pq_crypto 0.3.2 → 0.4.2

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/indcpa.c

@@ -0,0 +1,327 @@
+#include "indcpa.h"
+#include "ntt.h"
+#include "params.h"
+#include "poly.h"
+#include "polyvec.h"
+#include "randombytes.h"
+#include "symmetric.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+/*************************************************
+* Name:        pack_pk
+*
+* Description: Serialize the public key as concatenation of the
+*              serialized vector of polynomials pk
+*              and the public seed used to generate the matrix A.
+*
+* Arguments:   uint8_t *r: pointer to the output serialized public key
+*              polyvec *pk: pointer to the input public-key polyvec
+*              const uint8_t *seed: pointer to the input public seed
+**************************************************/
+static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
+                    polyvec *pk,
+                    const uint8_t seed[KYBER_SYMBYTES]) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_tobytes(r, pk);
+    memcpy(r + KYBER_POLYVECBYTES, seed, KYBER_SYMBYTES);
+}
+
+/*************************************************
+* Name:        unpack_pk
+*
+* Description: De-serialize public key from a byte array;
+*              approximate inverse of pack_pk
+*
+* Arguments:   - polyvec *pk: pointer to output public-key polynomial vector
+*              - uint8_t *seed: pointer to output seed to generate matrix A
+*              - const uint8_t *packedpk: pointer to input serialized public key
+**************************************************/
+static void unpack_pk(polyvec *pk,
+                      uint8_t seed[KYBER_SYMBYTES],
+                      const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_frombytes(pk, packedpk);
+    memcpy(seed, packedpk + KYBER_POLYVECBYTES, KYBER_SYMBYTES);
+}
+
+/*************************************************
+* Name:        pack_sk
+*
+* Description: Serialize the secret key
+*
+* Arguments:   - uint8_t *r: pointer to output serialized secret key
+*              - polyvec *sk: pointer to input vector of polynomials (secret key)
+**************************************************/
+static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_tobytes(r, sk);
+}
+
+/*************************************************
+* Name:        unpack_sk
+*
+* Description: De-serialize the secret key; inverse of pack_sk
+*
+* Arguments:   - polyvec *sk: pointer to output vector of polynomials (secret key)
+*              - const uint8_t *packedsk: pointer to input serialized secret key
+**************************************************/
+static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_frombytes(sk, packedsk);
+}
+
+/*************************************************
+* Name:        pack_ciphertext
+*
+* Description: Serialize the ciphertext as concatenation of the
+*              compressed and serialized vector of polynomials b
+*              and the compressed and serialized polynomial v
+*
+* Arguments:   uint8_t *r: pointer to the output serialized ciphertext
+*              poly *pk: pointer to the input vector of polynomials b
+*              poly *v: pointer to the input polynomial v
+**************************************************/
+static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_compress(r, b);
+    PQCLEAN_MLKEM1024_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v);
+}
+
+/*************************************************
+* Name:        unpack_ciphertext
+*
+* Description: De-serialize and decompress ciphertext from a byte array;
+*              approximate inverse of pack_ciphertext
+*
+* Arguments:   - polyvec *b: pointer to the output vector of polynomials b
+*              - poly *v: pointer to the output polynomial v
+*              - const uint8_t *c: pointer to the input serialized ciphertext
+**************************************************/
+static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) {
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_decompress(b, c);
+    PQCLEAN_MLKEM1024_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
+}
+
+/*************************************************
+* Name:        rej_uniform
+*
+* Description: Run rejection sampling on uniform random bytes to generate
+*              uniform random integers mod q
+*
+* Arguments:   - int16_t *r: pointer to output buffer
