package org.spongycastle.pqc.crypto.newhope;

import java.security.SecureRandom;
import kotlin.UShort;
import org.spongycastle.crypto.digests.SHA3Digest;
import org.spongycastle.crypto.digests.SHAKEDigest;
import org.spongycastle.crypto.engines.ChaChaEngine;
import org.spongycastle.crypto.params.KeyParameter;
import org.spongycastle.crypto.params.ParametersWithIV;

/* loaded from: classes3.dex */
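/**
 * Static routines for a NewHope-style ring-LWE key exchange over 1024-coefficient polynomials
 * with modulus 12289, as recovered by a decompiler (helper names in {@code Poly}, {@code NTT},
 * {@code Reduce}, {@code Precomp} and {@code ErrorCorrection} are obfuscated).
 *
 * <p>Message layout, as used by the offsets in this class:
 * <ul>
 *   <li>initiator message ({@link #SENDA_BYTES} = 1792 + 32): encoded polynomial followed by the
 *       32-byte public seed;</li>
 *   <li>responder message ({@link #SENDB_BYTES} = 1792 + 256): encoded polynomial followed by
 *       256 bytes carrying four 2-bit reconciliation values each.</li>
 * </ul>
 *
 * <p>NOTE(review): the 16-bit masks below were printed by the decompiler as
 * {@code kotlin.UShort.MAX_VALUE} in some places and as {@code 65535} in others, inside the same
 * expression. {@code UShort.MAX_VALUE} is a 16-bit constant (a {@code short} holding -1 on the
 * JVM, as far as I can tell), so recompiling that spelling would sign-extend instead of masking
 * and corrupt the Montgomery inputs. The literal {@code 0xFFFF} is used throughout instead.
 *
 * <p>NOTE(review): none of the secret buffers created here (noise seeds, noise polynomials,
 * pre-hash shared value) is overwritten after use; they live until garbage collection.
 *
 * <p>NOTE(review): NewHope was not among the schemes standardised by NIST; confirm that this
 * key exchange is still the intended primitive before relying on it for new designs.
 */
class NewHope {
    /** Length in bytes of the derived shared key (one SHA3-256 output). */
    public static final int AGREEMENT_SIZE = 32;
    /** Number of coefficients per polynomial. */
    public static final int POLY_SIZE = 1024;
    /** Length of the initiator's message: 1792 polynomial bytes + 32 seed bytes. */
    public static final int SENDA_BYTES = 1824;
    /** Length of the responder's message: 1792 polynomial bytes + 256 reconciliation bytes. */
    public static final int SENDB_BYTES = 2048;

    /**
     * Expands a seed into 1024 coefficients below 12289 by rejection sampling on SHAKE-128 output.
     *
     * <p>Each pair of output bytes is read little-endian, masked to 14 bits and kept only if it
     * is below 12289. The number of squeezed blocks therefore depends on the seed; in this class
     * the seed is the value that is also sent in clear at offset 1792 of the initiator message,
     * so that variation is over public data.
     *
     * @param bArr seed bytes absorbed into SHAKE-128
     * @param sArr destination for the 1024 accepted coefficients (must hold at least 1024)
     */
    public static void a(byte[] bArr, short[] sArr) {
        SHAKEDigest sHAKEDigest = new SHAKEDigest(128);
        sHAKEDigest.update(bArr, 0, bArr.length);
        int i2 = 0;
        while (true) {
            // Squeeze another 256 bytes (128 candidate values) from the XOF.
            byte[] bArr2 = new byte[256];
            sHAKEDigest.doOutput(bArr2, 0, 256);
            for (int i3 = 0; i3 < 256; i3 += 2) {
                // 16-bit little-endian value reduced to 14 bits (0..16383).
                int i4 = ((bArr2[i3] & 255) | ((bArr2[i3 + 1] & 255) << 8)) & 16383;
                if (i4 < 12289) {
                    int i5 = i2 + 1;
                    sArr[i2] = (short) i4;
                    if (i5 == 1024) {
                        return;
                    } else {
                        i2 = i5;
                    }
                }
            }
        }
    }

    /**
     * Generates the initiator's key pair and first message.
     *
     * <p>Two independent 32-byte values are drawn from {@code secureRandom}: a public seed
     * (expanded with {@link #a(byte[], short[])} and appended to the message) and a secret noise
     * seed that drives both noise polynomials. The quality of {@code secureRandom} is therefore
     * the whole secrecy of {@code sArr}.
     *
     * @param secureRandom randomness source for the public seed and the secret noise seed
     * @param bArr output message; bytes 0..1791 are written by {@code Poly.g}, bytes 1792..1823
     *     receive the public seed (needs at least {@link #SENDA_BYTES} bytes)
     * @param sArr output secret polynomial (1024 coefficients), kept by the caller for
     *     {@link #sharedA(byte[], short[], byte[])}
     */
    public static void keygen(SecureRandom secureRandom, byte[] bArr, short[] sArr) {
        // Public seed, expanded into the shared polynomial.
        byte[] bArr2 = new byte[32];
        secureRandom.nextBytes(bArr2);
        short[] sArr2 = new short[1024];
        a(bArr2, sArr2);
        // Secret noise seed. NOTE(review): never wiped after use.
        byte[] bArr3 = new byte[32];
        secureRandom.nextBytes(bArr3);
        // Poly.d(dst, seed, tag): presumably samples a noise polynomial from the seed, with the
        // last byte separating the streams (0 here, 1 below) - confirm against Poly.
        Poly.d(sArr, bArr3, (byte) 0);
        short[] sArr3 = Precomp.f18160c;
        for (int i2 = 0; i2 < 1024; i2++) {
            // Coefficients are treated as unsigned 16-bit before the multiply-and-reduce.
            sArr[i2] = Reduce.b((sArr[i2] & 0xFFFF) * (sArr3[i2] & 0xFFFF));
        }
        short[] sArr4 = Precomp.f18159a;
        // Table multiply followed by NTT.a: looks like the forward transform - TODO confirm.
        NTT.a(sArr, sArr4);
        short[] sArr5 = new short[1024];
        Poly.d(sArr5, bArr3, (byte) 1);
        for (int i3 = 0; i3 < 1024; i3++) {
            sArr5[i3] = Reduce.b((sArr5[i3] & 0xFFFF) * (sArr3[i3] & 0xFFFF));
        }
        NTT.a(sArr5, sArr4);
        // Poly.f / Poly.a: presumably pointwise product and sum, i.e. public = a*s + e - confirm.
        short[] sArr6 = new short[1024];
        Poly.f(sArr2, sArr, sArr6);
        short[] sArr7 = new short[1024];
        Poly.a(sArr6, sArr5, sArr7);
        // Serialise the public polynomial, then append the public seed.
        Poly.g(bArr, sArr7);
        System.arraycopy(bArr2, 0, bArr, 1792, 32);
    }

    /**
     * Initiator side: derives the 32-byte shared key from the responder's message.
     *
     * <p>NOTE(review): {@code bArr2} comes from the peer and its length is not checked here.
     * Input shorter than {@link #SENDB_BYTES} fails only through Java's array bounds check
     * (the read at {@code i2 + 1792}, or earlier inside {@code Poly.b}); longer input is not
     * rejected. Whether decoded coefficients are range-checked depends on {@code Poly.b}.
     * Callers should enforce the exact length before calling.
     *
     * @param bArr output buffer; its first 32 bytes are replaced by the SHA3-256 hash of the
     *     reconciled value
     * @param sArr the secret polynomial produced by {@link #keygen}
     * @param bArr2 the responder's message ({@link #SENDB_BYTES} bytes)
     */
    public static void sharedA(byte[] bArr, short[] sArr, byte[] bArr2) {
        short[] sArr2 = new short[1024];
        short[] sArr3 = new short[1024];
        // Poly.b: presumably decodes the first 1792 bytes into a polynomial - confirm.
        Poly.b(bArr2, sArr2);
        // Unpack the reconciliation data: four 2-bit values per byte, low bits first.
        for (int i2 = 0; i2 < 256; i2++) {
            int i3 = i2 * 4;
            byte b = bArr2[i2 + 1792];
            int i4 = b & 255;
            sArr3[i3] = (short) (b & 3);
            sArr3[i3 + 1] = (short) ((i4 >>> 2) & 3);
            sArr3[i3 + 2] = (short) ((i4 >>> 4) & 3);
            sArr3[i3 + 3] = (short) (i4 >>> 6);
        }
        short[] sArr4 = new short[1024];
        Poly.f(sArr, sArr2, sArr4);
        Poly.c(sArr4);
        // ErrorCorrection.c writes the reconciled value into bArr (presumably 32 bytes).
        ErrorCorrection.c(bArr, sArr4, sArr3);
        // Hash the first 32 bytes in place so the raw reconciled value is not used as the key.
        SHA3Digest sHA3Digest = new SHA3Digest(256);
        sHA3Digest.update(bArr, 0, 32);
        sHA3Digest.doFinal(bArr, 0);
    }

    /**
     * Responder side: consumes the initiator's message, produces the reply and the shared key.
     *
     * <p>A single 32-byte secret seed from {@code secureRandom} drives three noise polynomials
     * (tags 0, 1, 2) and keys the ChaCha20 instance (nonce byte 3) that supplies the random bits
     * of the reconciliation step.
     *
     * <p>NOTE(review): {@code bArr3} comes from the peer and its length is not checked here.
     * Input shorter than {@link #SENDA_BYTES} fails only through the bounds check in
     * {@code System.arraycopy} (or earlier inside {@code Poly.b}); longer input is not rejected.
     * Callers should enforce the exact length before calling.
     *
     * @param secureRandom randomness source for the secret noise seed
     * @param bArr output buffer; its first 32 bytes are replaced by the SHA3-256 hash of the
     *     reconciled value
     * @param bArr2 output reply message (needs at least {@link #SENDB_BYTES} bytes)
     * @param bArr3 the initiator's message ({@link #SENDA_BYTES} bytes)
     */
    public static void sharedB(SecureRandom secureRandom, byte[] bArr, byte[] bArr2, byte[] bArr3) {
        short[] sArr = new short[1024];
        byte[] bArr4 = new byte[32];
        // Peer's polynomial and public seed.
        Poly.b(bArr3, sArr);
        // i2, i4, i6 and s2 below are decompiler register leftovers holding 0, 1, 2 and 8.
        int i2 = 0;
        System.arraycopy(bArr3, 1792, bArr4, 0, 32);
        short[] sArr2 = new short[1024];
        a(bArr4, sArr2);
        // Secret noise seed. NOTE(review): never wiped after use.
        byte[] bArr5 = new byte[32];
        secureRandom.nextBytes(bArr5);
        short[] sArr3 = new short[1024];
        Poly.d(sArr3, bArr5, (byte) 0);
        short[] sArr4 = Precomp.f18160c;
        for (int i3 = 0; i3 < 1024; i3++) {
            // Coefficients are treated as unsigned 16-bit before the multiply-and-reduce.
            sArr3[i3] = Reduce.b((sArr3[i3] & 0xFFFF) * (sArr4[i3] & 0xFFFF));
        }
        short[] sArr5 = Precomp.f18159a;
        NTT.a(sArr3, sArr5);
        short[] sArr6 = new short[1024];
        int i4 = 1;
        Poly.d(sArr6, bArr5, (byte) 1);
        for (int i5 = 0; i5 < 1024; i5++) {
            sArr6[i5] = Reduce.b((sArr6[i5] & 0xFFFF) * (sArr4[i5] & 0xFFFF));
        }
        NTT.a(sArr6, sArr5);
        // Reply polynomial: Poly.f then Poly.a in place (presumably a*s' + e' - confirm).
        short[] sArr7 = new short[1024];
        Poly.f(sArr2, sArr3, sArr7);
        Poly.a(sArr7, sArr6, sArr7);
        // Shared value: peer polynomial combined with the local secret, then a third noise term.
        short[] sArr8 = new short[1024];
        Poly.f(sArr, sArr3, sArr8);
        Poly.c(sArr8);
        short[] sArr9 = new short[1024];
        int i6 = 2;
        Poly.d(sArr9, bArr5, (byte) 2);
        Poly.a(sArr8, sArr9, sArr8);
        short[] sArr10 = new short[1024];
        short s2 = 8;
        // 8-byte nonce with first byte 3, keeping this stream apart from the noise tags 0..2.
        byte[] bArr6 = new byte[8];
        bArr6[0] = 3;
        byte[] bArr7 = new byte[32];
        ChaChaEngine chaChaEngine = new ChaChaEngine(20);
        chaChaEngine.init(true, new ParametersWithIV(new KeyParameter(bArr5), bArr6));
        // Processing an all-zero buffer in place leaves 32 bytes of cipher output in bArr7,
        // i.e. 256 bits that depend only on the secret seed and the nonce.
        chaChaEngine.processBytes(bArr7, 0, 32, bArr7, 0);
        int[] iArr = new int[8];
        int i7 = 0;
        // Reconciliation: one group of four coefficients (i7, +256, +512, +768) per iteration.
        while (i7 < 256) {
            // One bit from bArr7 per group, scaled to 0 or 4.
            int i8 = ((bArr7[i7 >>> 3] >>> (i7 & 7)) & i4) * 4;
            int i9 = i7 + 256;
            int i10 = i7 + 512;
            int a2 = ErrorCorrection.a(i2, 4, (sArr8[i7] * s2) + i8, iArr) + ErrorCorrection.a(i4, 5, (sArr8[i9] * 8) + i8, iArr) + ErrorCorrection.a(i6, 6, (sArr8[i10] * 8) + i8, iArr);
            int i11 = i7 + 768;
            // a3 is 0 or -1 (sign of 24577 - sum); i12 is its complement.
            int a3 = (24577 - (a2 + ErrorCorrection.a(3, 7, (sArr8[i11] * 8) + i8, iArr))) >> 31;
            int i12 = ~a3;
            // Mask-based selection between iArr[0..3] and iArr[4..7], with no branch on a3.
            int[] iArr2 = {(i12 & iArr[0]) ^ (a3 & iArr[4]), (i12 & iArr[i4]) ^ (a3 & iArr[5]), (i12 & iArr[i6]) ^ (a3 & iArr[6]), (iArr[7] & a3) ^ (i12 & iArr[3])};
            int i13 = iArr2[0];
            int i14 = iArr2[3];
            sArr10[i7] = (short) ((i13 - i14) & 3);
            sArr10[i9] = (short) ((iArr2[1] - i14) & 3);
            sArr10[i10] = (short) ((iArr2[2] - i14) & 3);
            sArr10[i11] = (short) (((i14 * 2) + (-a3)) & 3);
            i7++;
            i4 = 1;
            s2 = 8;
            i2 = 0;
            i6 = 2;
        }
        // Reply: encoded polynomial, then the 2-bit reconciliation values packed four per byte.
        Poly.g(bArr2, sArr7);
        for (int i15 = 0; i15 < 256; i15++) {
            int i16 = i15 * 4;
            bArr2[i15 + 1792] = (byte) ((sArr10[i16 + 3] << 6) | sArr10[i16] | (sArr10[i16 + 1] << 2) | (sArr10[i16 + 2] << 4));
        }
        ErrorCorrection.c(bArr, sArr8, sArr10);
        // Hash the first 32 bytes in place so the raw reconciled value is not used as the key.
        SHA3Digest sHA3Digest = new SHA3Digest(256);
        sHA3Digest.update(bArr, 0, 32);
        sHA3Digest.doFinal(bArr, 0);
    }
}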
