ml_dsa 0.1.0

data/ext/ml_dsa/fips202.c

@@ -0,0 +1,933 @@
+/* Based on the public domain implementation in
+ * crypto_hash/keccakc512/simple/ from http://bench.cr.yp.to/supercop.html
+ * by Ronny Van Keer
+ * and the public domain "TweetFips202" implementation
+ * from https://twitter.com/tweetfips202
+ * by Gilles Van Assche, Daniel J. Bernstein, and Peter Schwabe
+ *
+ * NOTE (ml_dsa gem): This is a vendored PQClean file.  malloc() failures
+ * in the incremental SHAKE context allocators call exit(111), which is
+ * treated as a fatal, unrecoverable error.  In practice, these allocations
+ * are small (~200 bytes) and OOM is extremely unlikely. */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "fips202.h"
+
+#define NROUNDS 24
+#define ROL(a, offset) (((a) << (offset)) ^ ((a) >> (64 - (offset))))
+
+/*************************************************
+ * Name:        load64
+ *
+ * Description: Load 8 bytes into uint64_t in little-endian order
+ *
+ * Arguments:   - const uint8_t *x: pointer to input byte array
+ *
+ * Returns the loaded 64-bit unsigned integer
+ **************************************************/
+static uint64_t load64(const uint8_t *x) {
+    uint64_t r = 0;
+    for (size_t i = 0; i < 8; ++i) {
+        r |= (uint64_t)x[i] << 8 * i;
+    }
+
+    return r;
+}
+
+/*************************************************
+ * Name:        store64
+ *
+ * Description: Store a 64-bit integer to a byte array in little-endian order
+ *
+ * Arguments:   - uint8_t *x: pointer to the output byte array
+ *              - uint64_t u: input 64-bit unsigned integer
+ **************************************************/
+static void store64(uint8_t *x, uint64_t u) {
+    for (size_t i = 0; i < 8; ++i) {
+        x[i] = (uint8_t) (u >> 8 * i);
+    }
+}
+
+/* Keccak round constants */
+static const uint64_t KeccakF_RoundConstants[NROUNDS] = {
+    0x0000000000000001ULL, 0x0000000000008082ULL,
+    0x800000000000808aULL, 0x8000000080008000ULL,
+    0x000000000000808bULL, 0x0000000080000001ULL,
+    0x8000000080008081ULL, 0x8000000000008009ULL,
+    0x000000000000008aULL, 0x0000000000000088ULL,
+    0x0000000080008009ULL, 0x000000008000000aULL,
+    0x000000008000808bULL, 0x800000000000008bULL,
+    0x8000000000008089ULL, 0x8000000000008003ULL,
+    0x8000000000008002ULL, 0x8000000000000080ULL,
+    0x000000000000800aULL, 0x800000008000000aULL,
+    0x8000000080008081ULL, 0x8000000000008080ULL,
+    0x0000000080000001ULL, 0x8000000080008008ULL
+};
+
+/*************************************************
+ * Name:        KeccakF1600_StatePermute
+ *
+ * Description: The Keccak F1600 Permutation
+ *
+ * Arguments:   - uint64_t *state: pointer to input/output Keccak state
+ **************************************************/
+static void KeccakF1600_StatePermute(uint64_t *state) {
+    int round;
+
+    uint64_t Aba, Abe, Abi, Abo, Abu;
