From 587090e744935a96b043a72e37be8b7052a1154d Mon Sep 17 00:00:00 2001
From: Leon <leon.botros@gmail.com>
Date: Sun, 19 May 2019 19:14:46 +0200
Subject: [PATCH] renamed to something more appropriate, copied source code,
 ran astyle

---
 crypto_kem/ledakemlt12/META.yml               |  18 +
 .../clean/H_Q_matrices_generation.c           |  71 ++
 .../clean/H_Q_matrices_generation.h           |  49 ++
 crypto_kem/ledakemlt12/clean/Makefile         |  55 ++
 crypto_kem/ledakemlt12/clean/aes256.c         | 600 ++++++++++++++++
 crypto_kem/ledakemlt12/clean/aes256.h         |  41 ++
 crypto_kem/ledakemlt12/clean/api.h            |  75 ++
 crypto_kem/ledakemlt12/clean/bf_decoding.c    | 114 +++
 crypto_kem/ledakemlt12/clean/bf_decoding.h    |  78 +++
 crypto_kem/ledakemlt12/clean/dfr_test.c       | 114 +++
 crypto_kem/ledakemlt12/clean/dfr_test.h       |   3 +
 crypto_kem/ledakemlt12/clean/gf2x_arith.c     | 462 ++++++++++++
 crypto_kem/ledakemlt12/clean/gf2x_arith.h     | 112 +++
 .../clean/gf2x_arith_mod_xPplusOne.c          | 656 ++++++++++++++++++
 .../clean/gf2x_arith_mod_xPplusOne.h          | 300 ++++++++
 crypto_kem/ledakemlt12/clean/gf2x_limbs.h     |  94 +++
 crypto_kem/ledakemlt12/clean/kem.c            |  97 +++
 crypto_kem/ledakemlt12/clean/niederreiter.h   |  58 ++
 .../ledakemlt12/clean/niederreiter_decrypt.c  | 153 ++++
 .../ledakemlt12/clean/niederreiter_decrypt.h  |  45 ++
 .../ledakemlt12/clean/niederreiter_encrypt.c  |  57 ++
 .../ledakemlt12/clean/niederreiter_encrypt.h  |  41 ++
 .../ledakemlt12/clean/niederreiter_keygen.c   | 145 ++++
 .../ledakemlt12/clean/niederreiter_keygen.h   |  43 ++
 .../ledakemlt12/clean/qc_ldpc_parameters.h    | 157 +++++
 crypto_kem/ledakemlt12/clean/rng.c            | 336 +++++++++
 crypto_kem/ledakemlt12/clean/rng.h            |  96 +++
 crypto_kem/ledakemlt12/clean/sha3.h           |  43 ++
 28 files changed, 4113 insertions(+)
 create mode 100644 crypto_kem/ledakemlt12/META.yml
 create mode 100644 crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c
 create mode 100644 crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h
 create mode 100644 crypto_kem/ledakemlt12/clean/Makefile
 create mode 100644 crypto_kem/ledakemlt12/clean/aes256.c
 create mode 100644 crypto_kem/ledakemlt12/clean/aes256.h
 create mode 100644 crypto_kem/ledakemlt12/clean/api.h
 create mode 100644 crypto_kem/ledakemlt12/clean/bf_decoding.c
 create mode 100644 crypto_kem/ledakemlt12/clean/bf_decoding.h
 create mode 100644 crypto_kem/ledakemlt12/clean/dfr_test.c
 create mode 100644 crypto_kem/ledakemlt12/clean/dfr_test.h
 create mode 100644 crypto_kem/ledakemlt12/clean/gf2x_arith.c
 create mode 100644 crypto_kem/ledakemlt12/clean/gf2x_arith.h
 create mode 100644 crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c
 create mode 100644 crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h
 create mode 100644 crypto_kem/ledakemlt12/clean/gf2x_limbs.h
 create mode 100644 crypto_kem/ledakemlt12/clean/kem.c
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter.h
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_keygen.c
 create mode 100644 crypto_kem/ledakemlt12/clean/niederreiter_keygen.h
 create mode 100644 crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h
 create mode 100644 crypto_kem/ledakemlt12/clean/rng.c
 create mode 100644 crypto_kem/ledakemlt12/clean/rng.h
 create mode 100644 crypto_kem/ledakemlt12/clean/sha3.h

diff --git a/crypto_kem/ledakemlt12/META.yml b/crypto_kem/ledakemlt12/META.yml
new file mode 100644
index 00000000..426ffdc3
--- /dev/null
+++ b/crypto_kem/ledakemlt12/META.yml
@@ -0,0 +1,18 @@
+name: LEDAcryptKEM-LT12
+type: kem
+claimed-nist-level: 1
+claimed-security: IND-CCA2
+length-public-key: 6520
+length-secret-key: 468
+length-ciphertext: 6520
+length-shared-secret: 32
+nistkat-sha256: 3bb5945e0aea26f121e1d56946760e506bdfbebb07e2fb018ce737b90b1eee2b
+principal-submitter: Marco Baldi
+auxiliary-submitters:
+  - Alessandro Barenghi
+  - Franco Chiaraluce
+  - Gerardo Pelosi
+  - Paolo Santini
+implementations:
+  - name: clean
+    version: 2.0
diff --git a/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c b/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c
new file mode 100644
index 00000000..703f316b
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.c
@@ -0,0 +1,71 @@
+/**
+ *
+ * <H_Q_matrices_generation.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#include "H_Q_matrices_generation.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+
+/*----------------------------------------------------------------------------*/
+
+void generateHPosOnes_HtrPosOnes(POSITION_T HPosOnes[N0][DV],
+                                 POSITION_T HtrPosOnes[N0][DV],
+                                 AES_XOF_struct *keys_expander
+                                ) {
+    for (int i = 0; i < N0; i++) {
+        /* Generate a random block of Htr */
+        rand_circulant_sparse_block(&HtrPosOnes[i][0],
+                                    DV,
+                                    keys_expander);
+    }
+    for (int i = 0; i < N0; i++) {
+        /* Obtain directly the sparse representation of the block of H */
+        for (int k = 0; k < DV; k++) {
+            HPosOnes[i][k] = (P - HtrPosOnes[i][k])  % P; /* transposes indexes */
+        }// end for k
+    }
+} // end generateHtr_HtrPosOnes
+
+/*----------------------------------------------------------------------------*/
+
+void  generateQsparse(POSITION_T pos_ones[N0][M],
+                      AES_XOF_struct *keys_expander) {
+    for (int i = 0; i < N0; i++) {
+        int placed_ones = 0;
+        for (int j = 0; j < N0; j++) {
+            rand_circulant_sparse_block(&pos_ones[i][placed_ones],
+                                        qBlockWeights[i][j],
+                                        keys_expander);
+            placed_ones += qBlockWeights[i][j];
+        } // end for j
+    } // end for i
+} // end generateQsparse
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h b/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h
new file mode 100644
index 00000000..98a67b51
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/H_Q_matrices_generation.h
@@ -0,0 +1,49 @@
+/**
+ *
+ * <H_Q_matrices_generation.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+#include "qc_ldpc_parameters.h"
+#include "gf2x_limbs.h"
+#include "rng.h"
+/*----------------------------------------------------------------------------*/
+
+
+void generateHPosOnes_HtrPosOnes(POSITION_T HPosOnes[N0][DV],
+                                 POSITION_T HtrPosOnes[N0][DV],
+                                 AES_XOF_struct *niederreiter_keys_expander);
+
+/*----------------------------------------------------------------------------*/
+
+void generateQsparse(POSITION_T pos_ones[N0][M],
+                     AES_XOF_struct *niederreiter_keys_expander);
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/Makefile b/crypto_kem/ledakemlt12/clean/Makefile
new file mode 100644
index 00000000..c04d41f5
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/Makefile
@@ -0,0 +1,55 @@
+# This Makefile can be used with GNU Make or BSD Make
+
+SL = 1
+N0 = 2
+DFR_SL_LEVEL = 1
+
+LIB=libLEDAkem_sl$(SL)_N0$(N0)_clean.a
+HEADERS=aes256.h api.h bf_decoding.h dfr_test.h gf2x_arith_mod_xPplusOne.h \
+		gf2x_arith.h gf2x_limbs.h H_Q_matrices_generation.h niederreiter_decrypt.h \
+		niederreiter_encrypt.h niederreiter_keygen.h niederreiter.h \
+		qc_ldpc_parameters.h rng.h sha3.h
+
+OBJECTS=aes256.o bf_decoding.o dfr_test.o gf2x_arith_mod_xPplusOne.o \
+		gf2x_arith.o H_Q_matrices_generation.o kem.o niederreiter_decrypt.o \
+		niederreiter_encrypt.o niederreiter_keygen.o rng.o
+
+CFLAGS=-O3 -Wall -Wextra -Wpedantic -Wvla -Wmissing-prototypes -std=c99 \
+		-DCATEGORY=$(SL) -DN0=$(N0) -DDFR_SL_LEVEL=$(DFR_SL_LEVEL) -I../../../common $(EXTRAFLAGS)
+
+all: $(LIB)
+
+%.o: %.c $(HEADERS)
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+$(LIB): $(OBJECTS)
+	$(AR) -r $@ $(OBJECTS)
+
+clean:
+	$(RM) $(OBJECTS)
+	$(RM) $(LIB)
+
+
+# old makefile
+# CFLAGS = -DCATEGORY=$(SL) -DN0=$(N0) -DDFR_SL_LEVEL=$(DFR_SL_LEVEL) -DCPU_WORD_BITS=64 \
+#        -std=c11 -Wall -pedantic -Wmaybe-uninitialized -Wuninitialized \
+#    -march=native -O3 -g3
+# LDFLAGS = -lm -lkeccak
+# INCLUDES = -I./include
+# SRCDIR = library
+# OBJDIR = bin
+#
+# # Gathers the names of all C files
+#     CSRC = $(wildcard $(SRCDIR)/*.c)
+# # Produces in $(COBJS) the names of .o object files for all C files
+#    COBJS = $(CSRC:$(SRCDIR)/%.c=$(OBJDIR)/%.o)
+#
+# $(OBJDIR)/%.o: $(SRCDIR)/%.c
+# 	$(CC) -c $(CFLAGS) $(INCLUDES)  $< -o $@
+#
+# .PHONY : all clean
+#
+# all: $(COBJS)
+# 	ar rcs $(OBJDIR)/libLEDAkem_sl$(SL)_N0$(N0).a $(COBJS)
+# clean:
+# 	$(RM) $(OBJDIR)/*.o  $(OBJDIR)/libLEDAkem_sl$(SL)_N0$(N0).a
diff --git a/crypto_kem/ledakemlt12/clean/aes256.c b/crypto_kem/ledakemlt12/clean/aes256.c
new file mode 100644
index 00000000..7d6dea97
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/aes256.c
@@ -0,0 +1,600 @@
+/**
+ * AES-256 self contained implementation derived from :
+ *
+ * rijndael-alg-fst.h
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * originally placed in the public domain by the authors.
+ *
+ *
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdint.h>
+#include "aes256.h"
+
+/*
+Te0[x] = S [x].[02, 01, 01, 03];
+Te1[x] = S [x].[03, 02, 01, 01];
+Te2[x] = S [x].[01, 03, 02, 01];
+Te3[x] = S [x].[01, 01, 03, 02];
+Te4[x] = S [x].[01, 01, 01, 01];
+*/
+
+static const uint32_t Te0[256] = {
+    0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
+    0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
+    0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
+    0xe7fefe19U, 0xb5d7d762U, 0x4dababe6U, 0xec76769aU,
+    0x8fcaca45U, 0x1f82829dU, 0x89c9c940U, 0xfa7d7d87U,
+    0xeffafa15U, 0xb25959ebU, 0x8e4747c9U, 0xfbf0f00bU,
+    0x41adadecU, 0xb3d4d467U, 0x5fa2a2fdU, 0x45afafeaU,
+    0x239c9cbfU, 0x53a4a4f7U, 0xe4727296U, 0x9bc0c05bU,
+    0x75b7b7c2U, 0xe1fdfd1cU, 0x3d9393aeU, 0x4c26266aU,
+    0x6c36365aU, 0x7e3f3f41U, 0xf5f7f702U, 0x83cccc4fU,
+    0x6834345cU, 0x51a5a5f4U, 0xd1e5e534U, 0xf9f1f108U,
+    0xe2717193U, 0xabd8d873U, 0x62313153U, 0x2a15153fU,
+    0x0804040cU, 0x95c7c752U, 0x46232365U, 0x9dc3c35eU,
+    0x30181828U, 0x379696a1U, 0x0a05050fU, 0x2f9a9ab5U,
+    0x0e070709U, 0x24121236U, 0x1b80809bU, 0xdfe2e23dU,
+    0xcdebeb26U, 0x4e272769U, 0x7fb2b2cdU, 0xea75759fU,
+    0x1209091bU, 0x1d83839eU, 0x582c2c74U, 0x341a1a2eU,
+    0x361b1b2dU, 0xdc6e6eb2U, 0xb45a5aeeU, 0x5ba0a0fbU,
+    0xa45252f6U, 0x763b3b4dU, 0xb7d6d661U, 0x7db3b3ceU,
+    0x5229297bU, 0xdde3e33eU, 0x5e2f2f71U, 0x13848497U,
+    0xa65353f5U, 0xb9d1d168U, 0x00000000U, 0xc1eded2cU,
+    0x40202060U, 0xe3fcfc1fU, 0x79b1b1c8U, 0xb65b5bedU,
+    0xd46a6abeU, 0x8dcbcb46U, 0x67bebed9U, 0x7239394bU,
+    0x944a4adeU, 0x984c4cd4U, 0xb05858e8U, 0x85cfcf4aU,
+    0xbbd0d06bU, 0xc5efef2aU, 0x4faaaae5U, 0xedfbfb16U,
+    0x864343c5U, 0x9a4d4dd7U, 0x66333355U, 0x11858594U,
+    0x8a4545cfU, 0xe9f9f910U, 0x04020206U, 0xfe7f7f81U,
+    0xa05050f0U, 0x783c3c44U, 0x259f9fbaU, 0x4ba8a8e3U,
+    0xa25151f3U, 0x5da3a3feU, 0x804040c0U, 0x058f8f8aU,
+    0x3f9292adU, 0x219d9dbcU, 0x70383848U, 0xf1f5f504U,
+    0x63bcbcdfU, 0x77b6b6c1U, 0xafdada75U, 0x42212163U,
+    0x20101030U, 0xe5ffff1aU, 0xfdf3f30eU, 0xbfd2d26dU,
+    0x81cdcd4cU, 0x180c0c14U, 0x26131335U, 0xc3ecec2fU,
+    0xbe5f5fe1U, 0x359797a2U, 0x884444ccU, 0x2e171739U,
+    0x93c4c457U, 0x55a7a7f2U, 0xfc7e7e82U, 0x7a3d3d47U,
+    0xc86464acU, 0xba5d5de7U, 0x3219192bU, 0xe6737395U,
+    0xc06060a0U, 0x19818198U, 0x9e4f4fd1U, 0xa3dcdc7fU,
+    0x44222266U, 0x542a2a7eU, 0x3b9090abU, 0x0b888883U,
+    0x8c4646caU, 0xc7eeee29U, 0x6bb8b8d3U, 0x2814143cU,
+    0xa7dede79U, 0xbc5e5ee2U, 0x160b0b1dU, 0xaddbdb76U,
+    0xdbe0e03bU, 0x64323256U, 0x743a3a4eU, 0x140a0a1eU,
+    0x924949dbU, 0x0c06060aU, 0x4824246cU, 0xb85c5ce4U,
+    0x9fc2c25dU, 0xbdd3d36eU, 0x43acacefU, 0xc46262a6U,
+    0x399191a8U, 0x319595a4U, 0xd3e4e437U, 0xf279798bU,
+    0xd5e7e732U, 0x8bc8c843U, 0x6e373759U, 0xda6d6db7U,
+    0x018d8d8cU, 0xb1d5d564U, 0x9c4e4ed2U, 0x49a9a9e0U,
+    0xd86c6cb4U, 0xac5656faU, 0xf3f4f407U, 0xcfeaea25U,
+    0xca6565afU, 0xf47a7a8eU, 0x47aeaee9U, 0x10080818U,
+    0x6fbabad5U, 0xf0787888U, 0x4a25256fU, 0x5c2e2e72U,
+    0x381c1c24U, 0x57a6a6f1U, 0x73b4b4c7U, 0x97c6c651U,
+    0xcbe8e823U, 0xa1dddd7cU, 0xe874749cU, 0x3e1f1f21U,
+    0x964b4bddU, 0x61bdbddcU, 0x0d8b8b86U, 0x0f8a8a85U,
+    0xe0707090U, 0x7c3e3e42U, 0x71b5b5c4U, 0xcc6666aaU,
+    0x904848d8U, 0x06030305U, 0xf7f6f601U, 0x1c0e0e12U,
+    0xc26161a3U, 0x6a35355fU, 0xae5757f9U, 0x69b9b9d0U,
+    0x17868691U, 0x99c1c158U, 0x3a1d1d27U, 0x279e9eb9U,
+    0xd9e1e138U, 0xebf8f813U, 0x2b9898b3U, 0x22111133U,
+    0xd26969bbU, 0xa9d9d970U, 0x078e8e89U, 0x339494a7U,
+    0x2d9b9bb6U, 0x3c1e1e22U, 0x15878792U, 0xc9e9e920U,
+    0x87cece49U, 0xaa5555ffU, 0x50282878U, 0xa5dfdf7aU,
+    0x038c8c8fU, 0x59a1a1f8U, 0x09898980U, 0x1a0d0d17U,
+    0x65bfbfdaU, 0xd7e6e631U, 0x844242c6U, 0xd06868b8U,
+    0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
+    0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
+};
+static const uint32_t Te1[256] = {
+    0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
+    0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
+    0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
+    0x19e7fefeU, 0x62b5d7d7U, 0xe64dababU, 0x9aec7676U,
+    0x458fcacaU, 0x9d1f8282U, 0x4089c9c9U, 0x87fa7d7dU,
+    0x15effafaU, 0xebb25959U, 0xc98e4747U, 0x0bfbf0f0U,
+    0xec41adadU, 0x67b3d4d4U, 0xfd5fa2a2U, 0xea45afafU,
+    0xbf239c9cU, 0xf753a4a4U, 0x96e47272U, 0x5b9bc0c0U,
+    0xc275b7b7U, 0x1ce1fdfdU, 0xae3d9393U, 0x6a4c2626U,
+    0x5a6c3636U, 0x417e3f3fU, 0x02f5f7f7U, 0x4f83ccccU,
+    0x5c683434U, 0xf451a5a5U, 0x34d1e5e5U, 0x08f9f1f1U,
+    0x93e27171U, 0x73abd8d8U, 0x53623131U, 0x3f2a1515U,
+    0x0c080404U, 0x5295c7c7U, 0x65462323U, 0x5e9dc3c3U,
+    0x28301818U, 0xa1379696U, 0x0f0a0505U, 0xb52f9a9aU,
+    0x090e0707U, 0x36241212U, 0x9b1b8080U, 0x3ddfe2e2U,
+    0x26cdebebU, 0x694e2727U, 0xcd7fb2b2U, 0x9fea7575U,
+    0x1b120909U, 0x9e1d8383U, 0x74582c2cU, 0x2e341a1aU,
+    0x2d361b1bU, 0xb2dc6e6eU, 0xeeb45a5aU, 0xfb5ba0a0U,
+    0xf6a45252U, 0x4d763b3bU, 0x61b7d6d6U, 0xce7db3b3U,
