pq_crypto 0.6.1 → 0.6.2

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/packing.h

@@ -6,113 +6,115 @@
 #define MLD_PACKING_H
 
 #include "polyvec.h"
+#include "polyvec_lazy.h"
 
-#define mld_pack_pk MLD_NAMESPACE_KL(pack_pk)
-/*************************************************
- * Name:        mld_pack_pk
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
+#define mld_pack_sk_s1 MLD_NAMESPACE_KL(pack_sk_s1)
+/**
+ * Bit-pack the s1 component into the secret key.
  *
- * Description: Bit-pack public key pk = (rho, t1).
- *
- * Arguments:   - uint8_t pk[]: output byte array
- *              - const uint8_t rho[]: byte array containing rho
- *              - const mld_polyveck *t1: pointer to vector t1
- **************************************************/
+ * @param[out] sk Output byte array.
+ * @param[in]  s1 Pointer to vector s1.
+ */
 MLD_INTERNAL_API
-void mld_pack_pk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
-                 const uint8_t rho[MLDSA_SEEDBYTES], const mld_polyveck *t1)
+void mld_pack_sk_s1(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
+                    const mld_polyvecl *s1)
 __contract__(
-  requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t1, sizeof(mld_polyveck)))
-  requires(forall(k0, 0, MLDSA_K,
-    array_bound(t1->vec[k0].coeffs, 0, MLDSA_N, 0, 1 << 10)))
-  assigns(memory_slice(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
+  requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
+  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
+  requires(forall(k1, 0, MLDSA_L,
+    array_abs_bound(s1->vec[k1].coeffs, 0, MLDSA_N, MLDSA_ETA + 1)))
+  assigns(memory_slice(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
 );
 
-
-#define mld_pack_sk MLD_NAMESPACE_KL(pack_sk)
-/*************************************************
- * Name:        mld_pack_sk
- *
- * Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
- *
- * Arguments:   - uint8_t sk[]: output byte array
- *              - const uint8_t rho[]: byte array containing rho
- *              - const uint8_t tr[]: byte array containing tr
- *              - const uint8_t key[]: byte array containing key
- *              - const mld_polyveck *t0: pointer to vector t0
- *              - const mld_polyvecl *s1: pointer to vector s1
- *              - const mld_polyveck *s2: pointer to vector s2
- **************************************************/
+#define mld_pack_sk_rho_key_tr_s2 MLD_NAMESPACE_KL(pack_sk_rho_key_tr_s2)
+/**
+ * Bit-pack rho, key, tr, s2 into the secret key.
+ *
+ * s1 must already be packed via mld_pack_sk_s1, and t0 via
+ * mld_compute_pack_t0_t1.
+ *
+ * @param[out] sk  Output byte array.
+ * @param[in]  rho Byte array containing rho.
+ * @param[in]  tr  Byte array containing tr.
+ * @param[in]  key Byte array containing key.
+ * @param[in]  s2  Pointer to vector s2.
+ */
 MLD_INTERNAL_API
-void mld_pack_sk(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
-                 const uint8_t rho[MLDSA_SEEDBYTES],
-                 const uint8_t tr[MLDSA_TRBYTES],
-                 const uint8_t key[MLDSA_SEEDBYTES], const mld_polyveck *t0,
-                 const mld_polyvecl *s1, const mld_polyveck *s2)
+void mld_pack_sk_rho_key_tr_s2(uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
+                               const uint8_t rho[MLDSA_SEEDBYTES],
+                               const uint8_t tr[MLDSA_TRBYTES],
+                               const uint8_t key[MLDSA_SEEDBYTES],
+                               const mld_polyveck *s2)
 __contract__(
   requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
   requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
   requires(memory_no_alias(tr, MLDSA_TRBYTES))
   requires(memory_no_alias(key, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t0, sizeof(mld_polyveck)))
-  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
   requires(memory_no_alias(s2, sizeof(mld_polyveck)))
-  requires(forall(k0, 0, MLDSA_K,
-    array_bound(t0->vec[k0].coeffs, 0, MLDSA_N, -(1<<(MLDSA_D-1)) + 1, (1<<(MLDSA_D-1)) + 1)))
-  requires(forall(k1, 0, MLDSA_L,
-    array_abs_bound(s1->vec[k1].coeffs, 0, MLDSA_N, MLDSA_ETA + 1)))
   requires(forall(k2, 0, MLDSA_K,
     array_abs_bound(s2->vec[k2].coeffs, 0, MLDSA_N, MLDSA_ETA + 1)))
   assigns(memory_slice(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
 );
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
 
