Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017

Yasufumi Hashimoto, Yasuhiko Ikematsu, Tsuyoshi Takagi

研究成果: 著書/レポートタイプへの貢献会議での発言

抄録

One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177 s with 1326 valid signatures.

元の言語英語
ホスト出版物のタイトルAdvances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings
編集者Kan Yasuda, Atsuo Inomata
出版者Springer Verlag
ページ3-18
ページ数16
ISBN(印刷物)9783319979151
DOI
出版物ステータス出版済み - 1 1 2018
イベント13th International Workshop on Security, IWSEC 2018 - Sendai, 日本
継続期間: 9 3 20189 5 2018

出版物シリーズ

名前Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
11049 LNCS
ISSN(印刷物)0302-9743
ISSN(電子版)1611-3349

会議

会議13th International Workshop on Security, IWSEC 2018
日本
Sendai
期間9/3/189/5/18

Fingerprint

Signature
Hardness
Attack
Polynomials
Quadratic equation
Quadratic Polynomial
Multivariate Polynomials
Signature Scheme
Valid
Random Oracle Model
Public key
Vulnerability
High Efficiency
Experiments
Experiment

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science(all)

これを引用

Hashimoto, Y., Ikematsu, Y., & Takagi, T. (2018). Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017. : K. Yasuda, & A. Inomata (版), Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings (pp. 3-18). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 巻数 11049 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-97916-8_1

Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017. / Hashimoto, Yasufumi; Ikematsu, Yasuhiko; Takagi, Tsuyoshi.

Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings. 版 / Kan Yasuda; Atsuo Inomata. Springer Verlag, 2018. p. 3-18 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); 巻 11049 LNCS).

研究成果: 著書/レポートタイプへの貢献会議での発言

Hashimoto, Y, Ikematsu, Y & Takagi, T 2018, Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017. : K Yasuda & A Inomata (版), Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 巻. 11049 LNCS, Springer Verlag, pp. 3-18, 13th International Workshop on Security, IWSEC 2018, Sendai, 日本, 9/3/18. https://doi.org/10.1007/978-3-319-97916-8_1
Hashimoto Y, Ikematsu Y, Takagi T. Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017. : Yasuda K, Inomata A, 編集者, Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings. Springer Verlag. 2018. p. 3-18. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-97916-8_1
Hashimoto, Yasufumi ; Ikematsu, Yasuhiko ; Takagi, Tsuyoshi. / Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017. Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings. 編集者 / Kan Yasuda ; Atsuo Inomata. Springer Verlag, 2018. pp. 3-18 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{599b058a91324372a49f60f03a565a16,
title = "Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017",
abstract = "One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177{\^A} s with 1326 valid signatures.",
author = "Yasufumi Hashimoto and Yasuhiko Ikematsu and Tsuyoshi Takagi",
year = "2018",
month = "1",
day = "1",
doi = "10.1007/978-3-319-97916-8_1",
language = "English",
isbn = "9783319979151",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "3--18",
editor = "Kan Yasuda and Atsuo Inomata",
booktitle = "Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings",
address = "Germany",

}

TY - GEN

T1 - Chosen Message Attack on Multivariate Signature ELSA at Asiacrypt 2017

AU - Hashimoto, Yasufumi

AU - Ikematsu, Yasuhiko

AU - Takagi, Tsuyoshi

PY - 2018/1/1

Y1 - 2018/1/1

N2 - One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177 s with 1326 valid signatures.

AB - One of the most efficient post-quantum signature schemes is Rainbow whose hardness is based on the multivariate quadratic polynomial (MQ) problem. ELSA, a new multivariate signature scheme proposed at Asiacrypt 2017, has a similar construction to Rainbow. Its advantages, compared to Rainbow, are its smaller secret key and faster signature generation. In addition, its existential unforgeability against an adaptive chosen-message attack has been proven under the hardness of the MQ-problem induced by a public key of ELSA with a specific parameter set in the random oracle model. The high efficiency of ELSA is derived from a set of hidden quadratic equations used in the process of signature generation. However, the hidden quadratic equations yield a vulnerability. In fact, a piece of information of these equations can be recovered by using valid signatures and an equivalent secret key can be partially recovered from it. In this paper, we describe how to recover an equivalent secret key of ELSA by a chosen message attack. Our experiments show that we can recover an equivalent secret key for the claimed 128-bit security parameter of ELSA on a standard PC in 177 s with 1326 valid signatures.

UR - http://www.scopus.com/inward/record.url?scp=85052056127&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85052056127&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-97916-8_1

DO - 10.1007/978-3-319-97916-8_1

M3 - Conference contribution

AN - SCOPUS:85052056127

SN - 9783319979151

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 18

BT - Advances in Information and Computer Security - 13th International Workshop on Security, IWSEC 2018, Proceedings

A2 - Yasuda, Kan

A2 - Inomata, Atsuo

PB - Springer Verlag

ER -