Development and Evaluation of a Code-based Cryptography Library for Constrained Devices

Code-based cryptography is a promising candidate for the diversification of today’s public-key cryptosystems, most of which rely on the hardness of either the Factorization or the Discrete logarithm problem. Both are known to be breakable using an efficient quantum algorithm due to Peter Shor. In contrast, Code-based cryptography is based on the problem of decoding unknown error-correcting codes, which is known to be NP-hard. There exist two basic schemes based on Code-based cryptography, which are named after their inventors Robert McEliece and Harald Niederreiter. Both share the problem of requiring huge key lengths compared to conventional cryptosystems such as RSA, which makes their implementation on embedded devices with very limited ressources challenging. In this thesis, we present an implementation of modern variants of both schemes for AVR microcontrollers and evaluate several different methods of syndrome computation, decoding and root extraction. The implementation includes an adaption of the Berlekamp-Massey-Sugiyama algorithm to binary codes achieving the same level of errorcorrection as the Patterson algorithm. Moreover we implemented two conversions that turn the McEliece and Niederreiter schemes into CCA2-secure cryptosystems. Our implementation is able to provide a security level of up to 128-bit on an ATxmega256 and hence is capable of fulfilling real-world security requirements. Moreover, the implementation outperforms comparable implementations of RSA and ECC in terms of data throughput and achieves a higher performance than previous implementations of the McEliece and Niederreiter cryptosystems. An optimal balance between memory usage and performance for specific use cases can be achieved using the flexible configuration by choosing the most suitable combination of precomputations, lookup tables or on-the-fly computations. We demonstrate the feasibility of implementing a high-performance Code-based cryptography library on a low-cost 8-bit microcontroller and provide evidence that McEliece and Niederreiter can evolve to a fully adequate replacement for traditional cryptosystems.