I was going through Kyber specification mentioned here - https://csrc.nist.gov/pubs/fips/203/ipd
The SampleNTT is an algo used for matrix A calculation that takes XOF(p,i,j) as input.
If the input is a stream of uniformly random bytes, the output is a uniformly random element of Tq.
1: i ← 0
2: j ← 0
3: while j < 256 do
4: d1 ← B[i] +256 ·(B[i+1] mod 16)
5: d2 ← ⌊B[i+1]/16⌋+16 ·B[i+2]
6: if d1 < q then
a ∈ Z256 7: aˆ[ j] ← d1 ▷ ˆ q
8: j ← j +1
9: end if
10: if d2 < q and j < 256 then
11: aˆ[ j] ← d2
12: j ← j +1
13: end if
14: i ← i+3
15: end while
16: return aˆ
XOF outputs in 168 bytes block size. Suppose I use 2 blocks that would give me 336 bytes.
Incase the algorithm does not find 256 elements after processing all the 336 bytes, how is the handling suppose to be done ? specifically how does step 14 i = i + 3 execute if i = 335 ?
