-rw-r--r-- 2833 libmceliece-20240812/crypto_kem/348864/avx/sk_gen.c raw
/*
This file is for secret-key generation
*/
// 20240805 djb: more use of cryptoint
// 20240508 djb: switch to vec_mul_gf_using_64
// 20221230 djb: add linker lines
// linker define genpoly_gen
// linker use gf_mul gf_inv
// linker use vec_GF_mul
// linker use vec_mul_asm
// linker use transpose_64x64_asm
#include "sk_gen.h"
#include "randombytes.h"
#include "controlbits.h"
#include "transpose.h"
#include "params.h"
#include "util.h"
#include "vec.h"
#include "gf.h"
#include "crypto_declassify.h"
#include "crypto_uint16.h"
#include "crypto_int64.h"
static inline crypto_uint16 gf_is_zero_declassify(gf t)
{
crypto_uint16 mask = crypto_uint16_zero_mask(t);
crypto_declassify(&mask,sizeof mask);
return mask;
}
/* input: v, a list of GF(2^m) elements in bitsliced form */
/* input: idx, an index */
/* return: the idx-th element in v */
static inline gf extract_gf(vec v[GFBITS], int idx)
{
int i;
gf ret;
ret = 0;
for (i = GFBITS-1; i >= 0; i--)
{
ret <<= 1;
ret |= crypto_int64_bitmod_01(v[i], idx);
}
return ret;
}
/* same as extract_gf but reduces return value to 1 bit */
static inline vec extract_bit(vec v[GFBITS], int idx)
{
int i;
vec ret;
ret = 0;
for (i = GFBITS-1; i >= 0; i--)
ret |= v[i];
return crypto_int64_bitmod_01(ret, idx);
}
/* input: f, element in GF((2^m)^t) */
/* output: out, minimal polynomial of f */
/* return: 0 for success and -1 for failure */
int genpoly_gen(gf *out, gf *f)
{
int i, j, k;
gf t, inv;
vec v[ GFBITS ], buf[ GFBITS ][ 64 ], mat[ 64 ][ GFBITS ], mask;
// fill matrix
buf[0][0] = 1;
for (i = 1; i < GFBITS; i++)
buf[i][0] = 0;
for (j = 0; j < GFBITS; j++)
for (i = SYS_T-1; i >= 0; i--)
{
v[j] <<= 1;
v[j] |= crypto_int64_bitmod_01(f[i], j);
}
for (i = 0; i < GFBITS; i++)
buf[i][1] = v[i];
for (k = 2; k <= SYS_T; k++)
{
vec_GF_mul(v, v, f);
if (k < SYS_T)
{
for (i = 0; i < GFBITS; i++)
buf[i][k] = v[i];
}
else
{
for (i = 0; i < SYS_T; i++)
out[i] = extract_gf(v, i);
}
}
for (i = 0; i < GFBITS; i++)
transpose_64x64(buf[i]);
for (j = 0; j < SYS_T; j++)
for (i = 0; i < GFBITS; i++)
mat[j][i] = buf[i][j];
// gaussian
for (i = 0; i < SYS_T; i++)
{
for (j = i+1; j < SYS_T; j++)
{
mask = extract_bit(mat[i], i);
mask -= 1;
for (k = 0; k < GFBITS; k++)
mat[i][k] ^= mat[j][k] & mask;
out[i] ^= out[j] & mask;
}
//
t = extract_gf(mat[i], i);
if (gf_is_zero_declassify(t)) return -1; // return if not systematic
//
inv = gf_inv(t);
vec_mul_gf_using_64(mat[i], mat[i], inv);
out[i] = gf_mul(out[i], inv);
for (j = 0; j < SYS_T; j++)
{
if (j != i)
{
t = extract_gf(mat[j], i);
vec_mul_gf_using_64(v, mat[i], t);
vec_add(mat[j], mat[j], v);
out[j] ^= gf_mul(out[i], t);
}
}
}
return 0;
}