Cryptanalysis of SFlash v3

Sflash is a fast multivariate signature scheme. Though the first version Sflash-v1 was flawed, a second version, Sflash-v2 was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash-v2 should not be used, instead a new version Sflash-v3 is proposed, which essentially only increases the length of the signature. The Sflash family of signature schemes is a variant of the Matsumoto and Imai public key cryptosystem. The modification is through the Minus method, namely given a set of polynomial equations, one takes out a few of them to make them much more difficult to solve. In this paper, we attack the Sflash-v3 scheme by combining an idea from the relinearization method by Kipnis and Shamir, which was used to attack the Hidden Field Equation schemes, and the linearization method by Patarin. We show that the attack complexity is less than 2^80, the security standard required by the Nessie Consortium

Extension Field Cancellation: a New Central Trapdoor for Multivariate Quadratic Systems

This paper introduces a new central trapdoor for multivariate quadratic (MQ) public-key cryptosystems that allows for encryption, in contrast to time-tested MQ primitives such as Unbalanced Oil and Vinegar or Hidden Field Equations which only allow for signatures. Our construction is a mixed-field scheme that exploits the commutativity of the extension field to dramatically reduce the complexity of the extension field polynomial implicitly present in the public key. However, this reduction can only be performed by the user who knows concise descriptions of two simple polynomials, which constitute the private key. After applying this transformation, the plaintext can be recovered by solving a linear system. We use the minus and projection modifiers to inoculate our scheme against known attacks. A straightforward C++ implementation confirms the efficient operation of the public key algorithms

A short comment on the affine parts of SFLASH^{v3}

In [http://eprint.iacr.org/2003/211/] SFLASH^{v3} is presented, which supersedes SFLASH^{v2}, one of the digital signature schemes in the NESSIE Portfolio of recommended cryptographic primitives. We show that a known attack against the affine parts of SFLASH^{v1} and SFLASH^{v2} carries over immediately to the new version SFLASH^{v3}: The 861 bit representing the affine parts of the secret key can easily be derived from the public key alone

Total Break of the l-IC Signature Scheme

The original publication is available at www.springerlink.comInternational audienceIn this paper, we describe efficient forgery and full-key recovery attacks on the l-IC- signature scheme recently proposed at PKC 2007. This cryptosystem is a multivariate scheme based on a new internal quadratic primitive which avoids some drawbacks of previous multivariate schemes: the scheme is extremely fast since it requires one exponentiation in a finite field of medium size and the public key is shorter than in many multivariate signature schemes. Our attacks rely on the recent cryptanalytic tool developed by Dubois et al. against the SFLASH signature scheme. However, the final stage of the attacks require the use of Grobner basis techniques to conclude to actually forge a signature (resp. to recover the secret key). For the forgery attack, this is due to the fact that Patarin's attack is much more difficult to mount against l-IC. The key recovery attack is also very efficient since it is faster to recover equivalent secret keys than to forge

Linearity Measures for MQ Cryptography

We propose a new general framework for the security of multivariate quadratic (\mathcal{MQ}) schemes with respect to attacks that exploit the existence of linear subspaces. We adopt linearity measures that have been used traditionally to estimate the security of symmetric cryptographic primitives, namely the nonlinearity measure for vectorial functions introduced by Nyberg at Eurocrypt \u2792, and the $(s, t)$--linearity measure introduced recently by Boura and Canteaut at FSE\u2713. We redefine some properties of \mathcal{MQ} cryptosystems in terms of these known symmetric cryptography notions, and show that our new framework is a compact generalization of several known attacks in \mathcal{MQ} cryptography against single field schemes. We use the framework to explain various pitfalls regarding the successfulness of these attacks. Finally, we argue that linearity can be used as a solid measure for the susceptibility of \mathcal{MQ} schemes to these attacks, and also as a necessary tool for prudent design practice in \mathcal{MQ} cryptography

Properties of the Discrete Differential with Cryptographic Applications

Recently, the $C^{*-}$ signature scheme has been completely broken by Dubois et al. (Dubois et al., CRYPTO and EUROCRYPT 2007). As a consequence, the security of SFLASH and other multivariate public key systems have been impaired. The attacks presented in (Dubois et al., CRYPTO and EUROCRYPT 2007) rely on a symmetry of the differential of the encryption mapping. In (Ding et al., 2007), Ding et al. experimentally justify the use projection as a method of avoiding the new attack. In this paper, we derive some properties of the discrete differential, give a theoretical justification for the reparation in (Ding et al., 2007), and establish the exact context in which this attack is applicable

SFLASHv3, a fast asymmetric signature scheme

SFLASH-v2 is one of the three asymmetric signature schemes recommended by the European consortium for low-cost smart cards. The latest implementation report published at PKC 2003 shows that SFLASH-v2 is the fastest signature scheme known. This is a detailed specification of SFLASH-v3 produced in 2003 for fear of v2 being broken. HOWEVER after detailed analysis by Chen Courtois and Yang [ICICS04], Sflash-v2 is not broken and we still recommend the previous version Sflash-v2, already recommended by Nessie, instead of this version

Cryptanalysis of multi-HFE

Multi-HFE (Chen et al., 2009) is one of cryptosystems whose public key is a set of multivariate quadratic forms over a finite field. Its quadratic forms are constructed by a set of multivariate quadratic forms over an extension field. Recently, Bettale et al. (2013) have studied the security of HFE and multi-HFE against the min-rank attack and found that multi-HFE is not more secure than HFE of similar size. In the present paper, we propose a new attack on multi-HFE by using a diagonalization approach. As a result, our attack can recover equivalent secret keys of multi-HFE in polynomial time for odd characteristic case. In fact, we experimentally succeeded to recover equivalent secret keys of several examples of multi-HFE in about fifteen seconds on average, which was recovered in about nine days by the min-rank attack

Two-Face: New Public Key Multivariate Schemes

We present here new multivariate schemes that can be seen as HFE generalization having a property called `Two-Face\u27. Particularly, we present five such families of algorithms named `Dob\u27, `Simple Pat\u27, `General Pat\u27, `Mac\u27, and `Super Two-Face\u27. These families have connections between them, some of them are refinements or generalizations of others. Notably, some of these schemes can be used for public key encryption, and some for public key signature. We introduce also new multivariate quadratic permutations that may have interest beyond cryptography

Enhanced STS using Check Equation --Extended Version of the Signature scheme proposed in the PQCrypt2010--

We propose solutions to the problems which has been left in the Enhanced STS, which was proposed in the PQCrypto 2010. Enhanced STS signature scheme is dened as the public key with the Complementary STS structure, in which two STS public keys are symmetrically joined together. Or, the complementary STS is the public key where simply two STS public keys are joined together, without the protection with Check Equation. We discuss the following issues left in the Enhanced STS, which was prosented in the PQCrypt2010: (i) We implied that there may exist a way to cryptanalyze the Complementary STS structure. Although it has been proposed that the system be protected by Check Equations [35][37], in order to cope with an unknown attack, we did not show the concrete procedure. We show the actual procedure to cryptanalyze it and forge a signature. (ii) We assumed that the Check Equation should be changed every time a document is signed. This practice is not always allowed. We improved this matter. The Check Equation which was proposed in the PQCrypto 2010 dened the valid life as a function of the number of times the documents are signed, because the secret key of Check Equation is analyzed by collecting valid signatures. Now we propose a new method of integrating the Check Equation into the secret key and eliminate the risk of the hidden information drawn from the existing signature