package org.bouncycastle.pqc.crypto.ntru;

import org.bouncycastle.crypto.EncapsulatedSecretExtractor;
import org.bouncycastle.crypto.digests.SHA3Digest;
import org.bouncycastle.pqc.math.ntru.HPSPolynomial;
import org.bouncycastle.pqc.math.ntru.Polynomial;
import org.bouncycastle.pqc.math.ntru.parameters.NTRUHPSParameterSet;
import org.bouncycastle.pqc.math.ntru.parameters.NTRUParameterSet;
import org.bouncycastle.util.Arrays;

/* loaded from: classes12.dex */
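/**
 * Decapsulation side of the NTRU KEM: derives the shared secret from an encapsulation using the
 * holder's private key.
 *
 * <p>Decapsulation never reports failure to the caller. The validity checks are folded into a
 * single 0/1 flag, and {@link #cmov} uses that flag to select between {@code SHA3-256(message)}
 * and {@code SHA3-256(prfKey || ciphertext)} without branching. A caller therefore cannot tell
 * an accepted ciphertext from a rejected one by return value or exception.
 *
 * <p>This listing is decompiler output, so the scratch polynomial names below are neutral rather
 * than the original author's.
 */
public class NTRUKEMExtractor implements EncapsulatedSecretExtractor {
    private final NTRUPrivateKeyParameters ntruPrivateKey;
    private final NTRUParameters params;

    /**
     * Creates an extractor bound to one private key.
     *
     * @param nTRUPrivateKeyParameters private key whose parameters select the parameter set
     */
    public NTRUKEMExtractor(NTRUPrivateKeyParameters nTRUPrivateKeyParameters) {
        this.params = nTRUPrivateKeyParameters.getParameters();
        this.ntruPrivateKey = nTRUPrivateKeyParameters;
    }

    /**
     * Branch-free conditional move: overwrites {@code dest} with {@code src} when {@code flag} is
     * 1 and leaves it unchanged when {@code flag} is 0.
     *
     * @param dest buffer updated in place; its length bounds the loop
     * @param src  replacement bytes; must be at least as long as {@code dest}
     * @param flag selector, expected to be exactly 0 or 1
     */
    private static void cmov(byte[] dest, byte[] src, byte flag) {
        // -flag: 0x00 for flag == 0, 0xFF for flag == 1, so the select needs no data-dependent branch.
        final byte mask = (byte) ((~flag) + 1);
        for (int i = 0; i < dest.length; i++) {
            final byte current = dest[i];
            dest[i] = (byte) (current ^ ((src[i] ^ current) & mask));
        }
    }

    /** Zeroes a byte buffer that may not have been allocated yet. */
    private static void wipe(byte[] data) {
        if (data != null) {
            Arrays.clear(data);
        }
    }

    /** Zeroes the coefficients of a scratch polynomial. */
    private static void wipe(Polynomial poly) {
        java.util.Arrays.fill(poly.coeffs, (short) 0);
    }

    /**
     * Recovers the shared secret for an encapsulation.
     *
     * @param bArr the encapsulation (ciphertext); must hold at least
     *             {@link #getEncapsulationLength()} bytes
     * @return {@code sharedKeyBytes()} bytes of key material; for a ciphertext that fails the
     *         validity checks this is derived from the private PRF key and the ciphertext
     * @throws IllegalArgumentException if {@code bArr} is null or shorter than the ciphertext
     *         length of the parameter set
     */
    @Override // org.bouncycastle.crypto.EncapsulatedSecretExtractor
    public byte[] extractSecret(byte[] bArr) {
        final NTRUParameterSet parameterSet = this.params.parameterSet;
        final int ciphertextBytes = parameterSet.ntruCiphertextBytes();

        // Reject truncated input before any private-key-dependent work. Previously a short
        // buffer surfaced as an index error from inside the arithmetic. The length is public.
        if (bArr == null || bArr.length < ciphertextBytes) {
            throw new IllegalArgumentException(
                "encapsulation must hold at least " + ciphertextBytes + " bytes");
        }
        // NOTE(review): input longer than ciphertextBytes is still accepted, as before. Only the
        // first ciphertextBytes bytes enter the PRF input below, and the parse presumably ignores
        // the rest; callers that need strict framing should compare against
        // getEncapsulationLength() themselves.

        final byte[] sk = this.ntruPrivateKey.privateKey;
        final int prfKeyBytes = parameterSet.prfKeyBytes();
        final int packTrinaryBytes = parameterSet.packTrinaryBytes();
        final int owcpaMsgBytes = parameterSet.owcpaMsgBytes();
        final int n = parameterSet.n();
        final int q = parameterSet.q();

        final byte[] prfInput = new byte[prfKeyBytes + ciphertextBytes];
        final byte[] owcpaMsg = new byte[owcpaMsgBytes];

        // NOTE(review): the instance is discarded; it looks like a leftover of an inlined
        // decrypt call. Kept because the constructor is not visible here; confirm it has no
        // side effects before removing it.
        new NTRUOWCPA(parameterSet);

        // Scratch polynomials, each reused for several intermediate values.
        final Polynomial x1 = parameterSet.createPolynomial();
        final Polynomial x2 = parameterSet.createPolynomial();
        final Polynomial x3 = parameterSet.createPolynomial();
        final Polynomial x4 = parameterSet.createPolynomial();

        byte[] skSecondPart = null;
        byte[] skThirdPart = null;
        byte[] msgHigh = null;
        byte[] msgLow = null;
        byte[] k = null;
        byte[] rejectionKey = null;
        try {
            x1.rqSumZeroFromBytes(bArr);
            x2.s3FromBytes(sk);
            x2.z3ToZq();
            x3.rqMul(x1, x2);
            x2.rqToS3(x3);
            skSecondPart = Arrays.copyOfRange(sk, packTrinaryBytes, sk.length);
            x3.s3FromBytes(skSecondPart);
            x4.s3Mul(x2, x3);
            msgHigh = x4.s3ToBytes(owcpaMsgBytes - packTrinaryBytes);

            // Check 1: the masked bits of the last ciphertext byte must be zero.
            final short unusedBits = (short) (bArr[ciphertextBytes - 1]
                & (255 << (8 - ((parameterSet.packDegree() * parameterSet.logQ()) & 7))));
            int fail = ((~unusedBits + 1) >>> 15) & 1;

            // Check 2 (HPS parameter sets only): the counts of coefficients with bit 1 and bit 0
            // set must match, and the bit-1 sum must equal the parameter set's weight. The loop
            // always runs over all n - 1 coefficients; the branch depends on public data only.
            if (parameterSet instanceof NTRUHPSParameterSet) {
                final HPSPolynomial hps = (HPSPolynomial) x4;
                short twos = 0;
                short ones = 0;
                for (int i = 0; i < n - 1; i++) {
                    final short c = hps.coeffs[i];
                    twos = (short) (twos + (c & 2));
                    ones = (short) (ones + (c & 1));
                }
                final int hpsCheck =
                    ((twos >>> 1) ^ ones) | (((NTRUHPSParameterSet) parameterSet).weight() ^ twos);
                fail |= ((~hpsCheck + 1) >>> 31) & 1;
            }

            x2.lift(x4);
            for (int i = 0; i < n; i++) {
                x1.coeffs[i] = (short) (x1.coeffs[i] - x2.coeffs[i]);
            }
            skThirdPart = Arrays.copyOfRange(sk, packTrinaryBytes * 2, sk.length);
            x3.sqFromBytes(skThirdPart);
            x4.sqMul(x1, x3);

            // Check 3: every coefficient is folded into one accumulator, so the time taken does
            // not depend on which coefficient (if any) is out of range. The last coefficient must
            // be zero. Presumably q is a power of two, making (q - 4) a bit mask; confirm.
            int rangeCheck = 0;
            for (int i = 0; i < n - 1; i++) {
                final short c = x4.coeffs[i];
                rangeCheck = rangeCheck | ((c + 1) & (q - 4)) | ((c + 2) & 4);
            }
            fail |= ((~(x4.coeffs[n - 1] | rangeCheck) + 1) >>> 31) & 1;

            x4.trinaryZqToZ3();
            msgLow = x4.s3ToBytes(owcpaMsgBytes);
            System.arraycopy(msgLow, 0, owcpaMsg, 0, msgLow.length);
            System.arraycopy(msgHigh, 0, owcpaMsg, packTrinaryBytes, msgHigh.length);

            final SHA3Digest sha3 = new SHA3Digest(256);
            k = new byte[sha3.getDigestSize()];
            sha3.update(owcpaMsg, 0, owcpaMsg.length);
            sha3.doFinal(k, 0);

            // Rejection key: SHA3-256(prfKey || ciphertext). It is computed on every call so the
            // accepted and rejected paths do the same work.
            System.arraycopy(sk, parameterSet.owcpaSecretKeyBytes(), prfInput, 0, prfKeyBytes);
            System.arraycopy(bArr, 0, prfInput, prfKeyBytes, ciphertextBytes);
            sha3.reset();
            sha3.update(prfInput, 0, prfInput.length);
            // A dedicated digest-sized buffer avoids relying on owcpaMsgBytes() being at least
            // the digest size, which reusing the message buffer would require.
            rejectionKey = new byte[sha3.getDigestSize()];
            sha3.doFinal(rejectionKey, 0);

            cmov(k, rejectionKey, (byte) fail);
            return Arrays.copyOfRange(k, 0, parameterSet.sharedKeyBytes());
        } finally {
            // Best-effort zeroisation of everything derived from the private key or the
            // decrypted message, including on an exceptional exit. The JVM may still hold
            // copies it made itself, so this narrows exposure rather than guaranteeing erasure.
            wipe(prfInput);
            wipe(owcpaMsg);
            wipe(skSecondPart);
            wipe(skThirdPart);
            wipe(msgHigh);
            wipe(msgLow);
            wipe(k);
            wipe(rejectionKey);
            wipe(x1);
            wipe(x2);
            wipe(x3);
            wipe(x4);
        }
    }

    /**
     * Returns the ciphertext length, in bytes, of the configured parameter set.
     *
     * @return the value of {@code ntruCiphertextBytes()} for this key's parameter set
     */
    @Override // org.bouncycastle.crypto.EncapsulatedSecretExtractor
    public int getEncapsulationLength() {
        return this.params.parameterSet.ntruCiphertextBytes();
    }
}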
