bcgit
diff --git a/‎core/src/main/java/org/bouncycastle/asn1/bc/BCObjectIdentifiers.java‎
Lines changed: 49 additions & 0 deletions b/‎core/src/main/java/org/bouncycastle/asn1/bc/BCObjectIdentifiers.java‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/GF16Utils.java‎
Lines changed: 3 additions & 33 deletions b/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/GF16Utils.java‎
Lines changed: 3 additions & 33 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoKeyPairGenerator.java‎
Lines changed: 2 additions & 1 deletion b/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoKeyPairGenerator.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoSigner.java‎
Lines changed: 16 additions & 16 deletions b/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/MayoSigner.java‎
Lines changed: 16 additions & 16 deletions
diff --git a/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/Utils.java‎
Lines changed: 0 additions & 72 deletions b/‎core/src/main/java/org/bouncycastle/pqc/crypto/mayo/Utils.java‎
Lines changed: 0 additions & 72 deletions
@@ -637,4 +637,53 @@ public interface BCObjectIdentifiers
 //    ASN1ObjectIdentifier ov_v_pkc_skc = new ASN1ObjectIdentifier("1.3.9999.9.12.1");
 //    /** 1.3.9999.9.12.2 OQS_OID_P521_OV_V_PKC_SKC */
 //    ASN1ObjectIdentifier p521_ov_v_pkc_skc = new ASN1ObjectIdentifier("1.3.9999.9.12.2");
+
+    /**
+     * Snova
+     */
+    ASN1ObjectIdentifier snova = bc_sig.branch("11");
+    ASN1ObjectIdentifier snova_24_5_4_ssk = snova.branch("1");
+    ASN1ObjectIdentifier snova_24_5_4_esk = snova.branch("2");
+    ASN1ObjectIdentifier snova_24_5_4_shake_ssk = snova.branch("3");
+    ASN1ObjectIdentifier snova_24_5_4_shake_esk = snova.branch("4");
+    ASN1ObjectIdentifier snova_24_5_5_ssk = snova.branch("5");
+    ASN1ObjectIdentifier snova_24_5_5_esk = snova.branch("6");
+    ASN1ObjectIdentifier snova_24_5_5_shake_ssk = snova.branch("7");
+    ASN1ObjectIdentifier snova_24_5_5_shake_esk = snova.branch("8");
+    ASN1ObjectIdentifier snova_25_8_3_ssk = snova.branch("9");
+    ASN1ObjectIdentifier snova_25_8_3_esk = snova.branch("10");
+    ASN1ObjectIdentifier snova_25_8_3_shake_ssk = snova.branch("11");
+    ASN1ObjectIdentifier snova_25_8_3_shake_esk = snova.branch("12");
+    ASN1ObjectIdentifier snova_29_6_5_ssk = snova.branch("13");
+    ASN1ObjectIdentifier snova_29_6_5_esk = snova.branch("14");
+    ASN1ObjectIdentifier snova_29_6_5_shake_ssk = snova.branch("15");
+    ASN1ObjectIdentifier snova_29_6_5_shake_esk = snova.branch("16");
+    ASN1ObjectIdentifier snova_37_8_4_ssk = snova.branch("17");
+    ASN1ObjectIdentifier snova_37_8_4_esk = snova.branch("18");
+    ASN1ObjectIdentifier snova_37_8_4_shake_ssk = snova.branch("19");
+    ASN1ObjectIdentifier snova_37_8_4_shake_esk = snova.branch("20");
+    ASN1ObjectIdentifier snova_37_17_2_ssk = snova.branch("21");
+    ASN1ObjectIdentifier snova_37_17_2_esk = snova.branch("22");
+    ASN1ObjectIdentifier snova_37_17_2_shake_ssk = snova.branch("23");
+    ASN1ObjectIdentifier snova_37_17_2_shake_esk = snova.branch("24");
+    ASN1ObjectIdentifier snova_49_11_3_ssk = snova.branch("25");
+    ASN1ObjectIdentifier snova_49_11_3_esk = snova.branch("26");
+    ASN1ObjectIdentifier snova_49_11_3_shake_ssk = snova.branch("27");
+    ASN1ObjectIdentifier snova_49_11_3_shake_esk = snova.branch("28");
+    ASN1ObjectIdentifier snova_56_25_2_ssk = snova.branch("29");
+    ASN1ObjectIdentifier snova_56_25_2_esk = snova.branch("30");
+    ASN1ObjectIdentifier snova_56_25_2_shake_ssk = snova.branch("31");
+    ASN1ObjectIdentifier snova_56_25_2_shake_esk = snova.branch("32");
+    ASN1ObjectIdentifier snova_60_10_4_ssk = snova.branch("33");
+    ASN1ObjectIdentifier snova_60_10_4_esk = snova.branch("34");
+    ASN1ObjectIdentifier snova_60_10_4_shake_ssk = snova.branch("35");
+    ASN1ObjectIdentifier snova_60_10_4_shake_esk = snova.branch("36");
+    ASN1ObjectIdentifier snova_66_15_3_ssk = snova.branch("37");
+    ASN1ObjectIdentifier snova_66_15_3_esk = snova.branch("38");
+    ASN1ObjectIdentifier snova_66_15_3_shake_ssk = snova.branch("39");
+    ASN1ObjectIdentifier snova_66_15_3_shake_esk = snova.branch("40");
+    ASN1ObjectIdentifier snova_75_33_2_ssk = snova.branch("41");
+    ASN1ObjectIdentifier snova_75_33_2_esk = snova.branch("42");
+    ASN1ObjectIdentifier snova_75_33_2_shake_ssk = snova.branch("43");
+    ASN1ObjectIdentifier snova_75_33_2_shake_esk = snova.branch("44");
 }
@@ -1,5 +1,7 @@
 package org.bouncycastle.pqc.crypto.mayo;
 
