A defect of the implementation schemes of the TTM cryptosystem

Jintai Ding Dieter Schmidt

TBD mathscidoc:2207.43099

IACR Cryptol. ePrint Arch., 2013.5
We show all the existing TTM implementation schemes have a defect that there exist linearization equations \sum_{i=1,j=1}^{n,m} a_{ij} x_i y_j(x_1,...,x_n) + \sum_{i=1}^n b_i x_i + \sum_{j=1}^m c_j y_j(x_1,...,x_n) + d = 0, which are satisfied by the components y_i(x_1,...,x_n) of the ciphers of the TTM schemes. We further demonstrate that, for the case of the most recent two implementation schemes in two versions of the paper \cite{CM}, where the inventor of TTM used them to refute a claim in \cite{CG}, if we do a linear substitution with the linear equations derived from the linearization equations for a given ciphertext, we can find the plaintext easily by an iteration of the procedure of first search for linear equations by linear combinations and then linear substitution. The computation complexity of the attack on these two schemes is less than 2^{35} over a finite field of size 2^8.
No keywords uploaded!
[ Download ] [ 2022-07-21 14:06:55 uploaded by dingjt ] [ 236 downloads ] [ 0 comments ]
  title={A defect of the implementation schemes of the TTM cryptosystem},
  author={Jintai Ding, and Dieter Schmidt},
  booktitle={IACR Cryptol. ePrint Arch.},
Jintai Ding, and Dieter Schmidt. A defect of the implementation schemes of the TTM cryptosystem. 2013. In IACR Cryptol. ePrint Arch.. http://archive.ymsc.tsinghua.edu.cn/pacm_paperurl/20220721140655043986681.
Please log in for comment!
Contact us: office-iccm@tsinghua.edu.cn | Copyright Reserved