From 3fe12801742b85d7b48b77276d69cbf77afe5bdf Mon Sep 17 00:00:00 2001 From: Amos Treiber <40764707+atreiber94@users.noreply.github.com> Date: Thu, 2 May 2024 11:01:22 +0200 Subject: [PATCH] Apply suggestions from code review Co-authored-by: weitkaemper-bsi <157401255+weitkaemper-bsi@users.noreply.github.com> --- docs/cryptodoc/src/05_10_cmce.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/cryptodoc/src/05_10_cmce.rst b/docs/cryptodoc/src/05_10_cmce.rst index 66df61d6..10031b31 100644 --- a/docs/cryptodoc/src/05_10_cmce.rst +++ b/docs/cryptodoc/src/05_10_cmce.rst @@ -114,10 +114,10 @@ The GF elements support various operations such as addition, multiplication, and inversion. These operations are implemented in constant time for operands within the same field. Multiplication is performed using a constant-time long multiplication algorithm with a consecutive constant-time reduction. -Inversion of an element :math:`a` is achieved using Fermat's little theorem: -:math:`a^{-1} = a^{q-2}`. -For that, exponentiation is implemented using a simple square-and-multiply -algorithm. +Inversion of an element :math:`a` is achieved using Lagrange's theorem, +which implies that :math:`a^(q-1) = 1` for every non-zero GF element :math:`a`. +Hence, :math:`a^{-1} = a^{q-2}`. The exponentiation :math:`a^{q-2}` +is implemented using a simple square-and-multiply algorithm. .. _pubkey/cmce/field_ordering: 
@@ -176,7 +176,7 @@ the minimal polynomial is computed by finding a unique solution to the equation :math:`g_0\beta^0 + ... + g_{t-1}\beta^{t-1} = \beta^t`. A constant-time Gaussian elimination algorithm is used to solve this equation. The algorithm aborts if the solution is non-unique. The minimal polynomial -is then represented as a ``Classic_McEliece_Minimal_Polynomial`` object, +is then represented as a ``Classic_McEliece_Minimal_Polynomial`` object, a corresponding `Classic_McEliece_Polynomial` with additional logic for serialization and deserialization as described in Section 9.2.9 of [CMCE-ISO]_. @@ -261,7 +261,7 @@ Key Pair Botan's key pair for Classic McEliece consists of two classes: ``Classic_McEliece_PrivateKeyInternal`` and ``Classic_McEliece_PublicKeyInternal``. -As defined in Section 9.2.12, the private key stores the key generation seed, +As defined in Section 9.2.12 of [CMCE-ISO]_, the private key stores the key generation seed, column selection, monic irreducible polynomial, field ordering control bits, and the seed for implicit rejection. The public key contains the sub-matrix :math:`T` of the binary parity check matrix @@ -281,7 +281,7 @@ The class ``Classic_McEliece_Encryptor`` implements Botan's key encapsulation interface. Performing encapsulation requires two building blocks: Fixed-weight vector creation and error vector encoding. -An error vector of fixed weight is created following the algorithm described in Section 8.4 of [CMCE-ISO]_ . +An error vector of fixed weight is created following the algorithm described in Section 8.4 of [CMCE-ISO]_. Random elements :math:`d_0,...,d_{\tau-1}` are generated, where the first :math:`t` elements smaller than :math:`n` are selected as :math:`a_0,...,a_{t-1}`. Note that side-channels may leak the information about which 
@@ -466,7 +466,7 @@ The Classic McEliece decapsulation procedure of Botan follows Section 8.6 of 1. Depending on whether the parameter set includes plaintext confirmation (suffix ``pc``): a. **Without pc:** ``c0 = encap_key`` - b. **With pc:** ``c0, c1 = encap_key``, split after ``ceil(m*t/8)`` bytes + b. **With pc:** ``c0, c1 = encap_key``, split after :math:`\lceil \frac{mt}{8} \rceil` bytes 2. | Decode ``c0`` to obtain ``e`` using Berlekamp's algorithm and set ``b = 1`` | Upon failure set ``e = s`` and ``b = 0``
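
Review bot: In the @@ -114 hunk of docs/cryptodoc/src/05_10_cmce.rst, the added formula :math:`a^(q-1) = 1` is missing braces around the exponent, so LaTeX superscripts only the opening parenthesis. Write :math:`a^{q-1} = 1`, matching the :math:`a^{q-2}` in the following sentence. Because the new wording restricts the identity to non-zero elements, and the paragraph describes these operations as constant time, it would also help to state what the inversion yields for :math:`a = 0`.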
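
Review bot: In the @@ -176 hunk, the added `Classic_McEliece_Polynomial` is wrapped in single backticks, which reStructuredText treats as the default interpreted-text role rather than an inline literal, so it will not render like the other class names. Use double backticks, as for ``Classic_McEliece_Minimal_Polynomial`` in the same sentence. The added line is also much longer than the wrapped lines around it and could be re-wrapped to the file's line width.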