Cryptanalysis of the TTM Cryptosystem

  • Louis Goubin
  • Nicolas T. Courtois
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations [11]. They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for “Triangle Plus Minus”) schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems using a low degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank(r): Find a linear combination of given matrices that has a small rank r. We introduce a new attack for MinRank called ‘Kernel Attack’ that works for q r small. We explain that TPM schemes can be used in encryption only if q r is small and therefore they are not secure.

As an application, we showed that the TTM cryptosystem proposed by T.T. Moh at CrypTec’99 [15],[16] reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in O(252). The particular TTM of [15],[16] can be broken in O(228) due additional weaknesses, and we needed only few minutes to solve the challenge TTM 2.1. from the website of the TTM selling company, US Data Security.

We also studied TPM in signature, possible only if q u small. It is equally insecure: the ‘Degeneracy Attack’ we introduce runs in q u· polynomial.


Signature Scheme Vector Space Versus Quadratic Polynomial Small Rank Rank Distance 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    E.R. Berlekamp, R.J. McEliece, H.C.A. Van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, IT-24(3), pp. 384–386, May 1978.CrossRefGoogle Scholar
  2. 2.
    F. Chabaud, Asymptotic analysis of probabilistic algorithms for finding short codewords, in Proceedings of Eurocode’92, Udine, Italy, CISM Courses and lectures n° 339, Springer-Verlag, 1993, pp. 217–228.MathSciNetGoogle Scholar
  3. 3.
    K. Chen, A new identification algorithm, Cryptography Policy and Algorithms Conference, LNCS n° 1029, Springer-Verlag, 1996.Google Scholar
  4. 4.
    C. Y. Chou, D. J. Guan, J. M. Chen, A systematic construction of a Q 2k-module in TTM, Preprint, October 1999. Available at
  5. 5.
    D. Coppersmith, S. Winograd, Matrixm ultiplication via arithmetic progressions, J. Symbolic Computation (1990), 9, pp. 251–280.zbMATHMathSciNetCrossRefGoogle Scholar
  6. 6.
    D. Coppersmith, J. Stern, S. Vaudenay, Attacks on the Birational Permutation Signature Schemes, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 435–443.Google Scholar
  7. 7.
    D. Coppersmith, J. Stern, S. Vaudenay, The Security of the Birational Permutation Signature Schemes, in Journal of Cryptology, 10(3), pp. 207–221, 1997.zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    N. Courtois, A. Shamir, J. Patarin, A. Klimov, Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations, in Advances in Cryptology, Proceedings of EUROCRYPT’2000, LNCS n° 1807, Springer, 2000, pp. 392–407.Google Scholar
  9. 9.
    N. Courtois: La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE, PhDt hesis, Paris 6 University, 26 September 2000, partly in English.Google Scholar
  10. 10.
    N. Courtois: The Minrank problem. MinRank, a new Zero-knowledge scheme based on the NP-complete problem. Presented at the rump session of Crypto 2000, available at
  11. 11.
    H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, in Advances in Cryptology, Proceedings of CRYPTO’85, LNCS n° 218, Springer-Verlag, 1985, pp. 340–349.Google Scholar
  12. 12.
    E.M. Gabidulin, Theory of codes with maximum rank distance, Problems of Information Transmission, 21:1–12, 1985.zbMATHGoogle Scholar
  13. 13.
    S. Harari, A new authentication algorithm, in Coding Theory and Applications, LNCS n° 388, Springer, 1989, pp. 204–211.CrossRefGoogle Scholar
  14. 14.
    A. Kipnis, A. Shamir, Cryptanalysis of the HFE public key cryptosystem, in Advances in Cryptology, Proceedings of Crypto’99, LNCS n° 1666, Springer, 1999, pp. 19–30.Google Scholar
  15. 15.
    T.T. Moh, A public key system with signature and master key functions, Communications in Algebra, 27(5), pp. 2207–2222, 1999. Available at zbMATHMathSciNetCrossRefGoogle Scholar
  16. 16.
    T.T. Moh, A fast public key system with signature and master key functions, in Proceedings of CrypTEC’99, InternationalWorkshop on Cryptographic Techniques and E-commerce, Hong-Kong City University Press, pp. 63–69, July 1999. Available at
  17. 17.
    J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms, in Advances in Cryptology, Proceedings of EUROCRYPT’96, LNCS n° 1070, Springer Verlag, 1996, pp. 33–48.Google Scholar
  18. 18.
    J. Patarin, L. Goubin, Asymmetric cryptography with S-Boxes, in Proceedings of ICICS’97, LNCS n° 1334, Springer, 1997, pp. 369–380.Google Scholar
  19. 19.
    J.O. Shallit, G.S. Frandsen, J.F. Buss, The computational complexity of some problems of linear algebra, BRICS series report, Aarhus, Denmark, RS-96-33. Available at
  20. 20.
    A. Shamir, Efficient Signature Schemes based on Birational Permutations, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 1–12.Google Scholar
  21. 21.
    J. Stern, A new identification scheme based on syndrome decoding, in Advances in Cryptology, Proceedings of CRYPTO’93, LNCS n° 773, Springer-Verlag, 1993, pp. 13–21.Google Scholar
  22. 22.
    J. Stern, F. Chabaud, The cryptographic security of the Syndrome Decoding problem for rank distance codes, in Advances in Cryptology, Proceedings of ASIACRYPT’ 96, LNCS n° 1163, Springer-Verlag, 1985, pp. 368–381.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Louis Goubin
    • 1
  • Nicolas T. Courtois
    • 1
  1. 1.Bull CP8Louveciennes CedexFrance

Personalised recommendations