-#define mld_pack_sig_c_h MLD_NAMESPACE_KL(pack_sig_c_h)
-/*************************************************
- * Name:        mld_pack_sig_c_h
- *
- * Description: Bit-pack c and h component of sig = (c, z, h).
- *              The z component is packed separately using mld_pack_sig_z.
- *
- * Arguments:   - uint8_t sig[]: output byte array
- *              - const uint8_t *c:  pointer to challenge hash length
- *                                   MLDSA_SEEDBYTES
- *              - const mld_polyveck *h: pointer to hint vector h
- *              - const unsigned int number_of_hints: total
- *                                   hints in *h
+#if !defined(MLD_CONFIG_NO_SIGN_API)
+#define mld_pack_sig_c MLD_NAMESPACE_KL(pack_sig_c)
+/**
+ * Bit-pack challenge c into sig = (c, z, h).
  *
- * Note that the number_of_hints argument is not present
- * in the reference implementation. It is added here to ease
- * proof of type safety.
- **************************************************/
+ * @param[out] sig Output byte array.
+ * @param[in]  c   Pointer to challenge hash.
+ */
 MLD_INTERNAL_API
-void mld_pack_sig_c_h(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                      const uint8_t c[MLDSA_CTILDEBYTES], const mld_polyveck *h,
-                      const unsigned int number_of_hints)
+void mld_pack_sig_c(uint8_t sig[MLDSA_CRYPTO_BYTES],
+                    const uint8_t c[MLDSA_CTILDEBYTES])
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  requires(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  requires(number_of_hints <= MLDSA_OMEGA)
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
 );
 
+#define mld_pack_sig_h MLD_NAMESPACE_KL(pack_sig_h)
+/**
+ * Compute hints from (w0, w1) and pack them into the hint section of sig.
+ *
+ * @param[in,out] sig Byte array containing signature.
+ * @param[in]     w0  Pointer to low part of input vector.
+ * @param[in]     w1  Pointer to high part of input vector.
+ *
+ * @retval 0            Success.
+ * @retval MLD_ERR_FAIL The total number of hints exceeds MLDSA_OMEGA. In this
+ *                      case the hint section of sig is left in a
+ *                      partially-written state and the caller must reject the
+ *                      signature.
+ */
+MLD_INTERNAL_API
+MLD_MUST_CHECK_RETURN_VALUE
+int mld_pack_sig_h(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_polyveck *w0,
+                   const mld_polyveck *w1)
+__contract__(
+  requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
+  requires(memory_no_alias(w0, sizeof(mld_polyveck)))
+  requires(memory_no_alias(w1, sizeof(mld_polyveck)))
+  assigns(memory_slice(
+    sig + MLDSA_CTILDEBYTES + MLDSA_L * MLDSA_POLYZ_PACKEDBYTES,
+    MLDSA_POLYVECH_PACKEDBYTES))
+  ensures(return_value == 0 || return_value == MLD_ERR_FAIL)
+);
+
 #define mld_pack_sig_z MLD_NAMESPACE_KL(pack_sig_z)
-/*************************************************
- * Name:        mld_pack_sig_z
+/**
+ * Bit-pack single polynomial of z component of sig = (c, z, h).
  *
- * Description: Bit-pack single polynomial of z component of sig = (c, z, h).
- *              The c and h components are packed separately using
- *              mld_pack_sig_c_h.
+ * The c and h components are packed separately using mld_pack_sig_c and
+ * mld_pack_sig_h.
  *
- * Arguments:   - uint8_t sig[]: output byte array
- *              - const mld_poly *zi: pointer to a single polynomial in z
- *              - const unsigned int i: index of zi in vector z
- *
- **************************************************/
+ * @param[in,out] sig Output byte array.
+ * @param[in]     zi  Pointer to a single polynomial in z.
+ * @param         i   Index of zi in vector z.
+ */
 MLD_INTERNAL_API
 void mld_pack_sig_z(uint8_t sig[MLDSA_CRYPTO_BYTES], const mld_poly *zi,
                     unsigned i)
@@ -123,102 +125,119 @@ __contract__(
   requires(array_bound(zi->coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1))
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
 );
+#endif /* !MLD_CONFIG_NO_SIGN_API */
 
