From 7c188d8ef5b36ede116ee5dbbcae30e207bef788 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 19 Jan 2024 15:41:18 +0100
Subject: [PATCH 01/27] Utility functions for Classic McEliece

- constant time conditional swap with mask
- floor_log2

Co-Authored-By: Amos Treiber <amos.treiber@rohde-schwarz.com>
---
 src/lib/utils/bit_ops.h  |  8 ++++++++
 src/lib/utils/ct_utils.h | 20 +++++++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/src/lib/utils/bit_ops.h b/src/lib/utils/bit_ops.h
index 504c363ef9e..53a60d663d2 100644
--- a/src/lib/utils/bit_ops.h
+++ b/src/lib/utils/bit_ops.h
@@ -118,6 +118,14 @@ inline constexpr size_t ctz(T n)
    return lb;
 }
 
+template <typename T>
+inline constexpr T floor_log2(T n)
+   requires(std::is_unsigned<T>::value)
+{
+   BOTAN_ARG_CHECK(n != 0, "log2(0) is not defined");
+   return static_cast<T>(high_bit(n) - 1);
+}
+
 template <typename T>
 constexpr uint8_t ceil_log2(T x)
    requires(std::is_integral<T>::value && sizeof(T) < 32)
diff --git a/src/lib/utils/ct_utils.h b/src/lib/utils/ct_utils.h
index e6d864d8e44..f291dc3c34d 100644
--- a/src/lib/utils/ct_utils.h
+++ b/src/lib/utils/ct_utils.h
@@ -257,6 +257,20 @@ class Mask final {
          }
       }
 
+      /**
+     * If this mask is set, swap x and y
+     */
+      template <typename U>
+      void conditional_swap(U& x, U& y) const
+         requires(sizeof(U) <= sizeof(T))
+      {
+         auto cnd = Mask<U>(*this);
+         U t0 = cnd.select(y, x);
+         U t1 = cnd.select(x, y);
+         x = t0;
+         y = t1;
+      }
+
       /**
       * Return the value of the mask, unpoisoned
       */
@@ -304,11 +318,7 @@ inline Mask<T> conditional_assign_mem(T cnd, T* sink, const T* src, size_t elems
 template <typename T>
 inline void conditional_swap(bool cnd, T& x, T& y) {
    const auto swap = CT::Mask<T>::expand(cnd);
-
-   T t0 = swap.select(y, x);
-   T t1 = swap.select(x, y);
-   x = t0;
-   y = t1;
+   swap.conditional_swap(x, y);
 }
 
 template <typename T>

From 052a205980de673b6f51b90193f15e8982b6fd1f Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 19 Jan 2024 15:43:30 +0100
Subject: [PATCH 02/27] Add --no-stdout flag to botan-test

---
 src/tests/main.cpp               | 5 +++--
 src/tests/runner/test_runner.cpp | 4 +++-
 src/tests/tests.h                | 9 +++++++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/tests/main.cpp b/src/tests/main.cpp
index 3e08a2715a2..110d45bc1bd 100644
--- a/src/tests/main.cpp
+++ b/src/tests/main.cpp
@@ -60,7 +60,7 @@ int main(int argc, char* argv[]) {
    try {
       const std::string arg_spec =
          "botan-test --verbose --help --data-dir= --pkcs11-lib= --provider= "
-         "--log-success --abort-on-first-fail --no-avoid-undefined --skip-tests= "
+         "--log-success --abort-on-first-fail --no-stdout --no-avoid-undefined --skip-tests= "
          "--test-threads=0 --test-results-dir= --run-long-tests --run-memory-intensive-tests "
          "--run-online-tests --test-runs=1 --drbg-seed= --report-properties= *suites";
 
@@ -98,7 +98,8 @@ int main(int argc, char* argv[]) {
                                            parser.flag_set("run-online-tests"),
                                            parser.flag_set("run-long-tests"),
                                            parser.flag_set("run-memory-intensive-tests"),
-                                           parser.flag_set("abort-on-first-fail"));
+                                           parser.flag_set("abort-on-first-fail"),
+                                           parser.flag_set("no-stdout"));
 
       Botan_Tests::Test_Runner tests(std::cout);
 
diff --git a/src/tests/runner/test_runner.cpp b/src/tests/runner/test_runner.cpp
index 289e9aad7fc..f461888fcad 100644
--- a/src/tests/runner/test_runner.cpp
+++ b/src/tests/runner/test_runner.cpp
@@ -73,7 +73,9 @@ class Testsuite_RNG final : public Botan::RandomNumberGenerator {
 }  // namespace
 
 bool Test_Runner::run(const Test_Options& opts) {
-   m_reporters.emplace_back(std::make_unique<StdoutReporter>(opts, output()));
+   if(!opts.no_stdout()) {
+      m_reporters.emplace_back(std::make_unique<StdoutReporter>(opts, output()));
+   }
    if(!opts.xml_results_dir().empty()) {
 #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)
       m_reporters.emplace_back(std::make_unique<XmlReporter>(opts, opts.xml_results_dir()));
diff --git a/src/tests/tests.h b/src/tests/tests.h
index 0696d5acf49..ea7c0e5c7c0 100644
--- a/src/tests/tests.h
+++ b/src/tests/tests.h
@@ -74,7 +74,8 @@ class Test_Options {
                    bool run_online_tests,
                    bool run_long_tests,
                    bool run_memory_intensive_tests,
-                   bool abort_on_first_fail) :
+                   bool abort_on_first_fail,
+                   bool no_stdout) :
             m_requested_tests(requested_tests),
             m_skip_tests(skip_tests.begin(), skip_tests.end()),
             m_data_dir(data_dir),
@@ -90,7 +91,8 @@ class Test_Options {
             m_run_online_tests(run_online_tests),
             m_run_long_tests(run_long_tests),
             m_run_memory_intensive_tests(run_memory_intensive_tests),
-            m_abort_on_first_fail(abort_on_first_fail) {}
+            m_abort_on_first_fail(abort_on_first_fail),
+            m_no_stdout(no_stdout) {}
 
       const std::vector<std::string>& requested_tests() const { return m_requested_tests; }
 
@@ -122,6 +124,8 @@ class Test_Options {
 
       bool abort_on_first_fail() const { return m_abort_on_first_fail; }
 
+      bool no_stdout() const { return m_no_stdout; }
+
       bool verbose() const { return m_verbose; }
 
    private:
@@ -141,6 +145,7 @@ class Test_Options {
       bool m_run_long_tests;
       bool m_run_memory_intensive_tests;
       bool m_abort_on_first_fail;
+      bool m_no_stdout;
 };
 
 namespace detail {

From 8ca673c5e184662ed68687a2ce789452b962eee1 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Tue, 21 Nov 2023 17:53:12 +0100
Subject: [PATCH 03/27] bitvector<> with basic functionality

---
 src/lib/utils/bitvector.h          | 1043 ++++++++++++++++++++++++++++
 src/lib/utils/info.txt             |    1 +
 src/tests/test_utils_bitvector.cpp |  808 +++++++++++++++++++++
 3 files changed, 1852 insertions(+)
 create mode 100644 src/lib/utils/bitvector.h
 create mode 100644 src/tests/test_utils_bitvector.cpp

diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
new file mode 100644
index 00000000000..763adce3dc1
--- /dev/null
+++ b/src/lib/utils/bitvector.h
@@ -0,0 +1,1043 @@
+/*
+ * An abstraction for an arbitrarily large bitvector that can
+ * optionally use the secure_allocator.
+ *
+ * (C) 2023 Jack Lloyd
+ * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+
+#ifndef BOTAN_BIT_VECTOR_H_
+#define BOTAN_BIT_VECTOR_H_
+
+#include <botan/concepts.h>
+#include <botan/exceptn.h>
+#include <botan/mem_ops.h>
+#include <botan/secmem.h>
+#include <botan/internal/bit_ops.h>
+#include <botan/internal/ct_utils.h>
+#include <botan/internal/loadstor.h>
+#include <botan/internal/stl_util.h>
+
+#include <optional>
+#include <span>
+#include <sstream>
+#include <string>
+#include <utility>
+#include <vector>
+
+namespace Botan {
+
+namespace detail {
+
+template <typename T0, typename... Ts>
+struct first_type {
+      using type = T0;
+};
+
+// get the first type from a parameter pack
+template <typename... Ts>
+   requires(sizeof...(Ts) > 0)
+using first_t = typename first_type<Ts...>::type;
+
+// get the first object from a parameter pack
+template <typename T0, typename... Ts>
+constexpr static first_t<T0, Ts...> first(T0&& t, Ts&&...) {
+   return std::forward<T0>(t);
+}
+
+template <typename OutT, typename>
+using as = OutT;
+
+template <typename FnT, std::unsigned_integral BlockT, typename... ParamTs>
+using blockwise_processing_callback_return_type = std::invoke_result_t<FnT, as<BlockT, ParamTs>...>;
+
+template <typename FnT, typename BlockT, typename... ParamTs>
+concept is_blockwise_processing_callback_return_type =
+   std::unsigned_integral<BlockT> &&
+   (std::same_as<BlockT, blockwise_processing_callback_return_type<FnT, BlockT, ParamTs...>> ||
+    std::same_as<bool, blockwise_processing_callback_return_type<FnT, BlockT, ParamTs...>> ||
+    std::same_as<void, blockwise_processing_callback_return_type<FnT, BlockT, ParamTs...>>);
+
+template <typename FnT, typename... ParamTs>
+concept blockwise_processing_callback_without_mask =
+   is_blockwise_processing_callback_return_type<FnT, uint8_t, ParamTs...> &&
+   is_blockwise_processing_callback_return_type<FnT, uint16_t, ParamTs...> &&
+   is_blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs...> &&
+   is_blockwise_processing_callback_return_type<FnT, uint64_t, ParamTs...>;
+
+template <typename FnT, typename... ParamTs>
+concept blockwise_processing_callback_with_mask =
+   is_blockwise_processing_callback_return_type<FnT, uint8_t, ParamTs..., uint8_t /* mask */> &&
+   is_blockwise_processing_callback_return_type<FnT, uint16_t, ParamTs..., uint16_t /* mask */> &&
+   is_blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., uint32_t /* mask */> &&
+   is_blockwise_processing_callback_return_type<FnT, uint64_t, ParamTs..., uint64_t /* mask */>;
+
+/**
+ * Defines the callback constraints for the BitRangeOperator. For further
+ * details, see bitvector_base::range_operation().
+ */
+template <typename FnT, typename... ParamTs>
+concept blockwise_processing_callback = blockwise_processing_callback_with_mask<FnT, ParamTs...> ||
+                                        blockwise_processing_callback_without_mask<FnT, ParamTs...>;
+
+template <typename FnT, typename... ParamTs>
+concept manipulating_blockwise_processing_callback =
+   (blockwise_processing_callback_without_mask<FnT, ParamTs...> &&
+    std::same_as<uint32_t, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs...>>) ||
+   (blockwise_processing_callback_with_mask<FnT, ParamTs...> &&
+    std::same_as<uint32_t, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., first_t<ParamTs...>>>);
+
+template <typename FnT, typename... ParamTs>
+concept predicate_blockwise_processing_callback =
+   (blockwise_processing_callback_without_mask<FnT, ParamTs...> &&
+    std::same_as<bool, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs...>>) ||
+   (blockwise_processing_callback_with_mask<FnT, ParamTs...> &&
+    std::same_as<bool, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., first_t<ParamTs...>>>);
+
+}  // namespace detail
+
+/**
+ * An arbitrarily large bitvector with typical bit manipulation and convenient
+ * bitwise access methods. Don't use `bitvector_base` directly, but the type
+ * aliases::
+ *
+ *    * bitvector         - with a standard allocator
+ *    * secure_bitvector  - with a secure allocator that auto-scrubs the memory
+ */
+template <template <typename> typename AllocatorT>
+class bitvector_base final {
+   public:
+      using block_type = uint8_t;
+      using size_type = size_t;
+      using allocator_type = AllocatorT<block_type>;
+
+      static constexpr size_type block_size_bytes = sizeof(block_type);
+      static constexpr size_type block_size_bits = block_size_bytes * 8;
+      static constexpr bool uses_secure_allocator = std::is_same_v<allocator_type, secure_allocator<block_type>>;
+
+   private:
+      template <template <typename> typename FriendAllocatorT>
+      friend class bitvector_base;
+
+      static constexpr block_type one = block_type(1);
+
+      static constexpr size_type block_offset_shift = size_type(3) + ceil_log2(block_size_bytes);
+      static constexpr size_type block_index_mask = (one << block_offset_shift) - 1;
+
+      static constexpr size_type block_index(size_type pos) { return pos >> block_offset_shift; }
+
+      static constexpr size_type block_offset(size_type pos) { return pos & block_index_mask; }
+
+   private:
+      /**
+       * Internal helper to wrap a single bit in the bitvector and provide
+       * certain convenience access methods.
+       */
+      template <typename BlockT>
+         requires std::same_as<block_type, std::remove_cv_t<BlockT>>
+      class bitref_base {
+         private:
+            friend class bitvector_base<AllocatorT>;
+
+            constexpr bitref_base(std::span<BlockT> blocks, size_type pos) :
+                  m_block(blocks[block_index(pos)]), m_mask(one << block_offset(pos)) {}
+
+         public:
+            bitref_base() = delete;
+            bitref_base(const bitref_base&) noexcept = default;
+            bitref_base(bitref_base&&) noexcept = default;
+            bitref_base& operator=(const bitref_base&) = delete;
+            bitref_base& operator=(bitref_base&&) = delete;
+
+            ~bitref_base() = default;
+
+         public:
+            constexpr operator bool() const noexcept { return is_set(); }
+
+            constexpr bool is_set() const noexcept { return (m_block & m_mask) > 0; }
+
+         protected:
+            BlockT& m_block;  // NOLINT(*-non-private-member-variables-in-classes)
+            BlockT m_mask;    // NOLINT(*-non-private-member-variables-in-classes)
+      };
+
+   public:
+      /**
+       * Wraps a constant reference into the bitvector. Bit can be accessed
+       * but not modified.
+       */
+      template <typename BlockT>
+      class bitref final : public bitref_base<BlockT> {
+         public:
+            using bitref_base<BlockT>::bitref_base;
+      };
+
+      /**
+       * Wraps a modifiable reference into the bitvector. Bit may be accessed
+       * and modified (e.g. flipped or XOR'ed).
+       */
+      template <typename BlockT>
+         requires(!std::is_const_v<BlockT>)
+      class bitref<BlockT> : public bitref_base<BlockT> {
+         public:
+            using bitref_base<BlockT>::bitref_base;
+
+            ~bitref() = default;
+            bitref(const bitref&) noexcept = default;
+            bitref(bitref&&) noexcept = default;
+
+            constexpr bitref& set() noexcept {
+               this->m_block |= this->m_mask;
+               return *this;
+            }
+
+            constexpr bitref& unset() noexcept {
+               this->m_block &= ~this->m_mask;
+               return *this;
+            }
+
+            constexpr bitref& flip() noexcept {
+               this->m_block ^= this->m_mask;
+               return *this;
+            }
+
+            // NOLINTBEGIN
+
+            constexpr bitref& operator=(bool bit) noexcept { return assign(bit); }
+
+            constexpr bitref& operator=(const bitref& bit) noexcept { return assign(bit); }
+
+            constexpr bitref& operator=(bitref&& bit) noexcept { return assign(bit); }
+
+            // NOLINTEND
+
+            constexpr bitref& operator&=(bool other) noexcept { return assign(this->is_set() && other); }
+
+            constexpr bitref& operator|=(bool other) noexcept { return assign(this->is_set() || other); }
+
+            constexpr bitref& operator^=(bool other) noexcept { return assign(this->is_set() ^ other); }
+
+         private:
+            constexpr bitref& assign(bool bit) noexcept { return (bit) ? set() : unset(); }
+      };
+
+   public:
+      bitvector_base() : m_bits(0) {}
+
+      bitvector_base(size_type bits) : m_bits(bits), m_blocks(ceil_toblocks(bits)) {}
+
+      /**
+       * Initialize the bitvector from a byte-array. Bits are taken byte-wise
+       * from least significant to most significant. Example::
+       *
+       *    bitvector[0] -> LSB(Byte[0])
+       *    bitvector[1] -> LSB+1(Byte[0])
+       *    ...
+       *    bitvector[8] -> LSB(Byte[1])
+       *
+       * @param bytes The byte vector to be loaded
+       * @param bits  The number of bits to be loaded. This must not be more
+       *              than the number of bytes in @p bytes.
+       */
+      bitvector_base(std::span<const uint8_t> bytes, std::optional<size_type> bits = std::nullopt) {
+         from_bytes(bytes, bits);
+      }
+
+      bool empty() const { return m_bits == 0; }
+
+      size_type size() const { return m_bits; }
+
+      /**
+       * @returns true iff the number of 1-bits in this is odd, false otherwise
+       */
+      bool has_odd_hamming_weight() const {
+         uint64_t acc = 0;
+         full_range_operation([&](std::unsigned_integral auto block) { acc ^= block; }, *this);
+
+         for(size_t i = (sizeof(acc) * 8) >> 1; i > 0; i >>= 1) {
+            acc ^= acc >> i;
+         }
+
+         acc &= one;
+
+         return acc == 1;
+      }
+
+      /**
+       * @returns a copy of this bitvector as a secure_bitvector
+       */
+      auto as_locked() const { return subvector<secure_allocator>(0, size()); }
+
+      /**
+       * @returns a copy of this bitvector as a standard-allocated bitvector
+       */
+      auto as_unlocked() const { return subvector<std::allocator>(0, size()); }
+
+      /**
+       * @returns true if @p other contains the same bit pattern as this
+       */
+      template <template <typename> typename OtherAllocatorT>
+      bool equals(const bitvector_base<OtherAllocatorT>& other) const noexcept {
+         return size() == other.size() &&
+                full_range_operation(
+                   []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) { return lhs == rhs; }, *this, other);
+      }
+
+      /// @name Serialization
+      /// @{
+
+      /**
+       * Re-initialize the bitvector with the given bytes. See the respective
+       * constructor for details. This should be used only when trying to save
+       * allocations. Otherwise, use the constructor.
+       *
+       * @param bytes  the byte range to load bits from
+       * @param bits   (optional) if not all @p bytes should be loaded in full
+       */
+      void from_bytes(std::span<const uint8_t> bytes, std::optional<size_type> bits = std::nullopt) {
+         m_bits = bits.value_or(bytes.size_bytes() * 8);
+         BOTAN_ARG_CHECK(m_bits <= bytes.size_bytes() * 8, "not enough data to load so many bits");
+         resize(m_bits);
+
+         // load as much aligned data as possible
+         const auto verbatim_blocks = m_bits / block_size_bits;
+         const auto verbatim_bytes = verbatim_blocks * block_size_bytes;
+         if(verbatim_blocks > 0) {
+            typecast_copy(std::span{m_blocks}.first(verbatim_blocks), bytes.first(verbatim_bytes));
+         }
+
+         // load remaining unaligned data
+         for(size_type i = verbatim_bytes * 8; i < m_bits; ++i) {
+            ref(i) = ((bytes[i >> 3] & (uint8_t(1) << (i & 7))) != 0);
+         }
+      }
+
+      /**
+       * Renders the bitvector into a byte array. By default, this will use
+       * `std::vector<uint8_t>` or `Botan::secure_vector<uint8_t>`, depending on
+       * the allocator used by the bitvector. The rendering is compatible with
+       * the bit layout explained in the respective constructor.
+       */
+      template <concepts::resizable_byte_buffer OutT =
+                   std::conditional_t<uses_secure_allocator, secure_vector<uint8_t>, std::vector<uint8_t>>>
+      OutT to_bytes() const {
+         OutT out(ceil_tobytes(m_bits));
+         to_bytes(out);
+         return out;
+      }
+
+      /**
+       * Renders the bitvector into a properly sized byte range.
+       *
+       * @param out  a byte range that has a length of at least `ceil_tobytes(size())`.
+       */
+      void to_bytes(std::span<uint8_t> out) const {
+         const auto bytes_needed = ceil_tobytes(m_bits);
+         BOTAN_ARG_CHECK(bytes_needed <= out.size_bytes(), "Not enough space to render bitvector");
+
+         // copy as much aligned data as possible
+         const auto verbatim_blocks = m_bits / block_size_bits;
+         const auto verbatim_bytes = verbatim_blocks * block_size_bytes;
+         if(verbatim_blocks > 0) {
+            typecast_copy(out.first(verbatim_bytes), std::span{m_blocks}.first(verbatim_blocks));
+         }
+
+         // copy remaining unaligned data
+         for(size_type i = verbatim_bytes * 8; i < m_bits; ++i) {
+            out[i >> 3] |= static_cast<uint8_t>(ref(i)) << (i & 7);
+         }
+      }
+
+      /**
+       * Renders this bitvector into a sequence of "0"s and "1"s.
+       */
+      std::string to_string() const {
+         // TODO: if we introduce iterators for the bitvector class
+         //       we might be able to move this into a cpp file.
+         std::stringstream ss;
+         for(size_type i = 0; i < size(); ++i) {
+            ss << ref(i);
+         }
+         return ss.str();
+      }
+
+      /// @}
+
+      /// @name Capacity Accessors and Modifiers
+      /// @{
+
+      size_type capacity() const { return m_blocks.capacity() * block_size_bits; }
+
+      void reserve(size_type bits) { m_blocks.reserve(ceil_toblocks(bits)); }
+
+      void resize(size_type bits) {
+         const auto new_number_of_blocks = ceil_toblocks(bits);
+         if(new_number_of_blocks != m_blocks.size()) {
+            m_blocks.resize(new_number_of_blocks);
+         }
+
+         m_bits = bits;
+         zero_unused_bits();
+      }
+
+      void push_back(bool bit) {
+         const auto i = size();
+         resize(i + 1);
+         ref(i) = bit;
+      }
+
+      void pop_back() {
+         if(!empty()) {
+            resize(size() - 1);
+         }
+      }
+
+      /// @}
+
+      /// @name Bitwise and Global Accessors and Modifiers
+      /// @{
+
+      auto at(size_type pos) {
+         check_offset(pos);
+         return ref(pos);
+      }
+
+      // TODO C++23: deducing this
+      auto at(size_type pos) const {
+         check_offset(pos);
+         return ref(pos);
+      }
+
+      auto front() { return ref(0); }
+
+      // TODO C++23: deducing this
+      auto front() const { return ref(0); }
+
+      auto back() { return ref(size() - 1); }
+
+      // TODO C++23: deducing this
+      auto back() const { return ref(size() - 1); }
+
+      /**
+       * Sets the bit at position @p pos.
+       * @throws Botan::Invalid_Argument if @p pos is out of range
+       */
+      bitvector_base& set(size_type pos) {
+         check_offset(pos);
+         ref(pos).set();
+         return *this;
+      }
+
+      /**
+       * Sets all currently allocated bits.
+       */
+      bitvector_base& set() {
+         full_range_operation(
+            [](std::unsigned_integral auto block) -> decltype(block) { return static_cast<decltype(block)>(~0); },
+            *this);
+         zero_unused_bits();
+         return *this;
+      }
+
+      /**
+       * Unsets the bit at position @p pos.
+       * @throws Botan::Invalid_Argument if @p pos is out of range
+       */
+      bitvector_base& unset(size_type pos) {
+         check_offset(pos);
+         ref(pos).unset();
+         return *this;
+      }
+
+      /**
+       * Unsets all currently allocated bits.
+       */
+      bitvector_base& unset() {
+         full_range_operation(
+            [](std::unsigned_integral auto block) -> decltype(block) { return static_cast<decltype(block)>(0); },
+            *this);
+         return *this;
+      }
+
+      /**
+       * Flips the bit at position @p pos.
+       * @throws Botan::Invalid_Argument if @p pos is out of range
+       */
+      bitvector_base& flip(size_type pos) {
+         check_offset(pos);
+         ref(pos).flip();
+         return *this;
+      }
+
+      /**
+       * Flips all currently allocated bits.
+       */
+      bitvector_base& flip() {
+         full_range_operation([](std::unsigned_integral auto block) -> decltype(block) { return ~block; }, *this);
+         zero_unused_bits();
+         return *this;
+      }
+
+      /**
+       * TODO: Maybe not CT, because working with booleans.
+       * @returns true iff no bit is set
+       */
+      bool none() const {
+         return full_range_operation([](std::unsigned_integral auto block) { return block == 0; }, *this);
+      }
+
+      /**
+       * @returns true iff at least one bit is set
+       */
+      bool any() const { return !none(); }
+
+      /**
+       * TODO: Maybe not CT, because working with booleans.
+       * @returns true iff all bits are set
+       */
+      bool all() const {
+         return full_range_operation(
+            []<std::unsigned_integral BlockT>(BlockT block, BlockT mask) { return block == mask; }, *this);
+      }
+
+      auto operator[](size_type pos) { return ref(pos); }
+
+      // TODO C++23: deducing this
+      bool operator[](size_type pos) const { return ref(pos); }
+
+      /// @}
+
+      /// @name Subvectors
+      /// @{
+
+      /**
+       * Creates a new bitvector with a subsection of this bitvector starting at
+       * @p pos copying exactly @p length bits.
+       */
+      template <template <typename> typename NewAllocatorT = AllocatorT>
+      auto subvector(size_type pos, std::optional<size_type> length = std::nullopt) const {
+         size_type bitlen = length.value_or(size() - pos);
+         BOTAN_ARG_CHECK(pos + bitlen <= size(), "Not enough bits to copy");
+
+         bitvector_base<NewAllocatorT> newvector(bitlen);
+
+         if(bitlen > 0) {
+            if(pos % 8 == 0) {
+               copy_mem(
+                  newvector.m_blocks,
+                  std::span{m_blocks}.subspan(block_index(pos), block_index(pos + bitlen - 1) - block_index(pos) + 1));
+            } else {
+               BitRangeOperator<const bitvector_base<AllocatorT>, BitRangeAlignment::no_alignment> from_op(
+                  *this, pos, bitlen);
+               BitRangeOperator<bitvector_base<NewAllocatorT>> to_op(newvector, 0, bitlen);
+               range_operation([](auto /* to */, auto from) { return from; }, to_op, from_op);
+            }
+
+            newvector.zero_unused_bits();
+         }
+
+         return newvector;
+      }
+
+      /// @}
+
+      /// @name Operators
+      ///
+      /// @{
+
+      auto operator~() {
+         auto newbv = *this;
+         newbv.flip();
+         return newbv;
+      }
+
+      template <template <typename> typename OtherAllocatorT>
+      auto& operator|=(const bitvector_base<OtherAllocatorT>& other) {
+         full_range_operation(
+            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs | rhs; }, *this, other);
+         return *this;
+      }
+
+      template <template <typename> typename OtherAllocatorT>
+      auto& operator&=(const bitvector_base<OtherAllocatorT>& other) {
+         full_range_operation(
+            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs & rhs; }, *this, other);
+         return *this;
+      }
+
+      template <template <typename> typename OtherAllocatorT>
+      auto& operator^=(const bitvector_base<OtherAllocatorT>& other) {
+         full_range_operation(
+            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs ^ rhs; }, *this, other);
+         return *this;
+      }
+
+      /// @}
+
+      /// @name Constant Time Operations
+      ///
+      /// @{
+
+      /**
+       * Implements::
+       *
+       *    if(condition) {
+       *       *this ^= other;
+       *    }
+       *
+       * omitting runtime dependence on any of the parameters.
+       */
+      template <template <typename> typename OtherAllocatorT>
+      void ct_conditional_xor(bool condition, const bitvector_base<OtherAllocatorT>& other) {
+         BOTAN_ASSERT_NOMSG(m_bits == other.m_bits);
+         BOTAN_ASSERT_NOMSG(m_blocks.size() == other.m_blocks.size());
+
+         auto maybe_xor = overloaded{
+            [m = CT::Mask<uint64_t>::expand(condition)](uint64_t lhs, uint64_t rhs) -> uint64_t {
+               return lhs ^ m.if_set_return(rhs);
+            },
+            [m = CT::Mask<uint32_t>::expand(condition)](uint32_t lhs, uint32_t rhs) -> uint32_t {
+               return lhs ^ m.if_set_return(rhs);
+            },
+            [m = CT::Mask<uint16_t>::expand(condition)](uint16_t lhs, uint16_t rhs) -> uint16_t {
+               return lhs ^ m.if_set_return(rhs);
+            },
+            [m = CT::Mask<uint8_t>::expand(condition)](uint8_t lhs, uint8_t rhs) -> uint8_t {
+               return lhs ^ m.if_set_return(rhs);
+            },
+         };
+
+         full_range_operation(maybe_xor, *this, other);
+      }
+
+      /// @}
+
+   private:
+      void check_offset(size_type pos) const { BOTAN_ARG_CHECK(pos < m_bits, "Out of range"); }
+
+      void zero_unused_bits() {
+         const auto first_unused_bit = size();
+
+         // Zero out any unused bits in the last block
+         if(first_unused_bit % block_size_bits != 0) {
+            const block_type mask = (one << block_offset(first_unused_bit)) - one;
+            m_blocks[block_index(first_unused_bit)] &= mask;
+         }
+      }
+
+      static constexpr size_type ceil_toblocks(size_type bits) {
+         return (bits + block_size_bits - 1) / block_size_bits;
+      }
+
+      auto ref(size_type pos) const { return bitref<const block_type>(m_blocks, pos); }
+
+      auto ref(size_type pos) { return bitref<block_type>(m_blocks, pos); }
+
+   private:
+      enum class BitRangeAlignment { byte_aligned, no_alignment };
+
+      /**
+       * Helper construction to implement bit range operations on the bitvector.
+       * It basically implements an iterator to read and write blocks of bits
+       * from the underlying bitvector. Where "blocks of bits" are unsigned
+       * integers of varying bit lengths.
+       *
+       * If the iteration starts at a byte boundary in the underlying bitvector,
+       * this applies certain optimizations (i.e. loading blocks of bits straight
+       * from the underlying byte buffer). The optimizations are enabled at
+       * compile time (with the template parameter `alignment`).
+       */
+      template <typename BitvectorT, auto alignment = BitRangeAlignment::byte_aligned>
+      class BitRangeOperator {
+         private:
+            constexpr static bool is_const() { return std::is_const_v<BitvectorT>; }
+
+         public:
+            BitRangeOperator(BitvectorT& source, size_type start_bitoffset, size_type bitlength) :
+                  m_source(source),
+                  m_start_bitoffset(start_bitoffset),
+                  m_bitlength(bitlength),
+                  m_read_bitpos(start_bitoffset),
+                  m_write_bitpos(start_bitoffset) {
+               BOTAN_ASSERT(is_byte_aligned() == (m_start_bitoffset % 8 == 0), "byte alignment guarantee");
+               BOTAN_ASSERT(m_source.size() >= m_start_bitoffset + m_bitlength, "enough bytes in underlying source");
+            }
+
+            BitRangeOperator(BitvectorT& source) : BitRangeOperator(source, 0, source.size()) {}
+
+            static constexpr bool is_byte_aligned() { return alignment == BitRangeAlignment::byte_aligned; }
+
+            /**
+             * @returns the overall number of bits to be iterated with this operator
+             */
+            size_type size() const { return m_bitlength; }
+
+            /**
+             * @returns the number of bits not yet read from this operator
+             */
+            size_type bits_to_read() const { return m_bitlength - m_read_bitpos + m_start_bitoffset; }
+
+            /**
+             * @returns the number of bits still to be written into this operator
+             */
+            size_type bits_to_write() const { return m_bitlength - m_write_bitpos + m_start_bitoffset; }
+
+            /**
+             * Loads the next block of bits from the underlying bitvector. No
+             * bounds checks are performed. The caller can define the size of
+             * the resulting unsigned integer block.
+             */
+            template <std::unsigned_integral BlockT>
+            BlockT load_next() const {
+               constexpr size_type block_size = sizeof(BlockT);
+               constexpr size_type block_bits = block_size * 8;
+               const auto bits_remaining = bits_to_read();
+
+               BlockT result_block = 0;
+               if constexpr(is_byte_aligned()) {
+                  result_block = load_le(m_source.as_byte_span().subspan(read_bytepos()).template first<block_size>());
+               } else {
+                  const size_type byte_pos = read_bytepos();
+
+                  const size_type bits_to_ignore_in_carry = m_start_bitoffset % 8;
+                  const size_type bits_in_carry = 8 - bits_to_ignore_in_carry;
+                  const size_type bits_to_collect =
+                     std::min(block_bits, m_start_bitoffset + m_bitlength - m_read_bitpos);
+
+                  const uint8_t carry = m_source.as_byte_span()[byte_pos];
+
+                  // Initialize the left-most bits with the carry.
+                  result_block = BlockT(carry) >> bits_to_ignore_in_carry;
+
+                  // If more bits are needed, we pull them from the remaining bytes.
+                  if(bits_in_carry < bits_to_collect) {
+                     const BlockT block =
+                        load_le(m_source.as_byte_span().subspan(byte_pos + 1).template first<block_size>());
+                     result_block |= block << bits_in_carry;
+                  }
+               }
+
+               m_read_bitpos += std::min(block_bits, bits_remaining);
+               return result_block;
+            }
+
+            /**
+             * Stores the next block of bits into the underlying bitvector.
+             * No bounds checks are performed. Storing bit blocks that are not
+             * aligned at a byte-boundary in the underlying bitvector is
+             * currently not implemented.
+             */
+            template <std::unsigned_integral BlockT>
+               requires(!is_const())
+            void store_next(BlockT block) {
+               constexpr size_type block_size = sizeof(BlockT);
+               constexpr size_type block_bits = block_size * 8;
+
+               if constexpr(is_byte_aligned()) {
+                  auto sink = m_source.as_byte_span().subspan(write_bytepos()).template first<block_size>();
+                  store_le(sink, block);
+                  m_write_bitpos += std::min(block_bits, bits_to_write());
+               } else {
+                  throw Not_Implemented("Storing out-of-alignment blocks is NYI");
+               }
+            }
+
+            template <std::unsigned_integral BlockT>
+               requires(is_byte_aligned() && !is_const())
+            std::span<BlockT> span(size_type blocks) const {
+               BOTAN_DEBUG_ASSERT(blocks == 0 || is_memory_aligned_to<BlockT>());
+               BOTAN_DEBUG_ASSERT(read_bytepos() % sizeof(BlockT) == 0);
+               // Intermittently casting to void* to avoid a compiler warning
+               void* ptr = reinterpret_cast<void*>(m_source.as_byte_span().data() + read_bytepos());
+               return {reinterpret_cast<BlockT*>(ptr), blocks};
+            }
+
+            template <std::unsigned_integral BlockT>
+               requires(is_byte_aligned() && is_const())
+            std::span<const BlockT> span(size_type blocks) const {
+               BOTAN_DEBUG_ASSERT(blocks == 0 || is_memory_aligned_to<BlockT>());
+               BOTAN_DEBUG_ASSERT(read_bytepos() % sizeof(BlockT) == 0);
+               // Intermittently casting to void* to avoid a compiler warning
+               const void* ptr = reinterpret_cast<const void*>(m_source.as_byte_span().data() + read_bytepos());
+               return {reinterpret_cast<const BlockT*>(ptr), blocks};
+            }
+
+            void advance(size_type bytes)
+               requires(is_byte_aligned())
+            {
+               m_read_bitpos += bytes * 8;
+               m_write_bitpos += bytes * 8;
+            }
+
+            template <std::unsigned_integral BlockT>
+               requires(is_byte_aligned())
+            size_t is_memory_aligned_to() const {
+               void* ptr = const_cast<void*>(static_cast<const void*>(m_source.as_byte_span().data() + read_bytepos()));
+               const auto ptr_before = ptr;
+               size_t size = sizeof(BlockT);
+               return ptr_before != nullptr && std::align(alignof(BlockT), size, ptr, size) == ptr_before;
+            }
+
+         private:
+            size_type read_bytepos() const { return m_read_bitpos / 8; }
+
+            size_type write_bytepos() const { return m_write_bitpos / 8; }
+
+         private:
+            BitvectorT& m_source;
+            size_type m_start_bitoffset;
+            size_type m_bitlength;
+
+            mutable size_type m_read_bitpos;
+            mutable size_type m_write_bitpos;
+      };
+
+      /**
+       * Helper struct for the low-level handling of blockwise operations
+       *
+       * This has two main code paths: Optimized for byte-aligned ranges that
+       * can simply be taken from memory as-is. And a generic implementation
+       * that must assemble blocks from unaligned bits before processing.
+       */
+      template <typename FnT, typename... ParamTs>
+         requires detail::blockwise_processing_callback<FnT, ParamTs...>
+      class blockwise_processing_callback_trait {
+         public:
+            constexpr static bool needs_mask = detail::blockwise_processing_callback_with_mask<FnT, ParamTs...>;
+            constexpr static bool is_manipulator = detail::manipulating_blockwise_processing_callback<FnT, ParamTs...>;
+            constexpr static bool is_predicate = detail::predicate_blockwise_processing_callback<FnT, ParamTs...>;
+            static_assert(!is_manipulator || !is_predicate, "cannot be manipulator and predicate at the same time");
+
+            /**
+             * Applies @p fn to the blocks provided in @p blocks by simply reading from
+             * memory without re-arranging any bits across byte-boundaries.
+             */
+            template <std::unsigned_integral... BlockTs>
+               requires(all_same_v<std::remove_cv_t<BlockTs>...> && sizeof...(BlockTs) == sizeof...(ParamTs))
+            constexpr static bool apply_on_full_blocks(FnT fn, std::span<BlockTs>... blocks) {
+               constexpr size_type bits = sizeof(detail::first_t<BlockTs...>) * 8;
+               const size_type iterations = detail::first(blocks...).size();
+               for(size_type i = 0; i < iterations; ++i) {
+                  if constexpr(is_predicate) {
+                     if(!apply(fn, bits, blocks[i]...)) {
+                        return false;
+                     }
+                  } else if constexpr(is_manipulator) {
+                     detail::first(blocks...)[i] = apply(fn, bits, blocks[i]...);
+                  } else {
+                     apply(fn, bits, blocks[i]...);
+                  }
+               }
+               return true;
+            }
+
+            /**
+             * Applies @p fn to as many blocks as @p ops provide for the given type.
+             */
+            template <std::unsigned_integral BlockT, typename... BitRangeOperatorTs>
+               requires(sizeof...(BitRangeOperatorTs) == sizeof...(ParamTs))
+            constexpr static bool apply_on_unaligned_blocks(FnT fn, BitRangeOperatorTs&... ops) {
+               constexpr size_type block_bits = sizeof(BlockT) * 8;
+               auto bits = detail::first(ops...).bits_to_read();
+               if(bits == 0) {
+                  return true;
+               }
+
+               bits += block_bits;  // avoid unsigned integer underflow in the following loop
+               while(bits > block_bits * 2 - 8) {
+                  bits -= block_bits;
+                  if constexpr(is_predicate) {
+                     if(!apply(fn, bits, ops.template load_next<BlockT>()...)) {
+                        return false;
+                     }
+                  } else if constexpr(is_manipulator) {
+                     detail::first(ops...).store_next(apply(fn, bits, ops.template load_next<BlockT>()...));
+                  } else {
+                     apply(fn, bits, ops.template load_next<BlockT>()...);
+                  }
+               }
+               return true;
+            }
+
+         private:
+            template <std::unsigned_integral... BlockTs>
+               requires(all_same_v<BlockTs...>)
+            constexpr static auto apply(FnT fn, size_type bits, BlockTs... blocks) {
+               if constexpr(needs_mask) {
+                  return fn(blocks..., make_mask<detail::first_t<BlockTs...>>(bits));
+               } else {
+                  return fn(blocks...);
+               }
+            }
+      };
+
+      /**
+       * Helper function of `full_range_operation` and `range_operation` that
+       * calls @p fn on a given aligned unsigned integer block as long as the
+       * underlying bit range contains enough bits to fill the block fully.
+       *
+       * This uses bare memory access to gain a speed up for aligned data.
+       */
+      template <std::unsigned_integral BlockT, typename FnT, typename... BitRangeOperatorTs>
+         requires(detail::blockwise_processing_callback<FnT, BitRangeOperatorTs...> &&
+                  sizeof...(BitRangeOperatorTs) > 0)
+      static bool _process_in_fully_aligned_blocks_of(FnT fn, BitRangeOperatorTs&... ops) {
+         constexpr size_type block_bytes = sizeof(BlockT);
+         constexpr size_type block_bits = block_bytes * 8;
+         const size_type blocks = detail::first(ops...).bits_to_read() / block_bits;
+
+         using callback_trait = blockwise_processing_callback_trait<FnT, BitRangeOperatorTs...>;
+         const auto result = callback_trait::apply_on_full_blocks(fn, ops.template span<BlockT>(blocks)...);
+         (ops.advance(block_bytes * blocks), ...);
+         return result;
+      }
+
+      /**
+       * Helper function of `full_range_operation` and `range_operation` that
+       * calls @p fn on a given unsigned integer block size as long as the
+       * underlying bit range contains enough bits to fill the block.
+       */
+      template <std::unsigned_integral BlockT, typename FnT, typename... BitRangeOperatorTs>
+         requires(detail::blockwise_processing_callback<FnT, BitRangeOperatorTs...>)
+      static bool _process_in_unaligned_blocks_of(FnT fn, BitRangeOperatorTs&... ops) {
+         using callback_trait = blockwise_processing_callback_trait<FnT, BitRangeOperatorTs...>;
+         return callback_trait::template apply_on_unaligned_blocks<BlockT>(fn, ops...);
+      }
+
+      /**
+       * Apply @p fn to all bits in the ranges defined by @p ops. If more than
+       * one range operator is passed to @p ops, @p fn receives corresponding
+       * blocks of bits from each operator. Therefore, all @p ops have to define
+       * the exact same length of their underlying ranges.
+       *
+       * @p fn may return a bit block that will be stored into the _first_ bit
+       * range passed into @p ops. If @p fn returns a boolean, and its value is
+       * `false`, the range operation is cancelled and `false` is returned.
+       *
+       * The implementation ensures to pull bits in the largest bit blocks
+       * possible and reverts to smaller bit blocks only when needed.
+       */
+      template <typename FnT, typename... BitRangeOperatorTs>
+         requires(detail::blockwise_processing_callback<FnT, BitRangeOperatorTs...> &&
+                  sizeof...(BitRangeOperatorTs) > 0)
+      static bool range_operation(FnT fn, BitRangeOperatorTs... ops) {
+         BOTAN_ASSERT(has_equal_lengths(ops...), "all BitRangeOperators have the same length");
+
+         if constexpr((BitRangeOperatorTs::is_byte_aligned() && ...)) {
+            // Note: At the moment we can assume that this will always be used
+            //       on the _entire_ bitvector. Therefore, we can safely assume
+            //       that the bitvectors' underlying buffers are properly aligned.
+            //       If this assumption changes, we need to add further handling
+            //       to process a byte padding at the beginning of the bitvector
+            //       until a memory alignment boundary is reached.
+            const bool alignment = (ops.template is_memory_aligned_to<uint64_t>() && ...);
+            BOTAN_ASSERT_NOMSG(alignment);
+
+            return _process_in_fully_aligned_blocks_of<uint64_t>(fn, ops...) &&
+                   _process_in_fully_aligned_blocks_of<uint32_t>(fn, ops...) &&
+                   _process_in_fully_aligned_blocks_of<uint16_t>(fn, ops...) &&
+                   _process_in_unaligned_blocks_of<uint8_t>(fn, ops...);
+         } else {
+            return _process_in_unaligned_blocks_of<uint64_t>(fn, ops...) &&
+                   _process_in_unaligned_blocks_of<uint32_t>(fn, ops...) &&
+                   _process_in_unaligned_blocks_of<uint16_t>(fn, ops...) &&
+                   _process_in_unaligned_blocks_of<uint8_t>(fn, ops...);
+         }
+      }
+
+      /**
+       * Apply @p fn to all bit blocks in the bitvector(s).
+       */
+      template <typename FnT, typename... BitvectorTs>
+         requires(detail::blockwise_processing_callback<FnT, BitvectorTs...>)
+      static bool full_range_operation(FnT&& fn, BitvectorTs&... bitvecs) {
+         BOTAN_ASSERT(has_equal_lengths(bitvecs...), "all bitvectors have the same length");
+         return range_operation(std::forward<FnT>(fn), BitRangeOperator<BitvectorTs>(bitvecs)...);
+      }
+
+      template <typename SomeT>
+      static bool has_equal_lengths(const SomeT&) {
+         return true;
+      }
+
+      template <typename SomeT, typename... SomeTs>
+      static bool has_equal_lengths(const SomeT& v, const SomeTs&... vs) {
+         return ((v.size() == vs.size()) && ...);
+      }
+
+      template <std::unsigned_integral T>
+      static constexpr T make_mask(size_type bits) {
+         const bool max = bits >= sizeof(T) * 8;
+         bits &= T(max - 1);
+         return (T(!max) << bits) - 1;
+      }
+
+      auto as_byte_span() { return std::span{m_blocks.data(), m_blocks.size() * sizeof(block_type)}; }
+
+      auto as_byte_span() const { return std::span{m_blocks.data(), m_blocks.size() * sizeof(block_type)}; }
+
+   private:
+      size_type m_bits;
+      std::vector<block_type, allocator_type> m_blocks;
+};
+
+using secure_bitvector = bitvector_base<secure_allocator>;
+using bitvector = bitvector_base<std::allocator>;
+
+namespace detail {
+
+/**
+ * If one of the allocators is a Botan::secure_allocator, this will always
+ * prefer it. Otherwise, the allocator of @p lhs will be used as a default.
+ */
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
+                                        const bitvector_base<AllocatorT2>& rhs) {
+   constexpr bool needs_secure_allocator = std::remove_cvref_t<decltype(lhs)>::uses_secure_allocator ||
+                                           std::remove_cvref_t<decltype(rhs)>::uses_secure_allocator;
+
+   if constexpr(needs_secure_allocator) {
+      return lhs.as_locked();
+   } else {
+      return lhs;
+   }
+}
+
+}  // namespace detail
+
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+auto operator|(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+   auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
+   res |= rhs;
+   return res;
+}
+
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+auto operator&(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+   auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
+   res &= rhs;
+   return res;
+}
+
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+auto operator^(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+   auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
+   res ^= rhs;
+   return res;
+}
+
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+bool operator==(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+   return lhs.equals(rhs);
+}
+
+template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
+bool operator!=(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+   return lhs.equals(rhs);
+}
+
+}  // namespace Botan
+
+#endif
diff --git a/src/lib/utils/info.txt b/src/lib/utils/info.txt
index 11374c0c8f4..2a6ec6e67a6 100644
--- a/src/lib/utils/info.txt
+++ b/src/lib/utils/info.txt
@@ -27,6 +27,7 @@ version.h
 <header:internal>
 alignment_buffer.h
 bit_ops.h
+bitvector.h
 bswap.h
 calendar.h
 charset.h
diff --git a/src/tests/test_utils_bitvector.cpp b/src/tests/test_utils_bitvector.cpp
new file mode 100644
index 00000000000..d48f241176e
--- /dev/null
+++ b/src/tests/test_utils_bitvector.cpp
@@ -0,0 +1,808 @@
+/*
+ * (C) 2023 Jack Lloyd
+ * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ */
+
+#include "tests.h"
+
+#include <botan/internal/bitvector.h>
+#include <botan/internal/fmt.h>
+
+#include <algorithm>
+
+namespace Botan_Tests {
+
+namespace {
+
+std::vector<Test::Result> test_bitvector_bitwise_accessors() {
+   return {
+      Botan_Tests::CHECK("default constructed bitvector",
+                         [](auto& result) {
+                            Botan::bitvector bv;
+                            result.confirm("default constructed bitvector is empty", bv.empty());
+                            result.test_eq("default constructed bitvector has zero size", bv.size(), size_t(0));
+                         }),
+
+      Botan_Tests::CHECK("preallocated construction of bitvector",
+                         [](auto& result) {
+                            Botan::bitvector bv(10);
+                            result.confirm("allocated bitvector is not empty", !bv.empty());
+                            result.test_eq("allocated bitvector has allocated size", bv.size(), size_t(10));
+                            for(size_t i = 0; i < 10; ++i) {
+                               result.confirm("bit not set yet", !bv.at(i));
+                            }
+                         }),
+
+      Botan_Tests::CHECK("setting bits",
+                         [](auto& result) {
+                            Botan::bitvector bv(32);
+                            bv.set(1);
+                            bv.at(2) = true;
+                            bv.set(3);
+
+                            result.confirm("0", !bv.at(0));
+                            result.confirm("1", bv.at(1));
+                            result.confirm("2", bv.at(2));
+                            result.confirm("3", bv.at(3));
+                            result.confirm("4", !bv.at(4));
+                         }),
+
+      Botan_Tests::CHECK("unsetting bits",
+                         [](auto& result) {
+                            Botan::bitvector bv(32);
+                            bv.set(1).set(2).set(3).unset(2);
+                            bv.at(3) = false;
+
+                            result.confirm("0", !bv.at(0));
+                            result.confirm("1", bv.at(1));
+                            result.confirm("2", !bv.at(2));
+                            result.confirm("3", !bv.at(3));
+                            result.confirm("4", !bv.at(4));
+                         }),
+
+      Botan_Tests::CHECK("flipping bits",
+                         [](auto& result) {
+                            Botan::bitvector bv(32);
+                            bv.set(1).set(2).set(3).flip(2).flip(4);
+
+                            result.confirm("0", !bv.at(0));
+                            result.confirm("1", bv.at(1));
+                            result.confirm("2", !bv.at(2));
+                            result.confirm("3", bv.at(3));
+                            result.confirm("4", bv.at(4));
+                         }),
+
+      Botan_Tests::CHECK(
+         "accessors validate offsets",
+         [](auto& result) {
+            Botan::bitvector bv(10);
+            result.template test_throws<Botan::Invalid_Argument>(".at() const out of range",
+                                                                 [&] { const_cast<const decltype(bv)&>(bv).at(10); });
+            result.template test_throws<Botan::Invalid_Argument>(".at() out of range", [&] { bv.at(10); });
+            result.template test_throws<Botan::Invalid_Argument>(".set() out of range", [&] { bv.set(10); });
+            result.template test_throws<Botan::Invalid_Argument>(".unset() out of range", [&] { bv.unset(10); });
+            result.template test_throws<Botan::Invalid_Argument>(".flip() out of range", [&] { bv.flip(10); });
+         }),
+
+      Botan_Tests::CHECK("multiblock handling",
+                         [](auto& result) {
+                            Botan::bitvector bv(128);
+                            result.test_eq("has more than 64 bits", bv.size(), 128);
+                            bv.set(1).set(63).set(64).set(127);
+                            for(size_t i = 0; i < bv.size(); ++i) {
+                               bool expected = (i == 1 || i == 63 || i == 64 || i == 127);
+                               result.test_eq(Botan::fmt("bit {} in expected state", i), bv.at(i), expected);
+                            }
+                         }),
+
+      Botan_Tests::CHECK("subscript operator",
+                         [](auto& result) {
+                            Botan::bitvector bv(128);
+                            bv[0].set();
+                            bv[1] = true;
+                            bv[2].flip();
+                            bv[64] = true;
+                            bv[80] = true;
+                            result.confirm("bit 0", bv[0]);
+                            result.confirm("bit 1", bv[1]);
+                            result.confirm("bit 2", bv[2]);
+                            result.confirm("bit 3", !bv[3]);
+                            result.confirm("bit 64", bv[64]);
+                            result.confirm("bit 80", bv[80]);
+                         }),
+
+      Botan_Tests::CHECK("subscript operator does not validate offsets",
+                         [](auto& result) {
+                            Botan::bitvector bv(10);
+                            result.template test_throws<Botan::Invalid_Argument>(".at() out of range",
+                                                                                 [&] { bv.at(10); });
+                            // Technically the next line is undefined behaviour.
+                            // Though, the current implementation detail won't
+                            // cause issues, which might change!
+                            result.test_no_throw("subscript out of range", [&] { bv[10]; });
+                         }),
+
+      Botan_Tests::CHECK("bitwise assignment modifiers",
+                         [](auto& result) {
+                            Botan::bitvector bv(4);
+
+                            result.require("precondition", !bv[0] && !bv[1]);
+                            bv[0] &= 1;  // NOLINT(*-use-bool-literals)
+                            result.confirm("bv[0] still 0", !bv[0]);
+                            bv[0].set();
+                            bv[0] &= 1;  // NOLINT(*-use-bool-literals)
+                            result.confirm("bv[0] still 1", bv[0]);
+                            bv[0] &= false;
+                            result.confirm("bv[0] now 0 again", !bv[0]);
+                            bv[0] &= !bv[1];
+                            result.confirm("bv[0] still 0 once more", !bv[0]);
+
+                            result.require("precondition 2", !bv[1] && !bv[2]);
+                            bv[1] |= 1;  // NOLINT(modernize-use-bool-literals)
+                            result.confirm("bv[1] is now 1", bv[1]);
+                            bv[1] |= 0;  // NOLINT(modernize-use-bool-literals)
+                            result.confirm("bv[1] is still 1", bv[1]);
+                            bv[1].unset();
+                            bv[1] |= false;
+                            result.confirm("bv[1] is 0", !bv[1]);
+                            bv[1] |= !bv[2];
+                            result.confirm("bv[1] is 1 again", bv[1]);
+
+                            result.require("precondition 3", !bv[2] && !bv[3]);
+                            bv[2] ^= 0;  // NOLINT(modernize-use-bool-literals)
+                            result.confirm("bv[2] is still 0", !bv[2]);
+                            bv[2] ^= true;
+                            result.confirm("bv[2] is now 1", bv[2]);
+                            bv[2] ^= !bv[3];
+                            result.confirm("bv[2] is 0 again", !bv[2]);
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_capacity() {
+   return {
+      Botan_Tests::CHECK("default constructed bitvector",
+                         [](auto& result) {
+                            Botan::bitvector bv;
+                            result.confirm("empty", bv.empty());
+                            result.test_eq("no size", bv.size(), size_t(0));
+                            result.test_eq("no capacity", bv.capacity(), size_t(0));
+                         }),
+
+      Botan_Tests::CHECK("allocated bitvector has capacity",
+                         [](auto& result) {
+                            Botan::bitvector bv(1);
+                            result.confirm("empty", !bv.empty());
+                            result.test_eq("small size", bv.size(), size_t(1));
+                            result.test_gte("a little capacity", bv.capacity(), size_t(8));
+                         }),
+
+      Botan_Tests::CHECK("reserved bitvector has capacity",
+                         [](auto& result) {
+                            Botan::bitvector bv;
+                            result.test_eq("no size", bv.size(), size_t(0));
+                            result.test_eq("no capacity", bv.capacity(), size_t(0));
+
+                            bv.reserve(64);
+                            result.test_eq("no size", bv.size(), size_t(0));
+                            result.test_gte("no capacity", bv.capacity(), size_t(64));
+
+                            bv.reserve(128);
+                            result.test_eq("no size", bv.size(), size_t(0));
+                            result.test_gte("no capacity", bv.capacity(), size_t(128));
+                         }),
+
+      Botan_Tests::CHECK("push_back() extends bitvector",
+                         [](Test::Result& result) {
+                            Botan::bitvector bv;
+                            result.confirm("empty", bv.empty());
+                            result.test_eq("no size", bv.size(), size_t(0));
+
+                            bv.push_back(true);
+                            bv.push_back(false);
+                            bv.push_back(true);
+                            bv.push_back(false);
+
+                            result.confirm("not empty", !bv.empty());
+                            result.test_eq("some size", bv.size(), size_t(4));
+                            result.test_gte("capacity is typically bigger than size", bv.capacity(), size_t(8));
+
+                            result.confirm("bit 0", bv.at(0));
+                            result.confirm("bit 1", !bv.at(1));
+                            result.confirm("bit 2", bv.at(2));
+                            result.confirm("bit 3", !bv.at(3));
+
+                            result.test_throws("bit 4 is not yet allocated", [&] { bv.at(4); });
+                         }),
+
+      Botan_Tests::CHECK("pop_back() shortens bitvector",
+                         [](Test::Result& result) {
+                            Botan::bitvector bv;
+                            bv.push_back(true);
+                            bv.push_back(false);
+                            bv.push_back(true);
+                            bv.push_back(false);
+                            result.confirm("last is false", !bv.back());
+
+                            bv.pop_back();
+                            result.test_eq("size() == 3", bv.size(), 3);
+                            result.confirm("last is true", bv.back());
+
+                            bv.pop_back();
+                            result.test_eq("size() == 2", bv.size(), 2);
+                            result.confirm("last is false", !bv.back());
+
+                            bv.pop_back();
+                            result.test_eq("size() == 1", bv.size(), 1);
+                            result.confirm("last is true", bv.back());
+                            result.confirm("first is true", bv.front());
+
+                            bv.pop_back();
+                            result.confirm("empty", bv.empty());
+
+                            result.test_throws("bit 4 is not yet allocated", [&] { bv.at(4); });
+                         }),
+
+      Botan_Tests::CHECK("resize()",
+                         [](auto& result) {
+                            Botan::bitvector bv(10);
+                            bv[0] = true;
+                            bv[5] = true;
+                            bv[9] = true;
+
+                            bv.resize(8);
+                            result.test_eq("size is reduced", bv.size(), size_t(8));
+
+                            for(size_t i = 0; i < bv.size(); ++i) {
+                               const bool expected = (i == 0 || i == 5);
+                               result.test_eq(Botan::fmt("{} is as expected", i), bv[i], expected);
+                            }
+
+                            bv.resize(0);
+                            result.confirm("resize(0) empties buffer", bv.empty());
+
+                            bv.resize(8);
+                            result.confirm("0 is false", !bv[0]);
+                            result.confirm("5 is false", !bv[5]);
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_subvector() {
+   auto make_bitpattern = [](auto& bitvector) {
+      for(size_t i = 0; i < bitvector.size(); ++i) {
+         bitvector[i] = (i % 3);
+      }
+   };
+
+   auto check_bitpattern = [](auto& result, auto& bitvector, size_t offset) {
+      for(size_t i = 0; i < bitvector.size(); ++i) {
+         const bool expected = ((i + offset) % 3);
+         result.confirm(Botan::fmt("{} is as expected", i), bitvector[i], expected);
+      }
+   };
+
+   return {
+      Botan_Tests::CHECK(
+         "range errors are caught",
+         [&](auto& result) {
+            Botan::bitvector bv(100);
+            result.template test_throws<Botan::Invalid_Argument>("out of range", [&] { bv.subvector(0, 101); });
+            result.template test_throws<Botan::Invalid_Argument>("out of range", [&] { bv.subvector(90, 11); });
+            result.template test_throws<Botan::Invalid_Argument>("out of range", [&] { bv.subvector(100, 1); });
+            result.template test_throws<Botan::Invalid_Argument>("out of range", [&] { bv.subvector(101, 0); });
+         }),
+
+      Botan_Tests::CHECK("empty copy is allowed",
+                         [&](auto& result) {
+                            Botan::bitvector bv1(100);
+                            auto bv2 = bv1.subvector(0, 0);
+                            result.test_eq("empty at 0", bv2.size(), size_t(0));
+                            auto bv3 = bv1.subvector(10, 0);
+                            result.test_eq("empty at 10", bv3.size(), size_t(0));
+                            auto bv4 = bv1.subvector(100, 0);
+                            result.test_eq("empty at 100", bv3.size(), size_t(0));
+                         }),
+
+      Botan_Tests::CHECK("byte-aligned copy",
+                         [&](auto& result) {
+                            Botan::bitvector bv1(100);
+                            make_bitpattern(bv1);
+
+                            auto bv2 = bv1.subvector(16, 58);
+                            result.test_eq("size is as requested", bv2.size(), size_t(58));
+                            check_bitpattern(result, bv2, 16);
+
+                            auto bv3 = bv1.subvector(32);  // copy until the end
+                            result.test_eq("size is as expected", bv3.size(), size_t(68));
+                            check_bitpattern(result, bv3, 32);
+                         }),
+
+      Botan_Tests::CHECK("byte-aligned 2",
+                         [&](auto& result) {
+                            Botan::bitvector bv1(100);
+                            make_bitpattern(bv1);
+
+                            auto bv2 = bv1.subvector(8, 91);
+                            result.test_eq("size is as expected", bv2.size(), size_t(91));
+                            check_bitpattern(result, bv2, 8);
+
+                            auto bv3 = bv1.subvector(16, 58);
+                            result.test_eq("size is as requested", bv3.size(), size_t(58));
+                            check_bitpattern(result, bv3, 16);
+
+                            auto bv4 = bv1.subvector(24);  // copy until the end
+                            result.test_eq("size is as expected", bv4.size(), size_t(100 - 24));
+                            check_bitpattern(result, bv4, 24);
+
+                            auto bv5 = bv1.subvector(32);  // copy until the end
+                            result.test_eq("size is as expected", bv5.size(), size_t(100 - 32));
+                            check_bitpattern(result, bv5, 32);
+
+                            auto bv6 = bv1.subvector(48, 51);  // copy until the end
+                            result.test_eq("size is as expected", bv6.size(), size_t(51));
+                            check_bitpattern(result, bv6, 48);
+                         }),
+
+      Botan_Tests::CHECK("byte-aligned copy must zero-out unused bits",
+                         [&](auto& result) {
+                            Botan::bitvector bv1(100);
+                            make_bitpattern(bv1);
+
+                            auto bv2 = bv1.subvector(16, 17);
+                            result.test_eq("size is as requested", bv2.size(), size_t(17));
+                            check_bitpattern(result, bv2, 16);
+
+                            bv2.resize(32);
+                            for(size_t i = 17; i < bv2.size(); ++i) {
+                               result.confirm("tail is zero", !bv2[i]);
+                            }
+                         }),
+
+      Botan_Tests::CHECK("unaligned copy",
+                         [&](auto& result) {
+                            Botan::bitvector bv1(100);
+                            make_bitpattern(bv1);
+
+                            auto bv2 = bv1.subvector(19, 69);
+                            result.test_eq("size is as requested", bv2.size(), size_t(69));
+                            check_bitpattern(result, bv2, 19);
+
+                            auto bv3 = bv1.subvector(21);  // copy until the end
+                            result.test_eq("size is as expected", bv3.size(), size_t(79));
+                            check_bitpattern(result, bv3, 21);
+
+                            auto bv4 = bv1.subvector(1, 16);
+                            result.test_eq("size is as expected", bv4.size(), size_t(16));
+                            check_bitpattern(result, bv4, 1);
+
+                            auto bv5 = bv1.subvector(1, 32);
+                            result.test_eq("size is as expected", bv5.size(), size_t(32));
+                            check_bitpattern(result, bv5, 1);
+
+                            auto bv6 = bv5.subvector(1, 12);
+                            result.test_eq("size is as expected", bv6.size(), size_t(12));
+                            check_bitpattern(result, bv6, 1 + 1);
+
+                            auto bv7 = bv1.subvector(17, 67);
+                            result.test_eq("size is as expected", bv7.size(), size_t(67));
+                            check_bitpattern(result, bv7, 17);
+
+                            auto bv8 = bv1.subvector(33);  // copy until the end
+                            result.test_eq("size is as expected", bv8.size(), size_t(67));
+                            check_bitpattern(result, bv8, 33);
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_global_modifiers_and_predicates() {
+   auto make_bitpattern = [](auto& bitvector) {
+      for(size_t i = 0; i < bitvector.size(); ++i) {
+         bitvector[i] = (i % 5);
+      }
+   };
+
+   auto check_bitpattern = [](auto& result, auto& bitvector) {
+      for(size_t i = 0; i < bitvector.size(); ++i) {
+         const bool expected = (i % 5);
+         result.confirm(Botan::fmt("{} is as expected", i), bitvector[i], expected);
+      }
+   };
+
+   auto check_flipped_bitpattern = [](auto& result, auto& bitvector) {
+      for(size_t i = 0; i < bitvector.size(); ++i) {
+         const bool expected = (i % 5 == 0);
+         result.confirm(Botan::fmt("{} is as expected", i), bitvector[i], expected);
+      }
+   };
+
+   return {
+      Botan_Tests::CHECK("one bit",
+                         [](auto& result) {
+                            Botan::bitvector bv;
+                            bv.push_back(true);
+
+                            bv.flip();
+                            result.confirm("bit is flipped", !bv[0]);
+
+                            // check that unused bits aren't flipped
+                            bv.resize(8);
+                            for(size_t i = 0; i < bv.size(); ++i) {
+                               result.confirm("all bits are false", !bv[i]);
+                            }
+                            bv.resize(1);
+
+                            bv.flip();
+                            result.confirm("bit is flipped again", bv[0]);
+                         }),
+
+      Botan_Tests::CHECK("bits in many blocks",
+                         [&](auto& result) {
+                            Botan::bitvector bv(99);
+
+                            make_bitpattern(bv);
+                            bv.flip();
+                            check_flipped_bitpattern(result, bv);
+
+                            bv = ~bv;
+                            check_bitpattern(result, bv);
+
+                            bv.resize(112);
+                            for(size_t i = 99; i < bv.size(); ++i) {
+                               result.confirm("just-allocated bit is not set", !bv[i]);
+                            }
+                         }),
+
+      Botan_Tests::CHECK("set and unset",
+                         [&](auto& result) {
+                            Botan::bitvector bv(99);
+
+                            make_bitpattern(bv);
+                            bv.set();
+                            bv.resize(128);
+                            for(size_t i = 0; i < bv.size(); ++i) {
+                               const bool expected = (i < 99);
+                               result.test_eq("only set bits are set", bv[i], expected);
+                            }
+
+                            bv.unset();
+                            for(size_t i = 0; i < bv.size(); ++i) {
+                               result.confirm("bit is not set", !bv[i]);
+                            }
+                         }),
+
+      Botan_Tests::CHECK("any, none and all",
+                         [&](auto& result) {
+                            Botan::bitvector bv(99);
+
+                            result.confirm("default construction yields all-zero", bv.none());
+                            result.confirm("default construction yields all-zero 2", !bv.any());
+                            result.confirm("default construction yields all-zero 3", !bv.all());
+
+                            bv.set(42);
+                            result.confirm("setting a bit means there's a bit set", !bv.none());
+                            result.confirm("setting a bit means there's a bit set 2", bv.any());
+                            result.confirm("setting a bit means there's not all bits set", !bv.all());
+
+                            bv.set();
+                            result.confirm("setting all bits means there's a bit set", !bv.none());
+                            result.confirm("setting all bits means there's a bit set 2", bv.any());
+                            result.confirm("setting all bits means all bits are set", bv.all());
+
+                            bv.unset(97);
+                            result.confirm("a single 0 at the end means that there's a bit set", !bv.none());
+                            result.confirm("a single 0 at the end means that there are bits set", bv.any());
+                            result.confirm("a single 0 at the end means that there are not all bits set", !bv.all());
+
+                            bv.unset();
+                            result.confirm("unsetting all bits means there's no bit set", bv.none());
+                            result.confirm("unsetting all bits means there's no bit set 2", !bv.any());
+                            result.confirm("unsetting all bits means there's not all bits set", !bv.all());
+                         }),
+
+      Botan_Tests::CHECK("hamming weight oddness",
+                         [](auto& result) {
+                            const auto evn = Botan::hex_decode("FE3410CB0278E4D26602");
+                            const auto odd = Botan::hex_decode("BB2418C2B4F288921203");
+
+                            result.confirm("odd hamming", Botan::bitvector(odd).has_odd_hamming_weight());
+                            result.confirm("even hamming", !Botan::bitvector(evn).has_odd_hamming_weight());
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_binary_operators() {
+   auto check_set = [](auto& result, auto bits, std::vector<size_t> set_bits) {
+      for(size_t i = 0; i < bits.size(); ++i) {
+         const auto should_be_set = std::find(set_bits.begin(), set_bits.end(), i) != set_bits.end();
+         result.test_eq(Botan::fmt("{} should {}be set", i, (!should_be_set ? "not " : "")), bits[i], should_be_set);
+      }
+   };
+
+   auto is_secure_allocator = []<template <typename> typename AllocatorT>(auto& result,
+                                                                          const Botan::bitvector_base<AllocatorT>&) {
+      result.confirm("allocator is Botan::secure_allocator<>",
+                     std::same_as<Botan::secure_allocator<uint8_t>, AllocatorT<uint8_t>>);
+   };
+
+   auto is_standard_allocator = []<template <typename> typename AllocatorT>(auto& result,
+                                                                            const Botan::bitvector_base<AllocatorT>&) {
+      result.confirm("allocator is std::allocator<>", std::same_as<std::allocator<uint8_t>, AllocatorT<uint8_t>>);
+   };
+
+   return {
+      Botan_Tests::CHECK("bitwise OR",
+                         [&](auto& result) {
+                            Botan::bitvector lhs(20);
+                            lhs.set(0).set(4).set(15).set(16).set(19);
+                            Botan::bitvector rhs(20);
+                            rhs.set(1).set(4).set(16).set(17).set(18);
+                            Botan::bitvector unary(20);
+                            unary.set(8);
+
+                            Botan::bitvector res = lhs | rhs;
+                            check_set(result, res, {0, 1, 4, 15, 16, 17, 18, 19});
+
+                            res |= unary;
+                            check_set(result, res, {0, 1, 4, 8, 15, 16, 17, 18, 19});
+
+                            is_standard_allocator(result, res);
+                         }),
+
+      Botan_Tests::CHECK("bitwise AND",
+                         [&](auto& result) {
+                            Botan::bitvector lhs(20);
+                            lhs.set(0).set(4).set(15).set(16).set(18);
+                            Botan::bitvector rhs(20);
+                            rhs.set(1).set(4).set(16).set(17).set(18);
+                            Botan::bitvector unary(20);
+                            unary.set(8).set(16);
+
+                            Botan::bitvector res = lhs & rhs;
+                            check_set(result, res, {4, 16, 18});
+
+                            res &= unary;
+                            check_set(result, res, {16});
+
+                            is_standard_allocator(result, res);
+                         }),
+
+      Botan_Tests::CHECK("bitwise XOR",
+                         [&](auto& result) {
+                            Botan::bitvector lhs(20);
+                            lhs.set(0).set(4).set(15).set(16).set(18);
+                            Botan::bitvector rhs(20);
+                            rhs.set(1).set(4).set(16).set(17).set(18);
+                            Botan::bitvector unary(20);
+                            unary.set(8).set(16);
+
+                            Botan::bitvector res = lhs ^ rhs;
+                            check_set(result, res, {0, 1, 15, 17});
+
+                            res ^= unary;
+                            check_set(result, res, {0, 1, 8, 15, 16, 17});
+
+                            is_standard_allocator(result, res);
+                         }),
+
+      Botan_Tests::CHECK("bitwise operators with heterogeneous allocators",
+                         [&](auto& result) {
+                            Botan::bitvector lhs(20);
+                            lhs.set(0).set(4).set(15).set(16).set(18);
+                            Botan::secure_bitvector rhs(20);
+                            rhs.set(1).set(4).set(16).set(17).set(18);
+                            Botan::bitvector unary(20);
+                            unary.set(8).set(16);
+
+                            auto res1 = lhs | rhs;
+                            is_secure_allocator(result, res1);
+                            check_set(result, res1, {0, 1, 4, 15, 16, 17, 18, 20});
+
+                            auto res2 = rhs | lhs;
+                            is_secure_allocator(result, res2);
+                            check_set(result, res2, {0, 1, 4, 15, 16, 17, 18, 20});
+
+                            auto res3 = lhs & rhs;
+                            is_secure_allocator(result, res3);
+                            check_set(result, res3, {4, 16, 18});
+
+                            auto res4 = rhs & lhs;
+                            is_secure_allocator(result, res4);
+                            check_set(result, res4, {4, 16, 18});
+
+                            auto res5 = lhs ^ rhs;
+                            is_secure_allocator(result, res5);
+                            check_set(result, res5, {0, 1, 15, 17});
+
+                            auto res6 = rhs ^ lhs;
+                            is_secure_allocator(result, res6);
+                            check_set(result, res6, {0, 1, 15, 17});
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_serialization() {
+   constexpr uint8_t outlen = 64;
+   const auto bytearray = [] {
+      std::array<uint8_t, outlen> out;
+      for(uint8_t i = 0; i < outlen; ++i) {
+         out[i] = i;
+      }
+      return out;
+   }();
+
+   auto validate_bytewise = [](auto& result, const auto& bv, std::span<const uint8_t> bytes) {
+      for(size_t i = 0; i < bytes.size(); ++i) {
+         const uint8_t b = (static_cast<uint8_t>(bv[0 + i * 8]) << 0) | (static_cast<uint8_t>(bv[1 + i * 8]) << 1) |
+                           (static_cast<uint8_t>(bv[2 + i * 8]) << 2) | (static_cast<uint8_t>(bv[3 + i * 8]) << 3) |
+                           (static_cast<uint8_t>(bv[4 + i * 8]) << 4) | (static_cast<uint8_t>(bv[5 + i * 8]) << 5) |
+                           (static_cast<uint8_t>(bv[6 + i * 8]) << 6) | (static_cast<uint8_t>(bv[7 + i * 8]) << 7);
+
+         result.test_eq(Botan::fmt("byte {} is as expected", i), static_cast<size_t>(b), static_cast<size_t>(bytes[i]));
+      }
+   };
+
+   return {
+      Botan_Tests::CHECK("empty byte-array",
+                         [](auto& result) {
+                            std::vector<uint8_t> bytes;
+                            result.require("empty buffer", bytes.empty());
+
+                            Botan::bitvector bv(bytes);
+                            result.confirm("empty bit vector", bv.empty());
+
+                            auto rendered = bv.to_bytes();
+                            result.confirm("empty bit vector renders an empty buffer", rendered.empty());
+                         }),
+
+      Botan_Tests::CHECK("to_bytes() uses secure_allocator if necessary",
+                         [](auto& result) {
+                            Botan::bitvector bv;
+                            Botan::secure_bitvector sbv;
+
+                            auto rbv = bv.to_bytes();
+                            auto rsbv = sbv.to_bytes();
+
+                            result.confirm("ordinary bitvector uses ordinary std::vector",
+                                           std::is_same_v<std::vector<uint8_t>, decltype(rbv)>);
+                            result.confirm("secure bitvector uses secure_vector",
+                                           std::is_same_v<Botan::secure_vector<uint8_t>, decltype(rsbv)>);
+                         }),
+
+      Botan_Tests::CHECK("load all bits from byte-array (aligned data)",
+                         [&](auto& result) {
+                            Botan::bitvector bv(bytearray);
+                            validate_bytewise(result, bv, bytearray);
+
+                            const auto rbv = bv.to_bytes();
+                            result.confirm("uint8_t rendered correctly", std::ranges::equal(bytearray, rbv));
+                         }),
+
+      Botan_Tests::CHECK("load all bits from byte-array (unaligned blocks)",
+                         [&](auto& result) {
+                            std::array<uint8_t, 63> unaligned_bytearray;
+                            Botan::copy_mem(unaligned_bytearray,
+                                            std::span{bytearray}.first<unaligned_bytearray.size()>());
+
+                            Botan::bitvector bv(unaligned_bytearray);
+                            validate_bytewise(result, bv, unaligned_bytearray);
+
+                            const auto rbv = bv.to_bytes();
+                            result.confirm("uint8_t rendered correctly", std::ranges::equal(unaligned_bytearray, rbv));
+                         }),
+
+      Botan_Tests::CHECK("load bits from byte-array (unaligned data)",
+                         [&](auto& result) {
+                            constexpr size_t bits_to_load = 31;
+                            constexpr size_t bytes_to_load = Botan::ceil_tobytes(bits_to_load);
+
+                            Botan::bitvector bv(bytearray, bits_to_load);
+
+                            for(size_t i = 0; i < bits_to_load; ++i) {
+                               const bool expected = (i == 8) || (i == 17) || (i == 24) || (i == 25);
+                               result.test_eq(Botan::fmt("bit {} is correct", i), bv.at(i), expected);
+                            }
+
+                            const auto rbv = bv.to_bytes();
+                            std::array<uint8_t, bytes_to_load> expected_bytes;
+                            Botan::copy_mem(expected_bytes, std::span{bytearray}.first<bytes_to_load>());
+                            expected_bytes.back() &= (uint8_t(1) << (bits_to_load % 8)) - 1;
+                            result.confirm("uint8_t rendered correctly", std::ranges::equal(expected_bytes, rbv));
+                         }),
+   };
+}
+
+std::vector<Test::Result> test_bitvector_constant_time_operations() {
+   return {
+      Botan_Tests::CHECK("conditional XOR, block aligned",
+                         [](auto& result) {
+                            Botan::bitvector bv1(Botan::hex_decode("BAADF00DCAFEBEEF"));
+                            Botan::secure_bitvector bv2(Botan::hex_decode("CAFEBEEFC001B33F"));
+                            const auto initial_bv1 = bv1;
+                            const auto xor_result = bv1 ^ bv2;
+
+                            bv1.ct_conditional_xor(false, bv2);
+                            result.confirm("no change after false condition", bv1 == initial_bv1);
+
+                            bv1.ct_conditional_xor(true, bv2);
+                            result.confirm("XORed if condition was true", bv1 == xor_result);
+                         }),
+
+      Botan_Tests::CHECK("conditional XOR, byte aligned",
+                         [](auto& result) {
+                            Botan::bitvector bv1(Botan::hex_decode("BAADF00DCAFEBEEF42"));
+                            Botan::secure_bitvector bv2(Botan::hex_decode("CAFEBEEFC001B33F13"));
+                            const auto initial_bv1 = bv1;
+                            const auto xor_result = bv1 ^ bv2;
+
+                            bv1.ct_conditional_xor(false, bv2);
+                            result.confirm("no change after false condition", bv1 == initial_bv1);
+
+                            bv1.ct_conditional_xor(true, bv2);
+                            result.confirm("XORed if condition was true", bv1 == xor_result);
+                         }),
+
+      Botan_Tests::CHECK("conditional XOR, no alignment",
+                         [](auto& result) {
+                            Botan::bitvector bv1(Botan::hex_decode("BAADF00DCAFEBEEF42"));
+                            bv1.push_back(true);
+                            bv1.push_back(false);
+                            Botan::secure_bitvector bv2(Botan::hex_decode("CAFEBEEFC001B33F13"));
+                            bv2.push_back(false);
+                            bv2.push_back(false);
+
+                            const auto initial_bv1 = bv1;
+                            const auto xor_result = bv1 ^ bv2;
+
+                            bv1.ct_conditional_xor(false, bv2);
+                            result.confirm("no change after false condition", bv1 == initial_bv1);
+
+                            bv1.ct_conditional_xor(true, bv2);
+                            result.confirm("XORed if condition was true", bv1 == xor_result);
+                         }),
+   };
+}
+
+Test::Result test_bitvector_conditional_xor_workload() {
+   Test::Result res("Conditional XOR, Gauss Workload");
+
+   auto& rng = Test::rng();
+
+   const size_t matrix_rows = 1664;
+   const size_t matrix_columns = 8192;
+
+   std::vector<Botan::bitvector> bitvec_vec;
+   bitvec_vec.reserve(matrix_rows);
+   for(size_t i = 0; i < matrix_rows; ++i) {
+      bitvec_vec.push_back(Botan::bitvector(rng.random_vec(matrix_columns / 8)));
+   }
+
+   // Simulate #ops of Gaussian Elimination
+   const size_t total_iter = matrix_rows * (3 * matrix_rows - 1) / 2;
+   const auto start = Test::timestamp();
+   for(size_t i = 0; i < total_iter; ++i) {
+      bitvec_vec.at(i % matrix_rows)
+         .ct_conditional_xor(rng.next_byte() % 2, bitvec_vec.at(rng.next_byte() % matrix_rows));
+   }
+   res.set_ns_consumed(Test::timestamp() - start);
+
+   res.confirm("Prevent compiler from optimizing away", bitvec_vec.at(0).any() || bitvec_vec.at(0).none());
+   return res;
+}
+
+}  // namespace
+
+BOTAN_REGISTER_TEST_FN("utils",
+                       "bitvector",
+                       test_bitvector_bitwise_accessors,
+                       test_bitvector_capacity,
+                       test_bitvector_subvector,
+                       test_bitvector_global_modifiers_and_predicates,
+                       test_bitvector_binary_operators,
+                       test_bitvector_serialization,
+                       test_bitvector_constant_time_operations,
+                       test_bitvector_conditional_xor_workload);
+
+}  // namespace Botan_Tests

