Designs, Codes and Cryptography

, Volume 73, Issue 3, pp 719–730 | Cite as

Projective interpolation of polynomial vectors and improved key recovery attack on SFLASH

  • Weiwei Cao
  • Lei Hu


SFLASH is an instance of the famous C* \(^{-}\) multivariate public key cryptographic schemes and it was chosen by the NESSIE cryptographic project of the European Consortium in 2003 as a candidate signature algorithm used for digital signatures on limited-resource devices. Recently, a successful private key recovery attack on SFLASH was proposed by Bouillaguet, Fouque and Macario-Rat by uncovering the kernel properties of quadratic forms of the central map. The most expensive step in the attack is the calculation of kernel vectors of skew-symmetric matrices over a bivariate polynomial ring. Bouillaguet et al. proposed two methods to accomplish this computation. Both methods involve symbolic computation on bivariate polynomials. The first method computes characteristic polynomials of matrices of polynomials and is very expensive. The second method involves a Gröbner basis computation and so its complexity is difficult to estimate. In this paper, we show this critical step of calculating kernel vectors can be done by numerical computation on field elements instead of symbolic computation. Our method uses a nondeterministic interpolation of polynomial vectors called projective interpolation, and its complexity can be explicitly evaluated. Experiments show that it is much faster, making the total attack on SFLASH about 30 times faster (the critical step is about 100 times faster) than the first method of Bouillaguet et al. The new method is also slighter faster than their second method.


Multivariate public key signature SFLASH Symbolic computation Numerical computation Projective interpolation 

Mathematics Subject Classification




The authors would like to thank anonymous referees for their helpful comments and suggestions, especially, for their pointing out the issue on the practical complexity of computation of syzygy modules and related web information. Their editorial revision suggestions greatly help the authors to polish the English of the paper. The work of this paper was supported by the National Basic Research Programme under Grant 2013CB834203, the National Natural Science Foundation of China (Grants 61070172 and 10990011), the Strategic Priority Research Program of Chinese Academy of Sciences under Grant XDA06010702, and the State Key Laboratory of Information Security, Chinese Academy of Sciences.


  1. 1.
    Bosma W., Cannon J., Playoust C.: The magma algebra system I: the user language. J. Symb. Comput. 24(3–4), 235–265 (1997).Google Scholar
  2. 2.
    Bouillaguet C., Fouque P-A., Macario-Rat G.: Practical key-recovery for all possible parameters of SFLASH. In: Lee D.H., Wang X.Y. (eds.) Advances in Cryptology-Asiacrypt 2011, LNCS, vol. 7073, pp. 667–685. Springer, Heidelberg (2011).Google Scholar
  3. 3.
    Courtois N.T., Goubin L., Patarin J.: SFLASH, a fast asymmetric signature scheme. (2003). Accessed 20 March 2013.
  4. 4.
    Ding J.T., Gower J.E., Schmidt D.S.: Multivariate Public-Key Cryptosystems. Springer, Heidelberg (2006).Google Scholar
  5. 5.
    Dubois V., Fouque P.-A., Shamir, A., Stern, J.: Practical cryptanalysis of SFLASH. In: Menezes A. (ed.) Advances in Cryptology—CRYPTO 2007, LNCS, vol. 4622, pp. 1–12. Springer, Heidelberg (2007).Google Scholar
  6. 6.
    Dubois V., Fouque P.-A., Stern, J.: Cryptanalysis of SFLASH with slightly modified parameters. In: Naor M. (ed.) Advances in Cryptology—EUROCRYPT 2007, LNCS, vol. 4515, pp. 264–275. Springer, Heidelberg (2007).Google Scholar
  7. 7.
    Faug\(\grave{e}\)re J.-C.: A new efficient algorithm for computing Gröbner bases (F4). J. Pure Appl. Algebra 139, 61–88 (1999).Google Scholar
  8. 8.
    Faug\(\grave{e}\)re J.-C.: A new efficient algorithm for computing Gröbner bases without reduction to zero (F5). In: ISSAC 2002, pp. 75–83. ACM, New York (2002).Google Scholar
  9. 9.
    Kaltofen E., Villard G.: On the complexity of computing determinants. Comput. Complex. 13(3–4), 91–130 (2005).Google Scholar
  10. 10.
    Matsumoto T., Imai H.: Public quadratic polynomial-tuples for efficient signature verification and message encryption. In: G\(\ddot{u}\)nther C.G. (ed.) Advances in Cryptology—EUROCRYPT ’88, LNCS, vol. 330, pp. 419–453. Springer, Heidelberg (1988).Google Scholar
  11. 11.
    Preneel B. et al.: NESSIE phase I: selection of primitives. (2001). Accessed 20 March 2013.
  12. 12.
    Preneel B. et al.: Security evaluation of NESSIE first phase. (2001). Accessed 20 March 2013.
  13. 13.
    Patarin J.: Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt’88. In: Coppersmith D. (ed.) Advances in Cryptology—CRYPTO ’95, LNCS, vol. 963, pp. 248–261. Springer, Heidelberg (1995).Google Scholar
  14. 14.
    Patarin J., Courtois N.T., Goubin L.: FLASH, a fast multivariate signature algorithm. In: Naccache D. (ed.) Topics in Cryptology—CT-RSA 2001, LNCS, vol. 2020, pp. 298–307. Springer, Heidelberg (2005).Google Scholar
  15. 15.
    Shor P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).Google Scholar
  16. 16.
    Stein W. et al.: Sage mathematics software (version 4.6.2). Accessed 20 March 2013.

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.State Key Laboratory of Information SecurityInstitute of Information Engineering, Chinese Academy of SciencesBeijingChina

Personalised recommendations