pq_crypto 0.4.2 → 0.5.1

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/debug.c

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* NOTE: You can remove this file unless you compile with MLKEM_DEBUG. */
+
+#include "common.h"
+
+#if !defined(MLK_CONFIG_MULTILEVEL_NO_SHARED) && defined(MLKEM_DEBUG)
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "debug.h"
+
+#define MLK_DEBUG_ERROR_HEADER "[ERROR:%s:%04d] "
+
+void mlk_debug_check_assert(const char *file, int line, const int val)
+{
+  if (val == 0)
+  {
+    fprintf(stderr, MLK_DEBUG_ERROR_HEADER "Assertion failed (value %d)\n",
+            file, line, val);
+    exit(1);
+  }
+}
+
+void mlk_debug_check_bounds(const char *file, int line, const int16_t *ptr,
+                            unsigned len, int lower_bound_exclusive,
+                            int upper_bound_exclusive)
+{
+  int err = 0;
+  unsigned i;
+  for (i = 0; i < len; i++)
+  {
+    int16_t val = ptr[i];
+    if (!(val > lower_bound_exclusive && val < upper_bound_exclusive))
+    {
+      fprintf(
+          stderr,
+          MLK_DEBUG_ERROR_HEADER
+          "Bounds assertion failed: Index %u, value %d out of bounds (%d,%d)\n",
+          file, line, i, (int)val, lower_bound_exclusive,
+          upper_bound_exclusive);
+      err = 1;
+    }
+  }
+
+  if (err == 1)
+  {
+    exit(1);
+  }
+}
+
+#else /* !MLK_CONFIG_MULTILEVEL_NO_SHARED && MLKEM_DEBUG */
+
+MLK_EMPTY_CU(debug)
+
+#endif /* !(!MLK_CONFIG_MULTILEVEL_NO_SHARED && MLKEM_DEBUG) */
+
+/* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
+ * Don't modify by hand -- this is auto-generated by scripts/autogen. */
+#undef MLK_DEBUG_ERROR_HEADER

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/debug.h

@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLK_DEBUG_H
+#define MLK_DEBUG_H
+#include "common.h"
+
+#if defined(MLKEM_DEBUG)
+
+/*************************************************
+ * Name:        mlk_assert
+ *
+ * Description: Check debug assertion
+ *
+ *              Prints an error message to stderr and calls
+ *              exit(1) if not.
+ *
+ * Arguments:   - file: filename
+ *              - line: line number
+ *              - val: Value asserted to be non-zero
+ **************************************************/
+#define mlk_debug_check_assert MLK_NAMESPACE(mlkem_debug_assert)
+void mlk_debug_check_assert(const char *file, int line, const int val);
+
+/*************************************************
+ * Name:        mlk_debug_check_bounds
+ *
+ * Description: Check whether values in an array of int16_t
+ *              are within specified bounds.
+ *
+ *              Prints an error message to stderr and calls
+ *              exit(1) if not.
+ *
+ * Arguments:   - file: filename
+ *              - line: line number
+ *              - ptr: Base of array to be checked
+ *              - len: Number of int16_t in ptr
+ *              - lower_bound_exclusive: Exclusive lower bound
+ *              - upper_bound_exclusive: Exclusive upper bound
+ **************************************************/
+#define mlk_debug_check_bounds MLK_NAMESPACE(mlkem_debug_check_bounds)
+void mlk_debug_check_bounds(const char *file, int line, const int16_t *ptr,
+                            unsigned len, int lower_bound_exclusive,
+                            int upper_bound_exclusive);
+
+/* Check assertion, calling exit() upon failure
+ *
+ * val: Value that's asserted to be non-zero
+ */
+#define mlk_assert(val) mlk_debug_check_assert(__FILE__, __LINE__, (val))
+
+/* Check bounds in array of int16_t's
+ * ptr: Base of int16_t array; will be explicitly cast to int16_t*,
+ *      so you may pass a byte-compatible type such as mlk_poly or mlk_polyvec.
