Refactor FrodoMatrixGenerator (performance)

peterdettman · peterdettman · commit 3831056e020c · 2022-10-13T00:16:58.000+07:00
diff --git a/core/src/main/java/org/bouncycastle/pqc/crypto/frodo/FrodoMatrixGenerator.java b/core/src/main/java/org/bouncycastle/pqc/crypto/frodo/FrodoMatrixGenerator.java
@@ -5,7 +5,6 @@
 import org.bouncycastle.crypto.digests.SHAKEDigest;
 import org.bouncycastle.crypto.engines.AESEngine;
 import org.bouncycastle.crypto.params.KeyParameter;
-import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.Pack;
 
 abstract class FrodoMatrixGenerator
@@ -33,33 +32,35 @@ short[] genMatrix(byte[] seedA)
         {
             short[] A = new short[n*n];
             short i, j;
-            byte[] b, tmp = new byte[(16 * n) / 8];
+            byte[] tmp = new byte[(16 * n) / 8];
+            byte[] b = new byte[2 + seedA.length];
+            System.arraycopy(seedA, 0, b, 2, seedA.length);
+
+            Xof digest = new SHAKEDigest(128);
+
             for (i = 0; i < n; i++)
             {
                 // 1. b = i || seedA in {0,1}^{16 + len_seedA}, where i is encoded as a 16-bit integer in little-endian byte order
-                b = Arrays.concatenate(Pack.shortToLittleEndian(i), seedA);
+                Pack.shortToLittleEndian(i, b, 0);
 
                 // 2. c_{i,0} || c_{i,1} || ... || c_{i,n-1} = SHAKE128(b, 16n) (length in bits) where each c_{i,j} is parsed as a 16-bit integer in little-endian byte order format
-                Xof digest = new SHAKEDigest(128);
                 digest.update(b, 0, b.length);
                 digest.doFinal(tmp, 0, tmp.length);
                 for (j = 0; j < n; j++)
                 {
-                    A[i*n+j] = (short) (Pack.littleEndianToShort(tmp, 2 * j) % q);
+                    A[i*n+j] = (short) (Pack.littleEndianToShort(tmp, 2 * j) & (q - 1));
                 }
             }
             return A;
         }
-
     }
+
     static class Aes128MatrixGenerator
             extends FrodoMatrixGenerator
     {
-        private final BlockCipher cipher;
         public Aes128MatrixGenerator(int n, int q)
         {
             super(n, q);
-            cipher = new AESEngine();
         }
 
         short[] genMatrix(byte[] seedA)
@@ -70,29 +71,25 @@ short[] genMatrix(byte[] seedA)
             byte[] b = new byte[16];
             byte[] c = new byte[16];
 
-            KeyParameter kp = new KeyParameter(seedA);
-            cipher.init(true, kp);
+            BlockCipher cipher = new AESEngine();
+            cipher.init(true, new KeyParameter(seedA));
 
             // 1. for i = 0; i < n; i += 1
             for (int i = 0; i < n; i++)
             {
                 // 2. for j = 0; j < n; j += 8
                 for (int j = 0; j < n; j+=8)
                 {
-
                     // 3. b = i || j || 0 || ... || 0 in {0,1}^128, where i and j are encoded as 16-bit integers in little-endian byte order
-                    System.arraycopy(Pack.shortToLittleEndian((short) (i&0xffff)), 0, b, 0, 2);
-                    System.arraycopy(Pack.shortToLittleEndian((short) (j&0xffff)), 0, b, 2, 2);
-                    //                b = bytearray(16)
-                    //                struct.pack_into('<H', b, 0, i)
-                    //                struct.pack_into('<H', b, 2, j)
+                    Pack.shortToLittleEndian((short)i, b, 0);
+                    Pack.shortToLittleEndian((short)j, b, 2);
                     // 4. c = AES128(seedA, b)
                     cipher.processBlock(b, 0, c, 0);
                     // 5. for k = 0; k < 8; k += 1
                     for (int k = 0; k < 8; k++)
                     {
                         // 6. A[i][j+k] = c[k] where c is treated as a sequence of 8 16-bit integers each in little-endian byte order
-                        A[i*n+ j + k] = (short) (Pack.littleEndianToShort(c, 2 * k) % q);
+                        A[i*n+ j + k] = (short) (Pack.littleEndianToShort(c, 2 * k) & (q - 1));
                     }
                 }
             }

