Polynomial Lattices for the BIKE Cryptosystem
Michael Schaller
TL;DR
The paper reframes BIKE's key-recovery weakness as a rank-$2$ lattice problem over a polynomial ring derived from the public key, treating the secret key as a sparse lattice vector. It builds a concrete lattice $L$ with basis $(x^r-1,0)$ and $(h,1)$ and applies Lenstra-style polynomial-lattice reduction to obtain a reduced basis, enabling a generalized weak-key search that combines lattice reduction with brute-force bounded by a degree parameter. By connecting Thue's lemma, Mahler's analogue of Minkowski, and rational reconstruction within a unified polynomial-lattice framework, the work shows how to recover more weak keys than prior approaches (e.g., BardetDLO16) and provides insights into short-vector hardness under a weight-based norm. The results suggest directions for extending the method to higher-rank lattices and for potential applications to HQC, highlighting open questions about deeper lattice-theoretic approaches to quasi-cyclic cryptosystems and their weak-key landscapes.
Abstract
In this paper we introduce a rank $2$ lattice over a polynomial ring arising from the public key of the BIKE cryptosystem. The secret key is a sparse vector in this lattice. We study properties of this lattice and generalize the recovery of weak keys from "Weak keys for the quasi-cyclic MDPC public key encryption scheme". In particular, we show that they implicitly solved a shortest vector problem in the lattice we constructed. Rather than finding only a shortest vector, we obtain a reduced basis of the lattice, which makes it possible to check for more weak keys.
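The lattice with basis $(x^r-1,0)$ and $(h,1)$ can be reduced with the textbook extended Euclidean algorithm over $\mathbb{F}_2[x]$, which is what the following added example does as a key-generation self-check; it is not code from the paper. Assumptions: $h = h_1 h_0^{-1} \bmod (x^r-1)$, vectors are measured by maximum coordinate degree, and the function names and the toy key with $r = 11$ are constructed for illustration.

```python
# Added example. GF(2)[x] polynomials are ints: bit i is the coefficient of x^i.

def deg(a):
    return a.bit_length() - 1                 # deg(0) == -1

def mul(a, b):
    """Carry-less product in GF(2)[x]."""
    out = 0
    while b:
        if b & 1:
            out ^= a
        a, b = a << 1, b >> 1
    return out

def divmod2(a, b):
    """Quotient and remainder of a / b in GF(2)[x], b != 0."""
    q = 0
    while deg(a) >= deg(b):
        s = deg(a) - deg(b)
        q, a = q ^ (1 << s), a ^ (b << s)
    return q, a

def rows(h, r):
    """Euclidean rows (a, b) for x^r-1 and h; each has a = b*h mod x^r-1."""
    prev, cur = ((1 << r) | 1, 0), (h, 1)     # x^r - 1 == x^r + 1 over GF(2)
    while cur[0]:
        yield prev, cur
        q, rem = divmod2(prev[0], cur[0])
        prev, cur = cur, (rem, prev[1] ^ mul(q, cur[1]))
    yield prev, cur

def norm(v):
    return max(deg(v[0]), deg(v[1]))          # assumed degree norm of a vector

def reduce_lattice(h, r):
    """Reduced basis of L = <(x^r-1, 0), (h, 1)>, shortest vector first."""
    for prev, cur in rows(h, r):
        if deg(cur[0]) <= deg(cur[1]):        # first coordinate stops dominating
            return sorted((prev, cur), key=norm)

def public_key(h0, h1, r):
    """h = h1 * h0^-1 mod x^r-1; assumes gcd(h0, x^r-1) = 1."""
    inv = next(t for _, (g, t) in rows(h0, r) if g == 1)
    return divmod2(mul(h1, inv), (1 << r) | 1)[1]

# Constructed toy key (r = 11, far below real BIKE sizes): both halves low degree.
R, H0, H1 = 11, 0b1011, 0b10101               # h0 = x^3+x+1, h1 = x^4+x^2+1
H = public_key(H0, H1, R)
BASIS = reduce_lattice(H, R)                  # BASIS[0] is the shortest vector
```

Because the two degree norms of the reduced basis sum to $r$, a first vector much shorter than $r/2$ flags a key in the low-degree weak class and should be rejected at key generation.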
