A Practical Cryptanalysis of WalnutDSA

We present a practical cryptanalysis of WalnutDSA, a digital signature algorithm trademarked by SecureRF. WalnutDSA uses techniques from permutation groups, matrix groups and braid groups, and is designed to provide post-quantum security in lightweight IoT device contexts. The attack given in this paper bypasses the E-Multiplication™ and cloaked conjugacy search problems at the heart of the algorithm and forges signatures for arbitrary messages in approximately two minutes. We also discuss potential countermeasures to the attack.
