Generic Attacks and the Security of Quartz [chapter]

Nicolas T. Courtois
2002 Lecture Notes in Computer Science  
The signature scheme Quartz is based on a trapdoor function G belonging to a family called HFEv-. It has two independent security parameters, and we claim that if d is big enough, no better method to compute an inverse of G than the exhaustive search is known. Such a (quite strong) assumption, allows to view Quartz as a general construction, that transforms a trapdoor function into a short signature scheme. The main object of this paper is the concrete security of this construction. On one
more » ... we present generic attacks on such schemes. On the other hand, we study the possibility to prove or justify the security with some well chosen assumptions. Unfortunately for Quartz, our lower and upper security bounds do not coincide. Still the best attack known for Quartz is our generic attack using O(2 80 ) computations with O(2 80 ) of memory. We will also propose an alternative way of doing short signatures for which both bounds do coincide.
doi:10.1007/3-540-36288-6_26 fatcat:jr24hl5jr5byzfp2ol76ojp4e4