pq_crypto 0.4.2 → 0.5.0

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/symmetric-shake.c

@@ -1,71 +0,0 @@
-#include "fips202.h"
-#include "params.h"
-#include "symmetric.h"
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_kyber_shake128_absorb
-*
-* Description: Absorb step of the SHAKE128 specialized for the Kyber context.
-*
-* Arguments:   - xof_state *state: pointer to (uninitialized) output Keccak state
-*              - const uint8_t *seed: pointer to KYBER_SYMBYTES input to be absorbed into state
-*              - uint8_t i: additional byte of input
-*              - uint8_t j: additional byte of input
-**************************************************/
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake128_absorb(xof_state *state,
-        const uint8_t seed[KYBER_SYMBYTES],
-        uint8_t x,
-        uint8_t y) {
-    uint8_t extseed[KYBER_SYMBYTES + 2];
-
-    memcpy(extseed, seed, KYBER_SYMBYTES);
-    extseed[KYBER_SYMBYTES + 0] = x;
-    extseed[KYBER_SYMBYTES + 1] = y;
-
-    shake128_absorb(state, extseed, sizeof(extseed));
-}
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_kyber_shake256_prf
-*
-* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
-*              and then generates outlen bytes of SHAKE256 output
-*
-* Arguments:   - uint8_t *out: pointer to output
-*              - size_t outlen: number of requested output bytes
-*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
-*              - uint8_t nonce: single-byte nonce (public PRF input)
-**************************************************/
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce) {
-    uint8_t extkey[KYBER_SYMBYTES + 1];
-
-    memcpy(extkey, key, KYBER_SYMBYTES);
-    extkey[KYBER_SYMBYTES] = nonce;
-
-    shake256(out, outlen, extkey, sizeof(extkey));
-}
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_kyber_shake256_prf
-*
-* Description: Usage of SHAKE256 as a PRF, concatenates secret and public input
-*              and then generates outlen bytes of SHAKE256 output
-*
-* Arguments:   - uint8_t *out: pointer to output
-*              - size_t outlen: number of requested output bytes
-*              - const uint8_t *key: pointer to the key (of length KYBER_SYMBYTES)
-*              - uint8_t nonce: single-byte nonce (public PRF input)
-**************************************************/
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]) {
-    shake256incctx s;
-
-    shake256_inc_init(&s);
-    shake256_inc_absorb(&s, key, KYBER_SYMBYTES);
-    shake256_inc_absorb(&s, input, KYBER_CIPHERTEXTBYTES);
-    shake256_inc_finalize(&s);
-    shake256_inc_squeeze(out, KYBER_SSBYTES, &s);
-    shake256_inc_ctx_release(&s);
-}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/symmetric.h

@@ -1,30 +0,0 @@
-#ifndef PQCLEAN_MLKEM512_CLEAN_SYMMETRIC_H
-#define PQCLEAN_MLKEM512_CLEAN_SYMMETRIC_H
-#include "fips202.h"
-#include "params.h"
-#include <stddef.h>
-#include <stdint.h>
-
-
-typedef shake128ctx xof_state;
-
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake128_absorb(xof_state *s,
-        const uint8_t seed[KYBER_SYMBYTES],
-        uint8_t x,
-        uint8_t y);
-
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake256_prf(uint8_t *out, size_t outlen, const uint8_t key[KYBER_SYMBYTES], uint8_t nonce);
-
-void PQCLEAN_MLKEM512_CLEAN_kyber_shake256_rkprf(uint8_t out[KYBER_SSBYTES], const uint8_t key[KYBER_SYMBYTES], const uint8_t input[KYBER_CIPHERTEXTBYTES]);
-
-#define XOF_BLOCKBYTES SHAKE128_RATE
-
-#define hash_h(OUT, IN, INBYTES) sha3_256(OUT, IN, INBYTES)
-#define hash_g(OUT, IN, INBYTES) sha3_512(OUT, IN, INBYTES)
-#define xof_absorb(STATE, SEED, X, Y) PQCLEAN_MLKEM512_CLEAN_kyber_shake128_absorb(STATE, SEED, X, Y)
-#define xof_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define xof_ctx_release(STATE) shake128_ctx_release(STATE)
-#define prf(OUT, OUTBYTES, KEY, NONCE) PQCLEAN_MLKEM512_CLEAN_kyber_shake256_prf(OUT, OUTBYTES, KEY, NONCE)
-#define rkprf(OUT, KEY, INPUT) PQCLEAN_MLKEM512_CLEAN_kyber_shake256_rkprf(OUT, KEY, INPUT)
-
-#endif /* SYMMETRIC_H */

