pq_crypto 0.4.2 → 0.5.0

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/symmetric.h

@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLD_SYMMETRIC_H
+#define MLD_SYMMETRIC_H
+
+#include "cbmc.h"
+#include "common.h"
+
+#include MLD_FIPS202_HEADER_FILE
+#if !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
+#include MLD_FIPS202X4_HEADER_FILE
+#endif
+
+#define MLD_STREAM128_BLOCKBYTES SHAKE128_RATE
+#define MLD_STREAM256_BLOCKBYTES SHAKE256_RATE
+
+#define mld_xof256_ctx mld_shake256ctx
+#define mld_xof256_init(CTX) mld_shake256_init(CTX)
+
+#define mld_xof256_absorb_once(CTX, IN, INBYTES) \
+  do                                             \
+  {                                              \
+    mld_shake256_absorb(CTX, IN, INBYTES);       \
+    mld_shake256_finalize(CTX);                  \
+  } while (0)
+
+
+#define mld_xof256_release(CTX) mld_shake256_release(CTX)
+#define mld_xof256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
+  mld_shake256_squeeze(OUT, (OUTBLOCKS) * SHAKE256_RATE, STATE)
+
+#define mld_xof128_ctx mld_shake128ctx
+#define mld_xof128_init(CTX) mld_shake128_init(CTX)
+
+#define mld_xof128_absorb_once(CTX, IN, INBYTES) \
+  do                                             \
+  {                                              \
+    mld_shake128_absorb(CTX, IN, INBYTES);       \
+    mld_shake128_finalize(CTX);                  \
+  } while (0)
+
+#define mld_xof128_release(CTX) mld_shake128_release(CTX)
+#define mld_xof128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
+  mld_shake128_squeeze(OUT, (OUTBLOCKS) * SHAKE128_RATE, STATE)
+
+#define mld_xof256_x4_ctx mld_shake256x4ctx
+#define mld_xof256_x4_init(CTX) mld_shake256x4_init((CTX))
+#define mld_xof256_x4_absorb(CTX, IN, INBYTES)                          \
+  mld_shake256x4_absorb_once((CTX), (IN)[0], (IN)[1], (IN)[2], (IN)[3], \
+                             (INBYTES))
+#define mld_xof256_x4_squeezeblocks(BUF, NBLOCKS, CTX)                 \
+  mld_shake256x4_squeezeblocks((BUF)[0], (BUF)[1], (BUF)[2], (BUF)[3], \
+                               (NBLOCKS), (CTX))
+#define mld_xof256_x4_release(CTX) mld_shake256x4_release((CTX))
+
+#define mld_xof128_x4_ctx mld_shake128x4ctx
+#define mld_xof128_x4_init(CTX) mld_shake128x4_init((CTX))
+#define mld_xof128_x4_absorb(CTX, IN, INBYTES)                          \
+  mld_shake128x4_absorb_once((CTX), (IN)[0], (IN)[1], (IN)[2], (IN)[3], \
+                             (INBYTES))
+#define mld_xof128_x4_squeezeblocks(BUF, NBLOCKS, CTX)                 \
+  mld_shake128x4_squeezeblocks((BUF)[0], (BUF)[1], (BUF)[2], (BUF)[3], \
+                               (NBLOCKS), (CTX))
+#define mld_xof128_x4_release(CTX) mld_shake128x4_release((CTX))
+
+#endif /* !MLD_SYMMETRIC_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/sys.h

@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+#ifndef MLD_SYS_H
+#define MLD_SYS_H
+
+#if !defined(MLD_CONFIG_NO_ASM) && (defined(__GNUC__) || defined(__clang__))
+#define MLD_HAVE_INLINE_ASM
+#endif
+
+/* Try to find endianness, if not forced through CFLAGS already */
+#if !defined(MLD_SYS_LITTLE_ENDIAN) && !defined(MLD_SYS_BIG_ENDIAN)
+#if defined(__BYTE_ORDER__)
+#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
+#define MLD_SYS_LITTLE_ENDIAN
+#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+#define MLD_SYS_BIG_ENDIAN
+#else
+#error "__BYTE_ORDER__ defined, but don't recognize value."
