Botan 3.10.0
Crypto and TLS for C&
polyn_gf2m.cpp
Go to the documentation of this file.
1/*
2 * (C) Copyright Projet SECRET, INRIA, Rocquencourt
3 * (C) Bhaskar Biswas and Nicolas Sendrier
4 *
5 * (C) 2014 cryptosource GmbH
6 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
7 * (C) 2015 Jack Lloyd
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 *
11 */
12
13#include <botan/internal/polyn_gf2m.h>
14
15#include <botan/exceptn.h>
16#include <botan/rng.h>
17#include <botan/internal/code_based_util.h>
18#include <botan/internal/loadstor.h>
19
20namespace Botan {
21
22// NOLINTBEGIN(*-implicit-bool-conversion)
23
24namespace {
25
26gf2m generate_gf2m_mask(gf2m a) {
27 gf2m result = (a != 0);
28 return ~(result - 1);
29}
30
31/**
32* number of leading zeros
33*/
34unsigned nlz_16bit(uint16_t x) {
35 if(x == 0) {
36 return 16;
37 }
38 unsigned n = 0;
39 if(x <= 0x00FF) {
40 n = n + 8;
41 x = x << 8;
42 }
43 if(x <= 0x0FFF) {
44 n = n + 4;
45 x = x << 4;
46 }
47 if(x <= 0x3FFF) {
48 n = n + 2;
49 x = x << 2;
50 }
51 if(x <= 0x7FFF) {
52 n = n + 1;
53 }
54 return n;
55}
56
57} // namespace
58
59int polyn_gf2m::calc_degree_secure() const {
60 int i = static_cast<int>(this->m_coeff.size()) - 1;
61 int result = 0;
62 uint32_t found_mask = 0;
63 uint32_t tracker_mask = 0xffff;
64 for(; i >= 0; i--) {
65 found_mask = expand_mask_16bit(this->m_coeff[i]);
66 result |= i & found_mask & tracker_mask;
67 // tracker mask shall become zero once found mask is set
68 // it shall remain zero from then on
69 tracker_mask = tracker_mask & ~found_mask;
70 }
71 const_cast<polyn_gf2m*>(this)->m_deg = result;
72 return result;
73}
74
75gf2m random_gf2m(RandomNumberGenerator& rng) {
76 uint8_t b[2];
77 rng.randomize(b, sizeof(b));
78 return make_uint16(b[1], b[0]);
79}
80
81gf2m random_code_element(uint16_t code_length, RandomNumberGenerator& rng) {
82 if(code_length == 0) {
83 throw Invalid_Argument("random_code_element() was supplied a code length of zero");
84 }
85 const unsigned nlz = nlz_16bit(code_length - 1);
86 const gf2m mask = (1 << (16 - nlz)) - 1;
87
88 gf2m result = random_gf2m(rng) & mask;
89
90 while(result >= code_length) {
91 // rejection sampling
92 result = random_gf2m(rng) & mask;
93 }
94
95 return result;
96}
97
98polyn_gf2m::polyn_gf2m(const polyn_gf2m& other) = default;
99
100polyn_gf2m::polyn_gf2m(int d, const std::shared_ptr<GF2m_Field>& sp_field) :
101 m_deg(-1), m_coeff(d + 1), m_sp_field(sp_field) {}
102
103/**
104* doesn't save coefficients:
105*/
106void polyn_gf2m::realloc(uint32_t new_size) {
107 this->m_coeff = secure_vector<gf2m>(new_size);
108}
109
110polyn_gf2m::polyn_gf2m(const uint8_t* mem, uint32_t mem_len, const std::shared_ptr<GF2m_Field>& sp_field) :
111 m_deg(-1), m_sp_field(sp_field) {
112 if(mem_len % sizeof(gf2m)) {
113 throw Decoding_Error("illegal length of memory to decode ");
114 }
115
116 uint32_t size = (mem_len / sizeof(this->m_coeff[0]));
117 this->m_coeff = secure_vector<gf2m>(size);
118 this->m_deg = -1;
119 for(uint32_t i = 0; i < size; i++) {
120 this->m_coeff[i] = decode_gf2m(mem);