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/verify.c

@@ -1,67 +0,0 @@
-#include "compat.h"
-#include "verify.h"
-#include <stddef.h>
-#include <stdint.h>
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_verify
-*
-* Description: Compare two arrays for equality in constant time.
-*
-* Arguments:   const uint8_t *a: pointer to first byte array
-*              const uint8_t *b: pointer to second byte array
-*              size_t len:       length of the byte arrays
-*
-* Returns 0 if the byte arrays are equal, 1 otherwise
-**************************************************/
-int PQCLEAN_MLKEM512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len) {
-    size_t i;
-    uint8_t r = 0;
-
-    for (i = 0; i < len; i++) {
-        r |= a[i] ^ b[i];
-    }
-
-    return (-(uint64_t)r) >> 63;
-}
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_cmov
-*
-* Description: Copy len bytes from x to r if b is 1;
-*              don't modify x if b is 0. Requires b to be in {0,1};
-*              assumes two's complement representation of negative integers.
-*              Runs in constant time.
-*
-* Arguments:   uint8_t *r:       pointer to output byte array
-*              const uint8_t *x: pointer to input byte array
-*              size_t len:       Amount of bytes to be copied
-*              uint8_t b:        Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_MLKEM512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b) {
-    size_t i;
-
-    PQCLEAN_PREVENT_BRANCH_HACK(b);
-
-    b = -b;
-    for (i = 0; i < len; i++) {
-        r[i] ^= b & (r[i] ^ x[i]);
-    }
-}
-
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM512_CLEAN_cmov_int16
-*
-* Description: Copy input v to *r if b is 1, don't modify *r if b is 0.
-*              Requires b to be in {0,1};
-*              Runs in constant time.
-*
-* Arguments:   int16_t *r:       pointer to output int16_t
-*              int16_t v:        input int16_t
-*              uint8_t b:        Condition bit; has to be in {0,1}
-**************************************************/
-void PQCLEAN_MLKEM512_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b) {
-    b = -b;
-    *r ^= b & ((*r) ^ v);
-}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-512/clean/verify.h

@@ -1,13 +0,0 @@
-#ifndef PQCLEAN_MLKEM512_CLEAN_VERIFY_H
-#define PQCLEAN_MLKEM512_CLEAN_VERIFY_H
-#include "params.h"
-#include <stddef.h>
-#include <stdint.h>
-
-int PQCLEAN_MLKEM512_CLEAN_verify(const uint8_t *a, const uint8_t *b, size_t len);
-
-void PQCLEAN_MLKEM512_CLEAN_cmov(uint8_t *r, const uint8_t *x, size_t len, uint8_t b);
-
-void PQCLEAN_MLKEM512_CLEAN_cmov_int16(int16_t *r, int16_t v, uint16_t b);
-
-#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/LICENSE

@@ -1,5 +0,0 @@
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/)
-
-For Keccak and AES we are using public-domain
-code from sources and by authors listed in
-comments on top of the respective files.

