{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T03:45:28Z","timestamp":1760240728004,"version":"build-2065373602"},"reference-count":29,"publisher":"MDPI AG","issue":"9","license":[{"start":{"date-parts":[[2019,8,23]],"date-time":"2019-08-23T00:00:00Z","timestamp":1566518400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Universidad Rey Juan Carlos (CIF: Q2803011B)","award":["2018\/00177\/001 (internal reference M1835)"],"award-info":[{"award-number":["2018\/00177\/001 (internal reference M1835)"]}]},{"DOI":"10.13039\/501100000830","name":"North Atlantic Treaty Organization","doi-asserted-by":"publisher","award":["G5448"],"award-info":[{"award-number":["G5448"]}],"id":[{"id":"10.13039\/501100000830","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>This paper reports on the Walnut Digital Signature Algorithm (WalnutDSA), an asymmetric signature scheme recently submitted for standardization to the NIST call for post-quantum cryptographic constructions. WalnutDSA is a group-theoretic construction whose security relies on the hardness of certain problems related to an action of a braid group on a finite set. Although it initially resisted the attacks that typically succeed against constructions of this kind, several weaknesses were soon identified that render the proposal insecure (and ultimately led to its exclusion from Round 2 of the NIST competition). Some of these attacks exploit the well-structured and symmetric masking of certain secret elements during the signing process. 
We explain the design principles behind this proposal and survey the main attack strategies that have succeeded, contradicting its claimed security properties, as well as the recently-proposed ideas aimed at overcoming these issues.<\/jats:p>","DOI":"10.3390\/sym11091072","type":"journal-article","created":{"date-parts":[[2019,8,26]],"date-time":"2019-08-26T04:38:23Z","timestamp":1566794303000},"page":"1072","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["The Cracking of WalnutDSA: A Survey"],"prefix":"10.3390","volume":"11","author":[{"given":"Jos\u00e9 Ignacio","family":"Escribano Pablos","sequence":"first","affiliation":[{"name":"MACIMTE, U. Rey Juan Carlos, 28933 M\u00f3stoles, Spain"},{"name":"BBVA Next Technologies, 28050 Madrid, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7452-9121","authenticated-orcid":false,"given":"Mar\u00eda Isabel","family":"Gonz\u00e1lez Vasco","sequence":"additional","affiliation":[{"name":"MACIMTE, U. Rey Juan Carlos, 28933 M\u00f3stoles, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Misael Enrique","family":"Marriaga","sequence":"additional","affiliation":[{"name":"MACIMTE, U. Rey Juan Carlos, 28933 M\u00f3stoles, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"\u00c1ngel Luis","family":"P\u00e9rez del Pozo","sequence":"additional","affiliation":[{"name":"MACIMTE, U. Rey Juan Carlos, 28933 M\u00f3stoles, Spain"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,8,23]]},"reference":[{"key":"ref_1","unstructured":"(2016, December 19). 
Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms, Available online: https:\/\/csrc.nist.gov\/News\/2016\/Public-Key-Post-Quantum-Cryptographic-Algorithms."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Persichetti, E. (2018). Efficient One-Time Signatures from Quasi-Cyclic Codes: A Full Treatment. Cryptography, 2.","DOI":"10.3390\/cryptography2040030"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Nguyen, P.Q., and Vall\u00e9e, B. (2010). Practical Lattice-Based Cryptography: NTRUEncrypt and NTRUSign. The LLL Algorithm\u2014Survey and Applications, Springer. Information Security and Cryptography.","DOI":"10.1007\/978-3-642-02295-1"},{"key":"ref_4","first-page":"331","article-title":"Optimized Supersingular Isogeny Key Encapsulation on ARMv8 Processors","volume":"2019","author":"Jalali","year":"2019","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref_5","unstructured":"Garber, D. (2007). Braid Group Cryptography, World Scientific."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"287","DOI":"10.4310\/MRL.1999.v6.n3.a3","article-title":"An algebraic method for public-key cryptography","volume":"6","author":"Anshel","year":"1999","journal-title":"Math. Res. Lett."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"166","DOI":"10.1007\/3-540-44598-6_10","article-title":"New Public-Key Cryptosystem using Braid Groups","volume":"Volume 1880","author":"Ko","year":"2000","journal-title":"Advances in Cryptology, Proceedings of CRYPTO 2000"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"746","DOI":"10.1016\/j.jalgebra.2007.02.002","article-title":"Conjugacy in Garside groups I: Periodic braids","volume":"2","author":"Birman","year":"2007","journal-title":"J. Algebra"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Katz, J. (2010). Digital Signatures, Springer.","DOI":"10.1007\/978-0-387-27712-7"},{"key":"ref_10","unstructured":"Goldwasser, S., and Bellare, M. 
