Attack on Kayawood protocol: uncloaking private keys

1 Introduction

Braid group cryptography received significant attention since invention of the first braid-based key-agreement protocols in 1999: Ko-Lee protocol [1] and Anshel-Anshel-Goldefeld protocol [2]. Both protocols use conjugation as main operation, and both were found vulnerable to linear attacks (such as [3] and [4]) and heuristic length-based attacks (such as [5, 6, 7, 8, 9]).

Kayawood protocol (and other protocols from its family: Algebraic Eraser proposed in [10], WalnutDSA proposed in [11], and Ironwood proposed in [12]) uses a different type of action, called E-multiplication, and utilizes commuting actions of non-commuting braids. This is what in our opinion distinguishes Kayawood from “classic” braid-based schemes such as Ko-Lee.

2 Action of colored Burau group on some finite set

Here we review one non-faithful representation of a braid group called the colored Burau group.

2.1 Braid group

In this section we follow the exposition of [22, Section 5.1]. A braid is obtained by laying down a number of parallel pieces of strands and intertwining them, without loosing track of the fact that they run essentially in the same direction. In our pictures the direction is horizontal. We number strands at each horizontal position from the top down. See Figure 1 for example.

Figure 1

A 4-strand braid.

If we put down two braids u and v in a row, so that the end of u matches the beginning of v, we get another braid denoted by uv, i.e., concatenation of n-strand braids is a product. We consider two braids equivalent if there exists an isotopy between them, i.e., it is possible to move the strands of one of the braids in space (without moving the endpoints of strands and moving strands through each other) to get the other braid. We distinguish a special n-strand braid which contains no crossings and call it a trivial braid. Clearly, the trivial braid behaves as left and right identity relative to the defined multiplication. The set B_n of isotopy classes of n-strand braids has a group structure, because if we concatenate a braid with its mirror image in a vertical plane, the result is isotopic to the trivial braid.

Each braid is uniquely defined by a sequence of strand crossings. A crossing is called positive if the front strand has a positive slope, otherwise it is called negative. There are exactly n − 1 crossing types for n-strand braids, we denote them by x₁, . . . , x_n−1, where x_i is a positive crossing of ith and (i + 1)st strands. As we mentioned above, any braid is a sequence of crossings, and the set {x₁, . . . , x_n−1} generates B_n. It is easy to see that crossings x₁, . . . , x_n−1 are subject to the relations

xixj=xjxi for i,j such that |i−j|>1xixi+1xi=xi+1xixi+1 for 1≤i≤n−2.

In fact, it can be shown that the relations above define equivalence relation on braids and, hence, B_n has the following combinatorial presentation:

B n ≃ x 1 , … , x n − 1 ∣ x i x j = x j x i  for  | i − j | > 1 , x i x i + 1 x i = x i + 1 x i x i + 1 .

It easily follows from the presentation above that elements in the subgroups L_n = 〈x₁, . . . , x_m−1〉 and U_n = 〈x_m+1, . . . , x_n−1〉 pairwise commute, where m=⌊ n2 ⌋.

A braid word is a word w = w(x₁, . . . , x_n−1) in the generators of B_n and their inverses:

(1) w=xi1ε1…xikεk,

where 1 ≤ i_j ≤ n − 1 and ε_j = ±1. The length of the braid word (1) is k, denoted by |w|. If u¯=(u1,…,uk) is a k-tuple of braid words, then the total length |u¯| of u¯ is defined as ∑ i=1k| ui |.

Every braid w naturally defines a permutation σ_w, which is a permutation of the endpoints of the involved strands. The corresponding map w ↦ σ_w is an epimorphism. If σ_w is trivial, then w is called a pure braid.

Recall that the commutator of braid words u and v is the braid word [u, v] = u⁻¹v⁻¹uv. For a set of braids u₁, . . . , u_k define a set

C(u1,…,uk)={ c∈Bn∣[ c,ui ]=1 for every 1≤i≤k },

called the centralizer of u₁, . . . , u_k. It is easy to check that a centralizer is a subgroup of B_n.

The group B_n has a cyclic center generated by the element Δ², where Δ is the element, called the half twist, defined as follows:

Δ=(x1…xn−1)⋅(x1…xn−2)⋅…⋅(x1).