From 190261d30d2bea7f4c9feb174c2505ad2dc83a1d Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 19 Jan 2024 15:43:58 +0100
Subject: [PATCH 04/27] Classic McEliece implementation

This is an implementation of the Classic McEliece KEM according to the
NIST Round 4 submission and the ISO draft 20230419.

Co-Authored-By: Amos Treiber <amos.treiber@rohde-schwarz.com>
---
 doc/api_ref/pubkey.rst                        |  48 +++
 doc/dev_ref/oids.rst                          |  19 +
 src/build-data/oids.txt                       |  24 +-
 src/cli/speed.cpp                             |  44 ++
 src/lib/asn1/oid_maps.cpp                     |  34 +-
 src/lib/pubkey/classic_mceliece/cmce.cpp      | 172 ++++++++
 src/lib/pubkey/classic_mceliece/cmce.h        | 151 +++++++
 .../pubkey/classic_mceliece/cmce_decaps.cpp   | 166 ++++++++
 src/lib/pubkey/classic_mceliece/cmce_decaps.h |  84 ++++
 .../pubkey/classic_mceliece/cmce_encaps.cpp   | 126 ++++++
 src/lib/pubkey/classic_mceliece/cmce_encaps.h |  59 +++
 .../classic_mceliece/cmce_field_ordering.cpp  | 322 +++++++++++++++
 .../classic_mceliece/cmce_field_ordering.h    | 112 +++++
 src/lib/pubkey/classic_mceliece/cmce_gf.cpp   | 123 ++++++
 src/lib/pubkey/classic_mceliece/cmce_gf.h     | 191 +++++++++
 .../classic_mceliece/cmce_keys_internal.cpp   | 143 +++++++
 .../classic_mceliece/cmce_keys_internal.h     | 187 +++++++++
 .../pubkey/classic_mceliece/cmce_matrix.cpp   | 258 ++++++++++++
 src/lib/pubkey/classic_mceliece/cmce_matrix.h | 113 ++++++
 .../classic_mceliece/cmce_parameter_set.cpp   | 132 ++++++
 .../classic_mceliece/cmce_parameter_set.h     |  77 ++++
 .../classic_mceliece/cmce_parameters.cpp      | 149 +++++++
 .../pubkey/classic_mceliece/cmce_parameters.h | 293 ++++++++++++++
 src/lib/pubkey/classic_mceliece/cmce_poly.cpp | 175 ++++++++
 src/lib/pubkey/classic_mceliece/cmce_poly.h   | 174 ++++++++
 src/lib/pubkey/classic_mceliece/cmce_types.h  |  43 ++
 src/lib/pubkey/classic_mceliece/info.txt      |  31 ++
 src/lib/pubkey/pk_algs.cpp                    |  23 ++
 src/tests/data/pubkey/cmce_kat_hashed.vec     | 148 +++++++
 src/tests/data/pubkey/cmce_negative.vec       |  22 +
 src/tests/test_cmce.cpp                       | 383 ++++++++++++++++++
 31 files changed, 4022 insertions(+), 4 deletions(-)
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_decaps.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_encaps.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_gf.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_gf.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_matrix.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_parameters.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_poly.cpp
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_poly.h
 create mode 100644 src/lib/pubkey/classic_mceliece/cmce_types.h
 create mode 100644 src/lib/pubkey/classic_mceliece/info.txt
 create mode 100644 src/tests/data/pubkey/cmce_kat_hashed.vec
 create mode 100644 src/tests/data/pubkey/cmce_negative.vec
 create mode 100644 src/tests/test_cmce.cpp

diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst
index 88f31c4c9d5..21f1045b6e8 100644
--- a/doc/api_ref/pubkey.rst
+++ b/doc/api_ref/pubkey.rst
@@ -142,6 +142,11 @@ McEliece
 Post-quantum secure key encapsulation scheme based on the hardness of certain
 decoding problems.
 
