pq_crypto 0.4.2 → 0.5.0

data/ext/pqcrypto/mldsa_api.h

@@ -1,121 +1,4 @@
 #ifndef MLDSA_API_H
 #define MLDSA_API_H
-
-#ifdef HAVE_PQCLEAN
-#include <stddef.h>
-#include <stdint.h>
-
-#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_SECRETKEYBYTES 2560
-#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_BYTES          2420
-#define PQCLEAN_MLDSA44_CLEAN_CRYPTO_ALGNAME "ML-DSA-44"
-
-#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES 4032
-#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES          3309
-#define PQCLEAN_MLDSA65_CLEAN_CRYPTO_ALGNAME "ML-DSA-65"
-
-#define PQCLEAN_MLDSA87_CLEAN_CRYPTO_PUBLICKEYBYTES 2592
-#define PQCLEAN_MLDSA87_CLEAN_CRYPTO_SECRETKEYBYTES 4896
-#define PQCLEAN_MLDSA87_CLEAN_CRYPTO_BYTES          4627
-#define PQCLEAN_MLDSA87_CLEAN_CRYPTO_ALGNAME "ML-DSA-87"
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_ctx(uint8_t *sm, size_t *smlen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_ctx(uint8_t *sm, size_t *smlen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_ctx(uint8_t *sm, size_t *smlen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *sk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_open_ctx(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_open_ctx(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_open_ctx(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *ctx, size_t ctxlen,
-        const uint8_t *pk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *sk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_signature(uint8_t *sig, size_t *siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *sk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
-                                      const uint8_t *m, size_t mlen,
-                                      const uint8_t *sk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
-                                      const uint8_t *m, size_t mlen,
-                                      const uint8_t *sk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign(uint8_t *sm, size_t *smlen,
-                                      const uint8_t *m, size_t mlen,
-                                      const uint8_t *sk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_verify(const uint8_t *sig, size_t siglen,
-        const uint8_t *m, size_t mlen,
-        const uint8_t *pk);
-
-int PQCLEAN_MLDSA44_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA65_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *pk);
-int PQCLEAN_MLDSA87_CLEAN_crypto_sign_open(uint8_t *m, size_t *mlen,
-        const uint8_t *sm, size_t smlen,
-        const uint8_t *pk);
-
-#endif
-
+#include "pqcrypto_native_api.h"
 #endif

data/ext/pqcrypto/mlkem_api.h

@@ -1,45 +1,4 @@
 #ifndef MLKEM_API_H
 #define MLKEM_API_H
-
-#ifdef HAVE_PQCLEAN
-#include <stdint.h>
-
-#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_SECRETKEYBYTES  1632
-#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_PUBLICKEYBYTES  800
-#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_CIPHERTEXTBYTES 768
-#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_BYTES           32
-#define PQCLEAN_MLKEM512_CLEAN_CRYPTO_ALGNAME "ML-KEM-512"
-
-int PQCLEAN_MLKEM512_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MLKEM512_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_MLKEM512_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-int PQCLEAN_MLKEM512_CLEAN_crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
-int PQCLEAN_MLKEM512_CLEAN_crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
-
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_SECRETKEYBYTES  2400
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_PUBLICKEYBYTES  1184
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_CIPHERTEXTBYTES 1088
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_BYTES           32
-#define PQCLEAN_MLKEM768_CLEAN_CRYPTO_ALGNAME "ML-KEM-768"
-
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
-int PQCLEAN_MLKEM768_CLEAN_crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
-
-#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_SECRETKEYBYTES  3168
-#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_PUBLICKEYBYTES  1568
-#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_CIPHERTEXTBYTES 1568
-#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_BYTES           32
-#define PQCLEAN_MLKEM1024_CLEAN_CRYPTO_ALGNAME "ML-KEM-1024"
-
-int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair(uint8_t *pk, uint8_t *sk);
-int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
-int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
-int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
-int PQCLEAN_MLKEM1024_CLEAN_crypto_kem_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
-
-#endif
-
+#include "pqcrypto_native_api.h"
 #endif

data/ext/pqcrypto/pq_externalmu.c

@@ -1,48 +1,57 @@
 #include "pqcrypto_secure.h"
 
