doxygen/cmce__poly_8cpp_source.html

/*

 * Classic McEliece Polynomials

 * Based on the public domain reference implementation by the designers

 * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)

 *

 * (C) 2023 Jack Lloyd

 *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 **/


#include <botan/internal/cmce_poly.h>

#include <botan/internal/ct_utils.h>

#include <botan/internal/stl_util.h>


namespace Botan {


Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF a) const {

   BOTAN_DEBUG_ASSERT(a.modulus() == coef_at(0).modulus());


   Classic_McEliece_GF r(CmceGfElem(0), a.modulus());

   for(auto it = m_coef.rbegin(); it != m_coef.rend(); ++it) {

      r *= a;

      r += *it;

   }


   return r;

}

Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF a) const  {…}


Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::multiply(const Classic_McEliece_Polynomial& a,

                                                                       const Classic_McEliece_Polynomial& b) const {

   std::vector<Classic_McEliece_GF> prod(m_t * 2 - 1, {CmceGfElem(0), m_poly_f});


   for(size_t i = 0; i < m_t; ++i) {

      for(size_t j = 0; j < m_t; ++j) {

         prod.at(i + j) += (a.coef_at(i) * b.coef_at(j));

      }

   }


   for(size_t i = (m_t - 1) * 2; i >= m_t; --i) {

      for(auto& [idx, coef] : m_position_map) {

         prod.at(i - m_t + idx) += coef * prod.at(i);

      }

   }


   prod.erase(prod.begin() + m_t, prod.end());


   return Classic_McEliece_Polynomial(std::move(prod));

}

Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::multiply(const Classic_McEliece_Polynomial& a, {…}


Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_bytes(

   std::span<const uint8_t> bytes) const {

   BOTAN_ARG_CHECK(bytes.size() == m_t * 2, "Correct input size");

   return create_element_from_coef(load_le<std::vector<CmceGfElem>>(bytes));

}


Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_coef(

   const std::vector<CmceGfElem>& coeff_vec) const {

   std::vector<Classic_McEliece_GF> coeff_vec_gf;

   CmceGfElem coeff_mask = CmceGfElem((uint16_t(1) << Classic_McEliece_GF::log_q_from_mod(m_poly_f)) - 1);

   std::transform(coeff_vec.begin(), coeff_vec.end(), std::back_inserter(coeff_vec_gf), [&](auto& coeff) {

      return Classic_McEliece_GF(coeff & coeff_mask, m_poly_f);

   });

   return Classic_McEliece_Polynomial(coeff_vec_gf);

}


bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs,

                const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& rhs) {

   return lhs.coeff == rhs.coeff && lhs.idx == rhs.idx;

}

bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs, {…}


std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(

   StrongSpan<const CmceIrreducibleBits> seed) const {

   auto polynomial = create_element_from_bytes(seed);

   std::vector<Classic_McEliece_Polynomial> mat;


   mat.push_back(create_element_from_coef(concat<std::vector<CmceGfElem>>(

      std::vector<CmceGfElem>{CmceGfElem(1)}, std::vector<CmceGfElem>(degree() - 1, CmceGfElem(0)))));


   mat.push_back(polynomial);


   for(size_t j = 2; j <= degree(); ++j) {

      mat.push_back(multiply(mat.at(j - 1), polynomial));

   }


   // Gaussian

   for(size_t j = 0; j < degree(); ++j) {

      for(size_t k = j + 1; k < degree(); ++k) {

         auto cond = GF_Mask::is_zero(mat.at(j).coef_at(j));


         for(size_t c = j; c < degree() + 1; ++c) {

            mat.at(c).coef_at(j) += cond.if_set_return(mat.at(c).coef_at(k));

         }

      }


      const bool is_zero_at_diagonal = mat.at(j).coef_at(j).is_zero();

      CT::unpoison(is_zero_at_diagonal);

      if(is_zero_at_diagonal) {

         // Fail if not systematic. New rejection sampling iteration starts.

         return std::nullopt;

      }


      auto inv = mat.at(j).coef_at(j).inv();


      for(size_t c = j; c < degree() + 1; ++c) {

         mat.at(c).coef_at(j) *= inv;

      }


      for(size_t k = 0; k < degree(); ++k) {

         if(k != j) {

            const auto t = mat.at(j).coef_at(k);


            for(size_t c = j; c < degree() + 1; ++c) {

               mat.at(c).coef_at(k) += mat.at(c).coef_at(j) * t;

            }

         }

      }

   }


   auto minimal_poly_coeffs = mat.at(degree()).coef();

   // Add coefficient 1 since polynomial is monic

   minimal_poly_coeffs.emplace_back(CmceGfElem(1), poly_f());


   return Classic_McEliece_Minimal_Polynomial(std::move(minimal_poly_coeffs));

}

std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial( {…}


secure_vector<uint8_t> Classic_McEliece_Minimal_Polynomial::serialize() const {

   BOTAN_ASSERT_NOMSG(!coef().empty());

   auto& all_coeffs = coef();

   // Store all except coef for monomial x^t since polynomial is monic (ISO Spec Section 9.2.9)

   auto coeffs_to_store = std::span(all_coeffs).first(all_coeffs.size() - 1);

   secure_vector<uint8_t> bytes(sizeof(uint16_t) * coeffs_to_store.size());

   BufferStuffer bytes_stuf(bytes);

   for(auto& coef : coeffs_to_store) {

      store_le(bytes_stuf.next<sizeof(CmceGfElem)>(), coef.elem().get());

   }

   BOTAN_ASSERT_NOMSG(bytes_stuf.full());

   return bytes;