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@`
`5`	`5`	`import org.bouncycastle.crypto.digests.SHAKEDigest;`
`6`	`6`	`import org.bouncycastle.crypto.engines.AESEngine;`
`7`	`7`	`import org.bouncycastle.crypto.params.KeyParameter;`
`8`		`-import org.bouncycastle.util.Arrays;`
`9`	`8`	`import org.bouncycastle.util.Pack;`
`10`	`9`
`11`	`10`	`abstract class FrodoMatrixGenerator`
`@@ -33,33 +32,35 @@ short[] genMatrix(byte[] seedA)`
`33`	`32`	`{`
`34`	`33`	`short[] A = new short[n*n];`
`35`	`34`	`short i, j;`
`36`		`- byte[] b, tmp = new byte[(16 * n) / 8];`
	`35`	`+ byte[] tmp = new byte[(16 * n) / 8];`
	`36`	`+ byte[] b = new byte[2 + seedA.length];`
	`37`	`+ System.arraycopy(seedA, 0, b, 2, seedA.length);`
	`38`	`+`
	`39`	`+ Xof digest = new SHAKEDigest(128);`
	`40`	`+`
`37`	`41`	`for (i = 0; i < n; i++)`
`38`	`42`	`{`
`39`	`43`	`// 1. b = i \|\| seedA in {0,1}^{16 + len_seedA}, where i is encoded as a 16-bit integer in little-endian byte order`
`40`		`- b = Arrays.concatenate(Pack.shortToLittleEndian(i), seedA);`
	`44`	`+ Pack.shortToLittleEndian(i, b, 0);`
`41`	`45`
`42`	`46`	`// 2. c_{i,0} \|\| c_{i,1} \|\| ... \|\| c_{i,n-1} = SHAKE128(b, 16n) (length in bits) where each c_{i,j} is parsed as a 16-bit integer in little-endian byte order format`
`43`		`- Xof digest = new SHAKEDigest(128);`
`44`	`47`	`digest.update(b, 0, b.length);`
`45`	`48`	`digest.doFinal(tmp, 0, tmp.length);`
`46`	`49`	`for (j = 0; j < n; j++)`
`47`	`50`	`{`
`48`		`- A[in+j] = (short) (Pack.littleEndianToShort(tmp, 2 j) % q);`
	`51`	`+ A[in+j] = (short) (Pack.littleEndianToShort(tmp, 2 j) & (q - 1));`
`49`	`52`	`}`
`50`	`53`	`}`
`51`	`54`	`return A;`
`52`	`55`	`}`
`53`		`-`
`54`	`56`	`}`
	`57`	`+`
`55`	`58`	`static class Aes128MatrixGenerator`
`56`	`59`	`extends FrodoMatrixGenerator`
`57`	`60`	`{`
`58`		`- private final BlockCipher cipher;`
`59`	`61`	`public Aes128MatrixGenerator(int n, int q)`
`60`	`62`	`{`
`61`	`63`	`super(n, q);`
`62`		`- cipher = new AESEngine();`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`short[] genMatrix(byte[] seedA)`
`@@ -70,29 +71,25 @@ short[] genMatrix(byte[] seedA)`
`70`	`71`	`byte[] b = new byte[16];`
`71`	`72`	`byte[] c = new byte[16];`
`72`	`73`
`73`		`- KeyParameter kp = new KeyParameter(seedA);`
`74`		`- cipher.init(true, kp);`
	`74`	`+ BlockCipher cipher = new AESEngine();`
	`75`	`+ cipher.init(true, new KeyParameter(seedA));`
`75`	`76`
`76`	`77`	`// 1. for i = 0; i < n; i += 1`
`77`	`78`	`for (int i = 0; i < n; i++)`
`78`	`79`	`{`
`79`	`80`	`// 2. for j = 0; j < n; j += 8`
`80`	`81`	`for (int j = 0; j < n; j+=8)`
`81`	`82`	`{`
`82`		`-`
`83`	`83`	`// 3. b = i \|\| j \|\| 0 \|\| ... \|\| 0 in {0,1}^128, where i and j are encoded as 16-bit integers in little-endian byte order`
`84`		`- System.arraycopy(Pack.shortToLittleEndian((short) (i&0xffff)), 0, b, 0, 2);`
`85`		`- System.arraycopy(Pack.shortToLittleEndian((short) (j&0xffff)), 0, b, 2, 2);`
`86`		`- // b = bytearray(16)`
`87`		`- // struct.pack_into('<H', b, 0, i)`
`88`		`- // struct.pack_into('<H', b, 2, j)`
	`84`	`+ Pack.shortToLittleEndian((short)i, b, 0);`
	`85`	`+ Pack.shortToLittleEndian((short)j, b, 2);`
`89`	`86`	`// 4. c = AES128(seedA, b)`
`90`	`87`	`cipher.processBlock(b, 0, c, 0);`
`91`	`88`	`// 5. for k = 0; k < 8; k += 1`
`92`	`89`	`for (int k = 0; k < 8; k++)`
`93`	`90`	`{`
`94`	`91`	`// 6. A[i][j+k] = c[k] where c is treated as a sequence of 8 16-bit integers each in little-endian byte order`
`95`		`- A[in+ j + k] = (short) (Pack.littleEndianToShort(c, 2 k) % q);`
	`92`	`+ A[in+ j + k] = (short) (Pack.littleEndianToShort(c, 2 k) & (q - 1));`
`96`	`93`	`}`
`97`	`94`	`}`
`98`	`95`	`}`