A Practical Key Recovery Attack on Basic TCHo

TCHo is a public key encryption scheme based on a stream cipher component, which is particular suitable for low cost devices like RFIDs. In its basic version, TCHo offers no IND-CCA2 security, but the authors suggest to use a generic hybrid construction to achieve this security level. The implementation of this method however, significantly increases the hardware complexity of TCHo and thus annihilates the advantage of being suitable for low cost devices. In this paper we show, that TCHo cannot be used without this construction. We present a chosen ciphertext attack on basic TCHo that recovers the secret key after approximately d 3/2 decryptions, where d is the number of bits of the secret key polynomial. The entropy of the secret key is $\log_2\binom{d}{w}$, where w is the weight of the secret key polynomial, and w is usually small compared to d . In particular, we can break all of the parameters proposed for TCHo within hours on a standard PC.

[1]  Willi Meier,et al.  TCHo: A Hardware-Oriented Trapdoor Cipher , 2007, ACISP.

[2]  Ronald Cramer,et al.  Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings , 2005, EUROCRYPT.

[3]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[4]  María Bárbara Álvarez Torres,et al.  On the Move to Meaningful Internet Systems 2004: OTM 2004 Workshops , 2004, Lecture Notes in Computer Science.

[5]  P. Zimmermann,et al.  High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams , 2004, 2105.06013.

[6]  Michael Wiener,et al.  Advances in Cryptology — CRYPTO’ 99 , 1999 .

[7]  Anne Canteaut,et al.  A New Algorithm for Finding Minimum-Weight Words in a Linear Code: Application to McEliece’s Cryptosystem and to Narrow-Sense BCH Codes of Length , 1998 .

[8]  Information Security and Privacy , 1996, Lecture Notes in Computer Science.

[9]  Serge Vaudenay,et al.  When Stream Cipher Analysis Meets Public-Key Cryptography , 2006, Selected Areas in Cryptography.

[10]  Joachim von zur Gathen,et al.  Finding Low Weight Polynomial Multiples Using Lattices , 2007, IACR Cryptol. ePrint Arch..

[11]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[12]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[13]  Martin Feldhofer,et al.  A Case Against Currently Used Hash Functions in RFID Protocols , 2006, OTM Workshops.

[14]  Kaoru Kurosawa,et al.  Tag-KEM/DEM: A New Framework for Hybrid Encryption and A New Analysis of Kurosawa-Desmedt KEM , 2005, EUROCRYPT.