pq_crypto 0.6.1 → 0.6.2

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/sign.c

@@ -48,39 +48,43 @@
 #define mld_compute_pack_z MLD_ADD_PARAM_SET(mld_compute_pack_z)
 #define mld_attempt_signature_generation \
   MLD_ADD_PARAM_SET(mld_attempt_signature_generation) MLD_CONTEXT_PARAMETERS_8
-#define mld_compute_t0_t1_tr_from_sk_components              \
-  MLD_ADD_PARAM_SET(mld_compute_t0_t1_tr_from_sk_components) \
-  MLD_CONTEXT_PARAMETERS_7
-/* End of parameter set namespacing */
-
+#define mld_compute_pack_t0_t1 \
+  MLD_ADD_PARAM_SET(mld_compute_pack_t0_t1) MLD_CONTEXT_PARAMETERS_5
+#define mld_get_max_signing_attempts \
+  MLD_ADD_PARAM_SET(mld_get_max_signing_attempts)
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 static int mld_check_pct(uint8_t const pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                          uint8_t const sk[MLDSA_CRYPTO_SECRETKEYBYTES],
                          MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 __contract__(
   requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
   requires(memory_no_alias(sk, MLDSA_CRYPTO_SECRETKEYBYTES))
-  ensures(return_value == 0
-	  || return_value == MLD_ERR_FAIL
-	  || return_value == MLD_ERR_OUT_OF_MEMORY
-    || return_value == MLD_ERR_RNG_FAIL)
+  ensures(return_value == 0 || MLD_ANY_ERROR(return_value))
 );
 
 #if defined(MLD_CONFIG_KEYGEN_PCT)
-/*************************************************
- * @[FIPS140_3_IG]
- * (https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf)
+/**
+ * Pair-wise Consistency Test (PCT) for DSA keypairs.
+ *
+ * @[FIPS140_3_IG] TE10.35.02
+ * (https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf).
+ *
+ * Validates that a generated public/private key pair can correctly sign and
+ * verify data. Performs signature generation using the private key (sk),
+ * followed by signature verification using the public key (pk).
  *
- * TE10.35.02: Pair-wise Consistency Test (PCT) for DSA keypairs
+ * @note @[FIPS204] requires that public/private key pairs are to be used
+ * only for the calculation and/or verification of digital signatures.
  *
- * Purpose: Validates that a generated public/private key pair can correctly
- * sign and verify data. Test performs signature generation using the private
- * key (sk), followed by signature verification using the public key (pk).
- * Returns 0 if the signature was successfully verified, non-zero if it cannot.
+ * @param[in] pk      Public key.
+ * @param[in] sk      Secret key.
+ * @param     context Application context. Only present when
+ *                    MLD_CONFIG_CONTEXT_PARAMETER is defined; type set by
+ *                    MLD_CONFIG_CONTEXT_PARAMETER_TYPE.
  *
- * Note: @[FIPS204] requires that public/private key pairs are to be used only
- * for the calculation and/of verification of digital signatures.
- **************************************************/
+ * @return 0 if the signature was successfully verified, non-zero otherwise.
+ */
 static int mld_check_pct(uint8_t const pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                          uint8_t const sk[MLDSA_CRYPTO_SECRETKEYBYTES],
                          MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
@@ -195,52 +199,56 @@ __contract__(
 #endif /* !MLD_CONFIG_SERIAL_FIPS202_ONLY */
 }
 
-/*************************************************
- * Name:        mld_compute_t0_t1_tr_from_sk_components
+/**
+ * Compute t = A*s1hat + s2 row by row, decompose each row into t0[k] and
+ * t1[k] via power2round, and bit-pack t1[k] into pk_t1 and t0[k] into the
+ * t0_packed buffer. Used by both keygen and pk_from_sk.
  *
- * Description: Computes t0, t1, tr, and pk from secret key components
- *              rho, s1, s2. This is the shared computation used by
- *              both keygen and generating the public key from the
- *              secret key.
+ * @param[out] pk_t1     Output buffer for packed t1 (size
+ *                       MLDSA_K * MLDSA_POLYT1_PACKEDBYTES; i.e. the t1
+ *                       region of pk).
+ * @param[out] t0_packed Output buffer for packed t0 (size
+ *                       MLDSA_K * MLDSA_POLYT0_PACKEDBYTES).
+ * @param[in]  s1hat     s1 in NTT domain.
+ * @param[in]  s2        s2.
+ * @param[in]  rho       Byte array containing seed rho.
+ * @param      context   Application context. Only present when
+ *                       MLD_CONFIG_CONTEXT_PARAMETER is defined; type set by
+ *                       MLD_CONFIG_CONTEXT_PARAMETER_TYPE.
  *
- * Arguments:   - mld_polyveck *t0: output t0
- *              - mld_polyveck *t1: output t1
- *              - uint8_t tr[MLDSA_TRBYTES]: output tr
- *              - uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES]: output public key
- *              - const uint8_t rho[MLDSA_SEEDBYTES]: input rho
- *              - const mld_polyvecl *s1: input s1
- *              - const mld_polyveck *s2: input s2
- **************************************************/
+ * @return - 0: Success.
+ *         - MLD_ERR_OUT_OF_MEMORY: If MLD_CONFIG_CUSTOM_ALLOC_FREE is used and
+ *           an allocation via MLD_CUSTOM_ALLOC returned NULL.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
-static int mld_compute_t0_t1_tr_from_sk_components(
-    mld_polyveck *t0, mld_polyveck *t1, uint8_t tr[MLDSA_TRBYTES],
-    uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[MLDSA_SEEDBYTES],
-    const mld_polyvecl *s1, const mld_polyveck *s2,
+static int mld_compute_pack_t0_t1(
+    uint8_t pk_t1[MLDSA_K * MLDSA_POLYT1_PACKEDBYTES],
+    uint8_t t0_packed[MLDSA_K * MLDSA_POLYT0_PACKEDBYTES],
+    const mld_polyvecl *s1hat, const mld_polyveck *s2,
+    const uint8_t rho[MLDSA_SEEDBYTES],
     MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 __contract__(
-  requires(memory_no_alias(t0, sizeof(mld_polyveck)))
-  requires(memory_no_alias(t1, sizeof(mld_polyveck)))
-  requires(memory_no_alias(tr, MLDSA_TRBYTES))
-  requires(memory_no_alias(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
-  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
+  requires(memory_no_alias(pk_t1, MLDSA_K * MLDSA_POLYT1_PACKEDBYTES))
+  requires(memory_no_alias(t0_packed, MLDSA_K * MLDSA_POLYT0_PACKEDBYTES))
+  requires(memory_no_alias(s1hat, sizeof(mld_polyvecl)))
   requires(memory_no_alias(s2, sizeof(mld_polyveck)))
-  requires(forall(l0, 0, MLDSA_L, array_bound(s1->vec[l0].coeffs, 0, MLDSA_N, MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
-  requires(forall(k0, 0, MLDSA_K, array_bound(s2->vec[k0].coeffs, 0, MLDSA_N, MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
-  assigns(memory_slice(t0, sizeof(mld_polyveck)))
-  assigns(memory_slice(t1, sizeof(mld_polyveck)))
-  assigns(memory_slice(tr, MLDSA_TRBYTES))
-  assigns(memory_slice(pk, MLDSA_CRYPTO_PUBLICKEYBYTES))
-  ensures(forall(k1, 0, MLDSA_K, array_bound(t0->vec[k1].coeffs, 0, MLDSA_N, -(1<<(MLDSA_D-1)) + 1, (1<<(MLDSA_D-1)) + 1)))
-  ensures(forall(k2, 0, MLDSA_K, array_bound(t1->vec[k2].coeffs, 0, MLDSA_N, 0, 1 << 10)))
+  requires(memory_no_alias(rho, MLDSA_SEEDBYTES))
+  requires(forall(l1, 0, MLDSA_L,
+    array_abs_bound(s1hat->vec[l1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  requires(forall(k2, 0, MLDSA_K,
+    array_bound(s2->vec[k2].coeffs, 0, MLDSA_N,
+      MLD_POLYETA_UNPACK_LOWER_BOUND, MLDSA_ETA + 1)))
+  assigns(memory_slice(pk_t1, MLDSA_K * MLDSA_POLYT1_PACKEDBYTES))
+  assigns(memory_slice(t0_packed, MLDSA_K * MLDSA_POLYT0_PACKEDBYTES))
   ensures(return_value == 0 || return_value == MLD_ERR_OUT_OF_MEMORY))
 {
+  unsigned int k;
   int ret;
   MLD_ALLOC(mat, mld_polymat, 1, context);
-  MLD_ALLOC(s1hat, mld_polyvecl, 1, context);
-  MLD_ALLOC(t, mld_polyveck, 1, context);
+  MLD_ALLOC(t0k, mld_poly, 1, context);
+  MLD_ALLOC(t1k, mld_poly, 1, context);
 
