WIP

src/lib/pubkey/dilithium/dilithium_common/dilithium_polynomial.h

@@ -23,9 +23,6 @@ class DilithiumPolyTraits final : public CRYSTALS::Trait_Base<DilithiumConstants
    private:
       friend class CRYSTALS::Trait_Base<DilithiumConstants, DilithiumPolyTraits>;
 
-      /**
-       * NIST FIPS 204 IPD, Algorithm 37 (Montgomery_Reduce)
-       */
       static constexpr T montgomery_reduce_coefficient(T2 a) {
          const T2 t = static_cast<T>(static_cast<T2>(static_cast<T>(a)) * Q_inverse);
          return (a - static_cast<T2>(t) * Q) >> (sizeof(T) * 8);
@@ -40,7 +37,7 @@ class DilithiumPolyTraits final : public CRYSTALS::Trait_Base<DilithiumConstants
 
    public:
       /**
-       * NIST FIPS 204 IPD, Algorithm 35 (NTT)
+       * NIST FIPS 204, Algorithm 41 (NTT)
        *
        * Note: ntt(), inverse_ntt() and operator* have side effects on the
        *       montgomery factor of the involved coefficients!
@@ -68,7 +65,7 @@ class DilithiumPolyTraits final : public CRYSTALS::Trait_Base<DilithiumConstants
       }
 
       /**
-       * NIST FIPS 204 IPD, Algorithm 36 (NTT^-1).
+       * NIST FIPS 204, Algorithm 42 (NTT^-1).
        *
        * The output is effectively multiplied by the montgomery parameter 2^32
        * mod q so that the input factors 2^(-32) mod q are eliminated. Note

src/lib/pubkey/dilithium/dilithium_modern/ml_dsa_ipd/ml_dsa_ipd.h

@@ -56,7 +56,8 @@ class Dilithium_ML_DSA_IPD_Symmetric_Primitives : public Dilithium_Common_Symmet
 
       StrongSpan<const DilithiumCommitmentHash> truncate_commitment_hash(
          StrongSpan<const DilithiumCommitmentHash> seed) const override {
-         // TODO: ML-DSA does not truncate the commitment hash
+         // TODO: ML-DSA does not truncate the commitment hash, so we could
+         //       simply "return seed" here;
          return StrongSpan<const DilithiumCommitmentHash>(
             seed.get().first(DilithiumConstants::COMMITMENT_HASH_C1_BYTES));
       };