Could SFLASH be Repaired?

The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. This attack belongs to a new generation of cryptanalysis which targets geometrical properties of multivariate functions. It works particularly well on SFLASH due to its simple structure but further applications are emerging. Considering these new developments, it occurs that the general design principle of multivariate schemes itself might be questionable : can we effectively hide a specific multivariate function using linear maps ? In this paper, we keep focused on the simple example of SFLASH. We review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. In fact, this raises the general remark that, since the large field structure is only necessary to perform the secret operations, it indeed should not be encapsulated in the public key. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of interesting limitations of the recent attack and provides us with additional elements to answer the general question defined above.