ml_dsa 0.1.0

data/ext/ml_dsa/ml-dsa-87/clean/poly.h

@@ -0,0 +1,52 @@
+#ifndef PQCLEAN_MLDSA87_CLEAN_POLY_H
+#define PQCLEAN_MLDSA87_CLEAN_POLY_H
+#include "params.h"
+#include <stdint.h>
+
+typedef struct {
+    int32_t coeffs[N];
+} poly;
+
+void PQCLEAN_MLDSA87_CLEAN_poly_reduce(poly *a);
+void PQCLEAN_MLDSA87_CLEAN_poly_caddq(poly *a);
+
+void PQCLEAN_MLDSA87_CLEAN_poly_add(poly *c, const poly *a, const poly *b);
+void PQCLEAN_MLDSA87_CLEAN_poly_sub(poly *c, const poly *a, const poly *b);
+void PQCLEAN_MLDSA87_CLEAN_poly_shiftl(poly *a);
+
+void PQCLEAN_MLDSA87_CLEAN_poly_ntt(poly *a);
+void PQCLEAN_MLDSA87_CLEAN_poly_invntt_tomont(poly *a);
+void PQCLEAN_MLDSA87_CLEAN_poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
+
+void PQCLEAN_MLDSA87_CLEAN_poly_power2round(poly *a1, poly *a0, const poly *a);
+void PQCLEAN_MLDSA87_CLEAN_poly_decompose(poly *a1, poly *a0, const poly *a);
+unsigned int PQCLEAN_MLDSA87_CLEAN_poly_make_hint(poly *h, const poly *a0, const poly *a1);
+void PQCLEAN_MLDSA87_CLEAN_poly_use_hint(poly *b, const poly *a, const poly *h);
+
+int PQCLEAN_MLDSA87_CLEAN_poly_chknorm(const poly *a, int32_t B);
+void PQCLEAN_MLDSA87_CLEAN_poly_uniform(poly *a,
+                                        const uint8_t seed[SEEDBYTES],
+                                        uint16_t nonce);
+void PQCLEAN_MLDSA87_CLEAN_poly_uniform_eta(poly *a,
+        const uint8_t seed[CRHBYTES],
+        uint16_t nonce);
+void PQCLEAN_MLDSA87_CLEAN_poly_uniform_gamma1(poly *a,
+        const uint8_t seed[CRHBYTES],
+        uint16_t nonce);
+void PQCLEAN_MLDSA87_CLEAN_poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]);
+
+void PQCLEAN_MLDSA87_CLEAN_polyeta_pack(uint8_t *r, const poly *a);
+void PQCLEAN_MLDSA87_CLEAN_polyeta_unpack(poly *r, const uint8_t *a);
+
+void PQCLEAN_MLDSA87_CLEAN_polyt1_pack(uint8_t *r, const poly *a);
+void PQCLEAN_MLDSA87_CLEAN_polyt1_unpack(poly *r, const uint8_t *a);
+
+void PQCLEAN_MLDSA87_CLEAN_polyt0_pack(uint8_t *r, const poly *a);
+void PQCLEAN_MLDSA87_CLEAN_polyt0_unpack(poly *r, const uint8_t *a);
+
+void PQCLEAN_MLDSA87_CLEAN_polyz_pack(uint8_t *r, const poly *a);
+void PQCLEAN_MLDSA87_CLEAN_polyz_unpack(poly *r, const uint8_t *a);
+
+void PQCLEAN_MLDSA87_CLEAN_polyw1_pack(uint8_t *r, const poly *a);
+
+#endif

