McBits: Fast Constant-Time Code-Based Cryptography

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks. For example, at a 2^128 security level, this paper achieves a reciprocal decryption throughput of just 60493 cycles (plus cipher cost etc.) on a single Ivy Bridge core. These algorithms rely on an additive FFT for fast root computation, a transposed additive FFT for fast syndrome computation, and a sorting network to avoid cache-timing attacks.
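The last of those three techniques, a sorting network used so that a secret permutation can be applied without any secret-dependent branch or memory index, as an added illustration that is not the McBits code: it assumes Batcher's odd-even merge sort on a power-of-two size N=8, keys below 2^31, and a constructed permutation for the self-test.

```c
#include <stdint.h>
#include <stddef.h>

#define N 8  /* network size; must be a power of two (assumption) */

typedef struct { uint32_t key; uint32_t val; } pair_t;

/* Branch-free compare-exchange: swap the two pairs iff a->key > b->key.
 * Keys are assumed < 2^31 so the sign bit of (b - a) is the comparison.
 * The secret influences only the value of mask, never control flow
 * or which addresses are touched. */
static void cmpswap(pair_t *a, pair_t *b) {
    uint32_t mask = (uint32_t)(-(int32_t)((b->key - a->key) >> 31));
    uint32_t dk = (a->key ^ b->key) & mask;
    uint32_t dv = (a->val ^ b->val) & mask;
    a->key ^= dk; b->key ^= dk;
    a->val ^= dv; b->val ^= dv;
}

/* Batcher's odd-even merge sort, iterative form. The comparator
 * sequence depends only on n, never on the data being sorted. */
static void oddeven_mergesort(pair_t *x, size_t n) {
    for (size_t p = 1; p < n; p <<= 1)
        for (size_t k = p; k >= 1; k >>= 1)
            for (size_t j = k % p; j + k < n; j += 2 * k)
                for (size_t i = 0; i < k; i++)
                    if ((i + j) / (2 * p) == (i + j + k) / (2 * p))
                        cmpswap(&x[i + j], &x[i + j + k]);
}

/* Apply a secret permutation pi with a data-independent access pattern:
 * out[pi[i]] = in[i]. Tag each element with its destination, sort the
 * tags with the network; slot t then holds the element destined for t. */
void ct_permute(const uint32_t *pi, const uint32_t *in, uint32_t *out) {
    pair_t buf[N];
    for (size_t i = 0; i < N; i++) { buf[i].key = pi[i]; buf[i].val = in[i]; }
    oddeven_mergesort(buf, N);
    for (size_t i = 0; i < N; i++) out[i] = buf[i].val;
}

/* Constructed self-test: a fixed 8-element permutation and payload.
 * Returns 1 when every element landed at its secret destination. */
int ct_permute_selftest(void) {
    const uint32_t pi[N] = {3, 0, 7, 1, 5, 2, 6, 4};   /* constructed secret */
    const uint32_t in[N] = {10, 11, 12, 13, 14, 15, 16, 17};
    uint32_t out[N];
    ct_permute(pi, in, out);
    for (size_t i = 0; i < N; i++)
        if (out[pi[i]] != in[i]) return 0;
    return 1;
}
```

The cost is the fixed comparator count of the network rather than the linear cost of a table-driven permutation, which is the price paid for an access pattern that leaks nothing through the cache.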


Keywords: McEliece, Niederreiter, CFS, bitslicing, software implementation

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  3. Digital Security Group, Radboud University Nijmegen, Nijmegen, The Netherlands