diff --git a/.CMake/alg_support.cmake b/.CMake/alg_support.cmake
index 9fdf37cb1c..9afa6e4b15 100644
--- a/.CMake/alg_support.cmake
+++ b/.CMake/alg_support.cmake
@@ -137,11 +137,8 @@ cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIU
 cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
 
 option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
 
 option(OQS_ENABLE_SIG_FALCON "Enable falcon algorithm family" ON)
@@ -393,21 +390,18 @@ endif() if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux") if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS)) - cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44_ipd" OFF) cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44" OFF) endif() endif() if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux") if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS)) - cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65_ipd" OFF) cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_65" OFF) endif() endif() if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux") if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS)) - cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87_ipd" OFF) cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_87_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_87" OFF) endif() endif() diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index f41d1b718a..9e2930d8c0 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -138,7 +138,7 @@ jobs: path: build/*.deb - name: Check STD algorithm and alias if: matrix.name == 'jammy-std-openssl3' - run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44-ipd:\n isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n isnull: false"' + run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: true" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n isnull: false"' working-directory: build linux_arm_emulated: diff --git a/README.md b/README.md index ecc62daee9..604b48fc04 100644 --- a/README.md +++ b/README.md 
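Review bot: The rewritten `run:` line in the linux.yml hunk now asserts two contradictory facts about the same key — it greps for `"ML-DSA-44:\n isnull: false"` and then for `"ML-DSA-44:\n isnull: true"` — so unless `dump_alg_info` prints the `ML-DSA-44` entry twice, the second grep cannot match and the `&&` chain makes the step fail on every run. The middle clause was the check for the now-removed `-ipd` alias; stripping the suffix kept the stale assertion instead of deleting it. The line should become `run: 'tests/dump_alg_info | grep -zoP "ML-DSA-44:\n isnull: false" && tests/dump_alg_info | grep -zoP "ML-KEM-512:\n isnull: false"'`, and the step name `Check STD algorithm and alias` should drop the words "and alias" since no alias exists any more. A positive check that the old name is gone (for example that `ML-DSA-44-ipd` no longer appears in the dump) would make the step catch a regression instead of merely passing.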
@@ -40,7 +40,7 @@ Details on each supported algorithm can be found in the [docs/algorithms](https: The list below indicates all algorithms currently supported by liboqs, including experimental algorithms and already excluding algorithm variants pruned during the NIST competition, such as Kyber-90s or Dilithium-AES. -The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/ipd) (initial public draft) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. For users interested in explicitly selecting the current "proposed draft standard" code, the variants with the suffix "-ipd" are made available. At this stage, "ml-dsa-ipd" and "ml-dsa" are functionally equivalent, denoted by the "alias" moniker below. +The only algorithms in `liboqs` that implement NIST standards are the [`ML-KEM`](https://csrc.nist.gov/pubs/fips/203/final) (final standard) and [`ML-DSA`](https://csrc.nist.gov/pubs/fips/204/final) (final standard) variants with their respective different bit strengths. `liboqs` will retain these algorithm names selected by NIST throughout the finishing stages of the standardization process, so users can rely on their presence going forward. If NIST changes the implementation details of these algorithms, `liboqs` will adjust the implementation so that users are protected from such potential changes. 
Falcon and SPHINCS+ have also been [selected for standardization](https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022), but the `liboqs` implementations of these algorithms are currently tracking Round 3 submissions and not NIST standards drafts. @@ -65,7 +65,7 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes - **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5 - **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024 - **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5† -- **ML-DSA**: ML-DSA-44-ipd (alias: ML-DSA-44), ML-DSA-65-ipd (alias: ML-DSA-65), ML-DSA-87-ipd (alias: ML-DSA-87) +- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87 - **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple - **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple diff --git a/docs/algorithms/sig/ml_dsa.md b/docs/algorithms/sig/ml_dsa.md index ab2b43488e..dc2cde8e71 100644 --- a/docs/algorithms/sig/ml_dsa.md +++ b/docs/algorithms/sig/ml_dsa.md 
@@ -4,10 +4,10 @@ - **Main cryptographic assumption**: hardness of lattice problems over module lattices. - **Principal submitters**: Vadim Lyubashevsky. - **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé. -- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd -- **Specification version**: ML-DSA-ipd. +- **Authors' website**: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final +- **Specification version**: ML-DSA. - **Primary Source**: - - **Source**: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c with copy_from_upstream patches + - **Source**: https://github.com/pq-crystals/dilithium/commit/cbcd8753a43402885c90343cd6335fb54712cda1 with copy_from_upstream patches - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0 
@@ -15,11 +15,11 @@ | Parameter set | Parameter set alias | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) | |:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:| -| ML-DSA-44-ipd | ML-DSA-44 | EUF-CMA | 2 | 1312 | 2560 | 2420 | -| ML-DSA-65-ipd | ML-DSA-65 | EUF-CMA | 3 | 1952 | 4032 | 3309 | -| ML-DSA-87-ipd | ML-DSA-87 | EUF-CMA | 5 | 2592 | 4896 | 4627 | +| ML-DSA-44 | NA | EUF-CMA | 2 | 1312 | 2560 | 2420 | +| ML-DSA-65 | NA | EUF-CMA | 3 | 1952 | 4032 | 3309 | +| ML-DSA-87 | NA | EUF-CMA | 5 | 2592 | 4896 | 4627 | -## ML-DSA-44-ipd implementation characteristics +## ML-DSA-44 implementation characteristics | Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ | |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------| 
@@ -30,7 +30,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**. ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file. -## ML-DSA-65-ipd implementation characteristics +## ML-DSA-65 implementation characteristics | Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? | |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------| @@ -39,7 +39,7 @@ Are implementations chosen based on runtime CPU feature detection? **Yes**. Are implementations chosen based on runtime CPU feature detection? **Yes**. -## ML-DSA-87-ipd implementation characteristics +## ML-DSA-87 implementation characteristics | Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? | |:---------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------| diff --git a/docs/algorithms/sig/ml_dsa.yml b/docs/algorithms/sig/ml_dsa.yml index c936883588..3a57995746 100644 --- a/docs/algorithms/sig/ml_dsa.yml +++ b/docs/algorithms/sig/ml_dsa.yml 
@@ -12,15 +12,14 @@ auxiliary-submitters: - Damien Stehlé crypto-assumption: hardness of lattice problems over module lattices website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd -nist-round: ipd -spec-version: ML-DSA-ipd +nist-round: FIPS204 +spec-version: ML-DSA primary-upstream: - source: https://github.com/pq-crystals/dilithium/commit/e7bed6258b9a3703ce78d4ec38021c86382ce31c + source: https://github.com/pq-crystals/dilithium/commit/cbcd8753a43402885c90343cd6335fb54712cda1 with copy_from_upstream patches spdx-license-identifier: CC0-1.0 or Apache-2.0 parameter-sets: -- name: ML-DSA-44-ipd - alias: ML-DSA-44 +- name: ML-DSA-44 claimed-nist-level: 2 claimed-security: EUF-CMA length-public-key: 1312 @@ -51,8 +50,7 @@ parameter-sets: no-secret-dependent-branching-claimed: true no-secret-dependent-branching-checked-by-valgrind: true large-stack-usage: false -- name: ML-DSA-65-ipd - alias: ML-DSA-65 +- name: ML-DSA-65 claimed-nist-level: 3 claimed-security: EUF-CMA length-public-key: 1952 @@ -83,8 +81,7 @@ parameter-sets: no-secret-dependent-branching-claimed: true no-secret-dependent-branching-checked-by-valgrind: true large-stack-usage: false -- name: ML-DSA-87-ipd - alias: ML-DSA-87 +- name: ML-DSA-87 claimed-nist-level: 5 claimed-security: EUF-CMA length-public-key: 2592 diff --git a/docs/cbom.json b/docs/cbom.json index d3bfad1d64..10bd100a05 100644 --- a/docs/cbom.json +++ b/docs/cbom.json 
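Review bot: The `@@ -12,15` hunk changes `nist-round` to `FIPS204` and `spec-version` to `ML-DSA` but leaves the unchanged context line `website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/ipd` pointing at the initial public draft, while the ml_dsa.md hunk in this same commit hand-edits the corresponding "Authors' website" line to `.../fips/204/final`. If ml_dsa.md is generated from this yml, as the one-to-one field correspondence suggests, the next regeneration will silently revert the markdown to the draft URL and the two files will disagree about which specification the implementation claims. The line should read `website: https://pq-crystals.org/dilithium/ and https://csrc.nist.gov/pubs/fips/204/final` so the data source and the rendered documentation agree on the final standard.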
@@ -1,23 +1,23 @@ { "bomFormat": "CBOM", "specVersion": "1.4-cbom-1.0", - "serialNumber": "urn:uuid:b953d460-1246-4cbb-aff9-642a0308d18b", + "serialNumber": "urn:uuid:8ab32dcc-f97b-480a-840f-7aa14563ad9c", "version": 1, "metadata": { - "timestamp": "2024-08-26T18:04:44.668645", + "timestamp": "2024-09-10T11:25:43.713773", "component": { "type": "library", - "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910", + "bom-ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01", "name": "liboqs", - "version": "062e793edf54cbc1073b54d0689795063fd41910" + "version": "b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01" } }, "components": [ { "type": "library", - "bom-ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910", + "bom-ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01", "name": "liboqs", - "version": "062e793edf54cbc1073b54d0689795063fd41910" + "version": "b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01" }, { "type": "crypto-asset", @@ -2501,12 +2501,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-44-ipd:generic", + "bom-ref": "alg:ML-DSA-44:generic", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-44-ipd", + "variant": "ML-DSA-44", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ @@ -2521,12 +2521,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-44-ipd:x86_64", + "bom-ref": "alg:ML-DSA-44:x86_64", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-44-ipd", + "variant": "ML-DSA-44", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ 
@@ -2541,12 +2541,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-65-ipd:generic", + "bom-ref": "alg:ML-DSA-65:generic", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-65-ipd", + "variant": "ML-DSA-65", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ @@ -2561,12 +2561,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-65-ipd:x86_64", + "bom-ref": "alg:ML-DSA-65:x86_64", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-65-ipd", + "variant": "ML-DSA-65", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ @@ -2581,12 +2581,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-87-ipd:generic", + "bom-ref": "alg:ML-DSA-87:generic", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-87-ipd", + "variant": "ML-DSA-87", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ @@ -2601,12 +2601,12 @@ }, { "type": "crypto-asset", - "bom-ref": "alg:ML-DSA-87-ipd:x86_64", + "bom-ref": "alg:ML-DSA-87:x86_64", "name": "ML-DSA", "cryptoProperties": { "assetType": "algorithm", "algorithmProperties": { - "variant": "ML-DSA-87-ipd", + "variant": "ML-DSA-87", "primitive": "signature", "implementationLevel": "softwarePlainRam", "cryptoFunctions": [ @@ -3128,7 +3128,7 @@ ], "dependencies": [ { - "ref": "pkg:github/open-quantum-safe/liboqs@062e793edf54cbc1073b54d0689795063fd41910", + "ref": "pkg:github/open-quantum-safe/liboqs@b37c937a649ec9cdb82c4964f97aa7d8ec0c9b01", "dependsOn": [ "alg:BIKE-L1:x86_64", "alg:BIKE-L3:x86_64", 
@@ -3254,12 +3254,12 @@ "alg:MAYO-3:x86_64", "alg:MAYO-5:generic", "alg:MAYO-5:x86_64", - "alg:ML-DSA-44-ipd:generic", - "alg:ML-DSA-44-ipd:x86_64", - "alg:ML-DSA-65-ipd:generic", - "alg:ML-DSA-65-ipd:x86_64", - "alg:ML-DSA-87-ipd:generic", - "alg:ML-DSA-87-ipd:x86_64", + "alg:ML-DSA-44:generic", + "alg:ML-DSA-44:x86_64", + "alg:ML-DSA-65:generic", + "alg:ML-DSA-65:x86_64", + "alg:ML-DSA-87:generic", + "alg:ML-DSA-87:x86_64", "alg:SPHINCS+-SHA2-128f-simple:generic", "alg:SPHINCS+-SHA2-128f-simple:x86_64", "alg:SPHINCS+-SHA2-128s-simple:generic", @@ -4166,42 +4166,42 @@ "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-44-ipd:generic", + "ref": "alg:ML-DSA-44:generic", "dependsOn": [ "alg:sha3" ], "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-44-ipd:x86_64", + "ref": "alg:ML-DSA-44:x86_64", "dependsOn": [ "alg:sha3" ], "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-65-ipd:generic", + "ref": "alg:ML-DSA-65:generic", "dependsOn": [ "alg:sha3" ], "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-65-ipd:x86_64", + "ref": "alg:ML-DSA-65:x86_64", "dependsOn": [ "alg:sha3" ], "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-87-ipd:generic", + "ref": "alg:ML-DSA-87:generic", "dependsOn": [ "alg:sha3" ], "dependencyType": "uses" }, { - "ref": "alg:ML-DSA-87-ipd:x86_64", + "ref": "alg:ML-DSA-87:x86_64", "dependsOn": [ "alg:sha3" ], diff --git a/scripts/copy_from_upstream/copy_from_upstream.yml b/scripts/copy_from_upstream/copy_from_upstream.yml index a8d70af436..0a828febdb 100644 --- a/scripts/copy_from_upstream/copy_from_upstream.yml +++ b/scripts/copy_from_upstream/copy_from_upstream.yml 
@@ -48,11 +48,11 @@ upstreams: - name: pqcrystals-dilithium-standard git_url: https://github.com/pq-crystals/dilithium.git - git_branch: standard - git_commit: e7bed6258b9a3703ce78d4ec38021c86382ce31c + git_branch: master + git_commit: cbcd8753a43402885c90343cd6335fb54712cda1 sig_meta_path: '{pretty_name_full}_META.yml' sig_scheme_path: '.' - patches: [pqcrystals-ml_dsa_ipd.patch] + patches: [pqcrystals-ml_dsa.patch] - name: pqmayo git_url: https://github.com/PQCMayo/MAYO-C.git @@ -171,17 +171,14 @@ kems: scheme: "512" pqclean_scheme: ml-kem-512 pretty_name_full: ML-KEM-512 - alias_pretty_name_full: ML-KEM-512 - scheme: "768" pqclean_scheme: ml-kem-768 pretty_name_full: ML-KEM-768 - alias_pretty_name_full: ML-KEM-768 - scheme: "1024" pqclean_scheme: ml-kem-1024 pretty_name_full: ML-KEM-1024 - alias_pretty_name_full: ML-KEM-1024 sigs: - name: dilithium @@ -213,26 +210,20 @@ sigs: upstream_location: pqcrystals-dilithium-standard schemes: - - scheme: "44_ipd" - pqclean_scheme: ml-dsa-44-ipd - pretty_name_full: ML-DSA-44-ipd + scheme: "44" + pqclean_scheme: ml-dsa-44 + pretty_name_full: ML-DSA-44 signed_msg_order: sig_then_msg - alias_scheme: "44" - alias_pretty_name_full: ML-DSA-44 - - scheme: "65_ipd" - pqclean_scheme: ml-dsa-65-ipd - pretty_name_full: ML-DSA-65-ipd + scheme: "65" + pqclean_scheme: ml-dsa-65 + pretty_name_full: ML-DSA-65 signed_msg_order: sig_then_msg - alias_scheme: "65" - alias_pretty_name_full: ML-DSA-65 - - scheme: "87_ipd" - pqclean_scheme: ml-dsa-87-ipd - pretty_name_full: ML-DSA-87-ipd + scheme: "87" + pqclean_scheme: ml-dsa-87 + pretty_name_full: ML-DSA-87 signed_msg_order: sig_then_msg - alias_scheme: "87" - alias_pretty_name_full: ML-DSA-87 - name: falcon default_implementation: clean diff --git a/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch new file mode 100644 index 0000000000..00ff269ef8 --- /dev/null 
+++ b/scripts/copy_from_upstream/patches/pqcrystals-ml_dsa.patch 
@@ -0,0 +1,1123 @@ +diff --git a/Dilithium2_META.yml b/ML-DSA-44_META.yml +index 425606f..23fa5af 100644 +--- a/Dilithium2_META.yml ++++ b/ML-DSA-44_META.yml +@@ -1,9 +1,10 @@ +-name: Dilithium2 ++name: ML-DSA-44 + type: signature + claimed-nist-level: 2 + length-public-key: 1312 + length-secret-key: 2560 + length-signature: 2420 ++nistkat-sha256: 9a196e7fb32fbc93757dc2d8dc1924460eab66303c0c08aeb8b798fb8d8f8cf3 + testvectors-sha256: 5f0d135c0f7fd43f3fb9727265fcd6ec3651eb8c67c04ea5f3d8dfa1d99740d2 + principal-submitters: + - Vadim Lyubashevsky +@@ -19,20 +20,18 @@ implementations: + - name: ref + version: https://github.com/pq-crystals/dilithium/tree/master + folder_name: ref +- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium2_ref_keypair +- signature_signature: pqcrystals_dilithium2_ref_signature +- signature_verify: pqcrystals_dilithium2_ref_verify +- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c +- common_dep: common_ref ++ compile_opts: -DDILITHIUM_MODE=2 ++ signature_keypair: pqcrystals_ml_dsa_44_ref_keypair ++ signature_signature: pqcrystals_ml_dsa_44_ref_signature ++ signature_verify: pqcrystals_ml_dsa_44_ref_verify ++ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c + - name: avx2 + version: https://github.com/pq-crystals/dilithium/tree/master +- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium2_avx2_keypair +- signature_signature: pqcrystals_dilithium2_avx2_signature +- signature_verify: pqcrystals_dilithium2_avx2_verify +- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h 
ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c +- common_dep: common_avx2 ++ compile_opts: -DDILITHIUM_MODE=2 ++ signature_keypair: pqcrystals_ml_dsa_44_avx2_keypair ++ signature_signature: pqcrystals_ml_dsa_44_avx2_signature ++ signature_verify: pqcrystals_ml_dsa_44_avx2_verify ++ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c + supported_platforms: + - architecture: x86_64 + operating_systems: +diff --git a/Dilithium3_META.yml b/ML-DSA-65_META.yml +index 94b60c0..cc3e91c 100644 +--- a/Dilithium3_META.yml ++++ b/ML-DSA-65_META.yml +@@ -1,9 +1,10 @@ +-name: Dilithium3 ++name: ML-DSA-65 + type: signature + claimed-nist-level: 3 + length-public-key: 1952 + length-secret-key: 4032 + length-signature: 3309 ++nistkat-sha256: 7cb96242eac9907a55b5c84c202f0ebd552419c50b2e986dc2e28f07ecebf072 + testvectors-sha256: 14bf84918ee90e7afbd580191d3eb890d4557e0900b1145e39a8399ef7dd3fba + principal-submitters: + - Vadim Lyubashevsky +@@ -19,20 +20,18 @@ implementations: + - name: ref + version: https://github.com/pq-crystals/dilithium/tree/master + folder_name: ref +- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium3_ref_keypair +- signature_signature: pqcrystals_dilithium3_ref_signature +- signature_verify: pqcrystals_dilithium3_ref_verify +- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c +- common_dep: common_ref ++ compile_opts: -DDILITHIUM_MODE=3 ++ signature_keypair: pqcrystals_ml_dsa_65_ref_keypair ++ signature_signature: 
pqcrystals_ml_dsa_65_ref_signature ++ signature_verify: pqcrystals_ml_dsa_65_ref_verify ++ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c + - name: avx2 + version: https://github.com/pq-crystals/dilithium/tree/master +- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium3_avx2_keypair +- signature_signature: pqcrystals_dilithium3_avx2_signature +- signature_verify: pqcrystals_dilithium3_avx2_verify +- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c +- common_dep: common_avx2 ++ compile_opts: -DDILITHIUM_MODE=3 ++ signature_keypair: pqcrystals_ml_dsa_65_avx2_keypair ++ signature_signature: pqcrystals_ml_dsa_65_avx2_signature ++ signature_verify: pqcrystals_ml_dsa_65_avx2_verify ++ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c + supported_platforms: + - architecture: x86_64 + operating_systems: +diff --git a/Dilithium5_META.yml b/ML-DSA-87_META.yml +index 69e1c01..0c6b695 100644 +--- a/Dilithium5_META.yml ++++ b/ML-DSA-87_META.yml +@@ -1,9 +1,10 @@ +-name: Dilithium5 ++name: ML-DSA-87 + type: signature + claimed-nist-level: 5 + length-public-key: 2592 + length-secret-key: 4896 + length-signature: 4627 ++nistkat-sha256: 4537905d2aabcf302fab2f242baed293459ecda7c230e6a67063b02c7e2840ed + testvectors-sha256: 759a3ba35210c7e27ff90a7ce5e399295533b82ef125e6ec98af158e00268e44 + principal-submitters: + - Vadim 
Lyubashevsky +@@ -19,20 +20,18 @@ implementations: + - name: ref + version: https://github.com/pq-crystals/dilithium/tree/master + folder_name: ref +- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium5_ref_keypair +- signature_signature: pqcrystals_dilithium5_ref_signature +- signature_verify: pqcrystals_dilithium5_ref_verify +- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c +- common_dep: common_ref ++ compile_opts: -DDILITHIUM_MODE=5 ++ signature_keypair: pqcrystals_ml_dsa_87_ref_keypair ++ signature_signature: pqcrystals_ml_dsa_87_ref_signature ++ signature_verify: pqcrystals_ml_dsa_87_ref_verify ++ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c + - name: avx2 + version: https://github.com/pq-crystals/dilithium/tree/master +- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING +- signature_keypair: pqcrystals_dilithium5_avx2_keypair +- signature_signature: pqcrystals_dilithium5_avx2_signature +- signature_verify: pqcrystals_dilithium5_avx2_verify +- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c +- common_dep: common_avx2 ++ compile_opts: -DDILITHIUM_MODE=5 ++ signature_keypair: pqcrystals_ml_dsa_87_avx2_keypair ++ signature_signature: pqcrystals_ml_dsa_87_avx2_signature ++ signature_verify: pqcrystals_ml_dsa_87_avx2_verify ++ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S 
invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c + supported_platforms: + - architecture: x86_64 + operating_systems: +diff --git a/avx2/config.h b/avx2/config.h +index a9facc0..3944cb4 100644 +--- a/avx2/config.h ++++ b/avx2/config.h +@@ -11,17 +11,17 @@ + #endif + + #if DILITHIUM_MODE == 2 +-#define CRYPTO_ALGNAME "Dilithium2" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2 +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s ++#define CRYPTO_ALGNAME "ML-DSA-44" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2 ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s + #elif DILITHIUM_MODE == 3 +-#define CRYPTO_ALGNAME "Dilithium3" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2 +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s ++#define CRYPTO_ALGNAME "ML-DSA-65" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2 ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s + #elif DILITHIUM_MODE == 5 +-#define CRYPTO_ALGNAME "Dilithium5" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2 +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s ++#define CRYPTO_ALGNAME "ML-DSA-87" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2 ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s + #endif + + #endif +diff --git a/avx2/poly.c b/avx2/poly.c +index 340e91d..7bae495 100644 +--- a/avx2/poly.c ++++ b/avx2/poly.c +@@ -401,6 +401,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce) + stream128_state state; + stream128_init(&state, seed, nonce); + poly_uniform_preinit(a, &state); ++ stream128_release(&state); + } + + void poly_uniform_4x(poly *a0, +@@ -415,7 +416,7 @@ void poly_uniform_4x(poly *a0, + { + unsigned int ctr0, ctr1, ctr2, ctr3; + ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4]; +- keccakx4_state state; ++ shake128x4incctx state; + 
__m256i f; + + f = _mm256_loadu_si256((__m256i *)seed); +@@ -433,6 +434,7 @@ void poly_uniform_4x(poly *a0, + buf[3].coeffs[SEEDBYTES+0] = nonce3; + buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8; + ++ shake128x4_inc_init(&state); + shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2); + shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state); + +@@ -449,6 +451,7 @@ void poly_uniform_4x(poly *a0, + ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE); + ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE); + } ++ shake128x4_inc_ctx_release(&state); + } + + /************************************************* +@@ -530,6 +533,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) + stream256_state state; + stream256_init(&state, seed, nonce); + poly_uniform_eta_preinit(a, &state); ++ stream256_release(&state); + } + + void poly_uniform_eta_4x(poly *a0, +@@ -546,7 +550,7 @@ void poly_uniform_eta_4x(poly *a0, + ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4]; + + __m256i f; +- keccakx4_state state; ++ shake256x4incctx state; + + f = _mm256_loadu_si256((__m256i *)&seed[0]); + _mm256_store_si256(&buf[0].vec[0],f); +@@ -568,6 +572,7 @@ void poly_uniform_eta_4x(poly *a0, + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + ++ shake256x4_inc_init(&state); + shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); + shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state); + +@@ -584,6 +589,7 @@ void poly_uniform_eta_4x(poly *a0, + ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE); + ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE); + } ++ shake256x4_inc_ctx_release(&state); + } + + /************************************************* +@@ 
-611,6 +617,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce) + stream256_state state; + stream256_init(&state, seed, nonce); + poly_uniform_gamma1_preinit(a, &state); ++ stream256_release(&state); + } + + void poly_uniform_gamma1_4x(poly *a0, +@@ -624,7 +631,7 @@ void poly_uniform_gamma1_4x(poly *a0, + uint16_t nonce3) + { + ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4]; +- keccakx4_state state; ++ shake256x4incctx state; + __m256i f; + + f = _mm256_loadu_si256((__m256i *)&seed[0]); +@@ -647,8 +654,10 @@ void poly_uniform_gamma1_4x(poly *a0, + buf[3].coeffs[64] = nonce3; + buf[3].coeffs[65] = nonce3 >> 8; + ++ shake256x4_inc_init(&state); + shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66); + shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); ++ shake256x4_inc_ctx_release(&state); + + polyz_unpack(a0, buf[0].coeffs); + polyz_unpack(a1, buf[1].coeffs); +@@ -670,12 +679,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { + unsigned int i, b, pos; + uint64_t signs; + ALIGNED_UINT8(SHAKE256_RATE) buf; +- keccak_state state; ++ shake256incctx state; + +- shake256_init(&state); +- shake256_absorb(&state, seed, CTILDEBYTES); +- shake256_finalize(&state); +- shake256_squeezeblocks(buf.coeffs, 1, &state); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, seed, CTILDEBYTES); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); + + memcpy(&signs, buf.coeffs, 8); + pos = 8; +@@ -695,6 +704,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { + c->coeffs[b] = 1 - 2*(signs & 1); + signs >>= 1; + } ++ shake256_inc_ctx_release(&state); + } + + /************************************************* +diff --git a/avx2/sign.c b/avx2/sign.c +index 7d70257..d1c747a 100644 +--- a/avx2/sign.c ++++ 
b/avx2/sign.c +@@ -151,7 +151,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +-int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, ++static int crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk) + { + unsigned int i, n, pos; +@@ -167,7 +167,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t + polyvecl y; + polyveck w0; + } tmpv; +- keccak_state state; ++ shake256incctx state; + + if(ctxlen > 255) + return -1; +@@ -181,15 +181,15 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t + unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); + + /* Compute CRH(tr, 0, ctxlen, ctx, msg) */ +- shake256_init(&state); +- shake256_absorb(&state, tr, TRBYTES); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, tr, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; +- shake256_absorb(&state, mu, 2); +- shake256_absorb(&state, ctx, ctxlen); +- shake256_absorb(&state, m, mlen); +- shake256_finalize(&state); +- shake256_squeeze(mu, CRHBYTES, &state); ++ shake256_inc_absorb(&state, mu, 2); ++ shake256_inc_absorb(&state, ctx, ctxlen); ++ shake256_inc_absorb(&state, m, mlen); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(mu, CRHBYTES, &state); + + #ifdef DILITHIUM_RANDOMIZED_SIGNING + randombytes(rnd, RNDBYTES); +@@ -236,11 +236,11 @@ rej: + polyveck_decompose(&w1, &tmpv.w0, &w1); + polyveck_pack_w1(sig, &w1); + +- shake256_init(&state); +- shake256_absorb(&state, mu, CRHBYTES); +- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES); +- shake256_finalize(&state); +- shake256_squeeze(sig, CTILDEBYTES, &state); ++ shake256_inc_ctx_reset(&state); ++ shake256_inc_absorb(&state, mu, CRHBYTES); ++ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); ++ 
shake256_inc_finalize(&state); ++ shake256_inc_squeeze(sig, CTILDEBYTES, &state); + poly_challenge(&c, sig); + poly_ntt(&c); + +@@ -285,6 +285,7 @@ rej: + hint[OMEGA + i] = pos = pos + n; + } + ++ shake256_inc_ctx_release(&state); + /* Pack z into signature */ + for(i = 0; i < L; i++) + polyz_pack(sig + CTILDEBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]); +@@ -293,6 +294,30 @@ rej: + return 0; + } + ++/************************************************* ++* Name: crypto_sign_signature ++* ++* Description: Computes signature. Default with empty ctx. ++* ++* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) ++* - size_t *siglen: pointer to output length of signature ++* - uint8_t *m: pointer to message to be signed ++* - size_t mlen: length of message ++* - uint8_t *sk: pointer to bit-packed secret key ++* ++* Returns 0 (success) or -1 (context string too long) ++**************************************************/ ++int crypto_sign_signature(uint8_t *sig, ++ size_t *siglen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *sk) ++{ ++ return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); ++} ++ ++ ++ + /************************************************* + * Name: crypto_sign + * +@@ -311,7 +336,7 @@ rej: + * + * Returns 0 (success) + **************************************************/ +-int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, ++static int crypto_sign_ctx(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk) + { + size_t i; +@@ -319,13 +344,38 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const + + for(i = 0; i < mlen; ++i) + sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; +- ret = crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); ++ ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); + *smlen += mlen; + 
return ret; + } + + /************************************************* +-* Name: crypto_sign_verify ++* Name: crypto_sign ++* ++* Description: Compute signed message. Default with empty ctx. ++* ++* Arguments: - uint8_t *sm: pointer to output signed message (allocated ++* array with CRYPTO_BYTES + mlen bytes), ++* can be equal to m ++* - size_t *smlen: pointer to output length of signed ++* message ++* - const uint8_t *m: pointer to message to be signed ++* - size_t mlen: length of message ++* - const uint8_t *sk: pointer to bit-packed secret key ++* ++* Returns 0 (success) or -1 (context string too long) ++**************************************************/ ++int crypto_sign(uint8_t *sm, ++ size_t *smlen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *sk) ++{ ++ return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); ++} ++ ++/************************************************* ++* Name: crypto_sign_verify_ctx + * + * Description: Verifies signature. + * +@@ -339,7 +389,7 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const + * + * Returns 0 if signature could be verified correctly and -1 otherwise + **************************************************/ +-int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, ++static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { + unsigned int i, j, pos = 0; + /* polyw1_pack writes additional 14 bytes */ +@@ -350,22 +400,23 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size + polyvecl *row = rowbuf; + polyvecl z; + poly c, w1, h; +- keccak_state state; ++ shake256incctx state; + + if(ctxlen > 255 || siglen != CRYPTO_BYTES) + return -1; + + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); +- shake256_init(&state); +- shake256_absorb(&state, mu, CRHBYTES); ++ shake256_inc_init(&state); ++ 
shake256_inc_absorb(&state, mu, CRHBYTES); + mu[0] = 0; + mu[1] = ctxlen; +- shake256_absorb(&state, mu, 2); +- shake256_absorb(&state, ctx, ctxlen); +- shake256_absorb(&state, m, mlen); +- shake256_finalize(&state); +- shake256_squeeze(mu, CRHBYTES, &state); ++ shake256_inc_absorb(&state, mu, 2); ++ shake256_inc_absorb(&state, ctx, ctxlen); ++ shake256_inc_absorb(&state, m, mlen); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(mu, CRHBYTES, &state); ++ shake256_inc_ctx_release(&state); + + /* Expand challenge */ + poly_challenge(&c, sig); +@@ -415,11 +466,12 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size + if(hint[j]) return -1; + + /* Call random oracle and verify challenge */ +- shake256_init(&state); +- shake256_absorb(&state, mu, CRHBYTES); +- shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES); +- shake256_finalize(&state); +- shake256_squeeze(buf.coeffs, CTILDEBYTES, &state); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, mu, CRHBYTES); ++ shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(buf.coeffs, CTILDEBYTES, &state); ++ shake256_inc_ctx_release(&state); + for(i = 0; i < CTILDEBYTES; ++i) + if(buf.coeffs[i] != sig[i]) + return -1; +@@ -428,7 +480,29 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size + } + + /************************************************* +-* Name: crypto_sign_open ++* Name: crypto_sign_verify ++* ++* Description: Verifies signature. With default context. 
++* ++* Arguments: - uint8_t *m: pointer to input signature ++* - size_t siglen: length of signature ++* - const uint8_t *m: pointer to message ++* - size_t mlen: length of message ++* - const uint8_t *pk: pointer to bit-packed public key ++* ++* Returns 0 if signature could be verified correctly and -1 otherwise ++**************************************************/ ++int crypto_sign_verify(const uint8_t *sig, ++ size_t siglen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *pk) ++{ ++ return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); ++} ++ ++/************************************************* ++* Name: crypto_sign_open_ctx + * + * Description: Verify signed message. + * +@@ -443,7 +517,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size + * + * Returns 0 if signed message could be verified correctly and -1 otherwise + **************************************************/ +-int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, ++static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { + size_t i; + +@@ -451,7 +525,7 @@ int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + goto badsig; + + *mlen = smlen - CRYPTO_BYTES; +- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) ++ if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) + goto badsig; + else { + /* All good, copy msg, return 0 */ +@@ -468,3 +542,26 @@ badsig: + + return -1; + } ++ ++/************************************************* ++* Name: crypto_sign_open ++* ++* Description: Verify signed message. Default with empty ctx. 
++* ++* Arguments: - uint8_t *m: pointer to output message (allocated ++* array with smlen bytes), can be equal to sm ++* - size_t *mlen: pointer to output length of message ++* - const uint8_t *sm: pointer to signed message ++* - size_t smlen: length of signed message ++* - const uint8_t *pk: pointer to bit-packed public key ++* ++* Returns 0 if signed message could be verified correctly and -1 otherwise ++**************************************************/ ++int crypto_sign_open(uint8_t *m, ++ size_t *mlen, ++ const uint8_t *sm, ++ size_t smlen, ++ const uint8_t *pk) ++{ ++ return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); ++} +diff --git a/avx2/symmetric.h b/avx2/symmetric.h +index 8f3c3c5..fa49963 100644 +--- a/avx2/symmetric.h ++++ b/avx2/symmetric.h +@@ -6,21 +6,23 @@ + + #include "fips202.h" + +-typedef keccak_state stream128_state; +-typedef keccak_state stream256_state; ++typedef shake128incctx stream128_state; ++typedef shake256incctx stream256_state; + + #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init) +-void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); ++void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce); + + #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init) +-void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce); ++void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce); + + #define STREAM128_BLOCKBYTES SHAKE128_RATE + #define STREAM256_BLOCKBYTES SHAKE256_RATE + + #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE) + #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) ++#define stream128_release(STATE) shake128_inc_ctx_release(STATE) + #define stream256_init(STATE, 
SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE) + #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) ++#define stream256_release(STATE) shake256_inc_ctx_release(STATE) + + #endif +diff --git a/ref/config.h b/ref/config.h +index 98b8ccb..8008e11 100644 +--- a/ref/config.h ++++ b/ref/config.h +@@ -11,17 +11,17 @@ + #endif + + #if DILITHIUM_MODE == 2 +-#define CRYPTO_ALGNAME "Dilithium2" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s ++#define CRYPTO_ALGNAME "ML-DSA-44" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s + #elif DILITHIUM_MODE == 3 +-#define CRYPTO_ALGNAME "Dilithium3" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s ++#define CRYPTO_ALGNAME "ML-DSA-65" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s + #elif DILITHIUM_MODE == 5 +-#define CRYPTO_ALGNAME "Dilithium5" +-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref +-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s ++#define CRYPTO_ALGNAME "ML-DSA-87" ++#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref ++#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s + #endif + + #endif +diff --git a/ref/poly.c b/ref/poly.c +index 0db4f42..99405fa 100644 +--- a/ref/poly.c ++++ b/ref/poly.c +@@ -365,6 +365,7 @@ void poly_uniform(poly *a, + buflen = STREAM128_BLOCKBYTES + off; + ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen); + } ++ stream128_release(&state); + } + + /************************************************* +@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a, + stream256_squeezeblocks(buf, 1, &state); + ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES); + } ++ stream256_release(&state); + } + + 
/************************************************* +@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a, + + stream256_init(&state, seed, nonce); + stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state); ++ stream256_release(&state); + polyz_unpack(a, buf); + } + +@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { + unsigned int i, b, pos; + uint64_t signs; + uint8_t buf[SHAKE256_RATE]; +- keccak_state state; ++ shake256incctx state; + +- shake256_init(&state); +- shake256_absorb(&state, seed, CTILDEBYTES); +- shake256_finalize(&state); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, seed, CTILDEBYTES); ++ shake256_inc_finalize(&state); + shake256_squeezeblocks(buf, 1, &state); + + signs = 0; +@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { + c->coeffs[b] = 1 - 2*(signs & 1); + signs >>= 1; + } ++ shake256_inc_ctx_release(&state); + } + + /************************************************* +diff --git a/ref/sign.c b/ref/sign.c +index b130da9..59df461 100644 +--- a/ref/sign.c ++++ b/ref/sign.c +@@ -67,7 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { + } + + /************************************************* +-* Name: crypto_sign_signature ++* Name: crypto_sign_signatur_ctx + * + * Description: Computes signature. 
+ * +@@ -81,13 +81,13 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +-int crypto_sign_signature(uint8_t *sig, +- size_t *siglen, +- const uint8_t *m, +- size_t mlen, +- const uint8_t *ctx, +- size_t ctxlen, +- const uint8_t *sk) ++static int crypto_sign_signature_ctx(uint8_t *sig, ++ size_t *siglen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *ctx, ++ size_t ctxlen, ++ const uint8_t *sk) + { + unsigned int n; + uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; +@@ -96,7 +96,7 @@ int crypto_sign_signature(uint8_t *sig, + polyvecl mat[K], s1, y, z; + polyveck t0, s2, w1, w0, h; + poly cp; +- keccak_state state; ++ shake256incctx state; + + if(ctxlen > 255) + return -1; +@@ -112,13 +112,13 @@ int crypto_sign_signature(uint8_t *sig, + /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ + mu[0] = 0; + mu[1] = ctxlen; +- shake256_init(&state); +- shake256_absorb(&state, tr, TRBYTES); +- shake256_absorb(&state, mu, 2); +- shake256_absorb(&state, ctx, ctxlen); +- shake256_absorb(&state, m, mlen); +- shake256_finalize(&state); +- shake256_squeeze(mu, CRHBYTES, &state); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, tr, TRBYTES); ++ shake256_inc_absorb(&state, mu, 2); ++ shake256_inc_absorb(&state, ctx, ctxlen); ++ shake256_inc_absorb(&state, m, mlen); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(mu, CRHBYTES, &state); + + #ifdef DILITHIUM_RANDOMIZED_SIGNING + randombytes(rnd, RNDBYTES); +@@ -150,11 +150,11 @@ rej: + polyveck_decompose(&w1, &w0, &w1); + polyveck_pack_w1(sig, &w1); + +- shake256_init(&state); +- shake256_absorb(&state, mu, CRHBYTES); +- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES); +- shake256_finalize(&state); +- shake256_squeeze(sig, CTILDEBYTES, &state); ++ shake256_inc_ctx_reset(&state); ++ shake256_inc_absorb(&state, mu, CRHBYTES); ++ shake256_inc_absorb(&state, sig, 
K*POLYW1_PACKEDBYTES); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(sig, CTILDEBYTES, &state); + poly_challenge(&cp, sig); + poly_ntt(&cp); + +@@ -187,6 +187,8 @@ rej: + if(n > OMEGA) + goto rej; + ++ shake256_inc_ctx_release(&state); ++ + /* Write signature */ + pack_sig(sig, sig, &z, &h); + *siglen = CRYPTO_BYTES; +@@ -194,7 +196,29 @@ rej: + } + + /************************************************* +-* Name: crypto_sign ++* Name: crypto_sign_signature ++* ++* Description: Computes signature. Default with empty ctx. ++* ++* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) ++* - size_t *siglen: pointer to output length of signature ++* - uint8_t *m: pointer to message to be signed ++* - size_t mlen: length of message ++* - uint8_t *sk: pointer to bit-packed secret key ++* ++* Returns 0 (success) or -1 (context string too long) ++**************************************************/ ++int crypto_sign_signature(uint8_t *sig, ++ size_t *siglen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *sk) ++{ ++ return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); ++} ++ ++/************************************************* ++* Name: crypto_sign_ctx + * + * Description: Compute signed message. 
+ * +@@ -211,26 +235,51 @@ rej: + * + * Returns 0 (success) or -1 (context string too long) + **************************************************/ +-int crypto_sign(uint8_t *sm, +- size_t *smlen, +- const uint8_t *m, +- size_t mlen, +- const uint8_t *ctx, +- size_t ctxlen, +- const uint8_t *sk) ++static int crypto_sign_ctx(uint8_t *sm, ++ size_t *smlen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *ctx, ++ size_t ctxlen, ++ const uint8_t *sk) + { + int ret; + size_t i; + + for(i = 0; i < mlen; ++i) + sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; +- ret = crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); ++ ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); + *smlen += mlen; + return ret; + } + + /************************************************* +-* Name: crypto_sign_verify ++* Name: crypto_sign ++* ++* Description: Compute signed message. Default with empty ctx. ++* ++* Arguments: - uint8_t *sm: pointer to output signed message (allocated ++* array with CRYPTO_BYTES + mlen bytes), ++* can be equal to m ++* - size_t *smlen: pointer to output length of signed ++* message ++* - const uint8_t *m: pointer to message to be signed ++* - size_t mlen: length of message ++* - const uint8_t *sk: pointer to bit-packed secret key ++* ++* Returns 0 (success) or -1 (context string too long) ++**************************************************/ ++int crypto_sign(uint8_t *sm, ++ size_t *smlen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *sk) ++{ ++ return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); ++} ++ ++/************************************************* ++* Name: crypto_sign_verify_ctx + * + * Description: Verifies signature. 
+ * +@@ -244,7 +293,7 @@ int crypto_sign(uint8_t *sm, + * + * Returns 0 if signature could be verified correctly and -1 otherwise + **************************************************/ +-int crypto_sign_verify(const uint8_t *sig, ++static int crypto_sign_verify_ctx(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, +@@ -261,7 +310,7 @@ int crypto_sign_verify(const uint8_t *sig, + poly cp; + polyvecl mat[K], z; + polyveck t1, w1, h; +- keccak_state state; ++ shake256incctx state; + + if(ctxlen > 255 || siglen != CRYPTO_BYTES) + return -1; +@@ -274,15 +323,15 @@ int crypto_sign_verify(const uint8_t *sig, + + /* Compute CRH(H(rho, t1), msg) */ + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); +- shake256_init(&state); +- shake256_absorb(&state, mu, TRBYTES); ++ shake256_inc_init(&state); ++ shake256_inc_absorb(&state, mu, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; +- shake256_absorb(&state, mu, 2); +- shake256_absorb(&state, ctx, ctxlen); +- shake256_absorb(&state, m, mlen); +- shake256_finalize(&state); +- shake256_squeeze(mu, CRHBYTES, &state); ++ shake256_inc_absorb(&state, mu, 2); ++ shake256_inc_absorb(&state, ctx, ctxlen); ++ shake256_inc_absorb(&state, m, mlen); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(mu, CRHBYTES, &state); + + /* Matrix-vector multiplication; compute Az - c2^dt1 */ + poly_challenge(&cp, c); +@@ -306,11 +355,12 @@ int crypto_sign_verify(const uint8_t *sig, + polyveck_pack_w1(buf, &w1); + + /* Call random oracle and verify challenge */ +- shake256_init(&state); +- shake256_absorb(&state, mu, CRHBYTES); +- shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES); +- shake256_finalize(&state); +- shake256_squeeze(c2, CTILDEBYTES, &state); ++ shake256_inc_ctx_reset(&state); ++ shake256_inc_absorb(&state, mu, CRHBYTES); ++ shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES); ++ shake256_inc_finalize(&state); ++ shake256_inc_squeeze(c2, CTILDEBYTES, &state); ++ shake256_inc_ctx_release(&state); + for(i = 0; i < 
CTILDEBYTES; ++i) + if(c[i] != c2[i]) + return -1; +@@ -319,7 +369,29 @@ int crypto_sign_verify(const uint8_t *sig, + } + + /************************************************* +-* Name: crypto_sign_open ++* Name: crypto_sign_verify ++* ++* Description: Verifies signature. With default context. ++* ++* Arguments: - uint8_t *m: pointer to input signature ++* - size_t siglen: length of signature ++* - const uint8_t *m: pointer to message ++* - size_t mlen: length of message ++* - const uint8_t *pk: pointer to bit-packed public key ++* ++* Returns 0 if signature could be verified correctly and -1 otherwise ++**************************************************/ ++int crypto_sign_verify(const uint8_t *sig, ++ size_t siglen, ++ const uint8_t *m, ++ size_t mlen, ++ const uint8_t *pk) ++{ ++ return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); ++} ++ ++/************************************************* ++* Name: crypto_sign_open_ctx + * + * Description: Verify signed message. + * +@@ -334,7 +406,7 @@ int crypto_sign_verify(const uint8_t *sig, + * + * Returns 0 if signed message could be verified correctly and -1 otherwise + **************************************************/ +-int crypto_sign_open(uint8_t *m, ++static int crypto_sign_open_ctx(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, +@@ -348,7 +420,7 @@ int crypto_sign_open(uint8_t *m, + goto badsig; + + *mlen = smlen - CRYPTO_BYTES; +- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) ++ if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) + goto badsig; + else { + /* All good, copy msg, return 0 */ +@@ -365,3 +437,26 @@ badsig: + + return -1; + } ++ ++/************************************************* ++* Name: crypto_sign_open ++* ++* Description: Verify signed message. Default with empty ctx. 
++* ++* Arguments: - uint8_t *m: pointer to output message (allocated ++* array with smlen bytes), can be equal to sm ++* - size_t *mlen: pointer to output length of message ++* - const uint8_t *sm: pointer to signed message ++* - size_t smlen: length of signed message ++* - const uint8_t *pk: pointer to bit-packed public key ++* ++* Returns 0 if signed message could be verified correctly and -1 otherwise ++**************************************************/ ++int crypto_sign_open(uint8_t *m, ++ size_t *mlen, ++ const uint8_t *sm, ++ size_t smlen, ++ const uint8_t *pk) ++{ ++ return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); ++} +diff --git a/ref/sign.h b/ref/sign.h +index 91d2001..7f80213 100644 +--- a/ref/sign.h ++++ b/ref/sign.h +@@ -13,25 +13,21 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); + #define crypto_sign_signature DILITHIUM_NAMESPACE(signature) + int crypto_sign_signature(uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, +- const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + + #define crypto_sign DILITHIUM_NAMESPACETOP + int crypto_sign(uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, +- const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + + #define crypto_sign_verify DILITHIUM_NAMESPACE(verify) + int crypto_sign_verify(const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, +- const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + + #define crypto_sign_open DILITHIUM_NAMESPACE(open) + int crypto_sign_open(uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, +- const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + + #endif +diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c +index 11ec09c..963f649 100644 +--- a/ref/symmetric-shake.c ++++ b/ref/symmetric-shake.c +@@ -3,26 +3,26 @@ + #include "symmetric.h" + #include "fips202.h" + +-void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) ++void 
dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) + { + uint8_t t[2]; + t[0] = nonce; + t[1] = nonce >> 8; + +- shake128_init(state); +- shake128_absorb(state, seed, SEEDBYTES); +- shake128_absorb(state, t, 2); +- shake128_finalize(state); ++ shake128_inc_init(state); ++ shake128_inc_absorb(state, seed, SEEDBYTES); ++ shake128_inc_absorb(state, t, 2); ++ shake128_inc_finalize(state); + } + +-void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce) ++void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce) + { + uint8_t t[2]; + t[0] = nonce; + t[1] = nonce >> 8; + +- shake256_init(state); +- shake256_absorb(state, seed, CRHBYTES); +- shake256_absorb(state, t, 2); +- shake256_finalize(state); ++ shake256_inc_init(state); ++ shake256_inc_absorb(state, seed, CRHBYTES); ++ shake256_inc_absorb(state, t, 2); ++ shake256_inc_finalize(state); + } +diff --git a/ref/symmetric.h b/ref/symmetric.h +index cba12d1..b6c74b7 100644 +--- a/ref/symmetric.h ++++ b/ref/symmetric.h +@@ -6,16 +6,16 @@ + + #include "fips202.h" + +-typedef keccak_state stream128_state; +-typedef keccak_state stream256_state; ++typedef shake128incctx stream128_state; ++typedef shake256incctx stream256_state; + + #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init) +-void dilithium_shake128_stream_init(keccak_state *state, ++void dilithium_shake128_stream_init(shake128incctx *state, + const uint8_t seed[SEEDBYTES], + uint16_t nonce); + + #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init) +-void dilithium_shake256_stream_init(keccak_state *state, ++void dilithium_shake256_stream_init(shake256incctx *state, + const uint8_t seed[CRHBYTES], + uint16_t nonce); + +@@ -26,9 +26,12 @@ void dilithium_shake256_stream_init(keccak_state *state, + dilithium_shake128_stream_init(STATE, SEED, NONCE) + 
#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \ + shake128_squeezeblocks(OUT, OUTBLOCKS, STATE) ++#define stream128_release(STATE) shake128_inc_ctx_release(STATE) + #define stream256_init(STATE, SEED, NONCE) \ + dilithium_shake256_stream_init(STATE, SEED, NONCE) + #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \ + shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) ++#define stream256_release(STATE) shake256_inc_ctx_release(STATE) ++ + + #endif diff --git a/src/oqsconfig.h.cmake b/src/oqsconfig.h.cmake index dae1babad0..f1990e5897 100644 --- a/src/oqsconfig.h.cmake +++ b/src/oqsconfig.h.cmake @@ -131,17 +131,11 @@ #cmakedefine OQS_ENABLE_SIG_dilithium_5_aarch64 1 #cmakedefine OQS_ENABLE_SIG_ML_DSA 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_44_ipd 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_44 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_44_avx2 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_65_ipd 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_65 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_65_avx2 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_87_ipd 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_87 1 -#cmakedefine OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 1 #cmakedefine OQS_ENABLE_SIG_ml_dsa_87_avx2 1 #cmakedefine OQS_ENABLE_SIG_FALCON 1 diff --git a/src/sig/ml_dsa/CMakeLists.txt b/src/sig/ml_dsa/CMakeLists.txt index f55d8fe486..37c1b373d7 100644 --- a/src/sig/ml_dsa/CMakeLists.txt +++ b/src/sig/ml_dsa/CMakeLists.txt 
@@ -5,58 +5,58 @@ set(_ML_DSA_OBJS "")
-if(OQS_ENABLE_SIG_ml_dsa_44_ipd OR OQS_ENABLE_SIG_ml_dsa_44)
- add_library(ml_dsa_44_ipd_ref OBJECT sig_ml_dsa_44_ipd.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric-shake.c)
- target_compile_options(ml_dsa_44_ipd_ref PUBLIC -DDILITHIUM_MODE=2)
- target_include_directories(ml_dsa_44_ipd_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref)
- target_include_directories(ml_dsa_44_ipd_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_44_ipd_ref PUBLIC -DDILITHIUM_MODE=2)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_44)
+ add_library(ml_dsa_44_ref OBJECT sig_ml_dsa_44.c pqcrystals-dilithium-standard_ml-dsa-44_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-44_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-44_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric-shake.c)
+ target_compile_options(ml_dsa_44_ref PUBLIC -DDILITHIUM_MODE=2)
+ target_include_directories(ml_dsa_44_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-44_ref)
+ target_include_directories(ml_dsa_44_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_44_ref PUBLIC -DDILITHIUM_MODE=2)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
-if(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2 OR OQS_ENABLE_SIG_ml_dsa_44_avx2)
- add_library(ml_dsa_44_ipd_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/symmetric-shake.c)
- target_include_directories(ml_dsa_44_ipd_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2)
- target_include_directories(ml_dsa_44_ipd_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_44_ipd_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(ml_dsa_44_ipd_avx2 PUBLIC -DDILITHIUM_MODE=2)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_44_avx2)
+ add_library(ml_dsa_44_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-44_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-44_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-44_avx2/symmetric-shake.c)
+ target_include_directories(ml_dsa_44_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-44_avx2)
+ target_include_directories(ml_dsa_44_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_44_avx2 PRIVATE -mavx2 -mpopcnt)
+ target_compile_options(ml_dsa_44_avx2 PUBLIC -DDILITHIUM_MODE=2)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
-if(OQS_ENABLE_SIG_ml_dsa_65_ipd OR OQS_ENABLE_SIG_ml_dsa_65)
- add_library(ml_dsa_65_ipd_ref OBJECT sig_ml_dsa_65_ipd.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric-shake.c)
- target_compile_options(ml_dsa_65_ipd_ref PUBLIC -DDILITHIUM_MODE=3)
- target_include_directories(ml_dsa_65_ipd_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref)
- target_include_directories(ml_dsa_65_ipd_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_65_ipd_ref PUBLIC -DDILITHIUM_MODE=3)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_65)
+ add_library(ml_dsa_65_ref OBJECT sig_ml_dsa_65.c pqcrystals-dilithium-standard_ml-dsa-65_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-65_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-65_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric-shake.c)
+ target_compile_options(ml_dsa_65_ref PUBLIC -DDILITHIUM_MODE=3)
+ target_include_directories(ml_dsa_65_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-65_ref)
+ target_include_directories(ml_dsa_65_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_65_ref PUBLIC -DDILITHIUM_MODE=3)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
-if(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2 OR OQS_ENABLE_SIG_ml_dsa_65_avx2)
- add_library(ml_dsa_65_ipd_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/symmetric-shake.c)
- target_include_directories(ml_dsa_65_ipd_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2)
- target_include_directories(ml_dsa_65_ipd_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_65_ipd_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(ml_dsa_65_ipd_avx2 PUBLIC -DDILITHIUM_MODE=3)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_65_avx2)
+ add_library(ml_dsa_65_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-65_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-65_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-65_avx2/symmetric-shake.c)
+ target_include_directories(ml_dsa_65_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-65_avx2)
+ target_include_directories(ml_dsa_65_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_65_avx2 PRIVATE -mavx2 -mpopcnt)
+ target_compile_options(ml_dsa_65_avx2 PUBLIC -DDILITHIUM_MODE=3)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
-if(OQS_ENABLE_SIG_ml_dsa_87_ipd OR OQS_ENABLE_SIG_ml_dsa_87)
- add_library(ml_dsa_87_ipd_ref OBJECT sig_ml_dsa_87_ipd.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric-shake.c)
- target_compile_options(ml_dsa_87_ipd_ref PUBLIC -DDILITHIUM_MODE=5)
- target_include_directories(ml_dsa_87_ipd_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref)
- target_include_directories(ml_dsa_87_ipd_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_87_ipd_ref PUBLIC -DDILITHIUM_MODE=5)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_87)
+ add_library(ml_dsa_87_ref OBJECT sig_ml_dsa_87.c pqcrystals-dilithium-standard_ml-dsa-87_ref/ntt.c pqcrystals-dilithium-standard_ml-dsa-87_ref/packing.c pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.c pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.c pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.c pqcrystals-dilithium-standard_ml-dsa-87_ref/rounding.c pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.c pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric-shake.c)
+ target_compile_options(ml_dsa_87_ref PUBLIC -DDILITHIUM_MODE=5)
+ target_include_directories(ml_dsa_87_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-87_ref)
+ target_include_directories(ml_dsa_87_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_87_ref PUBLIC -DDILITHIUM_MODE=5)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
-if(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2 OR OQS_ENABLE_SIG_ml_dsa_87_avx2)
- add_library(ml_dsa_87_ipd_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/symmetric-shake.c)
- target_include_directories(ml_dsa_87_ipd_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2)
- target_include_directories(ml_dsa_87_ipd_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(ml_dsa_87_ipd_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(ml_dsa_87_ipd_avx2 PUBLIC -DDILITHIUM_MODE=5)
- set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
+if(OQS_ENABLE_SIG_ml_dsa_87_avx2)
+ add_library(ml_dsa_87_avx2 OBJECT pqcrystals-dilithium-standard_ml-dsa-87_avx2/consts.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/invntt.S pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.S pqcrystals-dilithium-standard_ml-dsa-87_avx2/packing.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/pointwise.S pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/rejsample.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/rounding.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.S pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.c pqcrystals-dilithium-standard_ml-dsa-87_avx2/symmetric-shake.c)
+ target_include_directories(ml_dsa_87_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium-standard_ml-dsa-87_avx2)
+ target_include_directories(ml_dsa_87_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
+ target_compile_options(ml_dsa_87_avx2 PRIVATE -mavx2 -mpopcnt)
+ target_compile_options(ml_dsa_87_avx2 PUBLIC -DDILITHIUM_MODE=5)
+ set(_ML_DSA_OBJS ${_ML_DSA_OBJS} $)
 endif()
 set(ML_DSA_OBJS ${_ML_DSA_OBJS} PARENT_SCOPE)
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/api.h
deleted file mode 100644
index 55b637669d..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/api.h
+++ /dev/null
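Review bot: Each new `_ref` block still issues `target_compile_options(ml_dsa_44_ref PUBLIC -DDILITHIUM_MODE=2)` twice, once before and once after the two `target_include_directories` calls, and the 65 and 87 ref blocks repeat the pattern with `-DDILITHIUM_MODE=3` and `-DDILITHIUM_MODE=5`; the second call is redundant and should be dropped so the ref blocks read like the `_avx2` blocks, which set the mode exactly once. If this file is produced by the copy-from-upstream generator, as its shape suggests, the duplicate belongs to the template and should be fixed there rather than by hand.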
@@ -1,88 +0,0 @@
-#ifndef API_H
-#define API_H
-
-#include
-#include
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
-#define pqcrystals_dilithium3_BYTES 3309
-
-#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
-#define pqcrystals_dilithium5_BYTES 4627
-
-#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/config.h
deleted file mode 100644
index e59f81a5e8..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/config.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_avx2_##s
-#endif
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/config.h
deleted file mode 100644
index eddf13f5ea..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/config.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_ref_##s
-#endif
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/LICENSE
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/LICENSE
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/LICENSE
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/align.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/align.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/align.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/align.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/api.h
new file mode 100644
index 0000000000..36ec622e5d
--- /dev/null
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/api.h
@@ -0,0 +1,100 @@
+#ifndef API_H
+#define API_H
+
+#include
+#include
+
+#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
+#define pqcrystals_dilithium2_BYTES 2420
+
+#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
+#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
+#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
+
+int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
+
+#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
+#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
+#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
+
+int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
+
+#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
+#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
+#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
+
+int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/config.h
new file mode 100644
index 0000000000..3944cb4412
--- /dev/null
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/config.h
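Review bot: The `ctx`/`ctxlen` parameters added to every `_signature`, combined-signing, `_verify` and `_open` prototype come with no statement of their bound; FIPS 204 caps the context string at 255 bytes, so a comment on the first prototype such as `/* ctx: optional context string of at most 255 bytes (FIPS 204); longer contexts are rejected */` would tell callers what to expect. The implementation in sign.c is not part of this hunk, so confirm it actually returns an error for `ctxlen > 255` rather than silently accepting it.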
@@ -0,0 +1,27 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+//#define DILITHIUM_MODE 2
+#define DILITHIUM_RANDOMIZED_SIGNING
+//#define USE_RDPMC
+//#define DBENCH
+
+#ifndef DILITHIUM_MODE
+#define DILITHIUM_MODE 2
+#endif
+
+#if DILITHIUM_MODE == 2
+#define CRYPTO_ALGNAME "ML-DSA-44"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s
+#elif DILITHIUM_MODE == 3
+#define CRYPTO_ALGNAME "ML-DSA-65"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s
+#elif DILITHIUM_MODE == 5
+#define CRYPTO_ALGNAME "ML-DSA-87"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s
+#endif
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/consts.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/consts.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/consts.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/consts.c
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/consts.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/consts.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/consts.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/consts.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/invntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/invntt.S
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/invntt.S
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/invntt.S
index 3e9864c994..d40ca133bf 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/invntt.S
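Review bot: The `#if DILITHIUM_MODE == 2` / `#elif DILITHIUM_MODE == 3` / `#elif DILITHIUM_MODE == 5` chain in the new config.h has no `#else`, so an unsupported value (for example a typo in the `-DDILITHIUM_MODE=` compile option) leaves `CRYPTO_ALGNAME`, `DILITHIUM_NAMESPACETOP` and `DILITHIUM_NAMESPACE` undefined and only fails later with an unrelated error; add `#else` / `#error "unsupported DILITHIUM_MODE"` before the `#endif` that closes the chain. `#define DILITHIUM_RANDOMIZED_SIGNING` is set unconditionally and selects the hedged (randomized) signing variant; a one-line comment saying so, and that signing therefore depends on the RNG, would help readers who only see this header.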
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/invntt.S
@@ -236,3 +236,5 @@ levels6t7 2 levels6t7 3 ret
+
+.section .note.GNU-stack,"",@progbits
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.S
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.S
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.S
index 38415de893..026f05765e 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.S
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.S
@@ -195,3 +195,4 @@ levels2t7 3 ret
+.section .note.GNU-stack,"",@progbits
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/ntt.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/packing.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/packing.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/packing.c
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/packing.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/packing.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/packing.h
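Review bot: The `.section .note.GNU-stack,"",@progbits` line appended to invntt.S is GNU-as/ELF syntax, so if these AVX2 sources are ever assembled by a non-ELF toolchain it should be wrapped as `#if defined(__ELF__)` / `.section .note.GNU-stack,"",@progbits` / `#endif` (the `.S` files go through the C preprocessor, so this is safe); the ntt.S and pointwise.S hunks need the same treatment. The directive itself is the right mitigation: without the note GNU ld has historically assumed the object needs an executable stack and marked the whole binary's stack executable. For consistency, ntt.S adds the line directly after `ret` while invntt.S and pointwise.S leave a blank line first.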
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/params.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/params.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/params.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/pointwise.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/pointwise.S
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/pointwise.S
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/pointwise.S
index ae7ff7995c..6b687c7e1f 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/pointwise.S
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/pointwise.S
@@ -209,3 +209,5 @@ cmp $16,%eax jb _looptop2 ret
+
+.section .note.GNU-stack,"",@progbits
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.c
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.c
index 25d36828ad..0a4ecb6e1e 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.c
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.c
@@ -31,7 +31,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
 * Name: poly_reduce
 *
 * Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007]. Assumes input
+* representative in [-6283009,6283008]. Assumes input
 * coefficients to be at most 2^31 - 2^22 - 1 in absolute value.
 *
 * Arguments: - poly *a: pointer to input/output polynomial
@@ -673,16 +673,16 @@ void poly_uniform_gamma1_4x(poly *a0, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; ALIGNED_UINT8(SHAKE256_RATE) buf; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.h similarity index 98% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.h index 7bcd8e5e03..7d93088549 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/poly.h @@ -53,7 +53,7 @@ void poly_uniform_gamma1_preinit(poly *a, stream256_state *state); #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1) void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x) void poly_uniform_4x(poly *a0, 
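Review bot: The rewritten argument line in the poly_challenge header still calls the parameter `mu[]` while the signature names it `seed[CTILDEBYTES]`; suggest `* - const uint8_t seed[]: byte array containing seed of length CTILDEBYTES`. The same mismatch is in the ref poly.c hunk on L68. The function body continues outside the hunk.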
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.c index 6e2302168e..0db351496c 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.c @@ -363,7 +363,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283009,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rejsample.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rejsample.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rejsample.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rejsample.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rejsample.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rejsample.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rejsample.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rejsample.h 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.S similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.S index 133e05132b..08c757c73f 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.S @@ -50,3 +50,5 @@ call nttunpack128_avx add $256,%rdi call nttunpack128_avx ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.inc b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.inc similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/shuffle.inc rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/shuffle.inc 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.c similarity index 69% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.c index a39f8515c4..e571b058ee 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.c @@ -74,7 +74,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -143,11 +145,15 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk) +{ unsigned int i, n, pos; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime; 
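Review bot: The two new stores `seedbuf[SEEDBYTES+0] = K;` and `seedbuf[SEEDBYTES+1] = L;` in crypto_sign_keypair carry no comment, and the existing `/* Get randomness for rho, rhoprime and key */` no longer describes the whole step. Suggest extending it to `/* Get randomness for rho, rhoprime and key; K and L are appended so the seed expansion is bound to this parameter set */` (that binding is presumably the intent — confirm). The ref keypair hunk on L71 adds the same two lines and would take the same comment. Both keypair bodies continue outside their hunks.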
@@ -163,6 +169,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t } tmpv; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; @@ -171,9 +180,13 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - /* Compute CRH(tr, msg) */ + /* Compute CRH(tr, 0, ctxlen, ctx, msg) */ shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -281,6 +294,30 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t return 0; } +/************************************************* +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + + + /************************************************* * Name: crypto_sign * 
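Review bot: `mu[1] = ctxlen;` narrows a size_t to uint8_t implicitly; the `ctxlen > 255` guard in the previous hunk makes it safe, but an explicit `mu[1] = (uint8_t)ctxlen;` records that reliance and keeps -Wconversion quiet, and the same pattern is in the verify hunk on L59 and the ref sign.c hunks on L72 and L74. Separately, the new default wrappers pass `ctx = NULL` with `ctxlen = 0`, so `shake256_inc_absorb(&state, ctx, ctxlen)` receives a null pointer with zero length; whether that is safe depends on the absorb implementation (a zero-length memcpy from NULL is still undefined in C), so either guard it with `if(ctxlen) shake256_inc_absorb(&state, ctx, ctxlen);` or have the wrappers pass a valid empty buffer. The enclosing crypto_sign_signature_ctx starts and ends outside this hunk; the crypto_sign_signature wrapper is complete within it.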
@@ -293,22 +330,52 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * * Returns 0 (success) **************************************************/ -int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_ctx(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk) +{ size_t i; + int ret; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
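Review bot: In crypto_sign_ctx, `*smlen += mlen;` executes even when `crypto_sign_signature_ctx` returned -1 for an over-long context, and on that path (the early `return -1` on L57 precedes any write to `*siglen`) `*smlen` is never initialised, so the caller receives `ret == -1` together with an `*smlen` derived from stale memory. Suggest replacing the two lines after the call with `if(ret) { *smlen = 0; return ret; }` followed by `*smlen += mlen; return 0;`. The ref crypto_sign_ctx on L73 has the same problem.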
@@ -316,11 +383,14 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { unsigned int i, j, pos = 0; /* polyw1_pack writes additional 14 bytes */ ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf; @@ -332,13 +402,17 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size poly c, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); shake256_inc_absorb(&state, mu, CRHBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); 
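Review bot: After the changed `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);` the next line still absorbs `mu` with `CRHBYTES`, whereas the matching ref hunk on L74 was changed to absorb `TRBYTES`; the two agree only while TRBYTES == CRHBYTES, so change it to `shake256_inc_absorb(&state, mu, TRBYTES);` and confirm `mu` (declared outside the hunk) holds at least TRBYTES bytes. The comment `/* Compute CRH(H(rho, t1), msg) */` is also stale now that the context bytes are absorbed; suggest `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) with tr = H(rho, t1) */`, matching the wording used in the signing hunk. The crypto_sign_verify_ctx body continues outside the hunk.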
@@ -406,7 +480,29 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * 
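Review bot: The new crypto_sign_verify header lists `uint8_t *m: pointer to input signature` for the first argument, but the parameter is `const uint8_t *sig`; suggest `* Arguments: - const uint8_t *sig: pointer to input signature`. Its description `Verifies signature. With default context.` also differs in wording from the other wrappers' `Default with empty ctx.`; using one phrase across the four wrappers would read better.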
@@ -415,18 +511,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { size_t i; if(smlen < CRYPTO_BYTES) goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
@@ -437,9 +536,32 @@ int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.h similarity index 90% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.h index 295f378c00..7f802133d8 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/sign.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/sign.h @@ -7,9 +7,6 @@ #include "polyvec.h" #include "poly.h" -#define challenge DILITHIUM_NAMESPACE(challenge) -void challenge(poly *c, const uint8_t seed[SEEDBYTES]); - #define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair) int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/symmetric-shake.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/symmetric-shake.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/symmetric-shake.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/symmetric.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/symmetric.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_avx2/symmetric.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/LICENSE similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/LICENSE rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/LICENSE diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/api.h similarity index 81% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/api.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/api.h index 78caa5c728..032fa9f9bb 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/api.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/api.h 
@@ -16,21 +16,24 @@ int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium3_PUBLICKEYBYTES 1952 #define pqcrystals_dilithium3_SECRETKEYBYTES 4032 #define pqcrystals_dilithium3_BYTES 3309 @@ -43,21 +46,24 @@ int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium5_PUBLICKEYBYTES 2592 #define pqcrystals_dilithium5_SECRETKEYBYTES 4896 #define pqcrystals_dilithium5_BYTES 4627 
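Review bot: The prototypes in api.h now take `const uint8_t *ctx, size_t ctxlen`, but the ref sign.c in this same diff (L71–L74) makes the `_ctx` variants `static` and keeps the exported `crypto_sign_signature`/`crypto_sign`/`crypto_sign_verify`/`crypto_sign_open` at five arguments, so as far as this diff shows nothing with these seven-argument signatures is exported. Either export the `_ctx` functions under `DILITHIUM_NAMESPACE` or keep api.h aligned with the five-argument functions; if other code outside this diff relies on api.h, that is the place to check. The `pqcrystals_dilithium2_ref_*` names here also differ from the `pqcrystals_ml_dsa_44_ref_*` namespace set in the new config.h on L65, which appears pre-existing but deserves a one-line comment at the top of api.h. The dilithium5 block of the same change is on L65.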
@@ -70,18 +76,22 @@ int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/config.h new file mode 100644 index 0000000000..8008e11a92 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/config.h @@ -0,0 +1,27 @@ +#ifndef CONFIG_H +#define CONFIG_H + +//#define DILITHIUM_MODE 2 +#define DILITHIUM_RANDOMIZED_SIGNING +//#define USE_RDPMC +//#define DBENCH + +#ifndef DILITHIUM_MODE +#define DILITHIUM_MODE 2 +#endif + +#if DILITHIUM_MODE == 2 +#define CRYPTO_ALGNAME "ML-DSA-44" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s +#elif DILITHIUM_MODE == 3 +#define CRYPTO_ALGNAME "ML-DSA-65" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s +#elif DILITHIUM_MODE == 5 +#define CRYPTO_ALGNAME "ML-DSA-87" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s +#endif + +#endif 
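Review bot: The `#if DILITHIUM_MODE == 2` / `== 3` / `== 5` chain in the new config.h has no `#else`, so a build with any other value silently leaves `CRYPTO_ALGNAME` and `DILITHIUM_NAMESPACE` undefined and fails later with an unrelated error; add `#else` and `#error "DILITHIUM_MODE must be 2, 3 or 5"` before the inner `#endif`. The commented-out `//#define DILITHIUM_MODE 2`, `//#define USE_RDPMC` and `//#define DBENCH` lines are dead configuration; a one-line comment stating they are upstream knobs unused by this build would save a reader from wondering whether they should be enabled.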
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/ntt.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/ntt.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/ntt.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/ntt.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/ntt.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/ntt.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/ntt.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/packing.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/packing.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/packing.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/packing.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/packing.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/packing.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/params.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/params.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/params.h 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.c index 7983aacdd1..691b5e8909 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.c @@ -21,7 +21,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack; * Name: poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. +* representative in [-6283008,6283008]. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ @@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a, * * Description: Sample polynomial with uniformly random coefficients * in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) +* output stream of SHAKE128(seed|nonce) * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length SEEDBYTES 
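Review bot: The poly_reduce range in the ref poly.c header was changed to `[-6283008,6283008]`, while the avx2 poly.c and polyvec.c hunks on L52 and L54 were changed to `[-6283009,6283008]` for the same operation. If the two implementations genuinely reduce to different ranges, that deserves one sentence in each header; otherwise the two should be made identical. The ref polyvec.c (L69) and reduce.c (L70) hunks use the ref value, so the avx2 side is the odd one out.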
@@ -487,16 +487,16 @@ void poly_uniform_gamma1(poly *a, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_squeezeblocks(buf, 1, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.h similarity index 97% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.h index d2fd989b6a..904baa1ca4 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/poly.h @@ -51,7 +51,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack) void polyeta_pack(uint8_t *r, const poly *a); 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.c index 40032b656b..241f618187 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.c @@ -161,7 +161,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283008,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.c similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.c index 75feff8bc5..8479a222cd 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.c 
@@ -24,7 +24,7 @@ int32_t montgomery_reduce(int64_t a) { * Name: reduce32 * * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, -* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007. +* compute r \equiv a (mod Q) such that -6283008 <= r <= 6283008. * * Arguments: - int32_t: finite field element a * diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/reduce.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.c similarity index 60% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.c index 9298ad2177..cb3d6f3de9 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.c 
@@ -30,7 +30,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -65,7 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { } /************************************************* -* Name: crypto_sign_signature +* Name: crypto_sign_signatur_ctx * * Description: Computes signature. * @@ -73,15 +75,19 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_signature_ctx(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; @@ -92,6 +98,9 @@ int crypto_sign_signature(uint8_t *sig, poly cp; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; 
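Review bot: The renamed header reads `* Name: crypto_sign_signatur_ctx`, missing the `e`; it should be `* Name: crypto_sign_signature_ctx`. The function body continues outside the hunk.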
@@ -100,10 +109,13 @@ int crypto_sign_signature(uint8_t *sig, rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute mu = CRH(tr, msg) */ + /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ + mu[0] = 0; + mu[1] = ctxlen; shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -143,7 +155,7 @@ int crypto_sign_signature(uint8_t *sig, shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, CTILDEBYTES, &state); - poly_challenge(&cp, sig); /* uses only the first SEEDBYTES bytes of sig */ + poly_challenge(&cp, sig); poly_ntt(&cp); /* Compute z, reject if it reveals secret */ @@ -184,7 +196,29 @@ int crypto_sign_signature(uint8_t *sig, } /************************************************* -* Name: crypto_sign +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_ctx * * Description: Compute signed message. * 
@@ -195,27 +229,57 @@ int crypto_sign_signature(uint8_t *sig, * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_ctx(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { + int ret; size_t i; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
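Review bot: In crypto_sign_ctx, `*smlen += mlen;` executes even when `ret` is -1, and as far as the hunks show crypto_sign_signature_ctx returns on the `ctxlen > 255` path before anything writes `*siglen`, so the caller's `*smlen` becomes whatever it held before plus mlen. Returning early with `if(ret) return ret;` before the addition, or setting `*smlen = 0` on failure, keeps the output length defined; the avx2 sign.c hunk `@@ -293,22 +330,52 @@` has the same shape. The wrapper crypto_sign always passes `NULL, 0`, so the `-1 (context string too long)` clause in its header cannot occur through that entry point; saying so, or dropping the clause there, would be more accurate.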
@@ -223,14 +287,18 @@ int crypto_sign(uint8_t *sm, * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { unsigned int i; @@ -244,7 +312,7 @@ int crypto_sign_verify(const uint8_t *sig, polyveck t1, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; unpack_pk(rho, &t1, pk); @@ -254,15 +322,19 @@ int crypto_sign_verify(const uint8_t *sig, return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); /* Matrix-vector multiplication; compute Az - c2^dt1 */ - poly_challenge(&cp, c); /* uses only the first SEEDBYTES bytes of c */ + poly_challenge(&cp, c); polyvec_matrix_expand(mat, rho); polyvecl_ntt(&z); 
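Review bot: The comment `/* Compute CRH(H(rho, t1), msg) */` above the changed lines in crypto_sign_verify_ctx no longer says what is hashed now that the context prefix is absorbed; `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) with tr = H(pk) */` would mirror the signer's comment. `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES);` now writes TRBYTES bytes into `mu`, whose declaration is outside the hunk, so its capacity should be confirmed to be at least the larger of TRBYTES and CRHBYTES. The function body continues beyond the hunk.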
@@ -297,7 +369,29 @@ int crypto_sign_verify(const uint8_t *sig, } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * @@ -306,14 +400,18 @@ int crypto_sign_verify(const uint8_t *sig, * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context tring +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { size_t i; @@ -322,7 +420,7 @@ int crypto_sign_open(uint8_t *m, goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
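Review bot: The new crypto_sign_verify header lists its first argument as `- uint8_t *m: pointer to input signature`, but the parameter is `const uint8_t *sig`; the line should read `- const uint8_t *sig: pointer to input signature`. In the crypto_sign_open_ctx header in the next hunk, `pointer to context tring` should be `pointer to context string`.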
@@ -333,9 +431,32 @@ int crypto_sign_open(uint8_t *m, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.h similarity index 90% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.h index 295f378c00..7f802133d8 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/sign.h @@ -7,9 +7,6 @@ #include "polyvec.h" #include "poly.h" -#define challenge DILITHIUM_NAMESPACE(challenge) -void challenge(poly *c, const uint8_t seed[SEEDBYTES]); - #define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair) int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric-shake.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric-shake.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric-shake.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric.h similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric.h index 211de3b860..b6c74b7702 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44_ref/symmetric.h @@ -33,4 +33,5 @@ void dilithium_shake256_stream_init(shake256incctx *state, shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) + #endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/api.h deleted file mode 100644 index 55b637669d..0000000000 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/api.h +++ /dev/null 
@@ -1,88 +0,0 @@ -#ifndef API_H -#define API_H - -#include -#include - -#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312 -#define pqcrystals_dilithium2_SECRETKEYBYTES 2560 -#define pqcrystals_dilithium2_BYTES 2420 - -#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES -#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES -#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES - -int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk); - -int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - - -#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952 -#define pqcrystals_dilithium3_SECRETKEYBYTES 4032 -#define pqcrystals_dilithium3_BYTES 3309 - -#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES -#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES -#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES - -int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk); - -int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - - 
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592 -#define pqcrystals_dilithium5_SECRETKEYBYTES 4896 -#define pqcrystals_dilithium5_BYTES 4627 - -#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES -#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES -#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES - -int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk); - -int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen, - const uint8_t *m, size_t mlen, - const uint8_t *sk); - -int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen, - const uint8_t *m, size_t mlen, - const uint8_t *pk); - -int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen, - const uint8_t *sm, size_t smlen, - const uint8_t *pk); - - -#endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/config.h deleted file mode 100644 index e59f81a5e8..0000000000 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/config.h +++ /dev/null 
@@ -1,27 +0,0 @@ -#ifndef CONFIG_H -#define CONFIG_H - -//#define DILITHIUM_MODE 2 -#define DILITHIUM_RANDOMIZED_SIGNING -//#define USE_RDPMC -//#define DBENCH - -#ifndef DILITHIUM_MODE -#define DILITHIUM_MODE 2 -#endif - -#if DILITHIUM_MODE == 2 -#define CRYPTO_ALGNAME "ML-DSA-44-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_avx2_##s -#elif DILITHIUM_MODE == 3 -#define CRYPTO_ALGNAME "ML-DSA-65-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_avx2_##s -#elif DILITHIUM_MODE == 5 -#define CRYPTO_ALGNAME "ML-DSA-87-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_avx2 -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_avx2_##s -#endif - -#endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/config.h deleted file mode 100644 index eddf13f5ea..0000000000 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/config.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef CONFIG_H -#define CONFIG_H - -//#define DILITHIUM_MODE 2 -#define DILITHIUM_RANDOMIZED_SIGNING -//#define USE_RDPMC -//#define DBENCH - -#ifndef DILITHIUM_MODE -#define DILITHIUM_MODE 2 -#endif - -#if DILITHIUM_MODE == 2 -#define CRYPTO_ALGNAME "ML-DSA-44-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_ref_##s -#elif DILITHIUM_MODE == 3 -#define CRYPTO_ALGNAME "ML-DSA-65-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_ref_##s -#elif DILITHIUM_MODE == 5 -#define CRYPTO_ALGNAME "ML-DSA-87-ipd" -#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_ref -#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_ref_##s -#endif - -#endif 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/LICENSE similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/LICENSE rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/LICENSE diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/align.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/align.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/align.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/align.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/api.h new file mode 100644 index 0000000000..36ec622e5d --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/api.h 
@@ -0,0 +1,100 @@ +#ifndef API_H +#define API_H + +#include +#include + +#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312 +#define pqcrystals_dilithium2_SECRETKEYBYTES 2560 +#define pqcrystals_dilithium2_BYTES 2420 + +#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES +#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES +#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES + +int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk); + +int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + +int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + + +#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952 +#define pqcrystals_dilithium3_SECRETKEYBYTES 4032 +#define pqcrystals_dilithium3_BYTES 3309 + +#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES +#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES +#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES + +int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk); + +int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int 
pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + +int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + + +#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592 +#define pqcrystals_dilithium5_SECRETKEYBYTES 4896 +#define pqcrystals_dilithium5_BYTES 4627 + +#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES +#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES +#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES + +int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk); + +int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk); + +int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + +int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, + const uint8_t *pk); + + +#endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/config.h new file mode 100644 index 0000000000..3944cb4412 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/config.h 
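Review bot: The prototypes in this new api.h declare `pqcrystals_dilithium*_avx2_signature`, `_verify` and `_open` with `ctx`/`ctxlen` parameters, while the sign.c hunks in this diff keep the public `crypto_sign_signature`, `crypto_sign_verify` and `crypto_sign_open` at their old five-parameter shape and make the `_ctx` variants `static`. If any translation unit includes this header against those definitions the declarations will not match; if it is only carried along from upstream and never included, a comment saying so, or dropping the extra parameters, would stop the header from documenting an interface that is not exported here.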
@@ -0,0 +1,27 @@ +#ifndef CONFIG_H +#define CONFIG_H + +//#define DILITHIUM_MODE 2 +#define DILITHIUM_RANDOMIZED_SIGNING +//#define USE_RDPMC +//#define DBENCH + +#ifndef DILITHIUM_MODE +#define DILITHIUM_MODE 2 +#endif + +#if DILITHIUM_MODE == 2 +#define CRYPTO_ALGNAME "ML-DSA-44" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s +#elif DILITHIUM_MODE == 3 +#define CRYPTO_ALGNAME "ML-DSA-65" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s +#elif DILITHIUM_MODE == 5 +#define CRYPTO_ALGNAME "ML-DSA-87" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2 +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s +#endif + +#endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/consts.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/consts.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/consts.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/consts.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/consts.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/consts.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/consts.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/consts.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/invntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/invntt.S similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/invntt.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/invntt.S index 3e9864c994..d40ca133bf 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/invntt.S 
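Review bot: This config.h defaults `DILITHIUM_MODE` to 2 inside the ml-dsa-65_avx2 directory, so a build that omits the mode definition silently produces ML-DSA-44 code under the 44 namespace from the 65 tree. Replacing the default with `#ifndef DILITHIUM_MODE` / `#error "DILITHIUM_MODE must be defined by the build"` / `#endif` turns that into a build failure; this assumes the mode is always supplied by the build system, which is not visible in this diff.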
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/invntt.S @@ -236,3 +236,5 @@ levels6t7 2 levels6t7 3 ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.S similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.S index 38415de893..026f05765e 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.S @@ -195,3 +195,4 @@ levels2t7 3 ret +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/ntt.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/ntt.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/packing.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/packing.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/packing.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/packing.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/packing.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/packing.h 
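Review bot: `.section .note.GNU-stack,"",@progbits` is an ELF/GNU-as directive, and the CMake changes in this diff enable the avx2 variants on Darwin as well as Linux, whose Mach-O assembler does not accept that section syntax. Since these are `.S` files and pass through the C preprocessor, wrapping the line in `#if defined(__ELF__)` … `#endif` keeps the non-executable-stack marker on ELF targets without breaking other assemblers; the same addition appears in the ntt.S hunk here and in the pointwise.S and shuffle.S hunks below. Whether these files are actually assembled on Darwin depends on build logic outside this diff.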
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/params.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/params.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/params.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/pointwise.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/pointwise.S similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/pointwise.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/pointwise.S index ae7ff7995c..6b687c7e1f 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/pointwise.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/pointwise.S @@ -209,3 +209,5 @@ cmp $16,%eax jb _looptop2 ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.c index 25d36828ad..0a4ecb6e1e 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.c @@ -31,7 +31,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack; * Name: poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. Assumes input +* representative in [-6283009,6283008]. Assumes input * coefficients to be at most 2^31 - 2^22 - 1 in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial 
@@ -673,16 +673,16 @@ void poly_uniform_gamma1_4x(poly *a0, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; ALIGNED_UINT8(SHAKE256_RATE) buf; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.h similarity index 98% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.h index 7bcd8e5e03..7d93088549 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/poly.h @@ -53,7 +53,7 @@ void poly_uniform_gamma1_preinit(poly *a, stream256_state *state); #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1) void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x) void poly_uniform_4x(poly *a0, 
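Review bot: The updated argument line in the poly_challenge header, `- const uint8_t mu[]: byte array containing seed of length CTILDEBYTES`, names the parameter `mu` while the signature calls it `seed`; `- const uint8_t seed[]: byte array containing seed of length CTILDEBYTES` would match. The widened absorb is consistent with the poly.h prototype change in the next hunk. The function body continues beyond the hunk.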
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.c index 6e2302168e..0db351496c 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.c @@ -363,7 +363,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283009,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rejsample.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rejsample.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rejsample.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rejsample.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rejsample.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rejsample.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rejsample.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rejsample.h 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.S similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.S index 133e05132b..08c757c73f 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.S @@ -50,3 +50,5 @@ call nttunpack128_avx add $256,%rdi call nttunpack128_avx ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.inc b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.inc similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.inc rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/shuffle.inc 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.c similarity index 69% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.c index a39f8515c4..e571b058ee 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.c @@ -74,7 +74,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -143,11 +145,15 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk) +{ unsigned int i, n, pos; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime; 
@@ -163,6 +169,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t } tmpv; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; @@ -171,9 +180,13 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - /* Compute CRH(tr, msg) */ + /* Compute CRH(tr, 0, ctxlen, ctx, msg) */ shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -281,6 +294,30 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t return 0; } +/************************************************* +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + + + /************************************************* * Name: crypto_sign * 
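Review bot: The `@@ -281,6 +294,30 @@` hunk inserts three consecutive blank lines between the new crypto_sign_signature wrapper and the crypto_sign header comment, where the surrounding code, as far as the hunks show, separates definitions with a single blank line; collapsing them to one keeps the file uniform. The wrapper itself and its header match the ref version.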
@@ -293,22 +330,52 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * * Returns 0 (success) **************************************************/ -int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_ctx(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk) +{ size_t i; + int ret; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
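Review bot: In crypto_sign_ctx the new `ret` is propagated, but `*smlen += mlen;` still executes when crypto_sign_signature_ctx failed, and on the ctxlen > 255 path that function returns before writing *siglen, so the caller receives an uninitialized *smlen plus mlen. Insert `if(ret) { *smlen = 0; return ret; }` before the addition. The failure is unreachable through the exported crypto_sign wrapper, which always passes ctxlen 0, but the static variant should be correct on its own.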
@@ -316,11 +383,14 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { unsigned int i, j, pos = 0; /* polyw1_pack writes additional 14 bytes */ ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf; @@ -332,13 +402,17 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size poly c, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); shake256_inc_absorb(&state, mu, CRHBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); 
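Review bot: The hash of pk now squeezes TRBYTES into mu, but the unchanged next line still absorbs `mu, CRHBYTES`, whereas the ref sign.c in this same commit absorbs TRBYTES; the two agree only if TRBYTES == CRHBYTES (params.h is not shown here), and would read past a CRHBYTES-sized mu otherwise. Change it to `shake256_inc_absorb(&state, mu, TRBYTES);` so the AVX2 and ref code compute tr the same way. The comment `/* Compute CRH(H(rho, t1), msg) */` should also become `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) with tr = H(pk) */`. crypto_sign_verify_ctx continues past the hunk.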
@@ -406,7 +480,29 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * 
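Review bot: The new crypto_sign_verify wrapper documents its first argument as `uint8_t *m: pointer to input signature`, which names the wrong parameter and drops the const; it should read `- const uint8_t *sig: pointer to input signature`. The same header comment appears in the ref sign.c wrapper in this commit, so fix both copies.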
@@ -415,18 +511,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { size_t i; if(smlen < CRYPTO_BYTES) goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
@@ -437,9 +536,32 @@ int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.h similarity index 90% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.h index 295f378c00..7f802133d8 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/sign.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/sign.h @@ -7,9 +7,6 @@ #include "polyvec.h" #include "poly.h" -#define challenge DILITHIUM_NAMESPACE(challenge) -void challenge(poly *c, const uint8_t seed[SEEDBYTES]); - #define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair) int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); 
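Review bot: Every ctx-taking function in this file is `static` and every exported entry point passes `NULL, 0`, so the FIPS 204 context string cannot be supplied through this file's public API; whether liboqs intends to expose it later is not visible here. Either declare the _ctx variants in sign.h, or say so in the wrapper comments, e.g. `/* Default with empty ctx; the context string is not reachable through this API */`, so callers do not assume context binding. Changing `*mlen = -1` to `*mlen = 0` on badsig is the right fix for a size_t output.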
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/symmetric-shake.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/symmetric-shake.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/symmetric-shake.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/symmetric.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/symmetric.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_avx2/symmetric.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/LICENSE similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/LICENSE rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/LICENSE diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/api.h similarity index 81% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/api.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/api.h index 78caa5c728..032fa9f9bb 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/api.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/api.h 
@@ -16,21 +16,24 @@ int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium3_PUBLICKEYBYTES 1952 #define pqcrystals_dilithium3_SECRETKEYBYTES 4032 #define pqcrystals_dilithium3_BYTES 3309 @@ -43,21 +46,24 @@ int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium5_PUBLICKEYBYTES 2592 #define pqcrystals_dilithium5_SECRETKEYBYTES 4896 #define pqcrystals_dilithium5_BYTES 4627 
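Review bot: The updated prototypes declare `pqcrystals_dilithium{2,3}_ref_signature/verify/open` with `ctx, ctxlen` parameters, but the sign.c in this commit exports only the no-ctx `crypto_sign_*` functions under the `pqcrystals_ml_dsa_*_ref_` namespace from config.h and keeps the `_ctx` variants static. As far as this diff shows, no definition matches these declarations, so a caller including api.h would reference a missing symbol or, were the namespaces aligned, a prototype that mismatches the definition. Either drop the ctx parameters to match what sign.c exports, or rename the declarations to the ml_dsa namespace and export matching definitions.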
@@ -70,18 +76,22 @@ int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/config.h new file mode 100644 index 0000000000..8008e11a92 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/config.h @@ -0,0 +1,27 @@ +#ifndef CONFIG_H +#define CONFIG_H + +//#define DILITHIUM_MODE 2 +#define DILITHIUM_RANDOMIZED_SIGNING +//#define USE_RDPMC +//#define DBENCH + +#ifndef DILITHIUM_MODE +#define DILITHIUM_MODE 2 +#endif + +#if DILITHIUM_MODE == 2 +#define CRYPTO_ALGNAME "ML-DSA-44" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s +#elif DILITHIUM_MODE == 3 +#define CRYPTO_ALGNAME "ML-DSA-65" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s +#elif DILITHIUM_MODE == 5 +#define CRYPTO_ALGNAME "ML-DSA-87" +#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref +#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s +#endif + +#endif 
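Review bot: config.h in the ml-dsa-65 directory defaults `DILITHIUM_MODE` to 2, so if the build ever fails to pass -DDILITHIUM_MODE=3 (presumably done in CMake, not visible here) this directory silently compiles ML-DSA-44 under the ML-DSA-65 name with no error. Replace the fallback with `#ifndef DILITHIUM_MODE` / `#error "DILITHIUM_MODE must be set by the build"` / `#endif`, and add an `#else` / `#error "unknown DILITHIUM_MODE"` branch after the `== 5` case. The commented-out `//#define DILITHIUM_MODE 2` line should be removed as well.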
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/ntt.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/ntt.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/ntt.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/ntt.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/ntt.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/ntt.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/ntt.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/packing.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/packing.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/packing.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/packing.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/packing.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/packing.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/params.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/params.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/params.h 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.c index 7983aacdd1..691b5e8909 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.c @@ -21,7 +21,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack; * Name: poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. +* representative in [-6283008,6283008]. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ @@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a, * * Description: Sample polynomial with uniformly random coefficients * in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) +* output stream of SHAKE128(seed|nonce) * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length SEEDBYTES 
@@ -487,16 +487,16 @@ void poly_uniform_gamma1(poly *a, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_squeezeblocks(buf, 1, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.h similarity index 97% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.h index d2fd989b6a..904baa1ca4 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/poly.h @@ -51,7 +51,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack) void polyeta_pack(uint8_t *r, const poly *a); 
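Review bot: The poly_challenge argument comment calls the parameter `mu[]` while the signature names it `seed[]`, and the value absorbed here is the c-tilde taken from the signature, not mu; since the line is being edited anyway, make it `* - const uint8_t seed[]: challenge seed (c~) of length CTILDEBYTES`. The `mu[]` naming predates this hunk.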
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.c index 40032b656b..241f618187 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.c @@ -161,7 +161,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283008,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.c similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.c index 75feff8bc5..8479a222cd 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.c 
@@ -24,7 +24,7 @@ int32_t montgomery_reduce(int64_t a) { * Name: reduce32 * * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, -* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007. +* compute r \equiv a (mod Q) such that -6283008 <= r <= 6283008. * * Arguments: - int32_t: finite field element a * diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/reduce.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/reduce.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.c similarity index 60% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.c index 9298ad2177..cb3d6f3de9 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.c 
@@ -30,7 +30,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -65,7 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { } /************************************************* -* Name: crypto_sign_signature +* Name: crypto_sign_signatur_ctx * * Description: Computes signature. * @@ -73,15 +75,19 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_signature_ctx(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; @@ -92,6 +98,9 @@ int crypto_sign_signature(uint8_t *sig, poly cp; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; 
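Review bot: The renamed header comment reads `* Name: crypto_sign_signatur_ctx`, missing the `e`; it should be `* Name: crypto_sign_signature_ctx`. The keypair hunk in this file would also benefit from a line explaining the two new bytes, e.g. `/* Domain-separate the seed with (K, L) per FIPS 204 before expanding it */`, since the existing comment still says only "Get randomness".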
@@ -100,10 +109,13 @@ int crypto_sign_signature(uint8_t *sig, rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute mu = CRH(tr, msg) */ + /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ + mu[0] = 0; + mu[1] = ctxlen; shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -143,7 +155,7 @@ int crypto_sign_signature(uint8_t *sig, shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, CTILDEBYTES, &state); - poly_challenge(&cp, sig); /* uses only the first SEEDBYTES bytes of sig */ + poly_challenge(&cp, sig); poly_ntt(&cp); /* Compute z, reject if it reveals secret */ @@ -184,7 +196,29 @@ int crypto_sign_signature(uint8_t *sig, } /************************************************* -* Name: crypto_sign +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_ctx * * Description: Compute signed message. * 
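Review bot: As in the AVX2 sign.c, `shake256_inc_absorb(&state, ctx, ctxlen);` is called with `NULL, 0` from the new crypto_sign_signature wrapper, which is only safe if the absorb routine accepts a null pointer at length zero (its implementation is not visible here). Guard it with `if(ctxlen) shake256_inc_absorb(&state, ctx, ctxlen);`. The `mu[1] = ctxlen;` narrowing relies on the ctxlen > 255 check in the earlier hunk; a `(uint8_t)ctxlen` cast documents that intent. crypto_sign_signature_ctx begins before and ends after this hunk.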
@@ -195,27 +229,57 @@ int crypto_sign_signature(uint8_t *sig, * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_ctx(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { + int ret; size_t i; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
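Review bot: crypto_sign_ctx adds `*smlen += mlen;` even when `ret` is non-zero, and crypto_sign_signature_ctx returns -1 before writing *siglen on the ctxlen > 255 path, so the failure leaves *smlen as an uninitialized value plus mlen. Add `if(ret) { *smlen = 0; return ret; }` ahead of the addition. Through the exported crypto_sign wrapper the failure cannot occur since it passes ctxlen 0, but the static function should not depend on that.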
@@ -223,14 +287,18 @@ int crypto_sign(uint8_t *sm, * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { unsigned int i; @@ -244,7 +312,7 @@ int crypto_sign_verify(const uint8_t *sig, polyveck t1, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; unpack_pk(rho, &t1, pk); @@ -254,15 +322,19 @@ int crypto_sign_verify(const uint8_t *sig, return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); /* Matrix-vector multiplication; compute Az - c2^dt1 */ - poly_challenge(&cp, c); /* uses only the first SEEDBYTES bytes of c */ + poly_challenge(&cp, c); polyvec_matrix_expand(mat, rho); polyvecl_ntt(&z); 
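Review bot: The comment `/* Compute CRH(H(rho, t1), msg) */` no longer describes the computation, which now absorbs the 0/ctxlen prefix and ctx; make it `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg), tr = H(pk, TRBYTES) */`. The squeeze into `mu` now writes TRBYTES where it wrote CRHBYTES; mu's declaration is outside the hunk, so confirm it has at least TRBYTES of room (fine if the two constants are equal, as they are in FIPS 204). crypto_sign_verify_ctx starts before and ends after these hunks.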
@@ -297,7 +369,29 @@ int crypto_sign_verify(const uint8_t *sig, } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * @@ -306,14 +400,18 @@ int crypto_sign_verify(const uint8_t *sig, * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context tring +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { size_t i; @@ -322,7 +420,7 @@ int crypto_sign_open(uint8_t *m, goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
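Review bot: The crypto_sign_verify wrapper documents its first argument as `uint8_t *m: pointer to input signature` (wrong name, missing const), and the crypto_sign_open_ctx header says `pointer to context tring`; use `- const uint8_t *sig: pointer to input signature` and `pointer to context string`. The first of these is duplicated in the AVX2 sign.c wrapper, so fix that copy too.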
@@ -333,9 +431,32 @@ int crypto_sign_open(uint8_t *m, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.h similarity index 90% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.h index 295f378c00..7f802133d8 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/sign.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/sign.h @@ -7,9 +7,6 @@ #include "polyvec.h" #include "poly.h" -#define challenge DILITHIUM_NAMESPACE(challenge) -void challenge(poly *c, const uint8_t seed[SEEDBYTES]); - #define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair) int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric-shake.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/symmetric-shake.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric-shake.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric.h similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric.h index 211de3b860..b6c74b7702 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/symmetric.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65_ref/symmetric.h @@ -33,4 +33,5 @@ void dilithium_shake256_stream_init(shake256incctx *state, shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) + #endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/api.h deleted file mode 100644 index 55b637669d..0000000000 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/api.h +++ /dev/null 
@@ -1,88 +0,0 @@
-#ifndef API_H
-#define API_H
-
-#include
-#include
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
-#define pqcrystals_dilithium3_BYTES 3309
-
-#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
-#define pqcrystals_dilithium5_BYTES 4627
-
-#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/config.h
deleted file mode 100644
index e59f81a5e8..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/config.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_avx2_##s
-#endif
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.h
deleted file mode 100644
index 295f378c00..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef SIGN_H
-#define SIGN_H
-
-#include
-#include
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/config.h
deleted file mode 100644
index eddf13f5ea..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/config.h
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "ML-DSA-44-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ipd_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "ML-DSA-65-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ipd_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "ML-DSA-87-ipd"
-#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ipd_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ipd_ref_##s
-#endif
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.h
deleted file mode 100644
index 295f378c00..0000000000
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/sign.h
+++ /dev/null
@@ -1,36 +0,0 @@
-#ifndef SIGN_H
-#define SIGN_H
-
-#include
-#include
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/LICENSE
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/LICENSE
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/LICENSE
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/align.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/align.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/align.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/align.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/api.h
new file mode 100644
index 0000000000..36ec622e5d
--- /dev/null
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/api.h
@@ -0,0 +1,100 @@
+#ifndef API_H
+#define API_H
+
+#include
+#include
+
+#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
+#define pqcrystals_dilithium2_SECRETKEYBYTES 2560
+#define pqcrystals_dilithium2_BYTES 2420
+
+#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
+#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
+#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
+
+int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
+#define pqcrystals_dilithium3_SECRETKEYBYTES 4032
+#define pqcrystals_dilithium3_BYTES 3309
+
+#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
+#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
+#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
+
+int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
+#define pqcrystals_dilithium5_SECRETKEYBYTES 4896
+#define pqcrystals_dilithium5_BYTES 4627
+
+#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
+#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
+#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
+
+int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *sk);
+
+int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *ctx, size_t ctxlen,
+ const uint8_t *pk);
+
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/config.h
new file mode 100644
index 0000000000..3944cb4412
--- /dev/null
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/config.h
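Review bot: The prototypes in this new api.h do not correspond to anything this directory builds: they use `pqcrystals_dilithium{2,3,5}_avx2_*` names and take `ctx`/`ctxlen`, whereas config.h in the same commit maps `DILITHIUM_NAMESPACE` to `pqcrystals_ml_dsa_87_avx2_*`, sign.h exports only five-argument entry points, and the ctx-taking functions in sign.c are `static`. A consumer that includes api.h therefore gets declarations for symbols that either do not exist or, if a same-named symbol is ever linked in, carry a different parameter list. Either drop api.h from the import or regenerate it with the `pqcrystals_ml_dsa_87_avx2` names and the prototypes sign.h actually provides. The `#include` targets on lines 4–5 appear empty in this rendering; presumably a display artifact, but worth confirming they survived the import.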
@@ -0,0 +1,27 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+//#define DILITHIUM_MODE 2
+#define DILITHIUM_RANDOMIZED_SIGNING
+//#define USE_RDPMC
+//#define DBENCH
+
+#ifndef DILITHIUM_MODE
+#define DILITHIUM_MODE 2
+#endif
+
+#if DILITHIUM_MODE == 2
+#define CRYPTO_ALGNAME "ML-DSA-44"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_avx2_##s
+#elif DILITHIUM_MODE == 3
+#define CRYPTO_ALGNAME "ML-DSA-65"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_avx2_##s
+#elif DILITHIUM_MODE == 5
+#define CRYPTO_ALGNAME "ML-DSA-87"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_avx2
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_avx2_##s
+#endif
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/consts.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/consts.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/consts.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/consts.c
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/consts.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/consts.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/consts.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/consts.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/invntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/invntt.S
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/invntt.S
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/invntt.S
index 3e9864c994..d40ca133bf 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/invntt.S
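Review bot: The `#if DILITHIUM_MODE == 2 / 3 / 5` chain has no `#else`, so a build that passes any other mode leaves `CRYPTO_ALGNAME`, `DILITHIUM_NAMESPACETOP` and `DILITHIUM_NAMESPACE` undefined and fails later with unrelated errors in every file that uses them. Close the chain with `#else` / `#error "unsupported DILITHIUM_MODE"` so the misconfiguration is reported where it originates. Note also that when `DILITHIUM_MODE` is not set at all the file silently defaults to 2, i.e. an ML-DSA-44 build living in the `ml-dsa-87_avx2` directory; the build system presumably always passes `-DDILITHIUM_MODE=5`, but a directory-specific default (or an `#error` on the unset case) would make that explicit. The three commented-out `//#define` lines are dead configuration carried over from upstream and could be dropped.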
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/invntt.S @@ -236,3 +236,5 @@ levels6t7 2 levels6t7 3 ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.S similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.S index 38415de893..026f05765e 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/ntt.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.S @@ -195,3 +195,4 @@ levels2t7 3 ret +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/ntt.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/ntt.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/packing.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/packing.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/packing.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/packing.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/packing.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/packing.h 
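Review bot: The added `.section .note.GNU-stack,"",@progbits` is ELF-specific syntax, while the CMake changes at the top of this diff enable the avx2 variants on Darwin as well as Linux; a Mach-O assembler is likely to reject the directive. If macOS builds are expected to assemble these files, guard the line as `#if defined(__ELF__)` / `.section .note.GNU-stack,"",@progbits` / `#endif` (the `.S` suffix means the files already pass through the C preprocessor). The same applies to the ntt.S hunk on this line and to the pointwise.S and shuffle.S hunks further down. ntt.S also omits the blank line before the directive that the other three files add; one form for all four would be tidier.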
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/params.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/params.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/params.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/pointwise.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/pointwise.S similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/pointwise.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/pointwise.S index ae7ff7995c..6b687c7e1f 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/pointwise.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/pointwise.S @@ -209,3 +209,5 @@ cmp $16,%eax jb _looptop2 ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.c index 25d36828ad..0a4ecb6e1e 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/poly.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.c @@ -31,7 +31,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack; * Name: poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. Assumes input +* representative in [-6283009,6283008]. Assumes input * coefficients to be at most 2^31 - 2^22 - 1 in absolute value. * * Arguments: - poly *a: pointer to input/output polynomial 
@@ -673,16 +673,16 @@ void poly_uniform_gamma1_4x(poly *a0, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly * restrict c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; ALIGNED_UINT8(SHAKE256_RATE) buf; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.h similarity index 98% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.h index 7bcd8e5e03..7d93088549 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_avx2/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/poly.h @@ -53,7 +53,7 @@ void poly_uniform_gamma1_preinit(poly *a, stream256_state *state); #define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1) void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x) void poly_uniform_4x(poly *a0, 
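Review bot: The Arguments entry still documents the seed parameter as `const uint8_t mu[]`, but the signature names it `seed[CTILDEBYTES]`, so the comment refers to a parameter that does not exist; change it to `- const uint8_t seed[]: byte array containing seed of length CTILDEBYTES`. The Description line above (`SHAKE256(seed)`) already uses the real name. The body of `poly_challenge` continues past the hunk; the matching prototype change in poly.h on this line is consistent with the definition.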
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.c index 6e2302168e..0db351496c 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.c @@ -363,7 +363,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283009,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rejsample.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rejsample.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rejsample.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rejsample.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rejsample.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rejsample.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rejsample.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rejsample.h 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.S b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.S similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.S rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.S index 133e05132b..08c757c73f 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_avx2/shuffle.S +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.S @@ -50,3 +50,5 @@ call nttunpack128_avx add $256,%rdi call nttunpack128_avx ret + +.section .note.GNU-stack,"",@progbits diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.inc b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.inc similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/shuffle.inc rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/shuffle.inc 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.c similarity index 69% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.c index a39f8515c4..e571b058ee 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.c @@ -74,7 +74,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -143,11 +145,15 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_signature_ctx(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk) +{ unsigned int i, n, pos; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; uint8_t *rho, *tr, *key, *rnd, *mu, *rhoprime; 
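Review bot: The two bytes appended to the seed in `crypto_sign_keypair` (`seedbuf[SEEDBYTES+0] = K; seedbuf[SEEDBYTES+1] = L;`) carry no comment, and they rely on `K` and `L` each fitting in a `uint8_t`, which is true for every parameter set of this family but nowhere stated. Add above them `/* Append (K, L) so the seed expansion is bound to the parameter set */` and, if `K`/`L` are plain integer macros, write `(uint8_t)K` / `(uint8_t)L` so the narrowing is visible. The `shake256` call reads `seedbuf` and writes `seedbuf`; that aliasing predates this change, but since the input length grew it is worth confirming the implementation absorbs all `SEEDBYTES+2` input bytes before it writes any output. The `crypto_sign_signature_ctx` definition that starts at the end of this line continues past the hunk.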
@@ -163,6 +169,9 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t } tmpv; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; @@ -171,9 +180,13 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - /* Compute CRH(tr, msg) */ + /* Compute CRH(tr, 0, ctxlen, ctx, msg) */ shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -281,6 +294,30 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t return 0; } +/************************************************* +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + + + /************************************************* * Name: crypto_sign * 
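Review bot: `shake256_inc_absorb(&state, ctx, ctxlen)` is reached with `ctx == NULL` whenever the new `crypto_sign_signature` wrapper at the end of this line is used, since it passes `NULL, 0`; if the absorb bottoms out in `memcpy`, a null source pointer is undefined behaviour even for length 0 and is reported by UBSan. Guard it: `if(ctxlen) shake256_inc_absorb(&state, ctx, ctxlen);`. The same call with the same NULL default is reached in `crypto_sign_verify_ctx` two hunks down. Separately, `mu[1] = ctxlen;` narrows a `size_t` to a byte; the preceding `ctxlen > 255` check makes it safe, but `mu[1] = (uint8_t)ctxlen;` states the intent and keeps `-Wconversion` quiet. The wrapper's comment promises `-1 (context string too long)`, which cannot occur with the empty context it always passes.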
@@ -293,22 +330,52 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * * Returns 0 (success) **************************************************/ -int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) { +static int crypto_sign_ctx(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *ctx, size_t ctxlen, + const uint8_t *sk) +{ size_t i; + int ret; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
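Review bot: In `crypto_sign_ctx` the line `*smlen += mlen;` runs even when `ret` is -1, and on that path `crypto_sign_signature_ctx` returned before writing `*siglen` (its `ctxlen > 255` check precedes everything, see the previous hunk), so `*smlen` becomes the caller's stale value plus `mlen` while `sm` already holds the copied message. Insert `if(ret) return ret;` between the call and the increment, or set `*smlen = 0` before returning, so a failed call leaves a defined length. Today only the static `_ctx` path can fail, because the public `crypto_sign` wrapper below passes an empty context, so this is latent rather than reachable from the exported API.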
@@ -316,11 +383,14 @@ int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) { +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { unsigned int i, j, pos = 0; /* polyw1_pack writes additional 14 bytes */ ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf; @@ -332,13 +402,17 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size poly c, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); shake256_inc_absorb(&state, mu, CRHBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); 
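Review bot: `shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES)` now squeezes `TRBYTES` bytes into `mu`, but the unchanged next line absorbs `CRHBYTES` of it; the two are distinct macros (both appear in the `seedbuf` sizing of `crypto_sign_signature_ctx` earlier in this file), so if they ever differ this absorbs uninitialised bytes or truncates `tr`. Use one constant on both lines, `shake256_inc_absorb(&state, mu, TRBYTES);`, and check that the declaration of `mu` (outside the hunk) is sized for `TRBYTES` as well as `CRHBYTES`. The comment `/* Compute CRH(H(rho, t1), msg) */` no longer describes what follows, which also absorbs the `0, ctxlen` prefix and `ctx`; `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */` would mirror the signing side. The `ctx == NULL` default passed by the `crypto_sign_verify` wrapper reaches the `shake256_inc_absorb(&state, ctx, ctxlen)` here as well, so the zero-length guard suggested for the signing hunk applies here too.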
@@ -406,7 +480,29 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * 
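Review bot: The new header comment for `crypto_sign_verify` lists its first argument as `uint8_t *m: pointer to input signature`, which is both the wrong name and a duplicate of the message parameter two lines further down; the parameter is `const uint8_t *sig`. Change it to `- const uint8_t *sig: pointer to input signature`. The description `Verifies signature. With default context.` also differs from the `Default with empty ctx.` phrasing the sibling wrappers use; one wording for all four would read better.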
@@ -415,18 +511,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) { +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk) { size_t i; if(smlen < CRYPTO_BYTES) goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
@@ -437,9 +536,32 @@ int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.h new file mode 100644 index 0000000000..7f802133d8 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/sign.h 
@@ -0,0 +1,33 @@ +#ifndef SIGN_H +#define SIGN_H + +#include +#include +#include "params.h" +#include "polyvec.h" +#include "poly.h" + +#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair) +int crypto_sign_keypair(uint8_t *pk, uint8_t *sk); + +#define crypto_sign_signature DILITHIUM_NAMESPACE(signature) +int crypto_sign_signature(uint8_t *sig, size_t *siglen, + const uint8_t *m, size_t mlen, + const uint8_t *sk); + +#define crypto_sign DILITHIUM_NAMESPACETOP +int crypto_sign(uint8_t *sm, size_t *smlen, + const uint8_t *m, size_t mlen, + const uint8_t *sk); + +#define crypto_sign_verify DILITHIUM_NAMESPACE(verify) +int crypto_sign_verify(const uint8_t *sig, size_t siglen, + const uint8_t *m, size_t mlen, + const uint8_t *pk); + +#define crypto_sign_open DILITHIUM_NAMESPACE(open) +int crypto_sign_open(uint8_t *m, size_t *mlen, + const uint8_t *sm, size_t smlen, + const uint8_t *pk); + +#endif diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/symmetric-shake.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/symmetric-shake.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/symmetric-shake.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/symmetric.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_avx2/symmetric.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_avx2/symmetric.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/LICENSE b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/LICENSE similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/LICENSE rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/LICENSE 
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/api.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/api.h similarity index 81% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/api.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/api.h index 78caa5c728..032fa9f9bb 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/api.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/api.h @@ -16,21 +16,24 @@ int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium3_PUBLICKEYBYTES 1952 #define pqcrystals_dilithium3_SECRETKEYBYTES 4032 #define pqcrystals_dilithium3_BYTES 3309 
@@ -43,21 +46,24 @@ int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); - #define pqcrystals_dilithium5_PUBLICKEYBYTES 2592 #define pqcrystals_dilithium5_SECRETKEYBYTES 4896 #define pqcrystals_dilithium5_BYTES 4627 @@ -70,18 +76,22 @@ int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk); int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *sk); int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, size_t ctxlen, const uint8_t *pk); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/config.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/config.h new file mode 100644 index 0000000000..8008e11a92 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/config.h 
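Review bot: The prototypes in this api.h take `ctx`/`ctxlen` and are named `pqcrystals_dilithium{2,3,5}_ref_*`, but sign.h and config.h in the same directory export `pqcrystals_ml_dsa_{44,65,87}_ref_*` without a context argument (the `_ctx` variants are `static` in sign.c). A translation unit that includes api.h would get declarations matching neither the symbol names nor the parameter lists of what is actually linked, which is an ABI mismatch waiting to happen. If api.h is not included by the OQS build, drop it from the vendored copy; if it is, align it with sign.h or add a comment at its top, e.g. `/* Upstream test-harness header; not used by liboqs, see sign.h for the exported API. */`. I cannot tell from this diff whether anything includes it.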
@@ -0,0 +1,27 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+//#define DILITHIUM_MODE 2
+#define DILITHIUM_RANDOMIZED_SIGNING
+//#define USE_RDPMC
+//#define DBENCH
+
+#ifndef DILITHIUM_MODE
+#define DILITHIUM_MODE 2
+#endif
+
+#if DILITHIUM_MODE == 2
+#define CRYPTO_ALGNAME "ML-DSA-44"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_44_ref
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_44_ref_##s
+#elif DILITHIUM_MODE == 3
+#define CRYPTO_ALGNAME "ML-DSA-65"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_65_ref
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_65_ref_##s
+#elif DILITHIUM_MODE == 5
+#define CRYPTO_ALGNAME "ML-DSA-87"
+#define DILITHIUM_NAMESPACETOP pqcrystals_ml_dsa_87_ref
+#define DILITHIUM_NAMESPACE(s) pqcrystals_ml_dsa_87_ref_##s
+#endif
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/ntt.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/ntt.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/ntt.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/ntt.c
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/ntt.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/ntt.h
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/ntt.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/ntt.h
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/packing.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/packing.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/packing.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/packing.c
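Review bot: The `#if DILITHIUM_MODE == 2 / 3 / 5` chain has no `#else`, and the `#ifndef DILITHIUM_MODE` fallback defaults a file living in the ml-dsa-87 directory to mode 2, so a missing or mistyped `-DDILITHIUM_MODE` only surfaces later as an undefined `CRYPTO_ALGNAME`/`DILITHIUM_NAMESPACE`, or as the 44-parameter symbols being built under the 87 tree. Add `#else` followed by `#error "DILITHIUM_MODE must be 2, 3 or 5"` after the `DILITHIUM_MODE == 5` branch so the parameter set is checked where it is chosen. `DILITHIUM_RANDOMIZED_SIGNING` is defined unconditionally with no explanation; a one-line comment stating that this selects hedged (randomized) signing and that deterministic signing is the alternative would help reviewers, if that is indeed what the flag controls — I am inferring from its name.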
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/packing.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/packing.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/packing.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/packing.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/params.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/params.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/params.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/params.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.c index 7983aacdd1..691b5e8909 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/poly.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.c @@ -21,7 +21,7 @@ extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack; * Name: poly_reduce * * Description: Inplace reduction of all coefficients of polynomial to -* representative in [-6283009,6283007]. +* representative in [-6283008,6283008]. * * Arguments: - poly *a: pointer to input/output polynomial **************************************************/ @@ -335,7 +335,7 @@ static unsigned int rej_uniform(int32_t *a, * * Description: Sample polynomial with uniformly random coefficients * in [0,Q-1] by performing rejection sampling on the -* output stream of SHAKE256(seed|nonce) +* output stream of SHAKE128(seed|nonce) * * Arguments: - poly *a: pointer to output polynomial * - const uint8_t seed[]: byte array with seed of length SEEDBYTES 
@@ -487,16 +487,16 @@ void poly_uniform_gamma1(poly *a, * SHAKE256(seed). * * Arguments: - poly *c: pointer to output polynomial -* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES +* - const uint8_t mu[]: byte array containing seed of length CTILDEBYTES **************************************************/ -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) { +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]) { unsigned int i, b, pos; uint64_t signs; uint8_t buf[SHAKE256_RATE]; shake256incctx state; shake256_inc_init(&state); - shake256_inc_absorb(&state, seed, SEEDBYTES); + shake256_inc_absorb(&state, seed, CTILDEBYTES); shake256_inc_finalize(&state); shake256_squeezeblocks(buf, 1, &state); diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.h similarity index 97% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.h index d2fd989b6a..904baa1ca4 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/poly.h +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/poly.h @@ -51,7 +51,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce); #define poly_challenge DILITHIUM_NAMESPACE(poly_challenge) -void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]); +void poly_challenge(poly *c, const uint8_t seed[CTILDEBYTES]); #define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack) void polyeta_pack(uint8_t *r, const poly *a); 
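Review bot: The argument doc above `poly_challenge` still names the parameter `mu[]` while the signature calls it `seed[]`, and the description only says "SHAKE256(seed)"; since this is the hunk where the challenge now absorbs all CTILDEBYTES bytes of c~ instead of only the first SEEDBYTES, that is worth stating explicitly: `* - const uint8_t seed[]: challenge seed c~ of length CTILDEBYTES (all bytes are absorbed)`. The `buf[SHAKE256_RATE]` scratch and the rest of the sampling loop are outside the hunk, so I assume they are unchanged.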
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.c similarity index 99% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.c index 40032b656b..241f618187 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/polyvec.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.c @@ -161,7 +161,7 @@ void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t no * Name: polyveck_reduce * * Description: Reduce coefficients of polynomials in vector of length K -* to representatives in [-6283009,6283007]. +* to representatives in [-6283008,6283008]. * * Arguments: - polyveck *v: pointer to input/output vector **************************************************/ diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/polyvec.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/polyvec.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.c similarity index 95% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.c index 75feff8bc5..8479a222cd 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-44-ipd_ref/reduce.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.c 
@@ -24,7 +24,7 @@ int32_t montgomery_reduce(int64_t a) { * Name: reduce32 * * Description: For finite field element a with a <= 2^{31} - 2^{22} - 1, -* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007. +* compute r \equiv a (mod Q) such that -6283008 <= r <= 6283008. * * Arguments: - int32_t: finite field element a * diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/reduce.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/reduce.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/rounding.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/rounding.c similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/rounding.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/rounding.c diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/rounding.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/rounding.h similarity index 100% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/rounding.h rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/rounding.h diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.c similarity index 60% rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.c rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.c index 9298ad2177..cb3d6f3de9 100644 --- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-65-ipd_ref/sign.c +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.c 
@@ -30,7 +30,9 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { /* Get randomness for rho, rhoprime and key */ randombytes(seedbuf, SEEDBYTES); - shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES); + seedbuf[SEEDBYTES+0] = K; + seedbuf[SEEDBYTES+1] = L; + shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES+2); rho = seedbuf; rhoprime = rho + SEEDBYTES; key = rhoprime + CRHBYTES; @@ -65,7 +67,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { } /************************************************* -* Name: crypto_sign_signature +* Name: crypto_sign_signatur_ctx * * Description: Computes signature. * @@ -73,15 +75,19 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) { * - size_t *siglen: pointer to output length of signature * - uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign_signature(uint8_t *sig, - size_t *siglen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_signature_ctx(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { unsigned int n; uint8_t seedbuf[2*SEEDBYTES + TRBYTES + RNDBYTES + 2*CRHBYTES]; @@ -92,6 +98,9 @@ int crypto_sign_signature(uint8_t *sig, poly cp; shake256incctx state; + if(ctxlen > 255) + return -1; + rho = seedbuf; tr = rho + SEEDBYTES; key = tr + TRBYTES; 
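Review bot: The two bytes written at `seedbuf[SEEDBYTES+0] = K; seedbuf[SEEDBYTES+1] = L;` are absorbed into the seed expansion with no comment, and `seedbuf` is declared outside the hunk, so a reader has to trust it has room for SEEDBYTES+2 bytes (it does if it is the `2*SEEDBYTES + CRHBYTES` output buffer the same call writes). Add `/* expand H(xi || K || L): domain-separates the seed expansion per parameter set */` above the two assignments — I am reading the intent off the ML-DSA spec, so adjust the wording if the reference differs. The doc header typo `crypto_sign_signatur_ctx` should read `crypto_sign_signature_ctx`. In the last hunk, `if(ctxlen > 255) return -1;` leaves `*siglen` unwritten on failure; either set `*siglen = 0;` before returning or state in the doc block that `*siglen` is undefined when -1 is returned.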
@@ -100,10 +109,13 @@ int crypto_sign_signature(uint8_t *sig, rhoprime = mu + CRHBYTES; unpack_sk(rho, tr, key, &t0, &s1, &s2, sk); - - /* Compute mu = CRH(tr, msg) */ + /* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */ + mu[0] = 0; + mu[1] = ctxlen; shake256_inc_init(&state); shake256_inc_absorb(&state, tr, TRBYTES); + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); @@ -143,7 +155,7 @@ int crypto_sign_signature(uint8_t *sig, shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES); shake256_inc_finalize(&state); shake256_inc_squeeze(sig, CTILDEBYTES, &state); - poly_challenge(&cp, sig); /* uses only the first SEEDBYTES bytes of sig */ + poly_challenge(&cp, sig); poly_ntt(&cp); /* Compute z, reject if it reveals secret */ @@ -184,7 +196,29 @@ int crypto_sign_signature(uint8_t *sig, } /************************************************* -* Name: crypto_sign +* Name: crypto_sign_signature +* +* Description: Computes signature. Default with empty ctx. +* +* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES) +* - size_t *siglen: pointer to output length of signature +* - uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign_signature(uint8_t *sig, + size_t *siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_signature_ctx(sig, siglen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_ctx * * Description: Compute signed message. * 
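Review bot: `mu[1] = ctxlen;` narrows a `size_t` to `uint8_t` and is only correct because of the `ctxlen > 255` check in the preceding hunk; make that dependency visible with `mu[1] = (uint8_t)ctxlen; /* <= 255, checked on entry */`. The `mu[0] = 0` byte presumably is the pure (non-pre-hash) domain separator, so `/* Compute mu = CRH(tr, 0, ctxlen, ctx, msg) */` would be clearer as `/* mu = H(tr || 0x00 || ctxlen || ctx || M); 0x00 marks pure ML-DSA rather than HashML-DSA */` — verify against the spec text before adopting. The public wrapper passes `ctx = NULL` with `ctxlen = 0` into `shake256_inc_absorb(&state, ctx, ctxlen)`; that is harmless for a byte-loop absorb but formally undefined if the backend ever forwards it to `memcpy`, so `if(ctxlen) shake256_inc_absorb(&state, ctx, ctxlen);` costs nothing. The enclosing function starts and ends outside the hunk.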
@@ -195,27 +229,57 @@ int crypto_sign_signature(uint8_t *sig, * message * - const uint8_t *m: pointer to message to be signed * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *sk: pointer to bit-packed secret key * -* Returns 0 (success) +* Returns 0 (success) or -1 (context string too long) **************************************************/ -int crypto_sign(uint8_t *sm, - size_t *smlen, - const uint8_t *m, - size_t mlen, - const uint8_t *sk) +static int crypto_sign_ctx(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *ctx, + size_t ctxlen, + const uint8_t *sk) { + int ret; size_t i; for(i = 0; i < mlen; ++i) sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i]; - crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk); + ret = crypto_sign_signature_ctx(sm, smlen, sm + CRYPTO_BYTES, mlen, ctx, ctxlen, sk); *smlen += mlen; - return 0; + return ret; } /************************************************* -* Name: crypto_sign_verify +* Name: crypto_sign +* +* Description: Compute signed message. Default with empty ctx. +* +* Arguments: - uint8_t *sm: pointer to output signed message (allocated +* array with CRYPTO_BYTES + mlen bytes), +* can be equal to m +* - size_t *smlen: pointer to output length of signed +* message +* - const uint8_t *m: pointer to message to be signed +* - size_t mlen: length of message +* - const uint8_t *sk: pointer to bit-packed secret key +* +* Returns 0 (success) or -1 (context string too long) +**************************************************/ +int crypto_sign(uint8_t *sm, + size_t *smlen, + const uint8_t *m, + size_t mlen, + const uint8_t *sk) +{ + return crypto_sign_ctx(sm, smlen, m, mlen, NULL, 0, sk); +} + +/************************************************* +* Name: crypto_sign_verify_ctx * * Description: Verifies signature. * 
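Review bot: `crypto_sign_ctx` executes `*smlen += mlen;` unconditionally after `ret = crypto_sign_signature_ctx(...)`, but on the -1 path (`ctxlen > 255`) `crypto_sign_signature_ctx` returns before writing `*siglen`, so `*smlen` is incremented from whatever the caller left there and the function returns -1 with a bogus length while the message has already been copied into `sm`. Today this is unreachable through the public `crypto_sign` wrapper, which passes `ctxlen = 0`, but the `_ctx` variant is the one that will be exposed once context strings are plumbed through. Replace the two lines with `if(ret == 0) *smlen += mlen; else *smlen = 0;`.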
@@ -223,14 +287,18 @@ int crypto_sign(uint8_t *sm, * - size_t siglen: length of signature * - const uint8_t *m: pointer to message * - size_t mlen: length of message +* - const uint8_t *ctx: pointer to context string +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signature could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_verify(const uint8_t *sig, +static int crypto_sign_verify_ctx(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { unsigned int i; @@ -244,7 +312,7 @@ int crypto_sign_verify(const uint8_t *sig, polyveck t1, w1, h; shake256incctx state; - if(siglen != CRYPTO_BYTES) + if(ctxlen > 255 || siglen != CRYPTO_BYTES) return -1; unpack_pk(rho, &t1, pk); @@ -254,15 +322,19 @@ int crypto_sign_verify(const uint8_t *sig, return -1; /* Compute CRH(H(rho, t1), msg) */ - shake256(mu, CRHBYTES, pk, CRYPTO_PUBLICKEYBYTES); + shake256(mu, TRBYTES, pk, CRYPTO_PUBLICKEYBYTES); shake256_inc_init(&state); - shake256_inc_absorb(&state, mu, CRHBYTES); + shake256_inc_absorb(&state, mu, TRBYTES); + mu[0] = 0; + mu[1] = ctxlen; + shake256_inc_absorb(&state, mu, 2); + shake256_inc_absorb(&state, ctx, ctxlen); shake256_inc_absorb(&state, m, mlen); shake256_inc_finalize(&state); shake256_inc_squeeze(mu, CRHBYTES, &state); /* Matrix-vector multiplication; compute Az - c2^dt1 */ - poly_challenge(&cp, c); /* uses only the first SEEDBYTES bytes of c */ + poly_challenge(&cp, c); polyvec_matrix_expand(mat, rho); polyvecl_ntt(&z); 
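Review bot: The comment `/* Compute CRH(H(rho, t1), msg) */` is now stale: the block stages `tr = H(pk)` in the first TRBYTES of `mu`, then absorbs `tr`, the `0x00`/`ctxlen` bytes, `ctx` and `m`, so `mu` is reused as scratch and must be at least TRBYTES bytes (its declaration is outside the hunk; I assume `mu[CRHBYTES]` with CRHBYTES == TRBYTES == 64). Suggest `/* tr = H(pk) staged in mu (needs mu >= TRBYTES); mu = H(tr || 0x00 || ctxlen || ctx || M) */` together with `mu[1] = (uint8_t)ctxlen; /* <= 255, checked above */`. As on the signing side, `ctx` is NULL when the public wrapper passes `ctxlen == 0`; `if(ctxlen)` around that absorb avoids handing a NULL/0 pair to the backend. The function body continues outside the hunk.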
@@ -297,7 +369,29 @@ int crypto_sign_verify(const uint8_t *sig, } /************************************************* -* Name: crypto_sign_open +* Name: crypto_sign_verify +* +* Description: Verifies signature. With default context. +* +* Arguments: - uint8_t *m: pointer to input signature +* - size_t siglen: length of signature +* - const uint8_t *m: pointer to message +* - size_t mlen: length of message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signature could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_verify(const uint8_t *sig, + size_t siglen, + const uint8_t *m, + size_t mlen, + const uint8_t *pk) +{ + return crypto_sign_verify_ctx(sig, siglen, m, mlen, NULL, 0, pk); +} + +/************************************************* +* Name: crypto_sign_open_ctx * * Description: Verify signed message. * @@ -306,14 +400,18 @@ int crypto_sign_verify(const uint8_t *sig, * - size_t *mlen: pointer to output length of message * - const uint8_t *sm: pointer to signed message * - size_t smlen: length of signed message +* - const uint8_t *ctx: pointer to context tring +* - size_t ctxlen: length of context string * - const uint8_t *pk: pointer to bit-packed public key * * Returns 0 if signed message could be verified correctly and -1 otherwise **************************************************/ -int crypto_sign_open(uint8_t *m, +static int crypto_sign_open_ctx(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, + const uint8_t *ctx, + size_t ctxlen, const uint8_t *pk) { size_t i; @@ -322,7 +420,7 @@ int crypto_sign_open(uint8_t *m, goto badsig; *mlen = smlen - CRYPTO_BYTES; - if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) + if(crypto_sign_verify_ctx(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, ctx, ctxlen, pk)) goto badsig; else { /* All good, copy msg, return 0 */ 
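Review bot: In the `crypto_sign_verify` wrapper's doc block the first argument is listed as `- uint8_t *m: pointer to input signature`, but the parameter is `const uint8_t *sig`; it should read `- const uint8_t *sig: pointer to input signature`. In the `crypto_sign_open_ctx` doc block, `context tring` should be `context string`. `crypto_sign_open_ctx` is declared `static` here and its body continues past the hunk, so the context-string variant is not callable from outside this file yet; a line in its doc block saying that the default-context `crypto_sign_open` is currently the only public entry point would save the next reader a search.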
@@ -333,9 +431,32 @@ int crypto_sign_open(uint8_t *m, badsig: /* Signature verification failed */ - *mlen = -1; + *mlen = 0; for(i = 0; i < smlen; ++i) m[i] = 0; return -1; } + +/************************************************* +* Name: crypto_sign_open +* +* Description: Verify signed message. Default with empty ctx. +* +* Arguments: - uint8_t *m: pointer to output message (allocated +* array with smlen bytes), can be equal to sm +* - size_t *mlen: pointer to output length of message +* - const uint8_t *sm: pointer to signed message +* - size_t smlen: length of signed message +* - const uint8_t *pk: pointer to bit-packed public key +* +* Returns 0 if signed message could be verified correctly and -1 otherwise +**************************************************/ +int crypto_sign_open(uint8_t *m, + size_t *mlen, + const uint8_t *sm, + size_t smlen, + const uint8_t *pk) +{ + return crypto_sign_open_ctx(m, mlen, sm, smlen, NULL, 0, pk); +} diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.h new file mode 100644 index 0000000000..7f802133d8 --- /dev/null +++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/sign.h 
@@ -0,0 +1,33 @@
+#ifndef SIGN_H
+#define SIGN_H
+
+#include
+#include
+#include "params.h"
+#include "polyvec.h"
+#include "poly.h"
+
+#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
+int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
+
+#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
+int crypto_sign_signature(uint8_t *sig, size_t *siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *sk);
+
+#define crypto_sign DILITHIUM_NAMESPACETOP
+int crypto_sign(uint8_t *sm, size_t *smlen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *sk);
+
+#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
+int crypto_sign_verify(const uint8_t *sig, size_t siglen,
+ const uint8_t *m, size_t mlen,
+ const uint8_t *pk);
+
+#define crypto_sign_open DILITHIUM_NAMESPACE(open)
+int crypto_sign_open(uint8_t *m, size_t *mlen,
+ const uint8_t *sm, size_t smlen,
+ const uint8_t *pk);
+
+#endif
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric-shake.c b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric-shake.c
similarity index 100%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric-shake.c
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric-shake.c
diff --git a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric.h b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric.h
similarity index 99%
rename from src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric.h
rename to src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric.h
index 211de3b860..b6c74b7702 100644
--- a/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87-ipd_ref/symmetric.h
+++ b/src/sig/ml_dsa/pqcrystals-dilithium-standard_ml-dsa-87_ref/symmetric.h
@@ -33,4 +33,5 @@ void dilithium_shake256_stream_init(shake256incctx *state, shake256_squeezeblocks(OUT, OUTBLOCKS, STATE) #define stream256_release(STATE) shake256_inc_ctx_release(STATE) + #endif diff --git a/src/sig/ml_dsa/sig_ml_dsa.h b/src/sig/ml_dsa/sig_ml_dsa.h index fe95a2d7cf..1c6b02369b 100644 --- a/src/sig/ml_dsa/sig_ml_dsa.h +++ b/src/sig/ml_dsa/sig_ml_dsa.h 
@@ -5,61 +5,37 @@ #include -#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_44) -#define OQS_SIG_ml_dsa_44_ipd_length_public_key 1312 -#define OQS_SIG_ml_dsa_44_ipd_length_secret_key 2560 -#define OQS_SIG_ml_dsa_44_ipd_length_signature 2420 +#if defined(OQS_ENABLE_SIG_ml_dsa_44) +#define OQS_SIG_ml_dsa_44_length_public_key 1312 +#define OQS_SIG_ml_dsa_44_length_secret_key 2560 +#define OQS_SIG_ml_dsa_44_length_signature 2420 -OQS_SIG *OQS_SIG_ml_dsa_44_ipd_new(void); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); - -#define OQS_SIG_ml_dsa_44_length_public_key OQS_SIG_ml_dsa_44_ipd_length_public_key -#define OQS_SIG_ml_dsa_44_length_secret_key OQS_SIG_ml_dsa_44_ipd_length_secret_key -#define OQS_SIG_ml_dsa_44_length_signature OQS_SIG_ml_dsa_44_ipd_length_signature OQS_SIG *OQS_SIG_ml_dsa_44_new(void); -#define OQS_SIG_ml_dsa_44_keypair OQS_SIG_ml_dsa_44_ipd_keypair -#define OQS_SIG_ml_dsa_44_sign OQS_SIG_ml_dsa_44_ipd_sign -#define OQS_SIG_ml_dsa_44_verify OQS_SIG_ml_dsa_44_ipd_verify +OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_keypair(uint8_t *public_key, uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); #endif -#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_65) -#define OQS_SIG_ml_dsa_65_ipd_length_public_key 1952 -#define 
OQS_SIG_ml_dsa_65_ipd_length_secret_key 4032 -#define OQS_SIG_ml_dsa_65_ipd_length_signature 3309 - -OQS_SIG *OQS_SIG_ml_dsa_65_ipd_new(void); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_keypair(uint8_t *public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); +#if defined(OQS_ENABLE_SIG_ml_dsa_65) +#define OQS_SIG_ml_dsa_65_length_public_key 1952 +#define OQS_SIG_ml_dsa_65_length_secret_key 4032 +#define OQS_SIG_ml_dsa_65_length_signature 3309 -#define OQS_SIG_ml_dsa_65_length_public_key OQS_SIG_ml_dsa_65_ipd_length_public_key -#define OQS_SIG_ml_dsa_65_length_secret_key OQS_SIG_ml_dsa_65_ipd_length_secret_key -#define OQS_SIG_ml_dsa_65_length_signature OQS_SIG_ml_dsa_65_ipd_length_signature OQS_SIG *OQS_SIG_ml_dsa_65_new(void); -#define OQS_SIG_ml_dsa_65_keypair OQS_SIG_ml_dsa_65_ipd_keypair -#define OQS_SIG_ml_dsa_65_sign OQS_SIG_ml_dsa_65_ipd_sign -#define OQS_SIG_ml_dsa_65_verify OQS_SIG_ml_dsa_65_ipd_verify +OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_keypair(uint8_t *public_key, uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); #endif -#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_87) -#define OQS_SIG_ml_dsa_87_ipd_length_public_key 2592 -#define OQS_SIG_ml_dsa_87_ipd_length_secret_key 4896 -#define OQS_SIG_ml_dsa_87_ipd_length_signature 4627 - -OQS_SIG *OQS_SIG_ml_dsa_87_ipd_new(void); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_keypair(uint8_t 
*public_key, uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); -OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); +#if defined(OQS_ENABLE_SIG_ml_dsa_87) +#define OQS_SIG_ml_dsa_87_length_public_key 2592 +#define OQS_SIG_ml_dsa_87_length_secret_key 4896 +#define OQS_SIG_ml_dsa_87_length_signature 4627 -#define OQS_SIG_ml_dsa_87_length_public_key OQS_SIG_ml_dsa_87_ipd_length_public_key -#define OQS_SIG_ml_dsa_87_length_secret_key OQS_SIG_ml_dsa_87_ipd_length_secret_key -#define OQS_SIG_ml_dsa_87_length_signature OQS_SIG_ml_dsa_87_ipd_length_signature OQS_SIG *OQS_SIG_ml_dsa_87_new(void); -#define OQS_SIG_ml_dsa_87_keypair OQS_SIG_ml_dsa_87_ipd_keypair -#define OQS_SIG_ml_dsa_87_sign OQS_SIG_ml_dsa_87_ipd_sign -#define OQS_SIG_ml_dsa_87_verify OQS_SIG_ml_dsa_87_ipd_verify +OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_keypair(uint8_t *public_key, uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key); +OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key); #endif #endif diff --git a/src/sig/ml_dsa/sig_ml_dsa_44.c b/src/sig/ml_dsa/sig_ml_dsa_44.c new file mode 100644 index 0000000000..0dc6eaec4f --- /dev/null +++ b/src/sig/ml_dsa/sig_ml_dsa_44.c 
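Review bot: Removing the `OQS_SIG_ml_dsa_44_ipd_*` names is a compile-time break for direct callers, but the quieter hazard is that code using the `OQS_SIG_ml_dsa_44_*` names (previously `#define`d onto the `_ipd` functions) keeps compiling and now produces and accepts a different, non-interoperable scheme under the same identifier, since the challenge derivation and mu computation change elsewhere in this diff. Keys and signatures produced by the ipd build cannot be expected to verify against this code and vice versa. Put that in the header next to the length macros, e.g. `/* ML-DSA-44/65/87 implement FIPS 204 final; they are NOT wire-compatible with the removed *_ipd variants. */`, and call the migration out in the release notes.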
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: MIT
+
+#include
+
+#include
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_44)
+
+OQS_SIG *OQS_SIG_ml_dsa_44_new(void) {
+
+ OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->method_name = OQS_SIG_alg_ml_dsa_44;
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/master";
+
+ sig->claimed_nist_level = 2;
+ sig->euf_cma = true;
+
+ sig->length_public_key = OQS_SIG_ml_dsa_44_length_public_key;
+ sig->length_secret_key = OQS_SIG_ml_dsa_44_length_secret_key;
+ sig->length_signature = OQS_SIG_ml_dsa_44_length_signature;
+
+ sig->keypair = OQS_SIG_ml_dsa_44_keypair;
+ sig->sign = OQS_SIG_ml_dsa_44_sign;
+ sig->verify = OQS_SIG_ml_dsa_44_verify;
+
+ return sig;
+}
+
+extern int pqcrystals_ml_dsa_44_ref_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_44_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_44_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
+extern int pqcrystals_ml_dsa_44_avx2_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_44_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_44_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+#endif
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_keypair(uint8_t *public_key, uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_avx2_keypair(public_key, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_keypair(public_key, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_keypair(public_key, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_avx2_signature(signature, signature_len, message, message_len, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_signature(signature, signature_len, message, message_len, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_signature(signature, signature_len, message, message_len, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_avx2_verify(signature, signature_len, message, message_len, public_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_verify(signature, signature_len, message, message_len, public_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_44_ref_verify(signature, signature_len, message, message_len, public_key);
+#endif
+}
+
+#endif
diff --git a/src/sig/ml_dsa/sig_ml_dsa_44_ipd.c b/src/sig/ml_dsa/sig_ml_dsa_44_ipd.c
deleted file mode 100644
index 6d3f1e2cc2..0000000000
--- a/src/sig/ml_dsa/sig_ml_dsa_44_ipd.c
+++ /dev/null
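Review bot: `sig->alg_version` in `OQS_SIG_ml_dsa_44_new` now points at `https://github.com/pq-crystals/dilithium/tree/master`, a moving branch, so the string no longer identifies which upstream revision was vendored and will silently go stale as that branch advances; the deleted `_ipd` file at least named a dedicated `standard` branch. Since this provenance string is the only thing in the file that ties the wrappers to a specific upstream state, I would record the exact revision instead, e.g. `sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/<vendored-sha>";`, or append the commit id to the existing URL. If this value is emitted by the copy-from-upstream tooling, the change belongs in its configuration, and a one-line comment above the assignment saying so would keep reviewers from hand-editing it here.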
@@ -1,119 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-#include
-
-#include
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_44)
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd)
-
-OQS_SIG *OQS_SIG_ml_dsa_44_ipd_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_44_ipd;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 2;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_44_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_44_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_44_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_44_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_44_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_44_ipd_verify;
-
- return sig;
-}
-#endif
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_44)
-/** Alias */
-OQS_SIG *OQS_SIG_ml_dsa_44_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_44;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 2;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_44_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_44_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_44_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_44_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_44_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_44_ipd_verify;
-
- return sig;
-}
-#endif
-
-extern int pqcrystals_ml_dsa_44_ipd_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_44_ipd_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_44_ipd_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
-extern int pqcrystals_ml_dsa_44_ipd_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_44_ipd_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_44_ipd_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_44_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_44_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_44_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_44_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-#endif
diff --git a/src/sig/ml_dsa/sig_ml_dsa_65.c b/src/sig/ml_dsa/sig_ml_dsa_65.c
new file mode 100644
index 0000000000..0d9b2b71bf
--- /dev/null
+++ b/src/sig/ml_dsa/sig_ml_dsa_65.c
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: MIT
+
+#include
+
+#include
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_65)
+
+OQS_SIG *OQS_SIG_ml_dsa_65_new(void) {
+
+ OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->method_name = OQS_SIG_alg_ml_dsa_65;
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/master";
+
+ sig->claimed_nist_level = 3;
+ sig->euf_cma = true;
+
+ sig->length_public_key = OQS_SIG_ml_dsa_65_length_public_key;
+ sig->length_secret_key = OQS_SIG_ml_dsa_65_length_secret_key;
+ sig->length_signature = OQS_SIG_ml_dsa_65_length_signature;
+
+ sig->keypair = OQS_SIG_ml_dsa_65_keypair;
+ sig->sign = OQS_SIG_ml_dsa_65_sign;
+ sig->verify = OQS_SIG_ml_dsa_65_verify;
+
+ return sig;
+}
+
+extern int pqcrystals_ml_dsa_65_ref_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_65_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_65_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
+extern int pqcrystals_ml_dsa_65_avx2_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_65_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_65_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+#endif
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_keypair(uint8_t *public_key, uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_avx2_keypair(public_key, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_keypair(public_key, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_keypair(public_key, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_avx2_signature(signature, signature_len, message, message_len, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_signature(signature, signature_len, message, message_len, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_signature(signature, signature_len, message, message_len, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_avx2_verify(signature, signature_len, message, message_len, public_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_verify(signature, signature_len, message, message_len, public_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_65_ref_verify(signature, signature_len, message, message_len, public_key);
+#endif
+}
+
+#endif
diff --git a/src/sig/ml_dsa/sig_ml_dsa_65_ipd.c b/src/sig/ml_dsa/sig_ml_dsa_65_ipd.c
deleted file mode 100644
index 4c175d680c..0000000000
--- a/src/sig/ml_dsa/sig_ml_dsa_65_ipd.c
+++ /dev/null
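Review bot: The three dispatch wrappers `OQS_SIG_ml_dsa_65_keypair`, `OQS_SIG_ml_dsa_65_sign` and `OQS_SIG_ml_dsa_65_verify` carry no comment explaining why the `if`/`else` is split across `#if defined(OQS_DIST_BUILD)` guards, which is the part of this file a maintainer is most likely to misread. I would put above the keypair wrapper: `/* Dispatch: in an OQS_DIST_BUILD the AVX2 implementation is used only when both AVX2 and POPCNT are detected at run time, otherwise the portable ref code; a non-dist build compiled with OQS_ENABLE_SIG_ml_dsa_65_avx2 calls the AVX2 code unconditionally. */` and a one-line `/* same dispatch as keypair */` on the other two. The non-dist AVX2 path has no runtime CPU check, so it is the build configuration and not this code that keeps the library off CPUs lacking AVX2; that is worth stating explicitly here since all three wrappers silently rely on it.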
@@ -1,119 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-#include
-
-#include
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_65)
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd)
-
-OQS_SIG *OQS_SIG_ml_dsa_65_ipd_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_65_ipd;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 3;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_65_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_65_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_65_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_65_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_65_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_65_ipd_verify;
-
- return sig;
-}
-#endif
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_65)
-/** Alias */
-OQS_SIG *OQS_SIG_ml_dsa_65_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_65;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 3;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_65_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_65_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_65_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_65_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_65_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_65_ipd_verify;
-
- return sig;
-}
-#endif
-
-extern int pqcrystals_ml_dsa_65_ipd_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_65_ipd_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_65_ipd_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
-extern int pqcrystals_ml_dsa_65_ipd_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_65_ipd_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_65_ipd_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_65_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_65_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_65_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_65_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-#endif
diff --git a/src/sig/ml_dsa/sig_ml_dsa_87.c b/src/sig/ml_dsa/sig_ml_dsa_87.c
new file mode 100644
index 0000000000..fcd9ee0d1a
--- /dev/null
+++ b/src/sig/ml_dsa/sig_ml_dsa_87.c
@@ -0,0 +1,90 @@
+// SPDX-License-Identifier: MIT
+
+#include
+
+#include
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_87)
+
+OQS_SIG *OQS_SIG_ml_dsa_87_new(void) {
+
+ OQS_SIG *sig = malloc(sizeof(OQS_SIG));
+ if (sig == NULL) {
+ return NULL;
+ }
+ sig->method_name = OQS_SIG_alg_ml_dsa_87;
+ sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/master";
+
+ sig->claimed_nist_level = 5;
+ sig->euf_cma = true;
+
+ sig->length_public_key = OQS_SIG_ml_dsa_87_length_public_key;
+ sig->length_secret_key = OQS_SIG_ml_dsa_87_length_secret_key;
+ sig->length_signature = OQS_SIG_ml_dsa_87_length_signature;
+
+ sig->keypair = OQS_SIG_ml_dsa_87_keypair;
+ sig->sign = OQS_SIG_ml_dsa_87_sign;
+ sig->verify = OQS_SIG_ml_dsa_87_verify;
+
+ return sig;
+}
+
+extern int pqcrystals_ml_dsa_87_ref_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_87_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_87_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+
+#if defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
+extern int pqcrystals_ml_dsa_87_avx2_keypair(uint8_t *pk, uint8_t *sk);
+extern int pqcrystals_ml_dsa_87_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
+extern int pqcrystals_ml_dsa_87_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
+#endif
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_keypair(uint8_t *public_key, uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_avx2_keypair(public_key, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_keypair(public_key, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_keypair(public_key, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_avx2_signature(signature, signature_len, message, message_len, secret_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_signature(signature, signature_len, message, message_len, secret_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_signature(signature, signature_len, message, message_len, secret_key);
+#endif
+}
+
+OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
+#if defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
+#if defined(OQS_DIST_BUILD)
+ if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
+#endif /* OQS_DIST_BUILD */
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_avx2_verify(signature, signature_len, message, message_len, public_key);
+#if defined(OQS_DIST_BUILD)
+ } else {
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_verify(signature, signature_len, message, message_len, public_key);
+ }
+#endif /* OQS_DIST_BUILD */
+#else
+ return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_verify(signature, signature_len, message, message_len, public_key);
+#endif
+}
+
+#endif
diff --git a/src/sig/ml_dsa/sig_ml_dsa_87_ipd.c b/src/sig/ml_dsa/sig_ml_dsa_87_ipd.c
deleted file mode 100644
index 2ba18d57c5..0000000000
--- a/src/sig/ml_dsa/sig_ml_dsa_87_ipd.c
+++ /dev/null
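Review bot: Every wrapper in this file turns the upstream `int` result into the return value with a bare cast, e.g. `return (OQS_STATUS) pqcrystals_ml_dsa_87_ref_verify(signature, signature_len, message, message_len, public_key);`, so the status mapping is only correct while the vendored code returns exactly the values that coincide with OQS_STATUS's success and error enumerators (0 and -1 in the liboqs convention, as far as I can tell; confirm against the enum definition). Any other non-zero value would yield an `OQS_STATUS` with no enumerator, and a caller that tests `== OQS_ERROR` instead of `!= OQS_SUCCESS` would not treat a failed verification as a failure. For the verify path in particular I would make the mapping explicit and fail-closed: `int rc = pqcrystals_ml_dsa_87_ref_verify(signature, signature_len, message, message_len, public_key);` followed by `return rc == 0 ? OQS_SUCCESS : OQS_ERROR;`, and the same in the AVX2 branch. If this file is produced by the copy-from-upstream template, the change belongs in the template so that the 44 and 65 parameter sets stay in sync.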
@@ -1,119 +0,0 @@
-// SPDX-License-Identifier: MIT
-
-#include
-
-#include
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd) || defined(OQS_ENABLE_SIG_ml_dsa_87)
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd)
-
-OQS_SIG *OQS_SIG_ml_dsa_87_ipd_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_87_ipd;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 5;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_87_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_87_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_87_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_87_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_87_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_87_ipd_verify;
-
- return sig;
-}
-#endif
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_87)
-/** Alias */
-OQS_SIG *OQS_SIG_ml_dsa_87_new(void) {
-
- OQS_SIG *sig = malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_ml_dsa_87;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/tree/standard";
-
- sig->claimed_nist_level = 5;
- sig->euf_cma = true;
-
- sig->length_public_key = OQS_SIG_ml_dsa_87_ipd_length_public_key;
- sig->length_secret_key = OQS_SIG_ml_dsa_87_ipd_length_secret_key;
- sig->length_signature = OQS_SIG_ml_dsa_87_ipd_length_signature;
-
- sig->keypair = OQS_SIG_ml_dsa_87_ipd_keypair;
- sig->sign = OQS_SIG_ml_dsa_87_ipd_sign;
- sig->verify = OQS_SIG_ml_dsa_87_ipd_verify;
-
- return sig;
-}
-#endif
-
-extern int pqcrystals_ml_dsa_87_ipd_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_87_ipd_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_87_ipd_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
-extern int pqcrystals_ml_dsa_87_ipd_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_ml_dsa_87_ipd_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_ml_dsa_87_ipd_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_ml_dsa_87_ipd_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_ml_dsa_87_ipd_avx2) || defined(OQS_ENABLE_SIG_ml_dsa_87_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_ml_dsa_87_ipd_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-#endif
diff --git a/src/sig/sig.c b/src/sig/sig.c
index 48a710e861..6778960afe 100644
--- a/src/sig/sig.c
+++ b/src/sig/sig.c
@@ -18,11 +18,8 @@ OQS_API const char *OQS_SIG_alg_identifier(size_t i) {
 OQS_SIG_alg_dilithium_2,
 OQS_SIG_alg_dilithium_3,
 OQS_SIG_alg_dilithium_5,
- OQS_SIG_alg_ml_dsa_44_ipd,
 OQS_SIG_alg_ml_dsa_44,
- OQS_SIG_alg_ml_dsa_65_ipd,
 OQS_SIG_alg_ml_dsa_65,
- OQS_SIG_alg_ml_dsa_87_ipd,
 OQS_SIG_alg_ml_dsa_87,
 OQS_SIG_alg_falcon_512,
 OQS_SIG_alg_falcon_1024,
@@ -101,13 +98,6 @@ OQS_API int OQS_SIG_alg_is_enabled(const char *method_name) {
 return 0;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_44_ipd
- return 1;
-#else
- return 0;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_44
 return 1;
@@ -115,13 +105,6 @@ OQS_API int OQS_SIG_alg_is_enabled(const char *method_name) {
 return 0;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_65_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_65_ipd
- return 1;
-#else
- return 0;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_65)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_65
 return 1;
@@ -129,13 +112,6 @@ OQS_API int OQS_SIG_alg_is_enabled(const char *method_name) {
 return 0;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_87_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_87_ipd
- return 1;
-#else
- return 0;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_87)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_87
 return 1;
@@ -441,13 +417,6 @@ OQS_API OQS_SIG *OQS_SIG_new(const char *method_name) {
 return NULL;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_44_ipd
- return OQS_SIG_ml_dsa_44_ipd_new();
-#else
- return NULL;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_44
 return OQS_SIG_ml_dsa_44_new();
@@ -455,13 +424,6 @@ OQS_API OQS_SIG *OQS_SIG_new(const char *method_name) {
 return NULL;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_65_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_65_ipd
- return OQS_SIG_ml_dsa_65_ipd_new();
-#else
- return NULL;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_65)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_65
 return OQS_SIG_ml_dsa_65_new();
@@ -469,13 +431,6 @@ OQS_API OQS_SIG *OQS_SIG_new(const char *method_name) {
 return NULL;
 #endif
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_87_ipd)) {
-#ifdef OQS_ENABLE_SIG_ml_dsa_87_ipd
- return OQS_SIG_ml_dsa_87_ipd_new();
-#else
- return NULL;
-#endif
-
 } else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_87)) {
 #ifdef OQS_ENABLE_SIG_ml_dsa_87
 return OQS_SIG_ml_dsa_87_new();
diff --git a/src/sig/sig.h b/src/sig/sig.h
index 9fd97f27ce..45bd2da762 100644
--- a/src/sig/sig.h
+++ b/src/sig/sig.h
@@ -38,17 +38,11 @@ extern "C" {
 #define OQS_SIG_alg_dilithium_3 "Dilithium3"
 /** Algorithm identifier for Dilithium5 */
 #define OQS_SIG_alg_dilithium_5 "Dilithium5"
-/** Algorithm identifier for ML-DSA-44-ipd */
-#define OQS_SIG_alg_ml_dsa_44_ipd "ML-DSA-44-ipd"
-/** Algorithm identifier for ML-DSA-44 SIG. */
+/** Algorithm identifier for ML-DSA-44 */
 #define OQS_SIG_alg_ml_dsa_44 "ML-DSA-44"
-/** Algorithm identifier for ML-DSA-65-ipd */
-#define OQS_SIG_alg_ml_dsa_65_ipd "ML-DSA-65-ipd"
-/** Algorithm identifier for ML-DSA-65 SIG. */
+/** Algorithm identifier for ML-DSA-65 */
 #define OQS_SIG_alg_ml_dsa_65 "ML-DSA-65"
-/** Algorithm identifier for ML-DSA-87-ipd */
-#define OQS_SIG_alg_ml_dsa_87_ipd "ML-DSA-87-ipd"
-/** Algorithm identifier for ML-DSA-87 SIG. */
+/** Algorithm identifier for ML-DSA-87 */
 #define OQS_SIG_alg_ml_dsa_87 "ML-DSA-87"
 /** Algorithm identifier for Falcon-512 */
 #define OQS_SIG_alg_falcon_512 "Falcon-512"
@@ -131,7 +125,7 @@ extern "C" {
 ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_START
 /** Number of algorithm identifiers above. */
-#define OQS_SIG_algs_length 47
+#define OQS_SIG_algs_length 44
 ///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_END
 /**
diff --git a/tests/KATs/sig/kats.json b/tests/KATs/sig/kats.json
index 20bf93e658..086d1df6d6 100644
--- a/tests/KATs/sig/kats.json
+++ b/tests/KATs/sig/kats.json
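Review bot: Deleting `OQS_SIG_alg_ml_dsa_44_ipd`, `OQS_SIG_alg_ml_dsa_65_ipd` and `OQS_SIG_alg_ml_dsa_87_ipd` from the public header, and dropping `OQS_SIG_algs_length` from 47 to 44, is a source- and behaviour-level break for any consumer that referenced the `_ipd` macros, passed the `"ML-DSA-44-ipd"` strings to `OQS_SIG_new`, or cached indices returned by `OQS_SIG_alg_identifier`, and nothing in the hunk records that. At minimum I would note it in the surviving header comment, e.g. `/** Algorithm identifier for ML-DSA-44 (the former "ML-DSA-44-ipd" identifier has been removed) */`, and state in the release notes that the `-ipd` names are no longer accepted. Whether the old names should instead survive as deprecated aliases depends on whether keys and signatures produced by the IPD code are interoperable with the replacement; if they are not, removing the names outright is the safer choice, and it should be stated as deliberate so nobody re-adds an alias that silently verifies IPD signatures under the new name.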
@@ -45,27 +45,15 @@
 },
 "ML-DSA-44": {
 "all": "183bc0c4398ade4fc17b6a7d876b82545a96331139a4f27269c95664b8c483f9",
- "single": "e6f3ec4dc0b02dd3bcbbc6b105190e1890ca0bb3f802e2b571f0d70f3993a2e1"
- },
- "ML-DSA-44-ipd": {
- "all": "183bc0c4398ade4fc17b6a7d876b82545a96331139a4f27269c95664b8c483f9",
- "single": "e6f3ec4dc0b02dd3bcbbc6b105190e1890ca0bb3f802e2b571f0d70f3993a2e1"
+ "single": "9a196e7fb32fbc93757dc2d8dc1924460eab66303c0c08aeb8b798fb8d8f8cf3"
 },
 "ML-DSA-65": {
 "all": "3af4bdd2567fca1016583f917067dd5624bba2df2210934f62b2f6127cf88547",
- "single": "7225c4531086d88c9b7fa18101b0f78dda2d38df88812c65ddc1ae94fe3c01a7"
- },
- "ML-DSA-65-ipd": {
- "all": "3af4bdd2567fca1016583f917067dd5624bba2df2210934f62b2f6127cf88547",
- "single": "7225c4531086d88c9b7fa18101b0f78dda2d38df88812c65ddc1ae94fe3c01a7"
+ "single": "7cb96242eac9907a55b5c84c202f0ebd552419c50b2e986dc2e28f07ecebf072"
 },
 "ML-DSA-87": {
 "all": "cfd95d8ff8b92173685805ad8e3380095e4991bb3947b73f4c7e108ab47c5052",
- "single": "f5cb5ed44a261a4118f9cfd5d55b4210939cb5b8531968a10c37060551a8927f"
- },
- "ML-DSA-87-ipd": {
- "all": "cfd95d8ff8b92173685805ad8e3380095e4991bb3947b73f4c7e108ab47c5052",
- "single": "f5cb5ed44a261a4118f9cfd5d55b4210939cb5b8531968a10c37060551a8927f"
+ "single": "4537905d2aabcf302fab2f242baed293459ecda7c230e6a67063b02c7e2840ed"
 },
 "SPHINCS+-SHA2-128f-simple": {
 "all": "4437eb44516630184c3cb5d3a4392e8bb955c2bf59ad17ab3c607fb7b7285780",
diff --git a/tests/constant_time/sig/issues.json b/tests/constant_time/sig/issues.json
index aa5102178e..4ff0064096 100644
--- a/tests/constant_time/sig/issues.json
+++ b/tests/constant_time/sig/issues.json
@@ -28,9 +28,6 @@
 "MAYO_1": [],
 "MAYO_2": [],
 "MAYO_3": [],
- "ML-DSA-44-ipd": [],
- "ML-DSA-65-ipd": [],
- "ML-DSA-87-ipd": [],
 "ML-DSA-44": [],
 "ML-DSA-65": [],
 "ML-DSA-87": [],
diff --git a/tests/constant_time/sig/passes.json b/tests/constant_time/sig/passes.json
index 65247af661..ed2f1d9dc5 100644
--- a/tests/constant_time/sig/passes.json
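Review bot: The `all` digests for ML-DSA-44, -65 and -87 are untouched by this hunk (they equal the values of the deleted `-ipd` entries) while only the `single` digests change. If the implementation behind these names moved from the draft to the standardized scheme, as the rest of the commit suggests, the full KAT digest should change as well, so either `all` was not regenerated or the two modes hash different material; please confirm which before these values become the reference the KAT test pins against. A stale `all` digest would make the KAT check pass against the old draft output rather than the new scheme.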
+++ b/tests/constant_time/sig/passes.json
@@ -29,9 +29,6 @@
 "MAYO-2": ["mayo"],
 "MAYO-3": ["mayo"],
 "MAYO-5": ["mayo"],
- "ML-DSA-44-ipd": ["ml_dsa", "ml_dsa-avx2"],
- "ML-DSA-65-ipd": ["ml_dsa", "ml_dsa-avx2"],
- "ML-DSA-87-ipd": ["ml_dsa", "ml_dsa-avx2"],
 "ML-DSA-44": ["ml_dsa", "ml_dsa-avx2"],
 "ML-DSA-65": ["ml_dsa", "ml_dsa-avx2"],
 "ML-DSA-87": ["ml_dsa", "ml_dsa-avx2"],
diff --git a/tests/constant_time/sig/passes/ml_dsa b/tests/constant_time/sig/passes/ml_dsa
index f38940135b..69cc9ab23b 100644
--- a/tests/constant_time/sig/passes/ml_dsa
+++ b/tests/constant_time/sig/passes/ml_dsa
@@ -18,53 +18,53 @@
 Memcheck:Cond
 fun:rej_gamma1m1
 fun:pqcrystals_ml_dsa*_ref_poly_uniform_gamma1m1
- fun:pqcrystals_ml_dsa*_ref_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for challenge
 Memcheck:Cond
 fun:pqcrystals_ml_dsa*_ref_poly_challenge
- fun:pqcrystals_ml_dsa*_ref_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for challenge
 Memcheck:Value8
 fun:pqcrystals_ml_dsa*_ref_poly_challenge
- fun:pqcrystals_ml_dsa*_ref_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:154 # Call to polyvecl_chknorm
+ src:sign.c:166 # Call to polyvecl_chknorm
 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:163 # Call to polyveck_chknorm
+ src:sign.c:175 # Call to polyveck_chknorm
 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:170 # Call to polyveck_chknorm
+ src:sign.c:182 # Call to polyveck_chknorm
 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Hint does not need to be computed in constant time
 Memcheck:Cond
 ...
- src:sign.c:174 # Call to polyveck_make_hint
+ src:sign.c:186 # Call to polyveck_make_hint
 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Rejection sampling for hint
 Memcheck:Cond
 ...
- src:sign.c:175 # Checking number of 1 bits in hint
+ src:sign.c:187 # Checking number of 1 bits in hint
 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
diff --git a/tests/constant_time/sig/passes/ml_dsa-avx2 b/tests/constant_time/sig/passes/ml_dsa-avx2
index a9ad9fb3d1..d13da32342 100644
--- a/tests/constant_time/sig/passes/ml_dsa-avx2
+++ b/tests/constant_time/sig/passes/ml_dsa-avx2
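Review bot: The caller frame in the rewritten suppressions goes from the namespaced wildcard `fun:pqcrystals_ml_dsa*_ref_signature` to the plain `fun:crypto_sign_signature_ctx`, so these entries now key on an un-namespaced symbol while every other frame keeps the `pqcrystals_ml_dsa*` prefix; please confirm this is the name that actually appears in the Valgrind stack for all three parameter sets, since a symbol that is inlined or renamed by the namespacing macro would leave the suppressions dead and the constant-time run reporting findings. The commented frames `# fun:pqcrystals_ml_dsa*_ref_signature` in the `src:sign.c:*` entries still name the old function and would read more truthfully as `# fun:crypto_sign_signature_ctx`. The same two points apply to the ml_dsa-avx2 hunks (`@@ -34`, `-65`, `-73`, `-89`, `-111`), where the `src:sign.c:279` entries additionally carry `# fun:pqcrystals_ml_dsa*_ref_signature` in an avx2 file.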
@@ -34,14 +34,14 @@
 Memcheck:Cond
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1_4x
- fun:pqcrystals_ml_dsa*_avx2_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for y
 Memcheck:Value8
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1_4x
- fun:pqcrystals_ml_dsa*_avx2_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for s1 and s2
@@ -65,7 +65,7 @@
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1_preinit
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1
- fun:pqcrystals_ml_dsa*_avx2_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for y
@@ -73,7 +73,7 @@
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1_preinit
 fun:pqcrystals_ml_dsa*_avx2_poly_uniform_gamma1m1
- fun:pqcrystals_ml_dsa*_avx2_signature
+ fun:crypto_sign_signature_ctx
 }
 {
 Rejection sampling for challenge
@@ -89,21 +89,21 @@
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:240 # Call to poly_chknorm
+ src:sign.c:253 # Call to poly_chknorm
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:255 # Call to poly_chknorm
+ src:sign.c:268 # Call to poly_chknorm
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
 Rejection sampling for signature distribution
 Memcheck:Cond
 ...
- src:sign.c:262 # Call to poly_chknorm
+ src:sign.c:275 # Call to poly_chknorm
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
@@ -111,34 +111,34 @@
 Memcheck:Cond
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_make_hint
- src:sign.c:266 # fun:pqcrystals_ml_dsa*_ref_signature
+ src:sign.c:279 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Hint does not need to be computed in constant time
 Memcheck:Value8
 ...
 fun:pqcrystals_ml_dsa*_avx2_poly_make_hint
- src:sign.c:266 # fun:pqcrystals_ml_dsa*_ref_signature
+ src:sign.c:279 # fun:pqcrystals_ml_dsa*_ref_signature
 }
 {
 Rejection sampling for hint
 Memcheck:Cond
 ...
- src:sign.c:267 # Checking number of 1 bits in hint
+ src:sign.c:280 # Checking number of 1 bits in hint
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
 Hint positions are not secret
 Memcheck:Cond
 ...
- src:sign.c:271 # memcpy
+ src:sign.c:284 # memcpy
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
 Hint positions are not secret
 Memcheck:Value8
 ...
- src:sign.c:271 # memcpy
+ src:sign.c:284 # memcpy
 # fun:pqcrystals_ml_dsa*_avx2_signature
 }
 {
diff --git a/tests/kat_sig.c b/tests/kat_sig.c
index 0c873afc97..fef7261585 100644
--- a/tests/kat_sig.c
+++ b/tests/kat_sig.c
@@ -62,7 +62,7 @@ OQS_STATUS combine_message_signature(uint8_t **signed_msg, size_t *signed_msg_le
 memcpy(*signed_msg, signature, signature_len);
 memcpy(*signed_msg + signature_len, msg, msg_len);
 return OQS_SUCCESS;
- } else if (0 == strcmp(sig->method_name, "ML-DSA-44-ipd") || 0 == strcmp(sig->method_name, "ML-DSA-44")) {
+ } else if (0 == strcmp(sig->method_name, "ML-DSA-44")) {
 // signed_msg = signature || msg
 *signed_msg_len = signature_len + msg_len;
 *signed_msg = malloc(*signed_msg_len);
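Review bot: The rewritten condition in the `@@ -62,7 +62,7 @@` hunk of kat_sig.c keeps the string literal `"ML-DSA-44"` even though sig.h provides `OQS_SIG_alg_ml_dsa_44` for exactly this string, and `is_ml_dsa` in vectors_sig.c later in this commit already compares against the macros. Using `} else if (0 == strcmp(sig->method_name, OQS_SIG_alg_ml_dsa_44)) {` here, and `OQS_SIG_alg_ml_dsa_65` / `OQS_SIG_alg_ml_dsa_87` in the `@@ -72` and `@@ -82` hunks, keeps the two test programs from drifting the next time the identifier changes, assuming the header is reachable from this file. combine_message_signature starts and ends outside the hunk.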
@@ -72,7 +72,7 @@ OQS_STATUS combine_message_signature(uint8_t **signed_msg, size_t *signed_msg_le
 memcpy(*signed_msg, signature, signature_len);
 memcpy(*signed_msg + signature_len, msg, msg_len);
 return OQS_SUCCESS;
- } else if (0 == strcmp(sig->method_name, "ML-DSA-65-ipd") || 0 == strcmp(sig->method_name, "ML-DSA-65")) {
+ } else if (0 == strcmp(sig->method_name, "ML-DSA-65")) {
 // signed_msg = signature || msg
 *signed_msg_len = signature_len + msg_len;
 *signed_msg = malloc(*signed_msg_len);
@@ -82,7 +82,7 @@ OQS_STATUS combine_message_signature(uint8_t **signed_msg, size_t *signed_msg_le
 memcpy(*signed_msg, signature, signature_len);
 memcpy(*signed_msg + signature_len, msg, msg_len);
 return OQS_SUCCESS;
- } else if (0 == strcmp(sig->method_name, "ML-DSA-87-ipd") || 0 == strcmp(sig->method_name, "ML-DSA-87")) {
+ } else if (0 == strcmp(sig->method_name, "ML-DSA-87")) {
 // signed_msg = signature || msg
 *signed_msg_len = signature_len + msg_len;
 *signed_msg = malloc(*signed_msg_len);
diff --git a/tests/vectors_sig.c b/tests/vectors_sig.c
index 04652498a9..fcbd6a5828 100644
--- a/tests/vectors_sig.c
+++ b/tests/vectors_sig.c
@@ -60,10 +60,7 @@ static void hexStringToByteArray(const char *hexString, uint8_t *byteArray) {
 /* HQC-specific functions */
 static inline bool is_ml_dsa(const char *method_name) {
- return (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_44_ipd))
- || (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_65_ipd))
- || (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_87_ipd))
- || (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_44))
+ return (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_44))
 || (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_65))
 || (0 == strcmp(method_name, OQS_SIG_alg_ml_dsa_87));
 }
diff --git a/zephyr/Kconfig b/zephyr/Kconfig
index 9ad402f4db..48d76fd4a8 100644
--- a/zephyr/Kconfig
+++ b/zephyr/Kconfig
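Review bot: In the vectors_sig.c hunk (`@@ -60,10 +60,7 @@`) the context comment `/* HQC-specific functions */` sits directly above the rewritten `is_ml_dsa` and does not describe it. Since the hunk already touches this function, I'd change the comment to `/* ML-DSA-specific functions */` so the next reader is not sent looking for HQC code here.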
@@ -42,7 +42,7 @@ config LIBOQS_ENABLE_KEM_KYBER
 depends on LIBOQS
 config LIBOQS_ENABLE_KEM_ML_KEM
- bool "Enable the ML-KEM algorithm (ML-KEM-ipd)"
+ bool "Enable the ML-KEM algorithm (ML-KEM)"
 default y
 depends on LIBOQS
@@ -52,7 +52,7 @@ config LIBOQS_ENABLE_SIG_DILITHIUM
 depends on LIBOQS
 config LIBOQS_ENABLE_SIG_ML_DSA
- bool "Enable the ML-DSA signature algorithm (ML-DSA-ipd)"
+ bool "Enable the ML-DSA signature algorithm (ML-DSA)"
 default y
 depends on LIBOQS
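Review bot: After the rename the parenthetical only repeats the option name, `bool "Enable the ML-KEM algorithm (ML-KEM)"`, and carries no information; `bool "Enable the ML-KEM algorithm"` (and `bool "Enable the ML-DSA signature algorithm"` in the `@@ -52` hunk) reads cleaner. If the parenthetical was meant to record which version of the scheme the build provides, naming that version explicitly would be more useful to someone configuring a Zephyr image than the bare acronym.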