pq_crypto 0.6.1 → 0.6.2

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/cbmc.h

@@ -5,6 +5,7 @@
 
 #ifndef MLD_CBMC_H
 #define MLD_CBMC_H
+
 /***************************************************
  * Basic replacements for __CPROVER_XXX contracts
  ***************************************************/
@@ -20,6 +21,15 @@
 #define __contract__(x) x
 #define __loop__(x) x
 
+/* Conditionally expand to __VA_ARGS__ depending on MLD_CONFIG_REDUCE_RAM. */
+#if defined(MLD_CONFIG_REDUCE_RAM)
+#define MLD_IF_REDUCE_RAM(...) __VA_ARGS__
+#define MLD_IF_NOT_REDUCE_RAM(...)
+#else
+#define MLD_IF_REDUCE_RAM(...)
+#define MLD_IF_NOT_REDUCE_RAM(...) __VA_ARGS__
+#endif
+
 /* https://diffblue.github.io/cbmc/contracts-assigns.html */
 #define assigns(...) __CPROVER_assigns(__VA_ARGS__)
 
@@ -83,24 +93,36 @@
  * Quantifiers
  * Note that the range on qvar is _exclusive_ between qvar_lb .. qvar_ub
  * https://diffblue.github.io/cbmc/contracts-quantifiers.html
+ *
+ * The quantified variable is declared as uint32_t, so these macros
+ * quantify only over indices in [0, UINT32_MAX). Bounds larger than
+ * UINT32_MAX (4 GiB) are NOT supported: the explicit (uint32_t) casts
+ * on the bounds will trigger CBMC's conversion check if a wider bound
+ * (e.g. a size_t > UINT32_MAX) is passed.
+ *
+ * Quantifying over size_t (64-bit) was found to blow up SMT proof
+ * times, so we deliberately keep the index width at 32 bits. Callers
+ * dealing with size_t-typed buffers must add an explicit
+ *   requires(len <= UINT32_MAX)
+ * precondition.
  */
 
 /*
  * Prevent clang-format from corrupting CBMC's special ==> operator
  */
 /* clang-format off */
-#define forall(qvar, qvar_lb, qvar_ub, predicate)                 \
-  __CPROVER_forall                                                \
-  {                                                               \
-    unsigned qvar;                                                \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==> (predicate)   \
+#define forall(qvar, qvar_lb, qvar_ub, predicate)                              \
+  __CPROVER_forall                                                             \
+  {                                                                            \
+    uint32_t qvar;                                                             \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> (predicate) \
   }
 
-#define exists(qvar, qvar_lb, qvar_ub, predicate)         \
-  __CPROVER_exists                                              \
-  {                                                             \
-    unsigned qvar;                                              \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) && (predicate)  \
+#define exists(qvar, qvar_lb, qvar_ub, predicate)                              \
+  __CPROVER_exists                                                             \
+  {                                                                            \
+    uint32_t qvar;                                                             \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) && (predicate) \
   }
 /* clang-format on */
 
@@ -118,32 +140,32 @@
                          value_lb, value_ub)                           \
   __CPROVER_forall                                                     \
   {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
-        (((int)(value_lb) <= ((array_var)[(qvar)])) &&		       \
-         (((array_var)[(qvar)]) < (int)(value_ub)))		       \
+    uint32_t qvar;                                                     \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==> \
+        (((int)(value_lb) <= ((array_var)[(qvar)])) &&                 \
+         (((array_var)[(qvar)]) < (int)(value_ub)))                    \
   }
 
 #define array_bound(array_var, qvar_lb, qvar_ub, value_lb, value_ub) \
-  array_bound_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), (qvar_lb),      \
+  array_bound_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), (qvar_lb),   \
       (qvar_ub), (array_var), (value_lb), (value_ub))
 
