Factoring Products of Braids via Garside Normal Form
University of Birmingham

Abstract. Braid groups are infinite non-abelian groups naturally arising from geometric braids. For two decades they have been proposed for cryptographic use. In braid group cryptography public braids often contain secret braids as factors and it is hoped that rewriting the product of braid words hides individual factors. We provide experimental evidence that this is in general not the case and argue that under certain conditions parts of the Garside normal form of factors can be found in the Garside normal form of their product. This observation can be exploited to decompose products of braids of the form 𝐴𝐵𝐶 when only 𝐵 is known. Our decomposition algorithm yields a universal forgery attack on WalnutDSA™, which is one of the 20 proposed signature schemes that are being considered by NIST for standardization of quantum-resistant public-key cryptography. Our attack on WalnutDSA™ can universally forge signatures within seconds for both the 128-bit and 256-bit security level, given one random message-signature pair. The attack worked on 99.8% and 100% of signatures for the 128-bit and 256-bit security levels in our experiments. Furthermore, we show that the decomposition algorithm can be used to solve instances of the conjugacy search problem and decomposition search problem in braid groups. These problems are at the heart of other cryptographic schemes based on braid groups.


Introduction
Continuous progress in quantum computing and the prospect of large-scale quantum computers necessitate the development of quantum-resistant cryptographic algorithms. Currently, the security of most widespread algorithms relies on the hardness of the discrete logarithm problem, the elliptic-curve discrete logarithm problem or the integer factorization problem. All of these mathematical problems can be solved using Shor's quantum algorithm [42]. Even though quantum computers with sufficient processing power to pose a threat to current cryptographic applications presumably do not yet exist, researchers, intelligence agencies and industry aspire to develop cryptographic systems that remain safe once such devices come into being. Current approaches to attain quantum resistance include cryptography based on codes, isogenies, lattices and multivariate polynomials over finite fields [19,36,38,44]. Another approach is cryptographic systems based on non-abelian groups [22]. Indeed, no quantum algorithm to solve the hidden subgroup problem (the core problem solved by Shor's algorithm for finite abelian groups) is known for general non-abelian groups.
The conjugacy search problem is a fundamental decision problem in combinatorial group theory. Definition 1. Given two braids ,  ∈   where  =  •  •  −1 for some  ∈   , the conjugacy search problem (CSP) in braid groups is to find  . The asserted computational difficulty of the CSP and its variations has inspired many cryptographic primitives on non-abelian groups such as [3,33].
To establish standards for quantum-secure cryptography [40] the National Institute of Standards and Technology (NIST) is currently evaluating public-key algorithms [40]. One of the 20 signature schemes being considered for standardisation is WalnutDSA™ [6], which operates on braid groups.
NIST's ongoing standardization project, and thus the potential for widespread use of WalnutDSA™ and other braid group algorithms, make a thorough security analysis and understanding of the braid group vital. WalnutDSA™ has been analysed before [10,29,35], which brought some weaknesses of the signature scheme to light. However, the attacks could be thwarted by increasing parameters and slightly changing the protocol [41]. A fundamental assumption underlying the security of WalnutDSA™ is that individual factors in a product of three braids are "obfuscated" when they are presented in some normal form.
Our contribution: In this paper, we describe how the Garside normal forms of factors relate to the Garside normal form of their product. Together with an observation based on experiments, we use this to locate single factors in a product of braids and to decompose certain products in braid groups. More precisely, we give an algorithm that can recover the factors of a product  ∈   up to the centre of the group when only  is known.
Signatures of WalnutDSA™ can be written as a braid word  1 •  •  2 , where  1 and  2 are secret braids and  is a deterministic encoding of the message. The product is presented rewritten, e.g. in normal form, with the explicit aim of obfuscating individual factors. Our observations imply that  1 and  2 can in fact be efficiently recovered up to the centre of the group. Replacing  by the encoding of any other message yields a new universal forgery attack that works within seconds on most random message-signature pairs.
Related work: Braid groups have been suggested for cryptographic purposes for two decades [22] and protocols such as the Anshel-Anshel-Goldfeld key exchange [4] and Ko et al.'s protocol [33] have been studied extensively. A newer protocol sharing some design components with WalnutDSA™ is the Algebraic Eraser [5]. This scheme and the Anshel-Anshel-Goldfeld key exchange have been subject to numerous attacks which were mostly based on representation theory [8,9,31] or on a length-based approach [30,39]. Yet, the same cryptanalytic techniques do not seem to apply to WalnutDSA™.
Considerable work has been devoted towards a solution of the conjugacy search problem (CSP) in braid groups. Apart from heuristic approaches such as the previously mentioned length-based attacks, the most successful approaches use summit sets [13,24,25].
Responsible Disclosure Process: We provided the designers of WalnutDSA™ with the details of our attack on the 20th of August. They acknowledged that the attack works. To prevent malicious use of our attack on the signature scheme or similar products by SecureRF, we agreed to postpone the publication of our findings until the 21st of November.
Outline: In Section 2, we provide preliminary results on braid groups and the Garside normal form. In Section 3 we present the current instantiation of WalnutDSA™ and how it was modified to thwart previous attacks. Section 4 gives our algorithm to recover the factors of a braid  presented by its normal form when the braid  is known. In Section 5 we describe our attack on WalnutDSA™ and discuss potential countermeasures. Section 6 shows how the decomposition algorithm can be used to solve instances of the conjugacy search problem. We conclude our work in Section 7.

Braid Groups
This section provides preliminary mathematical background on braid groups. In Section 2.1 we define braid groups and provide their algebraic presentation. Section 2.2 defines the colored Burau representation of braid groups, which is needed to explain WalnutDSA™ but not essential for the understanding of our contribution. In Section 2.3 we define the Garside normal form. A reader familiar with braid groups and the Garside normal form may proceed to Section 3.

Artin Presentation
Let  be a positive integer and let   denote the braid group on  strands introduced by Emil Artin [7]. Geometrically, the elements of a braid group are the equivalence classes of  strands under ambient isotopy, i.e. we consider two braids the same if we can distort one into the other without breaking any strand. Artin proved that   is indeed a group with presentation where the group operation is given by concatenation of the strings. Thus, we can represent any braid of   as a finite, non-unique word in the so-called Artin generators   . Imagining our strands lying in a plane and numbering the strands from left to right, the generator   corresponds to the -th strand crossing over the ( + 1)-th strand. Note that there is a natural homomorphism sending elements of   to the induced permutations in the symmetric group S  . More precisely, each Artin generator   is sent to the transposition   := (,  + 1). For some braid word  1 1 . . .     the induced permutation is  1 1 . . .     . Since the corresponding permutations respect the relations in Presentation (1), sending braids to their induced permutations is a well-defined homomorphism. Clearly, this homomorphism from   to S  is surjective. Braids in the kernel, i.e. braids inducing the identity permutation, are called pure braids.
It is well known that the group of pure braids can be generated by   , 1 ≤  <  ≤  [12], where The generator   may be depicted geometrically as the braid where the -th string passes behind the strings ( − 1), . . ., ( + 1), in front of the -th string and then behind the strings , . . .,  − 1 back to the -th position.

Colored Burau Representation
The colored Burau representation of braid groups which we will describe in this section is used to define WalnutDSA™ and its underlying problem. A reader who is mainly interested in the structure being preserved in products of Garside normal forms may want to skip this section.
Let  be the power of a prime and let F  [ ±1 1 , . . .,  The colored Burau matrices of each Artin generator are defined as follows [6]: , where the   are written in the -th row for 2 ≤  ≤  − 1. Equipping the semidirect product GL  (F  [ ±1 1 , . . .,  ±1  ]) S  with the operation one obtains a group and one can check that the map where   denotes the transposition (,  + 1) ∈ S  , extends to a group homomorphism. This group homomorphism is called the colored Burau representation of   [16].

Garside Normal Form
A normal form in a group is a canonical way to represent the elements and thus it provides an opportunity to compare them. Garside was the first to develop a normal form for braid groups [23], which was improved most notably by Thurston [21] and Elrifai and Morton [20], leading to what is known as the Garside normal form today. For further normal forms in braid groups see [11,15,18].
In this section we reproduce some results that led to the development of the Garside normal form to introduce terminology necessary for the explanation of our observation in Section 4.

Let 𝐵⁺ denote the monoid of positive braids in   which are the braids that can be written as a product of positive powers of Artin generators. This is a well-defined monoid as all the defining relations in the presentation of braid groups (1) contain only positive powers of Artin generators.
We denote Garside's "fundamental braid" [23] by . Recall that this braid is the unique positive braid in which any two strands cross exactly once and it is of central importance in the Garside normal form. We recall some properties of the fundamental braid due to Garside [23].
Proposition 2. Let   be the braid group on  strands. For  = 1, . . .,  − 1, we have In particular  2 commutes with every generator and lies in the centre of   . In fact, the centre of   is cyclic and generated by  2 .
Remark 3. Let  be the inner automorphism of   conjugating elements with , i.e. 𝜏 : 𝐵 Then the previous proposition implies In particular,  2 is the identity automorphism. We will continue to denote this automorphism by  and call it the reflection in   throughout this paper.
Proposition 4. [23] For any generator   ,  = 1, . . .,  − 1, we can find positive braids   and An explicit description of the braids   ,   is given at the same place. Together with Proposition 2 this observation can be used to rewrite any representation of an element of   efficiently in the form    , where  ∈ Z and  is a positive braid that cannot be written as a positive word containing  as a subword. Listing all possible words  and choosing the lexicographically minimal one for  yields the initial normal form due to Garside. This algorithm has exponential running time in the number of strands  and the braid length, so it is not completely satisfactory from a computational point of view. However, we have the following natural partial order in the monoid of positive braids.
Definition 5. Let ,  ∈  +  . We write  ≤  if  =  for some  ∈  +  . We say  is a prefix of . This is a partial order invariant under left multiplication, i.e.  ≤  implies  ≤  for all  ∈  +  . Let 1 denote the identity in   . We see that 1 ≤  if and only if  ∈  +  .
Given a partial order as in Definition 5 one may wonder whether there is a greatest common prefix in some sense.
Proposition 6. [23] For any two elements ,  ∈  +  there exists a unique element  such that  ≤ ,  ≤  and that  ′ ≤  for every common prefix  ′ of  and .
Definition 7. Using the same notation as in the previous proposition, we call  the greatest common divisor (gcd) of  and  and we write  =  ∧ .
Elrifai and Morton [20] and Thurston [21] independently developed two different algorithms to compute the normal form of a braid in polynomial time building on top of Garside's results. The centrepiece of their work is to consider the following braids.
Definition 8. The positive prefixes of  are called permutation braids, i.e.  ∈   is a permutation braid if and only if 1 ≤  ≤ .
Permutation braids are exactly those positive braids with any pair of strands crossing at most once and thus uniquely determined by the permutation they induce.
Instead of listing exponentially many representatives and choosing the lexicographically minimal one, the idea of Thurston, Elrifai and Morton was to write a braid word  as a product of permutation braids where uniqueness is achieved by requiring each letter to appear as far to the left as possible.
That is, if we move any crossing from  +1 to   the resulting braid would not be a permutation braid anymore.This allows us to formulate the Garside left normal form.
Theorem 10 (Garside left normal form). Every braid  can be represented uniquely by a braid word where  ∈ Z, 1 <   <  and    +1 is a left-weighted product for 1 ≤  ≤ .
Definition 11. Consider the notation of the preceding Theorem 10. We call the integer  the canonical length of  and the integer  the infimum of .
For details on the algorithms to compute the Garside left normal form we refer to [20,21]. Using the approach of Elrifai and Morton the normal form of some given positive braid word  1 . . .   can be computed in time ( 2  ), where  is the number of Artin generators of the braid word given. Thurston's alternative but equivalent solution computes the left normal form of a positive braid word given as a product of permutation braids  1 . . .  ′ with time complexity ( ′2  log  ) [21]. Note that this might be faster than the previous algorithm as most permutation braids are a product of multiple Artin generators.
We want to point out that observations similar to the ones we will state in Section 4 for the Garside normal form hold for other normal forms such as the Birman-Ko-Lee (BKL) normal form as well. In particular, structure in the BKL normal form can be exploited directly to attack WalnutDSA™ or solve instances of the conjugacy search problem too. However, using the Garside normal form turned out to be slightly more efficient in our experiments, which is why we will mean the Garside left normal form when talking about left normal forms for the remainder of this paper.

WalnutDSA™
WalnutDSA™ is a digital signature scheme operating on braid groups. It was proposed by Anshel, Atkins, Goldfeld and Gunnels [6]. This section summarizes the newest version of the signature scheme. In Section 3.1 we define E-Multiplication and cloaking elements and state the underlying hardness assumption of WalnutDSA™. The section is not necessary to understand our attack, but these basic building blocks are needed to define the signature scheme itself. Section 3.2 provides details about the parameters used and the signature generation and validation. Finally, we will give a brief overview of previous work on WalnutDSA™ in Section 3.3, showing that our approach is fundamentally different.

E-Multiplication™ and Cloaking Elements
E-Multiplication was first introduced as a one-way function [5] and it is a foundation of WalnutDSA™.
Remark 12. Following the notation of [6], we write (, ) ⋆  instead of (, ) ⋆ () for  ∈   . Moreover, we denote by  the map  ↦→ (Id, id) ⋆ .
The security of WalnutDSA™ is based on the computational hardness assumption of the reversing E-Multiplication (REM) problem.
In particular, inverting the map given in (4) is assumed to be hard. Reversing E-Multiplication is enough to break WalnutDSA™: indeed, we will see that the ability to solve the REM problem allows one to forge the signature of one message, and that solving two instances of the REM problem allows the recovery of the private key from the public key. However, our attack on WalnutDSA™ bypasses the problem of reversing E-Multiplication. We will see that our attack works solely on braids and is therefore independent of the colored Burau representation and of the size  of the underlying field F  .
Another basic building block of WalnutDSA™ are certain braids termed cloaking elements.
under the right action of the braid group via E-Multiplication.
In WalnutDSA™ cloaking elements of the following form are generated [41].
Let   denote the permutation induced by some braid  ∈   and let   be an Artin generator for 1 Proof. This is an immediate consequence of Remark 16. Cloaking elements as proposed by the designers of WalnutDSA™ depend only on the permutation  and not on the matrix  of the element they are stabilizing. Therefore, we will say that some braid cloaks a permutation .
For further details on the generation of cloaking elements in WalnutDSA™ we refer interested readers to the original implementation by SecureRF [1] or our implementation in magma [14] (see [37]). However, our attack will be independent of the way cloaking elements are generated.
Concealed cloaking elements are cloaking elements for which the cloaked permutation is not public.Given a braid word  , concealed cloaking elements are added to the word by splitting  into two braid words  1 and  2 at a random location and inserting a braid cloaking the permutation induced by  1 in between.

The Signature Scheme
Key Generation and Parameter Values. Before any message can be signed, the following system-wide public parameters need to be fixed:
- The rank  of the braid group   .
- The number of concealed cloaking elements that will be added.
- A hash function  : {0, 1} * → {0, 1} 2 for some . Our attack will not depend on any weaknesses of the hash function and therefore we can treat  as a random oracle.
Next, the signer chooses braid words  and  ′ by choosing uniformly at random  Artin generators or their inverses. The secret key of the signer is the pair (,  ′ ), while the public key is ((), ( ′ )) where  is the map given in Remark 12. Note that the length of the private braids  and  ′ is chosen large enough to prevent brute-force attacks from being effective. Later, we will see that the success of our new attack is independent of all parameters but  .
As of the 21st of November 2018, the use of the following parameters is suggested for WalnutDSA™.
Message Encoding. In order for signatures to provide integrity and authenticity, a signer must encode the message that is to be signed into the signature. The Walnut digital signature algorithm requires the message to be mapped onto a pure braid.
To encode a message in WalnutDSA™ it is hashed using the publicly known hash function . Then every two bits of the output specify one pure braid generator (see (2)) and the encoding (()) of a message  is the product of all pure braid generators selected. As the exact choice of pure braid generators is irrelevant for our attack we refer to [41] for a full description.
Signature Generation. A signer needs to perform the following steps to generate a signature.

1. Compute the encoded message 𝐸(︀ () )︀ .
2. Generate cloaking elements ,  1 ,  2 as given by Proposition 15 for the identity and the permutations induced by the private braids ,  ′ , respectively.
3. Add the required number of concealed cloaking elements in randomly chosen locations in the braid words
4. Use a rewriting algorithm ℛ to obtain a rewritten braid word which is the signature for .
Signature Verification. To verify a signature, a receiver computes (()) and checks whether comparing the matrix parts of GL  (F  ) × S  . If both sides of the equation are equal, the receiver accepts the signature as valid. It is easy to check that legitimately produced signatures satisfy (5).

Previous Work on WalnutDSA™
We want to give a brief overview of previous attacks on the Walnut digital signature algorithm [10,29,35] and the changes they have triggered in the scheme to patch the weaknesses. Moreover, this section shows that our attack uses a completely different approach.
Factorization Attacks. The first attack on a previous version of WalnutDSA™ was published by Hart et al. [29]. In the previous version both secret braids were equal and the public key only consisted of the image of this one secret braid under the map  : The attack exploited a malleability property of the signatures, enabling an attacker to forge a signature by solving a factorization problem in a group of matrices. Trying to destroy the malleability property, the designers of Walnut started using two different private braids. However, Beullens [10,41] showed that the following malleability property holds in this case too.
Theorem 17. [10] Let ,  1 and  2 be messages and let ℎ, ℎ 1 and ℎ 2 be the matrix parts of 1 and Sig 1 is a valid signature for  1 under the public key is a valid signature for  under the public key
An algorithm to solve this factorization problem with time complexity  (︀ )︀ was proposed by Hart et al. [29]. However, the factorizations contained roughly 2 25 elements of the set given in (6) and consequently the forged signature satisfies the verification equation, but can be easily detected due to its enormous length. By imposing an upper limit on the length of valid signatures, as was done in the implementation submitted to NIST, the attack was blocked. In contrast, the forgeries produced by our attack will be of the same length as legitimately produced signatures.
Collision Search Attack. Beullens and Blackburn [10,41] realized that the originally proposed 4-bit encoder was not injective and that it mapped to a set of braids whose matrix parts under the function  were lying in a surprisingly low-dimensional, 13-dimensional, affine subspace over F  . This made the scheme susceptible to a generic collision search attack. More precisely, it was possible to find pairs of distinct messages  1 and  2 such that ((( 1 ))) = ((( 2 ))) for sufficiently small  using a generic collision search algorithm. Beullens and Blackburn implemented the collision search due to van Oorschot and Wiener [45] which takes | (︀ (({0, 1})) Recall that a signature is accepted as valid if (5) is satisfied. Given a collision of  1 and  2 , an attacker can query a signature for  1 and automatically gets a valid signature for  2 . Consequently, the signature scheme was not existentially unforgeable [28].
To counter the attack the designers of WalnutDSA™ changed the encoder to the 2-bit version described previously, where  (︀ (({0, 1} * )) )︀ lies in an affine subspace of dimension ( − 2) 2 + 1 [41] over F  , which is greater than 13 for  ≥ 6. Together with a significant raise of the parameters  and , the generic collision search attack became ineffective. Our attack will be independent of , but we will see that it can be defeated to some extent by further increasing the parameter  .

Reversing E-Multiplication
The last attack presented in [10] solves the underlying problem of WalnutDSA™, reversing E-Multiplication (REM) (see Definition 13), directly.
Note that it suffices to solve a single instance of the REM problem to forge a signature of a freely chosen message, or to solve two instances of the REM problem to obtain an equivalent pair of secret braids from the public key. Thus, the hardness of this problem is crucial for the security of WalnutDSA™.
The attack exploits that E-Multiplication restricted to pure braids is a group homomorphism which maps the chain of subgroups to a nice chain of subgroups in GL  (F  ). Here,   ⊂   denotes the subgroup of pure braids on  strings that can be identified with the pure braids of   or, formulated differently, the pure braids that can be written in the generators  1 , . . .,  −1 . Exploiting this subgroup structure, the REM problem can be solved by successively reducing the problem to a smaller subgroup using collision searches. The authors of [10] moreover suggest a slightly finer chain of subgroups for the first reductions, which are the most costly ones, to improve the performance of the algorithm further.
The resulting attack requires (  2 −1 ) E-Multiplications, and was blocked by a significant increase in the parameters  and  . As mentioned before, our attack will be independent of  and can only be defeated to some extent by increasing  significantly.

Uncloaking Signatures
The most recent attack is due to Kotov, Menshov and Ushakov [35]. They give a heuristic attack which operates purely on braids. The attack removes cloaking elements of a previous version of the Walnut digital signature algorithm without concealed cloaking elements.
The authors observed that cloaking elements in WalnutDSA™ are always generated in such a way that the strands corresponding to the inverse T-values cross each other (see Proposition 15). Since T-values are public, an attacker can trace all strands and find "critical positions" in a signature where there might be a cloaking element. This allows a length-based attack: note that untwisting the middle part of cloaking elements produces a trivial braid. An attacker guesses the location of cloaking elements and tries to remove them by untwisting the critical position. When multiplying signatures with removed cloaking elements together, more precisely one such signature multiplied with the inverse of another, further elements cancel out. If the remaining word is of significantly shorter length, one has heuristic evidence that the cloaking elements have been removed successfully.
The uncloaking procedure on multiple signatures leads to a system of conjugacy equations in   (potentially with errors). Once again this can be heuristically solved using a length-based approach.
For earlier work about length-based attacks we refer amongst others to [30,39].
To patch Walnut, concealed cloaking elements, i.e. cloaking elements that are inserted in random locations before and after the encoded message, were introduced.Removing multiple concealed cloaking elements that are not inserted consecutively into the signature appears to be more difficult.
The designers of WalnutDSA™ suggested to insert  concealed cloaking elements [41]. For  = 10 this yields the values given in the table in Section 3.2. However, the number  was estimated under the assumption that one needs to know the permutation of a cloaking element in order to remove it. As this does not hold, the efficacy of this countermeasure has been disputed [41].
We will see that the success of our attack is independent of the number of concealed cloaking elements inserted into the signature the way it was suggested by the designers of WalnutDSA™. However, we will discuss in Section 5.3 that adding a significant number of concealed cloaking elements to the encoded message might thwart our attack at the cost of enlarging signatures and slowing down the signature generation and verification.

Decomposition of Products in Braid Groups
The use of normal forms as "obfuscation procedures" in cryptographic schemes such as WalnutDSA™ suggests that properties of single braids are well hidden in the normal form of their product. In this section, we will see that this is in general not the case. More precisely, we will argue that we can expect some (potentially reflected) permutation braids of factors with sufficiently large canonical length to appear in the normal form of their product.
In Section 4.1 we prove how the permutation braids of factors relate to the permutation braids of their product. Together with the experimental results of Section 4.2 this yields the observation stated in the previous paragraph. In Section 4.3 we show how the observation can be exploited under certain conditions to recover the factors of products of the form  ∈   up to the centre ⟨ 2 ⟩, when  is known. The algorithm to decompose products of braids will be at the heart of our cryptanalysis of WalnutDSA™ in Section 5 and our new solutions to the conjugacy and decomposition search problems in Section 6.

Garside Normal Form of Products
Recall that   =   −  −1 =  (  − ) for  = 1, . . .,  − 1 by Proposition 2 and Remark 3. Let   •  1 . . .  and   •  1 . . .  be the normal forms of two elements ,  ∈   respectively. Pushing all 's in the product  to the front yields for  ′ ≡  (mod 2) since  2 is the identity map. This is a product of permutation braids by the following lemma, of which we will omit the straightforward proof.
Clearly, the condition will not be met for most ,  ∈   . When computing the left normal form of  in general, new 's might be created in the process of computing the left-weighted product of   ( 1 ) . . .  (  ) 1 . . .  . Moving these 's to the front results in reflections of all leftward permutation braids, which yields the following proposition.
This process continues inductively to the left until some permutation braid is not changed anymore.If one of the changed permutation braids becomes  during this process, it is moved to the front by reflecting all leftward permutation braids.
Remark 21. It is not hard to find particular braids for which the previous proposition does not contain a lot of information as  = . This happens for example if  =  −1 , when the product vanishes, or if  and  are braids that do not share common strands and thus commute. However, in the next section we will see that for every  and randomly chosen braids ,  ∈   the expected value for  is bounded independently of .
Clearly, if  is smaller than  the permutation braids in the left normal forms of  and  coincide on the left-hand side up to reflection. Next, we show that the rightmost permutation braids of the left normal forms of  and  coincide too. The following proposition due to Elrifai and Morton provides us with a link between multiplication of a braid on the left and on the right.
Proof. Clearly, we can show the proposition for  −1 and  −1 instead of  and . More precisely, we show that the permutation braids on the right-hand side of  −1  −1 coincide with the ones of  −1 .

Penetration Distance
In this section we provide experimental results to estimate the size of the parameter  in Propositions 20 and 23 for "randomly" chosen braids  and . We will find that for every  this expectation is uniformly bounded independently of the canonical lengths of the factors  and .
Since the braid group   is infinite for  ≥ 2, choosing braids at random is a non-trivial task. In practice, there are various ways to choose braids of   in a randomized manner. However, different methods result in different probability distributions on   .
Recall that every braid word can be rewritten as an element of the monoid of positive braids  +  which we introduced in Section 2.3. Let || denote the length of a positive braid  ∈  +  , i.e. the number of Artin generators occurring in any positive braid word representing . Since the defining relations of the braid group (and the braid monoid) are homogeneous, this is well-defined.
We start by recalling some results due to Gebhardt and Tawn [27] who studied the Garside normal forms of random braids. They analysed statistical properties of the normal forms of positive braids of length  generated using two methods:
i) Choose uniformly at random  Artin generators   ∈ { 1 , . . .,   −1 } and concatenate them, i.e. choose uniformly at random a braid word from the set of all positive braid words of  +  of length . We say that we generate positive words of length  uniformly at random.
ii) Consider the set of all braids that can be represented by a braid word of length  and choose uniformly at random one braid from this set. We say that we generate uniformly at random positive braids of length .
Note, the number of words representing the same element of  +  depends on the element.Therefore, both variants yield different probability distributions on the set of all braids that can be represented by positive braid words of length .
However, the implementation of the second method is significantly more difficult in practice (see [26] for an algorithm that runs polynomially in  and ) which is why most (cryptographic) applications generate "random braids" similarly to the first method.
Following the terminology of Gebhardt and Tawn, we call conjugation with , i.e. a reflection, of a permutation braid a trivial change.We define the penetration distance as follows.Conjecture 25. [27] Let  ∈   be a braid which is randomly chosen from either the uniformly generated random words or from the uniformly generated random braids of length  and let   be a randomly chosen Artin generator of   .Then the expected penetration distance is bounded independently of the length  of the braid, i.e. there exists some  such that for all  E(pd(,   )) < .
The conjecture raises the question whether there still exists an upper bound for the expected penetration distance of the product  of two randomly chosen braids or braid words independently of their lengths.That is when  is an arbitrary randomly chosen braid or braid word as well instead of a single randomly chosen Artin generator.
For the purpose of investigating this question, we conducted an experiment in magma [14].We generated 2.000 instances of pairs of braid words ,  ∈   for different given lengths using the built-in random function of the braid package in magma.To obtain a "random" braid of given length , this function chooses uniformly at random   from  ∪  −1 ∖ −1 −1 for  = 1, . . ., , where  and  −1 is the set of Artin generators and their inverses respectively.In other words, the built-in random function chooses uniformly at random a braid word from the set of all freely reduced braid words of a given length .
Given such pairs of randomly generated braid words , , we computed the product  and the penetration distance for each particular instance.This was done by comparing the permutation braids in the left normal forms of  and  directly.The diagram in Figure 3 shows the average penetration distance with respect to the lengths of  and  for different values of  .We observe that for each  the average penetration distance increases with the word lengths of the random braids and eventually converges to some bound.Furthermore, these bounds increase with the number of strands  of the braid group.Note that for our attack on WalnutDSA TM we will be mainly interested in estimates for  = 10 because this is the parameter used.
The convergence suggests that for every  there exists an upper bound for the expected penetration distance of the product of randomly generated freely reduced braid words independently of their lengths.
Conjecture 26.Let ,  ∈   be braid words that are picked uniformly at random from all freely reduced braid words of length .Then there exists a   ∈ N such that for all , we have Plotting the distribution of penetration distances for products of randomly chosen freely reduced braid words for different lengths we noted that most data points are distributed closely around the mean.Now, Conjeture 26 has significant importance for Proposition 20.Let  and  be two randomly chosen braids of canonical length  and  respectively.Assuming Conjecture 26, i.e. assuming that the expected penetration distance is bounded by some   independently of the lengths of  and , Proposition 20 implies that we expect at least the leftmost  −   permutation braids of  and  to coincide up to reflection whenever  ≥   .
Looking at the proof of Proposition 23 we see that   is a bound for the expected size of the parameter  too.This is because the inverse of freely reduced braid words of a given length is a freely reduced braid word of the same length.Thus, drawing freely reduced braid words of a given length from the braid group   has the same probability distribution as drawing their inverses.Hence, if  and  are two randomly chosen braids of canonical length  and , we expect at least the  −   rightmost permutation braids of  and  to coincide whenever  ≥   .

The Algorithm
We use the last part of this section to describe how our observation can be utilised to decompose products  of braids , ,  ∈   , when  is known. More precisely, we discuss how to recover  ′ ≡  (mod  2 ) and  ′ ≡  (mod  2 ) such that  =  ′  ′ . Here, by (mod  2 ) we mean up to multiplication with powers of  2 . Later, we apply this algorithm to break WalnutDSA TM and to solve instances of the conjugacy and decomposition search problems.
Let  =   •  1 . . .  ,  =   •  1 . . .  , and  =   •  1 . . .  be the left normal forms of randomly chosen freely reduced braid words , ,  ∈   . Assume that  is greater than the   given by Conjecture 26. We have discussed in the previous section that we can expect the left normal form of  to be of the form for some permutation braids  1 , . . .,   such that   •  1 . . .  =   ( +1 ) . . .  (  ) •  −  and  ∈ Z is the number of fundamental braids  that are created when computing the left-weighted form of   ( +1 ) . . .  (  ) 1 . . .  . Now, if the part of the normal form of  that was preserved into  is of canonical length greater than   + 1, which we expect to happen for  ≥ 2  + 1, the left normal form of () is expected to be of the form (11) by Proposition 23 and the previous section, where   ′ •  1 . . .  is a left-weighted product of permutation braids equal to  ++ ( 1 ) . . . ++ (  ) •  + ( 1 ) . . . + (  ) if the centre of  equals  2 , which we expect for sufficiently long .
We keep this notation for the remainder of this section. Let the left normal form of a given  be where  =  +  +  +  +  ′ . By the previous discussion, we know that  −  > 0 can be expected for randomly chosen freely reduced braid words ,  and  ∈   with  of canonical length greater than 2  + 1.
It is now a straightforward procedure to recover  ′ ≡  (mod  2 ) and  ′ ≡  (mod  2 ) such that  =  ′  ′ knowing only :
1. Compute the left normal forms of  and .
2. Check, using a string-matching algorithm, whether there is a contiguous subsequence  1 . . . 2 of permutation braids of the left normal form of  for some 1 ≤  ≤  1 <  2 ≤  ≤  in the left normal form of . If such a subsequence is found, save its location in the left normal forms of  and  and go to 3. Otherwise, do the same search for contiguous subsequences  ( 1 ) . . . ( 2 ) of  () in the left normal form of . If no common subsequence of permutation braids can be found either, we terminate the process and cannot recover the factors. If multiple common subsequences are found, we run the following steps for each of the finitely many possible solutions. Notice that the latter is not very likely to happen for randomly chosen braid words and sufficiently long subsequences.
3. Split the braid  or  () =  ( 1 ) . . . (  ) at  1 resp. ( 1 ) into two parts. Then, do the same for . Denote the parts   ,   ,   , and   . Note that we find the subsequence  + (  ) . . . + (  ) in  or  () depending on whether  +  leaves residue 0 or 1 modulo 2, since  2 is the identity. Thus, even though we know neither  nor  we can determine the residue of  +  (mod 2), which we denote by ( + ) ′ . Using the notation of the previous paragraphs, we compute :=  + ( 1+1 ) . . . + (  ) Since  +  +  − ( + ) ′ ≡  (mod 2) and − + ( + ) ′ ≡  (mod 2), we have recovered  ′ ≡  (mod  2 ) and  ′ ≡  (mod  2 ). Using  ≡ − + ( + ) ′ (mod 2), we have furthermore
The success rate of this decomposition algorithm will be discussed in Section 6.
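To make the two ingredients of this section concrete, the following Python code is an added example written for this page (it is not the authors' magma implementation referenced later as [37]). It implements a toy Garside left normal form for positive braid words using the Elrifai–Morton local left-weighting step, computes the penetration distance pd(x, y) of Definition 24 from it (treating a reflection by the Δ powers as a trivial change), and performs the contiguous-subsequence search of steps 1 and 2 above, both for B and for its reflection, including the shrinking-window variant described in the WalnutDSA experiments. Assumptions: only positive words (no inverse generators) are supported, permutation braids are represented by their permutations, Δ is tracked as the integer inf, and the `window` parameter plays the role of the number Len; all braids in the examples are small constructed inputs.

```python
"""Toy Garside machinery for positive braids in B_n (added example, not the
paper's magma code).  A permutation braid is a tuple p with p[k] = image of
strand position k (0-indexed); the Artin generator s_i swaps positions i-1, i."""

def compose(a, b):
    """Braid a followed by braid b (a is the left factor)."""
    return tuple(b[a[k]] for k in range(len(a)))

def gen(i, n):
    """Artin generator s_i, 1 <= i <= n-1, as a permutation braid."""
    p = list(range(n))
    p[i - 1], p[i] = p[i], p[i - 1]
    return tuple(p)

def delta(n):
    """Fundamental braid Delta: every pair of strands crosses once."""
    return tuple(reversed(range(n)))

def tau(p):
    """Reflection (conjugation by Delta): s_i -> s_{n-i}."""
    d = delta(len(p))
    return compose(compose(d, p), d)

def start_set(p):
    """S(p): i such that s_i is a left divisor of p (p = s_i * p')."""
    return {i for i in range(1, len(p)) if p[i - 1] > p[i]}

def finish_set(p):
    """F(p): i such that s_i is a right divisor of p (p = p' * s_i)."""
    return {i for i in range(1, len(p)) if p.index(i - 1) > p.index(i)}

def left_weight(a, b):
    """Elrifai-Morton local step: move left divisors of b that are not right
    divisors of a across until S(b) <= F(a).  Returns (a', b') with a'b' = ab."""
    while True:
        movable = start_set(b) - finish_set(a)
        if not movable:
            return a, b
        s = gen(min(movable), len(a))
        a, b = compose(a, s), compose(s, b)  # a * s_i  and  s_i^{-1} * b

def left_normal_form(word, n):
    """Left normal form Delta^inf x_1 ... x_cl of a positive word: (inf, [x_i])."""
    factors = [gen(i, n) for i in word]
    ident = tuple(range(n))
    changed = True
    while changed:  # sweep until every adjacent pair is left-weighted
        changed = False
        for k in range(len(factors) - 1):
            a, b = left_weight(factors[k], factors[k + 1])
            if (a, b) != (factors[k], factors[k + 1]):
                factors[k], factors[k + 1] = a, b
                changed = True
        factors = [p for p in factors if p != ident]
    inf = 0
    while factors and factors[0] == delta(n):  # Delta factors end up in front
        inf += 1
        factors.pop(0)
    return inf, factors

def penetration_distance(x, y, n):
    """pd(x, y) of Definition 24: trailing factors of x changed non-trivially in
    xy.  A reflection by tau coming from the Delta powers is a trivial change."""
    inf_x, fx = left_normal_form(x, n)
    inf_xy, fxy = left_normal_form(x + y, n)
    fx = [tau(p) if inf_x % 2 else p for p in fx]
    fxy = [tau(p) if inf_xy % 2 else p for p in fxy]
    k = 0
    while k < min(len(fx), len(fxy)) and fx[k] == fxy[k]:
        k += 1
    return len(fx) - k

def find_factor_run(b_factors, prod_factors, window):
    """Steps 1-2 of the decomposition: find `window` consecutive permutation
    braids of B, or of tau(B), in the normal form of the product.
    Returns (position in product, position in B, reflected) or None."""
    for reflected in (False, True):
        bf = [tau(p) if reflected else p for p in b_factors]
        for j in range(len(bf) - window + 1):
            for i in range(len(prod_factors) - window + 1):
                if prod_factors[i:i + window] == bf[j:j + window]:
                    return i, j, reflected
    return None

def locate_with_shrinking_window(b_factors, prod_factors, max_window):
    """Section 5.2 variant: shrink Len until a run is found or Len reaches 0."""
    for w in range(min(max_window, len(b_factors)), 0, -1):
        hit = find_factor_run(b_factors, prod_factors, w)
        if hit is not None:
            return w, hit
    return None
```

For instance, in B_3 the word σ1σ2σ1 normalises to Δ with no further factors, and `penetration_distance([1], [2, 1, 2], 3)` is 0 because σ1·σ2σ1σ2 = Δσ2 only reflects the single factor of σ1 (a trivial change), whereas `penetration_distance([1], [2], 3)` is 1. In B_4, with B = σ3σ3 and the product σ1·B, a window of 2 finds no run but a window of 1 locates the rightmost factor of B at position 1 of the product, which is the behaviour Proposition 23 and the shrinking-Len heuristic rely on.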
New Attack on WalnutDSA TM

In this section we present our attack on the group-based signature scheme WalnutDSA TM , which is an application of the decomposition algorithm developed in Section 4.
In Section 5.1 we present the idea behind our attack on WalnutDSA TM , before providing experimental results on the success of our attack in Section 5.2. In Section 5.3 we discuss how different parameters influence the running time and success rate of our attack and we suggest one potential countermeasure.

Universal Forgery Attack
Let  be a message with the legitimately produced signature Sig ∈   . Recall that the braids corresponding to signatures of WalnutDSA TM have a representative braid word of the form where (()) is the encoded message and  1 ,  2 ∈   are braids of the form  1 •  −1 •  and  ′ •  2 with additional concealed cloaking elements inserted. Here, ,  ′ ∈   are the private braids of the signer and ,  1 ,  2 are braids cloaking the identity of S  and the permutations induced by  and  ′ , respectively.
It is easy to see that the braid Sig ′ :=  1 • (( ′ )) •  2 is a valid signature for the message  ′ . Hence, the ability to locate (()) in a legitimate signature and to replace it by (( ′ )) for an arbitrarily chosen message  ′ gives rise to a universal forgery attack.
To prevent attackers from finding the encoded message by simply parsing the signature, the designers of WalnutDSA TM suggested an obfuscation procedure, that is, the application of a rewriting algorithm such as the Garside normal form, the BKL normal form [11], stochastic rewriting [2] or Dehornoy's handle reduction [17] to the braid before appending the signature to a message.
Note that rewriting changes only the representative of the same braid. Consequently, normal forms are the strongest way to obfuscate signatures, because every attacker can compute them given any other representative of the same braid.
Our experimental results in the next section show that most legitimately produced signatures of WalnutDSA TM are susceptible to the decomposition algorithm described in Section 4.3. Since anybody can compute the encoding of a message , this allows us to recover . This is enough to obtain forged signatures for any other message  ′ .

Experimental Results
We have implemented the relevant parts of WalnutDSA TM and our attack in magma [14]. The source code of our implementations can be found on GitHub [37]. For our experiments we used the recommended parameters as listed in Section 3.2 for the two security levels. In particular, the number of strands  was set to 10.
By Section 4 we know that the crucial part for our decomposition algorithm to work is finding a (potentially reflected) contiguous subsequence of permutation braids of the normal form of (()) in the normal form of the signature of . We generated 1,000 instances of signatures for randomly chosen messages  and both security levels. In our experiment, we were able to locate such a common subsequence of permutation braids in the normal forms of   ((())) and  1 • (()) •  2 for either  = 0 or 1 in all instances. The following table, Figure 4, shows the canonical lengths of the common subsequences we found for the 128- and 256-bit parameters respectively. To put this into context, we measured the canonical length of encoded messages. For the 128-bit parameters, encoded messages had canonical lengths ranging from 112 to 165 with a mean of 140. The range for the 256-bit parameters was 248 to 310 with a mean of 280 permutation braids.
To determine the position of a common subsequence of permutation braids in the (reflected) encoded message   ((())) and the signature Sig, we compared a specified number Len of permutation braids of   ((())) and Sig for  = 0, 1 at a time. Note that finding common subsequences of a given length is faster than finding all common subsequences of arbitrary lengths.
The larger the number Len, the less likely it becomes that a common subsequence appears in the signature just by coincidence. However, we want it to be small enough to actually find a common subsequence in most cases. Fixing Len = 15 turned out to be a good choice in our implementation, but taking Len = 10 or 20 leads to almost the same results. Later, we will see that increasing the number of strands  in the Walnut digital signature algorithm would lead to shorter common subsequences of permutation braids. In this situation we can improve our algorithm to find the common position and whether  = 0 or 1 by reducing Len step by step whenever we cannot find a common subsequence of permutation braids for  = 0 and 1, until we find one or Len = 0.
Testing our entire attack on randomly generated instances, 99.8% of legitimately produced signatures for the 128-bit parameters turned out to allow our universal forgery attack. For the 256-bit security level, 100% of signatures were susceptible.
The algorithm to recover the braids  ′ 1 and  ′ 2 and thus to produce universal forgeries takes less than a second for the 128-bit and only a couple of seconds for the 256-bit parameters.
The higher success rate for the 256-bit parameters can be explained by the output of the hash function being twice as long. This results in the normal form of the encoding containing roughly twice as many permutation braids. Therefore, it is more likely to find a common contiguous subsequence of permutation braids in the left normal forms of the signature and the (reflected) encoded message.

Countermeasures
Finally, we discuss how different parameters of WalnutDSA TM influence the running time and success rate of our attack and we suggest one potential countermeasure. Here, the success rate means the proportion of signatures that allow a universal forgery attack.
Independence from : Unlike the attacks [10,29], our attack works on the braids only and thus independently of the colored Burau representation. In particular, it is independent of the size  of the underlying finite field F  .
Increasing the length of the private braids: Increasing the number of concealed cloaking elements or the length of the private braids makes both  1 and  2 and consequently the signature larger. The running time of our attack is quadratic in the length of the signature, so this slows down our attack slightly, while simultaneously enlarging the signatures.
We have seen in Section 4.3 that the expected number of permutation braids that change non-trivially when multiplying with randomly chosen braid words on the left and right is bounded independently of their length. Therefore, we do not expect enlarging  1 and  2 to have a great influence on the success of our attack. Indeed, we generated random instances of Walnut signatures using different lengths for the private keys. This did not seem to have any influence on the number of permutation braids found as a common subsequence in the signature and the (reflected) encoding. The success rate of the attack did not change even for very long private braids.
For private braids randomly chosen from freely reduced words of length 15,000 Artin generators (instead of 287), our attack is still successful within a few minutes, while legitimate signatures reach the upper limit imposed on the length of signatures that are accepted as valid in the current implementation of WalnutDSA TM . Consequently, increasing the length of the private braids is not useful to thwart our attack.
Increasing : Looking at the formula for the running time, increasing  is another way to slow down the attack slightly.
More interesting, however, is that increasing  decreases the success rate. We conducted an experiment generating WalnutDSA TM instances for different values of . Figure 5 shows the percentage of signatures allowing our universal forgery attack out of 1,500 randomly generated Walnut instances depending on .
We have seen in Figure 3 that raising  influences the number of permutation braids that are expected to change when multiplying with braids on the right. For multiplication on the left, we obtained the same result. At the same time, the canonical length of the encoding remains constant when scaling up , since it only depends on the length of the output of the hash function used in WalnutDSA TM . Combined, this implies that the expected length of the common subsequence of permutation braids of signature and encoding shrinks when raising . Note that we cannot simply reduce the length of the output of the hash function, as the signature scheme would become vulnerable to collision search attacks [41].
As our attack does not work anymore once there is no common subsequence of permutation braids left, this explains the decreasing success rate when increasing . In the 256-bit version the hash function has a longer output and therefore the common subsequence of permutation braids of encoding and signature is longer than in the 128-bit setting. This explains why the success probability decreases more slowly when increasing  for the 256-bit security level. Moreover, we measured the success of our attack by checking whether we recovered the braids  1 and  2 modulo their centre successfully. For large  it is more likely that the centre of the encoding (()) does not equal  2 , and as we recover the braids  1 and  2 modulo the centre of (()), this might not be accepted as valid.
Considering our experiment shown in Figure 5, the success of our attack seems to decrease exponentially when increasing . However, this would increase the size of the public keys and slow down the signature verification quadratically in . Moreover, one could fear that with  increasing and the hash output length constant, the encoding will not have good mixing properties. It might then be possible to isolate the encoding in the signature by simply parsing the braid, leading to other weaknesses.
Adding additional cloaking elements to the encoded message: Finally, one could add some randomness to the encoder, altering the permutation braids in the signature corresponding to the encoding, which can be done by adding concealed cloaking elements (see Section 3.1) to the encoding. This countermeasure was independently found and suggested by the WalnutDSA TM team in a private correspondence. Clearly, the previously described attack to recover  1 and  2 modulo  2 does not necessarily work anymore after adding cloaking elements to the encoding. However, forging signatures is possible as long as we can find at least one permutation braid in the signature corresponding to a permutation braid in the encoding and the encoding separates the permutation braids of  1 and  2 . That is,  are the parts of the encoding (()) containing additionally concealed cloaking elements. Together with the fact that all encodings are pure braids, we therefore have for  = 0 or 1 We know that this still satisfies (5) and thus it is a valid signature for  ′ . Hence, even though an attacker cannot recover  1 and  2 up to the centre, they can still compute a forged signature for any message  ′ as long as they find a single permutation braid from the encoding in the signature at the correct position.
Consequently, to counter the attack one needs to make sure that all permutation braids originating from the encoding in the signature are changed. Our experiments show that introducing one cloaking element sometimes changes only 5 permutation braids in its surroundings for  = 10. Considering the canonical length of the common subsequences measured in Section 5, we would therefore expect that at least 30 and 60 additional concealed cloaking elements need to be added for the two security levels respectively. However, it might be necessary to add even more cloaking elements to prevent susceptibility to our attack after applying an uncloaking procedure, such as the one due to Kotov, Menshov, and Ushakov [35], to critical positions in the middle of the signature, eventually removing concealed cloaking elements.
Altogether, adding additional concealed cloaking elements to the encoding is the best way we found to thwart our attack. Yet, it would slow down the signature generation, as all additional concealed cloaking elements need to be generated separately, and it would enlarge the signatures of WalnutDSA TM .

Application to the Conjugacy and Decomposition Search Problem
Another problem that can be solved using our decomposition algorithm from Section 4 is the decomposition search problem, which can be formulated for the braid group as follows.
Definition 28. Given two elements ,  of the braid group   and two subsets ,  ⊆   . The decomposition search problem (DSP) is to find elements  ∈  and  ∈  such that  = .
It is straightforward to construct key exchange protocols based on this problem, assuming that the elements of  and  commute with each other [34,43]. Here, our decomposition algorithm of the previous section can be used to recover  and  for some instances up to elements of the centre of , given  = .
Recall that our algorithm to solve the DSP by decomposing the braid  is not only fast but also requires almost no memory. Given  and a product of braids  in   , the decomposition algorithm of Section 4 is dominated by the time it takes to compute the Garside normal form of , i.e. (||²  log ) using Thurston's approach, where || denotes the number of permutation braids a given positive braid word of  is written in. Note that the Garside normal form can be computed even faster in practice [27].
We analysed the success of our decomposition algorithm for randomly chosen braid words ,  and . To this end we generated uniformly at random freely reduced braid words , ,  ∈   of given lengths using magma [14]. Given the product  and , we applied the decomposition algorithm and considered a run successful whenever we were able to recover  and  up to the centre of   , i.e. up to multiplication by powers of  2 .
Figure 6 shows the percentage of successful recoveries depending on the word lengths of ,  and  for different numbers of strands . We see that the attack is very successful for sufficiently long randomly chosen braid words, reaching a 100% success rate. Moreover, we see that this "sufficient" length increases with . This is no surprise, since the bound of Conjecture 26 increases with  as noticed previously. Thus, for shorter words it is less likely to find a contiguous subsequence of (reflected) permutation braids of  in . Moreover, for randomly chosen words  of short length it is more likely that the centre of the braid associated to  does not equal the centre of the braid group, which is generated by  2 . Therefore, braids recovered for short  using our decomposition algorithm might not be accepted as valid in our experiments.
Clearly, the conjugacy search problem (Definition 1) is a special case of the decomposition search problem, and our decomposition algorithm can be used to solve instances of the conjugacy search problem too. Indeed, a successful run of the decomposition algorithm provides us with a braid C equal to  up to the centre of , given  and  =  •  •  −1 . Consequently, C is a solution to the conjugacy search problem, as Recall that our decomposition algorithm needs a common subsequence of permutation braids of   () and  =  •  •  −1 , for  = 0 or 1, to work. By Section 4.2, we can expect this for braid words  and  that are chosen uniformly at random whenever  has sufficiently large canonical length, depending on . However, in the case of the conjugacy search problem we can apply our decomposition algorithm for some short  as well, exploiting that  and  are conjugate. This is because  can be recovered by applying the decomposition algorithm to the braids   and   = ( •  •  −1 )  =  •   •  −1 , which have larger canonical length, instead of  and , where  is a positive integer. We tested this procedure for randomly generated braid words of given lengths  and . Whenever the decomposition algorithm was not able to find a common subsequence in the permutation braids of   () and  =  •  •  −1 for  = 0 or 1, we tried it on   and   instead.
In our experiments we used  = 4 and reran the decomposition algorithm on powers at most 3 times. The results of our experiments can be seen in Figure 7 and show clearly that the decomposition algorithm works in the case of the CSP for shorter words than for the DSP displayed in Figure 6.
However, we want to point out that there is not always an  such that   and   share a (potentially reflected) subsequence of permutation braids. Indeed, the minimal counterexample is  = 4,  =  1 and  =  2  1  −1 2 , where the   are Artin generators. We denote permutation braids by their induced permutations. The left normal forms of   and   are the products (1, 2)  and (1, 3, 2, 4)(2, 3) −1 (1, 3, 2) respectively, which do not share a single permutation braid. Due to the widespread use of the CSP, DSP and their variants in the design of cryptographic protocols, studying further applications of our decomposition algorithm and a thorough comparison with other solutions to the conjugacy and decomposition search problems in braid groups will be subject of future work.

Conclusion and Further Work
In cryptographic schemes based on braid groups, products of braids are often constructed involving secret braids as factors, and it is hoped that rewriting the product will hide the individual factors. We demonstrated that this is not the case for randomly chosen braid words. We provided an algorithm to compute the individual components of products  when  is known and  is presented in normal form. We expect this decomposition to work for randomly chosen braids ,  and  if  is of canonical length greater than 2  + 1, where   is the number given by Conjecture 26. In Section 4.2 we estimated   experimentally for some values of .
As an application of our decomposition algorithm we presented a new universal forgery attack on the previously unbroken instantiation of WalnutDSA TM . Given a single random message-signature pair, our attack forges signatures for arbitrary messages within seconds for the 128-bit and 256-bit security levels. Hereby, the forgeries are indistinguishable from legitimately produced signatures. Our experiments showed that 99.8% and 100% of legitimately produced signatures in WalnutDSA TM can be used in our new attack for the claimed 128-bit and 256-bit security levels respectively. In contrast to previous attacks, our attack produces signatures that are distributed identically to legitimate signatures and applies to all versions of WalnutDSA TM . Unlike the previous attacks in [10,29], our attack works on the braids only. Thus, it does not depend on the colored Burau representation of the braid group and is independent of the size  of the underlying finite field F  . We have further discussed how other parameters influence the success probability and running time of our universal forgery attack. Adding sufficiently many concealed cloaking elements to the encoding may thwart our attack at the cost of increasing the length of signatures and slowing down the signature generation algorithm.
As another application, we provide a new algorithm for solving the conjugacy and decomposition search problems, two problems at the heart of other cryptographic systems based on braid groups [22]. The running time of this algorithm is dominated by the time it takes to compute the Garside normal form of , and it requires almost no memory.
We leave a full theoretical analysis of our decomposition algorithm for products of braids to further work. In particular, a proof of Conjecture 26 would be very interesting, even from a purely mathematical point of view. Conjecture 25 due to Gebhardt and Tawn [27], which would provide a partial solution, is yet to be proven as well.
Improving our attack, finding different countermeasures and studying the efficiency of the one suggested by us might be of interest for further research regarding WalnutDSA TM . More generally, we believe that our decomposition algorithm is applicable to other cryptographic schemes that have been suggested for braid groups. Researching further applications and a thorough comparison of our new solution to the conjugacy and decomposition search problems in braid groups to existing approaches will be subject of future work.

Definition 24. [27]
For two braids  and , the penetration distance pd(, ) for the product  is the number of permutation braids at the end of the normal form of  which undergo a non-trivial change in the normal form of the product, i.e.
pd(, ) = cl () − max { ∈ {0, . . ., cl ()} :  − inf () ∧   =  − inf () ∧   }
where cl(•) denotes the canonical length and inf(•) the infimum of a braid. Based on their experiments, Gebhardt and Tawn conjectured the following.

Fig. 3: Average penetration distance after multiplication with a braid of given length on the right hand side

Fig. 4: Lengths of common subsequences of permutation braids of encodings and signatures

Fig. 6: Success rate of the decomposition algorithm for instances of the DSP
Sig 1 , Sig 2 are valid signatures for  1 and  2 under the public keys (( 1 ), ( 2 )) and (( 2 ), ( 3 )) respectively, then Sig 1 • Sig 2 is a valid signature for  under the public key (( 1 ), ( 3 )). Suppose an attacker wants to forge a signature for the message  under the public key , Sig  ) that are valid under the same public key. By the malleability properties, it suffices to find a factorization ℎ = ℎ 1 • ℎ −1 2 • ℎ 3 . . . ℎ −1 −1 • ℎ  to get a valid signature for , where ℎ  denotes the matrix part of  (((  ))) . Such a factorization can be obtained by writing ℎ • ℎ −1 1 as a product of elements of the set

Lemma 18. Let 1 ≤  1 ,  2 ≤  be elements of   . Then 1 ≤  ( 1 ),  ( 2 ) ≤  too. Furthermore,  1  2 is a left-weighted product if and only if  ( 1 ) ( 2 ) is left-weighted.
Thus, (8) is a product of permutation braids but in general not left-weighted. However, we see that  ( 1 ) . . . (  ) is a left-weighted product by Lemma 18 and thus the following lemma is an immediate consequence.
Lemma 19. Let   •  1 . . .  and   •  1 . . .  be the left normal forms of the braids ,  ∈   respectively. Let  ′ ≡  (mod 2), then
Note that we have   •  1 . . .  =   ( −  +1 ) . . .  (  ) •  1 . . .  .

The algorithms to compute the Garside left normal form visualize the previous proposition quite well. If  1 • • •   is a left normal form and we multiply with an Artin generator   on the right, this modifies the last permutation braid if     ∧  ≠   ∧ . If   is not changed, all permutation braids to its left are still in left normal form and we are done. If   is changed, two conditions must be met for  −1 to be changed as well. First,     ∧  must contain another Artin generator   in the set of all Artin generators the word can start with compared to   ∧ . And second,  −1

Proposition 20. Let ,  ∈   and let   •  1 . . . and   •  1 . . . be their left normal forms respectively. The left normal form of  is ++ •  + ( 1 ) . . . + ( − ) •  1 . . .  , for some integer 0 ≤  ≤  and permutation braids  1 , . . .,   , where  ∈ Z is the number of 's that are created when computing the left normal form of   ( 1 ) . . .  (  ) 1 . . .  .