121 mem += sizeof(this->m_coeff[0]);
122 }
123 for(uint32_t i = 0; i < size; i++) {
124 if(this->m_coeff[i] >= (1 << sp_field->get_extension_degree())) {
125 throw Decoding_Error("error decoding polynomial");
126 }
127 }
128 this->get_degree();
129}
130
131polyn_gf2m::polyn_gf2m(const std::shared_ptr<GF2m_Field>& sp_field) : m_deg(-1), m_coeff(1), m_sp_field(sp_field) {}
132
133polyn_gf2m::polyn_gf2m(int degree,
134 const uint8_t* mem,
135 size_t mem_byte_len,
136 const std::shared_ptr<GF2m_Field>& sp_field) :
137 m_sp_field(sp_field) {
138 const uint32_t polyn_size = degree + 1;
139 if(polyn_size * sp_field->get_extension_degree() > 8 * mem_byte_len) {
140 throw Decoding_Error("memory vector for polynomial has wrong size");
141 }
142 this->m_coeff = secure_vector<gf2m>(degree + 1);
143 const gf2m ext_deg = static_cast<gf2m>(this->m_sp_field->get_extension_degree());
144 for(uint32_t l = 0; l < polyn_size; l++) {
145 uint32_t k = (l * ext_deg) / 8;
146
147 uint32_t j = (l * ext_deg) % 8;
148 gf2m a = mem[k] >> j;
149 if(j + ext_deg > 8) {
150 a ^= mem[k + 1] << (8 - j);
151 }
152 if(j + ext_deg > 16) {
153 a ^= mem[k + 2] << (16 - j);
154 }
155 a &= ((1 << ext_deg) - 1);
156 (*this).set_coef(l, a);
157 }
158
159 this->get_degree();
160}
161
162void polyn_gf2m::set_to_zero() {
163 clear_mem(this->m_coeff.data(), this->m_coeff.size());
164 this->m_deg = -1;
165}
166
167int polyn_gf2m::get_degree() const {
168 int d = static_cast<int>(this->m_coeff.size()) - 1;
169 while((d >= 0) && (this->m_coeff[d] == 0)) {
170 --d;
171 }
172 const_cast<polyn_gf2m*>(this)->m_deg = d;
173 return d;
174}
175
176namespace {
177
178gf2m eval_aux(const gf2m* /*restrict*/ coeff, gf2m a, int d, const std::shared_ptr<GF2m_Field>& sp_field) {
179 gf2m b = coeff[d--];
180 for(; d >= 0; --d) {
181 if(b != 0) {
182 b = sp_field->gf_mul(b, a) ^ coeff[d];
183 } else {
184 b = coeff[d];
185 }
186 }
187 return b;
188}
189
190} // namespace
191
192gf2m polyn_gf2m::eval(gf2m a) {
193 return eval_aux(this->m_coeff.data(), a, this->m_deg, this->m_sp_field);
194}
195
196// p will contain it's remainder modulo g
197void polyn_gf2m::remainder(polyn_gf2m& p, const polyn_gf2m& g) {
198 int i = 0;
199 int j = 0;
200 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
201 int d = p.get_degree() - g.get_degree();
202 if(d >= 0) {
203 gf2m la = m_sp_field->gf_inv_rn(g.get_lead_coef());
204
205 const int p_degree = p.get_degree();
206
207 BOTAN_ASSERT(p_degree > 0, "Valid polynomial");
208
209 for(i = p_degree; d >= 0; --i, --d) {
210 if(p[i] != 0) {
211 gf2m lb = m_sp_field->gf_mul_rrn(la, p[i]);
212 for(j = 0; j < g.get_degree(); ++j) {
213 p[j + d] ^= m_sp_field->gf_mul_zrz(lb, g[j]);
214 }
215 (*&p).set_coef(i, 0);
216 }
217 }
218 p.set_degree(g.get_degree() - 1);
219 while((p.get_degree() >= 0) && (p[p.get_degree()] == 0)) {
220 p.set_degree(p.get_degree() - 1);
221 }
222 }
223}
224
225std::vector<polyn_gf2m> polyn_gf2m::sqmod_init(const polyn_gf2m& g) {
226 std::vector<polyn_gf2m> sq;
227 const int signed_deg = g.get_degree();