+Classic McEliece
+~~~~~~~~~~~~~~~~
+
+Post-quantum secure, code-based key encapsulation scheme.
+
 ElGamal
 ~~~~~~~~
 
@@ -1128,6 +1133,7 @@ Botan implements the following KEM schemes:
 #. Kyber
 #. FrodoKEM
 #. McEliece
+#. Classic McEliece
 
 .. _kyber_example:
 
@@ -1193,6 +1199,48 @@ parameters n and t, and have the corresponding key sizes listed:
 You can check the speed of McEliece with the suggested parameters above
 using ``botan speed McEliece``
 
+Classic McEliece KEM
+--------------------
+
+`Classic McEliece <https://classic.mceliece.org/>`_ is an IND-CCA2 secure key
+encapsulation algorithm based on the McEliece cryptosystem introduced in 1978.
+It is a code-based scheme that relies on conservative security assumptions and
+is considered secure against quantum computers. It is an alternative to
+lattice-based schemes.
+
+Other advantages of Classic McEliece are the small ciphertext size and the fast
+encapsulation. Key generation and decapsulation are slower than in lattice-based
+schemes. The main disadvantage of Classic McEliece is the large public key size,
+ranging from 0.26 MB to 1.36 MB, depending on the instance. Due to its large key
+size, Classic McEliece is recommended for applications where the public key is
+stored for a long time, and memory is not a critical resource. Usage with
+ephemeral keys is not recommended.
+
+Botan's implementation covers the parameter sets of the `NIST round 4
+specification <https://classic.mceliece.org/mceliece-spec-20221023.pdf#page=15>`_
+and the `Classic McEliece ISO draft specification
+<https://classic.mceliece.org/iso-mceliece-20230419.pdf#page=13>`_.
+These are the following:
+
++------------------+-------------------+-------------------+--------------------+-------------------+
+| Set without f/pc | Set with f        | Set with pc       | Set with pcf       | Public Key Size   |
++==================+===================+===================+====================+===================+
+|  mceliece348864  | mceliece348864f   |                   |                    | 0.26 MB           |
++------------------+-------------------+-------------------+--------------------+-------------------+
+| mceliece460896   | mceliece460896f   |                   |                    | 0.52 MB           |
++------------------+-------------------+-------------------+--------------------+-------------------+
+| mceliece6688128  | mceliece6688128f  | mceliece6688128pc | mceliece6688128pcf | 1.04 MB           |
++------------------+-------------------+-------------------+--------------------+-------------------+
+| mceliece6960119  | mceliece6960119f  | mceliece6960119pc | mceliece6960119pcf | 1.05 MB           |
++------------------+-------------------+-------------------+--------------------+-------------------+
+| mceliece8192128  | mceliece8192128f  | mceliece8192128pc | mceliece8192128pcf | 1.36 MB           |
++------------------+-------------------+-------------------+--------------------+-------------------+
+
+The instances with the suffix 'f' use a faster key generation algorithm that is more consistent in
+runtime. The instances with the suffix 'pc' use plaintext confirmation, which is only specified in
+the ISO document. The instances mceliece348864(f) and mceliece460896(f) are only defined in the
+NIST round 4 submission.
+
 
 eXtended Merkle Signature Scheme (XMSS)
 ----------------------------------------
diff --git a/doc/dev_ref/oids.rst b/doc/dev_ref/oids.rst
index 47683e9fc60..01dbc3c003e 100644
--- a/doc/dev_ref/oids.rst
+++ b/doc/dev_ref/oids.rst
@@ -84,6 +84,25 @@ Values currently assigned are::
   SphincsPlus-haraka-256s-r3.1 OBJECT IDENTIFIER ::= { SphincsPlus-haraka 5 }
   SphincsPlus-haraka-256f-r3.1  OBJECT IDENTIFIER ::= { SphincsPlus-haraka 6 }
 
+  mceliece OBJECT IDENTIFIER ::= { publicKey 18 }
+
+  mceliece348864      OBJECT IDENTIFIER ::= { mceliece 1 }
+  mceliece348864f     OBJECT IDENTIFIER ::= { mceliece 2 }
+  mceliece460896      OBJECT IDENTIFIER ::= { mceliece 3 }
+  mceliece460896f     OBJECT IDENTIFIER ::= { mceliece 4 }
+  mceliece6688128     OBJECT IDENTIFIER ::= { mceliece 5 }
+  mceliece6688128f    OBJECT IDENTIFIER ::= { mceliece 6 }
+  mceliece6688128pc   OBJECT IDENTIFIER ::= { mceliece 7 }
+  mceliece6688128pcf  OBJECT IDENTIFIER ::= { mceliece 8 }
+  mceliece6960119     OBJECT IDENTIFIER ::= { mceliece 9 }
+  mceliece6960119f    OBJECT IDENTIFIER ::= { mceliece 10 }
+  mceliece6960119pc   OBJECT IDENTIFIER ::= { mceliece 11 }
+  mceliece6960119pcf  OBJECT IDENTIFIER ::= { mceliece 12 }
+  mceliece8192128     OBJECT IDENTIFIER ::= { mceliece 13 }
+  mceliece8192128f    OBJECT IDENTIFIER ::= { mceliece 14 }
+  mceliece8192128pc   OBJECT IDENTIFIER ::= { mceliece 15 }
+  mceliece8192128pcf  OBJECT IDENTIFIER ::= { mceliece 16 }
+
   symmetricKey OBJECT IDENTIFIER ::= { randombit 3 }
 
   ocbModes OBJECT IDENTIFIER ::= { symmetricKey 2 }
diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
index b3146f4d5fb..c1d18f7ceb2 100644
--- a/src/build-data/oids.txt
+++ b/src/build-data/oids.txt
@@ -1,6 +1,6 @@
-# Regenerate with ./src/scripts/dev_tools/oids.py oids > src/lib/asn1/oid_maps.cpp
-# AND             ./src/scripts/dev_tools/oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
-# (if you modified something under [dn]
+# Regenerate with ./src/scripts/dev_tools/gen_oids.py oids > src/lib/asn1/oid_maps.cpp
+# AND             ./src/scripts/dev_tools/gen_oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
+# (if you modified something under [dn])
 
 # Public key types
 [pubkey]
@@ -63,6 +63,24 @@
 1.3.6.1.4.1.25258.1.12.3.5 = SphincsPlus-haraka-256s-r3.1
 1.3.6.1.4.1.25258.1.12.3.6 = SphincsPlus-haraka-256f-r3.1
 
+# Classic McEliece OIDs are currently in Botan's private arc
+1.3.6.1.4.1.25258.1.18.1 = mceliece348864
+1.3.6.1.4.1.25258.1.18.2 = mceliece348864f
+1.3.6.1.4.1.25258.1.18.3 = mceliece460896
+1.3.6.1.4.1.25258.1.18.4 = mceliece460896f
+1.3.6.1.4.1.25258.1.18.5 = mceliece6688128
+1.3.6.1.4.1.25258.1.18.6 = mceliece6688128f
+1.3.6.1.4.1.25258.1.18.7 = mceliece6688128pc
+1.3.6.1.4.1.25258.1.18.8 = mceliece6688128pcf
+1.3.6.1.4.1.25258.1.18.9 = mceliece6960119
+1.3.6.1.4.1.25258.1.18.10 = mceliece6960119f
+1.3.6.1.4.1.25258.1.18.11 = mceliece6960119pc
+1.3.6.1.4.1.25258.1.18.12 = mceliece6960119pcf
+1.3.6.1.4.1.25258.1.18.13 = mceliece8192128
+1.3.6.1.4.1.25258.1.18.14 = mceliece8192128f
+1.3.6.1.4.1.25258.1.18.15 = mceliece8192128pc
+1.3.6.1.4.1.25258.1.18.16 = mceliece8192128pcf
+
 # XMSS
 1.3.6.1.4.1.25258.1.5 = XMSS-draft6
 1.3.6.1.4.1.25258.1.8 = XMSS-draft12
diff --git a/src/cli/speed.cpp b/src/cli/speed.cpp
index 746adfada0c..aa903e19094 100644
--- a/src/cli/speed.cpp
+++ b/src/cli/speed.cpp
@@ -132,6 +132,10 @@
    #include <botan/frodokem.h>
 #endif
 
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+   #include <botan/cmce.h>
+#endif
+
 #if defined(BOTAN_HAS_ECDSA)
    #include <botan/ecdsa.h>
 #endif
@@ -624,6 +628,11 @@ class Speed final : public Command {
                bench_frodokem(provider, msec);
             }
 #endif
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+            else if(algo == "ClassicMcEliece") {
+               bench_classic_mceliece(provider, msec);
+            }
+#endif
 #if defined(BOTAN_HAS_SCRYPT)
             else if(algo == "scrypt") {
                bench_scrypt(provider, msec);
@@ -2082,6 +2091,41 @@ class Speed final : public Command {
       }
 #endif
 
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+      void bench_classic_mceliece(const std::string& provider, std::chrono::milliseconds msec) {
+         std::vector<Botan::Classic_McEliece_Parameter_Set> cmce_param_sets{
+            Botan::Classic_McEliece_Parameter_Set::mceliece348864,
+            Botan::Classic_McEliece_Parameter_Set::mceliece348864f,
+            Botan::Classic_McEliece_Parameter_Set::mceliece460896,
+            Botan::Classic_McEliece_Parameter_Set::mceliece460896f,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6688128,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6688128f,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6688128pc,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6688128pcf,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6960119,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6960119f,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6960119pc,
+            Botan::Classic_McEliece_Parameter_Set::mceliece6960119pcf,
+            Botan::Classic_McEliece_Parameter_Set::mceliece8192128,
+            Botan::Classic_McEliece_Parameter_Set::mceliece8192128f,
+            Botan::Classic_McEliece_Parameter_Set::mceliece8192128pc,
+            Botan::Classic_McEliece_Parameter_Set::mceliece8192128pcf,
+         };
+
+         for(auto cmce_set : cmce_param_sets) {
+            auto cmce_set_str = Botan::cmce_str_from_param_set(cmce_set);
+
+            auto keygen_timer = make_timer(cmce_set_str, provider, "keygen");
+
+            auto key = keygen_timer->run([&] { return Botan::Classic_McEliece_PrivateKey(rng(), cmce_set); });
+
+            record_result(keygen_timer);
+
+            bench_pk_kem(key, cmce_set_str, provider, "KDF2(SHA-256)", msec);
+         }
+      }
+#endif
+
 #if defined(BOTAN_HAS_XMSS_RFC8391)
       void bench_xmss(const std::string& provider, std::chrono::milliseconds msec) {
          /*
diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
index d879c2fe6f3..451972542db 100644
--- a/src/lib/asn1/oid_maps.cpp
+++ b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2023-11-02
+* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-01-10
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -174,6 +174,22 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.3.6.1.4.1.25258.1.17.1", "eFrodoKEM-640-AES"},
       {"1.3.6.1.4.1.25258.1.17.2", "eFrodoKEM-976-AES"},
       {"1.3.6.1.4.1.25258.1.17.3", "eFrodoKEM-1344-AES"},
+      {"1.3.6.1.4.1.25258.1.18.1", "mceliece348864"},
+      {"1.3.6.1.4.1.25258.1.18.10", "mceliece6960119f"},
+      {"1.3.6.1.4.1.25258.1.18.11", "mceliece6960119pc"},
+      {"1.3.6.1.4.1.25258.1.18.12", "mceliece6960119pcf"},
+      {"1.3.6.1.4.1.25258.1.18.13", "mceliece8192128"},
+      {"1.3.6.1.4.1.25258.1.18.14", "mceliece8192128f"},
+      {"1.3.6.1.4.1.25258.1.18.15", "mceliece8192128pc"},
+      {"1.3.6.1.4.1.25258.1.18.16", "mceliece8192128pcf"},
+      {"1.3.6.1.4.1.25258.1.18.2", "mceliece348864f"},
+      {"1.3.6.1.4.1.25258.1.18.3", "mceliece460896"},
+      {"1.3.6.1.4.1.25258.1.18.4", "mceliece460896f"},
+      {"1.3.6.1.4.1.25258.1.18.5", "mceliece6688128"},
+      {"1.3.6.1.4.1.25258.1.18.6", "mceliece6688128f"},
+      {"1.3.6.1.4.1.25258.1.18.7", "mceliece6688128pc"},
+      {"1.3.6.1.4.1.25258.1.18.8", "mceliece6688128pcf"},
+      {"1.3.6.1.4.1.25258.1.18.9", "mceliece6960119"},
       {"1.3.6.1.4.1.25258.1.3", "McEliece"},
       {"1.3.6.1.4.1.25258.1.5", "XMSS-draft6"},
       {"1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/SHA-256"},
@@ -569,6 +585,22 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
       {"gost_256B", OID({1, 2, 643, 7, 1, 2, 1, 1, 2})},
       {"gost_512A", OID({1, 2, 643, 7, 1, 2, 1, 2, 1})},
       {"gost_512B", OID({1, 2, 643, 7, 1, 2, 1, 2, 2})},
+      {"mceliece348864", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 1})},
+      {"mceliece348864f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 2})},
+      {"mceliece460896", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 3})},
+      {"mceliece460896f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 4})},
+      {"mceliece6688128", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 5})},
+      {"mceliece6688128f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 6})},
+      {"mceliece6688128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 7})},
+      {"mceliece6688128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 8})},
+      {"mceliece6960119", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 9})},
+      {"mceliece6960119f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 10})},
+      {"mceliece6960119pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 11})},
+      {"mceliece6960119pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 12})},
+      {"mceliece8192128", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 13})},
+      {"mceliece8192128f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 14})},
+      {"mceliece8192128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 15})},
+      {"mceliece8192128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 16})},
       {"secp160k1", OID({1, 3, 132, 0, 9})},
       {"secp160r1", OID({1, 3, 132, 0, 8})},
       {"secp160r2", OID({1, 3, 132, 0, 30})},
diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
new file mode 100644
index 00000000000..2a0e5dc0ebb
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -0,0 +1,172 @@
+/*
+ * Classic McEliece Key Generation
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/cmce.h>
+#include <botan/rng.h>
+#include <botan/internal/bitvector.h>
+#include <botan/internal/cmce_decaps.h>
+#include <botan/internal/cmce_encaps.h>
+#include <botan/internal/cmce_field_ordering.h>
+#include <botan/internal/cmce_keys_internal.h>
+#include <botan/internal/cmce_matrix.h>
+#include <botan/internal/pk_ops.h>
+#include <botan/internal/pk_ops_impl.h>
+
+#include <algorithm>
+
+namespace Botan {
+
+Classic_McEliece_PublicKey::Classic_McEliece_PublicKey(const AlgorithmIdentifier& alg_id,
+                                                       std::span<const uint8_t> key_bits) :
+      Classic_McEliece_PublicKey(key_bits, cmce_param_set_from_oid(alg_id.oid())) {}
+
+Classic_McEliece_PublicKey::Classic_McEliece_PublicKey(std::span<const uint8_t> key_bits,
+                                                       Classic_McEliece_Parameter_Set param_set) {
+   auto params = Classic_McEliece_Parameters::create(param_set);
+   BOTAN_ARG_CHECK(key_bits.size() == params.pk_size_bytes(), "Wrong public key length");
+   std::vector<uint8_t> key_bits_vec(key_bits.begin(), key_bits.end());
+   m_public = std::make_shared<Classic_McEliece_PublicKeyInternal>(
+      params, Classic_McEliece_Matrix(params, std::move(key_bits_vec)));
+}
+
+Classic_McEliece_PublicKey::Classic_McEliece_PublicKey(const Classic_McEliece_PublicKey& other) {
+   m_public = std::make_shared<Classic_McEliece_PublicKeyInternal>(*other.m_public);
+}
+
+Classic_McEliece_PublicKey& Classic_McEliece_PublicKey::operator=(const Classic_McEliece_PublicKey& other) {
+   if(this != &other) {
+      m_public = std::make_shared<Classic_McEliece_PublicKeyInternal>(*other.m_public);
+   }
+   return *this;
+}
+
+AlgorithmIdentifier Classic_McEliece_PublicKey::algorithm_identifier() const {
+   return AlgorithmIdentifier(object_identifier(), AlgorithmIdentifier::USE_EMPTY_PARAM);
+}
+
+OID Classic_McEliece_PublicKey::object_identifier() const {
+   return m_public->params().object_identifier();
+}
+
+size_t Classic_McEliece_PublicKey::key_length() const {
+   return m_public->matrix().bytes().size();
+}
+
+size_t Classic_McEliece_PublicKey::estimated_strength() const {
+   return m_public->params().estimated_strength();
+}
+
+std::vector<uint8_t> Classic_McEliece_PublicKey::public_key_bits() const {
+   return m_public->matrix().bytes();
+}
+
+bool Classic_McEliece_PublicKey::check_key(RandomNumberGenerator&, bool) const {
+   return true;
+}
+
+std::unique_ptr<Private_Key> Classic_McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
+   return std::make_unique<Classic_McEliece_PrivateKey>(rng, m_public->params().set());
+}
+
+std::unique_ptr<PK_Ops::KEM_Encryption> Classic_McEliece_PublicKey::create_kem_encryption_op(
+   std::string_view params, std::string_view provider) const {
+   if(provider.empty() || provider == "base") {
+      return std::make_unique<Classic_McEliece_Encryptor>(this->m_public, params);
+   }
+   throw Provider_Not_Found(algo_name(), provider);
+}
+
+Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(RandomNumberGenerator& rng,
+                                                         Classic_McEliece_Parameter_Set param_set) {
+   auto params = Classic_McEliece_Parameters::create(param_set);
+   auto seed = rng.random_vec<Initial_Seed>(params.seed_len());
+   auto key_pair = Classic_McEliece_KeyPair_Internal::generate(params, seed);
+
+   m_private = key_pair.private_key;
+   m_public = key_pair.public_key;
+}
+
+Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(std::span<const uint8_t> sk,
+                                                         Classic_McEliece_Parameter_Set param_set) {
+   auto params = Classic_McEliece_Parameters::create(param_set);
+   auto sk_internal = Classic_McEliece_PrivateKeyInternal::from_bytes(params, sk);
+   m_private = std::make_shared<Classic_McEliece_PrivateKeyInternal>(std::move(sk_internal));
+   // This creates and loads the public key, which is very large. Potentially, we could only load
+   // it on demand (since one may use the private key only for decapsulation without needing the public key).
+   m_public = Classic_McEliece_PublicKeyInternal::create_from_private_key(*m_private);
+}
+
+Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(const AlgorithmIdentifier& alg_id,
+                                                         std::span<const uint8_t> key_bits) :
+      Classic_McEliece_PrivateKey(key_bits, cmce_param_set_from_oid(alg_id.oid())) {}
+
+std::unique_ptr<Public_Key> Classic_McEliece_PrivateKey::public_key() const {
+   return std::make_unique<Classic_McEliece_PublicKey>(*this);
+}
+
+secure_vector<uint8_t> Classic_McEliece_PrivateKey::private_key_bits() const {
+   return raw_private_key_bits();
+}
+
+secure_vector<uint8_t> Classic_McEliece_PrivateKey::raw_private_key_bits() const {
+   return m_private->serialize();
+}
+
+bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const {
+   auto prg = m_private->params().prg(m_private->delta());
+
+   auto s = prg->output<Rejection_Seed>(m_private->params().n() / 8);
+   auto ordering_seed =
+      prg->output<secure_vector<uint8_t>>((m_private->params().sigma2() * m_private->params().q()) / 8);
+   auto irreducible_seed =
+      prg->output<secure_vector<uint8_t>>((m_private->params().sigma1() * m_private->params().t()) / 8);
+
+   // Recomputing s as hash of delta
+   auto ret =
+      CT::Mask<size_t>::expand(CT::is_equal<uint8_t>(s.data(), m_private->s().data(), m_private->params().n() / 8));
+
+   // Checking weight of c
+   size_t c_hamming_weight = 0;
+   for(size_t i = 0; i < m_private->c().get().size(); ++i) {
+      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c().get()[i]).if_set_return(1);
+   }
+
+   ret &= CT::Mask<size_t>::is_equal(c_hamming_weight, 32);
+
+   auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_seed);
+   if(g) {
+      for(size_t i = 0; i < g->degree() - 1; ++i) {
+         ret &= CT::Mask<size_t>::expand(GF_Mask::is_equal(g->coef_at(i), m_private->g().coef_at(i)).elem_mask());
+      }
+   } else {
+      ret = CT::Mask<size_t>::cleared();
+   }
+
+   // Check alpha control bits
+   auto field_ord_from_seed =
+      Classic_McEliece_Field_Ordering::create_field_ordering(m_private->params(), ordering_seed);
+   if(!field_ord_from_seed) {
+      ret = CT::Mask<size_t>::cleared();
+   } else {
+      field_ord_from_seed->permute_with_pivots(m_private->params(), m_private->c());
+      ret &= CT::Mask<size_t>::expand(field_ord_from_seed->ct_is_equal(m_private->field_ordering()));
+   }
+
+   return ret.as_bool();
+}
+
+std::unique_ptr<PK_Ops::KEM_Decryption> Classic_McEliece_PrivateKey::create_kem_decryption_op(
+   RandomNumberGenerator& rng, std::string_view params, std::string_view provider) const {
+   BOTAN_UNUSED(rng);
+   if(provider.empty() || provider == "base") {
+      return std::make_unique<Classic_McEliece_Decryptor>(this->m_private, params);
+   }
+   throw Provider_Not_Found(algo_name(), provider);
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce.h b/src/lib/pubkey/classic_mceliece/cmce.h
new file mode 100644
index 00000000000..7eabe49123f
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce.h
@@ -0,0 +1,151 @@
+/*
+ * Classic McEliece Key Generation
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_H_
+#define BOTAN_CMCE_H_
+
+#include <botan/pk_keys.h>
+
+#include <botan/cmce_parameter_set.h>
+
+namespace Botan {
+
+class Classic_McEliece_PublicKeyInternal;
+class Classic_McEliece_PrivateKeyInternal;
+
+/**
+ * Classic McEliece is a Code-Based KEM. It is a round 4 candidate in NIST's PQC competition.
+ * It is endorsed by the German Federal Office for Information Security for its conservative security
+ * assumptions and a corresponding draft for an ISO standard has been prepared. Both NIST and ISO parameter
+ * sets are implemented here.
+ *
+ * Advantages of Classic McEliece:
+ * - Conservative post-quantum security assumptions
+ * - Very fast encapsulation
+ * - Fast decapsulation
+ *
+ * Disadvantages of Classic McEliece:
+ * - Very large public keys (0.26 MB - 1.36 MB)
+ * - Relatively slow key generation
+ * - Algorithm is complex and hard to implement side-channel resistant
+ */
+class BOTAN_PUBLIC_API(3, 4) Classic_McEliece_PublicKey : public virtual Public_Key {
+   public:
+      /**
+       * @brief Load a Classic McEliece public key from bytes.
+       *
+       * @param alg_id The algorithm identifier
+       * @param key_bits The public key bytes
+       */
+      Classic_McEliece_PublicKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits);
+
+      /**
+       * @brief Load a Classic McEliece public key from bytes.
+       *
+       * @param key_bits The public key bytes
+       * @param param_set The parameter set
+       */
+      Classic_McEliece_PublicKey(std::span<const uint8_t> key_bits, Classic_McEliece_Parameter_Set param_set);
+
+      Classic_McEliece_PublicKey(const Classic_McEliece_PublicKey& other);
+      Classic_McEliece_PublicKey& operator=(const Classic_McEliece_PublicKey& other);
+      Classic_McEliece_PublicKey(Classic_McEliece_PublicKey&&) = default;
+      Classic_McEliece_PublicKey& operator=(Classic_McEliece_PublicKey&&) = default;
+
+      ~Classic_McEliece_PublicKey() override = default;
+
+      std::string algo_name() const override { return "ClassicMcEliece"; }  //TODO: Use "CMCE" or "Classic_McEliece"?
+
+      AlgorithmIdentifier algorithm_identifier() const override;
+
+      OID object_identifier() const override;
+
+      size_t key_length() const override;
+
+      size_t estimated_strength() const override;
+
+      std::vector<uint8_t> public_key_bits() const override;
+
+      bool check_key(RandomNumberGenerator&, bool) const override;
+
+      bool supports_operation(PublicKeyOperation op) const override {
+         return (op == PublicKeyOperation::KeyEncapsulation);
+      }
+
+      std::unique_ptr<Private_Key> generate_another(RandomNumberGenerator& rng) const final;
+
+      std::unique_ptr<PK_Ops::KEM_Encryption> create_kem_encryption_op(std::string_view params,
+                                                                       std::string_view provider) const override;
+
+   protected:
+      Classic_McEliece_PublicKey() = default;
+
+   protected:
+      std::shared_ptr<Classic_McEliece_PublicKeyInternal>
+         m_public;  // NOLINT(misc-non-private-member-variables-in-classes)
+};
+
+BOTAN_DIAGNOSTIC_PUSH
+BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
+
+class BOTAN_PUBLIC_API(3, 4) Classic_McEliece_PrivateKey final : public virtual Classic_McEliece_PublicKey,
+                                                                 public virtual Private_Key {
+   public:
+      /**
+       * @brief Create a new Classic McEliece private key for a specified parameter set.
+       *
+       * @param rng A random number generator
+       * @param param_set The parameter set to use
+       */
+      Classic_McEliece_PrivateKey(RandomNumberGenerator& rng, Classic_McEliece_Parameter_Set param_set);
+
+      /**
+       * @brief Load a Classic McEliece private key from bytes.
+       *
+       * @param sk The private key bytes
+       * @param param_set The parameter set to use
+       */
+      Classic_McEliece_PrivateKey(std::span<const uint8_t> sk, Classic_McEliece_Parameter_Set param_set);
+
+      /**
+       * @brief Load a Classic McEliece private key from bytes.
+       *
+       * @param alg_id The algorithm identifier
+       * @param key_bits The private key bytes
+       */
+      Classic_McEliece_PrivateKey(const AlgorithmIdentifier& alg_id, std::span<const uint8_t> key_bits);
+
+      std::unique_ptr<Public_Key> public_key() const override;
+
+      secure_vector<uint8_t> private_key_bits() const override;
+
+      secure_vector<uint8_t> raw_private_key_bits() const override;
+
+      /**
+       * @brief Checks the private key for consistency with the first component delta, i.e.,
+       * recomputes s as a hash of delta and checks equivalence with sk.s, checks the weight of c,
+       * and checks the control bits. It also recomputes beta based on delta and recomputes g based on beta,
+       * checking that g is equal to the value sk.s
+       *
+       * See NIST Impl. guide 6.3 Double-Checks on Private Keys.
+       */
+      bool check_key(RandomNumberGenerator&, bool) const override;
+
+      std::unique_ptr<PK_Ops::KEM_Decryption> create_kem_decryption_op(RandomNumberGenerator& rng,
+                                                                       std::string_view params,
+                                                                       std::string_view provider) const override;
+
+   private:
+      std::shared_ptr<Classic_McEliece_PrivateKeyInternal> m_private;
+};
+
+BOTAN_DIAGNOSTIC_POP
+
+}  // namespace Botan
+
+#endif  // BOTAN_CMCE_GF_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
new file mode 100644
index 00000000000..0b27876faae
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -0,0 +1,166 @@
+/*
+ * Classic McEliece Decapsulation
+ * Based on the public domain reference implementation by the designers
+ * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/internal/cmce_decaps.h>
+
+namespace Botan {
+
+Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
+   const Classic_McEliece_Parameters& params,
+   const Classic_McEliece_Minimal_Polynomial& goppa_poly,
+   const Classic_McEliece_Field_Ordering& ordering,
+   const secure_bitvector& code_word) {
+   BOTAN_ASSERT(params.n() == code_word.size(), "Correct code word size");
+   std::vector<Classic_McEliece_GF> syndrome(2 * params.t(), params.gf(GF_Elem(0)));
+
+   auto alphas = ordering.alphas(params.n());
+
+   for(size_t i = 0; i < params.n(); ++i) {
+      auto g_alpha = goppa_poly(alphas[i]);
+      auto r = (g_alpha * g_alpha).inv();
+
+      auto c_mask = GF_Mask(CT::Mask<uint16_t>::expand(code_word.at(i)));
+
+      for(size_t j = 0; j < 2 * params.t(); ++j) {
+         syndrome[j] += c_mask.if_set_return(r);
+         r = r * alphas[i];
+      }
+   }
+
+   return Classic_McEliece_Polynomial(syndrome);
+}
+
+Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(const Classic_McEliece_Parameters& params,
+                                                                         const Classic_McEliece_Polynomial& syndrome) {
+   // Represents coefficients of corresponding polynomials
+   std::vector<Classic_McEliece_GF> big_c(params.t() + 1, params.gf(GF_Elem(0)));
+   std::vector<Classic_McEliece_GF> big_b(params.t() + 1, params.gf(GF_Elem(0)));
+
+   auto b = params.gf(GF_Elem(1));
+
+   // Start with x^m for m=1, see pseudocode of https://en.wikipedia.org/wiki/Berlekamp%E2%80%93Massey_algorithm
+   big_b.at(1) = GF_Elem(1);
+   big_c.at(0) = GF_Elem(1);
+
+   for(size_t big_n = 0, big_l = 0; big_n < 2 * params.t(); ++big_n) {
+      auto d = params.gf(GF_Elem(0));
+      for(size_t i = 0; i <= std::min(big_n, params.t()); ++i) {
+         d += big_c.at(i) * syndrome.coef_at(big_n - i);
+      }
+
+      // Pseudocode branch if (d == 0)
+      auto d_not_zero = GF_Mask::expand(d);
+
+      // Pseudocode branch else if (2* L <= N)
+      auto adjust_big_c = GF_Mask(CT::Mask<uint16_t>::is_lte(uint16_t(2 * big_l), uint16_t(big_n)));
+      adjust_big_c &= d_not_zero;
+
+      auto big_t = big_c;  // Copy
+      auto f = d / b;
+
+      for(size_t i = 0; i <= params.t(); ++i) {
+         // Occurs for all other d!=0 branches in the pseudocode
+         big_c.at(i) += d_not_zero.if_set_return((f * big_b.at(i)));
+      }
+
+      big_l = adjust_big_c.select(uint16_t((big_n + 1) - big_l), uint16_t(big_l));
+
+      for(size_t i = 0; i <= params.t(); ++i) {
+         big_b.at(i) = adjust_big_c.select(big_t.at(i), big_b.at(i));
+      }
+
+      b = adjust_big_c.select(d, b);
+
+      // Rotate big_b one to the right (multiplies with x), replaces increments of m in pseudocode
+      std::rotate(big_b.rbegin(), big_b.rbegin() + 1, big_b.rend());
+   }
+
+   std::reverse(big_c.begin(), big_c.end());
+
+   return Classic_McEliece_Polynomial(big_c);
+}
+
+std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decode(bitvector big_c) {
+   BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
+   big_c.resize(m_key->params().n());
+
+   auto syndrome = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as_locked());
+   auto locator = berlekamp_massey(m_key->params(), syndrome);
+
+   std::vector<Classic_McEliece_GF> images;
+   auto alphas = m_key->field_ordering().alphas(m_key->params().n());
+   std::transform(
+      alphas.begin(), alphas.end(), std::back_inserter(images), [&](const auto& alpha) { return locator(alpha); });
+
+   // Obtain e and check whether wt(e) = t. locator(alpha_i) = 0 <=> error at position i
+   secure_bitvector e;
+   size_t hamming_weight_e = 0;
+   auto decode_success = CT::Mask<uint8_t>::set();  // Avoid bool to avoid possible compiler optimizations
+   for(const auto& image : images) {
+      auto is_zero_mask = GF_Mask::is_zero(image);
+      e.push_back(is_zero_mask.as_bool());
+      hamming_weight_e += is_zero_mask.elem_mask().if_set_return(1);
+   }
+   decode_success &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(hamming_weight_e, m_key->params().t()));
+
+   // Check the error vector by checking H'C = H'e <=> H'(C + e) = 0; see guide for implementors Sec. 6.3
+   auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e);
+   auto syndromes_are_eq = GF_Mask::set();
+   for(size_t i = 0; i < syndrome.degree() - 1; ++i) {
+      syndromes_are_eq &= GF_Mask::is_equal(syndrome.coef_at(i), syndrome_from_e.coef_at(i));
+   }
+
+   decode_success &= syndromes_are_eq.elem_mask();
+
+   return {decode_success, std::move(e)};
+}
+
+void Classic_McEliece_Decryptor::raw_kem_decrypt(std::span<uint8_t> out_shared_key,
+                                                 std::span<const uint8_t> encapsulated_key) {
+   BOTAN_ARG_CHECK(out_shared_key.size() == m_key->params().hash_out_bytes(), "Invalid shared key output size");
+   BOTAN_ARG_CHECK(encapsulated_key.size() == m_key->params().ciphertext_size(), "Invalid ciphertext size");
+
+   auto [ct, c1] = [&]() -> std::pair<bitvector, std::span<const uint8_t>> {
+      if(m_key->params().is_pc()) {
+         BufferSlicer encaps_key_slicer(encapsulated_key);
+         auto c0_ret = encaps_key_slicer.take(m_key->params().encode_out_size());
+         auto c1_ret = encaps_key_slicer.take(m_key->params().hash_out_bytes());
+         BOTAN_ASSERT_NOMSG(encaps_key_slicer.empty());
+         return {bitvector(c0_ret, m_key->params().m() * m_key->params().t()), c1_ret};
+      } else {
+         return {bitvector(encapsulated_key, m_key->params().m() * m_key->params().t()), {}};
+      }
+   }();
+
+   auto [decode_success_mask, maybe_e] = decode(ct);
+
+   secure_vector<uint8_t> e_bytes(m_key->s().size());
+   decode_success_mask.select_n(e_bytes.data(), maybe_e.to_bytes().data(), m_key->s().data(), m_key->s().size());
+   uint8_t b = decode_success_mask.select(1, 0);
+
+   auto hash_func = m_key->params().hash_func();
+
+   if(m_key->params().is_pc()) {
+      hash_func->update(2);
+      hash_func->update(e_bytes);
+      auto c1_p = hash_func->final_stdvec();
+      CT::Mask<uint8_t> eq_mask = CT::is_equal(c1.data(), c1_p.data(), c1.size());
+      eq_mask.select_n(e_bytes.data(), e_bytes.data(), m_key->s().data(), m_key->s().size());
+      b = eq_mask.select(b, 0);
+   }
+
+   hash_func->update(b);
+   hash_func->update(e_bytes);
+   hash_func->update(encapsulated_key);
+   hash_func->final(out_shared_key);
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.h b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
new file mode 100644
index 00000000000..24eeab67689
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
@@ -0,0 +1,84 @@
+/*
+ * Classic McEliece Decapsulation
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_DECAPS_H_
+#define BOTAN_CMCE_DECAPS_H_
+
+#include <botan/cmce.h>
+#include <botan/rng.h>
+#include <botan/internal/bitvector.h>
+#include <botan/internal/cmce_field_ordering.h>
+#include <botan/internal/cmce_keys_internal.h>
+#include <botan/internal/cmce_matrix.h>
+#include <botan/internal/pk_ops.h>
+#include <botan/internal/pk_ops_impl.h>
+
+namespace Botan {
+
+/**
+ * Classic McEliece Decapsulation Operation
+ */
+class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decryption_with_KDF {
+   public:
+      /**
+       * @brief Constructs a Classic_McEliece_Decryptor object with the given private key.
+       * @param key The private key used for decryption.
+       */
+      Classic_McEliece_Decryptor(std::shared_ptr<Classic_McEliece_PrivateKeyInternal> key, std::string_view kdf) :
+            KEM_Decryption_with_KDF(kdf), m_key(std::move(key)) {}
+
+      size_t raw_kem_shared_key_length() const override { return m_key->params().hash_out_bytes(); }
+
+      size_t encapsulated_key_length() const override { return m_key->params().ciphertext_size(); }
+
+      void raw_kem_decrypt(std::span<uint8_t> out_shared_key, std::span<const uint8_t> encapsulated_key) override;
+
+   private:
+      /**
+       * @brief Computes the syndrome of a code word.
+       *
+       * Corresponds to H' * code_word of the spec, where H' is the syndrome computation matrix used for the
+       * Berlekamp's method of decoding. See https://tungchou.github.io/papers/mcbits.pdf for more information.
+       *
+       * @param params The McEliece parameters.
+       * @param goppa_poly The Goppa polynomial.
+       * @param ordering The field ordering.
+       * @param code_word The code word.
+       * @return The syndrome S(x) of the code word.
+       */
+      Classic_McEliece_Polynomial compute_goppa_syndrome(const Classic_McEliece_Parameters& params,
+                                                         const Classic_McEliece_Minimal_Polynomial& goppa_poly,
+                                                         const Classic_McEliece_Field_Ordering& ordering,
+                                                         const secure_bitvector& code_word);
+
+      /**
+       * @brief Applies the Berlekamp-Massey algorithm to compute the error locator polynomial given a syndrome.
+       *
+       * The error locator polynomial C can be used for decoding, as C(a_i) = 0 <=> error at position i.
+       *
+       * @param params The McEliece parameters.
+       * @param syndrome The syndrome polynomial of the code word.
+       * @return The error locator polynomial.
+       */
+      Classic_McEliece_Polynomial berlekamp_massey(const Classic_McEliece_Parameters& params,
+                                                   const Classic_McEliece_Polynomial& syndrome);
+
+      /**
+       * @brief Decodes a code word using Berlekamp's method.
+       *
+       * @param big_c The code word.
+       * @return A pair containing the decoded message and the error pattern.
+       */
+      std::pair<CT::Mask<uint8_t>, secure_bitvector> decode(bitvector big_c);
+
+      std::shared_ptr<Classic_McEliece_PrivateKeyInternal> m_key;
+};
+
+}  // namespace Botan
+
+#endif  // BOTAN_CMCE_DECAPS_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
new file mode 100644
index 00000000000..2734453f385
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
@@ -0,0 +1,126 @@
+/*
+ * Classic McEliece Encapsulation
+ * Based on the public domain reference implementation by the designers
+ * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+#include <botan/internal/cmce_encaps.h>
+
+#include <botan/rng.h>
+#include <iostream>
+
+namespace Botan {
+
+bitvector Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
+                                             const secure_bitvector& e,
+                                             const Classic_McEliece_Matrix& mat) {
+   return mat.mul(params, e);
+}
+
+std::optional<secure_bitvector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
+   const Classic_McEliece_Parameters& params, const secure_vector<uint8_t>& rand) {
+   BOTAN_ASSERT_NOMSG(rand.size() == params.tau() * (params.sigma1() / 8));
+   uint16_t mask_m = (uint32_t(1) << params.m()) - 1;  // Only take m least significant bits
+   secure_vector<uint16_t> a_values;
+   a_values.reserve(params.tau());
+   BufferSlicer rand_slicer(rand);
+
+   // Steps 2 & 3: Create d_j from uniform random bits. The first t d_j entries
+   //              in range {0,...,n-1} are defined as a_0,...,a_(t-1). ...
+   for(size_t j = 0; j < params.tau(); ++j) {
+      uint16_t d = load_le<uint16_t>(rand_slicer.take(params.sigma1() / 8).data(), 0);
+      // This is not CT, but neither is the reference implementation here.
+      // This side channel only leaks which random elements are selected and which are dropped,
+      // but no information about their content is leaked.
+      d &= mask_m;
+      if(d < params.n() && a_values.size() < params.t()) {
+         a_values.push_back(d);
+      }
+   }
+   if(a_values.size() < params.t()) {
+      // Step 3: ... If fewer than t of such elements exist restart
+      return std::nullopt;
+   }
+
+   // Step 4: Restart if not all a_i are distinct
+   for(size_t i = 1; i < params.t(); ++i) {
+      for(size_t j = 0; j < i; ++j) {
+         if(a_values.at(i) == a_values.at(j)) {
+            return std::nullopt;
+         }
+      }
+   }
+
+   secure_vector<uint8_t> a_value_byte(params.t());
+   secure_vector<uint8_t> e_bytes(ceil_tobytes(params.n()));
+
+   // Step 5: Set all bits of e at the positions of a_values
+   // Prepare the associated byte in e_bytes that is represented by each bit index in a_values
+   // if we e is represented as a byte vector
+   for(size_t j = 0; j < a_values.size(); ++j) {
+      a_value_byte[j] = 1 << (a_values[j] % 8);
+   }
+
+   for(size_t i = 0; i < params.n() / 8; ++i) {
+      for(size_t j = 0; j < a_values.size(); ++j) {
+         // If the current byte is the one that is represented by the current bit index in a_values
+         // then set the bit in e_bytes (in-byte position prepared above)
+         auto mask = CT::Mask<uint16_t>::is_equal(static_cast<uint16_t>(i), static_cast<uint16_t>(a_values[j] >> 3));
+         e_bytes[i] |= mask.if_set_return(a_value_byte[j]);
+      }
+   }
+
+   return secure_bitvector(e_bytes, params.n());
+}
+
+void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
+                                                 std::span<uint8_t> out_shared_key,
+                                                 RandomNumberGenerator& rng) {
+   BOTAN_ASSERT(out_encapsulated_key.size() == m_key->params().ciphertext_size(),
+                "Correct encapsulated key output length");
+   BOTAN_ASSERT(out_shared_key.size() == m_key->params().hash_out_bytes(), "Correct shared key output length");
+
+   auto& params = m_key->params();
+
+   // Call fixed_weight until it is successful to
+   // create a random error vector e of weight tau
+   secure_bitvector e = [&] {
+      // Emergency abort in case unexpected logical error to prevent endless loops
+      //   Success probability: >24% per attempt (25% that elements are distinct * 96% enough elements are in range)
+      //   => 203 attempts for 2^(-80) fail probability
+      const size_t MAX_ATTEMPTS = 203;
+      for(size_t attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
+         if(auto maybe_e = fixed_weight_vector_gen(params, rng.random_vec((params.sigma1() / 8) * params.tau()))) {
+            return maybe_e.value();
+         }
+      }
+      throw Internal_Error("Cannot created fixed weight vector.");
+   }();
+
+   auto big_c = encode(params, e, m_key->matrix()).to_bytes();
+   auto hash_func = params.hash_func();
+
+   if(params.is_pc()) {
+      hash_func->update(2);
+      hash_func->update(e.to_bytes());
+      auto big_c_1 = hash_func->final_stdvec();
+      big_c = Botan::concat(big_c, big_c_1);
+      hash_func->clear();
+   }
+
+   hash_func->update(1);
+   hash_func->update(e.to_bytes());
+   hash_func->update(big_c);
+
+   auto big_k = hash_func->final<secure_vector<uint8_t>>();
+   hash_func->clear();
+
+   std::copy(big_c.begin(), big_c.end(), out_encapsulated_key.begin());
+   std::copy(big_k.begin(), big_k.end(), out_shared_key.begin());
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.h b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
new file mode 100644
index 00000000000..9320a14cea5
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
@@ -0,0 +1,59 @@
+/*
+* Classic McEliece Encapsulation
+* (C) 2023 Jack Lloyd
+*     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+**/
+
+#ifndef BOTAN_CMCE_ENCAPS_H_
+#define BOTAN_CMCE_ENCAPS_H_
+
+#include <botan/cmce.h>
+#include <botan/pk_keys.h>
+#include <botan/internal/cmce_field_ordering.h>
+#include <botan/internal/cmce_keys_internal.h>
+#include <botan/internal/cmce_matrix.h>
+#include <botan/internal/cmce_parameters.h>
+#include <botan/internal/cmce_poly.h>
+#include <botan/internal/pk_ops.h>
+#include <botan/internal/pk_ops_impl.h>
+
+namespace Botan {
+
+/**
+ * Classic McEliece Encapsulation Operation
+ */
+class BOTAN_TEST_API Classic_McEliece_Encryptor final : public PK_Ops::KEM_Encryption_with_KDF {
+   public:
+      Classic_McEliece_Encryptor(std::shared_ptr<Classic_McEliece_PublicKeyInternal> key, std::string_view kdf) :
+            KEM_Encryption_with_KDF(kdf), m_key(std::move(key)) {}
+
+      size_t raw_kem_shared_key_length() const override { return m_key->params().hash_out_bytes(); }
+
+      size_t encapsulated_key_length() const override { return m_key->params().ciphertext_size(); }
+
+      void raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
+                           std::span<uint8_t> out_shared_key,
+                           RandomNumberGenerator& rng) override;
+
+   private:
+      std::shared_ptr<Classic_McEliece_PublicKeyInternal> m_key;
+
+      /**
+       * @brief Encodes an error vector by multiplying it with the Classic McEliece matrix.
+       */
+      bitvector encode(const Classic_McEliece_Parameters& params,
+                       const secure_bitvector& e,
+                       const Classic_McEliece_Matrix& mat);
+
+      /**
+      * @brief Fixed-weight-vector generation algorithm according to ISO McEliece.
+      */
+      std::optional<secure_bitvector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
+                                                              const secure_vector<uint8_t>& rand);
+};
+
+}  // namespace Botan
+
+#endif  // BOTAN_CMCE_ENCAPS_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
new file mode 100644
index 00000000000..c6bc0af410c
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -0,0 +1,322 @@
+/*
+ * Classic McEliece Field Ordering Generation
+ * Based on the public domain reference implementation by the designers
+ * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+#include <botan/internal/cmce_field_ordering.h>
+
+#include <botan/cmce.h>
+#include <botan/mem_ops.h>
+#include <botan/internal/loadstor.h>
+
+#include <iostream>
+#include <numeric>
+#include <utility>
+#include <vector>
+
+namespace Botan {
+
+namespace CMCE_CT {
+
+template <typename T1, typename T2>
+void cond_swap_pair(CT::Mask<uint64_t> cond_mask, std::pair<T1, T2>& a, std::pair<T1, T2>& b) {
+   static_assert(sizeof(T1) <= sizeof(uint64_t) && sizeof(T2) <= sizeof(uint64_t),
+                 "Types T1 and T2 must be at most 64 bits wide");
+   cond_mask.conditional_swap(a.first, b.first);
+   cond_mask.conditional_swap(a.second, b.second);
+}
+
+template <typename T1, typename T2>
+void compare_and_swap_pair(std::span<std::pair<T1, T2>> a, size_t i, size_t k, size_t l) {
+   static_assert(sizeof(T1) <= sizeof(uint64_t) && sizeof(T2) <= sizeof(uint64_t),
+                 "Types T1 and T2 must be at most 64 bits wide");
+   if((i & k) == 0) {  // i and k do not depend on secret data
+      auto swap_required_mask = CT::Mask<uint64_t>::is_lt(a[l].first, a[i].first);
+      cond_swap_pair(swap_required_mask, a[i], a[l]);
+   } else {
+      auto swap_required_mask = CT::Mask<uint64_t>::is_gt(a[l].first, a[i].first);
+      cond_swap_pair(swap_required_mask, a[i], a[l]);
+   }
+}
+
+// Sorts a vector of pairs after the first element
+template <typename T1, typename T2>
+void bitonic_sort_pair(std::span<std::pair<T1, T2>> a) {
+   size_t n = a.size();
+   BOTAN_ARG_CHECK(is_power_of_2(n), "Input vector size must be a power of 2");
+
+   for(size_t k = 2; k <= n; k *= 2) {
+      for(size_t j = k / 2; j > 0; j /= 2) {
+         for(size_t i = 0; i < n; i++) {
+            size_t l = i ^ j;
+            if(l > i) {
+               compare_and_swap_pair(a, i, k, l);
+            }
+         }
+      }
+   }
+}
+
+template <typename T>
+T min(const T& a, const T& b) {
+   auto mask = CT::Mask<T>::is_lt(a, b);
+   return mask.select(a, b);
+}
+
+}  // namespace CMCE_CT
+
+namespace {
+template <typename T1, typename T2>
+std::vector<std::pair<T1, T2>> zip(const secure_vector<T1>& vec_1, const secure_vector<T2>& vec_2) {
+   BOTAN_ARG_CHECK(vec_1.size() == vec_2.size(), "Vectors' dimensions do not match");
+   std::vector<std::pair<T1, T2>> vec_zipped;
+   vec_zipped.reserve(vec_1.size());
+   for(size_t i = 0; i < vec_1.size(); ++i) {
+      vec_zipped.push_back(std::make_pair(vec_1.at(i), vec_2.at(i)));
+   }
+   return vec_zipped;
+}
+
+template <typename T1, typename T2>
+std::pair<secure_vector<T1>, secure_vector<T2>> unzip(std::vector<std::pair<T1, T2>> vec_zipped) {
+   secure_vector<T1> vec_1;
+   secure_vector<T2> vec_2;
+
+   vec_1.reserve(vec_zipped.size());
+   vec_2.reserve(vec_zipped.size());
+
+   for(auto& [elem1, elem2] : vec_zipped) {
+      vec_1.push_back(elem1);
+      vec_2.push_back(elem2);
+   }
+   return std::make_pair(std::move(vec_1), std::move(vec_2));
+}
+
+/**
+* @brief Create permutation pi as in (Section 8.2, Step 3).
+*/
+Permutation create_pi(secure_vector<uint32_t>& a) {
+   Permutation pi(a.size());
+   std::iota(pi.begin(), pi.end(), 0);  // contains 0, 1, ..., q-1
+
+   auto a_pi_zipped = zip(a, pi.get());
+   CMCE_CT::bitonic_sort_pair(std::span(a_pi_zipped));
+
+   auto [a_sorted, pi_sorted] = unzip(std::move(a_pi_zipped));
+   a = std::move(a_sorted);
+
+   return Permutation(pi_sorted);
+}
+
+/**
+* @brief Create a GF element from pi as in (Section 8.2, Step 4).
+* Corresponds to the reverse bits of pi.
+*/
+Classic_McEliece_GF from_pi(Permutation_Element pi_elem, GF_Mod modulus, size_t m) {
+   std::bitset<16> bits(pi_elem.get());
+   std::bitset<16> reversed_bits;
+
+   for(int i = 0; i < 16; ++i) {
+      reversed_bits[i] = bits[15 - i];
+   }
+
+   reversed_bits >>= (sizeof(uint16_t) * 8 - m);
+
+   return Classic_McEliece_GF(GF_Elem(static_cast<uint16_t>(reversed_bits.to_ulong())), modulus);
+}
+
+/**
+ * @brief Part of field ordering generation according to ISO 9.2.10
+ */
+secure_vector<uint16_t> composeinv(const secure_vector<uint16_t>& c, const secure_vector<uint16_t>& pi) {
+   auto pi_c_zipped = zip(pi, c);
+   CMCE_CT::bitonic_sort_pair(std::span(pi_c_zipped));
+   auto [pi_sorted, c_sorted] = unzip(pi_c_zipped);
+
+   return c_sorted;
+}
+
+// p,q = composeinv(p,q),composeinv(q,p)
+void simultaneous_composeinv(secure_vector<uint16_t>& p, secure_vector<uint16_t>& q) {
+   auto p_new = composeinv(p, q);
+   q = composeinv(q, p);
+   p = std::move(p_new);
+}
+
+/**
+ * @brief Generate control bits as in ISO 9.2.10.
+ */
+secure_vector<uint16_t> generate_control_bits_internal(const secure_vector<uint16_t>& pi) {
+   auto n = pi.size();
+   size_t m = 1;
+
+   while(size_t(1) << m < n) {
+      m += 1;
+   }
+
+   BOTAN_ASSERT_NOMSG(size_t(1) << m == n);
+
+   if(m == 1) {
+      return secure_vector<uint16_t>({pi.at(0)});
+   }
+   secure_vector<uint16_t> p(n);
+   for(size_t x = 0; x < n; ++x) {
+      p.at(x) = pi.at(x ^ 1);
+   }
+   secure_vector<uint16_t> q(n);
+   for(size_t x = 0; x < n; ++x) {
+      q.at(x) = pi.at(x) ^ 1;
+   }
+
+   secure_vector<uint16_t> range_n(n);
+   std::iota(range_n.begin(), range_n.end(), 0);
+   auto piinv = composeinv(range_n, pi);
+
+   simultaneous_composeinv(p, q);
+
+   secure_vector<uint16_t> c(n);
+   for(uint16_t x = 0; size_t(x) < n; ++x) {
+      c.at(x) = CMCE_CT::min(x, p.at(x));
+   }
+
+   simultaneous_composeinv(p, q);
+
+   for(size_t i = 1; i < m - 1; ++i) {
+      auto cp = composeinv(c, q);
+      simultaneous_composeinv(p, q);
+      for(size_t x = 0; x < n; ++x) {
+         c.at(x) = CMCE_CT::min(c.at(x), cp.at(x));
+      }
+   }
+
+   secure_vector<uint16_t> f(n / 2);
+   for(size_t j = 0; j < n / 2; ++j) {
+      f.at(j) = c.at(2 * j) % 2;
+   }
+
+   secure_vector<uint16_t> big_f(n);
+   for(uint16_t x = 0; size_t(x) < n; ++x) {
+      big_f.at(x) = x ^ f.at(x / 2);
+   }
+
+   auto fpi = composeinv(big_f, piinv);
+
+   secure_vector<uint16_t> l(n / 2);
+   for(size_t k = 0; k < n / 2; ++k) {
+      l.at(k) = fpi.at(2 * k) % 2;
+   }
+
+   secure_vector<uint16_t> big_l(n);
+   for(uint16_t y = 0; size_t(y) < n; ++y) {
+      big_l.at(y) = y ^ l.at(y / 2);
+   }
+
+   auto big_m = composeinv(fpi, big_l);
+
+   secure_vector<uint16_t> subm0(n / 2);
+   secure_vector<uint16_t> subm1(n / 2);
+   for(size_t j = 0; j < n / 2; ++j) {
+      subm0.at(j) = big_m.at(2 * j) / 2;
+      subm1.at(j) = big_m.at(2 * j + 1) / 2;
+   }
+
+   auto subz0 = generate_control_bits_internal(subm0);
+   auto subz1 = generate_control_bits_internal(subm1);
+
+   secure_vector<uint16_t> z(subz0.size() + subz1.size());
+   for(size_t j = 0; j < subz0.size(); ++j) {
+      z.at(2 * j) = subz0.at(j);
+      z.at(2 * j + 1) = subz1.at(j);
+   }
+
+   return concat(f, z, l);
+}
+
+}  // anonymous namespace
+
+std::optional<Classic_McEliece_Field_Ordering> Classic_McEliece_Field_Ordering::create_field_ordering(
+   const Classic_McEliece_Parameters& params, std::span<const uint8_t> random_bits) {
+   BOTAN_ARG_CHECK(random_bits.size() == (params.sigma2() * params.q()) / 8, "Wrong random bits size");
+
+   secure_vector<uint32_t> a;  // contains a_0, a_1, ...
+   for(size_t i = 0; i < params.q(); ++i) {
+      a.push_back(load_le<uint32_t>(random_bits.data(), i));  // Utilizes sigma2 = 32
+   }
+
+   auto pi = create_pi(a);
+
+   for(size_t i = 1; i < params.q(); ++i) {
+      if(a.at(i - 1) == a.at(i)) {  // Check for duplicate elements utilizing sorting
+         return std::nullopt;       // Abort (Step 2)
+      }
+   }
+
+   return Classic_McEliece_Field_Ordering(std::move(pi), params.poly_f());
+}
+
+std::vector<Classic_McEliece_GF> Classic_McEliece_Field_Ordering::alphas(size_t n) const {
+   BOTAN_ASSERT_NOMSG(m_poly_f.get() != 0);
+   BOTAN_ASSERT_NOMSG(m_pi.size() >= n);
+
+   std::vector<Classic_McEliece_GF> n_alphas_vec;
+
+   std::transform(m_pi.begin(), m_pi.begin() + n, std::back_inserter(n_alphas_vec), [this](uint16_t pi_elem) {
+      return from_pi(Permutation_Element(pi_elem), m_poly_f, Classic_McEliece_GF::log_q_from_mod(m_poly_f));
+   });
+
+   return n_alphas_vec;
+}
+
+secure_bitvector Classic_McEliece_Field_Ordering::alphas_control_bits() const {
+   // Each vector element contains one bit of the control bits
+   auto control_bits_as_words = generate_control_bits_internal(m_pi.get());
+   auto control_bits = secure_bitvector(control_bits_as_words.size());
+   for(size_t i = 0; i < control_bits.size(); ++i) {
+      control_bits.at(i) = control_bits_as_words.at(i);
+   }
+
+   return control_bits;
+}
+
+// Based on the Python code "permutation(c)" from Bernstein
+// "Verified fast formulas for control bits for permutation networks"
+Classic_McEliece_Field_Ordering Classic_McEliece_Field_Ordering::create_from_control_bits(
+   const Classic_McEliece_Parameters& params, const secure_bitvector& control_bits) {
+   BOTAN_ASSERT_NOMSG(control_bits.size() == (2 * params.m() - 1) << (params.m() - 1));
+   uint16_t n = static_cast<uint16_t>(1) << params.m();
+   Permutation pi(n);
+   std::iota(pi.begin(), pi.end(), 0);
+   for(size_t i = 0; i < 2 * params.m() - 1; ++i) {
+      size_t gap = static_cast<size_t>(1) << std::min(i, 2 * params.m() - 2 - i);
+      for(size_t j = 0; j < size_t(n / 2); ++j) {
+         size_t pos = (j % gap) + 2 * gap * (j / gap);
+         auto mask = CT::Mask<uint16_t>::expand(control_bits[i * n / 2 + j]);
+         mask.conditional_swap(pi[pos], pi[pos + gap]);
+      }
+   }
+
+   return Classic_McEliece_Field_Ordering(std::move(pi), params.poly_f());
+}
+
+void Classic_McEliece_Field_Ordering::permute_with_pivots(const Classic_McEliece_Parameters& params,
+                                                          const Column_Selection& pivots) {
+   auto col_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
+
+   for(size_t p_idx = 1; p_idx <= Classic_McEliece_Parameters::mu(); ++p_idx) {
+      size_t p_counter = 0;
+      for(size_t col = 0; col < Classic_McEliece_Parameters::nu(); ++col) {
+         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.get().at(col));
+         p_counter += CT::Mask<size_t>::expand(pivots.get().at(col)).if_set_return(1);
+         auto mask_is_current_pivot = CT::Mask<size_t>::is_equal(p_idx, p_counter);
+         (mask_is_pivot_set & mask_is_current_pivot)
+            .conditional_swap(m_pi.get().at(col_offset + col), m_pi.get().at(col_offset + p_idx - 1));
+      }
+   }
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
new file mode 100644
index 00000000000..82796019351
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
@@ -0,0 +1,112 @@
+/*
+ * Classic McEliece Field Ordering Generation
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_FIELD_ORDERING_H_
+#define BOTAN_CMCE_FIELD_ORDERING_H_
+
+#include <botan/internal/cmce_parameters.h>
+#include <botan/internal/cmce_types.h>
+
+#include <numeric>
+
+namespace Botan {
+
+/**
+ * @brief Represents a field ordering for the Classic McEliece cryptosystem.
+ *
+ * Field ordering corresponds to the permutation pi defining the alpha sequence in
+ * the Classic McEliece specification (see Classic McEliece ISO Sec. 8.2.).
+ */
+class BOTAN_TEST_API Classic_McEliece_Field_Ordering {
+   public:
+      /**
+       * @brief Creates a field ordering from a random bit sequence. Corresponds to
+       *        the algorithm described in Classic McEliece ISO Sec. 8.2.
+       *
+       * @param params The McEliece parameters.
+       * @param random_bits The random bit sequence.
+       * @return The field ordering.
+       */
+      static std::optional<Classic_McEliece_Field_Ordering> create_field_ordering(
+         const Classic_McEliece_Parameters& params, std::span<const uint8_t> random_bits);
+
+      /**
+       * @brief Create the field ordering from the control bits of a benes network.
+       *
+       * @param params The McEliece parameters.
+       * @param control_bits The control bits of the benes network.
+       * @return The field ordering.
+       */
+      static Classic_McEliece_Field_Ordering create_from_control_bits(const Classic_McEliece_Parameters& params,
+                                                                      const secure_bitvector& control_bits);
+
+      /**
+       * @brief Returns the field ordering as a vector of all alphas from alpha_0 to alpha_{n-1}.
+       *
+       * @param n The number of alphas to return.
+       * @return the vector of n alphas.
+       */
+      std::vector<Classic_McEliece_GF> alphas(size_t n) const;
+
+      /**
+       * @brief Generates the control bits of the benes network corresponding to the field ordering.
+       *
+       * @return the control bits.
+       */
+      secure_bitvector alphas_control_bits() const;
+
+      /**
+       * @brief The pi values representing the field ordering.
+       *
+       * @return pi values.
+       */
+      Permutation& pi_ref() { return m_pi; }
+
+      /**
+       * @brief The pi values representing the field ordering.
+       *
+       * @return pi values.
+       */
+      const Permutation& pi_ref() const { return m_pi; }
+
+      /**
+       * @brief Constant time comparison of two field orderings.
+       *
+       * @param other The other field ordering.
+       * @return Mask of equality value
+       */
+      CT::Mask<uint16_t> ct_is_equal(const Classic_McEliece_Field_Ordering& other) const {
+         BOTAN_ARG_CHECK(other.pi_ref().size() == pi_ref().size(), "Field orderings must have the same size");
+         return CT::is_equal(pi_ref().data(), other.pi_ref().data(), pi_ref().size());
+      }
+
+      /**
+       * @brief Permute the field ordering with the given pivots.
+       *
+       * For example: If the pivot vector is 10101, the first, third and fifth element of the field ordering
+       * are permuted to positions 0, 1 and 2, respectively. The remaining elements are put at the end.
+       *
+       * The permutation is done for the elements from position m*t - mu,..., m*t + mu (excl.).
+       * This function implements Classic McEliece ISO Sec. 7.2.3 Steps 4-5.
+       *
+       * @param params The McEliece parameters.
+       * @param pivots The pivot vector.
+       */
+      void permute_with_pivots(const Classic_McEliece_Parameters& params, const Column_Selection& pivots);
+
+   private:
+      Classic_McEliece_Field_Ordering(Permutation pi, GF_Mod poly_f) : m_pi(std::move(pi)), m_poly_f(poly_f) {}
+
+   private:
+      Permutation m_pi;
+      GF_Mod m_poly_f;
+};
+
+}  // namespace Botan
+
+#endif
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.cpp b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
new file mode 100644
index 00000000000..308027da0c0
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
@@ -0,0 +1,123 @@
+/*
+* Classic McEliece GF arithmetic
+* Based on the public domain reference implementation by the designers
+* (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+*
+* (C) 2023 Jack Lloyd
+*     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+**/
+
+#include <botan/internal/cmce_gf.h>
+
+namespace Botan {
+
+namespace {
+inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
+   // Optimization for the specific moduli used in Classic McEliece
+   // Taken from the reference implementation
+   if(mod == 0b0010000000011011) {
+      uint32_t t = x & 0x1FF0000;
+      x ^= (t >> 9) ^ (t >> 10) ^ (t >> 12) ^ (t >> 13);
+
+      t = x & 0x000E000;
+      x ^= (t >> 9) ^ (t >> 10) ^ (t >> 12) ^ (t >> 13);
+
+      return GF_Elem(x & 0x1fff);
+   } else if(mod == 0b0001000000001001) {
+      uint32_t t = x & 0x7FC000;
+      x ^= t >> 9;
+      x ^= t >> 12;
+
+      t = x & 0x3000;
+      x ^= t >> 9;
+      x ^= t >> 12;
+
+      x &= 0xfff;
+
+      return GF_Elem(static_cast<uint16_t>(x & 0xfff));
+   } else {
+      // TODO: Only for test instances. Remove on final PR
+      size_t m = Classic_McEliece_GF::log_q_from_mod(mod);
+
+      for(int i = static_cast<int>(m) - 2; i >= 0; --i) {
+         x ^= CT::Mask<uint32_t>::expand((uint32_t(1) << (i + m)) & x)
+                 .if_set_return(static_cast<uint32_t>(mod.get()) << i);
+      }
+
+      return GF_Elem(static_cast<uint16_t>(x));
+   }
+}
+
+}  // namespace
+
+Classic_McEliece_GF Classic_McEliece_GF::operator/(Classic_McEliece_GF other) const {
+   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+   return *this * other.inv();
+}
+
+Classic_McEliece_GF Classic_McEliece_GF::operator+(Classic_McEliece_GF other) const {
+   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+   return Classic_McEliece_GF(m_elem ^ other.m_elem, m_modulus);
+}
+
+Classic_McEliece_GF& Classic_McEliece_GF::operator+=(Classic_McEliece_GF other) {
+   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+   m_elem ^= other.m_elem;
+   return *this;
+}
+
+Classic_McEliece_GF& Classic_McEliece_GF::operator^=(GF_Elem other) {
+   m_elem ^= other;
+   return *this;
+}
+
+Classic_McEliece_GF& Classic_McEliece_GF::operator*=(Classic_McEliece_GF other) {
+   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+   *this = *this * other;
+   return *this;
+}
+
+Classic_McEliece_GF Classic_McEliece_GF::operator*(Classic_McEliece_GF other) const {
+   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+
+   uint32_t a = m_elem.get();
+   uint32_t b = other.m_elem.get();
+
+   uint32_t acc = a * (b & 1);
+
+   for(size_t i = 1; i < log_q(); i++) {
+      acc ^= (a * (b & (1 << i)));
+   }
+
+   return Classic_McEliece_GF(internal_reduce(acc, m_modulus), m_modulus);
+}
+
+Classic_McEliece_GF Classic_McEliece_GF::square() const {
+   return (*this) * (*this);
+}
+
+Classic_McEliece_GF Classic_McEliece_GF::inv() const {
+   // Compute the inverse using fermat's little theorem: a^(q-1) = 1 => a^(q-2) = a^-1
+
+   // exponent = (q-2). This is public information, therefore the workflow is constant time.
+   size_t exponent = (size_t(1) << log_q()) - 2;
+   Classic_McEliece_GF base = *this;
+
+   // Compute base^exponent using the square-and-multiply algorithm
+   Classic_McEliece_GF result = {GF_Elem(1), m_modulus};
+   while(exponent > 0) {
+      if(exponent % 2 == 1) {
+         // multiply
+         result = (result * base);
+      }
+      // square
+      base = base.square();
+      exponent /= 2;
+   }
+
+   return result;
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.h b/src/lib/pubkey/classic_mceliece/cmce_gf.h
new file mode 100644
index 00000000000..73b16fd2a4e
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.h
@@ -0,0 +1,191 @@
+/*
+ * Classic McEliece GF arithmetic
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_GF_H_
+#define BOTAN_CMCE_GF_H_
+
+#include <botan/internal/bit_ops.h>
+#include <botan/internal/cmce_types.h>
+#include <botan/internal/ct_utils.h>
+#include <botan/internal/stl_util.h>
+
+#include <bitset>
+
+namespace Botan {
+
+/**
+ * @brief Represents an element of the finite field GF(q) for q = 2^m.
+ *
+ * This class implements the finite field GF(q) for q = 2^m via the irreducible
+ * polynomial f(z) of degree m. The elements of GF(q) are represented as polynomials
+ * of degree m-1 with coefficients in GF(2). Each element and the modulus is
+ * represented by a uint16_t, where the i-th least significant bit corresponds to
+ * the coefficient of z^i. For example, the element (z^3 + z^2 + 1) is represented
+ * by the uint16_t 0b1101.
+ */
+class BOTAN_TEST_API Classic_McEliece_GF {
+   public:
+      /**
+       * @brief Creates an element of GF(q) from a uint16_t.
+       *
+       * Each element and the modulus is represented by a uint16_t, where the i-th least significant bit
+       * corresponds to the coefficient of z^i.
+       *
+       * @param elem The element as a uint16_t.
+       * @param modulus The modulus of GF(q).
+       */
+      Classic_McEliece_GF(GF_Elem elem, GF_Mod modulus) : m_elem(elem), m_modulus(modulus) {
+         m_elem &= GF_Elem((size_t(1) << log_q()) - 1);
+      }
+
+      /**
+       * @brief Get m.
+       *
+       * For a given irreducible polynomial @p modulus f(z) representing the modulus of a finite field GF(q) = GF(2^m),
+       * get the degree log_q of f(z) which corresponds to m.
+       *
+       * @param modulus The modulus of GF(q).
+       * @return size_t The degree log_q of the modulus (m for GF(2^m)).
+       */
+      static size_t log_q_from_mod(GF_Mod modulus) { return floor_log2(modulus.get()); }
+
+      /**
+       * @brief Get m, the degree of the element's modulus.
+       *
+       * @return size_t The degree log_q of the modulus (m for GF(2^m)).
+       */
+      size_t log_q() const { return log_q_from_mod(m_modulus); }
+
+      /**
+       * @brief Get the GF(q) element as a GF_Elem.
+       *
+       * @return the element as a GF_Elem.
+       */
+      GF_Elem elem() const { return m_elem; }
+
+      /**
+       * @brief Get the modulus f(z) of GF(q) as a GF_Mod.
+       *
+       * @return the modulus as a GF_Mod.
+       */
+      GF_Mod modulus() const { return m_modulus; }
+
+      /**
+       * @brief Change the element to @p elem.
+       */
+      Classic_McEliece_GF& operator=(const GF_Elem elem) {
+         m_elem = elem & GF_Elem((size_t(1) << log_q()) - 1);
+         return *this;
+      }
+
+      /**
+       * @brief Divide the element by @p other in GF(q). Constant time.
+       */
+      Classic_McEliece_GF operator/(Classic_McEliece_GF other) const;
+
+      /**
+       * @brief Add @p other to the element. Constant time.
+       */
+      Classic_McEliece_GF operator+(Classic_McEliece_GF other) const;
+
+      /**
+       * @brief Add @p other to the element. Constant time.
+       */
+      Classic_McEliece_GF& operator+=(Classic_McEliece_GF other);
+
+      /**
+       * @brief XOR assign a GF_Elem to the element of this. Constant time.
+       */
+      Classic_McEliece_GF& operator^=(GF_Elem other);
+
+      /**
+       * @brief Multiply the element by @p other in GF(q). Constant time.
+       */
+      Classic_McEliece_GF& operator*=(Classic_McEliece_GF other);
+
+      /**
+       * @brief Multiply the element by @p other in GF(q). Constant time.
+       */
+      Classic_McEliece_GF operator*(Classic_McEliece_GF other) const;
+
+      /**
+       * @brief Check if the element is equal to @p other. Modulus is ignored.
+       */
+      bool operator==(Classic_McEliece_GF other) const { return elem() == other.elem(); }
+
+      /**
+       * @brief Square the element. Constant time.
+       */
+      Classic_McEliece_GF square() const;
+
+      /**
+       * @brief Invert the element. Constant time.
+       */
+      Classic_McEliece_GF inv() const;
+
+      /**
+      * @brief Check if the element is zero.
+      */
+      bool is_zero() const { return elem() == 0; }
+
+   private:
+      GF_Elem m_elem;
+
+      GF_Mod m_modulus;
+};
+
+/**
+ * @brief Constant time mask wrapper for GF(q) elements.
+ */
+class BOTAN_TEST_API GF_Mask final {
+   public:
+      static GF_Mask expand(Classic_McEliece_GF v) { return GF_Mask(CT::Mask<uint16_t>::expand(v.elem().get())); }
+
+      static GF_Mask is_zero(Classic_McEliece_GF v) { return GF_Mask(CT::Mask<uint16_t>::is_zero(v.elem().get())); }
+
+      static GF_Mask is_lte(Classic_McEliece_GF a, Classic_McEliece_GF b) {
+         return GF_Mask(CT::Mask<uint16_t>::is_lte(a.elem().get(), b.elem().get()));
+      }
+
+      static GF_Mask is_equal(Classic_McEliece_GF a, Classic_McEliece_GF b) {
+         return GF_Mask(CT::Mask<uint16_t>::is_equal(a.elem().get(), b.elem().get()));
+      }
+
+      static GF_Mask set() { return GF_Mask(CT::Mask<uint16_t>::set()); }
+
+      GF_Mask(CT::Mask<uint16_t> underlying_mask) : m_mask(underlying_mask) {}
+
+      Classic_McEliece_GF if_set_return(const Classic_McEliece_GF x) const {
+         return Classic_McEliece_GF(GF_Elem(m_mask.if_set_return(x.elem().get())), x.modulus());
+      }
+
+      Classic_McEliece_GF select(const Classic_McEliece_GF x, const Classic_McEliece_GF y) const {
+         return Classic_McEliece_GF(GF_Elem(m_mask.select(x.elem().get(), y.elem().get())), x.modulus());
+      }
+
+      Classic_McEliece_GF select(const Classic_McEliece_GF x, GF_Elem y) const {
+         return Classic_McEliece_GF(GF_Elem(m_mask.select(x.elem().get(), y.get())), x.modulus());
+      }
+
+      uint16_t select(uint16_t x, uint16_t y) const { return m_mask.select(x, y); }
+
+      GF_Mask& operator&=(const GF_Mask& o) {
+         m_mask &= o.m_mask;
+         return (*this);
+      }
+
+      bool as_bool() { return m_mask.as_bool(); }
+
+      CT::Mask<uint16_t>& elem_mask() { return m_mask; }
+
+   private:
+      CT::Mask<uint16_t> m_mask;
+};
+
+}  // namespace Botan
+#endif
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
new file mode 100644
index 00000000000..88087ce5d34
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -0,0 +1,143 @@
