longfellow 0.1.0

data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_44_witness_test.cc

@@ -0,0 +1,49 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/pq/ml_dsa/ml_dsa_44_witness.h"
+
+#include <cstdint>
+
+#include "circuits/tests/pq/ml_dsa/ml_dsa_44_types.h"
+#include "gtest/gtest.h"
+
+namespace proofs {
+namespace {
+
+TEST(MlDsa44WitnessTest, SymmetricReduce) {
+  // Case 1: delta < Q/2, positive
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(100), 100);
+
+  // Case 2: delta = 0
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(0), 0);
+
+  // Case 3: delta > Q/2 (e.g. Q-1)
+  // This triggers the delta -= Q branch
+  int64_t q = static_cast<int64_t>(ml_dsa::Q);
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(q - 1), -1);
+
+  // Case 4: delta near Q/2
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(q / 2), q / 2);
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(q / 2 + 1), q / 2 + 1 - q);
+
+  // Case 5: delta is negative but > -Q/2
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(-100), -100);
+
+  // Case 6: delta is exactly -Q/2
+  EXPECT_EQ(ml_dsa_44_witness::SymmetricReduce(-q / 2), -q / 2);
+}
+
+}  // namespace
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.cc

@@ -0,0 +1,458 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "circuits/tests/pq/ml_dsa/ml_dsa_ref.h"
+
+#include <algorithm>
+#include <array>
+#include <cstddef>
+#include <cstdint>
+#include <optional>
+#include <utility>
+#include <vector>
+
+#include "circuits/tests/pq/ml_dsa/ml_dsa_44_types.h"
+#include "circuits/tests/sha3/sha3_reference.h"
+#include "util/panic.h"
+
+namespace proofs {
+namespace ml_dsa {
+
+// Defined as SHAKE128(str, 8 * len) bits
+void G(const std::vector<uint8_t>& in, size_t len, std::vector<uint8_t>& out) {
+  out.resize(len);
+  Sha3Reference::shake128Hash(in.data(), in.size(), out.data(), len);
+}
+
+Rq mulf(Rq a, const Rq& b) {
+  for (int i = 0; i < 256; ++i) {
+    a[i] = Fq.mulf(a[i], b[i]);
+  }
+  return a;
+}
+
+Rq addf(Rq a, const Rq& b) {
+  for (int i = 0; i < 256; ++i) {
+    a[i] = Fq.addf(a[i], b[i]);
+  }
+  return a;
+}
+
+Rq subf(Rq a, const Rq& b) {
+  for (int i = 0; i < 256; ++i) {
+    a[i] = Fq.subf(a[i], b[i]);
+  }
+  return a;
+}
+
+Rq scalef(Rq a, const Elt& s) {
+  for (int i = 0; i < 256; ++i) {
+    a[i] = Fq.mulf(a[i], s);
+  }
+  return a;
+}
+
+// Algorithm 41 NTT(𝑤)
+void Ntt(Rq& a) {
+  const auto& zetas = kZetas;
+  int k = 1;
+  for (int len = 128; len >= 1; len >>= 1) {
+    for (int start = 0; start < 256; start += 2 * len) {
+      Elt zeta = Fq.of_scalar(zetas[k++]);
+      for (int j = start; j < start + len; ++j) {
+        Elt t = Fq.mulf(zeta, a[j + len]);
+        a[j + len] = Fq.subf(a[j], t);
+        a[j] = Fq.addf(a[j], t);
+      }
+    }
+  }
+}
+
+// Algorithm 42 NTT−1(𝑤)̂
+// Computes the inverse of the NTT.