+*              - unsigned int len: requested number of 16-bit integers (uniform mod q)
+*              - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes)
+*              - unsigned int buflen: length of input buffer in bytes
+*
+* Returns number of sampled 16-bit integers (at most len)
+**************************************************/
+static unsigned int rej_uniform(int16_t *r,
+                                unsigned int len,
+                                const uint8_t *buf,
+                                unsigned int buflen) {
+    unsigned int ctr, pos;
+    uint16_t val0, val1;
+
+    ctr = pos = 0;
+    while (ctr < len && pos + 3 <= buflen) {
+        val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF;
+        val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF;
+        pos += 3;
+
+        if (val0 < KYBER_Q) {
+            r[ctr++] = val0;
+        }
+        if (ctr < len && val1 < KYBER_Q) {
+            r[ctr++] = val1;
+        }
+    }
+
+    return ctr;
+}
+
+#define gen_a(A,B)  PQCLEAN_MLKEM1024_CLEAN_gen_matrix(A,B,0)
+#define gen_at(A,B) PQCLEAN_MLKEM1024_CLEAN_gen_matrix(A,B,1)
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_gen_matrix
+*
+* Description: Deterministically generate matrix A (or the transpose of A)
+*              from a seed. Entries of the matrix are polynomials that look
+*              uniformly random. Performs rejection sampling on output of
+*              a XOF
+*
+* Arguments:   - polyvec *a: pointer to ouptput matrix A
+*              - const uint8_t *seed: pointer to input seed
+*              - int transposed: boolean deciding whether A or A^T is generated
+**************************************************/
+
+#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
+// Not static for benchmarking
+void PQCLEAN_MLKEM1024_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) {
+    unsigned int ctr, i, j;
+    unsigned int buflen;
+    uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES];
+    xof_state state;
+
+    for (i = 0; i < KYBER_K; i++) {
+        for (j = 0; j < KYBER_K; j++) {
+            if (transposed) {
+                xof_absorb(&state, seed, (uint8_t)i, (uint8_t)j);
+            } else {
+                xof_absorb(&state, seed, (uint8_t)j, (uint8_t)i);
+            }
+
+            xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state);
+            buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES;
+            ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen);
+
+            while (ctr < KYBER_N) {
+                xof_squeezeblocks(buf, 1, &state);
+                buflen = XOF_BLOCKBYTES;
+                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen);
+            }
+            xof_ctx_release(&state);
+        }
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_indcpa_keypair_derand
+*
+* Description: Generates public and private key for the CPA-secure
+*              public-key encryption scheme underlying Kyber
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                             (of length KYBER_SYMBYTES bytes)
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+        uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+        const uint8_t coins[KYBER_SYMBYTES]) {
+    unsigned int i;
+    uint8_t buf[2 * KYBER_SYMBYTES];
+    const uint8_t *publicseed = buf;
+    const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
+    uint8_t nonce = 0;
+    polyvec a[KYBER_K], e, pkpv, skpv;
+
+    memcpy(buf, coins, KYBER_SYMBYTES);
+    buf[KYBER_SYMBYTES] = KYBER_K;
+    hash_g(buf, buf, KYBER_SYMBYTES + 1);
+
+    gen_a(a, publicseed);
+
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++);
+    }
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++);
+    }
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_ntt(&skpv);
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_ntt(&e);
+
+    // matrix-vector multiplication
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv);
+        PQCLEAN_MLKEM1024_CLEAN_poly_tomont(&pkpv.vec[i]);
+    }
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_add(&pkpv, &pkpv, &e);
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_reduce(&pkpv);
+
+    pack_sk(sk, &skpv);
+    pack_pk(pk, &pkpv, publicseed);
+}
+
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_indcpa_enc
+*
+* Description: Encryption function of the CPA-secure
+*              public-key encryption scheme underlying Kyber.
