This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSII.2017.2675449, IEEE
Transactions on Circuits and Systems II: Express Briefs
Compact Constant Weight Coding Engines for the
Code Based Cryptography
Jingwei Hu, Ray C.C. Cheung Member, IEEE, Tim Güneysu Member, IEEE
Abstract—We present here a more memory efficient method for
encoding binary information into words of prescribed length and
weight. Existing solutions either require complicated float point
arithmetic or additional memory overhead making it a challenge
for resource constrained computing environment. The solution
we propose here solves these problems yet obtains better coding
efficiency by a memory efficient approximation of the critical
intermediate value in constant weight coding. For the time being,
the design presented in this work is the most compact one for
any code-based encryption schemes.
Index Terms—Code-based Cryptography, McEliece/Niederre-
iter Cryptosystem, Constant Weight Coding, FPGA Implemen-
tation.
I. I NTRODUCTION
OST modern public-key cryptographic systems rely on
M either the integer factorization or discrete logarithm
problem, both of which would be easily solvable on large
enough quantum computers using Shor’s algorithm [1]. The
upcoming breakthroughs of powerful quantum computers have
shown their potential in computing solutions to the problems
mentioned above [2]. The cryptographic research community
has recognized the urgency of this challenge and begun to
settle their security on alternative hard problems in the last
years, such as multivariate-quadratic, lattice-based and code-
based cryptosystems [3], [4]. We address in this paper the
problem of encoding information into binary words of pre-
scribed length and Hamming weight in resource-constrained
computing environment, e.g. reconfigurable hardware, embed-
ded microcontrol systems, etc. This is of interest, in particular,
when one wishes to efficiently implement McEliece’s scheme
[5] or Niederreiter’s scheme [6], the most promising candidates
for code-based cryptography.
For Niederreiter/McEliece encryption, one needs to convert
any binary stream of plaintext into the form of constant weight
words. Constant weight means that the number of ‘1’ in the
binary plaintext must be an constant. The exact solution [7]
of constant weight coding requires the computation of large
binomial coefficients and has a quadratic complexity though
it is optimal as a source coding algorithm. In [8], Sendrier
proposed the first solution with a linear complexity using Huff-
man codes. Afterwards, the author of [8] improves its coding
efficiency very close to 1 by exploiting Goloumb’s run-length
J. Hu and R. Cheung are with the Department of Electronic Engineering,
City University of Hong Kong, Hong Kong e-mail: j.hu@my.cityu.edu.hk;
r.cheung@cityu.edu.hk. T. Güneysu is with the Department of Mathe-
matics and Computer Science, University of Bremen, Germany e-mail:
tim.gueneysu@uni-bremen.de
Manuscript received XX XX, 2016; revised XX XX, 2016.
1549-7747 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
1
encoding method [9]. His proposal is fairly easy to implement
and runs in linear time. The price to pay is the variable length
encoding [10]. He also proposed an approximation method
in this paper by restricting the value of d to the power of
two. This method greatly simplifies the encoding process and
improves coding throughput. Heyse et al. [11], [12] followed
this up and proposed to adapt the approximation method from
[10] for embedded system applications.
However, we find the method derived by Heyse et al. is
not applicable for large parameter sets of the Niederreiter
scheme [13]–[15]. Their design maintains a lookup table of
pre-stored data with space complexity of O(n) to encode
input messages into constant weight words. This table is still
quite big for small embedded systems making their design less
unscalable if n is large. For instance, the classical code based
signature — CFS signature scheme [13] exploits very large
Goppa code and it requires to compress the lengthy constant
weight signatures (n = 216 , 218 and 220 ) into binary stream.
MDPC-McEliece/Niederreiter encryption [16] uses very large
n for practical security levels: n is set to 19712 for 128-bit
security and 65536 for 256-bit security. Recently, Baldi et al.
proposed a novel LDGM sparse syndrome signature scheme
[17] which also requires a large constant weight coding during
the signature generation. At the time being, we do not have a
considerably lightweight yet efficient solution for the constant
weight encoding when considering these applications.
The purpose of this work is to propose yet another ef-
ficient constant weight coding engine for all possible se-
cure parameters of the code-based cryptosystems proposed
in literature. Our contributions include: We propose a new
approximation method for computing a critically important
value d in constant weight coding without complicated float
point arithmetic and memory footprint. This method allows
us to implement a compact yet fast constant weight encoder
for resource-constrained computing environment. We improve
the coding efficiency from the point view of source coding by
fine-tuning the optimal precision for computing the value of d,
when compared with other approximation methods. Our secure
implementation of Niederrieter encryptor by integrating the
proposed constant weight encoder can encrypt approximately
1 million plaintexts per second on a Xilinx Virtex-6 FPGA,
requiring 183 slices and 18 memory blocks.
The rest of the paper is structured as follows. We will first
revisit Sendrier’s proposal of constant weight coding and its
approximation variant [10] in Section II. This motivates us
to propose a new approximation method and to fine tune it
for an optimal source coding performance, presented in Sec-
tion III. Section IV describe our actual implementations for the
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSII.2017.2675449, IEEE
Transactions on Circuits and Systems II: Express Briefs
2

