Drucker, NirGueron, ShayKostic, DusanPersichetti, Edoardo2022-12-052022-12-052022-12-052021-10-0210.1080/23799927.2021.1930176https://infoscience.epfl.ch/handle/20.500.14299/193009WOS:000879885500007The QC-MDPC code-based KEM BIKE is one of the Round-3 candidates of the NIST PQC standardization project. Its Round-2 specification document described variants claiming to have IND-CCA security. The security proof used the Fujisaki-Okamoto transformation and a decoder targeting a Decoding Failure Rate (DFR) of 2(-128) (for Level-1 security). However, several aspects needed to be amended in order for the IND-CCA proof to hold. The main issue is that using a decoder with DFR of 2(-128) does not necessarily imply that the underlying PKE is delta-correct with delta = 2(-128), as required. In this paper, we handle the necessary aspects to ensure the security claim is correct. In particular, we close the gap in the proof by defining the notion of message-agnostic PKE. We show that the PKEs underlying the BIKE versions are message-agnostic. This implies that BIKE with a decoder that has a sufficiently low DFR is also an IND-CCA KEM.Computer Science, Theory & MethodsMathematicsComputer Sciencebikepost-quantum cryptographynistqc-mdpc codesfujisaki-okamototext::journal::journal article::research article