+    0x7b522929U, 0x3edde3e3U, 0x715e2f2fU, 0x97138484U,
+    0xf5a65353U, 0x68b9d1d1U, 0x00000000U, 0x2cc1ededU,
+    0x60402020U, 0x1fe3fcfcU, 0xc879b1b1U, 0xedb65b5bU,
+    0xbed46a6aU, 0x468dcbcbU, 0xd967bebeU, 0x4b723939U,
+    0xde944a4aU, 0xd4984c4cU, 0xe8b05858U, 0x4a85cfcfU,
+    0x6bbbd0d0U, 0x2ac5efefU, 0xe54faaaaU, 0x16edfbfbU,
+    0xc5864343U, 0xd79a4d4dU, 0x55663333U, 0x94118585U,
+    0xcf8a4545U, 0x10e9f9f9U, 0x06040202U, 0x81fe7f7fU,
+    0xf0a05050U, 0x44783c3cU, 0xba259f9fU, 0xe34ba8a8U,
+    0xf3a25151U, 0xfe5da3a3U, 0xc0804040U, 0x8a058f8fU,
+    0xad3f9292U, 0xbc219d9dU, 0x48703838U, 0x04f1f5f5U,
+    0xdf63bcbcU, 0xc177b6b6U, 0x75afdadaU, 0x63422121U,
+    0x30201010U, 0x1ae5ffffU, 0x0efdf3f3U, 0x6dbfd2d2U,
+    0x4c81cdcdU, 0x14180c0cU, 0x35261313U, 0x2fc3ececU,
+    0xe1be5f5fU, 0xa2359797U, 0xcc884444U, 0x392e1717U,
+    0x5793c4c4U, 0xf255a7a7U, 0x82fc7e7eU, 0x477a3d3dU,
+    0xacc86464U, 0xe7ba5d5dU, 0x2b321919U, 0x95e67373U,
+    0xa0c06060U, 0x98198181U, 0xd19e4f4fU, 0x7fa3dcdcU,
+    0x66442222U, 0x7e542a2aU, 0xab3b9090U, 0x830b8888U,
+    0xca8c4646U, 0x29c7eeeeU, 0xd36bb8b8U, 0x3c281414U,
+    0x79a7dedeU, 0xe2bc5e5eU, 0x1d160b0bU, 0x76addbdbU,
+    0x3bdbe0e0U, 0x56643232U, 0x4e743a3aU, 0x1e140a0aU,
+    0xdb924949U, 0x0a0c0606U, 0x6c482424U, 0xe4b85c5cU,
+    0x5d9fc2c2U, 0x6ebdd3d3U, 0xef43acacU, 0xa6c46262U,
+    0xa8399191U, 0xa4319595U, 0x37d3e4e4U, 0x8bf27979U,
+    0x32d5e7e7U, 0x438bc8c8U, 0x596e3737U, 0xb7da6d6dU,
+    0x8c018d8dU, 0x64b1d5d5U, 0xd29c4e4eU, 0xe049a9a9U,
+    0xb4d86c6cU, 0xfaac5656U, 0x07f3f4f4U, 0x25cfeaeaU,
+    0xafca6565U, 0x8ef47a7aU, 0xe947aeaeU, 0x18100808U,
+    0xd56fbabaU, 0x88f07878U, 0x6f4a2525U, 0x725c2e2eU,
+    0x24381c1cU, 0xf157a6a6U, 0xc773b4b4U, 0x5197c6c6U,
+    0x23cbe8e8U, 0x7ca1ddddU, 0x9ce87474U, 0x213e1f1fU,
+    0xdd964b4bU, 0xdc61bdbdU, 0x860d8b8bU, 0x850f8a8aU,
+    0x90e07070U, 0x427c3e3eU, 0xc471b5b5U, 0xaacc6666U,
+    0xd8904848U, 0x05060303U, 0x01f7f6f6U, 0x121c0e0eU,
+    0xa3c26161U, 0x5f6a3535U, 0xf9ae5757U, 0xd069b9b9U,
+    0x91178686U, 0x5899c1c1U, 0x273a1d1dU, 0xb9279e9eU,
+    0x38d9e1e1U, 0x13ebf8f8U, 0xb32b9898U, 0x33221111U,
+    0xbbd26969U, 0x70a9d9d9U, 0x89078e8eU, 0xa7339494U,
+    0xb62d9b9bU, 0x223c1e1eU, 0x92158787U, 0x20c9e9e9U,
+    0x4987ceceU, 0xffaa5555U, 0x78502828U, 0x7aa5dfdfU,
+    0x8f038c8cU, 0xf859a1a1U, 0x80098989U, 0x171a0d0dU,
+    0xda65bfbfU, 0x31d7e6e6U, 0xc6844242U, 0xb8d06868U,
+    0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
+    0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
+};
+static const uint32_t Te2[256] = {
+    0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
+    0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
+    0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
+    0xfe19e7feU, 0xd762b5d7U, 0xabe64dabU, 0x769aec76U,
+    0xca458fcaU, 0x829d1f82U, 0xc94089c9U, 0x7d87fa7dU,
+    0xfa15effaU, 0x59ebb259U, 0x47c98e47U, 0xf00bfbf0U,
+    0xadec41adU, 0xd467b3d4U, 0xa2fd5fa2U, 0xafea45afU,
+    0x9cbf239cU, 0xa4f753a4U, 0x7296e472U, 0xc05b9bc0U,
+    0xb7c275b7U, 0xfd1ce1fdU, 0x93ae3d93U, 0x266a4c26U,
+    0x365a6c36U, 0x3f417e3fU, 0xf702f5f7U, 0xcc4f83ccU,
+    0x345c6834U, 0xa5f451a5U, 0xe534d1e5U, 0xf108f9f1U,
+    0x7193e271U, 0xd873abd8U, 0x31536231U, 0x153f2a15U,
+    0x040c0804U, 0xc75295c7U, 0x23654623U, 0xc35e9dc3U,
+    0x18283018U, 0x96a13796U, 0x050f0a05U, 0x9ab52f9aU,
+    0x07090e07U, 0x12362412U, 0x809b1b80U, 0xe23ddfe2U,
+    0xeb26cdebU, 0x27694e27U, 0xb2cd7fb2U, 0x759fea75U,
+    0x091b1209U, 0x839e1d83U, 0x2c74582cU, 0x1a2e341aU,
+    0x1b2d361bU, 0x6eb2dc6eU, 0x5aeeb45aU, 0xa0fb5ba0U,
+    0x52f6a452U, 0x3b4d763bU, 0xd661b7d6U, 0xb3ce7db3U,
+    0x297b5229U, 0xe33edde3U, 0x2f715e2fU, 0x84971384U,
+    0x53f5a653U, 0xd168b9d1U, 0x00000000U, 0xed2cc1edU,
+    0x20604020U, 0xfc1fe3fcU, 0xb1c879b1U, 0x5bedb65bU,
+    0x6abed46aU, 0xcb468dcbU, 0xbed967beU, 0x394b7239U,
+    0x4ade944aU, 0x4cd4984cU, 0x58e8b058U, 0xcf4a85cfU,
+    0xd06bbbd0U, 0xef2ac5efU, 0xaae54faaU, 0xfb16edfbU,
+    0x43c58643U, 0x4dd79a4dU, 0x33556633U, 0x85941185U,
+    0x45cf8a45U, 0xf910e9f9U, 0x02060402U, 0x7f81fe7fU,
+    0x50f0a050U, 0x3c44783cU, 0x9fba259fU, 0xa8e34ba8U,
+    0x51f3a251U, 0xa3fe5da3U, 0x40c08040U, 0x8f8a058fU,
+    0x92ad3f92U, 0x9dbc219dU, 0x38487038U, 0xf504f1f5U,
+    0xbcdf63bcU, 0xb6c177b6U, 0xda75afdaU, 0x21634221U,
+    0x10302010U, 0xff1ae5ffU, 0xf30efdf3U, 0xd26dbfd2U,
+    0xcd4c81cdU, 0x0c14180cU, 0x13352613U, 0xec2fc3ecU,
+    0x5fe1be5fU, 0x97a23597U, 0x44cc8844U, 0x17392e17U,
+    0xc45793c4U, 0xa7f255a7U, 0x7e82fc7eU, 0x3d477a3dU,
+    0x64acc864U, 0x5de7ba5dU, 0x192b3219U, 0x7395e673U,
+    0x60a0c060U, 0x81981981U, 0x4fd19e4fU, 0xdc7fa3dcU,
+    0x22664422U, 0x2a7e542aU, 0x90ab3b90U, 0x88830b88U,
+    0x46ca8c46U, 0xee29c7eeU, 0xb8d36bb8U, 0x143c2814U,
+    0xde79a7deU, 0x5ee2bc5eU, 0x0b1d160bU, 0xdb76addbU,
+    0xe03bdbe0U, 0x32566432U, 0x3a4e743aU, 0x0a1e140aU,
+    0x49db9249U, 0x060a0c06U, 0x246c4824U, 0x5ce4b85cU,
+    0xc25d9fc2U, 0xd36ebdd3U, 0xacef43acU, 0x62a6c462U,
+    0x91a83991U, 0x95a43195U, 0xe437d3e4U, 0x798bf279U,
+    0xe732d5e7U, 0xc8438bc8U, 0x37596e37U, 0x6db7da6dU,
+    0x8d8c018dU, 0xd564b1d5U, 0x4ed29c4eU, 0xa9e049a9U,
+    0x6cb4d86cU, 0x56faac56U, 0xf407f3f4U, 0xea25cfeaU,
+    0x65afca65U, 0x7a8ef47aU, 0xaee947aeU, 0x08181008U,
+    0xbad56fbaU, 0x7888f078U, 0x256f4a25U, 0x2e725c2eU,
+    0x1c24381cU, 0xa6f157a6U, 0xb4c773b4U, 0xc65197c6U,
+    0xe823cbe8U, 0xdd7ca1ddU, 0x749ce874U, 0x1f213e1fU,
+    0x4bdd964bU, 0xbddc61bdU, 0x8b860d8bU, 0x8a850f8aU,
+    0x7090e070U, 0x3e427c3eU, 0xb5c471b5U, 0x66aacc66U,
+    0x48d89048U, 0x03050603U, 0xf601f7f6U, 0x0e121c0eU,
+    0x61a3c261U, 0x355f6a35U, 0x57f9ae57U, 0xb9d069b9U,
+    0x86911786U, 0xc15899c1U, 0x1d273a1dU, 0x9eb9279eU,
+    0xe138d9e1U, 0xf813ebf8U, 0x98b32b98U, 0x11332211U,
+    0x69bbd269U, 0xd970a9d9U, 0x8e89078eU, 0x94a73394U,
+    0x9bb62d9bU, 0x1e223c1eU, 0x87921587U, 0xe920c9e9U,
+    0xce4987ceU, 0x55ffaa55U, 0x28785028U, 0xdf7aa5dfU,
+    0x8c8f038cU, 0xa1f859a1U, 0x89800989U, 0x0d171a0dU,
+    0xbfda65bfU, 0xe631d7e6U, 0x42c68442U, 0x68b8d068U,
+    0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
+    0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
+};
+static const uint32_t Te3[256] = {
+
+    0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
+    0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
+    0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
+    0xfefe19e7U, 0xd7d762b5U, 0xababe64dU, 0x76769aecU,
+    0xcaca458fU, 0x82829d1fU, 0xc9c94089U, 0x7d7d87faU,
+    0xfafa15efU, 0x5959ebb2U, 0x4747c98eU, 0xf0f00bfbU,
+    0xadadec41U, 0xd4d467b3U, 0xa2a2fd5fU, 0xafafea45U,
+    0x9c9cbf23U, 0xa4a4f753U, 0x727296e4U, 0xc0c05b9bU,
+    0xb7b7c275U, 0xfdfd1ce1U, 0x9393ae3dU, 0x26266a4cU,
+    0x36365a6cU, 0x3f3f417eU, 0xf7f702f5U, 0xcccc4f83U,
+    0x34345c68U, 0xa5a5f451U, 0xe5e534d1U, 0xf1f108f9U,
+    0x717193e2U, 0xd8d873abU, 0x31315362U, 0x15153f2aU,
+    0x04040c08U, 0xc7c75295U, 0x23236546U, 0xc3c35e9dU,
+    0x18182830U, 0x9696a137U, 0x05050f0aU, 0x9a9ab52fU,
+    0x0707090eU, 0x12123624U, 0x80809b1bU, 0xe2e23ddfU,
+    0xebeb26cdU, 0x2727694eU, 0xb2b2cd7fU, 0x75759feaU,
+    0x09091b12U, 0x83839e1dU, 0x2c2c7458U, 0x1a1a2e34U,
+    0x1b1b2d36U, 0x6e6eb2dcU, 0x5a5aeeb4U, 0xa0a0fb5bU,
+    0x5252f6a4U, 0x3b3b4d76U, 0xd6d661b7U, 0xb3b3ce7dU,
+    0x29297b52U, 0xe3e33eddU, 0x2f2f715eU, 0x84849713U,
+    0x5353f5a6U, 0xd1d168b9U, 0x00000000U, 0xeded2cc1U,
+    0x20206040U, 0xfcfc1fe3U, 0xb1b1c879U, 0x5b5bedb6U,
+    0x6a6abed4U, 0xcbcb468dU, 0xbebed967U, 0x39394b72U,
+    0x4a4ade94U, 0x4c4cd498U, 0x5858e8b0U, 0xcfcf4a85U,
+    0xd0d06bbbU, 0xefef2ac5U, 0xaaaae54fU, 0xfbfb16edU,
+    0x4343c586U, 0x4d4dd79aU, 0x33335566U, 0x85859411U,
+    0x4545cf8aU, 0xf9f910e9U, 0x02020604U, 0x7f7f81feU,
+    0x5050f0a0U, 0x3c3c4478U, 0x9f9fba25U, 0xa8a8e34bU,
+    0x5151f3a2U, 0xa3a3fe5dU, 0x4040c080U, 0x8f8f8a05U,
+    0x9292ad3fU, 0x9d9dbc21U, 0x38384870U, 0xf5f504f1U,
+    0xbcbcdf63U, 0xb6b6c177U, 0xdada75afU, 0x21216342U,
+    0x10103020U, 0xffff1ae5U, 0xf3f30efdU, 0xd2d26dbfU,
+    0xcdcd4c81U, 0x0c0c1418U, 0x13133526U, 0xecec2fc3U,
+    0x5f5fe1beU, 0x9797a235U, 0x4444cc88U, 0x1717392eU,
+    0xc4c45793U, 0xa7a7f255U, 0x7e7e82fcU, 0x3d3d477aU,
+    0x6464acc8U, 0x5d5de7baU, 0x19192b32U, 0x737395e6U,
+    0x6060a0c0U, 0x81819819U, 0x4f4fd19eU, 0xdcdc7fa3U,
+    0x22226644U, 0x2a2a7e54U, 0x9090ab3bU, 0x8888830bU,
+    0x4646ca8cU, 0xeeee29c7U, 0xb8b8d36bU, 0x14143c28U,
+    0xdede79a7U, 0x5e5ee2bcU, 0x0b0b1d16U, 0xdbdb76adU,
+    0xe0e03bdbU, 0x32325664U, 0x3a3a4e74U, 0x0a0a1e14U,
+    0x4949db92U, 0x06060a0cU, 0x24246c48U, 0x5c5ce4b8U,
+    0xc2c25d9fU, 0xd3d36ebdU, 0xacacef43U, 0x6262a6c4U,
+    0x9191a839U, 0x9595a431U, 0xe4e437d3U, 0x79798bf2U,
+    0xe7e732d5U, 0xc8c8438bU, 0x3737596eU, 0x6d6db7daU,
+    0x8d8d8c01U, 0xd5d564b1U, 0x4e4ed29cU, 0xa9a9e049U,
+    0x6c6cb4d8U, 0x5656faacU, 0xf4f407f3U, 0xeaea25cfU,
+    0x6565afcaU, 0x7a7a8ef4U, 0xaeaee947U, 0x08081810U,
+    0xbabad56fU, 0x787888f0U, 0x25256f4aU, 0x2e2e725cU,
+    0x1c1c2438U, 0xa6a6f157U, 0xb4b4c773U, 0xc6c65197U,
+    0xe8e823cbU, 0xdddd7ca1U, 0x74749ce8U, 0x1f1f213eU,
+    0x4b4bdd96U, 0xbdbddc61U, 0x8b8b860dU, 0x8a8a850fU,
+    0x707090e0U, 0x3e3e427cU, 0xb5b5c471U, 0x6666aaccU,
+    0x4848d890U, 0x03030506U, 0xf6f601f7U, 0x0e0e121cU,
+    0x6161a3c2U, 0x35355f6aU, 0x5757f9aeU, 0xb9b9d069U,
+    0x86869117U, 0xc1c15899U, 0x1d1d273aU, 0x9e9eb927U,
+    0xe1e138d9U, 0xf8f813ebU, 0x9898b32bU, 0x11113322U,
+    0x6969bbd2U, 0xd9d970a9U, 0x8e8e8907U, 0x9494a733U,
+    0x9b9bb62dU, 0x1e1e223cU, 0x87879215U, 0xe9e920c9U,
+    0xcece4987U, 0x5555ffaaU, 0x28287850U, 0xdfdf7aa5U,
+    0x8c8c8f03U, 0xa1a1f859U, 0x89898009U, 0x0d0d171aU,
+    0xbfbfda65U, 0xe6e631d7U, 0x4242c684U, 0x6868b8d0U,
+    0x4141c382U, 0x9999b029U, 0x2d2d775aU, 0x0f0f111eU,
+    0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
+};
+static const uint32_t Te4[256] = {
+    0x63636363U, 0x7c7c7c7cU, 0x77777777U, 0x7b7b7b7bU,
+    0xf2f2f2f2U, 0x6b6b6b6bU, 0x6f6f6f6fU, 0xc5c5c5c5U,
+    0x30303030U, 0x01010101U, 0x67676767U, 0x2b2b2b2bU,
+    0xfefefefeU, 0xd7d7d7d7U, 0xababababU, 0x76767676U,
+    0xcacacacaU, 0x82828282U, 0xc9c9c9c9U, 0x7d7d7d7dU,
+    0xfafafafaU, 0x59595959U, 0x47474747U, 0xf0f0f0f0U,
+    0xadadadadU, 0xd4d4d4d4U, 0xa2a2a2a2U, 0xafafafafU,
+    0x9c9c9c9cU, 0xa4a4a4a4U, 0x72727272U, 0xc0c0c0c0U,
+    0xb7b7b7b7U, 0xfdfdfdfdU, 0x93939393U, 0x26262626U,
+    0x36363636U, 0x3f3f3f3fU, 0xf7f7f7f7U, 0xccccccccU,
+    0x34343434U, 0xa5a5a5a5U, 0xe5e5e5e5U, 0xf1f1f1f1U,
+    0x71717171U, 0xd8d8d8d8U, 0x31313131U, 0x15151515U,
+    0x04040404U, 0xc7c7c7c7U, 0x23232323U, 0xc3c3c3c3U,
+    0x18181818U, 0x96969696U, 0x05050505U, 0x9a9a9a9aU,
+    0x07070707U, 0x12121212U, 0x80808080U, 0xe2e2e2e2U,
+    0xebebebebU, 0x27272727U, 0xb2b2b2b2U, 0x75757575U,
+    0x09090909U, 0x83838383U, 0x2c2c2c2cU, 0x1a1a1a1aU,
+    0x1b1b1b1bU, 0x6e6e6e6eU, 0x5a5a5a5aU, 0xa0a0a0a0U,
+    0x52525252U, 0x3b3b3b3bU, 0xd6d6d6d6U, 0xb3b3b3b3U,
+    0x29292929U, 0xe3e3e3e3U, 0x2f2f2f2fU, 0x84848484U,
+    0x53535353U, 0xd1d1d1d1U, 0x00000000U, 0xededededU,
+    0x20202020U, 0xfcfcfcfcU, 0xb1b1b1b1U, 0x5b5b5b5bU,
+    0x6a6a6a6aU, 0xcbcbcbcbU, 0xbebebebeU, 0x39393939U,
+    0x4a4a4a4aU, 0x4c4c4c4cU, 0x58585858U, 0xcfcfcfcfU,
+    0xd0d0d0d0U, 0xefefefefU, 0xaaaaaaaaU, 0xfbfbfbfbU,
+    0x43434343U, 0x4d4d4d4dU, 0x33333333U, 0x85858585U,
+    0x45454545U, 0xf9f9f9f9U, 0x02020202U, 0x7f7f7f7fU,
+    0x50505050U, 0x3c3c3c3cU, 0x9f9f9f9fU, 0xa8a8a8a8U,
+    0x51515151U, 0xa3a3a3a3U, 0x40404040U, 0x8f8f8f8fU,
+    0x92929292U, 0x9d9d9d9dU, 0x38383838U, 0xf5f5f5f5U,
+    0xbcbcbcbcU, 0xb6b6b6b6U, 0xdadadadaU, 0x21212121U,
+    0x10101010U, 0xffffffffU, 0xf3f3f3f3U, 0xd2d2d2d2U,
+    0xcdcdcdcdU, 0x0c0c0c0cU, 0x13131313U, 0xececececU,
+    0x5f5f5f5fU, 0x97979797U, 0x44444444U, 0x17171717U,
+    0xc4c4c4c4U, 0xa7a7a7a7U, 0x7e7e7e7eU, 0x3d3d3d3dU,
+    0x64646464U, 0x5d5d5d5dU, 0x19191919U, 0x73737373U,
+    0x60606060U, 0x81818181U, 0x4f4f4f4fU, 0xdcdcdcdcU,
+    0x22222222U, 0x2a2a2a2aU, 0x90909090U, 0x88888888U,
+    0x46464646U, 0xeeeeeeeeU, 0xb8b8b8b8U, 0x14141414U,
+    0xdedededeU, 0x5e5e5e5eU, 0x0b0b0b0bU, 0xdbdbdbdbU,
+    0xe0e0e0e0U, 0x32323232U, 0x3a3a3a3aU, 0x0a0a0a0aU,
+    0x49494949U, 0x06060606U, 0x24242424U, 0x5c5c5c5cU,
+    0xc2c2c2c2U, 0xd3d3d3d3U, 0xacacacacU, 0x62626262U,
+    0x91919191U, 0x95959595U, 0xe4e4e4e4U, 0x79797979U,
+    0xe7e7e7e7U, 0xc8c8c8c8U, 0x37373737U, 0x6d6d6d6dU,
+    0x8d8d8d8dU, 0xd5d5d5d5U, 0x4e4e4e4eU, 0xa9a9a9a9U,
+    0x6c6c6c6cU, 0x56565656U, 0xf4f4f4f4U, 0xeaeaeaeaU,
+    0x65656565U, 0x7a7a7a7aU, 0xaeaeaeaeU, 0x08080808U,
+    0xbabababaU, 0x78787878U, 0x25252525U, 0x2e2e2e2eU,
+    0x1c1c1c1cU, 0xa6a6a6a6U, 0xb4b4b4b4U, 0xc6c6c6c6U,
+    0xe8e8e8e8U, 0xddddddddU, 0x74747474U, 0x1f1f1f1fU,
+    0x4b4b4b4bU, 0xbdbdbdbdU, 0x8b8b8b8bU, 0x8a8a8a8aU,
+    0x70707070U, 0x3e3e3e3eU, 0xb5b5b5b5U, 0x66666666U,
+    0x48484848U, 0x03030303U, 0xf6f6f6f6U, 0x0e0e0e0eU,
+    0x61616161U, 0x35353535U, 0x57575757U, 0xb9b9b9b9U,
+    0x86868686U, 0xc1c1c1c1U, 0x1d1d1d1dU, 0x9e9e9e9eU,
+    0xe1e1e1e1U, 0xf8f8f8f8U, 0x98989898U, 0x11111111U,
+    0x69696969U, 0xd9d9d9d9U, 0x8e8e8e8eU, 0x94949494U,
+    0x9b9b9b9bU, 0x1e1e1e1eU, 0x87878787U, 0xe9e9e9e9U,
+    0xcecececeU, 0x55555555U, 0x28282828U, 0xdfdfdfdfU,
+    0x8c8c8c8cU, 0xa1a1a1a1U, 0x89898989U, 0x0d0d0d0dU,
+    0xbfbfbfbfU, 0xe6e6e6e6U, 0x42424242U, 0x68686868U,
+    0x41414141U, 0x99999999U, 0x2d2d2d2dU, 0x0f0f0f0fU,
+    0xb0b0b0b0U, 0x54545454U, 0xbbbbbbbbU, 0x16161616U,
+};
+
+static const uint32_t rcon[] = {
+    0x01000000, 0x02000000, 0x04000000, 0x08000000,
+    0x10000000, 0x20000000, 0x40000000, 0x80000000,
+    0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
+};
+
+#define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
+
+#define GETU32(pt) (((uint32_t)(pt)[0] << 24) ^ ((uint32_t)(pt)[1] << 16) ^ ((uint32_t)(pt)[2] <<  8) ^ ((uint32_t)(pt)[3]))
+#define PUTU32(ct, st) { (ct)[0] = (uint8_t)((st) >> 24); (ct)[1] = (uint8_t)((st) >> 16); (ct)[2] = (uint8_t)((st) >>  8); (ct)[3] = (uint8_t)(st); }
+
+/**
+ * Expand the cipher key into the encryption key schedule.
