This paper reports on the Walnut Digital Signature Algorithm (WalnutDSA), which is an asymmetric signature scheme recently presented for standardization at the NIST call for post-quantum cryptographic constructions. WalnutDSA is a group theoretical construction, the security of which relies on the hardness of certain problems related to an action of a braid group on a finite set. In spite of originally resisting the typical attacks succeeding against this kind of construction, soon different loopholes were identified rendering the proposal insecure (and finally, resulting in it being excluded from Round 2 of the NIST competition). Some of these attacks are related to the well-structured and symmetric masking of certain secret elements during the signing process. We explain the design principles behind this proposal and survey the main attack strategies that have succeeded, contradicting its claimed security properties, as well as the recently-proposed ideas aimed at overcoming these issues.
The (seemingly close) advent of quantum computing is urging the cryptographic community to search for new constructions that may withstand attacks arising from this new computing paradigm. Post-quantum cryptography is a burgeoning research area in which tools are designed for a scenario where honest users are restricted to classical computation, while the adversary may eventually have access to quantum computing resources. The American National Institute of Standards and Technology (NIST) initiated in December 2016 “a process to develop and standardize one or more additional public-key cryptographic algorithms [...] that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers” (see ).
Walnut Digital Signature Algorithm (WalnutDSA) was one of the 20 public key signature schemes presented for standardization at the recent NIST call for post-quantum cryptographic constructions. Different mathematical objects were used in these proposals such as lattice theory, coding theory, algebraic geometry (see for instance [2,3,4]), and, in the case of WalnutDSA, braid groups. After a first round of evaluations, only nine of these proposals remained under consideration. WalnutDSA failed to enter the second round, mostly due to a number of attacks that were reported during the one-year evaluation phase.
While it is not unusual that post-quantum cryptographic proposals lack a formal security evaluation within the theoretical framework known as provable security, the lack of a rigorous security analysis of WalnutDSA has been particularly damaging to the scheme’s credibility. In particular, it makes it difficult to identify the critical points to fend off in an implementation. As a result, ad-hoc fixes have been proposed by the scheme designers after each published attack. Nevertheless, the effectiveness of these fixes is somewhat hard to judge. Moreover, the actual hardness of the underlying mathematical problems is not well understood. The signature process is simple and symmetric, having two secret group elements acting on the encoded message to be signed. However, this simplicity has been exploited in many of the attacks against the scheme. Unfortunately, several computational problems defined over the main algebraic environment of WalnutDSA (i.e., braid groups) have turned out to be hard to exploit cryptographically, mainly because the computational complexity of such problems may be high in a worst-case definition, while it is unclear how to produce hard instances effectively.
In this document, we give a self-contained review of WalnutDSA, detailing the proposal and describing the main attacks that have been presented against this construction, as well as the possible fixes, currently under discussion, towards a secure implementation of this signature scheme.
Paper roadmap: We start with a short section reviewing the history of braid group cryptography, followed by a section explaining the basics on signature schemes. Then, we give a comprehensive description of WalnutDSA in Section 4. Section 5 is devoted to the various attack strategies deployed against WalnutDSA; from the early factoring attacks (see Section 5.1), to collision attacks (Section 5.2), attempts to undermine the (claimed) one-wayness of the underlying E-multiplication function (Section 5.3), and finally, the recent (and probably the most devastating) attack aiming at the recovery of an alternative secret key by solving a certain rewriting problem (see Section 5.4). The survey wraps up with a short conclusion section.
2. Braid Group Cryptography
Cryptography based on braid groups was born almost 20 years ago and attracted plenty of attention from group theorists, as well as the cryptographic community. The reasons for this are diverse: the schemes were mathematically appealing and the constructions likely to be efficient enough to be practical. Unfortunately, many problems were brought to light after a thorough scrutiny carried out by pure mathematicians and cryptographers. In this section, we briefly review two of the most prominent proposals within this area and refer the interested reader to the survey on the topic by David Garber.
2.1. Cryptographic Constructions Using Braid Groups
The two flagship proposals made for deriving cryptographic constructions using braid groups are a key exchange protocol and a public key encryption scheme.
In 1999, Anshel, Anshel, and Goldfeld introduced a generic two-party key establishment protocol. Their presentation could be translated into various implementations with different algebraic structures as a base (and, of course, security levels). The one using braid groups attracted the most attention. The security of this construction relied on the hardness of the so-called multiple simultaneous conjugacy search problem (see below) in the braid group.
Later, at CRYPTO 2000, Ko et al. put forward a braid-based version of the Diffie–Hellman two-party key exchange protocol, as well as an encryption scheme à la ElGamal derived from such a protocol. The main idea behind this construction is as follows: Fix a public braid. Using this public information and exchanging messages through a public channel, two users may establish a shared high-entropy secret. This secret is derived from a braid of the form which is constructed by letting each user choose a secret conjugating element (a and b respectively) and publicly interchanging the elements and . Indeed, for this idea to work, the conjugating braids a and b should commute. Furthermore, the hardness of the underlying conjugacy search problem (see below) in the braid group is crucial for the security of the scheme, since extracting a or b from the public messages and is enough to deduce the exchanged key.
2.2. Computational Problems in Braid Groups
Many cryptographic proposals (like the ones mentioned above) based their security on computational problems related to the so-called conjugacy problem in , the braid group on strands. However, assuming that these problems are hard is not always reasonable. Indeed, efficient algorithms for special cases of these problems have been behind the cryptanalysis of most of the cryptographic proposals designed using braid groups. Some examples of such problems are:
Conjugacy Decision Problem (CDP). Given determine whether they are conjugate, i.e., whether there exists such that
Conjugacy Search Problem (CSP). Given known to be conjugate, compute such that
Braid Diffie–Hellman Decision Problem (BDHDP). Given such that there exist satisfying and with , determine whether
Braid Diffie–Hellman Search Problem (BDHSP). Given such that there exist satisfying and with , compute
Multiple Simultaneous Conjugacy Search Problem (MSCSP). Given k pairs of elements such that they are all conjugates with respect to the same braid, find such a conjugating braid, i.e., compute such that for all .
Decomposition Problem (DP). Let G be a fixed subgroup of . Given , find such that
Root Extraction Problem (REP). For and such that there exists with compute such a braid
It is easy to see that there are close relations among the above problems. Let us focus on how to solve CSP and CDP. As explained in detail in , the basic idea that has proven most fruitful towards a solution for the CSP and CDP problems involves a set for each braid x (typically a subset of the conjugacy class of A), which characterizes the conjugacy class (i.e., A and B are conjugates if and only if ). Furthermore, there should be an efficient algorithm to compute a representative and a witness , such that Lastly, it should be possible to construct the full set in a finite number of steps, starting from any representative . Now, given two braids specifying an instance of CSP or CDP, one should:
find representatives and
compute elements of (storing the corresponding witnesses) until either:
is found as an element of proving A and B to be conjugate and providing a conjugating element or
the entire set is constructed without finding proving that A and B are not conjugate.
Several choices of the special sets can be found in the literature: summit sets, super summit sets, ultra summit sets, reduced super summit sets, etc. All of them are subsets of the conjugacy class of the corresponding braid A. Of course, choosing a simpler and smaller set results in a more efficient algorithm derived from the above strategy. Using the above technique and other sophisticated geometric techniques, Birman, Gebhardt, and González-Meneses provided a polynomial-time algorithm to solve the CSP involving the so-called periodic braids. Furthermore, the same authors proved that the problem would be solved for all instances if a polynomial-time algorithm for a special type of braid (rigid braids) was found.
However, not only full theoretical solutions for the conjugacy problems have been of interest in the cryptographic context; indeed, heuristic algorithms with a significant success rate suffice to thwart the security of a scheme that is based on one of the above problems (we refer again to  for details). As a consequence, all cryptographic proposals built around the above problems are currently considered problematic.
3. Basics on Signature Schemes
In this section, we recall some basic concepts related to public key digital signature schemes and the assessment of provable security for these cryptographic tools. Many of the definitions below are taken from [9,10].
A digital signature scheme is a triplet of algorithms where:
the key generation algorithm, is a probabilistic algorithm that takes as input (for a security parameter ) and returns a pair of public and secret keys, from a designated key space of polynomial size in
Σ, the signing algorithm, is a probabilistic algorithm that takes as input a given message (for a fixed message space) and a secret key and returns a signature (also assumed to belong to a prescribed set of polynomial size in λ). Without loss of generality, we can assume that each of these sets consists of bitstrings of polynomial size in λ. In the sequel, we often drop the subscript λ for the sake of readability.
the verification algorithm, is a deterministic algorithm that takes as input a given signature , a message , and a public key and outputs a bit in , checking if is a valid signature of m with respect to .
Typically, a correctness requirement is imposed, establishing that outputs one if it gets a valid signature as the input. The fact that it should output zero for an invalid signature is typically captured by the different definitions of security.
3.1. Security Notions for Signature Schemes
Prior to giving formal definitions of security notions, we informally list the different adversarial goals and attack models, which attempt to capture the main attack strategies that should be prevented for each specific adversary. Let denote a (probabilistic polynomial-time) adversary. We assume that pursues one of the following adversarial goals:
Existential Forgery (EF): tries to produce a valid signature for a message, not necessarily adversarially chosen.
Selective Forgery (SF): tries to produce a valid signature for some adversarially chosen, fixed message m.
Universal Forgery (UF): aims at producing a valid signature for any given message.
Total Break (TB): tries to retrieve, from the public information, a legitimate signer’s secret key.
Similarly, in order to capture adversarial capabilities, we distinguish among the following attack models:
No Message Attack (NMA): only knows the public parameters (in particular, the public signing key).
Random Message Attack (RMA): is given signatures on a sequence of messages selected uniformly at random.
Chosen Message Attack (CMA): is given access to a signing oracle, which signs any message chosen by . Queries to this oracle can be adaptive, i.e., may adapt the input messages based on previous output signatures.
Formal security notions are introduced by combining adversarial goals and capabilities. For instance, a signature scheme is secure in the sense of UF-NMA if given any probabilistic polynomial-time adversary , there exists a negligible function of the security parameter bounding the probability of success of a UF attack, provided that has access only to public information (NMA). Other security notions are defined analogously; for instance, EUF-CMA captures the fact that a CMA adversary will not be able to produce an existential forgery.
Now, we give precise definitions for the three security notions, which are relevant throughout this work.
A signature scheme with message space and security parameter λ is said to be universally unforgeable under no-message attacks (UF-NMA) if for any probabilistic polynomial-time adversary and , then:
A signature scheme with message space and security parameter λ is said to be universally unforgeable under random-message attacks (UF-RMA) if for any probabilistic polynomial-time adversary and , then:
The above definition states that when given a list of message-signature pairs, where the messages are selected uniformly at random, the adversary should still have only a negligible probability of constructing a new valid signature pair.
A signature scheme with message space and security parameter λ is said to be existentially unforgeable under adaptive chosen-message attacks (EUF-CMA) if for any probabilistic polynomial-time adversary with polynomial access to a signing oracle that produces valid signatures with respect to a certain secret key , then:
In the above definition, the adversary is given access to a signing oracle that produces valid signatures with respect to the key pair under attack and faces the challenge of producing a valid signature for a message. This model is particularly relevant for capturing malleability attacks, which exploit the possibility of deriving new valid signatures from legitimate ones.
The standard security definition for signature schemes is EUF-CMA, which is the strongest among the three notions we have introduced. More precisely, every EUF-CMA scheme is UF-RMA, and in turn, every UF-RMA scheme is UF-NMA.
4. Scheme Description
In this section, we describe the Walnut Digital Signature Algorithm (WalnutDSA) introduced in . This construction relies on certain computational properties of nonlinear operations in the Artin braid group  combined with operations in , the group of non-singular matrices with entries in the finite field with q elements.
Informally, in WalnutDSA, the message to be signed is hashed and encoded as a braid in (see Section 4.1). The private key consists of a pair of braids, while an ordered set of N elements in and a pair of elements of the set form the public key (As usual, is the group of permutations of ). Key generation is described in detail in Section 4.2. In order to render brute force attacks ineffective, the key space is made sufficiently large by choosing and . A signature is built from the encoded message, the private keys, and two additional braids used to obscure the private key. Valid signatures must verify a certain equation involving the public key, the encoded message, and E-multiplication, a group-theoretic one-way function introduced in . All these algorithms are precisely described in Section 4.3. Let us start here by describing the mathematical ingredients needed to understand them.
4.1. Message Encoding
WalnutDSA encodes messages as elements in the Artin braid group, which is a nice algebraic and computational habitat.
Informally, the braid group with N strands is a non-Abelian group whose elements can be described as a configuration of N non-intersecting vertical or horizontal strands in three-dimensional space, with ends fixed on two parallel disks. Moreover, the strands flow in one direction without turning back, so that any plane parallel to the disks will intersect each strand exactly once. Multiplication of two braids is defined as concatenation of strands, and two braids are considered equal if one can be continuously transformed into the other, keeping the ends fixed and without intersecting the strands.
More precisely, the braid group with N strands is defined as follows . For , is a group generated by the Artin generators , subject to the following relations:
The Artin generator represents the braid where the ith strand crosses over the th strand. The relation for , corresponds to moving the ith strand over the crossing of the th and the th strand, and the relations for correspond to the fact that crossings that do not share strands commute.
Any braid can be expressed as a product of the Artin generators and their inverses, that is,
where and . Clearly, the expression for b is not unique since applying (1) yields infinite equivalent expressions.
Let be the symmetric group of order N. There exists a group homomorphism defined as follows. For each Artin generator , and for , such that . That is, and are mapped into the element in , which interchanges the and the elements of and leaves the rest fixed. Notice that for . Moreover, for , . Hence, for any braid as in (2), we have:
If is the identity element of , then b is called a pure braid. In other words, a braid is a pure braid if and only if it is in the kernel of .
WalnutDSA requires the permutation linked to each encoded message to be the identity. Thus, the encoded message must be a pure braid.
The encoding algorithm utilizes the following collection of pure braids:
This collection of pure braids generates a free subgroup of , that is, the set of products of , , that satisfy no relations except those implied by the group axioms (e.g., , but for ) (, Chapter 7). Any subset of the above collection of pure braids will generate a free subgroup.
Let be a message, and let , , denote a cryptographically secure hash function. Fix any four generators , and denote by the free subgroup generated by these four generators. Define the encoding function as follows. The hashed message is broken into ℓ 4-bit blocks. For the block, the first two bits determine a generator , , and the next two bits determine an integer . Then,
written in its reduced form, that is, products of the form and , , are erased from the braid (see [16,17] for examples of reduction algorithms). This encoding algorithm ensures that each message is mapped to a unique reduced element of the free subgroup generated by .
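The following Python is an added illustration of the encoding pipeline of Section 4.1; it is not code from the paper or from the WalnutDSA submission. It hashes the message, cuts the digest into 4-bit blocks, lets each block pick one of four free generators and an exponent, freely reduces the word, and then substitutes concrete pure braids for the abstract generators so that the image under the permutation homomorphism can be checked to be the identity. The number of strands N = 8, the four generator pairs in GENERATORS, the mapping of the two exponent bits to 1..4, and the concrete form of the pure-braid generators (the standard ones in which strands i and j wind once around each other) are assumptions of this example, since the page does not reproduce those formulas.

```python
import hashlib
from typing import List, Tuple

N_STRANDS = 8
# Assumed choice of the four fixed pure-braid generators, as pairs (i, j) of strands.
GENERATORS = [(1, 3), (2, 5), (4, 7), (6, 8)]

FreeWord = List[Tuple[int, int]]   # (generator index 0..3, non-zero exponent)
Braid = List[int]                  # +k stands for sigma_k, -k for sigma_k^{-1}


def free_reduce(word: FreeWord) -> FreeWord:
    """Reduced form in a free group: merge adjacent powers of the same generator and
    drop x^a x^{-a}. Using a stack makes cancellations cascade correctly."""
    out: FreeWord = []
    for idx, e in word:
        if e == 0:
            continue
        if out and out[-1][0] == idx:
            merged = out[-1][1] + e
            out.pop()
            if merged != 0:
                out.append((idx, merged))
        else:
            out.append((idx, e))
    return out


def encode(message: bytes) -> FreeWord:
    """Hash the message and read the digest in 4-bit blocks: the first two bits select one
    of the four generators, the next two bits an exponent. Mapping those two bits to the
    integers 1..4 is an assumption of this example."""
    digest = hashlib.sha256(message).digest()
    word: FreeWord = []
    for byte in digest:
        for nibble in (byte >> 4, byte & 0xF):
            word.append((nibble >> 2, (nibble & 3) + 1))
    return free_reduce(word)


def pure_generator(i: int, j: int) -> Braid:
    """sigma_{j-1} ... sigma_{i+1} sigma_i^2 sigma_{i+1}^{-1} ... sigma_{j-1}^{-1} for 1 <= i < j <= N:
    the standard pure braid in which strands i and j wind once around each other
    (assumed concrete form; the page's own collection is not reproduced)."""
    conj = list(range(j - 1, i, -1))          # sigma_{j-1} ... sigma_{i+1}
    return conj + [i, i] + [-g for g in reversed(conj)]


def reduce_artin(word: Braid) -> Braid:
    """Free reduction on Artin generators: cancel adjacent sigma_k sigma_k^{-1} pairs."""
    out: Braid = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def to_braid(word: FreeWord) -> Braid:
    """Substitute the concrete pure braids for the abstract free generators."""
    out: Braid = []
    for idx, e in word:
        g = pure_generator(*GENERATORS[idx])
        if e < 0:
            g = [-x for x in reversed(g)]     # inverse braid word
        out.extend(g * abs(e))
    return reduce_artin(out)


def permutation(word: Braid, n: int = N_STRANDS) -> List[int]:
    """Image of a braid word under the homomorphism B_N -> S_N: every sigma_k^{+-1}
    swaps the strands currently at positions k and k+1."""
    perm = list(range(n))
    for g in word:
        k = abs(g) - 1
        perm[k], perm[k + 1] = perm[k + 1], perm[k]
    return perm


def is_pure(word: Braid, n: int = N_STRANDS) -> bool:
    """A braid is pure exactly when it lies in the kernel of B_N -> S_N."""
    return permutation(word, n) == list(range(n))


def encode_to_braid(message: bytes) -> Braid:
    return to_braid(encode(message))


if __name__ == "__main__":
    msg = b"constructed sample message"
    word = encode(msg)
    braid = to_braid(word)
    print("free word:", word[:6], "...")
    print("braid length:", len(braid), "pure:", is_pure(braid))
```

Because every message is hashed before encoding, two messages with the same digest (or, as Section 5.2 shows, the same E-multiplication image of their encodings) receive the same encoded braid; the `is_pure` check is exactly the requirement stated above that encoded messages lie in the kernel of the permutation homomorphism.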
4.2. Key Generation
The security of WalnutDSA relies on E-multiplication, a function that maps braids in to elements in the set . This mapping is based on the colored Burau representation of . We provide some preliminaries before describing the public and private keys in WalnutDSA.
4.2.1. Colored Burau Representation of the Braid Groups
Let denote the ring of Laurent polynomials in the variables with coefficients in , that is,
For each Artin generator, we define the following matrices :
where is the identity matrix of size and is the zero matrix of adequate size.
Let and . We define:
The product of and in is defined as:
We have that the elements of form a group under this product operation.
where the operations are done from left to right. Furthermore, for convenience, we will write instead of .
4.2.3. Key Generation Mechanism
The signer’s private key consists of two random braids and , written in reduced form, such that , , and are not pure braids. No further prerequisites were made explicit in the original proposal of WalnutDSA.
Let be a braid and a fixed set of N non-zero elements. Define:
where is the identity matrix and is the identity permutation. The signer’s public key consists of:
such that , , and for some ,
the matrix component of , denoted by , that is, .
4.3. Signature Generation and Verification
We now describe WalnutDSA in detail.
4.3.1. Cloaking Elements
First, we discuss elements in the subgroup of pure braids that essentially disappear when performing E-multiplication. The purpose of these elements is to cloak, or hide, the private key used to construct the signature.
Let , and let be a fixed set of N non-zero elements of . A pure braid is called a cloaking element of if:
It is clear from this definition that the set of cloaking elements of depends on the set . The existence of cloaking elements is discussed in the following proposition.
Fix integers , , and fix a set of N non-zero elements such that . Let , , , an Artin generator of , and such that:
is a cloaking element of .
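The Python below is an added illustration, not code from the paper or from the WalnutDSA reference implementation. It implements E-multiplication of a (matrix, permutation) pair by a braid word using colored Burau matrices evaluated at T-values over GF(q) (Section 4.2), and uses it to check the properties the text relies on: the braid relations survive E-multiplication, the permutation component detects pure braids, the restriction to pure braids is multiplicative on the matrix component (the homomorphism property used later in Section 5.3.2), and a braid of the form w σ_i² w⁻¹ cloaks a given pair when the two strands crossed by σ_i carry T-values equal to 1 (Section 4.3.1). The row convention of the colored Burau matrices, the substitution rule t_j → τ_{σ(j)}, the choice of q = 13, and the precise cloaking condition are assumptions of this example, because the page's formulas are not reproduced.

```python
from typing import List, Tuple

Braid = List[int]                         # +k for sigma_k, -k for sigma_k^{-1}, 1 <= k < N
Matrix = List[List[int]]
State = Tuple[Matrix, List[int]]          # (matrix over GF(q), permutation as a 0-indexed list)


def identity_matrix(n: int) -> Matrix:
    return [[1 if r == c else 0 for c in range(n)] for r in range(n)]


def matmul(a: Matrix, b: Matrix, q: int) -> Matrix:
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % q for c in range(n)] for r in range(n)]


def inverse_word(w: Braid) -> Braid:
    """Inverse of a braid word: reverse the letters and flip every exponent."""
    return [-g for g in reversed(w)]


class EMultiplication:
    """E-multiplication by braid words with colored Burau matrices over GF(q), q prime.
    Assumed convention: row i of CB(sigma_i) is (t_i, -t_i, 1) in columns i-1, i, i+1 and
    row i of CB(sigma_i^{-1}) is (1, -t_{i+1}^{-1}, t_{i+1}^{-1}); all other rows are identity."""

    def __init__(self, n: int, q: int, t_values: List[int]):
        assert len(t_values) == n and all(1 <= t < q for t in t_values)
        self.n, self.q, self.t = n, q, t_values

    def start(self) -> State:
        return identity_matrix(self.n), list(range(self.n))

    def _generator_matrix(self, g: int, perm: List[int]) -> Matrix:
        """CB(sigma_i^{+-1}) with each variable t_j replaced by the T-value at position perm[j]:
        the permutation accumulated so far acts on the variables before evaluation."""
        n, q = self.n, self.q
        i = abs(g) - 1                          # 0-indexed row holding the non-trivial entries
        row = [0] * n
        if g > 0:
            ti = self.t[perm[i]]
            if i > 0:
                row[i - 1] = ti
            row[i] = (-ti) % q
            row[i + 1] = 1
        else:
            inv = pow(self.t[perm[i + 1]], -1, q)   # t_{i+1}^{-1} in GF(q)
            if i > 0:
                row[i - 1] = 1
            row[i] = (-inv) % q
            row[i + 1] = inv
        m = identity_matrix(n)
        m[i] = row
        return m

    def apply(self, state: State, word: Braid) -> State:
        """(M, sigma) * b, one Artin generator at a time, operations taken left to right."""
        m, perm = state[0], list(state[1])
        for g in word:
            m = matmul(m, self._generator_matrix(g, perm), self.q)
            i = abs(g) - 1
            perm[i], perm[i + 1] = perm[i + 1], perm[i]   # sigma := sigma composed with s_i
        return m, perm

    def e_mult(self, word: Braid) -> State:
        """E-multiplication of a braid from (identity matrix, identity permutation)."""
        return self.apply(self.start(), word)

    def is_pure(self, word: Braid) -> bool:
        return self.e_mult(word)[1] == list(range(self.n))

    def is_cloaking(self, state: State, v: Braid) -> bool:
        """v cloaks the state if E-multiplying by v leaves both components unchanged."""
        return self.apply(state, v) == (state[0], list(state[1]))

    def cloaking_element(self, state: State, i: int, w: Braid) -> Braid:
        """w sigma_i^2 w^{-1}; assumed condition: after w, the strands at positions i, i+1
        must sit on T-values equal to 1 under the state's permutation."""
        perm_after_w = self.apply(state, w)[1]
        a, b = perm_after_w[i - 1], perm_after_w[i]
        assert self.t[a] == 1 and self.t[b] == 1, "sigma_i must cross two strands with T-value 1"
        return w + [i, i] + inverse_word(w)


def is_multiplicative(E: EMultiplication, b1: Braid, b2: Braid) -> bool:
    """Does the matrix part of E(b1 b2) equal the product of the matrix parts of E(b1) and E(b2)?
    It does whenever b1 is pure (its permutation is trivial), but not for general braids."""
    m12 = E.e_mult(b1 + b2)[0]
    return m12 == matmul(E.e_mult(b1)[0], E.e_mult(b2)[0], E.q)


if __name__ == "__main__":
    E = EMultiplication(5, 13, [1, 1, 2, 3, 5])         # constructed parameters, two T-values equal to 1
    state = E.e_mult([2, 3])
    v = E.cloaking_element(state, 1, [3, 2])
    print("cloaking element:", v, "cloaks:", E.is_cloaking(state, v))
    print("pure braids multiplicative:", is_multiplicative(E, [1, 1], [2, 2]))
    print("general braids multiplicative:", is_multiplicative(E, [3], [4]))
```

The design choice worth noticing is that the permutation component is the only thing that couples consecutive generators: once the accumulated permutation is trivial, the next generator's matrix is evaluated at the unpermuted T-values, which is why E-multiplication becomes an ordinary matrix product on pure braids and why the cloaking condition depends only on which two T-values a given σ_i² is evaluated at.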
4.3.2. Signature Generation
Fix a hash function , , and let be the braids in the private key. In WalnutDSA, a signature for the message is the braid:
written in reduced form, where are cloaking elements of , , and , respectively.
4.3.3. Signature Verification
The verification algorithm calculates the matrix component of and , denoted by and , respectively, and accepts the signature if the following equation holds:
5. Cryptanalysis of WalnutDSA
5.1. Factoring Attacks
The essential idea behind these attacks is to forge a signature for any given message m solving a factorization problem in groups, defined as follows:
(Factorization problem in groups). Let G be a group; let be a generating set for G; and let . Find an integer L and sequences and such that:
A solution to a specific instance of this problem has been exploited by several authors [19,20] to construct a new valid signature from several valid signatures, in order to violate UF-CMA. More precisely, Hart et al. presented in  an efficient method to compute, given a couple of signatures on random messages, a new signature on an arbitrary message. However, these forged signatures were significantly longer than those constructed by the honest signer. The design of WalnutDSA was modified by the authors in order to defeat this attack, yet a refinement of this method, presented in Section 3 of , rendered this modification insufficient.
5.1.1. Factoring for Universal Forgeries: The Attacks by Hart et al., and Beullens and Blackburn
The strategy behind  allows for constructing a valid signature for any arbitrary message m (and is thus a universal forgery). More precisely, Proposition 4 in  states that, given a finite set of signatures:
and taking as the matrix part of for all it holds that, if the matrix part h of can be factored with respect to the generating set then constructing the very same word replacing each with the corresponding braids from yields a valid signature for
Beullens and Blackburn explained how to exploit this malleability property through the following simple theorem:
(Theorem 1 from ). Consider the version of WalnutDSA, where it holds that Suppose m, , are three messages. Let h, , be the matrix part of , , , respectively. Then,
If and is a valid signature for , then is a valid signature for m.
If and , are valid signatures for and , respectively, then is a valid signature for m.
However, the above result is only valid if the public braids and coincide, which was only the case in the first versions of the proposal . All in all, a simple variant of the above theorem, presented in , shows that choosing does not remedy the strong malleability inherent to WalnutDSA:
(). Suppose m, , are three messages. Let h, , be the matrix part of , , , respectively. Let , , be three braids. Then,
If and is a valid signature for under the public key , then is a valid signature for m under the public key .
If and are valid signatures for and under the public keys and , respectively, then is a valid signature for m under the public key .
Note that the above theorems do not impose a practical restriction on the forged message m, for suitable can be constructed for any m in order to mount the UF attack. Still, the forged signatures obtained through these factoring strategies are many orders of magnitude longer than legitimate signatures; thus, imposing length limits on the output signatures (as the authors did in the implementation submitted to the NIST PQC standardization call) is enough to dodge these attacks.
5.1.2. Factoring Using the Garside Normal Form
Recently, in , it was noticed that whenever a product of braids is represented in the Garside normal form, parts of the corresponding form of the individual factors , and C are somewhat easy to extract. In particular, the authors of this paper presented an algorithm for recovering, given B, elements and such that:
, up to multiplications with elements in the center of
Note that the center of the group is a cyclic group generated by the square of the so-called Garside’s fundamental braid, which is the only positive braid for which any two strands cross exactly once (see [14,22] for a classical introduction and a comprehensive survey on braid groups). This decomposition strategy allows for constructing a universal forgery, as stated in the following result:
(). Let be a valid signature for some message m, and let , such that , , and . Then,
is a valid signature for any message .
Note that since the replaced braids and are in principle independent of the message the forged signature need not be longer than a legitimate signature. Furthermore, the complexity of this procedure is essentially that of computing Garside normal forms, which can be done in time , where k is the number of Artin generators encoding the input braid.
Furthermore, this method bypasses the colored Burau representation used in the implementation of WalnutDSA; thus, it cannot be prevented by modifying the size of the underlying finite field. The authors of this cryptanalysis suggest that the only way to dodge this attack is to add many concealed cloaking elements to the encoding, which has a significant cost both in signature length and computing time for the generation of signatures. Furthermore, in , the authors of the scheme claimed to have experimentally demonstrated that inserting cloaking elements every 7–12 generators into the braid blocked this attack. However, no details were given on how this strategy was theoretically or empirically assessed.
5.2. Collision Attacks
Imposing implicit limits on the output signature sizes is indeed a valid strategy for preventing factoring attacks, as was promptly noticed by the authors of WalnutDSA. However, in Section 4 of , it was demonstrated that, through a simple collision method, it was possible to compute short forged signatures, yet not on arbitrary messages.
In Section 4 of , it was observed that if there exist two messages , such that , then a valid signature for is valid for and vice versa. Breaking the EUF-CMA security notion (see Definition 4) is as simple as finding two such messages and , since an adversary could query a signature for and then obtain a signature for .
A generic collision attack is expected to require evaluations of function . In order to evaluate the feasibility of this attack, it is necessary to estimate the size of . The authors of WalnutDSA considered a conservative lower bound for values of . For 128-bit and 256-bit security levels, these values were and , respectively, so it is expected to find a collision after and evaluations of . Hence, a generic collision attack is not practical.
In , it was shown (by means of computer experiments) that is at most (lying in an affine subspace over ), so a collision is expected to be found after evaluations of . With this new estimate, and evaluations of are necessary for 128-bit and 256-bit security levels, respectively. Therefore, the collision attack is practical in this case.
In order to implement this attack, the authors used a generic collision finding algorithm: the distinguished point algorithm of van Oorschot and Wiener .
This algorithm finds collisions in any function that behaves like a random function . The time complexity for finding a single collision is . A distinguished point is an element of S satisfying some easily testable property (e.g., a fixed number of leading zero bits). The distinguished point algorithm selects a starting point at random and produces a chain of points for , until a distinguished point is reached. Then, the starting point , the distinguished point , and the length of the chain are stored. It is expected that after , the current chain will collide with one of the stored chains. Following the chain from that point, the same distinguished point will be reached.
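As an added illustration of the distinguished point method just described (this is not the experiment or code of Beullens and Blackburn), the Python below runs it against a constructed stand-in for the function: a SHA-256 digest truncated to 20 bits, so that it behaves like a random function on a set S of size 2^20. Points whose low 6 bits are zero are the distinguished ones; each chain stores its starting point, its distinguished end point, and its length, and when two chains end at the same distinguished point they are walked in lock-step after aligning their lengths to recover the actual colliding pair. The range size, the distinguished-point rule, and the toy function are choices of this example.

```python
import hashlib
import random
from typing import Callable, Dict, Optional, Tuple

SPACE_BITS = 20                         # toy range S = {0, ..., 2^20 - 1}
MASK = (1 << SPACE_BITS) - 1
DIST_BITS = 6                           # distinguished point: low 6 bits are zero (probability 1/64)


def toy_f(x: int) -> int:
    """Constructed stand-in for the function whose collisions are sought: truncated SHA-256,
    which behaves like a random function S -> S."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(4, "big")).digest()[:4], "big") & MASK


def is_distinguished(x: int) -> bool:
    return x & ((1 << DIST_BITS) - 1) == 0


def locate_collision(f: Callable[[int], int], a: int, alen: int,
                     b: int, blen: int) -> Optional[Tuple[int, int]]:
    """Two chains end at the same distinguished point. Advance the longer one until both have the
    same distance left, then walk them together: the first pair with a != b and f(a) == f(b)
    is the collision. Returns None when one chain merely starts inside the other."""
    if alen > blen:
        a, alen, b, blen = b, blen, a, alen
    for _ in range(blen - alen):
        b = f(b)
    if a == b:
        return None
    while True:
        fa, fb = f(a), f(b)
        if fa == fb:
            return a, b
        a, b = fa, fb


def find_collision(f: Callable[[int], int], rng: random.Random,
                   max_chain: int = 20 << DIST_BITS) -> Tuple[Tuple[int, int], int]:
    """Distinguished point algorithm: returns ((a, b), evaluations) with a != b, f(a) == f(b).
    Only the chain-building evaluations are counted; the final lock-step walk is not."""
    table: Dict[int, Tuple[int, int]] = {}      # distinguished point -> (start, chain length)
    evaluations = 0
    while True:
        x0 = rng.getrandbits(SPACE_BITS)
        x, length = x0, 0
        while not is_distinguished(x) and length <= max_chain:
            x = f(x)
            length += 1
            evaluations += 1
        if not is_distinguished(x):
            continue                             # chain fell into a cycle with no distinguished point
        if x in table:
            y0, ylen = table[x]
            pair = locate_collision(f, x0, length, y0, ylen)
            if pair is not None:
                return pair, evaluations
        else:
            table[x] = (x0, length)


if __name__ == "__main__":
    (a, b), n = find_collision(toy_f, random.Random(2024))
    print(f"collision {a} != {b}, f(a) = f(b) = {toy_f(a)}, after {n} chain evaluations")
```

For |S| = 2^20 the expected number of evaluations is about sqrt(pi * 2^20 / 2), roughly 1300, while the table only holds one entry per chain, which is the memory saving that makes this method preferable to storing every evaluated point; the same algorithm is reused in Section 5.3.1 for the birthday attack on E-multiplication.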
In , this algorithm was applied to the function instead of to , where g is a function that crafts plausible messages, given an output of . However, no implementation or description of how to build the function g was provided.
Using a standard PC, the algorithm found a collision after evaluations of f ( evaluations were expected). This took approximately one hour. The two messages found by the algorithm were
In order to mitigate this practical attack, Beullens and Blackburn recommended increasing the value of q to and to achieve 128-bit and 256-bit security levels, respectively. With these new parameters, the size of the public key is five times larger and the verification algorithm is 25 times slower at the 256-bit level.
A better mitigation of this attack is to change the encoding algorithm to output pure braids not restricted to the subgroup generated by , , , and . This change would require evaluations of , and only a minor increase of parameters is needed. It was pointed out in  that a 256-bit security level could be achieved by setting and , making the key size 50% larger, the signature size 25% larger, and the verification algorithm twice as slow.
The authors of WalnutDSA pointed out that any braid output by the encoding mechanism E (see Section 4.1.2) is a product of the image (under ) of the encoding braids used, and thus, it is essential that the subspace spanned by said images is sufficiently large . They further outlined two design strategies towards defeating this attack (see Table 1).
5.3. Reversing E-Multiplication
A fundamental hard problem underlying the security of the Walnut signature scheme is to break the one-wayness of the function:
Here, we write instead of with the understanding that the set of non-zero elements is arbitrary, but fixed.
More precisely, the underlying problem is defined as follows.
(Reversing E-Multiplication (REM) problem ). Given a pair , such that for some braid , find a braid such that .
Observe that if brute force is used to solve the REM problem, then it would take E-multiplications to find a solution, where is the size of the orbit of .
Recall that the private key consists of two braids , and the corresponding public key consists of and , the matrix component of . In , it was observed that a valid signature for a message m also satisfies:
Therefore, not knowing the permutation component of poses no problem to the attacker since it can be recovered from the permutation component of (3) without necessarily knowing the encoded message (no message attack). Indeed, since cloaking elements and are required to be pure braids, we have:
Once has been computed, an attacker can solve two instances of the REM problem by finding two braids such that and , which can be used to sign any message (universal forgery). Hence, solving the REM problem means that UF-NMA security (Definition 2) can be violated.
In this section, we describe two algorithms proposed in  that solve the REM problem. The first algorithm is a generic birthday attack, while the second exploits the structure of the braid group and is more efficient than the first one.
5.3.1. Generic Birthday Attack
Given a pair , if we can find two braids such that:
then the solution of the REM problem is . In , it was argued that a naive way of finding and , by constructing a table with values and checking whether lies in the table for random , would take E-multiplications, making this method more efficient than brute force. The drawback of this naive approach is memory: the whole table has to be stored.
This inconvenience can be circumvented by using a distinguished point algorithm (see Section 5.2). In this case, the algorithm is applied to the function:
where and are hash functions that take elements in the orbit of as input and output a bit or a braid, respectively.
The idea is to find collisions:
Hence, if a collision is found such that , then and . In this case, a solution of the REM problem is . On the other hand, if , then a solution of the REM problem is .
As noted in , this attack is exponential in running time and can be thwarted by choosing the correct parameters for WalnutDSA, in this case , for 128-bit security, and , for 256-bit security.
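As an added worked example (not code from the paper, nor from the WalnutDSA authors), the following Python program models E-multiplication via the colored Burau representation at toy parameters and runs the generic birthday attack of this subsection against an REM instance. The parameters are assumptions chosen so that the orbit fits in a table: N = 3 strands, the prime field F_5 and constructed T-values, whereas WalnutDSA itself works with N = 8 or 10 over F_{2^k}; a hash table stands in for the distinguished-point search. The same code checks the two structural facts this section relies on: cloaking elements and encoded messages are pure braids, so their permutation component is trivial and the permutation of the second private braid leaks from any signature, and on pure braids the matrix part of E-multiplication is a homomorphism. All function names are illustrative.

```python
"""Toy E-multiplication (colored Burau) and a birthday attack on REM.
Illustrative parameters only: N = 3 strands over F_5 with constructed T-values;
WalnutDSA itself uses N = 8 or 10 over F_{2^k}."""
import random

N = 3                 # strands (assumption: tiny so the orbit fits in a table)
P = 5                 # prime field F_P (assumption: the real scheme uses F_{2^k})
TVALS = [2, 3, 4]     # constructed, fixed non-zero T-values tau_1..tau_N
ID_PERM = tuple(range(N))


def identity():
    """The pair (identity matrix, identity permutation) the action starts from."""
    return (tuple(tuple(int(i == j) for j in range(N)) for i in range(N)), ID_PERM)


def e_mult_gen(state, g):
    """(M, sigma) * b_i^{+-1}, with g = +(i+1) or -(i+1) (1-based Artin generator).
    Row i of CB(b_i) is (t_i, -t_i, 1) in columns i-1, i, i+1; row i of CB(b_i^-1)
    is (1, -1/t_{i+1}, 1/t_{i+1}); every other row is the identity.  sigma permutes
    the variables (t_j -> t_{sigma(j)}) before evaluation at TVALS, and the
    permutation component becomes sigma o (i i+1)."""
    M, sigma = state
    i = abs(g) - 1
    if g > 0:
        t = TVALS[sigma[i]]
        row = {i - 1: t, i: -t, i + 1: 1}
    else:
        tinv = pow(TVALS[sigma[i + 1]], -1, P)
        row = {i - 1: 1, i: -tinv, i + 1: tinv}
    newM = []
    for r in range(N):
        # (M * CB)[r] = sum_{k != i} M[r][k] e_k + M[r][i] * (row i of CB)
        nr = list(M[r])
        nr[i] = 0
        for c, v in row.items():
            if 0 <= c < N:
                nr[c] = (nr[c] + M[r][i] * v) % P
        newM.append(tuple(nr))
    ns = list(sigma)
    ns[i], ns[i + 1] = sigma[i + 1], sigma[i]
    return (tuple(newM), tuple(ns))


def e_mult(state, word):
    """Right action of a braid word (list of signed generators) on (M, sigma)."""
    for g in word:
        state = e_mult_gen(state, g)
    return state


def inverse(word):
    return [-g for g in reversed(word)]


def perm(word):
    """Permutation component of (1,1) * word."""
    return e_mult(identity(), word)[1]


def compose(a, b):
    """(a o b)(j) = a(b(j)) on 0-based permutations."""
    return tuple(a[b[j]] for j in range(N))


def matmul(A, B):
    return tuple(tuple(sum(A[r][k] * B[k][c] for k in range(N)) % P
                       for c in range(N)) for r in range(N))


def random_word(rng, length):
    return [rng.choice((1, -1)) * rng.randint(1, N - 1) for _ in range(length)]


def conj_square(c, i):
    """c * b_i^2 * c^-1: a pure braid, used here as a stand-in cloaking element."""
    return c + [i, i] + inverse(c)


def rem_birthday(target, rng, table_size=4000, max_tries=500000):
    """Generic birthday attack on REM: given target = (1,1) * beta, return beta'
    with (1,1) * beta' == target.  Tabulate (1,1) * beta1 for random beta1, then
    draw beta2 until target * beta2 hits the table; since E-multiplication is a
    right action, beta' = beta1 * beta2^-1 is a solution.  Memory is O(table_size);
    the distinguished-point method of Section 5.2 removes that cost at scale."""
    table = {}
    for _ in range(table_size):
        b1 = random_word(rng, rng.randint(8, 20))
        table.setdefault(e_mult(identity(), b1), b1)
    for tries in range(1, max_tries + 1):
        b2 = random_word(rng, rng.randint(8, 20))
        b1 = table.get(e_mult(target, b2))
        if b1 is not None:
            return b1 + inverse(b2), table_size + tries
    raise RuntimeError("no collision within the budget")


def demo(seed=1):
    rng = random.Random(seed)
    one = identity()
    # 1. An REM instance from a secret 20-letter braid, solved by collision search.
    beta = random_word(rng, 20)
    target = e_mult(one, beta)
    found, cost = rem_birthday(target, rng)
    # 2. Cloaks v1..v3 and the encoded message are pure, so a signature of the form
    #    v1 * w^-1 * v2 * E(m) * w' * v3 leaks perm(w') = perm(w) o perm(Sig).
    w, w2 = random_word(rng, 10), random_word(rng, 10)
    v1, v2, v3, enc = (conj_square(random_word(rng, 4), 1) for _ in range(4))
    sig = v1 + inverse(w) + v2 + enc + w2 + v3
    # 3. On pure braids the matrix part of E-multiplication is a homomorphism.
    p1, p2 = conj_square(random_word(rng, 5), 2), conj_square(random_word(rng, 5), 1)
    return {
        "rem_solved": e_mult(one, found) == target,
        "cost": cost,
        "cloaks_pure": all(perm(x) == ID_PERM for x in (v1, v2, v3, enc)),
        "perm_leaks": compose(perm(w), perm(sig)) == perm(w2),
        "pure_hom": e_mult(one, p1 + p2)[0] == matmul(e_mult(one, p1)[0], e_mult(one, p2)[0]),
    }


if __name__ == "__main__":
    print(demo())
```

At these toy sizes the table plus a few hundred trials suffice; the point of the exercise is the shape of the argument, namely that only the right-action property and the size of the orbit enter, which is exactly why the parameters and not the algebra determine the cost of this attack.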
5.3.2. Subgroup Chain Attack
This attack exploits the fact that the restriction of to pure braids is a group homomorphism, which maps the chain of subgroups:
to a corresponding chain of subgroups of . Here, denotes the intersection of the subgroup of pure braids in with the subgroup generated by , that is the subgroup of pure braids in which only the first k strands cross over each other. More precisely, for each , is a homomorphism from into the subgroup:
In contrast to the birthday attack, this method solves the REM problem for a pair , by finding in iterative steps a braid such that , as follows. First, choose any braid such that . Therefore, . Next, find a pure braid such that . The iterative step consists of randomly choosing a target matrix and then finding a pure braid such that:
Notice that in each iterative step, the permutation component is since is a pure braid, and thus, . This process yields a braid such that . Then, the solution to the REM problem is .
In , it was pointed out that if for some , then it is not possible to complete the attack, and thus, assuming:
for each , guarantees that the attack will work. This assumption is not too restrictive, since it seems to hold for the proposed parameters of WalnutDSA. With (4) in mind, the iterative step of this attack can be solved by performing a collision search in the space of cosets of in , with a cost of E-multiplications (see Sections 5.2 and 5.3 of  for details).
In , the running time of this attack was estimated to be whenever E-multiplication uses the set of invertible elements with for some (see Section 4.2.2). It was noted in  that if and are chosen such that , then the running time of the attack is increased to at least , where for and for . Moreover, this attack is defeated by taking , for 128-bit security, and , for 256-bit security.
5.4. Uncloaking Signatures
Kotov, Menshov, and Ushakov presented in  a powerful attack against WalnutDSA. It is a heuristic attack that works exclusively with braids and does not need to take into account E-multiplication. The authors reported experiments with one hundred random protocol instances with a 100% success rate. It is worth pointing out that the experiments were carried out for three different settings: the 128 and 256-bit security levels from the official specification  (where ) and the 256-bit security version with , proposed in .
In a nutshell, the attack works as follows: an adversary who collects several pairs of messages and valid signatures (the messages need not be of its choosing) computes an alternative secret key that, when used to sign any message, produces the same signature as the real secret key. This is a very strong result, since it breaks one of the weakest security notions for signatures (UF-RMA; see Definition 3): an adversary with access to signatures on random, not adversarially chosen, messages can produce a valid signature on any message of its choice, i.e., a universal forgery.
Next, we provide a high-level description of the attack:
Step 1. The attacker collects k pairs where each is a valid signature for computed with the same secret key . Each signature is a braid of the form:
where are cloaking elements.
Step 2. The attacker, using a heuristic procedure described in , is able to remove the cloaking elements from the signatures, that is compute braids . It is worth pointing out that Kotov, Menshov, and Ushakov reported a high success rate for their uncloaking algorithm, close to 80% or 100%, depending on the type of cloaking elements used (see Table 2).
Step 3. The attacker computes the products . Note that these are:
obtaining a system of conjugacy equations in where only is unknown. In , another heuristic algorithm to obtain a solution of the system (not necessarily equal to ) was developed.
Step 4. The attacker sets for i of its choice. Under certain conditions, works as an alternative secret key to , in the sense that it produces a valid signature for any message. Moreover, as a braid word, this signature equals the one produced with the original key. This implies that the attack cannot be avoided by limiting the size of accepted signatures. In order to decide if the alternative key works as intended, Kotov, Menshov, and Ushakov generated signatures for 10 random messages and checked their validity.
In , a 100% success rate of the full attack was reported. One interesting fact is that the attack did not need many message/signature pairs in order to succeed: Kotov, Menshov, and Ushakov affirmed that, in all their experiments, six successfully uncloaked signatures were enough to get five conjugacy equations and a valid alternative secret key. Average running times for the full attack are shown in Table 3.
With respect to possible countermeasures against their attack, Kotov, Menshov, and Ushakov themselves made several proposals. The first one is to artificially introduce many so-called critical letters in the secret braids (locating critical letters is one of the main ingredients of the uncloaking algorithm). In addition, they proposed using many more cloaking elements (around 30) on each side of the signature. Nevertheless, they pointed out that it is not even clear whether this measure would help, as it does not neutralize their attack  against Kayawood , another braid-based protocol. Finally, Kotov et al. recommended short conjugators for constructing cloaking elements, making them less visible.
The proponents of WalnutDSA recognized the weakness of their original implementation against the uncloaking attack and put forward in  a countermeasure against it. Namely, they introduced the concept of concealed cloaking elements and proposed to add six of them to the computation of each signature, which translates into a 6.7% increase of the signature size. Kotov, Menshov, and Ushakov questioned the effectiveness of this approach in the NIST PQC project discussion forum , pointing out that their algorithms were designed for precisely three cloaking elements but could be modified to deal with more of them.
6. Final Remarks
WalnutDSA is a beautifully-designed signature scheme, conceived in the remarkable mathematical setting of braid groups. Despite the inspiring ideas involved in its construction, the many attacks explained in this survey demonstrate that there is still a long way to go before a suitable key generation and parameter selection process is identified. We believe that it will be rather difficult to fix the security problems described, which may be an unavoidable consequence of the neat and symmetric structure of the signing procedure. A formal security analysis, as well as a deeper understanding of the actual relation between the cryptanalytic goals and the underlying mathematical problems, are essential ingredients for any secure instantiation of WalnutDSA. A promising starting point would be to pin down the concrete cost of a forgery. For instance, a first step would be to assess whether a forger can be used in a black-box manner to reverse the related E-multiplication procedure (i.e., to solve the REM problem). Once such a result is at hand, the next step would be to look for solid instances of REM that could be used for secure key generation.
All authors contributed equally to this survey, searching for related results, selecting relevant information and writing and reviewing the draft.
This research was funded by NATO Science for Peace and Security Programme, grant number G5448 and by MINECO under Grant MTM2016-77213-R.
Persichetti, E. Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment. Cryptography 2018, 2, 30.
Hoffstein, J.; Howgrave-Graham, N.; Pipher, J.; Whyte, W. Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign. In The LLL Algorithm: Survey and Applications; Nguyen, P.Q., Vallée, B., Eds.; Information Security and Cryptography; Springer: Berlin, Germany, 2010; pp. 349–390.
Jalali, A.; Azarderakhsh, R.; Kermani, M.M.; Campagna, M.; Jao, D. Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors. IACR Cryptol. ePrint Arch. 2019, 2019, 331.
Garber, D. Braid Group Cryptography; World Scientific: Singapore, 2007.
Anshel, I.; Anshel, M.; Goldfeld, D. An algebraic method for public-key cryptography. Math. Res. Lett. 1999, 6, 287–292.
Ko, K.; Lee, S.; Cheon, J.; Han, J.; Kang, J.; Park, C. New Public-Key Cryptosystem using Braid Groups. In Advances in Cryptology, Proceedings of CRYPTO 2000; Lecture Notes in Computer Science; Springer: Santa Barbara, CA, USA, 2000; Volume 1880, pp. 166–183.
Birman, J.; Gebhardt, V.; González-Meneses, J. Conjugacy in Garside groups I: Periodic braids. J. Algebra 2007, 2, 746–776.
Katz, J. Digital Signatures; Springer: Berlin, Germany, 2010.
Goldwasser, S.; Bellare, M. Lecture Notes on Cryptography; MIT: Hong Kong, China, 2001.
Anshel, I.; Anshel, M.; Goldfeld, D.; Lemieux, S. Key agreement, the Algebraic Eraser™, and Lightweight Cryptography. In Algebraic Methods in Cryptography; Contemp. Math.; American Mathematical Society: Providence, RI, USA, 2006; Volume 418, pp. 1–34.
Birman, J.S.; Cannon, J. Braids, Links, and Mapping Class Groups; Annals of Mathematics Studies; Princeton University Press: Princeton, NJ, USA, 1974.
Artin, M. Algebra; Prentice Hall: Upper Saddle River, NJ, USA, 1991.
Birman, J.S.; Ko, K.H.; Lee, S.J. A new approach to the word and conjugacy problems in the braid groups. Adv. Math. 1998, 139, 322–353.
Morton, H.R. The multivariable Alexander polynomial for a closed braid. In Lower Dimensional Topology (Funchal, 1998); American Mathematical Society: Providence, RI, USA, 2006; Volume 233, pp. 167–172.
Hart, D.; Kim, D.; Micheli, G.; Pascual-Perez, G.; Petit, C.; Quek, Y. A Practical Cryptanalysis of WalnutDSA™. In Public-Key Cryptography, PKC 2018, Proceedings of the 21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018, Part I; Abdalla, M., Dahab, R., Eds.; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2018; Volume 10769, pp. 381–406.
Beullens, W.; Blackburn, S.R. Practical Attacks Against the Walnut Digital Signature Scheme. In Advances in Cryptology, ASIACRYPT 2018, Proceedings of the 24th International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, QLD, Australia, 2–6 December 2018, Part I; Peyrin, T., Galbraith, S.D., Eds.; Lecture Notes in Computer Science; Springer: Berlin, Germany, 2018; Volume 11272, pp. 35–61.
Merz, S.; Petit, C. Factoring Products of Braids via Garside Normal Form. In Public Key Cryptography (2); Lecture Notes in Computer Science; Springer: Berlin, Germany, 2019; Volume 11443, pp. 646–678.
Paris, L. Braid groups and Artin groups. arXiv 2007, arXiv:0711.2372 [math.GR].
Anshel, I.; Atkins, D.; Goldfeld, D.; Gunnells, P.E. Defeating the Hart et al., Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA™. IACR Cryptol. ePrint Arch. 2019, 2019, 472.
van Oorschot, P.C.; Wiener, M.J. Parallel Collision Search with Cryptanalytic Applications. J. Cryptol. 1999, 12, 1–28.
Kotov, M.; Menshov, A.; Ushakov, A. An attack on the Walnut digital signature algorithm. Des. Codes Cryptogr. 2019, 1–20.
The statements, opinions and data contained in the journal Symmetry are solely
those of the individual authors and contributors and not of the publisher and the editor(s).
MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.