ABSTRACT
Bit Flipping Key Encapsulation (BIKE), a shortlisted scheme that proceeded to the fourth round of NIST's standardization project for post-quantum cryptosystems, is conducive to implementation on embedded devices due to its small key size. However, prior research has indicated the possibility of reaction attacks on this scheme, with the potential of compromising private keys through decoder failures. To ensure protection against such reaction attacks, the Decoder Failure Rate (DFR) needs to be sufficiently low. Since these attacks belong to the category of chosen-ciphertext attacks (CCA), a low DFR is essential for ensuring IND-CCA security. The Black Gray Flip (BGF) decoder adopted in BIKE offers sufficient security. However, the size of the keys needed for the required security level may still be too large for resource-constrained devices. Therefore, in this work, we formulate and analyze potential variants of the BGF decoder and compare their performance with the original BGF decoder. To accomplish this, we generate a large set of ciphertexts and use them to compute the DFR of the various BGF decoder variants. Our analysis confirms that the BGF decoder with the parameters adopted in the original BIKE submission to NIST performs optimally with larger block sizes, which are essential for ensuring higher security levels.
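As an added illustration of the DFR measurement the abstract describes (constructed example code, not the paper's experiments and not BIKE's BGF implementation): a toy QC-MDPC code H = [H0 | H1] built from two sparse circulant blocks, a plain Gallager-style bit-flipping decoder, and a Monte-Carlo loop that samples random weight-t error vectors (the quantity a decapsulation must recover from a ciphertext), decodes their syndromes and counts the cases where the decoder does not return the exact error. The parameters R, D, T, the threshold values and the seeds are assumptions chosen so the script runs in well under a second; they bear no relation to BIKE's real parameter sets, and the decoder omits the black/gray bit sets and syndrome-weight-dependent threshold that distinguish BGF.

```python
"""Toy QC-MDPC bit-flipping decoder with Monte-Carlo decoder-failure-rate (DFR) estimation.

Constructed example: tiny parameters (r = 257, row weight w = 2*D = 22, error weight t = 12)
and a plain Gallager-style bit flipper, not BIKE's Black-Gray-Flip decoder. DFR values are
illustrative of the measurement method only, not of any real scheme.
"""
import random

R, D, T = 257, 11, 12        # block size r, column weight per block, error weight t (assumed)
N = 2 * R                    # code length n = 2r


def random_sparse_row(r, d, rng):
    """First row of a circulant block: a length-r 0/1 list with exactly d ones."""
    row = [0] * r
    for p in rng.sample(range(r), d):
        row[p] = 1
    return row


def parity_check_columns(h0, h1):
    """Column supports of H = [H0 | H1], where Hb is the circulant whose first row is hb.

    Row i of a circulant is its first row h rotated right by i, so H[i][c] = h[(c - i) mod r];
    hence column c has ones exactly at rows (c - p) mod r for p in supp(h).
    Returns n lists of row indices, one per column of H.
    """
    r = len(h0)
    cols = []
    for h in (h0, h1):
        supp = [p for p, bit in enumerate(h) if bit]
        for c in range(r):
            cols.append(sorted((c - p) % r for p in supp))
    return cols


def keygen(seed):
    """Private key (h0, h1) plus the column supports of H, from a seeded RNG (constructed)."""
    rng = random.Random(seed)
    h0 = random_sparse_row(R, D, rng)
    h1 = random_sparse_row(R, D, rng)
    return h0, h1, parity_check_columns(h0, h1)


def syndrome(h_cols, r, e):
    """s = H * e^T over GF(2), returned as a 0/1 list of length r."""
    s = [0] * r
    for j, bit in enumerate(e):
        if bit:
            for i in h_cols[j]:
                s[i] ^= 1
    return s


def bit_flip_decode(h_cols, r, s, threshold, max_iter=20):
    """Plain bit flipping: each iteration flips every bit whose unsatisfied-parity-check (UPC)
    counter reaches `threshold`. Returns the recovered error vector, or None on decoding failure."""
    n = len(h_cols)
    e = [0] * n
    s = list(s)                                   # work on a copy of the syndrome
    for _ in range(max_iter):
        if not any(s):
            return e                              # syndrome cleared: success
        upc = [sum(s[i] for i in col) for col in h_cols]
        flips = [j for j, c in enumerate(upc) if c >= threshold]
        if not flips:
            break                                 # stalled: no counter reaches the threshold
        for j in flips:
            e[j] ^= 1
            for i in h_cols[j]:                   # flipping bit j toggles its parity checks
                s[i] ^= 1
    return e if not any(s) else None


def random_error(n, t, rng):
    """Uniformly random error vector of weight t (the value a ciphertext encodes)."""
    e = [0] * n
    for p in rng.sample(range(n), t):
        e[p] = 1
    return e


def estimate_dfr(threshold, trials, seed=1):
    """Monte-Carlo DFR: fraction of random weight-t errors the decoder fails to recover exactly.

    A decoder output that clears the syndrome but differs from the true error is counted as a
    failure too, since it is a wrong decapsulation result just as a stalled decoder is.
    """
    _, _, h_cols = keygen(seed)
    rng = random.Random(seed + 1)                 # separate stream for the error samples
    failures = 0
    for _ in range(trials):
        e = random_error(N, T, rng)
        got = bit_flip_decode(h_cols, R, syndrome(h_cols, R, e), threshold)
        if got != e:
            failures += 1
    return failures / trials


if __name__ == "__main__":
    # Too low a threshold flips correct bits; too high a threshold (> D) can never flip anything.
    for thr in (6, 7, 8, 9, D + 1):
        print(f"threshold={thr:2d}: estimated DFR = {estimate_dfr(thr, 500):.3f}")
```

The sweep over thresholds shows the trade-off the paper's decoder variants explore: a threshold above the column weight D never flips a bit, so every nonzero error is a failure (DFR exactly 1), while a threshold that is too low flips correct bits and also raises the failure count. Real DFR studies need far more trials than this toy loop, since the rates of interest are far below anything a few hundred samples can resolve.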