-#undef PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES
-#undef PQCLEAN_MLDSA65_CLEAN_CRYPTO_SECRETKEYBYTES
-#undef PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES
+#include <openssl/evp.h>
 
 #include <stdint.h>
 #include <stddef.h>
+#include <stdlib.h>
 #include <string.h>
 
-#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/params.h"
-#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/packing.h"
-#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/polyvec.h"
-#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/poly.h"
-#include "vendor/pqclean/crypto_sign/ml-dsa-65/clean/symmetric.h"
-#include "fips202.h"
-#include "randombytes.h"
+typedef struct {
+    EVP_MD_CTX *ctx;
+} pq_mu_builder_t;
 
-#if CRHBYTES != PQ_MLDSA_MUBYTES
-#error "PQ_MLDSA_MUBYTES must match PQClean's CRHBYTES"
-#endif
-#if TRBYTES != PQ_MLDSA_TRBYTES
-#error "PQ_MLDSA_TRBYTES must match PQClean's TRBYTES"
-#endif
+static int pq_shake256(uint8_t *out, size_t out_len, const uint8_t *in, size_t in_len) {
+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    int ret = PQ_ERROR_OPENSSL;
+
+    if (!ctx) {
+        return PQ_ERROR_OPENSSL;
+    }
+    if (EVP_DigestInit_ex(ctx, EVP_shake256(), NULL) != 1) {
+        goto cleanup;
+    }
+    if (in_len > 0 && EVP_DigestUpdate(ctx, in, in_len) != 1) {
+        goto cleanup;
+    }
+    if (EVP_DigestFinalXOF(ctx, out, out_len) != 1) {
+        goto cleanup;
+    }
+    ret = PQ_SUCCESS;
+
+cleanup:
+    EVP_MD_CTX_free(ctx);
+    return ret;
+}
 
 int pq_mldsa_extract_tr_from_secret_key(uint8_t *tr_out, const uint8_t *secret_key) {
+    uint8_t public_key[MLDSA_PUBLICKEYBYTES];
+    int rc;
+
     if (tr_out == NULL || secret_key == NULL) {
         return PQ_ERROR_BUFFER;
     }
 
-    uint8_t rho[SEEDBYTES];
-    uint8_t key[SEEDBYTES];
-    polyveck t0;
-    polyvecl s1;
-    polyveck s2;
-
-    PQCLEAN_MLDSA65_CLEAN_unpack_sk(rho, tr_out, key, &t0, &s1, &s2, secret_key);
-
-    pq_secure_wipe(rho, sizeof(rho));
-    pq_secure_wipe(key, sizeof(key));
-    pq_secure_wipe(&t0, sizeof(t0));
-    pq_secure_wipe(&s1, sizeof(s1));
-    pq_secure_wipe(&s2, sizeof(s2));
+    memset(public_key, 0, sizeof(public_key));
+    rc = pqcr_mldsa65_pk_from_sk(public_key, secret_key);
+    if (rc != 0) {
+        pq_secure_wipe(public_key, sizeof(public_key));
+        return PQ_ERROR_KEYPAIR;
+    }
 
-    return PQ_SUCCESS;
+    rc = pq_shake256(tr_out, PQ_MLDSA_TRBYTES, public_key, sizeof(public_key));
+    pq_secure_wipe(public_key, sizeof(public_key));
+    return rc;
 }
 
 int pq_mldsa_compute_tr_from_public_key(uint8_t *tr_out, const uint8_t *public_key) {
@@ -50,8 +59,7 @@ int pq_mldsa_compute_tr_from_public_key(uint8_t *tr_out, const uint8_t *public_k
         return PQ_ERROR_BUFFER;
     }
 
-    shake256(tr_out, TRBYTES, public_key, PQCLEAN_MLDSA65_CLEAN_CRYPTO_PUBLICKEYBYTES);
-    return PQ_SUCCESS;
+    return pq_shake256(tr_out, PQ_MLDSA_TRBYTES, public_key, MLDSA_PUBLICKEYBYTES);
 }
 
 int pq_sign_mu(uint8_t *signature, size_t *signature_len, const uint8_t *mu,
@@ -60,118 +68,9 @@ int pq_sign_mu(uint8_t *signature, size_t *signature_len, const uint8_t *mu,
         return PQ_ERROR_BUFFER;
     }
 
-    unsigned int n;
-    uint8_t rho[SEEDBYTES];
-    uint8_t tr_unused[TRBYTES];
-    uint8_t key[SEEDBYTES];
-    uint8_t rnd[RNDBYTES];
-    uint8_t mu_local[CRHBYTES];
-    uint8_t rhoprime[CRHBYTES];
-    uint16_t nonce = 0;
-    polyvecl mat[K], s1, y, z;
-    polyveck t0, s2, w1, w0, h;
-    poly cp;
-    shake256incctx state;
-
-    PQCLEAN_MLDSA65_CLEAN_unpack_sk(rho, tr_unused, key, &t0, &s1, &s2, secret_key);
-    pq_secure_wipe(tr_unused, sizeof(tr_unused));
-
-    memcpy(mu_local, mu, CRHBYTES);
-
-    if (randombytes(rnd, RNDBYTES) != 0) {
-        pq_secure_wipe(rho, sizeof(rho));
-        pq_secure_wipe(key, sizeof(key));
-        pq_secure_wipe(rnd, sizeof(rnd));
-        pq_secure_wipe(mu_local, sizeof(mu_local));
-        pq_secure_wipe(&s1, sizeof(s1));
-        pq_secure_wipe(&s2, sizeof(s2));
-        pq_secure_wipe(&t0, sizeof(t0));
-        return PQ_ERROR_RANDOM;
-    }
-
-    {
-        uint8_t kr[SEEDBYTES + RNDBYTES + CRHBYTES];
-        memcpy(kr, key, SEEDBYTES);
-        memcpy(kr + SEEDBYTES, rnd, RNDBYTES);
-        memcpy(kr + SEEDBYTES + RNDBYTES, mu_local, CRHBYTES);
-        shake256(rhoprime, CRHBYTES, kr, sizeof(kr));
-        pq_secure_wipe(kr, sizeof(kr));
-    }
-
-    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_expand(mat, rho);
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&s1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&s2);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&t0);
-
-rej:
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
-    z = y;
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&z);
-    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&w1);
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_caddq(&w1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_decompose(&w1, &w0, &w1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_pack_w1(signature, &w1);
-
-    shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu_local, CRHBYTES);
-    shake256_inc_absorb(&state, signature, K * POLYW1_PACKEDBYTES);
-    shake256_inc_finalize(&state);
-    shake256_inc_squeeze(signature, CTILDEBYTES, &state);
-    shake256_inc_ctx_release(&state);
-
-    PQCLEAN_MLDSA65_CLEAN_poly_challenge(&cp, signature);
-    PQCLEAN_MLDSA65_CLEAN_poly_ntt(&cp);
-
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_invntt_tomont(&z);
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_add(&z, &z, &y);
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_reduce(&z);
-    if (PQCLEAN_MLDSA65_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) {
-        goto rej;
-    }
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&h);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_sub(&w0, &w0, &h);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w0);
-    if (PQCLEAN_MLDSA65_CLEAN_polyveck_chknorm(&w0, GAMMA2 - BETA)) {
-        goto rej;
-    }
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&h);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&h);
-    if (PQCLEAN_MLDSA65_CLEAN_polyveck_chknorm(&h, GAMMA2)) {
-        goto rej;
-    }
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_add(&w0, &w0, &h);
-    n = PQCLEAN_MLDSA65_CLEAN_polyveck_make_hint(&h, &w0, &w1);
-    if (n > OMEGA) {
-        goto rej;
-    }
-
-    PQCLEAN_MLDSA65_CLEAN_pack_sig(signature, signature, &z, &h);
-    *signature_len = PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES;
-
-    pq_secure_wipe(rho, sizeof(rho));
-    pq_secure_wipe(key, sizeof(key));
-    pq_secure_wipe(rnd, sizeof(rnd));
-    pq_secure_wipe(mu_local, sizeof(mu_local));
-    pq_secure_wipe(rhoprime, sizeof(rhoprime));
-    pq_secure_wipe(&s1, sizeof(s1));
-    pq_secure_wipe(&s2, sizeof(s2));
-    pq_secure_wipe(&t0, sizeof(t0));
-    pq_secure_wipe(&y, sizeof(y));
-    pq_secure_wipe(&z, sizeof(z));
-    pq_secure_wipe(&w0, sizeof(w0));
-    pq_secure_wipe(&cp, sizeof(cp));
-
-    return PQ_SUCCESS;
+    return pqcr_mldsa65_signature_extmu(signature, signature_len, mu, secret_key) == 0
+               ? PQ_SUCCESS
+               : PQ_ERROR_SIGN;
 }
 
 int pq_verify_mu(const uint8_t *signature, size_t signature_len, const uint8_t *mu,
@@ -179,71 +78,33 @@ int pq_verify_mu(const uint8_t *signature, size_t signature_len, const uint8_t *
     if (signature == NULL || mu == NULL || public_key == NULL) {
         return PQ_ERROR_BUFFER;
     }
-    if (signature_len != PQCLEAN_MLDSA65_CLEAN_CRYPTO_BYTES) {
+    if (signature_len != MLDSA_BYTES) {
         return PQ_ERROR_VERIFY;
     }
 
-    unsigned int i;
-    uint8_t buf[K * POLYW1_PACKEDBYTES];
-    uint8_t rho[SEEDBYTES];
-    uint8_t c[CTILDEBYTES];
-    uint8_t c2[CTILDEBYTES];
-    poly cp;
-    polyvecl mat[K], z;
-    polyveck t1, w1, h;
-    shake256incctx state;
+    return pqcr_mldsa65_verify_extmu(signature, signature_len, mu, public_key) == 0
+               ? PQ_SUCCESS
+               : PQ_ERROR_VERIFY;
+}
 
-    PQCLEAN_MLDSA65_CLEAN_unpack_pk(rho, &t1, public_key);
-    if (PQCLEAN_MLDSA65_CLEAN_unpack_sig(c, &z, &h, signature)) {
-        return PQ_ERROR_VERIFY;
-    }
-    if (PQCLEAN_MLDSA65_CLEAN_polyvecl_chknorm(&z, GAMMA1 - BETA)) {
-        return PQ_ERROR_VERIFY;
+void *pq_mu_builder_new(void) {
+    pq_mu_builder_t *builder = (pq_mu_builder_t *)calloc(1, sizeof(*builder));
+    if (builder == NULL) {
+        return NULL;
     }
 
-    PQCLEAN_MLDSA65_CLEAN_poly_challenge(&cp, c);
-    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_expand(mat, rho);
-
-    PQCLEAN_MLDSA65_CLEAN_polyvecl_ntt(&z);
-    PQCLEAN_MLDSA65_CLEAN_polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
-    PQCLEAN_MLDSA65_CLEAN_poly_ntt(&cp);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_shiftl(&t1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_ntt(&t1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_sub(&w1, &w1, &t1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_reduce(&w1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_invntt_tomont(&w1);
-
-    PQCLEAN_MLDSA65_CLEAN_polyveck_caddq(&w1);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_use_hint(&w1, &w1, &h);
-    PQCLEAN_MLDSA65_CLEAN_polyveck_pack_w1(buf, &w1);
-
-    shake256_inc_init(&state);
-    shake256_inc_absorb(&state, mu, CRHBYTES);
-    shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES);
-    shake256_inc_finalize(&state);
-    shake256_inc_squeeze(c2, CTILDEBYTES, &state);
-    shake256_inc_ctx_release(&state);
-
-    for (i = 0; i < CTILDEBYTES; ++i) {
-        if (c[i] != c2[i]) {
-            return PQ_ERROR_VERIFY;
-        }
+    builder->ctx = EVP_MD_CTX_new();
+    if (builder->ctx == NULL) {
+        free(builder);
+        return NULL;
     }
-
-    return PQ_SUCCESS;
-}
-
-void *pq_mu_builder_new(void) {
-    shake256incctx *state = (shake256incctx *)malloc(sizeof(shake256incctx));
-    if (state == NULL) {
+    if (EVP_DigestInit_ex(builder->ctx, EVP_shake256(), NULL) != 1) {
+        EVP_MD_CTX_free(builder->ctx);
+        free(builder);
         return NULL;
     }
 
-    shake256_inc_init(state);
-    return state;
+    return builder;
 }
 
 int pq_mu_builder_init(void *state_ptr, const uint8_t *tr, const uint8_t *ctx, size_t ctxlen) {
@@ -257,16 +118,19 @@ int pq_mu_builder_init(void *state_ptr, const uint8_t *tr, const uint8_t *ctx, s
         return PQ_ERROR_BUFFER;
     }
 
-    shake256incctx *state = (shake256incctx *)state_ptr;
-
+    pq_mu_builder_t *builder = (pq_mu_builder_t *)state_ptr;
     uint8_t prefix[2];
     prefix[0] = 0x00;
     prefix[1] = (uint8_t)ctxlen;
 
-    shake256_inc_absorb(state, tr, TRBYTES);
-    shake256_inc_absorb(state, prefix, sizeof(prefix));
-    if (ctxlen > 0) {
-        shake256_inc_absorb(state, ctx, ctxlen);
+    if (EVP_DigestUpdate(builder->ctx, tr, PQ_MLDSA_TRBYTES) != 1) {
+        return PQ_ERROR_OPENSSL;
+    }
+    if (EVP_DigestUpdate(builder->ctx, prefix, sizeof(prefix)) != 1) {
+        return PQ_ERROR_OPENSSL;
+    }
+    if (ctxlen > 0 && EVP_DigestUpdate(builder->ctx, ctx, ctxlen) != 1) {
+        return PQ_ERROR_OPENSSL;
     }
     return PQ_SUCCESS;
 }
@@ -282,9 +146,8 @@ int pq_mu_builder_absorb(void *state_ptr, const uint8_t *chunk, size_t chunk_len
         return PQ_ERROR_BUFFER;
     }
 
-    shake256incctx *state = (shake256incctx *)state_ptr;
-    shake256_inc_absorb(state, chunk, chunk_len);
-    return PQ_SUCCESS;
+    pq_mu_builder_t *builder = (pq_mu_builder_t *)state_ptr;
+    return EVP_DigestUpdate(builder->ctx, chunk, chunk_len) == 1 ? PQ_SUCCESS : PQ_ERROR_OPENSSL;
 }
 
 int pq_mu_builder_finalize(void *state_ptr, uint8_t *mu_out) {
@@ -292,11 +155,17 @@ int pq_mu_builder_finalize(void *state_ptr, uint8_t *mu_out) {
         return PQ_ERROR_BUFFER;
     }
 
-    shake256incctx *state = (shake256incctx *)state_ptr;
-    shake256_inc_finalize(state);
-    shake256_inc_squeeze(mu_out, CRHBYTES, state);
-    shake256_inc_ctx_release(state);
-    free(state);
+    pq_mu_builder_t *builder = (pq_mu_builder_t *)state_ptr;
+    if (EVP_DigestFinalXOF(builder->ctx, mu_out, PQ_MLDSA_MUBYTES) != 1) {
+        EVP_MD_CTX_free(builder->ctx);
+        builder->ctx = NULL;
+        free(builder);
+        return PQ_ERROR_OPENSSL;
+    }
+
+    EVP_MD_CTX_free(builder->ctx);
+    builder->ctx = NULL;
+    free(builder);
     return PQ_SUCCESS;
 }
 
@@ -304,7 +173,10 @@ void pq_mu_builder_release(void *state_ptr) {
     if (state_ptr == NULL) {
         return;
     }
-    shake256incctx *state = (shake256incctx *)state_ptr;
-    shake256_inc_ctx_release(state);
-    free(state);
+    pq_mu_builder_t *builder = (pq_mu_builder_t *)state_ptr;
+    if (builder->ctx != NULL) {
+        EVP_MD_CTX_free(builder->ctx);
+        builder->ctx = NULL;
+    }
+    free(builder);
 }

data/ext/pqcrypto/pqcrypto_native_api.h

@@ -0,0 +1,129 @@
+#ifndef PQCRYPTO_NATIVE_API_H
+#define PQCRYPTO_NATIVE_API_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+/*
+ * pq_crypto now builds only against PQ Code Package native libraries:
+ *   vendor/mlkem-native/mlkem
+ *   vendor/mldsa-native/mldsa
+ *
+ * The concrete public symbols below are produced by compiling each package as a
+ * multi-level build with:
+ *   MLK_CONFIG_NAMESPACE_PREFIX=pqcr_mlkem
+ *   MLD_CONFIG_NAMESPACE_PREFIX=pqcr_mldsa
+ * and MLK/MLD_CONFIG_MULTILEVEL_BUILD enabled. Do not add PQClean aliases here:
+ * we want one backend only so build/runtime failures point at the new stack.
+ */
+
+#define MLKEM512_SECRETKEYBYTES     1632
+#define MLKEM512_PUBLICKEYBYTES     800
+#define MLKEM512_CIPHERTEXTBYTES    768
+#define MLKEM512_SHAREDSECRETBYTES  32
+
+#define MLKEM768_SECRETKEYBYTES     2400
+#define MLKEM768_PUBLICKEYBYTES     1184
+#define MLKEM768_CIPHERTEXTBYTES    1088
+#define MLKEM768_SHAREDSECRETBYTES  32
+
+#define MLKEM1024_SECRETKEYBYTES    3168
+#define MLKEM1024_PUBLICKEYBYTES    1568
+#define MLKEM1024_CIPHERTEXTBYTES   1568
+#define MLKEM1024_SHAREDSECRETBYTES 32
+
+#define MLKEM_PUBLICKEYBYTES        MLKEM768_PUBLICKEYBYTES
+#define MLKEM_SECRETKEYBYTES        MLKEM768_SECRETKEYBYTES
+#define MLKEM_CIPHERTEXTBYTES       MLKEM768_CIPHERTEXTBYTES
+#define MLKEM_SHAREDSECRETBYTES     MLKEM768_SHAREDSECRETBYTES
+
+#define MLDSA44_SECRETKEYBYTES      2560
+#define MLDSA44_PUBLICKEYBYTES      1312
+#define MLDSA44_BYTES               2420
+
+#define MLDSA65_SECRETKEYBYTES      4032
+#define MLDSA65_PUBLICKEYBYTES      1952
+#define MLDSA65_BYTES               3309
+
+#define MLDSA87_SECRETKEYBYTES      4896
+#define MLDSA87_PUBLICKEYBYTES      2592
+#define MLDSA87_BYTES               4627
+
+#define MLDSA_PUBLICKEYBYTES        MLDSA65_PUBLICKEYBYTES
+#define MLDSA_SECRETKEYBYTES        MLDSA65_SECRETKEYBYTES
+#define MLDSA_BYTES                 MLDSA65_BYTES
+#define MLDSA_SEEDBYTES             32
+#define MLDSA_RNDBYTES              32
+#define MLDSA_TRBYTES               64
+#define MLDSA_CRHBYTES              64
+#define MLDSA_DOMAIN_SEPARATION_MAX_BYTES (2 + 255 + 11 + 64)
+#define MLDSA_PREHASH_NONE          0
+
+/* mlkem-native symbols: namespace prefix pqcr_mlkem + level suffix. */
+int pqcr_mlkem512_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mlkem512_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
+int pqcr_mlkem512_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+int pqcr_mlkem512_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+int pqcr_mlkem512_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+int pqcr_mlkem768_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mlkem768_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
+int pqcr_mlkem768_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+int pqcr_mlkem768_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+int pqcr_mlkem768_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+int pqcr_mlkem1024_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mlkem1024_keypair_derand(uint8_t *pk, uint8_t *sk, const uint8_t *coins);
