Botan 3.9.0
Crypto and TLS for C&
polyn_gf2m.cpp
Go to the documentation of this file.
1/*
2 * (C) Copyright Projet SECRET, INRIA, Rocquencourt
3 * (C) Bhaskar Biswas and Nicolas Sendrier
4 *
5 * (C) 2014 cryptosource GmbH
6 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
7 * (C) 2015 Jack Lloyd
8 *
9 * Botan is released under the Simplified BSD License (see license.txt)
10 *
11 */
12
13#include <botan/internal/polyn_gf2m.h>
14
15#include <botan/exceptn.h>
16#include <botan/rng.h>
17#include <botan/internal/bit_ops.h>
18#include <botan/internal/code_based_util.h>
19#include <botan/internal/loadstor.h>
20
21namespace Botan {
22
23// NOLINTBEGIN(*-implicit-bool-conversion)
24
25namespace {
26
27gf2m generate_gf2m_mask(gf2m a) {
28 gf2m result = (a != 0);
29 return ~(result - 1);
30}
31
32/**
33* number of leading zeros
34*/
35unsigned nlz_16bit(uint16_t x) {
36 if(x == 0) {
37 return 16;
38 }
39 unsigned n = 0;
40 if(x <= 0x00FF) {
41 n = n + 8;
42 x = x << 8;
43 }
44 if(x <= 0x0FFF) {
45 n = n + 4;
46 x = x << 4;
47 }
48 if(x <= 0x3FFF) {
49 n = n + 2;
50 x = x << 2;
51 }
52 if(x <= 0x7FFF) {
53 n = n + 1;
54 }
55 return n;
56}
57
58} // namespace
59
60int polyn_gf2m::calc_degree_secure() const {
61 int i = static_cast<int>(this->m_coeff.size()) - 1;
62 int result = 0;
63 uint32_t found_mask = 0;
64 uint32_t tracker_mask = 0xffff;
65 for(; i >= 0; i--) {
66 found_mask = expand_mask_16bit(this->m_coeff[i]);
67 result |= i & found_mask & tracker_mask;
68 // tracker mask shall become zero once found mask is set
69 // it shall remain zero from then on
70 tracker_mask = tracker_mask & ~found_mask;
71 }
72 const_cast<polyn_gf2m*>(this)->m_deg = result;
73 return result;
74}
75
76gf2m random_gf2m(RandomNumberGenerator& rng) {
77 uint8_t b[2];
78 rng.randomize(b, sizeof(b));
79 return make_uint16(b[1], b[0]);
80}
81
82gf2m random_code_element(uint16_t code_length, RandomNumberGenerator& rng) {
83 if(code_length == 0) {
84 throw Invalid_Argument("random_code_element() was supplied a code length of zero");
85 }
86 const unsigned nlz = nlz_16bit(code_length - 1);
87 const gf2m mask = (1 << (16 - nlz)) - 1;
88
89 gf2m result = random_gf2m(rng) & mask;
90
91 while(result >= code_length) {
92 // rejection sampling
93 result = random_gf2m(rng) & mask;
94 }
95
96 return result;
97}
98
99polyn_gf2m::polyn_gf2m(const polyn_gf2m& other) = default;
100
101polyn_gf2m::polyn_gf2m(int d, const std::shared_ptr<GF2m_Field>& sp_field) :
102 m_deg(-1), m_coeff(d + 1), m_sp_field(sp_field) {}
103
104/**
105* doesn't save coefficients:
106*/
107void polyn_gf2m::realloc(uint32_t new_size) {
108 this->m_coeff = secure_vector<gf2m>(new_size);
109}
110
111polyn_gf2m::polyn_gf2m(const uint8_t* mem, uint32_t mem_len, const std::shared_ptr<GF2m_Field>& sp_field) :
112 m_deg(-1), m_sp_field(sp_field) {
113 if(mem_len % sizeof(gf2m)) {
114 throw Decoding_Error("illegal length of memory to decode ");
115 }
116
117 uint32_t size = (mem_len / sizeof(this->m_coeff[0]));
118 this->m_coeff = secure_vector<gf2m>(size);
119 this->m_deg = -1;
120 for(uint32_t i = 0; i < size; i++) {
