
Attacking the affine parts of SFLASH



The signature scheme SFLASH has been accepted as a candidate in the NESSIE (New European Scheme for Signatures, Integrity, and Encryption) project. We show that recovering the two secret affine mappings $\mathbb{F}_2^{37} \to \mathbb{F}_2^{37}$ in SFLASH can easily be reduced to the task of revealing two linear mappings $\mathbb{F}_2^{37} \to \mathbb{F}_2^{37}$. In particular, the 74 bits representing these affine parts do by no means contribute a factor of $2^{74}$ to the effort required for mounting an attack against the system. This raises some doubts about the design of this NESSIE candidate.




Geiselmann, W., Steinwandt, R., & Beth, T. (2001). Attacking the affine parts of SFLASH. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2260, pp. 355–359). Springer Verlag.