-  if (mat == NULL || s1hat == NULL || t == NULL)
+  if (mat == NULL || t0k == NULL || t1k == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
@@ -249,40 +257,52 @@ __contract__(
   /* Expand matrix */
   mld_polyvec_matrix_expand(mat, rho);
 
-  /* Matrix-vector multiplication */
-  *s1hat = *s1;
-  mld_polyvecl_ntt(s1hat);
-  mld_polyvec_matrix_pointwise_montgomery(t, mat, s1hat);
-  mld_polyveck_invntt_tomont(t);
-
-  /* Add error vector s2 */
-  mld_polyveck_add(t, s2);
-
-  /* Reference: The following reduction is not present in the reference
-   *            implementation. Omitting this reduction requires the output of
-   *            the invntt to be small enough such that the addition of s2 does
-   *            not result in absolute values >= MLDSA_Q. While our C, x86_64,
-   *            and AArch64 invntt implementations produce small enough
-   *            values for this to work out, it complicates the bounds
-   *            reasoning. We instead add an additional reduction, and can
-   *            consequently, relax the bounds requirements for the invntt.
-   */
-  mld_polyveck_reduce(t);
-
-  /* Decompose to get t1, t0 */
-  mld_polyveck_caddq(t);
-  mld_polyveck_power2round(t1, t0, t);
-
-  /* Pack public key and compute tr */
-  mld_pack_pk(pk, rho, t1);
-  mld_shake256(tr, MLDSA_TRBYTES, pk, MLDSA_CRYPTO_PUBLICKEYBYTES);
+  for (k = 0; k < MLDSA_K; k++)
+  __loop__(
+    assigns(k, memory_slice(pk_t1, MLDSA_K * MLDSA_POLYT1_PACKEDBYTES),
+            memory_slice(t0_packed, MLDSA_K * MLDSA_POLYT0_PACKEDBYTES),
+            memory_slice(t0k, sizeof(mld_poly)),
+            memory_slice(t1k, sizeof(mld_poly))
+            MLD_IF_REDUCE_RAM(, memory_slice(mat, sizeof(mld_polymat))))
+    invariant(k <= MLDSA_K)
+    decreases(MLDSA_K - k)
+  )
+  {
+    /* t0k = (A * s1hat)_k in NTT domain */
+    mld_polyvec_matrix_pointwise_montgomery_row(t0k, mat, s1hat, k);
+
+    /* t0k = invNTT(t0k) */
+    mld_poly_invntt_tomont(t0k);
+
+    /* t0k += s2[k] */
+    mld_poly_add(t0k, &s2->vec[k]);
+
+    /* Reference: The following reduction is not present in the reference
+     *            implementation. Omitting this reduction requires the output
+     *            of the invntt to be small enough such that the addition of
+     *            s2 does not result in absolute values >= MLDSA_Q. While our
+     *            C, x86_64, and AArch64 invntt implementations produce small
+     *            enough values for this to work out, it complicates the
+     *            bounds reasoning. We instead add an additional reduction,
+     *            and can consequently, relax the bounds requirements for the
+     *            invntt.
+     */
+    mld_poly_reduce(t0k);
+
+    /* Decompose into t1[k] and t0[k] (in place into t0k). */
+    mld_poly_caddq(t0k);
+    mld_poly_power2round(t1k, t0k, t0k);
+
+    /* Pack t1[k] into pk and t0[k] into the t0 output buffer. */
+    mld_polyt1_pack(pk_t1 + k * MLDSA_POLYT1_PACKEDBYTES, t1k);
+    mld_polyt0_pack(t0_packed + k * MLDSA_POLYT0_PACKEDBYTES, t0k);
+  }
 
   ret = 0;
-
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(t, mld_polyveck, 1, context);
-  MLD_FREE(s1hat, mld_polyvecl, 1, context);
+  MLD_FREE(t1k, mld_poly, 1, context);
+  MLD_FREE(t0k, mld_poly, 1, context);
   MLD_FREE(mat, mld_polymat, 1, context);
   return ret;
 }
@@ -296,16 +316,15 @@ int mld_sign_keypair_internal(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
 {
   int ret;
   const uint8_t *rho, *rhoprime, *key;
+
   MLD_ALLOC(seedbuf, uint8_t, 2 * MLDSA_SEEDBYTES + MLDSA_CRHBYTES, context);
   MLD_ALLOC(inbuf, uint8_t, MLDSA_SEEDBYTES + 2, context);
   MLD_ALLOC(tr, uint8_t, MLDSA_TRBYTES, context);
   MLD_ALLOC(s1, mld_polyvecl, 1, context);
   MLD_ALLOC(s2, mld_polyveck, 1, context);
-  MLD_ALLOC(t1, mld_polyveck, 1, context);
-  MLD_ALLOC(t0, mld_polyveck, 1, context);
 
   if (seedbuf == NULL || inbuf == NULL || tr == NULL || s1 == NULL ||
-      s2 == NULL || t1 == NULL || t0 == NULL)
+      s2 == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
@@ -327,24 +346,38 @@ int mld_sign_keypair_internal(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
   /* Sample s1 and s2 */
   mld_sample_s1_s2(s1, s2, rhoprime);
 
-  /* Compute t0, t1, tr, and pk from rho, s1, s2 */
-  ret = mld_compute_t0_t1_tr_from_sk_components(t0, t1, tr, pk, rho, s1, s2,
-                                                context);
+  /* Pack s1 into sk before NTT */
+  mld_pack_sk_s1(sk, s1);
+
+  /* NTT s1 in place to use as s1hat */
+  mld_polyvecl_ntt(s1);
+
+  /* Pack rho into pk */
+  mld_memcpy(pk, rho, MLDSA_SEEDBYTES);
+
+  /* Compute t = A*s1hat + s2 row by row, decompose into t1/t0, and pack
+   * t1 into pk and t0 directly into the t0 region of sk. */
+  ret = mld_compute_pack_t0_t1(pk + MLDSA_SEEDBYTES,
+                               sk + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                                   MLDSA_L * MLDSA_POLYETA_PACKEDBYTES +
+                                   MLDSA_K * MLDSA_POLYETA_PACKEDBYTES,
+                               s1, s2, rho, context);
   if (ret != 0)
   {
     goto cleanup;
   }
 
-  /* Pack secret key */
-  mld_pack_sk(sk, rho, tr, key, t0, s1, s2);
+  /* Compute tr = H(pk) */
+  mld_shake256(tr, MLDSA_TRBYTES, pk, MLDSA_CRYPTO_PUBLICKEYBYTES);
+
+  /* Pack remaining secret key components (s1 and t0 already packed) */
+  mld_pack_sk_rho_key_tr_s2(sk, rho, tr, key, s2);
 
   /* Constant time: pk is the public key, inherently public data */
   MLD_CT_TESTING_DECLASSIFY(pk, MLDSA_CRYPTO_PUBLICKEYBYTES);
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(t0, mld_polyveck, 1, context);
-  MLD_FREE(t1, mld_polyveck, 1, context);
   MLD_FREE(s2, mld_polyveck, 1, context);
   MLD_FREE(s1, mld_polyvecl, 1, context);
   MLD_FREE(tr, uint8_t, MLDSA_TRBYTES, context);
@@ -361,6 +394,7 @@ cleanup:
   return mld_check_pct(pk, sk, context);
 }
 
