pq_crypto 0.1.0

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/symmetric-shake.c

@@ -0,0 +1,71 @@
+#include "fips202.h"
+#include "params.h"
+#include "symmetric.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_kyber_shake128_absorb
+*
+* Description: Absorb step of the SHAKE128 specialized for the Kyber context.
+*
+* Arguments:   - xof_state *state: pointer to (uninitialized) output Keccak state
+*              - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state
+*              - uint8_t i: additional byte of input
+*              - uint8_t j: additional byte of input
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake128_absorb(xof_state *state,
+        const uint8_t seed[KYBER_SYMBYTES],
+        uint8_t x,
+        uint8_t y) {
+    uint8_t extseed[KYBER_SYMBYTES + 2];
+
+    memcpy(extseed, seed, KYBER_SYMBYTES);
+    extseed[KYBER_SYMBYTES + 0] = x;
+    extseed[KYBER_SYMBYTES + 1] = y;
+
+    shake128_absorb(state, extseed, sizeof(extseed));
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) {
+    uint8_t extkey[KYBER_SYMBYTES + 1];
+
+    memcpy(extkey, key, KYBER_SYMBYTES);
+    extkey[KYBER_SYMBYTES] = nonce;
+
+    shake256(out, outlen, extkey, sizeof(extkey));
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_kyber_shake256_prf
+*
+* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
+*              and then generates outlen bytes of SHAKE256 output
+*
+* Arguments:   - uint8_t *out: pointer to output
+*              - size_t outlen: number of requested output bytes
+*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
+*              - uint8_t nonce: single-byte nonce (public PRF input)
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]) {
+    shake256incctx s;
+
+    shake256_inc_init(&s);
+    shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
+    shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
+    shake256_inc_finalize(&s);
+    shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
+    shake256_inc_ctx_release(&s);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/symmetric.h

@@ -0,0 +1,30 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_SYMMETRIC_H
+#define PQCLEAN_MLKEM768_CLEAN_SYMMETRIC_H
+#include "fips202.h"
+#include "params.h"
+#include <stddef.h>
+#include <stdint.h>
+
+
+typedef shake128ctx xof_state;
+
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake128_absorb(xof_state *s,
+        const uint8_t seed[KYBER_SYMBYTES],
+        uint8_t x,
+        uint8_t y);
+
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
+
+void PQCLEAN_MLKEM768_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
+
+#define XOF_BLOCKBYTES SHAKE128_RATE
+
+#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
+#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
+#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_MLKEM768_CLEAN_kyber_shake128_absorb(STATE, SEED, X, Y)
+#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
+#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
+#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_MLKEM768_CLEAN_kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
+#define rkprf(OUT, KEY, INPUT) PQCLEAN_MLKEM768_CLEAN_kyber_shake256_rkprf(OUT, KEY, INPUT)
+
+#endif /* SYMMETRIC_H */

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/verify.c

@@ -0,0 +1,67 @@
+#include "compat.h"
+#include "verify.h"
+#include <stddef.h>
+#include <stdint.h>
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_verify
+*
+* Description: Compare two arrays for equality in constant time.
+*
+* Arguments:   const uint8_t *a: pointer to first byte array
+*              const uint8_t *b: pointer to second byte array
+*              size_t len:       length of the byte arrays
+*
+* Returns 0 if the byte arrays are equal, 1 otherwise
+**************************************************/
+int PQCLEAN_MLKEM768_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
+    size_t i;
+    uint8_t r = 0;
+
+    for (i = 0; i < len; i++) {
+        r |= a[i] ^ b[i];
+    }
+
+    return (-(uint64_t)r) >> 63;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_cmov
+*
+* Description: Copy len bytes from x to r if b is 1;
+*              don't modify x if b is 0. Requires b to be in {0,1};
+*              assumes two's complement representation of negative integers.
+*              Runs in constant time.
+*
+* Arguments:   uint8_t *r:       pointer to output byte array
+*              const uint8_t *x: pointer to input byte array
+*              size_t len:       Amount of bytes to be copied
+*              uint8_t b:        Condition bit; has to be in {0,1}
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
+    size_t i;
+
+    PQCLEAN_PREVENT_BRANCH_HACK(b);
+
+    b = -b;
+    for (i = 0; i < len; i++) {
+        r[i] ^= b & (r[i] ^ x[i]);
+    }
+}
+
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM768_CLEAN_cmov_int16
+*
+* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
+*              Requires b to be in {0,1};
+*              Runs in constant time.
+*
+* Arguments:   int16_t *r:       pointer to output int16_t
+*              int16_t v:        input int16_t
+*              uint8_t b:        Condition bit; has to be in {0,1}
+**************************************************/
+void PQCLEAN_MLKEM768_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b) {
+    b = -b;
+    *r ^= b & ((*r) ^ v);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/verify.h

@@ -0,0 +1,13 @@
+#ifndef PQCLEAN_MLKEM768_CLEAN_VERIFY_H
+#define PQCLEAN_MLKEM768_CLEAN_VERIFY_H
+#include "params.h"
+#include <stddef.h>
+#include <stdint.h>
+
+int PQCLEAN_MLKEM768_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
+
+void PQCLEAN_MLKEM768_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
+
+void PQCLEAN_MLKEM768_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/LICENSE

@@ -0,0 +1,5 @@
+Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
+
+For Keccak and AES we are using public-domain
+code from sources and by authors listed in
+comments on top of the respective files.

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/Makefile

@@ -0,0 +1,19 @@
+# This Makefile can be used with GNU Make or BSD Make
+
+LIB=libml-dsa-65_clean.a
+HEADERS=api.h ntt.h packing.h params.h poly.h polyvec.h reduce.h rounding.h sign.h symmetric.h 
+OBJECTS=ntt.o packing.o poly.o polyvec.o reduce.o rounding.o sign.o symmetric-shake.o 
+
+CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
+
+all: $(LIB)
+
+%.o: %.c $(HEADERS)
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+$(LIB): $(OBJECTS)
+	$(AR) -r $@ $(OBJECTS)
+
+clean:
+	$(RM) $(OBJECTS)
+	$(RM) $(LIB)

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/Makefile.Microsoft_nmake

@@ -0,0 +1,23 @@
+# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
+#    nmake /f Makefile.Microsoft_nmake
+
+LIBRARY=libml-dsa-65_clean.lib
+OBJECTS=ntt.obj packing.obj poly.obj polyvec.obj reduce.obj rounding.obj sign.obj symmetric-shake.obj 
+
+# Warning C4146 is raised when a unary minus operator is applied to an
+# unsigned type; this has nonetheless been standard and portable for as
+# long as there has been a C standard, and we need it for constant-time
+# computations. Thus, we disable that spurious warning.
+CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
+
+all: $(LIBRARY)
+
+# Make sure objects are recompiled if headers change.
+$(OBJECTS): *.h
+
+$(LIBRARY): $(OBJECTS)
+    LIB.EXE /NOLOGO /WX /OUT:$@ $**
+
+clean:
+    -DEL $(OBJECTS)
+    -DEL $(LIBRARY)

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/api.h

@@ -0,0 +1,50 @@
+#ifndef PQCLEAN_MLDSA65_CLEAN_API_H
+#define PQCLEAN_MLDSA65_CLEAN_API_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES 1952
+#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES 4032
+#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES 3309
+#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_ALGNAME "ML-DSA-65"
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *sk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_ctx(uint8_t *sm, size_t *smlen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *sk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_open_ctx(uint8_t *m, size_t *mlen,
+        const uint8_t *sm, size_t smlen,
+        const uint8_t *ctx, size_t ctxlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *sk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
+                                      const uint8_t *m, size_t mlen,
+                                      const uint8_t *sk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen,
+        const uint8_t *m, size_t mlen,
+        const uint8_t *pk);
+
+int PQCLEAN_MLDSA65_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
+        const uint8_t *sm, size_t smlen,
+        const uint8_t *pk);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/ntt.c

@@ -0,0 +1,98 @@
+#include "ntt.h"
+#include "params.h"
+#include "reduce.h"
+#include <stdint.h>
+
+static const int32_t zetas[N] = {
+    0,    25847, -2608894, -518909,   237124, -777960, -876248,   466468,
+    1826347,  2353451, -359251, -2091905,  3119733, -2884855,  3111497,  2680103,
+    2725464,  1024112, -1079900,  3585928, -549488, -1119584,  2619752, -2108549,
+    -2118186, -3859737, -1399561, -3277672,  1757237, -19422,  4010497,   280005,
+    2706023,    95776,  3077325,  3530437, -1661693, -3592148, -2537516,  3915439,
+    -3861115, -3043716,  3574422, -2867647,  3539968, -300467,  2348700, -539299,
+    -1699267, -1643818,  3505694, -3821735,  3507263, -2140649, -1600420,  3699596,
+    811944,   531354,   954230,  3881043,  3900724, -2556880,  2071892, -2797779,
+    -3930395, -1528703, -3677745, -3041255, -1452451,  3475950,  2176455, -1585221,
+    -1257611,  1939314, -4083598, -1000202, -3190144, -3157330, -3632928,   126922,
+    3412210, -983419,  2147896,  2715295, -2967645, -3693493, -411027, -2477047,
+    -671102, -1228525, -22981, -1308169, -381987,  1349076,  1852771, -1430430,
+    -3343383,   264944,   508951,  3097992,    44288, -1100098,   904516,  3958618,
+    -3724342, -8578,  1653064, -3249728,  2389356, -210977,   759969, -1316856,
+    189548, -3553272,  3159746, -1851402, -2409325, -177440,  1315589,  1341330,
+    1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969,  3839961,
+    2091667,  3407706,  2316500,  3817976, -3342478,  2244091, -2446433, -3562462,
+    266997,  2434439, -1235728,  3513181, -3520352, -3759364, -1197226, -3193378,
+    900702,  1859098,   909542,   819034,   495491, -1613174, -43260, -522500,
+    -655327, -3122442,  2031748,  3207046, -3556995, -525098, -768622, -3595838,
+    342297,   286988, -2437823,  4108315,  3437287, -3342277,  1735879,   203044,
+    2842341,  2691481, -2590150,  1265009,  4055324,  1247620,  2486353,  1595974,
+    -3767016,  1250494,  2635921, -3548272, -2994039,  1869119,  1903435, -1050970,
+    -1333058,  1237275, -3318210, -1430225, -451100,  1312455,  3306115, -1962642,
+    -1279661,  1917081, -2546312, -1374803,  1500165,   777191,  2235880,  3406031,
+    -542412, -2831860, -1671176, -1846953, -2584293, -3724270,   594136, -3776993,
+    -2013608,  2432395,  2454455, -164721,  1957272,  3369112,   185531, -1207385,
+    -3183426,   162844,  1616392,  3014001,   810149,  1652634, -3694233, -1799107,
+    -3038916,  3523897,  3866901,   269760,  2213111, -975884,  1717735,   472078,
+    -426683,  1723600, -1803090,  1910376, -1667432, -1104333, -260646, -3833893,
+    -2939036, -2235985, -420899, -2286327,   183443, -976891,  1612842, -3545687,
+    -554416,  3919660, -48306, -1362209,  3937738,  1400424, -846154,  1976782
+};
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_ntt
+*
+* Description: Forward NTT, in-place. No modular reduction is performed after
+*              additions or subtractions. Output vector is in bitreversed order.
+*
+* Arguments:   - uint32_t p[N]: input/output coefficient array
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_ntt(int32_t a[N]) {
+    unsigned int len, start, j, k;
+    int32_t zeta, t;
+
+    k = 0;
+    for (len = 128; len > 0; len >>= 1) {
+        for (start = 0; start < N; start = j + len) {
+            zeta = zetas[++k];
+            for (j = start; j < start + len; ++j) {
+                t = PQCLEAN_MLDSA65_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
+                a[j + len] = a[j] - t;
+                a[j] = a[j] + t;
+            }
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_invntt_tomont
+*
+* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
+*              In-place. No modular reductions after additions or
+*              subtractions; input coefficients need to be smaller than
+*              Q in absolute value. Output coefficient are smaller than Q in
+*              absolute value.
+*
+* Arguments:   - uint32_t p[N]: input/output coefficient array
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_invntt_tomont(int32_t a[N]) {
+    unsigned int start, len, j, k;
+    int32_t t, zeta;
+    const int32_t f = 41978; // mont^2/256
+
+    k = 256;
+    for (len = 1; len < N; len <<= 1) {
+        for (start = 0; start < N; start = j + len) {
+            zeta = -zetas[--k];
+            for (j = start; j < start + len; ++j) {
+                t = a[j];
+                a[j] = t + a[j + len];
+                a[j + len] = t - a[j + len];
+                a[j + len] = PQCLEAN_MLDSA65_CLEAN_montgomery_reduce((int64_t)zeta * a[j + len]);
+            }
+        }
+    }
+
+    for (j = 0; j < N; ++j) {
+        a[j] = PQCLEAN_MLDSA65_CLEAN_montgomery_reduce((int64_t)f * a[j]);
+    }
+}

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/ntt.h

@@ -0,0 +1,10 @@
+#ifndef PQCLEAN_MLDSA65_CLEAN_NTT_H
+#define PQCLEAN_MLDSA65_CLEAN_NTT_H
+#include "params.h"
+#include <stdint.h>
+
+void PQCLEAN_MLDSA65_CLEAN_ntt(int32_t a[N]);
+
+void PQCLEAN_MLDSA65_CLEAN_invntt_tomont(int32_t a[N]);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/packing.c

@@ -0,0 +1,261 @@
+#include "packing.h"
+#include "params.h"
+#include "poly.h"
+#include "polyvec.h"
+
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_pack_pk
+*
+* Description: Bit-pack public key pk = (rho, t1).
+*
+* Arguments:   - uint8_t pk[]: output byte array
+*              - const uint8_t rho[]: byte array containing rho
+*              - const polyveck *t1: pointer to vector t1
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_pack_pk(uint8_t pk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const polyveck *t1) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        pk[i] = rho[i];
+    }
+    pk += SEEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_unpack_pk
+*
+* Description: Unpack public key pk = (rho, t1).
+*
+* Arguments:   - const uint8_t rho[]: output byte array for rho
+*              - const polyveck *t1: pointer to output vector t1
+*              - uint8_t pk[]: byte array containing bit-packed pk
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES],
+                                     polyveck *t1,
+                                     const uint8_t pk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES]) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        rho[i] = pk[i];
+    }
+    pk += SEEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_pack_sk
+*
+* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
+*
+* Arguments:   - uint8_t sk[]: output byte array
+*              - const uint8_t rho[]: byte array containing rho
+*              - const uint8_t tr[]: byte array containing tr
+*              - const uint8_t key[]: byte array containing key
+*              - const polyveck *t0: pointer to vector t0
+*              - const polyvecl *s1: pointer to vector s1
+*              - const polyveck *s2: pointer to vector s2
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_pack_sk(uint8_t sk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const uint8_t tr[TRBYTES],
+                                   const uint8_t key[SEEDBYTES],
+                                   const polyveck *t0,
+                                   const polyvecl *s1,
+                                   const polyveck *s2) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        sk[i] = rho[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        sk[i] = key[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < TRBYTES; ++i) {
+        sk[i] = tr[i];
+    }
+    sk += TRBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
+    }
+    sk += L * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
+    }
+    sk += K * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_unpack_sk
+*
+* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
+*
+* Arguments:   - const uint8_t rho[]: output byte array for rho
+*              - const uint8_t tr[]: output byte array for tr
+*              - const uint8_t key[]: output byte array for key
+*              - const polyveck *t0: pointer to output vector t0
+*              - const polyvecl *s1: pointer to output vector s1
+*              - const polyveck *s2: pointer to output vector s2
+*              - uint8_t sk[]: byte array containing bit-packed sk
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
+                                     uint8_t tr[TRBYTES],
+                                     uint8_t key[SEEDBYTES],
+                                     polyveck *t0,
+                                     polyvecl *s1,
+                                     polyveck *s2,
+                                     const uint8_t sk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES]) {
+    unsigned int i;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        rho[i] = sk[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < SEEDBYTES; ++i) {
+        key[i] = sk[i];
+    }
+    sk += SEEDBYTES;
+
+    for (i = 0; i < TRBYTES; ++i) {
+        tr[i] = sk[i];
+    }
+    sk += TRBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
+    }
+    sk += L * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
+    }
+    sk += K * POLYETA_PACKEDBYTES;
+
+    for (i = 0; i < K; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_pack_sig
+*
+* Description: Bit-pack signature sig = (c, z, h).
+*
+* Arguments:   - uint8_t sig[]: output byte array
+*              - const uint8_t *c: pointer to challenge hash length SEEDBYTES
+*              - const polyvecl *z: pointer to vector z
+*              - const polyveck *h: pointer to hint vector h
+**************************************************/
+void PQCLEAN_MLDSA65_CLEAN_pack_sig(uint8_t sig[PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES],
+                                    const uint8_t c[CTILDEBYTES],
+                                    const polyvecl *z,
+                                    const polyveck *h) {
+    unsigned int i, j, k;
+
+    for (i = 0; i < CTILDEBYTES; ++i) {
+        sig[i] = c[i];
+    }
+    sig += CTILDEBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
+    }
+    sig += L * POLYZ_PACKEDBYTES;
+
+    /* Encode h */
+    for (i = 0; i < OMEGA + K; ++i) {
+        sig[i] = 0;
+    }
+
+    k = 0;
+    for (i = 0; i < K; ++i) {
+        for (j = 0; j < N; ++j) {
+            if (h->vec[i].coeffs[j] != 0) {
+                sig[k++] = (uint8_t) j;
+            }
+        }
+
+        sig[OMEGA + i] = (uint8_t) k;
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLDSA65_CLEAN_unpack_sig
+*
+* Description: Unpack signature sig = (c, z, h).
+*
+* Arguments:   - uint8_t *c: pointer to output challenge hash
+*              - polyvecl *z: pointer to output vector z
+*              - polyveck *h: pointer to output hint vector h
+*              - const uint8_t sig[]: byte array containing
+*                bit-packed signature
+*
+* Returns 1 in case of malformed signature; otherwise 0.
+**************************************************/
+int PQCLEAN_MLDSA65_CLEAN_unpack_sig(uint8_t c[CTILDEBYTES],
+                                     polyvecl *z,
+                                     polyveck *h,
+                                     const uint8_t sig[PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES]) {
+    unsigned int i, j, k;
+
+    for (i = 0; i < CTILDEBYTES; ++i) {
+        c[i] = sig[i];
+    }
+    sig += CTILDEBYTES;
+
+    for (i = 0; i < L; ++i) {
+        PQCLEAN_MLDSA65_CLEAN_polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
+    }
+    sig += L * POLYZ_PACKEDBYTES;
+
+    /* Decode h */
+    k = 0;
+    for (i = 0; i < K; ++i) {
+        for (j = 0; j < N; ++j) {
+            h->vec[i].coeffs[j] = 0;
+        }
+
+        if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
+            return 1;
+        }
+
+        for (j = k; j < sig[OMEGA + i]; ++j) {
+            /* Coefficients are ordered for strong unforgeability */
+            if (j > k && sig[j] <= sig[j - 1]) {
+                return 1;
+            }
+            h->vec[i].coeffs[sig[j]] = 1;
+        }
+
+        k = sig[OMEGA + i];
+    }
+
+    /* Extra indices are zero for strong unforgeability */
+    for (j = k; j < OMEGA; ++j) {
+        if (sig[j]) {
+            return 1;
+        }
+    }
+
+    return 0;
+}

data/ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/packing.h

@@ -0,0 +1,31 @@
+#ifndef PQCLEAN_MLDSA65_CLEAN_PACKING_H
+#define PQCLEAN_MLDSA65_CLEAN_PACKING_H
+#include "params.h"
+#include "polyvec.h"
+#include <stdint.h>
+
+void PQCLEAN_MLDSA65_CLEAN_pack_pk(uint8_t pk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
+
+void PQCLEAN_MLDSA65_CLEAN_pack_sk(uint8_t sk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES],
+                                   const uint8_t rho[SEEDBYTES],
+                                   const uint8_t tr[TRBYTES],
+                                   const uint8_t key[SEEDBYTES],
+                                   const polyveck *t0,
+                                   const polyvecl *s1,
+                                   const polyveck *s2);
+
+void PQCLEAN_MLDSA65_CLEAN_pack_sig(uint8_t sig[PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES], const uint8_t c[CTILDEBYTES], const polyvecl *z, const polyveck *h);
+
+void PQCLEAN_MLDSA65_CLEAN_unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES]);
+
+void PQCLEAN_MLDSA65_CLEAN_unpack_sk(uint8_t rho[SEEDBYTES],
+                                     uint8_t tr[TRBYTES],
+                                     uint8_t key[SEEDBYTES],
+                                     polyveck *t0,
+                                     polyvecl *s1,
+                                     polyveck *s2,
+                                     const uint8_t sk[PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES]);
+
+int PQCLEAN_MLDSA65_CLEAN_unpack_sig(uint8_t c[CTILDEBYTES], polyvecl *z, polyveck *h, const uint8_t sig[PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES]);
+
+#endif