The security of the birational permutation signature schemes
In recent years, researchers have invested a lot of effort in trying to design suitable alternatives to the RSA signature scheme, with lower computational requirements. The idea of using polynomial equations of low degree in several unknowns, with some hidden trap-door, has been particularly attractive. One of the most noticeable attempts to push this idea forward is the Ong-Schnorr-Shamir signature scheme, which has been broken by Pollard and Schnorr. At Crypto '93, Shamir proposed a family of cryptographic signature schemes based on a new method. His design made subtle use of birational permutations over the set of k-tuples of integers modulo a large number N of unknown factorization. However, the schemes presented in Shamir’s paper are weak. In the present paper, we describe several attacks which can be applied to schemes in this general family.
- D. Coppersmith, J. Stern, and S. Vaudenay. Attacks on the birational permutation signature schemes. In: Advances in Cryptology—CRYPTO '93, Santa Barbara, CA. Lecture Notes in Computer Science, vol. 773, pp. 587–593, Springer-Verlag, Berlin, 1994.
- S. R. Czapor, K. O. Geddes, and G. Labahn. Algorithms for Computer Algebra, Kluwer Academic, Amsterdam, 1992.
- S. Lang. Algebra, 2nd edn. Addison-Wesley, Reading, MA, 1984.
- T. Matsumoto and H. Imai. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Advances in Cryptology—EUROCRYPT '88, Davos. Lecture Notes in Computer Science, vol. 330, pp. 419–453, Springer-Verlag, Berlin, 1988.
- H. Ong, C. P. Schnorr, and A. Shamir. A fast signature scheme based on quadratic equations. Proc. 16th ACM Symp. Theory of Computing, pp. 208–216, 1984.
- J. Patarin. Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt '88. In: Advances in Cryptology—CRYPTO '95, Santa Barbara, CA. Lecture Notes in Computer Science, vol. 963, pp. 248–261, Springer-Verlag, Berlin, 1995.
- J. M. Pollard and C. P. Schnorr. An efficient solution of the congruence x² + ky² = m (mod n). IEEE Trans. Inform. Theory, vol. IT-33, no. 5, pp. 702–709, 1987.
- R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystem. Comm. ACM, vol. 21, pp. 120–126, 1978.
- A. Shamir. Efficient signature schemes based on birational permutations. In: Advances in Cryptology—CRYPTO '93, Santa Barbara, CA. Lecture Notes in Computer Science, vol. 773, pp. 1–12, Springer-Verlag, Berlin, 1994.
- T. Theobald. How to break Shamir’s asymmetric basis. In: Advances in Cryptology—CRYPTO '95, Santa Barbara, CA. Lecture Notes in Computer Science, vol. 963, pp. 136–147, Springer-Verlag, Berlin, 1995.
Journal of Cryptology
Volume 10, Issue 3, pp 207-221
- Signature schemes
- Birational transformations