+#endif
+#endif /* __BYTE_ORDER__ */
+
+/* MSVC does not define __BYTE_ORDER__. However, MSVC only supports
+ * little endian x86, x86_64, and AArch64. It is, hence, safe to assume
+ * little endian. */
+#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || \
+                          defined(_M_IX86) || defined(_M_ARM64))
+#define MLD_SYS_LITTLE_ENDIAN
+#endif
+
+#endif /* !MLD_SYS_LITTLE_ENDIAN && !MLD_SYS_BIG_ENDIAN */
+
+/* Check if we're running on an AArch64 little endian system. _M_ARM64 is set by
+ * MSVC. */
+#if defined(__AARCH64EL__) || defined(_M_ARM64)
+#define MLD_SYS_AARCH64
+#endif
+
+/* Check if we're running on an AArch64 big endian system. */
+#if defined(__AARCH64EB__)
+#define MLD_SYS_AARCH64_EB
+#endif
+
+/* Check if we're running on an Armv8.1-M system with MVE */
+#if defined(__ARM_ARCH_8_1M_MAIN__) || defined(__ARM_FEATURE_MVE)
+#define MLD_SYS_ARMV81M_MVE
+#endif
+
+#if defined(__x86_64__)
+#define MLD_SYS_X86_64
+#if defined(__AVX2__)
+#define MLD_SYS_X86_64_AVX2
+#endif
+#endif /* __x86_64__ */
+
+#if defined(MLD_SYS_LITTLE_ENDIAN) && defined(__powerpc64__)
+#define MLD_SYS_PPC64LE
+#endif
+
+#if defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 64
+#define MLD_SYS_RISCV64
+#endif
+
+#if defined(MLD_SYS_RISCV64) && defined(__riscv_vector) && \
+    defined(__riscv_v_intrinsic)
+#define MLD_SYS_RISCV64_RVV
+#endif
+
+#if defined(__riscv) && defined(__riscv_xlen) && __riscv_xlen == 32
+#define MLD_SYS_RISCV32
+#endif
+
+#if defined(_WIN64) || defined(_WIN32)
+#define MLD_SYS_WINDOWS
+#endif
+
+#if defined(__linux__)
+#define MLD_SYS_LINUX
+#endif
+
+#if defined(__APPLE__)
+#define MLD_SYS_APPLE
+#endif
+
+/* If MLD_FORCE_AARCH64 is set, assert that we're indeed on an AArch64 system.
+ */
+#if defined(MLD_FORCE_AARCH64) && !defined(MLD_SYS_AARCH64)
+#error "MLD_FORCE_AARCH64 is set, but we don't seem to be on an AArch64 system."
+#endif
+
+/* If MLD_FORCE_AARCH64_EB is set, assert that we're indeed on a big endian
+ * AArch64 system. */
+#if defined(MLD_FORCE_AARCH64_EB) && !defined(MLD_SYS_AARCH64_EB)
+#error \
+    "MLD_FORCE_AARCH64_EB is set, but we don't seem to be on an AArch64 system."
+#endif
+
+/* If MLD_FORCE_X86_64 is set, assert that we're indeed on an X86_64 system. */
+#if defined(MLD_FORCE_X86_64) && !defined(MLD_SYS_X86_64)
+#error "MLD_FORCE_X86_64 is set, but we don't seem to be on an X86_64 system."
+#endif
+
+#if defined(MLD_FORCE_PPC64LE) && !defined(MLD_SYS_PPC64LE)
+#error "MLD_FORCE_PPC64LE is set, but we don't seem to be on a PPC64LE system."
+#endif
+
+#if defined(MLD_FORCE_RISCV64) && !defined(MLD_SYS_RISCV64)
+#error "MLD_FORCE_RISCV64 is set, but we don't seem to be on a RISCV64 system."
+#endif
+
+#if defined(MLD_FORCE_RISCV32) && !defined(MLD_SYS_RISCV32)
+#error "MLD_FORCE_RISCV32 is set, but we don't seem to be on a RISCV32 system."
+#endif
+
+/*
+ * MLD_INLINE: Hint for inlining.
+ * - MSVC: __inline
+ * - C99+: inline
+ * - GCC/Clang C90: __attribute__((unused)) to silence warnings
+ * - Other C90: empty
+ */
+#if !defined(MLD_INLINE)
+#if defined(_MSC_VER)
+#define MLD_INLINE __inline
+#elif defined(inline) || \
+    (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L)
+#define MLD_INLINE inline
+#elif defined(__GNUC__) || defined(__clang__)
+#define MLD_INLINE __attribute__((unused))
+#else
+#define MLD_INLINE
+#endif
+#endif /* !MLD_INLINE */
+
+/*
+ * MLD_ALWAYS_INLINE: Force inlining.