121 this->m_coeff[i] = decode_gf2m(mem);
122 mem += sizeof(this->m_coeff[0]);
123 }
124 for(uint32_t i = 0; i < size; i++) {
125 if(this->m_coeff[i] >= (1 << sp_field->get_extension_degree())) {
126 throw Decoding_Error("error decoding polynomial");
127 }
128 }
129 this->get_degree();
130}
131
132polyn_gf2m::polyn_gf2m(const std::shared_ptr<GF2m_Field>& sp_field) : m_deg(-1), m_coeff(1), m_sp_field(sp_field) {}
133
134polyn_gf2m::polyn_gf2m(int degree,
135 const uint8_t* mem,
136 size_t mem_byte_len,
137 const std::shared_ptr<GF2m_Field>& sp_field) :
138 m_sp_field(sp_field) {
139 const uint32_t polyn_size = degree + 1;
140 if(polyn_size * sp_field->get_extension_degree() > 8 * mem_byte_len) {
141 throw Decoding_Error("memory vector for polynomial has wrong size");
142 }
143 this->m_coeff = secure_vector<gf2m>(degree + 1);
144 const gf2m ext_deg = static_cast<gf2m>(this->m_sp_field->get_extension_degree());
145 for(uint32_t l = 0; l < polyn_size; l++) {
146 uint32_t k = (l * ext_deg) / 8;
147
148 uint32_t j = (l * ext_deg) % 8;
149 gf2m a = mem[k] >> j;
150 if(j + ext_deg > 8) {
151 a ^= mem[k + 1] << (8 - j);
152 }
153 if(j + ext_deg > 16) {
154 a ^= mem[k + 2] << (16 - j);
155 }
156 a &= ((1 << ext_deg) - 1);
157 (*this).set_coef(l, a);
158 }
159
160 this->get_degree();
161}
162
163void polyn_gf2m::set_to_zero() {
164 clear_mem(this->m_coeff.data(), this->m_coeff.size());
165 this->m_deg = -1;
166}
167
168int polyn_gf2m::get_degree() const {
169 int d = static_cast<int>(this->m_coeff.size()) - 1;
170 while((d >= 0) && (this->m_coeff[d] == 0)) {
171 --d;
172 }
173 const_cast<polyn_gf2m*>(this)->m_deg = d;
174 return d;
175}
176
177namespace {
178
179gf2m eval_aux(const gf2m* /*restrict*/ coeff, gf2m a, int d, const std::shared_ptr<GF2m_Field>& sp_field) {
180 gf2m b = coeff[d--];
181 for(; d >= 0; --d) {
182 if(b != 0) {
183 b = sp_field->gf_mul(b, a) ^ coeff[d];
184 } else {
185 b = coeff[d];
186 }
187 }
188 return b;
189}
190
191} // namespace
192
193gf2m polyn_gf2m::eval(gf2m a) {
194 return eval_aux(this->m_coeff.data(), a, this->m_deg, this->m_sp_field);
195}
196
197// p will contain it's remainder modulo g
198void polyn_gf2m::remainder(polyn_gf2m& p, const polyn_gf2m& g) {
199 int i = 0;
200 int j = 0;
201 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
202 int d = p.get_degree() - g.get_degree();
203 if(d >= 0) {
204 gf2m la = m_sp_field->gf_inv_rn(g.get_lead_coef());
205
206 const int p_degree = p.get_degree();
207
208 BOTAN_ASSERT(p_degree > 0, "Valid polynomial");
209
210 for(i = p_degree; d >= 0; --i, --d) {
211 if(p[i] != 0) {
212 gf2m lb = m_sp_field->gf_mul_rrn(la, p[i]);
213 for(j = 0; j < g.get_degree(); ++j) {
214 p[j + d] ^= m_sp_field->gf_mul_zrz(lb, g[j]);
215 }
216 (*&p).set_coef(i, 0);
217 }
218 }
219 p.set_degree(g.get_degree() - 1);
220 while((p.get_degree() >= 0) && (p[p.get_degree()] == 0)) {
221 p.set_degree(p.get_degree() - 1);
222 }
223 }
224}
225
226std::vector<polyn_gf2m> polyn_gf2m::sqmod_init(const polyn_gf2m& g) {
227 std::vector<polyn_gf2m> sq;
