pq_crypto 0.6.1 → 0.6.2

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202.h

@@ -18,26 +18,26 @@
 #define SHA3_512_HASHBYTES 64
 
 
+/** Context for the incremental SHAKE128 XOF. */
 typedef struct
 {
-  uint64_t s[MLD_KECCAK_LANES];
-  unsigned int pos;
+  uint64_t s[MLD_KECCAK_LANES]; /**< Keccak state. */
+  unsigned int pos; /**< Byte position within the current Keccak block. */
 } mld_shake128ctx;
 
+/** Context for the incremental SHAKE256 XOF. */
 typedef struct
 {
-  uint64_t s[MLD_KECCAK_LANES];
-  unsigned int pos;
+  uint64_t s[MLD_KECCAK_LANES]; /**< Keccak state. */
+  unsigned int pos; /**< Byte position within the current Keccak block. */
 } mld_shake256ctx;
 
 #define mld_shake128_init MLD_NAMESPACE(shake128_init)
-/*************************************************
- * Name:        mld_shake128_init
+/**
+ * Initializes state for use as SHAKE128 XOF.
  *
- * Description: Initializes state for use as SHAKE128 XOF
- *
- * Arguments:   - mld_shake128ctx *state: pointer to (uninitialized) state
- **************************************************/
+ * @param[out] state Pointer to (uninitialized) state.
+ */
 MLD_INTERNAL_API
 void mld_shake128_init(mld_shake128ctx *state)
 __contract__(
@@ -47,16 +47,14 @@ __contract__(
 );
 
 #define mld_shake128_absorb MLD_NAMESPACE(shake128_absorb)
-/*************************************************
- * Name:        mld_shake128_absorb
- *
- * Description: Absorb step of the SHAKE128 XOF. Absorbs arbitrarily many bytes.
- *              Can be called multiple times to absorb multiple chunks of data.
+/**
+ * Absorb step of the SHAKE128 XOF. Absorbs arbitrarily many bytes. Can be
+ * called multiple times to absorb multiple chunks of data.
  *
- * Arguments:   - mld_shake128ctx *state: pointer to (initialized) output state
- *              - const uint8_t *in: pointer to input to be absorbed into s
- *              - size_t inlen: length of input in bytes
- **************************************************/
+ * @param[in,out] state Pointer to (initialized) output state.
+ * @param[in]     in    Pointer to input to be absorbed into s.
+ * @param         inlen Length of input in bytes.
+ */
 MLD_INTERNAL_API
 void mld_shake128_absorb(mld_shake128ctx *state, const uint8_t *in,
                          size_t inlen)
@@ -70,13 +68,11 @@ __contract__(
 );
 
 #define mld_shake128_finalize MLD_NAMESPACE(shake128_finalize)
-/*************************************************
- * Name:        mld_shake128_finalize
- *
- * Description: Concludes the absorb phase of the SHAKE128 XOF.
+/**
+ * Concludes the absorb phase of the SHAKE128 XOF.
  *
- * Arguments:   - mld_shake128ctx *state: pointer to state
- **************************************************/
+ * @param[in,out] state Pointer to state.
+ */
 MLD_INTERNAL_API
 void mld_shake128_finalize(mld_shake128ctx *state)
 __contract__(
@@ -87,17 +83,14 @@ __contract__(
 );
 
 #define mld_shake128_squeeze MLD_NAMESPACE(shake128_squeeze)
-/*************************************************
- * Name:        mld_shake128_squeeze
+/**
+ * Squeeze step of SHAKE128 XOF. Squeezes arbitrarily many bytes. Can be
+ * called multiple times to keep squeezing.
  *
- * Description: Squeeze step of SHAKE128 XOF. Squeezes arbitrarily many
- *              bytes. Can be called multiple times to keep squeezing.
- *
- * Arguments:   - uint8_t *out: pointer to output blocks
- *              - size_t outlen : number of bytes to be squeezed (written to
- *output)
- *              - mld_shake128ctx *s: pointer to input/output state
- **************************************************/
+ * @param[out]    out    Pointer to output blocks.
+ * @param         outlen Number of bytes to be squeezed (written to output).
+ * @param[in,out] state  Pointer to input/output state.
+ */
 MLD_INTERNAL_API
 void mld_shake128_squeeze(uint8_t *out, size_t outlen, mld_shake128ctx *state)
 __contract__(
@@ -111,13 +104,11 @@ __contract__(
 );
 
