Skip to main content

Constant Time Algorithms for ROLLO-I-128


In this work, we propose different techniques that can be used to implement the rank-based key encapsulation methods and public key encryption schemes of the ROLLO, and partially RQC, family of algorithms in a standalone, efficient and constant time library. For simplicity, we focus our attention on one specific instance of this family, ROLLO-I-128. For each of these techniques, we present explicit code (including intrinsics), or pseudo-code and performance measures to show their impact. More precisely, we use a combination of original and known results and describe procedures for Gaussian reduction of binary matrices, generation of vectors of given rank, multiplication with lazy reduction and inversion of polynomials in a composite Galois field. We also carry out a global performance analysis to show the impact of these improvements on ROLLO-I-128. Through the SUPERCOP framework, we compare it to other 128-bit secure KEMs in the NIST competition. To our knowledge, this is the first optimized full constant time implementation of ROLLO-I-128.

This is a preview of subscription content, access via your institution.


  1. The full code of our implementation and of the tests we run for the comparisons is available at

  2. The code is available in the file mach_desc.h of the library NTL [39], under the method NTL_ALT1_BB_MUL_CODE0.

  3. The mul function in GF2E.h.

  4. When it is clear from the context, with abuse of notation we indicate \({\mathbf {a}}\times {\mathbf {b}}\) as \({\mathbf {a}}\cdot {\mathbf {b}}\) or \({\mathbf {a}}{\mathbf {b}}\), also for matrix multiplications.

  5. With this option, there is a \(2^{-60}\) probability that an error of weight less than d, or, respectively, less then r, is generated during the keygen or, respectively, the encapsulation. Furthermore, in this case, the protocol will not fail.


  1. Abdouli Aa, Bellini E, Caullery F, Manzano M, Mateu V. Rank-metric Encryption on Arm-Cortex M0: Porting code-based cryptography to lightweight devices. In: Proceedings of the 6th on ASIA Public-Key Cryptography Workshop, 2019; pp. 23–30.

  2. Aguilar-Melchor C, Aragon N, Bettaieb S, Bidoux L, Blazy O, Deneuville JC, Gaborit P, Hauteville A, Ruatta O, Tillich JP, et al. ROLLO - Rank-Ouroboros, LAKE & LOCKER. 2018. Available at:

  3. Aguilar-Melchor C, Aragon N, Bettaieb S, Bidoux L, Blazy O, Deneuville JC, Gaborit P, Zémor G. Rank Quasi-Cyclic (RQC). 2017.

  4. Aguilar-Melchor C, Bellini E, Caullery F, Makarim RH, Manzano M, Marcolla C, Mateu V. Constant-time algorithms for ROLLO. Available at:

  5. Al Abdouli AS, Al Ali M, Bellini E, Caullery F, Hasikos A, Manzano M, Mateu V. DRANKULA: A McEliece-like Rank Metric based Cryptosystem Implementation.In: Proceedings of the 15th international joint conference on e-business and telecommunications (ICETE 2018), 2018;vol. 2, pp. 230–41.

  6. Al Shehhi H, Bellini E, Borba F, Caullery F, Manzano M, Mateu V. An IND-CCA-secure code-based encryption scheme using rank metric. In: Progress in cryptology–AFRICACRYPT 2019: 11th international conference on cryptology in Africa, Rabat, Morocco, July 9–11, 2019, Proceedings, 2019; vol. 11627, p. 79. Springer.

  7. Alagic G, Alperin-Sheriff J, Apon D, Cooper D, Dang Q, Kelsey J, Liu YK, Miller C, Moody D, Peralta R, et al. Status report on the second round of the NIST post-quantum cryptography standardization process. National Institute of Standards and Technology: Tech. rep; 2020.

  8. Aragon N, Gaborit P, Hauteville A, Ruatta O, Zémor G. Low rank parity check codes: New decoding algorithms and applications to cryptography. arXiv:1904.00357 [Preprint]. 2019.

  9. Aranha DF, López J, Hankerson D. Efficient software implementation of binary field arithmetic using vector instruction sets. In: International conference on cryptology and information security in Latin America, 2010;pp. 144–61. Springer.

  10. Bardet M, Bros M, Cabarcas D, Gaborit P, Perlner R, Smith-Tone D, Tillich JP, Verbel J. Algebraic attacks for solving the Rank Decoding and MinRank problems without Gröbner obner basis. arXiv:2002.08322 [Preprint]. 2020.