data/ext/ml_dsa/ml-dsa-87/clean/polyvec.c

@@ -0,0 +1,415 @@
+#include "params.h"
+#include "poly.h"
+#include "polyvec.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        expand_mat
+*
+* Description: Implementation of ExpandA. Generates matrix A with uniformly
+*              random coefficients a_{i,j} by performing rejection
+*              sampling on the output stream of SHAKE128(rho|j|i)
+*
+* Arguments:   - polyvecl mat[K]: output matrix
+*              - const uint8_t rho[]: byte array containing seed rho
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
+    unsigned int i, j;
+
+    for (i = 0; i < K; ++i) {
+        for (j = 0; j < L; ++j) {
+            PQCLEAN_MLDSA87_CLEAN_poly_uniform(&mat[i].vec[j], rho, (uint16_t) ((i << 8) + j));
+        }
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
+    }
+}
+
+/**************************************************************/
+/************ Vectors of polynomials of length L **************/
+/**************************************************************/
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++);
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + i));
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_reduce(polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_reduce(&v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyvecl_add
+*
+* Description: Add vectors of polynomials of length L.
+*              No modular reduction is performed.
+*
+* Arguments:   - polyvecl *w: pointer to output vector
+*              - const polyvecl *u: pointer to first summand
+*              - const polyvecl *v: pointer to second summand
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyvecl_ntt
+*
+* Description: Forward NTT of all polynomials in vector of length L. Output
+*              coefficients can be up to 16*Q larger than input coefficients.
+*
+* Arguments:   - polyvecl *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_ntt(polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_ntt(&v->vec[i]);
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_invntt_tomont(polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_invntt_tomont(&v->vec[i]);
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_acc_montgomery
+*
+* Description: Pointwise multiply vectors of polynomials of length L, multiply
+*              resulting vector by 2^{-32} and add (accumulate) polynomials
+*              in it. Input/output vectors are in NTT domain representation.
+*
+* Arguments:   - poly *w: output polynomial
+*              - const polyvecl *u: pointer to first input vector
+*              - const polyvecl *v: pointer to second input vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w,
+        const polyvecl *u,
+        const polyvecl *v) {
+    unsigned int i;
+    poly t;
+
+    PQCLEAN_MLDSA87_CLEAN_poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]);
+    for (i = 1; i < L; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]);
+        PQCLEAN_MLDSA87_CLEAN_poly_add(w, w, &t);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyvecl_chknorm
+*
+* Description: Check infinity norm of polynomials in vector of length L.
+*              Assumes input polyvecl to be reduced by PQCLEAN_MLDSA87_CLEAN_polyvecl_reduce().
+*
+* Arguments:   - const polyvecl *v: pointer to vector
+*              - int32_t B: norm bound
+*
+* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
+* and 1 otherwise.
+**************************************************/
+int PQCLEAN_MLDSA87_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t bound)  {
+    unsigned int i;
+
+    for (i = 0; i < L; ++i) {
+        if (PQCLEAN_MLDSA87_CLEAN_poly_chknorm(&v->vec[i], bound)) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+/**************************************************************/
+/************ Vectors of polynomials of length K **************/
+/**************************************************************/
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_uniform_eta(&v->vec[i], seed, nonce++);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_reduce
+*
+* Description: Reduce coefficients of polynomials in vector of length K
+*              to representatives in [-6283008,6283008].
+*
+* Arguments:   - polyveck *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_reduce(polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_reduce(&v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_caddq
+*
+* Description: For all coefficients of polynomials in vector of length K
+*              add Q if coefficient is negative.
+*
+* Arguments:   - polyveck *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_caddq(polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_caddq(&v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_add
+*
+* Description: Add vectors of polynomials of length K.
+*              No modular reduction is performed.
+*
+* Arguments:   - polyveck *w: pointer to output vector
+*              - const polyveck *u: pointer to first summand
+*              - const polyveck *v: pointer to second summand
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_sub
+*
