RFR: 8298387: Implementing ML-DSA signature algorithm [v3]
Ferenc Rakoczi
duke at openjdk.org
Fri Oct 11 11:36:13 UTC 2024
On Thu, 10 Oct 2024 15:43:18 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Ben Perez has updated the pull request incrementally with one additional commit since the last revision:
>>
>> renamed internal keyGen/sign/verify functions to be same as spec
>
> src/java.base/share/classes/sun/security/provider/ML_DSA.java line 1202:
>
>> 1200: public static int[] mlDsaInverseNtt(int[] coeffs) {
>> 1201: int result = implMlDsaAlmostInverseNtt(coeffs, montZetasForVectorInverseNtt);
>> 1202: result = implMlDsaMontMulByConstant(coeffs, montDimInverse);
>
> In FIPS 204, the constant is 8347681. Why do you use 16382?

The same thing is happening here as with the NTT, except we are not multiplying by 1 but by 2^-256 using Montgomery multiplication combined with the conversion back to the "normal domain"; that is why the variable name is montDimInverse. In the standard, they have dinInverse.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21364#discussion_r1796827653
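
The relationship between the two constants in this exchange can be checked directly. The following is an added example, not code from the thread or from the JDK; it assumes a Montgomery radix of 2^32, and the class name, method names and the `Q_INV` constant are introduced here for illustration.

```java
import java.math.BigInteger;

// Added example, not JDK code. Assumption: Montgomery radix R = 2^32.
public class MontDimInverseCheck {
    static final int Q = 8380417;              // ML-DSA modulus q (FIPS 204)
    static final int DIM_INVERSE = 8347681;    // constant cited from FIPS 204 in the thread
    static final int MONT_DIM_INVERSE = 16382; // constant questioned in the thread
    static final int Q_INV = 58728449;         // q^-1 mod 2^32 (verified in main)

    // Montgomery reduction: returns r with r = a * 2^-32 (mod q) and |r| < q,
    // valid for |a| < 2^31 * q.
    static int montReduce(long a) {
        int t = (int) a * Q_INV;               // low 32 bits of a * q^-1, wraps mod 2^32
        return (int) ((a - (long) t * Q) >> 32); // low 32 bits cancel, shift is exact
    }

    static int montMul(int a, int b) {
        return montReduce((long) a * b);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        BigInteger q = BigInteger.valueOf(Q);
        BigInteger r = BigInteger.ONE.shiftLeft(32);

        // 256^-1 mod q is the constant from the standard.
        check(BigInteger.valueOf(256).modInverse(q).intValueExact() == DIM_INVERSE,
              "256^-1 mod q");
        // The same value carried into Montgomery form (times R mod q) is 16382.
        check(BigInteger.valueOf(DIM_INVERSE).multiply(r).mod(q).intValueExact()
              == MONT_DIM_INVERSE, "Montgomery form of 256^-1");
        check(Q * Q_INV == 1, "Q_INV");        // int product wraps mod 2^32

        // Montgomery-multiplying by 16382 gives the same residue as a plain
        // modular multiplication by 8347681, for sampled a in (-q, q).
        for (int a = -Q + 1; a < Q; a += 4099) {
            int viaMont = Math.floorMod(montMul(a, MONT_DIM_INVERSE), Q);
            int plain = (int) Math.floorMod((long) a * DIM_INVERSE, (long) Q);
            check(viaMont == plain, "mismatch at a=" + a);
        }
        System.out.println("16382 = 8347681 * 2^32 mod q; both scalings agree");
    }
}
```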