## Abstract

In this work, we propose different techniques that can be used to implement the rank-based key encapsulation methods and public key encryption schemes of the ROLLO, and partially RQC, family of algorithms in a standalone, efficient and constant time library. For simplicity, we focus our attention on one specific instance of this family, ROLLO-I-128. For each of these techniques, we present explicit code (including intrinsics), or pseudo-code and performance measures to show their impact. More precisely, we use a combination of original and known results and describe procedures for Gaussian reduction of binary matrices, generation of vectors of given rank, multiplication with lazy reduction and inversion of polynomials in a composite Galois field. We also carry out a global performance analysis to show the impact of these improvements on ROLLO-I-128. Through the SUPERCOP framework, we compare it to other 128-bit secure KEMs in the NIST competition. To our knowledge, this is the first optimized full constant time implementation of ROLLO-I-128.

This is a preview of subscription content, access via your institution.

## Notes

The full code of our implementation and of the tests we run for the comparisons is available at https://github.com/Crypto-TII/constant_time_rollo.

The code is available in the file

*mach_desc.h*of the library NTL [39], under the method NTL_ALT1_BB_MUL_CODE0.The mul function in

*GF2E.h*.When it is clear from the context, with abuse of notation we indicate \({\mathbf {a}}\times {\mathbf {b}}\) as \({\mathbf {a}}\cdot {\mathbf {b}}\) or \({\mathbf {a}}{\mathbf {b}}\), also for matrix multiplications.

With this option, there is a \(2^{-60}\) probability that an error of weight less than

*d*, or, respectively, less then*r*, is generated during the keygen or, respectively, the encapsulation. Furthermore, in this case, the protocol will not fail.

## References

Abdouli Aa, Bellini E, Caullery F, Manzano M, Mateu V. Rank-metric Encryption on Arm-Cortex M0: Porting code-based cryptography to lightweight devices. In: Proceedings of the 6th on ASIA Public-Key Cryptography Workshop, 2019; pp. 23–30.

Aguilar-Melchor C, Aragon N, Bettaieb S, Bidoux L, Blazy O, Deneuville JC, Gaborit P, Hauteville A, Ruatta O, Tillich JP, et al. ROLLO - Rank-Ouroboros, LAKE & LOCKER. 2018. Available at: https://pqc-rollo.org/doc/rollo-specification_2020-04-21.pdf.

Aguilar-Melchor C, Aragon N, Bettaieb S, Bidoux L, Blazy O, Deneuville JC, Gaborit P, Zémor G. Rank Quasi-Cyclic (RQC). 2017. https://pqc-rqc.org/doc/rqc-specification_2017-11-30.pdf.

Aguilar-Melchor C, Bellini E, Caullery F, Makarim RH, Manzano M, Marcolla C, Mateu V. Constant-time algorithms for ROLLO. Available at: https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/caullery-constant-time-rollo.pdf.

Al Abdouli AS, Al Ali M, Bellini E, Caullery F, Hasikos A, Manzano M, Mateu V. DRANKULA: A McEliece-like Rank Metric based Cryptosystem Implementation.In: Proceedings of the 15th international joint conference on e-business and telecommunications (ICETE 2018), 2018;vol. 2, pp. 230–41. https://doi.org/10.5220/0006838102300241.

Al Shehhi H, Bellini E, Borba F, Caullery F, Manzano M, Mateu V. An IND-CCA-secure code-based encryption scheme using rank metric. In: Progress in cryptology–AFRICACRYPT 2019: 11th international conference on cryptology in Africa, Rabat, Morocco, July 9–11, 2019, Proceedings, 2019; vol. 11627, p. 79. Springer.

Alagic G, Alperin-Sheriff J, Apon D, Cooper D, Dang Q, Kelsey J, Liu YK, Miller C, Moody D, Peralta R, et al. Status report on the second round of the NIST post-quantum cryptography standardization process. National Institute of Standards and Technology: Tech. rep; 2020.

Aragon N, Gaborit P, Hauteville A, Ruatta O, Zémor G. Low rank parity check codes: New decoding algorithms and applications to cryptography. arXiv:1904.00357 [Preprint]. 2019.

Aranha DF, López J, Hankerson D. Efficient software implementation of binary field arithmetic using vector instruction sets. In: International conference on cryptology and information security in Latin America, 2010;pp. 144–61. Springer.