+/*
+ * Classic McEliece key generation with Internal Private and Public Key classes
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/internal/cmce_keys_internal.h>
+
+namespace Botan {
+
+namespace {
+
+/**
+ * @brief Try to generate a Classic McEliece keypair for a given seed.
+ *
+ * @param[out] out_next_seed The next seed to use for key generation, if this iteration fails
+ * @param params Classic McEliece parameters
+ * @param seed The seed to used for this key generation iteration
+ * @return a keypair on success, std::nullopt otherwise
+ */
+std::optional<Classic_McEliece_KeyPair_Internal> try_generate_keypair(std::span<uint8_t> out_next_seed,
+                                                                      const Classic_McEliece_Parameters& params,
+                                                                      Key_Gen_Seed seed) {
+   BOTAN_ASSERT_EQUAL(seed.size(), 32, "Valid seed length");
+   BOTAN_ASSERT_EQUAL(out_next_seed.size(), 32, "Valid output seed length");
+
+   auto ring = params.poly_ring();
+
+   auto big_e_xof = params.prg(seed);
+
+   auto s = big_e_xof->output<Rejection_Seed>(params.n() / 8);
+   auto ordering_seed = big_e_xof->output<secure_vector<uint8_t>>((params.sigma2() * params.q()) / 8);
+   auto irreducible_seed = big_e_xof->output<secure_vector<uint8_t>>((params.sigma1() * params.t()) / 8);
+   big_e_xof->output(out_next_seed);
+
+   // Field-ordering generation - Classic McEliece ISO 8.2
+   auto field_ordering = Classic_McEliece_Field_Ordering::create_field_ordering(params, ordering_seed);
+   if(!field_ordering) {
+      return std::nullopt;
+   }
+
+   // Irreducible-polynomial generation - Classic McEliece ISO 8.1
+   auto g = params.poly_ring().compute_minimal_polynomial(irreducible_seed);
+   if(!g) {
+      return std::nullopt;
+   }
+
+   // Matrix generation for Goppa codes - Classic McEliece ISO 7.2
+   auto pk_matrix_and_pivots =
+      Classic_McEliece_Matrix::create_matrix_and_apply_pivots(params, field_ordering.value(), g.value());
+   if(!pk_matrix_and_pivots) {
+      return std::nullopt;
+   }
+   auto& [pk_matrix, pivots] = pk_matrix_and_pivots.value();
+
+   // Key generation was successful - Create and return keys
+   auto sk = std::make_shared<Classic_McEliece_PrivateKeyInternal>(
+      params, std::move(seed), pivots, std::move(g.value()), std::move(field_ordering.value()), std::move(s));
+
+   auto pk = std::make_shared<Classic_McEliece_PublicKeyInternal>(params, std::move(pk_matrix));
+
+   return Classic_McEliece_KeyPair_Internal{.private_key = sk, .public_key = pk};
+}
+
+}  // namespace
+
+Classic_McEliece_PrivateKeyInternal Classic_McEliece_PrivateKeyInternal::from_bytes(
+   const Classic_McEliece_Parameters& params, std::span<const uint8_t> sk_bytes) {
+   BOTAN_ASSERT(sk_bytes.size() == params.sk_size_bytes(), "Valid private key size");
+   BufferSlicer sk_slicer(sk_bytes);
+
+   auto delta = sk_slicer.copy<Key_Gen_Seed>(params.seed_len());
+   auto c = Column_Selection(sk_slicer.take(params.sk_c_bytes()));
+   auto g = Classic_McEliece_Minimal_Polynomial::from_bytes(sk_slicer.take(params.sk_poly_g_bytes()), params.poly_f());
+   auto field_ordering = Classic_McEliece_Field_Ordering::create_from_control_bits(
+      params, secure_bitvector(sk_slicer.take(params.sk_alpha_control_bytes())));
+   auto s = sk_slicer.copy<Rejection_Seed>(params.sk_s_bytes());
+   BOTAN_ASSERT_NOMSG(sk_slicer.empty());
+
+   return Classic_McEliece_PrivateKeyInternal(
+      params, std::move(delta), std::move(c), std::move(g), std::move(field_ordering), std::move(s));
+}
+
+secure_vector<uint8_t> Classic_McEliece_PrivateKeyInternal::serialize() const {
+   auto control_bits = m_field_ordering.alphas_control_bits();
+
+   /* NIST Impl. guide 6.1 Control-Bit Gen:
+    *     As low-cost protection against faults in the control-bit computation, implementors are advised
+    *     to check after the computation that applying the Benes network produces pi, and to
+    *     restart key generation if this test fails; applying the Benes network is very fast.
+    *
+    * Here, we just assert that applying the Benes network produces pi.
+    */
+   BOTAN_ASSERT(Classic_McEliece_Field_Ordering::create_from_control_bits(m_params, control_bits)
+                   .ct_is_equal(m_field_ordering)
+                   .as_bool(),
+                "Control Bit Computation Check");
+
+   return concat(m_delta.get(), m_c.get().to_bytes(), m_g.serialize(), control_bits.to_bytes(), m_s);
+}
+
+std::shared_ptr<Classic_McEliece_PublicKeyInternal> Classic_McEliece_PublicKeyInternal::create_from_private_key(
+   const Classic_McEliece_PrivateKeyInternal& sk) {
+   auto pk_matrix_and_pivot = Classic_McEliece_Matrix::create_matrix(sk.params(), sk.field_ordering(), sk.g());
+   if(!pk_matrix_and_pivot.has_value()) {
+      throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
+   }
+   auto& [pk_matrix, pivot] = pk_matrix_and_pivot.value();
+   if(!pivot.get().subvector(0, pivot.get().size() / 2).all() ||
+      !pivot.get().subvector(pivot.get().size() / 2).none()) {
+      // There should not be a pivot other than 0xff ff ff ff 00 00 00 00. Otherwise
+      // the gauss algorithm failed effectively.
+      throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
+   }
+
+   auto pk = std::make_shared<Classic_McEliece_PublicKeyInternal>(sk.params(), std::move(pk_matrix));
+
+   return pk;
+}
+
+Classic_McEliece_KeyPair_Internal Classic_McEliece_KeyPair_Internal::generate(const Classic_McEliece_Parameters& params,
+                                                                              StrongSpan<const Initial_Seed> seed) {
+   BOTAN_ASSERT_EQUAL(seed.size(), params.seed_len(), "Valid seed length");
+
+   Key_Gen_Seed next_seed(seed.size());
+   Key_Gen_Seed current_seed(seed.begin(), seed.end());
+
+   // Emergency abort in case unexpected logical error to prevent endless loops
+   //   Success probability: >29% per attempt [>98% for 'f' instances]
+   //   => 162 [15] attempts for 2^(-80) fail probability
+   const size_t MAX_ATTEMPTS = params.is_f() ? 15 : 162;
+   for(size_t attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
+      if(auto keypair = try_generate_keypair(next_seed, params, std::move(current_seed))) {
+         return keypair.value();
+      }
+      current_seed = next_seed;
+   }
+   throw Internal_Error("Key generation fails consistently. Something went wrong.");
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
new file mode 100644
index 00000000000..061bae72216
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
@@ -0,0 +1,187 @@
+/*
+ * Classic McEliece key generation with Internal Private and Public Key classes
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_KEYS_INTERNAL_H_
+#define BOTAN_CMCE_KEYS_INTERNAL_H_
+
+#include <botan/internal/cmce_field_ordering.h>
+#include <botan/internal/cmce_matrix.h>
+#include <botan/internal/cmce_parameters.h>
+#include <botan/internal/cmce_poly.h>
+#include <botan/internal/cmce_types.h>
+
+namespace Botan {
+
+class Classic_McEliece_PrivateKeyInternal;
+
+/**
+ * @brief Representation of a Classic McEliece public key.
+ *
+ * This class represents a Classic McEliece public key. It is used internally by the Classic McEliece
+ * public key class and contains the following data:
+ * - The Classic McEliece parameters
+ * - The public key matrix
+ */
+class BOTAN_TEST_API Classic_McEliece_PublicKeyInternal {
+   public:
+      /**
+       * @brief Construct a Classic McEliece public key.
+       *
+       * @param params The Classic McEliece parameters
+       * @param matrix The public key matrix
+       */
+      Classic_McEliece_PublicKeyInternal(const Classic_McEliece_Parameters& params, Classic_McEliece_Matrix matrix) :
+            m_params(params), m_matrix(std::move(matrix)) {
+         BOTAN_ASSERT_NOMSG(m_matrix.bytes().size() == m_params.pk_size_bytes());
+      }
+
+      /**
+       * @brief Create a Classic McEliece public key from a private key.
+       *
+       * Create the matrix from the private key values. Expects that the private key is valid, i.e.
+       * the matrix creation works.
+       *
+       * @param sk The private key
+       * @return The public key as a shared pointer
+       */
+      static std::shared_ptr<Classic_McEliece_PublicKeyInternal> create_from_private_key(
+         const Classic_McEliece_PrivateKeyInternal& sk);
+
+      /**
+       * @brief Serializes the Classic McEliece public key as defined in Classic McEliece ISO Section 9.2.7.
+       */
+      std::vector<uint8_t> serialize() const { return m_matrix.bytes(); }
+
+      /**
+       * @brief The Classic McEliece matrix.
+       */
+      const Classic_McEliece_Matrix& matrix() const { return m_matrix; }
+
+      /**
+       * @brief The Classic McEliece parameters.
+       */
+      const Classic_McEliece_Parameters& params() const { return m_params; }
+
+   private:
+      Classic_McEliece_Parameters m_params;
+      Classic_McEliece_Matrix m_matrix;
+};
+
+/**
+ * @brief Representation of a Classic McEliece private key.
+ *
+ * This class represents a Classic McEliece private key. It is used internally by the Classic McEliece
+ * private key class and contains the following data (see Classic McEliece ISO Section 9.2.12):
+ * - The Classic McEliece parameters
+ * - The seed delta
+ * - The column selection pivot vector c
+ * - The minimal polynomial g
+ * - The field ordering alpha
+ * - The seed s for implicit rejection
+ */
+class BOTAN_TEST_API Classic_McEliece_PrivateKeyInternal {
+   public:
+      /**
+       * @brief Construct a Classic McEliece private key.
+       *
+       * @param params The Classic McEliece parameters
+       * @param delta The seed delta
+       * @param c The column selection pivot vector c
+       * @param g The minimal polynomial g
+       * @param alpha The field ordering alpha
+       * @param s The seed s for implicit rejection
+       */
+      Classic_McEliece_PrivateKeyInternal(const Classic_McEliece_Parameters& params,
+                                          Key_Gen_Seed delta,
+                                          Column_Selection c,
+                                          Classic_McEliece_Minimal_Polynomial g,
+                                          Classic_McEliece_Field_Ordering alpha,
+                                          Rejection_Seed s) :
+            m_params(params),
+            m_delta(std::move(delta)),
+            m_c(std::move(c)),
+            m_g(std::move(g)),
+            m_field_ordering(std::move(alpha)),
+            m_s(std::move(s)) {}
+
+      /**
+       * @brief Parses a Classic McEliece private key from a byte sequence.
+       *
+       * It also creates the field ordering from the control bits in @p sk_bytes.
+       *
+       * @param params The Classic McEliece parameters
+       * @param sk_bytes The secret key byte sequence
+       * @return the Classic McEliece private key
+       */
+      static Classic_McEliece_PrivateKeyInternal from_bytes(const Classic_McEliece_Parameters& params,
+                                                            std::span<const uint8_t> sk_bytes);
+
+      /**
+       * @brief Serializes the Classic McEliece private key as defined in Classic McEliece ISO Section 9.2.12.
+       *
+       * @return the serialized Classic McEliece private key
+       */
+      secure_vector<uint8_t> serialize() const;
+
+      /**
+       * @brief The seed delta that was used to create the private key.
+       */
+      const Key_Gen_Seed& delta() const { return m_delta; }
+
+      /**
+       * @brief The column selection pivot vector c as defined in Classic McEliece ISO Section 9.2.11.
+       */
+      const Column_Selection& c() const { return m_c; }
+
+      /**
+       * @brief The minimal polynomial g.
+       */
+      const Classic_McEliece_Minimal_Polynomial& g() const { return m_g; }
+
+      /**
+       * @brief The field ordering alpha.
+       */
+      const Classic_McEliece_Field_Ordering& field_ordering() const { return m_field_ordering; }
+
+      /**
+       * @brief The seed s for implicit rejection on decryption failure.
+       */
+      const Rejection_Seed& s() const { return m_s; }
+
+      /**
+       * @brief The Classic McEliece parameters.
+       */
+      const Classic_McEliece_Parameters& params() const { return m_params; }
+
+   private:
+      Classic_McEliece_Parameters m_params;
+      Key_Gen_Seed m_delta;
+      Column_Selection m_c;
+      Classic_McEliece_Minimal_Polynomial m_g;
+      Classic_McEliece_Field_Ordering m_field_ordering;
+      Rejection_Seed m_s;
+};
+
+/**
+ * @brief Representation of a Classic McEliece key pair.
+ */
+struct BOTAN_TEST_API Classic_McEliece_KeyPair_Internal {
+      std::shared_ptr<Classic_McEliece_PrivateKeyInternal> private_key;
+      std::shared_ptr<Classic_McEliece_PublicKeyInternal> public_key;
+
+      /**
+       * @brief Generate a Classic McEliece key pair using the algorithm described
+       * in Classic McEliece ISO Section 8.3
+       */
+      static Classic_McEliece_KeyPair_Internal generate(const Classic_McEliece_Parameters& params,
+                                                        StrongSpan<const Initial_Seed> seed);
+};
+
+}  // namespace Botan
+
+#endif  // BOTAN_CMCE_KEYS_INTERNAL_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
new file mode 100644
index 00000000000..e8c3637b771
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -0,0 +1,258 @@
+/*
+ * Classic McEliece Matrix Logic
+ * Based on the public domain reference implementation by the designers
+ * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+ *
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/internal/cmce_matrix.h>
+
+namespace {
+using word_t = uint64_t;
+
+}  // Anonymous namespace
+
+namespace Botan {
+
+//TODO Renéquest: This file could use MatrixRow and Matrix strong types that implement .at() etc.
+namespace {
+size_t count_lsb_zeros(secure_bitvector n) {
+   size_t res = 0;
+   auto found_only_zeros = Botan::CT::Mask<size_t>::set();
+   for(size_t bit_pos = 0; bit_pos < n.size(); ++bit_pos) {
+      auto bit_set_mask = Botan::CT::Mask<size_t>::expand(n.at(bit_pos));
+      found_only_zeros &= ~bit_set_mask;
+      res += found_only_zeros.if_set_return(size_t(1));
+   }
+
+   return res;
+}
+
+std::vector<secure_bitvector> init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
+                                                      const Classic_McEliece_Field_Ordering& field_ordering,
+                                                      const Classic_McEliece_Minimal_Polynomial& g) {
+   auto alphas = field_ordering.alphas(params.n());
+   std::vector<Classic_McEliece_GF> inv_g_of_alpha;
+   inv_g_of_alpha.reserve(params.n());
+   for(const auto& alpha : alphas) {
+      inv_g_of_alpha.push_back(g(alpha).inv());
+   }
+   std::vector<secure_bitvector> mat(params.pk_no_rows(), secure_bitvector(params.n()));
+
+   for(size_t i = 0; i < params.t(); ++i) {
+      for(size_t j = 0; j < params.n(); ++j) {
+         for(size_t alpha_i_j_bit = 0; alpha_i_j_bit < params.m(); ++alpha_i_j_bit) {
+            mat[i * params.m() + alpha_i_j_bit][j] = (uint16_t(1) << alpha_i_j_bit) & inv_g_of_alpha[j].elem().get();
+         }
+      }
+      // Update for the next i so that:
+      // inv_g_of_alpha[j] = h_i_j = alpha_j^i/g(alpha_j)
+      for(size_t j = 0; j < params.n(); ++j) {
+         inv_g_of_alpha.at(j) *= alphas.at(j);
+      }
+   }
+
+   return mat;
+}
+
+std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
+                                             const Classic_McEliece_Parameters& params) {
+   static_assert(Classic_McEliece_Parameters::nu() == 64,
+                 "nu needs to be 64");  // Since we use uint64_t to represent rows in the mu x nu sub-matrix
+   // A 32x64 sub-matrix of mat containing the elements mat[m*t-32][m*t-32] at the top left
+   std::vector<secure_bitvector> sub_mat(Classic_McEliece_Parameters::mu(), secure_bitvector());
+
+   size_t pos_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
+
+   // Extract the bottom mu x nu matrix at offset row_offset
+   for(size_t i = 0; i < 32; i++) {
+      sub_mat.at(i) = mat.at(pos_offset + i).subvector(pos_offset, Classic_McEliece_Parameters::nu());
+   }
+
+   std::array<size_t, Classic_McEliece_Parameters::mu()> pivot_indices = {0};  // ctz_list
+
+   // Identify the pivot indices, i.e., the indices of the leading ones for all rows
+   // when transforming the matrix into semi-systematic form. This algorithm is a modified
+   // Gauss algorithm.
+   for(size_t row_idx = 0; row_idx < 32; ++row_idx) {
+      // Identify pivots (index of first 1) by OR-ing all subsequent rows into row_acc
+      auto row_acc = sub_mat.at(row_idx);
+      for(size_t next_row = row_idx + 1; next_row < 32; ++next_row) {
+         row_acc |= sub_mat.at(next_row);
+      }
+
+      if(row_acc.none()) {
+         // If the current row and all subsequent rows are zero
+         // we cannot create a semi-systematic matrix
+         return std::nullopt;
+      }
+
+      // Using the row accumulator we can predict the index of the pivot
+      // bit for the current row, i.e., the first index where we can set
+      // the bit to one row by adding any subsequent row
+      pivot_indices.at(row_idx) = count_lsb_zeros(row_acc);
+
+      // Add subsequent rows to the current row, until the pivot
+      // bit is set.
+      for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
+         sub_mat.at(row_idx).ct_conditional_xor(!sub_mat.at(row_idx).at(pivot_indices.at(row_idx)),
+                                                sub_mat.at(next_row));
+      }
+
+      // Add the (new) current row to all subsequent rows, where the leading
+      // bit of the current bit is one. Therefore, the column of the leading
+      // bit becomes zero.
+      // Note: In normal gauss, we would also add the current row to rows
+      //       above the current one. However, here we only need to identify
+      //       the columns to swap. Therefore, we can ignore the upper rows.
+      for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
+         sub_mat.at(next_row).ct_conditional_xor(sub_mat.at(next_row).at(pivot_indices.at(row_idx)),
+                                                 sub_mat.at(row_idx));
+      }
+   }
+
+   // Create pivot bitvector from the pivot index vector
+   Column_Selection pivots((secure_bitvector(Classic_McEliece_Parameters::nu())));
+   for(auto pivot_idx : pivot_indices) {
+      for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
+         auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
+         pivots.get().at(i) = mask_is_at_current_idx.select(1, pivots.get().at(i));
+      }
+   }
+
+   // Update matrix by swapping columns
+   for(size_t mat_row = 0; mat_row < params.pk_no_rows(); ++mat_row) {
+      for(size_t j = 0; j < Classic_McEliece_Parameters::mu(); ++j) {
+         // Swap bit j with bit pivot_indices[j]
+         size_t col_j = pos_offset + j;
+         size_t col_pivot_j = pos_offset + pivot_indices.at(j);
+         // TODO: uint8_t instead of bool (also in bitvector)
+         auto sum = mat.at(mat_row).at(col_j) ^ mat.at(mat_row).at(col_pivot_j);
+         mat.at(mat_row).at(col_j) = mat.at(mat_row).at(col_j) ^ sum;
+         mat.at(mat_row).at(col_pivot_j) = mat.at(mat_row).at(col_pivot_j) ^ sum;
+      }
+   }
+
+   return pivots;
+}
+
+std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& params,
+                                            std::vector<secure_bitvector>& mat) {
+   // Initialized for systematic form instances
+   // Is overridden for semi systematic instances
+   auto pivots = Column_Selection(secure_bitvector(std::vector<uint8_t>({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0}), 64));
+
+   // Gaussian Elimination
+   for(size_t diag_pos = 0; diag_pos < params.pk_no_rows(); ++diag_pos) {
+      if(params.is_f() && diag_pos == params.pk_no_rows() - params.mu()) {
+         auto ret_pivots = move_columns(mat, params);
+         if(!ret_pivots) {
+            return std::nullopt;
+         } else {
+            pivots = std::move(ret_pivots.value());
+         }
+      }
+
+      // Iterates over all rows k under r. If the bit at column
+      // word_bits*i+j differs between row r and k, row k is added to row r.
+      // This achieves that the respective bit at the diagonal becomes 1
+      // (if mat is systematic)
+      for(size_t next_row = diag_pos + 1; next_row < params.pk_no_rows(); ++next_row) {
+         mat.at(diag_pos).ct_conditional_xor(!mat.at(diag_pos).at(diag_pos), mat.at(next_row));
+      }
+
+      // If the current bit on the diagonal is not set at this point
+      // the matrix is not systematic. We abort the computation in this case.
+      if(!mat.at(diag_pos).at(diag_pos)) {
+         return std::nullopt;
+      }
+
+      // Now the new row is added to all other rows, where the
+      // bit in the column of the current postion on the diagonal
+      // is still one
+      for(size_t row = 0; row < params.pk_no_rows(); ++row) {
+         if(row != diag_pos) {
+            mat.at(row).ct_conditional_xor(mat.at(row).at(diag_pos), mat.at(diag_pos));
+         }
+      }
+   }
+
+   return pivots;
+}
+
+std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params,
+                                                  const std::vector<secure_bitvector>& mat) {
+   // Store T of the matrix (I_mt|T) as a linear vector to represent the
+   // public key as defined in McEliece ISO 9.2.7
+   std::vector<uint8_t> big_t(params.pk_size_bytes());
+   auto big_t_stuffer = BufferStuffer(big_t);
+
+   for(size_t row = 0; row < params.pk_no_rows(); ++row) {
+      auto pk_row_bits = mat.at(row).subvector(params.pk_no_rows());
+      auto row_bytes = pk_row_bits.to_bytes();
+
+      big_t_stuffer.append(row_bytes);
+   }
+
+   BOTAN_ASSERT_NOMSG(big_t_stuffer.full());
+
+   return big_t;
+}
+
+}  // namespace
+
+std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> Classic_McEliece_Matrix::create_matrix(
+   const Classic_McEliece_Parameters& params,
+   const Classic_McEliece_Field_Ordering& field_ordering,
+   const Classic_McEliece_Minimal_Polynomial& g) {
+   auto mat = init_matrix_with_alphas(params, field_ordering, g);
+   auto pivots = apply_gauss(params, mat);
+
+   if(!pivots) {
+      return std::nullopt;
+   }
+
+   auto pk_mat_bytes = extract_pk_bytes_from_matrix(params, mat);
+   return std::make_pair(Classic_McEliece_Matrix(params, std::move(pk_mat_bytes)), pivots.value());
+}
+
+std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>>
+Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_Parameters& params,
+                                                        Classic_McEliece_Field_Ordering& field_ordering,
+                                                        const Classic_McEliece_Minimal_Polynomial& g) {
+   auto pk_matrix_and_pivots = create_matrix(params, field_ordering, g);
+
+   if(!pk_matrix_and_pivots) {
+      return std::nullopt;
+   }
+
+   auto& [_, pivots] = pk_matrix_and_pivots.value();
+
+   if(params.is_f()) {
+      field_ordering.permute_with_pivots(params, pivots);
+   }
+
+   return pk_matrix_and_pivots;
+}
+
+bitvector Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const secure_bitvector& e) const {
+   auto s = e.subvector(0, params.pk_no_rows());
+   auto e_T = e.subvector(params.pk_no_rows());
+   auto pk_slicer = BufferSlicer(m_mat_bytes);
+
+   for(size_t i = 0; i < params.pk_no_rows(); ++i) {
+      auto pk_current_bytes = pk_slicer.take(params.pk_row_size_bytes());
+      auto row = secure_bitvector(pk_current_bytes, params.n() - params.pk_no_rows());
+      row &= e_T;
+      s.at(i) = s.at(i) ^ row.has_odd_hamming_weight();
+   }
+
+   BOTAN_ASSERT_NOMSG(pk_slicer.empty());
+   return s.as_unlocked();
+}
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.h b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
new file mode 100644
index 00000000000..efa15ad9915
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
@@ -0,0 +1,113 @@
+/*
+ * Classic McEliece Matrix Logic
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_MATRIX_H_
+#define BOTAN_CMCE_MATRIX_H_
+
+#include <botan/internal/bitvector.h>
+#include <botan/internal/cmce_field_ordering.h>
+#include <botan/internal/cmce_parameters.h>
+#include <botan/internal/cmce_poly.h>
+
+namespace Botan {
+
+/**
+ * @brief Representation of the binary Classic McEliece matrix H, with H = (I_mt | T).
+ *
+ * Only the bytes of the submatrix T are stored.
+ */
+class BOTAN_TEST_API Classic_McEliece_Matrix {
+   public:
+      /**
+       * @brief Create the matrix H for a Classic McEliece instance given its
+       * parameters, field ordering and minimal polynomial.
+       *
+       * Output is a pair of the matrix and the pivot vector c that was used to
+       * create it in the semi-systematic form as described in Classic McEliece ISO
+       * Section 9.2.11.
+       *
+       * The update of alpha values as per Classic McEliece ISO Section 7.2.3 Step 5
+       * is not performed by this method because it is only used for public key loading
+       * where the values are already permuted and field_ordering cannot be altered.
+       *
+       * @param params Classic McEliece parameters
+       * @param field_ordering Field ordering
+       * @param g Minimal polynomial
+       * @return Pair(the matrix H, pivot vector c)
+       */
+      static std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> create_matrix(
+         const Classic_McEliece_Parameters& params,
+         const Classic_McEliece_Field_Ordering& field_ordering,
+         const Classic_McEliece_Minimal_Polynomial& g);
+
+      /**
+       * @brief Create the matrix H for a Classic McEliece instance given its
+       * parameters, field ordering and minimal polynomial.
+       *
+       * Output is a pair of the matrix and the pivot vector c that was used to
+       * create it in the semi-systematic form as described in Classic McEliece ISO
+       * Section 9.2.11.
+       *
+       * This method directly updates the field ordering values as described in Classic McEliece
+       * ISO Section 7.2.3 Step 5 (for f parameter sets).
+       *
+       * @param params Classic McEliece parameters
+       * @param field_ordering Field ordering (will be updated)
+       * @param g Minimal polynomial
+       * @return Pair(the matrix H, pivot vector c)
+       */
+      static std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> create_matrix_and_apply_pivots(
+         const Classic_McEliece_Parameters& params,
+         Classic_McEliece_Field_Ordering& field_ordering,
+         const Classic_McEliece_Minimal_Polynomial& g);
+
+      /**
+       * @brief The bytes of the submatrix T, with H=(I_mt, T) as defined in Classic
+       * McEliece ISO Section 9.2.7.
+       *
+       * @return The matrix bytes
+       */
+      std::vector<uint8_t> bytes() const { return m_mat_bytes; }
+
+      /**
+       * @brief Create a Classic_McEliece_Matrix from bytes.
+       *
+       * @param mat_bytes The bytes of the submatrix T as defined in Classic McEliece ISO Section 9.2.7.
+       */
+      Classic_McEliece_Matrix(const Classic_McEliece_Parameters& params, std::vector<uint8_t> mat_bytes) :
+            m_mat_bytes(std::move(mat_bytes)) {
+         BOTAN_ARG_CHECK(m_mat_bytes.size() == params.pk_size_bytes(), "Invalid byte size for matrix");
+         if(params.pk_no_cols() % 8 == 0) {
+            return;
+         }
+         // Check padding of mat_bytes rows
+         BOTAN_ASSERT_NOMSG(m_mat_bytes.size() == params.pk_no_rows() * params.pk_row_size_bytes());
+         for(size_t row = 0; row < params.pk_no_rows(); ++row) {
+            uint8_t padded_byte = m_mat_bytes[(row + 1) * params.pk_row_size_bytes() - 1];
+            BOTAN_ARG_CHECK(padded_byte >> (params.pk_no_cols() % 8) == 0, "Valid padding of unused bytes");
+         }
+      }
+
+      /**
+       * @brief Multiply the Classic McEliece matrix H with a bitvector e.
+       *
+       * @param params Classic McEliece parameters
+       * @param e The bitvector e
+       * @return H*e
+       */
+      bitvector mul(const Classic_McEliece_Parameters& params, const secure_bitvector& e) const;
+
+   private:
+      /// The bytes of the submatrix T
+      const std::vector<uint8_t> m_mat_bytes;  // can we use bitvector?
+};
+
+}  // namespace Botan
+
+#endif  // BOTAN_CMCE_MATRIX_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
new file mode 100644
index 00000000000..cf407016b03
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
@@ -0,0 +1,132 @@
+/*
+ * Classic McEliece Parameters
+ * (C) 2024 Jack Lloyd
+ *     2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/cmce_parameter_set.h>
+
+namespace Botan {
+
+Classic_McEliece_Parameter_Set cmce_param_set_from_str(std::string_view param_name) {
+   if(param_name == "mceliece348864") {
+      return Classic_McEliece_Parameter_Set::mceliece348864;
+   }
+   if(param_name == "mceliece348864f") {
+      return Classic_McEliece_Parameter_Set::mceliece348864f;
+   }
+   if(param_name == "mceliece460896") {
+      return Classic_McEliece_Parameter_Set::mceliece460896;
+   }
+   if(param_name == "mceliece460896f") {
+      return Classic_McEliece_Parameter_Set::mceliece460896f;
+   }
+   if(param_name == "mceliece6688128") {
+      return Classic_McEliece_Parameter_Set::mceliece6688128;
+   }
+   if(param_name == "mceliece6688128f") {
+      return Classic_McEliece_Parameter_Set::mceliece6688128f;
+   }
+   if(param_name == "mceliece6688128pc") {
+      return Classic_McEliece_Parameter_Set::mceliece6688128pc;
+   }
+   if(param_name == "mceliece6688128pcf") {
+      return Classic_McEliece_Parameter_Set::mceliece6688128pcf;
+   }
+   if(param_name == "mceliece6960119") {
+      return Classic_McEliece_Parameter_Set::mceliece6960119;
+   }
+   if(param_name == "mceliece6960119f") {
+      return Classic_McEliece_Parameter_Set::mceliece6960119f;
+   }
+   if(param_name == "mceliece6960119pc") {
+      return Classic_McEliece_Parameter_Set::mceliece6960119pc;
+   }
+   if(param_name == "mceliece6960119pcf") {
+      return Classic_McEliece_Parameter_Set::mceliece6960119pcf;
+   }
+   if(param_name == "mceliece8192128") {
+      return Classic_McEliece_Parameter_Set::mceliece8192128;
+   }
+   if(param_name == "mceliece8192128f") {
+      return Classic_McEliece_Parameter_Set::mceliece8192128f;
+   }
+   if(param_name == "mceliece8192128pc") {
+      return Classic_McEliece_Parameter_Set::mceliece8192128pc;
+   }
+   if(param_name == "mceliece8192128pcf") {
+      return Classic_McEliece_Parameter_Set::mceliece8192128pcf;
+   }
+   // TODO: Remove on final PR
+   if(param_name == "test") {
+      return Classic_McEliece_Parameter_Set::test;
+   }
+   if(param_name == "testf") {
+      return Classic_McEliece_Parameter_Set::testf;
+   }
+   if(param_name == "testpc") {
+      return Classic_McEliece_Parameter_Set::testpc;
+   }
+   if(param_name == "testpcf") {
+      return Classic_McEliece_Parameter_Set::testpcf;
+   }
+
+   throw Decoding_Error("Cannot convert string to CMCE parameter set");
+}
+
+std::string cmce_str_from_param_set(Classic_McEliece_Parameter_Set param) {
+   switch(param) {
+      case Classic_McEliece_Parameter_Set::mceliece348864:
+         return "mceliece348864";
+      case Classic_McEliece_Parameter_Set::mceliece348864f:
+         return "mceliece348864f";
+      case Classic_McEliece_Parameter_Set::mceliece460896:
+         return "mceliece460896";
+      case Classic_McEliece_Parameter_Set::mceliece460896f:
+         return "mceliece460896f";
+      case Classic_McEliece_Parameter_Set::mceliece6688128:
+         return "mceliece6688128";
+      case Classic_McEliece_Parameter_Set::mceliece6688128f:
+         return "mceliece6688128f";
+      case Classic_McEliece_Parameter_Set::mceliece6688128pc:
+         return "mceliece6688128pc";
+      case Classic_McEliece_Parameter_Set::mceliece6688128pcf:
+         return "mceliece6688128pcf";
+      case Classic_McEliece_Parameter_Set::mceliece6960119:
+         return "mceliece6960119";
+      case Classic_McEliece_Parameter_Set::mceliece6960119f:
+         return "mceliece6960119f";
+      case Classic_McEliece_Parameter_Set::mceliece6960119pc:
+         return "mceliece6960119pc";
+      case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
+         return "mceliece6960119pcf";
+      case Classic_McEliece_Parameter_Set::mceliece8192128:
+         return "mceliece8192128";
+      case Classic_McEliece_Parameter_Set::mceliece8192128f:
+         return "mceliece8192128f";
+      case Classic_McEliece_Parameter_Set::mceliece8192128pc:
+         return "mceliece8192128pc";
+      case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
+         return "mceliece8192128pcf";
+      // TODO: Remove on final PR
+      case Classic_McEliece_Parameter_Set::test:
+         return "test";
+      case Classic_McEliece_Parameter_Set::testf:
+         return "testf";
+      case Classic_McEliece_Parameter_Set::testpc:
+         return "testpc";
+      case Classic_McEliece_Parameter_Set::testpcf:
+         return "testpcf";
+      default:
+         throw Decoding_Error("Parameter set not supported");
+   }
+   BOTAN_ASSERT_UNREACHABLE();
+}
+
+Classic_McEliece_Parameter_Set cmce_param_set_from_oid(const OID& oid) {
+   return cmce_param_set_from_str(oid.to_formatted_string());
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
new file mode 100644
index 00000000000..c680d918be3
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
@@ -0,0 +1,77 @@
+/*
+ * Classic McEliece Parameters
+ * (C) 2024 Jack Lloyd
+ *     2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_PARAMETER_SET_H_
+#define BOTAN_CMCE_PARAMETER_SET_H_
+
+#include <botan/oids.h>
+
+namespace Botan {
+
+/**
+ * All Classic McEliece parameter sets defined in the NIST Round 4
+ * submission and the Classic McEliece ISO Draft.
+ *
+ * Instances are defined in the following format:
+ * mceliece{n}{t}{[pc]}{[f]}
+ *
+ * Instance with 'pc' use plaintext confirmation as defined in the ISO Draft.
+ * Instance with 'f' use matrix reduction with the semi-systematic form.
+ */
+enum class Classic_McEliece_Parameter_Set {
+   mceliece348864,   // NIST
+   mceliece348864f,  // NIST
+
+   mceliece460896,   // NIST
+   mceliece460896f,  // NIST
+
+   mceliece6688128,     // ISO + NIST
+   mceliece6688128f,    // ISO + NIST
+   mceliece6688128pc,   // ISO
+   mceliece6688128pcf,  // ISO
+
+   mceliece6960119,     // ISO + NIST
+   mceliece6960119f,    // ISO + NIST
+   mceliece6960119pc,   // ISO
+   mceliece6960119pcf,  // ISO
+
+   mceliece8192128,     // ISO + NIST
+   mceliece8192128f,    // ISO + NIST
+   mceliece8192128pc,   // ISO
+   mceliece8192128pcf,  // ISO
+
+   /// Reduced instances for side channel analysis (Self-created test instance with
+   /// m=8, n=128, t=8, f(z)=z^8+z^7+z^2+z+1, F(y)=y^8+y^4+y^3+y^2+1)
+   /// Minimal instance without semi-systematic matrix creation and no plaintext confirmation
+   test,
+   /// Minimal instance with semi-systematic matrix creation and no plaintext confirmation
+   testf,
+   /// Minimal instance without semi-systematic matrix creation and with plaintext confirmation
+   testpc,
+   /// Minimal instance with semi-systematic matrix creation and with plaintext confirmation
+   testpcf
+};
+
+/**
+ * @brief Get the parameter set for a given parameter set name.
+ */
+BOTAN_TEST_API Classic_McEliece_Parameter_Set cmce_param_set_from_str(std::string_view param_name);
+
+/**
+ * @brief Get the parameter set name for a given parameter set.
+ */
+BOTAN_TEST_API std::string cmce_str_from_param_set(Classic_McEliece_Parameter_Set param);
+
+/**
+ * @brief Get the parameter set for a given OID.
+ */
+BOTAN_TEST_API Classic_McEliece_Parameter_Set cmce_param_set_from_oid(const OID& oid);
+
+}  // namespace Botan
+
+#endif  //  BOTAN_CMCE_PARAMETER_SET_H_
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
new file mode 100644
index 00000000000..7c35f7bd512
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
@@ -0,0 +1,149 @@
+/*
+ * Classic McEliece Parameters
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/internal/cmce_parameters.h>
+#include <botan/internal/cmce_poly.h>
+
+namespace Botan {
+
+namespace {
+
+std::vector<Classic_McEliece_Polynomial_Ring::Big_F_Coefficient> determine_big_f_coef(size_t t, GF_Mod modulus) {
+   std::vector<Classic_McEliece_Polynomial_Ring::Big_F_Coefficient> big_f_coef;
+   switch(t) {
+      // TODO: Remove test instance on final PR
+      case 8:  //y^8 + y^4 + y^3 + y^2 + 1 (test instances)
+         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({2, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({3, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({4, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         break;
+      case 64:  //y^64 + y^3 + y + z
+         big_f_coef.push_back({3, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({1, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(2), modulus)});
+         break;
+      case 96:  //y^96 + y^10 + y^9 + y^6 + 1
+         big_f_coef.push_back({10, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({9, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({6, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         break;
+      case 119:  //y^119 + y^8 + 1
+         big_f_coef.push_back({8, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         break;
+      case 128:  // y^128 + y^7 + y^2 + y + 1
+         big_f_coef.push_back({7, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({2, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({1, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
+         break;
+      default:
+         throw Decoding_Error("No instance with this t value is supported");
+   }
+
+   return big_f_coef;
+}
+}  //namespace
+
+Classic_McEliece_Parameters Classic_McEliece_Parameters::create(Classic_McEliece_Parameter_Set set) {
+   switch(set) {
+      case Classic_McEliece_Parameter_Set::mceliece348864:
+      case Classic_McEliece_Parameter_Set::mceliece348864f:
+         return Classic_McEliece_Parameters(set, 12, 3488, 64, GF_Mod(0b0001000000001001));
+
+      case Classic_McEliece_Parameter_Set::mceliece460896:
+      case Classic_McEliece_Parameter_Set::mceliece460896f:
+         return Classic_McEliece_Parameters(set, 13, 4608, 96, GF_Mod(0b0010000000011011));
+
+      case Classic_McEliece_Parameter_Set::mceliece6688128:
+      case Classic_McEliece_Parameter_Set::mceliece6688128f:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pc:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pcf:
+         return Classic_McEliece_Parameters(set, 13, 6688, 128, GF_Mod(0b0010000000011011));
+
+      case Classic_McEliece_Parameter_Set::mceliece6960119:
+      case Classic_McEliece_Parameter_Set::mceliece6960119f:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pc:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
+         return Classic_McEliece_Parameters(set, 13, 6960, 119, GF_Mod(0b0010000000011011));
+
+      case Classic_McEliece_Parameter_Set::mceliece8192128:
+      case Classic_McEliece_Parameter_Set::mceliece8192128f:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pc:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
+         return Classic_McEliece_Parameters(set, 13, 8192, 128, GF_Mod(0b0010000000011011));
+
+      // TODO: Remove on final PR
+      case Botan::Classic_McEliece_Parameter_Set::test:
+      case Botan::Classic_McEliece_Parameter_Set::testf:
+      case Botan::Classic_McEliece_Parameter_Set::testpc:
+      case Botan::Classic_McEliece_Parameter_Set::testpcf:
+         return Classic_McEliece_Parameters(set, 8, 128, 8, GF_Mod(0b0000000110000111));
+   }
+
+   BOTAN_ASSERT_UNREACHABLE();
+}
+
+Classic_McEliece_Parameters Classic_McEliece_Parameters::create(std::string_view name) {
+   return Classic_McEliece_Parameters::create(cmce_param_set_from_str(name));
+}
+
+Classic_McEliece_Parameters Classic_McEliece_Parameters::create(const OID& oid) {
+   auto param_set = cmce_param_set_from_oid(oid);
+   return create(param_set);
+}
+
+OID Classic_McEliece_Parameters::object_identifier() const {
+   return OID::from_string(cmce_str_from_param_set(m_set));
+}
+
+Classic_McEliece_Parameters::Classic_McEliece_Parameters(
+   Classic_McEliece_Parameter_Set param_set, size_t m, size_t n, size_t t, GF_Mod poly_f) :
+      m_set(param_set),
+      m_m(m),
+      m_n(n),
+      m_t(t),
+      m_poly_f(poly_f),
+      m_poly_ring(determine_big_f_coef(t, poly_f), poly_f, t) {
+   BOTAN_ASSERT(n % 8 == 0, "We require that n is a multiple of 8");
+}
+
+size_t Classic_McEliece_Parameters::estimated_strength() const {
+   // Classic McEliece NIST Round 4 submission, Guide for security reviewers, Table 1:
+   // For each instance, the minimal strength against the best attack (with free memory access)
+   // is used as the overall security strength estimate. The strength is capped at 256, since the
+   // seed is only 256 bits long.
+   switch(n()) {
+      case 3488:
+         return 140;
+      case 4608:
+         return 179;
+      case 6688:
+         return 246;
+      case 6960:
+         return 245;
+      case 8192:
+         return 256;  // 275 in the document. Capped at 256 because of the seed length.
+      default:
+         throw Decoding_Error("Strength for parameter set ist not registed.");
+   }
+}
+
+std::unique_ptr<XOF> Classic_McEliece_Parameters::prg(std::span<const uint8_t> seed) const {
+   BOTAN_ASSERT_EQUAL(seed.size(), 32, "Valid seed length");
+   auto xof = XOF::create_or_throw("SHAKE-256");
+
+   xof->update(std::array<uint8_t, 1>({64}));
+   xof->update(seed);
+
+   return xof;
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.h b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
new file mode 100644
index 00000000000..138cb29eb5e
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
@@ -0,0 +1,293 @@
+/*
+ * Classic McEliece Parameters
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_PARAMS_H_
+#define BOTAN_CMCE_PARAMS_H_
+
+#include <botan/cmce_parameter_set.h>
+#include <botan/hash.h>
+#include <botan/oids.h>
+#include <botan/xof.h>
+#include <botan/internal/bitvector.h>
+#include <botan/internal/cmce_gf.h>
+#include <botan/internal/cmce_poly.h>
+
+#include <string_view>
+
+namespace Botan {
+
+struct Classic_McEliece_Big_F_Coefficient;
+class Classic_McEliece_Polynomial_Ring;
+
+/**
+ * @returns ceil(n/d)
+ * TODO: Remove once LMS is merged
+ */
+constexpr size_t ceil_div(size_t n, size_t d) {
+   return (n + d - 1) / d;
+}
+
+/**
+ * Container for all Classic McEliece parameters.
+ */
+class BOTAN_TEST_API Classic_McEliece_Parameters final {
+   public:
+      /**
+       * @brief Create Classic McEliece parameters from a parameter set.
+       */
+      static Classic_McEliece_Parameters create(Classic_McEliece_Parameter_Set set);
+
+      /**
+       * @brief Create Classic McEliece parameters from a parameter set name.
+       */
+      static Classic_McEliece_Parameters create(std::string_view name);
+
+      /**
+       * @brief Create Classic McEliece parameters from an OID.
+       */
+      static Classic_McEliece_Parameters create(const OID& oid);
+
+      /**
+       * @brief The parameter set for this Classic McEliece instance.
+       */
+      Classic_McEliece_Parameter_Set set() const { return m_set; }
+
+      /**
+       * @brief The OID for the Classic McEliece instance.
+       */
+      OID object_identifier() const;
+
+      /**
+       * @returns true iff the instance is a plaintext confirmation (PC) instance.
+       */
+      bool is_pc() const {
+         return (m_set == Classic_McEliece_Parameter_Set::mceliece6688128pc) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6688128pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pc) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pc) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::testpc);
+      }
+
+      /**
+       * @returns true iff the instance is a fast (F) instance, i.e. if the semi-systematic
+       * matrix creation is used.
+       */
+      bool is_f() const {
+         return (m_set == Classic_McEliece_Parameter_Set::mceliece348864f) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece460896f) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6688128f) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6688128pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6960119f) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128f) ||
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf) ||
+                (m_set == Classic_McEliece_Parameter_Set::testf);
+      }
+
+      /**
+       * @brief The degree of the Classic McEliece instance's underlying Galois Field, i.e. GF(q) = GF(2^m).
+       */
+      size_t m() const { return m_m; }
+
+      /**
+       * @brief The field size of the Classic McEliece instance's underlying Galois Field, i.e.
+       * GF(q) is the underlying field.
+       */
+      size_t q() const { return (size_t(1) << m_m); }
+
+      /**
+       * @brief The code length of the Classic McEliece instance.
+       *
+       * E.g. the Classic McEliece matrix H is of size m*t x n,
+       * the encoded error vector is, therefore, of size n.
+       */
+      size_t n() const { return m_n; }
+
+      /**
+       * @brief The weight of the error vector e.
+       */
+      size_t t() const { return m_t; }
+
+      /**
+       * @brief Bit output length of the hash function H.
+       */
+      static constexpr size_t ell() { return 256; }
+
+      /**
+       * @brief The number of bits each GF element is encoded with.
+       */
+      static constexpr size_t sigma1() { return 16; }
+
+      /**
+       * @brief Constant for field-ordering generation. (see Classic McEliece ISO 8.2)
+       */
+      static constexpr size_t sigma2() { return 32; }
+
+      /**
+       * @brief Constant mu for semi-systematic matrix creation. (see Classic McEliece ISO 7.2.3)
+       */
+      static constexpr size_t mu() { return 32; }
+
+      /**
+       * @brief Constant nu for semi-systematic matrix creation. (see Classic McEliece ISO 7.2.3)
+       */
+      static constexpr size_t nu() { return 64; }
+
+      /**
+       * @brief Constant tau for fixed-weight vector generation. (see Classic McEliece ISO 8.4)
+       */
+      size_t tau() const {
+         // Section 8.4 of ISO:
+         // The integer tau is defined as t if n=q; as 2t if q/2<=n<q; as 4t if q/4<=n<q/2; etc
+         size_t tau_fact = size_t(1) << (m() - floor_log2(n()));
+         return tau_fact * t();
+      }
+
+      /**
+       * @brief The monic irreducible polynomial f(z) of degree m over GF(2). Used for modular
+       * reduction in GF(2^m).
+       */
+      GF_Mod poly_f() const { return m_poly_f; }
+
+      /**
+       * @brief The estimated bit security strength of the Classic McEliece instance.
+       *
+       * Reference: Classic McEliece NIST Round 4 submission, Guide for security reviewers
+       */
+      size_t estimated_strength() const;
+
+      /**
+       * @brief The byte length of the seed delta. See ISO 9.2.12.
+       */
+      static constexpr size_t seed_len() { return ell() / 8; }
+
+      /**
+       * @brief The byte length of the column selection c. See ISO 9.2.12.
+       */
+      static constexpr size_t sk_c_bytes() { return 8; }
+
+      /**
+       * @brief The length of the byte representation of the minimal polynomial g. See ISO 9.2.12.
+       */
+      size_t sk_poly_g_bytes() const { return t() * sizeof(uint16_t); }
+
+      /**
+       * @brief The length of the byte representation of the field ordering's control bits. See ISO 9.2.12.
+       */
+      size_t sk_alpha_control_bytes() const { return (2 * m() - 1) * (size_t(1) << (m() - 4)); }
+
+      /**
+       * @brief The byte length of the seed s. s is used for implicit rejection. See ISO 9.2.12.
+       */
+      size_t sk_s_bytes() const { return n() / 8; }
+
+      /**
+       * @brief The byte length of the secret key sk. See ISO 9.2.12.
+       */
+      size_t sk_size_bytes() const {
+         // ISO 9.2.12: sk = (delta, c, g, alpha(control bits), s)
+         return seed_len() + sk_c_bytes() + sk_poly_g_bytes() + sk_alpha_control_bytes() + sk_s_bytes();
+      }
+
+      /**
+       * @brief The number of rows in the public key's matrix.
+       */
+      size_t pk_no_rows() const { return t() * m(); }
+
+      /**
+       * @brief The number of columns in the public key's matrix.
+       *
+       * Note that this is only the column number of the submatrix T (with H = (I_mt | T)),
+       * which is stored in the public key. The column number of the whole matrix H is n.
+       * This constant is also denoted as k in the spec.
+       */
+      size_t pk_no_cols() const { return n() - pk_no_rows(); }
+
+      /**
+       * @brief The number of bytes for each row in the public key's matrix.
+       */
+      size_t pk_row_size_bytes() const { return (pk_no_cols() + 7) / 8; }
+
+      /**
+       * @brief The number of bytes for the public key.
+       *
+       * Equal to the byte size of the CMCE matrix.
+       */
+      size_t pk_size_bytes() const { return pk_no_rows() * pk_row_size_bytes(); }
+
+      /**
+       * @brief The output byte size of the encoding algorithm. See ISO 7.3
+       */
+      size_t encode_out_size() const { return ceil_div(m() * t(), 8); }
+
+      /**
+       * @brief The byte size of the hash output.
+       *
+       * This is also the size of the shared key K that is a hash output.
+       */
+      static constexpr size_t hash_out_bytes() { return ell() / 8; }
+
+      /**
+       * @brief The byte size of the ciphertext.
+       */
+      size_t ciphertext_size() const {
+         if(is_pc()) {
+            // C_0 + C_1
+            return encode_out_size() + hash_out_bytes();
+         } else {
+            return encode_out_size();
+         }
+      }
+
+      /**
+       * @brief The underlying polynomial ring.
+       */
+      const Classic_McEliece_Polynomial_Ring& poly_ring() const { return m_poly_ring; }
+
+      /**
+       * @brief Create a seeded XOF object representing Classic McEliece's PRG.
+       * See Classic McEliece ISO 9.1.
+       *
+       * @param seed The seed used for the XOF.
+       */
+      std::unique_ptr<XOF> prg(std::span<const uint8_t> seed) const;
+
+      /**
+       * @brief Create an instance of the hash function Hash(x) used in Classic McEliece's
+       * Decaps and Encaps algorithms.
+       *
+       * @return a new instance of the hash function.
+       */
+      std::unique_ptr<HashFunction> hash_func() const { return HashFunction::create_or_throw("SHAKE-256(256)"); }
+
+      /**
+       * @brief Create a GF(q) element using the modulus for the current instance.
+       *
+       * @param elem The GF(q) element value.
+       * @return The GF(q) element.
+       */
+      Classic_McEliece_GF gf(GF_Elem elem) const { return Classic_McEliece_GF(elem, m_poly_f); }
+
+   private:
+      Classic_McEliece_Parameters(
+         Classic_McEliece_Parameter_Set param_set, size_t m, size_t n, size_t t, GF_Mod poly_f);
+
+      Classic_McEliece_Parameter_Set m_set;
+
+      size_t m_m;
+      size_t m_n;
+      size_t m_t;
+      GF_Mod m_poly_f;
+      Classic_McEliece_Polynomial_Ring m_poly_ring;
+};
+
+}  // namespace Botan
+
+#endif
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
new file mode 100644
index 00000000000..9f5807edb91
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
@@ -0,0 +1,175 @@
+/*
+ * Classic McEliece Polynomials
+ * Based on the public domain reference implementation by the designers
+ * (https://classic.mceliece.org/impl.html - released in Oct 2022 for NISTPQC-R4)
+ *
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#include <botan/internal/cmce_poly.h>
+#include <botan/internal/ct_utils.h>
+#include <botan/internal/stl_util.h>
+
+namespace Botan {
+
+namespace {
+
+/**
+ * @brief loads @p bytes into a GF_Elem vector in Little Endian.
+ *
+ * Replaces load_le<GF_Elem> as it cannot be compiled on Big Endian architectures
+ *
+ * @param bytes input bytes
+ * @return The vector of GF_Elem elements
+ */
+std::vector<GF_Elem> load_le_gf_vec(std::span<const uint8_t> bytes) {
+   std::vector<GF_Elem> result;
+   BufferSlicer bs(bytes);
+   result.reserve(bytes.size() / sizeof(GF_Elem));
+   for(size_t i = 0; i < bytes.size() / sizeof(GF_Elem); ++i) {
+      result.emplace_back(load_le<uint16_t>(bs.take<sizeof(GF_Elem)>()));
+   }
+   return result;
+}
+
+}  // namespace
+
+Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF a) const {
+   BOTAN_ASSERT(a.modulus() == coef_at(0).modulus(), "Unmatching Galois fields");
+
+   Classic_McEliece_GF r(GF_Elem(0), a.modulus());
+   for(auto it = m_coef.rbegin(); it != m_coef.rend(); ++it) {
+      r *= a;
+      r += *it;
+   }
+
+   return r;
+}
+
+Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::multiply(const Classic_McEliece_Polynomial& a,
+                                                                       const Classic_McEliece_Polynomial& b) const {
+   std::vector<Classic_McEliece_GF> prod(m_t * 2 - 1, {GF_Elem(0), m_poly_f});
+
+   for(size_t i = 0; i < m_t; ++i) {
+      for(size_t j = 0; j < m_t; ++j) {
+         prod.at(i + j) += (a.coef_at(i) * b.coef_at(j));
+      }
+   }
+
+   for(size_t i = (m_t - 1) * 2; i >= m_t; --i) {
+      for(auto& [idx, coef] : m_position_map) {
+         prod.at(i - m_t + idx) += coef * prod.at(i);
+      }
+   }
+
+   prod.erase(prod.begin() + m_t, prod.end());
+
+   return Classic_McEliece_Polynomial(prod);
+}
+
+Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_bytes(
+   std::span<const uint8_t> bytes) const {
+   BOTAN_ARG_CHECK(bytes.size() == m_t * 2, "Correct input size");
+   auto coef = load_le_gf_vec(bytes);
+   return create_element_from_coef(coef);
+}
+
+Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_coef(
+   const std::vector<GF_Elem>& coeff_vec) const {
+   std::vector<Classic_McEliece_GF> coeff_vec_gf;
+   std::transform(coeff_vec.begin(), coeff_vec.end(), std::back_inserter(coeff_vec_gf), [this](auto& coeff) {
+      return Classic_McEliece_GF(coeff, m_poly_f);
+   });
+   return Classic_McEliece_Polynomial(coeff_vec_gf);
+}
+
+bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs,
+                const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& rhs) {
+   return lhs.coeff == rhs.coeff && lhs.idx == rhs.idx;
+}
+
+std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(
+   std::span<const uint8_t> seed) const {
+   auto polynomial = create_element_from_bytes(seed);
+   std::vector<Classic_McEliece_Polynomial> mat;
+
+   mat.push_back(create_element_from_coef(concat_as<std::vector<GF_Elem>>(
+      std::vector<GF_Elem>{GF_Elem(1)}, std::vector<GF_Elem>(degree() - 1, GF_Elem(0)))));
+
+   mat.emplace_back(polynomial);
+
+   for(size_t j = 2; j <= degree(); ++j) {
+      mat.push_back(multiply(mat.at(j - 1), polynomial));
+   }
+
+   // Gaussian
+   for(size_t j = 0; j < degree(); ++j) {
+      for(size_t k = j + 1; k < degree(); ++k) {
+         auto cond = GF_Mask::is_zero(mat.at(j).coef_at(j));
+
+         for(size_t c = j; c < degree() + 1; ++c) {
+            mat.at(c).coef_at(j) += cond.if_set_return(mat.at(c).coef_at(k));
+         }
+      }
+
+      if(mat.at(j).coef_at(j).is_zero()) {
+         // Fail if not systematic.
+         return std::nullopt;
+      }
+
+      auto inv = mat.at(j).coef_at(j).inv();
+
+      for(size_t c = j; c < degree() + 1; ++c) {
+         mat.at(c).coef_at(j) *= inv;
+      }
+
+      for(size_t k = 0; k < degree(); ++k) {
+         if(k != j) {
+            auto t = mat.at(j).coef_at(k);
+
+            for(size_t c = j; c < degree() + 1; ++c) {
+               mat.at(c).coef_at(k) += mat.at(c).coef_at(j) * t;
+            }
+         }
+      }
+   }
+
+   auto minimal_poly_coeffs = mat.at(degree()).coef();
+   // Add coefficient 1 since polynomial is monic
+   minimal_poly_coeffs.emplace_back(GF_Elem(1), poly_f());
+
+   return Classic_McEliece_Minimal_Polynomial(std::move(minimal_poly_coeffs));
+}
+
+secure_vector<uint8_t> Classic_McEliece_Minimal_Polynomial::serialize() const {
+   BOTAN_ASSERT_NOMSG(!coef().empty());
+   auto& all_coeffs = coef();
+   // Store all except coef for monomial x^t since polynomial is monic (ISO Spec Section 9.2.9)
+   auto coeffs_to_store = std::span(all_coeffs).subspan(0, all_coeffs.size() - 1);
+   secure_vector<uint8_t> bytes(sizeof(uint16_t) * coeffs_to_store.size());
+   BufferStuffer bytes_stuf(bytes);
+   for(auto& coef : coeffs_to_store) {
+      store_le(coef.elem().get(), bytes_stuf.next(sizeof(GF_Elem)).data());
+   }
+   BOTAN_ASSERT_NOMSG(bytes_stuf.full());
+   return bytes;
+}
+
+Classic_McEliece_Minimal_Polynomial Classic_McEliece_Minimal_Polynomial::from_bytes(std::span<const uint8_t> bytes,
+                                                                                    GF_Mod poly_f) {
+   BOTAN_ASSERT_NOMSG(bytes.size() % 2 == 0);
+   auto coef_vec = load_le_gf_vec(bytes);
+   std::vector<Classic_McEliece_GF> coeff_vec_gf;
+   std::transform(coef_vec.begin(), coef_vec.end(), std::back_inserter(coeff_vec_gf), [poly_f](auto& coeff) {
+      return Classic_McEliece_GF(coeff, poly_f);
+   });
+
+   coeff_vec_gf.emplace_back(GF_Elem(1), poly_f);  // x^t as polynomial is monic
+
+   return Classic_McEliece_Minimal_Polynomial(coeff_vec_gf);
+}
+
+}  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.h b/src/lib/pubkey/classic_mceliece/cmce_poly.h
new file mode 100644
index 00000000000..4645263aedb
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.h
@@ -0,0 +1,174 @@
+/*
+ * Classic McEliece Polynomials
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_POLY_H_
+#define BOTAN_CMCE_POLY_H_
+
+#include <botan/secmem.h>
+#include <botan/internal/cmce_gf.h>
+#include <botan/internal/loadstor.h>
+
+#include <optional>
+
+namespace Botan {
+
+/**
+ * @brief Representation of a Classic McEliece polynomial.
+ *
+ * This class represents a polynomial in the ring GF(q)[y]. E.g an example element of degree 2 could be:
+ * a = (z^3+1)y^2 + (z)y + (z^4+z^3)
+ * The degree of the polynomial is given by the size of the coefficient vector given to
+ * the constructor, even if the leading coefficient is zero. Coefficients are stored from
+ * lowest to highest monomial degree (coef_at(0) = (z^4+z^3) in the example above).
+ *
+ * This class is merely a container. The modulus and the operations with Polynomials (e.g. multiplication)
+ * is handled by the Classic_McEliece_Polynomial_Ring class.
+ */
+class BOTAN_TEST_API Classic_McEliece_Polynomial {
+   public:
+      /**
+       * @brief Construct a polynomial given its coefficients.
+       *
+       * @param coef The coefficients of the polynomial. The first element is the coefficient of the lowest monomial.
+       */
+      Classic_McEliece_Polynomial(std::vector<Classic_McEliece_GF> coef) : m_coef(std::move(coef)) {}
+
+      /**
+       * @brief Evaluate the polynomial P(x) at a given point a, i.e., compute P(a).
+       */
+      Classic_McEliece_GF operator()(Classic_McEliece_GF a) const;
+
+      /**
+       * @brief Get the coefficient of the i-th monomial as a reference (from low to high degree).
+       */
+      Classic_McEliece_GF& coef_at(size_t i) { return m_coef.at(i); }
+
+      /**
+       * @brief Get the coefficient of the i-th monomial (from low to high degree).
+       */
+      const Classic_McEliece_GF& coef_at(size_t i) const { return m_coef.at(i); }
+
+      /**
+       * @brief Get the entire coefficients vector of the polynomial.
+       */
+      const std::vector<Classic_McEliece_GF>& coef() const { return m_coef; }
+
+      /**
+       * @brief Get the degree of the polynomial.
+       *
+       * Note that the degree is given by the size of the coefficient vector, even if the leading coefficient is zero.
+       */
+      size_t degree() const { return m_coef.size() + 1; }
+
+   private:
+      std::vector<Classic_McEliece_GF> m_coef;
+};
+
+/**
+ * @brief Representation of a minimal polynomial in GF(q)[y].
+ *
+ * It represents the monic irreducible degree-t polynomial of the goppa code.
+ */
+class BOTAN_TEST_API Classic_McEliece_Minimal_Polynomial : public Classic_McEliece_Polynomial {
+   public:
+      Classic_McEliece_Minimal_Polynomial(std::vector<Classic_McEliece_GF> coef) :
+            Classic_McEliece_Polynomial(std::move(coef)) {}
+
+      /**
+       * @brief Serialize the polynomial to bytes according to ISO Section 9.2.9.
+       */
+      secure_vector<uint8_t> serialize() const;
+
+      /**
+       * @brief Create a polynomial from bytes according to ISO Section 9.2.9.
+       */
+      static Classic_McEliece_Minimal_Polynomial from_bytes(std::span<const uint8_t> bytes, GF_Mod poly_f);
+};
+
+// Stores all auxiliary information and logic of FF_(q^t) via FF_q[y]/F(y)
+/**
+ * @brief Represents the polynomial ring GF(q)[y]/F(y) where F(y) is the modulus polynomial in
+ * GF(q)[y] of degree t.
+ *
+ * This class contains a modulus polynomial F(y) and the GF(q) modulus f(z). It is used
+ * to create and operate with Classic_McEliece_Polynomials.
+ *
+ */
+class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
+   public:
+      /**
+       * @brief Represents a non-zero coefficient of the modulus F(y) (which is in GF(q)[y]).
+       *
+       * E.g. {.idx = 4, .coeff = (z+1)} represents the monomial (z+1)y^4.
+       */
+      struct BOTAN_TEST_API Big_F_Coefficient {
+            size_t idx;
+            Classic_McEliece_GF coeff;
+      };
+
+      /**
+       * @brief Construct a polynomial ring GF(q)[y]/F(y) by defining the polynomial modulus F(y),
+       * the GF(q) modulus f(z) and the degree of F(y).
+       *
+       * F(y) is given by a vector of Big_F_Coefficients, where each one represents a monomial of F(y).
+       * However, the highest monomial must not be specified, since it is always 1.
+       *
+       * @param poly_big_f_coef The non-zero coefficients of F(y) in GF(q)[y] WITHOUT the highest monomial.
+       * @param poly_f The modulus f(z) of GF(q).
+       * @param t The polynomial degree of the ring (and of F(y)).
+       */
+      Classic_McEliece_Polynomial_Ring(const std::vector<Big_F_Coefficient>& poly_big_f_coef, GF_Mod poly_f, size_t t) :
+            m_position_map(poly_big_f_coef), m_t(t), m_poly_f(poly_f) {}
+
+      GF_Mod poly_f() const { return m_poly_f; }
+
+      /**
+       * @brief The degree of polynomials in this ring (and of F(y)).
+       */
+      size_t degree() const { return m_t; }
+
+      /**
+       * @returns a*b over GF(q)[y]/F(y).
+       */
+      Classic_McEliece_Polynomial multiply(const Classic_McEliece_Polynomial& a,
+                                           const Classic_McEliece_Polynomial& b) const;
+
+      /**
+       * @brief Compute the minimal polynomial g of polynomial created from a @p seed.
+       *
+       * @param seed over the ring GF(q)[y] according to ISO Section 8.1 Step 3.
+       *
+       * @return g or std::nullopt if g has not full degree.
+       */
+      std::optional<Classic_McEliece_Minimal_Polynomial> compute_minimal_polynomial(
+         std::span<const uint8_t> seed) const;
+
+   private:
+      // Creates a ring element from a coefficient vector
+      Classic_McEliece_Polynomial create_element_from_coef(const std::vector<GF_Elem>& coeff_vec) const;
+
+      /**
+       * @brief Create a polynomial from bytes according to ISO Section 8.1 step 1 and 2.
+       */
+      Classic_McEliece_Polynomial create_element_from_bytes(std::span<const uint8_t> bytes) const;
+
+      /// Represents F(y) by storing the non-zero terms
+      std::vector<Big_F_Coefficient> m_position_map;
+
+      /// t in spec, i.e., degree of F(y)
+      size_t m_t;
+
+      // f(z) in spec
+      GF_Mod m_poly_f;
+};
+
+bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs,
+                const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& rhs);
+
+}  // namespace Botan
+#endif
diff --git a/src/lib/pubkey/classic_mceliece/cmce_types.h b/src/lib/pubkey/classic_mceliece/cmce_types.h
new file mode 100644
index 00000000000..6813a20f2c2
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/cmce_types.h
@@ -0,0 +1,43 @@
+/*
+ * Classic McEliece Types
+ * (C) 2023 Jack Lloyd
+ *     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+ *
+ * Botan is released under the Simplified BSD License (see license.txt)
+ **/
+
+#ifndef BOTAN_CMCE_TYPES_H_
+#define BOTAN_CMCE_TYPES_H_
+
+#include <botan/secmem.h>
+#include <botan/strong_type.h>
+#include <botan/internal/bitvector.h>
+
+namespace Botan {
+
+/// Represents a GF(q) element
+using GF_Elem = Strong<uint16_t, struct GF_Elem_>;
+
+/// Represents a GF(q) modulus
+using GF_Mod = Strong<uint16_t, struct GF_Mod_>;
+
+/// Represents an element of a permuation (pi in spec). Used in field ordering creation.
+using Permutation_Element = Strong<uint16_t, struct GF_Elem_>;
+
+/// Represents a permutation (pi in spec). Used in field ordering creation.
+using Permutation = Strong<secure_vector<uint16_t>, struct GF_Elem_>;
+
+/// Represents initial delta of keygen
+using Initial_Seed = Strong<secure_vector<uint8_t>, struct Initial_Seed_>;
+
+/// Represents a delta (can be altered; final value stored in private key)
+using Key_Gen_Seed = Strong<secure_vector<uint8_t>, struct Key_Gen_Seed_>;
+
+/// Represents c of private key
+using Column_Selection = Strong<secure_bitvector, struct Column_Selection_>;
+
+/// Represents s of private key
+using Rejection_Seed = Strong<secure_vector<uint8_t>, struct Rejection_Seed_>;
+
+}  // namespace Botan
+#endif  // BOTAN_CMCE_TYPES_H_
diff --git a/src/lib/pubkey/classic_mceliece/info.txt b/src/lib/pubkey/classic_mceliece/info.txt
new file mode 100644
index 00000000000..c537b5e628b
--- /dev/null
+++ b/src/lib/pubkey/classic_mceliece/info.txt
@@ -0,0 +1,31 @@
+<defines>
+CLASSICMCELIECE -> 20231023
+</defines>
+
+<module_info>
+name -> "Classic McEliece"
+</module_info>
+
+<requires>
+xof
+shake
+shake_xof
+</requires>
+
+<header:internal>
+cmce_parameters.h
+cmce_poly.h
+cmce_matrix.h
+cmce_gf.h
+cmce_field_ordering.h
+cmce_encaps.h
+cmce_decaps.h
+cmce_keys_internal.h
+cmce_types.h
+</header:internal>
+
+<header:public>
+cmce.h
+cmce_parameter_set.h
+</header:public>
+
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 4f62db6150d..1c549212e20 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -14,6 +14,10 @@
    #include <botan/rsa.h>
 #endif
 
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+   #include <botan/cmce.h>
+#endif
+
 #if defined(BOTAN_HAS_DSA)
    #include <botan/dsa.h>
 #endif
@@ -206,6 +210,12 @@ std::unique_ptr<Public_Key> load_public_key(const AlgorithmIdentifier& alg_id,
    }
 #endif
 
+#if defined(BOTAN_HAS_CLASSICMCELIECE) || defined(BOTAN_HAS_CLASSICMCELIECE)
+   if(alg_name.starts_with("mceliece")) {
+      return std::make_unique<Classic_McEliece_PublicKey>(alg_id, key_bits);
+   }
+#endif
+
    throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
 }
 
@@ -323,6 +333,12 @@ std::unique_ptr<Private_Key> load_private_key(const AlgorithmIdentifier& alg_id,
    }
 #endif
 
+#if defined(BOTAN_HAS_CLASSICMCELIECE) || defined(BOTAN_HAS_CLASSICMCELIECE)
+   if(alg_name.starts_with("mceliece")) {
+      return std::make_unique<Classic_McEliece_PrivateKey>(alg_id, key_bits);
+   }
+#endif
+
    throw Decoding_Error(fmt("Unknown or unavailable public key algorithm '{}'", alg_name));
 }
 
@@ -413,6 +429,13 @@ std::unique_ptr<Private_Key> create_private_key(std::string_view alg_name,
       return std::make_unique<McEliece_PrivateKey>(rng, n, t);
    }
 #endif
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+   if(alg_name == "ClassicMcEliece") {
+      auto cmce_params_set = cmce_param_set_from_str(params);
+
+      return std::make_unique<Classic_McEliece_PrivateKey>(rng, cmce_params_set);
+   }
+#endif
 
 #if defined(BOTAN_HAS_FRODOKEM)
    if(alg_name == "FrodoKEM") {
diff --git a/src/tests/data/pubkey/cmce_kat_hashed.vec b/src/tests/data/pubkey/cmce_kat_hashed.vec
new file mode 100644
index 00000000000..5d5f6852b31
--- /dev/null
+++ b/src/tests/data/pubkey/cmce_kat_hashed.vec
@@ -0,0 +1,148 @@
+# The first KAT for all ClaSSic McEliece instances (source: https://claSSic.mceliece.org/nist.html)
