ML-DSA signature reference code not aligned with FIPS 204 final?

carine lefort

Dec 30, 2024, 9:31:32 AM12/30/24
to pqc-forum

Hello,

I note that FIPS 204 final, page 25, Algorithm 7 ML-DSA.Sign_internal indicates

line 21: 𝐫0 ← LowBits(𝐰 − ⟨⟨𝑐𝐬2⟩⟩)

but the reference code (dilithium/ref/sign.c at master · pq-crystals/dilithium · GitHub) first performs the decompose (or LowBits) operation and then the subtraction, as follows:
 
int crypto_sign_signature_internal(uint8_t *sig,
                                   size_t *siglen,
                                   const uint8_t *m,
                                   size_t mlen,
                                   const uint8_t *pre,
                                   size_t prelen,
                                   const uint8_t rnd[RNDBYTES],
                                   const uint8_t *sk)

....
polyveck_decompose(&w1, &w0, &w1);   // LowBits(w)
.....
polyveck_sub(&w0, &w0, &h);          // LowBits(w) − ⟨⟨𝑐𝐬2⟩⟩

Has someone else also seen this difference? Is it a mistake in FIPS 204?

Thank you for your feedback,
Carine

Bobby McGee

Dec 31, 2024, 9:54:57 AM12/31/24
to pqc-forum, carine lefort
See Section 5.1 of the [Dilithium 3.1 specs](https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf), which is also referenced at the end of Section 6.2 of FIPS 204.  Calling Decompose four times (as one might do if blindly following pseudocode in FIPS 204) is pretty inefficient.
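Added illustration, not part of the thread and not code from the pq-crystals repository: a per-coefficient Decompose written after FIPS 204 Algorithm 36, used to compare the two ways of computing 𝐫0 that the thread discusses, LowBits(w − cs2) as in Algorithm 7 and LowBits(w) − cs2 as in the reference code. Whenever a coefficient of LowBits(w) − cs2 satisfies the signing check |r0| < γ2 − β, the two values coincide and HighBits(w − cs2) equals HighBits(w), so a signature that is accepted is identical either way; when the check fails, the values can differ, but the signing loop rejects that attempt anyway. The ML-DSA-44 parameters (q, γ2 = (q − 1)/88, β = 78) and the random sampling are assumptions of this example, taken from the FIPS 204 parameter tables rather than from the posts.

```python
import random

# Constructed example parameters: ML-DSA-44 from FIPS 204 (an assumption of this
# example; the thread itself quotes no parameter set).
Q = 8380417
GAMMA2 = (Q - 1) // 88   # gamma_2 for ML-DSA-44; ML-DSA-65/87 use (Q - 1) // 32
BETA = 78                # tau * eta = 39 * 2 for ML-DSA-44, the bound on |c*s2|


def mod_pm(x, m):
    """Centred reduction x mod+- m, result in (-m/2, m/2] as FIPS 204 defines it."""
    r = x % m
    if r > m // 2:
        r -= m
    return r


def decompose(r, gamma2=GAMMA2):
    """Decompose (FIPS 204 Algorithm 36) on one coefficient: r == r1*2*gamma2 + r0 (mod Q).

    Returns (r1, r0).  When r+ - r0 == Q - 1 the top bucket is folded into r1 = 0
    and r0 is shifted down by one, exactly as the algorithm specifies."""
    r_plus = r % Q
    r0 = mod_pm(r_plus, 2 * gamma2)
    if r_plus - r0 == Q - 1:
        return 0, r0 - 1
    return (r_plus - r0) // (2 * gamma2), r0


def high_bits(r, gamma2=GAMMA2):
    return decompose(r, gamma2)[0]


def low_bits(r, gamma2=GAMMA2):
    return decompose(r, gamma2)[1]


def r0_two_ways(w, s, gamma2=GAMMA2):
    """One coefficient of r0 computed both ways; s stands for the coefficient of c*s2.

    spec: LowBits(w - s)   (Algorithm 7, line 21)
    ref:  LowBits(w) - s   (decompose first, subtract afterwards)
    """
    spec = low_bits((w - s) % Q, gamma2)
    _, w0 = decompose(w, gamma2)
    ref = w0 - s
    return spec, ref


def check_passes(r0_coeff, gamma2=GAMMA2, beta=BETA):
    """Per-coefficient form of the signing rejection test: keep iff |r0| < gamma2 - beta."""
    return abs(r0_coeff) < gamma2 - beta


def scan(n=20000, gamma2=GAMMA2, beta=BETA, seed=1):
    """Sample random w in Z_q and s with |s| <= beta (constructed inputs, fixed seed).

    Returns (accepted, disagreements): accepted counts coefficients that pass the
    norm check on the reference-code value; disagreements counts accepted
    coefficients where either the two r0 values or the two HighBits values differ.
    """
    rng = random.Random(seed)
    accepted = disagreements = 0
    for _ in range(n):
        w = rng.randrange(Q)
        s = rng.randrange(-beta, beta + 1)
        spec, ref = r0_two_ways(w, s, gamma2)
        if check_passes(ref, gamma2, beta):
            accepted += 1
            same_r0 = spec == ref
            same_w1 = high_bits((w - s) % Q, gamma2) == high_bits(w, gamma2)
            if not (same_r0 and same_w1):
                disagreements += 1
    return accepted, disagreements


def counterexample(gamma2=GAMMA2):
    """A coefficient where the two formulas differ: w0 = gamma2 exactly and s = -1.

    LowBits(w - s) wraps to 1 - gamma2 while LowBits(w) - s is gamma2 + 1; the latter
    fails the norm check, so this attempt is rejected and the difference never
    reaches a signature."""
    w, s = gamma2, -1
    spec, ref = r0_two_ways(w, s, gamma2)
    return spec, ref, check_passes(ref, gamma2)


if __name__ == "__main__":
    print("accepted, disagreements:", scan())
    print("agreeing case (spec, ref):", r0_two_ways(5 * 2 * GAMMA2 + 100, 50))
    print("edge-bucket case (spec, ref):", r0_two_ways(Q - 1, 10))
    print("counterexample (spec, ref, passes):", counterexample())
```

The scan reports zero disagreements among accepted coefficients, which is why the reference code can run Decompose once on w and reuse w1 and w0 − cs2 afterwards instead of decomposing w − cs2 again; the counterexample shows the only kind of input on which the two orderings diverge, and it is exactly the kind the norm check throws away.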