+ * len: Number of int16_t in array
+ * value_lb: Inclusive lower value bound
+ * value_ub: Exclusive upper value bound */
+#define mlk_assert_bound(ptr, len, value_lb, value_ub)                      \
+  mlk_debug_check_bounds(__FILE__, __LINE__, (const int16_t *)(ptr), (len), \
+                         (value_lb) - 1, (value_ub))
+
+/* Check absolute bounds in array of int16_t's
+ * ptr: Base of array, expression of type int16_t*
+ * len: Number of int16_t in array
+ * value_abs_bd: Exclusive absolute upper bound */
+#define mlk_assert_abs_bound(ptr, len, value_abs_bd) \
+  mlk_assert_bound((ptr), (len), (-(value_abs_bd) + 1), (value_abs_bd))
+
+/* Version of bounds assertions for 2-dimensional arrays */
+#define mlk_assert_bound_2d(ptr, len0, len1, value_lb, value_ub) \
+  mlk_assert_bound((ptr), ((len0) * (len1)), (value_lb), (value_ub))
+
+#define mlk_assert_abs_bound_2d(ptr, len0, len1, value_abs_bd) \
+  mlk_assert_abs_bound((ptr), ((len0) * (len1)), (value_abs_bd))
+
+/* When running CBMC, convert debug assertions into proof obligations */
+#elif defined(CBMC)
+#include "cbmc.h"
+
+#define mlk_assert(val) cassert(val)
+
+#define mlk_assert_bound(ptr, len, value_lb, value_ub) \
+  cassert(array_bound(((int16_t *)(ptr)), 0, (len), (value_lb), (value_ub)))
+
+#define mlk_assert_abs_bound(ptr, len, value_abs_bd) \
+  cassert(array_abs_bound(((int16_t *)(ptr)), 0, (len), (value_abs_bd)))
+
+/* Because of https://github.com/diffblue/cbmc/issues/8570, we can't
+ * just use a single flattened array_bound(...) here. */
+#define mlk_assert_bound_2d(ptr, M, N, value_lb, value_ub)              \
+  cassert(forall(kN, 0, (M),                                            \
+                 array_bound(&((int16_t (*)[(N)])(ptr))[kN][0], 0, (N), \
+                             (value_lb), (value_ub))))
+
+#define mlk_assert_abs_bound_2d(ptr, M, N, value_abs_bd)                    \
+  cassert(forall(kN, 0, (M),                                                \
+                 array_abs_bound(&((int16_t (*)[(N)])(ptr))[kN][0], 0, (N), \
+                                 (value_abs_bd))))
+
+#else /* !MLKEM_DEBUG && CBMC */
+
+#define mlk_assert(val) \
+  do                    \
+  {                     \
+  } while (0)
+#define mlk_assert_bound(ptr, len, value_lb, value_ub) \
+  do                                                   \
+  {                                                    \
+  } while (0)
+#define mlk_assert_abs_bound(ptr, len, value_abs_bd) \
+  do                                                 \
+  {                                                  \
+  } while (0)
+
+#define mlk_assert_bound_2d(ptr, len0, len1, value_lb, value_ub) \
+  do                                                             \
+  {                                                              \
+  } while (0)
+
+#define mlk_assert_abs_bound_2d(ptr, len0, len1, value_abs_bd) \
+  do                                                           \
+  {                                                            \
+  } while (0)
+
+
+#endif /* !MLKEM_DEBUG && !CBMC */
+#endif /* !MLK_DEBUG_H */

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202.c

@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+
+/* References
+ * ==========
+ *
+ * - [FIPS203]
+ *   FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard
+ *   National Institute of Standards and Technology
+ *   https://csrc.nist.gov/pubs/fips/203/final
+ *
+ * - [mupq]
+ *   Common files for pqm4, pqm3, pqriscv
+ *   Kannwischer, Petri, Rijneveld, Schwabe, Stoffelen
+ *   https://github.com/mupq/mupq
+ *
+ * - [supercop]
+ *   SUPERCOP benchmarking framework
+ *   Daniel J. Bernstein
+ *   http://bench.cr.yp.to/supercop.html
+ *
+ * - [tweetfips]
+ *   'tweetfips202' FIPS202 implementation
+ *   Van Assche, Bernstein, Schwabe
+ *   https://keccak.team/2015/tweetfips202.html
+ */
+
+/* Based on the CC0 implementation from @[mupq] and the public domain
+ * implementation @[supercop, crypto_hash/keccakc512/simple/]
+ * by Ronny Van Keer, and the public domain @[tweetfips] implementation. */
+
+#include "../common.h"
+#if !defined(MLK_CONFIG_MULTILEVEL_NO_SHARED)
+
+
+#include "../verify.h"
+#include "fips202.h"
+#include "keccakf1600.h"
+
+/*************************************************
+ * Name:        mlk_keccak_absorb_once
+ *
+ * Description: Absorb step of Keccak;
+ *              non-incremental, starts by zeroeing the state.
