The first version for the "new" McBits software is now available here. The code length is 2^12 (using GF(2^12)). The number of errors is 62. The public key size is 311736 bytes. The secret key size is 5984 bytes. The ciphertext overhead is 109 bytes. The script (by Christiane Peters) gives 2^157.49 bit ops to attack the system using information set decoding.

As opposed to the "old" McBits, this new McBits makes use of only internal parallelism. The software is fully protected against timing attacks: key generation, encryption, and decryption are all constant-time. The implementation is purely in C (no assembly). Only general-purpose 64-bit registers are used (no XMM/YMM). The software is in the public domain.

Encrypting a short message now takes around 150000 Haswell cycles, while decrypting a short message takes around 400000 Haswell cycles. The code seems improvable even without using vectorization or assembly programming. Our goal is to have a highly optimized implementation for some parameter set that achieves a 2^128 quantum security level. The current implementation is merely a start.


Our CHES 2013 paper is available here.