static
void RecFindRoots(vec_GF2E& x, const GF2EX& f)
{
if (deg(f) == 0) return;
if (deg(f) == 1) {
long k = x.length();
x.SetLength(k+1);
x[k] = ConstTerm(f);
return;
}
GF2EX h;
GF2E r;
{
GF2EXModulus F;
build(F, f);
do {
random(r);
clear(h);
SetCoeff(h, 1, r);
TraceMap(h, h, F);
GCD(h, h, f);
} while (deg(h) <= 0 || deg(h) == deg(f));
}
RecFindRoots(x, h);
div(h, f, h);
RecFindRoots(x, h);
}
///////////////////////////////////////////////////////////////////////////
// PURPOSE:
// Computes the syndrome of a sparse vector
// of the binary BCH code of design distance d.
// The vector is viewed as a vector of 0's and 1's
// being indexed by all nonzero elements of GF2E; because
// it is sparse, it is given as the set a of
// elements of GF2E where the coordinates of the vector are equal to 1.
// If used to compute the secure sketch, the sketch will
// tolerate symmetric difference of up to (d-1)/2
//
//
// ALGORITHM:
// The syndrome is computed as a vector of
// f(j) = (a_0)^j + (a_2)^j + ... + (a_s)^j
// for odd i from 1 do d-1, where a_i is the i-th component
// of the input vector A.
// (only the odd j are needed, because
// f(2j) is simply the square of f(j)).
// Because in C++ we number from 0, f(j) will reside
// in location (j-1)/2.
//
//
// ASSUMPTIONS:
// Let m=GF2E::degree() (i.e., the field is GF(2^m)).
// Assumes d is odd,
// greater than 1, and less than 2^m (else BCH codes don't make sense).
// Assumes the input set has no zeros (they will be ignored)
//
//
// RUNNING TIME:
// Takes time O(len*d) operations in GF(2^m),
// where len is the length of the input vector
//
void BCHSyndromeCompute(vec_GF2E & ss, const vec_GF2E & a, long d)
{
GF2E a_i_to_the_j, multiplier;
long i, j;
ss.SetLength((d-1)/2); // half the syndrome length,
// because even power not needed
// We will compute the fs in parallel: first add
// all the powers of a_1, then of a_2, ..., then of a_s
for (i = 0; i < a.length(); ++i)
{
a_i_to_the_j = a[i];
sqr(multiplier, a[i]); // multiplier = a[i]*a[i];
// special-case 0, because it doesn't need to be multiplied
// by the multiplier
ss[0] += a_i_to_the_j;
for (long j = 3; j < d; j+=2)
{
a_i_to_the_j *= multiplier;
ss[(j-1)/2] += a_i_to_the_j;
}
}
}
void mul(vec_GF2E& x, const vec_GF2E& a, const GF2E& b_in)
{
GF2E b = b_in;
long n = a.length();
x.SetLength(n);
long i;
for (i = 0; i < n; i++)
mul(x[i], a[i], b);
}
void add(vec_GF2E& x, const vec_GF2E& a, const vec_GF2E& b)
{
long n = a.length();
if (b.length() != n) LogicError("vector add: dimension mismatch");
x.SetLength(n);
long i;
for (i = 0; i < n; i++)
add(x[i], a[i], b[i]);
}
void FindRoots(vec_GF2E& x, const GF2EX& ff)
{
GF2EX f = ff;
if (!IsOne(LeadCoeff(f)))
Error("FindRoots: bad args");
x.SetMaxLength(deg(f));
x.SetLength(0);
RecFindRoots(x, f);
}
void InnerProduct(GF2E& x, const vec_GF2E& a, const vec_GF2E& b)
{
long n = min(a.length(), b.length());
long i;
GF2X accum, t;
clear(accum);
for (i = 0; i < n; i++) {
mul(t, rep(a[i]), rep(b[i]));
add(accum, accum, t);
}
conv(x, accum);
}
///////////////////////////////////////////////////////////////////////////
// Produces a vector res such that res[2i]=ss[i]
// and res[2i+1]=ss[i]*ss[i]
//
// Used to recover the redundant representation
// of the BCH syndrome (which includes even values of j)
// from the representation produced by BCHSyndromeCompute
// Because C++ indexes from 0, the j-th coordinate of the syndrome
// will end up in location j-1.
