An attack on the Walnut digital signature algorithm

In this paper, we analyze security properties of WalnutDSA, a digital signature algorithm recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnells that has been accepted by the National Institute of Standards and Technology for evaluation as a standard for quantum-resistant public-key cryptography. At the core of the algorithm is an action, named E-multiplication, of a braid group on a finite set. The protocol assigns a pair of braids to the signer as a private key. A signature of a message m is a specially constructed braid obtained as a product of the private keys, the hash value of m encoded as a braid, and three specially designed cloaking elements. We present a heuristic algorithm that allows a passive eavesdropper to recover a substitute for the signer's private key by removing the cloaking elements and then solving a system of conjugacy equations in braids. Our attack has a 100% success rate on randomly generated instances of the protocol. It works with braids only, and its success rate is not affected by the choice of the base finite field. In particular, it has the same 100% success rate for the updated parameter values (including a new way to generate cloaking elements; see the NIST Post-Quantum Cryptography Forum). Our implementation of the attack in C++, together with our implementation of the WalnutDSA protocol, is available on GitHub.
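The following is an added worked example, not code from the paper or from the WalnutDSA authors' implementation. It makes three things in the abstract concrete: E-multiplication as an action of the braid group on pairs (matrix, permutation), a cloaking element that leaves that action unchanged, and the conjugacy equation that is left in the unknown private braid once the cloaks are stripped from two signatures. The abstract does not spell out the representation, so everything below is this example's assumption: E-multiplication is realised through the colored Burau matrices over a toy prime field GF(P) with a vector T of field elements, a cloak has the shape w·σ_i²·w⁻¹ built around two positions whose T-value is 1, the cloak placement in `cloaked_signature` is this example's own, and N, P, T and the sample braid words are constructed toy values, not a real parameter set.

```python
# Added example, not code from the paper or from the WalnutDSA authors: E-multiplication
# realised through the colored Burau representation of the braid group B_N over a toy
# prime field, a cloaking element that vanishes under it, and the word-level conjugacy
# equation left after cloaks are removed from two signatures. The colored Burau form,
# the cloak shape w * sigma_i^2 * w^-1 (T-values equal to 1 at two positions) and all
# parameter values below are assumptions of this example; the page does not state them.

N = 6                 # number of braid strands (toy value, assumption)
P = 8191              # toy prime field GF(P) (assumption; not a real parameter set)
# One nonzero field element per strand; positions 0 and 1 hold 1 so that cloaks can
# be built around them (constructed sample values).
T = [1, 1, 17, 4242, 999, 5]

def identity_state():
    """Starting point (identity matrix, identity permutation) of E-multiplication."""
    return [[int(r == c) for c in range(N)] for r in range(N)], list(range(N))

def cb_matrix(gen, perm):
    """Colored Burau matrix of sigma_i (gen = i) or sigma_i^-1 (gen = -i), with the
    variable t_j evaluated at T[perm[j]] for the current permutation perm."""
    i = abs(gen)
    r = i - 1                                   # 0-indexed row that sigma_i changes
    m = [[int(a == b) for b in range(N)] for a in range(N)]
    if gen > 0:
        t = T[perm[r]]                          # t_i -> T_{perm(i)}
        if r > 0:
            m[r][r - 1] = t
        m[r][r], m[r][r + 1] = (-t) % P, 1
    else:
        t = pow(T[perm[r + 1]], P - 2, P)       # t_{i+1}^-1 -> T_{perm(i+1)}^-1
        if r > 0:
            m[r][r - 1] = 1
        m[r][r], m[r][r + 1] = (-t) % P, t
    return m

def matmul(a, b):
    return [[sum(a[r][k] * b[k][c] for k in range(N)) % P for c in range(N)]
            for r in range(N)]

def emult(state, word):
    """(M, perm) * word: right-multiply by each generator's twisted Burau matrix and
    compose the permutation with the transposition of strands i and i+1."""
    m, perm = [row[:] for row in state[0]], list(state[1])
    for g in word:
        m = matmul(m, cb_matrix(g, perm))
        r = abs(g) - 1
        perm[r], perm[r + 1] = perm[r + 1], perm[r]
    return m, perm

def inverse_word(word):
    return [-g for g in reversed(word)]

def free_reduce(word):
    """Cancel adjacent sigma_i sigma_i^-1 pairs only; no braid relations applied."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def word_with_permutation(target):
    """A positive braid word whose permutation, as tracked by emult, equals target."""
    cur, word = list(range(N)), []
    for k in range(N):
        j = cur.index(target[k])
        while j > k:                            # bubble target[k] left into slot k
            cur[j - 1], cur[j] = cur[j], cur[j - 1]
            word.append(j)                      # sigma_j swaps slots j-1 and j
            j -= 1
    return word

def cloak(perm, i=2):
    """Cloaking element v = w sigma_i^2 w^-1 for a state with permutation perm: w
    steers strands i and i+1 onto the two positions whose T-value is 1, so sigma_i^2
    contributes the identity matrix and w^-1 then undoes w. (i = 2 is arbitrary.)"""
    ones = [perm.index(0), perm.index(1)]       # where T[0] = T[1] = 1 currently sit
    rest = [x for x in range(N) if x not in ones]
    w = word_with_permutation(rest[:i - 1] + ones + rest[i - 1:])
    return w + [i, i] + inverse_word(w)

def cloaked_signature(W1, W2, E):
    """v1 * W1^-1 * v * E * W2 * v2, each cloak chosen for the permutation reached at
    its position (this example's placement, mirroring the abstract's description)."""
    s0 = identity_state()
    sig = cloak(s0[1]) + inverse_word(W1)
    sig += cloak(emult(s0, sig)[1]) + E + W2
    return sig + cloak(emult(s0, sig)[1])

def conjugacy_equation(W1, W2, E1, E2):
    """With cloaks stripped, Sig1 * Sig2^-1 free-reduces to W1^-1 (E1 E2^-1) W1: the
    known braid E1 E2^-1 conjugated by the unknown W1, which is what the attack solves."""
    s1 = inverse_word(W1) + E1 + W2
    s2 = inverse_word(W1) + E2 + W2
    return free_reduce(s1 + inverse_word(s2))

if __name__ == "__main__":
    s0 = identity_state()
    W1, W2, E = [1, -2, 3, 4, -5, 2, 1], [5, 4, -3, 2, 1, 3], [3, 3, -4, 5, 2]
    sig = cloaked_signature(W1, W2, E)
    print(len(sig), emult(s0, sig) == emult(s0, inverse_word(W1) + E + W2))
```

Two checks are worth running by hand: `emult` applied to the words σ₁σ₂σ₁ and σ₂σ₁σ₂ gives the same state, which is what makes E-multiplication a well-defined action of the braid group rather than of the free group; and E-multiplying the cloaked signature from the identity state gives exactly the state reached by W1⁻¹·E·W2 alone, which is why cloaks are invisible to verification yet must be removed before the conjugacy equation in `conjugacy_equation` becomes visible as a word.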
