Could SFLASH be Repaired?
Authors
Abstract
The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. This attack belongs to a new generation of cryptanalysis which targets geometrical properties of multivariate functions. It works particularly well on SFLASH due to its simple structure, but further applications are emerging. Considering these new developments, it appears that the general design principle of multivariate schemes itself might be questionable: can we effectively hide a specific multivariate function using linear maps? In this paper, we stay focused on the simple example of SFLASH. We review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. In fact, this raises the general remark that, since the large field structure is only necessary to perform the secret operations, it should not be encapsulated in the public key at all. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of interesting limitations of the recent attack and provides us with additional elements to answer the general question defined above.
Similar resources
A short comment on the affine parts of SFLASHv3
In [3] SFLASH is presented, which supersedes SFLASH, one of the digital signature schemes in the NESSIE Portfolio of recommended cryptographic primitives [2]. We show that a known attack against the affine parts of SFLASH and SFLASH carries over immediately to the new version SFLASH: the 861 bits representing the affine parts of the secret key can easily be derived from the public key alone.
On the Importance of Protecting in SFLASH against Side Channel Attacks
SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, we are able to break the secret key. In this paper, we ...
SFLASHv3, a fast asymmetric signature scheme
Note: SFLASH is one of the three asymmetric signature schemes recommended by the Nessie European consortium for low-cost smart cards [19, 14]. The latest implementation report shows that SFLASH is the fastest signature scheme known, see [1]. Recent results on solving random systems of quadratic equations over fields of the form GF (2) (see [2]) suggest that the parameters of SFLASH should be in...
Cryptanalysis of SFLASH
Sflash is a fast multivariate signature scheme. Though the first version Sflash was flawed, a second version, Sflash was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash should not be used, instead a new version Sflash is proposed, which essentially only inc...
SFLASH, a fast asymmetric signature scheme
Note: SFLASH is one of the three asymmetric signature schemes recommended by the Nessie European consortium for low-cost smart cards [21, 16]. The latest implementation report shows that SFLASH is the fastest signature scheme known, see [1] for details. This document is a specification of SFLASH-v3 produced for fear of SFLASH-v2 being broken (see [3]). HOWEVER after detailed analysis by Chen, C...
Journal title:
- IACR Cryptology ePrint Archive
Volume 2009, Issue
Pages -
Publication date 2008