-#define array_unchanged_core(qvar, qvar_lb, qvar_ub, array_var)        \
-  __CPROVER_forall                                                     \
-  {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+#define array_unchanged_core(qvar, qvar_lb, qvar_ub, array_var)                   \
+  __CPROVER_forall                                                                \
+  {                                                                               \
+    uint32_t qvar;                                                                \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==>         \
     ((array_var)[(qvar)]) == (old(* (int32_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
   }
 
 #define array_unchanged(array_var, N) \
     array_unchanged_core(CBMC_CONCAT(_cbmc_idx, __COUNTER__), 0, (N), (array_var))
 
-#define array_unchanged_u64_core(qvar, qvar_lb, qvar_ub, array_var)        \
-  __CPROVER_forall                                                     \
-  {                                                                    \
-    unsigned qvar;                                                     \
-    ((qvar_lb) <= (qvar) && (qvar) < (qvar_ub)) ==>                    \
+#define array_unchanged_u64_core(qvar, qvar_lb, qvar_ub, array_var)                \
+  __CPROVER_forall                                                                 \
+  {                                                                                \
+    uint32_t qvar;                                                                 \
+    ((uint32_t) (qvar_lb) <= (qvar) && (qvar) < (uint32_t) (qvar_ub)) ==>          \
     ((array_var)[(qvar)]) == (old(* (uint64_t (*)[(qvar_ub)])(array_var)))[(qvar)] \
   }
 

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/common.h

@@ -26,8 +26,12 @@
  * this can be overwritten by the user, e.g. for single-CU builds. */
 #if !defined(MLD_CONFIG_INTERNAL_API_QUALIFIER)
 #define MLD_INTERNAL_API
+#define MLD_INTERNAL_DATA_DECLARATION extern
+#define MLD_INTERNAL_DATA_DEFINITION
 #else
 #define MLD_INTERNAL_API MLD_CONFIG_INTERNAL_API_QUALIFIER
+#define MLD_INTERNAL_DATA_DECLARATION MLD_CONFIG_INTERNAL_API_QUALIFIER
+#define MLD_INTERNAL_DATA_DEFINITION MLD_CONFIG_INTERNAL_API_QUALIFIER
 #endif
 
 #if !defined(MLD_CONFIG_EXTERNAL_API_QUALIFIER)
@@ -128,6 +132,14 @@
 #error Bad configuration: MLD_CONFIG_NO_RANDOMIZED_API is incompatible with MLD_CONFIG_KEYGEN_PCT as the current PCT implementation requires crypto_sign_signature()
 #endif
 
+#if defined(MLD_CONFIG_NO_SIGN_API) && defined(MLD_CONFIG_KEYGEN_PCT)
+#error Bad configuration: MLD_CONFIG_NO_SIGN_API is incompatible with MLD_CONFIG_KEYGEN_PCT as the current PCT implementation requires crypto_sign_signature()
+#endif
+
+#if defined(MLD_CONFIG_NO_VERIFY_API) && defined(MLD_CONFIG_KEYGEN_PCT)
+#error Bad configuration: MLD_CONFIG_NO_VERIFY_API is incompatible with MLD_CONFIG_KEYGEN_PCT as the current PCT implementation requires crypto_sign_verify()
+#endif
+
 #if defined(MLD_CONFIG_USE_NATIVE_BACKEND_ARITH)
 #include MLD_CONFIG_ARITH_BACKEND_FILE
 /* Include to enforce consistency of API and implementation,
@@ -290,20 +302,6 @@
 
 #endif /* MLD_CONFIG_CUSTOM_ALLOC_FREE */
 
-/*
- * We are facing severe CBMC performance issues when using unions.
- * As a temporary workaround, we use unions only when MLD_CONFIG_REDUCE_RAM is
- * set.
- * TODO: Remove the workaround once
- * https://github.com/diffblue/cbmc/issues/8813
- * is resolved
- */
-#if defined(MLD_CONFIG_REDUCE_RAM)
-#define MLD_UNION_OR_STRUCT union
-#else
-#define MLD_UNION_OR_STRUCT struct
-#endif
-
 /****************************** Error codes ***********************************/
 
