Optimized and Scalable Co-Processor for McEliece with Binary Goppa Codes

Asymmetric cryptographic primitives are essential to enable secure communications in public networks or over public media. Such primitives can be deployed as software libraries or as hardware co-processors, the latter being more commonly employed in system-on-chip (SoC) scenarios, embedded devices, or application-specific servers. Unfortunately, the most commonly available solutions, based on RSA or elliptic curve cryptography (ECC), are highly processing intensive due to the underlying extended-precision modular arithmetic. Consequently, they are not available on highly constrained platforms. Aiming to tackle this issue, we here investigate an alternative asymmetric encryption scheme that relies on lightweight arithmetic: McEliece. This scheme is especially appealing because, being based on error-correcting codes, it displays simpler arithmetic and leads to better performance when compared to RSA or ECC. To evaluate the implementation of this scheme in hardware, we propose and analyze a flexible architecture whose security level and time-versus-area characteristics can be reconfigured as desired. The proposed architecture is suitable for all usual security levels, ranging from 80 to 256 bits. It is also very efficient, being able to perform data decryption with binary Goppa codes in 56µs with 3,402 slices on a Xilinx Spartan-3AN FPGA, whereas the best-known result in the literature for the same FPGA is 115µs with 7,331 slices. Alternatively, the architecture can operate with quasi-dyadic Goppa (QD-Goppa) codes, which involve smaller keys than traditional binary Goppa codes. In the latter case, for an 80-bit security level, the decryption operation can take from 1.1ms with 1,129 slices to 68µs with 8,268 slices. By choosing a more hardware-friendly decoding algorithm, focusing hardware resources on the most critical bottleneck operations, and sharing hardware resources between two different algorithms, better results than those in the literature were obtained.