+# The plaintext confirmation (pc) KATs are created using a modified reference implementation
+# The public and secret keys are hashed via SHAKE256(512)
+
+[mceliece348864]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = B4F9FF1E4390E3BE0BBCEBFF9A525AE83B191211896AA8786CE8BC511C9F78C3
+PK = 2615e458cdda9626d09719ae81a1abf2ca9295d51b256843eb73faead8bcad60ee4fbe5419b2c906ae00d9c60328ff835697b19f78a6974269e8dd7c89027ca8
+SK = e7a139f9670fff672f75b37b303a289fa45e50acb038d43f655a475053d130334713d965f0c55741d1d866321a17b7918b759ceb235be5368844ad532264b568
+CT = DEF61908A70A3099E45B4D5D91957ADE70F571D210D525D655DB7294515F91D97795F2353615BC7CDF13502181E5BCC8C9ABFEF31819D66DD2760363694F789602264A3E24445681A0183CE343A2264FDFF96C82AB318AE888D105D52D59BC1B
+
+[mceliece348864f]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 4B5EA75DD51BE56BE739F6EC6BABC2CBE538683303B05934D33D93256D1AB6EF
+PK = 77bdeafa05a162bc2ceb46b8e548022684eaef422e6ce123cb990edf44093fd225dc0d4045be3162c8f7062f545217a2858b41c092c915d5f15b05954c0360dd
+SK = 3617d714cd395b19d4f08c6bc255666444c3f40a07f02d32abe725db1fbb7db2ef9b3e17f723c5f20c8b1e256738383442e634111320fb751f44b8fe858a1d6b
+CT = E205BB2814DED1582864F2B1D2A26397411EE4E61F6998FF61CD55E4C4FB35AB99788D00F42D2D3B79B0820035749776CAA82730B1EBE2B81230424FCBCB8B5A804B0FA3025B108175456F80F4ABD1786C5DB02C6564333DE9FE67ED4A92D6FE
+
+# TODO: Not standardized
+# [mceliece348864pc]
+# Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+# SS = 56EA8D2982F408DF1DE8465FFD9A77DE027CC22374C007809F3691D97613812C
+# PK = 2615e458cdda9626d09719ae81a1abf2ca9295d51b256843eb73faead8bcad60ee4fbe5419b2c906ae00d9c60328ff835697b19f78a6974269e8dd7c89027ca8
+# SK = e7a139f9670fff672f75b37b303a289fa45e50acb038d43f655a475053d130334713d965f0c55741d1d866321a17b7918b759ceb235be5368844ad532264b568
+# CT = DEF61908A70A3099E45B4D5D91957ADE70F571D210D525D655DB7294515F91D97795F2353615BC7CDF13502181E5BCC8C9ABFEF31819D66DD2760363694F789602264A3E24445681A0183CE343A2264FDFF96C82AB318AE888D105D52D59BC1BB2A44DB7A3CF1FBFFFEB7E0625701D97B78638E8ECC3E91FEF7327CD118397C0
+
+# TODO: Not standardized
+# [mceliece348864pcf]
+# Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+# SS = 5EA83EC4E9A96CC843CDDD0B9133134FB59EC348EB53440844A2C6D634FE677C
+# PK = 77bdeafa05a162bc2ceb46b8e548022684eaef422e6ce123cb990edf44093fd225dc0d4045be3162c8f7062f545217a2858b41c092c915d5f15b05954c0360dd
+# SK = 3617d714cd395b19d4f08c6bc255666444c3f40a07f02d32abe725db1fbb7db2ef9b3e17f723c5f20c8b1e256738383442e634111320fb751f44b8fe858a1d6b
+# CT = E205BB2814DED1582864F2B1D2A26397411EE4E61F6998FF61CD55E4C4FB35AB99788D00F42D2D3B79B0820035749776CAA82730B1EBE2B81230424FCBCB8B5A804B0FA3025B108175456F80F4ABD1786C5DB02C6564333DE9FE67ED4A92D6FEB2A44DB7A3CF1FBFFFEB7E0625701D97B78638E8ECC3E91FEF7327CD118397C0
+
+[mceliece460896]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 132D477D0C24306181C6AD01590D39BE9B2404ED32CCBE0EB1F169680212CC1C
+PK = 9b3fdd46b5c7bd7aa0c637b37675af5cc376a6f7fcf0bde389c8cedaa764913a0c3a22044e70b56f54f456db717f985d3f3894d65ff2010d7727b3ab8c2e01ed
+SK = 1b3274243449643ed4d7cb4364cd094a3f602a9c3d9762896d215df673ee3460ae8dd85022d217bef729e5eb279f2e6c40745e38ef2c4db3d70de1cd1489e573
+CT = CF78C42A38795E0F5D6BAC38ACDEE6C4C9536F93BCC32E08B8CE0B886E737AA5AD51CC0E2E5B9176B67F0327EA117334DCD5664ADCFFB39F1932C498B210A56EB5C9E9C7C5DB03DC46C5D2450D1F05C152533BE30AA544F20FF11CAC1FFEBB919D69B033642AC0ABC1C174AFCBE9F22433A5D3E2048621A7982CC08D5D9E37BC65ABE96DF8A651758894B6E58A34E42CB82798BE3FD7B3D96DE27E65
+
+[mceliece460896f]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 89F6BDB539A46E0DF0D8BE3BEDABCF11A1D0C8F68E707F97081826B5A78A7EA5
+PK = ef60b9e0d9b8b34ec6001c4711d66daeadf41198746869b10baf63c0e5a24ac184b5a1cc595c56bdb696651032cbcf038cd2da5da5448cb9bdcfe42cf945ae61
+SK = e51b4f6e8c8e61d3b9c751fde190b17ba899f96803f73b85613d62a650492af4c7829341befee710105ed5713f01a5035ed9b6aed4dfcb94c818c680c8466778
+CT = BCF3C98E2EC96F127540B844F4DF0B176E2460C97D6EB82423B3833AEFF0680FC4B3F758E3A6FA03A23D8419CA0B464191AB245CA5C7E112DF24FCE728C40B414DA2F6B058796774DA463966AC5FD21476350E46C3CCD07A317A33DC29132809BAA255A41D6456D01301AC08C94B2D57148CEA41E7AFE036F17D3CE62F46EC31C7FEB07DED1767F861389EC89180E107698AFAFA0976381F04A0CA06
+
+# TODO: Not standardized
+# [mceliece460896pc]
+# Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+# SS = F6EB7975CC7AD7438DBE220C72DE9FDB7717161D8A6AA461666B767455847EE9
+# PK = 9b3fdd46b5c7bd7aa0c637b37675af5cc376a6f7fcf0bde389c8cedaa764913a0c3a22044e70b56f54f456db717f985d3f3894d65ff2010d7727b3ab8c2e01ed
+# SK = 1b3274243449643ed4d7cb4364cd094a3f602a9c3d9762896d215df673ee3460ae8dd85022d217bef729e5eb279f2e6c40745e38ef2c4db3d70de1cd1489e573
+# CT = CF78C42A38795E0F5D6BAC38ACDEE6C4C9536F93BCC32E08B8CE0B886E737AA5AD51CC0E2E5B9176B67F0327EA117334DCD5664ADCFFB39F1932C498B210A56EB5C9E9C7C5DB03DC46C5D2450D1F05C152533BE30AA544F20FF11CAC1FFEBB919D69B033642AC0ABC1C174AFCBE9F22433A5D3E2048621A7982CC08D5D9E37BC65ABE96DF8A651758894B6E58A34E42CB82798BE3FD7B3D96DE27E651585121A060E712178A6218AF3907BC3F8BCDE02E8EAF5769C9E790274267B37
+
+# TODO: Not standardized
+# [mceliece460896pcf]
+# Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+# SS = 5ADC9C0EE763A675F49DD50B9B59C9C6F920D6B9BD298F6106A40E19B5CAD2AC
+# PK = ef60b9e0d9b8b34ec6001c4711d66daeadf41198746869b10baf63c0e5a24ac184b5a1cc595c56bdb696651032cbcf038cd2da5da5448cb9bdcfe42cf945ae61
+# SK = e51b4f6e8c8e61d3b9c751fde190b17ba899f96803f73b85613d62a650492af4c7829341befee710105ed5713f01a5035ed9b6aed4dfcb94c818c680c8466778
+# CT = BCF3C98E2EC96F127540B844F4DF0B176E2460C97D6EB82423B3833AEFF0680FC4B3F758E3A6FA03A23D8419CA0B464191AB245CA5C7E112DF24FCE728C40B414DA2F6B058796774DA463966AC5FD21476350E46C3CCD07A317A33DC29132809BAA255A41D6456D01301AC08C94B2D57148CEA41E7AFE036F17D3CE62F46EC31C7FEB07DED1767F861389EC89180E107698AFAFA0976381F04A0CA061585121A060E712178A6218AF3907BC3F8BCDE02E8EAF5769C9E790274267B37
+
+[mceliece6688128]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 7B35200A8387A2BB376394A68473E7ABE5CE392484DABE6C1EF0EE2CD9F68022
+PK = 46489d7bd19b860311fdb17693b920ebd58e356ca01a2c157e00c15fe2be6e0ceac35f767b812464ce9f14a87f4b5d0d1cb8ae5c7daed6a952d3eee732ea60f7
+SK = 024c1f80388fa4f60dd19e12eef03f1435cd173b891dfdd4586fb75eecfde6fb1868b979485268df3c075f2faf248b8e160606252b45ccd9a396316a00fb8ec0
+CT = 01278F7400972FD05AA6368A4F8662497A5A31A3E968BF81B49EBDFB8331769EA1BB5275AD46D33F8D6624C2F305F961DC8812850B20C2FE3C7E8FB0393BBBFFFC0458A01765EC519AB332DA952047B8A87C618D3BF28046B94F82872A75D1C090DBE768168DF6D7D6755FAFB5AE050AE520BF7ED641C90161DFB70E4A5EF9A8D64856CAC821D98B00E8145D3462A4DB6CF2E0C002DBA11257D7716E22F18F8E28113CDF5FE7581CC82854165AB93E36D4080F8E7B8116667E9C12D515A443EA002E609C6F5EE839FF282D8EAAF6BB8C
+
+[mceliece6688128f]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 29F45674CFB52E295CD31E5303B7387515699A764777742B5A487798D41218C8
+PK = 0c453cc87eb310694cad01065624cdf723b42b7ffc7aa72afa86956013427e83c23c1061ed9c8393e07e37b2186286a096140b2e571deaf4d037deafb41d7235
+SK = 9c02fbffd0401c9dcae1a977cd0d52d59178357fcc055e2ba5c6691bb9fbcd3cf7e3d6ccc3ca23213f6cdefb4823e592dff809e1ea8df55f78636da17c8cfd78
+CT = 640B4DA81C3198D4707E02CAD713E8EB6BE431076E3EE7D6AA5323A9C551FEFE8BDC978052A55244D9347C2DB4A5EF76C6FFF4EE3F3E973ACBD58C0E03665DAF1857B2987CF463994CC31E95645F81CF2E18F7D5EBBC1212689B6F8765692DDD0F7852FACED8471BDA55737ED4E3129ADE84E246C20D02780D590D47D6D90BB2A6FA7141B72290DB4EE1478E09B1B48B7D8CCE4F37E329A1ED8F9BBAC4DAC6040358CED8B4B96289AB5BE27A95FB35A0D603DCC7E94D8C9A9728A3896D1EE556F5E185DC542DA1CB07A7480D5618D647
+
+[mceliece6688128pc]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 18A3E9906E03926AA87E0E910C570F5874549B0B1DE9E60D50C4031B5EB0B0F6
+PK = 46489d7bd19b860311fdb17693b920ebd58e356ca01a2c157e00c15fe2be6e0ceac35f767b812464ce9f14a87f4b5d0d1cb8ae5c7daed6a952d3eee732ea60f7
+SK = 024c1f80388fa4f60dd19e12eef03f1435cd173b891dfdd4586fb75eecfde6fb1868b979485268df3c075f2faf248b8e160606252b45ccd9a396316a00fb8ec0
+CT = 01278F7400972FD05AA6368A4F8662497A5A31A3E968BF81B49EBDFB8331769EA1BB5275AD46D33F8D6624C2F305F961DC8812850B20C2FE3C7E8FB0393BBBFFFC0458A01765EC519AB332DA952047B8A87C618D3BF28046B94F82872A75D1C090DBE768168DF6D7D6755FAFB5AE050AE520BF7ED641C90161DFB70E4A5EF9A8D64856CAC821D98B00E8145D3462A4DB6CF2E0C002DBA11257D7716E22F18F8E28113CDF5FE7581CC82854165AB93E36D4080F8E7B8116667E9C12D515A443EA002E609C6F5EE839FF282D8EAAF6BB8CEA79099D6282BAD1AF5B0CA919D112A35B12FD483FA90F9FD8B72D15E668E442
+
+[mceliece6688128pcf]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = B954FAD8A4BD4905AD0D2D30E1AF7A7ECD705B94F7BAA713FFEA1583C96DE70F
+PK = 0c453cc87eb310694cad01065624cdf723b42b7ffc7aa72afa86956013427e83c23c1061ed9c8393e07e37b2186286a096140b2e571deaf4d037deafb41d7235
+SK = 9c02fbffd0401c9dcae1a977cd0d52d59178357fcc055e2ba5c6691bb9fbcd3cf7e3d6ccc3ca23213f6cdefb4823e592dff809e1ea8df55f78636da17c8cfd78
+CT = 640B4DA81C3198D4707E02CAD713E8EB6BE431076E3EE7D6AA5323A9C551FEFE8BDC978052A55244D9347C2DB4A5EF76C6FFF4EE3F3E973ACBD58C0E03665DAF1857B2987CF463994CC31E95645F81CF2E18F7D5EBBC1212689B6F8765692DDD0F7852FACED8471BDA55737ED4E3129ADE84E246C20D02780D590D47D6D90BB2A6FA7141B72290DB4EE1478E09B1B48B7D8CCE4F37E329A1ED8F9BBAC4DAC6040358CED8B4B96289AB5BE27A95FB35A0D603DCC7E94D8C9A9728A3896D1EE556F5E185DC542DA1CB07A7480D5618D647EA79099D6282BAD1AF5B0CA919D112A35B12FD483FA90F9FD8B72D15E668E442
+
+[mceliece6960119]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = ACE16B9D437E56401128EDE4EE3A1C45CFE13D8E8288A3754DB4D9B78C5A3DDF
+PK = 52244c54404fa392d586faec5a55ebe48c78386a3efce108684b89cc9b9c173a57ccfd6748712fcb6226f7a2add4506e1483107b88172e88589dfdaecd3a0948
+SK = 53ca3551c31cd51be0074fc928264765de6bdef00810fc6bdb63ccd69d9e15b168c45a9dfce7bb48dbb131bbe772371b100285d2b282bad4f50b328b81e84826
+CT = 63C39D29314866A0FE528B3D5DE37D5C6F72279EE711036198B0C2CA1F293D3541E0D1467D63D2E5C92B8060001CF002017F60B954C5DC457BA63C59BBE330BB66BC8726E605ACD0E90CD7167376F68CC071D4F931349564EF28D7EAB3D1FF61563EE1DEFD95A548004979736AB1B39BE08D57A49F39988F23574A5A06FC4C317F08C1B842EF844773BE74701E57EC91107DE40C6EEB222630621A6FBF2A4CB8CCB9C395ABD85FDC03C0FBE0E56EC9F7052B90608E21653FA2DE1AD62C68C2656C06
+
+[mceliece6960119f]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 2FDCA51B72431A9534E670D9ED6C8C085D57AA409C41E21668E03ED0C569BA43
+PK = da30411922f1c72600f5e5846f6d0815f41fee4aed87226e61a6d8c28045fe332859f24e9245f095f253ae30ac70b220436ee21d14f58859aa5da5c0fa61b8be
+SK = 0f9a9255f9d120d3b53e87032baeaf7802db8abd5a24de9def0a1a2b3934737da5e48c1236bd75ff1811aa63e66a5c16b4c272f480c7c260c36d184c615d67a5
+CT = 39444056B95687CF222EFC56C4FEBD99D0EF6EF718376889840DCB35721B04960FEF47473B538C512D3CFB2E78A378CAA7B20986ED4F0D13670282DD64110E06C71ECE1B05E0D0CDFA0389EEDC1454F8D14430CB3C3339C754FDB36B8EBE611D12A6117751FD2A834444B0B0ED1AD8464C328424958BF8B75A2AB8E7D537E40ABB33FC775F4BEE8EA92C8439698C99105D7B520D6398684C1DB9B0421A89AB514C75914B5D8C3C511E0B55BBA6F2B5E27C64D8C2E2AFA5A12B66DF5946BAEBD28804
+
+[mceliece6960119pc]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 35D4BE047205AFF8339FCF19935D5F3F3C09BAFC6E418448214D5F159915DED7
+PK = 52244c54404fa392d586faec5a55ebe48c78386a3efce108684b89cc9b9c173a57ccfd6748712fcb6226f7a2add4506e1483107b88172e88589dfdaecd3a0948
+SK = 53ca3551c31cd51be0074fc928264765de6bdef00810fc6bdb63ccd69d9e15b168c45a9dfce7bb48dbb131bbe772371b100285d2b282bad4f50b328b81e84826
+CT = 63C39D29314866A0FE528B3D5DE37D5C6F72279EE711036198B0C2CA1F293D3541E0D1467D63D2E5C92B8060001CF002017F60B954C5DC457BA63C59BBE330BB66BC8726E605ACD0E90CD7167376F68CC071D4F931349564EF28D7EAB3D1FF61563EE1DEFD95A548004979736AB1B39BE08D57A49F39988F23574A5A06FC4C317F08C1B842EF844773BE74701E57EC91107DE40C6EEB222630621A6FBF2A4CB8CCB9C395ABD85FDC03C0FBE0E56EC9F7052B90608E21653FA2DE1AD62C68C2656C068CC5C37FC0AFD9B145CB3C4E7C30EF4D4C9F404E6FFFFB179AED0CF18B3BDA14
+
+[mceliece6960119pcf]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 7ADF6895DBBC6AC1621374116E0D9EA53184601EDF88B53E55BEC013103F9269
+PK = da30411922f1c72600f5e5846f6d0815f41fee4aed87226e61a6d8c28045fe332859f24e9245f095f253ae30ac70b220436ee21d14f58859aa5da5c0fa61b8be
+SK = 0f9a9255f9d120d3b53e87032baeaf7802db8abd5a24de9def0a1a2b3934737da5e48c1236bd75ff1811aa63e66a5c16b4c272f480c7c260c36d184c615d67a5
+CT = 39444056B95687CF222EFC56C4FEBD99D0EF6EF718376889840DCB35721B04960FEF47473B538C512D3CFB2E78A378CAA7B20986ED4F0D13670282DD64110E06C71ECE1B05E0D0CDFA0389EEDC1454F8D14430CB3C3339C754FDB36B8EBE611D12A6117751FD2A834444B0B0ED1AD8464C328424958BF8B75A2AB8E7D537E40ABB33FC775F4BEE8EA92C8439698C99105D7B520D6398684C1DB9B0421A89AB514C75914B5D8C3C511E0B55BBA6F2B5E27C64D8C2E2AFA5A12B66DF5946BAEBD288048CC5C37FC0AFD9B145CB3C4E7C30EF4D4C9F404E6FFFFB179AED0CF18B3BDA14
+
+[mceliece8192128]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 82351702A2C3973644CB735FC9B6CEA8FE526D7D729EE134FC12C0201690E854
+PK = d9c71f2e10a72ff75517b6b209e2826e53ab8d1f4c16985ae039413a1b117713c668dd8c24ca53d0b0089664a419eeadc7778ad13ccc27ea9dc6b25b1ce290fb
+SK = 705a3860712eadd0fbd892b10e46e82d32e678080165a4ec6b5b22ffc878e62d157b18ca7513dbafca4b7abb5f2f34992cb003d9617230f0d7de62ea7b63e806
+CT = AD9728E7519C5F851FDA1148CF652893C8884288930995416F95798C4F2E0151FF617828CBCBC74BA3870D04E41FB875BE651A8070E23B89D47362833D899ABB57D25886FD9B71C2027C3F32FB5D699922053BA4E7297E9EE87838DBC06677E0B4EB4D9EDEA0945A6D0A01020BB30C33CF0498373B9AF3517DD20331FFB1F8177946251EFA80BE477E96D8ACAF5F2AB93DE67868DE506B44E0A1FA058176450A380901A5AA0E033642A7ECCD50C77916268AD225AFB3B7A1560FAF4CF476ACFFBBFA30D1EFF17FBD73B109CF9FF2ECC0
+
+[mceliece8192128f]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = BC1E92FBD34B7907C0FA2568C5E5FA936AF7A6F0C2EE642BDFC760D894683F92
+PK = 490df50a0c816ea209ef617e9eebe374cbac7fc8c26b4be415f499630fda470db300fade9d7a07da1f6f6548c6e6db779ca6300a9ba07981bf4dbe7b2f393f05
+SK = 1b15567eacdd9608decd182a295d8753c048a898df84d1d6b731e4012c1dd64396801c2d423e2baf10f5b37372dcb214ee4b9b23e4167a8535fde363d30a7b8f
+CT = F220F073D58E77C3AF5C366C94CEDFF259E4144C8FBA8ECBF833582C2922429431D7BCCA15D587405CF646411CE113950DE7B15E92ACFF8BDB99385BE1917F7EE68CBA58C32505282C568D67EE29C84B07988C9D4D02CD5A21544A3050D24B7001B3232FBC534F2033AB7A10AB4E5C816A0CE7B1FBDB46D2DBB5FAC934BCFA57C675265564AF3400EA4DCED7E68BEDB0AF4C52A25BFBA6BE2162AA7ADB8EF685EFBC119407A6938AF904630B7E755A9D2F7496F06129EE7538D09144107BD51BC725D6D5A73F419D8277BBC195FF4C7F
+
+[mceliece8192128pc]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = 870B2D45FA3CCEA8186F3929DE0B68798F65A34D01353B2EBFD6B1FBC2707897
+PK = d9c71f2e10a72ff75517b6b209e2826e53ab8d1f4c16985ae039413a1b117713c668dd8c24ca53d0b0089664a419eeadc7778ad13ccc27ea9dc6b25b1ce290fb
+SK = 705a3860712eadd0fbd892b10e46e82d32e678080165a4ec6b5b22ffc878e62d157b18ca7513dbafca4b7abb5f2f34992cb003d9617230f0d7de62ea7b63e806
+CT = AD9728E7519C5F851FDA1148CF652893C8884288930995416F95798C4F2E0151FF617828CBCBC74BA3870D04E41FB875BE651A8070E23B89D47362833D899ABB57D25886FD9B71C2027C3F32FB5D699922053BA4E7297E9EE87838DBC06677E0B4EB4D9EDEA0945A6D0A01020BB30C33CF0498373B9AF3517DD20331FFB1F8177946251EFA80BE477E96D8ACAF5F2AB93DE67868DE506B44E0A1FA058176450A380901A5AA0E033642A7ECCD50C77916268AD225AFB3B7A1560FAF4CF476ACFFBBFA30D1EFF17FBD73B109CF9FF2ECC03EDD086216C90F28C78E03C496B56E6659DC95C5F7C51A371D36BAD9BC1757C2
+
+[mceliece8192128pcf]
+Seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+SS = EC35D8E55EB7ACE9866694FC0915402EA0720A85C5A3DB8A93D627F0432A452E
+PK = 490df50a0c816ea209ef617e9eebe374cbac7fc8c26b4be415f499630fda470db300fade9d7a07da1f6f6548c6e6db779ca6300a9ba07981bf4dbe7b2f393f05
+SK = 1b15567eacdd9608decd182a295d8753c048a898df84d1d6b731e4012c1dd64396801c2d423e2baf10f5b37372dcb214ee4b9b23e4167a8535fde363d30a7b8f
+CT = F220F073D58E77C3AF5C366C94CEDFF259E4144C8FBA8ECBF833582C2922429431D7BCCA15D587405CF646411CE113950DE7B15E92ACFF8BDB99385BE1917F7EE68CBA58C32505282C568D67EE29C84B07988C9D4D02CD5A21544A3050D24B7001B3232FBC534F2033AB7A10AB4E5C816A0CE7B1FBDB46D2DBB5FAC934BCFA57C675265564AF3400EA4DCED7E68BEDB0AF4C52A25BFBA6BE2162AA7ADB8EF685EFBC119407A6938AF904630B7E755A9D2F7496F06129EE7538D09144107BD51BC725D6D5A73F419D8277BBC195FF4C7F3EDD086216C90F28C78E03C496B56E6659DC95C5F7C51A371D36BAD9BC1757C2
+
diff --git a/src/tests/data/pubkey/cmce_negative.vec b/src/tests/data/pubkey/cmce_negative.vec
new file mode 100644
index 00000000000..3763b2c6860
--- /dev/null
+++ b/src/tests/data/pubkey/cmce_negative.vec
@@ -0,0 +1,22 @@
+
+# Test the decapsulation of invalid keys. Test vectors are based on the first KAT
+# some Classic McEliece instances (source: https://classic.mceliece.org/nist.html), where one bit
+# is flipped in the (valid) ciphertext, invalidating it. These test vectors were created using
+# a modification of the reference implementation. Private keys are created from the seed as in NIST's KAT
+# tests.
+#
+# Note: For plaintext confirmation instances, an additional pair of invalid ciphertext and corresponding
+#       output shared secret is given (ct_invalid_c1/ss_invalid_c1), where one bit of C_1 is flipped
+#       (ciphertext = C_0 || C_1), which is handled by plaintext confirmation.
+
+[mceliece348864f]
+seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+ct_invalid = E305BB2814DED1582864F2B1D2A26397411EE4E61F6998FF61CD55E4C4FB35AB99788D00F42D2D3B79B0820035749776CAA82730B1EBE2B81230424FCBCB8B5A804B0FA3025B108175456F80F4ABD1786C5DB02C6564333DE9FE67ED4A92D6FE
+ss_invalid = 9AADA66ACAA96C4BCD5059155B23BE5DF7BC22527FE19161AAF0BF712F4F07EE
+
+[mceliece6688128pcf]
+seed = 061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1
+ct_invalid_c1 = 640B4DA81C3198D4707E02CAD713E8EB6BE431076E3EE7D6AA5323A9C551FEFE8BDC978052A55244D9347C2DB4A5EF76C6FFF4EE3F3E973ACBD58C0E03665DAF1857B2987CF463994CC31E95645F81CF2E18F7D5EBBC1212689B6F8765692DDD0F7852FACED8471BDA55737ED4E3129ADE84E246C20D02780D590D47D6D90BB2A6FA7141B72290DB4EE1478E09B1B48B7D8CCE4F37E329A1ED8F9BBAC4DAC6040358CED8B4B96289AB5BE27A95FB35A0D603DCC7E94D8C9A9728A3896D1EE556F5E185DC542DA1CB07A7480D5618D647EA79099D6282BAD1AF5B0CA919D112A35B12FD483FA90F9FD8B72D15E668E443
+ss_invalid_c1 = F9EC0EA86FDCCEBBD90EF0394054F4631E187119B6379B2E2BC46986DD6D280A
+ct_invalid = 650B4DA81C3198D4707E02CAD713E8EB6BE431076E3EE7D6AA5323A9C551FEFE8BDC978052A55244D9347C2DB4A5EF76C6FFF4EE3F3E973ACBD58C0E03665DAF1857B2987CF463994CC31E95645F81CF2E18F7D5EBBC1212689B6F8765692DDD0F7852FACED8471BDA55737ED4E3129ADE84E246C20D02780D590D47D6D90BB2A6FA7141B72290DB4EE1478E09B1B48B7D8CCE4F37E329A1ED8F9BBAC4DAC6040358CED8B4B96289AB5BE27A95FB35A0D603DCC7E94D8C9A9728A3896D1EE556F5E185DC542DA1CB07A7480D5618D647EA79099D6282BAD1AF5B0CA919D112A35B12FD483FA90F9FD8B72D15E668E442
+ss_invalid = B3E19CD4BED97A32B6DE87E006902DCB8DAAC069C8CF1B2C662911FCE5A24487
diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
new file mode 100644
index 00000000000..c1d802fcdce
--- /dev/null
+++ b/src/tests/test_cmce.cpp
@@ -0,0 +1,383 @@
+/*
+* Tests for Classic McEliece
+*
+* (C) 2023 Jack Lloyd
+*     2023,2024 Fabian Albert, Amos Treiber - Rohde & Schwarz Cybersecurity
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include "test_pubkey.h"
+#include "test_pubkey_pqc.h"
+#include "test_rng.h"
+#include "tests.h"
+
+#if defined(BOTAN_HAS_CLASSICMCELIECE)
+
+   #include <botan/cmce.h>
+   #include <botan/hash.h>
+   #include <botan/pk_algs.h>
+   #include <botan/pubkey.h>
+   #include <botan/internal/cmce_decaps.h>
+   #include <botan/internal/cmce_encaps.h>
+   #include <botan/internal/cmce_field_ordering.h>
+   #include <botan/internal/cmce_gf.h>
+   #include <botan/internal/cmce_keys_internal.h>
+   #include <botan/internal/cmce_parameters.h>
+   #include <botan/internal/cmce_poly.h>
+
+   #include <iostream>
+   #include <set>
+
+namespace Botan_Tests {
+
+namespace {
+
+Botan::Classic_McEliece_Polynomial create_element_from_bytes(std::span<const uint8_t> bytes,
+                                                             const Botan::Classic_McEliece_Polynomial_Ring& ring) {
+   BOTAN_ARG_CHECK(bytes.size() == ring.degree() * 2, "Correct input size");
+   std::vector<uint16_t> coef(ring.degree());
+   Botan::load_le<uint16_t>(coef.data(), bytes.data(), ring.degree());
+
+   std::vector<Botan::Classic_McEliece_GF> coeff_vec_gf;
+   std::transform(coef.begin(), coef.end(), std::back_inserter(coeff_vec_gf), [&](auto& coeff) {
+      return Botan::Classic_McEliece_GF(Botan::GF_Elem(coeff), ring.poly_f());
+   });
+   return Botan::Classic_McEliece_Polynomial(coeff_vec_gf);
+}
+
+std::vector<Botan::Classic_McEliece_Parameter_Set> get_test_instances_all() {
+   return {// All instances
+           Botan::Classic_McEliece_Parameter_Set::mceliece348864,
+           Botan::Classic_McEliece_Parameter_Set::mceliece348864f,
+
+           Botan::Classic_McEliece_Parameter_Set::mceliece460896,
+           Botan::Classic_McEliece_Parameter_Set::mceliece460896f,
+
+           Botan::Classic_McEliece_Parameter_Set::mceliece6688128,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6688128f,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6688128pc,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6688128pcf,
+
+           Botan::Classic_McEliece_Parameter_Set::mceliece6960119,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6960119f,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6960119pc,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6960119pcf,
+
+           Botan::Classic_McEliece_Parameter_Set::mceliece8192128,
+           Botan::Classic_McEliece_Parameter_Set::mceliece8192128f,
+           Botan::Classic_McEliece_Parameter_Set::mceliece8192128pc,
+           Botan::Classic_McEliece_Parameter_Set::mceliece8192128pcf};
+}
+
+std::vector<Botan::Classic_McEliece_Parameter_Set> get_test_instances_min() {
+   return {// Testing with and without pc and f. Also testing 6960119 with m*t mod 8 != 0.
+           Botan::Classic_McEliece_Parameter_Set::mceliece348864,
+           Botan::Classic_McEliece_Parameter_Set::mceliece6960119pcf};
+}
+
+std::vector<Botan::Classic_McEliece_Parameter_Set> instances_to_test() {
+   if(Test::run_long_tests()) {
+      return get_test_instances_all();
+   } else {
+      return get_test_instances_min();
+   }
+}
+
+bool skip_cmce_test(const std::string& params_str) {
+   auto params = Botan::Classic_McEliece_Parameters::create(params_str);
+   auto to_test = instances_to_test();
+   return std::find(to_test.begin(), to_test.end(), params.set()) == to_test.end();
+}
+}  // namespace
+
+class CMCE_Utility_Tests final : public Test {
+   public:
+      Test::Result expand_seed_test() {
+         Test::Result result("Seed expansion");
+
+         auto params =
+            Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
+
+         // Created using the reference implementation
+         auto seed = Botan::hex_decode_locked("0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f20");
+
+         auto exp_first_and_last_bytes = Botan::hex_decode(
+            "543e2791fd98dbc1"    // first 8 bytes
+            "d332a7c40776ca01");  // last 8 bytes
+
+         size_t byte_length =
+            (params.n() + params.sigma2() * params.q() + params.sigma1() * params.t() + params.ell()) / 8;
+
+         auto rand = params.prg(seed)->output_stdvec(byte_length);
+         rand.erase(rand.begin() + 8, rand.end() - 8);
+
+         result.test_is_eq("Seed expansion", rand, exp_first_and_last_bytes);
+
+         return result;
+      }
+
+      Test::Result irreducible_poly_gen_test() {
+         Test::Result result("Irreducible Polynomial Generation");
+
+         auto params =
+            Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
+
+         // Created using the reference implementation
+         auto random_bits = Botan::hex_decode(
+            "d9b8bb962a3f9dac0f832d243def581e7d26f4028de1ff9cd168460e5050ab095a32a372b40d720bd5d75389a6b3f08fa1d13cec60a4b716d4d6c240f2f80cd3"
+            "cbc76ae0dddca164c1130da185bd04e890f2256fb9f4754864811e14ea5a43b8b3612d59cecde1b2fdb6362659a0193d2b7d4b9d79aa1801dde3ca90dc300773");
+
+         auto exp_g = Botan::Classic_McEliece_Minimal_Polynomial::from_bytes(
+            Botan::hex_decode(
+               "8d00a50f520a0307b8007c06cb04b9073b0f4a0f800fb706a60f2a05910a670b460375091209fc060a09ab036c09e5085a0df90d3506b404a30fda041d09970f"
+               "1206d000e00aac01c00dc80f490cd80b4108330c0208cf00d602450ec00a21079806eb093f00de015f052905560917081b09270c820af002000c34094504cd03"),
+            params.poly_f());
+
+         auto g = params.poly_ring().compute_minimal_polynomial(random_bits);
+         result.confirm("Minimize polynomial successful", g.has_value());
+         result.test_is_eq("Minimize polynomial", g.value().coef(), exp_g.coef());
+
+         return result;
+      }
+
+      Test::Result gf_test() {
+         Test::Result result("GF test");
+
+         auto exp_mul = Botan::GF_Elem(0x001e);  //00011110
+
+         auto val1 = Botan::Classic_McEliece_GF(Botan::GF_Elem(0b00000000010110111), Botan::GF_Mod(0b100011011));
+         auto val2 = Botan::Classic_McEliece_GF(Botan::GF_Elem(0b00000000011001001), Botan::GF_Mod(0b100011011));
+         auto mul = val1 * val2;
+         result.test_is_eq("Control bits creation", mul.elem(), exp_mul);
+
+         return result;
+      }
+
+      Test::Result gf_inv_test() {
+         Test::Result result("GF inv test");
+
+         auto params =
+            Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
+
+         auto v = params.gf(Botan::GF_Elem(42));
+         auto v_inv = v.inv();
+         result.test_is_eq("Control bits creation", (v * v_inv).elem(), Botan::GF_Elem(1));
+
+         return result;
+      }
+
+      Test::Result gf_poly_mul_test() {
+         Test::Result result("GF Poly Mul");
+
+         auto params =
+            Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
+
+         const auto& field = params.poly_ring();
+
+         auto val1 = create_element_from_bytes(
+            Botan::hex_decode(
+               "bb02d40437094c0ae4034c00b10fed090a04850f660c3b0e110eb409810a86015b0f5804ca0e78089806e20b5b03aa0bc2020b05ea03710da902340c390f630b"
+               "bc07a70db20b9e0ee4038905a00a09090a0521045e0a0706370b5a00050a4100480c4d0e8f00730692093701fe04650dbe0fd00702011a04910360023f04fb0a"),
+            field);
+
+         auto val2 = create_element_from_bytes(
+            Botan::hex_decode(
+               "060c630b170abb00020fef03e501020e89098108bf01f30dd30900000e0d3d0ca404ec01190760021f088c09b90b0a06a702d104500f0f02f00a580287010a09"
+               "4e01490d270c73051800bc0af303b901b202b50321002802b903ce0ab40806083f0a2d06d002df0f260811005c02a10b300e5c0ba20d14045003c50f2f02de02"),
+            field);
+
+         auto exp_mul = create_element_from_bytes(
+            Botan::hex_decode(
+               "370d090b19008f0efb01f5011b04f9054b0d1f071d0457011e09cd0dfa093c004f08500e670abb0567090000f603770a3905bf044408b8025805930b25012201"
+               "8d0a560e840d960d9d0a280d1d06fc08d5078c06fe0cb406d0061e02c6090507d20eb10cb90146085c042e030c0e1a07910fcd0c5f0fda066c0cee061d01f40f"),
+            field);
+
+         auto mul = field.multiply(val1, val2);  // val1 * val2;
+         result.test_is_eq("GF multiplication", mul.coef(), exp_mul.coef());
+
+         return result;
+      }
+
+      std::vector<Test::Result> run() override {
+         return {expand_seed_test(), irreducible_poly_gen_test(), gf_test(), gf_inv_test(), gf_poly_mul_test()};
+      }
+};
+
+   #if defined(BOTAN_HAS_AES)
+class CMCE_Invalid_Test : public Text_Based_Test {
+   public:
+      CMCE_Invalid_Test() :
+            Text_Based_Test("pubkey/cmce_negative.vec", "seed,ct_invalid,ss_invalid", "ct_invalid_c1,ss_invalid_c1") {}
+
+      Test::Result run_one_test(const std::string& params_str, const VarMap& vars) override {
+         Test::Result result("CMCE Invalid Ciphertext Test");
+
+         auto params = Botan::Classic_McEliece_Parameters::create(params_str);
+
+         const auto kat_seed = Botan::lock(vars.get_req_bin("seed"));
+         const auto ct_invalid = vars.get_req_bin("ct_invalid");
+         const auto ref_ss_invalid = Botan::lock(vars.get_req_bin("ss_invalid"));
+
+         const auto test_rng = std::make_unique<CTR_DRBG_AES256>(kat_seed);
+
+         auto private_key = Botan::create_private_key("ClassicMcEliece", *test_rng, params_str);
+
+         // Decaps an invalid ciphertext
+         auto dec = Botan::PK_KEM_Decryptor(*private_key, *test_rng, "Raw");
+         auto decaps_ct_invalid = dec.decrypt(ct_invalid);
+
+         result.test_is_eq("Decaps an invalid encapsulated key", decaps_ct_invalid, ref_ss_invalid);
+
+         if(params.is_pc()) {
+            // For pc variants, additionally check the plaintext confirmation (pc) logic by
+            // flipping a bit in the second part of the ciphertext (C_1 in pc). In this case
+            // C_0 is decoded correctly, but pc will change the shared secret, since C_1' != C_1.
+            const auto ct_invalid_c1 = vars.get_opt_bin("ct_invalid_c1");
+            const auto ref_ss_invalid_c1 = Botan::lock(vars.get_opt_bin("ss_invalid_c1"));
+            auto decaps_ct_invalid_c1 = dec.decrypt(ct_invalid_c1);
+
+            result.test_is_eq("Decaps with invalid C_1 in pc", decaps_ct_invalid_c1, ref_ss_invalid_c1);
+         }
+
+         return result;
+      }
+};
+   #endif  // BOTAN_HAS_AES
+
+class CMCE_Generic_Keygen_Tests final : public PK_Key_Generation_Test {
+   public:
+      std::vector<std::string> keygen_params() const override {
+         auto to_test = instances_to_test();
+
+         std::vector<std::string> res;
+         std::transform(to_test.begin(), to_test.end(), std::back_inserter(res), [](auto& param_set) {
+            return Botan::cmce_str_from_param_set(param_set);
+         });
+
+         return res;
+      }
+
+      std::string algo_name() const override { return "ClassicMcEliece"; }
+};
+
+class Classic_McEliece_KAT_Tests final : public Botan_Tests::PK_PQC_KEM_KAT_Test {
+   public:
+      Classic_McEliece_KAT_Tests() : PK_PQC_KEM_KAT_Test("ClassicMcEliece", "pubkey/cmce_kat_hashed.vec") {}
+
+   private:
+      Botan::Classic_McEliece_Parameters get_params(const std::string& header) const {
+         return Botan::Classic_McEliece_Parameters::create(Botan::cmce_param_set_from_str(header));
+      }
+
+      bool is_available(const std::string& alg_name) const final { return !skip_cmce_test(alg_name); }
+
+      std::vector<uint8_t> map_value(const std::string&, std::span<const uint8_t> value, VarType var_type) const final {
+         if(var_type == VarType::Ciphertext || var_type == VarType::SharedSecret) {
+            return {value.begin(), value.end()};
+         }
+         auto hash = Botan::HashFunction::create_or_throw("SHAKE-256(512)");
+         return hash->process<std::vector<uint8_t>>(value);
+      }
+
+      Fixed_Output_RNG rng_for_keygen(const std::string&, Botan::RandomNumberGenerator& rng) const final {
+         const auto seed = rng.random_vec(Botan::Classic_McEliece_Parameters::seed_len());
+         return Fixed_Output_RNG(seed);
+      }
+
+      Fixed_Output_RNG rng_for_encapsulation(const std::string& alg_name,
+                                             Botan::RandomNumberGenerator& rng) const final {
+         // There is no way to tell exacly how much randomness is
+         // needed for encapsulation (rejection sampling)
+         // For testing we use a number that fits for all test cases
+         auto params = get_params(alg_name);
+         const size_t max_attempts = 100;
+         const size_t bits_per_attempt = (params.sigma1() / 8) * params.tau();
+
+         std::vector<uint8_t> rand_buffer;
+         for(size_t attempt = 0; attempt < max_attempts; ++attempt) {
+            auto random_bytes = rng.random_vec(bits_per_attempt);
+            rand_buffer.insert(rand_buffer.end(), random_bytes.begin(), random_bytes.end());
+         }
+
+         return Fixed_Output_RNG(rand_buffer);
+      }
+
+      void inspect_rng_after_encaps(const std::string&, const Fixed_Output_RNG&, Test::Result&) const final {
+         // Encaps uses any number of random bytes, so we cannot check the RNG
+      }
+};
+
+/**
+ * TODO: Remove on final PR
+ * This is a test using a minimal instance. Since this instance is self constructed,
+ * we have no known answer to check against. However, this test may be useful for
+ * side channel analysis.
+ *
+ * Hints for SCA:
+ * Build only ClassicMcEliece with (for example):
+ *    ./configure.py --compiler-cache=ccache --minimized-build --enable-modules=classic_mceliece --build-targets=static,tests --without-documentation --build-tool=ninja && ninja
+ * Run only this test without prints:
+ *    ./botan-test cmce_minimal --test-threads=1 --no-stdout
+ */
+class CMCE_Minimal_Test final : public Test {
+   public:
+      Test::Result run_minimal_keygen_test(std::string_view param_set) {
+         Test::Result result("Minimal KeyGen Test");
+
+         const Botan::secure_vector<uint8_t> rng_seed(48, 0);
+         const auto test_rng = std::make_unique<CTR_DRBG_AES256>(rng_seed);
+
+         // Test Keygen
+         std::unique_ptr<Botan::Private_Key> private_key;
+         result.test_no_throw("Key Generation", [&] {
+            private_key = Botan::create_private_key("ClassicMcEliece", *test_rng, param_set);
+         });
+         if(!private_key) {
+            // Keygen failed
+            return result;
+         }
+
+         // Test Encapsulation
+         std::optional<Botan::KEM_Encapsulation> encaps = std::nullopt;
+         result.test_no_throw("Encapsulation", [&] {
+            auto enc = Botan::PK_KEM_Encryptor(*private_key, "Raw", "base");
+            encaps = enc.encrypt(*test_rng);
+         });
+
+         // Test Decapsulation
+         Botan::secure_vector<uint8_t> decaps;
+         result.test_no_throw("Decapsulation", [&] {
+            auto dec = Botan::PK_KEM_Decryptor(*private_key, *test_rng, "Raw");
+            decaps = dec.decrypt(encaps->encapsulated_shared_key());
+         });
+
+         result.test_is_eq("Decapsulated secret is correct", decaps, encaps->shared_key());
+
+         return result;
+      }
+
+      std::vector<Test::Result> run() override {
+         std::vector<Test::Result> results;
+         // The parameter decides which instance is tested, i.e. with our without
+         // semi-systematic gauss or plaintext confirmation.
+         results.push_back(run_minimal_keygen_test("test"));
+         results.push_back(run_minimal_keygen_test("testf"));
+         results.push_back(run_minimal_keygen_test("testpc"));
+         results.push_back(run_minimal_keygen_test("testpcf"));
+
+         return results;
+      }
+};
+
+BOTAN_REGISTER_TEST("cmce", "cmce_utility", CMCE_Utility_Tests);
+BOTAN_REGISTER_TEST("cmce", "cmce_generic_keygen", CMCE_Generic_Keygen_Tests);
+BOTAN_REGISTER_TEST("cmce", "cmce_generic_kat", Classic_McEliece_KAT_Tests);
+   #if defined(BOTAN_HAS_AES)
+BOTAN_REGISTER_TEST("cmce", "cmce_invalid", CMCE_Invalid_Test);
+   #endif
+BOTAN_REGISTER_TEST("cmce", "cmce_minimal", CMCE_Minimal_Test);
+
+}  // namespace Botan_Tests
+
+#endif  // BOTAN_HAS_CLASSICMCELIECE

From f6ee2a0b63c6d481e1e013e9fcbfe36dbb0e2f26 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Mon, 22 Jan 2024 13:34:16 +0100
Subject: [PATCH 05/27] bitvector<>::bitref<>::as<T>()

---
 src/lib/pubkey/classic_mceliece/cmce.cpp            |  2 +-
 src/lib/pubkey/classic_mceliece/cmce_decaps.cpp     |  2 +-
 .../pubkey/classic_mceliece/cmce_field_ordering.cpp |  6 +++---
 src/lib/pubkey/classic_mceliece/cmce_matrix.cpp     |  5 ++---
 src/lib/utils/bitvector.h                           | 13 +++++++++----
 5 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 2a0e5dc0ebb..5d878493a1c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -133,7 +133,7 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
    // Checking weight of c
    size_t c_hamming_weight = 0;
    for(size_t i = 0; i < m_private->c().get().size(); ++i) {
-      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c().get()[i]).if_set_return(1);
+      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c().get()[i].as<size_t>()).if_set_return(1);
    }
 
    ret &= CT::Mask<size_t>::is_equal(c_hamming_weight, 32);
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 0b27876faae..790c22a3ba5 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -27,7 +27,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
       auto g_alpha = goppa_poly(alphas[i]);
       auto r = (g_alpha * g_alpha).inv();
 
-      auto c_mask = GF_Mask(CT::Mask<uint16_t>::expand(code_word.at(i)));
+      auto c_mask = GF_Mask(CT::Mask<uint16_t>::expand(code_word.at(i).as<uint16_t>()));
 
       for(size_t j = 0; j < 2 * params.t(); ++j) {
          syndrome[j] += c_mask.if_set_return(r);
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index c6bc0af410c..386d3f37a91 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -295,7 +295,7 @@ Classic_McEliece_Field_Ordering Classic_McEliece_Field_Ordering::create_from_con
       size_t gap = static_cast<size_t>(1) << std::min(i, 2 * params.m() - 2 - i);
       for(size_t j = 0; j < size_t(n / 2); ++j) {
          size_t pos = (j % gap) + 2 * gap * (j / gap);
-         auto mask = CT::Mask<uint16_t>::expand(control_bits[i * n / 2 + j]);
+         auto mask = CT::Mask<uint16_t>::expand(control_bits[i * n / 2 + j].as<uint16_t>());
          mask.conditional_swap(pi[pos], pi[pos + gap]);
       }
    }
@@ -310,8 +310,8 @@ void Classic_McEliece_Field_Ordering::permute_with_pivots(const Classic_McEliece
    for(size_t p_idx = 1; p_idx <= Classic_McEliece_Parameters::mu(); ++p_idx) {
       size_t p_counter = 0;
       for(size_t col = 0; col < Classic_McEliece_Parameters::nu(); ++col) {
-         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.get().at(col));
-         p_counter += CT::Mask<size_t>::expand(pivots.get().at(col)).if_set_return(1);
+         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>());
+         p_counter += CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>()).if_set_return(1);
          auto mask_is_current_pivot = CT::Mask<size_t>::is_equal(p_idx, p_counter);
          (mask_is_pivot_set & mask_is_current_pivot)
             .conditional_swap(m_pi.get().at(col_offset + col), m_pi.get().at(col_offset + p_idx - 1));
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index e8c3637b771..9d9c141845c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -25,7 +25,7 @@ size_t count_lsb_zeros(secure_bitvector n) {
    size_t res = 0;
    auto found_only_zeros = Botan::CT::Mask<size_t>::set();
    for(size_t bit_pos = 0; bit_pos < n.size(); ++bit_pos) {
-      auto bit_set_mask = Botan::CT::Mask<size_t>::expand(n.at(bit_pos));
+      auto bit_set_mask = Botan::CT::Mask<size_t>::expand(n.at(bit_pos).as<size_t>());
       found_only_zeros &= ~bit_set_mask;
       res += found_only_zeros.if_set_return(size_t(1));
    }
@@ -121,7 +121,7 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
    for(auto pivot_idx : pivot_indices) {
       for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
          auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
-         pivots.get().at(i) = mask_is_at_current_idx.select(1, pivots.get().at(i));
+         pivots.get().at(i) = mask_is_at_current_idx.select(1, pivots.get().at(i).as<size_t>());
       }
    }
 
@@ -131,7 +131,6 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
          // Swap bit j with bit pivot_indices[j]
          size_t col_j = pos_offset + j;
          size_t col_pivot_j = pos_offset + pivot_indices.at(j);
-         // TODO: uint8_t instead of bool (also in bitvector)
          auto sum = mat.at(mat_row).at(col_j) ^ mat.at(mat_row).at(col_pivot_j);
          mat.at(mat_row).at(col_j) = mat.at(mat_row).at(col_j) ^ sum;
          mat.at(mat_row).at(col_pivot_j) = mat.at(mat_row).at(col_pivot_j) ^ sum;
diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index 763adce3dc1..5a48680d7c1 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -158,6 +158,11 @@ class bitvector_base final {
 
             constexpr bool is_set() const noexcept { return (m_block & m_mask) > 0; }
 
+            template <std::integral T>
+            constexpr T as() const noexcept {
+               return static_cast<T>(is_set());
+            }
+
          protected:
             BlockT& m_block;  // NOLINT(*-non-private-member-variables-in-classes)
             BlockT m_mask;    // NOLINT(*-non-private-member-variables-in-classes)
@@ -346,7 +351,7 @@ class bitvector_base final {
 
          // copy remaining unaligned data
          for(size_type i = verbatim_bytes * 8; i < m_bits; ++i) {
-            out[i >> 3] |= static_cast<uint8_t>(ref(i)) << (i & 7);
+            out[i >> 3] |= ref(i).template as<uint8_t>() << (i & 7);
          }
       }
 
@@ -505,7 +510,7 @@ class bitvector_base final {
       auto operator[](size_type pos) { return ref(pos); }
 
       // TODO C++23: deducing this
-      bool operator[](size_type pos) const { return ref(pos); }
+      auto operator[](size_type pos) const { return ref(pos); }
 
       /// @}
 
@@ -999,9 +1004,9 @@ constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
                                            std::remove_cvref_t<decltype(rhs)>::uses_secure_allocator;
 
    if constexpr(needs_secure_allocator) {
-      return lhs.as_locked();
+      return lhs.template as<secure_bitvector>();
    } else {
-      return lhs;
+      return lhs.template as<bitvector>();
    }
 }
 

From 6b64f5481c6a0c33bea1fef9775ef154aaf60e71 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Mon, 22 Jan 2024 14:14:33 +0100
Subject: [PATCH 06/27] bitvector now models concepts::container

... which simplifies the usage with Strong<> types significantly and
provides a bidirectional iterator for bitvector objects.
---
 src/lib/pubkey/classic_mceliece/cmce.cpp      |   4 +-
 .../classic_mceliece/cmce_keys_internal.cpp   |   3 +-
 .../pubkey/classic_mceliece/cmce_matrix.cpp   |   4 +-
 src/lib/utils/bitvector.h                     | 112 +++++++++++++++-
 src/lib/utils/concepts.h                      |   2 +
 src/lib/utils/strong_type.h                   |  64 ++++-----
 src/tests/test_utils_bitvector.cpp            | 121 +++++++++++++++++-
 7 files changed, 271 insertions(+), 39 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 5d878493a1c..1bce87b07e8 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -132,8 +132,8 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
 
    // Checking weight of c
    size_t c_hamming_weight = 0;
-   for(size_t i = 0; i < m_private->c().get().size(); ++i) {
-      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c().get()[i].as<size_t>()).if_set_return(1);
+   for(size_t i = 0; i < m_private->c().size(); ++i) {
+      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c()[i].as<size_t>()).if_set_return(1);
    }
 
    ret &= CT::Mask<size_t>::is_equal(c_hamming_weight, 32);
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index 88087ce5d34..56d0cd42bf2 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -108,8 +108,7 @@ std::shared_ptr<Classic_McEliece_PublicKeyInternal> Classic_McEliece_PublicKeyIn
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
    }
    auto& [pk_matrix, pivot] = pk_matrix_and_pivot.value();
-   if(!pivot.get().subvector(0, pivot.get().size() / 2).all() ||
-      !pivot.get().subvector(pivot.get().size() / 2).none()) {
+   if(!pivot.get().subvector(0, pivot.size() / 2).all() || !pivot.get().subvector(pivot.size() / 2).none()) {
       // There should not be a pivot other than 0xff ff ff ff 00 00 00 00. Otherwise
       // the gauss algorithm failed effectively.
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index 9d9c141845c..3910afaa6ca 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -117,7 +117,7 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
    }
 
    // Create pivot bitvector from the pivot index vector
-   Column_Selection pivots((secure_bitvector(Classic_McEliece_Parameters::nu())));
+   Column_Selection pivots(Classic_McEliece_Parameters::nu());
    for(auto pivot_idx : pivot_indices) {
       for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
          auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
@@ -144,7 +144,7 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
                                             std::vector<secure_bitvector>& mat) {
    // Initialized for systematic form instances
    // Is overridden for semi systematic instances
-   auto pivots = Column_Selection(secure_bitvector(std::vector<uint8_t>({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0}), 64));
+   auto pivots = Column_Selection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
 
    // Gaussian Elimination
    for(size_t diag_pos = 0; diag_pos < params.pk_no_rows(); ++diag_pos) {
diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index 5a48680d7c1..2c127191722 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -96,6 +96,90 @@ concept predicate_blockwise_processing_callback =
    (blockwise_processing_callback_with_mask<FnT, ParamTs...> &&
     std::same_as<bool, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., first_t<ParamTs...>>>);
 
+template <typename T>
+class bitvector_iterator {
+   private:
+      using size_type = typename T::size_type;
+
+   public:
+      using difference_type = std::make_signed_t<size_type>;
+      using value_type = std::remove_const_t<decltype(std::declval<T>().at(0))>;
+      using pointer = value_type*;
+      using reference = value_type&;
+
+      // TODO: technically, this could be a random access iterator
+      using iterator_category = std::bidirectional_iterator_tag;
+
+   public:
+      bitvector_iterator() = default;
+      ~bitvector_iterator() = default;
+
+      bitvector_iterator(T* bitvector, size_t offset) : m_bitvector(bitvector) { update(offset); }
+
+      bitvector_iterator(const bitvector_iterator& other) noexcept : m_bitvector(other.m_bitvector) {
+         update(other.m_offset);
+      }
+
+      bitvector_iterator(bitvector_iterator&& other) noexcept : m_bitvector(other.m_bitvector) {
+         update(other.m_offset);
+      }
+
+      bitvector_iterator& operator=(const bitvector_iterator& other) noexcept {
+         if(this != &other) {
+            m_bitvector = other.m_bitvector;
+            update(other.m_offset);
+         }
+         return *this;
+      }
+
+      bitvector_iterator& operator=(bitvector_iterator&& other) noexcept {
+         m_bitvector = other.m_bitvector;
+         update(other.m_offset);
+         return *this;
+      }
+
+      bitvector_iterator& operator++() noexcept {
+         update(signed_offset() + 1);
+         return *this;
+      }
+
+      bitvector_iterator operator++(int) noexcept {
+         auto copy = *this;
+         update(signed_offset() + 1);
+         return copy;
+      }
+
+      bitvector_iterator& operator--() noexcept {
+         update(signed_offset() - 1);
+         return *this;
+      }
+
+      bitvector_iterator operator--(int) noexcept {
+         auto copy = *this;
+         update(signed_offset() - 1);
+         return copy;
+      }
+
+      auto operator<=>(const bitvector_iterator& other) const noexcept = default;
+
+      reference operator*() const { return *m_bitref; }
+
+      pointer operator->() const { return &(*m_bitref); }
+
+   private:
+      void update(size_type new_offset) {
+         m_offset = new_offset;
+         m_bitref.emplace((*m_bitvector)[new_offset]);
+      }
+
+      difference_type signed_offset() const { return static_cast<difference_type>(m_offset); }
+
+   private:
+      T* m_bitvector;
+      size_type m_offset;
+      mutable std::optional<value_type> m_bitref;
+};
+
 }  // namespace detail
 
 /**
@@ -112,6 +196,9 @@ class bitvector_base final {
       using block_type = uint8_t;
       using size_type = size_t;
       using allocator_type = AllocatorT<block_type>;
+      using value_type = block_type;
+      using iterator = detail::bitvector_iterator<bitvector_base<AllocatorT>>;
+      using const_iterator = detail::bitvector_iterator<const bitvector_base<AllocatorT>>;
 
       static constexpr size_type block_size_bytes = sizeof(block_type);
       static constexpr size_type block_size_bits = block_size_bytes * 8;
@@ -141,7 +228,7 @@ class bitvector_base final {
          private:
             friend class bitvector_base<AllocatorT>;
 
-            constexpr bitref_base(std::span<BlockT> blocks, size_type pos) :
+            constexpr bitref_base(std::span<BlockT> blocks, size_type pos) noexcept :
                   m_block(blocks[block_index(pos)]), m_mask(one << block_offset(pos)) {}
 
          public:
@@ -250,6 +337,9 @@ class bitvector_base final {
          from_bytes(bytes, bits);
       }
 
+      bitvector_base(std::initializer_list<block_type> blocks, std::optional<size_type> bits = std::nullopt) :
+            m_bits(bits.value_or(blocks.size() * block_size_bits)), m_blocks(blocks.begin(), blocks.end()) {}
+
       bool empty() const { return m_bits == 0; }
 
       size_type size() const { return m_bits; }
@@ -359,8 +449,6 @@ class bitvector_base final {
        * Renders this bitvector into a sequence of "0"s and "1"s.
        */
       std::string to_string() const {
-         // TODO: if we introduce iterators for the bitvector class
-         //       we might be able to move this into a cpp file.
          std::stringstream ss;
          for(size_type i = 0; i < size(); ++i) {
             ss << ref(i);
@@ -619,6 +707,24 @@ class bitvector_base final {
 
       /// @}
 
+      /// @name Iterators
+      ///
+      /// @{
+
+      iterator begin() noexcept { return iterator(this, 0); }
+
+      const_iterator begin() const noexcept { return const_iterator(this, 0); }
+
+      const_iterator cbegin() const noexcept { return const_iterator(this, 0); }
+
+      iterator end() noexcept { return iterator(this, size()); }
+
+      const_iterator end() const noexcept { return const_iterator(this, size()); }
+
+      const_iterator cend() noexcept { return const_iterator(this, size()); }
+
+      /// @}
+
    private:
       void check_offset(size_type pos) const { BOTAN_ARG_CHECK(pos < m_bits, "Out of range"); }
 
diff --git a/src/lib/utils/concepts.h b/src/lib/utils/concepts.h
index 595d186144f..dbf5391aa34 100644
--- a/src/lib/utils/concepts.h
+++ b/src/lib/utils/concepts.h
@@ -181,6 +181,8 @@ concept container = requires(T a) {
 template <typename T>
 concept contiguous_container = container<T> && requires(T a) {
                                                   { a.data() } -> container_pointer<T>;
+                                                  typename T::pointer;
+                                                  typename T::const_pointer;
                                                };
 
 template <typename T>
diff --git a/src/lib/utils/strong_type.h b/src/lib/utils/strong_type.h
index a1fb4544115..b235677d262 100644
--- a/src/lib/utils/strong_type.h
+++ b/src/lib/utils/strong_type.h
@@ -65,35 +65,22 @@ class Strong_Adapter<T> : public Strong_Base<T> {
 };
 
 template <concepts::container T>
-class Strong_Adapter<T> : public Strong_Base<T> {
+class Container_Strong_Adapter_Base : public Strong_Base<T> {
    public:
       using value_type = typename T::value_type;
       using size_type = typename T::size_type;
       using iterator = typename T::iterator;
       using const_iterator = typename T::const_iterator;
-      using pointer = typename T::pointer;
-      using const_pointer = typename T::const_pointer;
 
    public:
       using Strong_Base<T>::Strong_Base;
 
-      explicit Strong_Adapter(std::span<const value_type> span)
-         requires(concepts::contiguous_container<T>)
-            : Strong_Adapter(T(span.begin(), span.end())) {}
-
-      explicit Strong_Adapter(size_t size)
+      explicit Container_Strong_Adapter_Base(size_t size)
          requires(concepts::resizable_container<T>)
-            : Strong_Adapter(T(size)) {}
+            : Container_Strong_Adapter_Base(T(size)) {}
 
       template <typename InputIt>
-      Strong_Adapter(InputIt begin, InputIt end) : Strong_Adapter(T(begin, end)) {}
-
-      // Disambiguates the usage of string literals, otherwise:
-      // Strong_Adapter(std::span<>) and Strong_Adapter(const char*)
-      // would be ambiguous.
-      explicit Strong_Adapter(const char* str)
-         requires(std::same_as<T, std::string>)
-            : Strong_Adapter(std::string(str)) {}
+      Container_Strong_Adapter_Base(InputIt begin, InputIt end) : Container_Strong_Adapter_Base(T(begin, end)) {}
 
    public:
       decltype(auto) begin() noexcept(noexcept(this->get().begin())) { return this->get().begin(); }
@@ -114,18 +101,6 @@ class Strong_Adapter<T> : public Strong_Base<T> {
 
       size_type size() const noexcept(noexcept(this->get().size())) { return this->get().size(); }
 
-      decltype(auto) data() noexcept(noexcept(this->get().data()))
-         requires(concepts::contiguous_container<T>)
-      {
-         return this->get().data();
-      }
-
-      decltype(auto) data() const noexcept(noexcept(this->get().data()))
-         requires(concepts::contiguous_container<T>)
-      {
-         return this->get().data();
-      }
-
       bool empty() const noexcept(noexcept(this->get().empty()))
          requires(concepts::has_empty<T>)
       {
@@ -145,6 +120,37 @@ class Strong_Adapter<T> : public Strong_Base<T> {
       decltype(auto) operator[](size_type i) noexcept(noexcept(this->get().operator[](i))) { return this->get()[i]; }
 };
 
+template <concepts::container T>
+class Strong_Adapter<T> : public Container_Strong_Adapter_Base<T> {
+   public:
+      using Container_Strong_Adapter_Base<T>::Container_Strong_Adapter_Base;
+};
+
+template <concepts::contiguous_container T>
+class Strong_Adapter<T> : public Container_Strong_Adapter_Base<T> {
+   public:
+      using pointer = typename T::pointer;
+      using const_pointer = typename T::const_pointer;
+
+   public:
+      using Container_Strong_Adapter_Base<T>::Container_Strong_Adapter_Base;
+
+      explicit Strong_Adapter(std::span<const typename Container_Strong_Adapter_Base<T>::value_type> span) :
+            Strong_Adapter(T(span.begin(), span.end())) {}
+
+      // Disambiguates the usage of string literals, otherwise:
+      // Strong_Adapter(std::span<>) and Strong_Adapter(const char*)
+      // would be ambiguous.
+      explicit Strong_Adapter(const char* str)
+         requires(std::same_as<T, std::string>)
+            : Strong_Adapter(std::string(str)) {}
+
+   public:
+      decltype(auto) data() noexcept(noexcept(this->get().data())) { return this->get().data(); }
+
+      decltype(auto) data() const noexcept(noexcept(this->get().data())) { return this->get().data(); }
+};
+
 }  // namespace detail
 
 /**
diff --git a/src/tests/test_utils_bitvector.cpp b/src/tests/test_utils_bitvector.cpp
index d48f241176e..8199a01bd80 100644
--- a/src/tests/test_utils_bitvector.cpp
+++ b/src/tests/test_utils_bitvector.cpp
@@ -792,6 +792,124 @@ Test::Result test_bitvector_conditional_xor_workload() {
    return res;
 }
 
+std::vector<Test::Result> test_bitvector_iterators() {
+   return {
+      Botan_Tests::CHECK("Iterators: range-based for loop",
+                         [](auto& result) {
+                            Botan::bitvector bv(6);
+                            bv.set(0).set(3).set(4);
+
+                            for(size_t i = 0; auto& ref : bv) {
+                               const bool expected = i == 0 || i == 3 || i == 4;
+                               result.test_eq(Botan::fmt("bit {} is as expected", i), ref, expected);
+                               ++i;
+                            }
+
+                            for(size_t i = 0; const auto& ref : bv) {
+                               const bool expected = i == 0 || i == 3 || i == 4;
+                               result.test_eq(Botan::fmt("const bit {} is as expected", i), ref, expected);
+                               ++i;
+                            }
+
+                            for(auto ref : bv) {
+                               ref = true;
+                            }
+
+                            result.confirm("all bits are set", bv.all());
+                         }),
+
+      Botan_Tests::CHECK("Iterators: bare usage",
+                         [](auto& result) {
+                            Botan::bitvector bv(6);
+                            bv.set(0).set(3).set(4);
+
+                            size_t i = 0;
+                            for(auto itr = bv.begin(); itr != bv.end(); ++itr, ++i) {
+                               const bool expected = i == 0 || i == 3 || i == 4;
+                               result.test_eq(Botan::fmt("bit {} is as expected", i), *itr, expected);
+                            }
+
+                            i = 0;
+                            for(auto itr = bv.cbegin(); itr != bv.cend(); itr++, ++i) {
+                               const bool expected = i == 0 || i == 3 || i == 4;
+                               result.test_eq(Botan::fmt("const bit {} is as expected", i), itr->is_set(), expected);
+                            }
+
+                            i = 6;
+                            auto ritr = bv.end();
+                            do {
+                               --ritr;
+                               --i;
+                               const bool expected = i == 0 || i == 3 || i == 4;
+                               result.test_eq(Botan::fmt("reverse bit {} is as expected", i), *ritr, expected);
+                            } while(ritr != bv.begin());
+
+                            for(auto itr = bv.begin(); itr != bv.end(); ++itr) {
+                               itr->flip();
+                            }
+
+                            i = 0;
+                            for(auto itr = bv.begin(); itr != bv.end(); ++itr, ++i) {
+                               const bool expected = i == 1 || i == 2 || i == 5;
+                               result.test_eq(Botan::fmt("flipped bit {} is as expected", i), *itr, expected);
+                            }
+                         }),
+
+      Botan_Tests::CHECK("Iterators: std::distance and std::advance",
+                         [](auto& result) {
+                            Botan::bitvector bv(6);
+                            using signed_size_t = std::make_signed_t<size_t>;
+
+                            result.test_is_eq("distance", std::distance(bv.begin(), bv.end()), signed_size_t(6));
+                            result.test_is_eq(
+                               "const distance", std::distance(bv.cbegin(), bv.cend()), signed_size_t(6));
+
+                            auto b = bv.begin();
+                            std::advance(b, 3);
+                            result.test_is_eq("half distance", std::distance(bv.begin(), b), signed_size_t(3));
+                         }),
+
+      Botan_Tests::CHECK("Iterators: large bitvector",
+                         [](auto& result) {
+                            Botan::bitvector bv(500);
+
+                            for(auto itr = bv.begin(); itr != bv.end(); ++itr) {
+                               if(std::distance(bv.begin(), itr) % 2 == 0) {
+                                  itr->set();
+                               }
+                               if(std::distance(bv.begin(), itr) % 3 == 0) {
+                                  *itr = true;
+                               }
+                            }
+
+                            for(size_t i = 0; const auto& bit : bv) {
+                               const bool expected = (i % 2 == 0) || (i % 3 == 0);
+                               result.test_eq(Botan::fmt("bit {} is as expected", i), bit, expected);
+                               ++i;
+                            }
+                         }),
+
+      Botan_Tests::CHECK("Iterators: satiesfies C++20 concepts",
+                         [](auto& result) {
+                            Botan::secure_bitvector bv(42);
+                            auto ro_itr = bv.cbegin();
+                            auto rw_itr = bv.begin();
+
+                            using ro = decltype(ro_itr);
+                            using rw = decltype(rw_itr);
+
+                            result.confirm("ro input iterator", std::input_iterator<ro>);
+                            result.confirm("rw input iterator", std::input_iterator<rw>);
+                            result.confirm("ro is not an output iterator", !std::output_iterator<ro, bool>);
+                            result.confirm("rw output iterator", std::output_iterator<rw, bool>);
+                            result.confirm("ro bidirectional iterator", std::bidirectional_iterator<ro>);
+                            result.confirm("rw bidirectional iterator", std::bidirectional_iterator<rw>);
+                            result.confirm("ro not a contiguous iterator", !std::contiguous_iterator<ro>);
+                            result.confirm("rw not a contiguous iterator", !std::contiguous_iterator<rw>);
+                         }),
+   };
+}
+
 }  // namespace
 
 BOTAN_REGISTER_TEST_FN("utils",
@@ -803,6 +921,7 @@ BOTAN_REGISTER_TEST_FN("utils",
                        test_bitvector_binary_operators,
                        test_bitvector_serialization,
                        test_bitvector_constant_time_operations,
-                       test_bitvector_conditional_xor_workload);
+                       test_bitvector_conditional_xor_workload,
+                       test_bitvector_iterators);
 
 }  // namespace Botan_Tests

From 2a3e60f45d6d91f1c3bfcff45f38706cc07ce773 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Tue, 23 Jan 2024 10:29:02 +0100
Subject: [PATCH 07/27] StrongAdapter<> for bitvector

---
 .../pubkey/classic_mceliece/cmce_decaps.cpp   |   3 +-
 .../classic_mceliece/cmce_field_ordering.cpp  |   4 +-
 .../classic_mceliece/cmce_keys_internal.cpp   |   2 +-
 .../pubkey/classic_mceliece/cmce_matrix.cpp   |   4 +-
 src/lib/utils/bitvector.h                     | 218 ++++++++++++++----
 src/tests/test_utils_bitvector.cpp            |  63 ++++-
 6 files changed, 236 insertions(+), 58 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 790c22a3ba5..08230b9282c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -92,7 +92,8 @@ std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decod
    BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
    big_c.resize(m_key->params().n());
 
-   auto syndrome = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as_locked());
+   auto syndrome =
+      compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as<secure_bitvector>());
    auto locator = berlekamp_massey(m_key->params(), syndrome);
 
    std::vector<Classic_McEliece_GF> images;
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index 386d3f37a91..c80969066dc 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -310,8 +310,8 @@ void Classic_McEliece_Field_Ordering::permute_with_pivots(const Classic_McEliece
    for(size_t p_idx = 1; p_idx <= Classic_McEliece_Parameters::mu(); ++p_idx) {
       size_t p_counter = 0;
       for(size_t col = 0; col < Classic_McEliece_Parameters::nu(); ++col) {
-         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>());
-         p_counter += CT::Mask<size_t>::expand(pivots.get().at(col).as<size_t>()).if_set_return(1);
+         auto mask_is_pivot_set = CT::Mask<size_t>::expand(pivots.at(col).as<size_t>());
+         p_counter += CT::Mask<size_t>::expand(pivots.at(col).as<size_t>()).if_set_return(1);
          auto mask_is_current_pivot = CT::Mask<size_t>::is_equal(p_idx, p_counter);
          (mask_is_pivot_set & mask_is_current_pivot)
             .conditional_swap(m_pi.get().at(col_offset + col), m_pi.get().at(col_offset + p_idx - 1));
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index 56d0cd42bf2..6e0bc36897c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -108,7 +108,7 @@ std::shared_ptr<Classic_McEliece_PublicKeyInternal> Classic_McEliece_PublicKeyIn
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
    }
    auto& [pk_matrix, pivot] = pk_matrix_and_pivot.value();
-   if(!pivot.get().subvector(0, pivot.size() / 2).all() || !pivot.get().subvector(pivot.size() / 2).none()) {
+   if(!pivot.subvector(0, pivot.size() / 2).all() || !pivot.subvector(pivot.size() / 2).none()) {
       // There should not be a pivot other than 0xff ff ff ff 00 00 00 00. Otherwise
       // the gauss algorithm failed effectively.
       throw Decoding_Error("Cannot create public key from private key. Private key is invalid.");
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index 3910afaa6ca..eea7185f77d 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -121,7 +121,7 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
    for(auto pivot_idx : pivot_indices) {
       for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
          auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
-         pivots.get().at(i) = mask_is_at_current_idx.select(1, pivots.get().at(i).as<size_t>());
+         pivots.at(i) = mask_is_at_current_idx.select(1, pivots.at(i).as<size_t>());
       }
    }
 
@@ -252,6 +252,6 @@ bitvector Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params
    }
 
    BOTAN_ASSERT_NOMSG(pk_slicer.empty());
-   return s.as_unlocked();
+   return s.as<bitvector>();
 }
 }  // namespace Botan
diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index 2c127191722..5a6c6020ab5 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -2,8 +2,8 @@
  * An abstraction for an arbitrarily large bitvector that can
  * optionally use the secure_allocator.
  *
- * (C) 2023 Jack Lloyd
- * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ * (C) 2023-2024 Jack Lloyd
+ * (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
  *
  * Botan is released under the Simplified BSD License (see license.txt)
  */
@@ -15,6 +15,7 @@
 #include <botan/exceptn.h>
 #include <botan/mem_ops.h>
 #include <botan/secmem.h>
+#include <botan/strong_type.h>
 #include <botan/internal/bit_ops.h>
 #include <botan/internal/ct_utils.h>
 #include <botan/internal/loadstor.h>
@@ -29,6 +30,21 @@
 
 namespace Botan {
 
+template <template <typename> typename AllocatorT>
+class bitvector_base;
+
+template <typename T>
+struct is_bitvector : std::false_type {};
+
+template <template <typename> typename T>
+struct is_bitvector<bitvector_base<T>> : std::true_type {};
+
+template <typename T>
+constexpr static bool is_bitvector_v = is_bitvector<T>::value;
+
+template <typename T>
+concept bitvectorish = is_bitvector_v<T> || (is_strong_type_v<T> && is_bitvector_v<typename T::wrapped_type>);
+
 namespace detail {
 
 template <typename T0, typename... Ts>
@@ -96,6 +112,24 @@ concept predicate_blockwise_processing_callback =
    (blockwise_processing_callback_with_mask<FnT, ParamTs...> &&
     std::same_as<bool, blockwise_processing_callback_return_type<FnT, uint32_t, ParamTs..., first_t<ParamTs...>>>);
 
+template <bitvectorish T>
+auto& unwrap(T& bv) {
+   if constexpr(is_bitvector_v<T>) {
+      return bv;
+   } else {
+      return bv.get();
+   }
+}
+
+template <bitvectorish T>
+const auto& unwrap(const T& bv) {
+   if constexpr(is_bitvector_v<T>) {
+      return bv;
+   } else {
+      return bv.get();
+   }
+}
+
 template <typename T>
 class bitvector_iterator {
    private:
@@ -361,23 +395,22 @@ class bitvector_base final {
       }
 
       /**
-       * @returns a copy of this bitvector as a secure_bitvector
+       * @returns copies this bitvector into a new bitvector of type @p OutT
        */
-      auto as_locked() const { return subvector<secure_allocator>(0, size()); }
-
-      /**
-       * @returns a copy of this bitvector as a standard-allocated bitvector
-       */
-      auto as_unlocked() const { return subvector<std::allocator>(0, size()); }
+      template <bitvectorish OutT>
+      OutT as() const {
+         return subvector<OutT>(0, size());
+      }
 
       /**
        * @returns true if @p other contains the same bit pattern as this
        */
-      template <template <typename> typename OtherAllocatorT>
-      bool equals(const bitvector_base<OtherAllocatorT>& other) const noexcept {
+      template <bitvectorish OtherT>
+      bool equals(const OtherT& other) const noexcept {
          return size() == other.size() &&
-                full_range_operation(
-                   []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) { return lhs == rhs; }, *this, other);
+                full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) { return lhs == rhs; },
+                                     *this,
+                                     detail::unwrap(other));
       }
 
       /// @name Serialization
@@ -609,26 +642,31 @@ class bitvector_base final {
        * Creates a new bitvector with a subsection of this bitvector starting at
        * @p pos copying exactly @p length bits.
        */
-      template <template <typename> typename NewAllocatorT = AllocatorT>
+      template <bitvectorish OutT = bitvector_base<AllocatorT>>
       auto subvector(size_type pos, std::optional<size_type> length = std::nullopt) const {
          size_type bitlen = length.value_or(size() - pos);
          BOTAN_ARG_CHECK(pos + bitlen <= size(), "Not enough bits to copy");
 
-         bitvector_base<NewAllocatorT> newvector(bitlen);
+         OutT newvector(bitlen);
+
+         // Handle bitvectors that are wrapped in strong types
+         auto& newvector_unwrapped = detail::unwrap(newvector);
+         using unwrapped_type = std::remove_cvref_t<decltype(newvector_unwrapped)>;
+         static_assert(is_bitvector_v<unwrapped_type>);
 
          if(bitlen > 0) {
             if(pos % 8 == 0) {
                copy_mem(
-                  newvector.m_blocks,
+                  newvector_unwrapped.m_blocks,
                   std::span{m_blocks}.subspan(block_index(pos), block_index(pos + bitlen - 1) - block_index(pos) + 1));
             } else {
                BitRangeOperator<const bitvector_base<AllocatorT>, BitRangeAlignment::no_alignment> from_op(
                   *this, pos, bitlen);
-               BitRangeOperator<bitvector_base<NewAllocatorT>> to_op(newvector, 0, bitlen);
+               BitRangeOperator<unwrapped_type> to_op(detail::unwrap(newvector_unwrapped), 0, bitlen);
                range_operation([](auto /* to */, auto from) { return from; }, to_op, from_op);
             }
 
-            newvector.zero_unused_bits();
+            newvector_unwrapped.zero_unused_bits();
          }
 
          return newvector;
@@ -646,24 +684,27 @@ class bitvector_base final {
          return newbv;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator|=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs | rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator|=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs | rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator&=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs & rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator&=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs & rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
-      template <template <typename> typename OtherAllocatorT>
-      auto& operator^=(const bitvector_base<OtherAllocatorT>& other) {
-         full_range_operation(
-            []<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs ^ rhs; }, *this, other);
+      template <bitvectorish OtherT>
+      auto& operator^=(const OtherT& other) {
+         full_range_operation([]<std::unsigned_integral BlockT>(BlockT lhs, BlockT rhs) -> BlockT { return lhs ^ rhs; },
+                              *this,
+                              detail::unwrap(other));
          return *this;
       }
 
@@ -682,8 +723,8 @@ class bitvector_base final {
        *
        * omitting runtime dependence on any of the parameters.
        */
-      template <template <typename> typename OtherAllocatorT>
-      void ct_conditional_xor(bool condition, const bitvector_base<OtherAllocatorT>& other) {
+      template <bitvectorish OtherT>
+      void ct_conditional_xor(bool condition, const OtherT& other) {
          BOTAN_ASSERT_NOMSG(m_bits == other.m_bits);
          BOTAN_ASSERT_NOMSG(m_blocks.size() == other.m_blocks.size());
 
@@ -702,7 +743,7 @@ class bitvector_base final {
             },
          };
 
-         full_range_operation(maybe_xor, *this, other);
+         full_range_operation(maybe_xor, *this, detail::unwrap(other));
       }
 
       /// @}
@@ -761,6 +802,7 @@ class bitvector_base final {
        * compile time (with the template parameter `alignment`).
        */
       template <typename BitvectorT, auto alignment = BitRangeAlignment::byte_aligned>
+         requires is_bitvector_v<std::remove_cvref_t<BitvectorT>>
       class BitRangeOperator {
          private:
             constexpr static bool is_const() { return std::is_const_v<BitvectorT>; }
@@ -1062,7 +1104,8 @@ class bitvector_base final {
        * Apply @p fn to all bit blocks in the bitvector(s).
        */
       template <typename FnT, typename... BitvectorTs>
-         requires(detail::blockwise_processing_callback<FnT, BitvectorTs...>)
+         requires(detail::blockwise_processing_callback<FnT, BitvectorTs...> &&
+                  (is_bitvector_v<std::remove_cvref_t<BitvectorTs>> && ... && true))
       static bool full_range_operation(FnT&& fn, BitvectorTs&... bitvecs) {
          BOTAN_ASSERT(has_equal_lengths(bitvecs...), "all bitvectors have the same length");
          return range_operation(std::forward<FnT>(fn), BitRangeOperator<BitvectorTs>(bitvecs)...);
@@ -1103,11 +1146,12 @@ namespace detail {
  * If one of the allocators is a Botan::secure_allocator, this will always
  * prefer it. Otherwise, the allocator of @p lhs will be used as a default.
  */
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
-                                        const bitvector_base<AllocatorT2>& rhs) {
-   constexpr bool needs_secure_allocator = std::remove_cvref_t<decltype(lhs)>::uses_secure_allocator ||
-                                           std::remove_cvref_t<decltype(rhs)>::uses_secure_allocator;
+template <bitvectorish T1, bitvectorish T2>
+constexpr auto copy_lhs_allocator_aware(const T1& lhs, const T2& rhs) {
+   const auto& lhs_unwrapped = detail::unwrap(lhs);
+   const auto& rhs_unwrapped = detail::unwrap(rhs);
+   constexpr bool needs_secure_allocator = std::remove_cvref_t<decltype(lhs_unwrapped)>::uses_secure_allocator ||
+                                           std::remove_cvref_t<decltype(rhs_unwrapped)>::uses_secure_allocator;
 
    if constexpr(needs_secure_allocator) {
       return lhs.template as<secure_bitvector>();
@@ -1118,37 +1162,113 @@ constexpr auto copy_lhs_allocator_aware(const bitvector_base<AllocatorT1>& lhs,
 
 }  // namespace detail
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator|(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator|(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res |= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator&(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator&(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res &= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-auto operator^(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+auto operator^(const T1& lhs, const T2& rhs) {
    auto res = detail::copy_lhs_allocator_aware(lhs, rhs);
    res ^= rhs;
    return res;
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-bool operator==(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+bool operator==(const T1& lhs, const T2& rhs) {
    return lhs.equals(rhs);
 }
 
-template <template <typename> typename AllocatorT1, template <typename> typename AllocatorT2>
-bool operator!=(const bitvector_base<AllocatorT1>& lhs, const bitvector_base<AllocatorT2>& rhs) {
+template <bitvectorish T1, bitvectorish T2>
+bool operator!=(const T1& lhs, const T2& rhs) {
    return lhs.equals(rhs);
 }
 
+namespace detail {
+
+/**
+ * A Strong<> adapter for arbitrarily large bitvectors
+ */
+template <concepts::container T>
+   requires is_bitvector_v<T>
+class Strong_Adapter<T> : public Container_Strong_Adapter_Base<T> {
+   public:
+      using size_type = typename T::size_type;
+
+   public:
+      using Container_Strong_Adapter_Base<T>::Container_Strong_Adapter_Base;
+
+      auto at(size_type i) const { return this->get().at(i); }
+
+      auto at(size_type i) { return this->get().at(i); }
+
+      auto set(size_type i) { return this->get().set(i); }
+
+      auto unset(size_type i) { return this->get().unset(i); }
+
+      auto flip(size_type i) { return this->get().flip(i); }
+
+      auto flip() { return this->get().flip(); }
+
+      template <typename OutT>
+      auto as() const {
+         return this->get().template as<OutT>();
+      }
+
+      template <typename OutT = T>
+      auto subvector(size_type pos, std::optional<size_type> length = std::nullopt) const {
+         return this->get().template subvector<OutT>(pos, length);
+      }
+
+      auto push_back(bool b) { return this->get().push_back(b); }
+
+      auto pop_back() { return this->get().pop_back(); }
+
+      auto front() const { return this->get().front(); }
+
+      auto front() { return this->get().front(); }
+
+      auto back() const { return this->get().back(); }
+
+      auto back() { return this->get().back(); }
+
+      auto any() const { return this->get().any(); }
+
+      auto all() const { return this->get().all(); }
+
+      auto none() const { return this->get().none(); }
+
+      auto has_odd_hamming_weight() const { return this->get().has_odd_hamming_weight(); }
+
+      auto from_bytes(std::span<const uint8_t> bytes, std::optional<size_type> bits = std::nullopt) {
+         return this->get().from_bytes(bytes, bits);
+      }
+
+      template <typename OutT = T>
+      auto to_bytes() const {
+         return this->get().template to_bytes<OutT>();
+      }
+
+      auto to_bytes(std::span<uint8_t> out) const { return this->get().to_bytes(out); }
+
+      auto to_string() const { return this->get().to_string(); }
+
+      auto capacity() const { return this->get().capacity(); }
+
+      auto reserve(size_type n) { return this->get().reserve(n); }
+};
+
+}  // namespace detail
+
 }  // namespace Botan
 
 #endif
diff --git a/src/tests/test_utils_bitvector.cpp b/src/tests/test_utils_bitvector.cpp
index 8199a01bd80..8dba40ac399 100644
--- a/src/tests/test_utils_bitvector.cpp
+++ b/src/tests/test_utils_bitvector.cpp
@@ -1,6 +1,6 @@
 /*
- * (C) 2023 Jack Lloyd
- * (C) 2023 René Meusel, Rohde & Schwarz Cybersecurity
+ * (C) 2023-2024 Jack Lloyd
+ * (C) 2023-2024 René Meusel, Rohde & Schwarz Cybersecurity
  *
  * Botan is released under the Simplified BSD License (see license.txt)
  */
@@ -910,6 +910,62 @@ std::vector<Test::Result> test_bitvector_iterators() {
    };
 }
 
+using TestBitvector = Botan::Strong<Botan::bitvector, struct TestBitvector_>;
+using TestSecureBitvector = Botan::Strong<Botan::secure_bitvector, struct TestBitvector_>;
+
+Test::Result test_bitvector_strongtype_adapter() {
+   Test::Result result("Bitvector in strong type");
+
+   TestBitvector bv1(10);
+
+   result.confirm("bv1 is not empty", !bv1.empty());
+   result.test_eq("bv1 has size 10", bv1.size(), size_t(10));
+
+   bv1[0] = true;
+   bv1.at(1) = true;
+   bv1.set(2);
+   bv1.unset(3);
+   bv1.flip(4);
+   bv1.push_back(true);
+   bv1.push_back(false);
+   bv1.pop_back();
+
+   result.confirm("bv1 front is set", bv1.front());
+   result.confirm("bv1 back is set", bv1.back());
+   result.confirm("bv1 has some one bits", bv1.any());
+   result.confirm("bv1 is not all zero", !bv1.none());
+   result.confirm("bv1 is not all one", !bv1.all());
+
+   result.test_eq("hamming weight of bv1", bv1.has_odd_hamming_weight(), true);
+
+   for(size_t i = 0; auto bit : bv1) {
+      const bool expected = (i == 0 || i == 1 || i == 2 || i == 4 || i == 10);
+      result.confirm(Botan::fmt("bv1 bit {} is set", i), bit == expected);
+      ++i;
+   }
+
+   bv1.flip();
+
+   for(size_t i = 0; auto bit : bv1) {
+      const bool expected = (i == 0 || i == 1 || i == 2 || i == 4 || i == 10);
+      result.confirm(Botan::fmt("bv1 bit {} is set", i), bit != expected);
+      ++i;
+   }
+
+   auto bv2 = bv1.as<TestSecureBitvector>();
+
+   auto bv3 = bv1 | bv2;
+   result.confirm("bv3 is a secure_bitvector", std::same_as<Botan::secure_bitvector, decltype(bv3)>);
+
+   auto bv4 = bv2.subvector<TestSecureBitvector>(0, 5);
+   result.confirm("bv4 is a TestSecureBitvector", std::same_as<TestSecureBitvector, decltype(bv4)>);
+
+   const auto str = bv4.to_string();
+   result.test_eq("bv4 to_string", str, "00010");
+
+   return result;
+}
+
 }  // namespace
 
 BOTAN_REGISTER_TEST_FN("utils",
@@ -922,6 +978,7 @@ BOTAN_REGISTER_TEST_FN("utils",
                        test_bitvector_serialization,
                        test_bitvector_constant_time_operations,
                        test_bitvector_conditional_xor_workload,
-                       test_bitvector_iterators);
+                       test_bitvector_iterators,
+                       test_bitvector_strongtype_adapter);
 
 }  // namespace Botan_Tests

From 4980868cbf1c5ff7c73b782c973bbb23d323c5a8 Mon Sep 17 00:00:00 2001
From: Amos Treiber <amos.treiber@rohde-schwarz.com>
Date: Tue, 23 Jan 2024 14:56:47 +0100
Subject: [PATCH 08/27] more strong types

---
 .../pubkey/classic_mceliece/cmce_decaps.cpp   | 14 +++----
 src/lib/pubkey/classic_mceliece/cmce_decaps.h |  3 +-
 .../pubkey/classic_mceliece/cmce_encaps.cpp   | 16 ++++----
 src/lib/pubkey/classic_mceliece/cmce_encaps.h |  9 ++--
 .../pubkey/classic_mceliece/cmce_matrix.cpp   | 41 ++++++++++---------
 src/lib/pubkey/classic_mceliece/cmce_matrix.h |  3 +-
 src/lib/pubkey/classic_mceliece/cmce_types.h  |  6 +++
 src/lib/utils/strong_type.h                   |  4 ++
 8 files changed, 55 insertions(+), 41 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 08230b9282c..761089a0ce4 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -88,7 +88,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(const C
    return Classic_McEliece_Polynomial(big_c);
 }
 
-std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decode(bitvector big_c) {
+std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Code_Word big_c) {
    BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
    big_c.resize(m_key->params().n());
 
@@ -102,7 +102,7 @@ std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decod
       alphas.begin(), alphas.end(), std::back_inserter(images), [&](const auto& alpha) { return locator(alpha); });
 
    // Obtain e and check whether wt(e) = t. locator(alpha_i) = 0 <=> error at position i
-   secure_bitvector e;
+   Error_Vector e;
    size_t hamming_weight_e = 0;
    auto decode_success = CT::Mask<uint8_t>::set();  // Avoid bool to avoid possible compiler optimizations
    for(const auto& image : images) {
@@ -113,7 +113,7 @@ std::pair<CT::Mask<uint8_t>, secure_bitvector> Classic_McEliece_Decryptor::decod
    decode_success &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(hamming_weight_e, m_key->params().t()));
 
    // Check the error vector by checking H'C = H'e <=> H'(C + e) = 0; see guide for implementors Sec. 6.3
-   auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e);
+   auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e.get());
    auto syndromes_are_eq = GF_Mask::set();
    for(size_t i = 0; i < syndrome.degree() - 1; ++i) {
       syndromes_are_eq &= GF_Mask::is_equal(syndrome.coef_at(i), syndrome_from_e.coef_at(i));
@@ -129,22 +129,22 @@ void Classic_McEliece_Decryptor::raw_kem_decrypt(std::span<uint8_t> out_shared_k
    BOTAN_ARG_CHECK(out_shared_key.size() == m_key->params().hash_out_bytes(), "Invalid shared key output size");
    BOTAN_ARG_CHECK(encapsulated_key.size() == m_key->params().ciphertext_size(), "Invalid ciphertext size");
 
-   auto [ct, c1] = [&]() -> std::pair<bitvector, std::span<const uint8_t>> {
+   auto [ct, c1] = [&]() -> std::pair<Code_Word, std::span<const uint8_t>> {
       if(m_key->params().is_pc()) {
          BufferSlicer encaps_key_slicer(encapsulated_key);
          auto c0_ret = encaps_key_slicer.take(m_key->params().encode_out_size());
          auto c1_ret = encaps_key_slicer.take(m_key->params().hash_out_bytes());
          BOTAN_ASSERT_NOMSG(encaps_key_slicer.empty());
-         return {bitvector(c0_ret, m_key->params().m() * m_key->params().t()), c1_ret};
+         return {Code_Word(secure_bitvector(c0_ret, m_key->params().m() * m_key->params().t())), c1_ret};
       } else {
-         return {bitvector(encapsulated_key, m_key->params().m() * m_key->params().t()), {}};
+         return {Code_Word(secure_bitvector(encapsulated_key, m_key->params().m() * m_key->params().t())), {}};
       }
    }();
 
    auto [decode_success_mask, maybe_e] = decode(ct);
 
    secure_vector<uint8_t> e_bytes(m_key->s().size());
-   decode_success_mask.select_n(e_bytes.data(), maybe_e.to_bytes().data(), m_key->s().data(), m_key->s().size());
+   decode_success_mask.select_n(e_bytes.data(), maybe_e.get().to_bytes().data(), m_key->s().data(), m_key->s().size());
    uint8_t b = decode_success_mask.select(1, 0);
 
    auto hash_func = m_key->params().hash_func();
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.h b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
index 24eeab67689..1babd267984 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
@@ -15,6 +15,7 @@
 #include <botan/internal/cmce_field_ordering.h>
 #include <botan/internal/cmce_keys_internal.h>
 #include <botan/internal/cmce_matrix.h>
+#include <botan/internal/cmce_types.h>
 #include <botan/internal/pk_ops.h>
 #include <botan/internal/pk_ops_impl.h>
 
@@ -74,7 +75,7 @@ class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decry
        * @param big_c The code word.
        * @return A pair containing the decoded message and the error pattern.
        */
-      std::pair<CT::Mask<uint8_t>, secure_bitvector> decode(bitvector big_c);
+      std::pair<CT::Mask<uint8_t>, Error_Vector> decode(Code_Word big_c);
 
       std::shared_ptr<Classic_McEliece_PrivateKeyInternal> m_key;
 };
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
index 2734453f385..e32731e27e0 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
@@ -15,13 +15,13 @@
 
 namespace Botan {
 
-bitvector Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
-                                             const secure_bitvector& e,
+Code_Word Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
+                                             const Error_Vector& e,
                                              const Classic_McEliece_Matrix& mat) {
    return mat.mul(params, e);
 }
 
-std::optional<secure_bitvector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
+std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
    const Classic_McEliece_Parameters& params, const secure_vector<uint8_t>& rand) {
    BOTAN_ASSERT_NOMSG(rand.size() == params.tau() * (params.sigma1() / 8));
    uint16_t mask_m = (uint32_t(1) << params.m()) - 1;  // Only take m least significant bits
@@ -74,7 +74,7 @@ std::optional<secure_bitvector> Classic_McEliece_Encryptor::fixed_weight_vector_
       }
    }
 
-   return secure_bitvector(e_bytes, params.n());
+   return Error_Vector(secure_bitvector(e_bytes, params.n()));
 }
 
 void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
@@ -88,7 +88,7 @@ void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsul
 
    // Call fixed_weight until it is successful to
    // create a random error vector e of weight tau
-   secure_bitvector e = [&] {
+   Error_Vector e = [&] {
       // Emergency abort in case unexpected logical error to prevent endless loops
       //   Success probability: >24% per attempt (25% that elements are distinct * 96% enough elements are in range)
       //   => 203 attempts for 2^(-80) fail probability
@@ -101,19 +101,19 @@ void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsul
       throw Internal_Error("Cannot created fixed weight vector.");
    }();
 
-   auto big_c = encode(params, e, m_key->matrix()).to_bytes();
+   auto big_c = encode(params, e, m_key->matrix()).get().to_bytes();
    auto hash_func = params.hash_func();
 
    if(params.is_pc()) {
       hash_func->update(2);
-      hash_func->update(e.to_bytes());
+      hash_func->update(e.get().to_bytes());
       auto big_c_1 = hash_func->final_stdvec();
       big_c = Botan::concat(big_c, big_c_1);
       hash_func->clear();
    }
 
    hash_func->update(1);
-   hash_func->update(e.to_bytes());
+   hash_func->update(e.get().to_bytes());
    hash_func->update(big_c);
 
    auto big_k = hash_func->final<secure_vector<uint8_t>>();
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.h b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
index 9320a14cea5..f26c8277ffa 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
@@ -16,6 +16,7 @@
 #include <botan/internal/cmce_matrix.h>
 #include <botan/internal/cmce_parameters.h>
 #include <botan/internal/cmce_poly.h>
+#include <botan/internal/cmce_types.h>
 #include <botan/internal/pk_ops.h>
 #include <botan/internal/pk_ops_impl.h>
 
@@ -43,15 +44,15 @@ class BOTAN_TEST_API Classic_McEliece_Encryptor final : public PK_Ops::KEM_Encry
       /**
        * @brief Encodes an error vector by multiplying it with the Classic McEliece matrix.
        */
-      bitvector encode(const Classic_McEliece_Parameters& params,
-                       const secure_bitvector& e,
+      Code_Word encode(const Classic_McEliece_Parameters& params,
+                       const Error_Vector& e,
                        const Classic_McEliece_Matrix& mat);
 
       /**
       * @brief Fixed-weight-vector generation algorithm according to ISO McEliece.
       */
-      std::optional<secure_bitvector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
-                                                              const secure_vector<uint8_t>& rand);
+      std::optional<Error_Vector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
+                                                          const secure_vector<uint8_t>& rand);
 };
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index eea7185f77d..75cf15ddcef 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -12,14 +12,18 @@
 
 #include <botan/internal/cmce_matrix.h>
 
+#include <botan/strong_type.h>
+
+namespace Botan {
+
 namespace {
-using word_t = uint64_t;
 
-}  // Anonymous namespace
+// Strong types for matrix used internally by Classic_McEliece_Matrix
+using MatrixRow = Strong<secure_bitvector, struct MatrixRow_>;
+using Matrix = Strong<std::vector<MatrixRow>, struct Matrix_>;
 
-namespace Botan {
+}  // Anonymous namespace
 
-//TODO Renéquest: This file could use MatrixRow and Matrix strong types that implement .at() etc.
 namespace {
 size_t count_lsb_zeros(secure_bitvector n) {
    size_t res = 0;
@@ -33,16 +37,16 @@ size_t count_lsb_zeros(secure_bitvector n) {
    return res;
 }
 
-std::vector<secure_bitvector> init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
-                                                      const Classic_McEliece_Field_Ordering& field_ordering,
-                                                      const Classic_McEliece_Minimal_Polynomial& g) {
+Matrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
+                               const Classic_McEliece_Field_Ordering& field_ordering,
+                               const Classic_McEliece_Minimal_Polynomial& g) {
    auto alphas = field_ordering.alphas(params.n());
    std::vector<Classic_McEliece_GF> inv_g_of_alpha;
    inv_g_of_alpha.reserve(params.n());
    for(const auto& alpha : alphas) {
       inv_g_of_alpha.push_back(g(alpha).inv());
    }
-   std::vector<secure_bitvector> mat(params.pk_no_rows(), secure_bitvector(params.n()));
+   Matrix mat(std::vector<MatrixRow>(params.pk_no_rows(), MatrixRow(params.n())));
 
    for(size_t i = 0; i < params.t(); ++i) {
       for(size_t j = 0; j < params.n(); ++j) {
@@ -60,8 +64,7 @@ std::vector<secure_bitvector> init_matrix_with_alphas(const Classic_McEliece_Par
    return mat;
 }
 
-std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
-                                             const Classic_McEliece_Parameters& params) {
+std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece_Parameters& params) {
    static_assert(Classic_McEliece_Parameters::nu() == 64,
                  "nu needs to be 64");  // Since we use uint64_t to represent rows in the mu x nu sub-matrix
    // A 32x64 sub-matrix of mat containing the elements mat[m*t-32][m*t-32] at the top left
@@ -140,8 +143,7 @@ std::optional<Column_Selection> move_columns(std::vector<secure_bitvector>& mat,
    return pivots;
 }
 
-std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& params,
-                                            std::vector<secure_bitvector>& mat) {
+std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& params, Matrix& mat) {
    // Initialized for systematic form instances
    // Is overridden for semi systematic instances
    auto pivots = Column_Selection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
@@ -157,12 +159,12 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
          }
       }
 
-      // Iterates over all rows k under r. If the bit at column
-      // word_bits*i+j differs between row r and k, row k is added to row r.
+      // Iterates over all rows next_row under row diag_pos. If the bit at column
+      // diag_pos differs between row diag_pos and row next_row, row next_row is added to row diag_pos.
       // This achieves that the respective bit at the diagonal becomes 1
       // (if mat is systematic)
       for(size_t next_row = diag_pos + 1; next_row < params.pk_no_rows(); ++next_row) {
-         mat.at(diag_pos).ct_conditional_xor(!mat.at(diag_pos).at(diag_pos), mat.at(next_row));
+         mat.at(diag_pos).get().ct_conditional_xor(!mat.at(diag_pos).at(diag_pos), mat.at(next_row).get());
       }
 
       // If the current bit on the diagonal is not set at this point
@@ -176,7 +178,7 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
       // is still one
       for(size_t row = 0; row < params.pk_no_rows(); ++row) {
          if(row != diag_pos) {
-            mat.at(row).ct_conditional_xor(mat.at(row).at(diag_pos), mat.at(diag_pos));
+            mat.at(row).get().ct_conditional_xor(mat.at(row).at(diag_pos), mat.at(diag_pos).get());
          }
       }
    }
@@ -184,8 +186,7 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
    return pivots;
 }
 
-std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params,
-                                                  const std::vector<secure_bitvector>& mat) {
+std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params, const Matrix& mat) {
    // Store T of the matrix (I_mt|T) as a linear vector to represent the
    // public key as defined in McEliece ISO 9.2.7
    std::vector<uint8_t> big_t(params.pk_size_bytes());
@@ -239,7 +240,7 @@ Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_P
    return pk_matrix_and_pivots;
 }
 
-bitvector Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const secure_bitvector& e) const {
+Code_Word Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const {
    auto s = e.subvector(0, params.pk_no_rows());
    auto e_T = e.subvector(params.pk_no_rows());
    auto pk_slicer = BufferSlicer(m_mat_bytes);
@@ -252,6 +253,6 @@ bitvector Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params
    }
 
    BOTAN_ASSERT_NOMSG(pk_slicer.empty());
-   return s.as<bitvector>();
+   return s.as<Code_Word>();
 }
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.h b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
index efa15ad9915..5a4fd11c3d1 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
@@ -14,6 +14,7 @@
 #include <botan/internal/cmce_field_ordering.h>
 #include <botan/internal/cmce_parameters.h>
 #include <botan/internal/cmce_poly.h>
+#include <botan/internal/cmce_types.h>
 
 namespace Botan {
 
@@ -101,7 +102,7 @@ class BOTAN_TEST_API Classic_McEliece_Matrix {
        * @param e The bitvector e
        * @return H*e
        */
-      bitvector mul(const Classic_McEliece_Parameters& params, const secure_bitvector& e) const;
+      Code_Word mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const;
 
    private:
       /// The bytes of the submatrix T
diff --git a/src/lib/pubkey/classic_mceliece/cmce_types.h b/src/lib/pubkey/classic_mceliece/cmce_types.h
index 6813a20f2c2..67f1409deab 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_types.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_types.h
@@ -39,5 +39,11 @@ using Column_Selection = Strong<secure_bitvector, struct Column_Selection_>;
 /// Represents s of private key
 using Rejection_Seed = Strong<secure_vector<uint8_t>, struct Rejection_Seed_>;
 
+/// Represents e of encapsulation
+using Error_Vector = Strong<secure_bitvector, struct Error_Vector_>;
+
+/// Represents C of decapsulation
+using Code_Word = Strong<secure_bitvector, struct Code_Word_>;
+
 }  // namespace Botan
 #endif  // BOTAN_CMCE_TYPES_H_
diff --git a/src/lib/utils/strong_type.h b/src/lib/utils/strong_type.h
index b235677d262..c401e38fc99 100644
--- a/src/lib/utils/strong_type.h
+++ b/src/lib/utils/strong_type.h
@@ -118,6 +118,10 @@ class Container_Strong_Adapter_Base : public Strong_Base<T> {
       }
 
       decltype(auto) operator[](size_type i) noexcept(noexcept(this->get().operator[](i))) { return this->get()[i]; }
+
+      decltype(auto) at(size_type i) const { return this->get().at(i); }
+
+      decltype(auto) at(size_type i) { return this->get().at(i); }
 };
 
 template <concepts::container T>

From 202d5aacc374a3959f228b7aeaf6a2e6a2c66169 Mon Sep 17 00:00:00 2001
From: Amos Treiber <amos.treiber@rohde-schwarz.com>
Date: Thu, 25 Jan 2024 12:16:10 +0100
Subject: [PATCH 09/27] remove .at() for matrix strong type

---
 .../pubkey/classic_mceliece/cmce_matrix.cpp   | 20 +++++++++++--------
 src/lib/utils/strong_type.h                   |  4 ----
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index 75cf15ddcef..91e27deb183 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -65,6 +65,8 @@ Matrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
 }
 
 std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece_Parameters& params) {
+   BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
+   BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
    static_assert(Classic_McEliece_Parameters::nu() == 64,
                  "nu needs to be 64");  // Since we use uint64_t to represent rows in the mu x nu sub-matrix
    // A 32x64 sub-matrix of mat containing the elements mat[m*t-32][m*t-32] at the top left
@@ -74,7 +76,7 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
 
    // Extract the bottom mu x nu matrix at offset row_offset
    for(size_t i = 0; i < 32; i++) {
-      sub_mat.at(i) = mat.at(pos_offset + i).subvector(pos_offset, Classic_McEliece_Parameters::nu());
+      sub_mat.at(i) = mat[pos_offset + i].subvector(pos_offset, Classic_McEliece_Parameters::nu());
    }
 
    std::array<size_t, Classic_McEliece_Parameters::mu()> pivot_indices = {0};  // ctz_list
@@ -134,9 +136,9 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
          // Swap bit j with bit pivot_indices[j]
          size_t col_j = pos_offset + j;
          size_t col_pivot_j = pos_offset + pivot_indices.at(j);
-         auto sum = mat.at(mat_row).at(col_j) ^ mat.at(mat_row).at(col_pivot_j);
-         mat.at(mat_row).at(col_j) = mat.at(mat_row).at(col_j) ^ sum;
-         mat.at(mat_row).at(col_pivot_j) = mat.at(mat_row).at(col_pivot_j) ^ sum;
+         auto sum = mat[mat_row][col_j] ^ mat[mat_row][col_pivot_j];
+         mat[mat_row][col_j] = mat[mat_row][col_j] ^ sum;
+         mat[mat_row][col_pivot_j] = mat[mat_row][col_pivot_j] ^ sum;
       }
    }
 
@@ -144,6 +146,8 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
 }
 
 std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& params, Matrix& mat) {
+   BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
+   BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
    // Initialized for systematic form instances
    // Is overridden for semi systematic instances
    auto pivots = Column_Selection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
@@ -164,12 +168,12 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
       // This achieves that the respective bit at the diagonal becomes 1
       // (if mat is systematic)
       for(size_t next_row = diag_pos + 1; next_row < params.pk_no_rows(); ++next_row) {
-         mat.at(diag_pos).get().ct_conditional_xor(!mat.at(diag_pos).at(diag_pos), mat.at(next_row).get());
+         mat[diag_pos].get().ct_conditional_xor(!mat[diag_pos].at(diag_pos), mat[next_row].get());
       }
 
       // If the current bit on the diagonal is not set at this point
       // the matrix is not systematic. We abort the computation in this case.
-      if(!mat.at(diag_pos).at(diag_pos)) {
+      if(!mat[diag_pos].at(diag_pos)) {
          return std::nullopt;
       }
 
@@ -178,7 +182,7 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
       // is still one
       for(size_t row = 0; row < params.pk_no_rows(); ++row) {
          if(row != diag_pos) {
-            mat.at(row).get().ct_conditional_xor(mat.at(row).at(diag_pos), mat.at(diag_pos).get());
+            mat[row].get().ct_conditional_xor(mat[row].at(diag_pos), mat[diag_pos].get());
          }
       }
    }
@@ -193,7 +197,7 @@ std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Paramet
    auto big_t_stuffer = BufferStuffer(big_t);
 
    for(size_t row = 0; row < params.pk_no_rows(); ++row) {
-      auto pk_row_bits = mat.at(row).subvector(params.pk_no_rows());
+      auto pk_row_bits = mat[row].subvector(params.pk_no_rows());
       auto row_bytes = pk_row_bits.to_bytes();
 
       big_t_stuffer.append(row_bytes);
diff --git a/src/lib/utils/strong_type.h b/src/lib/utils/strong_type.h
index c401e38fc99..b235677d262 100644
--- a/src/lib/utils/strong_type.h
+++ b/src/lib/utils/strong_type.h
@@ -118,10 +118,6 @@ class Container_Strong_Adapter_Base : public Strong_Base<T> {
       }
 
       decltype(auto) operator[](size_type i) noexcept(noexcept(this->get().operator[](i))) { return this->get()[i]; }
-
-      decltype(auto) at(size_type i) const { return this->get().at(i); }
-
-      decltype(auto) at(size_type i) { return this->get().at(i); }
 };
 
 template <concepts::container T>

From 7ead05f28b89916333a537df9befc06494aa4b00 Mon Sep 17 00:00:00 2001
From: Amos Treiber <amos.treiber@rohde-schwarz.com>
Date: Thu, 25 Jan 2024 12:31:49 +0100
Subject: [PATCH 10/27] update credits.rst

---
 doc/credits.rst | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/credits.rst b/doc/credits.rst
index 5592a41bca9..4a1f7f40580 100644
--- a/doc/credits.rst
+++ b/doc/credits.rst
@@ -175,5 +175,11 @@ snail-mail address (S), and Bitcoin address (B).
   N: Fabian Albert
   E: fabian.albert@rohde-schwarz.com
   W: https://www.rohde-schwarz.com/cybersecurity
-  D: SPHINCS+
+  D: SPHINCS+, HSS/LMS, Classic McEliece
   S: Bochum, Germany
+
+  N: Amos Treiber
+  E: amos.treiber@rohde-schwarz.com
+  W: https://www.rohde-schwarz.com/cybersecurity
+  D: SPHINCS+, FrodoKEM, Classic McEliece
+  S: Cologne, Germany

From 943bf525c6463e1fd205ee2946fdfb951e8d87df Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Thu, 25 Jan 2024 19:09:25 +0100
Subject: [PATCH 11/27] bitvector::ct_hamming_weight()

---
 src/lib/utils/bit_ops.h            | 34 ++++++++++++++++++++++
 src/lib/utils/bitvector.h          | 12 ++++++++
 src/tests/test_utils.cpp           | 46 ++++++++++++++++++++++++++++++
 src/tests/test_utils_bitvector.cpp | 32 +++++++++++++++++++++
 4 files changed, 124 insertions(+)

diff --git a/src/lib/utils/bit_ops.h b/src/lib/utils/bit_ops.h
index 53a60d663d2..d3de9856a83 100644
--- a/src/lib/utils/bit_ops.h
+++ b/src/lib/utils/bit_ops.h
@@ -204,6 +204,40 @@ inline constexpr T majority(T a, T b, T c) {
    return choose(a ^ b, c, b);
 }
 
+/**
+ * Calculates the number of 1-bits in an unsigned integer in constant-time.
+ * This operation is also known as "population count" or hamming weight.
+ *
+ * Modern compilers will recognize this pattern and replace it by a hardware
+ * instruction, if available. This is the SWAR (SIMD within a register)
+ * algorithm. See: https://nimrod.blog/posts/algorithms-behind-popcount/#swar-algorithm
+ *
+ * Note: C++20 provides std::popcount(), but there's no gurantee that this
+ *       is implemented in constant-time.
+ *
+ * @param x an unsigned integer
+ * @returns the number of 1-bits in the provided value
+ */
+template <std::unsigned_integral T>
+inline constexpr uint8_t ct_popcount(T x) {
+   constexpr size_t s = sizeof(T);
+   if constexpr(s < 4) {
+      return ct_popcount(static_cast<uint32_t>(x));
+   } else if constexpr(s == 4) {
+      x = x - ((x >> 1) & 0x55555555);
+      x = (x & 0x33333333) + ((x >> 2) & 0x33333333);
+      x = (x + (x >> 4)) & 0x0F0F0F0F;
+      return (x * 0x01010101) >> 24;
+   } else if constexpr(s == 8) {
+      x = x - ((x >> 1) & 0x5555555555555555);
+      x = (x & 0x3333333333333333) + ((x >> 2) & 0x3333333333333333);
+      x = (x + (x >> 4)) & 0xF0F0F0F0F0F0F0F;
+      return (x * 0x101010101010101) >> 56;
+   } else {
+      static_assert(!std::unsigned_integral<T>, "T is not a suitable unsigned integer value");
+   }
+}
+
 }  // namespace Botan
 
 #endif
diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index 5a6c6020ab5..d70c2f913f3 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -394,6 +394,16 @@ class bitvector_base final {
          return acc == 1;
       }
 
+      /**
+       * Counts the number of 1-bits in the bitvector.
+       * @returns the "population count" (or hamming weight) of the bitvector
+       */
+      size_type ct_hamming_weight() const {
+         size_type acc = 0;
+         full_range_operation([&](std::unsigned_integral auto block) { acc += ct_popcount(block); }, *this);
+         return acc;
+      }
+
       /**
        * @returns copies this bitvector into a new bitvector of type @p OutT
        */
@@ -1249,6 +1259,8 @@ class Strong_Adapter<T> : public Container_Strong_Adapter_Base<T> {
 
       auto has_odd_hamming_weight() const { return this->get().has_odd_hamming_weight(); }
 
+      auto ct_hamming_weight() const { return this->get().ct_hamming_weight(); }
+
       auto from_bytes(std::span<const uint8_t> bytes, std::optional<size_type> bits = std::nullopt) {
          return this->get().from_bytes(bytes, bits);
       }
diff --git a/src/tests/test_utils.cpp b/src/tests/test_utils.cpp
index 604bd782fb1..3ec253df6ec 100644
--- a/src/tests/test_utils.cpp
+++ b/src/tests/test_utils.cpp
@@ -17,6 +17,7 @@
 #include <botan/internal/loadstor.h>
 #include <botan/internal/parsing.h>
 #include <botan/internal/rounding.h>
+#include <bit>
 #include <ctime>
 #include <functional>
 
@@ -287,6 +288,7 @@ class BitOps_Tests final : public Test {
          results.push_back(test_power_of_2());
          results.push_back(test_ctz());
          results.push_back(test_sig_bytes());
+         results.push_back(test_popcount());
 
          return results;
       }
@@ -362,6 +364,50 @@ class BitOps_Tests final : public Test {
 
          return result;
       }
+
+      template <typename T>
+      auto pc(T val) -> decltype(Botan::ct_popcount(val)) {
+         return Botan::ct_popcount(val);
+      }
+
+      template <typename T>
+      auto random_pc(Test::Result& result) {
+         std::array<uint8_t, sizeof(T)> buf;
+         Test::rng().randomize(buf);
+         auto n = Botan::load_le<T>(buf);
+         result.test_is_eq<size_t>(Botan::fmt("popcount({}) == {}", n, std::popcount(n)), pc(n), std::popcount(n));
+      }
+
+      Test::Result test_popcount() {
+         Test::Result result("popcount");
+
+         result.test_is_eq<uint8_t>("popcount<uint8_t>(0)", pc<uint8_t>(0), 0);
+         result.test_is_eq<uint8_t>("popcount<uint16_t>(0)", pc<uint16_t>(0), 0);
+         result.test_is_eq<uint8_t>("popcount<uint32_t>(0)", pc<uint32_t>(0), 0);
+         result.test_is_eq<uint8_t>("popcount<uint64_t>(0)", pc<uint64_t>(0), 0);
+
+         result.test_is_eq<uint8_t>("popcount<uint8_t>(1)", pc<uint8_t>(1), 1);
+         result.test_is_eq<uint8_t>("popcount<uint16_t>(1)", pc<uint16_t>(1), 1);
+         result.test_is_eq<uint8_t>("popcount<uint32_t>(1)", pc<uint32_t>(1), 1);
+         result.test_is_eq<uint8_t>("popcount<uint64_t>(1)", pc<uint64_t>(1), 1);
+
+         result.test_is_eq<uint8_t>("popcount<uint8_t>(0xAA)", pc<uint8_t>(0xAA), 4);
+         result.test_is_eq<uint8_t>("popcount<uint16_t>(0xAAAA)", pc<uint16_t>(0xAAAA), 8);
+         result.test_is_eq<uint8_t>("popcount<uint32_t>(0xAAAA...)", pc<uint32_t>(0xAAAAAAAA), 16);
+         result.test_is_eq<uint8_t>("popcount<uint64_t>(0xAAAA...)", pc<uint64_t>(0xAAAAAAAAAAAAAAAA), 32);
+
+         result.test_is_eq<uint8_t>("popcount<uint8_t>(0xFF)", pc<uint8_t>(0xFF), 8);
+         result.test_is_eq<uint8_t>("popcount<uint16_t>(0xFFFF)", pc<uint16_t>(0xFFFF), 16);
+         result.test_is_eq<uint8_t>("popcount<uint32_t>(0xFFFF...)", pc<uint32_t>(0xFFFFFFFF), 32);
+         result.test_is_eq<uint8_t>("popcount<uint64_t>(0xFFFF...)", pc<uint64_t>(0xFFFFFFFFFFFFFFFF), 64);
+
+         random_pc<uint8_t>(result);
+         random_pc<uint16_t>(result);
+         random_pc<uint32_t>(result);
+         random_pc<uint64_t>(result);
+
+         return result;
+      }
 };
 
 BOTAN_REGISTER_TEST("utils", "bit_ops", BitOps_Tests);
diff --git a/src/tests/test_utils_bitvector.cpp b/src/tests/test_utils_bitvector.cpp
index 8dba40ac399..86c1a4dfc29 100644
--- a/src/tests/test_utils_bitvector.cpp
+++ b/src/tests/test_utils_bitvector.cpp
@@ -510,6 +510,38 @@ std::vector<Test::Result> test_bitvector_global_modifiers_and_predicates() {
                             result.confirm("odd hamming", Botan::bitvector(odd).has_odd_hamming_weight());
                             result.confirm("even hamming", !Botan::bitvector(evn).has_odd_hamming_weight());
                          }),
+
+      Botan_Tests::CHECK("hamming weight",
+                         [](auto& result) {
+                            auto naive_count = [](auto& v) {
+                               size_t weight = 0;
+                               for(const auto& bit : v) {
+                                  weight += bit.template as<size_t>();
+                               }
+                               return weight;
+                            };
+
+                            // the last three bits of this bitvector are set, then there's a gap
+                            auto bv = Botan::bitvector(Botan::hex_decode("FE3410CB0278E4D26602E0"));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), size_t(37));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), naive_count(bv));
+
+                            bv.pop_back();
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), size_t(36));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), naive_count(bv));
+
+                            bv.pop_back();
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), size_t(35));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), naive_count(bv));
+
+                            bv.pop_back();
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), size_t(34));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), naive_count(bv));
+
+                            bv.pop_back();
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), size_t(34));
+                            result.test_eq("hamming weight", bv.ct_hamming_weight(), naive_count(bv));
+                         }),
    };
 }
 

From 04e90afa2fdbcce19a5a5c5b876f3b16f312bf27 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Fri, 26 Jan 2024 08:45:54 +0100
Subject: [PATCH 12/27] FIX: comparison operators of bitvector iterator

---
 src/lib/utils/bitvector.h | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/lib/utils/bitvector.h b/src/lib/utils/bitvector.h
index d70c2f913f3..f4d22f8b5c6 100644
--- a/src/lib/utils/bitvector.h
+++ b/src/lib/utils/bitvector.h
@@ -194,7 +194,17 @@ class bitvector_iterator {
          return copy;
       }
 
-      auto operator<=>(const bitvector_iterator& other) const noexcept = default;
+      std::partial_ordering operator<=>(const bitvector_iterator& other) const noexcept {
+         if(m_bitvector == other.m_bitvector) {
+            return m_offset <=> other.m_offset;
+         } else {
+            return std::partial_ordering::unordered;
+         }
+      }
+
+      bool operator==(const bitvector_iterator& other) const noexcept {
+         return m_bitvector == other.m_bitvector && m_offset == other.m_offset;
+      }
 
       reference operator*() const { return *m_bitref; }
 

From 2e9382f1ee5609e486d576bcce5e0c1742253eb9 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Fri, 26 Jan 2024 09:07:50 +0100
Subject: [PATCH 13/27] use bitvector::ct_hamming_weight()

---
 src/lib/pubkey/classic_mceliece/cmce.cpp        | 7 +------
 src/lib/pubkey/classic_mceliece/cmce_decaps.cpp | 7 ++-----
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 1bce87b07e8..8dced139fdc 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -131,12 +131,7 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
       CT::Mask<size_t>::expand(CT::is_equal<uint8_t>(s.data(), m_private->s().data(), m_private->params().n() / 8));
 
    // Checking weight of c
-   size_t c_hamming_weight = 0;
-   for(size_t i = 0; i < m_private->c().size(); ++i) {
-      c_hamming_weight += CT::Mask<size_t>::expand(m_private->c()[i].as<size_t>()).if_set_return(1);
-   }
-
-   ret &= CT::Mask<size_t>::is_equal(c_hamming_weight, 32);
+   ret &= CT::Mask<size_t>::is_equal(m_private->c().ct_hamming_weight(), 32);
 
    auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_seed);
    if(g) {
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 761089a0ce4..88dcbe81ef2 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -103,14 +103,11 @@ std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Co
 
    // Obtain e and check whether wt(e) = t. locator(alpha_i) = 0 <=> error at position i
    Error_Vector e;
-   size_t hamming_weight_e = 0;
    auto decode_success = CT::Mask<uint8_t>::set();  // Avoid bool to avoid possible compiler optimizations
    for(const auto& image : images) {
-      auto is_zero_mask = GF_Mask::is_zero(image);
-      e.push_back(is_zero_mask.as_bool());
-      hamming_weight_e += is_zero_mask.elem_mask().if_set_return(1);
+      e.push_back(GF_Mask::is_zero(image).as_bool());
    }
-   decode_success &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(hamming_weight_e, m_key->params().t()));
+   decode_success &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(e.ct_hamming_weight(), m_key->params().t()));
 
    // Check the error vector by checking H'C = H'e <=> H'(C + e) = 0; see guide for implementors Sec. 6.3
    auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e.get());

From 4d177c71255e8f046fe4e76c51ef433a7105238f Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Fri, 26 Jan 2024 09:36:44 +0100
Subject: [PATCH 14/27] add Strong<container>::at()

---
 src/lib/utils/concepts.h       | 13 +++++++++++++
 src/lib/utils/strong_type.h    | 12 ++++++++++++
 src/tests/test_strong_type.cpp | 16 ++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/src/lib/utils/concepts.h b/src/lib/utils/concepts.h
index dbf5391aa34..59a0c983346 100644
--- a/src/lib/utils/concepts.h
+++ b/src/lib/utils/concepts.h
@@ -190,6 +190,19 @@ concept has_empty = requires(T a) {
                        { a.empty() } -> std::same_as<bool>;
                     };
 
+// clang-format off
+template <typename T>
+concept has_bounds_checked_accessors = container<T> && (
+                                          requires(T a, const T ac, typename T::size_type s) {
+                                             { a.at(s) } -> std::same_as<typename T::value_type&>;
+                                             { ac.at(s) } -> std::same_as<const typename T::value_type&>;
+                                          } ||
+                                          requires(T a, const T ac, typename T::key_type k) {
+                                             { a.at(k) } -> std::same_as<typename T::mapped_type&>;
+                                             { ac.at(k) } -> std::same_as<const typename T::mapped_type&>;
+                                          });
+// clang-format on
+
 template <typename T>
 concept resizable_container = container<T> && requires(T& c, typename T::size_type s) {
                                                  T(s);
diff --git a/src/lib/utils/strong_type.h b/src/lib/utils/strong_type.h
index b235677d262..8c2fb0865f3 100644
--- a/src/lib/utils/strong_type.h
+++ b/src/lib/utils/strong_type.h
@@ -118,6 +118,18 @@ class Container_Strong_Adapter_Base : public Strong_Base<T> {
       }
 
       decltype(auto) operator[](size_type i) noexcept(noexcept(this->get().operator[](i))) { return this->get()[i]; }
+
+      decltype(auto) at(size_type i) const noexcept(noexcept(this->get().at(i)))
+         requires(concepts::has_bounds_checked_accessors<T>)
+      {
+         return this->get().at(i);
+      }
+
+      decltype(auto) at(size_type i) noexcept(noexcept(this->get().at(i)))
+         requires(concepts::has_bounds_checked_accessors<T>)
+      {
+         return this->get().at(i);
+      }
 };
 
 template <concepts::container T>
diff --git a/src/tests/test_strong_type.cpp b/src/tests/test_strong_type.cpp
index 91e8277bc03..754522485b0 100644
--- a/src/tests/test_strong_type.cpp
+++ b/src/tests/test_strong_type.cpp
@@ -192,6 +192,22 @@ std::vector<Test::Result> test_container_strong_type() {
             result.test_eq(
                "generated expected fixed output", std::vector(tfa.begin(), tfa.end()), Botan::hex_decode("baadf00d"));
          }),
+
+      Botan_Tests::CHECK("bounds-checked accessors are exposed opportunistically",
+                         [](Test::Result& result) {
+                            using Test_Array = Botan::Strong<std::array<uint8_t, 4>, struct Test_Array_>;
+                            using Test_Map = Botan::Strong<std::map<int, std::string>, struct Test_Map_>;
+                            using Test_Vector = Botan::Strong<std::vector<uint8_t>, struct Test_Vector_>;
+
+                            Test_Array a({1, 2, 3, 4});
+                            result.test_is_eq<uint8_t>("at() returns 3", a.at(2), 3);
+
+                            Test_Map m({{1, "one"}, {2, "two"}, {3, "three"}});
+                            result.test_is_eq<std::string>("at() returns 'two'", m.at(2), "two");
+
+                            Test_Vector v({1, 2, 3, 4});
+                            result.test_is_eq<uint8_t>("at() returns 2", v.at(1), 2);
+                         }),
    };
 }
 

From 3022fe513c1db5d199613bfd5f57519ca2433937 Mon Sep 17 00:00:00 2001
From: Rene Meusel <rene.meusel@rohde-schwarz.com>
Date: Fri, 26 Jan 2024 09:53:03 +0100
Subject: [PATCH 15/27] FIX: accessor param was too narrow-minded

---
 src/lib/utils/strong_type.h    | 20 +++++++++++++-------
 src/tests/test_strong_type.cpp | 19 +++++++++++++++++++
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/src/lib/utils/strong_type.h b/src/lib/utils/strong_type.h
index 8c2fb0865f3..e311d141354 100644
--- a/src/lib/utils/strong_type.h
+++ b/src/lib/utils/strong_type.h
@@ -113,22 +113,28 @@ class Container_Strong_Adapter_Base : public Strong_Base<T> {
          this->get().resize(size);
       }
 
-      decltype(auto) operator[](size_type i) const noexcept(noexcept(this->get().operator[](i))) {
-         return this->get()[i];
+      template <typename U>
+      decltype(auto) operator[](U&& i) const noexcept(noexcept(this->get().operator[](i))) {
+         return this->get()[std::forward<U>(i)];
       }
 
-      decltype(auto) operator[](size_type i) noexcept(noexcept(this->get().operator[](i))) { return this->get()[i]; }
+      template <typename U>
+      decltype(auto) operator[](U&& i) noexcept(noexcept(this->get().operator[](i))) {
+         return this->get()[std::forward<U>(i)];
+      }
 
-      decltype(auto) at(size_type i) const noexcept(noexcept(this->get().at(i)))
+      template <typename U>
+      decltype(auto) at(U&& i) const noexcept(noexcept(this->get().at(i)))
          requires(concepts::has_bounds_checked_accessors<T>)
       {
-         return this->get().at(i);
+         return this->get().at(std::forward<U>(i));
       }
 
-      decltype(auto) at(size_type i) noexcept(noexcept(this->get().at(i)))
+      template <typename U>
+      decltype(auto) at(U&& i) noexcept(noexcept(this->get().at(i)))
          requires(concepts::has_bounds_checked_accessors<T>)
       {
-         return this->get().at(i);
+         return this->get().at(std::forward<U>(i));
       }
 };
 
diff --git a/src/tests/test_strong_type.cpp b/src/tests/test_strong_type.cpp
index 754522485b0..7bf373bedaf 100644
--- a/src/tests/test_strong_type.cpp
+++ b/src/tests/test_strong_type.cpp
@@ -201,12 +201,31 @@ std::vector<Test::Result> test_container_strong_type() {
 
                             Test_Array a({1, 2, 3, 4});
                             result.test_is_eq<uint8_t>("at() returns 3", a.at(2), 3);
+                            result.test_throws("at() throws on out-of-bounds access", [&a]() { a.at(4); });
 
                             Test_Map m({{1, "one"}, {2, "two"}, {3, "three"}});
                             result.test_is_eq<std::string>("at() returns 'two'", m.at(2), "two");
+                            result.test_throws("at() throws on out-of-bounds access", [&m]() { m.at(4); });
 
                             Test_Vector v({1, 2, 3, 4});
                             result.test_is_eq<uint8_t>("at() returns 2", v.at(1), 2);
+                            result.test_throws("at() throws on out-of-bounds access", [&v]() { v.at(4); });
+                         }),
+
+      Botan_Tests::CHECK("subscript accessors are exposed",
+                         [](Test::Result& result) {
+                            using Test_Array = Botan::Strong<std::array<uint8_t, 4>, struct Test_Array_>;
+                            using Test_Map = Botan::Strong<std::map<int, std::string>, struct Test_Map_>;
+                            using Test_Vector = Botan::Strong<std::vector<uint8_t>, struct Test_Vector_>;
+
+                            Test_Array a({1, 2, 3, 4});
+                            result.test_is_eq<uint8_t>("[] returns 3", a[2], 3);
+
+                            Test_Map m({{1, "one"}, {2, "two"}, {3, "three"}});
+                            result.test_is_eq<std::string>("[] returns 'two'", m[2], "two");
+
+                            Test_Vector v({1, 2, 3, 4});
+                            result.test_is_eq<uint8_t>("[] returns 2", v[1], 2);
                          }),
    };
 }

From 5a02584cf86e7e1221be8f74ad9b4a7b39035203 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Thu, 1 Feb 2024 16:04:59 +0100
Subject: [PATCH 16/27] OIDs from IETF-Hackathon

---
 doc/dev_ref/oids.rst      | 22 ++++---------
 src/build-data/oids.txt   | 36 +++++++++++----------
 src/lib/asn1/oid_maps.cpp | 66 +++++++++++++++++++--------------------
 3 files changed, 58 insertions(+), 66 deletions(-)

diff --git a/doc/dev_ref/oids.rst b/doc/dev_ref/oids.rst
index 01dbc3c003e..2397b7dafb2 100644
--- a/doc/dev_ref/oids.rst
+++ b/doc/dev_ref/oids.rst
@@ -86,22 +86,12 @@ Values currently assigned are::
 
   mceliece OBJECT IDENTIFIER ::= { publicKey 18 }
 
-  mceliece348864      OBJECT IDENTIFIER ::= { mceliece 1 }
-  mceliece348864f     OBJECT IDENTIFIER ::= { mceliece 2 }
-  mceliece460896      OBJECT IDENTIFIER ::= { mceliece 3 }
-  mceliece460896f     OBJECT IDENTIFIER ::= { mceliece 4 }
-  mceliece6688128     OBJECT IDENTIFIER ::= { mceliece 5 }
-  mceliece6688128f    OBJECT IDENTIFIER ::= { mceliece 6 }
-  mceliece6688128pc   OBJECT IDENTIFIER ::= { mceliece 7 }
-  mceliece6688128pcf  OBJECT IDENTIFIER ::= { mceliece 8 }
-  mceliece6960119     OBJECT IDENTIFIER ::= { mceliece 9 }
-  mceliece6960119f    OBJECT IDENTIFIER ::= { mceliece 10 }
-  mceliece6960119pc   OBJECT IDENTIFIER ::= { mceliece 11 }
-  mceliece6960119pcf  OBJECT IDENTIFIER ::= { mceliece 12 }
-  mceliece8192128     OBJECT IDENTIFIER ::= { mceliece 13 }
-  mceliece8192128f    OBJECT IDENTIFIER ::= { mceliece 14 }
-  mceliece8192128pc   OBJECT IDENTIFIER ::= { mceliece 15 }
-  mceliece8192128pcf  OBJECT IDENTIFIER ::= { mceliece 16 }
+  mceliece6688128pc   OBJECT IDENTIFIER ::= { mceliece 1 }
+  mceliece6688128pcf  OBJECT IDENTIFIER ::= { mceliece 2 }
+  mceliece6960119pc   OBJECT IDENTIFIER ::= { mceliece 3 }
+  mceliece6960119pcf  OBJECT IDENTIFIER ::= { mceliece 4 }
+  mceliece8192128pc   OBJECT IDENTIFIER ::= { mceliece 5 }
+  mceliece8192128pcf  OBJECT IDENTIFIER ::= { mceliece 6 }
 
   symmetricKey OBJECT IDENTIFIER ::= { randombit 3 }
 
diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
index c1d18f7ceb2..a018f2b9e05 100644
--- a/src/build-data/oids.txt
+++ b/src/build-data/oids.txt
@@ -63,23 +63,25 @@
 1.3.6.1.4.1.25258.1.12.3.5 = SphincsPlus-haraka-256s-r3.1
 1.3.6.1.4.1.25258.1.12.3.6 = SphincsPlus-haraka-256f-r3.1
 
-# Classic McEliece OIDs are currently in Botan's private arc
-1.3.6.1.4.1.25258.1.18.1 = mceliece348864
-1.3.6.1.4.1.25258.1.18.2 = mceliece348864f
-1.3.6.1.4.1.25258.1.18.3 = mceliece460896
-1.3.6.1.4.1.25258.1.18.4 = mceliece460896f
-1.3.6.1.4.1.25258.1.18.5 = mceliece6688128
-1.3.6.1.4.1.25258.1.18.6 = mceliece6688128f
-1.3.6.1.4.1.25258.1.18.7 = mceliece6688128pc
-1.3.6.1.4.1.25258.1.18.8 = mceliece6688128pcf
-1.3.6.1.4.1.25258.1.18.9 = mceliece6960119
-1.3.6.1.4.1.25258.1.18.10 = mceliece6960119f
-1.3.6.1.4.1.25258.1.18.11 = mceliece6960119pc
-1.3.6.1.4.1.25258.1.18.12 = mceliece6960119pcf
-1.3.6.1.4.1.25258.1.18.13 = mceliece8192128
-1.3.6.1.4.1.25258.1.18.14 = mceliece8192128f
-1.3.6.1.4.1.25258.1.18.15 = mceliece8192128pc
-1.3.6.1.4.1.25258.1.18.16 = mceliece8192128pcf
+# Classic McEliece OID selection from IETF Hackathon/BouncyCastle for non PC instances
+1.3.6.1.4.1.22554.5.1.1  = mceliece348864
+1.3.6.1.4.1.22554.5.1.2 = mceliece348864f
+1.3.6.1.4.1.22554.5.1.3 = mceliece460896
+1.3.6.1.4.1.22554.5.1.4 = mceliece460896f
+1.3.6.1.4.1.22554.5.1.5 = mceliece6688128
+1.3.6.1.4.1.22554.5.1.6 = mceliece6688128f
+1.3.6.1.4.1.22554.5.1.7 = mceliece6960119
+1.3.6.1.4.1.22554.5.1.8 = mceliece6960119f
+1.3.6.1.4.1.22554.5.1.9 = mceliece8192128
+1.3.6.1.4.1.22554.5.1.10 = mceliece8192128f
+
+# Classic McEliece PC OIDs are currently in Botan's private arc
+1.3.6.1.4.1.25258.1.18.1 = mceliece6688128pc
+1.3.6.1.4.1.25258.1.18.2 = mceliece6688128pcf
+1.3.6.1.4.1.25258.1.18.3 = mceliece6960119pc
+1.3.6.1.4.1.25258.1.18.4 = mceliece6960119pcf
+1.3.6.1.4.1.25258.1.18.5 = mceliece8192128pc
+1.3.6.1.4.1.25258.1.18.6 = mceliece8192128pcf
 
 # XMSS
 1.3.6.1.4.1.25258.1.5 = XMSS-draft6
diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
index 451972542db..96289444e84 100644
--- a/src/lib/asn1/oid_maps.cpp
+++ b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-01-10
+* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2024-02-01
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -138,6 +138,16 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.3.36.3.3.2.8.1.1.9", "brainpool320r1"},
       {"1.3.6.1.4.1.11591.15.1", "OpenPGP.Ed25519"},
       {"1.3.6.1.4.1.11591.4.11", "Scrypt"},
+      {"1.3.6.1.4.1.22554.5.1.1", "mceliece348864"},
+      {"1.3.6.1.4.1.22554.5.1.10", "mceliece8192128f"},
+      {"1.3.6.1.4.1.22554.5.1.2", "mceliece348864f"},
+      {"1.3.6.1.4.1.22554.5.1.3", "mceliece460896"},
+      {"1.3.6.1.4.1.22554.5.1.4", "mceliece460896f"},
+      {"1.3.6.1.4.1.22554.5.1.5", "mceliece6688128"},
+      {"1.3.6.1.4.1.22554.5.1.6", "mceliece6688128f"},
+      {"1.3.6.1.4.1.22554.5.1.7", "mceliece6960119"},
+      {"1.3.6.1.4.1.22554.5.1.8", "mceliece6960119f"},
+      {"1.3.6.1.4.1.22554.5.1.9", "mceliece8192128"},
       {"1.3.6.1.4.1.25258.1.10.1", "Dilithium-4x4-AES-r3"},
       {"1.3.6.1.4.1.25258.1.10.2", "Dilithium-6x5-AES-r3"},
       {"1.3.6.1.4.1.25258.1.10.3", "Dilithium-8x7-AES-r3"},
@@ -174,22 +184,12 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.3.6.1.4.1.25258.1.17.1", "eFrodoKEM-640-AES"},
       {"1.3.6.1.4.1.25258.1.17.2", "eFrodoKEM-976-AES"},
       {"1.3.6.1.4.1.25258.1.17.3", "eFrodoKEM-1344-AES"},
-      {"1.3.6.1.4.1.25258.1.18.1", "mceliece348864"},
-      {"1.3.6.1.4.1.25258.1.18.10", "mceliece6960119f"},
-      {"1.3.6.1.4.1.25258.1.18.11", "mceliece6960119pc"},
-      {"1.3.6.1.4.1.25258.1.18.12", "mceliece6960119pcf"},
-      {"1.3.6.1.4.1.25258.1.18.13", "mceliece8192128"},
-      {"1.3.6.1.4.1.25258.1.18.14", "mceliece8192128f"},
-      {"1.3.6.1.4.1.25258.1.18.15", "mceliece8192128pc"},
-      {"1.3.6.1.4.1.25258.1.18.16", "mceliece8192128pcf"},
-      {"1.3.6.1.4.1.25258.1.18.2", "mceliece348864f"},
-      {"1.3.6.1.4.1.25258.1.18.3", "mceliece460896"},
-      {"1.3.6.1.4.1.25258.1.18.4", "mceliece460896f"},
-      {"1.3.6.1.4.1.25258.1.18.5", "mceliece6688128"},
-      {"1.3.6.1.4.1.25258.1.18.6", "mceliece6688128f"},
-      {"1.3.6.1.4.1.25258.1.18.7", "mceliece6688128pc"},
-      {"1.3.6.1.4.1.25258.1.18.8", "mceliece6688128pcf"},
-      {"1.3.6.1.4.1.25258.1.18.9", "mceliece6960119"},
+      {"1.3.6.1.4.1.25258.1.18.1", "mceliece6688128pc"},
+      {"1.3.6.1.4.1.25258.1.18.2", "mceliece6688128pcf"},
+      {"1.3.6.1.4.1.25258.1.18.3", "mceliece6960119pc"},
+      {"1.3.6.1.4.1.25258.1.18.4", "mceliece6960119pcf"},
+      {"1.3.6.1.4.1.25258.1.18.5", "mceliece8192128pc"},
+      {"1.3.6.1.4.1.25258.1.18.6", "mceliece8192128pcf"},
       {"1.3.6.1.4.1.25258.1.3", "McEliece"},
       {"1.3.6.1.4.1.25258.1.5", "XMSS-draft6"},
       {"1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/SHA-256"},
@@ -585,22 +585,22 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
       {"gost_256B", OID({1, 2, 643, 7, 1, 2, 1, 1, 2})},
       {"gost_512A", OID({1, 2, 643, 7, 1, 2, 1, 2, 1})},
       {"gost_512B", OID({1, 2, 643, 7, 1, 2, 1, 2, 2})},
-      {"mceliece348864", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 1})},
-      {"mceliece348864f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 2})},
-      {"mceliece460896", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 3})},
-      {"mceliece460896f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 4})},
-      {"mceliece6688128", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 5})},
-      {"mceliece6688128f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 6})},
-      {"mceliece6688128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 7})},
-      {"mceliece6688128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 8})},
-      {"mceliece6960119", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 9})},
-      {"mceliece6960119f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 10})},
-      {"mceliece6960119pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 11})},
-      {"mceliece6960119pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 12})},
-      {"mceliece8192128", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 13})},
-      {"mceliece8192128f", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 14})},
-      {"mceliece8192128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 15})},
-      {"mceliece8192128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 16})},
+      {"mceliece348864", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 1})},
+      {"mceliece348864f", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 2})},
+      {"mceliece460896", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 3})},
+      {"mceliece460896f", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 4})},
+      {"mceliece6688128", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 5})},
+      {"mceliece6688128f", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 6})},
+      {"mceliece6688128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 1})},
+      {"mceliece6688128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 2})},
+      {"mceliece6960119", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 7})},
+      {"mceliece6960119f", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 8})},
+      {"mceliece6960119pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 3})},
+      {"mceliece6960119pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 4})},
+      {"mceliece8192128", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 9})},
+      {"mceliece8192128f", OID({1, 3, 6, 1, 4, 1, 22554, 5, 1, 10})},
+      {"mceliece8192128pc", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 5})},
+      {"mceliece8192128pcf", OID({1, 3, 6, 1, 4, 1, 25258, 1, 18, 6})},
       {"secp160k1", OID({1, 3, 132, 0, 9})},
       {"secp160r1", OID({1, 3, 132, 0, 8})},
       {"secp160r2", OID({1, 3, 132, 0, 30})},

From 19f2559e5ee3e401f9eb64a358a76a287362cb01 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Thu, 1 Feb 2024 16:59:54 +0100
Subject: [PATCH 17/27] Fix of some review suggestions

---
 src/lib/pubkey/classic_mceliece/cmce.cpp      | 22 ++++++++----------
 src/lib/pubkey/classic_mceliece/cmce.h        |  6 ++---
 .../pubkey/classic_mceliece/cmce_decaps.cpp   | 23 ++++++++++---------
 src/lib/pubkey/classic_mceliece/cmce_decaps.h |  6 ++---
 .../pubkey/classic_mceliece/cmce_encaps.cpp   | 19 ++++++++-------
 src/lib/pubkey/classic_mceliece/cmce_encaps.h |  4 ++--
 .../classic_mceliece/cmce_field_ordering.cpp  |  1 -
 src/lib/pubkey/pk_algs.cpp                    |  4 ++--
 src/lib/utils/types.h                         |  2 +-
 src/tests/test_cmce.cpp                       |  3 ---
 src/tests/unit_x509.cpp                       |  4 ++--
 11 files changed, 44 insertions(+), 50 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 8dced139fdc..2287cf11dce 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -29,9 +29,8 @@ Classic_McEliece_PublicKey::Classic_McEliece_PublicKey(std::span<const uint8_t>
                                                        Classic_McEliece_Parameter_Set param_set) {
    auto params = Classic_McEliece_Parameters::create(param_set);
    BOTAN_ARG_CHECK(key_bits.size() == params.pk_size_bytes(), "Wrong public key length");
-   std::vector<uint8_t> key_bits_vec(key_bits.begin(), key_bits.end());
    m_public = std::make_shared<Classic_McEliece_PublicKeyInternal>(
-      params, Classic_McEliece_Matrix(params, std::move(key_bits_vec)));
+      params, Classic_McEliece_Matrix(params, {key_bits.begin(), key_bits.end()}));
 }
 
 Classic_McEliece_PublicKey::Classic_McEliece_PublicKey(const Classic_McEliece_PublicKey& other) {
@@ -98,6 +97,7 @@ Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(std::span<const uint8_t
    m_private = std::make_shared<Classic_McEliece_PrivateKeyInternal>(std::move(sk_internal));
    // This creates and loads the public key, which is very large. Potentially, we could only load
    // it on demand (since one may use the private key only for decapsulation without needing the public key).
+   // TODO: consider building a load-on-demand mechanism for the public key
    m_public = Classic_McEliece_PublicKeyInternal::create_from_private_key(*m_private);
 }
 
@@ -120,10 +120,10 @@ secure_vector<uint8_t> Classic_McEliece_PrivateKey::raw_private_key_bits() const
 bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const {
    auto prg = m_private->params().prg(m_private->delta());
 
-   auto s = prg->output<Rejection_Seed>(m_private->params().n() / 8);
-   auto ordering_seed =
+   const auto s = prg->output<Rejection_Seed>(m_private->params().n() / 8);
+   const auto ordering_seed =
       prg->output<secure_vector<uint8_t>>((m_private->params().sigma2() * m_private->params().q()) / 8);
-   auto irreducible_seed =
+   const auto irreducible_seed =
       prg->output<secure_vector<uint8_t>>((m_private->params().sigma1() * m_private->params().t()) / 8);
 
    // Recomputing s as hash of delta
@@ -133,8 +133,7 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
    // Checking weight of c
    ret &= CT::Mask<size_t>::is_equal(m_private->c().ct_hamming_weight(), 32);
 
-   auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_seed);
-   if(g) {
+   if(auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_seed)) {
       for(size_t i = 0; i < g->degree() - 1; ++i) {
          ret &= CT::Mask<size_t>::expand(GF_Mask::is_equal(g->coef_at(i), m_private->g().coef_at(i)).elem_mask());
       }
@@ -143,13 +142,12 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
    }
 
    // Check alpha control bits
-   auto field_ord_from_seed =
-      Classic_McEliece_Field_Ordering::create_field_ordering(m_private->params(), ordering_seed);
-   if(!field_ord_from_seed) {
-      ret = CT::Mask<size_t>::cleared();
-   } else {
+   if(auto field_ord_from_seed =
