There is a guide for implementors aimed at readers upgrading cryptographic applications to use Classic McEliece.
For applications with cryptographic performance constraints: Classic McEliece has very large public keys but very small ciphertexts. Public keys can be reused for many ciphertexts, so Classic McEliece can reach lower total costs than other post-quantum encryption systems.
The official Classic McEliece software is in the public domain. The software is constant-time. There is no data flow from secrets to branch conditions, array indices, and integer multiplications. Note that integer multiplications take variable time on many CPUs, possibly including Intel CPUs. This page also links to various unofficial Classic McEliece implementations.
Sizes
The "f" variants have the same size and are not listed here. The older "pc" variants have 32 extra bytes in ciphertexts.
| public key | private key | ciphertext | session key | |
|---|---|---|---|---|
| 261120 | 6492 | 96 | 32 | mceliece348864 |
| 524160 | 13608 | 156 | 32 | mceliece460896 |
| 1044992 | 13932 | 208 | 32 | mceliece6688128 |
| 1047319 | 13948 | 194 | 32 | mceliece6960119 |
| 1357824 | 14120 | 208 | 32 | mceliece8192128 |
Official implementations
The official Classic McEliece implementations are the following four software implementations for each of the ten selected parameter sets:
ref, portable C software. This implementation is designed for clarity, not performance. This is the reference implementation of Classic McEliece.vec, portable C software. This implementation vectorizes across 64-bit integers.sse, C software using machine-specific intrinsics. This implementation uses the Intel/AMD 128-bit vector instructions.avx, C software using machine-specific intrinsics. This implementation uses the Intel/AMD 256-bit vector instructions.
These implementations were released in October 2022 in the round-4 NISTPQC submission package and in the SUPERCOP benchmarking package. Previous releases for the "pc" variants:
- November 2021, in SUPERCOP. This was the first release with full TIMECOP support.
- October 2020, in the round-3 NISTPQC submission package.
- June 2020, in SUPERCOP.
- July 2019, in SUPERCOP.
- April 2019,
in the round-2 NISTPQC submission package.
This was the first release with the
348864,460896, and6688128parameter sets. - August 2018, in SUPERCOP.
- December 2017, in the round-1 NISTPQC submission package.
Here are cycle counts for the October 2022 software on an Intel Haswell CPU core:
| quartile | median | quartile | |
|---|---|---|---|
| 34951 | 36457 | 38980 | mceliece348864 enc |
| 69674 | 76086 | 88956 | mceliece460896 enc |
| 165296 | 171442 | 185077 | mceliece6688128 enc |
| 139980 | 144678 | 149592 | mceliece6960119 enc |
| 155174 | 156945 | 159040 | mceliece8192128 enc |
| 127036 | 127140 | 127256 | mceliece348864 dec |
| 262919 | 263046 | 263225 | mceliece460896 dec |
| 305910 | 306212 | 306925 | mceliece6688128 dec |
| 286353 | 286596 | 287038 | mceliece6960119 dec |
| 309938 | 310097 | 310475 | mceliece8192128 dec |
| 35039714 | 56705880 | 67615011 | mceliece348864 keypair |
| 35970884 | 35976620 | 35981416 | mceliece348864f keypair |
| 116209838 | 153266214 | 264539700 | mceliece460896 keypair |
| 117267744 | 117297677 | 117331130 | mceliece460896f keypair |
| 265554240 | 443746986 | 532990499 | mceliece6688128 keypair |
| 274329761 | 274384229 | 274430338 | mceliece6688128f keypair |
| 241288202 | 316995472 | 468394597 | mceliece6960119 keypair |
| 240198020 | 240226771 | 240254131 | mceliece6960119f keypair |
| 308008713 | 486195290 | 664466919 | mceliece8192128 keypair |
| 306203040 | 306238935 | 306280509 | mceliece8192128f keypair |
Unofficial implementations
Various authors have released the following further implementations of Classic McEliece, reporting that the implementations are constant-time:
-
ARM Cortex-M4 microcontrollers: See
https://github.com/pqcryptotw/mceliece-arm-m4and accompanying paper for full implementations of key generation, encapsulation, and decapsulation. A small part of the speedup in these implementations comes from using integer multiplication, which is constant-time on the Cortex-M4. See also earlier Cortex-M4 paper. -
FPGAs: See
https://caslab.csl.yale.edu/code/niederreiter/and accompanying paper for implementations of the core mathematical operations inside key generation, encapsulation, and decapsulation. There is also a newer paper reporting complete key generation, encapsulation, and decapsulation, and improved speeds. See also earlier paper regarding key generation. -
For clients streaming ephemeral Classic McEliece keys through a stateless network server: See the McTiny software and paper for stateless encapsulation.
Version: This is version 2022.10.23 of the "Implementation" web page.