+#if !defined(MLD_CONFIG_CORE_API_ONLY)
 #if !defined(MLD_CONFIG_NO_RANDOMIZED_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
@@ -368,45 +402,48 @@ int mld_sign_keypair(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                      uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
                      MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 {
-  MLD_ALIGN uint8_t seed[MLDSA_SEEDBYTES];
   int ret;
+  MLD_ALLOC(seed, uint8_t, MLDSA_SEEDBYTES, context);
+
+  if (seed == NULL)
+  {
+    ret = MLD_ERR_OUT_OF_MEMORY;
+    goto cleanup;
+  }
+
   if (mld_randombytes(seed, MLDSA_SEEDBYTES) != 0)
   {
     ret = MLD_ERR_RNG_FAIL;
     goto cleanup;
   }
-  MLD_CT_TESTING_SECRET(seed, sizeof(seed));
+  MLD_CT_TESTING_SECRET(seed, MLDSA_SEEDBYTES);
   ret = mld_sign_keypair_internal(pk, sk, seed, context);
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  mld_zeroize(seed, sizeof(seed));
+  MLD_FREE(seed, uint8_t, MLDSA_SEEDBYTES, context);
   return ret;
 }
 #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
+#endif /* !MLD_CONFIG_CORE_API_ONLY */
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
-/*************************************************
- * Name:        mld_H
- *
- * Description: Abstracts application of SHAKE256 to
- *              one, two or three blocks of data,
- *              yielding a user-requested size of
- *              output.
+#if !defined(MLD_CONFIG_NO_SIGN_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
+/**
+ * Abstracts application of SHAKE256 to one, two or three blocks of data,
+ * yielding a user-requested size of output.
  *
- * Arguments:   - uint8_t *out: pointer to output
- *              - size_t outlen: requested output length in bytes
- *              - const uint8_t *in1: pointer to input block 1
- *                                    Must NOT be NULL
- *              - size_t in1len: length of input in1 bytes
- *              - const uint8_t *in2: pointer to input block 2
- *                                    May be NULL if in2len=0, in which case
- *                                    this block is ignored
- *              - size_t in2len: length of input in2 bytes
- *              - const uint8_t *in3: pointer to input block 3
- *                                    May be NULL if in3len=0, in which case
- *                                    this block is ignored
- *              - size_t in3len: length of input in3 bytes
- **************************************************/
+ * @param[out] out    Pointer to output.
+ * @param      outlen Requested output length in bytes.
+ * @param[in]  in1    Pointer to input block 1. Must NOT be NULL.
+ * @param      in1len Length of input in1 in bytes.
+ * @param[in]  in2    Pointer to input block 2. May be NULL if in2len == 0,
+ *                    in which case this block is ignored.
+ * @param      in2len Length of input in2 in bytes.
+ * @param[in]  in3    Pointer to input block 3. May be NULL if in3len == 0,
+ *                    in which case this block is ignored.
+ * @param      in3len Length of input in3 in bytes.
+ */
 static void mld_H(uint8_t *out, size_t outlen, const uint8_t *in1,
                   size_t in1len, const uint8_t *in2, size_t in2len,
                   const uint8_t *in3, size_t in3len)
@@ -440,44 +477,62 @@ __contract__(
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(&state, sizeof(state));
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API || !MLD_CONFIG_NO_VERIFY_API */
 
-/*************************************************
- * Name:        mld_compute_pack_z
- *
- * Description: Computes z = y + s1*c, checks that z has coefficients smaller
- *              than MLDSA_GAMMA1 - MLDSA_BETA, and packs z into the
- *              signature buffer.
+#if !defined(MLD_CONFIG_NO_SIGN_API)
+/* Reference: The reference implementation does not explicitly check the
+ * maximum nonce value, but instead loops indefinitely (even when the nonce
+ * would overflow). Internally, sampling of y uses
+ * (nonce*L), (nonce*L+1), ..., (nonce*L + L - 1).
+ * Hence, there are no overflows if nonce < (UINT16_MAX - L)/L.
+ * Explicitly checking for this explicitly allows us to prove type-safety. */
+#define MLD_NONCE_UB ((UINT16_MAX - MLDSA_L) / MLDSA_L)
+
+/**
+ * Compute z = y + s1*c, check that z has coefficients smaller than
+ * MLDSA_GAMMA1 - MLDSA_BETA, and pack z into the signature buffer.
  *
- * Arguments:   - uint8_t *sig: output signature
- *              - const mld_poly *cp: challenge polynomial
- *              - const polyvecl *s1: secret vector s1
- *              - const polyvecl *y: masking vector y
+ * @reference{This function is inlined into mld_sign_signature in the
+ * reference implementation.}
  *
- * Returns:     - 0: Success (z has coefficients smaller than
- *                   MLDSA_GAMMA1 - MLDSA_BETA,)
- *              - MLD_ERR_FAIL: z rejected (norm check failed)
- *              - MLD_ERR_OUT_OF_MEMORY: If MLD_CONFIG_CUSTOM_ALLOC_FREE is
- *                  used and an allocation via MLD_CUSTOM_ALLOC returned NULL.
+ * @param[in,out] sig   Output signature.
+ * @param[in]     cp    Challenge polynomial.
+ * @param[in]     s1hat Secret vector s1 in NTT domain.
+ * @param[in]     y     Masking vector y (or seed in REDUCE_RAM mode).
+ * @param[out]    z     Scratch polynomial for z computation.
+ * @param[out]    tmp   Scratch polynomial.
  *
- * Reference: This function is inlined into mld_sign_signature in the
- *            reference implementation.
- **************************************************/
+ * @return - 0: Success (z has coefficients smaller than
+ *           MLDSA_GAMMA1 - MLDSA_BETA).
+ *         - MLD_ERR_FAIL: z rejected (norm check failed).
+ *         - MLD_ERR_OUT_OF_MEMORY: If MLD_CONFIG_CUSTOM_ALLOC_FREE is used and
+ *           an allocation via MLD_CUSTOM_ALLOC returned NULL.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static int mld_compute_pack_z(uint8_t sig[MLDSA_CRYPTO_BYTES],
-                              const mld_poly *cp, const mld_polyvecl *s1,
-                              const mld_polyvecl *y, mld_poly *z)
+                              const mld_poly *cp, const mld_sk_s1hat *s1hat,
+                              const mld_yvec *y, mld_poly *z, mld_poly *tmp)
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(cp, sizeof(mld_poly)))
-  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
-  requires(memory_no_alias(y, sizeof(mld_polyvecl)))
+  requires(memory_no_alias(s1hat, sizeof(mld_sk_s1hat)))
+  requires(memory_no_alias(y, sizeof(mld_yvec)))
   requires(memory_no_alias(z, sizeof(mld_poly)))
+  requires(memory_no_alias(tmp, sizeof(mld_poly)))
   requires(array_abs_bound(cp->coeffs, 0, MLDSA_N, MLD_NTT_BOUND))
-  requires(forall(k0, 0, MLDSA_L,
-    array_bound(y->vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
-  requires(forall(k1, 0, MLDSA_L, array_abs_bound(s1->vec[k1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  MLD_IF_NOT_REDUCE_RAM(
+    requires(forall(k0, 0, MLDSA_L,
+      array_bound(y->vec.vec[k0].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
+    requires(forall(k1, 0, MLDSA_L, array_abs_bound(s1hat->vec.vec[k1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  )
+  MLD_IF_REDUCE_RAM(
+    requires(memory_no_alias(s1hat->packed, MLDSA_L * MLDSA_POLYETA_PACKEDBYTES))
+    requires(memory_no_alias(y->rhoprime, MLDSA_CRHBYTES))
+    requires(y->nonce <= MLD_NONCE_UB)
+  )
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
   assigns(memory_slice(z, sizeof(mld_poly)))
+  assigns(memory_slice(tmp, sizeof(mld_poly)))
   ensures(return_value == 0 || return_value == MLD_ERR_FAIL ||
           return_value == MLD_ERR_OUT_OF_MEMORY)
 )
@@ -486,14 +541,18 @@ __contract__(
   uint32_t z_invalid;
   for (i = 0; i < MLDSA_L; i++)
   __loop__(
-    assigns(i, memory_slice(z, sizeof(mld_poly)), memory_slice(sig, MLDSA_CRYPTO_BYTES))
+    assigns(i, memory_slice(z, sizeof(mld_poly)),
+            memory_slice(tmp, sizeof(mld_poly)),
+            memory_slice(sig, MLDSA_CRYPTO_BYTES))
     invariant(i <= MLDSA_L)
     decreases(MLDSA_L - i)
   )
   {
-    mld_poly_pointwise_montgomery(z, cp, &s1->vec[i]);
+    mld_sk_s1hat_get_poly(z, s1hat, i);
+    mld_poly_pointwise_montgomery(z, cp);
     mld_poly_invntt_tomont(z);
-    mld_poly_add(z, &y->vec[i]);
+    mld_yvec_get_poly(tmp, y, i);
+    mld_poly_add(z, tmp);
     mld_poly_reduce(z);
 
     z_invalid = mld_poly_chknorm(z, MLDSA_GAMMA1 - MLDSA_BETA);
@@ -521,118 +580,133 @@ __contract__(
   return 0;
 }
 
-/* Reference: The reference implementation does not explicitly check the
- * maximum nonce value, but instead loops indefinitely (even when the nonce
- * would overflow). Internally, sampling of y uses
- * (nonceL), (nonceL+1), ... (nonce*L+L-1).
- * Hence, there are no overflows if nonce < (UINT16_MAX - L)/L.
- * Explicitly checking for this explicitly allows us to prove type-safety.
- * Note that FIPS204 explicitly allows an upper-bound this loop of
- * 814 (< (UINT16_MAX - L)/L) - see @[FIPS204, Appendix C]. */
-#define MLD_NONCE_UB ((UINT16_MAX - MLDSA_L) / MLDSA_L)
+/* User-facing bound on signing attempts. See MLD_CONFIG_MAX_SIGNING_ATTEMPTS
+ * in mldsa_native_config.h. Default is chosen so that failure probability
+ * is < 2^{-256}, that is, signatures will practically always succeed. */
+#ifndef MLD_CONFIG_MAX_SIGNING_ATTEMPTS
+#define MLD_CONFIG_MAX_SIGNING_ATTEMPTS MLD_NONCE_UB
+#endif
 
-/*************************************************
- * Name:        attempt_signature_generation
- *
- * Description: Attempts to generate a single signature.
+#if !defined(MLD_ALLOW_NONCOMPLIANT_SIGNING_BOUND) && \
+    MLD_CONFIG_MAX_SIGNING_ATTEMPTS < 814
+#error Bad configuration: MLD_CONFIG_MAX_SIGNING_ATTEMPTS must be >= 814 for FIPS 204 compliance @[FIPS204, Appendix C]
+#endif
+
+#if MLD_CONFIG_MAX_SIGNING_ATTEMPTS < 1
+#error Bad configuration: MLD_CONFIG_MAX_SIGNING_ATTEMPTS must be >= 1
+#endif
+
+#if MLD_CONFIG_MAX_SIGNING_ATTEMPTS > MLD_NONCE_UB
+#error Bad configuration: MLD_CONFIG_MAX_SIGNING_ATTEMPTS exceeds the maximum allowed value.
+#endif
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE uint16_t mld_get_max_signing_attempts(void)
+__contract__(
+  ensures(return_value >= 1)
+  ensures(return_value <= MLD_NONCE_UB)
+)
+{
+  /* cassert(0) ensures CBMC uses the contract rather than inlining the body,
+   * keeping proofs agnostic of the configured value. */
+  cassert(0);
+  return MLD_CONFIG_MAX_SIGNING_ATTEMPTS;
+}
+
+/**
+ * Attempt to generate a single signature.
  *
- * Arguments:   - uint8_t *sig: pointer to output signature
- *              - const uint8_t *mu: pointer to message or hash
- *                                   of exactly MLDSA_CRHBYTES bytes
- *              - const uint8_t *rhoprime: pointer to randomness seed
- *              - uint16_t nonce: current nonce value
- *              - const mld_polymat *mat: expanded matrix
- *              - const polyvecl *s1: secret vector s1
- *              - const polyveck *s2: secret vector s2
- *              - const polyveck *t0: vector t0
+ * @reference{This code differs from the reference implementation in that it
+ * factors out the core signature generation step into a distinct function
+ * here in order to improve efficiency of CBMC proof.}
  *
- * Returns:     - 0: Signature generation succeeded
- *              - MLD_ERR_FAIL: Signature rejected (norm check failed)
- *              - MLD_ERR_OUT_OF_MEMORY: If MLD_CONFIG_CUSTOM_ALLOC_FREE is
- *                  used and an allocation via MLD_CUSTOM_ALLOC returned NULL.
+ * @param[out] sig      Pointer to output signature.
+ * @param[in]  mu       Pointer to message or hash of exactly MLDSA_CRHBYTES
+ *                      bytes.
+ * @param[in]  rhoprime Pointer to randomness seed.
+ * @param      nonce    Current nonce value.
+ * @param[in]  mat      Expanded matrix.
+ * @param[in]  s1hat    Secret vector s1 in NTT domain.
+ * @param[in]  s2hat    Secret vector s2 in NTT domain.
+ * @param[in]  t0hat    Vector t0 in NTT domain.
+ * @param      context  Application context. Only present when
+ *                      MLD_CONFIG_CONTEXT_PARAMETER is defined; type set by
+ *                      MLD_CONFIG_CONTEXT_PARAMETER_TYPE.
  *
- * Reference: This code differs from the reference implementation
- *            in that it factors out the core signature generation
- *            step into a distinct function here in order to improve
- *            efficiency of CBMC proof.
- **************************************************/
+ * @return - 0: Signature generation succeeded.
+ *         - MLD_ERR_FAIL: Signature rejected (norm check failed).
+ *         - MLD_ERR_OUT_OF_MEMORY: If MLD_CONFIG_CUSTOM_ALLOC_FREE is used and
+ *           an allocation via MLD_CUSTOM_ALLOC returned NULL.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static int mld_attempt_signature_generation(
     uint8_t sig[MLDSA_CRYPTO_BYTES], const uint8_t *mu,
     const uint8_t rhoprime[MLDSA_CRHBYTES], uint16_t nonce, mld_polymat *mat,
-    const mld_polyvecl *s1, const mld_polyveck *s2, const mld_polyveck *t0,
-    MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
+    const mld_sk_s1hat *s1hat, const mld_sk_s2hat *s2hat,
+    const mld_sk_t0hat *t0hat, MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 __contract__(
   requires(memory_no_alias(sig, MLDSA_CRYPTO_BYTES))
   requires(memory_no_alias(mu, MLDSA_CRHBYTES))
   requires(memory_no_alias(rhoprime, MLDSA_CRHBYTES))
   requires(memory_no_alias(mat, sizeof(mld_polymat)))
-  requires(memory_no_alias(s1, sizeof(mld_polyvecl)))
-  requires(memory_no_alias(s2, sizeof(mld_polyveck)))
-  requires(memory_no_alias(t0, sizeof(mld_polyveck)))
+  requires(memory_no_alias(s1hat, sizeof(mld_sk_s1hat)))
+  requires(memory_no_alias(s2hat, sizeof(mld_sk_s2hat)))
+  requires(memory_no_alias(t0hat, sizeof(mld_sk_t0hat)))
   requires(nonce <= MLD_NONCE_UB)
-  requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-                                         array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
-  requires(forall(k2, 0, MLDSA_K, array_abs_bound(t0->vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
-  requires(forall(k3, 0, MLDSA_L, array_abs_bound(s1->vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
-  requires(forall(k4, 0, MLDSA_K, array_abs_bound(s2->vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  MLD_IF_NOT_REDUCE_RAM(
+    requires(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+                                           array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+    requires(forall(k2, 0, MLDSA_K, array_abs_bound(t0hat->vec.vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+    requires(forall(k3, 0, MLDSA_L, array_abs_bound(s1hat->vec.vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+    requires(forall(k4, 0, MLDSA_K, array_abs_bound(s2hat->vec.vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+  )
+  MLD_IF_REDUCE_RAM(
+    requires(memory_no_alias(s1hat->packed, MLDSA_L * MLDSA_POLYETA_PACKEDBYTES))
+    requires(memory_no_alias(s2hat->packed, MLDSA_K * MLDSA_POLYETA_PACKEDBYTES))
+    requires(memory_no_alias(t0hat->packed, MLDSA_K * MLDSA_POLYT0_PACKEDBYTES))
+  )
   assigns(memory_slice(sig, MLDSA_CRYPTO_BYTES))
+  MLD_IF_REDUCE_RAM(
+    assigns(memory_slice(mat, sizeof(mld_polymat)))
+  )
   ensures(return_value == 0 || return_value == MLD_ERR_FAIL ||
           return_value == MLD_ERR_OUT_OF_MEMORY)
 )
 {
-  unsigned int n;
+  unsigned int k;
   uint32_t w0_invalid, h_invalid;
   int ret;
-  /* TODO: Remove the following workaround for
-   * https://github.com/diffblue/cbmc/issues/8813 */
-  typedef MLD_UNION_OR_STRUCT
-  {
-    mld_polyvecl y;
-    mld_polyveck h;
-  }
-  yh_u;
-  mld_polyvecl *y;
-  mld_polyveck *h;
 