228 const int signed_deg = g.get_degree();
229 if(signed_deg <= 0) {
230 throw Invalid_Argument("cannot compute sqmod for such low degree");
231 }
232
233 const uint32_t d = static_cast<uint32_t>(signed_deg);
234 uint32_t t = g.m_deg;
235 // create t zero polynomials
236 uint32_t i = 0;
237 for(i = 0; i < t; ++i) {
238 sq.push_back(polyn_gf2m(t + 1, g.get_sp_field()));
239 }
240 for(i = 0; i < d / 2; ++i) {
241 sq[i].set_degree(2 * i);
242 (*&sq[i]).set_coef(2 * i, 1);
243 }
244
245 for(; i < d; ++i) {
246 clear_mem(sq[i].m_coeff.data(), 2);
247 copy_mem(sq[i].m_coeff.data() + 2, sq[i - 1].m_coeff.data(), d);
248 sq[i].set_degree(sq[i - 1].get_degree() + 2);
249 polyn_gf2m::remainder(sq[i], g);
250 }
251 return sq;
252}
253
254/*Modulo p square of a certain polynomial g, sq[] contains the square
255Modulo g of the base canonical polynomials of degree < d, where d is
256the degree of G. The table sq[] will be calculated by polyn_gf2m_sqmod_init*/
257polyn_gf2m polyn_gf2m::sqmod(const std::vector<polyn_gf2m>& sq, int d) {
258 int i = 0;
259 std::shared_ptr<GF2m_Field> sp_field = this->m_sp_field;
260
261 polyn_gf2m result(d - 1, sp_field);
262 // terms of low degree
263 for(i = 0; i < d / 2; ++i) {
264 (*&result).set_coef(i * 2, sp_field->gf_square((*this)[i]));
265 }
266
267 // terms of high degree
268 for(; i < d; ++i) {
269 gf2m lpi = (*this)[i];
270 if(lpi != 0) {
271 lpi = sp_field->gf_log(lpi);
272 gf2m la = sp_field->gf_mul_rrr(lpi, lpi);
273 for(int j = 0; j < d; ++j) {
274 result[j] ^= sp_field->gf_mul_zrz(la, sq[i][j]);
275 }
276 }
277 }
278
279 // Update degre
280 result.set_degree(d - 1);
281 while((result.get_degree() >= 0) && (result[result.get_degree()] == 0)) {
282 result.set_degree(result.get_degree() - 1);
283 }
284 return result;
285}
286
287// destructive
288polyn_gf2m polyn_gf2m::gcd_aux(polyn_gf2m& p1, polyn_gf2m& p2) {
289 if(p2.get_degree() == -1) {
290 return p1;
291 } else {
292 polyn_gf2m::remainder(p1, p2);
293 return polyn_gf2m::gcd_aux(p2, p1);
294 }
295}
296
297polyn_gf2m polyn_gf2m::gcd(const polyn_gf2m& p1, const polyn_gf2m& p2) {
298 polyn_gf2m a(p1);
299 polyn_gf2m b(p2);
300 if(a.get_degree() < b.get_degree()) {
301 return polyn_gf2m(polyn_gf2m::gcd_aux(b, a));
302 } else {
303 return polyn_gf2m(polyn_gf2m::gcd_aux(a, b));
304 }
305}
306
307// Returns the degree of the smallest factor
308size_t polyn_gf2m::degppf(const polyn_gf2m& g) {
309 polyn_gf2m s(g.get_sp_field());
310
311 const size_t ext_deg = g.m_sp_field->get_extension_degree();
312 const int d = g.get_degree();
313 std::vector<polyn_gf2m> u = polyn_gf2m::sqmod_init(g);
314
315 polyn_gf2m p(d - 1, g.m_sp_field);
316
317 p.set_degree(1);
318 (*&p).set_coef(1, 1);
319 size_t result = static_cast<size_t>(d);
320 for(size_t i = 1; i <= (d / 2) * ext_deg; ++i) {
321 polyn_gf2m r = p.sqmod(u, d);
322 if((i % ext_deg) == 0) {
323 r[1] ^= 1;
324 r.get_degree(); // The degree may change
325 s = polyn_gf2m::gcd(g, r);
326
327 if(s.get_degree() > 0) {
328 result = i / ext_deg;
329 break;
330 }
331 r[1] ^= 1;
332 r.get_degree(); // The degree may change
333 }
