The Cracking of WalnutDSA: A Survey

This paper reports on the Walnut Digital Signature Algorithm (WalnutDSA), an asymmetric signature scheme recently submitted for standardization to the NIST call for post-quantum cryptographic constructions. WalnutDSA is a group-theoretic construction whose security relies on the hardness of certain problems related to an action of a braid group on a finite set. Although it initially resisted the typical attacks that succeed against this kind of construction, several weaknesses were soon identified that render the proposal insecure (and ultimately led to its exclusion from Round 2 of the NIST competition). Some of these attacks exploit the well-structured and symmetric masking of certain secret elements during the signing process. We explain the design principles behind this proposal and survey the main attack strategies that have succeeded in contradicting its claimed security properties, as well as the recently proposed ideas aimed at overcoming these issues.
