20 research outputs found
SFLASHv3, a fast asymmetric signature scheme
SFLASH-v2 is one of the three asymmetric signature schemes recommended by the European consortium for low-cost smart cards. The latest implementation report published at PKC 2003 shows that SFLASH-v2 is the fastest signature scheme known.
This is a detailed specification of SFLASH-v3 produced in 2003 for fear of v2 being broken. HOWEVER after detailed analysis by Chen Courtois and Yang [ICICS04], Sflash-v2 is not broken and we still recommend the previous version Sflash-v2, already recommended by Nessie, instead of this version
A Key Substitution Attack on SFLASH^{v3}
A practical key substitution attack on SFLASH^{v3} is described: Given a valid (message, signature) pair (m,\sigma) for some public key v_0, one can derive another public key v_1 (along with matching secret data) such that (m,\sigma) is also valid for v_1. The computational effort needed for finding such a `duplicate\u27 key is comparable to the effort needed for ordinary key generation
Cryptanalysis of SFlash v3
Sflash is a fast multivariate signature scheme. Though the first version Sflash-v1 was flawed, a second version, Sflash-v2 was selected by the Nessie Consortium and was recommended for implementation of low-end smart cards. Very recently, due to the security concern, the designer of Sflash recommended that Sflash-v2 should not be used, instead a new version Sflash-v3 is proposed, which essentially only increases the length of the signature.
The Sflash family of signature schemes is a variant of the Matsumoto and Imai public key cryptosystem. The modification is through the Minus method, namely given a set of polynomial equations, one takes out a few of them to make them much more difficult to solve.
In this paper, we attack the Sflash-v3 scheme by combining an idea from the relinearization method by Kipnis and Shamir, which was used to attack the Hidden Field Equation schemes, and the linearization method by Patarin. We show that the attack complexity is less than 2^80, the security standard required by the Nessie Consortium
A short comment on the affine parts of SFLASH^{v3}
In [http://eprint.iacr.org/2003/211/] SFLASH^{v3} is presented, which supersedes SFLASH^{v2}, one of the digital signature schemes in the NESSIE Portfolio of recommended cryptographic primitives. We show that a known attack against the affine parts of SFLASH^{v1} and SFLASH^{v2} carries over immediately to the new version SFLASH^{v3}: The 861 bit representing the affine parts of the secret key can easily be derived from the public key alone
Hash-based Multivariate Public Key Cryptosystems
Many efficient attacks have appeared in recent years, which have led
to serious blow for the traditional multivariate public key
cryptosystems. For example, the signature scheme SFLASH was broken
by Dubois et al. at CRYPTO\u2707, and the Square signature (or
encryption) scheme by Billet et al. at ASIACRYPTO\u2709. Most
multivariate schemes known so far are insecure, except maybe the
sigature schemes UOV and HFEv-. Following these new developments, it
seems that the general design principle of multivariate schemes has
been seriously questioned, and there is a rather pressing desire to
find new trapdoor construction or mathematical tools and ideal. In
this paper, we introduce the hash authentication techniques and
combine with the traditional MQ-trapdoors to propose a novel
hash-based multivariate public key cryptosystems. The resulting
scheme, called EMC (Extended Multivariate Cryptosystem), can
also be seen as a novel hash-based cryptosystems like Merkle tree
signature. And it offers the double security protection for signing
or encrypting. By the our analysis, we can construct the secure and
efficient not only signature scheme but also encryption scheme by
using the EMC scheme combined some modification methods summarized
by Wolf. And thus we present two new schems: EMC signature scheme
(with the Minus method ``- ) and EMC encryption scheme (with the
Plus method ``+ ). In addition, we also propose a reduced scheme of
the EMC signature scheme (a light-weight signature scheme). Precise
complexity estimates for these schemes are provided, but their
security proofs in the random oracle model are still an open
problem
Construction of the Tsujii-Shamir-Kasahara (TSK) Type Multivariate Public Key Cryptosystem, which relies on the Difficulty of Prime Factorization
A new multivariate public-key cryptosystem (MPKC) with the security based on the difficulty of the prime factoring is proposed. Unlike conventional cryptosystems such as RSA, most MPKCs are expected secure against quantum computers, and their operation of encryption and decryption is expected quick, because they do not need exponential operation. However, their security against quantum computers is very difficult to prove mathematically. We propose a new MPKC based on sequential solution method, assuming the security against von Neumann computers, whose attack seems as difficult as prime factoring. This cryptosystem is applicable to both encryption and signature
1. Kryptotag - Workshop über Kryptographie
Der Report enthält eine Sammlung aller Beiträge der Teilnehmer des 1. Kryptotages am 1. Dezember 2004 in Mannheim
Proposal of a Signature Scheme based on STS Trapdoor
A New digital signature scheme based on Stepwise Triangular Scheme (STS) is proposed. The proposed trapdoor has resolved the vulnerability of STS and secure against both Gröbner Bases and Rank Attacks. In addition, as a basic trapdoor, it
is more efficient than the existing systems. With the efficient implementation, the Multivariate Public Key Cryptosystems (MPKC) signature public key has the signature
longer than the message by less than 25 %, for example
TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor
In this paper, we design a novel one-way trapdoor function, and then propose a new multivariate public key cryptosystem called , which can be used for encryption, signature and authentication. Through analysis, we declare that is secure, because it can resist current known algebraic attacks if its parameters are properly chosen. Some practical implementations for are also given, and whose security level is at least . The comparison shows that is more secure than , and (when and , is still secure), and it can reach almost the same speed of computing the secret map by and (even though was broken, its high speed has been affirmed)
Enhanced STS using Check Equation --Extended Version of the Signature scheme proposed in the PQCrypt2010--
We propose solutions to the problems which has been left in the Enhanced STS, which was proposed in the PQCrypto 2010.
Enhanced STS signature scheme is dened as the public key with the Complementary STS structure, in which two STS public keys are symmetrically joined together. Or, the complementary STS is the public key where simply two STS public keys are joined together, without the protection with Check Equation.
We discuss the following issues left in the Enhanced STS, which was prosented in the PQCrypt2010:
(i) We implied that there may exist a way to cryptanalyze the Complementary STS structure. Although it has been proposed that the system be protected by Check Equations [35][37], in order to cope with an unknown attack, we did not show the concrete procedure. We show the actual procedure to cryptanalyze it and forge a signature.
(ii) We assumed that the Check Equation should be changed every time a document is signed. This practice is not always allowed. We improved this matter. The Check Equation which was proposed in the PQCrypto 2010 dened the valid life as a function of the number of times the documents are signed, because the secret key of Check Equation is analyzed by collecting valid signatures.
Now we propose a new method of integrating the Check Equation into the secret key and eliminate the risk of the hidden information drawn from the existing signature