TODO: fix the bugs for packing sk of Snova.

Author: gefeili

core/src/main/java/org/bouncycastle/pqc/crypto/snova/GF16Utils.java

@@ -81,6 +81,46 @@ public static void decode(byte[] m, int mOff, byte[] mdec, int decIndex, int mde
         }
     }
 
+    /**
+     * Convert two GF16 values to one byte.
+     *
+     * @param m    the input array of 4-bit values (stored as bytes, only lower 4 bits used)
+     * @param menc the output byte array that will hold the encoded bytes
+     * @param mlen the number of nibbles in the input array
+     */
+    public static void encode(byte[] m, byte[] menc, int outOff, int mlen)
+    {
+        int i, srcIndex = 0;
+        // Process pairs of 4-bit values
+        for (i = 0; i < mlen / 2; i++)
+        {
+            int lowerNibble = m[srcIndex] & 0x0F;
+            int upperNibble = (m[srcIndex + 1] & 0x0F) << 4;
+            menc[outOff++] = (byte)(lowerNibble | upperNibble);
+            srcIndex += 2;
+        }
+        // If there is an extra nibble (odd number of nibbles), store it directly in lower 4 bits.
+        if ((mlen & 1) == 1)
+        {
+            menc[outOff] = (byte)(m[srcIndex] & 0x0F);
+        }
+    }
+
+    public static void encodeMergeInHalf(byte[] m, int mlen, byte[] menc)
+    {
+        int i, half = (mlen + 1) >>> 1;
+        // Process pairs of 4-bit values
+        for (i = 0; i < mlen / 2; i++, half++)
+        {
+            menc[i] = (byte)(m[i] | (m[half] << 4));
+        }
+        // If there is an extra nibble (odd number of nibbles), store it directly in lower 4 bits.
+        if ((mlen & 1) == 1)
+        {
+            menc[i] = (byte)m[i];
+        }
+    }
+
     /**
      * Decodes a nibble-packed byte array into an output array.
      *

core/src/main/java/org/bouncycastle/pqc/crypto/snova/MapGroup1.java

@@ -38,7 +38,19 @@ public int decode(byte[] input, int len)
         return inOff;
     }
 
-    private int decodeP(byte[] input, int inOff, byte[][][][] p, int len)
+//    public int encode(byte[] output, int len)
+//    {
+//        int outOff = encodeP(p11, output, 0, len);
+//        outOff += encodeP(p12, output, outOff, len - outOff);
+//        outOff += encodeP(p21, output, outOff, len - outOff);
+//        outOff += encodeAlpha(aAlpha, output, outOff, len - outOff);
+//        outOff += encodeAlpha(bAlpha, output, outOff, len - outOff);
+//        outOff += encodeAlpha(qAlpha1, output, outOff, len - outOff);
+//        outOff += encodeAlpha(qAlpha2, output, outOff, len - outOff);
+//        return outOff;
+//    }
+
+    static int decodeP(byte[] input, int inOff, byte[][][][] p, int len)
     {
         int rlt = 0;
         for (int i = 0; i < p.length; ++i)
@@ -48,7 +60,7 @@ private int decodeP(byte[] input, int inOff, byte[][][][] p, int len)
         return rlt;
     }
 
-    private int decodeAlpha(byte[] input, int inOff, byte[][][] alpha, int len)
+    private static int decodeAlpha(byte[] input, int inOff, byte[][][] alpha, int len)
     {
         int rlt = 0;
         for (int i = 0; i < alpha.length; ++i)
@@ -64,4 +76,30 @@ private int decodeAlpha(byte[] input, int inOff, byte[][][] alpha, int len)
         return rlt;
     }
 
+    static int encodeP(byte[][][][] p, byte[] output, int outOff, int len)
+    {
+        int rlt = 0;
+        for (int i = 0; i < p.length; ++i)
+        {
+            rlt += encodeAlpha(p[i], output, outOff + rlt, len);
+        }
+        return rlt;
+    }
+
+    static int encodeAlpha(byte[][][] alpha, byte[] output, int outOff, int len)
+    {
+        int rlt = 0;
+        for (int i = 0; i < alpha.length; ++i)
+        {
+            for (int j = 0; j < alpha[i].length; ++j)
+            {
+                int tmp = Math.min(alpha[i][j].length, len << 1);
+                GF16Utils.encode(alpha[i][j], output, outOff + rlt, tmp);
+                rlt += (tmp + 1) >> 1;
+                len -= (tmp + 1) >> 1;
+            }
+        }
+        return rlt;
+    }
+
 }