+void InvNtt(Rq& a) {
+  const auto& zetas = kZetas;
+  int k = 255;
+  for (int len = 1; len < 256; len <<= 1) {
+    for (int start = 0; start < 256; start += 2 * len) {
+      Elt zeta = Fq.negf(Fq.of_scalar(zetas[k--]));
+      for (int j = start; j < start + len; ++j) {
+        Elt t = a[j];
+        a[j] = Fq.addf(t, a[j + len]);
+        a[j + len] = Fq.mulf(Fq.subf(t, a[j + len]), zeta);
+      }
+    }
+  }
+  // Multiply by 256^-1
+  Elt f = Fq.of_scalar(8347681);  // 256^-1 mod 8380417
+  for (int i = 0; i < 256; ++i) {
+    a[i] = Fq.mulf(a[i], f);
+  }
+}
+
+Rq RejNTTPoly(const std::vector<uint8_t>& rho, size_t num_blocks) {
+  std::vector<uint8_t> out;
+  // G is SHAKE128, which has a block size of 168 bytes
+  size_t extract_len = num_blocks * 168;
+  G(rho, extract_len, out);
+
+  Rq a;
+  size_t j = 0;
+  for (size_t i = 0; i + 2 < out.size() && j < 256; i += 3) {
+    uint8_t buf[8] = {0};
+    buf[0] = out[i];
+    buf[1] = out[i + 1];
+    buf[2] = out[i + 2] & 0x7F;
+    auto maybe_z = Fq.of_bytes_field(buf);
+    if (maybe_z.has_value()) {
+      a[j] = maybe_z.value();
+      j++;
+    }
+  }
+  check(j >= 256, "Failed to sample polynomial");
+  return a;
+}
+
+// Algorithm 29 SampleInBall(rho)
+// Samples a polynomial c in R with coefficients from {-1, 0, 1} and Hamming
+// weight tau.
+Rq SampleInBall(const std::array<uint8_t, 32>& rho) {
+  std::array<uint8_t, 136> out;
+  std::vector<uint8_t> rho_vec(rho.begin(), rho.end());
+  H(rho_vec, out);
+
+  Rq c;
+  for (size_t k = 0; k < N; ++k) {
+    c[k] = Fq.zero();
+  }
+
+  size_t out_idx = 8;
+  for (size_t i = 256 - TAU; i < 256; ++i) {
+    uint8_t j;
+    do {
+      check(out_idx < out.size(),
+            "SampleInBall: Not enough pseudorandom bytes");
+      j = out[out_idx++];
+    } while (j > i);
+
+    c[i] = c[j];
+
+    size_t bit_idx = i + TAU - 256;
+    size_t byte_idx = bit_idx / 8;
+    size_t bit_shift = bit_idx % 8;
+    uint8_t bit = (out[byte_idx] >> bit_shift) & 1;
+
+    if (bit == 1) {
+      c[j] = Fq.mone();
+    } else {
+      c[j] = Fq.one();
+    }
+  }
+  return c;
+}
+
+// Algorithm 32 ExpandA(rho)
+// Samples a K x L matrix A_hat of elements of T_q.
+// Input: A seed rho (32 bytes).
+// Output: Matrix A_hat in (T_q)^(K x L).
+MatrixA ExpandA(const std::vector<uint8_t>& rho) {
+  MatrixA A_hat;
+  for (uint8_t r = 0; r < K; ++r) {
+    for (uint8_t s = 0; s < L; ++s) {
+      std::vector<uint8_t> rho_prime = rho;
+      // IntegerToBytes(s, 1) || IntegerToBytes(r, 1)
+      // Little-endian
+      rho_prime.push_back(s);
+      rho_prime.push_back(r);
+      // Samples a polynomial in T_q. Using 5 blocks (168 * 5 = 840 bytes)
+      // should be overwhelmingly sufficient for rejection sampling 256
+      // coefficients.
+      A_hat[r][s] = RejNTTPoly(rho_prime, 5);
+    }
+  }
+  return A_hat;
+}
+
+std::pair<int32_t, int32_t> Decompose(int32_t r) {
+  // Handle the case that r < 0 or r > q by
+  // normalizing r_plus in the range [0, q-1].
