On the (non) obfuscating power of Garside Normal Forms

Braid groups are infinite non-abelian groups naturally arising from geometric braids that have been used in cryptography for the last two decades. In braid group cryptography, public braids often contain secret braids as factors, and it is hoped that rewriting the product of braid words hides the individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products in braid groups of the form ABC when only B is known. Our decomposition algorithm yields a universal forgery attack on WalnutDSA, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptographic algorithms. Our attack on WalnutDSA can universally forge signatures within seconds for both the 128-bit and 256-bit security levels, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments. Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.
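The abstract's central observation, that rewriting a product into Garside normal form does not erase the factors' own normal forms, can be checked on small positive braids. The Python below is an added example and not the paper's code: it computes the left Garside normal form of a positive braid word by cutting the word into permutation braids and sliding crossings to the left until every adjacent pair is left-weighted (the starting set of the right factor lies inside the finishing set of the left factor), and then counts how many leading factors of NF(A) survive unchanged in NF(A·X). Generators are 0-indexed (0 stands for σ1), only positive braids are handled, and the function names, the sample words and the seeded random experiment are my own choices, not anything from the paper.

```python
# Added example (not the paper's code): left Garside normal form of positive
# braids via permutation braids, used to see how much of NF(A) survives in NF(A*X).
import random
from typing import List, Tuple

Perm = Tuple[int, ...]  # p[j] = end position of the strand that starts at j


def identity(n: int) -> Perm:
    return tuple(range(n))


def inverse(p: Perm) -> Perm:
    inv = [0] * len(p)
    for j, v in enumerate(p):
        inv[v] = j
    return tuple(inv)


def starting_set(p: Perm) -> set:
    # sigma_i is a prefix of the permutation braid p iff the strands starting
    # at i and i+1 cross, i.e. their end positions are in reversed order.
    return {i for i in range(len(p) - 1) if p[i] > p[i + 1]}


def finishing_set(p: Perm) -> set:
    # sigma_i is a suffix of p iff the strands ending at i and i+1 have crossed.
    inv = inverse(p)
    return {i for i in range(len(p) - 1) if inv[i] > inv[i + 1]}


def append_gen(p: Perm, i: int) -> Perm:
    # p * sigma_i: the strands currently at positions i, i+1 swap, which swaps
    # the values i and i+1 in the image tuple.
    return tuple(i + 1 if v == i else i if v == i + 1 else v for v in p)


def strip_prefix(p: Perm, i: int) -> Perm:
    # sigma_i^{-1} * p for i in starting_set(p): swap the entries at positions i, i+1.
    q = list(p)
    q[i], q[i + 1] = q[i + 1], q[i]
    return tuple(q)


def greedy_factors(n: int, word: List[int]) -> List[Perm]:
    # Cut a positive word into permutation braids, starting a new factor
    # whenever the next generator would make two strands cross twice.
    factors, cur = [], identity(n)
    for i in word:
        if i in finishing_set(cur):
            factors.append(cur)
            cur = identity(n)
        cur = append_gen(cur, i)
    factors.append(cur)
    return factors


def left_weight(a: Perm, b: Perm) -> Tuple[Perm, Perm, bool]:
    # Slide crossings from b into a until S(b) is contained in F(a).
    changed = False
    while True:
        movable = starting_set(b) - finishing_set(a)
        if not movable:
            return a, b, changed
        i = min(movable)
        a, b, changed = append_gen(a, i), strip_prefix(b, i), True


def perm_to_word(p: Perm) -> List[int]:
    # A positive word for a permutation braid: peel off prefixes sigma_i.
    word = []
    while p != identity(len(p)):
        i = min(starting_set(p))
        word.append(i)
        p = strip_prefix(p, i)
    return word


def normal_form(n: int, word: List[int]) -> List[List[int]]:
    """Left Garside normal form of a positive braid word in B_n (0-indexed generators).
    Delta factors end up at the front automatically, since S(Delta) is everything."""
    factors = greedy_factors(n, word)
    changed = True
    while changed:  # sweep adjacent pairs until every pair is left-weighted
        changed = False
        for k in range(len(factors) - 1):
            a, b, moved = left_weight(factors[k], factors[k + 1])
            if moved:
                factors[k], factors[k + 1], changed = a, b, True
    return [perm_to_word(f) for f in factors if f != identity(n)]


def common_prefix_length(nf1: List[List[int]], nf2: List[List[int]]) -> int:
    k = 0
    while k < min(len(nf1), len(nf2)) and nf1[k] == nf2[k]:
        k += 1
    return k


def leakage_experiment(n: int, len_a: int, len_x: int, trials: int, seed: int = 1) -> List[int]:
    # For random positive words A and X (constructed here), how many leading
    # factors of NF(A) reappear verbatim at the start of NF(A*X)?
    rng = random.Random(seed)
    out = []
    for _ in range(trials):
        a = [rng.randrange(n - 1) for _ in range(len_a)]
        x = [rng.randrange(n - 1) for _ in range(len_x)]
        out.append(common_prefix_length(normal_form(n, a), normal_form(n, a + x)))
    return out


if __name__ == "__main__":
    a = [0, 0, 0, 1, 1]  # sigma1^3 sigma2^2 in B_3
    print("NF(A)      =", normal_form(3, a))
    print("NF(A*s1)   =", normal_form(3, a + [0]))  # first three factors survive
    print("NF(s1^4 s2 s1) =", normal_form(3, [0, 0, 0, 0, 1, 0]))  # fully rewritten to Delta s2^3
    kept = leakage_experiment(6, 40, 3, 200)
    print("mean surviving prefix over 200 random trials:", sum(kept) / len(kept))
```

The two hand-built B_3 words show both sides of the abstract's "under certain conditions": appending σ1 to σ1³σ2² changes only the last factor of the normal form, while σ1⁴σ2σ1 collapses entirely into Δσ2³ because the extra crossings complete a Δ that migrates to the front. The seeded experiment in the main block gives a feel for the generic case, which is the situation the paper's decomposition algorithm relies on.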
