HQC perf. opts., refactoring

peterdettman · peterdettman · commit 7a324ba2209f · 2026-02-22T20:56:27.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/GF2PolynomialCalculator.java b/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/GF2PolynomialCalculator.java
@@ -25,6 +25,11 @@ void addTo(long[] x, long[] z)
         Nat.xorTo64(size, x, z);
     }
 
+    void clear(long[] z)
+    {
+        Nat.zero64(size, z);
+    }
+
     long[] create()
     {
         return new long[size];
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java b/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/HQCEngine.java
@@ -22,17 +22,16 @@ class HQCEngine
     private final int fft;
     private final int mulParam;
     private final int N_BYTE;
-    private final int K_BYTE;
     private final int N1N2_BYTE_64;
     private final int N1N2_BYTE;
     private final int[] generatorPoly;
-    private final int N_MU;
+    private final int nMu;
     private final int pkSize;
     private final GF2PolynomialCalculator gf;
     private final int rejectionThreshold;
     private final int cipherTextBytes;
 
-    HQCEngine(int n, int n1, int n2, int k, int g, int delta, int w, int wr, int fft, int nmu, int pkSize,
+    HQCEngine(int n, int n1, int n2, int k, int g, int delta, int w, int wr, int fft, int nMu, int pkSize,
         int[] generatorPoly)
     {
         this.n = n;
@@ -44,11 +43,10 @@ class HQCEngine
         this.generatorPoly = generatorPoly;
         this.g = g;
         this.fft = fft;
-        this.N_MU = nmu;
+        this.nMu = nMu;
         this.pkSize = pkSize;
         this.mulParam = n2 >> 7;
         this.N_BYTE = Utils.getByteSizeFromBitSize(n);
-        this.K_BYTE = k;
         this.N1N2_BYTE_64 = Utils.getByte64SizeFromBitSize(n1 * n2);
         this.N1N2_BYTE = Utils.getByteSizeFromBitSize(n1 * n2);
         this.gf = new GF2PolynomialCalculator(n);
@@ -77,10 +75,10 @@ void genKeyPair(byte[] pk, byte[] sk, SecureRandom secureRandom)
 
         secureRandom.nextBytes(seedKem);
         Shake256RandomGenerator ctxKem = new Shake256RandomGenerator(seedKem, (byte)1);
-        System.arraycopy(seedKem, 0, sk, pkSize + SEED_BYTES + K_BYTE, SEED_BYTES);
+        System.arraycopy(seedKem, 0, sk, pkSize + SEED_BYTES + k, SEED_BYTES);
 
         ctxKem.nextBytes(seedKem);
-        ctxKem.nextBytes(sk, pkSize + SEED_BYTES, K_BYTE);
+        ctxKem.nextBytes(sk, pkSize + SEED_BYTES, k);
 
         hashHI(keypairSeed, 512, seedKem, seedKem.length, (byte)2);
         ctxKem.init(keypairSeed, 0, SEED_BYTES, (byte)1);
@@ -96,9 +94,9 @@ void genKeyPair(byte[] pk, byte[] sk, SecureRandom secureRandom)
         System.arraycopy(keypairSeed, 0, sk, pkSize, SEED_BYTES);
         System.arraycopy(pk, 0, sk, 0, pkSize);
         Arrays.clear(keypairSeed);
-        Arrays.clear(xLongBytes);
-        Arrays.clear(yLongBytes);
-        Arrays.clear(h);
+        gf.clear(xLongBytes);
+        gf.clear(yLongBytes);
+        gf.clear(h);
     }
 
     /**
@@ -112,7 +110,7 @@ void genKeyPair(byte[] pk, byte[] sk, SecureRandom secureRandom)
     void encaps(byte[] u, byte[] v, byte[] kTheta, byte[] pk, byte[] salt, SecureRandom secureRandom)
     {
         // 1. Randomly generate m
-        byte[] m = new byte[K_BYTE];
+        byte[] m = new byte[k];
         byte[] hashEkKem = new byte[SEED_BYTES];
         long[] u64 = gf.create();
         long[] v64 = new long[N1N2_BYTE_64];
@@ -125,7 +123,7 @@ void encaps(byte[] u, byte[] v, byte[] kTheta, byte[] pk, byte[] salt, SecureRan
         pkeEncrypt(u64, v64, pk, m, kTheta, SEED_BYTES);
         Utils.fromLongArrayToByteArray(u, 0, u.length, u64);
         Utils.fromLongArrayToByteArray(v, 0, v.length, v64);
-        Arrays.clear(u64);
+        gf.clear(u64);
         Arrays.clear(v64);
         Arrays.clear(m);
         Arrays.clear(hashEkKem);
@@ -173,19 +171,19 @@ int decaps(byte[] ss, byte[] ct, byte[] sk)
         System.arraycopy(kThetaPrime, 0, ss, 0, 32);
         Arrays.fill(cKemPrimeV64, 0L);
         pkeEncrypt(cKemPrimeU64, cKemPrimeV64, sk, mPrime, kThetaPrime, 32);
-        hashGJ(kBar, 256, hashEkKem, sk, pkSize + SEED_BYTES, K_BYTE, ct, 0, ct.length, (byte)3);
+        hashGJ(kBar, 256, hashEkKem, sk, pkSize + SEED_BYTES, k, ct, 0, ct.length, (byte)3);
 
