[crypto] ML-DSA-87: forward number-theoretic transform (2/24)

[andrea-caforio]

This is an implementation of the forward number-theoretic transform over the
polynomial ring Z_q[X] / (X^256 + 1) using the 512-th root of unity 1753.

Design rationale (from mldsa87_ntt.s):

A NTT operation over a polynomial of 256 32-bit coefficients consists of 8
layers with each layer computing 128 butterflies, i.e., the twiddle factors are
multiplied with 128 coefficients. The 32 WDRs in OTBN can hold 128 coefficients
in 16 WDRs with the rest being used to hold twiddle factors and intermediate
results. This means that with the exception of Layer 1, one half of each
each subsequent Layer 2-8 can be computed completely in-register without the
need to store and load results to DMEM. This 7x1 decomposition of a 8-layer NTT
differs from the 4x4 decomposition first proposed by Becker et al. [1] as it is
more intutive and makes betters use of the register structure of the OTBN.

[1]  https://doi.org/10.46586/tches.v2022.i1.221-244

---

This is a series of PRs that in their composition result in FIPS-204-compliant OTBN implementation of ML-DSA-87 verify.

Resources

• https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf
• https://tches.iacr.org/index.php/TCHES/article/view/11158/10597
• https://github.com/pq-crystals/dilithium

Preamble

1. doc [crypto] ML-DSA-87 verify (1/24) #29299

Number-theoretic transform

2. NTT
3. INTT

Polynomial arithmetic

4. poly_add, poly_sub, poly_mul
5. poly_mul_add

XOF

6. xof_init, xof_poll, xof_finish
7. xof_absorb
8. xof_squeeze

Rounding

9. shift_left
10. decompose

Reduction

11. reduce

Infinity norm

12. norm_check

Sampling

13. rej_ntt_poly, expand_a
14. sample_in-ball
15. challenge_hash

Encoding

16. decode_z
17. decode_t1
18. decode_hint
19. encode_w1

Vector operations

20. sig_decode
21. norm_check_z
22. A*z, c * t1, Az - ct1
23. use_hint

Epilogue

24. app

[etterli]

Looks nice, especially due to the nice modularization.

[etterli]

How can this be ensured?

[andrea-caforio]

You can specify the order the input files to gnu-as, for example:

otbn_sim_test(
     name = "mldsa87_keygen_wycheproof_g1_test",
     srcs = mldsa87_srcs + [
         # This is a top-level OTBN application test.
         # Make sure the memory file is placed after all the sources.
         "//sw/otbn/crypto/mldsa87:mldsa87_keygen.s",
         "//sw/otbn/crypto/mldsa87:mldsa87_keygen_mem.s",
         "mldsa87_keygen_test.s",
     ],
     testcase = "mldsa87_keygen_wycheproof_g1_test.hjson",
 )

[etterli]

Ok. Maybe that the location of mldsa87_ntt.s must not be there is something worth to add to the readme?

[andrea-caforio]

Right. It should be there. Let me fix it.

[nasahlpa]

Thanks for the comprehensive documentation, this makes it easier to review :-)