Cryptanalysis of Enhanced TTS, STS and All Its Variants, or: Why Cross-Terms Are Important

  • Enrico Thomae
  • Christopher Wolf
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7374)


We show that the two multivariate signature schemes Enhanced STS, proposed at PQCrypto 2010, and Enhanced TTS, proposed at ACISP 2005, are vulnerable due to systematically missing cross-terms. To this end, we generalize equivalent keys to so-called good keys for an improved algebraic key recovery attack. In particular, we demonstrate that it is impossible to choose both secure and efficient parameters for Enhanced STS, and we break all current parameters of both schemes.

Since 2010, many variants of Enhanced STS, such as Check Equations or Hidden Pair of Bijections, have been proposed. We break all these variants and show that making STS secure will either lead to a variant known as the Oil, Vinegar and Salt signature scheme or, if we also require the signing algorithm to be efficient, to the well-known Rainbow signature scheme. We show that our attack is more efficient than any previously known attack.


Keywords: Multivariate Cryptography; Algebraic Cryptanalysis; STS; TTS; Rank Attack; Key Recovery Attack; Equivalent Keys





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Enrico Thomae (1)
  • Christopher Wolf (1)
  1. Horst Görtz Institute for IT-security, Faculty of Mathematics, Ruhr-University of Bochum, Bochum, Germany
