pub fn ntt_shuffled(
f: &mut [i32; 256],
rng: &mut dyn CryptoRng,
) -> Result<(), MlDsaError>

Forward NTT with randomized butterfly ordering (SPA countermeasure).
Functionally equivalent to super::ntt::ntt but draws fresh
random permutations from rng for both the inter-group and
intra-group butterfly orderings at each NTT level.
Uses the non-Montgomery ZETAS table together with the public
mul_mod_q helper, so the implementation is fully self-contained,
at the cost of being slightly slower than the in-place
Montgomery butterflies in super::ntt::ntt. This is acceptable for the
SCA-protected build because the shuffled NTT runs only three times
per signature (on s1, s2, t0), once at the start of
sign_internal and never inside the rejection loop.
Output coefficients are in [0, q-1], matching the regular NTT.
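
Why the reordering is safe, as an added example (not this crate's code): within one NTT level every butterfly touches a disjoint coefficient pair, so any visiting order yields the same output. The sketch uses i64 arithmetic and hypothetical names (`ntt_with_order`, `shuffled_order`), with xorshift64 as a constructed stand-in for the `CryptoRng`.

```rust
const Q: i64 = 8_380_417; // ML-DSA modulus q
const ROOT: i64 = 1753; // 512th root of unity mod q (FIPS 204)
fn mul_mod_q(a: i64, b: i64) -> i64 { (a * b).rem_euclid(Q) }

/// zetas[m] = ROOT^bitrev8(m) mod q, in plain (non-Montgomery) form.
fn zetas() -> [i64; 256] {
    let (mut pow, mut z) = ([1i64; 256], [0i64; 256]);
    for i in 1..256 { pow[i] = mul_mod_q(pow[i - 1], ROOT); }
    for m in 0..256usize { z[m] = pow[(m as u8).reverse_bits() as usize]; }
    z
}

/// Forward NTT; `order(n)` returns the order in which n independent items are visited.
fn ntt_with_order(f: &mut [i64; 256], order: &mut dyn FnMut(usize) -> Vec<usize>) {
    let z = zetas();
    let mut len = 128usize;
    while len >= 1 {
        let groups = 128 / len; // each group shares one zeta
        for g in order(groups) { // inter-group ordering
            for j in order(len) { // intra-group ordering, redrawn per group
                let a = 2 * len * g + j;
                let t = mul_mod_q(z[groups + g], f[a + len]);
                f[a + len] = (f[a] - t).rem_euclid(Q);
                f[a] = (f[a] + t).rem_euclid(Q);
            }
        }
        len /= 2;
    }
}

/// Fisher-Yates over xorshift64: a constructed stand-in for the CSPRNG, not for real use.
fn shuffled_order(seed: u64) -> impl FnMut(usize) -> Vec<usize> {
    let mut s = seed;
    move |n: usize| {
        let mut p: Vec<usize> = (0..n).collect();
        for i in (1..n).rev() {
            s ^= s << 13; s ^= s >> 7; s ^= s << 17;
            p.swap(i, (s % (i as u64 + 1)) as usize); // modulo bias ignored here
        }
        p
    }
}

fn main() {
    let mut plain: [i64; 256] = std::array::from_fn(|i| (i as i64 * 7919 + 13) % Q); // constructed input
    let mut shuffled = plain;
    ntt_with_order(&mut plain, &mut |n: usize| (0..n).collect::<Vec<usize>>());
    ntt_with_order(&mut shuffled, &mut shuffled_order(0x5eed));
    assert_eq!(plain, shuffled); // same output, different execution order
}
```

A hardened implementation draws the permutations from a CSPRNG without modulo bias; only the order of operations differs from the fixed-order NTT, not the values computed.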