A Practical Cryptanalysis of WalnutDSA
We present a practical cryptanalysis of WalnutDSA, a digital signature algorithm trademarked by SecureRF. WalnutDSA uses techniques from permutation groups, matrix groups and braid groups, and is designed to provide post-quantum security in lightweight IoT device contexts. The attack given in this paper bypasses the E-Multiplication(TM) and cloaked conjugacy search problems at the heart of the algorithm and forges signatures for arbitrary messages in approximately two minutes. We also discuss potential countermeasures to the attack.
WalnutDSA(TM): A Quantum-Resistant Digital Signature Algorithm
In 2005 I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux introduced E-Multiplication(TM), a quantum-resistant, group-theoretic, one-way function which can be used as a basis for many different cryptographic applications. This one-way function was specifically designed for constrained devices, running extremely quickly and requiring very little code.
This paper introduces WalnutDSA, a new E-Multiplication-based public-key method which provides efficient verification, allowing low-power and constrained devices to quickly and inexpensively validate digital signatures (e.g., a certificate or authentication). It presents an in-depth discussion of the construction of the digital signature algorithm, analyzes the security of the scheme, provides a proof of security under EUF-CMA, and discusses the practical results from implementations on several constrained devices.
Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA(TM)
The Walnut Digital Signature Algorithm (WalnutDSA) brings together methods in group theory, representation theory, and number theory, to yield a public-key method that provides a means for messages to be signed and signatures to be verified, on platforms where traditional approaches cannot be executed. After briefly reviewing the various heuristic/practical attacks that have been posited by Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit, we detail the parameter choices that defeat each attack, ensure the security of the method, and demonstrate its continued utility.
Attack on Kayawood Protocol: Uncloaking Private Keys
We analyze security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, called Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication).
We present a heuristic algorithm that allows a passive eavesdropper to recover Alice's private key by removing cloaking elements. Our attack has a 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest inserting many cloaking elements at random positions of the private key. Our implementation of the attack is available on GitHub.
Cryptanalysis of protocols using (Simultaneous) Conjugacy Search Problem in certain Metabelian Platform Groups
There are many group-based cryptosystems in which the security relies on the difficulty of solving the Conjugacy Search Problem (CSP) and the Simultaneous Conjugacy Search Problem (SCSP) in their underlying platform groups. In this paper we give a cryptanalysis of those systems which use certain semidirect products of abelian groups.
Practical Attacks Against the Walnut Digital Signature Scheme
Recently, NIST started the process of standardizing quantum-resistant public-key cryptographic algorithms. WalnutDSA, the subject of this paper, is one of the 20 proposed signature schemes that are being considered for standardization. Walnut relies on a one-way function called E-Multiplication, which has a rich algebraic structure. This paper shows that this structure can be exploited to launch several practical attacks against the Walnut cryptosystem. The attacks work very well in practice; it is possible to forge signatures and compute equivalent secret keys for the 128-bit and 256-bit security parameters submitted to NIST in less than a second and in less than a minute respectively.
AN ATTACK ON THE WALNUT DIGITAL SIGNATURE ALGORITHM
In this paper, we analyze security properties of WalnutDSA, a digital signature algorithm recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnels, that has been accepted by the National Institute of Standards and Technology for evaluation as a standard for quantum-resistant public-key cryptography.
At the core of the algorithm is an action, named E-multiplication, of a braid group on some finite set. The protocol assigns a pair of braids to the signer as a private key. A signature of a message is a specially constructed braid that is obtained as a product of the private keys, the hash value encoded as a braid, and three specially designed cloaking elements.
We present a heuristic algorithm that allows a passive eavesdropper to recover a substitute for the signer's private key by removing cloaking elements and then solving a system of conjugacy equations in braids. Our attack has success rate on randomly generated instances of the protocol. It works with braids only and its success rate is not affected by the choice of the base finite field. In particular, it has the same success rate for recently suggested parameter values (including a new way to generate cloaking elements, see the NIST PQC forum https://groups.google.com/a/list.nist.gov/forum/#!forum/pqc-forum). An implementation of our attack in C++, as well as our implementation of the WalnutDSA protocol, is available on GitHub (https://github.com/stevens-crag/crag).
Analysis of a Group of Automorphisms of a Free Group as a Platform for Conjugacy-Based Group Cryptography
Let F be a finitely generated free group and Aut(F) its group of automorphisms.
In this monograph we discuss potential uses of Aut(F) in group-based cryptography.
Our main focus is on using Aut(F) as a platform group for the Anshel-Anshel-Goldfeld protocol, Ko-Lee protocol, and other protocols based on different versions of the conjugacy search problem or decomposition problem, such as Shpilrain-Ushakov protocol.
We attack the Anshel-Anshel-Goldfeld and Ko-Lee protocols by adapting the existing types of the length-based attack to the specifics of Aut(F). We also present our own version of the length-based attack that significantly increases the attack's success rate. After discussing attacks, we discuss ways to make keys from Aut(F) resistant to the different versions of length-based attacks, including our own.
Methods for Collisions in Some Algebraic Hash Functions
This paper focuses on devising methods for producing collisions in algebraic hash functions that may be seen as generalized forms of the well-known Zémor and Tillich-Zémor hash functions. In contrast to some of the previous approaches, we attempt to construct collisions in a structured and deterministic manner by constructing messages with triangular or diagonal hashes. Our method thus provides an alternate deterministic approach to the method for finding triangular hashes. We also consider the generalized Tillich-Zémor hash functions over for , relating the generator matrices to a polynomial recurrence relation, and derive a closed form for any arbitrary power of the generators. We then provide conditions for collisions, and a method to maliciously design the system so as to facilitate easy collisions, in terms of this polynomial recurrence relation. Our general conclusion is that it is very difficult in practice to achieve the theoretical collision conditions efficiently, in both the generalized Zémor and the generalized Tillich-Zémor cases. Therefore, although the techniques are interesting theoretically, in practice the collision-resistance of the generalized Zémor functions is reinforced.