- Submitted Package (Dec 2017)
- Package (last update 16.01.2018)
Beside code refactoring we added the check d’=H(s’_1) for decapsulation in the KEM (as described in the documentation) without sending d seperately.
Beside refactoring the FFT transformation has been adapted following [18] to avoid bit-reverse calls. We also reduced the number of InvFFT calls (due to linearity) resulting in factor 2 speed-ups (in total) for the same parameter sets (see below for the reference implementation). Error recovery does not use rounding functions from the C math library any more. Instead it only relies on shifts and elementary operations in constant time. During encryption we add small independently sampled uniform random polynomials (t bits per coefficient) to the public key such that it is uniform random in Rq. The security proof thus also holds for compressed public keys. Furthermore, the secret key size has been reduced. The secret key polynomials are now generated from the secret seed during decryption rather than storing the corresponding polynomials.
|
Parameter |
KeyGen (cycles) |
Enc |
Dec |
Category |
|
| KINDI-256-3-4-2 | New | 111416 | 130204 | 158467 | 3 |
| Old | 203096 | 247793 | 312211 | ||
| KINDI-512-2-4-1 | New | 126369 | 158942 | 209795 | 5 |
| Old | 215542 | 285832 | 382958 | ||
| KINDI-512-2-2-2 | New | 118600 | 153807 | 206709 | 5 |
| Old | 214064 | 280420 | 377962 | ||
| KINDI-256-5-2-2 | New | 268648 | 296470 | 344806 | 5 |
| Old | 519010 | 595043 | 701763 | ||
| KINDI-512-3-2-1 | New | 223902 | 268237 | 341753 | 5 |
| Old | 429952 | 530173 | 672720 |