Practical Key-Recovery for All Possible Parameters of SFLASH
نویسندگان
چکیده
In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C∗ encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin’s attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE project of the European Union to be standardized. However, SFLASH was practically broken in 2007 by Dubois, Fouque, Stern and Shamir. Their attack breaks the original (and most relevant) parameters, but does not apply when more than half of the public key is truncated. It is therefore possible to choose parameters such that SFLASH is not broken by the existing attacks, although it is less efficient. We show a key-recovery attack that breaks the full range of parameters in practice, as soon as the information-theoretically required amount of information is available from the public-key. The attack uses new cryptanalytic tools, most notably pencils of matrices and quadratic forms.
منابع مشابه
Cryptanalysis of SFLASH with Slightly Modified Parameters
SFLASH is a signature scheme which belongs to a family of multivariate schemes proposed by Patarin et al. in 1998 [9]. The SFLASH scheme itself has been designed in 2001 [8] and has been selected in 2003 by the NESSIE European Consortium [6] as the best known solution for implementation on low cost smart cards. In this paper, we show that slight modifications of the parameters of SFLASH within ...
متن کاملPractical Cryptanalysis of SFLASH
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH which was accepted by NESSIE, as well...
متن کاملA Key Substitution Attack on SFLASH
A practical key substitution attack on SFLASH is described: Given a valid (message, signature) pair (m,σ) for some public key v0, one can derive another public key v1 (along with matching secret data) such that (m,σ) is also valid for v1. The computational effort needed for finding such a ‘duplicate’ key is comparable to the effort needed for ordinary key generation.
متن کاملA family of weak keys in HFE and the corresponding practical key-recovery
The HFE (Hidden Field Equations) cryptosystem is one of the most interesting public-key multivariate scheme. It has been proposed more than 10 years ago by Patarin and seems to withstand the attacks that break many other multivariate schemes, since only subexponential ones have been proposed. The public key is a system of quadratic equations in many variables. These equations are generated from...
متن کاملLecture Notes in Computer Science 4622
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH which was accepted by NESSIE, as well...
متن کامل