ml_dsa 0.1.0

data/ext/ml_dsa/fips202.h

@@ -0,0 +1,166 @@
+#ifndef FIPS202_H
+#define FIPS202_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+#define SHA3_256_RATE 136
+#define SHA3_384_RATE 104
+#define SHA3_512_RATE 72
+
+#define PQC_SHAKEINCCTX_BYTES (sizeof(uint64_t)*26)
+#define PQC_SHAKECTX_BYTES (sizeof(uint64_t)*25)
+
+// Context for incremental API
+typedef struct {
+    uint64_t *ctx;
+} shake128incctx;
+
+// Context for non-incremental API
+typedef struct {
+    uint64_t *ctx;
+} shake128ctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t *ctx;
+} shake256incctx;
+
+// Context for non-incremental API
+typedef struct {
+    uint64_t *ctx;
+} shake256ctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t *ctx;
+} sha3_256incctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t *ctx;
+} sha3_384incctx;
+
+// Context for incremental API
+typedef struct {
+    uint64_t *ctx;
+} sha3_512incctx;
+
+/* Initialize the state and absorb the provided input.
+ *
+ * This function does not support being called multiple times
+ * with the same state.
+ */
+void shake128_absorb(shake128ctx *state, const uint8_t *input, size_t inlen);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake128_squeezeblocks(uint8_t *output, size_t nblocks, shake128ctx *state);
+/* Free the state */
+void shake128_ctx_release(shake128ctx *state);
+/* Copy the state. */
+void shake128_ctx_clone(shake128ctx *dest, const shake128ctx *src);
+
+/* Initialize incremental hashing API */
+void shake128_inc_init(shake128incctx *state);
+/* Absorb more information into the XOF.
+ *
+ * Can be called multiple times.
+ */
+void shake128_inc_absorb(shake128incctx *state, const uint8_t *input, size_t inlen);
+/* Finalize the XOF for squeezing */
+void shake128_inc_finalize(shake128incctx *state);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake128_inc_squeeze(uint8_t *output, size_t outlen, shake128incctx *state);
+/* Copy the context of the SHAKE128 XOF */
+void shake128_inc_ctx_clone(shake128incctx *dest, const shake128incctx *src);
+/* Free the context of the SHAKE128 XOF */
+void shake128_inc_ctx_release(shake128incctx *state);
+
+/* Initialize the state and absorb the provided input.
+ *
+ * This function does not support being called multiple times
+ * with the same state.
+ */
+void shake256_absorb(shake256ctx *state, const uint8_t *input, size_t inlen);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake256_squeezeblocks(uint8_t *output, size_t nblocks, shake256ctx *state);
+/* Free the context held by this XOF */
+void shake256_ctx_release(shake256ctx *state);
+/* Copy the context held by this XOF */
+void shake256_ctx_clone(shake256ctx *dest, const shake256ctx *src);
+
+/* Initialize incremental hashing API */
+void shake256_inc_init(shake256incctx *state);
+void shake256_inc_absorb(shake256incctx *state, const uint8_t *input, size_t inlen);
+/* Prepares for squeeze phase */
+void shake256_inc_finalize(shake256incctx *state);
+/* Squeeze output out of the sponge.
+ *
+ * Supports being called multiple times
+ */
+void shake256_inc_squeeze(uint8_t *output, size_t outlen, shake256incctx *state);
+/* Copy the state */
+void shake256_inc_ctx_clone(shake256incctx *dest, const shake256incctx *src);
+/* Free the state */
+void shake256_inc_ctx_release(shake256incctx *state);
+
+/* One-stop SHAKE128 call */
+void shake128(uint8_t *output, size_t outlen,
+              const uint8_t *input, size_t inlen);
+
+/* One-stop SHAKE256 call */
+void shake256(uint8_t *output, size_t outlen,
+              const uint8_t *input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_256_inc_init(sha3_256incctx *state);
+/* Absorb blocks into SHA3 */
+void sha3_256_inc_absorb(sha3_256incctx *state, const uint8_t *input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_256_inc_finalize(uint8_t *output, sha3_256incctx *state);
+/* Copy the context */
+void sha3_256_inc_ctx_clone(sha3_256incctx *dest, const sha3_256incctx *src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_256_inc_ctx_release(sha3_256incctx *state);
+
+void sha3_256(uint8_t *output, const uint8_t *input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_384_inc_init(sha3_384incctx *state);
+/* Absorb blocks into SHA3 */
+void sha3_384_inc_absorb(sha3_384incctx *state, const uint8_t *input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_384_inc_finalize(uint8_t *output, sha3_384incctx *state);
+/* Copy the context */
+void sha3_384_inc_ctx_clone(sha3_384incctx *dest, const sha3_384incctx *src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_384_inc_ctx_release(sha3_384incctx *state);
+
+/* One-stop SHA3-384 shop */
+void sha3_384(uint8_t *output, const uint8_t *input, size_t inlen);
+
+/* Initialize the incremental hashing state */
+void sha3_512_inc_init(sha3_512incctx *state);
+/* Absorb blocks into SHA3 */
+void sha3_512_inc_absorb(sha3_512incctx *state, const uint8_t *input, size_t inlen);
+/* Obtain the output of the function and free `state` */
+void sha3_512_inc_finalize(uint8_t *output, sha3_512incctx *state);
+/* Copy the context */
+void sha3_512_inc_ctx_clone(sha3_512incctx *dest, const sha3_512incctx *src);
+/* Release the state, don't use if `_finalize` has been used */
+void sha3_512_inc_ctx_release(sha3_512incctx *state);
+
+/* One-stop SHA3-512 shop */
+void sha3_512(uint8_t *output, const uint8_t *input, size_t inlen);
+
+#endif

