mldsa: optimize to read a block once

2025-06-28 08:23:26 +08:00 · 2025-05-28 16:13:40 +08:00 · 2025-05-28 16:13:40 +08:00 · 67ac5da71e
commit 67ac5da71e
parent 3c24ac0690
1 changed files with 24 additions and 18 deletions
--- a/mldsa/sample.go
+++ b/mldsa/sample.go
@ -17,27 +17,27 @@ func rejNTTPoly(rho []byte, s, r byte) nttElement {
 	G.Write(rho)
 	G.Write([]byte{s, r})

-	//TODO: optimize to read a block once
-	var buf [3]byte
+	const blockSize = 168 // SHAKE128 block size in bytes
+	var buf [blockSize]byte

 	var a nttElement
 	var j int

 	for {
 		G.Read(buf[:])
+		for i := 0; i < blockSize; i += 3 {
 			// Algorithm 14, CoeffFromThreeBytes()
-		d := uint32(buf[0]) | uint32(buf[1])<<8 | ((uint32(buf[2]) & 0x7f) << 16)
+			d := uint32(buf[i]) | uint32(buf[i+1])<<8 | ((uint32(buf[i+2]) & 0x7f) << 16)
 			if d < q {
 				a[j] = fieldElement(d)
 				j++
 			}
 			if j >= len(a) {
-			break
-		}
-	}
-
 				return a
 			}
+		}
+	}
+}

 // This is a constant time version of n % 5
 // Note that 0xFFFF / 5 = 0x3333, 2 is added to make an over-estimate of 1/5
@ -57,15 +57,17 @@ func rejBoundedPoly(rho []byte, eta int, highByte, lowByte byte) ringElement {
 	H.Write(rho)
 	H.Write([]byte{lowByte, highByte})

-	//TODO: optimize to read a block once
-	var buf [1]byte
+	const blockSize = 136 // SHAKE256 block size in bytes
+	var buf [blockSize]byte
 	var a ringElement
-	var j int
+	var offset, j int
+
+	H.Read(buf[:])

 	for {
-		H.Read(buf[:])
-		z0 := buf[0] & 0xf
-		z1 := buf[0] >> 4
+		z0 := buf[offset] & 0xf
+		z1 := buf[offset] >> 4
+		offset++

 		if eta == 2 {
 			if subtle.ConstantTimeByteEq(z0, 15) == 0 {
@ -98,6 +100,10 @@ func rejBoundedPoly(rho []byte, eta int, highByte, lowByte byte) ringElement {
 				}
 			}
 		}
+		if offset >= blockSize {
+			H.Read(buf[:])
+			offset = 0
+		}
 	}
 	return a
 }