}

secure_vector<uint8_t> Classic_McEliece_Minimal_Polynomial::serialize() const  {…}


Classic_McEliece_Minimal_Polynomial Classic_McEliece_Minimal_Polynomial::from_bytes(std::span<const uint8_t> bytes,

                                                                                    CmceGfMod poly_f) {

   BOTAN_ASSERT_NOMSG(bytes.size() % 2 == 0);

   const auto coef_vec = load_le<std::vector<CmceGfElem>>(bytes);

   std::vector<Classic_McEliece_GF> coeff_vec_gf;

   std::transform(coef_vec.begin(), coef_vec.end(), std::back_inserter(coeff_vec_gf), [poly_f](auto& coeff) {

      return Classic_McEliece_GF(coeff, poly_f);

   });


   coeff_vec_gf.emplace_back(CmceGfElem(1), poly_f);  // x^t as polynomial is monic


   return Classic_McEliece_Minimal_Polynomial(coeff_vec_gf);

}

Classic_McEliece_Minimal_Polynomial Classic_McEliece_Minimal_Polynomial::from_bytes(std::span<const uint8_t> bytes, {…}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59

BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29

Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:142

Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:150

Botan::BufferStuffer::full
constexpr bool full() const
Definition stl_util.h:187

Botan::Classic_McEliece_GF
Represents an element of the finite field GF(q) for q = 2^m.
Definition cmce_gf.h:30

Botan::Classic_McEliece_GF::log_q_from_mod
static size_t log_q_from_mod(CmceGfMod modulus)
Get m.
Definition cmce_gf.h:54

Botan::Classic_McEliece_GF::modulus
CmceGfMod modulus() const
Get the modulus f(z) of GF(q) as a GF_Mod.
Definition cmce_gf.h:75

Botan::Classic_McEliece_Minimal_Polynomial
Representation of a minimal polynomial in GF(q)[y].
Definition cmce_poly.h:81

Botan::Classic_McEliece_Minimal_Polynomial::serialize
secure_vector< uint8_t > serialize() const
Serialize the polynomial to bytes according to ISO Section 9.2.9.
Definition cmce_poly.cpp:127

Botan::Classic_McEliece_Minimal_Polynomial::from_bytes
static Classic_McEliece_Minimal_Polynomial from_bytes(std::span< const uint8_t > bytes, CmceGfMod poly_f)
Create a polynomial from bytes according to ISO Section 9.2.9.
Definition cmce_poly.cpp:141

Botan::Classic_McEliece_Minimal_Polynomial::Classic_McEliece_Minimal_Polynomial
Classic_McEliece_Minimal_Polynomial(std::vector< Classic_McEliece_GF > coef)
Definition cmce_poly.h:83

Botan::Classic_McEliece_Polynomial_Ring::multiply
Classic_McEliece_Polynomial multiply(const Classic_McEliece_Polynomial &a, const Classic_McEliece_Polynomial &b) const
Definition cmce_poly.cpp:30

Botan::Classic_McEliece_Polynomial_Ring::poly_f
CmceGfMod poly_f() const
Definition cmce_poly.h:130

Botan::Classic_McEliece_Polynomial_Ring::degree
size_t degree() const
The degree of polynomials in this ring (and of F(y)).
Definition cmce_poly.h:135

Botan::Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial
std::optional< Classic_McEliece_Minimal_Polynomial > compute_minimal_polynomial(StrongSpan< const CmceIrreducibleBits > seed) const
Compute the minimal polynomial g of polynomial created from a seed.
Definition cmce_poly.cpp:72

Botan::Classic_McEliece_Polynomial
Representation of a Classic McEliece polynomial.
Definition cmce_poly.h:32

Botan::Classic_McEliece_Polynomial::coef
const std::vector< Classic_McEliece_GF > & coef() const
Get the entire coefficients vector of the polynomial.
Definition cmce_poly.h:59

Botan::Classic_McEliece_Polynomial::operator()
Classic_McEliece_GF operator()(Classic_McEliece_GF a) const
Evaluate the polynomial P(x) at a given point a, i.e., compute P(a).
Definition cmce_poly.cpp:18

Botan::Classic_McEliece_Polynomial::coef_at
Classic_McEliece_GF & coef_at(size_t i)
Get the coefficient of the i-th monomial as a reference (from low to high degree).
Definition cmce_poly.h:49

Botan::GF_Mask::is_zero
static GF_Mask is_zero(Classic_McEliece_GF v)
Definition cmce_gf.h:162

Botan::StrongSpan
Definition strong_type.h:638

Botan::Strong< uint16_t, struct CmceGfElem_ >

Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64

Botan
Definition alg_id.cpp:13

Botan::CmceGfElem
Strong< uint16_t, struct CmceGfElem_ > CmceGfElem
Represents a GF(q) element.
Definition cmce_types.h:19

Botan::store_le
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:764

Botan::operator==
bool operator==(const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2)
Definition alg_id.cpp:54

Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263

Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:521

Botan::b
const SIMD_8x32 & b
Definition simd_avx2_gfni.h:63

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::Classic_McEliece_Polynomial_Ring::Big_F_Coefficient
Represents a non-zero coefficient of the modulus F(y) (which is in GF(q)[y]).
Definition cmce_poly.h:111

Botan::Classic_McEliece_Polynomial_Ring::Big_F_Coefficient::idx
size_t idx
Definition cmce_poly.h:112

Botan::Classic_McEliece_Polynomial_Ring::Big_F_Coefficient::coeff
Classic_McEliece_GF coeff
Definition cmce_poly.h:113