+    uint64_t Aga, Age, Agi, Ago, Agu;
+    uint64_t Aka, Ake, Aki, Ako, Aku;
+    uint64_t Ama, Ame, Ami, Amo, Amu;
+    uint64_t Asa, Ase, Asi, Aso, Asu;
+    uint64_t BCa, BCe, BCi, BCo, BCu;
+    uint64_t Da, De, Di, Do, Du;
+    uint64_t Eba, Ebe, Ebi, Ebo, Ebu;
+    uint64_t Ega, Ege, Egi, Ego, Egu;
+    uint64_t Eka, Eke, Eki, Eko, Eku;
+    uint64_t Ema, Eme, Emi, Emo, Emu;
+    uint64_t Esa, Ese, Esi, Eso, Esu;
+
+    // copyFromState(A, state)
+    Aba = state[0];
+    Abe = state[1];
+    Abi = state[2];
+    Abo = state[3];
+    Abu = state[4];
+    Aga = state[5];
+    Age = state[6];
+    Agi = state[7];
+    Ago = state[8];
+    Agu = state[9];
+    Aka = state[10];
+    Ake = state[11];
+    Aki = state[12];
+    Ako = state[13];
+    Aku = state[14];
+    Ama = state[15];
+    Ame = state[16];
+    Ami = state[17];
+    Amo = state[18];
+    Amu = state[19];
+    Asa = state[20];
+    Ase = state[21];
+    Asi = state[22];
+    Aso = state[23];
+    Asu = state[24];
+
+    for (round = 0; round < NROUNDS; round += 2) {
+        //    prepareTheta
+        BCa = Aba ^ Aga ^ Aka ^ Ama ^ Asa;
+        BCe = Abe ^ Age ^ Ake ^ Ame ^ Ase;
+        BCi = Abi ^ Agi ^ Aki ^ Ami ^ Asi;
+        BCo = Abo ^ Ago ^ Ako ^ Amo ^ Aso;
+        BCu = Abu ^ Agu ^ Aku ^ Amu ^ Asu;
+
+        // thetaRhoPiChiIotaPrepareTheta(round  , A, E)
+        Da = BCu ^ ROL(BCe, 1);
+        De = BCa ^ ROL(BCi, 1);
+        Di = BCe ^ ROL(BCo, 1);
+        Do = BCi ^ ROL(BCu, 1);
+        Du = BCo ^ ROL(BCa, 1);
+
+        Aba ^= Da;
+        BCa = Aba;
+        Age ^= De;
+        BCe = ROL(Age, 44);
+        Aki ^= Di;
+        BCi = ROL(Aki, 43);
+        Amo ^= Do;
+        BCo = ROL(Amo, 21);
+        Asu ^= Du;
+        BCu = ROL(Asu, 14);
+        Eba = BCa ^ ((~BCe) & BCi);
+        Eba ^= KeccakF_RoundConstants[round];
+        Ebe = BCe ^ ((~BCi) & BCo);
+        Ebi = BCi ^ ((~BCo) & BCu);
+        Ebo = BCo ^ ((~BCu) & BCa);
+        Ebu = BCu ^ ((~BCa) & BCe);
+
+        Abo ^= Do;
+        BCa = ROL(Abo, 28);
+        Agu ^= Du;
+        BCe = ROL(Agu, 20);
+        Aka ^= Da;
+        BCi = ROL(Aka, 3);
+        Ame ^= De;
+        BCo = ROL(Ame, 45);
+        Asi ^= Di;
+        BCu = ROL(Asi, 61);
+        Ega = BCa ^ ((~BCe) & BCi);
+        Ege = BCe ^ ((~BCi) & BCo);
+        Egi = BCi ^ ((~BCo) & BCu);
+        Ego = BCo ^ ((~BCu) & BCa);
+        Egu = BCu ^ ((~BCa) & BCe);
+
+        Abe ^= De;
+        BCa = ROL(Abe, 1);
+        Agi ^= Di;
+        BCe = ROL(Agi, 6);
+        Ako ^= Do;
+        BCi = ROL(Ako, 25);
+        Amu ^= Du;
+        BCo = ROL(Amu, 8);
+        Asa ^= Da;
+        BCu = ROL(Asa, 18);
+        Eka = BCa ^ ((~BCe) & BCi);
+        Eke = BCe ^ ((~BCi) & BCo);
+        Eki = BCi ^ ((~BCo) & BCu);
+        Eko = BCo ^ ((~BCu) & BCa);
+        Eku = BCu ^ ((~BCa) & BCe);
+