+ *
+ *              WARNING: Must only be called once.
+ *
+ * Arguments:   - uint64_t *s:       pointer to (uninitialized) output Keccak
+ *                                   state
+ *              - unsigned r:        rate in bytes (e.g., 168 for SHAKE128)
+ *              - const uint8_t *m:  pointer to input to be absorbed into s
+ *              - size_t mlen:       length of input in bytes
+ *              - uint8_t p:         domain-separation byte for different
+ *                                   Keccak-derived functions
+ **************************************************/
+static void mlk_keccak_absorb_once(uint64_t *s, unsigned r, const uint8_t *m,
+                                   size_t mlen, uint8_t p)
+__contract__(
+    requires(mlen <= MLK_MAX_BUFFER_SIZE)
+    requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
+    requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    requires(memory_no_alias(m, mlen))
+    assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES)))
+{
+  /* Initialize state */
+  size_t i;
+  for (i = 0; i < 25; ++i)
+  __loop__(invariant(i <= 25))
+  {
+    s[i] = 0;
+  }
+
+  while (mlen >= r)
+  __loop__(
+    assigns(mlen, m, memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    invariant(mlen <= loop_entry(mlen))
+    invariant(m == loop_entry(m) + (loop_entry(mlen) - mlen)))
+  {
+    mlk_keccakf1600_xor_bytes(s, m, 0, r);
+    mlk_keccakf1600_permute(s);
+    mlen -= r;
+    m += r;
+  }
+
+  /* At this point, mlen < r, so the truncations to unsigned are safe below. */
+
+  if (mlen > 0)
+  {
+    mlk_keccakf1600_xor_bytes(s, m, 0, (unsigned int)mlen);
+  }
+
+  if (mlen == r - 1)
+  {
+    p |= 128;
+    mlk_keccakf1600_xor_bytes(s, &p, (unsigned int)mlen, 1);
+  }
+  else
+  {
+    mlk_keccakf1600_xor_bytes(s, &p, (unsigned int)mlen, 1);
+    p = 128;
+    mlk_keccakf1600_xor_bytes(s, &p, r - 1, 1);
+  }
+}
+
+/*************************************************
+ * Name:        mlk_keccak_squeezeblocks
+ *
+ * Description: block-level Keccak squeeze
+ *
+ * Arguments:   - uint8_t *h: pointer to output bytes
+ *              - size_t nblocks: number of blocks to be squeezed
+ *              - uint64_t *s_inc: pointer to input/output state
+ *              - unsigned r: rate in bytes (e.g., 168 for SHAKE128)
+ **************************************************/
+static void mlk_keccak_squeezeblocks(uint8_t *h, size_t nblocks, uint64_t *s,
+                                     unsigned r)
+__contract__(
+    requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
+    requires(nblocks <= 8 /* somewhat arbitrary bound */)
+    requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    requires(memory_no_alias(h, nblocks * r))
+    assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    assigns(memory_slice(h, nblocks * r)))
+{
+  while (nblocks > 0)
+  __loop__(
+    assigns(h, nblocks,
+      memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
+      memory_slice(h, nblocks * r))
+    invariant(nblocks <= loop_entry(nblocks) &&
+      h == loop_entry(h) + r * (loop_entry(nblocks) - nblocks)))
+  {
+    mlk_keccakf1600_permute(s);
+    mlk_keccakf1600_extract_bytes(s, h, 0, r);
+    h += r;
+    nblocks--;
+  }
+}
+
+/*************************************************
+ * Name:        mlk_keccak_squeeze_once
+ *
+ * Description: Keccak squeeze; can be called on byte-level
+ *
+ *              WARNING: This must only be called once.
