# The Cracking of WalnutDSA: A Survey

## Abstract

## 1. Introduction

**Paper roadmap:** We start with a short section reviewing the history of braid group cryptography, followed by a section explaining the basics on signature schemes. Then, we give a comprehensive description of WalnutDSA in Section 4. Section 5 is devoted to the various attack strategies deployed against WalnutDSA: from the early factoring attacks (see Section 5.1), to collision attacks (Section 5.2), attempts to undermine the (claimed) one-wayness of the underlying E-multiplication function (Section 5.3), and finally, the recent (and probably the most devastating) attack aiming at the recovery of an alternative secret key by solving a certain rewriting problem (see Section 5.4). The survey wraps up with a short conclusion section.

## 2. Braid Group Cryptography

#### 2.1. Cryptographic Constructions Using Braid Groups

#### 2.2. Computational Problems in Braid Groups

- Conjugacy Decision Problem (CDP). Given $A,B\in {B}_{n},$ determine whether they are conjugate, i.e., whether there exists $X\in {B}_{n}$ such that $A={X}^{-1}BX.$
- Conjugacy Search Problem (CSP). Given $A,B\in {B}_{n},$ known to be conjugate, compute $X\in {B}_{n}$ such that $A={X}^{-1}BX.$
- Braid Diffie–Hellman Decision Problem (BDHDP). Given $A,B,C,D\in {B}_{n},$ such that there exist $X,Y\in {B}_{n}$ satisfying $B={X}^{-1}AX$ and $C={Y}^{-1}AY,$ with $XY=YX$, determine whether $D={Y}^{-1}{X}^{-1}AXY.$
- Braid Diffie–Hellman Search Problem (BDHSP). Given $A,B,C\in {B}_{n},$ such that there exist $X,Y\in {B}_{n}$ satisfying $B={X}^{-1}AX$ and $C={Y}^{-1}AY,$ with $XY=YX$, compute $D={Y}^{-1}{X}^{-1}AXY.$
- Multiple Simultaneous Conjugacy Search Problem (MSCSP). Given k pairs of elements $({U}_{i},{W}_{i})\in {B}_{n}^{2},$ such that they are all conjugates with respect to the same braid, find such a conjugating braid, i.e., compute $X\in {B}_{n}$ such that ${W}_{i}={X}^{-1}{U}_{i}X,$ for all $i=1,\cdots ,k$.
- Decomposition Problem (DP). Let G be a fixed subgroup of ${B}_{n}$. Given $A,B\in {B}_{n}$, find $X,Y\in G$ such that $B=XAY.$
- Root Extraction Problem (REP). For $A\in {B}_{n}$ and $r\in \mathbb{N}$ such that there exists $B\in {B}_{n}$ with $A={B}^{r},$ compute such a braid $B.$

- (i) find representatives $\widehat{A}\in {I}_{A}$ and $\widehat{B}\in {I}_{B};$
- (ii) compute elements of ${I}_{A}$ (storing the corresponding witnesses) until either:
  - (a) $\widehat{B}$ is found as an element of ${I}_{A},$ proving A and B to be conjugate and providing a conjugating element, or
  - (b) the entire set ${I}_{A}$ is constructed without finding $\widehat{B},$ proving that A and B are not conjugate.

## 3. Basics on Signature Schemes

**Definition 1.**

- $\mathcal{G},$ the key generation algorithm, is a probabilistic algorithm that takes as input ${\mathbf{1}}^{\lambda}$ (for a security parameter $\lambda \in \mathbb{N}$) and returns a pair $(\mathbf{pk},\mathbf{sk})$ of public and secret keys, from a designated key space of polynomial size in $\lambda .$
- $\Sigma,$ the signing algorithm, is a probabilistic algorithm that takes as input a given message $m\in {\mathcal{M}}_{\lambda}$ (for a fixed message space) and a secret key $\mathbf{sk}$ and returns a signature $\mathtt{sig}$ (also assumed to belong to a prescribed set of polynomial size in λ). Without loss of generality, we can assume that each ${\mathcal{M}}_{\lambda}$ consists of bitstrings of polynomial size in λ. In the sequel, we often drop the subscript λ for the sake of readability.
- $\mathcal{V},$ the verification algorithm, is a deterministic algorithm that takes as input a given signature $\mathtt{sig}$, a message $m\in {\mathcal{M}}_{\lambda}$, and a public key $\mathbf{pk}$ and outputs a bit in $\{0,1\}$, checking if $\mathtt{sig}$ is a valid signature of m with respect to $\mathbf{pk}$.

#### 3.1. Security Notions for Signature Schemes

- Existential Forgery (EF): $\mathcal{A}$ tries to produce a valid signature for a message $m,$ not necessarily adversarially chosen.
- Selective Forgery (SF): $\mathcal{A}$ tries to produce a valid signature for some adversarially chosen fixed message m.
- Universal Forgery (UF): $\mathcal{A}$ aims at producing a valid signature for any given message.
- Total Break (TB): $\mathcal{A}$ tries to retrieve, from the public information, a legitimate signer’s secret key.

- No Message Attack (NMA): $\mathcal{A}$ only knows the public parameters (in particular, the public signing key).
- Random Message Attack (RMA): $\mathcal{A}$ is given signatures on a sequence of messages selected uniformly at random.
- Chosen Message Attack (CMA): $\mathcal{A}$ is given access to a signing oracle, which signs any message chosen by $\mathcal{A}$. Queries to this oracle can be adaptive, i.e., $\mathcal{A}$ may adapt the input messages based on previous output signatures.

**Definition 2.**

**Definition 3.**

**Definition 4.**

## 4. Scheme Description

#### 4.1. Message Encoding

#### 4.1.1. Braids

#### 4.1.2. Encoding

#### 4.2. Key Generation

#### 4.2.1. Colored Burau Representation of the Braid Groups

#### 4.2.2. E-Multiplication

**Definition 5.**

#### 4.2.3. Key Generation Mechanism

- $\mathcal{T}=\{{y}_{1},{y}_{2},\dots ,{y}_{N}\}\subset {\mathbb{F}}_{q}$ such that ${y}_{i}\ne 0$, $1\le i\le N$, and ${y}_{a}={y}_{b}=1$ for some $1\le a,b\le N$,
- $\mathcal{P}\left({s}_{1}\right)$, and
- the matrix component of $\mathcal{P}\left({s}_{2}\right)$, denoted by $\mathtt{mat}\left(\mathcal{P}\left({s}_{2}\right)\right)$, that is, $\mathtt{mat}\left(\mathcal{P}\left({s}_{2}\right)\right)$.

#### 4.3. Signature Generation and Verification

#### 4.3.1. Cloaking Elements

**Definition 6.**

**Proposition 1.**

#### 4.3.2. Signature Generation

#### 4.3.3. Signature Verification

## 5. Cryptanalysis of WalnutDSA

#### 5.1. Factoring Attacks

**Definition 7.** Let G be a group; let $\Gamma =\{{g}_{1},\cdots ,{g}_{\gamma}\}$ be a generating set for G; and let $h\in G$. Find an integer L and sequences $({k}_{1},\cdots ,{k}_{L})\in {\{1,\cdots ,\gamma \}}^{L}$ and $({\epsilon}_{1},\cdots ,{\epsilon}_{L})\in {\{\pm 1\}}^{L}$ such that:

#### 5.1.1. Factoring For Universal Forgeries: The Attacks by Hart Et Al., and Beullens and Blackburn

**Theorem 1.** Consider the version of WalnutDSA where it holds that ${s}_{1}={s}_{2}.$ Suppose m, ${m}_{1}$, ${m}_{2}$ are three messages. Let h, ${h}_{1}$, ${h}_{2}$ be the matrix part of $\mathcal{P}\left(E\left(H\left(m\right)\right)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{1}\right)\right)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{2}\right)\right)\right)$, respectively. Then,

1. If $h={h}_{1}^{-1}$ and ${\mathtt{sig}}_{1}$ is a valid signature for ${m}_{1}$, then ${\mathtt{sig}}_{1}^{-1}$ is a valid signature for m.
2. If $h={h}_{1}\cdot {h}_{2}$ and ${\mathtt{sig}}_{1}$, ${\mathtt{sig}}_{2}$ are valid signatures for ${m}_{1}$ and ${m}_{2}$, respectively, then ${\mathtt{sig}}_{1}\cdot {\mathtt{sig}}_{2}$ is a valid signature for m.

**Theorem 2.** Suppose m, ${m}_{1}$, ${m}_{2}$ are three messages. Let h, ${h}_{1}$, ${h}_{2}$ be the matrix part of $\mathcal{P}\left(E\left(H\left(m\right)\right)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{1}\right)\right)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{2}\right)\right)\right)$, respectively. Let ${s}_{1}$, ${s}_{2}$, ${s}_{3}\in {B}_{N}$ be three braids. Then,

1. If $h={h}_{1}^{-1}$ and ${\mathtt{sig}}_{1}$ is a valid signature for ${m}_{1}$ under the public key $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{2}\right))$, then ${\mathtt{sig}}_{1}^{-1}$ is a valid signature for m under the public key $(\mathcal{P}\left({s}_{2}\right),\mathcal{P}\left({s}_{1}\right))$.
2. If $h={h}_{1}\cdot {h}_{2}$ and ${\mathtt{sig}}_{1}$, ${\mathtt{sig}}_{2}$ are valid signatures for ${m}_{1}$ and ${m}_{2}$ under the public keys $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{2}\right))$ and $(\mathcal{P}\left({s}_{2}\right),\mathcal{P}\left({s}_{3}\right))$, respectively, then ${\mathtt{sig}}_{1}\cdot {\mathtt{sig}}_{2}$ is a valid signature for m under the public key $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{3}\right))$.

#### 5.1.2. Factoring Using the Garside Normal Form

- $A={A}^{\prime}$, $C={C}^{\prime}$ up to multiplications with elements in the center of ${B}_{N}$
- $AC={A}^{\prime}{C}^{\prime}.$

**Theorem 3.** Let ${W}_{1}\cdot E\left(H\left(m\right)\right)\cdot {W}_{2}\in {B}_{N}$ be a valid signature for some message m, and let ${W}_{1}^{\prime}$, ${W}_{2}^{\prime}\in {B}_{N}$ such that ${W}_{1}^{\prime}\equiv {W}_{1} \bmod {\Delta}^{2}$, ${W}_{2}^{\prime}\equiv {W}_{2} \bmod {\Delta}^{2}$, and ${W}_{1}\cdot {W}_{2}={W}_{1}^{\prime}\cdot {W}_{2}^{\prime}$. Then,

#### 5.2. Collision Attacks

#### 5.3. Reversing E-Multiplication

**Definition 8.** Given a pair $(M,\sigma )\in {\mathrm{GL}}_{N}\left({\mathbb{F}}_{q}\right)\times {S}_{N}$, such that $(M,\sigma )=\mathcal{P}\left(s\right)$ for some braid $s\in {B}_{N}$, find a braid ${s}^{\prime}\in {B}_{N}$ such that $\mathcal{P}\left({s}^{\prime}\right)=(M,\sigma )$.

#### 5.3.1. Generic Birthday Attack

#### 5.3.2. Subgroup Chain Attack

#### 5.4. Uncloaking Signatures

**Step 1.** The attacker collects k pairs ${\left\{({m}_{i},{\mathtt{sig}}_{i})\right\}}_{i=1}^{k}$ where each ${\mathtt{sig}}_{i}$ is a valid signature for ${m}_{i}$ computed with the same secret key $({s}_{1},{s}_{2})$. Each signature is a braid of the form:

$${\mathtt{sig}}_{i}={v}_{1}^{\left(i\right)}\cdot {s}_{1}^{-1}\cdot {v}^{\left(i\right)}\cdot E\left(H\left({m}_{i}\right)\right)\cdot {s}_{2}\cdot {v}_{2}^{\left(i\right)}$$

**Step 2.** The attacker, using a heuristic procedure described in [25], is able to remove the cloaking elements from the signatures, that is, to compute braids ${P}_{i}={s}_{1}^{-1}\cdot E\left(H\left({m}_{i}\right)\right)\cdot {s}_{2}$. It is worth pointing out that Kotov, Menshov, and Ushakov reported a high success rate for their uncloaking algorithm, close to 80% or 100%, depending on the type of cloaking elements used (see Table 2).

**Step 3.** The attacker computes the $k-1$ products ${P}_{i}{P}_{i+1}^{-1}$. Note that these are:

$$\begin{aligned}{P}_{1}{P}_{2}^{-1}&={s}_{1}^{-1}E\left(H\left({m}_{1}\right)\right)E{\left(H\left({m}_{2}\right)\right)}^{-1}{s}_{1}\\ &\;\;\vdots \\ {P}_{k-1}{P}_{k}^{-1}&={s}_{1}^{-1}E\left(H\left({m}_{k-1}\right)\right)E{\left(H\left({m}_{k}\right)\right)}^{-1}{s}_{1}\end{aligned}$$

**Step 4.** The attacker sets ${s}_{2}^{\prime}=E{\left(H\left({m}_{i}\right)\right)}^{-1}\,{s}_{1}^{\prime}\,{P}_{i}$ for i of its choice. Under certain conditions, $({s}_{1}^{\prime},{s}_{2}^{\prime})$ works as an alternative secret key to $({s}_{1},{s}_{2})$, in the sense that it produces a valid signature for any message. Moreover, as a braid word, this signature equals the one produced with the original key. This implies that the attack cannot be avoided by limiting the size of accepted signatures.

In order to decide if the alternative key $({s}_{1}^{\prime},{s}_{2}^{\prime})$ works as intended, Kotov, Menshov, and Ushakov generated signatures for 10 random messages and checked their validity.
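
The algebra of Steps 3 and 4 can be checked in a small finite group; the following is an added example, not code from the survey or from [25]. It assumes the $P_i$ are already uncloaked and takes ${s}_{1}^{\prime}$ to be any braid that conjugates each known $E(H(m_i))E(H(m_{i+1}))^{-1}$ to the observed ${P}_{i}{P}_{i+1}^{-1}$. The symmetric group $S_6$ stands in for ${B}_{N}$, a byte-indexed product of two constructed generators stands in for $E(H(m))$, exhaustive search stands in for the conjugacy search, and all names and values are constructed.

```python
from itertools import permutations

N = 6                       # toy: S_6 stands in for the braid group B_N
IDENT = tuple(range(N))

def mul(p, q):
    """Group product of two permutations: apply q first, then p."""
    return tuple(p[i] for i in q)

def inv(p):
    r = [0] * N
    for i, v in enumerate(p):
        r[v] = i
    return tuple(r)

def prod(*xs):
    out = IDENT
    for x in xs:
        out = mul(out, x)
    return out

# Constructed encoder generators (a 3-cycle and a swap on points 0..2).
GENS = [(1, 2, 0, 3, 4, 5), (1, 0, 2, 3, 4, 5)]

def encode(msg):
    """Toy stand-in for E(H(m)): each byte picks a generator; no hash."""
    return prod(*(GENS[b % len(GENS)] for b in msg))

def sign_uncloaked(key, msg):
    """P = s1^-1 * E(H(m)) * s2: a signature with cloaking already removed."""
    s1, s2 = key
    return prod(inv(s1), encode(msg), s2)

def alternative_keys(pairs):
    """Steps 3-4 from (m_i, P_i) pairs: return every candidate (s1', s2')."""
    E = [encode(m) for m, _ in pairs]
    P = [p for _, p in pairs]
    known = [mul(E[i], inv(E[i + 1])) for i in range(len(E) - 1)]
    seen = [mul(P[i], inv(P[i + 1])) for i in range(len(P) - 1)]   # Step 3
    keys = []
    for cand in permutations(range(N)):   # exhaustive conjugacy search (toy)
        if all(prod(inv(cand), k, cand) == s for k, s in zip(known, seen)):
            keys.append((cand, prod(inv(E[0]), cand, P[0])))   # Step 4, i = 1
    return keys

SECRET = ((2, 0, 4, 1, 5, 3), (3, 5, 1, 0, 2, 4))    # constructed (s1, s2)
COLLECTED = [(m, sign_uncloaked(SECRET, m)) for m in (b"a", b"b", b"ab")]

if __name__ == "__main__":
    keys = alternative_keys(COLLECTED)
    fresh = b"firmware-update-42"
    same = all(sign_uncloaked(k, fresh) == sign_uncloaked(SECRET, fresh)
               for k in keys)
    print(len(keys), "working keys; secret among them:", SECRET in keys)
    print("all reproduce the genuine signature on a fresh message:", same)
```

In this toy instance the three collected signatures yield six keys, five of which differ from the secret. Every one of them outputs exactly the genuine signature on messages that were never collected, which is why a length limit on accepted signatures does not help.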

## 6. Final Remarks

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms. Available online: https://csrc.nist.gov/News/2016/Public-Key-Post-Quantum-Cryptographic-Algorithms (accessed on 19 December 2016).
2. Persichetti, E. Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment. Cryptography **2018**, 2, 30.
3. Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Whyte, W. Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign. In The LLL Algorithm—Survey and Applications; Nguyen, P.Q., Vallée, B., Eds.; Information Security and Cryptography; Springer: Berlin, Germany, 2010; pp. 349–390.
4. Jalali, A.; Azarderakhsh, R.; Kermani, M.M.; Campagna, M.; Jao, D. Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors. IACR Cryptol. ePrint Arch. **2019**, 2019, 331.
5. Garber, D. Braid Group Cryptography; World Scientific: Singapore, 2007.
6. Anshel, I.; Anshel, M.; Goldfeld, D. An algebraic method for public-key cryptography. Math. Res. Lett. **1999**, 6, 287–292.
7. Ko, K.; Lee, S.; Cheon, J.; Han, J.; Kang, J.; Park, C. New Public-Key Cryptosystem using Braid Groups. In Advances in Cryptology, Proceedings of CRYPTO 2000; Lecture Notes in Computer Science; Springer: Santa Barbara, CA, USA, 2000; Volume 1880, pp. 166–183.
8. Birman, J.; Gebhardt, V.; González-Meneses, J. Conjugacy in Garside groups I: Periodic braids. J. Algebra **2007**, 2, 746–776.
9. Katz, J. Digital Signatures; Springer: Berlin, Germany, 2010.
10. Goldwasser, S.; Bellare, M. Lecture Notes on Cryptography; MIT: Hong Kong, China, 2001.
11. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. WalnutDSA™: A Quantum Resistant Digital Signature Algorithm. IACR Cryptol. ePrint Arch. **2017**, 2017, 58.
12. Artin, E. Theory of braids. Ann. Math. **1947**, 48, 101–126.
13. Anshel, I.; Anshel, M.; Goldfeld, D.; Lemieux, S. Key agreement, the Algebraic Eraser™, and Lightweight Cryptography. In Algebraic Methods in Cryptography, Contemp. Math.; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 1–34.
14. Birman, J.S.; Cannon, J. Braids, Links, and Mapping Class Groups, Annals of Mathematics Studies; Princeton University Press: Princeton, NJ, USA, 1974.
15. Artin, M. Algebra; Prentice Hall: Upper Saddle River, NJ, USA, 1991.
16. Birman, J.S.; Ko, K.H.; Lee, S.J. A new approach to the word and conjugacy problems in the braid groups. Adv. Math. **1998**, 139, 322–353.
17. Dehornoy, P. A fast method for comparing braids. Adv. Math. **1997**, 125, 200–235.
18. Morton, H.R. The multivariable Alexander polynomial for a closed braid. In Lower Dimensional Topology, (Funchal, 1998); American Mathematical Society: Providence, RI, USA, 2006; Volume 233, pp. 167–172.
19. Hart, D.; Kim, D.; Micheli, G.; Pascual-Perez, G.; Petit, C.; Quek, Y. A Practical Cryptanalysis of WalnutDSA™. In Proceedings of the Public-Key Cryptography—PKC 2018—21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018; Part I—Lecture Notes in Computer Science; Abdalla, M., Dahab, R., Eds.; Springer: Berlin, Germany, 2018; Volume 10769, pp. 381–406.
20. Beullens, W.; Blackburn, S.R. Practical Attacks Against the Walnut Digital Signature Scheme. In Proceedings of the Advances in Cryptology—ASIACRYPT 2018—24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, 2–6 December 2018; Part I—Lecture Notes in Computer Science; Peyrin, T., Galbraith, S.D., Eds.; Springer: Berlin, Germany, 2018; Volume 11272, pp. 35–61.
21. Merz, S.; Petit, C. Factoring Products of Braids via Garside Normal Form. In Public Key Cryptography (2); Lecture Notes in Computer Science; Springer: Berlin, Germany, 2019; Volume 11443, pp. 646–678.
22. Paris, L. Braid groups and Artin groups. arXiv **2007**, arXiv:math.GR/0711.2372.
23. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA (TM). IACR Cryptol. ePrint Arch. **2019**, 2019, 472.
24. van Oorschot, P.C.; Wiener, M.J. Parallel Collision Search with Cryptanalytic Applications. J. Cryptol. **1999**, 12, 1–28.
25. Kotov, M.; Menshov, A.; Ushakov, A. An attack on the Walnut digital signature algorithm. Des. Codes Cryptogr. **2019**, 1–20.
26. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. The Walnut Digital Signature Algorithm™ Specification. Submitted to NIST PQC Project; 2017. Available online: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions (accessed on 7 July 2019).
27. Comments to WalnutDSA™ Proposal to NIST PQC Project. Available online: https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/round-1/official-comments/WalnutDSA-official-comment.pdf (accessed on 7 July 2019).
28. Kotov, M.; Menshov, A.; Ushakov, A. Attack on Kayawood Protocol: Uncloaking Private Keys. IACR Cryptol. ePrint Arch. **2018**, 2018, 604.
29. Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Kayawood, a Key Agreement Protocol. IACR Cryptol. ePrint Arch. **2017**, 2017, 1162.

**Table 1.**Examples of sequences to defeat collision attack (see [23]).

N | Periodic Sequence S | $\dim S$ | Recommended q |
---|---|---|---|
10 | $\{(3,5,7,9),(2,4,6,8),(1,3,5,7),(2,4,6,8),\cdots \}$ | 82 | — |
12 | $\{(5,7,9,11),(4,6,8,10),(3,5,7,9),(2,4,6,8),(1,3,5,7),(2,4,6,8),(3,5,7,9),(4,6,8,10),\cdots \}$ | 122 | $32, 256$ |

Encoding | Cloaking Elements | 128-Bit | 256-Bit | 256-Bit with $N=11$ |
---|---|---|---|---|
Original | $w{b}_{i}^{\pm 2}{w}^{-1}$ | 80% | 77% | 76% |
Original | $w{b}_{i}^{\pm 4}{w}^{-1}$ | 100% | 100% | 100% |
Alternative proposed in [27] | $w{b}_{i}^{\pm 2}{w}^{-1}$ | 77% | 81% | 81% |
Alternative proposed in [27] | $w{b}_{i}^{\pm 4}{w}^{-1}$ | 97% | 98% | 100% |

**Table 3.** Average running time (in seconds) for the full attack according to [25].

Encoding | Cloaking Elements | 128-Bit | 256-Bit | 256-Bit with $N=11$ |
---|---|---|---|---|
Original | $w{b}_{i}^{\pm 2}{w}^{-1}$ | 18.8 | 120.8 | 213.0 |
Original | $w{b}_{i}^{\pm 4}{w}^{-1}$ | 17.4 | 112.4 | 185.6 |
Alternative proposed in [27] | $w{b}_{i}^{\pm 2}{w}^{-1}$ | 78.7 | 264.9 | 1674.9 |
Alternative proposed in [27] | $w{b}_{i}^{\pm 4}{w}^{-1}$ | 66.2 | 224.6 | 1323.3 |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Escribano Pablos, J.I.; González Vasco, M.I.; Marriaga, M.E.; Pérez del Pozo, Á.L. The Cracking of *WalnutDSA*: A Survey. *Symmetry* **2019**, *11*, 1072.
https://doi.org/10.3390/sym11091072
