Crypto++ 8.9
Free C++ class library of cryptographic schemes
gf2n.cpp
1// gf2n.cpp - originally written and placed in the public domain by Wei Dai
2
3#include "pch.h"
4#include "config.h"
5
6#ifndef CRYPTOPP_IMPORTS
7
8#include "cryptlib.h"
9#include "algebra.h"
10#include "randpool.h"
11#include "filters.h"
12#include "smartptr.h"
13#include "words.h"
14#include "misc.h"
15#include "gf2n.h"
16#include "oids.h"
17#include "asn.h"
18#include "cpu.h"
19
20#include <iostream>
21
22ANONYMOUS_NAMESPACE_BEGIN
23
24using CryptoPP::PolynomialMod2;
25
26#if defined(HAVE_GCC_INIT_PRIORITY)
27 const PolynomialMod2 g_zero __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 60))) = PolynomialMod2();
28 const PolynomialMod2 g_one __attribute__ ((init_priority (CRYPTOPP_INIT_PRIORITY + 61))) = PolynomialMod2(1);
29#elif defined(HAVE_MSC_INIT_PRIORITY)
30 #pragma warning(disable: 4075)
31 #pragma init_seg(".CRT$XCU")
32 const PolynomialMod2 g_zero;
33 const PolynomialMod2 g_one(1);
34 #pragma warning(default: 4075)
35#elif defined(HAVE_XLC_INIT_PRIORITY)
36 #pragma priority(290)
37 const PolynomialMod2 g_zero;
38 const PolynomialMod2 g_one(1);
39#endif
40
41ANONYMOUS_NAMESPACE_END
42
43NAMESPACE_BEGIN(CryptoPP)
44
45#if (CRYPTOPP_CLMUL_AVAILABLE)
46extern CRYPTOPP_DLL void GF2NT_233_Multiply_Reduce_CLMUL(const word* pA, const word* pB, word* pC);
47extern CRYPTOPP_DLL void GF2NT_233_Square_Reduce_CLMUL(const word* pA, word* pC);
48#endif
49
50#if (CRYPTOPP_ARM_PMULL_AVAILABLE)
51extern void GF2NT_233_Multiply_Reduce_ARMv8(const word* pA, const word* pB, word* pC);
52extern void GF2NT_233_Square_Reduce_ARMv8(const word* pA, word* pC);
53#endif
54
55#if (CRYPTOPP_POWER8_VMULL_AVAILABLE) && 0
56extern void GF2NT_233_Multiply_Reduce_POWER8(const word* pA, const word* pB, word* pC);
57extern void GF2NT_233_Square_Reduce_POWER8(const word* pA, word* pC);
58#endif
59
61{
62}
63
64PolynomialMod2::PolynomialMod2(word value, size_t bitLength)
65 : reg(BitsToWords(bitLength))
66{
67 CRYPTOPP_ASSERT(value==0 || reg.size()>0);
68
69 if (reg.size() > 0)
70 {
71 reg[0] = value;
72 SetWords(reg+1, 0, reg.size()-1);
73 }
74}
75
77 : reg(t.reg.size())
78{
79 CopyWords(reg, t.reg, reg.size());
80}
81
82void PolynomialMod2::Randomize(RandomNumberGenerator &rng, size_t nbits)
83{
84 const size_t nbytes = nbits/8 + 1;
85 SecByteBlock buf(nbytes);
86 rng.GenerateBlock(buf, nbytes);
87 buf[0] = (byte)Crop(buf[0], nbits % 8);
88 Decode(buf, nbytes);
89}
90
92{
93 PolynomialMod2 result((word)0, bitLength);
94 SetWords(result.reg, ~(word(0)), result.reg.size());
95 if (bitLength%WORD_BITS)
96 result.reg[result.reg.size()-1] = (word)Crop(result.reg[result.reg.size()-1], bitLength%WORD_BITS);
97 return result;
98}
99
100void PolynomialMod2::SetBit(size_t n, int value)
101{
102 if (value)
103 {
104 reg.CleanGrow(n/WORD_BITS + 1);
105 reg[n/WORD_BITS] |= (word(1) << (n%WORD_BITS));
106 }
107 else
108 {
109 if (n/WORD_BITS < reg.size())
110 reg[n/WORD_BITS] &= ~(word(1) << (n%WORD_BITS));
111 }
112}
113
114byte PolynomialMod2::GetByte(size_t n) const
115{
116 if (n/WORD_SIZE >= reg.size())
117 return 0;
118 else
119 return byte(reg[n/WORD_SIZE] >> ((n%WORD_SIZE)*8));
120}
121
122void PolynomialMod2::SetByte(size_t n, byte value)
123{
124 reg.CleanGrow(BytesToWords(n+1));
125 reg[n/WORD_SIZE] &= ~(word(0xff) << 8*(n%WORD_SIZE));
126 reg[n/WORD_SIZE] |= (word(value) << 8*(n%WORD_SIZE));
127}
128
130{
131 PolynomialMod2 r((word)0, i+1);
132 r.SetBit(i);
133 return r;
134}
135
136PolynomialMod2 PolynomialMod2::Trinomial(size_t t0, size_t t1, size_t t2)
137{
138 // Asserts and checks due to Bing Shi
139 CRYPTOPP_ASSERT(t0 > t1);
140 CRYPTOPP_ASSERT(t1 > t2);
141
142 // The test is relaxed because of ECIES<EC2N>. The high order exponent is t0, but the other exponents are not in descending order.
