Practical Attacks on the Walnut Signature Scheme
Ward Beullens (KU Leuven), Simon R. Blackburn (Royal Holloway)
December 2, 2018

Introduction (1/22)
WalnutDSA is a signature scheme submitted to the NIST PQC project.
- Small signatures and keys (best combined size of all submissions)
- Very fast key generation and verification
- Is used in the real world!
Outline of the talk (2/22)
1. Preliminaries: Braid groups; WalnutDSA
2. Attacks: Collision search attack; Factorization attack; Inverting the group action attack
3. Conclusion
Braid groups (4/22)
A braid of order N is a collection of strings connecting N upper points to N lower points. Two braids are equivalent if one can be deformed continuously into the other.
Figure: A braid
Figure: Equivalence of braids
Braid groups (5/22)
We can compose braids and invert them. Equivalence classes of braids of order N form a group B_N.
Figure: Composition of braids
Figure: Inverse of a braid
Algebraic definition of braid groups (6/22)
Braid group B_N is generated by a set of N − 1 generators.
Figure: The three Artin generators b_1, b_2 and b_3 that generate B_4.
Figure: The braid b_1 b_2^{-1} b_3 b_2 b_1^{-1}.
Algebraic definition of braid groups (7/22)
Figure: Relations b_1 b_3 = b_3 b_1 (left) and b_1 b_2 b_1 = b_2 b_1 b_2 (right).
Theorem (Artin and Bohnenblust, 1946). These are the only relations between the generators. The braid groups therefore have a purely algebraic definition:
  B_N = ⟨ b_1, ..., b_{N−1} | b_i b_j = b_j b_i for 1 ≤ i < j < N and j − i ≥ 2; b_i b_{i+1} b_i = b_{i+1} b_i b_{i+1} for 1 ≤ i < N − 1 ⟩.
The permutation of a braid (8/22)
There is a natural homomorphism σ : B_N → S_N that assigns a permutation to each braid. A braid that maps to the identity permutation is called pure.
Figure: A braid with underlying permutation (124)(35).
Figure: A pure braid.
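As an added illustration (not code from the slides or their authors), the following Python represents braid words in the Artin generators and computes σ as a permutation of strand positions. The word encoding (+i for b_i, −i for b_i^{-1}) and all function names are this example's own. It also checks the two families of Artin relations after applying σ, which is a necessary consistency check because S_N is a quotient of B_N, and tests purity of a braid.

```python
# Added example (not from the slides): Artin generators, the permutation
# homomorphism sigma: B_N -> S_N, and the pure-braid test, on braid words.
# A braid word is a list of nonzero ints: +i means b_i, -i means b_i^{-1}
# (1 <= i <= N-1). Representation and function names are this example's own.
from typing import List, Tuple

Word = List[int]
Perm = Tuple[int, ...]


def free_reduce(word: Word) -> Word:
    """Cancel adjacent b_i b_i^{-1} pairs (holds in any group, so in B_N too)."""
    out: Word = []
    for g in word:
        if out and out[-1] == -g:
            out.pop()
        else:
            out.append(g)
    return out


def inverse(word: Word) -> Word:
    """(g_1 ... g_k)^{-1} = g_k^{-1} ... g_1^{-1}: reverse the word and flip signs."""
    return [-g for g in reversed(word)]


def sigma(word: Word, n: int) -> Perm:
    """The homomorphism sigma: B_N -> S_N.

    Returns p with p[k] = position (0-based) at the bottom of the strand that
    starts at top position k.  b_i and b_i^{-1} both swap the strands currently
    at positions i-1 and i; sigma forgets which strand crosses on top.
    """
    pos = list(range(n))  # pos[strand] = current position of that strand
    for g in word:
        i = abs(g)
        if not 1 <= i <= n - 1:
            raise ValueError(f"generator b_{i} does not exist in B_{n}")
        a, b = pos.index(i - 1), pos.index(i)  # strands sitting at positions i-1 and i
        pos[a], pos[b] = i, i - 1
    return tuple(pos)


def compose_perm(p: Perm, q: Perm) -> Perm:
    """Apply p first, then q (matches left-to-right composition of braid words)."""
    return tuple(q[p[k]] for k in range(len(p)))


def is_pure(word: Word, n: int) -> bool:
    """A braid is pure iff sigma maps it to the identity permutation."""
    return sigma(word, n) == tuple(range(n))


def artin_relations_hold_on_perms(n: int) -> bool:
    """Check that sigma respects both families of Artin relations in B_n."""
    for i in range(1, n):
        for j in range(i + 2, n):        # far commutation: b_i b_j = b_j b_i
            if sigma([i, j], n) != sigma([j, i], n):
                return False
        if i < n - 1:                     # braid relation: b_i b_{i+1} b_i = b_{i+1} b_i b_{i+1}
            if sigma([i, i + 1, i], n) != sigma([i + 1, i, i + 1], n):
                return False
    return True


if __name__ == "__main__":
    w = [1, -2, 3, 2, -1]  # the braid b1 b2^-1 b3 b2 b1^-1 pictured on the slides, in B_4
    print("sigma(w) =", sigma(w, 4), "pure:", is_pure(w, 4))
    print("w * w^-1 reduces to", free_reduce(w + inverse(w)))
    print("b1^2 is pure:", is_pure([1, 1], 4))
    print("Artin relations hold on permutations in B_6:", artin_relations_hold_on_perms(6))
```

Running it shows that the pictured braid b_1 b_2^{-1} b_3 b_2 b_1^{-1} is not pure (it swaps strands 1 and 4), while b_1^2 is pure: the permutation only records which strand lands where, not how the strands cross. That loss of information is exactly why σ alone never identifies a braid, and why Walnut needs the matrix part of E-multiplication as well.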
E-multiplication (9/22)
WalnutDSA uses a new (right) group action ⋆ of B_N on GL(Z_p, N) × S_N, called E-multiplication:
  (M, π) ⋆ b := (M · Mat(b, π), π σ(b)).
We define P : B_N → GL(Z_p, N) × S_N by acting on (1_N, e):
  P(b) := (1_N, e) ⋆ b.
When restricted to P_N, P : P_N → GL(Z_p, N) is a group morphism.
Recap (10/22)
For all N there is a braid group B_N, which has a subgroup P_N of pure braids. We saw 3 objects:
1. σ, a group morphism that takes a braid and outputs a permutation.
2. E-multiplication (⋆), a group action of B_N on GL(Z_p, N) × S_N.
3. P(s) := (1_N, e) ⋆ s, a group morphism when restricted to pure braids.
WalnutDSA (11/22)
Secret key: two random secret braids s_1, s_2.
Public key: the result of acting on (1_N, e) with s_1, s_2, i.e. P(s_1), P(s_2).
Signature: a signature for document d is a braid s such that
  P(s_1) ⋆ s = P(E(d)) ⋆ s_2,
where E is an encoding function that takes a document and outputs a pure braid.
Remark: this can be verified from public information.
Collision search attack (13/22)
A signature sig is valid for document d if P(s_1) ⋆ sig = P(E(d)) ⋆ s_2. The only dependence on d is through P(E(d)). If we can find d_1, d_2 such that P(E(d_1)) = P(E(d_2)), we can break the EUF-CMA security of the signature scheme.
The first step in calculating E is a cryptographic hash function ↓ nothing better than a generic collision search.
Collision search attack (14/22)
Distinguished point method (van Oorschot, Wiener): collision search in a function f : D → D takes |D|^{1/2} function evaluations.
|P(E({0, 1}*))| ≈ q^13 ⇒ collision search in q^6.5 function evaluations: 2^37.5 for SL1, 2^60 for SL5.
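To make the |D|^{1/2} bound concrete, here is an added Python implementation (not the authors' code) of the van Oorschot-Wiener distinguished point method, run on a constructed 20-bit toy function that stands in for d ↦ P(E(d)); the toy function, the distinguishing rule and all names are this example's own. The point for a designer is that the cost depends only on the size of the image of the map from documents, which is why the slides' countermeasure raises that dimension.

```python
# Added example (not from the slides): the van Oorschot-Wiener distinguished
# point method for finding a collision in f: D -> D with about |D|^(1/2)
# evaluations of f.  The function here is a constructed 20-bit toy, standing
# in for d -> P(E(d)) whose image has about q^13 elements in Walnut.
import hashlib
import random
from typing import Callable, Dict, Optional, Tuple

BITS = 20      # |D| = 2^20, so sqrt(|D|) = 1024
DP_BITS = 5    # a point is "distinguished" if its low 5 bits are zero


def toy_f(x: int) -> int:
    """Constructed toy map on D = {0, ..., 2^BITS - 1}: SHA-256 truncated to BITS bits."""
    h = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(h[:8], "big") & ((1 << BITS) - 1)


def is_distinguished(x: int) -> bool:
    return x & ((1 << DP_BITS) - 1) == 0


def walk_to_dp(f: Callable[[int], int], start: int, max_len: int) -> Tuple[Optional[int], int]:
    """Iterate f from start until a distinguished point; return (dp, steps taken)."""
    x, n = start, 0
    while not is_distinguished(x):
        x, n = f(x), n + 1
        if n > max_len:        # trail fell into a cycle without a DP: abandon it
            return None, n
    return x, n


def locate_collision(f: Callable[[int], int], start_a: int, len_a: int,
                     start_b: int, len_b: int) -> Optional[Tuple[int, int]]:
    """Two trails ended at the same DP: walk them in step until they merge."""
    a, b = start_a, start_b
    for _ in range(len_a - len_b):   # empty range if len_a <= len_b
        a = f(a)
    for _ in range(len_b - len_a):
        b = f(b)
    if a == b:                       # one trail merely ran through the other's start
        return None
    while True:
        fa, fb = f(a), f(b)
        if fa == fb:
            return a, b              # a != b and f(a) == f(b): a genuine collision
        a, b = fa, fb


def find_collision(f: Callable[[int], int], seed: int = 1) -> Tuple[int, int, int]:
    """Return (a, b, evaluations) with a != b and f(a) == f(b)."""
    evals = 0

    def counted(x: int) -> int:      # wrap f so we can report the work done
        nonlocal evals
        evals += 1
        return f(x)

    rng = random.Random(seed)
    table: Dict[int, Tuple[int, int]] = {}   # dp -> (trail start, trail length)
    max_len = 20 << DP_BITS                   # 20x the expected trail length
    while True:
        start = rng.getrandbits(BITS)
        dp, n = walk_to_dp(counted, start, max_len)
        if dp is None:
            continue
        if dp in table and table[dp][0] != start:
            s2, n2 = table[dp]
            found = locate_collision(counted, start, n, s2, n2)
            if found is not None:
                return found[0], found[1], evals
        table[dp] = (start, n)


if __name__ == "__main__":
    a, b, evals = find_collision(toy_f)
    print(f"f({a}) == f({b}) == {toy_f(a)} after {evals} evaluations "
          f"(sqrt|D| = {1 << (BITS // 2)})")
```

Only distinguished points are stored, so memory is a small fraction of the work, and independent trails can be run in parallel with a shared table, which is how the 2^37.5 figure for SL1 becomes a desktop-scale job. Rerunning with a different seed gives a different collision at a similar cost.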
Collision search attack (15/22)
Finding the following collision took 1 hour on a desktop PC.
d_1 = "I would like to receive 9156659270109667494 free samples of chocolate chip cookies."
d_2 = "I would like to receive 10213941738370235726 free samples of gluten-free raisin cookies."
Adversaries can use this attack if they can hide ±50 bits of entropy in plausible-looking messages.
Countermeasures (16/22)
The designers of Walnut adopted 2 countermeasures:
1. Change the encoding mechanism E ↓ dim(P(E({0, 1}*))) is now (N − 2)^2 + 1 instead of 13.
2. Increase N from 8 to 10; this results in: key size +50%, signature size +25%.
Factorization attack (17/22)
The idea is to collect signatures sig_1, ..., sig_k for some documents d_1, ..., d_k. Compute the matrices M_i = P(E(d_i)). To forge a signature for a document d, write M = P(E(d)) as a product of the M_i, and use this factorization to combine the signatures sig_i into a signature sig for d.
We adapted an attack by Hart, Kim, Micheli, Perez, Petit and Quek (Oxford & Birmingham) on an earlier version of Walnut.
The attack works fast in practice, but the signatures are much longer than honest signatures (2^32 vs 2^12) ⇒ not useful in practice.
Simple countermeasure: impose a length limit on signatures.
Inverting group action (18/22)
A signature sig is valid for document d if P(s_1) ⋆ sig = P(E(d)) ⋆ s_2.
Hard problem: given (M_1, π_1) and (M_2, π_2), find a (short) braid s such that (M_1, π_1) ⋆ s = (M_2, π_2).
Solution:
Step 1: reduce to the case (M, π) ⋆ s = (1_N, e).
Step 2: solve the problem using the chain of subgroups {e} = P_1 ⊂ P_2 ⊂ · · · ⊂ P_{N−1} ⊂ P_N ⊂ B_N.
Inverting group action (19/22)
Chain of subgroups: {e} = P_1 ⊂ P_2 ⊂ · · · ⊂ P_{N−1} ⊂ P_N ⊂ B_N.
Observation: a braid in P_i acts as multiplication by a matrix that only differs from the identity matrix in the upper left i-by-i block.
Step 0: pick s′ in B_N whose permutation is π^{−1}. Then (M, π) ⋆ s′ = (M′, e), and we got three rows of zeros for free!
Step 1: find s_1 that kills the last column. O(q^{N/2}).
Step 2: pick s_2 that kills the (N − 1)-th column. O(q^{(N−1)/2}).
Step i: pick s_i that kills the (N + 1 − i)-th column. O(q^{(N−i)/2}).
After step N: (M, π) ⋆ s′ · s_1 · ... · s_N = (1_N, e).
Figure: the matrix after each step (slide animation); the identity block in the lower right grows by one row and column per step until the whole matrix is 1_N.
Most expensive step is O(q^{(N−3)/2}), but we can improve this to O(q^{N/2−1}) at the cost of slightly larger signatures (but still small enough).
Countermeasures (20/22)
Forging a signature for 128-bit secure parameters: < 1 s.
Forging a signature for 256-bit secure parameters: 39 s.

Parameters          Original    New         Increase
N                   8           10
q                   2^5         2^31 − 1
Public key length   83 Bytes    780 Bytes   ×9.4
Signature length    713 Bytes   1308 Bytes  +83%
Signing time        39.5 ms     59.2 ms     +50%
Verification time   0.05 ms     0.09 ms     +80%
Concluding remarks (22/22)
- Original parameters are totally broken.
- New sizes are comparable to lattice signature schemes.
- Latest iteration of Walnut seems broken by the Kotov, Menshov and Ushakov attack.
- Despite this, Walnut is still being pushed into the wild.
Figure: Updated key and signature sizes.