In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show that the new version is still insecure: we find that the polynomial components of the cipher ($F_i$) satisfy nontrivial equations of the special form

$$\sum_{i=0}^{n-1} a_i x_i + \sum_{0 \leq j \leq k \leq m-1} b_{jk} F_j F_k + \sum_{j=0}^{m-1} c_j F_j + d = 0,$$

which can be found with $2^{38}$ computations. From these equations, and from the linear equations they yield for any given ciphertext, we can eliminate some of the variables $x_i$ by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the "lock" polynomials, which are the key structure meant to ensure the security of this new instance of TTM. Then, with a method similar to that of Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than $2^{39}$ operations over a finite field of size $2^8$. Our results are further confirmed by computer experiments.
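The first step of the attack, recovering relations of the displayed form by linear algebra over evaluation points, as an added illustration that is not the paper's code: a constructed four-variable quadratic map over GF(257) (a stand-in for the paper's GF(2^8)) is built to hide exactly one such relation, and the kernel of the evaluation matrix recovers it. The map, the field and the sample count are assumptions made for the demonstration, not TTM parameters.

```python
# Added example (not the paper's code): recover relations of the form
#   sum a_i x_i + sum_{j<=k} b_jk F_j F_k + sum c_j F_j + d = 0  by linear algebra.
import random

P = 257  # prime field standing in for GF(2^8); keeps the arithmetic short

def toy_map(x):
    """Constructed toy map GF(P)^4 -> GF(P)^4 (not a TTM instance). With the affine
    forms L1..L4 below, F0*F1 and F2*F3 are both L1*L2*L3*L4, so exactly one
    hidden relation of the paper's form holds: F0*F1 - F2*F3 = 0 for every x."""
    x0, x1, x2, x3 = x
    L1, L2, L3, L4 = x0 + 1, x1 + 2 * x3, x2 + 3, x3 + x0
    return [L1 * L2 % P, L3 * L4 % P, L1 * L3 % P, L2 * L4 % P]

def relation_row(x):
    """Candidate terms [x_i..., F_j F_k (j<=k)..., F_j..., 1] evaluated at x."""
    F = toy_map(x)
    prods = [F[j] * F[k] % P for j in range(len(F)) for k in range(j, len(F))]
    return list(x) + prods + F + [1]

def nullspace_mod_p(rows, ncols):
    """Basis of {v : M v = 0 mod P}, read off the reduced row echelon form of M."""
    m, pivots, r = [row[:] for row in rows], [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue  # column c depends on earlier columns -> free variable
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P - 2, P)  # Fermat inverse of the pivot
        m[r] = [v * inv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(a - m[i][c] * b) % P for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for free in [c for c in range(ncols) if c not in pivots]:
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -m[i][free] % P
        basis.append(v)
    return basis

def find_relations(samples=80, seed=1):
    """Each random point gives one linear constraint; identities lie in the kernel."""
    rng = random.Random(seed)
    rows = [relation_row([rng.randrange(P) for _ in range(4)]) for _ in range(samples)]
    return nullspace_mod_p(rows, len(rows[0]))
```

The recovered kernel vector has coefficient 1 on F2*F3 and P-1 on F0*F1 and 0 elsewhere, i.e. the hidden identity, with more sample points than columns so that spurious kernel vectors do not survive.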
[1] T. Moh et al. On the Goubin-Courtois Attack on TTM. IACR Cryptol. ePrint Arch., 2001.
[2] Peter W. Shor et al. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM Rev., 1995.
[3] Louis Goubin et al. Cryptanalysis of the TTM Cryptosystem. ASIACRYPT, 2000.
[4] T. T. Moh et al. A public key system with signature and master key functions. 1999.
[5] Jacques Patarin et al. Cryptanalysis of the Matsumoto and Imai Public Key Scheme of Eurocrypt'88. CRYPTO, 1995.
[6] Hideki Imai et al. Public Quadratic Polynominal-Tuples for Efficient Signature-Verification and Message-Encryption. EUROCRYPT, 1988.
[7] Bo-Yin Yang et al. Building Instances of TTM Immune to the Goubin-Courtois Attack and the Ding-Schmidt Attack. IACR Cryptol. ePrint Arch., 2004.
[8] Jacques Patarin et al. About the XL Algorithm over GF(2). CT-RSA, 2003.