 #define mld_shake128_release MLD_NAMESPACE(shake128_release)
-/*************************************************
- * Name:        mld_shake128_release
- *
- * Description: Release and securely zero the SHAKE128 state.
+/**
+ * Release and securely zero the SHAKE128 state.
  *
- * Arguments:   - mld_shake128ctx *state: pointer to state
- **************************************************/
+ * @param[in,out] state Pointer to state.
+ */
 MLD_INTERNAL_API
 void mld_shake128_release(mld_shake128ctx *state)
 __contract__(
@@ -126,13 +117,11 @@ __contract__(
 );
 
 #define mld_shake256_init MLD_NAMESPACE(shake256_init)
-/*************************************************
- * Name:        mld_shake256_init
- *
- * Description: Initializes state for use as SHAKE256 XOF
+/**
+ * Initializes state for use as SHAKE256 XOF.
  *
- * Arguments:   - mld_shake256ctx *state: pointer to (uninitialized) state
- **************************************************/
+ * @param[out] state Pointer to (uninitialized) state.
+ */
 MLD_INTERNAL_API
 void mld_shake256_init(mld_shake256ctx *state)
 __contract__(
@@ -142,16 +131,14 @@ __contract__(
 );
 
 #define mld_shake256_absorb MLD_NAMESPACE(shake256_absorb)
-/*************************************************
- * Name:        mld_shake256_absorb
- *
- * Description: Absorb step of the SHAKE256 XOF. Absorbs arbitrarily many bytes.
- *              Can be called multiple times to absorb multiple chunks of data.
+/**
+ * Absorb step of the SHAKE256 XOF. Absorbs arbitrarily many bytes. Can be
+ * called multiple times to absorb multiple chunks of data.
  *
- * Arguments:   - mld_shake256ctx *state: pointer to (initialized) output state
- *              - const uint8_t *in: pointer to input to be absorbed into s
- *              - size_t inlen: length of input in bytes
- **************************************************/
+ * @param[in,out] state Pointer to (initialized) output state.
+ * @param[in]     in    Pointer to input to be absorbed into s.
+ * @param         inlen Length of input in bytes.
+ */
 MLD_INTERNAL_API
 void mld_shake256_absorb(mld_shake256ctx *state, const uint8_t *in,
                          size_t inlen)
@@ -165,13 +152,11 @@ __contract__(
 );
 
 #define mld_shake256_finalize MLD_NAMESPACE(shake256_finalize)
-/*************************************************
- * Name:        mld_shake256_finalize
+/**
+ * Concludes the absorb phase of the SHAKE256 XOF.
  *
- * Description: Concludes the absorb phase of the SHAKE256 XOF.
- *
- * Arguments:   - mld_shake256ctx *state: pointer to state
- **************************************************/
+ * @param[in,out] state Pointer to state.
+ */
 MLD_INTERNAL_API
 void mld_shake256_finalize(mld_shake256ctx *state)
 __contract__(
@@ -182,17 +167,14 @@ __contract__(
 );
 
 #define mld_shake256_squeeze MLD_NAMESPACE(shake256_squeeze)
-/*************************************************
- * Name:        mld_shake256_squeeze
- *
- * Description: Squeeze step of SHAKE256 XOF. Squeezes arbitrarily many
- *              bytes. Can be called multiple times to keep squeezing.
+/**
+ * Squeeze step of SHAKE256 XOF. Squeezes arbitrarily many bytes. Can be
+ * called multiple times to keep squeezing.
  *
- * Arguments:   - uint8_t *out: pointer to output blocks
- *              - size_t outlen : number of bytes to be squeezed (written to
- *output)
- *              - mld_shake256ctx *s: pointer to input/output state
- **************************************************/
+ * @param[out]    out    Pointer to output blocks.
+ * @param         outlen Number of bytes to be squeezed (written to output).
+ * @param[in,out] state  Pointer to input/output state.
+ */
 MLD_INTERNAL_API
 void mld_shake256_squeeze(uint8_t *out, size_t outlen, mld_shake256ctx *state)
 __contract__(
@@ -206,13 +188,11 @@ __contract__(
 );
 
