#### 5.1. Factoring Attacks

The essential idea behind these attacks is to forge a signature for any given message m solving a factorization problem in groups, defined as follows:

**Definition** **7** (Factorization problem in groups)

**.** Let G be a group; let $\Gamma =\{{g}_{1},\cdots ,{g}_{\gamma}\}$ be a generating set for G; and let $h\in G$. Find an integer L and sequences $({k}_{1},\cdots ,{k}_{L})\in {\{1,\cdots ,\gamma \}}^{L}$ and $({\epsilon}_{1},\cdots ,{\epsilon}_{L})\in {\{\pm 1\}}^{L}$ such that:A solution to a specific instance of this problem has been exploited by several authors [

19,

20] to construct a new valid signature from several valid signatures, in order to violate UF-CMA. More precisely, Hart et al. presented in [

19] an efficient method to compute, given a couple of signatures on random messages, a new signature on an arbitrary message. However, these forged signatures were significantly longer than those constructed by the honest signer. The design of

WalnutDSA was modified by the authors in order to defeat this attack, yet a refinement of this method, presented in Section 3 of [

20], rendered this modification insufficient.

#### 5.1.1. Factoring For Universal Forgeries: The Attacks by Hart Et Al., and Beullens and Blackburn

The strategy behind [

19] allows for constructing a valid signature for any arbitrary message

m (and is thus a universal forgery). More precisely, Proposition 4 in [

19] states that, given a finite set of signatures:

and taking

${g}_{i}$ as the matrix part of

$\mathcal{P}\left(E\left(H\left({m}_{i}\right)\right)\right)$ for all

$i\in I,$ it holds that, if the matrix part

h of

$\mathcal{P}\left(E\right(H\left(m\right)\left)\right)$ can be factored with respect to the generating set

$\left\{{g}_{i}\phantom{\rule{0.222222em}{0ex}}\right|\phantom{\rule{0.222222em}{0ex}}i\in I\},$ then constructing the very same

word replacing each

${g}_{i}$ with the corresponding braids

${s}_{i}$ from

$\mathcal{S}$ yields a valid signature for

$m.$Beullens and Blackburn explained how to exploit this malleability property through the following simple theorem:

**Theorem** **1** (Theorem 1 from [

20])

**.** Consider the version of WalnutDSA, where it holds that ${s}_{1}={s}_{2}.$ Suppose m, ${m}_{1}$, ${m}_{2}$ are three messages. Let h, ${h}_{1}$, ${h}_{2}$ be the matrix part of $\mathcal{P}\left(E\right(H\left(m\right)\left)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{1}\right)\right)\right)$, $\mathcal{P}\left(E\left({m}_{2}\right)\right)$, respectively. Then,- 1.
If $h={h}_{1}^{-1}$ and ${\mathtt{sig}}_{1}$ is a valid signature for ${m}_{1}$, then ${\mathtt{sig}}_{1}^{-1}$ is a valid signature for m.

- 2.
If $h={h}_{1}\xb7{h}_{2}$ and ${\mathtt{sig}}_{1}$, ${\mathtt{sig}}_{2}$ are valid signatures for ${m}_{1}$ and ${m}_{2}$, respectively, then ${\mathtt{sig}}_{1}\xb7{\mathtt{sig}}_{2}$ is a valid signature for m.

However, the above result is only valid if the public braids

${s}_{1}$ and

${s}_{2}$ coincide, which was only the case in the first versions of the proposal [

11]. All in all, a simple variant of the above theorem, presented in [

20], evidences that choosing

${s}_{1}\ne {s}_{2}$ does not amend the strong malleability inherent to

WalnutDSA:

**Theorem** **2** ([

20])

**.** Suppose m, ${m}_{1}$, ${m}_{2}$ are three messages. Let h, ${h}_{1}$, ${h}_{2}$ be the matrix part of $\mathcal{P}\left(E\right(H\left(m\right)\left)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{1}\right)\right)\right)$, $\mathcal{P}\left(E\left(H\left({m}_{2}\right)\right)\right)$, respectively. Let ${s}_{1}$, ${s}_{2}$, ${s}_{3}\in {B}_{N}$ be three braids. Then,- 1.
If $h={h}_{1}^{-1}$ and ${\mathtt{sig}}_{1}$ is a valid signature for ${m}_{1}$ under the public key $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{2}\right))$, then ${\mathtt{sig}}_{1}^{-1}$ is a valid signature for m under the public key $(\mathcal{P}\left({s}_{2}\right),\mathcal{P}\left({s}_{1}\right))$.