Bardet M, Bros M, Cabarcas D, Gaborit P, Perlner R, Smith-Tone D, Tillich JP, Verbel J. Algebraic attacks for solving the Rank Decoding and MinRank problems without Gröbner obner basis. arXiv:2002.08322 [Preprint]. 2020.

Bellini E, Caullery F, Gaborit P, Manzano M, Mateu V. Improved veron identification and signature schemes in the rank metric. In: Information theory (ISIT), 2019 IEEE international symposium on. IEEE 2019. https://doi.org/10.1109/ISIT.2019.8849585.

Bellini E, Caullery F, Hasikos A, Manzano M, Mateu V. Code-based signature schemes from identification protocols in the rank metric. In: International conference on cryptology and network security, 2018;pp. 277–98. Springer.

Bellini E, Caullery F, Makarim R, Manzano M, Marcolla C, Mateu V. Advances and challenges of rank metric cryptography implementations. In: 2019 IEEE 37th international conference on computer design (ICCD), 2019;pp. 325–8. IEEE.

Bernstein DJ, Chou T, Schwabe P. McBits: fast constant-time code-based cryptography. In: International workshop on cryptographic hardware and embedded systems, 2013;pp. 250–72. Springer.

Bernstein DJ, Lange T. eBACS: ECRYPT Benchmarking of Cryptographic Systems: SUPERCOP (2010). https://bench.cr.yp.to/supercop.html. Accessed 15 July 2020.

Bernstein DJ, Yang BY. Fast constant-time gcd computation and modular inversion. In: IACR transactions on cryptographic hardware and embedded systems 2019;pp. 340–98.

Bos JW, Kleinjung T, Niederhagen R, Schwabe P. Ecc2k-130 on cell cpus. In: International conference on cryptology in Africa, 2010;pp. 225–242. Springer.

Bosma W, Cannon J, Playoust C. The Magma algebra system. I. The user language. J Symbolic Comput. 1997;24(3–4):235–65. https://doi.org/10.1006/jsco.1996.0125.

Drucker N, Gueron S, Kostic D. Constant-time implementations in some proposed KEMs: the case of Rollo and RQC. http://math.haifa.ac.il/shay/Side_Channels_2020_06_23_V01.pdf. 2020.

Enhancing Code Based Zero-Knowledge Proofs Using Rank Metric.

Eron Anderson S. Bit twiddling hacks. https://graphics.stanford.edu/~seander/bithacks.html. Accessed 03 May 2019.

Faure C, Loidreau P. A new public-key cryptosystem based on the problem of reconstructing \(p\)–polynomials. In: International workshop on coding and cryptography, 2005;vol. 3969, pp. 304–15. Springer. https://doi.org/10.1007/11779360_24.

Gabidulin EM, Paramonov A, Tretjakov O. Ideals over a non-commutative ring and their application in cryptology. In: Workshop on the theory and application of of cryptographic techniques, 1991;pp. 482–9. Springer.

Gaborit P, Murat G, Ruatta O, Zémor G. Low rank parity check codes and their application to cryptography. In: Proceedings of the workshop on coding and cryptography WCC-2013, Bergen. 2013.

Gaborit P, Otmani A, Kalachi HT. Polynomial-time key recovery attack on the Faure-Loidreau scheme based on Gabidulin codes. Des Codes Crypt. 2018;86(7):1391–403.

Guajardo J, Paar C. Fast inversion in composite galois fields GF \(((2^n)^{M})\). In: IEEE international symposium on information theory, 1998;pp. 295–5. Citeseer.

Gueron S, Kounavis ME. Intel® carry-less multiplication instruction and its usage for computing the GCM mode. White Paper. 2010.

Hoffstein J, Pipher J, Silverman JH. NTRU: A ring-based public key cryptosystem. In: Lecture notes in computer science, 1998;pp. 267–88. Springer-Verlag.

Intel® C++ Compiler 19.1 Developer guide and Reference. https://software.intel.com/en-us/cpp-compiler-developer-guide-and-reference-overview-intrinsics-for-intel-advanced-vector-extensions-2-intel-avx2-instructions. Accessed 01 Jan 2020.

Itoh T, Tsujii S. A fast algorithm for computing multiplicative inverses in GF(\(2^m\)) using normal bases. Inf Comput. 1988;78(3):171–7.

Karatsuba A, Ofman Y. Multiplication of many-digital numbers by automatic computers. Doklady Akademii Nauk SSSR, Translation in Physics-Doklady 7, 595-596, 1963. 1962;145(2), 293–94.

