关于Fujisaki-Okamoto变换在BIKE KEM中的适用性

IF 0.9 Q3 COMPUTER SCIENCE, THEORY & METHODS

International Journal of Computer Mathematics: Computer Systems Theory Pub Date : 2021-05-30 DOI:10.1080/23799927.2021.1930176

Nir Drucker, S. Gueron, Dusan Kostic, Edoardo Persichetti

{"title":"关于Fujisaki-Okamoto变换在BIKE KEM中的适用性","authors":"Nir Drucker, S. Gueron, Dusan Kostic, Edoardo Persichetti","doi":"10.1080/23799927.2021.1930176","DOIUrl":null,"url":null,"abstract":"The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki–Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of does not necessarily imply that the underlying PKE is δ-correct with , as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.","PeriodicalId":37216,"journal":{"name":"International Journal of Computer Mathematics: Computer Systems Theory","volume":null,"pages":null},"PeriodicalIF":0.9000,"publicationDate":"2021-05-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"On the applicability of the Fujisaki–Okamoto transformation to the BIKE KEM\",\"authors\":\"Nir Drucker, S. Gueron, Dusan Kostic, Edoardo Persichetti\",\"doi\":\"10.1080/23799927.2021.1930176\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki–Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of does not necessarily imply that the underlying PKE is δ-correct with , as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.\",\"PeriodicalId\":37216,\"journal\":{\"name\":\"International Journal of Computer Mathematics: Computer Systems Theory\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.9000,\"publicationDate\":\"2021-05-30\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"International Journal of Computer Mathematics: Computer Systems Theory\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1080/23799927.2021.1930176\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, THEORY & METHODS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Computer Mathematics: Computer Systems Theory","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1080/23799927.2021.1930176","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}

引用次数: 8

摘要

基于QC-MDPC代码的KEM BIKE是NIST PQC标准化项目的第三轮候选项目之一。它的第二轮规范文档描述了声称具有IND-CCA安全性的变体。安全性证明使用了Fujisaki-Okamoto变换和一个解码失败率(DFR)为(对于1级安全性)的解码器。然而，为了使IND-CCA证明成立，需要修改几个方面。主要问题是，使用DFR为的解码器并不一定意味着底层PKE是δ-正确的，如需要。在本文中，我们处理了必要的方面，以确保安全索赔是正确的。特别是，我们通过定义消息不可知PKE的概念来缩小证明中的差距。我们展示了基于BIKE版本的pke是消息不可知的。这意味着具有足够低DFR的解码器的BIKE也是一个IND-CCA KEM。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

On the applicability of the Fujisaki–Okamoto transformation to the BIKE KEM

The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki–Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of does not necessarily imply that the underlying PKE is δ-correct with , as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

International Journal of Computer Mathematics: Computer Systems Theory Computer Science-Computational Theory and Mathematics

CiteScore

1.80

自引率

0.00%

发文量