- 2.
If $h={h}_{1}\xb7{h}_{2}$ and ${\mathtt{sig}}_{1}\xb7{\mathtt{sig}}_{2}$ are valid signatures for ${m}_{1}$ and ${m}_{2}$ under the public keys $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{2}\right))$ and $(\mathcal{P}\left({s}_{2}\right),\mathcal{P}\left({s}_{3}\right))$, respectively, then ${\mathtt{sig}}_{1}\xb7{\mathtt{sig}}_{2}$ is a valid signature for m under the public key $(\mathcal{P}\left({s}_{1}\right),\mathcal{P}\left({s}_{3}\right))$.

Note that the above theorems do not impose a practical restriction on the forged message m, for suitable ${m}_{1},{m}_{2}$ can be constructed for any m in order to mount the UF attack. Still, the forged signatures obtained through these factoring strategies are many orders of magnitude longer than legitimate signatures; thus, imposing length limits on the output signatures (as the authors did in the implementation submitted to the NIST PQCstandardization call) is enough to dodge these attacks.

#### 5.1.2. Factoring Using the Garside Normal Form

Recently, in [

21], it was noticed that whenever a product of braids

$ABC\in {B}_{N}$ is represented in the Garside normal form, parts of the corresponding form of the individual factors

$A,B$, and

C are somewhat easy to extract. In particular, the authors of this paper presented an algorithm for recovering, given

B, elements

${A}^{\prime}$ and

${C}^{\prime}$ such that:

$A={A}^{\prime}$, $C={C}^{\prime}$ up to multiplications with elements in the center of ${B}_{N}$

$AC={A}^{\prime}{C}^{\prime}.$

Note that the center of the group

${B}_{N}$ is a cyclic group generated by the square of the so-called

Garside’s fundamental braid, $\Delta ,$ which is the only positive braid for which any two strands cross exactly once (see [

14,

22] for a classical introduction and a comprehensive survey on braid groups). This decomposition strategy allows for constructing a universal forgery, as stated in the following result:

**Theorem** **3** ([

21])

**.** Let ${W}_{1}\xb7E\left(H\left(m\right)\right)\xb7{W}_{2}\in {B}_{N}$ be a valid signature for some message m, and let ${W}_{1}^{\prime}$, ${W}_{2}^{\prime}\in {B}_{N}$ such that ${W}_{1}^{\prime}\equiv {W}_{1}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\Delta}^{2}$, ${W}_{2}^{\prime}\equiv {W}_{2}\phantom{\rule{3.33333pt}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}{\Delta}^{2}$, and ${W}_{1}\xb7{W}_{2}={W}_{1}^{\prime}\xb7{W}_{2}^{\prime}$. Then,is a valid signature for any message ${m}^{\prime}$.Note that since the replaced braids ${W}_{1}$ and ${W}_{2}$ are in principle independent of the message $m,$ the forged signature need not be longer than a legitimate signature. Furthermore, the complexity of this procedure is essentially that of computing Garside normal forms, which can be done in time $\mathcal{O}\left({k}^{2}N\right)$, where k is the number of Artin generators encoding the input braid.

Furthermore, this method fends off the colored Burau representation used in the implementation of

WalnutDSA; thus, it cannot be prevented by modifying the size of the underlying finite field. The authors of this cryptanalysis suggest that the only way to dodge this attack is to add many concealed cloaking elements to the encoding, which has a significant cost both in signature length and computing time for the generation of signatures. Furthermore, in [

23], the authors of the scheme claimed to have experimentally demonstrated that inserting cloaking elements every 7–12 generators into the braid

$E\left(H\left({m}^{\prime}\right)\right)$ blocked this attack. However, no details were given on how this strategy was theoretically or empirically assessed.