Lablanche J, Mortajine L, Benchaalal O, Cayrel PL, El Mrabet N. Optimized implementation of the NIST PQC submission ROLLO on microcontroller. IACR Cryptol ePrint Arch. 2019;2019:787.

Loidreau P. A new rank metric codes based encryption scheme. In: International Workshop on Post-Quantum Cryptography, 2017; pp. 3–17. Springer.

NIST: Post-Quantum Cryptography Call for Proposals. 2018. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Post-Quantum-Cryptography-Standardization/Call-for-Proposals. Accessed 01 Jan 2020.

Oliveira T, López J, Cervantes-Vázquez D, Rodríguez-Henríquez F. Koblitz curves over quadratic fields. J Cryptol. 2019;32(3):867–94.

Overbeck R. A new structural attack for GPT and variants. In: International Conference on Cryptology in Malaysia, 2005;pp. 50–63. Springer.

Overbeck R. Structural attacks for public key cryptosystems based on Gabidulin codes. J Cryptol. 2008;21(2):280–301.

Picek S, Coello CAC, Jakobovic D, Mentens N. Finding short and implementation-friendly addition chains with evolutionary algorithms. J Heuristics. 2018;24(3):457–81.

Shoup, Victor: NTL: A Library for doing Number Theory. 2019. https://shoup.net/ntl/. Accessed 01 Jan 2020.

Stein W, et al. Sage mathematics software (Version 9.0). The sage development team. 2020. http://www.sagemath.org.

## Author information

### Authors and Affiliations

### Contributions

Conceptualization: FB, JAP, AMP. Methodology: NR, FB, JAP, AP. Data analysis and interpretation: FB, JAP, AMP. Investigation: SL, IPF, NR. Data Curation: SL, NR. Writing and editing: : FB, JAP, AMP. Revision and final approval: All authors

### Corresponding author

## Ethics declarations

### Conflict of interest

Nicolas Aragon has received research grants from French DGA, thus this work was partially funded by French DGA. The remaining authors declare that they have no conflict of interest.

### Ethical standards

This article does not contain any studies with human participants or animals, as ruled by the Directive 2010/63/EU, performed by any of the authors.

## Additional information

### Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

## Pseudocode for the binary field arithmetic

### Pseudocode for the binary field arithmetic

The plain C carryless multiplication algorithm \(\textsf {clmul}_K(a,b)\) is described in algorithm 14. Notice that algorithm 14 works for \(64< m < 129\).

The AVX2 carryless multiplication algorithm \(\textsf {clmul}_S(a,b)\) is described in algorithm 15. Note that, as algorithm 14, algorithm 15 is suitable for fields \({\mathbb {F}}_{2^{m}}\) with \(64< m < 129\), which include all ROLLO-I and ROLLO-II variants. Let us recall that using Karatsuba multiplication [31] in algorithm 15 instead of steps 3-6 would not give any advantage, as the cost of multiplication and addition with AVX2 instruction is very close. In practice, as we will show, it even performs worse, due to alignment problems.

The algorithm to inverleave zeros used for the squaring algorithm is a small modification of the method *Interleave bits with 64-bit multiply* given by Sean Eron Anderson on his web page *Bit Twiddling Hacks* [21] which is given in algorithm 16.

The squaring method is given in algorithm 17. For the AVX2 version, a look-up table based on the instruction _mm_shuffle_epi8 is implemented both in the submission and our work.

The algorithm for reduction is presented in algorithm 18, where the symbols \(\ll , \gg\) denote field multiplication and division by *x* respectively (left and right shift operators), \(\oplus\) is the field addition (bit-wise XOR operator), \(\otimes\) the bit-wise AND operator. As for algorithm 15, algorithm 18 is suitable for fields of size up to \(2^{128}\) up to the modification of the values of the masks, the amount of shifts and their width.

The inversion of an element \(x \in {\mathbb {F}}_{2^{m}}\) is described in algorithm 19. This has been derived using Fermat’s little Theorem stating that \(x^{2^{m}-2} = x^{-1}\). The fixed exponentiation is achieved by the strategy presented in [38, Section 6.2] using the following addition chain of length 9:

## Rights and permissions

## About this article

### Cite this article

Aguilar-Melchor, C., Aragon, N., Bellini, E. *et al.* Constant Time Algorithms for ROLLO-I-128.
*SN COMPUT. SCI.* **2**, 382 (2021). https://doi.org/10.1007/s42979-021-00761-y

Received:

Accepted:

Published:

DOI: https://doi.org/10.1007/s42979-021-00761-y