228 if(signed_deg <= 0) {
229 throw Invalid_Argument("cannot compute sqmod for such low degree");
230 }
231
232 const uint32_t d = static_cast<uint32_t>(signed_deg);
233 uint32_t t = g.m_deg;
234 // create t zero polynomials
235 uint32_t i = 0;
236 for(i = 0; i < t; ++i) {
237 sq.push_back(polyn_gf2m(t + 1, g.get_sp_field()));
238 }
239 for(i = 0; i < d / 2; ++i) {
240 sq[i].set_degree(2 * i);
241 (*&sq[i]).set_coef(2 * i, 1);
242 }
243
244 for(; i < d; ++i) {
245 clear_mem(sq[i].m_coeff.data(), 2);
246 copy_mem(sq[i].m_coeff.data() + 2, sq[i - 1].m_coeff.data(), d);
247 sq[i].set_degree(sq[i - 1].get_degree() + 2);
248 polyn_gf2m::remainder(sq[i], g);
249 }
250 return sq;
251}
252
253/*Modulo p square of a certain polynomial g, sq[] contains the square
254Modulo g of the base canonical polynomials of degree < d, where d is
255the degree of G. The table sq[] will be calculated by polyn_gf2m_sqmod_init*/
256polyn_gf2m polyn_gf2m::sqmod(const std::vector<polyn_gf2m>& sq, int d) {
257 int i = 0;
258 std::shared_ptr<GF2m_Field> sp_field = this->m_sp_field;
259
260 polyn_gf2m result(d - 1, sp_field);
261 // terms of low degree
262 for(i = 0; i < d / 2; ++i) {
263 (*&result).set_coef(i * 2, sp_field->gf_square((*this)[i]));
264 }
265
266 // terms of high degree
267 for(; i < d; ++i) {
268 gf2m lpi = (*this)[i];
269 if(lpi != 0) {
270 lpi = sp_field->gf_log(lpi);
271 gf2m la = sp_field->gf_mul_rrr(lpi, lpi);
272 for(int j = 0; j < d; ++j) {
273 result[j] ^= sp_field->gf_mul_zrz(la, sq[i][j]);
274 }
275 }
276 }
277
278 // Update degre
279 result.set_degree(d - 1);
280 while((result.get_degree() >= 0) && (result[result.get_degree()] == 0)) {
281 result.set_degree(result.get_degree() - 1);
282 }
283 return result;
284}
285
286// destructive
287polyn_gf2m polyn_gf2m::gcd_aux(polyn_gf2m& p1, polyn_gf2m& p2) {
288 if(p2.get_degree() == -1) {
289 return p1;
290 } else {
291 polyn_gf2m::remainder(p1, p2);
292 return polyn_gf2m::gcd_aux(p2, p1);
293 }
294}
295
296polyn_gf2m polyn_gf2m::gcd(const polyn_gf2m& p1, const polyn_gf2m& p2) {
297 polyn_gf2m a(p1);
298 polyn_gf2m b(p2);
299 if(a.get_degree() < b.get_degree()) {
300 return polyn_gf2m(polyn_gf2m::gcd_aux(b, a));
301 } else {
302 return polyn_gf2m(polyn_gf2m::gcd_aux(a, b));
303 }
304}
305
306// Returns the degree of the smallest factor
307size_t polyn_gf2m::degppf(const polyn_gf2m& g) {
308 polyn_gf2m s(g.get_sp_field());
309
310 const size_t ext_deg = g.m_sp_field->get_extension_degree();
311 const int d = g.get_degree();
312 std::vector<polyn_gf2m> u = polyn_gf2m::sqmod_init(g);
313
314 polyn_gf2m p(d - 1, g.m_sp_field);
315
316 p.set_degree(1);
317 (*&p).set_coef(1, 1);
318 size_t result = static_cast<size_t>(d);
319 for(size_t i = 1; i <= (d / 2) * ext_deg; ++i) {
320 polyn_gf2m r = p.sqmod(u, d);
321 if((i % ext_deg) == 0) {
322 r[1] ^= 1;
323 r.get_degree(); // The degree may change
324 s = polyn_gf2m::gcd(g, r);
325
326 if(s.get_degree() > 0) {
327 result = i / ext_deg;
328 break;
329 }
330 r[1] ^= 1;
331 r.get_degree(); // The degree may change
332 }
333 // No need for the exchange s
