Struct RingContext 

pub struct RingContext { /* private fields */ }

Runtime ring context that carries validated Params for operations in R_q = Z_q[x] / (f(x)).

Implementations

impl RingContext

pub fn new(params: Params) -> Self

Creates a context from already-validated Params.

pub fn from_parts( max_degree: usize, modulus: u64, modulus_poly_coeffs: &[u64], primitive_root: u64, ) -> Result<Self, ParamsError>

Builds and validates parameters, then returns a context.

Examples found in repository

examples/rlwe_pke.rs (line 97)

fn main() {
    // Ring modulus polynomial `x^32 + 1`.
    let mut modulus_poly = vec![0_u64; 32 + 1];
    modulus_poly[0] = 1;
    modulus_poly[32] = 1;
    // Standard NTT-friendly prime modulus used elsewhere in the crate examples.
    let ctx =
        RingContext::from_parts(32, 998_244_353, &modulus_poly, 3).expect("context should build");

    // Key generation randomness.
    let mut key_rng = ExampleRng::new(0xDEAD_BEEF_1234_0001);
    // Generates:
    // - public key (a, b = a*s + e)
    // - secret key (s)
    let (public_key, secret_key) =
        keygen_example(&ctx, 2, &mut key_rng).expect("keygen should work");

    // Message payload.
    let message = b"ok";
    // Encryption randomness must be independent from keygen randomness.
    let mut enc_rng = ExampleRng::new(0xFACE_CAFE_2222_0002);
    // Produces ciphertext (u, v).
    let ciphertext =
        encrypt_example(&ctx, &public_key, message, 2, &mut enc_rng).expect("encrypt should work");

    // Decrypt and verify.
    let decrypted = decrypt_example(&ctx, &secret_key, &ciphertext, message.len())
        .expect("decrypt should work");
    assert_eq!(decrypted, message);

    // Human-readable output for quick manual check.
    println!("message={:?}", String::from_utf8_lossy(message));
    println!("decrypted={:?}", String::from_utf8_lossy(&decrypted));
}

examples/helpers_codec.rs (line 49)

fn main() {
    // Use a power-of-two cyclotomic-style modulus polynomial `x^32 + 1`.
    let mut modulus_poly = vec![0_u64; 32 + 1];
    modulus_poly[0] = 1;
    modulus_poly[32] = 1;
    // Create validated context (n=32, q=998244353, primitive root=3).
    let ctx =
        RingContext::from_parts(32, 998_244_353, &modulus_poly, 3).expect("context should build");

    // Message to encode. Each bit maps into one coefficient slot.
    let message = b"Rust";
    // Encode bytes -> ring element with coefficients in `{0, floor((q+1)/2)}`.
    let encoded =
        encode_message_scaled_bits_example(&ctx, message).expect("message encoding should work");
    // Decode ring element -> bytes (threshold decoding in coefficient domain).
    let decoded = decode_message_scaled_bits_example(&encoded, message.len())
        .expect("message decoding should work");
    // End-to-end correctness check.
    assert_eq!(decoded, message);

    // Quantize coefficients to 11-bit buckets.
    let compressed = compress_ring_elem_example(&encoded, 11).expect("compression should work");
    // Lift quantized coefficients back into `Z_q`.
    let decompressed =
        decompress_ring_elem_example(&ctx, &compressed, 11).expect("decompression should work");

    // Print summary values to inspect behavior quickly.
    println!("decoded_message={:?}", String::from_utf8_lossy(&decoded));
    println!("compressed_coeffs={}", compressed.len());
    println!("decompressed_degree={:?}", decompressed.degree());
}

examples/helpers_sampling.rs (line 111)

fn main() {
    // Configure modulus polynomial `x^16 + 1`.
    //
    // We allocate `max_degree + 1` coefficients and set:
    // - constant term: 1
    // - x^16 term: 1
    // - all intermediate terms: 0
    let mut modulus_poly = vec![0_u64; 16 + 1];
    modulus_poly[0] = 1;
    modulus_poly[16] = 1;
    // Build validated ring context with NTT-friendly modulus and primitive root.
    let ctx =
        RingContext::from_parts(16, 998_244_353, &modulus_poly, 3).expect("context should build");

    // Deterministic seed makes this executable reproducible.
    let mut rng = ExampleRng::new(0xA11C_E123_0000_0001);

    // Uniform sample in `R_q`: every coefficient is sampled independently in `[0, q)`.
    let uniform =
        sample_uniform_poly_example(&ctx, &mut rng).expect("uniform sampling should work");
    // Centered-binomial sample: each coefficient is small noise around 0.
    let cbd = sample_cbd_poly_example(&ctx, 3, &mut rng).expect("CBD sampling should work");
    // Gaussian-like sample from Box-Muller + integer rounding.
    let gaussian =
        sample_discrete_gaussian_poly_example(&ctx, 2.5, &mut rng).expect("gaussian should work");
    // Raw integer rejection sample in `[0, 1000)`.
    let below = sample_rejection_u64_below_example(1_000, &mut rng).expect("rejection should work");

    // Print concise observable properties so this can be used as a smoke run.
    println!("uniform_degree={:?}", uniform.degree());
    println!("cbd_degree={:?}", cbd.degree());
    println!("gaussian_degree={:?}", gaussian.degree());
    println!("sample_below_1000={below}");
}

pub fn params(&self) -> &Params

Returns validated parameters.

Examples found in repository

examples/common/pke.rs (line 181)

fn ensure_element_matches_context(
    ctx: &RingContext,
    element: &RingElem,
) -> Result<(), ExamplePkeError> {
    // Structural parameter equality check.
    if element.params() != ctx.params() {
        return Err(ExamplePkeError::ParameterMismatch);
    }
    Ok(())
}

pub fn max_degree(&self) -> usize

Maximum supported polynomial degree.

Examples found in repository

examples/common/sampling.rs (line 101)

pub fn sample_uniform_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Independent uniform sampling for each coefficient.
        *coeff = sample_rejection_u64_below_example(ctx.modulus(), rng)?;
    }
    // `ctx.element(...)` canonicalizes modulo the ring polynomial.
    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with centered-binomial noise of parameter `eta`.
///
/// Each coefficient is generated as `sum(a_i) - sum(b_i)` over `eta` Bernoulli bits,
/// then mapped into `Z_q`.
pub fn sample_cbd_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    eta: u8,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if eta == 0 {
        return Err(SamplingError::InvalidEta);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // CBD(eta): difference between two eta-bit Hamming weights.
        let mut a = 0_i64;
        let mut b = 0_i64;
        for _ in 0..eta {
            a += (rng.next_u32() & 1) as i64;
            b += (rng.next_u32() & 1) as i64;
        }
        // Map signed noise into `[0, q)` representation.
        *coeff = wrap_signed_to_modulus(a - b, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with approximate discrete Gaussian coefficients.
///
/// This example helper uses a Box-Muller normal sampler and rounds to nearest integer.
pub fn sample_discrete_gaussian_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    sigma: f64,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if !(sigma.is_finite() && sigma > 0.0) {
        return Err(SamplingError::InvalidSigma);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Sample one integer noise value and wrap it into `Z_q`.
        let sampled = sample_box_muller_integer(rng, sigma);
        *coeff = wrap_signed_to_modulus(sampled, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

examples/common/codec.rs (line 100)

pub fn encode_message_scaled_bits_example(
    ctx: &RingContext,
    message: &[u8],
) -> Result<RingElem, CodecError> {
    // In quotient rings like `Z_q[x]/(x^n+1)`, we treat `n` as the usable bit capacity.
    // Coefficient index `i` stores bit `i`.
    let capacity_bits = ctx.max_degree();
    let message_bits = message.len().saturating_mul(8);
    if message_bits > capacity_bits {
        return Err(CodecError::MessageTooLong {
            message_bits,
            capacity_bits,
        });
    }

    // Allocate full polynomial width (`n + 1` slots in this crate's dense representation).
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    // Encoding for bit=1 is midpoint-ish so threshold decoding is robust to moderate noise.
    let one_value = (ctx.modulus() + 1) / 2;

    // Little-endian bit order per byte:
    // - bit 0 goes to lower coefficient index,
    // - bit 7 goes to higher coefficient index.
    for (byte_idx, &byte) in message.iter().enumerate() {
        for bit_idx in 0..8 {
            if (byte >> bit_idx) & 1 == 1 {
                coeffs[byte_idx * 8 + bit_idx] = one_value;
            }
        }
    }

    // Canonicalize into ring representation.
    Ok(ctx.element(&coeffs)?)
}

/// Decodes bytes from a scaled-bit ring element using quarter-range thresholding.
///
/// Coefficients in `[q/4, 3q/4)` decode to bit `1`, and the rest decode to `0`.
pub fn decode_message_scaled_bits_example(
    element: &RingElem,
    output_len_bytes: usize,
) -> Result<Vec<u8>, CodecError> {
    // Decode limit follows the same bit-capacity convention used at encode time.
    let capacity_bits = element.params().max_degree();
    let requested_bits = output_len_bytes.saturating_mul(8);
    if requested_bits > capacity_bits {
        return Err(CodecError::DecodeLengthTooLong {
            requested_bits,
            capacity_bits,
        });
    }

    let q = element.params().modulus();
    // Threshold window near middle of modulus range.
    // Values in `[q/4, 3q/4)` decode to 1; others decode to 0.
    let lower = q / 4;
    let upper = (3 * q) / 4;

    let mut out = vec![0_u8; output_len_bytes];
    for bit_index in 0..requested_bits {
        let coeff = element.coefficients()[bit_index];
        let bit = coeff >= lower && coeff < upper;
        if bit {
            // Restore little-endian bit position.
            out[bit_index / 8] |= 1_u8 << (bit_index % 8);
        }
    }

    Ok(out)
}

/// Compresses one coefficient into `bits` bits.
pub fn compress_coefficient_example(value: u64, modulus: u64, bits: u8) -> Result<u16, CodecError> {
    validate_compression_bits(bits)?;

    // Quantization levels = 2^bits.
    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let v = (value % modulus) as u128;

    // Rounded scaling from `[0, q)` into `[0, 2^bits)`.
    let compressed = ((v * levels + (q / 2)) / q) % levels;
    Ok(compressed as u16)
}

/// Decompresses one `bits`-bit coefficient back into `Z_q`.
pub fn decompress_coefficient_example(
    compressed: u16,
    modulus: u64,
    bits: u8,
) -> Result<u64, CodecError> {
    validate_compression_bits(bits)?;

    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let c = (compressed as u128) % levels;

    // Rounded inverse scaling from `[0, 2^bits)` back into `[0, q)`.
    let decompressed = (c * q + (levels / 2)) / levels;
    Ok((decompressed % q) as u64)
}

/// Compresses all coefficients of a ring element into `bits` bits each.
pub fn compress_ring_elem_example(element: &RingElem, bits: u8) -> Result<Vec<u16>, CodecError> {
    validate_compression_bits(bits)?;

    let q = element.params().modulus();
    // Compress each coefficient independently.
    let mut packed = Vec::with_capacity(element.coefficients().len());
    for &coeff in element.coefficients() {
        packed.push(compress_coefficient_example(coeff, q, bits)?);
    }
    Ok(packed)
}

/// Decompresses packed coefficients into a canonical ring element.
pub fn decompress_ring_elem_example(
    ctx: &RingContext,
    packed: &[u16],
    bits: u8,
) -> Result<RingElem, CodecError> {
    validate_compression_bits(bits)?;

    // Packed vector must match dense polynomial width.
    let expected = ctx.max_degree() + 1;
    if packed.len() != expected {
        return Err(CodecError::CompressedLengthMismatch {
            expected,
            actual: packed.len(),
        });
    }

    // Decompress each coefficient independently and rebuild ring element.
    let mut coeffs = vec![0_u64; expected];
    for (index, &coeff) in packed.iter().enumerate() {
        coeffs[index] = decompress_coefficient_example(coeff, ctx.modulus(), bits)?;
    }

    Ok(ctx.element(&coeffs)?)
}

pub fn modulus(&self) -> u64

Coefficient modulus q.