 #define mld_shake256_release MLD_NAMESPACE(shake256_release)
-/*************************************************
- * Name:        mld_shake256_release
- *
- * Description: Release and securely zero the SHAKE256 state.
+/**
+ * Release and securely zero the SHAKE256 state.
  *
- * Arguments:   - mld_shake256ctx *state: pointer to state
- **************************************************/
+ * @param[in,out] state Pointer to state.
+ */
 MLD_INTERNAL_API
 void mld_shake256_release(mld_shake256ctx *state)
 __contract__(
@@ -220,17 +200,16 @@ __contract__(
   assigns(memory_slice(state, sizeof(mld_shake256ctx)))
 );
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_CORE_API_ONLY)
 #define mld_shake256 MLD_NAMESPACE(shake256)
-/*************************************************
- * Name:        mld_shake256
+/**
+ * SHAKE256 XOF with non-incremental API.
  *
- * Description: SHAKE256 XOF with non-incremental API
- *
- * Arguments:   - uint8_t *out: pointer to output
- *              - size_t outlen: requested output length in bytes
- *              - const uint8_t *in: pointer to input
- *              - size_t inlen: length of input in bytes
- **************************************************/
+ * @param[out] out    Pointer to output.
+ * @param      outlen Requested output length in bytes.
+ * @param[in]  in     Pointer to input.
+ * @param      inlen  Length of input in bytes.
+ */
 MLD_INTERNAL_API
 void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
 __contract__(
@@ -240,5 +219,6 @@ __contract__(
   requires(memory_no_alias(out, outlen))
   assigns(memory_slice(out, outlen))
 );
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_CORE_API_ONLY */
 
 #endif /* !MLD_FIPS202_FIPS202_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202x4.c

@@ -22,6 +22,8 @@
 #include "fips202x4.h"
 #include "keccakf1600.h"
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_REDUCE_RAM) || \
+    defined(MLD_UNIT_TEST)
 static void mld_keccak_absorb_once_x4(uint64_t *s, uint32_t r,
                                       const uint8_t *in0, const uint8_t *in1,
                                       const uint8_t *in2, const uint8_t *in3,
@@ -94,33 +96,31 @@ __contract__(
     assigns(memory_slice(out2, nblocks * r))
     assigns(memory_slice(out3, nblocks * r)))
 {
+  size_t current_offset = 0;
   while (nblocks > 0)
   __loop__(
-    assigns(out0, out1, out2, out3, nblocks,
+    assigns(nblocks, current_offset,
             memory_slice(s, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY),
             memory_slice(out0, nblocks * r),
             memory_slice(out1, nblocks * r),
             memory_slice(out2, nblocks * r),
             memory_slice(out3, nblocks * r))
-    invariant(nblocks <= loop_entry(nblocks) &&
-      out0 == loop_entry(out0) + r * (loop_entry(nblocks) - nblocks) &&
-      out1 == loop_entry(out1) + r * (loop_entry(nblocks) - nblocks) &&
-      out2 == loop_entry(out2) + r * (loop_entry(nblocks) - nblocks) &&
-      out3 == loop_entry(out3) + r * (loop_entry(nblocks) - nblocks))
+    invariant(nblocks <= loop_entry(nblocks))
+    invariant(current_offset == (loop_entry(nblocks) - nblocks) * r)
     decreases(nblocks))
   {
     mld_keccakf1600x4_permute(s);
-    mld_keccakf1600x4_extract_bytes(s, out0, out1, out2, out3, 0, r);
-
-    out0 += r;
-    out1 += r;
-    out2 += r;
-    out3 += r;
+    mld_keccakf1600x4_extract_bytes(
+        s, &out0[current_offset], &out1[current_offset], &out2[current_offset],
+        &out3[current_offset], 0, r);
+    current_offset += r;
     nblocks--;
   }
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST */
 
