This replaces the periodic recalculation of error correlations and the syndrome
by in-place modification. Bit flip is therefore a bit slower, but overall
decoding of the 256-bit secure variant fits in 200ms, and 128-bit variant
decodes under 20ms.
There still could be some (blatantly nondeterministic) method to do this using
FFT, research underway.
A minor bug was discovered in padding of short message signatures. If is
silently fixed, causing some (very minor) incompatibility of signatures
with previous versions.
Okay, this thing got public so it's time to make the RC4 rugged. Not
that I'd know about something that would break current implementation,
but it's nice to at least do the recommended discard correctly.
We'll probably be adding better symmetric ciphers anyway.
Note that this is an incompatible change (again). FMTSeq private keys
will need to be replaced. Existing signature validity doesn't change.
Encrypted messages will not be possible to decrypt.
to avoid possible known plaintext attacks on the symmetric cipher when
beginning of the ciphertext is known (which is a common situation, e.g.
when sign+encrypting)