Factoring Products of Braids via Garside Normal Form

  • Simon-Philipp MerzEmail author
  • Christophe Petit
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11443)


Braid groups are infinite non-abelian groups naturally arising from geometric braids. For two decades they have been proposed for cryptographic use. In braid group cryptography public braids often contain secret braids as factors and it is hoped that rewriting the product of braid words hides individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products of braids of the form ABC when only B is known.

Our decomposition algorithm yields a universal forgery attack on WalnutDSATM, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptography. Our attack on WalnutDSATM can universally forge signatures within seconds for both the 128-bit and 256-bit security level, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments.

Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.



The authors would like to thank Ward Beullens and the anonymous reviewers for their helpful feedback. This work was produced as part of a master’s thesis of the first author at the University of Oxford. He is now supported by the EPSRC as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1).


  1. 1.
    About SecureRF. Accessed 21 Nov 2018
  2. 2.
    Anshel, I., Atkins, D., Goldfeld, P., Gunnels, D.: Kayawood, a key agreement protocol (2017). Preprint: Version 30 Nov 2017
  3. 3.
    Anshel, I., Anshel, M., Fisher, B., Goldfeld, D.: New key agreement protocols in braid group cryptography. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 13–27. Springer, Heidelberg (2001). Scholar
  4. 4.
    Anshel, I., Anshel, M., Goldfeld, D.: An algebraic method for public-key cryptography. Math. Res. Lett. 6, 287–292 (1999)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Anshel, I., Anshel, M., Goldfeld, D., Lemieux, S.: Key agreement, the algebraic eraser, and lightweight cryptography. Contemp. Math. 418, 1–34 (2007)MathSciNetzbMATHGoogle Scholar
  6. 6.
    Anshel, I., Atkins, D., Goldfeld, D., Gunnells, P.E.: WalnutDSA: a quantum resistant group theoretic digital signature algorithm (2017). Preprint available at, 30 Nov 2017
  7. 7.
    Artin, E.: Theorie der Zöpfe. Abhandlungen aus dem mathematischen Seminar der Universität Hamburg. 4, 47–72 (1925)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Ben-Zvi, A., Blackburn, S.R., Tsaban, B.: A practical cryptanalysis of the Algebraic Eraser. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 179–189. Springer, Heidelberg (2016). Scholar
  9. 9.
    Ben-Zvi, A., Kalka, A., Tsaban, B.: Cryptanalysis via algebraic spans. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 255–274. Springer, Cham (2018). Scholar
  10. 10.
    Beullens, W., Blackburn, S.: Practical attacks against the Walnut digital signature scheme (2018). Accepted to Asiacrypt 2018. Preprint:
  11. 11.
    Birman, J., Ko, K.H., Lee, S.J.: A new approach to the word and conjugacy problems in the braid groups. Adv. Math. 139(2), 322–353 (1998)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Birman, J.S.: Braids, Links, and Mapping Class Groups. (AM-82), vol. 82. Princeton University Press, Princeton (1975)Google Scholar
  13. 13.
    Birman, J.S., Gebhardt, V., González-Meneses, J.: Conjugacy in Garside groups I: cyclings, powers and rigidity. Groups Geom. Dyn. 1(3), 221–279 (2007)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Bressaud, X.: A normal form for braids. J. Knot Theory Ramif. 17(06), 697–732 (2008)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Burau, W.: Über Zopfgruppen und gleichsinnig verdrillte Verkettungen. Abhandlungen aus dem Mathematischen Seminar der Universität Hamburg. 11, 179–186 (1935)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Dehornoy, P.: A fast method for comparing braids. Adv. Math. 125(2), 200–235 (1997)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Dehornoy, P.: Alternating normal forms for braids and locally Garside monoids. J. Pure Appl. Algebra 212(11), 2413–2439 (2008)MathSciNetCrossRefGoogle Scholar
  19. 19.
