The Cracking of WalnutDSA: A Survey
Abstract
:1. Introduction
2. Braid Group Cryptography
2.1. Cryptographic Constructions Using Braid Groups
2.2. Computational Problems in Braid Groups
- Conjugacy Decision Problem (CDP). Given determine whether they are conjugate, i.e., whether there exists such that
- Conjugacy Search Problem (CSP). Given known to be conjugate, compute such that
- Braid Diffie–Hellman Decision Problem (BDHDP). Given such that there exist satisfying and with , determine whether
- Braid Diffie–Hellman Search Problem (BDHSP). Given such that there exist satisfying and with , compute
- Multiple Simultaneous Conjugacy Search Problem (MSCSP). Given k pairs of elements such that they are all conjugates with respect to the same braid, find such a conjugating braid, i.e., compute such that for all .
- Decomposition Problem (DP). Let G be a fixed subgroup of . Given , find such that
- Root Extraction Problem (REP). For and such that there exists with compute such a braid
- (i)
- find representatives and
- (ii)
- compute elements of (storing the corresponding witnesses) until either:
- (a)
- is found as an element of proving A and B to be conjugate and providing a conjugating element or
- (b)
- the entire set is constructed without finding proving that A and B are not conjugate.
3. Basics on Signature Schemes
- the key generation algorithm, is a probabilistic algorithm that takes as input (for a security parameter ) and returns a pair of public and secret keys, from a designated key space of polynomial size in
- Σ, the signing algorithm, is a probabilistic algorithm that takes as input a given message (for a fixed message space) and a secret key and returns a signature (also assumed to belong to a prescribed set of polynomial size in λ). ss of generality, we can assume that each consists of bitstrings of polynomial size in λ. In the sequel, we often drop the subscript λ for the sake of readability
- the verification algorithm, is a deterministic algorithm that takes as input a given signature , a message , and a public key and outputs a bit in , checking if is a valid signature of m with respect to .
3.1. Security Notions for Signature Schemes
- Existential Forgery (EF): tries to produce a valid signature for a message not necessarily adversarial chosen.
- Selective Forgery (SF): tries to produce a valid signature for some adversarial chosen fixed message m.
- Universal Forgery (UF): aims at producing a valid signature for any given message.
- Total Break (TB): tries to retrieve, from the public information, a legitimate signer’s secret key.
- No Message Attack (NMA): only knows the public parameters (in particular, the public signing key).
- Random Message Attack (RMA): is given signatures on a sequence of messages selected uniformly at random.
- Chosen Message Attack (CMA): is given access to a signing oracle, which signs any message chosen by . Queries to this oracle can be adaptive, i.e., may adapt the input messages based on previous output signatures.
4. Scheme Description
4.1. Message Encoding
4.1.1. Braids
4.1.2. Encoding
4.2. Key Generation
4.2.1. Colored Burau Representation of the Braid Groups
4.2.2. E-Multiplication
4.2.3. Key Generation Mechanism
- such that , , and for some ,
- , and
- the matrix component of , denoted by , that is, .
4.3. Signature Generation and Verification
4.3.1. Cloaking Elements
4.3.2. Signature Generation
4.3.3. Signature Verification
5. Cryptanalysis of WalnutDSA
5.1. Factoring Attacks
5.1.1. Factoring For Universal Forgeries: The Attacks by Hart Et Al., and Beullens and Blackburn
- 1.
- If and is a valid signature for , then is a valid signature for m.
- 2.
- If and , are valid signatures for and , respectively, then is a valid signature for m.
- 1.
- If and is a valid signature for under the public key , then is a valid signature for m under the public key .
- 2.
- If and are valid signatures for and under the public keys and , respectively, then is a valid signature for m under the public key .