+ * - MSVC: __forceinline
+ * - GCC/Clang C99+: MLD_INLINE __attribute__((always_inline))
+ * - Other: MLD_INLINE (no forced inlining)
+ */
+#if !defined(MLD_ALWAYS_INLINE)
+#if defined(_MSC_VER)
+#define MLD_ALWAYS_INLINE __forceinline
+#elif (defined(__GNUC__) || defined(__clang__)) && \
+    (defined(inline) ||                            \
+     (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L))
+#define MLD_ALWAYS_INLINE MLD_INLINE __attribute__((always_inline))
+#else
+#define MLD_ALWAYS_INLINE MLD_INLINE
+#endif
+#endif /* !MLD_ALWAYS_INLINE */
+
+#ifndef MLD_STATIC_TESTABLE
+#define MLD_STATIC_TESTABLE static
+#endif
+
+/*
+ * C90 does not have the restrict compiler directive yet.
+ * We don't use it in C90 builds.
+ */
+#if !defined(restrict)
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
+#define MLD_RESTRICT restrict
+#else
+#define MLD_RESTRICT
+#endif
+
+#else /* !restrict */
+
+#define MLD_RESTRICT restrict
+#endif /* restrict */
+
+#define MLD_DEFAULT_ALIGN 32
+#define MLD_ALIGN_UP(N) \
+  ((((N) + (MLD_DEFAULT_ALIGN - 1)) / MLD_DEFAULT_ALIGN) * MLD_DEFAULT_ALIGN)
+#if defined(__GNUC__)
+#define MLD_ALIGN __attribute__((aligned(MLD_DEFAULT_ALIGN)))
+#elif defined(_MSC_VER)
+#define MLD_ALIGN __declspec(align(MLD_DEFAULT_ALIGN))
+#else
+#define MLD_ALIGN /* No known support for alignment constraints */
+#endif
+
+
+/* New X86_64 CPUs support Conflow-flow protection using the CET instructions.
+ * When enabled (through -fcf-protection=), all compilation units (including
+ * empty ones) need to support CET for this to work.
+ * For assembly, this means that source files need to signal support for
+ * CET by setting the appropriate note.gnu.property section.
+ * This can be achieved by including the <cet.h> header in all assembly file.
+ * This file also provides the _CET_ENDBR macro which needs to be placed at
+ * every potential target of an indirect branch.
+ * If CET is enabled _CET_ENDBR maps to the endbr64 instruction, otherwise
+ * it is empty.
+ * In case the compiler does not support CET (e.g., <gcc8, <clang11),
+ * the __CET__ macro is not set and we default to nothing.
+ * Note that we only issue _CET_ENDBR instructions through the MLD_ASM_FN_SYMBOL
+ * macro as the global symbols are the only possible targets of indirect
+ * branches in our code.
+ */
+#if defined(MLD_SYS_X86_64)
+#if defined(__CET__)
+#include <cet.h>
+#define MLD_CET_ENDBR _CET_ENDBR
+#else
+#define MLD_CET_ENDBR
+#endif
+#endif /* MLD_SYS_X86_64 */
+
+#if defined(MLD_CONFIG_CT_TESTING_ENABLED) && !defined(__ASSEMBLER__)
+#include <valgrind/memcheck.h>
+#define MLD_CT_TESTING_SECRET(ptr, len) \
+  VALGRIND_MAKE_MEM_UNDEFINED((ptr), (len))
+#define MLD_CT_TESTING_DECLASSIFY(ptr, len) \
+  VALGRIND_MAKE_MEM_DEFINED((ptr), (len))
+#else /* MLD_CONFIG_CT_TESTING_ENABLED && !__ASSEMBLER__ */
+#define MLD_CT_TESTING_SECRET(ptr, len) \
+  do                                    \
+  {                                     \
+  } while (0)
+#define MLD_CT_TESTING_DECLASSIFY(ptr, len) \
+  do                                        \
+  {                                         \
+  } while (0)
+#endif /* !(MLD_CONFIG_CT_TESTING_ENABLED && !__ASSEMBLER__) */
+
+#if defined(__GNUC__) || defined(__clang__)
+#define MLD_MUST_CHECK_RETURN_VALUE __attribute__((warn_unused_result))
+#else
+#define MLD_MUST_CHECK_RETURN_VALUE
+#endif
+
+
+#if !defined(__ASSEMBLER__)
+/* System capability enumeration */
+typedef enum
+{
+  /* x86_64 */
+  MLD_SYS_CAP_AVX2,
+  /* AArch64 */
+  MLD_SYS_CAP_SHA3
+} mld_sys_cap;
+
+#if !defined(MLD_CONFIG_CUSTOM_CAPABILITY_FUNC)
+#include "cbmc.h"
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_sys_check_capability(mld_sys_cap cap)
+__contract__(
+  ensures(return_value == 0 || return_value == 1)
+)
+{
+  /* By default, we rely on compile-time feature detection/specification:
+   * If a feature is enabled at compile-time, we assume it is supported by
+   * the host that the resulting library/binary will be built on.
