Cryptanalysis of the TTM Cryptosystem
In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations . They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for “Triangle Plus Minus”) schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems using a low degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank(r): Find a linear combination of given matrices that has a small rank r. We introduce a new attack for MinRank called ‘Kernel Attack’ that works for q r small. We explain that TPM schemes can be used in encryption only if q r is small and therefore they are not secure.
As an application, we showed that the TTM cryptosystem proposed by T.T. Moh at CrypTec’99 , reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in O(252). The particular TTM of , can be broken in O(228) due additional weaknesses, and we needed only few minutes to solve the challenge TTM 2.1. from the website of the TTM selling company, US Data Security.
We also studied TPM in signature, possible only if q u small. It is equally insecure: the ‘Degeneracy Attack’ we introduce runs in q u· polynomial.
KeywordsSignature Scheme Vector Space Versus Quadratic Polynomial Small Rank Rank Distance
- 3.K. Chen, A new identification algorithm, Cryptography Policy and Algorithms Conference, LNCS n° 1029, Springer-Verlag, 1996.Google Scholar
- 4.C. Y. Chou, D. J. Guan, J. M. Chen, A systematic construction of a Q 2k-module in TTM, Preprint, October 1999. Available at http://www.usdsi.com/chou.ps
- 6.D. Coppersmith, J. Stern, S. Vaudenay, Attacks on the Birational Permutation Signature Schemes, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 435–443.Google Scholar
- 8.N. Courtois, A. Shamir, J. Patarin, A. Klimov, Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations, in Advances in Cryptology, Proceedings of EUROCRYPT’2000, LNCS n° 1807, Springer, 2000, pp. 392–407.Google Scholar
- 9.N. Courtois: La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE, PhDt hesis, Paris 6 University, 26 September 2000, partly in English.Google Scholar
- 10.N. Courtois: The Minrank problem. MinRank, a new Zero-knowledge scheme based on the NP-complete problem. Presented at the rump session of Crypto 2000, available at http://www.minrank.org
- 11.H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, in Advances in Cryptology, Proceedings of CRYPTO’85, LNCS n° 218, Springer-Verlag, 1985, pp. 340–349.Google Scholar
- 14.A. Kipnis, A. Shamir, Cryptanalysis of the HFE public key cryptosystem, in Advances in Cryptology, Proceedings of Crypto’99, LNCS n° 1666, Springer, 1999, pp. 19–30.Google Scholar
- 16.T.T. Moh, A fast public key system with signature and master key functions, in Proceedings of CrypTEC’99, InternationalWorkshop on Cryptographic Techniques and E-commerce, Hong-Kong City University Press, pp. 63–69, July 1999. Available at http://www.usdsi.com/cryptec.ps
- 17.J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms, in Advances in Cryptology, Proceedings of EUROCRYPT’96, LNCS n° 1070, Springer Verlag, 1996, pp. 33–48.Google Scholar
- 18.J. Patarin, L. Goubin, Asymmetric cryptography with S-Boxes, in Proceedings of ICICS’97, LNCS n° 1334, Springer, 1997, pp. 369–380.Google Scholar
- 19.J.O. Shallit, G.S. Frandsen, J.F. Buss, The computational complexity of some problems of linear algebra, BRICS series report, Aarhus, Denmark, RS-96-33. Available at http://www.brics.dk/RS/96/33
- 20.A. Shamir, Efficient Signature Schemes based on Birational Permutations, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 1–12.Google Scholar
- 21.J. Stern, A new identification scheme based on syndrome decoding, in Advances in Cryptology, Proceedings of CRYPTO’93, LNCS n° 773, Springer-Verlag, 1993, pp. 13–21.Google Scholar
- 22.J. Stern, F. Chabaud, The cryptographic security of the Syndrome Decoding problem for rank distance codes, in Advances in Cryptology, Proceedings of ASIACRYPT’ 96, LNCS n° 1163, Springer-Verlag, 1985, pp. 368–381.Google Scholar