//
// Takes time O(d) operations in GF2E, where d is the output length
//
static
void InterpolateEvens(vec_GF2E & res, const vec_GF2E & ss)
{
// uses relation syn(j) = syn(j/2)^2 to recover syn from ss
long i;
res.SetLength(2*ss.length());
// odd coordinates (which, confusingly, means even i)
// are just copied from the input
for (i = 0; i < ss.length(); ++i)
res[2*i] = ss[i];
// even coordinates (odd i) are computed via squaring.
for (i = 1; i < res.length(); i+=2)
sqr(res[i], res[(i-1)/2]); // square
}
void clear(vec_GF2E& x)
{
long n = x.length();
long i;
for (i = 0; i < n; i++)
clear(x[i]);
}
void VectorCopy(vec_GF2E& x, const vec_GF2E& a, long n)
{
if (n < 0) LogicError("VectorCopy: negative length");
if (NTL_OVERFLOW(n, 1, 0)) ResourceError("overflow in VectorCopy");
long m = min(n, a.length());
x.SetLength(n);
long i;
for (i = 0; i < m; i++)
x[i] = a[i];
for (i = m; i < n; i++)
clear(x[i]);
}
void InnerProduct(GF2E& x, const vec_GF2E& a, const vec_GF2E& b,
long offset)
{
if (offset < 0) LogicError("InnerProduct: negative offset");
if (NTL_OVERFLOW(offset, 1, 0)) ResourceError("InnerProduct: offset too big");
long n = min(a.length(), b.length()+offset);
long i;
GF2X accum, t;
clear(accum);
for (i = offset; i < n; i++) {
mul(t, rep(a[i]), rep(b[i-offset]));
add(accum, accum, t);
}
conv(x, accum);
}
static
void FindFactors(vec_GF2EX& factors, const GF2EX& f, const GF2EX& g,
const vec_GF2E& roots)
{
long r = roots.length();
factors.SetMaxLength(r);
factors.SetLength(0);
RecFindFactors(factors, f, g, roots, 0, r-1);
}
long IsZero(const vec_GF2E& a)
{
long n = a.length();
long i;
for (i = 0; i < n; i++)
if (!IsZero(a[i]))
return 0;
return 1;
}
static
void mul_aux(vec_GF2E& x, const vec_GF2E& a, const mat_GF2E& B)
{
long n = B.NumRows();
long l = B.NumCols();
if (n != a.length())
LogicError("matrix mul: dimension mismatch");
x.SetLength(l);
long i, k;
GF2X acc, tmp;
for (i = 1; i <= l; i++) {
clear(acc);
for (k = 1; k <= n; k++) {
mul(tmp, rep(a(k)), rep(B(k,i)));
add(acc, acc, tmp);
}
conv(x(i), acc);
}
}
static
void mul_aux(vec_GF2E& x, const mat_GF2E& A, const vec_GF2E& b)
{
long n = A.NumRows();
long l = A.NumCols();
if (l != b.length())
LogicError("matrix mul: dimension mismatch");
x.SetLength(n);
long i, k;
GF2X acc, tmp;
for (i = 1; i <= n; i++) {
clear(acc);
for (k = 1; k <= l; k++) {
mul(tmp, rep(A(i,k)), rep(b(k)));
add(acc, acc, tmp);
}
conv(x(i), acc);
}
}
static
void IterFindFactors(vec_GF2EX& factors, const GF2EX& f,
const GF2EX& g, const vec_GF2E& roots)
{
long r = roots.length();
long i;
GF2EX h;
factors.SetLength(r);
for (i = 0; i < r; i++) {
add(h, g, roots[i]);
GCD(factors[i], f, h);
}
}
void applyLinPoly(GF2E& beta, const vec_GF2E& C, const GF2E& alpha, long p)
{
long d = GF2E::degree();
assert(d == C.length());
GF2E gamma, res;
gamma = to_GF2E(GF2X(1, 1));
res = C[0]*alpha;
for (long i = 1; i < d; i++) {
gamma = power(gamma, p);
res += C[i]*to_GF2E(CompMod(rep(alpha), rep(gamma), GF2E::modulus()));
}
beta = res;
}
static
