Skip to content

Comments

[crypto] ML-DSA-87: backward number-theoretic transform (3/24)#29334

Merged
nasahlpa merged 2 commits intolowRISC:masterfrom
andrea-caforio:mldsa87-verify-3
Feb 19, 2026
Merged

[crypto] ML-DSA-87: backward number-theoretic transform (3/24)#29334
nasahlpa merged 2 commits intolowRISC:masterfrom
andrea-caforio:mldsa87-verify-3

Conversation

@andrea-caforio
Copy link
Contributor

@andrea-caforio andrea-caforio commented Feb 18, 2026
edited
Loading

This is an implementation of the backward number-theoretic transform over the
polynomial ring Z_q[X] / (X^256 + 1) using the 512-th root of unity 1753
(see #29333 for the forward variant).

Design rationale (from mldsa87_ntt.s):

A NTT operation over a polynomial of 256 32-bit coefficients consists of 8
layers with each layer computing 128 butterflies, i.e., the twiddle factors are
multiplied with 128 coefficients. The 32 WDRs in OTBN can hold 128 coefficients
in 16 WDRs with the rest being used to hold twiddle factors and intermediate
results. This means that with the exception of Layer 1, one half of each
each subsequent Layer 2-8 can be computed completely in-register without the
need to store and load results to DMEM. This 7x1 decomposition of a 8-layer NTT
differs from the 4x4 decomposition first proposed by Becker et al. [1] as it is
more intutive and makes betters use of the register structure of the OTBN.

[1]  https://doi.org/10.46586/tches.v2022.i1.221-244

This is a series of PRs that in their composition result in FIPS-204-compliant OTBN implementation of ML-DSA-87 verify.

Resources

Preamble

  1. doc [crypto] ML-DSA-87 verify (1/24) #29299

Number-theoretic transform

  1. NTT [crypto] ML-DSA-87: forward number-theoretic transform (2/24) #29333
  2. INTT

Polynomial arithmetic

  1. poly_add, poly_sub, poly_mul
  2. poly_mul_add

XOF

  1. xof_init, xof_poll, xof_finish
  2. xof_absorb
  3. xof_squeeze

Rounding

  1. shift_left
  2. decompose

Reduction

  1. reduce

Infinity norm

  1. norm_check

Sampling

  1. rej_ntt_poly, expand_a
  2. sample_in-ball
  3. challenge_hash

Encoding

  1. decode_z
  2. decode_t1
  3. decode_hint
  4. encode_w1

Vector operations

  1. sig_decode
  2. norm_check_z
  3. A*z, c * t1, Az - ct1
  4. use_hint

Epilogue

  1. app

@andrea-caforio andrea-caforio self-assigned this Feb 18, 2026
@andrea-caforio andrea-caforio added Type:Enhancement Feature requests, enhancements SW:cryptolib Crypto library labels Feb 18, 2026
nasahlpa
nasahlpa reviewed Feb 19, 2026
View reviewed changes
@andrea-caforio andrea-caforio marked this pull request as ready for review February 19, 2026 12:30
etterli
etterli approved these changes Feb 19, 2026
View reviewed changes
Copy link
Contributor

@etterli etterli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@andrea-caforio
[crypto] ML-DSA-87: backward number-theoretic transform
6ff1150 
This is an implementation of the backward number-theoretic transform
over the polynomial ring Z_q[X] / (X^256 + 1) using the 512-th root of
unity 1753.

Signed-off-by: Andrea Caforio <andrea.caforio@lowrisc.org>
@andrea-caforio
[crypto] ML-DSA-87: Unit test to verify INTT(NTT(x)) = x
68f400c 
The composition of the forward and backward NTT must result in the
identity function.

Signed-off-by: Andrea Caforio <andrea.caforio@lowrisc.org>
nasahlpa
nasahlpa approved these changes Feb 19, 2026
View reviewed changes
Copy link
Member

@nasahlpa nasahlpa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@nasahlpa nasahlpa added this pull request to the merge queue Feb 19, 2026
Merged via the queue into lowRISC:master with commit 4c4db5d Feb 19, 2026
46 checks passed
This was referenced Feb 19, 2026
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nasahlpa nasahlpa nasahlpa approved these changes

@andreaskurth andreaskurth Awaiting requested review from andreaskurth

@siemen11 siemen11 Awaiting requested review from siemen11

@vogelpi vogelpi Awaiting requested review from vogelpi

@h-filali h-filali Awaiting requested review from h-filali

@johannheyszl johannheyszl Awaiting requested review from johannheyszl

+1 more reviewer

@etterli etterli etterli approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@andrea-caforio andrea-caforio

Labels

SW:cryptolib Crypto library Type:Enhancement Feature requests, enhancements

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrea-caforio @nasahlpa @etterli