334 // No need for the exchange s
335 s = p;
336 p = r;
337 r = s;
338 }
339
340 return result;
341}
342
343void polyn_gf2m::patchup_deg_secure(uint32_t trgt_deg, gf2m patch_elem) {
344 if(this->m_coeff.size() < trgt_deg) {
345 return;
346 }
347 for(uint32_t i = 0; i < this->m_coeff.size(); i++) {
348 this->m_coeff[i] |= patch_elem;
349 uint32_t equal = (i == trgt_deg);
350 uint32_t equal_mask = expand_mask_16bit(equal);
351 patch_elem &= ~equal_mask;
352 }
353 this->calc_degree_secure();
354}
355
356// We suppose m_deg(g) >= m_deg(p)
357// v is the problem
358std::pair<polyn_gf2m, polyn_gf2m> polyn_gf2m::eea_with_coefficients(const polyn_gf2m& p,
359 const polyn_gf2m& g,
360 int break_deg) {
361 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
362 polyn_gf2m aux;
363
364 // initialisation of the local variables
365 // r0 <- g, r1 <- p, u0 <- 0, u1 <- 1
366 int dr = g.get_degree();
367
368 BOTAN_ASSERT(dr > 3, "Valid polynomial");
369
370 polyn_gf2m r0(dr, g.m_sp_field);
371 polyn_gf2m r1(dr - 1, g.m_sp_field);
372 polyn_gf2m u0(dr - 1, g.m_sp_field);
373 polyn_gf2m u1(dr - 1, g.m_sp_field);
374
375 r0 = g;
376 r1 = p;
377 u0.set_to_zero();
378 u1.set_to_zero();
379 (*&u1).set_coef(0, 1);
380 u1.set_degree(0);
381
382 // invariants:
383 // r1 = u1 * p + v1 * g
384 // r0 = u0 * p + v0 * g
385 // and m_deg(u1) = m_deg(g) - m_deg(r0)
386 // It stops when m_deg (r1) <t (m_deg (r0)> = t)
387 // And therefore m_deg (u1) = m_deg (g) - m_deg (r0) <m_deg (g) - break_deg
388 int du = 0;
389 dr = r1.get_degree();
390 int delta = r0.get_degree() - dr;
391
392 int i = 0;
393 int j = 0;
394 while(dr >= break_deg) {
395 for(j = delta; j >= 0; --j) {
396 gf2m a = m_sp_field->gf_div(r0[dr + j], r1[dr]);
397 if(a != 0) {
398 gf2m la = m_sp_field->gf_log(a);
399 // u0(z) <- u0(z) + a * u1(z) * z^j
400 for(i = 0; i <= du; ++i) {
401 u0[i + j] ^= m_sp_field->gf_mul_zrz(la, u1[i]);
402 }
403 // r0(z) <- r0(z) + a * r1(z) * z^j
404 for(i = 0; i <= dr; ++i) {
405 r0[i + j] ^= m_sp_field->gf_mul_zrz(la, r1[i]);
406 }
407 }
408 } // end loop over j
409
410 if(break_deg != 1) /* key eq. solving */
411 {
412 /* [ssms_icisc09] Countermeasure
413 * d_break from paper equals break_deg - 1
414 * */
415
416 volatile gf2m fake_elem = 0x01;
417 volatile gf2m cond1 = 0;
418 volatile gf2m cond2 = 0;
419 int trgt_deg = r1.get_degree() - 1;
420 r0.calc_degree_secure();
421 u0.calc_degree_secure();
422 if(!(g.get_degree() % 2)) {
423 /* t even */
424 cond1 = r0.get_degree() < break_deg - 1;
425 } else {
426 /* t odd */
427 cond1 = r0.get_degree() < break_deg;
428 cond2 = u0.get_degree() < break_deg - 1;
429 cond1 = cond1 & cond2;
430 }
431 /* expand cond1 to a full mask */
432 gf2m mask = generate_gf2m_mask(cond1);
433 fake_elem = fake_elem & mask;
434 r0.patchup_deg_secure(trgt_deg, fake_elem);
435 }
436 if(break_deg == 1) /* syndrome inversion */
437 {
438 volatile gf2m fake_elem = 0x00;
439 volatile uint32_t trgt_deg = 0;
440 r0.calc_degree_secure();
441 u0.calc_degree_secure();
442 /**
443 * countermeasure against the low weight attacks for w=4, w=6 and w=8.
