Fast Polynomial Inversion for Post Quantum QC-MDPC Cryptography

Abstract

The NIST PQC standardization project evaluates multiple new designs for post-quantum Key Encapsulation Mechanisms (KEMs). Some of them present challenging tradeoffs between communication bandwidth and computational overheads. An interesting case is the set of QC-MDPC based KEMs. Here, schemes that use the Niederreiter framework require only half the communication bandwidth compared to schemes that use the McEliece framework. However, this requires costly polynomial inversion during the key generation, which is prohibitive when ephemeral keys are used. One example is BIKE, where the BIKE-1 variant uses McEliece and the BIKE-2 variant uses Niederreiter. This paper shows an optimized constant-time polynomial inversion method that makes the computation costs of BIKE-2 key generation tolerable. We report a speedup of \(11.8{\times }\) over the commonly used NTL library, and \(55.5{\times }\) over OpenSSL. We achieve additional speedups by leveraging the latest Intel’s Vector- instructions on a laptop machine, \(14.3{\times }\) over NTL and \(96.8{\times }\) over OpenSSL. With this, BIKE-2 becomes a competitive variant of BIKE.

Appendices

A Squaring Using and

This appendix describes our C implementation for squaring in \(\mathcal {R}\), using . For brevity, we replace the long names of the C intrinsics with shorter macros as follows.

When (and not vector- ) is available, the square function is

When vector- is available, four multiplications can be executed in parallel and the code is

The permutation and thus some of the flow’s serialization can be removed by using the instruction.

However, our experiments show slower results with this instruction.

Table 6 compares squaring and k-squaring in \(\mathcal {R}\) using our code. Our implementation starts with squaring up to the described threshold and then continues with k-squaring. The threshold depends on the platform.

Table 6. Squaring and k-squaring in \(\mathcal {R}\) using our code. Columns 2 and 3 count cycles, where lower is better (threshold = floor(k-square/square). The r values correspond to the IND-CCA variants of BIKE for Level-1/3/5.

B A \(16 \times 16\) Quad-Words Multiplication Using

This appendix describes the C code of our recursive Karatsuba multiplication.

The function performs four 128-bit Karatsuba multiplications in parallel.

Then, we define the function that receives two 512-bit  registers (a, b) as input, multiplies them and writes the result into the two registers zh||zl. The function performs several permutations to reorganize the quad-words. The relevant masks are:

The variables that are used in this function are: a) , . These hold the lower and upper parts of the 128-bit Karatsuba sub-multiplications; b) , , , , . These are used for the middle term of the 256-bit Karatsuba sub-multiplications; c) , , , , . These are used for middle term of the top 512-bit Karatsuba multiplication; d) that holds all the temporary products to of the middle words.

Define

$$\begin{aligned} AX[i] = a[128(i+1)-1 : 128i] \\ BX[i] = b[128(i+1)-1 : 128i] \\ AY[i]= a[256(i+1)-1 : 256i] \\ BY[i]= b[256(i+1)-1 : 256i] \\ \end{aligned}$$

Then set

$$\begin{aligned}&t[0] = AX1 \oplus AX3|| AX2 \oplus AX3 || AX0 \oplus AX2 || AX0 \oplus AX1 \\&t[1] = BX1 \oplus BX3|| BX2 \oplus BX3 || BX0 \oplus BX2 || BX0 \oplus BX1 \end{aligned}$$

where

$$\begin{aligned}&AX1 \oplus AX3 || AX0 \oplus AX2 = (AX1 || AX0) \oplus (AX3 || AX2) = AY0 \oplus AY1 \\&BX1 \oplus BX3 || BX0 \oplus BX2 = (BX1 || BX0) \oplus (BX3 || BX2) = BY0 \oplus BY1 \end{aligned}$$

and set the lower 128 bits of , to (ignoring the upper bits)

$$\begin{aligned}&t[2][127:0] = AX1 \oplus AX3 \oplus AX0 \oplus AX2 \\&t[3][127:0] = BX1 \oplus BX3 \oplus BX0 \oplus BX2 \end{aligned}$$

The implementation invokes three times: a) for calculating the lower and the upper 512-bit words; b) for the two middle 256-bit words; c) for the middle 512-bit word in the top-level Karatsuba. The number of invocations of for the entire is only 9.

Finally, we complete the four 128-bit Karatsuba by

and the 512-bit result is

For higher efficiency, our Karatsuba implementation holds the data in  registers in order to save memory operations when invoking .

C Fast Permutation

The inverted bit permutation (\(a=map(b)\)) of Sect. 4 can be implemented in a straightforward way as follows. We first convert the map to two maps and , where [i] is the byte index of map(b[i]) and [i] is the position of the relevant bit inside this byte.

A simpler way to apply the map is possible if we store every bit in a byte (that has the value or ).

This can involve a costly conversion to and from across the representations but fortunately, we can speed it up with AVX512 (when available)

Note that the instruction can also be used for the latter conversion (see next). This instruction requires the extension while the instruction requires only which is more common.