Could SFLASH be Repaired?

  • Jintai Ding
  • Vivien Dubois
  • Bo-Yin Yang
  • Owen Chia-Hsin Chen
  • Chen-Mou Cheng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5126)


The SFLASH signature scheme stood for a decade as the most successful cryptosystem based on multivariate polynomials, before an efficient attack was finally found in 2007. In this paper, we review its recent cryptanalysis and observe that its weaknesses can all be traced to the fact that the cryptosystem is built on the structure of a large field. As the attack demonstrates, an attacker can access this richer structure by exploiting the specific symmetry of the core function being used. We then investigate the effect of restricting this large field to a purely linear subset, and we find that the symmetries exploited by the attack are no longer present. At a purely defensive level, this defines a countermeasure that can be deployed at moderate overhead. On the theoretical side, it informs us of the limitations of the recent attack and raises interesting remarks about the design of multivariate schemes itself.


Keywords: multivariate cryptography, signature, SFLASH, differential





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Jintai Ding (1)
  • Vivien Dubois (2)
  • Bo-Yin Yang (3)
  • Owen Chia-Hsin Chen (3)
  • Chen-Mou Cheng (4)

  1. Dept. of Mathematics and Computer Sciences, University of Cincinnati
  2. CELAR, France
  3. Institute of Information Sciences, Academia Sinica, Taiwan
  4. Dept. of Electrical Engineering, National Taiwan University