143 if (t1 > t0 || t2 > t0)
144 throw InvalidArgument("PolynomialMod2: exponents must be in descending order");
145
146 PolynomialMod2 r((word)0, t0+1);
147 r.SetBit(t0);
148 r.SetBit(t1);
149 r.SetBit(t2);
150 return r;
151}
152
153PolynomialMod2 PolynomialMod2::Pentanomial(size_t t0, size_t t1, size_t t2, size_t t3, size_t t4)
154{
155 // Asserts and checks due to Bing Shi
156 CRYPTOPP_ASSERT(t0 > t1);
157 CRYPTOPP_ASSERT(t1 > t2);
158 CRYPTOPP_ASSERT(t2 > t3);
159 CRYPTOPP_ASSERT(t3 > t4);
160
161 // The test is relaxed because of ECIES<EC2N>. The high order exponent is t0, but the other exponents are not in descending order.
162 if (t1 > t0 || t2 > t0 || t3 > t0 || t4 > t0)
163 throw InvalidArgument("PolynomialMod2: exponents must be in descending order");
164
165 PolynomialMod2 r((word)0, t0+1);
166 r.SetBit(t0);
167 r.SetBit(t1);
168 r.SetBit(t2);
169 r.SetBit(t3);
170 r.SetBit(t4);
171 return r;
172}
173
174template <word i>
175struct NewPolynomialMod2
176{
177 PolynomialMod2 * operator()() const
178 {
179 return new PolynomialMod2(i);
180 }
181};
182
184{
185#if defined(HAVE_GCC_INIT_PRIORITY) || defined(HAVE_MSC_INIT_PRIORITY) || defined(HAVE_XLC_INIT_PRIORITY)
186 return g_zero;
187#elif defined(CRYPTOPP_CXX11_STATIC_INIT)
188 static const PolynomialMod2 g_zero;
189 return g_zero;
190#else
192#endif
193}
194
196{
197#if defined(HAVE_GCC_INIT_PRIORITY) || defined(HAVE_MSC_INIT_PRIORITY) || defined(HAVE_XLC_INIT_PRIORITY)
198 return g_one;
199#elif defined(CRYPTOPP_CXX11_STATIC_INIT)
200 static const PolynomialMod2 g_one(1);
201 return g_one;
202#else
204#endif
205}
206
207void PolynomialMod2::Decode(const byte *input, size_t inputLen)
208{
209 StringStore store(input, inputLen);
210 Decode(store, inputLen);
211}
212
213void PolynomialMod2::Encode(byte *output, size_t outputLen) const
214{
215 ArraySink sink(output, outputLen);
216 Encode(sink, outputLen);
217}
218
219void PolynomialMod2::Decode(BufferedTransformation &bt, size_t inputLen)
220{
221 CRYPTOPP_ASSERT(bt.MaxRetrievable() >= inputLen);
222 if (bt.MaxRetrievable() < inputLen)
223 throw InvalidArgument("PolynomialMod2: input length is too small");
224
225 reg.CleanNew(BytesToWords(inputLen));
226
227 for (size_t i=inputLen; i > 0; i--)
228 {
229 byte b;
230 (void)bt.Get(b);
231 reg[(i-1)/WORD_SIZE] |= word(b) << ((i-1)%WORD_SIZE)*8;
232 }
233}
234
235void PolynomialMod2::Encode(BufferedTransformation &bt, size_t outputLen) const
236{
237 for (size_t i=outputLen; i > 0; i--)
238 bt.Put(GetByte(i-1));
239}
240
242{
244 Encode(enc, length);
245 enc.MessageEnd();
246}
247
249{
251 if (!dec.IsDefiniteLength() || dec.RemainingLength() != length)
253 Decode(dec, length);
254 dec.MessageEnd();
255}
256
257unsigned int PolynomialMod2::WordCount() const
258{
259 return (unsigned int)CountWords(reg, reg.size());
260}
261
262unsigned int PolynomialMod2::ByteCount() const
263{
264 unsigned wordCount = WordCount();
265 if (wordCount)
266 return (wordCount-1)*WORD_SIZE + BytePrecision(reg[wordCount-1]);
267 else
268 return 0;
269}
270
271unsigned int PolynomialMod2::BitCount() const
272{
273 unsigned wordCount = WordCount();
274 if (wordCount)
275 return (wordCount-1)*WORD_BITS + BitPrecision(reg[wordCount-1]);
276 else
277 return 0;
278}
279
280unsigned int PolynomialMod2::Parity() const
281{
282 unsigned i;
283 word temp=0;
284 for (i=0; i<reg.size(); i++)
285 temp ^= reg[i];
286 return CryptoPP::Parity(temp);
287}
288
289PolynomialMod2& PolynomialMod2::operator=(const PolynomialMod2& t)
290{
291 reg.Assign(t.reg);
292 return *this;
293}
294
295PolynomialMod2& PolynomialMod2::operator^=(const PolynomialMod2& t)
296{
297 reg.CleanGrow(t.reg.size());
298 XorWords(reg, t.reg, t.reg.size());
299 return *this;
300}
301
302PolynomialMod2 PolynomialMod2::Xor(const PolynomialMod2 &b) const
303{
304 if (b.reg.size() >= reg.size())
305 {
306 PolynomialMod2 result((word)0, b.reg.size()*WORD_BITS);
307 XorWords(result.reg, reg, b.reg, reg.size());
308 CopyWords(result.reg+reg.size(), b.reg+reg.size(), b.reg.size()-reg.size());
309 return result;
310 }
311 else
312 {
313 PolynomialMod2 result((word)0, reg.size()*WORD_BITS);
314 XorWords(result.reg, reg, b.reg, b.reg.size());
315 CopyWords(result.reg+b.reg.size(), reg+b.reg.size(), reg.size()-b.reg.size());
316 return result;
317 }
318}
319
320PolynomialMod2 PolynomialMod2::And(const PolynomialMod2 &b) const
321{
322 PolynomialMod2 result((word)0, WORD_BITS*STDMIN(reg.size(), b.reg.size()));
323 AndWords(result.reg, reg, b.reg, result.reg.size());
324 return result;
325}
326
327PolynomialMod2 PolynomialMod2::Times(const PolynomialMod2 &b) const
328{
329 PolynomialMod2 result((word)0, BitCount() + b.BitCount());
