International Workshop on Public Key Cryptography

PKC 2009: Public Key Cryptography – PKC 2009 pp 411-424

A Practical Key Recovery Attack on Basic TCHo

  • Mathias Herrmann
  • Gregor Leander
Conference paper

DOI: 10.1007/978-3-642-00468-1_23

Volume 5443 of the book series Lecture Notes in Computer Science (LNCS)


TCHo is a public key encryption scheme based on a stream cipher component, which is particularly suitable for low cost devices like RFIDs. In its basic version, TCHo offers no IND-CCA2 security, but the authors suggest using a generic hybrid construction to achieve this security level. The implementation of this method, however, significantly increases the hardware complexity of TCHo and thus annihilates the advantage of being suitable for low cost devices. In this paper we show that TCHo cannot be used without this construction. We present a chosen ciphertext attack on basic TCHo that recovers the secret key after approximately \(d^{3/2}\) decryptions, where d is the number of bits of the secret key polynomial. The entropy of the secret key is \(\log_2\binom{d}{w}\), where w is the weight of the secret key polynomial, and w is usually small compared to d. In particular, we can break all of the parameters proposed for TCHo within hours on a standard PC.


Keywords: TCHo, chosen ciphertext attack, stream cipher

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Mathias Herrmann (1)
  • Gregor Leander (2)
  1. Horst Görtz Institute for IT-Security, Faculty of Mathematics, Ruhr-University Bochum, Germany
  2. Department of Mathematics, Technical University of Denmark, Denmark