+         Classic_McEliece_Field_Ordering::create_field_ordering(m_private->params(), ordering_seed)) {
       field_ord_from_seed->permute_with_pivots(m_private->params(), m_private->c());
       ret &= CT::Mask<size_t>::expand(field_ord_from_seed->ct_is_equal(m_private->field_ordering()));
+   } else {
+      ret = CT::Mask<size_t>::cleared();
    }
 
    return ret.as_bool();
diff --git a/src/lib/pubkey/classic_mceliece/cmce.h b/src/lib/pubkey/classic_mceliece/cmce.h
index 7eabe49123f..8fd160f55ee 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.h
+++ b/src/lib/pubkey/classic_mceliece/cmce.h
@@ -20,9 +20,9 @@ class Classic_McEliece_PrivateKeyInternal;
 
 /**
  * Classic McEliece is a Code-Based KEM. It is a round 4 candidate in NIST's PQC competition.
- * It is endorsed by the German Federal Office for Information Security for its conservative security
+ * It is endorsed by the German Federal Office for Information Security (BSI) for its conservative security
  * assumptions and a corresponding draft for an ISO standard has been prepared. Both NIST and ISO parameter
- * sets are implemented here.
+ * sets are implemented here. See https://classic.mceliece.org/ for the specifications and other details.
  *
  * Advantages of Classic McEliece:
  * - Conservative post-quantum security assumptions
@@ -59,7 +59,7 @@ class BOTAN_PUBLIC_API(3, 4) Classic_McEliece_PublicKey : public virtual Public_
 
       ~Classic_McEliece_PublicKey() override = default;
 
-      std::string algo_name() const override { return "ClassicMcEliece"; }  //TODO: Use "CMCE" or "Classic_McEliece"?
+      std::string algo_name() const override { return "ClassicMcEliece"; }
 
       AlgorithmIdentifier algorithm_identifier() const override;
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index 88dcbe81ef2..ef1b1792ae1 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -17,7 +17,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
    const Classic_McEliece_Parameters& params,
    const Classic_McEliece_Minimal_Polynomial& goppa_poly,
    const Classic_McEliece_Field_Ordering& ordering,
-   const secure_bitvector& code_word) {
+   const secure_bitvector& code_word) const {
    BOTAN_ASSERT(params.n() == code_word.size(), "Correct code word size");
    std::vector<Classic_McEliece_GF> syndrome(2 * params.t(), params.gf(GF_Elem(0)));
 
@@ -38,8 +38,8 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
    return Classic_McEliece_Polynomial(syndrome);
 }
 
-Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(const Classic_McEliece_Parameters& params,
-                                                                         const Classic_McEliece_Polynomial& syndrome) {
+Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(
+   const Classic_McEliece_Parameters& params, const Classic_McEliece_Polynomial& syndrome) const {
    // Represents coefficients of corresponding polynomials
    std::vector<Classic_McEliece_GF> big_c(params.t() + 1, params.gf(GF_Elem(0)));
    std::vector<Classic_McEliece_GF> big_b(params.t() + 1, params.gf(GF_Elem(0)));
@@ -88,21 +88,22 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(const C
    return Classic_McEliece_Polynomial(big_c);
 }
 
-std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Code_Word big_c) {
+std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Code_Word big_c) const {
    BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
    big_c.resize(m_key->params().n());
 
-   auto syndrome =
+   const auto syndrome =
       compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), big_c.as<secure_bitvector>());
-   auto locator = berlekamp_massey(m_key->params(), syndrome);
+   const auto locator = berlekamp_massey(m_key->params(), syndrome);
 
    std::vector<Classic_McEliece_GF> images;
-   auto alphas = m_key->field_ordering().alphas(m_key->params().n());
+   const auto alphas = m_key->field_ordering().alphas(m_key->params().n());
    std::transform(
       alphas.begin(), alphas.end(), std::back_inserter(images), [&](const auto& alpha) { return locator(alpha); });
 
    // Obtain e and check whether wt(e) = t. locator(alpha_i) = 0 <=> error at position i
    Error_Vector e;
+   e.get().reserve(m_key->params().n());
    auto decode_success = CT::Mask<uint8_t>::set();  // Avoid bool to avoid possible compiler optimizations
    for(const auto& image : images) {
       e.push_back(GF_Mask::is_zero(image).as_bool());
@@ -110,7 +111,7 @@ std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Co
    decode_success &= CT::Mask<uint8_t>(CT::Mask<size_t>::is_equal(e.ct_hamming_weight(), m_key->params().t()));
 
    // Check the error vector by checking H'C = H'e <=> H'(C + e) = 0; see guide for implementors Sec. 6.3
-   auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e.get());
+   const auto syndrome_from_e = compute_goppa_syndrome(m_key->params(), m_key->g(), m_key->field_ordering(), e.get());
    auto syndromes_are_eq = GF_Mask::set();
    for(size_t i = 0; i < syndrome.degree() - 1; ++i) {
       syndromes_are_eq &= GF_Mask::is_equal(syndrome.coef_at(i), syndrome_from_e.coef_at(i));
@@ -147,10 +148,10 @@ void Classic_McEliece_Decryptor::raw_kem_decrypt(std::span<uint8_t> out_shared_k
    auto hash_func = m_key->params().hash_func();
 
    if(m_key->params().is_pc()) {
-      hash_func->update(2);
+      hash_func->update(0x02);
       hash_func->update(e_bytes);
-      auto c1_p = hash_func->final_stdvec();
-      CT::Mask<uint8_t> eq_mask = CT::is_equal(c1.data(), c1_p.data(), c1.size());
+      const auto c1_p = hash_func->final_stdvec();
+      const CT::Mask<uint8_t> eq_mask = CT::is_equal(c1.data(), c1_p.data(), c1.size());
       eq_mask.select_n(e_bytes.data(), e_bytes.data(), m_key->s().data(), m_key->s().size());
       b = eq_mask.select(b, 0);
    }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.h b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
index 1babd267984..283a8634a29 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
@@ -55,7 +55,7 @@ class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decry
       Classic_McEliece_Polynomial compute_goppa_syndrome(const Classic_McEliece_Parameters& params,
                                                          const Classic_McEliece_Minimal_Polynomial& goppa_poly,
                                                          const Classic_McEliece_Field_Ordering& ordering,
-                                                         const secure_bitvector& code_word);
+                                                         const secure_bitvector& code_word) const;
 
       /**
        * @brief Applies the Berlekamp-Massey algorithm to compute the error locator polynomial given a syndrome.
@@ -67,7 +67,7 @@ class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decry
        * @return The error locator polynomial.
        */
       Classic_McEliece_Polynomial berlekamp_massey(const Classic_McEliece_Parameters& params,
-                                                   const Classic_McEliece_Polynomial& syndrome);
+                                                   const Classic_McEliece_Polynomial& syndrome) const;
 
       /**
        * @brief Decodes a code word using Berlekamp's method.
@@ -75,7 +75,7 @@ class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decry
        * @param big_c The code word.
        * @return A pair containing the decoded message and the error pattern.
        */
-      std::pair<CT::Mask<uint8_t>, Error_Vector> decode(Code_Word big_c);
+      std::pair<CT::Mask<uint8_t>, Error_Vector> decode(Code_Word big_c) const;
 
       std::shared_ptr<Classic_McEliece_PrivateKeyInternal> m_key;
 };
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
index e32731e27e0..e2d32ec3525 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
@@ -11,18 +11,17 @@
 #include <botan/internal/cmce_encaps.h>
 
 #include <botan/rng.h>
-#include <iostream>
 
 namespace Botan {
 
 Code_Word Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
                                              const Error_Vector& e,
-                                             const Classic_McEliece_Matrix& mat) {
+                                             const Classic_McEliece_Matrix& mat) const {
    return mat.mul(params, e);
 }
 
 std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
-   const Classic_McEliece_Parameters& params, const secure_vector<uint8_t>& rand) {
+   const Classic_McEliece_Parameters& params, const secure_vector<uint8_t>& rand) const {
    BOTAN_ASSERT_NOMSG(rand.size() == params.tau() * (params.sigma1() / 8));
    uint16_t mask_m = (uint32_t(1) << params.m()) - 1;  // Only take m least significant bits
    secure_vector<uint16_t> a_values;
@@ -80,25 +79,25 @@ std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
 void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
                                                  std::span<uint8_t> out_shared_key,
                                                  RandomNumberGenerator& rng) {
-   BOTAN_ASSERT(out_encapsulated_key.size() == m_key->params().ciphertext_size(),
-                "Correct encapsulated key output length");
-   BOTAN_ASSERT(out_shared_key.size() == m_key->params().hash_out_bytes(), "Correct shared key output length");
+   BOTAN_ARG_CHECK(out_encapsulated_key.size() == m_key->params().ciphertext_size(),
+                   "Incorrect encapsulated key output length");
+   BOTAN_ARG_CHECK(out_shared_key.size() == m_key->params().hash_out_bytes(), "Incorrect shared key output length");
 
-   auto& params = m_key->params();
+   const auto& params = m_key->params();
 
    // Call fixed_weight until it is successful to
    // create a random error vector e of weight tau
-   Error_Vector e = [&] {
+   const Error_Vector e = [&] {
       // Emergency abort in case unexpected logical error to prevent endless loops
       //   Success probability: >24% per attempt (25% that elements are distinct * 96% enough elements are in range)
       //   => 203 attempts for 2^(-80) fail probability
-      const size_t MAX_ATTEMPTS = 203;
+      constexpr size_t MAX_ATTEMPTS = 203;
       for(size_t attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
          if(auto maybe_e = fixed_weight_vector_gen(params, rng.random_vec((params.sigma1() / 8) * params.tau()))) {
             return maybe_e.value();
          }
       }
-      throw Internal_Error("Cannot created fixed weight vector.");
+      throw Internal_Error("Cannot created fixed weight vector. Is your RNG broken?");
    }();
 
    auto big_c = encode(params, e, m_key->matrix()).get().to_bytes();
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.h b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
index f26c8277ffa..30eaa1566ca 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
@@ -46,13 +46,13 @@ class BOTAN_TEST_API Classic_McEliece_Encryptor final : public PK_Ops::KEM_Encry
        */
       Code_Word encode(const Classic_McEliece_Parameters& params,
                        const Error_Vector& e,
-                       const Classic_McEliece_Matrix& mat);
+                       const Classic_McEliece_Matrix& mat) const;
 
       /**
       * @brief Fixed-weight-vector generation algorithm according to ISO McEliece.
       */
       std::optional<Error_Vector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
-                                                          const secure_vector<uint8_t>& rand);
+                                                          const secure_vector<uint8_t>& rand) const;
 };
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index c80969066dc..e63367135c0 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -14,7 +14,6 @@
 #include <botan/mem_ops.h>
 #include <botan/internal/loadstor.h>
 
-#include <iostream>
 #include <numeric>
 #include <utility>
 #include <vector>
diff --git a/src/lib/pubkey/pk_algs.cpp b/src/lib/pubkey/pk_algs.cpp
index 1c549212e20..a58b882bac0 100644
--- a/src/lib/pubkey/pk_algs.cpp
+++ b/src/lib/pubkey/pk_algs.cpp
@@ -431,8 +431,8 @@ std::unique_ptr<Private_Key> create_private_key(std::string_view alg_name,
 #endif
 #if defined(BOTAN_HAS_CLASSICMCELIECE)
    if(alg_name == "ClassicMcEliece") {
-      auto cmce_params_set = cmce_param_set_from_str(params);
-
+      auto cmce_params_set =
+         params.empty() ? Classic_McEliece_Parameter_Set::mceliece6960119f : cmce_param_set_from_str(params);
       return std::make_unique<Classic_McEliece_PrivateKey>(rng, cmce_params_set);
    }
 #endif
diff --git a/src/lib/utils/types.h b/src/lib/utils/types.h
index 5d53cbf855e..3a14a0725b3 100644
--- a/src/lib/utils/types.h
+++ b/src/lib/utils/types.h
@@ -57,7 +57,7 @@ namespace Botan {
 *        @ref dlies.h "DLIES", @ref ecies.h "ECIES", @ref elgamal.h "ElGamal",
 *        @ref rsa.h "RSA", @ref mceliece.h "McEliece", @ref sm2.h "SM2"
 * <dt>Key Encapsulation Mechanisms<dd>
-*        @ref kyber.h "Kyber", @ref rsa.h "RSA"
+*        @ref cmce.h "Classic McEliece", @ref frodokem.h "FrodoKEM", @ref kyber.h "Kyber", @ref rsa.h "RSA"
 * <dt>Public Key Signature Schemes<dd>
 *        @ref dsa.h "DSA", @ref dilithium.h "Dilithium", @ref ecdsa.h "ECDSA", @ref ecgdsa.h "ECGDSA",
 *        @ref eckcdsa.h "ECKCDSA", @ref gost_3410.h "GOST 34.10-2001", @ref sm2.h "SM2", @ref sphincsplus.h "SPHINCS+",
diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
index c1d802fcdce..70e6671ce9a 100644
--- a/src/tests/test_cmce.cpp
+++ b/src/tests/test_cmce.cpp
@@ -26,9 +26,6 @@
    #include <botan/internal/cmce_parameters.h>
    #include <botan/internal/cmce_poly.h>
 
-   #include <iostream>
-   #include <set>
-
 namespace Botan_Tests {
 
 namespace {
diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp
index 7b96c3802e0..f044966fa4e 100644
--- a/src/tests/unit_x509.cpp
+++ b/src/tests/unit_x509.cpp
@@ -1174,7 +1174,7 @@ Test::Result test_valid_constraints(const Botan::Private_Key& key, const std::st
       result.test_eq("usage acceptable", key_agreement_decipher_only.compatible_with(key), true);
       result.test_eq("crl sign not permitted", crl_sign.compatible_with(key), false);
       result.test_eq("sign", sign_everything.compatible_with(key), false);
-   } else if(pk_algo == "Kyber" || pk_algo == "FrodoKEM") {
+   } else if(pk_algo == "Kyber" || pk_algo == "FrodoKEM" || pk_algo == "ClassicMcEliece") {
       // KEMs can encrypt and agree
       result.test_eq("all constraints not permitted", all.compatible_with(key), false);
       result.test_eq("cert sign not permitted", ca.compatible_with(key), false);
@@ -1596,7 +1596,7 @@ class X509_Cert_Unit_Tests final : public Test {
          /*
          These are algos which cannot sign but can be included in certs
          */
-         const std::vector<std::string> enc_algos = {"DH", "ECDH", "ElGamal", "Kyber", "FrodoKEM"};
+         const std::vector<std::string> enc_algos = {"DH", "ECDH", "ElGamal", "Kyber", "FrodoKEM", "ClassicMcEliece"};
 
          for(const std::string& algo : enc_algos) {
             auto key = make_a_private_key(algo);

From 9173e0f4c9045749d65987a1927fd8049e2f5cef Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 2 Feb 2024 12:16:37 +0100
Subject: [PATCH 18/27] Address Review Suggestions

---
 .../pubkey/classic_mceliece/cmce_encaps.cpp   | 38 +++++++++----------
 src/lib/pubkey/classic_mceliece/cmce_encaps.h |  2 +-
 .../classic_mceliece/cmce_keys_internal.cpp   |  7 +---
 3 files changed, 21 insertions(+), 26 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
index e2d32ec3525..eac3fd9cfe7 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
@@ -21,8 +21,8 @@ Code_Word Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters&
 }
 
 std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
-   const Classic_McEliece_Parameters& params, const secure_vector<uint8_t>& rand) const {
-   BOTAN_ASSERT_NOMSG(rand.size() == params.tau() * (params.sigma1() / 8));
+   const Classic_McEliece_Parameters& params, RandomNumberGenerator& rng) const {
+   const auto rand = rng.random_vec((params.sigma1() / 8) * params.tau());
    uint16_t mask_m = (uint32_t(1) << params.m()) - 1;  // Only take m least significant bits
    secure_vector<uint16_t> a_values;
    a_values.reserve(params.tau());
@@ -31,7 +31,7 @@ std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
    // Steps 2 & 3: Create d_j from uniform random bits. The first t d_j entries
    //              in range {0,...,n-1} are defined as a_0,...,a_(t-1). ...
    for(size_t j = 0; j < params.tau(); ++j) {
-      uint16_t d = load_le<uint16_t>(rand_slicer.take(params.sigma1() / 8).data(), 0);
+      auto d = load_le<uint16_t>(rand_slicer.take(params.sigma1() / 8).data(), 0);
       // This is not CT, but neither is the reference implementation here.
       // This side channel only leaks which random elements are selected and which are dropped,
       // but no information about their content is leaked.
@@ -93,33 +93,33 @@ void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsul
       //   => 203 attempts for 2^(-80) fail probability
       constexpr size_t MAX_ATTEMPTS = 203;
       for(size_t attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
-         if(auto maybe_e = fixed_weight_vector_gen(params, rng.random_vec((params.sigma1() / 8) * params.tau()))) {
+         if(auto maybe_e = fixed_weight_vector_gen(params, rng)) {
             return maybe_e.value();
          }
       }
       throw Internal_Error("Cannot created fixed weight vector. Is your RNG broken?");
    }();
 
-   auto big_c = encode(params, e, m_key->matrix()).get().to_bytes();
    auto hash_func = params.hash_func();
 
+   BufferStuffer big_c_stuf(out_encapsulated_key);
+   const auto e_bytes = e.get().to_bytes();
+   // Compute and store ciphertext C/C_0 from spec
+   const auto big_c_0 = encode(params, e, m_key->matrix());
+   big_c_0.to_bytes(big_c_stuf.next(ceil_tobytes(big_c_0.size())));
    if(params.is_pc()) {
-      hash_func->update(2);
-      hash_func->update(e.get().to_bytes());
-      auto big_c_1 = hash_func->final_stdvec();
-      big_c = Botan::concat(big_c, big_c_1);
-      hash_func->clear();
+      // Compute and store ciphertext C_1 from spec
+      hash_func->update(0x02);
+      hash_func->update(e_bytes);
+      hash_func->final(big_c_stuf.next(hash_func->output_length()));
    }
+   BOTAN_ASSERT_NOMSG(big_c_stuf.full());
 
-   hash_func->update(1);
-   hash_func->update(e.get().to_bytes());
-   hash_func->update(big_c);
-
-   auto big_k = hash_func->final<secure_vector<uint8_t>>();
-   hash_func->clear();
-
-   std::copy(big_c.begin(), big_c.end(), out_encapsulated_key.begin());
-   std::copy(big_k.begin(), big_k.end(), out_shared_key.begin());
+   // Compute K = Hash(1,e,C) from spec
+   hash_func->update(0x01);
+   hash_func->update(e_bytes);
+   hash_func->update(out_encapsulated_key);
+   hash_func->final(out_shared_key);
 }
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.h b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
index 30eaa1566ca..686b23757ab 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
@@ -52,7 +52,7 @@ class BOTAN_TEST_API Classic_McEliece_Encryptor final : public PK_Ops::KEM_Encry
       * @brief Fixed-weight-vector generation algorithm according to ISO McEliece.
       */
       std::optional<Error_Vector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
-                                                          const secure_vector<uint8_t>& rand) const;
+                                                          RandomNumberGenerator& rng) const;
 };
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index 6e0bc36897c..a7e466f578d 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -126,17 +126,12 @@ Classic_McEliece_KeyPair_Internal Classic_McEliece_KeyPair_Internal::generate(co
    Key_Gen_Seed next_seed(seed.size());
    Key_Gen_Seed current_seed(seed.begin(), seed.end());
 
-   // Emergency abort in case unexpected logical error to prevent endless loops
-   //   Success probability: >29% per attempt [>98% for 'f' instances]
-   //   => 162 [15] attempts for 2^(-80) fail probability
-   const size_t MAX_ATTEMPTS = params.is_f() ? 15 : 162;
-   for(size_t attempt = 0; attempt < MAX_ATTEMPTS; ++attempt) {
+   while(true) {
       if(auto keypair = try_generate_keypair(next_seed, params, std::move(current_seed))) {
          return keypair.value();
       }
       current_seed = next_seed;
    }
-   throw Internal_Error("Key generation fails consistently. Something went wrong.");
 }
 
 }  // namespace Botan

From 6b111c2da7dd1cbb060754d1e528c0d63aac1820 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 2 Feb 2024 15:04:07 +0100
Subject: [PATCH 19/27] Apply field_ordering review

---
 .../classic_mceliece/cmce_field_ordering.cpp  | 98 ++++++++++---------
 1 file changed, 51 insertions(+), 47 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index e63367135c0..156b2ab4d98 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -22,15 +22,14 @@ namespace Botan {
 
 namespace CMCE_CT {
 
-template <typename T1, typename T2>
+template <std::unsigned_integral T1, std::unsigned_integral T2>
+   requires(sizeof(T1) <= 8 && sizeof(T2) <= 8)
 void cond_swap_pair(CT::Mask<uint64_t> cond_mask, std::pair<T1, T2>& a, std::pair<T1, T2>& b) {
-   static_assert(sizeof(T1) <= sizeof(uint64_t) && sizeof(T2) <= sizeof(uint64_t),
-                 "Types T1 and T2 must be at most 64 bits wide");
    cond_mask.conditional_swap(a.first, b.first);
    cond_mask.conditional_swap(a.second, b.second);
 }
 
-template <typename T1, typename T2>
+template <std::unsigned_integral T1, std::unsigned_integral T2>
 void compare_and_swap_pair(std::span<std::pair<T1, T2>> a, size_t i, size_t k, size_t l) {
    static_assert(sizeof(T1) <= sizeof(uint64_t) && sizeof(T2) <= sizeof(uint64_t),
                  "Types T1 and T2 must be at most 64 bits wide");
@@ -44,15 +43,15 @@ void compare_and_swap_pair(std::span<std::pair<T1, T2>> a, size_t i, size_t k, s
 }
 
 // Sorts a vector of pairs after the first element
-template <typename T1, typename T2>
+template <std::unsigned_integral T1, std::unsigned_integral T2>
 void bitonic_sort_pair(std::span<std::pair<T1, T2>> a) {
-   size_t n = a.size();
+   const size_t n = a.size();
    BOTAN_ARG_CHECK(is_power_of_2(n), "Input vector size must be a power of 2");
 
    for(size_t k = 2; k <= n; k *= 2) {
       for(size_t j = k / 2; j > 0; j /= 2) {
-         for(size_t i = 0; i < n; i++) {
-            size_t l = i ^ j;
+         for(size_t i = 0; i < n; ++i) {
+            const size_t l = i ^ j;
             if(l > i) {
                compare_and_swap_pair(a, i, k, l);
             }
@@ -61,7 +60,7 @@ void bitonic_sort_pair(std::span<std::pair<T1, T2>> a) {
    }
 }
 
-template <typename T>
+template <std::unsigned_integral T>
 T min(const T& a, const T& b) {
    auto mask = CT::Mask<T>::is_lt(a, b);
    return mask.select(a, b);
@@ -70,46 +69,53 @@ T min(const T& a, const T& b) {
 }  // namespace CMCE_CT
 
 namespace {
-template <typename T1, typename T2>
+template <std::unsigned_integral T1, std::unsigned_integral T2>
 std::vector<std::pair<T1, T2>> zip(const secure_vector<T1>& vec_1, const secure_vector<T2>& vec_2) {
    BOTAN_ARG_CHECK(vec_1.size() == vec_2.size(), "Vectors' dimensions do not match");
    std::vector<std::pair<T1, T2>> vec_zipped;
    vec_zipped.reserve(vec_1.size());
    for(size_t i = 0; i < vec_1.size(); ++i) {
-      vec_zipped.push_back(std::make_pair(vec_1.at(i), vec_2.at(i)));
+      vec_zipped.push_back(std::make_pair(vec_1[i], vec_2[i]));
    }
    return vec_zipped;
 }
 
-template <typename T1, typename T2>
-std::pair<secure_vector<T1>, secure_vector<T2>> unzip(std::vector<std::pair<T1, T2>> vec_zipped) {
-   secure_vector<T1> vec_1;
-   secure_vector<T2> vec_2;
+template <std::unsigned_integral T1, std::unsigned_integral T2>
+std::pair<secure_vector<T1>, secure_vector<T2>> unzip(const std::vector<std::pair<T1, T2>>& vec_zipped) {
+   std::pair<secure_vector<T1>, secure_vector<T2>> res;
 
-   vec_1.reserve(vec_zipped.size());
-   vec_2.reserve(vec_zipped.size());
+   res.first.reserve(vec_zipped.size());
+   res.second.reserve(vec_zipped.size());
 
-   for(auto& [elem1, elem2] : vec_zipped) {
-      vec_1.push_back(elem1);
-      vec_2.push_back(elem2);
+   for(const auto& [elem1, elem2] : vec_zipped) {
+      res.first.push_back(elem1);
+      res.second.push_back(elem2);
    }
-   return std::make_pair(std::move(vec_1), std::move(vec_2));
+   return res;
+}
+
+/// @returns (vec[0],0), ..., (vec[n-1],n-1)
+std::vector<std::pair<uint32_t, uint16_t>> enumerate(std::span<const uint32_t> vec) {
+   std::vector<std::pair<uint32_t, uint16_t>> enumerated;
+
+   std::transform(vec.begin(), vec.end(), std::back_inserter(enumerated), [ctr = uint16_t(0)](uint32_t elem) mutable {
+      return std::make_pair(elem, ctr++);
+   });
+
+   return enumerated;
 }
 
 /**
 * @brief Create permutation pi as in (Section 8.2, Step 3).
 */
 Permutation create_pi(secure_vector<uint32_t>& a) {
-   Permutation pi(a.size());
-   std::iota(pi.begin(), pi.end(), 0);  // contains 0, 1, ..., q-1
-
-   auto a_pi_zipped = zip(a, pi.get());
+   auto a_pi_zipped = enumerate(a);
    CMCE_CT::bitonic_sort_pair(std::span(a_pi_zipped));
 
-   auto [a_sorted, pi_sorted] = unzip(std::move(a_pi_zipped));
-   a = std::move(a_sorted);
+   Permutation pi_sorted;
+   std::tie(a, pi_sorted.get()) = unzip(a_pi_zipped);
 
-   return Permutation(pi_sorted);
+   return pi_sorted;
 }
 
 /**
@@ -135,7 +141,11 @@ Classic_McEliece_GF from_pi(Permutation_Element pi_elem, GF_Mod modulus, size_t
 secure_vector<uint16_t> composeinv(const secure_vector<uint16_t>& c, const secure_vector<uint16_t>& pi) {
    auto pi_c_zipped = zip(pi, c);
    CMCE_CT::bitonic_sort_pair(std::span(pi_c_zipped));
-   auto [pi_sorted, c_sorted] = unzip(pi_c_zipped);
+   // Extract c from the sorted vector
+   secure_vector<uint16_t> c_sorted;
+   std::transform(pi_c_zipped.begin(), pi_c_zipped.end(), std::back_inserter(c_sorted), [](const auto& pair) {
+      return pair.second;
+   });
 
    return c_sorted;
 }
@@ -149,16 +159,13 @@ void simultaneous_composeinv(secure_vector<uint16_t>& p, secure_vector<uint16_t>
 
 /**
  * @brief Generate control bits as in ISO 9.2.10.
+ *
+ * TODO: This function can be optimized
  */
 secure_vector<uint16_t> generate_control_bits_internal(const secure_vector<uint16_t>& pi) {
-   auto n = pi.size();
-   size_t m = 1;
-
-   while(size_t(1) << m < n) {
-      m += 1;
-   }
-
-   BOTAN_ASSERT_NOMSG(size_t(1) << m == n);
+   const auto n = pi.size();
+   BOTAN_ASSERT_NOMSG(is_power_of_2(n));
+   const size_t m = ceil_log2(n);
 
    if(m == 1) {
       return secure_vector<uint16_t>({pi.at(0)});
@@ -179,7 +186,7 @@ secure_vector<uint16_t> generate_control_bits_internal(const secure_vector<uint1
    simultaneous_composeinv(p, q);
 
    secure_vector<uint16_t> c(n);
-   for(uint16_t x = 0; size_t(x) < n; ++x) {
+   for(uint16_t x = 0; x < n; ++x) {
       c.at(x) = CMCE_CT::min(x, p.at(x));
    }
 
@@ -248,11 +255,8 @@ std::optional<Classic_McEliece_Field_Ordering> Classic_McEliece_Field_Ordering::
    }
 
    auto pi = create_pi(a);
-
-   for(size_t i = 1; i < params.q(); ++i) {
-      if(a.at(i - 1) == a.at(i)) {  // Check for duplicate elements utilizing sorting
-         return std::nullopt;       // Abort (Step 2)
-      }
+   if(std::adjacent_find(a.begin(), a.end()) != a.end()) {
+      return std::nullopt;
    }
 
    return Classic_McEliece_Field_Ordering(std::move(pi), params.poly_f());
@@ -273,7 +277,7 @@ std::vector<Classic_McEliece_GF> Classic_McEliece_Field_Ordering::alphas(size_t
 
 secure_bitvector Classic_McEliece_Field_Ordering::alphas_control_bits() const {
    // Each vector element contains one bit of the control bits
-   auto control_bits_as_words = generate_control_bits_internal(m_pi.get());
+   const auto control_bits_as_words = generate_control_bits_internal(m_pi.get());
    auto control_bits = secure_bitvector(control_bits_as_words.size());
    for(size_t i = 0; i < control_bits.size(); ++i) {
       control_bits.at(i) = control_bits_as_words.at(i);
@@ -287,13 +291,13 @@ secure_bitvector Classic_McEliece_Field_Ordering::alphas_control_bits() const {
 Classic_McEliece_Field_Ordering Classic_McEliece_Field_Ordering::create_from_control_bits(
    const Classic_McEliece_Parameters& params, const secure_bitvector& control_bits) {
    BOTAN_ASSERT_NOMSG(control_bits.size() == (2 * params.m() - 1) << (params.m() - 1));
-   uint16_t n = static_cast<uint16_t>(1) << params.m();
+   const uint16_t n = uint16_t(1) << params.m();
    Permutation pi(n);
    std::iota(pi.begin(), pi.end(), 0);
    for(size_t i = 0; i < 2 * params.m() - 1; ++i) {
-      size_t gap = static_cast<size_t>(1) << std::min(i, 2 * params.m() - 2 - i);
+      const size_t gap = size_t(1) << std::min(i, 2 * params.m() - 2 - i);
       for(size_t j = 0; j < size_t(n / 2); ++j) {
-         size_t pos = (j % gap) + 2 * gap * (j / gap);
+         const size_t pos = (j % gap) + 2 * gap * (j / gap);
          auto mask = CT::Mask<uint16_t>::expand(control_bits[i * n / 2 + j].as<uint16_t>());
          mask.conditional_swap(pi[pos], pi[pos + gap]);
       }

From 76f420b0f98315c0edbce5b4f09cbaef6e44d8a2 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 2 Feb 2024 17:04:48 +0100
Subject: [PATCH 20/27] Review suggestions

---
 .../classic_mceliece/cmce_field_ordering.cpp  |  1 +
 src/lib/pubkey/classic_mceliece/cmce_gf.cpp   | 31 ---------------
 src/lib/pubkey/classic_mceliece/cmce_gf.h     | 38 +++++++++++++------
 .../classic_mceliece/cmce_keys_internal.cpp   | 12 ++----
 .../pubkey/classic_mceliece/cmce_matrix.cpp   | 29 +++++++-------
 src/lib/pubkey/classic_mceliece/cmce_matrix.h |  2 +-
 src/lib/pubkey/classic_mceliece/cmce_poly.cpp |  5 ++-
 7 files changed, 49 insertions(+), 69 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index 156b2ab4d98..653a121cf85 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -14,6 +14,7 @@
 #include <botan/mem_ops.h>
 #include <botan/internal/loadstor.h>
 
+#include <bitset>
 #include <numeric>
 #include <utility>
 #include <vector>
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.cpp b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
index 308027da0c0..d23e144109e 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
@@ -52,33 +52,6 @@ inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
 
 }  // namespace
 
-Classic_McEliece_GF Classic_McEliece_GF::operator/(Classic_McEliece_GF other) const {
-   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
-   return *this * other.inv();
-}
-
-Classic_McEliece_GF Classic_McEliece_GF::operator+(Classic_McEliece_GF other) const {
-   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
-   return Classic_McEliece_GF(m_elem ^ other.m_elem, m_modulus);
-}
-
-Classic_McEliece_GF& Classic_McEliece_GF::operator+=(Classic_McEliece_GF other) {
-   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
-   m_elem ^= other.m_elem;
-   return *this;
-}
-
-Classic_McEliece_GF& Classic_McEliece_GF::operator^=(GF_Elem other) {
-   m_elem ^= other;
-   return *this;
-}
-
-Classic_McEliece_GF& Classic_McEliece_GF::operator*=(Classic_McEliece_GF other) {
-   BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
-   *this = *this * other;
-   return *this;
-}
-
 Classic_McEliece_GF Classic_McEliece_GF::operator*(Classic_McEliece_GF other) const {
    BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
 
@@ -94,10 +67,6 @@ Classic_McEliece_GF Classic_McEliece_GF::operator*(Classic_McEliece_GF other) co
    return Classic_McEliece_GF(internal_reduce(acc, m_modulus), m_modulus);
 }
 
-Classic_McEliece_GF Classic_McEliece_GF::square() const {
-   return (*this) * (*this);
-}
-
 Classic_McEliece_GF Classic_McEliece_GF::inv() const {
    // Compute the inverse using fermat's little theorem: a^(q-1) = 1 => a^(q-2) = a^-1
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.h b/src/lib/pubkey/classic_mceliece/cmce_gf.h
index 73b16fd2a4e..ccbc799a979 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_gf.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.h
@@ -9,13 +9,12 @@
 #ifndef BOTAN_CMCE_GF_H_
 #define BOTAN_CMCE_GF_H_
 
+#include <botan/assert.h>
 #include <botan/internal/bit_ops.h>
 #include <botan/internal/cmce_types.h>
 #include <botan/internal/ct_utils.h>
 #include <botan/internal/stl_util.h>
 
-#include <bitset>
-
 namespace Botan {
 
 /**
@@ -36,11 +35,11 @@ class BOTAN_TEST_API Classic_McEliece_GF {
        * Each element and the modulus is represented by a uint16_t, where the i-th least significant bit
        * corresponds to the coefficient of z^i.
        *
-       * @param elem The element as a uint16_t.
+       * @param elem The element as a uint16_t. Must be less than 2^m.
        * @param modulus The modulus of GF(q).
        */
       Classic_McEliece_GF(GF_Elem elem, GF_Mod modulus) : m_elem(elem), m_modulus(modulus) {
-         m_elem &= GF_Elem((size_t(1) << log_q()) - 1);
+         BOTAN_DEBUG_ASSERT(elem <= (size_t(1) << log_q()) - 1);
       }
 
       /**
@@ -86,27 +85,44 @@ class BOTAN_TEST_API Classic_McEliece_GF {
       /**
        * @brief Divide the element by @p other in GF(q). Constant time.
        */
-      Classic_McEliece_GF operator/(Classic_McEliece_GF other) const;
+      Classic_McEliece_GF operator/(Classic_McEliece_GF other) const {
+         BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+         return *this * other.inv();
+      }
 
       /**
        * @brief Add @p other to the element. Constant time.
        */
-      Classic_McEliece_GF operator+(Classic_McEliece_GF other) const;
+      Classic_McEliece_GF operator+(Classic_McEliece_GF other) const {
+         BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+         return Classic_McEliece_GF(m_elem ^ other.m_elem, m_modulus);
+      }
 
       /**
        * @brief Add @p other to the element. Constant time.
        */
-      Classic_McEliece_GF& operator+=(Classic_McEliece_GF other);
+      Classic_McEliece_GF& operator+=(Classic_McEliece_GF other) {
+         BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+         m_elem ^= other.m_elem;
+         return *this;
+      }
 
       /**
        * @brief XOR assign a GF_Elem to the element of this. Constant time.
        */
-      Classic_McEliece_GF& operator^=(GF_Elem other);
+      Classic_McEliece_GF& operator^=(GF_Elem other) {
+         m_elem ^= other;
+         return *this;
+      }
 
       /**
        * @brief Multiply the element by @p other in GF(q). Constant time.
        */
-      Classic_McEliece_GF& operator*=(Classic_McEliece_GF other);
+      Classic_McEliece_GF& operator*=(Classic_McEliece_GF other) {
+         BOTAN_ASSERT_NOMSG(m_modulus == other.m_modulus);
+         *this = *this * other;
+         return *this;
+      }
 
       /**
        * @brief Multiply the element by @p other in GF(q). Constant time.
@@ -121,7 +137,7 @@ class BOTAN_TEST_API Classic_McEliece_GF {
       /**
        * @brief Square the element. Constant time.
        */
-      Classic_McEliece_GF square() const;
+      Classic_McEliece_GF square() const { return (*this) * (*this); }
 
       /**
        * @brief Invert the element. Constant time.
@@ -179,7 +195,7 @@ class BOTAN_TEST_API GF_Mask final {
          return (*this);
       }
 
-      bool as_bool() { return m_mask.as_bool(); }
+      bool as_bool() const { return m_mask.as_bool(); }
 
       CT::Mask<uint16_t>& elem_mask() { return m_mask; }
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index a7e466f578d..74943156421 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -26,8 +26,6 @@ std::optional<Classic_McEliece_KeyPair_Internal> try_generate_keypair(std::span<
    BOTAN_ASSERT_EQUAL(seed.size(), 32, "Valid seed length");
    BOTAN_ASSERT_EQUAL(out_next_seed.size(), 32, "Valid output seed length");
 
-   auto ring = params.poly_ring();
-
    auto big_e_xof = params.prg(seed);
 
    auto s = big_e_xof->output<Rejection_Seed>(params.n() / 8);
@@ -56,12 +54,10 @@ std::optional<Classic_McEliece_KeyPair_Internal> try_generate_keypair(std::span<
    auto& [pk_matrix, pivots] = pk_matrix_and_pivots.value();
 
    // Key generation was successful - Create and return keys
-   auto sk = std::make_shared<Classic_McEliece_PrivateKeyInternal>(
-      params, std::move(seed), pivots, std::move(g.value()), std::move(field_ordering.value()), std::move(s));
-
-   auto pk = std::make_shared<Classic_McEliece_PublicKeyInternal>(params, std::move(pk_matrix));
-
-   return Classic_McEliece_KeyPair_Internal{.private_key = sk, .public_key = pk};
+   return Classic_McEliece_KeyPair_Internal{
+      .private_key = std::make_shared<Classic_McEliece_PrivateKeyInternal>(
+         params, std::move(seed), pivots, std::move(g.value()), std::move(field_ordering.value()), std::move(s)),
+      .public_key = std::make_shared<Classic_McEliece_PublicKeyInternal>(params, std::move(pk_matrix))};
 }
 
 }  // namespace
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index 91e27deb183..fc9380dbb79 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -25,13 +25,13 @@ using Matrix = Strong<std::vector<MatrixRow>, struct Matrix_>;
 }  // Anonymous namespace
 
 namespace {
-size_t count_lsb_zeros(secure_bitvector n) {
+size_t count_lsb_zeros(const secure_bitvector& n) {
    size_t res = 0;
    auto found_only_zeros = Botan::CT::Mask<size_t>::set();
-   for(size_t bit_pos = 0; bit_pos < n.size(); ++bit_pos) {
-      auto bit_set_mask = Botan::CT::Mask<size_t>::expand(n.at(bit_pos).as<size_t>());
+   for(const auto& bit : n) {
+      auto bit_set_mask = Botan::CT::Mask<size_t>::expand(bit.as<size_t>());
       found_only_zeros &= ~bit_set_mask;
-      res += found_only_zeros.if_set_return(size_t(1));
+      res += found_only_zeros.if_set_return(1);
    }
 
    return res;
@@ -72,10 +72,10 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
    // A 32x64 sub-matrix of mat containing the elements mat[m*t-32][m*t-32] at the top left
    std::vector<secure_bitvector> sub_mat(Classic_McEliece_Parameters::mu(), secure_bitvector());
 
-   size_t pos_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
+   const size_t pos_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
 
-   // Extract the bottom mu x nu matrix at offset row_offset
-   for(size_t i = 0; i < 32; i++) {
+   // Extract the bottom mu x nu matrix at offset pos_offset
+   for(size_t i = 0; i < Classic_McEliece_Parameters::mu(); i++) {
       sub_mat.at(i) = mat[pos_offset + i].subvector(pos_offset, Classic_McEliece_Parameters::nu());
    }
 
@@ -84,10 +84,10 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
    // Identify the pivot indices, i.e., the indices of the leading ones for all rows
    // when transforming the matrix into semi-systematic form. This algorithm is a modified
    // Gauss algorithm.
-   for(size_t row_idx = 0; row_idx < 32; ++row_idx) {
+   for(size_t row_idx = 0; row_idx < Classic_McEliece_Parameters::mu(); ++row_idx) {
       // Identify pivots (index of first 1) by OR-ing all subsequent rows into row_acc
       auto row_acc = sub_mat.at(row_idx);
-      for(size_t next_row = row_idx + 1; next_row < 32; ++next_row) {
+      for(size_t next_row = row_idx + 1; next_row < Classic_McEliece_Parameters::mu(); ++next_row) {
          row_acc |= sub_mat.at(next_row);
       }
 
@@ -197,10 +197,7 @@ std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Paramet
    auto big_t_stuffer = BufferStuffer(big_t);
 
    for(size_t row = 0; row < params.pk_no_rows(); ++row) {
-      auto pk_row_bits = mat[row].subvector(params.pk_no_rows());
-      auto row_bytes = pk_row_bits.to_bytes();
-
-      big_t_stuffer.append(row_bytes);
+      mat[row].subvector(params.pk_no_rows()).to_bytes(big_t_stuffer.next(params.pk_row_size_bytes()));
    }
 
    BOTAN_ASSERT_NOMSG(big_t_stuffer.full());
@@ -245,7 +242,7 @@ Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_P
 }
 
 Code_Word Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const {
-   auto s = e.subvector(0, params.pk_no_rows());
+   auto s = e.subvector<Code_Word>(0, params.pk_no_rows());
    auto e_T = e.subvector(params.pk_no_rows());
    auto pk_slicer = BufferSlicer(m_mat_bytes);
 
@@ -253,10 +250,10 @@ Code_Word Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params
       auto pk_current_bytes = pk_slicer.take(params.pk_row_size_bytes());
       auto row = secure_bitvector(pk_current_bytes, params.n() - params.pk_no_rows());
       row &= e_T;
-      s.at(i) = s.at(i) ^ row.has_odd_hamming_weight();
+      s[i] ^= row.has_odd_hamming_weight();
    }
 
    BOTAN_ASSERT_NOMSG(pk_slicer.empty());
-   return s.as<Code_Word>();
+   return s;
 }
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.h b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
index 5a4fd11c3d1..7777420244d 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
@@ -74,7 +74,7 @@ class BOTAN_TEST_API Classic_McEliece_Matrix {
        *
        * @return The matrix bytes
        */
-      std::vector<uint8_t> bytes() const { return m_mat_bytes; }
+      const std::vector<uint8_t>& bytes() const { return m_mat_bytes; }
 
       /**
        * @brief Create a Classic_McEliece_Matrix from bytes.
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
index 9f5807edb91..cf718582d0e 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
@@ -80,8 +80,9 @@ Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_fro
 Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_coef(
    const std::vector<GF_Elem>& coeff_vec) const {
    std::vector<Classic_McEliece_GF> coeff_vec_gf;
-   std::transform(coeff_vec.begin(), coeff_vec.end(), std::back_inserter(coeff_vec_gf), [this](auto& coeff) {
-      return Classic_McEliece_GF(coeff, m_poly_f);
+   GF_Elem coeff_mask = GF_Elem((uint16_t(1) << Classic_McEliece_GF::log_q_from_mod(m_poly_f)) - 1);
+   std::transform(coeff_vec.begin(), coeff_vec.end(), std::back_inserter(coeff_vec_gf), [&](auto& coeff) {
+      return Classic_McEliece_GF(coeff & coeff_mask, m_poly_f);
    });
    return Classic_McEliece_Polynomial(coeff_vec_gf);
 }

From 093b5e530f53aa4d48794ba60cf44218d6faa497 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Fri, 2 Feb 2024 17:08:39 +0100
Subject: [PATCH 21/27] Fix CodeQL

---
 src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index 653a121cf85..67eff4a626b 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -187,7 +187,7 @@ secure_vector<uint16_t> generate_control_bits_internal(const secure_vector<uint1
    simultaneous_composeinv(p, q);
 
    secure_vector<uint16_t> c(n);
-   for(uint16_t x = 0; x < n; ++x) {
+   for(uint16_t x = 0; static_cast<size_t>(x) < n; ++x) {
       c.at(x) = CMCE_CT::min(x, p.at(x));
    }
 

From f5cae78afb3bdad3e7f8670d6a4c469a13ebb6fe Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 10:47:35 +0100
Subject: [PATCH 22/27] cmce_parameters refactoring

---
 src/lib/pubkey/classic_mceliece/cmce.cpp      |   2 +-
 .../classic_mceliece/cmce_parameter_set.h     |   2 +-
 .../classic_mceliece/cmce_parameters.cpp      | 190 ++++++++++++------
 .../pubkey/classic_mceliece/cmce_parameters.h |  19 +-
 src/tests/test_cmce.cpp                       |   2 +-
 5 files changed, 143 insertions(+), 72 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 2287cf11dce..9bbaa1d19dc 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -69,7 +69,7 @@ bool Classic_McEliece_PublicKey::check_key(RandomNumberGenerator&, bool) const {
 }
 
 std::unique_ptr<Private_Key> Classic_McEliece_PublicKey::generate_another(RandomNumberGenerator& rng) const {
-   return std::make_unique<Classic_McEliece_PrivateKey>(rng, m_public->params().set());
+   return std::make_unique<Classic_McEliece_PrivateKey>(rng, m_public->params().parameter_set());
 }
 
 std::unique_ptr<PK_Ops::KEM_Encryption> Classic_McEliece_PublicKey::create_kem_encryption_op(
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
index c680d918be3..d06da313210 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
@@ -9,7 +9,7 @@
 #ifndef BOTAN_CMCE_PARAMETER_SET_H_
 #define BOTAN_CMCE_PARAMETER_SET_H_
 
-#include <botan/oids.h>
+#include <botan/asn1_obj.h>
 
 namespace Botan {
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
index 7c35f7bd512..36951ed3b72 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
@@ -13,81 +13,141 @@ namespace Botan {
 
 namespace {
 
-std::vector<Classic_McEliece_Polynomial_Ring::Big_F_Coefficient> determine_big_f_coef(size_t t, GF_Mod modulus) {
-   std::vector<Classic_McEliece_Polynomial_Ring::Big_F_Coefficient> big_f_coef;
-   switch(t) {
-      // TODO: Remove test instance on final PR
-      case 8:  //y^8 + y^4 + y^3 + y^2 + 1 (test instances)
-         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({2, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({3, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({4, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         break;
-      case 64:  //y^64 + y^3 + y + z
-         big_f_coef.push_back({3, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({1, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(2), modulus)});
-         break;
-      case 96:  //y^96 + y^10 + y^9 + y^6 + 1
-         big_f_coef.push_back({10, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({9, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({6, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         break;
-      case 119:  //y^119 + y^8 + 1
-         big_f_coef.push_back({8, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         break;
-      case 128:  // y^128 + y^7 + y^2 + y + 1
-         big_f_coef.push_back({7, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({2, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({1, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         big_f_coef.push_back({0, Classic_McEliece_GF(GF_Elem(1), modulus)});
-         break;
-      default:
-         throw Decoding_Error("No instance with this t value is supported");
+GF_Mod determine_poly_f(Classic_McEliece_Parameter_Set param_set) {
+   switch(param_set) {
+      case Classic_McEliece_Parameter_Set::mceliece348864:
+      case Classic_McEliece_Parameter_Set::mceliece348864f:
+         // z^12 + z^3 + 1
+         return GF_Mod(0b0001000000001001);
+      case Classic_McEliece_Parameter_Set::mceliece460896:
+      case Classic_McEliece_Parameter_Set::mceliece460896f:
+      case Classic_McEliece_Parameter_Set::mceliece6688128:
+      case Classic_McEliece_Parameter_Set::mceliece6688128f:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pc:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pcf:
+      case Classic_McEliece_Parameter_Set::mceliece6960119:
+      case Classic_McEliece_Parameter_Set::mceliece6960119f:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pc:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
+      case Classic_McEliece_Parameter_Set::mceliece8192128:
+      case Classic_McEliece_Parameter_Set::mceliece8192128f:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pc:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
+         // z^12 + z^3 + 1
+         return GF_Mod(0b0010000000011011);
+      // TODO: Remove on final PR
+      case Botan::Classic_McEliece_Parameter_Set::test:
+      case Botan::Classic_McEliece_Parameter_Set::testf:
+      case Botan::Classic_McEliece_Parameter_Set::testpc:
+      case Botan::Classic_McEliece_Parameter_Set::testpcf:
+         // z^8 + z^7 + z^2 + z + 1 (test instance)
+         return GF_Mod(0b0000000110000111);
    }
+   BOTAN_ASSERT_UNREACHABLE();
+}
 
-   return big_f_coef;
+Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_Set param_set) {
+   GF_Mod poly_f = determine_poly_f(param_set);
+
+   switch(param_set) {
+      // TODO: Remove test instance on final PR
+      case Botan::Classic_McEliece_Parameter_Set::test:
+      case Botan::Classic_McEliece_Parameter_Set::testf:
+      case Botan::Classic_McEliece_Parameter_Set::testpc:
+      case Botan::Classic_McEliece_Parameter_Set::testpcf:
+         // y^8 + y^4 + y^3 + y^2 + 1 (test instances)
+         return {{{0, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {2, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {3, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {4, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+                 poly_f,
+                 8};
+      case Classic_McEliece_Parameter_Set::mceliece348864:
+      case Classic_McEliece_Parameter_Set::mceliece348864f:
+         // y^64 + y^3 + y + z
+         return {{{3, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {1, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {0, Classic_McEliece_GF(GF_Elem(2), poly_f)}},
+                 poly_f,
+                 64};
+      case Classic_McEliece_Parameter_Set::mceliece460896:
+      case Classic_McEliece_Parameter_Set::mceliece460896f:
+         // y^96 + y^10 + y^9 + y^6 + 1
+         return {{{10, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {9, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {6, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+                 poly_f,
+                 96};
+      case Classic_McEliece_Parameter_Set::mceliece6960119:
+      case Classic_McEliece_Parameter_Set::mceliece6960119f:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pc:
+      case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
+         // y^119 + y^8 + 1
+         // clang-format off
+         return {{{8, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+                  poly_f,
+                  119};
+         // clang-format on
+      case Classic_McEliece_Parameter_Set::mceliece6688128:
+      case Classic_McEliece_Parameter_Set::mceliece6688128f:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pc:
+      case Classic_McEliece_Parameter_Set::mceliece6688128pcf:
+      case Classic_McEliece_Parameter_Set::mceliece8192128:
+      case Classic_McEliece_Parameter_Set::mceliece8192128f:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pc:
+      case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
+         // y^128 + y^7 + y^2 + y + 1
+         return {{{7, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {2, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {1, Classic_McEliece_GF(GF_Elem(1), poly_f)},
+                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+                 poly_f,
+                 128};
+   }
+   BOTAN_ASSERT_UNREACHABLE();
 }
+
 }  //namespace
 
 Classic_McEliece_Parameters Classic_McEliece_Parameters::create(Classic_McEliece_Parameter_Set set) {
+   auto poly_ring = determine_poly_ring(set);
+
    switch(set) {
       case Classic_McEliece_Parameter_Set::mceliece348864:
       case Classic_McEliece_Parameter_Set::mceliece348864f:
-         return Classic_McEliece_Parameters(set, 12, 3488, 64, GF_Mod(0b0001000000001001));
+         return Classic_McEliece_Parameters(set, 12, 3488, std::move(poly_ring));
 
       case Classic_McEliece_Parameter_Set::mceliece460896:
       case Classic_McEliece_Parameter_Set::mceliece460896f:
-         return Classic_McEliece_Parameters(set, 13, 4608, 96, GF_Mod(0b0010000000011011));
+         return Classic_McEliece_Parameters(set, 13, 4608, std::move(poly_ring));
 
       case Classic_McEliece_Parameter_Set::mceliece6688128:
       case Classic_McEliece_Parameter_Set::mceliece6688128f:
       case Classic_McEliece_Parameter_Set::mceliece6688128pc:
       case Classic_McEliece_Parameter_Set::mceliece6688128pcf:
-         return Classic_McEliece_Parameters(set, 13, 6688, 128, GF_Mod(0b0010000000011011));
+         return Classic_McEliece_Parameters(set, 13, 6688, std::move(poly_ring));
 
       case Classic_McEliece_Parameter_Set::mceliece6960119:
       case Classic_McEliece_Parameter_Set::mceliece6960119f:
       case Classic_McEliece_Parameter_Set::mceliece6960119pc:
       case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
-         return Classic_McEliece_Parameters(set, 13, 6960, 119, GF_Mod(0b0010000000011011));
+         return Classic_McEliece_Parameters(set, 13, 6960, std::move(poly_ring));
 
       case Classic_McEliece_Parameter_Set::mceliece8192128:
       case Classic_McEliece_Parameter_Set::mceliece8192128f:
       case Classic_McEliece_Parameter_Set::mceliece8192128pc:
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
-         return Classic_McEliece_Parameters(set, 13, 8192, 128, GF_Mod(0b0010000000011011));
+         return Classic_McEliece_Parameters(set, 13, 8192, std::move(poly_ring));
 
       // TODO: Remove on final PR
       case Botan::Classic_McEliece_Parameter_Set::test:
       case Botan::Classic_McEliece_Parameter_Set::testf:
       case Botan::Classic_McEliece_Parameter_Set::testpc:
       case Botan::Classic_McEliece_Parameter_Set::testpcf:
-         return Classic_McEliece_Parameters(set, 8, 128, 8, GF_Mod(0b0000000110000111));
+         return Classic_McEliece_Parameters(set, 8, 128, std::move(poly_ring));
    }
-
    BOTAN_ASSERT_UNREACHABLE();
 }
 
@@ -96,22 +156,18 @@ Classic_McEliece_Parameters Classic_McEliece_Parameters::create(std::string_view
 }
 
 Classic_McEliece_Parameters Classic_McEliece_Parameters::create(const OID& oid) {
-   auto param_set = cmce_param_set_from_oid(oid);
-   return create(param_set);
+   return create(cmce_param_set_from_oid(oid));
 }
 
 OID Classic_McEliece_Parameters::object_identifier() const {
    return OID::from_string(cmce_str_from_param_set(m_set));
 }
 
-Classic_McEliece_Parameters::Classic_McEliece_Parameters(
-   Classic_McEliece_Parameter_Set param_set, size_t m, size_t n, size_t t, GF_Mod poly_f) :
-      m_set(param_set),
-      m_m(m),
-      m_n(n),
-      m_t(t),
-      m_poly_f(poly_f),
-      m_poly_ring(determine_big_f_coef(t, poly_f), poly_f, t) {
+Classic_McEliece_Parameters::Classic_McEliece_Parameters(Classic_McEliece_Parameter_Set param_set,
+                                                         size_t m,
+                                                         size_t n,
+                                                         Classic_McEliece_Polynomial_Ring poly_ring) :
+      m_set(param_set), m_m(m), m_n(n), m_poly_ring(std::move(poly_ring)) {
    BOTAN_ASSERT(n % 8 == 0, "We require that n is a multiple of 8");
 }
 
@@ -120,20 +176,36 @@ size_t Classic_McEliece_Parameters::estimated_strength() const {
    // For each instance, the minimal strength against the best attack (with free memory access)
    // is used as the overall security strength estimate. The strength is capped at 256, since the
    // seed is only 256 bits long.
-   switch(n()) {
-      case 3488:
+   switch(m_set) {
+      case Botan::Classic_McEliece_Parameter_Set::mceliece348864:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece348864f:
          return 140;
-      case 4608:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece460896:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece460896f:
          return 179;
-      case 6688:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6688128:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6688128f:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6688128pc:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6688128pcf:
          return 246;
-      case 6960:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6960119:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6960119f:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6960119pc:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece6960119pcf:
          return 245;
-      case 8192:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece8192128:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece8192128f:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece8192128pc:
+      case Botan::Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          return 256;  // 275 in the document. Capped at 256 because of the seed length.
-      default:
-         throw Decoding_Error("Strength for parameter set ist not registed.");
+      // TODO: Remove on final PR
+      case Botan::Classic_McEliece_Parameter_Set::test:
+      case Botan::Classic_McEliece_Parameter_Set::testf:
+      case Botan::Classic_McEliece_Parameter_Set::testpc:
+      case Botan::Classic_McEliece_Parameter_Set::testpcf:
+         return 0;
    }
+   BOTAN_ASSERT_UNREACHABLE();
 }
 
 std::unique_ptr<XOF> Classic_McEliece_Parameters::prg(std::span<const uint8_t> seed) const {
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.h b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
index 138cb29eb5e..edfa30ad3f8 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
@@ -9,9 +9,9 @@
 #ifndef BOTAN_CMCE_PARAMS_H_
 #define BOTAN_CMCE_PARAMS_H_
 
+#include <botan/asn1_obj.h>
 #include <botan/cmce_parameter_set.h>
 #include <botan/hash.h>
-#include <botan/oids.h>
 #include <botan/xof.h>
 #include <botan/internal/bitvector.h>
 #include <botan/internal/cmce_gf.h>
@@ -55,7 +55,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
       /**
        * @brief The parameter set for this Classic McEliece instance.
        */
-      Classic_McEliece_Parameter_Set set() const { return m_set; }
+      Classic_McEliece_Parameter_Set parameter_set() const { return m_set; }
 
       /**
        * @brief The OID for the Classic McEliece instance.
@@ -113,7 +113,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
       /**
        * @brief The weight of the error vector e.
        */
-      size_t t() const { return m_t; }
+      size_t t() const { return m_poly_ring.degree(); }
 
       /**
        * @brief Bit output length of the hash function H.
@@ -154,7 +154,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
        * @brief The monic irreducible polynomial f(z) of degree m over GF(2). Used for modular
        * reduction in GF(2^m).
        */
-      GF_Mod poly_f() const { return m_poly_f; }
+      GF_Mod poly_f() const { return m_poly_ring.poly_f(); }
 
       /**
        * @brief The estimated bit security strength of the Classic McEliece instance.
@@ -273,18 +273,17 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
        * @param elem The GF(q) element value.
        * @return The GF(q) element.
        */
-      Classic_McEliece_GF gf(GF_Elem elem) const { return Classic_McEliece_GF(elem, m_poly_f); }
+      Classic_McEliece_GF gf(GF_Elem elem) const { return Classic_McEliece_GF(elem, poly_f()); }
 
    private:
-      Classic_McEliece_Parameters(
-         Classic_McEliece_Parameter_Set param_set, size_t m, size_t n, size_t t, GF_Mod poly_f);
+      Classic_McEliece_Parameters(Classic_McEliece_Parameter_Set param_set,
+                                  size_t m,
+                                  size_t n,
+                                  Classic_McEliece_Polynomial_Ring poly_ring);
 
       Classic_McEliece_Parameter_Set m_set;
-
       size_t m_m;
       size_t m_n;
-      size_t m_t;
-      GF_Mod m_poly_f;
       Classic_McEliece_Polynomial_Ring m_poly_ring;
 };
 
diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
index 70e6671ce9a..2e910cba7b9 100644
--- a/src/tests/test_cmce.cpp
+++ b/src/tests/test_cmce.cpp
@@ -84,7 +84,7 @@ std::vector<Botan::Classic_McEliece_Parameter_Set> instances_to_test() {
 bool skip_cmce_test(const std::string& params_str) {
    auto params = Botan::Classic_McEliece_Parameters::create(params_str);
    auto to_test = instances_to_test();
-   return std::find(to_test.begin(), to_test.end(), params.set()) == to_test.end();
+   return std::find(to_test.begin(), to_test.end(), params.parameter_set()) == to_test.end();
 }
 }  // namespace
 

From 1089ca37b68614ab64c39a35cf7a5d4474104378 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 10:48:40 +0100
Subject: [PATCH 23/27] Apply review suggestions

---
 src/lib/pubkey/classic_mceliece/cmce_poly.cpp | 12 ++++++------
 src/lib/pubkey/classic_mceliece/cmce_poly.h   |  6 ++----
 src/lib/pubkey/classic_mceliece/info.txt      |  1 -
 src/lib/utils/bit_ops.h                       |  2 +-
 4 files changed, 9 insertions(+), 12 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
index cf718582d0e..fa2a366aaef 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
@@ -38,7 +38,7 @@ std::vector<GF_Elem> load_le_gf_vec(std::span<const uint8_t> bytes) {
 }  // namespace
 
 Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF a) const {
-   BOTAN_ASSERT(a.modulus() == coef_at(0).modulus(), "Unmatching Galois fields");
+   BOTAN_ASSERT(a.modulus() == coef_at(0).modulus(), "Galois fields match");
 
    Classic_McEliece_GF r(GF_Elem(0), a.modulus());
    for(auto it = m_coef.rbegin(); it != m_coef.rend(); ++it) {
@@ -67,7 +67,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::multiply(const Cla
 
    prod.erase(prod.begin() + m_t, prod.end());
 
-   return Classic_McEliece_Polynomial(prod);
+   return Classic_McEliece_Polynomial(std::move(prod));
 }
 
 Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_bytes(
@@ -100,7 +100,7 @@ std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_R
    mat.push_back(create_element_from_coef(concat_as<std::vector<GF_Elem>>(
       std::vector<GF_Elem>{GF_Elem(1)}, std::vector<GF_Elem>(degree() - 1, GF_Elem(0)))));
 
-   mat.emplace_back(polynomial);
+   mat.push_back(polynomial);
 
    for(size_t j = 2; j <= degree(); ++j) {
       mat.push_back(multiply(mat.at(j - 1), polynomial));
@@ -129,7 +129,7 @@ std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_R
 
       for(size_t k = 0; k < degree(); ++k) {
          if(k != j) {
-            auto t = mat.at(j).coef_at(k);
+            const auto t = mat.at(j).coef_at(k);
 
             for(size_t c = j; c < degree() + 1; ++c) {
                mat.at(c).coef_at(k) += mat.at(c).coef_at(j) * t;
@@ -149,11 +149,11 @@ secure_vector<uint8_t> Classic_McEliece_Minimal_Polynomial::serialize() const {
    BOTAN_ASSERT_NOMSG(!coef().empty());
    auto& all_coeffs = coef();
    // Store all except coef for monomial x^t since polynomial is monic (ISO Spec Section 9.2.9)
-   auto coeffs_to_store = std::span(all_coeffs).subspan(0, all_coeffs.size() - 1);
+   auto coeffs_to_store = std::span(all_coeffs).first(all_coeffs.size() - 1);
    secure_vector<uint8_t> bytes(sizeof(uint16_t) * coeffs_to_store.size());
    BufferStuffer bytes_stuf(bytes);
    for(auto& coef : coeffs_to_store) {
-      store_le(coef.elem().get(), bytes_stuf.next(sizeof(GF_Elem)).data());
+      store_le(bytes_stuf.next<sizeof(GF_Elem)>(), coef.elem().get());
    }
    BOTAN_ASSERT_NOMSG(bytes_stuf.full());
    return bytes;
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.h b/src/lib/pubkey/classic_mceliece/cmce_poly.h
index 4645263aedb..ffd189675aa 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_poly.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.h
@@ -90,14 +90,12 @@ class BOTAN_TEST_API Classic_McEliece_Minimal_Polynomial : public Classic_McElie
       static Classic_McEliece_Minimal_Polynomial from_bytes(std::span<const uint8_t> bytes, GF_Mod poly_f);
 };
 
-// Stores all auxiliary information and logic of FF_(q^t) via FF_q[y]/F(y)
 /**
  * @brief Represents the polynomial ring GF(q)[y]/F(y) where F(y) is the modulus polynomial in
  * GF(q)[y] of degree t.
  *
  * This class contains a modulus polynomial F(y) and the GF(q) modulus f(z). It is used
  * to create and operate with Classic_McEliece_Polynomials.
- *
  */
 class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
    public:
@@ -122,8 +120,8 @@ class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
        * @param poly_f The modulus f(z) of GF(q).
        * @param t The polynomial degree of the ring (and of F(y)).
        */
-      Classic_McEliece_Polynomial_Ring(const std::vector<Big_F_Coefficient>& poly_big_f_coef, GF_Mod poly_f, size_t t) :
-            m_position_map(poly_big_f_coef), m_t(t), m_poly_f(poly_f) {}
+      Classic_McEliece_Polynomial_Ring(std::vector<Big_F_Coefficient> poly_big_f_coef, GF_Mod poly_f, size_t t) :
+            m_position_map(std::move(poly_big_f_coef)), m_t(t), m_poly_f(poly_f) {}
 
       GF_Mod poly_f() const { return m_poly_f; }
 
diff --git a/src/lib/pubkey/classic_mceliece/info.txt b/src/lib/pubkey/classic_mceliece/info.txt
index c537b5e628b..85472dad2f5 100644
--- a/src/lib/pubkey/classic_mceliece/info.txt
+++ b/src/lib/pubkey/classic_mceliece/info.txt
@@ -7,7 +7,6 @@ name -> "Classic McEliece"
 </module_info>
 
 <requires>
-xof
 shake
 shake_xof
 </requires>
diff --git a/src/lib/utils/bit_ops.h b/src/lib/utils/bit_ops.h
index d3de9856a83..888192b6583 100644
--- a/src/lib/utils/bit_ops.h
+++ b/src/lib/utils/bit_ops.h
@@ -212,7 +212,7 @@ inline constexpr T majority(T a, T b, T c) {
  * instruction, if available. This is the SWAR (SIMD within a register)
  * algorithm. See: https://nimrod.blog/posts/algorithms-behind-popcount/#swar-algorithm
  *
- * Note: C++20 provides std::popcount(), but there's no gurantee that this
+ * Note: C++20 provides std::popcount(), but there's no guarantee that this
  *       is implemented in constant-time.
  *
  * @param x an unsigned integer

From c218cdde4285f2268eae0fe6ea9b2853a933681a Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 12:06:16 +0100
Subject: [PATCH 24/27] Add rigged RNG encryption test

---
 src/tests/test_cmce.cpp | 37 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)

diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
index 2e910cba7b9..18c1880aeaa 100644
--- a/src/tests/test_cmce.cpp
+++ b/src/tests/test_cmce.cpp
@@ -196,8 +196,43 @@ class CMCE_Utility_Tests final : public Test {
          return result;
       }
 
+      Test::Result rigged_rng_encryption_test() {
+         // RNG that always returns zero bytes
+         class All_Zero_RNG : public Botan::RandomNumberGenerator {
+            public:
+               void fill_bytes_with_input(std::span<uint8_t> output, std::span<const uint8_t> /* ignored */) override {
+                  std::fill(output.begin(), output.end(), 0);
+               }
+
+               std::string name() const override { return "All_Zero_RNG"; }
+
+               bool accepts_input() const override { return false; }
+
+               void clear() override {}
+
+               bool is_seeded() const override { return true; }
+         } rigged_rng;
+
+         Test::Result result("No endless loop with rigged RNG");
+         // Key creation should work even with a rigged RNG (PRNG is not used for key creation)
+         auto private_key = Botan::create_private_key("ClassicMcEliece", rigged_rng, "mceliece348864f");
+         if(!private_key) {
+            result.test_failure("Key generation failed");
+            return result;
+         }
+         auto enc = Botan::PK_KEM_Encryptor(*private_key, "Raw");
+         result.test_throws("Many failed encryption attempts throws exception", [&] { enc.encrypt(rigged_rng); });
+
+         return result;
+      }
+
       std::vector<Test::Result> run() override {
-         return {expand_seed_test(), irreducible_poly_gen_test(), gf_test(), gf_inv_test(), gf_poly_mul_test()};
+         return {expand_seed_test(),
+                 irreducible_poly_gen_test(),
+                 gf_test(),
+                 gf_inv_test(),
+                 gf_poly_mul_test(),
+                 rigged_rng_encryption_test()};
       }
 };
 

From c1dd5aba574d609bc5a229b7f31545b19e8602e6 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 12:41:21 +0100
Subject: [PATCH 25/27] Use std::tie for CMCE keypair

---
 src/lib/pubkey/classic_mceliece/cmce.cpp             | 5 +----
 src/lib/pubkey/classic_mceliece/cmce_keys_internal.h | 9 +++++++++
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 9bbaa1d19dc..4872cad0f40 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -84,10 +84,7 @@ Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(RandomNumberGenerator&
                                                          Classic_McEliece_Parameter_Set param_set) {
    auto params = Classic_McEliece_Parameters::create(param_set);
    auto seed = rng.random_vec<Initial_Seed>(params.seed_len());
-   auto key_pair = Classic_McEliece_KeyPair_Internal::generate(params, seed);
-
-   m_private = key_pair.private_key;
-   m_public = key_pair.public_key;
+   std::tie(m_private, m_public) = Classic_McEliece_KeyPair_Internal::generate(params, seed).decompose_to_pair();
 }
 
 Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(std::span<const uint8_t> sk,
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
index 061bae72216..10bca143439 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
@@ -180,6 +180,15 @@ struct BOTAN_TEST_API Classic_McEliece_KeyPair_Internal {
        */