#### 5.2. Collision Attacks

Imposing implicit limits on the output signature sizes is indeed a valid strategy for preventing factoring attacks, and so, it was promptly noticed by the authors of

WalnutDSA. However, in Section 4 of [

20], it was demonstrated that, through a simple collision method, it was possible to compute

short forged signatures, yet not on arbitrary messages.

In Section 4 of [

20], it was observed that if there exist two messages

${m}_{1}$,

${m}_{2}$ such that

$\mathcal{P}\left(E\left(H\left({m}_{1}\right)\right)\right)=\mathcal{P}\left(E\left(H\left({m}_{2}\right)\right)\right)$, then a valid signature for

${m}_{1}$ is valid for

${m}_{2}$ and vice versa. Breaking the EUF-CMA security notion (see Definition 4) is as simple as finding such two messages

${m}_{1}$ and

${m}_{2}$, since an adversary could query a signature for

${m}_{1}$ and then obtain a signature for

${m}_{2}$.

A generic collision attack is expected to require $|\mathcal{P}\left(E\left({\{0,1\}}^{*}\right)\right){|}^{1/2}$ evaluations of function $\mathcal{P}\circ E$. In order to evaluate the feasibility of this attack, it is necessary to estimate the size of $\left|\mathcal{P}\right(E\left({\{0,1\}}^{*}\right)\left)\right|$. The authors of WalnutDSA considered ${q}^{N(N-3)}\xb7N!$ a conservative lower bound for values of $\mathcal{P}$. For 128-bit and 256-bit security levels, these values were ${2}^{216}$ and ${2}^{336}$, respectively, so it is expected to find a collision after ${2}^{108}$ and ${2}^{168}$ evaluations of $\mathcal{P}\circ E$. Hence, a generic collision attack is not practical.

In [

20], it was shown (by means of computer experiments) that

$\left|\mathcal{P}\right(E\left({\{0,1\}}^{*}\right)\left)\right|$ is at most

${q}^{13}$ (lying in an affine subspace over

${\mathbb{F}}_{q}$), so a collision is expected to be found after

${q}^{13/2}$ evaluations of

$\mathcal{P}\circ E$. With this new estimate,

${2}^{32.5}$ and

${2}^{52}$ evaluations of

$\mathcal{P}\circ E$ are necessary for 128-bit and 256-bit security levels, respectively. Therefore, collision attack is practical in this case.

In order to implement this attack, the authors used a generic collision finding algorithm: the distinguished point algorithm of Van Oorschot and Wiener [

24].

This algorithm finds collisions in any function

$f:S\to S$ that behaves like a random function [

24]. The time complexity for finding a single collision is

$\mathcal{O}\left(\sqrt{\left|S\right|}\right)$. A distinguished point is an element of

S satisfying some easily testable property (e.g., a fixed number of leading zero bits). The distinguished point algorithm selects a starting point

${x}_{0}\in S$ at random and produces a chain of points

${x}_{i}=f\left({x}_{i-1}\right)$ for

$i=1,2,\cdots $, until a distinguished point is reached. Then, the starting point

${x}_{0}$, the distinguished point

${x}_{k}$, and the length of the chain are stored. It is expected that after

$\mathcal{O}\left(\sqrt{\left|S\right|}\right)$, the current chain will collide with one of the stored chains. Following the chain from that point, the same distinguished point will be reached.

In [

20], this algorithm was applied to the function

$f=g\circ \mathcal{P}\circ E$ instead of to

$f=\mathcal{P}\circ E$, where

g is a function that crafts plausible messages, given an output of

$\mathcal{P}$. However, no implementation or description of how to build the function

g was provided.