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile

@@ -1,19 +0,0 @@
-# This Makefile can be used with GNU Make or BSD Make
-
-LIB=libml-kem-768_clean.a
-HEADERS=api.h cbd.h indcpa.h kem.h ntt.h params.h poly.h polyvec.h reduce.h symmetric.h verify.h 
-OBJECTS=cbd.o indcpa.o kem.o ntt.o poly.o polyvec.o reduce.o symmetric-shake.o verify.o 
-
-CFLAGS=-O3 -Wall -Wextra -Wpedantic -Werror -Wmissing-prototypes -Wredundant-decls -std=c99 -I../../../common $(EXTRAFLAGS)
-
-all: $(LIB)
-
-%.o: %.c $(HEADERS)
-	$(CC) $(CFLAGS) -c -o $@ $<
-
-$(LIB): $(OBJECTS)
-	$(AR) -r $@ $(OBJECTS)
-
-clean:
-	$(RM) $(OBJECTS)
-	$(RM) $(LIB)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/Makefile.Microsoft_nmake

@@ -1,23 +0,0 @@
-# This Makefile can be used with Microsoft Visual Studio's nmake using the command:
-#    nmake /f Makefile.Microsoft_nmake
-
-LIBRARY=libml-kem-768_clean.lib
-OBJECTS=cbd.obj indcpa.obj kem.obj ntt.obj poly.obj polyvec.obj reduce.obj symmetric-shake.obj verify.obj 
-
-# Warning C4146 is raised when a unary minus operator is applied to an
-# unsigned type; this has nonetheless been standard and portable for as
-# long as there has been a C standard, and we need it for constant-time
-# computations. Thus, we disable that spurious warning.
-CFLAGS=/nologo /O2 /I ..\..\..\common /W4 /WX /wd4146
-
-all: $(LIBRARY)
-
-# Make sure objects are recompiled if headers change.
-$(OBJECTS): *.h
-
-$(LIBRARY): $(OBJECTS)
-    LIB.EXE /NOLOGO /WX /OUT:$@ $**
-
-clean:
-    -DEL $(OBJECTS)
-    -DEL $(LIBRARY)

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/api.h

@@ -1,18 +0,0 @@
-#ifndef PQCLEAN_MLKEM768_CLEAN_API_H
-#define PQCLEAN_MLKEM768_CLEAN_API_H
-
-#include <stdint.h>
-
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_SECRETKEYBYTES  2400
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_PUBLICKEYBYTES  1184
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_BYTES           32
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_ALGNAME "ML-KEM-768"
-
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-
-#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/cbd.c

@@ -1,83 +0,0 @@
-#include "cbd.h"
-#include "params.h"
-#include <stdint.h>
-
-/*************************************************
-* Name:        load32_littleendian
-*
-* Description: load 4 bytes into a 32-bit integer
-*              in little-endian order
-*
-* Arguments:   - const uint8_t *x: pointer to input byte array
-*
-* Returns 32-bit unsigned integer loaded from x
-**************************************************/
-static uint32_t load32_littleendian(const uint8_t x[4]) {
-    uint32_t r;
-    r  = (uint32_t)x[0];
-    r |= (uint32_t)x[1] << 8;
-    r |= (uint32_t)x[2] << 16;
-    r |= (uint32_t)x[3] << 24;
-    return r;
-}
-
-/*************************************************
-* Name:        load24_littleendian
-*
-* Description: load 3 bytes into a 32-bit integer
-*              in little-endian order.
-*              This function is only needed for Kyber-512
-*
-* Arguments:   - const uint8_t *x: pointer to input byte array
-*
-* Returns 32-bit unsigned integer loaded from x (most significant byte is zero)
-**************************************************/
-
-
-/*************************************************
-* Name:        cbd2
-*
-* Description: Given an array of uniformly random bytes, compute
-*              polynomial with coefficients distributed according to
-*              a centered binomial distribution with parameter eta=2
-*
-* Arguments:   - poly *r: pointer to output polynomial
-*              - const uint8_t *buf: pointer to input byte array
-**************************************************/
-static void cbd2(poly *r, const uint8_t buf[2 * KYBER_N / 4]) {
-    unsigned int i, j;
-    uint32_t t, d;
-    int16_t a, b;
-
-    for (i = 0; i < KYBER_N / 8; i++) {
-        t  = load32_littleendian(buf + 4 * i);
-        d  = t & 0x55555555;
-        d += (t >> 1) & 0x55555555;
-
-        for (j = 0; j < 8; j++) {
-            a = (d >> (4 * j + 0)) & 0x3;
-            b = (d >> (4 * j + 2)) & 0x3;
-            r->coeffs[8 * i + j] = a - b;
-        }
-    }
-}
-
-/*************************************************
-* Name:        cbd3
-*
-* Description: Given an array of uniformly random bytes, compute
-*              polynomial with coefficients distributed according to
-*              a centered binomial distribution with parameter eta=3.
-*              This function is only needed for Kyber-512
-*
-* Arguments:   - poly *r: pointer to output polynomial
-*              - const uint8_t *buf: pointer to input byte array
-**************************************************/
-
-void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]) {
-    cbd2(r, buf);
-}
-
-void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]) {
-    cbd2(r, buf);
-}

