Module shuffle

Fisher-Yates shuffled NTT for ML-DSA secret polynomials: butterfly index randomization as a countermeasure against SPA / SEMA and trace alignment on the secret-polynomial NTT. Available with the sca-protected Cargo feature.

Same principle as the ML-KEM shuffle module, ported to the ML-DSA arithmetic (q = 8 380 417, i32 coefficients, 256-coefficient polynomials, NTT all the way down to length-1).

§Principle

Within a given NTT level, all butterfly groups (and all butterflies within a group) are independent — permuting their execution order does not affect correctness, only the pattern of memory accesses and instantaneous power consumption. By drawing a fresh permutation per level and per group from an SCA-dedicated CSPRNG, two successive NTTs on the same input produce different power / EM traces, defeating trace-alignment-based SPA and template attacks. The CSPRNG (ScaRng) is seeded with K ‖ rnd ‖ tr ‖ M' inside crate::ml_dsa::dsa::sign_internal.

Applied to s1, s2, t0 (the three secret vectors). The public matrix A keeps the classical NTT for performance — public values need no shuffling.

The primary entry point is ntt_shuffled, a drop-in replacement for super::ntt::ntt that draws from a CryptoRng.
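The shuffled NTT described above, as an added example that is not the crate's own code: FIPS 204 Algorithm 41 over the ML-DSA ring, with the group order and the in-group butterfly order drawn fresh at every level from a Fisher-Yates permutation with rejection sampling on 16-bit draws, checked against the NTT's defining evaluation map. The xorshift `Rng` standing in for `ScaRng`, the `i64` coefficients and the constructed input polynomial are assumptions of the example; the crate's `CryptoRng` plumbing is not reproduced.

```rust
const Q: i64 = 8_380_417; // ML-DSA modulus (i64 here instead of the crate's i32, for brevity)
const ZETA: i64 = 1753;   // primitive 512th root of unity mod Q
fn zetas() -> [i64; 256] { // z[k] = ZETA^bitrev8(k) mod Q, the FIPS 204 twiddle table
    let mut z = [0i64; 256];
    for k in 0..256 { z[k] = (0..(k as u8).reverse_bits()).fold(1, |p, _| p * ZETA % Q); }
    z
}
pub struct Rng(pub u64); // xorshift64 stand-in for the crate's ScaRng (example assumption; seed != 0)
impl Rng { fn next_u16(&mut self) -> u16 {
    self.0 ^= self.0 << 13; self.0 ^= self.0 >> 7; self.0 ^= self.0 << 17;
    (self.0 >> 32) as u16
} }
/// Uniform permutation of 0..n in place: Fisher-Yates with rejection sampling on 16-bit draws.
pub fn generate_permutation(perm: &mut [usize], rng: &mut Rng) {
    for (i, p) in perm.iter_mut().enumerate() { *p = i; }
    for i in (1..perm.len()).rev() {
        let bound = (i + 1) as u32; // draws >= 65536 - 65536 % bound would bias `r % bound`
        let r = loop { let r = rng.next_u16() as u32; if r < 65_536 - 65_536 % bound { break r; } };
        perm.swap(i, (r % bound) as usize);
    }
}
/// Forward NTT (FIPS 204 Alg. 41, down to length 1) with group and butterfly order drawn per level.
pub fn ntt_shuffled(w: &mut [i64; 256], rng: &mut Rng) {
    let (z, mut len) = (zetas(), 128);
    while len >= 1 {
        let groups = 256 / (2 * len);
        let (mut g, mut b) = (vec![0usize; groups], vec![0usize; len]);
        generate_permutation(&mut g, rng); generate_permutation(&mut b, rng);
        for &gi in &g {                // groups of one level are independent ...
            let zeta = z[groups + gi]; // FIPS 204 twiddle index m for start = gi * 2 * len
            for &j in &b {             // ... and so are the butterflies within a group
                let lo = gi * 2 * len + j;
                let t = zeta * w[lo + len] % Q;
                w[lo + len] = (w[lo] - t).rem_euclid(Q);
                w[lo] = (w[lo] + t) % Q;
            }
        }
        len /= 2;
    }
}
/// True when the shuffled NTT matches the FIPS 204 definition w_hat[j] = w(ZETA^(2*bitrev8(j)+1)).
pub fn shuffle_preserves_ntt(seed: u64) -> bool {
    let mut w = [0i64; 256];
    for (i, c) in w.iter_mut().enumerate() { *c = (i as i64 * 7919 + 13) % Q; } // constructed input
    let (poly, z) = (w, zetas());
    ntt_shuffled(&mut w, &mut Rng(seed));
    (0..256).all(|j| { // Horner evaluation of the input at the j-th root; z[j] = ZETA^bitrev8(j)
        let x = z[j] * z[j] % Q * ZETA % Q;
        w[j] == poly.iter().rev().fold(0, |acc, &c| (acc * x + c) % Q)
    })
}
```

Because every level's permutation is redrawn, two calls with different seeds execute the butterflies in different orders yet return the same coefficients.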

§References

  • Hardware NTT shuffling as a lightweight countermeasure for ML-KEM (arXiv, 2024) — original shuffling analysis; the construction transfers directly to ML-DSA.
  • Slothy-assisted Cortex-M4/M7 implementations of ML-DSA (IACR ePrint 2025) — performance measurements for the shuffled variant.
  • Physical security considerations for ML-DSA (NIST, 2025) — recommended posture including shuffling as an SPA mitigation.

§Where to look next

  • Countermeasure description and threat analysis: doc/sca/countermeasures/ml_dsa.rst, section SPA / SEMA — Fisher-Yates shuffled NTT.
  • Call site: crate::ml_dsa::dsa::sign_internal, Step 1 of the protected branch (three for loops applying ntt_shuffled to each polynomial of s1_hat, s2_hat, t0_hat).

§Functions

  • generate_permutation: Generate a uniform random permutation of 0..n in-place using Fisher-Yates with rejection sampling on 16-bit RNG output.
  • ntt_shuffled: Forward NTT with randomized butterfly ordering (SPA countermeasure).