RubyGems - pq_crypto - Versions diffs - 0.3.1 → 0.4.2 - Mend

pq_crypto 0.3.1 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (117) hide show

data/ext/pqcrypto/pqcrypto_ruby_secure.c CHANGED Viewed

@@ -70,6 +70,12 @@ static VALUE ePQCryptoVerificationError;
 __attribute__((noreturn)) static void pq_raise_general_error(int err);
+static const char *const PQC_CONTAINER_ALGORITHMS[] = {
+    "ml_kem_768",
+    "ml_kem_768_x25519_xwing",
+    "ml_dsa_65",
+};
 static const char *pq_algorithm_symbol_to_cstr(VALUE algorithm) {
     ID id;
     if (SYMBOL_P(algorithm)) {
@@ -78,42 +84,64 @@ static const char *pq_algorithm_symbol_to_cstr(VALUE algorithm) {
         VALUE str = StringValue(algorithm);
         id = rb_intern_str(str);
     }
-    if (id == rb_intern("ml_kem_768"))
-        return "ml_kem_768";
-    if (id == rb_intern("ml_kem_768_x25519_xwing"))
-        return "ml_kem_768_x25519_xwing";
-    if (id == rb_intern("ml_dsa_65"))
-        return "ml_dsa_65";
+    for (size_t i = 0; i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]);
+         ++i) {
+        if (id == rb_intern(PQC_CONTAINER_ALGORITHMS[i])) {
+            return PQC_CONTAINER_ALGORITHMS[i];
+        }
+    }
     rb_raise(rb_eArgError, "Unsupported serialization algorithm");
 }
 static VALUE pq_algorithm_cstr_to_symbol(const char *algorithm) {
-    if (strcmp(algorithm, "ml_kem_768") == 0)
-        return ID2SYM(rb_intern("ml_kem_768"));
-    if (strcmp(algorithm, "ml_kem_768_x25519_xwing") == 0)
-        return ID2SYM(rb_intern("ml_kem_768_x25519_xwing"));
-    if (strcmp(algorithm, "ml_dsa_65") == 0)
-        return ID2SYM(rb_intern("ml_dsa_65"));
+    for (size_t i = 0; i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]);
+         ++i) {
+        if (strcmp(algorithm, PQC_CONTAINER_ALGORITHMS[i]) == 0) {
+            return ID2SYM(rb_intern(PQC_CONTAINER_ALGORITHMS[i]));
+        }
+    }
     rb_raise(rb_eArgError, "Unsupported serialization algorithm");
 }
-static void *pq_ml_kem_keypair_nogvl(void *arg) {
-    kem_keypair_call_t *call = (kem_keypair_call_t *)arg;
-    call->result = pq_mlkem_keypair(call->public_key, call->secret_key);
-    return NULL;
-}
+#define PQ_KEM_KEYPAIR_NOGVL_VARIANTS(X) \
+    X(ml_kem, mlkem)                     \
+    X(ml_kem_512, mlkem512)              \
+    X(ml_kem_1024, mlkem1024)
+#define PQ_DEFINE_KEM_KEYPAIR_NOGVL(rb_name, c_name)                                         \
+    static void *pq_##rb_name##_keypair_nogvl(void *arg) {                                   \
+        kem_keypair_call_t *call = (kem_keypair_call_t *)arg;                                \
+        call->result = pq_##c_name##_keypair(call->public_key, call->secret_key);            \
+        return NULL;                                                                         \
+    }                                                                                        \
+    static void *pq_##rb_name##_keypair_from_seed_nogvl(void *arg) {                         \
+        kem_keypair_call_t *call = (kem_keypair_call_t *)arg;                                \
+        call->result =                                                                       \
+            pq_##c_name##_keypair_from_seed(call->public_key, call->secret_key, call->seed); \
+        return NULL;                                                                         \
+    }
-static void *pq_ml_kem_encapsulate_nogvl(void *arg) {
-    kem_encapsulate_call_t *call = (kem_encapsulate_call_t *)arg;
-    call->result = pq_mlkem_encapsulate(call->ciphertext, call->shared_secret, call->public_key);
-    return NULL;
-}
+PQ_KEM_KEYPAIR_NOGVL_VARIANTS(PQ_DEFINE_KEM_KEYPAIR_NOGVL)
+#undef PQ_DEFINE_KEM_KEYPAIR_NOGVL
+#define PQ_DEFINE_KEM_ENCAP_DECAP_NOGVL(rb_name, c_name)                                        \
+    static void *pq_##rb_name##_encapsulate_nogvl(void *arg) {                                  \
+        kem_encapsulate_call_t *call = (kem_encapsulate_call_t *)arg;                           \
+        call->result =                                                                          \
+            pq_##c_name##_encapsulate(call->ciphertext, call->shared_secret, call->public_key); \
+        return NULL;                                                                            \
+    }                                                                                           \
+    static void *pq_##rb_name##_decapsulate_nogvl(void *arg) {                                  \
+        kem_decapsulate_call_t *call = (kem_decapsulate_call_t *)arg;                           \
+        call->result =                                                                          \
+            pq_##c_name##_decapsulate(call->shared_secret, call->ciphertext, call->secret_key); \
+        return NULL;                                                                            \
+    }
-static void *pq_ml_kem_decapsulate_nogvl(void *arg) {
-    kem_decapsulate_call_t *call = (kem_decapsulate_call_t *)arg;
-    call->result = pq_mlkem_decapsulate(call->shared_secret, call->ciphertext, call->secret_key);
-    return NULL;
-}
+PQ_KEM_KEYPAIR_NOGVL_VARIANTS(PQ_DEFINE_KEM_ENCAP_DECAP_NOGVL)
+#undef PQ_DEFINE_KEM_ENCAP_DECAP_NOGVL
 static void *pq_testing_ml_kem_keypair_nogvl(void *arg) {
     kem_keypair_call_t *call = (kem_keypair_call_t *)arg;
@@ -122,12 +150,17 @@ static void *pq_testing_ml_kem_keypair_nogvl(void *arg) {
     return NULL;
 }
-static void *pq_testing_ml_kem_encapsulate_nogvl(void *arg) {
-    kem_encapsulate_call_t *call = (kem_encapsulate_call_t *)arg;
-    call->result = pq_testing_mlkem_encapsulate_from_seed(
-        call->ciphertext, call->shared_secret, call->public_key, call->seed, call->seed_len);
-    return NULL;
-}
+#define PQ_DEFINE_KEM_TESTING_ENCAP_NOGVL(rb_name, c_name)                                        \
+    static void *pq_testing_##rb_name##_encapsulate_nogvl(void *arg) {                            \