-#define mld_unpack_pk MLD_NAMESPACE_KL(unpack_pk)
-/*************************************************
- * Name:        mld_unpack_pk
- *
- * Description: Unpack public key pk = (rho, t1).
- *
- * Arguments:   - const uint8_t rho[]: output byte array for rho
- *              - const mld_polyveck *t1: pointer to output vector t1
- *              - uint8_t pk[]: byte array containing bit-packed pk
- **************************************************/
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
+#define mld_unpack_pk_t1 MLD_NAMESPACE_KL(unpack_pk_t1)
+/**
+ * Unpack a single polynomial of the t1 component of a public key
+ * pk = (rho, t1).
+ *
+ * @param[out] t1 Pointer to output polynomial t1[i].
+ * @param[in]  pk Byte array containing bit-packed pk.
+ * @param      i  Row index, must be < MLDSA_K.
+ */
 MLD_INTERNAL_API
-void mld_unpack_pk(uint8_t rho[MLDSA_SEEDBYTES], mld_polyveck *t1,
-                   const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES])
+void mld_unpack_pk_t1(mld_poly *t1,
+                      const uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
+                      unsigned int i)
 __contract__(
   requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t1, sizeof(mld_polyveck)))
-  assigns(memory_slice(rho, MLDSA_SEEDBYTES))
-  assigns(memory_slice(t1, sizeof(mld_polyveck)))
-  ensures(forall(k0, 0, MLDSA_K,
-    array_bound(t1->vec[k0].coeffs, 0, MLDSA_N, 0, 1 << 10)))
+  requires(memory_no_alias(t1, sizeof(mld_poly)))
+  requires(i < MLDSA_K)
+  assigns(memory_slice(t1, sizeof(mld_poly)))
+  ensures(array_bound(t1->coeffs, 0, MLDSA_N, 0, 1 << 10))
 );
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
-
+#if !defined(MLD_CONFIG_NO_SIGN_API)
 #define mld_unpack_sk MLD_NAMESPACE_KL(unpack_sk)
-/*************************************************
- * Name:        mld_unpack_sk
- *
- * Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
- *
- * Arguments:   - const uint8_t rho[]: output byte array for rho
- *              - const uint8_t tr[]: output byte array for tr
- *              - const uint8_t key[]: output byte array for key
- *              - const mld_polyveck *t0: pointer to output vector t0
- *              - const mld_polyvecl *s1: pointer to output vector s1
- *              - const mld_polyveck *s2: pointer to output vector s2
- *              - uint8_t sk[]: byte array containing bit-packed sk
- **************************************************/
+/**
+ * Unpack secret key sk = (rho, tr, key, t0, s1, s2).
+ *
+ * NOTE: In REDUCE_RAM mode, s1/s2/t0 borrow from sk rather than copying.
+ *
+ * @param[out] rho Output byte array for rho.
+ * @param[out] tr  Output byte array for tr.
+ * @param[out] key Output byte array for key.
+ * @param[out] t0  Pointer to output vector t0.
+ * @param[out] s1  Pointer to output vector s1.
+ * @param[out] s2  Pointer to output vector s2.
+ * @param[in]  sk  Byte array containing bit-packed sk.
+ */
 MLD_INTERNAL_API
 void mld_unpack_sk(uint8_t rho[MLDSA_SEEDBYTES], uint8_t tr[MLDSA_TRBYTES],
-                   uint8_t key[MLDSA_SEEDBYTES], mld_polyveck *t0,
-                   mld_polyvecl *s1, mld_polyveck *s2,
+                   uint8_t key[MLDSA_SEEDBYTES], mld_sk_t0hat *t0,
+                   mld_sk_s1hat *s1, mld_sk_s2hat *s2,
                    const uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES])
 __contract__(
   requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
   requires(memory_no_alias(tr, MLDSA_TRBYTES))
   requires(memory_no_alias(key, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(t0, sizeof(mld_polyveck)))
-  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
-  requires(memory_no_alias(s2, sizeof(mld_polyveck)))
+  requires(memory_no_alias(t0, sizeof(mld_sk_t0hat)))
+  requires(memory_no_alias(s1, sizeof(mld_sk_s1hat)))
+  requires(memory_no_alias(s2, sizeof(mld_sk_s2hat)))
   requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
   assigns(memory_slice(rho, MLDSA_SEEDBYTES))
   assigns(memory_slice(tr, MLDSA_TRBYTES))
   assigns(memory_slice(key, MLDSA_SEEDBYTES))
-  assigns(memory_slice(t0, sizeof(mld_polyveck)))
-  assigns(memory_slice(s1, sizeof(mld_polyvecl)))
-  assigns(memory_slice(s2, sizeof(mld_polyveck)))
-  ensures(forall(k0, 0, MLDSA_K,
-    array_bound(t0->vec[k0].coeffs, 0, MLDSA_N, -(1<<(MLDSA_D-1)) + 1, (1<<(MLDSA_D-1)) + 1)))
-  ensures(forall(k1, 0, MLDSA_L,
-    array_bound(s1->vec[k1].coeffs, 0, MLDSA_N, MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
-  ensures(forall(k2, 0, MLDSA_K,
-    array_bound(s2->vec[k2].coeffs, 0, MLDSA_N, MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
+  assigns(memory_slice(t0, sizeof(mld_sk_t0hat)))
+  assigns(memory_slice(s1, sizeof(mld_sk_s1hat)))
+  assigns(memory_slice(s2, sizeof(mld_sk_s2hat)))
+  MLD_IF_NOT_REDUCE_RAM(
+    ensures(forall(k0, 0, MLDSA_K,
+      array_abs_bound(t0->vec.vec[k0].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+    ensures(forall(k1, 0, MLDSA_L,
+      array_abs_bound(s1->vec.vec[k1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+    ensures(forall(k2, 0, MLDSA_K,
+      array_abs_bound(s2->vec.vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  )
+  MLD_IF_REDUCE_RAM(
+    ensures(s1->packed == old(sk) + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES)
+    ensures(s2->packed == old(sk) + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                          MLDSA_L * MLDSA_POLYETA_PACKEDBYTES)
+    ensures(t0->packed == old(sk) + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                          (MLDSA_L + MLDSA_K) * MLDSA_POLYETA_PACKEDBYTES)
+  )
 );
+#endif /* !MLD_CONFIG_NO_SIGN_API */
 
-#define mld_unpack_sig MLD_NAMESPACE_KL(unpack_sig)
-/*************************************************
- * Name:        mld_unpack_sig
- *
- * Description: Unpack signature sig = (c, z, h).
- *
- * Arguments:   - uint8_t *c: pointer to output challenge hash
- *              - mld_polyvecl *z: pointer to output vector z
- *              - mld_polyveck *h: pointer to output hint vector h
- *              - const uint8_t sig[]: byte array containing
- *                bit-packed signature
- *
- * Returns 1 in case of malformed signature; otherwise 0.
- **************************************************/
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
+#define mld_sig_unpack_hints MLD_NAMESPACE_KL(sig_unpack_hints)
+/**
+ * Decode and validate a single row of the hint vector h from a signature
+ * buffer.
+ *
+ * The hint encoding is shared across all rows (a count array followed by a
+ * single index list), so this function performs the validation relevant to
+ * row i:
+ *   - the i'th hint count is non-decreasing and bounded by MLDSA_OMEGA;
+ *   - the indices for row i are strictly ascending;
+ *   - on i == MLDSA_K - 1, the trailing index slots are zero.
+ *
+ * Callers must invoke this for every i in [0, 1, .., MLDSA_K - 1]; if any
+ * call returns MLD_ERR_FAIL the encoding is malformed and the signature must
+ * be rejected.
+ *
+ * @param[out] h   Pointer to output polynomial h[i].
+ * @param[in]  sig Signature buffer.
+ * @param      i   Row index, must be < MLDSA_K.
+ *
+ * @retval 0            Hints were decoded successfully.
+ * @retval MLD_ERR_FAIL Hints are malformed.
+ */
 MLD_INTERNAL_API
 MLD_MUST_CHECK_RETURN_VALUE
-int mld_unpack_sig(uint8_t c[MLDSA_CTILDEBYTES], mld_polyvecl *z,
-                   mld_polyveck *h, const uint8_t sig[MLDSA_CRYPTO_BYTES])
+int mld_sig_unpack_hints(mld_poly *h, const uint8_t sig[MLDSA_CRYPTO_BYTES],
+                         unsigned int i)
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
-  requires(memory_no_alias(c, MLDSA_CTILDEBYTES))
-  requires(memory_no_alias(z, sizeof(mld_polyvecl)))
-  requires(memory_no_alias(h, sizeof(mld_polyveck)))
-  assigns(memory_slice(c, MLDSA_CTILDEBYTES))
-  assigns(memory_slice(z, sizeof(mld_polyvecl)))
-  assigns(memory_slice(h, sizeof(mld_polyveck)))
-  ensures(forall(k0, 0, MLDSA_L,
-    array_bound(z->vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
-  ensures(forall(k1, 0, MLDSA_K,
-    array_bound(h->vec[k1].coeffs, 0, MLDSA_N, 0, 2)))
-  ensures(return_value >= 0 && return_value <= 1)
+  requires(memory_no_alias(h, sizeof(mld_poly)))
+  requires(i < MLDSA_K)
+  assigns(memory_slice(h, sizeof(mld_poly)))
+  ensures(return_value == 0 || return_value == MLD_ERR_FAIL)
+  ensures(return_value == 0 ==> array_bound(h->coeffs, 0, MLDSA_N, 0, 2))
 );
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
+
 #endif /* !MLD_PACKING_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/poly.c

@@ -91,6 +91,8 @@ void mld_poly_caddq(mld_poly *a)
   mld_poly_caddq_c(a);
 }
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_NO_SIGN_API) || \
+    defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
 /* Reference: We use destructive version (output=first input) to avoid
  *            reasoning about aliasing in the CBMC specification */
 MLD_INTERNAL_API
@@ -111,7 +113,10 @@ void mld_poly_add(mld_poly *r, const mld_poly *b)
     r->coeffs[i] = r->coeffs[i] + b->coeffs[i];
   }
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_SIGN_API || \
+          MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
+#if !defined(MLD_CONFIG_NO_SIGN_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
 /* Reference: We use destructive version (output=first input) to avoid
  *            reasoning about aliasing in the CBMC specification */
 MLD_INTERNAL_API
@@ -134,7 +139,9 @@ void mld_poly_sub(mld_poly *r, const mld_poly *b)
 
   mld_assert_bound(r->coeffs, MLDSA_N, INT32_MIN, MLD_REDUCE32_DOMAIN_MAX);
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API || !MLD_CONFIG_NO_VERIFY_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_INTERNAL_API
 void mld_poly_shiftl(mld_poly *a)
 {
@@ -155,7 +162,7 @@ void mld_poly_shiftl(mld_poly *a)
   }
   mld_assert_bound(a->coeffs, MLDSA_N, 0, MLDSA_Q);
 }
-
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
 static MLD_INLINE int32_t mld_fqmul(int32_t a, int32_t b)
 __contract__(
@@ -324,17 +331,15 @@ void mld_poly_ntt(mld_poly *a)
   mld_poly_ntt_c(a);
 }
 
-/*************************************************
- * Name:        mld_fqscale
+/**
+ * Scale a field element by mont/256, i.e., perform Montgomery multiplication
+ * by mont^2/256.
  *
- * Description: Scales a field element by mont/256 , i.e., performs Montgomery
- *              multiplication by mont^2/256.
- *              Input is expected to have absolute value smaller than
- *              256 * MLDSA_Q.
- *              Output has absolute value smaller than MLD_INTT_BOUND.
+ * Input is expected to have absolute value smaller than 256 * MLDSA_Q. Output
+ * has absolute value smaller than MLD_INTT_BOUND.
  *
- * Arguments:   - int32_t a: Field element to be scaled.
- **************************************************/
+ * @param a Field element to be scaled.
+ */
 static MLD_INLINE int32_t mld_fqscale(int32_t a)
 __contract__(
   requires(a > -256*MLDSA_Q && a < 256*MLDSA_Q)
@@ -451,17 +456,17 @@ void mld_poly_invntt_tomont(mld_poly *a)
   mld_poly_invntt_tomont_c(a);
 }
 