+* Description: Subtract vectors of polynomials of length K.
+*              No modular reduction is performed.
+*
+* Arguments:   - polyveck *w: pointer to output vector
+*              - const polyveck *u: pointer to first input vector
+*              - const polyveck *v: pointer to second input vector to be
+*                                   subtracted from first input vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_shiftl
+*
+* Description: Multiply vector of polynomials of Length K by 2^D without modular
+*              reduction. Assumes input coefficients to be less than 2^{31-D}.
+*
+* Arguments:   - polyveck *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_shiftl(polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_shiftl(&v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_ntt
+*
+* Description: Forward NTT of all polynomials in vector of length K. Output
+*              coefficients can be up to 16*Q larger than input coefficients.
+*
+* Arguments:   - polyveck *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_ntt(polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_ntt(&v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_invntt_tomont
+*
+* Description: Inverse NTT and multiplication by 2^{32} of polynomials
+*              in vector of length K. Input coefficients need to be less
+*              than 2*Q.
+*
+* Arguments:   - polyveck *v: pointer to input/output vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_invntt_tomont(polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_invntt_tomont(&v->vec[i]);
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
+    }
+}
+
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_chknorm
+*
+* Description: Check infinity norm of polynomials in vector of length K.
+*              Assumes input polyveck to be reduced by PQCLEAN_MLDSA87_CLEAN_polyveck_reduce().
+*
+* Arguments:   - const polyveck *v: pointer to vector
+*              - int32_t B: norm bound
+*
+* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
+* and 1 otherwise.
+**************************************************/
+int PQCLEAN_MLDSA87_CLEAN_polyveck_chknorm(const polyveck *v, int32_t bound) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        if (PQCLEAN_MLDSA87_CLEAN_poly_chknorm(&v->vec[i], bound)) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_power2round
+*
+* Description: For all coefficients a of polynomials in vector of length K,
+*              compute a0, a1 such that a mod^+ Q = a1*2^D + a0
+*              with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
+*              standard representatives.
+*
+* Arguments:   - polyveck *v1: pointer to output vector of polynomials with
+*                              coefficients a1
+*              - polyveck *v0: pointer to output vector of polynomials with
+*                              coefficients a0
+*              - const polyveck *v: pointer to input vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_decompose
+*
+* Description: For all coefficients a of polynomials in vector of length K,
+*              compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
+*              with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
+*              set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
+*              Assumes coefficients to be standard representatives.
+*
+* Arguments:   - polyveck *v1: pointer to output vector of polynomials with
+*                              coefficients a1
+*              - polyveck *v0: pointer to output vector of polynomials with
+*                              coefficients a0
+*              - const polyveck *v: pointer to input vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_make_hint
+*
+* Description: Compute hint vector.
+*
+* Arguments:   - polyveck *h: pointer to output vector
+*              - const polyveck *v0: pointer to low part of input vector
+*              - const polyveck *v1: pointer to high part of input vector
+*
+* Returns number of 1 bits.
+**************************************************/
+unsigned int PQCLEAN_MLDSA87_CLEAN_polyveck_make_hint(polyveck *h,
+        const polyveck *v0,
+        const polyveck *v1) {
+    unsigned int i, s = 0;
+
+    for (i = 0; i < K; ++i) {
+        s += PQCLEAN_MLDSA87_CLEAN_poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
+    }
+
+    return s;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_polyveck_use_hint
+*
+* Description: Use hint vector to correct the high bits of input vector.
+*
+* Arguments:   - polyveck *w: pointer to output vector of polynomials with
+*                             corrected high bits
+*              - const polyveck *u: pointer to input vector
+*              - const polyveck *h: pointer to input hint vector
+**************************************************/
+void PQCLEAN_MLDSA87_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_poly_use_hint(&w->vec[i], &v->vec[i], &h->vec[i]);
+    }
+}
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) {
+    unsigned int i;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA87_CLEAN_polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]);
+    }
+}

