However, SFLASH was practically broken in 2007 by Dubois, Fouque, Stern and Shamir. Their attack breaks the original (and most relevant) parameters, but does not apply when more than half of the public key is truncated. It is therefore possible to choose parameters such that SFLASH is not broken by the existing attacks, although it is less efficient.
We show a key-recovery attack that breaks the full range of parameters in practice, as soon as the information-theoretically required amount of information is available from the public-key. The attack uses new cryptanalytic tools, most notably pencils of matrices and quadratic forms.Category / Keywords: public-key cryptography / SFLASH, multivariate cryptography, practical cryptanalysis, key-recovery Date: received 27 May 2011 Contact author: charles bouillaguet at ens fr Available formats: PDF | BibTeX Citation Version: 20110528:181310 (All versions of this report) Discussion forum: Show discussion | Start new discussion