-MLD_STATIC_TESTABLE void mld_poly_pointwise_montgomery_c(mld_poly *c,
-                                                         const mld_poly *a,
+#if !defined(MLD_CONFIG_NO_SIGN_API) || !defined(MLD_CONFIG_NO_VERIFY_API) || \
+    defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
+MLD_STATIC_TESTABLE void mld_poly_pointwise_montgomery_c(mld_poly *a,
                                                          const mld_poly *b)
 __contract__(
   requires(memory_no_alias(a, sizeof(mld_poly)))
   requires(memory_no_alias(b, sizeof(mld_poly)))
-  requires(memory_no_alias(c, sizeof(mld_poly)))
   requires(array_abs_bound(a->coeffs, 0, MLDSA_N, MLD_NTT_BOUND))
   requires(array_abs_bound(b->coeffs, 0, MLDSA_N, MLD_NTT_BOUND))
-  assigns(memory_slice(c, sizeof(mld_poly)))
-  ensures(array_abs_bound(c->coeffs, 0, MLDSA_N, MLDSA_Q))
+  assigns(memory_slice(a, sizeof(mld_poly)))
+  ensures(array_abs_bound(a->coeffs, 0, MLDSA_N, MLDSA_Q))
 )
 {
   unsigned int i;
@@ -471,33 +476,36 @@ __contract__(
   for (i = 0; i < MLDSA_N; ++i)
   __loop__(
     invariant(i <= MLDSA_N)
-    invariant(array_abs_bound(c->coeffs, 0, i, MLDSA_Q))
+    invariant(array_abs_bound(a->coeffs, 0, i, MLDSA_Q))
+    invariant(array_abs_bound(a->coeffs, i, MLDSA_N, MLD_NTT_BOUND))
     decreases(MLDSA_N - i)
   )
   {
-    c->coeffs[i] = mld_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
+    a->coeffs[i] = mld_montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
   }
-  mld_assert_abs_bound(c->coeffs, MLDSA_N, MLDSA_Q);
+  mld_assert_abs_bound(a->coeffs, MLDSA_N, MLDSA_Q);
 }
 
 MLD_INTERNAL_API
-void mld_poly_pointwise_montgomery(mld_poly *c, const mld_poly *a,
-                                   const mld_poly *b)
+void mld_poly_pointwise_montgomery(mld_poly *a, const mld_poly *b)
 {
 #if defined(MLD_USE_NATIVE_POINTWISE_MONTGOMERY)
   int ret;
   mld_assert_abs_bound(a->coeffs, MLDSA_N, MLD_NTT_BOUND);
   mld_assert_abs_bound(b->coeffs, MLDSA_N, MLD_NTT_BOUND);
-  ret = mld_poly_pointwise_montgomery_native(c->coeffs, a->coeffs, b->coeffs);
+  ret = mld_poly_pointwise_montgomery_native(a->coeffs, b->coeffs);
   if (ret == MLD_NATIVE_FUNC_SUCCESS)
   {
-    mld_assert_abs_bound(c->coeffs, MLDSA_N, MLDSA_Q);
+    mld_assert_abs_bound(a->coeffs, MLDSA_N, MLDSA_Q);
     return;
   }
 #endif /* MLD_USE_NATIVE_POINTWISE_MONTGOMERY */
-  mld_poly_pointwise_montgomery_c(c, a, b);
+  mld_poly_pointwise_montgomery_c(a, b);
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API || !MLD_CONFIG_NO_VERIFY_API || \
+          MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_INTERNAL_API
 void mld_poly_power2round(mld_poly *a1, mld_poly *a0, const mld_poly *a)
 {
@@ -508,6 +516,7 @@ void mld_poly_power2round(mld_poly *a1, mld_poly *a0, const mld_poly *a)
   __loop__(
     assigns(i, memory_slice(a0, sizeof(mld_poly)), memory_slice(a1, sizeof(mld_poly)))
     invariant(i <= MLDSA_N)
+    invariant(forall(k0, i, MLDSA_N, a->coeffs[k0] == loop_entry(*a).coeffs[k0]))
     invariant(array_bound(a0->coeffs, 0, i, -(MLD_2_POW_D/2)+1, (MLD_2_POW_D/2)+1))
     invariant(array_bound(a1->coeffs, 0, i, 0, ((MLDSA_Q - 1) / MLD_2_POW_D) + 1))
     decreases(MLDSA_N - i)
@@ -520,6 +529,7 @@ void mld_poly_power2round(mld_poly *a1, mld_poly *a0, const mld_poly *a)
                    (MLD_2_POW_D / 2) + 1);
   mld_assert_bound(a1->coeffs, MLDSA_N, 0, ((MLDSA_Q - 1) / MLD_2_POW_D) + 1);
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
 #ifndef MLD_POLY_UNIFORM_NBLOCKS
 #define MLD_POLY_UNIFORM_NBLOCKS \
@@ -575,23 +585,19 @@ __contract__(
 
