pq_crypto 0.5.1 → 0.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5949078149668609462a1e9a3df7b7f767499311b998e4dd651be1d7865ddfc
-  data.tar.gz: 600fc91b9614aec5f7f61d8c3ab6d11643bbbf919941faf0508384e7ede9dce0
+  metadata.gz: '0911b99fec80d68a6dff827829bbd77a28951d70c4a85f4fc68bc8c03bdffdda'
+  data.tar.gz: fb7f9e92387316b6641b191dc1d1f5c469f5297d866301a21d44d4eb789185e6
 SHA512:
-  metadata.gz: 2ac70b6f37460e0a56b1601b59ba5660dda7e4c0c87cc03211c9497261b06f632856079622546f6c8b6db6cfff97b1a9355db879958985f48dfe296c5d729b80
-  data.tar.gz: 9e89256c60b8153518520438b77632eb232660ff88d0b0668cfb8aeea7a50875c2c7297773f3d469952129ccceb6e604e4f619cc4cc2ebbd458fdca9d50e837f
+  metadata.gz: 0a614e2b3a645332a3543062efd754421a4a002f08b7b2b71463ee2817f5008a14e65745c66d0c24b5b11a1ecb020f4fe9d479ff59676ddf770186d8d286e26a
+  data.tar.gz: ef7bd96e717b4a99b74346dfd2c98c4787bc3b09b3a1199acfe01b0a22ea2f26cfd594499f3948241abf207dab9d5602f21aaa0a21c66742710637ce53f1a07f

data/.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest]
-        ruby: ["3.4", "4.0"]
+        ruby: ["3.1", "3.4", "4.0"]
 
     steps:
       - name: Checkout
@@ -116,3 +116,50 @@ jobs:
             echo "OpenSSL 3.5 interop tests must NOT skip on this matrix entry."
             exit 1
           fi
+
+  linux-native-backend:
+    needs: test
+    name: linux-native-backend
+    runs-on: ubuntu-latest
+    env:
+      PQCRYPTO_NATIVE_ASM: "1"
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: "3.4"
+          bundler-cache: true
+
+      - name: Verify vendored sources
+        run: bundle exec rake vendor:verify
+
+      - name: Compile extension with native x86_64 backend
+        run: |
+          rm -rf tmp lib/pqcrypto/pqcrypto_secure.so
+          bundle exec rake compile
+
+      - name: Smoke native backend
+        run: |
+          bundle exec ruby -Ilib -e '
+            require "pq_crypto"
+
+            kem = PQCrypto::KEM.generate(:ml_kem_768)
+            enc = kem.public_key.encapsulate
+            raise "ML-KEM mismatch" unless kem.secret_key.decapsulate(enc.ciphertext) == enc.shared_secret
+
+            sig = PQCrypto::Signature.generate(:ml_dsa_65)
+            msg = "linux-native-backend".b
+            signature = sig.secret_key.sign(msg)
+            raise "ML-DSA verify failed" unless sig.public_key.verify(msg, signature)
+          '
+
+      - name: Verify AVX2 native symbols
+        run: |
+          set -euxo pipefail
+          so="lib/pqcrypto/pqcrypto_secure.so"
+          test -f "$so"
+          nm "$so" | grep -E "pqcr_(mlkem|mldsa).*avx2|keccak.*avx2"

