├── auto.mk ├── examples ├── basic │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ ├── mldsa_native.h │ │ └── mldsa_native_config.h │ ├── .gitignore │ ├── test_only_rng │ │ └── notrandombytes.h │ └── README.md ├── custom_backend │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ │ ├── ct.c │ │ │ ├── ct.h │ │ │ ├── sys.h │ │ │ ├── cbmc.h │ │ │ ├── debug.c │ │ │ ├── debug.h │ │ │ ├── poly.c │ │ │ ├── poly.h │ │ │ ├── sign.c │ │ │ ├── sign.h │ │ │ ├── common.h │ │ │ ├── packing.c │ │ │ ├── packing.h │ │ │ ├── params.h │ │ │ ├── poly_kl.c │ │ │ ├── poly_kl.h │ │ │ ├── polyvec.c │ │ │ ├── polyvec.h │ │ │ ├── reduce.h │ │ │ ├── rounding.h │ │ │ ├── zetas.inc │ │ │ ├── symmetric.h │ │ │ ├── randombytes.h │ │ │ └── fips202 │ │ │ │ ├── fips202.c │ │ │ │ ├── fips202.h │ │ │ │ ├── fips202x4.c │ │ │ │ ├── fips202x4.h │ │ │ │ ├── keccakf1600.c │ │ │ │ ├── keccakf1600.h │ │ │ │ └── native │ │ │ │ ├── api.h │ │ │ │ └── custom │ │ │ │ ├── custom.h │ │ │ │ └── src │ │ │ │ ├── LICENSE │ │ │ │ └── sha3.h │ │ └── mldsa_native.h │ ├── expected_signatures.h │ ├── test_only_rng │ │ ├── notrandombytes.c │ │ └── notrandombytes.h │ └── .gitignore ├── basic_deterministic │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ └── mldsa_native.h │ ├── expected_signatures.h │ ├── .gitignore │ └── README.md ├── multilevel_build │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ └── mldsa_native.h │ ├── expected_signatures.h │ ├── test_only_rng │ │ ├── notrandombytes.c │ │ └── notrandombytes.h │ ├── .gitignore │ └── mldsa_native_all.h ├── bring_your_own_fips202 │ ├── auto.mk │ ├── expected_signatures.h │ ├── mldsa_native │ │ ├── src │ │ │ ├── cbmc.h │ │ │ ├── ct.c │ │ │ ├── ct.h │ │ │ ├── native │ │ │ ├── poly.c │ │ │ ├── poly.h │ │ │ ├── sign.c │ │ │ ├── sign.h │ │ │ ├── sys.h │ │ │ ├── common.h │ │ │ ├── debug.c │ │ │ ├── debug.h │ │ │ ├── fips202 │ │ │ ├── params.h │ │ │ ├── reduce.h │ │ │ ├── packing.c │ │ │ ├── packing.h │ │ │ ├── poly_kl.c │ │ │ ├── poly_kl.h │ │ │ ├── polyvec.c │ │ │ ├── polyvec.h 
│ │ │ ├── rounding.h │ │ │ ├── symmetric.h │ │ │ ├── zetas.inc │ │ │ └── randombytes.h │ │ └── mldsa_native.h │ ├── .gitignore │ ├── test_only_rng │ │ └── notrandombytes.h │ └── custom_fips202 │ │ └── tiny_sha3 │ │ └── sha3.h ├── monolithic_build │ ├── mldsa_native │ │ ├── src │ │ ├── mldsa_native.c │ │ └── mldsa_native.h │ ├── test_only_rng │ ├── expected_signatures.h │ └── .gitignore ├── monolithic_build_native │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ ├── mldsa_native.S │ │ ├── mldsa_native.c │ │ └── mldsa_native.h │ ├── test_only_rng │ ├── expected_signatures.h │ └── .gitignore ├── multilevel_build_native │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ └── mldsa_native.h │ ├── expected_signatures.h │ ├── test_only_rng │ │ ├── notrandombytes.c │ │ └── notrandombytes.h │ ├── .gitignore │ └── mldsa_native_all.h ├── bring_your_own_fips202_static │ ├── auto.mk │ ├── mldsa_native │ │ ├── src │ │ │ ├── ct.c │ │ │ ├── ct.h │ │ │ ├── sys.h │ │ │ ├── cbmc.h │ │ │ ├── debug.c │ │ │ ├── debug.h │ │ │ ├── fips202 │ │ │ ├── native │ │ │ ├── poly.c │ │ │ ├── poly.h │ │ │ ├── sign.c │ │ │ ├── sign.h │ │ │ ├── common.h │ │ │ ├── packing.c │ │ │ ├── packing.h │ │ │ ├── params.h │ │ │ ├── poly_kl.c │ │ │ ├── poly_kl.h │ │ │ ├── polyvec.c │ │ │ ├── polyvec.h │ │ │ ├── reduce.h │ │ │ ├── rounding.h │ │ │ ├── zetas.inc │ │ │ ├── symmetric.h │ │ │ └── randombytes.h │ │ └── mldsa_native.h │ ├── expected_signatures.h │ ├── custom_fips202 │ │ └── tiny_sha3 │ ├── .gitignore │ └── test_only_rng │ │ └── notrandombytes.h ├── monolithic_build_multilevel │ ├── mldsa_native │ │ ├── src │ │ ├── mldsa_native.S │ │ ├── mldsa_native.c │ │ └── mldsa_native.h │ ├── test_only_rng │ ├── .gitignore │ ├── mldsa_native_all.h │ └── mldsa_native_all.c └── monolithic_build_multilevel_native │ ├── auto.mk │ ├── mldsa_native │ ├── src │ ├── mldsa_native.S │ ├── mldsa_native.c │ └── mldsa_native.h │ ├── test_only_rng │ ├── expected_signatures.h │ ├── .gitignore │ └── mldsa_native_all.c ├── proofs ├── 
cbmc │ ├── lib │ │ ├── __init__.py │ │ ├── z3_no_bv_extract │ │ └── z3_smt_only │ ├── ct_get_optblocker_i64 │ │ └── ct_get_optblocker_i64_harness.c │ ├── ct_get_optblocker_u32 │ │ └── ct_get_optblocker_u32_harness.c │ ├── ct_abs_i32 │ │ └── ct_abs_i32_harness.c │ ├── poly_ntt │ │ └── poly_ntt_harness.c │ ├── caddq │ │ └── caddq_harness.c │ ├── poly_add │ │ └── poly_add_harness.c │ ├── poly_sub │ │ └── poly_sub_harness.c │ ├── poly_caddq │ │ └── poly_caddq_harness.c │ ├── poly_reduce │ │ └── poly_reduce_harness.c │ ├── poly_shiftl │ │ └── poly_shiftl_harness.c │ ├── poly_ntt_native │ │ └── poly_ntt_native_harness.c │ ├── reduce32 │ │ └── reduce32_harness.c │ ├── ct_cmask_neg_i32 │ │ └── ct_cmask_neg_i32_harness.c │ ├── polyveck_ntt │ │ └── polyveck_ntt_harness.c │ ├── polyvecl_ntt │ │ └── polyvecl_ntt_harness.c │ ├── use_hint │ │ └── use_hint_harness.c │ ├── value_barrier_i64 │ │ └── value_barrier_i64_harness.c │ ├── poly_caddq_native │ │ └── poly_caddq_native_harness.c │ ├── polyveck_add │ │ └── polyveck_add_harness.c │ ├── polyveck_caddq │ │ └── polyveck_caddq_harness.c │ ├── polyveck_reduce │ │ └── polyveck_reduce_harness.c │ ├── polyveck_shiftl │ │ └── polyveck_shiftl_harness.c │ ├── polyveck_sub │ │ └── polyveck_sub_harness.c │ ├── polyvecl_add │ │ └── polyvecl_add_harness.c │ ├── polyvecl_reduce │ │ └── polyvecl_reduce_harness.c │ ├── value_barrier_u32 │ │ └── value_barrier_u32_harness.c │ ├── polyt0_pack │ │ └── polyt0_pack_harness.c │ ├── polyt1_pack │ │ └── polyt1_pack_harness.c │ ├── polyz_pack │ │ └── polyz_pack_harness.c │ ├── make_hint │ │ └── make_hint_harness.c │ ├── poly_use_hint │ │ └── poly_use_hint_harness.c │ ├── polyeta_pack │ │ └── polyeta_pack_harness.c │ ├── polyt0_unpack │ │ └── polyt0_unpack_harness.c │ ├── polyt1_unpack │ │ └── polyt1_unpack_harness.c │ ├── polyw1_pack │ │ └── polyw1_pack_harness.c │ ├── polyz_unpack │ │ └── polyz_unpack_harness.c │ ├── ct_sel_int32 │ │ └── ct_sel_int32_harness.c │ ├── fqscale │ │ └── fqscale_harness.c │ 
├── keccakf1600_permute │ │ └── keccakf1600_permute_harness.c │ ├── pack_pk │ │ └── pack_pk_harness.c │ ├── polyeta_unpack │ │ └── polyeta_unpack_harness.c │ ├── shake128_init │ │ └── shake128_init_harness.c │ ├── shake256_init │ │ └── shake256_init_harness.c │ ├── decompose │ │ └── decompose_harness.c │ ├── fqmul │ │ └── fqmul_harness.c │ ├── poly_decompose │ │ └── poly_decompose_harness.c │ ├── poly_invntt_tomont_native │ │ └── poly_invntt_tomont_native_harness.c │ ├── poly_power2round │ │ └── poly_power2round_harness.c │ ├── polyveck_use_hint │ │ └── polyveck_use_hint_harness.c │ ├── shake128_release │ │ └── shake128_release_harness.c │ ├── shake256_release │ │ └── shake256_release_harness.c │ ├── unpack_pk │ │ └── unpack_pk_harness.c │ ├── montgomery_reduce │ │ └── montgomery_reduce_harness.c │ ├── poly_use_hint_native │ │ └── poly_use_hint_native_harness.c │ ├── polyveck_pack_t0 │ │ └── polyveck_pack_t0_harness.c │ ├── polyveck_pack_w1 │ │ └── polyveck_pack_w1_harness.c │ ├── polyvecl_pack_z │ │ └── polyvecl_pack_z_harness.c │ ├── polyz_unpack_native │ │ └── polyz_unpack_native_harness.c │ ├── power2round │ │ └── power2round_harness.c │ ├── shake128_finalize │ │ └── shake128_finalize_harness.c │ ├── shake256_finalize │ │ └── shake256_finalize_harness.c │ ├── crypto_sign_keypair │ │ └── crypto_sign_keypair_harness.c │ ├── keccakf1600_permute_native │ │ └── keccakf1600_permute_native_harness.c │ ├── poly_challenge │ │ └── poly_challenge_harness.c │ ├── polyveck_decompose │ │ └── polyveck_decompose_harness.c │ ├── polyveck_pack_eta │ │ └── polyveck_pack_eta_harness.c │ ├── polyveck_power2round │ │ └── polyveck_power2round_harness.c │ ├── polyvecl_pack_eta │ │ └── polyvecl_pack_eta_harness.c │ ├── polyvecl_unpack_z │ │ └── polyvecl_unpack_z_harness.c │ ├── poly_decompose_native │ │ └── poly_decompose_native_harness.c │ ├── poly_make_hint │ │ └── poly_make_hint_harness.c │ ├── polyveck_unpack_eta │ │ └── polyveck_unpack_eta_harness.c │ ├── polyveck_unpack_t0 │ │ 
└── polyveck_unpack_t0_harness.c │ ├── polyvecl_unpack_eta │ │ └── polyvecl_unpack_eta_harness.c │ ├── poly_chknorm │ │ └── poly_chknorm_harness.c │ ├── poly_pointwise_montgomery │ │ └── poly_pointwise_montgomery_harness.c │ ├── polyvecl_chknorm │ │ └── polyvecl_chknorm_harness.c │ ├── crypto_sign_keypair_internal │ │ └── crypto_sign_keypair_internal_harness.c │ ├── ct_get_optblocker_u8 │ │ └── ct_get_optblocker_u8_harness.c │ ├── polyveck_chknorm │ │ └── polyveck_chknorm_harness.c │ ├── polyveck_make_hint │ │ └── polyveck_make_hint_harness.c │ ├── poly_chknorm_native │ │ └── poly_chknorm_native_harness.c │ ├── poly_invntt_tomont │ │ └── poly_invntt_tomont_harness.c │ ├── poly_pointwise_montgomery_native │ │ └── poly_pointwise_montgomery_native_harness.c │ ├── polyvec_matrix_expand │ │ └── polyvec_matrix_expand_harness.c │ ├── keccak_init │ │ └── keccak_init_harness.c │ ├── poly_uniform │ │ └── poly_uniform_harness.c │ ├── polyvec_matrix_expand_serial │ │ └── polyvec_matrix_expand_harness.c │ ├── pack_sk │ │ └── pack_sk_harness.c │ ├── poly_uniform_eta │ │ └── poly_uniform_eta_harness.c │ ├── pack_sig │ │ └── pack_sig_harness.c │ ├── poly_ntt_c │ │ └── poly_ntt_c_harness.c │ ├── value_barrier_u8 │ │ └── value_barrier_u8_harness.c │ ├── polyveck_invntt_tomont │ │ └── polyveck_invntt_tomont_harness.c │ ├── polyvecl_invntt_tomont │ │ └── polyvecl_invntt_tomont_harness.c │ ├── shake128_absorb │ │ └── shake128_absorb_harness.c │ ├── shake256_absorb │ │ └── shake256_absorb_harness.c │ ├── unpack_sk │ │ └── unpack_sk_harness.c │ ├── shake256 │ │ └── shake256_harness.c │ ├── poly_caddq_c │ │ └── poly_caddq_c_harness.c │ ├── polyvecl_pointwise_acc_montgomery │ │ └── polyvecl_pointwise_acc_montgomery_harness.c │ ├── shake128_squeeze │ │ └── shake128_squeeze_harness.c │ ├── shake256_squeeze │ │ └── shake256_squeeze_harness.c │ ├── unpack_sig │ │ └── unpack_sig_harness.c │ ├── polyveck_pointwise_poly_montgomery │ │ └── polyveck_pointwise_poly_montgomery_harness.c │ ├── 
polyvecl_pointwise_poly_montgomery │ │ └── polyvecl_pointwise_poly_montgomery_harness.c │ ├── polyvecl_uniform_gamma1 │ │ └── polyvecl_uniform_gamma1_harness.c │ ├── ntt_layer │ │ └── ntt_layer_harness.c │ ├── polyvecl_pointwise_acc_montgomery_native │ │ └── polyvecl_pointwise_acc_montgomery_native_harness.c │ ├── polyvecl_uniform_gamma1_serial │ │ └── polyvecl_uniform_gamma1_harness.c │ ├── ct_memcmp │ │ └── ct_memcmp_harness.c │ ├── invntt_layer │ │ └── invntt_layer_harness.c │ ├── list_proofs.sh │ ├── polyvec_matrix_pointwise_montgomery │ │ └── polyvec_matrix_pointwise_montgomery_harness.c │ ├── poly_uniform_eta_4x │ │ └── poly_uniform_eta_4x_harness.c │ ├── dummy_backend_fips202_x1.h │ ├── dummy_backend_fips202_x4.h │ ├── keccakf1600x4_permute │ │ └── keccakf1600x4_permute_harness.c │ ├── polymat_permute_bitrev_to_custom │ │ └── polymat_permute_bitrev_to_custom_harness.c │ ├── crypto_sign_signature_extmu │ │ └── crypto_sign_signature_extmu_harness.c │ ├── poly_uniform_gamma1_4x │ │ └── poly_uniform_gamma1_4x_harness.c │ ├── crypto_sign_verify_extmu │ │ └── crypto_sign_verify_extmu_harness.c │ ├── poly_uniform_4x │ │ └── poly_uniform_4x_harness.c │ ├── keccakf1600x4_permute_native │ │ └── keccakf1600x4_permute_native_harness.c │ ├── poly_chknorm_c │ │ └── poly_chknorm_c_harness.c │ ├── crypto_sign │ │ └── crypto_sign_harness.c │ ├── poly_invntt_tomont_c │ │ └── poly_invntt_tomont_c_harness.c │ ├── unpack_hints │ │ └── unpack_hints_harness.c │ ├── crypto_sign_open │ │ └── crypto_sign_open_harness.c │ ├── keccakf1600_extract_bytes │ │ └── keccakf1600_extract_bytes_harness.c │ ├── check_pct │ │ └── check_pct_harness.c │ ├── keccakf1600_extract_bytes_BE │ │ └── keccakf1600_extract_bytes_be_harness.c │ ├── poly_pointwise_montgomery_c │ │ └── poly_pointwise_montgomery_c_harness.c │ ├── crypto_sign_signature │ │ └── crypto_sign_signature_harness.c │ ├── sample_s1_s2 │ │ └── sample_s1_s2_harness.c │ ├── polyz_unpack_c │ │ └── polyz_unpack_c_harness.c │ ├── 
poly_use_hint_c │ │ └── poly_use_hint_c_harness.c │ ├── prepare_domain_separation_prefix │ │ ├── prepare_domain_separation_prefix_harness.c │ │ └── Makefile │ ├── sample_s1_s2_serial │ │ └── sample_s1_s2_harness.c │ ├── crypto_sign_verify │ │ └── crypto_sign_verify_harness.c │ ├── keccak_finalize │ │ └── keccak_finalize_harness.c │ ├── crypto_sign_pk_from_sk │ │ └── crypto_sign_pk_from_sk_harness.c │ ├── poly_decompose_c │ │ └── poly_decompose_c_harness.c │ ├── poly_uniform_gamma1 │ │ └── poly_uniform_gamma1_harness.c │ ├── keccakf1600_xor_bytes │ │ └── keccakf1600_xor_bytes_harness.c │ ├── keccakf1600_xor_bytes_BE │ │ └── keccakf1600_xor_bytes_be_harness.c │ ├── .gitignore │ ├── ntt_butterfly_block │ │ └── ntt_butterfly_block_harness.c │ ├── crypto_sign_verify_internal │ │ └── crypto_sign_verify_internal_harness.c │ ├── crypto_sign_verify_pre_hash_shake256 │ │ └── crypto_sign_verify_pre_hash_shake256_harness.c │ ├── keccak_squeeze │ │ └── keccak_squeeze_harness.c │ ├── shake128x4_absorb_once │ │ └── shake128x4_absorb_once_harness.c │ ├── shake256x4_absorb_once │ │ └── shake256x4_absorb_once_harness.c │ ├── crypto_sign_signature_internal │ │ └── crypto_sign_signature_internal_harness.c │ ├── keccakf1600x4_xor_bytes │ │ └── keccakf1600x4_xor_bytes_harness.c │ ├── rej_eta │ │ └── rej_eta_harness.c │ ├── crypto_sign_verify_pre_hash_internal │ │ └── crypto_sign_verify_pre_hash_internal_harness.c │ ├── keccakf1600x4_extract_bytes │ │ └── keccakf1600x4_extract_bytes_harness.c │ ├── crypto_sign_signature_pre_hash_shake256 │ │ └── crypto_sign_signature_pre_hash_shake256_harness.c │ ├── rej_eta_native │ │ └── rej_eta_native_harness.c │ ├── rej_uniform │ │ └── rej_uniform_harness.c │ ├── keccak_absorb │ │ └── keccak_absorb_harness.c │ ├── H │ │ └── H_harness.c │ ├── rej_uniform_c │ │ └── rej_uniform_c_harness.c │ ├── rej_uniform_native │ │ └── rej_uniform_native_harness.c │ ├── crypto_sign_signature_pre_hash_internal │ │ └── crypto_sign_signature_pre_hash_internal_harness.c 
│ ├── shake128x4_squeezeblocks │ │ └── shake128x4_squeezeblocks_harness.c │ ├── shake256x4_squeezeblocks │ │ └── shake256x4_squeezeblocks_harness.c │ ├── rej_eta_c │ │ └── rej_eta_c_harness.c │ ├── polyvecl_pointwise_acc_montgomery_c │ │ └── polyvecl_pointwise_acc_montgomery_c_harness.c │ ├── compute_t0_t1_tr_from_sk_components │ │ └── compute_t0_t1_tr_from_sk_components_harness.c │ ├── keccak_squeezeblocks_x4 │ │ └── keccak_squeezeblocks_x4_harness.c │ ├── Makefile_params.common │ ├── keccak_absorb_once_x4 │ │ └── keccak_absorb_once_x4_harness.c │ ├── attempt_signature_generation │ │ └── attempt_signature_generation_harness.c │ └── dummy_backend.h ├── hol_light │ ├── .gitignore │ └── x86_64 │ │ ├── list_proofs.sh │ │ └── proofs │ │ └── dump_bytecode.ml └── README.md ├── .gitignore ├── CODEOWNERS ├── .github ├── dependabot.yml ├── workflows │ ├── lint_markdown.yml │ ├── slothy.yml │ └── baremetal.yml └── actions │ ├── setup-yum │ └── action.yml │ ├── setup-brew │ └── action.yml │ ├── setup-apt │ └── action.yml │ ├── setup-oqs │ └── action.yml │ └── setup-os │ └── action.yml ├── dev ├── x86_64 │ ├── README.md │ └── src │ │ ├── align.h │ │ ├── consts.h │ │ └── poly_chknorm_avx2.c ├── fips202 │ └── aarch64 │ │ ├── x1_scalar.h │ │ ├── x4_v8a_scalar.h │ │ ├── x1_v84a.h │ │ ├── x4_v8a_v84a_scalar.h │ │ └── x2_v84a.h ├── aarch64_opt │ ├── src │ │ ├── README.md │ │ └── polyz_unpack_table.c │ └── README.md └── aarch64_clean │ └── src │ └── polyz_unpack_table.c ├── SECURITY.md ├── nix ├── valgrind │ ├── default.nix │ └── README.md ├── s2n_bignum │ └── default.nix ├── hol_light │ ├── 0006-Add-findlib-to-ocaml-hol.patch │ └── default.nix ├── cbmc │ ├── cbmc-viewer.nix │ ├── litani.nix │ └── default.nix ├── m55-an547-arm-none-eabi │ └── default.nix ├── aarch64_be-none-linux-gnu-gcc.nix └── slothy │ └── default.nix ├── .envrc ├── mldsa └── src │ ├── native │ ├── meta.h │ ├── x86_64 │ │ └── src │ │ │ ├── align.h │ │ │ ├── consts.h │ │ │ └── poly_chknorm_avx2.c │ └── aarch64 │ │ 
└── src │ │ ├── polyz_unpack_table.c │ │ ├── poly_caddq_asm.S │ │ └── poly_chknorm_asm.S │ ├── fips202 │ └── native │ │ ├── auto.h │ │ ├── x86_64 │ │ ├── src │ │ │ └── KeccakP_1600_times4_SIMD256.h │ │ └── xkcp.h │ │ └── aarch64 │ │ ├── x1_scalar.h │ │ ├── x4_v8a_scalar.h │ │ ├── x1_v84a.h │ │ ├── x4_v8a_v84a_scalar.h │ │ └── x2_v84a.h │ ├── ct.c │ └── randombytes.h ├── MAINTAINERS.md ├── scripts └── copy_nix_from_upstream ├── RELICENSE.md ├── test ├── notrandombytes │ └── notrandombytes.h ├── baremetal │ └── platform │ │ └── m55-an547 │ │ ├── exec_wrapper.py │ │ └── platform.mk └── hal │ └── hal.h ├── META.yml ├── integration └── liboqs │ ├── fips202_glue.h │ └── fips202x4_glue.h ├── META.sh ├── .clang-format └── STDLIB.md /auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/basic/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/basic/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/custom_backend/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/basic_deterministic/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/multilevel_build/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk 
-------------------------------------------------------------------------------- /examples/bring_your_own_fips202/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/monolithic_build/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/monolithic_build/test_only_rng: -------------------------------------------------------------------------------- 1 | ../basic/test_only_rng/ -------------------------------------------------------------------------------- /examples/monolithic_build_native/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/multilevel_build/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/multilevel_build_native/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/basic_deterministic/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/auto.mk: -------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/monolithic_build_native/mldsa_native/src: 
-------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/multilevel_build_native/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/basic/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/ct.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/ct.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/sys.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sys.h -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/test_only_rng: -------------------------------------------------------------------------------- 1 | ../basic/test_only_rng/ -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/auto.mk: 
-------------------------------------------------------------------------------- 1 | ../../test/mk/auto.mk -------------------------------------------------------------------------------- /examples/monolithic_build_native/test_only_rng: -------------------------------------------------------------------------------- 1 | ../basic/test_only_rng/ -------------------------------------------------------------------------------- /examples/custom_backend/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/cbmc.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/cbmc.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/debug.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/debug.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/poly.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/poly.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/sign.c: 
-------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/sign.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.h -------------------------------------------------------------------------------- /examples/monolithic_build/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/basic_deterministic/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/cbmc.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/cbmc.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/ct.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/ct.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/native: 
-------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/native -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/poly.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/poly.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/sign.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/sign.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/sys.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sys.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/common.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/common.h -------------------------------------------------------------------------------- 
/examples/custom_backend/mldsa_native/src/packing.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/packing.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/params.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/params.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/poly_kl.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/poly_kl.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/polyvec.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/polyvec.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/reduce.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/reduce.h 
-------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/rounding.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/rounding.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/zetas.inc: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/zetas.inc -------------------------------------------------------------------------------- /examples/monolithic_build/mldsa_native/mldsa_native.c: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.c -------------------------------------------------------------------------------- /examples/monolithic_build/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/mldsa_native/src: -------------------------------------------------------------------------------- 1 | ../../../mldsa/src/ -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/test_only_rng: -------------------------------------------------------------------------------- 1 | ../basic/test_only_rng/ -------------------------------------------------------------------------------- /examples/multilevel_build/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /proofs/cbmc/lib/__init__.py: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC 
OR MIT 2 | -------------------------------------------------------------------------------- /examples/basic/mldsa_native/mldsa_native_config.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native_config.h -------------------------------------------------------------------------------- /examples/basic_deterministic/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/common.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/common.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/debug.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/debug.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/fips202: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/fips202 -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/params.h: 
-------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/params.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/reduce.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/reduce.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/ct.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/ct.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/ct.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/sys.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sys.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/symmetric.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/symmetric.h -------------------------------------------------------------------------------- /examples/monolithic_build_native/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/packing.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.c -------------------------------------------------------------------------------- 
/examples/bring_your_own_fips202/mldsa_native/src/packing.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/poly_kl.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/poly_kl.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/polyvec.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/polyvec.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/rounding.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/rounding.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/symmetric.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/symmetric.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/zetas.inc: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/zetas.inc 
-------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../basic/expected_signatures.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/cbmc.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/cbmc.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/debug.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/debug.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/debug.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/fips202: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/fips202 -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/native: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/native -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/poly.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/poly.h: 
-------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/sign.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/sign.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/sign.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/randombytes.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/randombytes.h -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native/mldsa_native.S: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.S -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native/mldsa_native.c: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.c -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/monolithic_build_native/mldsa_native/mldsa_native.S: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.S 
-------------------------------------------------------------------------------- /examples/monolithic_build_native/mldsa_native/mldsa_native.c: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.c -------------------------------------------------------------------------------- /examples/monolithic_build_native/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/multilevel_build_native/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/basic/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/mldsa_native/src/randombytes.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/randombytes.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/common.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/common.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/packing.c: 
-------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/packing.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/packing.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/params.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/params.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/poly_kl.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/poly_kl.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/poly_kl.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/polyvec.c: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.c -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/polyvec.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/polyvec.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/reduce.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/reduce.h 
-------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/rounding.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/rounding.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/zetas.inc: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/zetas.inc -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/symmetric.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/symmetric.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/fips202.c: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/fips202.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/fips202.h: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/fips202.h -------------------------------------------------------------------------------- /examples/custom_backend/test_only_rng/notrandombytes.c: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.c -------------------------------------------------------------------------------- /examples/custom_backend/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.h -------------------------------------------------------------------------------- 
/examples/monolithic_build_multilevel_native/mldsa_native/mldsa_native.S: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.S -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/mldsa_native/mldsa_native.c: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.c -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/mldsa_native/mldsa_native.h: -------------------------------------------------------------------------------- 1 | ../../../mldsa/mldsa_native.h -------------------------------------------------------------------------------- /examples/multilevel_build/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../monolithic_build_multilevel/expected_signatures.h -------------------------------------------------------------------------------- /examples/multilevel_build/test_only_rng/notrandombytes.c: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.c -------------------------------------------------------------------------------- /examples/multilevel_build/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/mldsa_native/src/randombytes.h: -------------------------------------------------------------------------------- 1 | ../../../../mldsa/src/randombytes.h -------------------------------------------------------------------------------- /examples/custom_backend/.gitignore: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/fips202x4.c: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/fips202x4.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/fips202x4.h: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/fips202x4.h -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/keccakf1600.c: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/keccakf1600.c -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/keccakf1600.h: -------------------------------------------------------------------------------- 1 | ../../../../../mldsa/src/fips202/keccakf1600.h -------------------------------------------------------------------------------- /examples/monolithic_build/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/multilevel_build/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/multilevel_build_native/expected_signatures.h: 
-------------------------------------------------------------------------------- 1 | ../monolithic_build_multilevel/expected_signatures.h -------------------------------------------------------------------------------- /examples/multilevel_build_native/test_only_rng/notrandombytes.c: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.c -------------------------------------------------------------------------------- /examples/multilevel_build_native/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | ../../../test/notrandombytes/notrandombytes.h -------------------------------------------------------------------------------- /examples/basic_deterministic/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/native/api.h: -------------------------------------------------------------------------------- 1 | ../../../../../../mldsa/src/fips202/native/api.h -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/custom_fips202/tiny_sha3: -------------------------------------------------------------------------------- 1 | ../../bring_your_own_fips202/custom_fips202/tiny_sha3 -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/expected_signatures.h: -------------------------------------------------------------------------------- 1 | ../monolithic_build_multilevel/expected_signatures.h -------------------------------------------------------------------------------- /examples/monolithic_build_native/.gitignore: 
-------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/multilevel_build_native/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build 4 | -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build/ 4 | *.d 5 | -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build/ 4 | *.d 5 | -------------------------------------------------------------------------------- /proofs/hol_light/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | **/*.o 3 | **/*.native 4 | **/*.correct 5 | -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build/ 4 | *.d 5 | -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/.gitignore: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | 3 | build/ 4 | *.d 5 | -------------------------------------------------------------------------------- 
/.gitignore:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
2 |
3 | test/build
4 | .direnv
5 | # Downloaded ACVP test data
6 | test/.acvp-data/
7 |
--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
2 | # Last matching pattern has precedence
3 |
4 | * @pq-code-package/pqcp-mldsa-native-admin
5 |
--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
1 | # Copyright (c) The mldsa-native project authors
2 |
3 | version: 2
4 | updates:
5 |   - package-ecosystem: github-actions
6 |     directory: /
7 |     schedule:
8 |       interval: monthly
9 |
10 |
--------------------------------------------------------------------------------
/proofs/cbmc/ct_get_optblocker_i64/ct_get_optblocker_i64_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "ct.h"
5 |
6 | void harness(void) { mld_ct_get_optblocker_i64(); } /* CBMC proof harness; the callee takes no arguments, so there is no input to leave nondeterministic */
7 |
--------------------------------------------------------------------------------
/proofs/cbmc/ct_get_optblocker_u32/ct_get_optblocker_u32_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "ct.h"
5 |
6 | void harness(void) { mld_ct_get_optblocker_u32(); } /* CBMC proof harness; u32 twin of ct_get_optblocker_i64_harness.c, again with no inputs */
7 |
--------------------------------------------------------------------------------
/proofs/cbmc/ct_abs_i32/ct_abs_i32_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "ct.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_ct_abs_i32 */
7 | {
8 |   int32_t a; /* left uninitialized on purpose: CBMC models an uninitialized local as a nondeterministic int32_t, so every value admitted by the callee's contract preconditions (if any) is covered */
9 |   mld_ct_abs_i32(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_ntt/poly_ntt_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_poly_ntt */
7 | {
8 |   mld_poly *a; /* nondeterministic pointer; validity and alignment of *a are presumably imposed by mld_poly_ntt's contract preconditions, not by this harness — confirm in the proof configuration */
9 |   mld_poly_ntt(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/caddq/caddq_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "reduce.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_caddq */
7 | {
8 |   int32_t a; /* nondeterministic input (deliberately uninitialized) */
9 |   int32_t result = mld_caddq(a); /* return value is captured but never read; the harness only drives the call */
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_add/poly_add_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_poly_add */
7 | {
8 |   mld_poly *r, *b; /* both nondeterministic; whether r and b may alias is presumably decided by mld_poly_add's contract, not here — confirm */
9 |   mld_poly_add(r, b);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_sub/poly_sub_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void)
7 | {
8 |   mld_poly *r, *b;
9 |
  mld_poly_sub(r, b);
10 | }
11 |
--------------------------------------------------------------------------------
/dev/x86_64/README.md:
--------------------------------------------------------------------------------
1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0)
2 |
3 | This directory contains the native x86_64 arithmetic backend for ML-DSA provided by the official [AVX2
4 | implementation](https://github.com/pq-crystals/dilithium/blob/master/avx2) of the Dilithium team.
5 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_caddq/poly_caddq_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 |
7 | void harness(void) /* CBMC proof harness for mld_poly_caddq */
8 | {
9 |   mld_poly *a; /* nondeterministic pointer; constraints on *a presumably come from the callee's contract — confirm */
10 |   mld_poly_caddq(a);
11 | }
12 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_reduce/poly_reduce_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_poly_reduce */
7 | {
8 |   mld_poly *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_poly_reduce(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_shiftl/poly_shiftl_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_poly_shiftl */
7 | {
8 |   mld_poly *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_poly_shiftl(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_ntt_native/poly_ntt_native_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_poly_ntt; the body is identical to proofs/cbmc/poly_ntt/poly_ntt_harness.c, so the native-backend variant is presumably selected by this proof's build configuration rather than by the harness — confirm */
7 | {
8 |   mld_poly *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_poly_ntt(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/reduce32/reduce32_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "reduce.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_reduce32 */
7 | {
8 |   int32_t a; /* nondeterministic input (deliberately uninitialized) */
9 |   int32_t result = mld_reduce32(a); /* return value is captured but never read; the harness only drives the call */
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/ct_cmask_neg_i32/ct_cmask_neg_i32_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "ct.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_ct_cmask_neg_i32 */
7 | {
8 |   int32_t a; /* nondeterministic input: CBMC explores every int32_t the callee's contract admits */
9 |   mld_ct_cmask_neg_i32(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_ntt/polyveck_ntt_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_ntt */
7 | {
8 |   mld_polyveck *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_polyveck_ntt(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyvecl_ntt/polyvecl_ntt_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void
harness(void)
7 | {
8 |   mld_polyvecl *a;
9 |   mld_polyvecl_ntt(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/use_hint/use_hint_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "rounding.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_use_hint */
7 | {
8 |   int32_t a, r, hint; /* a and hint are nondeterministic inputs. NOTE(review): hint is an int32_t here, while make_hint_harness.c stores mld_make_hint's result in an unsigned int — confirm this matches mld_use_hint's declared parameter type */
9 |   r = mld_use_hint(a, hint); /* r receives the result but is never read */
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/value_barrier_i64/value_barrier_i64_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "ct.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_value_barrier_i64 */
7 | {
8 |   int64_t a; /* nondeterministic input (deliberately uninitialized) */
9 |   mld_value_barrier_i64(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/poly_caddq_native/poly_caddq_native_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "poly.h"
5 |
6 |
7 | void harness(void) /* CBMC proof harness for mld_poly_caddq; identical to proofs/cbmc/poly_caddq/poly_caddq_harness.c, so the native-backend variant is presumably chosen by the proof's build configuration — confirm */
8 | {
9 |   mld_poly *a; /* nondeterministic pointer (deliberately uninitialized) */
10 |   mld_poly_caddq(a);
11 | }
12 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_add/polyveck_add_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_add */
7 | {
8 |   mld_polyveck *r, *b; /* both nondeterministic; aliasing rules presumably come from the callee's contract — confirm */
9 |   mld_polyveck_add(r, b);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_caddq/polyveck_caddq_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_caddq */
7 | {
8 |   mld_polyveck *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_polyveck_caddq(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_reduce/polyveck_reduce_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_reduce */
7 | {
8 |   mld_polyveck *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_polyveck_reduce(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_shiftl/polyveck_shiftl_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_shiftl */
7 | {
8 |   mld_polyveck *a; /* nondeterministic pointer (deliberately uninitialized) */
9 |   mld_polyveck_shiftl(a);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyveck_sub/polyveck_sub_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
3 |
4 | #include "polyvec.h"
5 |
6 | void harness(void) /* CBMC proof harness for mld_polyveck_sub */
7 | {
8 |   mld_polyveck *u, *v; /* both nondeterministic; same shape as the other two-operand harnesses, which name the operands r and b */
9 |   mld_polyveck_sub(u, v);
10 | }
11 |
--------------------------------------------------------------------------------
/proofs/cbmc/polyvecl_add/polyvecl_add_harness.c:
--------------------------------------------------------------------------------
1 | // Copyright (c) The mldsa-native project authors
2 | //
SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *r, *b; 9 | mld_polyvecl_add(r, b); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_reduce/polyvecl_reduce_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *a; 9 | mld_polyvecl_reduce(a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/value_barrier_u32/value_barrier_u32_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "ct.h" 5 | 6 | void harness(void) 7 | { 8 | uint32_t a; 9 | mld_value_barrier_u32(a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/polyt0_pack/polyt0_pack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyt0_pack(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyt1_pack/polyt1_pack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyt1_pack(b, a); 11 | } 12 | 
-------------------------------------------------------------------------------- /proofs/cbmc/polyz_pack/polyz_pack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyz_pack(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/make_hint/make_hint_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "rounding.h" 5 | 6 | void harness(void) 7 | { 8 | int32_t a, b; 9 | unsigned int r; 10 | r = mld_make_hint(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_use_hint/poly_use_hint_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a, *b, *h; 10 | mld_poly_use_hint(b, a, h); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyeta_pack/polyeta_pack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyeta_pack(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyt0_unpack/polyt0_unpack_harness.c: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyt0_unpack(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyt1_unpack/polyt1_unpack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyt1_unpack(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyw1_pack/polyw1_pack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyw1_pack(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyz_unpack/polyz_unpack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyz_unpack(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/ct_sel_int32/ct_sel_int32_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: 
Apache-2.0 OR ISC OR MIT 3 | 4 | #include "ct.h" 5 | 6 | void harness(void) 7 | { 8 | int32_t a, b; 9 | uint32_t cond; 10 | mld_ct_sel_int32(a, b, cond); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/fqscale/fqscale_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | int32_t mld_fqscale(int32_t a); 7 | void harness(void) 8 | { 9 | int32_t a, r; 10 | r = mld_fqscale(a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/keccakf1600_permute/keccakf1600_permute_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include 5 | 6 | void harness(void) 7 | { 8 | uint64_t *a; 9 | mld_keccakf1600_permute(a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/pack_pk/pack_pk_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "packing.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | uint8_t *a, *b; 10 | mld_polyveck *c; 11 | mld_pack_pk(a, b, c); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/polyeta_unpack/polyeta_unpack_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyeta_unpack(a, b); 11 | } 12 
| -------------------------------------------------------------------------------- /proofs/cbmc/shake128_init/shake128_init_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake128ctx *s; 9 | 10 | mld_shake128_init(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/shake256_init/shake256_init_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake256ctx *s; 9 | 10 | mld_shake256_init(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/decompose/decompose_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "rounding.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | int32_t *a0, *a1; 10 | int32_t a; 11 | mld_decompose(a0, a1, a); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/fqmul/fqmul_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | int32_t mld_fqmul(int32_t a, int32_t b); 7 | void harness(void) 8 | { 9 | int32_t a, b, r; 10 | r = mld_fqmul(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_decompose/poly_decompose_harness.c: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a0, *a1, *a; 10 | mld_poly_decompose(a1, a0, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_invntt_tomont_native/poly_invntt_tomont_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | mld_poly_invntt_tomont(a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_power2round/poly_power2round_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a, *a0, *a1; 10 | mld_poly_power2round(a0, a1, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_use_hint/polyveck_use_hint_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a, *b, *c; 9 | mld_polyveck_use_hint(a, b, c); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/shake128_release/shake128_release_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The 
mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake128ctx *s; 9 | 10 | mld_shake128_release(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/shake256_release/shake256_release_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake256ctx *s; 9 | 10 | mld_shake256_release(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/unpack_pk/unpack_pk_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "packing.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | uint8_t *a, *b; 10 | mld_polyveck *c; 11 | mld_unpack_pk(a, c, b); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/montgomery_reduce/montgomery_reduce_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "reduce.h" 5 | 6 | void harness(void) 7 | { 8 | int64_t a; 9 | int32_t r; 10 | r = mld_montgomery_reduce(a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_use_hint_native/poly_use_hint_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include 
"poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a, *b, *h; 10 | mld_poly_use_hint(b, a, h); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_pack_t0/polyveck_pack_t0_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a; 9 | uint8_t *b; 10 | mld_polyveck_pack_t0(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_pack_w1/polyveck_pack_w1_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a; 9 | uint8_t *b; 10 | mld_polyveck_pack_w1(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_pack_z/polyvecl_pack_z_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *a; 9 | uint8_t *b; 10 | mld_polyvecl_pack_z(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyz_unpack_native/polyz_unpack_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a; 9 | uint8_t *b; 10 | mld_polyz_unpack(a, 
b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/power2round/power2round_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "rounding.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | int32_t *a0, *a1; 10 | int32_t a; 11 | mld_power2round(a0, a1, a); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/shake128_finalize/shake128_finalize_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake256ctx *s; /* NOTE(review): s is declared as mld_shake256ctx but is passed to mld_shake128_finalize; the shake128_init and shake128_release harnesses declare mld_shake128ctx. Unless the two context typedefs are the same type, this proof is run against the wrong context type -- confirm and switch to mld_shake128ctx. */ 9 | 10 | mld_shake128_finalize(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/shake256_finalize/shake256_finalize_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | void harness(void) 7 | { 8 | mld_shake256ctx *s; 9 | 10 | mld_shake256_finalize(s); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_keypair/crypto_sign_keypair_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | uint8_t *pk, *sk; 9 | int r; 10 | r = crypto_sign_keypair(pk, sk); 11 | } 12 | -------------------------------------------------------------------------------- 
/proofs/cbmc/keccakf1600_permute_native/keccakf1600_permute_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include 5 | 6 | void harness(void) 7 | { 8 | uint64_t *a; 9 | mld_keccakf1600_permute(a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_challenge/poly_challenge_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *c; 10 | uint8_t *seed; 11 | mld_poly_challenge(c, seed); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_decompose/polyveck_decompose_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a0, *a1, *a; 9 | mld_polyveck_decompose(a1, a0, a); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_pack_eta/polyveck_pack_eta_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a; 9 | uint8_t *b; 10 | mld_polyveck_pack_eta(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_power2round/polyveck_power2round_harness.c: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a, *b, *c; 9 | mld_polyveck_power2round(a, b, c); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_pack_eta/polyvecl_pack_eta_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *a; 9 | uint8_t *b; 10 | mld_polyvecl_pack_eta(b, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_unpack_z/polyvecl_unpack_z_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *a; 9 | uint8_t *b; 10 | mld_polyvecl_unpack_z(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_decompose_native/poly_decompose_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a0, *a1, *a; 10 | mld_poly_decompose(a1, a0, a); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_make_hint/poly_make_hint_harness.c: -------------------------------------------------------------------------------- 1 | // 
Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a, *b, *c; 9 | unsigned int r; 10 | r = mld_poly_make_hint(a, b, c); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_unpack_eta/polyveck_unpack_eta_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a; 9 | uint8_t *b; 10 | mld_polyveck_unpack_eta(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_unpack_t0/polyveck_unpack_t0_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a; 9 | uint8_t *b; 10 | mld_polyveck_unpack_t0(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_unpack_eta/polyvecl_unpack_eta_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *a; 9 | uint8_t *b; 10 | mld_polyvecl_unpack_eta(a, b); 11 | } 12 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # Security Policy 4 | 5 | ## Reporting security bugs 6 | 
7 | If you think you have found a security bug in mldsa-native, please report the vulnerability through 8 | GitHub's [private vulnerability reporting](https://github.com/pq-code-package/mldsa-native/security). 9 | -------------------------------------------------------------------------------- /nix/valgrind/default.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | { valgrind, ... }: 6 | valgrind.overrideAttrs (_: { 7 | patches = [ 8 | ./valgrind-varlat-patch-20240808.txt 9 | ]; 10 | }) 11 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_chknorm/poly_chknorm_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a; 10 | uint32_t r; 11 | int32_t B; 12 | r = mld_poly_chknorm(a, B); 13 | } 14 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_pointwise_montgomery/poly_pointwise_montgomery_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | void harness(void) 7 | { 8 | mld_poly *a, *b, *c; 9 | mld_poly_pointwise_montgomery(c, a, b); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_chknorm/polyvecl_chknorm_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC 
OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyvecl *v; 9 | int32_t bound; 10 | 11 | mld_polyvecl_chknorm(v, bound); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_keypair_internal/crypto_sign_keypair_internal_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | uint8_t *a, *b, *c; 9 | crypto_sign_keypair_internal(a, b, c); 10 | } 11 | -------------------------------------------------------------------------------- /proofs/cbmc/ct_get_optblocker_u8/ct_get_optblocker_u8_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
3 | // SPDX-License-Identifier: MIT-0 AND Apache-2.0 4 | 5 | #include "ct.h" 6 | 7 | void harness(void) { uint8_t x = mld_ct_get_optblocker_u8(); } 8 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_chknorm/polyveck_chknorm_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | int32_t b; 9 | mld_polyveck *v; 10 | uint32_t r; 11 | r = mld_polyveck_chknorm(v, b); 12 | } 13 | -------------------------------------------------------------------------------- /proofs/cbmc/polyveck_make_hint/polyveck_make_hint_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | void harness(void) 7 | { 8 | mld_polyveck *a, *b, *c; 9 | unsigned int r; 10 | r = mld_polyveck_make_hint(a, b, c); 11 | } 12 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_chknorm_native/poly_chknorm_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | 7 | void harness(void) 8 | { 9 | mld_poly *a; 10 | uint32_t r; 11 | int32_t B; 12 | r = mld_poly_chknorm(a, B); 13 | } 14 | -------------------------------------------------------------------------------- /proofs/cbmc/poly_invntt_tomont/poly_invntt_tomont_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include 5 
/*
 * Concatenated dump of several small files (one repository listing collapsed
 * onto a few lines). Each file is reproduced below behind a "file:" marker.
 * All *_harness.c files are CBMC proof harnesses: every local is deliberately
 * left uninitialised, which CBMC models as a nondeterministic value, so the
 * proof ranges over all inputs the callee's precondition admits (the contract
 * itself is expected to sit with the declaration in the included project
 * header — not visible here).
 */

/* file: (header of this file is outside the visible chunk; an invntt_tomont harness) */
#include "params.h"
#include "poly.h"

/* Harness: mld_poly_invntt_tomont on a nondeterministic polynomial. */
void harness(void)
{
  mld_poly *a;
  mld_poly_invntt_tomont(a);
}

/* file: /proofs/cbmc/poly_pointwise_montgomery_native/poly_pointwise_montgomery_native_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly.h"

/* Harness: c = a * b (pointwise, Montgomery domain) on nondeterministic operands. */
void harness(void)
{
  mld_poly *a, *b, *c;
  mld_poly_pointwise_montgomery(c, a, b);
}

/* file: /proofs/cbmc/polyvec_matrix_expand/polyvec_matrix_expand_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: expand matrix `mat` from seed `rho`; both pointers are nondeterministic. */
void harness(void)
{
  mld_polymat *mat;
  uint8_t *rho;

  mld_polyvec_matrix_expand(mat, rho);
}

/* file: /proofs/cbmc/keccak_init/keccak_init_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* keccak_init is not exported by fips202.h; the harness declares it itself
 * so CBMC can target it directly. */
extern void keccak_init(uint64_t s[MLD_KECCAK_LANES]);

/* Harness: initialise a nondeterministic Keccak state buffer. */
void harness(void)
{
  uint64_t *s;

  keccak_init(s);
}

/* file: /proofs/cbmc/poly_uniform/poly_uniform_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"
#include "poly.h"

/* Harness: sample polynomial `a` uniformly from `seed`. */
void harness(void)
{
  mld_poly *a;
  const uint8_t *seed;

  mld_poly_uniform(a, seed);
}

/* file: /proofs/cbmc/polyvec_matrix_expand_serial/polyvec_matrix_expand_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: same entry point as the non-serial proof; the proof directory
 * presumably selects a different build configuration (not visible here). */
void harness(void)
{
  mld_polymat *mat;
  uint8_t *rho;

  mld_polyvec_matrix_expand(mat, rho);
}

# file: /proofs/cbmc/lib/z3_no_bv_extract
#!/usr/bin/env bash
# Copyright (c) The mlkem-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

# Disable re-writing of bit-vector expressions within quantifiers.
# Such re-writing can cause quantifier e-matching to fail in complex cases.
# Wrapper: all arguments are forwarded to z3 unchanged ("$@").
z3 rewriter.bv_le2extract=false "$@"

/* file: /proofs/cbmc/pack_sk/pack_sk_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "packing.h"


/* Harness: pack a secret key from nondeterministic byte buffers and vectors. */
void harness(void)
{
  uint8_t *a, *b, *c, *d;
  mld_polyveck *t0, *s2;
  mld_polyvecl *s1;
  mld_pack_sk(a, b, c, d, t0, s1, s2);
}

/* file: /proofs/cbmc/poly_uniform_eta/poly_uniform_eta_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

/* Harness: sample `r0` from `seed` with an 8-bit nonce `n0`. */
void harness(void)
{
  mld_poly *r0;
  const uint8_t *seed;
  uint8_t n0;

  mld_poly_uniform_eta(r0, seed, n0);
}

/* file: /proofs/cbmc/pack_sig/pack_sig_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "packing.h"


/* Harness: pack a signature from (c, z, h, number-of-hints). */
void harness(void)
{
  uint8_t *a, *b;
  mld_polyveck *h;
  mld_polyvecl *z;
  unsigned int nh;
  mld_pack_sig(a, b, z, h, nh);
}

/* file: /proofs/cbmc/poly_ntt_c/poly_ntt_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly.h"

// Prototype for the function under test
// (the _c suffix marks the portable C implementation, declared here because
// poly.h does not export it)
void mld_poly_ntt_c(mld_poly *p);

/* Harness: forward NTT, C implementation, on a nondeterministic polynomial. */
void harness(void)
{
  mld_poly *a;
  mld_poly_ntt_c(a);
}

/* file: /proofs/cbmc/value_barrier_u8/value_barrier_u8_harness.c */
// Copyright (c) The mldsa-native project authors
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0 AND Apache-2.0

#include "ct.h"

/* Harness: the u8 value barrier from ct.h; the proof checks the barrier's
 * contract (presumably y == x) for a nondeterministic x. */
void harness(void)
{
  uint8_t x, y;
  y = mld_value_barrier_u8(x);
}

/* file: /proofs/cbmc/polyveck_invntt_tomont/polyveck_invntt_tomont_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */
#include "params.h"
#include "polyvec.h"

/* Harness: inverse NTT over a K-vector. */
void harness(void)
{
  mld_polyveck *v;
  mld_polyveck_invntt_tomont(v);
}

/* file: /proofs/cbmc/polyvecl_invntt_tomont/polyvecl_invntt_tomont_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */
#include "params.h"
#include "polyvec.h"

/* Harness: inverse NTT over an L-vector. */
void harness(void)
{
  mld_polyvecl *v;
  mld_polyvecl_invntt_tomont(v);
}

/* file: /proofs/cbmc/shake128_absorb/shake128_absorb_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* Harness: absorb `inlen` bytes of `in` into a SHAKE128 context;
 * `inlen` is nondeterministic, so the proof covers every length the
 * callee's contract allows. */
void harness(void)
{
  mld_shake128ctx *s;
  const uint8_t *in;
  size_t inlen;

  mld_shake128_absorb(s, in, inlen);
}

/* file: /proofs/cbmc/shake256_absorb/shake256_absorb_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* Harness: SHAKE256 counterpart of the absorb proof above. */
void harness(void)
{
  mld_shake256ctx *s;
  const uint8_t *in;
  size_t inlen;

  mld_shake256_absorb(s, in, inlen);
}

/* file: /proofs/cbmc/unpack_sk/unpack_sk_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "packing.h"


/* Harness: unpack a secret key. Note the argument order differs from
 * mld_pack_sk: the packed buffer `d` is the last parameter here. */
void harness(void)
{
  uint8_t *a, *b, *c, *d;
  mld_polyveck *t0, *s2;
  mld_polyvecl *s1;
  mld_unpack_sk(a, b, c, t0, s1, s2, d);
}

/* file: /proofs/cbmc/shake256/shake256_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* Harness: one-shot SHAKE256 with nondeterministic input and output lengths. */
void harness(void)
{
  uint8_t *out;
  size_t outlen;
  const uint8_t *in;
  size_t inlen;

  mld_shake256(out, outlen, in, inlen);
}

/* file: /proofs/cbmc/poly_caddq_c/poly_caddq_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly.h"


// Prototype for the function under test
void mld_poly_caddq_c(mld_poly *p);

/* Harness: conditional add-q, C implementation. */
void harness(void)
{
  mld_poly *a;
  mld_poly_caddq_c(a);
}

/* file: /proofs/cbmc/polyvecl_pointwise_acc_montgomery/polyvecl_pointwise_acc_montgomery_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: a = <b, c> (pointwise-accumulate over an L-vector). */
void harness(void)
{
  mld_poly *a;
  mld_polyvecl *b, *c;
  mld_polyvecl_pointwise_acc_montgomery(a, b, c);
}

/* file: /proofs/cbmc/shake128_squeeze/shake128_squeeze_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* Harness: squeeze `outlen` bytes from a SHAKE128 context. */
void harness(void)
{
  uint8_t *out;
  size_t outlen;
  mld_shake128ctx *state;

  mld_shake128_squeeze(out, outlen, state);
}

/* file: /proofs/cbmc/shake256_squeeze/shake256_squeeze_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* Harness: squeeze `outlen` bytes from a SHAKE256 context. */
void harness(void)
{
  uint8_t *out;
  size_t outlen;
  mld_shake256ctx *state;

  mld_shake256_squeeze(out, outlen, state);
}
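/*
 * Concatenated dump of several small files, reproduced behind "file:" markers.
 * The *_harness.c files are CBMC proof harnesses: locals are left
 * uninitialised on purpose so CBMC treats them as nondeterministic inputs.
 * The only functional change in this span is in list_proofs.sh (see there).
 */

/* file: /proofs/cbmc/unpack_sig/unpack_sig_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "packing.h"


/* Harness: unpack (c, z, h) from a nondeterministic signature buffer.
 * The int result is the callee's accept/reject status; it is assigned so
 * the call is not elided but is otherwise unused. */
void harness(void)
{
  uint8_t *c;
  uint8_t *sig;
  mld_polyveck *h;
  mld_polyvecl *z;
  int r;
  r = mld_unpack_sig(c, z, h, sig);
}

/* file: /proofs/cbmc/polyveck_pointwise_poly_montgomery/polyveck_pointwise_poly_montgomery_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: a = c * b for each entry of a K-vector (note c is the scalar
 * polynomial and is passed second). */
void harness(void)
{
  mld_polyveck *a, *b;
  mld_poly *c;
  mld_polyveck_pointwise_poly_montgomery(a, c, b);
}

/* file: /proofs/cbmc/polyvecl_pointwise_poly_montgomery/polyvecl_pointwise_poly_montgomery_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: L-vector counterpart of the proof above. */
void harness(void)
{
  mld_polyvecl *a, *b;
  mld_poly *c;
  mld_polyvecl_pointwise_poly_montgomery(a, c, b);
}

# file: /proofs/cbmc/lib/z3_smt_only
#!/usr/bin/env bash
# Copyright (c) The mldsa-native project authors
# Copyright (c) The mlkem-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

# Disable initial simplify tactic and go straight to main SMT tactic
# This can prevent divergence of Z3 on different platforms
# Wrapper: all arguments are forwarded to z3 unchanged ("$@").
z3 tactic.default_tactic=smt "$@"

/* file: /proofs/cbmc/polyvecl_uniform_gamma1/polyvecl_uniform_gamma1_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: sample an L-vector from `seed` with a 16-bit nonce. */
void harness(void)
{
  mld_polyvecl *v;
  const uint8_t *seed;
  uint16_t nonce;

  mld_polyvecl_uniform_gamma1(v, seed, nonce);
}

/* file: /proofs/cbmc/ntt_layer/ntt_layer_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */
#include "params.h"

/* Internal helper, not exported by a header; declared here for CBMC. */
void mld_ntt_layer(int32_t r[MLDSA_N], unsigned layer);

/* Harness: one forward-NTT layer, with the layer index nondeterministic. */
void harness(void)
{
  int32_t *r;
  unsigned layer;
  mld_ntt_layer(r, layer);
}

/* file: /proofs/cbmc/polyvecl_pointwise_acc_montgomery_native/polyvecl_pointwise_acc_montgomery_native_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: a = <b, c>; same entry point as the non-native proof, the
 * directory presumably selects the native backend via the build (not visible here). */
void harness(void)
{
  mld_poly *a;
  mld_polyvecl *b, *c;
  mld_polyvecl_pointwise_acc_montgomery(a, b, c);
}

/* file: /proofs/cbmc/polyvecl_uniform_gamma1_serial/polyvecl_uniform_gamma1_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: serial-build variant of the polyvecl_uniform_gamma1 proof. */
void harness(void)
{
  mld_polyvecl *v;
  const uint8_t *seed;
  uint16_t nonce;

  mld_polyvecl_uniform_gamma1(v, seed, nonce);
}

/* file: /proofs/cbmc/ct_memcmp/ct_memcmp_harness.c */
// Copyright (c) The mldsa-native project authors
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0 AND Apache-2.0

#include "ct.h"

/* Harness: the ct.h memcmp on two nondeterministic buffers of nondeterministic
 * length `len`. The proof establishes the functional contract; timing
 * behaviour is outside what CBMC checks. */
void harness(void)
{
  uint8_t *a;
  uint8_t *b;
  size_t len;
  int r;
  r = mld_ct_memcmp(a, b, len);
}

/* file: /proofs/cbmc/invntt_layer/invntt_layer_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */
#include "params.h"

/* Internal helper, not exported by a header; declared here for CBMC. */
void mld_invntt_layer(int32_t r[MLDSA_N], unsigned layer);

/* Harness: one inverse-NTT layer, with the layer index nondeterministic. */
void harness(void)
{
  int32_t *r;
  unsigned layer;
  mld_invntt_layer(r, layer);
}

# file: /.envrc
# Copyright (c) The mlkem-native project authors
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
# Bootstrap nix-direnv if the installed one is missing or older than 3.0.3.
# The second argument to source_url pins the fetched script to a content
# hash, so a changed upstream file is rejected rather than sourced.
if ! has nix_direnv_version || ! nix_direnv_version 3.0.3; then
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.3/direnvrc" "sha256-0EVQVNSRQWsln+rgPW3mXVmnF5sfcmKEYOmOSfLYxHg="
fi

use flake

# file: /proofs/cbmc/list_proofs.sh
#!/usr/bin/env bash
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
#
# This tiny script just lists the proof directories in proof/cbmc,
# which are those containing a *harness.c file.

# Fail early instead of listing from the wrong directory: an unchecked `cd`
# (or a git failure leaving ROOT empty) would otherwise run `ls` in whatever
# the current directory happens to be. ROOT is quoted so a checkout path
# containing spaces still works.
ROOT=$(git rev-parse --show-toplevel) || exit 1
cd "$ROOT" || exit 1
# `cut -f 3` picks the directory between proofs/cbmc/ and the harness file,
# so this relies on harnesses sitting exactly one level below proofs/cbmc.
ls -1 proofs/cbmc/**/*harness.c | cut -d '/' -f 3

/* file: /proofs/cbmc/polyvec_matrix_pointwise_montgomery/polyvec_matrix_pointwise_montgomery_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Harness: a = b * c for a K x L matrix `b` and L-vector `c`. */
void harness(void)
{
  mld_polyveck *a;
  mld_polymat *b;
  mld_polyvecl *c;
  mld_polyvec_matrix_pointwise_montgomery(a, b, c);
}

/* file: /proofs/cbmc/poly_uniform_eta_4x/poly_uniform_eta_4x_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

/* Harness: four-way batched eta sampling, one 8-bit nonce per output. */
void harness(void)
{
  mld_poly *r0, *r1, *r2, *r3;
  const uint8_t *seed;
  uint8_t n0, n1, n2, n3;

  mld_poly_uniform_eta_4x(r0, r1, r2, r3, seed, n0, n1, n2, n3);
}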
/*
 * Concatenated dump of several small files, reproduced behind "file:" markers.
 * The two dummy_backend headers exist only for the CBMC build; the *_harness.c
 * files are CBMC proof harnesses whose uninitialised locals CBMC treats as
 * nondeterministic inputs.
 */

/* file: /proofs/cbmc/dummy_backend_fips202_x1.h */
/*
 * Copyright (c) The mldsa-native project authors
 * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
 */

#ifndef MLD_DUMMY_FIPS202X1_BACKEND_H
#define MLD_DUMMY_FIPS202X1_BACKEND_H


/* Turn on the x1 native-FIPS202 code path so its api.h declarations are
 * compiled (and can be proven) even without a real backend. */
#define MLD_USE_FIPS202_X1_NATIVE

#include "../../mldsa/src/fips202/native/api.h"

#endif /* !MLD_DUMMY_FIPS202X1_BACKEND_H */

/* file: /proofs/cbmc/dummy_backend_fips202_x4.h */
/*
 * Copyright (c) The mldsa-native project authors
 * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
 */

#ifndef MLD_DUMMY_FIPS202X4_BACKEND_H
#define MLD_DUMMY_FIPS202X4_BACKEND_H


/* Same as the x1 header, for the four-way (x4) native-FIPS202 path. */
#define MLD_USE_FIPS202_X4_NATIVE

#include "../../mldsa/src/fips202/native/api.h"

#endif /* !MLD_DUMMY_FIPS202X4_BACKEND_H */

/* file: /proofs/cbmc/keccakf1600x4_permute/keccakf1600x4_permute_harness.c */
// Copyright (c) The mldsa-native project authors
// Copyright (c) The mlkem-native project authors
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */

/* Harness: four-way Keccak-f[1600] permutation on a nondeterministic state. */
void harness(void)
{
  uint64_t *s;
  mld_keccakf1600x4_permute(s);
}

/* file: /proofs/cbmc/polymat_permute_bitrev_to_custom/polymat_permute_bitrev_to_custom_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "polyvec.h"

/* Not exported by polyvec.h; declared here so CBMC can target it. */
void mld_polymat_permute_bitrev_to_custom(mld_polymat *mat);

/* Harness: in-place reordering of a nondeterministic matrix. */
void harness(void)
{
  mld_polymat *mat;
  mld_polymat_permute_bitrev_to_custom(mat);
}

/* file: /proofs/cbmc/crypto_sign_signature_extmu/crypto_sign_signature_extmu_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: signing with an externally supplied message representative `mu`.
 * `siglen` is an out-pointer here (size_t *), unlike the verify harnesses. */
void harness(void)
{
  uint8_t *sig;
  size_t *siglen;
  uint8_t *mu;
  uint8_t *sk;
  int r;

  r = crypto_sign_signature_extmu(sig, siglen, mu, sk);
}

/* file: /proofs/cbmc/poly_uniform_gamma1_4x/poly_uniform_gamma1_4x_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

/* Harness: four-way batched gamma1 sampling, one 16-bit nonce per output. */
void harness(void)
{
  mld_poly *r0, *r1, *r2, *r3;
  const uint8_t *seed;
  uint16_t n0, n1, n2, n3;

  mld_poly_uniform_gamma1_4x(r0, r1, r2, r3, seed, n0, n1, n2, n3);
}
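/*
 * Concatenated dump of several small files, reproduced behind "file:" markers.
 * The *_harness.c files are CBMC proof harnesses: locals are left
 * uninitialised on purpose so CBMC treats them as nondeterministic inputs.
 * The only functional change in this span is in
 * proofs/hol_light/x86_64/list_proofs.sh (see there).
 */

/* file: /proofs/cbmc/crypto_sign_verify_extmu/crypto_sign_verify_extmu_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"



/* Harness: verification with an externally supplied message representative. */
void harness(void)
{
  uint8_t *sig;
  size_t siglen;
  uint8_t *mu;
  uint8_t *pk;

  int r;

  r = crypto_sign_verify_extmu(sig, siglen, mu, pk);
}

/* file: /proofs/cbmc/poly_uniform_4x/poly_uniform_4x_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly.h"

/* Harness: four-way batched uniform sampling. `seed` is a pointer to an
 * aligned array of MLDSA_SEEDBYTES + 2 bytes (seed plus 2 nonce bytes). */
void harness(void)
{
  mld_poly *r0;
  mld_poly *r1;
  mld_poly *r2;
  mld_poly *r3;
  uint8_t(*seed)[MLD_ALIGN_UP(MLDSA_SEEDBYTES + 2)];

  mld_poly_uniform_4x(r0, r1, r2, r3, seed);
}

/* file: /proofs/cbmc/keccakf1600x4_permute_native/keccakf1600x4_permute_native_harness.c */
// Copyright (c) The mldsa-native project authors
// Copyright (c) The mlkem-native project authors
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */

/* Harness: four-way Keccak-f[1600] permutation (native-backend proof). */
void harness(void)
{
  uint64_t *s;
  mld_keccakf1600x4_permute(s);
}

# file: /proofs/hol_light/x86_64/list_proofs.sh
#!/usr/bin/env bash
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
#
# This tiny script just lists the names of source files for which
# we have a spec and proof in HOL-Light.

# Fail early instead of listing from the wrong directory: an unchecked `cd`
# (or a git failure leaving ROOT empty) would otherwise run `ls` in whatever
# the current directory happens to be. ROOT is quoted so a checkout path
# containing spaces still works.
ROOT=$(git rev-parse --show-toplevel) || exit 1
cd "$ROOT" || exit 1
# Field 5 of proofs/hol_light/x86_64/mldsa/NAME.S is NAME.S; sed drops the suffix.
ls -1 proofs/hol_light/x86_64/mldsa/*.S | cut -d '/' -f 5 | sed 's/\.S//'

/* file: /proofs/cbmc/poly_chknorm_c/poly_chknorm_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

// Prototype for the function under test
uint32_t mld_poly_chknorm_c(mld_poly *a, int32_t B);

/* Harness: infinity-norm bound check against a nondeterministic bound B. */
void harness(void)
{
  mld_poly *a;
  uint32_t r;
  int32_t B;
  r = mld_poly_chknorm_c(a, B);
}

/* file: /proofs/cbmc/crypto_sign/crypto_sign_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: the combined sign API (signed message `sm`, out-length `smlen`),
 * with a context string of nondeterministic length `ctxlen`. */
void harness(void)
{
  uint8_t *sm;
  size_t *smlen;
  uint8_t *m;
  size_t mlen;
  uint8_t *ctx;
  size_t ctxlen;
  uint8_t *sk;
  int r;

  r = crypto_sign(sm, smlen, m, mlen, ctx, ctxlen, sk);
}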
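/*
 * Concatenated dump of several small files, reproduced behind "file:" markers.
 * The *_harness.c files are CBMC proof harnesses: locals are left
 * uninitialised on purpose so CBMC treats them as nondeterministic inputs.
 * The only functional change in this span is in
 * crypto_sign_verify_harness.c (see there).
 */

(* file: /proofs/hol_light/x86_64/proofs/dump_bytecode.ml *)
(*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT-0
 *)

needs "x86/proofs/base.ml";;

(* Print the machine code of the assembled NTT object so the HOL Light proof
   can be checked against the bytes actually produced by the toolchain. *)
print_string "=== bytecode start: mldsa/mldsa_ntt.o ================\n";;
print_literal_from_elf "mldsa/mldsa_ntt.o";;
print_string "==== bytecode end =====================================\n\n";;

/* file: /proofs/cbmc/poly_invntt_tomont_c/poly_invntt_tomont_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */
#include "params.h"
#include "poly.h"

// Prototype for the function under test
void mld_poly_invntt_tomont_c(mld_poly *p);


/* Harness: inverse NTT, C implementation, on a nondeterministic polynomial. */
void harness(void)
{
  mld_poly *a;
  mld_poly_invntt_tomont_c(a);
}

/* file: /proofs/cbmc/unpack_hints/unpack_hints_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "packing.h"

/* Not exported by packing.h; declared here so CBMC can target it. */
int mld_unpack_hints(mld_polyveck *h,
                     const uint8_t packed_hints[MLDSA_POLYVECH_PACKEDBYTES]);

/* Harness: decode the hint vector from a nondeterministic packed buffer
 * (named `sig` here; it is passed as the packed_hints parameter). */
void harness(void)
{
  uint8_t *sig;
  mld_polyveck *h;
  int r;
  r = mld_unpack_hints(h, sig);
}

/* file: /proofs/cbmc/crypto_sign_open/crypto_sign_open_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: the combined open API; the return status is not captured here. */
void harness(void)
{
  uint8_t *m;
  size_t *mlen;
  const uint8_t *sm;
  size_t smlen;
  const uint8_t *ctx;
  size_t ctxlen;
  const uint8_t *pk;

  crypto_sign_open(m, mlen, sm, smlen, ctx, ctxlen, pk);
}

/* file: /proofs/cbmc/keccakf1600_extract_bytes/keccakf1600_extract_bytes_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */

/* Harness: copy `length` bytes out of the Keccak state starting at `offset`;
 * both are nondeterministic, so the proof covers all admissible ranges. */
void harness(void)
{
  uint64_t *state;
  unsigned char *data;
  unsigned offset;
  unsigned length;
  mld_keccakf1600_extract_bytes(state, data, offset, length);
}

/* file: /proofs/cbmc/check_pct/check_pct_harness.c */
// Copyright (c) The mldsa-native project authors
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0

#include "sign.h"

/* Not exported by sign.h; declared here so CBMC can target it. */
int mld_check_pct(uint8_t const pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                  uint8_t const sk[MLDSA_CRYPTO_SECRETKEYBYTES]);

/* Harness: the key-pair consistency check on nondeterministic pk/sk buffers. */
void harness(void)
{
  uint8_t *a, *b;
  mld_check_pct(a, b);
}

/* file: /proofs/cbmc/keccakf1600_extract_bytes_BE/keccakf1600_extract_bytes_be_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

#include /* NOTE(review): header name missing in this copy — an angle-bracket include dropped by extraction */

/* Harness: big-endian build of the extract_bytes proof (same entry point). */
void harness(void)
{
  uint64_t *state;
  unsigned char *data;
  unsigned offset;
  unsigned length;
  mld_keccakf1600_extract_bytes(state, data, offset, length);
}

/* file: /proofs/cbmc/poly_pointwise_montgomery_c/poly_pointwise_montgomery_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly.h"

// Prototype for the function under test
void mld_poly_pointwise_montgomery_c(mld_poly *c, mld_poly *a, mld_poly *b);


/* Harness: c = a * b, C implementation. */
void harness(void)
{
  mld_poly *a, *b, *c;
  mld_poly_pointwise_montgomery_c(c, a, b);
}

/* file: /proofs/cbmc/crypto_sign_signature/crypto_sign_signature_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: detached signing with a context string of nondeterministic length. */
void harness(void)
{
  uint8_t *sig;
  size_t *siglen;
  uint8_t *m;
  size_t mlen;
  uint8_t *ctx;
  size_t ctxlen;
  uint8_t *sk;
  int r;

  r = crypto_sign_signature(sig, siglen, m, mlen, ctx, ctxlen, sk);
}

/* file: /proofs/cbmc/sample_s1_s2/sample_s1_s2_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* The function under test is file-static in the signing code; redeclaring it
 * static here matches that linkage for the CBMC build. */
static void mld_sample_s1_s2(mld_polyvecl *s1, mld_polyveck *s2,
                             const uint8_t seed[MLDSA_CRHBYTES]);

/* Harness: sample the secret vectors s1, s2 from a nondeterministic seed. */
void harness(void)
{
  mld_polyvecl *s1;
  mld_polyveck *s2;
  uint8_t *seed;

  mld_sample_s1_s2(s1, s2, seed);
}

/* file: /proofs/cbmc/polyz_unpack_c/polyz_unpack_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"


// Prototype for the function under test
// (MLD_ADD_PARAM_SET maps the name to the parameter-set-specific symbol)
#define mld_polyz_unpack_c MLD_ADD_PARAM_SET(mld_polyz_unpack_c)
void mld_polyz_unpack_c(mld_poly *a, uint8_t *b);


/* Harness: unpack polynomial `a` from byte buffer `b`. */
void harness(void)
{
  mld_poly *a;
  uint8_t *b;
  mld_polyz_unpack_c(a, b);
}

/* file: /proofs/cbmc/poly_use_hint_c/poly_use_hint_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

// Prototype for the function under test
// (MLD_ADD_PARAM_SET maps the name to the parameter-set-specific symbol)
#define mld_poly_use_hint_c MLD_ADD_PARAM_SET(mld_poly_use_hint_c)
void mld_poly_use_hint_c(mld_poly *b, mld_poly *a, mld_poly *h);


/* Harness: b = UseHint(a, h), C implementation. */
void harness(void)
{
  mld_poly *a, *b, *h;
  mld_poly_use_hint_c(b, a, h);
}

/* file: /proofs/cbmc/prepare_domain_separation_prefix/prepare_domain_separation_prefix_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: build the domain-separation prefix from a pre-hash `ph`, a
 * context string, and a hash-algorithm selector; all lengths and the
 * selector are nondeterministic. */
void harness(void)
{
  uint8_t *prefix;
  const uint8_t *ph;
  size_t phlen;
  const uint8_t *ctx;
  size_t ctxlen;
  int hashalg;

  mld_prepare_domain_separation_prefix(prefix, ph, phlen, ctx, ctxlen, hashalg);
}

/* file: /proofs/cbmc/sample_s1_s2_serial/sample_s1_s2_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Same static redeclaration as the non-serial proof. */
static void mld_sample_s1_s2(mld_polyvecl *s1, mld_polyveck *s2,
                             const uint8_t seed[MLDSA_CRHBYTES]);

/* Harness: serial-build variant of the sample_s1_s2 proof. */
void harness(void)
{
  mld_polyvecl *s1;
  mld_polyveck *s2;
  uint8_t *seed;

  mld_sample_s1_s2(s1, s2, seed);
}

/* file: /proofs/cbmc/crypto_sign_verify/crypto_sign_verify_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Harness: detached verification.
 *
 * Fix: `sig` was declared `const uint8_t sig;` — a single byte — and then
 * passed where crypto_sign_verify takes the signature buffer pointer (the
 * sibling harnesses crypto_sign_verify_extmu and crypto_sign_signature all
 * declare `uint8_t *sig`). A scalar-to-pointer conversion there means the
 * proof was not exercising the signature buffer the contract describes; it is
 * now a pointer like the other inputs. */
void harness(void)
{
  const uint8_t *sig;
  size_t siglen;
  const uint8_t *m;
  size_t mlen;
  const uint8_t *ctx;
  size_t ctxlen;
  const uint8_t *pk;

  int r;

  r = crypto_sign_verify(sig, siglen, m, mlen, ctx, ctxlen, pk);
}

/* file: /proofs/cbmc/keccak_finalize/keccak_finalize_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "fips202/fips202.h"

/* keccak_finalize is not exported by fips202.h; declared here for CBMC. */
extern void keccak_finalize(uint64_t s[MLD_KECCAK_LANES], unsigned int pos,
                            unsigned int r, uint8_t p);

/* Harness: apply padding byte `p` at position `pos` for rate `r`;
 * all three are nondeterministic. */
void harness(void)
{
  uint64_t *s;
  unsigned int pos, r;
  uint8_t p;

  keccak_finalize(s, pos, r, p);
}

/* file: /proofs/cbmc/crypto_sign_pk_from_sk/crypto_sign_pk_from_sk_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "sign.h"

/* Not exported by sign.h; declared here so CBMC can target it. */
int crypto_sign_pk_from_sk(uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES],
                           const uint8_t sk[MLDSA_CRYPTO_SECRETKEYBYTES]);

/* Harness: derive the public key from a nondeterministic secret key. */
void harness(void)
{
  uint8_t *pk;
  uint8_t *sk;

  int r;
  r = crypto_sign_pk_from_sk(pk, sk);
}

/* file: /proofs/cbmc/poly_decompose_c/poly_decompose_c_harness.c */
// Copyright (c) The mldsa-native project authors
// SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

#include "poly_kl.h"

// Prototype for the function under test
// (MLD_ADD_PARAM_SET maps the name to the parameter-set-specific symbol)
#define mld_poly_decompose_c MLD_ADD_PARAM_SET(mld_poly_decompose_c)
void mld_poly_decompose_c(mld_poly *a1, mld_poly *a0, mld_poly *a);

/* Harness: (a1, a0) = Decompose(a), C implementation. */
void harness(void)
{
  mld_poly *a0, *a1, *a;
  mld_poly_decompose_c(a1, a0, a);
}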
-------------------------------------------------------------------------------- /proofs/cbmc/poly_uniform_gamma1/poly_uniform_gamma1_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly_kl.h" 5 | 6 | void harness(void) 7 | { 8 | /* mld_poly_uniform_gamma1 is only defined for ML-DSA-65 */ 9 | #if MLD_CONFIG_PARAMETER_SET == 65 10 | mld_poly *a; 11 | const uint8_t *seed; 12 | uint16_t nonce; 13 | 14 | mld_poly_uniform_gamma1(a, seed, nonce); 15 | #endif /* MLD_CONFIG_PARAMETER_SET == 65 */ 16 | } 17 | -------------------------------------------------------------------------------- /proofs/cbmc/keccakf1600_xor_bytes/keccakf1600_xor_bytes_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | 8 | void harness(void) 9 | { 10 | uint64_t *state; 11 | const unsigned char *data; 12 | unsigned offset; 13 | unsigned length; 14 | mld_keccakf1600_xor_bytes(state, data, offset, length); 15 | } 16 | -------------------------------------------------------------------------------- /proofs/cbmc/keccakf1600_xor_bytes_BE/keccakf1600_xor_bytes_be_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | 8 | void harness(void) 9 | { 10 | uint64_t *state; 11 | const unsigned char *data; 12 | unsigned offset; 13 | unsigned length; 14 | mld_keccakf1600_xor_bytes(state, data, offset, length); 15 | } 16 | -------------------------------------------------------------------------------- /proofs/cbmc/.gitignore: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | # Emitted when running CBMC proofs 6 | **/logs 7 | **/gotos 8 | **/report 9 | **/html 10 | output 11 | 12 | # Emitted by CBMC Viewer 13 | TAGS-* 14 | 15 | # Emitted by litani 16 | .ninja_deps 17 | .ninja_log 18 | .litani_cache_dir 19 | 20 | # These files should be overwritten whenever prepare.py runs 21 | cbmc-batch.yaml 22 | 23 | __pycache__/ 24 | -------------------------------------------------------------------------------- /mldsa/src/native/meta.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_NATIVE_META_H 8 | #define MLD_NATIVE_META_H 9 | 10 | /* 11 | * Default arithmetic backend 12 | */ 13 | #include "../sys.h" 14 | 15 | #ifdef MLD_SYS_AARCH64 16 | #include "aarch64/meta.h" 17 | #endif 18 | 19 | #ifdef MLD_SYS_X86_64_AVX2 20 | #include "x86_64/meta.h" 21 | #endif 22 | 23 | #endif /* !MLD_NATIVE_META_H */ 24 | -------------------------------------------------------------------------------- /.github/workflows/lint_markdown.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | name: 
Lint-Markdown 5 | permissions: 6 | contents: read 7 | on: 8 | workflow_call: 9 | workflow_dispatch: 10 | 11 | jobs: 12 | lint-markdown-link: 13 | runs-on: ubuntu-latest 14 | steps: 15 | - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 16 | - uses: gaurav-nelson/github-action-markdown-link-check@3c3b66f1f7d0900e37b71eca45b63ea9eedfce31 # v1.0.17 17 | -------------------------------------------------------------------------------- /proofs/cbmc/ntt_butterfly_block/ntt_butterfly_block_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include 5 | #include "params.h" 6 | 7 | void mld_ntt_butterfly_block(int32_t r[MLDSA_N], int32_t zeta, unsigned start, 8 | unsigned len, unsigned bound); 9 | 10 | void harness(void) 11 | { 12 | int32_t *r, zeta; 13 | unsigned start, len; 14 | unsigned bound; 15 | mld_ntt_butterfly_block(r, zeta, start, len, bound); 16 | } 17 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_verify_internal/crypto_sign_verify_internal_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | const uint8_t *sig; 9 | size_t siglen; 10 | const uint8_t *m; 11 | size_t mlen; 12 | const uint8_t *pre; 13 | size_t prelen; 14 | const uint8_t *pk; 15 | int externalmu; 16 | 17 | crypto_sign_verify_internal(sig, siglen, m, mlen, pre, prelen, pk, 18 | externalmu); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_verify_pre_hash_shake256/crypto_sign_verify_pre_hash_shake256_harness.c: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | const uint8_t *sig; 9 | size_t siglen; 10 | const uint8_t *m; 11 | size_t mlen; 12 | const uint8_t *ctx; 13 | size_t ctxlen; 14 | const uint8_t *pk; 15 | int r; 16 | r = crypto_sign_verify_pre_hash_shake256(sig, siglen, m, mlen, ctx, ctxlen, 17 | pk); 18 | } 19 | -------------------------------------------------------------------------------- /proofs/cbmc/keccak_squeeze/keccak_squeeze_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | static unsigned int keccak_squeeze(uint8_t *out, size_t outlen, 7 | uint64_t s[MLD_KECCAK_LANES], 8 | unsigned int pos, unsigned int r); 9 | 10 | void harness(void) 11 | { 12 | uint8_t *out; 13 | size_t outlen; 14 | uint64_t *s; 15 | unsigned int pos, r; 16 | 17 | keccak_squeeze(out, outlen, s, pos, r); 18 | } 19 | -------------------------------------------------------------------------------- /proofs/cbmc/shake128x4_absorb_once/shake128x4_absorb_once_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void harness(void) 12 | { 13 | mld_shake128x4ctx *state; 14 | const uint8_t *in0, in1, in2, in3; 15 | size_t inlen; 16 | mld_shake128x4_absorb_once(state, in0, in1, in2, in3, inlen); 17 | } 18 | -------------------------------------------------------------------------------- /proofs/cbmc/shake256x4_absorb_once/shake256x4_absorb_once_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void harness(void) 12 | { 13 | mld_shake256x4ctx *state; 14 | const uint8_t *in0, in1, in2, in3; 15 | size_t inlen; 16 | mld_shake256x4_absorb_once(state, in0, in1, in2, in3, inlen); 17 | } 18 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_signature_internal/crypto_sign_signature_internal_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | uint8_t *sig; 9 | size_t *siglen; 10 | uint8_t *m; 11 | size_t mlen; 12 | uint8_t *pre; 13 | size_t prelen; 14 | uint8_t *rnd; 15 | uint8_t *sk; 16 | int externalmu; 17 | int r; 18 | r = crypto_sign_signature_internal(sig, siglen, m, mlen, pre, prelen, rnd, sk, 19 | externalmu); 20 | } 21 | -------------------------------------------------------------------------------- /nix/valgrind/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | This patch to Valgrind allows 
detecting secret-dependent division 4 | instructions by flagging variable-latency instructions that depend 5 | on uninitialized data. 6 | 7 | It is part of the KyberSlash paper[^KyberSlash]. 8 | 9 | 10 | [^KyberSlash]: Bernstein, Bhargavan, Bhasin, Chattopadhyay, Chia, Kannwischer, Kiefer, Paiva, Ravi, Tamvada: KyberSlash: Exploiting secret-dependent division timings in Kyber implementations, [https://kyberslash.cr.yp.to/papers.html](https://kyberslash.cr.yp.to/papers.html) 11 | -------------------------------------------------------------------------------- /proofs/cbmc/keccakf1600x4_xor_bytes/keccakf1600x4_xor_bytes_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | 8 | void harness(void) 9 | { 10 | uint64_t *state; 11 | const unsigned char *data0, *data1, *data2, *data3; 12 | unsigned offset; 13 | unsigned length; 14 | mld_keccakf1600x4_xor_bytes(state, data0, data1, data2, data3, offset, 15 | length); 16 | } 17 | -------------------------------------------------------------------------------- /proofs/cbmc/rej_eta/rej_eta_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | static unsigned int mld_rej_eta(int32_t *a, unsigned int target, 7 | unsigned int offset, const uint8_t *buf, 8 | unsigned int buflen); 9 | 10 | void harness(void) 11 | { 12 | int32_t *a; 13 | unsigned int target; 14 | unsigned int offset; 15 | const uint8_t *buf; 16 | unsigned int buflen; 17 | 18 | mld_rej_eta(a, target, offset, buf, buflen); 19 | } 20 | -------------------------------------------------------------------------------- 
/mldsa/src/fips202/native/auto.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AUTO_H 8 | #define MLD_FIPS202_NATIVE_AUTO_H 9 | 10 | /* 11 | * Default FIPS202 backend 12 | */ 13 | #include "../../sys.h" 14 | 15 | #if defined(MLD_SYS_AARCH64) 16 | #include "aarch64/auto.h" 17 | #endif 18 | 19 | #if defined(MLD_SYS_X86_64) && defined(MLD_SYS_X86_64_AVX2) 20 | #include "x86_64/xkcp.h" 21 | #endif 22 | 23 | #endif /* !MLD_FIPS202_NATIVE_AUTO_H */ 24 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_verify_pre_hash_internal/crypto_sign_verify_pre_hash_internal_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | const uint8_t *sig; 9 | size_t siglen; 10 | const uint8_t *ph; 11 | size_t phlen; 12 | const uint8_t *ctx; 13 | size_t ctxlen; 14 | const uint8_t *pk; 15 | int hashalg; 16 | int r; 17 | r = crypto_sign_verify_pre_hash_internal(sig, siglen, ph, phlen, ctx, ctxlen, 18 | pk, hashalg); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/keccakf1600x4_extract_bytes/keccakf1600x4_extract_bytes_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | 8 | void harness(void) 9 | { 10 | uint64_t *state; 11 | unsigned char *data0, *data1, *data2, *data3; 12 | unsigned offset; 13 | unsigned length; 14 | mld_keccakf1600x4_extract_bytes(state, data0, data1, data2, data3, offset, 15 | length); 16 | } 17 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_signature_pre_hash_shake256/crypto_sign_signature_pre_hash_shake256_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | uint8_t *sig; 9 | size_t *siglen; 10 | const uint8_t *m; 11 | size_t mlen; 12 | const uint8_t *ctx; 13 | size_t ctxlen; 14 | const uint8_t *rnd; 15 | const uint8_t *sk; 16 | int r; 17 | r = crypto_sign_signature_pre_hash_shake256(sig, siglen, m, mlen, ctx, ctxlen, 18 | rnd, sk); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/rej_eta_native/rej_eta_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | static unsigned int mld_rej_eta(int32_t *a, unsigned int target, 7 | unsigned int offset, const uint8_t *buf, 8 | unsigned int buflen); 9 | 10 | void harness(void) 11 | { 12 | int32_t *a; 13 | unsigned int target; 14 | unsigned int offset; 15 | const uint8_t *buf; 16 | unsigned int buflen; 17 | 18 | mld_rej_eta(a, target, offset, buf, buflen); 19 | } 20 | -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # 
Maintainers 4 | 5 | ## Active Maintainers 6 | 7 | | Name | GitHub | Affiliation | 8 | |-------------------------|-------------------------------------------------|----------------------| 9 | | Hanno Becker | [hanno-becker](https://github.com/hanno-becker) | AWS | 10 | | Matthias J. Kannwischer | [mkannwischer](https://github.com/mkannwischer) | Chelpis Quantum Corp | 11 | | Jake Massimo | [jakemas](https://github.com/jakemas) | AWS | 12 | -------------------------------------------------------------------------------- /proofs/cbmc/rej_uniform/rej_uniform_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | static unsigned int mld_rej_uniform(int32_t *a, unsigned int target, 7 | unsigned int offset, const uint8_t *buf, 8 | unsigned int buflen); 9 | 10 | void harness(void) 11 | { 12 | int32_t *a; 13 | unsigned int target; 14 | unsigned int offset; 15 | const uint8_t *buf; 16 | unsigned int buflen; 17 | 18 | mld_rej_uniform(a, target, offset, buf, buflen); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/keccak_absorb/keccak_absorb_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "fips202/fips202.h" 5 | 6 | extern unsigned int keccak_absorb(uint64_t s[MLD_KECCAK_LANES], 7 | unsigned int pos, unsigned int r, 8 | const uint8_t *in, size_t inlen); 9 | 10 | void harness(void) 11 | { 12 | uint64_t *s; 13 | unsigned int pos; 14 | const unsigned int r; 15 | const uint8_t *in; 16 | size_t inlen; 17 | uint8_t p; 18 | 19 | keccak_absorb(s, pos, r, in, inlen); 20 | } 21 | -------------------------------------------------------------------------------- /proofs/cbmc/H/H_harness.c: 
-------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void mld_H(uint8_t *out, size_t outlen, const uint8_t *in1, size_t in1len, 7 | const uint8_t *in2, size_t in2len, const uint8_t *in3, 8 | size_t in3len); 9 | 10 | void harness(void) 11 | { 12 | uint8_t *out; 13 | size_t outlen; 14 | const uint8_t *in1; 15 | size_t in1len; 16 | const uint8_t *in2; 17 | size_t in2len; 18 | const uint8_t *in3; 19 | size_t in3len; 20 | 21 | mld_H(out, outlen, in1, in1len, in2, in2len, in3, in3len); 22 | } 23 | -------------------------------------------------------------------------------- /proofs/cbmc/rej_uniform_c/rej_uniform_c_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | static unsigned int mld_rej_uniform_c(int32_t *a, unsigned int target, 7 | unsigned int offset, const uint8_t *buf, 8 | unsigned int buflen); 9 | 10 | void harness(void) 11 | { 12 | int32_t *a; 13 | unsigned int target; 14 | unsigned int offset; 15 | const uint8_t *buf; 16 | unsigned int buflen; 17 | 18 | mld_rej_uniform_c(a, target, offset, buf, buflen); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/rej_uniform_native/rej_uniform_native_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | static unsigned int mld_rej_uniform(int32_t *a, unsigned int target, 7 | unsigned int offset, const uint8_t *buf, 8 | unsigned int buflen); 9 | 10 | void harness(void) 11 | { 12 | int32_t *a; 13 | unsigned int target; 14 | unsigned 
int offset; 15 | const uint8_t *buf; 16 | unsigned int buflen; 17 | 18 | mld_rej_uniform(a, target, offset, buf, buflen); 19 | } 20 | -------------------------------------------------------------------------------- /proofs/cbmc/crypto_sign_signature_pre_hash_internal/crypto_sign_signature_pre_hash_internal_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void harness(void) 7 | { 8 | uint8_t *sig; 9 | size_t *siglen; 10 | const uint8_t *ph; 11 | size_t phlen; 12 | const uint8_t *ctx; 13 | size_t ctxlen; 14 | const uint8_t *rnd; 15 | const uint8_t *sk; 16 | int hashalg; 17 | int r; 18 | r = crypto_sign_signature_pre_hash_internal(sig, siglen, ph, phlen, ctx, 19 | ctxlen, rnd, sk, hashalg); 20 | } 21 | -------------------------------------------------------------------------------- /proofs/cbmc/shake128x4_squeezeblocks/shake128x4_squeezeblocks_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void harness(void) 12 | { 13 | uint8_t *output0, output1, output2, output3; 14 | size_t nblocks; 15 | mld_shake128x4ctx *state; 16 | mld_shake128x4_squeezeblocks(output0, output1, output2, output3, nblocks, 17 | state); 18 | } 19 | -------------------------------------------------------------------------------- /proofs/cbmc/shake256x4_squeezeblocks/shake256x4_squeezeblocks_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | void harness(void) 12 | { 13 | uint8_t *output0, output1, output2, output3; 14 | size_t nblocks; 15 | mld_shake256x4ctx *state; 16 | mld_shake256x4_squeezeblocks(output0, output1, output2, output3, nblocks, 17 | state); 18 | } 19 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/x86_64/src/KeccakP_1600_times4_SIMD256.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_X86_64_SRC_KECCAKP_1600_TIMES4_SIMD256_H 8 | #define MLD_FIPS202_NATIVE_X86_64_SRC_KECCAKP_1600_TIMES4_SIMD256_H 9 | 10 | #include "../../../../common.h" 11 | 12 | #define mld_keccakf1600x4_permute24 \ 13 | MLD_NAMESPACE(KeccakP1600times4_PermuteAll_24rounds) 14 | void mld_keccakf1600x4_permute24(void *states); 15 | 16 | #endif /* !MLD_FIPS202_NATIVE_X86_64_SRC_KECCAKP_1600_TIMES4_SIMD256_H */ 17 | 
-------------------------------------------------------------------------------- /proofs/cbmc/rej_eta_c/rej_eta_c_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "poly.h" 5 | 6 | #define mld_rej_eta_c MLD_ADD_PARAM_SET(mld_rej_eta_c) 7 | static unsigned int mld_rej_eta_c(int32_t *a, unsigned int target, 8 | unsigned int offset, const uint8_t *buf, 9 | unsigned int buflen); 10 | 11 | void harness(void) 12 | { 13 | int32_t *a; 14 | unsigned int target; 15 | unsigned int offset; 16 | const uint8_t *buf; 17 | unsigned int buflen; 18 | 19 | mld_rej_eta_c(a, target, offset, buf, buflen); 20 | } 21 | -------------------------------------------------------------------------------- /proofs/cbmc/polyvecl_pointwise_acc_montgomery_c/polyvecl_pointwise_acc_montgomery_c_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "polyvec.h" 5 | 6 | 7 | // Prototype for the function under test 8 | #define mld_polyvecl_pointwise_acc_montgomery_c \ 9 | MLD_ADD_PARAM_SET(mld_polyvecl_pointwise_acc_montgomery_c) 10 | void mld_polyvecl_pointwise_acc_montgomery_c(mld_poly *a, mld_polyvecl *b, 11 | mld_polyvecl *c); 12 | 13 | void harness(void) 14 | { 15 | mld_poly *a; 16 | mld_polyvecl *b, *c; 17 | mld_polyvecl_pointwise_acc_montgomery_c(a, b, c); 18 | } 19 | -------------------------------------------------------------------------------- /scripts/copy_nix_from_upstream: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | ROOT="$(realpath "$(dirname "$0")"/../)" 6 | TMP="$(mktemp 
-u)-mlkem-native" 7 | 8 | if [[ -d $TMP ]]; then 9 | echo "$TMP already exists please remove it first" 10 | exit 1 11 | fi 12 | 13 | git clone --depth=1 https://github.com/pq-code-package/mlkem-native.git "$TMP" 14 | 15 | echo "Copying nix related files from $TMP ..." 16 | cp -R "$TMP/nix" "$ROOT" 17 | cp -R "$TMP/.github/actions/setup-nix" "$ROOT/.github/actions/" 18 | cp "$TMP/.github/workflows/nix.yml" "$ROOT/.github/workflows/nix.yml" 19 | cp "$TMP/flake.lock" "$ROOT" 20 | -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/native/custom/custom.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #if !defined(MLD_FIPS202_CUSTOM_TINY_SHA3_H) 7 | #define MLD_FIPS202_CUSTOM_TINY_SHA3_H 8 | 9 | #if !defined(__ASSEMBLER__) 10 | #include "../api.h" 11 | #include "src/sha3.h" 12 | /* Replace (single) Keccak-F1600 by tiny-SHA3's */ 13 | #define MLD_USE_FIPS202_X1_NATIVE 14 | static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state) 15 | { 16 | tiny_sha3_keccakf(state); 17 | 18 | return MLD_NATIVE_FUNC_SUCCESS; 19 | } 20 | #endif /* !__ASSEMBLER__ */ 21 | 22 | #endif /* !MLD_FIPS202_CUSTOM_TINY_SHA3_H */ 23 | -------------------------------------------------------------------------------- /mldsa/src/ct.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | #include "ct.h" 7 | 8 | #if !defined(MLD_USE_ASM_VALUE_BARRIER) && \ 9 | !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 10 | /* 11 | * Masking value used in constant-time functions from 12 | * ct.h to block the compiler's range analysis and 13 | * thereby reduce the risk of 
compiler-introduced branches. 14 | */ 15 | volatile uint64_t mld_ct_opt_blocker_u64 = 0; 16 | 17 | #else /* !MLD_USE_ASM_VALUE_BARRIER && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 18 | 19 | MLD_EMPTY_CU(ct) 20 | 21 | #endif /* !(!MLD_USE_ASM_VALUE_BARRIER && !MLD_CONFIG_MULTILEVEL_NO_SHARED) */ 22 | -------------------------------------------------------------------------------- /examples/multilevel_build_native/mldsa_native_all.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #ifndef MLD_ALL_H 7 | #define MLD_ALL_H 8 | 9 | /* API for MLDSA-44 */ 10 | #define MLD_CONFIG_PARAMETER_SET 44 11 | #include "mldsa_native/mldsa_native.h" 12 | #undef MLD_CONFIG_PARAMETER_SET 13 | #undef MLD_H 14 | 15 | /* API for MLDSA-65 */ 16 | #define MLD_CONFIG_PARAMETER_SET 65 17 | #include "mldsa_native/mldsa_native.h" 18 | #undef MLD_CONFIG_PARAMETER_SET 19 | #undef MLD_H 20 | 21 | /* API for MLDSA-87 */ 22 | #define MLD_CONFIG_PARAMETER_SET 87 23 | #include "mldsa_native/mldsa_native.h" 24 | #undef MLD_CONFIG_PARAMETER_SET 25 | #undef MLD_H 26 | 27 | #endif /* !MLD_ALL_H */ 28 | -------------------------------------------------------------------------------- /nix/s2n_bignum/default.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | { stdenv, fetchFromGitHub, writeText, ... 
}: 5 | stdenv.mkDerivation rec { 6 | pname = "s2n_bignum"; 7 | version = "2ab2252b8505e58a7c3392f8ad823782032b61e7"; 8 | src = fetchFromGitHub { 9 | owner = "awslabs"; 10 | repo = "s2n-bignum"; 11 | rev = "${version}"; 12 | hash = "sha256-7lil3jAFo5NiyNOSBYZcRjduXkotV3x4PlxXSKt63M8="; 13 | }; 14 | setupHook = writeText "setup-hook.sh" '' 15 | export S2N_BIGNUM_DIR="$1" 16 | ''; 17 | patches = [ ]; 18 | dontBuild = true; 19 | installPhase = '' 20 | mkdir -p $out 21 | cp -a . $out/ 22 | ''; 23 | } 24 | -------------------------------------------------------------------------------- /proofs/cbmc/compute_t0_t1_tr_from_sk_components/compute_t0_t1_tr_from_sk_components_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | #include "sign.h" 5 | 6 | void mld_compute_t0_t1_tr_from_sk_components( 7 | mld_polyveck *t0, mld_polyveck *t1, uint8_t tr[MLDSA_TRBYTES], 8 | uint8_t pk[MLDSA_CRYPTO_PUBLICKEYBYTES], const uint8_t rho[MLDSA_SEEDBYTES], 9 | const mld_polyvecl *s1, const mld_polyveck *s2); 10 | 11 | void harness(void) 12 | { 13 | mld_polyveck *t0; 14 | mld_polyveck *t1; 15 | uint8_t *tr; 16 | uint8_t *pk; 17 | uint8_t *rho; 18 | mld_polyvecl *s1; 19 | mld_polyveck *s2; 20 | 21 | mld_compute_t0_t1_tr_from_sk_components(t0, t1, tr, pk, rho, s1, s2); 22 | } 23 | -------------------------------------------------------------------------------- /mldsa/src/randombytes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | #ifndef MLD_RANDOMBYTES_H 6 | #define MLD_RANDOMBYTES_H 7 | 8 | #include 9 | #include 10 | 11 | #include "cbmc.h" 12 | #include "common.h" 13 | 14 | #if !defined(MLD_CONFIG_NO_RANDOMIZED_API) 15 | #if !defined(MLD_CONFIG_CUSTOM_RANDOMBYTES) 16 | void 
randombytes(uint8_t *out, size_t outlen); 17 | static MLD_INLINE void mld_randombytes(uint8_t *out, size_t outlen) 18 | __contract__( 19 | requires(memory_no_alias(out, outlen)) 20 | assigns(memory_slice(out, outlen)) 21 | ) { randombytes(out, outlen); } 22 | #endif /* !MLD_CONFIG_CUSTOM_RANDOMBYTES */ 23 | #endif /* !MLD_CONFIG_NO_RANDOMIZED_API */ 24 | #endif /* !MLD_RANDOMBYTES_H */ 25 | -------------------------------------------------------------------------------- /examples/multilevel_build/mldsa_native_all.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_ALL_H 8 | #define MLD_ALL_H 9 | 10 | 11 | /* API for MLDSA-44 */ 12 | #define MLD_CONFIG_PARAMETER_SET 44 13 | #include "mldsa_native/mldsa_native.h" 14 | #undef MLD_CONFIG_PARAMETER_SET 15 | #undef MLD_H 16 | 17 | /* API for MLDSA-65 */ 18 | #define MLD_CONFIG_PARAMETER_SET 65 19 | #include "mldsa_native/mldsa_native.h" 20 | #undef MLD_CONFIG_PARAMETER_SET 21 | #undef MLD_H 22 | 23 | /* API for MLDSA-87 */ 24 | #define MLD_CONFIG_PARAMETER_SET 87 25 | #include "mldsa_native/mldsa_native.h" 26 | #undef MLD_CONFIG_PARAMETER_SET 27 | #undef MLD_H 28 | 29 | #endif /* !MLD_ALL_H */ 30 | -------------------------------------------------------------------------------- /proofs/cbmc/keccak_squeezeblocks_x4/keccak_squeezeblocks_x4_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 
4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | void mld_keccak_squeezeblocks_x4(uint8_t *out0, uint8_t *out1, uint8_t *out2, 13 | uint8_t *out3, size_t nblocks, uint64_t *s, 14 | uint32_t r); 15 | 16 | void harness(void) 17 | { 18 | uint8_t *out0, out1, out2, out3; 19 | size_t nblocks; 20 | uint64_t *s; 21 | uint32_t r; 22 | mld_keccak_squeezeblocks_x4(out0, out1, out2, out3, nblocks, s, r); 23 | } 24 | -------------------------------------------------------------------------------- /RELICENSE.md: -------------------------------------------------------------------------------- 1 | # Relicensing mldsa-native 2 | 3 | This document gathers consent by mldsa-native contributors to relicense 4 | mldsa-native from `Apache-2.0` to `Apache-2.0 OR ISC OR MIT`. 5 | 6 | The relicensing itself is intended to be carried out once all contributors 7 | have given consent to the relicensing. 8 | 9 | ## Contributors agreeing to relicensing 10 | 11 | By adding my name to the list below, I agree to relicense all my contributions 12 | in the mldsa-native project under `Apache-2.0 OR ISC OR MIT`. 13 | 14 | - Hanno Becker 15 | - Matthias Kannwischer 16 | - Rod Chapman 17 | - Jake Massimo 18 | - Pravek Sharma 19 | - Mila Anastasova 20 | - Thing Han, Lim potsrevenmil@gmail.com 21 | -------------------------------------------------------------------------------- /nix/hol_light/0006-Add-findlib-to-ocaml-hol.patch: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 2 | diff --git a/Makefile b/Makefile 3 | index abc1234..def5678 100644 4 | --- a/Makefile 5 | +++ b/Makefile 6 | 
@@ -100,7 +100,7 @@ hol.sh: pa_j.cmo ${HOLSRC} bignum.cmo hol_loader.cmo update_database.ml 7 | if [ `uname` = "Linux" ] || [ `uname` = "Darwin" ] ; then \ 8 | if [ ${OCAML_UNARY_VERSION} = "5" ] || [ ${OCAML_VERSION} = "4.14" ] ; then \ 9 | - ocamlfind ocamlmktop -package zarith -o ocaml-hol zarith.cma bignum.cmo hol_loader.cmo ; \ 10 | + ocamlfind ocamlmktop -package zarith,findlib -o ocaml-hol zarith.cma bignum.cmo hol_loader.cmo ; \ 11 | sed "s^__DIR__^`pwd`^g; s^__USE_MODULE__^$(HOLLIGHT_USE_MODULE)^g" hol_4.14.sh > hol.sh ; \ 12 | else \ 13 | ocamlmktop -o ocaml-hol nums.cma bignum.cmo hol_loader.cmo ; \ 14 | -------------------------------------------------------------------------------- /test/notrandombytes/notrandombytes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MIT 4 | */ 5 | 6 | /* References 7 | * ========== 8 | * 9 | * - [surf] 10 | * SURF: Simple Unpredictable Random Function 11 | * Daniel J. Bernstein 12 | * https://cr.yp.to/papers.html#surf 13 | */ 14 | 15 | /* Based on @[surf]. */ 16 | 17 | #ifndef NOTRANDOMBYTES_H 18 | #define NOTRANDOMBYTES_H 19 | 20 | #include 21 | #include 22 | 23 | /** 24 | * WARNING 25 | * 26 | * The randombytes() implementation in this file is for TESTING ONLY. 27 | * You MUST NOT use this implementation outside of testing. 
28 | * 29 | */ 30 | 31 | void randombytes_reset(void); 32 | void randombytes(uint8_t *buf, size_t n); 33 | 34 | #endif /* !NOTRANDOMBYTES_H */ 35 | -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native_all.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_ALL_H 8 | #define MLD_ALL_H 9 | 10 | #define MLD_CONFIG_NO_SUPERCOP 11 | 12 | /* API for MLDSA-44 */ 13 | #define MLD_CONFIG_PARAMETER_SET 44 14 | #include 15 | #undef MLD_CONFIG_PARAMETER_SET 16 | #undef MLD_H 17 | 18 | /* API for MLDSA-65 */ 19 | #define MLD_CONFIG_PARAMETER_SET 65 20 | #include 21 | #undef MLD_CONFIG_PARAMETER_SET 22 | #undef MLD_H 23 | 24 | /* API for MLDSA-87 */ 25 | #define MLD_CONFIG_PARAMETER_SET 87 26 | #include 27 | #undef MLD_CONFIG_PARAMETER_SET 28 | #undef MLD_CONFIG_NO_SUPERCOP 29 | #undef MLD_H 30 | 31 | #endif /* !MLD_ALL_H */ 32 | -------------------------------------------------------------------------------- /proofs/cbmc/Makefile_params.common: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | ifndef MLD_CONFIG_PARAMETER_SET 5 | $(warning MLD_CONFIG_PARAMETER_SET not set -- defaulting to MLD_CONFIG_PARAMETER_SET=65) 6 | endif 7 | 8 | MLD_CONFIG_PARAMETER_SET ?= 65 9 | 10 | ifeq ($(MLD_CONFIG_PARAMETER_SET),44) 11 | MLD_NAMESPACE_KL=PQCP_MLDSA_NATIVE_MLDSA44_ 12 | MLD_NAMESPACE=PQCP_MLDSA_NATIVE_MLDSA44_ 13 | else ifeq ($(MLD_CONFIG_PARAMETER_SET),65) 14 | MLD_NAMESPACE_KL=PQCP_MLDSA_NATIVE_MLDSA65_ 15 | MLD_NAMESPACE=PQCP_MLDSA_NATIVE_MLDSA65_ 16 | else ifeq ($(MLD_CONFIG_PARAMETER_SET),87) 17 | 
MLD_NAMESPACE_KL=PQCP_MLDSA_NATIVE_MLDSA87_ 18 | MLD_NAMESPACE=PQCP_MLDSA_NATIVE_MLDSA87_ 19 | else 20 | $(error Invalid value of MLD_CONFIG_PARAMETER_SET) 21 | endif 22 | -------------------------------------------------------------------------------- /proofs/cbmc/keccak_absorb_once_x4/keccak_absorb_once_x4_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // Copyright (c) The mlkem-native project authors 3 | // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 4 | // SPDX-License-Identifier: MIT-0 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | void mld_keccak_absorb_once_x4(uint64_t *s, uint32_t r, const uint8_t *in0, 13 | const uint8_t *in1, const uint8_t *in2, 14 | const uint8_t *in3, size_t inlen, uint8_t p); 15 | 16 | void harness(void) 17 | { 18 | uint64_t *s; 19 | uint32_t r; 20 | const uint8_t *in0, *in1, *in2, *in3; 21 | size_t inlen; 22 | uint8_t p; 23 | mld_keccak_absorb_once_x4(s, r, in0, in1, in2, in3, inlen, p); 24 | } 25 | -------------------------------------------------------------------------------- /dev/fips202/aarch64/x1_scalar.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H 9 | 10 | /* Part of backend API */ 11 | #define MLD_USE_FIPS202_X1_NATIVE 12 | /* Guard for assembly file */ 13 | #define MLD_FIPS202_AARCH64_NEED_X1_SCALAR 14 | 15 | #if !defined(__ASSEMBLER__) 16 | #include "../api.h" 17 | #include "src/fips202_native_aarch64.h" 18 | static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state) 19 | { 20 | mld_keccak_f1600_x1_scalar_asm(state, mld_keccakf1600_round_constants); 21 | 
return MLD_NATIVE_FUNC_SUCCESS; 22 | } 23 | #endif /* !__ASSEMBLER__ */ 24 | 25 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H */ 26 | -------------------------------------------------------------------------------- /META.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | name: ML-DSA 5 | type: signature 6 | implementations: 7 | - name: ML-DSA-44 8 | claimed-nist-level: 2 9 | length-public-key: 1312 10 | length-secret-key: 2560 11 | length-signature: 2420 12 | kat-sha256: 33e7eb7e3b4965fc8b8274ebf8a222c519008ec242b3f753d1bc240f1ee3cb1f 13 | - name: ML-DSA-65 14 | claimed-nist-level: 3 15 | length-public-key: 1952 16 | length-secret-key: 4032 17 | length-signature: 3309 18 | kat-sha256: 2ff0ddcd0dc08b746aa04853d6f84c82c6c8ac38783c9061aed78e29c1698ae5 19 | - name: ML-DSA-87 20 | claimed-nist-level: 5 21 | length-public-key: 2592 22 | length-secret-key: 4896 23 | length-signature: 4627 24 | kat-sha256: 1bfb25b29f6f2bc89057e3bddee055a8f7df563b0e747004b2968159f7739afa 25 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/aarch64/x1_scalar.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H 9 | 10 | /* Part of backend API */ 11 | #define MLD_USE_FIPS202_X1_NATIVE 12 | /* Guard for assembly file */ 13 | #define MLD_FIPS202_AARCH64_NEED_X1_SCALAR 14 | 15 | #if !defined(__ASSEMBLER__) 16 | #include "../api.h" 17 | #include "src/fips202_native_aarch64.h" 18 | static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state) 19 | { 20 | 
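mld_keccak_f1600_x1_scalar_asm(state, mld_keccakf1600_round_constants); 21 | return MLD_NATIVE_FUNC_SUCCESS; 22 | } 23 | #endif /* !__ASSEMBLER__ */ 24 | 25 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X1_SCALAR_H */ 26 | -------------------------------------------------------------------------------- /.github/actions/setup-yum/action.yml: --------------------------------------------------------------------------------
# Copyright (c) The mlkem-native project authors
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

name: Dependencies (yum)
description: Install dependencies via yum

inputs:
  packages:
    description: Space-separated list of additional packages to install
    required: false
    default: ''
  sudo:
    description: Command prefixed to every yum invocation (empty to run unprivileged)
    required: false
    default: 'sudo'

runs:
  using: composite
  steps:
    # Inputs are handed to the shell through `env:` instead of being expanded
    # by `${{ }}` inside `run:`. An expanded value is spliced into the script
    # text before bash parses it, so a caller-supplied string could inject
    # commands; an environment variable is plain data. $SUDO and $PACKAGES
    # are intentionally unquoted: `sudo` may be empty and `packages` is a
    # space-separated list that must word-split.
    - name: Install base packages
      shell: bash
      env:
        SUDO: ${{ inputs.sudo }}
      run: |
        $SUDO yum install make gcc python3 git -y
    - name: Install additional packages
      if: ${{ inputs.packages != ''}}
      shell: bash
      env:
        SUDO: ${{ inputs.sudo }}
        PACKAGES: ${{ inputs.packages }}
      run: |
        $SUDO yum install $PACKAGES -y
-------------------------------------------------------------------------------- /.github/workflows/slothy.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | name: SLOTHY re-optimization tests 6 | permissions: 7 | contents: read 8 | on: 9 | workflow_call: 10 | workflow_dispatch: 11 | 12 | jobs: 13 | slothy: 14 | name: SLOTHY 15 | if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }} 16 | permissions: 17 | contents: 'read' 18 | id-token: 'write' 19 | uses: ./.github/workflows/ci_ec2_reusable.yml 20 | with: 21 | name: SLOTHY 22 | 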
ec2_instance_type: c8g.8xlarge 23 | ec2_ami: ubuntu-latest (aarch64) 24 | ec2_volume_size: 20 25 | lint: false 26 | test: false 27 | cbmc: false 28 | slothy: true 29 | secrets: inherit 30 | -------------------------------------------------------------------------------- /examples/basic/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MI 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [surf] 11 | * SURF: Simple Unpredictable Random Function 12 | * Daniel J. Bernstein 13 | * https://cr.yp.to/papers.html#surf 14 | */ 15 | 16 | /* Based on @[surf]. */ 17 | 18 | #ifndef NOTRANDOMBYTES_H 19 | #define NOTRANDOMBYTES_H 20 | 21 | #include 22 | #include 23 | 24 | /** 25 | * WARNING 26 | * 27 | * The randombytes() implementation in this file is for TESTING ONLY. 28 | * You MUST NOT use this implementation outside of testing. 
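29 | * 30 | */ 31 | 32 | void randombytes_reset(void); 33 | void randombytes(uint8_t *buf, size_t n); 34 | 35 | #endif /* !NOTRANDOMBYTES_H */ 36 | -------------------------------------------------------------------------------- /proofs/cbmc/prepare_domain_separation_prefix/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | include ../Makefile_params.common 5 | 6 | HARNESS_ENTRY = harness 7 | HARNESS_FILE = prepare_domain_separation_prefix_harness 8 | 9 | PROOF_UID = mld_prepare_domain_separation_prefix 10 | 11 | DEFINES += 12 | INCLUDES += 13 | 14 | REMOVE_FUNCTION_BODY += 15 | UNWINDSET += 16 | 17 | PROOF_SOURCES += $(PROOFDIR)/$(HARNESS_FILE).c 18 | PROJECT_SOURCES += $(SRCDIR)/mldsa/src/sign.c 19 | 20 | CHECK_FUNCTION_CONTRACTS=$(MLD_NAMESPACE)prepare_domain_separation_prefix 21 | USE_FUNCTION_CONTRACTS= 22 | APPLY_LOOP_CONTRACTS=on 23 | USE_DYNAMIC_FRAMES=1 24 | 25 | FUNCTION_NAME = prepare_domain_separation_prefix 26 | 27 | EXTERNAL_SAT_SOLVER= 28 | CBMCFLAGS=--smt2 29 | CBMCFLAGS += --slice-formula 30 | 31 | CBMC_OBJECT_BITS = 8 32 | 33 | include ../Makefile.common 34 | -------------------------------------------------------------------------------- /.github/actions/setup-brew/action.yml: --------------------------------------------------------------------------------
# Copyright (c) The mlkem-native project authors
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

# The display name previously said "(apt)", a leftover from the apt action;
# this action installs via Homebrew.
name: Dependencies (brew)
description: Install dependencies via brew

inputs:
  packages:
    description: Space-separated list of additional packages to install
    required: false
    default: ''
  sudo:
    # Accepted for interface parity with the apt/yum actions but not used:
    # none of the steps below prefixes brew with it.
    required: false
    default: 'sudo'

runs:
  using: composite
  steps:
    - name: Update package repository
      shell: bash
      run: |
        brew update
    - name: Install base packages
      shell: bash
      run: |
        brew install make
    # `packages` is handed to the shell through `env:` instead of being
    # expanded by `${{ }}` inside `run:`. An expanded value is spliced into
    # the script text before bash parses it, so a caller-supplied string
    # could inject commands; an environment variable is plain data.
    # $PACKAGES is intentionally unquoted: it is a space-separated list that
    # must word-split.
    - name: Install additional packages
      if: ${{ inputs.packages != ''}}
      shell: bash
      env:
        PACKAGES: ${{ inputs.packages }}
      run: |
        brew install $PACKAGES
-------------------------------------------------------------------------------- /examples/bring_your_own_fips202/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MI 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [surf] 11 | * SURF: Simple Unpredictable Random Function 12 | * Daniel J. Bernstein 13 | * https://cr.yp.to/papers.html#surf 14 | */ 15 | 16 | /* Based on @[surf]. */ 17 | 18 | #ifndef NOTRANDOMBYTES_H 19 | #define NOTRANDOMBYTES_H 20 | 21 | #include 22 | #include 23 | 24 | /** 25 | * WARNING 26 | * 27 | * The randombytes() implementation in this file is for TESTING ONLY. 28 | * You MUST NOT use this implementation outside of testing. 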
29 | * 30 | */ 31 | 32 | void randombytes_reset(void); 33 | void randombytes(uint8_t *buf, size_t n); 34 | 35 | #endif /* !NOTRANDOMBYTES_H */ 36 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/x86_64/xkcp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_X86_64_XKCP_H 8 | #define MLD_FIPS202_NATIVE_X86_64_XKCP_H 9 | 10 | #include "../../../common.h" 11 | 12 | #define MLD_FIPS202_X86_64_XKCP 13 | 14 | #if !defined(__ASSEMBLER__) 15 | #include 16 | #include "../api.h" 17 | #include "src/KeccakP_1600_times4_SIMD256.h" 18 | 19 | #define MLD_USE_FIPS202_X4_NATIVE 20 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 21 | { 22 | if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2)) 23 | { 24 | return MLD_NATIVE_FUNC_FALLBACK; 25 | } 26 | mld_keccakf1600x4_permute24(state); 27 | return MLD_NATIVE_FUNC_SUCCESS; 28 | } 29 | #endif /* !__ASSEMBLER__ */ 30 | 31 | #endif /* !MLD_FIPS202_NATIVE_X86_64_XKCP_H */ 32 | -------------------------------------------------------------------------------- /examples/bring_your_own_fips202_static/test_only_rng/notrandombytes.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: LicenseRef-PD-hp OR CC0-1.0 OR 0BSD OR MIT-0 OR MI 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [surf] 11 | * SURF: Simple Unpredictable Random Function 12 | * Daniel J. Bernstein 13 | * https://cr.yp.to/papers.html#surf 14 | */ 15 | 16 | /* Based on @[surf]. 
*/ 17 | 18 | #ifndef NOTRANDOMBYTES_H 19 | #define NOTRANDOMBYTES_H 20 | 21 | #include 22 | #include 23 | 24 | /** 25 | * WARNING 26 | * 27 | * The randombytes() implementation in this file is for TESTING ONLY. 28 | * You MUST NOT use this implementation outside of testing. 29 | * 30 | */ 31 | 32 | void randombytes_reset(void); 33 | void randombytes(uint8_t *buf, size_t n); 34 | 35 | #endif /* !NOTRANDOMBYTES_H */ 36 | -------------------------------------------------------------------------------- /dev/fips202/aarch64/x4_v8a_scalar.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H 9 | 10 | /* Part of backend API */ 11 | #define MLD_USE_FIPS202_X4_NATIVE 12 | /* Guard for assembly file */ 13 | #define MLD_FIPS202_AARCH64_NEED_X4_V8A_SCALAR_HYBRID 14 | 15 | #if !defined(__ASSEMBLER__) 16 | #include "../api.h" 17 | #include "src/fips202_native_aarch64.h" 18 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 19 | { 20 | mld_keccak_f1600_x4_scalar_v8a_hybrid_asm(state, 21 | mld_keccakf1600_round_constants); 22 | return MLD_NATIVE_FUNC_SUCCESS; 23 | } 24 | #endif /* !__ASSEMBLER__ */ 25 | 26 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H */ 27 | -------------------------------------------------------------------------------- /dev/aarch64_opt/src/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # mldsa-native AArch64 backend SLOTHY-optimized code 4 | 5 | This directory contains the AArch64 backend after it has been optimized by [SLOTHY](https://github.com/slothy-optimizer/slothy/). 
6 | 7 | ## Re-running SLOTHY 8 | 9 | If the "clean" sources [`../../aarch64_clean/src/*.S`](../../aarch64_clean/src/) change, take the following steps to re-optimize and install them into the main source tree: 10 | 11 | 1. Run `make` to re-generate the optimized sources using SLOTHY. This assumes a working SLOTHY setup, as established e.g. by the default nix shell for mldsa-native. See also the [SLOTHY README](https://github.com/slothy-optimizer/slothy/). 12 | 13 | 2. Run `autogen` to transfer the newly optimized files into the main source tree [mldsa/src/native](../../../mldsa/src/native). 14 | 15 | 3. Run `./scripts/tests all --opt=OPT` to check that the new assembly is still functional. 16 | -------------------------------------------------------------------------------- /nix/cbmc/cbmc-viewer.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | { python3Packages 5 | , fetchurl 6 | }: 7 | 8 | python3Packages.buildPythonApplication rec { 9 | pname = "cbmc-viewer"; 10 | version = "3.11"; 11 | src = fetchurl { 12 | url = "https://github.com/model-checking/${pname}/releases/download/viewer-${version}/cbmc_viewer-${version}-py3-none-any.whl"; 13 | hash = "sha256-Oy51I64KMbtE8lG8xuFXdK4RvXFvWt4zYKBlcXqwILg="; 14 | }; 15 | format = "wheel"; 16 | dontUseSetuptoolsCheck = true; 17 | 18 | propagatedBuildInputs = [ 19 | python3Packages.voluptuous 20 | python3Packages.setuptools 21 | python3Packages.jinja2 22 | ]; 23 | 24 | meta = { 25 | description = "CBMC Viewer is a tool that scans the output of CBMC"; 26 | homepage = "https://model-checking.github.io/cbmc-viewer/"; 27 | }; 28 | } 29 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/aarch64/x4_v8a_scalar.h: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H 9 | 10 | /* Part of backend API */ 11 | #define MLD_USE_FIPS202_X4_NATIVE 12 | /* Guard for assembly file */ 13 | #define MLD_FIPS202_AARCH64_NEED_X4_V8A_SCALAR_HYBRID 14 | 15 | #if !defined(__ASSEMBLER__) 16 | #include "../api.h" 17 | #include "src/fips202_native_aarch64.h" 18 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 19 | { 20 | mld_keccak_f1600_x4_scalar_v8a_hybrid_asm(state, 21 | mld_keccakf1600_round_constants); 22 | return MLD_NATIVE_FUNC_SUCCESS; 23 | } 24 | #endif /* !__ASSEMBLER__ */ 25 | 26 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X4_V8A_SCALAR_H */ 27 | -------------------------------------------------------------------------------- /dev/x86_64/src/align.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [REF_AVX2] 11 | * CRYSTALS-Dilithium optimized AVX2 implementation 12 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 13 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 14 | */ 15 | 16 | #ifndef MLD_NATIVE_X86_64_SRC_ALIGN_H 17 | #define MLD_NATIVE_X86_64_SRC_ALIGN_H 18 | 19 | /* 20 | * This file is derived from the public domain 21 | * AVX2 Dilithium implementation @[REF_AVX2]. 
22 | */ 23 | 24 | #include 25 | #include 26 | 27 | #define MLD_ALIGNED_INT32(N) \ 28 | union \ 29 | { \ 30 | int32_t coeffs[N]; \ 31 | __m256i vec[(N + 7) / 8]; \ 32 | } 33 | 34 | #endif /* !MLD_NATIVE_X86_64_SRC_ALIGN_H */ 35 | -------------------------------------------------------------------------------- /mldsa/src/native/x86_64/src/align.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [REF_AVX2] 11 | * CRYSTALS-Dilithium optimized AVX2 implementation 12 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 13 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 14 | */ 15 | 16 | #ifndef MLD_NATIVE_X86_64_SRC_ALIGN_H 17 | #define MLD_NATIVE_X86_64_SRC_ALIGN_H 18 | 19 | /* 20 | * This file is derived from the public domain 21 | * AVX2 Dilithium implementation @[REF_AVX2]. 22 | */ 23 | 24 | #include 25 | #include 26 | 27 | #define MLD_ALIGNED_INT32(N) \ 28 | union \ 29 | { \ 30 | int32_t coeffs[N]; \ 31 | __m256i vec[(N + 7) / 8]; \ 32 | } 33 | 34 | #endif /* !MLD_NATIVE_X86_64_SRC_ALIGN_H */ 35 | -------------------------------------------------------------------------------- /proofs/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # Proofs for mldsa-native 4 | 5 | This directory contains material related to the formal verification of the source code of mldsa-native. 6 | 7 | ## C verification: CBMC 8 | 9 | We use the [C Bounded Model Checker (CBMC)](https://github.com/diffblue/cbmc) to show the absence of various classes of undefined behaviour in the mldsa-native C source, including out of bounds memory accesses and integer overflows. 
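See [proofs/cbmc](cbmc), or the [proof_guide](https://github.com/pq-code-package/mlkem-native/blob/main/proofs/cbmc/proof_guide.md). 10 | 11 | ## Assembly verification: HOL-Light 12 | 13 | We use the [HOL-Light](https://github.com/jrh13/hol-light) interactive theorem prover alongside the verification infrastructure from [s2n-bignum](https://github.com/awslabs/s2n-bignum) to show the functional correctness of highly optimized assembly routines in mldsa-native at the object-code level. See [proofs/hol_light/x86_64](hol_light/x86_64). 14 | -------------------------------------------------------------------------------- /.github/actions/setup-apt/action.yml: --------------------------------------------------------------------------------
# Copyright (c) The mlkem-native project authors
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

name: Dependencies (apt)
description: Install dependencies via apt

inputs:
  packages:
    description: Space-separated list of additional packages to install
    required: false
    default: ''
  sudo:
    description: Command prefixed to every apt-get invocation (empty to run unprivileged)
    required: false
    default: 'sudo'

runs:
  using: composite
  steps:
    # Inputs are handed to the shell through `env:` instead of being expanded
    # by `${{ }}` inside `run:`. An expanded value is spliced into the script
    # text before bash parses it, so a caller-supplied string could inject
    # commands; an environment variable is plain data. $SUDO and $PACKAGES
    # are intentionally unquoted: `sudo` may be empty and `packages` is a
    # space-separated list that must word-split.
    - name: Update package repository
      shell: bash
      env:
        SUDO: ${{ inputs.sudo }}
      run: |
        $SUDO apt-get update
    - name: Install base packages
      shell: bash
      env:
        SUDO: ${{ inputs.sudo }}
      run: |
        $SUDO apt-get install make gcc python3 -y
    - name: Install additional packages
      if: ${{ inputs.packages != ''}}
      shell: bash
      env:
        SUDO: ${{ inputs.sudo }}
        PACKAGES: ${{ inputs.packages }}
      run: |
        $SUDO apt-get install $PACKAGES -y
-------------------------------------------------------------------------------- /proofs/cbmc/attempt_signature_generation/attempt_signature_generation_harness.c: -------------------------------------------------------------------------------- 1 | // Copyright (c) The mldsa-native project authors 2 | // SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 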
| #include "sign.h" 5 | 6 | int mld_attempt_signature_generation(uint8_t *sig, const uint8_t *mu, 7 | const uint8_t rhoprime[MLDSA_CRHBYTES], 8 | uint16_t nonce, mld_polymat *mat, 9 | const mld_polyvecl *s1, 10 | const mld_polyveck *s2, 11 | const mld_polyveck *t0); 12 | 13 | void harness(void) 14 | { 15 | uint8_t *sig; 16 | uint8_t *mu; 17 | uint8_t *rhoprime; 18 | uint16_t nonce; 19 | mld_polymat *mat; 20 | mld_polyvecl *s1; 21 | mld_polyveck *s2; 22 | mld_polyveck *t0; 23 | 24 | int r; 25 | r = mld_attempt_signature_generation(sig, mu, rhoprime, nonce, mat, s1, s2, 26 | t0); 27 | } 28 | -------------------------------------------------------------------------------- /integration/liboqs/fips202_glue.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | #ifndef MLD_INTEGRATION_LIBOQS_FIPS202_GLUE_H 6 | #define MLD_INTEGRATION_LIBOQS_FIPS202_GLUE_H 7 | 8 | /* Include OQS's own FIPS202 header */ 9 | #include "fips202.h" 10 | 11 | #define mld_shake128ctx shake128incctx 12 | #define mld_shake128_init shake128_inc_init 13 | #define mld_shake128_absorb shake128_inc_absorb 14 | #define mld_shake128_finalize shake128_inc_finalize 15 | #define mld_shake128_squeeze shake128_inc_squeeze 16 | #define mld_shake128_release shake128_inc_ctx_release 17 | 18 | #define mld_shake256ctx shake256incctx 19 | #define mld_shake256_init shake256_inc_init 20 | #define mld_shake256_absorb shake256_inc_absorb 21 | #define mld_shake256_finalize shake256_inc_finalize 22 | #define mld_shake256_squeeze shake256_inc_squeeze 23 | #define mld_shake256_release shake256_inc_ctx_release 24 | 25 | #define mld_shake256 shake256 26 | 27 | #endif /* !MLD_INTEGRATION_LIBOQS_FIPS202_GLUE_H */ 28 | -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel/mldsa_native_all.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* Three instances of mldsa-native for all security levels */ 8 | 9 | /* Include level-independent code */ 10 | #define MLD_CONFIG_MULTILEVEL_WITH_SHARED 11 | /* Keep level-independent headers at the end of monobuild file */ 12 | #define MLD_CONFIG_MONOBUILD_KEEP_SHARED_HEADERS 13 | #define MLD_CONFIG_PARAMETER_SET 44 14 | #include "mldsa_native.c" 15 | #undef MLD_CONFIG_PARAMETER_SET 16 | #undef MLD_CONFIG_MULTILEVEL_WITH_SHARED 17 | 18 | /* Exclude level-independent code */ 19 | #define MLD_CONFIG_MULTILEVEL_NO_SHARED 20 | #define MLD_CONFIG_PARAMETER_SET 65 21 | #include "mldsa_native.c" 22 | #undef MLD_CONFIG_PARAMETER_SET 23 | /* `#undef` all headers at the and of the monobuild file */ 24 | #undef MLD_CONFIG_MONOBUILD_KEEP_SHARED_HEADERS 25 | 26 | #define MLD_CONFIG_PARAMETER_SET 87 27 | #include "mldsa_native.c" 28 | #undef MLD_CONFIG_PARAMETER_SET 29 | -------------------------------------------------------------------------------- /examples/monolithic_build_multilevel_native/mldsa_native_all.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* Three instances of mldsa-native for all security levels */ 8 | 9 | /* Include level-independent code */ 10 | #define MLD_CONFIG_MULTILEVEL_WITH_SHARED 1 11 | /* Keep level-independent headers at the end of monobuild file */ 12 | #define MLD_CONFIG_MONOBUILD_KEEP_SHARED_HEADERS 13 | #define MLD_CONFIG_PARAMETER_SET 44 14 | #include "mldsa_native.c" 15 | #undef MLD_CONFIG_MULTILEVEL_WITH_SHARED 16 | #undef MLD_CONFIG_PARAMETER_SET 17 | 18 | /* 
Exclude level-independent code */ 19 | #define MLD_CONFIG_MULTILEVEL_NO_SHARED 20 | #define MLD_CONFIG_PARAMETER_SET 65 21 | #include "mldsa_native.c" 22 | /* `#undef` all headers at the and of the monobuild file */ 23 | #undef MLD_CONFIG_MONOBUILD_KEEP_SHARED_HEADERS 24 | #undef MLD_CONFIG_PARAMETER_SET 25 | 26 | #define MLD_CONFIG_PARAMETER_SET 87 27 | #include "mldsa_native.c" 28 | #undef MLD_CONFIG_PARAMETER_SET 29 | -------------------------------------------------------------------------------- /dev/fips202/aarch64/x1_v84a.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 
12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X1_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X1_V84A 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state) 23 | { 24 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 25 | { 26 | return MLD_NATIVE_FUNC_FALLBACK; 27 | } 28 | 29 | mld_keccak_f1600_x1_v84a_asm(state, mld_keccakf1600_round_constants); 30 | return MLD_NATIVE_FUNC_SUCCESS; 31 | } 32 | #endif /* !__ASSEMBLER__ */ 33 | 34 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H */ 35 | -------------------------------------------------------------------------------- /integration/liboqs/fips202x4_glue.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | #ifndef MLD_INTEGRATION_LIBOQS_FIPS202X4_GLUE_H 6 | #define MLD_INTEGRATION_LIBOQS_FIPS202X4_GLUE_H 7 | 8 | /* Include OQS's own FIPS202_X4 header */ 9 | #include "fips202x4.h" 10 | 11 | /* OQS's FIPS202_X4 is as-is compatible with the one expected 12 | * by mldsa-native, so just remove the mld_xxx prefix. 
*/ 13 | #define mld_shake128x4ctx shake128x4incctx 14 | #define mld_shake128x4_absorb_once shake128x4_absorb_once 15 | #define mld_shake128x4_squeezeblocks shake128x4_squeezeblocks 16 | #define mld_shake128x4_init shake128x4_inc_init 17 | #define mld_shake128x4_release shake128x4_inc_ctx_release 18 | 19 | #define mld_shake256x4ctx shake256x4incctx 20 | #define mld_shake256x4_absorb_once shake256x4_absorb_once 21 | #define mld_shake256x4_squeezeblocks shake256x4_squeezeblocks 22 | #define mld_shake256x4_init shake256x4_inc_init 23 | #define mld_shake256x4_release shake256x4_inc_ctx_release 24 | 25 | #endif /* !MLD_INTEGRATION_LIBOQS_FIPS202X4_GLUE_H */ 26 | -------------------------------------------------------------------------------- /proofs/cbmc/dummy_backend.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #ifndef MLD_DUMMY_ARITH_BACKEND_H 7 | #define MLD_DUMMY_ARITH_BACKEND_H 8 | 9 | 10 | #define MLD_USE_NATIVE_NTT 11 | #define MLD_USE_NATIVE_INTT 12 | #define MLD_USE_NATIVE_REJ_UNIFORM 13 | #define MLD_USE_NATIVE_REJ_UNIFORM_ETA2 14 | #define MLD_USE_NATIVE_REJ_UNIFORM_ETA4 15 | #define MLD_USE_NATIVE_POLY_DECOMPOSE_32 16 | #define MLD_USE_NATIVE_POLY_DECOMPOSE_88 17 | #define MLD_USE_NATIVE_POLY_CADDQ 18 | #define MLD_USE_NATIVE_POLY_USE_HINT_32 19 | #define MLD_USE_NATIVE_POLY_USE_HINT_88 20 | #define MLD_USE_NATIVE_POLY_CHKNORM 21 | #define MLD_USE_NATIVE_POLYZ_UNPACK_17 22 | #define MLD_USE_NATIVE_POLYZ_UNPACK_19 23 | #define MLD_USE_NATIVE_POINTWISE_MONTGOMERY 24 | #define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4 25 | #define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5 26 | #define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7 27 | 28 | #include "../../mldsa/src/native/api.h" 29 | 30 | #endif /* !MLD_DUMMY_ARITH_BACKEND_H */ 31 | 
-------------------------------------------------------------------------------- /mldsa/src/fips202/native/aarch64/x1_v84a.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X1_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X1_V84A 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | static MLD_INLINE int mld_keccak_f1600_x1_native(uint64_t *state) 23 | { 24 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 25 | { 26 | return MLD_NATIVE_FUNC_FALLBACK; 27 | } 28 | 29 | mld_keccak_f1600_x1_v84a_asm(state, mld_keccakf1600_round_constants); 30 | return MLD_NATIVE_FUNC_SUCCESS; 31 | } 32 | #endif /* !__ASSEMBLER__ */ 33 | 34 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X1_V84A_H */ 35 | -------------------------------------------------------------------------------- /nix/cbmc/litani.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | { stdenvNoCC 6 | , fetchFromGitHub 7 | , python3Packages 8 | }: 9 | 10 | stdenvNoCC.mkDerivation { 11 | pname = "litani"; 12 | version = "8002c240ef4f424039ed3cc32e076c0234d01768"; 13 | src = fetchFromGitHub { 14 | owner = "awslabs"; 15 | repo = "aws-build-accumulator"; 16 | rev = "8002c240ef4f424039ed3cc32e076c0234d01768"; 17 | sha256 = 
"sha256-UwF/B6lpsjpQn8SW+tCfOXTp14pNBr2sRGujJH3iPLk="; 18 | }; 19 | dontConfigure = true; 20 | installPhase = '' 21 | mkdir -p $out/bin 22 | install -Dm755 litani $out/bin/litani 23 | cp -r lib $out/bin 24 | cp -r templates $out/bin 25 | ''; 26 | dontStrip = true; 27 | noAuditTmpdir = true; 28 | propagatedBuildInputs = [ 29 | (python3Packages.python.withPackages 30 | (pythonPackages: [ pythonPackages.jinja2 ]) 31 | ) 32 | ]; 33 | 34 | meta = { 35 | description = "Litani metabuild system"; 36 | homepage = "https://awslabs.github.io/aws-build-accumulator/"; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /.github/actions/setup-oqs/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | name: Setup libOQS 5 | description: Setup libOQS 6 | 7 | inputs: 8 | dir: 9 | description: Directory to fetch libOQS into 10 | default: 'libOQS' 11 | repository: 12 | description: Repository to fetch from 13 | default: 'open-quantum-safe/libOQS' 14 | commit: 15 | description: Commit to fetch 16 | default: 'HEAD' 17 | gh_token: 18 | description: Github access token to use 19 | required: true 20 | 21 | runs: 22 | using: composite 23 | steps: 24 | - name: Fetch libOQS 25 | shell: bash 26 | run: | 27 | mkdir ${{ inputs.dir }} && cd ${{ inputs.dir }} 28 | git config --global --add safe.directory $GITHUB_WORKSPACE/${{ inputs.dir }} 29 | git init 30 | git remote add origin $GITHUB_SERVER_URL/${{ inputs.repository }} 31 | git fetch origin --depth 1 ${{ inputs.commit }} 32 | git checkout FETCH_HEAD 33 | 34 | # Remember libOQS directory 35 | echo LIBOQS_DIR="$GITHUB_WORKSPACE/${{ inputs.dir }}" >> $GITHUB_ENV 36 | -------------------------------------------------------------------------------- /nix/m55-an547-arm-none-eabi/default.nix: 
-------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | { stdenvNoCC 5 | , fetchFromGitHub 6 | , writeText 7 | }: 8 | 9 | stdenvNoCC.mkDerivation { 10 | pname = "mldsa-native-m55-an547"; 11 | version = "main-2025-10-02"; 12 | 13 | 14 | # Fetch platform files from pqmx (envs/m55-an547) 15 | src = fetchFromGitHub { 16 | owner = "slothy-optimizer"; 17 | repo = "pqmx"; 18 | rev = "4ed493d3cf2af62a08fd9fe36c3472a0dc50ad9f"; 19 | hash = "sha256-jLIqwknjRwcoDeEAETlMhRqZQ5a3QGCDZX9DENelGeQ="; 20 | }; 21 | 22 | dontBuild = true; 23 | 24 | installPhase = '' 25 | mkdir -p $out/platform/m55-an547/src/platform/ 26 | cp -r envs/m55-an547/src/platform/. $out/platform/m55-an547/src/platform/ 27 | cp integration/*.c $out/platform/m55-an547/src/platform/ 28 | ''; 29 | 30 | setupHook = writeText "setup-hook.sh" '' 31 | export M55_AN547_PATH="$1/platform/m55-an547/src/platform/" 32 | ''; 33 | 34 | meta = { 35 | description = "Platform files for the Cortex-M55 (AN547)"; 36 | homepage = "https://github.com/slothy-optimizer/pqmx"; 37 | }; 38 | } 39 | -------------------------------------------------------------------------------- /dev/fips202/aarch64/x4_v8a_v84a_scalar.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 
12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X4_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X4_V8A_V84A_SCALAR_HYBRID 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 23 | { 24 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 25 | { 26 | return MLD_NATIVE_FUNC_FALLBACK; 27 | } 28 | 29 | mld_keccak_f1600_x4_scalar_v8a_v84a_hybrid_asm( 30 | state, mld_keccakf1600_round_constants); 31 | return MLD_NATIVE_FUNC_SUCCESS; 32 | } 33 | #endif /* !__ASSEMBLER__ */ 34 | 35 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H */ 36 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/aarch64/x4_v8a_v84a_scalar.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 
12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X4_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X4_V8A_V84A_SCALAR_HYBRID 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 23 | { 24 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 25 | { 26 | return MLD_NATIVE_FUNC_FALLBACK; 27 | } 28 | 29 | mld_keccak_f1600_x4_scalar_v8a_v84a_hybrid_asm( 30 | state, mld_keccakf1600_round_constants); 31 | return MLD_NATIVE_FUNC_SUCCESS; 32 | } 33 | #endif /* !__ASSEMBLER__ */ 34 | 35 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X4_V8A_V84A_SCALAR_H */ 36 | -------------------------------------------------------------------------------- /.github/workflows/baremetal.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | name: Baremetal 5 | permissions: 6 | contents: read 7 | on: 8 | workflow_call: 9 | workflow_dispatch: 10 | 11 | jobs: 12 | baremetal_tests: 13 | name: Baremetal tests (${{ matrix.target.name }}) 14 | strategy: 15 | fail-fast: false 16 | matrix: 17 | target: 18 | - runner: ubuntu-latest 19 | name: 'M55-AN547' 20 | makefile: test/baremetal/platform/m55-an547/platform.mk 21 | nix-shell: arm-embedded 22 | runs-on: ${{ matrix.target.runner }} 23 | steps: 24 | - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 25 | - name: baremetal build + test 26 | uses: ./.github/actions/functest 27 | env: 28 | EXTRA_MAKEFILE: ${{ matrix.target.makefile }} 29 | with: 30 | nix-shell: ${{ matrix.target.nix-shell }} 31 | gh_token: ${{ secrets.GITHUB_TOKEN }} 32 | opt: no_opt 33 | func: true 34 | kat: true 35 | acvp: true 36 | examples: false 37 | stack: false 38 | 
-------------------------------------------------------------------------------- /dev/fips202/aarch64/x2_v84a.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X4_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X2_V84A 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | 23 | 24 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 25 | { 26 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 27 | { 28 | return MLD_NATIVE_FUNC_FALLBACK; 29 | } 30 | 31 | mld_keccak_f1600_x2_v84a_asm(state + 0 * 25, mld_keccakf1600_round_constants); 32 | mld_keccak_f1600_x2_v84a_asm(state + 2 * 25, mld_keccakf1600_round_constants); 33 | return MLD_NATIVE_FUNC_SUCCESS; 34 | } 35 | #endif /* !__ASSEMBLER__ */ 36 | 37 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H */ 38 | -------------------------------------------------------------------------------- /mldsa/src/fips202/native/aarch64/x2_v84a.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | #ifndef MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H 8 | #define MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H 9 | 10 | #if !defined(__ARM_FEATURE_SHA3) 11 | #error This backend can only be used if SHA3 extensions are available. 
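12 | #endif 13 | 14 | /* Part of backend API */ 15 | #define MLD_USE_FIPS202_X4_NATIVE 16 | /* Guard for assembly file */ 17 | #define MLD_FIPS202_AARCH64_NEED_X2_V84A 18 | 19 | #if !defined(__ASSEMBLER__) 20 | #include "../api.h" 21 | #include "src/fips202_native_aarch64.h" 22 | 23 | 24 | static MLD_INLINE int mld_keccak_f1600_x4_native(uint64_t *state) 25 | { 26 | if (!mld_sys_check_capability(MLD_SYS_CAP_SHA3)) 27 | { 28 | return MLD_NATIVE_FUNC_FALLBACK; 29 | } 30 | 31 | mld_keccak_f1600_x2_v84a_asm(state + 0 * 25, mld_keccakf1600_round_constants); 32 | mld_keccak_f1600_x2_v84a_asm(state + 2 * 25, mld_keccakf1600_round_constants); 33 | return MLD_NATIVE_FUNC_SUCCESS; 34 | } 35 | #endif /* !__ASSEMBLER__ */ 36 | 37 | #endif /* !MLD_FIPS202_NATIVE_AARCH64_X2_V84A_H */ 38 | -------------------------------------------------------------------------------- /META.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
# Copyright (c) The mlkem-native project authors
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

# Helper script to query META.yml
#
# Arguments
# - Scheme to query: ML-DSA-44, ML-DSA-65, ML-DSA-87
# - Field to query, e.g. "kat-sha256"
#
# Optional:
# - Value to compare against
#
# Output contract:
# - Two arguments: the field value is printed on stdout.
# - Three arguments: "<META> <scheme> <field>: OK" or "...: FAIL (...)" is
#   printed and the exit status reflects the comparison (0 = match).
# All diagnostics go to stderr, so a caller capturing stdout only ever sees
# the value itself.

# Resolved relative to the current working directory.
META=META.yml
SCHEME=$1
FIELD=$2
INPUT=$3

if [[ -z $SCHEME || -z $FIELD ]]; then
    echo "usage: $0 <scheme> <field> [expected-value]" >&2
    exit 1
fi

# Manual extraction of metadata with basic cmd line tools:
# keep the "name" lines and the requested field, pick the scheme's name line
# plus the line following it, then strip the "field:" prefix and whitespace.
# Arguments are quoted and passed after "--" so that a scheme or field name
# is never interpreted as a grep option.
VAL=$(grep "name\|$FIELD" "$META" |
    grep -A 1 -- "$SCHEME" |
    grep -- "$FIELD" |
    cut -d ":" -f 2 | tr -d ' ')

# More robust extraction using yq, used as a cross-check of the grep-based
# extraction above whenever yq is available. Both streams of the probe are
# silenced (redirect order matters: ">/dev/null 2>&1", not the reverse).
if command -v yq >/dev/null 2>&1; then
    QUERY=".implementations | .[] | select(.name==\"$1\") | .\"$2\""
    # Diagnostic only: must not pollute stdout, which carries the value.
    echo "cat $META | yq \"$QUERY\" -r" >&2
    VAL_JQ=$(yq "$QUERY" -r < "$META")

    if [[ "$VAL_JQ" != "$VAL" ]]; then
        echo "ERROR parsing metadata file $META" >&2
        exit 1
    fi
fi

if [[ -n $INPUT ]]; then
    if [[ "$INPUT" != "$VAL" ]]; then
        echo "$META $SCHEME $FIELD: FAIL ($VAL != $INPUT)"
        exit 1
    else
        echo "$META $SCHEME $FIELD: OK"
        exit 0
    fi
else
    echo "$VAL"
fi
-------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/native/custom/src/LICENSE: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | The MIT License (MIT) 4 | 5 | Copyright (c) 2015 Markku-Juhani O. Saarinen 6 | 7 | Permission is hereby granted, free of charge, to any person obtaining a copy 8 | of this software and associated documentation files (the "Software"), to deal 9 | in the Software without restriction, including without limitation the rights 10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | copies of the Software, and to permit persons to whom the Software is 12 | furnished to do so, subject to the following conditions: 13 | 14 | The above copyright notice and this permission notice shall be included in all 15 | copies or substantial portions of the Software.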
16 | 17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | SOFTWARE. 24 | -------------------------------------------------------------------------------- /nix/aarch64_be-none-linux-gnu-gcc.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | { stdenvNoCC 6 | , fetchurl 7 | }: 8 | 9 | stdenvNoCC.mkDerivation rec { 10 | pname = "aarch64_be-none-linux-gnu"; 11 | version = "10.3.2021.07"; 12 | 13 | platform = { 14 | x86_64-linux = "x86_64"; 15 | }.${stdenvNoCC.hostPlatform.system} or (throw "Unsupported system: ${stdenvNoCC.hostPlatform.system}"); 16 | 17 | platform_suffix = { 18 | x86_64-linux = "linux-gnu"; 19 | }.${stdenvNoCC.hostPlatform.system} or (throw "Unsupported system: ${stdenvNoCC.hostPlatform.system}"); 20 | 21 | src = fetchurl { 22 | url = "https://developer.arm.com/-/media/Files/downloads/gnu-a/10.3-2021.07/binrel/gcc-arm-10.3-2021.07-x86_64-aarch64_be-none-linux-gnu.tar.xz"; 23 | sha256 = { 24 | x86_64-linux = "sha256-Y8NMrAfOrddGIOqH8nrxqmpvVcIKW8EWryGlndtramo"; 25 | }.${stdenvNoCC.hostPlatform.system} or (throw "Unsupported system: ${stdenvNoCC.hostPlatform.system}"); 26 | }; 27 | 28 | dontConfigure = true; 29 | dontBuild = true; 30 | dontPatchELF = true; 31 | dontStrip = true; 32 | 33 | installPhase = '' 34 | mkdir -p $out 35 | cp -r * $out 36 | ''; 37 | } 38 | 
-------------------------------------------------------------------------------- /dev/x86_64/src/consts.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [REF_AVX2] 11 | * CRYSTALS-Dilithium optimized AVX2 implementation 12 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 13 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 14 | */ 15 | 16 | #ifndef MLD_NATIVE_X86_64_SRC_CONSTS_H 17 | #define MLD_NATIVE_X86_64_SRC_CONSTS_H 18 | /* 19 | * This file is derived from the public domain 20 | * AVX2 Dilithium implementation @[REF_AVX2]. 21 | */ 22 | 23 | #include "../../../common.h" 24 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XQ 0 25 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XQINV 8 26 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XDIV_QINV 16 27 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XDIV 24 28 | #define MLD_AVX2_BACKEND_DATA_OFFSET_ZETAS_QINV 32 29 | #define MLD_AVX2_BACKEND_DATA_OFFSET_ZETAS 328 30 | 31 | 32 | #ifndef __ASSEMBLER__ 33 | #include "align.h" 34 | typedef MLD_ALIGNED_INT32(624) qdata_t; 35 | #define mld_qdata MLD_NAMESPACE(qdata) 36 | extern const qdata_t mld_qdata; 37 | #endif /* !__ASSEMBLER__ */ 38 | 39 | #endif /* !MLD_NATIVE_X86_64_SRC_CONSTS_H */ 40 | -------------------------------------------------------------------------------- /.clang-format: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | # 5 | # clang-format style file for mldsa-native 6 | # 7 | BasedOnStyle: Google 8 | MaxEmptyLinesToKeep: 3 9 | AllowShortIfStatementsOnASingleLine: false 10 | 
AllowShortLoopsOnASingleLine: false 11 | DerivePointerAlignment: false 12 | PointerAlignment: Right 13 | # TODO(davidben): The default for Google style is now Regroup, but the default 14 | # IncludeCategories does not recognize . We should 15 | # reconfigure IncludeCategories to match. For now, keep it at Preserve. 16 | IncludeBlocks: Preserve 17 | 18 | # Designate CBMC contracts/macros that appear in .h files 19 | # as "attributes" so they don't get increasingly indented line after line 20 | BreakBeforeBraces: Allman 21 | InsertBraces: true 22 | WhitespaceSensitiveMacros: ['__contract__', '__loop__' ] 23 | Macros: 24 | # Make this artifically long to avoid function bodies after short contracts 25 | - __contract__(x)={ void a; void b; void c; void d; void e; void f; } void abcdefghijklmnopqrstuvw() 26 | - __loop__(x)={} do 27 | # Make this artifically long to force line break 28 | - MLK_INTERNAL_API=void abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefg(); 29 | -------------------------------------------------------------------------------- /examples/basic_deterministic/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | 4 | This directory contains a minimal example for building mldsa-native using only the deterministic API, 5 | without requiring a `randombytes()` implementation. 6 | 7 | ## Use Case 8 | 9 | Use this approach when: 10 | - Your application manages its own entropy/randomness externally 11 | - You only need `crypto_sign_keypair_internal` and `crypto_sign_signature_internal` (deterministic variants) 12 | 13 | ## Components 14 | 15 | 1. mldsa-native source tree: [`mldsa/src/`](../../mldsa/src) and [`mldsa/src/fips202/`](../../mldsa/src/fips202) 16 | 2. Your application source code 17 | 18 | No `randombytes()` implementation is required. 
19 | 20 | ## Configuration 21 | 22 | The configuration file [mldsa_native_config.h](mldsa_native/mldsa_native_config.h) sets: 23 | - `MLD_CONFIG_NO_RANDOMIZED_API`: Disables `crypto_sign_keypair`, `crypto_sign_signature`, etc. 24 | - `MLD_CONFIG_PARAMETER_SET`: Security level (default 65) 25 | - `MLD_CONFIG_NAMESPACE_PREFIX`: Symbol prefix (set to `mldsa`) 26 | 27 | ## Notes 28 | 29 | - This is incompatible with `MLD_CONFIG_KEYGEN_PCT` (pairwise consistency test) 30 | 31 | ## Usage 32 | 33 | ```bash 34 | make build # Build the example 35 | make run # Run the example 36 | ``` 37 | -------------------------------------------------------------------------------- /mldsa/src/native/x86_64/src/consts.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mlkem-native project authors 3 | * Copyright (c) The mldsa-native project authors 4 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 5 | */ 6 | 7 | /* References 8 | * ========== 9 | * 10 | * - [REF_AVX2] 11 | * CRYSTALS-Dilithium optimized AVX2 implementation 12 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 13 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 14 | */ 15 | 16 | #ifndef MLD_NATIVE_X86_64_SRC_CONSTS_H 17 | #define MLD_NATIVE_X86_64_SRC_CONSTS_H 18 | /* 19 | * This file is derived from the public domain 20 | * AVX2 Dilithium implementation @[REF_AVX2]. 
21 | */ 22 | 23 | #include "../../../common.h" 24 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XQ 0 25 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XQINV 8 26 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XDIV_QINV 16 27 | #define MLD_AVX2_BACKEND_DATA_OFFSET_8XDIV 24 28 | #define MLD_AVX2_BACKEND_DATA_OFFSET_ZETAS_QINV 32 29 | #define MLD_AVX2_BACKEND_DATA_OFFSET_ZETAS 328 30 | 31 | 32 | #ifndef __ASSEMBLER__ 33 | #include "align.h" 34 | typedef MLD_ALIGNED_INT32(624) qdata_t; 35 | #define mld_qdata MLD_NAMESPACE(qdata) 36 | extern const qdata_t mld_qdata; 37 | #endif /* !__ASSEMBLER__ */ 38 | 39 | #endif /* !MLD_NATIVE_X86_64_SRC_CONSTS_H */ 40 | -------------------------------------------------------------------------------- /nix/cbmc/default.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | { buildEnv 5 | , cbmc 6 | , fetchFromGitHub 7 | , callPackage 8 | , bitwuzla 9 | , ninja 10 | , cadical 11 | , z3 12 | , cudd 13 | , replaceVars 14 | , fetchpatch 15 | }: 16 | 17 | buildEnv { 18 | name = "pqcp-cbmc"; 19 | paths = 20 | builtins.attrValues { 21 | cbmc = cbmc.overrideAttrs (old: rec { 22 | version = "6.8.0"; 23 | src = fetchFromGitHub { 24 | owner = "diffblue"; 25 | repo = "cbmc"; 26 | hash = "sha256-PT6AYiwkplCeyMREZnGZA0BKl4ZESRC02/9ibKg7mYU="; 27 | tag = "cbmc-6.8.0"; 28 | }; 29 | }); 30 | litani = callPackage ./litani.nix { }; # 1.29.0 31 | cbmc-viewer = callPackage ./cbmc-viewer.nix { }; # 3.11 32 | z3 = z3.overrideAttrs (old: rec { 33 | version = "4.15.3"; 34 | src = fetchFromGitHub { 35 | owner = "Z3Prover"; 36 | repo = "z3"; 37 | rev = "z3-4.15.3"; 38 | hash = "sha256-Lw037Z0t0ySxkgMXkbjNW5CB4QQLRrrSEBsLJqiomZ4="; 39 | }; 40 | }); 41 | 42 | inherit 43 | cadical#2.1.3 44 | bitwuzla# 0.8.2 45 | ninja; # 1.12.1 46 | }; 47 | } 48 | 
-------------------------------------------------------------------------------- /nix/hol_light/default.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | { hol_light, fetchFromGitHub, writeText, ocamlPackages, ledit, ... }: 6 | hol_light.overrideAttrs (old: { 7 | setupHook = writeText "setup-hook.sh" '' 8 | export HOLDIR="$1/lib/hol_light" 9 | export HOLLIGHT_DIR="$1/lib/hol_light" 10 | export PATH="$1/lib/hol_light:$PATH" 11 | ''; 12 | version = "unstable-2025-09-22"; 13 | src = fetchFromGitHub { 14 | owner = "jrh13"; 15 | repo = "hol-light"; 16 | rev = "bed58fa74649fa74015176f8f90e77f7af5cf8e3"; 17 | hash = "sha256-QDubbUUChvv04239BdcKPSU+E2gdSzqAWfAETK2Xtg0="; 18 | }; 19 | patches = [ 20 | ./0005-Configure-hol-sh-for-mldsa-native.patch 21 | ./0006-Add-findlib-to-ocaml-hol.patch 22 | ]; 23 | propagatedBuildInputs = old.propagatedBuildInputs ++ old.nativeBuildInputs ++ [ ocamlPackages.pcre2 ledit ]; 24 | buildPhase = '' 25 | HOLLIGHT_USE_MODULE=1 make hol.sh 26 | patchShebangs hol.sh 27 | HOLLIGHT_USE_MODULE=1 make 28 | ''; 29 | installPhase = '' 30 | mkdir -p "$out/lib/hol_light" 31 | cp -a . 
$out/lib/hol_light 32 | sed "s^__DIR__^$out/lib/hol_light^g; s^__USE_MODULE__^1^g" hol_4.14.sh > hol.sh 33 | mv hol.sh $out/lib/hol_light/ 34 | ''; 35 | }) 36 | -------------------------------------------------------------------------------- /nix/slothy/default.nix: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | { stdenvNoCC 6 | , fetchFromGitHub 7 | , python3 8 | , pkgs 9 | , llvm 10 | , gcc 11 | }: 12 | 13 | let 14 | pythonEnv = python3.withPackages (ps: with ps; [ 15 | ortools 16 | sympy 17 | unicorn 18 | ]); 19 | in 20 | stdenvNoCC.mkDerivation rec { 21 | pname = "slothy-cli"; 22 | version = "08ead1f2e5d07617025e00152d1a701fb1195eb9"; 23 | src = fetchFromGitHub { 24 | owner = "slothy-optimizer"; 25 | repo = "slothy"; 26 | rev = version; 27 | sha256 = "sha256-yZ4ZW2S946VJUNNHlO4hFBNpPfIJpCjNbaWTiLmz/Js="; 28 | }; 29 | 30 | nativeBuildInputs = [ pkgs.makeWrapper ]; 31 | dontConfigure = true; 32 | 33 | installPhase = '' 34 | mkdir -p $out/bin 35 | cp slothy-cli $out/bin/ 36 | cp -r slothy $out/bin 37 | wrapProgram $out/bin/slothy-cli \ 38 | --set DYLD_LIBRARY_PATH ${pythonEnv}/lib \ 39 | --set PYTHONPATH ${pythonEnv}/bin \ 40 | --run exec 41 | ''; 42 | 43 | dontStrip = true; 44 | noAuditTmpdir = true; 45 | propagatedBuildInputs = [ pythonEnv llvm gcc ]; 46 | 47 | meta = { 48 | description = "Slothy: assembly-level superoptimizer"; 49 | homepage = "https://slothy-optimizer.github.io/slothy/"; 50 | }; 51 | } 52 | -------------------------------------------------------------------------------- /dev/aarch64_opt/src/polyz_unpack_table.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #include 
"../../../common.h" 7 | 8 | #if defined(MLD_ARITH_BACKEND_AARCH64) && \ 9 | !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 10 | 11 | #include 12 | #include "arith_native_aarch64.h" 13 | 14 | /* Table of indices used for tbl instructions in polyz_unpack_{17,19}. */ 15 | 16 | MLD_ALIGN const uint8_t mld_polyz_unpack_17_indices[] = { 17 | 0, 1, 2, 255, 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 18 | 9, 10, 11, 255, 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 19 | 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 8, 9, 10, 255, 20 | 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 17, 18, 19, 255, 21 | }; 22 | 23 | MLD_ALIGN const uint8_t mld_polyz_unpack_19_indices[] = { 24 | 0, 1, 2, 255, 2, 3, 4, 255, 5, 6, 7, 255, 7, 8, 9, 255, 25 | 10, 11, 12, 255, 12, 13, 14, 255, 15, 16, 17, 255, 17, 18, 19, 255, 26 | 4, 5, 6, 255, 6, 7, 8, 255, 9, 10, 11, 255, 11, 12, 13, 255, 27 | 14, 15, 16, 255, 16, 17, 18, 255, 19, 20, 21, 255, 21, 22, 23, 255, 28 | }; 29 | 30 | #else /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 31 | 32 | MLD_EMPTY_CU(aarch64_polyz_unpack_table) 33 | 34 | #endif /* !(MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED) */ 35 | -------------------------------------------------------------------------------- /dev/aarch64_clean/src/polyz_unpack_table.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #include "../../../common.h" 7 | 8 | #if defined(MLD_ARITH_BACKEND_AARCH64) && \ 9 | !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 10 | 11 | #include 12 | #include "arith_native_aarch64.h" 13 | 14 | /* Table of indices used for tbl instructions in polyz_unpack_{17,19}. 
*/ 15 | 16 | MLD_ALIGN const uint8_t mld_polyz_unpack_17_indices[] = { 17 | 0, 1, 2, 255, 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 18 | 9, 10, 11, 255, 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 19 | 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 8, 9, 10, 255, 20 | 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 17, 18, 19, 255, 21 | }; 22 | 23 | MLD_ALIGN const uint8_t mld_polyz_unpack_19_indices[] = { 24 | 0, 1, 2, 255, 2, 3, 4, 255, 5, 6, 7, 255, 7, 8, 9, 255, 25 | 10, 11, 12, 255, 12, 13, 14, 255, 15, 16, 17, 255, 17, 18, 19, 255, 26 | 4, 5, 6, 255, 6, 7, 8, 255, 9, 10, 11, 255, 11, 12, 13, 255, 27 | 14, 15, 16, 255, 16, 17, 18, 255, 19, 20, 21, 255, 21, 22, 23, 255, 28 | }; 29 | 30 | #else /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 31 | 32 | MLD_EMPTY_CU(aarch64_polyz_unpack_table) 33 | 34 | #endif /* !(MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED) */ 35 | -------------------------------------------------------------------------------- /mldsa/src/native/aarch64/src/polyz_unpack_table.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | #include "../../../common.h" 7 | 8 | #if defined(MLD_ARITH_BACKEND_AARCH64) && \ 9 | !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 10 | 11 | #include 12 | #include "arith_native_aarch64.h" 13 | 14 | /* Table of indices used for tbl instructions in polyz_unpack_{17,19}. 
*/ 15 | 16 | MLD_ALIGN const uint8_t mld_polyz_unpack_17_indices[] = { 17 | 0, 1, 2, 255, 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 18 | 9, 10, 11, 255, 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 19 | 2, 3, 4, 255, 4, 5, 6, 255, 6, 7, 8, 255, 8, 9, 10, 255, 20 | 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 17, 18, 19, 255, 21 | }; 22 | 23 | MLD_ALIGN const uint8_t mld_polyz_unpack_19_indices[] = { 24 | 0, 1, 2, 255, 2, 3, 4, 255, 5, 6, 7, 255, 7, 8, 9, 255, 25 | 10, 11, 12, 255, 12, 13, 14, 255, 15, 16, 17, 255, 17, 18, 19, 255, 26 | 4, 5, 6, 255, 6, 7, 8, 255, 9, 10, 11, 255, 11, 12, 13, 255, 27 | 14, 15, 16, 255, 16, 17, 18, 255, 19, 20, 21, 255, 21, 22, 23, 255, 28 | }; 29 | 30 | #else /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 31 | 32 | MLD_EMPTY_CU(aarch64_polyz_unpack_table) 33 | 34 | #endif /* !(MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED) */ 35 | -------------------------------------------------------------------------------- /examples/basic/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # Basic build 4 | 5 | This directory contains a minimal example for how to build mldsa-native for a single security level. 6 | 7 | ## Use Case 8 | 9 | Use this approach when: 10 | - You need only one ML-DSA parameter set (44, 65, or 87) 11 | - You want to build the mldsa-native C files separately, not as a single compilation unit. 12 | - You're using C only, no native backends. 13 | 14 | ## Components 15 | 16 | 1. mldsa-native source tree: [`mldsa/src/`](../../mldsa/src) and [`mldsa/src/fips202/`](../../mldsa/src/fips202) 17 | 2. A secure random number generator implementing [`randombytes.h`](../../mldsa/src/randombytes.h) 18 | 3. 
Your application source code 19 | 20 | ## Configuration 21 | 22 | The configuration file [mldsa_native_config.h](mldsa_native/mldsa_native_config.h) sets: 23 | - `MLD_CONFIG_PARAMETER_SET`: Security level (44, 65, or 87). Default is 65. 24 | - `MLD_CONFIG_NAMESPACE_PREFIX`: Symbol prefix for the API. Set to `mldsa` in this example. 25 | 26 | To change the security level, modify `MLD_CONFIG_PARAMETER_SET` in the config file or pass it via CFLAGS. 27 | 28 | ## Usage 29 | 30 | ```bash 31 | make build # Build the example 32 | make run # Run the example 33 | ``` 34 | 35 | ## Warning 36 | 37 | The `randombytes()` implementation in `test_only_rng/` is for TESTING ONLY. 38 | You MUST provide a cryptographically secure RNG for production use. 39 | -------------------------------------------------------------------------------- /dev/aarch64_opt/README.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # AArch64 backend (little endian) 4 | 5 | This directory contains a native backend for little endian AArch64 systems. It is derived from [^NeonNTT] [^SLOTHY_Paper]. 6 | 7 | ## Variants 8 | 9 | This backend comes in two versions: "clean" and optimized. The "clean" backend is handwritten and meant to be easy to read and modify; for example, it heavily leverages register aliases and assembly macros. This directory contains the optimized version, which is automatically generated from the clean one via [SLOTHY](https://github.com/slothy-optimizer/slothy). Currently, the target architecture is Neoverse N1, but you can easily re-optimize the code for a different microarchitecture supported by SLOTHY, by adjusting the parameters in the [Makefile](src/Makefile). 10 | 11 | Performance on in-order CPUs such as the Arm Cortex-A55 can be significantly improved by re-optimizing for the specific CPU which may, however, degrade performance on other CPUs. 
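12 | 13 | 14 | [^NeonNTT]: Becker, Hwang, Kannwischer, Yang, Yang: Neon NTT: Faster Dilithium, Kyber, and Saber on Cortex-A72 and Apple M1, [https://eprint.iacr.org/2021/986](https://eprint.iacr.org/2021/986) 15 | [^SLOTHY_Paper]: Abdulrahman, Becker, Kannwischer, Klein: Fast and Clean: Auditable high-performance assembly via constraint solving, [https://eprint.iacr.org/2022/1303](https://eprint.iacr.org/2022/1303) 16 | -------------------------------------------------------------------------------- /test/baremetal/platform/m55-an547/exec_wrapper.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
# Copyright (c) The mldsa-native project authors
# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT

"""Run a bare-metal test binary under QEMU's mps3-an547 board model.

Usage: exec_wrapper.py BINARY [ARG ...]

The guest firmware has no command line of its own, so argv is serialised
into a small blob that QEMU loads into guest memory at CMDLINE_OFFSET via a
generic loader device. Blob layout (all integers little-endian):

    u32  argc
    u32  argv[argc]     guest addresses of the NUL-terminated strings
    char strings[]      argv[0] == BINARY, then ARG ...

BINARY itself is passed as argv[0], mirroring a hosted C runtime.
Guest stdout is echoed line by line; a non-zero QEMU exit code (or a hit
timeout, see EXEC_WRAPPER_TIMEOUT) is reported on stderr and makes this
script exit with status 1.
"""

import os
import struct as st
import subprocess
import sys
import tempfile

# Guest address at which the firmware expects the serialised command line.
# NOTE(review): must match the address the firmware start-up code reads from.
CMDLINE_OFFSET = 0x70000


def err(msg, **kwargs):
    """Print *msg* to stderr; keyword arguments are forwarded to print()."""
    print(msg, file=sys.stderr, **kwargs)


def timeout_from_env():
    """Optional wall-clock limit for the QEMU run, in seconds.

    Read from EXEC_WRAPPER_TIMEOUT. Unset or empty means no limit, which is
    the historical behaviour of this wrapper (a hung firmware then stalls
    the job forever, so CI is encouraged to set it). Returns None or a
    positive float; raises ValueError on anything else so a typo in the CI
    configuration fails loudly instead of silently disabling the limit.
    """
    raw = os.environ.get("EXEC_WRAPPER_TIMEOUT", "").strip()
    if not raw:
        return None
    seconds = float(raw)
    if seconds <= 0:
        raise ValueError("EXEC_WRAPPER_TIMEOUT must be a positive number of seconds")
    return seconds


def pack_cmdline(args, base):
    """Serialise *args* into the argc/argv blob described in the module docstring.

    args: list of str with argv[0] first; must be non-empty.
    base: guest address the blob will be loaded at; the argv pointers are
          absolute guest addresses derived from it.
    Returns the blob as bytes.
    Raises ValueError if args is empty or an entry contains a NUL byte,
    which the NUL-terminated string area cannot represent.
    """
    if not args:
        raise ValueError("argv must contain at least the binary name")
    encoded = [a.encode("utf-8") for a in args]
    if any(b"\x00" in a for a in encoded):
        raise ValueError("argv entries must not contain NUL bytes")

    # The string area starts right after argc and the argc pointer slots.
    strings_base = base + 4 + len(encoded) * 4

    # Strings are laid out back to back, each followed by one NUL.
    offsets = []
    cursor = strings_base
    for a in encoded:
        offsets.append(cursor)
        cursor += len(a) + 1

    # "<Ns" pads with NULs up to N bytes, so len+1 supplies the terminator.
    fmt = f"<{1 + len(encoded)}I" + "".join(f"{len(a) + 1}s" for a in encoded)
    return st.pack(fmt, len(encoded), *offsets, *encoded)


def main(argv):
    """Entry point. argv is sys.argv: argv[1] = binary path, rest = guest args.

    Returns the process exit status (0 success, 1 guest/QEMU failure,
    2 usage error).
    """
    if len(argv) < 2:
        err(f"usage: {argv[0]} BINARY [ARG ...]")
        return 2

    binpath = argv[1]
    args = argv[1:]

    # Serialise before creating the temp file so a packing error cannot
    # leave a stray file behind.
    blob = pack_cmdline(args, CMDLINE_OFFSET)
    with tempfile.NamedTemporaryFile(mode="wb", delete=False, suffix=".bin") as fd:
        args_file = fd.name
        fd.write(blob)

    # Build the command as a list instead of .split()-ing a formatted string:
    # a binary or temp-file path containing whitespace would otherwise be
    # torn into several arguments.
    qemu_cmd = [
        "qemu-system-arm",
        "-M", "mps3-an547",
        "-nographic",
        "-semihosting",
        "-kernel", binpath,
        "-device", f"loader,file={args_file},addr=0x{CMDLINE_OFFSET:x}",
    ]
    timeout = timeout_from_env()

    try:
        result = subprocess.run(
            qemu_cmd,
            encoding="utf-8",
            capture_output=True,
            timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed QEMU at this point.
        err("FAIL!")
        err(f"{qemu_cmd} did not finish within {timeout} seconds")
        return 1
    finally:
        os.unlink(args_file)

    if result.returncode != 0:
        err("FAIL!")
        err(f"{qemu_cmd} failed with error code {result.returncode}")
        err(result.stderr)
        return 1

    for line in result.stdout.splitlines():
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
-------------------------------------------------------------------------------- /.github/actions/setup-os/action.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mlkem-native project authors 2 | # Copyright (c) The mldsa-native project authors 3 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | 5 | name: Setup OS 6 | description: Setup OS 7 | 8 | inputs: 9 | packages: 10 | description: Space-separated list of additional packages to install 11 | required: false 12 | default: '' 13 | sudo: 14 | required: false 15 | default: 'sudo' 16 | 17 | runs: 18 | using: composite 19 | steps: 20 | - name: Detect OS 21 | shell: bash 22 | run: | 23 | if (which yum > /dev/null); then 24 | echo PKG="yum" >> $GITHUB_ENV 25 | elif (which brew > /dev/null); then 26 | echo PKG="brew" >> $GITHUB_ENV 27 | elif (which apt > /dev/null); then 28 | echo PKG="apt" >> $GITHUB_ENV 29 | fi 30 | - name: Setup via yum 31 | if: ${{ env.PKG == 'yum' }} 32 | uses: ./.github/actions/setup-yum 33 | with: 34 | packages: ${{ inputs.packages }} 35 | sudo: ${{ inputs.sudo }} 36 | - name: Setup via apt 37 | if: ${{ env.PKG == 'apt' }} 38 | uses: ./.github/actions/setup-apt 39 | with: 40 | packages: ${{ inputs.packages }} 41 | sudo: ${{ inputs.sudo }} 42 | - name: Setup via brew 43 | if: ${{ env.PKG == 'brew' }} 44 | uses: ./.github/actions/setup-brew 45 | with: 46 | packages: ${{ inputs.packages }} 47 | sudo: ${{ inputs.sudo }} 48 | -------------------------------------------------------------------------------- /examples/bring_your_own_fips202/custom_fips202/tiny_sha3/sha3.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT 2 | * 3 | * sha3.h 4 | * 19-Nov-11 Markku-Juhani O. 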
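Saarinen */

/*
 * Compact SHA-3 / SHAKE implementation (tiny_sha3), shipped here as the
 * "bring your own FIPS 202" example backend.
 *
 * NOTE(review): the symbols declared below carry no namespace prefix, so
 * sha3_*, shake_* and the shake*_init macros will collide with any other
 * SHA-3 library linked into the same program. The copy of this header under
 * examples/custom_backend renames everything with a tiny_ prefix for exactly
 * that reason; applications reusing this file should do the same.
 */

#ifndef SHA3_H
#define SHA3_H

#include <stddef.h> /* size_t */
#include <stdint.h> /* uint8_t, uint64_t */

/* Number of Keccak-f[1600] rounds. 24 is the standard value; do not lower
 * it outside of testing, it directly reduces the security margin. */
#ifndef KECCAKF_ROUNDS
#define KECCAKF_ROUNDS 24
#endif

/*
 * 64-bit rotate left. The count must satisfy 0 < y < 64: y == 0 makes the
 * right shift a shift by 64, and y >= 64 a left shift by 64 or more, both
 * undefined behaviour in C. The Keccak rho offsets this is presumably used
 * with all lie in 1..63; do not reuse the macro with a variable count that
 * can be 0 without masking it.
 */
#ifndef ROTL64
#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y))))
#endif

/* state context */
typedef struct
{
  union
  { /* state: */
    uint8_t b[200];  /* 8-bit bytes */
    uint64_t q[25];  /* 64-bit words */
  } st;
  /*
   * pt:    byte position inside the current block (absorb/squeeze cursor)
   * rsiz:  rate in bytes
   * mdlen: digest length in bytes (for SHAKE: the value passed to init)
   * NOTE(review): field meanings are inferred from the API below, confirm
   * against sha3.c; "these don't overflow" holds because each is bounded
   * by the 200-byte state.
   */
  int pt, rsiz, mdlen; /* these don't overflow */
} sha3_ctx_t;

/* Compression function: Keccak-f[1600] applied in place to the 25 lanes. */
void sha3_keccakf(uint64_t st[25]);

/* OpenSSL-like interface */
int sha3_init(sha3_ctx_t *c, int mdlen); /* mdlen = hash output in bytes */
int sha3_update(sha3_ctx_t *c, const void *data, size_t len);
int sha3_final(void *md, sha3_ctx_t *c); /* digest goes to md */

/* compute a sha3 hash (md) of given byte length from "in" */
void *sha3(const void *in, size_t inlen, void *md, int mdlen);

/*
 * SHAKE128 and SHAKE256 extensible-output functions.
 * The "digest length" handed to sha3_init here (16 resp. 32) is what
 * selects the SHAKE128 / SHAKE256 rate (presumably rsiz = 200 - 2*mdlen,
 * confirm in sha3.c); it is not an output length. Output is produced on
 * demand by shake_out, as many bytes as requested, after shake_xof has
 * closed the absorb phase.
 */
#define shake128_init(c) sha3_init(c, 16)
#define shake256_init(c) sha3_init(c, 32)
#define shake_update sha3_update

void shake_xof(sha3_ctx_t *c);
void shake_out(sha3_ctx_t *c, void *out, size_t len);

#endif /* !SHA3_H */
-------------------------------------------------------------------------------- /dev/x86_64/src/poly_chknorm_avx2.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | /* References 7 | * ========== 8 | * 9 | * - [REF_AVX2] 10 | * CRYSTALS-Dilithium optimized AVX2 implementation 11 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 12 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 13 | */ 14 | 15 | /* 16 | * This file is derived from the public domain 17 | * AVX2 Dilithium 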
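implementation @[REF_AVX2].
 */

#include "../../../common.h"

#if defined(MLD_ARITH_BACKEND_X86_64_DEFAULT) && \
    !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)

#include <immintrin.h>
#include <stdint.h>
#include "arith_native_x86_64.h"

/*
 * mld_poly_chknorm_avx2: infinity-norm check on one polynomial.
 *
 * Arguments:
 *   a - MLDSA_N int32 coefficients viewed as MLDSA_N/8 AVX2 vectors; the
 *       buffer must be 32-byte aligned (aligned load _mm256_load_si256).
 *   B - the bound, must be positive (B - 1 is formed in int32 arithmetic).
 *
 * Returns 1 if some coefficient c satisfies |c| >= B, and 0 otherwise.
 * Each lane is compared as |c| > B - 1, which is the same predicate.
 *
 * Precondition: no coefficient equals INT32_MIN. _mm256_abs_epi32 maps
 * INT32_MIN to itself, and the signed compare would then treat it as below
 * the bound, so such a value would NOT be flagged. NOTE(review): callers
 * are expected to pass reduced coefficients of magnitude far below 2^31;
 * confirm at the call sites, nothing here enforces it.
 *
 * There is no early exit: all MLDSA_N/8 vectors are scanned and the lane
 * masks are OR-folded before a single test, so the running time does not
 * depend on where, or whether, an out-of-bound coefficient occurs.
 */
int mld_poly_chknorm_avx2(const __m256i *a, int32_t B)
{
  unsigned int i;
  __m256i f, t;
  const __m256i bound = _mm256_set1_epi32(B - 1);

  t = _mm256_setzero_si256();
  for (i = 0; i < MLDSA_N / 8; i++)
  {
    f = _mm256_load_si256(&a[i]);
    f = _mm256_abs_epi32(f);
    /* all-ones lane where |c| > B - 1, i.e. |c| >= B */
    f = _mm256_cmpgt_epi32(f, bound);
    t = _mm256_or_si256(t, f);
  }

  /* testz returns 1 when t is entirely zero, i.e. no lane was flagged. */
  return 1 - _mm256_testz_si256(t, t);
}

#else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \
       */

MLD_EMPTY_CU(avx2_poly_chknorm)

#endif /* !(MLD_ARITH_BACKEND_X86_64_DEFAULT && \
          !MLD_CONFIG_MULTILEVEL_NO_SHARED) */
-------------------------------------------------------------------------------- /mldsa/src/native/x86_64/src/poly_chknorm_avx2.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | 6 | /* References 7 | * ========== 8 | * 9 | * - [REF_AVX2] 10 | * CRYSTALS-Dilithium optimized AVX2 implementation 11 | * Bai, Ducas, Kiltz, Lepoint, Lyubashevsky, Schwabe, Seiler, Stehlé 12 | * https://github.com/pq-crystals/dilithium/tree/master/avx2 13 | */ 14 | 15 | /* 16 | * This file is derived from the public domain 17 | * AVX2 Dilithium implementation @[REF_AVX2]. 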
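*/

#include "../../../common.h"

#if defined(MLD_ARITH_BACKEND_X86_64_DEFAULT) && \
    !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)

#include <immintrin.h>
#include <stdint.h>
#include "arith_native_x86_64.h"

/*
 * mld_poly_chknorm_avx2: infinity-norm check on one polynomial.
 *
 * Arguments:
 *   a - MLDSA_N int32 coefficients viewed as MLDSA_N/8 AVX2 vectors; the
 *       buffer must be 32-byte aligned (aligned load _mm256_load_si256).
 *   B - the bound, must be positive (B - 1 is formed in int32 arithmetic).
 *
 * Returns 1 if some coefficient c satisfies |c| >= B, and 0 otherwise.
 * Each lane is compared as |c| > B - 1, which is the same predicate.
 *
 * Precondition: no coefficient equals INT32_MIN. _mm256_abs_epi32 maps
 * INT32_MIN to itself, and the signed compare would then treat it as below
 * the bound, so such a value would NOT be flagged. NOTE(review): callers
 * are expected to pass reduced coefficients of magnitude far below 2^31;
 * confirm at the call sites, nothing here enforces it.
 *
 * There is no early exit: all MLDSA_N/8 vectors are scanned and the lane
 * masks are OR-folded before a single test, so the running time does not
 * depend on where, or whether, an out-of-bound coefficient occurs.
 */
int mld_poly_chknorm_avx2(const __m256i *a, int32_t B)
{
  unsigned int i;
  __m256i f, t;
  const __m256i bound = _mm256_set1_epi32(B - 1);

  t = _mm256_setzero_si256();
  for (i = 0; i < MLDSA_N / 8; i++)
  {
    f = _mm256_load_si256(&a[i]);
    f = _mm256_abs_epi32(f);
    /* all-ones lane where |c| > B - 1, i.e. |c| >= B */
    f = _mm256_cmpgt_epi32(f, bound);
    t = _mm256_or_si256(t, f);
  }

  /* testz returns 1 when t is entirely zero, i.e. no lane was flagged. */
  return 1 - _mm256_testz_si256(t, t);
}

#else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \
       */

MLD_EMPTY_CU(avx2_poly_chknorm)

#endif /* !(MLD_ARITH_BACKEND_X86_64_DEFAULT && \
          !MLD_CONFIG_MULTILEVEL_NO_SHARED) */
-------------------------------------------------------------------------------- /STDLIB.md: -------------------------------------------------------------------------------- 1 | [//]: # (SPDX-License-Identifier: CC-BY-4.0) 2 | 3 | # Standard Library Dependencies 4 | 5 | mldsa-native has minimal dependencies on the C standard library. This document lists all stdlib functions used and configuration options for custom replacements. 6 | 7 | ## Dependencies 8 | 9 | ### Memory Functions 10 | - **memcpy**: Used extensively for copying data structures, keys, and intermediate values (40+ occurrences) 11 | - **memset**: Used for zeroing state structures and buffers (3 occurrences). 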
**Note**: This is NOT used for security-critical zeroing - that is handled by `mld_zeroize` which has its own custom replacement mechanism 12 | 13 | ### Debug Functions (MLDSA_DEBUG builds only) 14 | - **fprintf**: Used in debug.c for error reporting to stderr 15 | - **exit**: Used in debug.c to terminate on assertion failures 16 | 17 | ## Custom Replacements 18 | 19 | Custom replacements can be provided for memory functions using the configuration options in `mldsa/src/config.h`: 20 | 21 | ### MLD_CONFIG_CUSTOM_MEMCPY 22 | Replaces all `memcpy` calls with a custom implementation. When enabled, you must define a `mld_memcpy` function with the same signature as the standard `memcpy`. 23 | 24 | ### MLD_CONFIG_CUSTOM_MEMSET 25 | Replaces all `memset` calls with a custom implementation. When enabled, you must define a `mld_memset` function with the same signature as the standard `memset`. 26 | 27 | See the configuration examples in `mldsa/src/config.h` and test configurations in `test/custom_*_config.h` for usage examples and implementation requirements. 
28 | -------------------------------------------------------------------------------- /test/hal/hal.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * Copyright (c) The mlkem-native project authors 4 | * Copyright (c) 2022 Arm Limited 5 | * SPDX-License-Identifier: MIT 6 | * 7 | * Permission is hereby granted, free of charge, to any person obtaining a copy 8 | * of this software and associated documentation files (the "Software"), to deal 9 | * in the Software without restriction, including without limitation the rights 10 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 11 | * copies of the Software, and to permit persons to whom the Software is 12 | * furnished to do so, subject to the following conditions: 13 | * 14 | * The above copyright notice and this permission notice shall be included in 15 | * all copies or substantial portions of the Software. 16 | * 17 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 22 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 23 | * SOFTWARE. 
24 | * 25 | */ 26 | #ifndef HAL_H 27 | #define HAL_H 28 | 29 | #include 30 | 31 | void enable_cyclecounter(void); 32 | void disable_cyclecounter(void); 33 | uint64_t get_cyclecounter(void); 34 | 35 | #endif /* !HAL_H */ 36 | -------------------------------------------------------------------------------- /examples/custom_backend/mldsa_native/src/fips202/native/custom/src/sha3.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: MIT 2 | * 3 | * sha3.h 4 | * 19-Nov-11 Markku-Juhani O. Saarinen */ 5 | 6 | #ifndef SHA3_H 7 | #define SHA3_H 8 | 9 | #include 10 | #include 11 | 12 | #ifndef KECCAKF_ROUNDS 13 | #define KECCAKF_ROUNDS 24 14 | #endif 15 | 16 | #ifndef ROTL64 17 | #define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y)))) 18 | #endif 19 | 20 | /* state context */ 21 | typedef struct 22 | { 23 | union 24 | { /* state: */ 25 | uint8_t b[200]; /* 8-bit bytes */ 26 | uint64_t q[25]; /* 64-bit words */ 27 | } st; 28 | int pt, rsiz, mdlen; /* these don't overflow */ 29 | } sha3_ctx_t; 30 | 31 | /* Compression function. 
*/ 32 | void tiny_sha3_keccakf(uint64_t st[25]); 33 | 34 | /* OpenSSL - like interfece */ 35 | int tiny_sha3_init(sha3_ctx_t *c, int mdlen); /* mdlen = hash output in bytes */ 36 | int tiny_sha3_update(sha3_ctx_t *c, const void *data, size_t len); 37 | int tiny_sha3_final(void *md, sha3_ctx_t *c); /* digest goes to md */ 38 | 39 | /* compute a sha3 hash (md) of given byte length from "in" */ 40 | void *tiny_sha3(const void *in, size_t inlen, void *md, int mdlen); 41 | 42 | /* SHAKE128 and SHAKE256 extensible-output functions */ 43 | #define tiny_shake128_init(c) tiny_sha3_init(c, 16) 44 | #define tiny_shake256_init(c) tiny_sha3_init(c, 32) 45 | #define tiny_shake_update tiny_sha3_update 46 | 47 | void tiny_shake_xof(sha3_ctx_t *c); 48 | void tiny_shake_out(sha3_ctx_t *c, void *out, size_t len); 49 | 50 | #endif /* !SHA3_H */ 51 | -------------------------------------------------------------------------------- /mldsa/src/native/aarch64/src/poly_caddq_asm.S: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | #include "../../../common.h" 6 | 7 | #if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 8 | 9 | /* 10 | * WARNING: This file is auto-derived from the mldsa-native source file 11 | * dev/aarch64_opt/src/poly_caddq_asm.S using scripts/simpasm. Do not modify it directly. 
12 | */ 13 | /* poly_caddq_asm(x0): conditional add of q = 8380417 (0x7fe001, built below by mov/movk) to every negative coefficient of one polynomial, in place. Register use: x0 = coefficient pointer, post-incremented by 64 bytes (16 lanes) per iteration; x1 = loop counter, 16 iterations x 4 vectors x 4 lanes = 256 coefficients; w9/v4 = q broadcast to all lanes; v5 = per-lane sign bit. Per lane "ushr #31" yields 1 for a negative value and 0 otherwise, and "mla" adds that times q, so an input in (-q, q) is mapped to [0, q) with no data-dependent branch; the only control flow is the fixed-count loop, so timing does not depend on the coefficient values. Clobbers x1, x9, v0-v5 and flags, all caller-saved under AAPCS64. NOTE(review): this file is generated from dev/aarch64_opt/src/poly_caddq_asm.S; land any comment or code change there and regenerate rather than editing this copy. */ 14 | #if defined(__ELF__) 15 | .section .note.GNU-stack,"",@progbits 16 | #endif 17 | 18 | .text 19 | .balign 4 20 | .global MLD_ASM_NAMESPACE(poly_caddq_asm) 21 | MLD_ASM_FN_SYMBOL(poly_caddq_asm) 22 | 23 | .cfi_startproc 24 | mov w9, #0xe001 // =57345 25 | movk w9, #0x7f, lsl #16 26 | dup v4.4s, w9 27 | mov x1, #0x10 // =16 28 | 29 | Lpoly_caddq_loop: 30 | ldr q0, [x0] 31 | ldr q1, [x0, #0x10] 32 | ldr q2, [x0, #0x20] 33 | ldr q3, [x0, #0x30] 34 | ushr v5.4s, v0.4s, #0x1f 35 | mla v0.4s, v5.4s, v4.4s 36 | ushr v5.4s, v1.4s, #0x1f 37 | mla v1.4s, v5.4s, v4.4s 38 | ushr v5.4s, v2.4s, #0x1f 39 | mla v2.4s, v5.4s, v4.4s 40 | ushr v5.4s, v3.4s, #0x1f 41 | mla v3.4s, v5.4s, v4.4s 42 | str q1, [x0, #0x10] 43 | str q2, [x0, #0x20] 44 | str q3, [x0, #0x30] 45 | str q0, [x0], #0x40 /* post-index: advance x0 to the next 16 coefficients */ 46 | subs x1, x1, #0x1 47 | b.ne Lpoly_caddq_loop 48 | ret 49 | .cfi_endproc 50 | 51 | #endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 52 | -------------------------------------------------------------------------------- /test/baremetal/platform/m55-an547/platform.mk: -------------------------------------------------------------------------------- 1 | # Copyright (c) The mldsa-native project authors 2 | # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 3 | 4 | PLATFORM_PATH:=test/baremetal/platform/m55-an547 5 | 6 | CROSS_PREFIX=arm-none-eabi- 7 | CC=gcc 8 | 9 | CFLAGS += \ 10 | -O3 \ 11 | -Wall -Wextra -Wshadow \ 12 | -Wno-pedantic \ 13 | -Wno-redundant-decls \ 14 | -Wno-missing-prototypes \ 15 | -fno-common \ 16 | -ffunction-sections \ 17 | -fdata-sections \ 18 | --sysroot=$(SYSROOT) \ 19 | -DDEVICE=an547 \ 20 | -I$(M55_AN547_PATH) \ 21 | -DARMCM55 \ 22 | -DSEMIHOSTING 23 | 24 | ARCH_FLAGS += \ 25 | -march=armv8.1-m.main+mve.fp \ 26 | -mcpu=cortex-m55 \ 27 | -mthumb \ 28 | -mfloat-abi=hard -mfpu=fpv4-sp-d16 29 | 30 | CFLAGS += \ 31 | $(ARCH_FLAGS) \ 32 | --specs=nosys.specs 33 | 34 | CFLAGS += $(CFLAGS_EXTRA) 35 | 36 | LDSCRIPT = 
$(M55_AN547_PATH)/mps3.ld 37 | 38 | LDFLAGS += \ 39 | -Wl,--gc-sections \ 40 | -Wl,--no-warn-rwx-segments \ 41 | -L. 42 | 43 | LDFLAGS += \ 44 | --specs=nosys.specs \ 45 | -Wl,--wrap=_open \ 46 | -Wl,--wrap=_close \ 47 | -Wl,--wrap=_read \ 48 | -Wl,--wrap=_write \ 49 | -Wl,--wrap=_fstat \ 50 | -Wl,--wrap=_getpid \ 51 | -Wl,--wrap=_isatty \ 52 | -Wl,--wrap=_kill \ 53 | -Wl,--wrap=_lseek \ 54 | -Wl,--wrap=main \ 55 | -ffreestanding \ 56 | -T$(LDSCRIPT) \ 57 | $(ARCH_FLAGS) 58 | 59 | # Extra sources to be included in test binaries 60 | EXTRA_SOURCES = $(wildcard $(M55_AN547_PATH)/*.c) 61 | # The CMSIS files fail compilation if conversion warnings are enabled 62 | EXTRA_SOURCES_CFLAGS = -Wno-conversion -Wno-sign-conversion 63 | 64 | EXEC_WRAPPER := $(realpath $(PLATFORM_PATH)/exec_wrapper.py) 65 | -------------------------------------------------------------------------------- /mldsa/src/native/aarch64/src/poly_chknorm_asm.S: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) The mldsa-native project authors 3 | * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT 4 | */ 5 | #include "../../../common.h" 6 | 7 | #if defined(MLD_ARITH_BACKEND_AARCH64) && !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED) 8 | 9 | /* 10 | * WARNING: This file is auto-derived from the mldsa-native source file 11 | * dev/aarch64_opt/src/poly_chknorm_asm.S using scripts/simpasm. Do not modify it directly. 
12 | */ 13 | /* poly_chknorm_asm(x0 = coefficient pointer, w1 = bound B) -> w0: returns 1 if some coefficient c has |c| >= B, else 0; the same contract as the AVX2 mld_poly_chknorm_avx2, which tests |c| > B - 1. Register use: v20 = B broadcast to all lanes; v21 = OR-accumulated compare masks; x2 = loop counter, 16 iterations x 4 vectors x 4 lanes = 256 coefficients; x0 is post-incremented by 64 bytes per iteration. Per vector: "abs", then the signed "cmge" against B produces an all-ones lane exactly where |c| >= B. All lanes are scanned with no early exit, then "umaxv" reduces the accumulator to one lane (0 or 0xffffffff) whose low bit is the result, so running time does not depend on where, or whether, a violating coefficient sits. Precondition: no coefficient equals INT32_MIN -- "abs" leaves it negative and the signed compare would then fail to flag it; NOTE(review): callers are expected to pass reduced coefficients, confirm at the call sites. Clobbers x0, x2, v0-v3, v20, v21 and flags, all caller-saved under AAPCS64. This file is generated from dev/aarch64_opt/src/poly_chknorm_asm.S; land changes there and regenerate. */ 14 | #if defined(__ELF__) 15 | .section .note.GNU-stack,"",@progbits 16 | #endif 17 | 18 | .text 19 | .balign 4 20 | .global MLD_ASM_NAMESPACE(poly_chknorm_asm) 21 | MLD_ASM_FN_SYMBOL(poly_chknorm_asm) 22 | 23 | .cfi_startproc 24 | dup v20.4s, w1 25 | movi v21.4s, #0x0 26 | mov x2, #0x10 // =16 27 | 28 | Lpoly_chknorm_loop: 29 | ldr q1, [x0, #0x10] 30 | ldr q2, [x0, #0x20] 31 | ldr q3, [x0, #0x30] 32 | ldr q0, [x0], #0x40 /* post-index: advance x0 to the next 16 coefficients */ 33 | abs v1.4s, v1.4s 34 | cmge v1.4s, v1.4s, v20.4s 35 | orr v21.16b, v21.16b, v1.16b 36 | abs v2.4s, v2.4s 37 | cmge v2.4s, v2.4s, v20.4s 38 | orr v21.16b, v21.16b, v2.16b 39 | abs v3.4s, v3.4s 40 | cmge v3.4s, v3.4s, v20.4s 41 | orr v21.16b, v21.16b, v3.16b 42 | abs v0.4s, v0.4s 43 | cmge v0.4s, v0.4s, v20.4s 44 | orr v21.16b, v21.16b, v0.16b 45 | subs x2, x2, #0x1 46 | b.ne Lpoly_chknorm_loop 47 | umaxv s21, v21.4s /* any flagged lane -> 0xffffffff, else 0 */ 48 | fmov w0, s21 49 | and w0, w0, #0x1 50 | ret 51 | .cfi_endproc 52 | 53 | #endif /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */ 54 | --------------------------------------------------------------------------------