McEliece is one of the method that NIST are currently considering for standardization in KEM and for Public Key Encryption. This page uses various methods including mceliece348864, mceliece460896, mceliece6688128, mceliece6960119 and mceliece8192128. In McEliece methods, we have three main parameters: m, n and t. With mceliece348864, we have a Level 1 security level with a public key size of 261,120 bytes, a private key size of 6,492 bytes, and a cipher text size of 128 bytes. mceliece460896 has a Level 3 security level with a public key size of 524,160 bytes, a private key size of 13,608 bytes, and a cipher text size of 188 bytes. mceliece460896 has a Level 5 security level with a public key size of 1,0454,992 bytes, a private key size of 13,932 bytes, and a cipher text size of 240 bytes. In this case, we will implement mceliece348864 and other methods.
McEliece PQC Key Exchange Mechanism (KEM) with CIRCL |
Outline
The following is the derived key size and cipher text (in bytes) of each of the core methods [1]:
m n t level | public key secret key ciphertext -------------------------------------------------------------------------- mceliece348864 12 3,488 64 1 | 261,120 6,492 128 mceliece460896 13 4,608 94 3 | 524,160 13,608 188 mceliece6688128 13 6,688 128 5 | 1,044,992 13,932 240 mceliece6960119 13 6,960 119 5 | 1,047,319 13,948 226 mceliece8192128 13 8,192 128 5 | 1,357,824 14,120 240
The following defines the key sizes for Kyber, SABER, NTRU and McEliece:
Type Public key size (B) Secret key size (B) Ciphertext size (B) ------------------------------------------------------------------------ Kyber512 800 1,632 768 Learning with errors (Lattice) Kyber738 1,184 2,400 1,088 Learning with errors (Lattice) Kyber1024 1,568 3,168 1,568 Learning with errors (Lattice) LightSABER 672 1,568 736 Learning with rounding (Lattice) SABER 992 2,304 1,088 Learning with rounding (Lattice) FireSABER 1,312 3,040 1,472 Learning with rounding (Lattice) McEliece348864 261,120 6,452 128 Code based McEliece460896 524,160 13,568 188 Code based McEliece6688128 1,044,992 13,892 240 Code based McEliece6960119 1,047,319 13,948 226 Code based McEliece8192128 1,357,824 14,120 240 Code based NTRUhps2048509 699 935 699 Lattice NTRUhps2048677 930 1,234 930 Lattice NTRUhps4096821 1,230 1,590 1,230 Lattice SIKEp434 330 44 346 Isogeny SIKEp503 378 56 402 Isogeny SIKEp751 564 80 596 Isogeny SIDH 564 48 596 Isogeny
Coding
In this example, we will use the McEliece MEM method:
package main import ( "fmt" "math/rand" "os" "time" "github.com/cloudflare/circl/kem/schemes" ) func main() { meth := "mceliece348864" argCount := len(os.Args[1:]) if argCount > 0 { meth = os.Args[1] } scheme := schemes.ByName(meth) rand.Seed(time.Now().Unix()) var seed [48]byte kseed := make([]byte, scheme.SeedSize()) eseed := make([]byte, scheme.EncapsulationSeedSize()) for i := 0; i < 48; i++ { seed[i] = byte(rand.Intn(255)) } for i := 0; i < scheme.SeedSize(); i++ { kseed[i] = byte(rand.Intn(255)) } for i := 0; i < scheme.EncapsulationSeedSize(); i++ { eseed[i] = byte(rand.Intn(255)) } pk, sk := scheme.DeriveKeyPair(kseed) ppk, _ := pk.MarshalBinary() psk, _ := sk.MarshalBinary() ct, ss, _ := scheme.EncapsulateDeterministically(pk, eseed) ss2, _ := scheme.Decapsulate(sk, ct) fmt.Printf("Method: %s \n", meth) fmt.Printf("Seed for key exchange: %X\n", seed) fmt.Printf("Public Key (pk) = %X (first 32 bytes)\n", ppk[:32]) fmt.Printf("Private key (sk) = %X (first 32 bytes)\n", psk[:32]) fmt.Printf("Cipher text (ct) = %X (first 32 bytes)\n", ct[:32]) fmt.Printf("\nShared key (Bob):\t%X\n", ss) fmt.Printf("Shared key (Alice):\t%X", ss2) fmt.Printf("\n\nLength of Public Key (pk) = %d bytes \n", len(ppk)) fmt.Printf("Length of Secret Key (sk) = %d bytes\n", len(psk)) fmt.Printf("Length of Cipher text (ct) = %d bytes\n", len(ct)) }