data/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## [0.5.3] - 2026-05-08
+
+### Compatibility
+
+- Lowered the minimum supported Ruby version from `>= 3.4.0` to `>= 3.1`.
+- Kept the Ruby 3.4+ optimized `rb_nogvl(..., RB_NOGVL_OFFLOAD_SAFE)` path intact.
+- Added explicit native build probes for `ruby/thread.h`, `rb_thread_call_without_gvl`, and `rb_nogvl`.
+- Ruby 3.1-3.3 now build the same selected `rb_nogvl` calls with a local `PQ_RB_NOGVL_OFFLOAD_SAFE` fallback of `0`, preserving ordinary no-GVL behavior without claiming scheduler offload guarantees.
+
+### CI
+
+- Added Ruby 3.1-3.3 compatibility coverage as compile + smoke checks while keeping full test coverage on Ruby 3.4 and 4.0.
+- Scoped the strict Async/Fiber Scheduler integration assertion to Ruby 3.4+ so compatibility runtimes do not claim `RB_NOGVL_OFFLOAD_SAFE` behavior.
+- Pinned the test-only `async` dependency to the Ruby 3.1-compatible `2.21.x` line, which still contains the worker-pool support needed for the Ruby 3.4+ offload test.
+
+### Documentation
+
+- Documented the Ruby 3.1+ support policy and the difference between compatibility no-GVL behavior and Ruby 3.4+ scheduler-aware offload.
+
+## [0.5.2] - 2026-05-06
+
+### Build
+
+- Added Linux/OpenSSL discovery via `OPENSSL_ROOT_DIR`, `OPENSSL_DIR`, and `pkg-config`.
+- Preserved `$(CFLAGS)`/`$(CCDLFLAGS)` for vendored native objects so Linux shared-object builds keep `-fPIC`.
+- Added opt-in Linux x86_64 native-backend support through `PQCRYPTO_NATIVE_ASM=1`.
+- Added x86_64 AVX2 vendor flags for mlkem-native/mldsa-native when native backends are explicitly enabled.
+- Added separate `PQCRYPTO_NATIVE_ARITH` and `PQCRYPTO_NATIVE_FIPS202` switches for native arithmetic and Keccak/FIPS202 backends.
+- Kept AArch64 native asm enabled by default; verified macOS arm64 still builds ML-KEM/ML-DSA native asm paths.
+
+### CI
+
+- Added a Linux native-backend job that compiles with `PQCRYPTO_NATIVE_ASM=1`, runs ML-KEM/ML-DSA smoke checks, and verifies AVX2 symbols in the extension.
+
 ## [0.5.1] - 2026-05-04
 
 ### Performance

data/GET_STARTED.md

@@ -379,11 +379,15 @@ PQCRYPTO_NATIVE_ASM=1 bundle exec rake compile
 
 ## 14. Async / Fiber scheduler behavior
 
-On Ruby 3.4, signing and verification use Ruby's scheduler-aware
+On Ruby 3.4 and later, signing and verification keep Ruby's scheduler-aware
 `rb_nogvl(..., RB_NOGVL_OFFLOAD_SAFE)` path automatically. With a scheduler
 that implements `blocking_operation_wait`, blocking native work can be moved
 off the event loop.
 
+Ruby 3.1-3.3 are supported as a compatibility path: native operations still
+release the GVL, but `RB_NOGVL_OFFLOAD_SAFE` is not available there, so the gem
+does not claim Fiber Scheduler offload guarantees on those runtimes.
+
 ## 15. Test-only deterministic helpers
 
 `PQCrypto::Testing` exposes deterministic helpers for regression tests:

data/README.md

@@ -63,7 +63,9 @@ original algorithms:
 
 ## Requirements
 
-- Ruby 3.4 or later
+- Ruby 3.1 or later
+  - Ruby 3.4+ keeps the optimized Fiber Scheduler offload path via `RB_NOGVL_OFFLOAD_SAFE`
+  - Ruby 3.1-3.3 use the compatibility no-GVL path without scheduler offload guarantees
 - a C toolchain with C11 support
 - OpenSSL 3.0 or later with SHA3-256 and SHAKE256 available
 - vendored minimal PQ Code Package native snapshot in `ext/pqcrypto/vendor`

data/ext/pqcrypto/extconf.rb

@@ -39,32 +39,31 @@ if SANITIZE && !SANITIZE.strip.empty?
   $LDFLAGS << " -fsanitize=#{sanitize}"
 end
 
-def native_asm_supported_by_default?
-  host_cpu = RbConfig::CONFIG.fetch("host_cpu", "")
-  host_os = RbConfig::CONFIG.fetch("host_os", "")
-  return false if host_os =~ /mswin|mingw|cygwin/i
+def host_cpu
+  RbConfig::CONFIG.fetch("host_cpu", "")
+end
 
-  host_cpu =~ /\A(?:arm64|aarch64)\z/i
+def host_os
+  RbConfig::CONFIG.fetch("host_os", "")
 end
 