+   * If this assumption is not true, you MUST overwrite this function.
+   * See the documentation of MLD_CONFIG_CUSTOM_CAPABILITY_FUNC in
+   * mldsa_native_config.h for more information. */
+  (void)cap;
+  return 1;
+}
+#endif /* !MLD_CONFIG_CUSTOM_CAPABILITY_FUNC */
+#endif /* !__ASSEMBLER__ */
+
+#endif /* !MLD_SYS_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/zetas.inc

@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) The mldsa-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/*
+ * WARNING: This file is auto-generated from scripts/autogen
+ *          in the mldsa-native repository.
+ *          Do not modify it directly.
+ */
+
+
+/*
+ * Table of zeta values used in the reference NTT and inverse NTT.
+ * See autogen for details.
+ */
+static const int32_t mld_zetas[MLDSA_N] = {
+    0,        25847,    -2608894, -518909,  237124,   -777960,  -876248,
+    466468,   1826347,  2353451,  -359251,  -2091905, 3119733,  -2884855,
+    3111497,  2680103,  2725464,  1024112,  -1079900, 3585928,  -549488,
+    -1119584, 2619752,  -2108549, -2118186, -3859737, -1399561, -3277672,
+    1757237,  -19422,   4010497,  280005,   2706023,  95776,    3077325,
+    3530437,  -1661693, -3592148, -2537516, 3915439,  -3861115, -3043716,
+    3574422,  -2867647, 3539968,  -300467,  2348700,  -539299,  -1699267,
+    -1643818, 3505694,  -3821735, 3507263,  -2140649, -1600420, 3699596,
+    811944,   531354,   954230,   3881043,  3900724,  -2556880, 2071892,
+    -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950,
+    2176455,  -1585221, -1257611, 1939314,  -4083598, -1000202, -3190144,
+    -3157330, -3632928, 126922,   3412210,  -983419,  2147896,  2715295,
+    -2967645, -3693493, -411027,  -2477047, -671102,  -1228525, -22981,
+    -1308169, -381987,  1349076,  1852771,  -1430430, -3343383, 264944,
+    508951,   3097992,  44288,    -1100098, 904516,   3958618,  -3724342,
+    -8578,    1653064,  -3249728, 2389356,  -210977,  759969,   -1316856,
+    189548,   -3553272, 3159746,  -1851402, -2409325, -177440,  1315589,
+    1341330,  1285669,  -1584928, -812732,  -1439742, -3019102, -3881060,
+    -3628969, 3839961,  2091667,  3407706,  2316500,  3817976,  -3342478,
+    2244091,  -2446433, -3562462, 266997,   2434439,  -1235728, 3513181,
+    -3520352, -3759364, -1197226, -3193378, 900702,   1859098,  909542,
+    819034,   495491,   -1613174, -43260,   -522500,  -655327,  -3122442,
+    2031748,  3207046,  -3556995, -525098,  -768622,  -3595838, 342297,
+    286988,   -2437823, 4108315,  3437287,  -3342277, 1735879,  203044,
+    2842341,  2691481,  -2590150, 1265009,  4055324,  1247620,  2486353,
+    1595974,  -3767016, 1250494,  2635921,  -3548272, -2994039, 1869119,
+    1903435,  -1050970, -1333058, 1237275,  -3318210, -1430225, -451100,
+    1312455,  3306115,  -1962642, -1279661, 1917081,  -2546312, -1374803,
+    1500165,  777191,   2235880,  3406031,  -542412,  -2831860, -1671176,
+    -1846953, -2584293, -3724270, 594136,   -3776993, -2013608, 2432395,
+    2454455,  -164721,  1957272,  3369112,  185531,   -1207385, -3183426,
+    162844,   1616392,  3014001,  810149,   1652634,  -3694233, -1799107,
+    -3038916, 3523897,  3866901,  269760,   2213111,  -975884,  1717735,
+    472078,   -426683,  1723600,  -1803090, 1910376,  -1667432, -1104333,
+    -260646,  -3833893, -2939036, -2235985, -420899,  -2286327, 183443,
+    -976891,  1612842,  -3545687, -554416,  3919660,  -48306,   -1362209,
+    3937738,  1400424,  -846154,  1976782,
+};

data/ext/pqcrypto/vendor/mlkem-native/BUILDING.md

@@ -0,0 +1,104 @@
+[//]: # (SPDX-License-Identifier: CC-BY-4.0)
+
+# Building mlkem-native
+
+### Prerequisites
+
+To build **mlkem-native**, you need `make` and a C90 compiler. To use the test scripts, you need Python3 (>= 3.7).