Note: The standard CIRCL libary does not implement McEliece, and you thus need to download from here: [here]. A sample run is for mceliece348864 shows that it has a 261,120 byte public key, and a 6,492 byte private key:
Method: mceliece348864 Seed for key exchange: F82857A25D01FBE7504157EF8A384646351F32A8A7A70275F90EEF0D30D84445AD6A55E719165936F501CF4F3F813080 Public Key (pk) = FCBC2B3E9651A94452C59C63DC2CEE88C70A50545E0E3E16BA5AB97108BFD882 (first 32 bytes) Private key (sk) = D3A2566C605DD9DEF35F491F3C570F61FB3EFD3130D6632938A9338F9D21A867 (first 32 bytes) Cipher text (ct) = CD5D5D31F8CD71565D08CF88F21AB8CA7BE32332DFFB6C93C188F8C8367BA85D (first 32 bytes) Shared key (Bob): D6303AE9EAA8F59E22DD6EA89ECB295EAB434219B78B022E769AAEEC66018FB4 Shared key (Alice): D6303AE9EAA8F59E22DD6EA89ECB295EAB434219B78B022E769AAEEC66018FB4 Length of Public Key (pk) = 261120 bytes Length of Secret Key (sk) = 6492 bytes Length of Cipher text (ct) = 96 bytes
and for mceliece460896:
Method: mceliece460896 Seed for key exchange: 1979351CA3A49C4F3661A6560A61B2CC59E8A75FD19E44E394135C6D4C83A0D7E0B936DAD61D5B8B312DFB139BAF2CD6 Public Key (pk) = C2E798F1F9E3342DFD92D3ABDD3C26FD9410786C354EB907C0F347CA5BC68643 (first 32 bytes) Private key (sk) = 786AF5383D46C4C4820B35017153A9DA3C5F16D4601EBCAF0D4B73ACB8B44FA8 (first 32 bytes) Cipher text (ct) = 6956FBF27896354A669DDCC53D52E2DE3D1A197D1A0F59E24F80F46D55490251 (first 32 bytes) Shared key (Bob): 4B0C05B87040E9EC32A4DE9A8C5449051B370CF084940656342DC9D009AFF3CD Shared key (Alice): 4B0C05B87040E9EC32A4DE9A8C5449051B370CF084940656342DC9D009AFF3CD Length of Public Key (pk) = 524160 bytes Length of Secret Key (sk) = 13608 bytes Length of Cipher text (ct) = 156 bytes
and for mceliece6688128:
Method: mceliece6688128 Seed for key exchange: C8BD04CC5D0E295D6D6AB3F619C3DA02A5992586ABA4DBFA5E320B7D8617D34EB083B501751137265AC8C702302AAEF9 Public Key (pk) = BAE1613A7FEB6150374C21E2D2491C7FBCEB215430E2C5F63AB754B37B6AA712 (first 32 bytes) Private key (sk) = 9AC60419BFB6677F03763048D73F5582C4CA9C21495BABFF6D80177670B52183 (first 32 bytes) Cipher text (ct) = 8A95E93C88F7592E74B5C94A00FFE9EA4A4503416E381C06AC4765916154123C (first 32 bytes) Shared key (Bob): 0604DDF0B7005AC3A51A61657A03BF0444C0F47143DE02D44A00EF72706FF264 Shared key (Alice): 0604DDF0B7005AC3A51A61657A03BF0444C0F47143DE02D44A00EF72706FF264 Length of Public Key (pk) = 1044992 bytes Length of Secret Key (sk) = 13932 bytes Length of Cipher text (ct) = 208 bytes
and for mceliece6960119:
Method: mceliece6960119 Seed for key exchange: C8845AD9B5AED9550B2C4A219509D47FAD36AE0A751243E6D3BA6B37D39469C7047E6DC4B8C889412518FBDF8637753D Public Key (pk) = 8A1E577533A399A278A2F4BA13FCFE51767D897210503164C42BE359631C2FB1 (first 32 bytes) Private key (sk) = 01FFF0B9084B94034B3570E082E7A5951B0E9EF02DF2D19E5F983A39CB45DBF0 (first 32 bytes) Cipher text (ct) = D1A9A3DA1A860BEC0695432C885835D8546BBD8B8A84C6DC57864CA84A0AFC53 (first 32 bytes) Shared key (Bob): C934D49ECA4EE542639E1502124D06DB8BF796617013500CC9C37F8C76E752EA Shared key (Alice): C934D49ECA4EE542639E1502124D06DB8BF796617013500CC9C37F8C76E752EA Length of Public Key (pk) = 1047319 bytes Length of Secret Key (sk) = 13948 bytes Length of Cipher text (ct) = 194 bytes
and mceliece8192128:
Method: mceliece8192128 Seed for key exchange: 9CDD8431FCE2949B9E8523EC8BCB31FB7000419B3A56164BA3285A7835D93DD6184832E178AB96C3A14917F435A8D397 Public Key (pk) = 1DC5DBA4A515CA324F46FBDC680F17FDA7577FAE74147DADD03EDF042676A976 (first 32 bytes) Private key (sk) = 729E0F74301EDCF393FD8E2A8E402322CE5CA5E2F419B01CC4E7DCB18857F7A9 (first 32 bytes) Cipher text (ct) = 34629663ED6A2B770FF8F4B6715110BB343AA5408297A30A8E64A364B9E2B867 (first 32 bytes) Shared key (Bob): AB3DA46FC2EEA0BFE6B215060DC2E8B05D77DAD9C6ACBB9B27ABC2A63C2C02B0 Shared key (Alice): AB3DA46FC2EEA0BFE6B215060DC2E8B05D77DAD9C6ACBB9B27ABC2A63C2C02B0 Length of Public Key (pk) = 1357824 bytes Length of Secret Key (sk) = 14120 bytes Length of Cipher text (ct) = 208 bytes