5.1.2. Factoring Using the Garside Normal Form
- , up to multiplications with elements in the center of
5.2. Collision Attacks
5.3. Reversing E-Multiplication
5.3.1. Generic Birthday Attack
5.3.2. Subgroup Chain Attack
5.4. Uncloaking Signatures
- Step 1. The attacker collects k pairs where each is a valid signature for computed with the same secret key . Each signature is a braid with the form:
- Step 2. The attacker, using a heuristic procedure described in [25], is able to remove the cloaking elements from the signatures, that is compute braids . It is worth pointing out that Kotov, Menshov, and Ushakov reported a high success rate for their uncloaking algorithm, close to 80% or 100%, depending on the type of cloaking elements used (see Table 2).
- Step 3. The attacker computes the products . Note that these are:
- Step 4. The attacker sets for i of its choice. Under certain conditions, works as an alternative secret key to , in the sense that it produces a valid signature for any message. Moreover, as a braid word, this signature equals the one produced with the original key. This implies that the attack cannot be avoided by limiting the size of accepted signatures. In order to decide if the alternative key works as intended, Kotov, Menshov, and Ushakov generated signatures for 10 random messages and checked their validity.
6. Final Remarks
Author Contributions
Funding
Conflicts of Interest
References
- Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms. Available online: https://csrc.nist.gov/News/2016/Public-Key-Post-Quantum-Cryptographic-Algorithms (accessed on 19 December 2016).
- Persichetti, E. Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment. Cryptography 2018, 2, 30. [Google Scholar] [CrossRef]
- Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Whyte, W. Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign. In The LLL Algorithm—Survey and Applications; Nguyen, P.Q., Vallée, B., Eds.; Information Security and Cryptography; Springer: Berlin, Germany, 2010; pp. 349–390. [Google Scholar] [CrossRef]
- Jalali, A.; Azarderakhsh, R.; Kermani, M.M.; Campagna, M.; Jao, D. Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors. IACR Cryptol. ePrint Arch. 2019, 2019, 331. [Google Scholar]
- Garber, D. Braid Group Cryptography; World Scientific: Singapore, 2007. [Google Scholar]
- Anshel, I.; Anshel, M.; Goldfeld, D. An algebraic method for public-key cryptography. Math. Res. Lett. 1999, 6, 287–292. [Google Scholar] [CrossRef]
- Ko, K.; Lee, S.; Cheon, J.; Han, J.; Kang, J.; Park, C. New Public-Key Cryptosystem using Braid Groups. In Advances in Cryptology, Proceedings of CRYPTO 2000; Lecture Notes in Computer Science; Springer: Santa Barbara, CA, USA, 2000; Volume 1880, pp. 166–183. [Google Scholar]
- Birman, J.; Gebhardt, V.; González-Meneses, J. Conjugacy in Garside groups I: Periodic braids. J. Algebra 2007, 2, 746–776. [Google Scholar] [CrossRef]
- Katz, J. Digital Signatures; Springer: Berlin, Germany, 2010. [Google Scholar]
- Goldwasser, S.; Bellare, M. Lecture Notes on Cryptography; MIT: Hong Kong, China, 2001. [Google Scholar]
- Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. WalnutDSATM: A Quantum Resistant Digital Signature Algorithm. IACR Cryptol. ePrint Arch. 2017, 2017, 58. [Google Scholar]
- Artin, E. Theory of braids. Ann. Math. 1947, 48, 101–126. [Google Scholar] [CrossRef]
- Anshel, I.; Anshel, M.; Goldfeld, D.; Lemieux, S. Key agreement, the Algebraic EraserTM, and Lightweight Cryptography. In Algebraic Methods in Cryptography, Contemp. Math.; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 1–34. [Google Scholar]
- Birman, J.S.; Cannon, J. Braids, Links, and Mapping Class Groups, Annals of Mathematics Studies; Princeton University Press: Princeton, NJ, USA, 1974. [Google Scholar]