void solve_impl(GF2E& d, vec_GF2E& X, const mat_GF2E& A, const vec_GF2E& b, bool trans)
{
long n = A.NumRows();
if (A.NumCols() != n)
LogicError("solve: nonsquare matrix");
if (b.length() != n)
LogicError("solve: dimension mismatch");
if (n == 0) {
set(d);
X.SetLength(0);
return;
}
long i, j, k, pos;
GF2X t1, t2;
GF2X *x, *y;
const GF2XModulus& p = GF2E::modulus();
vec_GF2XVec M;
M.SetLength(n);
for (i = 0; i < n; i++) {
M[i].SetSize(n+1, 2*GF2E::WordLength());
if (trans)
for (j = 0; j < n; j++) M[i][j] = rep(A[j][i]);
else
for (j = 0; j < n; j++) M[i][j] = rep(A[i][j]);
M[i][n] = rep(b[i]);
}
GF2X det;
set(det);
for (k = 0; k < n; k++) {
pos = -1;
for (i = k; i < n; i++) {
rem(t1, M[i][k], p);
M[i][k] = t1;
if (pos == -1 && !IsZero(t1)) {
pos = i;
}
}
if (pos != -1) {
if (k != pos) {
swap(M[pos], M[k]);
}
MulMod(det, det, M[k][k], p);
// make M[k, k] == -1 mod p, and make row k reduced
InvMod(t1, M[k][k], p);
for (j = k+1; j <= n; j++) {
rem(t2, M[k][j], p);
MulMod(M[k][j], t2, t1, p);
}
for (i = k+1; i < n; i++) {
// M[i] = M[i] + M[k]*M[i,k]
t1 = M[i][k]; // this is already reduced
x = M[i].elts() + (k+1);
y = M[k].elts() + (k+1);
for (j = k+1; j <= n; j++, x++, y++) {
// *x = *x + (*y)*t1
mul(t2, *y, t1);
add(*x, *x, t2);
}
}
}
else {
clear(d);
return;
}
}
X.SetLength(n);
for (i = n-1; i >= 0; i--) {
clear(t1);
for (j = i+1; j < n; j++) {
mul(t2, rep(X[j]), M[i][j]);
add(t1, t1, t2);
}
add(t1, t1, M[i][n]);
conv(X[i], t1);
}
conv(d, det);
}
///////////////////////////////////////////////////////////////////////////
// PURPOSE:
// Given syndrome ssWithoutEvens of BCH code with design distance d,
// finds sparse vector (with no more than
// (d-1)/2 ones) with that syndrome
// (note that syndrome as well sparse vector
// representation are defined at BCHSyndromeCompute above).
// 'answer' returns positions of ones in the resulting vector.
// These positions are elements of GF2E (i.e., we view the vector
// as a vector whose positions are indexed by elements of GF2E).
// Returns false if no such vector exists, true otherwise
// The input syndrome is assumed to not have even powers, i.e.,
// has (d-1)/2 elements, such as the syndrome computed by BCHSyndromeCompute.
//
// ASSUMPTIONS:
// Let m=GF2E::degree() (i.e., the field is GF(2^m)).
// This algorithm assumes that d is odd, greater than 1, and less than 2^m.
// (else BCH codes don't make sense).
// Assumes input is of length (d-1)/2.
//
// ALGORITHM USED:
// Implements BCH decoding based on Euclidean algorithm;
// For the explanation of the algorithm, see
// Syndrome Encoding and Decoding of BCH Codes in Sublinear Time
// (Excerpted from Fuzzy Extractors:
// How to Generate Strong Keys from Biometrics and Other Noisy Data)
// by Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin and Adam Smith
// or Theorem 18.7 of Victor Shoup's "A Computational Introduction to
// Number Theory and Algebra" (first edition, 2005), or
// pp. 170-173 of "Introduction to Coding Theory" by Jurgen Bierbrauer.