-def parse_native_asm_env(value)
-  return native_asm_supported_by_default? if value.nil? || value.strip.empty? || value == "auto"
+def aarch64_host?
+  host_cpu =~ /\A(?:arm64|aarch64)\z/i
+end
 
-  case value.strip.downcase
-  when "1", "true", "yes", "on", "auto"
-    true
-  when "0", "false", "no", "off"
-    false
-  else
-    abort "Invalid PQCRYPTO_NATIVE_ASM=#{value.inspect}; use 1, 0, or auto"
-  end
+def x86_64_host?
+  host_cpu =~ /\A(?:x86_64|amd64|x64)\z/i
 end
 
-NATIVE_ASM = parse_native_asm_env(ENV["PQCRYPTO_NATIVE_ASM"])
+def native_asm_supported_by_default?
+  return false if host_os =~ /mswin|mingw|cygwin/i
 
-def parse_native_backend_env(name)
+  aarch64_host?
+end
+
+def env_bool(name, default)
   value = ENV[name]
-  return NATIVE_ASM if value.nil? || value.strip.empty? || value == "auto"
+  return default if value.nil? || value.strip.empty? || value.strip.downcase == "auto"
 
   case value.strip.downcase
   when "1", "true", "yes", "on"
@@ -72,19 +71,53 @@ def parse_native_backend_env(name)
   when "0", "false", "no", "off"
     false
   else
-    abort "Invalid #{name}=#{value.inspect}; use 1, 0, or auto"
+    abort "Invalid #{name}=#{value.inspect}; use 1, 0, true, false, or auto"
   end
 end
 
-NATIVE_ARITH = parse_native_backend_env("PQCRYPTO_NATIVE_ARITH")
-NATIVE_FIPS202 = parse_native_backend_env("PQCRYPTO_NATIVE_FIPS202")
+NATIVE_ASM = env_bool("PQCRYPTO_NATIVE_ASM", native_asm_supported_by_default?)
+NATIVE_ARITH = env_bool("PQCRYPTO_NATIVE_ARITH", NATIVE_ASM)
+NATIVE_FIPS202 = env_bool("PQCRYPTO_NATIVE_FIPS202", NATIVE_ASM)
+
+X86_VENDOR_ARCH_FLAGS = "-mavx2 -mbmi -mbmi2 -mpopcnt -maes -mssse3 -msse4.1 -msse4.2"
+
+VENDOR_C_ARCH_FLAGS = +""
+VENDOR_ASM_ARCH_FLAGS = +""
+
+if x86_64_host? && (NATIVE_ARITH || NATIVE_FIPS202)
+  VENDOR_C_ARCH_FLAGS << "#{X86_VENDOR_ARCH_FLAGS} -fno-tree-vectorize"
+  VENDOR_ASM_ARCH_FLAGS << X86_VENDOR_ARCH_FLAGS
+end
+
+if ENV["PQCRYPTO_NATIVE_TUNE"] == "1"
+  VENDOR_C_ARCH_FLAGS << " -march=native -mtune=native"
+  VENDOR_ASM_ARCH_FLAGS << " -march=native -mtune=native"
+end
 
 def configure_compiler_environment
-  return unless RUBY_PLATFORM.include?("darwin")
+  if RUBY_PLATFORM.include?("darwin")
+    dir_config("homebrew", "/opt/homebrew")
+    $CPPFLAGS << " -I/opt/homebrew/include"
+    $LDFLAGS << " -L/opt/homebrew/lib"
+    return
+  end
+
+  openssl_root = ENV["OPENSSL_ROOT_DIR"] || ENV["OPENSSL_DIR"]
+  if openssl_root && !openssl_root.strip.empty? && File.directory?(openssl_root)
+    $CPPFLAGS << " -I#{openssl_root}/include"
+    %w[lib64 lib].each do |suffix|
+      libdir = File.join(openssl_root, suffix)
+      next unless File.directory?(libdir)
 