2.5 Cloaking elements

Let G be a group acting on a set X, x ∈ X, and x^g ∈ X denotes the result of the action of g ∈ G on x. The stabilizer of x is the set

Stab(x)={ g∈G∣xg=x }.

It is easy to check that Stab(x) is a subgroup of G. The protocol [13] requires braids stabilizing some (M, σ) ∈ GL_n(𝔽_q)× S _n through the right action of the braid group via E-multiplication. Such braids are called cloaking elements in [13, Definition 2.1]. Observe that these elements depend on t-values that are used to define E-multiplication. The following way of constructing cloaking elements was proposed in [13].

Proposition 2.1

([13, Proposition 2.2]). Fix (M, σ) ∈ GL_n(𝔽_q)× S_n and assume that a, b, i ∈ N and w ∈ B_n satisfy the following conditions:

1≤a<b≤n and τa=τb=1,         1≤i<n and σw(i)=σ−1(a),σw(i+1)=σ−1(b).

Then wxi±2w−1∈ Stab((M, σ)).

The main purpose of a cloaking element is to “cloak” a braid A that acts on a given pair (M, σ), multiplication of A on the left by a cloaking element hides some structure of A without changing the way it acts. Observe that the property of a braid to cloak (M, σ) depends on σ only. Hence, we can denote the subgroup of Stab((M, σ)) generated by cloaking elements from Proposition 2.1 by C _σ.

The following naturally follows from Proposition 2.1.

Corollary 2.2

If σ, ρ ∈ S_n are such that σ⁻¹(a) = ρ⁻¹(a) and σ⁻¹(b) = ρ⁻¹(b), then C_σ = C_ρ.

Remark 2.3

Geometrically, conditions of Proposition 2.1 define a braid that:

1. intertwists strands getting strands a and b next to each other using w,

2. double twists a and b using xi2,

3. intertwists strands backwards using w⁻¹.

The obtained braid has the structure as shown in Figure 2.

Figure 2

Cloaking element.

Another way to generate cloaking elements was suggested in [18, D. Atkins on April 4, 2018], see [16, Proposition 2.3]. We do not consider elements of this type here since they are similar to elements of Proposition 2.1, and cryptanalysis [16] showed they are less secure.

3 Kayawood protocol

Kayawood protocol is a two-party, Alice and Bob, key-agreement protocol that uses E-multiplication defined in Section 2.4. The following initial public information is generated by one of the parties or by another entity (and distributed to each party):

1. The braid group B_n, where n ≥ 16 is even.

2. Obfuscation procedures R.

3. A finite field 𝔽_q.

4. Integers a and b satisfying 1 ≤ a < b ≤ n.

5. Non-zero elements τ₁, . . . , τ_n ∈ 𝔽_q such that τ_a = τ_b = 1.

Then Alice generates the following private data:

1. β₁, . . . , β_r ∈ U_n = 〈x_m+1, . . . , x_n−1〉 such that σβ1,…,σβr have high order. Recall that m=⌊ n2 ⌋.

2. z ∈ B_n such that |σ_z({1, . . . , m}) ∩ {1, . . . , m}| ≈ m/2.

3. Her private key is A = zαz⁻¹, where α ∈ L_n = 〈x₁, . . . , x_m−1〉.

Key establishment:

1. Alice sends to Bob {𝓡(zβ₁z⁻¹), . . . , 𝓡(zβ_rz⁻¹)} and σ_A.

2. Bob performs the following:

   1. Generates his private key B as a random product of elements 𝓡(zβ₁z⁻¹), . . . , 𝓡(zβ_rz⁻¹) and their inverses.

   2. Generates random v₁, v₂ ∈ B_n cloaking σ_A and σ_Aσ_B respectively.

   3. Sends his public key P_B = 𝓡(v₁Bv₂) to Alice.

3. Alice performs the following:

   1. Computes σ_B = σ_PB.

   2. Generates random u₁, u₂ ∈ B_n cloaking σ_B and σ_Bσ_A respectively.

   3. Sends her public key P_A = 𝓡(u₁Au₂) to Bob.

4. Finally, the shared key is

computed by Alice as (I, 1) * A * P_B and by Bob as (I, 1) * B * P_A.