330
331 for (int i=b.Degree(); i>=0; i--)
332 {
333 result <<= 1;
334 if (b[i])
335 XorWords(result.reg, reg, reg.size());
336 }
337 return result;
338}
339
340PolynomialMod2 PolynomialMod2::Squared() const
341{
342 static const word map[16] = {0, 1, 4, 5, 16, 17, 20, 21, 64, 65, 68, 69, 80, 81, 84, 85};
343
344 PolynomialMod2 result((word)0, 2*reg.size()*WORD_BITS);
345
346 for (unsigned i=0; i<reg.size(); i++)
347 {
348 unsigned j;
349
350 for (j=0; j<WORD_BITS; j+=8)
351 result.reg[2*i] |= map[(reg[i] >> (j/2)) % 16] << j;
352
353 for (j=0; j<WORD_BITS; j+=8)
354 result.reg[2*i+1] |= map[(reg[i] >> (j/2 + WORD_BITS/2)) % 16] << j;
355 }
356
357 return result;
358}
359
360void PolynomialMod2::Divide(PolynomialMod2 &remainder, PolynomialMod2 &quotient,
361 const PolynomialMod2 &dividend, const PolynomialMod2 &divisor)
362{
363 if (!divisor)
365
366 int degree = divisor.Degree();
367 remainder.reg.CleanNew(BitsToWords(degree+1));
368 if (dividend.BitCount() >= divisor.BitCount())
369 quotient.reg.CleanNew(BitsToWords(dividend.BitCount() - divisor.BitCount() + 1));
370 else
371 quotient.reg.CleanNew(0);
372
373 for (int i=dividend.Degree(); i>=0; i--)
374 {
375 remainder <<= 1;
376 remainder.reg[0] |= dividend[i];
377 if (remainder[degree])
378 {
379 remainder -= divisor;
380 quotient.SetBit(i);
381 }
382 }
383}
384
385PolynomialMod2 PolynomialMod2::DividedBy(const PolynomialMod2 &b) const
386{
387 PolynomialMod2 remainder, quotient;
388 PolynomialMod2::Divide(remainder, quotient, *this, b);
389 return quotient;
390}
391
392PolynomialMod2 PolynomialMod2::Modulo(const PolynomialMod2 &b) const
393{
394 PolynomialMod2 remainder, quotient;
395 PolynomialMod2::Divide(remainder, quotient, *this, b);
396 return remainder;
397}
398
399PolynomialMod2& PolynomialMod2::operator<<=(unsigned int n)
400{
401#if defined(CRYPTOPP_DEBUG)
402 int x=0; CRYPTOPP_UNUSED(x);
404#endif
405
406 if (!reg.size())
407 return *this;
408
409 int i;
410 word u;
411 word carry=0;
412 word *r=reg;
413
414 if (n==1) // special case code for most frequent case
415 {
416 i = (int)reg.size();
417 while (i--)
418 {
419 u = *r;
420 *r = (u << 1) | carry;
421 carry = u >> (WORD_BITS-1);
422 r++;
423 }
424
425 if (carry)
426 {
427 reg.Grow(reg.size()+1);
428 reg[reg.size()-1] = carry;
429 }
430
431 return *this;
432 }
433
434 const int shiftWords = n / WORD_BITS;
435 const int shiftBits = n % WORD_BITS;
436
437 if (shiftBits)
438 {
439 i = (int)reg.size();
440 while (i--)
441 {
442 u = *r;
443 *r = (u << shiftBits) | carry;
444 carry = u >> (WORD_BITS-shiftBits);
445 r++;
446 }
447 }
448
449 if (carry)
450 {
451 // Thanks to Apatryda, http://github.com/weidai11/cryptopp/issues/64
452 const size_t carryIndex = reg.size();
453 reg.Grow(reg.size()+shiftWords+!!shiftBits);
454 reg[carryIndex] = carry;
455 }
456 else
457 reg.Grow(reg.size()+shiftWords);
458
459 if (shiftWords)
460 {
461 for (i = (int)reg.size()-1; i>=shiftWords; i--)
462 reg[i] = reg[i-shiftWords];
463 for (; i>=0; i--)
464 reg[i] = 0;
465 }
466
467 return *this;
468}
469
470PolynomialMod2& PolynomialMod2::operator>>=(unsigned int n)
471{
472 if (!reg.size())
473 return *this;
474
475 int shiftWords = n / WORD_BITS;
476 int shiftBits = n % WORD_BITS;
477
478 size_t i;
479 word u;
480 word carry=0;
481 word *r=reg+reg.size()-1;
482
483 if (shiftBits)
484 {
485 i = reg.size();
486 while (i--)
487 {
488 u = *r;
489 *r = (u >> shiftBits) | carry;
490 carry = u << (WORD_BITS-shiftBits);
491 r--;
492 }
493 }
494
495 if (shiftWords)
496 {
497 for (i=0; i<reg.size()-shiftWords; i++)
498 reg[i] = reg[i+shiftWords];
499 for (; i<reg.size(); i++)
500 reg[i] = 0;
501 }
502
503 return *this;
504}
505
506PolynomialMod2 PolynomialMod2::operator<<(unsigned int n) const
507{
508 PolynomialMod2 result(*this);
509 return result<<=n;
510}
511
512PolynomialMod2 PolynomialMod2::operator>>(unsigned int n) const
513{
514 PolynomialMod2 result(*this);
515 return result>>=n;
516}
517
518bool PolynomialMod2::operator!() const
519{
520 for (unsigned i=0; i<reg.size(); i++)
521 if (reg[i]) return false;
522 return true;
523}
524
525bool PolynomialMod2::Equals(const PolynomialMod2 &rhs) const
526{
527 size_t i, smallerSize = STDMIN(reg.size(), rhs.reg.size());
528
529 for (i=0; i<smallerSize; i++)
530 if (reg[i] != rhs.reg[i]) return false;
531
532 for (i=smallerSize; i<reg.size(); i++)
533 if (reg[i] != 0) return false;
534
535 for (i=smallerSize; i<rhs.reg.size(); i++)
536 if (rhs.reg[i] != 0) return false;
537
538 return true;
539}
540
541std::ostream& operator<<(std::ostream& out, const PolynomialMod2 &a)
542{
543 // Get relevant conversion specifications from ostream.