+        Abu ^= Du;
+        BCa = ROL(Abu, 27);
+        Aga ^= Da;
+        BCe = ROL(Aga, 36);
+        Ake ^= De;
+        BCi = ROL(Ake, 10);
+        Ami ^= Di;
+        BCo = ROL(Ami, 15);
+        Aso ^= Do;
+        BCu = ROL(Aso, 56);
+        Ema = BCa ^ ((~BCe) & BCi);
+        Eme = BCe ^ ((~BCi) & BCo);
+        Emi = BCi ^ ((~BCo) & BCu);
+        Emo = BCo ^ ((~BCu) & BCa);
+        Emu = BCu ^ ((~BCa) & BCe);
+
+        Abi ^= Di;
+        BCa = ROL(Abi, 62);
+        Ago ^= Do;
+        BCe = ROL(Ago, 55);
+        Aku ^= Du;
+        BCi = ROL(Aku, 39);
+        Ama ^= Da;
+        BCo = ROL(Ama, 41);
+        Ase ^= De;
+        BCu = ROL(Ase, 2);
+        Esa = BCa ^ ((~BCe) & BCi);
+        Ese = BCe ^ ((~BCi) & BCo);
+        Esi = BCi ^ ((~BCo) & BCu);
+        Eso = BCo ^ ((~BCu) & BCa);
+        Esu = BCu ^ ((~BCa) & BCe);
+
+        //    prepareTheta
+        BCa = Eba ^ Ega ^ Eka ^ Ema ^ Esa;
+        BCe = Ebe ^ Ege ^ Eke ^ Eme ^ Ese;
+        BCi = Ebi ^ Egi ^ Eki ^ Emi ^ Esi;
+        BCo = Ebo ^ Ego ^ Eko ^ Emo ^ Eso;
+        BCu = Ebu ^ Egu ^ Eku ^ Emu ^ Esu;
+
+        // thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
+        Da = BCu ^ ROL(BCe, 1);
+        De = BCa ^ ROL(BCi, 1);
+        Di = BCe ^ ROL(BCo, 1);
+        Do = BCi ^ ROL(BCu, 1);
+        Du = BCo ^ ROL(BCa, 1);
+
+        Eba ^= Da;
+        BCa = Eba;
+        Ege ^= De;
+        BCe = ROL(Ege, 44);
+        Eki ^= Di;
+        BCi = ROL(Eki, 43);
+        Emo ^= Do;
+        BCo = ROL(Emo, 21);
+        Esu ^= Du;
+        BCu = ROL(Esu, 14);
+        Aba = BCa ^ ((~BCe) & BCi);
+        Aba ^= KeccakF_RoundConstants[round + 1];
+        Abe = BCe ^ ((~BCi) & BCo);
+        Abi = BCi ^ ((~BCo) & BCu);
+        Abo = BCo ^ ((~BCu) & BCa);
+        Abu = BCu ^ ((~BCa) & BCe);
+
+        Ebo ^= Do;
+        BCa = ROL(Ebo, 28);
+        Egu ^= Du;
+        BCe = ROL(Egu, 20);
+        Eka ^= Da;
+        BCi = ROL(Eka, 3);
+        Eme ^= De;
+        BCo = ROL(Eme, 45);
+        Esi ^= Di;
+        BCu = ROL(Esi, 61);
+        Aga = BCa ^ ((~BCe) & BCi);
+        Age = BCe ^ ((~BCi) & BCo);
+        Agi = BCi ^ ((~BCo) & BCu);
+        Ago = BCo ^ ((~BCu) & BCa);
+        Agu = BCu ^ ((~BCa) & BCe);
+
+        Ebe ^= De;
+        BCa = ROL(Ebe, 1);
+        Egi ^= Di;
+        BCe = ROL(Egi, 6);
+        Eko ^= Do;
+        BCi = ROL(Eko, 25);
+        Emu ^= Du;
+        BCo = ROL(Emu, 8);
+        Esa ^= Da;
+        BCu = ROL(Esa, 18);
+        Aka = BCa ^ ((~BCe) & BCi);
+        Ake = BCe ^ ((~BCi) & BCo);
+        Aki = BCi ^ ((~BCo) & BCu);
+        Ako = BCo ^ ((~BCu) & BCa);
+        Aku = BCu ^ ((~BCa) & BCe);
+
+        Ebu ^= Du;
+        BCa = ROL(Ebu, 27);
+        Ega ^= Da;
+        BCe = ROL(Ega, 36);
+        Eke ^= De;
+        BCi = ROL(Eke, 10);
+        Emi ^= Di;
+        BCo = ROL(Emi, 15);