- Artin, M. Algebra; Prentice Hall: Upper Saddle River, NJ, USA, 1991. [Google Scholar]
- Birman, J.S.; Ko, K.H.; Lee, S.J. A new approach to the word and conjugacy problems in the braid groups. Adv. Math. 1998, 139, 322–353. [Google Scholar] [CrossRef]
- Dehornoy, P. A fast method for comparing braids. Adv. Math. 1997, 125, 200–235. [Google Scholar] [CrossRef]
- Morton, H.R. The multivariable Alexander polynomial for a closed braid. In Lower Dimensional Topology, (Funchal, 1998); American Mathematical Society: Providence, RI, USA, 2006; Volume 233, pp. 167–172. [Google Scholar]
- Hart, D.; Kim, D.; Micheli, G.; Pascual-Perez, G.; Petit, C.; Quek, Y. A Practical Cryptanalysis of WalnutDSA TM. In Proceedings of the Public-Key Cryptography—PKC 2018—21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018; Part I—Lecture Notes in Computer Science. Abdalla, M., Dahab, R., Eds.; Springer: Berlin, Germany, 2018; Volume 10769, pp. 381–406. [Google Scholar] [CrossRef]
- Beullens, W.; Blackburn, S.R. Practical Attacks Against the Walnut Digital Signature Scheme. In Proceedings of the Advances in Cryptology—ASIACRYPT 2018—24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, 2–6 December 2018; Part I—Lecture Notes in Computer, Science. Peyrin, T., Galbraith, S.D., Eds.; Springer: Berlin, Germany, 2018; Volume 11272, pp. 35–61. [Google Scholar] [CrossRef]
- Merz, S.; Petit, C. Factoring Products of Braids via Garside Normal Form. In Public Key Cryptography (2); Lecture Notes in Computer Science; Springer: Berlin, Germany, 2019; Volume 11443, pp. 646–678. [Google Scholar]
- Paris, L. Braid groups and Artin groups. arXiv 2007, arXiv:math.GR/0711, 2372. [Google Scholar]
- Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA (TM). IACR Cryptol. ePrint Arch. 2019, 2019, 472. [Google Scholar]
- van Oorschot, P.C.; Wiener, M.J. Parallel Collision Search with Cryptanalytic Applications. J. Cryptol. 1999, 12, 1–28. [Google Scholar] [CrossRef] [Green Version]
- Kotov, M.; Menshov, A.; Ushakov, A. An attack on the Walnut digital signature algorithm. Des. Codes Cryptogr. 2019, 1–20. [Google Scholar] [CrossRef]
- Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. The Walnut Digital Signature Algorithm™ Specifcation. Submitted to NIST PQC Project; 2017. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions (accessed on 7 July 2019).
- Comments to WalnutDSA™ Proposal to NIST PQCProject. Available online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/WalnutDSA-official-comment.pdf (accessed on 7 July 2019).
- Kotov, M.; Menshov, A.; Ushakov, A. Attack on Kayawood Protocol: Uncloaking Private Keys. IACR Cryptol. ePrint Arch. 2018, 2018, 604. [Google Scholar]
- Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Kayawood, a Key Agreement Protocol. IACR Cryptol. ePrint Arch. 2017, 2017, 1162. [Google Scholar]
N | Periodic Sequence S | Recommended q | |
---|---|---|---|
10 | 82 | — | |
12 | 122 |
Encoding | Cloaking Elements | 128-Bit | 256-Bit | 256-Bit with |
---|---|---|---|---|
Original | 80% | 77% | 76% | |
Original | 100% | 100% | 100% | |
Alternative proposed in [27] | 77% | 81% | 81% | |
Alternative proposed in [27] | 97% | 98% | 100% |
© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).
Share and Cite
Escribano Pablos, J.I.; González Vasco, M.I.; Marriaga, M.E.; Pérez del Pozo, Á.L. The Cracking of WalnutDSA: A Survey. Symmetry 2019, 11, 1072. https://doi.org/10.3390/sym11091072
Escribano Pablos JI, González Vasco MI, Marriaga ME, Pérez del Pozo ÁL. The Cracking of WalnutDSA: A Survey. Symmetry. 2019; 11(9):1072. https://doi.org/10.3390/sym11091072
Chicago/Turabian StyleEscribano Pablos, José Ignacio, María Isabel González Vasco, Misael Enrique Marriaga, and Ángel Luis Pérez del Pozo. 2019. "The Cracking of WalnutDSA: A Survey" Symmetry 11, no. 9: 1072. https://doi.org/10.3390/sym11091072