444 * Higher values are not covered since for w=8 we already have a
445 * probability for a positive of 1/n^3 from random ciphertexts with the
446 * given weight. For w = 10 it would be 1/n^4 and so on. Thus attacks
447 * based on such high values of w are considered impractical.
448 *
449 * The outer test for the degree of u ( Omega in the paper ) needs not to
450 * be disguised. Each of the three is performed at most once per EEA
451 * (syndrome inversion) execution, the attacker knows this already when
452 * preparing the ciphertext with the given weight. Inside these three
453 * cases however, we must use timing neutral (branch free) operations to
454 * implement the condition detection and the counteractions.
455 *
456 */
457 if(u0.get_degree() == 4) {
458 uint32_t mask = 0;
459 /**
460 * Condition that the EEA would break now
461 */
462 int cond_r = r0.get_degree() == 0;
463 /**
464 * Now come the conditions for all odd coefficients of this sigma
465 * candiate. If they are all fulfilled, then we know that we have a low
466 * weight error vector, since the key-equation solving EEA is skipped if
467 * the degree of tau^2 is low (=m_deg(u0)) and all its odd cofficients are
468 * zero (they would cause "full-length" contributions from the square
469 * root computation).
470 */
471 // Condition for the coefficient to Y to be cancelled out by the
472 // addition of Y before the square root computation:
473 int cond_u1 = m_sp_field->gf_mul(u0.m_coeff[1], m_sp_field->gf_inv(r0.m_coeff[0])) == 1;
474
475 // Condition sigma_3 = 0:
476 int cond_u3 = u0.m_coeff[3] == 0;
477 // combine the conditions:
478 cond_r &= (cond_u1 & cond_u3);
479 // mask generation:
480 mask = expand_mask_16bit(cond_r);
481 trgt_deg = 2 & mask;
482 fake_elem = 1 & mask;
483 } else if(u0.get_degree() == 6) {
484 uint32_t mask = 0;
485 int cond_r = r0.get_degree() == 0;
486 int cond_u1 = m_sp_field->gf_mul(u0.m_coeff[1], m_sp_field->gf_inv(r0.m_coeff[0])) == 1;
487 int cond_u3 = u0.m_coeff[3] == 0;
488
489 int cond_u5 = u0.m_coeff[5] == 0;
490
491 cond_r &= (cond_u1 & cond_u3 & cond_u5);
492 mask = expand_mask_16bit(cond_r);
493 trgt_deg = 4 & mask;
494 fake_elem = 1 & mask;
495 } else if(u0.get_degree() == 8) {
496 uint32_t mask = 0;
497 int cond_r = r0.get_degree() == 0;
498 int cond_u1 = m_sp_field->gf_mul(u0[1], m_sp_field->gf_inv(r0[0])) == 1;
499 int cond_u3 = u0.m_coeff[3] == 0;
500
501 int cond_u5 = u0.m_coeff[5] == 0;
502
503 int cond_u7 = u0.m_coeff[7] == 0;
504
505 cond_r &= (cond_u1 & cond_u3 & cond_u5 & cond_u7);
506 mask = expand_mask_16bit(cond_r);
507 trgt_deg = 6 & mask;
508 fake_elem = 1 & mask;
509 }
510 r0.patchup_deg_secure(trgt_deg, fake_elem);
511 }
512 // exchange
513 aux = r0;
514 r0 = r1;
515 r1 = aux;
516 aux = u0;
517 u0 = u1;
518 u1 = aux;
519
520 du = du + delta;
521 delta = 1;
522 while(r1[dr - delta] == 0) {
523 delta++;
524 }
525
526 dr -= delta;
527 } /* end while loop (dr >= break_deg) */
528
529 u1.set_degree(du);
530 r1.set_degree(dr);
531 //return u1 and r1;
532 return std::make_pair(u1, r1); // coefficients u,v
533}
534
535polyn_gf2m::polyn_gf2m(size_t t, RandomNumberGenerator& rng, const std::shared_ptr<GF2m_Field>& sp_field) :
536 m_deg(static_cast<int>(t)), m_coeff(t + 1), m_sp_field(sp_field) {
537 this->set_coef(t, 1);
538 for(;;) {
539 for(size_t i = 0; i < t; ++i) {
540 this->set_coef(i, random_code_element(sp_field->get_cardinality(), rng));