544 long f = out.flags() & std::ios::basefield; // Get base digits.
545 int bits, block;
546 char suffix;
547 switch(f)
548 {
549 case std::ios::oct :
550 bits = 3;
551 block = 4;
552 suffix = 'o';
553 break;
554 case std::ios::hex :
555 bits = 4;
556 block = 2;
557 suffix = 'h';
558 break;
559 default :
560 bits = 1;
561 block = 8;
562 suffix = 'b';
563 }
564
565 if (!a)
566 return out << '0' << suffix;
567
568 SecBlock<char> s(a.BitCount()/bits+1);
569 unsigned i;
570
571 static const char upper[]="0123456789ABCDEF";
572 static const char lower[]="0123456789abcdef";
573 const char* const vec = (out.flags() & std::ios::uppercase) ? upper : lower;
574
575 for (i=0; i*bits < a.BitCount(); i++)
576 {
577 int digit=0;
578 for (int j=0; j<bits; j++)
579 digit |= a[i*bits+j] << j;
580 s[i]=vec[digit];
581 }
582
583 while (i--)
584 {
585 out << s[i];
586 if (i && (i%block)==0)
587 out << ',';
588 }
589
590 return out << suffix;
591}
592
594{
596}
597
599{
601 return QuotientRing<Domain>(Domain(), modulus).MultiplicativeInverse(*this);
602}
603
605{
606 signed int d = Degree();
607 if (d <= 0)
608 return false;
609
610 PolynomialMod2 t(2), u(t);
611 for (int i=1; i<=d/2; i++)
612 {
613 u = u.Squared()%(*this);
614 if (!Gcd(u+t, *this).IsUnit())
615 return false;
616 }
617 return true;
618}
619
620// ********************************************************
621
622GF2NP::GF2NP(const PolynomialMod2 &modulus)
624{
625}
626
627GF2NP::Element GF2NP::SquareRoot(const Element &a) const
628{
629 Element r = a;
630 for (unsigned int i=1; i<m; i++)
631 r = Square(r);
632 return r;
633}
634
635GF2NP::Element GF2NP::HalfTrace(const Element &a) const
636{
637 CRYPTOPP_ASSERT(m%2 == 1);
638 Element h = a;
639 for (unsigned int i=1; i<=(m-1)/2; i++)
640 h = Add(Square(Square(h)), a);
641 return h;
642}
643
644GF2NP::Element GF2NP::SolveQuadraticEquation(const Element &a) const
645{
646 if (m%2 == 0)
647 {
648 Element z, w;
649 RandomPool rng;
650 do
651 {
652 Element p((RandomNumberGenerator &)rng, m);
654 w = p;
655 for (unsigned int i=1; i<=m-1; i++)
656 {
657 w = Square(w);
658 z = Square(z);
659 Accumulate(z, Multiply(w, a));
660 Accumulate(w, p);
661 }
662 } while (w.IsZero());
663 return z;
664 }
665 else
666 return HalfTrace(a);
667}
668
669// ********************************************************
670
671GF2NT::GF2NT(unsigned int c0, unsigned int c1, unsigned int c2)
672 : GF2NP(PolynomialMod2::Trinomial(c0, c1, c2))
673 , t0(c0), t1(c1)
674 , result((word)0, m)
675{
676 // Asserts and checks due to Bing Shi
677 CRYPTOPP_ASSERT(c0 > c1 && c1 > c2 && c2==0);
678
679 // The test is relaxed because of ECIES<EC2N>. The high order exponent is t0, but the other exponents are not in descending order.
