Paper 2020/510

On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM

Nir Drucker, Shay Gueron, Dusan Kostic, and Edoardo Persichetti


The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a decoder that targeted a Decoding Failure Rate (DFR) of $2^{-128}$ (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of $2^{-128}$ does not necessarily imply that the underlying PKE is $\delta$-correct with $\delta=2^{-128}$, as required. In this paper, we handle the necessary aspects in the definitions of the KEM to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of a message-agnostic PKE for which decryption failures are independent of the encrypted message. We show that all the PKE underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
BIKE, Post-Quantum Cryptography, NIST, QC-MDPC codes, Fujisaki-Okamoto
Contact author(s)
drucker nir @ gmail com
shay gueron @ gmail com
dusan kostic @ epfl ch
epersichetti @ fau edu
History
2020-05-05: received
License
Creative Commons Attribution


      author = {Nir Drucker and Shay Gueron and Dusan Kostic and Edoardo Persichetti},
      title = {On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM},
      howpublished = {Cryptology ePrint Archive, Paper 2020/510},
      year = {2020},
      note = {\url{}},
      url = {}