+ *
+ * Arguments:   - uint8_t *h: pointer to output bytes
+ *              - size_t outlen: number of bytes to be squeezed
+ *              - uint64_t *s_inc: pointer to Keccak state
+ *              - unsigned r: rate in bytes (e.g., 168 for SHAKE128)
+ **************************************************/
+static void mlk_keccak_squeeze_once(uint8_t *h, size_t outlen, uint64_t *s,
+                                    unsigned r)
+__contract__(
+    requires(outlen <= MLK_MAX_BUFFER_SIZE)
+    requires(r <= sizeof(uint64_t) * MLK_KECCAK_LANES)
+    requires(memory_no_alias(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    requires(memory_no_alias(h, outlen))
+    assigns(memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES))
+    assigns(memory_slice(h, outlen)))
+{
+  size_t len;
+  while (outlen > 0)
+  __loop__(
+    assigns(len, h, outlen,
+      memory_slice(s, sizeof(uint64_t) * MLK_KECCAK_LANES),
+      memory_slice(h, outlen))
+    invariant(outlen <= loop_entry(outlen) &&
+      h == loop_entry(h) + (loop_entry(outlen) - outlen)))
+  {
+    mlk_keccakf1600_permute(s);
+
+    if (outlen < r)
+    {
+      len = outlen;
+    }
+    else
+    {
+      len = r;
+    }
+    mlk_keccakf1600_extract_bytes(s, h, 0, (unsigned int)len);
+    h += len;
+    outlen -= len;
+  }
+}
+
+void mlk_shake128_absorb_once(mlk_shake128ctx *state, const uint8_t *input,
+                              size_t inlen)
+{
+  mlk_keccak_absorb_once(state->ctx, SHAKE128_RATE, input, inlen, 0x1F);
+}
+
+void mlk_shake128_squeezeblocks(uint8_t *output, size_t nblocks,
+                                mlk_shake128ctx *state)
+{
+  mlk_keccak_squeezeblocks(output, nblocks, state->ctx, SHAKE128_RATE);
+}
+
+void mlk_shake128_init(mlk_shake128ctx *state) { (void)state; }
+void mlk_shake128_release(mlk_shake128ctx *state)
+{
+  /* Specification: Partially implements
+   * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+  mlk_zeroize(state, sizeof(mlk_shake128ctx));
+}
+
+typedef mlk_shake128ctx mlk_shake256ctx;
+void mlk_shake256(uint8_t *output, size_t outlen, const uint8_t *input,
+                  size_t inlen)
+{
+  mlk_shake256ctx state;
+  /* Absorb input */
+  mlk_keccak_absorb_once(state.ctx, SHAKE256_RATE, input, inlen, 0x1F);
+  /* Squeeze output */
+  mlk_keccak_squeeze_once(output, outlen, state.ctx, SHAKE256_RATE);
+  /* Specification: Partially implements
+   * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+  mlk_zeroize(&state, sizeof(state));
+}
+
+void mlk_sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
+{
+  uint64_t ctx[25];
+  /* Absorb input */
+  mlk_keccak_absorb_once(ctx, SHA3_256_RATE, input, inlen, 0x06);
+  /* Squeeze output */
+  mlk_keccak_squeeze_once(output, 32, ctx, SHA3_256_RATE);
+  /* Specification: Partially implements
+   * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+  mlk_zeroize(ctx, sizeof(ctx));
+}
+