+        Eso ^= Do;
+        BCu = ROL(Eso, 56);
+        Ama = BCa ^ ((~BCe) & BCi);
+        Ame = BCe ^ ((~BCi) & BCo);
+        Ami = BCi ^ ((~BCo) & BCu);
+        Amo = BCo ^ ((~BCu) & BCa);
+        Amu = BCu ^ ((~BCa) & BCe);
+
+        Ebi ^= Di;
+        BCa = ROL(Ebi, 62);
+        Ego ^= Do;
+        BCe = ROL(Ego, 55);
+        Eku ^= Du;
+        BCi = ROL(Eku, 39);
+        Ema ^= Da;
+        BCo = ROL(Ema, 41);
+        Ese ^= De;
+        BCu = ROL(Ese, 2);
+        Asa = BCa ^ ((~BCe) & BCi);
+        Ase = BCe ^ ((~BCi) & BCo);
+        Asi = BCi ^ ((~BCo) & BCu);
+        Aso = BCo ^ ((~BCu) & BCa);
+        Asu = BCu ^ ((~BCa) & BCe);
+    }
+
+    // copyToState(state, A)
+    state[0] = Aba;
+    state[1] = Abe;
+    state[2] = Abi;
+    state[3] = Abo;
+    state[4] = Abu;
+    state[5] = Aga;
+    state[6] = Age;
+    state[7] = Agi;
+    state[8] = Ago;
+    state[9] = Agu;
+    state[10] = Aka;
+    state[11] = Ake;
+    state[12] = Aki;
+    state[13] = Ako;
+    state[14] = Aku;
+    state[15] = Ama;
+    state[16] = Ame;
+    state[17] = Ami;
+    state[18] = Amo;
+    state[19] = Amu;
+    state[20] = Asa;
+    state[21] = Ase;
+    state[22] = Asi;
+    state[23] = Aso;
+    state[24] = Asu;
+}
+
+/*************************************************
+ * Name:        keccak_absorb
+ *
+ * Description: Absorb step of Keccak;
+ *              non-incremental, starts by zeroeing the state.
+ *
+ * Arguments:   - uint64_t *s: pointer to (uninitialized) output Keccak state
+ *              - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
+ *              - const uint8_t *m: pointer to input to be absorbed into s
+ *              - size_t mlen: length of input in bytes
+ *              - uint8_t p: domain-separation byte for different
+ *                                 Keccak-derived functions
+ **************************************************/
+static void keccak_absorb(uint64_t *s, uint32_t r, const uint8_t *m,
+                          size_t mlen, uint8_t p) {
+    size_t i;
+    uint8_t t[200];
+
+    /* Zero state */
+    for (i = 0; i < 25; ++i) {
+        s[i] = 0;
+    }
+
+    while (mlen >= r) {
+        for (i = 0; i < r / 8; ++i) {
+            s[i] ^= load64(m + 8 * i);
+        }
+
+        KeccakF1600_StatePermute(s);
+        mlen -= r;
+        m += r;
+    }
+
+    for (i = 0; i < r; ++i) {
+        t[i] = 0;
+    }
+    for (i = 0; i < mlen; ++i) {
+        t[i] = m[i];
+    }
+    t[i] = p;
+    t[r - 1] |= 128;
+    for (i = 0; i < r / 8; ++i) {
+        s[i] ^= load64(t + 8 * i);
+    }
+}
+
+/*************************************************
+ * Name:        keccak_squeezeblocks
+ *
+ * Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
+ *              Modifies the state. Can be called multiple times to keep
+ *              squeezing, i.e., is incremental.
