Paper 2018/1142

Factoring Products of Braids via Garside Normal Form

Simon-Philipp Merz and Christophe Petit


Braid groups are infinite non-abelian groups naturally arising from geometric braids. For two decades they have been proposed for cryptographic use. In braid group cryptography public braids often contain secret braids as factors and it is hoped that rewriting the product of braid words hides individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products of braids of the form $ABC$ when only $B$ is known. Our decomposition algorithm yields a universal forgery attack on WalnutDSA, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptography. Our attack on WalnutDSA can universally forge signatures within seconds for both the 128-bit and 256-bit security level, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments. Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.

Available format(s)
Public-key cryptography
Publication info
Preprint. MINOR revision.
group based cryptographypost-quantum digital signaturesconjugacy search problemcryptanalysis
Contact author(s)
simon-philipp merz 2018 @ live rhul ac uk
2019-01-18: revised
2018-11-29: received
See all versions
Short URL
Creative Commons Attribution


      author = {Simon-Philipp Merz and Christophe Petit},
      title = {Factoring Products of Braids via Garside Normal Form},
      howpublished = {Cryptology ePrint Archive, Paper 2018/1142},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.