Breaking a new instance of TTM cryptosystems


Abstract

In 2004, the inventors of TTM cryptosystems proposed a new scheme that could resist the existing attacks, in particular the Goubin-Courtois attack [GC00] and the Ding-Schmidt attack [DS03]. In this paper, we show that the new version is still insecure: we find that the polynomial components of the cipher ($F_i$) satisfy nontrivial equations of the special form $\sum_{i=0}^{n-1} a_i x_i + \sum_{0 \le j \le k \le m-1} b_{jk} F_j F_k + \sum_{j=0}^{m-1} c_j F_j + d = 0$, which can be found with $2^{38}$ computations. From these equations, and consequently from the linear equations we derive from them for any given ciphertext, we can eliminate some of the variables $x_i$ by restricting the functions to an affine subspace, such that, on this subspace, we can trivialize the "lock" polynomials, which are the key structure ensuring the security of this new instance of TTM. Then, with a method similar to Ding-Schmidt [DS03], we can find the corresponding plaintext for any given ciphertext. The total computational complexity of the attack is less than $2^{39}$ operations over a finite field of size $2^8$. Our results are further confirmed by computer experiments. © Springer-Verlag Berlin Heidelberg 2006.

Citation

Nie, X., Hu, L., Li, J., Updegrove, C., & Ding, J. (2006). Breaking a new instance of TTM cryptosystems. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 3989 LNCS, pp. 210–225). Springer Verlag. https://doi.org/10.1007/11767480_14