  11. Bellini E, Caullery F, Gaborit P, Manzano M, Mateu V. Improved veron identification and signature schemes in the rank metric. In: Information theory (ISIT), 2019 IEEE international symposium on. IEEE 2019.

  12. Bellini E, Caullery F, Hasikos A, Manzano M, Mateu V. Code-based signature schemes from identification protocols in the rank metric. In: International conference on cryptology and network security, 2018;pp. 277–98. Springer.

  13. Bellini E, Caullery F, Makarim R, Manzano M, Marcolla C, Mateu V. Advances and challenges of rank metric cryptography implementations. In: 2019 IEEE 37th international conference on computer design (ICCD), 2019;pp. 325–8. IEEE.

  14. Bernstein DJ, Chou T, Schwabe P. McBits: fast constant-time code-based cryptography. In: International workshop on cryptographic hardware and embedded systems, 2013;pp. 250–72. Springer.

  15. Bernstein DJ, Lange T. eBACS: ECRYPT Benchmarking of Cryptographic Systems: SUPERCOP (2010). Accessed 15 July 2020.

  16. Bernstein DJ, Yang BY. Fast constant-time gcd computation and modular inversion. In: IACR transactions on cryptographic hardware and embedded systems 2019;pp. 340–98.

  17. Bos JW, Kleinjung T, Niederhagen R, Schwabe P. Ecc2k-130 on cell cpus. In: International conference on cryptology in Africa, 2010;pp. 225–242. Springer.

  18. Bosma W, Cannon J, Playoust C. The Magma algebra system. I. The user language. J Symbolic Comput. 1997;24(3–4):235–65.

    Article  MathSciNet  MATH  Google Scholar 

  19. Drucker N, Gueron S, Kostic D. Constant-time implementations in some proposed KEMs: the case of Rollo and RQC. 2020.

  20. Enhancing Code Based Zero-Knowledge Proofs Using Rank Metric.

  21. Eron Anderson S. Bit twiddling hacks. Accessed 03 May 2019.

  22. Faure C, Loidreau P. A new public-key cryptosystem based on the problem of reconstructing \(p\)–polynomials. In: International workshop on coding and cryptography, 2005;vol. 3969, pp. 304–15. Springer.

  23. Gabidulin EM, Paramonov A, Tretjakov O. Ideals over a non-commutative ring and their application in cryptology. In: Workshop on the theory and application of of cryptographic techniques, 1991;pp. 482–9. Springer.

  24. Gaborit P, Murat G, Ruatta O, Zémor G. Low rank parity check codes and their application to cryptography. In: Proceedings of the workshop on coding and cryptography WCC-2013, Bergen. 2013.

  25. Gaborit P, Otmani A, Kalachi HT. Polynomial-time key recovery attack on the Faure-Loidreau scheme based on Gabidulin codes. Des Codes Crypt. 2018;86(7):1391–403.

    Article  MathSciNet  Google Scholar 

  26. Guajardo J, Paar C. Fast inversion in composite galois fields GF \(((2^n)^{M})\). In: IEEE international symposium on information theory, 1998;pp. 295–5. Citeseer.

  27. Gueron S, Kounavis ME. Intel® carry-less multiplication instruction and its usage for computing the GCM mode. White Paper. 2010.

  28. Hoffstein J, Pipher J, Silverman JH. NTRU: A ring-based public key cryptosystem. In: Lecture notes in computer science, 1998;pp. 267–88. Springer-Verlag.

  29. Intel® C++ Compiler 19.1 Developer guide and Reference. Accessed 01 Jan 2020.

  30. Itoh T, Tsujii S. A fast algorithm for computing multiplicative inverses in GF(\(2^m\)) using normal bases. Inf Comput. 1988;78(3):171–7.

  31. Karatsuba A, Ofman Y. Multiplication of many-digital numbers by automatic computers. Doklady Akademii Nauk SSSR, Translation in Physics-Doklady 7, 595-596, 1963. 1962;145(2), 293–94.

  32. Lablanche J, Mortajine L, Benchaalal O, Cayrel PL, El Mrabet N. Optimized implementation of the NIST PQC submission ROLLO on microcontroller. IACR Cryptol ePrint Arch. 2019;2019:787.

    MATH  Google Scholar 

  33. Loidreau P. A new rank metric codes based encryption scheme. In: International Workshop on Post-Quantum Cryptography, 2017; pp. 3–17. Springer.