+  int32_t r_plus = r % ml_dsa::Q;
+  if (r_plus < 0) {
+    r_plus += ml_dsa::Q;
+  }
+
+  constexpr int32_t alpha = 2 * GAMMA_2;
+  constexpr int32_t half_alpha = alpha / 2;
+  int32_t r0 = r_plus % alpha;
+  if (r0 > half_alpha) {
+    r0 -= alpha;
+  }
+
+  int32_t r1;
+  if (r_plus - r0 == ml_dsa::Q - 1) {
+    r1 = 0;
+    r0 = r0 - 1;
+  } else {
+    r1 = (r_plus - r0) / alpha;
+  }
+  return {r1, r0};
+}
+
+uint32_t UseHint(bool h, int32_t r) {
+  constexpr int32_t m = (ml_dsa::Q - 1) / (2 * GAMMA_2);
+  auto [r1, r0] = Decompose(r);
+
+  if (h && r0 > 0) {
+    return (r1 + 1) % m;
+  }
+  if (h && r0 <= 0) {
+    int32_t res = (r1 - 1) % m;
+    if (res < 0) res += m;
+    return res;
+  }
+  return r1;
+}
+
+// Algorithm 19 BitUnpack(v, a, b)
+// a = gamma1 - 1, b = gamma1
+// gamma1 = 131072
+// c = bitlen(a+b) = bitlen(262143) = 18.
+std::optional<Rq> BitUnpack(const std::vector<uint8_t>& v, uint32_t a,
+                            uint32_t b) {
+  Rq w;
+  uint32_t c = 18;  // Only supporting the ML-DSA-44 specific c
+  if (v.size() != 32 * c) return std::nullopt;
+
+  // Reversing the BitPack procedure
+  // Extract 18 bits at a time
+  for (size_t i = 0; i < N; ++i) {
+    size_t bit_offset = i * c;
+    size_t byte_offset = bit_offset / 8;
+    size_t shift = bit_offset % 8;
+
+    uint32_t val = 0;
+    // We need 18 bits. This will touch at most 4 bytes.
+    for (size_t k = 0; k < 4 && byte_offset + k < v.size(); ++k) {
+      val |= (static_cast<uint32_t>(v[byte_offset + k]) << (8 * k));
+    }
+
+    val >>= shift;
+    val &= ((1 << c) - 1);  // Mask out 18 bits
+
+    // w_i = b - val
+    int32_t wi = b - val;
+    // Map to [0, q-1]
+    if (wi < 0) {
+      wi += ml_dsa::Q;
+    }
+    w[i] = Fq.of_scalar(wi);
+  }
+  return w;
+}
+
+// Algorithm 21 HintBitUnpack(y)
+std::optional<std::array<std::array<bool, N>, K>> HintBitUnpack(
+    const std::vector<uint8_t>& y) {
+  std::array<std::array<bool, N>, K> h = {};
+  for (size_t i = 0; i < K; ++i) {
+    for (size_t j = 0; j < N; ++j) {
+      h[i][j] = false;
+    }
+  }
+
+  size_t index = 0;
+  for (size_t i = 0; i < K; ++i) {
+    int limit = y[OMEGA + i];
+    if (limit < index || limit > OMEGA) return std::nullopt;
+
+    int last = -1;
+    while (index < limit) {
+      int byte = y[index++];
+      if (last > 0 && byte <= last) {
+        return std::nullopt;
+      }
+      last = byte;
+      h[i][byte] = true;
+    }
+  }
+  for (; index < OMEGA; ++index) {
+    if (y[index] != 0) {
+      return std::nullopt;
+    }
+  }
+
+  return h;
+}
+
+// Algorithm 27 sigDecode(sigma)
+std::optional<Signature> sigDecode(const std::vector<uint8_t>& sigma) {
+  Signature sig;
+
+  size_t expected_size = C_TILDE_BYTES + L * 32 * 18 + OMEGA + K;
+  if (sigma.size() < expected_size) return std::nullopt;
+
+  size_t offset = 0;
+
+  // 1. Extract c_tilde
+  std::copy(sigma.begin() + offset, sigma.begin() + offset + C_TILDE_BYTES,
+            sig.c_tilde.begin());
+  offset += C_TILDE_BYTES;
+
+  // 2. Extract z_i
+  // gamma1 = 131072, a = gamma1 - 1, b = gamma1. c = 18.