+ *
+ * @return  the number of rounds for the given cipher key size.
+ */
+int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[],
+                        int keyBits) {
+    int i = 0;
+    uint32_t temp;
+
+    rk[0] = GETU32(cipherKey     );
+    rk[1] = GETU32(cipherKey +  4);
+    rk[2] = GETU32(cipherKey +  8);
+    rk[3] = GETU32(cipherKey + 12);
+    rk[4] = GETU32(cipherKey + 16);
+    rk[5] = GETU32(cipherKey + 20);
+    rk[6] = GETU32(cipherKey + 24);
+    rk[7] = GETU32(cipherKey + 28);
+    for (;;) {
+        temp = rk[ 7];
+        rk[ 8] = rk[ 0] ^
+                 (Te4[(temp >> 16) & 0xff] & 0xff000000) ^
+                 (Te4[(temp >>  8) & 0xff] & 0x00ff0000) ^
+                 (Te4[(temp      ) & 0xff] & 0x0000ff00) ^
+                 (Te4[(temp >> 24)       ] & 0x000000ff) ^
+                 rcon[i];
+        rk[ 9] = rk[ 1] ^ rk[ 8];
+        rk[10] = rk[ 2] ^ rk[ 9];
+        rk[11] = rk[ 3] ^ rk[10];
+        if (++i == 7) {
+            return 14;
+        }
+        temp = rk[11];
+        rk[12] = rk[ 4] ^
+                 (Te4[(temp >> 24)       ] & 0xff000000) ^
+                 (Te4[(temp >> 16) & 0xff] & 0x00ff0000) ^
+                 (Te4[(temp >>  8) & 0xff] & 0x0000ff00) ^
+                 (Te4[(temp      ) & 0xff] & 0x000000ff);
+        rk[13] = rk[ 5] ^ rk[12];
+        rk[14] = rk[ 6] ^ rk[13];
+        rk[15] = rk[ 7] ^ rk[14];
+
+        rk += 8;
+    }
+    return 0;
+}
+
+void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr,
+                     const uint8_t pt[16], uint8_t ct[16]) {
+    uint32_t s0, s1, s2, s3, t0 = 0, t1 = 0, t2 = 0, t3 = 0;
+
+    /*
+    * map byte array block to cipher state
+    * and add initial round key:
+    */
+    s0 = GETU32(pt     ) ^ rk[0];
+    s1 = GETU32(pt +  4) ^ rk[1];
+    s2 = GETU32(pt +  8) ^ rk[2];
+    s3 = GETU32(pt + 12) ^ rk[3];
+    /* round 1: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[ 4];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[ 5];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[ 6];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[ 7];
+    /* round 2: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[ 8];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[ 9];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[10];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[11];
+    /* round 3: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[12];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[13];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[14];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[15];
+    /* round 4: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[16];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[17];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[18];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[19];
+    /* round 5: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[20];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[21];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[22];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[23];
+    /* round 6: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[24];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[25];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[26];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[27];
+    /* round 7: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[28];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[29];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[30];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[31];
+    /* round 8: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[32];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[33];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[34];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[35];
+    /* round 9: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[36];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[37];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[38];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[39];
+
+    /* round 10: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[40];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[41];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[42];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[43];
+    /* round 11: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[44];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[45];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[46];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[47];
+
+    /* round 12: */
+    s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 &
+            0xff] ^ rk[48];
+    s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 &
+            0xff] ^ rk[49];
+    s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 &
+            0xff] ^ rk[50];
+    s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 &
+            0xff] ^ rk[51];
+    /* round 13: */
+    t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 &
+            0xff] ^ rk[52];
+    t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 &
+            0xff] ^ rk[53];
+    t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 &
+            0xff] ^ rk[54];
+    t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 &
+            0xff] ^ rk[55];
+
+
+    rk += Nr << 2;
+    /*
+    * apply last round and
+    * map cipher state to byte array block:
+    */
+    s0 =
+        (Te4[(t0 >> 24)       ] & 0xff000000) ^
+        (Te4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+        (Te4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+        (Te4[(t3      ) & 0xff] & 0x000000ff) ^
+        rk[0];
+    PUTU32(ct, s0);
+    s1 =
+        (Te4[(t1 >> 24)       ] & 0xff000000) ^
+        (Te4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+        (Te4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+        (Te4[(t0      ) & 0xff] & 0x000000ff) ^
+        rk[1];
+    PUTU32(ct +  4, s1);
+    s2 =
+        (Te4[(t2 >> 24)       ] & 0xff000000) ^
+        (Te4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+        (Te4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+        (Te4[(t1      ) & 0xff] & 0x000000ff) ^
+        rk[2];
+    PUTU32(ct +  8, s2);
+    s3 =
+        (Te4[(t3 >> 24)       ] & 0xff000000) ^
+        (Te4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+        (Te4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+        (Te4[(t2      ) & 0xff] & 0x000000ff) ^
+        rk[3];
+    PUTU32(ct + 12, s3);
+}
diff --git a/crypto_kem/ledakemlt12/clean/aes256.h b/crypto_kem/ledakemlt12/clean/aes256.h
new file mode 100644
index 00000000..0bdcce8f
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/aes256.h
@@ -0,0 +1,41 @@
+#pragma once
+/**
+ * AES-256 self contained implementation derived from :
+ *
+ * rijndael-alg-fst.h
+ *
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
+ * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
+ * @author Paulo Barreto <paulo.barreto@terra.com.br>
+ *
+ * originally placed in the public domain by the authors.
+ *
+ *
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+#define NROUNDS 14
+#define KEYLEN_b 256
+
+int rijndaelKeySetupEnc(uint32_t rk[/*4*(Nr + 1)*/], const uint8_t cipherKey[],
+                        int keyBits);
+void rijndaelEncrypt(const uint32_t rk[/*4*(Nr + 1)*/], int Nr,
+                     const uint8_t pt[16], uint8_t ct[16]);
diff --git a/crypto_kem/ledakemlt12/clean/api.h b/crypto_kem/ledakemlt12/clean/api.h
new file mode 100644
index 00000000..cf7cd668
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/api.h
@@ -0,0 +1,75 @@
+/**
+ *
+ * <api.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "qc_ldpc_parameters.h"
+#include "gf2x_limbs.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+
+#define CRYPTO_ALGNAME "LEDA"
+
+/* required bytes of input randomness */
+#define  CRYPTO_RANDOMBYTES TRNG_BYTE_LENGTH
+
+/* size in bytes of the secret key */
+#define  CRYPTO_SECRETKEYBYTES TRNG_BYTE_LENGTH+1
+
+/* size in bytes of the public key */
+#define  CRYPTO_PUBLICKEYBYTES ((N0-1)*NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B)
+
+/* size in bytes of the shared secret */
+#define  CRYPTO_BYTES HASH_BYTE_LENGTH
+
+/*size in bytes of the ciphertext*/
+#define  CRYPTO_CIPHERTEXTBYTES (NUM_DIGITS_GF2X_ELEMENT*DIGIT_SIZE_B)
+
+/* Your functions must return 0 to indicate success, -1 to indicate an error
+ * condition */
+
+/* Generates a keypair - pk is the public key and sk is the secret key. */
+int crypto_kem_keypair( unsigned char *pk,
+                        unsigned char *sk );
+
+/* Encrypt - pk is the public key, ct is a key encapsulation message
+  (ciphertext), ss is the shared secret.*/
+int crypto_kem_enc( unsigned char *ct,
+                    unsigned char *ss,
+                    const unsigned char *pk );
+
+
+/* Decrypt - ct is a key encapsulation message (ciphertext), sk is the private
+   key, ss is the shared secret */
+
+int crypto_kem_dec( unsigned char *ss,
+                    const unsigned char *ct,
+                    const unsigned char *sk );
diff --git a/crypto_kem/ledakemlt12/clean/bf_decoding.c b/crypto_kem/ledakemlt12/clean/bf_decoding.c
new file mode 100644
index 00000000..e0801a2d
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/bf_decoding.c
@@ -0,0 +1,114 @@
+/**
+ *
+ * <bf_decoding.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+#include "bf_decoding.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+#include <string.h>
+#include <assert.h>
+
+#define ROTBYTE(a)   ( (a << 8) | (a >> (DIGIT_SIZE_b - 8)) )
+#define ROTUPC(a)   ( (a >> 8) | (a << (DIGIT_SIZE_b - 8)) )
+
+int thresholds[2] = {B0, (DV * M) / 2 + 1};
+
+int bf_decoding(DIGIT out[], // N0 polynomials
+                const POSITION_T HtrPosOnes[N0][DV],
+                const POSITION_T QtrPosOnes[N0][M],
+                DIGIT privateSyndrome[]  //  1 polynomial
+               ) {
+    #if P < 64
+#error The circulant block size should exceed 64
+    #endif
+
+    uint8_t unsatParityChecks[N0 * P];
+    POSITION_T currQBlkPos[M], currQBitPos[M];
+    DIGIT currSyndrome[NUM_DIGITS_GF2X_ELEMENT];
+    int check;
+    int iteration = 0;
+
+    do {
+        gf2x_copy(currSyndrome, privateSyndrome);
+        memset(unsatParityChecks, 0x00, N0 * P * sizeof(uint8_t));
+        for (int i = 0; i < N0; i++) {
+            for (int valueIdx = 0; valueIdx < P; valueIdx++) {
+                for (int HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) {
+                    POSITION_T tmp = (HtrPosOnes[i][HtrOneIdx] + valueIdx) >= P ? (HtrPosOnes[i][HtrOneIdx] + valueIdx) - P : (HtrPosOnes[i][HtrOneIdx] + valueIdx);
+                    if (gf2x_get_coeff(currSyndrome, tmp)) {
+                        unsatParityChecks[i * P + valueIdx]++;
+                    }
+                }
+            }
+        }
+
+        /* iteration based threshold determination*/
+        int corrt_syndrome_based = thresholds[iteration];
+
+        //Computation of correlation  with a full Q matrix
+        for (int i = 0; i < N0; i++) {
+            for (int j = 0; j < P; j++) {
+                int currQoneIdx = 0; // position in the column of QtrPosOnes[][...]
+                int endQblockIdx = 0;
+                int correlation = 0;
+
+                for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
+                    endQblockIdx += qBlockWeights[blockIdx][i];
+                    int currblockoffset = blockIdx * P;
+                    for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
+                        int tmp = QtrPosOnes[i][currQoneIdx] + j;
+                        tmp = tmp >= P ? tmp - P : tmp;
+                        currQBitPos[currQoneIdx] = tmp;
+                        currQBlkPos[currQoneIdx] = blockIdx;
+                        correlation += unsatParityChecks[tmp + currblockoffset];
+                    }
+                }
+                /* Correlation based flipping */
+                if (correlation >= corrt_syndrome_based) {
+                    gf2x_toggle_coeff(out + NUM_DIGITS_GF2X_ELEMENT * i, j);
+                    for (int v = 0; v < M; v++) {
+                        unsigned syndromePosToFlip;
+                        for (int HtrOneIdx = 0; HtrOneIdx < DV; HtrOneIdx++) {
+                            syndromePosToFlip = (HtrPosOnes[currQBlkPos[v]][HtrOneIdx] + currQBitPos[v] );
+                            syndromePosToFlip = syndromePosToFlip >= P ? syndromePosToFlip - P : syndromePosToFlip;
+                            gf2x_toggle_coeff(privateSyndrome, syndromePosToFlip);
+                        }
+                    } // end for v
+                } // end if
+            } // end for j
+        } // end for i
+
+        iteration = iteration + 1;
+        check = 0;
+        while (check < NUM_DIGITS_GF2X_ELEMENT && privateSyndrome[check++] == 0);
+
+    } while (iteration < ITERATIONS_MAX && check < NUM_DIGITS_GF2X_ELEMENT);
+
+    return (check == NUM_DIGITS_GF2X_ELEMENT);
+}  // end QdecodeSyndromeThresh_bitFlip_sparse
diff --git a/crypto_kem/ledakemlt12/clean/bf_decoding.h b/crypto_kem/ledakemlt12/clean/bf_decoding.h
new file mode 100644
index 00000000..b14173c2
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/bf_decoding.h
@@ -0,0 +1,78 @@
+/**
+ *
+ * <bf_decoding.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+
+#pragma once
+#include "qc_ldpc_parameters.h"
+#include "gf2x_limbs.h"
+#define  ITERATIONS_MAX   (2)
+
+
+int bf_decoding(DIGIT err[],
+                const POSITION_T HtrPosOnes[N0][DV],
+                const POSITION_T QtrPosOnes[N0][M], // N0 vectors containing exp.s of Qtr ones
+                DIGIT privateSyndrome[]       //  1 polynomial  -- param. in/out
+               );
+
+/*  Definitions for DFR level 2^-64 */
+#if (CATEGORY == 1) && (N0 == 2) && (DFR_SL_LEVEL == 0)
+#define B0 44
+#define T_BAR 4
+#endif
+
+#if ((CATEGORY == 2) || (CATEGORY == 3)) && (N0 == 2) && (DFR_SL_LEVEL == 0)
+#define B0 64
+#define T_BAR 5
+#endif
+
+#if ((CATEGORY == 4) || (CATEGORY == 5)) && (N0 == 2) && (DFR_SL_LEVEL == 0)
+#define B0 89
+#define T_BAR 6
+#endif
+
+/*  Definitions for DFR level 2^-SL */
+#if (CATEGORY == 1) && (N0 == 2) && (DFR_SL_LEVEL == 1)
+#define B0 43
+#define T_BAR 4
+#endif
+
+#if ((CATEGORY == 2) || (CATEGORY == 3)) && (N0 == 2) && (DFR_SL_LEVEL == 1)
+#define B0 64
+#define T_BAR 5
+#endif
+
+#if ((CATEGORY == 4) || (CATEGORY == 5)) && (N0 == 2) && (DFR_SL_LEVEL == 1)
+#define B0 88
+#define T_BAR 6
+#endif
+
+
diff --git a/crypto_kem/ledakemlt12/clean/dfr_test.c b/crypto_kem/ledakemlt12/clean/dfr_test.c
new file mode 100644
index 00000000..d8d93d33
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/dfr_test.c
@@ -0,0 +1,114 @@
+#include "qc_ldpc_parameters.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+#include "bf_decoding.h"
+
+#include <string.h>
+
+/*---------------------------------------------------------------------------*/
+/* Tests if the current code attains the desired DFR. If that is the case,
+ * computes the threshold for the second iteration of the decoder and stores
+ * it in the globally accessible vector*/
+
+extern int thresholds[2];
+
+int DFR_test(POSITION_T LSparse[N0][DV * M]) {
+
+    POSITION_T LSparse_loc[N0][DV * M];
+
+    /*transpose blocks of L, we need its columns */
+    for (int i = 0; i < N0; i++) {
+        for (int j = 0; j < DV * M; j++) {
+            if (LSparse[i][j] != 0) {
+                LSparse_loc[i][j] = (P - LSparse[i][j]) ;
+            }
+        }
+        quicksort(LSparse_loc[i], DV * M);
+    }
+    /* Gamma matrix: an N0 x N0 block circulant matrix with block size p
+     * gamma[a][b][c] stores the intersection of the first column of the a-th
+     * block of L  with the c-th column of the b-th block of L */
+    /* Gamma computation can be accelerated employing symmetry and QC properties */
+    int gamma[N0][N0][P] = {{{0}}};
+    unsigned int rotated_column[DV * M];
+    for (int i = 0; i < N0; i++ ) {
+        for (int j = 0; j < N0; j++ ) {
+            for (int k = 0; k < P; k++) {
+                /* compute the rotated sparse column needed */
+                for (int idxToRotate = 0; idxToRotate < (DV * M); idxToRotate++) {
+                    rotated_column[idxToRotate] = (LSparse_loc[j][idxToRotate] + k) % P;
+                }
+                quicksort(rotated_column, DV * M);
+                /* compute the intersection amount */
+                int firstidx = 0, secondidx = 0;
+                int intersectionval = 0;
+                while ( (firstidx < DV * M) && (secondidx < DV * M) ) {
+                    if ( LSparse_loc[i][firstidx] == rotated_column[secondidx] ) {
+                        intersectionval++;
+                        firstidx++;
+                        secondidx++;
+                    }
+                    if ( LSparse_loc[i][firstidx] > rotated_column[secondidx] ) {
+                        secondidx++;
+                    }
+                    if ( LSparse_loc[i][firstidx] < rotated_column[secondidx] ) {
+                        firstidx++;
+                    }
+                }
+                gamma[i][j][k] = intersectionval;
+
+            }
+        }
+    }
+    for (int i = 0; i < N0; i++ ) {
+        for (int j = 0; j < N0; j++ ) {
+            gamma[i][j][0] = 0;
+        }
+    }
+    /* build histogram of values in gamma */
+    unsigned int gammaHist[N0][DV * M + 1] = {{0}};
+    for (int i = 0; i < N0; i++ ) {
+        for (int j = 0; j < N0; j++ ) {
+            for (int k = 0; k < P; k++) {
+                gammaHist[i][gamma[i][j][k]]++;
+            }
+        }
+    }
+
+    int maxMut[N0], maxMutMinusOne[N0];
+    int allBlockMaxSumst, allBlockMaxSumstMinusOne;
+
+    for (int gammaBlockRowIdx = 0; gammaBlockRowIdx < N0; gammaBlockRowIdx++) {
+        int toAdd = T_BAR - 1;
+        maxMutMinusOne[gammaBlockRowIdx] = 0;
+        int histIdx = DV * M;
+        while ( (histIdx > 0) && (toAdd > 0)) {
+            if (gammaHist[gammaBlockRowIdx][histIdx] > toAdd ) {
+                maxMutMinusOne[gammaBlockRowIdx] += histIdx * toAdd;
+                toAdd = 0;
+            } else {
+                maxMutMinusOne[gammaBlockRowIdx] += histIdx * gammaHist[gammaBlockRowIdx][histIdx];
+                toAdd -= gammaHist[gammaBlockRowIdx][histIdx];
+                histIdx--;
+            }
+        }
+        maxMut[gammaBlockRowIdx] = histIdx + maxMutMinusOne[gammaBlockRowIdx];
+    }
+
+
+    /*seek max values across all gamma blocks */
+    allBlockMaxSumst = maxMut[0];
+    allBlockMaxSumstMinusOne = maxMutMinusOne[0];
+    for (int gammaBlockRowIdx = 0; gammaBlockRowIdx < N0 ; gammaBlockRowIdx++) {
+        allBlockMaxSumst = allBlockMaxSumst < maxMut[gammaBlockRowIdx] ?
