Dear BIKE team,
I have a few questions regarding the security proof given in http://bikesuite.org/files/BIKE.pdf .
Theorems 2 and 3 seem to claim that the security assumptions for BIKE-1 are unlike those of BIKE-2, but rather similar to the security assumptions for BIKE-3. Is this right? If so, that seems surprising, since a BIKE-2 key exchange can be turned by an adversary into a fairly generic BIKE-1 key exchange, with the same shared secret, simply by
Likewise, as long as f1 is invertible, a BIKE-1 key exchange can be turned by an adversary into a generic BIKE-2 key exchange by
Additionally, I am having trouble following the proof. On page 33 of the linked PDF, it is claimed that the public key of BIKE-1 is an instance of the (2-1) QCSD problem, defined on page 29, but I cannot see the connection. (I can, however, see how to turn it into a QCCF problem, assuming f1 is invertible, I think.) Am I missing something?
Thanks,
Ray Perlner
Dear Ray, dear all,
Thank you for your comments on BIKE. Indeed the proof had a few typos in sorting out the underlying security problems for BIKE variants.
We have updated the proof to a more formal and detailed format, and it is now available on our website http://bikesuite.org/. For backtracking the changes, we are still keeping the old version of the document on our website.
We stress that these changes do not impact the practical security of the scheme, the parameters, nor the algorithms/spec of our schemes.
Please let us know if you have additional comments/questions.
Best regards,
BIKE Team