Secure Integration of Asymmetric and Symmetric Encryption Schemes
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Algorithms for quantum computation: discrete logarithms and factoring
SFCS '94 Proceedings of the 35th Annual Symposium on Foundations of Computer Science
When stream cipher analysis meets public-key cryptography
SAC'06 Proceedings of the 13th international conference on Selected areas in cryptography
TCHo: a hardware-oriented trapdoor cipher
ACISP'07 Proceedings of the 12th Australasian conference on Information security and privacy
A case against currently used hash functions in RFID protocols
OTM'06 Proceedings of the 2006 international conference on On the Move to Meaningful Internet Systems: AWeSOMe, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET - Volume Part I
Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of kurosawa-desmedt KEM
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
IEEE Transactions on Information Theory
Divisibility of polynomials over finite fields and combinatorial applications
Designs, Codes and Cryptography
| Hi-index | 0.00 |
TCHo is a public key encryption scheme based on a stream cipher component, which is particular suitable for low cost devices like RFIDs. In its basic version, TCHo offers no IND-CCA2 security, but the authors suggest to use a generic hybrid construction to achieve this security level. The implementation of this method however, significantly increases the hardware complexity of TCHo and thus annihilates the advantage of being suitable for low cost devices. In this paper we show, that TCHo cannot be used without this construction. We present a chosen ciphertext attack on basic TCHo that recovers the secret key after approximately d 3/2 decryptions, where d is the number of bits of the secret key polynomial. The entropy of the secret key is $\log_2\binom{d}{w}$, where w is the weight of the secret key polynomial, and w is usually small compared to d . In particular, we can break all of the parameters proposed for TCHo within hours on a standard PC.