  34. NIST: Post-Quantum Cryptography Call for Proposals. 2018. Accessed 01 Jan 2020.

  35. Oliveira T, López J, Cervantes-Vázquez D, Rodríguez-Henríquez F. Koblitz curves over quadratic fields. J Cryptol. 2019;32(3):867–94.

    Article  MathSciNet  Google Scholar 

  36. Overbeck R. A new structural attack for GPT and variants. In: International Conference on Cryptology in Malaysia, 2005;pp. 50–63. Springer.

  37. Overbeck R. Structural attacks for public key cryptosystems based on Gabidulin codes. J Cryptol. 2008;21(2):280–301.

    Article  MathSciNet  Google Scholar 

  38. Picek S, Coello CAC, Jakobovic D, Mentens N. Finding short and implementation-friendly addition chains with evolutionary algorithms. J Heuristics. 2018;24(3):457–81.

    Article  Google Scholar 

  39. Shoup, Victor: NTL: A Library for doing Number Theory. 2019. Accessed 01 Jan 2020.

  40. Stein W, et al. Sage mathematics software (Version 9.0). The sage development team. 2020.

Download references

Author information

Authors and Affiliations



Conceptualization: FB, JAP, AMP. Methodology: NR, FB, JAP, AP. Data analysis and interpretation: FB, JAP, AMP. Investigation: SL, IPF, NR. Data Curation: SL, NR. Writing and editing: : FB, JAP, AMP. Revision and final approval: All authors

Corresponding author

Correspondence to Emanuele Bellini.

Ethics declarations

Conflict of interest

Nicolas Aragon has received research grants from French DGA, thus this work was partially funded by French DGA. The remaining authors declare that they have no conflict of interest.

Ethical standards

This article does not contain any studies with human participants or animals, as ruled by the Directive 2010/63/EU, performed by any of the authors.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Pseudocode for the binary field arithmetic

Pseudocode for the binary field arithmetic

The plain C carryless multiplication algorithm \(\textsf {clmul}_K(a,b)\) is described in algorithm 14. Notice that algorithm 14 works for \(64< m < 129\).

figure m

The AVX2 carryless multiplication algorithm \(\textsf {clmul}_S(a,b)\) is described in algorithm 15. Note that, as algorithm 14, algorithm 15 is suitable for fields \({\mathbb {F}}_{2^{m}}\) with \(64< m < 129\), which include all ROLLO-I and ROLLO-II variants. Let us recall that using Karatsuba multiplication [31] in algorithm 15 instead of steps 3-6 would not give any advantage, as the cost of multiplication and addition with AVX2 instruction is very close. In practice, as we will show, it even performs worse, due to alignment problems.

figure n
figure o

The algorithm to inverleave zeros used for the squaring algorithm is a small modification of the method Interleave bits with 64-bit multiply given by Sean Eron Anderson on his web page Bit Twiddling Hacks [21] which is given in algorithm 16.

figure p

The squaring method is given in algorithm 17. For the AVX2 version, a look-up table based on the instruction _mm_shuffle_epi8 is implemented both in the submission and our work.

figure q

The algorithm for reduction is presented in algorithm 18, where the symbols \(\ll , \gg\) denote field multiplication and division by x respectively (left and right shift operators), \(\oplus\) is the field addition (bit-wise XOR operator), \(\otimes\) the bit-wise AND operator. As for algorithm 15, algorithm 18 is suitable for fields of size up to \(2^{128}\) up to the modification of the values of the masks, the amount of shifts and their width.

figure r

The inversion of an element \(x \in {\mathbb {F}}_{2^{m}}\) is described in algorithm 19. This has been derived using Fermat’s little Theorem stating that \(x^{2^{m}-2} = x^{-1}\). The fixed exponentiation is achieved by the strategy presented in [38, Section 6.2] using the following addition chain of length 9:

$$\begin{aligned} 1 \rightarrow 2 \rightarrow 4 \rightarrow 8 \rightarrow 16 \rightarrow 32 \rightarrow 33 \rightarrow 66 \rightarrow 67 \,. \end{aligned}$$
figure s

Rights and permissions

Reprints and Permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Aguilar-Melchor, C., Aragon, N., Bellini, E. et al. Constant Time Algorithms for ROLLO-I-128. SN COMPUT. SCI. 2, 382 (2021).

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: