lowRISC
diff --git a/‎sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_ops.s‎
Lines changed: 56 additions & 0 deletions b/‎sw/otbn/crypto/mldsa87/keygen/mldsa87_keygen_ops.s‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎sw/otbn/crypto/mldsa87/keygen/tests/BUILD‎
Lines changed: 1 addition & 0 deletions b/‎sw/otbn/crypto/mldsa87/keygen/tests/BUILD‎
Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@
 
 .globl sample_s
 .globl compute_t
+.globl encode_t
 
 .text
 
@@ -261,3 +262,58 @@ compute_t:
     /* End of loop */
 
   ret
+
+/**
+ * Round and encode T.
+ *
+ * This routine unmasks the arithmetically shared vector T, rounds it to T0 and
+ * T1 vectors which are then encoded on-the-fly.
+ *
+ * Two polynomial slots are required for the storage of intermediate results.
+ *
+ * @param[in] x2: DMEM address of the first arithmetic share of T (8192 bytes).
+ * @param[in] x3: DMEM address of the second arithmetic share of T (8192 bytes).
+ * @param[in] x4: DMEM address of the encoded T0 vector (3328 bytes).
+ * @param[in] x5: DMEM address of the encoded T1 vector (2560 bytes).
+ * @param[in] x6: DMEM address of polynomial slot 0 (1024 bytes).
+ * @param[in] x7: DMEM address of polynomial slot 1 (1024 bytes).
+ */
+encode_t:
+  /* Prepare DMEM address registers. */
+  addi x8, x2, 0  /* T (share 0) */
+  addi x9, x3, 0  /* T (share 1) */
+  addi x10, x4, 0 /* T0_enc */
+  addi x11, x5, 0 /* T1_enc */
+
+  /* Unmask, round and encode each T polynomial. */
+  loopi 8, 18
+    /* Securely unmask T into slot 0. */
+    addi x2, x8, 0
+    addi x3, x9, 0
+    addi x4, x6, 0
+    jal x1, sec_unmask
+
+    /* Split T into T0 and T1 in slots 0 and 1. */
+    addi x2, x6, 0
+    addi x3, x6, 0
+    addi x4, x7, 0
+    jal x1, power2round
+
+    /* Encode T0 into the output location. */
+    addi x2, x6, 0
+    addi x3, x10, 0
+    jal x1, encode_t0
+
+    /* Encode T1 into the output location. */
+    addi x2, x7, 0
+    addi x3, x11, 0
+    jal x1, encode_t1
+
+    /* Advance T and output pointers.*/
+    addi x8, x8, 1024
+    addi x9, x9, 1024
+    addi x10, x10, 416
+    addi x11, x11, 320
+    /* End of loop */
+
+  ret
@@ -33,6 +33,7 @@ unit_tests = [
     "mldsa87_keygen_encode_s_test",
     "mldsa87_keygen_sample_s_test",
     "mldsa87_keygen_compute_t_test",
+    "mldsa87_keygen_encode_t_test",
 ]
 
 [
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ unit_tests = [`
`33`	`33`	`"mldsa87_keygen_encode_s_test",`
`34`	`34`	`"mldsa87_keygen_sample_s_test",`
`35`	`35`	`"mldsa87_keygen_compute_t_test",`
	`36`	`+ "mldsa87_keygen_encode_t_test",`
`36`	`37`	`]`
`37`	`38`
`38`	`39`	`[`