An attack on the Walnut digital signature algorithm
In this paper, we analyze the security properties of WalnutDSA, a digital signature algorithm recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnells, that has been accepted by the National Institute of Standards and Technology for evaluation as a standard for quantum-resistant public-key cryptography. At the core of the algorithm is an action, named E-multiplication, of a braid group on a finite set. The protocol assigns a pair of braids to the signer as a private key. A signature of a message m is a specially constructed braid that is obtained as a product of the private keys, the hash value of m encoded as a braid, and three specially designed cloaking elements. We present a heuristic algorithm that allows a passive eavesdropper to recover a substitute for the signer's private key by removing the cloaking elements and then solving a system of conjugacy equations in braids. Our attack has a \(100\%\) success rate on randomly generated instances of the protocol. It works with braids only, and its success rate is not affected by the choice of the base finite field. In particular, it has the same \(100\%\) success rate for the updated parameter values (including a new way to generate cloaking elements, see the NIST Post-quantum Cryptography Forum). An implementation of our attack in C++, as well as our implementation of the WalnutDSA protocol, is available on GitHub.
Keywords: WalnutDSA; Group-based cryptography; Digital signature; Algebraic eraser; Braid group; Colored Burau presentation; Conjugacy problem
Mathematics Subject Classification: 94A60, 68W30
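The abstract names E-multiplication, the action of the braid group on a finite set, as the core of WalnutDSA. The Python code below is an added example, not code from the paper or from the WalnutDSA authors' implementation: it realises E-multiplication over a prime field through the colored Burau representation and then checks that the image of a braid does not depend on the word chosen to write it, i.e. that free cancellation and the braid relations hold under the action. The matrix conventions (row i of CB(b_i) equal to (t_i, -t_i, 1) in columns i-1, i, i+1, permutations acting on the variables, the semidirect-product rule for the permutation part) are assumed from the usual statement of the colored Burau representation; the prime p = 7, the T-values and the braid words are constructed toy inputs, far smaller than anything a real instance would use.

```python
"""E-multiplication over a prime field via the colored Burau representation.
Added example; conventions assumed as stated in the lead-in, toy inputs constructed."""


def identity_matrix(n, p):
    return [[1 % p if r == c else 0 for c in range(n)] for r in range(n)]


def matmul(a, b, p):
    n = len(a)
    return [[sum(a[r][k] * b[k][c] for k in range(n)) % p for c in range(n)] for r in range(n)]


def transposition(n, i):
    """sigma_i: swap strands i and i+1 (1-indexed); stored as a 0-indexed tuple perm[j] = image of j."""
    perm = list(range(n))
    perm[i - 1], perm[i] = perm[i], perm[i - 1]
    return tuple(perm)


def compose(a, b):
    """(a o b)[j] = a[b[j]]: apply b first, then a."""
    return tuple(a[b[j]] for j in range(len(a)))


def colored_burau_evaluated(n, i, inverse, tval, p):
    """Colored Burau matrix of b_i (or b_i^-1) with its single variable already
    replaced by the field element tval.  CB(b_i) is the identity except row i,
    which is (t_i, -t_i, 1) in columns i-1, i, i+1; CB(b_i^-1) has row i equal to
    (1, -t_{i+1}^-1, t_{i+1}^-1) in the same columns (column i-1 is absent when i = 1)."""
    m = identity_matrix(n, p)
    r = i - 1
    if not inverse:
        if r > 0:
            m[r][r - 1] = tval % p
        m[r][r] = (-tval) % p
        m[r][r + 1] = 1
    else:
        tinv = pow(tval, -1, p)          # T-values are nonzero, so the inverse exists
        if r > 0:
            m[r][r - 1] = 1
        m[r][r] = (-tinv) % p
        m[r][r + 1] = tinv
    return m


def e_multiply(state, braid, tvals, p):
    """(M, sigma) * beta for a braid word beta given as a list of nonzero ints:
    +i means b_i, -i means b_i^-1 (1-indexed).  Each generator step multiplies M by
    the colored Burau matrix of the generator whose variable is first permuted by the
    current sigma and then evaluated at the T-values, and composes sigma with sigma_i."""
    m, perm = state
    n = len(perm)
    for g in braid:
        i, inverse = abs(g), g < 0
        var = i + 1 if inverse else i           # the variable occurring in CB(b_i^{+-1})
        tval = tvals[perm[var - 1]]              # sigma sends t_var to t_{sigma(var)}
        m = matmul(m, colored_burau_evaluated(n, i, inverse, tval, p), p)
        perm = compose(perm, transposition(n, i))
    return m, perm


def identity_state(n, p):
    return identity_matrix(n, p), tuple(range(n))


def braid_relations_hold(n, tvals, p):
    """Well-definedness check: the result of E-multiplication must not depend on the
    braid word, so cancellation b_i b_i^-1 = 1, the braid relation
    b_i b_{i+1} b_i = b_{i+1} b_i b_{i+1} and far commutation b_i b_j = b_j b_i (|i-j| >= 2)
    must all give equal results from the identity state."""
    start = identity_state(n, p)
    act = lambda word: e_multiply(start, word, tvals, p)
    for i in range(1, n):
        if act([i, -i]) != start:
            return False
        if i + 1 < n and act([i, i + 1, i]) != act([i + 1, i, i + 1]):
            return False
        for j in range(i + 2, n):
            if act([i, j]) != act([j, i]):
                return False
    return True


if __name__ == "__main__":
    P, TVALS = 7, (2, 3, 5)                       # constructed toy parameters
    print(e_multiply(identity_state(3, P), [1, 2, 1], TVALS, P))
    print(braid_relations_hold(5, (1, 2, 3, 4, 5), 11))
```

Because the action is defined generator by generator, the property (M, σ) ⋆ (β₁β₂) = ((M, σ) ⋆ β₁) ⋆ β₂ is automatic; what `braid_relations_hold` checks is the non-obvious part, namely that the evaluation at the T-values commutes with the colored Burau product so that equal braids give equal results. For the 3-strand toy instance the two words b_1 b_2 b_1 and b_2 b_1 b_2 land on the same matrix and on the permutation exchanging strands 1 and 3.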
- 1. Anshel I., Atkins D., Goldfeld D., Gunnells P.: The Walnut digital signature algorithm(TM) specification. Submitted to NIST PQC project (2017). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions, accessed 4 April 2018.
- 2. Anshel I., Atkins D., Goldfeld D., Gunnells P.: Kayawood, a key agreement protocol. Preprint. Available at https://eprint.iacr.org/2017/1162 (version: 30-Nov-2017) (2017).
- 3. Anshel I., Atkins D., Goldfeld D., Gunnells P.: WalnutDSA(TM): a quantum-resistant digital signature algorithm. Preprint. Available at https://eprint.iacr.org/2017/058 (version: 30-Nov-2017) (2017).
- 4. Beullens W., Blackburn S.R.: Practical attacks against the Walnut digital signature scheme. Preprint. Available at https://eprint.iacr.org/2018/318/20180404:153741 (2018).
- 6. CRyptography And Groups (CRAG) C++ Library. Available at https://github.com/stevens-crag/crag.
- 10. Hart D., Kim D., Micheli G., Perez G.P., Petit C., Quek Y.: A practical cryptanalysis of WalnutDSA. In: Public-key cryptography—PKC 2018, pp. 381–406. Springer, New York (2018).
- 12. Kotov M.V., Menshov A.V., Ushakov A.V.: Attack on Kayawood protocol: uncloaking private keys. Preprint. Available at https://eprint.iacr.org/2018/604 (version: 18-Jun-2018) (2018).
- 13. NIST PQC forum. Available at https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-forum, accessed 4 April 2018 (2018).
- 14. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: A practical attack on some braid group based cryptographic protocols. In: Advances in Cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Computer Science, pp. 86–96. Springer, Berlin (2005).
- 15. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: Random subgroups of braid groups: an approach to cryptanalysis of a braid group based cryptographic protocol. In: Advances in Cryptology—PKC 2006, volume 3958 of Lecture Notes in Computer Science, pp. 302–314. Springer, Berlin (2006).
- 16. Miasnikov A.G., Shpilrain V.E., Ushakov A.V.: Non-commutative Cryptography and Complexity of Group-Theoretic Problems. Mathematical Surveys and Monographs. AMS, Providence (2011).
- 18. Wang J.: Average-case completeness of a word problem for groups. In: Proceedings of the Twenty-Seventh Annual ACM Symposium on Theory of Computing, STOC '95, pp. 325–334. ACM (1995).