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/cbd.h

@@ -1,11 +0,0 @@
-#ifndef PQCLEAN_MLKEM768_CLEAN_CBD_H
-#define PQCLEAN_MLKEM768_CLEAN_CBD_H
-#include "params.h"
-#include "poly.h"
-#include <stdint.h>
-
-void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta1(poly *r, const uint8_t buf[KYBER_ETA1 * KYBER_N / 4]);
-
-void PQCLEAN_MLKEM768_CLEAN_poly_cbd_eta2(poly *r, const uint8_t buf[KYBER_ETA2 * KYBER_N / 4]);
-
-#endif

data/ext/pqcrypto/vendor/pqclean/crypto_kem/ml-kem-768/clean/indcpa.c

@@ -1,327 +0,0 @@
-#include "indcpa.h"
-#include "ntt.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-
-/*************************************************
-* Name:        pack_pk
-*
-* Description: Serialize the public key as concatenation of the
-*              serialized vector of polynomials pk
-*              and the public seed used to generate the matrix A.
-*
-* Arguments:   uint8_t *r: pointer to the output serialized public key
-*              polyvec *pk: pointer to the input public-key polyvec
-*              const uint8_t *seed: pointer to the input public seed
-**************************************************/
-static void pack_pk(uint8_t r[KYBER_INDCPA_PUBLICKEYBYTES],
-                    polyvec *pk,
-                    const uint8_t seed[KYBER_SYMBYTES]) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes(r, pk);
-    memcpy(r + KYBER_POLYVECBYTES, seed, KYBER_SYMBYTES);
-}
-
-/*************************************************
-* Name:        unpack_pk
-*
-* Description: De-serialize public key from a byte array;
-*              approximate inverse of pack_pk
-*
-* Arguments:   - polyvec *pk: pointer to output public-key polynomial vector
-*              - uint8_t *seed: pointer to output seed to generate matrix A
-*              - const uint8_t *packedpk: pointer to input serialized public key
-**************************************************/
-static void unpack_pk(polyvec *pk,
-                      uint8_t seed[KYBER_SYMBYTES],
-                      const uint8_t packedpk[KYBER_INDCPA_PUBLICKEYBYTES]) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_frombytes(pk, packedpk);
-    memcpy(seed, packedpk + KYBER_POLYVECBYTES, KYBER_SYMBYTES);
-}
-
-/*************************************************
-* Name:        pack_sk
-*
-* Description: Serialize the secret key
-*
-* Arguments:   - uint8_t *r: pointer to output serialized secret key
-*              - polyvec *sk: pointer to input vector of polynomials (secret key)
-**************************************************/
-static void pack_sk(uint8_t r[KYBER_INDCPA_SECRETKEYBYTES], polyvec *sk) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_tobytes(r, sk);
-}
-
-/*************************************************
-* Name:        unpack_sk
-*
-* Description: De-serialize the secret key; inverse of pack_sk
-*
-* Arguments:   - polyvec *sk: pointer to output vector of polynomials (secret key)
-*              - const uint8_t *packedsk: pointer to input serialized secret key
-**************************************************/
-static void unpack_sk(polyvec *sk, const uint8_t packedsk[KYBER_INDCPA_SECRETKEYBYTES]) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_frombytes(sk, packedsk);
-}
-
-/*************************************************
-* Name:        pack_ciphertext
-*
-* Description: Serialize the ciphertext as concatenation of the
-*              compressed and serialized vector of polynomials b