+int pqcr_mlkem1024_enc(uint8_t *ct, uint8_t *ss, const uint8_t *pk);
+int pqcr_mlkem1024_enc_derand(uint8_t *ct, uint8_t *ss, const uint8_t *pk, const uint8_t *coins);
+int pqcr_mlkem1024_dec(uint8_t *ss, const uint8_t *ct, const uint8_t *sk);
+
+/* mldsa-native symbols: namespace prefix pqcr_mldsa + level suffix. */
+int pqcr_mldsa44_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mldsa44_keypair_internal(uint8_t *pk, uint8_t *sk, const uint8_t seed[MLDSA_SEEDBYTES]);
+int pqcr_mldsa44_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen,
+                           const uint8_t *ctx, size_t ctxlen, const uint8_t *sk);
+int pqcr_mldsa44_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *m,
+                                    size_t mlen, const uint8_t *pre, size_t prelen,
+                                    const uint8_t rnd[MLDSA_RNDBYTES], const uint8_t *sk,
+                                    int externalmu);
+int pqcr_mldsa44_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen,
+                        const uint8_t *ctx, size_t ctxlen, const uint8_t *pk);
+size_t pqcr_mldsa44_prepare_domain_separation_prefix(
+    uint8_t prefix[MLDSA_DOMAIN_SEPARATION_MAX_BYTES], const uint8_t *ph, size_t phlen,
+    const uint8_t *ctx, size_t ctxlen, int hashalg);
+
+int pqcr_mldsa65_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mldsa65_keypair_internal(uint8_t *pk, uint8_t *sk, const uint8_t seed[MLDSA_SEEDBYTES]);
+int pqcr_mldsa65_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen,
+                           const uint8_t *ctx, size_t ctxlen, const uint8_t *sk);
+int pqcr_mldsa65_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *m,
+                                    size_t mlen, const uint8_t *pre, size_t prelen,
+                                    const uint8_t rnd[MLDSA_RNDBYTES], const uint8_t *sk,
+                                    int externalmu);
+int pqcr_mldsa65_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen,
+                        const uint8_t *ctx, size_t ctxlen, const uint8_t *pk);
+size_t pqcr_mldsa65_prepare_domain_separation_prefix(
+    uint8_t prefix[MLDSA_DOMAIN_SEPARATION_MAX_BYTES], const uint8_t *ph, size_t phlen,
+    const uint8_t *ctx, size_t ctxlen, int hashalg);
+int pqcr_mldsa65_signature_extmu(uint8_t *sig, size_t *siglen, const uint8_t mu[MLDSA_CRHBYTES],
+                                 const uint8_t *sk);
+int pqcr_mldsa65_verify_extmu(const uint8_t *sig, size_t siglen, const uint8_t mu[MLDSA_CRHBYTES],
+                              const uint8_t *pk);
+int pqcr_mldsa65_pk_from_sk(uint8_t *pk, const uint8_t *sk);
+
+int pqcr_mldsa87_keypair(uint8_t *pk, uint8_t *sk);
+int pqcr_mldsa87_keypair_internal(uint8_t *pk, uint8_t *sk, const uint8_t seed[MLDSA_SEEDBYTES]);
+int pqcr_mldsa87_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen,
+                           const uint8_t *ctx, size_t ctxlen, const uint8_t *sk);
+int pqcr_mldsa87_signature_internal(uint8_t *sig, size_t *siglen, const uint8_t *m,
+                                    size_t mlen, const uint8_t *pre, size_t prelen,
+                                    const uint8_t rnd[MLDSA_RNDBYTES], const uint8_t *sk,
+                                    int externalmu);
+int pqcr_mldsa87_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen,
+                        const uint8_t *ctx, size_t ctxlen, const uint8_t *pk);
+size_t pqcr_mldsa87_prepare_domain_separation_prefix(
+    uint8_t prefix[MLDSA_DOMAIN_SEPARATION_MAX_BYTES], const uint8_t *ph, size_t phlen,
+    const uint8_t *ctx, size_t ctxlen, int hashalg);
+
+#endif