Merge remote-tracking branch 'refs/remotes/origin/master'

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/BENES.java

@@ -2,6 +2,9 @@
 
 abstract class BENES
 {
+    private static final long[] TRANSPOSE_MASKS = { 0x5555555555555555L, 0x3333333333333333L,
+        0x0F0F0F0F0F0F0F0FL, 0x00FF00FF00FF00FFL, 0x0000FFFF0000FFFFL, 0x00000000FFFFFFFFL };
+
     protected final int SYS_N;
     protected final int SYS_T;
     protected final int GFBITS;
@@ -17,77 +20,70 @@ public BENES(int n, int t, int m)
     /* output: out, transpose of in */
     static void transpose_64x64(long[] out, long[] in)
     {
-        int i, j, s, d;
-
-        long x, y;
-        long[][] masks = {
-                {0x5555555555555555L, 0xAAAAAAAAAAAAAAAAL},
-                {0x3333333333333333L, 0xCCCCCCCCCCCCCCCCL},
-                {0x0F0F0F0F0F0F0F0FL, 0xF0F0F0F0F0F0F0F0L},
-                {0x00FF00FF00FF00FFL, 0xFF00FF00FF00FF00L},
-                {0x0000FFFF0000FFFFL, 0xFFFF0000FFFF0000L},
-                {0x00000000FFFFFFFFL, 0xFFFFFFFF00000000L}
-        };
+        transpose_64x64(out, in, 0);
+    }
 
-        for (i = 0; i < 64; i++)
-            out[i] = in[i];
+    static void transpose_64x64(long[] out, long[] in, int offset)
+    {
+        System.arraycopy(in, offset, out, offset, 64);
 
-        for (d = 5; d >= 0; d--)
+        int d = 5;
+        do
         {
-            s = 1 << d;
-            for (i = 0; i < 64; i += s*2)
+            long m = TRANSPOSE_MASKS[d];
+            int s = 1 << d;
+            for (int i = offset; i < offset + 64; i += s * 2)
             {
-                for (j = i; j < i+s; j++)
+                for (int j = i; j < i + s; j += 4)
                 {
-                    x = (out[j] & masks[d][0]) | ((out[j+s] & masks[d][0]) << s);
-                    y = ((out[j] & masks[d][1]) >>> s) | (out[j+s] & masks[d][1]);
-
-                    out[j+0] = x;
-                    out[j+s] = y;
+//                    Bits.bitPermuteStep2(ref out[j + s + 0], ref out[j + 0], m, s);
+//                    Bits.bitPermuteStep2(ref out[j + s + 1], ref out[j + 1], m, s);
+//                    Bits.bitPermuteStep2(ref out[j + s + 2], ref out[j + 2], m, s);
+//                    Bits.bitPermuteStep2(ref out[j + s + 3], ref out[j + 3], m, s);
+                    long lo0 = out[j + 0];
+                    long lo1 = out[j + 1];
+                    long lo2 = out[j + 2];
+                    long lo3 = out[j + 3];
+                    long hi0 = out[j + s + 0];
+                    long hi1 = out[j + s + 1];
+                    long hi2 = out[j + s + 2];
+                    long hi3 = out[j + s + 3];
+                    long t0 = ((lo0 >>> s) ^ hi0) & m;
+                    long t1 = ((lo1 >>> s) ^ hi1) & m;
+                    long t2 = ((lo2 >>> s) ^ hi2) & m;
+                    long t3 = ((lo3 >>> s) ^ hi3) & m;
+                    out[j + 0] = lo0 ^ t0 << s;
+                    out[j + 1] = lo1 ^ t1 << s;
+                    out[j + 2] = lo2 ^ t2 << s;
+                    out[j + 3] = lo3 ^ t3 << s;
+                    out[j + s + 0] = hi0 ^ t0;
+                    out[j + s + 1] = hi1 ^ t1;
+                    out[j + s + 2] = hi2 ^ t2;
+                    out[j + s + 3] = hi3 ^ t3;
                 }
             }
         }
+        while (--d >= 2);
 
