This paper reports on the Walnut Digital Signature Algorithm (WalnutDSA
), which is an asymmetric signature scheme recently presented for standardization at the NIST call for post-quantum cryptographic constructions. WalnutDSA
is a group theoretical construction, the security of which relies on the hardness of certain problems related to an action of a braid group on a finite set. In spite of originally resisting the typical attacks succeeding against this kind of construction, soon different loopholes were identified rendering the proposal insecure (and finally, resulting in it being excluded from Round 2 of the NIST competition). Some of these attacks are related to the well-structured and symmetric masking of certain secret elements during the signing process. We explain the design principles behind this proposal and survey the main attack strategies that have succeeded, contradicting its claimed security properties, as well as the recently-proposed ideas aimed at overcoming these issues.
This is an open access article distributed under the Creative Commons Attribution License
which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited