Cryptanalysis of SFLASH with Slightly Modified Parameters

نویسندگان

  • Vivien Dubois
  • Pierre-Alain Fouque
  • Jacques Stern
چکیده

SFLASH is a signature scheme which belongs to a family of multivariate schemes proposed by Patarin et al. in 1998 [9]. The SFLASH scheme itself has been designed in 2001 [8] and has been selected in 2003 by the NESSIE European Consortium [6] as the best known solution for implementation on low cost smart cards. In this paper, we show that slight modifications of the parameters of SFLASH within the general family initially proposed renders the scheme insecure. The attack uses simple linear algebra, and allows to forge a signature for an arbitrary message in a question of minutes for practical parameters, using only the public key. Although SFLASH itself is not amenable to our attack, it is worrying to observe that no rationale was ever offered for this “lucky” choice of parameters.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Practical Key-Recovery for All Possible Parameters of SFLASH

In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C∗ encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin’s attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE proje...

متن کامل

Practical Cryptanalysis of SFLASH

In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH which was accepted by NESSIE, as well...

متن کامل

Biclique Cryptanalysis of Block Ciphers LBlock and TWINE-80 with Practical Data Complexity

In the biclique attack, a shorter biclique usually results in less data complexity, but at the expense of more computational complexity. The early abort technique can be used in partial matching part of the biclique attack in order to slightly reduce the computations. In this paper, we make use of this technique, but instead of slight improvement in the computational complexity, we keep the amo...

متن کامل

Cryptanalysis of SFLASH

Sflash is a fast multivariate signature scheme. Though the first version Sflash was flawed, a second version, Sflash was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash should not be used, instead a new version Sflash is proposed, which essentially only inc...

متن کامل

Polynomial Equivalence Problem and Pencils: Application to Multivariate Cryptanalysis

In this paper, we study the Polynomial Linear Equivalence (PLE) Problem which is the problem of finding two linear transformations S and T such that B = T ◦ A ◦ S given two vectors of multivariate quadratic polynomials A and B. This problem is interesting since it is related to the problem of recovering the secret key of some multivariate cryptographic schemes given only the public key. Additio...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2007