   return ctr;
 }
-/*************************************************
- * Name:        mld_rej_uniform
- *
- * Description: Sample uniformly random coefficients in [0, MLDSA_Q-1] by
- *              performing rejection sampling on array of random bytes.
+/**
+ * Sample uniformly random coefficients in [0, MLDSA_Q-1] by performing
+ * rejection sampling on an array of random bytes.
  *
- * Arguments:   - int32_t *a: pointer to output array (allocated)
- *              - unsigned int target:  requested number of coefficients to
- *sample
- *              - unsigned int offset:  number of coefficients already sampled
- *              - const uint8_t *buf: array of random bytes to sample from
- *              - unsigned int buflen: length of array of random bytes (must be
- *                multiple of 3)
+ * @param[out] a      Pointer to output array (allocated).
+ * @param      target Requested number of coefficients to sample.
+ * @param      offset Number of coefficients already sampled.
+ * @param[in]  buf    Array of random bytes to sample from.
+ * @param      buflen Length of array of random bytes (must be multiple of 3).
  *
- * Returns number of sampled coefficients. Can be smaller than len if not enough
- * random bytes were given.
- **************************************************/
+ * @return Number of sampled coefficients. Can be smaller than len if not
+ *         enough random bytes were given.
+ */
 
 /* Reference: `mld_rej_uniform()` in the reference implementation @[REF].
  *            - Our signature differs from the reference implementation
@@ -670,7 +676,8 @@ void mld_poly_uniform(mld_poly *a, const uint8_t seed[MLDSA_SEEDBYTES + 2])
   mld_zeroize(buf, sizeof(buf));
 }
 
-#if !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY) && !defined(MLD_CONFIG_REDUCE_RAM)
+#if !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY) && \
+    (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST))
 MLD_INTERNAL_API
 void mld_poly_uniform_4x(mld_poly *vec0, mld_poly *vec1, mld_poly *vec2,
                          mld_poly *vec3,
@@ -735,8 +742,10 @@ void mld_poly_uniform_4x(mld_poly *vec0, mld_poly *vec1, mld_poly *vec2,
   mld_zeroize(buf, sizeof(buf));
 }
 
-#endif /* !MLD_CONFIG_SERIAL_FIPS202_ONLY && !MLD_CONFIG_REDUCE_RAM */
+#endif /* !MLD_CONFIG_SERIAL_FIPS202_ONLY && (!MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST) */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_INTERNAL_API
 void mld_polyt1_pack(uint8_t r[MLDSA_POLYT1_PACKEDBYTES], const mld_poly *a)
 {
@@ -761,7 +770,9 @@ void mld_polyt1_pack(uint8_t r[MLDSA_POLYT1_PACKEDBYTES], const mld_poly *a)
     r[5 * i + 4] = (uint8_t)((a->coeffs[4 * i + 3] >> 2) & 0xFF);
   }
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_INTERNAL_API
 void mld_polyt1_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYT1_PACKEDBYTES])
 {
@@ -785,7 +796,9 @@ void mld_polyt1_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYT1_PACKEDBYTES])
 
   mld_assert_bound(r->coeffs, MLDSA_N, 0, 1 << 10);
 }
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_INTERNAL_API
 void mld_polyt0_pack(uint8_t r[MLDSA_POLYT0_PACKEDBYTES], const mld_poly *a)
 {
@@ -833,7 +846,9 @@ void mld_polyt0_pack(uint8_t r[MLDSA_POLYT0_PACKEDBYTES], const mld_poly *a)
     r[13 * i + 12] = (uint8_t)((t[7] >> 5) & 0xFF);
   }
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
+#if !defined(MLD_CONFIG_NO_SIGN_API) || defined(MLD_UNIT_TEST)
 MLD_INTERNAL_API
 void mld_polyt0_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYT0_PACKEDBYTES])
 {
@@ -894,6 +909,7 @@ void mld_polyt0_unpack(mld_poly *r, const uint8_t a[MLDSA_POLYT0_PACKEDBYTES])
   mld_assert_bound(r->coeffs, MLDSA_N, -(1 << (MLDSA_D - 1)) + 1,
                    (1 << (MLDSA_D - 1)) + 1);
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API || MLD_UNIT_TEST */
 
 MLD_STATIC_TESTABLE uint32_t mld_poly_chknorm_c(const mld_poly *a, int32_t B)
 __contract__(