##

Date de l'exposé : 21 février 2020

### On weak keys in QC-MDPC schemes

Quasi-cyclic moderate density parity check (QC-MDPC) codes allow the design of McEliece-like public-key encryption schemes with compact keys and a security that provably reduces to hard decoding problems for quasi-cyclic codes. Because of these features, QC-MDPC have attracted a lot of interest from the cryptographic community. In particular, the BIKE suite of key exchange mechanisms has been selected to the second round of the NIST call for standardization of quantum safe cryptographic primitives.
To reach IND-CCA security, it is necessary to prove that the decoding failure rate (DFR) is negligible. Getting a formal proof of a low DFR is a difficult task. Instead, we propose to ensure this low DFR under some additional security assumption on the decoder. This assumption relates to the asymptotic behavior of the decoder and is supported by several other works. We thus evaluate a decoder by simulation and extrapolate its DFR under the decoder security assumption. Using standard techniques from communication systems, we can evaluate the confidence in our extrapolation.
The construction of a set of weak keys, in the sense that they have a higher DFR, has been exhibited in a recent work [Drucker, Gueron, Kostic 2019]. We observe that these keys are related to the key recovery reaction attack of [Guo, Johansson, Stankovski 2016] by the fact that they have an atypical "spectrum". From this observation, we can generalize the construction by directly generating keys with an atypical spectrum. Using combinatorics to count these weak keys and applying our methodology to evaluate the DFR, we prove that they do not affect the security of the scheme.