+void mlk_sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
+{
+  uint64_t ctx[25];
+  /* Absorb input */
+  mlk_keccak_absorb_once(ctx, SHA3_512_RATE, input, inlen, 0x06);
+  /* Squeeze output */
+  mlk_keccak_squeeze_once(output, 64, ctx, SHA3_512_RATE);
+  /* Specification: Partially implements
+   * @[FIPS203, Section 3.3, Destruction of intermediate values] */
+  mlk_zeroize(ctx, sizeof(ctx));
+}
+
+#else /* !MLK_CONFIG_MULTILEVEL_NO_SHARED */
+
+MLK_EMPTY_CU(fips202)
+
+#endif /* MLK_CONFIG_MULTILEVEL_NO_SHARED */

data/ext/pqcrypto/vendor/mlkem-native/mlkem/src/fips202/fips202.h

@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) The mlkem-native project authors
+ * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+ */
+#ifndef MLK_FIPS202_FIPS202_H
+#define MLK_FIPS202_FIPS202_H
+
+#include "../cbmc.h"
+#include "../common.h"
+
+#define SHAKE128_RATE 168
+#define SHAKE256_RATE 136
+#define SHA3_256_RATE 136
+#define SHA3_384_RATE 104
+#define SHA3_512_RATE 72
+
+/* Context for non-incremental API */
+typedef struct
+{
+  uint64_t ctx[25];
+} MLK_ALIGN mlk_shake128ctx;
+
+#define mlk_shake128_absorb_once MLK_NAMESPACE(shake128_absorb_once)
+/*************************************************
+ * Name:        mlk_shake128_absorb_once
+ *
+ * Description: One-shot absorb step of the SHAKE128 XOF.
+ *
+ *              For call-sites (in mlkem-native):
+ *              - This function MUST ONLY be called straight after
+ *                mlk_shake128_init().
+ *              - This function MUST ONLY be called once.
+ *
+ *              Consequently, for providers of custom FIPS202 code
+ *              to be used with mlkem-native:
+ *              - You may assume that the input context is
+ *                freshly initialized via mlk_shake128_init().
+ *              - You may assume that this function is
+ *                called exactly once.
+ *
+ * Arguments:   - mlk_shake128ctx *state:   pointer to SHAKE128 context
+ *              - const uint8_t *input: pointer to input to be absorbed into
+ *                                      the state
+ *              - size_t inlen:         length of input in bytes
+ **************************************************/
+void mlk_shake128_absorb_once(mlk_shake128ctx *state, const uint8_t *input,
+                              size_t inlen)
+__contract__(
+  requires(inlen <= MLK_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(state, sizeof(mlk_shake128ctx)))
+  requires(memory_no_alias(input, inlen))
+  assigns(memory_slice(state, sizeof(mlk_shake128ctx)))
+);
+
+#define mlk_shake128_squeezeblocks MLK_NAMESPACE(shake128_squeezeblocks)
+/*************************************************
+ * Name:        mlk_shake128_squeezeblocks
+ *
+ * Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
+ *              SHAKE128_RATE bytes each. Modifies the state. Can be called
+ *              multiple times to keep squeezing, i.e., is incremental.