Examples found in repository

examples/common/sampling.rs (line 104)

pub fn sample_uniform_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Independent uniform sampling for each coefficient.
        *coeff = sample_rejection_u64_below_example(ctx.modulus(), rng)?;
    }
    // `ctx.element(...)` canonicalizes modulo the ring polynomial.
    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with centered-binomial noise of parameter `eta`.
///
/// Each coefficient is generated as `sum(a_i) - sum(b_i)` over `eta` Bernoulli bits,
/// then mapped into `Z_q`.
pub fn sample_cbd_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    eta: u8,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if eta == 0 {
        return Err(SamplingError::InvalidEta);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // CBD(eta): difference between two eta-bit Hamming weights.
        let mut a = 0_i64;
        let mut b = 0_i64;
        for _ in 0..eta {
            a += (rng.next_u32() & 1) as i64;
            b += (rng.next_u32() & 1) as i64;
        }
        // Map signed noise into `[0, q)` representation.
        *coeff = wrap_signed_to_modulus(a - b, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with approximate discrete Gaussian coefficients.
///
/// This example helper uses a Box-Muller normal sampler and rounds to nearest integer.
pub fn sample_discrete_gaussian_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    sigma: f64,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if !(sigma.is_finite() && sigma > 0.0) {
        return Err(SamplingError::InvalidSigma);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Sample one integer noise value and wrap it into `Z_q`.
        let sampled = sample_box_muller_integer(rng, sigma);
        *coeff = wrap_signed_to_modulus(sampled, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

examples/common/codec.rs (line 112)

pub fn encode_message_scaled_bits_example(
    ctx: &RingContext,
    message: &[u8],
) -> Result<RingElem, CodecError> {
    // In quotient rings like `Z_q[x]/(x^n+1)`, we treat `n` as the usable bit capacity.
    // Coefficient index `i` stores bit `i`.
    let capacity_bits = ctx.max_degree();
    let message_bits = message.len().saturating_mul(8);
    if message_bits > capacity_bits {
        return Err(CodecError::MessageTooLong {
            message_bits,
            capacity_bits,
        });
    }

    // Allocate full polynomial width (`n + 1` slots in this crate's dense representation).
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    // Encoding for bit=1 is midpoint-ish so threshold decoding is robust to moderate noise.
    let one_value = (ctx.modulus() + 1) / 2;

    // Little-endian bit order per byte:
    // - bit 0 goes to lower coefficient index,
    // - bit 7 goes to higher coefficient index.
    for (byte_idx, &byte) in message.iter().enumerate() {
        for bit_idx in 0..8 {
            if (byte >> bit_idx) & 1 == 1 {
                coeffs[byte_idx * 8 + bit_idx] = one_value;
            }
        }
    }

    // Canonicalize into ring representation.
    Ok(ctx.element(&coeffs)?)
}

/// Decodes bytes from a scaled-bit ring element using quarter-range thresholding.
///
/// Coefficients in `[q/4, 3q/4)` decode to bit `1`, and the rest decode to `0`.
pub fn decode_message_scaled_bits_example(
    element: &RingElem,
    output_len_bytes: usize,
) -> Result<Vec<u8>, CodecError> {
    // Decode limit follows the same bit-capacity convention used at encode time.
    let capacity_bits = element.params().max_degree();
    let requested_bits = output_len_bytes.saturating_mul(8);
    if requested_bits > capacity_bits {
        return Err(CodecError::DecodeLengthTooLong {
            requested_bits,
            capacity_bits,
        });
    }