+ *
+ * Arguments:   - uint8_t *h: pointer to output blocks
+ *              - size_t nblocks: number of blocks to be
+ *                                                squeezed (written to h)
+ *              - uint64_t *s: pointer to input/output Keccak state
+ *              - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
+ **************************************************/
+static void keccak_squeezeblocks(uint8_t *h, size_t nblocks,
+                                 uint64_t *s, uint32_t r) {
+    while (nblocks > 0) {
+        KeccakF1600_StatePermute(s);
+        for (size_t i = 0; i < (r >> 3); i++) {
+            store64(h + 8 * i, s[i]);
+        }
+        h += r;
+        nblocks--;
+    }
+}
+
+/*************************************************
+ * Name:        keccak_inc_init
+ *
+ * Description: Initializes the incremental Keccak state to zero.
+ *
+ * Arguments:   - uint64_t *s_inc: pointer to input/output incremental state
+ *                First 25 values represent Keccak state.
+ *                26th value represents either the number of absorbed bytes
+ *                that have not been permuted, or not-yet-squeezed bytes.
+ **************************************************/
+static void keccak_inc_init(uint64_t *s_inc) {
+    size_t i;
+
+    for (i = 0; i < 25; ++i) {
+        s_inc[i] = 0;
+    }
+    s_inc[25] = 0;
+}
+
+/*************************************************
+ * Name:        keccak_inc_absorb
+ *
+ * Description: Incremental keccak absorb
+ *              Preceded by keccak_inc_init, succeeded by keccak_inc_finalize
+ *
+ * Arguments:   - uint64_t *s_inc: pointer to input/output incremental state
+ *                First 25 values represent Keccak state.
+ *                26th value represents either the number of absorbed bytes
+ *                that have not been permuted, or not-yet-squeezed bytes.
+ *              - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
+ *              - const uint8_t *m: pointer to input to be absorbed into s
+ *              - size_t mlen: length of input in bytes
+ **************************************************/
+static void keccak_inc_absorb(uint64_t *s_inc, uint32_t r, const uint8_t *m,
+                              size_t mlen) {
+    size_t i;
+
+    /* Recall that s_inc[25] is the non-absorbed bytes xored into the state */
+    while (mlen + s_inc[25] >= r) {
+        for (i = 0; i < r - (uint32_t)s_inc[25]; i++) {
+            /* Take the i'th byte from message
+               xor with the s_inc[25] + i'th byte of the state; little-endian */
+            s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
+        }
+        mlen -= (size_t)(r - s_inc[25]);
+        m += r - s_inc[25];
+        s_inc[25] = 0;
+
+        KeccakF1600_StatePermute(s_inc);
+    }
+
+    for (i = 0; i < mlen; i++) {
+        s_inc[(s_inc[25] + i) >> 3] ^= (uint64_t)m[i] << (8 * ((s_inc[25] + i) & 0x07));
+    }
+    s_inc[25] += mlen;
+}
+
+/*************************************************
+ * Name:        keccak_inc_finalize
+ *
+ * Description: Finalizes Keccak absorb phase, prepares for squeezing
+ *
+ * Arguments:   - uint64_t *s_inc: pointer to input/output incremental state
+ *                First 25 values represent Keccak state.
+ *                26th value represents either the number of absorbed bytes
+ *                that have not been permuted, or not-yet-squeezed bytes.
+ *              - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
+ *              - uint8_t p: domain-separation byte for different
+ *                                 Keccak-derived functions
+ **************************************************/
+static void keccak_inc_finalize(uint64_t *s_inc, uint32_t r, uint8_t p) {
+    /* After keccak_inc_absorb, we are guaranteed that s_inc[25] < r,
+       so we can always use one more byte for p in the current state. */
+    s_inc[s_inc[25] >> 3] ^= (uint64_t)p << (8 * (s_inc[25] & 0x07));
+    s_inc[(r - 1) >> 3] ^= (uint64_t)128 << (8 * ((r - 1) & 0x07));
+    s_inc[25] = 0;
+}
+
+/*************************************************
+ * Name:        keccak_inc_squeeze
+ *
+ * Description: Incremental Keccak squeeze; can be called on byte-level
+ *
+ * Arguments:   - uint8_t *h: pointer to output bytes
+ *              - size_t outlen: number of bytes to be squeezed
+ *              - uint64_t *s_inc: pointer to input/output incremental state
+ *                First 25 values represent Keccak state.
