pq_crypto 0.4.2 → 0.5.0

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202.c

@@ -0,0 +1,277 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [FIPS204]
+ *   FIPS 204 Module-Lattice-Based Digital Signature Standard
+ *   National Institute of Standards and Technology
+ *   https://csrc.nist.gov/pubs/fips/204/final
+ *
+ * - [mupq]
+ *   Common files for pqm4, pqm3, pqriscv
+ *   Kannwischer, Petri, Rijneveld, Schwabe, Stoffelen
+ *   https://github.com/mupq/mupq
+ *
+ * - [supercop]
+ *   SUPERCOP benchmarking framework
+ *   Daniel J. Bernstein
+ *   http://bench.cr.yp.to/supercop.html
+ *
+ * - [tweetfips]
+ *   'tweetfips202' FIPS202 implementation
+ *   Van Assche, Bernstein, Schwabe
+ *   https://keccak.team/2015/tweetfips202.html
+ */
+
+/* Based on the CC0 implementation from @[mupq] and the public domain
+ * implementation @[supercop, crypto_hash/keccakc512/simple/]
+ * by Ronny Van Keer, and the public domain @[tweetfips] implementation. */
+
+#include <stddef.h>
+
+#include "../common.h"
+#include "../ct.h"
+#include "fips202.h"
+#include "keccakf1600.h"
+#if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
+
+/*************************************************
+ * Name:        keccak_init
+ *
+ * Description: Initializes the Keccak state.
+ *
+ * Arguments:   - uint64_t *s: pointer to Keccak state
+ **************************************************/
+static void keccak_init(uint64_t s[MLD_KECCAK_LANES])
+__contract__(
+  requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+)
+{
+  mld_memset(s, 0, sizeof(uint64_t) * MLD_KECCAK_LANES);
+}
+
+/*************************************************
+ * Name:        keccak_absorb
+ *
+ * Description: Absorb step of Keccak; incremental.
+ *
+ * Arguments:   - uint64_t *s: pointer to Keccak state
+ *              - unsigned int pos: position in current block to be absorbed
+ *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
+ *              - const uint8_t *in: pointer to input to be absorbed into s
+ *              - size_t inlen: length of input in bytes
+ *
+ * Returns new position pos in current block
+ **************************************************/
+static unsigned int keccak_absorb(uint64_t s[MLD_KECCAK_LANES],
+                                  unsigned int pos, unsigned int r,
+                                  const uint8_t *in, size_t inlen)
+__contract__(
+  requires(inlen <= MLD_MAX_BUFFER_SIZE)
+  requires(r > 0)
+  requires(r < sizeof(uint64_t) * MLD_KECCAK_LANES)
+  requires(pos <= r)
+  requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  requires(memory_no_alias(in, inlen))
+  assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  ensures(return_value < r))
+{
+  while (inlen >= r - pos)
+  __loop__(
+    assigns(pos, in, inlen,
+      memory_slice(s, sizeof(uint64_t) *  MLD_KECCAK_LANES))
+    invariant(inlen <= loop_entry(inlen))
+    invariant(pos <= r)
+    invariant(in == loop_entry(in) + (loop_entry(inlen) - inlen))
+    decreases(inlen + pos))
+  {
+    mld_keccakf1600_xor_bytes(s, in, pos, r - pos);
+    inlen -= r - pos;
+    in += r - pos;
+    mld_keccakf1600_permute(s);
+    pos = 0;
+  }
+  /* Safety: At this point, inlen < r, so the truncation to unsigned is safe. */
+  mld_keccakf1600_xor_bytes(s, in, pos, (unsigned)inlen);
+
+  /* Safety: At this point, inlen < r and pos <= r so the truncation to unsigned
+   * is safe. */
+  return (unsigned)(pos + inlen);
+}
+
+/*************************************************
+ * Name:        keccak_finalize
+ *
+ * Description: Finalize absorb step.