    let q = element.params().modulus();
    // Threshold window near middle of modulus range.
    // Values in `[q/4, 3q/4)` decode to 1; others decode to 0.
    let lower = q / 4;
    let upper = (3 * q) / 4;

    let mut out = vec![0_u8; output_len_bytes];
    for bit_index in 0..requested_bits {
        let coeff = element.coefficients()[bit_index];
        let bit = coeff >= lower && coeff < upper;
        if bit {
            // Restore little-endian bit position.
            out[bit_index / 8] |= 1_u8 << (bit_index % 8);
        }
    }

    Ok(out)
}

/// Compresses one coefficient into `bits` bits.
pub fn compress_coefficient_example(value: u64, modulus: u64, bits: u8) -> Result<u16, CodecError> {
    validate_compression_bits(bits)?;

    // Quantization levels = 2^bits.
    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let v = (value % modulus) as u128;

    // Rounded scaling from `[0, q)` into `[0, 2^bits)`.
    let compressed = ((v * levels + (q / 2)) / q) % levels;
    Ok(compressed as u16)
}

/// Decompresses one `bits`-bit coefficient back into `Z_q`.
pub fn decompress_coefficient_example(
    compressed: u16,
    modulus: u64,
    bits: u8,
) -> Result<u64, CodecError> {
    validate_compression_bits(bits)?;

    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let c = (compressed as u128) % levels;

    // Rounded inverse scaling from `[0, 2^bits)` back into `[0, q)`.
    let decompressed = (c * q + (levels / 2)) / levels;
    Ok((decompressed % q) as u64)
}

/// Compresses all coefficients of a ring element into `bits` bits each.
pub fn compress_ring_elem_example(element: &RingElem, bits: u8) -> Result<Vec<u16>, CodecError> {
    validate_compression_bits(bits)?;

    let q = element.params().modulus();
    // Compress each coefficient independently.
    let mut packed = Vec::with_capacity(element.coefficients().len());
    for &coeff in element.coefficients() {
        packed.push(compress_coefficient_example(coeff, q, bits)?);
    }
    Ok(packed)
}

/// Decompresses packed coefficients into a canonical ring element.
pub fn decompress_ring_elem_example(
    ctx: &RingContext,
    packed: &[u16],
    bits: u8,
) -> Result<RingElem, CodecError> {
    validate_compression_bits(bits)?;

    // Packed vector must match dense polynomial width.
    let expected = ctx.max_degree() + 1;
    if packed.len() != expected {
        return Err(CodecError::CompressedLengthMismatch {
            expected,
            actual: packed.len(),
        });
    }

    // Decompress each coefficient independently and rebuild ring element.
    let mut coeffs = vec![0_u64; expected];
    for (index, &coeff) in packed.iter().enumerate() {
        coeffs[index] = decompress_coefficient_example(coeff, ctx.modulus(), bits)?;
    }

    Ok(ctx.element(&coeffs)?)
}

pub fn modulus_poly(&self) -> &Polynomial

Ring modulus polynomial f(x).

pub fn primitive_root(&self) -> u64

Primitive root used by NTT-based operations.

pub fn ntt_length(&self) -> usize

Derived NTT transform length.

pub fn polynomial(&self, coeffs: &[u64]) -> Result<Polynomial, PolynomialError>

Builds a polynomial compatible with this context.

pub fn zero(&self) -> Polynomial

Returns additive identity in this ring.

pub fn one(&self) -> Polynomial

Returns multiplicative identity in this ring.

pub fn element(&self, coeffs: &[u64]) -> Result<RingElem, PolynomialError>

Builds a canonical ring element from coefficients by reducing modulo f(x).