-#if !defined(MLD_CONFIG_REDUCE_RAM)
+#if !defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
 MLD_INTERNAL_API
 void mld_shake128x4_absorb_once(mld_shake128x4ctx *state, const uint8_t *in0,
                                 const uint8_t *in1, const uint8_t *in2,
@@ -148,8 +148,11 @@ void mld_shake128x4_release(mld_shake128x4ctx *state)
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(state, sizeof(mld_shake128x4ctx));
 }
-#endif /* !MLD_CONFIG_REDUCE_RAM */
+#endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) ||                                  \
+    (!defined(MLD_CONFIG_NO_SIGN_API) &&                                    \
+     (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)))
 MLD_INTERNAL_API
 void mld_shake256x4_absorb_once(mld_shake256x4ctx *state, const uint8_t *in0,
                                 const uint8_t *in1, const uint8_t *in2,
@@ -177,6 +180,8 @@ void mld_shake256x4_release(mld_shake256x4ctx *state)
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(state, sizeof(mld_shake256x4ctx));
 }
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_SIGN_API && \
+          (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) */
 
 #endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED && !MLD_CONFIG_SERIAL_FIPS202_ONLY \
         */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/fips202x4.h

@@ -16,18 +16,21 @@
 #include "fips202.h"
 #include "keccakf1600.h"
 
-/* Context for non-incremental API */
+/** Context for the non-incremental 4-way SHAKE128 API. */
 typedef struct
 {
-  uint64_t ctx[MLD_KECCAK_LANES * MLD_KECCAK_WAY];
+  uint64_t ctx[MLD_KECCAK_LANES *
+               MLD_KECCAK_WAY]; /**< 4-way Keccak state, stored sequentially. */
 } mld_shake128x4ctx;
 
+/** Context for the 4-way batched SHAKE256 XOF. */
 typedef struct
 {
-  uint64_t ctx[MLD_KECCAK_LANES * MLD_KECCAK_WAY];
+  uint64_t ctx[MLD_KECCAK_LANES *
+               MLD_KECCAK_WAY]; /**< Interleaved 4-way Keccak state. */
 } mld_shake256x4ctx;
 
-#if !defined(MLD_CONFIG_REDUCE_RAM)
+#if !defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
 #define mld_shake128x4_absorb_once MLD_NAMESPACE(shake128x4_absorb_once)
 MLD_INTERNAL_API
 void mld_shake128x4_absorb_once(mld_shake128x4ctx *state, const uint8_t *in0,
@@ -69,8 +72,11 @@ void mld_shake128x4_init(mld_shake128x4ctx *state);
 #define mld_shake128x4_release MLD_NAMESPACE(shake128x4_release)
 MLD_INTERNAL_API
 void mld_shake128x4_release(mld_shake128x4ctx *state);
-#endif /* !MLD_CONFIG_REDUCE_RAM */
+#endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || \
+    (!defined(MLD_CONFIG_NO_SIGN_API) &&   \
+     (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)))
 #define mld_shake256x4_absorb_once MLD_NAMESPACE(shake256x4_absorb_once)
 MLD_INTERNAL_API
 void mld_shake256x4_absorb_once(mld_shake256x4ctx *state, const uint8_t *in0,
@@ -112,6 +118,8 @@ void mld_shake256x4_init(mld_shake256x4ctx *state);
 #define mld_shake256x4_release MLD_NAMESPACE(shake256x4_release)
 MLD_INTERNAL_API
 void mld_shake256x4_release(mld_shake256x4ctx *state);
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_SIGN_API && \
+          (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) */
 
 #endif /* !MLD_CONFIG_SERIAL_FIPS202_ONLY */
 #endif /* !MLD_FIPS202_FIPS202X4_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/keccakf1600.c

@@ -84,11 +84,28 @@ void mld_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
 #endif /* !MLD_SYS_LITTLE_ENDIAN */
 }
 
