
McEliece in Bouncy Castle Status

Open · dghgit opened this issue 1 year ago · 1 comment

I was alerted to an update saying our McEliece implementation has vanished.

I can say Classic McEliece is implemented in Bouncy Castle as CMCE, which may be why it was missed. Note the algorithm is still undergoing standardization; BSI in Germany have already said they will standardize it, and it is likely NIST will choose to as well, so CMCE should be there for the long run (last-minute tweaks due to standardization aside).

The traditional BC implementation of McEliece had a similar problem to Rainbow: while the available parameters were not necessarily broken, they were not secure enough. Note also that CMCE is now a KEM and needs to be used as such; our previous implementation behaved a bit more like RSA. KEMs do require the payload to be encrypted using a random session key (which the KEM produces); the security of the algorithms as described does partly depend on this, so it's worth the additional expense.

You may wish to consider replacing Rainbow with either Dilithium or SPHINCS+; while it may take a couple of years from now, it does not appear likely Rainbow will survive.

The JCA based example showing the CMCE implementation can be found here:

https://github.com/bcgit/bc-java/blob/main/prov/src/test/java/org/bouncycastle/pqc/jcajce/provider/test/CMCETest.java

Regards,

David

dghgit · Aug 01 '23 23:08
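The KEM usage pattern David describes above (encapsulate to obtain a random session key, encrypt the payload under that key, transport the encapsulation alongside the ciphertext), written out as an added example. This is not code from the issue, from Smoke, or from Bouncy Castle's own CMCETest; it assumes the `BCPQC` provider name, the `CMCEParameterSpec.mceliece348864` parameter set, and the `org.bouncycastle.jcajce.spec.KEMGenerateSpec` / `KEMExtractSpec` and `org.bouncycastle.jcajce.SecretKeyWithEncapsulation` class locations as they appear in the linked test for BC 1.72 and later. The session key is used directly as an AES-GCM key for brevity; a deployment would normally pass it through a KDF first.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jcajce.SecretKeyWithEncapsulation;
import org.bouncycastle.jcajce.spec.KEMExtractSpec;
import org.bouncycastle.jcajce.spec.KEMGenerateSpec;
import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
import org.bouncycastle.pqc.jcajce.spec.CMCEParameterSpec;

// Added example (not from the issue or from Bouncy Castle): Classic McEliece used as a KEM
// to transport a random AES session key, with the payload encrypted under that key.
public class CmceKemExample {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastlePQCProvider());
        SecureRandom random = new SecureRandom();

        // 1. Recipient side: generate a Classic McEliece key pair
        //    (provider name and parameter set are assumptions for this example).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("CMCE", "BCPQC");
        kpg.initialize(CMCEParameterSpec.mceliece348864, random);
        KeyPair kp = kpg.generateKeyPair();

        // 2. Sender side: encapsulate against the recipient's public key. The KEM
        //    returns a fresh random session key plus the encapsulation that carries it.
        KeyGenerator kemGen = KeyGenerator.getInstance("CMCE", "BCPQC");
        kemGen.init(new KEMGenerateSpec(kp.getPublic(), "AES"), random);
        SecretKeyWithEncapsulation senderKey = (SecretKeyWithEncapsulation) kemGen.generateKey();
        byte[] encapsulation = senderKey.getEncapsulation();

        // 3. Sender side: encrypt the payload with the session key (AES-GCM here),
        //    never with the KEM itself. Constructed sample message.
        byte[] plaintext = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] nonce = new byte[12];
        random.nextBytes(nonce);
        Cipher aead = Cipher.getInstance("AES/GCM/NoPadding");
        aead.init(Cipher.ENCRYPT_MODE,
                  new SecretKeySpec(senderKey.getEncoded(), "AES"),
                  new GCMParameterSpec(128, nonce));
        byte[] ciphertext = aead.doFinal(plaintext);
        // What travels to the recipient: encapsulation || nonce || ciphertext

        // 4. Recipient side: decapsulate with the private key to recover the same session key.
        kemGen.init(new KEMExtractSpec(kp.getPrivate(), encapsulation, "AES"));
        SecretKeyWithEncapsulation recipientKey = (SecretKeyWithEncapsulation) kemGen.generateKey();

        // 5. Recipient side: decrypt. A tampered ciphertext or wrong key makes
        //    doFinal throw javax.crypto.AEADBadTagException instead of returning data.
        aead.init(Cipher.DECRYPT_MODE,
                  new SecretKeySpec(recipientKey.getEncoded(), "AES"),
                  new GCMParameterSpec(128, nonce));
        byte[] recovered = aead.doFinal(ciphertext);

        System.out.println("session keys match: "
                + Arrays.equals(senderKey.getEncoded(), recipientKey.getEncoded()));
        System.out.println("payload recovered: " + Arrays.equals(plaintext, recovered));
    }
}
```

The point of the structure is that the McEliece public key is only ever used to transport a one-shot random key, not the message itself; the RSA-like "encrypt the payload directly" shape of the older BC McEliece API has no equivalent here, and the KEM security proof assumes the shared secret is fresh per encapsulation.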

Thank you for the example. McE key generation fails in BC 1.72. The problem may be caused by applying deprecated methods and parameters.

Smoke includes SPHINCS (not SPHINCS+). Rainbow was included before the published compromise. Safe parameters are difficult to support on limited devices.

textbrowser · Aug 02 '23 12:08