Using a standard PC, the algorithm found a collision after

${2}^{32.2}$ evaluations of

f (

${2}^{32.5}$ evaluations were expected). This took approximately one hour. The two messages found by the algorithm were

In order to mitigate this practical attack, Beullens and Blackburn [

20] recommended to increase the value of

q up to

$q={2}^{20}$ and

$q={2}^{40}$ to accomplish 128-bit and 256-bit security levels, respectively. With these new parameters, the size of the public key is five-times larger and the verification algorithm is 25-times slower for 256 bit.

A better mitigation of this attack is to change the encoding algorithm to output pure braids not restricted to the subgroup generated by

${g}_{N,1}$,

${g}_{N,2}$,

${g}_{N,3}$, and

${g}_{N,4}$. This change would require

${q}^{({(N-2)}^{2}+1)/2}$ evaluations of

$\mathcal{P}\circ E$, and only a minor increase of parameters is needed. It was pointed out in [

20] that a 256-bit security level could be accomplished by setting

$q={2}^{8}$ and

$N=8$, making the key size 50%, the signature size 25% larger, and the verification algorithm two-times slower.

The authors of

WalnutDSA pointed out that any braid output by the encoding mechanism

E (see

Section 4.1.2) is a product of the image (under

$\mathcal{P}$) of the encoding braids used, and thus, it is essential that the subspace spanned by said images is sufficiently large [

23]. They further depicted two design strategies towards defeating this attack (see

Table 1).

#### 5.3. Reversing E-Multiplication

A fundamental hard problem underlying the security of the

Walnut signature scheme is to break the one-wayness of the function:

Here, we write

$\mathcal{P}$ instead of

${\mathcal{P}}_{\mathcal{T}}$ with the understanding that the set

$\mathcal{T}\subset {\mathbb{F}}_{q}$ of non-zero elements is arbitrary, but fixed.

More precisely, the underlying problem is defined as follows.

**Definition 8** (Reversing E-Multiplication (REM) problem [

20])

**.** Given a pair $(M,\sigma )\in {\mathrm{GL}}_{N}\left({\mathbb{F}}_{q}\right)\times {S}_{N}$, such that $(M,\sigma )=\mathcal{P}\left(s\right)$ for some braid $s\in {B}_{N}$, find a braid ${s}^{\prime}\in {B}_{N}$ such that $\mathcal{P}\left({s}^{\prime}\right)=(M,\sigma )$.Observe that if brute force is used to solve the REM problem, then it would take $\mathcal{O}\left(\right|\mathcal{P}\left({B}_{N}\right)\left|\right)$ E-multiplications to find a solution, where $\left|\mathcal{P}\right({B}_{N}\left)\right|$ is the size of the orbit of $({I}_{N},{\iota}_{N})$.

Recall that the private key consists of two braids

${s}_{1},{s}_{2}\in {B}_{N}$, and the corresponding public key consists of

$\mathcal{P}\left({s}_{1}\right)$ and

$\mathtt{mat}\left(\mathcal{P}\left({s}_{2}\right)\right)$, the matrix component of

$\mathcal{P}\left({s}_{2}\right)$. In [

20], it was observed that a valid signature

$\mathtt{sig}$ for a message

m also satisfies:

Therefore, not knowing the permutation component of

$\mathcal{P}\left({s}_{2}\right)$ poses no problem to the attacker since it can be recovered from the permutation component of (

3) without necessarily knowing the encrypted message (no message attack). Indeed, since cloaking elements and

$E\left(H\right(m\left)\right)$ are required to be pure braids, we have:

Once

${\sigma}_{{s}_{2}}$ has been computed, an attacker can solve two instances of the REM problem by finding two braids

${s}_{1}^{\prime},{s}_{2}^{\prime}\in {B}_{N}$ such that

$\mathcal{P}\left({s}_{1}\right)=\mathcal{P}\left({s}_{1}^{\prime}\right)$ and

$\mathcal{P}\left({s}_{2}\right)=\mathcal{P}\left({s}_{2}^{\prime}\right)$, which can be used to sign any message (universal forgery). Hence, solving the REM problem means that UF-NMA security (Definition 2) can be violated.