-  /* TODO: Remove the following workaround for
-   * https://github.com/diffblue/cbmc/issues/8813 */
-  typedef MLD_UNION_OR_STRUCT
+  typedef union
   {
     mld_polyveck w1;
     mld_polyvecl tmp;
-  }
-  w1tmp_u;
+  } w1tmp_u;
   mld_polyveck *w1;
   mld_polyvecl *tmp;
 
   MLD_ALLOC(challenge_bytes, uint8_t, MLDSA_CTILDEBYTES, context);
-  MLD_ALLOC(yh, yh_u, 1, context);
+  MLD_ALLOC(y, mld_yvec, 1, context);
   MLD_ALLOC(z, mld_poly, 1, context);
   MLD_ALLOC(w1tmp, w1tmp_u, 1, context);
   MLD_ALLOC(w0, mld_polyveck, 1, context);
   MLD_ALLOC(cp, mld_poly, 1, context);
   MLD_ALLOC(t, mld_poly, 1, context);
 
-  if (challenge_bytes == NULL || yh == NULL || z == NULL || w1tmp == NULL ||
+  if (challenge_bytes == NULL || y == NULL || z == NULL || w1tmp == NULL ||
       w0 == NULL || cp == NULL || t == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
-  y = &yh->y;
-  h = &yh->h;
   w1 = &w1tmp->w1;
   tmp = &w1tmp->tmp;
 
-  /* Sample intermediate vector y */
-  mld_polyvecl_uniform_gamma1(y, rhoprime, nonce);
+  /* Sample/initialize intermediate vector y */
+  mld_yvec_init(y, rhoprime, nonce);
 
-  /* Matrix-vector multiplication */
-  *tmp = *y;
-  mld_polyvecl_ntt(tmp);
-  mld_polyvec_matrix_pointwise_montgomery(w0, mat, tmp);
-  mld_polyveck_invntt_tomont(w0);
+  /* Matrix-vector multiplication, fused with y sampling in REDUCE_RAM mode */
+  mld_polyvec_matrix_pointwise_montgomery_yvec(w0, mat, y, tmp);
 
   /* Decompose w and call the random oracle */
   mld_polyveck_caddq(w0);
@@ -650,63 +724,84 @@ __contract__(
   mld_poly_ntt(cp);
 
   /* Compute z, reject if it reveals secret */
-  ret = mld_compute_pack_z(sig, cp, s1, y, t);
-  if (ret)
+  ret = mld_compute_pack_z(sig, cp, s1hat, y, t, z);
+  if (ret != 0)
   {
     goto cleanup;
   }
 
-  /* Check that subtracting cs2 does not change high bits of w and low bits
-   * do not reveal secret information */
-  mld_polyveck_pointwise_poly_montgomery(h, cp, s2);
-  mld_polyveck_invntt_tomont(h);
-  mld_polyveck_sub(w0, h);
-  mld_polyveck_reduce(w0);
-
-  w0_invalid = mld_polyveck_chknorm(w0, MLDSA_GAMMA2 - MLDSA_BETA);
-  /* Constant time: w0_invalid may be leaked - see comment for z_invalid. */
-  MLD_CT_TESTING_DECLASSIFY(&w0_invalid, sizeof(uint32_t));
-  if (w0_invalid)
+  /* Compute w0 - cs2 + ct0 per-component, checking norms incrementally.
+   * This avoids allocating a full polyveck for h. */
+  for (k = 0; k < MLDSA_K; k++)
+  __loop__(
+    assigns(k,
+            object_whole(z),
+            object_whole(w0))
+    invariant(k <= MLDSA_K)
+    invariant(forall(k0, k, MLDSA_K,
+      array_abs_bound(w0->vec[k0].coeffs, 0, MLDSA_N, MLDSA_GAMMA2 + 1)))
+    decreases(MLDSA_K - k)
+  )
   {
-    ret = MLD_ERR_FAIL; /* reject */
-    goto cleanup;
-  }
+    /* Compute cs2[k] and subtract from w0[k] */
+    mld_sk_s2hat_get_poly(z, s2hat, k);
+    mld_poly_pointwise_montgomery(z, cp);
+    mld_poly_invntt_tomont(z);
 
-  /* Compute hints for w1 */
-  mld_polyveck_pointwise_poly_montgomery(h, cp, t0);
-  mld_polyveck_invntt_tomont(h);
-  mld_polyveck_reduce(h);
+    mld_poly_sub(&w0->vec[k], z);
+    mld_poly_reduce(&w0->vec[k]);
 
-  h_invalid = mld_polyveck_chknorm(h, MLDSA_GAMMA2);
-  /* Constant time: h_invalid may be leaked - see comment for z_invalid. */
-  MLD_CT_TESTING_DECLASSIFY(&h_invalid, sizeof(uint32_t));
-  if (h_invalid)
-  {
-    ret = MLD_ERR_FAIL; /* reject */
-    goto cleanup;
-  }
+    /* Check that subtracting cs2 does not change high bits of w and low bits
+     * do not reveal secret information */
+    w0_invalid = mld_poly_chknorm(&w0->vec[k], MLDSA_GAMMA2 - MLDSA_BETA);
+    /* Constant time: w0_invalid may be leaked - see comment for z_invalid. */
+    MLD_CT_TESTING_DECLASSIFY(&w0_invalid, sizeof(uint32_t));
+    if (w0_invalid)
+    {
+      ret = MLD_ERR_FAIL; /* reject */
+      goto cleanup;
+    }
 
-  mld_polyveck_add(w0, h);
+    /* Compute ct0[k], check norm, and add to w0[k] */
+    mld_sk_t0hat_get_poly(z, t0hat, k);
+    mld_poly_pointwise_montgomery(z, cp);
+    mld_poly_invntt_tomont(z);
+    mld_poly_reduce(z);
+
+    h_invalid = mld_poly_chknorm(z, MLDSA_GAMMA2);
+    /* Constant time: h_invalid may be leaked - see comment for z_invalid. */
+    MLD_CT_TESTING_DECLASSIFY(&h_invalid, sizeof(uint32_t));
+    if (h_invalid)
+    {
+      ret = MLD_ERR_FAIL; /* reject */
+      goto cleanup;
+    }
+
+    mld_poly_add(&w0->vec[k], z);
+  }
 
   /* Constant time: At this point all norm checks have passed and we, hence,
    * know that the signature does not leak any secret information.
    * Consequently, any value that can be computed from the signature and public
    * key is considered public.
    * w0 and w1 are public as they can be computed from Az - ct = \alpha w1 + w0.
-   * h=c*t0 is public as both c and t0 are public.
-   * For a more detailed discussion, refer to https://eprint.iacr.org/2022/1406.
+   * h=c*t0 is public as both c and t0 are considered public.
+   * While t0 is not part of the public key, it can be reconstructed from
+   * a small number of signatures and need not be regarded as secret
+   * (see @[FIPS204, Section 6.1]).
    */
   MLD_CT_TESTING_DECLASSIFY(w0, sizeof(*w0));
   MLD_CT_TESTING_DECLASSIFY(w1, sizeof(*w1));
-  n = mld_polyveck_make_hint(h, w0, w1);
-  if (n > MLDSA_OMEGA)
+
+  /* Pack challenge bytes and hints. */
+  mld_pack_sig_c(sig, challenge_bytes);
+
+  ret = mld_pack_sig_h(sig, w0, w1);
+  if (ret != 0)
   {
-    ret = MLD_ERR_FAIL; /* reject */
     goto cleanup;
   }
 