-  dir_config("homebrew", "/opt/homebrew")
-  $CPPFLAGS << " -I/opt/homebrew/include"
-  $LDFLAGS << " -L/opt/homebrew/lib"
+      $LDFLAGS << " -L#{libdir} -Wl,-rpath,#{libdir}"
+      break
+    end
+  elsif find_executable("pkg-config")
+    cflags = `pkg-config --cflags openssl 2>/dev/null`.strip
+    libs = `pkg-config --libs-only-L openssl 2>/dev/null`.strip
+    $CPPFLAGS << " #{cflags}" unless cflags.empty?
+    $LDFLAGS << " #{libs}" unless libs.empty?
+  end
 end
 
 def native_vendor_sources_for(vendor_dir)
@@ -154,6 +187,12 @@ def find_vendor_dir
   candidates.find { |path| native_vendor_ready?(path) }
 end
 
+def configure_ruby_c_api!
+  abort "ruby/thread.h is required" unless have_header("ruby/thread.h")
+  abort "rb_thread_call_without_gvl is required" unless have_func("rb_thread_call_without_gvl", "ruby/thread.h")
+  abort "rb_nogvl is required" unless have_func("rb_nogvl", "ruby/thread.h")
+end
+
 def configure_openssl!
   configure_compiler_environment
 
@@ -270,7 +309,7 @@ def inject_native_sources!(config)
     build_rules << <<~RULE
       #{object}: #{source}
       	$(ECHO) compiling #{source} [#{kind}-#{level}]
-      	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
+      	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) $(CCDLFLAGS) #{VENDOR_ONLY_CFLAGS} #{VENDOR_C_ARCH_FLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
     RULE
   end
 
@@ -291,7 +330,7 @@ def inject_native_sources!(config)
       build_rules << <<~RULE
         #{object}: #{source}
         	$(ECHO) assembling #{source} [#{kind}-#{level}]
-        	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) #{VENDOR_ONLY_CFLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
+        	$(Q) $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) $(CCDLFLAGS) #{VENDOR_ONLY_CFLAGS} #{VENDOR_ASM_ARCH_FLAGS} #{flags} $(COUTFLAG)$@ -c $(CSRCFLAG)$<
       RULE
     end
   end
@@ -316,14 +355,21 @@ vendor_dir = find_vendor_dir
 
 puts
 puts "=== PQCrypto build configuration ==="
+configure_ruby_c_api!
 configure_openssl!
 native_config = native_vendor_config(vendor_dir)
 puts "OpenSSL: system"
 puts "ML-KEM: mlkem-native vendored"
 puts "ML-DSA: mldsa-native vendored"
+puts "Host CPU: #{host_cpu} (#{host_os})"
 puts "Native asm auto/forced: #{NATIVE_ASM ? 'enabled' : 'disabled'}"
 puts "Native arithmetic backend: #{NATIVE_ARITH ? 'enabled' : 'disabled'}"
 puts "Native FIPS202 backend: #{NATIVE_FIPS202 ? 'enabled' : 'disabled'}"
+puts "Vendor C arch flags: #{VENDOR_C_ARCH_FLAGS.empty? ? '(none)' : VENDOR_C_ARCH_FLAGS}"
+puts "Vendor ASM arch flags: #{VENDOR_ASM_ARCH_FLAGS.empty? ? '(none)' : VENDOR_ASM_ARCH_FLAGS}"
+if x86_64_host? && (NATIVE_ARITH || NATIVE_FIPS202)
+  puts "x86_64 native backend: AVX2 build flags enabled"
+end
 puts "PQClean fallback: removed"
 puts "Output: pqcrypto/pqcrypto_secure"
 puts "===================================="

data/ext/pqcrypto/pqcrypto_ruby_secure.c

@@ -1,6 +1,13 @@
+#if defined(__clang__) || defined(__GNUC__)
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-parameter"
+#endif
 #include <ruby.h>
 #include <ruby/thread.h>
 #include <ruby/encoding.h>
+#if defined(__clang__) || defined(__GNUC__)
+#pragma GCC diagnostic pop
+#endif
 #include <stdlib.h>
 #include <string.h>
 
@@ -10,7 +17,9 @@
 #include "pqcrypto_secure.h"
 