334 s = p;
335 p = r;
336 r = s;
337 }
338
339 return result;
340}
341
342void polyn_gf2m::patchup_deg_secure(uint32_t trgt_deg, gf2m patch_elem) {
343 if(this->m_coeff.size() < trgt_deg) {
344 return;
345 }
346 for(uint32_t i = 0; i < this->m_coeff.size(); i++) {
347 this->m_coeff[i] |= patch_elem;
348 uint32_t equal = (i == trgt_deg);
349 uint32_t equal_mask = expand_mask_16bit(equal);
350 patch_elem &= ~equal_mask;
351 }
352 this->calc_degree_secure();
353}
354
355// We suppose m_deg(g) >= m_deg(p)
356// v is the problem
357std::pair<polyn_gf2m, polyn_gf2m> polyn_gf2m::eea_with_coefficients(const polyn_gf2m& p,
358 const polyn_gf2m& g,
359 int break_deg) {
360 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
361 polyn_gf2m aux;
362
363 // initialisation of the local variables
364 // r0 <- g, r1 <- p, u0 <- 0, u1 <- 1
365 int dr = g.get_degree();
366
367 BOTAN_ASSERT(dr > 3, "Valid polynomial");
368
369 polyn_gf2m r0(dr, g.m_sp_field);
370 polyn_gf2m r1(dr - 1, g.m_sp_field);
371 polyn_gf2m u0(dr - 1, g.m_sp_field);
372 polyn_gf2m u1(dr - 1, g.m_sp_field);
373
374 r0 = g;
375 r1 = p;
376 u0.set_to_zero();
377 u1.set_to_zero();
378 (*&u1).set_coef(0, 1);
379 u1.set_degree(0);
380
381 // invariants:
382 // r1 = u1 * p + v1 * g
383 // r0 = u0 * p + v0 * g
384 // and m_deg(u1) = m_deg(g) - m_deg(r0)
385 // It stops when m_deg (r1) <t (m_deg (r0)> = t)
386 // And therefore m_deg (u1) = m_deg (g) - m_deg (r0) <m_deg (g) - break_deg
387 int du = 0;
388 dr = r1.get_degree();
389 int delta = r0.get_degree() - dr;
390
391 int i = 0;
392 int j = 0;
393 while(dr >= break_deg) {
394 for(j = delta; j >= 0; --j) {
395 gf2m a = m_sp_field->gf_div(r0[dr + j], r1[dr]);
396 if(a != 0) {
397 gf2m la = m_sp_field->gf_log(a);
398 // u0(z) <- u0(z) + a * u1(z) * z^j
399 for(i = 0; i <= du; ++i) {
400 u0[i + j] ^= m_sp_field->gf_mul_zrz(la, u1[i]);
401 }
402 // r0(z) <- r0(z) + a * r1(z) * z^j
403 for(i = 0; i <= dr; ++i) {
404 r0[i + j] ^= m_sp_field->gf_mul_zrz(la, r1[i]);
405 }
406 }
407 } // end loop over j
408
409 if(break_deg != 1) /* key eq. solving */
410 {
411 /* [ssms_icisc09] Countermeasure
412 * d_break from paper equals break_deg - 1
413 * */
414
415 volatile gf2m fake_elem = 0x01;
416 volatile gf2m cond1 = 0;
417 volatile gf2m cond2 = 0;
418 int trgt_deg = r1.get_degree() - 1;
419 r0.calc_degree_secure();
420 u0.calc_degree_secure();
421 if(!(g.get_degree() % 2)) {
422 /* t even */
423 cond1 = r0.get_degree() < break_deg - 1;
424 } else {
425 /* t odd */
426 cond1 = r0.get_degree() < break_deg;
427 cond2 = u0.get_degree() < break_deg - 1;
428 cond1 = cond1 & cond2;
429 }
430 /* expand cond1 to a full mask */
431 gf2m mask = generate_gf2m_mask(cond1);
432 fake_elem = fake_elem & mask;
433 r0.patchup_deg_secure(trgt_deg, fake_elem);
434 }
435 if(break_deg == 1) /* syndrome inversion */
436 {
437 volatile gf2m fake_elem = 0x00;
438 volatile uint32_t trgt_deg = 0;
439 r0.calc_degree_secure();
440 u0.calc_degree_secure();
441 /**
442 * countermeasure against the low weight attacks for w=4, w=6 and w=8.