We say that a protocol is secure against a passive eavesdropper if there is no probabilistic polynomial time algorithm that can compute the shared key (I, 1) * A * B based on the public information exchanged by the parties, namely:

The corresponding computational problem can be approached on two different levels: matrices and braids.

4 Finding the shared key using public keys

Testing out our generating procedures, we discovered a very surprising property of random keys. In about 60% of the cases one of the following equalities was satisfied:

i.e., the shared key could be obtained using public keys. After a thorough check of our implementation we realized that our observation is not a result of an error, but a feature of the design of the protocol. We suspect that the authors are unaware of this problem, otherwise it would be mentioned in the description of Kayawood.

5 Passive attack: finding Alice’s private key

In [13, Section 5] the authors show that the problem of computing the shared key based on public data is polynomial-time equivalent to the cloaking problem formulated as follows.

Cloaking problem. Given a braid β = R(v₁β₀v₂),where v₁, v₂ are cloaking elements for known permutations and β₀ is a braid in an unknown subgroup of B_n, find the element (I, id) * β₀.

The authors of [13] claim that there is no known approach to the problem and even brute-force enumeration will result in a collection of possible pairs (I, id) * β₀ and there is no a priori way to decide which β₀ is correct. In this section we show that the last statement is incorrect and reduce security of Kayawood protocol to some clearly stated problem of computational group theory.

Cloaking problem for Alice (CPA). Given braids b₁, . . . , b_r commuting with an unknown braid A, a permutation σ_B associated with an unknown braid B ∈ 〈b₁, . . . , b_r〉, and a braid PA∈CσBA, find any element in the intersection CσBPA∩C(b1,…,br).

An instance of CPA can be viewed as a tuple

satisfying the conditions mentioned in the statement of the problem. A solution for that instance is any element from the intersection

This defines the basic idea of our attack: we uncloak Alice’s public key (solving the CPA problem) and obtain a substitute for her private key.

6 Conjugating instances of the cloaking problem: search for the secret conjugator z

In this section we show that design of the Kayawood protocol leaves us some freedom to manipulate with the secret conjugator z efficiently reducing its length to much smaller values (see Tables 1 and 2). We would like to stress from the beginning that it is pointless and impossible to find the exact element z based on the available public data (see Section 6.2), and we never approach that problem. Instead, we are looking for a “sufficiently good” substitute for z.

7 C_σ-coset enumeration

One way to find a solution for the instance (6) is to enumerate elements in the coset CσBPA until an element commuting with b₁, . . . , b_r is found. A straightforward approach to coset enumeration requires to find a generating set for the subgroup C_σB and enumerate its elements. Instead, we developed a different way to solve (6) that attempts to directly identify and remove cloaking elements from P_A. Our algorithm is based on the following rather informally stated observations.

1. As mentioned in Remark 2.3, the letters x_i in the word wxi±2w−1 from Proposition 2.1 twist two particular strands σ−1(a) and σ−1(b).

2. Replacement wxiεxiεw−1→wxi−εxiεw−1, where ε = ±1, produces the trivial braid.

3. Replacement of a single letter xi±1 that twists strands σ⁻¹(a) and σ⁻¹(b) with xi∓1 in a braid word w1xi±1w2 corresponds to multiplication of the word on the left by cloaking element w1xi∓2w1−1.

4. Multiplying a braid word with cloaking elements on the left or on the right (or inserting a cloaking element into a random position) usually increases the length of the braid.

5. Even though obfuscation of a cloaked braid word changes the way the word looks, it preserves the isotopy type of the braid and the result of obfuscation typically twists strands σ⁻¹(a) and σ⁻¹(b) at the crossing corresponding to the middle of wxi±2w−1.

6. By tracing strands in a given braid, we can algorithmically find all letters that twist strands σ⁻¹(a) and σ⁻¹(b). We call those letters critical letters for the corresponding strands.

Recall that we switch from the instance (7) to an instance (9), so we need to enumerate the coset CσBσcc−1PAc. Instead of total coset enumeration, our algorithm attempts to decrease the length of the element c⁻¹P_Ac by flipping powers of the critical letters and applying braid-minimization to the result expecting the length to decrease.