+*
+* Arguments:   - uint8_t *c: pointer to output ciphertext
+*                            (of length KYBER_INDCPA_BYTES bytes)
+*              - const uint8_t *m: pointer to input message
+*                                  (of length KYBER_INDCPA_MSGBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                                   (of length KYBER_INDCPA_PUBLICKEYBYTES)
+*              - const uint8_t *coins: pointer to input random coins used as seed
+*                                      (of length KYBER_SYMBYTES) to deterministically
+*                                      generate all randomness
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
+                                        const uint8_t m[KYBER_INDCPA_MSGBYTES],
+                                        const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                                        const uint8_t coins[KYBER_SYMBYTES]) {
+    unsigned int i;
+    uint8_t seed[KYBER_SYMBYTES];
+    uint8_t nonce = 0;
+    polyvec sp, pkpv, ep, at[KYBER_K], b;
+    poly v, k, epp;
+
+    unpack_pk(&pkpv, seed, pk);
+    PQCLEAN_MLKEM1024_CLEAN_poly_frommsg(&k, m);
+    gen_at(at, seed);
+
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_poly_getnoise_eta1(sp.vec + i, coins, nonce++);
+    }
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_poly_getnoise_eta2(ep.vec + i, coins, nonce++);
+    }
+    PQCLEAN_MLKEM1024_CLEAN_poly_getnoise_eta2(&epp, coins, nonce++);
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_ntt(&sp);
+
+    // matrix-vector multiplication
+    for (i = 0; i < KYBER_K; i++) {
+        PQCLEAN_MLKEM1024_CLEAN_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp);
+    }
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp);
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_invntt_tomont(&b);
+    PQCLEAN_MLKEM1024_CLEAN_poly_invntt_tomont(&v);
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_add(&b, &b, &ep);
+    PQCLEAN_MLKEM1024_CLEAN_poly_add(&v, &v, &epp);
+    PQCLEAN_MLKEM1024_CLEAN_poly_add(&v, &v, &k);
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_reduce(&b);
+    PQCLEAN_MLKEM1024_CLEAN_poly_reduce(&v);
+
+    pack_ciphertext(c, &b, &v);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_indcpa_dec
+*
+* Description: Decryption function of the CPA-secure
+*              public-key encryption scheme underlying Kyber.
+*
+* Arguments:   - uint8_t *m: pointer to output decrypted message
+*                            (of length KYBER_INDCPA_MSGBYTES)
+*              - const uint8_t *c: pointer to input ciphertext
+*                                  (of length KYBER_INDCPA_BYTES)
+*              - const uint8_t *sk: pointer to input secret key
+*                                   (of length KYBER_INDCPA_SECRETKEYBYTES)
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
+                                        const uint8_t c[KYBER_INDCPA_BYTES],
+                                        const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) {
+    polyvec b, skpv;
+    poly v, mp;
+
+    unpack_ciphertext(&b, &v, c);
+    unpack_sk(&skpv, sk);
+
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_ntt(&b);
+    PQCLEAN_MLKEM1024_CLEAN_polyvec_basemul_acc_montgomery(&mp, &skpv, &b);
+    PQCLEAN_MLKEM1024_CLEAN_poly_invntt_tomont(&mp);
+
+    PQCLEAN_MLKEM1024_CLEAN_poly_sub(&mp, &v, &mp);
+    PQCLEAN_MLKEM1024_CLEAN_poly_reduce(&mp);
+
+    PQCLEAN_MLKEM1024_CLEAN_poly_tomsg(m, &mp);
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/indcpa.h

@@ -0,0 +1,22 @@
+#ifndef PQCLEAN_MLKEM1024_CLEAN_INDCPA_H
+#define PQCLEAN_MLKEM1024_CLEAN_INDCPA_H
+#include "params.h"
+#include "polyvec.h"
+#include <stdint.h>
+
+void PQCLEAN_MLKEM1024_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed);
+
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+        uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
+        const uint8_t coins[KYBER_SYMBYTES]);
+
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
+                                        const uint8_t m[KYBER_INDCPA_MSGBYTES],
+                                        const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
+                                        const uint8_t coins[KYBER_SYMBYTES]);
+
+void PQCLEAN_MLKEM1024_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
+                                        const uint8_t c[KYBER_INDCPA_BYTES],
+                                        const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/kem.c

@@ -0,0 +1,164 @@
+#include "indcpa.h"
+#include "kem.h"
+#include "params.h"
+#include "randombytes.h"
+#include "symmetric.h"
+#include "verify.h"
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair_derand
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*              - uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with 2*KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair_derand(uint8_t *pk,
+        uint8_t *sk,
+        const uint8_t *coins) {
+    PQCLEAN_MLKEM1024_CLEAN_indcpa_keypair_derand(pk, sk, coins);
+    memcpy(sk + KYBER_INDCPA_SECRETKEYBYTES, pk, KYBER_PUBLICKEYBYTES);
+    hash_h(sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+    /* Value z for pseudo-random output on reject */
+    memcpy(sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, coins + KYBER_SYMBYTES, KYBER_SYMBYTES);
+    return 0;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair
+*
+* Description: Generates public and private key
+*              for CCA-secure Kyber key encapsulation mechanism
+*
+* Arguments:   - uint8_t *pk: pointer to output public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - uint8_t *sk: pointer to output private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair(uint8_t *pk,
+        uint8_t *sk) {
+    uint8_t coins[2 * KYBER_SYMBYTES];
+    randombytes(coins, 2 * KYBER_SYMBYTES);
+    PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair_derand(pk, sk, coins);
+    return 0;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc_derand
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*              - const uint8_t *coins: pointer to input randomness
+*                (an already allocated array filled with KYBER_SYMBYTES random bytes)
+**
+* Returns 0 (success)
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc_derand(uint8_t *ct,
+        uint8_t *ss,
+        const uint8_t *pk,
+        const uint8_t *coins) {
+    uint8_t buf[2 * KYBER_SYMBYTES];
+    /* Will contain key, coins */
+    uint8_t kr[2 * KYBER_SYMBYTES];
+
+    memcpy(buf, coins, KYBER_SYMBYTES);
+
+    /* Multitarget countermeasure for coins + contributory KEM */
+    hash_h(buf + KYBER_SYMBYTES, pk, KYBER_PUBLICKEYBYTES);
+    hash_g(kr, buf, 2 * KYBER_SYMBYTES);
+
+    /* coins are in kr+KYBER_SYMBYTES */
+    PQCLEAN_MLKEM1024_CLEAN_indcpa_enc(ct, buf, pk, kr + KYBER_SYMBYTES);
+
+    memcpy(ss, kr, KYBER_SYMBYTES);
+    return 0;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc
+*
+* Description: Generates cipher text and shared
+*              secret for given public key
+*
+* Arguments:   - uint8_t *ct: pointer to output cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *pk: pointer to input public key
+*                (an already allocated array of KYBER_PUBLICKEYBYTES bytes)
+*
+* Returns 0 (success)
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc(uint8_t *ct,
+        uint8_t *ss,
+        const uint8_t *pk) {
+    uint8_t coins[KYBER_SYMBYTES];
+    randombytes(coins, KYBER_SYMBYTES);
+    PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc_derand(ct, ss, pk, coins);
+    return 0;
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_crypto_kem_dec
+*
+* Description: Generates shared secret for given
+*              cipher text and private key
+*
+* Arguments:   - uint8_t *ss: pointer to output shared secret
+*                (an already allocated array of KYBER_SSBYTES bytes)
+*              - const uint8_t *ct: pointer to input cipher text
+*                (an already allocated array of KYBER_CIPHERTEXTBYTES bytes)
+*              - const uint8_t *sk: pointer to input private key
+*                (an already allocated array of KYBER_SECRETKEYBYTES bytes)
+*
+* Returns 0.
+*
+* On failure, ss will contain a pseudo-random value.
