pq_crypto 0.3.1 → 0.4.2

data/lib/pq_crypto/signature.rb

@@ -6,22 +6,33 @@ module PQCrypto
   module Signature
     CANONICAL_ALGORITHM = :ml_dsa_65
 
-    DETAILS = {
-      CANONICAL_ALGORITHM => {
-        name: CANONICAL_ALGORITHM,
-        family: Serialization.algorithm_to_family(CANONICAL_ALGORITHM),
-        oid: Serialization.algorithm_to_oid(CANONICAL_ALGORITHM),
-        public_key_bytes: SIGN_PUBLIC_KEY_BYTES,
-        secret_key_bytes: SIGN_SECRET_KEY_BYTES,
-        signature_bytes: SIGN_BYTES,
-        description: "ML-DSA-65 signature primitive (FIPS 204).",
+    DETAILS = AlgorithmRegistry.details_for_family(:ml_dsa).freeze
+
+    NATIVE_DISPATCH = {
+      ml_dsa_44: {
+        keypair: :native_ml_dsa_44_keypair,
+        sign: :native_ml_dsa_44_sign,
+        verify: :native_ml_dsa_44_verify,
+        keypair_from_seed: :native_ml_dsa_44_keypair_from_seed,
+      }.freeze,
+      ml_dsa_65: {
+        keypair: :native_sign_keypair,
+        sign: :native_sign,
+        verify: :native_verify,
+        keypair_from_seed: :native_ml_dsa_keypair_from_seed,
+      }.freeze,
+      ml_dsa_87: {
+        keypair: :native_ml_dsa_87_keypair,
+        sign: :native_ml_dsa_87_sign,
+        verify: :native_ml_dsa_87_verify,
+        keypair_from_seed: :native_ml_dsa_87_keypair_from_seed,
       }.freeze,
     }.freeze
 
     class << self
       def generate(algorithm = CANONICAL_ALGORITHM)
-        resolve_algorithm!(algorithm)
-        public_key, secret_key = PQCrypto.__send__(:native_sign_keypair)
+        algorithm = resolve_algorithm!(algorithm)
+        public_key, secret_key = PQCrypto.__send__(native_method_for(algorithm, :keypair))
         Keypair.new(PublicKey.new(algorithm, public_key), SecretKey.new(algorithm, secret_key))
       end
 
@@ -59,6 +70,26 @@ module PQCrypto
         SecretKey.new(resolved_algorithm, bytes)
       end
 
+      def public_key_from_spki_der(der, algorithm: nil)
+        resolved_algorithm, bytes = SPKI.decode_der(der)
+        validate_algorithm_match!(algorithm, resolved_algorithm) if algorithm
+        PublicKey.new(resolve_algorithm!(resolved_algorithm), bytes)
+      end
+
+      def public_key_from_spki_pem(pem, algorithm: nil)
+        resolved_algorithm, bytes = SPKI.decode_pem(pem)
+        validate_algorithm_match!(algorithm, resolved_algorithm) if algorithm
+        PublicKey.new(resolve_algorithm!(resolved_algorithm), bytes)
+      end
+
+      def secret_key_from_pkcs8_der(der)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_der(der))
+      end
+
+      def secret_key_from_pkcs8_pem(pem)
+        secret_key_from_decoded_pkcs8(*PKCS8.decode_pem(pem))
+      end
+
       def details(algorithm)
         DETAILS.fetch(resolve_algorithm!(algorithm)).dup
       end
@@ -74,6 +105,138 @@ module PQCrypto
 
         raise UnsupportedAlgorithmError, "Unsupported signature algorithm: #{algorithm.inspect}"
       end
+
+      def secret_key_from_decoded_pkcs8(algorithm, format, material)
+        algorithm = resolve_algorithm!(algorithm)
+
+        case format
+        when :expanded
+          SecretKey.new(algorithm, material)
+        when :seed
+          _public_key, expanded = PQCrypto.__send__(native_method_for(algorithm, :keypair_from_seed), material)
+          SecretKey.new(algorithm, expanded)
+        when :both
+          _seed, expanded = material
+          SecretKey.new(algorithm, expanded)
+        else
+          raise SerializationError, "Unsupported ML-DSA PKCS#8 private key format: #{format.inspect}"
+        end
+      rescue ArgumentError => e
+        raise InvalidKeyError, e.message
+      end
+
+      def native_method_for(algorithm, operation)
+        NATIVE_DISPATCH.fetch(resolve_algorithm!(algorithm)).fetch(operation)
+      end
+
+      def validate_algorithm_match!(expected_algorithm, actual_algorithm)
+        expected = resolve_algorithm!(expected_algorithm)
+        return if expected == actual_algorithm
+
+        raise SerializationError,
+              "Expected #{expected.inspect}, got #{actual_algorithm.inspect} (SPKI key algorithm mismatch)"
+      rescue UnsupportedAlgorithmError => e
+        raise SerializationError, e.message
+      end
+
+      def _streaming_sign(secret_key, io, chunk_size, context)
+        validate_streaming_algorithm!(secret_key.algorithm)
+        validate_chunk_size!(chunk_size)
+        context = validate_context!(context)
+        validate_io!(io)
+
+        sk_bytes = secret_key.__send__(:bytes_for_native)
+        begin
+          tr = PQCrypto.__send__(:_native_mldsa_extract_tr, sk_bytes)
+        rescue ArgumentError => e
+          raise InvalidKeyError, e.message
+        end
+
+        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
+        builder_consumed = false
+        mu = nil
+        begin
+          _drain_io_into_builder(io, builder, chunk_size)
+          mu = PQCrypto.__send__(:_native_mldsa_mu_builder_finalize, builder)
+          builder_consumed = true
+          PQCrypto.__send__(:_native_mldsa_sign_mu, mu, sk_bytes)
+        ensure
+          PQCrypto.__send__(:_native_mldsa_mu_builder_release, builder) unless builder_consumed
+          PQCrypto.secure_wipe(tr) if tr && !tr.frozen?
+          PQCrypto.secure_wipe(mu) if mu && !mu.frozen?
+        end
+      end
+
+      def _streaming_verify(public_key, io, signature, chunk_size, context)
+        validate_streaming_algorithm!(public_key.algorithm)
+        validate_chunk_size!(chunk_size)
+        context = validate_context!(context)
+        validate_io!(io)
+
+        pk_bytes = public_key.__send__(:bytes_for_native)
+        begin
+          tr = PQCrypto.__send__(:_native_mldsa_compute_tr, pk_bytes)
+        rescue ArgumentError => e
+          raise InvalidKeyError, e.message
+        end
+
+        builder = PQCrypto.__send__(:_native_mldsa_mu_builder_new, tr, context)
+        builder_consumed = false
+        mu = nil
+        sig_bytes = String(signature).b
+        begin
+          _drain_io_into_builder(io, builder, chunk_size)
+          mu = PQCrypto.__send__(:_native_mldsa_mu_builder_finalize, builder)
+          builder_consumed = true
+          PQCrypto.__send__(:_native_mldsa_verify_mu, mu, sig_bytes, pk_bytes)
+        ensure
+          PQCrypto.__send__(:_native_mldsa_mu_builder_release, builder) unless builder_consumed
+
+          PQCrypto.secure_wipe(tr) if tr && !tr.frozen?
+          PQCrypto.secure_wipe(mu) if mu && !mu.frozen?
+        end
+      end
+
+      def _drain_io_into_builder(io, builder, chunk_size)
+        buffer = String.new(capacity: chunk_size).b
+        loop do
+          result = io.read(chunk_size, buffer)
+          break if result.nil?
+
+          chunk = result.equal?(buffer) ? buffer : result
+          chunk_bytes = chunk.encoding == Encoding::BINARY ? chunk : chunk.b
+          break if chunk_bytes.bytesize.zero?
+
+          PQCrypto.__send__(:_native_mldsa_mu_builder_update, builder, chunk_bytes)
+        end
+      end
+
+      def validate_io!(io)
+        unless io.respond_to?(:read)
+          raise ArgumentError, "io must respond to #read"
+        end
+      end
+
+      def validate_chunk_size!(chunk_size)
+        unless chunk_size.is_a?(Integer) && chunk_size > 0
+          raise ArgumentError, "chunk_size must be a positive Integer"
+        end
+      end
+
+      def validate_context!(context)
+        ctx = String(context).b
+        if ctx.bytesize > 255
+          raise ArgumentError, "context must be at most 255 bytes (FIPS 204)"
+        end
+        ctx
+      end
+
+      def validate_streaming_algorithm!(algorithm)
+        return if resolve_algorithm!(algorithm) == CANONICAL_ALGORITHM
+
+        raise UnsupportedAlgorithmError,
+              "Streaming sign_io/verify_io currently supports only #{CANONICAL_ALGORITHM.inspect}"
+      end
     end
 
     class Keypair
@@ -114,8 +277,16 @@ module PQCrypto
         Serialization.public_key_to_pqc_container_pem(@algorithm, @bytes)
       end
 
+      def to_spki_der
+        SPKI.encode_der(@algorithm, @bytes)
+      end
+
+      def to_spki_pem
+        SPKI.encode_pem(@algorithm, @bytes)
+      end
+
       def verify(message, signature)
-        PQCrypto.__send__(:native_verify, String(message).b, String(signature).b, @bytes)
+        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :verify), String(message).b, String(signature).b, @bytes)
       rescue ArgumentError => e
         raise InvalidKeyError, e.message
       end
@@ -125,6 +296,17 @@ module PQCrypto
         true
       end
 
+      def verify_io(io, signature, chunk_size: 1 << 20, context: "".b)
+        Signature.send(:_streaming_verify, self, io, signature, chunk_size, context)
+      end
+
+      def verify_io!(io, signature, chunk_size: 1 << 20, context: "".b)
+        unless verify_io(io, signature, chunk_size: chunk_size, context: context)
+          raise PQCrypto::VerificationError, "Verification failed"
+        end
+        true
+      end
+
       def ==(other)
         return false unless other.is_a?(PublicKey) && other.algorithm == algorithm
         PQCrypto.__send__(:native_ct_equals, other.to_bytes, @bytes)
@@ -142,6 +324,10 @@ module PQCrypto
 
       private
 
+      def bytes_for_native
+        @bytes
+      end
+
       def validate_length!
         expected = Signature.details(@algorithm).fetch(:public_key_bytes)
         raise InvalidKeyError, "Invalid signature public key length" unless @bytes.bytesize == expected
@@ -169,12 +355,40 @@ module PQCrypto
         Serialization.secret_key_to_pqc_container_pem(@algorithm, @bytes)
       end
 
+      def to_pkcs8_der(format: :expanded)
+        case format
+        when :expanded
+          PKCS8.encode_der(@algorithm, @bytes, format: :expanded)
+        when :seed, :both
+          raise SerializationError,
+                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
+
+      def to_pkcs8_pem(format: :expanded)
+        case format
+        when :expanded
+          PKCS8.encode_pem(@algorithm, @bytes, format: :expanded)
+        when :seed, :both
+          raise SerializationError,
+                "ML-DSA seed/both PKCS#8 export requires original seed material; use PQCrypto::PKCS8.encode_der/encode_pem directly"
+        else
+          raise SerializationError, "Unsupported PKCS#8 private key format: #{format.inspect}"
+        end
+      end
+
       def sign(message)
-        PQCrypto.__send__(:native_sign, String(message).b, @bytes)
+        PQCrypto.__send__(Signature.send(:native_method_for, @algorithm, :sign), String(message).b, @bytes)
       rescue ArgumentError => e
         raise InvalidKeyError, e.message
       end
 
+      def sign_io(io, chunk_size: 1 << 20, context: "".b)
+        Signature.send(:_streaming_sign, self, io, chunk_size, context)
+      end
+
       def wipe!
         PQCrypto.secure_wipe(@bytes)
         self
@@ -197,6 +411,10 @@ module PQCrypto
 
       private
 
+      def bytes_for_native
+        @bytes
+      end
+
       def validate_length!
         expected = Signature.details(@algorithm).fetch(:secret_key_bytes)
         raise InvalidKeyError, "Invalid signature secret key length" unless @bytes.bytesize == expected

data/lib/pq_crypto/spki.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module PQCrypto
+  module SPKI
+    PEM_LABEL = "PUBLIC KEY"
+    PEM_BEGIN = "-----BEGIN #{PEM_LABEL}-----"
+    PEM_END = "-----END #{PEM_LABEL}-----"
+
+    class << self
+      def encode_der(algorithm_symbol, public_key_bytes)
+        entry = AlgorithmRegistry.fetch(algorithm_symbol)
+        validate_public_key_algorithm!(algorithm_symbol, entry)
+
+        bytes = String(public_key_bytes).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm_symbol.inspect} public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::ObjectId.new(AlgorithmRegistry.standard_oid(algorithm_symbol)),
+          ]),
+          OpenSSL::ASN1::BitString.new(bytes),
+        ]).to_der.b
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+
+      def encode_pem(algorithm_symbol, public_key_bytes)
+        der = encode_der(algorithm_symbol, public_key_bytes)
+        body = encode_base64(der).scan(/.{1,64}/).join("\n")
+        "#{PEM_BEGIN}\n#{body}\n#{PEM_END}\n"
+      end
+
+      def decode_der(der)
+        input = String(der).b
+        outer = decode_asn1(input)
+        raise SerializationError, "SPKI DER contains trailing data" unless outer.to_der.b == input
+        raise SerializationError, "SPKI must be an ASN.1 SEQUENCE" unless outer.is_a?(OpenSSL::ASN1::Sequence)
+        raise SerializationError, "SPKI SEQUENCE must contain exactly 2 elements" unless outer.value.size == 2
+
+        algorithm_identifier, subject_public_key = outer.value
+        algorithm = decode_algorithm_identifier(algorithm_identifier)
+        entry = AlgorithmRegistry.fetch(algorithm)
+        validate_public_key_algorithm!(algorithm, entry)
+
+        unless subject_public_key.is_a?(OpenSSL::ASN1::BitString)
+          raise SerializationError, "SPKI subjectPublicKey must be a BIT STRING"
+        end
+        unless subject_public_key.unused_bits.zero?
+          raise SerializationError, "SPKI subjectPublicKey must have zero unused bits"
+        end
+
+        bytes = String(subject_public_key.value).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm.inspect} SPKI public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+
+        [algorithm, bytes]
+      end
+
+      def decode_pem(pem)
+        der = der_from_pem(pem)
+        decode_der(der)
+      end
+
+      private
+
+      def decode_asn1(der)
+        OpenSSL::ASN1.decode(der)
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+
+      def decode_algorithm_identifier(value)
+        unless value.is_a?(OpenSSL::ASN1::Sequence)
+          raise SerializationError, "SPKI algorithm must be an AlgorithmIdentifier SEQUENCE"
+        end
+        unless value.value.size == 1
+          raise SerializationError, "SPKI AlgorithmIdentifier parameters must be absent"
+        end
+
+        oid = value.value.first
+        raise SerializationError, "SPKI AlgorithmIdentifier must contain an OBJECT IDENTIFIER" unless oid.is_a?(OpenSSL::ASN1::ObjectId)
+
+        algorithm = AlgorithmRegistry.by_standard_oid(oid.oid)
+        raise SerializationError, "Unsupported SPKI algorithm OID: #{oid.oid}" if algorithm.nil?
+
+        algorithm
+      end
+
+      def validate_public_key_algorithm!(algorithm_symbol, entry)
+        return if %i[ml_kem ml_dsa].include?(entry.fetch(:family))
+
+        raise SerializationError, "SPKI public key codec is not supported for #{algorithm_symbol.inspect}"
+      end
+
+      def encode_base64(bytes)
+        [String(bytes).b].pack("m0")
+      end
+
+      def decode_base64(body)
+        compact = body.gsub(/[\r\n]/, "")
+        unless compact.match?(/\A(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?\z/)
+          raise SerializationError, "Invalid SPKI PEM: invalid base64"
+        end
+
+        compact.unpack1("m0").b
+      rescue ArgumentError => e
+        raise SerializationError, e.message
+      end
+
+      def der_from_pem(pem)
+        text = String(pem)
+        match = text.match(/\A#{Regexp.escape(PEM_BEGIN)}\r?\n(?<body>[A-Za-z0-9+\/=\r\n]+)\r?\n#{Regexp.escape(PEM_END)}[ \t\r\n]*\z/)
+        raise SerializationError, "Invalid SPKI PEM: expected #{PEM_LABEL.inspect} label" unless match
+
+        body = match[:body]
+        raise SerializationError, "Invalid SPKI PEM: embedded NUL in body" if body.include?("\0")
+
+        decode_base64(body)
+      end
+    end
+  end
+end

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.3.1"
+  VERSION = "0.4.2"
 end

data/lib/pq_crypto.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
-require "rbconfig"
-require_relative "pq_crypto/version"
-require_relative "pq_crypto/errors"
-
 begin
-  require "pqcrypto/pqcrypto_secure"
+  require "pqcrypto/pqcrypto_secure" # native extension first
 rescue LoadError => original_error
+  require "rbconfig"
+
   ext_dir = File.expand_path("pqcrypto", __dir__)
   extensions = [".#{RbConfig::CONFIG.fetch('DLEXT')}", ".bundle", ".so"].uniq
   search_dirs = [ext_dir, File.join(ext_dir, "pqcrypto")].uniq
@@ -30,13 +28,21 @@ rescue LoadError => original_error
   raise original_error unless loaded
 end
 
+require_relative "pq_crypto/errors"
+require_relative "pq_crypto/version"
+require_relative "pq_crypto/algorithm_registry"
 require_relative "pq_crypto/serialization"
+require_relative "pq_crypto/spki"
+require_relative "pq_crypto/pkcs8"
+require_relative "pq_crypto/kem"
+require_relative "pq_crypto/signature"
+require_relative "pq_crypto/hybrid_kem"
 
 module PQCrypto
   SUITES = {
-    kem: [:ml_kem_768].freeze,
-    hybrid_kem: [:ml_kem_768_x25519_xwing].freeze,
-    signature: [:ml_dsa_65].freeze,
+    kem: AlgorithmRegistry.supported_kems,
+    hybrid_kem: AlgorithmRegistry.supported_hybrid_kems,
+    signature: AlgorithmRegistry.supported_signatures,
   }.freeze
 
   NATIVE_EXTENSION_LOADED = true
@@ -44,14 +50,32 @@ module PQCrypto
   module NativeBindings
     NATIVE_METHODS = %i[
       ml_kem_keypair
+      ml_kem_keypair_from_seed
       ml_kem_encapsulate
       ml_kem_decapsulate
+      ml_kem_512_keypair
+      ml_kem_512_keypair_from_seed
+      ml_kem_512_encapsulate
+      ml_kem_512_decapsulate
+      ml_kem_1024_keypair
+      ml_kem_1024_keypair_from_seed
+      ml_kem_1024_encapsulate
+      ml_kem_1024_decapsulate
       hybrid_kem_keypair
       hybrid_kem_encapsulate
       hybrid_kem_decapsulate
       sign_keypair
       sign
       verify
+      ml_dsa_44_keypair
+      ml_dsa_44_keypair_from_seed
+      ml_dsa_keypair_from_seed
+      ml_dsa_44_sign
+      ml_dsa_44_verify
+      ml_dsa_87_keypair
+      ml_dsa_87_keypair_from_seed
+      ml_dsa_87_sign
+      ml_dsa_87_verify
       ct_equals
       secure_wipe
       version
@@ -65,8 +89,25 @@ module PQCrypto
       secret_key_from_pqc_container_pem
       __test_ml_kem_keypair_from_seed
       __test_ml_kem_encapsulate_from_seed
+      __test_ml_kem_512_encapsulate_from_seed
+      __test_ml_kem_1024_encapsulate_from_seed
       __test_sign_keypair_from_seed
+      __test_ml_dsa_44_keypair_from_seed
+      __test_ml_dsa_87_keypair_from_seed
       __test_sign_from_seed
+      __test_ml_dsa_44_sign_from_seed
+      __test_ml_dsa_87_sign_from_seed
+    ].freeze
+
+    EXTERNAL_MU_METHODS = %i[
+      _native_mldsa_extract_tr
+      _native_mldsa_compute_tr
+      _native_mldsa_mu_builder_new
+      _native_mldsa_mu_builder_update
+      _native_mldsa_mu_builder_finalize
+      _native_mldsa_mu_builder_release
+      _native_mldsa_sign_mu
+      _native_mldsa_verify_mu
     ].freeze
 
     class << PQCrypto
@@ -78,6 +119,7 @@ module PQCrypto
 
       private(*NativeBindings::NATIVE_METHODS)
       private(*NativeBindings::NATIVE_METHODS.map { |n| :"native_#{n.to_s.sub(/\A__/, '')}" })
+      private(*NativeBindings::EXTERNAL_MU_METHODS)
     end
   end
 
@@ -115,32 +157,61 @@ module PQCrypto
   end
 
   module Testing
-    def self.ml_kem_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_ml_kem_keypair_from_seed, String(seed).b)
+    KEM_KEYPAIR_METHODS = {
+      ml_kem_512: :native_ml_kem_512_keypair_from_seed,
+      ml_kem_768: :native_ml_kem_keypair_from_seed,
+      ml_kem_1024: :native_ml_kem_1024_keypair_from_seed,
+    }.freeze
+
+    KEM_ENCAPSULATE_METHODS = {
+      ml_kem_512: :native_test_ml_kem_512_encapsulate_from_seed,
+      ml_kem_768: :native_test_ml_kem_encapsulate_from_seed,
+      ml_kem_1024: :native_test_ml_kem_1024_encapsulate_from_seed,
+    }.freeze
+
+    MLDSA_KEYPAIR_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_keypair_from_seed,
+      ml_dsa_65: :native_test_sign_keypair_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_keypair_from_seed,
+    }.freeze
+
+    MLDSA_SIGN_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_sign_from_seed,
+      ml_dsa_65: :native_test_sign_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_sign_from_seed,
+    }.freeze
+
+    def self.ml_kem_keypair_from_seed(seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_kem_encapsulate_from_seed(public_key, seed)
-      PQCrypto.__send__(:native_test_ml_kem_encapsulate_from_seed, String(public_key).b, String(seed).b)
+    def self.ml_kem_encapsulate_from_seed(public_key, seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_ENCAPSULATE_METHODS.fetch(algorithm), String(public_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_dsa_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_sign_keypair_from_seed, String(seed).b)
+    def self.ml_dsa_keypair_from_seed(seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_dsa_sign_from_seed(message, secret_key, seed)
-      PQCrypto.__send__(:native_test_sign_from_seed, String(message).b, String(secret_key).b, String(seed).b)
+    def self.ml_dsa_sign_from_seed(message, secret_key, seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_SIGN_METHODS.fetch(algorithm), String(message).b, String(secret_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
   end
 end
 
-require_relative "pq_crypto/kem"
-require_relative "pq_crypto/hybrid_kem"
-require_relative "pq_crypto/signature"

data/script/vendor_libs.rb

@@ -19,8 +19,12 @@ DEFAULT_PQCLEAN = {
 }.freeze
 
 KEEP_DIRS = %w[
+  crypto_kem/ml-kem-512/clean
   crypto_kem/ml-kem-768/clean
+  crypto_kem/ml-kem-1024/clean
+  crypto_sign/ml-dsa-44/clean
   crypto_sign/ml-dsa-65/clean
+  crypto_sign/ml-dsa-87/clean
   common
 ].freeze