(2001). Lecture Notes on Cryptography, MIT."},{"key":"ref_11","first-page":"58","article-title":"WalnutDSATM: A Quantum Resistant Digital Signature Algorithm","volume":"2017","author":"Anshel","year":"2017","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"101","DOI":"10.2307\/1969218","article-title":"Theory of braids","volume":"48","author":"Artin","year":"1947","journal-title":"Ann. Math."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1090\/conm\/418\/07943","article-title":"Key agreement, the Algebraic EraserTM, and Lightweight Cryptography","volume":"Volume 418","author":"Anshel","year":"2006","journal-title":"Algebraic Methods in Cryptography, Contemp. Math."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Birman, J.S., and Cannon, J. (1974). Braids, Links, and Mapping Class Groups, Annals of Mathematics Studies, Princeton University Press.","DOI":"10.1515\/9781400881420"},{"key":"ref_15","unstructured":"Artin, M. (1991). Algebra, Prentice Hall."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"322","DOI":"10.1006\/aima.1998.1761","article-title":"A new approach to the word and conjugacy problems in the braid groups","volume":"139","author":"Birman","year":"1998","journal-title":"Adv. Math."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"200","DOI":"10.1006\/aima.1997.1605","article-title":"A fast method for comparing braids","volume":"125","author":"Dehornoy","year":"1997","journal-title":"Adv. 
Math."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1090\/conm\/233\/03427","article-title":"The multivariable Alexander polynomial for a closed braid","volume":"Volume 233","author":"Morton","year":"2006","journal-title":"Lower Dimensional Topology, (Funchal, 1998)"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"381","DOI":"10.1007\/978-3-319-76578-5_13","article-title":"A Practical Cryptanalysis of WalnutDSA TM","volume":"Volume 10769","author":"Hart","year":"2018","journal-title":"Proceedings of the Public-Key Cryptography\u2014PKC 2018\u201421st IACR International Conference on Practice and Theory of Public-Key Cryptography"},{"key":"ref_20","first-page":"35","article-title":"Practical Attacks Against the Walnut Digital Signature Scheme","volume":"Volume 11272","author":"Beullens","year":"2018","journal-title":"Proceedings of the Advances in Cryptology\u2014ASIACRYPT 2018\u201424th International Conference on the Theory and Application of Cryptology and Information Security"},{"key":"ref_21","first-page":"646","article-title":"Factoring Products of Braids via Garside Normal Form","volume":"Volume 11443","author":"Merz","year":"2019","journal-title":"Proceedings of the Public-Key Cryptography\u2014PKC 2019\u201422nd IACR International Conference on Practice and Theory of Public-Key Cryptography, Part II"},{"key":"ref_22","unstructured":"Paris, L. (2007). Braid groups and Artin groups. arXiv, 2372."},{"key":"ref_23","first-page":"472","article-title":"Defeating the Hart et al, Beullens-Blackburn, Kotov-Menshov-Ushakov, and Merz-Petit Attacks on WalnutDSA (TM)","volume":"2019","author":"Anshel","year":"2019","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/PL00003816","article-title":"Parallel Collision Search with Cryptanalytic Applications","volume":"12","author":"Wiener","year":"1999","journal-title":"J. Cryptol."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Kotov, M., Menshov, A., and Ushakov, A. (2019). 
An attack on the Walnut digital signature algorithm. Des. Codes Cryptogr., 1\u201320.","DOI":"10.1007\/s10623-019-00615-y"},{"key":"ref_26","unstructured":"Anshel, I., Atkins, D., Goldfeld, D., and Gunnells, P.E. (2019, July 07). The Walnut Digital Signature Algorithm\u2122 Specification, Available online: https:\/\/csrc.nist.gov\/Projects\/Post-Quantum-Cryptography\/Round-1-Submissions."},{"key":"ref_27","unstructured":"(2019, July 07). Comments to WalnutDSA\u2122 Proposal to NIST PQC Project, Available online: https:\/\/csrc.nist.gov\/CSRC\/media\/Projects\/Post-Quantum-Cryptography\/documents\/round-1\/official-comments\/WalnutDSA-official-comment.pdf."},{"key":"ref_28","first-page":"604","article-title":"Attack on Kayawood Protocol: Uncloaking Private Keys","volume":"2018","author":"Kotov","year":"2018","journal-title":"IACR Cryptol. ePrint Arch."},{"key":"ref_29","first-page":"1162","article-title":"Kayawood, a Key Agreement Protocol","volume":"2017","author":"Anshel","year":"2017","journal-title":"IACR Cryptol. ePrint Arch."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/9\/1072\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:13:25Z","timestamp":1760188405000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/9\/1072"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,8,23]]},"references-count":29,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2019,9]]}},"alternative-id":["sym11091072"],"URL":"https:\/\/doi.org\/10.3390\/sym11091072","relation":{},"ISSN":["2073-8994"],"issn-type":[{"type":"electronic","value":"2073-8994"}],"subject":[],"published":{"date-parts":[[2019,8,23]]}}}