mldsa: optimize to read a block once

2025-06-29 00:37:51 +08:00 · 2025-05-28 16:13:40 +08:00 · 2025-05-28 16:13:40 +08:00 · 67ac5da71e
commit 67ac5da71e
parent 3c24ac0690
1 changed files with 24 additions and 18 deletions
--- a/mldsa/sample.go
+++ b/mldsa/sample.go
@ -17,26 +17,26 @@ func rejNTTPoly(rho []byte, s, r byte) nttElement {
 	G.Write(rho)
 	G.Write([]byte{s, r})
-	//TODO: optimize to read a block once
+	const blockSize = 168 // SHAKE128 block size in bytes
-	var buf [3]byte
+	var buf [blockSize]byte
 	var a nttElement
 	var j int
 	for {
 		G.Read(buf[:])
 		for i := 0; i < blockSize; i += 3 {
 			// Algorithm 14, CoeffFromThreeBytes()
-		d := uint32(buf[0]) | uint32(buf[1])<<8 | ((uint32(buf[2]) & 0x7f) << 16)
+			d := uint32(buf[i]) | uint32(buf[i+1])<<8 | ((uint32(buf[i+2]) & 0x7f) << 16)
 			if d < q {
 				a[j] = fieldElement(d)
 				j++
 			}
 			if j >= len(a) {
 			break
 		}
 	}
 				return a
 			}
 		}
 	}
 }
 // This is a constant time version of n % 5
@ -57,15 +57,17 @@ func rejBoundedPoly(rho []byte, eta int, highByte, lowByte byte) ringElement {
 	H.Write(rho)
 	H.Write([]byte{lowByte, highByte})
-	//TODO: optimize to read a block once
+	const blockSize = 136 // SHAKE256 block size in bytes
-	var buf [1]byte
+	var buf [blockSize]byte
 	var a ringElement
-	var j int
+	var offset, j int
 	H.Read(buf[:])
 	for {
-		H.Read(buf[:])
+		z0 := buf[offset] & 0xf
-		z0 := buf[0] & 0xf
+		z1 := buf[offset] >> 4
-		z1 := buf[0] >> 4
+		offset++
 		if eta == 2 {
 			if subtle.ConstantTimeByteEq(z0, 15) == 0 {
@ -98,6 +100,10 @@ func rejBoundedPoly(rho []byte, eta int, highByte, lowByte byte) ringElement {
 				}
 			}
 		}
 		if offset >= blockSize {
 			H.Read(buf[:])
 			offset = 0
 		}
 	}
 	return a
 }