+  size_t z_bytes = 32 * 18;
+  for (size_t i = 0; i < L; ++i) {
+    std::vector<uint8_t> v(sigma.begin() + offset,
+                           sigma.begin() + offset + z_bytes);
+    auto maybe_z = BitUnpack(v, GAMMA_1 - 1, GAMMA_1);
+    if (!maybe_z.has_value()) return std::nullopt;
+    sig.z[i] = maybe_z.value();
+    offset += z_bytes;
+  }
+
+  // 3. Extract h
+  std::vector<uint8_t> y(sigma.begin() + offset,
+                         sigma.begin() + offset + OMEGA + K);
+  auto maybe_h = HintBitUnpack(y);
+  if (!maybe_h.has_value()) return std::nullopt;
+  sig.h = maybe_h.value();
+  offset += OMEGA + K;
+
+  return sig;
+}
+
+// Algorithm 18 SimpleBitUnpack(v, b)
+// Extracts coefficients from a byte array. For ML-DSA-44 b = 1023 (10 bits).
+Rq SimpleBitUnpack(const std::vector<uint8_t>& v, uint32_t b) {
+  Rq w;
+  uint32_t c = 10;  // Only supporting ML-DSA-44 specific c
+  check(v.size() == 32 * c, "SimpleBitUnpack input size mismatch");
+
+  // Extract 10 bits at a time
+  for (size_t i = 0; i < N; ++i) {
+    size_t bit_offset = i * c;
+    size_t byte_offset = bit_offset / 8;
+    size_t shift = bit_offset % 8;
+
+    uint32_t val = 0;
+    // We need 10 bits. This will touch at most 2 bytes.
+    for (size_t k = 0; k < 2 && byte_offset + k < v.size(); ++k) {
+      val |= (static_cast<uint32_t>(v[byte_offset + k]) << (8 * k));
+    }
+
+    val >>= shift;
+    val &= ((1 << c) - 1);  // Mask out 10 bits
+
+    w[i] = Fq.of_scalar(val);
+  }
+  return w;
+}
+
+// Algorithm 23 pkDecode(pk)
+// Reverses the procedure pkEncode, expanding rho to a_hat and unpacking t1.
+PublicKey pkDecode(const std::vector<uint8_t>& pk) {
+  PublicKey pub_key;
+
+  // pk is 32 + 32 * K * c bytes where c = 10 for ML-DSA-44
+  size_t expected_size = 32 + 32 * K * 10;
+  check(pk.size() >= expected_size, "pkDecode public key too short");
+
+  size_t offset = 0;
+
+  // 1. Extract rho
+  std::vector<uint8_t> rho(pk.begin() + offset, pk.begin() + offset + 32);
+  offset += 32;
+
+  // 2. Expand a_hat from rho
+  pub_key.a_hat = ExpandA(rho);
+
+  // 3. Extract t1
+  size_t t1_bytes = 32 * 10;
+  for (size_t i = 0; i < K; ++i) {
+    std::vector<uint8_t> v(pk.begin() + offset, pk.begin() + offset + t1_bytes);
+    pub_key.t1[i] = SimpleBitUnpack(v, 1023);
+    offset += t1_bytes;
+  }
+
+  // 4. Compute tr = SHAKE256(pk, 64)
+  H(pk, pub_key.tr);
+
+  return pub_key;
+}
+
+// Algorithm 18 SimpleBitPack(w, b)
+std::vector<uint8_t> SimpleBitPack(const Rq& w, uint32_t b) {
+  // Determine bitlen
+  uint32_t bitlen = 0;
+  uint32_t val = b;
+  while (val > 0) {
+    bitlen++;
+    val >>= 1;
+  }
+  if (b == 0) bitlen = 1;
+
+  // Total bits = 256 * bitlen
+  // Total bytes = ceil(Total bits / 8)
+  size_t total_bits = 256 * bitlen;
+  size_t total_bytes = (total_bits + 7) / 8;
+  std::vector<uint8_t> z(total_bytes, 0);
+
+  size_t current_bit = 0;
+  for (size_t i = 0; i < N; ++i) {
+    // Assuming w[i] is already reduced and positive.
+    // Use Fq.from_montgomery(w[i]) to get canonical representation.
+    uint64_t wi_long = Fq.from_montgomery(w[i]).limb_[0];
+    uint32_t wi = static_cast<uint32_t>(wi_long);
+
+    // Should verify wi <= b, but input assumes it is.
+
+    for (size_t k = 0; k < bitlen; ++k) {
+      if ((wi >> k) & 1) {
+        size_t byte_idx = current_bit / 8;
+        size_t bit_idx = current_bit % 8;
+        z[byte_idx] |= (1 << bit_idx);
+      }
+      current_bit++;
+    }
+  }
+  return z;
+}
+
+std::array<uint8_t, K * 192> w1Encode(const std::array<Rq, K>& w1) {
+  std::array<uint8_t, K * 192> w1_tilde;
+  // (q-1)/(2*gamma2) - 1 = 8380416 / 190464 - 1 = 43
+  constexpr uint32_t b = 43;
+
+  size_t offset = 0;
+  for (size_t i = 0; i < K; ++i) {
+    std::vector<uint8_t> packed = SimpleBitPack(w1[i], b);
+    std::copy(packed.begin(), packed.end(), w1_tilde.begin() + offset);
+    offset += packed.size();
+  }
+  return w1_tilde;
+}
+
+std::vector<uint8_t> preprocess_message(const std::vector<uint8_t>& msg,
+                                        const std::vector<uint8_t>& ctx) {
+  std::vector<uint8_t> res;
+  res.reserve(2 + ctx.size() + msg.size());
+  res.push_back(0);
+  res.push_back(ctx.size());
+  res.insert(res.end(), ctx.begin(), ctx.end());
+  res.insert(res.end(), msg.begin(), msg.end());
+  return res;
+}
+
+}  // namespace ml_dsa
+}  // namespace proofs

data/vendor/longfellow-zk/lib/circuits/tests/pq/ml_dsa/ml_dsa_ref.h

@@ -0,0 +1,150 @@
+// Copyright 2026 Google LLC.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_PQ_ML_DSA_ML_DSA_REF_H_
+#define PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_PQ_ML_DSA_ML_DSA_REF_H_
+
+#include <array>
+#include <cstddef>
+#include <cstdint>
+#include <optional>
+#include <utility>
+#include <vector>
+
+#include "circuits/tests/pq/ml_dsa/ml_dsa_44_types.h"
+#include "circuits/tests/sha3/sha3_reference.h"
+
+// ----------------------------------------------------------------------------
+//
+// !!!!! DO NOT USE IN PRODUCTION !!!!!
+//
+// This ML-DSA circuit is an experimental implementation for research purposes.
+// It has not been fully vetted and is not recommended for production use cases
+// at this time.
+//
+// ML-DSA is specified in
+//
+//      FIPS 204
+//      Federal Information Processing Standards Publication
+//      Module-Lattice-Based Digital
+//      Signature Standard
+//      https://csrc.nist.gov/pubs/fips/204/final
+//
+// ----------------------------------------------------------------------------
+
+namespace proofs {
+namespace ml_dsa {
+
+// Defined as SHAKE256(str, 8 * len) bits
+template <size_t N>
+void H(const std::vector<uint8_t>& in, std::array<uint8_t, N>& out) {
+  Sha3Reference::shake256Hash(in.data(), in.size(), out.data(), out.size());
+}
+
+// Defined as SHAKE128(str, 8 * len) bits
+void G(const std::vector<uint8_t>& in, size_t len, std::vector<uint8_t>& out);
+
+Rq mulf(Rq a, const Rq& b);
+Rq addf(Rq a, const Rq& b);
+Rq subf(Rq a, const Rq& b);
+Rq scalef(Rq a, const Elt& s);
+
+// Inplace versions of
+// Algorithm 41 NTT(𝑤)
+// Algorithm 42 NTT−1(𝑤)̂
+void Ntt(Rq& a);
+void InvNtt(Rq& a);
+
+// Algorithm 30 RejNTTPoly(𝜌)
+// Samples a polynomial in T_q.
