OFFICIAL COMMENT: BIKE


Perlner, Ray (Fed)

Feb 15, 2018, 5:20:05 PM
to pqc-comments, pqc-...@list.nist.gov

Dear BIKE team.

 

I have a few questions regarding the security proof given in http://bikesuite.org/files/BIKE.pdf .

 

Theorems 2 and 3 seem to claim that the security assumptions for BIKE-1 are unlike those of BIKE-2, but rather similar to the security assumptions for BIKE-3. Is this right? If so, that seems surprising, since a BIKE-2 key exchange can be turned by an adversary into a fairly generic BIKE-1 key exchange, with the same shared secret, simply by

 

  1. Switching f0, f1 and multiplying them by a random polynomial (gh0), resulting in f0’ and f1’ and,
  2. Replacing the ciphertext c with (c0, c1) = (mf0’ + c, mf1’).

 

Likewise, as long as f1 is invertible, a BIKE-1 key exchange can be turned by an adversary into a generic BIKE-2 key exchange by

  1. Replacing f0 and f1 by f1’ = f1^-1 f0 and,
  2. Replacing (c0, c1) by c = c1 f1’ + c0.

 

Additionally, I am having trouble following the proof. On page 33 of the linked pdf, it is claimed that the public key of BIKE-1 is an instance of the (2-1) QCSD problem, defined on page 29, but I cannot see the connection. (I can, however, see how to turn it into a QCCF problem, assuming f1 is invertible, I think.) Am I missing something?

 

 

Thanks,

Ray Perlner
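
The two conversions described in the message above, checked on toy parameters as an added example (not part of the original thread and not the BIKE team's code). It assumes the round-1 BIKE key and ciphertext formulas listed in its first comment; `R`, the function names and every sample polynomial are constructed for illustration, and `u` stands in for the random multiplier the message writes as gh0.

```python
# ASSUMPTION (BIKE round-1 formulas, not stated on this page):
#   BIKE-1: pk (f0, f1) = (g*h1, g*h0); ct (c0, c1) = (m*f0 + e0, m*f1 + e1)
#   BIKE-2: pk h = h1 * h0^-1;          ct c = e0 + e1*h
# Polynomials over GF(2) modulo x^R + 1 are Python ints (bit i = coefficient of x^i).
R = 13  # constructed toy size; odd-weight polynomials other than all-ones are units

def mul(a, b):
    """Product in GF(2)[x]/(x^R + 1): carry-less multiply, then fold x^R -> 1."""
    p = 0
    for i in range(R):
        if (b >> i) & 1:
            p ^= a << i
    return (p & ((1 << R) - 1)) ^ (p >> R)

def inv(a):
    """Inverse modulo x^R + 1 by extended Euclid; ValueError if a is not a unit."""
    r0, r1, t0, t1 = (1 << R) | 1, a, 0, 1
    while r1:
        shift = r0.bit_length() - r1.bit_length()
        if shift < 0:
            r0, r1, t0, t1 = r1, r0, t1, t0
        else:
            r0, t0 = r0 ^ (r1 << shift), t0 ^ (t1 << shift)
    if r0 != 1:
        raise ValueError("not invertible modulo x^R + 1")
    return t0

def bike1_to_bike2(f0, f1, c0, c1):
    """BIKE-1 -> BIKE-2 recipe: f1' = f1^-1 f0, then c = c1 f1' + c0."""
    f1p = mul(inv(f1), f0)
    return f1p, mul(c1, f1p) ^ c0

def bike2_to_bike1(h, c, u, m):
    """BIKE-2 -> BIKE-1 recipe: swap (1, h), scale by u, then mask c with m."""
    f0p, f1p = mul(u, h), u
    return (f0p, f1p), (mul(m, f0p) ^ c, mul(m, f1p))

# Constructed toy secrets, randomness and errors (odd weight where a unit is needed).
H0, H1, G = 0b10011, 0b10000101, 0b1011001101001
M, E0, E1 = 0b110100101, 0b100, 0b100000100000
F0, F1 = mul(G, H1), mul(G, H0)              # BIKE-1 public key
C0, C1 = mul(M, F0) ^ E0, mul(M, F1) ^ E1    # BIKE-1 ciphertext
H, C = bike1_to_bike2(F0, F1, C0, C1)
assert H == mul(H1, inv(H0)) and C == E0 ^ mul(E1, H)   # a BIKE-2 key/ciphertext pair
assert mul(C, H0) == mul(C0, H0) ^ mul(C1, H1)          # same syndrome, same (e0, e1)
(F0P, F1P), (D0, D1) = bike2_to_bike1(H, C, u=0b1110000, m=0b10110)
assert mul(F0P, H0) == mul(F1P, H1)                     # relation f0*h0 = f1*h1 holds
assert mul(D0, H0) ^ mul(D1, H1) == mul(C, H0)          # syndrome unchanged again
```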

BIKE Team

Mar 12, 2018, 1:22:27 PM
to pqc-forum, pqc-co...@nist.gov, ray.p...@nist.gov, te...@bikesuite.org

Dear Ray, dear all,

 

Thank you for your comments on BIKE. Indeed the proof had a few typos in sorting out the underlying security problems for BIKE variants.

 

We have updated the proof to a more formal and detailed format, and it is now available on our website http://bikesuite.org/. For backtracking the changes, we are still keeping the old version of the document on our website.

 

We stress that these changes do not impact the practical security of the scheme, the parameters, nor the algorithms/spec of our schemes.

 

Please let us know if you have additional comments/questions.

 

Best regards,

BIKE Team