+                           maxMut[gammaBlockRowIdx] :
+                           allBlockMaxSumst;
+        allBlockMaxSumstMinusOne = allBlockMaxSumstMinusOne < maxMutMinusOne[gammaBlockRowIdx] ?
+                                   maxMutMinusOne[gammaBlockRowIdx] :
+                                   allBlockMaxSumstMinusOne;
+    }
+    if (DV * M > (allBlockMaxSumstMinusOne + allBlockMaxSumst)) {
+        thresholds[1] = allBlockMaxSumst + 1;
+        return 1;
+    }
+    return 0;
+}
diff --git a/crypto_kem/ledakemlt12/clean/dfr_test.h b/crypto_kem/ledakemlt12/clean/dfr_test.h
new file mode 100644
index 00000000..6e20b5ce
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/dfr_test.h
@@ -0,0 +1,3 @@
+#pragma once
+
+int DFR_test(POSITION_T LSparse[N0][DV * M]);
diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith.c b/crypto_kem/ledakemlt12/clean/gf2x_arith.c
new file mode 100644
index 00000000..d502741c
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/gf2x_arith.c
@@ -0,0 +1,462 @@
+/**
+ *
+ * <gf2x_arith.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+
+#include "gf2x_arith.h"
+#include <string.h>  // memset(...)
+#include <assert.h>
+
+/*----------------------------------------------------------------------------*/
+
+/* allows the second operand to be shorter than the first */
+/* the result should be as large as the first operand*/
+static inline void gf2x_add_asymm(const int nr, DIGIT Res[],
+                                  const int na, const DIGIT A[],
+                                  const int nb, const DIGIT B[]) {
+    int delta = na - nb;
+    for (unsigned i = 0; i < delta; i++) {
+        Res[i] = A[i];
+    }
+    for (unsigned i = 0; i < nb; i++) {
+        Res[i + delta] = A[i + delta] ^ B[i];
+    }
+} // end gf2x_add
+
+/*----------------------------------------------------------------------------*/
+
+/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
+
+void right_bit_shift_n(const int length, DIGIT in[], const int amount) {
+    assert(amount < DIGIT_SIZE_b);
+    if ( amount == 0 ) {
+        return;
+    }
+    int j;
+    DIGIT mask;
+    mask = ((DIGIT)0x01 << amount) - 1;
+    for (j = length - 1; j > 0 ; j--) {
+        in[j] >>= amount;
+        in[j] |=  (in[j - 1] & mask) << (DIGIT_SIZE_b - amount);
+    }
+    in[j] >>= amount;
+} // end right_bit_shift_n
+
+/*----------------------------------------------------------------------------*/
+
+/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
+void left_bit_shift_n(const int length, DIGIT in[], const int amount) {
+    assert(amount < DIGIT_SIZE_b);
+    if ( amount == 0 ) {
+        return;
+    }
+    int j;
+    DIGIT mask;
+    mask = ~(((DIGIT)0x01 << (DIGIT_SIZE_b - amount)) - 1);
+    for (j = 0 ; j < length - 1 ; j++) {
+        in[j] <<= amount;
+        in[j] |=  (in[j + 1] & mask) >> (DIGIT_SIZE_b - amount);
+    }
+    in[j] <<= amount;
+} // end right_bit_shift_n
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_mul_comb(const int nr, DIGIT Res[],
+                   const int na, const DIGIT A[],
+                   const int nb, const DIGIT B[]) {
+    int i, j, k;
+    DIGIT u, h;
+
+    memset(Res, 0x00, nr * sizeof(DIGIT));
+
+    for (k = DIGIT_SIZE_b - 1; k > 0; k--) {
+        for (i = na - 1; i >= 0; i--)
+            if ( A[i] & (((DIGIT)0x1) << k) )
+                for (j = nb - 1; j >= 0; j--) {
+                    Res[i + j + 1] ^= B[j];
+                }
+
+
+        u = Res[na + nb - 1];
+        Res[na + nb - 1] = u << 0x1;
+        for (j = 1; j < na + nb; ++j) {
+            h = u >> (DIGIT_SIZE_b - 1);
+            u = Res[na + nb - 1 - j];
+            Res[na + nb - 1 - j] = h ^ (u << 0x1);
+        }
+    }
+    for (i = na - 1; i >= 0; i--)
+        if ( A[i] & ((DIGIT)0x1) )
+            for (j = nb - 1; j >= 0; j--) {
+                Res[i + j + 1] ^= B[j];
+            }
+}
+
+/*----------------------------------------------------------------------------*/
+
+static inline void gf2x_exact_div_x_plus_one(const int na, DIGIT A[]) {
+    DIGIT t = 0;
+    for (int i = na - 1; i >= 0; i--) {
+
+        t ^= A[i];
+
+        for (int j = 1; j <= DIGIT_SIZE_b / 2; j = j * 2) {
+            t ^= t << (unsigned) j;
+        }
+        A[i] = t;
+        t >>= DIGIT_SIZE_b - 1;
+    }
+} // end gf2x_exact_div_x_plus_one
+
+/*---------------------------------------------------------------------------*/
+#define MIN_KAR_DIGITS 20
+
+void gf2x_mul_Kar(const int nr, DIGIT Res[],
+                  const int na, const DIGIT A[],
+                  const int nb, const DIGIT B[]) {
+
+    if (na < MIN_KAR_DIGITS || nb < MIN_KAR_DIGITS) {
+        /* fall back to schoolbook */
+        gf2x_mul_comb(nr, Res, na, A, nb, B);
+        return;
+    }
+
+    if (na % 2 == 0) {
+        unsigned bih = na / 2;
+        DIGIT middle[2 * bih], sumA[bih], sumB[bih];
+        gf2x_add(bih, sumA,
+                 bih, A,
+                 bih, A + bih);
+        gf2x_add(bih, sumB,
+                 bih, B,
+                 bih, B + bih);
+        gf2x_mul_Kar(2 * bih, middle,
+                     bih, sumA,
+                     bih, sumB);
+        gf2x_mul_Kar(2 * bih, Res + 2 * bih,
+                     bih, A + bih,
+                     bih, B + bih);
+        gf2x_add(2 * bih, middle,
+                 2 * bih, middle,
+                 2 * bih, Res + 2 * bih);
+        gf2x_mul_Kar(2 * bih, Res,
+                     bih, A,
+                     bih, B);
+        gf2x_add(2 * bih, middle,
+                 2 * bih, middle,
+                 2 * bih, Res);
+        gf2x_add(2 * bih, Res + bih,
+                 2 * bih, Res + bih,
+                 2 * bih, middle);
+    } else {
+        unsigned bih = na / 2 + 1;
+        DIGIT middle[2 * bih], sumA[bih], sumB[bih];
+        gf2x_add_asymm(bih,  sumA,
+                       bih,  A + bih - 1,
+                       bih - 1, A);
+        gf2x_add_asymm(bih,  sumB,
+                       bih,  B + bih - 1,
+                       bih - 1, B);
+        gf2x_mul_Kar(2 * bih, middle,
+                     bih, sumA,
+                     bih, sumB);
+        gf2x_mul_Kar(2 * bih, Res + 2 * (bih - 1),
+                     bih, A + bih - 1,
+                     bih, B + bih - 1);
+        gf2x_add(2 * bih, middle,
+                 2 * bih, middle,
+                 2 * bih, Res + 2 * (bih - 1));
+        gf2x_mul_Kar(2 * (bih - 1), Res,
+                     (bih - 1), A,
+                     (bih - 1), B);
+        gf2x_add_asymm(2 * bih, middle,
+                       2 * bih, middle,
+                       2 * (bih - 1), Res);
+        gf2x_add(2 * bih, Res + bih - 2,
+                 2 * bih, Res + bih - 2,
+                 2 * bih, middle);
+    }
+}
+
+
+/*---------------------------------------------------------------------------*/
+#define MIN_TOOM_DIGITS 35
+
+void gf2x_mul_TC3(const int nr, DIGIT Res[],
+                  const int na, const DIGIT A[],
+                  const int nb, const DIGIT B[]) {
+
+    if (na < MIN_TOOM_DIGITS || nb < MIN_TOOM_DIGITS) {
+        /* fall back to schoolbook */
+        gf2x_mul_Kar(nr, Res, na, A, nb, B);
+        return;
+    }
+
+    unsigned bih; //number of limbs for each part.
+    if (na % 3 == 0) {
+        bih = na / 3;
+    } else {
+        bih = na / 3 + 1;
+    }
+
+    DIGIT u2[bih], u1[bih], u0[bih];
+
+    int leading_slack = (3 - (na) % 3) % 3;
+//     printf("leading slack %d",leading_slack);
+    int i;
+    for (i = 0; i < leading_slack ; i++) {
+        u2[i] = 0;
+    }
+    for (; i < bih; ++i) {
+        u2[i] = A[i - leading_slack];
+    }
+    /* note: only u2 needs to be a copy, refactor */
+    for (; i < 2 * bih; ++i) {
+        u1[i - bih] = A[i - leading_slack];
+    }
+    for (; i < 3 * bih; ++i) {
+        u0[i - 2 * bih] = A[i - leading_slack];
+    }
+
+    DIGIT v2[bih], v1[bih], v0[bih]; /* partitioned inputs */
+    /* note: only v2 needs to be a copy, refactor */
+    for (i = 0; i < leading_slack ; i++) {
+        v2[i] = 0;
+    }
+    for (; i < bih; ++i) {
+        v2[i] = B[i - leading_slack];
+    }
+    /* note , only v2 needs to be a copy */
+    for (; i < 2 * bih; ++i) {
+        v1[i - bih] = B[i - leading_slack];
+    }
+    for (; i < 3 * bih; ++i) {
+        v0[i - 2 * bih] = B[i - leading_slack];
+    }
+
+    DIGIT sum_u[bih]; /*bih digit wide*/
+    gf2x_add(bih, sum_u,
+             bih, u0,
+             bih, u1);
+    gf2x_add(bih, sum_u,
+             bih, sum_u,
+             bih, u2);
+
+    DIGIT sum_v[bih]; /*bih digit wide*/
+    gf2x_add(bih, sum_v,
+             bih, v0,
+             bih, v1);
+    gf2x_add(bih, sum_v,
+             bih, sum_v,
+             bih, v2);
+
+
+    DIGIT w1[2 * bih];
+    gf2x_mul_TC3(2 * bih, w1,
+                 bih, sum_u,
+                 bih, sum_v);
+
+
+    DIGIT u2_x2[bih + 1];
+    u2_x2[0] = 0;
+    memcpy(u2_x2 + 1, u2, bih * DIGIT_SIZE_B);
+    left_bit_shift_n(bih + 1, u2_x2, 2);
+
+    DIGIT u1_x[bih + 1];
+    u1_x[0] = 0;
+    memcpy(u1_x + 1, u1, bih * DIGIT_SIZE_B);
+    left_bit_shift_n(bih + 1, u1_x, 1);
+
+    DIGIT u1_x1_u2_x2[bih + 1];
+    gf2x_add(bih + 1, u1_x1_u2_x2,
+             bih + 1, u1_x,
+             bih + 1, u2_x2);
+
+    DIGIT temp_u_components[bih + 1];
+    gf2x_add_asymm(bih + 1, temp_u_components,
+                   bih + 1, u1_x1_u2_x2,
+                   bih, sum_u);
+
+    DIGIT v2_x2[bih + 1];
+    v2_x2[0] = 0;
+    memcpy(v2_x2 + 1, v2, bih * DIGIT_SIZE_B);
+    left_bit_shift_n(bih + 1, v2_x2, 2);
+
+    DIGIT v1_x[bih + 1];
+    v1_x[0] = 0;
+    memcpy(v1_x + 1, v1, bih * DIGIT_SIZE_B);
+    left_bit_shift_n(bih + 1, v1_x, 1);
+
+    DIGIT v1_x1_v2_x2[bih + 1];
+    gf2x_add(bih + 1, v1_x1_v2_x2,
+             bih + 1, v1_x,
+             bih + 1, v2_x2);
+
+    DIGIT temp_v_components[bih + 1];
+    gf2x_add_asymm(bih + 1, temp_v_components,
+                   bih + 1, v1_x1_v2_x2,
+                   bih, sum_v);
+
+    DIGIT w3[2 * bih + 2];
+    gf2x_mul_TC3(2 * bih + 2, w3,
+                 bih + 1, temp_u_components,
+                 bih + 1, temp_v_components);
+
+    gf2x_add_asymm(bih + 1, u1_x1_u2_x2,
+                   bih + 1, u1_x1_u2_x2,
+                   bih, u0);
+    gf2x_add_asymm(bih + 1, v1_x1_v2_x2,
+                   bih + 1, v1_x1_v2_x2,
+                   bih, v0);
+
+    DIGIT w2[2 * bih + 2];
+    gf2x_mul_TC3(2 * bih + 2, w2,
+                 bih + 1, u1_x1_u2_x2,
+                 bih + 1, v1_x1_v2_x2);
+
+    DIGIT w4[2 * bih];
+    gf2x_mul_TC3(2 * bih, w4,
+                 bih, u2,
+                 bih, v2);
+    DIGIT w0[2 * bih];
+    gf2x_mul_TC3(2 * bih, w0,
+                 bih, u0,
+                 bih, v0);
+
+    // Interpolation starts
+    gf2x_add(2 * bih + 2, w3,
+             2 * bih + 2, w2,
+             2 * bih + 2, w3);
+    gf2x_add_asymm(2 * bih + 2, w2,
+                   2 * bih + 2, w2,
+                   2 * bih, w0);
+    right_bit_shift_n(2 * bih + 2, w2, 1);
+    gf2x_add(2 * bih + 2, w2,
+             2 * bih + 2, w2,
+             2 * bih + 2, w3);
+
+    // w2 + (w4 * x^3+1) = w2 + w4 + w4 << 3
+    DIGIT w4_x3_plus_1[2 * bih + 1];
+    w4_x3_plus_1[0] = 0;
+    memcpy(w4_x3_plus_1 + 1, w4, 2 * bih * DIGIT_SIZE_B);
+    left_bit_shift_n(2 * bih + 1, w4_x3_plus_1, 3);
+    gf2x_add_asymm(2 * bih + 2, w2,
+                   2 * bih + 2, w2,
+                   2 * bih, w4);
+    gf2x_add_asymm(2 * bih + 2, w2,
+                   2 * bih + 2, w2,
+                   2 * bih + 1, w4_x3_plus_1);
+
+    gf2x_exact_div_x_plus_one(2 * bih + 2, w2);
+
+    gf2x_add(2 * bih, w1,
+             2 * bih, w1,
+             2 * bih, w0);
+    gf2x_add_asymm(2 * bih + 2, w3,
+                   2 * bih + 2, w3,
+                   2 * bih, w1);
+
+    right_bit_shift_n(2 * bih + 2, w3, 1);
+    gf2x_exact_div_x_plus_one(2 * bih + 2, w3);
+
+    gf2x_add(2 * bih, w1,
+             2 * bih, w1,
+             2 * bih, w4);
+
+    DIGIT w1_final[2 * bih + 2];
+    gf2x_add_asymm(2 * bih + 2, w1_final,
+                   2 * bih + 2, w2,
+                   2 * bih, w1);
+    gf2x_add(2 * bih + 2, w2,
+             2 * bih + 2, w2,
+             2 * bih + 2, w3);
+
+    // Result recombination starts here
+
+    memset(Res, 0, nr * DIGIT_SIZE_B);
+    /* optimization: topmost slack digits should be computed, and not addedd,
+     * zeroization can be avoided altogether with a proper merge of the
+     * results */
+
+    int leastSignifDigitIdx = nr - 1;
+    for (int i = 0; i < 2 * bih; i++) {
+        Res[leastSignifDigitIdx - i] ^= w0[2 * bih   - 1 - i];
+    }
+    leastSignifDigitIdx -= bih;
+    for (int i = 0; i < 2 * bih + 2; i++) {
+        Res[leastSignifDigitIdx - i] ^= w1_final[2 * bih + 2   - 1 - i];
+    }
+    leastSignifDigitIdx -= bih;
+    for (int i = 0; i < 2 * bih + 2; i++) {
+        Res[leastSignifDigitIdx - i] ^= w2[2 * bih + 2 - 1 - i];
+    }
+    leastSignifDigitIdx -= bih;
+    for (int i = 0; i < 2 * bih + 2 ; i++) {
+        Res[leastSignifDigitIdx - i] ^= w3[2 * bih + 2 - 1 - i];
+    }
+    leastSignifDigitIdx -= bih;
+    for (int i = 0; i < 2 * bih && (leastSignifDigitIdx - i >= 0) ; i++) {
+        Res[leastSignifDigitIdx - i] ^= w4[2 * bih   - 1 - i];
+    }
+}
+
+
+/*----------------------------------------------------------------------------*/
+
+int gf2x_cmp(const unsigned lenA, const DIGIT A[],
+             const unsigned lenB, const DIGIT B[]) {
+
+    int i;
+    unsigned lA = lenA, lB = lenB;
+    for (i = 0; i < lenA && A[i] == 0; i++) {
+        lA--;
+    }
+    for (i = 0; i < lenB && B[i] == 0; i++) {
+        lB--;
+    }
+    if (lA < lB) {
+        return -1;
+    }
+    if (lA > lB) {
+        return +1;
+    }
+    for (i = 0; i < lA; i++) {
+        if (A[i] > B[i]) {
+            return +1;
+        }
+        if (A[i] < B[i]) {
+            return -1;
+        }
+    }
+    return 0;
+
+} // end gf2x_cmp
diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith.h b/crypto_kem/ledakemlt12/clean/gf2x_arith.h
new file mode 100644
index 00000000..fb966ad6
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/gf2x_arith.h
@@ -0,0 +1,112 @@
+/**
+ *
+ * <gf2x_arith.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "gf2x_limbs.h"
+
+/*----------------------------------------------------------------------------*/
+/*
+ * Elements of GF(2)[x] are stored in compact dense binary form.