-  /* All is well - write signature */
-  mld_pack_sig_c_h(sig, challenge_bytes, h, n);
   /* Constant time: At this point it is clear that the signature is valid - it
    * can, hence, be considered public. */
   MLD_CT_TESTING_DECLASSIFY(sig, MLDSA_CRYPTO_BYTES);
@@ -719,7 +814,7 @@ cleanup:
   MLD_FREE(w0, mld_polyveck, 1, context);
   MLD_FREE(w1tmp, w1tmp_u, 1, context);
   MLD_FREE(z, mld_poly, 1, context);
-  MLD_FREE(yh, yh_u, 1, context);
+  MLD_FREE(y, mld_yvec, 1, context);
   MLD_FREE(challenge_bytes, uint8_t, MLDSA_CTILDEBYTES, context);
 
   return ret;
@@ -737,14 +832,16 @@ int mld_sign_signature_internal(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
   int ret;
   uint8_t *rho, *tr, *key, *mu, *rhoprime;
   uint16_t nonce = 0;
+  const uint16_t nonce_limit = mld_get_max_signing_attempts();
   MLD_ALLOC(seedbuf, uint8_t,
             2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES + 2 * MLDSA_CRHBYTES, context);
   MLD_ALLOC(mat, mld_polymat, 1, context);
-  MLD_ALLOC(s1, mld_polyvecl, 1, context);
-  MLD_ALLOC(t0, mld_polyveck, 1, context);
-  MLD_ALLOC(s2, mld_polyveck, 1, context);
+  MLD_ALLOC(s1hat, mld_sk_s1hat, 1, context);
+  MLD_ALLOC(t0hat, mld_sk_t0hat, 1, context);
+  MLD_ALLOC(s2hat, mld_sk_s2hat, 1, context);
 
-  if (seedbuf == NULL || mat == NULL || s1 == NULL || t0 == NULL || s2 == NULL)
+  if (seedbuf == NULL || mat == NULL || s1hat == NULL || t0hat == NULL ||
+      s2hat == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
@@ -755,7 +852,7 @@ int mld_sign_signature_internal(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
   key = tr + MLDSA_TRBYTES;
   mu = key + MLDSA_SEEDBYTES;
   rhoprime = mu + MLDSA_CRHBYTES;
-  mld_unpack_sk(rho, tr, key, t0, s1, s2, sk);
+  mld_unpack_sk(rho, tr, key, t0hat, s1hat, s2hat, sk);
 
   if (!externalmu)
   {
@@ -776,47 +873,46 @@ int mld_sign_signature_internal(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
   MLD_CT_TESTING_DECLASSIFY(rho, MLDSA_SEEDBYTES);
   /* Expand matrix and transform vectors */
   mld_polyvec_matrix_expand(mat, rho);
-  mld_polyvecl_ntt(s1);
-  mld_polyveck_ntt(s2);
-  mld_polyveck_ntt(t0);
-
-  /* By default, return failure. Flip to success and write output
-   * once signature generation succeeds. */
-  ret = MLD_ERR_FAIL;
 
   /* Reference: This code is re-structured using a while(1),  */
   /* with explicit "continue" statements (rather than "goto") */
   /* to implement rejection of invalid signatures.            */
   while (1)
   __loop__(
-    assigns(nonce, ret, object_whole(siglen), memory_slice(sig, MLDSA_CRYPTO_BYTES))
-    invariant(nonce <= MLD_NONCE_UB)
+    MLD_IF_NOT_REDUCE_RAM(
+      assigns(nonce, ret, object_whole(siglen), memory_slice(sig, MLDSA_CRYPTO_BYTES))
+    )
+    MLD_IF_REDUCE_RAM(
+      assigns(nonce, ret, object_whole(siglen), memory_slice(sig, MLDSA_CRYPTO_BYTES),
+              memory_slice(mat, sizeof(mld_polymat)))
+    )
+    invariant(nonce <= nonce_limit)
 
     /* t0, s1, s2, and mat are initialized above and are NOT changed by this */
     /* loop. We can therefore re-assert their bounds here as part of the     */
     /* loop invariant. This makes proof noticeably faster with CBMC          */
-    invariant(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
-              array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
-    invariant(forall(k2, 0, MLDSA_K, array_abs_bound(t0->vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
-    invariant(forall(k3, 0, MLDSA_L, array_abs_bound(s1->vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
-    invariant(forall(k4, 0, MLDSA_K, array_abs_bound(s2->vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
-    invariant(ret == MLD_ERR_FAIL)
-    decreases(MLD_NONCE_UB - nonce)
+    MLD_IF_NOT_REDUCE_RAM(
+      invariant(forall(k1, 0, MLDSA_K, forall(l1, 0, MLDSA_L,
+                array_bound(mat->vec[k1].vec[l1].coeffs, 0, MLDSA_N, 0, MLDSA_Q))))
+      invariant(forall(k2, 0, MLDSA_K, array_abs_bound(t0hat->vec.vec[k2].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+      invariant(forall(k3, 0, MLDSA_L, array_abs_bound(s1hat->vec.vec[k3].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+      invariant(forall(k4, 0, MLDSA_K, array_abs_bound(s2hat->vec.vec[k4].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
+    )
+    decreases(nonce_limit - nonce)
   )
   {
-    /* Reference: this code explicitly checks for exhaustion of nonce     */
-    /* values to provide predictable termination and results in that case */
-    /* Checking here also means that incrementing nonce below can also    */
-    /* be proven to be type-safe.                                         */
-    if (nonce == MLD_NONCE_UB)
+    /* Reference: this code explicitly checks for exhaustion of signing */
+    /* attempts to provide predictable termination and results in that  */
+    /* case. Checking here also means that incrementing nonce below can */
+    /* be proven to be type-safe.                                       */
+    if (nonce == nonce_limit)
     {
-      /* Note that ret == MLD_ERR_FAIL by default, so we
-       * don't need to set it here. */
+      ret = MLD_ERR_SIGN_ATTEMPTS_EXHAUSTED;
       break;
     }
 
-    ret = mld_attempt_signature_generation(sig, mu, rhoprime, nonce, mat, s1,
-                                           s2, t0, context);
+    ret = mld_attempt_signature_generation(sig, mu, rhoprime, nonce, mat, s1hat,
+                                           s2hat, t0hat, context);
     nonce++;
     if (ret == 0)
     {
@@ -842,15 +938,16 @@ cleanup:
   }
 
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(s2, mld_polyveck, 1, context);
-  MLD_FREE(t0, mld_polyveck, 1, context);
-  MLD_FREE(s1, mld_polyvecl, 1, context);
+  MLD_FREE(s2hat, mld_sk_s2hat, 1, context);
+  MLD_FREE(t0hat, mld_sk_t0hat, 1, context);
+  MLD_FREE(s1hat, mld_sk_s1hat, 1, context);
   MLD_FREE(mat, mld_polymat, 1, context);
   MLD_FREE(seedbuf, uint8_t,
            2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES + 2 * MLDSA_CRHBYTES, context);
   return ret;
 }
 
+#if !defined(MLD_CONFIG_CORE_API_ONLY)
 #if !defined(MLD_CONFIG_NO_RANDOMIZED_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
@@ -887,7 +984,7 @@ int mld_sign_signature(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
     ret = MLD_ERR_RNG_FAIL;
     goto cleanup;
   }
-  MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
+  MLD_CT_TESTING_SECRET(rnd, MLDSA_RNDBYTES);
 
   ret = mld_sign_signature_internal(sig, siglen, m, mlen, pre, pre_len, rnd, sk,
                                     0, context);
@@ -921,8 +1018,15 @@ int mld_sign_signature_extmu(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
                              const uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
                              MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 {
-  MLD_ALIGN uint8_t rnd[MLDSA_RNDBYTES];
   int ret;
+  MLD_ALLOC(rnd, uint8_t, MLDSA_RNDBYTES, context);
+
+  if (rnd == NULL)
+  {
+    *siglen = 0;
+    ret = MLD_ERR_OUT_OF_MEMORY;
+    goto cleanup;
+  }
 