+Rq RejNTTPoly(const std::vector<uint8_t>& rho, size_t num_blocks);
+
+// Algorithm 29 SampleInBall(rho)
+// Samples a polynomial c in R with coefficients from {-1, 0, 1} and Hamming
+// weight tau.
+Rq SampleInBall(const std::array<uint8_t, 32>& rho);
+
+// Algorithm 32 ExpandA(rho)
+// Samples a K x L matrix A_hat of elements of T_q.
+// Input: A seed rho (32 bytes).
+// Output: Matrix A_hat in (T_q)^(K x L).
+MatrixA ExpandA(const std::vector<uint8_t>& rho);
+
+// Algorithm 36 Decompose(r)
+// Decomposes r into (r1, r0) such that r = r1*(2*gamma2) + r0 mod q
+std::pair<int32_t, int32_t> Decompose(int32_t r);
+
+// Algorithm 40 UseHint(h, r)
+// Returns the high bits of r adjusted according to hint h.
+// Input: Boolean h, r in Z_q.
+// Output: r1 in Z with 0 <= r1 <= (q-1)/(2*gamma2).
+uint32_t UseHint(bool h, int32_t r);
+
+// Algorithm 19 BitUnpack(v, a, b)
+// Reverses the procedure BitPack. For ML-DSA-44, used for unpacking z with b =
+// gamma1
+std::optional<Rq> BitUnpack(const std::vector<uint8_t>& v, uint32_t a,
+                            uint32_t b);
+
+// Algorithm 21 HintBitUnpack(y)
+// Reverses the procedure HintBitPack.
+std::optional<std::array<std::array<bool, N>, K>> HintBitUnpack(
+    const std::vector<uint8_t>& y);
+
+// Struct to hold expanded ML-DSA-44 public key elements
+struct PublicKey {
+  MatrixA a_hat;
+  std::array<Rq, K> t1;
+  std::array<uint8_t, 64> tr;
+};
+
+// Struct to hold ML-DSA-44 signature elements
+struct Signature {
+  std::array<uint8_t, 32> c_tilde;
+  std::array<Rq, L> z;
+  std::array<std::array<bool, N>, K> h;
+};
+
+// Algorithm 27 sigDecode(sigma)
+// Reverses the procedure sigEncode.
+std::optional<Signature> sigDecode(const std::vector<uint8_t>& sigma);
+
+// Algorithm 18 SimpleBitUnpack(v, b)
+// Extracts coefficients from a byte array. For ML-DSA-44 b = 1023 (10 bits).
+Rq SimpleBitUnpack(const std::vector<uint8_t>& v, uint32_t b);
+
+// Algorithm 23 pkDecode(pk)
+// Reverses the procedure pkEncode, expanding rho to a_hat and unpacking t1.
+PublicKey pkDecode(const std::vector<uint8_t>& pk);
+
+// Algorithm 18 SimpleBitPack(w, b)
+// Packs coefficients into a byte array. For ML-DSA-44 w1Encode, b = 43 (6
+// bits).
+std::vector<uint8_t> SimpleBitPack(const Rq& w, uint32_t b);
+
+// Algorithm 28 w1Encode(w1)
+// Encodes a polynomial vector w1 into a byte string.
+// Input: w1 in R_q^k with coefficients in [0, (q-1)/(2*gamma2) - 1].
+// Output: A byte string representation w1_tilde.
+std::array<uint8_t, K * 192> w1Encode(const std::array<Rq, K>& w1);
+
+// Preprocesses the message by binding the context to it:
+// M' = 0x00 || |ctx| || ctx || msg
+std::vector<uint8_t> preprocess_message(const std::vector<uint8_t>& msg,
+                                        const std::vector<uint8_t>& ctx);
+
+}  // namespace ml_dsa
+}  // namespace proofs
+
+#endif  // PRIVACY_PROOFS_ZK_LIB_CIRCUITS_TESTS_PQ_ML_DSA_ML_DSA_REF_H_