+ *                26th value represents either the number of absorbed bytes
+ *                that have not been permuted, or not-yet-squeezed bytes.
+ *              - uint32_t r: rate in bytes (e.g., 168 for SHAKE128)
+ **************************************************/
+static void keccak_inc_squeeze(uint8_t *h, size_t outlen,
+                               uint64_t *s_inc, uint32_t r) {
+    size_t i;
+
+    /* First consume any bytes we still have sitting around */
+    for (i = 0; i < outlen && i < s_inc[25]; i++) {
+        /* There are s_inc[25] bytes left, so r - s_inc[25] is the first
+           available byte. We consume from there, i.e., up to r. */
+        h[i] = (uint8_t)(s_inc[(r - s_inc[25] + i) >> 3] >> (8 * ((r - s_inc[25] + i) & 0x07)));
+    }
+    h += i;
+    outlen -= i;
+    s_inc[25] -= i;
+
+    /* Then squeeze the remaining necessary blocks */
+    while (outlen > 0) {
+        KeccakF1600_StatePermute(s_inc);
+
+        for (i = 0; i < outlen && i < r; i++) {
+            h[i] = (uint8_t)(s_inc[i >> 3] >> (8 * (i & 0x07)));
+        }
+        h += i;
+        outlen -= i;
+        s_inc[25] = r - i;
+    }
+}
+
+void shake128_inc_init(shake128incctx *state) {
+    state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_inc_init(state->ctx);
+}
+
+void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen) {
+    keccak_inc_absorb(state->ctx, SHAKE128_RATE, input, inlen);
+}
+
+void shake128_inc_finalize(shake128incctx *state) {
+    keccak_inc_finalize(state->ctx, SHAKE128_RATE, 0x1F);
+}
+
+void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state) {
+    keccak_inc_squeeze(output, outlen, state->ctx, SHAKE128_RATE);
+}
+
+void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src) {
+    dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
+}
+
+void shake128_inc_ctx_release(shake128incctx *state) {
+    free(state->ctx);
+}
+
+void shake256_inc_init(shake256incctx *state) {
+    state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_inc_init(state->ctx);
+}
+
+void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen) {
+    keccak_inc_absorb(state->ctx, SHAKE256_RATE, input, inlen);
+}
+
+void shake256_inc_finalize(shake256incctx *state) {
+    keccak_inc_finalize(state->ctx, SHAKE256_RATE, 0x1F);
+}
+
+void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state) {
+    keccak_inc_squeeze(output, outlen, state->ctx, SHAKE256_RATE);
+}
+
+void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src) {
+    dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
+}
+
+void shake256_inc_ctx_release(shake256incctx *state) {
+    free(state->ctx);
+}
+
+/*************************************************
+ * Name:        shake128_absorb
+ *
+ * Description: Absorb step of the SHAKE128 XOF.
+ *              non-incremental, starts by zeroeing the state.
+ *
+ * Arguments:   - uint64_t *s: pointer to (uninitialized) output Keccak state
+ *              - const uint8_t *input: pointer to input to be absorbed
+ *                                            into s
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen) {
+    state->ctx = malloc(PQC_SHAKECTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_absorb(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
+}
+
+/*************************************************
+ * Name:        shake128_squeezeblocks
+ *
+ * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
+ *              SHAKE128_RATE bytes each. Modifies the state. Can be called
+ *              multiple times to keep squeezing, i.e., is incremental.
