Journal: International Journal of Computer Mathematics: Computer Systems Theory

On the applicability of the Fujisaki-Okamoto transformation to the BIKE KEM


Abstract

The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki-Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of $2^{-128}$ (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of $2^{-128}$ does not necessarily imply that the underlying PKE is δ-correct with $\delta = 2^{-128}$, as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.
