CAKE: Code-Based Algorithm for Key Encapsulation

Abstract

Current widely-used key exchange (KE) mechanisms will be vulnerable to quantum attacks when sufficiently strong quantum computers become available. Therefore, devising quantum-resistant replacements that combine efficiency with solid security guarantees is an important and challenging task. This paper proposes several contributions towards this goal. First, we introduce “CAKE”, a key encapsulation algorithm based on the QC-MDPC McEliece encryption scheme, with two major improvements: (a) the use of ephemeral keys that defeats a recent reaction attack against MDPC decoding of the corresponding encryption scheme and (b) a highly efficient key generation procedure for QC-MDPC-based cryptosystems. Then, we present an authenticated key exchange protocol based on CAKE, which is suitable for the Internet Key Exchange (IKE) standard. We prove that CAKE is IND-CPA secure, that the protocol is SK-Secure, and suggest practical parameters. Compared to other post-quantum schemes, we believe that CAKE is a promising candidate for post-quantum key exchange standardization.

Appendices

Appendix

A  Efficiently Sampling Invertible Elements from \(\mathbb {F}_2[x]/\langle X^r - 1 \rangle \)

In this section, we prove that one can efficiently sample an invertible element from \(\mathbb {F}_2[x]/\langle x^r - 1 \rangle \) by taking any polynomial such that \(\mathsf {wt}(h)\) is odd.

Lemma 1

Let \(h \in \mathbb {F}_2[x]\) have even weight. Then h is not invertible modulo \(x^r - 1\).

Proof

We show that \((x - 1) \mid h\) by induction on \(\mathsf {wt}(h)\). For \(\mathsf {wt}(h) = 0\) trivially \((x - 1) \mid h\). Assume that \((x - 1) \mid h\) whenever \(\mathsf {wt}(h) = 2k\) for some \(k \geqslant 0\). Now consider any \(h \in \mathbb {F}_2[x]\) with weight \(\mathsf {wt}(h) = 2(k+1)\), and take two distinct terms \(x^i\), \(x^j\) of h such that \(i < j\). Define \(h' = h - x^i - x^j\), so that \(\mathsf {wt}(h') = 2k\). Then \((x - 1) \mid h'\) by induction, i.e. \(h' = (x - 1)h''\) for some \(h'' \in \mathbb {F}_2[x]\). Hence \(h = h' + x^i + x^j = (x - 1)h'' + x^i(x^{j - i} + 1) = (x - 1)h'' + x^i(x - 1)(x^{j - i - 1} + \dots + 1) = (x - 1)(h'' + x^i(x^{j - i - 1} + \dots + 1))\), and therefore \((x - 1) \mid h\).    \(\square \)

Theorem 2

Let r a prime such that \((x^r - 1)/(x - 1) \in \mathbb {F}_2[x]\) is irreducible. Then any \(h \in \mathbb {F}_2[x]\) with \(\deg (h) < r\) is invertible modulo \(x^r - 1\) iff \(h \ne x^{r - 1} + \dots + 1\) and \(\mathsf {wt}(h)\) is odd.

Proof

Take a term \(x^i\) of h. Then \(\mathsf {wt}(h + x^i) = \mathsf {wt}(h) - 1\) is even, and by Lemma 1 \((x - 1) \mid (h + x^i)\). Hence \(h \bmod (x - 1) = x^i \bmod (x - 1) = 1\), meaning that h is invertible modulo \(x - 1\).

Now, because \((x^r - 1)/(x - 1) = x^{r - 1} + \dots + 1\) is irreducible, if \(\deg (h) < r - 1\) then \(\gcd (h, x^{r - 1} + \dots + 1) = 1\), and if \(\deg (h) = r - 1\), then \(\gcd (h, x^{r - 1} + \dots + 1) = \gcd (h + x^{r - 1} + \dots + 1, x^{r - 1} + \dots + 1) = 1\), since \(\deg (h + x^{r - 1} + \dots + 1) < r - 1\). Hence h is invertible modulo \(x^{r - 1} + \dots + 1\).

Therefore, the combination of the inverses of h modulo \(x - 1\) and modulo \(x^{r - 1} + \dots + 1\) via the Chinese remainder theorem is well defined, and by construction it is the inverse of h modulo \((x - 1)(x^{r - 1} + \dots + 1) = x^r - 1\).    \(\square \)

Corollary 1

One can efficiently sample an invertible element from \({\mathbb {F}_2[x]/\langle x^r - 1 \rangle }\) by taking any polynomial such that \(\mathsf {wt}(h)\) is odd.    \(\square \)