proposed constant weight encoder/decoder and Niederrieter
encryption unit. Our results compared with the state of arts
are presented in Section V. Section VI concludes this paper.
returns an integer such that 1 ≤ best d(n, t) ≤ n − t and
Sendrier suggested to choose it close to the number d =
(n − t−1
2 )(1 − 2 1t ) to obtain high coding efficiency. Sendrier
1

also presented an approximation of the best d where the values

II. S ENDRIER ’ S METHODS FOR CONSTANT WEIGHT of d was restricted to power of two [10]. More precisely,
CODING best d(n, t) is first computed via d = (n − t−1 2 )(1 − 1 )
1
2t
Sendrier presented an algorithm for encoding binary infor- and then round to 2⌈log2 (d)⌉ . This method greatly simplifies
mation into words of prescribed length and weight [10]. His the functions of encodefd(·) and decodefd(·) and therefore
encoding algorithm returns a t-tuple (δ1 , δ2 , . . . , δt ) in which gives a significant advantage in speed while the loss of
δi s are the lengths of the longest strings of consecutive ‘0’s. coding efficiency is very limited. The simplified versions of
This method is easy to implement and has linear complexity encoding and decoding with encodefd(·) and decodefd(·) after
with a small loss of information efficiency. In this work, approximation are described as encodefd(δ, d) = base2 (δ, u)
we unfolded the recursive encoding and decoding algorithm and decodefd(d, B) = read(B, u) where base2 (δ, u) denotes
originated from [10], in Algorithm 1 and Algorithm 2. the u least significant bits of the integer δ written in base
2 and u = ⌈log2 (d)⌉. For the above two equations, one
Algorithm 1: Encode Binary String to Constant Weight should particularly pay attention to the case of d = 1, the
Word (Bin2CW) minimum allowed value of d. In this case we have u = 0
Input: message length n, message weight t and a binary stream and therefore we artificially define that base2 (δ, 0) = null
B and read(B, 0) = 0 for ensuring our algorithm works for all
Output: a t-tuple ∆ = (δ1 , δ2 , . . . , δt )
1 δ = 0, index = 1 possible u.
2 while t > 0 do
3 if n ≤ t then III. P ROPOSED APPROXIMATION METHOD OF d
4 t−−, n−− A. Reduce memory footprint and computational steps
5 δindex = δ
6 δ = 0, index++ The most crucial step of constant weight encoding & decod-
7 else ing is to compute the value of d, which requests floating-point
8 d = best d(n, t) arithmetic. However, many embedded/hardware systems do
9 if read(B, 1) = 1 then not have dedicated floating-point units for such computations.
10 n−= d, δ+= d
11 else [12] proposed to replace floating-point units by a lookup table
12 i = decodefd(d, B) for reconfigurable hardware. The problem of their method is
13 δindex = δ + i that, for some (n, t), the lookup table could be large. For
14 n−= (i + 1), t−−, δ = 0, index++ example, (n = 216 , t = 9) requests the size of lookup table
should be 256 Kb, which is obviously not a negligible memory
15 return (δ1 , . . . , δt ) overhead for embedded systems.
To solve this problem, we propose to replace such table
look up by computing d directly using fixed point arithmetic.
Algorithm 2: Decode Constant Weight Word to Binary We split the computation of d into two parts. The first part
1
String (CW2Bin) — θ[t] = (1 − 1/2 t ) is pre-computed and stored in the
Input: n, t and a t-tuple ∆ = (δ1 , δ2 , . . . , δt ) fixed-point format. The second part (n − t−1 2 ) · θ is then
Output: a binary string B efficiently calculated by a fixed-point multiplier. In this fashion
1 index = 1 we notably shrink the size of look-up table from O(n) to O(t)
2 while t != 0 and n > t do . Furthermore, we substitute (n − t−1
3 d = best d(n, t) 2 ) by n based on the
4 if δindex ≥ d then following observations:
• n ≫ t such that n − 2 ≈ n
t−1
5 n−= d, δindex −= d
6 write(B, 1) • Eventually d must be round to an integer and hence the
7 else difference between (n − t−1 2 )θ and nθ is very likely to
8 write(B, 0)
be ignored.
9 write(B, encodefd(δindex , d))
10 n−= (δindex + 1), t−−, index++ This replacement allows us to remove the computational steps
of n − (t − 1)/2 and therefore a faster and simpler imple-
11 return B mentation of constant coding using a single multiplication is
achievable.
We use the same notations from [10] in the above two In summary, our new proposal of the approximation of d
1
algorithms to keep consistency. For example, read(B, i) moves is as d = ⌊n · θ[t]⌋ where θ[t] = (1 − 1/2 t ) is a function
forward and reads i bits in the stream B and returns the integer of t and pre-computed for embedded/hardware designs. Our
whose binary decomposition has been read, most significant new approximation of d is more compact, requiring only one
bit first; write(B, i) moves forward and writes the binary multiplication instead. In the following, we will show this
string i into the stream B; encodefd(δindex , d) returns a binary method also achieves reasonable high coding efficiency as a
string and decodefd(d, B) returns an integer; best d(n, t) source coding algorithm.

1549-7747 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSII.2017.2675449, IEEE
Transactions on Circuits and Systems II: Express Briefs
3