+ *
+ * Arguments:   - uint8_t *output:     pointer to output blocks
+ *              - size_t nblocks:      number of blocks to be squeezed (written
+ *                                     to output)
+ *              - mlk_shake128ctx *state:  pointer to in/output Keccak state
+ **************************************************/
+void mlk_shake128_squeezeblocks(uint8_t *output, size_t nblocks,
+                                mlk_shake128ctx *state)
+__contract__(
+  requires(nblocks <= 8 /* somewhat arbitrary bound */)
+  requires(memory_no_alias(state, sizeof(mlk_shake128ctx)))
+  requires(memory_no_alias(output, nblocks * SHAKE128_RATE))
+  assigns(memory_slice(output, nblocks * SHAKE128_RATE), memory_slice(state, sizeof(mlk_shake128ctx)))
+);
+
+#define mlk_shake128_init MLK_NAMESPACE(shake128_init)
+void mlk_shake128_init(mlk_shake128ctx *state);
+
+#define mlk_shake128_release MLK_NAMESPACE(shake128_release)
+void mlk_shake128_release(mlk_shake128ctx *state);
+
+/* One-stop SHAKE256 call. Aliasing between input and
+ * output is not permitted */
+#define mlk_shake256 MLK_NAMESPACE(shake256)
+/*************************************************
+ * Name:        mlk_shake256
+ *
+ * Description: SHAKE256 XOF with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - size_t outlen:        requested output length in bytes
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:         length of input in bytes
+ **************************************************/
+void mlk_shake256(uint8_t *output, size_t outlen, const uint8_t *input,
+                  size_t inlen)
+__contract__(
+  requires(inlen <= MLK_MAX_BUFFER_SIZE)
+  requires(outlen <= MLK_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(input, inlen))
+  requires(memory_no_alias(output, outlen))
+  assigns(memory_slice(output, outlen))
+);
+
+/* One-stop SHA3_256 call. Aliasing between input and
+ * output is not permitted */
+#define SHA3_256_HASHBYTES 32
+#define mlk_sha3_256 MLK_NAMESPACE(sha3_256)
+/*************************************************
+ * Name:        mlk_sha3_256
+ *
+ * Description: SHA3-256 with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:         length of input in bytes
+ **************************************************/
+void mlk_sha3_256(uint8_t *output, const uint8_t *input, size_t inlen)
+__contract__(
+  requires(inlen <= MLK_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(input, inlen))
+  requires(memory_no_alias(output, SHA3_256_HASHBYTES))
+  assigns(memory_slice(output, SHA3_256_HASHBYTES))
+);
+
+/* One-stop SHA3_512 call. Aliasing between input and
+ * output is not permitted */
+#define SHA3_512_HASHBYTES 64
+#define mlk_sha3_512 MLK_NAMESPACE(sha3_512)
+/*************************************************
+ * Name:        mlk_sha3_512
+ *
+ * Description: SHA3-512 with non-incremental API
+ *
+ * Arguments:   - uint8_t *output:      pointer to output
+ *              - const uint8_t *input: pointer to input
+ *              - size_t inlen:         length of input in bytes
+ **************************************************/
+void mlk_sha3_512(uint8_t *output, const uint8_t *input, size_t inlen)
+__contract__(
+  requires(inlen <= MLK_MAX_BUFFER_SIZE)
+  requires(memory_no_alias(input, inlen))
+  requires(memory_no_alias(output, SHA3_512_HASHBYTES))
+  assigns(memory_slice(output, SHA3_512_HASHBYTES))
+);
+
+#if !defined(MLK_CONFIG_USE_NATIVE_BACKEND_FIPS202) || \
+    !defined(MLK_USE_FIPS202_X4_NATIVE)
+/* If you provide your own FIPS-202 implementation where the x4-
+ * Keccak-f1600-x4 implementation falls back to 4-fold Keccak-f1600,
+ * set this to gain a small speedup. */
+#define FIPS202_X4_DEFAULT_IMPLEMENTATION
+#endif /* !MLK_CONFIG_USE_NATIVE_BACKEND_FIPS202 || !MLK_USE_FIPS202_X4_NATIVE \
+        */
+
+
+#endif /* !MLK_FIPS202_FIPS202_H */