pq_crypto 0.3.2 → 0.4.2

data/lib/pq_crypto/spki.rb

@@ -0,0 +1,131 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module PQCrypto
+  module SPKI
+    PEM_LABEL = "PUBLIC KEY"
+    PEM_BEGIN = "-----BEGIN #{PEM_LABEL}-----"
+    PEM_END = "-----END #{PEM_LABEL}-----"
+
+    class << self
+      def encode_der(algorithm_symbol, public_key_bytes)
+        entry = AlgorithmRegistry.fetch(algorithm_symbol)
+        validate_public_key_algorithm!(algorithm_symbol, entry)
+
+        bytes = String(public_key_bytes).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm_symbol.inspect} public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::ObjectId.new(AlgorithmRegistry.standard_oid(algorithm_symbol)),
+          ]),
+          OpenSSL::ASN1::BitString.new(bytes),
+        ]).to_der.b
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+
+      def encode_pem(algorithm_symbol, public_key_bytes)
+        der = encode_der(algorithm_symbol, public_key_bytes)
+        body = encode_base64(der).scan(/.{1,64}/).join("\n")
+        "#{PEM_BEGIN}\n#{body}\n#{PEM_END}\n"
+      end
+
+      def decode_der(der)
+        input = String(der).b
+        outer = decode_asn1(input)
+        raise SerializationError, "SPKI DER contains trailing data" unless outer.to_der.b == input
+        raise SerializationError, "SPKI must be an ASN.1 SEQUENCE" unless outer.is_a?(OpenSSL::ASN1::Sequence)
+        raise SerializationError, "SPKI SEQUENCE must contain exactly 2 elements" unless outer.value.size == 2
+
+        algorithm_identifier, subject_public_key = outer.value
+        algorithm = decode_algorithm_identifier(algorithm_identifier)
+        entry = AlgorithmRegistry.fetch(algorithm)
+        validate_public_key_algorithm!(algorithm, entry)
+
+        unless subject_public_key.is_a?(OpenSSL::ASN1::BitString)
+          raise SerializationError, "SPKI subjectPublicKey must be a BIT STRING"
+        end
+        unless subject_public_key.unused_bits.zero?
+          raise SerializationError, "SPKI subjectPublicKey must have zero unused bits"
+        end
+
+        bytes = String(subject_public_key.value).b
+        expected = entry.fetch(:public_key_bytes)
+        unless bytes.bytesize == expected
+          raise SerializationError,
+                "Invalid #{algorithm.inspect} SPKI public key length: expected #{expected}, got #{bytes.bytesize}"
+        end
+
+        [algorithm, bytes]
+      end
+
+      def decode_pem(pem)
+        der = der_from_pem(pem)
+        decode_der(der)
+      end
+
+      private
+
+      def decode_asn1(der)
+        OpenSSL::ASN1.decode(der)
+      rescue OpenSSL::ASN1::ASN1Error => e
+        raise SerializationError, e.message
+      end
+
+      def decode_algorithm_identifier(value)
+        unless value.is_a?(OpenSSL::ASN1::Sequence)
+          raise SerializationError, "SPKI algorithm must be an AlgorithmIdentifier SEQUENCE"
+        end
+        unless value.value.size == 1
+          raise SerializationError, "SPKI AlgorithmIdentifier parameters must be absent"
+        end
+
+        oid = value.value.first
+        raise SerializationError, "SPKI AlgorithmIdentifier must contain an OBJECT IDENTIFIER" unless oid.is_a?(OpenSSL::ASN1::ObjectId)
+
+        algorithm = AlgorithmRegistry.by_standard_oid(oid.oid)
+        raise SerializationError, "Unsupported SPKI algorithm OID: #{oid.oid}" if algorithm.nil?
+
+        algorithm
+      end
+
+      def validate_public_key_algorithm!(algorithm_symbol, entry)
+        return if %i[ml_kem ml_dsa].include?(entry.fetch(:family))
+
+        raise SerializationError, "SPKI public key codec is not supported for #{algorithm_symbol.inspect}"
+      end
+
+      def encode_base64(bytes)
+        [String(bytes).b].pack("m0")
+      end
+
+      def decode_base64(body)
+        compact = body.gsub(/[\r\n]/, "")
+        unless compact.match?(/\A(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?\z/)
+          raise SerializationError, "Invalid SPKI PEM: invalid base64"
+        end
+
+        compact.unpack1("m0").b
+      rescue ArgumentError => e
+        raise SerializationError, e.message
+      end
+
+      def der_from_pem(pem)
+        text = String(pem)
+        match = text.match(/\A#{Regexp.escape(PEM_BEGIN)}\r?\n(?<body>[A-Za-z0-9+\/=\r\n]+)\r?\n#{Regexp.escape(PEM_END)}[ \t\r\n]*\z/)
+        raise SerializationError, "Invalid SPKI PEM: expected #{PEM_LABEL.inspect} label" unless match
+
+        body = match[:body]
+        raise SerializationError, "Invalid SPKI PEM: embedded NUL in body" if body.include?("\0")
+
+        decode_base64(body)
+      end
+    end
+  end
+end

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.3.2"
+  VERSION = "0.4.2"
 end

data/lib/pq_crypto.rb

@@ -1,12 +1,10 @@
 # frozen_string_literal: true
 
-require "rbconfig"
-require_relative "pq_crypto/version"
-require_relative "pq_crypto/errors"
-
 begin
-  require "pqcrypto/pqcrypto_secure"
+  require "pqcrypto/pqcrypto_secure" # native extension first
 rescue LoadError => original_error
+  require "rbconfig"
+
   ext_dir = File.expand_path("pqcrypto", __dir__)
   extensions = [".#{RbConfig::CONFIG.fetch('DLEXT')}", ".bundle", ".so"].uniq
   search_dirs = [ext_dir, File.join(ext_dir, "pqcrypto")].uniq
@@ -30,13 +28,21 @@ rescue LoadError => original_error
   raise original_error unless loaded
 end
 
+require_relative "pq_crypto/errors"
+require_relative "pq_crypto/version"
+require_relative "pq_crypto/algorithm_registry"
 require_relative "pq_crypto/serialization"
+require_relative "pq_crypto/spki"
+require_relative "pq_crypto/pkcs8"
+require_relative "pq_crypto/kem"
+require_relative "pq_crypto/signature"
+require_relative "pq_crypto/hybrid_kem"
 
 module PQCrypto
   SUITES = {
-    kem: [:ml_kem_768].freeze,
-    hybrid_kem: [:ml_kem_768_x25519_xwing].freeze,
-    signature: [:ml_dsa_65].freeze,
+    kem: AlgorithmRegistry.supported_kems,
+    hybrid_kem: AlgorithmRegistry.supported_hybrid_kems,
+    signature: AlgorithmRegistry.supported_signatures,
   }.freeze
 
   NATIVE_EXTENSION_LOADED = true
@@ -44,14 +50,32 @@ module PQCrypto
   module NativeBindings
     NATIVE_METHODS = %i[
       ml_kem_keypair
+      ml_kem_keypair_from_seed
       ml_kem_encapsulate
       ml_kem_decapsulate
+      ml_kem_512_keypair
+      ml_kem_512_keypair_from_seed
+      ml_kem_512_encapsulate
+      ml_kem_512_decapsulate
+      ml_kem_1024_keypair
+      ml_kem_1024_keypair_from_seed
+      ml_kem_1024_encapsulate
+      ml_kem_1024_decapsulate
       hybrid_kem_keypair
       hybrid_kem_encapsulate
       hybrid_kem_decapsulate
       sign_keypair
       sign
       verify
+      ml_dsa_44_keypair
+      ml_dsa_44_keypair_from_seed
+      ml_dsa_keypair_from_seed
+      ml_dsa_44_sign
+      ml_dsa_44_verify
+      ml_dsa_87_keypair
+      ml_dsa_87_keypair_from_seed
+      ml_dsa_87_sign
+      ml_dsa_87_verify
       ct_equals
       secure_wipe
       version
@@ -65,8 +89,14 @@ module PQCrypto
       secret_key_from_pqc_container_pem
       __test_ml_kem_keypair_from_seed
       __test_ml_kem_encapsulate_from_seed
+      __test_ml_kem_512_encapsulate_from_seed
+      __test_ml_kem_1024_encapsulate_from_seed
       __test_sign_keypair_from_seed
+      __test_ml_dsa_44_keypair_from_seed
+      __test_ml_dsa_87_keypair_from_seed
       __test_sign_from_seed
+      __test_ml_dsa_44_sign_from_seed
+      __test_ml_dsa_87_sign_from_seed
     ].freeze
 
