Niederreiter cryptosystem

Last updated July 13, 2025

In cryptography, the Niederreiter cryptosystem is a variation of the McEliece cryptosystem developed in 1986 by Harald Niederreiter.^[1] It applies the same idea to the parity check matrix, H, of a linear code. Niederreiter is equivalent to McEliece from a security point of view. It uses a syndrome as ciphertext and the message is an error pattern. The encryption of Niederreiter is about ten times faster than the encryption of McEliece. Niederreiter can be used to construct a digital signature scheme.

Scheme definition

A special case of Niederreiter's original proposal was broken^[2] but the system is secure when used with a Binary Goppa code.

Key generation

Alice selects a binary (n, k)-linear Goppa code, G, capable of correcting t errors. This code possesses an efficient decoding algorithm.
Alice generates a (n − k) × n parity check matrix, H, for the code, G.
Alice selects a random (n − k) × (n − k) binary non-singular matrix, S.
Alice selects a random n × n permutation matrix, P.
Alice computes the (n − k) × n matrix, H^pub = SHP.
Alice's public key is (H^pub, t); her private key is (S, H, P).

Message encryption

Suppose Bob wishes to send a message, m, to Alice whose public key is (H^pub, t):

Bob encodes the message, m, as a binary string e^m' of length n and weight at most t.
Bob computes the ciphertext as c = H^pube^T.

Message decryption

Upon receipt of c = H^pubm^T from Bob, Alice does the following to retrieve the message, m.

Alice computes S⁻¹c = HPm^T.
Alice applies a syndrome decoding algorithm for G to recover Pm^T.
Alice computes the message, m, via m^T = P⁻¹Pm^T.

Signature scheme

Courtois, Finiasz and Sendrier showed how the Niederreiter cryptosystem can be used to derive a signature scheme .^[3]^[4]

Calculate $s=h(d)$ , where $h$ is a Hash Function and $d$ is the signed document.
Calculate $s_{i}=h(s|i),i=0,1,2,\dots$ , where $|$ denotes concatenation.
Attempt to decrypt $s_{i}$ until the smallest value of $i$ (denoted further as $i_{0}$ ) for which $s_{i}$ is decryptable is found.
Use the trapdoor function to compute such $z$ that $Hz^{T}=s_{i_{0}}$ , where $H$ is the public key.
Compute the index $I_{z}$ of $z$ in the space of words of weight 9.
Use $\left[I_{z}|z\right]$ as the signature.

The Verification algorithm is much simpler:

Recover $z$ from index $I_{z}$ .
Compute $s_{1}=Hz^{T}$ with the public key $H$ .
Compute $s_{2}=h(h(d)|i_{0})$ .
Compare $s_{1}$ and $s_{2}$ . If they are the same the signature is valid.

The index $I_{z}$ of $z$ can be derived using the formula below, where $i_{1}<\dots <i_{9}$ denote the positions of non-zero bits of $z$ . $I_{z}=1+\sum _{n=1}^{9}{\binom {i_{n}}{n}}$ The number of bits necessary to store $i_{0}$ is not reducible. On average it will be $log_{2}(9!)\approx 18.4$ bits long. Combined with the average $125.5$ bits necessary to store $I_{z}$ , the signaure will on average be $125.5+18.4\approx 144$ bits long.

References

Henk C. A. van Tilborg. Fundamentals of Cryptology, 11.4.

↑ H. Niederreiter (1986). "Knapsack-type cryptosystems and algebraic coding theory". Problems of Control and Information Theory. Problemy Upravlenija I Teorii Informacii. 15: 159–166.
↑ V. M. Sidel'nikov & S. O. Shestakov (1992). "On the insecurity of cryptosystems based on generalized Reed-Solomon codes". Discrete Mathematics and Applications. 2 (4): 439–444. doi:10.1515/dma.1992.2.4.439. S2CID 120779674.
↑ N. Courtois; M. Finiaz; N. Sendrier (2001). "How to Achieve a McEliece-Based Digital Signature Scheme". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. LNCS 2248. pp. 163–164. doi: 10.1007/3-540-45682-1_10 . ISBN 978-3-540-42987-6.
↑ Makoui, Farshid Haidary; Gulliver, Thomas Aaron; Dakhilalian, Mohammad (17 December 2022). "A new code-based digital signature based on the McEliece cryptosystem". IET Communications. 17 (10). Institution of Engineering and Technology (published 6 April 2023): 1199–1207. doi: 10.1049/cmu2.12607 .

External links

Attacking and defending the McEliece cryptosystem Daniel J. Bernstein and Tanja Lange and Christiane Peters

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Niederreiter-1] H. Niederreiter (1986). "Knapsack-type cryptosystems and algebraic coding theory". Problems of Control and Information Theory. Problemy Upravlenija I Teorii Informacii. 15: 159–166.

[SidelnikovS-2] V. M. Sidel'nikov & S. O. Shestakov (1992). "On the insecurity of cryptosystems based on generalized Reed-Solomon codes". Discrete Mathematics and Applications. 2 (4): 439–444. doi:10.1515/dma.1992.2.4.439. S2CID 120779674.

[CFS-3] N. Courtois; M. Finiaz; N. Sendrier (2001). "How to Achieve a McEliece-Based Digital Signature Scheme". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. LNCS 2248. pp. 163–164. doi: 10.1007/3-540-45682-1_10 . ISBN 978-3-540-42987-6.

[4] Makoui, Farshid Haidary; Gulliver, Thomas Aaron; Dakhilalian, Mohammad (17 December 2022). "A new code-based digital signature based on the McEliece cryptosystem". IET Communications. 17 (10). Institution of Engineering and Technology (published 6 April 2023): 1199–1207. doi: 10.1049/cmu2.12607 .

[1]

[2]

[3]

[4]