pub fn sample_poly_cbd(eta: usize, bytes: &[u8]) -> [i16; 256]Expand description
Sample a polynomial from the centered binomial distribution CBD_eta (Algorithm 8).
For each of the 256 coefficients, sums eta random bits for x and
eta random bits for y, then computes (x - y) mod q. The result
lies in [-eta, eta] before reduction, corresponding to the centered
binomial distribution.
Fully constant-time: no branches depend on secret bit values. The branchless modular reduction adds q when the difference is negative using an arithmetic shift mask.
§Arguments
eta- The CBD parameter (2 or 3 for ML-KEM).bytes- Exactly64 * etabytes of PRF output.
§Returns
A 256-coefficient polynomial with coefficients in [0, q-1].
§Panics
Debug-asserts that bytes.len() == 64 * eta.