 /* Generic failure condition */
@@ -314,6 +312,20 @@
 /* An rng failure occured. Might be due to insufficient entropy or
  * system misconfiguration. */
 #define MLD_ERR_RNG_FAIL -3
+/* The signing rejection-sampling loop exceeded
+ * MLD_CONFIG_MAX_SIGNING_ATTEMPTS iterations without producing a valid
+ * signature. With a FIPS 204 Appendix C compliant bound (>= 814) this
+ * has probability < 2^-256. */
+#define MLD_ERR_SIGN_ATTEMPTS_EXHAUSTED -4
+
+/* Disjunction over the full set of MLD_ERR_XXX failure codes.
+ *
+ * Intended for use in top-level `ensures` clauses that admit every
+ * possible error. Narrower contracts should enumerate only the
+ * specific errors they can actually return. */
+#define MLD_ANY_ERROR(err)                                    \
+  ((err) == MLD_ERR_FAIL || (err) == MLD_ERR_OUT_OF_MEMORY || \
+   (err) == MLD_ERR_RNG_FAIL || (err) == MLD_ERR_SIGN_ATTEMPTS_EXHAUSTED)
 
 
 #endif /* !__ASSEMBLER__ */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/ct.h

@@ -143,19 +143,16 @@ __contract__(ensures(return_value == b))
 #pragma CPROVER check disable "conversion"
 #endif
 
-/*************************************************
- * Name:        mld_cast_uint32_to_int32
+/**
+ * Cast uint32 value to int32.
  *
- * Description: Cast uint32 value to int32
+ * @param x Input value.
  *
- * Returns:     For uint32_t x, the unique y in int32_t
- *              so that x == y mod 2^32.
- *
- *              Concretely:
- *              - x <  2^31: returns x
- *              - x >= 2^31: returns x - 2^31
- *
- **************************************************/
+ * @return For uint32_t x, the unique y in int32_t so that x == y mod 2^32.
+ *         Concretely:
+ *         - x <  2^31: returns x
+ *         - x >= 2^31: returns x - 2^31
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_ALWAYS_INLINE int32_t mld_cast_uint32_to_int32(uint32_t x)
 {
@@ -174,47 +171,42 @@ static MLD_ALWAYS_INLINE int32_t mld_cast_uint32_to_int32(uint32_t x)
 #endif
 
 
-/*************************************************
- * Name:        mld_cast_int64_to_uint32
+/**
+ * Cast int64 value to uint32 as per C standard.
  *
- * Description: Cast int64 value to uint32 as per C standard.
+ * @param x Input value.
  *
- * Returns:     For int64_t x, the unique y in uint32_t
- *              so that x == y mod 2^32.
- **************************************************/
+ * @return For int64_t x, the unique y in uint32_t so that x == y mod 2^32.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_ALWAYS_INLINE uint32_t mld_cast_int64_to_uint32(int64_t x)
 {
   return (uint32_t)(x & (int64_t)UINT32_MAX);
 }
 
-/*************************************************
- * Name:        mld_cast_int32_to_uint32
+/**
+ * Cast int32 value to uint32 as per C standard.
  *
- * Description: Cast int32 value to uint32 as per C standard.
+ * @param x Input value.
  *
- * Returns:     For int32_t x, the unique y in uint32_t
- *              so that x == y mod 2^32.
- **************************************************/
+ * @return For int32_t x, the unique y in uint32_t so that x == y mod 2^32.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_ALWAYS_INLINE uint32_t mld_cast_int32_to_uint32(int32_t x)
 {
   return mld_cast_int64_to_uint32((int64_t)x);
 }
 
