You are looking at a specific version 20200505:010808 of this paper. See the latest version.

Paper 2020/510

On the Applicability of the Fujisaki-Okamoto Transformation to the BIKE KEM

Nir Drucker and Shay Gueron and Dusan Kostic and Edoardo Persichetti

Abstract

The QC-MDPC code-based KEM BIKE is one of the Round-2 candidates of the NIST PQC standardization project. Its specification document describes a version that is claimed to have IND-CCA security. The security proof uses the Fujisaki-Okamoto transformation and a decoder that targeted a Decoding Failure Rate (DFR) of 2^{-128} (for Level-1 security). However, there are several aspects that need to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of 2^{-128} does not necessarily imply that the underlying PKE is \delta-correct with \delta=2^{-128}, as required. In this paper, we handle the necessary aspects in the definitions of the KEM to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of a message-agnostic PKE for which decryption failures are independent of the encrypted message. We show that all the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint. MINOR revision.
Keywords
BIKE, Post-Quantum Cryptography, NIST, QC-MDPC codes, Fujisaki-Okamoto
Contact author(s)
drucker nir @ gmail com, shay gueron @ gmail com, dusan kostic @ epfl ch, epersichetti @ fau edu
History
2020-05-05: received
Short URL
https://ia.cr/2020/510
License
Creative Commons Attribution
CC BY