data/ext/ml_dsa/ml-dsa-44/clean/api.h

@@ -0,0 +1,52 @@
+#ifndef PQCLEAN_MLDSA44_CLEAN_API_H
+#define PQCLEAN_MLDSA44_CLEAN_API_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES 1312
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES 2560
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES 2420
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_ALGNAME "ML-DSA-44"
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk,
+        const uint8_t *seed_in);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *sk,
+        const uint8_t *rnd_in);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_ctx(uint8_t *sm, size_t *smlen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *sk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_open_ctx(uint8_t *m, size_t *mlen,
+        const uint8_t *sm, size_t smlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *sk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
+                                      const uint8_t *m, size_t mlen,
+                                      const uint8_t *sk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA44_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
+        const uint8_t *sm, size_t smlen,
+        const uint8_t *pk);
+
+#endif

data/ext/ml_dsa/ml-dsa-44/clean/ntt.c

@@ -0,0 +1,98 @@
+#include "ntt.h"
+#include "params.h"
+#include "reduce.h"
+#include <stdint.h>
+
+static const int32_t zetas[N] = {
+    0,    25847, -2608894, -518909,   237124, -777960, -876248,   466468,
+    1826347,  2353451, -359251, -2091905,  3119733, -2884855,  3111497,  2680103,
+    2725464,  1024112, -1079900,  3585928, -549488, -1119584,  2619752, -2108549,
+    -2118186, -3859737, -1399561, -3277672,  1757237, -19422,  4010497,   280005,
+    2706023,    95776,  3077325,  3530437, -1661693, -3592148, -2537516,  3915439,
+    -3861115, -3043716,  3574422, -2867647,  3539968, -300467,  2348700, -539299,
+    -1699267, -1643818,  3505694, -3821735,  3507263, -2140649, -1600420,  3699596,
+    811944,   531354,   954230,  3881043,  3900724, -2556880,  2071892, -2797779,
+    -3930395, -1528703, -3677745, -3041255, -1452451,  3475950,  2176455, -1585221,
+    -1257611,  1939314, -4083598, -1000202, -3190144, -3157330, -3632928,   126922,
+    3412210, -983419,  2147896,  2715295, -2967645, -3693493, -411027, -2477047,
+    -671102, -1228525, -22981, -1308169, -381987,  1349076,  1852771, -1430430,
+    -3343383,   264944,   508951,  3097992,    44288, -1100098,   904516,  3958618,
+    -3724342, -8578,  1653064, -3249728,  2389356, -210977,   759969, -1316856,
+    189548, -3553272,  3159746, -1851402, -2409325, -177440,  1315589,  1341330,
+    1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969,  3839961,
+    2091667,  3407706,  2316500,  3817976, -3342478,  2244091, -2446433, -3562462,
+    266997,  2434439, -1235728,  3513181, -3520352, -3759364, -1197226, -3193378,
+    900702,  1859098,   909542,   819034,   495491, -1613174, -43260, -522500,
+    -655327, -3122442,  2031748,  3207046, -3556995, -525098, -768622, -3595838,
+    342297,   286988, -2437823,  4108315,  3437287, -3342277,  1735879,   203044,
+    2842341,  2691481, -2590150,  1265009,  4055324,  1247620,  2486353,  1595974,
+    -3767016,  1250494,  2635921, -3548272, -2994039,  1869119,  1903435, -1050970,
+    -1333058,  1237275, -3318210, -1430225, -451100,  1312455,  3306115, -1962642,
+    -1279661,  1917081, -2546312, -1374803,  1500165,   777191,  2235880,  3406031,
+    -542412, -2831860, -1671176, -1846953, -2584293, -3724270,   594136, -3776993,
+    -2013608,  2432395,  2454455, -164721,  1957272,  3369112,   185531, -1207385,
+    -3183426,   162844,  1616392,  3014001,   810149,  1652634, -3694233, -1799107,
+    -3038916,  3523897,  3866901,   269760,  2213111, -975884,  1717735,   472078,
+    -426683,  1723600, -1803090,  1910376, -1667432, -1104333, -260646, -3833893,
+    -2939036, -2235985, -420899, -2286327,   183443, -976891,  1612842, -3545687,
+    -554416,  3919660, -48306, -1362209,  3937738,  1400424, -846154,  1976782
+};
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_ntt
+*
+* Description: Forward NTT, in-place. No modular reduction is performed after
+*              additions or subtractions. Output vector is in bitreversed order.
+*
+* Arguments:   - uint32_t p[N]: input/output coefficient array
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_ntt(int32_t a[N]) {
+    unsigned int len, start, j, k;
+    int32_t zeta, t;
+
+    k = 0;
+    for (len = 128; len > 0; len >>= 1) {
+        for (start = 0; start < N; start = j + len) {
+            zeta = zetas[++k];
+            for (j = start; j < start + len; ++j) {
+                t = PQCLEAN_MLDSA44_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
+                a[j + len] = a[j] - t;
+                a[j] = a[j] + t;
+            }
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_invntt_tomont
+*
+* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
+*              In-place. No modular reductions after additions or
+*              subtractions; input coefficients need to be smaller than
+*              Q in absolute value. Output coefficient are smaller than Q in
+*              absolute value.
+*
+* Arguments:   - uint32_t p[N]: input/output coefficient array
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_invntt_tomont(int32_t a[N]) {
+    unsigned int start, len, j, k;
+    int32_t t, zeta;
+    const int32_t f = 41978; // mont^2/256
+
+    k = 256;
+    for (len = 1; len < N; len <<= 1) {
+        for (start = 0; start < N; start = j + len) {
+            zeta = -zetas[--k];
+            for (j = start; j < start + len; ++j) {
+                t = a[j];
+                a[j] = t + a[j + len];
+                a[j + len] = t - a[j + len];
+                a[j + len] = PQCLEAN_MLDSA44_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
+            }
+        }
+    }
+
+    for (j = 0; j < N; ++j) {
+        a[j] = PQCLEAN_MLDSA44_CLEAN_montgomery_reduce((int64_t)f * a[j]);
+    }
+}

data/ext/ml_dsa/ml-dsa-44/clean/ntt.h

@@ -0,0 +1,10 @@
+#ifndef PQCLEAN_MLDSA44_CLEAN_NTT_H
+#define PQCLEAN_MLDSA44_CLEAN_NTT_H
+#include "params.h"
+#include <stdint.h>
+
+void PQCLEAN_MLDSA44_CLEAN_ntt(int32_t a[N]);
+
+void PQCLEAN_MLDSA44_CLEAN_invntt_tomont(int32_t a[N]);
+
+#endif

