Optimized implementation of QC‐MDPC code‐based cryptography

Abstract: Summary This paper presents a new enhanced version of the QcBits key encapsulation mechanism, which is a constant‐time implementation of the Niederreiter cryptosystem using QC‐MDPC codes. In this version, we updated the implementation parameters to meet the 128‐bit quantum security level, replaced some of the core algorithms to avoid using slower instructions, vectorized the entire code using the AVX‐512 instruction set extension, and applied several other techniques to achieve a competitive performance level.… Show more

“…The avx2 implementation follows the strategy above, where b is set to 256 to fit the size of YMM registers. Note that there is no general shift instruction for YMM registers, so the avx2 implementation follows [GAB19] to use AVX intrinsics to carry out the shift by s (0) positions.…”

“…In [GAB19], the authors suggested a simple way to improve the approach above. The idea is that, since adding b i only affects the first log 2 i + 1 bits of the counter, there is no need to update the remaining bits.…”

“…We actually tried to use the techniques in Section 3 for our M4 implementation but found that the approach in Section 4 is still faster. We believe this is due to the fact that the size of YMM registers on Haswell is much larger than the size of general-purpose registers on the Cortex-M4, and that there are powerful intrinsics/instructions (as shown in [GAB19]) that can be used to manipulate YMM registers so that even a shift of s (0) ∈ {0, . .…”

Optimizing BIKE for the Intel Haswell and ARM Cortex-M4

“…The avx2 implementation follows the strategy above, where b is set to 256 to fit the size of YMM registers. Note that there is no general shift instruction for YMM registers, so the avx2 implementation follows [GAB19] to use AVX intrinsics to carry out the shift by s (0) positions.…”

“…In [GAB19], the authors suggested a simple way to improve the approach above. The idea is that, since adding b i only affects the first log 2 i + 1 bits of the counter, there is no need to update the remaining bits.…”

“…We actually tried to use the techniques in Section 3 for our M4 implementation but found that the approach in Section 4 is still faster. We believe this is due to the fact that the size of YMM registers on Haswell is much larger than the size of general-purpose registers on the Cortex-M4, and that there are powerful intrinsics/instructions (as shown in [GAB19]) that can be used to manipulate YMM registers so that even a shift of s (0) ∈ {0, . .…”

Optimizing BIKE for the Intel Haswell and ARM Cortex-M4

“…Furthermore, our general strategy and many of our constructions are familiar to cryptographers 18 . Some of these researchers have produced related optimizations using advanced SIMD instructions 19,20 .…”

Efficient computation of positional population counts using SIMD instructions

“…The paper “ Optimized implementation of QC‐MDPC code‐based cryptography ” presents a new enhanced version of the QcBits key encapsulation mechanism (KEM), which is a constant time implementation of the Niederreiter cryptosystem using QC‐MDPC codes . The parallel solution uses vector instructions (AVX 512) and applies several other techniques to achieve a competitive performance level.…”

Foreword to the special issue of the workshop on high performance computing systems (XVIII Simpósio em Sistemas Computacionais de Alto Desempenho, WSCAD 2017)