         int result = (int)(gf.equalTo(u64, cKemPrimeU64) & gf.equalTo(v64, cKemPrimeV64));
 
-        for (int i = 0; i < K_BYTE; i++)
+        for (int i = 0; i < k; i++)
         {
             ss[i] = (byte)(((ss[i] & result) ^ (kBar[i] & ~result)) & 0xff);
         }
 
-        Arrays.clear(u64);
-        Arrays.clear(v64);
-        Arrays.clear(cKemPrimeU64);
-        Arrays.clear(cKemPrimeV64);
+        gf.clear(u64);
+        gf.clear(v64);
+        gf.clear(cKemPrimeU64);
+        gf.clear(cKemPrimeV64);
         Arrays.clear(hashEkKem);
         Arrays.clear(kThetaPrime);
         Arrays.clear(mPrime);
@@ -218,17 +216,16 @@ private void pkeEncrypt(long[] u, long[] v, byte[] ekPke, byte[] m, byte[] theta
 
         vectSampleFixedWeights2(randomGenerator, tmp, wr);// tmp is r1
         gf.addTo(tmp, u);
-        Arrays.clear(e);
-        Arrays.clear(tmp);
+        gf.clear(e);
+        gf.clear(tmp);
         Arrays.clear(res);
     }
 
     private int barrettReduce(int x)
     {
-        long q = ((long) x * N_MU) >>> 32;
-        int r = x - (int) (q * n);
-        r -= (-(((r - n) >>> 31) ^ 1)) & n;
-        return r;
+        int q = (int)(((long)x * nMu) >>> 32);
+        int r = x - n - q * n;
+        return r + ((r >> 31) & n);
     }
 
     private void generateRandomSupport(int[] support, int weight, Shake256RandomGenerator random)
@@ -250,9 +247,9 @@ private void generateRandomSupport(int[] support, int weight, Shake256RandomGene
             {
                 continue;
             }
+
             candidate = barrettReduce(candidate);
             boolean duplicate = false;
-
             for (int k = 0; k < count; k++)
             {
                 if (support[k] == candidate)
@@ -261,11 +258,12 @@ private void generateRandomSupport(int[] support, int weight, Shake256RandomGene
                     break;
                 }
             }
-
-            if (!duplicate)
+            if (duplicate)
             {
-                support[count++] = candidate;
+                continue;
             }
+
+            support[count++] = candidate;
         }
     }
 
@@ -284,69 +282,68 @@ private void writeSupportToVector(long[] v, int[] support, int weight)
             for (int j = 0; j < weight; j++)
             {
                 int tmp = i - indexTab[j];
-                val |= (bitTab[j] & -(1 ^ ((tmp | -tmp) >>> 31)));
+                val |= bitTab[j] & ~((tmp | -tmp) >> 31);
             }
             v[i] = val;
         }
     }
 
-    public void vectSampleFixedWeight1(long[] output, Shake256RandomGenerator random, int weight)
+    private void vectSampleFixedWeight1(long[] output, Shake256RandomGenerator random, int weight)
     {
         int[] support = new int[wr];
         generateRandomSupport(support, weight, random);
         writeSupportToVector(output, support, weight);
     }
 