+ *
+ * Each bit in a byte is assumed to be the coefficient of a binary
+ * polynomial f(x), in Big-Endian format (i.e., reading everything from
+ * left to right, the most significant element is met first):
+ *
+ * byte:(0000 0000) == 0x00 ... f(x) == 0
+ * byte:(0000 0001) == 0x01 ... f(x) == 1
+ * byte:(0000 0010) == 0x02 ... f(x) == x
+ * byte:(0000 0011) == 0x03 ... f(x) == x+1
+ * ...                      ... ...
+ * byte:(0000 1111) == 0x0F ... f(x) == x^{3}+x^{2}+x+1
+ * ...                      ... ...
+ * byte:(1111 1111) == 0xFF ... f(x) == x^{7}+x^{6}+x^{5}+x^{4}+x^{3}+x^{2}+x+1
+ *
+ *
+ * A "machine word" (A_i) is considered as a DIGIT.
+ * Bytes in a DIGIT are assumed in Big-Endian format:
+ * E.g., if sizeof(DIGIT) == 4:
+ * A_i: A_{i,3} A_{i,2} A_{i,1} A_{i,0}.
+ * A_{i,3} denotes the most significant byte, A_{i,0} the least significant one.
+ * f(x) ==   x^{31} + ... + x^{24} +
+ *         + x^{23} + ... + x^{16} +
+ *         + x^{15} + ... + x^{8}  +
+ *         + x^{7}  + ... + x^{0}
+ *
+ *
+ * Multi-precision elements (i.e., with multiple DIGITs) are stored in
+ * Big-endian format:
+ *           A = A_{n-1} A_{n-2} ... A_1 A_0
+ *
+ *           position[A_{n-1}] == 0
+ *           position[A_{n-2}] == 1
+ *           ...
+ *           position[A_{1}]  ==  n-2
+ *           position[A_{0}]  ==  n-1
+ */
+/*----------------------------------------------------------------------------*/
+
+#define TC3
+#if defined(TC3)
+#define GF2X_MUL gf2x_mul_TC3
+#else
+#define GF2X_MUL gf2x_mul_comb
+#endif
+
+
+
+/*----------------------------------------------------------------------------*/
+
+static inline void gf2x_add(const int nr, DIGIT Res[],
+                            const int na, const DIGIT A[],
+                            const int nb, const DIGIT B[]) {
+    for (unsigned i = 0; i < nr; i++) {
+        Res[i] = A[i] ^ B[i];
+    }
+} // end gf2x_add
+
+/*----------------------------------------------------------------------------*/
+
+void GF2X_MUL(const int nr, DIGIT Res[],
+              const int na, const DIGIT A[],
+              const int nb, const DIGIT B[]
+             );
+
+int gf2x_cmp(const unsigned lenA, const DIGIT A[],
+             const unsigned lenB, const DIGIT B[]);
+
+/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
+void right_bit_shift_n(const int length, DIGIT in[], const int amount);
+
+/* PRE: MAX ALLOWED ROTATION AMOUNT : DIGIT_SIZE_b */
+void left_bit_shift_n(const int length, DIGIT in[], const int amount);
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c
new file mode 100644
index 00000000..a099ecfb
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.c
@@ -0,0 +1,656 @@
+/**
+ *
+ * <gf2x_arith_mod_xPplusOne.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+
+#include "gf2x_arith_mod_xPplusOne.h"
+#include "rng.h"
+#include <string.h>  // memcpy(...), memset(...)
+#include <assert.h>
+#include <stdalign.h>
+/*----------------------------------------------------------------------------*/
+
+void gf2x_mod(DIGIT out[],
+              const int nin, const DIGIT in[]) {
+
+    long int i, j, posTrailingBit, maskOffset;
+    DIGIT mask, aux[nin];
+
+    memcpy(aux, in, nin * DIGIT_SIZE_B);
+    memset(out, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    if (nin < NUM_DIGITS_GF2X_MODULUS) {
+        for (i = 0; i < nin; i++) {
+            out[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = in[nin - 1 - i];
+        }
+        return;
+    }
+
+    for (i = 0; i < nin - NUM_DIGITS_GF2X_MODULUS; i += 1) {
+        for (j = DIGIT_SIZE_b - 1; j >= 0; j--) {
+            mask = ((DIGIT)0x1) << j;
+            if (aux[i] & mask) {
+                aux[i] ^= mask;
+                posTrailingBit = (DIGIT_SIZE_b - 1 - j) + i * DIGIT_SIZE_b + P;
+                maskOffset = (DIGIT_SIZE_b - 1 - (posTrailingBit % DIGIT_SIZE_b));
+                mask = (DIGIT) 0x1 << maskOffset;
+                aux[posTrailingBit / DIGIT_SIZE_b] ^= mask;
+            }
+        }
+    }
+
+    for (j = DIGIT_SIZE_b - 1; j >= MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS; j--) {
+        mask = ((DIGIT)0x1) << j;
+        if (aux[i] & mask) {
+            aux[i] ^= mask;
+            posTrailingBit = (DIGIT_SIZE_b - 1 - j) + i * DIGIT_SIZE_b + P;
+            maskOffset = (DIGIT_SIZE_b - 1 - (posTrailingBit % DIGIT_SIZE_b));
+            mask = (DIGIT) 0x1 << maskOffset;
+            aux[posTrailingBit / DIGIT_SIZE_b] ^= mask;
+        }
+    }
+
+    int to_copy = (nin > NUM_DIGITS_GF2X_ELEMENT) ? NUM_DIGITS_GF2X_ELEMENT : nin;
+
+    for (i = 0; i < to_copy; i++) {
+        out[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = aux[nin - 1 - i];
+    }
+
+} // end gf2x_mod
+
+/*----------------------------------------------------------------------------*/
+
+static
+void left_bit_shift(const int length, DIGIT in[]) {
+
+    int j;
+    for (j = 0; j < length - 1; j++) {
+        in[j] <<= 1;                    /* logical shift does not need clearing */
+        in[j] |= in[j + 1] >> (DIGIT_SIZE_b - 1);
+    }
+    in[j] <<= 1;
+} // end left_bit_shift
+
+/*----------------------------------------------------------------------------*/
+
+static
+void right_bit_shift(const int length, DIGIT in[]) {
+
+    int j;
+    for (j = length - 1; j > 0 ; j--) {
+        in[j] >>= 1;
+        in[j] |=  (in[j - 1] & (DIGIT)0x01) << (DIGIT_SIZE_b - 1);
+    }
+    in[j] >>= 1;
+} // end right_bit_shift
+
+/*----------------------------------------------------------------------------*/
+/* shifts by whole digits */
+static inline
+void left_DIGIT_shift_n(const int length, DIGIT in[], int amount) {
+    int j;
+    for (j = 0; (j + amount) < length; j++) {
+        in[j] = in[j + amount];
+    }
+    for (; j < length; j++) {
+        in[j] = (DIGIT)0;
+    }
+} // end left_bit_shift_n
+
+/*----------------------------------------------------------------------------*/
+/* may shift by an arbitrary amount*/
+
+void left_bit_shift_wide_n(const int length, DIGIT in[], int amount) {
+    left_DIGIT_shift_n(length, in, amount / DIGIT_SIZE_b);
+    left_bit_shift_n(length, in, amount % DIGIT_SIZE_b);
+} // end left_bit_shift_n
+
+/*----------------------------------------------------------------------------*/
+
+#if (defined(DIGIT_IS_UINT8) || defined(DIGIT_IS_UINT16))
+static
+uint8_t byte_reverse_with_less32bitDIGIT(uint8_t b) {
+    uint8_t r = b;
+    int s = (sizeof(b) << 3) - 1;
+    for (b >>= 1; b; b >>= 1) {
+        r <<= 1;
+        r |= b & 1;
+        s--;
+    }
+    r <<= s;
+    return r;
+} // end byte_reverse_less32bitDIGIT
+#endif
+
+#if defined(DIGIT_IS_UINT32)
+static
+uint8_t byte_reverse_with_32bitDIGIT(uint8_t b) {
+    b = ( (b * 0x0802LU & 0x22110LU) | (b * 0x8020LU & 0x88440LU)
+        ) * 0x10101LU >> 16;
+    return b;
+} // end byte_reverse_32bitDIGIT
+#endif
+
+#if defined(DIGIT_IS_UINT64)
+static
+uint8_t byte_reverse_with_64bitDIGIT(uint8_t b) {
+    b = (b * 0x0202020202ULL & 0x010884422010ULL) % 1023;
+    return b;
+} // end byte_reverse_64bitDIGIT
+#endif
+
+/*----------------------------------------------------------------------------*/
+
+static
+DIGIT reverse_digit(const DIGIT b) {
+    int i;
+    union toReverse_t {
+        uint8_t inByte[DIGIT_SIZE_B];
+        DIGIT digitValue;
+    } toReverse;
+
+    toReverse.digitValue = b;
+    #if defined(DIGIT_IS_UINT64)
+    for (i = 0; i < DIGIT_SIZE_B; i++) {
+        toReverse.inByte[i] = byte_reverse_with_64bitDIGIT(toReverse.inByte[i]);
+    }
+    return __builtin_bswap64(toReverse.digitValue);
+    #elif defined(DIGIT_IS_UINT32)
+    for (i = 0; i < DIGIT_SIZE_B; i++) {
+        toReverse.inByte[i] = byte_reverse_with_32bitDIGIT(toReverse.inByte[i]);
+    }
+    return __builtin_bswap32(toReverse.digitValue);
+    #elif defined(DIGIT_IS_UINT16)
+    for (i = 0; i < DIGIT_SIZE_B; i++) {
+        toReverse.inByte[i] = byte_reverse_with_less32bitDIGIT(toReverse.inByte[i]);
+    }
+    reversed = __builtin_bswap16(toReverse.digitValue);
+    #elif defined(DIGIT_IS_UINT8)
+    return byte_reverse_with_less32bitDIGIT(toReverse.inByte[0]);
+    #else
+#error "Missing implementation for reverse_digit(...) \
+with this CPU word bitsize !!! "
+    #endif
+    return toReverse.digitValue;
+} // end reverse_digit
+
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_transpose_in_place(DIGIT A[]) {
+    /* it keeps the lsb in the same position and
+     * inverts the sequence of the remaining bits
+     */
+
+    DIGIT mask = (DIGIT)0x1;
+    DIGIT rev1, rev2, a00;
+    int i, slack_bits_amount = NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - P;
+
+    if (NUM_DIGITS_GF2X_ELEMENT == 1) {
+        a00 = A[0] & mask;
+        right_bit_shift(1, A);
+        rev1 = reverse_digit(A[0]);
+        #if (NUM_DIGITS_GF2X_MOD_P_ELEMENT*DIGIT_SIZE_b - P)
+        rev1 >>= (DIGIT_SIZE_b - (P % DIGIT_SIZE_b));
+        #endif
+        A[0] = (rev1 & (~mask)) | a00;
+        return;
+    }
+
+    a00 = A[NUM_DIGITS_GF2X_ELEMENT - 1] & mask;
+    right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, A);
+
+    for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= (NUM_DIGITS_GF2X_ELEMENT + 1) / 2; i--) {
+        rev1 = reverse_digit(A[i]);
+        rev2 = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT - 1 - i]);
+        A[i] = rev2;
+        A[NUM_DIGITS_GF2X_ELEMENT - 1 - i] = rev1;
+    }
+    if (NUM_DIGITS_GF2X_ELEMENT % 2 == 1) {
+        A[NUM_DIGITS_GF2X_ELEMENT / 2] = reverse_digit(A[NUM_DIGITS_GF2X_ELEMENT / 2]);
+    }
+
+    if (slack_bits_amount) {
+        right_bit_shift_n(NUM_DIGITS_GF2X_ELEMENT, A, slack_bits_amount);
+    }
+    A[NUM_DIGITS_GF2X_ELEMENT - 1] = (A[NUM_DIGITS_GF2X_ELEMENT - 1] & (~mask)) | a00;
+} // end transpose_in_place
+
+/*----------------------------------------------------------------------------*/
+
+void rotate_bit_left(DIGIT in[]) { /*  equivalent to x * in(x) mod x^P+1 */
+
+    DIGIT mask, rotated_bit;
+
+    if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) {
+
+        int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1;
+        mask = ((DIGIT)0x1) << msb_offset_in_digit;
+        rotated_bit = !!(in[0] & mask);
+        in[0] &= ~mask;                     /* clear shifted bit */
+        left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);
+    } else {
+        /* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and
+                * MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0
+                */
+        mask =  ((DIGIT)0x1) << (DIGIT_SIZE_b - 1);
+        rotated_bit = !!(in[0] & mask);
+        in[0] &= ~mask;                     /* clear shifted bit */
+        left_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);
+
+    }
+    in[NUM_DIGITS_GF2X_ELEMENT - 1] |= rotated_bit;
+} // end rotate_bit_left
+
+
+
+/*----------------------------------------------------------------------------*/
+
+void rotate_bit_right(DIGIT in[]) { /*  x^{-1} * in(x) mod x^P+1 */
+
+    DIGIT rotated_bit = in[NUM_DIGITS_GF2X_ELEMENT - 1] & ((DIGIT)0x1);
+    right_bit_shift(NUM_DIGITS_GF2X_ELEMENT, in);
+
+    if (NUM_DIGITS_GF2X_MODULUS == NUM_DIGITS_GF2X_ELEMENT) {
+        int msb_offset_in_digit = MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS - 1;
+        rotated_bit = rotated_bit << msb_offset_in_digit;
+    } else {
+        /* NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT and
+                * MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0
+                */
+        rotated_bit = rotated_bit << (DIGIT_SIZE_b - 1);
+    }
+    in[0] |= rotated_bit;
+} // end rotate_bit_right
+
+/*----------------------------------------------------------------------------*/
+
+static
+void gf2x_swap(const int length,
+               DIGIT f[],
+               DIGIT s[]) {
+    DIGIT t;
+    for (int i = length - 1; i >= 0; i--) {
+        t = f[i];
+        f[i] = s[i];
+        s[i] = t;
+    }
+}  // end gf2x_swap
+
+/*----------------------------------------------------------------------------*/
+
+/*
+ * Optimized extended GCD algorithm to compute the multiplicative inverse of
+ * a non-zero element in GF(2)[x] mod x^P+1, in polyn. representation.
+ *
+ * H. Brunner, A. Curiger, and M. Hofstetter. 1993.
+ * On Computing Multiplicative Inverses in GF(2^m).
+ * IEEE Trans. Comput. 42, 8 (August 1993), 1010-1015.
+ * DOI=http://dx.doi.org/10.1109/12.238496
+ *
+ *
+ * Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange,
+ * Kim Nguyen, and Frederik Vercauteren. 2012.
+ * Handbook of Elliptic and Hyperelliptic Curve Cryptography,
+ * Second Edition (2nd ed.). Chapman & Hall/CRC.