+import org.bouncycastle.util.GF16;
+
 class GF16Utils
 {
     static final long NIBBLE_MASK_MSB = 0x7777777777777777L;
@@ -206,38 +208,6 @@ static void mulAddMUpperTriangularMatXMatTrans(int mVecLimbs, long[] bsMat, byte
         }
     }
 
-    /**
-     * GF(16) multiplication mod x^4 + x + 1.
-     * <p>
-     * This method multiplies two elements in GF(16) (represented as integers 0–15)
-     * using carryless multiplication followed by reduction modulo x^4 + x + 1.
-     *
-     * @param a an element in GF(16) (only the lower 4 bits are used)
-     * @param b an element in GF(16) (only the lower 4 bits are used)
-     * @return the product a * b in GF(16)
-     */
-    static int mulF(int a, int b)
-    {
-        // Carryless multiply: multiply b by each bit of a and XOR.
-        int p = (-(a & 1) & b) ^ (-((a >> 1) & 1) & (b << 1)) ^ (-((a >> 2) & 1) & (b << 2)) ^ (-((a >> 3) & 1) & (b << 3));
-        // Reduce modulo f(X) = x^4 + x + 1.
-        int topP = p & 0xF0;
-        return (p ^ (topP >> 4) ^ (topP >> 3)) & 0x0F;
-    }
-
-    /**
-     * Computes the multiplicative inverse in GF(16) for a GF(16) element.
-     */
-    static byte inverseF(int a)
-    {
-        // In GF(16), the inverse can be computed via exponentiation.
-        int a2 = mulF(a, a);
-        int a4 = mulF(a2, a2);
-        int a8 = mulF(a4, a4);
-        int a6 = mulF(a2, a4);
-        return (byte)mulF(a8, a6);
-    }
-
     /**
      * Performs a GF(16) carryless multiplication of a nibble (lower 4 bits of a)
      * with a 64-bit word b, then reduces modulo the polynomial x⁴ + x + 1 on each byte.
@@ -266,7 +236,7 @@ static void matMul(byte[] a, byte[] b, int bOff, byte[] c, int colrowAB, int row
             byte result = 0;
             for (int k = 0; k < colrowAB; k++)
             {
-                result ^= mulF(a[aRowStart++], b[bOff + k]);
+                result ^= GF16.mul(a[aRowStart++], b[bOff + k]);
             }
             c[cOff++] = result;
         }
 
@@ -7,6 +7,7 @@
 import org.bouncycastle.crypto.KeyGenerationParameters;
 import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.util.Arrays;
+import org.bouncycastle.util.GF16;
 import org.bouncycastle.util.Longs;
 
 /**
@@ -94,7 +95,7 @@ public AsymmetricCipherKeyPair generateKeyPair()
         // o ← Decode_o(S[ param_pk_seed_bytes : param_pk_seed_bytes + O_bytes ])
         // Decode nibbles from S starting at offset param_pk_seed_bytes into O,
         // with expected output length = param_v * param_o.
-        Utils.decode(seed_pk, pkSeedBytes, O, 0,  O.length);
+        GF16.decode(seed_pk, pkSeedBytes, O, 0,  O.length);
 
         // Expand P1 and P2 into the array P using seed_pk.
         Utils.expandP1P2(p, P, seed_pk);
 
