pq_crypto 0.1.0

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/ntt.h

@@ -0,0 +1,14 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_NTT_H
+#define PQCLEAN_MLKEM768_CLEAN_NTT_H
+#include "params.h"
+#include <stdint.h>
+
+extern const int16_t PQCLEAN_MLKEM768_CLEAN_zetas[128];
+
+void PQCLEAN_MLKEM768_CLEAN_ntt(int16_t r[256]);
+
+void PQCLEAN_MLKEM768_CLEAN_invntt(int16_t r[256]);
+
+void PQCLEAN_MLKEM768_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/params.h

@@ -0,0 +1,36 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_PARAMS_H
+#define PQCLEAN_MLKEM768_CLEAN_PARAMS_H
+
+
+
+
+
+/* Don't change parameters below this line */
+
+#define KYBER_N 256
+#define KYBER_Q 3329
+
+#define KYBER_SYMBYTES 32   /* size in bytes of hashes, and seeds */
+#define KYBER_SSBYTES  32   /* size in bytes of shared key */
+
+#define KYBER_POLYBYTES     384
+#define KYBER_POLYVECBYTES  (KYBER_K * KYBER_POLYBYTES)
+
+#define KYBER_K 3
+#define KYBER_ETA1 2
+#define KYBER_POLYCOMPRESSEDBYTES    128
+#define KYBER_POLYVECCOMPRESSEDBYTES (KYBER_K * 320)
+
+#define KYBER_ETA2 2
+
+#define KYBER_INDCPA_MSGBYTES       (KYBER_SYMBYTES)
+#define KYBER_INDCPA_PUBLICKEYBYTES (KYBER_POLYVECBYTES + KYBER_SYMBYTES)
+#define KYBER_INDCPA_SECRETKEYBYTES (KYBER_POLYVECBYTES)
+#define KYBER_INDCPA_BYTES          (KYBER_POLYVECCOMPRESSEDBYTES + KYBER_POLYCOMPRESSEDBYTES)
+
+#define KYBER_PUBLICKEYBYTES  (KYBER_INDCPA_PUBLICKEYBYTES)
+/* 32 bytes of additional space to save H(pk) */
+#define KYBER_SECRETKEYBYTES  (KYBER_INDCPA_SECRETKEYBYTES + KYBER_INDCPA_PUBLICKEYBYTES + 2*KYBER_SYMBYTES)
+#define KYBER_CIPHERTEXTBYTES (KYBER_INDCPA_BYTES)
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/poly.c

@@ -0,0 +1,299 @@
+#include "cbd.h"
+#include "ntt.h"
+#include "params.h"
+#include "poly.h"
+#include "reduce.h"
+#include "symmetric.h"
+#include "verify.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_compress
+*
+* Description: Compression and subsequent serialization of a polynomial
+*
+* Arguments:   - uint8_t *r: pointer to output byte array
+*                            (of length KYBER_POLYCOMPRESSEDBYTES)
+*              - const poly *a: pointer to input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a) {
+    unsigned int i, j;
+    int16_t u;
+    uint32_t d0;
+    uint8_t t[8];
+
+
+    for (i = 0; i < KYBER_N / 8; i++) {
+        for (j = 0; j < 8; j++) {
+            // map to positive standard representatives
+            u  = a->coeffs[8 * i + j];
+            u += (u >> 15) & KYBER_Q;
+            /*    t[j] = ((((uint16_t)u << 4) + KYBER_Q/2)/KYBER_Q) & 15; */
+            d0 = u << 4;
+            d0 += 1665;
+            d0 *= 80635;
+            d0 >>= 28;
+            t[j] = d0 & 0xf;
+        }
+
+        r[0] = t[0] | (t[1] << 4);
+        r[1] = t[2] | (t[3] << 4);
+        r[2] = t[4] | (t[5] << 4);
+        r[3] = t[6] | (t[7] << 4);
+        r += 4;
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_decompress
+*
+* Description: De-serialization and subsequent decompression of a polynomial;
+*              approximate inverse of PQCLEAN_MLKEM768_CLEAN_poly_compress
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *a: pointer to input byte array
+*                                  (of length KYBER_POLYCOMPRESSEDBYTES bytes)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]) {
+    size_t i;
+
+    for (i = 0; i < KYBER_N / 2; i++) {
+        r->coeffs[2 * i + 0] = (((uint16_t)(a[0] & 15) * KYBER_Q) + 8) >> 4;
+        r->coeffs[2 * i + 1] = (((uint16_t)(a[0] >> 4) * KYBER_Q) + 8) >> 4;
+        a += 1;
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_tobytes
+*
+* Description: Serialization of a polynomial
+*
+* Arguments:   - uint8_t *r: pointer to output byte array
+*                            (needs space for KYBER_POLYBYTES bytes)
+*              - const poly *a: pointer to input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a) {
+    size_t i;
+    uint16_t t0, t1;
+
+    for (i = 0; i < KYBER_N / 2; i++) {
+        // map to positive standard representatives
+        t0  = a->coeffs[2 * i];
+        t0 += ((int16_t)t0 >> 15) & KYBER_Q;
+        t1 = a->coeffs[2 * i + 1];
+        t1 += ((int16_t)t1 >> 15) & KYBER_Q;
+        r[3 * i + 0] = (uint8_t)(t0 >> 0);
+        r[3 * i + 1] = (uint8_t)((t0 >> 8) | (t1 << 4));
+        r[3 * i + 2] = (uint8_t)(t1 >> 4);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_frombytes
+*
+* Description: De-serialization of a polynomial;
+*              inverse of PQCLEAN_MLKEM768_CLEAN_poly_tobytes
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *a: pointer to input byte array
+*                                  (of KYBER_POLYBYTES bytes)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]) {
+    size_t i;
+    for (i = 0; i < KYBER_N / 2; i++) {
+        r->coeffs[2 * i]   = ((a[3 * i + 0] >> 0) | ((uint16_t)a[3 * i + 1] << 8)) & 0xFFF;
+        r->coeffs[2 * i + 1] = ((a[3 * i + 1] >> 4) | ((uint16_t)a[3 * i + 2] << 4)) & 0xFFF;
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_frommsg
+*
+* Description: Convert 32-byte message to polynomial
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *msg: pointer to input message
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]) {
+    size_t i, j;
+
+    for (i = 0; i < KYBER_N / 8; i++) {
+        for (j = 0; j < 8; j++) {
+            r->coeffs[8 * i + j] = 0;
+            PQCLEAN_MLKEM768_CLEAN_cmov_int16(r->coeffs + 8 * i + j, ((KYBER_Q + 1) / 2), (msg[i] >> j) & 1);
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_tomsg
+*
+* Description: Convert polynomial to 32-byte message
+*
+* Arguments:   - uint8_t *msg: pointer to output message
+*              - const poly *a: pointer to input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a) {
+    unsigned int i, j;
+    uint32_t t;
+
+    for (i = 0; i < KYBER_N / 8; i++) {
+        msg[i] = 0;
+        for (j = 0; j < 8; j++) {
+            t  = a->coeffs[8 * i + j];
+            // t += ((int16_t)t >> 15) & KYBER_Q;
+            // t  = (((t << 1) + KYBER_Q/2)/KYBER_Q) & 1;
+            t <<= 1;
+            t += 1665;
+            t *= 80635;
+            t >>= 28;
+            t &= 1;
+            msg[i] |= t << j;
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1
+*
+* Description: Sample a polynomial deterministically from a seed and a nonce,
+*              with output polynomial close to centered binomial distribution
+*              with parameter KYBER_ETA1
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *seed: pointer to input seed
+*                                     (of length KYBER_SYMBYTES bytes)
+*              - uint8_t nonce: one-byte input nonce
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
+    uint8_t buf[KYBER_ETA1 * KYBER_N / 4];
+    prf(buf, sizeof(buf), seed, nonce);
+    PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta1(r, buf);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta2
+*
+* Description: Sample a polynomial deterministically from a seed and a nonce,
+*              with output polynomial close to centered binomial distribution
+*              with parameter KYBER_ETA2
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const uint8_t *seed: pointer to input seed
+*                                     (of length KYBER_SYMBYTES bytes)
+*              - uint8_t nonce: one-byte input nonce
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce) {
+    uint8_t buf[KYBER_ETA2 * KYBER_N / 4];
+    prf(buf, sizeof(buf), seed, nonce);
+    PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta2(r, buf);
+}
+
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_ntt
+*
+* Description: Computes negacyclic number-theoretic transform (NTT) of
+*              a polynomial in place;
+*              inputs assumed to be in normal order, output in bitreversed order
+*
+* Arguments:   - uint16_t *r: pointer to in/output polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_ntt(poly *r) {
+    PQCLEAN_MLKEM768_CLEAN_ntt(r->coeffs);
+    PQCLEAN_MLKEM768_CLEAN_poly_reduce(r);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont
+*
+* Description: Computes inverse of negacyclic number-theoretic transform (NTT)
+*              of a polynomial in place;
+*              inputs assumed to be in bitreversed order, output in normal order
+*
+* Arguments:   - uint16_t *a: pointer to in/output polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont(poly *r) {
+    PQCLEAN_MLKEM768_CLEAN_invntt(r->coeffs);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_basemul_montgomery
+*
+* Description: Multiplication of two polynomials in NTT domain
+*
+* Arguments:   - poly *r: pointer to output polynomial
+*              - const poly *a: pointer to first input polynomial
+*              - const poly *b: pointer to second input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b) {
+    size_t i;
+    for (i = 0; i < KYBER_N / 4; i++) {
+        PQCLEAN_MLKEM768_CLEAN_basemul(&r->coeffs[4 * i], &a->coeffs[4 * i], &b->coeffs[4 * i], PQCLEAN_MLKEM768_CLEAN_zetas[64 + i]);
+        PQCLEAN_MLKEM768_CLEAN_basemul(&r->coeffs[4 * i + 2], &a->coeffs[4 * i + 2], &b->coeffs[4 * i + 2], -PQCLEAN_MLKEM768_CLEAN_zetas[64 + i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_tomont
+*
+* Description: Inplace conversion of all coefficients of a polynomial
+*              from normal domain to Montgomery domain
+*
+* Arguments:   - poly *r: pointer to input/output polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_tomont(poly *r) {
+    size_t i;
+    const int16_t f = (1ULL << 32) % KYBER_Q;
+    for (i = 0; i < KYBER_N; i++) {
+        r->coeffs[i] = PQCLEAN_MLKEM768_CLEAN_montgomery_reduce((int32_t)r->coeffs[i] * f);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_reduce
+*
+* Description: Applies Barrett reduction to all coefficients of a polynomial
+*              for details of the Barrett reduction see comments in reduce.c
+*
+* Arguments:   - poly *r: pointer to input/output polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_reduce(poly *r) {
+    size_t i;
+    for (i = 0; i < KYBER_N; i++) {
+        r->coeffs[i] = PQCLEAN_MLKEM768_CLEAN_barrett_reduce(r->coeffs[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_add
+*
+* Description: Add two polynomials; no modular reduction is performed
+*
+* Arguments: - poly *r: pointer to output polynomial
+*            - const poly *a: pointer to first input polynomial
+*            - const poly *b: pointer to second input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_add(poly *r, const poly *a, const poly *b) {
+    size_t i;
+    for (i = 0; i < KYBER_N; i++) {
+        r->coeffs[i] = a->coeffs[i] + b->coeffs[i];
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_poly_sub
+*
+* Description: Subtract two polynomials; no modular reduction is performed
+*
+* Arguments: - poly *r:       pointer to output polynomial
+*            - const poly *a: pointer to first input polynomial
+*            - const poly *b: pointer to second input polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b) {
+    size_t i;
+    for (i = 0; i < KYBER_N; i++) {
+        r->coeffs[i] = a->coeffs[i] - b->coeffs[i];
+    }
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/poly.h

@@ -0,0 +1,37 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_POLY_H
+#define PQCLEAN_MLKEM768_CLEAN_POLY_H
+#include "params.h"
+#include <stdint.h>
+
+/*
+ * Elements of R_q = Z_q[X]/(X^n + 1). Represents polynomial
+ * coeffs[0] + X*coeffs[1] + X^2*coeffs[2] + ... + X^{n-1}*coeffs[n-1]
+ */
+typedef struct {
+    int16_t coeffs[KYBER_N];
+} poly;
+
+void PQCLEAN_MLKEM768_CLEAN_poly_compress(uint8_t r[KYBER_POLYCOMPRESSEDBYTES], const poly *a);
+void PQCLEAN_MLKEM768_CLEAN_poly_decompress(poly *r, const uint8_t a[KYBER_POLYCOMPRESSEDBYTES]);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_tobytes(uint8_t r[KYBER_POLYBYTES], const poly *a);
+void PQCLEAN_MLKEM768_CLEAN_poly_frombytes(poly *r, const uint8_t a[KYBER_POLYBYTES]);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_frommsg(poly *r, const uint8_t msg[KYBER_INDCPA_MSGBYTES]);
+void PQCLEAN_MLKEM768_CLEAN_poly_tomsg(uint8_t msg[KYBER_INDCPA_MSGBYTES], const poly *a);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta2(poly *r, const uint8_t seed[KYBER_SYMBYTES], uint8_t nonce);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_ntt(poly *r);
+void PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont(poly *r);
+void PQCLEAN_MLKEM768_CLEAN_poly_basemul_montgomery(poly *r, const poly *a, const poly *b);
+void PQCLEAN_MLKEM768_CLEAN_poly_tomont(poly *r);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_reduce(poly *r);
+
+void PQCLEAN_MLKEM768_CLEAN_poly_add(poly *r, const poly *a, const poly *b);
+void PQCLEAN_MLKEM768_CLEAN_poly_sub(poly *r, const poly *a, const poly *b);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/polyvec.c

@@ -0,0 +1,188 @@
+#include "params.h"
+#include "poly.h"
+#include "polyvec.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_compress
+*
+* Description: Compress and serialize vector of polynomials
+*
+* Arguments:   - uint8_t *r: pointer to output byte array
+*                            (needs space for KYBER_POLYVECCOMPRESSEDBYTES)
+*              - const polyvec *a: pointer to input vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a) {
+    unsigned int i, j, k;
+    uint64_t d0;
+
+    uint16_t t[4];
+    for (i = 0; i < KYBER_K; i++) {
+        for (j = 0; j < KYBER_N / 4; j++) {
+            for (k = 0; k < 4; k++) {
+                t[k]  = a->vec[i].coeffs[4 * j + k];
+                t[k] += ((int16_t)t[k] >> 15) & KYBER_Q;
+                /*      t[k]  = ((((uint32_t)t[k] << 10) + KYBER_Q/2)/ KYBER_Q) & 0x3ff; */
+                d0 = t[k];
+                d0 <<= 10;
+                d0 += 1665;
+                d0 *= 1290167;
+                d0 >>= 32;
+                t[k] = d0 & 0x3ff;
+            }
+
+            r[0] = (uint8_t)(t[0] >> 0);
+            r[1] = (uint8_t)((t[0] >> 8) | (t[1] << 2));
+            r[2] = (uint8_t)((t[1] >> 6) | (t[2] << 4));
+            r[3] = (uint8_t)((t[2] >> 4) | (t[3] << 6));
+            r[4] = (uint8_t)(t[3] >> 2);
+            r += 5;
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_decompress
+*
+* Description: De-serialize and decompress vector of polynomials;
+*              approximate inverse of PQCLEAN_MLKEM768_CLEAN_polyvec_compress
+*
+* Arguments:   - polyvec *r:       pointer to output vector of polynomials
+*              - const uint8_t *a: pointer to input byte array
+*                                  (of length KYBER_POLYVECCOMPRESSEDBYTES)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]) {
+    unsigned int i, j, k;
+
+    uint16_t t[4];
+    for (i = 0; i < KYBER_K; i++) {
+        for (j = 0; j < KYBER_N / 4; j++) {
+            t[0] = (a[0] >> 0) | ((uint16_t)a[1] << 8);
+            t[1] = (a[1] >> 2) | ((uint16_t)a[2] << 6);
+            t[2] = (a[2] >> 4) | ((uint16_t)a[3] << 4);
+            t[3] = (a[3] >> 6) | ((uint16_t)a[4] << 2);
+            a += 5;
+
+            for (k = 0; k < 4; k++) {
+                r->vec[i].coeffs[4 * j + k] = ((uint32_t)(t[k] & 0x3FF) * KYBER_Q + 512) >> 10;
+            }
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes
+*
+* Description: Serialize vector of polynomials
+*
+* Arguments:   - uint8_t *r: pointer to output byte array
+*                            (needs space for KYBER_POLYVECBYTES)
+*              - const polyvec *a: pointer to input vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_tobytes(r + i * KYBER_POLYBYTES, &a->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_frombytes
+*
+* Description: De-serialize vector of polynomials;
+*              inverse of PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes
+*
+* Arguments:   - uint8_t *r:       pointer to output byte array
+*              - const polyvec *a: pointer to input vector of polynomials
+*                                  (of length KYBER_POLYVECBYTES)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_frombytes(&r->vec[i], a + i * KYBER_POLYBYTES);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_ntt
+*
+* Description: Apply forward NTT to all elements of a vector of polynomials
+*
+* Arguments:   - polyvec *r: pointer to in/output vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(polyvec *r) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_ntt(&r->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_invntt_tomont
+*
+* Description: Apply inverse NTT to all elements of a vector of polynomials
+*              and multiply by Montgomery factor 2^16
+*
+* Arguments:   - polyvec *r: pointer to in/output vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_invntt_tomont(polyvec *r) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont(&r->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery
+*
+* Description: Multiply elements of a and b in NTT domain, accumulate into r,
+*              and multiply by 2^-16.
+*
+* Arguments: - poly *r: pointer to output polynomial
+*            - const polyvec *a: pointer to first input vector of polynomials
+*            - const polyvec *b: pointer to second input vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b) {
+    unsigned int i;
+    poly t;
+
+    PQCLEAN_MLKEM768_CLEAN_poly_basemul_montgomery(r, &a->vec[0], &b->vec[0]);
+    for (i = 1; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_basemul_montgomery(&t, &a->vec[i], &b->vec[i]);
+        PQCLEAN_MLKEM768_CLEAN_poly_add(r, r, &t);
+    }
+
+    PQCLEAN_MLKEM768_CLEAN_poly_reduce(r);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_reduce
+*
+* Description: Applies Barrett reduction to each coefficient
+*              of each element of a vector of polynomials;
+*              for details of the Barrett reduction see comments in reduce.c
+*
+* Arguments:   - polyvec *r: pointer to input/output polynomial
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_reduce(polyvec *r) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_reduce(&r->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_polyvec_add
+*
+* Description: Add vectors of polynomials
+*
+* Arguments: - polyvec *r: pointer to output vector of polynomials
+*            - const polyvec *a: pointer to first input vector of polynomials
+*            - const polyvec *b: pointer to second input vector of polynomials
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b) {
+    unsigned int i;
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM768_CLEAN_poly_add(&r->vec[i], &a->vec[i], &b->vec[i]);
+    }
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/polyvec.h

@@ -0,0 +1,26 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_POLYVEC_H
+#define PQCLEAN_MLKEM768_CLEAN_POLYVEC_H
+#include "params.h"
+#include "poly.h"
+#include <stdint.h>
+
+typedef struct {
+    poly vec[KYBER_K];
+} polyvec;
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_compress(uint8_t r[KYBER_POLYVECCOMPRESSEDBYTES], const polyvec *a);
+void PQCLEAN_MLKEM768_CLEAN_polyvec_decompress(polyvec *r, const uint8_t a[KYBER_POLYVECCOMPRESSEDBYTES]);
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes(uint8_t r[KYBER_POLYVECBYTES], const polyvec *a);
+void PQCLEAN_MLKEM768_CLEAN_polyvec_frombytes(polyvec *r, const uint8_t a[KYBER_POLYVECBYTES]);
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(polyvec *r);
+void PQCLEAN_MLKEM768_CLEAN_polyvec_invntt_tomont(polyvec *r);
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(poly *r, const polyvec *a, const polyvec *b);
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_reduce(polyvec *r);
+
+void PQCLEAN_MLKEM768_CLEAN_polyvec_add(polyvec *r, const polyvec *a, const polyvec *b);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/reduce.c

@@ -0,0 +1,41 @@
+#include "params.h"
+#include "reduce.h"
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_montgomery_reduce
+*
+* Description: Montgomery reduction; given a 32-bit integer a, computes
+*              16-bit integer congruent to a * R^-1 mod q, where R=2^16
+*
+* Arguments:   - int32_t a: input integer to be reduced;
+*                           has to be in {-q2^15,...,q2^15-1}
+*
+* Returns:     integer in {-q+1,...,q-1} congruent to a * R^-1 modulo q.
+**************************************************/
+int16_t PQCLEAN_MLKEM768_CLEAN_montgomery_reduce(int32_t a) {
+    int16_t t;
+
+    t = (int16_t)a * QINV;
+    t = (a - (int32_t)t * KYBER_Q) >> 16;
+    return t;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_barrett_reduce
+*
+* Description: Barrett reduction; given a 16-bit integer a, computes
+*              centered representative congruent to a mod q in {-(q-1)/2,...,(q-1)/2}
+*
+* Arguments:   - int16_t a: input integer to be reduced
+*
+* Returns:     integer in {-(q-1)/2,...,(q-1)/2} congruent to a modulo q.
+**************************************************/
+int16_t PQCLEAN_MLKEM768_CLEAN_barrett_reduce(int16_t a) {
+    int16_t t;
+    const int16_t v = ((1 << 26) + KYBER_Q / 2) / KYBER_Q;
+
+    t  = ((int32_t)v * a + (1 << 25)) >> 26;
+    t *= KYBER_Q;
+    return a - t;
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/reduce.h

@@ -0,0 +1,13 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_REDUCE_H
+#define PQCLEAN_MLKEM768_CLEAN_REDUCE_H
+#include "params.h"
+#include <stdint.h>
+
+#define MONT (-1044) // 2^16 mod q
+#define QINV (-3327) // q^-1 mod 2^16
+
+int16_t PQCLEAN_MLKEM768_CLEAN_montgomery_reduce(int32_t a);
+
+int16_t PQCLEAN_MLKEM768_CLEAN_barrett_reduce(int16_t a);
+
+#endif