+ *
+ * Arguments:   - uint64_t *s: pointer to Keccak state
+ *              - unsigned int pos: position in current block to be absorbed
+ *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
+ *              - uint8_t p: domain separation byte
+ **************************************************/
+static void keccak_finalize(uint64_t s[MLD_KECCAK_LANES], unsigned int pos,
+                            unsigned int r, uint8_t p)
+__contract__(
+  requires(pos <= r && r < sizeof(uint64_t) * MLD_KECCAK_LANES)
+  requires((r / 8) >= 1)
+  requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+)
+{
+  uint8_t b = 0x80;
+  mld_keccakf1600_xor_bytes(s, &p, pos, 1);
+  mld_keccakf1600_xor_bytes(s, &b, r - 1, 1);
+}
+
+/*************************************************
+ * Name:        keccak_squeeze
+ *
+ * Description: Squeeze step of Keccak. Squeezes arbitratrily many bytes.
+ *              Modifies the state. Can be called multiple times to keep
+ *              squeezing, i.e., is incremental.
+ *
+ * Arguments:   - uint8_t *out: pointer to output data
+ *              - size_t outlen: number of bytes to be squeezed (written to out)
+ *              - uint64_t *s: pointer to input/output Keccak state
+ *              - unsigned int pos: number of bytes in current block already
+ *squeezed
+ *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
+ *
+ * Returns new position pos in current block
+ **************************************************/
+static unsigned int keccak_squeeze(uint8_t *out, size_t outlen,
+                                   uint64_t s[MLD_KECCAK_LANES],
+                                   unsigned int pos, unsigned int r)
+__contract__(
+  requires((r == SHAKE128_RATE && pos <= SHAKE128_RATE) ||
+           (r == SHAKE256_RATE && pos <= SHAKE256_RATE) ||
+           (r == SHA3_512_RATE && pos <= SHA3_512_RATE))
+  requires(outlen <= 8 * r /* somewhat arbitrary bound */)
+  requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  requires(memory_no_alias(out, outlen))
+  assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
+  assigns(memory_slice(out, outlen))
+  ensures(return_value <= r))
+{
+  unsigned int i;
+  size_t out_offset = 0;
+
+  /* Reference: This code is re-factored from the reference implementation
+   * to facilitate proof with CBMC and to improve readability.
+   *
+   * Take a mutable copy of outlen to count down the number of bytes
+   * still to squeeze. The initial value of outlen is needed for the CBMC
+   * assigns() clauses. */
+  size_t bytes_to_go = outlen;
+
+  while (bytes_to_go > 0)
+  __loop__(
+    assigns(i, bytes_to_go, pos, out_offset, memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES), memory_slice(out, outlen))
+    invariant(bytes_to_go <= outlen)
+    invariant(out_offset == outlen - bytes_to_go)
+    invariant(pos <= r)
+    decreases(bytes_to_go)
+  )
+  {
+    if (pos == r)
+    {
+      mld_keccakf1600_permute(s);
+      pos = 0;
+    }
+    /* Safety: If bytes_to_go < r - pos, truncation to unsigned is safe. */
+    i = bytes_to_go < r - pos ? (unsigned)bytes_to_go : r - pos;
+    mld_keccakf1600_extract_bytes(s, out + out_offset, pos, i);
+    bytes_to_go -= i;
+    pos += i;
+    out_offset += i;
+  }
+
+  return pos;
+}
+
+MLD_INTERNAL_API
+void mld_shake128_init(mld_shake128ctx *state)
+{
+  keccak_init(state->s);
+  state->pos = 0;
+}
+
+MLD_INTERNAL_API
+void mld_shake128_absorb(mld_shake128ctx *state, const uint8_t *in,
+                         size_t inlen)
+{
+  state->pos = keccak_absorb(state->s, state->pos, SHAKE128_RATE, in, inlen);
+}
+
+MLD_INTERNAL_API
+void mld_shake128_finalize(mld_shake128ctx *state)
+{
+  keccak_finalize(state->s, state->pos, SHAKE128_RATE, 0x1F);
+  state->pos = SHAKE128_RATE;
+}
+
+MLD_INTERNAL_API
+void mld_shake128_squeeze(uint8_t *out, size_t outlen, mld_shake128ctx *state)
+{
+  state->pos = keccak_squeeze(out, outlen, state->s, state->pos, SHAKE128_RATE);
+}
+
+MLD_INTERNAL_API
+void mld_shake128_release(mld_shake128ctx *state)
+{
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(state, sizeof(mld_shake128ctx));
+}
+
+MLD_INTERNAL_API
+void mld_shake256_init(mld_shake256ctx *state)
+{
+  keccak_init(state->s);
+  state->pos = 0;
+}
+
+MLD_INTERNAL_API
+void mld_shake256_absorb(mld_shake256ctx *state, const uint8_t *in,
+                         size_t inlen)
+{
+  state->pos = keccak_absorb(state->s, state->pos, SHAKE256_RATE, in, inlen);
+}
+
+MLD_INTERNAL_API
+void mld_shake256_finalize(mld_shake256ctx *state)
+{
+  keccak_finalize(state->s, state->pos, SHAKE256_RATE, 0x1F);
+  state->pos = SHAKE256_RATE;
+}
+
+MLD_INTERNAL_API
+void mld_shake256_squeeze(uint8_t *out, size_t outlen, mld_shake256ctx *state)
+{
+  state->pos = keccak_squeeze(out, outlen, state->s, state->pos, SHAKE256_RATE);
+}
+
+MLD_INTERNAL_API
+void mld_shake256_release(mld_shake256ctx *state)
+{
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(state, sizeof(mld_shake256ctx));
+}
+
+MLD_INTERNAL_API
+void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
+{
+  mld_shake256ctx state;
+
+  mld_shake256_init(&state);
+  mld_shake256_absorb(&state, in, inlen);
+  mld_shake256_finalize(&state);
+  mld_shake256_squeeze(out, outlen, &state);
+  mld_shake256_release(&state);
+}
+
+#endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202.h

@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLD_FIPS202_FIPS202_H
+#define MLD_FIPS202_FIPS202_H
+
+#include <stddef.h>
+#include "../cbmc.h"
+#include "../common.h"
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+#define SHA3_256_RATE 136
+#define SHA3_512_RATE 72
+#define MLD_KECCAK_LANES 25
+#define SHA3_256_HASHBYTES 32
+#define SHA3_512_HASHBYTES 64
+
+
+typedef struct
+{
+  uint64_t s[MLD_KECCAK_LANES];
+  unsigned int pos;
+} mld_shake128ctx;
+
+typedef struct
+{
+  uint64_t s[MLD_KECCAK_LANES];
+  unsigned int pos;
+} mld_shake256ctx;
+
+#define mld_shake128_init MLD_NAMESPACE(shake128_init)
+/*************************************************
+ * Name:        mld_shake128_init
+ *
+ * Description: Initializes state for use as SHAKE128 XOF
+ *
+ * Arguments:   - mld_shake128ctx *state: pointer to (uninitialized) state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake128_init(mld_shake128ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake128ctx)))
+  assigns(memory_slice(state, sizeof(mld_shake128ctx)))
+  ensures(state->pos == 0)
+);
+
+#define mld_shake128_absorb MLD_NAMESPACE(shake128_absorb)
+/*************************************************
+ * Name:        mld_shake128_absorb
+ *
+ * Description: Absorb step of the SHAKE128 XOF. Absorbs arbitrarily many bytes.
+ *              Can be called multiple times to absorb multiple chunks of data.
+ *
+ * Arguments:   - mld_shake128ctx *state: pointer to (initialized) output state
+ *              - const uint8_t *in: pointer to input to be absorbed into s
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake128_absorb(mld_shake128ctx *state, const uint8_t *in,
+                         size_t inlen)
+__contract__(
+  requires(inlen <= MLD_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(state, sizeof(mld_shake128ctx)))
+  requires(memory_no_alias(in, inlen))
+  requires(state->pos <= SHAKE128_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake128ctx)))
+  ensures(state->pos <= SHAKE128_RATE)
+);
+
+#define mld_shake128_finalize MLD_NAMESPACE(shake128_finalize)
+/*************************************************
+ * Name:        mld_shake128_finalize
+ *
+ * Description: Concludes the absorb phase of the SHAKE128 XOF.
+ *
+ * Arguments:   - mld_shake128ctx *state: pointer to state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake128_finalize(mld_shake128ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake128ctx)))
+  requires(state->pos <= SHAKE128_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake128ctx)))
+  ensures(state->pos <= SHAKE128_RATE)
+);
+
+#define mld_shake128_squeeze MLD_NAMESPACE(shake128_squeeze)
+/*************************************************
+ * Name:        mld_shake128_squeeze
+ *
+ * Description: Squeeze step of SHAKE128 XOF. Squeezes arbitrarily many
+ *              bytes. Can be called multiple times to keep squeezing.