443 * Higher values are not covered since for w=8 we already have a
444 * probability for a positive of 1/n^3 from random ciphertexts with the
445 * given weight. For w = 10 it would be 1/n^4 and so on. Thus attacks
446 * based on such high values of w are considered impractical.
447 *
448 * The outer test for the degree of u ( Omega in the paper ) needs not to
449 * be disguised. Each of the three is performed at most once per EEA
450 * (syndrome inversion) execution, the attacker knows this already when
451 * preparing the ciphertext with the given weight. Inside these three
452 * cases however, we must use timing neutral (branch free) operations to
453 * implement the condition detection and the counteractions.
454 *
455 */
456 if(u0.get_degree() == 4) {
457 uint32_t mask = 0;
458 /**
459 * Condition that the EEA would break now
460 */
461 int cond_r = r0.get_degree() == 0;
462 /**
463 * Now come the conditions for all odd coefficients of this sigma
464 * candidate. If they are all fulfilled, then we know that we have a low
465 * weight error vector, since the key-equation solving EEA is skipped if
466 * the degree of tau^2 is low (=m_deg(u0)) and all its odd coefficients are
467 * zero (they would cause "full-length" contributions from the square
468 * root computation).
469 */
470 // Condition for the coefficient to Y to be cancelled out by the
471 // addition of Y before the square root computation:
472 int cond_u1 = m_sp_field->gf_mul(u0.m_coeff[1], m_sp_field->gf_inv(r0.m_coeff[0])) == 1;
473
474 // Condition sigma_3 = 0:
475 int cond_u3 = u0.m_coeff[3] == 0;
476 // combine the conditions:
477 cond_r &= (cond_u1 & cond_u3);
478 // mask generation:
479 mask = expand_mask_16bit(cond_r);
480 trgt_deg = 2 & mask;
481 fake_elem = 1 & mask;
482 } else if(u0.get_degree() == 6) {
483 uint32_t mask = 0;
484 int cond_r = r0.get_degree() == 0;
485 int cond_u1 = m_sp_field->gf_mul(u0.m_coeff[1], m_sp_field->gf_inv(r0.m_coeff[0])) == 1;
486 int cond_u3 = u0.m_coeff[3] == 0;
487
488 int cond_u5 = u0.m_coeff[5] == 0;
489
490 cond_r &= (cond_u1 & cond_u3 & cond_u5);
491 mask = expand_mask_16bit(cond_r);
492 trgt_deg = 4 & mask;
493 fake_elem = 1 & mask;
494 } else if(u0.get_degree() == 8) {
495 uint32_t mask = 0;
496 int cond_r = r0.get_degree() == 0;
497 int cond_u1 = m_sp_field->gf_mul(u0[1], m_sp_field->gf_inv(r0[0])) == 1;
498 int cond_u3 = u0.m_coeff[3] == 0;
499
500 int cond_u5 = u0.m_coeff[5] == 0;
501
502 int cond_u7 = u0.m_coeff[7] == 0;
503
504 cond_r &= (cond_u1 & cond_u3 & cond_u5 & cond_u7);
505 mask = expand_mask_16bit(cond_r);
506 trgt_deg = 6 & mask;
507 fake_elem = 1 & mask;
508 }
509 r0.patchup_deg_secure(trgt_deg, fake_elem);
510 }
511 // exchange
512 aux = r0;
513 r0 = r1;
514 r1 = aux;
515 aux = u0;
516 u0 = u1;
517 u1 = aux;
518
519 du = du + delta;
520 delta = 1;
521 while(r1[dr - delta] == 0) {
522 delta++;
523 }
524
525 dr -= delta;
526 } /* end while loop (dr >= break_deg) */
527
528 u1.set_degree(du);
529 r1.set_degree(dr);
530 //return u1 and r1;
531 return std::make_pair(u1, r1); // coefficients u,v
532}
533
534polyn_gf2m::polyn_gf2m(size_t t, RandomNumberGenerator& rng, const std::shared_ptr<GF2m_Field>& sp_field) :
535 m_deg(static_cast<int>(t)), m_coeff(t + 1), m_sp_field(sp_field) {
536 this->set_coef(t, 1);
537 for(;;) {
538 for(size_t i = 0; i < t; ++i) {
539 this->set_coef(i, random_code_element(sp_field->get_cardinality(), rng));