-    private static void hashHI(byte[] output, int bitLength, byte[] in, int inLen, byte domain)
-    {
-        SHA3Digest digest = new SHA3Digest(bitLength);
-        digest.update(in, 0, inLen);
-        digest.update(domain);
-        digest.doFinal(output, 0);
-    }
-
-    private void hashGJ(byte[] output, int bitLength, byte[] hashEkKem, byte[] mOrSigma, int mOrSigmaOff,
-        int mOrSigmaLen, byte[] saltOrCt, int saltOrCtOff, int saltOrCtOffLen, byte domain)
-    {
-        SHA3Digest digest = new SHA3Digest(bitLength);
-        digest.update(hashEkKem, 0, hashEkKem.length);
-        digest.update(mOrSigma, mOrSigmaOff, mOrSigmaLen);
-        digest.update(saltOrCt, saltOrCtOff, saltOrCtOffLen);
-        digest.update(domain);
-        digest.doFinal(output, 0);
-    }
-
     private void vectSampleFixedWeights2(Shake256RandomGenerator generator, long[] v, int weight)
     {
-        int[] support = new int[wr];
         byte[] rand = new byte[wr << 2];
         generator.xofGetBytes(rand, rand.length);
+
+        int[] support = new int[wr];
         Pack.littleEndianToInt(rand, 0, support);
-        for (int i = 0; i < weight; ++i)
-        {
-            support[i] = i + (int) (((support[i] & 0xFFFFFFFFL) * (n - i)) >> 32);
-        }
 
-        for (int i = weight - 1; i-- > 0;)
+        int i = weight;
+        while (--i >= 0)
         {
-            int found = 0;
+            int support_i = i + (int)(((support[i] & 0xFFFFFFFFL) * (n - i)) >> 32);
+            int notFound = -1;
             for (int j = i + 1; j < weight; ++j)
             {
-                found |= compareU32(support[j], support[i]);
+                notFound &= cdiff(support_i, support[j]);
             }
-            found = -found;
-            support[i] = (found & i) ^ (~found & support[i]);
+            support[i] = (~notFound & i) ^ (notFound & support_i);
         }
+
         writeSupportToVector(v, support, weight);
     }
 
-    private static int compareU32(int v1, int v2)
+    private void vectTruncate(long[] v)
     {
-        return 1 ^ (((v1 - v2) | (v2 - v1)) >>> 31);
+        Arrays.fill(v, N1N2_BYTE_64, (n + 63) >> 6, 0L);
     }
 
-    private void vectTruncate(long[] v)
+    private static int cdiff(int v1, int v2)
     {
-        Arrays.fill(v, N1N2_BYTE_64, (n + 63) >> 6, 0L);
+        return ((v1 - v2) | (v2 - v1)) >> 31;
+    }
+
+    private static void hashGJ(byte[] output, int bitLength, byte[] hashEkKem, byte[] mOrSigma, int mOrSigmaOff,
+        int mOrSigmaLen, byte[] saltOrCt, int saltOrCtOff, int saltOrCtOffLen, byte domain)
+    {
+        SHA3Digest digest = new SHA3Digest(bitLength);
+        digest.update(hashEkKem, 0, hashEkKem.length);
+        digest.update(mOrSigma, mOrSigmaOff, mOrSigmaLen);
+        digest.update(saltOrCt, saltOrCtOff, saltOrCtOffLen);
+        digest.update(domain);
+        digest.doFinal(output, 0);
+    }
+
+    private static void hashHI(byte[] output, int bitLength, byte[] in, int inLen, byte domain)
+    {
+        SHA3Digest digest = new SHA3Digest(bitLength);
+        digest.update(in, 0, inLen);
+        digest.update(domain);
+        digest.doFinal(output, 0);
     }
 }
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/ReedMuller.java b/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/ReedMuller.java
@@ -62,16 +62,15 @@ private static void expandThenSum(int[] desCode, Codeword[] srcCode, int off, in
 
         for (int i = 1; i < mulParam; i++)
         {
+            int[] type32 = srcCode[off + i].type32;
             for (int j = 0; j < 4; j++)
             {
                 for (int k = 0; k < 32; k++)
                 {
-                    desCode[j * 32 + k] += srcCode[i + off].type32[j] >> k & 1;
-
+                    desCode[j * 32 + k] += type32[j] >> k & 1;
                 }
             }
         }
-
     }
 
     private static int findPeaks(int[] input)
@@ -95,10 +94,9 @@ private static int findPeaks(int[] input)
         return peakPos;
     }
 
