TY - GEN
T1 - Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017
AU - Hashimoto, Yasufumi
AU - Ikematsu, Yasuhiko
AU - Takagi, Tsuyoshi
N1 - Funding Information:
Acknowledgements. This work was supported by JST CREST (Grant Number JPMJCR14D6). The first author was also supported by JSPS Grant-in-Aid for Scientific Research (C) no. 17K05181.
Publisher Copyright:
© 2018, Springer Nature Switzerland AG.
PY - 2018
Y1 - 2018
N2 - One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177Â s with 1326 valid signatures.
AB - One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177Â s with 1326 valid signatures.
UR - http://www.scopus.com/inward/record.url?scp=85052056127&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85052056127&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-97916-8_1
DO - 10.1007/978-3-319-97916-8_1
M3 - Conference contribution
AN - SCOPUS:85052056127
SN - 9783319979151
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 3
EP - 18
BT - Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings
A2 - Yasuda, Kan
A2 - Inomata, Atsuo
PB - Springer Verlag
T2 - 13th International Workshop on Security, IWSEC 2018
Y2 - 3 September 2018 through 5 September 2018
ER -