The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki–Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of (Formula presented.) (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of (Formula presented.) does not necessarily imply that the underlying PKE is δ-correct with (Formula presented.), as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.
On the applicability of the Fujisaki–Okamoto transformation to the BIKE KEM / Drucker, N.; Gueron, S.; Kostic, D.; Persichetti, E.. - In: INTERNATIONAL JOURNAL OF COMPUTER MATHEMATICS. COMPUTER SYSTEMS THEORY. - ISSN 2379-9927. - 6:4(2021), pp. 364-374. [10.1080/23799927.2021.1930176]
On the applicability of the Fujisaki–Okamoto transformation to the BIKE KEM
Persichetti E.
2021
Abstract
The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki–Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of (Formula presented.) (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of (Formula presented.) does not necessarily imply that the underlying PKE is δ-correct with (Formula presented.), as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.