Refactoring in pqc.crypto

Author: peterdettman

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/GF.java

@@ -11,11 +11,6 @@ final short gf_iszero(short a)
         return (short)((a - 1) >> 31);
     }
 
-//    final short gf_add(short left, short right)
-//    {
-//        return (short)(left ^ right);
-//    }
-
     abstract protected void gf_mul_poly(int length, int[] poly, short[] out, short[] left, short[] right, int[] temp);
     abstract protected void gf_sqr_poly(int length, int[] poly, short[] out, short[] input, int[] temp);
 

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/GF12.java

@@ -22,10 +22,7 @@ protected void gf_mul_poly(int length, int[] poly, short[] out, short[] left, sh
 
             for (int j = 0; j < i; j++)
             {
-                int t = temp[i + j];
-                t ^= gf_mul_ext(left_i, right[j]);
-                t ^= gf_mul_ext(left[j], right_i);
-                temp[i + j] = t;
+                temp[i + j] ^= gf_mul_ext_par(left_i, right[j], left[j], right_i);
             }
 
             temp[i + i] = gf_mul_ext(left_i, right_i);
@@ -130,8 +127,7 @@ protected short gf_mul(short left, short right)
 
     protected int gf_mul_ext(short left, short right)
     {
-        int x = left;
-        int y = right;
+        int x = left, y = right;
 
         int z = x * (y & 1);
         for (int i = 1; i < 12; i++)
@@ -142,6 +138,22 @@ protected int gf_mul_ext(short left, short right)
         return z;
     }
 
+    private int gf_mul_ext_par(short left0, short right0, short left1, short right1)
+    {
+        int x0 = left0, y0 = right0, x1 = left1, y1 = right1;
+
+        int z0 = x0 * (y0 & 1);
+        int z1 = x1 * (y1 & 1);
+
+        for (int i = 1; i < 12; i++)
+        {
+            z0 ^= x0 * (y0 & (1 << i));
+            z1 ^= x1 * (y1 & (1 << i));
+        }
+
+        return z0 ^ z1;
+    }
+
     protected short gf_reduce(int x)
     {
 //        assert (x >>> 24) == 0;

core/src/main/java/org/bouncycastle/pqc/crypto/cmce/GF13.java

@@ -22,10 +22,7 @@ protected void gf_mul_poly(int length, int[] poly, short[] out, short[] left, sh
 
             for (int j = 0; j < i; j++)
             {
-                int t = temp[i + j];
-                t ^= gf_mul_ext(left_i, right[j]);
-                t ^= gf_mul_ext(left[j], right_i);
-                temp[i + j] = t;
+                temp[i + j] ^= gf_mul_ext_par(left_i, right[j], left[j], right_i);
             }
 
             temp[i + i] = gf_mul_ext(left_i, right_i);
@@ -112,8 +109,7 @@ protected short gf_mul(short in0, short in1)
 
     protected int gf_mul_ext(short in0, short in1)
     {
-        int x = in0;
-        int y = in1;
+        int x = in0, y = in1;
 
         int z = x * (y & 1);
         for (int i = 1; i < 13; i++)
@@ -124,6 +120,22 @@ protected int gf_mul_ext(short in0, short in1)
         return z;
     }
 
+    private int gf_mul_ext_par(short in0, short in1, short in2, short in3)
+    {
+        int x0 = in0, y0 = in1, x1 = in2, y1 = in3;
+        
+        int z0 = x0 * (y0 & 1);
+        int z1 = x1 * (y1 & 1);
+
+        for (int i = 1; i < 13; i++)
+        {
+            z0 ^= x0 * (y0 & (1 << i));
+            z1 ^= x1 * (y1 & (1 << i));
+        }
+
+        return z0 ^ z1;
+    }
+
     protected short gf_reduce(int x)
     {
 //        assert (x >>> 26) == 0;

