Practical Attacks on the Walnut Signature Scheme
Ward Beullens (KU Leuven), Simon R. Blackburn (Royal Holloway)
December 2, 2018
Introduction 1/22
WalnutDSA is a signature scheme submitted to the NIST PQC project.
- Small signatures and keys (best combined size of all submissions)
- Very fast key generation and verification
- Is used in the real world!
Outline of the talk 2/22
1 Preliminaries: Braid groups; WalnutDSA
2 Attacks: Collision search attack; Factorization attack; Inverting the group action attack
3 Conclusion
Braid groups 4/22
A braid of order N is a collection of strings connecting N upper points to N lower points. Two braids are equivalent if one can be deformed continuously into the other.
[Figure: A braid] [Figure: Equivalence of braids]
Braid groups 5/22
We can compose braids and invert them. Equivalence classes of braids of order N form a group $B_N$.
[Figure: Composition of braids] [Figure: Inverse of a braid]
Algebraic definition of braid groups 6/22
The braid group $B_N$ is generated by a set of $N-1$ Artin generators $b_1, \dots, b_{N-1}$.
[Figure: The three Artin generators $b_1$, $b_2$ and $b_3$ that generate $B_4$.] [Figure: The braid $b_1 b_2^{-1} b_3 b_2 b_1^{-1} b_3$.]
Algebraic definition of braid groups 7/22
[Figure: Relations $b_1 b_3 = b_3 b_1$ (left) and $b_1 b_2 b_1 = b_2 b_1 b_2$ (right).]
Theorem (Artin and Bohnenblust, 1946). These are the only relations between the generators. The braid groups therefore have a purely algebraic definition:
$$B_N = \left\langle b_1, \dots, b_{N-1} \;\middle|\; \begin{array}{l} b_i b_j = b_j b_i \text{ for } 1 \le i < j < N \text{ and } j - i \ge 2 \\ b_i b_{i+1} b_i = b_{i+1} b_i b_{i+1} \text{ for } 1 \le i < N-1 \end{array} \right\rangle$$
The permutation of a braid 8/22
There is a natural homomorphism $\sigma : B_N \to S_N$ that assigns a permutation to each braid. A braid that maps to the identity permutation is called pure.
[Figure: A braid with underlying permutation $(1\,2\,4)(3\,5)$.] [Figure: A pure braid.]
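As an added example (not code from the slides or the authors), the following Python stores a braid word as signed Artin generator indices, composes and inverts words, computes the homomorphism $\sigma$ by tracking which strand sits at which position, and tests purity; the sample input is the braid word from slide 6. The convention that the returned permutation lists, for each top position, the bottom position its strand reaches is an assumption of this example.

```python
# Added example (not from the slides): braid words in B_N as lists of nonzero
# ints, +i for the Artin generator b_i and -i for b_i^{-1}; sigma(b_i) swaps i, i+1.

def free_reduce(word):
    """Cancel adjacent b_i b_i^{-1} pairs; the result represents the same braid."""
    out = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out

def compose(u, v):
    """Composition of braids (u on top, then v), freely reduced."""
    return free_reduce(u + v)

def inverse(word):
    """Inverse braid: read the word backwards and flip every crossing."""
    return [-g for g in reversed(word)]

def sigma(word, n):
    """The homomorphism sigma: B_N -> S_N. Returns perm with perm[k-1] = bottom
    position (1-based) reached by the strand that starts at top position k."""
    if any(g == 0 or abs(g) >= n for g in word):
        raise ValueError(f"generator index out of range for B_{n}")
    at_pos = list(range(1, n + 1))     # at_pos[p] = strand currently at position p+1
    for g in word:                      # b_i and b_i^{-1} both swap the strands at i, i+1
        i = abs(g) - 1
        at_pos[i], at_pos[i + 1] = at_pos[i + 1], at_pos[i]
    perm = [0] * n
    for p, strand in enumerate(at_pos, start=1):
        perm[strand - 1] = p
    return perm

def is_pure(word, n):
    """A braid is pure iff sigma maps it to the identity permutation."""
    return sigma(word, n) == list(range(1, n + 1))

def relations_hold_under_sigma(n):
    """Both Artin relations must map to equal permutations (sigma is a homomorphism)."""
    for i in range(1, n):
        if any(sigma([i, j], n) != sigma([j, i], n) for j in range(i + 2, n)):
            return False
        if i < n - 1 and sigma([i, i + 1, i], n) != sigma([i + 1, i, i + 1], n):
            return False
    return True

# The braid from slide 6, b1 b2^{-1} b3 b2 b1^{-1} b3 in B_4 (constructed sample input).
SLIDE_BRAID = [1, -2, 3, 2, -1, 3]
```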
E-multiplication 9/22
WalnutDSA uses a new (right) group action $\star$ of $B_N$ on $GL(\mathbb{Z}_p, N) \times S_N$, called E-multiplication:
$$(M, \pi) \star b := (M \cdot \mathrm{Mat}(b, \pi),\ \pi\sigma(b)).$$
We define $P : B_N \to GL(\mathbb{Z}_p, N) \times S_N$ by acting on $(1_N, e)$:
$$P(b) := (1_N, e) \star b.$$
When restricted to $P_N$, $P : P_N \to GL(\mathbb{Z}_p, N)$ is a group morphism.
Recap 10/22
For all N, there is a braid group $B_N$, which has a subgroup $P_N$ of pure braids. We saw 3 objects:
1 $\sigma$, a group morphism that takes a braid and outputs a permutation.
2 E-multiplication ($\star$), a group action of $B_N$ on $GL(\mathbb{Z}_p, N) \times S_N$.
3 $P(s) := (1_N, e) \star s$, a group morphism when restricted to pure braids.
WalnutDSA 11/22
Secret key: two random secret braids $s_1, s_2$.
Public key: the result of acting on $(1_N, e)$ with $s_1, s_2$, i.e. $P(s_1), P(s_2)$.
Signature: a signature for document $d$ is a braid $s$ such that
$$P(s_1) \star s = P(E(d)) \star s_2,$$
where $E$ is an encoding function that takes a document and outputs a pure braid.
Remark: this can be verified from public information.
Collision search attack 13/22
A signature sig is valid for document $d$ if $P(s_1) \star \mathrm{sig} = P(E(d)) \star s_2$. The only dependence on $d$ is through $P(E(d))$. If we can find $d_1, d_2$ such that $P(E(d_1)) = P(E(d_2))$, we can break the EUF-CMA security of the signature scheme: a signature obtained for $d_1$ is then also valid for $d_2$.
The first step in calculating $E$ is a cryptographic hash function, so there is nothing better than a generic collision search.
Collision search attack 14/22
Distinguished point method (van Oorschot, Wiener): collision search in a function $f : D \to D$ takes $|D|^{1/2}$ function evaluations.
$|P(E(\{0,1\}^*))| \approx q^{13}$ $\Rightarrow$ collision search in $q^{6.5}$ function evaluations: $2^{37.5}$ for SL1, $2^{60}$ for SL5.
Collision search attack 15/22
Finding the following collision took 1 hour on a desktop PC.
d1 = "I would like to receive 9156659270109667494 free samples of chocolate chip cookies."
d2 = "I would like to receive 10213941738370235726 free samples of gluten-free raisin cookies."
Adversaries can use this attack if they can hide ±50 bits of entropy in plausible-looking messages.
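To make the $|D|^{1/2}$ cost from slide 14 concrete, here is an added example (not code from the slides or the authors) of the distinguished-point collision search run on a constructed stand-in for $d \mapsto P(E(d))$: a 20-bit truncation of SHA-256 over a cookie message whose only variable part is a counter, mirroring the messages above. The toy function, its 20-bit image size and the distinguished-point parameters are assumptions of this example; the point is that the work is governed by the size of the image, which is why the countermeasure enlarges it.

```python
# Added example (not from the slides): distinguished-point collision search,
# run on a constructed 20-bit stand-in for the map d -> P(E(d)).
import hashlib
import math
import random

def toy_image(counter, bits):
    """Constructed stand-in for P(E(d)): `bits`-bit truncated SHA-256 of a cookie
    message whose only variable part is the number, as in the slide's d1, d2."""
    msg = f"I would like to receive {counter} free samples of cookies.".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def expected_evaluations(bits):
    """Birthday bound sqrt(pi/2 * |D|) for a generic collision search on a `bits`-bit image."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def _locate(f, a, na, b, nb):
    """Two trails reached the same distinguished point; step them in lockstep to the merge."""
    if na < nb:
        a, na, b, nb = b, nb, a, na
    for _ in range(na - nb):          # now both are nb steps away from the distinguished point
        a = f(a)
    if a == b:                        # one trail started on the other: no collision here
        return None
    while f(a) != f(b):
        a, b = f(a), f(b)
    return a, b

def find_collision(f, bits, dp_bits, seed=1):
    """van Oorschot-Wiener method: iterate f from random starts until the value has
    dp_bits low zero bits, store (point -> start, length), resolve on a repeated point.
    Returns ((x1, x2), evaluations) with x1 != x2 and f(x1) == f(x2)."""
    rng, table, evals = random.Random(seed), {}, 0
    dp_mask, max_len = (1 << dp_bits) - 1, 20 << dp_bits
    while True:
        start = x = rng.getrandbits(bits)
        n = 0
        while x & dp_mask and n <= max_len:   # walk until distinguished or stuck in a cycle
            x, n, evals = f(x), n + 1, evals + 1
        if n > max_len:
            continue
        if x in table and table[x][0] != start:
            found = _locate(f, start, n, *table[x])
            if found:
                return found, evals
        else:
            table[x] = (start, n)
```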
Countermeasures 16/22
The designers of Walnut adopted 2 countermeasures:
1 Change the encoding mechanism $E$: $\dim(P(E(\{0,1\}^*)))$ is now $(N-2)^2 + 1$ instead of 13.
2 Increase $N$ from 8 to 10. This results in: key size +50%, signature size +25%.
Factorization attack 17/22
The idea is to collect signatures $\mathrm{sig}_1, \dots, \mathrm{sig}_k$ for some documents $d_1, \dots, d_k$ and compute the matrices $M_i = P(E(d_i))$. To forge a signature for a document $d$, write $M = P(E(d))$ as a product of the $M_i$, and use this factorization to combine the signatures $\mathrm{sig}_i$ into a signature sig for $d$.
We adapted an attack by Hart, Kim, Micheli, Perez, Petit and Quek (Oxford & Birmingham) on an earlier version of Walnut.
The attack works fast in practice, but the forged signatures are much longer than honest signatures ($2^{32}$ vs $2^{12}$), so it is not useful in practice.
Simple countermeasure: impose a length limit on signatures.
Inverting group action 18/22
A signature sig is valid for document $d$ if $P(s_1) \star \mathrm{sig} = P(E(d)) \star s_2$.
Hard problem: given $(M_1, \pi_1)$ and $(M_2, \pi_2)$, find a (short) braid $s$ such that $(M_1, \pi_1) \star s = (M_2, \pi_2)$.
Solution:
Step 1: reduce to the case $(M, \pi) \star s = (1_N, e)$.
Step 2: solve the problem using the chain of subgroups $\{e\} = P_1 \subset P_2 \subset \cdots \subset P_{N-1} \subset P_N \subset B_N$.
Inverting group action 19/22
The chain of subgroups used throughout: $\{e\} = P_1 \subset P_2 \subset \cdots \subset P_{N-1} \subset P_N \subset B_N$.
Observation: a braid in $P_i$ acts as multiplication by a matrix that only differs from the identity matrix in the upper left $i$-by-$i$ block.
The matrices below show the case $N = 6$ ($\ast$ marks an arbitrary entry).
Start:
$$(M, \pi) = \left( \begin{pmatrix} \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ 0 & 0 & 0 & 0 & 0 & 1 \end{pmatrix}, \pi \right)$$
Step 0: pick $s'$ in $B_N$ whose permutation is $\pi^{-1}$. We get three rows of zeros for free:
$$(M, \pi) \star s' = \left( \begin{pmatrix} \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ \ast & \ast & \ast & \ast & \ast & \ast \\ 0 & 0 & 0 & \ast & \ast & \ast \\ 0 & 0 & 0 & 0 & \ast & \ast \\ 0 & 0 & 0 & 0 & 0 & 1 \end{pmatrix}, e \right)$$
Step 1: find $s_1$ that kills the last column. Cost $O(q^{N/2})$.
$$(M, \pi) \star s' \cdot s_1 = \left( \begin{pmatrix} \ast & \ast & \ast & \ast & \ast & 0 \\ \ast & \ast & \ast & \ast & \ast & 0 \\ \ast & \ast & \ast & \ast & \ast & 0 \\ 0 & 0 & 0 & \ast & \ast & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{pmatrix}, e \right)$$
Step 2: pick $s_2$ that kills the $(N-1)$-th column. Cost $O(q^{(N-1)/2})$.
$$(M, \pi) \star s' \cdot s_1 \cdot s_2 = \left( \begin{pmatrix} \ast & \ast & \ast & \ast & 0 & 0 \\ \ast & \ast & \ast & \ast & 0 & 0 \\ \ast & \ast & \ast & \ast & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 \end{pmatrix}, e \right)$$
Step $i$: pick $s_i$ that kills the $(N+1-i)$-th column. Cost $O(q^{(N+1-i)/2})$.
After the last step:
$$(M, \pi) \star s' \cdot s_1 \cdots s_N = (1_N, e).$$
Most expensive step is $O(q^{(N-3)/2})$, but we can improve this to $O(q^{N/2-1})$ at the cost of slightly larger signatures (but still small enough).
Countermeasures 20/22
Forging a signature for the 128-bit secure parameters: < 1 s.
Forging a signature for the 256-bit secure parameters: 39 s.
Parameters           Original     New           Increase
N                    8            10
q                    $2^5$        $2^{31}-1$
Public key length    83 Bytes     780 Bytes     x 9.4
Signature length     713 Bytes    1308 Bytes    +83%
Signing time         39.5 ms      59.2 ms       +50%
Verification time    0.05 ms      0.09 ms       +80%