    Ding, J., Yang, B.Y.: Multivariate public key cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 193–241. Springer, Heidelberg (2009). Scholar
  20. 20.
    Elrifai, E.A., Morton, H.R.: Algorithms for positive braids. Q. J. Math. 45(180), 479–498 (1994)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Epstein, D., Cannon, J., Holt, D., Levy, S., Paterson, M., Thurston, W.: Word Processing in Groups (1992)Google Scholar
  22. 22.
    Garber, D.: Braid group cryptography. In: Braids: Introductory Lectures On Braids, Configurations and Their Applications, pp. 329–403. World Scientific (2010)Google Scholar
  23. 23.
    Garside, F.A.: The braid group and other groups. Q. J. Math. 20(1), 235–254 (1969)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Gebhardt, V.: A new approach to the conjugacy problem in Garside groups. J. Algebra 292(1), 282–302 (2005)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Gebhardt, V., González-Meneses, J.: The cyclic sliding operation in Garside groups. Mathematische Zeitschrift 265(1), 85–114 (2010)MathSciNetCrossRefGoogle Scholar
  26. 26.
    Gebhardt, V., González-Meneses, J.: Generating random braids. J. Comb. Theory Ser. A 120(1), 111–128 (2013)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Gebhardt, V., Tawn, S.: Normal forms of random braids. J. Algebra 408, 115–137 (2014)MathSciNetCrossRefGoogle Scholar
  28. 28.
    Goldwasser, S., Bellare, M.: Lecture notes on cryptography. Summer course “Cryptography and computer security” at MIT (1996)Google Scholar
  29. 29.
    Hart, D., Kim, D., Micheli, G., Pascual-Perez, G., Petit, C., Quek, Y.: A practical cryptanalysis of WalnutDSA\(^{\text{ TM }}\). In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 381–406. Springer, Cham (2018). Scholar
  30. 30.
    Hughes, J., Tannenbaum, A.: Length-based attacks for certain group based encryption rewriting systems. arXiv preprint cs/0306032 (2003)Google Scholar
  31. 31.
    Kalka, A., Teicher, M., Tsaban, B.: Short expressions of permutations as products and cryptanalysis of the Algebraic Eraser. Adv. Appl. Math. 49(1), 57–76 (2012)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Knuth, D.E., Morris Jr., J.H., Pratt, V.R.: Fast pattern matching in strings. SIAM J. Comput. 6(2), 323–350 (1977)MathSciNetCrossRefGoogle Scholar
  33. 33.
    Ko, K.H., Lee, S.J., Cheon, J.H., Han, J.W., Kang, J.S., Park, C.: New public-key cryptosystem using braid groups. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 166–183. Springer, Heidelberg (2000). Scholar
  34. 34.
    Kotov, M., Menshov, A., Ushakov, A.: An attack on the Walnut digital signature algorithm. Des. Codes Crypt. 1–20 (2018)Google Scholar
  35. 35.
    McEliece, R.: A public-key cryptosystem based on algebraic coding theory. Deep. Space Netw. Prog. Rep. 44, 114–116 (1978)Google Scholar
  36. 36.
    Merz, S.P.: Non obfuscating power of Garside normal forms (2018). GitHub repository at
  37. 37.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). Scholar
  38. 38.
    Myasnikov, A.D., Ushakov, A.: Length based attack and braid groups: cryptanalysis of Anshel-Anshel-Goldfeld key exchange protocol. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 76–88. Springer, Heidelberg (2007). Scholar
  39. 39.
    National Institute for Standards and Technology (NIST): Post-quantum crypto standardization (2016).
  40. 40.
  41. 41.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th Annual Symposium on Foundations of Computer Science, 1994 Proceedings, pp. 124–134. IEEE (1994)Google Scholar
  42. 42.
    Shpilrain, V., Ushakov, A.: Thompson’s group and public key cryptography. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 151–163. Springer, Heidelberg (2005). Scholar
  43. 43.
    Stolbunov, A.: Constructing public-key cryptographic schemes based on class group action on a set of isogenous elliptic curves. Adv. Math. Commun. 4(2), 215–235 (2010)MathSciNetCrossRefGoogle Scholar
  44. 44.
    Van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)MathSciNetCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. 1.Royal Holloway, University of LondonEghamUK
  2. 2.University of BirminghamBirminghamUK

Personalised recommendations