data/ext/ml_dsa/ml-dsa-87/clean/polyvec.h

@@ -0,0 +1,65 @@
+#ifndef PQCLEAN_MLDSA87_CLEAN_POLYVEC_H
+#define PQCLEAN_MLDSA87_CLEAN_POLYVEC_H
+#include "params.h"
+#include "poly.h"
+#include <stdint.h>
+
+/* Vectors of polynomials of length L */
+typedef struct {
+    poly vec[L];
+} polyvecl;
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_reduce(polyvecl *v);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_ntt(polyvecl *v);
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_invntt_tomont(polyvecl *v);
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
+void PQCLEAN_MLDSA87_CLEAN_polyvecl_pointwise_acc_montgomery(poly *w,
+        const polyvecl *u,
+        const polyvecl *v);
+
+
+int PQCLEAN_MLDSA87_CLEAN_polyvecl_chknorm(const polyvecl *v, int32_t B);
+
+
+
+/* Vectors of polynomials of length K */
+typedef struct {
+    poly vec[K];
+} polyveck;
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_reduce(polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_caddq(polyveck *v);
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_shiftl(polyveck *v);
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_ntt(polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_invntt_tomont(polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
+
+int PQCLEAN_MLDSA87_CLEAN_polyveck_chknorm(const polyveck *v, int32_t B);
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
+unsigned int PQCLEAN_MLDSA87_CLEAN_polyveck_make_hint(polyveck *h,
+        const polyveck *v0,
+        const polyveck *v1);
+void PQCLEAN_MLDSA87_CLEAN_polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
+
+void PQCLEAN_MLDSA87_CLEAN_polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
+
+void PQCLEAN_MLDSA87_CLEAN_polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
+
+#endif

data/ext/ml_dsa/ml-dsa-87/clean/reduce.c

@@ -0,0 +1,69 @@
+#include "params.h"
+#include "reduce.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_montgomery_reduce
+*
+* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
+*              compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
+*
+* Arguments:   - int64_t: finite field element a
+*
+* Returns r.
+**************************************************/
+int32_t PQCLEAN_MLDSA87_CLEAN_montgomery_reduce(int64_t a) {
+    int32_t t;
+
+    t = (int32_t)((uint64_t)a * (uint64_t)QINV);
+    t = (a - (int64_t)t * Q) >> 32;
+    return t;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_reduce32
+*
+* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
+*              compute r \equiv a (mod Q) such that -6283008 <= r <= 6283008.
+*
+* Arguments:   - int32_t: finite field element a
+*
+* Returns r.
+**************************************************/
+int32_t PQCLEAN_MLDSA87_CLEAN_reduce32(int32_t a) {
+    int32_t t;
+
+    t = (a + (1 << 22)) >> 23;
+    t = a - t * Q;
+    return t;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_caddq
+*
+* Description: Add Q if input coefficient is negative.
+*
+* Arguments:   - int32_t: finite field element a
+*
+* Returns r.
+**************************************************/
+int32_t PQCLEAN_MLDSA87_CLEAN_caddq(int32_t a) {
+    a += (a >> 31) & Q;
+    return a;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA87_CLEAN_freeze
+*
+* Description: For finite field element a, compute standard
+*              representative r = a mod^+ Q.
+*
+* Arguments:   - int32_t: finite field element a
+*
+* Returns r.
+**************************************************/
+int32_t PQCLEAN_MLDSA87_CLEAN_freeze(int32_t a) {
+    a = PQCLEAN_MLDSA87_CLEAN_reduce32(a);
+    a = PQCLEAN_MLDSA87_CLEAN_caddq(a);
+    return a;
+}

data/ext/ml_dsa/ml-dsa-87/clean/reduce.h

@@ -0,0 +1,17 @@
+#ifndef PQCLEAN_MLDSA87_CLEAN_REDUCE_H
+#define PQCLEAN_MLDSA87_CLEAN_REDUCE_H
+#include "params.h"
+#include <stdint.h>
+
+#define MONT (-4186625) // 2^32 % Q
+#define QINV 58728449 // q^(-1) mod 2^32
+
+int32_t PQCLEAN_MLDSA87_CLEAN_montgomery_reduce(int64_t a);
+
+int32_t PQCLEAN_MLDSA87_CLEAN_reduce32(int32_t a);
+
+int32_t PQCLEAN_MLDSA87_CLEAN_caddq(int32_t a);
+
+int32_t PQCLEAN_MLDSA87_CLEAN_freeze(int32_t a);
+
+#endif