There is a guide for implementors aimed at readers upgrading cryptographic applications to use Classic McEliece.
For applications with cryptographic performance constraints: Classic McEliece has very large public keys but very small ciphertexts. Public keys can be reused for many ciphertexts, so Classic McEliece can reach lower total costs than other post-quantum encryption systems.
The official Classic McEliece software is in the public domain. The software is constant-time. There is no data flow from secrets to branch conditions, array indices, and integer multiplications. Note that integer multiplications take variable time on many CPUs, possibly including Intel CPUs. This page also links to various unofficial Classic McEliece implementations.
The "f" variants have the same size and are not listed here. The older "pc" variants have 32 extra bytes in ciphertexts.
|public key||private key||ciphertext||session key|
The official Classic McEliece implementations are the following four software implementations for each of the ten selected parameter sets:
ref, portable C software. This implementation is designed for clarity, not performance. This is the reference implementation of Classic McEliece.
vec, portable C software. This implementation vectorizes across 64-bit integers.
sse, C software using machine-specific intrinsics. This implementation uses the Intel/AMD 128-bit vector instructions.
avx, C software using machine-specific intrinsics. This implementation uses the Intel/AMD 256-bit vector instructions.
- November 2021, in SUPERCOP. This was the first release with full TIMECOP support.
- October 2020, in the round-3 NISTPQC submission package.
- June 2020, in SUPERCOP.
- July 2019, in SUPERCOP.
- April 2019,
in the round-2 NISTPQC submission package.
This was the first release with the
- August 2018, in SUPERCOP.
- December 2017, in the round-1 NISTPQC submission package.
Here are cycle counts for the October 2022 software on an Intel Haswell CPU core:
Various authors have released the following further implementations of Classic McEliece, reporting that the implementations are constant-time:
ARM Cortex-M4 microcontrollers: See
https://github.com/pqcryptotw/mceliece-arm-m4and accompanying paper for full implementations of key generation, encapsulation, and decapsulation. A small part of the speedup in these implementations comes from using integer multiplication, which is constant-time on the Cortex-M4. See also earlier Cortex-M4 paper.
https://caslab.csl.yale.edu/code/niederreiter/and accompanying paper for implementations of the core mathematical operations inside key generation, encapsulation, and decapsulation. There is also a newer paper reporting complete key generation, encapsulation, and decapsulation, and improved speeds. See also earlier paper regarding key generation.
For clients streaming ephemeral Classic McEliece keys through a stateless network server: See the McTiny software and paper for stateless encapsulation.
Version: This is version 2022.10.23 of the "Implementation" web page.