680 if (c1 > c0 || c2 > c0)
681 throw InvalidArgument("GF2NT: exponents must be in descending order");
682}
683
684const GF2NT::Element& GF2NT::MultiplicativeInverse(const Element &a) const
685{
686 if (t0-t1 < WORD_BITS)
688
689 SecWordBlock T(m_modulus.reg.size() * 4);
690 word *b = T;
691 word *c = T+m_modulus.reg.size();
692 word *f = T+2*m_modulus.reg.size();
693 word *g = T+3*m_modulus.reg.size();
694 size_t bcLen=1, fgLen=m_modulus.reg.size();
695 unsigned int k=0;
696
697 SetWords(T, 0, 3*m_modulus.reg.size());
698 b[0]=1;
699 CRYPTOPP_ASSERT(a.reg.size() <= m_modulus.reg.size());
700 CopyWords(f, a.reg, a.reg.size());
701 CopyWords(g, m_modulus.reg, m_modulus.reg.size());
702
703 while (1)
704 {
705 word t=f[0];
706 while (!t)
707 {
708 ShiftWordsRightByWords(f, fgLen, 1);
709 if (c[bcLen-1])
710 bcLen++;
711 CRYPTOPP_ASSERT(bcLen <= m_modulus.reg.size());
712 ShiftWordsLeftByWords(c, bcLen, 1);
713 k+=WORD_BITS;
714 t=f[0];
715 }
716
717 unsigned int i=0;
718 while (t%2 == 0)
719 {
720 t>>=1;
721 i++;
722 }
723 k+=i;
724
725 if (t==1 && CountWords(f, fgLen)==1)
726 break;
727
728 if (i==1)
729 {
730 ShiftWordsRightByBits(f, fgLen, 1);
731 t=ShiftWordsLeftByBits(c, bcLen, 1);
732 }
733 else
734 {
735 ShiftWordsRightByBits(f, fgLen, i);
736 t=ShiftWordsLeftByBits(c, bcLen, i);
737 }
738 if (t)
739 {
740 c[bcLen] = t;
741 bcLen++;
742 CRYPTOPP_ASSERT(bcLen <= m_modulus.reg.size());
743 }
744
745 if (f[fgLen-1]==0 && g[fgLen-1]==0)
746 fgLen--;
747
748 if (f[fgLen-1] < g[fgLen-1])
749 {
750 std::swap(f, g);
751 std::swap(b, c);
752 }
753
754 XorWords(f, g, fgLen);
755 XorWords(b, c, bcLen);
756 }
757
758 while (k >= WORD_BITS)
759 {
760 word temp = b[0];
761 // right shift b
762 for (unsigned i=0; i+1<BitsToWords(m); i++)
763 b[i] = b[i+1];
764 b[BitsToWords(m)-1] = 0;
765
766 if (t1 < WORD_BITS)
767 for (unsigned int j=0; j<WORD_BITS-t1; j++)
768 {
769 // Coverity finding on shift amount of 'word x << (t1+j)'.
770 // temp ^= ((temp >> j) & 1) << (t1 + j);
771 const unsigned int shift = t1 + j;
772 CRYPTOPP_ASSERT(shift < WORD_BITS);
773 temp ^= (shift < WORD_BITS) ? (((temp >> j) & 1) << shift) : 0;
774 }
775 else
776 b[t1/WORD_BITS-1] ^= temp << t1%WORD_BITS;
777
778 if (t1 % WORD_BITS)
779 b[t1/WORD_BITS] ^= temp >> (WORD_BITS - t1%WORD_BITS);
780
781 if (t0%WORD_BITS)
782 {
783 b[t0/WORD_BITS-1] ^= temp << t0%WORD_BITS;
784 b[t0/WORD_BITS] ^= temp >> (WORD_BITS - t0%WORD_BITS);
785 }
786 else
787 b[t0/WORD_BITS-1] ^= temp;
788
789 k -= WORD_BITS;
790 }
791
792 if (k)
793 {
794 word temp = b[0] << (WORD_BITS - k);
796
797 if (t1 < WORD_BITS)
798 {
799 for (unsigned int j=0; j<WORD_BITS-t1; j++)
800 {
801 // Coverity finding on shift amount of 'word x << (t1+j)'.
802 // temp ^= ((temp >> j) & 1) << (t1 + j);
803 const unsigned int shift = t1 + j;
804 CRYPTOPP_ASSERT(shift < WORD_BITS);
805 temp ^= (shift < WORD_BITS) ? (((temp >> j) & 1) << shift) : 0;
806 }
807 }
808 else
809 {
810 b[t1/WORD_BITS-1] ^= temp << t1%WORD_BITS;
811 }
812
813 if (t1 % WORD_BITS)
814 b[t1/WORD_BITS] ^= temp >> (WORD_BITS - t1%WORD_BITS);
815
816 if (t0%WORD_BITS)
817 {
818 b[t0/WORD_BITS-1] ^= temp << t0%WORD_BITS;
819 b[t0/WORD_BITS] ^= temp >> (WORD_BITS - t0%WORD_BITS);
820 }
821 else
822 b[t0/WORD_BITS-1] ^= temp;
823 }
824
825 CopyWords(result.reg.begin(), b, result.reg.size());
826 return result;
827}
828
829const GF2NT::Element& GF2NT::Multiply(const Element &a, const Element &b) const
830{
831 size_t aSize = STDMIN(a.reg.size(), result.reg.size());
832 Element r((word)0, m);
833
834 for (int i=m-1; i>=0; i--)
835 {
836 if (r[m-1])
837 {
838 ShiftWordsLeftByBits(r.reg.begin(), r.reg.size(), 1);
839 XorWords(r.reg.begin(), m_modulus.reg, r.reg.size());
840 }
841 else
842 ShiftWordsLeftByBits(r.reg.begin(), r.reg.size(), 1);
843
844 if (b[i])
845 XorWords(r.reg.begin(), a.reg, aSize);
846 }
847
848 if (m%WORD_BITS)
849 r.reg.begin()[r.reg.size()-1] = (word)Crop(r.reg[r.reg.size()-1], m%WORD_BITS);
850