     EXTERNAL_MU_METHODS = %i[
@@ -127,32 +157,61 @@ module PQCrypto
   end
 
   module Testing
-    def self.ml_kem_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_ml_kem_keypair_from_seed, String(seed).b)
+    KEM_KEYPAIR_METHODS = {
+      ml_kem_512: :native_ml_kem_512_keypair_from_seed,
+      ml_kem_768: :native_ml_kem_keypair_from_seed,
+      ml_kem_1024: :native_ml_kem_1024_keypair_from_seed,
+    }.freeze
+
+    KEM_ENCAPSULATE_METHODS = {
+      ml_kem_512: :native_test_ml_kem_512_encapsulate_from_seed,
+      ml_kem_768: :native_test_ml_kem_encapsulate_from_seed,
+      ml_kem_1024: :native_test_ml_kem_1024_encapsulate_from_seed,
+    }.freeze
+
+    MLDSA_KEYPAIR_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_keypair_from_seed,
+      ml_dsa_65: :native_test_sign_keypair_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_keypair_from_seed,
+    }.freeze
+
+    MLDSA_SIGN_METHODS = {
+      ml_dsa_44: :native_test_ml_dsa_44_sign_from_seed,
+      ml_dsa_65: :native_test_sign_from_seed,
+      ml_dsa_87: :native_test_ml_dsa_87_sign_from_seed,
+    }.freeze
+
+    def self.ml_kem_keypair_from_seed(seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_kem_encapsulate_from_seed(public_key, seed)
-      PQCrypto.__send__(:native_test_ml_kem_encapsulate_from_seed, String(public_key).b, String(seed).b)
+    def self.ml_kem_encapsulate_from_seed(public_key, seed, algorithm: :ml_kem_768)
+      PQCrypto.__send__(KEM_ENCAPSULATE_METHODS.fetch(algorithm), String(public_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-KEM KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_dsa_keypair_from_seed(seed)
-      PQCrypto.__send__(:native_test_sign_keypair_from_seed, String(seed).b)
+    def self.ml_dsa_keypair_from_seed(seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_KEYPAIR_METHODS.fetch(algorithm), String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
 
-    def self.ml_dsa_sign_from_seed(message, secret_key, seed)
-      PQCrypto.__send__(:native_test_sign_from_seed, String(message).b, String(secret_key).b, String(seed).b)
+    def self.ml_dsa_sign_from_seed(message, secret_key, seed, algorithm: :ml_dsa_65)
+      PQCrypto.__send__(MLDSA_SIGN_METHODS.fetch(algorithm), String(message).b, String(secret_key).b, String(seed).b)
+    rescue KeyError
+      raise UnsupportedAlgorithmError, "Unsupported ML-DSA KAT algorithm: #{algorithm.inspect}"
     rescue ArgumentError => e
       raise InvalidKeyError, e.message
     end
   end
 end
 
