Journal of Cryptographic Engineering

, Volume 3, Issue 1, pp 29–43 | Cite as

Code-based cryptography on reconfigurable hardware: tweaking Niederreiter encryption for performance

  • Stefan HeyseEmail author
  • Tim Güneysu
CHES 2012


Today’s public-key schemes that are either based on the factorization or the discrete logarithm problem. Since both problems are closely related, a major breakthrough in cryptanalysis (e.g., with the advent of quantum computing will render nearly all currently employed security system useless. Code-based public-key schemes rely on the alternative security assumption that decoding generic linear binary codes is NP-complete. Two code-based schemes for public-key encryption are available due to McEliece and Niederreiter. Although most researchers analyzed and implemented McEliece’s cryptosystem, we show in this work that the scheme by Niederreiter has some important advantages, such as smaller keys, more practical plain and ciphertext sizes and less computation complexity. In particular, we propose an efficient FPGA implementation of Niederreiter’s scheme that can encrypt more than 1.5 million plaintexts per seconds on a Xilinx Virtex-6 FPGA—outperforming all known implementations of other popular public-key cryptosystems so far.


Code-based Goppa McEliece Niederreiter Embedded FPGA 



The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II. This work has been also been supported in part by the Ministry of Economic Affairs and Energy of the State of North Rhine-Westphalia (Grant 315-43-02/2-005-WFBO-009).