@@ -10,6 +10,7 @@
 
 import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Bytes;
+import org.bouncycastle.util.GF16;
 import org.bouncycastle.util.Longs;
 import org.bouncycastle.util.Pack;
 
@@ -50,7 +51,6 @@ public class MayoSigner
     @Override
     public void init(boolean forSigning, CipherParameters param)
     {
-
         if (forSigning)
         {
             pubKey = null;
@@ -135,7 +135,7 @@ public byte[] generateSignature(byte[] message)
 
             // Decode the portion of S after the first param_pk_seed_bytes into O.
             // (In C, this is: decode(S + param_pk_seed_bytes, O, param_v * param_o))
-            Utils.decode(seed_pk, pk_seed_bytes, O, 0, O.length);
+            GF16.decode(seed_pk, pk_seed_bytes, O, 0, O.length);
 
             // Expand P1 and P2 into the long array P using seed_pk.
             Utils.expandP1P2(params, P, seed_pk);
@@ -187,7 +187,7 @@ public byte[] generateSignature(byte[] message)
             System.arraycopy(salt, 0, tmp, digestBytes, saltBytes);
             shake.update(tmp, 0, digestBytes + saltBytes);
             shake.doFinal(tenc, 0, params.getMBytes());
-            Utils.decode(tenc, t, m);
+            GF16.decode(tenc, t, m);
             int size = v * k * mVecLimbs;
             long[] Pv = new long[size];
             byte[] Ox = new byte[v];
@@ -202,7 +202,7 @@ public byte[] generateSignature(byte[] message)
                 // Decode vectors
                 for (int i = 0; i < k; i++)
                 {
-                    Utils.decode(V, i * vbytes, Vdec, i * v, v);
+                    GF16.decode(V, i * vbytes, Vdec, i * v, v);
                 }
 
                 //computeMandVPV(params, Vdec, P, params.getP1Limbs(), P, Mtmp, vPv);
@@ -225,7 +225,7 @@ public byte[] generateSignature(byte[] message)
 //                    A[(i + 1) * (ok + 1) - 1] = 0;
 //                }
 
-                Utils.decode(V, k * vbytes, r, 0, ok);
+                GF16.decode(V, k * vbytes, r, 0, ok);
 
                 if (sampleSolution(A, y, r, x))
                 {
@@ -248,7 +248,7 @@ public byte[] generateSignature(byte[] message)
             }
 
             // Encode and add salt
-            Utils.encode(s, sig, nk);
+            GF16.encode(s, sig, nk);
             System.arraycopy(salt, 0, sig, sig.length - saltBytes, saltBytes);
 
             return Arrays.concatenate(sig, message);
@@ -316,10 +316,10 @@ public boolean verifySignature(byte[] message, byte[] signature)
         shake.update(tmp, 0, digestBytes);
         shake.update(signature, sigBytes - saltBytes, saltBytes);
         shake.doFinal(tEnc, 0, mBytes);
-        Utils.decode(tEnc, t, m);
+        GF16.decode(tEnc, t, m);
 
         // Decode signature
-        Utils.decode(signature, s, kn);
+        GF16.decode(signature, s, kn);
 
         // Evaluate public map
         //evalPublicMap(params, s, P1, P2, P3, y);
@@ -385,7 +385,7 @@ void computeRHS(long[] vPv, byte[] t, byte[] y)
                         continue;
                     }
 
-                    long product = GF16Utils.mulF(top, ft);
+                    long product = GF16.mul(top, ft);
                     if ((jj & 1) == 0)
                     {
                         tempBytes[jj >> 1] ^= (byte)(product & 0xF);
@@ -515,10 +515,10 @@ void computeA(long[] Mtmp, byte[] AOut)
         for (int i = 0, idx = 0; i < F_TAIL_LEN; i++)
         {
             int ft = fTailArr[i];
-            tab[idx++] = (byte)GF16Utils.mulF(ft, 1);
-            tab[idx++] = (byte)GF16Utils.mulF(ft, 2);
-            tab[idx++] = (byte)GF16Utils.mulF(ft, 4);
-            tab[idx++] = (byte)GF16Utils.mulF(ft, 8);
+            tab[idx++] = (byte)GF16.mul(ft, 1);
+            tab[idx++] = (byte)GF16.mul(ft, 2);
+            tab[idx++] = (byte)GF16.mul(ft, 4);
+            tab[idx++] = (byte)GF16.mul(ft, 8);
         }
 