-    }
-
-    static void transpose_64x64(long[] out, long[] in, int offset)
-    {
-        int i, j, s, d;
-
-        long x, y;
-        long[][] masks = {
-                {0x5555555555555555L, 0xAAAAAAAAAAAAAAAAL},
-                {0x3333333333333333L, 0xCCCCCCCCCCCCCCCCL},
-                {0x0F0F0F0F0F0F0F0FL, 0xF0F0F0F0F0F0F0F0L},
-                {0x00FF00FF00FF00FFL, 0xFF00FF00FF00FF00L},
-                {0x0000FFFF0000FFFFL, 0xFFFF0000FFFF0000L},
-                {0x00000000FFFFFFFFL, 0xFFFFFFFF00000000L}
-        };
-
-        for (i = 0; i < 64; i++)
-            out[i + offset] = in[i + offset];
-
-        for (d = 5; d >= 0; d--)
+        do
         {
-            s = 1 << d;
-            for (i = 0; i < 64; i += s*2)
+            long m = TRANSPOSE_MASKS[d];
+            int s = 1 << d;
+            for (int i = offset; i < offset + 64; i += s * 2)
             {
-                for (j = i; j < i+s; j++)
+                for (int j = i; j < i + s; ++j)
                 {
-                    x = (out[j+offset] & masks[d][0]) | ((out[j+s + offset] & masks[d][0]) << s);
-                    y = ((out[j+offset] & masks[d][1]) >>> s) | (out[j+s + offset] & masks[d][1]);
-
-                    out[j+0 + offset] = x;
-                    out[j+s + offset] = y;
+//                    Bits.bitPermuteStep2(ref out[j + s], ref out[j], m, s);
+                    long lo = out[j + 0];
+                    long hi = out[j + s];
+                    long t = ((lo >>> s) ^ hi) & m;
+                    out[j + 0] = lo ^ t << s;
+                    out[j + s] = hi ^ t;
                 }
             }
         }
-
+        while (--d >= 0);
     }
 
-
     abstract protected void support_gen(short[] s, byte[] c);
-
-
-
 }

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/CMCEEngine.java

@@ -1532,13 +1532,21 @@ private int pk_gen(byte[] pk, byte[] sk, int[] perm, short[] pi, long[] pivots)
             if (usePadding)
             {
                 int pk_index = 0, tail = PK_NROWS % 8;
-                for (i = 0; i < PK_NROWS; i++)
+                if (tail == 0)
+                {
+                    System.arraycopy(mat[i], (PK_NROWS - 1) / 8, pk, pk_index, SYS_N / 8);
+                    pk_index += SYS_N / 8;
+                }
+                else
                 {
-                    for (j = (PK_NROWS - 1) / 8; j < SYS_N / 8 - 1; j++)
+                    for (i = 0; i < PK_NROWS; i++)
                     {
-                        pk[pk_index++] = (byte)(((mat[i][j] & 0xff) >>> tail) | (mat[i][j + 1] << (8 - tail)));
+                        for (j = (PK_NROWS - 1) / 8; j < SYS_N / 8 - 1; j++)
+                        {
+                            pk[pk_index++] = (byte)(((mat[i][j] & 0xff) >>> tail) | (mat[i][j + 1] << (8 - tail)));
+                        }
+                        pk[pk_index++] = (byte)((mat[i][j] & 0xff) >>> tail);
                     }
-                    pk[pk_index++] = (byte)((mat[i][j] & 0xff) >>> tail);
                 }
             }
             else

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/GF12.java

@@ -37,7 +37,8 @@ protected void gf_mul_poly(int length, int[] poly, short[] out, short[] left, sh
                 temp[i - length + poly[j]] ^= temp_i;
             }
             {
-                temp[i - length] ^= gf_mul_ext(gf_reduce(temp_i), (short)2);
+                // NOTE: Safe because gf_reduce allows up to 24 bits, but gf_mul_ext(_par) only produces 23.
+                temp[i - length] ^= temp_i << 1;
             }
         }
 
@@ -66,7 +67,8 @@ protected void gf_sqr_poly(int length, int[] poly, short[] out, short[] input, i
                 temp[i - length + poly[j]] ^= temp_i;
             }
             {
-                temp[i - length] ^= gf_mul_ext(gf_reduce(temp_i), (short)2);
+                // NOTE: Safe because gf_reduce allows up to 24 bits, but gf_sq_ext only produces 23.
+                temp[i - length] ^= temp_i << 1;
             }
         }