Advertisement

Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017

  • Yasufumi Hashimoto
  • Yasuhiko Ikematsu
  • Tsuyoshi Takagi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11049)

Abstract

One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177 s with 1326 valid signatures.

Keywords

Post-quantum cryptography Multivariate public-key cryptography Chosen message attack Rainbow ELSA 

Notes

Acknowledgements

This work was supported by JST CREST (Grant Number JPMJCR14D6). The first author was also supported by JSPS Grant-in-Aid for Scientific Research (C) no. 17K05181.

References

  1. 1.
    Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-Quantum Cryptography. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-540-88702-7CrossRefMATHGoogle Scholar
  2. 2.
    Bettale, L., Faugère, J.C., Perret, L.: Solving polynomial systems over finite fields: improved analysis of the hybrid approach. In: ISSAC 2012, pp. 67–74 (2012)Google Scholar
  3. 3.
    Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symb. Comput. 24, 235–265 (1997)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Ding, J., Chen, M.C., Petzoldt, A., Schmidt, D., Yang, B.Y.: Rainbow, NIST, Post-Quantum Cryptography Standardization, Round 1 Submissions. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
  5. 5.
    Ding, J., Gower, J.E., Schmidt, D.S.: Multivariate Public Key Cryptosystems. Springer, Boston (2006).  https://doi.org/10.1007/978-0-387-36946-4CrossRefMATHGoogle Scholar
  6. 6.
    Ding, J., Schmidt, D.: Rainbow, a new multivariable polynomial signature scheme. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 164–175. Springer, Heidelberg (2005).  https://doi.org/10.1007/11496137_12CrossRefGoogle Scholar
  7. 7.
    Kipnis, A., Patarin, J., Goubin, L.: Unbalanced oil and vinegar signature schemes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 206–222. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48910-X_15CrossRefGoogle Scholar
  8. 8.
    Kipnis, A., Shamir, A.: Cryptanalysis of the oil and vinegar signature scheme. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 257–266. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0055733CrossRefGoogle Scholar
  9. 9.
    Matsumoto, T., Imai, H.: Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988).  https://doi.org/10.1007/3-540-45961-8_39CrossRefGoogle Scholar
  10. 10.
    NIST, Post-Quantum Cryptography Standardization. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/
  11. 11.
    Patarin, J., Courtois, N., Goubin, L.: QUARTZ, 128-bit long digital signatures. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 282–297. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45353-9_21CrossRefGoogle Scholar
  12. 12.
    Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C., Ding, J.: Design principles for HFEv-based multivariate signature schemes. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 311–334. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48797-6_14CrossRefGoogle Scholar
  13. 13.
    Shim, K.-A., Park, C.-M., Koo, N.: An existential unforgeable signature scheme based on multivariate quadratic equations. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 37–64. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-70694-8_2CrossRefGoogle Scholar
  14. 14.
    Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Tsujii, S., Itoh, T., Fujioka, A., Kurosawa, K., Matsumoto, T.: A public-key cryptosystem based on the difficulty of solving a system of non-linear equations. Syst. Comput. Jpn. 19(2), 10–18 (1988)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Yasufumi Hashimoto
    • 1
  • Yasuhiko Ikematsu
    • 2
  • Tsuyoshi Takagi
    • 2
  1. 1.Department of Mathematical ScienceUniversity of the RyukyusOkinawaJapan
  2. 2.Department of Mathematical InformaticsUniversity of TokyoTokyoJapan

Personalised recommendations