//
//
// RUNNING TIME:
// If the output has e elements (i.e., the length of the output vector
// is e; note that e <= (d-1)/2), then
// the running time is O(d^2 + e^2 + e^{\log_2 3} m) operations in GF(2^m),
// each of which takes time O(m^{\log_2 3}) in NTL. Note that
// \log_2 3 is approximately 1.585.
//
bool BCHSyndromeDecode(vec_GF2E &answer, const vec_GF2E & ssWithoutEvens, long d)
{
long i;
vec_GF2E ss;
// This takes O(d) operation in GF(2^m)
InterpolateEvens(ss, ssWithoutEvens);
GF2EX r1, r2, r3, v1, v2, v3, q, temp;
GF2EX *Rold, *Rcur, *Rnew, *Vold, *Vcur, *Vnew, *tempPointer;
// Use pointers to avoid moving polynomials around
// An assignment of polynomials requires copying the coefficient vector;
// we will not assign polynomials, but will swap pointers instead
Rold = &r1;
Rcur = &r2;
Rnew = &r3;
Vold = &v1;
Vcur = &v2;
Vnew = &v3;
SetCoeff(*Rold, d-1, 1); // Rold holds z^{d-1}
// Rcur=S(z)/z where S is the syndrome poly, Rcur = \sum S_j z^{j-1}
// Note that because we index arrays from 0, S_j is stored in ss[j-1]
for (i=0; i<d-1; i++)
SetCoeff (*Rcur, i, ss[i]);
// Vold is already 0 -- no need to initialize
// Initialize Vcur to 1
SetCoeff(*Vcur, 0, 1); // Vcur = 1
// Now run Euclid, but stop as soon as degree of Rcur drops below
// (d-1)/2
// This will take O(d^2) operations in GF(2^m)
long t = (d-1)/2;
while (deg(*Rcur) >= t) {
// Rold = Rcur*q + Rnew
DivRem(q, *Rnew, *Rold, *Rcur);
// Vnew = Vold - qVcur)
mul(temp, q, *Vcur);
sub (*Vnew, *Vold, temp);
// swap everything
tempPointer = Rold;
Rold = Rcur;
Rcur = Rnew;
Rnew = tempPointer;
tempPointer = Vold;
Vold = Vcur;
Vcur = Vnew;
Vnew = tempPointer;
}
// At the end of the loop, sigma(z) is Vcur
// (up to a constant factor, which doesn't matter,
// since we care about roots of sigma).
// The roots of sigma(z) are inverses of the points we
// are interested in.
// We will check that 0 is not
// a root of Vcur (else its inverse won't exist, and hence
// the right polynomial doesn't exist).
if (IsZero(ConstTerm(*Vcur)))
return false;
// Need sigma to be monic for FindRoots
MakeMonic(*Vcur);
// check if sigma(z) has distinct roots if not, return false
// this will take O(e^{\log_2 3} m) operations in GF(2^m),
// where e is the degree of sigma(z)
if (CheckIfDistinctRoots(*Vcur) == false)
return false;
// find roots of sigma(z)
// this will take O(e^2 + e^{\log_2 3} m) operations in GF(2^m),
// where e is the degree of sigma(z)
answer = FindRoots(*Vcur);
// take inverses of roots of sigma(z)
for (i = 0; i < answer.length(); ++i)
answer[i] = inv(answer[i]);
// It is now necessary to verify if the resulting vector
// has the correct syndrome: it is possible that it does
// not even though the polynomial sigma(z) factors
// completely
// This takes O(de) operations in GF(2^m)
vec_GF2E test;
BCHSyndromeCompute (test, answer, d);
return (test==ssWithoutEvens);
}
void applyLookupTable(vec_GF2E& ltable, vec_GF2E& tgt){
int i, n=tgt.length();
for(i=0; i<n; i++){
tgt[i] = ltable[getLong(tgt[i])];
}
}