New post-quantum Key Encapsulation Mechanism (KEM) designs, evaluated as part of the NIST PQC standardization Project, pose challenging tradeoffs between communication bandwidth and computational overheads. Several KEM designs evaluated in Round-2 of the project are based on QC-MDPC codes. BIKE-2 uses the smallest communication bandwidth, but its key generation requires a costly polynomial inversion. In this paper, we provide details on the optimized polynomial inversion algorithm for QC-MDPC codes (originally proposed in the conference version of this work). This algorithm makes the runtime of BIKE-2 key generation tolerable. It brings a speedup of 11.4× over the commonly used NTL library, and 83.5× over OpenSSL. We achieve additional speedups by leveraging the latest Intel's Vector-PCLMULQDQ instructions, 14.3× over NTL and 103.9× over OpenSSL. Our algorithm and implementation were the reason that BIKE team chose BIKE-2 as the only scheme for its Round-3 specification (now called BIKE).

新的后量子密钥封装机制 (KEM) 设计作为 NIST PQC 标准化项目的一部分进行评估，在通信带宽和计算开销之间提出了具有挑战性的权衡。在项目的第 2 轮中评估的几个 KEM 设计基于 QC-MDPC 代码。BIKE-2 使用最小的通信带宽，但其密钥生成需要代价高昂的多项式求逆。在本文中，我们详细介绍了 QC-MDPC 码的优化多项式反演算法（最初在本工作的会议版本中提出）。该算法使 BIKE-2 密钥生成的运行时间可以忍受。它比常用的 NTL 库提速了 11.4 倍，比 OpenSSL 提速了 83.5 倍。我们通过利用最新的英特尔Vector-PCLMULQDQ实现了额外的加速指令，NTL 上的 14.3 倍和 OpenSSL 上的 103.9 倍。我们的算法和实现是 BIKE 团队选择 BIKE-2 作为其 Round-3 规范（现在称为 BIKE）的唯一方案的原因。