-
     private static int Bit0Mask(int b)
     {
-        return (-(b & 1));
+        return -(b & 1);
     }
 
     public static void encode(long[] codeword, byte[] m, int n1, int mulParam)
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/ReedSolomon.java b/core/src/main/java/org/bouncycastle/pqc/crypto/hqc/ReedSolomon.java
@@ -111,7 +111,6 @@ private static int computeELP(int[] sigma, int[] syndromes, int delta)
         int degSigmaP = 0;
         int[] sigmaDup = new int[delta + 1];
         int[] sigmaP = new int[delta + 1];
-        int degSigmaDup;
         int pp = Utils.toUnsigned16Bits(-1);
         int dp = 1;
         int d = syndromes[0];
@@ -121,7 +120,7 @@ private static int computeELP(int[] sigma, int[] syndromes, int delta)
         for (int i = 0; i < 2 * delta; i++)
         {
             System.arraycopy(sigma, 0, sigmaDup, 0, delta + 1);
-            degSigmaDup = degSigma;
+            int degSigmaDup = degSigma;
             int dd = GFCalculator.div(d, dp);
 
             for (int j = 1; j <= i + 1 && j <= delta; j++)
@@ -190,20 +189,19 @@ private static void computeErrors(int[] res, int[] zx, byte[] errorCompactSet, i
         int[] betaSet = new int[delta];
         int[] eSet = new int[delta];
 
-        int deltaCount = 0, deltaVal, mask1;
+        int deltaCount1 = 0;
         for (int i = 0; i < n1; i++)
         {
             int mark = 0;
             int mask = errorCompactSet[i] != 0 ? 0xffff : 0;
             for (int j = 0; j < delta; j++)
             {
-                int iMask = j == deltaCount ? 0xffff : 0;
+                int iMask = j == deltaCount1 ? 0xffff : 0;
                 betaSet[j] += iMask & mask & expArrays[i];
                 mark += iMask & mask & 1;
             }
-            deltaCount += mark;
+            deltaCount1 += mark;
         }
-        deltaVal = deltaCount;
 
         for (int i = 0; i < delta; i++)
         {
@@ -223,23 +221,23 @@ private static void computeErrors(int[] res, int[] zx, byte[] errorCompactSet, i
                 temp2 = GFCalculator.mul(temp2, 1 ^ GFCalculator.mul(inv, betaSet[(i + j) % delta]));
             }
 
-            mask1 = i < deltaVal ? 0xffff : 0;
+            int mask1 = i < deltaCount1 ? 0xffff : 0;
             eSet[i] = mask1 & GFCalculator.div(temp1, temp2);
         }
 
-        deltaCount = 0;
+        int deltaCount2 = 0;
         for (int i = 0; i < n1; i++)
         {
             int mark = 0;
             int mask = errorCompactSet[i] != 0 ? 0xffff : 0;
 