B. Represent θ[t] in fixed-point format bound measures the coding efficiency [10]. It is also worth
As aforementioned, θ[t] is an array of fractional numbers mentioning that for (n = 220 , t = 8), the performance of
and should be stored in fixed-point format. Note that the our proposal falls slightly behind with only 0.68% of loss
integer part of θ[t] must be 0 and therefore we only need when compared with the Sendrier’s method, it nonetheless
to preserve its fractional part. Hereafter, we denote our fixed- outruns Sendrier’s approximation and Heyse’s approximation.
point format as fixed 0 i, where i indicates the bits we have In particular, the performance of Heyse’s approximation turns
used for storing the fractional part of θ[t]. out to be unfavourable with 56.73% loss and we are pushing
In practice, we hope to use fixed 0 i with the smallest i the limits of Heyse’s method here as the lower bits of n are
while maintaining desirable coding efficiency. Smaller i means innegligible and cannot be removed with such large n.
lower data storage and also a simpler multiplication, which
is particularly advisable for resource-constrained computing IV. P ROPOSED CONSTANT WEIGHT ENCODER AND
platforms. Indeed, one of the key issues of this paper is to DECODER
determine the best fixed 0 i for θ[t]. In the next section, we The most critical arithmetic unit is the best d module which
describe our experiments on exploring the optimal fixed 0 i. computes the best value of d according to the input n and t.
With our proposal of computation of best d, it consists of
C. Find the optimal precision for constant weight encoding three stages performing the following task:
The purpose of the precision tuning is to find the lowest 1) compute θ[t] via a priority encoder. As discussed in
precision that still maintains a relative high coding efficiency. previous section, format fixed 0 6 is used to represent
A lower precision means we can use a multiplier of smaller θ[t] for (n = 210 , t = 38) and (n = 211 , t = 27) and
operand size leading to better path delay and slice utilization. fixed 0 4 is used for (n = 216 , t = 9) and (n = 220 , t =
A higher coding efficiency means one can encode more bits 8). We find by analysis that for some t, the values of
from the source into a constant weight word. This is of interest, θ[t] are identical, driving us to exploit priority encoder
in particular, when someone encrypts a relatively large file to simplify the encoding of θ[t].
using code-based crypto: It takes much less time for encryption 2) compute n · θ[t] via a fixed point multiplier. We
if we have a high coding efficiency close to 1. configured the Xilinx LogiCORE IP to implement high-
To find the optimal precision of fixed 0 i, we studied performance, optimized multipliers for different n and
how different i could affect the coding efficiency. In our t. The fractional part of the multiplication result is
experiments, we investigated all possible precision from f- truncated and its integer part is preserved for the next
p 0 32 to fp 0 1 to compare with the Sendrier’s methods [10] stage to process.
and Heyse’s approximate version [11]. Table I compares our 3) output the value of d and u. Recall that the value of
n · θ[t] must be round to d = 2u . Here again another
TABLE I: The coding performance of the optimal d chosen priority encoder is used to decode the integer part of
from our approximation method n · θ[t].
avg. number coding efficiency
n, t method A. Bin2CW encoding and decoding engine
of bits read efficiency improved
origin. [10] 229.34 99.54% — Figure 1 depicts the architecture of the proposed constant
10 approx. [10] 225.52 97.86% -1.68% weight encoder. Input binary message is passed inwards using
2 , 38
approx. [12] 221.51 96.12% -3.42%
n*fixed 0 6 227.29 98.65% -0.89% a non-symmetric 8-to-1 FIFO which imitates the function of
origin. [10] 202.74 99.58% — read(B, 1). We use a serial-in-parallel-out shift register to
approx. [10] 199.62 98.04% -1.54% perform read(B, u), 0 ≤ u ≤ ⌈log2 ( n2 )⌉. The proposed best d
211 , 27
approx. [12] 199.83 98.14% -1.44% module is exploited here to compute the value of d. The values
n*fixed 0 6 200.27 98.36% -1.22% of n, t, δ are accordingly updated using three registers.
origin. [10] 125.24 99.79% —
approx. [10] 123.13 98.09% -1.70%
Figure 2 depicts the architecture of the proposed constant
216 , 9 weight decoder. A m-to-m bit FIFO is used instead to transfer
approx. [12] 119.67 95.33% -4.46%
n*fixed 0 4 124.27 99.02% -0.77% the input t-tuple word by word. This logic is actually the bottle
origin. [10] 144.41 99.80% — neck in the constant weight decoder when compared with the
approx. [10] 142.59 98.54% -1.26% encoder. We similarly use three registers to update the values
220 , 8
approx. [12] 62.30 43.06% -56.73%
of n, t, δ. The major difference is that the shift register here
n*fixed 0 4 143.41 99.11% -0.68%
outputs the value of δ bit by bit as step 9 of Algorithm 2
proposed methods with the Sendrier’s [10], Sendrier’s original requires.
approximation using power of 2 [10] and Heyse’s table lookup
approximation [11]. From this table it is seen that our proposal B. Integrating with the Niederreiter encryptor
is the closest approximation of Sendrier’s method among all In this section, we demonstrate how the proposed Bin2CW
five parameter sets used for the Niederreiter scheme. Note that encoder can integrate with the Niederrieter encryptor for data
the average number of bits we have to read before producing
( ) encryption, shown in Algorithm 3.
the constant weight words is upper bound by log2 nt and The Bin2CW encoder is used to perform the first step in
the thus the ratio of the average number read and the upper this algorithm. Recall that Bin2CW encoder returns a t-tuple