 #ifndef RB_NOGVL_OFFLOAD_SAFE
-#define RB_NOGVL_OFFLOAD_SAFE 0
+#define PQ_RB_NOGVL_OFFLOAD_SAFE 0
+#else
+#define PQ_RB_NOGVL_OFFLOAD_SAFE RB_NOGVL_OFFLOAD_SAFE
 #endif
 
 #define PQ_MU_ABSORB_NOGVL_MIN_BYTES 16384
@@ -154,8 +163,8 @@ static void pq_init_algorithm_ids(void) {
 static const char *pq_algorithm_symbol_to_cstr(VALUE algorithm) {
     if (SYMBOL_P(algorithm)) {
         ID id = SYM2ID(algorithm);
-        for (size_t i = 0; i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]);
-             ++i) {
+        for (size_t i = 0;
+             i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]); ++i) {
             if (id == pqc_container_algorithm_ids[i]) {
                 return PQC_CONTAINER_ALGORITHMS[i];
             }
@@ -164,8 +173,8 @@ static const char *pq_algorithm_symbol_to_cstr(VALUE algorithm) {
         VALUE str = StringValue(algorithm);
         const char *ptr = RSTRING_PTR(str);
         size_t len = (size_t)RSTRING_LEN(str);
-        for (size_t i = 0; i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]);
-             ++i) {
+        for (size_t i = 0;
+             i < sizeof(PQC_CONTAINER_ALGORITHMS) / sizeof(PQC_CONTAINER_ALGORITHMS[0]); ++i) {
             size_t algorithm_len = strlen(PQC_CONTAINER_ALGORITHMS[i]);
             if (len == algorithm_len && memcmp(ptr, PQC_CONTAINER_ALGORITHMS[i], len) == 0) {
                 return PQC_CONTAINER_ALGORITHMS[i];
@@ -272,16 +281,16 @@ static void *pq_hybrid_kem_decapsulate_nogvl(void *arg) {
 
 static void *pq_hybrid_kem_decapsulate_expanded_nogvl(void *arg) {
     kem_decapsulate_call_t *call = (kem_decapsulate_call_t *)arg;
-    call->result = pq_hybrid_kem_decapsulate_expanded(call->shared_secret, call->ciphertext,
-                                                      call->secret_key);
+    call->result =
+        pq_hybrid_kem_decapsulate_expanded(call->shared_secret, call->ciphertext, call->secret_key);
     return NULL;
 }
 
 static void *pq_hybrid_kem_decapsulate_expanded_pkey_nogvl(void *arg) {
-    hybrid_decapsulate_expanded_pkey_call_t *call =
-        (hybrid_decapsulate_expanded_pkey_call_t *)arg;
-    call->result = pq_hybrid_kem_decapsulate_expanded_pkey(
-        call->shared_secret, call->ciphertext, call->expanded_secret_key, call->x25519_private_pkey);
+    hybrid_decapsulate_expanded_pkey_call_t *call = (hybrid_decapsulate_expanded_pkey_call_t *)arg;
+    call->result = pq_hybrid_kem_decapsulate_expanded_pkey(call->shared_secret, call->ciphertext,
+                                                           call->expanded_secret_key,
+                                                           call->x25519_private_pkey);
     return NULL;
 }
 
@@ -815,12 +824,11 @@ static VALUE pqcrypto_hybrid_kem_decapsulate_expanded(VALUE self, VALUE cipherte
     (void)self;
     return pq_run_kem_decapsulate(pq_hybrid_kem_decapsulate_expanded_nogvl, ciphertext,
                                   PQ_HYBRID_CIPHERTEXTBYTES, expanded_secret_key,
-                                  PQ_HYBRID_EXPANDED_SECRETKEYBYTES,
-                                  PQ_HYBRID_SHAREDSECRETBYTES);
+                                  PQ_HYBRID_EXPANDED_SECRETKEYBYTES, PQ_HYBRID_SHAREDSECRETBYTES);
 }
 
 static VALUE pqcrypto_hybrid_kem_decapsulate_expanded_object(VALUE self, VALUE ciphertext,
-                                                            VALUE expanded_secret_key_obj) {
+                                                             VALUE expanded_secret_key_obj) {
     (void)self;
     hybrid_expanded_key_wrapper_t *wrapper = hybrid_expanded_key_unwrap(expanded_secret_key_obj);
     hybrid_decapsulate_expanded_pkey_call_t call = {0};
@@ -1184,7 +1192,7 @@ static VALUE pq_run_sign(void *(*nogvl)(void *), VALUE message, VALUE secret_key
     call.signature = pq_alloc_buffer(signature_len_expected);
     call.message = pq_copy_ruby_string(message, &call.message_len);
 
-    rb_nogvl(nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
 
     pq_free_buffer(call.message);
     pq_wipe_and_free((uint8_t *)call.secret_key, secret_key_len);
@@ -1224,7 +1232,7 @@ static VALUE pq_run_verify(void *(*nogvl)(void *), VALUE message, VALUE signatur
     call.signature_len = signature_len;
     call.message = pq_copy_ruby_string(message, &call.message_len);
 
-    rb_nogvl(nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
 
     pq_free_buffer(call.message);
     pq_free_buffer((uint8_t *)call.public_key);
@@ -1428,8 +1436,8 @@ static VALUE pqcrypto__native_mldsa_mu_builder_update(VALUE self, VALUE builder_
     }
 
     if (chunk_len < PQ_MU_ABSORB_NOGVL_MIN_BYTES) {
-        int rc = pq_mu_builder_absorb(wrapper->builder, (const uint8_t *)RSTRING_PTR(chunk),
-                                      chunk_len);
+        int rc =
+            pq_mu_builder_absorb(wrapper->builder, (const uint8_t *)RSTRING_PTR(chunk), chunk_len);
         if (rc != PQ_SUCCESS) {
             pq_raise_general_error(rc);
         }
@@ -1444,7 +1452,7 @@ static VALUE pqcrypto__native_mldsa_mu_builder_update(VALUE self, VALUE builder_
     call.chunk = copy;
     call.chunk_len = chunk_len;
 
-    rb_nogvl(pq_mu_absorb_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(pq_mu_absorb_nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
     free(copy);
 
     if (call.result != PQ_SUCCESS) {
@@ -1469,7 +1477,7 @@ static VALUE pqcrypto__native_mldsa_mu_builder_finalize(VALUE self, VALUE builde
     call.builder = wrapper->builder;
     call.mu_out = mu;
 
-    rb_nogvl(pq_mu_finalize_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(pq_mu_finalize_nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
 
     wrapper->builder = NULL;
 
@@ -1516,7 +1524,7 @@ static VALUE pqcrypto__native_mldsa_sign_mu(VALUE self, VALUE mu, VALUE secret_k
     call.signature_len = PQ_MLDSA_BYTES;
     call.signature = pq_alloc_buffer(PQ_MLDSA_BYTES);
 
-    rb_nogvl(pq_sign_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(pq_sign_mu_nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
 
     pq_wipe_and_free(mu_copy, mu_len);
     pq_wipe_and_free(sk_copy, secret_key_len);
@@ -1557,7 +1565,7 @@ static VALUE pqcrypto__native_mldsa_verify_mu(VALUE self, VALUE mu, VALUE signat
     call.signature = sig_copy;
     call.signature_len = signature_len;
 
-    rb_nogvl(pq_verify_mu_nogvl, &call, NULL, NULL, RB_NOGVL_OFFLOAD_SAFE);
+    rb_nogvl(pq_verify_mu_nogvl, &call, NULL, NULL, PQ_RB_NOGVL_OFFLOAD_SAFE);
     pq_wipe_and_free(mu_copy, mu_len);
     pq_free_buffer(pk_copy);
     pq_free_buffer(sig_copy);

data/ext/pqcrypto/pqcrypto_version.h

@@ -2,6 +2,6 @@
 #ifndef PQCRYPTO_VERSION_H
 #define PQCRYPTO_VERSION_H
 
-#define PQCRYPTO_VERSION "0.5.1"
+#define PQCRYPTO_VERSION "0.5.3"
 
 #endif

data/lib/pq_crypto/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PQCrypto
-  VERSION = "0.5.1"
+  VERSION = "0.5.3"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pq_crypto
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.5.3
 platform: ruby
 authors:
 - Roman Haydarov
@@ -335,7 +335,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.4.0
+      version: '3.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="