Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks

  • Conference paper
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14083)


Abstract

Code-based cryptography has received a lot of attention recently because it is considered secure against quantum computers. Among these schemes, those based on QC-MDPC codes are among the most promising because of their excellent performance. QC-MDPC based schemes usually have a small but non-zero decryption failure rate, and decryption failures can leak information about the secret key. This raises two crucial problems: how to accurately estimate the decryption failure rate, and how to use the failure information to recover the secret key. Both problems are challenging because the bit-flipping decoder used in QC-MDPC schemes is hard to characterize geometrically, for instance in terms of a decoding radius.

In this work, we introduce the gathering property and show that it is strongly connected with the decryption failure rate of QC-MDPC. Based on this property, we present two results for QC-MDPC based schemes. The first is a new construction of weak keys, obtained by extending the keys that have the gathering property via ring isomorphism. For this set of weak keys, we present a rigorous analysis of its probability, as well as experimental simulations of the decryption failure rates. For BIKE’s parameter set targeting 128-bit security, our result indicates that the average decryption failure rate is lower bounded by \(\text {DFR}_{\text {avg}} \ge 2^{-116.61}\). The second result consists of two key recovery attacks against CCA secure QC-MDPC schemes that use decryption failures in a multi-target setting. The two attacks address the cases where reusing ciphertexts is and is not permitted, respectively. In both cases, we show that decryption failures can be used to identify whether a target’s secret key satisfies the gathering property. Then, using the gathering property as extra information, we present a modified information set decoding algorithm that efficiently retrieves the target’s secret key. For BIKE’s parameter set targeting 128-bit security, we show that a key recovery attack with complexity \(2^{116.61}\) can be mounted if ciphertext reuse is not permitted, and that the complexity can be reduced to \(2^{98.77}\) when ciphertext reuse is permitted.
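The decryption failures the abstract refers to are failures of the bit-flipping decoder of the underlying QC-MDPC code, and the difficulty of estimating their rate is the paper's starting point. The following is an added example, not code from the paper or from the BIKE submission: a toy QC-MDPC instance with a plain Gallager-style bit-flipping decoder and a Monte Carlo estimate of the decryption failure rate. The parameters R, D and T, the fixed threshold rule and all function names are constructed for illustration. BIKE's actual decoder (which uses an adaptive threshold), the paper's gathering property and its weak-key construction are not reproduced here, since the page does not define them.

```python
import random

# Toy QC-MDPC parameters (constructed for illustration; BIKE's parameter
# set targeting 128-bit security uses a block size r in the thousands,
# so these numbers are not representative of the real scheme).
R = 127   # circulant block size; prime, so no sparse block is periodic
D = 5     # Hamming weight of each secret block h0, h1 (column weight of H_i)
T = 4     # Hamming weight of the error vector e = (e0, e1)
MAX_ITER = 10


def keygen(rng, r=R, d=D):
    """Secret key: supports of two sparse polynomials h0, h1 in F2[x]/(x^r - 1).
    The parity-check matrix is H = [H0 | H1], where column j of H_i is x^j * h_i."""
    return [sorted(rng.sample(range(r), d)) for _ in range(2)]


def random_error(rng, r=R, t=T):
    """Error vector of weight t over the 2r positions, split into its two blocks."""
    positions = rng.sample(range(2 * r), t)
    return [{p for p in positions if p < r}, {p - r for p in positions if p >= r}]


def syndrome(h, e, r=R):
    """s = h0*e0 + h1*e1 mod (x^r - 1), returned as a dense bit list of length r."""
    s = [0] * r
    for h_i, e_i in zip(h, e):
        for a in h_i:
            for b in e_i:
                s[(a + b) % r] ^= 1
    return s


def bit_flip_decode(h, s, r=R, threshold=None, max_iter=MAX_ITER):
    """Gallager-style bit flipping: flip every position whose column of H meets
    at least `threshold` unsatisfied parity checks, then update the syndrome.
    Returns the recovered error [e0, e1], or None on a decryption failure."""
    d = len(h[0])
    if threshold is None:
        threshold = (d + 1) // 2 + 1   # constructed fixed rule; real decoders adapt it
    s = list(s)                        # working copy of the syndrome
    e = [set(), set()]                 # current estimate of the error supports
    for _ in range(max_iter):
        if not any(s):
            return e                   # syndrome is zero: decoding succeeded
        flips = []
        for i in range(2):
            for j in range(r):
                # counter = |supp(s) ∩ supp(x^j * h_i)|
                cnt = sum(s[(a + j) % r] for a in h[i])
                if cnt >= threshold:
                    flips.append((i, j))
        if not flips:
            return None                # stuck: no position reaches the threshold
        for i, j in flips:
            e[i] ^= {j}
            for a in h[i]:
                s[(a + j) % r] ^= 1    # flipping bit j of block i adds x^j * h_i to s
    return e if not any(s) else None   # ran out of iterations


def estimate_dfr(trials, seed=0, r=R, d=D, t=T):
    """Monte Carlo estimate of the decryption failure rate over fresh keys and errors.
    A miscorrection (zero syndrome but wrong error) counts as a failure too."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        h = keygen(rng, r, d)
        e = random_error(rng, r, t)
        if bit_flip_decode(h, syndrome(h, e, r), r) != e:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    rng = random.Random(2023)
    h = keygen(rng)
    e = random_error(rng)
    print("decoded correctly:", bit_flip_decode(h, syndrome(h, e)) == e)
    print("estimated DFR over 200 trials:", estimate_dfr(200, seed=2023))
```

The simulation illustrates the measurement problem the abstract describes: with `trials` samples the estimate cannot resolve a failure rate below roughly `1/trials`, so a rate near the \(2^{-116.61}\) bound quoted above is far out of reach of direct sampling, which is why the paper argues from a structural property of the key instead.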


Notes

  1. For \(\epsilon = 0\) there is nothing to do in this step.

  2. An equivalent way is to not perform rejection sampling but to count each decryption failure in the overlapping area as 0.5.

  3. To be more specific, the complexity of the key recovery step is the product of \(p_{\texttt {true}}^{-1}\) and \(r \cdot T_{\texttt {ISD}}\). For m around 4000, \(p_{\texttt {true}}\) increases faster than \(T_{\texttt {ISD}}\), leading to a drop in the complexity of the key recovery step. But as m becomes very large, the complexity of the key recovery step eventually approaches \(2^{128}\).


Acknowledgments

We thank the anonymous reviewers from CRYPTO 2023 for the valuable comments. This work is supported by the National Key R&D Program of China (2020YFA0309705, 2018YFA0704701), Shandong Key Research and Development Program (2020ZLYS09), the Major Scientific and Technological Innovation Project of Shandong, China (2019JZZY010133), the Major Program of Guangdong Basic and Applied Research (2019B030302008), and Tsinghua University Dushi Program.

Author information

Corresponding author: Anyu Wang.


Copyright information

© 2023 International Association for Cryptologic Research


Cite this paper

Wang, T., Wang, A., Wang, X. (2023). Exploring Decryption Failures of BIKE: New Class of Weak Keys and Key Recovery Attacks. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14083. Springer, Cham. https://doi.org/10.1007/978-3-031-38548-3_3


  • DOI: https://doi.org/10.1007/978-3-031-38548-3_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38547-6

  • Online ISBN: 978-3-031-38548-3