1549-7747 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSII.2017.2675449, IEEE
Transactions on Circuits and Systems II: Express Briefs
4

&::RUG
,1,7 %(67BG

$''5
!"&
!"# 5RZ
5($'B 5($'B

!"$
!"&
!"% '() &(
0HVVDJHELWV
ELW5HJLVWHU
,QLWLDO ,QLWLDO
YDOXH YDOXH

!"# !"$ !"% ELW5HJLVWHU

ELW,QWHJHU$GGHU

ELW*)$GGHU

!"

Fig. 1: General architecture of CW encoder

Fig. 3: Block diagram of the Niederrieter encryptor.

integer ranging from 0 to n − t but the constant weight word

!"& ,1,7 %(67BG exactly ranges from 0 to n. That is to say, the last t rows of
!"# the public key Ĥ T are never used.
!"$
!"%
To fix this flaw from [12], we propose to return the ‘real’
),+ )*+
!"( constant weight binary words of length n and Hamming
!"' weight t. Suppose the constant weight are represented by
,QLWLDO ,QLWLDO
(i1 , . . . , it ), the coordinates of the ‘1’s in ascending order, then
YDOXH YDOXH
we compute i1 = δ1 , i2 = δ2 + i1 + 1, . . ., it = δt + it−1 + 1
as the input of the second step, Algorithm 3.
!"# !"$ !"% Figure 3 depicts our revised version of Niederreiter encryp-
tion unit on the basis of [12]. The public key Ĥ T is stored in
an internal BRAM and row-wise addressed by the output of
the 11 bit register. Two 11-bit integer adders are embedded
!"(
to convert (δ1 , . . . , δt ) to (i1 , . . . , it ) which are eventually
!"& !"'
stored in the 11 bit register. The vector-matrix multiplication
in step 2, Algorithm 3 is equivalent to the summation of
XOR operations of selected rows of Ĥ T , denoted here as a
GF (2297 ) adder in this figure. It is also worth mentioning
Fig. 2: General architecture of CW decoder that the vector-matrix multiplication work concurrently with
CW encoding: Whenever a valid ik has been computed, it is
Algorithm 3: Niederreiter Message Encryption transferred to the GF (2297 ) adder summing up the selected
rows. After the last it has been computed, the last indexed
Input: message vector m, public key pk ={Ĥ,t} where Ĥ is
an n by mt matrix row of Ĥ T also has been added to the sum. This sum, stored
Output: ciphertext c in the 297-bit register, is now available as the ciphertext.
1 Bob encodes the message m as a binary matrix/vector of length
n and weight at most t.
2 Bob computes the ciphertext as c = ĤmT , mT is the transpose
V. R ESULTS AND COMPARISONS
of matrix m. We captured our constant weight coding architecture in
3 return c
the Verilog language and prototyped our design on Xilinx
Virtex-6 FPGA (Table II). To the best of our knowledge, the
only compact implementations of constant weight coding have
of integers (δ1 , . . . , δt ), which records the distance between been proposed by Heyse et al. [12]. We fairly compare our
consecutive ’1’s in the string. However such t-tuple cannot work with theirs and with the software implementation from
be directly transferred to compute the ciphertext. We believe Sendrier [10], shown in Table II.
that the way Heyse et al. [12] encrypts c = ĤmT with m = We observe that in our designs, the memory footprint stays
(δ1 , . . . , δt ) is incorrect due to two reasons: First, it is very constantly low and the high clock frequency also maintains
likely that δi = δj where i ̸= j such that the number of as the parameters grow. This is because the main difference
errors are less than t and it is assumed to be insecure from among encoders or decoders with different parameters n and
cryptoanalysis points of view. Second, (δ1 , . . . , δt ) returns the t is the operand size of multiplier embedded in the best d