       static Classic_McEliece_KeyPair_Internal generate(const Classic_McEliece_Parameters& params,
                                                         StrongSpan<const Initial_Seed> seed);
+
+      /**
+       * @brief Decompose the key pair into a pair of shared pointers to the private and public key.
+       */
+      std::pair<std::shared_ptr<Classic_McEliece_PrivateKeyInternal>,
+                std::shared_ptr<Classic_McEliece_PublicKeyInternal>>
+      decompose_to_pair() && {
+         return {std::move(private_key), std::move(public_key)};
+      }
 };
 
 }  // namespace Botan

From 8550cd37e484b9cd6c3ada45ba6555fc1cd475d6 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 15:16:57 +0100
Subject: [PATCH 26/27] Rename and addition of strong types

---
 src/lib/pubkey/classic_mceliece/cmce.cpp      | 16 +++----
 .../pubkey/classic_mceliece/cmce_decaps.cpp   | 24 +++++-----
 src/lib/pubkey/classic_mceliece/cmce_decaps.h |  2 +-
 .../pubkey/classic_mceliece/cmce_encaps.cpp   | 12 ++---
 src/lib/pubkey/classic_mceliece/cmce_encaps.h | 10 ++---
 .../classic_mceliece/cmce_field_ordering.cpp  | 16 +++----
 .../classic_mceliece/cmce_field_ordering.h    | 14 +++---
 src/lib/pubkey/classic_mceliece/cmce_gf.cpp   | 10 ++---
 src/lib/pubkey/classic_mceliece/cmce_gf.h     | 26 +++++------
 .../classic_mceliece/cmce_keys_internal.cpp   | 24 +++++-----
 .../classic_mceliece/cmce_keys_internal.h     | 20 ++++-----
 .../pubkey/classic_mceliece/cmce_matrix.cpp   | 30 ++++++-------
 src/lib/pubkey/classic_mceliece/cmce_matrix.h |  6 +--
 .../classic_mceliece/cmce_parameters.cpp      | 44 +++++++++----------
 .../pubkey/classic_mceliece/cmce_parameters.h |  4 +-
 src/lib/pubkey/classic_mceliece/cmce_poly.cpp | 32 +++++++-------
 src/lib/pubkey/classic_mceliece/cmce_poly.h   | 12 ++---
 src/lib/pubkey/classic_mceliece/cmce_types.h  | 28 +++++++-----
 src/tests/test_cmce.cpp                       | 16 +++----
 19 files changed, 176 insertions(+), 170 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce.cpp b/src/lib/pubkey/classic_mceliece/cmce.cpp
index 4872cad0f40..e67028161a5 100644
--- a/src/lib/pubkey/classic_mceliece/cmce.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce.cpp
@@ -83,7 +83,7 @@ std::unique_ptr<PK_Ops::KEM_Encryption> Classic_McEliece_PublicKey::create_kem_e
 Classic_McEliece_PrivateKey::Classic_McEliece_PrivateKey(RandomNumberGenerator& rng,
                                                          Classic_McEliece_Parameter_Set param_set) {
    auto params = Classic_McEliece_Parameters::create(param_set);
-   auto seed = rng.random_vec<Initial_Seed>(params.seed_len());
+   auto seed = rng.random_vec<CmceInitialSeed>(params.seed_len());
    std::tie(m_private, m_public) = Classic_McEliece_KeyPair_Internal::generate(params, seed).decompose_to_pair();
 }
 
@@ -117,11 +117,11 @@ secure_vector<uint8_t> Classic_McEliece_PrivateKey::raw_private_key_bits() const
 bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const {
    auto prg = m_private->params().prg(m_private->delta());
 
-   const auto s = prg->output<Rejection_Seed>(m_private->params().n() / 8);
-   const auto ordering_seed =
-      prg->output<secure_vector<uint8_t>>((m_private->params().sigma2() * m_private->params().q()) / 8);
-   const auto irreducible_seed =
-      prg->output<secure_vector<uint8_t>>((m_private->params().sigma1() * m_private->params().t()) / 8);
+   const auto s = prg->output<CmceRejectionSeed>(m_private->params().n() / 8);
+   const auto ordering_bits =
+      prg->output<CmceOrderingBits>((m_private->params().sigma2() * m_private->params().q()) / 8);
+   const auto irreducible_bits =
+      prg->output<CmceIrreducibleBits>((m_private->params().sigma1() * m_private->params().t()) / 8);
 
    // Recomputing s as hash of delta
    auto ret =
@@ -130,7 +130,7 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
    // Checking weight of c
    ret &= CT::Mask<size_t>::is_equal(m_private->c().ct_hamming_weight(), 32);
 
-   if(auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_seed)) {
+   if(auto g = m_private->params().poly_ring().compute_minimal_polynomial(irreducible_bits)) {
       for(size_t i = 0; i < g->degree() - 1; ++i) {
          ret &= CT::Mask<size_t>::expand(GF_Mask::is_equal(g->coef_at(i), m_private->g().coef_at(i)).elem_mask());
       }
@@ -140,7 +140,7 @@ bool Classic_McEliece_PrivateKey::check_key(RandomNumberGenerator&, bool) const
 
    // Check alpha control bits
    if(auto field_ord_from_seed =
-         Classic_McEliece_Field_Ordering::create_field_ordering(m_private->params(), ordering_seed)) {
+         Classic_McEliece_Field_Ordering::create_field_ordering(m_private->params(), ordering_bits)) {
       field_ord_from_seed->permute_with_pivots(m_private->params(), m_private->c());
       ret &= CT::Mask<size_t>::expand(field_ord_from_seed->ct_is_equal(m_private->field_ordering()));
    } else {
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
index ef1b1792ae1..9133ee8f749 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.cpp
@@ -19,7 +19,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
    const Classic_McEliece_Field_Ordering& ordering,
    const secure_bitvector& code_word) const {
    BOTAN_ASSERT(params.n() == code_word.size(), "Correct code word size");
-   std::vector<Classic_McEliece_GF> syndrome(2 * params.t(), params.gf(GF_Elem(0)));
+   std::vector<Classic_McEliece_GF> syndrome(2 * params.t(), params.gf(CmceGfElem(0)));
 
    auto alphas = ordering.alphas(params.n());
 
@@ -41,17 +41,17 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::compute_goppa_syndrome(
 Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(
    const Classic_McEliece_Parameters& params, const Classic_McEliece_Polynomial& syndrome) const {
    // Represents coefficients of corresponding polynomials
-   std::vector<Classic_McEliece_GF> big_c(params.t() + 1, params.gf(GF_Elem(0)));
-   std::vector<Classic_McEliece_GF> big_b(params.t() + 1, params.gf(GF_Elem(0)));
+   std::vector<Classic_McEliece_GF> big_c(params.t() + 1, params.gf(CmceGfElem(0)));
+   std::vector<Classic_McEliece_GF> big_b(params.t() + 1, params.gf(CmceGfElem(0)));
 
-   auto b = params.gf(GF_Elem(1));
+   auto b = params.gf(CmceGfElem(1));
 
    // Start with x^m for m=1, see pseudocode of https://en.wikipedia.org/wiki/Berlekamp%E2%80%93Massey_algorithm
-   big_b.at(1) = GF_Elem(1);
-   big_c.at(0) = GF_Elem(1);
+   big_b.at(1) = CmceGfElem(1);
+   big_c.at(0) = CmceGfElem(1);
 
    for(size_t big_n = 0, big_l = 0; big_n < 2 * params.t(); ++big_n) {
-      auto d = params.gf(GF_Elem(0));
+      auto d = params.gf(CmceGfElem(0));
       for(size_t i = 0; i <= std::min(big_n, params.t()); ++i) {
          d += big_c.at(i) * syndrome.coef_at(big_n - i);
       }
@@ -88,7 +88,7 @@ Classic_McEliece_Polynomial Classic_McEliece_Decryptor::berlekamp_massey(
    return Classic_McEliece_Polynomial(big_c);
 }
 
-std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Code_Word big_c) const {
+std::pair<CT::Mask<uint8_t>, CmceErrorVector> Classic_McEliece_Decryptor::decode(CmceCodeWord big_c) const {
    BOTAN_ASSERT(big_c.size() == m_key->params().m() * m_key->params().t(), "Correct ciphertext input size");
    big_c.resize(m_key->params().n());
 
@@ -102,7 +102,7 @@ std::pair<CT::Mask<uint8_t>, Error_Vector> Classic_McEliece_Decryptor::decode(Co
       alphas.begin(), alphas.end(), std::back_inserter(images), [&](const auto& alpha) { return locator(alpha); });
 
    // Obtain e and check whether wt(e) = t. locator(alpha_i) = 0 <=> error at position i
-   Error_Vector e;
+   CmceErrorVector e;
    e.get().reserve(m_key->params().n());
    auto decode_success = CT::Mask<uint8_t>::set();  // Avoid bool to avoid possible compiler optimizations
    for(const auto& image : images) {
@@ -127,15 +127,15 @@ void Classic_McEliece_Decryptor::raw_kem_decrypt(std::span<uint8_t> out_shared_k
    BOTAN_ARG_CHECK(out_shared_key.size() == m_key->params().hash_out_bytes(), "Invalid shared key output size");
    BOTAN_ARG_CHECK(encapsulated_key.size() == m_key->params().ciphertext_size(), "Invalid ciphertext size");
 
-   auto [ct, c1] = [&]() -> std::pair<Code_Word, std::span<const uint8_t>> {
+   auto [ct, c1] = [&]() -> std::pair<CmceCodeWord, std::span<const uint8_t>> {
       if(m_key->params().is_pc()) {
          BufferSlicer encaps_key_slicer(encapsulated_key);
          auto c0_ret = encaps_key_slicer.take(m_key->params().encode_out_size());
          auto c1_ret = encaps_key_slicer.take(m_key->params().hash_out_bytes());
          BOTAN_ASSERT_NOMSG(encaps_key_slicer.empty());
-         return {Code_Word(secure_bitvector(c0_ret, m_key->params().m() * m_key->params().t())), c1_ret};
+         return {CmceCodeWord(secure_bitvector(c0_ret, m_key->params().m() * m_key->params().t())), c1_ret};
       } else {
-         return {Code_Word(secure_bitvector(encapsulated_key, m_key->params().m() * m_key->params().t())), {}};
+         return {CmceCodeWord(secure_bitvector(encapsulated_key, m_key->params().m() * m_key->params().t())), {}};
       }
    }();
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_decaps.h b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
index 283a8634a29..41c57d4b025 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_decaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_decaps.h
@@ -75,7 +75,7 @@ class BOTAN_TEST_API Classic_McEliece_Decryptor final : public PK_Ops::KEM_Decry
        * @param big_c The code word.
        * @return A pair containing the decoded message and the error pattern.
        */
-      std::pair<CT::Mask<uint8_t>, Error_Vector> decode(Code_Word big_c) const;
+      std::pair<CT::Mask<uint8_t>, CmceErrorVector> decode(CmceCodeWord big_c) const;
 
       std::shared_ptr<Classic_McEliece_PrivateKeyInternal> m_key;
 };
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
index eac3fd9cfe7..e1a5570f206 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.cpp
@@ -14,13 +14,13 @@
 
 namespace Botan {
 
-Code_Word Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
-                                             const Error_Vector& e,
-                                             const Classic_McEliece_Matrix& mat) const {
+CmceCodeWord Classic_McEliece_Encryptor::encode(const Classic_McEliece_Parameters& params,
+                                                const CmceErrorVector& e,
+                                                const Classic_McEliece_Matrix& mat) const {
    return mat.mul(params, e);
 }
 
-std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
+std::optional<CmceErrorVector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
    const Classic_McEliece_Parameters& params, RandomNumberGenerator& rng) const {
    const auto rand = rng.random_vec((params.sigma1() / 8) * params.tau());
    uint16_t mask_m = (uint32_t(1) << params.m()) - 1;  // Only take m least significant bits
@@ -73,7 +73,7 @@ std::optional<Error_Vector> Classic_McEliece_Encryptor::fixed_weight_vector_gen(
       }
    }
 
-   return Error_Vector(secure_bitvector(e_bytes, params.n()));
+   return CmceErrorVector(secure_bitvector(e_bytes, params.n()));
 }
 
 void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsulated_key,
@@ -87,7 +87,7 @@ void Classic_McEliece_Encryptor::raw_kem_encrypt(std::span<uint8_t> out_encapsul
 
    // Call fixed_weight until it is successful to
    // create a random error vector e of weight tau
-   const Error_Vector e = [&] {
+   const CmceErrorVector e = [&] {
       // Emergency abort in case unexpected logical error to prevent endless loops
       //   Success probability: >24% per attempt (25% that elements are distinct * 96% enough elements are in range)
       //   => 203 attempts for 2^(-80) fail probability
diff --git a/src/lib/pubkey/classic_mceliece/cmce_encaps.h b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
index 686b23757ab..ef7b18a679b 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_encaps.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_encaps.h
@@ -44,15 +44,15 @@ class BOTAN_TEST_API Classic_McEliece_Encryptor final : public PK_Ops::KEM_Encry
       /**
        * @brief Encodes an error vector by multiplying it with the Classic McEliece matrix.
        */
-      Code_Word encode(const Classic_McEliece_Parameters& params,
-                       const Error_Vector& e,
-                       const Classic_McEliece_Matrix& mat) const;
+      CmceCodeWord encode(const Classic_McEliece_Parameters& params,
+                          const CmceErrorVector& e,
+                          const Classic_McEliece_Matrix& mat) const;
 
       /**
       * @brief Fixed-weight-vector generation algorithm according to ISO McEliece.
       */
-      std::optional<Error_Vector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
-                                                          RandomNumberGenerator& rng) const;
+      std::optional<CmceErrorVector> fixed_weight_vector_gen(const Classic_McEliece_Parameters& params,
+                                                             RandomNumberGenerator& rng) const;
 };
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
index 67eff4a626b..dfa5f5c47e6 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.cpp
@@ -109,11 +109,11 @@ std::vector<std::pair<uint32_t, uint16_t>> enumerate(std::span<const uint32_t> v
 /**
 * @brief Create permutation pi as in (Section 8.2, Step 3).
 */
-Permutation create_pi(secure_vector<uint32_t>& a) {
+CmcePermutation create_pi(secure_vector<uint32_t>& a) {
    auto a_pi_zipped = enumerate(a);
    CMCE_CT::bitonic_sort_pair(std::span(a_pi_zipped));
 
-   Permutation pi_sorted;
+   CmcePermutation pi_sorted;
    std::tie(a, pi_sorted.get()) = unzip(a_pi_zipped);
 
    return pi_sorted;
@@ -123,7 +123,7 @@ Permutation create_pi(secure_vector<uint32_t>& a) {
 * @brief Create a GF element from pi as in (Section 8.2, Step 4).
 * Corresponds to the reverse bits of pi.
 */
-Classic_McEliece_GF from_pi(Permutation_Element pi_elem, GF_Mod modulus, size_t m) {
+Classic_McEliece_GF from_pi(CmcePermutationElement pi_elem, CmceGfMod modulus, size_t m) {
    std::bitset<16> bits(pi_elem.get());
    std::bitset<16> reversed_bits;
 
@@ -133,7 +133,7 @@ Classic_McEliece_GF from_pi(Permutation_Element pi_elem, GF_Mod modulus, size_t
 
    reversed_bits >>= (sizeof(uint16_t) * 8 - m);
 
-   return Classic_McEliece_GF(GF_Elem(static_cast<uint16_t>(reversed_bits.to_ulong())), modulus);
+   return Classic_McEliece_GF(CmceGfElem(static_cast<uint16_t>(reversed_bits.to_ulong())), modulus);
 }
 
 /**
@@ -247,7 +247,7 @@ secure_vector<uint16_t> generate_control_bits_internal(const secure_vector<uint1
 }  // anonymous namespace
 
 std::optional<Classic_McEliece_Field_Ordering> Classic_McEliece_Field_Ordering::create_field_ordering(
-   const Classic_McEliece_Parameters& params, std::span<const uint8_t> random_bits) {
+   const Classic_McEliece_Parameters& params, StrongSpan<const CmceOrderingBits> random_bits) {
    BOTAN_ARG_CHECK(random_bits.size() == (params.sigma2() * params.q()) / 8, "Wrong random bits size");
 
    secure_vector<uint32_t> a;  // contains a_0, a_1, ...
@@ -270,7 +270,7 @@ std::vector<Classic_McEliece_GF> Classic_McEliece_Field_Ordering::alphas(size_t
    std::vector<Classic_McEliece_GF> n_alphas_vec;
 
    std::transform(m_pi.begin(), m_pi.begin() + n, std::back_inserter(n_alphas_vec), [this](uint16_t pi_elem) {
-      return from_pi(Permutation_Element(pi_elem), m_poly_f, Classic_McEliece_GF::log_q_from_mod(m_poly_f));
+      return from_pi(CmcePermutationElement(pi_elem), m_poly_f, Classic_McEliece_GF::log_q_from_mod(m_poly_f));
    });
 
    return n_alphas_vec;
@@ -293,7 +293,7 @@ Classic_McEliece_Field_Ordering Classic_McEliece_Field_Ordering::create_from_con
    const Classic_McEliece_Parameters& params, const secure_bitvector& control_bits) {
    BOTAN_ASSERT_NOMSG(control_bits.size() == (2 * params.m() - 1) << (params.m() - 1));
    const uint16_t n = uint16_t(1) << params.m();
-   Permutation pi(n);
+   CmcePermutation pi(n);
    std::iota(pi.begin(), pi.end(), 0);
    for(size_t i = 0; i < 2 * params.m() - 1; ++i) {
       const size_t gap = size_t(1) << std::min(i, 2 * params.m() - 2 - i);
@@ -308,7 +308,7 @@ Classic_McEliece_Field_Ordering Classic_McEliece_Field_Ordering::create_from_con
 }
 
 void Classic_McEliece_Field_Ordering::permute_with_pivots(const Classic_McEliece_Parameters& params,
-                                                          const Column_Selection& pivots) {
+                                                          const CmceColumnSelection& pivots) {
    auto col_offset = params.pk_no_rows() - Classic_McEliece_Parameters::mu();
 
    for(size_t p_idx = 1; p_idx <= Classic_McEliece_Parameters::mu(); ++p_idx) {
diff --git a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
index 82796019351..c5b366e2628 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_field_ordering.h
@@ -33,7 +33,7 @@ class BOTAN_TEST_API Classic_McEliece_Field_Ordering {
        * @return The field ordering.
        */
       static std::optional<Classic_McEliece_Field_Ordering> create_field_ordering(
-         const Classic_McEliece_Parameters& params, std::span<const uint8_t> random_bits);
+         const Classic_McEliece_Parameters& params, StrongSpan<const CmceOrderingBits> random_bits);
 
       /**
        * @brief Create the field ordering from the control bits of a benes network.
@@ -65,14 +65,14 @@ class BOTAN_TEST_API Classic_McEliece_Field_Ordering {
        *
        * @return pi values.
        */
-      Permutation& pi_ref() { return m_pi; }
+      CmcePermutation& pi_ref() { return m_pi; }
 
       /**
        * @brief The pi values representing the field ordering.
        *
        * @return pi values.
        */
-      const Permutation& pi_ref() const { return m_pi; }
+      const CmcePermutation& pi_ref() const { return m_pi; }
 
       /**
        * @brief Constant time comparison of two field orderings.
@@ -97,14 +97,14 @@ class BOTAN_TEST_API Classic_McEliece_Field_Ordering {
        * @param params The McEliece parameters.
        * @param pivots The pivot vector.
        */
-      void permute_with_pivots(const Classic_McEliece_Parameters& params, const Column_Selection& pivots);
+      void permute_with_pivots(const Classic_McEliece_Parameters& params, const CmceColumnSelection& pivots);
 
    private:
-      Classic_McEliece_Field_Ordering(Permutation pi, GF_Mod poly_f) : m_pi(std::move(pi)), m_poly_f(poly_f) {}
+      Classic_McEliece_Field_Ordering(CmcePermutation pi, CmceGfMod poly_f) : m_pi(std::move(pi)), m_poly_f(poly_f) {}
 
    private:
-      Permutation m_pi;
-      GF_Mod m_poly_f;
+      CmcePermutation m_pi;
+      CmceGfMod m_poly_f;
 };
 
 }  // namespace Botan
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.cpp b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
index d23e144109e..508233df3a7 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.cpp
@@ -14,7 +14,7 @@
 namespace Botan {
 
 namespace {
-inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
+inline CmceGfElem internal_reduce(uint32_t x, CmceGfMod mod) {
    // Optimization for the specific moduli used in Classic McEliece
    // Taken from the reference implementation
    if(mod == 0b0010000000011011) {
@@ -24,7 +24,7 @@ inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
       t = x & 0x000E000;
       x ^= (t >> 9) ^ (t >> 10) ^ (t >> 12) ^ (t >> 13);
 
-      return GF_Elem(x & 0x1fff);
+      return CmceGfElem(x & 0x1fff);
    } else if(mod == 0b0001000000001001) {
       uint32_t t = x & 0x7FC000;
       x ^= t >> 9;
@@ -36,7 +36,7 @@ inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
 
       x &= 0xfff;
 
-      return GF_Elem(static_cast<uint16_t>(x & 0xfff));
+      return CmceGfElem(static_cast<uint16_t>(x & 0xfff));
    } else {
       // TODO: Only for test instances. Remove on final PR
       size_t m = Classic_McEliece_GF::log_q_from_mod(mod);
@@ -46,7 +46,7 @@ inline GF_Elem internal_reduce(uint32_t x, GF_Mod mod) {
                  .if_set_return(static_cast<uint32_t>(mod.get()) << i);
       }
 
-      return GF_Elem(static_cast<uint16_t>(x));
+      return CmceGfElem(static_cast<uint16_t>(x));
    }
 }
 
@@ -75,7 +75,7 @@ Classic_McEliece_GF Classic_McEliece_GF::inv() const {
    Classic_McEliece_GF base = *this;
 
    // Compute base^exponent using the square-and-multiply algorithm
-   Classic_McEliece_GF result = {GF_Elem(1), m_modulus};
+   Classic_McEliece_GF result = {CmceGfElem(1), m_modulus};
    while(exponent > 0) {
       if(exponent % 2 == 1) {
          // multiply
diff --git a/src/lib/pubkey/classic_mceliece/cmce_gf.h b/src/lib/pubkey/classic_mceliece/cmce_gf.h
index ccbc799a979..722221d8b0e 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_gf.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_gf.h
@@ -38,7 +38,7 @@ class BOTAN_TEST_API Classic_McEliece_GF {
        * @param elem The element as a uint16_t. Must be less than 2^m.
        * @param modulus The modulus of GF(q).
        */
-      Classic_McEliece_GF(GF_Elem elem, GF_Mod modulus) : m_elem(elem), m_modulus(modulus) {
+      Classic_McEliece_GF(CmceGfElem elem, CmceGfMod modulus) : m_elem(elem), m_modulus(modulus) {
          BOTAN_DEBUG_ASSERT(elem <= (size_t(1) << log_q()) - 1);
       }
 
@@ -51,7 +51,7 @@ class BOTAN_TEST_API Classic_McEliece_GF {
        * @param modulus The modulus of GF(q).
        * @return size_t The degree log_q of the modulus (m for GF(2^m)).
        */
-      static size_t log_q_from_mod(GF_Mod modulus) { return floor_log2(modulus.get()); }
+      static size_t log_q_from_mod(CmceGfMod modulus) { return floor_log2(modulus.get()); }
 
       /**
        * @brief Get m, the degree of the element's modulus.
@@ -65,20 +65,20 @@ class BOTAN_TEST_API Classic_McEliece_GF {
        *
        * @return the element as a GF_Elem.
        */
-      GF_Elem elem() const { return m_elem; }
+      CmceGfElem elem() const { return m_elem; }
 
       /**
        * @brief Get the modulus f(z) of GF(q) as a GF_Mod.
        *
        * @return the modulus as a GF_Mod.
        */
-      GF_Mod modulus() const { return m_modulus; }
+      CmceGfMod modulus() const { return m_modulus; }
 
       /**
        * @brief Change the element to @p elem.
        */
-      Classic_McEliece_GF& operator=(const GF_Elem elem) {
-         m_elem = elem & GF_Elem((size_t(1) << log_q()) - 1);
+      Classic_McEliece_GF& operator=(const CmceGfElem elem) {
+         m_elem = elem & CmceGfElem((size_t(1) << log_q()) - 1);
          return *this;
       }
 
@@ -110,7 +110,7 @@ class BOTAN_TEST_API Classic_McEliece_GF {
       /**
        * @brief XOR assign a GF_Elem to the element of this. Constant time.
        */
-      Classic_McEliece_GF& operator^=(GF_Elem other) {
+      Classic_McEliece_GF& operator^=(CmceGfElem other) {
          m_elem ^= other;
          return *this;
       }
@@ -150,9 +150,9 @@ class BOTAN_TEST_API Classic_McEliece_GF {
       bool is_zero() const { return elem() == 0; }
 
    private:
-      GF_Elem m_elem;
+      CmceGfElem m_elem;
 
-      GF_Mod m_modulus;
+      CmceGfMod m_modulus;
 };
 
 /**
@@ -177,15 +177,15 @@ class BOTAN_TEST_API GF_Mask final {
       GF_Mask(CT::Mask<uint16_t> underlying_mask) : m_mask(underlying_mask) {}
 
       Classic_McEliece_GF if_set_return(const Classic_McEliece_GF x) const {
-         return Classic_McEliece_GF(GF_Elem(m_mask.if_set_return(x.elem().get())), x.modulus());
+         return Classic_McEliece_GF(CmceGfElem(m_mask.if_set_return(x.elem().get())), x.modulus());
       }
 
       Classic_McEliece_GF select(const Classic_McEliece_GF x, const Classic_McEliece_GF y) const {
-         return Classic_McEliece_GF(GF_Elem(m_mask.select(x.elem().get(), y.elem().get())), x.modulus());
+         return Classic_McEliece_GF(CmceGfElem(m_mask.select(x.elem().get(), y.elem().get())), x.modulus());
       }
 
-      Classic_McEliece_GF select(const Classic_McEliece_GF x, GF_Elem y) const {
-         return Classic_McEliece_GF(GF_Elem(m_mask.select(x.elem().get(), y.get())), x.modulus());
+      Classic_McEliece_GF select(const Classic_McEliece_GF x, CmceGfElem y) const {
+         return Classic_McEliece_GF(CmceGfElem(m_mask.select(x.elem().get(), y.get())), x.modulus());
       }
 
       uint16_t select(uint16_t x, uint16_t y) const { return m_mask.select(x, y); }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
index 74943156421..29b08b9f4f3 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.cpp
@@ -22,25 +22,25 @@ namespace {
  */
 std::optional<Classic_McEliece_KeyPair_Internal> try_generate_keypair(std::span<uint8_t> out_next_seed,
                                                                       const Classic_McEliece_Parameters& params,
-                                                                      Key_Gen_Seed seed) {
+                                                                      CmceKeyGenSeed seed) {
    BOTAN_ASSERT_EQUAL(seed.size(), 32, "Valid seed length");
    BOTAN_ASSERT_EQUAL(out_next_seed.size(), 32, "Valid output seed length");
 
    auto big_e_xof = params.prg(seed);
 
-   auto s = big_e_xof->output<Rejection_Seed>(params.n() / 8);
-   auto ordering_seed = big_e_xof->output<secure_vector<uint8_t>>((params.sigma2() * params.q()) / 8);
-   auto irreducible_seed = big_e_xof->output<secure_vector<uint8_t>>((params.sigma1() * params.t()) / 8);
+   auto s = big_e_xof->output<CmceRejectionSeed>(params.n() / 8);
+   auto ordering_bits = big_e_xof->output<CmceOrderingBits>((params.sigma2() * params.q()) / 8);
+   auto irreducible_bits = big_e_xof->output<CmceIrreducibleBits>((params.sigma1() * params.t()) / 8);
    big_e_xof->output(out_next_seed);
 
    // Field-ordering generation - Classic McEliece ISO 8.2
-   auto field_ordering = Classic_McEliece_Field_Ordering::create_field_ordering(params, ordering_seed);
+   auto field_ordering = Classic_McEliece_Field_Ordering::create_field_ordering(params, ordering_bits);
    if(!field_ordering) {
       return std::nullopt;
    }
 
    // Irreducible-polynomial generation - Classic McEliece ISO 8.1
-   auto g = params.poly_ring().compute_minimal_polynomial(irreducible_seed);
+   auto g = params.poly_ring().compute_minimal_polynomial(irreducible_bits);
    if(!g) {
       return std::nullopt;
    }
@@ -67,12 +67,12 @@ Classic_McEliece_PrivateKeyInternal Classic_McEliece_PrivateKeyInternal::from_by
    BOTAN_ASSERT(sk_bytes.size() == params.sk_size_bytes(), "Valid private key size");
    BufferSlicer sk_slicer(sk_bytes);
 
-   auto delta = sk_slicer.copy<Key_Gen_Seed>(params.seed_len());
-   auto c = Column_Selection(sk_slicer.take(params.sk_c_bytes()));
+   auto delta = sk_slicer.copy<CmceKeyGenSeed>(params.seed_len());
+   auto c = CmceColumnSelection(sk_slicer.take(params.sk_c_bytes()));
    auto g = Classic_McEliece_Minimal_Polynomial::from_bytes(sk_slicer.take(params.sk_poly_g_bytes()), params.poly_f());
    auto field_ordering = Classic_McEliece_Field_Ordering::create_from_control_bits(
       params, secure_bitvector(sk_slicer.take(params.sk_alpha_control_bytes())));
-   auto s = sk_slicer.copy<Rejection_Seed>(params.sk_s_bytes());
+   auto s = sk_slicer.copy<CmceRejectionSeed>(params.sk_s_bytes());
    BOTAN_ASSERT_NOMSG(sk_slicer.empty());
 
    return Classic_McEliece_PrivateKeyInternal(
@@ -116,11 +116,11 @@ std::shared_ptr<Classic_McEliece_PublicKeyInternal> Classic_McEliece_PublicKeyIn
 }
 
 Classic_McEliece_KeyPair_Internal Classic_McEliece_KeyPair_Internal::generate(const Classic_McEliece_Parameters& params,
-                                                                              StrongSpan<const Initial_Seed> seed) {
+                                                                              StrongSpan<const CmceInitialSeed> seed) {
    BOTAN_ASSERT_EQUAL(seed.size(), params.seed_len(), "Valid seed length");
 
-   Key_Gen_Seed next_seed(seed.size());
-   Key_Gen_Seed current_seed(seed.begin(), seed.end());
+   CmceKeyGenSeed next_seed(seed.size());
+   CmceKeyGenSeed current_seed(seed.begin(), seed.end());
 
    while(true) {
       if(auto keypair = try_generate_keypair(next_seed, params, std::move(current_seed))) {
diff --git a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
index 10bca143439..a4fc84d3b53 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_keys_internal.h
@@ -97,11 +97,11 @@ class BOTAN_TEST_API Classic_McEliece_PrivateKeyInternal {
        * @param s The seed s for implicit rejection
        */
       Classic_McEliece_PrivateKeyInternal(const Classic_McEliece_Parameters& params,
-                                          Key_Gen_Seed delta,
-                                          Column_Selection c,
+                                          CmceKeyGenSeed delta,
+                                          CmceColumnSelection c,
                                           Classic_McEliece_Minimal_Polynomial g,
                                           Classic_McEliece_Field_Ordering alpha,
-                                          Rejection_Seed s) :
+                                          CmceRejectionSeed s) :
             m_params(params),
             m_delta(std::move(delta)),
             m_c(std::move(c)),
@@ -131,12 +131,12 @@ class BOTAN_TEST_API Classic_McEliece_PrivateKeyInternal {
       /**
        * @brief The seed delta that was used to create the private key.
        */
-      const Key_Gen_Seed& delta() const { return m_delta; }
+      const CmceKeyGenSeed& delta() const { return m_delta; }
 
       /**
        * @brief The column selection pivot vector c as defined in Classic McEliece ISO Section 9.2.11.
        */
-      const Column_Selection& c() const { return m_c; }
+      const CmceColumnSelection& c() const { return m_c; }
 
       /**
        * @brief The minimal polynomial g.
@@ -151,7 +151,7 @@ class BOTAN_TEST_API Classic_McEliece_PrivateKeyInternal {
       /**
        * @brief The seed s for implicit rejection on decryption failure.
        */
-      const Rejection_Seed& s() const { return m_s; }
+      const CmceRejectionSeed& s() const { return m_s; }
 
       /**
        * @brief The Classic McEliece parameters.
@@ -160,11 +160,11 @@ class BOTAN_TEST_API Classic_McEliece_PrivateKeyInternal {
 
    private:
       Classic_McEliece_Parameters m_params;
-      Key_Gen_Seed m_delta;
-      Column_Selection m_c;
+      CmceKeyGenSeed m_delta;
+      CmceColumnSelection m_c;
       Classic_McEliece_Minimal_Polynomial m_g;
       Classic_McEliece_Field_Ordering m_field_ordering;
-      Rejection_Seed m_s;
+      CmceRejectionSeed m_s;
 };
 
 /**
@@ -179,7 +179,7 @@ struct BOTAN_TEST_API Classic_McEliece_KeyPair_Internal {
        * in Classic McEliece ISO Section 8.3
        */
       static Classic_McEliece_KeyPair_Internal generate(const Classic_McEliece_Parameters& params,
-                                                        StrongSpan<const Initial_Seed> seed);
+                                                        StrongSpan<const CmceInitialSeed> seed);
 
       /**
        * @brief Decompose the key pair into a pair of shared pointers to the private and public key.
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
index fc9380dbb79..f6f826f9c03 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.cpp
@@ -19,8 +19,8 @@ namespace Botan {
 namespace {
 
 // Strong types for matrix used internally by Classic_McEliece_Matrix
-using MatrixRow = Strong<secure_bitvector, struct MatrixRow_>;
-using Matrix = Strong<std::vector<MatrixRow>, struct Matrix_>;
+using CmceMatrixRow = Strong<secure_bitvector, struct CmceMatrixRow_>;
+using CmceMatrix = Strong<std::vector<CmceMatrixRow>, struct CmceMatrix_>;
 
 }  // Anonymous namespace
 
@@ -37,16 +37,16 @@ size_t count_lsb_zeros(const secure_bitvector& n) {
    return res;
 }
 
-Matrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
-                               const Classic_McEliece_Field_Ordering& field_ordering,
-                               const Classic_McEliece_Minimal_Polynomial& g) {
+CmceMatrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
+                                   const Classic_McEliece_Field_Ordering& field_ordering,
+                                   const Classic_McEliece_Minimal_Polynomial& g) {
    auto alphas = field_ordering.alphas(params.n());
    std::vector<Classic_McEliece_GF> inv_g_of_alpha;
    inv_g_of_alpha.reserve(params.n());
    for(const auto& alpha : alphas) {
       inv_g_of_alpha.push_back(g(alpha).inv());
    }
-   Matrix mat(std::vector<MatrixRow>(params.pk_no_rows(), MatrixRow(params.n())));
+   CmceMatrix mat(std::vector<CmceMatrixRow>(params.pk_no_rows(), CmceMatrixRow(params.n())));
 
    for(size_t i = 0; i < params.t(); ++i) {
       for(size_t j = 0; j < params.n(); ++j) {
@@ -64,7 +64,7 @@ Matrix init_matrix_with_alphas(const Classic_McEliece_Parameters& params,
    return mat;
 }
 
-std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece_Parameters& params) {
+std::optional<CmceColumnSelection> move_columns(CmceMatrix& mat, const Classic_McEliece_Parameters& params) {
    BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
    BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
    static_assert(Classic_McEliece_Parameters::nu() == 64,
@@ -122,7 +122,7 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
    }
 
    // Create pivot bitvector from the pivot index vector
-   Column_Selection pivots(Classic_McEliece_Parameters::nu());
+   CmceColumnSelection pivots(Classic_McEliece_Parameters::nu());
    for(auto pivot_idx : pivot_indices) {
       for(size_t i = 0; i < Classic_McEliece_Parameters::nu(); ++i) {
          auto mask_is_at_current_idx = Botan::CT::Mask<size_t>::is_equal(i, pivot_idx);
@@ -145,12 +145,12 @@ std::optional<Column_Selection> move_columns(Matrix& mat, const Classic_McEliece
    return pivots;
 }
 
-std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& params, Matrix& mat) {
+std::optional<CmceColumnSelection> apply_gauss(const Classic_McEliece_Parameters& params, CmceMatrix& mat) {
    BOTAN_ASSERT(mat.size() == params.pk_no_rows(), "Matrix has incorrect number of rows");
    BOTAN_ASSERT(mat.get().at(0).size() == params.n(), "Matrix has incorrect number of columns");
    // Initialized for systematic form instances
    // Is overridden for semi systematic instances
-   auto pivots = Column_Selection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
+   auto pivots = CmceColumnSelection({0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0});
 
    // Gaussian Elimination
    for(size_t diag_pos = 0; diag_pos < params.pk_no_rows(); ++diag_pos) {
@@ -190,7 +190,7 @@ std::optional<Column_Selection> apply_gauss(const Classic_McEliece_Parameters& p
    return pivots;
 }
 
-std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params, const Matrix& mat) {
+std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Parameters& params, const CmceMatrix& mat) {
    // Store T of the matrix (I_mt|T) as a linear vector to represent the
    // public key as defined in McEliece ISO 9.2.7
    std::vector<uint8_t> big_t(params.pk_size_bytes());
@@ -207,7 +207,7 @@ std::vector<uint8_t> extract_pk_bytes_from_matrix(const Classic_McEliece_Paramet
 
 }  // namespace
 
-std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> Classic_McEliece_Matrix::create_matrix(
+std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>> Classic_McEliece_Matrix::create_matrix(
    const Classic_McEliece_Parameters& params,
    const Classic_McEliece_Field_Ordering& field_ordering,
    const Classic_McEliece_Minimal_Polynomial& g) {
@@ -222,7 +222,7 @@ std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> Classic_McEl
    return std::make_pair(Classic_McEliece_Matrix(params, std::move(pk_mat_bytes)), pivots.value());
 }
 
-std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>>
+std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>>
 Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_Parameters& params,
                                                         Classic_McEliece_Field_Ordering& field_ordering,
                                                         const Classic_McEliece_Minimal_Polynomial& g) {
@@ -241,8 +241,8 @@ Classic_McEliece_Matrix::create_matrix_and_apply_pivots(const Classic_McEliece_P
    return pk_matrix_and_pivots;
 }
 
-Code_Word Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const {
-   auto s = e.subvector<Code_Word>(0, params.pk_no_rows());
+CmceCodeWord Classic_McEliece_Matrix::mul(const Classic_McEliece_Parameters& params, const CmceErrorVector& e) const {
+   auto s = e.subvector<CmceCodeWord>(0, params.pk_no_rows());
    auto e_T = e.subvector(params.pk_no_rows());
    auto pk_slicer = BufferSlicer(m_mat_bytes);
 
diff --git a/src/lib/pubkey/classic_mceliece/cmce_matrix.h b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
index 7777420244d..fde27b36f5c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_matrix.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_matrix.h
@@ -42,7 +42,7 @@ class BOTAN_TEST_API Classic_McEliece_Matrix {
        * @param g Minimal polynomial
        * @return Pair(the matrix H, pivot vector c)
        */
-      static std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> create_matrix(
+      static std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>> create_matrix(
          const Classic_McEliece_Parameters& params,
          const Classic_McEliece_Field_Ordering& field_ordering,
          const Classic_McEliece_Minimal_Polynomial& g);
@@ -63,7 +63,7 @@ class BOTAN_TEST_API Classic_McEliece_Matrix {
        * @param g Minimal polynomial
        * @return Pair(the matrix H, pivot vector c)
        */
-      static std::optional<std::pair<Classic_McEliece_Matrix, Column_Selection>> create_matrix_and_apply_pivots(
+      static std::optional<std::pair<Classic_McEliece_Matrix, CmceColumnSelection>> create_matrix_and_apply_pivots(
          const Classic_McEliece_Parameters& params,
          Classic_McEliece_Field_Ordering& field_ordering,
          const Classic_McEliece_Minimal_Polynomial& g);
@@ -102,7 +102,7 @@ class BOTAN_TEST_API Classic_McEliece_Matrix {
        * @param e The bitvector e
        * @return H*e
        */
-      Code_Word mul(const Classic_McEliece_Parameters& params, const Error_Vector& e) const;
+      CmceCodeWord mul(const Classic_McEliece_Parameters& params, const CmceErrorVector& e) const;
 
    private:
       /// The bytes of the submatrix T
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
index 36951ed3b72..14a824df721 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
@@ -13,12 +13,12 @@ namespace Botan {
 
 namespace {
 
-GF_Mod determine_poly_f(Classic_McEliece_Parameter_Set param_set) {
+CmceGfMod determine_poly_f(Classic_McEliece_Parameter_Set param_set) {
    switch(param_set) {
       case Classic_McEliece_Parameter_Set::mceliece348864:
       case Classic_McEliece_Parameter_Set::mceliece348864f:
          // z^12 + z^3 + 1
-         return GF_Mod(0b0001000000001001);
+         return CmceGfMod(0b0001000000001001);
       case Classic_McEliece_Parameter_Set::mceliece460896:
       case Classic_McEliece_Parameter_Set::mceliece460896f:
       case Classic_McEliece_Parameter_Set::mceliece6688128:
@@ -34,20 +34,20 @@ GF_Mod determine_poly_f(Classic_McEliece_Parameter_Set param_set) {
       case Classic_McEliece_Parameter_Set::mceliece8192128pc:
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          // z^12 + z^3 + 1
-         return GF_Mod(0b0010000000011011);
+         return CmceGfMod(0b0010000000011011);
       // TODO: Remove on final PR
       case Botan::Classic_McEliece_Parameter_Set::test:
       case Botan::Classic_McEliece_Parameter_Set::testf:
       case Botan::Classic_McEliece_Parameter_Set::testpc:
       case Botan::Classic_McEliece_Parameter_Set::testpcf:
          // z^8 + z^7 + z^2 + z + 1 (test instance)
-         return GF_Mod(0b0000000110000111);
+         return CmceGfMod(0b0000000110000111);
    }
    BOTAN_ASSERT_UNREACHABLE();
 }
 
 Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_Set param_set) {
-   GF_Mod poly_f = determine_poly_f(param_set);
+   CmceGfMod poly_f = determine_poly_f(param_set);
 
    switch(param_set) {
       // TODO: Remove test instance on final PR
@@ -56,27 +56,27 @@ Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_
       case Botan::Classic_McEliece_Parameter_Set::testpc:
       case Botan::Classic_McEliece_Parameter_Set::testpcf:
          // y^8 + y^4 + y^3 + y^2 + 1 (test instances)
-         return {{{0, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {2, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {3, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {4, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+         return {{{0, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {2, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {3, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {4, Classic_McEliece_GF(CmceGfElem(1), poly_f)}},
                  poly_f,
                  8};
       case Classic_McEliece_Parameter_Set::mceliece348864:
       case Classic_McEliece_Parameter_Set::mceliece348864f:
          // y^64 + y^3 + y + z
-         return {{{3, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {1, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {0, Classic_McEliece_GF(GF_Elem(2), poly_f)}},
+         return {{{3, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {1, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {0, Classic_McEliece_GF(CmceGfElem(2), poly_f)}},
                  poly_f,
                  64};
       case Classic_McEliece_Parameter_Set::mceliece460896:
       case Classic_McEliece_Parameter_Set::mceliece460896f:
          // y^96 + y^10 + y^9 + y^6 + 1
-         return {{{10, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {9, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {6, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+         return {{{10, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {9, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {6, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {0, Classic_McEliece_GF(CmceGfElem(1), poly_f)}},
                  poly_f,
                  96};
       case Classic_McEliece_Parameter_Set::mceliece6960119:
@@ -85,8 +85,8 @@ Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_
       case Classic_McEliece_Parameter_Set::mceliece6960119pcf:
          // y^119 + y^8 + 1
          // clang-format off
-         return {{{8, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+         return {{{8, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {0, Classic_McEliece_GF(CmceGfElem(1), poly_f)}},
                   poly_f,
                   119};
          // clang-format on
@@ -99,10 +99,10 @@ Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_
       case Classic_McEliece_Parameter_Set::mceliece8192128pc:
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          // y^128 + y^7 + y^2 + y + 1
-         return {{{7, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {2, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {1, Classic_McEliece_GF(GF_Elem(1), poly_f)},
-                  {0, Classic_McEliece_GF(GF_Elem(1), poly_f)}},
+         return {{{7, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {2, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {1, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
+                  {0, Classic_McEliece_GF(CmceGfElem(1), poly_f)}},
                  poly_f,
                  128};
    }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.h b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
index edfa30ad3f8..1f5fef38d26 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
@@ -154,7 +154,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
        * @brief The monic irreducible polynomial f(z) of degree m over GF(2). Used for modular
        * reduction in GF(2^m).
        */
-      GF_Mod poly_f() const { return m_poly_ring.poly_f(); }
+      CmceGfMod poly_f() const { return m_poly_ring.poly_f(); }
 
       /**
        * @brief The estimated bit security strength of the Classic McEliece instance.
@@ -273,7 +273,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
        * @param elem The GF(q) element value.
        * @return The GF(q) element.
        */
-      Classic_McEliece_GF gf(GF_Elem elem) const { return Classic_McEliece_GF(elem, poly_f()); }
+      Classic_McEliece_GF gf(CmceGfElem elem) const { return Classic_McEliece_GF(elem, poly_f()); }
 
    private:
       Classic_McEliece_Parameters(Classic_McEliece_Parameter_Set param_set,
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
index fa2a366aaef..30b76754610 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.cpp
@@ -25,12 +25,12 @@ namespace {
  * @param bytes input bytes
  * @return The vector of GF_Elem elements
  */
-std::vector<GF_Elem> load_le_gf_vec(std::span<const uint8_t> bytes) {
-   std::vector<GF_Elem> result;
+std::vector<CmceGfElem> load_le_gf_vec(std::span<const uint8_t> bytes) {
+   std::vector<CmceGfElem> result;
    BufferSlicer bs(bytes);
-   result.reserve(bytes.size() / sizeof(GF_Elem));
-   for(size_t i = 0; i < bytes.size() / sizeof(GF_Elem); ++i) {
-      result.emplace_back(load_le<uint16_t>(bs.take<sizeof(GF_Elem)>()));
+   result.reserve(bytes.size() / sizeof(CmceGfElem));
+   for(size_t i = 0; i < bytes.size() / sizeof(CmceGfElem); ++i) {
+      result.emplace_back(load_le<uint16_t>(bs.take<sizeof(CmceGfElem)>()));
    }
    return result;
 }
@@ -40,7 +40,7 @@ std::vector<GF_Elem> load_le_gf_vec(std::span<const uint8_t> bytes) {
 Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF a) const {
    BOTAN_ASSERT(a.modulus() == coef_at(0).modulus(), "Galois fields match");
 
-   Classic_McEliece_GF r(GF_Elem(0), a.modulus());
+   Classic_McEliece_GF r(CmceGfElem(0), a.modulus());
    for(auto it = m_coef.rbegin(); it != m_coef.rend(); ++it) {
       r *= a;
       r += *it;
@@ -51,7 +51,7 @@ Classic_McEliece_GF Classic_McEliece_Polynomial::operator()(Classic_McEliece_GF
 
 Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::multiply(const Classic_McEliece_Polynomial& a,
                                                                        const Classic_McEliece_Polynomial& b) const {
-   std::vector<Classic_McEliece_GF> prod(m_t * 2 - 1, {GF_Elem(0), m_poly_f});
+   std::vector<Classic_McEliece_GF> prod(m_t * 2 - 1, {CmceGfElem(0), m_poly_f});
 
    for(size_t i = 0; i < m_t; ++i) {
       for(size_t j = 0; j < m_t; ++j) {
@@ -78,9 +78,9 @@ Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_fro
 }
 
 Classic_McEliece_Polynomial Classic_McEliece_Polynomial_Ring::create_element_from_coef(
-   const std::vector<GF_Elem>& coeff_vec) const {
+   const std::vector<CmceGfElem>& coeff_vec) const {
    std::vector<Classic_McEliece_GF> coeff_vec_gf;
-   GF_Elem coeff_mask = GF_Elem((uint16_t(1) << Classic_McEliece_GF::log_q_from_mod(m_poly_f)) - 1);
+   CmceGfElem coeff_mask = CmceGfElem((uint16_t(1) << Classic_McEliece_GF::log_q_from_mod(m_poly_f)) - 1);
    std::transform(coeff_vec.begin(), coeff_vec.end(), std::back_inserter(coeff_vec_gf), [&](auto& coeff) {
       return Classic_McEliece_GF(coeff & coeff_mask, m_poly_f);
    });
@@ -93,12 +93,12 @@ bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs,
 }
 
 std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_Ring::compute_minimal_polynomial(
-   std::span<const uint8_t> seed) const {
+   StrongSpan<const CmceIrreducibleBits> seed) const {
    auto polynomial = create_element_from_bytes(seed);
    std::vector<Classic_McEliece_Polynomial> mat;
 
-   mat.push_back(create_element_from_coef(concat_as<std::vector<GF_Elem>>(
-      std::vector<GF_Elem>{GF_Elem(1)}, std::vector<GF_Elem>(degree() - 1, GF_Elem(0)))));
+   mat.push_back(create_element_from_coef(concat_as<std::vector<CmceGfElem>>(
+      std::vector<CmceGfElem>{CmceGfElem(1)}, std::vector<CmceGfElem>(degree() - 1, CmceGfElem(0)))));
 
    mat.push_back(polynomial);
 
@@ -140,7 +140,7 @@ std::optional<Classic_McEliece_Minimal_Polynomial> Classic_McEliece_Polynomial_R
 
    auto minimal_poly_coeffs = mat.at(degree()).coef();
    // Add coefficient 1 since polynomial is monic
-   minimal_poly_coeffs.emplace_back(GF_Elem(1), poly_f());
+   minimal_poly_coeffs.emplace_back(CmceGfElem(1), poly_f());
 
    return Classic_McEliece_Minimal_Polynomial(std::move(minimal_poly_coeffs));
 }
@@ -153,14 +153,14 @@ secure_vector<uint8_t> Classic_McEliece_Minimal_Polynomial::serialize() const {
    secure_vector<uint8_t> bytes(sizeof(uint16_t) * coeffs_to_store.size());
    BufferStuffer bytes_stuf(bytes);
    for(auto& coef : coeffs_to_store) {
-      store_le(bytes_stuf.next<sizeof(GF_Elem)>(), coef.elem().get());
+      store_le(bytes_stuf.next<sizeof(CmceGfElem)>(), coef.elem().get());
    }
    BOTAN_ASSERT_NOMSG(bytes_stuf.full());
    return bytes;
 }
 
 Classic_McEliece_Minimal_Polynomial Classic_McEliece_Minimal_Polynomial::from_bytes(std::span<const uint8_t> bytes,
-                                                                                    GF_Mod poly_f) {
+                                                                                    CmceGfMod poly_f) {
    BOTAN_ASSERT_NOMSG(bytes.size() % 2 == 0);
    auto coef_vec = load_le_gf_vec(bytes);
    std::vector<Classic_McEliece_GF> coeff_vec_gf;
@@ -168,7 +168,7 @@ Classic_McEliece_Minimal_Polynomial Classic_McEliece_Minimal_Polynomial::from_by
       return Classic_McEliece_GF(coeff, poly_f);
    });
 
-   coeff_vec_gf.emplace_back(GF_Elem(1), poly_f);  // x^t as polynomial is monic
+   coeff_vec_gf.emplace_back(CmceGfElem(1), poly_f);  // x^t as polynomial is monic
 
    return Classic_McEliece_Minimal_Polynomial(coeff_vec_gf);
 }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_poly.h b/src/lib/pubkey/classic_mceliece/cmce_poly.h
index ffd189675aa..d16b275774c 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_poly.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_poly.h
@@ -87,7 +87,7 @@ class BOTAN_TEST_API Classic_McEliece_Minimal_Polynomial : public Classic_McElie
       /**
        * @brief Create a polynomial from bytes according to ISO Section 9.2.9.
        */
-      static Classic_McEliece_Minimal_Polynomial from_bytes(std::span<const uint8_t> bytes, GF_Mod poly_f);
+      static Classic_McEliece_Minimal_Polynomial from_bytes(std::span<const uint8_t> bytes, CmceGfMod poly_f);
 };
 
 /**
@@ -120,10 +120,10 @@ class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
        * @param poly_f The modulus f(z) of GF(q).
        * @param t The polynomial degree of the ring (and of F(y)).
        */
-      Classic_McEliece_Polynomial_Ring(std::vector<Big_F_Coefficient> poly_big_f_coef, GF_Mod poly_f, size_t t) :
+      Classic_McEliece_Polynomial_Ring(std::vector<Big_F_Coefficient> poly_big_f_coef, CmceGfMod poly_f, size_t t) :
             m_position_map(std::move(poly_big_f_coef)), m_t(t), m_poly_f(poly_f) {}
 
-      GF_Mod poly_f() const { return m_poly_f; }
+      CmceGfMod poly_f() const { return m_poly_f; }
 
       /**
        * @brief The degree of polynomials in this ring (and of F(y)).
@@ -144,11 +144,11 @@ class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
        * @return g or std::nullopt if g has not full degree.
        */
       std::optional<Classic_McEliece_Minimal_Polynomial> compute_minimal_polynomial(
-         std::span<const uint8_t> seed) const;
+         StrongSpan<const CmceIrreducibleBits> seed) const;
 
    private:
       // Creates a ring element from a coefficient vector
-      Classic_McEliece_Polynomial create_element_from_coef(const std::vector<GF_Elem>& coeff_vec) const;
+      Classic_McEliece_Polynomial create_element_from_coef(const std::vector<CmceGfElem>& coeff_vec) const;
 
       /**
        * @brief Create a polynomial from bytes according to ISO Section 8.1 step 1 and 2.
@@ -162,7 +162,7 @@ class BOTAN_TEST_API Classic_McEliece_Polynomial_Ring {
       size_t m_t;
 
       // f(z) in spec
-      GF_Mod m_poly_f;
+      CmceGfMod m_poly_f;
 };
 
 bool operator==(const Classic_McEliece_Polynomial_Ring::Big_F_Coefficient& lhs,
diff --git a/src/lib/pubkey/classic_mceliece/cmce_types.h b/src/lib/pubkey/classic_mceliece/cmce_types.h
index 67f1409deab..3754902bb5f 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_types.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_types.h
@@ -16,34 +16,40 @@
 namespace Botan {
 
 /// Represents a GF(q) element
-using GF_Elem = Strong<uint16_t, struct GF_Elem_>;
+using CmceGfElem = Strong<uint16_t, struct CmceGfElem_>;
 
 /// Represents a GF(q) modulus
-using GF_Mod = Strong<uint16_t, struct GF_Mod_>;
+using CmceGfMod = Strong<uint16_t, struct CmceGfMod_>;
 
 /// Represents an element of a permuation (pi in spec). Used in field ordering creation.
-using Permutation_Element = Strong<uint16_t, struct GF_Elem_>;
+using CmcePermutationElement = Strong<uint16_t, struct CmcePermutationElement_>;
 
 /// Represents a permutation (pi in spec). Used in field ordering creation.
-using Permutation = Strong<secure_vector<uint16_t>, struct GF_Elem_>;
+using CmcePermutation = Strong<secure_vector<uint16_t>, struct CmcePermutation_>;
 
 /// Represents initial delta of keygen
-using Initial_Seed = Strong<secure_vector<uint8_t>, struct Initial_Seed_>;
+using CmceInitialSeed = Strong<secure_vector<uint8_t>, struct CmceInitialSeed_>;
 
 /// Represents a delta (can be altered; final value stored in private key)
-using Key_Gen_Seed = Strong<secure_vector<uint8_t>, struct Key_Gen_Seed_>;
+using CmceKeyGenSeed = Strong<secure_vector<uint8_t>, struct CmceKeyGenSeed_>;
 
-/// Represents c of private key
-using Column_Selection = Strong<secure_bitvector, struct Column_Selection_>;
+// Represents the sigma_2*q bits of E=PRG(delta) used by the field ordering algorithm (see CMCE ISO 8.3 Step 4)
+using CmceOrderingBits = Strong<secure_vector<uint8_t>, struct CmceOrderingBits_>;
+
+// Represents the sigma_1*t bits of E=PRG(delta) used by the irreducible algorithm (see CMCE ISO 8.3 Step 5)
+using CmceIrreducibleBits = Strong<secure_vector<uint8_t>, struct CmceIrreducibleBits_>;
 
 /// Represents s of private key
-using Rejection_Seed = Strong<secure_vector<uint8_t>, struct Rejection_Seed_>;
+using CmceRejectionSeed = Strong<secure_vector<uint8_t>, struct CmceRejectionSeed_>;
+
+/// Represents c of private key
+using CmceColumnSelection = Strong<secure_bitvector, struct CmceColumnSelection_>;
 
 /// Represents e of encapsulation
-using Error_Vector = Strong<secure_bitvector, struct Error_Vector_>;
+using CmceErrorVector = Strong<secure_bitvector, struct CmceErrorVector_>;
 
 /// Represents C of decapsulation
-using Code_Word = Strong<secure_bitvector, struct Code_Word_>;
+using CmceCodeWord = Strong<secure_bitvector, struct CmceCodeWord_>;
 
 }  // namespace Botan
 #endif  // BOTAN_CMCE_TYPES_H_
diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
index 18c1880aeaa..ca62e471849 100644
--- a/src/tests/test_cmce.cpp
+++ b/src/tests/test_cmce.cpp
@@ -38,7 +38,7 @@ Botan::Classic_McEliece_Polynomial create_element_from_bytes(std::span<const uin
 
    std::vector<Botan::Classic_McEliece_GF> coeff_vec_gf;
    std::transform(coef.begin(), coef.end(), std::back_inserter(coeff_vec_gf), [&](auto& coeff) {
-      return Botan::Classic_McEliece_GF(Botan::GF_Elem(coeff), ring.poly_f());
+      return Botan::Classic_McEliece_GF(Botan::CmceGfElem(coeff), ring.poly_f());
    });
    return Botan::Classic_McEliece_Polynomial(coeff_vec_gf);
 }
@@ -121,9 +121,9 @@ class CMCE_Utility_Tests final : public Test {
             Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
 
          // Created using the reference implementation
-         auto random_bits = Botan::hex_decode(
+         auto random_bits = Botan::CmceIrreducibleBits(Botan::hex_decode(
             "d9b8bb962a3f9dac0f832d243def581e7d26f4028de1ff9cd168460e5050ab095a32a372b40d720bd5d75389a6b3f08fa1d13cec60a4b716d4d6c240f2f80cd3"
-            "cbc76ae0dddca164c1130da185bd04e890f2256fb9f4754864811e14ea5a43b8b3612d59cecde1b2fdb6362659a0193d2b7d4b9d79aa1801dde3ca90dc300773");
+            "cbc76ae0dddca164c1130da185bd04e890f2256fb9f4754864811e14ea5a43b8b3612d59cecde1b2fdb6362659a0193d2b7d4b9d79aa1801dde3ca90dc300773"));
 
          auto exp_g = Botan::Classic_McEliece_Minimal_Polynomial::from_bytes(
             Botan::hex_decode(
@@ -141,10 +141,10 @@ class CMCE_Utility_Tests final : public Test {
       Test::Result gf_test() {
          Test::Result result("GF test");
 
-         auto exp_mul = Botan::GF_Elem(0x001e);  //00011110
+         auto exp_mul = Botan::CmceGfElem(0x001e);  //00011110
 
-         auto val1 = Botan::Classic_McEliece_GF(Botan::GF_Elem(0b00000000010110111), Botan::GF_Mod(0b100011011));
-         auto val2 = Botan::Classic_McEliece_GF(Botan::GF_Elem(0b00000000011001001), Botan::GF_Mod(0b100011011));
+         auto val1 = Botan::Classic_McEliece_GF(Botan::CmceGfElem(0b00000000010110111), Botan::CmceGfMod(0b100011011));
+         auto val2 = Botan::Classic_McEliece_GF(Botan::CmceGfElem(0b00000000011001001), Botan::CmceGfMod(0b100011011));
          auto mul = val1 * val2;
          result.test_is_eq("Control bits creation", mul.elem(), exp_mul);
 
@@ -157,9 +157,9 @@ class CMCE_Utility_Tests final : public Test {
          auto params =
             Botan::Classic_McEliece_Parameters::create(Botan::Classic_McEliece_Parameter_Set::mceliece348864);
 
-         auto v = params.gf(Botan::GF_Elem(42));
+         auto v = params.gf(Botan::CmceGfElem(42));
          auto v_inv = v.inv();
-         result.test_is_eq("Control bits creation", (v * v_inv).elem(), Botan::GF_Elem(1));
+         result.test_is_eq("Control bits creation", (v * v_inv).elem(), Botan::CmceGfElem(1));
 
          return result;
       }

From 0365a731f1304ca81ad90fb32ecd470681318c24 Mon Sep 17 00:00:00 2001
From: Fabian Albert <fabian.albert@rohde-schwarz.com>
Date: Mon, 5 Feb 2024 15:31:47 +0100
Subject: [PATCH 27/27] Remove minimal SCA test instance

---
 .../classic_mceliece/cmce_parameter_set.cpp   | 24 -------
 .../classic_mceliece/cmce_parameter_set.h     | 11 ----
 .../classic_mceliece/cmce_parameters.cpp      | 32 ----------
 .../pubkey/classic_mceliece/cmce_parameters.h |  6 +-
 src/tests/test_cmce.cpp                       | 63 -------------------
 5 files changed, 2 insertions(+), 134 deletions(-)

diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
index cf407016b03..a9b41042447 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.cpp
@@ -59,19 +59,6 @@ Classic_McEliece_Parameter_Set cmce_param_set_from_str(std::string_view param_na
    if(param_name == "mceliece8192128pcf") {
       return Classic_McEliece_Parameter_Set::mceliece8192128pcf;
    }
-   // TODO: Remove on final PR
-   if(param_name == "test") {
-      return Classic_McEliece_Parameter_Set::test;
-   }
-   if(param_name == "testf") {
-      return Classic_McEliece_Parameter_Set::testf;
-   }
-   if(param_name == "testpc") {
-      return Classic_McEliece_Parameter_Set::testpc;
-   }
-   if(param_name == "testpcf") {
-      return Classic_McEliece_Parameter_Set::testpcf;
-   }
 
    throw Decoding_Error("Cannot convert string to CMCE parameter set");
 }
@@ -110,17 +97,6 @@ std::string cmce_str_from_param_set(Classic_McEliece_Parameter_Set param) {
          return "mceliece8192128pc";
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          return "mceliece8192128pcf";
-      // TODO: Remove on final PR
-      case Classic_McEliece_Parameter_Set::test:
-         return "test";
-      case Classic_McEliece_Parameter_Set::testf:
-         return "testf";
-      case Classic_McEliece_Parameter_Set::testpc:
-         return "testpc";
-      case Classic_McEliece_Parameter_Set::testpcf:
-         return "testpcf";
-      default:
-         throw Decoding_Error("Parameter set not supported");
    }
    BOTAN_ASSERT_UNREACHABLE();
 }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
index d06da313210..4f93d1112ab 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameter_set.h
@@ -44,17 +44,6 @@ enum class Classic_McEliece_Parameter_Set {
    mceliece8192128f,    // ISO + NIST
    mceliece8192128pc,   // ISO
    mceliece8192128pcf,  // ISO
-
-   /// Reduced instances for side channel analysis (Self-created test instance with
-   /// m=8, n=128, t=8, f(z)=z^8+z^7+z^2+z+1, F(y)=y^8+y^4+y^3+y^2+1)
-   /// Minimal instance without semi-systematic matrix creation and no plaintext confirmation
-   test,
-   /// Minimal instance with semi-systematic matrix creation and no plaintext confirmation
-   testf,
-   /// Minimal instance without semi-systematic matrix creation and with plaintext confirmation
-   testpc,
-   /// Minimal instance with semi-systematic matrix creation and with plaintext confirmation
-   testpcf
 };
 
 /**
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
index 14a824df721..c96f81b2299 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.cpp
@@ -35,13 +35,6 @@ CmceGfMod determine_poly_f(Classic_McEliece_Parameter_Set param_set) {
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          // z^12 + z^3 + 1
          return CmceGfMod(0b0010000000011011);
-      // TODO: Remove on final PR
-      case Botan::Classic_McEliece_Parameter_Set::test:
-      case Botan::Classic_McEliece_Parameter_Set::testf:
-      case Botan::Classic_McEliece_Parameter_Set::testpc:
-      case Botan::Classic_McEliece_Parameter_Set::testpcf:
-         // z^8 + z^7 + z^2 + z + 1 (test instance)
-         return CmceGfMod(0b0000000110000111);
    }
    BOTAN_ASSERT_UNREACHABLE();
 }
@@ -50,18 +43,6 @@ Classic_McEliece_Polynomial_Ring determine_poly_ring(Classic_McEliece_Parameter_
    CmceGfMod poly_f = determine_poly_f(param_set);
 
    switch(param_set) {
-      // TODO: Remove test instance on final PR
-      case Botan::Classic_McEliece_Parameter_Set::test:
-      case Botan::Classic_McEliece_Parameter_Set::testf:
-      case Botan::Classic_McEliece_Parameter_Set::testpc:
-      case Botan::Classic_McEliece_Parameter_Set::testpcf:
-         // y^8 + y^4 + y^3 + y^2 + 1 (test instances)
-         return {{{0, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
-                  {2, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
-                  {3, Classic_McEliece_GF(CmceGfElem(1), poly_f)},
-                  {4, Classic_McEliece_GF(CmceGfElem(1), poly_f)}},
-                 poly_f,
-                 8};
       case Classic_McEliece_Parameter_Set::mceliece348864:
       case Classic_McEliece_Parameter_Set::mceliece348864f:
          // y^64 + y^3 + y + z
@@ -140,13 +121,6 @@ Classic_McEliece_Parameters Classic_McEliece_Parameters::create(Classic_McEliece
       case Classic_McEliece_Parameter_Set::mceliece8192128pc:
       case Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          return Classic_McEliece_Parameters(set, 13, 8192, std::move(poly_ring));
-
-      // TODO: Remove on final PR
-      case Botan::Classic_McEliece_Parameter_Set::test:
-      case Botan::Classic_McEliece_Parameter_Set::testf:
-      case Botan::Classic_McEliece_Parameter_Set::testpc:
-      case Botan::Classic_McEliece_Parameter_Set::testpcf:
-         return Classic_McEliece_Parameters(set, 8, 128, std::move(poly_ring));
    }
    BOTAN_ASSERT_UNREACHABLE();
 }
@@ -198,12 +172,6 @@ size_t Classic_McEliece_Parameters::estimated_strength() const {
       case Botan::Classic_McEliece_Parameter_Set::mceliece8192128pc:
       case Botan::Classic_McEliece_Parameter_Set::mceliece8192128pcf:
          return 256;  // 275 in the document. Capped at 256 because of the seed length.
-      // TODO: Remove on final PR
-      case Botan::Classic_McEliece_Parameter_Set::test:
-      case Botan::Classic_McEliece_Parameter_Set::testf:
-      case Botan::Classic_McEliece_Parameter_Set::testpc:
-      case Botan::Classic_McEliece_Parameter_Set::testpcf:
-         return 0;
    }
    BOTAN_ASSERT_UNREACHABLE();
 }
diff --git a/src/lib/pubkey/classic_mceliece/cmce_parameters.h b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
index 1f5fef38d26..ea224642b22 100644
--- a/src/lib/pubkey/classic_mceliece/cmce_parameters.h
+++ b/src/lib/pubkey/classic_mceliece/cmce_parameters.h
@@ -71,8 +71,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
                 (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pc) ||
                 (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pcf) ||
                 (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pc) ||
-                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf) ||
-                (m_set == Classic_McEliece_Parameter_Set::testpc);
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf);
       }
 
       /**
@@ -87,8 +86,7 @@ class BOTAN_TEST_API Classic_McEliece_Parameters final {
                 (m_set == Classic_McEliece_Parameter_Set::mceliece6960119f) ||
                 (m_set == Classic_McEliece_Parameter_Set::mceliece6960119pcf) ||
                 (m_set == Classic_McEliece_Parameter_Set::mceliece8192128f) ||
-                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf) ||
-                (m_set == Classic_McEliece_Parameter_Set::testf);
+                (m_set == Classic_McEliece_Parameter_Set::mceliece8192128pcf);
       }
 
       /**
diff --git a/src/tests/test_cmce.cpp b/src/tests/test_cmce.cpp
index ca62e471849..6b4750f6803 100644
--- a/src/tests/test_cmce.cpp
+++ b/src/tests/test_cmce.cpp
@@ -340,75 +340,12 @@ class Classic_McEliece_KAT_Tests final : public Botan_Tests::PK_PQC_KEM_KAT_Test
       }
 };
 
-/**
- * TODO: Remove on final PR
- * This is a test using a minimal instance. Since this instance is self constructed,
- * we have no known answer to check against. However, this test may be useful for
- * side channel analysis.
- *
- * Hints for SCA:
- * Build only ClassicMcEliece with (for example):
- *    ./configure.py --compiler-cache=ccache --minimized-build --enable-modules=classic_mceliece --build-targets=static,tests --without-documentation --build-tool=ninja && ninja
- * Run only this test without prints:
- *    ./botan-test cmce_minimal --test-threads=1 --no-stdout
- */
-class CMCE_Minimal_Test final : public Test {
-   public:
-      Test::Result run_minimal_keygen_test(std::string_view param_set) {
-         Test::Result result("Minimal KeyGen Test");
-
-         const Botan::secure_vector<uint8_t> rng_seed(48, 0);
-         const auto test_rng = std::make_unique<CTR_DRBG_AES256>(rng_seed);
-
-         // Test Keygen
-         std::unique_ptr<Botan::Private_Key> private_key;
-         result.test_no_throw("Key Generation", [&] {
-            private_key = Botan::create_private_key("ClassicMcEliece", *test_rng, param_set);
-         });
-         if(!private_key) {
-            // Keygen failed
-            return result;
-         }
-
-         // Test Encapsulation
-         std::optional<Botan::KEM_Encapsulation> encaps = std::nullopt;
-         result.test_no_throw("Encapsulation", [&] {
-            auto enc = Botan::PK_KEM_Encryptor(*private_key, "Raw", "base");
-            encaps = enc.encrypt(*test_rng);
-         });
-
-         // Test Decapsulation
-         Botan::secure_vector<uint8_t> decaps;
-         result.test_no_throw("Decapsulation", [&] {
-            auto dec = Botan::PK_KEM_Decryptor(*private_key, *test_rng, "Raw");
-            decaps = dec.decrypt(encaps->encapsulated_shared_key());
-         });
-
-         result.test_is_eq("Decapsulated secret is correct", decaps, encaps->shared_key());
-
-         return result;
-      }
-
-      std::vector<Test::Result> run() override {
-         std::vector<Test::Result> results;
-         // The parameter decides which instance is tested, i.e. with our without
-         // semi-systematic gauss or plaintext confirmation.
-         results.push_back(run_minimal_keygen_test("test"));
-         results.push_back(run_minimal_keygen_test("testf"));
-         results.push_back(run_minimal_keygen_test("testpc"));
-         results.push_back(run_minimal_keygen_test("testpcf"));
-
-         return results;
-      }
-};
-
 BOTAN_REGISTER_TEST("cmce", "cmce_utility", CMCE_Utility_Tests);
 BOTAN_REGISTER_TEST("cmce", "cmce_generic_keygen", CMCE_Generic_Keygen_Tests);
 BOTAN_REGISTER_TEST("cmce", "cmce_generic_kat", Classic_McEliece_KAT_Tests);
    #if defined(BOTAN_HAS_AES)
 BOTAN_REGISTER_TEST("cmce", "cmce_invalid", CMCE_Invalid_Test);
    #endif
-BOTAN_REGISTER_TEST("cmce", "cmce_minimal", CMCE_Minimal_Test);
 
 }  // namespace Botan_Tests