
On Constant-Time QC-MDPC Decoders with Negligible Failure Rate

  • Conference paper
  • Code-Based Cryptography (CBCrypto 2020)

Abstract

The QC-MDPC code-based KEM Bit Flipping Key Encapsulation (BIKE) is one of the Round-2 candidates of the NIST PQC standardization project. It has a variant that is proved to be IND-CCA secure. The proof models the KEM with some black-box (“ideal”) primitives. Specifically, the decapsulation invokes an ideal primitive called “decoder”, required to deliver its output with a negligible Decoding Failure Rate (DFR). The concrete instantiation of BIKE substitutes this ideal primitive with a new decoding algorithm called “Backflip”, that is shown to have the required negligible DFR. However, it runs in a variable number of steps and this number depends on the input and on the key. This paper proposes a decoder that has a negligible DFR and also runs in a fixed (and small) number of steps. We propose that the instantiation of BIKE uses this decoder with our recommended parameters. We study the decoder’s DFR as a function of the scheme’s parameters to obtain a favorable balance between the communication bandwidth and the number of steps that the decoder runs. In addition, we build a constant-time software implementation of the proposed instantiation, and show that its performance characteristics are quite close to the IND-CPA variant. Finally, we discuss a subtle gap that needs to be resolved for every IND-CCA secure KEM (BIKE included) where the decapsulation has nonzero failure probability: the difference between average DFR and “worst-case” failure probability per key and ciphertext.


Notes

  1. This decoder appears in the pre-Round-1 submission “CAKE” (the BIKE-1 ancestor). It is due to N. Sendrier and R. Misoczki. The decoder was adapted to use the improved thresholds published in [3].

  2. Theorems 3.1 and 3.4 appear only in the ePrint version [13] of [12]. In [12] they appear as Theorems 1 and 4, respectively.

  3. In BIKE-1, the secret key (sk) and public key (pk) are h and f, respectively.

  4. In BIKE-1, \(n=2r\), the parity-check matrix H is formed by the two circulant blocks \((h_0, h_1)\), and the vectors c, e, and f are defined as \(c=(c_0,c_1)\), \(e=(e_0,e_1)\), and \(mf=(m \cdot f_0,m \cdot f_1)\).

  5. See the discussion of some extrapolation methodologies in Appendix C.

  6. Recall that different decoders have different definitions for the term “iterations”; see Sect. 2.3.

  7. Here, KEM\(^{\not \perp }\) refers to a KEM with implicit rejection, and qG is the number of invocations of the random oracle G (H in the case of BIKE-1).

  8. Our definition of weak keys is different from that of [4], where a weak key is a secret key that can be exposed from the public key alone.

  9. The recommendations given here are the opinion of the authors of this paper.

  10. The BIKE specification [3, Section 2.4.5] states: “An interesting consequence is that if w and t are fixed, a moderate modification of r (say plus or minus \(50\%\)) will not significantly affect the resistance against the best known key and message attacks”.

References

  1. C library for quantum-safe cryptography (2019). https://github.com/open-quantum-safe/liboqs/pull/554

  2. Melchor, C.A., et al.: Hamming Quasi-Cyclic (HQC) (2017). https://pqc-hqc.org/doc/hqc-specification_2017-11-30.pdf

  3. Aragon, N., et al.: BIKE: Bit Flipping Key Encapsulation (2017). https://bikesuite.org/files/round2/spec/BIKE-Spec-2019.06.30.1.pdf

  4. Bardet, M., Dragoi, V., Luque, J.G., Otmani, A.: Weak keys for the quasi-cyclic MDPC public key encryption scheme. In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 346–367. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_18

  5. Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: 2016 IEEE International Symposium on Information Theory (ISIT), pp. 1366–1370 (2016). https://doi.org/10.1109/ISIT.2016.7541522

  6. Drucker, N., Gueron, S.: A toolbox for software optimization of QC-MDPC code-based cryptosystems. J. Cryptogr. Eng. 9(4), 341–357 (2019). https://doi.org/10.1007/s13389-018-00200-4

  7. Drucker, N., Gueron, S.: Additional implementation of BIKE (2019). https://bikesuite.org/additional.html

  8. Eaton, E., Lequesne, M., Parent, A., Sendrier, N.: QC-MDPC: a timing attack and a CCA2 KEM. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 47–76. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-79063-3_3

  9. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34

  10. Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962). https://doi.org/10.1109/TIT.1962.1057683

  11. Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_29

  12. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12

  13. Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. Cryptology ePrint Archive, Report 2017/604 (2017). https://eprint.iacr.org/2017/604

  14. Maurich, I.V., Oder, T., Güneysu, T.: Implementing QC-MDPC McEliece encryption. ACM Trans. Embed. Comput. Syst. 14(3), 44:1–44:27 (2015). https://doi.org/10.1145/2700102

  15. Nilsson, A., Johansson, T., Wagner, P.S.: Error amplification in code-based cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 1, 238–258 (2019). https://doi.org/10.13154/tches.v2019.i1.238-258

  16. NIST: Post-Quantum Cryptography (2019). https://csrc.nist.gov/projects/post-quantum-cryptography. Accessed 20 Aug 2019

  17. Gaudry, P., Brent, R.P.Z., Thome, E.: gf2x-1.2 (2017). https://gforge.inria.fr/projects/gf2x/

  18. Samardjiska, S., Santini, P., Persichetti, E., Banegas, G.: A reaction attack against cryptosystems based on LRPC codes. In: Schwabe, P., Thériault, N. (eds.) LATINCRYPT 2019. LNCS, vol. 11774, pp. 197–216. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30530-7_10

  19. Santini, P., Battaglioni, M., Chiaraluce, F., Baldi, M.: Analysis of reaction and timing attacks against cryptosystems based on sparse parity-check codes. In: Baldi, M., Persichetti, E., Santini, P. (eds.) CBC 2019. LNCS, vol. 11666, pp. 115–136. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25922-8_7

  20. Sendrier, N., Vasseur, V.: On the decoding failure rate of QC-MDPC bit-flipping decoders. In: Ding, J., Steinwandt, R. (eds.) PQCrypto 2019. LNCS, vol. 11505, pp. 404–416. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25510-7_22

  21. Shoup, V.: Number theory C++ library (NTL) version 11.3.4 (2019). http://www.shoup.net/ntl

  22. Wafo-Tapa, G., Bettaieb, S., Bidoux, L., Gaborit, P.: A practicable timing attack against HQC and its countermeasure. Technical report 2019/909 (2019). https://eprint.iacr.org/2019/909


Acknowledgments

This research was partly supported by: NSF-BSF Grant 2018640; The BIU Center for Research in Applied Cryptography and Cyber Security, and the Center for Cyber Law and Policy at the University of Haifa, both in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.

Author information

Corresponding author: Nir Drucker.

Appendices

A Black-Gray Decoder

(Algorithm listing of the Black-Gray decoder; the figure itself is not included in this extract.)

B Implementing Backflip\(^+\) in Constant-Time

Here, we show how to define and implement a constant-time Backflip\(^+\) decoder, based on a constant-time Black-Gray decoder. The Backflip\(^+\) decoder differs from the Black-Gray decoder in two aspects: a) it uses a new mechanism called TTL; b) it uses new equations for calculating the thresholds. The TTL mechanism is a “smart queue” where the decoder flips back some error bits when it believes that they were mistakenly flipped in previous iterations. It does so unconditionally, and it can flip bits even after 5 iterations. The Black-Gray decoder uses a different type of TTL, where the black and gray lists serve as the “smart queue”. However, the error bits are flipped back after only 1 iteration, conditionally, through checking certain thresholds. Indeed, as we report below, the differences are observed in cases where the Black-Gray decoder failed to decode after 4 iterations and then w.h.p. fails completely. The Backflip decoder shows better recovery capabilities in such cases. Implementing the new TTL queue in constant time relies mostly on common constant-time techniques.

Handling the New Threshold Function. The Backflip decoder thresholds are a function of two variables [3, Section 2.4.3]: a) the syndrome weight wt(s), as in the Black-Gray decoder; b) the number of error bits that the decoder believes it flipped (denoted \(\bar{e}\)). This function outputs higher thresholds compared to the Black-Gray decoder. This is a conservative approximation. We believe that the design of the Backflip decoder tends to avoid flipping the “wrong” bits so that the decoder would have better recovery capabilities and a lower DFR (assuming that it can execute an unbounded number of iterations). We point out that evaluating the function involves computing logarithms, exponents, and function minimization, and it is not clear how this can be implemented in constant time (the reference code [3] is not implemented in constant time).

One way to address this issue is to pre-calculate the finite number of pairs \((wt(s), \bar{e})\) and their function evaluation, store them in a table, and read them from the table in constant-time. This involves very high latencies.

Similarly to the Black-Gray decoder (in BIKE-1-CPA [3]), we approximate the threshold function, which is here a function of two variables. A first attempt is shown in Fig. 4. We compute the function over all the valid/relevant inputs and then compute an approximation by fitting it to a plane. Unfortunately, this approximation is not sufficiently accurate: an experiment with \(r=11,779\) (as in BIKE-1-CCA [3]) gave an estimated DFR of \(10^{-4}\).

Fig. 4. Approximating the Backflip decoder thresholds function.

To improve the approximation we project the function onto the plane \(\bar{e}=e1\) (\(0 \le e1 \le t\)). Then, for every valid e1, we compute the linear approximation and tabulate the coefficients. Figure 5, Panel (a) illustrates the linear approximation for \(e1=25\). These thresholds improve the DFR, but it is still too high.

A refinement can be obtained by partitioning the approximation into five regions. The projection graph in Fig. 5 can be partitioned into five intervals as follows: a) \([a_0,a_1]\) and \([a_2,a_3]\), where the threshold is fixed to some minimum value (min); b) \([a_4,a_5]\), where the threshold is d; c) \([a_1, a_2]\) and \([a_3, a_4]\), where the threshold (th) is approximated using \(th = b_0 wt(s) + b_1\) and \(th = c_0 wt(s) + c_1\), respectively. For \(r=11,779\) the values we use are \(a_0=0\), \(a_1=1,578\), \(a_2=1,832\), \(a_3=3,526\), \(a_4=9,910\), \(a_5=r\). The result is shown in Fig. 5 Panel (b) for \(\bar{e}=25\). We use these values to define the table (T) with t rows and 8 columns. Every row contains the \(a_1\), \(a_2\), \(a_3\), \(a_4\), \(b_0\), \(b_1\), \(c_0\), \(c_1\) values that correspond to the projection on the plane \(\bar{e}\).

Fig. 5. Approximating the threshold function when \(\bar{e}=25\) is fixed.

For every \((s1,e1) = (wt(s),\bar{e})\) the threshold is computed by the five-region formula above (the listing itself is not included in this extract).

To evaluate the thresholds in constant time we used a constant-time function that compares two integers \(j\), \(k\) and returns one of two bit-masks (all ones or all zeros) depending on whether \(j<k\). The threshold computation is then rewritten so that every region's candidate is computed and the masks select the result (the listing itself is not included in this extract).

With this we can implement Backflip\(^+\) in constant-time, provided that we fix a-priori the number of iterations.
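The following is an added illustration, not the paper's code, of how the five-region table lookup and the mask-based selection can be evaluated without input-dependent branches or memory accesses. The region boundaries \(a_1..a_4\) for \(r=11,779\) are those stated above; the line coefficients \(b_0,b_1,c_0,c_1\), the minimum threshold and d are constructed placeholders (the paper does not list them), stored as 16.16 fixed point so that no floating-point arithmetic is involved. The demo table has three rows instead of t, and the row index plays the role of \(\bar{e}\).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not the paper's code): constant-time evaluation of the
 * five-region threshold approximation.  All coefficients are assumed
 * non-negative and are stored as 16.16 fixed point. */

#define FIX_SHIFT 16
#define FIX_HALF  (1u << (FIX_SHIFT - 1))
#define MIN_THR   30u   /* constructed placeholder for "min" */
#define D_THR     71u   /* constructed placeholder for d */

typedef struct {
    uint32_t a1, a2, a3, a4;  /* region boundaries on wt(s) */
    uint32_t b0, b1, c0, c1;  /* 16.16 fixed-point line coefficients */
} thr_row_t;

/* One row per \bar{e}; the real table T has t rows, this demo keeps three.
 * b0 = round(0.05 * 2^16), c0 = round(0.02 * 2^16) (constructed values);
 * b1 grows by one per row so that rows give visibly different thresholds. */
static const thr_row_t DEMO_T[3] = {
    {1578, 1832, 3526, 9910, 3277, 20u << FIX_SHIFT, 1311, 60u << FIX_SHIFT},
    {1578, 1832, 3526, 9910, 3277, 21u << FIX_SHIFT, 1311, 60u << FIX_SHIFT},
    {1578, 1832, 3526, 9910, 3277, 22u << FIX_SHIFT, 1311, 60u << FIX_SHIFT},
};

/* All-ones mask if j < k, all-zeros otherwise; no data-dependent branch.
 * The 64-bit subtraction wraps when j < k, which sets bit 63. */
static uint32_t ct_lt_mask(uint32_t j, uint32_t k)
{
    return (uint32_t)0 - (uint32_t)(((uint64_t)j - (uint64_t)k) >> 63);
}

static uint32_t ct_eq_mask(uint32_t j, uint32_t k)
{
    return ~(ct_lt_mask(j, k) | ct_lt_mask(k, j));
}

/* Fixed-point line m*s + b, rounded to the nearest integer threshold. */
static uint32_t fix_line(uint32_t m, uint32_t b, uint32_t s)
{
    uint64_t v = (uint64_t)m * (uint64_t)s + (uint64_t)b + FIX_HALF;
    return (uint32_t)(v >> FIX_SHIFT);
}

/* Threshold for (s1, e1) = (wt(s), \bar{e}).  Every row of T is read and
 * every region's candidate is computed; masks select the result, so the
 * access pattern and instruction trace do not depend on the inputs. */
static uint32_t ct_threshold(const thr_row_t *T, size_t rows,
                             uint32_t s1, uint32_t e1)
{
    thr_row_t row = {0, 0, 0, 0, 0, 0, 0, 0};
    for (size_t i = 0; i < rows; i++) {
        uint32_t m = ct_eq_mask((uint32_t)i, e1);
        row.a1 |= T[i].a1 & m;  row.a2 |= T[i].a2 & m;
        row.a3 |= T[i].a3 & m;  row.a4 |= T[i].a4 & m;
        row.b0 |= T[i].b0 & m;  row.b1 |= T[i].b1 & m;
        row.c0 |= T[i].c0 & m;  row.c1 |= T[i].c1 & m;
    }
    /* Half-open regions: [a1,a2) and [a3,a4) use the fitted lines,
     * [a4, r] uses d, and everything else uses the minimum. */
    uint32_t in_b = ~ct_lt_mask(s1, row.a1) & ct_lt_mask(s1, row.a2);
    uint32_t in_c = ~ct_lt_mask(s1, row.a3) & ct_lt_mask(s1, row.a4);
    uint32_t in_d = ~ct_lt_mask(s1, row.a4);
    uint32_t th_b = fix_line(row.b0, row.b1, s1);
    uint32_t th_c = fix_line(row.c0, row.c1, s1);

    uint32_t th = MIN_THR;
    th = (th & ~in_b) | (th_b & in_b);
    th = (th & ~in_c) | (th_c & in_c);
    th = (th & ~in_d) | (D_THR & in_d);
    return th;
}

int main(void)
{
    const uint32_t probes[] = {1000, 1700, 2500, 5000, 11000};
    for (size_t i = 0; i < 5; i++)
        printf("wt(s)=%5u e=0 -> th=%u\n", probes[i],
               ct_threshold(DEMO_T, 3, probes[i], 0));
    return 0;
}
```

The row fetch touches all t rows on every call, which is the price of hiding \(\bar{e}\); a real implementation would keep the table small enough for this scan to be cheap relative to the syndrome computation it gates.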

C Achieving the Same DFR Bounds as of [20]

We ran experiments with Backflip\(^+\) and \(X_{BF}=100\) for BIKE-1 Level-1, scanning all the 34 legitimate \(r \in [8500,9340]\) (prime r values such that \(x^r - 1\) is a primitive polynomial) with 4.8M tests for every value. Applying our extrapolation methodology (see Sect. 4) to the acquired data leads to the results illustrated in Fig. 6 Panels (a) and (b). The figure highlights the pairs (DFR; r) for DFR \(2^{-64}\) and \(2^{-128}\) with the smallest possible r. For example, with \(r=12,539\) the linear extrapolation gives DFR of \(2^{-128}\). Note that [3] claims a DFR of \(2^{-128}\) for a smaller \(r=11,779\). For comparison, with \(r=11,779\) our methodology gives a DFR of \(2^{-104}\). We can guess that either different TTL values were used for every r, or that other r values were used, or that a different extrapolation methodology was applied.

We show one possible methodology (“Last-Linear”) that gives a DFR of \({\sim }2^{-128}\) with \(r=11,779\) when applied to the acquired data: a) Ignore the points from the data-set for which \(100-\)DFR is too low to be calculated reliably (e.g., the five lower points in Fig. 6); b) Draw a line through the last two remaining data points, i.e., those with the highest values of r. The rationale is that the “linear regime” of the DFR evolution starts at values of r beyond those that can be estimated in an experiment. Thus, a line drawn through two data points where r is smaller than the starting point of the linear regime leads to an extrapolation that is lower-bounded by the “real” linear evolution. With this approach, the question is how to choose the two points from which the experimental data is obtained and the DFR is extrapolated.

This shows that different ways to acquire and interpret the data give different upper bounds for the DFR. Since the extrapolation shoots over a large gap of r values, the results are sensitive to the chosen methodology. It is interesting to note that if we take our data points for Black-Gray and \(X_{BG}=5\) and use the Last-Linear extrapolation, we can find two points that would lead to \(2^{-128}\) and \(r=11,779\), while a more conservative methodology gives only \(2^{-101}\).

Fig. 6. BIKE-1 Level-1 Backflip\(^+\) different extrapolation methods. See the text for details. The sub-captions detail the (DFR; r) for DFR values: \(2^{-64}\), \(2^{-128}\).

D Additional Information

The following values of r were used by the extrapolation method:

  • BIKE-1 Level-1: 9349, 9547, 9749, 9803, 9859, 9883, 9901, 9907, 9923, 9941, 9949, 10037, 10067, 10069, 10091, 10093, 10099, 10133, 10139.

  • BIKE-1 Level-3: 19013, 19037, 19051, 19069, 19141, 19157, 19163, 19181, 19219, 19237, 19259, 19301, 19333, 19373, 19387, 19403, 19427, 19469, 19483, 19507, 19541, 19571, 19597, 19603, 19661, 19709, 19717, 19739, 19763, 19813, 19853.

E The Linear and the Quadratic Extrapolations

Table 4 gives the equations for the linear and the quadratic extrapolation together with the extrapolated values of r for a DFR of \(2^{-23}\), \(2^{-64}\), and \(2^{-128}\). It covers the tuple (scheme, level, decoder, X), where decoder \(\in \) {BG=Black-Gray, BF=Backflip\(^+\)}.

The BIKE specification [3] chooses r to be the minimum required for achieving a certain security level, and the best bandwidth trade-off. It also indicates that it is possible to increase r by “plus or minus \(50\%\)” (leaving w, t fixed) without reducing the complexity of the best known key/message attacks. This is an interesting observation. For example, increasing the BIKE-1 Level-3 \(r=19,853\) by \(50\%\) gives \(r=29,779\) which is already close to the BIKE-1 Level-5 that has \(r=32,749\) (of course with different w and t). We take a more conservative approach and restrict r values to be at most \(30\%\) above their CCA values stated in [3]. Table 4 labels values beyond this limit as N/A.

Table 4. The linear and the quadratic extrapolation equations, and the computed r values for a given DFR. The cases labeled with N/A are those where the value of r to achieve a target DFR could not be found in the range \([0.7r', 1.3r']\), where \(r'\) is the recommended value for IND-CCA security in [3]
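The following is an added example, not the paper's code, that carries out the two extrapolations discussed in Appendix C (Last-Linear: a line through the two highest-r points) and Appendix E (a quadratic through three points), and applies the \([0.7r', 1.3r']\) acceptance rule above. The (r, log2 DFR) points are constructed for illustration and do not reproduce the paper's measurements; the curves are fitted in the log2 domain, which is the assumption behind calling the extrapolation "linear".

```c
#include <stdio.h>

/* Added example (not the paper's code): linear and quadratic extrapolation
 * of log2(DFR) as a function of r, on constructed sample points. */

typedef struct { int deg; double c[3]; } poly_t;   /* c[0] + c[1]x + c[2]x^2 */

static double dabs(double x) { return x < 0 ? -x : x; }

static double poly_eval(const poly_t *p, double x)
{
    double y = 0.0;
    for (int i = p->deg; i >= 0; i--) y = y * x + p->c[i];
    return y;
}

/* Last-Linear step b): the line through two data points. */
static poly_t fit_linear(double x0, double y0, double x1, double y1)
{
    poly_t p = { 1, {0, 0, 0} };
    p.c[1] = (y1 - y0) / (x1 - x0);
    p.c[0] = y0 - p.c[1] * x0;
    return p;
}

/* Quadratic through three points, via Newton divided differences. */
static poly_t fit_quadratic(double x0, double y0, double x1, double y1,
                            double x2, double y2)
{
    double d01 = (y1 - y0) / (x1 - x0);
    double d12 = (y2 - y1) / (x2 - x1);
    double a   = (d12 - d01) / (x2 - x0);
    poly_t p = { 2, {0, 0, 0} };
    p.c[2] = a;
    p.c[1] = d01 - a * (x0 + x1);
    p.c[0] = y0 - d01 * x0 + a * x0 * x1;
    return p;
}

/* r in (lo, hi) with p(r) == target, found by bisection.  The fitted
 * log2-DFR curves decrease beyond the data, so one sign change locates the
 * crossing without any libm call.  Returns -1.0 if the target is not reached. */
static double solve_r(const poly_t *p, double lo, double hi, double target)
{
    double flo = poly_eval(p, lo) - target, fhi = poly_eval(p, hi) - target;
    if (flo <= 0.0 || fhi >= 0.0) return -1.0;
    for (int i = 0; i < 200; i++) {
        double mid = 0.5 * (lo + hi);
        if (poly_eval(p, mid) - target > 0.0) lo = mid; else hi = mid;
    }
    return 0.5 * (lo + hi);
}

/* Appendix E rule: accept r only inside [0.7 r', 1.3 r'] around the
 * recommended IND-CCA value r'. */
static int within_range(double r, double rprime)
{
    return r >= 0.7 * rprime && r <= 1.3 * rprime;
}

/* Constructed sample points standing in for measured (r, log2 DFR) data. */
static const double RS[]      = {9349, 9547, 9749, 9803, 9883};
static const double LOG2DFR[] = {-19.0, -22.5, -25.0, -27.0, -30.0};
#define NPTS 5

int main(void)
{
    const double targets[] = {-23.0, -64.0, -128.0};
    double last = RS[NPTS - 1];
    poly_t lin = fit_linear(RS[NPTS - 2], LOG2DFR[NPTS - 2], last, LOG2DFR[NPTS - 1]);
    poly_t quad = fit_quadratic(RS[NPTS - 3], LOG2DFR[NPTS - 3],
                                RS[NPTS - 2], LOG2DFR[NPTS - 2], last, LOG2DFR[NPTS - 1]);
    for (int i = 0; i < 3; i++) {
        double rl = solve_r(&lin, last, 2.0 * last, targets[i]);
        double rq = solve_r(&quad, last, 2.0 * last, targets[i]);
        printf("DFR 2^%g: linear r=%.1f (%s), quadratic r=%.1f (%s)\n", targets[i],
               rl, within_range(rl, 11779.0) ? "ok" : "N/A",
               rq, within_range(rq, 11779.0) ? "ok" : "N/A");
    }
    return 0;
}
```

With concave sample data the quadratic reaches the target at a smaller r than the line through the last two points, which is the sensitivity to methodology that Appendix C describes; the range check is what turns an out-of-range extrapolation into the N/A entries of Table 4.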

F Illustration Graphs

Fig. 7. Histograms of the cases (vertical axis; measured in percentage) that end up with some weight of an “ideal” error vector (horizontal axis) after the \(X_{BG}=1,2,3,4\) iterations. The decoder is the Black-Gray decoder. Panels a, c, e, g represent the results for \(r=9,803\) and Panels b, d, f, h for \(r=10,163\) with \(f=0,20,30,40\). A lower error weight is better. See explanation in the text.

Fig. 8. BIKE-1 Level-1 and Level-3 extrapolations (see Sect. 4 for details).

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Drucker, N., Gueron, S., Kostic, D. (2020). On Constant-Time QC-MDPC Decoders with Negligible Failure Rate. In: Baldi, M., Persichetti, E., Santini, P. (eds) Code-Based Cryptography. CBCrypto 2020. Lecture Notes in Computer Science(), vol 12087. Springer, Cham. https://doi.org/10.1007/978-3-030-54074-6_4

  • DOI: https://doi.org/10.1007/978-3-030-54074-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54073-9

  • Online ISBN: 978-3-030-54074-6
