Abstract In this paper we present an algorithm for finding low-weight multiples of polynomials over the binary field using coding theoretic methods. The code defined by the public polynomial is cyclic, allowing an attacker to search for any shift of the sought codeword. Therefore, a code with higher length and dimension is used, having a larger number of low-weight codewords. Additionally, since the degree of the sought polynomial is known, the sought codewords of weight w are transformed by a linear mapping into codewords of weight w − 2. Applying an algorithm for finding low-weight codewords on the constructed code yields complexity for a key-recovery attack against TCHo that is lower than previously expected. 

Available here.