  1. 1.
    Bailey, D.V., Coffin, D., Elbirt, A., Silverman, J.H., Woodbury, A.D.: NTRU in Constrained Devices. In: Cryptographic Hardware and Embedded Systems—CHES 2001. LNCS, vol. 2162, pp. 262–272 (2001)Google Scholar
  2. 2.
    Berger, T.P., Cayrel, P.-L., Gaborit, P., Otmani, A.: Reducing key length of the McEliece cryptosystem. In: Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology, AFRICACRYPT ’09, pp. 77–97. Springer, Berlin (2009)Google Scholar
  3. 3.
    Berlekamp, B.: Nonbinary BCH decoding. IEEE Trans Inf Theory 14(2), 242 (1968)CrossRefGoogle Scholar
  4. 4.
    Berlekamp, E.: Goppa Codes. IEEE Trans. Inf. Theory IT-19(5) (1973)Google Scholar
  5. 5.
    Berlekamp, E.R.: A survey of coding theory. J. R. Stat. Soc. Ser. A (General) 135(1) (1972)Google Scholar
  6. 6.
    Bernstein, D.J.: List decoding for binary Goppa codes. In: Proceedings of the Third International Conference on Coding and Cryptology, IWCC’11, pp. 62–80. Springer, Berlin (2011)Google Scholar
  7. 7.
    Bernstein, D.J., Lange, T.: eBACS: ECRYPT Benchmarking of Cryptographic Systems (2009).
  8. 8.
    Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Proceedings of the International Workshop on Post-Quantum Cryptography-PQCrypto ’08. LNCS, vol. 5299, pp. 31–46. Springer, Berlin (2008)Google Scholar
  9. 9.
    Biswas, B., Herbert, V.: Efficient root finding of polynomials over fields of characteristic 2. In: WEWoRC 2009 (2009)Google Scholar
  10. 10.
    Biswas, B., Sendrier, N.: McEliece crypto-system: a reference implementationGoogle Scholar
  11. 11.
    Bogdanov, A., Eisenbarth, T., Rupp, A., Wolf, C.: Time-area optimized public-key engines: MQ-cryptosystems as replacement for elliptic curves? In: Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems-CHES 2008, vol. 5154. LNCS, pp. 45–61. Springer (2008)Google Scholar
  12. 12.
    Bouyukliev, I.G.: About the code equivalence. World Scientific, Hackensack, pp. 126–151 (2007)Google Scholar
  13. 13.
    Bras-Amors, M., O’Sullivan, M.E.: The Berlekamp-Massey algorithm and the Euclidean algorithm: A closer link. In: CoRR, Vol. abs/0908.2198 (2009)Google Scholar
  14. 14.
    Canteaut, A., Chabaud, F.: Improvements of the attacks on cryptosystems based on error-correcting codes (1995)Google Scholar
  15. 15.
    Cayrel, P.-L., Hoffmann, G., Persichetti, E.: Efficient implementation of a CCA2-secure variant of McEliece using generalized srivastava codes. In: Proceedings of the 15th International Conference on Practice and Theory in Public Key Cryptography, PKC’12, pp. 138–155. Springer, Berlin (2012)Google Scholar
  16. 16.
    Chang, K.: I.B.M. Researchers Inch Toward Quantum Computer. New York Times Article (2012).
  17. 17.
    Chien, R.: Cyclic decoding procedures for Bose-Chaudhuri-Hocquenghem codes. IEEE Trans. Inf. Theor. 10(4), 357–363 (2006)CrossRefGoogle Scholar
  18. 18.
    Cover, T.: Enumerative source encoding 19(1), 73–77 (1973)Google Scholar
  19. 19.
    Dinh, H., Moore, C., Russell, A.: McEliece and Niederreiter cryptosystems that resist quantum fourier sampling attacks. In: Proceedings of the 31st Annual Conference on Advances in Cryptology, CRYPTO’11, pp. 761–779. Springer, Berlin (2011)Google Scholar
  20. 20.
    Dornstetter, J.-L.: On the equivalence between Berlekamp’s and Euclid’s algorithms. IEEE Trans. Inf. Theory 33(3), 428–431 (1987)MathSciNetzbMATHCrossRefGoogle Scholar
  21. 21.
    ECRYPT: Yearly report on algorithms and keysizes (2007–2008). Technical Report, D.SPA.28 Rev. 1.1, July 2008.
  22. 22.
    Eisenbarth, T., Güneysu, T., Heyse, S., Paar, C.: Microeliece: McEliece for embedded devices. In: CHES ’09: Proceedings of the 11th International Workshop on Cryptographic Hardware and Embedded Systems, pp. 49–64. Springer, Berlin (2009)Google Scholar
  23. 23.
    Engelbert, D., Overbeck, R., Schmidt, A.: A summary of McEliece-type cryptosystems and their security. IACR Cryptol. ePrint Arch. 2006, 162 (2006)Google Scholar
  24. 24.
    Faugere, J.-C., Otmani, A., Perret, L., Tillich, J.-P.: Algebraic cryptanalysis of McEliece variants with compact keys (2009)Google Scholar
  25. 25.
    Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Advances in Cryptology EUROCRYPT 96, vol. 1070. Lecture Notes in Computer Science, pp. 245–255. Springer, Berlin (1996)Google Scholar
  26. 26.
    Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: CRYPTO ’99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pp. 537–554. Springer, London (1999)Google Scholar
  27. 27.
    Ghosh, S., Delvaux, J., Uhsadel, L., Verbauwhede, I.: A speed area optimized embedded co-processor for McEliece cryptosystem. In: 2012 IEEE 23rd International Conference on Application-Specific Systems, Architectures and Processors (ASAP), pp. 102–108 (2012)Google Scholar
  28. 28.
    Goppa, V.: A new class of linear correcting codes. Probl. Peredachi Inf. 6(3), 24–30 (1969)MathSciNetGoogle Scholar
  29. 29.
    Gorenstein, D., Peterson, W.W., Zierler, N.: Two-error correcting Bose-Chaudhuri codes are quasi-perfect. Inf. Comput. 3(3), 291–294 (1960)MathSciNetzbMATHGoogle Scholar
  30. 30.
    Güneysu, T., Paar, C., Pelzl, J.: Special-purpose hardware for solving the elliptic curve discrete logarithm problem. ACM Trans. Reconfig. Technol. Syst. (TRETS) 1(2), 1–21 (2008)CrossRefGoogle Scholar
  31. 31.
    Helion Technology Inc.: Modular Exponentiation Core Family for Xilinx FPGA. Data Sheet, October 2008.
  32. 32.
    Heyse, S.: Low-Reiter: Niederreiter encryption scheme for embedded microcontrollers. In : Sendrier, N. (ed.) Post-Quantum Cryptography, Third International Workshop, PQCrypto 2010, Darmstadt, Germany, May 25–28, 2010. Proceedings, vol. 6061. Lecture Notes in Computer Science, pp. 165–181. Springer, Berlin (2010)Google Scholar
  33. 33.
    Heyse, S.: Implementation of McEliece based on quasi-dyadic Goppa codes for embedded devices. In: Yang, B.-Y. (ed.) Post-Quantum Cryptography, volume 7071 of Lecture Notes in Computer Science, pp. 143–162. Springer, Berlin (2011)Google Scholar
  34. 34.
    Heyse, S., Güneysu, T.: Towards one cycle per bit asymmetric encryption: code-based cryptography on reconfigurable hardware. In: Prouff, E., Schaumont, P. (eds.) CHES, vol. 7428. Lecture Notes in Computer Science, pp. 340–355. Springer, Berlin (2012)Google Scholar
  35. 35.
    Heyse, S., Moradi, A., Paar, C.: Practical power analysis attacks on software implementations of McEliece. In: Sendrier, N. (ed.) Post-Quantum Cryptography, vol. 6061. Lecture Notes in Computer Science, pp. 108–125. Springer, Berlin (2010). doi: 10.1007/978-3-642-12929-29
  36. 36.
    Hoffmann, G.: Implementation of McEliece using quasi-dyadic Goppa Codes. Bachelor thesis, TU Darmstadt (2011)
  37. 37.
    Horner, W.G.: A new method of solving numerical equations of all orders, by continuous approximation. Philosophical Transactions of the Royal Society of London 109, 308–335 (1819)CrossRefGoogle Scholar
  38. 38.
    Huber, K.: Note on decoding binary Goppa codes. Electron. Lett. 32(2), 102–103 (1996)CrossRefGoogle Scholar
  39. 39.
    Huffman, C.W., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, Cambridge (2003)zbMATHCrossRefGoogle Scholar
  40. 40.
    Kobara, K., Imai, H.: Semantically secure McEliece public-key cryptosystems-conversions for McEliece. In: Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography: Public Key Cryptography, PKC ’01, pp. 19–35, London, UK. Springer, Berlin (2001)Google Scholar
  41. 41.
    Lee, K.: Interpolation-based decoding of alternant codes. In: CoRR, vol. abs/cs/0702118 (2007)Google Scholar
  42. 42.
    Li, Y.X., Deng, R.H., wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theor. 40(1), 271–273 (2006)MathSciNetGoogle Scholar
  43. 43.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Prog. Rep. 42(44), 114–116 (1978)Google Scholar
  44. 44.
    Minder, L.: Cryptography based on error correcting codes. PhD Thesis, Ècole Polytechnique Fédérale de Lausanne (2007)Google Scholar
  45. 45.
    Misoczki, R., Barreto, P.S.: Compact McEliece keys from Goppa codes. In: Selected Areas in Cryptography: 16th Annual International Workshop (SAC 2009), pp. 376–392. Springer, Berlin (2009)Google Scholar
  46. 46.