In more detail, the algorithm iteratively constructs a subset of CσBσcc−1PA c starting from the set {c⁻¹P_Ac}. On each iteration it picks a shortest unprocessed word w and performs the following manipulations for each critical letter xi±1 in w that twists strands (σ_Bσ_c)⁻¹(a) and (σ_Bσ_c)⁻¹(b):

1. compute a new word by replacing xi±1 with its inverse xi∓1;

2. shorten the obtained braid word using geodesic-braid minimization algorithm;

3. add the result to the current set.

We say that the algorithm is successful if it finds a word that commutes with δ⁻¹β₁δ, . . . , δ⁻¹ β_rδ. We admit failure if the algorithm is unable to find such a word, and there is no length decrease on the last 100 iterations.

In case of a failure, we randomly reset the instance. To do that, we choose a shortest word in the set of checked words, cloak it by 3 cloaking elements on the left and on the right respectively, apply the normal form and the braid minimization procedure, and start CσBσcc−1PAc enumeration from the resulting braid word. If coset enumeration fails 3 times, we admit failure for the whole attack.

8 Tested parameter values and the results

The paper [13] does not describe the precise procedure to generate cloaking elements from Proposition 2.1, but such a description can be found in [27], see also [16, Section 2]. In particular, for security reasons, the conjugator w in a cloaking element is augmented with L random pure braid generators. Since values of L for 128- and 256-bit security levels are not mentioned in [13], we choose the corresponding values from [27].

For 128-bit security level we use the following parameters:

1. n = 16.

2. q = 32.

3. r = 32.

4. L = 15.

5. |B| = 22 (in terms of generators R(zβ₁z⁻¹), . . . , R(zβ_rz⁻¹)).

6. |z| ∈ [180, 250], |α| ∈ [300, 400], |β_i| ∈ [50, 100].

For 256-bit security level the parameters are:

1. n = 16.

2. q = 256.

3. r = 32.

4. L = 30.

5. |B| = 43.

6. |z| ∈ [300, 400], |α| ∈ [300, 400], |β_i| ∈ [100, 200].

As mentioned in Introduction, after a series of attacks on WalnutDSA the authors proposed several changes to the protocol including changes to the cloaking procedure (see [18, D. Atkins on May 23, 2018]). It was suggested to use several cloaking element inserted into the private keys at random positions. We implemented and tested this idea as well. For cloaking elements we use conjugators w of lengths in the range [30, 50] and insert 30 (for 128-bit level) and 60 (for 256-bit level) such cloaking elements into random positions inside private keys. These insertions are made iteratively, so randomly chosen positions may also be inside previously inserted cloaking elements.

Overall, we tested four versions of the Kayawood protocol, two original versions for 128- and 256-bit security levels and two versions using multiple cloaking elements to mask private keys (with the other parameters corresponding to 128- and 256-bit levels). We used Garside normal form followed by the braid minimization reduction to obfuscate zβ_iz⁻¹ and stochastic rewriting to obfuscate public keys. For each version of the protocol we performed 100 experiments consisting of the following steps:

1. Generate a random protocol instance.

2. Generate random Alice’s private data.

3. Run key establishment protocol.

4. Run heuristic search for z as described in Section 6.2.

5. Run coset enumeration to find a substitute for Alice’s private key as described in Section 7.

Our algorithm solved all randomly generated instances, i.e., our attack had 100% success rate. Moreover, in most cases we found the original private key. Also, we investigated the behavior of heuristic search for z and, for the recovered conjugator c, collected the lengths |z⁻¹c|. For words c⁻¹zβ₁z⁻¹c, . . . , c⁻¹zβ_rz⁻¹c we checked whether they are actually written in the generators of U_n, and for c⁻¹zαz⁻¹c we checked whether it is written in the generators of L_n.

All experiments were performed on a machine with two 8-core 3.1 GHz Intel Xeon CPU E5-2687W and 64GB RAM. The results are provided in Tables 1 and 2.

9 Conclusion

Kayawood protocol, described in [13], does not provide the claimed level of security. It suffers from poor choice of cloaking elements. By design, cloaking elements have very specific geometric type defined by a fixed pair of strands that can be algorithmically recognized and removed. Thus, the definition of cloaking elements seems to be the weak part of the protocol. We doubt that security can be improved simply by increasing parameter values. Nevertheless, we believe that stabilizers for E-multiplication have very rich and algebraically interesting structure and using better cloaking elements (not simply conjugates of squares) can make the protocol more secure.