   /* Randomized variant of ML-DSA. If you need the deterministic variant,
    * call mld_sign_signature_internal directly with all-zero rnd. */
@@ -932,14 +1036,14 @@ int mld_sign_signature_extmu(uint8_t sig[MLDSA_CRYPTO_BYTES], size_t *siglen,
     ret = MLD_ERR_RNG_FAIL;
     goto cleanup;
   }
-  MLD_CT_TESTING_SECRET(rnd, sizeof(rnd));
+  MLD_CT_TESTING_SECRET(rnd, MLDSA_RNDBYTES);
 
   ret = mld_sign_signature_internal(sig, siglen, mu, MLDSA_CRHBYTES, NULL, 0,
                                     rnd, sk, 1, context);
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  mld_zeroize(rnd, sizeof(rnd));
+  MLD_FREE(rnd, uint8_t, MLDSA_RNDBYTES, context);
 
   return ret;
 }
@@ -967,11 +1071,17 @@ int mld_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen,
   }
   ret = mld_sign_signature(sm, smlen, sm + MLDSA_CRYPTO_BYTES, mlen, ctx,
                            ctxlen, sk, context);
-  *smlen += mlen;
+  if (ret == 0)
+  {
+    *smlen += mlen;
+  }
   return ret;
 }
 #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */
+#endif /* !MLD_CONFIG_CORE_API_ONLY */
+#endif /* !MLD_CONFIG_NO_SIGN_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
@@ -982,39 +1092,24 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
                              MLD_CONFIG_CONTEXT_PARAMETER_TYPE context)
 {
   int ret, cmp;
-
-  /* TODO: Remove the following workaround for
-   * https://github.com/diffblue/cbmc/issues/8813 */
-  typedef MLD_UNION_OR_STRUCT
-  {
-    mld_polyveck t1;
-    mld_polyveck w1;
-  }
-  t1w1_u;
-  mld_polyveck *t1;
-  mld_polyveck *w1;
+  unsigned int i;
 
   MLD_ALLOC(buf, uint8_t, (MLDSA_K * MLDSA_POLYW1_PACKEDBYTES), context);
-  MLD_ALLOC(rho, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_ALLOC(mu, uint8_t, MLDSA_CRHBYTES, context);
   MLD_ALLOC(c, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_ALLOC(c2, uint8_t, MLDSA_CTILDEBYTES, context);
+  MLD_ALLOC(z, mld_polyvecl, 1, context);
   MLD_ALLOC(cp, mld_poly, 1, context);
   MLD_ALLOC(mat, mld_polymat, 1, context);
-  MLD_ALLOC(z, mld_polyvecl, 1, context);
-  MLD_ALLOC(t1w1, t1w1_u, 1, context);
-  MLD_ALLOC(tmp, mld_polyveck, 1, context);
-  MLD_ALLOC(h, mld_polyveck, 1, context);
+  MLD_ALLOC(w1, mld_poly, 1, context);
+  MLD_ALLOC(tmp, mld_poly, 1, context);
 
-  if (buf == NULL || rho == NULL || mu == NULL || c == NULL || c2 == NULL ||
-      cp == NULL || mat == NULL || z == NULL || t1w1 == NULL || tmp == NULL ||
-      h == NULL)
+  if (buf == NULL || mu == NULL || c == NULL || c2 == NULL || z == NULL ||
+      cp == NULL || mat == NULL || w1 == NULL || tmp == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
-  t1 = &t1w1->t1;
-  w1 = &t1w1->w1;
 
   if (siglen != MLDSA_CRYPTO_BYTES)
   {
@@ -1022,16 +1117,11 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
     goto cleanup;
   }
 
-  mld_unpack_pk(rho, t1, pk);
+  mld_memcpy(c, sig, MLDSA_CTILDEBYTES);
+  mld_polyvecl_unpack_z(z, sig + MLDSA_CTILDEBYTES);
 
-  /* mld_unpack_sig and mld_polyvecl_chknorm signal failure through a
-   * single non-zero error code that's not yet aligned with MLD_ERR_XXX.
-   * Map it to MLD_ERR_FAIL explicitly. */
-  if (mld_unpack_sig(c, z, h, sig))
-  {
-    ret = MLD_ERR_FAIL;
-    goto cleanup;
-  }
+  /* mld_polyvecl_chknorm signals failure through a single non-zero error code
+   * that's not yet aligned with MLD_ERR_XXX. Map it to MLD_ERR_FAIL. */
   if (mld_polyvecl_chknorm(z, MLDSA_GAMMA1 - MLDSA_BETA))
   {
     ret = MLD_ERR_FAIL;
@@ -1055,24 +1145,51 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
     mld_memcpy(mu, m, MLDSA_CRHBYTES);
   }
 
-  /* Matrix-vector multiplication; compute Az - c2^dt1 */
+  /* Matrix-vector multiplication and per-row reconstruction of w1. */
+  mld_polyvecl_ntt(z);
+  mld_polyvec_matrix_expand(mat, pk);
   mld_poly_challenge(cp, c);
   mld_poly_ntt(cp);
-  mld_polyveck_shiftl(t1);
-  mld_polyveck_ntt(t1);
-  mld_polyveck_pointwise_poly_montgomery(tmp, cp, t1);
 
-  mld_polyvec_matrix_expand(mat, rho);
-  mld_polyvecl_ntt(z);
-  mld_polyvec_matrix_pointwise_montgomery(w1, mat, z);
-  mld_polyveck_sub(w1, tmp);
-  mld_polyveck_reduce(w1);
-  mld_polyveck_invntt_tomont(w1);
-
-  /* Reconstruct w1 */
-  mld_polyveck_caddq(w1);
-  mld_polyveck_use_hint(tmp, w1, h);
-  mld_polyveck_pack_w1(buf, tmp);
+  for (i = 0; i < MLDSA_K; ++i)
+  __loop__(
+    assigns(MLD_IF_REDUCE_RAM(memory_slice(mat, sizeof(mld_polymat)),)
+            i, ret,
+            memory_slice(w1, sizeof(mld_poly)),
+            memory_slice(tmp, sizeof(mld_poly)),
+            memory_slice(buf, MLDSA_K * MLDSA_POLYW1_PACKEDBYTES)
+    )
+    invariant(i <= MLDSA_K)
+    decreases(MLDSA_K - i)
+  )
+  {
+    /* w1 = (A * z)_i in NTT domain */
+    mld_polyvec_matrix_pointwise_montgomery_row(w1, mat, z, i);
+
+    /* tmp = c * t1_i * 2^d in NTT domain */
+    mld_unpack_pk_t1(tmp, pk, i);
+    mld_poly_shiftl(tmp);
+    mld_poly_ntt(tmp);
+    mld_poly_pointwise_montgomery(tmp, cp);
+
+    /* w1 = invNTT(w1 - c * t1_i * 2^d) */
+    mld_poly_sub(w1, tmp);
+    mld_poly_reduce(w1);
+    mld_poly_invntt_tomont(w1);
+    mld_poly_caddq(w1);
+
+    /* tmp = h_i (decoded and validated from signature) */
+    ret = mld_sig_unpack_hints(tmp, sig, i);
+    if (ret != 0)
+    {
+      goto cleanup;
+    }
+
+    /* w1 = use_hint(w1, tmp), then pack into buf[i] */
+    mld_poly_use_hint(w1, tmp);
+    mld_polyw1_pack(buf + i * MLDSA_POLYW1_PACKEDBYTES, w1);
+  }
+
   /* Call random oracle and verify challenge */
   mld_H(c2, MLDSA_CTILDEBYTES, mu, MLDSA_CRHBYTES, buf,
         MLDSA_K * MLDSA_POLYW1_PACKEDBYTES, NULL, 0);
@@ -1086,20 +1203,19 @@ int mld_sign_verify_internal(const uint8_t *sig, size_t siglen,
 
 cleanup:
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(h, mld_polyveck, 1, context);
-  MLD_FREE(tmp, mld_polyveck, 1, context);
-  MLD_FREE(t1w1, t1w1_u, 1, context);
-  MLD_FREE(z, mld_polyvecl, 1, context);
+  MLD_FREE(tmp, mld_poly, 1, context);
+  MLD_FREE(w1, mld_poly, 1, context);
   MLD_FREE(mat, mld_polymat, 1, context);
   MLD_FREE(cp, mld_poly, 1, context);
+  MLD_FREE(z, mld_polyvecl, 1, context);
   MLD_FREE(c2, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_FREE(c, uint8_t, MLDSA_CTILDEBYTES, context);
   MLD_FREE(mu, uint8_t, MLDSA_CRHBYTES, context);
-  MLD_FREE(rho, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_FREE(buf, uint8_t, (MLDSA_K * MLDSA_POLYW1_PACKEDBYTES), context);
   return ret;
 }
 