    Misoczki, R., Barreto, P.S.: Selected areas in cryptography. In: Chapter Compact McEliece Keys from Goppa Codes, pp. 376–392. Springer, Berlin (2009)Google Scholar
  47. 47.
    Molter, H., Stöttinger, M., Shoufan, A., Strenzke, F.: A simple power analysis attack on a mceliece cryptoprocessor. J. Cryptogr. Eng. 1(29–36) (2011). doi: 10.1007/s13389-011-0001-3
  48. 48.
    Niebuhr, R., Cayrel, P.-L.: Broadcast attacks against code-based schemes. In: Armknecht, F., Lucks, S. (eds) WEWoRC, vol. 7242. Lecture Notes in Computer Science, pp. 1–17. Springer, Berlin (2011)Google Scholar
  49. 49.
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory/Problemy Upravlen. Teor Inf. 15(2), 159–166 (1986)Google Scholar
  50. 50.
    Overbeck, R., Sendrier, N.: Code-based cryptography. In: Bernstein, Daniel J., et al. (ed.) Post-Quantum Cryptography. First International Workshop PQCrypto 2006, Leuven, The Netherland, May 23–26, 2006, pp. 95–145. Selected Papers. Springer, Berlin (2009) Google Scholar
  51. 51.
    Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theory 21(2), 203–207 (1975)Google Scholar
  52. 52.
    Persichetti, E.: Compact McEliece keys based on Quasi-Dyadic Srivastava codes. IACR Cryptol. ePrint Arch. 2011, 179 (2011)Google Scholar
  53. 53.
    Peterson, W.: Encoding and error-correction procedures for the Bose-Chaudhuri codes. IRE Trans. Inf. Theory 6(4), 459–470 (1960)CrossRefGoogle Scholar
  54. 54.
    Pierre-Louis Cayrel: Code-based cryptosystems: implementations.
  55. 55.
    Pointcheval, D.: Chosen-Ciphertext security for any one-way cryptosystem. In: Imai, H., Zheng, Y. (eds.) Workshop on Practice and Theory in Public-Key Cryptography (PKC ’00), vol. 1751. Lecture Notes in Computer ScienceSpringer, pp. 129–146. Melbourne, Australia (2000)Google Scholar
  56. 56.
    Sendrier, N.: Efficient generation of binary words of given weight. In: Cryptography and Coding, vol. 1025. Lecture Notes in Computer Science, pp. 184–187. Springer, Berlin (1995)Google Scholar
  57. 57.
    Sendrier, N.: Encoding information into constant weight words. In: Proceedings of International Symposium on Information Theory ISIT 2005, pp. 435–438 (2005)Google Scholar
  58. 58.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetzbMATHCrossRefGoogle Scholar
  59. 59.
    Shoufan, A., Strenzke, F., Molter, H., Stöttinger, M.: A timing attack against Patterson algorithm in the McEliece PKC. In: Lee, D., Hong, S. (eds.) Information, Security and Cryptology ICISC 2009, vol. 5984. Lecture Notes in Computer Science, pp. 161–175. Springer, Berlin (2010). doi: 10.1007/978-3-642-14423-312
  60. 60.
    Shoufan, A., Wink, T., Molter, H.G., Huss, S.A., Strenzke. F.: A Novel processor architecture for McEliece cryptosystem and FPGA platforms. In: 20th IEEE International Conference on Application-specific Systems, Architectures and Processors (2009)Google Scholar
  61. 61.
    Strenzke, F.: A timing attack against the secret permutation in the McEliece PKC. In: Sendrier, N. (ed.) Post-Quantum Cryptography, vol. 6061. Lecture Notes in Computer Science, pp. 95–107. Springer, Berlin (2010). doi: 10.1007/978-3-642-12929-28
  62. 62.
    Strenzke, F., Tews, E., Molter, H., Overbeck, R., Shoufan, A.: Side channels in the McEliece PKC. In: 2nd workshop on post-quantum cryptography, pp. 216–229. Springer, Berlin (2008)Google Scholar
  63. 63.
    Sudan, M.: List decoding: algorithms and applications. SIGACT News 31(1), 16–27 (2000)CrossRefGoogle Scholar
  64. 64.
    Sugiyama, Y., Kasahara, M., Hirasawa, S., Namekawa, T.: A method for solving key equation for decoding goppa codes. Inf. Control 27(1), 87–99 (1975)MathSciNetzbMATHCrossRefGoogle Scholar
  65. 65.
    Sutter, G., Deschamps, J., Imana., J.: Efficient elliptic curve point multiplication using digit-serial binary field operations. IEEE Trans. Ind. Electron. 60(1), 217–225 (2013)CrossRefGoogle Scholar
  66. 66.
    Xilinx Inc.: Data Sheets and Product Information for Xilinx Spartan and Virtex FPGAs.

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. 1.Horst Görtz Institute for IT-SecurityRuhr-Universitä BochumBochumGermany

Personalised recommendations