Software
This is the webpage for the "new" McBits software.
As opposed to the "old" McBits, the new McBits makes use of only internal parallelism.
The software is fully protected against timing attacks:
key generation, encryption, and decryption are all constanttime.
The 2nd version of the software is now available here.
This version includes three implementations for two parameter sets.
The implementation m12_t62_simple uses the parameters
m=12 (for field size 2^{m}),
n=4096 (code length),
t=62 (number of errors).
The public key size is 311736 bytes.
The secret key size is 5984 bytes (without compression).
The ciphertext overhead is 109 bytes.
The script isdfq.gp
(by Christiane Peters)
gives 2^{157.49} bit ops to attack the system using information set decoding.
The implementations m13_t128_sse and m13_t128_avx use the parameters
m=13,
n=8192,
t=128.
The public key size is 1357824 bytes.
The secret key size is 13008 bytes (without compression).
The ciphertext overhead is 224 bytes.
isdfq.gp
gives 2^{297.35} bit ops.
Using the implementation m13_t128_avx,
encrypting a short message now takes around 294000 Haswell cycles,
while decrypting a short message takes around 333000 Haswell cycles.
The software is in the public domain.
Papers
The CHES 2017 paper (for the "new" McBits) is available here.
The CHES 2013 paper (for the "old" McBits) is available here.
Contributors

Tung Chou,
Technische Universiteit Eindhoven, the Netherlands