-MLD_INTERNAL_API
-void mld_keccakf1600x4_extract_bytes(uint64_t *state, unsigned char *data0,
-                                     unsigned char *data1, unsigned char *data2,
-                                     unsigned char *data3, unsigned offset,
-                                     unsigned length)
+#if (!defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_REDUCE_RAM) || \
+     defined(MLD_UNIT_TEST)) &&                                                \
+    !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
+static void mld_keccakf1600x4_extract_bytes_c(uint64_t *state,
+                                              unsigned char *data0,
+                                              unsigned char *data1,
+                                              unsigned char *data2,
+                                              unsigned char *data3,
+                                              unsigned offset, unsigned length)
+__contract__(
+    requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+    requires(memory_no_alias(data0, length))
+    requires(memory_no_alias(data1, length))
+    requires(memory_no_alias(data2, length))
+    requires(memory_no_alias(data3, length))
+    assigns(memory_slice(data0, length))
+    assigns(memory_slice(data1, length))
+    assigns(memory_slice(data2, length))
+    assigns(memory_slice(data3, length))
+)
 {
   mld_keccakf1600_extract_bytes(state + MLD_KECCAK_LANES * 0, data0, offset,
                                 length);
@@ -101,11 +118,43 @@ void mld_keccakf1600x4_extract_bytes(uint64_t *state, unsigned char *data0,
 }
 
 MLD_INTERNAL_API
-void mld_keccakf1600x4_xor_bytes(uint64_t *state, const unsigned char *data0,
-                                 const unsigned char *data1,
-                                 const unsigned char *data2,
-                                 const unsigned char *data3, unsigned offset,
-                                 unsigned length)
+void mld_keccakf1600x4_extract_bytes(uint64_t *state, unsigned char *data0,
+                                     unsigned char *data1, unsigned char *data2,
+                                     unsigned char *data3, unsigned offset,
+                                     unsigned length)
+{
+#if defined(MLD_USE_FIPS202_X4_EXTRACT_BYTES_NATIVE)
+  if (mld_keccakf1600_extract_bytes_x4_native(state, data0, data1, data2, data3,
+                                              offset, length) ==
+      MLD_NATIVE_FUNC_SUCCESS)
+  {
+    return;
+  }
+#endif /* MLD_USE_FIPS202_X4_EXTRACT_BYTES_NATIVE */
+  mld_keccakf1600x4_extract_bytes_c(state, data0, data1, data2, data3, offset,
+                                    length);
+}
+
+static void mld_keccakf1600x4_xor_bytes_c(uint64_t *state,
+                                          const unsigned char *data0,
+                                          const unsigned char *data1,
+                                          const unsigned char *data2,
+                                          const unsigned char *data3,
+                                          unsigned offset, unsigned length)
+__contract__(
+    requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+    requires(memory_no_alias(data0, length))
+    /* Case 1: all input buffers are distinct; Case 2: All input buffers are the same */
+    requires((data0 == data1 &&
+              data0 == data2 &&
+              data0 == data3) ||
+         (memory_no_alias(data1, length) &&
+              memory_no_alias(data2, length) &&
+              memory_no_alias(data3, length)))
+    assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
+)
 {
   mld_keccakf1600_xor_bytes(state + MLD_KECCAK_LANES * 0, data0, offset,
                             length);
@@ -117,6 +166,25 @@ void mld_keccakf1600x4_xor_bytes(uint64_t *state, const unsigned char *data0,
                             length);
 }
 
+MLD_INTERNAL_API
+void mld_keccakf1600x4_xor_bytes(uint64_t *state, const unsigned char *data0,
+                                 const unsigned char *data1,
+                                 const unsigned char *data2,
+                                 const unsigned char *data3, unsigned offset,
+                                 unsigned length)
+{
+#if defined(MLD_USE_FIPS202_X4_XOR_BYTES_NATIVE)
+  if (mld_keccakf1600_xor_bytes_x4_native(state, data0, data1, data2, data3,
+                                          offset,
+                                          length) == MLD_NATIVE_FUNC_SUCCESS)
+  {
+    return;
+  }
+#endif /* MLD_USE_FIPS202_X4_XOR_BYTES_NATIVE */
+  mld_keccakf1600x4_xor_bytes_c(state, data0, data1, data2, data3, offset,
+                                length);
+}
+
 MLD_INTERNAL_API
 void mld_keccakf1600x4_permute(uint64_t *state)
 {
@@ -131,6 +199,8 @@ void mld_keccakf1600x4_permute(uint64_t *state)
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 2);
   mld_keccakf1600_permute(state + MLD_KECCAK_LANES * 3);
 }
+#endif /* (!MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST) && !MLD_CONFIG_SERIAL_FIPS202_ONLY */
 
