Download Package

  • Submitted Package (Dec 2017)
  • Package (last update 16.01.2018)

Beside code refactoring we added the check d’=H(s’_1) for decapsulation in the KEM (as described in the documentation) without sending d seperately.

Beside refactoring the FFT transformation has been adapted following [18] to avoid bit-reverse calls. We also reduced the number of InvFFT calls (due to linearity) resulting in factor 2 speed-ups (in total) for the same parameter sets (see below for the reference implementation). Error recovery does not use rounding functions from the C math library any more. Instead it only relies on shifts and elementary operations in constant time. During encryption we add small independently sampled uniform random polynomials (t bits per coefficient) to the public key such that it is uniform random in Rq. The security proof thus also holds for compressed public keys. Furthermore, the secret key size has been reduced. The secret key polynomials are now generated from the secret seed during decryption rather than storing the corresponding polynomials.



KeyGen (cycles)




KINDI-256-3-4-2 New  111416  130204  158467 3
Old  203096  247793   312211
KINDI-512-2-4-1 New  126369  158942  209795 5
Old  215542  285832  382958
 KINDI-512-2-2-2 New  118600  153807  206709 5
Old  214064  280420  377962
 KINDI-256-5-2-2 New  268648  296470  344806 5
Old  519010  595043  701763
 KINDI-512-3-2-1 New  223902  268237  341753 5
Old  429952  530173  672720