In this section, we describe two algorithms proposed in [

20] that solve the REM problem. The first algorithm is a generic birthday attack, while the second exploits the structure of the braid group

${B}_{N}$ and is more efficient than the first one.

#### 5.3.1. Generic Birthday Attack

Given a pair

$(M,\sigma )\in {\mathrm{GL}}_{N}\left({\mathbb{F}}_{q}\right)\times {S}_{N}$, if we can find two braids

${s}_{1},{s}_{2}\in {B}_{N}$ such that:

then the solution of the REM problem is

${s}^{\prime}={s}_{2}\phantom{\rule{0.166667em}{0ex}}{s}_{1}^{-1}$. In [

20], it was argued that a naive way of finding

${s}_{1}$ and

${s}_{2}$ by constructing tables with values

$(M,\sigma )\u2605{s}_{1}$ and checking if

$({I}_{N},{\iota}_{N})\u2605{s}_{2}$ for random

${s}_{2}$ lying in the table would take

$\mathcal{O}\left(\sqrt{\left|\mathcal{P}\right({B}_{N}\left)\right|}\phantom{\rule{0.166667em}{0ex}}\right)$ E-multiplications, making this method more efficient than a brute force approach. Nevertheless, a naive approach may require too much storage memory.

This inconvenience can be circumvented by using a distinguished point algorithm (see

Section 5.2). In this case, the algorithm is applied to the function:

where

$\mathtt{b}$ and

$\mathtt{s}$ are hash functions that take elements in the orbit of

$({I}_{N},{\iota}_{N})$ as input and output a bit or a braid, respectively.

The idea is to find collisions:

Hence, if a collision is found such that

$b\left({x}_{1}\right)=1$, then

$b\left({x}_{2}\right)=0$ and

$(M,\sigma )\u2605\mathtt{s}\left({x}_{1}\right)=f\left({x}_{1}\right)=f\left({x}_{2}\right)=({I}_{N},{\iota}_{N})\u2605\mathtt{s}\left({x}_{2}\right)$. In this case, a solution of the REM problem is

$\mathtt{s}\left({x}_{2}\right)\phantom{\rule{0.166667em}{0ex}}s{\left({x}_{1}\right)}^{-1}$. On the other hand, if

$b\left({x}_{1}\right)=0$, then a solution of the REM problem is

$\mathtt{s}\left({x}_{1}\right)\phantom{\rule{0.166667em}{0ex}}s{\left({x}_{2}\right)}^{-1}$.

As noted in [

23], this attack is exponential in running time and can be thwarted by choosing the correct parameters for

WalnutDSA, in this case

$N=10$,

$q={2}^{31}-1$ for 128-bit security, and

$N=10$,

$q={2}^{61}-1$ for 256-bit security.

#### 5.3.2. Subgroup Chain Attack

This attack exploits the fact that the restriction of

$\mathcal{P}$ to pure braids is a group homomorphism, which maps the chain of subgroups:

to a nice chain of subgroups of

${\mathrm{GL}}_{N}\left({\mathbb{F}}_{q}\right)$. Here,

${P}_{k}$ denotes the intersection of the subgroup of pure braids in

${B}_{N}$ and the subgroup generated by

${b}_{1},{b}_{2},\dots ,{b}_{k-1}$, that is the subgroup of pure braids such that only the first

k strands cross over each other. More precisely, for each

$1\le k\le N$,

$\mathcal{P}$ is a homomorphism from

${P}_{k}$ into the subgroup:

In contrast to the birthday attack, this method solves the REM problem for a pair

$(M,\sigma )\in {\mathrm{GL}}_{N}\left({\mathbb{F}}_{q}\right)\times {S}_{N}$, by finding in iterative steps a braid

