On Thu, 10 Oct 2024 15:42:21 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Ben Perez has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   renamed internal keyGen/sign/verify functions to be same as spec
>
> src/java.base/share/classes/sun/security/provider/ML_DSA.java line 1174:
>
>> 1172: int result = implMlDsaAlmostNtt(coeffs, montZetasForVectorNtt);
>> 1173: int[] check = coeffs.clone();
>> 1174: result = implMlDsaMontMulByConstant(coeffs, montRModQ);
>
> In FIPS 204, NTT does not end with multiplying a constant. Why do you need one?

That is the step that brings the result to the required range. The mod q computations are done using Montgomery multiplications, and with the additions and subtractions the results after each iteration of the loop may go outside the [-q, q] range, but this final step brings them back. It is basically a Montgomery multiplication by 1 and a conversion back from "Montgomery domain" to "normal domain", so the result does not change modulo q, and it will be in [-q, q].

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/21364#discussion_r1796823624
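
The range argument in the reply above, as an added Java example that is not part of the e-mail or of the JDK source: a textbook signed Montgomery reduction with R = 2^32, checked on constructed inputs. The names `montReduce`, `montMul`, `normalize` and the constants are assumptions of this example, including that `montRModQ` holds 2^32 mod q.

```java
public class MontgomeryRangeDemo {
    static final int Q = 8380417;        // ML-DSA modulus q = 2^23 - 2^13 + 1
    static final int QINV = 58728449;    // q^-1 mod 2^32
    static final int R_MOD_Q = 4193792;  // 2^32 mod q (assumed value of montRModQ)

    // Returns r with r ≡ a * 2^-32 (mod q) and -q < r < q, for |a| <= 2^31 * q.
    static int montReduce(long a) {
        int t = (int) a * QINV;                   // low 32 bits of a * q^-1
        return (int) ((a - (long) t * Q) >> 32);  // low 32 bits cancel, so the shift is exact
    }

    static int montMul(int a, int b) {
        return montReduce((long) a * b);
    }

    // Multiply by R mod q: a * R * R^-1 ≡ a (mod q), so the residue is
    // unchanged while the representative lands inside (-q, q).
    static int normalize(int a) {
        return montMul(a, R_MOD_Q);
    }

    public static void main(String[] args) {
        // Sanity check on the constant: q * q^-1 wraps to 1 in 32-bit arithmetic.
        if (Q * QINV != 1) throw new AssertionError("QINV is not q^-1 mod 2^32");

        // Constructed inputs, including values far outside [-q, q].
        int[] samples = {Integer.MAX_VALUE, Integer.MIN_VALUE, 3 * Q + 5, -7 * Q - 1, Q, 12345};
        for (int x : samples) {
            int r = normalize(x);
            boolean sameResidue = Math.floorMod(r, Q) == Math.floorMod(x, Q);
            boolean inRange = r > -Q && r < Q;
            if (!sameResidue || !inRange) throw new AssertionError("failed for " + x);
            System.out.printf("%12d -> %9d%n", x, r);
        }
    }
}
```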