also cause you to run the speaker, which consumes power.
There is a paper called BlindMy that points out you can have Apple do the attestation using blind signatures over the tag broadcasts, then store the signed messages on the tag. Requires more RAM but the blind signing protocol actually can be run by a phone, so doesn’t really stress the system. Particularly when the identifier only changes once per day, so only 365 signatures per year. https://petsymposium.org/popets/2023/popets-2023-0006.php
PS Changing the identifier once per day is very bad for privacy.
Article author here. Thanks for making this point.
I agree that you want to minimize the amount of ECC on the tag and certainly you don't want each advertisement to require a separate EC op. However, I don't think the requirement is no crypto on the tag.
1. Each time you change keys (every 15 minutes in detached mode) you have to some EC crypto ops. 2. You could require attestation only prior to reporting, thus keeping the cost fairly low. Note that this does allow a nearby attacker to force you to do crypto but they can also cause you to run the speaker, which consumes power.