Lecture Notes in Computer Science
In this paper, we present a practical attack on the signature scheme SFLASH proposed by Patarin, Goubin and Courtois in 2001 following a design they had introduced in 1998. The attack only needs the public key and requires about one second to forge a signature for any message, after a one-time computation of several minutes. It can be applied to both SFLASH v2 which was accepted by NESSIE, as well as to SFLASH v3 which is a higher security version.
Lecture Notes in Computer Science, 2007
SFLASH is a signature scheme which belongs to a family of multivariate schemes proposed by Patarin et al. in 1998 [9]. The SFLASH scheme itself was designed in 2001 [8] and was selected in 2003 by the NESSIE European Consortium [6] as the best known solution for implementation on low cost smart cards. In this paper, we show that slight modifications of the parameters of SFLASH within the general family initially proposed render the scheme insecure. The attack uses simple linear algebra, and allows forging a signature for an arbitrary message in a matter of minutes for practical parameters, using only the public key. Although SFLASH itself is not amenable to our attack, it is worrying to observe that no rationale was ever offered for this "lucky" choice of parameters.
Lecture Notes in Computer Science, 2002
Sflash is a multivariate signature scheme, and a candidate for standardisation, currently evaluated by the European call for primitives Nessie. The present paper is about the design of a highly optimized implementation of Sflash on a low-cost 8-bit smart card (without coprocessor). On top of this, we will also present a method to protect the implementation against power attacks such as Differential Power Analysis. Our fastest implementation of Sflash takes 59 ms on an 8051-based CPU at 10 MHz. Though the security of Sflash is not as well understood as, for example, that of RSA, Sflash is apparently the fastest signature scheme known. It is suitable for implementing PKI on low-cost smart cards, tokens or palm devices. It also allows proposing secure low-cost payment/banking solutions.
New, third version of Sflash specification (Sflash …
Note: SFLASH v2 is one of the three asymmetric signature schemes recommended by the Nessie European consortium for low-cost smart cards [21, 16]. The latest implementation report shows that SFLASH v2 is the fastest signature scheme known, see [1] for details. This document ...
Lecture Notes in Computer Science, 2011
In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C* encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin's attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE project of the European Union to be standardized. However, SFLASH was practically broken in 2007 by Dubois, Fouque, Stern and Shamir. Their attack breaks the original (and most relevant) parameters, but does not apply when more than half of the public key is truncated. It is therefore possible to choose parameters such that SFLASH is not broken by the existing attacks, although it is less efficient. We show a key-recovery attack that breaks the full range of parameters in practice, as soon as the information-theoretically required amount of information is available from the public key. The attack uses new cryptanalytic tools, most notably pencils of matrices and quadratic forms.
Public Key Cryptography – PKC 2004, 2004
The problem MQ of solving a system of multivariate quadratic equations over a finite field is relevant to the security of AES and for several public key cryptosystems. For example Sflash, the fastest known signature scheme (cf. [1]), is based on MQ equations over GF(2^7), and Patarin's $500 HFE Challenge 2 is over GF(2^4). Similarly, the fastest alleged algebraic attack on AES due to Courtois, Pieprzyk, Murphy and Robshaw uses an MQ system over GF(2^8). At present very little is known about practical solvability of such systems of equations over GF(2^k). The XL algorithm from Eurocrypt 2000 was initially studied over GF(p), and only recently in two papers presented at CT-RSA'02 and ICISC'02 the behaviour of XL is studied for systems of equations over GF(2). In this paper we show (as expected) that XL over GF(2^k), k > 1 (never studied so far) does not always work very well. The reason is the existence of additional roots to the system in the extension field, which is closely related to the remark made by Moh, claiming that the XSL attack on AES cannot work. However, we explain that the specific set of equations proposed by Murphy and Robshaw already contains a structure that removes the problem. From this, we deduce a method to modify XL so that it works much better over GF(2^k). In addition we show how to break the signature scheme Sflash-v2 recently selected by the European consortium Nessie, by three different methods derived from XL. Our fastest attack is in 2^58. All three attacks apply also to HFE Challenge 2, and our best attack is in 2^63.
Lecture Notes in Computer Science, 2005
Certificateless public key cryptography is an attractive paradigm for public key cryptography since it does not require certificates in traditional public key cryptography and, at the same time, solves the inherent key escrow problem in identity-based cryptography. Currently, certificateless short signature is receiving significant attention as it is particularly useful in low-bandwidth communication environments. However, most of the certificateless short signature schemes only support low-level security. Recently, Choi et al. presented a certificateless short signature scheme and claimed that it is provably secure against the super adversaries. Nevertheless, in this paper, we show that their scheme is insecure even against a strong Type I adversary. We also propose a new certificateless short signature scheme which is more efficient and more secure than Choi et al.'s scheme.
