## Cryptology ePrint Archive: Report 2018/1142

Factoring Products of Braids via Garside Normal Form

Simon-Philipp Merz and Christophe Petit

Abstract: Braid groups are infinite non-abelian groups naturally arising from geometric braids. For two decades they have been proposed for cryptographic use. In braid group cryptography public braids often contain secret braids as factors and it is hoped that rewriting the product of braid words hides individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products of braids of the form $ABC$ when only $B$ is known. Our decomposition algorithm yields a universal forgery attack on WalnutDSA, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptography. Our attack on WalnutDSA can universally forge signatures within seconds for both the 128-bit and 256-bit security level, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments. Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.

Category / Keywords: public-key cryptography / group based cryptography, post-quantum digital signatures, conjugacy search problem, cryptanalysis

Date: received 23 Nov 2018, last revised 18 Jan 2019

Contact author: simon-philipp merz 2018 at live rhul ac uk

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2018/1142

[ Cryptology ePrint archive ]