1549-7747 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCSII.2017.2675449, IEEE
Transactions on Circuits and Systems II: Express Briefs
5

TABLE II: Compact implementations of CW encoder and decoder on Xilinx Virtex-6 FPGA
Area Memory Frequency Throughout Coding
n, t Method Coding aspects Platform
[slices] blocks [MHz] [Mbps] efficiency
Bin2CW, new approx. 91 0+1 350 190.9
This work Xilinx xc6vlx240t 98.36%
CW2Bin, new approx. 95 0+1 340 172.0
11 Bin2CW, Heyse’s approx. 118 0+1 340 218.1
n=2 , t = 27 Heyse et al. [12] Xilinx xc6vlx240t 98.14%
CW2Bin, Heyse’s approx. 110 0+1 340 172.2
∗ Bin2CW, original 18.0 99.58%
Sendrier [10] Intel Pentium 4 — — 2400
Bin2CW, approximate 35.1 98.04%
Bin2CW, new approx. 103 0+1 440 322.0
This work Xilinx xc6vlx240t 99.02%
CW2Bin, new approx. 109 0+1 310 216.9
Bin2CW, Heyse’s approx. 90 10+3 240 187.5
n = 216 , t = 9 Heyse et al. [12] Xilinx xc6vlx240t 95.33%
CW2Bin, Heyse’s approx. 90 10+3 230 175.2
Bin2CW, original 18.4 99.79%
Sendrier [10] Intel Pentium 4 — — 2400
Bin2CW, approximate 23.0 98.09%

∗ Sendrier implemented a different but very close parameter set n = 211 , t = 30. We also put it here for reference.