+ *
+ * Arguments:   - uint8_t *output: pointer to output blocks
+ *              - size_t nblocks: number of blocks to be squeezed
+ *                                            (written to output)
+ *              - shake128ctx *state: pointer to input/output Keccak state
+ **************************************************/
+void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state) {
+    keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
+}
+
+void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src) {
+    dest->ctx = malloc(PQC_SHAKECTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
+}
+
+/** Release the allocated state. Call only once. */
+void shake128_ctx_release(shake128ctx *state) {
+    free(state->ctx);
+}
+
+/*************************************************
+ * Name:        shake256_absorb
+ *
+ * Description: Absorb step of the SHAKE256 XOF.
+ *              non-incremental, starts by zeroeing the state.
+ *
+ * Arguments:   - shake256ctx *state: pointer to (uninitialized) output Keccak state
+ *              - const uint8_t *input: pointer to input to be absorbed
+ *                                            into s
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen) {
+    state->ctx = malloc(PQC_SHAKECTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_absorb(state->ctx, SHAKE256_RATE, input, inlen, 0x1F);
+}
+
+/*************************************************
+ * Name:        shake256_squeezeblocks
+ *
+ * Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
+ *              SHAKE256_RATE bytes each. Modifies the state. Can be called
+ *              multiple times to keep squeezing, i.e., is incremental.
+ *
+ * Arguments:   - uint8_t *output: pointer to output blocks
+ *              - size_t nblocks: number of blocks to be squeezed
+ *                                (written to output)
+ *              - shake256ctx *state: pointer to input/output Keccak state
+ **************************************************/
+void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state) {
+    keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE256_RATE);
+}
+
+void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src) {
+    dest->ctx = malloc(PQC_SHAKECTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKECTX_BYTES);
+}
+
+/** Release the allocated state. Call only once. */
+void shake256_ctx_release(shake256ctx *state) {
+    free(state->ctx);
+}
+
+/*************************************************
+ * Name:        shake128
+ *
+ * Description: SHAKE128 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *output: pointer to output
+ *              - size_t outlen: requested output length in bytes
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void shake128(uint8_t *output, size_t outlen,
+              const uint8_t *input, size_t inlen) {
+    size_t nblocks = outlen / SHAKE128_RATE;
+    uint8_t t[SHAKE128_RATE];
+    shake128ctx s;
+
+    shake128_absorb(&s, input, inlen);
+    shake128_squeezeblocks(output, nblocks, &s);
+
+    output += nblocks * SHAKE128_RATE;
+    outlen -= nblocks * SHAKE128_RATE;
+
+    if (outlen) {
+        shake128_squeezeblocks(t, 1, &s);
+        for (size_t i = 0; i < outlen; ++i) {
+            output[i] = t[i];
+        }
+    }
+    shake128_ctx_release(&s);
+}
+
+/*************************************************
+ * Name:        shake256
+ *
+ * Description: SHAKE256 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *output: pointer to output
+ *              - size_t outlen: requested output length in bytes
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+void shake256(uint8_t *output, size_t outlen,
+              const uint8_t *input, size_t inlen) {
+    size_t nblocks = outlen / SHAKE256_RATE;
+    uint8_t t[SHAKE256_RATE];
+    shake256ctx s;
+
+    shake256_absorb(&s, input, inlen);
+    shake256_squeezeblocks(output, nblocks, &s);
+
+    output += nblocks * SHAKE256_RATE;
+    outlen -= nblocks * SHAKE256_RATE;
+
+    if (outlen) {
+        shake256_squeezeblocks(t, 1, &s);
+        for (size_t i = 0; i < outlen; ++i) {
+            output[i] = t[i];
+        }
+    }
+    shake256_ctx_release(&s);
+}
+
+void sha3_256_inc_init(sha3_256incctx *state) {
+    state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_inc_init(state->ctx);