 static const uint64_t mld_KeccakF_RoundConstants[MLD_KECCAK_NROUNDS] = {
     (uint64_t)0x0000000000000001ULL, (uint64_t)0x0000000000008082ULL,
@@ -148,6 +218,10 @@ static const uint64_t mld_KeccakF_RoundConstants[MLD_KECCAK_NROUNDS] = {
 
 MLD_STATIC_TESTABLE
 void mld_keccakf1600_permute_c(uint64_t *state)
+__contract__(
+    requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
+    assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
+)
 {
   unsigned round;
 

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/keccakf1600.h

@@ -25,7 +25,7 @@ void mld_keccakf1600_extract_bytes(uint64_t *state, unsigned char *data,
                                    unsigned offset, unsigned length)
 __contract__(
     requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
-	     0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
     requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
     requires(memory_no_alias(data, length))
     assigns(memory_slice(data, length))
@@ -37,12 +37,15 @@ void mld_keccakf1600_xor_bytes(uint64_t *state, const unsigned char *data,
                                unsigned offset, unsigned length)
 __contract__(
     requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
-	     0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
     requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
     requires(memory_no_alias(data, length))
     assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES))
 );
 
+#if (!defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_REDUCE_RAM) || \
+     defined(MLD_UNIT_TEST)) &&                                                \
+    !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
 #define mld_keccakf1600x4_extract_bytes \
   MLD_NAMESPACE(keccakf1600x4_extract_bytes)
 MLD_INTERNAL_API
@@ -52,7 +55,7 @@ void mld_keccakf1600x4_extract_bytes(uint64_t *state, unsigned char *data0,
                                      unsigned length)
 __contract__(
     requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
-	     0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
     requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
     requires(memory_no_alias(data0, length))
     requires(memory_no_alias(data1, length))
@@ -73,14 +76,14 @@ void mld_keccakf1600x4_xor_bytes(uint64_t *state, const unsigned char *data0,
                                  unsigned length)
 __contract__(
     requires(0 <= offset && offset <= MLD_KECCAK_LANES * sizeof(uint64_t) &&
-	     0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
+         0 <= length && length <= MLD_KECCAK_LANES * sizeof(uint64_t) - offset)
     requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
     requires(memory_no_alias(data0, length))
     /* Case 1: all input buffers are distinct; Case 2: All input buffers are the same */
     requires((data0 == data1 &&
               data0 == data2 &&
               data0 == data3) ||
-	     (memory_no_alias(data1, length) &&
+         (memory_no_alias(data1, length) &&
               memory_no_alias(data2, length) &&
               memory_no_alias(data3, length)))
     assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
@@ -93,6 +96,8 @@ __contract__(
     requires(memory_no_alias(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
     assigns(memory_slice(state, sizeof(uint64_t) * MLD_KECCAK_LANES * MLD_KECCAK_WAY))
 );
+#endif /* (!MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST) && !MLD_CONFIG_SERIAL_FIPS202_ONLY */
 
 #define mld_keccakf1600_permute MLD_NAMESPACE(keccakf1600_permute)
 MLD_INTERNAL_API

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/auto.h

@@ -37,6 +37,9 @@
 #include "x1_scalar.h"
 #endif
 
+#if (!defined(MLD_CONFIG_NO_KEYPAIR_API) ||                                  \
+     !defined(MLD_CONFIG_NO_SIGN_API) || !defined(MLD_CONFIG_REDUCE_RAM)) && \
+    !defined(MLD_CONFIG_SERIAL_FIPS202_ONLY)
 /*
  * Keccak-f1600x2/x4
  *
@@ -68,4 +71,7 @@
 
