Factoring Products of Braids via Garside Normal Form

Abstract. Braid groups are infinite non-abelian groups naturally arising from geometric braids. For two decades they have been proposed for cryptographic use. In braid group cryptography public braids often contain secret braids as factors and it is hoped that rewriting the product of braid words hides individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products of braids of the form ABC when only B is known. Our decomposition algorithm yields a universal forgery attack on WalnutDSA™, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptography. Our attack on WalnutDSA™ can universally forge signatures within seconds for both the 128-bit and 256-bit security level, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments. Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.


Introduction
Continuous progress in quantum computing and the prospect of large-scale quantum computers necessitate the development of quantum-resistant cryptographic algorithms. Currently, the security of most widespread algorithms relies on the hardness of the discrete logarithm problem, the elliptic-curve discrete logarithm problem or the integer factorization problem. All of these mathematical problems can be solved using Shor's quantum algorithm [41]. Even though quantum computers with sufficient processing power to pose a threat to current cryptographic applications presumably do not yet exist, researchers, intelligence agencies and the industry aspire to develop cryptographic systems that remain safe once such devices come into being. Current approaches to attain quantum resistance include cryptography based on codes, isogenies, lattices and multivariate polynomials over finite fields [19,35,37,43]. Another approach is cryptography based on non-abelian groups [22]. Indeed, no quantum algorithm to solve the hidden subgroup problem (the core problem solved by Shor's algorithm for finite abelian groups) is known for general non-abelian groups.
The conjugacy search problem is a fundamental decision problem in combinatorial group theory.

Definition 1. Given two braids X, Y ∈ B_N where Y = C · X · C^{-1} for some C ∈ B_N, the conjugacy search problem (CSP) in braid groups is to find C′ ∈ B_N such that Y = C′ · X · C′^{-1}.
The asserted computational difficulty of the CSP and its variations has inspired many cryptographic primitives on non-abelian groups such as [3,33].
To establish standards for quantum-secure cryptography [39], the National Institute of Standards and Technology (NIST) is currently evaluating public-key algorithms [39]. One of the 20 signature schemes being considered for standardization is WalnutDSA™ [6], which operates on braid groups.
NIST's ongoing standardization project, and thus the potential for widespread use of WalnutDSA™ and other braid group algorithms, makes a thorough security analysis and understanding of the braid group vital. WalnutDSA™ has been analysed before [10,29,34], bringing some weaknesses of the signature scheme to light. However, the attacks could be thwarted by increasing parameters and slightly changing the protocol [40]. A fundamental assumption underlying the security of WalnutDSA™ is that individual factors in a product of three braids are "obfuscated" when they are presented in some normal form.
Our contribution: In this paper, we describe how the Garside normal forms of factors relate to the Garside normal form of their product. Together with an observation based on experiments, we use this to locate single factors in a product of braids and to decompose certain products in braid groups. More precisely, we give an algorithm that can recover the factors of a product ABC ∈ B N up to the centre of the group when only B is known.
Signatures of WalnutDSA™ can be written as a braid word W_1 · E · W_2, where W_1 and W_2 are secret braids and E is a deterministic encoding of the message. The product is presented rewritten, e.g. in normal form, with the explicit aim of obfuscating individual factors. Our observations imply that W_1 and W_2 can in fact be efficiently recovered up to the centre of the group. Replacing E by the encoding of any other message yields a new universal forgery attack that works within seconds on most random message-signature pairs.

Related work: Braid groups have been suggested for cryptographic purposes for two decades [22], and protocols such as the Anshel-Anshel-Goldfeld key exchange [4] and Ko et al.'s protocol [33] have been studied extensively. A newer protocol sharing some design components with WalnutDSA™ is the Algebraic Eraser [5]. This scheme and the Anshel-Anshel-Goldfeld key exchange have been subject to numerous attacks, which were mostly based on representation theory [8,9,31] or on a length-based approach [30,38]. Yet, the same cryptanalytic techniques do not seem to apply to WalnutDSA™.
Considerable work has been devoted towards a solution of the conjugacy search problem (CSP) in braid groups. Apart from heuristic approaches such as the previously mentioned length-based attacks, the most successful approaches use summit sets [13,24,25].

Responsible Disclosure Process:
We provided the designers of WalnutDSA™ with the details of our attack on the 20th of August. They acknowledged that the attack works. To prevent malicious use of our attack on the signature scheme or similar products by SecureRF, we agreed to postpone the publication of our findings until the 21st of November.
Outline: In Sect. 2, we provide preliminary results on braid groups and the Garside normal form. In Sect. 3 we present the current instantiation of WalnutDSA™ and how it was modified to thwart previous attacks. Section 4 gives our algorithm to recover the factors of a braid ABC presented by its normal form when the braid B is known. In Sect. 5 we describe our attack on WalnutDSA™ and discuss potential countermeasures. Section 6 shows how the decomposition algorithm can be used to solve instances of the conjugacy search problem. We conclude our work in Sect. 7.

Braid Groups
This section provides preliminary mathematical background on braid groups. In Sect. 2.1 we define braid groups and provide their algebraic presentation. Section 2.2 defines the colored Burau representation of braid groups, which is needed to explain WalnutDSA™ but not essential for the understanding of our contribution. In Sect. 2.3 we define the Garside normal form. A reader familiar with braid groups and the Garside normal form may proceed to Sect. 3.

Artin Presentation
Let N be a positive integer and let B_N denote the braid group on N strands introduced by Emil Artin [7]. Geometrically, the elements of a braid group are the equivalence classes of N strands under ambient isotopy, i.e. we consider two braids the same if we can distort one into the other without breaking any strand. Artin proved that B_N is indeed a group with presentation (1), where the group operation is given by concatenation of the strands. Thus, we can represent any braid of B_N as a finite, non-unique word in the so-called Artin generators b_i. Imagining our strands lying in a plane and numbering the strands from left to right, the generator b_i corresponds to the i-th strand crossing over the (i + 1)-th strand.
Figures 1 and 2 illustrate the relations given in Presentation (1).
Note that there is a natural homomorphism sending elements of B N to the induced permutations in the symmetric group S N . More precisely, each Artin generator b i is sent to the transposition π i := (i, i + 1). For some braid word Since the corresponding permutations respect the relations in Presentation (1), sending braids to their induced permutations is a well-defined homomorphism. Clearly, this homomorphism from B N to S N is surjective. Braids in the kernel, i.e. braids inducing the identity permutation, are called pure braids.
It is well known that the group of pure braids can be generated by g ij , The generator g ij may be depicted geometrically as braid where the j-th string passes behind the strings (j − 1), . . . , (i + 1), in front of the i-th string and then behind the strings i, . . . , j − 1 back to the j-th position.
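As an added illustration (not code from the paper), the following Python snippet computes the permutation induced by a braid word, checks that this map respects the Artin relations of Presentation (1) and is multiplicative, and tests whether a word is a pure braid. The word used for g_ij is one standard choice matching the geometric description above (strand j travels past strands j-1, ..., i+1, around strand i, and back); which of its crossings are positive is an assumption of this example, and the induced permutation is the identity either way.

```python
# Added example, not code from the paper. A braid word is a list of nonzero
# ints: i stands for the Artin generator b_i (1-based), -i for its inverse.

def induced_permutation(word, N):
    """Image of a braid word under B_N -> S_N, returned as a tuple p with
    p[k] = final position of the strand starting at position k (0-based)."""
    pos_to_strand = list(range(N))
    for g in word:
        i = abs(g) - 1            # b_i and b_i^{-1} both induce the transposition (i, i+1)
        pos_to_strand[i], pos_to_strand[i + 1] = pos_to_strand[i + 1], pos_to_strand[i]
    p = [0] * N
    for pos, strand in enumerate(pos_to_strand):
        p[strand] = pos
    return tuple(p)

def compose(p, q):
    # permutation of the product u*v, given the permutations p of u and q of v
    return tuple(q[p[k]] for k in range(len(p)))

def is_pure(word, N):
    # pure braids are exactly the kernel of B_N -> S_N
    return induced_permutation(word, N) == tuple(range(N))

def pure_generator(i, j):
    """A word for g_ij (1 <= i < j): strand j passes the strands j-1, ..., i+1,
    wraps around strand i and returns. Which crossings are positive is an
    assumption of this example; the induced permutation is trivial either way."""
    down = list(range(j - 1, i, -1))                 # b_{j-1} ... b_{i+1}
    return down + [i, i] + [-g for g in reversed(down)]

def relations_hold(N):
    """Check on all generator pairs that the Artin relations of Presentation (1)
    are respected by induced permutations, so the map is well defined on words."""
    for i in range(1, N):
        for j in range(i + 2, N):                    # far commutation: b_i b_j = b_j b_i
            if induced_permutation([i, j], N) != induced_permutation([j, i], N):
                return False
        if i + 1 < N:                                # braid relation: b_i b_{i+1} b_i = b_{i+1} b_i b_{i+1}
            if induced_permutation([i, i + 1, i], N) != induced_permutation([i + 1, i, i + 1], N):
                return False
    return True

if __name__ == "__main__":
    print(induced_permutation([1, 2, 1], 3))         # the braid b_1 b_2 b_1 reverses the three strands
    print(is_pure(pure_generator(1, 4), 4), relations_hold(8))
```

Because induced_permutation is a homomorphism onto S_N, compose(induced_permutation(u), induced_permutation(v)) equals induced_permutation(u + v) for any two words u and v, which is the surjectivity and well-definedness stated above in executable form.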

Colored Burau Representation
The colored Burau representation of braid groups, which we describe in this section, is used to define WalnutDSA™ and its underlying problem. A reader who is mainly interested in the structure being preserved in products of Garside normal forms may want to skip this section. Let q be the power of a prime and let F_q[t_1^{±1}, . . . , t_N^{±1}] be the ring of Laurent polynomials with coefficients in the finite field F_q with q elements. There exists an action of S_N on this ring, where a permutation acts on the indices of the variables of the Laurent polynomials. That is, every σ ∈ S_N permutes the variables t_1, . . . , t_N according to its action on the indices, and the action of S_N extends to GL_N(F_q[t_1^{±1}, . . . , t_N^{±1}]) by applying it entry-wise. For σ ∈ S_N and M ∈ GL_N(F_q[t_1^{±1}, . . . , t_N^{±1}]), we denote the action by M ↦ σM.
The colored Burau matrices of each Artin generator are defined as follows [6]: one obtains a group and one can check that the map where π i denotes the transposition (i, i + 1) ∈ S N , extends to a group homomorphism. This group homomorphism is called colored Burau representation of B N [16].

Garside Normal Form
A normal form in a group is a canonical way to represent the elements and thus it provides an opportunity to compare them. Garside was the first to develop a normal form for braid groups [23] which was improved most notably by Thurston [21] and Elrifai and Morton [20] leading to what is known as the Garside normal form today. For further normal forms in braid groups see [11,15,18].
In this section we reproduce some results that led to the development of the Garside normal form to introduce terminology necessary for the explanation of our observation in Sect. 4.
Let B_N^+ denote the monoid of positive braids in B_N, i.e. the braids that can be written as a product of positive powers of Artin generators. This is a well-defined monoid as all the defining relations in the presentation (1) of braid groups contain only positive powers of Artin generators.
We denote Garside's "fundamental braid" [23] by Δ. Recall that this braid is the unique positive braid in which any two strands cross exactly once; it is of central importance in the Garside normal form. We recall some properties of the fundamental braid due to Garside [23].
In particular, Δ^2 commutes with every generator and lies in the centre of B_N. In fact, the centre of B_N is cyclic and generated by Δ^2.
Remark 3. Let τ be the inner automorphism of B_N conjugating elements with Δ, i.e.
Then the previous Proposition implies In particular, τ^2 is the identity automorphism. We will continue to denote this automorphism by τ and call it the reflection in B_N throughout this paper.

Proposition 4.
[23] For any generator b_i, i = 1, . . . , N − 1, we can find positive braids x_i and y_i ∈ B_N^+ such that
An explicit description of the braids x_i, y_i is given at the same place. Together with Proposition 2, this observation can be used to rewrite any representation of an element of B_N efficiently in the form Δ^r P, where r ∈ Z and P is a positive braid that cannot be written as a positive word containing Δ as a subword. Listing all possible words for P and choosing the lexicographically minimal one yields the initial normal form due to Garside. This algorithm has exponential running time in the number of strands N and the braid length, so it is not completely satisfactory from a computational point of view. However, we have the following natural partial order on the monoid of positive braids.
We say a is a prefix of b. This is a partial order invariant under left multiplication, i.e. a ≤ b implies da ≤ db for all d ∈ B_N^+. Let 1 denote the identity in B_N. We see that 1 ≤ A if and only if A ∈ B_N^+. Given a partial order as in Definition 5, one may wonder whether there is a greatest common prefix in some sense. Permutation braids are exactly those positive braids with any pair of strands crossing at most once and are thus uniquely determined by the permutation they induce.
Instead of listing exponentially many representatives and choosing the lexicographically minimal one, the idea of Thurston, Elrifai and Morton was to write a braid word β as a product of permutation braids where uniqueness is achieved by requiring each letter to appear as far to the left as possible.

Definition 9. A product of permutation braids
That is, if we move any crossing from A_{i+1} to A_i, the resulting braid would no longer be a permutation braid. This allows us to formulate the Garside left normal form.

Theorem 10 (Garside left normal form). Every braid β can be represented uniquely by a braid word
Definition 11. Consider the notation of the preceding Theorem 10. We call the integer k the canonical length of β and the integer r the infimum of β.
For details on the algorithms to compute the Garside left normal form we refer to [20,21]. Using the approach of Elrifai and Morton, the normal form of some given positive braid word b_{i_1} . . . b_{i_k} can be computed in time O(k^2 N), where k is the number of Artin generators in the given braid word. Thurston's alternative but equivalent solution computes the left normal form of a positive braid word given as a product of permutation braids A_1 . . . A_k with time complexity O(k^2 N log N) [21]. Note that this might be faster than the previous algorithm, as most permutation braids are a product of multiple Artin generators.
We want to point out that observations similar to the ones we will state in Sect. 4 for the Garside normal form hold for other normal forms such as the Birman-Ko-Lee (BKL) normal form as well. In particular, structure in the BKL normal form can be exploited directly to attack WalnutDSA™ or to solve instances of the conjugacy search problem too. However, using the Garside normal form turned out to be slightly more efficient in our experiments, which is why, for the remainder of this paper, "left normal form" refers to the Garside left normal form.

WalnutDSA™
WalnutDSA™ is a digital signature scheme operating on braid groups. It was proposed by Anshel, Atkins, Goldfeld and Gunnels [6]. This section summarizes the newest version of the signature scheme. In Sect. 3.1 we define E-Multiplication and cloaking elements and state the underlying hardness assumption of WalnutDSA™. The section is not necessary to understand our attack, but these basic building blocks are needed to define the signature scheme itself. Section 3.2 provides details about the parameters used and about signature generation and validation. Finally, in Sect. 3.3 we give a brief overview of previous work on WalnutDSA™, showing that our approach is fundamentally disparate.

E-Multiplication™ and Cloaking Elements
E-Multiplication was first introduced as a one-way function [5] and is a foundation of WalnutDSA™.
Let F_q^× denote the non-zero elements of the finite field F_q. An N-tuple of the form τ = (τ_1, . . . , τ_N) ∈ (F_q^×)^N will be called "T-values" in the following. Given such a tuple, we can evaluate
E-Multiplication is a right action of the colored Burau group
We will follow the notation of [6], denoting E-Multiplication with a star: ⋆.
For a single Artin generator b_i, E-Multiplication is defined as
Remark 12. Following the notation of [6], we write (M, σ) ⋆ β instead of (M, σ) ⋆ Φ(β) for β ∈ B_N. Moreover, we denote by P the map
The security of WalnutDSA™ is based on the computational hardness assumption of the reversing E-Multiplication (REM) problem.

Definition 13. Given an ordered pair
The reversing E-Multiplication (REM) problem is to find a braid β such that (Id, id) ⋆ β = (M, σ).
In particular, inverting the map given in (4) is assumed to be hard. Reversing E-Multiplication is enough to break WalnutDSA™: indeed, we will see that the ability to solve the REM problem allows one to forge the signature of one message, and that solving two instances of the REM problem allows the recovery of the private key from the public key.
However, our attack on WalnutDSA™ bypasses the problem of reversing E-Multiplication. We will see that our attack works solely on braids and is therefore independent of the colored Burau representation and of the size q of the underlying field F_q.
Another basic building block of WalnutDSA™ is a class of braids termed cloaking elements.
under the right action of the braid group via E-Multiplication.
In WalnutDSA™ cloaking elements of the following form are generated [40].
Proof. This is an immediate consequence of Remark 16. Cloaking elements as proposed by the designers of WalnutDSA™ depend only on the permutation σ and not on the matrix M of the element they are stabilizing. Therefore, we will say that some braid cloaks a permutation σ.
For further details on the generation of cloaking elements in WalnutDSA™ we refer interested readers to the original implementation by SecureRF [1] or to our implementation in Magma [14] (see [36]). However, our attack is independent of the way cloaking elements are generated. Concealed cloaking elements are cloaking elements for which the cloaked permutation is not public. Given a braid word W, concealed cloaking elements are added to the word by splitting W into two braid words W_1 and W_2 at a random location and inserting a braid cloaking the permutation induced by W_1 in between.

The Signature Scheme
Key Generation and Parameter Values. Before any message can be signed, the following system-wide public parameters need to be fixed:
- The number of concealed cloaking elements that will be added.
Our attack will not depend on any weaknesses of the hash function and therefore we can treat H as a random oracle.
Next, the signer chooses braid words w and w′ by choosing uniformly at random l Artin generators or their inverses. The secret key of the signer is the pair (w, w′), while the public key is (P(w), P(w′)), where P is the map given in Remark 12. Note that the length of the private braids w and w′ is chosen large enough to prevent brute force attacks from being effective. Later, we will see that the success of our new attack is independent of all parameters but N.
As of the 21st of November 2018, the use of the following parameters is suggested for WalnutDSA™:
Message Encoding. In order for signatures to provide integrity and authenticity, a signer must encode the message that is to be signed into the signature. The Walnut digital signature algorithm requires the message to be mapped onto a pure braid.
To encode a message in WalnutDSA™, it is hashed using the publicly known hash function H. Then every two bits of the output specify one pure braid generator (see (2)), and the encoding E(H(m)) of a message m is the product of all pure braid generators selected. As the exact choice of pure braid generators is irrelevant for our attack, we refer to [40] for a full description.
Signature Generation. A signer needs to perform the following steps to generate a signature.

1. Compute the encoded message E(H(m)).
2. Generate cloaking elements v, v_1, v_2 as given by Proposition 15 for the identity and the permutations induced by the private braids w, w′, respectively.
3. Add the required number of concealed cloaking elements in randomly chosen locations in the braid words W_1 := v_1 · w^{-1} · v or W_2 := w′ · v_2.
4. Use a rewriting algorithm R to obtain a rewritten braid word
which is the signature for m.
Signature Verification. To verify a signature, a receiver computes E(H(m)) and checks whether
comparing the matrix parts of GL_N(F_q) × S_N. If both sides of the equation are equal, the receiver accepts the signature as valid. It is easy to check that legitimately produced signatures satisfy (5).

Previous Work on WalnutDSA™
We want to give a brief overview of previous attacks on the Walnut digital signature algorithm [10,29,34] and the changes they have triggered in the scheme to patch the weaknesses. Moreover, this section shows that our attack uses a completely different approach.
Factorization Attacks. The first attack on a previous version of WalnutDSA™ was published by Hart et al. [29]. In the previous version both secret braids were equal and the public key consisted only of the image of this one secret braid under the map P:
The attack exploited a malleability property of the signatures, enabling an attacker to forge a signature by solving a factorization problem in a group of matrices. Trying to destroy the malleability property, the designers of Walnut started using two different private braids. However, Beullens [10,40] showed that the following malleability property holds in this case too.

Theorem 17.
[10] Let m, m_1 and m_2 be messages and let h, h_1 and h_2 be the matrix parts of P(E(H(m))), P(E(H(m_1))) and P(E(H(m_2))), respectively.
For braids w_1, w_2, w_3 ∈ B_N, we have and Sig_1 is a valid signature for m_1 under the public key (P(w_1), P(w_2)), then Sig_1^{-1} is a valid signature for m under the public key (P(w_2), P(w_1)). (ii) If h = h_1 · h_2 and Sig_1, Sig_2 are valid signatures for m_1 and m_2 under the public keys (P(w_1), P(w_2)) and (P(w_2), P(w_3)) respectively, then Sig_1 · Sig_2 is a valid signature for m under the public key (P(w_1), P(w_3)).
Suppose an attacker wants to forge a signature for the message m under the public key (P(w), P(w′)). Clearly, they can compute the matrix h = Matrix(P(E(H(m)))). Next, the attacker collects pairs of messages and signatures (m_i, Sig_i) that are valid under the same public key. By the malleability properties, it suffices to find a factorization
Such a factorization can be obtained by writing h · h_1^{-1} as a product of elements of the set
An algorithm to solve this factorization problem with time complexity O(q^{(N−1)/2}) was proposed by Hart et al. [29]. However, the factorizations contained roughly 2^{25} elements of the set given in (6), and consequently the forged signature satisfies the verification equation but can easily be detected due to its enormous length. By imposing an upper limit on the length of valid signatures, as was done in the implementation submitted to NIST, the attack was blocked. In contrast, the forgeries produced by our attack are of the same length as legitimately produced signatures.

Collision Search Attack.
Beullens and Blackburn [10,40] realized that the originally proposed 4-bit encoder was not injective and that it mapped to a set of braids whose matrix parts under the function P lay in a surprisingly low-dimensional (13-dimensional) affine subspace over F_q. This made the scheme susceptible to a generic collision search attack. More precisely, it was possible to find pairs of distinct messages m_1 and m_2 such that P(E(H(m_1))) = P(E(H(m_2))) for sufficiently small q using a generic collision search algorithm. Beullens and Blackburn implemented the collision search due to van Oorschot and Wiener. Recall that a signature is accepted as valid if (5) is satisfied. Given a collision of m_1 and m_2, an attacker can query a signature for m_1 and automatically gets a valid signature for m_2. Consequently, the signature scheme was not existentially unforgeable [28].
To counter the attack, the designers of WalnutDSA™ changed the encoder to the 2-bit version described previously, where P(E(H({0, 1}*))) lies in an affine subspace of dimension (N − 2)^2 + 1 over F_q [40], which is greater than 13 for N ≥ 6. Together with a significant raise of the parameters N and q, the generic collision search attack became ineffective. Our attack will be independent of q, but we will see that it can be defeated to some extent by further increasing the parameter N. Note that it suffices to solve a single instance of the REM problem to forge a signature of a freely chosen message, or to solve two instances of the REM problem to obtain an equivalent pair of secret braids from the public key. Thus, the hardness of this problem is crucial for the security of WalnutDSA™.
The attack exploits that E-Multiplication restricted to pure braids is a group homomorphism which maps the chain of subgroups
to a nice chain of subgroups in GL_N(F_q). Here, P_i ⊂ B_N denotes the subgroup of pure braids on N strands that can be identified with the pure braids of B_i or, formulated differently, the pure braids that can be written in the generators b_1, . . . , b_{i−1}. Exploiting this subgroup structure, the REM problem can be solved by successively reducing the problem to a smaller subgroup using collision searches. The authors of [10] moreover suggest a slightly finer chain of subgroups for the first reductions, which are the most costly ones, to improve the performance of the algorithm further.
The resulting attack requires O(q^{N/2−1}) E-Multiplications and was blocked by a significant increase in the parameters q and N. As mentioned before, our attack is independent of q and can only be defeated to some extent by increasing N significantly.
Uncloaking Signatures. The most recent attack is due to Kotov, Menshov and Ushakov [34]. They give a heuristic attack which operates purely on braids. The attack removes cloaking elements from a previous version of the Walnut digital signature algorithm without concealed cloaking elements.
The authors observed that cloaking elements in WalnutDSA TM are always generated in such a way that the strands corresponding to the inverse T-values cross each other (see Proposition 15). Since T-values are public, an attacker can trace all strands and find "critical positions" in a signature where there might be a cloaking element. This allows a length-based attack: Note that untwisting the middle part of cloaking elements produces a trivial braid. An attacker guesses the location of cloaking elements and tries to remove them by untwisting the critical position. When multiplying signatures with removed cloaking elements together, more precisely one such signature multiplied with the inverse of another, further elements cancel out. If the remaining word is of significantly shorter length, one has heuristic evidence that the cloaking elements have been removed successfully.
The uncloaking procedure on multiple signatures leads to a system of conjugacy equations in B N (potentially with errors). Once again this can be heuristically solved using a length-based approach. For earlier work about length-based attacks we refer amongst others to [30,38].
To patch Walnut, concealed cloaking elements, i.e. cloaking elements that are inserted in random locations before and after the encoded message, were introduced. Removing multiple concealed cloaking elements that are not inserted consecutively into the signature appears to be more difficult.
The designers of WalnutDSA™ suggested inserting κ ≥ 2 · (security level in bits) / log_2(N!) concealed cloaking elements [40]. For N = 10 this yields the values given in the table in Sect. 3.2. However, the number κ was estimated under the assumption that one needs to know the permutation of a cloaking element in order to remove it. As this does not hold, the efficacy of this countermeasure has been disputed [40].
We will see that the success of our attack is independent of the number of concealed cloaking elements inserted into the signature in the way suggested by the designers of WalnutDSA™. However, we will discuss in Sect. 5.3 that adding a significant number of concealed cloaking elements to the encoded message might thwart our attack, at the cost of enlarging signatures and slowing down signature generation and verification.

Decomposition of Products in Braid Groups
The use of normal forms as "obfuscation procedures" in cryptographic schemes such as WalnutDSA™ suggests that properties of single braids are well hidden in the normal form of their product. In this section, we will see that this is in general not the case. More precisely, we will argue that we can expect some (potentially reflected) permutation braids of factors with sufficiently large canonical length to appear in the normal form of their product.
In Sect. 4.1 we prove how the permutation braids of factors relate to the permutation braids of their product. Together with the experimental results of Sect. 4.2 this yields the observation stated in the previous paragraph. In Sect. 4.3 we show how the observation can be exploited under certain conditions to recover the factors of products of the form ABC ∈ B_N up to the centre generated by Δ^2, when B is known. The algorithm to decompose products of braids will be at the heart of our cryptanalysis of WalnutDSA™ in Sect. 5 and of our new solutions to the conjugacy and decomposition search problems in Sect. 6.

Garside Normal Form of Products
. . , N − 1 by Proposition 2 and Remark 3. Let Δ^a · A_1 . . . A_n and Δ^b · B_1 . . . B_m be the normal forms of two elements A, B ∈ B_N, respectively. Pushing all Δ's in the product AB to the front yields
for b′ ≡ b (mod 2), since τ^2 is the identity map. This is a product of permutation braids by the following Lemma, whose straightforward proof we omit.
Thus, (8) is a product of permutation braids, but in general not a left-weighted one. However, τ(A_1) . . . τ(A_n) is a left-weighted product by Lemma 18, and thus the following Lemma is an immediate consequence.
for some integer 0 ≤ c ≤ n and permutation braids X_1, . . . , X_l, where k ∈ Z is the number of Δ's that are created when computing the left normal form of
The algorithms to compute the Garside left normal form illustrate the previous proposition quite well. If A_1 · · · A_n is a left normal form and we multiply by an Artin generator b_i on the right, this modifies the last permutation braid if A_n b_i ∧ Δ ≠ A_n ∧ Δ. If A_n is not changed, all permutation braids to its left are still in left normal form and we are done. If A_n is changed, two conditions must be met for A_{n−1} to be changed as well. First, compared to A_n ∧ Δ, the set of Artin generators that A_n b_i ∧ Δ can start with must contain an additional Artin generator b_j. And second, A_{n−1} b_j ∧ Δ ≠ A_{n−1} ∧ Δ. This process continues inductively to the left until some permutation braid is no longer changed. If one of the changed permutation braids becomes Δ during this process, it is moved to the front by reflecting all permutation braids to its left.
Remark 21. It is not hard to find particular braids for which the previous proposition does not contain much information, as c = n. This happens, for example, if B = A^{-1}, when the product vanishes, or if A and B are braids that do not share common strands and thus commute. However, in the next section we will see that for every N and randomly chosen braids A, B ∈ B_N the expected value of c is bounded independently of n.
Clearly, if c is smaller than n, the permutation braids in the left normal forms of A and AB coincide on the left-hand side up to reflection. Next, we show that the rightmost permutation braids of the left normal forms of B and AB coincide too. The following Proposition due to Elrifai and Morton provides us with a link between multiplication of a braid on the left and on the right.

Proposition 22.
[20] Let Δ^u · x_1 . . . x_m be the left normal form of X. Then the left normal form of
The braid x_i^{-1} Δ is called the right complement of x_i. Let δ denote the map sending permutation braids to their right complement. It is easy to check that δ induces a bijection on the permutation braids and that δ^2 = τ.

Proposition 23. Let A, B ∈ B_N and let

for some integer 0 ≤ c ≤ m and permutation braids Y_1, …, Y_l, where k ∈ ℤ is the number of Δ's that are created when computing the left normal form of

Proof. Clearly, it suffices to show the proposition for A^{−1} and B^{−1} instead of A and B. More precisely, we show that the rightmost permutation braids of A^{−1} B^{−1} coincide with those of B^{−1}.
By Proposition 20 we know that the left normal form of B_1 ⋯

for some 0 ≤ c ≤ m, k ∈ ℤ and permutation braids X_1, …, X_l. Proposition 22 implies that the left normal form of (B_1 ⋯

using … Simultaneously …

Penetration Distance
In this section we provide experimental results to estimate the size of the parameter c in Propositions 20 and 23 for "randomly" chosen braids A and B. We will find that for every N the expected value of c appears to be bounded independently of the canonical lengths of the factors A and B.
Since the braid group B N is infinite for N ≥ 2, choosing braids at random is a non-trivial task. In practice, there are various ways to choose braids of B N in a randomized manner. However, different methods result in different probability distributions on B N .
Recall that every braid can be written as a power of Δ times an element of the monoid of positive braids B_N^+, which we introduced in Sect. 2.3. Let |x| denote the length of a positive braid x ∈ B_N^+, i.e. the number of Artin generators in any positive braid word representing x. Since the defining relations of the braid group (and of the braid monoid) are homogeneous, this is well defined.
We start by recalling some results of Gebhardt and Tawn [27], who studied the Garside normal forms of random braids. They analysed statistical properties of the normal forms of positive braids of length k generated by two methods: (i) Choose k Artin generators b_i ∈ {b_1, …, b_{N−1}} uniformly at random and concatenate them, i.e. choose a braid word uniformly at random from the set of all positive braid words of B_N^+ of length k. We say that we generate positive words of length k uniformly at random. (ii) Consider the set of all braids that can be represented by a positive braid word of length k and choose one braid uniformly at random from this set. We say that we generate positive braids of length k uniformly at random.
Note that the number of words representing the same element of B_N^+ depends on the element. Therefore, the two variants yield different probability distributions on the set of all braids that can be represented by positive braid words of length k.
However, the second method is significantly harder to implement in practice (see [26] for an algorithm that runs in time polynomial in N and k), which is why most (cryptographic) applications generate "random braids" in the manner of the first method.
Following the terminology of Gebhardt and Tawn, we call conjugation of a permutation braid by Δ, i.e. a reflection, a trivial change. We define the penetration distance as follows. For braids A and B, the penetration distance pd(A, B) of the product AB is the number of permutation braids at the end of the normal form of A which undergo a non-trivial change in the normal form of the product, i.e.

pd(A, B)=cl(A)−max{i
where cl(·) denotes the canonical length and inf(·) the infimum of a braid.
Based on their experiments, Gebhardt and Tawn conjectured the following.

Conjecture 25 ([27]). Let A ∈ B_N be a braid chosen at random either from the uniformly generated random words or from the uniformly generated random braids of length k, and let b_i be a randomly chosen Artin generator of B_N. Then the expected penetration distance is bounded independently of the length k of the braid, i.e. there exists some C such that for all k

The conjecture raises the question whether there is still an upper bound for the expected penetration distance of the product AB of two randomly chosen braids or braid words that is independent of their lengths, i.e. when B is an arbitrary randomly chosen braid or braid word as well instead of a single randomly chosen Artin generator.
To investigate this question we conducted an experiment in magma [14]. We generated 2,000 instances of pairs of braid words A, B ∈ B_N for various given lengths using the built-in random function of the braid package in magma. To obtain a "random" braid of given length k, this function chooses a_i uniformly at random from (X ∪ X^{−1}) \ {a_{i−1}^{−1}} for i = 1, …, k, where X and X^{−1} are the sets of Artin generators and their inverses, respectively. In other words, the built-in random function chooses a braid word uniformly at random from the set of all freely reduced braid words of a given length k.
Given such pairs of randomly generated braid words A, B, we computed the product AB and the penetration distance for each instance. This was

We observe that for each N the average penetration distance increases with the word lengths of the random braids and eventually converges to some bound. Furthermore, these bounds increase with the number of strands N of the braid group. Note that for our attack on WalnutDSA TM we are mainly interested in estimates for N = 10, because this is the parameter used.
The convergence suggests that for every N there exists an upper bound for the expected penetration distance of the product of randomly generated freely reduced braid words independently of their lengths.
Conjecture 26. Let A, B ∈ B_N be braid words picked uniformly at random from all freely reduced braid words of length k. Then there exists a C_N ∈ ℕ such that for all k we have

Plotting the distribution of penetration distances for products of randomly chosen freely reduced braid words of different lengths, we noted that most data points lie close to the mean. Conjecture 26 is significant for Proposition 20. Let A and B be two randomly chosen braids of canonical length n and m respectively. Assuming Conjecture 26, i.e. that the expected penetration distance is bounded by some C_N independently of the lengths of A and B, Proposition 20 implies that we expect at least the leftmost n − C_N permutation braids of A and AB to coincide up to reflection whenever n ≥ C_N.
From the proof of Proposition 23 we see that C_N also bounds the expected size of the parameter c there. This is because the inverse of a freely reduced braid word of a given length is again a freely reduced braid word of the same length, so drawing freely reduced braid words of a given length from B_N yields the same probability distribution as drawing their inverses. Hence, if A and B are two randomly chosen braids of canonical length n and m, we expect at least the m − C_N rightmost permutation braids of B and AB to coincide whenever m ≥ C_N.

The Algorithm
We use the last part of this section to describe how our observation can be used to decompose products ABC of braids A, B, C ∈ B_N when B is known. More precisely, we discuss how to recover A′ ≡ A (mod Δ^2) and C′ ≡ C (mod Δ^2) such that A′C′ = AC. Here, by (mod Δ^2) we mean up to multiplication by powers of Δ^2. Later, we apply this algorithm to break WalnutDSA TM and to solve instances of the conjugacy and decomposition search problems.
Let A = Δ^a · A_1 ⋯ A_n, B = Δ^b · B_1 ⋯ B_m, and C = Δ^c · C_1 ⋯ C_r be the left normal forms of randomly chosen freely reduced braid words A, B, C ∈ B_N. Assume that m is greater than the C_N given by Conjecture 26. We have discussed in the previous section that we can expect the left normal form of BC to be of the form

where k ∈ ℤ is the number of fundamental braids Δ that are created when computing the left-weighted form of τ^c(B_{j+1}) ⋯ τ^c(B_m) C_1 ⋯ C_r. Now, if the part of the normal form of B that is preserved in BC has canonical length greater than C_N + 1, which we expect for m ≥ 2C_N + 1, the left normal form of A(BC) is expected, by Proposition 23 and the previous section, to be of the form

where Δ^{k′} · X_1 ⋯ X_r is a left-weighted product of permutation braids equal to τ^{b+c+k}(A_1) ⋯ τ^{b+c+k}(A_n) · τ^{c+k}(B_1) ⋯ τ^{c+k}(B_i), provided the centre of B equals Δ^2, which we expect for sufficiently long B. We keep this notation for the remainder of this section. Let the left normal form of a given ABC be

where u = a + b + c + k + k′. By the previous discussion, we can expect j − i > 0 for randomly chosen freely reduced braid words A, B, C ∈ B_N with B of canonical length greater than 2C_N + 1.
It is now a straightforward procedure to recover A′ ≡ A (mod Δ^2) and C′ ≡ C (mod Δ^2) such that A′C′ = AC knowing only B:
1. Compute the left normal forms of B and ABC.
2. Check, using a string-matching algorithm, whether some contiguous subsequence B_{i_1} ⋯ B_{i_2} of permutation braids of the left normal form of B, for some 1 ≤ i ≤ i_1 < i_2 ≤ j ≤ m, occurs in the left normal form of ABC. If such a subsequence is found, record its location in the left normal forms of B and ABC and go to step 3. Otherwise, do the same search for contiguous subsequences of τ(B) = τ(B_1) ⋯ τ(B_m). If no common subsequence of permutation braids is found either, we terminate and cannot recover the factors. If multiple common subsequences are found, we run the following steps for each of the finitely many candidate solutions; this is unlikely to happen for randomly chosen braid words and sufficiently long subsequences.
3. Split the braid B or τ(B) = τ(B_1) ⋯ τ(B_m) at B_{i_1} resp. τ(B_{i_1}) into two parts, and do the same for ABC. Denote the parts B_I, B_II, ABC_I and ABC_II. Note that we find the subsequence τ^{c+k}(B_i) ⋯ τ^{c+k}(B_j) in B or in τ(B) depending on whether c + k is even or odd, since τ^2 is the identity.
Thus, even though we know neither c nor k, we can determine the residue of c + k modulo 2, which we denote by (c + k)′. Using the notation of the previous paragraphs, we compute

New Attack on WalnutDSA TM
In this section we want to present our attack on the group-based signature scheme WalnutDSA TM which is an application of the decomposition algorithm we have developed in Sect. 4. In Sect. 5.1 we present the idea behind our attack on WalnutDSA TM , before providing experimental results on the success of our attack in Sect. 5.2. In Sect. 5.3 we discuss how different parameters influence the running time and success rate of our attack and we suggest one potential countermeasure.

Universal Forgery Attack
Let m be a message with legitimately produced signature Sig ∈ B_N. Recall that the braids corresponding to WalnutDSA TM signatures have a representative braid word of the form W_1 · E(H(m)) · W_2, where E(H(m)) is the encoded message and W_1, W_2 ∈ B_N are braids of the form v_1 · w^{−1} · v and w′ · v_2 with additional concealed cloaking elements inserted. Here, w, w′ ∈ B_N are the private braids of the signer and v, v_1, v_2 are braids cloaking the identity of S_N and the permutations induced by w and w′, respectively.
It is easy to see that the braid Sig′ := W_1 · E(H(m′)) · W_2 is a valid signature for the message m′. Hence, the ability to locate E(H(m)) in a legitimate signature and to replace it by E(H(m′)) for an arbitrarily chosen message m′ gives rise to a universal forgery attack.
To prevent attackers from finding the encoded message by just parsing through the signature, the designers of WalnutDSA TM suggested an obfuscation procedure. That is, the application of a rewriting algorithm such as the Garside normal form, BKL normal form [11], stochastic rewriting [2] or Dehornoy's handle reduction [17] to the braid before appending the signature to a message.
Note that rewriting only changes the representative of the same braid. Consequently, a normal form is the strongest possible obfuscation: whatever rewriting the signer applies, an attacker can compute the normal form of the braid from any representative, so the attacker never faces anything harder than the normal form itself.
Our experimental results in the next section show that most legitimately produced WalnutDSA TM signatures are susceptible to the decomposition algorithm of Sect. 4.3. Since anybody can compute the encoding of a message m, this allows us to recover W_1′ ≡ W_1 (mod Δ^2) and W_2′ ≡ W_2 (mod Δ^2) such that W_1′ · W_2′ = W_1 · W_2, given only one valid signature W_1 · E(H(m)) · W_2 of any message m. As W_1′ · E(H(m′)) · W_2′ = W_1 · E(H(m′)) · W_2 (Δ^2 is central), this suffices to forge signatures for any other message m′.
Proposition 27. Let W_1 · E(H(m)) · W_2 ∈ B_N be a valid signature for some message m and let W_1′, W_2′ ∈ B_N be such that W_1′ ≡ W_1 (mod Δ^2), W_2′ ≡ W_2 (mod Δ^2) and W_1′ · W_2′ = W_1 · W_2. Then W_1′ · E(H(m′)) · W_2′ is a valid signature for any message m′.
Computation of universal forgeries: Given a signature Sig = W_1 · E(H(m)) · W_2 and the corresponding message m, an adversary computes the encoded message E(H(m)) and uses the procedure of Sect. 4.3 to recover two braids W_1′, W_2′ such that W_1′ ≡ W_1 (mod Δ^2), W_2′ ≡ W_2 (mod Δ^2) and W_1′ · W_2′ = W_1 · W_2. By Proposition 27, this suffices to compute a valid signature for any message m′:

Comparison to legitimately produced signatures: Since W_1′ and W_2′ stem from a legitimately produced signature and do not depend on E(H(m′)), a forged signature of the form W_1′ · E(H(m′)) · W_2′ cannot be distinguished from a legitimately produced signature for m′. In particular, our forgeries have the same length as legitimately produced signatures. However, given two signatures, one could notice that at least one of them was likely forged. An attacker can avoid this by adding an additional concealed cloaking element to W_1′ and W_2′.
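The following Python module is an added example written for this page; it is neither the magma code of [36] nor code from the paper. It puts the pieces of Sect. 4 and the forgery step above into one runnable file: the Garside left normal form computed by appending one Artin generator at a time and sweeping its effect leftwards (the algorithm described after Proposition 20), the penetration distance, steps 1-3 of the decomposition of Sect. 4.3 (returning every candidate split, as step 2 asks), and the splice Sig′ = W_1′ · E(H(m′)) · W_2′. Assumptions of my own: a braid word is a list of signed generator indices (1 ≤ i < N), a permutation braid is a tuple mapping start position to end position, penetration_distance implements my reading of the definition (canonical length of A minus the length of the prefix of its normal form that survives in AB up to reflection), and the Walnut encoding E(H(·)) is not modelled, so forge() takes the already encoded braids as words.

```python
"""Garside left normal form in B_N, penetration distance, the ABC decomposition and
the resulting WalnutDSA forgery step (an added example, not the paper's magma code).
A word is a list of non-zero ints, +i for the Artin generator b_i (1 <= i < N) and
-i for its inverse; a permutation braid is a tuple p, p[j] = end position of strand j."""

def delta(N):  # the fundamental braid Delta reverses all strand positions
    return tuple(range(N - 1, -1, -1))

def gen(i, N):  # permutation braid of the single generator b_i
    p = list(range(N)); p[i - 1], p[i] = p[i], p[i - 1]; return tuple(p)

def mul(x, y):  # product x*y: every strand runs through x, then through y
    return tuple(y[x[j]] for j in range(len(x)))

def tau(p):  # conjugation by Delta: reflect positions and values
    return tuple(len(p) - 1 - p[len(p) - 1 - j] for j in range(len(p)))

def start_set(p):  # {i : b_i is a prefix of p}: adjacent starting strands that cross
    return {i for i in range(1, len(p)) if p[i - 1] > p[i]}

def finish_set(p):  # {i : b_i is a suffix of p}: start set of the inverse permutation
    return start_set(tuple(sorted(range(len(p)), key=p.__getitem__)))

def left_weight(a, b):  # the left-weighted pair with product a*b (local sliding)
    a, b = list(a), list(b)
    while True:  # move b_i from the front of b to the back of a while b_i starts b but does not end a
        free = start_set(tuple(b)) - finish_set(tuple(a))
        if not free:
            return tuple(a), tuple(b)
        i = min(free)
        b[i - 1], b[i] = b[i], b[i - 1]                                # b <- b_i^-1 b
        a = [i if v == i - 1 else i - 1 if v == i else v for v in a]  # a <- a b_i

def left_normal_form(word, N):  # (k, [X_1..X_l]) with word = Delta^k X_1...X_l left-weighted
    D, k, fs = delta(N), 0, []
    for g in word:
        if g < 0:  # b_i^-1 = Delta^-1 (Delta b_i^-1): pulling Delta^-1 to the front applies tau
            k, fs = k - 1, [tau(x) for x in fs]
        for i in perm_to_word(mul(D, gen(-g, N))) if g < 0 else [g]:
            fs.append(gen(i, N))
            t = len(fs) - 2
            while t >= 0:  # sweep the new letter's effect leftwards until a pair is unchanged
                pair = left_weight(fs[t], fs[t + 1])
                if pair == (fs[t], fs[t + 1]):
                    break
                fs[t], fs[t + 1], t = pair[0], pair[1], t - 1
            if fs[-1] == tuple(range(N)):  # the letter was absorbed by the factor to its left
                fs.pop()
            if fs and fs[0] == D:  # a Delta surfaced at the front: it belongs to the infimum
                k, fs = k + 1, fs[1:]
    return k, fs

def perm_to_word(p):  # a positive word for p: peel generators off the front
    p, w = list(p), []
    while start_set(tuple(p)):
        i = min(start_set(tuple(p))); w.append(i); p[i - 1], p[i] = p[i], p[i - 1]
    return w

def inverse(word):
    return [-g for g in reversed(word)]

def nf_to_word(k, fs, N):  # a word for Delta^k X_1...X_l
    dw = perm_to_word(delta(N))
    return (dw * k if k >= 0 else inverse(dw) * -k) + sum(map(perm_to_word, fs), [])

def congruent_mod_delta2(x, y, N):  # x^-1 y is a power of the central element Delta^2
    k, fs = left_normal_form(inverse(x) + y, N)
    return fs == [] and k % 2 == 0

def penetration_distance(A, B, N):  # trailing factors of lnf(A) changed non-trivially in lnf(AB)
    ka, fa = left_normal_form(A, N)
    kab, fab = left_normal_form(A + B, N)
    refl, i = (kab - ka) % 2, 0  # a factor that is only reflected by tau counts as unchanged
    while i < min(len(fa), len(fab)) and (tau(fa[i]) if refl else fa[i]) == fab[i]:
        i += 1
    return len(fa) - i

def decompose(ABC, B, N, length):
    """Steps 1-3: match `length` consecutive factors of lnf(B) or lnf(tau(B)) in lnf(ABC),
    split both there and return every candidate (A', C') as words with A' B C' = ABC."""
    ks, S = left_normal_form(ABC, N)
    kb, Bf = left_normal_form(B, N)
    dw, out = perm_to_word(delta(N)), []
    for e in (0, 1):  # e = (c + k) mod 2: the factors of B appear reflected iff e == 1
        Be = [tau(x) for x in Bf] if e else Bf
        for i in range(len(Be) - length + 1):
            for p in range(len(S) - length + 1):
                if S[p:p + length] == Be[i:i + length]:
                    B_I, B_II = nf_to_word(kb, Be[:i], N), nf_to_word(0, Be[i:], N)
                    ABC_I, ABC_II = nf_to_word(ks, S[:p], N), nf_to_word(0, S[p:], N)
                    # tau^e(B) = Delta^e B Delta^-e = B_I B_II, so A' B C' collapses to ABC
                    out.append((ABC_I + inverse(B_I) + dw * e,
                                inverse(dw) * e + inverse(B_II) + ABC_II))
    return out

def forge(sig, enc_m, enc_m2, N, length=15):  # Sig' = W1' E(H(m')) W2' from one pair (m, Sig)
    return [w1 + enc_m2 + w2 for w1, w2 in decompose(sig, enc_m, N, length)]
```

Every candidate returned by decompose() satisfies A′ · B · C′ = ABC by construction, whatever split is chosen; only a split at a factor that really came from B gives A′ ≡ A (mod Δ^2), which is what congruent_mod_delta2() checks when A is known (in an attack it is not, and the forgery is simply tried). Pure Python is far slower than magma on Walnut-sized signatures with several hundred permutation braids, but the logic is the one the text describes, and the default length=15 is the Len used in the experiments.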
Complexity: In the decomposition algorithm of Sect. 4.3 we need to compute the Garside normal forms of Sig and E(H(m)) in the first step. Using Thurston's method, this takes time O(|Sig|^2 N log N) and O(|E(H(m))|^2 N log N), respectively. Here |·| denotes the number of permutation braids of the given positive braid word, not necessarily in left normal form.
The second step of the algorithm requires finding a common contiguous subsequence of permutation braids in the two normal forms. Fixing a length Len for the common subsequence we want to find, the naive algorithm compares O(rl) products of Len permutation braids, where r and l denote the canonical lengths of E(H(m)) and Sig respectively. We implemented this naive approach in our attack on WalnutDSA TM (see [36]). A more efficient solution is the Knuth-Morris-Pratt string-searching algorithm [32]. Running it for every contiguous subsequence of Len permutation braids of the (reflected) encoding against the signature takes O(r(l + Len)) comparisons of permutation braids.
For WalnutDSA TM we have |E(H(m))| ≤ |Sig|. As the number of permutation braids in the Garside normal form is minimal among all decompositions into permutation braids, we moreover have r ≤ |E(H(m))| and l ≤ |Sig|, so recovering the positions and deciding whether the subsequence of the encoding appears reflected in the signature takes O(|Sig|^2) comparisons of permutation braids. Since the rest of the decomposition algorithm runs in linear time, the time to forge signatures is dominated by the computation of the Garside normal form, i.e. O(|Sig|^2 N log N).
Note that generating legitimate signatures is quadratic in N as well. Moreover, depending on the rewriting algorithm used when generating WalnutDSA TM signatures, the Garside normal form of a signature might have to be computed there too.

Improvements:
As the encoded message sits between two braids W_1 and W_2 of roughly the same size in the signature, we expect to find the subsequence of permutation braids of τ^k(E(H(m))) roughly in the middle of the signature. Therefore, it is faster on average to start the search for common permutation braids in the middle part of the signature and of the encoding.

Experimental Results
We have implemented the relevant parts of WalnutDSA TM and our attack in magma [14]. The source code of our implementations can be found on GitHub [36]. For our experiments we used the recommended parameters as listed in Sect. 3.2 for the two security levels. In particular, the number of strands N was set to 10.
By Sect. 4 we know that the crucial step of our decomposition algorithm is finding a (possibly reflected) contiguous subsequence of permutation braids of the normal form of E(H(m)) in the normal form of the signature of m. We generated 1,000 instances of signatures for randomly chosen messages m for each security level. In our experiment we were able to locate such a common subsequence of permutation braids in the normal forms of τ^k(E(H(m))) and W_1 · E(H(m)) · W_2 for either k = 0 or k = 1 in all instances. The table in Fig. 4 shows the canonical lengths of the common subsequences we found for the 128- and 256-bit parameters respectively. To put this into context, we measured the canonical length of encoded messages: for the 128-bit parameters, encoded messages had canonical lengths ranging from 112 to 165 with a mean of 140; for the 256-bit parameters the range was 248 to 310 with a mean of 280 permutation braids.
To determine the position of a common subsequence of permutation braids in the (reflected) encoded message τ^k(E(H(m))) and the signature Sig, we compared a fixed number Len of permutation braids of τ^k(E(H(m))) and Sig at a time, for k = 0, 1. Note that finding common subsequences of a given length is faster than finding all common subsequences of arbitrary length.
The larger Len is, the less likely it becomes that a common subsequence appears in the signature by coincidence. However, Len must be small enough for a common subsequence to be found in most cases. Fixing Len = 15 turned out to be a good choice in our implementation, but Len = 10 or Len = 20 leads to almost the same results.
Later we will see that increasing the number of strands N in the Walnut digital signature algorithm leads to shorter common subsequences of permutation braids. In this situation we can improve our algorithm for finding the common position and deciding whether k = 0 or 1: whenever no common subsequence of permutation braids is found for k = 0 and k = 1, we decrease Len and retry, until a subsequence is found or Len = 0.
Testing our entire attack on randomly generated instances, 99.8% of legitimately produced signatures for the 128-bit parameters allowed our universal forgery attack. For the 256-bit security level, 100% of the signatures were susceptible.
The algorithm to recover the braids W_1′ and W_2′, and thus to produce universal forgeries, takes less than a second for the 128-bit parameters and only a couple of seconds for the 256-bit parameters.
The higher success rate for the 256-bit parameters can be explained by the output of the hash function being twice as long. The normal form of the encoding then contains roughly twice as many permutation braids, so it is more likely to find a common contiguous subsequence of permutation braids in the left normal forms of the signature and the (reflected) encoded message.

Countermeasures
Finally, we want to discuss how different parameters of WalnutDSA TM influence the running time and success rate of our attack and we suggest one potential countermeasure. Here, the success rate means the proportion of signatures that allows a universal forgery attack.
Independence from q: Unlike the attacks [10,29], our attack works on the braids only and thus independently of the colored Burau representation. In particular, it is independent of the size q of the underlying finite field F q .
Increasing the length of the private braids: Increasing the number of concealed cloaking elements or the length of the private braids makes both W_1 and W_2, and consequently the signature, larger. Since the running time of our attack is quadratic in the length of the signature, this slows down our attack a little, while simultaneously enlarging the signatures.
We have seen in Sect. 4 that the expected number of permutation braids that change non-trivially when multiplying by randomly chosen braid words on the left and on the right is bounded independently of their length. Therefore, we do not expect enlarging W_1 and W_2 to have much influence on the success of our attack. Indeed, we generated random instances of Walnut signatures with private keys of different lengths. This did not seem to have any influence on the number of permutation braids found as a common subsequence of the signature and the (reflected) encoding, and the success rate of the attack did not change even for very long private braids.
For private braids chosen at random from freely reduced words of length 15,000 Artin generators (instead of 287), our attack still succeeds within a few minutes, while legitimate signatures reach the upper limit on the length of signatures accepted as valid in the current implementation of WalnutDSA TM. Consequently, increasing the length of the private braids is not useful to thwart our attack.
Increasing N : Looking at the formula for the running time, increasing N is another way to slow down the attack slightly.
More interesting, however, is that increasing N decreases the success rate. We conducted an experiment generating WalnutDSA TM instances for different values of N. Figure 5 shows the percentage of signatures allowing our universal forgery attack, out of 1,500 randomly generated Walnut instances, as a function of N. We have seen in Fig. 3 that raising N increases the number of permutation braids that are expected to change when multiplying by braids on the right; for multiplication on the left we obtained the same result. At the same time, the canonical length of the encoding remains constant when scaling up N, since it only depends on the output length of the hash function used in WalnutDSA TM. Combined, this implies that the expected length of the common subsequence of permutation braids of signature and encoding shrinks as N grows. Note that one cannot simply shorten the output of the hash function instead, as the signature scheme would then become vulnerable to collision search attacks [40].
As our attack no longer works once there is no common subsequence of permutation braids left, this explains the decreasing success rate as N increases. In the 256-bit version the hash function has a longer output, and therefore the common subsequence of permutation braids of encoding and signature is longer than in the 128-bit setting. This explains why the success probability decreases more slowly with N for the 256-bit security level. Moreover, we measured the success of our attack by checking whether we recovered the braids W_1 and W_2 modulo their centre. For large N it is more likely that the centre of the encoding E(H(m)) does not equal Δ^2; as we recover the braids W_1′ and W_2′ only modulo the centre of E(H(m)), the result might then not be accepted as valid.
Considering our experiment in Fig. 5, the success rate of our attack seems to decrease exponentially in N, so increasing N is a potential countermeasure. However, this would increase the size of the public keys and slow down signature verification quadratically in N. Moreover, one might fear that with N increasing and the hash output length constant, the encoding would no longer have good mixing properties. It might then be possible to isolate the encoding in the signature just by parsing through the braid, leading to other weaknesses.
Adding additional cloaking elements to the encoded message: Finally, one could add randomness to the encoder, altering the permutation braids in the signature that correspond to the encoding. This can be done by adding concealed cloaking elements (see Sect. 3.1) to the encoding. This countermeasure was independently found and suggested by the WalnutDSA TM team in private correspondence.
Clearly, the attack described above to recover W_1 and W_2 modulo Δ^2 does not necessarily work anymore after adding cloaking elements to the encoding. However, forging signatures remains possible as long as we can find at least one permutation braid in the signature corresponding to a permutation braid in the encoding, and the encoding separates the permutation braids of W_1 and W_2. This is because we have

We know that this still satisfies (5) and thus it is a valid signature for m′. Hence, even though an attacker cannot recover W_1 and W_2 up to the centre, they can still compute a forged signature for any message m′ as long as they find a single permutation braid from the encoding at the correct position in the signature. Consequently, to counter the attack one has to make sure that all permutation braids originating from the encoding are changed in the signature. Our experiments show that introducing one cloaking element sometimes changes only 5 permutation braids in its surroundings for N = 10. Considering the canonical lengths of common subsequences measured in Sect. 5, we would therefore expect that at least 30 and 60 additional concealed cloaking elements need to be added for the two security levels. However, it might be necessary to add even more cloaking elements to prevent our attack after an uncloaking procedure such as that of Kotov, Menshov and Ushakov [34] is applied to critical positions in the middle of the signature, eventually removing concealed cloaking elements.
Altogether, adding concealed cloaking elements to the encoding is the best way we found to thwart our attack. Yet, it would slow down signature generation, as all additional concealed cloaking elements need to be generated separately, and it would enlarge WalnutDSA TM signatures.