Chosen message attack on multivariate signature elsa at asiacrypt 2017

Yasufumi Hashimoto, Yasuhiko Ikematsu, Tsuyoshi Takagi

Research output: Contribution to journalArticle

Abstract

One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177 seconds with 1,326 valid signatures.

Original languageEnglish
Pages (from-to)517-524
Number of pages8
JournalJournal of information processing
Volume27
DOIs
Publication statusPublished - Jan 1 2019

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Fingerprint Dive into the research topics of 'Chosen message attack on multivariate signature elsa at asiacrypt 2017'. Together they form a unique fingerprint.

  • Cite this