The signature scheme SFLASH has been accepted as candidate in the NESSIE (New European Scheme for Signatures, Integrity, and Encryption) project. We show that recovering the two secret affine mappings F237 → F237in SFLASH can easily be reduced to the task of revealing two linear mappings F237 → F237 . In particular, the 74 bits representing these affine parts do by no means contribute a factor of 274 to the effort required for mounting an attack against the system. This raises some doubts about the design of this NESSIE candidate.
Geiselmann, W., Steinwandt, R., & Beth, T. (2001). Attacking the affine parts of SFLASH. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 2260, pp. 355–359). Springer Verlag. https://doi.org/10.1007/3-540-45325-3_31