+ * (Chapter 11 -- Algorithm 11.44 -- pag 223)
+ *
+ */
+
+int gf2x_mod_inverse(DIGIT out[], const DIGIT in[]) {   /* in^{-1} mod x^P-1 */
+
+    int i;
+    long int delta = 0;
+    alignas(32) DIGIT u[NUM_DIGITS_GF2X_ELEMENT] = {0},
+            v[NUM_DIGITS_GF2X_ELEMENT] = {0},
+                                         s[NUM_DIGITS_GF2X_MODULUS] = {0},
+                                                 f[NUM_DIGITS_GF2X_MODULUS] = {0};
+
+    DIGIT mask;
+    u[NUM_DIGITS_GF2X_ELEMENT - 1] = 0x1;
+    v[NUM_DIGITS_GF2X_ELEMENT - 1] = 0x0;
+
+    s[NUM_DIGITS_GF2X_MODULUS - 1] = 0x1;
+    if (MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS == 0) {
+        mask = 0x1;
+    } else {
+        mask = (((DIGIT)0x1) << MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS);
+    }
+    s[0] |= mask;
+
+    for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0 && in[i] == 0; i--);
+    if (i < 0) {
+        return 0;
+    }
+
+    if (NUM_DIGITS_GF2X_MODULUS == 1 + NUM_DIGITS_GF2X_ELEMENT)
+        for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 1 ; i--) {
+            f[i] = in[i - 1];
+        } else /* they are equal */
+        for (i = NUM_DIGITS_GF2X_MODULUS - 1; i >= 0 ; i--) {
+            f[i] = in[i];
+        }
+
+    for (i = 1; i <= 2 * P; i++) {
+        if ( (f[0] & mask) == 0 ) {
+            left_bit_shift(NUM_DIGITS_GF2X_MODULUS, f);
+            rotate_bit_left(u);
+            delta += 1;
+        } else {
+            if ( (s[0] & mask) != 0) {
+                gf2x_add(NUM_DIGITS_GF2X_MODULUS, s,
+                         NUM_DIGITS_GF2X_MODULUS, s,
+                         NUM_DIGITS_GF2X_MODULUS, f);
+                gf2x_mod_add(v, v, u);
+            }
+            left_bit_shift(NUM_DIGITS_GF2X_MODULUS, s);
+            if ( delta == 0 ) {
+                gf2x_swap(NUM_DIGITS_GF2X_MODULUS, f, s);
+                gf2x_swap(NUM_DIGITS_GF2X_ELEMENT, u, v);
+                rotate_bit_left(u);
+                delta = 1;
+            } else {
+                rotate_bit_right(u);
+                delta = delta - 1;
+            }
+        }
+    }
+
+    for (i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0 ; i--) {
+        out[i] = u[i];
+    }
+
+    return (delta == 0);
+} // end gf2x_mod_inverse
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]) {
+
+    DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT];
+    GF2X_MUL(2 * NUM_DIGITS_GF2X_ELEMENT, aux,
+             NUM_DIGITS_GF2X_ELEMENT, A,
+             NUM_DIGITS_GF2X_ELEMENT, B);
+    gf2x_mod(Res, 2 * NUM_DIGITS_GF2X_ELEMENT, aux);
+
+} // end gf2x_mod_mul
+
+/*----------------------------------------------------------------------------*/
+
+/*PRE: the representation of the sparse coefficients is sorted in increasing
+ order of the coefficients themselves */
+void gf2x_mod_mul_dense_to_sparse(DIGIT Res[],
+                                  const DIGIT dense[],
+                                  POSITION_T sparse[],
+                                  unsigned int nPos) {
+    DIGIT aux[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00};
+    DIGIT resDouble[2 * NUM_DIGITS_GF2X_ELEMENT] = {0x00};
+    memcpy(aux + NUM_DIGITS_GF2X_ELEMENT, dense, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    memcpy(resDouble + NUM_DIGITS_GF2X_ELEMENT, dense,
+           NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+
+    if (sparse[0] != INVALID_POS_VALUE) {
+        left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble, sparse[0]);
+        left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, sparse[0]);
+
+        for (unsigned int i = 1; i < nPos; i++) {
+            if (sparse[i] != INVALID_POS_VALUE) {
+                left_bit_shift_wide_n(2 * NUM_DIGITS_GF2X_ELEMENT, aux, (sparse[i] - sparse[i - 1]) );
+                gf2x_add(2 * NUM_DIGITS_GF2X_ELEMENT, resDouble,
+                         2 * NUM_DIGITS_GF2X_ELEMENT, aux,
+                         2 * NUM_DIGITS_GF2X_ELEMENT, resDouble);
+            }
+        }
+    }
+
+    gf2x_mod(Res, 2 * NUM_DIGITS_GF2X_ELEMENT, resDouble);
+
+} // end gf2x_mod_mul
+
+/*----------------------------------------------------------------------------*/
+
+
+void gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]) {
+
+    POSITION_T t;
+    int i = 0, j;
+
+    if (A[i] == 0) {
+        i = 1;
+    }
+    j = i;
+
+    for (; i < sizeA && A[i] != INVALID_POS_VALUE; i++) {
+        A[i] = P - A[i];
+    }
+
+    for (i -= 1; j < i; j++, i--) {
+        t = A[j];
+        A[j] = A[i];
+        A[i] = t;
+    }
+
+} // end gf2x_transpose_in_place_sparse
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_mod_mul_sparse(int
+                         sizeR, /*number of ones in the result, max sizeA*sizeB */
+                         POSITION_T Res[],
+                         int sizeA, /*number of ones in A*/
+                         const POSITION_T A[],
+                         int sizeB, /*number of ones in B*/
+                         const POSITION_T B[]) {
+    /* compute all the coefficients, filling invalid positions with P*/
+    unsigned lastFilledPos = 0;
+    for (int i = 0 ; i < sizeA ; i++) {
+        for (int j = 0 ; j < sizeB ; j++) {
+            uint32_t prod = ((uint32_t) A[i]) + ((uint32_t) B[j]);
+            prod = ( (prod >= P) ? prod - P : prod);
+            if ((A[i] != INVALID_POS_VALUE) &&
+                    (B[j] != INVALID_POS_VALUE)) {
+                Res[lastFilledPos] = prod;
+            } else {
+                Res[lastFilledPos] = INVALID_POS_VALUE;
+            }
+            lastFilledPos++;
+        }
+    }
+    while (lastFilledPos < sizeR) {
+        Res[lastFilledPos] = INVALID_POS_VALUE;
+        lastFilledPos++;
+    }
+    quicksort(Res, sizeR);
+    /* eliminate duplicates */
+    POSITION_T lastReadPos = Res[0];
+    int duplicateCount;
+    int write_idx = 0;
+    int read_idx = 0;
+    while (read_idx < sizeR  && Res[read_idx] != INVALID_POS_VALUE) {
+        lastReadPos = Res[read_idx];
+        read_idx++;
+        duplicateCount = 1;
+        while ( (Res[read_idx] == lastReadPos) && (Res[read_idx] != INVALID_POS_VALUE)) {
+            read_idx++;
+            duplicateCount++;
+        }
+        if (duplicateCount % 2) {
+            Res[write_idx] = lastReadPos;
+            write_idx++;
+        }
+    }
+    /* fill remaining cells with INVALID_POS_VALUE */
+    for (; write_idx < sizeR; write_idx++) {
+        Res[write_idx] = INVALID_POS_VALUE;
+    }
+} // end gf2x_mod_mul_sparse
+
+
+/*----------------------------------------------------------------------------*/
+/* the implementation is safe even in case A or B alias with the result */
+/* PRE: A and B should be sorted and have INVALID_POS_VALUE at the end */
+void gf2x_mod_add_sparse(int sizeR,
+                         POSITION_T Res[],
+                         int sizeA,
+                         POSITION_T A[],
+                         int sizeB,
+                         POSITION_T B[]) {
+
+    POSITION_T tmpRes[sizeR];
+    int idxA = 0, idxB = 0, idxR = 0;
+    while ( idxA < sizeA  &&
+            idxB < sizeB  &&
+            A[idxA] != INVALID_POS_VALUE &&
+            B[idxB] != INVALID_POS_VALUE ) {
+
+        if (A[idxA] == B[idxB]) {
+            idxA++;
+            idxB++;
+        } else {
+            if (A[idxA] < B[idxB]) {
+                tmpRes[idxR] = A[idxA];
+                idxA++;
+            } else {
+                tmpRes[idxR] = B[idxB];
+                idxB++;
+            }
+            idxR++;
+        }
+    }
+
+    while (idxA < sizeA && A[idxA] != INVALID_POS_VALUE) {
+        tmpRes[idxR] = A[idxA];
+        idxA++;
+        idxR++;
+    }
+
+    while (idxB < sizeB && B[idxB] != INVALID_POS_VALUE) {
+        tmpRes[idxR] = B[idxB];
+        idxB++;
+        idxR++;
+    }
+
+    while (idxR < sizeR) {
+        tmpRes[idxR] = INVALID_POS_VALUE;
+        idxR++;
+    }
+    memcpy(Res, tmpRes, sizeof(POSITION_T)*sizeR);
+
+} // end gf2x_mod_add_sparse
+
+/*----------------------------------------------------------------------------*/
+
+/* Return a uniform random value in the range 0..n-1 inclusive,
+ * applying a rejection sampling strategy and exploiting as a random source
+ * the NIST seedexpander seeded with the proper key.
+ * Assumes that the maximum value for the range n is 2^32-1
+ */
+static
+int rand_range(const int n, const int logn, AES_XOF_struct *seed_expander_ctx) {
+
+    unsigned long required_rnd_bytes = (logn + 7) / 8;
+    unsigned char rnd_char_buffer[4];
+    uint32_t rnd_value;
+    uint32_t mask = ( (uint32_t)1 << logn) - 1;
+
+    do {
+        seedexpander(seed_expander_ctx, rnd_char_buffer, required_rnd_bytes);
+        /* obtain an endianness independent representation of the generated random
+         bytes into an unsigned integer */
+        rnd_value =  ((uint32_t)rnd_char_buffer[3] << 24) +
+                     ((uint32_t)rnd_char_buffer[2] << 16) +
+                     ((uint32_t)rnd_char_buffer[1] <<  8) +
+                     ((uint32_t)rnd_char_buffer[0] <<  0) ;
+        rnd_value = mask & rnd_value;
+    } while (rnd_value >= n);
+
+    return rnd_value;
+} // end rand_range
+
+
+
+/*----------------------------------------------------------------------------*/
+/* Obtains fresh randomness and seed-expands it until all the required positions
+ * for the '1's in the circulant block are obtained */
+
+void rand_circulant_sparse_block(POSITION_T *pos_ones,
+                                 const int countOnes,
+                                 AES_XOF_struct *seed_expander_ctx) {
+
+    int duplicated, placedOnes = 0;
+
+    while (placedOnes < countOnes) {
+        int p = rand_range(NUM_BITS_GF2X_ELEMENT,
+                           BITS_TO_REPRESENT(P),
+                           seed_expander_ctx);
+        duplicated = 0;
+        for (int j = 0; j < placedOnes; j++) if (pos_ones[j] == p) {
+                duplicated = 1;
+            }
+        if (duplicated == 0) {
+            pos_ones[placedOnes] = p;
+            placedOnes++;
+        }
+    }
+} // rand_circulant_sparse_block
+
+/*----------------------------------------------------------------------------*/
+
+
+void rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT],
+                                    const int countOnes,
+                                    AES_XOF_struct *seed_expander_ctx) {
+
+    int rndPos[countOnes],  duplicated, counter = 0;
+    memset(sequence, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+
+
+    while (counter < countOnes) {
+        int p = rand_range(N0 * NUM_BITS_GF2X_ELEMENT, BITS_TO_REPRESENT(P),
+                           seed_expander_ctx);
+        duplicated = 0;
+        for (int j = 0; j < counter; j++) if (rndPos[j] == p) {
+                duplicated = 1;
+            }
+        if (duplicated == 0) {
+            rndPos[counter] = p;
+            counter++;
+        }
+    }
+    for (int j = 0; j < counter; j++) {
+        int polyIndex = rndPos[j] / P;
+        int exponent = rndPos[j] % P;
+        gf2x_set_coeff( sequence + NUM_DIGITS_GF2X_ELEMENT * polyIndex, exponent,
+                        ( (DIGIT) 1));
+    }
+
+} // end rand_circulant_blocks_sequence
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h
new file mode 100644
index 00000000..ce3e2e86
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/gf2x_arith_mod_xPplusOne.h
@@ -0,0 +1,300 @@
+/**
+ *
+ * <gf2x_arith_mod_xPplusOne.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "gf2x_limbs.h"
+#include "qc_ldpc_parameters.h"
+
+#include "gf2x_arith.h"
+#include "rng.h"
+
+/*----------------------------------------------------------------------------*/
+
+#define                NUM_BITS_GF2X_ELEMENT (P)
+#define              NUM_DIGITS_GF2X_ELEMENT ((P+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
+#define MSb_POSITION_IN_MSB_DIGIT_OF_ELEMENT ( (P % DIGIT_SIZE_b) ? (P % DIGIT_SIZE_b)-1 : DIGIT_SIZE_b-1 )
+
+#define                NUM_BITS_GF2X_MODULUS (P+1)
+#define              NUM_DIGITS_GF2X_MODULUS ((P+1+DIGIT_SIZE_b-1)/DIGIT_SIZE_b)
+#define MSb_POSITION_IN_MSB_DIGIT_OF_MODULUS (P-DIGIT_SIZE_b*(NUM_DIGITS_GF2X_MODULUS-1))
+
+#define                    INVALID_POS_VALUE (P)
+
+#define IS_REPRESENTABLE_IN_D_BITS(D, N)                \
+    (((unsigned long) N >= (1UL << (D - 1)) && (unsigned long) N < (1UL << D)) ? D : -1)
+
+#define BITS_TO_REPRESENT(N)                            \
+    (N == 0 ? 1 : (31                                     \
+                   + IS_REPRESENTABLE_IN_D_BITS( 1, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 2, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 3, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 4, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 5, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 6, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 7, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 8, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS( 9, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(10, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(11, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(12, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(13, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(14, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(15, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(16, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(17, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(18, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(19, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(20, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(21, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(22, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(23, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(24, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(25, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(26, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(27, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(28, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(29, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(30, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(31, N)    \
+                   + IS_REPRESENTABLE_IN_D_BITS(32, N)    \
+                   )                                      \
+     )
+
+/*----------------------------------------------------------------------------*/
+
+
+
+/*----------------------------------------------------------------------------*/
+
+static inline void gf2x_copy(DIGIT dest[], const DIGIT in[]) {
+    for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) {
+        dest[i] = in[i];
+    }
+} // end gf2x_copy
+
+/*---------------------------------------------------------------------------*/
+
+void gf2x_mod(DIGIT out[],
+              const int nin, const DIGIT in[]); /* out(x) = in(x) mod x^P+1  */
+
+/*---------------------------------------------------------------------------*/
+
+void gf2x_mod_mul(DIGIT Res[], const DIGIT A[], const DIGIT B[]);
+
+/*---------------------------------------------------------------------------*/
+
+static inline void gf2x_mod_add(DIGIT Res[], const DIGIT A[], const DIGIT B[]) {
+    gf2x_add(NUM_DIGITS_GF2X_ELEMENT, Res,
+             NUM_DIGITS_GF2X_ELEMENT, A,
+             NUM_DIGITS_GF2X_ELEMENT, B);
+} // end gf2x_mod_add
+
+/*----------------------------------------------------------------------------*/
+
+/*
+ * Optimized extended GCD algorithm to compute the multiplicative inverse of
+ * a non-zero element in GF(2)[x] mod x^P+1, in polyn. representation.
+ *
+ * H. Brunner, A. Curiger, and M. Hofstetter. 1993.
+ * On Computing Multiplicative Inverses in GF(2^m).
+ * IEEE Trans. Comput. 42, 8 (August 1993), 1010-1015.
+ * DOI=http://dx.doi.org/10.1109/12.238496
+ *
+ *
+ * Henri Cohen, Gerhard Frey, Roberto Avanzi, Christophe Doche, Tanja Lange,
+ * Kim Nguyen, and Frederik Vercauteren. 2012.
+ * Handbook of Elliptic and Hyperelliptic Curve Cryptography,
+ * Second Edition (2nd ed.). Chapman & Hall/CRC.
+ * (Chapter 11 -- Algorithm 11.44 -- pag 223)
+ *
+ */
+int gf2x_mod_inverse(DIGIT out[], const DIGIT in[]);/* ret. 1 if inv. exists */
+
+/*---------------------------------------------------------------------------*/
+
+void gf2x_transpose_in_place(DIGIT
+                             A[]); /* in place bit-transp. of a(x) % x^P+1  *
+                                      * e.g.: a3 a2 a1 a0 --> a1 a2 a3 a0     */
+
+/*---------------------------------------------------------------------------*/
+
+/* population count for a single polynomial */
+static inline int population_count(DIGIT upc[]) {
+    int ret = 0;
+    for (int i = NUM_DIGITS_GF2X_ELEMENT - 1; i >= 0; i--) {
+        #if defined(DIGIT_IS_ULLONG)
+        ret += __builtin_popcountll((unsigned long long int) (upc[i]));
+        #elif defined(DIGIT_IS_ULONG)
+        ret += __builtin_popcountl((unsigned long int) (upc[i]));
+        #elif defined(DIGIT_IS_UINT)
+        ret += __builtin_popcount((unsigned int) (upc[i]));
+        #elif defined(DIGIT_IS_UCHAR)
+        const unsigned char split_lookup[] = {
+            0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4
+        };
+        ret += split_lookup[upc[i] & 0xF] + split_lookup[upc[i] >> 4];
+        #else
+#error "Missing implementation for population_count(...) \
+with this CPU word bitsize !!! "
+        #endif
+    }
+    return ret;
+} // end population_count
+
+/*--------------------------------------------------------------------------*/
+
+/* returns the coefficient of the x^exponent term as the LSB of a digit */
+static inline
+DIGIT gf2x_get_coeff(const DIGIT poly[], const unsigned int exponent) {
+    unsigned int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
+    unsigned int digitIdx = straightIdx / DIGIT_SIZE_b;
+    unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;
+    return (poly[digitIdx] >> (DIGIT_SIZE_b - 1 - inDigitIdx)) & ((DIGIT) 1) ;
+}
+
+/*--------------------------------------------------------------------------*/
+
+/* sets the coefficient of the x^exponent term as the LSB of a digit */
+static inline
+void gf2x_set_coeff(DIGIT poly[], const unsigned int exponent, DIGIT value) {
+    int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
+    int digitIdx = straightIdx / DIGIT_SIZE_b;
+
+    unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;
+
+    /* clear given coefficient */
+    DIGIT mask = ~( ((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx));
+    poly[digitIdx] = poly[digitIdx] & mask;
+    poly[digitIdx] = poly[digitIdx] | (( value & ((DIGIT) 1)) <<
+                                       (DIGIT_SIZE_b - 1 - inDigitIdx));
+}
+/*--------------------------------------------------------------------------*/
+
+/* toggles (flips) the coefficient of the x^exponent term as the LSB of a digit */
+static inline
+void gf2x_toggle_coeff(DIGIT poly[], const unsigned int exponent) {
+
+    int straightIdx = (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_b - 1) - exponent;
+    int digitIdx = straightIdx / DIGIT_SIZE_b;
+    unsigned int inDigitIdx = straightIdx % DIGIT_SIZE_b;
+
+    /* clear given coefficient */
+    DIGIT mask = ( ((DIGIT) 1) << (DIGIT_SIZE_b - 1 - inDigitIdx));
+    poly[digitIdx] = poly[digitIdx] ^ mask;
+}
+/*--------------------------------------------------------------------------*/
+
+void rand_circulant_sparse_block(POSITION_T *pos_ones,
+                                 const int countOnes,
+                                 AES_XOF_struct *seed_expander_ctx);
+/*--------------------------------------------------------------------------*/
+
+void rand_circulant_blocks_sequence(DIGIT sequence[N0 * NUM_DIGITS_GF2X_ELEMENT],
+                                    const int countOnes,
+                                    AES_XOF_struct *seed_expander_ctx
+                                   );
+
+/*---------------------------------------------------------------------------*/
+
+
+void gf2x_mod_add_sparse(int sizeR,
+                         POSITION_T Res[],
+                         int sizeA,
+                         POSITION_T A[],
+                         int sizeB,
+                         POSITION_T B[]);
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_transpose_in_place_sparse(int sizeA, POSITION_T A[]);
+
+/*----------------------------------------------------------------------------*/
+
+void gf2x_mod_mul_sparse(int
+                         sizeR, /*number of ones in the result, max sizeA*sizeB */
+                         POSITION_T Res[],
+                         int sizeA, /*number of ones in A*/
+                         const POSITION_T A[],
+                         int sizeB, /*number of ones in B*/
+                         const POSITION_T B[]);
+/*----------------------------------------------------------------------------*/
+void gf2x_mod_mul_dense_to_sparse(DIGIT Res[],
+                                  const DIGIT dense[],
+                                  POSITION_T sparse[],
+                                  unsigned int nPos);
+/*----------------------------------------------------------------------------*/
+static inline
+int partition (POSITION_T arr[], int lo, int hi) {
+    POSITION_T x = arr[hi];
+    POSITION_T tmp;
+    int i = (lo - 1);
+    for (int j = lo; j <= hi - 1; j++)  {
+        if (arr[j] <= x) {
+            i++;
+            tmp = arr[i];
+            arr[i] = arr[j];
+            arr[j] = tmp;
+        }
+    }
+    tmp = arr[i + 1];
+    arr[i + 1] = arr[hi];
+    arr[hi] = tmp;
+
+    return i + 1;
+} // end partition
+
+/*----------------------------------------------------------------------------*/
+
+static inline
+void quicksort(POSITION_T Res[], unsigned int sizeR) {
+    /* sort the result */
+    int stack[sizeR];
+    int hi, lo, pivot, tos = -1;
+    stack[++tos] = 0;
+    stack[++tos] = sizeR - 1;
+    while (tos >= 0 ) {
+        hi = stack[tos--];
+        lo = stack[tos--];
+        pivot = partition(Res, lo, hi);
+        if ( (pivot - 1) > lo) {
+            stack[++tos] = lo;
+            stack[++tos] = pivot - 1;
+        }
+        if ( (pivot + 1) < hi) {
+            stack[++tos] = pivot + 1;
+            stack[++tos] = hi;
+        }
+    }
+}
+
+/*---------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/gf2x_limbs.h b/crypto_kem/ledakemlt12/clean/gf2x_limbs.h
new file mode 100644
index 00000000..6ced9310
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/gf2x_limbs.h
@@ -0,0 +1,94 @@
+/**
+ *
+ * <gf2x_limbs.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+/*----------------------------------------------------------------------------*/
+
+#include <inttypes.h>
+#include <limits.h>
+#include <stddef.h>
+#include "qc_ldpc_parameters.h"
+
+/*----------------------------------------------------------------------------*/
+
+#define LITTLE_ENDIAN
+
+/*----------------------------------------------------------------------------*/
+/* limb size definitions for the multi-precision GF(2^x) library              */
+/*----------------------------------------------------------------------------*/
+
+#ifndef CPU_WORD_BITS
+typedef size_t DIGIT;
+#define DIGIT_MAX SIZE_MAX
+#else
+// gcc -DCPU_WORD_BITS=64 ...