+**************************************************/
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_dec(uint8_t *ss,
+        const uint8_t *ct,
+        const uint8_t *sk) {
+    int fail;
+    uint8_t buf[2 * KYBER_SYMBYTES];
+    /* Will contain key, coins */
+    uint8_t kr[2 * KYBER_SYMBYTES];
+    uint8_t cmp[KYBER_CIPHERTEXTBYTES + KYBER_SYMBYTES];
+    const uint8_t *pk = sk + KYBER_INDCPA_SECRETKEYBYTES;
+
+    PQCLEAN_MLKEM1024_CLEAN_indcpa_dec(buf, ct, sk);
+
+    /* Multitarget countermeasure for coins + contributory KEM */
+    memcpy(buf + KYBER_SYMBYTES, sk + KYBER_SECRETKEYBYTES - 2 * KYBER_SYMBYTES, KYBER_SYMBYTES);
+    hash_g(kr, buf, 2 * KYBER_SYMBYTES);
+
+    /* coins are in kr+KYBER_SYMBYTES */
+    PQCLEAN_MLKEM1024_CLEAN_indcpa_enc(cmp, buf, pk, kr + KYBER_SYMBYTES);
+
+    fail = PQCLEAN_MLKEM1024_CLEAN_verify(ct, cmp, KYBER_CIPHERTEXTBYTES);
+
+    /* Compute rejection key */
+    rkprf(ss, sk + KYBER_SECRETKEYBYTES - KYBER_SYMBYTES, ct);
+
+    /* Copy true key to return buffer if fail is false */
+    PQCLEAN_MLKEM1024_CLEAN_cmov(ss, kr, KYBER_SYMBYTES, (uint8_t) (1 - fail));
+
+    return 0;
+}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/kem.h

@@ -0,0 +1,23 @@
+#ifndef PQCLEAN_MLKEM1024_CLEAN_KEM_H
+#define PQCLEAN_MLKEM1024_CLEAN_KEM_H
+#include "params.h"
+#include <stdint.h>
+
+#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_SECRETKEYBYTES  KYBER_SECRETKEYBYTES
+#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_PUBLICKEYBYTES  KYBER_PUBLICKEYBYTES
+#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_CIPHERTEXTBYTES KYBER_CIPHERTEXTBYTES
+#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_BYTES           KYBER_SSBYTES
+
+#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_ALGNAME "ML-KEM-1024"
+
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
+
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
+
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+
+int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-1024/clean/ntt.c

@@ -0,0 +1,146 @@
+#include "ntt.h"
+#include "params.h"
+#include "reduce.h"
+#include <stdint.h>
+
+/* Code to generate PQCLEAN_MLKEM1024_CLEAN_zetas and zetas_inv used in the number-theoretic transform:
+
+#define KYBER_ROOT_OF_UNITY 17
+
+static const uint8_t tree[128] = {
+  0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120,
+  4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124,
+  2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122,
+  6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126,
+  1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121,
+  5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125,
+  3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123,
+  7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127
+};
+
+void init_ntt() {
+  unsigned int i;
+  int16_t tmp[128];
+
+  tmp[0] = MONT;
+  for(i=1;i<128;i++)
+    tmp[i] = fqmul(tmp[i-1],MONT*KYBER_ROOT_OF_UNITY % KYBER_Q);
+
+  for(i=0;i<128;i++) {
+    PQCLEAN_MLKEM1024_CLEAN_zetas[i] = tmp[tree[i]];
+    if(PQCLEAN_MLKEM1024_CLEAN_zetas[i] > KYBER_Q/2)
+      PQCLEAN_MLKEM1024_CLEAN_zetas[i] -= KYBER_Q;
+    if(PQCLEAN_MLKEM1024_CLEAN_zetas[i] < -KYBER_Q/2)
+      PQCLEAN_MLKEM1024_CLEAN_zetas[i] += KYBER_Q;
+  }
+}
+*/
+
+const int16_t PQCLEAN_MLKEM1024_CLEAN_zetas[128] = {
+    -1044,  -758,  -359, -1517,  1493,  1422,   287,   202,
+    -171,   622,  1577,   182,   962, -1202, -1474,  1468,
+    573, -1325,   264,   383,  -829,  1458, -1602,  -130,
+    -681,  1017,   732,   608, -1542,   411,  -205, -1571,
+    1223,   652,  -552,  1015, -1293,  1491,  -282, -1544,
+    516,    -8,  -320,  -666, -1618, -1162,   126,  1469,
+    -853,   -90,  -271,   830,   107, -1421,  -247,  -951,
+    -398,   961, -1508,  -725,   448, -1065,   677, -1275,
+    -1103,   430,   555,   843, -1251,   871,  1550,   105,
+    422,   587,   177,  -235,  -291,  -460,  1574,  1653,
+    -246,   778,  1159,  -147,  -777,  1483,  -602,  1119,
+    -1590,   644,  -872,   349,   418,   329,  -156,   -75,
+    817,  1097,   603,   610,  1322, -1285, -1465,   384,
+    -1215,  -136,  1218, -1335,  -874,   220, -1187, -1659,
+    -1185, -1530, -1278,   794, -1510,  -854,  -870,   478,
+    -108,  -308,   996,   991,   958, -1460,  1522,  1628
+};
+
+/*************************************************
+* Name:        fqmul
+*
+* Description: Multiplication followed by Montgomery reduction
+*
+* Arguments:   - int16_t a: first factor
+*              - int16_t b: second factor
+*
+* Returns 16-bit integer congruent to a*b*R^{-1} mod q
+**************************************************/
+static int16_t fqmul(int16_t a, int16_t b) {
+    return PQCLEAN_MLKEM1024_CLEAN_montgomery_reduce((int32_t)a * b);
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_ntt
+*
+* Description: Inplace number-theoretic transform (NTT) in Rq.