+}
+
+void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src) {
+    dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
+}
+
+void sha3_256_inc_ctx_release(sha3_256incctx *state) {
+    free(state->ctx);
+}
+
+void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen) {
+    keccak_inc_absorb(state->ctx, SHA3_256_RATE, input, inlen);
+}
+
+void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state) {
+    uint8_t t[SHA3_256_RATE];
+    keccak_inc_finalize(state->ctx, SHA3_256_RATE, 0x06);
+
+    keccak_squeezeblocks(t, 1, state->ctx, SHA3_256_RATE);
+
+    sha3_256_inc_ctx_release(state);
+
+    for (size_t i = 0; i < 32; i++) {
+        output[i] = t[i];
+    }
+}
+
+/*************************************************
+ * Name:        sha3_256
+ *
+ * Description: SHA3-256 with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:   length of input in bytes
+ **************************************************/
+void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen) {
+    uint64_t s[25];
+    uint8_t t[SHA3_256_RATE];
+
+    /* Absorb input */
+    keccak_absorb(s, SHA3_256_RATE, input, inlen, 0x06);
+
+    /* Squeeze output */
+    keccak_squeezeblocks(t, 1, s, SHA3_256_RATE);
+
+    for (size_t i = 0; i < 32; i++) {
+        output[i] = t[i];
+    }
+}
+
+void sha3_384_inc_init(sha3_384incctx *state) {
+    state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_inc_init(state->ctx);
+}
+
+void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src) {
+    dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
+}
+
+void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen) {
+    keccak_inc_absorb(state->ctx, SHA3_384_RATE, input, inlen);
+}
+
+void sha3_384_inc_ctx_release(sha3_384incctx *state) {
+    free(state->ctx);
+}
+
+void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state) {
+    uint8_t t[SHA3_384_RATE];
+    keccak_inc_finalize(state->ctx, SHA3_384_RATE, 0x06);
+
+    keccak_squeezeblocks(t, 1, state->ctx, SHA3_384_RATE);
+
+    sha3_384_inc_ctx_release(state);
+
+    for (size_t i = 0; i < 48; i++) {
+        output[i] = t[i];
+    }
+}
+
+/*************************************************
+ * Name:        sha3_384
+ *
+ * Description: SHA3-256 with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:   length of input in bytes
+ **************************************************/
+void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen) {
+    uint64_t s[25];
+    uint8_t t[SHA3_384_RATE];
+
+    /* Absorb input */
+    keccak_absorb(s, SHA3_384_RATE, input, inlen, 0x06);
+
+    /* Squeeze output */
+    keccak_squeezeblocks(t, 1, s, SHA3_384_RATE);
+
+    for (size_t i = 0; i < 48; i++) {
+        output[i] = t[i];
+    }
+}
+
+void sha3_512_inc_init(sha3_512incctx *state) {
+    state->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (state->ctx == NULL) {
+        exit(111);
+    }
+    keccak_inc_init(state->ctx);
+}
+
+void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src) {
+    dest->ctx = malloc(PQC_SHAKEINCCTX_BYTES);
+    if (dest->ctx == NULL) {
+        exit(111);
+    }
+    memcpy(dest->ctx, src->ctx, PQC_SHAKEINCCTX_BYTES);
+}
+
+void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen) {
+    keccak_inc_absorb(state->ctx, SHA3_512_RATE, input, inlen);
+}
+
+void sha3_512_inc_ctx_release(sha3_512incctx *state) {
+    free(state->ctx);
+}
+
+void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state) {
+    uint8_t t[SHA3_512_RATE];
+    keccak_inc_finalize(state->ctx, SHA3_512_RATE, 0x06);
+
+    keccak_squeezeblocks(t, 1, state->ctx, SHA3_512_RATE);
+
+    sha3_512_inc_ctx_release(state);
+
+    for (size_t i = 0; i < 64; i++) {
+        output[i] = t[i];
+    }
+}
+
+/*************************************************
+ * Name:        sha3_512
+ *
+ * Description: SHA3-512 with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:   length of input in bytes
+ **************************************************/
+void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen) {
+    uint64_t s[25];
+    uint8_t t[SHA3_512_RATE];
+
+    /* Absorb input */
+    keccak_absorb(s, SHA3_512_RATE, input, inlen, 0x06);
+
+    /* Squeeze output */
+    keccak_squeezeblocks(t, 1, s, SHA3_512_RATE);
+
+    for (size_t i = 0; i < 64; i++) {
+        output[i] = t[i];
+    }
+}