             for (int j = 0; j < delta; j++)
             {
-                int iMask = j == deltaCount ? 0xffff : 0;
+                int iMask = j == deltaCount2 ? 0xffff : 0;
                 res[i] += iMask & mask & eSet[j];
                 mark += iMask & mask & 1;
             }
-            deltaCount += mark;
+            deltaCount2 += mark;
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,11 @@ void addTo(long[] x, long[] z)`
`25`	`25`	`Nat.xorTo64(size, x, z);`
`26`	`26`	`}`
`27`	`27`
	`28`	`+ void clear(long[] z)`
	`29`	`+ {`
	`30`	`+ Nat.zero64(size, z);`
	`31`	`+ }`
	`32`	`+`
`28`	`33`	`long[] create()`
`29`	`34`	`{`
`30`	`35`	`return new long[size];`
Original file line number	Diff line number	Diff line change
`@@ -62,16 +62,15 @@ private static void expandThenSum(int[] desCode, Codeword[] srcCode, int off, in`
`62`	`62`
`63`	`63`	`for (int i = 1; i < mulParam; i++)`
`64`	`64`	`{`
	`65`	`+ int[] type32 = srcCode[off + i].type32;`
`65`	`66`	`for (int j = 0; j < 4; j++)`
`66`	`67`	`{`
`67`	`68`	`for (int k = 0; k < 32; k++)`
`68`	`69`	`{`
`69`		`- desCode[j * 32 + k] += srcCode[i + off].type32[j] >> k & 1;`
`70`		`-`
	`70`	`+ desCode[j * 32 + k] += type32[j] >> k & 1;`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`	`}`
`74`		`-`
`75`	`74`	`}`
`76`	`75`
`77`	`76`	`private static int findPeaks(int[] input)`
`@@ -95,10 +94,9 @@ private static int findPeaks(int[] input)`
`95`	`94`	`return peakPos;`
`96`	`95`	`}`
`97`	`96`
`98`		`-`
`99`	`97`	`private static int Bit0Mask(int b)`
`100`	`98`	`{`
`101`		`- return (-(b & 1));`
	`99`	`+ return -(b & 1);`
`102`	`100`	`}`
`103`	`101`
`104`	`102`	`public static void encode(long[] codeword, byte[] m, int n1, int mulParam)`
Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,6 @@ private static int computeELP(int[] sigma, int[] syndromes, int delta)`
`111`	`111`	`int degSigmaP = 0;`
`112`	`112`	`int[] sigmaDup = new int[delta + 1];`
`113`	`113`	`int[] sigmaP = new int[delta + 1];`
`114`		`- int degSigmaDup;`
`115`	`114`	`int pp = Utils.toUnsigned16Bits(-1);`
`116`	`115`	`int dp = 1;`
`117`	`116`	`int d = syndromes[0];`
`@@ -121,7 +120,7 @@ private static int computeELP(int[] sigma, int[] syndromes, int delta)`
`121`	`120`	`for (int i = 0; i < 2 * delta; i++)`
`122`	`121`	`{`
`123`	`122`	`System.arraycopy(sigma, 0, sigmaDup, 0, delta + 1);`
`124`		`- degSigmaDup = degSigma;`
	`123`	`+ int degSigmaDup = degSigma;`
`125`	`124`	`int dd = GFCalculator.div(d, dp);`
`126`	`125`
`127`	`126`	`for (int j = 1; j <= i + 1 && j <= delta; j++)`
`@@ -190,20 +189,19 @@ private static void computeErrors(int[] res, int[] zx, byte[] errorCompactSet, i`
`190`	`189`	`int[] betaSet = new int[delta];`
`191`	`190`	`int[] eSet = new int[delta];`
`192`	`191`
`193`		`- int deltaCount = 0, deltaVal, mask1;`
	`192`	`+ int deltaCount1 = 0;`
`194`	`193`	`for (int i = 0; i < n1; i++)`
`195`	`194`	`{`
`196`	`195`	`int mark = 0;`
`197`	`196`	`int mask = errorCompactSet[i] != 0 ? 0xffff : 0;`
`198`	`197`	`for (int j = 0; j < delta; j++)`
`199`	`198`	`{`
`200`		`- int iMask = j == deltaCount ? 0xffff : 0;`
	`199`	`+ int iMask = j == deltaCount1 ? 0xffff : 0;`
`201`	`200`	`betaSet[j] += iMask & mask & expArrays[i];`
`202`	`201`	`mark += iMask & mask & 1;`
`203`	`202`	`}`
`204`		`- deltaCount += mark;`
	`203`	`+ deltaCount1 += mark;`
`205`	`204`	`}`
`206`		`- deltaVal = deltaCount;`
`207`	`205`
`208`	`206`	`for (int i = 0; i < delta; i++)`
`209`	`207`	`{`
`@@ -223,23 +221,23 @@ private static void computeErrors(int[] res, int[] zx, byte[] errorCompactSet, i`
`223`	`221`	`temp2 = GFCalculator.mul(temp2, 1 ^ GFCalculator.mul(inv, betaSet[(i + j) % delta]));`
`224`	`222`	`}`
`225`	`223`
`226`		`- mask1 = i < deltaVal ? 0xffff : 0;`
	`224`	`+ int mask1 = i < deltaCount1 ? 0xffff : 0;`
`227`	`225`	`eSet[i] = mask1 & GFCalculator.div(temp1, temp2);`
`228`	`226`	`}`
`229`	`227`
`230`		`- deltaCount = 0;`
	`228`	`+ int deltaCount2 = 0;`
`231`	`229`	`for (int i = 0; i < n1; i++)`
`232`	`230`	`{`
`233`	`231`	`int mark = 0;`
`234`	`232`	`int mask = errorCompactSet[i] != 0 ? 0xffff : 0;`
`235`	`233`
`236`	`234`	`for (int j = 0; j < delta; j++)`
`237`	`235`	`{`
`238`		`- int iMask = j == deltaCount ? 0xffff : 0;`
	`236`	`+ int iMask = j == deltaCount2 ? 0xffff : 0;`
`239`	`237`	`res[i] += iMask & mask & eSet[j];`
`240`	`238`	`mark += iMask & mask & 1;`
`241`	`239`	`}`
`242`		`- deltaCount += mark;`
	`240`	`+ deltaCount2 += mark;`
`243`	`241`	`}`
`244`	`242`	`}`
`245`	`243`	`}`