         // Final processing
@@ -550,7 +550,7 @@ void computeA(long[] Mtmp, byte[] AOut)
             {
                 for (int i = 0; i + r < m; i++)
                 {
-                    Utils.decode(Abytes, (((r * AWidth) >> 4) + c + i) << 3,
+                    GF16.decode(Abytes, (((r * AWidth) >> 4) + c + i) << 3,
                         AOut, (r + i) * ACols + c, Math.min(16, ACols - 1 - c));
                 }
             }
@@ -762,7 +762,7 @@ void ef(byte[] A, int nrows, int ncols)
             }
 
             // Multiply the pivot row by the inverse of the pivot element.
-            vecMulAddU64(rowLen, pivotRow, GF16Utils.inverseF(pivot), pivotRow2);
+            vecMulAddU64(rowLen, pivotRow, GF16.inv((byte)pivot), pivotRow2);
 
             // Conditionally write the pivot row back into the correct row (if pivot is nonzero).
             for (int row = lowerBound, rowRowLen = lowerBound * rowLen; row <= upperBound; row++, rowRowLen += rowLen)
@@ -798,7 +798,7 @@ void ef(byte[] A, int nrows, int ncols)
         for (int i = 0, irowLen = 0; i < nrows; i++, irowLen += rowLen)
         {
             Pack.longToLittleEndian(packedA, irowLen, len_4, bytes, 0);
-            Utils.decode(bytes, 0, A, outIndex, ncols);
+            GF16.decode(bytes, 0, A, outIndex, ncols);
             outIndex += ncols;
         }
     }
 
@@ -11,78 +11,6 @@
 
 class Utils
 {
-    /**
-     * Decodes an encoded byte array.
-     * Each byte in the input contains two nibbles (4-bit values); the lower nibble is stored first,
-     * followed by the upper nibble.
-     *
-     * @param m       the input byte array (each byte holds two 4-bit values)
-     * @param mdec    the output array that will hold the decoded nibbles (one per byte)
-     * @param mdecLen the total number of nibbles to decode
-     */
-    public static void decode(byte[] m, byte[] mdec, int mdecLen)
-    {
-        int i, decIndex = 0, blocks = mdecLen >> 1;
-        // Process pairs of nibbles from each byte
-        for (i = 0; i < blocks; i++)
-        {
-            // Extract the lower nibble
-            mdec[decIndex++] = (byte)(m[i] & 0x0F);
-            // Extract the upper nibble (shift right 4 bits)
-            mdec[decIndex++] = (byte)((m[i] >> 4) & 0x0F);
-        }
-        // If there is an extra nibble (odd number of nibbles), decode only the lower nibble
-        if ((mdecLen & 1) == 1)
-        {
-            mdec[decIndex] = (byte)(m[i] & 0x0F);
-        }
-    }
-
-    public static void decode(byte[] m, int mOff, byte[] mdec, int decIndex, int mdecLen)
-    {
-        // Process pairs of nibbles from each byte
-        int blocks = mdecLen >> 1;
-        for (int i = 0; i < blocks; i++)
-        {
-            // Extract the lower nibble
-            mdec[decIndex++] = (byte)(m[mOff] & 0x0F);
-            // Extract the upper nibble (shift right 4 bits)
-            mdec[decIndex++] = (byte)((m[mOff++] >> 4) & 0x0F);
-        }
-        // If there is an extra nibble (odd number of nibbles), decode only the lower nibble
-        if ((mdecLen & 1) == 1)
-        {
-            mdec[decIndex] = (byte)(m[mOff] & 0x0F);
-        }
-    }
-
-    /**
-     * Encodes an array of 4-bit values into a byte array.
-     * Two 4-bit values are packed into one byte, with the first nibble stored in the lower 4 bits
-     * and the second nibble stored in the upper 4 bits.
-     *
-     * @param m    the input array of 4-bit values (stored as bytes, only lower 4 bits used)
-     * @param menc the output byte array that will hold the encoded bytes
-     * @param mlen the number of nibbles in the input array
-     */
-    public static void encode(byte[] m, byte[] menc, int mlen)
-    {
-        int i, srcIndex = 0;
-        // Process pairs of 4-bit values
-        for (i = 0; i < mlen / 2; i++)
-        {
-            int lowerNibble = m[srcIndex] & 0x0F;
-            int upperNibble = (m[srcIndex + 1] & 0x0F) << 4;
-            menc[i] = (byte)(lowerNibble | upperNibble);
-            srcIndex += 2;
-        }
-        // If there is an extra nibble (odd number of nibbles), store it directly in lower 4 bits.
-        if ((mlen & 1) == 1)
-        {
-            menc[i] = (byte)(m[srcIndex] & 0x0F);
-        }
-    }
-
     public static void unpackMVecs(byte[] in, int inOff, long[] out, int outOff, int vecs, int m)
     {
         int mVecLimbs = (m + 15) >> 4;