+#define CAT(a, b, c) PRIMITIVE_CAT(a, b, c)
+#define PRIMITIVE_CAT(a, b, c) a ## b ## c
+
+typedef CAT( uint, CPU_WORD_BITS, _t ) DIGIT;
+#define DIGIT_MAX (CAT(UINT, CPU_WORD_BITS, _MAX))
+#endif
+
+#if (DIGIT_MAX == ULLONG_MAX)
+#define DIGIT_IS_ULLONG
+#elif (DIGIT_MAX == ULONG_MAX)
+#define DIGIT_IS_ULONG
+#elif (DIGIT_MAX == UINT_MAX)
+#define DIGIT_IS_UINT
+#elif (DIGIT_MAX == UCHAR_MAX)
+#define DIGIT_IS_UCHAR
+#else
+#error "unable to find the type of CPU_WORD_BITS"
+#endif
+
+#if (DIGIT_MAX == UINT64_MAX)
+#define DIGIT_IS_UINT64
+#define DIGIT_SIZE_B 8
+#elif (DIGIT_MAX == UINT32_MAX)
+#define DIGIT_IS_UINT32
+#define DIGIT_SIZE_B 4
+#elif (DIGIT_MAX == UINT16_MAX)
+#define DIGIT_IS_UINT16
+#define DIGIT_SIZE_B 2
+#elif (DIGIT_MAX == UINT8_MAX)
+#define DIGIT_IS_UINT8
+#define DIGIT_SIZE_B 1
+#else
+#error "unable to find the bitsize of size_t"
+#endif
+
+#define DIGIT_SIZE_b  (DIGIT_SIZE_B << 3)
+
+#define    POSITION_T uint32_t
+/*----------------------------------------------------------------------------*/
+
diff --git a/crypto_kem/ledakemlt12/clean/kem.c b/crypto_kem/ledakemlt12/clean/kem.c
new file mode 100644
index 00000000..28b55695
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/kem.c
@@ -0,0 +1,97 @@
+/**
+ *
+ * <kem.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#include "niederreiter_keygen.h"
+#include "niederreiter_encrypt.h"
+#include "niederreiter_decrypt.h"
+#include "rng.h"
+#include "sha3.h"
+#include <string.h>
+/* Generates a keypair - pk is the public key and sk is the secret key. */
+int crypto_kem_keypair( unsigned char *pk,
+                        unsigned char *sk ) {
+
+    AES_XOF_struct niederreiter_keys_expander;
+    randombytes( ((privateKeyNiederreiter_t *)sk)->prng_seed,
+                 TRNG_BYTE_LENGTH);
+    seedexpander_from_trng(&niederreiter_keys_expander,
+                           ((privateKeyNiederreiter_t *)sk)->prng_seed);
+    key_gen_niederreiter((publicKeyNiederreiter_t *) pk,
+                         (privateKeyNiederreiter_t *) sk,
+                         &niederreiter_keys_expander);
+    return 0;
+}
+
+/* Encrypt - pk is the public key, ct is a key encapsulation message
+  (ciphertext), ss is the shared secret.*/
+int crypto_kem_enc( unsigned char *ct,
+                    unsigned char *ss,
+                    const unsigned char *pk ) {
+
+    AES_XOF_struct niederreiter_encap_key_expander;
+    unsigned char encapsulated_key_seed[TRNG_BYTE_LENGTH];
+    randombytes(encapsulated_key_seed, TRNG_BYTE_LENGTH);
+    seedexpander_from_trng(&niederreiter_encap_key_expander, encapsulated_key_seed);
+
+    DIGIT error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
+    rand_circulant_blocks_sequence(error_vector,
+                                   NUM_ERRORS_T,
+                                   &niederreiter_encap_key_expander);
+
+    HASH_FUNCTION((const unsigned char *) error_vector,    // input
+                  (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), // input Length
+                  ss);
+
+    encrypt_niederreiter((DIGIT *) ct, (publicKeyNiederreiter_t *) pk, error_vector);
+    return 0;
+}
+
+
+/* Decrypt - ct is a key encapsulation message (ciphertext), sk is the private
+   key, ss is the shared secret */
+
+int crypto_kem_dec( unsigned char *ss,
+                    const unsigned char *ct,
+                    const unsigned char *sk ) {
+    DIGIT decoded_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
+
+    int decode_ok = decrypt_niederreiter(decoded_error_vector,
+                                         (privateKeyNiederreiter_t *)sk,
+                                         (DIGIT *)ct);
+    HASH_FUNCTION((const unsigned char *) decoded_error_vector,
+                  (N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B),
+                  ss);
+    if (decode_ok == 1) {
+        return 0;
+    }
+    return 1;
+}
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter.h b/crypto_kem/ledakemlt12/clean/niederreiter.h
new file mode 100644
index 00000000..34c05e73
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter.h
@@ -0,0 +1,58 @@
+/**
+ *
+ * <niederreiter.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+#include "qc_ldpc_parameters.h"
+#include "gf2x_limbs.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+
+
+/*----------------------------------------------------------------------------*/
+#pragma pack(1)
+
+typedef struct {
+    /* raw entropy extracted from TRNG, will be deterministically expanded into
+     * H and Q during decryption */
+    unsigned char prng_seed[TRNG_BYTE_LENGTH];
+    int8_t rejections;
+} privateKeyNiederreiter_t;
+
+typedef struct {
+    DIGIT Mtr[(N0 - 1)*NUM_DIGITS_GF2X_ELEMENT];
+    // Dense representation of the matrix M=Ln0*L,
+    // An array including a sequence of (N0-1) gf2x elements;
+    // each gf2x element is stored as a binary polynomial(mod x^P+1)
+    // with P coefficients.
+} publicKeyNiederreiter_t;
+
+#pragma pack()
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c b/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c
new file mode 100644
index 00000000..13023318
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.c
@@ -0,0 +1,153 @@
+/**
+ *
+ * <niederreiter_decrypt.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#include "niederreiter_decrypt.h"
+
+#include "qc_ldpc_parameters.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+#include "H_Q_matrices_generation.h"
+
+#include "bf_decoding.h"
+#include "dfr_test.h"
+#include <string.h>
+
+/*----------------------------------------------------------------------------*/
+
+int decrypt_niederreiter(DIGIT err[],            // N0 circ poly
+                         const privateKeyNiederreiter_t *const sk,
+                         const DIGIT syndrome[]  // 1 circ poly
+                        ) {
+    AES_XOF_struct niederreiter_decrypt_expander;
+    seedexpander_from_trng(&niederreiter_decrypt_expander,
+                           sk->prng_seed);
+
+    /**************************************************************************/
+    // sequence of N0 circ block matrices (p x p):
+    POSITION_T HPosOnes[N0][DV];
+    POSITION_T HtrPosOnes[N0][DV];
+    POSITION_T QPosOnes[N0][M];
+    int rejections = sk->rejections;
+    POSITION_T LPosOnes[N0][DV * M];
+    do {
+        generateHPosOnes_HtrPosOnes(HPosOnes, HtrPosOnes,
+                                    &niederreiter_decrypt_expander);
+        generateQsparse(QPosOnes, &niederreiter_decrypt_expander);
+        for (int i = 0; i < N0; i++) {
+            for (int j = 0; j < DV * M; j++) {
+                LPosOnes[i][j] = INVALID_POS_VALUE;
+            }
+        }
+
+        POSITION_T auxPosOnes[DV * M];
+        unsigned char processedQOnes[N0] = {0};
+        for (int colQ = 0; colQ < N0; colQ++) {
+            for (int i = 0; i < N0; i++) {
+                gf2x_mod_mul_sparse(DV * M, auxPosOnes,
+                                    DV, HPosOnes[i],
+                                    qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
+                gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
+                                    DV * M, LPosOnes[colQ],
+                                    DV * M, auxPosOnes);
+                processedQOnes[i] += qBlockWeights[i][colQ];
+            }
+        }
+        rejections--;
+    } while (rejections >= 0);
+
+    POSITION_T QtrPosOnes[N0][M];
+    unsigned transposed_ones_idx[N0] = {0x00};
+    for (unsigned source_row_idx = 0; source_row_idx < N0 ; source_row_idx++) {
+        int currQoneIdx = 0; // position in the column of QtrPosOnes[][...]
+        int endQblockIdx = 0;
+        for (int blockIdx = 0; blockIdx < N0; blockIdx++) {
+            endQblockIdx += qBlockWeights[source_row_idx][blockIdx];
+            for (; currQoneIdx < endQblockIdx; currQoneIdx++) {
+                QtrPosOnes[blockIdx][transposed_ones_idx[blockIdx]] = (P -
+                        QPosOnes[source_row_idx][currQoneIdx]) % P;
+                transposed_ones_idx[blockIdx]++;
+            }
+        }
+    }
+
+    POSITION_T auxSparse[DV * M];
+    POSITION_T Ln0trSparse[DV * M];
+    for (int i = 0; i < DV * M; i++) {
+        Ln0trSparse[i] = INVALID_POS_VALUE;
+        auxSparse[i] = INVALID_POS_VALUE;
+    }
+
+    for (int i = 0; i < N0; i++) {
+        gf2x_mod_mul_sparse(DV * M, auxSparse,
+                            DV,   HPosOnes[i],
+                            qBlockWeights[i][N0 - 1], &QPosOnes[i][ M - qBlockWeights[i][N0 - 1] ]
+                           );
+        gf2x_mod_add_sparse(DV * M, Ln0trSparse,
+                            DV * M, Ln0trSparse,
+                            DV * M, auxSparse
+                           );
+    } // end for i
+    gf2x_transpose_in_place_sparse(DV * M, Ln0trSparse);
+
+    DIGIT privateSyndrome[NUM_DIGITS_GF2X_ELEMENT];
+    gf2x_mod_mul_dense_to_sparse(privateSyndrome,
+                                 syndrome,
+                                 Ln0trSparse,
+                                 DV * M);
+
+    /* prepare mockup error vector in case a decoding failure occurs */
+    DIGIT mockup_error_vector[N0 * NUM_DIGITS_GF2X_ELEMENT];
+    memset(mockup_error_vector, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    memcpy(mockup_error_vector, syndrome, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    seedexpander(&niederreiter_decrypt_expander,
+                 ((unsigned char *) mockup_error_vector) + (NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B), TRNG_BYTE_LENGTH);
+
+    int decryptOk = 0;
+    memset(err, 0x00, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    decryptOk = bf_decoding(err, (const POSITION_T (*)[DV]) HtrPosOnes,
+                            (const POSITION_T (*)[M]) QtrPosOnes, privateSyndrome);
+
+    int err_weight = 0;
+    for (int i = 0 ; i < N0; i++) {
+        err_weight += population_count(err + (NUM_DIGITS_GF2X_ELEMENT * i));
+    }
+    decryptOk = decryptOk && (err_weight == NUM_ERRORS_T);
+
+    if (!decryptOk) {
+        memcpy(err, mockup_error_vector, N0 * NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+    }
+
+    return decryptOk;
+} // end decrypt_niederreiter
+
+/*----------------------------------------------------------------------------*/
+
+
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h b/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h
new file mode 100644
index 00000000..7ac486e0
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_decrypt.h
@@ -0,0 +1,45 @@
+/**
+ *
+ * <niederreiter_decrypt.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "niederreiter.h"
+#include "gf2x_limbs.h"
+
+/*----------------------------------------------------------------------------*/
+
+int decrypt_niederreiter(DIGIT err[],       // return 1 if everything is ok
+                         const privateKeyNiederreiter_t *const sk,
+                         const DIGIT syndrome[]
+                        );
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c b/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c
new file mode 100644
index 00000000..a4ed2b4a
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.c
@@ -0,0 +1,57 @@
+/**
+ *
+ * <niederreiter_encrypt.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#include "niederreiter_encrypt.h"
+#include "qc_ldpc_parameters.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+
+#include <string.h> // memset(...)
+
+void encrypt_niederreiter(DIGIT syndrome[],                // 1  polynomial
+                          const publicKeyNiederreiter_t *const pk,
+                          const DIGIT err[]) {             // N0  polynomials
+    int i;
+    DIGIT saux[NUM_DIGITS_GF2X_ELEMENT];
+
+    memset(syndrome, 0x00, NUM_DIGITS_GF2X_ELEMENT * DIGIT_SIZE_B);
+
+    for (i = 0; i < N0 - 1; i++) {
+        gf2x_mod_mul(saux,
+                     pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
+                     err + i * NUM_DIGITS_GF2X_ELEMENT
+                    );
+        gf2x_mod_add(syndrome, syndrome, saux);
+    }  // end for
+    gf2x_mod_add(syndrome, syndrome, err + (N0 - 1)*NUM_DIGITS_GF2X_ELEMENT);
+} // end encrypt_niederreiter
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h b/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h
new file mode 100644
index 00000000..9da712f7
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_encrypt.h
@@ -0,0 +1,41 @@
+/**
+ *
+ * <niederreiter_encrypt.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "niederreiter.h"
+#include "gf2x_limbs.h"
+
+void encrypt_niederreiter(DIGIT syndrome[],
+                          const publicKeyNiederreiter_t *const pk,
+                          const DIGIT err[]
+                         );
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_keygen.c b/crypto_kem/ledakemlt12/clean/niederreiter_keygen.c
new file mode 100644
index 00000000..9e5a7a32
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_keygen.c
@@ -0,0 +1,145 @@
+/**
+ *
+ * <niederreiter_keygen.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#include "niederreiter_keygen.h"
+
+#include "H_Q_matrices_generation.h"
+#include "gf2x_arith_mod_xPplusOne.h"
+#include "rng.h"
+#include "dfr_test.h"
+
+#include <string.h>
+/*----------------------------------------------------------------------------*/
+/* Implementation that should never be optimized out by the compiler */
+static inline void zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = v;
+    while ( n-- ) {
+        *p++ = 0;
+    }
+} // end zeroize
+
+/*----------------------------------------------------------------------------*/
+
+void key_gen_niederreiter(publicKeyNiederreiter_t   *const pk,
+                          privateKeyNiederreiter_t *const sk,
+                          AES_XOF_struct *keys_expander) {
+    // sequence of N0 circ block matrices (p x p): Hi
+
+    POSITION_T HPosOnes[N0][DV];
+    POSITION_T HtrPosOnes[N0][DV];
+    /* Sparse representation of the transposed circulant matrix H,
+    with weight DV. Each index contains the position of a '1' digit in the
+    corresponding Htr block */
+
+    /* Sparse representation of the matrix (Q).
+    A matrix containing the positions of the ones in the circulant
+    blocks of Q. Each row contains the position of the
+    ones of all the blocks of a row of Q as exponent+
+    P*block_position */
+    POSITION_T QPosOnes[N0][M];
+
+    /*Rejection-sample for a full L*/
+    POSITION_T LPosOnes[N0][DV * M];
+    int is_L_full;
+    int isDFRok;
+    sk->rejections = (int8_t) 0;
+    do {
+        generateHPosOnes_HtrPosOnes(HPosOnes,
+                                    HtrPosOnes,
+                                    keys_expander);
+
+        generateQsparse(QPosOnes,
+                        keys_expander);
+        for (int i = 0; i < N0; i++) {
+            for (int j = 0; j < DV * M; j++) {
+                LPosOnes[i][j] = INVALID_POS_VALUE;
+            }
+        }
+
+        POSITION_T auxPosOnes[DV * M];
+        unsigned char processedQOnes[N0] = {0};
+        for (int colQ = 0; colQ < N0; colQ++) {
+            for (int i = 0; i < N0; i++) {
+                gf2x_mod_mul_sparse(DV * M, auxPosOnes,
+                                    DV, HPosOnes[i],
+                                    qBlockWeights[i][colQ], QPosOnes[i] + processedQOnes[i]);
+                gf2x_mod_add_sparse(DV * M, LPosOnes[colQ],
+                                    DV * M, LPosOnes[colQ],
+                                    DV * M, auxPosOnes);
+                processedQOnes[i] += qBlockWeights[i][colQ];
+            }
+        }
+        is_L_full = 1;
+        for (int i = 0; i < N0; i++) {
+            is_L_full = is_L_full && (LPosOnes[i][DV * M - 1] != INVALID_POS_VALUE);
+        }
+        sk->rejections = sk->rejections + 1;
+        if (is_L_full) {
+            isDFRok = DFR_test(LPosOnes);
+        }
+    } while (!is_L_full || !isDFRok);
+    sk->rejections = sk->rejections - 1;
+
+    DIGIT Ln0dense[NUM_DIGITS_GF2X_ELEMENT] = {0x00};
+    for (int j = 0; j < DV * M; j++) {
+        if (LPosOnes[N0 - 1][j] != INVALID_POS_VALUE) {
+            gf2x_set_coeff(Ln0dense, LPosOnes[N0 - 1][j], 1);
+        }
+    }
+    DIGIT Ln0Inv[NUM_DIGITS_GF2X_ELEMENT] = {0x00};
+    gf2x_mod_inverse(Ln0Inv, Ln0dense);
+    for (int i = 0; i < N0 - 1; i++) {
+        gf2x_mod_mul_dense_to_sparse(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT,
+                                     Ln0Inv,
+                                     LPosOnes[i],
+                                     DV * M);
+    }
+
+    for (int i = 0; i < N0 - 1; i++) {
+        gf2x_transpose_in_place(pk->Mtr + i * NUM_DIGITS_GF2X_ELEMENT);
+    }
+} // end key_gen_niederreiter
+
+/*----------------------------------------------------------------------------*/
+
+void publicKey_deletion_niederreiter(publicKeyNiederreiter_t   *const pk) {
+
+    zeroize(pk, sizeof(publicKeyNiederreiter_t));
+} // publicKey_deletion_niederreiter
+
+/*----------------------------------------------------------------------------*/
+
+void privateKey_deletion_niederreiter(privateKeyNiederreiter_t *const sk) {
+    zeroize(sk, sizeof(privateKeyNiederreiter_t));
+} // privateKey_deletion_niederreiter
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/niederreiter_keygen.h b/crypto_kem/ledakemlt12/clean/niederreiter_keygen.h
new file mode 100644
index 00000000..ae5210b7
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/niederreiter_keygen.h
@@ -0,0 +1,43 @@
+/**
+ *
+ * <niederreiter_keygen.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+#include "niederreiter.h"
+#include "rng.h"
+
+void key_gen_niederreiter(publicKeyNiederreiter_t   *const pk,
+                          privateKeyNiederreiter_t *const sk,
+                          AES_XOF_struct *keys_expander);
+
+void publicKey_deletion_niederreiter(publicKeyNiederreiter_t    *const pk);
+void privateKey_deletion_niederreiter(privateKeyNiederreiter_t *const sk);
diff --git a/crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h b/crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h
new file mode 100644
index 00000000..ab43d044
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/qc_ldpc_parameters.h
@@ -0,0 +1,157 @@
+/**
+ *
+ * <qc_ldpc_parameters.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+#pragma once
+// CATEGORY defined in the makefile
+
+/*----------------------------------------------------------------------------*/
+#if CATEGORY == 1
+#define TRNG_BYTE_LENGTH (24)
+#define    HASH_FUNCTION sha3_256
+#define HASH_BYTE_LENGTH (32)
+// N0 defined in the makefile
+#if (DFR_SL_LEVEL == 0)
+#define    P  (35899)  // modulus(x) = x^P-1
+#define    DV (9)  // odd number
+#define    M  (9)
+#define    M0 (5)
+#define    M1 (4)
+#define    NUM_ERRORS_T   (136)
+
+#elif (DFR_SL_LEVEL == 1)
+#define    P  (52147)  // modulus(x) = x^P-1
+#define    DV (9)  // odd number
+#define    M  (9)
+#define    M0 (5)
+#define    M1 (4)
+#define    NUM_ERRORS_T   (136)
+
+#else
+#error "Unsupported number of circulant blocks"
+#endif
+#endif // end CATEGORY == 1
+
+/*----------------------------------------------------------------------------*/
+
+// We employ the parameters for Category 3 also in the case where the required
+// security level is Category 2, where Category 2 has the following parameters.