core/src/main/java/org/bouncycastle/pqc/crypto/picnic/PicnicEngine.java

@@ -26,15 +26,15 @@ class PicnicEngine
 
     /* Maximum lengths in bytes */
     private static final int PICNIC_MAX_LOWMC_BLOCK_SIZE = 32;
-    private static final int PICNIC_MAX_PUBLICKEY_SIZE = (2 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 1);
+//    private static final int PICNIC_MAX_PUBLICKEY_SIZE = (2 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 1);
     /**
      * < Largest serialized public key size, in bytes
      */
-    private static final int PICNIC_MAX_PRIVATEKEY_SIZE = (3 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 2);
+//    private static final int PICNIC_MAX_PRIVATEKEY_SIZE = (3 * PICNIC_MAX_LOWMC_BLOCK_SIZE + 2);
     /**
      * < Largest serialized private key size, in bytes
      */
-    private static final int PICNIC_MAX_SIGNATURE_SIZE = 209522;
+//    private static final int PICNIC_MAX_SIGNATURE_SIZE = 209522;
     /**
      * < Largest signature size, in bytes
      */
@@ -874,7 +874,7 @@ private int verify_picnic3(Signature2 sig, int[] pubKey, int[] plaintext, byte[]
                  * We simulate the MPC with one fewer party; the unopned party's values are all set to zero. */
                 int unopened = sig.challengeP[indexOf(sig.challengeC, numOpenedRounds, t)];
 
-                int tapeLengthBytes = 2 * andSizeBytes;
+//                int tapeLengthBytes = 2 * andSizeBytes;
                 if(unopened != last)
                 {  // sig.proofs[t].aux is only set when P_t != N
                     tapes[t].setAuxBits(sig.proofs[t].aux);

core/src/main/java/org/bouncycastle/pqc/crypto/picnic/PicnicParameters.java

@@ -7,15 +7,15 @@ public class PicnicParameters
 {
     private static class L1Constants
     {
-        protected static final LowmcConstantsL1 Instance = new LowmcConstantsL1();
+        static final LowmcConstantsL1 INSTANCE = new LowmcConstantsL1();
     }
     private static class L3Constants
     {
-        protected static final LowmcConstantsL3 Instance = new LowmcConstantsL3();
+        static final LowmcConstantsL3 INSTANCE = new LowmcConstantsL3();
     }
     private static class L5Constants
     {
-        protected static final LowmcConstantsL5 Instance = new LowmcConstantsL5();
+        static final LowmcConstantsL5 INSTANCE = new LowmcConstantsL5();
     }
 
     public static final PicnicParameters picnicl1fs = new PicnicParameters("picnicl1fs",  1);
@@ -55,18 +55,19 @@ PicnicEngine getEngine()
             case 2:
             case 7:
             case 10:
-                return new PicnicEngine(param, L1Constants.Instance);
+                return new PicnicEngine(param, L1Constants.INSTANCE);
             case 3:
             case 4:
             case 8:
             case 11:
-                return new PicnicEngine(param, L3Constants.Instance);
+                return new PicnicEngine(param, L3Constants.INSTANCE);
             case 12:
             case 5:
             case 6:
             case 9:
-                return new PicnicEngine(param, L5Constants.Instance);
-            default: return null;
+                return new PicnicEngine(param, L5Constants.INSTANCE);
+            default:
+                return null;
         }
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/picnic/Tape.java

@@ -40,11 +40,11 @@ protected void setAuxBits(byte[] input)
      */
     protected void computeAuxTape(byte[] inputs)
     {
-        int[] roundKey = new int[engine.LOWMC_MAX_WORDS];
-        int[] x = new int[engine.LOWMC_MAX_WORDS];
-        int[] y = new int[engine.LOWMC_MAX_WORDS];
-        int[] key = new int[engine.LOWMC_MAX_WORDS];
-        int[] key0 = new int[engine.LOWMC_MAX_WORDS];
+        int[] roundKey = new int[PicnicEngine.LOWMC_MAX_WORDS];
+        int[] x = new int[PicnicEngine.LOWMC_MAX_WORDS];
+        int[] y = new int[PicnicEngine.LOWMC_MAX_WORDS];
+        int[] key = new int[PicnicEngine.LOWMC_MAX_WORDS];
+        int[] key0 = new int[PicnicEngine.LOWMC_MAX_WORDS];
 
         key0[engine.stateSizeWords - 1] = 0;
         tapesToParityBits(key0, engine.stateSizeBits);