TABLE III: FPGA Implementation results of Niederreiter en- the Niederreiter encryptor on a Xilinx device. Experiments
cryption with n = 2048, t = 27 compared with [12] after PAR show that our lightweight implementation of Niederrieter
Aspect (Virtex6-VLX240) Niederreiter [12] This work encrypting unit can encrypt approximately 1 million plaintexts
Slices 315 183 per second on a Xilinx Virtex-6 FPGA, requiring 183 slices
LUTs 926 505 and 18 memory blocks.
FFs 875
BRAMs 17
Frequency 300 MHz
CW Encode e = Bin2CW(m) ≈ 200 cycles
Encrypt c = e · Ĥ ≈ 200 cycles
Area×Time ≈ 210
∗ We
used 16×36Kb RAMs and 2×16Kb RAMs
module, which grows logarithmically from 11bit × 6bit to
16bit × 4bit. On the other hand, the memory overhead of
Heyse’s implementations grow linearly with n and might be
problematic when n is large as aforementioned. To show this,
we re-implemented Heyse’s work for (n = 216 , t = 9). The
experimental results verifies this point. Additionally, another
negative side effect of heavy memory overhead is that the
working frequency of circuits drops rapidly as shown in
Table II. For large parameters (Table II (b)), such look up table
is extremely large by consuming 13 memory blocks, leading
to slower speed due to relatively far and complicated routing.
These block memories are the real bottleneck of Heyse’s work
as n grows.
We finally implemented the Niederreiter encryptor, a cryp-
tographic application where constant weight coding is used
exactly as mentioned in Section IV. Table III compares our
work with the state of art [12]. Our new implementation is the
most compact one with better area-time tradeoffs. We use the
same block memory as [12] did where 16 × 36Kb + 1 × 18Kb
RAMs are utilized to store the public key matrix Ĥ, and one
18Kb RAM for the 8-to-1 FIFO within the constant weight
encoder.
VI. C ONCLUSION
We proposed a new method of determining the optimal
value d in constant weight coding. This method enabled a
more compact yet efficient implementation of constant weight
encoder and decoder for resource-constrained computing sys-
tems. Afterwards, we exploited this new encoder to implement
498
18∗
340 MHz R EFERENCES
349.1 cycles [1] P. W. Shor, “Polynomial-time algorithms for prime factorization and dis-
352.1 cycles crete logarithms on a quantum computer,” SIAM journal on computing,
189.5 vol. 26, no. 5, pp. 1484–1509, 1997.
[2] N. Xu, J. Zhu, D. Lu, X. Zhou, X. Peng, and J. Du, “Quantum
factorization of 143 on a dipolar-coupling nuclear magnetic resonance
