pq_crypto 0.3.0 → 0.3.2

data/ext/pqcrypto/pq_externalmu.c

@@ -0,0 +1,297 @@
+#include "pqcrypto_secure.h"
+
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+
+#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/params.h"
+#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/packing.h"
+#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/polyvec.h"
+#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/poly.h"
+#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/symmetric.h"
+#include "fips202.h"
+#include "randombytes.h"
+
+#if CRHBYTES != PQ_MLDSA_MUBYTES
+#error "PQ_MLDSA_MUBYTES must match PQClean's CRHBYTES"
+#endif
+#if TRBYTES != PQ_MLDSA_TRBYTES
+#error "PQ_MLDSA_TRBYTES must match PQClean's TRBYTES"
+#endif
+
+int pq_mldsa_extract_tr_from_secret_key(uint8_t *tr_out, const uint8_t *secret_key) {
+    if (tr_out == NULL || secret_key == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    uint8_t rho[SEEDBYTES];
+    uint8_t key[SEEDBYTES];
+    polyveck t0;
+    polyvecl s1;
+    polyveck s2;
+
+    PQCLEAN_MLDSA65_CLEAN_unpack_sk(rho, tr_out, key, &t0, &s1, &s2, secret_key);
+
+    pq_secure_wipe(rho, sizeof(rho));
+    pq_secure_wipe(key, sizeof(key));
+    pq_secure_wipe(&t0, sizeof(t0));
+    pq_secure_wipe(&s1, sizeof(s1));
+    pq_secure_wipe(&s2, sizeof(s2));
+
+    return PQ_SUCCESS;
+}
+
+int pq_mldsa_compute_tr_from_public_key(uint8_t *tr_out, const uint8_t *public_key) {
+    if (tr_out == NULL || public_key == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    shake256(tr_out, TRBYTES, public_key, PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES);
+    return PQ_SUCCESS;
+}
+
+int pq_sign_mu(uint8_t *signature, size_t *signature_len, const uint8_t *mu,
+               const uint8_t *secret_key) {
+    if (signature == NULL || signature_len == NULL || mu == NULL || secret_key == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    unsigned int n;
+    uint8_t rho[SEEDBYTES];
+    uint8_t tr_unused[TRBYTES];
+    uint8_t key[SEEDBYTES];
+    uint8_t rnd[RNDBYTES];
+    uint8_t mu_local[CRHBYTES];
+    uint8_t rhoprime[CRHBYTES];
+    uint16_t nonce = 0;
+    polyvecl mat[K], s1, y, z;
+    polyveck t0, s2, w1, w0, h;
+    poly cp;
+    shake256incctx state;
+
+    PQCLEAN_MLDSA65_CLEAN_unpack_sk(rho, tr_unused, key, &t0, &s1, &s2, secret_key);
+    pq_secure_wipe(tr_unused, sizeof(tr_unused));
+
+    memcpy(mu_local, mu, CRHBYTES);
+
+    randombytes(rnd, RNDBYTES);
+
+    {
+        uint8_t kr[SEEDBYTES + RNDBYTES + CRHBYTES];
+        memcpy(kr, key, SEEDBYTES);
+        memcpy(kr + SEEDBYTES, rnd, RNDBYTES);
+        memcpy(kr + SEEDBYTES + RNDBYTES, mu_local, CRHBYTES);
+        shake256(rhoprime, CRHBYTES, kr, sizeof(kr));
+        pq_secure_wipe(kr, sizeof(kr));
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_expand(mat, rho);
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&s1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&s2);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&t0);
+
+rej:
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
+
+    z = y;
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&z);
+    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&w1);
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_caddq(&w1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_decompose(&w1, &w0, &w1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_pack_w1(signature, &w1);
+
+    shake256_inc_init(&state);
+    shake256_inc_absorb(&state, mu_local, CRHBYTES);
+    shake256_inc_absorb(&state, signature, K * POLYW1_PACKEDBYTES);
+    shake256_inc_finalize(&state);
+    shake256_inc_squeeze(signature, CTILDEBYTES, &state);
+    shake256_inc_ctx_release(&state);
+
+    PQCLEAN_MLDSA65_CLEAN_poly_challenge(&cp, signature);
+    PQCLEAN_MLDSA65_CLEAN_poly_ntt(&cp);
+
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_invntt_tomont(&z);
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_add(&z, &z, &y);
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_reduce(&z);
+    if (PQCLEAN_MLDSA65_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) {
+        goto rej;
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&h);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_sub(&w0, &w0, &h);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w0);
+    if (PQCLEAN_MLDSA65_CLEAN_polyveck_chknorm(&w0, GAMMA2 - BETA)) {
+        goto rej;
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&h);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&h);
+    if (PQCLEAN_MLDSA65_CLEAN_polyveck_chknorm(&h, GAMMA2)) {
+        goto rej;
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_add(&w0, &w0, &h);
+    n = PQCLEAN_MLDSA65_CLEAN_polyveck_make_hint(&h, &w0, &w1);
+    if (n > OMEGA) {
+        goto rej;
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_pack_sig(signature, signature, &z, &h);
+    *signature_len = PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES;
+
+    pq_secure_wipe(rho, sizeof(rho));
+    pq_secure_wipe(key, sizeof(key));
+    pq_secure_wipe(rnd, sizeof(rnd));
+    pq_secure_wipe(mu_local, sizeof(mu_local));
+    pq_secure_wipe(rhoprime, sizeof(rhoprime));
+    pq_secure_wipe(&s1, sizeof(s1));
+    pq_secure_wipe(&s2, sizeof(s2));
+    pq_secure_wipe(&t0, sizeof(t0));
+    pq_secure_wipe(&y, sizeof(y));
+    pq_secure_wipe(&z, sizeof(z));
+    pq_secure_wipe(&w0, sizeof(w0));
+    pq_secure_wipe(&cp, sizeof(cp));
+
+    return PQ_SUCCESS;
+}
+
+int pq_verify_mu(const uint8_t *signature, size_t signature_len, const uint8_t *mu,
+                 const uint8_t *public_key) {
+    if (signature == NULL || mu == NULL || public_key == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+    if (signature_len != PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES) {
+        return PQ_ERROR_VERIFY;
+    }
+
+    unsigned int i;
+    uint8_t buf[K * POLYW1_PACKEDBYTES];
+    uint8_t rho[SEEDBYTES];
+    uint8_t c[CTILDEBYTES];
+    uint8_t c2[CTILDEBYTES];
+    poly cp;
+    polyvecl mat[K], z;
+    polyveck t1, w1, h;
+    shake256incctx state;
+
+    PQCLEAN_MLDSA65_CLEAN_unpack_pk(rho, &t1, public_key);
+    if (PQCLEAN_MLDSA65_CLEAN_unpack_sig(c, &z, &h, signature)) {
+        return PQ_ERROR_VERIFY;
+    }
+    if (PQCLEAN_MLDSA65_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) {
+        return PQ_ERROR_VERIFY;
+    }
+
+    PQCLEAN_MLDSA65_CLEAN_poly_challenge(&cp, c);
+    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_expand(mat, rho);
+
+    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&z);
+    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
+
+    PQCLEAN_MLDSA65_CLEAN_poly_ntt(&cp);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_shiftl(&t1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&t1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_sub(&w1, &w1, &t1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&w1);
+
+    PQCLEAN_MLDSA65_CLEAN_polyveck_caddq(&w1);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_use_hint(&w1, &w1, &h);
+    PQCLEAN_MLDSA65_CLEAN_polyveck_pack_w1(buf, &w1);
+
+    shake256_inc_init(&state);
+    shake256_inc_absorb(&state, mu, CRHBYTES);
+    shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES);
+    shake256_inc_finalize(&state);
+    shake256_inc_squeeze(c2, CTILDEBYTES, &state);
+    shake256_inc_ctx_release(&state);
+
+    for (i = 0; i < CTILDEBYTES; ++i) {
+        if (c[i] != c2[i]) {
+            return PQ_ERROR_VERIFY;
+        }
+    }
+
+    return PQ_SUCCESS;
+}
+
+void *pq_mu_builder_new(void) {
+    shake256incctx *state = (shake256incctx *)malloc(sizeof(shake256incctx));
+    if (state == NULL) {
+        return NULL;
+    }
+
+    shake256_inc_init(state);
+    return state;
+}
+
+int pq_mu_builder_init(void *state_ptr, const uint8_t *tr, const uint8_t *ctx, size_t ctxlen) {
+    if (state_ptr == NULL || tr == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+    if (ctxlen > 255) {
+        return PQ_ERROR_BUFFER;
+    }
+    if (ctxlen > 0 && ctx == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    shake256incctx *state = (shake256incctx *)state_ptr;
+
+    uint8_t prefix[2];
+    prefix[0] = 0x00;
+    prefix[1] = (uint8_t)ctxlen;
+
+    shake256_inc_absorb(state, tr, TRBYTES);
+    shake256_inc_absorb(state, prefix, sizeof(prefix));
+    if (ctxlen > 0) {
+        shake256_inc_absorb(state, ctx, ctxlen);
+    }
+    return PQ_SUCCESS;
+}
+
+int pq_mu_builder_absorb(void *state_ptr, const uint8_t *chunk, size_t chunk_len) {
+    if (state_ptr == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+    if (chunk_len == 0) {
+        return PQ_SUCCESS;
+    }
+    if (chunk == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    shake256incctx *state = (shake256incctx *)state_ptr;
+    shake256_inc_absorb(state, chunk, chunk_len);
+    return PQ_SUCCESS;
+}
+
+int pq_mu_builder_finalize(void *state_ptr, uint8_t *mu_out) {
+    if (state_ptr == NULL || mu_out == NULL) {
+        return PQ_ERROR_BUFFER;
+    }
+
+    shake256incctx *state = (shake256incctx *)state_ptr;
+    shake256_inc_finalize(state);
+    shake256_inc_squeeze(mu_out, CRHBYTES, state);
+    shake256_inc_ctx_release(state);
+    free(state);
+    return PQ_SUCCESS;
+}
+
+void pq_mu_builder_release(void *state_ptr) {
+    if (state_ptr == NULL) {
+        return;
+    }
+    shake256incctx *state = (shake256incctx *)state_ptr;
+    shake256_inc_ctx_release(state);
+    free(state);
+}

data/ext/pqcrypto/pqcrypto_ruby_secure.c

@@ -8,6 +8,10 @@
 
 #include "pqcrypto_secure.h"
 
+#ifndef RB_NOGVL_OFFLOAD_SAFE
+#define RB_NOGVL_OFFLOAD_SAFE 0
+#endif
+
 typedef struct {
     int result;
     uint8_t *public_key;
@@ -219,6 +223,10 @@ static void pq_wipe_and_free(uint8_t *buffer, size_t len) {
     }
 }
 
+static void pq_free_buffer(uint8_t *buffer) {
+    free(buffer);
+}
+
 static void pq_validate_bytes_argument(VALUE value, size_t expected_len, const char *what) {
     StringValue(value);
     if ((size_t)RSTRING_LEN(value) != expected_len) {
@@ -624,17 +632,17 @@ static VALUE pqcrypto__test_sign_from_seed(VALUE self, VALUE message, VALUE secr
 
     rb_thread_call_without_gvl(pq_testing_sign_nogvl, &call, NULL, NULL);
 
-    pq_wipe_and_free(call.message, call.message_len);
+    pq_free_buffer(call.message);
     pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
     pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
 
     if (call.result != PQ_SUCCESS) {
-        pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+        pq_free_buffer(call.signature);
         pq_raise_general_error(call.result);
     }
 
     VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
-    pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+    pq_free_buffer(call.signature);
     return result;
 }
 
@@ -657,16 +665,16 @@ static VALUE pqcrypto_sign(VALUE self, VALUE message, VALUE secret_key) {
 
     rb_nogvl(pq_sign_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
 
-    pq_wipe_and_free(call.message, call.message_len);
+    pq_free_buffer(call.message);
     pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
 
     if (call.result != PQ_SUCCESS) {
-        pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+        pq_free_buffer(call.signature);
         pq_raise_general_error(call.result);
     }
 
     VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
-    free(call.signature);
+    pq_free_buffer(call.signature);
     return result;
 }
 
@@ -685,9 +693,9 @@ static VALUE pqcrypto_verify(VALUE self, VALUE message, VALUE signature, VALUE p
 
     rb_nogvl(pq_verify_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
 
-    pq_wipe_and_free(call.message, call.message_len);
-    pq_wipe_and_free((uint8_t *)call.public_key, public_key_len);
-    pq_wipe_and_free((uint8_t *)call.signature, signature_len);
+    pq_free_buffer(call.message);
+    pq_free_buffer((uint8_t *)call.public_key);
+    pq_free_buffer((uint8_t *)call.signature);
 
     if (call.result == PQ_SUCCESS) {
         return Qtrue;
@@ -727,6 +735,282 @@ static VALUE pqcrypto_version(VALUE self) {
     return rb_str_new_cstr(pq_version());
 }
 
+typedef struct {
+    void *builder;
+} mu_builder_wrapper_t;
+
+typedef struct {
+    int result;
+    void *builder;
+    const uint8_t *chunk;
+    size_t chunk_len;
+} mu_absorb_call_t;
+
+typedef struct {
+    int result;
+    void *builder;
+    uint8_t *mu_out;
+} mu_finalize_call_t;
+
+typedef struct {
+    int result;
+    uint8_t *signature;
+    size_t signature_len;
+    const uint8_t *mu;
+    const uint8_t *secret_key;
+} sign_mu_call_t;
+
+typedef struct {
+    int result;
+    const uint8_t *signature;
+    size_t signature_len;
+    const uint8_t *mu;
+    const uint8_t *public_key;
+} verify_mu_call_t;
+
+static void mu_builder_wrapper_free(void *ptr) {
+    mu_builder_wrapper_t *wrapper = (mu_builder_wrapper_t *)ptr;
+    if (wrapper == NULL) {
+        return;
+    }
+    if (wrapper->builder != NULL) {
+        pq_mu_builder_release(wrapper->builder);
+        wrapper->builder = NULL;
+    }
+    xfree(wrapper);
+}
+
+static size_t mu_builder_wrapper_size(const void *ptr) {
+    (void)ptr;
+    return sizeof(mu_builder_wrapper_t);
+}
+
+static const rb_data_type_t mu_builder_data_type = {
+    "PQCrypto::MLDSA::MuBuilder",
+    {NULL, mu_builder_wrapper_free, mu_builder_wrapper_size},
+    NULL,
+    NULL,
+    RUBY_TYPED_FREE_IMMEDIATELY};
+
+static mu_builder_wrapper_t *mu_builder_unwrap(VALUE obj) {
+    mu_builder_wrapper_t *wrapper;
+    TypedData_Get_Struct(obj, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    if (wrapper == NULL || wrapper->builder == NULL) {
+        rb_raise(ePQCryptoError, "mu builder used after release");
+    }
+    return wrapper;
+}
+
+static VALUE pqcrypto__native_mldsa_extract_tr(VALUE self, VALUE secret_key) {
+    (void)self;
+    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");
+
+    uint8_t tr[PQ_MLDSA_TRBYTES];
+    int rc = pq_mldsa_extract_tr_from_secret_key(tr, (const uint8_t *)RSTRING_PTR(secret_key));
+    if (rc != PQ_SUCCESS) {
+        pq_secure_wipe(tr, sizeof(tr));
+        pq_raise_general_error(rc);
+    }
+    VALUE result = pq_string_from_buffer(tr, sizeof(tr));
+    pq_secure_wipe(tr, sizeof(tr));
+    return result;
+}
+
+static VALUE pqcrypto__native_mldsa_compute_tr(VALUE self, VALUE public_key) {
+    (void)self;
+    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");
+
+    uint8_t tr[PQ_MLDSA_TRBYTES];
+    int rc = pq_mldsa_compute_tr_from_public_key(tr, (const uint8_t *)RSTRING_PTR(public_key));
+    if (rc != PQ_SUCCESS) {
+        pq_raise_general_error(rc);
+    }
+    return pq_string_from_buffer(tr, sizeof(tr));
+}
+
+static VALUE pqcrypto__native_mldsa_mu_builder_new(VALUE self, VALUE tr, VALUE ctx) {
+    (void)self;
+    pq_validate_bytes_argument(tr, PQ_MLDSA_TRBYTES, "tr");
+    StringValue(ctx);
+
+    size_t ctxlen = (size_t)RSTRING_LEN(ctx);
+    if (ctxlen > 255) {
+        rb_raise(rb_eArgError, "ML-DSA context length must be <= 255 bytes");
+    }
+
+    void *builder = pq_mu_builder_new();
+    if (builder == NULL) {
+        rb_raise(rb_eNoMemError, "Memory allocation failed (mu builder)");
+    }
+
+    int rc = pq_mu_builder_init(builder, (const uint8_t *)RSTRING_PTR(tr),
+                                (const uint8_t *)RSTRING_PTR(ctx), ctxlen);
+    if (rc != PQ_SUCCESS) {
+        pq_mu_builder_release(builder);
+        pq_raise_general_error(rc);
+    }
+
+    mu_builder_wrapper_t *wrapper;
+    VALUE obj =
+        TypedData_Make_Struct(rb_cObject, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    wrapper->builder = builder;
+    return obj;
+}
+
+static void *pq_mu_absorb_nogvl(void *arg) {
+    mu_absorb_call_t *call = (mu_absorb_call_t *)arg;
+    call->result = pq_mu_builder_absorb(call->builder, call->chunk, call->chunk_len);
+    return NULL;
+}
+
+static VALUE pqcrypto__native_mldsa_mu_builder_update(VALUE self, VALUE builder_obj, VALUE chunk) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);
+    StringValue(chunk);
+
+    size_t chunk_len = (size_t)RSTRING_LEN(chunk);
+    if (chunk_len == 0) {
+        return Qnil;
+    }
+
+    uint8_t *copy = pq_alloc_buffer(chunk_len);
+    memcpy(copy, RSTRING_PTR(chunk), chunk_len);
+
+    mu_absorb_call_t call = {0};
+    call.builder = wrapper->builder;
+    call.chunk = copy;
+    call.chunk_len = chunk_len;
+
+    rb_nogvl(pq_mu_absorb_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    free(copy);
+
+    if (call.result != PQ_SUCCESS) {
+        pq_raise_general_error(call.result);
+    }
+    return Qnil;
+}
+
+static void *pq_mu_finalize_nogvl(void *arg) {
+    mu_finalize_call_t *call = (mu_finalize_call_t *)arg;
+    call->result = pq_mu_builder_finalize(call->builder, call->mu_out);
+    return NULL;
+}
+
+static VALUE pqcrypto__native_mldsa_mu_builder_finalize(VALUE self, VALUE builder_obj) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);
+
+    uint8_t mu[PQ_MLDSA_MUBYTES];
+
+    mu_finalize_call_t call = {0};
+    call.builder = wrapper->builder;
+    call.mu_out = mu;
+
+    rb_nogvl(pq_mu_finalize_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+
+    if (call.result != PQ_SUCCESS) {
+        pq_mu_builder_release(wrapper->builder);
+    }
+    wrapper->builder = NULL;
+
+    if (call.result != PQ_SUCCESS) {
+        pq_secure_wipe(mu, sizeof(mu));
+        pq_raise_general_error(call.result);
+    }
+
+    VALUE result = pq_string_from_buffer(mu, sizeof(mu));
+    pq_secure_wipe(mu, sizeof(mu));
+    return result;
+}
+
+static VALUE pqcrypto__native_mldsa_mu_builder_release(VALUE self, VALUE builder_obj) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper;
+    TypedData_Get_Struct(builder_obj, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    if (wrapper != NULL && wrapper->builder != NULL) {
+        pq_mu_builder_release(wrapper->builder);
+        wrapper->builder = NULL;
+    }
+    return Qnil;
+}
+
+static void *pq_sign_mu_nogvl(void *arg) {
+    sign_mu_call_t *call = (sign_mu_call_t *)arg;
+    call->result = pq_sign_mu(call->signature, &call->signature_len, call->mu, call->secret_key);
+    return NULL;
+}
+
+static VALUE pqcrypto__native_mldsa_sign_mu(VALUE self, VALUE mu, VALUE secret_key) {
+    (void)self;
+    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
+    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");
+
+    sign_mu_call_t call = {0};
+    size_t secret_key_len = 0;
+    size_t mu_len = 0;
+    uint8_t *mu_copy = pq_copy_ruby_string(mu, &mu_len);
+    uint8_t *sk_copy = pq_copy_ruby_string(secret_key, &secret_key_len);
+
+    call.mu = mu_copy;
+    call.secret_key = sk_copy;
+    call.signature_len = PQ_MLDSA_BYTES;
+    call.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);
+
+    rb_nogvl(pq_sign_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+
+    pq_wipe_and_free(mu_copy, mu_len);
+    pq_wipe_and_free(sk_copy, secret_key_len);
+
+    if (call.result != PQ_SUCCESS) {
+        pq_free_buffer(call.signature);
+        pq_raise_general_error(call.result);
+    }
+
+    VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
+    pq_free_buffer(call.signature);
+    return result;
+}
+
+static void *pq_verify_mu_nogvl(void *arg) {
+    verify_mu_call_t *call = (verify_mu_call_t *)arg;
+    call->result = pq_verify_mu(call->signature, call->signature_len, call->mu, call->public_key);
+    return NULL;
+}
+
+static VALUE pqcrypto__native_mldsa_verify_mu(VALUE self, VALUE mu, VALUE signature,
+                                              VALUE public_key) {
+    (void)self;
+    StringValue(signature);
+    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
+    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");
+
+    verify_mu_call_t call = {0};
+    size_t public_key_len = 0;
+    size_t signature_len = 0;
+    size_t mu_len = 0;
+    uint8_t *mu_copy = pq_copy_ruby_string(mu, &mu_len);
+    uint8_t *pk_copy = pq_copy_ruby_string(public_key, &public_key_len);
+    uint8_t *sig_copy = pq_copy_ruby_string(signature, &signature_len);
+
+    call.mu = mu_copy;
+    call.public_key = pk_copy;
+    call.signature = sig_copy;
+    call.signature_len = signature_len;
+
+    rb_nogvl(pq_verify_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    pq_wipe_and_free(mu_copy, mu_len);
+    pq_free_buffer(pk_copy);
+    pq_free_buffer(sig_copy);
+
+    if (call.result == PQ_SUCCESS) {
+        return Qtrue;
+    }
+    if (call.result == PQ_ERROR_VERIFY) {
+        return Qfalse;
+    }
+    pq_raise_general_error(call.result);
+}
+
 static void define_constants(void) {
     rb_define_const(mPQCrypto, "ML_KEM_PUBLIC_KEY_BYTES", INT2NUM(PQ_MLKEM_PUBLICKEYBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_SECRET_KEY_BYTES", INT2NUM(PQ_MLKEM_SECRETKEYBYTES));
@@ -830,6 +1114,22 @@ void Init_pqcrypto_secure(void) {
                               pqcrypto_secret_key_from_pqc_container_der, 1);
     rb_define_module_function(mPQCrypto, "secret_key_from_pqc_container_pem",
                               pqcrypto_secret_key_from_pqc_container_pem, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_extract_tr",
+                              pqcrypto__native_mldsa_extract_tr, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_compute_tr",
+                              pqcrypto__native_mldsa_compute_tr, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_new",
+                              pqcrypto__native_mldsa_mu_builder_new, 2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_update",
+                              pqcrypto__native_mldsa_mu_builder_update, 2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_finalize",
+                              pqcrypto__native_mldsa_mu_builder_finalize, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_release",
+                              pqcrypto__native_mldsa_mu_builder_release, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_sign_mu", pqcrypto__native_mldsa_sign_mu,
+                              2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_verify_mu",
+                              pqcrypto__native_mldsa_verify_mu, 3);
 
     define_constants();
 }