The Cracking of WalnutDSA : A Survey

This paper reports on the Walnut Digital Signature Algorithm (WalnutDSA), an asymmetric signature scheme recently presented for standardization at the NIST call for post-quantum cryptographic constructions. WalnutDSA is a group-theoretical construction whose security relies on the hardness of certain problems related to an action of a braid group on a finite set. In spite of initially resisting the typical attacks that succeed against this kind of construction, different loopholes were soon identified that rendered the proposal insecure (and, finally, resulted in it being excluded from Round 2 of the NIST competition). Some of these attacks are related to the well-structured and symmetric masking of certain secret elements during the signing process. We explain the design principles behind this proposal and survey the main attack strategies that have succeeded, contradicting its claimed security properties, as well as the recently proposed ideas aimed at overcoming these issues.


Introduction
The (seemingly close) advent of quantum computing is urging the cryptographic community to search for new constructions that may withstand attacks arising from this new computing paradigm. Post-quantum cryptography is a fast-growing research area in which tools are designed for a scenario where honest users are restricted to classical computation, while the adversary may eventually have access to quantum computing resources. The American National Institute of Standards and Technology (NIST) initiated in December 2016 "a process to develop and standardize one or more additional public-key cryptographic algorithms [...] that are capable of protecting sensitive government information well into the foreseeable future, including after the advent of quantum computers" (see [1]).
The Walnut Digital Signature Algorithm (WalnutDSA) was one of the 20 public key signature schemes presented for standardization at the recent NIST call for post-quantum cryptographic constructions. Different mathematical objects were used in these proposals, such as lattice theory, coding theory and algebraic geometry (see, for instance, [2][3][4]) and, in the case of WalnutDSA, braid groups. After a first round of evaluations, only nine of these proposals remained under consideration. WalnutDSA failed to enter the second round, mostly due to a number of attacks that were reported during the one-year evaluation phase.
While it is not unusual for post-quantum cryptographic proposals to lack a formal security evaluation within the theoretical framework known as provable security, the lack of a rigorous security analysis of WalnutDSA has been particularly damaging for the scheme's credibility. In particular, it makes it difficult to identify the critical points that an implementation must protect. As a result, ad hoc fixes have been proposed by the scheme designers after each published attack. Nevertheless, the effectiveness of these fixes is hard to judge. Moreover, the actual hardness of the underlying mathematical

Braid Group Cryptography
Cryptography based on braid groups was born almost 20 years ago and attracted plenty of attention from group theorists as well as from the cryptographic community. The reasons for this are diverse: the schemes were mathematically appealing, and the constructions were likely to be efficient enough to be practical. Unfortunately, many problems were brought to light after a thorough scrutiny carried out by pure mathematicians and cryptographers. In this section, we briefly review two of the most prominent proposals within this area and refer the interested reader to the survey on the topic by David Garber [5].

Cryptographic Constructions Using Braid Groups
The two flagship proposals made for deriving cryptographic constructions using braid groups are a key exchange protocol and a public key encryption scheme.
In 1999, Anshel, Anshel, and Goldfeld [6] introduced a generic two-party key establishment protocol. Their presentation could be translated into various implementations with different algebraic structures as a base (and, of course, different security levels). The one using braid groups attracted the most attention. The security of this construction relied on the hardness of the so-called multiple simultaneous conjugacy search problem (see below) in the braid group.
Later, at CRYPTO 2000, Ko et al. [7] put forward a braid-based version of the Diffie-Hellman two-party key exchange protocol, as well as an encryption scheme à la ElGamal derived from such a protocol. The main idea behind this construction is as follows. Fix a public braid $g$. Using this public information and exchanging messages through a public channel, two users may establish a shared high-entropy secret. This secret is derived from a braid of the form $(ab)g(ab)^{-1}$, which is constructed by letting each user choose a secret conjugating element ($a$ and $b$, respectively) and publicly exchanging the elements $aga^{-1}$ and $bgb^{-1}$. For this idea to work, the conjugating braids $a$ and $b$ must commute. Furthermore, the hardness of the underlying conjugacy search problem (see below) in the braid group is crucial for the security of the scheme, since extracting $a$ or $b$ from the public messages $aga^{-1}$ and $bgb^{-1}$ is enough to deduce the exchanged key.

Computational Problems in Braid Groups
Many cryptographic proposals (like the ones mentioned above) based their security on computational problems related to the so-called conjugacy problem in $B_n$, the braid group on $n > 0$ strands. However, assuming that these problems are hard is not always reasonable. Indeed, efficient algorithms for special cases of these problems have been behind the cryptanalysis of most of the cryptographic proposals designed using braid groups. Some examples of such problems are:
• Conjugacy Decision Problem (CDP). Given $A, B \in B_n$, determine whether they are conjugate, i.e., whether there exists $X \in B_n$ such that $A = X^{-1}BX$.
• Conjugacy Search Problem (CSP). Given $A, B \in B_n$, known to be conjugate, compute $X \in B_n$ such that $A = X^{-1}BX$.
• Multiple Simultaneous Conjugacy Search Problem (MSCSP). Given $k$ pairs of elements $(U_i, W_i) \in B_n^2$ that are all conjugate with respect to the same braid, find such a conjugating braid, i.e., compute $X \in B_n$ such that $W_i = X^{-1} U_i X$ for all $i = 1, \ldots, k$.
• Decomposition Problem (DP). Let $G$ be a fixed subgroup of $B_n$. Given $A, B \in B_n$, find $X, Y \in G$ such that $B = XAY$.
• Root Extraction Problem (REP). For $A \in B_n$ and $r \in \mathbb{N}$ such that there exists $B \in B_n$ with $A = B^r$, compute such a braid $B$.
It is easy to see that there are close relations among the above problems. Let us focus on how to solve the CSP and the CDP. As explained in detail in [5], the basic idea that has proven most fruitful towards a solution for these two problems involves a set $I_A$ for each braid $A$ (typically a subset of the conjugacy class of $A$) that characterizes the conjugacy class (i.e., $A$ and $B$ are conjugate if and only if $I_A = I_B$). Furthermore, there should be an efficient algorithm to compute a representative $\hat{A} \in I_A$ together with a witness $X \in B_n$ such that $X^{-1}AX = \hat{A}$. Last, it should be possible to construct the full set $I_A$ in a finite number of steps, starting from any representative $\hat{A}$. Now, given two braids $A, B \in B_n$ specifying an instance of the CSP or the CDP, one should: (i) find representatives $\hat{A} \in I_A$ and $\hat{B} \in I_B$; (ii) compute elements of $I_A$ (storing the corresponding witnesses) until either (a) $\hat{B}$ is found as an element of $I_A$, proving $A$ and $B$ to be conjugate and providing a conjugating element, or (b) the entire set $I_A$ is constructed without finding $\hat{B}$, proving that $A$ and $B$ are not conjugate.
Several choices of the special sets $I_A$ can be found in the literature: summit sets, super summit sets, ultra summit sets, reduced super summit sets, etc. All of them are subsets of the conjugacy class of the corresponding braid $A$. Of course, choosing a simpler and smaller set results in a more efficient algorithm derived from the above strategy. Using the above technique and other sophisticated geometric techniques, Birman, Gebhardt, and González-Meneses [8] provided a polynomial-time algorithm to solve the CSP for the so-called periodic braids. Furthermore, the same authors proved that the problem would be solved for all instances if a polynomial-time algorithm for a special type of braid (rigid braids) were found.
However, not only full theoretical solutions to the conjugacy problems are of interest in the cryptographic context; indeed, heuristic algorithms with a significant success rate suffice to thwart the security of a scheme based on one of the above problems (we refer again to [5] for details). As a consequence, all cryptographic proposals built around the above problems are currently considered problematic.

Basics on Signature Schemes
In this section, we recall some basic concepts related to public key digital signature schemes and the assessment of provable security for these cryptographic tools. Many of the definitions below are taken from [9,10].

Definition 1.
A digital signature scheme is a triplet of algorithms $(G, \Sigma, V)$ where:
• $G$, the key generation algorithm, is a probabilistic algorithm that takes as input $1^\lambda$ (for a security parameter $\lambda \in \mathbb{N}$) and returns a pair $(pk, sk)$ of public and secret keys from a designated key space of polynomial size in $\lambda$.
• $\Sigma$, the signing algorithm, is a probabilistic algorithm that takes as input a message $m \in M_\lambda$ (for a fixed message space) and a secret key $sk$ and returns a signature $sig$ (also assumed to belong to a prescribed set of polynomial size in $\lambda$). Without loss of generality, we can assume that each $M_\lambda$ consists of bitstrings of polynomial size in $\lambda$; in the sequel, we often drop the subscript $\lambda$ for the sake of readability.
• $V$, the verification algorithm, is a deterministic algorithm that takes as input a signature $sig$, a message $m \in M_\lambda$, and a public key $pk$ and outputs a bit in $\{0, 1\}$, indicating whether $sig$ is a valid signature of $m$ with respect to $pk$.
Typically, a correctness requirement is imposed, establishing that $V$ outputs one when given a valid signature as input. The requirement that it output zero for an invalid signature is captured by the different definitions of security.

Security Notions for Signature Schemes
Prior to giving formal definitions of security notions, we informally list the adversarial goals and attack models, which attempt to capture the main attack strategies that should be prevented for each specific adversary. Let $\mathcal{A}$ denote a (probabilistic polynomial-time) adversary. We assume that $\mathcal{A}$ pursues one of the following adversarial goals:
• Universal Forgery (UF): $\mathcal{A}$ tries to produce a valid signature for any given message $m$.
• Existential Forgery (EF): $\mathcal{A}$ tries to produce a valid signature for some message $m$, not necessarily chosen by the adversary.
Similarly, in order to capture adversarial capabilities, we distinguish among the following attack models:
• No Message Attack (NMA): $\mathcal{A}$ only knows the public parameters (in particular, the public signing key).
• Random Message Attack (RMA): $\mathcal{A}$ is given signatures on a sequence of messages selected uniformly at random.
• Chosen Message Attack (CMA): $\mathcal{A}$ is given access to a signing oracle, which signs any message chosen by $\mathcal{A}$. Queries to this oracle can be adaptive, i.e., $\mathcal{A}$ may choose the next message based on the signatures obtained so far.
Formal security notions are introduced by combining adversarial goals and capabilities. For instance, a signature scheme is secure in the sense of UF-NMA if, for any probabilistic polynomial-time adversary $\mathcal{A}$ that has access only to public information (NMA), the probability that $\mathcal{A}$ succeeds in a UF attack is bounded by a negligible function of the security parameter. Other security notions are defined analogously; for instance, EUF-CMA captures the fact that a CMA adversary will not be able to produce an existential forgery. Now, we give precise definitions for the three security notions that are relevant throughout this work.

Definition 2.
A signature scheme $(G, \Sigma, V)$ with message space $M$ and security parameter $\lambda$ is said to be universally unforgeable under no-message attacks (UF-NMA) if, for any probabilistic polynomial-time adversary $\mathcal{A}$ and for all $m \in M$, the following holds:

Definition 3.
A signature scheme $(G, \Sigma, V)$ with message space $M$ and security parameter $\lambda$ is said to be universally unforgeable under random-message attacks (UF-RMA) if, for any probabilistic polynomial-time adversary $\mathcal{A}$ and for all $m \in M$, the following holds:
The above definition states that, when given a list of message-signature pairs in which the messages are selected uniformly at random, the adversary should still have only a negligible probability of constructing a new valid message-signature pair.

Definition 4.
A signature scheme $(G, \Sigma, V)$ with message space $M$ and security parameter $\lambda$ is said to be existentially unforgeable under adaptive chosen-message attacks (EUF-CMA) if, for any probabilistic polynomial-time adversary $\mathcal{A}$ with polynomially many queries to a signing oracle $\mathcal{O}_{sk}$ that produces valid signatures with respect to a certain secret key $sk$, the following holds:
In the above definition, the adversary is given access to a signing oracle that produces valid signatures with respect to the key pair under attack and faces the challenge of producing a valid signature for a message it has not queried. This model is particularly relevant for capturing malleability attacks, which exploit the possibility of deriving new valid signatures from legitimate ones.
The standard security definition for signature schemes is EUF-CMA, which is the strongest of the three notions we have introduced. More precisely, every EUF-CMA-secure scheme is UF-RMA-secure, and in turn, every UF-RMA-secure scheme is UF-NMA-secure.

Scheme Description
In this section, we describe the Walnut Digital Signature Algorithm (WalnutDSA) introduced in [11]. This construction relies on certain computational properties of nonlinear operations in the Artin braid group $B_N$ [12], combined with operations in $GL_N(\mathbb{F}_q)$, the group of non-singular $N \times N$ matrices with entries in the finite field $\mathbb{F}_q$ with $q$ elements.
Informally, in WalnutDSA the message to be signed is hashed and encoded as a braid in $B_N$ (see Section 4.1). The private key consists of a pair of braids, while an ordered set of $N$ elements of $\mathbb{F}_q$ and a pair of elements of the set $GL_N(\mathbb{F}_q) \times S_N$ form the public key (as usual, $S_N$ is the group of permutations of $\{1, 2, \ldots, N\}$). Key generation is described in detail in Section 4.2. In order to render brute-force attacks ineffective, the key space is made sufficiently large by choosing $N \ge 8$ and $q \ge 32$. A signature is built from the encoded message, the private key braids, and two additional braids used to obscure the private key. Valid signatures must satisfy a certain equation involving the public key, the encoded message, and E-multiplication, a group-theoretic one-way function introduced in [13]. All these algorithms are precisely described in Section 4.3. Let us start here by describing the mathematical ingredients needed to understand them.

Message Encoding
WalnutDSA encodes messages as elements of the Artin braid group, which is a convenient algebraic and computational setting.

Braids
Informally, the braid group on $N$ strands, $B_N$, is a non-Abelian group whose elements can be described as configurations of $N$ non-intersecting vertical or horizontal strands in three-dimensional space, with their ends fixed on two parallel disks. Moreover, the strands flow in one direction without turning back, so that any plane parallel to the disks intersects each strand exactly once. Multiplication of two braids is defined as concatenation of strands, and two braids are considered equal if one can be continuously transformed into the other, keeping the ends fixed and without letting the strands intersect.
More precisely, the braid group on $N$ strands is defined as follows [12]. For $N \ge 2$, $B_N$ is the group generated by the Artin generators $\{b_1, b_2, \ldots, b_{N-1}\}$, subject to the relations (1): The Artin generator $b_i$ represents the braid in which the $i$-th strand crosses over the $(i+1)$-th strand.
The relation between $b_i$ and $b_{i+1}$ corresponds to moving the $i$-th strand over the crossing of the $(i+1)$-th and $(i+2)$-th strands, and the relations $b_i b_j = b_j b_i$ for $|i - j| \ge 2$ correspond to the fact that crossings that do not share strands commute. Any braid $b \in B_N$ can be expressed as a product of the Artin generators and their inverses, that is, in the form (2), with indices $1 \le i_n \le N-1$ and exponents $e_n \in \{-1, 1\}$. Clearly, the expression for $b$ is not unique, since applying (1) yields infinitely many equivalent expressions. Let $S_N$ be the symmetric group of degree $N$. There exists a group homomorphism $\sigma : B_N \to S_N$ defined as follows: each Artin generator $b_i$ is mapped to the transposition of $S_N$ that interchanges the $i$-th and the $(i+1)$-th elements of $\{1, 2, \ldots, N\}$ and leaves the rest fixed. Notice that these transpositions satisfy the relations (1). Hence, for any braid $b \in B_N$ as in (2), $\sigma_b$ is the product of the corresponding transpositions. If $\sigma_b$ is the identity element of $S_N$, then $b$ is called a pure braid. In other words, a braid is pure if and only if it lies in the kernel of $\sigma$.

Encoding
WalnutDSA requires the permutation linked to each encoded message to be the identity. Thus, the encoded message must be a pure braid.
The encoding algorithm utilizes the following collection of pure braids: This collection of pure braids generates a free subgroup of $B_N$ [14], that is, the set of products of the $g_{N,i}$, $1 \le i \le N-1$, satisfies no relations except those implied by the group axioms (see, e.g., Chapter 7). Any subset of the above collection of pure braids also generates a free subgroup. Let $m \in \{0, 1\}^*$ be a message, and let $H : \{0, 1\}^* \to \{0, 1\}^{4\ell}$, $\ell \ge 1$, denote a cryptographically secure hash function. Fix any four generators $g_{N,j_1}, g_{N,j_2}, g_{N,j_3}, g_{N,j_4}$, and denote by $C_{N,4}$ the free subgroup generated by them. Define the encoding function $E : \{0, 1\}^{4\ell} \to C_{N,4}$ as follows. The hashed message $H(m)$ is broken into 4-bit blocks. For the $k$-th block, the first two bits determine a generator $g_{N,j_{n_k}}$, $1 \le n_k \le 4$, and the next two bits determine an integer $1 \le p_k \le 4$. The resulting braid is then written in its reduced form, that is, products of a generator and its inverse are erased from the braid (see [16,17] for examples of reduction algorithms). This encoding algorithm ensures that each message is mapped to a unique reduced element of the free subgroup generated by $g_{N,j_1}, g_{N,j_2}, g_{N,j_3}, g_{N,j_4}$.

Key Generation
The security of WalnutDSA relies on E-multiplication, a function that maps braids in $B_N$ to elements of the set $GL_N(\mathbb{F}_q) \times S_N$. This mapping is based on the colored Burau representation of $B_N$. We provide some preliminaries before describing the public and private keys of WalnutDSA.

Colored Burau Representation of the Braid Groups
Let $L_{\mathbb{F}_q} \equiv L_{\mathbb{F}_q}[t_1, t_2, \ldots, t_N]$ denote the ring of Laurent polynomials in the variables $t_1, t_2, \ldots, t_N$ with coefficients in $\mathbb{F}_q$, that is, For each Artin generator, we define the following $N \times N$ matrices [18]: where $I_n$ is the identity matrix of size $n \times n$ and $0$ is the zero matrix of the adequate size.
The product of $(A, \pi)$ and $(B, \tau)$ in $GL_N(L_{\mathbb{F}_q}) \times S_N$ is defined as: The elements of $GL_N(L_{\mathbb{F}_q}) \times S_N$ form a group under this product operation. Now, we define the colored Burau representation $\Pi_{CB}$: and, for all $b_i$ and $b_j$, $1 \le i, j \le N-1$, More generally, for any braid $b \in B_N$ as in (2), It can be verified that $\Pi_{CB}$ preserves the braid relations (1) and is therefore a homomorphism; hence, it defines a representation of $B_N$.

E-Multiplication
Key generation in WalnutDSA is based on E-multiplication, a group-theoretic one-way function introduced in [13]. Here, we recall its definition.
Fix a finite field $\mathbb{F}_q$ and a set of $N$ non-zero elements of $\mathbb{F}_q$, $T = \{y_1, y_2, \ldots, y_N\} \subset \mathbb{F}_q$.
For every $M \in GL_N(L_{\mathbb{F}_q})$, we define: Now, we define E-multiplication.
Definition 5. E-multiplication, denoted by $\star$, is a right action of the group $\Pi_{CB}(B_N)$ on the set $GL_N(\mathbb{F}_q) \times S_N$, defined inductively as follows.
More generally, for any braid $b \in B_N$ as in (2), where the operations are performed from left to right. Furthermore, for convenience, we write $(M, \pi) \star b$ instead of $(M, \pi) \star \Pi_{CB}(b)$.

Key Generation Mechanism
The signer's private key consists of two random braids $s_1$ and $s_2$, written in reduced form, such that $s_1$, $s_2$, and $s_1 s_2$ are not pure braids. No further prerequisites were made explicit in the original proposal of WalnutDSA.
Let $b \in B_N$ be a braid and $T \subset \mathbb{F}_q$ a fixed set of $N$ non-zero elements. Define $P(b) = (I_N, \iota_N) \star b$, where $I_N$ is the identity $N \times N$ matrix and $\iota_N \in S_N$ is the identity permutation. The signer's public key consists of $P(s_1)$ and the matrix component of $P(s_2)$, denoted by $\mathrm{mat}(P(s_2))$.

Signature Generation and Verification
We now describe WalnutDSA in detail.

Cloaking Elements
First, we discuss elements of the subgroup of pure braids that essentially disappear when performing E-multiplication. The purpose of these elements is to cloak, or hide, the private key used to construct the signature.
Definition 6. Let $(M, \pi) \in GL_N(\mathbb{F}_q) \times S_N$, and let $T$ be a fixed set of $N$ non-zero elements of $\mathbb{F}_q$. A pure braid $v \in B_N$ is called a cloaking element of $(M, \pi)$ if it leaves $(M, \pi)$ fixed under E-multiplication, that is, $(M, \pi) \star v = (M, \pi)$.
It is clear from this definition that the set of cloaking elements of $(M, \pi)$ depends on the set $T$. The existence of cloaking elements is established by the following proposition.
Proposition 1. Fix integers $N \ge 2$, $1 \le a, b \le N$, and a set of $N$ non-zero elements $T = \{y_1, y_2, \ldots, y_N\} \subset \mathbb{F}_q$ such that $y_a = y_b = 1$. Let $(M, \pi) \in GL_N(\mathbb{F}_q) \times S_N$, let $b_i$, $1 \le i \le N-1$, be an Artin generator of $B_N$, and let $w \in B_N$ be such that $\pi\sigma_w(i) = a$ and $\pi\sigma_w(i+1) = b$. Then the following braid is a cloaking element of $(M, \pi)$:
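The following Python program is an added example; it is not code from this paper, from [11], or from the WalnutDSA designers. It makes the objects of Sections 4.1 and 4.2 concrete for small parameters: braid words over the Artin generators, the permutation $\sigma_b$ and the pure-braid test, E-multiplication (Definition 5) through the colored Burau matrices, the map $P(b) = (I_N, \iota_N) \star b$ and the public key $(P(s_1), \mathrm{mat}(P(s_2)))$, the encoding $E(H(m))$ over the pure braids $g_{N,i}$, the relation $P(s_1) \star sig = P(E(H(m))) \star s_2$ of Section 5.3, and the cloaking elements of Proposition 1. Several formulas did not survive on this page, so the following are this example's assumptions, taken from the standard definitions rather than from the text: the colored Burau matrix of $b_i$ is the identity except for row $i$, which holds $(t_i, -t_i, 1)$ in columns $i-1, i, i+1$ (and $(1, -t_{i+1}^{-1}, t_{i+1}^{-1})$ for $b_i^{-1}$); the action renames $t_j$ to $t_{\pi(j)}$ before evaluating at $T$ and composes permutations right-to-left; $g_{N,i} = b_{N-1} \cdots b_{i+1} b_i^2 b_{i+1}^{-1} \cdots b_{N-1}^{-1}$; the cloaking element of Proposition 1 is $w b_i^2 w^{-1}$; the encoded message is the product of the selected $g_{N,j}^{p_k}$; and SHA-256 stands in for $H$. All function names are the example's own.

```python
# Added example (not the paper's or the WalnutDSA designers' code): braid words,
# E-multiplication and cloaking elements over a small prime field.
# A braid word is a list of non-zero ints: +i is the Artin generator b_i, -i is b_i^{-1}.
import hashlib

Q = 2**31 - 1   # prime field size mentioned on the page for 128-bit security

def braid_perm(word, N):
    """sigma_b in S_N as a tuple with perm[j-1] = sigma_b(j); sigma_{uv}(j) = sigma_u(sigma_v(j))."""
    perm = list(range(1, N + 1))
    for g in word:
        i = abs(g)
        perm[i - 1], perm[i] = perm[i], perm[i - 1]   # compose with the transposition (i, i+1)
    return tuple(perm)

def is_pure(word, N):
    return braid_perm(word, N) == tuple(range(1, N + 1))

def colored_burau(i, sign, t, N, q):
    """CB(b_i^sign) over F_q with its single Laurent variable set to t. Assumed standard form:
    identity except row i, which is (t_i, -t_i, 1) for b_i and (1, -1/t_{i+1}, 1/t_{i+1}) for b_i^{-1}."""
    A = [[int(r == c) for c in range(N)] for r in range(N)]
    r = i - 1
    if sign > 0:
        row = {r - 1: t % q, r: (-t) % q, r + 1: 1}
    else:
        inv = pow(t, -1, q)                       # T has only non-zero entries, so t is invertible
        row = {r - 1: 1, r: (-inv) % q, r + 1: inv}
    A[r] = [row.get(c, 0) for c in range(N)]
    return A

def matmul(A, B, q):
    N = len(A)
    return [[sum(A[r][k] * B[k][c] for k in range(N)) % q for c in range(N)] for r in range(N)]

def e_mult(state, word, T, q):
    """Right action (M, pi) * b of Definition 5. T[j-1] is y_j. Before each multiplication the
    variable t_j of the generator's matrix is renamed to t_{pi(j)} and evaluated at y_{pi(j)}."""
    M, perm = [row[:] for row in state[0]], list(state[1])
    N = len(M)
    for g in word:
        i, sign = abs(g), (1 if g > 0 else -1)
        var = i if sign > 0 else i + 1            # CB(b_i) involves t_i, CB(b_i^{-1}) involves t_{i+1}
        t = T[perm[var - 1] - 1]
        M = matmul(M, colored_burau(i, sign, t, N, q), q)
        perm[i - 1], perm[i] = perm[i], perm[i - 1]
    return M, tuple(perm)

def identity_state(N):
    return [[int(r == c) for c in range(N)] for r in range(N)], tuple(range(1, N + 1))

def P(word, T, q):
    """P(b) = (I_N, iota_N) * b, the map used for key generation."""
    return e_mult(identity_state(len(T)), word, T, q)

def inverse_word(word):
    return [-g for g in reversed(word)]

def free_reduce(word):
    """Erase adjacent pairs b_i b_i^{-1} / b_i^{-1} b_i (the 'reduced form' of the encoding)."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def pure_generator(N, i):
    """g_{N,i} = b_{N-1} ... b_{i+1} b_i^2 b_{i+1}^{-1} ... b_{N-1}^{-1} (assumed form): a pure braid."""
    w = list(range(N - 1, i, -1))
    return w + [i, i] + inverse_word(w)

def encode(msg, N, js=(1, 2, 3, 4)):
    """E(H(m)) with H = SHA-256 (stand-in): per 4-bit block, two bits pick g_{N,j_n} and two bits
    pick the power p in 1..4; the product of the g_{N,j_n}^p is returned freely reduced."""
    word = []
    for byte in hashlib.sha256(msg).digest():
        for nib in (byte >> 4, byte & 15):
            n, p = nib >> 2, (nib & 3) + 1
            word += pure_generator(N, js[n]) * p
    return free_reduce(word)

def keygen(s1, s2, T, q):
    """Private key (s1, s2), none of s1, s2, s1*s2 pure; public key P(s1) and mat(P(s2))."""
    N = len(T)
    assert not (is_pure(s1, N) or is_pure(s2, N) or is_pure(s1 + s2, N))
    return P(s1, T, q), P(s2, T, q)[0]

def holds_eq3(pk_s1, sig, enc, s2, T, q):
    """Relation (3) of Section 5.3: P(s1) * sig == P(E(H(m))) * s2, enc being the pure message braid."""
    return e_mult(pk_s1, sig, T, q) == e_mult(P(enc, T, q), s2, T, q)

def cloaking_element(w, i):
    """Proposition 1 (assumed explicit form): v = w b_i^2 w^{-1}, a pure braid."""
    return list(w) + [i, i] + inverse_word(w)
```

Because the defining formulas are assumptions, the useful checks are consistency ones: the action must respect the braid relations $b_1 b_2 b_1 = b_2 b_1 b_2$ and $b_1 b_3 = b_3 b_1$, $b_i$ followed by $b_i^{-1}$ must return to the starting pair, every encoded message must be pure, and a cloaking element built as in Proposition 1 must leave $(M, \pi)$ unchanged exactly when $y_a = y_b = 1$ (changing $y_a$ to a different non-zero value breaks it, which is why Proposition 1 needs that hypothesis).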

Factoring Attacks
The essential idea behind these attacks is to forge a signature for any given message $m$ by solving a factorization problem in groups, defined as follows.
Definition 7 (Factorization problem in groups). Let $G$ be a group, let $\Gamma = \{g_1, \ldots, g_\gamma\}$ be a generating set for $G$, and let $h \in G$. Find an integer $L$ and sequences $(k_1, \ldots, k_L) \in \{1, \ldots, \gamma\}^L$ and $(\varepsilon_1, \ldots, \varepsilon_L) \in \{\pm 1\}^L$ such that $h = g_{k_1}^{\varepsilon_1} g_{k_2}^{\varepsilon_2} \cdots g_{k_L}^{\varepsilon_L}$.
A solution to a specific instance of this problem has been exploited by several authors [19,20] to construct a new valid signature from several valid signatures, thereby violating UF-CMA. More precisely, Hart et al. presented in [19] an efficient method to compute, given a couple of signatures on random messages, a new signature on an arbitrary message. However, these forged signatures were significantly longer than those constructed by the honest signer. The design of WalnutDSA was modified by its authors in order to defeat this attack, yet a refinement of the method, presented in Section 3 of [20], rendered this modification insufficient.

Factoring for Universal Forgeries: The Attacks by Hart et al., and by Beullens and Blackburn
The strategy behind [19] allows for constructing a valid signature for any arbitrary message $m$ (and is thus a universal forgery). More precisely, Proposition 4 in [19] states that, given a finite set $S$ of signatures $s_i$ on messages $m_i$, $i \in I$: and taking $g_i$ as the matrix part of $P(E(H(m_i)))$ for all $i \in I$, if the matrix part $h$ of $P(E(H(m)))$ can be factored with respect to the generating set $\{g_i \mid i \in I\}$, then constructing the very same word with each $g_i$ replaced by the corresponding signature braid $s_i$ from $S$ yields a valid signature for $m$. Beullens and Blackburn explained how to exploit this malleability property through the following simple theorem.
Theorem 1 (Theorem 1 from [20]). Consider the version of WalnutDSA in which $s_1 = s_2$. Suppose $m, m_1, m_2$ are three messages. Let $h, h_1, h_2$ be the matrix parts of $P(E(H(m)))$, $P(E(H(m_1)))$, $P(E(H(m_2)))$, respectively. Then:
1. If $h = h_1^{-1}$ and $sig_1$ is a valid signature for $m_1$, then $sig_1^{-1}$ is a valid signature for $m$.
2. If $h = h_1 \cdot h_2$ and $sig_1, sig_2$ are valid signatures for $m_1$ and $m_2$, respectively, then $sig_1 \cdot sig_2$ is a valid signature for $m$.
However, the above result is only valid if the secret braids $s_1$ and $s_2$ coincide, which was only the case in the first versions of the proposal [11]. All in all, a simple variant of the above theorem, presented in [20], shows that choosing $s_1 \neq s_2$ does not remove the strong malleability inherent to WalnutDSA.
Theorem 2 ([20]). Suppose $m, m_1, m_2$ are three messages. Let $h, h_1, h_2$ be the matrix parts of $P(E(H(m)))$, $P(E(H(m_1)))$, $P(E(H(m_2)))$, respectively. Let $s_1, s_2, s_3 \in B_N$ be three braids. Then:
1. If $h = h_1^{-1}$ and $sig_1$ is a valid signature for $m_1$ under the public key $(P(s_1), P(s_2))$, then $sig_1^{-1}$ is a valid signature for $m$ under the public key $(P(s_2), P(s_1))$.
2. If $h = h_1 \cdot h_2$ and $sig_1, sig_2$ are valid signatures for $m_1$ and $m_2$ under the public keys $(P(s_1), P(s_2))$ and $(P(s_2), P(s_3))$, respectively, then $sig_1 \cdot sig_2$ is a valid signature for $m$ under the public key $(P(s_1), P(s_3))$.
Note that the above theorems do not impose a practical restriction on the forged message $m$, since suitable $m_1, m_2$ can be constructed for any $m$ in order to mount the UF attack. Still, the forged signatures obtained through these factoring strategies are many orders of magnitude longer than legitimate signatures; thus, imposing length limits on the output signatures (as the authors did in the implementation submitted to the NIST PQC standardization call) is enough to dodge these attacks.

Factoring Using the Garside Normal Form
Recently, in [21], it was noticed that whenever a product of braids $ABC \in B_N$ is represented in Garside normal form, parts of the corresponding normal forms of the individual factors $A$, $B$, and $C$ are relatively easy to extract. In particular, the authors of [21] presented an algorithm for recovering, given $B$, elements $A$ and $C$ such that: Note that the center of the group $B_N$ is the cyclic group generated by the square of Garside's fundamental braid $\Delta$, which is the only positive braid in which any two strands cross exactly once (see [14,22] for a classical introduction and a comprehensive survey on braid groups). This decomposition strategy allows for constructing a universal forgery, as stated in the following result:
Note that, since the replaced braids $W_1$ and $W_2$ are in principle independent of the message $m$, the forged signature need not be longer than a legitimate signature. Furthermore, the complexity of this procedure is essentially that of computing Garside normal forms, which can be done in time $O(k^2 N)$, where $k$ is the number of Artin generators in the word encoding the input braid.
Furthermore, this method does not involve the colored Burau representation used in the implementation of WalnutDSA at all; thus, it cannot be prevented by modifying the size of the underlying finite field. The authors of this cryptanalysis suggest that the only way to dodge this attack is to add many concealed cloaking elements to the encoding, which has a significant cost both in signature length and in computing time for signature generation. In [23], the authors of the scheme claimed to have experimentally demonstrated that inserting cloaking elements every 7-12 generators into the braid $E(H(m))$ blocks this attack. However, no details were given on how this strategy was theoretically or empirically assessed.

Collision Attacks
Imposing implicit limits on the output signature sizes is indeed a valid strategy for preventing factoring attacks, as was promptly noticed by the authors of WalnutDSA. However, in Section 4 of [20], it was demonstrated that a simple collision method makes it possible to compute short forged signatures, although not on arbitrary messages.
In Section 4 of [20], it was observed that if there exist two messages $m_1, m_2$ such that $P(E(H(m_1))) = P(E(H(m_2)))$, then a valid signature for $m_1$ is valid for $m_2$ and vice versa. Breaking the EUF-CMA security notion (see Definition 4) is then as simple as finding two such messages $m_1$ and $m_2$, since an adversary could query a signature for $m_1$ and thereby obtain a signature for $m_2$.
A generic collision attack is expected to require $|P(E(\{0,1\}^*))|^{1/2}$ evaluations of the function $P \circ E$. In order to evaluate the feasibility of this attack, it is necessary to estimate the size $|P(E(\{0,1\}^*))|$. The authors of WalnutDSA considered $q^{N(N-3)} \cdot N!$ a conservative lower bound for the number of values of $P$. For the 128-bit and 256-bit security levels, these values were $2^{216}$ and $2^{336}$, respectively, so a collision is expected after $2^{108}$ and $2^{168}$ evaluations of $P \circ E$. Hence, a generic collision attack is not practical.
In [20], it was shown (by means of computer experiments) that $|P(E(\{0,1\}^*))|$ is at most $q^{13}$ (the image lies in an affine subspace over $\mathbb{F}_q$), so a collision is expected after $q^{13/2}$ evaluations of $P \circ E$. With this new estimate, $2^{32.5}$ and $2^{52}$ evaluations of $P \circ E$ are necessary for the 128-bit and 256-bit security levels, respectively. Therefore, the collision attack is practical in this case.
In order to implement this attack, the authors used a generic collision-finding algorithm: the distinguished point algorithm of van Oorschot and Wiener [24].
This algorithm finds collisions in any function $f : S \to S$ that behaves like a random function [24]. The time complexity for finding a single collision is $O(\sqrt{|S|})$. A distinguished point is an element of $S$ satisfying some easily testable property (e.g., a fixed number of leading zero bits). The distinguished point algorithm selects a starting point $x_0 \in S$ at random and produces a chain of points $x_i = f(x_{i-1})$ for $i = 1, 2, \ldots$ until a distinguished point is reached. Then, the starting point $x_0$, the distinguished point $x_k$, and the length $k$ of the chain are stored. It is expected that after $O(\sqrt{|S|})$ evaluations the current chain will collide with one of the stored chains; following the chain from the collision point, the same distinguished point is reached, which is how the collision is detected.
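The distinguished point method just described, as an added example that is not code from [20] or [24]. It runs on a constructed toy function on 24-bit values (standing in for $g \circ P \circ E$), stores only one (starting point, chain length) entry per distinguished point rather than every point visited, and, once two chains end at the same distinguished point, locates the actual colliding pair by aligning the two chains and stepping them in lockstep. The parameter names and the toy function are this example's own.

```python
# Added example (not from [20] or [24]): van Oorschot-Wiener distinguished-point collision
# search on a constructed toy function f: S -> S with |S| = 2^BITS, standing in for g o P o E.
import hashlib
import random

BITS = 24        # |S| = 2^24: a collision is expected after roughly sqrt(|S|) = 2^12 evaluations
DP_BITS = 6      # a point is "distinguished" when its low 6 bits are zero (chains of ~64 steps)

def toy_f(x, bits=BITS):
    """Constructed random-looking function on S = {0, ..., 2^bits - 1}: truncated SHA-256."""
    h = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big") & ((1 << bits) - 1)

def is_distinguished(x, dp_bits=DP_BITS):
    return x & ((1 << dp_bits) - 1) == 0

def walk_to_dp(f, x0, max_len):
    """Follow x_i = f(x_{i-1}) until a distinguished point. Returns (dp, length), or None when the
    chain runs into a cycle without a distinguished point (such a chain is abandoned)."""
    x, n = x0, 0
    while not is_distinguished(x):
        if n >= max_len:
            return None
        x, n = f(x), n + 1
    return x, n

def locate(f, x0, n0, y0, n1):
    """Two chains reach the same distinguished point after n0 and n1 steps. Align them at the
    same distance from it, then step in lockstep until the successors agree: the two current
    points are then distinct with the same image. Returns None if one chain merely joined the other."""
    x, y = x0, y0
    for _ in range(n0 - n1):
        x = f(x)
    for _ in range(n1 - n0):
        y = f(y)
    if x == y:
        return None
    while f(x) != f(y):
        x, y = f(x), f(y)
    return x, y

def find_collision(f, bits=BITS, seed=7):
    """Returns ((x, y), evaluations) with x != y and f(x) == f(y), where evaluations counts the
    chain-walking calls of f. Memory is one (start, length) entry per distinguished point."""
    rng = random.Random(seed)
    table = {}
    evals = 0
    while True:
        x0 = rng.randrange(1 << bits)
        res = walk_to_dp(f, x0, 20 << DP_BITS)
        if res is None:
            evals += 20 << DP_BITS
            continue
        dp, n = res
        evals += n
        if dp in table:
            y0, m = table[dp]
            pair = locate(f, x0, n, y0, m)
            if pair is not None:
                return pair, evals
        else:
            table[dp] = (x0, n)
```

With $|S| = 2^{24}$ the search finishes after a few thousand evaluations of the toy function, far below $|S|$; the same $\sqrt{|S|}$ scaling is what turns the $q^{13}$ image-size estimate above into the $2^{32.5}$ work factor reported for the 128-bit parameters.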
In [20], this algorithm was applied to the function $f = g \circ P \circ E$ instead of $f = P \circ E$, where $g$ is a function that crafts plausible messages from an output of $P$. However, no implementation or description of how to build the function $g$ was provided.
Using a standard PC, the algorithm found a collision after $2^{32.2}$ evaluations of $f$ ($2^{32.5}$ evaluations were expected). This took approximately one hour. The two messages found by the algorithm were $m_1$ = "I would like to receive 7181666883746416503free samples of delicious cookies" and $m_2$ = "I pledge to donate 3519533052089988469 USD to Ward Beullens".
In order to mitigate this practical attack, Beullens and Blackburn [20] recommended increasing $q$ to $q = 2^{20}$ and $q = 2^{40}$ to achieve the 128-bit and 256-bit security levels, respectively. With these new parameters, the public key is five times larger and the verification algorithm is 25 times slower at the 256-bit level.
A better mitigation of this attack is to change the encoding algorithm so that it outputs pure braids not restricted to the subgroup generated by $g_{N,1}, g_{N,2}, g_{N,3}$, and $g_{N,4}$. With this change, the collision attack would require $q^{((N-2)^2+1)/2}$ evaluations of $P \circ E$, and only a minor increase of the parameters is needed. It was pointed out in [20] that a 256-bit security level could be achieved by setting $q = 2^8$ and $N = 8$, making the key 50% larger and the signature 25% larger, and the verification algorithm two times slower.

Reversing E-Multiplication
A fundamental hard problem underlying the security of the Walnut signature scheme is to break the one-wayness of the function $P_T : B_N \to GL_N(\mathbb{F}_q) \times S_N$. Here, we write $P$ instead of $P_T$, with the understanding that the set $T \subset \mathbb{F}_q$ of non-zero elements is arbitrary but fixed.
More precisely, the underlying problem, reversing E-multiplication (REM), is defined as follows.
Observe that if brute force is used to solve the REM problem, it would take $O(|P(B_N)|)$ E-multiplications to find a solution, where $|P(B_N)|$ is the size of the orbit of $(I_N, \iota_N)$.
Recall that the private key consists of two braids $s_1, s_2 \in B_N$, and the corresponding public key consists of $P(s_1)$ and $\mathrm{mat}(P(s_2))$, the matrix component of $P(s_2)$. In [20], it was observed that a valid signature $sig$ for a message $m$ also satisfies:
$P(s_1) \star sig = P(E(H(m))) \star s_2$. (3)
Therefore, not knowing the permutation component of $P(s_2)$ poses no problem to the attacker, since it can be recovered from the permutation component of (3) without knowing the signed message (no-message attack). Indeed, since cloaking elements and $E(H(m))$ are required to be pure braids, we have: Once $\sigma_{s_2}$ has been computed, an attacker can solve two instances of the REM problem by finding two braids $s_1', s_2' \in B_N$ such that $P(s_1') = P(s_1)$ and $P(s_2') = P(s_2)$, which can then be used to sign any message (universal forgery). Hence, solving the REM problem means that UF-NMA security (Definition 2) can be violated.
In this section, we describe two algorithms proposed in [20] that solve the REM problem. The first algorithm is a generic birthday attack, while the second exploits the structure of the braid group B N and is more efficient than the first one.

Generic Birthday Attack
Given a pair (M, σ) ∈ GL_N(F_q) × S_N, if we can find two braids s_1, s_2 ∈ B_N such that: then the solution of the REM problem is s = s_2 s_1^{-1}. In [20], it was argued that a naive way of finding s_1 and s_2, by constructing tables with the values (M, σ) ⋆ s_1 and checking whether (I_N, ι_N) ⋆ s_2, for random s_2, lies in the table, would take O(√|P(B_N)|) E-multiplications, making this method more efficient than a brute-force approach. Nevertheless, the naive approach may require too much memory. This inconvenience can be circumvented by using a distinguished point algorithm (see Section 5.2). In this case, the algorithm is applied to the function: where b and s are hash functions that take elements in the orbit of (I_N, ι_N) as input and output a bit or a braid, respectively. The idea is to find collisions: Hence, if a collision is found such that b( . In this case, a solution of the REM problem is s( On the other hand, if b(x_1) = 0, then a solution of the REM problem is s(x_1) s(x_2)^{-1}. As noted in [23], this attack has exponential running time and can be thwarted by choosing appropriate parameters for WalnutDSA, namely N = 10, q = 2^{31} − 1 for 128-bit security and N = 10, q = 2^{61} − 1 for 256-bit security.

Subgroup Chain Attack
This attack exploits the fact that the restriction of P to pure braids is a group homomorphism, which maps the chain of subgroups: to a nice chain of subgroups of GL_N(F_q). Here, P_k denotes the intersection of the subgroup of pure braids in B_N with the subgroup generated by b_1, b_2, ..., b_{k−1}, that is, the subgroup of pure braids in which only the first k strands cross over each other. More precisely, for each 1 ≤ k ≤ N, P is a homomorphism from P_k into the subgroup: In contrast to the birthday attack, this method solves the REM problem for a pair (M, σ) ∈ GL_N(F_q) × S_N by finding, in iterative steps, a braid s ∈ B_N such that (M, σ) ⋆ s = (I_N, ι_N), as follows. First, choose any braid s' ∈ B_N such that σ_{s'} = σ^{-1}. Therefore, (M, σ) ⋆ s' = (M', ι_N) ∈ A_N × S_N. Next, find a pure braid s_N ∈ P_N such that (M_N, The iterative step consists of randomly choosing a target matrix M_i ∈ P(P_i) ∩ A_{i−1} and then finding a pure braid s_i ∈ P_i such that: Notice that in each iterative step the permutation component is ι_N, since s_i is a pure braid and thus σ_{s_i} = ι_N. This process yields a braid s = s' s_N s_{N−1} ⋯ s_2 such that (M, σ) ⋆ s = (I_N, ι_N). Then, the solution to the REM problem is s^{-1}.
In [20], it was pointed out that if M_i ∈ P(P_{i−1}) for some 2 ≤ i ≤ N, then it is not possible to complete the attack, and thus assuming: for each 2 ≤ i ≤ N guarantees that the attack will work. This assumption is not too restrictive, since it seems to hold for the proposed parameters of WalnutDSA. With (4) in mind, the i-th iterative step of this attack can be solved by performing a collision search in the space of cosets of A_{i−1} in A_{i−1} P(P_i), with a cost of |P(P_i)|/|P(P_{i−1})| E-multiplications (see Sections 5.2 and 5.3 of [20] for details).
In [20], the running time of this attack was estimated as q^{N/2−1} whenever E-multiplication uses the set of invertible elements T = {y_1, y_2, ..., y_N} ⊂ F_q with y_a = y_b = 1 for some 1 ≤ a, b ≤ N (see Section 4.2.2). It was noted in [23] that if y_a and y_b are chosen such that y_a · y_b = −1, then the running time of the attack increases to at least √x · q^{(N−1)/2}, where x = 60 for N = 8 and x = 96 for N = 10. Moreover, this attack is defeated by taking N = 10, q = 2^{31} − 1 for 128-bit security, and N = 10, q = 2^{61} − 1 for 256-bit security.
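The following Python script is an added example, not code from the survey or from the WalnutDSA proposal. It implements E-multiplication (written ⋆ above) through the colored Burau matrices for N = 8 and q = 2^{31} − 1, and checks on constructed data the structural facts that the REM discussion and the subgroup chain attack rely on: a pure braid acts with trivial permutation and P is multiplicative whenever the left factor is pure (the homomorphism behind the subgroup chain); a cloaking element of the form w b_i^2 w^{-1} leaves (M, σ) unchanged whenever the two strands it twists sit at the positions whose T-values equal 1; and, as a consequence, the permutation component of P(s_1) ⋆ sig in (3) is exactly σ_{s_2}, so publishing only mat(P(s_2)) hides nothing about that permutation. The T-values (with a = 1, b = 2), the secret braids, the pure braid standing in for E(H(m)) and the random search used to find cloaking elements are assumptions of this example, as is the toy signature shape with three cloaking elements (one for σ_{s_1}, one for the identity, one for σ_{s_2}) and no rewriting step.

```python
"""Toy E-multiplication for WalnutDSA-style braids over F_q.

Added example, not code from the survey or the WalnutDSA proposal. Braid
words are lists of signed ints (+i = b_i, -i = b_i^-1); a state is a pair
(M, sigma) with M an N x N matrix over F_q and sigma a tuple, sigma[j-1] =
sigma(j). One step follows the colored Burau rule
    (M, sigma) * b_i^e = (M . sigma(CB(b_i^e))|_T,  sigma o (i i+1)).
N = 8 and q = 2^31 - 1 are the survey's values; the T-values, secret
braids, encoded message and the positions a = 1, b = 2 are constructed.
"""
import random

N = 8
Q = 2**31 - 1
A_POS, B_POS = 1, 2  # constructed: the two T-values fixed to 1 (Section 4.2.2)

def identity():
    return [[int(r == c) for c in range(N)] for r in range(N)], tuple(range(1, N + 1))

def mat_mul(A, B):
    return [[sum(A[r][k] * B[k][c] for k in range(N)) % Q for c in range(N)] for r in range(N)]

def emul_gen(M, sigma, g, tau):
    """One E-multiplication step by generator g; the sign of g is the exponent."""
    i = abs(g)
    # Row i of sigma(CB(b_i^e)) evaluated at T; every other row is an identity
    # row, so M . X only mixes column i-1 of M into the result.
    row = [0] * N
    if g > 0:                          # CB(b_i): (t_i, -t_i, 1) in cols i-1, i, i+1
        t = tau[sigma[i - 1]]          # t_i is renamed t_{sigma(i)} before evaluating
        if i > 1:
            row[i - 2] = t
        row[i - 1], row[i] = (-t) % Q, 1
    else:                              # CB(b_i^-1): (1, -1/t_{i+1}, 1/t_{i+1})
        t_inv = pow(tau[sigma[i]], -1, Q)
        if i > 1:
            row[i - 2] = 1
        row[i - 1], row[i] = (-t_inv) % Q, t_inv
    newM = [[((m[c] if c != i - 1 else 0) + m[i - 1] * row[c]) % Q for c in range(N)] for m in M]
    new_sigma = list(sigma)
    new_sigma[i - 1], new_sigma[i] = sigma[i], sigma[i - 1]   # sigma o (i i+1)
    return newM, tuple(new_sigma)

def emul(state, word, tau):
    M, sigma = state
    for g in word:
        M, sigma = emul_gen(M, sigma, g, tau)
    return M, sigma

def P(word, tau):
    """The one-way function P(w) = (I_N, id) * w whose reversal is the REM problem."""
    return emul(identity(), word, tau)

def inverse(word):
    return [-g for g in reversed(word)]

def random_word(length, rng):
    return [rng.choice((-1, 1)) * rng.randint(1, N - 1) for _ in range(length)]

def make_tau(rng):
    """Constructed T-values: non-zero field elements, with t_a = t_b = 1."""
    tau = [None] + [rng.randrange(2, Q) for _ in range(N)]
    tau[A_POS] = tau[B_POS] = 1
    return tau

def cloaking_element(sigma, tau, rng, max_tries=20000):
    """Return v = w b_i^2 w^-1 with (M, sigma) * v == (M, sigma) for every M.

    b_i^2 evaluates to the identity matrix exactly when both strands it twists
    carry T-value 1 after the renaming by sigma o sigma_w; w^-1 then undoes w
    because E-multiplication is a group action. Found by random search over w.
    """
    for _ in range(max_tries):
        w = random_word(12, rng)
        _, s = emul((identity()[0], sigma), w, tau)
        for i in range(1, N):
            if tau[s[i - 1]] == 1 and tau[s[i]] == 1:
                return w + [i, i] + inverse(w)
    raise RuntimeError("no cloaking element found")

def make_signature(s1, s2, enc, tau, rng):
    """Toy signature v1 . s1^-1 . v . enc . s2 . v2 (enc stands for E(H(m)))."""
    v1 = cloaking_element(P(s1, tau)[1], tau, rng)
    v = cloaking_element(identity()[1], tau, rng)
    v2 = cloaking_element(P(s2, tau)[1], tau, rng)
    return v1 + inverse(s1) + v + enc + s2 + v2

def permutation_of_s2(pub_s1, sig, tau):
    """sigma_{s_2} read off a signature and the public P(s_1): it is the
    permutation part of P(s_1) * sig in equation (3), so publishing only
    mat(P(s_2)) hides nothing about the permutation of s_2."""
    return emul(pub_s1, sig, tau)[1]

def action_checks(seed=2):
    """E-multiplication is a right action: inverses cancel, braid relations hold."""
    rng = random.Random(seed)
    tau = make_tau(rng)
    w = random_word(15, rng)
    return (emul(P(w, tau), inverse(w), tau) == identity()
            and P([1, 2, 1], tau) == P([2, 1, 2], tau)
            and P([1, 3], tau) == P([3, 1], tau))

def demo(seed=1):
    rng = random.Random(seed)
    tau = make_tau(rng)
    s1, s2 = random_word(20, rng), random_word(20, rng)   # constructed secret key
    enc = [3, 3, -5, -5, 1, 1]                             # constructed pure braid for E(H(m))
    sig = make_signature(s1, s2, enc, tau, rng)
    pub_s1 = P(s1, tau)
    eq3 = emul(pub_s1, sig, tau) == emul(P(enc, tau), s2, tau)          # equation (3)
    pure_ok = (P(enc, tau)[1] == identity()[1]                           # pure => trivial perm
               and P(enc + s2, tau)[0] == mat_mul(P(enc, tau)[0], P(s2, tau)[0]))
    leak = permutation_of_s2(pub_s1, sig, tau) == P(s2, tau)[1]
    return eq3, pure_ok, leak

if __name__ == "__main__":
    print(action_checks(), demo())
```

Running the script prints `True (True, True, True)`: the action checks pass, equation (3) holds for the toy signature, the pure braid has trivial permutation with P multiplicative on it, and the permutation of s_2 is recovered from the signature and P(s_1) alone. The `cloaking_element` search makes the cloaking condition explicit rather than assumed: the b_i^2 factor collapses to the identity only because both twisted strands land on the two positions with T-value 1, which is the same structural property that the subgroup chain attack's choice of y_a, y_b and the parameter changes in [23] are about.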

Uncloaking Signatures
Kotov, Menshov, and Ushakov presented in [25] a powerful attack against WalnutDSA. It is a heuristic attack that works exclusively with braids and does not need to take E-multiplication into account. The authors reported experiments on one hundred random protocol instances with a 100% success rate. It is worth pointing out that the experiments were carried out for three different settings: the 128- and 256-bit security levels from the official specification [26] (where N = 8), and the 256-bit security version with N = 11 proposed in [27].
In a nutshell, the attack works as follows: an adversary that collects several arbitrary pairs of messages and valid signatures is able to compute an alternative secret key which, when used to sign any message, produces the same signature as the real secret key. This is therefore a very strong attack, as it violates a rather weak security notion for signatures (UF-RMA; see Definition 3): an adversary with access to signatures for random messages (not adversarially chosen) can produce a valid signature for any message of its choice, that is, it achieves a universal forgery.
Next, we provide a high-level description of the attack:

• Step 1. The attacker collects k pairs {(m_i, sig_i)}_{i=1}^{k}, where each sig_i is a valid signature for m_i computed with the same secret key (s_1, s_2). Each signature is a braid with the form: 2 are cloaking elements.

• Step 2. The attacker, using a heuristic procedure described in [25], is able to remove the cloaking elements from the signatures, that is, to compute the braids P_i = s_1^{-1} · E(H(m_i)) · s_2. It is worth pointing out that Kotov, Menshov, and Ushakov reported a high success rate for their uncloaking algorithm, close to 80% or 100% depending on the type of cloaking elements used (see Table 2).

• Step 3. The attacker computes the k − 1 products P_i P_{i+1}^{-1}. Note that these are: obtaining a system of conjugacy equations in B_N where only s_1 is unknown. In [25], another heuristic algorithm was developed to obtain a solution s'_1 of the system (not necessarily equal to s_1).

• Step 4. The attacker sets s'_2 = E(H(m_i))^{-1} s'_1 P_i for an i of its choice. Under certain conditions, (s'_1, s'_2) works as an alternative secret key to (s_1, s_2), in the sense that it produces a valid signature for any message. Moreover, as a braid word, this signature equals the one produced with the original key, which implies that the attack cannot be avoided by limiting the size of accepted signatures. In order to decide whether the alternative key (s'_1, s'_2) works as intended, Kotov, Menshov, and Ushakov generated signatures for 10 random messages and checked their validity.

Table 2. Success rates of the uncloaking algorithm of [25] on the three settings listed above. Cloaking elements of the form w b_i^{±2} w^{-1} (see [27]): 77%, 81%, 81%. Alternative proposed in [27], w b_i^{±4} w^{-1}: 97%, 98%, 100%.

In [25], a 100% success rate of the full attack was reported. One interesting fact is that the attack did not need many message/signature pairs to succeed: Kotov, Menshov, and Ushakov affirmed that, in all their experiments, six successfully uncloaked signatures were enough to obtain five conjugacy equations and a valid alternative secret key. Average running times for the full attack are shown in Table 3.

Table 3. Average running time (in seconds) for the full attack according to [25].

With respect to possible countermeasures against their attack, Kotov, Menshov, and Ushakov themselves made several proposals. The first is to artificially introduce many so-called critical letters into the secret braids (locating critical letters is one of the main ingredients of the uncloaking algorithm). In addition, they proposed using many more cloaking elements (around 30) on each side of the signature. Nevertheless, they pointed out that it is not even clear whether this measure would help, as it does not neutralize their attack [28] against Kayawood [29], another braid-based protocol. Finally, Kotov et al. recommended short conjugators for constructing cloaking elements, making them less visible.
The proponents of WalnutDSA recognized the weakness of their original implementation against the uncloaking attack and put forward in [23] a countermeasure against it. Namely, they introduced the concept of concealed cloaking elements and proposed adding six of them to the computation of each signature, which translates into a 6.7% increase in signature size. Kotov, Menshov, and Ushakov questioned the effectiveness of this approach in the NIST PQC project discussion forum [27], pointing out that their algorithms were designed assuming the existence of precisely three cloaking elements but could be modified to deal with more of them.

Final Remarks
WalnutDSA is a beautifully designed signature scheme, conceived in the remarkable mathematical setting of braid groups. Despite the inspiring ideas involved in the construction of this scheme, the many attacks explained in this survey demonstrate that there is still a long way to go before a suitable key generation/parameter selection process is identified. We believe that it will be rather difficult to fix the security problems described, which may be an unavoidable consequence of the adept and symmetric signature procedure. A formal security analysis, as well as a deeper understanding of the actual relation between the cryptanalytic goals and the affiliated mathematical problems, are essential ingredients for a secure implementation of WalnutDSA. A promising idea may be to start by identifying the concrete cost of a forgery. For instance, a first step would be to assess whether a forger can be used in a black-box manner to reverse the related E-multiplication procedure (i.e., to solve the REM problem). Once such a result is at hand, the next step would be to look for solid instances of REM that could be used for secure key generation.