Abstract
In 1985 Fell and Diffie proposed constructing trapdoor functions with multivariate equations [11]. They used several sequentially solved stages that combine into a triangular system we call T. In the present paper, we study a more general family of TPM (for “Triangle Plus Minus”) schemes: a triangular construction mixed with some u random polynomials and with some r of the beginning equations removed. We go beyond all previous attacks proposed on such cryptosystems, which used a low-degree component of the inverse function. The cryptanalysis of TPM is reduced to a simple linear algebra problem called MinRank(r): find a linear combination of given matrices that has a small rank r. We introduce a new attack for MinRank called the ‘Kernel Attack’ that works when q^r is small. We explain that TPM schemes can be used in encryption only if q^r is small, and therefore they are not secure.
As an application, we show that the TTM cryptosystem proposed by T.T. Moh at CrypTec’99 [15],[16] reduces to MinRank(2). Thus, though the cleartext size is 512 bits, we break it in O(2^52). The particular TTM of [15],[16] can be broken in O(2^28) due to additional weaknesses, and we needed only a few minutes to solve the challenge TTM 2.1 from the website of the TTM selling company, US Data Security.
We also studied TPM in signature, which is possible only if q^u is small. It is equally insecure: the ‘Degeneracy Attack’ we introduce runs in time q^u · polynomial.
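The reduction to MinRank and the Kernel Attack sketched above, as an added worked illustration that is not code from the paper: given n×n matrices M_1..M_m over GF(q), the attack guesses k = ⌈m/n⌉ vectors, hopes they lie in the kernel of the unknown rank-r combination (a guess succeeds with probability about q^(−rk)), and then recovers the coefficients λ from the linear system (Σ λ_i M_i)·x^(j) = 0. Everything below is this example's own: the choice of a prime q, the toy sizes (n=8, m=6, r=2 over GF(2)), the planted-instance generator used to produce a solvable input, and all function names.

```python
"""Kernel attack on MinRank over a small prime field GF(q) (added example).

MinRank(r): given n x n matrices M_1..M_m over GF(q), find lambda != 0 such
that rank(sum_i lambda_i M_i) <= r.  The kernel attack guesses k = ceil(m/n)
vectors x^(1),..,x^(k) and hopes they all lie in the kernel of the unknown
low-rank combination; a guess is right with probability roughly q^(-r k),
and a right guess turns MinRank into the linear system
(sum_i lambda_i M_i) x^(j) = 0 in the m unknowns lambda_i.
"""
import itertools
import random
from math import ceil


def mat_vec(M, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]


def lin_comb(mats, lam, q):
    """sum_i lam[i] * mats[i] over GF(q)."""
    n = len(mats[0])
    out = [[0] * n for _ in range(n)]
    for coef, M in zip(lam, mats):
        if coef:
            for i in range(n):
                for j in range(n):
                    out[i][j] = (out[i][j] + coef * M[i][j]) % q
    return out


def rref(A, q):
    """Reduced row echelon form over GF(q); returns (rows, pivot columns)."""
    A = [[v % q for v in row] for row in A]
    rows, cols = len(A), len(A[0])
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, q)
        A[r] = [(v * inv) % q for v in A[r]]
        for i in range(rows):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % q for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    return A, pivots


def rank(A, q):
    return len(rref(A, q)[1])


def nullspace(A, q):
    """Basis of {v : A v = 0} over GF(q), one vector per free column."""
    R, pivots = rref(A, q)
    cols = len(A[0])
    basis = []
    for f in (c for c in range(cols) if c not in pivots):
        v = [0] * cols
        v[f] = 1
        for i, p in enumerate(pivots):
            v[p] = (-R[i][f]) % q
        basis.append(v)
    return basis


def kernel_attack(mats, r, q, rng, max_tries=100000):
    m, n = len(mats), len(mats[0])
    k = ceil(m / n)                      # k*n >= m equations per guess
    for _ in range(max_tries):
        xs = []
        while len(xs) < k:               # k nonzero guessed kernel vectors
            x = [rng.randrange(q) for _ in range(n)]
            if any(x):
                xs.append(x)
        # Row (j, i) of the system is coordinate i of (M_1 x^(j), ..., M_m x^(j)).
        system = []
        for x in xs:
            images = [mat_vec(M, x, q) for M in mats]
            system.extend([images[t][i] for t in range(m)] for i in range(n))
        basis = nullspace(system, q)
        # The solution space is generically tiny (k*n >= m equations), so
        # enumerate it and keep the first combination of rank <= r.
        for coeffs in itertools.product(range(q), repeat=len(basis)):
            if not any(coeffs):
                continue
            lam = [sum(c * b[t] for c, b in zip(coeffs, basis)) % q for t in range(m)]
            if rank(lin_comb(mats, lam, q), q) <= r:
                return lam
    raise RuntimeError("kernel guesses exhausted without a low-rank solution")


def planted_instance(n, m, r, q, rng):
    """Constructed MinRank instance with a hidden solution lam_star (m >= 2)."""
    def rand_mat(rows, cols):
        return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]
    U, V = rand_mat(n, r), rand_mat(r, n)
    low = [[sum(U[i][t] * V[t][j] for t in range(r)) % q for j in range(n)] for i in range(n)]
    lam_star = [0] * m
    while not any(lam_star):
        lam_star = [rng.randrange(q) for _ in range(m)]
    i0 = next(i for i, c in enumerate(lam_star) if c)
    mats = [rand_mat(n, n) for _ in range(m)]
    # Overwrite M_{i0} so that sum_j lam_star_j M_j equals the rank-<=r matrix `low`.
    rest = lin_comb(mats, [0 if j == i0 else c for j, c in enumerate(lam_star)], q)
    inv = pow(lam_star[i0], -1, q)
    mats[i0] = [[((low[i][j] - rest[i][j]) * inv) % q for j in range(n)] for i in range(n)]
    return mats, lam_star


def demo(q=2, n=8, m=6, r=2, seed=1):
    """Build a planted instance and solve it; returns (lambda, rank of the combination)."""
    rng = random.Random(seed)
    mats, _ = planted_instance(n, m, r, q, rng)
    lam = kernel_attack(mats, r, q, rng)
    return lam, rank(lin_comb(mats, lam, q), q)


if __name__ == "__main__":
    lam, rk = demo()
    print("lambda =", lam, "rank =", rk)
```

The cost is dominated by the number of guesses, about q^(rk) with k = ⌈m/n⌉, which is why the abstract's condition that q^r be small is exactly what makes the attack practical; the linear algebra after a correct guess is polynomial. The rank check on every candidate discards spurious solutions of the linear system, and the sampled vectors are forced to be nonzero because x = 0 would make every λ a trivial solution and turn the attack into exhaustive search.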
References
[1] E.R. Berlekamp, R.J. McEliece, H.C.A. Van Tilborg, On the inherent intractability of certain coding problems, IEEE Transactions on Information Theory, IT-24(3), pp. 384–386, May 1978.
[2] F. Chabaud, Asymptotic analysis of probabilistic algorithms for finding short codewords, in Proceedings of Eurocode’92, Udine, Italy, CISM Courses and Lectures n° 339, Springer-Verlag, 1993, pp. 217–228.
[3] K. Chen, A new identification algorithm, Cryptography Policy and Algorithms Conference, LNCS n° 1029, Springer-Verlag, 1996.
[4] C. Y. Chou, D. J. Guan, J. M. Chen, A systematic construction of a Q_2k-module in TTM, Preprint, October 1999. Available at http://www.usdsi.com/chou.ps
[5] D. Coppersmith, S. Winograd, Matrix multiplication via arithmetic progressions, J. Symbolic Computation (1990), 9, pp. 251–280.
[6] D. Coppersmith, J. Stern, S. Vaudenay, Attacks on the Birational Permutation Signature Schemes, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 435–443.
[7] D. Coppersmith, J. Stern, S. Vaudenay, The Security of the Birational Permutation Signature Schemes, in Journal of Cryptology, 10(3), pp. 207–221, 1997.
[8] N. Courtois, A. Shamir, J. Patarin, A. Klimov, Efficient Algorithms for solving Overdefined Systems of Multivariate Polynomial Equations, in Advances in Cryptology, Proceedings of EUROCRYPT’2000, LNCS n° 1807, Springer, 2000, pp. 392–407.
[9] N. Courtois, La sécurité des primitives cryptographiques basées sur les problèmes algébriques multivariables MQ, IP, MinRank, et HFE, PhD thesis, Paris 6 University, 26 September 2000, partly in English.
[10] N. Courtois, The MinRank problem. MinRank, a new Zero-knowledge scheme based on the NP-complete problem. Presented at the rump session of Crypto 2000, available at http://www.minrank.org
[11] H. Fell, W. Diffie, Analysis of a public key approach based on polynomial substitutions, in Advances in Cryptology, Proceedings of CRYPTO’85, LNCS n° 218, Springer-Verlag, 1985, pp. 340–349.
[12] E.M. Gabidulin, Theory of codes with maximum rank distance, Problems of Information Transmission, 21:1–12, 1985.
[13] S. Harari, A new authentication algorithm, in Coding Theory and Applications, LNCS n° 388, Springer, 1989, pp. 204–211.
[14] A. Kipnis, A. Shamir, Cryptanalysis of the HFE public key cryptosystem, in Advances in Cryptology, Proceedings of Crypto’99, LNCS n° 1666, Springer, 1999, pp. 19–30.
[15] T.T. Moh, A public key system with signature and master key functions, Communications in Algebra, 27(5), pp. 2207–2222, 1999. Available at http://www.usdsi.com/public.ps
[16] T.T. Moh, A fast public key system with signature and master key functions, in Proceedings of CrypTEC’99, International Workshop on Cryptographic Techniques and E-commerce, Hong Kong City University Press, pp. 63–69, July 1999. Available at http://www.usdsi.com/cryptec.ps
[17] J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms, in Advances in Cryptology, Proceedings of EUROCRYPT’96, LNCS n° 1070, Springer-Verlag, 1996, pp. 33–48.
[18] J. Patarin, L. Goubin, Asymmetric cryptography with S-Boxes, in Proceedings of ICICS’97, LNCS n° 1334, Springer, 1997, pp. 369–380.
[19] J.O. Shallit, G.S. Frandsen, J.F. Buss, The computational complexity of some problems of linear algebra, BRICS series report, Aarhus, Denmark, RS-96-33. Available at http://www.brics.dk/RS/96/33
[20] A. Shamir, Efficient Signature Schemes based on Birational Permutations, in Advances in Cryptology, Proceedings of Crypto’93, LNCS n° 773, Springer-Verlag, 1993, pp. 1–12.
[21] J. Stern, A new identification scheme based on syndrome decoding, in Advances in Cryptology, Proceedings of CRYPTO’93, LNCS n° 773, Springer-Verlag, 1993, pp. 13–21.
[22] J. Stern, F. Chabaud, The cryptographic security of the Syndrome Decoding problem for rank distance codes, in Advances in Cryptology, Proceedings of ASIACRYPT’96, LNCS n° 1163, Springer-Verlag, 1996, pp. 368–381.
© 2000 Springer-Verlag Berlin Heidelberg
Goubin, L., Courtois, N.T. (2000). Cryptanalysis of the TTM Cryptosystem. In: Okamoto, T. (eds) Advances in Cryptology — ASIACRYPT 2000. ASIACRYPT 2000. Lecture Notes in Computer Science, vol 1976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44448-3_4
Print ISBN: 978-3-540-41404-9
Online ISBN: 978-3-540-44448-0