system,” Phys. Rev. Lett., vol. 108, p. 130501, Mar 2012.
[3] D. J. Bernstein, “Introduction to post-quantum cryptography,” in Post-
Quantum Cryptography. Springer, 2009, pp. 1–14.
[4] R. Overbeck and N. Sendrier, “Code-based cryptography,” in Post-
quantum cryptography. Springer, 2009, pp. 95–145.
[5] R. J. McEliece, “A public-key cryptosystem based on algebraic coding
theory,” DSN progress report, vol. 42, no. 44, pp. 114–116, 1978.
[6] H. Niederreiter, “Knapsack-type cryptosystems and algebraic coding
theory,” Pproblems Of Control and Information Theory-Problemy Up-
ravleniya I Thorii Informatsii, vol. 15, no. 2, pp. 159–166, 1986.
[7] T. M. Cover, “Enumerative source encoding,” IEEE Transactions on
Information Theory, vol. 19, no. 1, pp. 73–77, 1973.
[8] N. Sendrier, “Efficient generation of binary words of given weight,” in
Cryptography and Coding. Springer, 1995, pp. 184–187.
[9] G. Goloumb, “Run length encoding,” IEEE Transactions on Information
Theory, vol. 12, pp. 399–401, 1966.
[10] N. Sendrier, “Encoding information into constant weight words,” in
2005 IEEE International Symposium on Information Theory Proceedings
(ISIT). IEEE, 2005, pp. 435–438.
[11] S. Heyse, “Low-reiter: Niederreiter encryption scheme for embedded
microcontrollers,” in Post-Quantum Cryptography. Springer, 2010, pp.
165–181.
[12] S. Heyse and T. Güneysu, “Towards one cycle per bit asymmet-
ric encryption: code-based cryptography on reconfigurable hardware,”
in Cryptographic Hardware and Embedded Systems–CHES 2012.
Springer, 2012, pp. 340–355.
[13] N. T. Courtois, M. Finiasz, and N. Sendrier, “How to achieve a Mceliece-
based digital signature scheme,” in Advances in Cryptology-ASIACRYPT
2001. Springer, 2001, pp. 157–174.
[14] G. Landais and N. Sendrier, “Implementing cfs,” in Progress in Cryptol-
ogy - INDOCRYPT 2012: 13th International Conference on Cryptology.
Springer, 2012, pp. 474–488.
[15] M. Finiasz, “Parallel-CFS,” in Selected areas in cryptography. Springer,
2011, pp. 159–170.
[16] R. Misoczki, J.-P. Tillich, N. Sendrier, and P. S. Barreto, “MDPC-
Mceliece: New Mceliece variants from moderate density parity-check
codes,” in 2013 IEEE International Symposium on Information Theory
Proceedings (ISIT). IEEE, 2013, pp. 2069–2073.
[17] M. Baldi, M. Bianchi, F. Chiaraluce, J. Rosenthal, and D. Schipani, “Us-
ing LDGM codes and sparse syndromes to achieve digital signatures,”
in Post-quantum cryptography. Springer, 2013, pp. 1–15.

1549-7747 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.