851 CopyWords(result.reg.begin(), r.reg.begin(), result.reg.size());
852 return result;
853}
854
855const GF2NT::Element& GF2NT::Reduced(const Element &a) const
856{
857 if (t0-t1 < WORD_BITS)
858 return m_domain.Mod(a, m_modulus);
859
860 SecWordBlock b(a.reg);
861
862 size_t i;
863 for (i=b.size()-1; i>=BitsToWords(t0); i--)
864 {
865 word temp = b[i];
866
867 if (t0%WORD_BITS)
868 {
869 b[i-t0/WORD_BITS] ^= temp >> t0%WORD_BITS;
870 b[i-t0/WORD_BITS-1] ^= temp << (WORD_BITS - t0%WORD_BITS);
871 }
872 else
873 b[i-t0/WORD_BITS] ^= temp;
874
875 if ((t0-t1)%WORD_BITS)
876 {
877 b[i-(t0-t1)/WORD_BITS] ^= temp >> (t0-t1)%WORD_BITS;
878 b[i-(t0-t1)/WORD_BITS-1] ^= temp << (WORD_BITS - (t0-t1)%WORD_BITS);
879 }
880 else
881 b[i-(t0-t1)/WORD_BITS] ^= temp;
882 }
883
884 if (i==BitsToWords(t0)-1 && t0%WORD_BITS)
885 {
886 word mask = ((word)1<<(t0%WORD_BITS))-1;
887 word temp = b[i] & ~mask;
888 b[i] &= mask;
889
890 b[i-t0/WORD_BITS] ^= temp >> t0%WORD_BITS;
891
892 if ((t0-t1)%WORD_BITS)
893 {
894 b[i-(t0-t1)/WORD_BITS] ^= temp >> (t0-t1)%WORD_BITS;
895 if ((t0-t1)%WORD_BITS > t0%WORD_BITS)
896 b[i-(t0-t1)/WORD_BITS-1] ^= temp << (WORD_BITS - (t0-t1)%WORD_BITS);
897 else
898 CRYPTOPP_ASSERT(temp << (WORD_BITS - (t0-t1)%WORD_BITS) == 0);
899 }
900 else
901 b[i-(t0-t1)/WORD_BITS] ^= temp;
902 }
903
904 SetWords(result.reg.begin(), 0, result.reg.size());
905 CopyWords(result.reg.begin(), b, STDMIN(b.size(), result.reg.size()));
906 return result;
907}
908
909void GF2NP::DEREncodeElement(BufferedTransformation &out, const Element &a) const
910{
911 a.DEREncodeAsOctetString(out, MaxElementByteLength());
912}
913
914void GF2NP::BERDecodeElement(BufferedTransformation &in, Element &a) const
915{
916 a.BERDecodeAsOctetString(in, MaxElementByteLength());
917}
918
919void GF2NT::DEREncode(BufferedTransformation &bt) const
920{
921 DERSequenceEncoder seq(bt);
922 ASN1::characteristic_two_field().DEREncode(seq);
923 DERSequenceEncoder parameters(seq);
924 DEREncodeUnsigned(parameters, m);
925 ASN1::tpBasis().DEREncode(parameters);
926 DEREncodeUnsigned(parameters, t1);
927 parameters.MessageEnd();
928 seq.MessageEnd();
929}
930
931void GF2NPP::DEREncode(BufferedTransformation &bt) const
932{
933 DERSequenceEncoder seq(bt);
934 ASN1::characteristic_two_field().DEREncode(seq);
935 DERSequenceEncoder parameters(seq);
936 DEREncodeUnsigned(parameters, m);
937 ASN1::ppBasis().DEREncode(parameters);
938 DERSequenceEncoder pentanomial(parameters);
939 DEREncodeUnsigned(pentanomial, t3);
940 DEREncodeUnsigned(pentanomial, t2);
941 DEREncodeUnsigned(pentanomial, t1);
942 pentanomial.MessageEnd();
943 parameters.MessageEnd();
944 seq.MessageEnd();
945}
946
947GF2NP * BERDecodeGF2NP(BufferedTransformation &bt)
948{
949 member_ptr<GF2NP> result;
950
951 BERSequenceDecoder seq(bt);
952 if (OID(seq) != ASN1::characteristic_two_field())
954 BERSequenceDecoder parameters(seq);
955 unsigned int m;
956 BERDecodeUnsigned(parameters, m);
957 OID oid(parameters);
958 if (oid == ASN1::tpBasis())
959 {
960 unsigned int t1;
961 BERDecodeUnsigned(parameters, t1);
962 result.reset(new GF2NT(m, t1, 0));
963 }
964 else if (oid == ASN1::ppBasis())
965 {
966 unsigned int t1, t2, t3;
967 BERSequenceDecoder pentanomial(parameters);
968 BERDecodeUnsigned(pentanomial, t3);
969 BERDecodeUnsigned(pentanomial, t2);
970 BERDecodeUnsigned(pentanomial, t1);
971 pentanomial.MessageEnd();
972 result.reset(new GF2NPP(m, t3, t2, t1, 0));
973 }
974 else
975 {
977 return NULLPTR;
978 }
979 parameters.MessageEnd();
980 seq.MessageEnd();
981
982 return result.release();
983}
984
985// ********************************************************
986
987GF2NT233::GF2NT233(unsigned int c0, unsigned int c1, unsigned int c2)
988 : GF2NT(c0, c1, c2)
989{
990 // Asserts and checks due to Bing Shi
991 CRYPTOPP_ASSERT(c0 > c1 && c1 > c2 && c2==0);
992
993 // The test is relaxed because of ECIES<EC2N>. The high order exponent is t0, but the other exponents are not in descending order.
