RFR: 8298387: Implementing ML-DSA signature algorithm [v3]
Ferenc Rakoczi
duke at openjdk.org
Fri Oct 11 11:32:12 UTC 2024
On Thu, 10 Oct 2024 15:42:21 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Ben Perez has updated the pull request incrementally with one additional commit since the last revision:
>>
>> renamed internal keyGen/sign/verify functions to be same as spec
>
> src/java.base/share/classes/sun/security/provider/ML_DSA.java line 1174:
>
>> 1172: int result = implMlDsaAlmostNtt(coeffs, montZetasForVectorNtt);
>> 1173: int[] check = coeffs.clone();
>> 1174: result = implMlDsaMontMulByConstant(coeffs, montRModQ);
>
> In FIPS 204, NTT does not end with multiplying a constant. Why do you need one?
That is the step that brings the result to the required range. The mod q computations are done using Montgomery multiplications, and with the additions and subtractions the results after each iteration of the loop may go outside the [-q, q] range, but this final step brings them back. It is basically a Montgomery multiplication by 1 and a conversion back from the "Montgomery domain" to the "normal domain", so the result does not change modulo q, and it will be in [-q, q].
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21364#discussion_r1796823624
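An added example to illustrate the range argument in the reply above; it is Python written for this page, not code from the JDK's ML_DSA.java. It uses the ML-DSA modulus q = 8380417 from FIPS 204, assumes the Montgomery radix R = 2^32 and takes `montRModQ` to mean R mod q; the function names are assumptions of this example.

```python
# Signed Montgomery arithmetic with the ML-DSA modulus, showing why a Montgomery
# multiplication by R mod q is a multiplication by 1 modulo q that pulls every
# coefficient back into (-q, q).
Q = 8380417                 # ML-DSA modulus 2^23 - 2^13 + 1 (FIPS 204)
R_BITS = 32
R = 1 << R_BITS             # Montgomery radix; R = 2^32 is assumed here
QINV = pow(Q, -1, R)        # q^-1 mod R
R_MOD_Q = R % Q             # the "montRModQ" constant: R mod q (= 4193792)

def montgomery_reduce(a: int) -> int:
    """Return a * R^-1 mod q as a signed value in (-q, q).

    Requires |a| < q * 2^31, which holds for the product of any 32-bit
    signed coefficient with a constant below q.
    """
    assert -Q * (1 << 31) < a < Q * (1 << 31)
    t = (a * QINV) & (R - 1)          # a * q^-1 mod R ...
    if t >= R >> 1:                   # ... read as a signed 32-bit integer
        t -= R
    # a - t*q is an exact multiple of R, so the shift is an exact division
    return (a - t * Q) >> R_BITS

def mont_mul(a: int, b: int) -> int:
    """Montgomery product a * b * R^-1 mod q."""
    return montgomery_reduce(a * b)

def mont_mul_by_constant(coeffs, c):
    """Montgomery-multiply every coefficient by the constant c."""
    return [mont_mul(x, c) for x in coeffs]

def bring_into_range(coeffs):
    """x * (R mod q) * R^-1 == x (mod q): the value does not change modulo q,
    only its representative does, and the new one lies in (-q, q)."""
    return mont_mul_by_constant(coeffs, R_MOD_Q)

def butterfly_growth(a: int, b: int, zeta_mont: int):
    """One NTT butterfly: the product is Montgomery-reduced, but a +/- t is
    not, so the outputs can leave (-q, q) even when the inputs are inside."""
    t = mont_mul(zeta_mont, b)
    return a + t, a - t

if __name__ == "__main__":
    # Constructed input: with zeta = R mod q (Montgomery form of 1), b = q-1
    # reduces to -1 and the second output lands exactly on q.
    hi, lo = butterfly_growth(Q - 1, Q - 1, R_MOD_Q)
    print("butterfly outputs:", hi, lo)
    print("after multiply by R mod q:", bring_into_range([hi, lo]))
```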