A toolbox for software optimization of QC-MDPC code-based cryptosystems

  • Nir Drucker
  • Shay Gueron
Regular Paper


The anticipated emergence of quantum computers in the foreseeable future drives the cryptographic community to start considering cryptosystems that are based on problems which remain intractable even with large-scale quantum computers. One example is the family of code-based cryptosystems, which relies on the syndrome decoding problem. Recent work by Misoczki et al. (in: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073, 2013) showed a variant of McEliece encryption that is based on quasi-cyclic moderate density parity check (QC-MDPC) codes and has significantly smaller keys than the original McEliece encryption. It was followed by the newly proposed QC-MDPC-based cryptosystems CAKE (Barreto et al., in: IMA International Conference on Cryptography and Coding, Springer, Berlin, pp. 207–226, 2017) and Ouroboros (Deneuville et al., in: Ouroboros: A Simple, Secure and Efficient Key Exchange Protocol Based on Coding Theory, Springer, Cham, pp. 18–34, 2017). These motivate dedicated new software optimizations. This paper lists the cryptographic primitives that QC-MDPC cryptosystems commonly employ, studies their software optimizations on modern processors, and reports the achieved speedups. It also assesses methods for side channel protection of the implementations and their performance costs. These optimized primitives offer a useful toolbox that can be used, in various ways, by designers and implementers of QC-MDPC cryptosystems. Indeed, we applied our methods to generate a platform-specific additional implementation of "BIKE", a QC-MDPC key encapsulation mechanism (KEM) proposal submitted to the NIST Post-Quantum Project (NIST: Post-Quantum Cryptography, call for proposals, 2017). This gave a 5× speedup compared to the reference implementation.
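The abstract refers to the ring arithmetic, sparse keys, syndromes and decoder that every QC-MDPC scheme is built from but does not show them. The following Python is an added, self-contained illustration, not code from the paper or from the BIKE, CAKE or Ouroboros implementations it discusses. It models the rate-1/2 QC-MDPC construction of Misoczki et al.: polynomials in F2[x]/(x^r - 1) as Python ints, a sparse private key (h0, h1), the public key h = h0^{-1}·h1, the syndrome of an error (e0, e1), and a Gallager-style parallel bit-flipping decoder that solves the resulting syndrome decoding instance. The parameters, the "flip every position that attains the maximum counter" threshold rule, the bare encode/decode interface (no KEM wrapping, no hashing) and all function names are assumptions made for illustration; the parameters are tiny and give no security. The multiplication loop visits all r coefficients and masks instead of branching on the secret operand's set bits, which is the control-flow structure a side-channel-resistant implementation needs, although Python integers themselves are not constant-time.

```python
"""Toy rate-1/2 QC-MDPC: arithmetic in F2[x]/(x^r - 1), keys, syndrome, bit flipping.
Polynomials over GF(2) are ints (bit i = coefficient of x^i). Constructed example only."""
import random


def rotl(a, i, r):
    """a * x^i mod (x^r - 1): a cyclic left rotation inside r bits."""
    i %= r
    return ((a << i) | (a >> (r - i))) & ((1 << r) - 1)


def poly_mul(a, b, r):
    """a*b mod (x^r - 1). Every coefficient of a is visited and masked, so the
    control flow does not depend on the (secret, sparse) operand."""
    acc = 0
    for i in range(r):
        m = -((a >> i) & 1)            # 0 if bit clear, -1 (all ones) if set
        acc ^= rotl(b, i, r) & m
    return acc


def gf2_divmod(a, b):
    """Long division in GF(2)[x]: returns (q, rem) with a = q*b + rem."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        sh = a.bit_length() - 1 - db
        q ^= 1 << sh
        a ^= b << sh
    return q, a


def gf2_clmul(a, b):
    """Carry-less product in GF(2)[x] (no reduction)."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a, b = a << 1, b >> 1
    return acc


def poly_inv(h, r):
    """Inverse of h in F2[x]/(x^r - 1) by extended Euclid; None if gcd != 1."""
    mod = (1 << r) | 1                 # x^r + 1 == x^r - 1 over GF(2)
    old_r, cur_r, old_s, cur_s = mod, h, 0, 1   # invariant: old_s*h == old_r (mod)
    while cur_r:
        q, rem = gf2_divmod(old_r, cur_r)
        old_r, cur_r = cur_r, rem
        old_s, cur_s = cur_s, old_s ^ gf2_clmul(q, cur_s)
    return None if old_r != 1 else gf2_divmod(old_s, mod)[1]


def sample_sparse(n, w, rng):
    """Random n-bit vector of Hamming weight w."""
    return sum(1 << p for p in rng.sample(range(n), w))


def keygen(r, d, rng):
    """Private key (h0, h1), both of weight d, h0 invertible; public key h0^{-1}*h1,
    i.e. the systematic form [1 | h] of the parity-check matrix [h0 | h1]."""
    while True:
        h0 = sample_sparse(r, d, rng)
        inv = poly_inv(h0, r)
        if inv is not None:
            h1 = sample_sparse(r, d, rng)
            return (h0, h1), poly_mul(inv, h1, r)


def encode(h, e0, e1, r):
    """Public syndrome of the error (e0, e1): e0 + e1*h."""
    return e0 ^ poly_mul(e1, h, r)


def bit_flip_decode(s, h0, h1, r, max_iter=20):
    """Parallel bit flipping on the private syndrome s = e0*h0 + e1*h1.
    Column j of block b is x^j * h_b; a position is flipped when its number of
    unsatisfied checks reaches the iteration's maximum (assumed threshold rule)."""
    cols = [rotl(h0, j, r) for j in range(r)] + [rotl(h1, j, r) for j in range(r)]
    e0 = e1 = 0
    for _ in range(max_iter):
        if s == 0:
            return e0, e1
        counters = [bin(s & c).count("1") for c in cols]
        thr = max(counters)
        for j, (c, cnt) in enumerate(zip(cols, counters)):
            if cnt == thr:
                s ^= c
                if j < r:
                    e0 ^= 1 << j
                else:
                    e1 ^= 1 << (j - r)
    return (e0, e1) if s == 0 else None


def decode(sk, c, r):
    """Key owner maps the public syndrome to the private one (c*h0) and decodes."""
    h0, h1 = sk
    return bit_flip_decode(poly_mul(c, h0, r), h0, h1, r)


if __name__ == "__main__":
    r, d, t, trials = 101, 7, 6, 20    # toy parameters, no security
    rng, ok = random.Random(1), 0
    for _ in range(trials):
        sk, h = keygen(r, d, rng)
        e = sample_sparse(2 * r, t, rng)
        e0, e1 = e & ((1 << r) - 1), e >> r
        ok += decode(sk, encode(h, e0, e1, r), r) == (e0, e1)
    print(f"r={r} d={d} t={t}: {ok}/{trials} random errors recovered")
```

Running the file reports how many random weight-t errors the toy decoder recovered; a failed decode returns None rather than a wrong error vector, which is the event (a decoding failure) that the referenced key-recovery attack of Guo, Johansson and Stankovski exploits and that real parameter choices must keep rare.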


Keywords

QC-MDPC · Code-based cryptography · Post-Quantum Cryptography

Mathematics Subject Classification

94A60 · 14G50 · 94B35 · 94B15



This research was supported by: The PQCRYPTO project, which was partially funded by the European Commission Horizon 2020 research Programme, Grant #645622; The Israel Science Foundation (Grant No. 1018/16); The Ministry of Science and Technology, Israel, and the Department of Science and Technology, Government of India; The Center for Cyber Law and Policy at the University of Haifa. Opinions, findings, conclusions, and recommendations, expressed in this material, are those of the author(s) and do not necessarily reflect the views of their employers and the granting agencies.


References

  1. Aguilar, C., Blazy, O., Deneuville, J.C., Gaborit, P., Zémor, G.: Efficient encryption from random quasi-cyclic codes. IEEE Trans. Inf. Theory 64(5), 3927–3943 (2018)
  2. Aragon, N., Barreto, P.S.L.M., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.-C., Gaborit, P., Gueron, S., Guneysu, T., Melchor, C.A., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P., Zémor, G.: BIKE: Bit Flipping Key Encapsulation (2017). Retrieved 8 Jan 2019
  3. Baldi, M., Chiaraluce, F., Garello, R.: On the usage of quasi-cyclic low-density parity-check codes in the McEliece cryptosystem. In: 2006 First International Conference on Communications and Electronics, pp. 305–310 (2006)
  4. Baldi, M., Chiaraluce, F., Garello, R., Mininni, F.: Quasi-cyclic low-density parity-check codes in the McEliece cryptosystem. In: 2007 IEEE International Conference on Communications, pp. 951–956 (2007)
  5. Baldi, M., Bodrato, M., Chiaraluce, F.: A new analysis of the McEliece cryptosystem based on QC-LDPC codes. In: Security and Cryptography for Networks, pp. 246–262 (2008)
  6. Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Using LDGM Codes and Sparse Syndromes to Achieve Digital Signatures, pp. 1–15. Springer, Berlin (2013)
  7. Barker, E.B., Kelsey, J.M.: SP 800-90A. Recommendation for random number generation using deterministic random bit generators. Tech. rep., NIST, Gaithersburg, MD, United States (2012)
  8. Barreto, P.S., Gueron, S., Gueneysu, T., Misoczki, R., Persichetti, E., Sendrier, N., Tillich, J.P.: CAKE: Code-based Algorithm for Key Encapsulation. In: IMA International Conference on Cryptography and Coding, pp. 207–226. Springer (2017)
  9. Barreto, P.S.L.M.: Private communication (2017)
  10. Bodrato, M.: Towards optimal Toom–Cook multiplication for univariate and multivariate polynomials in characteristic 2 and 0. In: Carlet, C., Sunar, B. (eds.) Arithmetic of Finite Fields, pp. 116–133. Springer, Berlin (2007)
  11. Cayrel, P.L., Hoffmann, G., Persichetti, E.: Efficient Implementation of a CCA2-Secure Variant of McEliece Using Generalized Srivastava Codes, pp. 138–155. Springer, Berlin (2012)
  12. Chaulet, J., Sendrier, N.: Worst case QC-MDPC decoder for McEliece cryptosystem. In: 2016 IEEE International Symposium on Information Theory (ISIT), pp. 1366–1370 (2016)
  13. Cook, S.A., Aanderaa, S.O.: On the minimum computation time of functions. Trans. Am. Math. Soc. 142, 291–314 (1969)
  14. Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: International Conference on the Theory and Application of Cryptology and Information Security, pp. 157–174. Springer (2001)
  15. Deneuville, J.C., Gaborit, P., Zémor, G.: Ouroboros: A Simple, Secure and Efficient Key Exchange Protocol Based on Coding Theory, pp. 18–34. Springer International Publishing, Cham (2017)
  16. Drucker, N., Gueron, S.: A-toolbox-for-software-optimization-of-qc-mdpc-code-based-cryptosystems (2017). Accessed 1 Jan 2019
  17. Drucker, N., Gueron, S.: Additional implementation of BIKE (2018). Retrieved 8 Jan 2019
  18. Faugère, J.C., Otmani, A., Perret, L., de Portzamparc, F., Tillich, J.P.: Structural cryptanalysis of McEliece schemes with compact keys. Des. Codes Cryptogr. 79(1), 87–112 (2016)
  19. Gallager, R.: Low-density parity-check codes. IRE Trans. Inf. Theory 8(1), 21–28 (1962)
  20. Gueron, S.: Intel's new AES instructions for enhanced performance and security. In: FSE, vol. 5665, pp. 51–66. Springer (2009)
  21. Gueron, S.: Intel® Advanced Encryption Standard (AES) New Instructions Set, Rev. 3.01. Intel Corporation (2010)
  22. Gueron, S.: A j-lanes tree hashing mode and j-lanes SHA-256. J. Inf. Secur. 4(01), 7 (2013)
  23. Gueron, S.: Parallelized hashing via j-lanes and j-pointers tree modes, with applications to SHA-256. J. Inf. Secur. 5(03), 91 (2014)
  24. Gueron, S., Kounavis, M.: Efficient implementation of the Galois Counter Mode using a carry-less multiplier and a fast reduction algorithm. Inf. Process. Lett. 110(14), 549–553 (2010)
  25. Gueron, S., Kounavis, M.E.: Intel® Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode. White Paper (2010)
  26. Gueron, S., Krasnov, V.: Simultaneous hashing of multiple messages. J. Inf. Secur. 3(04), 319 (2012)
  27. Gueron, S., Schlieker, F.: Speeding up R-LWE Post-quantum Key Exchange, pp. 187–198. Springer International Publishing, Cham (2016)
  28. Guo, Q., Johansson, T., Stankovski, P.: A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors, pp. 789–815. Springer, Berlin (2016)
  29. Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2010)
  30. Intel Corporation: Intel® Architecture Instruction Set Extensions and Future Features Programming Reference (2017). Retrieved 8 Jan 2019
  31. Intel Corporation: Intel Intrinsics Guide (2018). Retrieved 8 Jan 2019
  32. Jovanovic, B.D., Levy, P.S.: A look at the rule of three. Am. Stat. 51(2), 137–139 (1997)
  33. Kabatianskii, G., Krouk, E., Smeets, B.: A Digital Signature Scheme Based on Random Error-Correcting Codes, pp. 161–167. Springer, Berlin (1997)
  34. Karatsuba, A., Ofman, Y.: Multiplication of multidigit numbers on automata. Sov. Phys. Dokl. 7, 595 (1963)
  35. Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Keccak Code Package (KCP) (2017). Retrieved 30 Nov 2017
  36. Maurich, I.V., Oder, T., Güneysu, T.: Implementing QC-MDPC McEliece encryption. ACM Trans. Embed. Comput. Syst. 14(3), 44:1–44:27 (2015)
  37. McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progress Report 42-44, 114–116 (1978)
  38. Misoczki, R., Barreto, P.S.L.M.: Compact McEliece Keys from Goppa Codes, pp. 376–392. Springer, Berlin (2009)
  39. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: New McEliece variants from moderate density parity-check codes. Cryptology ePrint Archive, Report 2012/409 (2012). Retrieved 8 Jan 2019
  40. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.: MDPC-McEliece: New McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073 (2013)
  41. Monico, C., Rosenthal, J., Shokrollahi, A.: Using low density parity check codes in the McEliece cryptosystem. In: 2000 IEEE International Symposium on Information Theory (Cat. No. 00CH37060), IEEE, p. 215 (2000)
  42. NIST: Post-Quantum Cryptography, call for proposals (2017). Retrieved 1 Nov 2018
  43. OpenSSL: OpenSSL, commit 2dbfa8444bdf7669a54006c4a83d1e60ba374528 (2017). Retrieved 30 Sept 2017
  44. Phesso, A., Tillich, J.P.: An Efficient Attack on a Code-Based Signature Scheme, pp. 86–103. Springer International Publishing, Cham (2016)
  45. Gaudry, P., Brent, R., Zimmermann, P., Thomé, E.: gf2x-1.2 (2017). Retrieved 8 Jan 2019
  46. Shoup, V.: Number Theory C++ Library (NTL) version 10.5.0 (2017). Retrieved 30 Nov 2017
  47. Stern, J.: A new identification scheme based on syndrome decoding. In: Annual International Cryptology Conference, pp. 13–21. Springer (1993)
  48. Toom, A.L.: The complexity of a scheme of functional elements realizing the multiplication of integers. Sov. Math. Dokl. 3, 714–716 (1963)

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. University of Haifa, Haifa, Israel
  2. Amazon Web Services Inc., Seattle, USA