+        kem_encapsulate_call_t *call = (kem_encapsulate_call_t *)arg;                             \
+        call->result = pq_testing_##c_name##_encapsulate_from_seed(                               \
+            call->ciphertext, call->shared_secret, call->public_key, call->seed, call->seed_len); \
+        return NULL;                                                                              \
+    }
+PQ_KEM_KEYPAIR_NOGVL_VARIANTS(PQ_DEFINE_KEM_TESTING_ENCAP_NOGVL)
+#undef PQ_DEFINE_KEM_TESTING_ENCAP_NOGVL
 static void *pq_hybrid_kem_keypair_nogvl(void *arg) {
     kem_keypair_call_t *call = (kem_keypair_call_t *)arg;
@@ -149,18 +182,45 @@ static void *pq_hybrid_kem_decapsulate_nogvl(void *arg) {
     return NULL;
 }
-static void *pq_sign_keypair_nogvl(void *arg) {
-    sign_keypair_call_t *call = (sign_keypair_call_t *)arg;
-    call->result = pq_sign_keypair(call->public_key, call->secret_key);
-    return NULL;
-}
+#define PQ_DEFINE_SIGN_KEYPAIR_NOGVL(rb_name, c_call)              \
+    static void *pq_##rb_name##_nogvl(void *arg) {                 \
+        sign_keypair_call_t *call = (sign_keypair_call_t *)arg;    \
+        call->result = c_call(call->public_key, call->secret_key); \
+        return NULL;                                               \
+    }
-static void *pq_sign_nogvl(void *arg) {
-    sign_call_t *call = (sign_call_t *)arg;
-    call->result = pq_sign(call->signature, &call->signature_len, call->message, call->message_len,
-                           call->secret_key);
-    return NULL;
-}
+PQ_DEFINE_SIGN_KEYPAIR_NOGVL(sign_keypair, pq_sign_keypair)
+PQ_DEFINE_SIGN_KEYPAIR_NOGVL(mldsa_44_sign_keypair, pq_mldsa44_sign_keypair)
+PQ_DEFINE_SIGN_KEYPAIR_NOGVL(mldsa_87_sign_keypair, pq_mldsa87_sign_keypair)
+#undef PQ_DEFINE_SIGN_KEYPAIR_NOGVL
+#define PQ_DEFINE_SIGN_KEYPAIR_FROM_SEED_NOGVL(rb_name, c_call)                \
+    static void *pq_##rb_name##_nogvl(void *arg) {                             \
+        sign_keypair_call_t *call = (sign_keypair_call_t *)arg;                \
+        call->result = c_call(call->public_key, call->secret_key, call->seed); \
+        return NULL;                                                           \
+    }
+PQ_DEFINE_SIGN_KEYPAIR_FROM_SEED_NOGVL(mldsa_44_keypair_from_seed, pq_mldsa44_keypair_from_seed)
+PQ_DEFINE_SIGN_KEYPAIR_FROM_SEED_NOGVL(mldsa_keypair_from_seed, pq_mldsa_keypair_from_seed)
+PQ_DEFINE_SIGN_KEYPAIR_FROM_SEED_NOGVL(mldsa_87_keypair_from_seed, pq_mldsa87_keypair_from_seed)
+#undef PQ_DEFINE_SIGN_KEYPAIR_FROM_SEED_NOGVL
+#define PQ_DEFINE_SIGN_NOGVL(rb_name, c_call)                                       \
+    static void *pq_##rb_name##_nogvl(void *arg) {                                  \
+        sign_call_t *call = (sign_call_t *)arg;                                     \
+        call->result = c_call(call->signature, &call->signature_len, call->message, \
+                              call->message_len, call->secret_key);                 \
+        return NULL;                                                                \
+    }
+PQ_DEFINE_SIGN_NOGVL(sign, pq_sign)
+PQ_DEFINE_SIGN_NOGVL(mldsa_44_sign, pq_mldsa44_sign)
+PQ_DEFINE_SIGN_NOGVL(mldsa_87_sign, pq_mldsa87_sign)
+#undef PQ_DEFINE_SIGN_NOGVL
 static void *pq_testing_sign_keypair_nogvl(void *arg) {
     sign_keypair_call_t *call = (sign_keypair_call_t *)arg;
@@ -177,12 +237,43 @@ static void *pq_testing_sign_nogvl(void *arg) {
     return NULL;
 }
-static void *pq_verify_nogvl(void *arg) {
-    verify_call_t *call = (verify_call_t *)arg;
-    call->result = pq_verify(call->signature, call->signature_len, call->message, call->message_len,
-                             call->public_key);
-    return NULL;
-}
+#define PQ_DEFINE_TESTING_KEYPAIR_FROM_SEED(rb_name, c_call)                                   \
+    static void *pq_testing_##rb_name##_keypair_nogvl(void *arg) {                             \
+        sign_keypair_call_t *call = (sign_keypair_call_t *)arg;                                \
+        call->result = c_call(call->public_key, call->secret_key, call->seed, call->seed_len); \
+        return NULL;                                                                           \
+    }
+#define PQ_DEFINE_TESTING_SIGN_FROM_SEED(rb_name, c_call)                                       \
+    static void *pq_testing_##rb_name##_sign_nogvl(void *arg) {                                 \
+        sign_call_t *call = (sign_call_t *)arg;                                                 \
+        call->result = c_call(call->signature, &call->signature_len, call->message,             \
+                              call->message_len, call->secret_key, call->seed, call->seed_len); \
+        return NULL;                                                                            \
+    }
+PQ_DEFINE_TESTING_KEYPAIR_FROM_SEED(mldsa_44, pq_testing_mldsa44_keypair_from_seed)
+PQ_DEFINE_TESTING_KEYPAIR_FROM_SEED(mldsa_87, pq_testing_mldsa87_keypair_from_seed)
+PQ_DEFINE_TESTING_SIGN_FROM_SEED(mldsa_44, pq_testing_mldsa44_sign_from_seed)
+PQ_DEFINE_TESTING_SIGN_FROM_SEED(mldsa_87, pq_testing_mldsa87_sign_from_seed)
+#undef PQ_DEFINE_TESTING_KEYPAIR_FROM_SEED
+#undef PQ_DEFINE_TESTING_SIGN_FROM_SEED
+#define PQ_DEFINE_VERIFY_NOGVL(rb_name, c_call)                                    \
+    static void *pq_##rb_name##_nogvl(void *arg) {                                 \
+        verify_call_t *call = (verify_call_t *)arg;                                \
+        call->result = c_call(call->signature, call->signature_len, call->message, \
+                              call->message_len, call->public_key);                \
+        return NULL;                                                               \
+    }
+PQ_DEFINE_VERIFY_NOGVL(verify, pq_verify)
+PQ_DEFINE_VERIFY_NOGVL(mldsa_44_verify, pq_mldsa44_verify)
+PQ_DEFINE_VERIFY_NOGVL(mldsa_87_verify, pq_mldsa87_verify)
+#undef PQ_DEFINE_VERIFY_NOGVL
 static uint8_t *pq_alloc_buffer(size_t len) {
     if (len == 0) {
