Source code
We include here the source code of different versions of DME:
- Submission for the NIST-PQC-2017 call for KEM. The file nist-pqc-2017.zip contains a 48-bit implementation of a DME scheme for KEM with 2 rounds (exponential maps) and 6 variables in the subfolder dme-kem-n2m3e48s3. The exponential maps \(E_1:(\mathbb{F}_{q^2})^3\to(\mathbb{F}_{q^2})^3\) and \(E_2:(\mathbb{F}_{q^3})^2\to(\mathbb{F}_{q^3})^2\) are completely fixed. For comparison, two reduced 24-bit versions are also included (with 6 and 8 variables, respectively) in the subfolders dme-kem-n2m3e24s3 and dme-kem-n2m4e24s3. For the version with 8 variables, the intermediate field \(\mathbb{F}_{q^4}\) is used in the second exponential. In addition, the subfolder dme-kem3 contains an innovative version that starts with 6 variables (24 bits) but first applies the augmentation map \((x_1,\ldots,x_6)\mapsto(x_1,\ldots,x_6,x_1 x_3 x_5,0)\) before continuing with an 8-variable scheme.
- Submission for the NIST-PQC-2023 call for signature. The file nist-pqc-2023.zip contains 32-bit, 48-bit and 64-bit implementations of a DME signature scheme with 3 rounds and 8 variables in the subfolders dme-3rnds-8vars-32bits-sign, dme-3rnds-8vars-48bits-sign and dme-3rnds-8vars-64bits-sign, respectively. Both reference and optimized (Intel AVX2) implementations are provided. One of the novelties introduced in these versions is that the three exponential maps \(E_1,E_2,E_3: (\mathbb{F}_{q^2})^4\to(\mathbb{F}_{q^2})^4\) are part of the secret key, i.e. they are not fixed. Only the positions of the zero and non-zero entries are predetermined. Certain provisions are required to ensure that the exponentials are invertible and that the number of monomials in the public-key polynomials remains constant (and small). The file nist-pqc-2023-rev1.zip contains a revised version (28-07-2023) that includes several corrections to the documentation and fixes an omission (input validation) in the implementation.
- The file dme-minus-2024.zip contains a 128-bit implementation of the DME(-) cryptosystem for signatures, dme-4rnds-8vars-128bits-sign-half, and, for comparison purposes, an implementation of the non-augmented standard DME 128-bit signature scheme, dme-4rnds-8vars-128bits-sign, with the same exponential maps but without the affine translations.