TY - GEN
T1 - Breaking a new instance of TTM cryptosystems
AU - Nie, Xuyun
AU - Hu, Lei
AU - Li, Jianyu
AU - Updegrove, Crystal
AU - Ding, Jintai
PY - 2006
Y1 - 2006
N2 - In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular, the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show the new version is still insecure, and we find that the polynomial components of the cipher (Fi) satisfy nontrivial equations of the special form ∑i=0n-1aixi + ∑ 0≤j≤k≤m-1 bjkFjFk+ ∑ j=0 m-1 cjFj + d = 0, which could be found with 238 computations. From these equations and consequently the linear equations we derive from these equations for any given ciphertext, we can eliminate some of the variables xi by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the "lock" polynomials, which are the key structure to ensure its security in this new instance of TTM. Then with method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than 2 39 operations over a finite field of size 28. Our results are further confirmed by computer experiments.
AB - In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular, the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show the new version is still insecure, and we find that the polynomial components of the cipher (Fi) satisfy nontrivial equations of the special form ∑i=0n-1aixi + ∑ 0≤j≤k≤m-1 bjkFjFk+ ∑ j=0 m-1 cjFj + d = 0, which could be found with 238 computations. From these equations and consequently the linear equations we derive from these equations for any given ciphertext, we can eliminate some of the variables xi by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the "lock" polynomials, which are the key structure to ensure its security in this new instance of TTM. Then with method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than 2 39 operations over a finite field of size 28. Our results are further confirmed by computer experiments.
KW - Multivariate public key cryptography
KW - Quadratic polynomial
KW - TTM
UR - http://www.scopus.com/inward/record.url?scp=33746656151&partnerID=8YFLogxK
U2 - 10.1007/11767480_14
DO - 10.1007/11767480_14
M3 - Conference Proceeding
AN - SCOPUS:33746656151
SN - 3540347038
SN - 9783540347033
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 210
EP - 225
BT - Applied Cryptography and Network Security - 4th International Conference, ACNS 2006, Proceedings
PB - Springer Verlag
T2 - 4th International Conference on Applied Cryptography and Network Security, ACNS 2006
Y2 - 6 June 2006 through 9 June 2006
ER -