$s\in {B}_{N}$ such that

$(M,\sigma )\u2605s=({I}_{N},{\iota}_{N})$, as follows. First, choose any braid

${s}^{\prime}\in {B}_{N}$ such that

${\sigma}_{{s}^{\prime}}={\sigma}^{-1}$. Therefore,

$(M,\sigma )\u2605{s}^{\prime}=({M}^{\prime},{\iota}_{N})\in {A}_{N}\times {S}_{N}$. Next, find a pure braid

${s}_{N}\in {P}_{N}$ such that

$({M}_{N},{\iota}_{N})=({M}^{\prime},{\iota}_{N})\u2605{s}_{N}=(M,\sigma )\u2605{s}^{\prime}{s}_{N}\in {A}_{N-1}\times {S}_{N}$. The iterative step consists of randomly choosing a target matrix

${M}_{i}\in \mathcal{P}\left({P}_{i}\right)\cap {A}_{i-1}$ and then finding a pure braid

${s}_{i}\in {P}_{i}$ such that:

Notice that in each iterative step, the permutation component is

${\iota}_{N}$ since

${s}_{i}$ is a pure braid, and thus,

${\sigma}_{{s}_{i}}={\iota}_{N}$. This process yields a braid

$s={s}^{\prime}\phantom{\rule{0.166667em}{0ex}}{s}_{N}\phantom{\rule{0.166667em}{0ex}}{s}_{N-1}\cdots {s}_{2}$ such that

$(M,\sigma )\u2605s=({I}_{N},{\iota}_{N})$. Then, the solution to the REM problem is

${s}^{-1}$.

In [

20], it was pointed out that if

${M}_{i}\notin \mathcal{P}\left({P}_{i-1}\right)$ for some

$2\le i\le N$, then it is not possible to complete the attack, and thus, assuming:

for each

$2\le i\le N$, guarantees that the attack will work. This assumption is not too restrictive since it seems to hold for the proposed parameters for

WalnutDSA. With (

4) in mind, the

${i}^{\mathrm{th}}$ iterative step of this attack can be solved by performing a collision search in the space cosets of

${A}_{i-1}$ in

${A}_{i-1}\phantom{\rule{0.166667em}{0ex}}\mathcal{P}\left({P}_{i}\right)$ with a cost of

$\sqrt{|\mathcal{P}\left({P}_{i}\right)|/|\mathcal{P}\left({P}_{i-1}\right)|}$ E-multiplications (see Sections 5.2 and 5.3 of [

20] for details).

In [

20], the running time of this attack was estimated to be

${q}^{N/2-1}$ whenever E-multiplication uses the set of invertible elements

$\mathcal{T}=\{{y}_{1},{y}_{2},\dots ,{y}_{N}\}\subset {\mathbb{F}}_{q}$ with

${y}_{a}={y}_{b}=1$ for some

$1\le a,b\le N$ (see

Section 4.2.2). It was noted in [

23] that if

${y}_{a}$ and

${y}_{b}$ are chosen such that

${y}_{a}\xb7{y}_{b}=-1$, then the running time of the attack is increased to at least

$\sqrt{x}\phantom{\rule{0.166667em}{0ex}}{q}^{(N-1)/2}$, where

$x=60$ for

$N=8$ and

$x=96$ for

$N=10$. Moreover, this attack is defeated by taking

$N=10$,

$q={2}^{31}-1$ for 128-bit security, and

$N=10$,

$q={2}^{61}-1$ for 256-bit security.

#### 5.4. Uncloaking Signatures

Kotov, Menshov, and Ushakov presented in [

25] a powerful attack against

WalnutDSA. It is a heuristic attack that works exclusively with braids and does not need to take into account E-multiplication. The authors reported experiments with one hundred random protocol instances with a 100% success rate. It is worth pointing out that the experiments were carried out for three different settings: the 128 and 256-bit security levels from the official specification [

26] (where

$N=8$) and the 256-bit security version with

$N=11$, proposed in [

27].