+ *
+ * Arguments:   - uint8_t *out: pointer to output blocks
+ *              - size_t outlen : number of bytes to be squeezed (written to
+ *output)
+ *              - mld_shake128ctx *s: pointer to input/output state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake128_squeeze(uint8_t *out, size_t outlen, mld_shake128ctx *state)
+__contract__(
+  requires(outlen <= 8 * SHAKE128_RATE /* somewhat arbitrary bound */)
+  requires(memory_no_alias(state, sizeof(mld_shake128ctx)))
+  requires(memory_no_alias(out, outlen))
+  requires(state->pos <= SHAKE128_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake128ctx)))
+  assigns(memory_slice(out, outlen))
+  ensures(state->pos <= SHAKE128_RATE)
+);
+
+#define mld_shake128_release MLD_NAMESPACE(shake128_release)
+/*************************************************
+ * Name:        mld_shake128_release
+ *
+ * Description: Release and securely zero the SHAKE128 state.
+ *
+ * Arguments:   - mld_shake128ctx *state: pointer to state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake128_release(mld_shake128ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake128ctx)))
+  assigns(memory_slice(state, sizeof(mld_shake128ctx)))
+);
+
+#define mld_shake256_init MLD_NAMESPACE(shake256_init)
+/*************************************************
+ * Name:        mld_shake256_init
+ *
+ * Description: Initializes state for use as SHAKE256 XOF
+ *
+ * Arguments:   - mld_shake256ctx *state: pointer to (uninitialized) state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256_init(mld_shake256ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake256ctx)))
+  assigns(memory_slice(state, sizeof(mld_shake256ctx)))
+  ensures(state->pos == 0)
+);
+
+#define mld_shake256_absorb MLD_NAMESPACE(shake256_absorb)
+/*************************************************
+ * Name:        mld_shake256_absorb
+ *
+ * Description: Absorb step of the SHAKE256 XOF. Absorbs arbitrarily many bytes.
+ *              Can be called multiple times to absorb multiple chunks of data.
+ *
+ * Arguments:   - mld_shake256ctx *state: pointer to (initialized) output state
+ *              - const uint8_t *in: pointer to input to be absorbed into s
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256_absorb(mld_shake256ctx *state, const uint8_t *in,
+                         size_t inlen)
+__contract__(
+  requires(inlen <= MLD_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(state, sizeof(mld_shake256ctx)))
+  requires(memory_no_alias(in, inlen))
+  requires(state->pos <= SHAKE256_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake256ctx)))
+  ensures(state->pos <= SHAKE256_RATE)
+);
+
+#define mld_shake256_finalize MLD_NAMESPACE(shake256_finalize)
+/*************************************************
+ * Name:        mld_shake256_finalize
+ *
+ * Description: Concludes the absorb phase of the SHAKE256 XOF.
+ *
+ * Arguments:   - mld_shake256ctx *state: pointer to state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256_finalize(mld_shake256ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake256ctx)))
+  requires(state->pos <= SHAKE256_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake256ctx)))
+  ensures(state->pos <= SHAKE256_RATE)
+);
+
+#define mld_shake256_squeeze MLD_NAMESPACE(shake256_squeeze)
+/*************************************************
+ * Name:        mld_shake256_squeeze
+ *
+ * Description: Squeeze step of SHAKE256 XOF. Squeezes arbitrarily many
+ *              bytes. Can be called multiple times to keep squeezing.
+ *
+ * Arguments:   - uint8_t *out: pointer to output blocks
+ *              - size_t outlen : number of bytes to be squeezed (written to
+ *output)
+ *              - mld_shake256ctx *s: pointer to input/output state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256_squeeze(uint8_t *out, size_t outlen, mld_shake256ctx *state)
+__contract__(
+  requires(outlen <= 8 * SHAKE256_RATE /* somewhat arbitrary bound */)
+  requires(memory_no_alias(state, sizeof(mld_shake256ctx)))
+  requires(memory_no_alias(out, outlen))
+  requires(state->pos <= SHAKE256_RATE)
+  assigns(memory_slice(state, sizeof(mld_shake256ctx)))
+  assigns(memory_slice(out, outlen))
+  ensures(state->pos <= SHAKE256_RATE)
+);
+
+#define mld_shake256_release MLD_NAMESPACE(shake256_release)
+/*************************************************
+ * Name:        mld_shake256_release
+ *
+ * Description: Release and securely zero the SHAKE256 state.
