1
1
mirror of https://github.com/henrydcase/pqc.git synced 2024-11-23 07:59:01 +00:00
pqcrypto/crypto_kem/mceliece6960119/clean/bm.c
Thom Wiggers ac2c20045c Classic McEliece (#259)
* Add McEliece reference implementations

* Add Vec implementations of McEliece

* Add sse implementations

* Add AVX2 implementations

* Get rid of stuff not supported by Mac ABI

* restrict to two cores

* Ditch .data files

* Remove .hidden from all .S files

* speed up duplicate consistency tests by batching

* make cpuinfo more robust

* Hope to stabilize macos cpuinfo without ccache

* Revert "Hope to stabilize macos cpuinfo without ccache"

This reverts commit 6129c3cabe1abbc8b956bc87e902a698e32bf322.

* Just hardcode what's available at travis

* Fixed-size types in api.h

* namespace all header files in mceliece

* Ditch operations.h

* Get rid of static inline functions

* fixup! Ditch operations.h
2021-03-24 21:02:45 +00:00

84 lines
1.6 KiB
C

/*
This file is for the Berlekamp-Massey algorithm
see http://crypto.stanford.edu/~mironov/cs359/massey.pdf
*/
#include "bm.h"
#include "params.h"
#define min(a, b) (((a) < (b)) ? (a) : (b))
/* the Berlekamp-Massey algorithm */
/* input: s, sequence of field elements */
/* output: out, minimal polynomial of s */
void PQCLEAN_MCELIECE6960119_CLEAN_bm(gf *out, gf *s) {
int i;
uint16_t N = 0;
uint16_t L = 0;
uint16_t mle;
uint16_t mne;
gf T[ SYS_T + 1 ];
gf C[ SYS_T + 1 ];
gf B[ SYS_T + 1 ];
gf b = 1, d, f;
//
for (i = 0; i < SYS_T + 1; i++) {
C[i] = B[i] = 0;
}
B[1] = C[0] = 1;
//
for (N = 0; N < 2 * SYS_T; N++) {
d = 0;
for (i = 0; i <= min(N, SYS_T); i++) {
d ^= PQCLEAN_MCELIECE6960119_CLEAN_gf_mul(C[i], s[ N - i]);
}
mne = d;
mne -= 1;
mne >>= 15;
mne -= 1;
mle = N;
mle -= 2 * L;
mle >>= 15;
mle -= 1;
mle &= mne;
for (i = 0; i <= SYS_T; i++) {
T[i] = C[i];
}
f = PQCLEAN_MCELIECE6960119_CLEAN_gf_frac(b, d);
for (i = 0; i <= SYS_T; i++) {
C[i] ^= PQCLEAN_MCELIECE6960119_CLEAN_gf_mul(f, B[i]) & mne;
}
L = (L & ~mle) | ((N + 1 - L) & mle);
for (i = 0; i <= SYS_T; i++) {
B[i] = (B[i] & ~mle) | (T[i] & mle);
}
b = (b & ~mle) | (d & mle);
for (i = SYS_T; i >= 1; i--) {
B[i] = B[i - 1];
}
B[0] = 0;
}
for (i = 0; i <= SYS_T; i++) {
out[i] = C[ SYS_T - i ];
}
}