+#if !defined(MLD_CONFIG_CORE_API_ONLY)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m,
@@ -1184,8 +1300,11 @@ cleanup:
 
   return ret;
 }
+#endif /* !MLD_CONFIG_CORE_API_ONLY */
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
-
+#if !defined(MLD_CONFIG_CORE_API_ONLY)
+#if !defined(MLD_CONFIG_NO_SIGN_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_signature_pre_hash_internal(
@@ -1226,7 +1345,9 @@ cleanup:
   mld_zeroize(pre, sizeof(pre));
   return ret;
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_verify_pre_hash_internal(
@@ -1255,7 +1376,9 @@ cleanup:
   mld_zeroize(pre, sizeof(pre));
   return ret;
 }
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
+#if !defined(MLD_CONFIG_NO_SIGN_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_signature_pre_hash_shake256(
@@ -1275,7 +1398,9 @@ int mld_sign_signature_pre_hash_shake256(
   mld_zeroize(ph, sizeof(ph));
   return ret;
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
 MLD_MUST_CHECK_RETURN_VALUE
 MLD_EXTERNAL_API
 int mld_sign_verify_pre_hash_shake256(
@@ -1294,19 +1419,17 @@ int mld_sign_verify_pre_hash_shake256(
   mld_zeroize(ph, sizeof(ph));
   return ret;
 }
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
 
-
+#if !defined(MLD_CONFIG_NO_SIGN_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
 #define MLD_PRE_HASH_OID_LEN 11
 
-/*************************************************
- * Name:        mld_get_hash_oid
- *
- * Description: Returns the OID of a given SHA-2/SHA-3 hash function.
+/**
+ * Return the OID of a given SHA-2/SHA-3 hash function.
  *
- * Arguments:   - uint8_t oid[11]: pointer to output oid
- *              - int hashalg: hash algorithm constant (MLD_PREHASH_*)
- *
- ***************************************************/
+ * @param[out] oid     Pointer to output OID.
+ * @param      hashalg Hash algorithm constant (MLD_PREHASH_*).
+ */
 static void mld_get_hash_oid(uint8_t oid[MLD_PRE_HASH_OID_LEN], int hashalg)
 {
   unsigned int i;
@@ -1421,7 +1544,9 @@ size_t mld_prepare_domain_separation_prefix(
   mld_memcpy(prefix + 2 + ctxlen + MLD_PRE_HASH_OID_LEN, ph, phlen);
   return 2 + ctxlen + MLD_PRE_HASH_OID_LEN + phlen;
 }
+#endif /* !MLD_CONFIG_NO_SIGN_API || !MLD_CONFIG_NO_VERIFY_API */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_EXTERNAL_API
 int mld_sign_pk_from_sk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                         const uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES],
@@ -1435,36 +1560,53 @@ int mld_sign_pk_from_sk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
   MLD_ALLOC(key, uint8_t, MLDSA_SEEDBYTES, context);
   MLD_ALLOC(s1, mld_polyvecl, 1, context);
   MLD_ALLOC(s2, mld_polyveck, 1, context);
-  MLD_ALLOC(t0, mld_polyveck, 1, context);
-  MLD_ALLOC(t0_computed, mld_polyveck, 1, context);
-  MLD_ALLOC(t1, mld_polyveck, 1, context);
+  MLD_ALLOC(t0_packed, uint8_t, MLDSA_K *MLDSA_POLYT0_PACKEDBYTES, context);
 
   if (rho == NULL || tr == NULL || tr_computed == NULL || key == NULL ||
-      s1 == NULL || s2 == NULL || t0 == NULL || t0_computed == NULL ||
-      t1 == NULL)
+      s1 == NULL || s2 == NULL || t0_packed == NULL)
   {
     ret = MLD_ERR_OUT_OF_MEMORY;
     goto cleanup;
   }
 
-  /* Unpack secret key */
-  mld_unpack_sk(rho, tr, key, t0, s1, s2, sk);
+  /* Inline unpack_sk: mld_unpack_sk uses lazy types for s1/s2/t0 which
+   * we cannot use here. t0 stays in packed form -- we compare it against
+   * the recomputed value below. */
+  mld_memcpy(rho, sk, MLDSA_SEEDBYTES);
+  mld_memcpy(key, sk + MLDSA_SEEDBYTES, MLDSA_SEEDBYTES);
+  mld_memcpy(tr, sk + 2 * MLDSA_SEEDBYTES, MLDSA_TRBYTES);
+  mld_polyvecl_unpack_eta(s1, sk + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES);
+  mld_polyveck_unpack_eta(s2, sk + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                                  MLDSA_L * MLDSA_POLYETA_PACKEDBYTES);
 
   /* Validate s1 and s2 coefficients are within [-MLDSA_ETA, MLDSA_ETA] */
   chk1 = mld_polyvecl_chknorm(s1, MLDSA_ETA + 1) & 0xFF;
   chk2 = mld_polyveck_chknorm(s2, MLDSA_ETA + 1) & 0xFF;
 
-  /* Recompute t0, t1, tr, and pk from rho, s1, s2 */
-  ret = mld_compute_t0_t1_tr_from_sk_components(t0_computed, t1, tr_computed,
-                                                pk, rho, s1, s2, context);
+  /* NTT s1 in place to use as s1hat */
+  mld_polyvecl_ntt(s1);
+
+  /* Pack rho into pk */
+  mld_memcpy(pk, rho, MLDSA_SEEDBYTES);
+
+  /* Recompute t row by row, decompose, and pack t1 into pk and t0 into
+   * t0_packed. */
+  ret = mld_compute_pack_t0_t1(pk + MLDSA_SEEDBYTES, t0_packed, s1, s2, rho,
+                               context);
   if (ret != 0)
   {
     goto cleanup;
   }
 
-  /* Validate t0 and tr using constant-time comparisons */
-  cmp0 = mld_ct_memcmp((const uint8_t *)t0, (const uint8_t *)t0_computed,
-                       sizeof(mld_polyveck));
+  /* Compare recomputed packed t0 against the t0 region of sk. */
+  cmp0 = mld_ct_memcmp(t0_packed,
+                       sk + 2 * MLDSA_SEEDBYTES + MLDSA_TRBYTES +
+                           MLDSA_L * MLDSA_POLYETA_PACKEDBYTES +
+                           MLDSA_K * MLDSA_POLYETA_PACKEDBYTES,
+                       MLDSA_K * MLDSA_POLYT0_PACKEDBYTES);
+
+  /* Compute tr_computed = H(pk) and compare to the stored tr */
+  mld_shake256(tr_computed, MLDSA_TRBYTES, pk, MLDSA_CRYPTO_PUBLICKEYBYTES);
   cmp1 = mld_ct_memcmp((const uint8_t *)tr, (const uint8_t *)tr_computed,
                        MLDSA_TRBYTES);
   check = mld_value_barrier_u8(cmp0 | cmp1 | chk1 | chk2);
@@ -1484,9 +1626,7 @@ cleanup:
   MLD_CT_TESTING_DECLASSIFY(pk, MLDSA_CRYPTO_PUBLICKEYBYTES);
 
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
-  MLD_FREE(t1, mld_polyveck, 1, context);
-  MLD_FREE(t0_computed, mld_polyveck, 1, context);
-  MLD_FREE(t0, mld_polyveck, 1, context);
+  MLD_FREE(t0_packed, uint8_t, MLDSA_K *MLDSA_POLYT0_PACKEDBYTES, context);
   MLD_FREE(s2, mld_polyveck, 1, context);
   MLD_FREE(s1, mld_polyvecl, 1, context);
   MLD_FREE(key, uint8_t, MLDSA_SEEDBYTES, context);
@@ -1496,6 +1636,8 @@ cleanup:
 
   return ret;
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
+#endif /* !MLD_CONFIG_CORE_API_ONLY */
 
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */
@@ -1506,6 +1648,8 @@ cleanup:
 #undef mld_H
 #undef mld_compute_pack_z
 #undef mld_attempt_signature_generation
-#undef mld_compute_t0_t1_tr_from_sk_components
+#undef mld_compute_pack_t0_t1
+#undef mld_get_max_signing_attempts
 #undef MLD_NONCE_UB
+#undef MLD_CONFIG_MAX_SIGNING_ATTEMPTS
 #undef MLD_PRE_HASH_OID_LEN