Bit Flipping Key Encapsulation for the Post-Quantum Era

It is only a matter of time before quantum computers break the cryptosystems, such as RSA and ECC, that underpin today's internet protocols. As Post-Quantum Cryptography (PQC) is a low-cost approach compared to alternatives such as quantum key distribution, the National Institute of Standards and Technology (NIST) has recently reviewed and analyzed numerous approaches to PQC. As a PQC candidate, Bit Flipping Key Encapsulation (BIKE) is expected to be standardized by NIST as a general-purpose Key Encapsulation Mechanism (KEM). However, the literature lacks a comprehensive review of BIKE accompanied by technical analysis. This paper aims to present an in-depth review and analysis of the BIKE scheme with respect to relevant attacks. We provide a comprehensive review of the original McEliece (ME) scheme and present a detailed discussion of its practical challenges. Furthermore, we provide an in-depth study of the challenges of the ME and BIKE cryptosystems in achieving Indistinguishability under Chosen-Ciphertext Attack (IND-CCA) security. We analyze these cryptosystems and their security against several attacks before pointing out the research gaps for strengthening BIKE.


I. INTRODUCTION
Public-key cryptography plays an essential role in the security and integrity of digital services and technologies like communication protocols, cryptocurrencies, cyber security applications, and many more. Generally, the security of the currently used public-key cryptosystems and KEM schemes relies upon the complexity and difficulty of computational problems such as the integer factorization problem (used in the RSA cryptosystem [1]) and the discrete logarithm problem (used in the DSA [2], ECDSA [3], El Gamal [4], Diffie-Hellman (DH) key exchange [5], and ECDH [6] algorithms). In classical computation models, both integer factorization and discrete logarithm problems are considered computationally hard. However, recent studies suggest that these ''computationally hard'' challenges will become solvable in polynomial time using quantum computation models [7], [8], [9] with the so-called Cryptographically Relevant Quantum Computers (CRQC) [10]. Such CRQCs will enable the implementation of Shor's quantum algorithm, which solves the integer factorization and discrete logarithm problems in polynomial time [11]. CRQCs will also reduce the security level of symmetric-key encryption schemes and cryptographic hash functions through Grover's algorithm [12]. This poses a severe threat to the security of the internet and other critical ICT systems and demands immediate and incremental research efforts to secure current and future data.
(The associate editor coordinating the review of this manuscript and approving it for publication was Derek Abbott.)
Despite the potential for CRQCs to break current public-key cryptosystems (asymmetric encryption algorithms), symmetric encryption and cryptographic hash functions may remain relatively secure in the post-quantum era [13], [14]. This is because current research suggests that quantum algorithms are unlikely to efficiently solve NP-hard problems [9], which are the basis of symmetric encryption schemes and hash functions (see Section II for details about NP-hard problems). At most, symmetric algorithms and hash functions will only need to increase their key size and hash length to maintain the current level of security. For example, in the post-quantum era, a 128-bit level of security can be achieved using AES-256 with its 256-bit key. Similarly, a quantum birthday attack presented in [15] uses Grover's algorithm [12] to find collisions for hash functions; 171-bit security is achievable through the SHA-2 and SHA-3 hash algorithms with 512-bit output [16]. The anticipated impact of envisaged quantum computers on various cryptographic algorithms is summarized in Table 1.
The security of public-key cryptosystems remains a priority in the post-quantum era. NIST [17] is undertaking a standardization project to identify suitable public-key and KEM schemes for the post-quantum era [18]. In July 2022, NIST completed the third round of the standardization project, and four KEM candidate schemes were selected for the fourth round [19], three of which are code-based algorithms, i.e., the BIKE [20], Classic McEliece (CME) [21], and Hamming Quasi-Cyclic (HQC) [22] schemes. Having proven to be quantum-resistant, code-based cryptosystems use the theory of error correcting codes (more precisely, they are based upon structured codes with some intentionally inserted errors such that only the legitimate receiver with the right knowledge can recover the plaintext). Their security inherently relies on the fact that decoding a codeword without knowledge of the encoding scheme is an NP-complete problem [23], [24]. The security of code-based cryptosystems does not rely on the complexity of any mathematical problem that quantum computers solve efficiently.
However, code-based cryptosystems suffer from many practical issues. For example, the original McEliece (ME) cryptosystem [25] has large public and private key sizes, e.g., 500 KB or more (depending on the required level of security), which is a few hundred times more than the current public-key cryptosystems with a key size of 1 KB to 2 KB. Newer variants of the McEliece cryptosystem reduce the key sizes by complicating the code structure. Unfortunately, the applied modifications incurred security compromises, resulting in successful attacks [26], [27]. The BIKE scheme has been developed to mitigate the key size issue while preserving the security guarantees. Therefore, BIKE is expected to be selected as a standard general-purpose KEM at the end of Round 4 of NIST's PQC standardization process [19].
Although recent studies in [28] and [29] analyze code-based cryptosystems, the literature lacks a comprehensive study with detailed attack descriptions for the latest version of BIKE. We aim to provide insights into BIKE's IND-CCA security and related issues. We adopt a review-cum-tutorial approach to contribute to a deep understanding of the working principles of code-based cryptosystems and present an overview of the known attacks and how they can potentially impact IND-CCA security. In addition, the provided details are important for system architects, security solution designers, and developers adopting the BIKE cryptosystem in real-world applications. Considering the adoption of standardized technology early is crucial, as it may take years to successfully integrate a standardized algorithm into various applications. Moreover, our analysis can be used as a reference for comparison with other types of post-quantum public-key cryptosystems.
Our main contributions are summarized as follows:
• We present an in-depth review of the state-of-the-art BIKE scheme along with the necessary preliminaries.
• We comprehensively analyze ME and BIKE and describe the reasoning behind the successes and failures of various attacks. We also describe the working principles of the Bit Flipping decoder and its state-of-the-art instantiation adopted in BIKE.
• We analyze the IND-CCA security of the ME and BIKE cryptosystems, provide an in-depth discussion of the impact of the Decoding Failure Rate (DFR) on IND-CCA security, and point out future research directions.

In the remainder of the paper, Section II provides preliminaries on computationally hard problems and code-based cryptography. Section III presents a brief overview of the original ME cryptosystem. Section IV details the QC-MDPC-based variant, decoding principles, BIKE, and relevant attacks. Finally, Section V concludes the paper and identifies future research directions.

II. PRELIMINARIES
This section presents the foundation for the next sections of the paper. We first briefly review the categories of computationally-hard problems. Then, we review the syndrome decoding problem, a fundamental element in the security of code-based cryptosystems. We refer the readers to [30] and [31] for detailed information about the theory of error correcting codes.
Throughout this paper, we use bold upper-case letters to denote matrices (e.g., H). For vectors (matrices with a single row or column), we use bold lower-case letters (e.g., e).

A. COMPLEXITY OF PROBLEMS
Computational problems are classified based on their inherent complexity. In the following paragraphs, we review various categories in the literature [32], [33].

1) P PROBLEMS
The set of computational problems solvable by algorithms that terminate in a number of steps bounded by a polynomial in the length of the input, e.g., the shortest path problem [34], Rubik's puzzles [35], and many alike.

2) NP PROBLEMS (NON-DETERMINISTIC IN POLYNOMIAL TIME)
The set of problems whose solutions are verifiable in polynomial time (if we are given a correct answer). The NP category covers a range of problems that differ in their inherent hardness level. At the easiest end, it includes the P category: by definition, any P problem is in NP, since its answer can be verified in polynomial time. On the other hand, the NP class also covers algorithmic problems with a high hardness level (with no known deterministic solution that terminates in polynomial time). The computational problems used in currently deployed cryptosystems are predominantly NP problems with various hardness levels [36], [37]. In addition to the hardness property, they need to be verifiable by legitimate parties in polynomial time. For example, there is no known classical algorithm that solves the factorization problem (used in the RSA cryptosystem) in polynomial time (i.e., the hardness feature). However, the party with the private key (a solution to the problem) can efficiently decrypt the ciphertext (i.e., the verification property).
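As a toy illustration of this hardness/verification asymmetry (with hypothetical helper names and a deliberately small modulus), verifying a factorization takes one multiplication, whereas finding it by trial division scales exponentially in the bit-length of n:

```python
def verify_factorization(n, p, q):
    # Verification: a single multiplication and two range checks,
    # i.e., polynomial time in the bit-length of n.
    return p * q == n and 1 < p < n and 1 < q < n

def solve_factorization(n):
    # Solving: exhaustive trial division. No classical polynomial-time
    # algorithm is known for factoring large n.
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    return None  # n is prime

n = 3233  # toy RSA-style modulus: 53 * 61
p, q = solve_factorization(n)
print(p, q, verify_factorization(n, p, q))
```

The legitimate party (who knows the factors) only ever performs the cheap verification step; an attacker is forced into the search.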

3) NP-HARD PROBLEMS
The set of problems that are at least as hard as the most difficult problem(s) in the NP category. In general, verifying a given answer to an NP-hard problem in polynomial time is not guaranteed; the problems for which such verification is possible form the overlap between the NP and NP-hard classes, thereby defining another class called NP-complete.

4) NP-COMPLETE PROBLEMS
The set of problems that are both NP and NP-hard. They have two fundamental features: (i) a high level of hardness to solve in polynomial time (as an NP-hard problem), and (ii) verifiability in polynomial time (as an NP problem).
FIGURE 1. NP-Complete problems are outside the BQP class, meaning that quantum computers cannot solve them in polynomial time. However, the security of popular cryptosystems (RSA and DSA) relies on the integer factorization and discrete logarithm problems and will very likely be compromised in the post-quantum era.

5) BOUNDED ERROR QUANTUM POLYNOMIAL-TIME (BQP) PROBLEMS
The problems that can be solved by quantum computers in polynomial time. These include all the P problems and many NP problems (see Fig. 1), e.g., integer factorization (used in RSA cryptosystem) and discrete logarithm problem (used in DSA). Previous research indicates that most NP and all the NP-complete problems are outside the BQP zone [38] (see Fig. 1). Hence, a quantum computer needs more than a polynomial number of steps to solve an NP-complete problem.
NP-complete problems are ideal algorithmic problems for cryptography, particularly in the post-quantum era, because they offer the highest possible level of inherent difficulty for which a given solution remains verifiable in polynomial time. In other words, beyond that level of hardness, the verification of a solution can no longer be performed in polynomial time, which is not a desirable feature in cryptography. Moreover, NP-complete problems cannot be solved by quantum computers in polynomial time.
Since the security of code-based cryptosystems is based on the syndrome decoding (SD) problem (which is proven to be NP-complete [38], [39]), they are suitable alternatives to conventional public-key cryptosystems. The next subsection briefly reviews the SD problem and discusses its NP-completeness.

B. SYNDROME DECODING (SD) PROBLEM
Before we review the SD problem, we briefly present some definitions of error-correcting codes.
Definition 1 (Block Code [30], [31]): The error correcting code C is a block code if the information bit streams are treated as separate fixed-length message segments (blocks).
VOLUME 11, 2023 56183 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.
In block codes, the information bit streams (i.e., input messages denoted by u = (u_1, u_2, . . . , u_k)) consist of k information digits defined over GF(q). The Galois field GF(q) is a field with a finite number q of distinct elements (e.g., GF(5) = {0, 1, 2, 3, 4}). A block code may comprise q^k possible distinct message blocks. The error correcting code C transforms each input message block u into a distinct n-bit (n > k) sequence denoted by z. Each sequence z is called a codeword. As a result, q^k distinct legitimate codewords correspond to the q^k possible message blocks. The set of q^k codewords is referred to as a C(n, k) block code [40]. Unlike source coding mechanisms like MP4 (used for compressing data), in error correcting codes, n − k redundant digits are purposefully added to the information block to attain error correction. Due to the added digits, an error correcting code incurs a corresponding communication overhead.
Definition 2 (Rate of a Block Code [30], [31]): The rate (efficiency) of the block code C(n, k) is defined as k/n.
There is a trade-off between the communication overhead imposed by a block error correcting code and its effectiveness in correcting errors.
Definition 3 (Linear Block Code [30], [31]): The error correcting code C(n, k) is a linear code if the modulo-2 sum (i.e., the bitwise XOR operation when q = 2) of any two or more codewords is a valid codeword.
For simplicity, we consider binary block codes, in which the digits of u and z are defined over GF(2).
Definition 4 (Hamming Weight and Hamming Distance [40]): The number of non-zero bits in a codeword is called its Hamming weight. The Hamming distance d(x, y) between two codewords x and y is the number of bit positions in which x and y differ.
Therefore, d(x, 0) is the Hamming weight of x, where 0 is the all-zero vector of n bits. The minimum distance d_min of a linear code C is the minimum Hamming distance between any two distinct codewords.
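These two definitions can be sketched in a few lines (binary vectors represented as Python lists):

```python
def hamming_weight(x):
    # Number of non-zero bits in the codeword x.
    return sum(1 for bit in x if bit != 0)

def hamming_distance(x, y):
    # Number of bit positions in which x and y differ.
    return sum(1 for a, b in zip(x, y) if a != b)

x = [1, 0, 1, 1, 0, 0, 1]
y = [1, 1, 0, 1, 0, 0, 1]
zero = [0] * len(x)

print(hamming_weight(x))                              # weight of x
print(hamming_distance(x, y))                         # positions where x, y differ
print(hamming_distance(x, zero) == hamming_weight(x)) # d(x, 0) = weight of x
```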
Definition 5 (Generator Matrix [30], [31]): A generator matrix G of a linear code C(n, k) is a k × n matrix that defines the one-to-one mapping between the k-bit message block u and the corresponding n-bit codeword z, such that z_{1×n} = u_{1×k} · G_{k×n}.
The encoder uses G to generate the distinct codeword associated with each message block u.
Definition 6 (Systematic Code [41]): A linear code C(n, k) is systematic if its generator matrix can be written in the form G = [I_k | A_{k×(n−k)}], where I_k is the k × k identity matrix and A is the k × (n − k) coefficient matrix.
When G is specified in systematic form, each n-bit codeword z generated by G can be split into two parts: the first k bits are equal to the corresponding message block u, and the second part consists of the (n − k) redundant parity-check bits.
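As an illustrative sketch (assuming the classic Hamming(7,4) code, which is not a parameter choice from this paper), encoding with a systematic generator matrix G = [I_k | A] reproduces the message in the first k bits:

```python
# Systematic generator matrix G = [I_4 | A] of the Hamming(7,4) code.
A = [[1, 1, 0],
     [1, 0, 1],
     [0, 1, 1],
     [1, 1, 1]]
k = 4
G = [[1 if i == j else 0 for j in range(k)] + A[i] for i in range(k)]

def encode(u, G):
    # z = u . G over GF(2): each codeword bit is a modulo-2 sum.
    n = len(G[0])
    return [sum(u[i] * G[i][j] for i in range(len(u))) % 2 for j in range(n)]

u = [1, 0, 1, 1]
z = encode(u, G)
print(z)          # first 4 bits equal u; last 3 are parity-check bits
```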
Definition 7 (Parity-Check Matrix [30], [31]): The parity-check matrix H of a linear code C(n, k) is an (n−k)×n matrix that is orthogonal to all the codewords of C, i.e., a vector z is a codeword of C if and only if H · z^T = 0.

If G is in systematic form (i.e., G = [I_k | A_{k×(n−k)}]), then H is obtained as H = [A^T | I_{n−k}]. H represents the linear relationships that the bits of a codeword z must satisfy. Thus, the decoder uses H to verify whether a received vector is a valid codeword of C.
After reviewing the basic concepts of error correcting codes (see [30] and [31] for more details), in the following, we discuss the SD problem.
Definition 8 (Syndrome Decoding Problem): Given three integers n, k, and t (where k < n and t ≤ n), a parity-check matrix H ∈ F_2^((n−k)×n), and a vector Y ∈ F_2^(n−k), the syndrome decoding problem searches for a vector e ∈ F_2^n of Hamming weight ≤ t such that H · e^T = Y.
Berlekamp et al. proved that the SD problem is NP-complete if the parity-check matrix H is randomly chosen [39]. The NP-completeness establishes an essential security assumption required for code-based cryptosystems. It justifies why a code-based cryptosystem is a competitive alternative to the current public-key cryptosystems in the post-quantum era. Code-based cryptosystems are built on the assumption that the efficient decoder of the code used in the encryption process is known only to the legitimate decrypting party (i.e., the party with the private key). Thus, any illegitimate decryption effort has to solve the SD problem in which H is a randomly generated parity-check matrix. This makes the recovery of the error vector e (which is necessary for decryption) an NP-complete problem. Since this problem falls outside the BQP category of computational problems, code-based cryptosystems are considered potentially quantum-resistant [38].
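To see the search space involved, the following sketch brute-forces the SD problem on an assumed toy instance (the Hamming(7,4) parity-check matrix): without knowledge of the code's structure, a decoder must test error patterns of weight ≤ t, a set that grows combinatorially with n and t:

```python
from itertools import combinations

# Parity-check matrix H = [A^T | I_3] of the Hamming(7,4) code (toy instance).
H = [[1, 1, 0, 1, 1, 0, 0],
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def syndrome(H, e):
    # Compute H . e^T over GF(2).
    return [sum(row[j] * e[j] for j in range(len(e))) % 2 for row in H]

def syndrome_decode(H, Y, t):
    # Exhaustive search over all error vectors of Hamming weight <= t.
    n = len(H[0])
    for w in range(t + 1):
        for positions in combinations(range(n), w):
            e = [0] * n
            for pos in positions:
                e[pos] = 1
            if syndrome(H, e) == Y:
                return e
    return None

# The syndrome of a weight-1 error at position 2 is column 2 of H.
Y = [0, 1, 1]
e = syndrome_decode(H, Y, t=1)
print(e)
```

For this 7-bit toy code the search is trivial, but for cryptographic parameters the number of candidate patterns, sum of C(n, w) for w ≤ t, is astronomically large.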

III. THE McEliece (ME) CRYPTOSYSTEM
In this section, we review the ME cryptosystem as the basis of the CME scheme, analyze the security of ME, and discuss its practical challenges.

A. DESCRIPTION
The ME cryptosystem is a public-key scheme invented by Robert McEliece in 1978 [25]. ME is based on error correcting codes, and its security relies on the NP-completeness of the SD problem. The main idea behind ME is to choose an error correcting code for which a fast and efficient decoding algorithm is known (McEliece suggested Goppa codes [42]). To encrypt a message, a disguised version of the generator matrix (of the selected code) is used as the public key to encode the input plaintext message. This setup forces any entity without knowledge of the associated private key to use the syndrome decoding approach to decrypt the ciphertext, which is an NP-complete task according to the SD problem. However, the owner of the private key eliminates the disguise and decrypts the result using the known fast decoder. As illustrated in Fig. 2, encryption of a message with Bob's public key transforms the message into a codeword (i.e., the ciphertext), which is decrypted upon reception by Bob using his private key.
Next, we briefly describe the KeyGen algorithm and elaborate on the steps involved in Encrypt and Decrypt algorithms.
1) KEY GENERATION (pk, sk) = KeyGen(m, t)
The KeyGen algorithm takes the integers m and t as input and returns the public-private key pair (pk, sk) by performing the following steps.
• To generate a key pair, Bob first generates a Goppa code G(n, k) that can correct t errors. This is accomplished by choosing a random Goppa polynomial g(x) of degree t over the Galois field GF(2^m). This Goppa polynomial is defined as:
g(x) = g_0 + g_1 x + g_2 x^2 + · · · + g_t x^t,
where n = 2^m and k = n − tm (according to the characteristics of Goppa codes). It should be noted that g(x) is created through the random selection of the coefficients g_i over GF(2^m), i.e., each g_i (i = 0, 1, . . . , t) is a random binary number of m bits (see [42] for more details about Goppa codes).
• Based on the created Goppa code, Bob obtains its k × n generator matrix G.
• Since G is used for transforming a plaintext message into a codeword (see Section II for details), Bob now scrambles this matrix by multiplying it with a k × k non-singular matrix S and an n × n permutation matrix P (i.e., to disguise G). The resultant matrix G_pub = S · G · P is published by Bob as the public key along with t, i.e., pk = (G_pub, t).
• Bob's private key is composed of G, S, and P, i.e., sk = (G, S, P).
2) ENCRYPTION c = Encrypt(u, pk)
To encrypt a k-bit plaintext message u with Bob's public key pk, Alice performs the following three steps (see Fig. 2).
• Alice first multiplies u with G_pub to get the n-bit vector z = u · G_pub.
• Then, she uses t (the other component of the public key) and generates a random binary vector e of length n with Hamming weight t (see Section II for Hamming weight).
• Finally, she adds z and e to get the ciphertext c = z ⊕ e before sending it to Bob (note that addition modulo 2 is equivalent to an XOR operation).

3) DECRYPTION u = Decrypt(c, sk)
To decrypt the ciphertext c, Bob uses his private key sk and performs the following steps.
• Bob first multiplies the ciphertext c with P^−1 (i.e., a component of the private key). This results in c′ = u · S · G · P · P^−1 ⊕ e · P^−1, a codeword corrupted by the errors e′ = e · P^−1. To eliminate the errors from this codeword, Bob uses the efficient Goppa decoder. The Hamming weight of e′ equals that of e (i.e., t), because multiplying e with P^−1 does not change its weight (it only scrambles its entries); thus, both have the same effect on the decoder's functionality.
• Once the errors are removed, the codeword (u · S) · G can be transformed back into its corresponding message block (i.e., u · S). The generator matrix G is known only to Bob, since it is part of his private key.
• Finally, to recover the original message u, Bob simply multiplies u · S with S^−1, i.e., u · S · S^−1 = u. S is known only to Bob, since it is part of his private key. Fig. 2 shows the block diagram of the ME cryptosystem.
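To make the three decryption steps concrete, the following toy end-to-end sketch follows the ME structure but substitutes the single-error-correcting Hamming(7,4) code for the Goppa code; the matrices, random seed, and syndrome-lookup decoder are illustrative assumptions only, far below real McEliece parameters:

```python
import numpy as np

rng = np.random.default_rng(1)

# Systematic Hamming(7,4) code: G = [I_4 | A], H = [A^T | I_3], corrects t = 1 error.
A = np.array([[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]])
G = np.hstack([np.eye(4, dtype=int), A])
H = np.hstack([A.T, np.eye(3, dtype=int)])

def gf2_inv(M):
    # Gauss-Jordan inversion over GF(2); raises StopIteration if M is singular.
    n = len(M)
    Aug = np.hstack([M % 2, np.eye(n, dtype=int)])
    for col in range(n):
        piv = next(r for r in range(col, n) if Aug[r, col])
        Aug[[col, piv]] = Aug[[piv, col]]
        for r in range(n):
            if r != col and Aug[r, col]:
                Aug[r] = (Aug[r] + Aug[col]) % 2
    return Aug[:, n:]

# KeyGen: random invertible scrambler S, permutation P; G_pub = S.G.P.
while True:
    S = rng.integers(0, 2, (4, 4))
    try:
        S_inv = gf2_inv(S)
        break
    except StopIteration:       # S was singular; retry
        pass
P = np.eye(7, dtype=int)[rng.permutation(7)]
G_pub = (S @ G @ P) % 2

# Encrypt: c = u.G_pub + e, with weight(e) = t = 1.
u = np.array([1, 0, 1, 1])
e = np.zeros(7, dtype=int)
e[rng.integers(7)] = 1
c = (u @ G_pub + e) % 2

# Decrypt: undo P, correct the single error via the syndrome, undo S.
c1 = (c @ P.T) % 2              # = u.S.G + e', weight(e') = 1
s = (H @ c1) % 2
if s.any():                     # syndrome equals the erroneous column of H
    j = next(j for j in range(7) if (H[:, j] == s).all())
    c1[j] ^= 1
uS = c1[:4]                     # systematic code: first k bits = u.S
u_rec = (uS @ S_inv) % 2
print(u_rec)
```

Note how each private-key component plays exactly the role described above: P.T undoes the permutation, the code's own decoder removes e′, and S_inv recovers u.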

IV. VARIANTS OF McEliece CRYPTOSYSTEMS
The previous discussion shows that the original McEliece scheme is based on Goppa codes. Using Goppa codes for public-key cryptosystems is widely studied and considered safe. However, the key sizes are an important problem with the original McEliece. Variants of the McEliece scheme have been proposed that target a reduction in key sizes [43]. One simple variant, proposed in [44], does not need the permutation or scrambling matrices of the original McEliece scheme. Generally, these variants build upon codes that allow iterative decoding, such as Low-Density Parity-Check (LDPC) codes. However, LDPC codes are proven unsuitable for cryptosystems because the rows of their sparse parity-check matrix correspond to low-weight codewords in the dual code, which an attacker can search for [43]. According to [44], a potential solution to this problem is to increase the weight of the parity checks while keeping it smaller than the dimension of the code, thereby making it cumbersome to find low-weight codewords in the dual code. This family of codes is called Moderate-Density Parity-Check (MDPC) codes, which can be decoded with the same decoders as LDPC codes. For practical reasons, the quasi-cyclic version of MDPC codes (i.e., QC-MDPC) is particularly interesting because the parity-check matrix is described by its first row only, resulting in a significant reduction in key sizes [43]. This section presents the details of QC-MDPC codes and discusses their Bit Flipping (BF) decoder. Then, the QC-MDPC variant of the McEliece scheme is presented, and its security issues are discussed.

A. QC-MDPC CODES
We first present the definition of Quasi-Cyclic (QC) codes, as it is needed to understand QC-MDPC codes.
Definition 9 (Quasi-Cyclic Code): A binary linear code C(N, K) is quasi-cyclic if there exists an integer n_0 < N such that every cyclic shift of a codeword c ∈ C by n_0 bits yields another valid codeword of C.
In a systematic QC code, each codeword consists of p blocks of n_0 bits (i.e., N = n_0 × p, where p is an integer), and every block includes k_0 = K/p information bits and r_0 = (n_0 − k_0) redundancy (parity) bits. In a QC code with r_0 = 1 (or r = p), the generator and parity-check matrices comprise p × p circulant blocks [45]. The parity-check matrix of a QC code can then be written in the following format:

H = [H_0 | H_1 | · · · | H_{n_0−1}],

where each block H_i is a p × p binary circulant matrix of the form

H_i = [ h_0      h_1   · · ·  h_{p−1} ]
      [ h_{p−1}  h_0   · · ·  h_{p−2} ]
      [  ...     ...   · · ·   ...    ]
      [ h_1      h_2   · · ·  h_0     ],

i.e., every row of H_i is a one-bit cyclic shift of the previous row. The corresponding systematic generator matrix is

G = [I_K | Q], where Q is obtained by vertically stacking the blocks (H_{n_0−1}^−1 · H_i)^T for i = 0, 1, . . . , n_0 − 2.   (4)

To prove the above format for G, we use H · G^T = 0 to obtain the following:

[H_0 | H_1 | · · · | H_{n_0−2}] · I_K ⊕ H_{n_0−1} · Q^T = 0.

The aforementioned equation suggests that only the last block of H (i.e., H_{n_0−1}) is multiplied by Q^T (the lower N − K rows of G^T). H_{n_0−1} has p = N − K columns, which is equal to the number of rows in Q^T. Since the above addition is modulo 2, we can transfer the first term to the right side of the equation to obtain:

H_{n_0−1} · Q^T = [H_0 | H_1 | · · · | H_{n_0−2}].

This equation can be re-written as:

Q^T = H_{n_0−1}^−1 · [H_0 | H_1 | · · · | H_{n_0−2}].

Finally, transposing both sides, we obtain Q as the vertical stack of the blocks (H_{n_0−1}^−1 · H_i)^T for i = 0, 1, . . . , n_0 − 2, which is identical to the format of Q in Eq. 4.

Definition 10 (LDPC/MDPC Codes): An (N, r, w)-LDPC or MDPC code is a linear code of length N and dimension K = N − r that is defined by a parity-check matrix with a constant row weight w.
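The circulant construction above can be checked numerically. The following sketch (with an assumed toy size p = 5 and n_0 = 2, the first rows chosen so that the last block is invertible over GF(2)) builds the blocks from their first rows, derives Q, and verifies H · G^T = 0:

```python
import numpy as np

def circulant(first_row):
    # Each row is the previous row cyclically shifted right by one bit.
    p = len(first_row)
    return np.array([np.roll(first_row, i) for i in range(p)])

def gf2_inv(M):
    # Gauss-Jordan inversion over GF(2).
    n = len(M)
    Aug = np.hstack([M % 2, np.eye(n, dtype=int)])
    for col in range(n):
        piv = next(r for r in range(col, n) if Aug[r, col])
        Aug[[col, piv]] = Aug[[piv, col]]
        for r in range(n):
            if r != col and Aug[r, col]:
                Aug[r] = (Aug[r] + Aug[col]) % 2
    return Aug[:, n:]

# Toy QC code with n_0 = 2 blocks of size p = 5 (so K = p = 5, N = 10).
# Each p x p circulant block is fully described by its first row.
H0 = circulant([1, 0, 1, 0, 0])
H1 = circulant([1, 1, 1, 0, 0])   # chosen to be invertible over GF(2)
H = np.hstack([H0, H1])

# Q^T = H1^{-1} . H0, hence Q = (H1^{-1} . H0)^T and G = [I_K | Q].
Q = ((gf2_inv(H1) @ H0) % 2).T
G = np.hstack([np.eye(5, dtype=int), Q])

# Every row of G is orthogonal to every row of H: H . G^T = 0 over GF(2).
print(((H @ G.T) % 2).any())   # False
```

Note that only the two first rows (10 bits in total) are needed to reconstruct the entire H, which is exactly the key-size advantage of the quasi-cyclic structure.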
The only difference between LDPC and MDPC codes is the value of the row weight w. For LDPC codes, w is a small constant (usually less than 10); in MDPC codes, the row weight is a function of the code length, i.e., it increases with the code length N as O(√(N log N)). As discussed before, we are interested in MDPC codes only, because the LDPC-based McEliece variants suffer from various vulnerabilities [43].

B. THE QC-MDPC VARIANT OF THE McEliece SCHEME
(1) Key generation:
• Private key: the parity-check matrix H of a t-error-correcting QC-MDPC code which, being quasi-cyclic, can be stored as its first row only.
• Public key: the corresponding generator matrix G, which can be computed from the private key (or H) using Eq. 4. Similar to H, G is quasi-cyclic, so only its first row needs to be stored instead of the entire matrix. The size of G is K × (K + p) = K × N (because p = r = N − K). As indicated above, the public key G can be described using its first row only, which has K + p bits. Since the first K bits of this row belong to the identity matrix I_K, the actual size of the key is p = N − K bits. This significantly reduces the key size compared to the N × K bits of the original McEliece scheme. For example, for the parameters N = 1024 and K = 524 as used in the original McEliece, the key size is drastically reduced from about 66 KB to 63 B.
(2) Encryption: The encryption in the QC-MDPC variant is akin to the original McEliece scheme: a plaintext message u ∈ F_2^K is subjected to the following computation:

r = u · G ⊕ e,

where e ∈ F_2^N is a random vector of weight(e) ≤ t, and the value of t is obtained from the error correcting capability of the corresponding decoder [44].
(3) Decryption: To decrypt the ciphertext r ∈ F_2^N, the receiver performs the following procedure:
• Compute u·G from r by subjecting it to a t-error-correcting decoder that leverages the knowledge of H for efficient decoding.
• Retrieve u from u·G. This can be accomplished by taking the first K bits of u·G, as G is in systematic form.
In the QC-MDPC variant, there is no need to deploy the permutation and scrambling matrices P and S. This simplification makes the decryption procedure simpler than in the original McEliece scheme, where P and S are critical elements (regardless of the complexity of the decoder unit, which is discussed in the next section).

1) DEALING WITH CHOSEN CIPHERTEXT ATTACKS
Using the systematic form of the generator matrix G in the encryption procedure leaves the scheme vulnerable to chosen-ciphertext and message recovery attacks. This is because the ciphertext r = u·G ⊕ e includes a noisy copy of the plaintext u in its first K bits (since r_i = u_i ⊕ e_i for 1 ≤ i ≤ K). Two ciphertexts r_1 and r_2 are most likely distinguishable if an attacker knows their corresponding plaintexts u_1 and u_2. In the worst case, if e_i = 0 for all 1 ≤ i ≤ K, the ciphertexts are distinguishable with probability 1.
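A quick simulation illustrates this leak. It models only the first K ciphertext bits as u ⊕ e (a simplification that ignores the parity part of the codeword), with the example sizes N = 1024 and K = 524 and an assumed error weight t = 50:

```python
import numpy as np

rng = np.random.default_rng(0)
N, K, t = 1024, 524, 50   # t is an assumed value for illustration

# Two candidate plaintexts known to the attacker.
u1 = rng.integers(0, 2, K)
u2 = rng.integers(0, 2, K)

# Error vector of weight t spread over all N positions.
e = np.zeros(N, dtype=int)
e[rng.choice(N, size=t, replace=False)] = 1

# Systematic encryption copies u into the first K bits: r_i = u_i xor e_i.
r_prefix = u1 ^ e[:K]

# Distinguisher: pick the candidate closer (in Hamming distance) to the prefix.
d1 = int((r_prefix ^ u1).sum())   # = weight of e restricted to the first K bits
d2 = int((r_prefix ^ u2).sum())   # ~ K/2 for an unrelated plaintext
print(d1, d2)                     # d1 << d2, so u1 is identified
```

Since at most t of the first K bits are flipped, the true plaintext sits at distance ≤ t from the prefix, while an unrelated candidate sits at distance around K/2; the gap makes the distinguishing trivial.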
To address this issue, Misoczki et al. [44] proposed to deploy a secure CCA2-conversion model in the QC-MDPC variant. Before encryption, the plaintext u is passed through a CCA2-conversion unit, which converts u into a random-looking vector whose observation brings no useful knowledge to an adversary. Misoczki et al. recommended using the CCA2-conversion model proposed by Kobara and Imai in [46].

C. DECODING OF QC-MDPC CODES
QC-MDPC codes can be decoded with Bit Flipping (BF)-based decoders [44]. However, BF-based decoders are inherently probabilistic, which leads to a non-zero decoding failure probability. In such decoders, a non-negligible Decoding Failure Rate (DFR) degrades system efficiency and may result in critical security issues (presented in the next section). The DFR is defined as the percentage of decoding failures in a given number of decoding attempts [44]; it is a critical factor in the efficiency and security of the QC-MDPC variant. In this regard, Misoczki et al. [44] proposed to select the system parameters to achieve a negligible DFR. In the following, we review the BF decoding algorithm and present the modified version proposed by Misoczki et al. for decoding QC-MDPC codes. Then, we investigate the DFR issue in detail and review the approaches proposed to deal with it.

1) BIT FLIPPING (BF) DECODER
The Bit Flipping algorithm was proposed by Gallager in 1963 [47]. It is a probabilistic and iterative decoding algorithm whose error correction capability increases with the code length N and decreases with the weight w of the parity-check equations [44]. As a direct consequence, the error correcting capability of BF decoding is lower for MDPC codes than for LDPC codes (because LDPC codes have a smaller w).
The BF algorithm is defined based on the Tanner graph of an LDPC/MDPC code. The Tanner graph is a visual representation of the parity-check matrix and has two sets of nodes:
• Check nodes (illustrated by squares in Fig. 3) represent the rows of the parity-check matrix. Thus, every Tanner graph has N − K check nodes (each representing a row of H).
• Variable (bit) nodes (illustrated by circles in Fig. 3) represent the N bits of a received vector r that should be decoded. Each bit node in the Tanner graph represents a single column of the parity-check matrix, as the size of r equals the number of columns in H.
The following procedure is performed to generate the Tanner graph of an LDPC/MDPC code with the (N − K) × N parity-check matrix H, in which h_ij is the element located at row i and column j.
• Draw N − K check nodes (squares) and N bit nodes (circles).
• Connect check node i to bit node j if h_ij = 1. The number of edges connected to check node i (i.e., the degree of the node) indicates the number of codeword bits involved in the i-th parity-check equation (defined by row i of H).
The BF decoding algorithm works as follows:
1) Generate the Tanner graph of the code using the parity-check matrix H (i.e., the private key). Set iter = 1.
2) Given a specific vector r = (r_1, r_2, . . . , r_N) that should be decoded, label each bit node j of the Tanner graph with r_j (1 ≤ j ≤ N).
3) For each check node i, compute the parity s_i of its parity-check equation, i.e., the modulo-2 sum of the labels of all bit nodes connected to check node i.
4) If s_i = 0 for all i ∈ {1, 2, . . . , N − K}, return the current r as the decoded codeword and terminate the algorithm.
5) Label each check node i with ''satisfied'' if s_i = 0 and with ''unsatisfied'' otherwise.
6) Make another label l_j for each bit node j, where l_j is the number of check nodes that (1) have a connection to bit node j, and (2) are labeled ''unsatisfied''.
7) For each bit node j, if l_j is greater than a predetermined threshold b, then flip r_j and update r.
8) Set iter = iter + 1. If iter is greater than a threshold and ∃ i ∈ {1, 2, . . . , N − K} such that s_i ≠ 0, return ''failure'' and terminate the algorithm.
9) With the updated r, jump to step 2.
Based on the presented procedure, the BF decoding algorithm is probabilistic: decoding failures may occur because the maximum number of iterations may be reached before all the parity-check equations are satisfied. On the other hand, increasing the threshold on the number of iterations degrades the decoding performance in terms of speed. Specifically, the number of iterations is naturally greater for MDPC codes (with their larger w) than for LDPC codes; intuitively, the complexity of the BF algorithm increases with w. To mitigate this issue, Misoczki et al. proposed modifying how the original BF algorithm selects the threshold b. In their approach, instead of using a predetermined value, b is updated at each iteration as b = MAX_u − δ, where MAX_u is the maximum number of unsatisfied parity-check equations involving a single bit at that iteration, and δ is a small integer. This approach is shown to be effective in reducing the overall number of iterations, since it allows flipping a larger number of bits at each iteration [44]. Moreover, the algorithm can be restarted in case of a decoding failure by reducing δ by 1.
In [44], the optimal initial value of δ is empirically determined as 5, reducing the number of iterations from approximately 65 to approximately 10.
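The bit-flipping loop described above can be sketched compactly. The following minimal Python implementation uses the adaptive threshold b = MAX_u − δ; the (7,4) Hamming parity-check matrix in the demo is our own toy stand-in (real MDPC matrices are vastly larger and sparser), and δ = 0 is chosen to suit this tiny code:

```python
import numpy as np

def bit_flip_decode(H, r, max_iter=10, delta=0):
    """Toy bit-flipping decoder with the adaptive threshold b = MAX_u - delta.

    H: binary parity-check matrix; r: received vector (both over GF(2)).
    Returns the corrected vector, or None on decoding failure.
    """
    H = np.asarray(H)
    r = np.array(r) % 2
    for _ in range(max_iter):
        syndrome = H.dot(r) % 2            # 1 marks an unsatisfied check
        if not syndrome.any():
            return r                       # all parity checks satisfied
        upc = H.T.dot(syndrome)            # unsatisfied checks per bit node
        b = upc.max() - delta              # adaptive threshold (MAX_u - delta)
        r = (r + (upc >= b)) % 2           # flip every bit at/above threshold
    return None                            # iteration budget exhausted

# Demo: (7,4) Hamming code, single error in the last position.
H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
received = [0, 0, 0, 0, 0, 0, 1]           # all-zero codeword + 1 error
decoded = bit_flip_decode(H, received)     # recovers the all-zero codeword
```

On this example, the error bit participates in all three unsatisfied checks, so it uniquely attains MAX_u and is the only bit flipped.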

2) MITIGATING THE DFR ISSUE
Although the new variant of the BF algorithm proposed by Misoczki et al. results in performance improvement of the BF-based decoder, the QC-MDPC variant still suffers from the DFR issue. The following three approaches have been proposed in [44] to mitigate the DFR issue.
• Approach 1: Conservative selection of the number of errors t and other system parameters such as N and w so that the DFR becomes negligible (e.g., less than 10^−7).
• Approach 2: If the decoding process fails for a specific ciphertext, a more sophisticated decoding algorithm with better error correction capability is used. However, this approach increases the decoder's complexity.
• Approach 3: If the decoding process fails for a specific ciphertext, a new encryption is requested (i.e., a retransmission request). Because a CCA2-conversion module is used, the two transmitted ciphertexts (associated with the encryption of the same message) look like random sequences (they are indistinguishable), so an adversary cannot gain any information from the retransmission itself. However, this approach can make the scheme vulnerable to reaction attacks, since the decoder informs the sender about the result of the last decoding procedure. A potential instantiation of such an attack is detailed below.

D. REACTION ATTACK ON QC-MDPC VARIANT
Employing a decoder with a non-negligible DFR may affect the QC-MDPC variant's security: decoders with a noticeable DFR enable attackers to conduct a reaction attack. The first such reaction attack was proposed by Guo et al. [43].
Similarly, the second approach may also create an opportunity for the attacker to obtain information about the result of decoding procedures by conducting side-channel attacks. For example, if Approach 2 is adopted, an attacker can monitor the processing time taken by the decoder to decode a ciphertext and conclude whether the decoder had an unsuccessful decoding attempt (in the decoding of the previously sent ciphertext): in case of failure, the decoder switches to another decoding technique, causing more latency than a successful decoding. Thus, the first approach appears to be the most secure of the three. To fully address this decoding issue, the research community has investigated the design of efficient decoders for QC-MDPC codes that achieve negligible DFRs [27], [48], [49].
Various alternative code-based cryptosystems are built on top of the aforementioned schemes, especially the ones included in NIST's standardization project [17]. In the next section, we will discuss these state-of-the-art variants, including Classic McEliece (CM) [21] and the Bit Flipping Key Encapsulation scheme (BIKE) [20]. Both schemes were included in Round 3 of NIST's standardization project and are potential candidates for a post-quantum key encapsulation mechanism.

E. BIT FLIPPING KEY ENCAPSULATION SCHEME (BIKE)
BIKE [20] is another code-based KEM, qualified in the third round of the NIST PQC standardization project as an alternate candidate, and is based on QC-MDPC codes. It leverages the Fujisaki-Okamoto (FO) CCA transform [50], [51] and the state-of-the-art Black-Gray-Flip (BGF) decoder [49] to address the IND-CCA insecurity issue of the QC-MDPC variant. Initially, three different versions of the BIKE scheme existed, namely BIKE-1, BIKE-2, and BIKE-3, targeting the heterogeneous needs of different cryptographic applications. Following NIST's recommendation, BIKE has converged to a single version that relies heavily on BIKE-2. In the following, we review the final version of BIKE (i.e., spec v4.2, available in [20]) and succinctly describe its subroutines.

1) DEFINITIONS
We briefly present some definitions provided in the BIKE technical specification that are required to understand the subroutines of BIKE.
1) System Parameters: Based on the required level of security (denoted by λ), the system parameters r, w, t, and l are determined.
• r is the length of the circulant blocks (equivalent to p as discussed earlier). Given r = N/n_0 and n_0 = 2 in BIKE, we have N = 2r. Moreover, since r = N − K, we have K = r. r should be sufficiently large to yield (together with w and t) a DFR low enough that the required security level λ is met (BIKE considers three security levels, 1, 3, and 5, corresponding to the security of AES-128, AES-192, and AES-256, respectively; a separate set of system parameters is recommended for each level).
• w is the row weight of the parity-check matrix; it is an even positive integer with w/2 odd.
• t is the Hamming weight of the error vector; it is a positive integer.
• l is the size of the generated (shared) symmetric key; it is a positive integer. BIKE additionally employs hash functions H, K, and L (modeled as random oracles), where H maps l-bit strings onto pairs of error vectors of total weight t, while K and L map onto {0, 1}^l. BIKE consists of three subroutines, key generation, encapsulation, and decapsulation, depicted in Fig. 4. The ultimate result of these subroutines is a symmetric key secretly shared between two communicating parties. These subroutines work as follows:
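For concreteness, the recommended parameter sets from the BIKE specification [20] for the three security levels can be recorded and sanity-checked as below (a plain transcription of the spec's values; consult [20] for the authoritative tables):

```python
# BIKE (round-3 spec) parameter sets keyed by NIST security level.
BIKE_PARAMS = {
    1: {"r": 12323, "w": 142, "t": 134, "l": 256},  # ~AES-128
    3: {"r": 24659, "w": 206, "t": 199, "l": 256},  # ~AES-192
    5: {"r": 40973, "w": 274, "t": 264, "l": 256},  # ~AES-256
}

for level, p in BIKE_PARAMS.items():
    # w must be even with w/2 odd (d = w/2 is the column weight).
    assert p["w"] % 2 == 0 and (p["w"] // 2) % 2 == 1
    N = 2 * p["r"]          # code length: n0 = 2 circulant blocks of size r
    K = p["r"]              # code dimension: K = N - r = r
    assert N - K == p["r"]
```

The assertions mirror the constraints listed above (w even with w/2 odd, N = 2r, K = r).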

2) KEY GENERATION SUBROUTINE
The KeyGen subroutine takes no input (except the system parameters) and generates a public-private key pair. The following procedure is performed in this subroutine (see Fig. 4):
• Sample h_0 and h_1 uniformly at random with |h_0| = |h_1| = w/2; together with an l-bit string σ (also sampled uniformly at random), they form the private key (h_0, h_1, σ).
• Compute h = h_1 h_0^{-1} and send it to the other party as the public key pk.

3) ENCAPSULATION SUBROUTINE
The Encaps subroutine takes the public key h as input and generates a ciphertext C (that is sent to the other party) and a symmetric key K_s that remains secret and is used for encrypting data. The following procedure is performed in this subroutine (see Fig. 4):
• Select an l-bit vector m from the message space M uniformly at random.
• Compute the error vectors (e_0, e_1) = H(m).
• Compute C = (C_0, C_1) = (e_0 + e_1 h, m ⊕ L(e_0, e_1)).
• Compute the shared key K_s = K(m, C).

4) DECAPSULATION SUBROUTINE
The Decaps subroutine takes the private key and the ciphertext C as input and generates the symmetric key K_s or a failure symbol ⊥. The following procedure is performed in this subroutine: • Compute the syndrome S = C_0 h_0.
• Decode S using the Black-Gray-Flip decoder (reviewed in the next subsection) to obtain the error vectors e'_0 and e'_1. If |e'_0| + |e'_1| ≠ t or the decoding procedure fails, return ⊥ and halt.
• Compute m' = C_1 ⊕ L(e'_0, e'_1) and verify that H(m') = (e'_0, e'_1); if so, compute the shared key K_s = K(m', C).
Based on the above subroutines, two communicating parties can securely establish the same (symmetric) key K_s. If the legitimate device (which owns the private key) receives a valid ciphertext C, it will be able to compute K_s from C. However, any malicious attempt to recover K_s without knowledge of the private key fails, because decoding the received ciphertext using the syndrome C_0 h_0 for an arbitrary QC code is infeasible (the SD problem is NP-complete). Moreover, the legitimate receiver can verify the integrity of C_0 (which is critical in recovering the shared key) through the confirmation of H(m') = (e'_0, e'_1). Although the submitters of BIKE provide specific implementation details [20], we present the essential aspects in the next subsection to avoid confusion.
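The overall shape of the encapsulation/decapsulation pair, including the consistency check H(m') = (e'_0, e'_1) and the implicit rejection used by the FO transform, can be illustrated with byte strings. Everything below is a toy stand-in: the hash functions are SHA-256 with domain-separation tags, and the encode/decode placeholders are simple XORs that have nothing to do with real QC-MDPC coding.

```python
import hashlib, os

# Toy stand-ins for BIKE's hash functions H, L, K (modeled as random oracles).
def H(m): return hashlib.sha256(b"H" + m).digest()          # message -> "error vector"
def L(e): return hashlib.sha256(b"L" + e).digest()          # error vector -> mask
def K(m, c): return hashlib.sha256(b"K" + m + c).digest()   # shared-key derivation

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encaps(pk, encode):
    m = os.urandom(32)                    # random message from M
    e = H(m)                              # derive the error vector from m
    c0, c1 = encode(e, pk), xor(m, L(e))  # C = (C0, C1)
    return (c0, c1), K(m, c0 + c1)        # ciphertext and shared key Ks

def decaps(sk, sigma, ct, decode):
    c0, c1 = ct
    e = decode(c0, sk)                    # recover the error vector from C0
    m = xor(c1, L(e))
    if H(m) == e:                         # consistency check H(m') = e'
        return K(m, c0 + c1)              # accept: same Ks as the sender
    return K(sigma, c0 + c1)              # implicit rejection: pseudorandom key

# Toy "coding": XOR with the key, with pk acting as its own trapdoor.
pk = sk = os.urandom(32)
sigma = os.urandom(32)
encode = decode = lambda v, k: xor(v, k)

ct, ks = encaps(pk, encode)
assert decaps(sk, sigma, ct, decode) == ks          # honest run recovers Ks
bad = (xor(ct[0], b"\x01" * 32), ct[1])
assert decaps(sk, sigma, bad, decode) != ks         # tampering -> rejected key
```

Note that a tampered ciphertext still yields *some* key rather than an error symbol: that is the implicit-rejection behavior discussed later in the context of side-channel resistance.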

5) DETAILS ON BIKE
6) HOW IS THE ENCODING PROCEDURE PERFORMED IN THE Encaps SUBROUTINE?
The BIKE scheme is based on Niederreiter's framework [52] (like CM), so the encoding procedure is performed using the parity-check matrix. In BIKE, the parity-check matrix is deployed in its systematic form; thus, for the encoding procedure, we have C_0 = (e_0, e_1) H^T = e_0 + e_1 h. Note that H^T is a 2r × r matrix. As illustrated in Fig. 4, Alice uses Bob's public key to securely generate a session key K_s. Once Bob receives the ciphertext C, he can obtain the same K_s as Alice generated (it should be mentioned that BIKE does not take any plaintext as input, because it is a KEM scheme used by two entities to secretly generate a shared key). After the shared session key is generated, both parties can use K_s to communicate their messages through a data encryption mechanism (DEM).

7) HOW IS THE DECODING PROCEDURE PERFORMED IN THE Decaps SUBROUTINE?
In the Decaps subroutine, the receiver computes the syndrome S = C_0 h_0. This is because
S = C_0 h_0 = (e_0 + e_1 h) h_0 = e_0 h_0 + e_1 h_1 h_0^{-1} h_0 = e_0 h_0 + e_1 h_1,
since h = h_1 h_0^{-1} and addition is performed modulo 2. The above syndrome can be fed to a BF-based decoder (or any other appropriate decoder) to obtain e_0 and e_1 (the decoder takes S = C_0 h_0 as input and recovers the error vectors from the encoded vector C_0 = e_0 + e_1 h). However, since the BF decoder can lead to a higher DFR, in the following subsection we discuss the Black-Gray-Flip (BGF) decoder that is recommended for deployment in the Decaps subroutine of BIKE.
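Since the public key is h = h_1 h_0^{-1}, the syndrome satisfies S = C_0 h_0 = (e_0 + e_1 h) h_0 = e_0 h_0 + e_1 h_1, and this identity can be checked numerically in a toy version of the ring F_2[x]/(x^r − 1). Below, ring elements are bitmasks, multiplication is cyclic convolution, and the inverse is found by brute force; r = 11 and all the sparse polynomials are our own illustrative choices (real BIKE uses r in the tens of thousands and fast inversion algorithms):

```python
R = 11                       # toy block size (BIKE uses r = 12323 and larger)
MASK = (1 << R) - 1

def mul(a, b):
    """Multiply two elements of F2[x]/(x^R - 1), encoded as bitmasks."""
    res = 0
    for i in range(R):
        if (b >> i) & 1:
            res ^= ((a << i) & MASK) | (a >> (R - i))  # cyclic shift of a by i
    return res

def inv(a):
    """Brute-force inverse in the ring (exists iff gcd(a(x), x^R - 1) = 1)."""
    for c in range(1, 1 << R):
        if mul(a, c) == 1:
            return c
    raise ValueError("not invertible")

h0 = 0b0000001011            # sparse, odd-weight "private" polynomials
h1 = 0b0000100101
h = mul(h1, inv(h0))         # public key h = h1 * h0^{-1}

e0, e1 = 0b0010000100, 0b0000010001   # toy error vectors
c0 = e0 ^ mul(e1, h)                  # C0 = e0 + e1*h

# The receiver's syndrome equals e0*h0 + e1*h1, as derived above:
assert mul(c0, h0) == mul(e0, h0) ^ mul(e1, h1)
```

Odd-weight polynomials are used because x + 1 always divides x^r − 1, so an even-weight element (which vanishes at x = 1) cannot be invertible.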

8) BGF DECODER
The BGF decoder [49] is a variant of the Black-Gray (BG) decoder [48], [53], which is itself a more elaborate version of the BF decoder. The main difference between BG and the original BF decoder is that a BG decoder may flip back the value of a bit (variable) node (or, equivalently, an error bit) if it is convinced that the bit was mistakenly flipped in a previous iteration. A simple realization of this idea is the Time-to-Live (TTL) mechanism; BG uses a more sophisticated version of TTL. In this version, the decoder creates two lists of bit nodes (called the Black and Gray lists) to keep track of those bit flips that are regarded as ''uncertain'' [54]. The first list (Black) maintains the positions of those bit nodes that were just flipped, while the second list (Gray) keeps the positions of bit nodes for which the number of unsatisfied parity checks is close to the threshold b but below it (i.e., greater than b − δ, where δ is a small, empirically chosen value).
In every iteration of BG, the following three steps are performed. In step 1, the decoder decides whether or not the value of each bit node should be flipped by comparing the corresponding number of unsatisfied parity checks with the threshold b (akin to a single iteration of the BF decoder). In addition, it computes the Black and Gray lists. In steps 2 and 3, another iteration of BF is performed, but only the bit nodes in the Black and Gray lists are considered (in steps 2 and 3, respectively). In these steps, the value of a Black/Gray bit node is flipped if the number of its corresponding unsatisfied parity checks is greater than a newly set threshold (d + 1)/2 + 1 (where d = w/2 is a positive odd integer and the row weight w is a positive even integer), to gain more confidence in the flipped bits [49]. Finally, the value of the syndrome is updated based on the obtained error vector. If it equals zero, the obtained error vector is returned and the algorithm terminates. Otherwise, if the current iteration number is less than the maximum number of iterations, another iteration is performed; else, ⊥ is returned and the algorithm terminates.
The BGF decoder (deployed in BIKE), as depicted in Fig. 5, is similar to BG. It starts with one iteration of the BG decoder but proceeds with plain BF iterations until either the syndrome becomes zero or the maximum number of iterations is reached (see Fig. 5). This translates into fewer steps than the BG decoder requires to achieve a low DFR. For example, for N_I iterations (where N_I is the number of iterations taken to recover all errors), BG essentially needs 3 × N_I steps, whereas BGF needs only 3 + (N_I − 1) steps [49].
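A structural sketch of BGF, one Black-Gray iteration followed by plain bit-flipping iterations, is given below on a toy (7,4) Hamming single-error example. The thresholds here (a max-based step-1 threshold and (d + 1)/2 + 1 for steps 2 and 3) are simplified stand-ins for BIKE's simulation-tuned threshold functions, and d is passed in explicitly since this toy matrix does not have the constant column weight of an MDPC code:

```python
import numpy as np

def bgf_decode(H, r, d, max_iter=5, delta=1):
    """Sketch of BGF: iteration 0 is a Black-Gray iteration (three steps);
    subsequent iterations are plain bit-flipping steps."""
    H = np.asarray(H)
    r = np.array(r) % 2
    th2 = (d + 1) // 2 + 1                 # step-2/3 threshold from [49]
    for it in range(max_iter):
        s = H.dot(r) % 2
        if not s.any():
            return r                       # syndrome is zero: done
        u = H.T.dot(s)                     # unsatisfied checks per bit
        b = u.max()                        # simplified step-1 threshold
        black = u >= b                     # bits flipped in step 1
        gray = (u >= b - delta) & ~black   # near-threshold ("uncertain") bits
        r = (r + black) % 2
        if it == 0:                        # steps 2 and 3: re-examine the lists
            for mask in (black, gray):
                u = H.T.dot(H.dot(r) % 2)
                r = (r + (mask & (u >= th2))) % 2
    return r if not (H.dot(r) % 2).any() else None

H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
decoded = bgf_decode(H, [0, 0, 0, 0, 0, 0, 1], d=3)   # recovers all-zeros
```

The black/gray re-checks in iteration 0 are what distinguish this loop from plain BF: bits flipped on weak evidence get a second look against the stricter threshold th2.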
The BGF decoder has been identified as the most efficient variant of the BF algorithm in terms of DFR and complexity [49]. In BIKE, the thresholds used in BGF are computed using functions tuned through extensive simulations. These threshold values are important system parameters since they determine the DFR of the decoder. In BIKE, the threshold values are obtained based on the target DFRs, which are 2^−128, 2^−192, and 2^−256 for the respective security levels (i.e., λ).
The formal proof of a negligible DFR is a challenging task (no mathematical model has been proposed yet). Thus, in BIKE, the corresponding threshold values for the different DFR levels are estimated through extensive simulations and extrapolations [55], [56].

9) BIKE SECURITY AGAINST REACTION ATTACKS
The QC-MDPC variant of the McEliece scheme is vulnerable to a specific reaction attack that exploits decoding failures to recover the private key [43]. This vulnerability has been taken seriously in BIKE since it deploys a QC-MDPC encoder. In this regard, the BIKE submitters have proposed two approaches to address the reaction attack.
• Approach 1: This approach assumes that the party who sends the public key to initiate a session (i.e., the private key owner) generates a fresh public-private key pair for every session. In other words, this party never decapsulates more than one ciphertext with a single private key. Therefore, reaction-based key recovery attacks like the one proposed in [43] are no longer feasible because they need many observations of the decoder's reaction based on the same key pair. This approach is suitable for synchronous communication protocols (e.g., TLS) in which the immediate refreshing of the public-private key pair is possible. As a result, the mechanism needs to be IND-CPA secure only since CCA attacks are automatically addressed in such usage models. Moreover, this usage model provides both backward and forward secrecy.
• Approach 2: This approach is appropriate when a public-private key pair is reused for two or more symmetric key exchanges (i.e., two or more runs of the BIKE algorithm), which can occur either intentionally or inadvertently. For example, in asynchronous communication protocols (e.g., email), adopting Approach 1 is not feasible, since the party sending data (through a DEM unit) needs a fresh version of the public key, which may not have been provided yet by the other party (e.g., because the other party is offline). In such scenarios, the deployed decoder must offer a negligible DFR, i.e., the system parameters r, w, and t must be carefully selected such that the DFR is low enough to match the security requirement.
The first approach results in a high level of latency due to the key generation procedure (and the publishing of the updated public key) that must be performed at the beginning of each symmetric key exchange session. The key generation phase can take considerably longer than the encapsulation procedure because it includes the computation of a polynomial inversion. According to the implementation results provided in the BIKE specification [20], the key generation procedure may take 2 to 4 times longer than the encapsulation procedure. Based on these results, the key generation phase accounts for approximately 20 to 30 percent of the overall latency, which indicates that updating the public-private key pair for each key exchange session results in a 25 to 40 percent increase in latency. The large latency of the decapsulation procedure partially mitigates this issue. Moreover, the BIKE technical specification proposes deploying a batch key generation mechanism that computes only one polynomial inversion for every F key generations, thereby accelerating KeyGen when establishing shared keys.
Moreover, reusing the key pair a few times does not result in an effective threat since the reaction-based key recovery attacks [43] rely on observing many decoding failures. Thus, adopting approach 2 with a non-negligible DFR seems secure if the number of key reuses is small.

10) BIKE SECURITY AGAINST SIDE-CHANNEL ATTACKS
In a side-channel attack, the attacker attempts to gain knowledge about a cryptosystem by observing implementation-related parameters of the system (e.g., power consumption, timing information, etc.) rather than directly targeting weaknesses that may exist in the system architecture [57]. In a specific class of side-channel attacks (timing attacks), the attacker aims to obtain knowledge by measuring the time taken to execute different algorithms, processes, or subroutines of the cryptosystem. This type of side-channel attack can be conducted on the QC-MDPC variant of the McEliece scheme by observing the time taken to decode different ciphertexts. Even if the decoder performs an implicit rejection when decoding fails (such that the rejection itself brings no useful knowledge to an attacker), it is still possible for the attacker to identify decoding failures with high probability by measuring the decoding time. BF-based decoders have an iterative structure that causes the algorithm's run time to vary, i.e., the run time depends on the number of iterations required to find the decoded vector. Thus, if it takes longer than expected for the decoding algorithm to terminate, an attacker who monitors the run time will know that a decoding failure has occurred.
In the BIKE specification, it is proposed to use a constant-time implementation of the BGF decoder to address side-channel attacks; in other words, the number of iterations is fixed for decoding different ciphertexts. Thus, under the employed implicit-rejection version of the Fujisaki-Okamoto transformation [50], [51], any malicious attempt to identify decoding failures will be unsuccessful. Using fresh public-private key pairs also addresses reaction attacks (including side-channel-assisted ones), but, as discussed in the previous subsection, this solution is not feasible for asynchronous applications. Thus, the constant-time implementation approach must be adopted to avoid side-channel attacks.
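At the algorithmic level, the fixed-iteration idea can be sketched as follows: the loop always runs the same number of iterations and the syndrome is checked only once at the end, so the iteration count no longer leaks whether decoding succeeded. (A genuinely constant-time implementation must also make each iteration's memory accesses and arithmetic data-independent, which this Python sketch does not attempt; the toy matrix and thresholds are the same kind of stand-ins used earlier.)

```python
import numpy as np

def bf_decode_fixed(H, r, n_iter=3):
    """Bit flipping with a fixed iteration count and no early exit."""
    H = np.asarray(H)
    r = np.array(r) % 2
    for _ in range(n_iter):                # always exactly n_iter iterations
        syndrome = H.dot(r) % 2
        upc = H.T.dot(syndrome)
        b = max(upc.max(), 1)              # if the syndrome is zero, nothing flips
        r = (r + (upc >= b)) % 2
    ok = not (H.dot(r) % 2).any()          # single success check at the end
    return r if ok else None               # caller applies implicit rejection

H = [[1, 0, 1, 0, 1, 0, 1],
     [0, 1, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
out = bf_decode_fixed(H, [0, 0, 0, 0, 0, 0, 1])   # recovers all-zeros
```

Clamping the threshold to at least 1 lets already-converged iterations run as harmless no-ops, which is what allows the loop bound to stay independent of the input.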

11) IMPACT OF WEAK-KEYS ON BIKE
The security of BIKE (its IND-CCA security) depends on the low DFR of the deployed decoder (e.g., the BGF decoder used in BIKE). For example, the authors of [27] have argued that the DFR needs to be as low as 2^−λ for λ bits of IND-CCA security. Interestingly, however, recent research has pointed out the existence of specific (private) keys that negatively impact the DFR and hence the IND-CCA security. Such keys are referred to as weak-keys. For example, Drucker et al. [48] have argued that the IND-CCA security of BIKE is difficult to claim without first proving (or disproving) the existence of weak-keys and formally quantifying their impact on the DFR. Sendrier et al. [58] have demonstrated through empirical analysis that the average DFR is not hugely impacted by the known weak-keys, and thus argued that the existence of weak-keys is not critical to the IND-CCA claims. However, this analysis is insufficient to claim the IND-CCA security of BIKE. Subsequently, they conducted a similar analysis with the BGF decoder (see [59] for details) and argued that weak-keys do not significantly impact the DFR. However, another work [60] conducted a similar analysis with the BGF decoder and reached different conclusions from [59]. More precisely, [60] argued, based on its analysis, that weak-keys could be a potential threat to the IND-CCA security of BIKE. This difference could stem from the use of different parameters and platforms in the respective analyses. Our analysis suggests that some of the parameters in [59] are unclear, and a subsequent empirical analysis with similar parameters may help ascertain the impact of weak-keys. Both works are empirical, making it difficult to favor one or the other without understanding the root cause of the difference.

V. CONCLUSION AND FUTURE WORK
In this paper, we investigated BIKE, a post-quantum key encapsulation scheme that has recently progressed to Round 4 of the NIST PQC standardization project and is likely to be standardized as a general-purpose KEM. This paper offers the necessary preliminaries and covers the original ME cryptosystem and its contemporary QC-MDPC-based variants (e.g., BIKE) for fledgling researchers, security architects, and developers. We also comprehensively reviewed various possible attacks on such code-based cryptosystems and described the potential reasons for the success or failure of such attacks. We elaborated on the working principles of the bit-flipping decoder and its state-of-the-art variants, such as the BGF decoder, and their role in facilitating certain types of reaction and side-channel attacks on BIKE. Our analysis of recent literature suggests that the weak-key issue has been described differently by different research works and demands a subsequent analysis that first benchmarks the approach, parameters, and potentially the data (e.g., the ciphertexts and key pairs used in DFR analysis). Although there have been no benchmarking efforts, we identify one dataset [61] for future analysis. Similarly, our review of the related literature finds no comparisons of BIKE with the other candidates shortlisted in Round 4. We believe such a comparison may reveal interesting insights that could help in further tweaking this scheme. Similarly, making BIKE an authenticated KEM (AKEM) is also currently overlooked, which may open the door to attacks that leverage the lack of authentication by design (see [62] for details).
An AKEM ensures that the party who initiates the symmetric key generation process (the owner of the private key) can authenticate the other party when a ciphertext C is received, thereby ensuring the sender's legitimacy. This would help BIKE (or A-BIKE) to mitigate various attacks.