In a nutshell, the attack works as follows: An adversary, which collects several arbitrary pairs of messages and valid signatures, is able to compute an alternative secret key such that, when used to sign any message, it produces the same signature as the real secret key. Therefore, this is a very strong attack as it violates a rather weak security notion for signatures (UF-RMA; see Definition 3), that is an adversary with access to signatures for random messages (not adversarially chosen) can produce a valid signature for any message of its choice; that is, it achieves a universal forgery.

Next, we provide a high-level description of the attack:

**Step 1.** The attacker collects

k pairs

${\left\{({m}_{i},{\mathtt{sig}}_{i})\right\}}_{i=1}^{k}$ where each

${\mathtt{sig}}_{i}$ is a valid signature for

${m}_{i}$ computed with the same secret key

$({s}_{1},{s}_{2})$. Each signature is a braid with the form:

where

${v}^{\left(i\right)},{v}_{1}^{\left(i\right)},{v}_{2}^{\left(i\right)}$ are cloaking elements.

**Step 2.** The attacker, using a heuristic procedure described in [

25], is able to remove the cloaking elements from the signatures, that is compute braids

${P}_{i}={s}_{1}^{-1}\xb7E\left(H\left({m}_{i}\right)\right)\xb7{s}_{2}$. It is worth pointing out that Kotov, Menshov, and Ushakov reported a high success rate for their uncloaking algorithm, close to 80% or 100%, depending on the type of cloaking elements used (see

Table 2).

**Step 3.** The attacker computes the

$k-1$ products

${P}_{i}{P}_{i+1}^{-1}$. Note that these are:

obtaining a system of conjugacy equations in

${B}_{N}$ where only

${s}_{1}$ is unknown. In [

25], another heuristic algorithm to obtain a solution

${s}_{1}^{\prime}$ of the system (not necessarily equal to

${s}_{1}$) was developed.

**Step 4.** The attacker sets ${s}_{2}^{\prime}=E{\left(H\left({m}_{i}\right)\right)}^{-1}\phantom{\rule{0.166667em}{0ex}}{s}_{1}^{\prime}\phantom{\rule{0.166667em}{0ex}}{P}_{i}$ for i of its choice. Under certain conditions, $({s}_{1}^{\prime},{s}_{2}^{\prime})$ works as an alternative secret key to $({s}_{1},{s}_{2})$, in the sense that it produces a valid signature for any message. Moreover, as a braid word, this signature equals the one produced with the original key. This implies that the attack cannot be avoided by limiting the size of accepted signatures. In order to decide if the alternative key $({s}_{1}^{\prime},{s}_{2}^{\prime})$ works as intended, Kotov, Menshov, and Ushakov generated signatures for 10 random messages and checked their validity.

In [

25], a 100% success rate of the full attack was reported. One interesting fact is that the attack did not need many message/signature pairs in order to succeed: Kotov, Menshov, and Ushakov affirmed that, in all their experiments, six successfully uncloaked signatures were enough to get five conjugacy equations and a valid alternative secret key. Average running times for the full attack are shown in

Table 3.

With respect to possible countermeasures against their attack, Kotov, Menshov, and Ushakov themselves made several proposals. The first one is to artificially introduce many so-called

critical letters in the secret braids (locating critical letters is one of the main ingredients in the uncloaking algorithm). In addition, they proposed using many more cloaking elements (around 30) on each side of the signature. Nevertheless, they pointed out that it is not even clear if this measure would be useful as it does not neutralize their attack [

28] against Kayawood [

29], another braid-based protocol. Finally, Kotov et al. recommended short conjugators for constructing cloaking elements, making them less visible.

The proponents of

WalnutDSA recognize the weakness of their original implementation against the uncloaking attack and put forward in [

23] a countermeasure against it. Namely, they introduced the concept of concealed cloaking elements and proposed to add six of them to the computation of each signature, which translated into a 6.7% increase of the signature size. Kotov, Menshov, and Ushakov questioned the effectiveness of the approach in the NIST PQC project discussion forum [

27], pointing out that their algorithms were designed taking into account the existence of precisely three cloaking elements, but could be modified to deal with more of them.