-require_relative "pq_crypto/kem"
-require_relative "pq_crypto/hybrid_kem"
-require_relative "pq_crypto/signature"

data/script/vendor_libs.rb

@@ -19,8 +19,12 @@ DEFAULT_PQCLEAN = {
 }.freeze
 
 KEEP_DIRS = %w[
+  crypto_kem/ml-kem-512/clean
   crypto_kem/ml-kem-768/clean
+  crypto_kem/ml-kem-1024/clean
+  crypto_sign/ml-dsa-44/clean
   crypto_sign/ml-dsa-65/clean
+  crypto_sign/ml-dsa-87/clean
   common
 ].freeze
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pq_crypto
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.2
 platform: ruby
 authors:
 - Roman Haydarov
@@ -51,8 +51,8 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5.0'
-description: Native Ruby wrapper around ML-KEM-768, ML-DSA-65, and an optional hybrid
-  ML-KEM-768+X25519 KEM, backed by PQClean and OpenSSL.
+description: Native Ruby wrapper around ML-KEM, ML-DSA, and an optional hybrid ML-KEM-768+X25519
+  KEM, backed by PQClean and OpenSSL.
 email:
 - romanhajdarov@gmail.com
 executables: []
@@ -74,6 +74,7 @@ files:
 - ext/pqcrypto/pqcrypto_ruby_secure.c
 - ext/pqcrypto/pqcrypto_secure.c
 - ext/pqcrypto/pqcrypto_secure.h
+- ext/pqcrypto/pqcrypto_version.h
 - ext/pqcrypto/vendor/.vendored
 - ext/pqcrypto/vendor/pqclean/common/aes.c
 - ext/pqcrypto/vendor/pqclean/common/aes.h
@@ -100,6 +101,52 @@ files:
 - ext/pqcrypto/vendor/pqclean/common/sha2.h
 - ext/pqcrypto/vendor/pqclean/common/sp800-185.c
 - ext/pqcrypto/vendor/pqclean/common/sp800-185.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/LICENSE
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/Makefile
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/Makefile.Microsoft_nmake
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/api.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/cbd.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/cbd.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/indcpa.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/indcpa.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/kem.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/kem.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/ntt.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/ntt.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/params.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/poly.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/poly.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/polyvec.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/polyvec.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/reduce.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/reduce.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/symmetric-shake.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/symmetric.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/verify.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/verify.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/LICENSE
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/Makefile
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/Makefile.Microsoft_nmake
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/api.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/cbd.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/cbd.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/indcpa.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/indcpa.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/kem.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/kem.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/ntt.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/ntt.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/params.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/poly.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/poly.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/polyvec.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/polyvec.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/reduce.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/reduce.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/symmetric-shake.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/symmetric.h
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/verify.c
+- ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/verify.h
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/LICENSE
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile.Microsoft_nmake
@@ -123,6 +170,27 @@ files:
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/symmetric.h
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/verify.c
 - ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/verify.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/LICENSE
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/Makefile
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/Makefile.Microsoft_nmake
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/api.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/ntt.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/ntt.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/packing.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/packing.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/params.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/poly.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/poly.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/polyvec.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/polyvec.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/reduce.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/reduce.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/rounding.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/rounding.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/sign.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/sign.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/symmetric-shake.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-44/clean/symmetric.h
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/LICENSE
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/Makefile
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/Makefile.Microsoft_nmake
@@ -144,12 +212,36 @@ files:
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/sign.h
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/symmetric-shake.c
 - ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-65/clean/symmetric.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/LICENSE
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/Makefile
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/Makefile.Microsoft_nmake
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/api.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/ntt.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/ntt.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/packing.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/packing.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/params.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/poly.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/poly.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/polyvec.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/polyvec.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/reduce.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/reduce.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/rounding.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/rounding.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/sign.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/sign.h
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/symmetric-shake.c
+- ext/pqcrypto/vendor/pqclean/crypto_sign/ml-dsa-87/clean/symmetric.h
 - lib/pq_crypto.rb
+- lib/pq_crypto/algorithm_registry.rb
 - lib/pq_crypto/errors.rb
 - lib/pq_crypto/hybrid_kem.rb
 - lib/pq_crypto/kem.rb
+- lib/pq_crypto/pkcs8.rb
 - lib/pq_crypto/serialization.rb
 - lib/pq_crypto/signature.rb
+- lib/pq_crypto/spki.rb
 - lib/pq_crypto/version.rb
 - lib/pqcrypto.rb
 - script/vendor_libs.rb