Breaking a new instance of TTM cryptosystems

  • Authors:
  • Xuyun Nie; Lei Hu; Jianyu Li; Crystal Updegrove; Jintai Ding

  • Affiliations:
  • Xuyun Nie, Lei Hu, Jianyu Li: State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences, Beijing, China
  • Crystal Updegrove, Jintai Ding: Department of Mathematical Sciences, University of Cincinnati, Cincinnati, OH

  • Venue:
  • ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
  • Year:
  • 2006


Abstract

In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show that the new version is still insecure: we find that the polynomial components of the cipher ($F_i$) satisfy nontrivial equations of the special form $$\sum\limits_{i=0}^{n-1}a_ix_i+\sum\limits_{0\leq j\leq k\leq m-1}b_{jk}F_jF_k+\sum\limits_{j=0}^{m-1}c_jF_j+d=0,$$ which can be found with $2^{38}$ computations. From these equations, and consequently from the linear equations we derive from them for any given ciphertext, we can eliminate some of the variables $x_i$ by restricting the functions to an affine subspace such that, on this subspace, we can trivialize the "lock" polynomials, which are the key structure meant to ensure the security of this new instance of TTM. Then, with a method similar to that of Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than $2^{39}$ operations over a finite field of size $2^8$. Our results are further confirmed by computer experiments.