-/*************************************************
- * Name:        mld_ct_sel_int32
- *
- * Description: Functionally equivalent to cond ? a : b,
- *              but implemented with guards against
- *              compiler-introduced branches.
+/**
+ * Functionally equivalent to cond ? a : b, but implemented with guards against
+ * compiler-introduced branches.
  *
- * Arguments:   int32_t a:       First alternative
- *              int32_t b:       Second alternative
- *              uint32_t cond:   Condition variable.
+ * @param a    First alternative.
+ * @param b    Second alternative.
+ * @param cond Condition variable.
  *
- *
- **************************************************/
+ * @return a if cond is 0xFFFFFFFF, b if cond is 0.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE int32_t mld_ct_sel_int32(int32_t a, int32_t b, uint32_t cond)
 __contract__(
@@ -228,14 +220,11 @@ __contract__(
   return mld_cast_uint32_to_int32(res);
 }
 
-/*************************************************
- * Name:        mld_ct_cmask_nonzero_u32
- *
- * Description: Return 0 if input is zero, and -1 otherwise.
+/**
+ * Return 0 if input is zero, and -1 otherwise.
  *
- * Arguments:   uint32_t x: Value to be converted into a mask
- *
- **************************************************/
+ * @param x Value to be converted into a mask.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE uint32_t mld_ct_cmask_nonzero_u32(uint32_t x)
 __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFFFFFFFF)))
@@ -245,14 +234,11 @@ __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFFFFFFFF)))
   return mld_cast_int64_to_uint32(tmp);
 }
 
-/*************************************************
- * Name:        mld_ct_cmask_nonzero_u8
- *
- * Description: Return 0 if input is zero, and -1 otherwise.
+/**
+ * Return 0 if input is zero, and -1 otherwise.
  *
- * Arguments:   uint8_t x: Value to be converted into a mask
- *
- **************************************************/
+ * @param x Value to be converted into a mask.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE uint8_t mld_ct_cmask_nonzero_u8(uint8_t x)
 __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFF)))
@@ -261,14 +247,11 @@ __contract__(ensures(return_value == ((x == 0) ? 0 : 0xFF)))
   return (uint8_t)(mask & 0xFF);
 }
 
-/*************************************************
- * Name:        mld_ct_cmask_neg_i32
- *
- * Description: Return 0 if input is non-negative, and -1 otherwise.
+/**
+ * Return 0 if input is non-negative, and -1 otherwise.
  *
- * Arguments:   int32_t x: Value to be converted into a mask
- *
- **************************************************/
+ * @param x Value to be converted into a mask.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE uint32_t mld_ct_cmask_neg_i32(int32_t x)
 __contract__(
@@ -280,14 +263,11 @@ __contract__(
   return mld_cast_int64_to_uint32(tmp);
 }
 
-/*************************************************
- * Name:        mld_ct_abs_i32
- *
- * Description: Return -x if x<0, x otherwise
+/**
+ * Return -x if x<0, x otherwise.
  *
- * Arguments:   int32_t x: Input value
- *
- **************************************************/
+ * @param x Input value.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE int32_t mld_ct_abs_i32(int32_t x)
 __contract__(
@@ -298,19 +278,16 @@ __contract__(
   return mld_ct_sel_int32(-x, x, mld_ct_cmask_neg_i32(x));
 }
 
-/*************************************************
- * Name:        mld_ct_memcmp
- *
- * Description: Compare two arrays for equality in constant time.
+/**
+ * Compare two arrays for equality in constant time.
  *
- * Arguments:   const uint8_t *a: pointer to first byte array
- *              const uint8_t *b: pointer to second byte array
- *              size_t len:       length of the byte arrays, upper-bounded
- *                                to UINT16_MAX to control proof complexity
- *                                only.
+ * @param[in] a   Pointer to first byte array.
+ * @param[in] b   Pointer to second byte array.
+ * @param     len Length of the byte arrays, upper-bounded to UINT16_MAX to
+ *                control proof complexity only.
  *
- * Returns 0 if the byte arrays are equal, 0xFF otherwise.
- **************************************************/
+ * @return 0 if the byte arrays are equal, 0xFF otherwise.
+ */
 MLD_MUST_CHECK_RETURN_VALUE
 static MLD_INLINE uint8_t mld_ct_memcmp(const uint8_t *a, const uint8_t *b,
                                         const size_t len)
@@ -345,16 +322,14 @@ __contract__(
   return (mld_value_barrier_u8(mld_ct_cmask_nonzero_u8(r) ^ s) ^ s);
 }
 