data/ext/ml_dsa/ml-dsa-44/clean/packing.c

@@ -0,0 +1,261 @@
+#include "packing.h"
+#include "params.h"
+#include "poly.h"
+#include "polyvec.h"
+
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_pack_pk
+*
+* Description: Bit-pack public key pk = (rho, t1).
+*
+* Arguments:   - uint8_t pk[]: output byte array
+*              - const uint8_t rho[]: byte array containing rho
+*              - const polyveck *t1: pointer to vector t1
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_pack_pk(uint8_t pk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const polyveck *t1) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        pk[i] = rho[i];
+    }
+    pk += SEEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_unpack_pk
+*
+* Description: Unpack public key pk = (rho, t1).
+*
+* Arguments:   - const uint8_t rho[]: output byte array for rho
+*              - const polyveck *t1: pointer to output vector t1
+*              - uint8_t pk[]: byte array containing bit-packed pk
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
+                                     polyveck *t1,
+                                     const uint8_t pk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES]) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        rho[i] = pk[i];
+    }
+    pk += SEEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_pack_sk
+*
+* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
+*
+* Arguments:   - uint8_t sk[]: output byte array
+*              - const uint8_t rho[]: byte array containing rho
+*              - const uint8_t tr[]: byte array containing tr
+*              - const uint8_t key[]: byte array containing key
+*              - const polyveck *t0: pointer to vector t0
+*              - const polyvecl *s1: pointer to vector s1
+*              - const polyveck *s2: pointer to vector s2
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_pack_sk(uint8_t sk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const uint8_t tr[TRBYTES],
+                                   const uint8_t key[SEEDBYTES],
+                                   const polyveck *t0,
+                                   const polyvecl *s1,
+                                   const polyveck *s2) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        sk[i] = rho[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        sk[i] = key[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < TRBYTES; ++i) {
+        sk[i] = tr[i];
+    }
+    sk += TRBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
+    }
+    sk += L * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
+    }
+    sk += K * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_unpack_sk
+*
+* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
+*
+* Arguments:   - const uint8_t rho[]: output byte array for rho
+*              - const uint8_t tr[]: output byte array for tr
+*              - const uint8_t key[]: output byte array for key
+*              - const polyveck *t0: pointer to output vector t0
+*              - const polyvecl *s1: pointer to output vector s1
+*              - const polyveck *s2: pointer to output vector s2
+*              - uint8_t sk[]: byte array containing bit-packed sk
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
+                                     uint8_t tr[TRBYTES],
+                                     uint8_t key[SEEDBYTES],
+                                     polyveck *t0,
+                                     polyvecl *s1,
+                                     polyveck *s2,
+                                     const uint8_t sk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES]) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        rho[i] = sk[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        key[i] = sk[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < TRBYTES; ++i) {
+        tr[i] = sk[i];
+    }
+    sk += TRBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
+    }
+    sk += L * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
+    }
+    sk += K * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_pack_sig
+*
+* Description: Bit-pack signature sig = (c, z, h).
+*
+* Arguments:   - uint8_t sig[]: output byte array
+*              - const uint8_t *c: pointer to challenge hash length SEEDBYTES
+*              - const polyvecl *z: pointer to vector z
+*              - const polyveck *h: pointer to hint vector h
+**************************************************/
+void PQCLEAN_MLDSA44_CLEAN_pack_sig(uint8_t sig[PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES],
+                                    const uint8_t c[CTILDEBYTES],
+                                    const polyvecl *z,
+                                    const polyveck *h) {
+    unsigned int i, j, k;
+
+    for (i = 0; i < CTILDEBYTES; ++i) {
+        sig[i] = c[i];
+    }
+    sig += CTILDEBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
+    }
+    sig += L * POLYZ_PACKEDBYTES;
+
+    /* Encode h */
+    for (i = 0; i < OMEGA + K; ++i) {
+        sig[i] = 0;
+    }
+
+    k = 0;
+    for (i = 0; i < K; ++i) {
+        for (j = 0; j < N; ++j) {
+            if (h->vec[i].coeffs[j] != 0) {
+                sig[k++] = (uint8_t) j;
+            }
+        }
+
+        sig[OMEGA + i] = (uint8_t) k;
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA44_CLEAN_unpack_sig
+*
+* Description: Unpack signature sig = (c, z, h).
+*
+* Arguments:   - uint8_t *c: pointer to output challenge hash
+*              - polyvecl *z: pointer to output vector z
+*              - polyveck *h: pointer to output hint vector h
+*              - const uint8_t sig[]: byte array containing
+*                bit-packed signature
+*
+* Returns 1 in case of malformed signature; otherwise 0.
+**************************************************/
+int PQCLEAN_MLDSA44_CLEAN_unpack_sig(uint8_t c[CTILDEBYTES],
+                                     polyvecl *z,
+                                     polyveck *h,
+                                     const uint8_t sig[PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES]) {
+    unsigned int i, j, k;
+
+    for (i = 0; i < CTILDEBYTES; ++i) {
+        c[i] = sig[i];
+    }
+    sig += CTILDEBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA44_CLEAN_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
+    }
+    sig += L * POLYZ_PACKEDBYTES;
+
+    /* Decode h */
+    k = 0;
+    for (i = 0; i < K; ++i) {
+        for (j = 0; j < N; ++j) {
+            h->vec[i].coeffs[j] = 0;
+        }
+
+        if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
+            return 1;
+        }
+
+        for (j = k; j < sig[OMEGA + i]; ++j) {
+            /* Coefficients are ordered for strong unforgeability */
+            if (j > k && sig[j] <= sig[j - 1]) {
+                return 1;
+            }
+            h->vec[i].coeffs[sig[j]] = 1;
+        }
+
+        k = sig[OMEGA + i];
+    }
+
+    /* Extra indices are zero for strong unforgeability */
+    for (j = k; j < OMEGA; ++j) {
+        if (sig[j]) {
+            return 1;
+        }
+    }
+
+    return 0;
+}

data/ext/ml_dsa/ml-dsa-44/clean/packing.h

@@ -0,0 +1,31 @@
+#ifndef PQCLEAN_MLDSA44_CLEAN_PACKING_H
+#define PQCLEAN_MLDSA44_CLEAN_PACKING_H
+#include "params.h"
+#include "polyvec.h"
+#include <stdint.h>
+
+void PQCLEAN_MLDSA44_CLEAN_pack_pk(uint8_t pk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
+
+void PQCLEAN_MLDSA44_CLEAN_pack_sk(uint8_t sk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const uint8_t tr[TRBYTES],
+                                   const uint8_t key[SEEDBYTES],
+                                   const polyveck *t0,
+                                   const polyvecl *s1,
+                                   const polyveck *s2);
+
+void PQCLEAN_MLDSA44_CLEAN_pack_sig(uint8_t sig[PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
+
+void PQCLEAN_MLDSA44_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES]);
+
+void PQCLEAN_MLDSA44_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
+                                     uint8_t tr[TRBYTES],
+                                     uint8_t key[SEEDBYTES],
+                                     polyveck *t0,
+                                     polyvecl *s1,
+                                     polyveck *s2,
+                                     const uint8_t sk[PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES]);
+
+int PQCLEAN_MLDSA44_CLEAN_unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES]);
+
+#endif

data/ext/ml_dsa/ml-dsa-44/clean/params.h

@@ -0,0 +1,44 @@
+#ifndef PQCLEAN_MLDSA44_CLEAN_PARAMS_H
+#define PQCLEAN_MLDSA44_CLEAN_PARAMS_H
+
+
+
+#define SEEDBYTES 32
+#define CRHBYTES 64
+#define TRBYTES 64
+#define RNDBYTES 32
+#define N 256
+#define Q 8380417
+#define D 13
+#define ROOT_OF_UNITY 1753
+
+#define K 4
+#define L 4
+#define ETA 2
+#define TAU 39
+#define BETA 78
+#define GAMMA1 (1 << 17)
+#define GAMMA2 ((Q-1)/88)
+#define OMEGA 80
+#define CTILDEBYTES 32
+
+
+#define POLYT1_PACKEDBYTES  320
+#define POLYT0_PACKEDBYTES  416
+#define POLYVECH_PACKEDBYTES (OMEGA + K)
+
+#define POLYZ_PACKEDBYTES   576
+
+#define POLYW1_PACKEDBYTES  192
+
+#define POLYETA_PACKEDBYTES  96
+
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES (2*SEEDBYTES \
+        + TRBYTES \
+        + L*POLYETA_PACKEDBYTES \
+        + K*POLYETA_PACKEDBYTES \
+        + K*POLYT0_PACKEDBYTES)
+#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES (CTILDEBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
+
+#endif