-*              and the compressed and serialized polynomial v
-*
-* Arguments:   uint8_t *r: pointer to the output serialized ciphertext
-*              poly *pk: pointer to the input vector of polynomials b
-*              poly *v: pointer to the input polynomial v
-**************************************************/
-static void pack_ciphertext(uint8_t r[KYBER_INDCPA_BYTES], polyvec *b, poly *v) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_compress(r, b);
-    PQCLEAN_MLKEM768_CLEAN_poly_compress(r + KYBER_POLYVECCOMPRESSEDBYTES, v);
-}
-
-/*************************************************
-* Name:        unpack_ciphertext
-*
-* Description: De-serialize and decompress ciphertext from a byte array;
-*              approximate inverse of pack_ciphertext
-*
-* Arguments:   - polyvec *b: pointer to the output vector of polynomials b
-*              - poly *v: pointer to the output polynomial v
-*              - const uint8_t *c: pointer to the input serialized ciphertext
-**************************************************/
-static void unpack_ciphertext(polyvec *b, poly *v, const uint8_t c[KYBER_INDCPA_BYTES]) {
-    PQCLEAN_MLKEM768_CLEAN_polyvec_decompress(b, c);
-    PQCLEAN_MLKEM768_CLEAN_poly_decompress(v, c + KYBER_POLYVECCOMPRESSEDBYTES);
-}
-
-/*************************************************
-* Name:        rej_uniform
-*
-* Description: Run rejection sampling on uniform random bytes to generate
-*              uniform random integers mod q
-*
-* Arguments:   - int16_t *r: pointer to output buffer
-*              - unsigned int len: requested number of 16-bit integers (uniform mod q)
-*              - const uint8_t *buf: pointer to input buffer (assumed to be uniformly random bytes)
-*              - unsigned int buflen: length of input buffer in bytes
-*
-* Returns number of sampled 16-bit integers (at most len)
-**************************************************/
-static unsigned int rej_uniform(int16_t *r,
-                                unsigned int len,
-                                const uint8_t *buf,
-                                unsigned int buflen) {
-    unsigned int ctr, pos;
-    uint16_t val0, val1;
-
-    ctr = pos = 0;
-    while (ctr < len && pos + 3 <= buflen) {
-        val0 = ((buf[pos + 0] >> 0) | ((uint16_t)buf[pos + 1] << 8)) & 0xFFF;
-        val1 = ((buf[pos + 1] >> 4) | ((uint16_t)buf[pos + 2] << 4)) & 0xFFF;
-        pos += 3;
-
-        if (val0 < KYBER_Q) {
-            r[ctr++] = val0;
-        }
-        if (ctr < len && val1 < KYBER_Q) {
-            r[ctr++] = val1;
-        }
-    }
-
-    return ctr;
-}
-
-#define gen_a(A,B)  PQCLEAN_MLKEM768_CLEAN_gen_matrix(A,B,0)
-#define gen_at(A,B) PQCLEAN_MLKEM768_CLEAN_gen_matrix(A,B,1)
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM768_CLEAN_gen_matrix
-*
-* Description: Deterministically generate matrix A (or the transpose of A)
-*              from a seed. Entries of the matrix are polynomials that look
-*              uniformly random. Performs rejection sampling on output of
-*              a XOF
-*
-* Arguments:   - polyvec *a: pointer to ouptput matrix A
-*              - const uint8_t *seed: pointer to input seed
-*              - int transposed: boolean deciding whether A or A^T is generated
-**************************************************/
-
-#define GEN_MATRIX_NBLOCKS ((12*KYBER_N/8*(1 << 12)/KYBER_Q + XOF_BLOCKBYTES)/XOF_BLOCKBYTES)