994 if (c1 > c0 || c2 > c0)
995 throw InvalidArgument("GF2NT233: exponents must be in descending order");
996}
997
998const GF2NT::Element& GF2NT233::Multiply(const Element &a, const Element &b) const
999{
1000#if (CRYPTOPP_CLMUL_AVAILABLE)
1001 if (HasCLMUL())
1002 {
1003 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1004 CRYPTOPP_ASSERT(b.reg.size()*WORD_BITS == 256);
1005 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1006
1007 const word* pA = a.reg.begin();
1008 const word* pB = b.reg.begin();
1009 word* pR = result.reg.begin();
1010
1011 GF2NT_233_Multiply_Reduce_CLMUL(pA, pB, pR);
1012 return result;
1013 }
1014 else
1015#elif (CRYPTOPP_ARM_PMULL_AVAILABLE)
1016 if (HasPMULL())
1017 {
1018 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1019 CRYPTOPP_ASSERT(b.reg.size()*WORD_BITS == 256);
1020 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1021
1022 const word* pA = a.reg.begin();
1023 const word* pB = b.reg.begin();
1024 word* pR = result.reg.begin();
1025
1026 GF2NT_233_Multiply_Reduce_ARMv8(pA, pB, pR);
1027 return result;
1028 }
1029 else
1030#elif (CRYPTOPP_POWER8_VMULL_AVAILABLE) && 0
1031 if (HasPMULL())
1032 {
1033 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1034 CRYPTOPP_ASSERT(b.reg.size()*WORD_BITS == 256);
1035 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1036
1037 const word* pA = a.reg.begin();
1038 const word* pB = b.reg.begin();
1039 word* pR = result.reg.begin();
1040
1041 GF2NT_233_Multiply_Reduce_POWER8(pA, pB, pR);
1042 return result;
1043 }
1044 else
1045#endif
1046
1047 return GF2NT::Multiply(a, b);
1048}
1049
1050const GF2NT::Element& GF2NT233::Square(const Element &a) const
1051{
1052#if (CRYPTOPP_CLMUL_AVAILABLE)
1053 if (HasCLMUL())
1054 {
1055 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1056 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1057
1058 const word* pA = a.reg.begin();
1059 word* pR = result.reg.begin();
1060
1061 GF2NT_233_Square_Reduce_CLMUL(pA, pR);
1062 return result;
1063 }
1064 else
1065#elif (CRYPTOPP_ARM_PMULL_AVAILABLE)
1066 if (HasPMULL())
1067 {
1068 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1069 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1070
1071 const word* pA = a.reg.begin();
1072 word* pR = result.reg.begin();
1073
1074 GF2NT_233_Square_Reduce_ARMv8(pA, pR);
1075 return result;
1076 }
1077 else
1078#elif (CRYPTOPP_POWER8_VMULL_AVAILABLE) && 0
1079 if (HasPMULL())
1080 {
1081 CRYPTOPP_ASSERT(a.reg.size()*WORD_BITS == 256);
1082 CRYPTOPP_ASSERT(result.reg.size()*WORD_BITS == 256);
1083
1084 const word* pA = a.reg.begin();
1085 word* pR = result.reg.begin();
1086
1087 GF2NT_233_Square_Reduce_POWER8(pA, pR);
1088 return result;
1089 }
1090 else
1091#endif
1092
1093 return GF2NT::Square(a);
1094}
1095
1096NAMESPACE_END
1097
1098#endif
Classes for performing mathematics over different fields.
Classes and functions for working with ANS.1 objects.
std::ostream & operator<<(std::ostream &out, const OID &oid)
Print a OID value.
void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag=INTEGER, T minValue=0, T maxValue=T(0xffffffff))
BER Decode unsigned value.
Definition asn.h:857
size_t DEREncodeUnsigned(BufferedTransformation &out, T w, byte asnTag=INTEGER)
DER Encode unsigned value.
Definition asn.h:821
@ OCTET_STRING
ASN.1 Octet string.
Definition asn.h:38
void BERDecodeError()
Raises a BERDecodeErr.
Definition asn.h:104
virtual const Element & Gcd(const Element &a, const Element &b) const
Calculates the greatest common denominator in the ring.
Definition algebra.cpp:56
virtual const Element & MultiplicativeInverse(const Element &a) const=0
Calculate the multiplicative inverse of an element in the group.
Copy input to a memory buffer.
Definition filters.h:1200
BER General Decoder.
Definition asn.h:381
BER Sequence Decoder.
Definition asn.h:526
Interface for buffered transformations.
Definition cryptlib.h:1657
virtual size_t Get(byte &outByte)
Retrieve a 8-bit byte.
size_t Put(byte inByte, bool blocking=true)
Input a byte for processing.
Definition cryptlib.h:1678
virtual lword MaxRetrievable() const
Provides the number of bytes ready for retrieval.
DER General Encoder.
Definition asn.h:492
DER Sequence Encoder.
Definition asn.h:558
Euclidean domain.
Definition algebra.h:316
GF(2^n) with Polynomial Basis.
Definition gf2n.h:299
GF(2^n) with Pentanomial Basis.
Definition gf2n.h:375
GF(2^n) with Trinomial Basis.
Definition gf2n.h:335
An invalid argument was detected.
Definition cryptlib.h:208
Object Identifier.
Definition asn.h:265
Exception thrown when divide by zero is encountered.