Post-Quantum Cryptography, 2016
Baldi et al. have introduced in [BBC+13] a very novel code based signature scheme. However we will prove here that some of the bits of the signatures are correlated in this scheme and this allows an attack that recovers enough of the underlying secret structure to forge new signatures. This cryptanalysis was performed on the parameters which were devised for 80 bits of security and broke them with 100,000 signatures originating from the same secret key.
Lecture Notes in Computer Science, 2010
At ACISP 2004, Giraud and Knudsen presented the first fault analysis of DSA, ECDSA, XTR-DSA, Schnorr and ElGamal signature schemes that considered faults affecting one byte. They showed that 2304 faulty signatures would be expected to reduce the number of possible keys to 2^40, allowing a 160-bit private key to be recovered. In this paper we show that Giraud and Knudsen's fault attack is much more efficient than originally claimed. We prove that 34.3% fewer faulty signatures are required to recover a private key using the same fault model. We also show that their original way of expressing the fault model under a system of equations can be improved. A more precise expression allows us to obtain another improvement of up to 47.1%, depending on the values of the key byte affected.
Progress in Cryptology - AFRICACRYPT 2020, 2020
FORS is the underlying hash-based few-time signing scheme in SPHINCS+, one of the nine signature schemes which advanced to round 2 of the NIST Post-Quantum Cryptography standardization competition. In this paper, we analyze the security of FORS with respect to adaptive chosen message attacks. We show that in such a setting, the security of FORS decreases significantly with each signed message when compared to its security against non-adaptive chosen message attacks. We propose a chaining mechanism that with slightly more computation, dynamically binds the Obtain Random Subset (ORS) generation with signing, hence, eliminating the offline advantage of adaptive chosen message adversaries. We apply our chaining mechanism to FORS and present DFORS whose security against adaptive chosen message attacks is equal to the non-adaptive security of FORS. In a nutshell, using SPHINCS+-128s parameters, FORS provides 75-bit security and DFORS achieves 150-bit security with respect to adaptive chosen message attacks after signing one message. We note that our analysis does not affect the claimed security of SPHINCS+. Nevertheless, this work provides a better understanding of FORS and other HORS variants, and furnishes a solution if new adaptive cryptanalytic techniques on SPHINCS+ emerge.
International Journal of Cyber-Security and Digital Forensics, 2018
Active work is being done to create and develop quantum computers. Traditional digital signature systems that are used in practice are vulnerable to attacks by quantum computers. The security of these systems is based on the problem of factoring large numbers and calculating discrete logarithms. Scientists are working on the development of alternatives to RSA which are protected from attacks by quantum computers. One of the alternatives is hash-based digital signature schemes. In the article, hash-based one-time signatures are considered, and their analysis and comparison are done. It is shown that, using the Winternitz one-time signature scheme, the length of the signature and of the keys is substantially reduced. But this scheme also has disadvantages: when generating keys, creating a signature and verifying a signature, the one-way function must be used many more times than in the Lamport signature scheme. So, serious attention must be paid to the choice of this function; it should be quickly executed and safe.
Lecture Notes in Computer Science
The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. This attack belongs to a new generation of cryptanalysis which targets geometrical properties of multivariate functions. It works particularly well on SFLASH due to its simple structure but further applications are emerging. Considering these new developments, it occurs that the general design principle of multivariate schemes itself might be questionable: can we effectively hide a specific multivariate function using linear maps? In this paper, we keep focused on the simple example of SFLASH. We review its recent cryptanalysis and we notice that its weaknesses can all be linked to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, this richer structure can be accessed by an attacker by using the specific symmetry of the core function being used. In fact, this raises the general remark that, since the large field structure is only necessary to perform the secret operations, it indeed should not be encapsulated in the public key. Then, we investigate the effect of restricting this large field to a purely linear subset and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure which can be used at a moderate overhead. On the theoretical side, this informs us of interesting limitations of the recent attack and provides us with additional elements to answer the general question defined above.
2007
Note: This document specifies the updated final version of the SFLASH signature scheme, slightly modified as allowed in the second stage of the Nessie evaluation process, in order to improve the speed and the security. This is therefore the only official version of SFLASH. In some ...
The idea of using multivariate polynomials as public keys has attracted several cryptographers. The SFlash signature scheme is a variant of the Matsumoto and Imai multivariate public key cryptosystem and was selected by the NESSIE Consortium. In this paper we describe a hardware implementation of SFlash based on bit-parallel architectures to achieve high speed circuits for operations on finite fields, which can be efficiently used as an authentication unit in wireless devices, smart cards and RFID networks. We have proposed a new generalization of the Karatsuba-Ofman multiplier as the core of the design. An ASIC chip can be realized with a 78K gate count and 2.8 mm² die size in 0.35 μm CMOS technology, with a maximum clock frequency of 140 MHz, which takes about 21.5 μs to sign 259-bit data.