+ *
+ * Arguments:   - mld_shake256ctx *state: pointer to state
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256_release(mld_shake256ctx *state)
+__contract__(
+  requires(memory_no_alias(state, sizeof(mld_shake256ctx)))
+  assigns(memory_slice(state, sizeof(mld_shake256ctx)))
+);
+
+#define mld_shake256 MLD_NAMESPACE(shake256)
+/*************************************************
+ * Name:        mld_shake256
+ *
+ * Description: SHAKE256 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *out: pointer to output
+ *              - size_t outlen: requested output length in bytes
+ *              - const uint8_t *in: pointer to input
+ *              - size_t inlen: length of input in bytes
+ **************************************************/
+MLD_INTERNAL_API
+void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
+__contract__(
+  requires(inlen <= MLD_MAX_BUFFER_SIZE)
+  requires(outlen <= 8 * SHAKE256_RATE /* somewhat arbitrary bound */)
+  requires(memory_no_alias(in, inlen))
+  requires(memory_no_alias(out, outlen))
+  assigns(memory_slice(out, outlen))
+);
+
+#endif /* !MLD_FIPS202_FIPS202_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202x4.c

@@ -0,0 +1,182 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [FIPS204]
+ *   FIPS 204 Module-Lattice-Based Digital Signature Standard
+ *   National Institute of Standards and Technology
+ *   https://csrc.nist.gov/pubs/fips/204/final
+ */
+
+#include "../common.h"
+#if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) && \
+    !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
+
+#include "../ct.h"
+#include "fips202.h"
+#include "fips202x4.h"
+#include "keccakf1600.h"
+
+static void mld_keccak_absorb_once_x4(uint64_t *s, uint32_t r,
+                                      const uint8_t *in0, const uint8_t *in1,
+                                      const uint8_t *in2, const uint8_t *in3,
+                                      size_t inlen, uint8_t p)
+__contract__(
+  requires(inlen <= MLD_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+  requires(r > 0)
+  requires(r <= sizeof(uint64_t) * MLD_KECCAK_LANES)
+  requires(memory_no_alias(in0, inlen))
+  requires(memory_no_alias(in1, inlen))
+  requires(memory_no_alias(in2, inlen))
+  requires(memory_no_alias(in3, inlen))
+  assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY)))
+{
+  while (inlen >= r)
+  __loop__(
+    assigns(inlen, in0, in1, in2, in3, memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+    invariant(inlen <= loop_entry(inlen))
+    invariant(in0 == loop_entry(in0) + (loop_entry(inlen) - inlen))
+    invariant(in1 == loop_entry(in1) + (loop_entry(inlen) - inlen))
+    invariant(in2 == loop_entry(in2) + (loop_entry(inlen) - inlen))
+    invariant(in3 == loop_entry(in3) + (loop_entry(inlen) - inlen))
+    decreases(inlen))
+  {
+    mld_keccakf1600x4_xor_bytes(s, in0, in1, in2, in3, 0, r);
+    mld_keccakf1600x4_permute(s);
+
+    in0 += r;
+    in1 += r;
+    in2 += r;
+    in3 += r;
+    inlen -= r;
+  }
+
+  /* Safety: At this point, inlen < r, so the truncations to unsigned are safe
+   * below. */
+  if (inlen > 0)
+  {
+    mld_keccakf1600x4_xor_bytes(s, in0, in1, in2, in3, 0, (unsigned)inlen);
+  }
+
+  if (inlen == r - 1)
+  {
+    p |= 128;
+    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, (unsigned)inlen, 1);
+  }
+  else
+  {
+    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, (unsigned)inlen, 1);
+    p = 128;
+    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, r - 1, 1);
+  }
+}
+
+static void mld_keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1,
+                                        uint8_t *out2, uint8_t *out3,
+                                        size_t nblocks, uint64_t *s, uint32_t r)