-// Not static for benchmarking
-void PQCLEAN_MLKEM768_CLEAN_gen_matrix(polyvec *a, const uint8_t seed[KYBER_SYMBYTES], int transposed) {
-    unsigned int ctr, i, j;
-    unsigned int buflen;
-    uint8_t buf[GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES];
-    xof_state state;
-
-    for (i = 0; i < KYBER_K; i++) {
-        for (j = 0; j < KYBER_K; j++) {
-            if (transposed) {
-                xof_absorb(&state, seed, (uint8_t)i, (uint8_t)j);
-            } else {
-                xof_absorb(&state, seed, (uint8_t)j, (uint8_t)i);
-            }
-
-            xof_squeezeblocks(buf, GEN_MATRIX_NBLOCKS, &state);
-            buflen = GEN_MATRIX_NBLOCKS * XOF_BLOCKBYTES;
-            ctr = rej_uniform(a[i].vec[j].coeffs, KYBER_N, buf, buflen);
-
-            while (ctr < KYBER_N) {
-                xof_squeezeblocks(buf, 1, &state);
-                buflen = XOF_BLOCKBYTES;
-                ctr += rej_uniform(a[i].vec[j].coeffs + ctr, KYBER_N - ctr, buf, buflen);
-            }
-            xof_ctx_release(&state);
-        }
-    }
-}
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM768_CLEAN_indcpa_keypair_derand
-*
-* Description: Generates public and private key for the CPA-secure
-*              public-key encryption scheme underlying Kyber
-*
-* Arguments:   - uint8_t *pk: pointer to output public key
-*                             (of length KYBER_INDCPA_PUBLICKEYBYTES bytes)
-*              - uint8_t *sk: pointer to output private key
-*                             (of length KYBER_INDCPA_SECRETKEYBYTES bytes)
-*              - const uint8_t *coins: pointer to input randomness
-*                             (of length KYBER_SYMBYTES bytes)
-**************************************************/
-void PQCLEAN_MLKEM768_CLEAN_indcpa_keypair_derand(uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-        uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES],
-        const uint8_t coins[KYBER_SYMBYTES]) {
-    unsigned int i;
-    uint8_t buf[2 * KYBER_SYMBYTES];
-    const uint8_t *publicseed = buf;
-    const uint8_t *noiseseed = buf + KYBER_SYMBYTES;
-    uint8_t nonce = 0;
-    polyvec a[KYBER_K], e, pkpv, skpv;
-
-    memcpy(buf, coins, KYBER_SYMBYTES);
-    buf[KYBER_SYMBYTES] = KYBER_K;
-    hash_g(buf, buf, KYBER_SYMBYTES + 1);
-
-    gen_a(a, publicseed);
-
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1(&skpv.vec[i], noiseseed, nonce++);
-    }
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1(&e.vec[i], noiseseed, nonce++);
-    }
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(&skpv);
-    PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(&e);
-
-    // matrix-vector multiplication
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(&pkpv.vec[i], &a[i], &skpv);
-        PQCLEAN_MLKEM768_CLEAN_poly_tomont(&pkpv.vec[i]);
-    }
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_add(&pkpv, &pkpv, &e);
-    PQCLEAN_MLKEM768_CLEAN_polyvec_reduce(&pkpv);
-
-    pack_sk(sk, &skpv);
-    pack_pk(pk, &pkpv, publicseed);
-}
-
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM768_CLEAN_indcpa_enc
-*
-* Description: Encryption function of the CPA-secure
-*              public-key encryption scheme underlying Kyber.
-*
-* Arguments:   - uint8_t *c: pointer to output ciphertext
-*                            (of length KYBER_INDCPA_BYTES bytes)
-*              - const uint8_t *m: pointer to input message