540 }
541
542 const size_t degree = polyn_gf2m::degppf(*this);
543
544 if(degree >= t) {
545 break;
546 }
547 }
548}
549
550void polyn_gf2m::poly_shiftmod(const polyn_gf2m& g) {
551 if(g.get_degree() <= 1) {
552 throw Invalid_Argument("shiftmod cannot be called on polynomials of degree 1 or less");
553 }
554 std::shared_ptr<GF2m_Field> field = g.m_sp_field;
555
556 int t = g.get_degree();
557 gf2m a = field->gf_div(this->m_coeff[t - 1], g.m_coeff[t]);
558 for(int i = t - 1; i > 0; --i) {
559 this->m_coeff[i] = this->m_coeff[i - 1] ^ this->m_sp_field->gf_mul(a, g.m_coeff[i]);
560 }
561 this->m_coeff[0] = field->gf_mul(a, g.m_coeff[0]);
562}
563
564std::vector<polyn_gf2m> polyn_gf2m::sqrt_mod_init(const polyn_gf2m& g) {
565 uint32_t i = 0;
566 uint32_t t = 0;
567 uint32_t nb_polyn_sqrt_mat = 0;
568 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
569 std::vector<polyn_gf2m> result;
570 t = g.get_degree();
571 nb_polyn_sqrt_mat = t / 2;
572
573 std::vector<polyn_gf2m> sq_aux = polyn_gf2m::sqmod_init(g);
574
575 polyn_gf2m p(t - 1, g.get_sp_field());
576 p.set_degree(1);
577
578 (*&p).set_coef(1, 1);
579 // q(z) = 0, p(z) = z
580 for(i = 0; i < t * m_sp_field->get_extension_degree() - 1; ++i) {
581 // q(z) <- p(z)^2 mod g(z)
582 polyn_gf2m q = p.sqmod(sq_aux, t);
583 // q(z) <-> p(z)
584 polyn_gf2m aux = q;
585 q = p;
586 p = aux;
587 }
588 // p(z) = z^(2^(tm-1)) mod g(z) = sqrt(z) mod g(z)
589
590 for(i = 0; i < nb_polyn_sqrt_mat; ++i) {
591 result.push_back(polyn_gf2m(t - 1, g.get_sp_field()));
592 }
593
594 result[0] = p;
595 result[0].get_degree();
596 for(i = 1; i < nb_polyn_sqrt_mat; i++) {
597 result[i] = result[i - 1];
598 result[i].poly_shiftmod(g);
599 result[i].get_degree();
600 }
601
602 return result;
603}
604
605std::vector<polyn_gf2m> syndrome_init(const polyn_gf2m& generator, const std::vector<gf2m>& support, int n) {
606 int i = 0;
607 int j = 0;
608 int t = 0;
609 gf2m a = 0;
610
611 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
612
613 std::vector<polyn_gf2m> result;
614 t = generator.get_degree();
615
616 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
617 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
618
619 for(j = 0; j < n; j++) {
620 result.push_back(polyn_gf2m(t - 1, m_sp_field));
621
622 (*&result[j]).set_coef(t - 1, 1);
623 for(i = t - 2; i >= 0; i--) {
624 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
625 }
626 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
627 for(i = 0; i < t; i++) {
628 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
629 }
630 }
631 return result;
632}
633
634polyn_gf2m::polyn_gf2m(const secure_vector<uint8_t>& encoded, const std::shared_ptr<GF2m_Field>& sp_field) :
635 m_sp_field(sp_field) {
636 if(encoded.size() % 2) {
637 throw Decoding_Error("encoded polynomial has odd length");
638 }
639 for(uint32_t i = 0; i < encoded.size(); i += 2) {
640 gf2m el = (encoded[i] << 8) | encoded[i + 1];
641 m_coeff.push_back(el);
642 }
643 get_degree();
644}
645
646secure_vector<uint8_t> polyn_gf2m::encode() const {
647 secure_vector<uint8_t> result;
648
649 if(m_deg < 1) {
650 result.push_back(0);
651 result.push_back(0);
652 return result;
653 }
654
655 uint32_t len = m_deg + 1;
656 for(unsigned i = 0; i < len; i++) {
657 // "big endian" encoding of the GF(2^m) elements
658 result.push_back(get_byte<0>(m_coeff[i]));
659 result.push_back(get_byte<1>(m_coeff[i]));