+
+### By hand
+
+See [mlkem](mlkem).
+
+### Using `make`
+
+You can build and test **mlkem-native** as follows:
+
+```bash
+make test       # With native code backend (if available)
+make OPT=0 test # With C backend
+```
+
+To merely build test components, use the following `make` targets:
+
+```bash
+make func
+make kat
+make acvp
+```
+
+To run them, add `run_`:
+
+```bash
+make run_func
+make run_kat
+make run_acvp
+```
+
+The resulting binaries can be found in `test/build` (their full path is printed by `make`).
+
+For benchmarking, specify the cycle counting method. Currently, **mlkem-native** is supporting NO, PERF, PMU, and MAC:
+* `NO` means that no cycle counting will be used; this can be used to confirm that benchmarks compile fine.
+* `PERF` uses the `perf` kernel module for cycle counting. Does not work on Apple platforms.
+* `PMU` uses direct PMU access if available. On AArch64, this may require you to load a kernel module first, see [here](https://github.com/mupq/pqax?tab=readme-ov-file#enable-access-to-performance-counters). Does not work on Apple platforms.
+* `MAC` is `perf`-based and works on some Apple platforms, at least Apple M1.
+
+```
+# CYCLES has to be one of PERF, PMU, MAC, NO
+sudo make run_bench CYCLES=PERF
+sudo make run_bench_components CYCLES=PERF
+```
+
+### Using `tests` script
+
+For convenience, you can also use the [`./scripts/tests`](scripts/tests) script as a wrapper around `make`. For
+example,
+
+```bash
+./scripts/tests func
+```
+
+will compile and run functionality tests. Similarly,
+
+```bash
+./scripts/tests bench -c PERF -r
+```
+
+will compile and run benchmarks, using PERF for cycle counting (`-c PERF`) and running as root (`-r`).
+
+For detailed information on how to use the script, please refer to
+`./scripts/tests --help`.
+
+### Windows
+
+You can also build **mlkem-native** on Windows using `nmake` and an MSVC compiler.
+
+To build and run the tests (only support functional testing for non-opt implementation for now), use the following `nmake` targets:
+```powershell
+nmke /f .\Makefile.Microsoft_nmake quickcheck
+```
+
+# Checking the proofs
+
+## CBMC
+
+### Prerequisites
+
+To run the CBMC proofs, you need specific versions of CBMC and the underlying solvers, e.g. as specified in our `nix` environment; see [nix/cbmc](nix/cbmc/).
+See [CONTRIBUTING.md](CONTRIBUTING.md) for instructions on how to setup and use `nix`.
+
+### Running the CBMC proofs
+
+Once you are in the `nix` shell or have all tools setup by hand, use `./scripts/tests cbmc` (or just `tests cbmc` in the `nix` shell) to re-check the CBMC proofs.
+See `tests cbmc --help` for details on the command line options, and [proofs/cbmc](proofs/cbmc) for more details on the CBMC proofs in general.
+
+## HOL-Light
+
+### Prerequisites
+
+To run the HOL-Light proofs, you need recent versions of HOL-Light and s2n-bignum, e.g. as specified in our `nix` environment; see [nix/s2n_bignum](nix/s2n_bignum) and [nix/hol_light](nix/hol_light).
+See [CONTRIBUTING.md](CONTRIBUTING.md) for instructions on how to setup and use `nix`.
+
+### Running the HOL-Light proofs
+
+Once you are in the `nix` shell or have all tools setup by hand, use `./scripts/tests hol_light` (or just `tests hol_light` in the `nix` shell) to re-check the HOL-Light proofs. Note that depending on the function, they will take a long time. See `tests hol_light --help` for details on the command line options, and [proofs/hol_light](proofs/hol_light) for more details on the HOL-Light proofs in general.