Examples found in repository

examples/common/sampling.rs (line 107)

pub fn sample_uniform_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Independent uniform sampling for each coefficient.
        *coeff = sample_rejection_u64_below_example(ctx.modulus(), rng)?;
    }
    // `ctx.element(...)` canonicalizes modulo the ring polynomial.
    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with centered-binomial noise of parameter `eta`.
///
/// Each coefficient is generated as `sum(a_i) - sum(b_i)` over `eta` Bernoulli bits,
/// then mapped into `Z_q`.
pub fn sample_cbd_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    eta: u8,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if eta == 0 {
        return Err(SamplingError::InvalidEta);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // CBD(eta): difference between two eta-bit Hamming weights.
        let mut a = 0_i64;
        let mut b = 0_i64;
        for _ in 0..eta {
            a += (rng.next_u32() & 1) as i64;
            b += (rng.next_u32() & 1) as i64;
        }
        // Map signed noise into `[0, q)` representation.
        *coeff = wrap_signed_to_modulus(a - b, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

/// Samples one polynomial with approximate discrete Gaussian coefficients.
///
/// This example helper uses a Box-Muller normal sampler and rounds to nearest integer.
pub fn sample_discrete_gaussian_poly_example<R: CryptoRng>(
    ctx: &RingContext,
    sigma: f64,
    rng: &mut R,
) -> Result<RingElem, SamplingError> {
    if !(sigma.is_finite() && sigma > 0.0) {
        return Err(SamplingError::InvalidSigma);
    }

    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    for coeff in &mut coeffs {
        // Sample one integer noise value and wrap it into `Z_q`.
        let sampled = sample_box_muller_integer(rng, sigma);
        *coeff = wrap_signed_to_modulus(sampled, ctx.modulus());
    }

    Ok(ctx.element(&coeffs)?)
}

examples/common/codec.rs (line 126)

pub fn encode_message_scaled_bits_example(
    ctx: &RingContext,
    message: &[u8],
) -> Result<RingElem, CodecError> {
    // In quotient rings like `Z_q[x]/(x^n+1)`, we treat `n` as the usable bit capacity.
    // Coefficient index `i` stores bit `i`.
    let capacity_bits = ctx.max_degree();
    let message_bits = message.len().saturating_mul(8);
    if message_bits > capacity_bits {
        return Err(CodecError::MessageTooLong {
            message_bits,
            capacity_bits,
        });
    }

    // Allocate full polynomial width (`n + 1` slots in this crate's dense representation).
    let mut coeffs = vec![0_u64; ctx.max_degree() + 1];
    // Encoding for bit=1 is midpoint-ish so threshold decoding is robust to moderate noise.
    let one_value = (ctx.modulus() + 1) / 2;

    // Little-endian bit order per byte:
    // - bit 0 goes to lower coefficient index,
    // - bit 7 goes to higher coefficient index.
    for (byte_idx, &byte) in message.iter().enumerate() {
        for bit_idx in 0..8 {
            if (byte >> bit_idx) & 1 == 1 {
                coeffs[byte_idx * 8 + bit_idx] = one_value;
            }
        }
    }

    // Canonicalize into ring representation.
    Ok(ctx.element(&coeffs)?)
}

/// Decodes bytes from a scaled-bit ring element using quarter-range thresholding.
///
/// Coefficients in `[q/4, 3q/4)` decode to bit `1`, and the rest decode to `0`.
pub fn decode_message_scaled_bits_example(
    element: &RingElem,
    output_len_bytes: usize,
) -> Result<Vec<u8>, CodecError> {
    // Decode limit follows the same bit-capacity convention used at encode time.
    let capacity_bits = element.params().max_degree();
    let requested_bits = output_len_bytes.saturating_mul(8);
    if requested_bits > capacity_bits {
        return Err(CodecError::DecodeLengthTooLong {
            requested_bits,
            capacity_bits,
        });
    }

    let q = element.params().modulus();
    // Threshold window near middle of modulus range.
    // Values in `[q/4, 3q/4)` decode to 1; others decode to 0.
    let lower = q / 4;
    let upper = (3 * q) / 4;

    let mut out = vec![0_u8; output_len_bytes];
    for bit_index in 0..requested_bits {
        let coeff = element.coefficients()[bit_index];
        let bit = coeff >= lower && coeff < upper;
        if bit {
            // Restore little-endian bit position.
            out[bit_index / 8] |= 1_u8 << (bit_index % 8);
        }
    }