+__contract__(
+    requires(r <= sizeof(uint64_t) * MLD_KECCAK_LANES)
+    requires(nblocks <= 8 /* somewhat arbitrary bound */)
+    requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+    requires(memory_no_alias(out0, nblocks * r))
+    requires(memory_no_alias(out1, nblocks * r))
+    requires(memory_no_alias(out2, nblocks * r))
+    requires(memory_no_alias(out3, nblocks * r))
+    assigns(memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+    assigns(memory_slice(out0, nblocks * r))
+    assigns(memory_slice(out1, nblocks * r))
+    assigns(memory_slice(out2, nblocks * r))
+    assigns(memory_slice(out3, nblocks * r)))
+{
+  while (nblocks > 0)
+  __loop__(
+    assigns(out0, out1, out2, out3, nblocks,
+            memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY),
+            memory_slice(out0, nblocks * r),
+            memory_slice(out1, nblocks * r),
+            memory_slice(out2, nblocks * r),
+            memory_slice(out3, nblocks * r))
+    invariant(nblocks <= loop_entry(nblocks) &&
+      out0 == loop_entry(out0) + r * (loop_entry(nblocks) - nblocks) &&
+      out1 == loop_entry(out1) + r * (loop_entry(nblocks) - nblocks) &&
+      out2 == loop_entry(out2) + r * (loop_entry(nblocks) - nblocks) &&
+      out3 == loop_entry(out3) + r * (loop_entry(nblocks) - nblocks))
+    decreases(nblocks))
+  {
+    mld_keccakf1600x4_permute(s);
+    mld_keccakf1600x4_extract_bytes(s, out0, out1, out2, out3, 0, r);
+
+    out0 += r;
+    out1 += r;
+    out2 += r;
+    out3 += r;
+    nblocks--;
+  }
+}
+
+#if !defined(MLD_CONFIG_REDUCE_RAM)
+MLD_INTERNAL_API
+void mld_shake128x4_absorb_once(mld_shake128x4ctx *state, const uint8_t *in0,
+                                const uint8_t *in1, const uint8_t *in2,
+                                const uint8_t *in3, size_t inlen)
+{
+  mld_memset(state, 0, sizeof(mld_shake128x4ctx));
+  mld_keccak_absorb_once_x4(state->ctx, SHAKE128_RATE, in0, in1, in2, in3,
+                            inlen, 0x1F);
+}
+
+MLD_INTERNAL_API
+void mld_shake128x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2,
+                                  uint8_t *out3, size_t nblocks,
+                                  mld_shake128x4ctx *state)
+{
+  mld_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx,
+                              SHAKE128_RATE);
+}
+
+MLD_INTERNAL_API
+void mld_shake128x4_init(mld_shake128x4ctx *state) { (void)state; }
+MLD_INTERNAL_API
+void mld_shake128x4_release(mld_shake128x4ctx *state)
+{
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(state, sizeof(mld_shake128x4ctx));
+}
+#endif /* !MLD_CONFIG_REDUCE_RAM */
+
+MLD_INTERNAL_API
+void mld_shake256x4_absorb_once(mld_shake256x4ctx *state, const uint8_t *in0,
+                                const uint8_t *in1, const uint8_t *in2,
+                                const uint8_t *in3, size_t inlen)
+{
+  mld_memset(state, 0, sizeof(mld_shake256x4ctx));
+  mld_keccak_absorb_once_x4(state->ctx, SHAKE256_RATE, in0, in1, in2, in3,
+                            inlen, 0x1F);
+}
+
+MLD_INTERNAL_API
+void mld_shake256x4_squeezeblocks(uint8_t *out0, uint8_t *out1, uint8_t *out2,
+                                  uint8_t *out3, size_t nblocks,
+                                  mld_shake256x4ctx *state)
+{
+  mld_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, state->ctx,
+                              SHAKE256_RATE);
+}
+
+MLD_INTERNAL_API
+void mld_shake256x4_init(mld_shake256x4ctx *state) { (void)state; }
+MLD_INTERNAL_API
+void mld_shake256x4_release(mld_shake256x4ctx *state)
+{
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(state, sizeof(mld_shake256x4ctx));
+}
+
+#endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED && !MLD_CONFIG_SERIAL_FIPS202_ONLY \
+        */