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SKGF16.java

@@ -356,8 +356,8 @@ public void genF(MapGroup2 map2, MapGroup1 map1, byte[][][] T12)
                 {
                     for (int index = 0; index < v; index++)
                     {
-                        GF16Utils.gf16mMul(temp, map1.p11[i][j][index], T12[index][k], l);
-                        GF16Utils.gf16mAdd(map2.f12[i][j][k], map2.f12[i][j][k], temp, l);
+                        GF16Utils.gf16mMul(map1.p11[i][j][index], T12[index][k], temp, l);
+                        GF16Utils.gf16mAdd(map2.f12[i][j][k], temp, map2.f12[i][j][k], l);
                     }
                 }
             }
@@ -372,8 +372,8 @@ public void genF(MapGroup2 map2, MapGroup1 map1, byte[][][] T12)
                 {
                     for (int index = 0; index < v; index++)
                     {
-                        GF16Utils.gf16mMul(temp, T12[index][j], map1.p11[i][index][k], l);
-                        GF16Utils.gf16mAdd(map2.f21[i][j][k], map2.f21[i][j][k], temp, l);
+                        GF16Utils.gf16mMul(T12[index][j], map1.p11[i][index][k], temp, l);
+                        GF16Utils.gf16mAdd(map2.f21[i][j][k], temp, map2.f21[i][j][k], l);
                     }
                 }
             }
@@ -402,7 +402,7 @@ private static void copy4DMatrix(byte[][][][] src, byte[][][][] dest,
         }
     }
 
-    public void genP22(byte[] outP22, byte[][][] T12, byte[][][][] P21, byte[][][][] F12, SnovaParameters params)
+    public void genP22(byte[] outP22, byte[][][] T12, byte[][][][] P21, byte[][][][] F12)
     {
         int m = params.getM();
         int o = params.getO();
@@ -428,24 +428,23 @@ public void genP22(byte[] outP22, byte[][][] T12, byte[][][][] P21, byte[][][][]
                         for (int index = 0; index < v; index++)
                         {
                             // temp1 = T12[index][j] * F12[i][index][k]
-                            GF16Utils.gf16mMul(temp1, T12[index][j], F12[i][index][k], l);
+                            GF16Utils.gf16mMul(T12[index][j], F12[i][index][k], temp1, l);
 
                             // temp2 = P21[i][j][index] * T12[index][k]
-                            GF16Utils.gf16mMul(temp2, P21[i][j][index], T12[index][k], l);
+                            GF16Utils.gf16mMul(P21[i][j][index], T12[index][k], temp2, l);
 
                             // temp1 += temp2
-                            GF16Utils.gf16mAdd(temp1, temp1, temp2, l);
+                            GF16Utils.gf16mAdd(temp1, temp2, temp1, l);
 
                             // P22[i][j][k] += temp1
-                            GF16Utils.gf16mAdd(P22[i][j][k], P22[i][j][k], temp1, l);
+                            GF16Utils.gf16mAdd(P22[i][j][k], temp1, P22[i][j][k],  l);
                         }
                     }
                 }
             }
 
             // Convert GF16 elements to packed bytes
-            //TODO
-            //GF16Utils.decode(P22, outP22, m * o * o *lsq);
+            MapGroup1.encodeP(P22, outP22, 0, m * o * o *lsq);
         }
         finally
         {

core/src/main/java/org/bouncycastle/pqc/crypto/snova/SnovaEngine.java

@@ -6,12 +6,55 @@ class SnovaKeyElements
     public final byte[][][] T12;     // [v][o]
     public final MapGroup2 map2;
     public final PublicKey publicKey;
+    private int length;
 
     public SnovaKeyElements(SnovaParameters params)
     {
+        int o = params.getO();
+        int l = params.getL();
+        int v = params.getV();
+        int lsq = l * l;
         map1 = new MapGroup1(params);
-        T12 = new byte[params.getV()][params.getO()][16];
+        T12 = new byte[v][o][lsq];
         map2 = new MapGroup2(params);
         publicKey = new PublicKey(params);
+        length = o * params.getAlpha() * lsq * 4 + v * o * lsq + (o * v * v + o * v * o + o * o * v) * lsq;
+    }
+
+    public void encodeMergerInHalf(byte[] output)
+    {
+        byte[] input = new byte[length];
+        int inOff = 0;
+        inOff = copy3d(map1.aAlpha, input, inOff);
+        inOff = copy3d(map1.bAlpha, input, inOff);
+        inOff = copy3d(map1.qAlpha1, input, inOff);
+        inOff = copy3d(map1.qAlpha2, input, inOff);
+        inOff = copy3d(T12, input, inOff);
+        inOff = copy4d(map2.f11, input, inOff);
+        inOff = copy4d(map2.f12, input, inOff);
+        inOff = copy4d(map2.f21, input, inOff);
+        GF16Utils.encodeMergeInHalf(input, length, output);
+    }
+
+    public int copy3d(byte[][][] alpha, byte[] output, int outOff)
+    {
+        for (int i = 0; i < alpha.length; ++i)
+        {
+            for (int j = 0; j < alpha[i].length; ++j)
+            {
+                System.arraycopy(alpha[i][j], 0, output, outOff, alpha[i][j].length);
+                outOff += alpha[i][j].length;
+            }
+        }
+        return outOff;
+    }
+
+    public int copy4d(byte[][][][] alpha, byte[] output, int outOff)
+    {
+        for (int i = 0; i < alpha.length; ++i)
+        {
+            outOff = copy3d(alpha[i], output, outOff);
+        }
+        return outOff;
     }
 }