    Ok(out)
}

/// Compresses one coefficient into `bits` bits.
pub fn compress_coefficient_example(value: u64, modulus: u64, bits: u8) -> Result<u16, CodecError> {
    validate_compression_bits(bits)?;

    // Quantization levels = 2^bits.
    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let v = (value % modulus) as u128;

    // Rounded scaling from `[0, q)` into `[0, 2^bits)`.
    let compressed = ((v * levels + (q / 2)) / q) % levels;
    Ok(compressed as u16)
}

/// Decompresses one `bits`-bit coefficient back into `Z_q`.
pub fn decompress_coefficient_example(
    compressed: u16,
    modulus: u64,
    bits: u8,
) -> Result<u64, CodecError> {
    validate_compression_bits(bits)?;

    let levels = 1_u128 << bits;
    let q = modulus as u128;
    let c = (compressed as u128) % levels;

    // Rounded inverse scaling from `[0, 2^bits)` back into `[0, q)`.
    let decompressed = (c * q + (levels / 2)) / levels;
    Ok((decompressed % q) as u64)
}

/// Compresses all coefficients of a ring element into `bits` bits each.
pub fn compress_ring_elem_example(element: &RingElem, bits: u8) -> Result<Vec<u16>, CodecError> {
    validate_compression_bits(bits)?;

    let q = element.params().modulus();
    // Compress each coefficient independently.
    let mut packed = Vec::with_capacity(element.coefficients().len());
    for &coeff in element.coefficients() {
        packed.push(compress_coefficient_example(coeff, q, bits)?);
    }
    Ok(packed)
}

/// Decompresses packed coefficients into a canonical ring element.
pub fn decompress_ring_elem_example(
    ctx: &RingContext,
    packed: &[u16],
    bits: u8,
) -> Result<RingElem, CodecError> {
    validate_compression_bits(bits)?;

    // Packed vector must match dense polynomial width.
    let expected = ctx.max_degree() + 1;
    if packed.len() != expected {
        return Err(CodecError::CompressedLengthMismatch {
            expected,
            actual: packed.len(),
        });
    }

    // Decompress each coefficient independently and rebuild ring element.
    let mut coeffs = vec![0_u64; expected];
    for (index, &coeff) in packed.iter().enumerate() {
        coeffs[index] = decompress_coefficient_example(coeff, ctx.modulus(), bits)?;
    }

    Ok(ctx.element(&coeffs)?)
}

pub fn element_from_polynomial( &self, poly: Polynomial, ) -> Result<RingElem, PolynomialError>

Converts a compatible polynomial into a canonical ring element.

pub fn zero_element(&self) -> RingElem

Returns additive identity as a canonical ring element.

pub fn one_element(&self) -> RingElem

Returns multiplicative identity as a canonical ring element.

pub fn reduce(&self, poly: &Polynomial) -> Result<Polynomial, PolynomialError>

Reduces polynomial modulo the configured ring polynomial.

pub fn add( &self, lhs: &Polynomial, rhs: &Polynomial, ) -> Result<Polynomial, PolynomialError>

Adds two ring elements and reduces modulo f(x).

pub fn sub( &self, lhs: &Polynomial, rhs: &Polynomial, ) -> Result<Polynomial, PolynomialError>

Subtracts two ring elements and reduces modulo f(x).

pub fn mul( &self, lhs: &Polynomial, rhs: &Polynomial, ) -> Result<Polynomial, PolynomialError>

Multiplies two ring elements and reduces modulo f(x).

Trait Implementations

impl Clone for RingContext

fn clone(&self) -> RingContext

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for RingContext

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl PartialEq for RingContext

fn eq(&self, other: &RingContext) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Eq for RingContext

impl StructuralPartialEq for RingContext