2019
Post-quantum cryptography is an important and growing area of research due to the threat of quantum computers, as recognised by the National Institute of Standards and Technology (NIST)'s recent call for standardisation. FALCON is a lattice-based signature candidate submitted to NIST, which has good performance but lacks research with respect to implementation attacks and resistance. This research proposes the first fault attack analysis of FALCON and finds its lattice trapdoor sampler is as vulnerable to fault attacks as the GPV sampler used in alternative signature schemes. We simulate the post-processing component of this fault attack and achieve a 100% success rate at retrieving the private key. This research then proposes an evaluation of countermeasures to prevent this fault attack and timing attacks on FALCON. We provide cost evaluations on the overheads of the proposed countermeasures which show that FALCON has only up to 30% deterioration in performance of its key generation, and only 5% in signing, compared to runtimes without countermeasures.
Lecture Notes in Computer Science, 2005
In ICICS 2004, Gonzalez-Deleito, Markowitch and Dall'Olio proposed an efficient strong key-insulated signature scheme. They claimed that it is (N−1, N)-key-insulated, i.e., the compromise of the secret keys for arbitrarily many time periods does not expose the secret keys for any of the remaining time periods. But in this paper, we demonstrate an attack and show that an adversary armed with the signing keys for any two time periods can compute the signing keys for the remaining time periods except for some very special cases. In a second attack, the adversary can forge signatures for many remaining time periods without computing the corresponding signing keys. Therefore it is only equivalent to a (1, N)-key-insulated signature scheme. A variant forward-secure signature scheme was also presented in ICICS 2004 and claimed more robust than traditional forward-secure signature schemes. But we find that the scheme has two similar weaknesses. We try to repair the two schemes in this paper.
4 The GMD Forward-Secure Signature Scheme and Its Security
4.1 Review of The GMD Forward-Secure Signature Scheme
KeyGen(k, l): n, v and h are selected the same as in the key-insulated scheme. The user randomly chooses t, u ∈ Z_n^*, such that u^2 = u^(2^(8+1)) mod n and t^2 = t^(2^(8+1))
Note: This document specifies the updated final version of the Quartz signature scheme, slightly modified as allowed in the second stage of the Nessie evaluation process, in order to improve the speed and the security. In some papers that refer to the old version, it is sometimes called Quartz v1, and Quartz v2 is the new version. This is therefore the only official version of Quartz. We note that the key generation has not changed, the signature computation has changed, and the signature verification has changed slightly. In the Appendix of the present document we summarize all the changes to Quartz, for readers and developers that are acquainted with the previous version. It also includes an explanation of why these changes have been made.
Public Key Cryptography – PKC 2008
In this paper, we describe efficient forgery and full-key recovery attacks on the ℓ-IC− signature scheme recently proposed at PKC 2007. This cryptosystem is a multivariate scheme based on a new internal quadratic primitive which avoids some drawbacks of previous multivariate schemes: the scheme is extremely fast since it requires one exponentiation in a finite field of medium size and the public key is shorter than in many multivariate signature schemes. Our attacks rely on the recent cryptanalytic tool developed by Dubois et al. against the SFLASH signature scheme. However, the final stage of the attacks requires the use of Gröbner basis techniques to conclude, i.e. to actually forge a signature (resp. to recover the secret key). For the forgery attack, this is due to the fact that Patarin's attack is much more difficult to mount against ℓ-IC. The key recovery attack is also very efficient since it is faster to recover equivalent secret keys than to forge.
Journal of Science and Technology on Information security, 2022
Keywords: the BLT signature scheme, KSI infrastructure, non-repudiation, Merkle tree. Keywords (translated from Vietnamese): BLT signature scheme, KSI infrastructure, existential forgery, non-repudiation, Merkle hash tree.
Open Mathematics
We prove that a variant of the Courtois-Finiasz-Sendrier signature is strongly existentially unforgeable under chosen message attack in the random oracle model, assuming hardness of the Permuted Goppa Syndrome Decoding Problem (also known as the Niederreiter problem). In addition, we explicitly show that security against key substitution attacks can be arranged by a standard technique of Menezes and Smart, hashing the public key.
Polynomial Schemes such as HFE, Quartz and Sflash. …, 2004
The object of this paper is the concrete security of recent multivariate signature schemes. A major challenge is to reconcile some "tricky" ad-hoc constructions that allow making short signatures with regular provable security. The paper is composed of two parts. In the first part of this paper we formalize and confront with the most recent attacks the security of several known multivariate trapdoor functions. For example the signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than exhaustive search is known. This will allow us to formulate our key assumption on which the provable security results can be built. In the second part, we study the concrete security of signature schemes under our assumption. We study some general constructions that transform a trapdoor function into a short signature scheme, and in particular those designed to obtain short signatures. On the one hand, we present generic attacks on such constructions. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2^80) computations with O(2^80) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide. Finally we also apply our results to Flash and Sflash.