541 }
542
543 const size_t degree = polyn_gf2m::degppf(*this);
544
545 if(degree >= t) {
546 break;
547 }
548 }
549}
550
551void polyn_gf2m::poly_shiftmod(const polyn_gf2m& g) {
552 if(g.get_degree() <= 1) {
553 throw Invalid_Argument("shiftmod cannot be called on polynomials of degree 1 or less");
554 }
555 std::shared_ptr<GF2m_Field> field = g.m_sp_field;
556
557 int t = g.get_degree();
558 gf2m a = field->gf_div(this->m_coeff[t - 1], g.m_coeff[t]);
559 for(int i = t - 1; i > 0; --i) {
560 this->m_coeff[i] = this->m_coeff[i - 1] ^ this->m_sp_field->gf_mul(a, g.m_coeff[i]);
561 }
562 this->m_coeff[0] = field->gf_mul(a, g.m_coeff[0]);
563}
564
565std::vector<polyn_gf2m> polyn_gf2m::sqrt_mod_init(const polyn_gf2m& g) {
566 uint32_t i = 0;
567 uint32_t t = 0;
568 uint32_t nb_polyn_sqrt_mat = 0;
569 std::shared_ptr<GF2m_Field> m_sp_field = g.m_sp_field;
570 std::vector<polyn_gf2m> result;
571 t = g.get_degree();
572 nb_polyn_sqrt_mat = t / 2;
573
574 std::vector<polyn_gf2m> sq_aux = polyn_gf2m::sqmod_init(g);
575
576 polyn_gf2m p(t - 1, g.get_sp_field());
577 p.set_degree(1);
578
579 (*&p).set_coef(1, 1);
580 // q(z) = 0, p(z) = z
581 for(i = 0; i < t * m_sp_field->get_extension_degree() - 1; ++i) {
582 // q(z) <- p(z)^2 mod g(z)
583 polyn_gf2m q = p.sqmod(sq_aux, t);
584 // q(z) <-> p(z)
585 polyn_gf2m aux = q;
586 q = p;
587 p = aux;
588 }
589 // p(z) = z^(2^(tm-1)) mod g(z) = sqrt(z) mod g(z)
590
591 for(i = 0; i < nb_polyn_sqrt_mat; ++i) {
592 result.push_back(polyn_gf2m(t - 1, g.get_sp_field()));
593 }
594
595 result[0] = p;
596 result[0].get_degree();
597 for(i = 1; i < nb_polyn_sqrt_mat; i++) {
598 result[i] = result[i - 1];
599 result[i].poly_shiftmod(g);
600 result[i].get_degree();
601 }
602
603 return result;
604}
605
606std::vector<polyn_gf2m> syndrome_init(const polyn_gf2m& generator, const std::vector<gf2m>& support, int n) {
607 int i = 0;
608 int j = 0;
609 int t = 0;
610 gf2m a = 0;
611
612 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
613
614 std::vector<polyn_gf2m> result;
615 t = generator.get_degree();
616
617 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
618 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
619
620 for(j = 0; j < n; j++) {
621 result.push_back(polyn_gf2m(t - 1, m_sp_field));
622
623 (*&result[j]).set_coef(t - 1, 1);
624 for(i = t - 2; i >= 0; i--) {
625 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
626 }
627 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
628 for(i = 0; i < t; i++) {
629 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
630 }
631 }
632 return result;
633}
634
635polyn_gf2m::polyn_gf2m(const secure_vector<uint8_t>& encoded, const std::shared_ptr<GF2m_Field>& sp_field) :
636 m_sp_field(sp_field) {
637 if(encoded.size() % 2) {
638 throw Decoding_Error("encoded polynomial has odd length");
639 }
640 for(uint32_t i = 0; i < encoded.size(); i += 2) {
641 gf2m el = (encoded[i] << 8) | encoded[i + 1];
642 m_coeff.push_back(el);
643 }
644 get_degree();
645}
646
647secure_vector<uint8_t> polyn_gf2m::encode() const {
648 secure_vector<uint8_t> result;
649
650 if(m_deg < 1) {
651 result.push_back(0);
652 result.push_back(0);
653 return result;
654 }
655
656 uint32_t len = m_deg + 1;
657 for(unsigned i = 0; i < len; i++) {
658 // "big endian" encoding of the GF(2^m) elements
659 result.push_back(get_byte<0>(m_coeff[i]));
660 result.push_back(get_byte<1>(m_coeff[i]));
661 }
