FPGA-Based Niederreiter Cryptosystem Using Binary Goppa Codes

  • Wen WangEmail author
  • Jakub SzeferEmail author
  • Ruben NiederhagenEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10786)


This paper presents an FPGA implementation of the Niederreiter cryptosystem using binary Goppa codes, including modules for encryption, decryption, and key generation. We improve over previous implementations in terms of efficiency (time-area product and raw performance) and security level. Our implementation is constant time in order to protect against timing side-channel analysis. The design is fully parameterized, using code-generation scripts, in order to support a wide range of parameter choices for security, including binary field size, the degree of the Goppa polynomial, and the code length. The parameterized design allows us to choose design parameters for time-area trade-offs in order to support a wide variety of applications ranging from smart cards to server accelerators. For parameters that are considered to provide “128-bit post-quantum security”, our time-optimized implementation requires 966,400 cycles for the generation of both public and private portions of a key and 14,291 cycles to decrypt a ciphertext. The time-optimized design uses only 121,806 ALMs (52% of the available logic) and 961 RAM blocks (38% of the available memory), and results in a design that runs at about 250 MHz on a medium-size Stratix V FPGA.


Post-Quantum Cryptography Code-based cryptography Niederreiter cryptosystem FPGA Hardware implementation 



This work was supported in part by United States’ National Science Foundation grant 1716541. We would like to acknowledge FPGA hardware donations form Altera (now part of Intel). We also want to thank Tung (Tony) Chou for his invaluable help. This paper has been greatly improved thanks to feedback from our shepherds Lajla Batina and Pedro Maat Costa Massolino and the anonymous reviewers.


  1. 1.
    Alkadri, N.A., Buchmann, J., Bansarkhani, R.E., Krämer, J.: A framework to select parameters for lattice-based cryptography. Cryptology ePrint Archive, Report 2017/615 (2017).
  2. 2.
    Augot, D., Batina, L., Bernstein, D.J., Bos, J., Buchmann, J., Castryck, W., Dunkelman, O., Güneysu, T., Gueron, S., Hülsing, A., Lange, T., Mohamed, M.S.E., Rechberger, C., Schwabe, P., Sendrier, N., Vercauteren, F., Yang, B.Y.: Initial recommendations of long-term secure post-quantum systems. Technical report, PQCRYPTO ICT-645622 (2015).
  3. 3.
    Avanzi, R., Hoerder, S., Page, D., Tunstall, M.: Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems. JCEN 1(4), 271–281 (2011)Google Scholar
  4. 4.
    Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.): Post-Quantum Cryptography. Springer, Heidelberg (2009)zbMATHGoogle Scholar
  5. 5.
    Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  6. 6.
    Bernstein, D.J., Lange, T., Peters, C.: Attacking and defending the McEliece cryptosystem. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 31–46. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  7. 7.
    Chen, L., Moody, D., Liu, Y.K.: NIST post-quantum cryptography standardization.
  8. 8.
    Cherkaoui, A., Fischer, V., Fesquet, L., Aubert, A.: A very high speed true random number generator with entropy assessment. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 179–196. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  9. 9.
    Chou, T.: McBits revisited. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 213–231. Springer, Cham (2017)CrossRefGoogle Scholar
  10. 10.
    DasGupta, A.: The matching, birthday and the strong birthday problem: a contemporary review. J. Stat. Plan. Inference 130(1), 377–389 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Fisher, R.A., Yates, F.: Statistical Tables for Biological, Agricultural and Medical Research. Oliver and Boyd, London (1948)zbMATHGoogle Scholar
  12. 12.
    Gao, S., Mateer, T.: Additive fast Fourier transforms over finite fields. IEEE Trans. Inf. Theory 56(12), 6265–6272 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Guo, Q., Johansson, T., Stankovski, P.: A key recovery attack on MDPC with CCA security using decoding errors. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 789–815. Springer, Heidelberg (2016)CrossRefGoogle Scholar
  14. 14.
    Heyse, S., Güneysu, T.: Code-based cryptography on reconfigurable hardware: tweaking Niederreiter encryption for performance. JCEN 3(1), 29–43 (2013)Google Scholar
  15. 15.
    Li, Y.X., Deng, R.H., Wang, X.M.: On the equivalence of McEliece’s and Niederreiter’s public-key cryptosystems. IEEE Trans. Inf. Theory 40(1), 271–273 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
  16. 16.
    Massey, J.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969)MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Massolino, P.M.C., Barreto, P.S.L.M., Ruggiero, W.V.: Optimized and scalable co-processor for McEliece with binary Goppa codes. ACM Trans. Embed. Comput. Syst. 14(3), 45 (2015)CrossRefGoogle Scholar
  18. 18.
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. DSN Progr. Rep. 42–44, 114–116 (1978)Google Scholar
  19. 19.
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theory 15, 19–34 (1986)MathSciNetzbMATHGoogle Scholar
  20. 20.
    Patterson, N.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theory 21(2), 203–207 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Post-quantum cryptography for long-term security PQCRYPTO ICT-645622.
  22. 22.
    Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. Cryptology ePrint Archive, Report 2006/145 (2006)Google Scholar
  23. 23.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Foundations of Computer Science - FOCS 1994, pp. 124–134. IEEE (1994)Google Scholar
  24. 24.
    Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 303–332 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Shoufan, A., Strenzke, F., Molter, H.G., Stöttinger, M.: A timing attack against patterson algorithm in the McEliece PKC. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 161–175. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  26. 26.
    Shoufan, A., Wink, T., Molter, G., Huss, S., Strentzke, F.: A novel processor architecture for McEliece cryptosystem and FPGA platforms. IEEE Trans. Comput. 59(11), 1533–1546 (2010)MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Sidelnikov, V.M., Shestakov, S.O.: On insecurity of cryptosystems based on generalized Reed-Solomon codes. Discret. Math. Appl. 2(4), 439–444 (1992)CrossRefGoogle Scholar
  28. 28.
    Wang, W., Szefer, J., Niederhagen, R.: FPGA-based key generator for the Niederreiter cryptosystem using binary Goppa codes. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 253–274. Springer, Cham (2017)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Yale UniversityNew HavenUSA
  2. 2.Fraunhofer SITDarmstadtGermany

Personalised recommendations