
An attack on the Walnut digital signature algorithm

Designs, Codes and Cryptography

Abstract

In this paper, we analyze security properties of the WalnutDSA, a digital signature algorithm recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, that has been accepted by the National Institute of Standards and Technology for evaluation as a standard for quantum-resistant public-key cryptography. At the core of the algorithm is an action, named E-multiplication, of a braid group on some finite set. The protocol assigns a pair of braids to the signer as a private key. A signature of a message m is a specially constructed braid that is obtained as a product of private keys, the hash value of m encoded as a braid, and three specially designed cloaking elements. We present a heuristic algorithm that allows a passive eavesdropper to recover a substitute for the signer's private key by removing cloaking elements and then solving a system of conjugacy equations in braids. Our attack has \(100\%\) success rate on randomly generated instances of the protocol. It works with braids only and its success rate is not affected by the choice of the base finite field. In particular, it has the same \(100\%\) success rate for the updated parameter values (including a new way to generate cloaking elements, see NIST Post-quantum Cryptography Forum). An implementation of our attack in C++, as well as our implementation of the WalnutDSA protocol, is available on GitHub.
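To make the core object of the abstract concrete, the following is an added worked example (it is not code from the paper, nor from the authors' GitHub implementation) of E-multiplication: the action of the braid group B_N on pairs (M, s), where M is an N x N matrix over a finite field and s is a permutation. It follows the colored Burau construction WalnutDSA is built on; the prime modulus P, the dimension N, the T-values tau and all function names are constructed for this example, and real WalnutDSA parameters are larger and use a characteristic-2 field. The check at the end verifies that the map really is a well-defined action (braid relations, far commutativity, and generator/inverse cancellation all give the same pair), which is the property that lets a verifier compute with the signature braid and also the property an attacker exploits when working "with braids only": any two words for the same braid act identically.

```python
# Added worked example (not code from the paper or its GitHub implementation).
# E-multiplication: the action of the braid group B_N on pairs (M, s), where M is an
# N x N matrix over a finite field and s is a permutation of {0..N-1}.  A braid is a
# word in Artin generators, stored as a list of non-zero ints: +i = sigma_i, -i = sigma_i^{-1}.
# The field size P and the T-values tau used below are constructed for this example;
# WalnutDSA's real parameters are larger and use a characteristic-2 field.

P = 8191   # example prime modulus (assumption: any prime works for the demonstration)


def identity(n):
    return [[1 if r == c else 0 for c in range(n)] for r in range(n)]


def matmul(a, b, p=P):
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % p for c in range(n)] for r in range(n)]


def colored_burau(gen, tau, n, p=P):
    """Colored Burau matrix of sigma_i (gen > 0) or sigma_i^{-1} (gen < 0), with the
    variables t_1..t_N already replaced by the field elements in `tau` (0-indexed).
    Only row i differs from the identity:
      sigma_i      : (..., t_i, -t_i, 1, ...)                   at columns i-1, i, i+1
      sigma_i^{-1} : (..., 1, -t_{i+1}^{-1}, t_{i+1}^{-1}, ...) at columns i-1, i, i+1
    """
    i = abs(gen) - 1
    m = identity(n)
    if gen > 0:
        t = tau[i] % p
        if i > 0:
            m[i][i - 1] = t
        m[i][i] = (-t) % p
        m[i][i + 1] = 1
    else:
        tinv = pow(tau[i + 1], p - 2, p)       # inverse in GF(p) by Fermat
        if i > 0:
            m[i][i - 1] = 1
        m[i][i] = (-tinv) % p
        m[i][i + 1] = tinv
    return m


def e_multiply(state, word, tau, p=P):
    """Return (M, s) * word.  For each generator sigma_i^e in the word:
         M <- M * CB(sigma_i^e)[t_j := tau_{s(j)}]    (T-values permuted by the current s)
         s <- s o (i i+1)
    The result depends only on the braid, not on the particular word chosen for it."""
    m, s = state
    n = len(s)
    for gen in word:
        i = abs(gen) - 1
        permuted_tau = [tau[s[j]] for j in range(n)]
        m = matmul(m, colored_burau(gen, permuted_tau, n, p), p)
        s = s[:]
        s[i], s[i + 1] = s[i + 1], s[i]
    return m, s


def inverse_word(word):
    """Word for the inverse braid: reverse the order and invert every generator."""
    return [-g for g in reversed(word)]


def free_reduce(word):
    """Cancel adjacent sigma_i sigma_i^{-1} pairs; the action is unchanged by this."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def check_braid_relations(n, tau, p=P):
    """True iff e_multiply respects the defining relations of B_N for these T-values:
    braid relations, far commutativity, and generator/inverse cancellation."""
    start = (identity(n), list(range(n)))
    act = lambda w: e_multiply(start, w, tau, p)
    for i in range(1, n - 1):
        if act([i, i + 1, i]) != act([i + 1, i, i + 1]):
            return False
        for j in range(i + 2, n):
            if act([i, j]) != act([j, i]):
                return False
    for i in range(1, n):
        if act([i, -i]) != start or act([-i, i]) != start:
            return False
    return True


if __name__ == "__main__":
    tau = [3, 5, 7, 11, 13, 17]            # constructed T-values for N = 6
    print("action is well defined:", check_braid_relations(6, tau))
```

The convention that matters is in `e_multiply`: the T-values are permuted by the permutation accumulated so far before each colored Burau matrix is multiplied in, and the permutation is composed on the right. With either detail changed, the braid relation check fails, which is a convenient way to catch a mis-implemented E-multiplication before building anything on top of it.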


References

  1. Anshel I., Atkins D., Goldfeld P., Gunnels D.: The Walnut digital signature algorithm (TM) specification. Submitted to NIST PQC project (2017). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions, accessed 4 April 2018.

  2. Anshel I., Atkins D., Goldfeld P., Gunnels D.: Kayawood, a key agreement protocol. Preprint. Available at https://eprint.iacr.org/2017/1162 (version: 30-Nov-2017) (2017).

  3. Anshel I., Atkins D., Goldfeld P., Gunnels D.: WalnutDSA(TM): a quantum-resistant digital signature algorithm. Preprint. Available at https://eprint.iacr.org/2017/058 (version: 30-Nov-2017) (2017).

  4. Beullens W., Blackburn S.R.: Practical attacks against the Walnut digital signature scheme. Preprint. Available at https://eprint.iacr.org/2018/318/20180404:153741 (2018).

  5. Birman J.S., Ko K.H., Lee S.J.: A new approach to the word and conjugacy problems in the braid groups. Adv. Math. 139, 322–353 (1998).


  6. CRyptography And Groups (CRAG) C++ Library. Available at https://github.com/stevens-crag/crag.

  7. Dehornoy P.: A fast method for comparing braids. Adv. Math. 125, 200–235 (1997).


  8. Epstein D.B.A., Cannon J.W., Holt D.F., Levy S.V.F., Paterson M.S., Thurston W.P.: Word Processing in Groups. Jones and Bartlett Publishers, Burlington (1992).


  9. Gebhardt V.: A new approach to the conjugacy problem in Garside groups. J. Algebra 292, 282–302 (2005).

  10. Hart D., Kim D., Micheli G., Perez G.P., Petit C., Quek Y.: A practical cryptanalysis of WalnutDSA. In: Public-key cryptography—PKC 2018, pp. 381–406. Springer, New York (2018).

  11. Kapovich I.E., Miasnikov A.G., Schupp P.E., Shpilrain V.E.: Generic-case complexity, decision problems in group theory and random walks. J. Algebra 264, 665–694 (2003).


  12. Kotov M.V., Menshov A.V., Ushakov A.V.: Attack on Kayawood protocol: uncloaking private keys. Preprint. Available at https://eprint.iacr.org/2018/604 (version: 18-Jun-2018) (2018).

  13. NIST PQC forum. Available at https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-forum, accessed 4 April 2018 (2018).

  14. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: A practical attack on some braid group based cryptographic protocols. In: Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pp. 86–96. Springer, Berlin (2005).

  15. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol. In: Advances in Cryptology—PKC 2006, volume 3958 of Lecture Notes in Computer Science, pp. 302–314. Springer, Berlin (2006).

  16. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: Non-commutative Cryptography and Complexity of Group-Theoretic Problems. Mathematical Surveys and Monographs. AMS, Providence (2011).


  17. Paterson M.S., Razborov A.A.: The set of minimal braids is co-NP-complete. J. Algorithms 12, 393–408 (1991).

  18. Wang J.: Average-case completeness of a word problem for groups. In: Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, STOC '95, pp. 325–334. ACM (1995).

Author information

Correspondence to Anton Menshov.

Additional information

Communicated by M. Paterson.


Anton Menshov was supported by the Russian Science Foundation (Project N16-11-10002).


Cite this article

Kotov, M., Menshov, A. & Ushakov, A. An attack on the Walnut digital signature algorithm. Des. Codes Cryptogr. 87, 2231–2250 (2019). https://doi.org/10.1007/s10623-019-00615-y