-/*************************************************
- * Name:        mld_zeroize
+/**
+ * Force-zeroize a buffer.
  *
- * Description: Force-zeroize a buffer.
- *              @[FIPS204, Section 3.6.3] Destruction of intermediate
- *              values.
+ * @[FIPS204, Section 3.6.3] Destruction of intermediate values.
  *
- * Arguments:   void *ptr: pointer to buffer to be zeroed
- *              size_t len: Amount of bytes to be zeroed
- **************************************************/
+ * @param[out] ptr Pointer to buffer to be zeroed.
+ * @param      len Amount of bytes to be zeroed.
+ */
 #if !defined(MLD_CONFIG_CUSTOM_ZEROIZE)
 #if defined(MLD_SYS_WINDOWS)
 #include <windows.h>

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/debug.h

@@ -9,37 +9,30 @@
 
 #if defined(MLDSA_DEBUG)
 
-/*************************************************
- * Name:        mld_assert
+/**
+ * Check debug assertion.
  *
- * Description: Check debug assertion
+ * Prints an error message to stderr and calls exit(1) if not.
  *
- *              Prints an error message to stderr and calls
- *              exit(1) if not.
- *
- * Arguments:   - file: filename
- *              - line: line number
- *              - val: Value asserted to be non-zero
- **************************************************/
+ * @param file Filename.
+ * @param line Line number.
+ * @param val  Value asserted to be non-zero.
+ */
 #define mld_debug_check_assert MLD_NAMESPACE(mldsa_debug_assert)
 void mld_debug_check_assert(const char *file, int line, const int val);
 
-/*************************************************
- * Name:        mld_debug_check_bounds
+/**
+ * Check whether values in an array of int32_t are within specified bounds.
  *
- * Description: Check whether values in an array of int32_t
- *              are within specified bounds.
+ * Prints an error message to stderr and calls exit(1) if not.
  *
- *              Prints an error message to stderr and calls
- *              exit(1) if not.
- *
- * Arguments:   - file: filename
- *              - line: line number
- *              - ptr: Base of array to be checked
- *              - len: Number of int32_t in ptr
- *              - lower_bound_exclusive: Exclusive lower bound
- *              - upper_bound_exclusive: Exclusive upper bound
- **************************************************/
+ * @param     file                  Filename.
+ * @param     line                  Line number.
+ * @param[in] ptr                   Base of array to be checked.
+ * @param     len                   Number of int32_t in ptr.
+ * @param     lower_bound_exclusive Exclusive lower bound.
+ * @param     upper_bound_exclusive Exclusive upper bound.
+ */
 #define mld_debug_check_bounds MLD_NAMESPACE(mldsa_debug_check_bounds)
 void mld_debug_check_bounds(const char *file, int line, const int32_t *ptr,
                             unsigned len, int64_t lower_bound_exclusive,

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202.c

@@ -39,13 +39,11 @@
 #include "keccakf1600.h"
 #if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 
-/*************************************************
- * Name:        keccak_init
+/**
+ * Initializes the Keccak state.
  *
- * Description: Initializes the Keccak state.
- *
- * Arguments:   - uint64_t *s: pointer to Keccak state
- **************************************************/
+ * @param[out] s Pointer to Keccak state.
+ */
 static void keccak_init(uint64_t s[MLD_KECCAK_LANES])
 __contract__(
   requires(memory_no_alias(s, sizeof(uint64_t) * MLD_KECCAK_LANES))
@@ -55,19 +53,17 @@ __contract__(
   mld_memset(s, 0, sizeof(uint64_t) * MLD_KECCAK_LANES);
 }
 