@@ -223,6 +314,10 @@ static void pq_wipe_and_free(uint8_t *buffer, size_t len) {
     }
 }
+static void pq_free_buffer(uint8_t *buffer) {
+    free(buffer);
+}
 static void pq_validate_bytes_argument(VALUE value, size_t expected_len, const char *what) {
     StringValue(value);
     if ((size_t)RSTRING_LEN(value) != expected_len) {
@@ -465,24 +560,73 @@ __attribute__((noreturn)) static void pq_raise_general_error(int err) {
     }
 }
-static VALUE pqcrypto_ml_kem_keypair(VALUE self) {
-    (void)self;
-    return pq_run_kem_keypair(pq_ml_kem_keypair_nogvl, PQ_MLKEM_PUBLICKEYBYTES,
-                              PQ_MLKEM_SECRETKEYBYTES);
-}
+static VALUE pq_run_kem_keypair_from_seed(void *(*nogvl)(void *), VALUE seed, size_t public_key_len,
+                                          size_t secret_key_len) {
+    StringValue(seed);
-static VALUE pqcrypto_ml_kem_encapsulate(VALUE self, VALUE public_key) {
-    (void)self;
-    return pq_run_kem_encapsulate(pq_ml_kem_encapsulate_nogvl, public_key, PQ_MLKEM_PUBLICKEYBYTES,
-                                  PQ_MLKEM_CIPHERTEXTBYTES, PQ_MLKEM_SHAREDSECRETBYTES);
-}
+    if ((size_t)RSTRING_LEN(seed) != 64) {
+        rb_raise(rb_eArgError, "ML-KEM seed must be 64 bytes (FIPS 203 d||z)");
+    }
-static VALUE pqcrypto_ml_kem_decapsulate(VALUE self, VALUE ciphertext, VALUE secret_key) {
-    (void)self;
-    return pq_run_kem_decapsulate(pq_ml_kem_decapsulate_nogvl, ciphertext, PQ_MLKEM_CIPHERTEXTBYTES,
-                                  secret_key, PQ_MLKEM_SECRETKEYBYTES, PQ_MLKEM_SHAREDSECRETBYTES);
+    kem_keypair_call_t call = {0};
+    size_t seed_len = 0;
+    call.public_key = pq_alloc_buffer(public_key_len);
+    call.secret_key = pq_alloc_buffer(secret_key_len);
+    call.seed = pq_copy_ruby_string(seed, &seed_len);
+    call.seed_len = seed_len;
+    rb_thread_call_without_gvl(nogvl, &call, NULL, NULL);
+    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
+    if (call.result != PQ_SUCCESS) {
+        pq_wipe_and_free(call.secret_key, secret_key_len);
+        free(call.public_key);
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = rb_ary_new2(2);
+    rb_ary_push(result, pq_string_from_buffer(call.public_key, public_key_len));
+    rb_ary_push(result, pq_string_from_buffer(call.secret_key, secret_key_len));
+    free(call.public_key);
+    pq_wipe_and_free(call.secret_key, secret_key_len);
+    return result;
 }
+#define PQ_RUBY_KEM_VARIANTS(X)                                                                   \
+    X(ml_kem, PQ_MLKEM_PUBLICKEYBYTES, PQ_MLKEM_SECRETKEYBYTES, PQ_MLKEM_CIPHERTEXTBYTES,         \
+      PQ_MLKEM_SHAREDSECRETBYTES)                                                                 \
+    X(ml_kem_512, MLKEM512_PUBLICKEYBYTES, MLKEM512_SECRETKEYBYTES, MLKEM512_CIPHERTEXTBYTES,     \
+      MLKEM512_SHAREDSECRETBYTES)                                                                 \
+    X(ml_kem_1024, MLKEM1024_PUBLICKEYBYTES, MLKEM1024_SECRETKEYBYTES, MLKEM1024_CIPHERTEXTBYTES, \
+      MLKEM1024_SHAREDSECRETBYTES)
+#define PQ_DEFINE_RUBY_KEM(rb_name, pk_bytes, sk_bytes, ct_bytes, ss_bytes)                   \
+    static VALUE pqcrypto_##rb_name##_keypair(VALUE self) {                                   \
+        (void)self;                                                                           \
+        return pq_run_kem_keypair(pq_##rb_name##_keypair_nogvl, pk_bytes, sk_bytes);          \
+    }                                                                                         \
+    static VALUE pqcrypto_##rb_name##_keypair_from_seed(VALUE self, VALUE seed) {             \
+        (void)self;                                                                           \
+        return pq_run_kem_keypair_from_seed(pq_##rb_name##_keypair_from_seed_nogvl, seed,     \
+                                            pk_bytes, sk_bytes);                              \
+    }                                                                                         \
+    static VALUE pqcrypto_##rb_name##_encapsulate(VALUE self, VALUE public_key) {             \
+        (void)self;                                                                           \
+        return pq_run_kem_encapsulate(pq_##rb_name##_encapsulate_nogvl, public_key, pk_bytes, \
+                                      ct_bytes, ss_bytes);                                    \
+    }                                                                                         \
+    static VALUE pqcrypto_##rb_name##_decapsulate(VALUE self, VALUE ciphertext,               \
+                                                  VALUE secret_key) {                         \
+        (void)self;                                                                           \
+        return pq_run_kem_decapsulate(pq_##rb_name##_decapsulate_nogvl, ciphertext, ct_bytes, \
+                                      secret_key, sk_bytes, ss_bytes);                        \
+    }
+PQ_RUBY_KEM_VARIANTS(PQ_DEFINE_RUBY_KEM)
+#undef PQ_DEFINE_RUBY_KEM
 static VALUE pqcrypto_hybrid_kem_keypair(VALUE self) {
     (void)self;
     return pq_run_kem_keypair(pq_hybrid_kem_keypair_nogvl, PQ_HYBRID_PUBLICKEYBYTES,
@@ -573,6 +717,61 @@ static VALUE pqcrypto__test_ml_kem_encapsulate_from_seed(VALUE self, VALUE publi
     return result;
 }
+static VALUE pq_run_test_kem_encapsulate_from_seed(void *(*nogvl)(void *), VALUE public_key,
+                                                   VALUE seed, size_t public_key_len,
+                                                   size_t ciphertext_len,
+                                                   size_t shared_secret_len) {
+    pq_validate_bytes_argument(public_key, public_key_len, "public key");
+    StringValue(seed);
+    if ((size_t)RSTRING_LEN(seed) != 32) {
+        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
+    }
+    kem_encapsulate_call_t call = {0};
+    size_t public_key_copy_len = 0;
+    size_t seed_len = 0;
+    call.public_key = pq_copy_ruby_string(public_key, &public_key_copy_len);
+    call.ciphertext = pq_alloc_buffer(ciphertext_len);
+    call.shared_secret = pq_alloc_buffer(shared_secret_len);
+    call.seed = pq_copy_ruby_string(seed, &seed_len);
+    call.seed_len = seed_len;
+    rb_thread_call_without_gvl(nogvl, &call, NULL, NULL);
+    pq_wipe_and_free((uint8_t *)call.public_key, public_key_copy_len);
+    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
+    if (call.result != PQ_SUCCESS) {
+        pq_wipe_and_free(call.shared_secret, shared_secret_len);
+        free(call.ciphertext);
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = rb_ary_new2(2);
+    rb_ary_push(result, pq_string_from_buffer(call.ciphertext, ciphertext_len));
+    rb_ary_push(result, pq_string_from_buffer(call.shared_secret, shared_secret_len));
+    free(call.ciphertext);
+    pq_wipe_and_free(call.shared_secret, shared_secret_len);
+    return result;
+}
+static VALUE pqcrypto__test_ml_kem_512_encapsulate_from_seed(VALUE self, VALUE public_key,
+                                                             VALUE seed) {
+    (void)self;
+    return pq_run_test_kem_encapsulate_from_seed(
+        pq_testing_ml_kem_512_encapsulate_nogvl, public_key, seed, MLKEM512_PUBLICKEYBYTES,
+        MLKEM512_CIPHERTEXTBYTES, MLKEM512_SHAREDSECRETBYTES);
+}
+static VALUE pqcrypto__test_ml_kem_1024_encapsulate_from_seed(VALUE self, VALUE public_key,
+                                                              VALUE seed) {
+    (void)self;
+    return pq_run_test_kem_encapsulate_from_seed(
+        pq_testing_ml_kem_1024_encapsulate_nogvl, public_key, seed, MLKEM1024_PUBLICKEYBYTES,
+        MLKEM1024_CIPHERTEXTBYTES, MLKEM1024_SHAREDSECRETBYTES);
+}
 static VALUE pqcrypto__test_sign_keypair_from_seed(VALUE self, VALUE seed) {
     (void)self;
     StringValue(seed);
@@ -628,56 +827,187 @@ static VALUE pqcrypto__test_sign_from_seed(VALUE self, VALUE message, VALUE secr
     rb_thread_call_without_gvl(pq_testing_sign_nogvl, &call, NULL, NULL);
-    pq_wipe_and_free(call.message, call.message_len);
+    pq_free_buffer(call.message);
     pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
     pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
     if (call.result != PQ_SUCCESS) {
-        pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+        pq_free_buffer(call.signature);
         pq_raise_general_error(call.result);
     }
     VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
-    pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+    pq_free_buffer(call.signature);
     return result;
 }
-static VALUE pqcrypto_sign_keypair(VALUE self) {
+static VALUE pq_run_test_sign_keypair_from_seed(void *(*nogvl)(void *), VALUE seed,
+                                                size_t public_key_len, size_t secret_key_len) {
+    StringValue(seed);
+    if ((size_t)RSTRING_LEN(seed) != 32) {
+        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
+    }
+    sign_keypair_call_t call = {0};
+    size_t seed_len = 0;
+    call.public_key = pq_alloc_buffer(public_key_len);
+    call.secret_key = pq_alloc_buffer(secret_key_len);
+    call.seed = pq_copy_ruby_string(seed, &seed_len);
+    call.seed_len = seed_len;
+    rb_thread_call_without_gvl(nogvl, &call, NULL, NULL);
+    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
+    if (call.result != PQ_SUCCESS) {
+        pq_wipe_and_free(call.secret_key, secret_key_len);
+        free(call.public_key);
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = rb_ary_new2(2);
+    rb_ary_push(result, pq_string_from_buffer(call.public_key, public_key_len));
+    rb_ary_push(result, pq_string_from_buffer(call.secret_key, secret_key_len));
+    free(call.public_key);
+    pq_wipe_and_free(call.secret_key, secret_key_len);
+    return result;
+}
+static VALUE pqcrypto__test_ml_dsa_44_keypair_from_seed(VALUE self, VALUE seed) {
     (void)self;
-    return pq_run_sign_keypair(pq_sign_keypair_nogvl, PQ_MLDSA_PUBLICKEYBYTES,
-                               PQ_MLDSA_SECRETKEYBYTES);
+    return pq_run_test_sign_keypair_from_seed(pq_testing_mldsa_44_keypair_nogvl, seed,
+                                              MLDSA44_PUBLICKEYBYTES, MLDSA44_SECRETKEYBYTES);
 }
-static VALUE pqcrypto_sign(VALUE self, VALUE message, VALUE secret_key) {
+static VALUE pqcrypto__test_ml_dsa_87_keypair_from_seed(VALUE self, VALUE seed) {
     (void)self;
-    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");
+    return pq_run_test_sign_keypair_from_seed(pq_testing_mldsa_87_keypair_nogvl, seed,
+                                              MLDSA87_PUBLICKEYBYTES, MLDSA87_SECRETKEYBYTES);
+}
+#define PQ_RUBY_MLDSA_KEYPAIR_FROM_SEED_VARIANTS(X)                                          \
+    X(ml_dsa_44, mldsa_44_keypair_from_seed, MLDSA44_PUBLICKEYBYTES, MLDSA44_SECRETKEYBYTES) \
+    X(ml_dsa, mldsa_keypair_from_seed, PQ_MLDSA_PUBLICKEYBYTES, PQ_MLDSA_SECRETKEYBYTES)     \
+    X(ml_dsa_87, mldsa_87_keypair_from_seed, MLDSA87_PUBLICKEYBYTES, MLDSA87_SECRETKEYBYTES)
+#define PQ_DEFINE_RUBY_MLDSA_KEYPAIR_FROM_SEED(rb_name, nogvl_suffix, pk_bytes, sk_bytes)    \
+    static VALUE pqcrypto_##rb_name##_keypair_from_seed(VALUE self, VALUE seed) {            \
+        (void)self;                                                                          \
+        return pq_run_test_sign_keypair_from_seed(pq_##nogvl_suffix##_nogvl, seed, pk_bytes, \
+                                                  sk_bytes);                                 \
+    }
+PQ_RUBY_MLDSA_KEYPAIR_FROM_SEED_VARIANTS(PQ_DEFINE_RUBY_MLDSA_KEYPAIR_FROM_SEED)
+#undef PQ_DEFINE_RUBY_MLDSA_KEYPAIR_FROM_SEED
+static VALUE pq_run_test_sign_from_seed(void *(*nogvl)(void *), VALUE message, VALUE secret_key,
+                                        VALUE seed, size_t secret_key_len, size_t signature_len) {
+    pq_validate_bytes_argument(secret_key, secret_key_len, "secret key");
+    StringValue(seed);
+    if ((size_t)RSTRING_LEN(seed) != 32) {
+        rb_raise(rb_eArgError, "Deterministic test seed must be 32 bytes");
+    }
+    sign_call_t call = {0};
+    size_t secret_key_copy_len = 0;
+    size_t seed_len = 0;
+    call.secret_key = pq_copy_ruby_string(secret_key, &secret_key_copy_len);
+    call.signature_len = signature_len;
+    call.signature = pq_alloc_buffer(signature_len);
+    call.message = pq_copy_ruby_string(message, &call.message_len);
+    call.seed = pq_copy_ruby_string(seed, &seed_len);
+    call.seed_len = seed_len;
+    rb_thread_call_without_gvl(nogvl, &call, NULL, NULL);
+    pq_free_buffer(call.message);
+    pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_copy_len);
+    pq_wipe_and_free((uint8_t *)call.seed, call.seed_len);
+    if (call.result != PQ_SUCCESS) {
+        pq_free_buffer(call.signature);
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
+    pq_free_buffer(call.signature);
+    return result;
+}
+static VALUE pqcrypto__test_ml_dsa_44_sign_from_seed(VALUE self, VALUE message, VALUE secret_key,
+                                                     VALUE seed) {
+    (void)self;
+    return pq_run_test_sign_from_seed(pq_testing_mldsa_44_sign_nogvl, message, secret_key, seed,
+                                      MLDSA44_SECRETKEYBYTES, MLDSA44_BYTES);
+}
+static VALUE pqcrypto__test_ml_dsa_87_sign_from_seed(VALUE self, VALUE message, VALUE secret_key,
+                                                     VALUE seed) {
+    (void)self;
+    return pq_run_test_sign_from_seed(pq_testing_mldsa_87_sign_nogvl, message, secret_key, seed,
+                                      MLDSA87_SECRETKEYBYTES, MLDSA87_BYTES);
+}
+#define PQ_DEFINE_RUBY_MLDSA_KEYPAIR(rb_name, nogvl_stem, pk_bytes, sk_bytes)    \
+    static VALUE pqcrypto_##rb_name(VALUE self) {                                \
+        (void)self;                                                              \
+        return pq_run_sign_keypair(pq_##nogvl_stem##_nogvl, pk_bytes, sk_bytes); \
+    }
+PQ_DEFINE_RUBY_MLDSA_KEYPAIR(sign_keypair, sign_keypair, PQ_MLDSA_PUBLICKEYBYTES,
+                             PQ_MLDSA_SECRETKEYBYTES)
+PQ_DEFINE_RUBY_MLDSA_KEYPAIR(ml_dsa_44_keypair, mldsa_44_sign_keypair, MLDSA44_PUBLICKEYBYTES,
+                             MLDSA44_SECRETKEYBYTES)
+PQ_DEFINE_RUBY_MLDSA_KEYPAIR(ml_dsa_87_keypair, mldsa_87_sign_keypair, MLDSA87_PUBLICKEYBYTES,
+                             MLDSA87_SECRETKEYBYTES)
+#undef PQ_DEFINE_RUBY_MLDSA_KEYPAIR
+static VALUE pq_run_sign(void *(*nogvl)(void *), VALUE message, VALUE secret_key,
+                         size_t secret_key_len_expected, size_t signature_len_expected) {
+    pq_validate_bytes_argument(secret_key, secret_key_len_expected, "secret key");
     sign_call_t call = {0};
     size_t secret_key_len = 0;
     call.secret_key = pq_copy_ruby_string(secret_key, &secret_key_len);
-    call.signature_len = PQ_MLDSA_BYTES;
-    call.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);
+    call.signature_len = signature_len_expected;
+    call.signature = pq_alloc_buffer(signature_len_expected);
     call.message = pq_copy_ruby_string(message, &call.message_len);
-    rb_nogvl(pq_sign_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
-    pq_wipe_and_free(call.message, call.message_len);
+    pq_free_buffer(call.message);
     pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
     if (call.result != PQ_SUCCESS) {
-        pq_wipe_and_free(call.signature, PQ_MLDSA_BYTES);
+        pq_free_buffer(call.signature);
         pq_raise_general_error(call.result);
     }
     VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
-    free(call.signature);
+    pq_free_buffer(call.signature);
     return result;
 }
-static VALUE pqcrypto_verify(VALUE self, VALUE message, VALUE signature, VALUE public_key) {
-    (void)self;
+#define PQ_DEFINE_RUBY_MLDSA_SIGN(rb_name, nogvl_stem, sk_bytes, sig_bytes)                    \
+    static VALUE pqcrypto_##rb_name(VALUE self, VALUE message, VALUE secret_key) {             \
+        (void)self;                                                                            \
+        return pq_run_sign(pq_##nogvl_stem##_nogvl, message, secret_key, sk_bytes, sig_bytes); \
+    }
+PQ_DEFINE_RUBY_MLDSA_SIGN(sign, sign, PQ_MLDSA_SECRETKEYBYTES, PQ_MLDSA_BYTES)
+PQ_DEFINE_RUBY_MLDSA_SIGN(ml_dsa_44_sign, mldsa_44_sign, MLDSA44_SECRETKEYBYTES, MLDSA44_BYTES)
+PQ_DEFINE_RUBY_MLDSA_SIGN(ml_dsa_87_sign, mldsa_87_sign, MLDSA87_SECRETKEYBYTES, MLDSA87_BYTES)
+#undef PQ_DEFINE_RUBY_MLDSA_SIGN
+static VALUE pq_run_verify(void *(*nogvl)(void *), VALUE message, VALUE signature, VALUE public_key,
+                           size_t public_key_len_expected) {
     StringValue(signature);
-    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");
+    pq_validate_bytes_argument(public_key, public_key_len_expected, "public key");
     verify_call_t call = {0};
     size_t public_key_len = 0;
@@ -687,11 +1017,11 @@ static VALUE pqcrypto_verify(VALUE self, VALUE message, VALUE signature, VALUE p
     call.signature_len = signature_len;
     call.message = pq_copy_ruby_string(message, &call.message_len);
-    rb_nogvl(pq_verify_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
-    pq_wipe_and_free(call.message, call.message_len);
-    pq_wipe_and_free((uint8_t *)call.public_key, public_key_len);
-    pq_wipe_and_free((uint8_t *)call.signature, signature_len);
+    pq_free_buffer(call.message);
+    pq_free_buffer((uint8_t *)call.public_key);
+    pq_free_buffer((uint8_t *)call.signature);
     if (call.result == PQ_SUCCESS) {
         return Qtrue;
@@ -702,6 +1032,19 @@ static VALUE pqcrypto_verify(VALUE self, VALUE message, VALUE signature, VALUE p
     pq_raise_general_error(call.result);
 }
+#define PQ_DEFINE_RUBY_MLDSA_VERIFY(rb_name, nogvl_stem, pk_bytes)                               \
+    static VALUE pqcrypto_##rb_name(VALUE self, VALUE message, VALUE signature,                  \
+                                    VALUE public_key) {                                          \
+        (void)self;                                                                              \
+        return pq_run_verify(pq_##nogvl_stem##_nogvl, message, signature, public_key, pk_bytes); \
+    }
+PQ_DEFINE_RUBY_MLDSA_VERIFY(verify, verify, PQ_MLDSA_PUBLICKEYBYTES)
+PQ_DEFINE_RUBY_MLDSA_VERIFY(ml_dsa_44_verify, mldsa_44_verify, MLDSA44_PUBLICKEYBYTES)
+PQ_DEFINE_RUBY_MLDSA_VERIFY(ml_dsa_87_verify, mldsa_87_verify, MLDSA87_PUBLICKEYBYTES)
+#undef PQ_DEFINE_RUBY_MLDSA_VERIFY
 static VALUE pqcrypto_ct_equals(VALUE self, VALUE a, VALUE b) {
     (void)self;
     StringValue(a);
@@ -731,19 +1074,319 @@ static VALUE pqcrypto_version(VALUE self) {
     return rb_str_new_cstr(pq_version());
 }
+typedef struct {
+    void *builder;
+} mu_builder_wrapper_t;
+typedef struct {
+    int result;
+    void *builder;
+    const uint8_t *chunk;
+    size_t chunk_len;
+} mu_absorb_call_t;
+typedef struct {
+    int result;
+    void *builder;
+    uint8_t *mu_out;
+} mu_finalize_call_t;
+typedef struct {
+    int result;
+    uint8_t *signature;
+    size_t signature_len;
+    const uint8_t *mu;
+    const uint8_t *secret_key;
+} sign_mu_call_t;
+typedef struct {
+    int result;
+    const uint8_t *signature;
+    size_t signature_len;
+    const uint8_t *mu;
+    const uint8_t *public_key;
+} verify_mu_call_t;
+static void mu_builder_wrapper_free(void *ptr) {
+    mu_builder_wrapper_t *wrapper = (mu_builder_wrapper_t *)ptr;
+    if (wrapper == NULL) {
+        return;
+    }
+    if (wrapper->builder != NULL) {
+        pq_mu_builder_release(wrapper->builder);
+        wrapper->builder = NULL;
+    }
+    xfree(wrapper);
+}
+static size_t mu_builder_wrapper_size(const void *ptr) {
+    (void)ptr;
+    return sizeof(mu_builder_wrapper_t);
+}
+static const rb_data_type_t mu_builder_data_type = {
+    .wrap_struct_name = "PQCrypto::MLDSA::MuBuilder",
+    .function =
+        {
+            .dmark = NULL,
+            .dfree = mu_builder_wrapper_free,
+            .dsize = mu_builder_wrapper_size,
+            .dcompact = NULL,
+            .reserved = {NULL},
+        },
+    .parent = NULL,
+    .data = NULL,
+    .flags = RUBY_TYPED_FREE_IMMEDIATELY,
+};
+static mu_builder_wrapper_t *mu_builder_unwrap(VALUE obj) {
+    mu_builder_wrapper_t *wrapper;
+    TypedData_Get_Struct(obj, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    if (wrapper == NULL || wrapper->builder == NULL) {
+        rb_raise(ePQCryptoError, "mu builder used after release");
+    }
+    return wrapper;
+}
+static VALUE pqcrypto__native_mldsa_extract_tr(VALUE self, VALUE secret_key) {
+    (void)self;
+    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");
+    uint8_t tr[PQ_MLDSA_TRBYTES];
+    int rc = pq_mldsa_extract_tr_from_secret_key(tr, (const uint8_t *)RSTRING_PTR(secret_key));
+    if (rc != PQ_SUCCESS) {
+        pq_secure_wipe(tr, sizeof(tr));
+        pq_raise_general_error(rc);
+    }
+    VALUE result = pq_string_from_buffer(tr, sizeof(tr));
+    pq_secure_wipe(tr, sizeof(tr));
+    return result;
+}
+static VALUE pqcrypto__native_mldsa_compute_tr(VALUE self, VALUE public_key) {
+    (void)self;
+    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");
+    uint8_t tr[PQ_MLDSA_TRBYTES];
+    int rc = pq_mldsa_compute_tr_from_public_key(tr, (const uint8_t *)RSTRING_PTR(public_key));
+    if (rc != PQ_SUCCESS) {
+        pq_raise_general_error(rc);
+    }
+    return pq_string_from_buffer(tr, sizeof(tr));
+}
+static VALUE pqcrypto__native_mldsa_mu_builder_new(VALUE self, VALUE tr, VALUE ctx) {
+    (void)self;
+    pq_validate_bytes_argument(tr, PQ_MLDSA_TRBYTES, "tr");
+    StringValue(ctx);
+    size_t ctxlen = (size_t)RSTRING_LEN(ctx);
+    if (ctxlen > 255) {
+        rb_raise(rb_eArgError, "ML-DSA context length must be <= 255 bytes");
+    }
+    void *builder = pq_mu_builder_new();
+    if (builder == NULL) {
+        rb_raise(rb_eNoMemError, "Memory allocation failed (mu builder)");
+    }
+    int rc = pq_mu_builder_init(builder, (const uint8_t *)RSTRING_PTR(tr),
+                                (const uint8_t *)RSTRING_PTR(ctx), ctxlen);
+    if (rc != PQ_SUCCESS) {
+        pq_mu_builder_release(builder);
+        pq_raise_general_error(rc);
+    }
+    mu_builder_wrapper_t *wrapper;
+    VALUE obj =
+        TypedData_Make_Struct(rb_cObject, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    wrapper->builder = builder;
+    return obj;
+}
+static void *pq_mu_absorb_nogvl(void *arg) {
+    mu_absorb_call_t *call = (mu_absorb_call_t *)arg;
+    call->result = pq_mu_builder_absorb(call->builder, call->chunk, call->chunk_len);
+    return NULL;
+}
+static VALUE pqcrypto__native_mldsa_mu_builder_update(VALUE self, VALUE builder_obj, VALUE chunk) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);
+    StringValue(chunk);
+    size_t chunk_len = (size_t)RSTRING_LEN(chunk);
+    if (chunk_len == 0) {
+        return Qnil;
+    }
+    uint8_t *copy = pq_alloc_buffer(chunk_len);
+    memcpy(copy, RSTRING_PTR(chunk), chunk_len);
+    mu_absorb_call_t call = {0};
+    call.builder = wrapper->builder;
+    call.chunk = copy;
+    call.chunk_len = chunk_len;
+    rb_nogvl(pq_mu_absorb_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    free(copy);
+    if (call.result != PQ_SUCCESS) {
+        pq_raise_general_error(call.result);
+    }
+    return Qnil;
+}
+static void *pq_mu_finalize_nogvl(void *arg) {
+    mu_finalize_call_t *call = (mu_finalize_call_t *)arg;
+    call->result = pq_mu_builder_finalize(call->builder, call->mu_out);
+    return NULL;
+}
+static VALUE pqcrypto__native_mldsa_mu_builder_finalize(VALUE self, VALUE builder_obj) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper = mu_builder_unwrap(builder_obj);
+    uint8_t mu[PQ_MLDSA_MUBYTES];
+    mu_finalize_call_t call = {0};
+    call.builder = wrapper->builder;
+    call.mu_out = mu;
+    rb_nogvl(pq_mu_finalize_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    if (call.result != PQ_SUCCESS) {
+        pq_mu_builder_release(wrapper->builder);
+    }
+    wrapper->builder = NULL;
+    if (call.result != PQ_SUCCESS) {
+        pq_secure_wipe(mu, sizeof(mu));
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = pq_string_from_buffer(mu, sizeof(mu));
+    pq_secure_wipe(mu, sizeof(mu));
+    return result;
+}
+static VALUE pqcrypto__native_mldsa_mu_builder_release(VALUE self, VALUE builder_obj) {
+    (void)self;
+    mu_builder_wrapper_t *wrapper;
+    TypedData_Get_Struct(builder_obj, mu_builder_wrapper_t, &mu_builder_data_type, wrapper);
+    if (wrapper != NULL && wrapper->builder != NULL) {
+        pq_mu_builder_release(wrapper->builder);
+        wrapper->builder = NULL;
+    }
+    return Qnil;
+}
+static void *pq_sign_mu_nogvl(void *arg) {
+    sign_mu_call_t *call = (sign_mu_call_t *)arg;
+    call->result = pq_sign_mu(call->signature, &call->signature_len, call->mu, call->secret_key);
+    return NULL;
+}
+static VALUE pqcrypto__native_mldsa_sign_mu(VALUE self, VALUE mu, VALUE secret_key) {
+    (void)self;
+    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
+    pq_validate_bytes_argument(secret_key, PQ_MLDSA_SECRETKEYBYTES, "secret key");
+    sign_mu_call_t call = {0};
+    size_t secret_key_len = 0;
+    size_t mu_len = 0;
+    uint8_t *mu_copy = pq_copy_ruby_string(mu, &mu_len);
+    uint8_t *sk_copy = pq_copy_ruby_string(secret_key, &secret_key_len);
+    call.mu = mu_copy;
+    call.secret_key = sk_copy;
+    call.signature_len = PQ_MLDSA_BYTES;
+    call.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);
+    rb_nogvl(pq_sign_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    pq_wipe_and_free(mu_copy, mu_len);
+    pq_wipe_and_free(sk_copy, secret_key_len);
+    if (call.result != PQ_SUCCESS) {
+        pq_free_buffer(call.signature);
+        pq_raise_general_error(call.result);
+    }
+    VALUE result = pq_string_from_buffer(call.signature, call.signature_len);
+    pq_free_buffer(call.signature);
+    return result;
+}
+static void *pq_verify_mu_nogvl(void *arg) {
+    verify_mu_call_t *call = (verify_mu_call_t *)arg;
+    call->result = pq_verify_mu(call->signature, call->signature_len, call->mu, call->public_key);
+    return NULL;
+}
+static VALUE pqcrypto__native_mldsa_verify_mu(VALUE self, VALUE mu, VALUE signature,
+                                              VALUE public_key) {
+    (void)self;
+    StringValue(signature);
+    pq_validate_bytes_argument(mu, PQ_MLDSA_MUBYTES, "mu");
+    pq_validate_bytes_argument(public_key, PQ_MLDSA_PUBLICKEYBYTES, "public key");
+    verify_mu_call_t call = {0};
+    size_t public_key_len = 0;
+    size_t signature_len = 0;
+    size_t mu_len = 0;
+    uint8_t *mu_copy = pq_copy_ruby_string(mu, &mu_len);
+    uint8_t *pk_copy = pq_copy_ruby_string(public_key, &public_key_len);
+    uint8_t *sig_copy = pq_copy_ruby_string(signature, &signature_len);
+    call.mu = mu_copy;
+    call.public_key = pk_copy;
+    call.signature = sig_copy;
+    call.signature_len = signature_len;
+    rb_nogvl(pq_verify_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    pq_wipe_and_free(mu_copy, mu_len);
+    pq_free_buffer(pk_copy);
+    pq_free_buffer(sig_copy);
+    if (call.result == PQ_SUCCESS) {
+        return Qtrue;
+    }
+    if (call.result == PQ_ERROR_VERIFY) {
+        return Qfalse;
+    }
+    pq_raise_general_error(call.result);
+}
 static void define_constants(void) {
+    rb_define_const(mPQCrypto, "ML_KEM_512_PUBLIC_KEY_BYTES", INT2NUM(MLKEM512_PUBLICKEYBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_512_SECRET_KEY_BYTES", INT2NUM(MLKEM512_SECRETKEYBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_512_CIPHERTEXT_BYTES", INT2NUM(MLKEM512_CIPHERTEXTBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_512_SHARED_SECRET_BYTES",
+                    INT2NUM(MLKEM512_SHAREDSECRETBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_PUBLIC_KEY_BYTES", INT2NUM(PQ_MLKEM_PUBLICKEYBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_SECRET_KEY_BYTES", INT2NUM(PQ_MLKEM_SECRETKEYBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_CIPHERTEXT_BYTES", INT2NUM(PQ_MLKEM_CIPHERTEXTBYTES));
     rb_define_const(mPQCrypto, "ML_KEM_SHARED_SECRET_BYTES", INT2NUM(PQ_MLKEM_SHAREDSECRETBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_1024_PUBLIC_KEY_BYTES", INT2NUM(MLKEM1024_PUBLICKEYBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_1024_SECRET_KEY_BYTES", INT2NUM(MLKEM1024_SECRETKEYBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_1024_CIPHERTEXT_BYTES", INT2NUM(MLKEM1024_CIPHERTEXTBYTES));
+    rb_define_const(mPQCrypto, "ML_KEM_1024_SHARED_SECRET_BYTES",
+                    INT2NUM(MLKEM1024_SHAREDSECRETBYTES));
     rb_define_const(mPQCrypto, "HYBRID_KEM_PUBLIC_KEY_BYTES", INT2NUM(PQ_HYBRID_PUBLICKEYBYTES));
     rb_define_const(mPQCrypto, "HYBRID_KEM_SECRET_KEY_BYTES", INT2NUM(PQ_HYBRID_SECRETKEYBYTES));
     rb_define_const(mPQCrypto, "HYBRID_KEM_CIPHERTEXT_BYTES", INT2NUM(PQ_HYBRID_CIPHERTEXTBYTES));
     rb_define_const(mPQCrypto, "HYBRID_KEM_SHARED_SECRET_BYTES",
                     INT2NUM(PQ_HYBRID_SHAREDSECRETBYTES));
+    rb_define_const(mPQCrypto, "SIGN_44_PUBLIC_KEY_BYTES", INT2NUM(MLDSA44_PUBLICKEYBYTES));
+    rb_define_const(mPQCrypto, "SIGN_44_SECRET_KEY_BYTES", INT2NUM(MLDSA44_SECRETKEYBYTES));
+    rb_define_const(mPQCrypto, "SIGN_44_BYTES", INT2NUM(MLDSA44_BYTES));
     rb_define_const(mPQCrypto, "SIGN_PUBLIC_KEY_BYTES", INT2NUM(PQ_MLDSA_PUBLICKEYBYTES));
     rb_define_const(mPQCrypto, "SIGN_SECRET_KEY_BYTES", INT2NUM(PQ_MLDSA_SECRETKEYBYTES));
     rb_define_const(mPQCrypto, "SIGN_BYTES", INT2NUM(PQ_MLDSA_BYTES));
+    rb_define_const(mPQCrypto, "SIGN_87_PUBLIC_KEY_BYTES", INT2NUM(MLDSA87_PUBLICKEYBYTES));
+    rb_define_const(mPQCrypto, "SIGN_87_SECRET_KEY_BYTES", INT2NUM(MLDSA87_SECRETKEYBYTES));
+    rb_define_const(mPQCrypto, "SIGN_87_BYTES", INT2NUM(MLDSA87_BYTES));
 }
 static VALUE pqcrypto_public_key_to_pqc_container_der(VALUE self, VALUE algorithm,
@@ -801,12 +1444,40 @@ void Init_pqcrypto_secure(void) {
                               pqcrypto__test_ml_kem_keypair_from_seed, 1);
     rb_define_module_function(mPQCrypto, "__test_ml_kem_encapsulate_from_seed",
                               pqcrypto__test_ml_kem_encapsulate_from_seed, 2);
+    rb_define_module_function(mPQCrypto, "__test_ml_kem_512_encapsulate_from_seed",
+                              pqcrypto__test_ml_kem_512_encapsulate_from_seed, 2);
+    rb_define_module_function(mPQCrypto, "__test_ml_kem_1024_encapsulate_from_seed",
+                              pqcrypto__test_ml_kem_1024_encapsulate_from_seed, 2);
     rb_define_module_function(mPQCrypto, "__test_sign_keypair_from_seed",
                               pqcrypto__test_sign_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "__test_ml_dsa_44_keypair_from_seed",
+                              pqcrypto__test_ml_dsa_44_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "__test_ml_dsa_87_keypair_from_seed",
+                              pqcrypto__test_ml_dsa_87_keypair_from_seed, 1);
     rb_define_module_function(mPQCrypto, "__test_sign_from_seed", pqcrypto__test_sign_from_seed, 3);
+    rb_define_module_function(mPQCrypto, "__test_ml_dsa_44_sign_from_seed",
+                              pqcrypto__test_ml_dsa_44_sign_from_seed, 3);
+    rb_define_module_function(mPQCrypto, "__test_ml_dsa_87_sign_from_seed",
+                              pqcrypto__test_ml_dsa_87_sign_from_seed, 3);
     rb_define_module_function(mPQCrypto, "ml_kem_keypair", pqcrypto_ml_kem_keypair, 0);
+    rb_define_module_function(mPQCrypto, "ml_kem_keypair_from_seed",
+                              pqcrypto_ml_kem_keypair_from_seed, 1);
     rb_define_module_function(mPQCrypto, "ml_kem_encapsulate", pqcrypto_ml_kem_encapsulate, 1);
     rb_define_module_function(mPQCrypto, "ml_kem_decapsulate", pqcrypto_ml_kem_decapsulate, 2);
+    rb_define_module_function(mPQCrypto, "ml_kem_512_keypair", pqcrypto_ml_kem_512_keypair, 0);
+    rb_define_module_function(mPQCrypto, "ml_kem_512_keypair_from_seed",
+                              pqcrypto_ml_kem_512_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "ml_kem_512_encapsulate", pqcrypto_ml_kem_512_encapsulate,
+                              1);
+    rb_define_module_function(mPQCrypto, "ml_kem_512_decapsulate", pqcrypto_ml_kem_512_decapsulate,
+                              2);
+    rb_define_module_function(mPQCrypto, "ml_kem_1024_keypair", pqcrypto_ml_kem_1024_keypair, 0);
+    rb_define_module_function(mPQCrypto, "ml_kem_1024_keypair_from_seed",
+                              pqcrypto_ml_kem_1024_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "ml_kem_1024_encapsulate",
+                              pqcrypto_ml_kem_1024_encapsulate, 1);
+    rb_define_module_function(mPQCrypto, "ml_kem_1024_decapsulate",
+                              pqcrypto_ml_kem_1024_decapsulate, 2);
     rb_define_module_function(mPQCrypto, "hybrid_kem_keypair", pqcrypto_hybrid_kem_keypair, 0);
     rb_define_module_function(mPQCrypto, "hybrid_kem_encapsulate", pqcrypto_hybrid_kem_encapsulate,
                               1);
@@ -815,6 +1486,18 @@ void Init_pqcrypto_secure(void) {
     rb_define_module_function(mPQCrypto, "sign_keypair", pqcrypto_sign_keypair, 0);
     rb_define_module_function(mPQCrypto, "sign", pqcrypto_sign, 2);
     rb_define_module_function(mPQCrypto, "verify", pqcrypto_verify, 3);
+    rb_define_module_function(mPQCrypto, "ml_dsa_44_keypair", pqcrypto_ml_dsa_44_keypair, 0);
+    rb_define_module_function(mPQCrypto, "ml_dsa_44_keypair_from_seed",
+                              pqcrypto_ml_dsa_44_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "ml_dsa_keypair_from_seed",
+                              pqcrypto_ml_dsa_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "ml_dsa_44_sign", pqcrypto_ml_dsa_44_sign, 2);
+    rb_define_module_function(mPQCrypto, "ml_dsa_44_verify", pqcrypto_ml_dsa_44_verify, 3);
+    rb_define_module_function(mPQCrypto, "ml_dsa_87_keypair", pqcrypto_ml_dsa_87_keypair, 0);
+    rb_define_module_function(mPQCrypto, "ml_dsa_87_keypair_from_seed",
+                              pqcrypto_ml_dsa_87_keypair_from_seed, 1);
+    rb_define_module_function(mPQCrypto, "ml_dsa_87_sign", pqcrypto_ml_dsa_87_sign, 2);
+    rb_define_module_function(mPQCrypto, "ml_dsa_87_verify", pqcrypto_ml_dsa_87_verify, 3);
     rb_define_module_function(mPQCrypto, "ct_equals", pqcrypto_ct_equals, 2);
     rb_define_module_function(mPQCrypto, "secure_wipe", pqcrypto_secure_wipe, 1);
     rb_define_module_function(mPQCrypto, "version", pqcrypto_version, 0);
@@ -834,6 +1517,22 @@ void Init_pqcrypto_secure(void) {
                               pqcrypto_secret_key_from_pqc_container_der, 1);
     rb_define_module_function(mPQCrypto, "secret_key_from_pqc_container_pem",
                               pqcrypto_secret_key_from_pqc_container_pem, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_extract_tr",
+                              pqcrypto__native_mldsa_extract_tr, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_compute_tr",
+                              pqcrypto__native_mldsa_compute_tr, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_new",
+                              pqcrypto__native_mldsa_mu_builder_new, 2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_update",
+                              pqcrypto__native_mldsa_mu_builder_update, 2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_finalize",
+                              pqcrypto__native_mldsa_mu_builder_finalize, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_mu_builder_release",
+                              pqcrypto__native_mldsa_mu_builder_release, 1);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_sign_mu", pqcrypto__native_mldsa_sign_mu,
+                              2);
+    rb_define_module_function(mPQCrypto, "_native_mldsa_verify_mu",
+                              pqcrypto__native_mldsa_verify_mu, 3);
     define_constants();
 }