660 }
661 return result;
662}
663
664void polyn_gf2m::swap(polyn_gf2m& other) noexcept {
665 std::swap(this->m_deg, other.m_deg);
666 std::swap(this->m_sp_field, other.m_sp_field);
667 std::swap(this->m_coeff, other.m_coeff);
668}
669
670bool polyn_gf2m::operator==(const polyn_gf2m& other) const {
671 return m_deg == other.m_deg && m_coeff == other.m_coeff;
672}
673
674// NOLINTEND(*-implicit-bool-conversion)
675
676} // namespace Botan
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition rng.h:71
Botan::polyn_gf2m
Definition polyn_gf2m.h:27
Botan::polyn_gf2m::set_to_zero
void set_to_zero()
Definition polyn_gf2m.cpp:162
Botan::polyn_gf2m::encode
secure_vector< uint8_t > encode() const
Definition polyn_gf2m.cpp:646
Botan::polyn_gf2m::get_degree
int get_degree() const
Definition polyn_gf2m.cpp:167
Botan::polyn_gf2m::get_sp_field
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:79
Botan::polyn_gf2m::eea_with_coefficients
static std::pair< polyn_gf2m, polyn_gf2m > eea_with_coefficients(const polyn_gf2m &p, const polyn_gf2m &g, int break_deg)
Definition polyn_gf2m.cpp:357
Botan::polyn_gf2m::set_coef
void set_coef(size_t i, gf2m v)
Definition polyn_gf2m.h:89
Botan::polyn_gf2m::polyn_gf2m
polyn_gf2m(const std::shared_ptr< GF2m_Field > &sp_field)
Definition polyn_gf2m.cpp:131
Botan::polyn_gf2m::swap
void swap(polyn_gf2m &other) noexcept
Definition polyn_gf2m.cpp:664
Botan::polyn_gf2m::get_lead_coef
gf2m get_lead_coef() const
Definition polyn_gf2m.h:85
Botan::polyn_gf2m::patchup_deg_secure
void patchup_deg_secure(uint32_t trgt_deg, gf2m patch_elem)
Definition polyn_gf2m.cpp:342
Botan::polyn_gf2m::sqmod_init
static std::vector< polyn_gf2m > sqmod_init(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:225
Botan::polyn_gf2m::sqrt_mod_init
static std::vector< polyn_gf2m > sqrt_mod_init(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:564
Botan::polyn_gf2m::polyn_gf2m
polyn_gf2m()
Definition polyn_gf2m.h:34
Botan::polyn_gf2m::calc_degree_secure
int calc_degree_secure() const
Definition polyn_gf2m.cpp:59
Botan::polyn_gf2m::operator==
bool operator==(const polyn_gf2m &other) const
Definition polyn_gf2m.cpp:670
Botan::polyn_gf2m::sqmod
polyn_gf2m sqmod(const std::vector< polyn_gf2m > &sq, int d)
Definition polyn_gf2m.cpp:256
Botan::polyn_gf2m::eval
gf2m eval(gf2m a)
Definition polyn_gf2m.cpp:192
Botan::polyn_gf2m::degppf
static size_t degppf(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:307
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::lex_to_gray
gf2m lex_to_gray(gf2m lex)
Definition code_based_util.h:38
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
Botan::expand_mask_16bit
uint16_t expand_mask_16bit(T tst)
Definition code_based_util.h:25
Botan::random_code_element
gf2m random_code_element(uint16_t code_length, RandomNumberGenerator &rng)
Definition polyn_gf2m.cpp:81
Botan::syndrome_init
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
Definition polyn_gf2m.cpp:605
Botan::random_gf2m
gf2m random_gf2m(RandomNumberGenerator &rng)
Definition polyn_gf2m.cpp:75
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::decode_gf2m
gf2m decode_gf2m(const uint8_t *mem)
Definition gf2m_small_m.cpp:102
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119
Botan::gf2m
uint16_t gf2m
Definition gf2m_small_m.h:20
Botan::make_uint16
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:92
Generated by doxygen 1.15.0