Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks

Tianrui Wang; Anyu Wang; Xiaoyun Wang

Paper 2023/659

Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks

Tianrui Wang

, Tsinghua University

Anyu Wang

, Tsinghua University

Xiaoyun Wang, Tsinghua University

Abstract

Code-based cryptography has received a lot of attention recently because it is considered secure under quantum computing. Among them, the QC-MDPC based scheme is one of the most promising due to its excellent performance. QC-MDPC based scheme is usually subject to a small rate of decryption failure, which can leak information about the secret key. This raises two crucial problems: how to accurately estimate the decryption failure rate and how to use the failure information to recover the secret key. However, the two problems are challenging due to the difficulty of geometrically characterizing the bit-flipping decoder employed in QC-MDPC, such as using decoding radius. In this work, we introduce the gathering property and show that it is strongly connected with the decryption failure rate of QC-MDPC. Based on the gathering property, we present two results for QC-MDPC based schemes. The first is a new construction of weak keys obtained by extending the keys that have gathering property via ring isomorphism. For the set of weak keys, we present a rigorous analysis of the probability, as well as experimental simulation of the decryption failure rates. Considering BIKE's parameter set targeting $128$-bit security, our result eventually indicates that the average decryption failure rate is lower bounded by $DFR_{avg} \ge 2^{-122.57}$. The second is a key recovery attack against CCA secure QC-MDPC schemes using decryption failures in a multi-target setting. By decrypting ciphertexts with errors satisfying the gathering property, we show that a single decryption failure can be used to identify whether a target's secret key satisfies the gathering property. Then using the gathering property as extra information, we present a modified information set decoding algorithm that efficiently retrieves the target's secret key. For BIKE's parameter set targeting $128$-bit security, a key recovery attack with complexity $2^{119.88}$ can be expected by using extrapolated decryption failure rates.

Note: A full version of paper.

Metadata

Available format(s): PDF
Category: Attacks and cryptanalysis
Publication info: Published by the IACR in CRYPTO 2023
Keywords: Post-quantum cryptography Code-based cryptography Decryption failure BIKE QC-MDPC Information set decoding
Contact author(s): wangtr22 @ mails tsinghua edu cn
anyuwang @ tsinghua edu cn
xiaoyunwang @ tsinghua edu cn
History: 2023-10-30: revised; 2023-05-10: received; See all versions
Short URL: https://ia.cr/2023/659
License: CC BY

BibTeX

@misc{cryptoeprint:2023/659,
      author = {Tianrui Wang and Anyu Wang and Xiaoyun Wang},
      title = {Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks},
      howpublished = {Cryptology ePrint Archive, Paper 2023/659},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/659}},
      url = {https://eprint.iacr.org/2023/659}
}