 #endif /* !__ARM_FEATURE_SHA3 */
 
+#endif /* (!MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_SIGN_API || \
+          !MLD_CONFIG_REDUCE_RAM) && !MLD_CONFIG_SERIAL_FIPS202_ONLY */
+
 #endif /* !MLD_FIPS202_NATIVE_AARCH64_AUTO_H */

data/ext/pqcrypto/vendor/mldsa-native/mldsa/src/fips202/native/aarch64/src/fips202_native_aarch64.h

@@ -13,46 +13,53 @@
 
 #define mld_keccakf1600_round_constants \
   MLD_NAMESPACE(keccakf1600_round_constants)
-extern const uint64_t mld_keccakf1600_round_constants[];
+MLD_INTERNAL_DATA_DECLARATION const uint64_t
+    mld_keccakf1600_round_constants[24];
 
-#define mld_keccak_f1600_x1_scalar_asm MLD_NAMESPACE(keccak_f1600_x1_scalar_asm)
-void mld_keccak_f1600_x1_scalar_asm(uint64_t state[25], const uint64_t rc[24])
+#define mld_keccak_f1600_x1_scalar_aarch64_asm \
+  MLD_NAMESPACE(keccak_f1600_x1_scalar_aarch64_asm)
+void mld_keccak_f1600_x1_scalar_aarch64_asm(uint64_t state[25],
+                                            const uint64_t rc[24])
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
   requires(rc == mld_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
 );
 
-#define mld_keccak_f1600_x1_v84a_asm MLD_NAMESPACE(keccak_f1600_x1_v84a_asm)
-void mld_keccak_f1600_x1_v84a_asm(uint64_t state[25], const uint64_t rc[24])
+#define mld_keccak_f1600_x1_v84a_aarch64_asm \
+  MLD_NAMESPACE(keccak_f1600_x1_v84a_aarch64_asm)
+void mld_keccak_f1600_x1_v84a_aarch64_asm(uint64_t state[25],
+                                          const uint64_t rc[24])
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 1))
   requires(rc == mld_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 1))
 );
 
-#define mld_keccak_f1600_x2_v84a_asm MLD_NAMESPACE(keccak_f1600_x2_v84a_asm)
-void mld_keccak_f1600_x2_v84a_asm(uint64_t state[50], const uint64_t rc[24])
+#define mld_keccak_f1600_x2_v84a_aarch64_asm \
+  MLD_NAMESPACE(keccak_f1600_x2_v84a_aarch64_asm)
+void mld_keccak_f1600_x2_v84a_aarch64_asm(uint64_t state[50],
+                                          const uint64_t rc[24])
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 2))
   requires(rc == mld_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 2))
 );
 
-#define mld_keccak_f1600_x4_v8a_scalar_hybrid_asm \
-  MLD_NAMESPACE(keccak_f1600_x4_v8a_scalar_hybrid_asm)
-void mld_keccak_f1600_x4_v8a_scalar_hybrid_asm(uint64_t state[100],
-                                               const uint64_t rc[24])
+#define mld_keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm)
+void mld_keccak_f1600_x4_v8a_scalar_hybrid_aarch64_asm(uint64_t state[100],
+                                                       const uint64_t rc[24])
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
   requires(rc == mld_keccakf1600_round_constants)
   assigns(memory_slice(state, sizeof(uint64_t) * 25 * 4))
 );
 
-#define mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm \
-  MLD_NAMESPACE(keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm)
-void mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_asm(uint64_t state[100],
-                                                    const uint64_t rc[24])
+#define mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm \
+  MLD_NAMESPACE(keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm)
+void mld_keccak_f1600_x4_v8a_v84a_scalar_hybrid_aarch64_asm(
+    uint64_t state[100], const uint64_t rc[24])
 __contract__(
   requires(memory_no_alias(state, sizeof(uint64_t) * 25 * 4))
   requires(rc == mld_keccakf1600_round_constants)