/*
This file is for the Berlekamp-Massey algorithm
see http://crypto.stanford.edu/~mironov/cs359/massey.pdf
*/
#include "bm.h"
#include "params.h"
/* Evaluates both arguments twice; in this file it is only applied to the
   side-effect-free operands N and SYS_T, so the double evaluation is harmless. */
#define min(a, b) (((a) < (b)) ? (a) : (b))
/*
 * The Berlekamp-Massey algorithm (see the reference in the file header).
 *
 * input:  s, sequence of field elements.  This routine reads s[0 .. 2*SYS_T-1]
 *         (N runs up to 2*SYS_T - 1 and every access is s[N - i] with 0 <= i <= N).
 * output: out, minimal polynomial of s, SYS_T + 1 coefficients, written in
 *         reverse order of the internal C (out[i] = C[SYS_T - i]).
 *
 * Both pointers must be non-NULL and sized as above; nothing here checks them.
 *
 * The two data-dependent decisions of the algorithm ("is the discrepancy d
 * nonzero?" and "is 2L <= N?") are never taken as branches: they are turned
 * into the 16-bit masks mne and mle and applied with & and |.  Every loop
 * bound depends only on the public round counter N and on SYS_T, and every
 * array index is a function of i and N, so at the source level neither the
 * control flow nor the memory access pattern depends on the contents of s.
 *
 * NOTE(review): the mask derivations below rely on every value held in a
 * uint16_t here (d, N, 2*L) being below 2^15, so that bit 15 after the
 * subtraction is set exactly when the subtraction wrapped -- confirm against
 * the gf range and SYS_T in params.h / gf.h.
 */
void PQCLEAN_MCELIECE6688128_CLEAN_bm(gf *out, gf *s) {
    int i;

    uint16_t N = 0;   /* index of the sequence element processed this round */
    uint16_t L = 0;   /* current length of the LFSR described by C */
    uint16_t mle;     /* all-ones when L, B and b are to be updated this round */
    uint16_t mne;     /* all-ones when the discrepancy d is nonzero */

    gf T[ SYS_T + 1 ];   /* scratch copy of C, taken before C is updated */
    gf C[ SYS_T + 1 ];   /* connection polynomial; the result, reversed on output */
    gf B[ SYS_T + 1 ];   /* previous connection polynomial, shifted by x each round */

    /* b: discrepancy of the round that last changed L; d: this round's discrepancy;
       f: correction factor gf_frac(b, d) (d/b in the usual formulation -- confirm
       the argument order in gf.c) */
    gf b = 1, d, f;

    // initialise C(x) = 1 and B(x) = x

    for (i = 0; i < SYS_T + 1; i++) {
        C[i] = B[i] = 0;
    }

    B[1] = C[0] = 1;

    // main loop: one round per sequence element, 2*SYS_T rounds in total

    for (N = 0; N < 2 * SYS_T; N++) {
        d = 0;

        /* discrepancy d = XOR over i of C[i] * s[N - i]; the bound min(N, SYS_T)
           is public, so the trip count does not leak anything about s */
        for (i = 0; i <= min(N, SYS_T); i++) {
            d ^= PQCLEAN_MCELIECE6688128_CLEAN_gf_mul(C[i], s[ N - i]);
        }

        /* mne = 0xFFFF if d != 0, else 0 (given d < 2^15, see the note above):
           d - 1 wraps to 0xFFFF only for d == 0, so the shifted bit is 1 exactly
           then, and subtracting 1 again turns 1 -> 0 and 0 -> 0xFFFF.  Each step
           promotes to int and narrows back to uint16_t, which is well-defined. */
        mne = d;
        mne -= 1;
        mne >>= 15;
        mne -= 1;
        /* mle = 0xFFFF if N >= 2L and d != 0, else 0: N - 2L wraps (bit 15 set)
           only when 2L > N, given both operands are below 2^15 */
        mle = N;
        mle -= 2 * L;
        mle >>= 15;
        mle -= 1;
        mle &= mne;

        /* snapshot C before it is modified; T is the candidate new B */
        for (i = 0; i <= SYS_T; i++) {
            T[i] = C[i];
        }

        /* evaluated unconditionally, even when d == 0, to keep the round
           branch-free; the product below is masked out by mne in that case.
           Assumes gf_frac copes with d == 0 -- confirm in gf.c */
        f = PQCLEAN_MCELIECE6688128_CLEAN_gf_frac(b, d);

        /* C(x) ^= f * B(x), effective only when d != 0 (mne) */
        for (i = 0; i <= SYS_T; i++) {
            C[i] ^= PQCLEAN_MCELIECE6688128_CLEAN_gf_mul(f, B[i]) & mne;
        }

        /* when mle is set: L = N + 1 - L, B = old C (T), b = d; otherwise all
           three keep their value.  The selects are computed in int (~mle is a
           negative int whose low 16 bits are ~mle) and narrowed on assignment. */
        L = (L & ~mle) | ((N + 1 - L) & mle);

        for (i = 0; i <= SYS_T; i++) {
            B[i] = (B[i] & ~mle) | (T[i] & mle);
        }

        b = (b & ~mle) | (d & mle);

        /* B(x) <- x * B(x): shift the coefficients up by one, the top one falls off */
        for (i = SYS_T; i >= 1; i--) {
            B[i] = B[i - 1];
        }

        B[0] = 0;
    }

    /* emit C with the coefficient order reversed */
    for (i = 0; i <= SYS_T; i++) {
        out[i] = C[ SYS_T - i ];
    }
    /* NOTE(review): T, C and B hold decoder-private intermediate state and are
       left on the stack uncleared on return; this file does not zeroise them. */
}