+//   #define TRNG_BYTE_LENGTH (32)
+//   #define    HASH_FUNCTION sha3_256
+//   #define HASH_BYTE_LENGTH (32)
+
+/*----------------------------------------------------------------------------*/
+
+#if (CATEGORY == 2) || (CATEGORY == 3)
+#define TRNG_BYTE_LENGTH (32)
+#define    HASH_FUNCTION sha3_384
+#define HASH_BYTE_LENGTH (48)
+// N0 defined in the makefile
+#if (DFR_SL_LEVEL == 0)
+#define    P  (57899)  // modulus(x) = x^P-1
+#define    DV (11)  // odd number
+#define    M  (11)
+#define    M0 (6)
+#define    M1 (5)
+#define    NUM_ERRORS_T   (199)
+
+#elif (DFR_SL_LEVEL == 1)
+#define    P  (96221)  // modulus(x) = x^P-1
+#define    DV (11)  // odd number
+#define    M  (11)
+#define    M0 (6)
+#define    M1 (5)
+#define    NUM_ERRORS_T   (199)
+
+#else
+#error "Unsupported number of circulant blocks"
+#endif
+#endif
+
+/*----------------------------------------------------------------------------*/
+
+// We employ the parameters for Category 4 also in the case where the required
+// security level is Category 5, where Category 4 has the following parameters.
+// #if CATEGORY == 4
+//   #define TRNG_BYTE_LENGTH (40)
+//   #define    HASH_FUNCTION sha3_384
+//   #define HASH_BYTE_LENGTH (48)
+// #endif
+
+/*----------------------------------------------------------------------------*/
+
+#if (CATEGORY == 4) || (CATEGORY == 5)
+#define TRNG_BYTE_LENGTH (40)
+#define    HASH_FUNCTION  sha3_512
+#define HASH_BYTE_LENGTH (64)
+// N0 defined in the makefile
+#if (DFR_SL_LEVEL == 0)
+#define    P  (89051)  // modulus(x) = x^P-1
+#define    DV (13)  // odd number
+#define    M  (13)
+#define    M0 (7)
+#define    M1 (6)
+#define    NUM_ERRORS_T   (267)
+
+#elif (DFR_SL_LEVEL == 1)
+#define    P  (152267)  // modulus(x) = x^P-1
+#define    DV (13)  // odd number
+#define    M  (13)
+#define    M0 (7)
+#define    M1 (6)
+#define    NUM_ERRORS_T   (267)
+
+#else
+#error "Unsupported number of circulant blocks"
+#endif
+#endif
+/*----------------------------------------------------------------------------*/
+
+// Derived parameters, they are useful for QC-LDPC algorithms
+#define HASH_BIT_LENGTH (HASH_BYTE_LENGTH << 3)
+#define               K ((N0-1)*P)
+#define               N (N0*P)
+#define              DC (N0*DV)
+
+// Circulant weight structure of the Q matrix, specialized per value of N0
+#if N0 == 2
+#define    Q_BLOCK_WEIGHTS  {{M0,M1},{M1,M0}}
+#elif N0 == 3
+#define    Q_BLOCK_WEIGHTS  {{M0,M1,M2},{M2,M0,M1},{M1,M2,M0}}
+#elif N0 == 4
+#define    Q_BLOCK_WEIGHTS  {{M0,M1,M2,M3},{M3,M0,M1,M2},{M2,M3,M0,M1},{M1,M2,M3,M0}}
+#else
+#error "Unsupported number of circulant blocks"
+#endif
+
+static const unsigned char qBlockWeights[N0][N0] = Q_BLOCK_WEIGHTS;
+
+
+/*----------------------------------------------------------------------------*/
diff --git a/crypto_kem/ledakemlt12/clean/rng.c b/crypto_kem/ledakemlt12/clean/rng.c
new file mode 100644
index 00000000..cff6f77f
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/rng.c
@@ -0,0 +1,336 @@
+/**
+ *
+ * <rng.c>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+
+#include "rng.h"
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h> // void srand(unsigned int seed); int rand(void); RAND_MAX
+#include <string.h> // void *memset(void *s, int c, size_t n);
+#define __USE_POSIX199309
+#include <time.h> // struct timespec; clock_gettime(...); CLOCK_REALTIME
+
+#include "aes256.h"
+#include "qc_ldpc_parameters.h"
+
+
+/******************************************************************************/
+/*----------------------------------------------------------------------------*/
+/*              start PSEUDO-RAND GENERATOR ROUTINES for rnd.h                */
+/*----------------------------------------------------------------------------*/
+
+
+void initialize_pseudo_random_generator_seed(int ac, char *av[]) {
+
+    if (ac == 2) {
+        srand(atoi(av[1]));
+    } else {
+        struct timespec seedValue;
+        clock_gettime(CLOCK_REALTIME, &seedValue);
+        srand(seedValue.tv_nsec);
+    } // end else-if
+    unsigned char pseudo_entropy[48];
+    for (int i = 0; i < 48; i++) {
+        pseudo_entropy[i] = rand() & 0xff;
+    }
+    randombytes_init(pseudo_entropy,
+                     NULL,
+                     0 /*unused in NIST function*/);
+
+
+} // end initilize_pseudo_random_sequence_seed
+
+
+/*----------------------------------------------------------------------------*/
+
+/* Initializes a dedicated DRBG context to avoid conflicts with the global one
+ * declared by NIST for KATs. Provides the output of the DRBG in output, for
+ * the given length */
+
+
+/*----------------------------------------------------------------------------*/
+/*              end PSEUDO-RAND GENERATOR ROUTINES for rnd.h                  */
+/*----------------------------------------------------------------------------*/
+
+AES256_CTR_DRBG_struct  DRBG_ctx;
+
+void    AES256_ECB(unsigned char *key, unsigned char *ctr,
+                   unsigned char *buffer);
+
+/*
+ seedexpander_init()
+ ctx            - stores the current state of an instance of the seed expander
+ seed           - a 32 byte random value
+ diversifier    - an 8 byte diversifier
+ maxlen         - maximum number of bytes (less than 2**32) generated under this seed and diversifier
+ */
+int
+seedexpander_init(AES_XOF_struct *ctx,
+                  unsigned char *seed,
+                  unsigned char *diversifier,
+                  unsigned long maxlen) {
+    if ( maxlen >= 0x100000000 ) {
+        return RNG_BAD_MAXLEN;
+    }
+
+    ctx->length_remaining = maxlen;
+
+    memset(ctx->key, 0, 32);
+    int max_accessible_seed_len = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
+    memcpy(ctx->key, seed, max_accessible_seed_len);
+
+    memcpy(ctx->ctr, diversifier, 8);
+    ctx->ctr[11] = maxlen % 256;
+    maxlen >>= 8;
+    ctx->ctr[10] = maxlen % 256;
+    maxlen >>= 8;
+    ctx->ctr[9] = maxlen % 256;
+    maxlen >>= 8;
+    ctx->ctr[8] = maxlen % 256;
+    memset(ctx->ctr + 12, 0x00, 4);
+
+    ctx->buffer_pos = 16;
+    memset(ctx->buffer, 0x00, 16);
+
+    return RNG_SUCCESS;
+}
+
+/*
+ seedexpander()
+    ctx  - stores the current state of an instance of the seed expander
+    x    - returns the XOF data
+    xlen - number of bytes to return
+ */
+int
+seedexpander(AES_XOF_struct *ctx, unsigned char *x, unsigned long xlen) {
+    unsigned long   offset;
+
+    if ( x == NULL ) {
+        return RNG_BAD_OUTBUF;
+    }
+    if ( xlen >= ctx->length_remaining ) {
+        return RNG_BAD_REQ_LEN;
+    }
+
+    ctx->length_remaining -= xlen;
+
+    offset = 0;
+    while ( xlen > 0 ) {
+        if ( xlen <= (16 - ctx->buffer_pos) ) { // buffer has what we need
+            memcpy(x + offset, ctx->buffer + ctx->buffer_pos, xlen);
+            ctx->buffer_pos += xlen;
+
+            return RNG_SUCCESS;
+        }
+
+        // take what's in the buffer
+        memcpy(x + offset, ctx->buffer + ctx->buffer_pos, 16 - ctx->buffer_pos);
+        xlen -= 16 - ctx->buffer_pos;
+        offset += 16 - ctx->buffer_pos;
+
+        AES256_ECB(ctx->key, ctx->ctr, ctx->buffer);
+        ctx->buffer_pos = 0;
+
+        //increment the counter
+        for (int i = 15; i >= 12; i--) {
+            if ( ctx->ctr[i] == 0xff ) {
+                ctx->ctr[i] = 0x00;
+            } else {
+                ctx->ctr[i]++;
+                break;
+            }
+        }
+
+    }
+
+    return RNG_SUCCESS;
+}
+
+// Use whatever AES implementation you have. This uses AES from openSSL library
+//    key - 256-bit AES key
+//    ptx - a 128-bit plaintext value
+//    ctx - a 128-bit ciphertext value
+
+void
+AES256_ECB(unsigned char *key, unsigned char *ptx, unsigned char *ctx) {
+    uint32_t round_key[4 * (NROUNDS + 1)] = {0x00};
+    rijndaelKeySetupEnc(round_key, key, KEYLEN_b);
+    rijndaelEncrypt(round_key, NROUNDS, ptx, ctx);
+}
+
+void
+randombytes_init(unsigned char *entropy_input,
+                 unsigned char *personalization_string,
+                 int security_strength) {
+    unsigned char   seed_material[48];
+
+    memcpy(seed_material, entropy_input, 48);
+    if (personalization_string)
+        for (int i = 0; i < 48; i++) {
+            seed_material[i] ^= personalization_string[i];
+        }
+    memset(DRBG_ctx.Key, 0x00, 32);
+    memset(DRBG_ctx.V, 0x00, 16);
+    AES256_CTR_DRBG_Update(seed_material, DRBG_ctx.Key, DRBG_ctx.V);
+    DRBG_ctx.reseed_counter = 1;
+}
+
+int
+randombytes(unsigned char *x, unsigned long long xlen) {
+    unsigned char   block[16];
+    int             i = 0;
+
+    while ( xlen > 0 ) {
+        //increment V
+        for (int j = 15; j >= 0; j--) {
+            if ( DRBG_ctx.V[j] == 0xff ) {
+                DRBG_ctx.V[j] = 0x00;
+            } else {
+                DRBG_ctx.V[j]++;
+                break;
+            }
+        }
+        AES256_ECB(DRBG_ctx.Key, DRBG_ctx.V, block);
+        if ( xlen > 15 ) {
+            memcpy(x + i, block, 16);
+            i += 16;
+            xlen -= 16;
+        } else {
+            memcpy(x + i, block, xlen);
+            xlen = 0;
+        }
+    }
+    AES256_CTR_DRBG_Update(NULL, DRBG_ctx.Key, DRBG_ctx.V);
+    DRBG_ctx.reseed_counter++;
+
+    return RNG_SUCCESS;
+}
+
+void
+AES256_CTR_DRBG_Update(unsigned char *provided_data,
+                       unsigned char *Key,
+                       unsigned char *V) {
+    unsigned char   temp[48];
+
+    for (int i = 0; i < 3; i++) {
+        //increment V
+        for (int j = 15; j >= 0; j--) {
+            if ( V[j] == 0xff ) {
+                V[j] = 0x00;
+            } else {
+                V[j]++;
+                break;
+            }
+        }
+
+        AES256_ECB(Key, V, temp + 16 * i);
+    }
+    if ( provided_data != NULL )
+        for (int i = 0; i < 48; i++) {
+            temp[i] ^= provided_data[i];
+        }
+    memcpy(Key, temp, 32);
+    memcpy(V, temp + 32, 16);
+}
+
+
+
+void deterministic_random_byte_generator(unsigned char *const output,
+        const unsigned long long output_len,
+        const unsigned char *const seed,
+        const unsigned long long seed_length
+                                        ) {
+    /* DRBG context initialization */
+    AES256_CTR_DRBG_struct ctx;
+    unsigned char   seed_material[48];
+    memset(seed_material, 0x00, 48);
+    memcpy(seed_material, seed, seed_length);
+
+    memset(ctx.Key, 0x00, 32);
+    memset(ctx.V, 0x00, 16);
+    AES256_CTR_DRBG_Update(seed_material, ctx.Key, ctx.V);
+    ctx.reseed_counter = 1;
+
+    /* Actual DRBG computation as from the randombytes(unsigned char *x,
+     * unsigned long long xlen) from NIST */
+
+    unsigned char   block[16];
+    int             i = 0, length_remaining;
+
+    length_remaining = output_len;
+
+    while ( length_remaining > 0 ) {
+        //increment V
+        for (int j = 15; j >= 0; j--) {
+            if ( ctx.V[j] == 0xff ) {
+                ctx.V[j] = 0x00;
+            } else {
+                ctx.V[j]++;
+                break;
+            }
+        }
+        AES256_ECB(ctx.Key, ctx.V, block);
+        if ( length_remaining > 15 ) {
+            memcpy(output + i, block, 16);
+            i += 16;
+            length_remaining -= 16;
+        } else {
+            memcpy(output + i, block, length_remaining);
+            length_remaining = 0;
+        }
+    }
+    AES256_CTR_DRBG_Update(NULL, ctx.Key, ctx.V);
+    ctx.reseed_counter++;
+
+} // end deterministic_random_byte_generator
+
+void seedexpander_from_trng(AES_XOF_struct *ctx,
+                            const unsigned char *trng_entropy
+                            /* TRNG_BYTE_LENGTH wide buffer */) {
+
+    /*the NIST seedexpander will however access 32B from this buffer */
+    unsigned int prng_buffer_size = TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH;
+    unsigned char prng_buffer[TRNG_BYTE_LENGTH < 32 ? 32 : TRNG_BYTE_LENGTH] = { 0x00 };
+    memcpy(prng_buffer,
+           trng_entropy,
+           TRNG_BYTE_LENGTH < prng_buffer_size ? TRNG_BYTE_LENGTH : prng_buffer_size);
+    /* if extra entropy is provided, add it to the diversifier */
+    #if TRNG_BYTE_LENGTH == 40
+    unsigned char *diversifier = ((unsigned char *)trng_entropy) + 32;
+    #else
+    unsigned char diversifier[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+    #endif
+    /* the required seed expansion will be quite small, set the max number of
+     * bytes conservatively to 10 MiB*/
+    seedexpander_init(ctx, prng_buffer, diversifier, 10 * 1024 * 1024);
+}
diff --git a/crypto_kem/ledakemlt12/clean/rng.h b/crypto_kem/ledakemlt12/clean/rng.h
new file mode 100644
index 00000000..6615c529
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/rng.h
@@ -0,0 +1,96 @@
+/**
+ *
+ * <rng.h>
+ *
+ * @version 2.0 (March 2019)
+ *
+ * Reference ISO-C11 Implementation of the LEDAcrypt KEM-LT cipher using GCC built-ins.
+ *
+ * In alphabetical order:
+ *
+ * @author Marco Baldi <m.baldi@univpm.it>
+ * @author Alessandro Barenghi <alessandro.barenghi@polimi.it>
+ * @author Franco Chiaraluce <f.chiaraluce@univpm.it>
+ * @author Gerardo Pelosi <gerardo.pelosi@polimi.it>
+ * @author Paolo Santini <p.santini@pm.univpm.it>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ **/
+
+#pragma once
+
+/******  From this point on, the code was supplied by NIST ****************/
+//  Created by Bassham, Lawrence E (Fed) on 8/29/17.
+//  Copyright © 2017 Bassham, Lawrence E (Fed). All rights reserved.
+//
+/******    from NIST  ****************/
+
+#include <stdio.h>
+
+#define RNG_SUCCESS      0
+#define RNG_BAD_MAXLEN  -1
+#define RNG_BAD_OUTBUF  -2
+#define RNG_BAD_REQ_LEN -3
+
+typedef struct {
+    unsigned char   buffer[16];
+    int             buffer_pos;
+    unsigned long   length_remaining;
+    unsigned char   key[32];
+    unsigned char   ctr[16];
+} AES_XOF_struct;
+
+typedef struct {
+    unsigned char   Key[32];
+    unsigned char   V[16];
+    int             reseed_counter;
+} AES256_CTR_DRBG_struct;
+
+
+void
+AES256_CTR_DRBG_Update(unsigned char *provided_data,
+                       unsigned char *Key,
+                       unsigned char *V);
+
+int
+seedexpander_init(AES_XOF_struct *ctx,
+                  unsigned char *seed,
+                  unsigned char *diversifier,
+                  unsigned long maxlen);
+
+int
+seedexpander(AES_XOF_struct *ctx, unsigned char *x, unsigned long xlen);
+
+void
+randombytes_init(unsigned char *entropy_input,
+                 unsigned char *personalization_string,
+                 int security_strength);
+
+int
+randombytes(unsigned char *x, unsigned long long xlen);
+
+/******  End of NIST supplied code ****************/
+
+void initialize_pseudo_random_generator_seed(int ac, char *av[]);
+
+void deterministic_random_byte_generator(unsigned char *const output,
+        const unsigned long long output_len,
+        const unsigned char *const seed,
+        const unsigned long long seed_length);
+
+void seedexpander_from_trng(AES_XOF_struct *ctx,
+                            const unsigned char *trng_entropy
+                            /* TRNG_BYTE_LENGTH wide buffer */);
diff --git a/crypto_kem/ledakemlt12/clean/sha3.h b/crypto_kem/ledakemlt12/clean/sha3.h
new file mode 100644
index 00000000..642843de
--- /dev/null
+++ b/crypto_kem/ledakemlt12/clean/sha3.h
@@ -0,0 +1,43 @@
+#pragma once
+
+#define LITTLE_ENDIAN
+#include <libkeccak.a.headers/KeccakHash.h>
+
+static inline
+void sha3_256(const unsigned char *input,
+              unsigned int inputByteLen,
+              unsigned char *output) {
+    Keccak_HashInstance state;
+    Keccak_HashInitialize(&state, 1088,  512, 256, 0x06);
+    Keccak_HashUpdate(&state, input, inputByteLen * 8);
+    Keccak_HashFinal(&state, output);
+}
+
+/**
+  *  Function to compute SHA3-384 on the input message.
+  *  The output length is fixed to 48 bytes.
+  */
+static inline
+void sha3_384(const unsigned char *input,
+              unsigned int inputByteLen,
+              unsigned char *output) {
+    Keccak_HashInstance state;
+    Keccak_HashInitialize(&state, 832,  768, 384, 0x06);
+    Keccak_HashUpdate(&state, input, inputByteLen * 8);
+    Keccak_HashFinal(&state, output);
+}
+
+/**
+  *  Function to compute SHA3-512 on the input message.
+  *  The output length is fixed to 64 bytes.
+  */
+static inline
+void sha3_512(const unsigned char *input,
+              unsigned int inputByteLen,
+              unsigned char *output) {
+    Keccak_HashInstance state;
+    Keccak_HashInitialize(&state, 576,  1024, 512, 0x06);
+    Keccak_HashUpdate(&state, input, inputByteLen * 8);
+    Keccak_HashFinal(&state, output);
+}
+