A Key Substitution Attack on SFLASH
Authors
Abstract
A practical key substitution attack on SFLASH is described: Given a valid (message, signature) pair (m,σ) for some public key v0, one can derive another public key v1 (along with matching secret data) such that (m,σ) is also valid for v1. The computational effort needed for finding such a ‘duplicate’ key is comparable to the effort needed for ordinary key generation.
Related references
Practical Key-Recovery for All Possible Parameters of SFLASH
In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C∗ encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin’s attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE proje...
On the Importance of Protecting in SFLASH against Side Channel Attacks
SFLASH was chosen as one of the final selection of the NESSIE project in 2003. It is one of the most efficient digital signature schemes and is suitable for implementation on memory-constrained devices such as smartcards. Side channel attacks (SCA) are a serious threat to memory-constrained devices. If the implementation on them is careless, we are able to break the secret key. In this paper, we ...
A short comment on the affine parts of SFLASHv3
In [3] SFLASH is presented, which supersedes SFLASH, one of the digital signature schemes in the NESSIE Portfolio of recommended cryptographic primitives [2]. We show that a known attack against the affine parts of SFLASH and SFLASH carries over immediately to the new version SFLASH: The 861 bit representing the affine parts of the secret key can easily be derived from the public key alone.
Practical Cryptanalysis of SFLASH
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH which was accepted by NESSIE, as well...
Cryptanalysis of SFLASH
Sflash is a fast multivariate signature scheme. Though the first version Sflash was flawed, a second version, Sflash was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash should not be used, instead a new version Sflash is proposed, which essentially only inc...