-*                                  (of length KYBER_INDCPA_MSGBYTES bytes)
-*              - const uint8_t *pk: pointer to input public key
-*                                   (of length KYBER_INDCPA_PUBLICKEYBYTES)
-*              - const uint8_t *coins: pointer to input random coins used as seed
-*                                      (of length KYBER_SYMBYTES) to deterministically
-*                                      generate all randomness
-**************************************************/
-void PQCLEAN_MLKEM768_CLEAN_indcpa_enc(uint8_t c[KYBER_INDCPA_BYTES],
-                                       const uint8_t m[KYBER_INDCPA_MSGBYTES],
-                                       const uint8_t pk[KYBER_INDCPA_PUBLICKEYBYTES],
-                                       const uint8_t coins[KYBER_SYMBYTES]) {
-    unsigned int i;
-    uint8_t seed[KYBER_SYMBYTES];
-    uint8_t nonce = 0;
-    polyvec sp, pkpv, ep, at[KYBER_K], b;
-    poly v, k, epp;
-
-    unpack_pk(&pkpv, seed, pk);
-    PQCLEAN_MLKEM768_CLEAN_poly_frommsg(&k, m);
-    gen_at(at, seed);
-
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta1(sp.vec + i, coins, nonce++);
-    }
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta2(ep.vec + i, coins, nonce++);
-    }
-    PQCLEAN_MLKEM768_CLEAN_poly_getnoise_eta2(&epp, coins, nonce++);
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(&sp);
-
-    // matrix-vector multiplication
-    for (i = 0; i < KYBER_K; i++) {
-        PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(&b.vec[i], &at[i], &sp);
-    }
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(&v, &pkpv, &sp);
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_invntt_tomont(&b);
-    PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont(&v);
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_add(&b, &b, &ep);
-    PQCLEAN_MLKEM768_CLEAN_poly_add(&v, &v, &epp);
-    PQCLEAN_MLKEM768_CLEAN_poly_add(&v, &v, &k);
-    PQCLEAN_MLKEM768_CLEAN_polyvec_reduce(&b);
-    PQCLEAN_MLKEM768_CLEAN_poly_reduce(&v);
-
-    pack_ciphertext(c, &b, &v);
-}
-
-/*************************************************
-* Name:        PQCLEAN_MLKEM768_CLEAN_indcpa_dec
-*
-* Description: Decryption function of the CPA-secure
-*              public-key encryption scheme underlying Kyber.
-*
-* Arguments:   - uint8_t *m: pointer to output decrypted message
-*                            (of length KYBER_INDCPA_MSGBYTES)
-*              - const uint8_t *c: pointer to input ciphertext
-*                                  (of length KYBER_INDCPA_BYTES)
-*              - const uint8_t *sk: pointer to input secret key
-*                                   (of length KYBER_INDCPA_SECRETKEYBYTES)
-**************************************************/
-void PQCLEAN_MLKEM768_CLEAN_indcpa_dec(uint8_t m[KYBER_INDCPA_MSGBYTES],
-                                       const uint8_t c[KYBER_INDCPA_BYTES],
-                                       const uint8_t sk[KYBER_INDCPA_SECRETKEYBYTES]) {
-    polyvec b, skpv;
-    poly v, mp;
-
-    unpack_ciphertext(&b, &v, c);
-    unpack_sk(&skpv, sk);
-
-    PQCLEAN_MLKEM768_CLEAN_polyvec_ntt(&b);
-    PQCLEAN_MLKEM768_CLEAN_polyvec_basemul_acc_montgomery(&mp, &skpv, &b);
-    PQCLEAN_MLKEM768_CLEAN_poly_invntt_tomont(&mp);
-
-    PQCLEAN_MLKEM768_CLEAN_poly_sub(&mp, &v, &mp);
-    PQCLEAN_MLKEM768_CLEAN_poly_reduce(&mp);
-
-    PQCLEAN_MLKEM768_CLEAN_poly_tomsg(m, &mp);
-}