-/*************************************************
- * Name:        keccak_absorb
+/**
+ * Absorb step of Keccak; incremental.
  *
- * Description: Absorb step of Keccak; incremental.
+ * @param[in,out] s     Pointer to Keccak state.
+ * @param         pos   Position in current block to be absorbed.
+ * @param         r     Rate in bytes (e.g., 168 for SHAKE128).
+ * @param[in]     in    Pointer to input to be absorbed into s.
+ * @param         inlen Length of input in bytes.
  *
- * Arguments:   - uint64_t *s: pointer to Keccak state
- *              - unsigned int pos: position in current block to be absorbed
- *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
- *              - const uint8_t *in: pointer to input to be absorbed into s
- *              - size_t inlen: length of input in bytes
- *
- * Returns new position pos in current block
- **************************************************/
+ * @return New position pos in current block.
+ */
 static unsigned int keccak_absorb(uint64_t s[MLD_KECCAK_LANES],
                                   unsigned int pos, unsigned int r,
                                   const uint8_t *in, size_t inlen)
@@ -104,16 +100,14 @@ __contract__(
   return (unsigned)(pos + inlen);
 }
 
-/*************************************************
- * Name:        keccak_finalize
+/**
+ * Finalize absorb step.
  *
- * Description: Finalize absorb step.
- *
- * Arguments:   - uint64_t *s: pointer to Keccak state
- *              - unsigned int pos: position in current block to be absorbed
- *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
- *              - uint8_t p: domain separation byte
- **************************************************/
+ * @param[in,out] s   Pointer to Keccak state.
+ * @param         pos Position in current block to be absorbed.
+ * @param         r   Rate in bytes (e.g., 168 for SHAKE128).
+ * @param         p   Domain separation byte.
+ */
 static void keccak_finalize(uint64_t s[MLD_KECCAK_LANES], unsigned int pos,
                             unsigned int r, uint8_t p)
 __contract__(
@@ -128,22 +122,19 @@ __contract__(
   mld_keccakf1600_xor_bytes(s, &b, r - 1, 1);
 }
 
-/*************************************************
- * Name:        keccak_squeeze
+/**
+ * Squeeze step of Keccak. Squeezes arbitrarily many bytes. Modifies the
+ * state. Can be called multiple times to keep squeezing, i.e., is
+ * incremental.
  *
- * Description: Squeeze step of Keccak. Squeezes arbitratrily many bytes.
- *              Modifies the state. Can be called multiple times to keep
- *              squeezing, i.e., is incremental.
+ * @param[out]    out    Pointer to output data.
+ * @param         outlen Number of bytes to be squeezed (written to out).
+ * @param[in,out] s      Pointer to input/output Keccak state.
+ * @param         pos    Number of bytes in current block already squeezed.
+ * @param         r      Rate in bytes (e.g., 168 for SHAKE128).
  *
- * Arguments:   - uint8_t *out: pointer to output data
- *              - size_t outlen: number of bytes to be squeezed (written to out)
- *              - uint64_t *s: pointer to input/output Keccak state
- *              - unsigned int pos: number of bytes in current block already
- *squeezed
- *              - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
- *
- * Returns new position pos in current block
- **************************************************/
+ * @return New position pos in current block.
+ */
 static unsigned int keccak_squeeze(uint8_t *out, size_t outlen,
                                    uint64_t s[MLD_KECCAK_LANES],
                                    unsigned int pos, unsigned int r)
@@ -262,6 +253,7 @@ void mld_shake256_release(mld_shake256ctx *state)
   mld_zeroize(state, sizeof(mld_shake256ctx));
 }
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_CORE_API_ONLY)
 MLD_INTERNAL_API
 void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
 {
@@ -273,5 +265,6 @@ void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
   mld_shake256_squeeze(out, outlen, &state);
   mld_shake256_release(&state);
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_CORE_API_ONLY */
 
 #endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */