Cryptanalysis of SFLASH with Slightly Modified Parameters
Authors
Abstract
SFLASH is a signature scheme that belongs to a family of multivariate schemes proposed by Patarin et al. in 1998 [9]. The SFLASH scheme itself was designed in 2001 [8] and was selected in 2003 by the NESSIE European Consortium [6] as the best known solution for implementation on low-cost smart cards. In this paper, we show that slight modifications of the parameters of SFLASH within the general family initially proposed render the scheme insecure. The attack uses simple linear algebra and allows forging a signature for an arbitrary message in a matter of minutes for practical parameters, using only the public key. Although SFLASH itself is not amenable to our attack, it is worrying to observe that no rationale was ever offered for this “lucky” choice of parameters.
Similar references
Practical Key-Recovery for All Possible Parameters of SFLASH
In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C∗ encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin’s attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE proje...
Practical Cryptanalysis of SFLASH
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH which was accepted by NESSIE, as well...
Biclique Cryptanalysis of Block Ciphers LBlock and TWINE-80 with Practical Data Complexity
In the biclique attack, a shorter biclique usually results in less data complexity, but at the expense of more computational complexity. The early abort technique can be used in partial matching part of the biclique attack in order to slightly reduce the computations. In this paper, we make use of this technique, but instead of slight improvement in the computational complexity, we keep the amo...
Cryptanalysis of SFLASH
Sflash is a fast multivariate signature scheme. Though the first version, Sflash, was flawed, a second version, Sflash, was selected by the Nessie Consortium and was recommended for implementation on low-end smart cards. Very recently, due to security concerns, the designer of Sflash recommended that Sflash should not be used; instead a new version, Sflash, is proposed, which essentially only inc...
Polynomial Equivalence Problem and Pencils: Application to Multivariate Cryptanalysis
In this paper, we study the Polynomial Linear Equivalence (PLE) Problem which is the problem of finding two linear transformations S and T such that B = T ◦ A ◦ S given two vectors of multivariate quadratic polynomials A and B. This problem is interesting since it is related to the problem of recovering the secret key of some multivariate cryptographic schemes given only the public key. Additio...