core/src/main/java/org/bouncycastle/pqc/crypto/picnic/Tree.java

@@ -11,7 +11,7 @@ class Tree
     private static final Logger LOG = Logger.getLogger(Tree.class.getName());
 
     private static final int MAX_SEED_SIZE_BYTES = 32;
-    private final int MAX_AUX_BYTES;
+//    private final int MAX_AUX_BYTES;
 
 
     private int depth;       /* The depth of the tree */
@@ -36,7 +36,7 @@ protected int getLeavesOffset()
     public Tree(PicnicEngine engine, int numLeaves, int dataSize)
     {
         this.engine = engine;
-        MAX_AUX_BYTES = ((engine.LOWMC_MAX_AND_GATES + engine.LOWMC_MAX_KEY_BITS) / 8 + 1);
+//        MAX_AUX_BYTES = ((PicnicEngine.LOWMC_MAX_AND_GATES + PicnicEngine.LOWMC_MAX_KEY_BITS) / 8 + 1);
 
         this.depth =  Utils.ceil_log2(numLeaves) + 1;
         this.numNodes = ((1 << (this.depth)) - 1) - ((1 << (this.depth - 1)) - numLeaves);  /* Num nodes in complete - number of missing leaves */
@@ -287,7 +287,8 @@ protected int revealSeedsSize(int[] hideList, int hideListSize)
     {
         int[] numNodesRevealed = new int[1];
         numNodesRevealed[0] = 0;
-        int[] revealed = getRevealedNodes(hideList, hideListSize, numNodesRevealed);
+//        int[] revealed =
+        getRevealedNodes(hideList, hideListSize, numNodesRevealed);
         return numNodesRevealed[0] * engine.seedSizeBytes;
     }
 
@@ -321,7 +322,8 @@ protected int revealSeeds(int[] hideList, int hideListSize, byte[] output, int o
     protected int openMerkleTreeSize(int[] missingLeaves, int missingLeavesSize)
     {
         int[] revealedSize = new int[1];
-        int[] revealed = this.getRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize);
+//        int[] revealed =
+        getRevealedMerkleNodes(missingLeaves, missingLeavesSize, revealedSize);
         return revealedSize[0] * engine.digestSizeBytes;
     }
 
@@ -432,7 +434,7 @@ private void computeParentHash(int child, byte[] salt)
             /* One node may not have a right child when there's an odd number of leaves */
             engine.digest.update(this.nodes[2 * parent + 2],0, engine.digestSizeBytes);
         }
-        engine.digest.update(salt,0, engine.saltSizeBytes);
+        engine.digest.update(salt,0, PicnicEngine.saltSizeBytes);
         engine.digest.update(Pack.intToLittleEndian(parent), 0, 2);
         engine.digest.doFinal(this.nodes[parent], 0, engine.digestSizeBytes);
         this.haveNode[parent] = true;
@@ -526,10 +528,9 @@ private void expandSeeds(byte[] salt, int repIndex)
 
     private void hashSeed(byte[] digest_arr, byte[] inputSeed, byte[] salt, byte hashPrefix, int repIndex, int nodeIndex)
     {
-
         engine.digest.update(hashPrefix);
         engine.digest.update(inputSeed, 0, engine.seedSizeBytes);
-        engine.digest.update(salt, 0, engine.saltSizeBytes);
+        engine.digest.update(salt, 0, PicnicEngine.saltSizeBytes);
         engine.digest.update(Pack.shortToLittleEndian((short)(repIndex & 0xffff)), 0, 2); //todo check endianness
         engine.digest.update(Pack.shortToLittleEndian((short)(nodeIndex & 0xffff)), 0, 2); //todo check endianness
         engine.digest.doFinal(digest_arr, 0, 2 * engine.seedSizeBytes);

core/src/main/java/org/bouncycastle/pqc/crypto/sike/Fpx.java

@@ -1738,11 +1738,11 @@ protected void fp2sub(long[][] a, long[][] b, long[][] c)
     }
 