662 return result;
663}
664
665void polyn_gf2m::swap(polyn_gf2m& other) noexcept {
666 std::swap(this->m_deg, other.m_deg);
667 std::swap(this->m_sp_field, other.m_sp_field);
668 std::swap(this->m_coeff, other.m_coeff);
669}
670
671bool polyn_gf2m::operator==(const polyn_gf2m& other) const {
672 return m_deg == other.m_deg && m_coeff == other.m_coeff;
673}
674
675// NOLINTEND(*-implicit-bool-conversion)
676
677} // namespace Botan
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition rng.h:71
Botan::polyn_gf2m
Definition polyn_gf2m.h:27
Botan::polyn_gf2m::set_to_zero
void set_to_zero()
Definition polyn_gf2m.cpp:163
Botan::polyn_gf2m::encode
secure_vector< uint8_t > encode() const
Definition polyn_gf2m.cpp:647
Botan::polyn_gf2m::get_degree
int get_degree() const
Definition polyn_gf2m.cpp:168
Botan::polyn_gf2m::get_sp_field
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:79
Botan::polyn_gf2m::eea_with_coefficients
static std::pair< polyn_gf2m, polyn_gf2m > eea_with_coefficients(const polyn_gf2m &p, const polyn_gf2m &g, int break_deg)
Definition polyn_gf2m.cpp:358
Botan::polyn_gf2m::set_coef
void set_coef(size_t i, gf2m v)
Definition polyn_gf2m.h:89
Botan::polyn_gf2m::polyn_gf2m
polyn_gf2m(const std::shared_ptr< GF2m_Field > &sp_field)
Definition polyn_gf2m.cpp:132
Botan::polyn_gf2m::swap
void swap(polyn_gf2m &other) noexcept
Definition polyn_gf2m.cpp:665
Botan::polyn_gf2m::get_lead_coef
gf2m get_lead_coef() const
Definition polyn_gf2m.h:85
Botan::polyn_gf2m::patchup_deg_secure
void patchup_deg_secure(uint32_t trgt_deg, gf2m patch_elem)
Definition polyn_gf2m.cpp:343
Botan::polyn_gf2m::sqmod_init
static std::vector< polyn_gf2m > sqmod_init(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:226
Botan::polyn_gf2m::sqrt_mod_init
static std::vector< polyn_gf2m > sqrt_mod_init(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:565
Botan::polyn_gf2m::polyn_gf2m
polyn_gf2m()
Definition polyn_gf2m.h:34
Botan::polyn_gf2m::calc_degree_secure
int calc_degree_secure() const
Definition polyn_gf2m.cpp:60
Botan::polyn_gf2m::operator==
bool operator==(const polyn_gf2m &other) const
Definition polyn_gf2m.cpp:671
Botan::polyn_gf2m::sqmod
polyn_gf2m sqmod(const std::vector< polyn_gf2m > &sq, int d)
Definition polyn_gf2m.cpp:257
Botan::polyn_gf2m::eval
gf2m eval(gf2m a)
Definition polyn_gf2m.cpp:193
Botan::polyn_gf2m::degppf
static size_t degppf(const polyn_gf2m &g)
Definition polyn_gf2m.cpp:308
Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
Botan::lex_to_gray
gf2m lex_to_gray(gf2m lex)
Definition code_based_util.h:38
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
Botan::expand_mask_16bit
uint16_t expand_mask_16bit(T tst)
Definition code_based_util.h:25
Botan::random_code_element
gf2m random_code_element(uint16_t code_length, RandomNumberGenerator &rng)
Definition polyn_gf2m.cpp:82
Botan::syndrome_init
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
Definition polyn_gf2m.cpp:606
Botan::random_gf2m
gf2m random_gf2m(RandomNumberGenerator &rng)
Definition polyn_gf2m.cpp:76
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::decode_gf2m
gf2m decode_gf2m(const uint8_t *mem)
Definition gf2m_small_m.cpp:102
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119
Botan::gf2m
uint16_t gf2m
Definition gf2m_small_m.h:20
Botan::make_uint16
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)
Definition loadstor.h:92
Generated by doxygen 1.14.0