Projective interpolation of polynomial vectors and improved key recovery attack on SFLASH

Designs, Codes and Cryptography

Abstract

SFLASH is an instance of the well-known C\(^{*-}\) family of multivariate public key schemes, and it was chosen in 2003 by the NESSIE cryptographic project of the European Consortium as a candidate signature algorithm for digital signatures on resource-limited devices. Recently, Bouillaguet, Fouque and Macario-Rat proposed a successful private key recovery attack on SFLASH that exploits the kernel properties of the quadratic forms of the central map. The most expensive step of the attack is computing kernel vectors of skew-symmetric matrices over a bivariate polynomial ring. Bouillaguet et al. proposed two methods for this computation, both of which rely on symbolic computation with bivariate polynomials. The first method computes characteristic polynomials of polynomial matrices and is very expensive. The second method involves a Gröbner basis computation, so its complexity is difficult to estimate. In this paper we show that this critical step of computing kernel vectors can be carried out by numerical computation on field elements instead of symbolic computation. Our method uses a nondeterministic interpolation of polynomial vectors, which we call projective interpolation, and its complexity can be evaluated explicitly. Experiments show that it is much faster, making the total attack on SFLASH about 30 times faster (the critical step about 100 times faster) than the first method of Bouillaguet et al. The new method is also slightly faster than their second method.
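The abstract's central point is that a kernel vector of a matrix with polynomial entries can be obtained by plain linear algebra on field elements at many evaluation points followed by interpolation, instead of symbolic computation. The following example, added here and not taken from the paper, shows the generic evaluation/interpolation version of that idea on a constructed 3×3 skew-symmetric matrix with univariate entries over a small prime field GF(101) (SFLASH itself works over an extension of GF(2), and the paper's matrices are bivariate). It also shows the pitfall that motivates the word "projective": a kernel vector at each point is only defined up to a scalar, so the samples must be scaled consistently before they can be interpolated. Here the adjugate column is used as the consistent normalisation; the paper's own projective interpolation is only named in the abstract and is not reproduced. All polynomial and matrix values are constructed.

```python
# Added example (not the paper's code): kernel vector of a singular polynomial
# matrix over GF(P) via evaluation at field points, scalar linear algebra, and
# Lagrange interpolation. Instance, field size and normalisation are constructed.
P = 101  # constructed small prime; SFLASH itself works over an extension of GF(2)


# Polynomials over GF(P) are coefficient lists, lowest degree first; [] is zero.
def p_trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a


def p_add(a, b):
    n = max(len(a), len(b))
    return p_trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])


def p_mul(a, b):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return p_trim(out)


def p_eval(a, x):
    r = 0
    for c in reversed(a):  # Horner's rule
        r = (r * x + c) % P
    return r


def det_mod(A):
    """Determinant over GF(P) by Gaussian elimination on a copy of A."""
    A = [row[:] for row in A]
    n, det = len(A), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % P), None)
        if piv is None:
            return 0
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        det = det * A[col][col] % P
        inv = pow(A[col][col], -1, P)
        for r in range(col + 1, n):
            f = A[r][col] * inv % P
            if f:
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[col])]
    return det % P


def adjugate_column(A, j):
    """Column j of adj(A): adj[i][j] = (-1)^(i+j) det(A without row j, column i).
    Because A * adj(A) = det(A) * I, this column is a kernel vector when det(A) = 0."""
    n = len(A)
    col = []
    for i in range(n):
        minor = [[A[r][c] for c in range(n) if c != i] for r in range(n) if r != j]
        col.append((-1) ** (i + j) * det_mod(minor) % P)
    return col


def lagrange_interpolate(xs, ys):
    """The unique polynomial of degree < len(xs) through (xs[k], ys[k]) over GF(P)."""
    result = []
    for k, xk in enumerate(xs):
        basis, denom = [1], 1
        for m, xm in enumerate(xs):
            if m != k:
                basis = p_mul(basis, [-xm, 1])
                denom = denom * (xk - xm) % P
        scale = ys[k] * pow(denom, -1, P) % P
        result = p_add(result, [c * scale for c in basis])
    return result


def mat_eval(M, x):
    return [[p_eval(e, x) for e in row] for row in M]


def kernel_vector_by_interpolation(M, degree_bound):
    """Sample the first adjugate column of M(x) at degree_bound + 1 points and
    interpolate each coordinate. The adjugate fixes the scalar multiple of the
    kernel vector consistently at every point, which is what makes the samples
    evaluations of one polynomial vector."""
    xs = list(range(degree_bound + 1))
    samples = [adjugate_column(mat_eval(M, x), 0) for x in xs]
    return [lagrange_interpolate(xs, [s[i] for s in samples]) for i in range(len(M))]


def naive_kernel_vector(M, degree_bound):
    """Same sampling, but each sample rescaled so its last coordinate is 1. The
    scaling differs from point to point, so the interpolant is NOT a kernel vector."""
    xs = list(range(degree_bound + 1))
    samples = []
    for x in xs:
        v = adjugate_column(mat_eval(M, x), 0)
        inv = pow(v[-1], -1, P)  # assumes the last coordinate is nonzero at every point
        samples.append([c * inv % P for c in v])
    return [lagrange_interpolate(xs, [s[i] for s in samples]) for i in range(len(M))]


def mat_vec_poly(M, w):
    """Symbolic product M(x) * w(x); a true kernel vector gives all-zero polynomials."""
    out = []
    for row in M:
        acc = []
        for e, wi in zip(row, w):
            acc = p_add(acc, p_mul(e, wi))
        out.append(acc)
    return out


# Constructed 3x3 skew-symmetric polynomial matrix. An odd-dimension
# skew-symmetric matrix is always singular; here the kernel is spanned by (c, -b, a).
a = [1, 2]        # 1 + 2x
b = [3, 1, 1]     # 3 + x + x^2
c = [5, 4]        # 5 + 4x
neg = lambda q: [(-t) % P for t in q]
M = [[[], a, b], [neg(a), [], c], [neg(b), neg(c), []]]
DEGREE_BOUND = 2 * 2  # adjugate entries of a 3x3 matrix have degree <= 2 * max entry degree

if __name__ == "__main__":
    w = kernel_vector_by_interpolation(M, DEGREE_BOUND)
    print("interpolated kernel vector:", w)
    print("M * w =", mat_vec_poly(M, w))
    print("M * naive =", mat_vec_poly(M, naive_kernel_vector(M, DEGREE_BOUND)))
```

For this instance the adjugate column equals c·(c, −b, a), so the interpolated vector is a polynomial multiple of the expected kernel vector and the symbolic check M(x)·w(x) returns zero polynomials, while the per-point rescaled samples interpolate to a vector that fails the same check. Only five scalar 3×3 adjugate computations and three interpolations are needed; no polynomial arithmetic happens until the final verification.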


References

  1. Bosma W., Cannon J., Playoust C.: The Magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997).

  2. Bouillaguet C., Fouque P.-A., Macario-Rat G.: Practical key-recovery for all possible parameters of SFLASH. In: Lee D.H., Wang X.Y. (eds.) Advances in Cryptology—ASIACRYPT 2011, LNCS, vol. 7073, pp. 667–685. Springer, Heidelberg (2011).

  3. Courtois N.T., Goubin L., Patarin J.: SFLASH, a fast asymmetric signature scheme. http://www.cosic.esat.kuleuven.be/nessie/updatedPhase2Specs/sflash/SFLASHv3.pdf (2003). Accessed 20 March 2013.

  4. Ding J.T., Gower J.E., Schmidt D.S.: Multivariate Public-Key Cryptosystems. Springer, Heidelberg (2006).

  5. Dubois V., Fouque P.-A., Shamir A., Stern J.: Practical cryptanalysis of SFLASH. In: Menezes A. (ed.) Advances in Cryptology—CRYPTO 2007, LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007).

  6. Dubois V., Fouque P.-A., Stern J.: Cryptanalysis of SFLASH with slightly modified parameters. In: Naor M. (ed.) Advances in Cryptology—EUROCRYPT 2007, LNCS, vol. 4515, pp. 264–275. Springer, Heidelberg (2007).

  7. Faugère J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999).

  8. Faugère J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC 2002, pp. 75–83. ACM, New York (2002).

  9. Kaltofen E., Villard G.: On the complexity of computing determinants. Comput. Complex. 13(3–4), 91–130 (2005).

  10. Matsumoto T., Imai H.: Public quadratic polynomial-tuples for efficient signature verification and message encryption. In: Günther C.G. (ed.) Advances in Cryptology—EUROCRYPT ’88, LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988).

  11. Preneel B. et al.: NESSIE phase I: selection of primitives. https://www.cosic.esat.kuleuven.be/nessie/deliverables/Decision.pdf (2001). Accessed 20 March 2013.

  12. Preneel B. et al.: Security evaluation of NESSIE first phase. https://www.cosic.esat.kuleuven.be/nessie/deliverables/D13.pdf (2001). Accessed 20 March 2013.

  13. Patarin J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt ’88. In: Coppersmith D. (ed.) Advances in Cryptology—CRYPTO ’95, LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995).

  14. Patarin J., Courtois N.T., Goubin L.: FLASH, a fast multivariate signature algorithm. In: Naccache D. (ed.) Topics in Cryptology—CT-RSA 2001, LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2005).

  15. Shor P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).

  16. Stein W. et al.: Sage Mathematics Software (version 4.6.2). http://www.sagemath.org. Accessed 20 March 2013.


Acknowledgments

The authors would like to thank the anonymous referees for their helpful comments and suggestions, especially for pointing out the issue of the practical complexity of computing syzygy modules and the related online information. Their suggested editorial revisions greatly helped the authors polish the English of the paper. The work of this paper was supported by the National Basic Research Programme under Grant 2013CB834203, the National Natural Science Foundation of China (Grants 61070172 and 10990011), the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant XDA06010702, and the State Key Laboratory of Information Security, Chinese Academy of Sciences.

Author information

Correspondence to Weiwei Cao.

Additional information

Communicated by S. D. Galbraith.


Cite this article

Cao, W., Hu, L. Projective interpolation of polynomial vectors and improved key recovery attack on SFLASH. Des. Codes Cryptogr. 73, 719–730 (2014). https://doi.org/10.1007/s10623-013-9819-2
