FPGA-based Key Generator for the Niederreiter Cryptosystem Using Binary Goppa Codes

  • Wen Wang
  • Jakub Szefer
  • Ruben Niederhagen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10529)


This paper presents a post-quantum secure, efficient, and tunable FPGA implementation of the key-generation algorithm for the Niederreiter cryptosystem using binary Goppa codes. Our key-generator implementation requires as few as 896,052 cycles to produce both public and private portions of a key, and can achieve an estimated frequency Fmax of over 240 MHz when synthesized for Stratix V FPGAs. To the best of our knowledge, this work is the first hardware-based implementation that works with parameters equivalent to, or exceeding, the recommended 128-bit “post-quantum security” level. The key generator can produce a key pair for parameters \(m=13\), \(t=119\), and \(n=6960\) in only 3.7 ms when no systemization failure occurs, and in \(3.5 \cdot 3.7\) ms on average. To achieve such performance, we implemented an optimized and parameterized Gaussian systemizer for matrix systemization, which works for any large-sized matrix over any binary field \(\text {GF}(2^m)\). Our work also presents an FPGA-based implementation of the Gao-Mateer additive FFT, which only takes about 1000 clock cycles to finish the evaluation of a degree-119 polynomial at \(2^{13}\) data points. The Verilog HDL code of our key generator is parameterized and partly code-generated using Python and Sage. It can be synthesized for different parameters, not just the ones shown in this paper. We tested the design using a Sage reference implementation, iVerilog simulation, and on real FPGA hardware.
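The abstract names the three steps a Niederreiter key generator has to chain: pick a binary Goppa code (a degree-t polynomial g over GF(2^m) with no roots, plus a support of n field elements), build the mt × n binary parity-check matrix from the values α_j^i / g(α_j), and run a Gaussian systemizer to bring it to the form [I | T], restarting when the left mt × mt block is singular. The Python sketch below is an added example, not the paper's Verilog or Sage code; it walks through those steps at toy parameters m=4, t=2, n=16 with the reduction polynomial x^4 + x + 1 (all assumptions chosen for readability), evaluates g by Horner's rule where the paper uses the Gao-Mateer additive FFT, and reports how many attempts a key costs on average, which is the retry factor the abstract's "3.5 · 3.7 ms" reflects.

```python
# Toy Niederreiter key generation over a binary Goppa code (added example, not the
# paper's code). Parameters m=4, t=2, n=16 keep matrices readable; the paper's
# m=13, t=119, n=6960 keys follow the same steps at scale.
import random

M, T, N = 4, 2, 16     # field degree, errors corrected, code length (N <= 2^M)
R = M * T              # parity rows; the public key T is R x (N - R) bits
POLY = 0b10011         # x^4 + x + 1, irreducible over GF(2): defines GF(2^4)

def gf_mul(a, b):
    """Multiply in GF(2^M): shift-and-add, reducing modulo POLY."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= POLY if a >> M else 0
    return r

def gf_pow(a, e):
    """Square-and-multiply; gf_pow(a, 2^M - 2) is a^-1 for a != 0."""
    r = 1
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def poly_eval(coeffs, x):
    """Horner's rule (the paper uses the Gao-Mateer additive FFT for all 2^M points)."""
    acc = 0
    for c in reversed(coeffs):          # coeffs[i] is the coefficient of x^i
        acc = gf_mul(acc, x) ^ c
    return acc

def random_goppa_poly(rng):
    """Monic degree-T polynomial with no root in GF(2^M); for T <= 3 that is irreducibility."""
    while True:
        g = [rng.randrange(1 << M) for _ in range(T)] + [1]
        if all(poly_eval(g, x) for x in range(1 << M)):
            return g

def parity_check_matrix(g, support):
    """Binary H as R ints of N bits (column j <-> bit j). Block i holds
    alpha_j^i / g(alpha_j) over GF(2^M); each element expands into M binary rows."""
    inv_g = [gf_pow(poly_eval(g, a), (1 << M) - 2) for a in support]
    rows = []
    for i in range(T):
        vals = [gf_mul(gf_pow(a, i), inv_g[j]) for j, a in enumerate(support)]
        for k in range(M):
            rows.append(sum(((v >> k) & 1) << j for j, v in enumerate(vals)))
    return rows

def systemize(rows):
    """Gaussian systemization to [I_R | T]; None if the left R x R block is singular (systemization failure)."""
    rows = list(rows)
    for c in range(R):
        pivot = next((i for i in range(c, R) if (rows[i] >> c) & 1), None)
        if pivot is None:
            return None
        rows[c], rows[pivot] = rows[pivot], rows[c]
        for i in range(R):
            if i != c and (rows[i] >> c) & 1:
                rows[i] ^= rows[c]
    return rows

def keygen(seed=None):
    """Returns (public T rows, private (g, support), attempts). Each attempt draws a
    fresh g and support permutation and stops at the first systemizable H."""
    rng, attempts = random.Random(seed), 0
    while True:
        attempts += 1
        g = random_goppa_poly(rng)
        support = rng.sample(range(1 << M), N)          # N distinct field elements
        h_sys = systemize(parity_check_matrix(g, support))
        if h_sys is not None:
            return [row >> R for row in h_sys], (g, support), attempts

def syndrome(pub, e):
    """Niederreiter encryption: s = [I_R | T] * e for an N-bit vector e."""
    s = e & ((1 << R) - 1)
    for i, trow in enumerate(pub):
        s ^= (bin(trow & (e >> R)).count("1") & 1) << i
    return s

def consistency_check(seed=None):
    """Zero a random word's syndrome via the identity columns; the unsystemized H must accept it."""
    pub, (g, support), _ = keygen(seed)
    v = random.Random(seed).randrange(1 << N)
    c = v ^ syndrome(pub, v)
    return all(bin(row & c).count("1") % 2 == 0 for row in parity_check_matrix(g, support))

def mean_attempts(trials, seed=0):
    """Retry cost; ~3.5 attempts/key expected, as a random R x R binary block is invertible with probability ~0.289."""
    rng = random.Random(seed)
    return sum(keygen(rng.randrange(1 << 30))[2] for _ in range(trials)) / trials

if __name__ == "__main__":
    pub, (g, support), n = keygen(2017)
    print("g:", g, "attempts:", n, "T rows:", [format(r, f"0{N - R}b") for r in pub])
    print("consistent:", consistency_check(1), "mean attempts:", mean_attempts(200))
```

The public key is only the T half of [I | T], which is why systemizing matters: it shrinks the key from mt × n to mt × (n − mt) bits and makes encryption a plain matrix-vector product. The hardware design in the paper pays for that with the restart loop visible in `keygen`; on average a little under a third of the attempts succeed, so the expected cost is roughly 3.5 key-generation runs, matching the abstract's average figure.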


Keywords: Post-Quantum Cryptography, Code-based cryptography, Niederreiter, Key generation, FPGA, Hardware implementation



We want to thank Tung Chou for his invaluable help, in particular for discussions about the additive FFT implementation.



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Yale University, New Haven, USA
  2. Fraunhofer Institute SIT, Darmstadt, Germany
