Practical Key-Recovery for All Possible Parameters of SFLASH

  • Charles Bouillaguet
  • Pierre-Alain Fouque
  • Gilles Macario-Rat
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


In this paper we present a new practical key-recovery attack on the SFLASH signature scheme. SFLASH is a derivative of the older C* encryption and signature scheme that was broken in 1995 by Patarin. In SFLASH, the public key is truncated, and this simple countermeasure prevents Patarin’s attack. The scheme is well-known for having been considered secure and selected in 2004 by the NESSIE project of the European Union to be standardized.

However, SFLASH was practically broken in 2007 by Dubois, Fouque, Stern and Shamir. Their attack breaks the original (and most relevant) parameters, but does not apply when more than half of the public key is truncated. It is therefore possible to choose parameters such that SFLASH is not broken by the existing attacks, although the resulting scheme is less efficient.

We show a key-recovery attack that breaks the full range of parameters in practice, as soon as the information-theoretically required amount of information is available from the public key. The attack uses new cryptanalytic tools, most notably pencils of matrices and quadratic forms.
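To make the objects the abstract talks about concrete, the following toy implementation of C* and its SFLASH truncation is added here; it is not code from the paper and it does not implement the attack. It builds a C* key T ∘ F ∘ S with F(x) = x^(1+2^θ) over GF(2^7), recovers the n public quadratic polynomials by interpolating the map on 0, the unit vectors and their pairwise sums, publishes only the first n−r of them as SFLASH does, and signs by completing the digest with r random bits before inverting T, F and S in turn. The parameters n = 7, θ = 1, r = 2 and the field polynomial x^7 + x + 1 are toy assumptions with no security value; real SFLASH used q = 2^7, n = 37 and r = 11.

```python
"""Toy C* / SFLASH over GF(2^7): key generation, signing and truncated verification.
Constructed teaching example, not the paper's code; toy parameters with no security.
Real SFLASH used q = 2^7, n = 37, r = 11."""
import random

N = 7                    # GF(2^N) viewed as the vector space GF(2)^N
THETA = 1                # C* central map F(x) = x^(1 + 2^THETA); gcd(1 + 2^THETA, 2^N - 1) must be 1
R = 2                    # SFLASH drops the last R of the N public polynomials
MOD_POLY = 0b10000011    # x^7 + x + 1, irreducible over GF(2) (assumed field representation)
E = 1 + (1 << THETA)
E_INV = pow(E, -1, (1 << N) - 1)   # (x^E)^E_INV = x on GF(2^N)*, so F is a bijection

def gf_mul(a, b):        # multiply two elements of GF(2^N) held as N-bit integers
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> N & 1:
            a ^= MOD_POLY
    return res

def gf_pow(a, e):
    res = 1
    while e:
        if e & 1:
            res = gf_mul(res, a)
        a = gf_mul(a, a)
        e >>= 1
    return res

def mat_vec(M, v):       # N x N matrix over GF(2), rows stored as bitmasks, times bit vector v
    return sum((bin(row & v).count("1") & 1) << i for i, row in enumerate(M))

def mat_inv(M):
    """Gauss-Jordan inverse over GF(2); None if M is singular."""
    rows = [(M[i], 1 << i) for i in range(N)]          # augmented [M | I]
    for col in range(N):
        piv = next((i for i in range(col, N) if rows[i][0] >> col & 1), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        for i in range(N):
            if i != col and rows[i][0] >> col & 1:
                rows[i] = (rows[i][0] ^ rows[col][0], rows[i][1] ^ rows[col][1])
    return [inv_row for _, inv_row in rows]

def random_affine(rng):  # random invertible affine map v -> M v + c, as (M, M^-1, c)
    while True:
        M = [rng.randrange(1, 1 << N) for _ in range(N)]
        M_inv = mat_inv(M)
        if M_inv is not None:
            return M, M_inv, rng.randrange(1 << N)

def interpolate_quadratics(P):
    """Recover the N coordinate polynomials of a quadratic map P on GF(2)^N (algebraic normal
    form, x_i^2 = x_i folded into the linear part) from P(0), P(e_i) and P(e_i + e_j)."""
    c = P(0)
    lin = [P(1 << i) ^ c for i in range(N)]
    polys = []
    for k in range(N):
        lin_mask = sum(((lin[i] >> k) & 1) << i for i in range(N))
        quad = [(i, j) for i in range(N) for j in range(i + 1, N)
                if (P((1 << i) | (1 << j)) ^ lin[i] ^ lin[j] ^ c) >> k & 1]
        polys.append(((c >> k) & 1, lin_mask, quad))
    return polys

def eval_poly(poly, x):
    c, lin_mask, quad = poly
    val = c ^ (bin(lin_mask & x).count("1") & 1)
    for i, j in quad:
        val ^= (x >> i) & (x >> j) & 1
    return val

def keygen(seed=0):
    rng = random.Random(seed)
    S, S_inv, s_c = random_affine(rng)
    T, T_inv, t_c = random_affine(rng)
    def full_map(x):     # untruncated C* public key P = T o F o S
        return mat_vec(T, gf_pow(mat_vec(S, x) ^ s_c, E)) ^ t_c
    pub = interpolate_quadratics(full_map)[: N - R]    # SFLASH publishes only N - R of them
    return pub, (S_inv, s_c, T_inv, t_c), full_map

def sign(priv, digest, rng=random):
    """digest has N - R bits; the signer completes it with R random bits, then inverts T, F, S."""
    S_inv, s_c, T_inv, t_c = priv
    y = digest | rng.randrange(1 << R) << (N - R)      # any completion gives a valid preimage
    x = gf_pow(mat_vec(T_inv, y ^ t_c), E_INV)         # F^-1
    return mat_vec(S_inv, x ^ s_c)

def verify(pub, digest, sig):
    """Only the N - R published polynomials are checked; the truncated ones never appear."""
    return all(eval_poly(p, sig) == (digest >> k) & 1 for k, p in enumerate(pub))

if __name__ == "__main__":
    pub, priv, _ = keygen()
    print("toy SFLASH verify:", verify(pub, 0b10110, sign(priv, 0b10110)))
```

Two things the code makes visible that the abstract only names: the interpolation in `interpolate_quadratics` is exact precisely because every coordinate of T ∘ F ∘ S has algebraic degree at most two (x^(2^θ) is GF(2)-linear, so x · x^(2^θ) is a quadratic form), and verification only ever touches the n−r published polynomials, the r coordinates the signer fills with random bits being exactly what the truncation throws away.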


Keywords: Quadratic Form, Signature Scheme, Characteristic Polynomial, Computer Algebra System, Polar Form


References

  1. Albert, A.A.: Symmetric and alternate matrices in an arbitrary field, I. Transactions of the American Mathematical Society 43(3), 386–436 (1938)
  2. Bosma, W., Cannon, J.J., Playoust, C.: The Magma Algebra System I: The User Language. J. Symb. Comput. 24(3/4), 235–265 (1997)
  3. Dubois, V., Fouque, P.A., Shamir, A., Stern, J.: Practical Cryptanalysis of SFLASH. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007)
  4. Dubois, V., Fouque, P.A., Stern, J.: Cryptanalysis of SFLASH with Slightly Modified Parameters. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 264–275. Springer, Heidelberg (2007)
  5. Fell, H.J., Diffie, W.: Analysis of a Public Key Approach Based on Polynomial Substitution. In: Williams, H.C. (ed.) CRYPTO 1985. LNCS, vol. 218, pp. 340–349. Springer, Heidelberg (1986)
  6. Fouque, P.A., Macario-Rat, G., Stern, J.: Key Recovery on Hidden Monomial Multivariate Schemes. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 19–30. Springer, Heidelberg (2008)
  7. Lidl, R., Niederreiter, H.: Finite Fields. Cambridge University Press (2008)
  8. Macario-Rat, G.: Cryptanalyse de schémas multivariés et résolution du problème Isomorphisme de Polynômes. PhD thesis, Université Paris Diderot, Paris 7 (June 2010)
  9. Mahajan, M., Vinay, V.: Determinant: Combinatorics, algorithms, and complexity. Chicago J. Theor. Comput. Sci. 1997 (1997)
  10. Matsumoto, T., Imai, H.: Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988)
  11. Ong, H., Schnorr, C.P., Shamir, A.: An efficient signature scheme based on quadratic equations. In: STOC, pp. 208–216. ACM (1984)
  12. Ong, H., Schnorr, C.P., Shamir, A.: Efficient Signature Schemes Based on Polynomial Equations. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 37–46. Springer, Heidelberg (1985)
  13. Patarin, J.: Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt ’88. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995)
  14. Patarin, J., Courtois, N., Goubin, L.: SFLASH, a Fast Multivariate Signature Algorithm (2003)
  15. Shamir, A.: Efficient Signature Schemes Based on Birational Permutations. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 1–12. Springer, Heidelberg (1994)
  16. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
  17. Stein, W., et al.: Sage Mathematics Software (Version 4.6.2). The Sage Development Team (2011)
  18. Wolf, C., Preneel, B.: Equivalent Keys in HFE, C*, and Variations. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 33–49. Springer, Heidelberg (2005)

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Charles Bouillaguet (1)
  • Pierre-Alain Fouque (1)
  • Gilles Macario-Rat (2)
  1. École Normale Supérieure, Paris, France
  2. Orange Labs, Issy les Moulineaux Cedex 9, France