+*              input is in standard order, output is in bitreversed order
+*
+* Arguments:   - int16_t r[256]: pointer to input/output vector of elements of Zq
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_ntt(int16_t r[256]) {
+    unsigned int len, start, j, k;
+    int16_t t, zeta;
+
+    k = 1;
+    for (len = 128; len >= 2; len >>= 1) {
+        for (start = 0; start < 256; start = j + len) {
+            zeta = PQCLEAN_MLKEM1024_CLEAN_zetas[k++];
+            for (j = start; j < start + len; j++) {
+                t = fqmul(zeta, r[j + len]);
+                r[j + len] = r[j] - t;
+                r[j] = r[j] + t;
+            }
+        }
+    }
+}
+
+/*************************************************
+* Name:        invntt_tomont
+*
+* Description: Inplace inverse number-theoretic transform in Rq and
+*              multiplication by Montgomery factor 2^16.
+*              Input is in bitreversed order, output is in standard order
+*
+* Arguments:   - int16_t r[256]: pointer to input/output vector of elements of Zq
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_invntt(int16_t r[256]) {
+    unsigned int start, len, j, k;
+    int16_t t, zeta;
+    const int16_t f = 1441; // mont^2/128
+
+    k = 127;
+    for (len = 2; len <= 128; len <<= 1) {
+        for (start = 0; start < 256; start = j + len) {
+            zeta = PQCLEAN_MLKEM1024_CLEAN_zetas[k--];
+            for (j = start; j < start + len; j++) {
+                t = r[j];
+                r[j] = PQCLEAN_MLKEM1024_CLEAN_barrett_reduce(t + r[j + len]);
+                r[j + len] = r[j + len] - t;
+                r[j + len] = fqmul(zeta, r[j + len]);
+            }
+        }
+    }
+
+    for (j = 0; j < 256; j++) {
+        r[j] = fqmul(r[j], f);
+    }
+}
+
+/*************************************************
+* Name:        PQCLEAN_MLKEM1024_CLEAN_basemul
+*
+* Description: Multiplication of polynomials in Zq[X]/(X^2-zeta)
+*              used for multiplication of elements in Rq in NTT domain
+*
+* Arguments:   - int16_t r[2]: pointer to the output polynomial
+*              - const int16_t a[2]: pointer to the first factor
+*              - const int16_t b[2]: pointer to the second factor
+*              - int16_t zeta: integer defining the reduction polynomial
+**************************************************/
+void PQCLEAN_MLKEM1024_CLEAN_basemul(int16_t r[2], const int16_t a[2], const int16_t b[2], int16_t zeta) {
+    r[0]  = fqmul(a[1], b[1]);
+    r[0]  = fqmul(r[0], zeta);
+    r[0] += fqmul(a[0], b[0]);
+    r[1]  = fqmul(a[0], b[1]);
+    r[1] += fqmul(a[1], b[0]);
+}