polyvecl_uniform_gamma1 implementation is different than FIPS204

[libo-wu]

Hi,

The function polyvecl_uniform_gamma1 is used in the MLDSA sign internal API to perform the ExpandMask functionality. But looks like the XOF input source is different than the FIPS 204 standard.

In FIPS204, ExpandMask(rho, mu) computes the vector y in the iteration over L:

𝑐 ← 1 + bitlen (𝛾1 − 1) 
for 𝑟 from 0 to ℓ − 1 do
  𝜌′ ← 𝜌||IntegerToBytes(𝜇 + 𝑟, 2)
  𝑣 ← H(𝜌′, 32𝑐) // seed depends on 𝜇 + 𝑟
  𝐲[𝑟] ← BitUnpack(𝑣, 𝛾1 − 1, 𝛾1)
  end for
return y

The XOF is performed on the rho || (mu + r).
But in the code polyvecl_uniform_gamma1, the XOF is performed on the rho || (L * mu + r):

void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
  unsigned int i;

  for(i = 0; i < L; ++i)
    poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
}

Could you help check? Thanks.