     // GF(p^2) subtraction with correction with 4*p, c = a-b+4p in GF(p^2).
-    private void mp2_sub_p4(long[][] a, long[][] b, long[][] c)
-    {
-        mp_subPRIME_p4(a[0], b[0], c[0]);
-        mp_subPRIME_p4(a[1], b[1], c[1]);
-    }
+//    private void mp2_sub_p4(long[][] a, long[][] b, long[][] c)
+//    {
+//        mp_subPRIME_p4(a[0], b[0], c[0]);
+//        mp_subPRIME_p4(a[1], b[1], c[1]);
+//    }
 
     // Multiprecision multiplication, c = a*b mod p.
     protected void fpmul_mont(long[] ma, long[] mb, long[] mc)

core/src/main/java/org/bouncycastle/pqc/crypto/sike/SIDH_Compressed.java

@@ -883,26 +883,26 @@ protected int EphemeralKeyGeneration_A_extended(byte[] PrivateKeyA, byte[] Compr
 
     // Alice's ephemeral public key generation using compression -- SIDH protocol
     // Output: PrivateKeyA[MSG_BYTES + engine.params.SECRETKEY_A_BYTES] <- x(K_A) where K_A = PA + sk_A*Q_A
-    private int EphemeralKeyGeneration_A(byte[] PrivateKeyA, byte[] CompressedPKA)
-    {
-        int[] rs = new int[3],
-              D = new int[engine.params.DLEN_3];
-        long[] c0 = new long[engine.params.NWORDS_ORDER],
-               d0 = new long[engine.params.NWORDS_ORDER],
-               c1 = new long[engine.params.NWORDS_ORDER],
-               d1 = new long[engine.params.NWORDS_ORDER];
-        long[][] a24 = new long[2][engine.params.NWORDS_FIELD];
-        long[][][] f = new long[4][2][engine.params.NWORDS_FIELD];
-        long[][][][] As = new long[engine.params.MAX_Alice+1][5][2][engine.params.NWORDS_FIELD];
-        PointProjFull[] Rs = new PointProjFull[2];
-
-        FullIsogeny_A_dual(PrivateKeyA, As, a24, 0);
-        BuildOrdinary3nBasis_dual(a24, As, Rs, rs, rs, 2);
-        Tate3_pairings(Rs, f);
-        Dlogs3_dual(f, D, d0, c0, d1, c1);
-        Compress_PKA_dual(d0, c0, d1, c1, a24, rs, CompressedPKA);
-        return 0;
-    }
+//    private int EphemeralKeyGeneration_A(byte[] PrivateKeyA, byte[] CompressedPKA)
+//    {
+//        int[] rs = new int[3],
+//              D = new int[engine.params.DLEN_3];
+//        long[] c0 = new long[engine.params.NWORDS_ORDER],
+//               d0 = new long[engine.params.NWORDS_ORDER],
+//               c1 = new long[engine.params.NWORDS_ORDER],
+//               d1 = new long[engine.params.NWORDS_ORDER];
+//        long[][] a24 = new long[2][engine.params.NWORDS_FIELD];
+//        long[][][] f = new long[4][2][engine.params.NWORDS_FIELD];
+//        long[][][][] As = new long[engine.params.MAX_Alice+1][5][2][engine.params.NWORDS_FIELD];
+//        PointProjFull[] Rs = new PointProjFull[2];
+//
+//        FullIsogeny_A_dual(PrivateKeyA, As, a24, 0);
+//        BuildOrdinary3nBasis_dual(a24, As, Rs, rs, rs, 2);
+//        Tate3_pairings(Rs, f);
+//        Dlogs3_dual(f, D, d0, c0, d1, c1);
+//        Compress_PKA_dual(d0, c0, d1, c1, a24, rs, CompressedPKA);
+//        return 0;
+//    }
 
     // Bob's ephemeral shared secret computation using compression
     // It produces a shared secret key SharedSecretB using his secret key PrivateKeyB and Alice's decompressed data point_R and param_A

core/src/main/java/org/bouncycastle/pqc/crypto/sike/SIKEKEMExtractor.java

@@ -25,7 +25,6 @@ public SIKEKEMExtractor(SIKEPrivateKeyParameters privParams)
     private void initCipher(SIKEParameters param)
     {
         engine = param.getEngine();
-        SIKEPrivateKeyParameters privateParams = (SIKEPrivateKeyParameters)key;
     }
 
     public byte[] extractSecret(byte[] encapsulation)