McBits: Fast Constant-Time Code-Based Cryptography

  • Daniel J. Bernstein
  • Tung Chou
  • Peter Schwabe
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


This paper presents extremely fast algorithms for code-based public-key cryptography, including full protection against timing attacks. For example, at a 2^128 security level, this paper achieves a reciprocal decryption throughput of just 60493 cycles (plus cipher cost etc.) on a single Ivy Bridge core. These algorithms rely on an additive FFT for fast root computation, a transposed additive FFT for fast syndrome computation, and a sorting network to avoid cache-timing attacks.
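The abstract's last point, a sorting network used to avoid cache-timing attacks, is worth seeing concretely. The following is an added example, not code from the paper or from the McBits software: it implements Batcher's odd-even mergesort as a fixed compare-swap network whose memory access pattern depends only on the array length, and then uses that network to apply a secret permutation to a secret vector by sorting packed (target position, value) pairs. The function names ct_minmax, ct_oddeven_sort and ct_permute, the CT_MAXN bound, the restriction to power-of-two lengths and the sample inputs are all my own assumptions and constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constant-time conditional swap: after the call, *a <= *b.
   There is no branch and no memory address that depends on the values. */
static void ct_minmax(uint32_t *a, uint32_t *b)
{
    uint32_t x = *a, y = *b;
    /* top bit of (y - x), computed in 64 bits, is set exactly when x > y */
    uint32_t gt = (uint32_t)(((uint64_t)y - (uint64_t)x) >> 63);
    uint32_t mask = 0u - gt;              /* all ones if x > y, else zero */
    uint32_t t = mask & (x ^ y);
    *a = x ^ t;
    *b = y ^ t;
}

/* Batcher odd-even mergesort as a fixed network (iterative form).
   The sequence of compare-swap positions depends only on n, never on
   the data, so a cache-timing observer learns nothing about the contents.
   Assumption for this example: n is a power of two. */
void ct_oddeven_sort(uint32_t *a, size_t n)
{
    for (size_t p = 1; p < n; p <<= 1) {
        for (size_t k = p; k >= 1; k >>= 1) {
            for (size_t j = k % p; j + k < n; j += 2 * k) {
                size_t lim = (k < n - j - k) ? k : n - j - k;   /* public: depends on n only */
                for (size_t i = 0; i < lim; i++) {
                    if ((i + j) / (2 * p) == (i + j + k) / (2 * p))
                        ct_minmax(&a[i + j], &a[i + j + k]);
                }
            }
        }
    }
}

/* Apply a secret permutation in constant time: pack (perm[i], v[i]) into
   one word with the target position in the high half, sort the words with
   the network, then read the low halves out in order.
   Result: out[perm[i]] == v[i].  Assumes perm is a permutation of 0..n-1
   and n <= CT_MAXN (assumed capacity for this example). */
#define CT_MAXN 1024
int ct_permute(const uint16_t *perm, const uint16_t *v, uint16_t *out, size_t n)
{
    uint32_t buf[CT_MAXN];
    if (n > CT_MAXN) return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = ((uint32_t)perm[i] << 16) | v[i];
    ct_oddeven_sort(buf, n);
    for (size_t i = 0; i < n; i++)
        out[i] = (uint16_t)(buf[i] & 0xFFFFu);
    return 0;
}

/* Constructed sample input (not from the paper): returns 1 if sorted. */
int check_sort_example(void)
{
    uint32_t a[8] = {5, 3, 8, 1, 9, 2, 7, 0};
    ct_oddeven_sort(a, 8);
    for (size_t i = 1; i < 8; i++)
        if (a[i - 1] > a[i]) return 0;
    return 1;
}

/* Constructed sample permutation (not from the paper): returns 1 if
   every v[i] landed at out[perm[i]]. */
int check_permute_example(void)
{
    uint16_t perm[8] = {3, 0, 7, 1, 5, 2, 6, 4};
    uint16_t v[8]    = {10, 11, 12, 13, 14, 15, 16, 17};
    uint16_t out[8];
    if (ct_permute(perm, v, out, 8) != 0) return 0;
    for (size_t i = 0; i < 8; i++)
        if (out[perm[i]] != v[i]) return 0;
    return 1;
}

int main(void)
{
    printf("sort ok: %d, permute ok: %d\n",
           check_sort_example(), check_permute_example());
    return 0;
}
```

The point of routing the permutation through a sorting network is that a direct `out[perm[i]] = v[i]` loop touches memory at secret-dependent addresses, which is exactly what a cache-timing attacker measures; the network touches the same addresses in the same order for every input of a given length. Constant-time C of this kind still has to be checked at the assembly level, since a compiler is free to turn the mask arithmetic in ct_minmax back into a branch.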


Keywords: McEliece, Niederreiter, CFS, bitslicing, software implementation





Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Daniel J. Bernstein (1, 2)
  • Tung Chou (2)
  • Peter Schwabe (3)
  1. Department of Computer Science, University of Illinois at Chicago, Chicago, USA
  2. Department of Mathematics and Computer Science, Technische Universiteit Eindhoven, Eindhoven, The Netherlands
  3. Digital Security Group, Radboud University Nijmegen, Nijmegen, The Netherlands