Definition gf2n.h:33
Polynomial with Coefficients in GF(2)
Definition gf2n.h:27
void DEREncodeAsOctetString(BufferedTransformation &bt, size_t length) const
encode value as big-endian octet string
void Encode(byte *output, size_t outputLen) const
encode in big-endian format
static PolynomialMod2 Monomial(size_t i)
Provides x^i.
signed int Degree() const
the zero polynomial will return a degree of -1
Definition gf2n.h:130
static const PolynomialMod2 & One()
The One polinomial.
bool IsIrreducible() const
check for irreducibility
static PolynomialMod2 Pentanomial(size_t t0, size_t t1, size_t t2, size_t t3, size_t t4)
Provides x^t0 + x^t1 + x^t2 + x^t3 + x^t4.
bool IsUnit() const
only 1 is a unit
Definition gf2n.h:230
void BERDecodeAsOctetString(BufferedTransformation &bt, size_t length)
decode value as big-endian octet string
byte GetByte(size_t n) const
return the n-th byte
unsigned int BitCount() const
number of significant bits = Degree() + 1
unsigned int WordCount() const
number of significant words = ceiling(ByteCount()/sizeof(word))
static PolynomialMod2 AllOnes(size_t n)
Provides x^(n-1) + ... + x + 1.
static PolynomialMod2 Trinomial(size_t t0, size_t t1, size_t t2)
Provides x^t0 + x^t1 + x^t2.
PolynomialMod2 InverseMod(const PolynomialMod2 &) const
calculate multiplicative inverse of *this mod n
unsigned int Parity() const
sum modulo 2 of all coefficients
PolynomialMod2()
Construct the zero polynomial.
static const PolynomialMod2 & Zero()
The Zero polinomial.
unsigned int ByteCount() const
number of significant bytes = ceiling(BitCount()/8)
static void Divide(PolynomialMod2 &r, PolynomialMod2 &q, const PolynomialMod2 &a, const PolynomialMod2 &d)
calculate r and q such that (a == d*q + r) && (deg(r) < deg(d))
static PolynomialMod2 Gcd(const PolynomialMod2 &a, const PolynomialMod2 &n)
greatest common divisor
void SetByte(size_t n, byte value)
set the n-th byte to value
Quotient ring.
Definition algebra.h:387
Interface for random number generators.
Definition cryptlib.h:1440
virtual void GenerateBlock(byte *output, size_t size)
Generate random array of bytes.
Randomness Pool based on AES-256.
Definition randpool.h:44
Secure memory block with allocator and cleanup.
Definition secblock.h:731
iterator begin()
Provides an iterator pointing to the first element in the memory block.
Definition secblock.h:836
void CleanNew(size_type newSize)
Change size without preserving contents.
Definition secblock.h:1143
void CleanGrow(size_type newSize)
Change size and preserve contents.
Definition secblock.h:1179
void Grow(size_type newSize)
Change size and preserve contents.
Definition secblock.h:1160
void Assign(const T *ptr, size_type len)
Set contents and size from an array.
Definition secblock.h:898
size_type size() const
Provides the count of elements in the SecBlock.
Definition secblock.h:867
SecBlock typedef.
Definition secblock.h:1226
SecBlock typedef.
Definition secblock.h:1228
Restricts the instantiation of a class to one static object without locks.
Definition misc.h:309
const T & Ref(...) const
Return a reference to the inner Singleton object.
Definition misc.h:329
Square block cipher.
Definition square.h:25
String-based implementation of Store interface.
Definition filters.h:1259
Pointer that overloads operator ->
Definition smartptr.h:38
Library configuration file.
unsigned char byte
8-bit unsigned datatype
Definition config_int.h:66
word64 word
Full word used for multiprecision integer arithmetic.
Definition config_int.h:192
const unsigned int WORD_BITS
Size of a platform word in bits.
Definition config_int.h:260
const unsigned int WORD_SIZE
Size of a platform word in bytes.
Definition config_int.h:255
Functions for CPU features and intrinsics.
Abstract base classes that provide a uniform interface to this library.
Implementation of BufferedTransformation's attachment interface.
Classes and functions for schemes over GF(2^n)
Utility functions for the Crypto++ library.
unsigned int BitPrecision(const T &value)
Returns the number of bits required for a value.
Definition misc.h:1047
unsigned int BytePrecision(const T &value)
Returns the number of 8-bit bytes or octets required for a value.
Definition misc.h:1024
size_t BitsToWords(size_t bitCount)
Returns the number of words required for the specified number of bits.
Definition misc.h:1163
T Crop(T value, size_t bits)
Truncates the value to the specified number of bits.
Definition misc.h:1131
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition misc.h:657
size_t BytesToWords(size_t byteCount)
Returns the number of words required for the specified number of bytes.
Definition misc.h:1153
bool SafeConvert(T1 from, T2 &to)
Perform a conversion from from to to.
Definition misc.h:718
Crypto++ library namespace.
ASN.1 object identifiers for algorithms and schemes.
Precompiled header file.
Class file for Randomness Pool.
Classes for automatic resource management.
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition trap.h:68
Support functions for word operations.
void ShiftWordsRightByWords(word *r, size_t n, size_t shiftWords)
Right shift word array.
Definition words.h:212
void XorWords(word *r, const word *a, const word *b, size_t n)
XOR word arrays.
Definition words.h:66
void SetWords(word *r, word a, size_t n)
Set the value of words.
Definition words.h:35
word ShiftWordsLeftByBits(word *r, size_t n, unsigned int shiftBits)
Left shift word array.
Definition words.h:149
void ShiftWordsLeftByWords(word *r, size_t n, size_t shiftWords)
Left shift word array.
Definition words.h:194
size_t CountWords(const word *x, size_t n)
Count the number of words.
Definition words.h:21
word ShiftWordsRightByBits(word *r, size_t n, unsigned int shiftBits)
Right shift word array.
Definition words.h:172
void CopyWords(word *r, const word *a, size_t n)
Copy word array.
Definition words.h:48
void AndWords(word *r, const word *a, const word *b, size_t n)
AND word arrays.
Definition words.h:93