diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index d981ad3a3c9..229bd5f8fb5 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -649,9 +649,6 @@ WC_ASYNC_NO_SHA512
 WC_ASYNC_NO_X25519
 WC_ASYNC_THREAD_BIND
 WC_CACHE_RESISTANT_BASE64_TABLE
-WC_DILITHIUM_CACHE_PRIV_VECTORS
-WC_DILITHIUM_CACHE_PUB_VECTORS
-WC_DILITHIUM_FIXED_ARRAY
 WC_DISABLE_RADIX_ZERO_PAD
 WC_FLAG_DONT_USE_AESNI
 WC_FORCE_LINUXKM_FORTIFY_SOURCE
@@ -739,16 +736,6 @@ WOLFSSL_CLANG_TIDY
 WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
-WOLFSSL_DILITHIUM_ASSIGN_KEY
-WOLFSSL_DILITHIUM_NO_ASN1
-WOLFSSL_DILITHIUM_NO_CHECK_KEY
-WOLFSSL_DILITHIUM_NO_MAKE
-WOLFSSL_DILITHIUM_REVERSE_HASH_OID
-WOLFSSL_DILITHIUM_SIGN_CHECK_W0
-WOLFSSL_DILITHIUM_SIGN_CHECK_Y
-WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC
-WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A
-WOLFSSL_DILITHIUM_SMALL_MEM_POLY64
 WOLFSSL_DISABLE_EARLY_SANITY_CHECKS
 WOLFSSL_DRBG_SHA256
 WOLFSSL_DTLS_DISALLOW_FUTURE
@@ -836,6 +823,8 @@ WOLFSSL_NO_DEBUG_CERTS
 WOLFSSL_NO_DECODE_EXTRA
 WOLFSSL_NO_DER_TO_PEM
 WOLFSSL_NO_DH186
+WOLFSSL_NO_DILITHIUM_LEGACY_GATES
+WOLFSSL_NO_DILITHIUM_LEGACY_NAMES
 WOLFSSL_NO_DTLS_SIZE_CHECK
 WOLFSSL_NO_ETM_ALERT
 WOLFSSL_NO_FENCE
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b9157ec0ab4..4c7ea22d1fc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -673,21 +673,31 @@ if (WOLFSSL_PQC_HYBRIDS) list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_PQC_HYBRIDS") endif() -# Dilithium +# ML-DSA (FIPS 204) +add_option(WOLFSSL_MLDSA + "Enable the wolfSSL PQ ML-DSA (FIPS 204) implementation (default: disabled)" + "no" "yes;no") +# Legacy alias: WOLFSSL_DILITHIUM. Kept for backward compatibility. add_option(WOLFSSL_DILITHIUM - "Enable the wolfSSL PQ Dilithium (ML-DSA) implementation (default: disabled)" + "Legacy alias for WOLFSSL_MLDSA (default: disabled)" "no" "yes;no") if (WOLFSSL_DILITHIUM) - list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_DILITHIUM") + message(DEPRECATION + "WOLFSSL_DILITHIUM is the legacy alias for WOLFSSL_MLDSA and will be " + "removed in a future release. Set -DWOLFSSL_MLDSA=yes instead.") +endif() + +if (WOLFSSL_MLDSA OR WOLFSSL_DILITHIUM) + list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_HAVE_MLDSA") list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA3") list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE128") list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHAKE256") - set_wolfssl_definitions("HAVE_DILITHIUM" RESULT) - set_wolfssl_definitions("WOLFSSL_SHA3" RESULT) - set_wolfssl_definitions("WOLFSSL_SHAKE128" RESULT) - set_wolfssl_definitions("WOLFSSL_SHAKE256" RESULT) + set_wolfssl_definitions("WOLFSSL_HAVE_MLDSA" RESULT) + set_wolfssl_definitions("WOLFSSL_SHA3" RESULT) + set_wolfssl_definitions("WOLFSSL_SHAKE128" RESULT) + set_wolfssl_definitions("WOLFSSL_SHAKE256" RESULT) endif() # LMS diff --git a/ChangeLog.md b/ChangeLog.md index 6e09b1e8924..c06f01561aa 100644 --- a/ChangeLog.md +++ b/ChangeLog.md 
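Review bot: The `if (WOLFSSL_MLDSA OR WOLFSSL_DILITHIUM)` block now exports only `-DWOLFSSL_HAVE_MLDSA`, so a CMake build no longer puts `HAVE_DILITHIUM` on the compiler command line or in the generated options header; the same swap is made in the cmake/options.h.in hunk and in the ML-DSA CFLAG block of configure.ac. Code that tests `#ifdef HAVE_DILITHIUM` before the compatibility header has been included would then compile its ML-DSA paths out with no diagnostic, which for a signature algorithm can mean a verification path quietly disappearing rather than a build failure. The migration guide added in this commit places the canonical-to-legacy translation in the dilithium.h shim, so the legacy gate presumably exists only in translation units that include that header first; this is not visible from the hunk and should be confirmed for in-tree and installed headers. I would record the contract above the block, e.g. `# Only WOLFSSL_HAVE_MLDSA is exported; legacy HAVE_DILITHIUM is derived by the dilithium.h shim, not by the build system.`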
@@ -2,6 +2,19 @@ ## Enhancements +* Renamed the post-quantum signature implementation from its + pre-standardization name *Dilithium* to its NIST-standardized name + **ML-DSA** (FIPS 204), mirroring the earlier Kyber → ML-KEM rename + in `wc_mlkem.{h,c}`. The legacy `` + header, `dilithium_key` type, `wc_dilithium_*` / `wc_Dilithium_*` + functions, and `HAVE_DILITHIUM` / `WOLFSSL_DILITHIUM_*` / + `WC_DILITHIUM_*` build gates remain available through a temporary + compatibility shim, so application code keeps compiling unchanged. + See [doc/dilithium-to-mldsa-migration.md](doc/dilithium-to-mldsa-migration.md) + for the full list of renamed symbols, the new `WOLFSSL_MLDSA` cmake + option / `--enable-mldsa` configure switch, and the migration steps + for moving consumer code to the canonical API. + * TLS 1.3: zero traffic key staging buffers in `SetKeysSide()` once a CryptoCB callback has imported the AES key into a Secure Element (`aes->devCtx != NULL`). Clears `keys->{client,server}_write_key` diff --git a/IDE/INTIME-RTOS/libwolfssl.vcxproj b/IDE/INTIME-RTOS/libwolfssl.vcxproj index 03aa6f973e4..28671f46d6d 100644 --- a/IDE/INTIME-RTOS/libwolfssl.vcxproj +++ b/IDE/INTIME-RTOS/libwolfssl.vcxproj @@ -42,7 +42,7 @@ - + diff --git a/IDE/INTIME-RTOS/wolfssl-lib.vcxproj b/IDE/INTIME-RTOS/wolfssl-lib.vcxproj index 9564c6ae660..4d711e21023 100644 --- a/IDE/INTIME-RTOS/wolfssl-lib.vcxproj +++ b/IDE/INTIME-RTOS/wolfssl-lib.vcxproj @@ -79,7 +79,7 @@ - + diff --git a/IDE/WIN10/wolfssl-fips.vcxproj b/IDE/WIN10/wolfssl-fips.vcxproj index 721bf088ef2..2ae14cc3b16 100644 --- a/IDE/WIN10/wolfssl-fips.vcxproj +++ b/IDE/WIN10/wolfssl-fips.vcxproj @@ -318,7 +318,7 @@ - + diff --git a/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj b/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj index ab2f56cfdb4..dcd3339bcde 100644 --- a/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj +++ b/IDE/XCODE/wolfssl-FIPS.xcodeproj/project.pbxproj 
@@ -122,6 +122,7 @@ 700F0CF22A2FC11300755BA7 /* curve448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD32A2FC0D500755BA7 /* curve448.h */; }; 700F0CF32A2FC11300755BA7 /* curve25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CC82A2FC0D500755BA7 /* curve25519.h */; }; 700F0CF42A2FC11300755BA7 /* dilithium.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE52A2FC0D500755BA7 /* dilithium.h */; }; + 700F0CE52A2FC0D500755BC0 /* wc_mldsa.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE52A2FC0D500755BC1 /* wc_mldsa.h */; }; 700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CDB2A2FC0D500755BA7 /* eccsi.h */; }; 700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CD22A2FC0D500755BA7 /* ed448.h */; }; 700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0CE12A2FC0D500755BA7 /* ed25519.h */; }; @@ -280,6 +281,7 @@ 700F0CF22A2FC11300755BA7 /* curve448.h in CopyFiles */, 700F0CF32A2FC11300755BA7 /* curve25519.h in CopyFiles */, 700F0CF42A2FC11300755BA7 /* dilithium.h in CopyFiles */, + 700F0CE52A2FC0D500755BC0 /* wc_mldsa.h in CopyFiles */, 700F0CF52A2FC11300755BA7 /* eccsi.h in CopyFiles */, 700F0CF62A2FC11300755BA7 /* ed448.h in CopyFiles */, 700F0CF72A2FC11300755BA7 /* ed25519.h in CopyFiles */, 
@@ -583,6 +585,7 @@ 700F0CE22A2FC0D500755BA7 /* ge_448.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ge_448.h; path = ../../wolfssl/wolfcrypt/ge_448.h; sourceTree = ""; }; 700F0CE42A2FC0D500755BA7 /* pkcs12.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = pkcs12.h; path = ../../wolfssl/wolfcrypt/pkcs12.h; sourceTree = ""; }; 700F0CE52A2FC0D500755BA7 /* dilithium.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = dilithium.h; path = ../../wolfssl/wolfcrypt/dilithium.h; sourceTree = ""; }; + 700F0CE52A2FC0D500755BC1 /* wc_mldsa.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mldsa.h; path = ../../wolfssl/wolfcrypt/wc_mldsa.h; sourceTree = ""; }; 700F0CE62A2FC0D500755BA7 /* sakke.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sakke.h; path = ../../wolfssl/wolfcrypt/sakke.h; sourceTree = ""; }; 700F0CE72A2FC0D500755BA7 /* signature.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = signature.h; path = ../../wolfssl/wolfcrypt/signature.h; sourceTree = ""; }; 700F0CE82A2FC0D500755BA7 /* wc_pkcs11.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_pkcs11.h; path = ../../wolfssl/wolfcrypt/wc_pkcs11.h; sourceTree = ""; }; @@ -634,6 +637,7 @@ 700F0CD32A2FC0D500755BA7 /* curve448.h */, 700F0CC82A2FC0D500755BA7 /* curve25519.h */, 700F0CE52A2FC0D500755BA7 /* dilithium.h */, + 700F0CE52A2FC0D500755BC1 /* wc_mldsa.h */, 700F0CDB2A2FC0D500755BA7 /* eccsi.h */, 700F0CD22A2FC0D500755BA7 /* ed448.h */, 700F0CE12A2FC0D500755BA7 /* ed25519.h */, diff --git a/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj b/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj index 972f46d1cd7..26fcd45e232 100644 --- a/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj 
+++ b/IDE/XCODE/wolfssl.xcodeproj/project.pbxproj @@ -253,6 +253,7 @@ 700F0C0A2A2FBC5100755BA7 /* curve448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE32A2FBC1500755BA7 /* curve448.h */; }; 700F0C0B2A2FBC5100755BA7 /* curve25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BE52A2FBC1500755BA7 /* curve25519.h */; }; 700F0C0C2A2FBC5100755BA7 /* dilithium.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEF2A2FBC1500755BA7 /* dilithium.h */; }; + 700F0BEF2A2FBC1500755BC0 /* wc_mldsa.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BEF2A2FBC1500755BC1 /* wc_mldsa.h */; }; 700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF72A2FBC1600755BA7 /* eccsi.h */; }; 700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF82A2FBC1600755BA7 /* ed448.h */; }; 700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */ = {isa = PBXBuildFile; fileRef = 700F0BF42A2FBC1600755BA7 /* ed25519.h */; }; @@ -617,6 +618,7 @@ 700F0C0A2A2FBC5100755BA7 /* curve448.h in CopyFiles */, 700F0C0B2A2FBC5100755BA7 /* curve25519.h in CopyFiles */, 700F0C0C2A2FBC5100755BA7 /* dilithium.h in CopyFiles */, + 700F0BEF2A2FBC1500755BC0 /* wc_mldsa.h in CopyFiles */, 700F0C0D2A2FBC5100755BA7 /* eccsi.h in CopyFiles */, 700F0C0E2A2FBC5100755BA7 /* ed448.h in CopyFiles */, 700F0C0F2A2FBC5100755BA7 /* ed25519.h in CopyFiles */, 
@@ -983,6 +985,7 @@ 700F0BED2A2FBC1500755BA7 /* chacha20_poly1305.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = chacha20_poly1305.h; path = ../../wolfssl/wolfcrypt/chacha20_poly1305.h; sourceTree = ""; }; 700F0BEE2A2FBC1500755BA7 /* cryptocb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cryptocb.h; path = ../../wolfssl/wolfcrypt/cryptocb.h; sourceTree = ""; }; 700F0BEF2A2FBC1500755BA7 /* dilithium.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = dilithium.h; path = ../../wolfssl/wolfcrypt/dilithium.h; sourceTree = ""; }; + 700F0BEF2A2FBC1500755BC1 /* wc_mldsa.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = wc_mldsa.h; path = ../../wolfssl/wolfcrypt/wc_mldsa.h; sourceTree = ""; }; 700F0BF02A2FBC1500755BA7 /* sakke.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sakke.h; path = ../../wolfssl/wolfcrypt/sakke.h; sourceTree = ""; }; 700F0BF12A2FBC1600755BA7 /* cpuid.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cpuid.h; path = ../../wolfssl/wolfcrypt/cpuid.h; sourceTree = ""; }; 700F0BF22A2FBC1600755BA7 /* selftest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = selftest.h; path = ../../wolfssl/wolfcrypt/selftest.h; sourceTree = ""; }; @@ -1144,6 +1147,7 @@ 700F0BE32A2FBC1500755BA7 /* curve448.h */, 700F0BE52A2FBC1500755BA7 /* curve25519.h */, 700F0BEF2A2FBC1500755BA7 /* dilithium.h */, + 700F0BEF2A2FBC1500755BC1 /* wc_mldsa.h */, 700F0BF72A2FBC1600755BA7 /* eccsi.h */, 700F0BF82A2FBC1600755BA7 /* ed448.h */, 700F0BF42A2FBC1600755BA7 /* ed25519.h */, diff --git a/cmake/functions.cmake b/cmake/functions.cmake index a485ebc5e97..c803f072a23 100644 --- a/cmake/functions.cmake +++ b/cmake/functions.cmake 
@@ -210,8 +210,8 @@ function(generate_build_flags) if(WOLFSSL_MLKEM OR WOLFSSL_USER_SETTINGS) set(BUILD_WC_MLKEM "yes" PARENT_SCOPE) endif() - if(WOLFSSL_DILITHIUM OR WOLFSSL_USER_SETTINGS) - set(BUILD_DILITHIUM "yes" PARENT_SCOPE) + if(WOLFSSL_MLDSA OR WOLFSSL_DILITHIUM OR WOLFSSL_USER_SETTINGS) + set(BUILD_MLDSA "yes" PARENT_SCOPE) endif() if(WOLFSSL_FALCON OR WOLFSSL_USER_SETTINGS) set(BUILD_FALCON "yes" PARENT_SCOPE) @@ -1029,8 +1029,8 @@ function(generate_lib_src_list LIB_SOURCES) list(APPEND LIB_SOURCES wolfcrypt/src/falcon.c) endif() - if(BUILD_DILITHIUM) - list(APPEND LIB_SOURCES wolfcrypt/src/dilithium.c) + if(BUILD_MLDSA) + list(APPEND LIB_SOURCES wolfcrypt/src/wc_mldsa.c) if(BUILD_INTELASM) list(APPEND LIB_SOURCES wolfcrypt/src/wc_mldsa_asm.S) diff --git a/cmake/options.h.in b/cmake/options.h.in index 1fe054b276f..1cc5f6c4850 100644 --- a/cmake/options.h.in +++ b/cmake/options.h.in @@ -96,8 +96,8 @@ extern "C" { #cmakedefine HAVE_CURVE448 #undef HAVE_DH_DEFAULT_PARAMS #cmakedefine HAVE_DH_DEFAULT_PARAMS -#undef HAVE_DILITHIUM -#cmakedefine HAVE_DILITHIUM +#undef WOLFSSL_HAVE_MLDSA +#cmakedefine WOLFSSL_HAVE_MLDSA #undef HAVE_ECC #cmakedefine HAVE_ECC #undef HAVE_ECH diff --git a/configure.ac b/configure.ac index 7a9ec151d13..a7002f80d7c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1810,54 +1810,54 @@ AC_ARG_ENABLE([extra-pqc-hybrids], # - SHA3, Shake128 and Shake256 AC_ARG_ENABLE([mldsa], [AS_HELP_STRING([--enable-mldsa],[Enable ML-DSA/Dilithium (default: disabled)])], - [ ENABLED_DILITHIUM=$enableval ], - [ ENABLED_DILITHIUM=no ] + [ ENABLED_MLDSA=$enableval ], + [ ENABLED_MLDSA=no ] ) # note, inherits default from "mldsa" clause above. AC_ARG_ENABLE([dilithium], [AS_HELP_STRING([--enable-dilithium],[Alias for --enable-mldsa])], - [ ENABLED_DILITHIUM=$enableval ] + [ ENABLED_MLDSA=$enableval ] ) -ENABLED_DILITHIUM_OPTS=$ENABLED_DILITHIUM -ENABLED_DILITHIUM_MAKE_KEY=no -ENABLED_DILITHIUM_SIGN=no -ENABLED_DILITHIUM_VERIFY=no -for v in `echo $ENABLED_DILITHIUM_OPTS | tr "," " "` +ENABLED_MLDSA_OPTS=$ENABLED_MLDSA +ENABLED_MLDSA_MAKE_KEY=no +ENABLED_MLDSA_SIGN=no +ENABLED_MLDSA_VERIFY=no +for v in `echo $ENABLED_MLDSA_OPTS | tr "," " "` do case $v in yes) ENABLED_MLDSA44=yes ENABLED_MLDSA65=yes ENABLED_MLDSA87=yes - ENABLED_DILITHIUM_MAKE_KEY=yes - ENABLED_DILITHIUM_SIGN=yes - ENABLED_DILITHIUM_VERIFY=yes + ENABLED_MLDSA_MAKE_KEY=yes + ENABLED_MLDSA_SIGN=yes + ENABLED_MLDSA_VERIFY=yes ;; no) ;; all) - ENABLED_DILITHIUM_MAKE_KEY=yes - ENABLED_DILITHIUM_SIGN=yes - ENABLED_DILITHIUM_VERIFY=yes + ENABLED_MLDSA_MAKE_KEY=yes + ENABLED_MLDSA_SIGN=yes + ENABLED_MLDSA_VERIFY=yes ;; make) - ENABLED_DILITHIUM_MAKE_KEY=yes + ENABLED_MLDSA_MAKE_KEY=yes ;; sign) - ENABLED_DILITHIUM_SIGN=yes + ENABLED_MLDSA_SIGN=yes ;; verify) - ENABLED_DILITHIUM_VERIFY=yes + ENABLED_MLDSA_VERIFY=yes ;; verify-only) - ENABLED_DILITHIUM_MAKE_KEY=no - ENABLED_DILITHIUM_SIGN=no - ENABLED_DILITHIUM_VERIFY=yes - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_VERIFY_ONLY" + ENABLED_MLDSA_MAKE_KEY=no + ENABLED_MLDSA_SIGN=no + ENABLED_MLDSA_VERIFY=yes + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_VERIFY_ONLY" ;; small) - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_SMALL" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_SMALL" ;; 44) ENABLED_MLDSA44=yes 
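Review bot: In the `verify-only)` arm, `-DWOLFSSL_MLDSA_VERIFY_ONLY` is appended to `AM_CFLAGS` immediately, while the other arms only record their choice in an `ENABLED_MLDSA_*` variable that later code can still overwrite. A later list entry such as `sign`, or the FIPS block further down that resets `ENABLED_MLDSA_SIGN` to `yes` whenever `$ENABLED_MLDSA` is not exactly `yes`, leaves the define in place next to a configuration that reports signing as enabled. What the C sources do with that combination is not visible here, but the configure summary and the compiled feature set can then disagree. Recording `ENABLED_MLDSA_VERIFY_ONLY=yes` in the loop and emitting the define in the later ML-DSA CFLAG block, only when make-key and sign are still `no`, would keep the two in step. The `case` statement continues past the end of this hunk.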
@@ -1869,13 +1869,13 @@ do ENABLED_MLDSA87=yes ;; draft|fips204-draft) - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_FIPS204_DRAFT" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_FIPS204_DRAFT" ;; no-ctx) - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_CTX" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_CTX" ;; *) - AC_MSG_ERROR([Invalid choice for DILITHIUM [all,make,sign,verify,verify-only,small,44,65,87,no-ctx]: $ENABLED_DILITHIUM.]) + AC_MSG_ERROR([Invalid choice for ML-DSA [all,make,sign,verify,verify-only,small,44,65,87,no-ctx]: $ENABLED_MLDSA.]) break;; esac done @@ -6265,15 +6265,15 @@ AS_CASE([$FIPS_VERSION], ENABLED_MLKEM_ENCAPSULATE="yes" ENABLED_MLKEM_DECAPSULATE="yes"]) - AS_IF([test "$ENABLED_DILITHIUM" != "yes" && + AS_IF([test "$ENABLED_MLDSA" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_dilithium" != "no")], - [ENABLED_DILITHIUM="yes" + [ENABLED_MLDSA="yes" ENABLED_MLDSA44="yes" ENABLED_MLDSA65="yes" ENABLED_MLDSA87="yes" - ENABLED_DILITHIUM_MAKE_KEY="yes" - ENABLED_DILITHIUM_SIGN="yes" - ENABLED_DILITHIUM_VERIFY="yes"]) + ENABLED_MLDSA_MAKE_KEY="yes" + ENABLED_MLDSA_SIGN="yes" + ENABLED_MLDSA_VERIFY="yes"]) AS_IF([test "$ENABLED_XMSS" != "yes" && (test "$FIPS_VERSION" != "dev" || test "$enable_xmss" != "no")], @@ -7195,7 +7195,7 @@ then ENABLED_SHAKE128=yes ENABLED_SHAKE256=yes fi -if test "$ENABLED_DILITHIUM" != "no" +if test "$ENABLED_MLDSA" != "no" then ENABLED_SHA3=yes ENABLED_SHAKE128=yes 
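Review bot: The `AC_MSG_ERROR` text lists `[all,make,sign,verify,verify-only,small,44,65,87,no-ctx]`, but the `case` also accepts `draft|fips204-draft` just above it and `yes`/`no` earlier in the statement, so the one value that selects the pre-standard variant is missing from the place users look for valid choices. Since `WOLFSSL_MLDSA_FIPS204_DRAFT` presumably changes what the build produces relative to final FIPS 204, it is worth listing: `[yes,no,all,make,sign,verify,verify-only,small,44,65,87,draft,fips204-draft,no-ctx]`. The `break` after `AC_MSG_ERROR` is never reached and can be dropped. The `case` begins outside this hunk.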
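Review bot: The opt-out test in this `AS_IF` still reads `$enable_dilithium`, so with `FIPS_VERSION` set to `dev` only the legacy `--disable-dilithium` keeps ML-DSA from being forced on; the canonical `--disable-mldsa` sets `enable_mldsa=no`, leaves `enable_dilithium` empty, and is overridden. A build that explicitly disabled the algorithm under the recommended spelling then ships it anyway. Checking both spellings closes the gap: `(test "$FIPS_VERSION" != "dev" || (test "$enable_mldsa" != "no" && test "$enable_dilithium" != "no"))`. The enclosing `AS_CASE` branch starts before this hunk, so which FIPS versions reach this code is not visible here.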
@@ -7361,11 +7361,11 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_PQC_HYBRIDS" fi -# Dilithium CFLAG processing (after FIPS section for sandwich pattern) -if test "$ENABLED_DILITHIUM" != "no" +# ML-DSA CFLAG processing (after FIPS section for sandwich pattern) +if test "$ENABLED_MLDSA" != "no" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_DILITHIUM" - AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_DILITHIUM" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAVE_MLDSA" + AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_HAVE_MLDSA" if test "$ENABLED_MLDSA44" = ""; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_44" @@ -7376,14 +7376,14 @@ then if test "$ENABLED_MLDSA87" = ""; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_DSA_87" fi - if test "$ENABLED_DILITHIUM_MAKE_KEY" = "no"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_MAKE_KEY" + if test "$ENABLED_MLDSA_MAKE_KEY" = "no"; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_MAKE_KEY" fi - if test "$ENABLED_DILITHIUM_SIGN" = "no"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_SIGN" + if test "$ENABLED_MLDSA_SIGN" = "no"; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_SIGN" fi - if test "$ENABLED_DILITHIUM_VERIFY" = "no"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DILITHIUM_NO_VERIFY" + if test "$ENABLED_MLDSA_VERIFY" = "no"; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_MLDSA_NO_VERIFY" fi test "$enable_sha3" = "" && enable_sha3=yes 
@@ -12037,7 +12037,7 @@ AM_CONDITIONAL([BUILD_WC_LMS],[test "x$ENABLED_LMS" != "xno" || test "x$ENABLED_
 AM_CONDITIONAL([BUILD_WC_XMSS],[test "x$ENABLED_XMSS" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_WC_SLHDSA],[test "x$ENABLED_SLHDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_WC_MLKEM],[test "x$ENABLED_MLKEM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
-AM_CONDITIONAL([BUILD_DILITHIUM],[test "x$ENABLED_DILITHIUM" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_MLDSA],[test "x$ENABLED_MLDSA" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_ECCSI],[test "x$ENABLED_ECCSI" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_SAKKE],[test "x$ENABLED_SAKKE" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
 AM_CONDITIONAL([BUILD_MEMORY],[test "x$ENABLED_MEMORY" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
@@ -12590,7 +12590,7 @@ echo " * LMS: $ENABLED_LMS"
 echo " * XMSS: $ENABLED_XMSS"
 echo " * SLH-DSA $ENABLED_SLHDSA"
 echo " * MLKEM: $ENABLED_MLKEM"
-echo " * DILITHIUM: $ENABLED_DILITHIUM"
+echo " * ML-DSA: $ENABLED_MLDSA"
 echo " * ECCSI $ENABLED_ECCSI"
 echo " * SAKKE $ENABLED_SAKKE"
 echo " * ASN: $ENABLED_ASN"
diff --git a/doc/dilithium-to-mldsa-migration.md b/doc/dilithium-to-mldsa-migration.md
new file mode 100644
index 00000000000..83f222f2072
--- /dev/null
+++ b/doc/dilithium-to-mldsa-migration.md
@@ -0,0 +1,192 @@ +# Dilithium → ML-DSA migration guide + +## Background + +The post-quantum signature algorithm originally implemented in wolfSSL +under the pre-standardization name *Dilithium* was standardized by NIST +as **ML-DSA (Module-Lattice-based Digital Signature Algorithm) — FIPS +204** in 2024. This release renames the wolfSSL implementation of that +algorithm to its standardized name, mirroring the earlier Kyber → ML-KEM +migration in `wc_mlkem.{h,c}`. + +For application code written against the legacy `dilithium_key` / +`wc_dilithium_*` / `wc_Dilithium_*` API there is **no immediate change +required**: a temporary compatibility shim translates the legacy names +into the canonical ones at compile time. The shim will be removed in a +future release; new code should adopt the canonical names directly. + +## What changed + +### File renames + +| Old path | New path | +|---------------------------------------|-----------------------------------------| +| `wolfcrypt/src/dilithium.c` | `wolfcrypt/src/wc_mldsa.c` | +| `wolfssl/wolfcrypt/dilithium.h` | `wolfssl/wolfcrypt/wc_mldsa.h` | + +The legacy `` path is now a thin shim +that `#include`s `wc_mldsa.h` and provides macro / inline aliases for +the legacy API. + +### Symbol renames + +| Old | New | +|-------------------------------------------|----------------------------------------------| +| `dilithium_key` | `MlDsaKey` | +| `wc_dilithium_params` | `MlDsaParams` | +| `wc_dilithium_*` (lifecycle / sizing) | `wc_MlDsaKey_*` | +| `wc_Dilithium_*` (DER encode / decode) | `wc_MlDsaKey_*` | +| internal lower-case `dilithium_*` helpers | `mldsa_*` | + +The 16 sign / verify / import / DER-decode entry points were also +re-ordered to put the `MlDsaKey*` first (matching the FIPS 204 / ML-KEM +convention used by `wc_MlKemKey_*`). The legacy parameter order is +preserved through static-inline wrapper functions in the shim header, +so legacy call sites compile unchanged. 
+ +`wc_MlDsaKey_Init` is a 3-argument function (`MlDsaKey*`, `void* heap`, +`int devId`) matching `wc_MlKemKey_Init`. The legacy 1-argument +`wc_dilithium_init(key)` is mapped through the shim to +`wc_MlDsaKey_Init(key, NULL, INVALID_DEVID)`. + +### Build-gate renames + +| Old | New | +|--------------------------------|------------------------------| +| `HAVE_DILITHIUM` | `WOLFSSL_HAVE_MLDSA` | +| `WOLFSSL_DILITHIUM_*` (~25) | `WOLFSSL_MLDSA_*` | +| `WC_DILITHIUM_CACHE_*` | `WC_MLDSA_CACHE_*` | +| `WC_DILITHIUM_FIXED_ARRAY` | `WC_MLDSA_FIXED_ARRAY` | +| `WC_DILITHIUMKEY_TYPE_DEFINED` | `WC_MLDSAKEY_TYPE_DEFINED` | + +The Autotools / CMake configure switches gain canonical aliases: + +| Legacy | Canonical | +|-------------------------|-----------------------| +| `--enable-dilithium` | `--enable-mldsa` | +| `WOLFSSL_DILITHIUM` | `WOLFSSL_MLDSA` | + +Both spellings remain valid; the canonical form is recommended for new +projects. + +The configure summary echoes `ML-DSA: yes` rather than `DILITHIUM: yes`. + +### OpenSSL compatibility + +The OpenSSL-compat enum value `WC_EVP_PKEY_DILITHIUM` and macro +`EVP_PKEY_DILITHIUM` are unchanged in this release. Aligning them with +OpenSSL 3.5+'s actual `NID_ML_DSA_*` values is planned for a follow-up +commit. + +## How to migrate (when you are ready) + +The temporary shim accepts both legacy and canonical names indefinitely +until it is removed. To migrate a consumer to canonical: + +1. Replace `#include ` with + `#include `. +2. Replace `dilithium_key` with `MlDsaKey`. +3. Replace each `wc_dilithium_*` / `wc_Dilithium_*` call with the + `wc_MlDsaKey_*` form, swapping arguments to put the key first + for the 16 affected entry points. +4. Replace `HAVE_DILITHIUM` / `WOLFSSL_DILITHIUM_*` / `WC_DILITHIUM_*` + build-gate references with the canonical names. + +Migration can be done file by file; the two spellings interoperate at +the link level (the shim's static-inline wrappers call into the +canonical exported symbols). 
+ +To suppress the legacy aliases (e.g. to surface stale references during +migration), define one or both of: + +- `WOLFSSL_NO_DILITHIUM_LEGACY_NAMES` — suppresses the legacy + `dilithium_key` / `wc_dilithium_*` / `wc_Dilithium_*` macro / inline + aliases. +- `WOLFSSL_NO_DILITHIUM_LEGACY_GATES` — suppresses the bidirectional + sub-config gate translations (legacy `WOLFSSL_DILITHIUM_*` / + `WC_DILITHIUM_*` ↔ canonical `WOLFSSL_MLDSA_*` / `WC_MLDSA_*`). The + parent gate (`HAVE_DILITHIUM` ↔ `WOLFSSL_HAVE_MLDSA`) forward arm is + always active so that builds using only the legacy parent name still + compile the canonical implementation file; the reverse arm honors + this opt-out. + +> **Note on `WOLFSSL_NO_DILITHIUM_LEGACY_NAMES`:** in this release the +> opt-out is only useful for builds whose consumer code (TLS, ASN.1, +> EVP, tests, benchmark, examples, ...) has already been migrated to +> the canonical names. The standard wolfSSL distribution still uses +> `wc_dilithium_*` and `dilithium_key` in `wolfcrypt/src/asn.c`, +> `src/ssl_load.c`, `src/internal.c`, `wolfcrypt/test/test.c`, and +> elsewhere; suppressing the macro / inline aliases breaks those +> translation units (e.g. `wc_dilithium_verify_ctx_msg` becomes an +> implicit declaration). The flag is intended primarily for downstream +> projects that have completed their own migration; in-tree consumers +> will be migrated in a follow-up PR. + +## Internal infrastructure files migrated to canonical sub-gates + +One wolfSSL-internal file outside the dilithium.h reach had its +`WOLFSSL_DILITHIUM_NO_SIGN` / `WOLFSSL_DILITHIUM_NO_VERIFY` sub-gate +references migrated to canonical `WOLFSSL_MLDSA_*` spellings: + +- `wolfssl/certs_test.h` — auto-generated cert-data buffers, has zero + `#include` directives. Reachable from external TUs (examples, + embedded apps) that pull in only `` and do not + transitively include `dilithium.h`. Reads 11 sub-gate references + (`_NO_SIGN` / `_NO_VERIFY`). 
+ +`wolfssl/wolfcrypt/memory.h` previously branched its static-pool sizing +(`LARGEST_MEM_BUCKET` / `WOLFMEM_BUCKETS` / `WOLFMEM_DIST`) on a +combination of `WOLFSSL_MLDSA_VERIFY_SMALL_MEM` / +`WOLFSSL_MLDSA_SIGN_SMALL_MEM` / `WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM` / +`WOLFSSL_MLDSA_VERIFY_ONLY`. Those branches were removed: when +`WOLFSSL_HAVE_MLDSA` is defined, the file now picks the larger sizing +unconditionally. The static-pool macros are consumed only by +`wolfcrypt/src/memory.c` and the test harnesses; production deployments +that need different sizing already override `LARGEST_MEM_BUCKET` / +`WOLFMEM_BUCKETS` / `WOLFMEM_DIST` directly. Removing the conditional +gating drops memory.h's dependency on ML-DSA sub-gates entirely. + +To keep the legacy `user_settings.h` path working for `certs_test.h` — +i.e. a build that defines only `WOLFSSL_DILITHIUM_NO_SIGN` / +`WOLFSSL_DILITHIUM_NO_VERIFY` and never reaches `dilithium.h` before +the cert-buffer header is processed — the forward translations for +those two gates live in ``. settings.h is +included transitively by any TU that pulls in `certs_test.h`, so the +canonical sub-gates are always defined before they are read. The +remaining ~30 sub-gates are read only from wc\_mldsa.h / wc\_mldsa.c, +both of which transitively pull in dilithium.h first; their forward +translations stay there to keep settings.h lean. The reverse arm +(canonical → legacy) lives entirely in dilithium.h because it is only +consumed by unmigrated code, which by definition includes dilithium.h. +The generator script (`gencertbuf.pl`) was updated correspondingly. + +`certs_test.h` and the `memory.h` static-pool macros are both +wolfSSL-internal infrastructure (an auto-generated cert-buffer data +file and the static allocator's default sizing), not consumer-facing +API; these changes do not require downstream code changes. 
+ +### Retained internal symbols + +A few internal-only spellings are intentionally **not** renamed in this +PR: + +- `DYNAMIC_TYPE_DILITHIUM` — heap-allocation tag string used by + `WC_ALLOC_VAR` / `WC_FREE_VAR_EX` inside `wc_mldsa.c`. Pure + bookkeeping, never crosses the public API surface. +- `ML_DSA_PCT_E` — internal error code returned only by the FIPS + Pairwise Consistency Test path inside `wc_MlDsaKey_MakeKey`. Not part + of the documented external error-code surface for this algorithm. + +These are scheduled for renaming alongside the eventual removal of the +`dilithium.h` shim. + +## ABI note + +The library's exported linkage symbols are renamed: the `.so` / +`.dylib` / `.dll` now exports `wc_MlDsaKey_*` instead of +`wc_dilithium_*`. Applications that linked dynamically against the +legacy symbol names need to either recompile against the legacy header +path (the shim's static-inline wrappers resolve to the new symbols at +compile time) or switch their sources to the canonical names. Source +code that includes `` continues to build +without modification. diff --git a/doc/include.am b/doc/include.am index 92f2c5b66b7..34a80e20a36 100644 --- a/doc/include.am +++ b/doc/include.am @@ -3,7 +3,8 @@ # All paths should be given relative to the root dist_doc_DATA+= doc/README.txt \ - doc/QUIC.md + doc/QUIC.md \ + doc/dilithium-to-mldsa-migration.md dox-pdf: diff --git a/gencertbuf.pl b/gencertbuf.pl index 39dcd1049bc..65e66895cd6 100755 --- a/gencertbuf.pl +++ b/gencertbuf.pl @@ -287,9 +287,9 @@ print OUT_FILE "#endif /* HAVE_FALCON */\n\n"; -# print dilithium raw keys -print OUT_FILE "#if defined(HAVE_DILITHIUM) -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +# print ML-DSA raw keys +print OUT_FILE "#if defined(WOLFSSL_HAVE_MLDSA) +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level2_key.der */ 
@@ -553,9 +553,9 @@ }; #define sizeof_bench_dilithium_level2_key (sizeof(bench_dilithium_level2_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level2_key.der */ @@ -696,9 +696,9 @@ #define sizeof_bench_dilithium_level2_pubkey \\ (sizeof(bench_dilithium_level2_pubkey)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level3_key.der */ @@ -1110,9 +1110,9 @@ }; #define sizeof_bench_dilithium_level3_key (sizeof(bench_dilithium_level3_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level3_key.der */ @@ -1317,9 +1317,9 @@ static const int sizeof_bench_dilithium_level3_pubkey = sizeof(bench_dilithium_level3_pubkey); -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level5_key.der */ @@ -1817,9 +1817,9 @@ }; #define sizeof_bench_dilithium_level5_key (sizeof(bench_dilithium_level5_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level5_key.der */ 
@@ -2088,16 +2088,16 @@ #define sizeof_bench_dilithium_level5_pubkey \\ (sizeof(bench_dilithium_level5_pubkey)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ "; # ML-DSA test key material encoded per the IETF LAMPS WG profile: # SubjectPublicKeyInfo for public keys, PKCS#8 PrivateKeyInfo for # private keys, using the NIST id-ml-dsa-N OIDs. -print OUT_FILE "#if defined(HAVE_DILITHIUM)\n\n"; +print OUT_FILE "#if defined(WOLFSSL_HAVE_MLDSA)\n\n"; for my $L ( [44,"WOLFSSL_NO_ML_DSA_44"], [65,"WOLFSSL_NO_ML_DSA_65"], @@ -2106,15 +2106,15 @@ print OUT_FILE "#if !defined($noLevel)\n\n"; - print OUT_FILE "#ifndef WOLFSSL_DILITHIUM_NO_VERIFY\n"; + print OUT_FILE "#ifndef WOLFSSL_MLDSA_NO_VERIFY\n"; print OUT_FILE "/* ./certs/mldsa/mldsa${n}_pub-spki.der */\n"; print OUT_FILE "static const unsigned char mldsa${n}_pub_spki[] =\n{\n"; file_to_hex("./certs/mldsa/mldsa${n}_pub-spki.der"); print OUT_FILE "};\n"; print OUT_FILE "#define sizeof_mldsa${n}_pub_spki (sizeof(mldsa${n}_pub_spki))\n"; - print OUT_FILE "#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */\n\n"; + print OUT_FILE "#endif /* !WOLFSSL_MLDSA_NO_VERIFY */\n\n"; - print OUT_FILE "#ifndef WOLFSSL_DILITHIUM_NO_SIGN\n"; + print OUT_FILE "#ifndef WOLFSSL_MLDSA_NO_SIGN\n"; print OUT_FILE "/* ./certs/mldsa/mldsa${n}_priv-only.der */\n"; print OUT_FILE "static const unsigned char mldsa${n}_priv_only[] =\n{\n"; file_to_hex("./certs/mldsa/mldsa${n}_priv-only.der"); 
@@ -2132,12 +2132,12 @@ file_to_hex("./certs/mldsa/mldsa${n}_seed-only.der"); print OUT_FILE "};\n"; print OUT_FILE "#define sizeof_mldsa${n}_seed_only (sizeof(mldsa${n}_seed_only))\n"; - print OUT_FILE "#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */\n\n"; + print OUT_FILE "#endif /* !WOLFSSL_MLDSA_NO_SIGN */\n\n"; print OUT_FILE "#endif /* !$noLevel */\n\n"; } -print OUT_FILE "#endif /* HAVE_DILITHIUM */\n\n"; +print OUT_FILE "#endif /* WOLFSSL_HAVE_MLDSA */\n\n"; # convert and print 256-bit cert/keys print OUT_FILE "#if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256)\n\n"; diff --git a/src/include.am b/src/include.am index dd2527f0845..563a6fa3e8d 100644 --- a/src/include.am +++ b/src/include.am @@ -1137,8 +1137,8 @@ endif !BUILD_ARMASM_INLINE endif BUILD_ARMASM_NEON endif -if BUILD_DILITHIUM -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dilithium.c +if BUILD_MLDSA +src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa.c if !BUILD_X86_ASM if BUILD_INTELASM src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa_asm.S @@ -1817,8 +1817,8 @@ endif !BUILD_ARMASM_INLINE endif BUILD_ARMASM_NEON endif -if BUILD_DILITHIUM -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/dilithium.c +if BUILD_MLDSA +src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa.c if !BUILD_X86_ASM if BUILD_INTELASM src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/wc_mldsa_asm.S diff --git a/tests/api/test_mldsa.c b/tests/api/test_mldsa.c index 7898e110790..a5a1a2bc4cb 100644 --- a/tests/api/test_mldsa.c +++ b/tests/api/test_mldsa.c 
@@ -19,6 +19,17 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +/* NOTE: this file is named test_mldsa.c (canonical FIPS 204 spelling) but + * the test bodies still gate on legacy WOLFSSL_DILITHIUM_* names and call + * legacy wc_dilithium_* / dilithium_key APIs. That is intentional: the + * provider-side rename (Dilithium -> ML-DSA, see + * and ) keeps in-tree consumers on the + * pre-standardization spelling so the rename PR stays scoped to provider + * code only. A separate follow-up commit will migrate this file's call + * sites and #ifdef gates to canonical WOLFSSL_MLDSA_* / wc_MlDsaKey_* + * spellings; until then both spellings are kept in sync by the temporary + * compatibility shim in . */ + #include #ifdef NO_INLINE 
@@ -30423,3 +30434,284 @@ int test_mldsa_x509_pubkey_sigtype(void) #endif /* HAVE_DILITHIUM && OPENSSL_EXTRA && !NO_CERTS && !NO_FILESYSTEM */ return EXPECT_RESULT(); } + +/* =========================================================================== + * Compile-time API surface validation. + * + * The two functions below are not runtime tests. Their bodies sit inside + * `if (0)` so the compiler parses every reference without emitting any + * runtime call. Their job is to fail compilation if the canonical + * wc_MlDsaKey_* / MlDsaKey API in or the + * legacy alias surface in drifts in a way + * that would silently break a downstream consumer. They live in this test + * translation unit (rather than wolfcrypt/src/wc_mldsa.c) so the library + * itself has no dependency on the check; the safety net only fires when + * `make check` is run. + * + * Storage class: GCC/Clang get __attribute__((unused, always_inline)) so + * unreferenced static functions don't trip -Werror=unused-function; + * non-GNU compilers fall back to plain static WC_INLINE. + * =========================================================================== + */ +#if defined(HAVE_DILITHIUM) + +#ifdef __GNUC__ + #define WOLFSSL_MLDSA_API_CHECK_INLINE static __inline__ \ + __attribute__((unused, always_inline)) +#else + #define WOLFSSL_MLDSA_API_CHECK_INLINE static WC_INLINE +#endif + +/* Compile-time validation of the canonical wc_MlDsaKey_* / MlDsaKey API. */ +WOLFSSL_MLDSA_API_CHECK_INLINE void wc_mldsa_canonical_api_check(void) +{ + if (0) { + MlDsaKey k; + const MlDsaParams *p; + const byte buf[1] = { 0 }; + word32 sz = 0; + byte level = 0; + int res = 0; + WC_RNG *rng = NULL; + + (void)sizeof(MlDsaKey); + (void)sizeof(MlDsaParams); + + /* Lifecycle / parameters. 
*/ + (void)wc_MlDsaKey_Init(&k, NULL, INVALID_DEVID); + #ifdef WOLF_PRIVATE_KEY_ID + (void)wc_MlDsaKey_InitId(&k, NULL, 0, NULL, INVALID_DEVID); + (void)wc_MlDsaKey_InitLabel(&k, NULL, NULL, INVALID_DEVID); + #endif + #ifndef WC_NO_CONSTRUCTORS + (void)wc_MlDsaKey_New(NULL, INVALID_DEVID); + (void)wc_MlDsaKey_Delete(&k, NULL); + #endif + wc_MlDsaKey_Free(&k); + (void)wc_MlDsaKey_SetParams(&k, level); + (void)wc_MlDsaKey_GetParams(&k, &level); + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_MlDsaKey_Size(&k); + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_MlDsaKey_PrivSize(&k); + #endif + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_MlDsaKey_PubSize(&k); + #endif + #if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) + (void)wc_MlDsaKey_SigSize(&k); + #endif + #ifdef WOLFSSL_MLDSA_CHECK_KEY + (void)wc_MlDsaKey_CheckKey(&k); + #endif + + /* Length getters. */ + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_MlDsaKey_GetPrivLen(&k, NULL); + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_MlDsaKey_GetPubLen(&k, NULL); + #endif + #if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) + (void)wc_MlDsaKey_GetSigLen(&k, NULL); + #endif + + /* Make / import / export. */ + #ifndef WOLFSSL_MLDSA_VERIFY_ONLY + (void)wc_MlDsaKey_MakeKey(&k, rng); + (void)wc_MlDsaKey_MakeKeyFromSeed(&k, NULL); + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_MlDsaKey_ImportPubRaw(&k, buf, sz); + (void)wc_MlDsaKey_ExportPubRaw(&k, NULL, &sz); + #endif + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_MlDsaKey_ImportPrivRaw(&k, buf, sz); + (void)wc_MlDsaKey_ImportKey(&k, buf, sz, buf, sz); + (void)wc_MlDsaKey_ExportPrivRaw(&k, NULL, &sz); + (void)wc_MlDsaKey_ExportKey(&k, NULL, &sz, NULL, &sz); + #endif + + /* Sign side. 
*/ + #ifndef WOLFSSL_MLDSA_VERIFY_ONLY + #ifdef WOLFSSL_MLDSA_NO_CTX + (void)wc_MlDsaKey_Sign(&k, NULL, &sz, buf, sz, rng); + (void)wc_MlDsaKey_SignWithSeed(&k, NULL, &sz, buf, sz, NULL); + #endif + (void)wc_MlDsaKey_SignCtx(&k, NULL, 0, NULL, &sz, buf, sz, rng); + (void)wc_MlDsaKey_SignCtxHash(&k, NULL, 0, NULL, &sz, buf, sz, 0, rng); + (void)wc_MlDsaKey_SignCtxWithSeed(&k, NULL, 0, NULL, &sz, buf, sz, NULL); + (void)wc_MlDsaKey_SignCtxHashWithSeed(&k, NULL, 0, NULL, &sz, buf, sz, 0, + NULL); + (void)wc_MlDsaKey_SignMuWithSeed(&k, NULL, &sz, buf, sz, NULL); + #endif + + /* Verify side. */ + #ifdef WOLFSSL_MLDSA_NO_CTX + (void)wc_MlDsaKey_Verify(&k, buf, sz, buf, sz, &res); + #endif + (void)wc_MlDsaKey_VerifyCtx(&k, buf, sz, NULL, 0, buf, sz, &res); + (void)wc_MlDsaKey_VerifyCtxHash(&k, buf, sz, NULL, 0, buf, sz, 0, &res); + (void)wc_MlDsaKey_VerifyMu(&k, buf, sz, buf, sz, &res); + + /* DER decode / encode. */ + #ifndef WOLFSSL_MLDSA_NO_ASN1 + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_MlDsaKey_PrivateKeyDecode(&k, buf, sz, &sz); + (void)wc_MlDsaKey_PrivateKeyToDer(&k, NULL, sz); + (void)wc_MlDsaKey_KeyToDer(&k, NULL, sz); + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_MlDsaKey_PublicKeyDecode(&k, buf, sz, &sz); + #endif + #if defined(WOLFSSL_MLDSA_PUBLIC_KEY) && \ + defined(WC_ENABLE_ASYM_KEY_EXPORT) + (void)wc_MlDsaKey_PublicKeyToDer(&k, NULL, sz, 0); + #endif + #endif + + /* Cross-reference: params struct field on the key. */ + p = k.params; + (void)p; + + (void)res; + (void)rng; + (void)sz; + (void)buf; + (void)level; + } +} + +/* Compile-time validation of the dilithium.h legacy alias shim. 
*/ +#if !defined(WOLFSSL_NO_DILITHIUM_LEGACY_NAMES) + +WOLFSSL_MLDSA_API_CHECK_INLINE void wc_mldsa_legacy_alias_check(void) +{ + if (0) { + MlDsaKey k; + dilithium_key *kp = (dilithium_key *)0; + const wc_dilithium_params *pp = (const wc_dilithium_params *)0; + const byte buf[1] = { 0 }; + word32 sz = 0; + WC_RNG *rng = NULL; + int res = 0; + byte level = 0; + + (void)kp; + (void)pp; + + /* Type aliases. */ + (void)sizeof(dilithium_key); + (void)sizeof(wc_dilithium_params); + + /* No-arg-reorder lifecycle / parameters. */ + (void)wc_dilithium_init(&k); + (void)wc_dilithium_init_ex(&k, NULL, INVALID_DEVID); + #ifdef WOLF_PRIVATE_KEY_ID + (void)wc_dilithium_init_id(&k, NULL, 0, NULL, INVALID_DEVID); + (void)wc_dilithium_init_label(&k, NULL, NULL, INVALID_DEVID); + #endif + #ifndef WC_NO_CONSTRUCTORS + (void)wc_dilithium_new(NULL, INVALID_DEVID); + (void)wc_dilithium_delete(&k, NULL); + #endif + wc_dilithium_free(&k); + (void)wc_dilithium_set_level(&k, level); + (void)wc_dilithium_get_level(&k, &level); + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_dilithium_size(&k); + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_dilithium_priv_size(&k); + #endif + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_dilithium_pub_size(&k); + #endif + #if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) + (void)wc_dilithium_sig_size(&k); + #endif + #ifdef WOLFSSL_MLDSA_CHECK_KEY + (void)wc_dilithium_check_key(&k); + #endif + + /* Make / import / export (arg-reorder). 
*/ + #ifndef WOLFSSL_MLDSA_VERIFY_ONLY + (void)wc_dilithium_make_key(&k, rng); + (void)wc_dilithium_make_key_from_seed(&k, NULL); + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_dilithium_import_public(buf, sz, &k); + (void)wc_dilithium_export_public(&k, NULL, &sz); + #endif + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_dilithium_import_private(buf, sz, &k); + (void)wc_dilithium_import_private_only(buf, sz, &k); + (void)wc_dilithium_import_key(buf, sz, buf, sz, &k); + (void)wc_dilithium_export_private(&k, NULL, &sz); + (void)wc_dilithium_export_private_only(&k, NULL, &sz); + (void)wc_dilithium_export_key(&k, NULL, &sz, NULL, &sz); + #endif + + /* Sign / verify (arg-reorder). */ + #ifndef WOLFSSL_MLDSA_VERIFY_ONLY + #ifdef WOLFSSL_MLDSA_NO_CTX + (void)wc_dilithium_sign_msg(buf, sz, NULL, &sz, &k, rng); + (void)wc_dilithium_sign_msg_with_seed(buf, sz, NULL, &sz, &k, NULL); + #endif + (void)wc_dilithium_sign_ctx_msg(NULL, 0, buf, sz, NULL, &sz, &k, rng); + (void)wc_dilithium_sign_ctx_hash(NULL, 0, 0, buf, sz, NULL, &sz, &k, + rng); + (void)wc_dilithium_sign_ctx_msg_with_seed(NULL, 0, buf, sz, NULL, &sz, + &k, NULL); + (void)wc_dilithium_sign_ctx_hash_with_seed(NULL, 0, 0, buf, sz, NULL, + &sz, &k, NULL); + (void)wc_dilithium_sign_mu_with_seed(buf, sz, NULL, &sz, &k, NULL); + #endif + #ifdef WOLFSSL_MLDSA_NO_CTX + (void)wc_dilithium_verify_msg(buf, sz, buf, sz, &res, &k); + #endif + (void)wc_dilithium_verify_ctx_msg(buf, sz, NULL, 0, buf, sz, &res, &k); + (void)wc_dilithium_verify_ctx_hash(buf, sz, NULL, 0, 0, buf, sz, &res, + &k); + (void)wc_dilithium_verify_mu(buf, sz, buf, sz, &res, &k); + + /* DER decode / encode (arg-reorder). 
*/ + #ifndef WOLFSSL_MLDSA_NO_ASN1 + #ifdef WOLFSSL_MLDSA_PRIVATE_KEY + (void)wc_Dilithium_PrivateKeyDecode(buf, &sz, &k, sz); + (void)wc_Dilithium_PrivateKeyToDer(&k, NULL, sz); + (void)wc_Dilithium_KeyToDer(&k, NULL, sz); + #endif + #ifdef WOLFSSL_MLDSA_PUBLIC_KEY + (void)wc_Dilithium_PublicKeyDecode(buf, &sz, &k, sz); + #endif + #if defined(WOLFSSL_MLDSA_PUBLIC_KEY) && \ + defined(WC_ENABLE_ASYM_KEY_EXPORT) + (void)wc_Dilithium_PublicKeyToDer(&k, NULL, sz, 0); + #endif + #endif + + /* Internal-helper aliases (see dilithium.h). */ + #ifndef WOLFSSL_MLDSA_NO_ASN1 + (void)dilithium_get_oid_sum(&k, NULL); + #endif + #if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) + #ifndef WOLFSSL_NO_ML_DSA_44 + wc_dilithium_encode_w1_88(NULL, NULL); + #endif + #if !defined(WOLFSSL_NO_ML_DSA_65) || !defined(WOLFSSL_NO_ML_DSA_87) + wc_dilithium_encode_w1_32(NULL, NULL); + #endif + #endif + + (void)res; + (void)rng; + (void)sz; + (void)buf; + (void)level; + } +} +#endif /* !WOLFSSL_NO_DILITHIUM_LEGACY_NAMES */ + +#endif /* HAVE_DILITHIUM */ diff --git a/wolfcrypt/src/sha3_asm.S b/wolfcrypt/src/sha3_asm.S index a0dfc6b8a97..6abc9d851b1 100644 --- a/wolfcrypt/src/sha3_asm.S +++ b/wolfcrypt/src/sha3_asm.S @@ -9928,7 +9928,7 @@ L_sha3_block_n_avx2_rounds: #ifndef __APPLE__ .size sha3_block_n_avx2,.-sha3_block_n_avx2 #endif /* __APPLE__ */ -#if defined(WOLFSSL_HAVE_MLKEM) || defined(HAVE_DILITHIUM) || defined(WOLFSSL_HAVE_SLHDSA) +#if defined(WOLFSSL_HAVE_MLKEM) || defined(WOLFSSL_HAVE_MLDSA) || defined(WOLFSSL_HAVE_SLHDSA) #ifndef __APPLE__ .text .globl sha3_blocksx4_avx2 
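Review bot: In tests/api/test_mldsa.c both new API-check functions sit under `#if defined(HAVE_DILITHIUM)`, while the rest of this commit moves the enable gate to `WOLFSSL_HAVE_MLDSA` (the CMake change now defines only that macro). If the compatibility shim does not define `HAVE_DILITHIUM` in some configuration, presumably when `WOLFSSL_NO_DILITHIUM_LEGACY_GATES` is set, the canonical check is compiled out without any diagnostic. That would remove the drift detection exactly where the legacy names are gone. I would gate the outer block with `#if defined(WOLFSSL_HAVE_MLDSA)` and close it with `#endif /* WOLFSSL_HAVE_MLDSA */`, keeping only the second function under `WOLFSSL_NO_DILITHIUM_LEGACY_NAMES`. Separately, the sign calls are gated on `WOLFSSL_MLDSA_VERIFY_ONLY` and the verify calls are not gated at all, although the commit uses `WOLFSSL_MLDSA_NO_SIGN` / `WOLFSSL_MLDSA_NO_VERIFY` elsewhere; it is worth confirming these match the header's declaration gates, which are not visible here.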
@@ -20664,7 +20664,7 @@ _sha3_128_blocksx4_seed_avx2: #ifndef __APPLE__ .size sha3_128_blocksx4_seed_avx2,.-sha3_128_blocksx4_seed_avx2 #endif /* __APPLE__ */ -#endif /* defined(WOLFSSL_HAVE_MLKEM) || defined(HAVE_DILITHIUM) || defined(WOLFSSL_HAVE_SLHDSA) */ +#endif /* defined(WOLFSSL_HAVE_MLKEM) || defined(WOLFSSL_HAVE_MLDSA) || defined(WOLFSSL_HAVE_SLHDSA) */ #ifdef WOLFSSL_HAVE_MLKEM #ifndef __APPLE__ .data @@ -26045,7 +26045,7 @@ _sha3_256_blocksx4_seed_avx2: .size sha3_256_blocksx4_seed_avx2,.-sha3_256_blocksx4_seed_avx2 #endif /* __APPLE__ */ #endif /* WOLFSSL_HAVE_MLKEM */ -#ifdef HAVE_DILITHIUM +#ifdef WOLFSSL_HAVE_MLDSA #ifndef __APPLE__ .data #else @@ -31448,7 +31448,7 @@ _sha3_256_blocksx4_seed_64_avx2: #ifndef __APPLE__ .size sha3_256_blocksx4_seed_64_avx2,.-sha3_256_blocksx4_seed_64_avx2 #endif /* __APPLE__ */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ #endif /* HAVE_INTEL_AVX2 */ #if defined(__linux__) && defined(__ELF__) diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/wc_mldsa.c similarity index 83% rename from wolfcrypt/src/dilithium.c rename to wolfcrypt/src/wc_mldsa.c index 64427504353..2fd10ea36bc 100644 --- a/wolfcrypt/src/dilithium.c +++ b/wolfcrypt/src/wc_mldsa.c @@ -1,4 +1,4 @@ -/* dilithium.c +/* wc_mldsa.c * * Copyright (C) 2006-2026 wolfSSL Inc. * @@ -25,7 +25,7 @@ /* Possible Dilithium/ML-DSA options: * - * HAVE_DILITHIUM Default: OFF + * WOLFSSL_HAVE_MLDSA Default: OFF * Enables the code in this file to be compiled. * * WOLFSSL_NO_ML_DSA_44 Default: OFF 
@@ -38,79 +38,79 @@ * Does not compile in parameter set ML-DSA-87 and any code specific to that * parameter set. * - * WOLFSSL_DILITHIUM_NO_LARGE_CODE Default: OFF + * WOLFSSL_MLDSA_NO_LARGE_CODE Default: OFF * Compiles smaller, fast code with speed trade-off. - * WOLFSSL_DILITHIUM_SMALL Default: OFF + * WOLFSSL_MLDSA_SMALL Default: OFF * Compiles to small code size with a speed trade-off. - * WOLFSSL_DILITHIUM_VERIFY_ONLY Default: OFF + * WOLFSSL_MLDSA_VERIFY_ONLY Default: OFF * Compiles in only the verification and public key operations. - * WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM Default: OFF + * WOLFSSL_MLDSA_VERIFY_SMALL_MEM Default: OFF * Compiles verification implementation that uses smaller amounts of memory. - * WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC Default: OFF - * Only works with WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM. + * WOLFSSL_MLDSA_VERIFY_NO_MALLOC Default: OFF + * Only works with WOLFSSL_MLDSA_VERIFY_SMALL_MEM. * Don't allocate memory with XMALLOC. Memory is pinned against key. - * WOLFSSL_DILITHIUM_ASSIGN_KEY Default: OFF - * Key data is assigned into Dilithium key rather than copied. - * Life of key data passed in is tightly coupled to life of Dilithium key. + * WOLFSSL_MLDSA_ASSIGN_KEY Default: OFF + * Key data is assigned into ML-DSA key rather than copied. + * Life of key data passed in is tightly coupled to life of ML-DSA key. * Cannot be used when make key is enabled. - * WOLFSSL_DILITHIUM_DYNAMIC_KEYS Default: OFF + * WOLFSSL_MLDSA_DYNAMIC_KEYS Default: OFF * Key buffers (public and private) are dynamically allocated on the heap * instead of being static arrays in the key struct. Buffers are right-sized * for the key's ML-DSA level and only allocated when needed (e.g. no private * key buffer for verify-only keys). Reduces memory footprint significantly. - * Cannot be used with WOLFSSL_DILITHIUM_ASSIGN_KEY. - * WOLFSSL_DILITHIUM_SIGN_SMALL_MEM Default: OFF + * Cannot be used with WOLFSSL_MLDSA_ASSIGN_KEY. 
+ * WOLFSSL_MLDSA_SIGN_SMALL_MEM Default: OFF * Compiles signature implementation that uses smaller amounts of memory but * is considerably slower. - * WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC Default: OFF + * WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC Default: OFF * Compiles signature implementation that uses smaller amounts of memory but * is considerably slower. Allocates vectors and decodes private key data * into them upfront. - * WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A Default: OFF + * WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A Default: OFF * Compiles signature implementation that uses smaller amounts of memory but * is slower. Allocates matrix A and calculates it upfront. - * WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM Default: OFF + * WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM Default: OFF * Compiles key generation implementation that uses smaller amounts of memory * but is slower. - * WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 Default: OFF + * WOLFSSL_MLDSA_SMALL_MEM_POLY64 Default: OFF * Compiles the small memory implementations to use a 64-bit polynomial. * Uses 2KB of memory but is slightly quicker (2.75-7%). * - * WOLFSSL_DILITHIUM_ALIGNMENT Default: 8 + * WOLFSSL_MLDSA_ALIGNMENT Default: 8 * Use to indicate whether loading and storing of words needs to be aligned. * Default is to use WOLFSSL_GENERAL_ALIGNMENT - should be 4 on some ARM CPUs. * Set this value explicitly if specific Dilithium implementation alignment is * needed. * - * WOLFSSL_DILITHIUM_NO_ASN1 Default: OFF + * WOLFSSL_MLDSA_NO_ASN1 Default: OFF * Disables any ASN.1 encoding or decoding code. - * WOLFSSL_DILITHIUM_REVERSE_HASH_OID Default: OFF + * WOLFSSL_MLDSA_REVERSE_HASH_OID Default: OFF * Reverse the DER encoded hash oid when signing and verifying a pre-hashed * message. * - * WC_DILITHIUM_CACHE_MATRIX_A Default: OFF + * WC_MLDSA_CACHE_MATRIX_A Default: OFF * Enable caching of the A matrix on import. * Less work is required in sign and verify operations. 
- * WC_DILITHIUM_CACHE_PRIV_VECTORS Default: OFF + * WC_MLDSA_CACHE_PRIV_VECTORS Default: OFF * Enable caching of private key vectors on import. - * Enables WC_DILITHIUM_CACHE_MATRIX_A. + * Enables WC_MLDSA_CACHE_MATRIX_A. * Less work is required in sign operations. - * WC_DILITHIUM_CACHE_PUB_VECTORS Default: OFF + * WC_MLDSA_CACHE_PUB_VECTORS Default: OFF * Enable caching of public key vectors on import. - * Enables WC_DILITHIUM_CACHE_MATRIX_A. + * Enables WC_MLDSA_CACHE_MATRIX_A. * Less work is required in sign operations. - * WC_DILITHIUM_FIXED_ARRAY Default: OFF + * WC_MLDSA_FIXED_ARRAY Default: OFF * Make the matrix and vectors of cached data fixed arrays that have * maximumal sizes for the configured parameters. * Useful in low dynamic memory situations. * - * WOLFSSL_DILITHIUM_SIGN_CHECK_Y Default: OFF + * WOLFSSL_MLDSA_SIGN_CHECK_Y Default: OFF * Check vector y is in required range as an early check on valid vector z. * Falsely reports invalid in approximately 1-2% of checks. * All valid reports are true. * Fast fail gives faster signing times on average. * DO NOT enable this if implementation must be conformant to FIPS 204. - * WOLFSSL_DILITHIUM_SIGN_CHECK_W0 Default: OFF + * WOLFSSL_MLDSA_SIGN_CHECK_W0 Default: OFF * Check vector w0 is in required range as an early check on valid vector r0. * Falsely reports invalid in approximately 3-5% of checks. * All valid reports are true. 
@@ -141,12 +141,19 @@ #define FIPS_NO_WRAPPERS #endif -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#ifndef WOLFSSL_MLDSA_NO_ASN1 #include #endif -#if defined(HAVE_DILITHIUM) +#if defined(WOLFSSL_HAVE_MLDSA) +/* Pull in the legacy compatibility shim. settings.h has already run the + * forward arm of the sub-config gate translation block (legacy + * WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* -> canonical WOLFSSL_MLDSA_* / + * WC_MLDSA_*) so wc_mldsa.h's own conditional declarations read the + * canonical gates regardless of which spelling was used by the build + * system or user_settings.h. This include brings in the reverse arm + * (canonical -> legacy) and the legacy macro / inline aliases. */ #include #include #include @@ -159,14 +166,14 @@ #include #endif -#if defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) - #define WOLFSSL_DILITHIUM_SIGN_SMALL_MEM +#if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) + #define WOLFSSL_MLDSA_SIGN_SMALL_MEM #endif -#if defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) - #define WOLFSSL_DILITHIUM_SIGN_SMALL_MEM - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC +#if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) + #define WOLFSSL_MLDSA_SIGN_SMALL_MEM + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC #error "PRECALC and PRECALC_A are equivalent to non small mem" #endif #endif 
@@ -213,17 +220,17 @@ void print_data(const char* name, const byte* d, int len) #if defined(WOLFSSL_NO_ML_DSA_44) && defined(WOLFSSL_NO_ML_DSA_65) && \ defined(WOLFSSL_NO_ML_DSA_87) - #error "No Dilithium parameters chosen" + #error "No ML-DSA parameters chosen" #endif -#if defined(WOLFSSL_DILITHIUM_ASSIGN_KEY) && \ - !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) +#if defined(WOLFSSL_MLDSA_ASSIGN_KEY) && \ + !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) #error "Cannot use assign key when making keys" #endif -#if defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) && \ - defined(WOLFSSL_DILITHIUM_ASSIGN_KEY) - #error "Cannot use both WOLFSSL_DILITHIUM_DYNAMIC_KEYS and WOLFSSL_DILITHIUM_ASSIGN_KEY" +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) && \ + defined(WOLFSSL_MLDSA_ASSIGN_KEY) + #error "Cannot use both WOLFSSL_MLDSA_DYNAMIC_KEYS and WOLFSSL_MLDSA_ASSIGN_KEY" #endif @@ -264,7 +271,7 @@ void print_data(const char* name, const byte* d, int len) /* The ML-DSA parameters sets. */ -static const wc_dilithium_params dilithium_params[] = { +static const MlDsaParams mldsa_params[] = { #ifndef WOLFSSL_NO_ML_DSA_44 { WC_ML_DSA_44, PARAMS_ML_DSA_44_K, PARAMS_ML_DSA_44_L, PARAMS_ML_DSA_44_ETA, PARAMS_ML_DSA_44_ETA_BITS, @@ -301,7 +308,7 @@ static const wc_dilithium_params dilithium_params[] = { PARAMS_ML_DSA_87_Z_ENC_SIZE, PARAMS_ML_DSA_87_PK_SIZE, PARAMS_ML_DSA_87_SIG_SIZE }, #endif -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) #ifndef WOLFSSL_NO_ML_DSA_44 { WC_ML_DSA_44_DRAFT, PARAMS_ML_DSA_44_K, PARAMS_ML_DSA_44_L, PARAMS_ML_DSA_44_ETA, PARAMS_ML_DSA_44_ETA_BITS, @@ -342,7 +349,7 @@ static const wc_dilithium_params dilithium_params[] = { }; /* Number of ML-DSA parameter sets compiled in. */ #define DILITHIUM_PARAMS_CNT \ - ((unsigned int)(sizeof(dilithium_params) / sizeof(wc_dilithium_params))) + ((unsigned int)(sizeof(mldsa_params) / sizeof(MlDsaParams))) /* Get the ML-DSA parameters that match the level. * 
@@ -351,14 +358,14 @@ static const wc_dilithium_params dilithium_params[] = { * @return 0 on success. * @return NOT_COMPILED_IN when parameters at level are not compiled in. */ -static int dilithium_get_params(int level, const wc_dilithium_params** params) +static int mldsa_get_params(int level, const MlDsaParams** params) { unsigned int i; int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); for (i = 0; i < DILITHIUM_PARAMS_CNT; i++) { - if (dilithium_params[i].level == level) { - *params = &dilithium_params[i]; + if (mldsa_params[i].level == level) { + *params = &mldsa_params[i]; ret = 0; } } @@ -366,18 +373,18 @@ static int dilithium_get_params(int level, const wc_dilithium_params** params) return ret; } -#if defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) && \ - defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) && \ + defined(WOLFSSL_MLDSA_PRIVATE_KEY) /* Allocate the private key buffer for the current level if not already - * allocated. Buffer is sized via wc_dilithium_size(key) and the allocated size + * allocated. Buffer is sized via wc_MlDsaKey_Size(key) and the allocated size * is stored in key->kSz for later use (ForceZero, free). On failure key->k may * remain NULL; callers must not inspect it. */ -static int dilithium_alloc_priv_buf(dilithium_key* key) +static int mldsa_alloc_priv_buf(MlDsaKey* key) { int ret = 0; if (key->k == NULL) { - int secSz = wc_dilithium_size(key); + int secSz = wc_MlDsaKey_Size(key); if (secSz < 0) { /* Should not happen, as the level checks have already been * performed, but defense-in-depth. */ 
@@ -401,17 +408,17 @@ static int dilithium_alloc_priv_buf(dilithium_key* key) } #endif -#if defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) && \ - defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) && \ + defined(WOLFSSL_MLDSA_PUBLIC_KEY) /* Allocate the public key buffer for the current level if not already - * allocated. Buffer is sized via wc_dilithium_pub_size(key). On failure, + * allocated. Buffer is sized via wc_MlDsaKey_PubSize(key). On failure, * key->p may remain NULL; callers must not inspect it. */ -static int dilithium_alloc_pub_buf(dilithium_key* key) +static int mldsa_alloc_pub_buf(MlDsaKey* key) { int ret = 0; if (key->p == NULL) { - int pubSz = wc_dilithium_pub_size(key); + int pubSz = wc_MlDsaKey_PubSize(key); if (pubSz < 0) { /* Should not happen, as the level checks have already been * performed, but defense-in-depth. */ @@ -448,7 +455,7 @@ static int dilithium_alloc_pub_buf(dilithium_key* key) * @return 0 on success. * @return Negative on error. */ -static int dilithium_shake256(wc_Shake* shake256, const byte* data, +static int mldsa_shake256(wc_Shake* shake256, const byte* data, word32 dataLen, byte* hash, word32 hashLen) { int ret; @@ -567,7 +574,7 @@ static int dilithium_shake256(wc_Shake* shake256, const byte* data, * @return 0 on success. * @return Negative on error. */ -static int dilithium_hash256(wc_Shake* shake256, const byte* data1, +static int mldsa_hash256(wc_Shake* shake256, const byte* data1, word32 data1Len, const byte* data2, word32 data2Len, byte* hash, word32 hashLen) { @@ -681,7 +688,7 @@ static int dilithium_hash256(wc_Shake* shake256, const byte* data1, return ret; } -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) /* 256-bit hash of context and message using SHAKE-256. * * FIPS 204. 5.2: Algorithm 2 ML-DSA.Sign(sk, M, ctx) 
@@ -709,7 +716,7 @@ static int dilithium_hash256(wc_Shake* shake256, const byte* data1, * @return 0 on success. * @return Negative on error. */ -static int dilithium_hash256_ctx_msg(wc_Shake* shake256, const byte* tr, +static int mldsa_hash256_ctx_msg(wc_Shake* shake256, const byte* tr, byte trLen, byte preHash, const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* hash, word32 hashLen) { @@ -753,17 +760,17 @@ static int dilithium_hash256_ctx_msg(wc_Shake* shake256, const byte* tr, * @return 0 on success. * @return BAD_FUNC_ARG if hash algorithm not known. */ -static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen) +static int mldsa_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen) { int ret = 0; const byte* oid; -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#ifndef WOLFSSL_MLDSA_NO_ASN1 oid = OidFromId((word32)wc_HashGetOID((enum wc_HashType)hash), oidHashType, oidLen); if ((oid != NULL) && (*oidLen <= DILITHIUM_HASH_OID_LEN - 2)) { -#ifndef WOLFSSL_DILITHIUM_REVERSE_HASH_OID +#ifndef WOLFSSL_MLDSA_REVERSE_HASH_OID oidBuffer[0] = 0x06; /* ObjectID */ oidBuffer[1] = (byte)*oidLen; /* ObjectID */ oidBuffer += 2; @@ -866,7 +873,7 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen) } if ((oid != NULL) && (*oidLen <= DILITHIUM_HASH_OID_LEN)) { -#ifndef WOLFSSL_DILITHIUM_REVERSE_HASH_OID +#ifndef WOLFSSL_MLDSA_REVERSE_HASH_OID XMEMCPY(oidBuffer, oid, *oidLen); #else int i; @@ -881,7 +888,7 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen) } #endif -#ifndef WOLFSSL_DILITHIUM_SMALL +#ifndef WOLFSSL_MLDSA_SMALL /* 128-bit hash using SHAKE-128. * * FIPS 204. 8.3: H128(v,d) <- SHAKE128(v,d) 
@@ -894,7 +901,7 @@ static int dilithium_get_hash_oid(int hash, byte* oidBuffer, word32* oidLen) * @return 0 on success. * @return Negative on error. */ -static int dilithium_squeeze128(wc_Shake* shake128, const byte* in, +static int mldsa_squeeze128(wc_Shake* shake128, const byte* in, word32 inLen, byte* out, word32 outBlocks) { int ret; @@ -912,11 +919,11 @@ static int dilithium_squeeze128(wc_Shake* shake128, const byte* in, return ret; } -#endif /* WOLFSSL_DILITHIUM_SMALL */ +#endif /* WOLFSSL_MLDSA_SMALL */ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (!defined(WOLFSSL_DILITHIUM_SMALL) && \ - !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (!defined(WOLFSSL_MLDSA_SMALL) && \ + !defined(WOLFSSL_MLDSA_NO_MAKE_KEY)) /* 256-bit hash using SHAKE-256. * * FIPS 204. 8.3: H(v,d) <- SHAKE256(v,d) @@ -930,7 +937,7 @@ static int dilithium_squeeze128(wc_Shake* shake128, const byte* in, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_squeeze256(wc_Shake* shake256, const byte* in, +static int mldsa_squeeze256(wc_Shake* shake256, const byte* in, word32 inLen, byte* out, word32 outBlocks) { int ret; @@ -983,7 +990,7 @@ static int dilithium_squeeze256(wc_Shake* shake256, const byte* in, * Encode/Decode operations ******************************************************************************/ -#ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY +#ifndef WOLFSSL_MLDSA_NO_MAKE_KEY /* Encode vector of polynomials with range -ETA..ETA. * * FIPS 204. 8.2: Algorithm 18 skEncode(rho, K, tr, s1, s2, t0) @@ -1014,7 +1021,7 @@ static int dilithium_squeeze256(wc_Shake* shake256, const byte* in, * @param [in] eta Range specifier of each value. * @param [out] p Buffer to encode into. */ -static void dilthium_vec_encode_eta_bits_c(const sword32* s, byte d, byte eta, +static void mldsa_vec_encode_eta_bits_c(const sword32* s, byte d, byte eta, byte* p) { unsigned int i; 
@@ -1055,7 +1062,7 @@ static void dilthium_vec_encode_eta_bits_c(const sword32* s, byte d, byte eta, /* -4..4 */ if (eta == DILITHIUM_ETA_4) { for (i = 0; i < d; i++) { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL /* Step 3 or 6. * 4 bits to encode each number. * 2 numbers become 1 bytes. (2 * 4 bits = 1 * 8 bits) */ @@ -1096,7 +1103,7 @@ static void dilthium_vec_encode_eta_bits_c(const sword32* s, byte d, byte eta, * @param [in] eta Range specifier of each value. * @param [out] p Buffer to encode into. */ -static void dilthium_vec_encode_eta_bits(const sword32* s, byte d, byte eta, +static void mldsa_vec_encode_eta_bits(const sword32* s, byte d, byte eta, byte* p) { #ifdef USE_INTEL_SPEEDUP @@ -1117,12 +1124,12 @@ static void dilthium_vec_encode_eta_bits(const sword32* s, byte d, byte eta, else #endif { - dilthium_vec_encode_eta_bits_c(s, d, eta, p); + mldsa_vec_encode_eta_bits_c(s, d, eta, p); } } -#endif /* !WOLFSSL_DILITHIUM_NO_MAKE_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_MAKE_KEY */ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || defined(WOLFSSL_MLDSA_CHECK_KEY) #if !defined(WOLFSSL_NO_ML_DSA_44) || !defined(WOLFSSL_NO_ML_DSA_87) /* Decode polynomial with range -2..2. @@ -1144,7 +1151,7 @@ static void dilthium_vec_encode_eta_bits(const sword32* s, byte d, byte eta, * @param [in] p Buffer of data to decode. * @param [in] s Vector of decoded polynomials. */ -static void dilithium_decode_eta_2_bits_c(const byte* p, sword32* s) +static void mldsa_decode_eta_2_bits_c(const byte* p, sword32* s) { unsigned int j; 
@@ -1171,7 +1178,7 @@ static void dilithium_decode_eta_2_bits_c(const byte* p, sword32* s) * @param [in] p Buffer of data to decode. * @param [in] s Vector of decoded polynomials. */ -static void dilithium_decode_eta_2_bits(const byte* p, sword32* s) +static void mldsa_decode_eta_2_bits(const byte* p, sword32* s) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -1181,7 +1188,7 @@ static void dilithium_decode_eta_2_bits(const byte* p, sword32* s) else #endif { - dilithium_decode_eta_2_bits_c(p, s); + mldsa_decode_eta_2_bits_c(p, s); } } #endif @@ -1205,11 +1212,11 @@ static void dilithium_decode_eta_2_bits(const byte* p, sword32* s) * @param [in] p Buffer of data to decode. * @param [in] s Vector of decoded polynomials. */ -static void dilithium_decode_eta_4_bits_c(const byte* p, sword32* s) +static void mldsa_decode_eta_4_bits_c(const byte* p, sword32* s) { unsigned int j; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL /* Step 6 or 9. * 4 bits to encode each number. * 2 numbers from 1 bytes. (2 * 4 bits = 1 * 8 bits) */ @@ -1233,7 +1240,7 @@ static void dilithium_decode_eta_4_bits_c(const byte* p, sword32* s) s[j * 2 + 6] = 4 - (p[j + 3] & 0xf); s[j * 2 + 7] = 4 - (p[j + 3] >> 4); } -#endif /* WOLFSSL_DILITHIUM_SMALL */ +#endif /* WOLFSSL_MLDSA_SMALL */ } /* Decode polynomial with range -4..4. @@ -1241,7 +1248,7 @@ static void dilithium_decode_eta_4_bits_c(const byte* p, sword32* s) * @param [in] p Buffer of data to decode. * @param [in] s Vector of decoded polynomials. */ -static void dilithium_decode_eta_4_bits(const byte* p, sword32* s) +static void mldsa_decode_eta_4_bits(const byte* p, sword32* s) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -1251,15 +1258,15 @@ static void dilithium_decode_eta_4_bits(const byte* p, sword32* s) else #endif { - dilithium_decode_eta_4_bits_c(p, s); + mldsa_decode_eta_4_bits_c(p, s); } } #endif -#if defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) || \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM))) +#if defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (defined(WC_MLDSA_CACHE_PRIV_VECTORS) || \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM))) /* Decode vector of polynomials with range -ETA..ETA. * * FIPS 204. 7.2: Algorithm 25 skDecode(sk) @@ -1281,7 +1288,7 @@ static void dilithium_decode_eta_4_bits(const byte* p, sword32* s) * @param [in] s Vector of decoded polynomials. * @param [in] d Dimension of vector. */ -static void dilithium_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, +static void mldsa_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, byte d) { unsigned int i; @@ -1291,7 +1298,7 @@ static void dilithium_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, if (eta == DILITHIUM_ETA_2) { /* Step 5 or 8: For each polynomial of vector */ for (i = 0; i < d; i++) { - dilithium_decode_eta_2_bits(p, s); + mldsa_decode_eta_2_bits(p, s); /* Move to next place to decode from. */ p += DILITHIUM_ETA_2_BITS * DILITHIUM_N / 8; /* Next polynomial. */ @@ -1304,7 +1311,7 @@ static void dilithium_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, if (eta == DILITHIUM_ETA_4) { /* Step 5 or 8: For each polynomial of vector */ for (i = 0; i < d; i++) { - dilithium_decode_eta_4_bits(p, s); + mldsa_decode_eta_4_bits(p, s); /* Move to next place to decode from. */ p += DILITHIUM_N / 2; /* Next polynomial. */ 
@@ -1314,9 +1321,9 @@ static void dilithium_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, #endif } #endif -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN || WOLFSSL_DILITHIUM_CHECK_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN || WOLFSSL_MLDSA_CHECK_KEY */ -#ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY +#ifndef WOLFSSL_MLDSA_NO_MAKE_KEY /* Encode t into t0 and t1. * * FIPS 204. 8.4: Algorithm 29 Power2Round(r) @@ -1341,7 +1348,7 @@ static void dilithium_vec_decode_eta_bits(const byte* p, byte eta, sword32* s, * @param [out] t0 Buffer to encode bottom part of value of t into. * @param [out] t1 Buffer to encode top part of value of t into. */ -static void dilithium_vec_encode_t0_t1_c(const sword32* t, byte d, byte* t0, +static void mldsa_vec_encode_t0_t1_c(const sword32* t, byte d, byte* t0, byte* t1) { unsigned int i; @@ -1389,10 +1396,10 @@ static void dilithium_vec_encode_t0_t1_c(const sword32* t, byte d, byte* t0, /* 13 bits per number. * 8 numbers become 13 bytes. (8 * 13 bits = 13 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 2) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 2) word32* tp; #endif - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) tp = (word32*)t0; tp[0] = (n0_0 ) | ((word32)n0_1 << 13) | ((word32)n0_2 << 26); tp[1] = (n0_2 >> 6) | ((word32)n0_3 << 7) | ((word32)n0_4 << 20); @@ -1416,7 +1423,7 @@ static void dilithium_vec_encode_t0_t1_c(const sword32* t, byte d, byte* t0, /* 10 bits per number. * 8 bytes become 10 bytes. (8 * 10 bits = 10 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 2) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 2) tp = (word32*)t1; tp[0] = (n1_0 ) | ((word32)n1_1 << 10) | ((word32)n1_2 << 20) | ((word32)n1_3 << 30); 
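Review bot: The renamed guards `(WOLFSSL_MLDSA_ALIGNMENT == 0)` and `(WOLFSSL_MLDSA_ALIGNMENT <= 2)` in the `-1389` and `-1416` hunks select the word-cast path whenever the macro is undefined, because an undefined identifier evaluates to 0 in `#if`. A build that still sets only the legacy `WOLFSSL_DILITHIUM_ALIGNMENT` for a strict-alignment target would then silently compile `tp = (word32*)t0;` and similar casts on byte buffers. Whether a compatibility header maps the old name or supplies a default is not visible in this diff. A check next to the default definition, `#if defined(WOLFSSL_DILITHIUM_ALIGNMENT) && !defined(WOLFSSL_MLDSA_ALIGNMENT)` followed by `#error "set WOLFSSL_MLDSA_ALIGNMENT"`, would turn that case into a build failure. The same comparison gates the loads in the t0/t1 decoders, the gamma1 and w1 encoders and decoders, and `mldsa_rej_ntt_poly_ex` in later hunks.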
@@ -1452,7 +1459,7 @@ static void dilithium_vec_encode_t0_t1_c(const sword32* t, byte d, byte* t0, * @param [out] t0 Buffer to encode bottom part of value of t into. * @param [out] t1 Buffer to encode top part of value of t into. */ -static void dilithium_vec_encode_t0_t1(const sword32* t, byte d, byte* t0, +static void mldsa_vec_encode_t0_t1(const sword32* t, byte d, byte* t0, byte* t1) { #ifdef USE_INTEL_SPEEDUP @@ -1463,12 +1470,12 @@ static void dilithium_vec_encode_t0_t1(const sword32* t, byte d, byte* t0, else #endif { - dilithium_vec_encode_t0_t1_c(t, d, t0, t1); + mldsa_vec_encode_t0_t1_c(t, d, t0, t1); } } -#endif /* !WOLFSSL_DILITHIUM_NO_MAKE_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_MAKE_KEY */ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || defined(WOLFSSL_MLDSA_CHECK_KEY) /* Decode bottom D bits of t as t0. * * FIPS 204. 7.2: Algorithm 25 skDecode(sk) @@ -1480,7 +1487,7 @@ static void dilithium_vec_encode_t0_t1(const sword32* t, byte d, byte* t0, * @param [in] d Dimensions of vector t0. * @param [out] t Vector of polynomials. */ -static void dilithium_decode_t0_c(const byte* t0, sword32* t) +static void mldsa_decode_t0_c(const byte* t0, sword32* t) { unsigned int j; @@ -1488,7 +1495,7 @@ static void dilithium_decode_t0_c(const byte* t0, sword32* t) for (j = 0; j < DILITHIUM_N; j += 8) { /* 13 bits used per number. * 8 numbers from 13 bytes. (8 * 13 bits = 13 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) word32 t32_2 = ((const word32*)t0)[2]; #ifdef WC_64BIT_CPU word64 t64 = *(const word64*)t0; 
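Review bot: The doc comment above `mldsa_decode_t0_c` in the `-1480` hunk lists `@param [in] d Dimensions of vector t0.`, but the signature is `(const byte* t0, sword32* t)` and has no `d`. The line should be dropped there and above `mldsa_decode_t0` in the `-1551` hunk. The w1 encoders have the same mismatch: `mldsa_encode_w1_88_c`, `mldsa_encode_w1_88`, `mldsa_encode_w1_32_c` and `mldsa_encode_w1_32` document `@param [in] gamma2 Maximum value in range.` while taking only `w1` and `w1e`. The bodies of these functions extend beyond the hunks.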
@@ -1551,7 +1558,7 @@ static void dilithium_decode_t0_c(const byte* t0, sword32* t) * @param [in] d Dimensions of vector t0. * @param [out] t Vector of polynomials. */ -static void dilithium_decode_t0(const byte* t0, sword32* t) +static void mldsa_decode_t0(const byte* t0, sword32* t) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -1561,14 +1568,14 @@ static void dilithium_decode_t0(const byte* t0, sword32* t) else #endif { - dilithium_decode_t0_c(t0, t); + mldsa_decode_t0_c(t0, t); } } -#if defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) || \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM))) +#if defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (defined(WC_MLDSA_CACHE_PRIV_VECTORS) || \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM))) /* Decode bottom D bits of t as t0. * * FIPS 204. 7.2: Algorithm 25 skDecode(sk) @@ -1582,23 +1589,23 @@ static void dilithium_decode_t0(const byte* t0, sword32* t) * @param [in] d Dimensions of vector t0. * @param [out] t Vector of polynomials. */ -static void dilithium_vec_decode_t0(const byte* t0, byte d, sword32* t) +static void mldsa_vec_decode_t0(const byte* t0, byte d, sword32* t) { unsigned int i; /* Step 11. For each polynomial of vector. */ for (i = 0; i < d; i++) { - dilithium_decode_t0(t0, t); + mldsa_decode_t0(t0, t); t0 += DILITHIUM_D * DILITHIUM_N / 8; /* Next polynomial. */ t += DILITHIUM_N; } } #endif -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN || WOLFSSL_DILITHIUM_CHECK_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN || WOLFSSL_MLDSA_CHECK_KEY */ -#if !defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if !defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) /* Decode top bits of t as t1. * * FIPS 204. 7.2: Algorithm 23 pkDecode(pk) 
@@ -1609,14 +1616,14 @@ static void dilithium_vec_decode_t0(const byte* t0, byte d, sword32* t) * @param [in] t1 Encoded values of t1. * @param [out] t Polynomials. */ -static void dilithium_decode_t1_c(const byte* t1, sword32* t) +static void mldsa_decode_t1_c(const byte* t1, sword32* t) { unsigned int j; /* Step 4. Get 10 bits as a number. */ for (j = 0; j < DILITHIUM_N; j += 8) { /* 10 bits used per number. * 8 numbers from 10 bytes. (8 * 10 bits = 10 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) #ifdef WC_64BIT_CPU word64 t64 = *(const word64*) t1; word16 t16 = *(const word16*)(t1 + 8); @@ -1682,7 +1689,7 @@ static void dilithium_decode_t1_c(const byte* t1, sword32* t) * @param [in] t1 Encoded values of t1. * @param [out] t Polynomials. */ -static void dilithium_decode_t1(const byte* t1, sword32* t) +static void mldsa_decode_t1(const byte* t1, sword32* t) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -1692,14 +1699,14 @@ static void dilithium_decode_t1(const byte* t1, sword32* t) else #endif { - dilithium_decode_t1_c(t1, t); + mldsa_decode_t1_c(t1, t); } } #endif -#if (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) /* Decode top bits of t as t1. * * FIPS 204. 7.2: Algorithm 23 pkDecode(pk) 
@@ -1713,13 +1720,13 @@ static void dilithium_decode_t1(const byte* t1, sword32* t) * @param [in] d Dimensions of vector t1. * @param [out] t Vector of polynomials. */ -static void dilithium_vec_decode_t1(const byte* t1, byte d, sword32* t) +static void mldsa_vec_decode_t1(const byte* t1, byte d, sword32* t) { unsigned int i; /* Step 3. For each polynomial of vector. */ for (i = 0; i < d; i++) { - dilithium_decode_t1(t1, t); + mldsa_decode_t1(t1, t); /* Next polynomial. */ t1 += DILITHIUM_U * DILITHIUM_N / 8; t += DILITHIUM_N; @@ -1727,7 +1734,7 @@ static void dilithium_vec_decode_t1(const byte* t1, byte d, sword32* t) } #endif -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN #ifndef WOLFSSL_NO_ML_DSA_44 /* Encode z with range of -(GAMMA1-1)...GAMMA1 @@ -1740,7 +1747,7 @@ static void dilithium_vec_decode_t1(const byte* t1, byte d, sword32* t) * @param [in] z Polynomial to encode. * @param [out] s Buffer to encode into. */ -static void dilithium_encode_gamma1_17_bits_c(const sword32* z, byte* s) +static void mldsa_encode_gamma1_17_bits_c(const sword32* z, byte* s) { unsigned int j; @@ -1753,7 +1760,7 @@ static void dilithium_encode_gamma1_17_bits_c(const sword32* z, byte* s) /* 18 bits per number. * 8 numbers become 9 bytes. (8 * 9 bits = 9 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) #ifdef WC_64BIT_CPU word64* s64p = (word64*)s; s64p[0] = z0 | ((word64)z1 << 18) | @@ -1784,7 +1791,7 @@ static void dilithium_encode_gamma1_17_bits_c(const sword32* z, byte* s) * @param [in] z Polynomial to encode. * @param [out] s Buffer to encode into. */ -static void dilithium_encode_gamma1_17_bits(const sword32* z, byte* s) +static void mldsa_encode_gamma1_17_bits(const sword32* z, byte* s) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
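Review bot: The packing comment in the `-1753` hunk of `mldsa_encode_gamma1_17_bits_c` does not add up: it says `18 bits per number` and then `8 numbers become 9 bytes. (8 * 9 bits = 9 * 8 bits)`. With 18-bit values, nine bytes hold four numbers. Assuming the loop packs four values per pass (the loop header is outside the hunk), it should read `4 numbers become 9 bytes. (4 * 18 bits = 9 * 8 bits)`. Two neighbours have the same kind of slip: `8 bytes become 10 bytes` in the t1 encoder should say `8 numbers`, and `8 numbers from 9 bytes. (8 * 18 bits = 18 * 8 bits)` in `mldsa_decode_gamma1_c` should say `18 bytes`, which matches its second load from `s+9`.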
@@ -1794,7 +1801,7 @@ static void dilithium_encode_gamma1_17_bits(const sword32* z, byte* s) else #endif { - dilithium_encode_gamma1_17_bits_c(z, s); + mldsa_encode_gamma1_17_bits_c(z, s); } } #endif @@ -1809,7 +1816,7 @@ static void dilithium_encode_gamma1_17_bits(const sword32* z, byte* s) * @param [in] z Polynomial to encode. * @param [out] s Buffer to encode into. */ -static void dilithium_encode_gamma1_19_bits_c(const sword32* z, byte* s) +static void mldsa_encode_gamma1_19_bits_c(const sword32* z, byte* s) { unsigned int j; @@ -1822,7 +1829,7 @@ static void dilithium_encode_gamma1_19_bits_c(const sword32* z, byte* s) /* 20 bits per number. * 4 numbers become 10 bytes. (4 * 20 bits = 10 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 2) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 2) word16* s16p = (word16*)s; #ifdef WC_64BIT_CPU word64* s64p = (word64*)s; @@ -1856,7 +1863,7 @@ static void dilithium_encode_gamma1_19_bits_c(const sword32* z, byte* s) * @param [in] z Polynomial to encode. * @param [out] s Buffer to encode into. */ -static void dilithium_encode_gamma1_19_bits(const sword32* z, byte* s) +static void mldsa_encode_gamma1_19_bits(const sword32* z, byte* s) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -1866,12 +1873,12 @@ static void dilithium_encode_gamma1_19_bits(const sword32* z, byte* s) else #endif { - dilithium_encode_gamma1_19_bits_c(z, s); + mldsa_encode_gamma1_19_bits_c(z, s); } } #endif -#ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM +#ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM /* Encode z with range of -(GAMMA1-1)...GAMMA1 * * FIPS 204. 8.2: Algorithm 20 sigEncode(c_tilde, z, h) 
@@ -1886,7 +1893,7 @@ static void dilithium_encode_gamma1_19_bits(const sword32* z, byte* s) * @param [in] bits Number of bits used in encoding - GAMMA1 bits. * @param [out] s Buffer to encode into. */ -static void dilithium_vec_encode_gamma1(const sword32* z, byte l, int bits, +static void mldsa_vec_encode_gamma1(const sword32* z, byte l, int bits, byte* s) { unsigned int i; @@ -1897,7 +1904,7 @@ static void dilithium_vec_encode_gamma1(const sword32* z, byte l, int bits, if (bits == DILITHIUM_GAMMA1_BITS_17) { /* Step 2. For each polynomial of vector. */ for (i = 0; i < PARAMS_ML_DSA_44_L; i++) { - dilithium_encode_gamma1_17_bits(z, s); + mldsa_encode_gamma1_17_bits(z, s); /* Move to next place to encode to. */ s += DILITHIUM_GAMMA1_17_ENC_BITS / 2 * DILITHIUM_N / 4; /* Next polynomial. */ @@ -1909,7 +1916,7 @@ static void dilithium_vec_encode_gamma1(const sword32* z, byte l, int bits, if (bits == DILITHIUM_GAMMA1_BITS_19) { /* Step 2. For each polynomial of vector. */ for (i = 0; i < l; i++) { - dilithium_encode_gamma1_19_bits(z, s); + mldsa_encode_gamma1_19_bits(z, s); /* Move to next place to encode to. */ s += DILITHIUM_GAMMA1_19_ENC_BITS / 2 * DILITHIUM_N / 4; /* Next polynomial. */ @@ -1918,11 +1925,11 @@ static void dilithium_vec_encode_gamma1(const sword32* z, byte l, int bits, } #endif } -#endif /* WOLFSSL_DILITHIUM_SIGN_SMALL_MEM */ +#endif /* WOLFSSL_MLDSA_SIGN_SMALL_MEM */ -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) /* Decode polynomial with range -(GAMMA1-1)..GAMMA1. * * FIPS 204. 8.2: Algorithm 21 sigDecode(sigma) 
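Review bot: In `mldsa_vec_encode_gamma1` the 17-bit branch loops to `PARAMS_ML_DSA_44_L` and ignores the `l` argument, while the 19-bit branch loops to `l`, so the number of bytes written to `s` in the first branch does not depend on what the caller passed. That is presumably intentional, since only the ML-DSA-44 parameter set uses 17-bit gamma1, but nothing in the visible lines says so. A comment on the loop such as `/* bits == 17 only occurs for ML-DSA-44, so l == PARAMS_ML_DSA_44_L. */` would record the assumption. `mldsa_vec_encode_w1` does the same with `PARAMS_ML_DSA_44_K` against `k`. Parts of both functions lie outside the hunks.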
@@ -1934,18 +1941,18 @@ static void dilithium_vec_encode_gamma1(const sword32* z, byte l, int bits, * @param [in] bits Number of bits used in encoding - GAMMA1 bits. * @param [out] z Polynomial to fill. */ -static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z) +static void mldsa_decode_gamma1_c(const byte* s, int bits, sword32* z) { unsigned int i; #ifndef WOLFSSL_NO_ML_DSA_44 if (bits == DILITHIUM_GAMMA1_BITS_17) { -#if defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) || defined(WOLFSSL_DILITHIUM_SMALL) +#if defined(WOLFSSL_MLDSA_NO_LARGE_CODE) || defined(WOLFSSL_MLDSA_SMALL) /* Step 4: Get 18 bits as a number. */ for (i = 0; i < DILITHIUM_N; i += 4) { /* 18 bits per number. * 4 numbers from 9 bytes. (4 * 18 bits = 9 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) #ifdef WC_64BIT_CPU word64 s64_0 = *(const word64*)(s+0); z[i+0] = (sword32)((word32)DILITHIUM_GAMMA1_17 - @@ -1990,7 +1997,7 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z) for (i = 0; i < DILITHIUM_N; i += 8) { /* 18 bits per number. * 8 numbers from 9 bytes. (8 * 18 bits = 18 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) #ifdef WC_64BIT_CPU word64 s64_0 = *(const word64*)(s+0); word64 s64_1 = *(const word64*)(s+9); 
@@ -2066,12 +2073,12 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z) #endif #if !defined(WOLFSSL_NO_ML_DSA_65) || !defined(WOLFSSL_NO_ML_DSA_87) if (bits == DILITHIUM_GAMMA1_BITS_19) { -#if defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) || defined(WOLFSSL_DILITHIUM_SMALL) +#if defined(WOLFSSL_MLDSA_NO_LARGE_CODE) || defined(WOLFSSL_MLDSA_SMALL) /* Step 4: Get 20 bits as a number. */ for (i = 0; i < DILITHIUM_N; i += 4) { /* 20 bits per number. * 4 numbers from 10 bytes. (4 * 20 bits = 10 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 2) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 2) word16 s16_0 = ((const word16*)s)[4]; #ifdef WC_64BIT_CPU word64 s64_0 = *(const word64*)s; @@ -2112,7 +2119,7 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z) for (i = 0; i < DILITHIUM_N; i += 8) { /* 20 bits per number. * 8 numbers from 20 bytes. (8 * 20 bits = 20 * 8 bits) */ - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 2) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 2) word16 s16_0 = ((const word16*)s)[4]; word16 s16_1 = ((const word16*)s)[9]; #ifdef WC_64BIT_CPU @@ -2202,7 +2209,7 @@ static void dilithium_decode_gamma1_c(const byte* s, int bits, sword32* z) * @param [in] bits Number of bits used in encoding - GAMMA1 bits. * @param [out] z Polynomial to fill. */ -static void dilithium_decode_gamma1(const byte* s, int bits, sword32* z) +static void mldsa_decode_gamma1(const byte* s, int bits, sword32* z) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -2217,12 +2224,12 @@ static void dilithium_decode_gamma1(const byte* s, int bits, sword32* z) else #endif { - dilithium_decode_gamma1_c(s, bits, z); + mldsa_decode_gamma1_c(s, bits, z); } } #endif -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* Decode polynomial with range -(GAMMA1-1)..GAMMA1. * * FIPS 204. 8.2: Algorithm 21 sigDecode(sigma) @@ -2237,7 +2244,7 @@ static void dilithium_decode_gamma1(const byte* s, int bits, sword32* z) * @param [in] bits Number of bits used in encoding - GAMMA1 bits. * @param [out] z Vector of polynomials. */ -static void dilithium_vec_decode_gamma1(const byte* x, byte l, int bits, +static void mldsa_vec_decode_gamma1(const byte* x, byte l, int bits, sword32* z) { unsigned int i; @@ -2245,7 +2252,7 @@ static void dilithium_vec_decode_gamma1(const byte* x, byte l, int bits, /* Step 3: For each polynomial of vector. */ for (i = 0; i < l; i++) { /* Step 4: Unpack a polynomial. */ - dilithium_decode_gamma1(x, bits, z); + mldsa_decode_gamma1(x, bits, z); /* Move pointers on to next polynomial. */ x += DILITHIUM_N / 8 * (bits + 1); z += DILITHIUM_N; @@ -2253,7 +2260,7 @@ static void dilithium_vec_decode_gamma1(const byte* x, byte l, int bits, } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) #ifndef WOLFSSL_NO_ML_DSA_44 /* Encode w1 with range of 0..((q-1)/(2*GAMMA2)-1). * @@ -2267,7 +2274,7 @@ static void dilithium_vec_decode_gamma1(const byte* x, byte l, int bits, * @param [in] gamma2 Maximum value in range. * @param [out] w1e Buffer to encode into. */ -static void dilithium_encode_w1_88_c(const sword32* w1, byte* w1e) +static void mldsa_encode_w1_88_c(const sword32* w1, byte* w1e) { unsigned int j; 
@@ -2275,7 +2282,7 @@ static void dilithium_encode_w1_88_c(const sword32* w1, byte* w1e) for (j = 0; j < DILITHIUM_N; j += 16) { /* 6 bits per number. * 16 numbers in 12 bytes. (16 * 6 bits = 12 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 4) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 4) word32* w1e32 = (word32*)w1e; w1e32[0] = (word32)( (word32)w1[j+ 0] | ((word32)w1[j+ 1] << 6) | @@ -2320,7 +2327,7 @@ static void dilithium_encode_w1_88_c(const sword32* w1, byte* w1e) * @param [in] gamma2 Maximum value in range. * @param [out] w1e Buffer to encode into. */ -static void dilithium_encode_w1_88(const sword32* w1, byte* w1e) +static void mldsa_encode_w1_88(const sword32* w1, byte* w1e) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -2330,13 +2337,13 @@ static void dilithium_encode_w1_88(const sword32* w1, byte* w1e) else #endif { - dilithium_encode_w1_88_c(w1, w1e); + mldsa_encode_w1_88_c(w1, w1e); } } -WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_88(const sword32* w1, byte* w1e) +WOLFSSL_TEST_VIS void wc_mldsa_encode_w1_88(const sword32* w1, byte* w1e) { - dilithium_encode_w1_88(w1, w1e); + mldsa_encode_w1_88(w1, w1e); } #endif /* !WOLFSSL_NO_ML_DSA_44 */ @@ -2353,7 +2360,7 @@ WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_88(const sword32* w1, byte* w1e) * @param [in] gamma2 Maximum value in range. * @param [out] w1e Buffer to encode into. */ -static void dilithium_encode_w1_32_c(const sword32* w1, byte* w1e) +static void mldsa_encode_w1_32_c(const sword32* w1, byte* w1e) { unsigned int j; 
@@ -2361,7 +2368,7 @@ static void dilithium_encode_w1_32_c(const sword32* w1, byte* w1e) for (j = 0; j < DILITHIUM_N; j += 16) { /* 4 bits per number. * 16 numbers in 8 bytes. (16 * 4 bits = 8 * 8 bits) */ -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT <= 8) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT <= 8) word32* w1e32 = (word32*)w1e; w1e32[0] = (word32)(((word32)w1[j + 0] << 0) | ((word32)w1[j + 1] << 4) | @@ -2400,7 +2407,7 @@ static void dilithium_encode_w1_32_c(const sword32* w1, byte* w1e) * @param [in] gamma2 Maximum value in range. * @param [out] w1e Buffer to encode into. */ -static void dilithium_encode_w1_32(const sword32* w1, byte* w1e) +static void mldsa_encode_w1_32(const sword32* w1, byte* w1e) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -2410,20 +2417,20 @@ static void dilithium_encode_w1_32(const sword32* w1, byte* w1e) else #endif { - dilithium_encode_w1_32_c(w1, w1e); + mldsa_encode_w1_32_c(w1, w1e); } } -WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_32(const sword32* w1, byte* w1e) +WOLFSSL_TEST_VIS void wc_mldsa_encode_w1_32(const sword32* w1, byte* w1e) { - dilithium_encode_w1_32(w1, w1e); + mldsa_encode_w1_32(w1, w1e); } #endif #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) /* Encode w1 with range of 0..((q-1)/(2*GAMMA2)-1). * * FIPS 204. 8.2: Algorithm 22 w1Encode(w1) 
@@ -2439,7 +2446,7 @@ WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_32(const sword32* w1, byte* w1e) * @param [in] gamma2 Maximum value in range. * @param [out] w1e Buffer to encode into. */ -static void dilithium_vec_encode_w1(const sword32* w1, byte k, sword32 gamma2, +static void mldsa_vec_encode_w1(const sword32* w1, byte k, sword32 gamma2, byte* w1e) { unsigned int i; @@ -2450,7 +2457,7 @@ static void dilithium_vec_encode_w1(const sword32* w1, byte k, sword32 gamma2, if (gamma2 == DILITHIUM_Q_LOW_88) { /* Step 2. For each polynomial of vector. */ for (i = 0; i < PARAMS_ML_DSA_44_K; i++) { - dilithium_encode_w1_88(w1, w1e); + mldsa_encode_w1_88(w1, w1e); /* Next polynomial. */ w1 += DILITHIUM_N; w1e += DILITHIUM_Q_HI_88_ENC_BITS * 2 * DILITHIUM_N / 16; @@ -2462,7 +2469,7 @@ static void dilithium_vec_encode_w1(const sword32* w1, byte k, sword32 gamma2, if (gamma2 == DILITHIUM_Q_LOW_32) { /* Step 2. For each polynomial of vector. */ for (i = 0; i < k; i++) { - dilithium_encode_w1_32(w1, w1e); + mldsa_encode_w1_32(w1, w1e); /* Next polynomial. */ w1 += DILITHIUM_N; w1e += DILITHIUM_Q_HI_32_ENC_BITS * 2 * DILITHIUM_N / 16; @@ -2510,14 +2517,14 @@ static void dilithium_vec_encode_w1(const sword32* w1, byte k, sword32 gamma2, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, +static int mldsa_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, byte* h) { int ret = 0; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL int j = 0; -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Reading 4 bytes for 3 so need to set 1 past for last read. */ h[DILITHIUM_GEN_A_BLOCK_BYTES] = 0; #endif 
@@ -2538,7 +2545,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, /* Use triplets until run out or have enough for polynomial. */ for (c = 0; c < DILITHIUM_GEN_A_BLOCK_BYTES; c += 3) { #if defined(LITTLE_ENDIAN_ORDER) && \ - (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t = *((sword32*)(h + c)) & 0x7fffff; #else @@ -2565,18 +2572,18 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, /* Generate enough SHAKE-128 output blocks to give high probability of * being able to get 256 valid 3-byte, 23-bit values from it. */ - ret = dilithium_squeeze128(shake128, seed, DILITHIUM_GEN_A_SEED_SZ, h, + ret = mldsa_squeeze128(shake128, seed, DILITHIUM_GEN_A_SEED_SZ, h, DILITHIUM_GEN_A_NBLOCKS); if (ret == 0) { - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Reading 4 bytes for 3 so need to set 1 past for last read. */ h[DILITHIUM_GEN_A_BYTES] = 0; #endif /* Use the first 256 triplets and know we won't exceed required. */ - #ifdef WOLFSSL_DILITHIUM_NO_LARGE_CODE + #ifdef WOLFSSL_MLDSA_NO_LARGE_CODE for (c = 0; c < (DILITHIUM_N - 1) * 3; c += 3) { - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t = *((sword32*)(h + c)) & 0x7fffff; #else @@ -2592,7 +2599,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, } /* Use the remaining triplets, checking we have enough. */ for (; c < DILITHIUM_GEN_A_BYTES; c += 3) { - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t = *((sword32*)(h + c)) & 0x7fffff; #else 
@@ -2613,7 +2620,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, #else /* Do 24 bytes at a time: 256 * 3 / 24 = 32 */ for (c = 0; c < DILITHIUM_N * 3; c += 24) { - #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + #if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t0 = *((sword32*)(h + c + 0)) & 0x7fffff; sword32 t1 = *((sword32*)(h + c + 3)) & 0x7fffff; @@ -2663,7 +2670,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, /* Use the remaining triplets, checking we have enough. */ for (; c < DILITHIUM_GEN_A_BYTES; c += 3) { #if defined(LITTLE_ENDIAN_ORDER) && \ - (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t = *((sword32*)(h + c)) & 0x7fffff; #else @@ -2695,7 +2702,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, /* Use triplets until run out or have enough for polynomial. */ for (c = 0; c < DILITHIUM_GEN_A_BLOCK_BYTES; c += 3) { #if defined(LITTLE_ENDIAN_ORDER) && \ - (WOLFSSL_DILITHIUM_ALIGNMENT == 0) + (WOLFSSL_MLDSA_ALIGNMENT == 0) /* Load 32-bit value and mask out 23 bits. */ sword32 t = *((sword32*)(h + c)) & 0x7fffff; #else 
@@ -2721,13 +2728,13 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, return ret; } -#if (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \ - !defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) +#if (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) && \ + !defined(WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) /* Generate a random polynomial by rejection. * * @param [in, out] shake128 SHAKE-128 object. @@ -2738,7 +2745,7 @@ static int dilithium_rej_ntt_poly_ex(wc_Shake* shake128, byte* seed, sword32* a, * @return MEMORY_E when dynamic memory allocation fails. * @return Negative on hash error. */ -static int dilithium_rej_ntt_poly(wc_Shake* shake128, byte* seed, sword32* a, +static int mldsa_rej_ntt_poly(wc_Shake* shake128, byte* seed, sword32* a, void* heap) { int ret = 0; @@ -2759,7 +2766,7 @@ static int dilithium_rej_ntt_poly(wc_Shake* shake128, byte* seed, sword32* a, #endif if (ret == 0) - ret = dilithium_rej_ntt_poly_ex(shake128, seed, a, h); + ret = mldsa_rej_ntt_poly_ex(shake128, seed, a, h); #if defined(WOLFSSL_SMALL_STACK) XFREE(h, heap, DYNAMIC_TYPE_DILITHIUM); 
@@ -2769,14 +2776,14 @@ static int dilithium_rej_ntt_poly(wc_Shake* shake128, byte* seed, sword32* a, } #endif -#if (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \ - !defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (!defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WC_DILITHIUM_CACHE_MATRIX_A))) +#if (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) && \ + !defined(WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (!defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WC_MLDSA_CACHE_MATRIX_A))) #if defined(USE_INTEL_SPEEDUP) && !defined(WC_SHA3_NO_ASM) #define SHA3_128_BYTES (WC_SHA3_128_COUNT * 8) @@ -3168,7 +3175,7 @@ static int wc_mldsa_gen_matrix_8x7_avx2(sword32* a, byte* seed) * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_expand_a_c(wc_Shake* shake128, const byte* pub_seed, +static int mldsa_expand_a_c(wc_Shake* shake128, const byte* pub_seed, byte k, byte l, sword32* a, void* heap) { int ret = 0; @@ -3187,7 +3194,7 @@ static int dilithium_expand_a_c(wc_Shake* shake128, const byte* pub_seed, /* Put s into buffer to be hashed. */ seed[DILITHIUM_PUB_SEED_SZ + 0] = s; /* Step 3: Create polynomial from hashing seed. */ - ret = dilithium_rej_ntt_poly(shake128, seed, a, heap); + ret = mldsa_rej_ntt_poly(shake128, seed, a, heap); /* Next polynomial. */ a += DILITHIUM_N; } 
@@ -3216,7 +3223,7 @@ static int dilithium_expand_a_c(wc_Shake* shake128, const byte* pub_seed, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_expand_a(wc_Shake* shake128, const byte* pub_seed, +static int mldsa_expand_a(wc_Shake* shake128, const byte* pub_seed, byte k, byte l, sword32* a, void* heap) { int ret; @@ -3254,14 +3261,14 @@ static int dilithium_expand_a(wc_Shake* shake128, const byte* pub_seed, #endif #endif { - ret = dilithium_expand_a_c(shake128, pub_seed, k, l, a, heap); + ret = mldsa_expand_a_c(shake128, pub_seed, k, l, a, heap); } return ret; } #endif -#ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY +#ifndef WOLFSSL_MLDSA_NO_MAKE_KEY #if !defined(WOLFSSL_NO_ML_DSA_44) || !defined(WOLFSSL_NO_ML_DSA_87) /* Check random value is in valid range. @@ -3277,7 +3284,7 @@ static int dilithium_expand_a(wc_Shake* shake128, const byte* pub_seed, #define DILITHIUM_COEFF_S_VALID_ETA2(b) \ ((b) < DILITHIUM_ETA_2_MOD) -static const signed char dilithium_coeff_eta2[] = { +static const signed char mldsa_coeff_eta2[] = { 2, 1, 0, -1, -2, 2, 1, 0, -1, -2, 2, 1, 0, -1, -2 @@ -3291,7 +3298,7 @@ static const signed char dilithium_coeff_eta2[] = { * @return Value in range of -2..2 on success. */ #define DILITHIUM_COEFF_S_ETA2(b) \ - (dilithium_coeff_eta2[b]) + (mldsa_coeff_eta2[b]) #endif #ifndef WOLFSSL_NO_ML_DSA_65 @@ -3480,10 +3487,10 @@ static const signed char dilithium_coeff_eta2[] = { * @param [out] s Polynomial to fill with coefficients. * @param [in, out] cnt Current count of coefficients in polynomial. */ -static void dilithium_extract_coeffs(const byte* z, unsigned int zLen, +static void mldsa_extract_coeffs(const byte* z, unsigned int zLen, byte eta, sword32* s, unsigned int* cnt) { -#ifdef WOLFSSL_DILITHIUM_NO_LARGE_CODE +#ifdef WOLFSSL_MLDSA_NO_LARGE_CODE unsigned int j = *cnt; unsigned int c; 
@@ -3592,10 +3599,10 @@ static void dilithium_extract_coeffs(const byte* z, unsigned int zLen, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_rej_bound_poly(wc_Shake* shake256, byte* seed, sword32* s, +static int mldsa_rej_bound_poly(wc_Shake* shake256, byte* seed, sword32* s, byte eta) { -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL int ret; unsigned int j = 0; byte z[DILITHIUM_GEN_S_BLOCK_BYTES]; @@ -3614,7 +3621,7 @@ static int dilithium_rej_bound_poly(wc_Shake* shake256, byte* seed, sword32* s, break; } /* Extract up to the 256 valid coefficients for polynomial. */ - dilithium_extract_coeffs(z, DILITHIUM_GEN_S_BLOCK_BYTES, eta, s, + mldsa_extract_coeffs(z, DILITHIUM_GEN_S_BLOCK_BYTES, eta, s, &j); } /* Check we got enough values to fill polynomial. */ @@ -3631,11 +3638,11 @@ static int dilithium_rej_bound_poly(wc_Shake* shake256, byte* seed, sword32* s, return MEMORY_E); /* Absorb seed and squeeze out some blocks. */ - ret = dilithium_squeeze256(shake256, seed, DILITHIUM_GEN_S_SEED_SZ, z, + ret = mldsa_squeeze256(shake256, seed, DILITHIUM_GEN_S_SEED_SZ, z, DILITHIUM_GEN_S_NBLOCKS); if (ret == 0) { /* Extract up to 256 valid coefficients for polynomial. */ - dilithium_extract_coeffs(z, DILITHIUM_GEN_S_BYTES, eta, s, &j); + mldsa_extract_coeffs(z, DILITHIUM_GEN_S_BYTES, eta, s, &j); /* Check we got enough values to fill polynomial. */ while (j < DILITHIUM_N) { /* Squeeze out another block. */ @@ -3644,7 +3651,7 @@ static int dilithium_rej_bound_poly(wc_Shake* shake256, byte* seed, sword32* s, break; } /* Extract up to the 256 valid coefficients for polynomial. */ - dilithium_extract_coeffs(z, DILITHIUM_GEN_S_BLOCK_BYTES, eta, s, + mldsa_extract_coeffs(z, DILITHIUM_GEN_S_BLOCK_BYTES, eta, s, &j); } } 
@@ -4090,7 +4097,7 @@ static int wc_mldsa_gen_s_7_8_avx2(sword32* s[2], byte* seed) * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_expand_s_c(wc_Shake* shake256, byte* priv_seed, byte eta, +static int mldsa_expand_s_c(wc_Shake* shake256, byte* priv_seed, byte eta, sword32* s1, byte s1Len, sword32* s2, byte s2Len) { int ret = 0; @@ -4107,7 +4114,7 @@ static int dilithium_expand_s_c(wc_Shake* shake256, byte* priv_seed, byte eta, seed[DILITHIUM_PRIV_SEED_SZ] = r; /* Step 2: Generate polynomial for s1. */ - ret = dilithium_rej_bound_poly(shake256, seed, s1, eta); + ret = mldsa_rej_bound_poly(shake256, seed, s1, eta); /* Next polynomial in s1. */ s1 += DILITHIUM_N; } @@ -4116,7 +4123,7 @@ static int dilithium_expand_s_c(wc_Shake* shake256, byte* priv_seed, byte eta, /* Set bottom 8-bits of r + l into buffer - little endian. */ seed[DILITHIUM_PRIV_SEED_SZ] = (byte)(r + s1Len); /* Step 5: Generate polynomial for s1. */ - ret = dilithium_rej_bound_poly(shake256, seed, s2, eta); + ret = mldsa_rej_bound_poly(shake256, seed, s2, eta); /* Next polynomial in s2. */ s2 += DILITHIUM_N; } @@ -4136,7 +4143,7 @@ static int dilithium_expand_s_c(wc_Shake* shake256, byte* priv_seed, byte eta, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_expand_s(wc_Shake* shake256, byte* priv_seed, byte eta, +static int mldsa_expand_s(wc_Shake* shake256, byte* priv_seed, byte eta, sword32* s1, byte s1Len, sword32* s2, byte s2Len) { int ret = 0; 
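Review bot: The comment above the renamed call in the `@@ -4116,7 +4123,7 @@` hunk says `/* Step 5: Generate polynomial for s1. */`, but the call fills `s2` and the next comment reads "Next polynomial in s2". Since the line below it is being touched anyway, the comment should be corrected to `/* Step 5: Generate polynomial for s2. */`. The body of mldsa_expand_s_c starts and ends outside this hunk, so the loop bounds are not visible here.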
@@ -4174,15 +4181,15 @@ static int dilithium_expand_s(wc_Shake* shake256, byte* priv_seed, byte eta, #endif #endif /* USE_INTEL_SPEEDUP && !WC_SHA3_NO_ASM */ { - ret = dilithium_expand_s_c(shake256, priv_seed, eta, s1, s1Len, s2, + ret = mldsa_expand_s_c(shake256, priv_seed, eta, s1, s1Len, s2, s2Len); } return ret; } -#endif /* !WOLFSSL_DILITHIUM_NO_MAKE_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_MAKE_KEY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN #if defined(USE_INTEL_SPEEDUP) && !defined(WC_SHA3_NO_ASM) #define SHA3_256_BYTES (WC_SHA3_256_COUNT * 8) @@ -4320,7 +4327,7 @@ static int wc_mldsa_gen_y_5_avx2(sword32* y, byte* seed, word16 kappa, seed[DILITHIUM_PRIV_RAND_SEED_SZ + 0] = (byte)kappa; seed[DILITHIUM_PRIV_RAND_SEED_SZ + 1] = (byte)(kappa >> 8); - ret = dilithium_squeeze256(shake256, seed, DILITHIUM_Y_SEED_SZ, rand, + ret = mldsa_squeeze256(shake256, seed, DILITHIUM_Y_SEED_SZ, rand, DILITHIUM_MAX_V_BLOCKS); if (ret == 0) { wc_mldsa_decode_gamma1_19_avx2(rand, y + 4 * DILITHIUM_N); @@ -4451,7 +4458,7 @@ static int wc_mldsa_gen_y_7_avx2(sword32* y, byte* seed, word16 kappa) * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_vec_expand_mask_c(wc_Shake* shake256, byte* seed, +static int mldsa_vec_expand_mask_c(wc_Shake* shake256, byte* seed, word16 kappa, byte gamma1_bits, sword32* y, byte l) { int ret = 0; @@ -4469,11 +4476,11 @@ static int dilithium_vec_expand_mask_c(wc_Shake* shake256, byte* seed, /* Step 4: Append to seed and squeeze out data. */ seed[DILITHIUM_PRIV_RAND_SEED_SZ + 0] = (byte)n; seed[DILITHIUM_PRIV_RAND_SEED_SZ + 1] = (byte)(n >> 8); - ret = dilithium_squeeze256(shake256, seed, DILITHIUM_Y_SEED_SZ, v, + ret = mldsa_squeeze256(shake256, seed, DILITHIUM_Y_SEED_SZ, v, DILITHIUM_MAX_V_BLOCKS); if (ret == 0) { /* Decode v into polynomial. */ - dilithium_decode_gamma1(v, gamma1_bits, y); + mldsa_decode_gamma1(v, gamma1_bits, y); /* Next polynomial. */ y += DILITHIUM_N; } 
@@ -4495,7 +4502,7 @@ static int dilithium_vec_expand_mask_c(wc_Shake* shake256, byte* seed, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_vec_expand_mask(wc_Shake* shake256, byte* seed, +static int mldsa_vec_expand_mask(wc_Shake* shake256, byte* seed, word16 kappa, byte gamma1_bits, sword32* y, byte l) { int ret = 0; @@ -4523,7 +4530,7 @@ static int dilithium_vec_expand_mask(wc_Shake* shake256, byte* seed, else #endif { - ret = dilithium_vec_expand_mask_c(shake256, seed, kappa, gamma1_bits, y, + ret = mldsa_vec_expand_mask_c(shake256, seed, kappa, gamma1_bits, y, l); } @@ -4531,7 +4538,7 @@ static int dilithium_vec_expand_mask(wc_Shake* shake256, byte* seed, } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) /* Expand commit to a polynomial. * * FIPS 204. 8.3: Algorithm 23 SampleInBall(rho) @@ -4557,7 +4564,7 @@ static int dilithium_vec_expand_mask(wc_Shake* shake256, byte* seed, * @return 0 on success. * @return Negative on hash error. */ -static int dilithium_sample_in_ball_ex(int level, wc_Shake* shake256, +static int mldsa_sample_in_ball_ex(int level, wc_Shake* shake256, const byte* seed, word32 seedLen, byte tau, sword32* c, byte* block) { #ifndef USE_INTEL_SPEEDUP @@ -4573,16 +4580,16 @@ static int dilithium_sample_in_ball_ex(int level, wc_Shake* shake256, XMEMSET(c, 0, DILITHIUM_POLY_SIZE); /* Generate a block of data from seed. */ -#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT +#ifdef WOLFSSL_MLDSA_FIPS204_DRAFT if (level >= WC_ML_DSA_DRAFT) { - ret = dilithium_shake256(shake256, seed, DILITHIUM_SEED_SZ, block, + ret = mldsa_shake256(shake256, seed, DILITHIUM_SEED_SZ, block, DILITHIUM_GEN_C_BLOCK_BYTES); } else #endif { (void)level; - ret = dilithium_shake256(shake256, seed, seedLen, block, + ret = mldsa_shake256(shake256, seed, seedLen, block, DILITHIUM_GEN_C_BLOCK_BYTES); } if (ret == 0) { 
@@ -4635,16 +4642,16 @@ static int dilithium_sample_in_ball_ex(int level, wc_Shake* shake256, XMEMSET(c, 0, DILITHIUM_POLY_SIZE); /* Generate a block of data from seed. */ -#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT +#ifdef WOLFSSL_MLDSA_FIPS204_DRAFT if (level >= WC_ML_DSA_DRAFT) { - ret = dilithium_shake256(shake256, seed, DILITHIUM_SEED_SZ, block, + ret = mldsa_shake256(shake256, seed, DILITHIUM_SEED_SZ, block, DILITHIUM_GEN_C_BLOCK_BYTES); } else #endif { (void)level; - ret = dilithium_shake256(shake256, seed, seedLen, block, + ret = mldsa_shake256(shake256, seed, seedLen, block, DILITHIUM_GEN_C_BLOCK_BYTES); } if (ret == 0) { @@ -4699,10 +4706,10 @@ static int dilithium_sample_in_ball_ex(int level, wc_Shake* shake256, #endif } -#if (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) +#if (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) /* Expand commit to a polynomial. * * @param [in] shake256 SHAKE-256 object. @@ -4715,7 +4722,7 @@ static int dilithium_sample_in_ball_ex(int level, wc_Shake* shake256, * @return MEMORY_E when dynamic memory allocation fails. * @return Negative on hash error. */ -static int dilithium_sample_in_ball(int level, wc_Shake* shake256, +static int mldsa_sample_in_ball(int level, wc_Shake* shake256, const byte* seed, word32 seedLen, byte tau, sword32* c, void* heap) { int ret = 0; @@ -4736,7 +4743,7 @@ static int dilithium_sample_in_ball(int level, wc_Shake* shake256, #endif if (ret == 0) { - ret = dilithium_sample_in_ball_ex(level, shake256, seed, seedLen, tau, + ret = mldsa_sample_in_ball_ex(level, shake256, seed, seedLen, tau, c, block); } 
@@ -4753,7 +4760,7 @@ static int dilithium_sample_in_ball(int level, wc_Shake* shake256, * Decompose operations ******************************************************************************/ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) #ifndef WOLFSSL_NO_ML_DSA_44 /* Decompose value into high and low based on GAMMA2 being ((q-1) / 88). * @@ -4778,7 +4785,7 @@ static int dilithium_sample_in_ball(int level, wc_Shake* shake256, * @param [out] r0 Low bits. * @param [out] r1 High bits. */ -static void dilithium_decompose_q88(sword32 r, sword32* r0, sword32* r1) +static void mldsa_decompose_q88(sword32 r, sword32* r0, sword32* r1) { sword32 t0; sword32 t1; @@ -4846,7 +4853,7 @@ static void dilithium_decompose_q88(sword32 r, sword32* r0, sword32* r1) * @param [out] r0 Low bits. * @param [out] r1 High bits. */ -static void dilithium_decompose_q32(sword32 r, sword32* r0, sword32* r1) +static void mldsa_decompose_q32(sword32 r, sword32* r0, sword32* r1) { sword32 t0; sword32 t1; @@ -4870,10 +4877,10 @@ static void dilithium_decompose_q32(sword32 r, sword32* r0, sword32* r1) #endif #endif -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN -#if !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A) +#if !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A) /* Decompose vector of polynomials into high and low based on GAMMA2. * * @param [in] r Vector of polynomials to decompose. 
@@ -4882,7 +4889,7 @@ static void dilithium_decompose_q32(sword32 r, sword32* r0, sword32* r1) * @param [out] r0 Low parts in vector of polynomials. * @param [out] r1 High parts in vector of polynomials. */ -static void dilithium_vec_decompose_c(const sword32* r, byte k, sword32 gamma2, +static void mldsa_vec_decompose_c(const sword32* r, byte k, sword32 gamma2, sword32* r0, sword32* r1) { unsigned int i; @@ -4895,7 +4902,7 @@ static void dilithium_vec_decompose_c(const sword32* r, byte k, sword32 gamma2, /* For each value of polynomial. */ for (j = 0; j < DILITHIUM_N; j++) { /* Decompose value into two vectors. */ - dilithium_decompose_q88(r[j], &r0[j], &r1[j]); + mldsa_decompose_q88(r[j], &r0[j], &r1[j]); } /* Next polynomial of vectors. */ r += DILITHIUM_N; @@ -4911,7 +4918,7 @@ static void dilithium_vec_decompose_c(const sword32* r, byte k, sword32 gamma2, /* For each value of polynomial. */ for (j = 0; j < DILITHIUM_N; j++) { /* Decompose value into two vectors. */ - dilithium_decompose_q32(r[j], &r0[j], &r1[j]); + mldsa_decompose_q32(r[j], &r0[j], &r1[j]); } /* Next polynomial of vectors. */ r += DILITHIUM_N; @@ -4930,7 +4937,7 @@ static void dilithium_vec_decompose_c(const sword32* r, byte k, sword32 gamma2, * @param [out] r0 Low parts in vector of polynomials. * @param [out] r1 High parts in vector of polynomials. */ -static void dilithium_vec_decompose(const sword32* r, byte k, sword32 gamma2, +static void mldsa_vec_decompose(const sword32* r, byte k, sword32 gamma2, sword32* r0, sword32* r1) { #ifdef USE_INTEL_SPEEDUP 
@@ -4950,18 +4957,18 @@ static void dilithium_vec_decompose(const sword32* r, byte k, sword32 gamma2, else #endif { - dilithium_vec_decompose_c(r, k, gamma2, r0, r1); + mldsa_vec_decompose_c(r, k, gamma2, r0, r1); } } #endif -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ /****************************************************************************** * Range check operation ******************************************************************************/ -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) /* Check that the values of the polynomial are in range. * * Many places in FIPS 204. One example from Algorithm 2: @@ -4970,7 +4977,7 @@ static void dilithium_vec_decompose(const sword32* r, byte k, sword32 gamma2, * @param [in] a Polynomial. * @param [in] hi Largest value in range. */ -static int dilithium_check_low(const sword32* a, sword32 hi) +static int mldsa_check_low(const sword32* a, sword32 hi) { int ret = 1; unsigned int j; @@ -4990,9 +4997,9 @@ static int dilithium_check_low(const sword32* a, sword32 hi) return ret; } -#if !defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Check that the values of the vector are in range. * * Many places in FIPS 204. One example from Algorithm 2: 
@@ -5002,14 +5009,14 @@ static int dilithium_check_low(const sword32* a, sword32 hi) * @param [in] l Dimension of vector. * @param [in] hi Largest value in range. */ -static int dilithium_vec_check_low_c(const sword32* a, byte l, sword32 hi) +static int mldsa_vec_check_low_c(const sword32* a, byte l, sword32 hi) { int ret = 1; unsigned int i; /* For each polynomial of vector. */ for (i = 0; (ret == 1) && (i < l); i++) { - ret = dilithium_check_low(a, hi); + ret = mldsa_check_low(a, hi); if (ret == 0) { break; } @@ -5027,7 +5034,7 @@ static int dilithium_vec_check_low_c(const sword32* a, byte l, sword32 hi) * @param [in] l Dimension of vector. * @param [in] hi Largest value in range. */ -static int dilithium_vec_check_low(const sword32* a, byte l, sword32 hi) +static int mldsa_vec_check_low(const sword32* a, byte l, sword32 hi) { int ret; #ifdef USE_INTEL_SPEEDUP @@ -5038,7 +5045,7 @@ static int dilithium_vec_check_low(const sword32* a, byte l, sword32 hi) else #endif { - ret = dilithium_vec_check_low_c(a, l, hi); + ret = mldsa_vec_check_low_c(a, l, hi); } return ret; @@ -5049,7 +5056,7 @@ static int dilithium_vec_check_low(const sword32* a, byte l, sword32 hi) * Hint operations ******************************************************************************/ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN #ifndef WOLFSSL_NO_ML_DSA_44 /* Compute hints indicating whether adding ct0 to w alters high bits of w. @@ -5090,7 +5097,7 @@ static int dilithium_vec_check_low(const sword32* a, byte l, sword32 hi) * return Number of hints on success. * return Falsam of -1 when too many hints. */ -static int dilithium_make_hint_88(const sword32* s, const sword32* w1, byte* h, +static int mldsa_make_hint_88(const sword32* s, const sword32* w1, byte* h, byte *idxp) { unsigned int j; 
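Review bot: The doc comment kept above mldsa_make_hint_88 in the `@@ -5090,7 +5097,7 @@` hunk ends with `* return Falsam of -1 when too many hints.`, which contains a typo and lacks the `@return` tag used by the other function comments in this file. The same two lines appear above mldsa_make_hint_32 and mldsa_make_hint in the following hunks. I would change them to `* @return Number of hints on success.` and `* @return -1 when too many hints.`, which matches the `== -1` test in mldsa_make_hint. The function bodies lie outside these hunks.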
@@ -5162,7 +5169,7 @@ static int dilithium_make_hint_88(const sword32* s, const sword32* w1, byte* h, * return Number of hints on success. * return Falsam of -1 when too many hints. */ -static int dilithium_make_hint_32(const sword32* s, const sword32* w1, +static int mldsa_make_hint_32(const sword32* s, const sword32* w1, byte omega, byte* h, byte *idxp) { unsigned int j; @@ -5197,7 +5204,7 @@ static int dilithium_make_hint_32(const sword32* s, const sword32* w1, } #endif -#ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM +#ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM /* Compute hints indicating whether adding ct0 to w alters high bits of w. * * FIPS 204. 6: Algorithm 2 ML-DSA.Sign(sk, M) @@ -5242,7 +5249,7 @@ static int dilithium_make_hint_32(const sword32* s, const sword32* w1, * return Number of hints on success. * return Falsam of -1 when too many hints. */ -static int dilithium_make_hint(const sword32* s, const sword32* w1, byte k, +static int mldsa_make_hint(const sword32* s, const sword32* w1, byte k, sword32 gamma2, byte omega, byte* h) { unsigned int i; @@ -5255,7 +5262,7 @@ static int dilithium_make_hint(const sword32* s, const sword32* w1, byte k, if (gamma2 == DILITHIUM_Q_LOW_88) { /* Alg 14, Step 2: For each polynomial of vector. */ for (i = 0; i < PARAMS_ML_DSA_44_K; i++) { - if (dilithium_make_hint_88(s, w1, h, &idx) == -1) { + if (mldsa_make_hint_88(s, w1, h, &idx) == -1) { return -1; } /* Alg 14, Step 10: Store count of hints for polynomial at end of @@ -5272,7 +5279,7 @@ static int dilithium_make_hint(const sword32* s, const sword32* w1, byte k, if (gamma2 == DILITHIUM_Q_LOW_32) { /* Alg 14, Step 2: For each polynomial of vector. */ for (i = 0; i < k; i++) { - if (dilithium_make_hint_32(s, w1, omega, h, &idx) == -1) { + if (mldsa_make_hint_32(s, w1, omega, h, &idx) == -1) { return -1; } /* Alg 14, Step 10: Store count of hints for polynomial at end of 
@@ -5292,11 +5299,11 @@ static int dilithium_make_hint(const sword32* s, const sword32* w1, byte k, XMEMSET(h + idx, 0, (size_t)(omega - idx)); return idx; } -#endif /* !WOLFSSL_DILITHIUM_SIGN_SMALL_MEM */ +#endif /* !WOLFSSL_MLDSA_SIGN_SMALL_MEM */ -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* Check that the hints are valid. * * @param [in] h Hints to check @@ -5305,7 +5312,7 @@ static int dilithium_make_hint(const sword32* s, const sword32* w1, byte k, * @return 0 when hints valid. * @return SIG_VERIFY_E when hints invalid. */ -static int dilithium_check_hint(const byte* h, byte k, byte omega) +static int mldsa_check_hint(const byte* h, byte k, byte omega) { int ret = 0; unsigned int o = 0; @@ -5370,7 +5377,7 @@ static int dilithium_check_hint(const byte* h, byte k, byte omega) * @param [in] i Dimension index. * @param [in, out] op Pointer to current offset into hints. */ -static void dilithium_use_hint_88(sword32* w1, const byte* h, unsigned int i, +static void mldsa_use_hint_88(sword32* w1, const byte* h, unsigned int i, byte* op) { byte o = *op; @@ -5391,7 +5398,7 @@ static void dilithium_use_hint_88(sword32* w1, const byte* h, unsigned int i, /* Convert value to positive only range. */ r = w1[j] + ((0 - (((word32)w1[j]) >> 31)) & DILITHIUM_Q); /* Decompose value into low and high parts. */ - dilithium_decompose_q88(r, &r0, &r1); + mldsa_decompose_q88(r, &r0, &r1); /* Make hint positive or negative based on sign of r0. */ hint = (1 - (2 * (((word32)r0) >> 31))) & (0 - hint); /* Make w1 only the top part plus the hint. */ 
@@ -5405,7 +5412,7 @@ static void dilithium_use_hint_88(sword32* w1, const byte* h, unsigned int i, /* Convert value to positive only range. */ r = w1[j] + (sword32)((0 - (((word32)w1[j]) >> 31)) & DILITHIUM_Q); /* Decompose value into low and high parts. */ - dilithium_decompose_q88(r, &r0, &r1); + mldsa_decompose_q88(r, &r0, &r1); /* Check for hint. */ if ((o < h[PARAMS_ML_DSA_44_OMEGA + i]) && (h[o] == (byte)j)) { /* Add or subtract hint based on sign of r0. */ @@ -5441,7 +5448,7 @@ static void dilithium_use_hint_88(sword32* w1, const byte* h, unsigned int i, * @param [in] i Dimension index. * @param [in, out] op Pointer to current offset into hints. */ -static void dilithium_use_hint_32(sword32* w1, const byte* h, byte omega, +static void mldsa_use_hint_32(sword32* w1, const byte* h, byte omega, unsigned int i, byte* op) { byte o = *op; @@ -5461,7 +5468,7 @@ static void dilithium_use_hint_32(sword32* w1, const byte* h, byte omega, /* Convert value to positive only range. */ r = w1[j] + (sword32)((0 - (((word32)w1[j]) >> 31)) & DILITHIUM_Q); /* Decompose value into low and high parts. */ - dilithium_decompose_q32(r, &r0, &r1); + mldsa_decompose_q32(r, &r0, &r1); /* Make hint positive or negative based on sign of r0. */ hint = (sword32)((1 - (2 * (((word32)r0) >> 31))) & (0 - hint)); /* Make w1 only the top part plus the hint. */ @@ -5473,7 +5480,7 @@ static void dilithium_use_hint_32(sword32* w1, const byte* h, byte omega, /* Convert value to positive only range. */ r = w1[j] + (sword32)((0 - (((word32)w1[j]) >> 31)) & DILITHIUM_Q); /* Decompose value into low and high parts. */ - dilithium_decompose_q32(r, &r0, &r1); + mldsa_decompose_q32(r, &r0, &r1); /* Check for hint. */ if ((o < h[omega + i]) && (h[o] == (byte)j)) { /* Add or subtract hint based on sign of r0. */ 
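Review bot: In the `@@ -5405,7 +5412,7 @@` hunk, the read `h[o]` is bounded only by the count byte `h[PARAMS_ML_DSA_44_OMEGA + i]`, and the function comment describes `h` as hints in signature encoding, so both values come from the signature being verified. Nothing in this hunk limits that count, so the function appears to rely on mldsa_check_hint having already returned 0 for the same buffer; that call is not visible here. The doc comment should state the precondition, for example `* Hints must have passed mldsa_check_hint() before this is called.`. The same applies to the `h[omega + i]` test in mldsa_use_hint_32 in the `@@ -5473,7 +5480,7 @@` hunk. Both function bodies start outside their hunks.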
@@ -5489,7 +5496,7 @@ static void dilithium_use_hint_32(sword32* w1, const byte* h, byte omega, } #endif -#ifndef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM +#ifndef WOLFSSL_MLDSA_VERIFY_SMALL_MEM /* Use hints to modify w1. * * FIPS 204. 8.4: Algorithm 34 UseHint(h, r) @@ -5505,7 +5512,7 @@ static void dilithium_use_hint_32(sword32* w1, const byte* h, byte omega, * @param [in] omega Max number of hints. Hint counts after this index. * @param [in] h Hints to apply. In signature encoding. */ -static void dilithium_vec_use_hint(sword32* w1, byte k, sword32 gamma2, +static void mldsa_vec_use_hint(sword32* w1, byte k, sword32 gamma2, byte omega, const byte* h) { unsigned int i; @@ -5526,7 +5533,7 @@ static void dilithium_vec_use_hint(sword32* w1, byte k, sword32 gamma2, { /* For each polynomial of vector. */ for (i = 0; i < PARAMS_ML_DSA_44_K; i++) { - dilithium_use_hint_88(w1, h, i, &o); + mldsa_use_hint_88(w1, h, i, &o); w1 += DILITHIUM_N; } } @@ -5544,7 +5551,7 @@ static void dilithium_vec_use_hint(sword32* w1, byte k, sword32 gamma2, { /* For each polynomial of vector. */ for (i = 0; i < k; i++) { - dilithium_use_hint_32(w1, h, omega, i, &o); + mldsa_use_hint_32(w1, h, omega, i, &o); w1 += DILITHIUM_N; } } @@ -5552,7 +5559,7 @@ static void dilithium_vec_use_hint(sword32* w1, byte k, sword32 gamma2, #endif } #endif -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ /****************************************************************************** * Maths operations @@ -5566,7 +5573,7 @@ static void dilithium_vec_use_hint(sword32* w1, byte k, sword32 gamma2, * @param [in] a 64-bit value to be reduced. * @return Montgomery reduction result. */ -static sword32 dilithium_mont_red(sword64 a) +static sword32 mldsa_mont_red(sword64 a) { #ifndef DILITHIUM_MUL_QINV_SLOW sword64 t = (sword32)((sword32)a * (sword32)DILITHIUM_QINV); 
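Review bot: The context line `sword64 t = (sword32)((sword32)a * (sword32)DILITHIUM_QINV);` in mldsa_mont_red (hunk `@@ -5566,7 +5573,7 @@`) multiplies two signed 32-bit operands whose product will normally exceed the sword32 range. That is undefined behaviour in C, assuming sword32 is a 32-bit signed type; its definition is not shown here. The reduction only needs the low 32 bits, so an unsigned multiply gives the same value without relying on signed wrap-around: `sword64 t = (sword32)((word32)a * (word32)DILITHIUM_QINV);`. The rest of the function, including the DILITHIUM_MUL_QINV_SLOW branch, is outside the hunk and should be checked for the same pattern.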
@@ -5581,13 +5588,13 @@ static sword32 dilithium_mont_red(sword64 a) #endif } -#if !defined(WOLFSSL_DILITHIUM_SMALL) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (defined(WOLFSSL_DILITHIUM_SMALL) && \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY)))) +#if !defined(WOLFSSL_MLDSA_SMALL) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (defined(WOLFSSL_MLDSA_SMALL) && \ + (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY)))) /* Reduce 32-bit a modulo q. r = a mod q. * * Barrett reduction. @@ -5595,7 +5602,7 @@ static sword32 dilithium_mont_red(sword64 a) * @param [in] a 32-bit value to be reduced to range of q. * @return Modulo result. */ -static sword32 dilithium_red(sword32 a) +static sword32 mldsa_red(sword32 a) { sword32 t = (sword32)((a + ((sword32)1 << 22)) >> 23); #ifndef DILITHIUM_MUL_Q_SLOW @@ -5642,7 +5649,7 @@ static const sword32 zetas[DILITHIUM_N] = { -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782 }; -#ifndef WOLFSSL_DILITHIUM_SMALL +#ifndef WOLFSSL_MLDSA_SMALL /* Zetas for inverse NTT. */ static const sword32 zetas_inv[DILITHIUM_N] = { -1976782, 846154, -1400424, -3937738, 1362209, 48306, -3919660, 554416, @@ -5680,9 +5687,9 @@ static const sword32 zetas_inv[DILITHIUM_N] = { }; #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - !defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE) && defined(WOLFSSL_DILITHIUM_SMALL)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + !defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + (!defined(WOLFSSL_MLDSA_NO_MAKE) && defined(WOLFSSL_MLDSA_SMALL)) /* One iteration of Number-Theoretic Transform. * 
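Review bot: The last clause of the renamed guard in the `@@ -5680,9 +5687,9 @@` hunk tests `WOLFSSL_MLDSA_NO_MAKE`, while every other key-generation gate in this diff is spelled `WOLFSSL_MLDSA_NO_MAKE_KEY`, including the guard at the top of this same line of hunks. The rename carried the old spelling over unchanged. A build that defines only WOLFSSL_MLDSA_NO_MAKE_KEY together with WOLFSSL_MLDSA_SMALL would therefore still compile the NTT code this guard protects. If no separate NO_MAKE option is intended, the clause should read `(!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) && defined(WOLFSSL_MLDSA_SMALL))`. Otherwise the new macro should be documented alongside the other ML-DSA gates.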
@@ -5694,7 +5701,7 @@ do { \ zeta = zetas[++k]; \ for (j = 0; j < (len); ++j) { \ sword32 t = \ - dilithium_mont_red((sword64)zeta * r[start + j + (len)]); \ + mldsa_mont_red((sword64)zeta * r[start + j + (len)]); \ sword32 rj = r[start + j]; \ r[start + j + (len)] = rj - t; \ r[start + j] = rj + t; \ @@ -5707,9 +5714,9 @@ while (0) * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt_c(sword32* r) +static void mldsa_ntt_c(sword32* r) { -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL unsigned int len; unsigned int k; unsigned int j; @@ -5720,14 +5727,14 @@ static void dilithium_ntt_c(sword32* r) for (start = 0; start < DILITHIUM_N; start = j + len) { sword32 zeta = zetas[++k]; for (j = start; j < start + len; ++j) { - sword32 t = dilithium_mont_red((sword64)zeta * r[j + len]); + sword32 t = mldsa_mont_red((sword64)zeta * r[j + len]); sword32 rj = r[j]; r[j + len] = rj - t; r[j] = rj + t; } } } -#elif defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) +#elif defined(WOLFSSL_MLDSA_NO_LARGE_CODE) unsigned int j; unsigned int k; unsigned int start; @@ -5736,7 +5743,7 @@ static void dilithium_ntt_c(sword32* r) zeta = zetas[1]; for (j = 0; j < DILITHIUM_N / 2; j++) { sword32 t = - dilithium_mont_red((sword64)zeta * r[j + DILITHIUM_N / 2]); + mldsa_mont_red((sword64)zeta * r[j + DILITHIUM_N / 2]); sword32 rj = r[j]; r[j + DILITHIUM_N / 2] = rj - t; r[j] = rj + t; @@ -5751,7 +5758,7 @@ static void dilithium_ntt_c(sword32* r) NTT(2); for (j = 0; j < DILITHIUM_N; j += 2) { - sword32 t = dilithium_mont_red((sword64)zetas[++k] * r[j + 1]); + sword32 t = mldsa_mont_red((sword64)zetas[++k] * r[j + 1]); sword32 rj = r[j]; r[j + 1] = rj - t; r[j] = rj + t; 
@@ -5771,15 +5778,15 @@ static void dilithium_ntt_c(sword32* r) sword32 r4 = r[j + 128]; sword32 r6 = r[j + 192]; - t0 = dilithium_mont_red((sword64)zeta128 * r4); - t2 = dilithium_mont_red((sword64)zeta128 * r6); + t0 = mldsa_mont_red((sword64)zeta128 * r4); + t2 = mldsa_mont_red((sword64)zeta128 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta640 * r2); - t2 = dilithium_mont_red((sword64)zeta641 * r6); + t0 = mldsa_mont_red((sword64)zeta640 * r2); + t2 = mldsa_mont_red((sword64)zeta641 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; @@ -5802,15 +5809,15 @@ static void dilithium_ntt_c(sword32* r) sword32 r4 = r[j + i + 32]; sword32 r6 = r[j + i + 48]; - t0 = dilithium_mont_red((sword64)zeta32 * r4); - t2 = dilithium_mont_red((sword64)zeta32 * r6); + t0 = mldsa_mont_red((sword64)zeta32 * r4); + t2 = mldsa_mont_red((sword64)zeta32 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta160 * r2); - t2 = dilithium_mont_red((sword64)zeta161 * r6); + t0 = mldsa_mont_red((sword64)zeta160 * r2); + t2 = mldsa_mont_red((sword64)zeta161 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; @@ -5834,15 +5841,15 @@ static void dilithium_ntt_c(sword32* r) sword32 r4 = r[j + i + 8]; sword32 r6 = r[j + i + 12]; - t0 = dilithium_mont_red((sword64)zeta8 * r4); - t2 = dilithium_mont_red((sword64)zeta8 * r6); + t0 = mldsa_mont_red((sword64)zeta8 * r4); + t2 = mldsa_mont_red((sword64)zeta8 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta40 * r2); - t2 = dilithium_mont_red((sword64)zeta41 * r6); + t0 = mldsa_mont_red((sword64)zeta40 * r2); + t2 = mldsa_mont_red((sword64)zeta41 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; 
@@ -5863,15 +5870,15 @@ static void dilithium_ntt_c(sword32* r) sword32 r4 = r[j + 2]; sword32 r6 = r[j + 3]; - t0 = dilithium_mont_red((sword64)zeta2 * r4); - t2 = dilithium_mont_red((sword64)zeta2 * r6); + t0 = mldsa_mont_red((sword64)zeta2 * r4); + t2 = mldsa_mont_red((sword64)zeta2 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zetas[k++] * r2); - t2 = dilithium_mont_red((sword64)zetas[k++] * r6); + t0 = mldsa_mont_red((sword64)zetas[k++] * r2); + t2 = mldsa_mont_red((sword64)zetas[k++] * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; @@ -5903,10 +5910,10 @@ static void dilithium_ntt_c(sword32* r) sword32 r6 = r[j + 192]; sword32 r7 = r[j + 224]; - t0 = dilithium_mont_red((sword64)zeta128 * r4); - t1 = dilithium_mont_red((sword64)zeta128 * r5); - t2 = dilithium_mont_red((sword64)zeta128 * r6); - t3 = dilithium_mont_red((sword64)zeta128 * r7); + t0 = mldsa_mont_red((sword64)zeta128 * r4); + t1 = mldsa_mont_red((sword64)zeta128 * r5); + t2 = mldsa_mont_red((sword64)zeta128 * r6); + t3 = mldsa_mont_red((sword64)zeta128 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; @@ -5916,10 +5923,10 @@ static void dilithium_ntt_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta640 * r2); - t1 = dilithium_mont_red((sword64)zeta640 * r3); - t2 = dilithium_mont_red((sword64)zeta641 * r6); - t3 = dilithium_mont_red((sword64)zeta641 * r7); + t0 = mldsa_mont_red((sword64)zeta640 * r2); + t1 = mldsa_mont_red((sword64)zeta640 * r3); + t2 = mldsa_mont_red((sword64)zeta641 * r6); + t3 = mldsa_mont_red((sword64)zeta641 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; 
@@ -5958,10 +5965,10 @@ static void dilithium_ntt_c(sword32* r) sword32 r6 = r[j + i + 48]; sword32 r7 = r[j + i + 56]; - t0 = dilithium_mont_red((sword64)zeta32 * r4); - t1 = dilithium_mont_red((sword64)zeta32 * r5); - t2 = dilithium_mont_red((sword64)zeta32 * r6); - t3 = dilithium_mont_red((sword64)zeta32 * r7); + t0 = mldsa_mont_red((sword64)zeta32 * r4); + t1 = mldsa_mont_red((sword64)zeta32 * r5); + t2 = mldsa_mont_red((sword64)zeta32 * r6); + t3 = mldsa_mont_red((sword64)zeta32 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; @@ -5971,10 +5978,10 @@ static void dilithium_ntt_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta160 * r2); - t1 = dilithium_mont_red((sword64)zeta160 * r3); - t2 = dilithium_mont_red((sword64)zeta161 * r6); - t3 = dilithium_mont_red((sword64)zeta161 * r7); + t0 = mldsa_mont_red((sword64)zeta160 * r2); + t1 = mldsa_mont_red((sword64)zeta160 * r3); + t2 = mldsa_mont_red((sword64)zeta161 * r6); + t3 = mldsa_mont_red((sword64)zeta161 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; @@ -5984,10 +5991,10 @@ static void dilithium_ntt_c(sword32* r) r4 += t2; r5 += t3; - t0 = dilithium_mont_red((sword64)zeta80 * r1); - t1 = dilithium_mont_red((sword64)zeta81 * r3); - t2 = dilithium_mont_red((sword64)zeta82 * r5); - t3 = dilithium_mont_red((sword64)zeta83 * r7); + t0 = mldsa_mont_red((sword64)zeta80 * r1); + t1 = mldsa_mont_red((sword64)zeta81 * r3); + t2 = mldsa_mont_red((sword64)zeta82 * r5); + t3 = mldsa_mont_red((sword64)zeta83 * r7); r1 = r0 - t0; r3 = r2 - t1; r5 = r4 - t2; 
@@ -6022,10 +6029,10 @@ static void dilithium_ntt_c(sword32* r) sword32 r6 = r[j + 6]; sword32 r7 = r[j + 7]; - t0 = dilithium_mont_red((sword64)zeta4 * r4); - t1 = dilithium_mont_red((sword64)zeta4 * r5); - t2 = dilithium_mont_red((sword64)zeta4 * r6); - t3 = dilithium_mont_red((sword64)zeta4 * r7); + t0 = mldsa_mont_red((sword64)zeta4 * r4); + t1 = mldsa_mont_red((sword64)zeta4 * r5); + t2 = mldsa_mont_red((sword64)zeta4 * r6); + t3 = mldsa_mont_red((sword64)zeta4 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; @@ -6035,10 +6042,10 @@ static void dilithium_ntt_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta20 * r2); - t1 = dilithium_mont_red((sword64)zeta20 * r3); - t2 = dilithium_mont_red((sword64)zeta21 * r6); - t3 = dilithium_mont_red((sword64)zeta21 * r7); + t0 = mldsa_mont_red((sword64)zeta20 * r2); + t1 = mldsa_mont_red((sword64)zeta20 * r3); + t2 = mldsa_mont_red((sword64)zeta21 * r6); + t3 = mldsa_mont_red((sword64)zeta21 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; @@ -6048,10 +6055,10 @@ static void dilithium_ntt_c(sword32* r) r4 += t2; r5 += t3; - t0 = dilithium_mont_red((sword64)zetas[k++] * r1); - t1 = dilithium_mont_red((sword64)zetas[k++] * r3); - t2 = dilithium_mont_red((sword64)zetas[k++] * r5); - t3 = dilithium_mont_red((sword64)zetas[k++] * r7); + t0 = mldsa_mont_red((sword64)zetas[k++] * r1); + t1 = mldsa_mont_red((sword64)zetas[k++] * r3); + t2 = mldsa_mont_red((sword64)zetas[k++] * r5); + t3 = mldsa_mont_red((sword64)zetas[k++] * r7); r1 = r0 - t0; r3 = r2 - t1; r5 = r4 - t2; 
@@ -6073,13 +6080,13 @@ static void dilithium_ntt_c(sword32* r) #endif } -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + defined(WC_MLDSA_CACHE_PRIV_VECTORS) /* Number-Theoretic Transform. * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt(sword32* r) +static void mldsa_ntt(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -6089,23 +6096,23 @@ static void dilithium_ntt(sword32* r) else #endif { - dilithium_ntt_c(r); + mldsa_ntt_c(r); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (!defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC))) || \ - (defined(WOLFSSL_DILITHIUM_SMALL) && \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY))) +#if !defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (!defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC))) || \ + (defined(WOLFSSL_MLDSA_SMALL) && \ + (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY))) /* Number-Theoretic Transform. * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt_full(sword32* r) +static void mldsa_ntt_full(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
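Review bot: The gate in front of `mldsa_ntt_full` now tests `defined(WOLFSSL_MLDSA_CHECK_KEY)`, so a build that still defines only `WOLFSSL_DILITHIUM_CHECK_KEY` depends on a legacy-to-new macro mapping that is not visible in this hunk. The macro list in this commit adds `WOLFSSL_NO_DILITHIUM_LEGACY_GATES`, which suggests that mapping can be switched off; if so, an old configuration would presumably lose the key-check code path without any diagnostic. I would add a guard next to the mapping for each opt-in gate, for example `#if defined(WOLFSSL_DILITHIUM_CHECK_KEY) && !defined(WOLFSSL_MLDSA_CHECK_KEY)` followed by `#error "use WOLFSSL_MLDSA_CHECK_KEY"`. The same applies to the `_NO_SIGN`, `_NO_VERIFY`, `_SMALL` and `_SIGN_SMALL_MEM` gates renamed here, in the `@@ -6073,13` hunk and in the later hunks of this file.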
@@ -6115,56 +6122,56 @@ static void dilithium_ntt_full(sword32* r) else #endif { - dilithium_ntt_c(r); + mldsa_ntt_c(r); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (!defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) || \ - defined(WC_DILITHIUM_CACHE_PRIV_VECTORS)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (!defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) || \ + defined(WC_MLDSA_CACHE_PRIV_VECTORS)) /* Number-Theoretic Transform. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -static void dilithium_vec_ntt(sword32* r, byte l) +static void mldsa_vec_ntt(sword32* r, byte l) { unsigned int i; for (i = 0; i < l; i++) { - dilithium_ntt(r); + mldsa_ntt(r); r += DILITHIUM_N; } } #endif #endif -#if (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (!defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC)))) || \ - (defined(WOLFSSL_DILITHIUM_SMALL) && \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY))) +#if (!defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (!defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC)))) || \ + (defined(WOLFSSL_MLDSA_SMALL) && \ + (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY))) /* Number-Theoretic Transform. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -static void dilithium_vec_ntt_full(sword32* r, byte l) +static void mldsa_vec_ntt_full(sword32* r, byte l) { unsigned int i; for (i = 0; i < l; i++) { - dilithium_ntt_full(r); + mldsa_ntt_full(r); r += DILITHIUM_N; } } #endif -#ifndef WOLFSSL_DILITHIUM_SMALL +#ifndef WOLFSSL_MLDSA_SMALL /* Zeta index value 1 not in montgomery form. 
*/ #define DILITHIUM_NTT_ZETA_1 ((sword32)-3572223) @@ -6173,16 +6180,16 @@ static void dilithium_vec_ntt_full(sword32* r, byte l) * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt_small_c(sword32* r) +static void mldsa_ntt_small_c(sword32* r) { unsigned int k; unsigned int j; -#ifdef WOLFSSL_DILITHIUM_NO_LARGE_CODE +#ifdef WOLFSSL_MLDSA_NO_LARGE_CODE unsigned int start; sword32 zeta; for (j = 0; j < DILITHIUM_N / 2; ++j) { - sword32 t = dilithium_red(DILITHIUM_NTT_ZETA_1 * + sword32 t = mldsa_red(DILITHIUM_NTT_ZETA_1 * r[j + DILITHIUM_N / 2]); sword32 rj = r[j]; r[j + DILITHIUM_N / 2] = rj - t; @@ -6198,7 +6205,7 @@ static void dilithium_ntt_small_c(sword32* r) NTT(2); for (j = 0; j < DILITHIUM_N; j += 2) { - sword32 t = dilithium_mont_red((sword64)zetas[++k] * r[j + 1]); + sword32 t = mldsa_mont_red((sword64)zetas[++k] * r[j + 1]); sword32 rj = r[j]; r[j + 1] = rj - t; r[j] = rj + t; @@ -6215,15 +6222,15 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r4 = r[j + 128]; sword32 r6 = r[j + 192]; - t0 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r4); - t2 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r6); + t0 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r4); + t2 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta640 * r2); - t2 = dilithium_mont_red((sword64)zeta641 * r6); + t0 = mldsa_mont_red((sword64)zeta640 * r2); + t2 = mldsa_mont_red((sword64)zeta641 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; 
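Review bot: `mldsa_red(DILITHIUM_NTT_ZETA_1 * r[j + DILITHIUM_N / 2])` multiplies two `sword32` values without the `(sword64)` widening that every `mldsa_mont_red` call in this function uses. Assuming `sword32` is a 32-bit signed type, the product stays in range only while the coefficient is small, roughly |r[i]| <= 601 for this constant; beyond that it is signed overflow. The header comment of `mldsa_ntt_small_c` documents only "Polynomial to transform", so I would state the precondition there: `/* r[] must hold small coefficients: DILITHIUM_NTT_ZETA_1 * r[i] is computed in 32 bits. */`. The same 32-bit product appears in the `@@ -6215,15` and `@@ -6343,10` hunks. The function body starts and ends outside this hunk, and the definition of `mldsa_red` is not shown.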
@@ -6246,15 +6253,15 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r4 = r[j + i + 32]; sword32 r6 = r[j + i + 48]; - t0 = dilithium_mont_red((sword64)zeta32 * r4); - t2 = dilithium_mont_red((sword64)zeta32 * r6); + t0 = mldsa_mont_red((sword64)zeta32 * r4); + t2 = mldsa_mont_red((sword64)zeta32 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta160 * r2); - t2 = dilithium_mont_red((sword64)zeta161 * r6); + t0 = mldsa_mont_red((sword64)zeta160 * r2); + t2 = mldsa_mont_red((sword64)zeta161 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; @@ -6278,15 +6285,15 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r4 = r[j + i + 8]; sword32 r6 = r[j + i + 12]; - t0 = dilithium_mont_red((sword64)zeta8 * r4); - t2 = dilithium_mont_red((sword64)zeta8 * r6); + t0 = mldsa_mont_red((sword64)zeta8 * r4); + t2 = mldsa_mont_red((sword64)zeta8 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zeta40 * r2); - t2 = dilithium_mont_red((sword64)zeta41 * r6); + t0 = mldsa_mont_red((sword64)zeta40 * r2); + t2 = mldsa_mont_red((sword64)zeta41 * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; @@ -6307,15 +6314,15 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r4 = r[j + 2]; sword32 r6 = r[j + 3]; - t0 = dilithium_mont_red((sword64)zeta2 * r4); - t2 = dilithium_mont_red((sword64)zeta2 * r6); + t0 = mldsa_mont_red((sword64)zeta2 * r4); + t2 = mldsa_mont_red((sword64)zeta2 * r6); r4 = r0 - t0; r6 = r2 - t2; r0 += t0; r2 += t2; - t0 = dilithium_mont_red((sword64)zetas[k++] * r2); - t2 = dilithium_mont_red((sword64)zetas[k++] * r6); + t0 = mldsa_mont_red((sword64)zetas[k++] * r2); + t2 = mldsa_mont_red((sword64)zetas[k++] * r6); r2 = r0 - t0; r6 = r4 - t2; r0 += t0; 
@@ -6343,10 +6350,10 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r6 = r[j + 192]; sword32 r7 = r[j + 224]; - t0 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r4); - t1 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r5); - t2 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r6); - t3 = dilithium_red(DILITHIUM_NTT_ZETA_1 * r7); + t0 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r4); + t1 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r5); + t2 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r6); + t3 = mldsa_red(DILITHIUM_NTT_ZETA_1 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; @@ -6356,10 +6363,10 @@ static void dilithium_ntt_small_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta640 * r2); - t1 = dilithium_mont_red((sword64)zeta640 * r3); - t2 = dilithium_mont_red((sword64)zeta641 * r6); - t3 = dilithium_mont_red((sword64)zeta641 * r7); + t0 = mldsa_mont_red((sword64)zeta640 * r2); + t1 = mldsa_mont_red((sword64)zeta640 * r3); + t2 = mldsa_mont_red((sword64)zeta641 * r6); + t3 = mldsa_mont_red((sword64)zeta641 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; @@ -6398,10 +6405,10 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r6 = r[j + i + 48]; sword32 r7 = r[j + i + 56]; - t0 = dilithium_mont_red((sword64)zeta32 * r4); - t1 = dilithium_mont_red((sword64)zeta32 * r5); - t2 = dilithium_mont_red((sword64)zeta32 * r6); - t3 = dilithium_mont_red((sword64)zeta32 * r7); + t0 = mldsa_mont_red((sword64)zeta32 * r4); + t1 = mldsa_mont_red((sword64)zeta32 * r5); + t2 = mldsa_mont_red((sword64)zeta32 * r6); + t3 = mldsa_mont_red((sword64)zeta32 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; 
@@ -6411,10 +6418,10 @@ static void dilithium_ntt_small_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta160 * r2); - t1 = dilithium_mont_red((sword64)zeta160 * r3); - t2 = dilithium_mont_red((sword64)zeta161 * r6); - t3 = dilithium_mont_red((sword64)zeta161 * r7); + t0 = mldsa_mont_red((sword64)zeta160 * r2); + t1 = mldsa_mont_red((sword64)zeta160 * r3); + t2 = mldsa_mont_red((sword64)zeta161 * r6); + t3 = mldsa_mont_red((sword64)zeta161 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; @@ -6424,10 +6431,10 @@ static void dilithium_ntt_small_c(sword32* r) r4 += t2; r5 += t3; - t0 = dilithium_mont_red((sword64)zeta80 * r1); - t1 = dilithium_mont_red((sword64)zeta81 * r3); - t2 = dilithium_mont_red((sword64)zeta82 * r5); - t3 = dilithium_mont_red((sword64)zeta83 * r7); + t0 = mldsa_mont_red((sword64)zeta80 * r1); + t1 = mldsa_mont_red((sword64)zeta81 * r3); + t2 = mldsa_mont_red((sword64)zeta82 * r5); + t3 = mldsa_mont_red((sword64)zeta83 * r7); r1 = r0 - t0; r3 = r2 - t1; r5 = r4 - t2; @@ -6462,10 +6469,10 @@ static void dilithium_ntt_small_c(sword32* r) sword32 r6 = r[j + 6]; sword32 r7 = r[j + 7]; - t0 = dilithium_mont_red((sword64)zeta4 * r4); - t1 = dilithium_mont_red((sword64)zeta4 * r5); - t2 = dilithium_mont_red((sword64)zeta4 * r6); - t3 = dilithium_mont_red((sword64)zeta4 * r7); + t0 = mldsa_mont_red((sword64)zeta4 * r4); + t1 = mldsa_mont_red((sword64)zeta4 * r5); + t2 = mldsa_mont_red((sword64)zeta4 * r6); + t3 = mldsa_mont_red((sword64)zeta4 * r7); r4 = r0 - t0; r5 = r1 - t1; r6 = r2 - t2; 
@@ -6475,10 +6482,10 @@ static void dilithium_ntt_small_c(sword32* r) r2 += t2; r3 += t3; - t0 = dilithium_mont_red((sword64)zeta20 * r2); - t1 = dilithium_mont_red((sword64)zeta20 * r3); - t2 = dilithium_mont_red((sword64)zeta21 * r6); - t3 = dilithium_mont_red((sword64)zeta21 * r7); + t0 = mldsa_mont_red((sword64)zeta20 * r2); + t1 = mldsa_mont_red((sword64)zeta20 * r3); + t2 = mldsa_mont_red((sword64)zeta21 * r6); + t3 = mldsa_mont_red((sword64)zeta21 * r7); r2 = r0 - t0; r3 = r1 - t1; r6 = r4 - t2; @@ -6488,10 +6495,10 @@ static void dilithium_ntt_small_c(sword32* r) r4 += t2; r5 += t3; - t0 = dilithium_mont_red((sword64)zetas[k++] * r1); - t1 = dilithium_mont_red((sword64)zetas[k++] * r3); - t2 = dilithium_mont_red((sword64)zetas[k++] * r5); - t3 = dilithium_mont_red((sword64)zetas[k++] * r7); + t0 = mldsa_mont_red((sword64)zetas[k++] * r1); + t1 = mldsa_mont_red((sword64)zetas[k++] * r3); + t2 = mldsa_mont_red((sword64)zetas[k++] * r5); + t3 = mldsa_mont_red((sword64)zetas[k++] * r7); r1 = r0 - t0; r3 = r2 - t1; r5 = r4 - t2; @@ -6513,13 +6520,13 @@ static void dilithium_ntt_small_c(sword32* r) #endif } -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + defined(WC_MLDSA_CACHE_PRIV_VECTORS) /* Number-Theoretic Transform. * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt_small(sword32* r) +static void mldsa_ntt_small(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -6529,19 +6536,19 @@ static void dilithium_ntt_small(sword32* r) else #endif { - dilithium_ntt_small_c(r); + mldsa_ntt_small_c(r); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - !defined(WOLFSSL_DILITHIUM_NO_VERIFY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + !defined(WOLFSSL_MLDSA_NO_VERIFY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) /* Number-Theoretic Transform. * * @param [in, out] r Polynomial to transform. */ -static void dilithium_ntt_small_full(sword32* r) +static void mldsa_ntt_small_full(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -6551,44 +6558,44 @@ static void dilithium_ntt_small_full(sword32* r) else #endif { - dilithium_ntt_small_c(r); + mldsa_ntt_small_c(r); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - (!defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) || \ - defined(WC_DILITHIUM_CACHE_PRIV_VECTORS)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) && \ + (!defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) || \ + defined(WC_MLDSA_CACHE_PRIV_VECTORS)) /* Number-Theoretic Transform with small initial values. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -static void dilithium_vec_ntt_small(sword32* r, byte l) +static void mldsa_vec_ntt_small(sword32* r, byte l) { unsigned int i; for (i = 0; i < l; i++) { - dilithium_ntt_small(r); + mldsa_ntt_small(r); r += DILITHIUM_N; } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) /* Number-Theoretic Transform with small initial values. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -static void dilithium_vec_ntt_small_full(sword32* r, byte l) +static void mldsa_vec_ntt_small_full(sword32* r, byte l) { unsigned int i; for (i = 0; i < l; i++) { - dilithium_ntt_small_full(r); + mldsa_ntt_small_full(r); r += DILITHIUM_N; } } 
@@ -6600,27 +6607,27 @@ static void dilithium_vec_ntt_small_full(sword32* r, byte l) * * @param [in, out] r Polynomial to transform. */ -#define dilithium_ntt_small dilithium_ntt +#define mldsa_ntt_small mldsa_ntt /* Number-Theoretic Transform with small initial values. * * @param [in, out] r Polynomial to transform. */ -#define dilithium_ntt_small_full dilithium_ntt_full +#define mldsa_ntt_small_full mldsa_ntt_full /* Number-Theoretic Transform with small initial values. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -#define dilithium_vec_ntt_small dilithium_vec_ntt +#define mldsa_vec_ntt_small mldsa_vec_ntt /* Number-Theoretic Transform with small initial values. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -#define dilithium_vec_ntt_small_full dilithium_vec_ntt_full +#define mldsa_vec_ntt_small_full mldsa_vec_ntt_full -#endif /* WOLFSSL_DILITHIUM_SMALL */ +#endif /* WOLFSSL_MLDSA_SMALL */ /* One iteration of Inverse Number-Theoretic Transform. @@ -6637,7 +6644,7 @@ do { \ sword32 t = rj + rjl; \ r[start + j] = t; \ rjl = rj - rjl; \ - r[start + j + (len)] = dilithium_mont_red((sword64)zeta * rjl); \ + r[start + j + (len)] = mldsa_mont_red((sword64)zeta * rjl); \ } \ } \ } \ @@ -6647,9 +6654,9 @@ while (0) * * @param [in, out] r Polynomial to transform. */ -static void dilithium_invntt_c(sword32* r) +static void mldsa_invntt_c(sword32* r) { -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL unsigned int len; unsigned int k; unsigned int j; 
@@ -6666,16 +6673,16 @@ static void dilithium_invntt_c(sword32* r) sword32 t = rj + rjl; r[j] = t; rjl = rj - rjl; - r[j + len] = dilithium_mont_red((sword64)zeta * rjl); + r[j + len] = mldsa_mont_red((sword64)zeta * rjl); } } } zeta = -zetas[0]; for (j = 0; j < DILITHIUM_N; ++j) { - r[j] = dilithium_mont_red((sword64)zeta * r[j]); + r[j] = mldsa_mont_red((sword64)zeta * r[j]); } -#elif defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) +#elif defined(WOLFSSL_MLDSA_NO_LARGE_CODE) unsigned int j; unsigned int k = 0; unsigned int start; @@ -6687,7 +6694,7 @@ static void dilithium_invntt_c(sword32* r) sword32 t = rj + rjl; r[j] = t; rjl = rj - rjl; - r[j + 1] = dilithium_mont_red((sword64)zetas_inv[k++] * rjl); + r[j + 1] = mldsa_mont_red((sword64)zetas_inv[k++] * rjl); } INVNTT(2); @@ -6700,7 +6707,7 @@ static void dilithium_invntt_c(sword32* r) zeta = zetas_inv[255]; for (j = 0; j < DILITHIUM_N; ++j) { - r[j] = dilithium_mont_red((sword64)zeta * r[j]); + r[j] = mldsa_mont_red((sword64)zeta * r[j]); } #elif defined(WC_32BIT_CPU) unsigned int j; @@ -6719,15 +6726,15 @@ static void dilithium_invntt_c(sword32* r) sword32 r4 = r[j + 2]; sword32 r6 = r[j + 3]; - t0 = dilithium_mont_red((sword64)zetas_inv[k++] * (r0 - r2)); - t2 = dilithium_mont_red((sword64)zetas_inv[k++] * (r4 - r6)); + t0 = mldsa_mont_red((sword64)zetas_inv[k++] * (r0 - r2)); + t2 = mldsa_mont_red((sword64)zetas_inv[k++] * (r4 - r6)); r0 += r2; r4 += r6; r2 = t0; r6 = t2; - t0 = dilithium_mont_red((sword64)zeta2 * (r0 - r4)); - t2 = dilithium_mont_red((sword64)zeta2 * (r2 - r6)); + t0 = mldsa_mont_red((sword64)zeta2 * (r0 - r4)); + t2 = mldsa_mont_red((sword64)zeta2 * (r2 - r6)); r0 += r4; r2 += r6; r4 = t0; 
@@ -6750,15 +6757,15 @@ static void dilithium_invntt_c(sword32* r) sword32 r4 = r[j + i + 8]; sword32 r6 = r[j + i + 12]; - t0 = dilithium_mont_red((sword64)zeta40 * (r0 - r2)); - t2 = dilithium_mont_red((sword64)zeta41 * (r4 - r6)); + t0 = mldsa_mont_red((sword64)zeta40 * (r0 - r2)); + t2 = mldsa_mont_red((sword64)zeta41 * (r4 - r6)); r0 += r2; r4 += r6; r2 = t0; r6 = t2; - t0 = dilithium_mont_red((sword64)zeta8 * (r0 - r4)); - t2 = dilithium_mont_red((sword64)zeta8 * (r2 - r6)); + t0 = mldsa_mont_red((sword64)zeta8 * (r0 - r4)); + t2 = mldsa_mont_red((sword64)zeta8 * (r2 - r6)); r0 += r4; r2 += r6; r4 = t0; @@ -6782,15 +6789,15 @@ static void dilithium_invntt_c(sword32* r) sword32 r4 = r[j + i + 32]; sword32 r6 = r[j + i + 48]; - t0 = dilithium_mont_red((sword64)zeta160 * (r0 - r2)); - t2 = dilithium_mont_red((sword64)zeta161 * (r4 - r6)); + t0 = mldsa_mont_red((sword64)zeta160 * (r0 - r2)); + t2 = mldsa_mont_red((sword64)zeta161 * (r4 - r6)); r0 += r2; r4 += r6; r2 = t0; r6 = t2; - t0 = dilithium_mont_red((sword64)zeta32 * (r0 - r4)); - t2 = dilithium_mont_red((sword64)zeta32 * (r2 - r6)); + t0 = mldsa_mont_red((sword64)zeta32 * (r0 - r4)); + t2 = mldsa_mont_red((sword64)zeta32 * (r2 - r6)); r0 += r4; r2 += r6; r4 = t0; 
@@ -6813,24 +6820,24 @@ static void dilithium_invntt_c(sword32* r) sword32 r4 = r[j + 128]; sword32 r6 = r[j + 192]; - t0 = dilithium_mont_red((sword64)zeta640 * (r0 - r2)); - t2 = dilithium_mont_red((sword64)zeta641 * (r4 - r6)); + t0 = mldsa_mont_red((sword64)zeta640 * (r0 - r2)); + t2 = mldsa_mont_red((sword64)zeta641 * (r4 - r6)); r0 += r2; r4 += r6; r2 = t0; r6 = t2; - t0 = dilithium_mont_red((sword64)zeta128 * (r0 - r4)); - t2 = dilithium_mont_red((sword64)zeta128 * (r2 - r6)); + t0 = mldsa_mont_red((sword64)zeta128 * (r0 - r4)); + t2 = mldsa_mont_red((sword64)zeta128 * (r2 - r6)); r0 += r4; r2 += r6; r4 = t0; r6 = t2; - r0 = dilithium_mont_red((sword64)zeta256 * r0); - r2 = dilithium_mont_red((sword64)zeta256 * r2); - r4 = dilithium_mont_red((sword64)zeta256 * r4); - r6 = dilithium_mont_red((sword64)zeta256 * r6); + r0 = mldsa_mont_red((sword64)zeta256 * r0); + r2 = mldsa_mont_red((sword64)zeta256 * r2); + r4 = mldsa_mont_red((sword64)zeta256 * r4); + r6 = mldsa_mont_red((sword64)zeta256 * r6); r[j + 0] = r0; r[j + 64] = r2; @@ -6862,10 +6869,10 @@ static void dilithium_invntt_c(sword32* r) sword32 r6 = r[j + 6]; sword32 r7 = r[j + 7]; - t0 = dilithium_mont_red((sword64)zetas_inv[k++] * (r0 - r1)); - t1 = dilithium_mont_red((sword64)zetas_inv[k++] * (r2 - r3)); - t2 = dilithium_mont_red((sword64)zetas_inv[k++] * (r4 - r5)); - t3 = dilithium_mont_red((sword64)zetas_inv[k++] * (r6 - r7)); + t0 = mldsa_mont_red((sword64)zetas_inv[k++] * (r0 - r1)); + t1 = mldsa_mont_red((sword64)zetas_inv[k++] * (r2 - r3)); + t2 = mldsa_mont_red((sword64)zetas_inv[k++] * (r4 - r5)); + t3 = mldsa_mont_red((sword64)zetas_inv[k++] * (r6 - r7)); r0 += r1; r2 += r3; r4 += r5; 
@@ -6875,10 +6882,10 @@ static void dilithium_invntt_c(sword32* r) r5 = t2; r7 = t3; - t0 = dilithium_mont_red((sword64)zeta20 * (r0 - r2)); - t1 = dilithium_mont_red((sword64)zeta20 * (r1 - r3)); - t2 = dilithium_mont_red((sword64)zeta21 * (r4 - r6)); - t3 = dilithium_mont_red((sword64)zeta21 * (r5 - r7)); + t0 = mldsa_mont_red((sword64)zeta20 * (r0 - r2)); + t1 = mldsa_mont_red((sword64)zeta20 * (r1 - r3)); + t2 = mldsa_mont_red((sword64)zeta21 * (r4 - r6)); + t3 = mldsa_mont_red((sword64)zeta21 * (r5 - r7)); r0 += r2; r1 += r3; r4 += r6; @@ -6888,10 +6895,10 @@ static void dilithium_invntt_c(sword32* r) r6 = t2; r7 = t3; - t0 = dilithium_mont_red((sword64)zeta4 * (r0 - r4)); - t1 = dilithium_mont_red((sword64)zeta4 * (r1 - r5)); - t2 = dilithium_mont_red((sword64)zeta4 * (r2 - r6)); - t3 = dilithium_mont_red((sword64)zeta4 * (r3 - r7)); + t0 = mldsa_mont_red((sword64)zeta4 * (r0 - r4)); + t1 = mldsa_mont_red((sword64)zeta4 * (r1 - r5)); + t2 = mldsa_mont_red((sword64)zeta4 * (r2 - r6)); + t3 = mldsa_mont_red((sword64)zeta4 * (r3 - r7)); r0 += r4; r1 += r5; r2 += r6; @@ -6930,10 +6937,10 @@ static void dilithium_invntt_c(sword32* r) sword32 r6 = r[j + i + 48]; sword32 r7 = r[j + i + 56]; - t0 = dilithium_mont_red((sword64)zeta80 * (r0 - r1)); - t1 = dilithium_mont_red((sword64)zeta81 * (r2 - r3)); - t2 = dilithium_mont_red((sword64)zeta82 * (r4 - r5)); - t3 = dilithium_mont_red((sword64)zeta83 * (r6 - r7)); + t0 = mldsa_mont_red((sword64)zeta80 * (r0 - r1)); + t1 = mldsa_mont_red((sword64)zeta81 * (r2 - r3)); + t2 = mldsa_mont_red((sword64)zeta82 * (r4 - r5)); + t3 = mldsa_mont_red((sword64)zeta83 * (r6 - r7)); r0 += r1; r2 += r3; r4 += r5; 
@@ -6943,10 +6950,10 @@ static void dilithium_invntt_c(sword32* r) r5 = t2; r7 = t3; - t0 = dilithium_mont_red((sword64)zeta160 * (r0 - r2)); - t1 = dilithium_mont_red((sword64)zeta160 * (r1 - r3)); - t2 = dilithium_mont_red((sword64)zeta161 * (r4 - r6)); - t3 = dilithium_mont_red((sword64)zeta161 * (r5 - r7)); + t0 = mldsa_mont_red((sword64)zeta160 * (r0 - r2)); + t1 = mldsa_mont_red((sword64)zeta160 * (r1 - r3)); + t2 = mldsa_mont_red((sword64)zeta161 * (r4 - r6)); + t3 = mldsa_mont_red((sword64)zeta161 * (r5 - r7)); r0 += r2; r1 += r3; r4 += r6; @@ -6956,10 +6963,10 @@ static void dilithium_invntt_c(sword32* r) r6 = t2; r7 = t3; - t0 = dilithium_mont_red((sword64)zeta32 * (r0 - r4)); - t1 = dilithium_mont_red((sword64)zeta32 * (r1 - r5)); - t2 = dilithium_mont_red((sword64)zeta32 * (r2 - r6)); - t3 = dilithium_mont_red((sword64)zeta32 * (r3 - r7)); + t0 = mldsa_mont_red((sword64)zeta32 * (r0 - r4)); + t1 = mldsa_mont_red((sword64)zeta32 * (r1 - r5)); + t2 = mldsa_mont_red((sword64)zeta32 * (r2 - r6)); + t3 = mldsa_mont_red((sword64)zeta32 * (r3 - r7)); r0 += r4; r1 += r5; r2 += r6; @@ -6994,10 +7001,10 @@ static void dilithium_invntt_c(sword32* r) sword32 r6 = r[j + 192]; sword32 r7 = r[j + 224]; - t0 = dilithium_mont_red((sword64)zeta640 * (r0 - r2)); - t1 = dilithium_mont_red((sword64)zeta640 * (r1 - r3)); - t2 = dilithium_mont_red((sword64)zeta641 * (r4 - r6)); - t3 = dilithium_mont_red((sword64)zeta641 * (r5 - r7)); + t0 = mldsa_mont_red((sword64)zeta640 * (r0 - r2)); + t1 = mldsa_mont_red((sword64)zeta640 * (r1 - r3)); + t2 = mldsa_mont_red((sword64)zeta641 * (r4 - r6)); + t3 = mldsa_mont_red((sword64)zeta641 * (r5 - r7)); r0 += r2; r1 += r3; r4 += r6; 
@@ -7007,10 +7014,10 @@ static void dilithium_invntt_c(sword32* r) r6 = t2; r7 = t3; - t0 = dilithium_mont_red((sword64)zeta128 * (r0 - r4)); - t1 = dilithium_mont_red((sword64)zeta128 * (r1 - r5)); - t2 = dilithium_mont_red((sword64)zeta128 * (r2 - r6)); - t3 = dilithium_mont_red((sword64)zeta128 * (r3 - r7)); + t0 = mldsa_mont_red((sword64)zeta128 * (r0 - r4)); + t1 = mldsa_mont_red((sword64)zeta128 * (r1 - r5)); + t2 = mldsa_mont_red((sword64)zeta128 * (r2 - r6)); + t3 = mldsa_mont_red((sword64)zeta128 * (r3 - r7)); r0 += r4; r1 += r5; r2 += r6; @@ -7020,14 +7027,14 @@ static void dilithium_invntt_c(sword32* r) r6 = t2; r7 = t3; - r0 = dilithium_mont_red((sword64)zeta256 * r0); - r1 = dilithium_mont_red((sword64)zeta256 * r1); - r2 = dilithium_mont_red((sword64)zeta256 * r2); - r3 = dilithium_mont_red((sword64)zeta256 * r3); - r4 = dilithium_mont_red((sword64)zeta256 * r4); - r5 = dilithium_mont_red((sword64)zeta256 * r5); - r6 = dilithium_mont_red((sword64)zeta256 * r6); - r7 = dilithium_mont_red((sword64)zeta256 * r7); + r0 = mldsa_mont_red((sword64)zeta256 * r0); + r1 = mldsa_mont_red((sword64)zeta256 * r1); + r2 = mldsa_mont_red((sword64)zeta256 * r2); + r3 = mldsa_mont_red((sword64)zeta256 * r3); + r4 = mldsa_mont_red((sword64)zeta256 * r4); + r5 = mldsa_mont_red((sword64)zeta256 * r5); + r6 = mldsa_mont_red((sword64)zeta256 * r6); + r7 = mldsa_mont_red((sword64)zeta256 * r7); r[j + 0] = r0; r[j + 32] = r1; @@ -7041,12 +7048,12 @@ static void dilithium_invntt_c(sword32* r) #endif } -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) /* Inverse Number-Theoretic Transform. * * @param [in, out] r Polynomial to transform. */ -static void dilithium_invntt(sword32* r) +static void mldsa_invntt(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -7056,7 +7063,7 @@ static void dilithium_invntt(sword32* r) else #endif { - dilithium_invntt_c(r); + mldsa_invntt_c(r); } } #endif 
@@ -7065,7 +7072,7 @@ static void dilithium_invntt(sword32* r) * * @param [in, out] r Polynomial to transform. */ -static void dilithium_invntt_full(sword32* r) +static void mldsa_invntt_full(sword32* r) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -7075,38 +7082,38 @@ static void dilithium_invntt_full(sword32* r) else #endif { - dilithium_invntt_c(r); + mldsa_invntt_c(r); } } -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Inverse Number-Theoretic Transform. * * @param [in, out] r Vector of polynomials to transform. * @param [in] l Dimension of polynomial. */ -static void dilithium_vec_invntt_full(sword32* r, byte l) +static void mldsa_vec_invntt_full(sword32* r, byte l) { unsigned int i; for (i = 0; i < l; i++) { - dilithium_invntt_full(r); + mldsa_invntt_full(r); r += DILITHIUM_N; } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Matrix multiplication. * * @param [out] r Vector of polynomials that is result. 
@@ -7115,7 +7122,7 @@ static void dilithium_vec_invntt_full(sword32* r, byte l) * @param [in] k First dimension of matrix and dimension of result. * @param [in] l Second dimension of matrix and dimension of v. */ -static void dilithium_matrix_mul_c(sword32* r, const sword32* m, +static void mldsa_matrix_mul_c(sword32* r, const sword32* m, const sword32* v, byte k, byte l) { byte i; @@ -7125,20 +7132,20 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, unsigned int e; const sword32* vt = v; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - r[e] = dilithium_mont_red((sword64)m[e] * vt[e]); + r[e] = mldsa_mont_red((sword64)m[e] * vt[e]); } m += DILITHIUM_N; vt += DILITHIUM_N; for (j = 1; j < l; j++) { for (e = 0; e < DILITHIUM_N; e++) { - r[e] += dilithium_mont_red((sword64)m[e] * vt[e]); + r[e] += mldsa_mont_red((sword64)m[e] * vt[e]); } m += DILITHIUM_N; vt += DILITHIUM_N; } -#elif defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) +#elif defined(WOLFSSL_MLDSA_NO_LARGE_CODE) (void)j; if (l == 4) { for (e = 0; e < DILITHIUM_N; e++) { @@ -7146,7 +7153,7 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 1 * 256] * vt[e + 1 * 256]) + ((sword64)m[e + 2 * 256] * vt[e + 2 * 256]) + ((sword64)m[e + 3 * 256] * vt[e + 3 * 256]); - r[e] = dilithium_mont_red(t); + r[e] = mldsa_mont_red(t); } m += DILITHIUM_N * 4; } @@ -7157,7 +7164,7 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 2 * 256] * vt[e + 2 * 256]) + ((sword64)m[e + 3 * 256] * vt[e + 3 * 256]) + ((sword64)m[e + 4 * 256] * vt[e + 4 * 256]); - r[e] = dilithium_mont_red(t); + r[e] = mldsa_mont_red(t); } m += DILITHIUM_N * 5; } 
@@ -7170,7 +7177,7 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 4 * 256] * vt[e + 4 * 256]) + ((sword64)m[e + 5 * 256] * vt[e + 5 * 256]) + ((sword64)m[e + 6 * 256] * vt[e + 6 * 256]); - r[e] = dilithium_mont_red(t); + r[e] = mldsa_mont_red(t); } m += DILITHIUM_N * 7; } @@ -7202,10 +7209,10 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 3 + 1 * 256] * vt[e + 3 + 1 * 256]) + ((sword64)m[e + 3 + 2 * 256] * vt[e + 3 + 2 * 256]) + ((sword64)m[e + 3 + 3 * 256] * vt[e + 3 + 3 * 256]); - r[e + 0] = dilithium_mont_red(t0); - r[e + 1] = dilithium_mont_red(t1); - r[e + 2] = dilithium_mont_red(t2); - r[e + 3] = dilithium_mont_red(t3); + r[e + 0] = mldsa_mont_red(t0); + r[e + 1] = mldsa_mont_red(t1); + r[e + 2] = mldsa_mont_red(t2); + r[e + 3] = mldsa_mont_red(t3); } m += DILITHIUM_N * 4; } @@ -7233,10 +7240,10 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 3 + 2 * 256] * vt[e + 3 + 2 * 256]) + ((sword64)m[e + 3 + 3 * 256] * vt[e + 3 + 3 * 256]) + ((sword64)m[e + 3 + 4 * 256] * vt[e + 3 + 4 * 256]); - r[e + 0] = dilithium_mont_red(t0); - r[e + 1] = dilithium_mont_red(t1); - r[e + 2] = dilithium_mont_red(t2); - r[e + 3] = dilithium_mont_red(t3); + r[e + 0] = mldsa_mont_red(t0); + r[e + 1] = mldsa_mont_red(t1); + r[e + 2] = mldsa_mont_red(t2); + r[e + 3] = mldsa_mont_red(t3); } m += DILITHIUM_N * 5; } @@ -7258,8 +7265,8 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, ((sword64)m[e + 1 + 4 * 256] * vt[e + 1 + 4 * 256]) + ((sword64)m[e + 1 + 5 * 256] * vt[e + 1 + 5 * 256]) + ((sword64)m[e + 1 + 6 * 256] * vt[e + 1 + 6 * 256]); - r[e + 0] = dilithium_mont_red(t0); - r[e + 1] = dilithium_mont_red(t1); + r[e + 0] = mldsa_mont_red(t0); + r[e + 1] = mldsa_mont_red(t1); } m += DILITHIUM_N * 7; } 
@@ -7277,7 +7284,7 @@ static void dilithium_matrix_mul_c(sword32* r, const sword32* m, * @param [in] k First dimension of matrix and dimension of result. * @param [in] l Second dimension of matrix and dimension of v. */ -static void dilithium_matrix_mul(sword32* r, const sword32* m, const sword32* v, +static void mldsa_matrix_mul(sword32* r, const sword32* m, const sword32* v, byte k, byte l) { #ifdef USE_INTEL_SPEEDUP 
@@ -7309,68 +7316,68 @@ static void dilithium_matrix_mul(sword32* r, const sword32* m, const sword32* v, else #endif { - dilithium_matrix_mul_c(r, m, v, k, l); + mldsa_matrix_mul_c(r, m, v, k, l); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) /* Polynomial multiplication. * * @param [out] r Polynomial result. * @param [in] a Polynomial * @param [in] b Polynomial. */ -static void dilithium_mul_c(sword32* r, sword32* a, sword32* b) +static void mldsa_mul_c(sword32* r, sword32* a, sword32* b) { unsigned int e; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - r[e] = dilithium_mont_red((sword64)a[e] * b[e]); + r[e] = mldsa_mont_red((sword64)a[e] * b[e]); } -#elif defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) +#elif defined(WOLFSSL_MLDSA_NO_LARGE_CODE) for (e = 0; e < DILITHIUM_N; e += 8) { - r[e+0] = dilithium_mont_red((sword64)a[e+0] * b[e+0]); - r[e+1] = dilithium_mont_red((sword64)a[e+1] * b[e+1]); - r[e+2] = dilithium_mont_red((sword64)a[e+2] * b[e+2]); - r[e+3] = dilithium_mont_red((sword64)a[e+3] * b[e+3]); - r[e+4] = dilithium_mont_red((sword64)a[e+4] * b[e+4]); - r[e+5] = dilithium_mont_red((sword64)a[e+5] * b[e+5]); - r[e+6] = dilithium_mont_red((sword64)a[e+6] * b[e+6]); - r[e+7] = dilithium_mont_red((sword64)a[e+7] * b[e+7]); + r[e+0] = mldsa_mont_red((sword64)a[e+0] * b[e+0]); + r[e+1] = mldsa_mont_red((sword64)a[e+1] * b[e+1]); + r[e+2] = mldsa_mont_red((sword64)a[e+2] * b[e+2]); + r[e+3] = mldsa_mont_red((sword64)a[e+3] * b[e+3]); + r[e+4] = mldsa_mont_red((sword64)a[e+4] * b[e+4]); + r[e+5] = mldsa_mont_red((sword64)a[e+5] * b[e+5]); + r[e+6] = mldsa_mont_red((sword64)a[e+6] * b[e+6]); + r[e+7] = mldsa_mont_red((sword64)a[e+7] * b[e+7]); } #else for (e = 0; e < DILITHIUM_N; e += 16) 
{ - r[e+ 0] = dilithium_mont_red((sword64)a[e+ 0] * b[e+ 0]); - r[e+ 1] = dilithium_mont_red((sword64)a[e+ 1] * b[e+ 1]); - r[e+ 2] = dilithium_mont_red((sword64)a[e+ 2] * b[e+ 2]); - r[e+ 3] = dilithium_mont_red((sword64)a[e+ 3] * b[e+ 3]); - r[e+ 4] = dilithium_mont_red((sword64)a[e+ 4] * b[e+ 4]); - r[e+ 5] = dilithium_mont_red((sword64)a[e+ 5] * b[e+ 5]); - r[e+ 6] = dilithium_mont_red((sword64)a[e+ 6] * b[e+ 6]); - r[e+ 7] = dilithium_mont_red((sword64)a[e+ 7] * b[e+ 7]); - r[e+ 8] = dilithium_mont_red((sword64)a[e+ 8] * b[e+ 8]); - r[e+ 9] = dilithium_mont_red((sword64)a[e+ 9] * b[e+ 9]); - r[e+10] = dilithium_mont_red((sword64)a[e+10] * b[e+10]); - r[e+11] = dilithium_mont_red((sword64)a[e+11] * b[e+11]); - r[e+12] = dilithium_mont_red((sword64)a[e+12] * b[e+12]); - r[e+13] = dilithium_mont_red((sword64)a[e+13] * b[e+13]); - r[e+14] = dilithium_mont_red((sword64)a[e+14] * b[e+14]); - r[e+15] = dilithium_mont_red((sword64)a[e+15] * b[e+15]); - } -#endif -} - -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) + r[e+ 0] = mldsa_mont_red((sword64)a[e+ 0] * b[e+ 0]); + r[e+ 1] = mldsa_mont_red((sword64)a[e+ 1] * b[e+ 1]); + r[e+ 2] = mldsa_mont_red((sword64)a[e+ 2] * b[e+ 2]); + r[e+ 3] = mldsa_mont_red((sword64)a[e+ 3] * b[e+ 3]); + r[e+ 4] = mldsa_mont_red((sword64)a[e+ 4] * b[e+ 4]); + r[e+ 5] = mldsa_mont_red((sword64)a[e+ 5] * b[e+ 5]); + r[e+ 6] = mldsa_mont_red((sword64)a[e+ 6] * b[e+ 6]); + r[e+ 7] = mldsa_mont_red((sword64)a[e+ 7] * b[e+ 7]); + r[e+ 8] = mldsa_mont_red((sword64)a[e+ 8] * b[e+ 8]); + r[e+ 9] = mldsa_mont_red((sword64)a[e+ 9] * b[e+ 9]); + r[e+10] = mldsa_mont_red((sword64)a[e+10] * b[e+10]); + r[e+11] = mldsa_mont_red((sword64)a[e+11] * b[e+11]); + r[e+12] = mldsa_mont_red((sword64)a[e+12] * b[e+12]); + r[e+13] = mldsa_mont_red((sword64)a[e+13] * b[e+13]); + r[e+14] = mldsa_mont_red((sword64)a[e+14] * b[e+14]); + r[e+15] = mldsa_mont_red((sword64)a[e+15] * b[e+15]); + } +#endif +} + +#if !defined(WOLFSSL_MLDSA_NO_SIGN) /* Polynomial multiplication. 
* * @param [out] r Polynomial result. * @param [in] a Polynomial * @param [in] b Polynomial. */ -static void dilithium_mul(sword32* r, sword32* a, sword32* b) +static void mldsa_mul(sword32* r, sword32* a, sword32* b) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -7380,13 +7387,13 @@ static void dilithium_mul(sword32* r, sword32* a, sword32* b) else #endif { - dilithium_mul_c(r, a, b); + mldsa_mul_c(r, a, b); } } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) +#if !defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM) /* Vector multiplication. * * @param [out] r Vector of polynomials that is result. @@ -7394,7 +7401,7 @@ static void dilithium_mul(sword32* r, sword32* a, sword32* b) * @param [in] b Vector of polynomials. * @param [in] l Dimension of vectors. */ -static void dilithium_vec_mul(sword32* r, sword32* a, sword32* b, byte l) +static void mldsa_vec_mul(sword32* r, sword32* a, sword32* b, byte l) { byte i; @@ -7411,7 +7418,7 @@ static void dilithium_vec_mul(sword32* r, sword32* a, sword32* b, byte l) #endif { for (i = 0; i < l; i++) { - dilithium_mul_c(r, a, b); + mldsa_mul_c(r, a, b); r += DILITHIUM_N; b += DILITHIUM_N; } 
@@ -7420,33 +7427,33 @@ static void dilithium_vec_mul(sword32* r, sword32* a, sword32* b, byte l) #endif #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (defined(WOLFSSL_DILITHIUM_SMALL) && \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY))) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (defined(WOLFSSL_MLDSA_SMALL) && \ + (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY))) /* Modulo reduce values in polynomial. Range (-2^31)..(2^31-1). * * @param [in, out] a Polynomial. */ -static void dilithium_poly_red_c(sword32* a) +static void mldsa_poly_red_c(sword32* a) { unsigned int j; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (j = 0; j < DILITHIUM_N; j++) { - a[j] = dilithium_red(a[j]); + a[j] = mldsa_red(a[j]); } #else for (j = 0; j < DILITHIUM_N; j += 8) { - a[j+0] = dilithium_red(a[j+0]); - a[j+1] = dilithium_red(a[j+1]); - a[j+2] = dilithium_red(a[j+2]); - a[j+3] = dilithium_red(a[j+3]); - a[j+4] = dilithium_red(a[j+4]); - a[j+5] = dilithium_red(a[j+5]); - a[j+6] = dilithium_red(a[j+6]); - a[j+7] = dilithium_red(a[j+7]); + a[j+0] = mldsa_red(a[j+0]); + a[j+1] = mldsa_red(a[j+1]); + a[j+2] = mldsa_red(a[j+2]); + a[j+3] = mldsa_red(a[j+3]); + a[j+4] = mldsa_red(a[j+4]); + a[j+5] = mldsa_red(a[j+5]); + a[j+6] = mldsa_red(a[j+6]); + a[j+7] = mldsa_red(a[j+7]); } #endif } @@ -7455,7 +7462,7 @@ static void dilithium_poly_red_c(sword32* a) * * @param [in, out] a Polynomial. */ -static void dilithium_poly_red(sword32* a) +static void mldsa_poly_red(sword32* a) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -7465,47 +7472,47 @@ static void dilithium_poly_red(sword32* a) else #endif { - dilithium_poly_red_c(a); + mldsa_poly_red_c(a); } } -#if (defined(WOLFSSL_DILITHIUM_SMALL) && \ - (!defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY))) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if (defined(WOLFSSL_MLDSA_SMALL) && \ + (!defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY))) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Modulo reduce values in polynomials of vector. Range (-2^31)..(2^31-1). * * @param [in, out] a Vector of polynomials. * @param [in] l Dimension of vector. */ -static void dilithium_vec_red(sword32* a, byte l) +static void mldsa_vec_red(sword32* a, byte l) { byte i; for (i = 0; i < l; i++) { - dilithium_poly_red(a); + mldsa_poly_red(a); a += DILITHIUM_N; } } #endif #endif -#if (!defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM))) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) +#if (!defined(WOLFSSL_MLDSA_NO_SIGN) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM))) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) /* Subtract polynomials a from r. r -= a. * * @param [out] r Polynomial to subtract from. * @param [in] a Polynomial to subtract. */ -static void dilithium_sub_c(sword32* r, const sword32* a) +static void mldsa_sub_c(sword32* r, const sword32* a) { unsigned int j; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (j = 0; j < DILITHIUM_N; j++) { r[j] -= a[j]; } 
@@ -7528,7 +7535,7 @@ static void dilithium_sub_c(sword32* r, const sword32* a) * @param [out] r Polynomial to subtract from. * @param [in] a Polynomial to subtract. */ -static void dilithium_sub(sword32* r, const sword32* a) +static void mldsa_sub(sword32* r, const sword32* a) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -7538,25 +7545,25 @@ static void dilithium_sub(sword32* r, const sword32* a) else #endif { - dilithium_sub_c(r, a); + mldsa_sub_c(r, a); } } -#if defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)) +#if defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM)) /* Subtract vector a from r. r -= a. * * @param [out] r Vector of polynomials that is result. * @param [in] a Vector of polynomials to subtract. * @param [in] l Dimension of vectors. */ -static void dilithium_vec_sub(sword32* r, const sword32* a, byte l) +static void mldsa_vec_sub(sword32* r, const sword32* a, byte l) { byte i; for (i = 0; i < l; i++) { - dilithium_sub(r, a); + mldsa_sub(r, a); r += DILITHIUM_N; a += DILITHIUM_N; } @@ -7564,16 +7571,16 @@ static void dilithium_vec_sub(sword32* r, const sword32* a, byte l) #endif #endif -#ifndef WOLFSSL_DILITHIUM_VERIFY_ONLY +#ifndef WOLFSSL_MLDSA_VERIFY_ONLY /* Add polynomials a to r. r += a. * * @param [out] r Polynomial to add to. * @param [in] a Polynomial to add. */ -static void dilithium_add_c(sword32* r, const sword32* a) +static void mldsa_add_c(sword32* r, const sword32* a) { unsigned int j; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (j = 0; j < DILITHIUM_N; j++) { r[j] += a[j]; } 
@@ -7596,7 +7603,7 @@ static void dilithium_add_c(sword32* r, const sword32* a) * @param [out] r Polynomial to add to. * @param [in] a Polynomial to add. */ -static void dilithium_add(sword32* r, const sword32* a) +static void mldsa_add(sword32* r, const sword32* a) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { @@ -7606,26 +7613,26 @@ static void dilithium_add(sword32* r, const sword32* a) else #endif { - dilithium_add_c(r, a); + mldsa_add_c(r, a); } } -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Add vector a to r. r += a. * * @param [out] r Vector of polynomials that is result. * @param [in] a Vector of polynomials to add. * @param [in] l Dimension of vectors. */ -static void dilithium_vec_add(sword32* r, const sword32* a, byte l) +static void mldsa_vec_add(sword32* r, const sword32* a, byte l) { byte i; for (i = 0; i < l; i++) { - dilithium_add(r, a); + mldsa_add(r, a); r += DILITHIUM_N; a += DILITHIUM_N; } @@ -7642,10 +7649,10 @@ static void dilithium_vec_add(sword32* r, const sword32* a, byte l) * * @param [in, out] a Polynomial. */ -static void dilithium_make_pos_c(sword32* a) +static void mldsa_make_pos_c(sword32* a) { unsigned int j; -#ifdef WOLFSSL_DILITHIUM_SMALL +#ifdef WOLFSSL_MLDSA_SMALL for (j = 0; j < DILITHIUM_N; j++) { a[j] += DILITHIUM_POS_OFFSET(a[j]); } @@ -7667,7 +7674,7 @@ static void dilithium_make_pos_c(sword32* a) * * @param [in, out] a Polynomial. */ -static void dilithium_make_pos(sword32* a) +static void mldsa_make_pos(sword32* a) { #ifdef USE_INTEL_SPEEDUP if (IS_INTEL_AVX2(cpuid_flags) && (SAVE_VECTOR_REGISTERS2() == 0)) { 
@@ -7677,35 +7684,35 @@ static void dilithium_make_pos(sword32* a) else #endif { - dilithium_make_pos_c(a); + mldsa_make_pos_c(a); } } -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - defined(WOLFSSL_DILITHIUM_CHECK_KEY) || \ - (!defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM)) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + defined(WOLFSSL_MLDSA_CHECK_KEY) || \ + (!defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM)) /* Make values in polynomials of vector be in positive range. * * @param [in, out] a Vector of polynomials. * @param [in] l Dimension of vector. */ -static void dilithium_vec_make_pos(sword32* a, byte l) +static void mldsa_vec_make_pos(sword32* a, byte l) { byte i; for (i = 0; i < l; i++) { - dilithium_make_pos(a); + mldsa_make_pos(a); a += DILITHIUM_N; } } #endif -#endif /* !WOLFSSL_DILITHIUM_VERIFY_ONLY */ +#endif /* !WOLFSSL_MLDSA_VERIFY_ONLY */ /******************************************************************************/ -#ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY +#ifndef WOLFSSL_MLDSA_NO_MAKE_KEY /* Make a key from a random seed. * @@ -7744,17 +7751,17 @@ static void dilithium_vec_make_pos(sword32* a, byte l) * * Public and private key store in key. * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] seed Seed to hash to generate values. * @return 0 on success. * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) +static int mldsa_make_key_from_seed(MlDsaKey* key, const byte* seed) { -#ifndef WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM +#ifndef WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; sword32* a = NULL; sword32* s1 = NULL; sword32* s2 = NULL; 
@@ -7762,10 +7769,10 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) byte* pub_seed = NULL; byte kl[2]; -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS - ret = dilithium_alloc_priv_buf(key); +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS + ret = mldsa_alloc_priv_buf(key); if (ret == 0) { - ret = dilithium_alloc_pub_buf(key); + ret = mldsa_alloc_pub_buf(key); } #endif @@ -7774,8 +7781,8 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) } /* Allocate memory for large intermediates. */ -#ifdef WC_DILITHIUM_CACHE_MATRIX_A -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A +#ifndef WC_MLDSA_FIXED_ARRAY if (key->a == NULL) { key->a = (sword32*)XMALLOC(params->aSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -7788,8 +7795,8 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) a = key->a; } #endif -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->s1 == NULL)) { key->s1 = (sword32*)XMALLOC(params->aSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -7812,7 +7819,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) unsigned int allocSz; allocSz = (unsigned int)params->s1Sz + params->s2Sz + params->s2Sz; -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A allocSz += params->aSz; #endif @@ -7824,7 +7831,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) else { s2 = s1 + params->s1Sz / sizeof(*s1); t = s2 + params->s2Sz / sizeof(*s2); -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A a = t + params->s2Sz / sizeof(*t); #endif } 
@@ -7832,12 +7839,12 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) #endif if (ret == 0) { -#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT +#ifdef WOLFSSL_MLDSA_FIPS204_DRAFT if (key->params->level >= WC_ML_DSA_DRAFT) { /* Step 2: Create public seed, private seed and K from seed. * Step 9; Alg 18, Step 1: Public seed is placed into private key. */ - ret = dilithium_shake256(&key->shake, seed, DILITHIUM_SEED_SZ, + ret = mldsa_shake256(&key->shake, seed, DILITHIUM_SEED_SZ, pub_seed, DILITHIUM_SEEDS_SZ); } else @@ -7848,7 +7855,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Step 1: Create public seed, private seed and K from seed. * Step 9; Alg 24, Step 1: Public seed is placed into private key. */ - ret = dilithium_hash256(&key->shake, seed, DILITHIUM_SEED_SZ, kl, 2, + ret = mldsa_hash256(&key->shake, seed, DILITHIUM_SEED_SZ, kl, 2, pub_seed, DILITHIUM_SEEDS_SZ); } } @@ -7857,14 +7864,14 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) XMEMCPY(key->p, pub_seed, DILITHIUM_PUB_SEED_SZ); /* Step 3: Expand public seed into a matrix of polynomials. */ - ret = dilithium_expand_a(&key->shake, pub_seed, params->k, params->l, + ret = mldsa_expand_a(&key->shake, pub_seed, params->k, params->l, a, key->heap); } if (ret == 0) { byte* priv_seed = key->k + DILITHIUM_PUB_SEED_SZ; /* Step 4: Expand private seed into to vectors of polynomials. */ - ret = dilithium_expand_s(&key->shake, priv_seed, params->eta, s1, + ret = mldsa_expand_s(&key->shake, priv_seed, params->eta, s1, params->l, s2, params->k); } if (ret == 0) { 
@@ -7878,59 +7885,59 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Step 9: Move k down to after public seed. */ XMEMCPY(k, k + DILITHIUM_PRIV_SEED_SZ, DILITHIUM_K_SZ); /* Step 9. Alg 24 Steps 2-4: Encode s1 into private key. */ - dilthium_vec_encode_eta_bits(s1, params->l, params->eta, s1p); + mldsa_vec_encode_eta_bits(s1, params->l, params->eta, s1p); /* Step 9. Alg 24 Steps 5-7: Encode s2 into private key. */ - dilthium_vec_encode_eta_bits(s2, params->k, params->eta, s2p); + mldsa_vec_encode_eta_bits(s2, params->k, params->eta, s2p); /* Step 5: t <- NTT-1(A_circum o NTT(s1)) + s2 */ - dilithium_vec_ntt_small_full(s1, params->l); - dilithium_matrix_mul(t, a, s1, params->k, params->l); - #ifdef WOLFSSL_DILITHIUM_SMALL - dilithium_vec_red(t, params->k); + mldsa_vec_ntt_small_full(s1, params->l); + mldsa_matrix_mul(t, a, s1, params->k, params->l); + #ifdef WOLFSSL_MLDSA_SMALL + mldsa_vec_red(t, params->k); #endif - dilithium_vec_invntt_full(t, params->k); - dilithium_vec_add(t, s2, params->k); + mldsa_vec_invntt_full(t, params->k); + mldsa_vec_add(t, s2, params->k); /* Make positive for decomposing. */ - dilithium_vec_make_pos(t, params->k); + mldsa_vec_make_pos(t, params->k); /* Step 6, Step 7, Step 9. Alg 22 Steps 2-4, Alg 24 Steps 8-10. * Decompose t in t0 and t1 and encode into public and private key. */ - dilithium_vec_encode_t0_t1(t, params->k, t0, t1); + mldsa_vec_encode_t0_t1(t, params->k, t0, t1); /* Step 8. Alg 24, Step 1: Hash public key into private key. */ - ret = dilithium_shake256(&key->shake, key->p, params->pkSz, tr, + ret = mldsa_shake256(&key->shake, key->p, params->pkSz, tr, DILITHIUM_TR_SZ); } if (ret == 0) { /* Public key and private key are available. */ key->prvKeySet = 1; key->pubKeySet = 1; -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A /* Matrix A is available. 
*/ key->aSet = 1; #endif -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS /* Private vectors are not available as they were overwritten. */ key->privVecsSet = 0; #endif -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS +#ifdef WC_MLDSA_CACHE_PUB_VECTORS /* Public vector, t1, is not available as it was not created. */ key->pubVecSet = 0; #endif } -#ifndef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_CACHE_PRIV_VECTORS XFREE(s1, key->heap, DYNAMIC_TYPE_DILITHIUM); #endif return ret; #else int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; sword32* a = NULL; sword32* s1 = NULL; sword32* s2 = NULL; sword32* t = NULL; -#ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 +#ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 sword64* t64 = NULL; #endif byte* h = NULL; @@ -7939,10 +7946,10 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) unsigned int s; byte kl[2]; -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS - ret = dilithium_alloc_priv_buf(key); +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS + ret = mldsa_alloc_priv_buf(key); if (ret == 0) { - ret = dilithium_alloc_pub_buf(key); + ret = mldsa_alloc_pub_buf(key); } #endif @@ -7958,7 +7965,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) allocSz = (unsigned int)params->s1Sz + params->s2Sz + params->s2Sz + (unsigned int)DILITHIUM_REJ_NTT_POLY_H_SIZE + (unsigned int)DILITHIUM_POLY_SIZE; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 /* t64 */ allocSz += (unsigned int)DILITHIUM_POLY_SIZE * 2U; #endif 
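Review bot: The `XFREE(s1, key->heap, DYNAMIC_TYPE_DILITHIUM);` under `#ifndef WC_MLDSA_CACHE_PRIV_VECTORS` releases the scratch block without clearing it first, at least within the lines this hunk shows. That block holds the expanded private vectors `s1` and `s2` as well as `t`. The sibling `mldsa_make_key` scrubs its seed with `ForceZero(seed, sizeof(seed));`, so the same treatment here would be consistent, e.g. `if (s1 != NULL) ForceZero(s1, params->s1Sz + params->s2Sz + params->s2Sz);` immediately before the `XFREE`. The function body starts outside the hunk, so confirm that neither an earlier step nor the configured `XFREE` already wipes the buffer.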
@@ -7971,19 +7978,19 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) t = s2 + params->s2Sz / sizeof(*s2); h = (byte*)(t + params->s2Sz / sizeof(*t)); a = (sword32*)(h + DILITHIUM_REJ_NTT_POLY_H_SIZE); - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = (sword64*)(a + DILITHIUM_N); #endif } } if (ret == 0) { -#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT +#ifdef WOLFSSL_MLDSA_FIPS204_DRAFT if (key->params->level >= WC_ML_DSA_DRAFT) { /* Step 2: Create public seed, private seed and K from seed. * Step 9; Alg 18, Step 1: Public seed is placed into private key. */ - ret = dilithium_shake256(&key->shake, seed, DILITHIUM_SEED_SZ, + ret = mldsa_shake256(&key->shake, seed, DILITHIUM_SEED_SZ, pub_seed, DILITHIUM_SEEDS_SZ); } else @@ -7994,7 +8001,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Step 1: Create public seed, private seed and K from seed. * Step 9; Alg 24, Step 1: Public seed is placed into private key. */ - ret = dilithium_hash256(&key->shake, seed, DILITHIUM_SEED_SZ, kl, 2, + ret = mldsa_hash256(&key->shake, seed, DILITHIUM_SEED_SZ, kl, 2, pub_seed, DILITHIUM_SEEDS_SZ); } } @@ -8005,7 +8012,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) XMEMCPY(key->p, pub_seed, DILITHIUM_PUB_SEED_SZ); /* Step 4: Expand private seed into to vectors of polynomials. */ - ret = dilithium_expand_s(&key->shake, priv_seed, params->eta, s1, + ret = mldsa_expand_s(&key->shake, priv_seed, params->eta, s1, params->l, s2, params->k); } if (ret == 0) { 
@@ -8022,12 +8029,12 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Step 9: Move k down to after public seed. */ XMEMCPY(k, k + DILITHIUM_PRIV_SEED_SZ, DILITHIUM_K_SZ); /* Step 9. Alg 24 Steps 2-4: Encode s1 into private key. */ - dilthium_vec_encode_eta_bits(s1, params->l, params->eta, s1p); + mldsa_vec_encode_eta_bits(s1, params->l, params->eta, s1p); /* Step 9. Alg 24 Steps 5-7: Encode s2 into private key. */ - dilthium_vec_encode_eta_bits(s2, params->k, params->eta, s2p); + mldsa_vec_encode_eta_bits(s2, params->k, params->eta, s2p); /* Step 5: NTT(s1) */ - dilithium_vec_ntt_small_full(s1, params->l); + mldsa_vec_ntt_small_full(s1, params->l); /* Step 5: t <- NTT-1(A_circum o NTT(s1)) + s2 */ XMEMCPY(aseed, pub_seed, DILITHIUM_PUB_SEED_SZ); for (r = 0; (ret == 0) && (r < params->k); r++) { 
@@ -8040,51 +8047,51 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Put s into buffer to be hashed. */ aseed[DILITHIUM_PUB_SEED_SZ + 0] = (byte)s; /* Step 3: Expand public seed into a matrix of polynomials. */ - ret = dilithium_rej_ntt_poly_ex(&key->shake, aseed, a, h); + ret = mldsa_rej_ntt_poly_ex(&key->shake, aseed, a, h); if (ret != 0) { break; } /* Matrix multiply. */ - #ifndef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifndef WOLFSSL_MLDSA_SMALL_MEM_POLY64 if (s == 0) { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - tt[e] = dilithium_mont_red((sword64)a[e] * s1t[e]); + tt[e] = mldsa_mont_red((sword64)a[e] * s1t[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - tt[e+0] = dilithium_mont_red((sword64)a[e+0]*s1t[e+0]); - tt[e+1] = dilithium_mont_red((sword64)a[e+1]*s1t[e+1]); - tt[e+2] = dilithium_mont_red((sword64)a[e+2]*s1t[e+2]); - tt[e+3] = dilithium_mont_red((sword64)a[e+3]*s1t[e+3]); - tt[e+4] = dilithium_mont_red((sword64)a[e+4]*s1t[e+4]); - tt[e+5] = dilithium_mont_red((sword64)a[e+5]*s1t[e+5]); - tt[e+6] = dilithium_mont_red((sword64)a[e+6]*s1t[e+6]); - tt[e+7] = dilithium_mont_red((sword64)a[e+7]*s1t[e+7]); + tt[e+0] = mldsa_mont_red((sword64)a[e+0]*s1t[e+0]); + tt[e+1] = mldsa_mont_red((sword64)a[e+1]*s1t[e+1]); + tt[e+2] = mldsa_mont_red((sword64)a[e+2]*s1t[e+2]); + tt[e+3] = mldsa_mont_red((sword64)a[e+3]*s1t[e+3]); + tt[e+4] = mldsa_mont_red((sword64)a[e+4]*s1t[e+4]); + tt[e+5] = mldsa_mont_red((sword64)a[e+5]*s1t[e+5]); + tt[e+6] = mldsa_mont_red((sword64)a[e+6]*s1t[e+6]); + tt[e+7] = mldsa_mont_red((sword64)a[e+7]*s1t[e+7]); } #endif } else { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - tt[e] += dilithium_mont_red((sword64)a[e] * s1t[e]); + tt[e] += mldsa_mont_red((sword64)a[e] * s1t[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - tt[e+0] += dilithium_mont_red((sword64)a[e+0]*s1t[e+0]); - tt[e+1] += 
dilithium_mont_red((sword64)a[e+1]*s1t[e+1]); - tt[e+2] += dilithium_mont_red((sword64)a[e+2]*s1t[e+2]); - tt[e+3] += dilithium_mont_red((sword64)a[e+3]*s1t[e+3]); - tt[e+4] += dilithium_mont_red((sword64)a[e+4]*s1t[e+4]); - tt[e+5] += dilithium_mont_red((sword64)a[e+5]*s1t[e+5]); - tt[e+6] += dilithium_mont_red((sword64)a[e+6]*s1t[e+6]); - tt[e+7] += dilithium_mont_red((sword64)a[e+7]*s1t[e+7]); + tt[e+0] += mldsa_mont_red((sword64)a[e+0]*s1t[e+0]); + tt[e+1] += mldsa_mont_red((sword64)a[e+1]*s1t[e+1]); + tt[e+2] += mldsa_mont_red((sword64)a[e+2]*s1t[e+2]); + tt[e+3] += mldsa_mont_red((sword64)a[e+3]*s1t[e+3]); + tt[e+4] += mldsa_mont_red((sword64)a[e+4]*s1t[e+4]); + tt[e+5] += mldsa_mont_red((sword64)a[e+5]*s1t[e+5]); + tt[e+6] += mldsa_mont_red((sword64)a[e+6]*s1t[e+6]); + tt[e+7] += mldsa_mont_red((sword64)a[e+7]*s1t[e+7]); } #endif } #else if (s == 0) { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] = (sword64)a[e] * s1t[e]; } @@ -8102,7 +8109,7 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) #endif } else { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] += (sword64)a[e] * s1t[e]; } @@ -8123,15 +8130,15 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Next polynomial. */ s1t += DILITHIUM_N; } - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 for (e = 0; e < DILITHIUM_N; e++) { - tt[e] = dilithium_mont_red(t64[e]); + tt[e] = mldsa_mont_red(t64[e]); } #endif - dilithium_invntt_full(tt); - dilithium_add(tt, s2t); + mldsa_invntt_full(tt); + mldsa_add(tt, s2t); /* Make positive for decomposing. */ - dilithium_make_pos(tt); + mldsa_make_pos(tt); tt += DILITHIUM_N; s2t += DILITHIUM_N; 
@@ -8140,9 +8147,9 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) /* Step 6, Step 7, Step 9. Alg 22 Steps 2-4, Alg 24 Steps 8-10. * Decompose t in t0 and t1 and encode into public and private key. */ - dilithium_vec_encode_t0_t1(t, params->k, t0, t1); + mldsa_vec_encode_t0_t1(t, params->k, t0, t1); /* Step 8. Alg 24, Step 1: Hash public key into private key. */ - ret = dilithium_shake256(&key->shake, key->p, params->pkSz, tr, + ret = mldsa_shake256(&key->shake, key->p, params->pkSz, tr, DILITHIUM_TR_SZ); } if (ret == 0) { @@ -8165,13 +8172,13 @@ static int dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) * 4: end if * 5: return ML-DSA.KeyGen_internal(xi) * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] rng Random number generator. * @return 0 on success. * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_make_key(dilithium_key* key, WC_RNG* rng) +static int mldsa_make_key(MlDsaKey* key, WC_RNG* rng) { int ret; byte seed[DILITHIUM_SEED_SZ]; 
@@ -8181,19 +8188,19 @@ static int dilithium_make_key(dilithium_key* key, WC_RNG* rng) /* Step 2: Check for error. */ if (ret == 0) { /* Step 5: Make key with random seed. */ - ret = wc_dilithium_make_key_from_seed(key, seed); + ret = wc_MlDsaKey_MakeKeyFromSeed(key, seed); } ForceZero(seed, sizeof(seed)); return ret; } -#endif /* !WOLFSSL_DILITHIUM_NO_MAKE_KEY */ +#endif /* !WOLFSSL_MLDSA_NO_MAKE_KEY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN -#if !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) || \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) || \ - defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) +#if !defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) || \ + defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) || \ + defined(WC_MLDSA_CACHE_PRIV_VECTORS) /* Decode, from private key, and NTT private key vectors s1, s2, and t0. * * FIPS 204. 6: Algorithm 2 ML-DSA.Sign(sk, M) @@ -8202,15 +8209,15 @@ static int dilithium_make_key(dilithium_key* key, WC_RNG* rng) * 3: s2_circum <- NTT(s2) * 4: t0_circum <- NTT(t0) * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [out] s1 Vector of polynomials s1. * @param [out] s2 Vector of polynomials s2. * @param [out] t0 Vector of polynomials t0. */ -static void dilithium_make_priv_vecs(dilithium_key* key, sword32* s1, +static void mldsa_make_priv_vecs(MlDsaKey* key, sword32* s1, sword32* s2, sword32* t0) { - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* pubSeed = key->k; const byte* k = pubSeed + DILITHIUM_PUB_SEED_SZ; const byte* tr = k + DILITHIUM_K_SZ; 
@@ -8219,18 +8226,18 @@ static void dilithium_make_priv_vecs(dilithium_key* key, sword32* s1, const byte* t0p = s2p + params->s2EncSz; /* Step 1: Decode s1, s2, t0. */ - dilithium_vec_decode_eta_bits(s1p, params->eta, s1, params->l); - dilithium_vec_decode_eta_bits(s2p, params->eta, s2, params->k); - dilithium_vec_decode_t0(t0p, params->k, t0); + mldsa_vec_decode_eta_bits(s1p, params->eta, s1, params->l); + mldsa_vec_decode_eta_bits(s2p, params->eta, s2, params->k); + mldsa_vec_decode_t0(t0p, params->k, t0); /* Step 2: NTT s1. */ - dilithium_vec_ntt_small(s1, params->l); + mldsa_vec_ntt_small(s1, params->l); /* Step 3: NTT s2. */ - dilithium_vec_ntt_small(s2, params->k); + mldsa_vec_ntt_small(s2, params->k); /* Step 4: NTT t0. */ - dilithium_vec_ntt(t0, params->k); + mldsa_vec_ntt(t0, params->k); -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS /* Private key vectors have been created. */ key->privVecsSet = 1; #endif @@ -8283,7 +8290,7 @@ static void dilithium_make_priv_vecs(dilithium_key* key, sword32* s1, * 32: sigma <- sigEncode(c_tilde, z mod +/- q, h) * 33: return sigma * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] seedMu Random seed || mu. * @param [out] sig Buffer to hold signature. * @param [in, out] sigLen On in, length of buffer in bytes. 
@@ -8294,12 +8301,12 @@ static void dilithium_make_priv_vecs(dilithium_key* key, sword32* s1, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_sign_with_seed_mu(dilithium_key* key, +static int mldsa_sign_with_seed_mu(MlDsaKey* key, const byte* seedMu, byte* sig, word32 *sigLen) { -#ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM +#ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* pub_seed = key->k; const byte* k = pub_seed + DILITHIUM_PUB_SEED_SZ; const byte* mu = seedMu + DILITHIUM_RND_SZ; @@ -8330,8 +8337,8 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, } /* Allocate memory for large intermediates. */ -#ifdef WC_DILITHIUM_CACHE_MATRIX_A -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->a == NULL)) { key->a = (sword32*)XMALLOC((size_t)params->aSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -8347,8 +8354,8 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, a = key->a; } #endif -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->s1 == NULL)) { key->s1 = (sword32*)XMALLOC(params->aSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -8372,11 +8379,11 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, /* y-l, w0-k, w1-k, c-1, z-l, ct0-k */ allocSz = (unsigned int)params->s1Sz + params->s2Sz + params->s2Sz + (unsigned int)DILITHIUM_POLY_SIZE + params->s1Sz + params->s2Sz; -#ifndef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_CACHE_PRIV_VECTORS /* s1-l, s2-k, t0-k */ allocSz += (unsigned int)params->s1Sz + params->s2Sz + params->s2Sz; #endif -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A /* A */ allocSz += params->aSz; #endif 
@@ -8393,43 +8400,43 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, c = w1 + params->s2Sz / sizeof(*w1); z = c + DILITHIUM_N; ct0 = z + params->s1Sz / sizeof(*z); -#ifndef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_CACHE_PRIV_VECTORS s1 = ct0 + params->s2Sz / sizeof(*ct0); s2 = s1 + params->s1Sz / sizeof(*s1); t0 = s2 + params->s2Sz / sizeof(*s2); #endif -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A a = t0 + params->s2Sz / sizeof(*s2); #endif } } if (ret == 0) { -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS /* Check that we haven't already cached the private vectors. */ if (!key->privVecsSet) #endif { /* Steps 1-4: Decode and NTT vectors s1, s2, and t0. */ - dilithium_make_priv_vecs(key, s1, s2, t0); + mldsa_make_priv_vecs(key, s1, s2, t0); } -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A /* Check that we haven't already cached the matrix A. */ if (!key->aSet) #endif { /* Step 5: Create the matrix A from the public seed. */ - ret = dilithium_expand_a(&key->shake, pub_seed, params->k, + ret = mldsa_expand_a(&key->shake, pub_seed, params->k, params->l, a, key->heap); -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A key->aSet = (ret == 0); #endif } } if (ret == 0) { /* Step 9: Compute private random using hash. */ - ret = dilithium_hash256(&key->shake, k, DILITHIUM_K_SZ, seedMu, + ret = mldsa_hash256(&key->shake, k, DILITHIUM_K_SZ, seedMu, DILITHIUM_RND_SZ + DILITHIUM_MU_SZ, priv_rand_seed, DILITHIUM_PRIV_RAND_SEED_SZ); } 
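Review bot: The last pointer in the scratch-buffer carve-up, `a = t0 + params->s2Sz / sizeof(*s2);`, sits under `#ifndef WC_MLDSA_CACHE_MATRIX_A` but reads `t0`, which this hunk assigns from the scratch allocation only under `#ifndef WC_MLDSA_CACHE_PRIV_VECTORS`. If a build can cache the private vectors without caching A, `a` would be derived from wherever `t0` points rather than from the scratch buffer. Whether the headers rule that combination out is not visible here, so a `#error` guard or a comment stating the dependency would help. As a smaller point, the line divides by `sizeof(*s2)` where every other line uses the pointer being advanced; `a = t0 + params->s2Sz / sizeof(*t0);` keeps the pattern.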
@@ -8446,10 +8453,10 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, byte* commit = sig; /* Step 12: Compute vector y from private random seed and kappa. */ - dilithium_vec_expand_mask(&key->shake, priv_rand_seed, kappa, + mldsa_vec_expand_mask(&key->shake, priv_rand_seed, kappa, params->gamma1_bits, y, params->l); - #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_Y - valid = dilithium_vec_check_low(y, params->l, + #ifdef WOLFSSL_MLDSA_SIGN_CHECK_Y + valid = mldsa_vec_check_low(y, params->l, ((sword32)1 << params->gamma1_bits) - params->beta); if (valid) #endif @@ -8464,17 +8471,17 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, } if (ret == 0) { #endif - dilithium_vec_ntt_full(y_ntt, params->l); - dilithium_matrix_mul(w, a, y_ntt, params->k, params->l); - #ifdef WOLFSSL_DILITHIUM_SMALL - dilithium_vec_red(w, params->k); + mldsa_vec_ntt_full(y_ntt, params->l); + mldsa_matrix_mul(w, a, y_ntt, params->k, params->l); + #ifdef WOLFSSL_MLDSA_SMALL + mldsa_vec_red(w, params->k); #endif - dilithium_vec_invntt_full(w, params->k); + mldsa_vec_invntt_full(w, params->k); /* Step 14, Step 22: Make values positive and decompose. */ - dilithium_vec_make_pos(w, params->k); - dilithium_vec_decompose(w, params->k, params->gamma2, w0, w1); - #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_W0 - valid = dilithium_vec_check_low(w0, params->k, + mldsa_vec_make_pos(w, params->k); + mldsa_vec_decompose(w, params->k, params->gamma2, w0, w1); + #ifdef WOLFSSL_MLDSA_SIGN_CHECK_W0 + valid = mldsa_vec_check_low(w0, params->k, params->gamma2 - params->beta); } if (valid) { 
@@ -8484,15 +8491,15 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, DYNAMIC_TYPE_DILITHIUM, ret=MEMORY_E); if (WC_VAR_OK(w1e)) { - dilithium_vec_encode_w1(w1, params->k, params->gamma2, w1e); + mldsa_vec_encode_w1(w1, params->k, params->gamma2, w1e); /* Step 15: Hash mu and encoded w1. * Step 32: Hash is stored in signature. */ - ret = dilithium_hash256(&key->shake, mu, DILITHIUM_MU_SZ, + ret = mldsa_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, params->w1EncSz, commit, params->lambda / 4); } if (ret == 0) { /* Step 17: Compute c from first 256 bits of commit. */ - ret = dilithium_sample_in_ball(params->level, &key->shake, + ret = mldsa_sample_in_ball(params->level, &key->shake, commit, params->lambda / 4, params->tau, c, key->heap); } if (ret == 0) { 
@@ -8501,52 +8508,52 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, valid = 1; /* Step 18: NTT(c). */ - dilithium_ntt_small(c); + mldsa_ntt_small(c); hi = params->gamma2 - params->beta; for (i = 0; valid && i < params->k; i++) { /* Step 20: cs2 = NTT-1(c o s2) */ - dilithium_mul(cs2 + i * DILITHIUM_N, c, + mldsa_mul(cs2 + i * DILITHIUM_N, c, s2 + i * DILITHIUM_N); - dilithium_invntt(cs2 + i * DILITHIUM_N); + mldsa_invntt(cs2 + i * DILITHIUM_N); /* Step 22: w0 - cs2 */ - dilithium_sub(w0 + i * DILITHIUM_N, + mldsa_sub(w0 + i * DILITHIUM_N, cs2 + i * DILITHIUM_N); /* Step 23: Check w0 - cs2 has low enough values. */ - valid = dilithium_vec_check_low(w0 + i * DILITHIUM_N, 1, + valid = mldsa_vec_check_low(w0 + i * DILITHIUM_N, 1, hi); } hi = ((sword32)1 << params->gamma1_bits) - params->beta; for (i = 0; valid && i < params->l; i++) { /* Step 19: cs1 = NTT-1(c o s1) */ - dilithium_mul(z + i * DILITHIUM_N, c, + mldsa_mul(z + i * DILITHIUM_N, c, s1 + i * DILITHIUM_N); - dilithium_invntt(z + i * DILITHIUM_N); + mldsa_invntt(z + i * DILITHIUM_N); /* Step 21: z = y + cs1 */ - dilithium_add(z + i * DILITHIUM_N, y + i * DILITHIUM_N); - dilithium_poly_red(z + i * DILITHIUM_N); + mldsa_add(z + i * DILITHIUM_N, y + i * DILITHIUM_N); + mldsa_poly_red(z + i * DILITHIUM_N); /* Step 23: Check z has low enough values. */ - valid = dilithium_vec_check_low(z + i * DILITHIUM_N, 1, + valid = mldsa_vec_check_low(z + i * DILITHIUM_N, 1, hi); } for (i = 0; valid && i < params->k; i++) { /* Step 25: ct0 = NTT-1(c o t0) */ - dilithium_mul(ct0 + i * DILITHIUM_N, c, + mldsa_mul(ct0 + i * DILITHIUM_N, c, t0 + i * DILITHIUM_N); - dilithium_invntt(ct0 + i * DILITHIUM_N); + mldsa_invntt(ct0 + i * DILITHIUM_N); /* Step 27: Check ct0 has low enough values. 
*/ hi = params->gamma2; - valid = dilithium_vec_check_low(ct0 + i * DILITHIUM_N, + valid = mldsa_vec_check_low(ct0 + i * DILITHIUM_N, 1, hi); } if (valid) { /* Step 26: ct0 = ct0 + w0 */ - dilithium_vec_add(ct0, w0, params->k); - dilithium_vec_red(ct0, params->k); + mldsa_vec_add(ct0, w0, params->k); + mldsa_vec_red(ct0, params->k); /* Step 26, 27: Make hint from ct0 and w1 and check * number of hints is valid. * Step 32: h is encoded into signature. */ - valid = (dilithium_make_hint(ct0, w1, params->k, + valid = (mldsa_make_hint(ct0, w1, params->k, params->gamma2, params->omega, h) >= 0); } } @@ -8572,7 +8579,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, byte* ze = sig + params->lambda / 4; /* Step 32: Encode z into signature. * Commit (c) and h already encoded into signature. */ - dilithium_vec_encode_gamma1(z, params->l, params->gamma1_bits, ze); + mldsa_vec_encode_gamma1(z, params->l, params->gamma1_bits, ze); } ForceZero(priv_rand_seed, sizeof(priv_rand_seed)); @@ -8583,7 +8590,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, return ret; #else int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* pub_seed = key->k; const byte* k = pub_seed + DILITHIUM_PUB_SEED_SZ; const byte* tr = k + DILITHIUM_K_SZ; @@ -8602,15 +8609,15 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, sword32* c = NULL; sword32* z = NULL; sword32* ct0 = NULL; -#ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 +#ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 sword64* t64 = NULL; #endif byte* blocks = NULL; byte priv_rand_seed[DILITHIUM_Y_SEED_SZ]; byte* h = sig + params->lambda / 4 + params->zEncSz; unsigned int allocSz = 0; -#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A - byte maxK = (byte)min(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A, +#ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A + byte maxK = (byte)min(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A, params->k); #endif #ifdef WC_MLDSA_FAULT_HARDEN 
@@ -8634,13 +8641,13 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, (unsigned int)DILITHIUM_POLY_SIZE + (unsigned int)DILITHIUM_POLY_SIZE + (unsigned int)DILITHIUM_POLY_SIZE; - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC allocSz += (unsigned int)params->s1Sz + params->s2Sz + params->s2Sz; - #elif defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A) + #elif defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A) allocSz += (unsigned int)maxK * params->l * (unsigned int)DILITHIUM_POLY_SIZE; #endif - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 allocSz += (unsigned int)DILITHIUM_POLY_SIZE * 2U; #endif y = (sword32*)XMALLOC(allocSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -8658,20 +8665,20 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, z = c + DILITHIUM_N; a = z + DILITHIUM_N; ct0 = z; - #if defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A) + #if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A) y_ntt = w0; s1 = z; s2 = z; t0 = z; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = (sword64*)(a + (1 + maxK * params->l) * DILITHIUM_N); #endif - #elif defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) + #elif defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) y_ntt = z; s1 = a + DILITHIUM_N; s2 = s1 + params->s1Sz / sizeof(*s1); t0 = s2 + params->s2Sz / sizeof(*s2); - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = (sword64*)(t0 + params->s2Sz / sizeof(*t0)); #endif #else @@ -8679,7 +8686,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, s1 = z; s2 = z; t0 = z; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = (sword64*)(a + DILITHIUM_N); #endif #endif 
@@ -8688,19 +8695,19 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, if (ret == 0) { /* Step 9: Compute private random using hash. */ - ret = dilithium_hash256(&key->shake, k, DILITHIUM_K_SZ, seedMu, + ret = mldsa_hash256(&key->shake, k, DILITHIUM_K_SZ, seedMu, DILITHIUM_RND_SZ + DILITHIUM_MU_SZ, priv_rand_seed, DILITHIUM_PRIV_RAND_SEED_SZ); } -#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC +#ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC if (ret == 0) { - dilithium_make_priv_vecs(key, s1, s2, t0); + mldsa_make_priv_vecs(key, s1, s2, t0); } #endif -#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A +#ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A if (ret == 0) { /* Step 5: Create the matrix A from the public seed. */ - ret = dilithium_expand_a(&key->shake, pub_seed, maxK, params->l, a, + ret = mldsa_expand_a(&key->shake, pub_seed, maxK, params->l, a, key->heap); } #endif 
@@ -8722,41 +8729,41 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, sword32* w1t = w1; sword32* at = a; - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A - w0t += WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; - w1t += WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; - wt += WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; - at += WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A * params->l * + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A + w0t += WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; + w1t += WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; + wt += WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A * DILITHIUM_N; + at += WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A * params->l * DILITHIUM_N; #endif valid = 1; /* Step 12: Compute vector y from private random seed and kappa. */ - dilithium_vec_expand_mask(&key->shake, priv_rand_seed, kappa, + mldsa_vec_expand_mask(&key->shake, priv_rand_seed, kappa, params->gamma1_bits, y, params->l); - #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_Y - valid = dilithium_vec_check_low(y, params->l, + #ifdef WOLFSSL_MLDSA_SIGN_CHECK_Y + valid = mldsa_vec_check_low(y, params->l, ((sword32)1 << params->gamma1_bits) - params->beta); #endif - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A /* Step 13: NTT-1(A o NTT(y)) */ XMEMCPY(y_ntt, y, params->s1Sz); - dilithium_vec_ntt_full(y_ntt, params->l); - dilithium_matrix_mul(w, a, y_ntt, maxK, params->l); - #ifdef WOLFSSL_DILITHIUM_SMALL - dilithium_vec_red(w, params->k); + mldsa_vec_ntt_full(y_ntt, params->l); + mldsa_matrix_mul(w, a, y_ntt, maxK, params->l); + #ifdef WOLFSSL_MLDSA_SMALL + mldsa_vec_red(w, params->k); #endif - dilithium_vec_invntt_full(w, maxK); + mldsa_vec_invntt_full(w, maxK); /* Step 14, Step 22: Make values positive and decompose. 
*/ - dilithium_vec_make_pos(w, maxK); - dilithium_vec_decompose(w, maxK, params->gamma2, w0, w1); + mldsa_vec_make_pos(w, maxK); + mldsa_vec_decompose(w, maxK, params->gamma2, w0, w1); #endif /* Step 5: Create the matrix A from the public seed. */ /* Copy the seed into a buffer that has space for s and r. */ XMEMCPY(aseed, pub_seed, DILITHIUM_PUB_SEED_SZ); - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A - r = WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A; + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A + r = WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A; #else r = 0; #endif @@ -8764,7 +8771,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, for (; (ret == 0) && valid && (r < params->k); r++) { unsigned int e; sword32* yt = y; - #ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A + #ifdef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A sword32* y_ntt_t = z; #else sword32* y_ntt_t = y_ntt; @@ -8787,7 +8794,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, /* Put s into buffer to be hashed. */ aseed[DILITHIUM_PUB_SEED_SZ + 0] = s; /* Alg 26. Step 3: Create polynomial from hashing seed. */ - ret = dilithium_rej_ntt_poly_ex(&key->shake, aseed, at, + ret = mldsa_rej_ntt_poly_ex(&key->shake, aseed, at, blocks); if (ret != 0) { break; 
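Review bot: In the `WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A` block, the `WOLFSSL_MLDSA_SMALL` reduction is `mldsa_vec_red(w, params->k);`, although the preceding `mldsa_matrix_mul(w, a, y_ntt, maxK, params->l);` and the following `mldsa_vec_invntt_full(w, maxK);` cover only `maxK` rows. When `maxK < params->k`, the reduction walks rows of `w` that this block has not written yet. `mldsa_vec_red(w, maxK);` would match its neighbours. The rename carried the existing argument over unchanged, and the function body continues outside the hunk.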
@@ -8799,66 +8806,66 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, break; } #endif - dilithium_ntt_full(y_ntt_t); + mldsa_ntt_full(y_ntt_t); /* Matrix multiply. */ - #ifndef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifndef WOLFSSL_MLDSA_SMALL_MEM_POLY64 if (s == 0) { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - wt[e] = dilithium_mont_red((sword64)at[e] * + wt[e] = mldsa_mont_red((sword64)at[e] * y_ntt_t[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - wt[e + 0] = dilithium_mont_red((sword64)at[e + 0] * + wt[e + 0] = mldsa_mont_red((sword64)at[e + 0] * y_ntt_t[e + 0]); - wt[e + 1] = dilithium_mont_red((sword64)at[e + 1] * + wt[e + 1] = mldsa_mont_red((sword64)at[e + 1] * y_ntt_t[e + 1]); - wt[e + 2] = dilithium_mont_red((sword64)at[e + 2] * + wt[e + 2] = mldsa_mont_red((sword64)at[e + 2] * y_ntt_t[e + 2]); - wt[e + 3] = dilithium_mont_red((sword64)at[e + 3] * + wt[e + 3] = mldsa_mont_red((sword64)at[e + 3] * y_ntt_t[e + 3]); - wt[e + 4] = dilithium_mont_red((sword64)at[e + 4] * + wt[e + 4] = mldsa_mont_red((sword64)at[e + 4] * y_ntt_t[e + 4]); - wt[e + 5] = dilithium_mont_red((sword64)at[e + 5] * + wt[e + 5] = mldsa_mont_red((sword64)at[e + 5] * y_ntt_t[e + 5]); - wt[e + 6] = dilithium_mont_red((sword64)at[e + 6] * + wt[e + 6] = mldsa_mont_red((sword64)at[e + 6] * y_ntt_t[e + 6]); - wt[e + 7] = dilithium_mont_red((sword64)at[e + 7] * + wt[e + 7] = mldsa_mont_red((sword64)at[e + 7] * y_ntt_t[e + 7]); } #endif } else { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - wt[e] += dilithium_mont_red((sword64)at[e] * + wt[e] += mldsa_mont_red((sword64)at[e] * y_ntt_t[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - wt[e + 0] += dilithium_mont_red((sword64)at[e + 0] * + wt[e + 0] += mldsa_mont_red((sword64)at[e + 0] * y_ntt_t[e + 0]); - wt[e + 1] += dilithium_mont_red((sword64)at[e + 1] * + wt[e + 1] += mldsa_mont_red((sword64)at[e + 1] * y_ntt_t[e 
+ 1]); - wt[e + 2] += dilithium_mont_red((sword64)at[e + 2] * + wt[e + 2] += mldsa_mont_red((sword64)at[e + 2] * y_ntt_t[e + 2]); - wt[e + 3] += dilithium_mont_red((sword64)at[e + 3] * + wt[e + 3] += mldsa_mont_red((sword64)at[e + 3] * y_ntt_t[e + 3]); - wt[e + 4] += dilithium_mont_red((sword64)at[e + 4] * + wt[e + 4] += mldsa_mont_red((sword64)at[e + 4] * y_ntt_t[e + 4]); - wt[e + 5] += dilithium_mont_red((sword64)at[e + 5] * + wt[e + 5] += mldsa_mont_red((sword64)at[e + 5] * y_ntt_t[e + 5]); - wt[e + 6] += dilithium_mont_red((sword64)at[e + 6] * + wt[e + 6] += mldsa_mont_red((sword64)at[e + 6] * y_ntt_t[e + 6]); - wt[e + 7] += dilithium_mont_red((sword64)at[e + 7] * + wt[e + 7] += mldsa_mont_red((sword64)at[e + 7] * y_ntt_t[e + 7]); } #endif } #else if (s == 0) { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] = (sword64)at[e] * y_ntt_t[e]; } @@ -8876,7 +8883,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, #endif } else { - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] += (sword64)at[e] * y_ntt_t[e]; } @@ -8900,20 +8907,20 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, if (ret != 0) { break; } - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 for (e = 0; e < DILITHIUM_N; e++) { - wt[e] = dilithium_mont_red(t64[e]); + wt[e] = mldsa_mont_red(t64[e]); } #endif - dilithium_invntt_full(wt); + mldsa_invntt_full(wt); /* Step 14, Step 22: Make values positive and decompose. */ - dilithium_make_pos(wt); + mldsa_make_pos(wt); #ifndef WOLFSSL_NO_ML_DSA_44 if (params->gamma2 == DILITHIUM_Q_LOW_88) { /* For each value of polynomial. */ for (e = 0; e < DILITHIUM_N; e++) { /* Decompose value into two vectors. */ - dilithium_decompose_q88(wt[e], &w0t[e], &w1t[e]); + mldsa_decompose_q88(wt[e], &w0t[e], &w1t[e]); } } #endif 
@@ -8922,12 +8929,12 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, /* For each value of polynomial. */ for (e = 0; e < DILITHIUM_N; e++) { /* Decompose value into two vectors. */ - dilithium_decompose_q32(wt[e], &w0t[e], &w1t[e]); + mldsa_decompose_q32(wt[e], &w0t[e], &w1t[e]); } } #endif - #ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_W0 - valid = dilithium_vec_check_low(w0t, + #ifdef WOLFSSL_MLDSA_SIGN_CHECK_W0 + valid = mldsa_vec_check_low(w0t, params->gamma2 - params->beta); #endif wt += DILITHIUM_N; @@ -8936,7 +8943,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, } if ((ret == 0) && valid) { sword32* yt = y; - #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC const byte* s1pt = s1p; #endif byte* ze = sig + params->lambda / 4; 
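Review bot: Under `WOLFSSL_MLDSA_SIGN_CHECK_W0`, the small-memory path calls `mldsa_vec_check_low(w0t, params->gamma2 - params->beta);` with two arguments. Every other visible call to `mldsa_vec_check_low` passes a polynomial count as the second argument, and the per-polynomial checks in this path use `mldsa_check_low(z, hi)`. As written this looks like it would fail to compile when that option is enabled together with `WOLFSSL_MLDSA_SIGN_SMALL_MEM`; `valid = mldsa_check_low(w0t, params->gamma2 - params->beta);` appears to be what is meant. The prototypes are outside the hunk, so confirm against them, and consider a CI configuration that builds this combination so the optional check cannot rot unnoticed.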
@@ -8945,61 +8952,61 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, WC_ALLOC_VAR_EX(w1e, byte, DILITHIUM_MAX_W1_ENC_SZ, key->heap, DYNAMIC_TYPE_DILITHIUM, ret=MEMORY_E); if (WC_VAR_OK(w1e)) { - dilithium_vec_encode_w1(w1, params->k, params->gamma2, + mldsa_vec_encode_w1(w1, params->k, params->gamma2, w1e); /* Step 15: Hash mu and encoded w1. * Step 32: Hash is stored in signature. */ - ret = dilithium_hash256(&key->shake, mu, DILITHIUM_MU_SZ, + ret = mldsa_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, params->w1EncSz, commit, params->lambda / 4); } WC_FREE_VAR_EX(w1e, key->heap, DYNAMIC_TYPE_DILITHIUM); if (ret == 0) { /* Step 17: Compute c from first 256 bits of commit. */ - ret = dilithium_sample_in_ball_ex(params->level, + ret = mldsa_sample_in_ball_ex(params->level, &key->shake, commit, params->lambda / 4, params->tau, c, blocks); } if (ret == 0) { /* Step 18: NTT(c). */ - dilithium_ntt_small(c); + mldsa_ntt_small(c); } for (s = 0; (ret == 0) && valid && (s < params->l); s++) { - #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC #if !defined(WOLFSSL_NO_ML_DSA_44) || \ !defined(WOLFSSL_NO_ML_DSA_87) /* -2..2 */ if (params->eta == DILITHIUM_ETA_2) { - dilithium_decode_eta_2_bits(s1pt, s1); + mldsa_decode_eta_2_bits(s1pt, s1); s1pt += DILITHIUM_ETA_2_BITS * DILITHIUM_N / 8; } #endif #ifndef WOLFSSL_NO_ML_DSA_65 /* -4..4 */ if (params->eta == DILITHIUM_ETA_4) { - dilithium_decode_eta_4_bits(s1pt, s1); + mldsa_decode_eta_4_bits(s1pt, s1); s1pt += DILITHIUM_N / 2; } #endif - dilithium_ntt_small(s1); - dilithium_mul(z, c, s1); + mldsa_ntt_small(s1); + mldsa_mul(z, c, s1); #else - dilithium_mul(z, c, s1 + s * DILITHIUM_N); + mldsa_mul(z, c, s1 + s * DILITHIUM_N); #endif /* Step 19: cs1 = NTT-1(c o s1) */ - dilithium_invntt(z); + mldsa_invntt(z); /* Step 21: z = y + cs1 */ - dilithium_add(z, yt); - dilithium_poly_red(z); + mldsa_add(z, yt); + mldsa_poly_red(z); /* Step 23: Check z has low enough values. 
*/ hi = ((sword32)1 << params->gamma1_bits) - params->beta; - valid = dilithium_check_low(z, hi); + valid = mldsa_check_low(z, hi); if (valid) { /* Step 32: Encode z into signature. * Commit (c) and h already encoded into signature. */ #if !defined(WOLFSSL_NO_ML_DSA_44) if (params->gamma1_bits == DILITHIUM_GAMMA1_BITS_17) { - dilithium_encode_gamma1_17_bits(z, ze); + mldsa_encode_gamma1_17_bits(z, ze); /* Move to next place to encode to. */ ze += DILITHIUM_GAMMA1_17_ENC_BITS / 2 * DILITHIUM_N / 4; @@ -9008,7 +9015,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, #if !defined(WOLFSSL_NO_ML_DSA_65) || \ !defined(WOLFSSL_NO_ML_DSA_87) if (params->gamma1_bits == DILITHIUM_GAMMA1_BITS_19) { - dilithium_encode_gamma1_19_bits(z, ze); + mldsa_encode_gamma1_19_bits(z, ze); /* Move to next place to encode to. */ ze += DILITHIUM_GAMMA1_19_ENC_BITS / 2 * DILITHIUM_N / 4; @@ -9021,7 +9028,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, } if ((ret == 0) && valid) { const byte* t0pt = t0p; - #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC const byte* s2pt = s2p; #endif sword32* cs2 = ct0; 
@@ -9030,55 +9037,55 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, w1t = w1; for (r = 0; valid && (r < params->k); r++) { - #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC #if !defined(WOLFSSL_NO_ML_DSA_44) || \ !defined(WOLFSSL_NO_ML_DSA_87) /* -2..2 */ if (params->eta == DILITHIUM_ETA_2) { - dilithium_decode_eta_2_bits(s2pt, s2); + mldsa_decode_eta_2_bits(s2pt, s2); s2pt += DILITHIUM_ETA_2_BITS * DILITHIUM_N / 8; } #endif #ifndef WOLFSSL_NO_ML_DSA_65 /* -4..4 */ if (params->eta == DILITHIUM_ETA_4) { - dilithium_decode_eta_4_bits(s2pt, s2); + mldsa_decode_eta_4_bits(s2pt, s2); s2pt += DILITHIUM_N / 2; } #endif - dilithium_ntt_small(s2); + mldsa_ntt_small(s2); /* Step 20: cs2 = NTT-1(c o s2) */ - dilithium_mul(cs2, c, s2); + mldsa_mul(cs2, c, s2); #else /* Step 20: cs2 = NTT-1(c o s2) */ - dilithium_mul(cs2, c, s2 + r * DILITHIUM_N); + mldsa_mul(cs2, c, s2 + r * DILITHIUM_N); #endif - dilithium_invntt(cs2); + mldsa_invntt(cs2); /* Step 22: w0 - cs2 */ - dilithium_sub(w0t, cs2); - dilithium_poly_red(w0t); + mldsa_sub(w0t, cs2); + mldsa_poly_red(w0t); /* Step 23: Check w0 - cs2 has low enough values. */ hi = params->gamma2 - params->beta; - valid = dilithium_check_low(w0t, hi); + valid = mldsa_check_low(w0t, hi); if (valid) { - #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC - dilithium_decode_t0(t0pt, t0); - dilithium_ntt(t0); + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC + mldsa_decode_t0(t0pt, t0); + mldsa_ntt(t0); /* Step 25: ct0 = NTT-1(c o t0) */ - dilithium_mul(ct0, c, t0); + mldsa_mul(ct0, c, t0); #else /* Step 25: ct0 = NTT-1(c o t0) */ - dilithium_mul(ct0, c, t0 + r * DILITHIUM_N); + mldsa_mul(ct0, c, t0 + r * DILITHIUM_N); #endif - dilithium_invntt(ct0); + mldsa_invntt(ct0); /* Step 27: Check ct0 has low enough values. 
*/ - valid = dilithium_check_low(ct0, params->gamma2); + valid = mldsa_check_low(ct0, params->gamma2); } if (valid) { /* Step 26: ct0 = ct0 + w0 */ - dilithium_add(ct0, w0t); - dilithium_poly_red(ct0); + mldsa_add(ct0, w0t); + mldsa_poly_red(ct0); /* Step 26, 27: Make hint from ct0 and w1 and check * number of hints is valid. @@ -9086,7 +9093,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, */ #ifndef WOLFSSL_NO_ML_DSA_44 if (params->gamma2 == DILITHIUM_Q_LOW_88) { - valid = (dilithium_make_hint_88(ct0, w1t, h, + valid = (mldsa_make_hint_88(ct0, w1t, h, &idx) == 0); /* Alg 14, Step 10: Store count of hints for * polynomial at end of list. */ @@ -9096,7 +9103,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, #if !defined(WOLFSSL_NO_ML_DSA_65) || \ !defined(WOLFSSL_NO_ML_DSA_87) if (params->gamma2 == DILITHIUM_Q_LOW_32) { - valid = (dilithium_make_hint_32(ct0, w1t, + valid = (mldsa_make_hint_32(ct0, w1t, params->omega, h, &idx) == 0); /* Alg 14, Step 10: Store count of hints for * polynomial at end of list. */ @@ -9151,7 +9158,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, * 6: mu <- H(BytesToBits(tr)||M', 64) * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] seed Random seed. * @param [in] ctx Context of signature. * @param [in] ctxLen Length of context in bytes. @@ -9166,7 +9173,7 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_sign_ctx_msg_with_seed(dilithium_key* key, +static int mldsa_sign_ctx_msg_with_seed(MlDsaKey* key, const byte* seed, const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* sig, word32 *sigLen) { 
@@ -9179,10 +9186,10 @@ static int dilithium_sign_ctx_msg_with_seed(dilithium_key* key, XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ); /* Step 6. Calculate mu. */ - ret = dilithium_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, + ret = mldsa_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, ctx, ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ); if (ret == 0) { - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); } ForceZero(seedMu, sizeof(seedMu)); @@ -9203,7 +9210,7 @@ static int dilithium_sign_ctx_msg_with_seed(dilithium_key* key, * 6: mu <- H(BytesToBits(tr)||M', 64) * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] seed Random seed. * @param [in] msg Message data to sign. * @param [in] msgLen Length of message data in bytes. @@ -9216,8 +9223,8 @@ static int dilithium_sign_ctx_msg_with_seed(dilithium_key* key, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -static int dilithium_sign_msg_with_seed(dilithium_key* key, const byte* seed, +#ifdef WOLFSSL_MLDSA_NO_CTX +static int mldsa_sign_msg_with_seed(MlDsaKey* key, const byte* seed, const byte* msg, word32 msgLen, byte* sig, word32 *sigLen) { int ret; @@ -9229,16 +9236,16 @@ static int dilithium_sign_msg_with_seed(dilithium_key* key, const byte* seed, XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ); /* Step 6. Calculate mu. */ - ret = dilithium_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, mu, + ret = mldsa_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, mu, DILITHIUM_MU_SZ); if (ret == 0) { - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); } ForceZero(seedMu, sizeof(seedMu)); return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Sign a message with the key and a random number generator. * 
@@ -9258,7 +9265,7 @@ static int dilithium_sign_msg_with_seed(dilithium_key* key, const byte* seed, * 6: mu <- H(BytesToBits(tr)||M', 64) * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in, out] rng Random number generator. * @param [in] ctx Context of signature. * @param [in] ctxLen Length of context. @@ -9272,7 +9279,7 @@ static int dilithium_sign_msg_with_seed(dilithium_key* key, const byte* seed, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_sign_ctx_msg(dilithium_key* key, WC_RNG* rng, +static int mldsa_sign_ctx_msg(MlDsaKey* key, WC_RNG* rng, const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, byte* sig, word32 *sigLen) { @@ -9294,11 +9301,11 @@ static int dilithium_sign_ctx_msg(dilithium_key* key, WC_RNG* rng, } if (ret == 0) { /* Step 6. Calculate mu. */ - ret = dilithium_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, + ret = mldsa_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, ctx, ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); } ForceZero(seedMu, sizeof(seedMu)); @@ -9323,7 +9330,7 @@ static int dilithium_sign_ctx_msg(dilithium_key* key, WC_RNG* rng, * 6: mu <- H(BytesToBits(tr)||M', 64) * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in, out] rng Random number generator. * @param [in] msg Message data to sign. * @param [in] msgLen Length of message data in bytes. 
@@ -9335,8 +9342,8 @@ static int dilithium_sign_ctx_msg(dilithium_key* key, WC_RNG* rng, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -static int dilithium_sign_msg(dilithium_key* key, WC_RNG* rng, +#ifdef WOLFSSL_MLDSA_NO_CTX +static int mldsa_sign_msg(MlDsaKey* key, WC_RNG* rng, const byte* msg, word32 msgLen, byte* sig, word32 *sigLen) { int ret = 0; @@ -9357,17 +9364,17 @@ static int dilithium_sign_msg(dilithium_key* key, WC_RNG* rng, } if (ret == 0) { /* Step 6. Calculate mu. */ - ret = dilithium_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, + ret = mldsa_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); } ForceZero(seedMu, sizeof(seedMu)); return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Sign a pre-hashed message with the key and a seed. * @@ -9389,7 +9396,7 @@ static int dilithium_sign_msg(dilithium_key* key, WC_RNG* rng, * 6: mu <- H(BytesToBits(tr)||M', 64) * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] seed Random seed. * @param [in] ctx Context of signature. * @param [in] ctxLen Length of context. @@ -9404,7 +9411,7 @@ static int dilithium_sign_msg(dilithium_key* key, WC_RNG* rng, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key, +static int mldsa_sign_ctx_hash_with_seed(MlDsaKey* key, const byte* seed, const byte* ctx, byte ctxLen, int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen) { 
@@ -9425,18 +9432,18 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key, if (ret == 0) { XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ); - ret = dilithium_get_hash_oid(hashAlg, oidMsgHash, &oidMsgHashLen); + ret = mldsa_get_hash_oid(hashAlg, oidMsgHash, &oidMsgHashLen); } if (ret == 0) { XMEMCPY(oidMsgHash + oidMsgHashLen, hash, hashLen); oidMsgHashLen += hashLen; /* Step 6. Calculate mu. */ - ret = dilithium_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 1, + ret = mldsa_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 1, ctx, ctxLen, oidMsgHash, oidMsgHashLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); } ForceZero(seedMu, sizeof(seedMu)); @@ -9453,7 +9460,7 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key, * 8: end if * ... * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in, out] rng Random number generator. * @param [in] ctx Context of signature. * @param [in] ctxLen Length of context. @@ -9468,7 +9475,7 @@ static int dilithium_sign_ctx_hash_with_seed(dilithium_key* key, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_sign_ctx_hash(dilithium_key* key, WC_RNG* rng, +static int mldsa_sign_ctx_hash(MlDsaKey* key, WC_RNG* rng, const byte* ctx, byte ctxLen, int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen) { @@ -9485,7 +9492,7 @@ static int dilithium_sign_ctx_hash(dilithium_key* key, WC_RNG* rng, } if (ret == 0) { - ret = dilithium_sign_ctx_hash_with_seed(key, seed, ctx, ctxLen, hashAlg, + ret = mldsa_sign_ctx_hash_with_seed(key, seed, ctx, ctxLen, hashAlg, hash, hashLen, sig, sigLen); } 
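Review bot: `XMEMCPY(oidMsgHash + oidMsgHashLen, hash, hashLen);` appends a caller-supplied length to `oidMsgHash`, and neither that buffer's declaration nor a bound on `hashLen` is visible in this hunk. If the check sits in the lines above, a short comment at the copy would make that reviewable, e.g. `/* hashLen bounded above: OID + digest fit in oidMsgHash */`. It is also worth confirming that `hashLen` is compared with the digest size implied by `hashAlg`, since the OID and the hash bytes are bound into mu together and a mismatched pair would be signed as given.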
@@ -9493,26 +9500,26 @@ static int dilithium_sign_ctx_hash(dilithium_key* key, WC_RNG* rng, return ret; } -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY -#if !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) || \ - defined(WC_DILITHIUM_CACHE_PUB_VECTORS) +#if !defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM) || \ + defined(WC_MLDSA_CACHE_PUB_VECTORS) /* Make public vector from public key data. * * @param [in, out] key Key with public key data. * @param [out] t1 Vector in NTT form. */ -static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1) +static void mldsa_make_pub_vec(MlDsaKey* key, sword32* t1) { - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* t1p = key->p + DILITHIUM_PUB_SEED_SZ; - dilithium_vec_decode_t1(t1p, params->k, t1); - dilithium_vec_ntt_full(t1, params->k); + mldsa_vec_decode_t1(t1p, params->k, t1); + mldsa_vec_ntt_full(t1, params->k); -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS +#ifdef WC_MLDSA_CACHE_PUB_VECTORS key->pubVecSet = 1; #endif } @@ -9536,7 +9543,7 @@ static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1) * 13: return [[ ||z||inf < GAMMA1 - BETA]] and [[c_tilde = c'_tilde]] and * [[number of 1's in h is <= OMEGA * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] mu Data to verify. * @param [in] sig Signature to verify message. * @param [in] sigLen Length of message in bytes. 
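Review bot: A build that still defines the old `WOLFSSL_DILITHIUM_*` / `WC_DILITHIUM_*` gate names gets no diagnostic if the legacy mapping is absent, and the gates renamed in this hunk (`WOLFSSL_MLDSA_NO_VERIFY`, `WOLFSSL_MLDSA_VERIFY_SMALL_MEM`, `WC_MLDSA_CACHE_PUB_VECTORS`) decide which verify path is compiled. The commit adds `WOLFSSL_NO_DILITHIUM_LEGACY_GATES` to the known-macro list, which suggests the mapping can be switched off, though the mapping itself is not visible here. With it off, a no-heap target that set `WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC` would presumably compile the allocating branch of `mldsa_verify_with_mu` without any warning. I would add one guard per renamed gate next to the mapping, such as `#if defined(WOLFSSL_NO_DILITHIUM_LEGACY_GATES) && defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM)` followed by `#error "use WOLFSSL_MLDSA_VERIFY_SMALL_MEM"`. The same concern covers the `_NO_CTX`, `_NO_SIGN`, `_SMALL` and `_SMALL_MEM_POLY64` gates renamed in the other hunks of this file.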
@@ -9548,12 +9555,12 @@ static void dilithium_make_pub_vec(dilithium_key* key, sword32* t1) * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, +static int mldsa_verify_with_mu(MlDsaKey* key, const byte* mu, const byte* sig, word32 sigLen, int* res) { -#ifndef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM +#ifndef WOLFSSL_MLDSA_VERIFY_SMALL_MEM int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* pub_seed = key->p; const byte* commit = sig; const byte* ze = sig + params->lambda / 4; @@ -9575,12 +9582,12 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, } if (ret == 0) { /* Step 13: Verify the hint is well-formed. */ - ret = dilithium_check_hint(h, params->k, params->omega); + ret = mldsa_check_hint(h, params->k, params->omega); } /* Allocate memory for large intermediates. */ -#ifdef WC_DILITHIUM_CACHE_MATRIX_A -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->a == NULL)) { key->a = (sword32*)XMALLOC(params->aSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -9596,8 +9603,8 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, a = key->a; } #endif -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_PUB_VECTORS +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->t1 == NULL)) { key->t1 = (sword32*)XMALLOC(params->s2Sz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -9619,7 +9626,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, /* z, c, w, t1/t1c */ allocSz = (unsigned int)DILITHIUM_POLY_SIZE + params->s1Sz + params->s2Sz + params->s2Sz; -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A /* a */ allocSz += params->aSz; #endif 
@@ -9632,13 +9639,13 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, XMEMSET(z, 0, allocSz); c = z + params->s1Sz / sizeof(*z); w = c + DILITHIUM_N; -#ifndef WC_DILITHIUM_CACHE_PUB_VECTORS +#ifndef WC_MLDSA_CACHE_PUB_VECTORS t1 = w + params->s2Sz / sizeof(*w); t1c = t1; #else t1c = w + params->s2Sz / sizeof(*w); #endif -#ifndef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_CACHE_MATRIX_A a = t1 + params->s2Sz / sizeof(*t1); #endif w1e = (byte*)c; @@ -9647,30 +9654,30 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, if (ret == 0) { /* Step 2: Decode z from signature. */ - dilithium_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z); + mldsa_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z); /* Step 13: Check z is valid - values are low enough. */ hi = ((sword32)1 << params->gamma1_bits) - params->beta; - valid = dilithium_vec_check_low(z, params->l, hi); + valid = mldsa_vec_check_low(z, params->l, hi); } if ((ret == 0) && valid) { -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS +#ifdef WC_MLDSA_CACHE_PUB_VECTORS /* Check that we haven't already cached the public vector. */ if (!key->pubVecSet) #endif { /* Step 1: Decode and NTT vector t1. */ - dilithium_make_pub_vec(key, t1); + mldsa_make_pub_vec(key, t1); } -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A /* Check that we haven't already cached the matrix A. */ if (!key->aSet) #endif { /* Step 5: Expand pub seed to compute matrix A. */ - ret = dilithium_expand_a(&key->shake, pub_seed, params->k, + ret = mldsa_expand_a(&key->shake, pub_seed, params->k, params->l, a, key->heap); -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A /* Whether we have cached A is dependent on success of operation. */ key->aSet = (ret == 0); #endif 
@@ -9678,26 +9685,26 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, } if ((ret == 0) && valid) { /* Step 9: Compute c from commit. */ - ret = dilithium_sample_in_ball(params->level, &key->shake, commit, + ret = mldsa_sample_in_ball(params->level, &key->shake, commit, params->lambda / 4, params->tau, c, key->heap); } if ((ret == 0) && valid) { /* Step 10: w = NTT-1(A o NTT(z) - NTT(c) o NTT(t1)) */ - dilithium_vec_ntt_full(z, params->l); - dilithium_matrix_mul(w, a, z, params->k, params->l); - #ifdef WOLFSSL_DILITHIUM_SMALL - dilithium_vec_red(w, params->k); + mldsa_vec_ntt_full(z, params->l); + mldsa_matrix_mul(w, a, z, params->k, params->l); + #ifdef WOLFSSL_MLDSA_SMALL + mldsa_vec_red(w, params->k); #endif - dilithium_ntt_small_full(c); - dilithium_vec_mul(t1c, c, t1, params->k); - dilithium_vec_sub(w, t1c, params->k); - dilithium_vec_invntt_full(w, params->k); + mldsa_ntt_small_full(c); + mldsa_vec_mul(t1c, c, t1, params->k); + mldsa_vec_sub(w, t1c, params->k); + mldsa_vec_invntt_full(w, params->k); /* Step 11: Use hint to give full w1. */ - dilithium_vec_use_hint(w, params->k, params->gamma2, params->omega, h); + mldsa_vec_use_hint(w, params->k, params->gamma2, params->omega, h); /* Step 12: Encode w1. */ - dilithium_vec_encode_w1(w, params->k, params->gamma2, w1e); + mldsa_vec_encode_w1(w, params->k, params->gamma2, w1e); /* Step 12: Hash mu and encoded w1. */ - ret = dilithium_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, + ret = mldsa_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, params->w1EncSz, commit_calc, params->lambda / 4); } if ((ret == 0) && valid) { @@ -9710,7 +9717,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, return ret; #else int ret = 0; - const wc_dilithium_params* params = key->params; + const MlDsaParams* params = key->params; const byte* pub_seed = key->p; const byte* t1p = pub_seed + DILITHIUM_PUB_SEED_SZ; const byte* commit = sig; 
@@ -9721,10 +9728,10 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, sword32* c = NULL; sword32* z = NULL; sword32* w = NULL; -#ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 +#ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 sword64* t64 = NULL; #endif -#ifndef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC +#ifndef WOLFSSL_MLDSA_VERIFY_NO_MALLOC byte* block = NULL; #endif byte* w1e = NULL; @@ -9742,10 +9749,10 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, } if (ret == 0) { /* Step 13: Verify the hint is well-formed. */ - ret = dilithium_check_hint(h, params->k, params->omega); + ret = mldsa_check_hint(h, params->k, params->omega); } -#ifndef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC +#ifndef WOLFSSL_MLDSA_VERIFY_NO_MALLOC /* Allocate memory for large intermediates. */ if (ret == 0) { /* z, c, w, t1, w1e. */ @@ -9754,7 +9761,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, allocSz = (unsigned int)params->s1Sz + params->w1EncSz + 3U * (unsigned int)DILITHIUM_POLY_SIZE + (unsigned int)DILITHIUM_REJ_NTT_POLY_H_SIZE; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 allocSz += (unsigned int)DILITHIUM_POLY_SIZE * 2U; #endif z = (sword32*)XMALLOC(allocSz, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -9769,7 +9776,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, block = (byte*)(t1 + DILITHIUM_N); w1e = block + DILITHIUM_REJ_NTT_POLY_H_SIZE; a = t1; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = (sword64*)(w1e + params->w1EncSz); #endif } @@ -9782,7 +9789,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, t1 = key->t1; w1e = key->w1e; a = t1; - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 t64 = key->t64; #endif } 
@@ -9790,26 +9797,26 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, if (ret == 0) { /* Step 2: Decode z from signature. */ - dilithium_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z); + mldsa_vec_decode_gamma1(ze, params->l, params->gamma1_bits, z); /* Step 13: Check z is valid - values are low enough. */ hi = ((sword32)1 << params->gamma1_bits) - params->beta; - valid = dilithium_vec_check_low(z, params->l, hi); + valid = mldsa_vec_check_low(z, params->l, hi); } if ((ret == 0) && valid) { /* Step 10: NTT(z) */ - dilithium_vec_ntt_full(z, params->l); + mldsa_vec_ntt_full(z, params->l); /* Step 9: Compute c from first 256 bits of commit. */ -#ifdef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC - ret = dilithium_sample_in_ball_ex(params->level, &key->shake, commit, +#ifdef WOLFSSL_MLDSA_VERIFY_NO_MALLOC + ret = mldsa_sample_in_ball_ex(params->level, &key->shake, commit, params->lambda / 4, params->tau, c, key->block); #else - ret = dilithium_sample_in_ball_ex(params->level, &key->shake, commit, + ret = mldsa_sample_in_ball_ex(params->level, &key->shake, commit, params->lambda / 4, params->tau, c, block); #endif } if ((ret == 0) && valid) { - dilithium_ntt_small_full(c); + mldsa_ntt_small_full(c); o = 0; encW1 = w1e; 
@@ -9823,31 +9830,31 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, const sword32* zt = z; /* Step 1: Decode and NTT vector t1. */ - dilithium_decode_t1(t1p, w); + mldsa_decode_t1(t1p, w); /* Next polynomial. */ t1p += DILITHIUM_U * DILITHIUM_N / 8; /* Step 10: - NTT(c) o NTT(t1)) */ - dilithium_ntt_full(w); - #ifndef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 - #ifdef WOLFSSL_DILITHIUM_SMALL + mldsa_ntt_full(w); + #ifndef WOLFSSL_MLDSA_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - w[e] = -dilithium_mont_red((sword64)c[e] * w[e]); + w[e] = -mldsa_mont_red((sword64)c[e] * w[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - w[e+0] = -dilithium_mont_red((sword64)c[e+0] * w[e+0]); - w[e+1] = -dilithium_mont_red((sword64)c[e+1] * w[e+1]); - w[e+2] = -dilithium_mont_red((sword64)c[e+2] * w[e+2]); - w[e+3] = -dilithium_mont_red((sword64)c[e+3] * w[e+3]); - w[e+4] = -dilithium_mont_red((sword64)c[e+4] * w[e+4]); - w[e+5] = -dilithium_mont_red((sword64)c[e+5] * w[e+5]); - w[e+6] = -dilithium_mont_red((sword64)c[e+6] * w[e+6]); - w[e+7] = -dilithium_mont_red((sword64)c[e+7] * w[e+7]); + w[e+0] = -mldsa_mont_red((sword64)c[e+0] * w[e+0]); + w[e+1] = -mldsa_mont_red((sword64)c[e+1] * w[e+1]); + w[e+2] = -mldsa_mont_red((sword64)c[e+2] * w[e+2]); + w[e+3] = -mldsa_mont_red((sword64)c[e+3] * w[e+3]); + w[e+4] = -mldsa_mont_red((sword64)c[e+4] * w[e+4]); + w[e+5] = -mldsa_mont_red((sword64)c[e+5] * w[e+5]); + w[e+6] = -mldsa_mont_red((sword64)c[e+6] * w[e+6]); + w[e+7] = -mldsa_mont_red((sword64)c[e+7] * w[e+7]); } #endif #else - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] = -(sword64)c[e] * w[e]; } 
@@ -9872,32 +9879,32 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, /* Put s into buffer to be hashed. */ seed[DILITHIUM_PUB_SEED_SZ + 0] = (byte)s; /* Step 3: Create polynomial from hashing seed. */ - #ifdef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC - ret = dilithium_rej_ntt_poly_ex(&key->shake, seed, a, key->h); + #ifdef WOLFSSL_MLDSA_VERIFY_NO_MALLOC + ret = mldsa_rej_ntt_poly_ex(&key->shake, seed, a, key->h); #else - ret = dilithium_rej_ntt_poly_ex(&key->shake, seed, a, block); + ret = mldsa_rej_ntt_poly_ex(&key->shake, seed, a, block); #endif /* Step 10: w = A o NTT(z) - NTT(c) o NTT(t1) */ - #ifndef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifndef WOLFSSL_MLDSA_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { - w[e] += dilithium_mont_red((sword64)a[e] * zt[e]); + w[e] += mldsa_mont_red((sword64)a[e] * zt[e]); } #else for (e = 0; e < DILITHIUM_N; e += 8) { - w[e+0] += dilithium_mont_red((sword64)a[e+0] * zt[e+0]); - w[e+1] += dilithium_mont_red((sword64)a[e+1] * zt[e+1]); - w[e+2] += dilithium_mont_red((sword64)a[e+2] * zt[e+2]); - w[e+3] += dilithium_mont_red((sword64)a[e+3] * zt[e+3]); - w[e+4] += dilithium_mont_red((sword64)a[e+4] * zt[e+4]); - w[e+5] += dilithium_mont_red((sword64)a[e+5] * zt[e+5]); - w[e+6] += dilithium_mont_red((sword64)a[e+6] * zt[e+6]); - w[e+7] += dilithium_mont_red((sword64)a[e+7] * zt[e+7]); + w[e+0] += mldsa_mont_red((sword64)a[e+0] * zt[e+0]); + w[e+1] += mldsa_mont_red((sword64)a[e+1] * zt[e+1]); + w[e+2] += mldsa_mont_red((sword64)a[e+2] * zt[e+2]); + w[e+3] += mldsa_mont_red((sword64)a[e+3] * zt[e+3]); + w[e+4] += mldsa_mont_red((sword64)a[e+4] * zt[e+4]); + w[e+5] += mldsa_mont_red((sword64)a[e+5] * zt[e+5]); + w[e+6] += mldsa_mont_red((sword64)a[e+6] * zt[e+6]); + w[e+7] += mldsa_mont_red((sword64)a[e+7] * zt[e+7]); } #endif #else - #ifdef WOLFSSL_DILITHIUM_SMALL + #ifdef WOLFSSL_MLDSA_SMALL for (e = 0; e < DILITHIUM_N; e++) { t64[e] += 
(sword64)a[e] * zt[e]; } @@ -9917,21 +9924,21 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, /* Next polynomial. */ zt += DILITHIUM_N; } - #ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 for (e = 0; e < DILITHIUM_N; e++) { - w[e] = dilithium_mont_red(t64[e]); + w[e] = mldsa_mont_red(t64[e]); } #endif /* Step 10: w = NTT-1(A o NTT(z) - NTT(c) o NTT(t1)) */ - dilithium_invntt_full(w); + mldsa_invntt_full(w); #ifndef WOLFSSL_NO_ML_DSA_44 if (params->gamma2 == DILITHIUM_Q_LOW_88) { /* Step 11: Use hint to give full w1. */ - dilithium_use_hint_88(w, h, r, &o); + mldsa_use_hint_88(w, h, r, &o); /* Step 12: Encode w1. */ - dilithium_encode_w1_88(w, encW1); + mldsa_encode_w1_88(w, encW1); encW1 += DILITHIUM_Q_HI_88_ENC_BITS * 2 * DILITHIUM_N / 16; } else @@ -9939,9 +9946,9 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, #if !defined(WOLFSSL_NO_ML_DSA_65) || !defined(WOLFSSL_NO_ML_DSA_87) if (params->gamma2 == DILITHIUM_Q_LOW_32) { /* Step 11: Use hint to give full w1. */ - dilithium_use_hint_32(w, h, params->omega, r, &o); + mldsa_use_hint_32(w, h, params->omega, r, &o); /* Step 12: Encode w1. */ - dilithium_encode_w1_32(w, encW1); + mldsa_encode_w1_32(w, encW1); encW1 += DILITHIUM_Q_HI_32_ENC_BITS * 2 * DILITHIUM_N / 16; } else @@ -9952,7 +9959,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, } if ((ret == 0) && valid) { /* Step 12: Hash mu and encoded w1. */ - ret = dilithium_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, + ret = mldsa_hash256(&key->shake, mu, DILITHIUM_MU_SZ, w1e, params->w1EncSz, commit_calc, params->lambda / 4); } if ((ret == 0) && valid) { 
@@ -9961,16 +9968,16 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, } *res = valid; -#ifndef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC +#ifndef WOLFSSL_MLDSA_VERIFY_NO_MALLOC XFREE(z, key->heap, DYNAMIC_TYPE_DILITHIUM); #endif return ret; -#endif /* !WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM */ +#endif /* !WOLFSSL_MLDSA_VERIFY_SMALL_MEM */ } /* Verify signature of message using public key. * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] ctx Context of verification. * @param [in] ctxLen Length of context in bytes. * @param [in] msg Message to verify. @@ -9985,7 +9992,7 @@ static int dilithium_verify_with_mu(dilithium_key* key, const byte* mu, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx, +static int mldsa_verify_ctx_msg(MlDsaKey* key, const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, const byte* sig, word32 sigLen, int* res) { 
@@ -9999,25 +10006,25 @@ static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx, if (ret == 0) { /* Step 6: Hash public key. */ - ret = dilithium_shake256(&key->shake, key->p, key->params->pkSz, tr, + ret = mldsa_shake256(&key->shake, key->p, key->params->pkSz, tr, DILITHIUM_TR_SZ); } if (ret == 0) { /* Step 6. Calculate mu. */ - ret = dilithium_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, + ret = mldsa_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 0, ctx, (byte)ctxLen, msg, msgLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res); + ret = mldsa_verify_with_mu(key, mu, sig, sigLen, res); } return ret; } -#ifdef WOLFSSL_DILITHIUM_NO_CTX +#ifdef WOLFSSL_MLDSA_NO_CTX /* Verify signature of message using public key. * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] msg Message to verify. * @param [in] msgLen Length of message in bytes. * @param [in] sig Signature to verify message. @@ -10030,7 +10037,7 @@ static int dilithium_verify_ctx_msg(dilithium_key* key, const byte* ctx, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_verify_msg(dilithium_key* key, const byte* msg, +static int mldsa_verify_msg(MlDsaKey* key, const byte* msg, word32 msgLen, const byte* sig, word32 sigLen, int* res) { int ret = 0; 
@@ -10043,25 +10050,25 @@ static int dilithium_verify_msg(dilithium_key* key, const byte* msg, if (ret == 0) { /* Step 6: Hash public key. */ - ret = dilithium_shake256(&key->shake, key->p, key->params->pkSz, tr, + ret = mldsa_shake256(&key->shake, key->p, key->params->pkSz, tr, DILITHIUM_TR_SZ); } if (ret == 0) { /* Step 6. Calculate mu. */ - ret = dilithium_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, + ret = mldsa_hash256(&key->shake, tr, DILITHIUM_TR_SZ, msg, msgLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res); + ret = mldsa_verify_with_mu(key, mu, sig, sigLen, res); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Verify signature of message using public key. * - * @param [in, out] key Dilithium key. + * @param [in, out] key ML-DSA key. * @param [in] ctx Context of verification. * @param [in] ctxLen Length of context in bytes. * @param [iu] hashAlg Hash algorithm used on message. @@ -10077,7 +10084,7 @@ static int dilithium_verify_msg(dilithium_key* key, const byte* msg, * @return MEMORY_E when memory allocation fails. * @return Other negative when an error occurs. */ -static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx, +static int mldsa_verify_ctx_hash(MlDsaKey* key, const byte* ctx, byte ctxLen, int hashAlg, const byte* hash, word32 hashLen, const byte* sig, word32 sigLen, int* res) { 
@@ -10099,30 +10106,30 @@ static int dilithium_verify_ctx_hash(dilithium_key* key, const byte* ctx, if (ret == 0) { /* Step 6: Hash public key. */ - ret = dilithium_shake256(&key->shake, key->p, key->params->pkSz, tr, + ret = mldsa_shake256(&key->shake, key->p, key->params->pkSz, tr, DILITHIUM_TR_SZ); } if (ret == 0) { - ret = dilithium_get_hash_oid(hashAlg, oidMsgHash, &oidMsgHashLen); + ret = mldsa_get_hash_oid(hashAlg, oidMsgHash, &oidMsgHashLen); } if (ret == 0) { XMEMCPY(oidMsgHash + oidMsgHashLen, hash, hashLen); oidMsgHashLen += hashLen; /* Step 6. Calculate mu. */ - ret = dilithium_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 1, + ret = mldsa_hash256_ctx_msg(&key->shake, tr, DILITHIUM_TR_SZ, 1, ctx, (byte)ctxLen, oidMsgHash, oidMsgHashLen, mu, DILITHIUM_MU_SZ); } if (ret == 0) { - ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res); + ret = mldsa_verify_with_mu(key, mu, sig, sigLen, res); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY -int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng) +#ifndef WOLFSSL_MLDSA_NO_MAKE_KEY +int wc_MlDsaKey_MakeKey(MlDsaKey* key, WC_RNG* rng) { int ret = 0; @@ -10154,7 +10161,7 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng) } else { /* Make the key. */ - ret = dilithium_make_key(key, rng); + ret = mldsa_make_key(key, rng); } } 
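Review bot: The closing comment `#endif /* WOLFSSL_MLDSA_NO_VERIFY */` in this hunk reads as the opposite of the condition it appears to close, an `#ifndef WOLFSSL_MLDSA_NO_VERIFY` opened earlier in the file. The sign section is closed as `#endif /* !WOLFSSL_MLDSA_NO_SIGN */`, so I would write `#endif /* !WOLFSSL_MLDSA_NO_VERIFY */` here to match, since the line is being touched anyway. Both `mldsa_verify_ctx_hash` and `wc_MlDsaKey_MakeKey` extend beyond the hunk.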
@@ -10172,13 +10179,11 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng) DYNAMIC_TYPE_DILITHIUM, ret = MEMORY_E); if (ret == 0) { - ret = wc_dilithium_sign_ctx_msg(NULL, 0, pct_msg, sizeof(pct_msg), - pct_sig, &pct_sigSz, key, rng); + ret = wc_MlDsaKey_SignCtx(key, NULL, 0, pct_sig, &pct_sigSz, pct_msg, sizeof(pct_msg), rng); } if (ret == 0) - ret = wc_dilithium_verify_ctx_msg(pct_sig, pct_sigSz, - NULL, 0, pct_msg, sizeof(pct_msg), &pct_res, key); + ret = wc_MlDsaKey_VerifyCtx(key, pct_sig, pct_sigSz, NULL, 0, pct_msg, sizeof(pct_msg), &pct_res); if (ret == 0 && pct_res != 1) ret = ML_DSA_PCT_E; @@ -10192,7 +10197,7 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng) * must be rendered unusable. Zeroize the generated key material so * a caller that ignores the return value cannot use it. */ if (ret != 0) { - wc_dilithium_free(key); + wc_MlDsaKey_Free(key); } } #endif /* HAVE_FIPS */ @@ -10200,7 +10205,7 @@ int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng) return ret; } -int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) +int wc_MlDsaKey_MakeKeyFromSeed(MlDsaKey* key, const byte* seed) { int ret = 0; @@ -10216,18 +10221,18 @@ int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) } else { /* Make the key. */ - ret = dilithium_make_key_from_seed(key, seed); + ret = mldsa_make_key_from_seed(key, seed); } } - /* Note: PCT is performed in wc_dilithium_make_key() which calls this + /* Note: PCT is performed in wc_MlDsaKey_MakeKey() which calls this * function and has the RNG parameter needed for signing. */ return ret; } #endif -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* Sign the message using the dilithium private key. * * ctx [in] Context of signature. 
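Review bot: The two pairwise-consistency-test calls added in the first hunk here are each written on a single line well past the width the surrounding code wraps at, which makes the reordered argument list hard to check by eye. This commit moves `key` to the front and swaps the signature and message arguments, so I would wrap each call with every buffer next to its length, e.g. `ret = wc_MlDsaKey_SignCtx(key, NULL, 0, pct_sig, &pct_sigSz,` then `pct_msg, sizeof(pct_msg), rng);`, and likewise for `wc_MlDsaKey_VerifyCtx`. The arguments as written do match the new signatures shown in the later hunks. The enclosing `wc_MlDsaKey_MakeKey` starts and ends outside the hunk.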
@@ -10237,14 +10242,14 @@ int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed) * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, - word32 msgLen, byte* sig, word32 *sigLen, dilithium_key* key, WC_RNG* rng) +int wc_MlDsaKey_SignCtx(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32 *sigLen, const byte* msg, word32 msgLen, WC_RNG* rng) { int ret = 0; @@ -10277,14 +10282,14 @@ int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_ctx_msg(key, rng, ctx, ctxLen, msg, msgLen, sig, + ret = mldsa_sign_ctx_msg(key, rng, ctx, ctxLen, msg, msgLen, sig, sigLen); } return ret; } -#ifdef WOLFSSL_DILITHIUM_NO_CTX +#ifdef WOLFSSL_MLDSA_NO_CTX /* Sign the message using the dilithium private key. * * msg [in] Message to sign. 
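Review bot: The header comment above `wc_MlDsaKey_SignCtx` still lists the parameters in the old order (ctx, ctxLen, msg, msgLen, sig, sigLen, key), has no entry for `rng`, and its BUFFER_E line refers to `outLen`, which is not a parameter. The new signature is key, ctx, ctxLen, sig, sigLen, msg, msgLen, rng. The message and signature buffers traded places, so I would reorder the comment to match: `key` first, the `sig`/`sigLen` lines ahead of the `msg`/`msgLen` lines, and a new last line `* rng [in] Random number generator.`. The same stale ordering shows on the comments for `wc_MlDsaKey_Sign`, `wc_MlDsaKey_SignCtxHash`, `wc_MlDsaKey_SignCtxWithSeed`, `wc_MlDsaKey_SignWithSeed`, `wc_MlDsaKey_SignCtxHashWithSeed`, `wc_MlDsaKey_SignMuWithSeed` and the `wc_MlDsaKey_Verify*` functions in the following hunks. In the seeded variants `msg`/`mu` and `seed` are both `const byte*`, so a call with them swapped compiles cleanly and the comment is the only guide a caller has.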
@@ -10292,15 +10297,15 @@ int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL or public key not set, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. * NOTE: This is a pre-FIPS 204 API without context support. New code should - * use wc_dilithium_sign_ctx_msg() with ctx=NULL/ctxLen=0 instead. + * use wc_MlDsaKey_SignCtx() with ctx=NULL/ctxLen=0 instead. */ -int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, - word32 *sigLen, dilithium_key* key, WC_RNG* rng) +int wc_MlDsaKey_Sign(MlDsaKey* key, byte* sig, word32 *sigLen, + const byte* msg, word32 msgLen, WC_RNG* rng) { int ret = 0; @@ -10327,12 +10332,12 @@ int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_msg(key, rng, msg, msgLen, sig, sigLen); + ret = mldsa_sign_msg(key, rng, msg, msgLen, sig, sigLen); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Sign the message hash using the dilithium private key. * 
@@ -10344,15 +10349,15 @@ int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_sign_ctx_hash(const byte* ctx, byte ctxLen, int hashAlg, - const byte* hash, word32 hashLen, byte* sig, word32 *sigLen, - dilithium_key* key, WC_RNG* rng) +int wc_MlDsaKey_SignCtxHash(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32 *sigLen, const byte* hash, word32 hashLen, + int hashAlg, WC_RNG* rng) { int ret = 0; @@ -10382,7 +10387,7 @@ int wc_dilithium_sign_ctx_hash(const byte* ctx, byte ctxLen, int hashAlg, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_ctx_hash(key, rng, ctx, ctxLen, hashAlg, hash, + ret = mldsa_sign_ctx_hash(key, rng, ctx, ctxLen, hashAlg, hash, hashLen, sig, sigLen); } 
@@ -10398,15 +10403,15 @@ int wc_dilithium_sign_ctx_hash(const byte* ctx, byte ctxLen, int hashAlg, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, - const byte* msg, word32 msgLen, byte* sig, word32 *sigLen, - dilithium_key* key, const byte* seed) +int wc_MlDsaKey_SignCtxWithSeed(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32 *sigLen, const byte* msg, word32 msgLen, + const byte* seed) { int ret = 0; @@ -10420,14 +10425,14 @@ int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_ctx_msg_with_seed(key, seed, ctx, ctxLen, msg, + ret = mldsa_sign_ctx_msg_with_seed(key, seed, ctx, ctxLen, msg, msgLen, sig, sigLen); } return ret; } -#ifdef WOLFSSL_DILITHIUM_NO_CTX +#ifdef WOLFSSL_MLDSA_NO_CTX /* Sign the message using the dilithium private key. * * msg [in] Message to sign. 
@@ -10435,15 +10440,15 @@ int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL or public key not set, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. * NOTE: This is a pre-FIPS 204 API without context support. New code should - * use wc_dilithium_sign_ctx_msg_with_seed() instead. + * use wc_MlDsaKey_SignCtxWithSeed() instead. */ -int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, - word32 *sigLen, dilithium_key* key, const byte* seed) +int wc_MlDsaKey_SignWithSeed(MlDsaKey* key, byte* sig, word32 *sigLen, + const byte* msg, word32 msgLen, const byte* seed) { int ret = 0; @@ -10454,12 +10459,12 @@ int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_msg_with_seed(key, seed, msg, msgLen, sig, sigLen); + ret = mldsa_sign_msg_with_seed(key, seed, msg, msgLen, sig, sigLen); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Sign the message using the dilithium private key. * 
@@ -10471,15 +10476,15 @@ int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing + * key [in] ML-DSA key to use when signing * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when outLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen, - int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen, - dilithium_key* key, const byte* seed) +int wc_MlDsaKey_SignCtxHashWithSeed(MlDsaKey* key, const byte* ctx, + byte ctxLen, byte* sig, word32 *sigLen, const byte* hash, + word32 hashLen, int hashAlg, const byte* seed) { int ret = 0; @@ -10494,7 +10499,7 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen, if (ret == 0) { /* Sign message. */ - ret = dilithium_sign_ctx_hash_with_seed(key, seed, ctx, ctxLen, + ret = mldsa_sign_ctx_hash_with_seed(key, seed, ctx, ctxLen, hashAlg, hash, hashLen, sig, sigLen); } @@ -10512,14 +10517,14 @@ int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen, * sig [out] Buffer to write signature into. * sigLen [in/out] On in, size of buffer. * On out, the length of the signature in bytes. - * key [in] Dilithium key to use when signing. + * key [in] ML-DSA key to use when signing. * seed [in] 32-byte random seed (rnd). * returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64, * BUFFER_E when sigLen is too small, * 0 otherwise. */ -int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen, - byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed) +int wc_MlDsaKey_SignMuWithSeed(MlDsaKey* key, byte* sig, word32 *sigLen, + const byte* mu, word32 muLen, const byte* seed) { int ret = 0; 
@@ -10537,15 +10542,15 @@ int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen, byte seedMu[DILITHIUM_RND_SZ + DILITHIUM_MU_SZ]; XMEMCPY(seedMu, seed, DILITHIUM_RND_SZ); XMEMCPY(seedMu + DILITHIUM_RND_SZ, mu, DILITHIUM_MU_SZ); - ret = dilithium_sign_with_seed_mu(key, seedMu, sig, sigLen); + ret = mldsa_sign_with_seed_mu(key, seedMu, sig, sigLen); ForceZero(seedMu, sizeof(seedMu)); } return ret; } -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* Verify the message using the dilithium public key. * * sig [in] Signature to verify. @@ -10555,14 +10560,14 @@ int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen, * msg [in] Message to verify. * msgLen [in] Length of the message in bytes. * res [out] *res is set to 1 on successful verification. - * key [in] Dilithium key to use to verify. + * key [in] ML-DSA key to use to verify. * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when sigLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, - byte ctxLen, const byte* msg, word32 msgLen, int* res, dilithium_key* key) +int wc_MlDsaKey_VerifyCtx(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, int* res) { int ret = 0; @@ -10596,14 +10601,14 @@ int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, if (ret == 0) { /* Verify message with signature. */ - ret = dilithium_verify_ctx_msg(key, ctx, ctxLen, msg, msgLen, sig, + ret = mldsa_verify_ctx_msg(key, ctx, ctxLen, msg, msgLen, sig, sigLen, res); } return ret; } -#ifdef WOLFSSL_DILITHIUM_NO_CTX +#ifdef WOLFSSL_MLDSA_NO_CTX /* Verify the message using the dilithium public key. * * sig [in] Signature to verify. 
@@ -10611,15 +10616,15 @@ int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, * msg [in] Message to verify. * msgLen [in] Length of the message in bytes. * res [out] *res is set to 1 on successful verification. - * key [in] Dilithium key to use to verify. + * key [in] ML-DSA key to use to verify. * returns BAD_FUNC_ARG when a parameter is NULL or contextLen is zero when and * BUFFER_E when sigLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. * NOTE: This is a pre-FIPS 204 API without context support. New code should - * use wc_dilithium_verify_ctx_msg() with ctx=NULL/ctxLen=0 instead. + * use wc_MlDsaKey_VerifyCtx() with ctx=NULL/ctxLen=0 instead. */ -int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, - word32 msgLen, int* res, dilithium_key* key) +int wc_MlDsaKey_Verify(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* msg, word32 msgLen, int* res) { int ret = 0; @@ -10646,12 +10651,12 @@ int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, if (ret == 0) { /* Verify message with signature. */ - ret = dilithium_verify_msg(key, msg, msgLen, sig, sigLen, res); + ret = mldsa_verify_msg(key, msg, msgLen, sig, sigLen, res); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ +#endif /* WOLFSSL_MLDSA_NO_CTX */ /* Verify the message using the dilithium public key. * 
@@ -10663,15 +10668,15 @@ int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, * hash [in] Hash of message to verify. * hashLen [in] Length of the message hash in bytes. * res [out] *res is set to 1 on successful verification. - * key [in] Dilithium key to use to verify. + * key [in] ML-DSA key to use to verify. * returns BAD_FUNC_ARG when a parameter is NULL, public key not set * or ctx is NULL and ctxLen is not 0, * BUFFER_E when sigLen is less than DILITHIUM_LEVEL2_SIG_SIZE, * 0 otherwise. */ -int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen, - const byte* ctx, byte ctxLen, int hashAlg, const byte* hash, word32 hashLen, - int* res, dilithium_key* key) +int wc_MlDsaKey_VerifyCtxHash(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* ctx, byte ctxLen, const byte* hash, word32 hashLen, + int hashAlg, int* res) { int ret = 0; @@ -10701,7 +10706,7 @@ int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen, if (ret == 0) { /* Verify message with signature. */ - ret = dilithium_verify_ctx_hash(key, ctx, ctxLen, hashAlg, hash, + ret = mldsa_verify_ctx_hash(key, ctx, ctxLen, hashAlg, hash, hashLen, sig, sigLen, res); } @@ -10719,12 +10724,12 @@ int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen, * mu [in] Pre-computed mu value (64 bytes). * muLen [in] Length of mu in bytes (must be 64). * res [out] *res is set to 1 on successful verification. - * key [in] Dilithium key to use to verify. + * key [in] ML-DSA key to use to verify. * returns BAD_FUNC_ARG when a parameter is NULL or muLen is not 64, * 0 otherwise. */ -int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu, - word32 muLen, int* res, dilithium_key* key) +int wc_MlDsaKey_VerifyMu(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* mu, word32 muLen, int* res) { int ret = 0; 
@@ -10737,12 +10742,12 @@ int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu, } if (ret == 0) { - ret = dilithium_verify_with_mu(key, mu, sig, sigLen, res); + ret = mldsa_verify_with_mu(key, mu, sig, sigLen, res); } return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* WOLFSSL_MLDSA_NO_VERIFY */ #ifndef WC_NO_CONSTRUCTORS /** @@ -10753,13 +10758,13 @@ int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu, * returns MEMORY_E when dynamic memory allocation fails */ -dilithium_key* wc_dilithium_new(void* heap, int devId) +MlDsaKey* wc_MlDsaKey_New(void* heap, int devId) { int ret; - dilithium_key* key = (dilithium_key*)XMALLOC(sizeof(dilithium_key), heap, + MlDsaKey* key = (MlDsaKey*)XMALLOC(sizeof(MlDsaKey), heap, DYNAMIC_TYPE_DILITHIUM); if (key != NULL) { - ret = wc_dilithium_init_ex(key, heap, devId); + ret = wc_MlDsaKey_Init(key, heap, devId); if (ret != 0) { XFREE(key, heap, DYNAMIC_TYPE_DILITHIUM); key = NULL; @@ -10777,13 +10782,13 @@ dilithium_key* wc_dilithium_new(void* heap, int devId) * returns BAD_FUNC_ARG when key is NULL */ -int wc_dilithium_delete(dilithium_key* key, dilithium_key** key_p) +int wc_MlDsaKey_Delete(MlDsaKey* key, MlDsaKey** key_p) { void* heap; if (key == NULL) return BAD_FUNC_ARG; heap = key->heap; - wc_dilithium_free(key); + wc_MlDsaKey_Free(key); XFREE(key, heap, DYNAMIC_TYPE_DILITHIUM); if (key_p != NULL) *key_p = NULL; 
@@ -10792,24 +10797,14 @@ int wc_dilithium_delete(dilithium_key* key, dilithium_key** key_p) } #endif /* !WC_NO_CONSTRUCTORS */ -/* Initialize the dilithium private/public key. - * - * key [in] Dilithium key. - * returns BAD_FUNC_ARG when key is NULL - */ -int wc_dilithium_init(dilithium_key* key) -{ - return wc_dilithium_init_ex(key, NULL, INVALID_DEVID); -} - -/* Initialize the dilithium private/public key. +/* Initialize the ML-DSA private/public key. * - * key [in] Dilithium key. + * key [in] ML-DSA key. * heap [in] Heap hint. * devId[in] Device ID. * returns BAD_FUNC_ARG when key is NULL */ -int wc_dilithium_init_ex(dilithium_key* key, void* heap, int devId) +int wc_MlDsaKey_Init(MlDsaKey* key, void* heap, int devId) { int ret = 0; @@ -10843,7 +10838,7 @@ int wc_dilithium_init_ex(dilithium_key* key, void* heap, int devId) } #ifdef WOLF_PRIVATE_KEY_ID -int wc_dilithium_init_id(dilithium_key* key, const unsigned char* id, int len, +int wc_MlDsaKey_InitId(MlDsaKey* key, const unsigned char* id, int len, void* heap, int devId) { int ret = 0; @@ -10856,7 +10851,7 @@ int wc_dilithium_init_id(dilithium_key* key, const unsigned char* id, int len, } if (ret == 0) { - ret = wc_dilithium_init_ex(key, heap, devId); + ret = wc_MlDsaKey_Init(key, heap, devId); } if ((ret == 0) && (id != NULL) && (len != 0)) { XMEMCPY(key->id, id, (size_t)len); @@ -10864,12 +10859,12 @@ int wc_dilithium_init_id(dilithium_key* key, const unsigned char* id, int len, } /* Set the maximum level here */ - wc_dilithium_set_level(key, WC_ML_DSA_87); + wc_MlDsaKey_SetParams(key, WC_ML_DSA_87); return ret; } -int wc_dilithium_init_label(dilithium_key* key, const char* label, void* heap, +int wc_MlDsaKey_InitLabel(MlDsaKey* key, const char* label, void* heap, int devId) { int ret = 0; 
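Review bot: In wc_MlDsaKey_InitId the tail call `wc_MlDsaKey_SetParams(key, WC_ML_DSA_87);` runs even when `ret` is already non-zero, and its return value is discarded. If the argument checks above the hunk can fail with a non-NULL `key`, wc_MlDsaKey_Init is skipped, and SetParams (see its hunk further down) then calls XFREE on `key->a`, `key->s1`, `key->t1` and `key->k` of a structure that was never initialised, in builds with the cache or dynamic-key options. A SetParams failure is also reported to the caller as success. I would write `if (ret == 0) { ret = wc_MlDsaKey_SetParams(key, WC_ML_DSA_87); }`. wc_MlDsaKey_InitLabel in the next hunk has the same tail; both function bodies start outside their hunks.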
@@ -10886,7 +10881,7 @@ int wc_dilithium_init_label(dilithium_key* key, const char* label, void* heap, } if (ret == 0) { - ret = wc_dilithium_init_ex(key, heap, devId); + ret = wc_MlDsaKey_Init(key, heap, devId); } if (ret == 0) { XMEMCPY(key->label, label, (size_t)labelLen); @@ -10894,7 +10889,7 @@ int wc_dilithium_init_label(dilithium_key* key, const char* label, void* heap, } /* Set the maximum level here */ - wc_dilithium_set_level(key, WC_ML_DSA_87); + wc_MlDsaKey_SetParams(key, WC_ML_DSA_87); return ret; } @@ -10902,11 +10897,11 @@ int wc_dilithium_init_label(dilithium_key* key, const char* label, void* heap, /* Set the level of the dilithium private/public key. * - * key [out] Dilithium key. + * key [out] ML-DSA key. * level [in] Either 2,3 or 5. * returns BAD_FUNC_ARG when key is NULL or level is a bad values. */ -int wc_dilithium_set_level(dilithium_key* key, byte level) +int wc_MlDsaKey_SetParams(MlDsaKey* key, byte level) { int ret = 0; @@ -10918,7 +10913,7 @@ int wc_dilithium_set_level(dilithium_key* key, byte level) (level == WC_ML_DSA_87))) { /* Nothing to do. */ } -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) else if ((ret == 0) && ((level == WC_ML_DSA_44_DRAFT) || (level == WC_ML_DSA_65_DRAFT) || (level == WC_ML_DSA_87_DRAFT))) { /* Nothing to do. */ 
@@ -10930,31 +10925,31 @@ int wc_dilithium_set_level(dilithium_key* key, byte level) if (ret == 0) { /* Get the parameters for level into key. */ - ret = dilithium_get_params(level, &key->params); + ret = mldsa_get_params(level, &key->params); } if (ret == 0) { /* Clear any cached items. */ -#ifndef WC_DILITHIUM_FIXED_ARRAY - #ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifndef WC_MLDSA_FIXED_ARRAY + #ifdef WC_MLDSA_CACHE_MATRIX_A XFREE(key->a, key->heap, DYNAMIC_TYPE_DILITHIUM); key->a = NULL; key->aSet = 0; #endif - #ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS + #ifdef WC_MLDSA_CACHE_PRIV_VECTORS XFREE(key->s1, key->heap, DYNAMIC_TYPE_DILITHIUM); key->s1 = NULL; key->s2 = NULL; key->t0 = NULL; key->privVecsSet = 0; #endif - #ifdef WC_DILITHIUM_CACHE_PUB_VECTORS + #ifdef WC_MLDSA_CACHE_PUB_VECTORS XFREE(key->t1, key->heap, DYNAMIC_TYPE_DILITHIUM); key->t1 = NULL; key->pubVecSet = 0; #endif #endif -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS if (key->k != NULL) { ForceZero(key->k, key->kSz); XFREE(key->k, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -10978,11 +10973,11 @@ int wc_dilithium_set_level(dilithium_key* key, byte level) /* Get the level of the dilithium private/public key. * - * key [in] Dilithium key. + * key [in] ML-DSA key. * level [out] The level. * returns BAD_FUNC_ARG when key is NULL or level has not been set. */ -int wc_dilithium_get_level(dilithium_key* key, byte* level) +int wc_MlDsaKey_GetParams(MlDsaKey* key, byte* level) { int ret = 0; @@ -11005,9 +11000,9 @@ int wc_dilithium_get_level(dilithium_key* key, byte* level) /* Clears the dilithium key data * - * key [in] Dilithium key. + * key [in] ML-DSA key. */ -void wc_dilithium_free(dilithium_key* key) +void wc_MlDsaKey_Free(MlDsaKey* key) { if (key != NULL) { #if defined(WOLF_CRYPTO_CB) && defined(WOLF_CRYPTO_CB_FREE) 
@@ -11019,15 +11014,15 @@ void wc_dilithium_free(dilithium_key* key) /* always continue to software cleanup */ } #endif -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifndef WC_MLDSA_FIXED_ARRAY /* Dispose of cached items. */ - #ifdef WC_DILITHIUM_CACHE_PUB_VECTORS + #ifdef WC_MLDSA_CACHE_PUB_VECTORS XFREE(key->t1, key->heap, DYNAMIC_TYPE_DILITHIUM); #endif - #ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS + #ifdef WC_MLDSA_CACHE_PRIV_VECTORS XFREE(key->s1, key->heap, DYNAMIC_TYPE_DILITHIUM); #endif - #ifdef WC_DILITHIUM_CACHE_MATRIX_A + #ifdef WC_MLDSA_CACHE_MATRIX_A XFREE(key->a, key->heap, DYNAMIC_TYPE_DILITHIUM); #endif #endif @@ -11036,7 +11031,7 @@ void wc_dilithium_free(dilithium_key* key) /* Free the SHAKE-128/256 object. */ wc_Shake256_Free(&key->shake); #endif -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS if (key->k != NULL) { ForceZero(key->k, key->kSz); XFREE(key->k, key->heap, DYNAMIC_TYPE_DILITHIUM); @@ -11050,19 +11045,19 @@ void wc_dilithium_free(dilithium_key* key) } } -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY /* Returns the size of a dilithium private key. * * @param [in] key Dilithium private/public key. * @return Private key size on success for set level. * @return BAD_FUNC_ARG when key is NULL or level not set, */ -int wc_dilithium_size(dilithium_key* key) +int wc_MlDsaKey_Size(MlDsaKey* key) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); if (key != NULL) { - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } 
@@ -11091,19 +11086,19 @@ int wc_dilithium_size(dilithium_key* key) return ret; } -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY /* Returns the size of a dilithium private plus public key. * * @param [in] key Dilithium private/public key. * @return Private key size on success for set level. * @return BAD_FUNC_ARG when key is NULL or level not set, */ -int wc_dilithium_priv_size(dilithium_key* key) +int wc_MlDsaKey_PrivSize(MlDsaKey* key) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); if (key != NULL) { - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11142,29 +11137,29 @@ int wc_MlDsaKey_GetPrivLen(MlDsaKey* key, int* len) { int ret = 0; - *len = wc_dilithium_priv_size(key); + *len = wc_MlDsaKey_PrivSize(key); if (*len < 0) { ret = *len; } return ret; } -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ -#endif /* WOLFSSL_DILITHIUM_PRIVATE_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PRIVATE_KEY */ -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY /* Returns the size of a dilithium public key. * * @param [in] key Dilithium private/public key. * @return Public key size on success for set level. * @return BAD_FUNC_ARG when key is NULL or level not set, */ -int wc_dilithium_pub_size(dilithium_key* key) +int wc_MlDsaKey_PubSize(MlDsaKey* key) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); if (key != NULL) { - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11204,7 +11199,7 @@ int wc_MlDsaKey_GetPubLen(MlDsaKey* key, int* len) { int ret = 0; - *len = wc_dilithium_pub_size(key); + *len = wc_MlDsaKey_PubSize(key); if (*len < 0) { ret = *len; } 
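Review bot: wc_MlDsaKey_GetPrivLen writes through `len` in its first statement, `*len = wc_MlDsaKey_PrivSize(key);`, without checking it for NULL, although the size function it wraps returns BAD_FUNC_ARG for a NULL key. On failure `*len` is also left holding the negative error code, which a caller that ignores the return value could go on to use as a length. I would add `if (len == NULL) { return BAD_FUNC_ARG; }` before the assignment and store the size in a local, setting `*len` only when it is non-negative. wc_MlDsaKey_GetPubLen later on this line and wc_MlDsaKey_GetSigLen in the following hunks have the same shape.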
@@ -11213,19 +11208,19 @@ int wc_MlDsaKey_GetPubLen(MlDsaKey* key, int* len) } #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) /* Returns the size of a dilithium signature. * * @param [in] key Dilithium private/public key. * @return Signature size on success for set level. * @return BAD_FUNC_ARG when key is NULL or level not set, */ -int wc_dilithium_sig_size(dilithium_key* key) +int wc_MlDsaKey_SigSize(MlDsaKey* key) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); if (key != NULL) { - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11265,7 +11260,7 @@ int wc_MlDsaKey_GetSigLen(MlDsaKey* key, int* len) { int ret = 0; - *len = wc_dilithium_sig_size(key); + *len = wc_MlDsaKey_SigSize(key); if (*len < 0) { ret = *len; } @@ -11274,7 +11269,7 @@ int wc_MlDsaKey_GetSigLen(MlDsaKey* key, int* len) } #endif -#ifdef WOLFSSL_DILITHIUM_CHECK_KEY +#ifdef WOLFSSL_MLDSA_CHECK_KEY /* Check the public key of the dilithium key matches the private key. * * @param [in] key Dilithium private/public key. @@ -11283,10 +11278,10 @@ int wc_MlDsaKey_GetSigLen(MlDsaKey* key, int* len) * @return PUBLIC_KEY_E when the public key is not set or doesn't match, * @return MEMORY_E when dynamic memory allocation fails. */ -int wc_dilithium_check_key(dilithium_key* key) +int wc_MlDsaKey_CheckKey(MlDsaKey* key) { int ret = 0; - const wc_dilithium_params* params = NULL; + const MlDsaParams* params = NULL; sword32* a = NULL; sword32* s1 = NULL; sword32* s2 = NULL; @@ -11318,7 +11313,7 @@ int wc_dilithium_check_key(dilithium_key* key) /* s1-L, s2-K, t0-K, t-K, t1-K */ allocSz = (unsigned int)params->s1Sz + 4U * params->s2Sz; -#if !defined(WC_DILITHIUM_CACHE_MATRIX_A) +#if !defined(WC_MLDSA_CACHE_MATRIX_A) /* A-KxL */ allocSz += params->aSz; #endif 
@@ -11334,7 +11329,7 @@ int wc_dilithium_check_key(dilithium_key* key) t0 = s2 + params->s2Sz / sizeof(*s2); t = t0 + params->s2Sz / sizeof(*t0); t1 = t + params->s2Sz / sizeof(*t); -#if !defined(WC_DILITHIUM_CACHE_MATRIX_A) +#if !defined(WC_MLDSA_CACHE_MATRIX_A) a = t1 + params->s2Sz / sizeof(*t1); #else a = key->a; @@ -11343,16 +11338,16 @@ int wc_dilithium_check_key(dilithium_key* key) } if (ret == 0) { -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A /* Check that we haven't already cached the matrix A. */ if (!key->aSet) #endif { const byte* pub_seed = key->p; - ret = dilithium_expand_a(&key->shake, pub_seed, params->k, + ret = mldsa_expand_a(&key->shake, pub_seed, params->k, params->l, a, key->heap); -#ifdef WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WC_MLDSA_CACHE_MATRIX_A key->aSet = (ret == 0); #endif } 
@@ -11369,25 +11364,25 @@ int wc_dilithium_check_key(dilithium_key* key) sword32 x = 0; /* Get s1, s2 and t0 from private key. */ - dilithium_vec_decode_eta_bits(s1p, params->eta, s1, params->l); - dilithium_vec_decode_eta_bits(s2p, params->eta, s2, params->k); - dilithium_vec_decode_t0(t0p, params->k, t0); + mldsa_vec_decode_eta_bits(s1p, params->eta, s1, params->l); + mldsa_vec_decode_eta_bits(s2p, params->eta, s2, params->k); + mldsa_vec_decode_t0(t0p, params->k, t0); /* Get t1 from public key. */ - dilithium_vec_decode_t1(t1p, params->k, t1); + mldsa_vec_decode_t1(t1p, params->k, t1); /* Calcaluate t = NTT-1(A o NTT(s1)) + s2 */ - dilithium_vec_ntt_small_full(s1, params->l); - dilithium_matrix_mul(t, a, s1, params->k, params->l); - #ifdef WOLFSSL_DILITHIUM_SMALL - dilithium_vec_red(t, params->k); + mldsa_vec_ntt_small_full(s1, params->l); + mldsa_matrix_mul(t, a, s1, params->k, params->l); + #ifdef WOLFSSL_MLDSA_SMALL + mldsa_vec_red(t, params->k); #endif - dilithium_vec_invntt_full(t, params->k); - dilithium_vec_add(t, s2, params->k); + mldsa_vec_invntt_full(t, params->k); + mldsa_vec_add(t, s2, params->k); /* Subtract t0 from t. */ - dilithium_vec_sub(t, t0, params->k); + mldsa_vec_sub(t, t0, params->k); /* Make t positive to match t1. */ - dilithium_vec_make_pos(t, params->k); + mldsa_vec_make_pos(t, params->k); /* Check t - t0 and t1 are the same. */ for (i = 0; i < params->k; i++) { @@ -11413,9 +11408,9 @@ int wc_dilithium_check_key(dilithium_key* key) } return ret; } -#endif /* WOLFSSL_DILITHIUM_CHECK_KEY */ +#endif /* WOLFSSL_MLDSA_CHECK_KEY */ -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY /* Export the dilithium public key. * 
@@ -11427,7 +11422,7 @@ int wc_dilithium_check_key(dilithium_key* key) * @return BAD_FUNC_ARG when a parameter is NULL. * @return BUFFER_E when outLen is less than DILITHIUM_LEVEL2_PUB_KEY_SIZE. */ -int wc_dilithium_export_public(dilithium_key* key, byte* out, word32* outLen) +int wc_MlDsaKey_ExportPubRaw(MlDsaKey* key, byte* out, word32* outLen) { int ret = 0; word32 inLen; @@ -11439,7 +11434,7 @@ int wc_dilithium_export_public(dilithium_key* key, byte* out, word32* outLen) if (ret == 0) { /* Get length passed in for checking. */ inLen = *outLen; - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11522,7 +11517,7 @@ int wc_dilithium_export_public(dilithium_key* key, byte* out, word32* outLen) * @return 0 on success. * @return BAD_FUNC_ARG when in or key is NULL or key format is not supported. */ -int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) +int wc_MlDsaKey_ImportPubRaw(MlDsaKey* key, const byte* in, word32 inLen) { int ret = 0; @@ -11531,7 +11526,7 @@ int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) ret = BAD_FUNC_ARG; } if (ret == 0) { - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } 
@@ -11580,22 +11575,22 @@ int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) } -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS if (ret == 0) { - ret = dilithium_alloc_pub_buf(key); + ret = mldsa_alloc_pub_buf(key); } #endif if (ret == 0) { /* Copy the private key data in or copy pointer. */ - #ifdef WOLFSSL_DILITHIUM_ASSIGN_KEY + #ifdef WOLFSSL_MLDSA_ASSIGN_KEY key->p = in; #else XMEMCPY(key->p, in, inLen); #endif -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS - #ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_PUB_VECTORS + #ifndef WC_MLDSA_FIXED_ARRAY /* Allocate t1 if required. */ if (key->t1 == NULL) { key->t1 = (sword32*)XMALLOC(key->params->s2Sz, key->heap, @@ -11611,10 +11606,10 @@ int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) } if (ret == 0) { /* Compute t1 from public key data. */ - dilithium_make_pub_vec(key, key->t1); + mldsa_make_pub_vec(key, key->t1); #endif -#ifdef WC_DILITHIUM_CACHE_MATRIX_A - #ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A + #ifndef WC_MLDSA_FIXED_ARRAY /* Allocate matrix a if required. */ if (key->a == NULL) { key->a = (sword32*)XMALLOC(key->params->aSz, key->heap, @@ -11630,7 +11625,7 @@ int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) } if (ret == 0) { /* Compute matrix a from public key data. */ - ret = dilithium_expand_a(&key->shake, key->p, key->params->k, + ret = mldsa_expand_a(&key->shake, key->p, key->params->k, key->params->l, key->a, key->heap); if (ret == 0) { key->aSet = 1; 
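Review bot: Nothing in this hunk prevents WOLFSSL_MLDSA_DYNAMIC_KEYS and WOLFSSL_MLDSA_ASSIGN_KEY from being defined together. In wc_MlDsaKey_ImportPubRaw that would first allocate a buffer with `mldsa_alloc_pub_buf(key)` and then overwrite the pointer with `key->p = in;`, losing the allocation. The same pairing appears in mldsa_set_priv_key with `key->k = priv;`, and wc_MlDsaKey_Free and wc_MlDsaKey_SetParams zero and XFREE `key->k` under the dynamic-keys option, which would then act on the caller's buffer. Unless the header already rejects the combination (not visible here), I would add a guard near the top of the file: `#error "WOLFSSL_MLDSA_ASSIGN_KEY cannot be combined with WOLFSSL_MLDSA_DYNAMIC_KEYS"` inside an `#if defined(...) && defined(...)`. The function body starts outside the hunk.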
@@ -11645,34 +11640,34 @@ int wc_dilithium_import_public(const byte* in, word32 inLen, dilithium_key* key) return ret; } -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY /* Set the private key data into key. * * @param [in] priv Private key data. * @param [in] privSz Size of private key data in bytes. - * @param in, out] key Dilithium key to set into. + * @param in, out] key ML-DSA key to set into. * @return 0 on success. * @return BAD_FUNC_ARG when private key size is invalid. * @return MEMORY_E when dynamic memory allocation fails. * @return Other negative on hash error. */ -static int dilithium_set_priv_key(const byte* priv, word32 privSz, - dilithium_key* key) +static int mldsa_set_priv_key(const byte* priv, word32 privSz, + MlDsaKey* key) { int ret = 0; int expPrivSz; -#ifdef WC_DILITHIUM_CACHE_MATRIX_A - const wc_dilithium_params* params = key->params; +#ifdef WC_MLDSA_CACHE_MATRIX_A + const MlDsaParams* params = key->params; #endif /* Validate parameters. privSz must match the expected size for the * level set on the key. This is required so that subsequent code * which reads via key->params stays within the (possibly dynamically * sized) buffer. */ - expPrivSz = wc_dilithium_size(key); + expPrivSz = wc_MlDsaKey_Size(key); if (expPrivSz < 0) { ret = BAD_FUNC_ARG; } @@ -11680,15 +11675,15 @@ static int dilithium_set_priv_key(const byte* priv, word32 privSz, ret = BAD_FUNC_ARG; } -#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS +#ifdef WOLFSSL_MLDSA_DYNAMIC_KEYS if (ret == 0) { - ret = dilithium_alloc_priv_buf(key); + ret = mldsa_alloc_priv_buf(key); } #endif if (ret == 0) { /* Copy the private key data in or copy pointer. */ - #ifdef WOLFSSL_DILITHIUM_ASSIGN_KEY + #ifdef WOLFSSL_MLDSA_ASSIGN_KEY key->k = priv; #else XMEMCPY(key->k, priv, privSz); 
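Review bot: In mldsa_set_priv_key the local `params` is declared only under `#ifdef WC_MLDSA_CACHE_MATRIX_A`, but the later hunk of the same function reads `params->s1Sz` and `params->s2Sz` under `WC_MLDSA_CACHE_PRIV_VECTORS` without `WC_MLDSA_FIXED_ARRAY`. A build that caches the private vectors but not matrix A would fail to compile unless a header forces the matrix option on, which is not visible here. I would widen the guard to `#if defined(WC_MLDSA_CACHE_MATRIX_A) || defined(WC_MLDSA_CACHE_PRIV_VECTORS)`. It would also help to add a comment that `params` is only dereferenced after the `wc_MlDsaKey_Size(key)` check has passed.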
@@ -11696,8 +11691,8 @@ static int dilithium_set_priv_key(const byte* priv, word32 privSz, } /* Allocate and create cached values. */ -#ifdef WC_DILITHIUM_CACHE_MATRIX_A -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A +#ifndef WC_MLDSA_FIXED_ARRAY if (ret == 0) { /* Allocate matrix a if required. */ if (key->a == NULL) { @@ -11714,15 +11709,15 @@ static int dilithium_set_priv_key(const byte* priv, word32 privSz, #endif if (ret == 0) { /* Compute matrix a from private key data. */ - ret = dilithium_expand_a(&key->shake, key->k, params->k, params->l, + ret = mldsa_expand_a(&key->shake, key->k, params->k, params->l, key->a, key->heap); if (ret == 0) { key->aSet = 1; } } #endif -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS -#ifndef WC_DILITHIUM_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS +#ifndef WC_MLDSA_FIXED_ARRAY if ((ret == 0) && (key->s1 == NULL)) { /* Allocate L vector s1, K vector s2 and K vector t0 if required. */ key->s1 = (sword32*)XMALLOC((unsigned int)params->s1Sz + params->s2Sz + @@ -11743,7 +11738,7 @@ static int dilithium_set_priv_key(const byte* priv, word32 privSz, #endif if (ret == 0) { /* Compute vectors from private key. */ - dilithium_make_priv_vecs(key, key->s1, key->s2, key->t0); + mldsa_make_priv_vecs(key, key->s1, key->s2, key->t0); } #endif if (ret == 0) { @@ -11763,8 +11758,7 @@ static int dilithium_set_priv_key(const byte* priv, word32 privSz, * @return BAD_FUNC_ARG when a parameter is NULL or privSz is less than size * required for level, */ -int wc_dilithium_import_private(const byte* priv, word32 privSz, - dilithium_key* key) +int wc_MlDsaKey_ImportPrivRaw(MlDsaKey* key, const byte* priv, word32 privSz) { int ret = 0; 
@@ -11779,13 +11773,13 @@ int wc_dilithium_import_private(const byte* priv, word32 privSz, if (ret == 0) { /* Set the private key data. */ - ret = dilithium_set_priv_key(priv, privSz, key); + ret = mldsa_set_priv_key(priv, privSz, key); } return ret; } -#if defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) +#if defined(WOLFSSL_MLDSA_PUBLIC_KEY) /* Import a dilithium private and public keys from byte array(s). * * @param [in] priv Array holding private key or private+public keys @@ -11797,8 +11791,8 @@ int wc_dilithium_import_private(const byte* priv, word32 privSz, * @return BAD_FUNC_ARG when a required parameter is NULL an invalid * combination of keys/lengths is supplied. */ -int wc_dilithium_import_key(const byte* priv, word32 privSz, - const byte* pub, word32 pubSz, dilithium_key* key) +int wc_MlDsaKey_ImportKey(MlDsaKey* key, const byte* priv, word32 privSz, + const byte* pub, word32 pubSz) { int ret = 0; @@ -11816,15 +11810,15 @@ int wc_dilithium_import_key(const byte* priv, word32 privSz, if ((ret == 0) && (pub != NULL)) { /* Import public key. */ - ret = wc_dilithium_import_public(pub, pubSz, key); + ret = wc_MlDsaKey_ImportPubRaw(key, pub, pubSz); } if (ret == 0) { - ret = dilithium_set_priv_key(priv, privSz, key); + ret = mldsa_set_priv_key(priv, privSz, key); } return ret; } -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ /* Export the dilithium private key. * @@ -11836,7 +11830,7 @@ int wc_dilithium_import_key(const byte* priv, word32 privSz, * @return BAD_FUNC_ARG when a parameter is NULL. * @return BUFFER_E when outLen is less than DILITHIUM_LEVEL2_KEY_SIZE. */ -int wc_dilithium_export_private(dilithium_key* key, byte* out, +int wc_MlDsaKey_ExportPrivRaw(MlDsaKey* key, byte* out, word32* outLen) { int ret = 0; 
@@ -11855,7 +11849,7 @@ int wc_dilithium_export_private(dilithium_key* key, byte* out, if (ret == 0) { inLen = *outLen; /* check and set up out length */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11898,7 +11892,7 @@ int wc_dilithium_export_private(dilithium_key* key, byte* out, return ret; } -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY /* Export the dilithium private and public key. * * @param [in] key Dilithium private/public key. @@ -11912,25 +11906,25 @@ int wc_dilithium_export_private(dilithium_key* key, byte* out, * @return BAD_FUNC_ARG when a key, priv, privSz, pub or pubSz is NULL. * @return BUFFER_E when privSz or pubSz is less than required size. */ -int wc_dilithium_export_key(dilithium_key* key, byte* priv, word32 *privSz, +int wc_MlDsaKey_ExportKey(MlDsaKey* key, byte* priv, word32 *privSz, byte* pub, word32 *pubSz) { int ret; /* Export private key only. */ - ret = wc_dilithium_export_private(key, priv, privSz); + ret = wc_MlDsaKey_ExportPrivRaw(key, priv, privSz); if (ret == 0) { /* Export public key. */ - ret = wc_dilithium_export_public(key, pub, pubSz); + ret = wc_MlDsaKey_ExportPubRaw(key, pub, pubSz); } return ret; } -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ -#endif /* WOLFSSL_DILITHIUM_PRIVATE_KEY */ +#endif /* WOLFSSL_MLDSA_PRIVATE_KEY */ -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#ifndef WOLFSSL_MLDSA_NO_ASN1 /* Maps ASN.1 OID to wolfCrypt security level macros */ static int mapOidToSecLevel(int oid) @@ -11942,7 +11936,7 @@ static int mapOidToSecLevel(int oid) return WC_ML_DSA_65; case ML_DSA_LEVEL5k: return WC_ML_DSA_87; -#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT +#ifdef WOLFSSL_MLDSA_FIPS204_DRAFT case DILITHIUM_LEVEL2k: return WC_ML_DSA_44_DRAFT; case DILITHIUM_LEVEL3k: 
@@ -11956,10 +11950,10 @@ static int mapOidToSecLevel(int oid) } /* Get OID sum from dilithium key */ -int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat) { +int mldsa_get_oid_sum(MlDsaKey* key, int* keyFormat) { int ret = 0; - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -11973,7 +11967,7 @@ int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat) { *keyFormat = DILITHIUM_LEVEL5k; } else - #endif /* WOLFSSL_DILITHIUM_FIPS204_DRAFT */ + #endif /* WOLFSSL_MLDSA_FIPS204_DRAFT */ if (key->level == WC_ML_DSA_44) { *keyFormat = ML_DSA_LEVEL2k; } @@ -11991,14 +11985,14 @@ int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat) { return ret; } -#if defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) +#if defined(WOLFSSL_MLDSA_PRIVATE_KEY) -/* Decode the DER encoded Dilithium key. +/* Decode the DER encoded ML-DSA key. * * @param [in] input Array holding DER encoded data. * @param [in, out] inOutIdx On in, index into array of start of DER encoding. * On out, index into array after DER encoding. - * @param [in, out] key Dilithium key structure to hold the decoded key. + * @param [in, out] key ML-DSA key structure to hold the decoded key. * If the security level is set in the key structure * on input, the DER key will be decoded as such and * will fail if there is a mismatch. If the level @@ -12013,8 +12007,8 @@ int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat) { * @return BAD_FUNC_ARG when input, inOutIdx or key is NULL or inSz is 0. * @return Other negative on parse error. */ -int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, - dilithium_key* key, word32 inSz) +int wc_MlDsaKey_PrivateKeyDecode(MlDsaKey* key, const byte* input, + word32 inSz, word32* inOutIdx) { int ret = 0; const byte* seed = NULL; 
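Review bot: mldsa_get_oid_sum is not `static`, yet it dereferences `key` (`key->params`, `key->level`) and writes through `keyFormat` without checking either pointer. The public wc_MlDsaKey_* functions around it return BAD_FUNC_ARG for NULL arguments, so a caller in another translation unit has no such protection here. I would open the body with `if ((key == NULL) || (keyFormat == NULL)) { return BAD_FUNC_ARG; }`. A one-line comment saying which callers are expected would also help, since the lower-case name reads like a file-local helper.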
@@ -12038,7 +12032,7 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, /* Level not set by caller, decode from DER */ keyType = ANONk; } - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) else if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -12086,7 +12080,7 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, /* Set the security level based on the decoded key. */ ret = mapOidToSecLevel(autoKeyType); if (ret > 0) { - ret = wc_dilithium_set_level(key, (byte)ret); + ret = wc_MlDsaKey_SetParams(key, (byte)ret); } } else if (keyType != ANONk && autoKeyType != ANONk) { @@ -12109,7 +12103,7 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, if ((ret == 0) && (pubKey == NULL) && (pubKeyLen == 0)) { /* Check if the public key is included in the private key. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -12156,9 +12150,9 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, if (ret == 0) { /* Generate a key pair if seed exists and decoded key pair is ignored */ if (seedLen != 0) { -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) if (seedLen == DILITHIUM_SEED_SZ) { - ret = wc_dilithium_make_key_from_seed(key, seed); + ret = wc_MlDsaKey_MakeKeyFromSeed(key, seed); } else { ret = ASN_PARSE_E; 
@@ -12167,18 +12161,17 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, ret = NOT_COMPILED_IN; #endif } -#if defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) +#if defined(WOLFSSL_MLDSA_PUBLIC_KEY) /* Check whether public key data was found. */ else if (pubKeyLen != 0 && privKeyLen != 0) { /* Import private and public key data. */ - ret = wc_dilithium_import_key(privKey, privKeyLen, pubKey, - pubKeyLen, key); + ret = wc_MlDsaKey_ImportKey(key, privKey, privKeyLen, pubKey, pubKeyLen); } #endif else if (pubKeyLen == 0 && privKeyLen != 0) { /* No public key data, only import private key data. */ - ret = wc_dilithium_import_private(privKey, privKeyLen, key); + ret = wc_MlDsaKey_ImportPrivRaw(key, privKey, privKeyLen); } else { /* Not a problem of ASN.1 structure, but the contents is invalid */ @@ -12192,19 +12185,19 @@ int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, return ret; } -#endif /* WOLFSSL_DILITHIUM_PRIVATE_KEY */ +#endif /* WOLFSSL_MLDSA_PRIVATE_KEY */ -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY -#if defined(WOLFSSL_DILITHIUM_NO_ASN1) +#if defined(WOLFSSL_MLDSA_NO_ASN1) #ifndef WOLFSSL_NO_ML_DSA_44 static unsigned char ml_dsa_oid_44[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x11 }; -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) -static unsigned char dilithium_oid_44[] = { +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) +static unsigned char mldsa_oid_44[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x02, 0x82, 0x0b, 0x0c, 0x04, 0x04 }; 
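Review bot: Renaming the draft OID table to `mldsa_oid_44` leaves it one underscore away from the final-standard table `ml_dsa_oid_44` declared just above it. The two arrays hold different OIDs (FIPS 204 final versus the draft arc), so picking the wrong one by typo would still compile and would make the decoder match the wrong algorithm identifier. I would name the draft tables for what they are, for example `mldsa_draft_oid_44`, and do the same for the 65 and 87 tables in the next hunks. The arrays are never written in the visible code, so `static const unsigned char` would also fit if the users further down accept a const pointer.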
@@ -12214,8 +12207,8 @@ static unsigned char dilithium_oid_44[] = { static unsigned char ml_dsa_oid_65[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x12 }; -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) -static unsigned char dilithium_oid_65[] = { +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) +static unsigned char mldsa_oid_65[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x02, 0x82, 0x0b, 0x0c, 0x06, 0x05 }; @@ -12225,8 +12218,8 @@ static unsigned char dilithium_oid_65[] = { static unsigned char ml_dsa_oid_87[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x13 }; -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) -static unsigned char dilithium_oid_87[] = { +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) +static unsigned char mldsa_oid_87[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x02, 0x82, 0x0b, 0x0c, 0x08, 0x07 }; @@ -12284,7 +12277,7 @@ static int dilitihium_get_der_length(const byte* input, word32* inOutIdx, return ret; } -static int dilithium_check_type(const byte* input, word32* inOutIdx, byte type, +static int mldsa_check_type(const byte* input, word32* inOutIdx, byte type, word32 inSz) { int ret = 0; @@ -12304,14 +12297,14 @@ static int dilithium_check_type(const byte* input, word32* inOutIdx, byte type, return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ /* Decode the DER encoded Dilithium public key. * * @param [in] input Array holding DER encoded data. * @param [in, out] inOutIdx On in, index into array of start of DER encoding. * On out, index into array after DER encoding. - * @param [in, out] key Dilithium key structure to hold the decoded key. + * @param [in, out] key ML-DSA key structure to hold the decoded key. * If the security level is set in the key structure * on input, the DER key will be decoded as such * and will fail if there is a mismatch. If the level 
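Review bot: The sibling helper `dilitihium_get_der_length` keeps its legacy, misspelled name while `dilithium_check_type` becomes `mldsa_check_type`, so the hand-written DER walk in the `WOLFSSL_MLDSA_NO_ASN1` path now alternates between two naming schemes. Renaming it in the same commit, `static int mldsa_get_der_length(const byte* input, word32* inOutIdx,`, and updating its calls in the later public-key decode hunks would complete the rename. Both helpers are file-static, so no compatibility alias is needed for either.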
@@ -12328,8 +12321,8 @@ static int dilithium_check_type(const byte* input, word32* inOutIdx, byte type, * @return BAD_FUNC_ARG when level not set. * @return Other negative on parse error. */ -int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, - dilithium_key* key, word32 inSz) +int wc_MlDsaKey_PublicKeyDecode(MlDsaKey* key, const byte* input, + word32 inSz, word32* inOutIdx) { int ret = 0; const byte* pubKey = NULL; @@ -12342,9 +12335,9 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, if (ret == 0) { /* Try to import the key directly. */ - ret = wc_dilithium_import_public(input, inSz, key); + ret = wc_MlDsaKey_ImportPubRaw(key, input, inSz); if (ret != 0) { - #if !defined(WOLFSSL_DILITHIUM_NO_ASN1) + #if !defined(WOLFSSL_MLDSA_NO_ASN1) int keyType = 0; #else int length = 0; @@ -12356,9 +12349,9 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, /* Start again. */ ret = 0; - #if !defined(WOLFSSL_DILITHIUM_NO_ASN1) + #if !defined(WOLFSSL_MLDSA_NO_ASN1) /* Get OID sum for level. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } 
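Review bot: The doc comment above `wc_MlDsaKey_PublicKeyDecode` still lists its parameters as `input`, `inOutIdx`, `key` and still opens with "Decode the DER encoded Dilithium public key", while the new signature is `(MlDsaKey* key, const byte* input, word32 inSz, word32* inOutIdx)`. Reordering the `@param` entries to match the signature, and starting the comment with `/* Decode the DER encoded ML-DSA public key.`, keeps callers from copying the old argument order out of the documentation. The comment begins in the previous hunk and is only partly visible here.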
@@ -12395,35 +12388,35 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, /* Set the security level based on the decoded key. */ ret = mapOidToSecLevel(keyType); if (ret > 0) { - ret = wc_dilithium_set_level(key, (byte)ret); + ret = wc_MlDsaKey_SetParams(key, (byte)ret); } } } #else /* Get OID sum for level. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } else #ifndef WOLFSSL_NO_ML_DSA_44 if (key->params->level == WC_ML_DSA_44_DRAFT) { - oid = dilithium_oid_44; - oidLen = (word32)sizeof(dilithium_oid_44); + oid = mldsa_oid_44; + oidLen = (word32)sizeof(mldsa_oid_44); } else #endif #ifndef WOLFSSL_NO_ML_DSA_65 if (key->params->level == WC_ML_DSA_65_DRAFT) { - oid = dilithium_oid_65; - oidLen = (word32)sizeof(dilithium_oid_65); + oid = mldsa_oid_65; + oidLen = (word32)sizeof(mldsa_oid_65); } else #endif #ifndef WOLFSSL_NO_ML_DSA_87 if (key->params->level == WC_ML_DSA_87_DRAFT) { - oid = dilithium_oid_87; - oidLen = (word32)sizeof(dilithium_oid_87); + oid = mldsa_oid_87; + oidLen = (word32)sizeof(mldsa_oid_87); } else #endif @@ -12454,19 +12447,19 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, ret = BAD_FUNC_ARG; } if (ret == 0) { - ret = dilithium_check_type(input, &idx, 0x30, inSz); + ret = mldsa_check_type(input, &idx, 0x30, inSz); } if (ret == 0) { ret = dilitihium_get_der_length(input, &idx, &length, inSz); } if (ret == 0) { - ret = dilithium_check_type(input, &idx, 0x30, inSz); + ret = mldsa_check_type(input, &idx, 0x30, inSz); } if (ret == 0) { ret = dilitihium_get_der_length(input, &idx, &length, inSz); } if (ret == 0) { - ret = dilithium_check_type(input, &idx, 0x06, inSz); + ret = mldsa_check_type(input, &idx, 0x06, inSz); } if (ret == 0) { ret = dilitihium_get_der_length(input, &idx, &length, inSz); 
@@ -12479,7 +12472,7 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, idx += oidLen; } if (ret == 0) { - ret = dilithium_check_type(input, &idx, 0x03, inSz); + ret = mldsa_check_type(input, &idx, 0x03, inSz); } if (ret == 0) { ret = dilitihium_get_der_length(input, &idx, &length, inSz); @@ -12501,21 +12494,21 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, #endif if (ret == 0) { /* Import public key data. */ - ret = wc_dilithium_import_public(pubKey, pubKeyLen, key); + ret = wc_MlDsaKey_ImportPubRaw(key, pubKey, pubKeyLen); } } } return ret; } -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#ifndef WOLFSSL_MLDSA_NO_ASN1 #ifdef WC_ENABLE_ASYM_KEY_EXPORT -/* Encode the public part of a Dilithium key in DER. +/* Encode the public part of a ML-DSA key in DER. * * Pass NULL for output to get the size of the encoding. * - * @param [in] key Dilithium key object. + * @param [in] key ML-DSA key object. * @param [out] output Buffer to put encoded data in. * @param [in] len Size of buffer in bytes. * @param [in] withAlg Whether to use SubjectPublicKeyInfo format. @@ -12523,7 +12516,7 @@ int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, * @return BAD_FUNC_ARG when key is NULL. * @return MEMORY_E when dynamic memory allocation failed. */ -int wc_Dilithium_PublicKeyToDer(dilithium_key* key, byte* output, word32 len, +int wc_MlDsaKey_PublicKeyToDer(MlDsaKey* key, byte* output, word32 len, int withAlg) { int ret = 0; @@ -12541,7 +12534,7 @@ int wc_Dilithium_PublicKeyToDer(dilithium_key* key, byte* output, word32 len, if (ret == 0) { /* Get OID and length for level. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } 
@@ -12586,34 +12579,34 @@ int wc_Dilithium_PublicKeyToDer(dilithium_key* key, byte* output, word32 len, } #endif /* WC_ENABLE_ASYM_KEY_EXPORT */ -#endif /* !WOLFSSL_DILITHIUM_NO_ASN1 */ +#endif /* !WOLFSSL_MLDSA_NO_ASN1 */ -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 +#ifndef WOLFSSL_MLDSA_NO_ASN1 -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY -/* Encode the private and public data of a Dilithium key in DER. +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +/* Encode the private and public data of a ML-DSA key in DER. * * Pass NULL for output to get the size of the encoding. * - * @param [in] key Dilithium key object. + * @param [in] key ML-DSA key object. * @param [out] output Buffer to put encoded data in. * @param [in] len Size of buffer in bytes. * @return Size of encoded data in bytes on success. * @return BAD_FUNC_ARG when key is NULL. * @return MEMORY_E when dynamic memory allocation failed. */ -int wc_Dilithium_KeyToDer(dilithium_key* key, byte* output, word32 len) +int wc_MlDsaKey_KeyToDer(MlDsaKey* key, byte* output, word32 len) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Validate parameters and check public and private key set. */ if ((key != NULL) && key->prvKeySet && key->pubKeySet) { /* Create DER for level. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } 
@@ -12647,27 +12640,27 @@ int wc_Dilithium_KeyToDer(dilithium_key* key, byte* output, word32 len) return ret; } -#endif /* WOLFSSL_DILITHIUM_PUBLIC_KEY */ +#endif /* WOLFSSL_MLDSA_PUBLIC_KEY */ -/* Encode the private data of a Dilithium key in DER. +/* Encode the private data of a ML-DSA key in DER. * * Pass NULL for output to get the size of the encoding. * - * @param [in] key Dilithium key object. + * @param [in] key ML-DSA key object. * @param [out] output Buffer to put encoded data in. * @param [in] len Size of buffer in bytes. * @return Size of encoded data in bytes on success. * @return BAD_FUNC_ARG when key is NULL. * @return MEMORY_E when dynamic memory allocation failed. */ -int wc_Dilithium_PrivateKeyToDer(dilithium_key* key, byte* output, word32 len) +int wc_MlDsaKey_PrivateKeyToDer(MlDsaKey* key, byte* output, word32 len) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Validate parameters and check private key set. */ if ((key != NULL) && key->prvKeySet) { /* Create DER for level. */ - #if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) if (key->params == NULL) { ret = BAD_FUNC_ARG; } @@ -12702,8 +12695,9 @@ int wc_Dilithium_PrivateKeyToDer(dilithium_key* key, byte* output, word32 len) return ret; } -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ + +#endif /* WOLFSSL_MLDSA_PRIVATE_KEY */ -#endif /* WOLFSSL_DILITHIUM_PRIVATE_KEY */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ diff --git a/wolfcrypt/src/wc_mldsa_asm.S b/wolfcrypt/src/wc_mldsa_asm.S index 7cf4b585697..717986e4a5c 100644 --- a/wolfcrypt/src/wc_mldsa_asm.S +++ b/wolfcrypt/src/wc_mldsa_asm.S @@ -47,7 +47,7 @@ #endif /* HAVE_INTEL_AVX2 */ #endif /* NO_AVX2_SUPPORT */ -#ifdef HAVE_DILITHIUM +#ifdef WOLFSSL_HAVE_MLDSA #ifdef HAVE_INTEL_AVX2 #ifndef __APPLE__ .data 
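Review bot: The closing comment `#endif /* WOLFSSL_MLDSA_NO_ASN1 */` at the end of the private-key section belongs to an `#ifndef WOLFSSL_MLDSA_NO_ASN1`, so it names the opposite of the condition it closes. The public-key section already writes `#endif /* !WOLFSSL_MLDSA_NO_ASN1 */`; using the same form here keeps the nesting readable now that these three `#endif` lines are being rewritten.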
@@ -35284,7 +35284,7 @@ _wc_mldsa_poly_make_pos_avx2: .size wc_mldsa_poly_make_pos_avx2,.-wc_mldsa_poly_make_pos_avx2 #endif /* __APPLE__ */ #endif /* HAVE_INTEL_AVX2 */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ #if defined(__linux__) && defined(__ELF__) .section .note.GNU-stack,"",%progbits diff --git a/wolfssl-VS2022.vcxproj b/wolfssl-VS2022.vcxproj index a2c001ca8a5..a4b8d39b196 100644 --- a/wolfssl-VS2022.vcxproj +++ b/wolfssl-VS2022.vcxproj @@ -421,7 +421,7 @@ - + diff --git a/wolfssl.vcproj b/wolfssl.vcproj index 1bcc0248631..a7f12b57e78 100644 --- a/wolfssl.vcproj +++ b/wolfssl.vcproj @@ -244,7 +244,7 @@ > - + diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index 31a5a2b165d..b0cfe85f5cf 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h @@ -4107,8 +4107,8 @@ static const unsigned char bench_falcon_level5_key[] = #endif /* HAVE_FALCON */ -#if defined(HAVE_DILITHIUM) -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#if defined(WOLFSSL_HAVE_MLDSA) +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level2_key.der */ @@ -4372,9 +4372,9 @@ static const unsigned char bench_dilithium_level2_key[] = { }; #define sizeof_bench_dilithium_level2_key (sizeof(bench_dilithium_level2_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level2_key.der */ @@ -4515,9 +4515,9 @@ static const unsigned char bench_dilithium_level2_pubkey[] = { #define sizeof_bench_dilithium_level2_pubkey \ (sizeof(bench_dilithium_level2_pubkey)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level3_key.der */ 
@@ -4929,9 +4929,9 @@ static const unsigned char bench_dilithium_level3_key[] = { }; #define sizeof_bench_dilithium_level3_key (sizeof(bench_dilithium_level3_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level3_key.der */ @@ -5136,9 +5136,9 @@ static const unsigned char bench_dilithium_level3_pubkey[] = { static const int sizeof_bench_dilithium_level3_pubkey = sizeof(bench_dilithium_level3_pubkey); -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* raw private key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level5_key.der */ @@ -5636,9 +5636,9 @@ static const unsigned char bench_dilithium_level5_key[] = { }; #define sizeof_bench_dilithium_level5_key (sizeof(bench_dilithium_level5_key)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* raw public key without ASN1 syntax from * ./certs/dilithium/bench_dilithium_level5_key.der */ @@ -5907,15 +5907,15 @@ static const unsigned char bench_dilithium_level5_pubkey[] = { #define sizeof_bench_dilithium_level5_pubkey \ (sizeof(bench_dilithium_level5_pubkey)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ -#if defined(HAVE_DILITHIUM) +#if defined(WOLFSSL_HAVE_MLDSA) #if !defined(WOLFSSL_NO_ML_DSA_44) -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* ./certs/mldsa/mldsa44_pub-spki.der */ static const unsigned char mldsa44_pub_spki[] = { 
@@ -6055,9 +6055,9 @@ static const unsigned char mldsa44_pub_spki[] = 0xDB, 0xAA, 0x5F, 0x71 }; #define sizeof_mldsa44_pub_spki (sizeof(mldsa44_pub_spki)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* ./certs/mldsa/mldsa44_priv-only.der */ static const unsigned char mldsa44_priv_only[] = { @@ -6601,13 +6601,13 @@ static const unsigned char mldsa44_seed_only[] = 0x80, 0x87, 0xA2, 0x16 }; #define sizeof_mldsa44_seed_only (sizeof(mldsa44_seed_only)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ #endif /* !WOLFSSL_NO_ML_DSA_44 */ #if !defined(WOLFSSL_NO_ML_DSA_65) -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* ./certs/mldsa/mldsa65_pub-spki.der */ static const unsigned char mldsa65_pub_spki[] = { @@ -6811,9 +6811,9 @@ static const unsigned char mldsa65_pub_spki[] = 0x19, 0x0C, 0x44, 0x4C }; #define sizeof_mldsa65_pub_spki (sizeof(mldsa65_pub_spki)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* ./certs/mldsa/mldsa65_priv-only.der */ static const unsigned char mldsa65_priv_only[] = { @@ -7652,13 +7652,13 @@ static const unsigned char mldsa65_seed_only[] = 0xCB, 0xE4, 0xB1, 0x42 }; #define sizeof_mldsa65_seed_only (sizeof(mldsa65_seed_only)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ #endif /* !WOLFSSL_NO_ML_DSA_65 */ #if !defined(WOLFSSL_NO_ML_DSA_87) -#ifndef WOLFSSL_DILITHIUM_NO_VERIFY +#ifndef WOLFSSL_MLDSA_NO_VERIFY /* ./certs/mldsa/mldsa87_pub-spki.der */ static const unsigned char mldsa87_pub_spki[] = { 
@@ -7926,9 +7926,9 @@ static const unsigned char mldsa87_pub_spki[] = 0xAE, 0x60, 0x19, 0x5A }; #define sizeof_mldsa87_pub_spki (sizeof(mldsa87_pub_spki)) -#endif /* !WOLFSSL_DILITHIUM_NO_VERIFY */ +#endif /* !WOLFSSL_MLDSA_NO_VERIFY */ -#ifndef WOLFSSL_DILITHIUM_NO_SIGN +#ifndef WOLFSSL_MLDSA_NO_SIGN /* ./certs/mldsa/mldsa87_priv-only.der */ static const unsigned char mldsa87_priv_only[] = { @@ -8940,11 +8940,11 @@ static const unsigned char mldsa87_seed_only[] = 0xB0, 0x87, 0x90, 0x4F }; #define sizeof_mldsa87_seed_only (sizeof(mldsa87_seed_only)) -#endif /* !WOLFSSL_DILITHIUM_NO_SIGN */ +#endif /* !WOLFSSL_MLDSA_NO_SIGN */ #endif /* !WOLFSSL_NO_ML_DSA_87 */ -#endif /* HAVE_DILITHIUM */ +#endif /* WOLFSSL_HAVE_MLDSA */ #if defined(HAVE_ECC) && defined(USE_CERT_BUFFERS_256) diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index fc2a049fd63..c8968cc265f 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -77,8 +77,17 @@ This library defines the interface APIs for X509 certificates. typedef struct falcon_key falcon_key; #define WC_FALCONKEY_TYPE_DEFINED #endif -#ifndef WC_DILITHIUMKEY_TYPE_DEFINED - typedef struct dilithium_key dilithium_key; +#ifndef WC_MLDSAKEY_TYPE_DEFINED + typedef struct MlDsaKey MlDsaKey; + #define WC_MLDSAKEY_TYPE_DEFINED +#endif +/* Legacy typedef alias. Kept until the dilithium.h compatibility shim is + * removed in a future release. Application code that included only + * on master continues to compile. Suppress + * with WOLFSSL_NO_DILITHIUM_LEGACY_NAMES. */ +#if !defined(WOLFSSL_NO_DILITHIUM_LEGACY_NAMES) && \ + !defined(WC_DILITHIUMKEY_TYPE_DEFINED) + typedef struct MlDsaKey dilithium_key; #define WC_DILITHIUMKEY_TYPE_DEFINED #endif #ifndef WC_SLHDSAKEY_TYPE_DEFINED diff --git a/wolfssl/wolfcrypt/dilithium.h b/wolfssl/wolfcrypt/dilithium.h index 24756500756..14531dfd593 100644 --- a/wolfssl/wolfcrypt/dilithium.h +++ b/wolfssl/wolfcrypt/dilithium.h 
@@ -23,1050 +23,522 @@ \file wolfssl/wolfcrypt/dilithium.h */ -/* Interfaces for Dilithium NIST Level 1 (Dilithium512) and Dilithium NIST Level 5 - * (Dilithium1024). */ +/* TEMPORARY legacy compatibility shim. The pre-standardization Dilithium + * signature algorithm was standardized by NIST as ML-DSA (FIPS 204); the + * canonical implementation lives in . + * + * This file performs two TEMPORARY compatibility services and will be + * removed in a future wolfSSL release: + * + * 1. A sub-config build-gate translation block (legacy + * WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* <-> canonical WOLFSSL_MLDSA_* / + * WC_MLDSA_*). The forward arm runs BEFORE this file's #include of + * wc_mldsa.h so wc_mldsa.h's own conditional declarations always + * read the canonical gate, regardless of which spelling + * user_settings.h or the build system used. The reverse arm runs + * AFTER the include so derived canonical gates that wc_mldsa.h + * computes from WOLFSSL_MLDSA_NO_* (e.g. WOLFSSL_MLDSA_PUBLIC_KEY, + * WOLFSSL_MLDSA_PRIVATE_KEY, WOLFSSL_MLDSA_CHECK_KEY) are visible + * to the reverse propagation. Suppressed by defining + * WOLFSSL_NO_DILITHIUM_LEGACY_GATES. + * + * The parent gate (HAVE_DILITHIUM / WOLFSSL_HAVE_MLDSA) is mapped + * earlier in with an asymmetric + * contract: the forward arm (legacy -> canonical) is unconditional + * because wc_mldsa.h itself reads only the canonical name; the + * reverse arm (canonical -> legacy) honors + * WOLFSSL_NO_DILITHIUM_LEGACY_GATES. In normal builds the two parent + * names are functionally equivalent, since at least one direction + * always fires whenever either is defined; the legacy spelling + * remains as an alias kept around for unmigrated consumer code. + * + * 2. Macro / static-inline aliases for the legacy type and function + * names (dilithium_key, wc_dilithium_params, wc_dilithium_*, + * wc_Dilithium_*) so application code written against the + * pre-standardization API keeps compiling. 
Suppressed by defining + * WOLFSSL_NO_DILITHIUM_LEGACY_NAMES. + * + * New code must include directly and use + * the MlDsaKey / wc_MlDsaKey_* / WOLFSSL_MLDSA_* names. */ #ifndef WOLF_CRYPT_DILITHIUM_H #define WOLF_CRYPT_DILITHIUM_H -#include +/* === Sub-config build-gate translations =============================== */ -#ifdef WOLF_CRYPTO_CB - #include -#endif +/* The two sub-gates that (auto-generated, no + * #includes) reads -- WOLFSSL_DILITHIUM_NO_SIGN / + * WOLFSSL_DILITHIUM_NO_VERIFY -- are forward-translated in + * so that header sees the canonical + * spelling without going through dilithium.h. The block below covers + * the remaining sub-gates, all of which are read only by wc_mldsa.h / + * wc_mldsa.c (which transitively include this file first). */ -#if defined(HAVE_DILITHIUM) +#ifndef WOLFSSL_NO_DILITHIUM_LEGACY_GATES -#if defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) && \ - defined(WOLFSSL_DILITHIUM_NO_SIGN) && \ - !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ - !defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - #define WOLFSSL_DILITHIUM_VERIFY_ONLY +/* Legacy -> canonical (forward arm, remainder). For the gates handled in + * settings.h see the comment block there. 
*/ +#ifdef WOLFSSL_DILITHIUM_NO_MAKE_KEY + #ifndef WOLFSSL_MLDSA_NO_MAKE_KEY + #define WOLFSSL_MLDSA_NO_MAKE_KEY + #endif #endif #ifdef WOLFSSL_DILITHIUM_VERIFY_ONLY - #ifndef WOLFSSL_DILITHIUM_NO_MAKE_KEY - #define WOLFSSL_DILITHIUM_NO_MAKE_KEY + #ifndef WOLFSSL_MLDSA_VERIFY_ONLY + #define WOLFSSL_MLDSA_VERIFY_ONLY #endif - #ifndef WOLFSSL_DILITHIUM_NO_SIGN - #define WOLFSSL_DILITHIUM_NO_SIGN +#endif +#ifdef WOLFSSL_DILITHIUM_NO_CTX + #ifndef WOLFSSL_MLDSA_NO_CTX + #define WOLFSSL_MLDSA_NO_CTX #endif #endif - -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - !defined(WOLFSSL_DILITHIUM_NO_VERIFY) - #define WOLFSSL_DILITHIUM_PUBLIC_KEY +#ifdef WOLFSSL_DILITHIUM_NO_ASN1 + #ifndef WOLFSSL_MLDSA_NO_ASN1 + #define WOLFSSL_MLDSA_NO_ASN1 + #endif #endif -#if !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) || \ - !defined(WOLFSSL_DILITHIUM_NO_SIGN) - #define WOLFSSL_DILITHIUM_PRIVATE_KEY +#ifdef WOLFSSL_DILITHIUM_NO_LARGE_CODE + #ifndef WOLFSSL_MLDSA_NO_LARGE_CODE + #define WOLFSSL_MLDSA_NO_LARGE_CODE + #endif #endif - -#if defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) && \ - defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) && \ - !defined(WOLFSSL_DILITHIUM_NO_CHECK_KEY) && \ - !defined(WOLFSSL_DILITHIUM_CHECK_KEY) - #define WOLFSSL_DILITHIUM_CHECK_KEY +#ifdef WOLFSSL_DILITHIUM_SMALL + #ifndef WOLFSSL_MLDSA_SMALL + #define WOLFSSL_MLDSA_SMALL + #endif #endif - -#include -#ifndef WOLFSSL_DILITHIUM_VERIFY_ONLY - #include +#ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 + #ifndef WOLFSSL_MLDSA_SMALL_MEM_POLY64 + #define WOLFSSL_MLDSA_SMALL_MEM_POLY64 + #endif #endif - -#if defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) && \ - !defined(WC_DILITHIUM_CACHE_MATRIX_A) - #define WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC + #ifndef WOLFSSL_MLDSA_VERIFY_NO_MALLOC + #define WOLFSSL_MLDSA_VERIFY_NO_MALLOC + #endif #endif -#if defined(WC_DILITHIUM_CACHE_PUB_VECTORS) && \ - !defined(WC_DILITHIUM_CACHE_MATRIX_A) - #define WC_DILITHIUM_CACHE_MATRIX_A +#ifdef WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM + 
#ifndef WOLFSSL_MLDSA_VERIFY_SMALL_MEM + #define WOLFSSL_MLDSA_VERIFY_SMALL_MEM + #endif #endif - -#ifdef __cplusplus - extern "C" { +#ifdef WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM + #ifndef WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM + #define WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM + #endif #endif - -/* Macros Definitions */ - -#ifndef WOLFSSL_DILITHIUM_ALIGNMENT - #if defined(__arch64__) - #define WOLFSSL_DILITHIUM_ALIGNMENT 8 - #elif defined(__arm__) - #define WOLFSSL_DILITHIUM_ALIGNMENT 4 - #elif !defined(WOLFSSL_AESNI) && defined(WOLFSSL_GENERAL_ALIGNMENT) - #define WOLFSSL_DILITHIUM_ALIGNMENT WOLFSSL_GENERAL_ALIGNMENT - #else - #define WOLFSSL_DILITHIUM_ALIGNMENT 8 +#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM + #define WOLFSSL_MLDSA_SIGN_SMALL_MEM #endif -#endif /* WOLFSSL_DILITHIUM_ALIGNMENT */ - -#define DILITHIUM_LEVEL2_KEY_SIZE 2560 -#define DILITHIUM_LEVEL2_SIG_SIZE 2420 -#define DILITHIUM_LEVEL2_PUB_KEY_SIZE 1312 -#define DILITHIUM_LEVEL2_PRV_KEY_SIZE \ - (DILITHIUM_LEVEL2_PUB_KEY_SIZE + DILITHIUM_LEVEL2_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE 1334 -#define DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE 2588 -#define DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE 3904 -/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and - * the footer "-----END PRIVATE KEY-----" */ -#define DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE 5344 - -#define DILITHIUM_LEVEL3_KEY_SIZE 4032 -#define DILITHIUM_LEVEL3_SIG_SIZE 3309 -#define DILITHIUM_LEVEL3_PUB_KEY_SIZE 1952 -#define DILITHIUM_LEVEL3_PRV_KEY_SIZE \ - (DILITHIUM_LEVEL3_PUB_KEY_SIZE + DILITHIUM_LEVEL3_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE 1974 -#define DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE 4060 -#define DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE 6016 -/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and - * the footer "-----END PRIVATE KEY-----" */ -#define 
DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE 8204 - -#define DILITHIUM_LEVEL5_KEY_SIZE 4896 -#define DILITHIUM_LEVEL5_SIG_SIZE 4627 -#define DILITHIUM_LEVEL5_PUB_KEY_SIZE 2592 -#define DILITHIUM_LEVEL5_PRV_KEY_SIZE \ - (DILITHIUM_LEVEL5_PUB_KEY_SIZE + DILITHIUM_LEVEL5_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE 2614 -#define DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE 4924 -#define DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE 7520 -/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and - * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ -#define DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE 10267 - -#define ML_DSA_LEVEL2_KEY_SIZE 2560 -#define ML_DSA_LEVEL2_SIG_SIZE 2420 -#define ML_DSA_LEVEL2_PUB_KEY_SIZE 1312 -#define ML_DSA_LEVEL2_PRV_KEY_SIZE \ - (ML_DSA_LEVEL2_PUB_KEY_SIZE + ML_DSA_LEVEL2_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define ML_DSA_LEVEL2_PUB_KEY_DER_SIZE DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE -#define ML_DSA_LEVEL2_PRV_KEY_DER_SIZE DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE -#define ML_DSA_LEVEL2_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and - * the footer "-----END PRIVATE KEY-----" */ -#define ML_DSA_LEVEL2_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE - -#define ML_DSA_LEVEL3_KEY_SIZE 4032 -#define ML_DSA_LEVEL3_SIG_SIZE 3309 -#define ML_DSA_LEVEL3_PUB_KEY_SIZE 1952 -#define ML_DSA_LEVEL3_PRV_KEY_SIZE \ - (ML_DSA_LEVEL3_PUB_KEY_SIZE + ML_DSA_LEVEL3_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define ML_DSA_LEVEL3_PUB_KEY_DER_SIZE DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE -#define ML_DSA_LEVEL3_PRV_KEY_DER_SIZE DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE -#define ML_DSA_LEVEL3_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and - * the footer "-----END PRIVATE KEY-----" */ -#define 
ML_DSA_LEVEL3_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE - -#define ML_DSA_LEVEL5_KEY_SIZE 4896 -#define ML_DSA_LEVEL5_SIG_SIZE 4627 -#define ML_DSA_LEVEL5_PUB_KEY_SIZE 2592 -#define ML_DSA_LEVEL5_PRV_KEY_SIZE \ - (ML_DSA_LEVEL5_PUB_KEY_SIZE + ML_DSA_LEVEL5_KEY_SIZE) -/* Buffer sizes large enough to store exported DER encoded keys */ -#define ML_DSA_LEVEL5_PUB_KEY_DER_SIZE DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE -#define ML_DSA_LEVEL5_PRV_KEY_DER_SIZE DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE -#define ML_DSA_LEVEL5_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and - * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ -#define ML_DSA_LEVEL5_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE - - - -/* Modulus. */ -#define DILITHIUM_Q 0x7fe001 -/* Number of bits in modulus. */ -#define DILITHIUM_Q_BITS 23 -/* Number of elements in polynomial. */ -#define DILITHIUM_N 256 -#define MLDSA_N 256 - -/* Number of dropped bits. */ -#define DILITHIUM_D 13 -/* Maximum value of dropped bits. */ -#define DILITHIUM_D_MAX ((sword32)1 << DILITHIUM_D) -/* Half maximum value. */ -#define DILITHIUM_D_MAX_HALF ((sword32)1 << (DILITHIUM_D - 1)) -/* Number of undropped bits. */ -#define DILITHIUM_U (DILITHIUM_Q_BITS - DILITHIUM_D) - -/* Bits in coefficient range of y, GAMMA1, of 2^17 is 17. */ -#define DILITHIUM_GAMMA1_BITS_17 17 -/* Coefficient range of y, GAMMA1, of 2^17. */ -#define DILITHIUM_GAMMA1_17 ((sword32)1 << 17) -/* # encoding bits of y is GAMMA1 + 1. */ -#define DILITHIUM_GAMMA1_17_ENC_BITS 18 -/* Coefficient range of y, GAMMA1, of 2^17. */ -/* Bits in coefficient range of y, GAMMA1, of 2^19 is 19. */ -#define DILITHIUM_GAMMA1_BITS_19 19 -/* Coefficient range of y, GAMMA1, of 2^19. */ -#define DILITHIUM_GAMMA1_19 ((sword32)1 << 19) -/* # encoding bits of y is GAMMA1 + 1. */ -#define DILITHIUM_GAMMA1_19_ENC_BITS 20 - -/* Low-order rounding range, GAMMA2, is Q divided by 88. 
*/ -#define DILITHIUM_Q_LOW_88 ((DILITHIUM_Q - 1) / 88) -/* Absolute low-order rounding range, GAMMA2, is Q divided by 88. */ -#define DILITHIUM_Q_LOW_88_2 (((DILITHIUM_Q - 1) / 88) * 2) -/* # encoding bits of w1 when range is 88. */ -#define DILITHIUM_Q_HI_88_ENC_BITS 6 -/* Low-order rounding range, GAMMA2, is Q divided by 32. */ -#define DILITHIUM_Q_LOW_32 ((DILITHIUM_Q - 1) / 32) -/* Absolute low-order rounding range, GAMMA2, is Q divided by 32. */ -#define DILITHIUM_Q_LOW_32_2 (((DILITHIUM_Q - 1) / 32) * 2) -/* # encoding bits of w1 when range is 32. */ -#define DILITHIUM_Q_HI_32_ENC_BITS 4 - -/* Private key range, eta, of 2. */ -#define DILITHIUM_ETA_2 2 -/* Bits needed to encode values in range -2..2 as a positive number. */ -#define DILITHIUM_ETA_2_BITS 3 -/* Extract count of valid values. */ -#define DILITHIUM_ETA_2_MOD 15 -/* Private key range, eta, of 4. */ -#define DILITHIUM_ETA_4 4 -/* Bits needed to encode values in range -4..4 as a positive number. */ -#define DILITHIUM_ETA_4_BITS 4 -/* Extract count of valid values. */ -#define DILITHIUM_ETA_4_MOD 9 - -/* Number of bytes in a polynomial in memory. */ -#define DILITHIUM_POLY_SIZE (DILITHIUM_N * sizeof(sword32)) - -#ifndef WOLFSSL_NO_ML_DSA_44 - -/* Fist dimension of A, k, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_K 4 -/* Second dimension of A, l, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_L 4 -/* Private key range, ETA, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_ETA DILITHIUM_ETA_2 -/* Number of bits in private key for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_ETA_BITS DILITHIUM_ETA_2_BITS -/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_LAMBDA 128 -/* # +/-1's in polynomial c, TAU, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_TAU 39 -/* BETA = TAU * ETA for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_BETA \ -(PARAMS_ML_DSA_44_TAU * PARAMS_ML_DSA_44_ETA) -/* Max # 1's in the hint h, OMEGA, for ML-DSA-44. 
*/ -#define PARAMS_ML_DSA_44_OMEGA 80 -/* Bits in coefficient range of y, GAMMA1, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_17 -/* Ccoefficient range of y, GAMMA1, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_GAMMA1 \ - ((sword32)1 << PARAMS_ML_DSA_44_GAMMA1_BITS) -/* Low-order rounding range, GAMMA2, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_GAMMA2 DILITHIUM_Q_LOW_88 -/* Bits in high-order rounding range, GAMMA2, for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_GAMMA2_HI_BITS 6 -/* Encoding size of w1 in bytes for ML-DSA-44. - * K * N / 8 * 6 - 6 bits as max value is 43 in high bits. */ -#define PARAMS_ML_DSA_44_W1_ENC_SZ \ - (PARAMS_ML_DSA_44_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_44_GAMMA2_HI_BITS) -/* Size of memory used for matrix a in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_A_SIZE \ - (PARAMS_ML_DSA_44_K * PARAMS_ML_DSA_44_L * DILITHIUM_POLY_SIZE) -/* Size of memory used for vector s1 in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_S1_SIZE \ - (PARAMS_ML_DSA_44_L * DILITHIUM_POLY_SIZE) -/* Encoding size of s1 in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_S1_ENC_SIZE \ - (PARAMS_ML_DSA_44_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_44_ETA_BITS / 8) -/* Size of memory used for vector s2 in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_S2_SIZE \ - (PARAMS_ML_DSA_44_K * DILITHIUM_POLY_SIZE) -/* Encoding size of s2 in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_S2_ENC_SIZE \ - (PARAMS_ML_DSA_44_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_44_ETA_BITS / 8) -/* Encoding size of z in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_Z_ENC_SIZE \ - (PARAMS_ML_DSA_44_S1_SIZE / sizeof(sword32) / 8 * \ - (PARAMS_ML_DSA_44_GAMMA1_BITS + 1)) -/* Encoding size of public key in bytes for ML-DSA-44. */ -#define PARAMS_ML_DSA_44_PK_SIZE \ - (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_44_K * DILITHIUM_N * DILITHIUM_U / 8) -/* Encoding size of signature in bytes for ML-DSA-44. 
*/ -#define PARAMS_ML_DSA_44_SIG_SIZE \ - ((PARAMS_ML_DSA_44_LAMBDA / 4) + \ - PARAMS_ML_DSA_44_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_44_GAMMA1_BITS + 1) + \ - PARAMS_ML_DSA_44_OMEGA + PARAMS_ML_DSA_44_K) - -#endif /* WOLFSSL_NO_ML_DSA_44 */ - -#ifndef WOLFSSL_NO_ML_DSA_65 - -/* Fist dimension of A, k, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_K 6 -/* Second dimension of A, l, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_L 5 -/* Private key range, ETA, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_ETA DILITHIUM_ETA_4 -/* Number of bits in private key for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_ETA_BITS DILITHIUM_ETA_4_BITS -/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_LAMBDA 192 -/* # +/-1's in polynomial c, TAU, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_TAU 49 -/* BETA = TAU * ETA for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_BETA \ - (PARAMS_ML_DSA_65_TAU * PARAMS_ML_DSA_65_ETA) -/* Max # 1's in the hint h, OMEGA, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_OMEGA 55 -/* Bits in coefficient range of y, GAMMA1, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_19 -/* Coefficient range of y, GAMMA1, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_GAMMA1 \ - ((sword32)1 << PARAMS_ML_DSA_65_GAMMA1_BITS) -/* Low-order rounding range, GAMMA2, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_GAMMA2 DILITHIUM_Q_LOW_32 -/* Bits in high-order rounding range, GAMMA2, for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_GAMMA2_HI_BITS 4 -/* Encoding size of w1 in bytes for ML-DSA-65. - * K * N / 8 * 4 - 4 bits as max value is 15 in high bits. */ -#define PARAMS_ML_DSA_65_W1_ENC_SZ \ - (PARAMS_ML_DSA_65_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_65_GAMMA2_HI_BITS) -/* Size of memory used for matrix a in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_A_SIZE \ - (PARAMS_ML_DSA_65_K * PARAMS_ML_DSA_65_L * DILITHIUM_POLY_SIZE) -/* Size of memory used for vector s1 in bytes for ML-DSA-65. 
*/ -#define PARAMS_ML_DSA_65_S1_SIZE \ - (PARAMS_ML_DSA_65_L * DILITHIUM_POLY_SIZE) -/* Encoding size of s1 in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_S1_ENC_SIZE \ - (PARAMS_ML_DSA_65_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_65_ETA_BITS / 8) -/* Size of memory used for vector s2 in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_S2_SIZE \ - (PARAMS_ML_DSA_65_K * DILITHIUM_POLY_SIZE) -/* Encoding size of s2 in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_S2_ENC_SIZE \ - (PARAMS_ML_DSA_65_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_65_ETA_BITS / 8) -/* Encoding size of z in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_Z_ENC_SIZE \ - (PARAMS_ML_DSA_65_S1_SIZE / sizeof(sword32) / 8 * \ - (PARAMS_ML_DSA_65_GAMMA1_BITS + 1)) -/* Encoding size of public key in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_PK_SIZE \ - (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_65_K * DILITHIUM_N * DILITHIUM_U / 8) -/* Encoding size of signature in bytes for ML-DSA-65. */ -#define PARAMS_ML_DSA_65_SIG_SIZE \ - ((PARAMS_ML_DSA_65_LAMBDA / 4) + \ - PARAMS_ML_DSA_65_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_65_GAMMA1_BITS + 1) + \ - PARAMS_ML_DSA_65_OMEGA + PARAMS_ML_DSA_65_K) - -#endif /* WOLFSSL_NO_ML_DSA_65 */ - -#ifndef WOLFSSL_NO_ML_DSA_87 - -/* Fist dimension of A, k, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_K 8 -/* Second dimension of A, l, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_L 7 -/* Private key range, ETA, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_ETA DILITHIUM_ETA_2 -/* Number of bits in private key for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_ETA_BITS DILITHIUM_ETA_2_BITS -/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_LAMBDA 256 -/* # +/-1's in polynomial c, TAU, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_TAU 60 -/* BETA = TAU * ETA for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_BETA \ - (PARAMS_ML_DSA_87_TAU * PARAMS_ML_DSA_87_ETA) -/* Max # 1's in the hint h, OMEGA, for ML-DSA-87. 
*/ -#define PARAMS_ML_DSA_87_OMEGA 75 -/* Bits in coefficient range of y, GAMMA1, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_19 -/* Ccoefficient range of y, GAMMA1, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_GAMMA1 \ - ((sword32)1 << PARAMS_ML_DSA_87_GAMMA1_BITS) -/* Low-order rounding range, GAMMA2, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_GAMMA2 DILITHIUM_Q_LOW_32 -/* Bits in high-order rounding range, GAMMA2, for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_GAMMA2_HI_BITS 4 -/* Encoding size of w1 in bytes for ML-DSA-87. - * K * N / 8 * 4 - 4 bits as max value is 15 in high bits. */ -#define PARAMS_ML_DSA_87_W1_ENC_SZ \ - (PARAMS_ML_DSA_87_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_87_GAMMA2_HI_BITS) -/* Size of memory used for matrix A in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_A_SIZE \ - (PARAMS_ML_DSA_87_K * PARAMS_ML_DSA_87_L * DILITHIUM_POLY_SIZE) -#define PARAMS_ML_DSA_87_S_SIZE 4 -/* Size of memory used for vector s1 in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_S1_SIZE \ - (PARAMS_ML_DSA_87_L * DILITHIUM_POLY_SIZE) -/* Encoding size of s1 in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_S1_ENC_SIZE \ - (PARAMS_ML_DSA_87_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_87_ETA_BITS / 8) -/* Size of memory used for vector s2 in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_S2_SIZE \ - (PARAMS_ML_DSA_87_K * DILITHIUM_POLY_SIZE) -/* Encoding size of s2 in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_S2_ENC_SIZE \ - (PARAMS_ML_DSA_87_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_87_ETA_BITS / 8) -/* Encoding size of z in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_Z_ENC_SIZE \ - (PARAMS_ML_DSA_87_S1_SIZE / sizeof(sword32) / 8 * \ - (PARAMS_ML_DSA_87_GAMMA1_BITS + 1)) -/* Encoding size of public key in bytes for ML-DSA-87. */ -#define PARAMS_ML_DSA_87_PK_SIZE \ - (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_87_K * DILITHIUM_N * DILITHIUM_U / 8) -/* Encoding size of signature in bytes for ML-DSA-87. 
*/ -#define PARAMS_ML_DSA_87_SIG_SIZE \ - ((PARAMS_ML_DSA_87_LAMBDA / 4) + \ - PARAMS_ML_DSA_87_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_87_GAMMA1_BITS + 1) + \ - PARAMS_ML_DSA_87_OMEGA + PARAMS_ML_DSA_87_K) - -#endif /* WOLFSSL_NO_ML_DSA_87 */ - - -#ifndef WOLFSSL_NO_ML_DSA_87 - -#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_87_W1_ENC_SZ -/* Maximum collision strength of c-tilde in bytes. */ -#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_87_LAMBDA - -/* Maximum count of elements of a vector with dimension K. */ -#define DILITHIUM_MAX_K_VECTOR_COUNT \ - (PARAMS_ML_DSA_87_K * DILITHIUM_N) -/* Maximum count of elements of a vector with dimension L. */ -#define DILITHIUM_MAX_L_VECTOR_COUNT \ - (PARAMS_ML_DSA_87_L * DILITHIUM_N) -/* Maximum count of elements of a matrix with dimension KxL. */ -#define DILITHIUM_MAX_MATRIX_COUNT \ - (PARAMS_ML_DSA_87_K * PARAMS_ML_DSA_87_L * DILITHIUM_N) - -#elif !defined(WOLFSSL_NO_ML_DSA_65) - -/* Maximum w1 encoding size in bytes. */ -#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_65_W1_ENC_SZ -/* Maximum collision strength of c-tilde in bytes. */ -#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_65_LAMBDA - -/* Maximum count of elements of a vector with dimension K. */ -#define DILITHIUM_MAX_K_VECTOR_COUNT \ - (PARAMS_ML_DSA_65_K * DILITHIUM_N) -/* Maximum count of elements of a vector with dimension L. */ -#define DILITHIUM_MAX_L_VECTOR_COUNT \ - (PARAMS_ML_DSA_65_L * DILITHIUM_N) -/* Maximum count of elements of a matrix with dimension KxL. */ -#define DILITHIUM_MAX_MATRIX_COUNT \ - (PARAMS_ML_DSA_65_K * PARAMS_ML_DSA_65_L * DILITHIUM_N) - -#else - -/* Maximum w1 encoding size in bytes. */ -#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_44_W1_ENC_SZ -/* Maximum collision strength of c-tilde in bytes. */ -#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_44_LAMBDA - -/* Maximum count of elements of a vector with dimension K. 
*/ -#define DILITHIUM_MAX_K_VECTOR_COUNT \ - (PARAMS_ML_DSA_44_K * DILITHIUM_N) -/* Maximum count of elements of a vector with dimension L. */ -#define DILITHIUM_MAX_L_VECTOR_COUNT \ - (PARAMS_ML_DSA_44_L * DILITHIUM_N) -/* Maximum count of elements of a matrix with dimension KxL. */ -#define DILITHIUM_MAX_MATRIX_COUNT \ - (PARAMS_ML_DSA_44_K * PARAMS_ML_DSA_44_L * DILITHIUM_N) - #endif - -/* Length of K in bytes. */ -#define DILITHIUM_K_SZ 32 -/* Length of TR in bytes. */ -#define DILITHIUM_TR_SZ 64 -/* Length of public key seed in bytes when expanding a. */ -#define DILITHIUM_PUB_SEED_SZ 32 -/* Length of private key seed in bytes when generating a key. */ -#define DILITHIUM_PRIV_SEED_SZ 64 - -/* Length of seed when creating vector c. */ -#define DILITHIUM_SEED_SZ 32 -/* Length of seeds created when making a key. */ -#define DILITHIUM_SEEDS_SZ 128 - -/* Length of MU in bytes. */ -#define DILITHIUM_MU_SZ 64 -/* Length of random in bytes when generating a signature. */ -#define DILITHIUM_RND_SZ 32 -/* Length of private random in bytes when generating a signature. */ -#define DILITHIUM_PRIV_RAND_SEED_SZ 64 - -/* 5 blocks, each block 21 * 8 bytes = 840 bytes. - * Minimum required is 256 * 3 = 768. */ -#define DILITHIUM_GEN_A_NBLOCKS 5 -/* Number of bytes to generate with Shake128 when generating A. */ -#define DILITHIUM_GEN_A_BYTES \ - (DILITHIUM_GEN_A_NBLOCKS * WC_SHA3_128_COUNT * 8) -/* Number of bytes to a block of SHAKE-128 when generating A. */ -#define DILITHIUM_GEN_A_BLOCK_BYTES (WC_SHA3_128_COUNT * 8) - -/* Number of bytes to a block of SHAKE-256 when generating c. */ -#define DILITHIUM_GEN_C_BLOCK_BYTES (WC_SHA3_256_COUNT * 8) - - -#ifndef WOLFSSL_DILITHIUM_SMALL -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) - /* A block SHAKE-128 output plus one for reading 4 bytes at a time. */ - #define DILITHIUM_REJ_NTT_POLY_H_SIZE (DILITHIUM_GEN_A_BYTES + 1) -#else - /* A block SHAKE-128 output. 
*/ - #define DILITHIUM_REJ_NTT_POLY_H_SIZE DILITHIUM_GEN_A_BYTES -#endif /* LITTLE_ENDIAN_ORDER && WOLFSSL_DILITHIUM_ALIGNMENT == 0 */ -#else -#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_DILITHIUM_ALIGNMENT == 0) - /* A block SHAKE-128 output plus one for reading 4 bytes at a time. */ - #define DILITHIUM_REJ_NTT_POLY_H_SIZE (DILITHIUM_GEN_A_BLOCK_BYTES + 1) -#else - /* A block SHAKE-128 output. */ - #define DILITHIUM_REJ_NTT_POLY_H_SIZE DILITHIUM_GEN_A_BLOCK_BYTES -#endif /* LITTLE_ENDIAN_ORDER && WOLFSSL_DILITHIUM_ALIGNMENT == 0 */ +#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC + #define WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC + #endif #endif - -#ifndef WOLFSSL_NO_ML_DSA_87 - -#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL5_KEY_SIZE -#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL5_SIG_SIZE -#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL5_PUB_KEY_SIZE -#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL5_PRV_KEY_SIZE -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE -#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE -#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and - * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ -#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE - -#elif !defined(WOLFSSL_NO_ML_DSA_65) - -#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL3_KEY_SIZE -#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL3_SIG_SIZE -#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL3_PUB_KEY_SIZE -#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL3_PRV_KEY_SIZE -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE -#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE 
-#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and - * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ -#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE - -#elif !defined(WOLFSSL_NO_ML_DSA_44) - -#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL2_KEY_SIZE -#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL2_SIG_SIZE -#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL2_PUB_KEY_SIZE -#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL2_PRV_KEY_SIZE -/* Buffer sizes large enough to store exported DER encoded keys */ -#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE -#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE -#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE -/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and - * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ -#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE - -#else - -#error ML-DSA: All levels disabled. 
- +#ifdef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A + #ifndef WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A + #define WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A \ + WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A + #endif #endif - - -#ifdef WOLF_PRIVATE_KEY_ID -#define DILITHIUM_MAX_ID_LEN 32 -#define DILITHIUM_MAX_LABEL_LEN 32 +#ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_W0 + #ifndef WOLFSSL_MLDSA_SIGN_CHECK_W0 + #define WOLFSSL_MLDSA_SIGN_CHECK_W0 + #endif #endif - -/* Structs */ - -typedef struct wc_dilithium_params { - byte level; - byte k; - byte l; - byte eta; - byte eta_bits; - byte tau; - byte beta; - byte omega; - word16 lambda; - byte gamma1_bits; - sword32 gamma2; - word32 w1EncSz; - word16 aSz; - word16 s1Sz; - word16 s1EncSz; - word16 s2Sz; - word16 s2EncSz; - word16 zEncSz; - word16 pkSz; - word16 sigSz; -} wc_dilithium_params; - -struct dilithium_key { - byte pubKeySet; - byte prvKeySet; - byte level; /* 2,3 or 5 */ -#if defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) - word32 kSz; /* allocated size of secret key buffer */ +#ifdef WOLFSSL_DILITHIUM_SIGN_CHECK_Y + #ifndef WOLFSSL_MLDSA_SIGN_CHECK_Y + #define WOLFSSL_MLDSA_SIGN_CHECK_Y + #endif #endif - - void* heap; /* heap hint */ - -#ifdef WOLF_CRYPTO_CB - void* devCtx; - int devId; +#ifdef WOLFSSL_DILITHIUM_CHECK_KEY + #ifndef WOLFSSL_MLDSA_CHECK_KEY + #define WOLFSSL_MLDSA_CHECK_KEY + #endif #endif -#ifdef WOLF_PRIVATE_KEY_ID - byte id[DILITHIUM_MAX_ID_LEN]; - int idLen; - char label[DILITHIUM_MAX_LABEL_LEN]; - int labelLen; +#ifdef WOLFSSL_DILITHIUM_NO_CHECK_KEY + #ifndef WOLFSSL_MLDSA_NO_CHECK_KEY + #define WOLFSSL_MLDSA_NO_CHECK_KEY + #endif #endif - -#if defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) - byte* p; /* heap-allocated, right-sized public key */ - byte* k; /* heap-allocated, right-sized secret key */ -#elif !defined(WOLFSSL_DILITHIUM_ASSIGN_KEY) -#ifdef USE_INTEL_SPEEDUP - byte p[DILITHIUM_MAX_PUB_KEY_SIZE+8]; -#if !defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - byte k[DILITHIUM_MAX_KEY_SIZE+8]; +#ifdef 
WOLFSSL_DILITHIUM_PUBLIC_KEY + #ifndef WOLFSSL_MLDSA_PUBLIC_KEY + #define WOLFSSL_MLDSA_PUBLIC_KEY + #endif #endif -#else - byte p[DILITHIUM_MAX_PUB_KEY_SIZE]; -#if !defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - byte k[DILITHIUM_MAX_KEY_SIZE]; +#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY + #ifndef WOLFSSL_MLDSA_PRIVATE_KEY + #define WOLFSSL_MLDSA_PRIVATE_KEY + #endif #endif +#ifdef WOLFSSL_DILITHIUM_DYNAMIC_KEYS + #ifndef WOLFSSL_MLDSA_DYNAMIC_KEYS + #define WOLFSSL_MLDSA_DYNAMIC_KEYS + #endif #endif -#else - const byte* p; - const byte* k; +#ifdef WOLFSSL_DILITHIUM_ASSIGN_KEY + #ifndef WOLFSSL_MLDSA_ASSIGN_KEY + #define WOLFSSL_MLDSA_ASSIGN_KEY + #endif #endif - - const wc_dilithium_params* params; - wc_Shake shake; -#ifndef WC_DILITHIUM_FIXED_ARRAY -#ifdef WC_DILITHIUM_CACHE_MATRIX_A - sword32* a; - byte aSet; +#ifdef WOLFSSL_DILITHIUM_ALIGNMENT + #ifndef WOLFSSL_MLDSA_ALIGNMENT + #define WOLFSSL_MLDSA_ALIGNMENT WOLFSSL_DILITHIUM_ALIGNMENT + #endif #endif -#ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS - sword32* s1; - sword32* s2; - sword32* t0; - byte privVecsSet; +#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT + #ifndef WOLFSSL_MLDSA_FIPS204_DRAFT + #define WOLFSSL_MLDSA_FIPS204_DRAFT + #endif #endif -#ifdef WC_DILITHIUM_CACHE_PUB_VECTORS - sword32* t1; - byte pubVecSet; +#ifdef WOLFSSL_DILITHIUM_NO_MAKE + #ifndef WOLFSSL_MLDSA_NO_MAKE + #define WOLFSSL_MLDSA_NO_MAKE + #endif +#endif +#ifdef WOLFSSL_DILITHIUM_REVERSE_HASH_OID + #ifndef WOLFSSL_MLDSA_REVERSE_HASH_OID + #define WOLFSSL_MLDSA_REVERSE_HASH_OID + #endif #endif -#else #ifdef WC_DILITHIUM_CACHE_MATRIX_A - sword32 a[DILITHIUM_MAX_MATRIX_COUNT]; - byte aSet; + #ifndef WC_MLDSA_CACHE_MATRIX_A + #define WC_MLDSA_CACHE_MATRIX_A + #endif #endif #ifdef WC_DILITHIUM_CACHE_PRIV_VECTORS - sword32 s1[DILITHIUM_MAX_L_VECTOR_COUNT]; - sword32 s2[DILITHIUM_MAX_K_VECTOR_COUNT]; - sword32 t0[DILITHIUM_MAX_K_VECTOR_COUNT]; - byte privVecsSet; + #ifndef WC_MLDSA_CACHE_PRIV_VECTORS + #define WC_MLDSA_CACHE_PRIV_VECTORS + #endif #endif #ifdef 
WC_DILITHIUM_CACHE_PUB_VECTORS - sword32 t1[DILITHIUM_MAX_K_VECTOR_COUNT]; - byte pubVecSet; -#endif + #ifndef WC_MLDSA_CACHE_PUB_VECTORS + #define WC_MLDSA_CACHE_PUB_VECTORS + #endif #endif -#if defined(WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC) && \ - defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) - sword32 z[DILITHIUM_MAX_L_VECTOR_COUNT]; - sword32 c[DILITHIUM_N]; - sword32 w[DILITHIUM_N]; - sword32 t1[DILITHIUM_N]; - byte w1e[DILITHIUM_MAX_W1_ENC_SZ]; -#ifdef WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 - sword64 t64[DILITHIUM_N]; +#ifdef WC_DILITHIUM_FIXED_ARRAY + #ifndef WC_MLDSA_FIXED_ARRAY + #define WC_MLDSA_FIXED_ARRAY + #endif #endif - byte h[DILITHIUM_REJ_NTT_POLY_H_SIZE]; - byte block[DILITHIUM_GEN_C_BLOCK_BYTES]; -#endif /* WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC && - * WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM */ -}; -#ifndef WC_DILITHIUMKEY_TYPE_DEFINED - typedef struct dilithium_key dilithium_key; - #define WC_DILITHIUMKEY_TYPE_DEFINED -#endif +#endif /* !WOLFSSL_NO_DILITHIUM_LEGACY_GATES */ -/* When WOLFSSL_DILITHIUM_FIPS204_DRAFT is enabled the legacy (pre-FIPS 204) - * no-context sign/verify API is required to handle draft-format signatures. */ -#if defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) && \ - !defined(WOLFSSL_DILITHIUM_NO_CTX) - #define WOLFSSL_DILITHIUM_NO_CTX -#endif - -/* Functions */ +/* === wc_mldsa.h is now reachable with canonical gates correctly set === */ -#ifndef WOLFSSL_DILITHIUM_VERIFY_ONLY -WOLFSSL_API -int wc_dilithium_make_key(dilithium_key* key, WC_RNG* rng); -WOLFSSL_API -int wc_dilithium_make_key_from_seed(dilithium_key* key, const byte* seed); +#include -/* Legacy sign API without context parameter (pre-FIPS 204). - * Only available when WOLFSSL_DILITHIUM_NO_CTX is defined. - * New code should use wc_dilithium_sign_ctx_msg() with ctx=NULL/ctxLen=0 - * for FIPS 204 compliant signing with an empty context. 
*/ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -WOLFSSL_API -int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, - word32* sigLen, dilithium_key* key, WC_RNG* rng); -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ -WOLFSSL_API -int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, - word32 msgLen, byte* sig, word32* sigLen, dilithium_key* key, WC_RNG* rng); -WOLFSSL_API -int wc_dilithium_sign_ctx_hash(const byte* ctx, byte ctxLen, int hashAlg, - const byte* hash, word32 hashLen, byte* sig, word32* sigLen, - dilithium_key* key, WC_RNG* rng); -/* Legacy seed-based sign API without context parameter (pre-FIPS 204). - * Only available when WOLFSSL_DILITHIUM_NO_CTX is defined. - * New code should use wc_dilithium_sign_ctx_msg_with_seed() instead. */ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -WOLFSSL_API -int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, - word32 *sigLen, dilithium_key* key, const byte* seed); -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ -WOLFSSL_API -int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, - const byte* msg, word32 msgLen, byte* sig, word32 *sigLen, - dilithium_key* key, const byte* seed); -WOLFSSL_API -int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen, - int hashAlg, const byte* hash, word32 hashLen, byte* sig, word32 *sigLen, - dilithium_key* key, const byte* seed); -WOLFSSL_API -int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen, - byte* sig, word32 *sigLen, dilithium_key* key, const byte* seed); -#endif /* !WOLFSSL_DILITHIUM_VERIFY_ONLY */ -/* Legacy verify API without context parameter (pre-FIPS 204). - * Only available when WOLFSSL_DILITHIUM_NO_CTX is defined. - * New code should use wc_dilithium_verify_ctx_msg() with ctx=NULL/ctxLen=0 - * for FIPS 204 compliant verification with an empty context. 
*/ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -WOLFSSL_API -int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, - word32 msgLen, int* res, dilithium_key* key); -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ -WOLFSSL_API -int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, - byte ctxLen, const byte* msg, word32 msgLen, int* res, - dilithium_key* key); -WOLFSSL_API -int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen, - const byte* ctx, byte ctxLen, int hashAlg, const byte* hash, - word32 hashLen, int* res, dilithium_key* key); -WOLFSSL_API -int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu, - word32 muLen, int* res, dilithium_key* key); - -#ifndef WC_NO_CONSTRUCTORS -WOLFSSL_API -dilithium_key* wc_dilithium_new(void* heap, int devId); -WOLFSSL_API -int wc_dilithium_delete(dilithium_key* key, dilithium_key** key_p); -#endif /* !WC_NO_CONSTRUCTORS */ - -WOLFSSL_API -int wc_dilithium_init(dilithium_key* key); - -WOLFSSL_API -int wc_dilithium_init_ex(dilithium_key* key, void* heap, int devId); - -#ifdef WOLF_PRIVATE_KEY_ID -WOLFSSL_API -int wc_dilithium_init_id(dilithium_key* key, const unsigned char* id, int len, - void* heap, int devId); -WOLFSSL_API -int wc_dilithium_init_label(dilithium_key* key, const char* label, void* heap, - int devId); +/* Canonical -> legacy (reverse arm). When the canonical name is defined + * (e.g. by a build system that emits -DWOLFSSL_HAVE_MLDSA), also define + * the legacy gate name so unmigrated consumer code that still gates on + * WOLFSSL_DILITHIUM_* / WC_DILITHIUM_* keeps compiling. The library's own + * sources gate on the canonical names; this arm exists for in-tree + * consumer files that haven't been migrated yet (and for downstream code + * that mixes legacy + canonical references). 
+ * + * Runs AFTER the include of wc_mldsa.h so derived canonical gates that + * are computed inside wc_mldsa.h (WOLFSSL_MLDSA_PUBLIC_KEY, + * WOLFSSL_MLDSA_PRIVATE_KEY, WOLFSSL_MLDSA_CHECK_KEY) are visible to the + * reverse propagation. */ +#ifndef WOLFSSL_NO_DILITHIUM_LEGACY_GATES +#if defined(WOLFSSL_MLDSA_NO_MAKE_KEY) && !defined(WOLFSSL_DILITHIUM_NO_MAKE_KEY) + #define WOLFSSL_DILITHIUM_NO_MAKE_KEY #endif - -WOLFSSL_API -int wc_dilithium_set_level(dilithium_key* key, byte level); -WOLFSSL_API -int wc_dilithium_get_level(dilithium_key* key, byte* level); -WOLFSSL_API -void wc_dilithium_free(dilithium_key* key); - -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY -WOLFSSL_API -int wc_dilithium_size(dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_SIGN) && !defined(WOLFSSL_DILITHIUM_NO_SIGN) + #define WOLFSSL_DILITHIUM_NO_SIGN #endif -#if defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) && \ - defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) -WOLFSSL_API -int wc_dilithium_priv_size(dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_VERIFY) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) + #define WOLFSSL_DILITHIUM_NO_VERIFY #endif -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY -WOLFSSL_API -int wc_dilithium_pub_size(dilithium_key* key); +#if defined(WOLFSSL_MLDSA_VERIFY_ONLY) && !defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) + #define WOLFSSL_DILITHIUM_VERIFY_ONLY #endif -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || !defined(WOLFSSL_DILITHIUM_NO_VERIFY) -WOLFSSL_API -int wc_dilithium_sig_size(dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_CTX) && !defined(WOLFSSL_DILITHIUM_NO_CTX) + #define WOLFSSL_DILITHIUM_NO_CTX #endif - -#ifdef WOLFSSL_DILITHIUM_CHECK_KEY -WOLFSSL_API -int wc_dilithium_check_key(dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_ASN1) && !defined(WOLFSSL_DILITHIUM_NO_ASN1) + #define WOLFSSL_DILITHIUM_NO_ASN1 #endif - -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY -WOLFSSL_API -int wc_dilithium_import_public(const byte* in, word32 inLen, - dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_LARGE_CODE) && 
!defined(WOLFSSL_DILITHIUM_NO_LARGE_CODE) + #define WOLFSSL_DILITHIUM_NO_LARGE_CODE #endif -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY -WOLFSSL_API -int wc_dilithium_import_private(const byte* priv, word32 privSz, - dilithium_key* key); -#define wc_dilithium_import_private_only wc_dilithium_import_private -WOLFSSL_API -int wc_dilithium_import_key(const byte* priv, word32 privSz, - const byte* pub, word32 pubSz, dilithium_key* key); +#if defined(WOLFSSL_MLDSA_NO_MAKE) && !defined(WOLFSSL_DILITHIUM_NO_MAKE) + #define WOLFSSL_DILITHIUM_NO_MAKE #endif - -#ifdef WOLFSSL_DILITHIUM_PUBLIC_KEY -WOLFSSL_API -int wc_dilithium_export_public(dilithium_key* key, byte* out, word32* outLen); +#if defined(WOLFSSL_MLDSA_SMALL) && !defined(WOLFSSL_DILITHIUM_SMALL) + #define WOLFSSL_DILITHIUM_SMALL #endif -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY -WOLFSSL_API -int wc_dilithium_export_private(dilithium_key* key, byte* out, word32* outLen); -#define wc_dilithium_export_private_only wc_dilithium_export_private +#if defined(WOLFSSL_MLDSA_SMALL_MEM_POLY64) && !defined(WOLFSSL_DILITHIUM_SMALL_MEM_POLY64) + #define WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 #endif -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY -WOLFSSL_API -int wc_dilithium_export_key(dilithium_key* key, byte* priv, word32 *privSz, - byte* pub, word32 *pubSz); +#if defined(WOLFSSL_MLDSA_VERIFY_NO_MALLOC) && !defined(WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC) + #define WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC #endif - -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 -WOLFSSL_LOCAL int dilithium_get_oid_sum(dilithium_key* key, int* keyFormat); -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ - -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 -#if defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) -WOLFSSL_API int wc_Dilithium_PrivateKeyDecode(const byte* input, - word32* inOutIdx, dilithium_key* key, word32 inSz); +#if defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM) && !defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) + #define WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM #endif -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ -#ifdef 
WOLFSSL_DILITHIUM_PUBLIC_KEY -WOLFSSL_API int wc_Dilithium_PublicKeyDecode(const byte* input, - word32* inOutIdx, dilithium_key* key, word32 inSz); +#if defined(WOLFSSL_MLDSA_MAKE_KEY_SMALL_MEM) && !defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM) + #define WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM #endif - -#ifndef WOLFSSL_DILITHIUM_NO_ASN1 -#ifdef WC_ENABLE_ASYM_KEY_EXPORT -WOLFSSL_API int wc_Dilithium_PublicKeyToDer(dilithium_key* key, byte* output, - word32 inLen, int withAlg); +#if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM) && !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) + #define WOLFSSL_DILITHIUM_SIGN_SMALL_MEM #endif -#if defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) -WOLFSSL_API int wc_Dilithium_KeyToDer(dilithium_key* key, byte* output, - word32 inLen); +#if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC) && !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC) + #define WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC #endif -#ifdef WOLFSSL_DILITHIUM_PRIVATE_KEY -WOLFSSL_API int wc_Dilithium_PrivateKeyToDer(dilithium_key* key, byte* output, - word32 inLen); +#if defined(WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A) && !defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A) + #define WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A \ + WOLFSSL_MLDSA_SIGN_SMALL_MEM_PRECALC_A #endif -#endif /* WOLFSSL_DILITHIUM_NO_ASN1 */ - -#ifdef USE_INTEL_SPEEDUP -WOLFSSL_LOCAL void wc_mldsa_poly_red_avx2(sword32* a); - -WOLFSSL_LOCAL void wc_mldsa_ntt_avx2(sword32* r); -WOLFSSL_LOCAL void wc_mldsa_ntt_full_avx2(sword32* r); -WOLFSSL_LOCAL void wc_mldsa_invntt_avx2(sword32* r); -WOLFSSL_LOCAL void wc_mldsa_invntt_full_avx2(sword32* r); - -WOLFSSL_LOCAL void wc_mldsa_mul_avx2(sword32* r, const sword32* a, - const sword32* b); -WOLFSSL_LOCAL void wc_mldsa_mul_vec_4_avx2(sword32* r, const sword32* a, - const sword32* b); -WOLFSSL_LOCAL void wc_mldsa_mul_vec_5_avx2(sword32* r, const sword32* a, - const sword32* b); -WOLFSSL_LOCAL void wc_mldsa_mul_vec_7_avx2(sword32* r, const sword32* a, - const sword32* b); -WOLFSSL_LOCAL 
void wc_mldsa_matrix_mul_4x4_avx2(sword32* r, const sword32* m, - const sword32* v); -WOLFSSL_LOCAL void wc_mldsa_matrix_mul_6x5_avx2(sword32* r, const sword32* m, - const sword32* v); -WOLFSSL_LOCAL void wc_mldsa_matrix_mul_8x7_avx2(sword32* r, const sword32* m, - const sword32* v); - -WOLFSSL_LOCAL void wc_mldsa_redistribute_21_rand_avx2(word64* s, byte* r0, - byte* r1, byte* r2, byte* r3); -WOLFSSL_LOCAL int wc_mldsa_rej_uniform_n_avx2(sword32* a, word32 len, - const byte* r, word32 rLen); -WOLFSSL_LOCAL int wc_mldsa_rej_uniform_avx2(sword32* a, word32 len, - const byte* r, word32 rLen); - -WOLFSSL_LOCAL void wc_mldsa_redistribute_17_rand_avx2(word64* s, byte* r0, - byte* r1, byte* r2, byte* r3); -WOLFSSL_LOCAL void wc_mldsa_extract_coeffs_eta2_avx2(const byte* z, - unsigned int zLen, sword32* s, unsigned int* cnt); -WOLFSSL_LOCAL void wc_mldsa_extract_coeffs_eta4_avx2(const byte* z, - unsigned int zLen, sword32* s, unsigned int* cnt); - -WOLFSSL_LOCAL void wc_mldsa_vec_encode_eta_2_avx2(const sword32* s, byte d, - byte* p); -WOLFSSL_LOCAL void wc_mldsa_vec_encode_eta_4_avx2(const sword32* t, byte* p); -WOLFSSL_LOCAL void wc_mldsa_decode_eta_2_avx2(const byte* p, sword32* s); -WOLFSSL_LOCAL void wc_mldsa_decode_eta_4_avx2(const byte* p, sword32* s); - -WOLFSSL_LOCAL void wc_mldsa_encode_w1_88_avx2(const sword32* w1, byte* w1e); -WOLFSSL_LOCAL void wc_mldsa_encode_w1_32_avx2(const sword32* w1, byte* w1e); - -WOLFSSL_LOCAL void wc_mldsa_vec_encode_t0_t1_avx2(const sword32* t, byte d, - byte* t0, byte* t1); -WOLFSSL_LOCAL void wc_mldsa_decode_t0_avx2(const byte* t0, sword32* t); -WOLFSSL_LOCAL void wc_mldsa_decode_t1_avx2(const byte* t1, sword32* t); - -WOLFSSL_LOCAL void wc_mldsa_decode_gamma1_17_avx2(const byte* s, sword32* z); -WOLFSSL_LOCAL void wc_mldsa_decode_gamma1_19_avx2(const byte* s, sword32* z); -WOLFSSL_LOCAL void wc_mldsa_encode_gamma1_17_avx2(const sword32* z, byte* s); -WOLFSSL_LOCAL void wc_mldsa_encode_gamma1_19_avx2(const sword32* z, byte* s); - 
-WOLFSSL_LOCAL void wc_mldsa_decompose_q88_avx2(const sword32* r, sword32* r0, - sword32* r1); -WOLFSSL_LOCAL void wc_mldsa_decompose_q32_avx2(const sword32* r, byte k, - sword32* r0, sword32* r1); - -WOLFSSL_LOCAL void wc_mldsa_use_hint_88_avx2(sword32* w1, const byte* h); -WOLFSSL_LOCAL void wc_mldsa_use_hint_32_avx2(sword32* w1, byte k, - const byte* h); - -WOLFSSL_LOCAL int wc_mldsa_vec_check_low_avx2(const sword32* a, byte l, - sword32 hi); - -WOLFSSL_LOCAL void wc_mldsa_poly_add_avx2(sword32* r, const sword32* a); -WOLFSSL_LOCAL void wc_mldsa_poly_sub_avx2(sword32* r, const sword32* a); -WOLFSSL_LOCAL void wc_mldsa_poly_make_pos_avx2(sword32* a); +#if defined(WOLFSSL_MLDSA_SIGN_CHECK_W0) && !defined(WOLFSSL_DILITHIUM_SIGN_CHECK_W0) + #define WOLFSSL_DILITHIUM_SIGN_CHECK_W0 #endif - - -#define WC_ML_DSA_DRAFT 10 - -#define WC_ML_DSA_44 2 -#define WC_ML_DSA_65 3 -#define WC_ML_DSA_87 5 -#define WC_ML_DSA_44_DRAFT (2 + WC_ML_DSA_DRAFT) -#define WC_ML_DSA_65_DRAFT (3 + WC_ML_DSA_DRAFT) -#define WC_ML_DSA_87_DRAFT (5 + WC_ML_DSA_DRAFT) - -#define DILITHIUM_ML_DSA_44_KEY_SIZE 2560 -#define DILITHIUM_ML_DSA_44_SIG_SIZE 2420 -#define DILITHIUM_ML_DSA_44_PUB_KEY_SIZE 1312 -#define DILITHIUM_ML_DSA_44_PRV_KEY_SIZE \ - (DILITHIUM_ML_DSA_44_PUB_KEY_SIZE + DILITHIUM_ML_DSA_44_KEY_SIZE) - -#define DILITHIUM_ML_DSA_65_KEY_SIZE 4032 -#define DILITHIUM_ML_DSA_65_SIG_SIZE 3309 -#define DILITHIUM_ML_DSA_65_PUB_KEY_SIZE 1952 -#define DILITHIUM_ML_DSA_65_PRV_KEY_SIZE \ - (DILITHIUM_ML_DSA_65_PUB_KEY_SIZE + DILITHIUM_ML_DSA_65_KEY_SIZE) - -#define DILITHIUM_ML_DSA_87_KEY_SIZE 4896 -#define DILITHIUM_ML_DSA_87_SIG_SIZE 4627 -#define DILITHIUM_ML_DSA_87_PUB_KEY_SIZE 2592 -#define DILITHIUM_ML_DSA_87_PRV_KEY_SIZE \ - (DILITHIUM_ML_DSA_87_PUB_KEY_SIZE + DILITHIUM_ML_DSA_87_KEY_SIZE) - - -#define MlDsaKey dilithium_key - - -#define wc_MlDsaKey_Init(key, heap, devId) \ - wc_dilithium_init_ex(key, heap, devId) -#define wc_MlDsaKey_SetParams(key, id) \ - wc_dilithium_set_level(key, id) 
-#define wc_MlDsaKey_GetParams(key, id) \ - wc_dilithium_get_level(key, id) -#define wc_MlDsaKey_MakeKey(key, rng) \ - wc_dilithium_make_key(key, rng) -#define wc_MlDsaKey_ExportPrivRaw(key, out, outLen) \ - wc_dilithium_export_private_only(key, out, outLen) -#define wc_MlDsaKey_ImportPrivRaw(key, in, inLen) \ - wc_dilithium_import_private_only(in, inLen, key) -/* Legacy no-context sign alias: only available with WOLFSSL_DILITHIUM_NO_CTX. - * Prefer wc_MlDsaKey_SignCtx() with empty context for FIPS 204 compliance. */ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -#define wc_MlDsaKey_Sign(key, sig, sigSz, msg, msgSz, rng) \ - wc_dilithium_sign_msg(msg, msgSz, sig, sigSz, key, rng) -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ -#define wc_MlDsaKey_SignCtx(key, ctx, ctxSz, sig, sigSz, msg, msgSz, rng) \ - wc_dilithium_sign_ctx_msg(ctx, ctxSz, msg, msgSz, sig, sigSz, key, rng) -#define wc_MlDsaKey_SignCtxHash(key, ctx, ctxSz, sig, sigSz, hash, hashSz, \ - hashAlg, rng) \ - wc_dilithium_sign_ctx_hash(ctx, ctxSz, hashAlg, hash, hashSz, sig, sigSz, \ - key, rng) -#define wc_MlDsaKey_Free(key) \ - wc_dilithium_free(key) -#define wc_MlDsaKey_ExportPubRaw(key, out, outLen) \ - wc_dilithium_export_public(key, out, outLen) -#define wc_MlDsaKey_ImportPubRaw(key, in, inLen) \ - wc_dilithium_import_public(in, inLen, key) -/* Legacy no-context verify alias: only available with WOLFSSL_DILITHIUM_NO_CTX. - * Prefer wc_MlDsaKey_VerifyCtx() with empty context for FIPS 204 compliance. 
*/ -#ifdef WOLFSSL_DILITHIUM_NO_CTX -#define wc_MlDsaKey_Verify(key, sig, sigSz, msg, msgSz, res) \ - wc_dilithium_verify_msg(sig, sigSz, msg, msgSz, res, key) -#endif /* WOLFSSL_DILITHIUM_NO_CTX */ -#define wc_MlDsaKey_VerifyCtx(key, sig, sigSz, ctx, ctxSz, msg, msgSz, res) \ - wc_dilithium_verify_ctx_msg(sig, sigSz, ctx, ctxSz, msg, msgSz, res, key) -#define wc_MlDsaKey_VerifyCtxHash(key, sig, sigSz, ctx, ctxSz, hash, hashSz, \ - hashAlg, res) \ - wc_dilithium_verify_ctx_hash(sig, sigSz, ctx, ctxSz, hashAlg, hash, \ - hashSz, res, key) - -#define wc_MlDsaKey_PublicKeyToDer(key, output, len, withAlg) \ - wc_Dilithium_PublicKeyToDer(key, output, len, withAlg) - -#define wc_MlDsaKey_PrivateKeyToDer(key, output, len) \ - wc_Dilithium_PrivateKeyToDer(key, output, len) - -#define wc_MlDsaKey_PrivateKeyDecode(key, input, sz, idx) \ - wc_Dilithium_PrivateKeyDecode(input, idx, key, sz) -#define wc_MlDsaKey_PublicKeyDecode(key, input, sz, idx) \ - wc_Dilithium_PublicKeyDecode(input, idx, key, sz) - - -WOLFSSL_API int wc_MlDsaKey_GetPrivLen(MlDsaKey* key, int* len); -WOLFSSL_API int wc_MlDsaKey_GetPubLen(MlDsaKey* key, int* len); -WOLFSSL_API int wc_MlDsaKey_GetSigLen(MlDsaKey* key, int* len); - -#if !defined(WOLFSSL_DILITHIUM_NO_SIGN) || \ - !defined(WOLFSSL_DILITHIUM_NO_VERIFY) -#ifndef WOLFSSL_NO_ML_DSA_44 -WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_88(const sword32* w1, byte* w1e); +#if defined(WOLFSSL_MLDSA_SIGN_CHECK_Y) && !defined(WOLFSSL_DILITHIUM_SIGN_CHECK_Y) + #define WOLFSSL_DILITHIUM_SIGN_CHECK_Y #endif -#if !defined(WOLFSSL_NO_ML_DSA_65) || !defined(WOLFSSL_NO_ML_DSA_87) -WOLFSSL_TEST_VIS void wc_dilithium_encode_w1_32(const sword32* w1, byte* w1e); +#if defined(WOLFSSL_MLDSA_CHECK_KEY) && !defined(WOLFSSL_DILITHIUM_CHECK_KEY) + #define WOLFSSL_DILITHIUM_CHECK_KEY +#endif +#if defined(WOLFSSL_MLDSA_NO_CHECK_KEY) && !defined(WOLFSSL_DILITHIUM_NO_CHECK_KEY) + #define WOLFSSL_DILITHIUM_NO_CHECK_KEY +#endif +#if defined(WOLFSSL_MLDSA_PUBLIC_KEY) && 
!defined(WOLFSSL_DILITHIUM_PUBLIC_KEY) + #define WOLFSSL_DILITHIUM_PUBLIC_KEY +#endif +#if defined(WOLFSSL_MLDSA_PRIVATE_KEY) && !defined(WOLFSSL_DILITHIUM_PRIVATE_KEY) + #define WOLFSSL_DILITHIUM_PRIVATE_KEY +#endif +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) && !defined(WOLFSSL_DILITHIUM_DYNAMIC_KEYS) + #define WOLFSSL_DILITHIUM_DYNAMIC_KEYS +#endif +#if defined(WOLFSSL_MLDSA_ASSIGN_KEY) && !defined(WOLFSSL_DILITHIUM_ASSIGN_KEY) + #define WOLFSSL_DILITHIUM_ASSIGN_KEY +#endif +#if defined(WOLFSSL_MLDSA_ALIGNMENT) && !defined(WOLFSSL_DILITHIUM_ALIGNMENT) + #define WOLFSSL_DILITHIUM_ALIGNMENT WOLFSSL_MLDSA_ALIGNMENT +#endif +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) && !defined(WOLFSSL_DILITHIUM_FIPS204_DRAFT) + #define WOLFSSL_DILITHIUM_FIPS204_DRAFT +#endif +#if defined(WOLFSSL_MLDSA_REVERSE_HASH_OID) && !defined(WOLFSSL_DILITHIUM_REVERSE_HASH_OID) + #define WOLFSSL_DILITHIUM_REVERSE_HASH_OID +#endif +#if defined(WC_MLDSA_CACHE_MATRIX_A) && !defined(WC_DILITHIUM_CACHE_MATRIX_A) + #define WC_DILITHIUM_CACHE_MATRIX_A +#endif +#if defined(WC_MLDSA_CACHE_PRIV_VECTORS) && !defined(WC_DILITHIUM_CACHE_PRIV_VECTORS) + #define WC_DILITHIUM_CACHE_PRIV_VECTORS #endif +#if defined(WC_MLDSA_CACHE_PUB_VECTORS) && !defined(WC_DILITHIUM_CACHE_PUB_VECTORS) + #define WC_DILITHIUM_CACHE_PUB_VECTORS #endif +#if defined(WC_MLDSA_FIXED_ARRAY) && !defined(WC_DILITHIUM_FIXED_ARRAY) + #define WC_DILITHIUM_FIXED_ARRAY +#endif +#endif /* !WOLFSSL_NO_DILITHIUM_LEGACY_GATES */ + +#if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_NO_DILITHIUM_LEGACY_NAMES) -#ifdef __cplusplus - } /* extern "C" */ +/* Legacy type aliases. WC_DILITHIUMKEY_TYPE_DEFINED is set so that + * does not emit its own + * `typedef struct MlDsaKey dilithium_key;` (which would expand under this + * macro alias to `typedef struct MlDsaKey MlDsaKey;` -- a typedef + * redefinition that strict C99 / older MSVC reject as a constraint + * violation). 
*/ +#define dilithium_key MlDsaKey +#ifndef WC_DILITHIUMKEY_TYPE_DEFINED + #define WC_DILITHIUMKEY_TYPE_DEFINED #endif +#define wc_dilithium_params MlDsaParams + +/* Legacy function aliases - simple symbol redirects. Signature is unchanged + * vs the canonical name, so a #define is sufficient: call sites and `&name` + * expressions both expand token-wise to the canonical symbol. Note that + * `&wc_dilithium_make_key` therefore yields the address of + * wc_MlDsaKey_MakeKey, NOT a distinct legacy export - consumers using + * dlsym() or callback tables that key off the legacy spelling will see the + * canonical name in the resulting pointer. */ +#define wc_dilithium_init_ex wc_MlDsaKey_Init +#define wc_dilithium_init_id wc_MlDsaKey_InitId +#define wc_dilithium_init_label wc_MlDsaKey_InitLabel +#define wc_dilithium_new wc_MlDsaKey_New +#define wc_dilithium_delete wc_MlDsaKey_Delete +#define wc_dilithium_free wc_MlDsaKey_Free +#define wc_dilithium_set_level wc_MlDsaKey_SetParams +#define wc_dilithium_get_level wc_MlDsaKey_GetParams +#define wc_dilithium_make_key wc_MlDsaKey_MakeKey +#define wc_dilithium_make_key_from_seed wc_MlDsaKey_MakeKeyFromSeed +#define wc_dilithium_size wc_MlDsaKey_Size +#define wc_dilithium_priv_size wc_MlDsaKey_PrivSize +#define wc_dilithium_pub_size wc_MlDsaKey_PubSize +#define wc_dilithium_sig_size wc_MlDsaKey_SigSize +#define wc_dilithium_check_key wc_MlDsaKey_CheckKey +#define wc_dilithium_export_public wc_MlDsaKey_ExportPubRaw +#define wc_dilithium_export_private wc_MlDsaKey_ExportPrivRaw +#define wc_dilithium_export_private_only wc_MlDsaKey_ExportPrivRaw +#define wc_dilithium_export_key wc_MlDsaKey_ExportKey +#define wc_Dilithium_PublicKeyToDer wc_MlDsaKey_PublicKeyToDer +#define wc_Dilithium_PrivateKeyToDer wc_MlDsaKey_PrivateKeyToDer +#define wc_Dilithium_KeyToDer wc_MlDsaKey_KeyToDer + +/* Legacy default-args / arg-reorder wrappers. 
The legacy form takes the key + * pointer last (or near last); the FIPS 204 / ML-KEM convention used by the + * canonical wc_MlDsaKey_* names puts the key first. The wrappers below are + * static inline functions (rather than function-like macros) so that + * (a) `&wc_dilithium_init`-style address-of expressions remain valid in + * source (they yield the inline wrapper's address - note this is a + * translation-unit-local symbol, not the previously-exported library + * symbol) and (b) each wrapper preserves the legacy signature byte-for-byte. + * Each wrapper is gated to match its canonical target's gating so + * unused-on-this-build wrappers don't reference undeclared symbols. */ + +#ifdef __GNUC__ + /* Suppress -Wunused-function for translation units that don't call every + * legacy wrapper. */ + #define WOLFSSL_DILITHIUM_LEGACY_INLINE static __inline__ \ + __attribute__((unused, always_inline)) +#else + #define WOLFSSL_DILITHIUM_LEGACY_INLINE static WC_INLINE +#endif + +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_init(MlDsaKey* key) { + return wc_MlDsaKey_Init(key, NULL, INVALID_DEVID); +} + +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_import_public(const byte* in, word32 inLen, MlDsaKey* key) { + return wc_MlDsaKey_ImportPubRaw(key, in, inLen); +} +#endif + +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_import_private(const byte* priv, word32 privSz, MlDsaKey* key) { + return wc_MlDsaKey_ImportPrivRaw(key, priv, privSz); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_import_private_only(const byte* in, word32 inLen, MlDsaKey* key) { + return wc_MlDsaKey_ImportPrivRaw(key, in, inLen); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_import_key(const byte* priv, word32 privSz, const byte* pub, + word32 pubSz, MlDsaKey* key) { + return wc_MlDsaKey_ImportKey(key, priv, privSz, pub, pubSz); +} +#endif /* WOLFSSL_MLDSA_PRIVATE_KEY */ + +#ifndef WOLFSSL_MLDSA_VERIFY_ONLY 
+#ifdef WOLFSSL_MLDSA_NO_CTX +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_msg(const byte* msg, word32 msgLen, byte* sig, + word32* sigLen, MlDsaKey* key, WC_RNG* rng) { + return wc_MlDsaKey_Sign(key, sig, sigLen, msg, msgLen, rng); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_msg_with_seed(const byte* msg, word32 msgLen, byte* sig, + word32* sigLen, MlDsaKey* key, + const byte* seed) { + return wc_MlDsaKey_SignWithSeed(key, sig, sigLen, msg, msgLen, seed); +} +#endif /* WOLFSSL_MLDSA_NO_CTX */ +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_ctx_msg(const byte* ctx, byte ctxLen, const byte* msg, + word32 msgLen, byte* sig, word32* sigLen, + MlDsaKey* key, WC_RNG* rng) { + return wc_MlDsaKey_SignCtx(key, ctx, ctxLen, sig, sigLen, msg, msgLen, rng); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_ctx_hash(const byte* ctx, byte ctxLen, int hashAlg, + const byte* hash, word32 hashLen, byte* sig, + word32* sigLen, MlDsaKey* key, WC_RNG* rng) { + return wc_MlDsaKey_SignCtxHash(key, ctx, ctxLen, sig, sigLen, hash, + hashLen, hashAlg, rng); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_ctx_msg_with_seed(const byte* ctx, byte ctxLen, + const byte* msg, word32 msgLen, + byte* sig, word32* sigLen, + MlDsaKey* key, const byte* seed) { + return wc_MlDsaKey_SignCtxWithSeed(key, ctx, ctxLen, sig, sigLen, msg, + msgLen, seed); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_ctx_hash_with_seed(const byte* ctx, byte ctxLen, + int hashAlg, const byte* hash, + word32 hashLen, byte* sig, + word32* sigLen, MlDsaKey* key, + const byte* seed) { + return wc_MlDsaKey_SignCtxHashWithSeed(key, ctx, ctxLen, sig, sigLen, + hash, hashLen, hashAlg, seed); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_sign_mu_with_seed(const byte* mu, word32 muLen, byte* sig, + word32* sigLen, MlDsaKey* key, + const byte* seed) { + return wc_MlDsaKey_SignMuWithSeed(key, sig, sigLen, mu, muLen, seed); +} +#endif /* !WOLFSSL_MLDSA_VERIFY_ONLY 
*/ + +#ifdef WOLFSSL_MLDSA_NO_CTX +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_verify_msg(const byte* sig, word32 sigLen, const byte* msg, + word32 msgLen, int* res, MlDsaKey* key) { + return wc_MlDsaKey_Verify(key, sig, sigLen, msg, msgLen, res); +} +#endif /* WOLFSSL_MLDSA_NO_CTX */ +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_verify_ctx_msg(const byte* sig, word32 sigLen, const byte* ctx, + byte ctxLen, const byte* msg, word32 msgLen, + int* res, MlDsaKey* key) { + return wc_MlDsaKey_VerifyCtx(key, sig, sigLen, ctx, ctxLen, msg, msgLen, + res); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_verify_ctx_hash(const byte* sig, word32 sigLen, const byte* ctx, + byte ctxLen, int hashAlg, const byte* hash, + word32 hashLen, int* res, MlDsaKey* key) { + return wc_MlDsaKey_VerifyCtxHash(key, sig, sigLen, ctx, ctxLen, hash, + hashLen, hashAlg, res); +} +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_dilithium_verify_mu(const byte* sig, word32 sigLen, const byte* mu, + word32 muLen, int* res, MlDsaKey* key) { + return wc_MlDsaKey_VerifyMu(key, sig, sigLen, mu, muLen, res); +} + +#ifndef WOLFSSL_MLDSA_NO_ASN1 +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_Dilithium_PrivateKeyDecode(const byte* input, word32* inOutIdx, + MlDsaKey* key, word32 inSz) { + return wc_MlDsaKey_PrivateKeyDecode(key, input, inSz, inOutIdx); +} +#endif +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +WOLFSSL_DILITHIUM_LEGACY_INLINE +int wc_Dilithium_PublicKeyDecode(const byte* input, word32* inOutIdx, + MlDsaKey* key, word32 inSz) { + return wc_MlDsaKey_PublicKeyDecode(key, input, inSz, inOutIdx); +} +#endif +#endif /* !WOLFSSL_MLDSA_NO_ASN1 */ + +/* Internal-helper aliases. 
These cover symbols that are *not* part of the + * public API (WOLFSSL_LOCAL `mldsa_get_oid_sum` and WOLFSSL_TEST_VIS + * `wc_mldsa_encode_w1_*`); they exist only to keep the unmigrated in-tree + * consumers building through this shim (src/ssl_load.c for + * `dilithium_get_oid_sum`, tests/api/test_mldsa.c for the encoders). + * Application code must not rely on them. These aliases live and die with + * the rest of the shim and will be removed when it is. */ +#define dilithium_get_oid_sum mldsa_get_oid_sum +#define wc_dilithium_encode_w1_88 wc_mldsa_encode_w1_88 +#define wc_dilithium_encode_w1_32 wc_mldsa_encode_w1_32 + +#endif /* WOLFSSL_HAVE_MLDSA && !WOLFSSL_NO_DILITHIUM_LEGACY_NAMES */ -#endif /* HAVE_DILITHIUM */ #endif /* WOLF_CRYPT_DILITHIUM_H */ diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 76cb6e90e77..9635e1a6cfd 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -76,6 +76,7 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/siphash.h \ wolfssl/wolfcrypt/cpuid.h \ wolfssl/wolfcrypt/cryptocb.h \ + wolfssl/wolfcrypt/wc_mldsa.h \ wolfssl/wolfcrypt/wc_mlkem.h \ wolfssl/wolfcrypt/sm2.h \ wolfssl/wolfcrypt/sm3.h \ diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index 1ea303a4e11..341cdf3e87c 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -133,15 +133,8 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, #ifndef LARGEST_MEM_BUCKET #ifndef SESSION_CERTS - #ifdef HAVE_DILITHIUM - #if defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - #define LARGEST_MEM_BUCKET 14000 /* Dilithium low mem */ - #else - #define LARGEST_MEM_BUCKET 131072 /* Dilithium full mem */ - #endif + #ifdef WOLFSSL_HAVE_MLDSA + #define LARGEST_MEM_BUCKET 131072 #else #define LARGEST_MEM_BUCKET 16128 #endif 
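Review bot: The low-memory sizing branch is dropped here rather than renamed: with `WOLFSSL_HAVE_MLDSA` set, `LARGEST_MEM_BUCKET` is now always 131072, where a build that defined the verify-only gate and the three small-mem gates previously got 14000. The same removal recurs in the `WOLFMEM_BUCKETS` and `WOLFMEM_DIST` hunks that follow. For static-memory users on constrained targets this silently raises the pool size the defaults assume, and nothing at build time flags the change. If the removal is forced by include order (the sub-gate translations appear to live in dilithium.h, which may not be seen before memory.h; that cannot be verified from this hunk), I would keep the old conditional on the legacy spellings. Failing that, document the change next to the define, e.g. `/* ML-DSA small-mem bucket profile removed; verify-only builds must override LARGEST_MEM_BUCKET, WOLFMEM_BUCKETS and WOLFMEM_DIST */`.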
@@ -162,19 +155,10 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, #ifndef WOLFMEM_BUCKETS #ifndef SESSION_CERTS - #ifdef HAVE_DILITHIUM - #if defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - /* default size of chunks of memory to separate into */ - #define WOLFMEM_BUCKETS 64,128,256,512,1024,2048,4096,\ - 8192,LARGEST_MEM_BUCKET - #else - /* default size of chunks of memory to separate into */ - #define WOLFMEM_BUCKETS 64,128,256,512,1024,8192,32768,\ - 65536,LARGEST_MEM_BUCKET - #endif + #ifdef WOLFSSL_HAVE_MLDSA + /* default size of chunks of memory to separate into */ + #define WOLFMEM_BUCKETS 64,128,256,512,1024,8192,32768,\ + 65536,LARGEST_MEM_BUCKET #elif defined(WOLFSSL_HAVE_MLKEM) /* extra storage in structs for multiple attributes and order */ #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,4096,8192,\ @@ -204,15 +188,8 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb* mf, #endif #ifndef WOLFMEM_DIST - #ifdef HAVE_DILITHIUM - #if defined(WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_SIGN_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM) && \ - defined(WOLFSSL_DILITHIUM_VERIFY_ONLY) - #define WOLFMEM_DIST 20,8,6,10,8,6,4,2,1 - #else - #define WOLFMEM_DIST 30,10,8,15,8,10,8,5,1 - #endif + #ifdef WOLFSSL_HAVE_MLDSA + #define WOLFMEM_DIST 30,10,8,15,8,10,8,5,1 #elif defined(WOLFSSL_HAVE_MLKEM) #define WOLFMEM_DIST 49,10,6,14,5,6,14,1,1 #elif !defined(WOLFSSL_STATIC_MEMORY_SMALL) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index f055121a304..fe1eaa035a9 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h 
@@ -380,6 +380,54 @@ #endif #endif +/* Forward propagation of the legacy parent gate to the canonical name + * (HAVE_DILITHIUM -> WOLFSSL_HAVE_MLDSA). Always active: required so that + * a user_settings.h or build flag using only the legacy spelling still + * compiles the canonical implementation file (wc_mldsa.c) and the + * conditional declarations in wc_mldsa.h. */ +#ifdef HAVE_DILITHIUM + #ifndef WOLFSSL_HAVE_MLDSA + #define WOLFSSL_HAVE_MLDSA + #endif +#endif + +/* Forward propagation of the legacy ML-DSA sub-config gates that are + * read by - the file is auto-generated by + * gencertbuf.pl with zero #include directives, so a TU can pull it in + * (transitively, via etc.) without ever including + * dilithium.h. The remaining ML-DSA sub-gates are read only from + * wc_mldsa.h / wc_mldsa.c, both of which transitively pull in + * dilithium.h first; their forward translations live there. + * Suppressible by defining WOLFSSL_NO_DILITHIUM_LEGACY_GATES. */ +#ifndef WOLFSSL_NO_DILITHIUM_LEGACY_GATES + #ifdef WOLFSSL_DILITHIUM_NO_SIGN + #ifndef WOLFSSL_MLDSA_NO_SIGN + #define WOLFSSL_MLDSA_NO_SIGN + #endif + #endif + #ifdef WOLFSSL_DILITHIUM_NO_VERIFY + #ifndef WOLFSSL_MLDSA_NO_VERIFY + #define WOLFSSL_MLDSA_NO_VERIFY + #endif + #endif +#endif /* !WOLFSSL_NO_DILITHIUM_LEGACY_GATES */ + +/* Reverse propagation (WOLFSSL_HAVE_MLDSA -> HAVE_DILITHIUM). Active by + * default, suppressible via WOLFSSL_NO_DILITHIUM_LEGACY_GATES. + * Required so that and + * (which gate their transitive include of + * on HAVE_DILITHIUM), and unmigrated + * consumer code that #ifdef-gates on HAVE_DILITHIUM, keep working when + * the user enabled ML-DSA via the canonical name only. The reverse arm + * of the sub-config gate translations lives in + * alongside the legacy macro / inline + * shims; that header is reachable through HAVE_DILITHIUM whenever the + * canonical gate is set. 
*/ +#if defined(WOLFSSL_HAVE_MLDSA) && !defined(HAVE_DILITHIUM) && \ + !defined(WOLFSSL_NO_DILITHIUM_LEGACY_GATES) + #define HAVE_DILITHIUM +#endif + /* Ensure WOLFSSL_DEBUG_CERTS is set when DEBUG_WOLFSSL is enabled, unless * expressly requested otherwise. */ diff --git a/wolfssl/wolfcrypt/wc_mldsa.h b/wolfssl/wolfcrypt/wc_mldsa.h new file mode 100644 index 00000000000..564084f7649 --- /dev/null +++ b/wolfssl/wolfcrypt/wc_mldsa.h 
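Review bot: Defining `WOLFSSL_NO_DILITHIUM_LEGACY_GATES` while a legacy sub-gate is still set leaves the build silently misconfigured. The `HAVE_DILITHIUM` -> `WOLFSSL_HAVE_MLDSA` mapping at the top of the hunk is always active, but `WOLFSSL_DILITHIUM_NO_SIGN` and `WOLFSSL_DILITHIUM_NO_VERIFY` are then ignored, so code the integrator meant to compile out is built in. I would make that a build failure by adding an arm before `#endif /* !WOLFSSL_NO_DILITHIUM_LEGACY_GATES */`: `#elif defined(WOLFSSL_DILITHIUM_NO_SIGN) || defined(WOLFSSL_DILITHIUM_NO_VERIFY)` followed by `#error "legacy WOLFSSL_DILITHIUM_* gate set with WOLFSSL_NO_DILITHIUM_LEGACY_GATES"`. The same presumably applies to the sub-gates translated in dilithium.h, including hardening gates such as `WOLFSSL_DILITHIUM_SIGN_CHECK_W0`, but that forward arm is outside this hunk.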
@@ -0,0 +1,1025 @@ +/* wc_mldsa.h + * + * Copyright (C) 2006-2026 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +/*! + \file wolfssl/wolfcrypt/wc_mldsa.h +*/ + +/* Interfaces for ML-DSA (FIPS 204), the NIST-standardized form of the + * post-quantum signature algorithm formerly known as Dilithium. + * + * This header declares the canonical MlDsaKey / wc_MlDsaKey_* API. New + * code must include this header directly. + * + * Backwards-compatibility for the pre-standardization names is delivered + * by a single TEMPORARY shim, , that will + * be removed in a future release. The shim provides: + * + * - Bi-directional propagation of the legacy / canonical sub-config + * build-gate names (WOLFSSL_DILITHIUM_* <-> WOLFSSL_MLDSA_*, + * WC_DILITHIUM_* <-> WC_MLDSA_*). Suppressible by defining + * WOLFSSL_NO_DILITHIUM_LEGACY_GATES. The parent gate + * (HAVE_DILITHIUM <-> WOLFSSL_HAVE_MLDSA) is mapped earlier in + * and is always active. + * + * - Macro / static-inline aliases for the legacy type and function + * names (dilithium_key, wc_dilithium_params, wc_dilithium_*, + * wc_Dilithium_*). Suppressible by defining + * WOLFSSL_NO_DILITHIUM_LEGACY_NAMES. 
*/ + +#ifndef WOLF_CRYPT_WC_MLDSA_H +#define WOLF_CRYPT_WC_MLDSA_H + +#include + +#ifdef WOLF_CRYPTO_CB + #include +#endif + +#if defined(WOLFSSL_HAVE_MLDSA) + +#if defined(WOLFSSL_MLDSA_NO_MAKE_KEY) && \ + defined(WOLFSSL_MLDSA_NO_SIGN) && \ + !defined(WOLFSSL_MLDSA_NO_VERIFY) && \ + !defined(WOLFSSL_MLDSA_VERIFY_ONLY) + #define WOLFSSL_MLDSA_VERIFY_ONLY +#endif +#ifdef WOLFSSL_MLDSA_VERIFY_ONLY + #ifndef WOLFSSL_MLDSA_NO_MAKE_KEY + #define WOLFSSL_MLDSA_NO_MAKE_KEY + #endif + #ifndef WOLFSSL_MLDSA_NO_SIGN + #define WOLFSSL_MLDSA_NO_SIGN + #endif +#endif + +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + !defined(WOLFSSL_MLDSA_NO_VERIFY) + #define WOLFSSL_MLDSA_PUBLIC_KEY +#endif +#if !defined(WOLFSSL_MLDSA_NO_MAKE_KEY) || \ + !defined(WOLFSSL_MLDSA_NO_SIGN) + #define WOLFSSL_MLDSA_PRIVATE_KEY +#endif + +#if defined(WOLFSSL_MLDSA_PUBLIC_KEY) && \ + defined(WOLFSSL_MLDSA_PRIVATE_KEY) && \ + !defined(WOLFSSL_MLDSA_NO_CHECK_KEY) && \ + !defined(WOLFSSL_MLDSA_CHECK_KEY) + #define WOLFSSL_MLDSA_CHECK_KEY +#endif + +#include +#ifndef WOLFSSL_MLDSA_VERIFY_ONLY + #include +#endif + +#if defined(WC_MLDSA_CACHE_PRIV_VECTORS) && \ + !defined(WC_MLDSA_CACHE_MATRIX_A) + #define WC_MLDSA_CACHE_MATRIX_A +#endif +#if defined(WC_MLDSA_CACHE_PUB_VECTORS) && \ + !defined(WC_MLDSA_CACHE_MATRIX_A) + #define WC_MLDSA_CACHE_MATRIX_A +#endif + +#ifdef __cplusplus + extern "C" { +#endif + +/* Macros Definitions */ + +#ifndef WOLFSSL_MLDSA_ALIGNMENT + #if defined(__arch64__) + #define WOLFSSL_MLDSA_ALIGNMENT 8 + #elif defined(__arm__) + #define WOLFSSL_MLDSA_ALIGNMENT 4 + #elif !defined(WOLFSSL_AESNI) && defined(WOLFSSL_GENERAL_ALIGNMENT) + #define WOLFSSL_MLDSA_ALIGNMENT WOLFSSL_GENERAL_ALIGNMENT + #else + #define WOLFSSL_MLDSA_ALIGNMENT 8 + #endif +#endif /* WOLFSSL_MLDSA_ALIGNMENT */ + +#define DILITHIUM_LEVEL2_KEY_SIZE 2560 +#define DILITHIUM_LEVEL2_SIG_SIZE 2420 +#define DILITHIUM_LEVEL2_PUB_KEY_SIZE 1312 +#define DILITHIUM_LEVEL2_PRV_KEY_SIZE \ + (DILITHIUM_LEVEL2_PUB_KEY_SIZE + 
DILITHIUM_LEVEL2_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE 1334 +#define DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE 2588 +#define DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE 3904 +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE 5344 + +#define DILITHIUM_LEVEL3_KEY_SIZE 4032 +#define DILITHIUM_LEVEL3_SIG_SIZE 3309 +#define DILITHIUM_LEVEL3_PUB_KEY_SIZE 1952 +#define DILITHIUM_LEVEL3_PRV_KEY_SIZE \ + (DILITHIUM_LEVEL3_PUB_KEY_SIZE + DILITHIUM_LEVEL3_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE 1974 +#define DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE 4060 +#define DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE 6016 +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE 8204 + +#define DILITHIUM_LEVEL5_KEY_SIZE 4896 +#define DILITHIUM_LEVEL5_SIG_SIZE 4627 +#define DILITHIUM_LEVEL5_PUB_KEY_SIZE 2592 +#define DILITHIUM_LEVEL5_PRV_KEY_SIZE \ + (DILITHIUM_LEVEL5_PUB_KEY_SIZE + DILITHIUM_LEVEL5_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE 2614 +#define DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE 4924 +#define DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE 7520 +/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and + * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ +#define DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE 10267 + +#define ML_DSA_LEVEL2_KEY_SIZE 2560 +#define ML_DSA_LEVEL2_SIG_SIZE 2420 +#define ML_DSA_LEVEL2_PUB_KEY_SIZE 1312 +#define ML_DSA_LEVEL2_PRV_KEY_SIZE \ + (ML_DSA_LEVEL2_PUB_KEY_SIZE + ML_DSA_LEVEL2_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define ML_DSA_LEVEL2_PUB_KEY_DER_SIZE DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE +#define 
ML_DSA_LEVEL2_PRV_KEY_DER_SIZE DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE +#define ML_DSA_LEVEL2_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define ML_DSA_LEVEL2_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE + +#define ML_DSA_LEVEL3_KEY_SIZE 4032 +#define ML_DSA_LEVEL3_SIG_SIZE 3309 +#define ML_DSA_LEVEL3_PUB_KEY_SIZE 1952 +#define ML_DSA_LEVEL3_PRV_KEY_SIZE \ + (ML_DSA_LEVEL3_PUB_KEY_SIZE + ML_DSA_LEVEL3_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define ML_DSA_LEVEL3_PUB_KEY_DER_SIZE DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE +#define ML_DSA_LEVEL3_PRV_KEY_DER_SIZE DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE +#define ML_DSA_LEVEL3_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define ML_DSA_LEVEL3_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE + +#define ML_DSA_LEVEL5_KEY_SIZE 4896 +#define ML_DSA_LEVEL5_SIG_SIZE 4627 +#define ML_DSA_LEVEL5_PUB_KEY_SIZE 2592 +#define ML_DSA_LEVEL5_PRV_KEY_SIZE \ + (ML_DSA_LEVEL5_PUB_KEY_SIZE + ML_DSA_LEVEL5_KEY_SIZE) +/* Buffer sizes large enough to store exported DER encoded keys */ +#define ML_DSA_LEVEL5_PUB_KEY_DER_SIZE DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE +#define ML_DSA_LEVEL5_PRV_KEY_DER_SIZE DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE +#define ML_DSA_LEVEL5_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and + * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ +#define ML_DSA_LEVEL5_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE + + + +/* Modulus. */ +#define DILITHIUM_Q 0x7fe001 +/* Number of bits in modulus. */ +#define DILITHIUM_Q_BITS 23 +/* Number of elements in polynomial. */ +#define DILITHIUM_N 256 +#define MLDSA_N 256 + +/* Number of dropped bits. 
*/ +#define DILITHIUM_D 13 +/* Maximum value of dropped bits. */ +#define DILITHIUM_D_MAX ((sword32)1 << DILITHIUM_D) +/* Half maximum value. */ +#define DILITHIUM_D_MAX_HALF ((sword32)1 << (DILITHIUM_D - 1)) +/* Number of undropped bits. */ +#define DILITHIUM_U (DILITHIUM_Q_BITS - DILITHIUM_D) + +/* Bits in coefficient range of y, GAMMA1, of 2^17 is 17. */ +#define DILITHIUM_GAMMA1_BITS_17 17 +/* Coefficient range of y, GAMMA1, of 2^17. */ +#define DILITHIUM_GAMMA1_17 ((sword32)1 << 17) +/* # encoding bits of y is GAMMA1 + 1. */ +#define DILITHIUM_GAMMA1_17_ENC_BITS 18 +/* Coefficient range of y, GAMMA1, of 2^17. */ +/* Bits in coefficient range of y, GAMMA1, of 2^19 is 19. */ +#define DILITHIUM_GAMMA1_BITS_19 19 +/* Coefficient range of y, GAMMA1, of 2^19. */ +#define DILITHIUM_GAMMA1_19 ((sword32)1 << 19) +/* # encoding bits of y is GAMMA1 + 1. */ +#define DILITHIUM_GAMMA1_19_ENC_BITS 20 + +/* Low-order rounding range, GAMMA2, is Q divided by 88. */ +#define DILITHIUM_Q_LOW_88 ((DILITHIUM_Q - 1) / 88) +/* Absolute low-order rounding range, GAMMA2, is Q divided by 88. */ +#define DILITHIUM_Q_LOW_88_2 (((DILITHIUM_Q - 1) / 88) * 2) +/* # encoding bits of w1 when range is 88. */ +#define DILITHIUM_Q_HI_88_ENC_BITS 6 +/* Low-order rounding range, GAMMA2, is Q divided by 32. */ +#define DILITHIUM_Q_LOW_32 ((DILITHIUM_Q - 1) / 32) +/* Absolute low-order rounding range, GAMMA2, is Q divided by 32. */ +#define DILITHIUM_Q_LOW_32_2 (((DILITHIUM_Q - 1) / 32) * 2) +/* # encoding bits of w1 when range is 32. */ +#define DILITHIUM_Q_HI_32_ENC_BITS 4 + +/* Private key range, eta, of 2. */ +#define DILITHIUM_ETA_2 2 +/* Bits needed to encode values in range -2..2 as a positive number. */ +#define DILITHIUM_ETA_2_BITS 3 +/* Extract count of valid values. */ +#define DILITHIUM_ETA_2_MOD 15 +/* Private key range, eta, of 4. */ +#define DILITHIUM_ETA_4 4 +/* Bits needed to encode values in range -4..4 as a positive number. 
*/ +#define DILITHIUM_ETA_4_BITS 4 +/* Extract count of valid values. */ +#define DILITHIUM_ETA_4_MOD 9 + +/* Number of bytes in a polynomial in memory. */ +#define DILITHIUM_POLY_SIZE (DILITHIUM_N * sizeof(sword32)) + +#ifndef WOLFSSL_NO_ML_DSA_44 + +/* Fist dimension of A, k, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_K 4 +/* Second dimension of A, l, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_L 4 +/* Private key range, ETA, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_ETA DILITHIUM_ETA_2 +/* Number of bits in private key for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_ETA_BITS DILITHIUM_ETA_2_BITS +/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_LAMBDA 128 +/* # +/-1's in polynomial c, TAU, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_TAU 39 +/* BETA = TAU * ETA for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_BETA \ +(PARAMS_ML_DSA_44_TAU * PARAMS_ML_DSA_44_ETA) +/* Max # 1's in the hint h, OMEGA, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_OMEGA 80 +/* Bits in coefficient range of y, GAMMA1, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_17 +/* Ccoefficient range of y, GAMMA1, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_GAMMA1 \ + ((sword32)1 << PARAMS_ML_DSA_44_GAMMA1_BITS) +/* Low-order rounding range, GAMMA2, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_GAMMA2 DILITHIUM_Q_LOW_88 +/* Bits in high-order rounding range, GAMMA2, for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_GAMMA2_HI_BITS 6 +/* Encoding size of w1 in bytes for ML-DSA-44. + * K * N / 8 * 6 - 6 bits as max value is 43 in high bits. */ +#define PARAMS_ML_DSA_44_W1_ENC_SZ \ + (PARAMS_ML_DSA_44_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_44_GAMMA2_HI_BITS) +/* Size of memory used for matrix a in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_A_SIZE \ + (PARAMS_ML_DSA_44_K * PARAMS_ML_DSA_44_L * DILITHIUM_POLY_SIZE) +/* Size of memory used for vector s1 in bytes for ML-DSA-44. 
*/ +#define PARAMS_ML_DSA_44_S1_SIZE \ + (PARAMS_ML_DSA_44_L * DILITHIUM_POLY_SIZE) +/* Encoding size of s1 in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_S1_ENC_SIZE \ + (PARAMS_ML_DSA_44_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_44_ETA_BITS / 8) +/* Size of memory used for vector s2 in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_S2_SIZE \ + (PARAMS_ML_DSA_44_K * DILITHIUM_POLY_SIZE) +/* Encoding size of s2 in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_S2_ENC_SIZE \ + (PARAMS_ML_DSA_44_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_44_ETA_BITS / 8) +/* Encoding size of z in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_Z_ENC_SIZE \ + (PARAMS_ML_DSA_44_S1_SIZE / sizeof(sword32) / 8 * \ + (PARAMS_ML_DSA_44_GAMMA1_BITS + 1)) +/* Encoding size of public key in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_PK_SIZE \ + (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_44_K * DILITHIUM_N * DILITHIUM_U / 8) +/* Encoding size of signature in bytes for ML-DSA-44. */ +#define PARAMS_ML_DSA_44_SIG_SIZE \ + ((PARAMS_ML_DSA_44_LAMBDA / 4) + \ + PARAMS_ML_DSA_44_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_44_GAMMA1_BITS + 1) + \ + PARAMS_ML_DSA_44_OMEGA + PARAMS_ML_DSA_44_K) + +#endif /* WOLFSSL_NO_ML_DSA_44 */ + +#ifndef WOLFSSL_NO_ML_DSA_65 + +/* Fist dimension of A, k, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_K 6 +/* Second dimension of A, l, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_L 5 +/* Private key range, ETA, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_ETA DILITHIUM_ETA_4 +/* Number of bits in private key for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_ETA_BITS DILITHIUM_ETA_4_BITS +/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_LAMBDA 192 +/* # +/-1's in polynomial c, TAU, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_TAU 49 +/* BETA = TAU * ETA for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_BETA \ + (PARAMS_ML_DSA_65_TAU * PARAMS_ML_DSA_65_ETA) +/* Max # 1's in the hint h, OMEGA, for ML-DSA-65. 
*/ +#define PARAMS_ML_DSA_65_OMEGA 55 +/* Bits in coefficient range of y, GAMMA1, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_19 +/* Coefficient range of y, GAMMA1, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_GAMMA1 \ + ((sword32)1 << PARAMS_ML_DSA_65_GAMMA1_BITS) +/* Low-order rounding range, GAMMA2, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_GAMMA2 DILITHIUM_Q_LOW_32 +/* Bits in high-order rounding range, GAMMA2, for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_GAMMA2_HI_BITS 4 +/* Encoding size of w1 in bytes for ML-DSA-65. + * K * N / 8 * 4 - 4 bits as max value is 15 in high bits. */ +#define PARAMS_ML_DSA_65_W1_ENC_SZ \ + (PARAMS_ML_DSA_65_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_65_GAMMA2_HI_BITS) +/* Size of memory used for matrix a in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_A_SIZE \ + (PARAMS_ML_DSA_65_K * PARAMS_ML_DSA_65_L * DILITHIUM_POLY_SIZE) +/* Size of memory used for vector s1 in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_S1_SIZE \ + (PARAMS_ML_DSA_65_L * DILITHIUM_POLY_SIZE) +/* Encoding size of s1 in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_S1_ENC_SIZE \ + (PARAMS_ML_DSA_65_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_65_ETA_BITS / 8) +/* Size of memory used for vector s2 in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_S2_SIZE \ + (PARAMS_ML_DSA_65_K * DILITHIUM_POLY_SIZE) +/* Encoding size of s2 in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_S2_ENC_SIZE \ + (PARAMS_ML_DSA_65_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_65_ETA_BITS / 8) +/* Encoding size of z in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_Z_ENC_SIZE \ + (PARAMS_ML_DSA_65_S1_SIZE / sizeof(sword32) / 8 * \ + (PARAMS_ML_DSA_65_GAMMA1_BITS + 1)) +/* Encoding size of public key in bytes for ML-DSA-65. */ +#define PARAMS_ML_DSA_65_PK_SIZE \ + (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_65_K * DILITHIUM_N * DILITHIUM_U / 8) +/* Encoding size of signature in bytes for ML-DSA-65. 
*/ +#define PARAMS_ML_DSA_65_SIG_SIZE \ + ((PARAMS_ML_DSA_65_LAMBDA / 4) + \ + PARAMS_ML_DSA_65_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_65_GAMMA1_BITS + 1) + \ + PARAMS_ML_DSA_65_OMEGA + PARAMS_ML_DSA_65_K) + +#endif /* WOLFSSL_NO_ML_DSA_65 */ + +#ifndef WOLFSSL_NO_ML_DSA_87 + +/* Fist dimension of A, k, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_K 8 +/* Second dimension of A, l, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_L 7 +/* Private key range, ETA, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_ETA DILITHIUM_ETA_2 +/* Number of bits in private key for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_ETA_BITS DILITHIUM_ETA_2_BITS +/* Collision strength of c-tilde, LAMBDA, in bits for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_LAMBDA 256 +/* # +/-1's in polynomial c, TAU, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_TAU 60 +/* BETA = TAU * ETA for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_BETA \ + (PARAMS_ML_DSA_87_TAU * PARAMS_ML_DSA_87_ETA) +/* Max # 1's in the hint h, OMEGA, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_OMEGA 75 +/* Bits in coefficient range of y, GAMMA1, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_GAMMA1_BITS DILITHIUM_GAMMA1_BITS_19 +/* Ccoefficient range of y, GAMMA1, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_GAMMA1 \ + ((sword32)1 << PARAMS_ML_DSA_87_GAMMA1_BITS) +/* Low-order rounding range, GAMMA2, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_GAMMA2 DILITHIUM_Q_LOW_32 +/* Bits in high-order rounding range, GAMMA2, for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_GAMMA2_HI_BITS 4 +/* Encoding size of w1 in bytes for ML-DSA-87. + * K * N / 8 * 4 - 4 bits as max value is 15 in high bits. */ +#define PARAMS_ML_DSA_87_W1_ENC_SZ \ + (PARAMS_ML_DSA_87_K * DILITHIUM_N / 8 * PARAMS_ML_DSA_87_GAMMA2_HI_BITS) +/* Size of memory used for matrix A in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_A_SIZE \ + (PARAMS_ML_DSA_87_K * PARAMS_ML_DSA_87_L * DILITHIUM_POLY_SIZE) +#define PARAMS_ML_DSA_87_S_SIZE 4 +/* Size of memory used for vector s1 in bytes for ML-DSA-87. 
*/ +#define PARAMS_ML_DSA_87_S1_SIZE \ + (PARAMS_ML_DSA_87_L * DILITHIUM_POLY_SIZE) +/* Encoding size of s1 in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_S1_ENC_SIZE \ + (PARAMS_ML_DSA_87_S1_SIZE / sizeof(sword32) * PARAMS_ML_DSA_87_ETA_BITS / 8) +/* Size of memory used for vector s2 in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_S2_SIZE \ + (PARAMS_ML_DSA_87_K * DILITHIUM_POLY_SIZE) +/* Encoding size of s2 in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_S2_ENC_SIZE \ + (PARAMS_ML_DSA_87_S2_SIZE / sizeof(sword32) * PARAMS_ML_DSA_87_ETA_BITS / 8) +/* Encoding size of z in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_Z_ENC_SIZE \ + (PARAMS_ML_DSA_87_S1_SIZE / sizeof(sword32) / 8 * \ + (PARAMS_ML_DSA_87_GAMMA1_BITS + 1)) +/* Encoding size of public key in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_PK_SIZE \ + (DILITHIUM_PUB_SEED_SZ + PARAMS_ML_DSA_87_K * DILITHIUM_N * DILITHIUM_U / 8) +/* Encoding size of signature in bytes for ML-DSA-87. */ +#define PARAMS_ML_DSA_87_SIG_SIZE \ + ((PARAMS_ML_DSA_87_LAMBDA / 4) + \ + PARAMS_ML_DSA_87_L * DILITHIUM_N/8 * (PARAMS_ML_DSA_87_GAMMA1_BITS + 1) + \ + PARAMS_ML_DSA_87_OMEGA + PARAMS_ML_DSA_87_K) + +#endif /* WOLFSSL_NO_ML_DSA_87 */ + + +#ifndef WOLFSSL_NO_ML_DSA_87 + +#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_87_W1_ENC_SZ +/* Maximum collision strength of c-tilde in bytes. */ +#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_87_LAMBDA + +/* Maximum count of elements of a vector with dimension K. */ +#define DILITHIUM_MAX_K_VECTOR_COUNT \ + (PARAMS_ML_DSA_87_K * DILITHIUM_N) +/* Maximum count of elements of a vector with dimension L. */ +#define DILITHIUM_MAX_L_VECTOR_COUNT \ + (PARAMS_ML_DSA_87_L * DILITHIUM_N) +/* Maximum count of elements of a matrix with dimension KxL. */ +#define DILITHIUM_MAX_MATRIX_COUNT \ + (PARAMS_ML_DSA_87_K * PARAMS_ML_DSA_87_L * DILITHIUM_N) + +#elif !defined(WOLFSSL_NO_ML_DSA_65) + +/* Maximum w1 encoding size in bytes. 
*/ +#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_65_W1_ENC_SZ +/* Maximum collision strength of c-tilde in bytes. */ +#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_65_LAMBDA + +/* Maximum count of elements of a vector with dimension K. */ +#define DILITHIUM_MAX_K_VECTOR_COUNT \ + (PARAMS_ML_DSA_65_K * DILITHIUM_N) +/* Maximum count of elements of a vector with dimension L. */ +#define DILITHIUM_MAX_L_VECTOR_COUNT \ + (PARAMS_ML_DSA_65_L * DILITHIUM_N) +/* Maximum count of elements of a matrix with dimension KxL. */ +#define DILITHIUM_MAX_MATRIX_COUNT \ + (PARAMS_ML_DSA_65_K * PARAMS_ML_DSA_65_L * DILITHIUM_N) + +#else + +/* Maximum w1 encoding size in bytes. */ +#define DILITHIUM_MAX_W1_ENC_SZ PARAMS_ML_DSA_44_W1_ENC_SZ +/* Maximum collision strength of c-tilde in bytes. */ +#define DILITHIUM_MAX_LAMBDA PARAMS_ML_DSA_44_LAMBDA + +/* Maximum count of elements of a vector with dimension K. */ +#define DILITHIUM_MAX_K_VECTOR_COUNT \ + (PARAMS_ML_DSA_44_K * DILITHIUM_N) +/* Maximum count of elements of a vector with dimension L. */ +#define DILITHIUM_MAX_L_VECTOR_COUNT \ + (PARAMS_ML_DSA_44_L * DILITHIUM_N) +/* Maximum count of elements of a matrix with dimension KxL. */ +#define DILITHIUM_MAX_MATRIX_COUNT \ + (PARAMS_ML_DSA_44_K * PARAMS_ML_DSA_44_L * DILITHIUM_N) + +#endif + +/* Length of K in bytes. */ +#define DILITHIUM_K_SZ 32 +/* Length of TR in bytes. */ +#define DILITHIUM_TR_SZ 64 +/* Length of public key seed in bytes when expanding a. */ +#define DILITHIUM_PUB_SEED_SZ 32 +/* Length of private key seed in bytes when generating a key. */ +#define DILITHIUM_PRIV_SEED_SZ 64 + +/* Length of seed when creating vector c. */ +#define DILITHIUM_SEED_SZ 32 +/* Length of seeds created when making a key. */ +#define DILITHIUM_SEEDS_SZ 128 + +/* Length of MU in bytes. */ +#define DILITHIUM_MU_SZ 64 +/* Length of random in bytes when generating a signature. */ +#define DILITHIUM_RND_SZ 32 +/* Length of private random in bytes when generating a signature. 
*/ +#define DILITHIUM_PRIV_RAND_SEED_SZ 64 + +/* 5 blocks, each block 21 * 8 bytes = 840 bytes. + * Minimum required is 256 * 3 = 768. */ +#define DILITHIUM_GEN_A_NBLOCKS 5 +/* Number of bytes to generate with Shake128 when generating A. */ +#define DILITHIUM_GEN_A_BYTES \ + (DILITHIUM_GEN_A_NBLOCKS * WC_SHA3_128_COUNT * 8) +/* Number of bytes to a block of SHAKE-128 when generating A. */ +#define DILITHIUM_GEN_A_BLOCK_BYTES (WC_SHA3_128_COUNT * 8) + +/* Number of bytes to a block of SHAKE-256 when generating c. */ +#define DILITHIUM_GEN_C_BLOCK_BYTES (WC_SHA3_256_COUNT * 8) + + +#ifndef WOLFSSL_MLDSA_SMALL +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) + /* A block SHAKE-128 output plus one for reading 4 bytes at a time. */ + #define DILITHIUM_REJ_NTT_POLY_H_SIZE (DILITHIUM_GEN_A_BYTES + 1) +#else + /* A block SHAKE-128 output. */ + #define DILITHIUM_REJ_NTT_POLY_H_SIZE DILITHIUM_GEN_A_BYTES +#endif /* LITTLE_ENDIAN_ORDER && WOLFSSL_MLDSA_ALIGNMENT == 0 */ +#else +#if defined(LITTLE_ENDIAN_ORDER) && (WOLFSSL_MLDSA_ALIGNMENT == 0) + /* A block SHAKE-128 output plus one for reading 4 bytes at a time. */ + #define DILITHIUM_REJ_NTT_POLY_H_SIZE (DILITHIUM_GEN_A_BLOCK_BYTES + 1) +#else + /* A block SHAKE-128 output. 
*/ + #define DILITHIUM_REJ_NTT_POLY_H_SIZE DILITHIUM_GEN_A_BLOCK_BYTES +#endif /* LITTLE_ENDIAN_ORDER && WOLFSSL_MLDSA_ALIGNMENT == 0 */ +#endif + +#ifndef WOLFSSL_NO_ML_DSA_87 + +#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL5_KEY_SIZE +#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL5_SIG_SIZE +#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL5_PUB_KEY_SIZE +#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL5_PRV_KEY_SIZE +/* Buffer sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL5_PUB_KEY_DER_SIZE +#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL5_PRV_KEY_DER_SIZE +#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL5_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN ML_DSA_LEVEL5 PRIVATE KEY-----" and + * the footer "-----END ML_DSA_LEVEL5 PRIVATE KEY-----" */ +#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL5_BOTH_KEY_PEM_SIZE + +#elif !defined(WOLFSSL_NO_ML_DSA_65) + +#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL3_KEY_SIZE +#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL3_SIG_SIZE +#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL3_PUB_KEY_SIZE +#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL3_PRV_KEY_SIZE +/* Buffer sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL3_PUB_KEY_DER_SIZE +#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL3_PRV_KEY_DER_SIZE +#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL3_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL3_BOTH_KEY_PEM_SIZE + +#elif !defined(WOLFSSL_NO_ML_DSA_44) + +#define DILITHIUM_MAX_KEY_SIZE DILITHIUM_LEVEL2_KEY_SIZE +#define DILITHIUM_MAX_SIG_SIZE DILITHIUM_LEVEL2_SIG_SIZE +#define DILITHIUM_MAX_PUB_KEY_SIZE DILITHIUM_LEVEL2_PUB_KEY_SIZE +#define DILITHIUM_MAX_PRV_KEY_SIZE DILITHIUM_LEVEL2_PRV_KEY_SIZE +/* Buffer 
sizes large enough to store exported DER encoded keys */ +#define DILITHIUM_MAX_PUB_KEY_DER_SIZE DILITHIUM_LEVEL2_PUB_KEY_DER_SIZE +#define DILITHIUM_MAX_PRV_KEY_DER_SIZE DILITHIUM_LEVEL2_PRV_KEY_DER_SIZE +#define DILITHIUM_MAX_BOTH_KEY_DER_SIZE DILITHIUM_LEVEL2_BOTH_KEY_DER_SIZE +/* PEM size with the header "-----BEGIN PRIVATE KEY-----" and + * the footer "-----END PRIVATE KEY-----" */ +#define DILITHIUM_MAX_BOTH_KEY_PEM_SIZE DILITHIUM_LEVEL2_BOTH_KEY_PEM_SIZE + +#else + +#error ML-DSA: All levels disabled. + +#endif + + +#ifdef WOLF_PRIVATE_KEY_ID +#define DILITHIUM_MAX_ID_LEN 32 +#define DILITHIUM_MAX_LABEL_LEN 32 +#endif + +/* Structs */ + +typedef struct MlDsaParams { + byte level; + byte k; + byte l; + byte eta; + byte eta_bits; + byte tau; + byte beta; + byte omega; + word16 lambda; + byte gamma1_bits; + sword32 gamma2; + word32 w1EncSz; + word16 aSz; + word16 s1Sz; + word16 s1EncSz; + word16 s2Sz; + word16 s2EncSz; + word16 zEncSz; + word16 pkSz; + word16 sigSz; +} MlDsaParams; + +struct MlDsaKey { + byte pubKeySet; + byte prvKeySet; + byte level; /* 2,3 or 5 */ +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) + word32 kSz; /* allocated size of secret key buffer */ +#endif + + void* heap; /* heap hint */ + +#ifdef WOLF_CRYPTO_CB + void* devCtx; + int devId; +#endif +#ifdef WOLF_PRIVATE_KEY_ID + byte id[DILITHIUM_MAX_ID_LEN]; + int idLen; + char label[DILITHIUM_MAX_LABEL_LEN]; + int labelLen; +#endif + +#if defined(WOLFSSL_MLDSA_DYNAMIC_KEYS) + byte* p; /* heap-allocated, right-sized public key */ + byte* k; /* heap-allocated, right-sized secret key */ +#elif !defined(WOLFSSL_MLDSA_ASSIGN_KEY) +#ifdef USE_INTEL_SPEEDUP + byte p[DILITHIUM_MAX_PUB_KEY_SIZE+8]; +#if !defined(WOLFSSL_MLDSA_VERIFY_ONLY) + byte k[DILITHIUM_MAX_KEY_SIZE+8]; +#endif +#else + byte p[DILITHIUM_MAX_PUB_KEY_SIZE]; +#if !defined(WOLFSSL_MLDSA_VERIFY_ONLY) + byte k[DILITHIUM_MAX_KEY_SIZE]; +#endif +#endif +#else + const byte* p; + const byte* k; +#endif + + const MlDsaParams* params; + wc_Shake 
shake; +#ifndef WC_MLDSA_FIXED_ARRAY +#ifdef WC_MLDSA_CACHE_MATRIX_A + sword32* a; + byte aSet; +#endif +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS + sword32* s1; + sword32* s2; + sword32* t0; + byte privVecsSet; +#endif +#ifdef WC_MLDSA_CACHE_PUB_VECTORS + sword32* t1; + byte pubVecSet; +#endif +#else +#ifdef WC_MLDSA_CACHE_MATRIX_A + sword32 a[DILITHIUM_MAX_MATRIX_COUNT]; + byte aSet; +#endif +#ifdef WC_MLDSA_CACHE_PRIV_VECTORS + sword32 s1[DILITHIUM_MAX_L_VECTOR_COUNT]; + sword32 s2[DILITHIUM_MAX_K_VECTOR_COUNT]; + sword32 t0[DILITHIUM_MAX_K_VECTOR_COUNT]; + byte privVecsSet; +#endif +#ifdef WC_MLDSA_CACHE_PUB_VECTORS + sword32 t1[DILITHIUM_MAX_K_VECTOR_COUNT]; + byte pubVecSet; +#endif +#endif +#if defined(WOLFSSL_MLDSA_VERIFY_NO_MALLOC) && \ + defined(WOLFSSL_MLDSA_VERIFY_SMALL_MEM) + sword32 z[DILITHIUM_MAX_L_VECTOR_COUNT]; + sword32 c[DILITHIUM_N]; + sword32 w[DILITHIUM_N]; + sword32 t1[DILITHIUM_N]; + byte w1e[DILITHIUM_MAX_W1_ENC_SZ]; +#ifdef WOLFSSL_MLDSA_SMALL_MEM_POLY64 + sword64 t64[DILITHIUM_N]; +#endif + byte h[DILITHIUM_REJ_NTT_POLY_H_SIZE]; + byte block[DILITHIUM_GEN_C_BLOCK_BYTES]; +#endif /* WOLFSSL_MLDSA_VERIFY_NO_MALLOC && + * WOLFSSL_MLDSA_VERIFY_SMALL_MEM */ +}; + +#ifndef WC_MLDSAKEY_TYPE_DEFINED + typedef struct MlDsaKey MlDsaKey; + #define WC_MLDSAKEY_TYPE_DEFINED +#endif + +/* When WOLFSSL_MLDSA_FIPS204_DRAFT is enabled the legacy (pre-FIPS 204) + * no-context sign/verify API is required to handle draft-format signatures. */ +#if defined(WOLFSSL_MLDSA_FIPS204_DRAFT) && \ + !defined(WOLFSSL_MLDSA_NO_CTX) + #define WOLFSSL_MLDSA_NO_CTX +#endif + +/* Functions */ + +#ifndef WOLFSSL_MLDSA_VERIFY_ONLY +WOLFSSL_API +int wc_MlDsaKey_MakeKey(MlDsaKey* key, WC_RNG* rng); +WOLFSSL_API +int wc_MlDsaKey_MakeKeyFromSeed(MlDsaKey* key, const byte* seed); + +/* Legacy sign API without context parameter (pre-FIPS 204). + * Only available when WOLFSSL_MLDSA_NO_CTX is defined. 
+ * New code should use wc_MlDsaKey_SignCtx() with ctx=NULL/ctxLen=0 + * for FIPS 204 compliant signing with an empty context. */ +#ifdef WOLFSSL_MLDSA_NO_CTX +WOLFSSL_API +int wc_MlDsaKey_Sign(MlDsaKey* key, byte* sig, word32* sigLen, + const byte* msg, word32 msgLen, WC_RNG* rng); +#endif /* WOLFSSL_MLDSA_NO_CTX */ +WOLFSSL_API +int wc_MlDsaKey_SignCtx(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32* sigLen, const byte* msg, word32 msgLen, WC_RNG* rng); +WOLFSSL_API +int wc_MlDsaKey_SignCtxHash(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32* sigLen, const byte* hash, word32 hashLen, + int hashAlg, WC_RNG* rng); +/* Legacy seed-based sign API without context parameter (pre-FIPS 204). + * Only available when WOLFSSL_MLDSA_NO_CTX is defined. + * New code should use wc_MlDsaKey_SignCtxWithSeed() instead. */ +#ifdef WOLFSSL_MLDSA_NO_CTX +WOLFSSL_API +int wc_MlDsaKey_SignWithSeed(MlDsaKey* key, byte* sig, word32* sigLen, + const byte* msg, word32 msgLen, const byte* seed); +#endif /* WOLFSSL_MLDSA_NO_CTX */ +WOLFSSL_API +int wc_MlDsaKey_SignCtxWithSeed(MlDsaKey* key, const byte* ctx, byte ctxLen, + byte* sig, word32* sigLen, const byte* msg, word32 msgLen, + const byte* seed); +WOLFSSL_API +int wc_MlDsaKey_SignCtxHashWithSeed(MlDsaKey* key, const byte* ctx, + byte ctxLen, byte* sig, word32* sigLen, const byte* hash, + word32 hashLen, int hashAlg, const byte* seed); +WOLFSSL_API +int wc_MlDsaKey_SignMuWithSeed(MlDsaKey* key, byte* sig, word32* sigLen, + const byte* mu, word32 muLen, const byte* seed); +#endif /* !WOLFSSL_MLDSA_VERIFY_ONLY */ +/* Legacy verify API without context parameter (pre-FIPS 204). + * Only available when WOLFSSL_MLDSA_NO_CTX is defined. + * New code should use wc_MlDsaKey_VerifyCtx() with ctx=NULL/ctxLen=0 + * for FIPS 204 compliant verification with an empty context. 
*/ +#ifdef WOLFSSL_MLDSA_NO_CTX +WOLFSSL_API +int wc_MlDsaKey_Verify(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* msg, word32 msgLen, int* res); +#endif /* WOLFSSL_MLDSA_NO_CTX */ +WOLFSSL_API +int wc_MlDsaKey_VerifyCtx(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* ctx, byte ctxLen, const byte* msg, word32 msgLen, int* res); +WOLFSSL_API +int wc_MlDsaKey_VerifyCtxHash(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* ctx, byte ctxLen, const byte* hash, word32 hashLen, + int hashAlg, int* res); +WOLFSSL_API +int wc_MlDsaKey_VerifyMu(MlDsaKey* key, const byte* sig, word32 sigLen, + const byte* mu, word32 muLen, int* res); + +#ifndef WC_NO_CONSTRUCTORS +WOLFSSL_API +MlDsaKey* wc_MlDsaKey_New(void* heap, int devId); +WOLFSSL_API +int wc_MlDsaKey_Delete(MlDsaKey* key, MlDsaKey** key_p); +#endif /* !WC_NO_CONSTRUCTORS */ + +WOLFSSL_API +int wc_MlDsaKey_Init(MlDsaKey* key, void* heap, int devId); + +#ifdef WOLF_PRIVATE_KEY_ID +WOLFSSL_API +int wc_MlDsaKey_InitId(MlDsaKey* key, const unsigned char* id, int len, + void* heap, int devId); +WOLFSSL_API +int wc_MlDsaKey_InitLabel(MlDsaKey* key, const char* label, void* heap, + int devId); +#endif + +WOLFSSL_API +int wc_MlDsaKey_SetParams(MlDsaKey* key, byte level); +WOLFSSL_API +int wc_MlDsaKey_GetParams(MlDsaKey* key, byte* level); +WOLFSSL_API +void wc_MlDsaKey_Free(MlDsaKey* key); + +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_API +int wc_MlDsaKey_Size(MlDsaKey* key); +#endif +#if defined(WOLFSSL_MLDSA_PRIVATE_KEY) && \ + defined(WOLFSSL_MLDSA_PUBLIC_KEY) +WOLFSSL_API +int wc_MlDsaKey_PrivSize(MlDsaKey* key); +#endif +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +WOLFSSL_API +int wc_MlDsaKey_PubSize(MlDsaKey* key); +#endif +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || !defined(WOLFSSL_MLDSA_NO_VERIFY) +WOLFSSL_API +int wc_MlDsaKey_SigSize(MlDsaKey* key); +#endif + +#ifdef WOLFSSL_MLDSA_CHECK_KEY +WOLFSSL_API +int wc_MlDsaKey_CheckKey(MlDsaKey* key); +#endif + +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY 
+WOLFSSL_API +int wc_MlDsaKey_ImportPubRaw(MlDsaKey* key, const byte* in, word32 inLen); +#endif +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_API +int wc_MlDsaKey_ImportPrivRaw(MlDsaKey* key, const byte* priv, word32 privSz); +WOLFSSL_API +int wc_MlDsaKey_ImportKey(MlDsaKey* key, const byte* priv, word32 privSz, + const byte* pub, word32 pubSz); +#endif + +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +WOLFSSL_API +int wc_MlDsaKey_ExportPubRaw(MlDsaKey* key, byte* out, word32* outLen); +#endif +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_API +int wc_MlDsaKey_ExportPrivRaw(MlDsaKey* key, byte* out, word32* outLen); +#endif +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_API +int wc_MlDsaKey_ExportKey(MlDsaKey* key, byte* priv, word32 *privSz, + byte* pub, word32 *pubSz); +#endif + +#ifndef WOLFSSL_MLDSA_NO_ASN1 +WOLFSSL_LOCAL int mldsa_get_oid_sum(MlDsaKey* key, int* keyFormat); +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ + +#ifndef WOLFSSL_MLDSA_NO_ASN1 +#if defined(WOLFSSL_MLDSA_PRIVATE_KEY) +WOLFSSL_API int wc_MlDsaKey_PrivateKeyDecode(MlDsaKey* key, const byte* input, + word32 inSz, word32* inOutIdx); +#endif +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ +#ifdef WOLFSSL_MLDSA_PUBLIC_KEY +WOLFSSL_API int wc_MlDsaKey_PublicKeyDecode(MlDsaKey* key, const byte* input, + word32 inSz, word32* inOutIdx); +#endif + +#ifndef WOLFSSL_MLDSA_NO_ASN1 +#ifdef WC_ENABLE_ASYM_KEY_EXPORT +WOLFSSL_API int wc_MlDsaKey_PublicKeyToDer(MlDsaKey* key, byte* output, + word32 inLen, int withAlg); +#endif +#if defined(WOLFSSL_MLDSA_PRIVATE_KEY) +WOLFSSL_API int wc_MlDsaKey_KeyToDer(MlDsaKey* key, byte* output, + word32 inLen); +#endif +#ifdef WOLFSSL_MLDSA_PRIVATE_KEY +WOLFSSL_API int wc_MlDsaKey_PrivateKeyToDer(MlDsaKey* key, byte* output, + word32 inLen); +#endif +#endif /* WOLFSSL_MLDSA_NO_ASN1 */ + +#ifdef USE_INTEL_SPEEDUP +WOLFSSL_LOCAL void wc_mldsa_poly_red_avx2(sword32* a); + +WOLFSSL_LOCAL void wc_mldsa_ntt_avx2(sword32* r); +WOLFSSL_LOCAL void wc_mldsa_ntt_full_avx2(sword32* r); +WOLFSSL_LOCAL void 
wc_mldsa_invntt_avx2(sword32* r); +WOLFSSL_LOCAL void wc_mldsa_invntt_full_avx2(sword32* r); + +WOLFSSL_LOCAL void wc_mldsa_mul_avx2(sword32* r, const sword32* a, + const sword32* b); +WOLFSSL_LOCAL void wc_mldsa_mul_vec_4_avx2(sword32* r, const sword32* a, + const sword32* b); +WOLFSSL_LOCAL void wc_mldsa_mul_vec_5_avx2(sword32* r, const sword32* a, + const sword32* b); +WOLFSSL_LOCAL void wc_mldsa_mul_vec_7_avx2(sword32* r, const sword32* a, + const sword32* b); +WOLFSSL_LOCAL void wc_mldsa_matrix_mul_4x4_avx2(sword32* r, const sword32* m, + const sword32* v); +WOLFSSL_LOCAL void wc_mldsa_matrix_mul_6x5_avx2(sword32* r, const sword32* m, + const sword32* v); +WOLFSSL_LOCAL void wc_mldsa_matrix_mul_8x7_avx2(sword32* r, const sword32* m, + const sword32* v); + +WOLFSSL_LOCAL void wc_mldsa_redistribute_21_rand_avx2(word64* s, byte* r0, + byte* r1, byte* r2, byte* r3); +WOLFSSL_LOCAL int wc_mldsa_rej_uniform_n_avx2(sword32* a, word32 len, + const byte* r, word32 rLen); +WOLFSSL_LOCAL int wc_mldsa_rej_uniform_avx2(sword32* a, word32 len, + const byte* r, word32 rLen); + +WOLFSSL_LOCAL void wc_mldsa_redistribute_17_rand_avx2(word64* s, byte* r0, + byte* r1, byte* r2, byte* r3); +WOLFSSL_LOCAL void wc_mldsa_extract_coeffs_eta2_avx2(const byte* z, + unsigned int zLen, sword32* s, unsigned int* cnt); +WOLFSSL_LOCAL void wc_mldsa_extract_coeffs_eta4_avx2(const byte* z, + unsigned int zLen, sword32* s, unsigned int* cnt); + +WOLFSSL_LOCAL void wc_mldsa_vec_encode_eta_2_avx2(const sword32* s, byte d, + byte* p); +WOLFSSL_LOCAL void wc_mldsa_vec_encode_eta_4_avx2(const sword32* t, byte* p); +WOLFSSL_LOCAL void wc_mldsa_decode_eta_2_avx2(const byte* p, sword32* s); +WOLFSSL_LOCAL void wc_mldsa_decode_eta_4_avx2(const byte* p, sword32* s); + +WOLFSSL_LOCAL void wc_mldsa_encode_w1_88_avx2(const sword32* w1, byte* w1e); +WOLFSSL_LOCAL void wc_mldsa_encode_w1_32_avx2(const sword32* w1, byte* w1e); + +WOLFSSL_LOCAL void wc_mldsa_vec_encode_t0_t1_avx2(const sword32* t, byte d, + 
byte* t0, byte* t1); +WOLFSSL_LOCAL void wc_mldsa_decode_t0_avx2(const byte* t0, sword32* t); +WOLFSSL_LOCAL void wc_mldsa_decode_t1_avx2(const byte* t1, sword32* t); + +WOLFSSL_LOCAL void wc_mldsa_decode_gamma1_17_avx2(const byte* s, sword32* z); +WOLFSSL_LOCAL void wc_mldsa_decode_gamma1_19_avx2(const byte* s, sword32* z); +WOLFSSL_LOCAL void wc_mldsa_encode_gamma1_17_avx2(const sword32* z, byte* s); +WOLFSSL_LOCAL void wc_mldsa_encode_gamma1_19_avx2(const sword32* z, byte* s); + +WOLFSSL_LOCAL void wc_mldsa_decompose_q88_avx2(const sword32* r, sword32* r0, + sword32* r1); +WOLFSSL_LOCAL void wc_mldsa_decompose_q32_avx2(const sword32* r, byte k, + sword32* r0, sword32* r1); + +WOLFSSL_LOCAL void wc_mldsa_use_hint_88_avx2(sword32* w1, const byte* h); +WOLFSSL_LOCAL void wc_mldsa_use_hint_32_avx2(sword32* w1, byte k, + const byte* h); + +WOLFSSL_LOCAL int wc_mldsa_vec_check_low_avx2(const sword32* a, byte l, + sword32 hi); + +WOLFSSL_LOCAL void wc_mldsa_poly_add_avx2(sword32* r, const sword32* a); +WOLFSSL_LOCAL void wc_mldsa_poly_sub_avx2(sword32* r, const sword32* a); +WOLFSSL_LOCAL void wc_mldsa_poly_make_pos_avx2(sword32* a); +#endif + + +#define WC_ML_DSA_DRAFT 10 + +#define WC_ML_DSA_44 2 +#define WC_ML_DSA_65 3 +#define WC_ML_DSA_87 5 +#define WC_ML_DSA_44_DRAFT (2 + WC_ML_DSA_DRAFT) +#define WC_ML_DSA_65_DRAFT (3 + WC_ML_DSA_DRAFT) +#define WC_ML_DSA_87_DRAFT (5 + WC_ML_DSA_DRAFT) + +#define DILITHIUM_ML_DSA_44_KEY_SIZE 2560 +#define DILITHIUM_ML_DSA_44_SIG_SIZE 2420 +#define DILITHIUM_ML_DSA_44_PUB_KEY_SIZE 1312 +#define DILITHIUM_ML_DSA_44_PRV_KEY_SIZE \ + (DILITHIUM_ML_DSA_44_PUB_KEY_SIZE + DILITHIUM_ML_DSA_44_KEY_SIZE) + +#define DILITHIUM_ML_DSA_65_KEY_SIZE 4032 +#define DILITHIUM_ML_DSA_65_SIG_SIZE 3309 +#define DILITHIUM_ML_DSA_65_PUB_KEY_SIZE 1952 +#define DILITHIUM_ML_DSA_65_PRV_KEY_SIZE \ + (DILITHIUM_ML_DSA_65_PUB_KEY_SIZE + DILITHIUM_ML_DSA_65_KEY_SIZE) + +#define DILITHIUM_ML_DSA_87_KEY_SIZE 4896 +#define DILITHIUM_ML_DSA_87_SIG_SIZE 4627 
+#define DILITHIUM_ML_DSA_87_PUB_KEY_SIZE 2592 +#define DILITHIUM_ML_DSA_87_PRV_KEY_SIZE \ + (DILITHIUM_ML_DSA_87_PUB_KEY_SIZE + DILITHIUM_ML_DSA_87_KEY_SIZE) + + +WOLFSSL_API int wc_MlDsaKey_GetPrivLen(MlDsaKey* key, int* len); +WOLFSSL_API int wc_MlDsaKey_GetPubLen(MlDsaKey* key, int* len); +WOLFSSL_API int wc_MlDsaKey_GetSigLen(MlDsaKey* key, int* len); + +#if !defined(WOLFSSL_MLDSA_NO_SIGN) || \ + !defined(WOLFSSL_MLDSA_NO_VERIFY) +#ifndef WOLFSSL_NO_ML_DSA_44 +WOLFSSL_TEST_VIS void wc_mldsa_encode_w1_88(const sword32* w1, byte* w1e); +#endif +#if !defined(WOLFSSL_NO_ML_DSA_65) || !defined(WOLFSSL_NO_ML_DSA_87) +WOLFSSL_TEST_VIS void wc_mldsa_encode_w1_32(const sword32* w1, byte* w1e); +#endif +#endif + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* WOLFSSL_HAVE_MLDSA */ +#endif /* WOLF_CRYPT_WC_MLDSA_H */ diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs index 9355d1137c8..82442207283 100644 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs 
@@ -504,25 +504,25 @@ public class wolfcrypt
 */
 #if WindowsCE
 [DllImport(wolfssl_dll)]
- private static extern IntPtr wc_dilithium_new(IntPtr heap, int devId);
+ private static extern IntPtr wc_MlDsaKey_New(IntPtr heap, int devId);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_delete(IntPtr key, IntPtr key_p);
+ private static extern int wc_MlDsaKey_Delete(IntPtr key, IntPtr key_p);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_set_level(IntPtr key, byte level);
+ private static extern int wc_MlDsaKey_SetParams(IntPtr key, byte level);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_make_key(IntPtr key, IntPtr rng);
+ private static extern int wc_MlDsaKey_MakeKey(IntPtr key, IntPtr rng);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_export_private(IntPtr key, byte[] output, ref uint outLen);
+ private static extern int wc_MlDsaKey_ExportPrivRaw(IntPtr key, byte[] output, ref uint outLen);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_import_private(byte[] priv, uint privSz, IntPtr key);
+ private static extern int wc_MlDsaKey_ImportPrivRaw(IntPtr key, byte[] priv, uint privSz);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_export_public(IntPtr key, byte[] output, ref uint outLen);
+ private static extern int wc_MlDsaKey_ExportPubRaw(IntPtr key, byte[] output, ref uint outLen);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key);
+ private static extern int wc_MlDsaKey_ImportPubRaw(IntPtr key, byte[] input, uint inputLen);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng);
+ private static extern int wc_MlDsaKey_SignCtx(IntPtr key, byte[] ctx, byte ctxLen, byte[] sig, ref uint sigLen, byte[] msg, uint msgLen, IntPtr rng);
 [DllImport(wolfssl_dll)]
- private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key);
+ private static extern int wc_MlDsaKey_VerifyCtx(IntPtr key, byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res);
 [DllImport(wolfssl_dll)]
 private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len);
 [DllImport(wolfssl_dll)]
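Review bot: The reordered `wc_MlDsaKey_SignCtx` and `wc_MlDsaKey_VerifyCtx` declarations have no comment recording the buffer contract, and P/Invoke cannot check argument order or lengths against the native side. The order now matches the C prototypes added earlier in this diff (key first), but `ctxLen` is a single `byte` and `ref uint sigLen` maps to `word32* sigLen`, presumably capacity in and length out. A caller that casts a longer context to `byte`, or passes a `sigLen` larger than `sig.Length`, would sign over a truncated context or let native code write past the managed array; those call sites are outside this hunk and worth confirming. I would add above the block `// Args mirror native wc_MlDsaKey_*: key first; ctx at most 255 bytes; sigLen/outLen = buffer capacity in, bytes written out.` The same comment applies to the Cdecl copy of these declarations in the next hunk (`@@ -531,25`).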
@@ -531,25 +531,25 @@ public class wolfcrypt private static extern int wc_MlDsaKey_GetSigLen(IntPtr key, ref int len); #else [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern IntPtr wc_dilithium_new(IntPtr heap, int devId); + private static extern IntPtr wc_MlDsaKey_New(IntPtr heap, int devId); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_delete(IntPtr key, IntPtr key_p); + private static extern int wc_MlDsaKey_Delete(IntPtr key, IntPtr key_p); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_set_level(IntPtr key, byte level); + private static extern int wc_MlDsaKey_SetParams(IntPtr key, byte level); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_make_key(IntPtr key, IntPtr rng); + private static extern int wc_MlDsaKey_MakeKey(IntPtr key, IntPtr rng); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_export_private(IntPtr key, byte[] output, ref uint outLen); + private static extern int wc_MlDsaKey_ExportPrivRaw(IntPtr key, byte[] output, ref uint outLen); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_import_private(byte[] priv, uint privSz, IntPtr key); + private static extern int wc_MlDsaKey_ImportPrivRaw(IntPtr key, byte[] priv, uint privSz); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_export_public(IntPtr key, byte[] output, ref uint outLen); + private static extern int wc_MlDsaKey_ExportPubRaw(IntPtr key, byte[] output, ref uint outLen); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_import_public(byte[] input, uint inputLen, IntPtr key); + private static extern int 
wc_MlDsaKey_ImportPubRaw(IntPtr key, byte[] input, uint inputLen); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_sign_ctx_msg(byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, byte[] sig, ref uint sigLen, IntPtr key, IntPtr rng); + private static extern int wc_MlDsaKey_SignCtx(IntPtr key, byte[] ctx, byte ctxLen, byte[] sig, ref uint sigLen, byte[] msg, uint msgLen, IntPtr rng); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - private static extern int wc_dilithium_verify_ctx_msg(byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res, IntPtr key); + private static extern int wc_MlDsaKey_VerifyCtx(IntPtr key, byte[] sig, uint sigLen, byte[] ctx, byte ctxLen, byte[] msg, uint msgLen, ref int res); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] private static extern int wc_MlDsaKey_GetPrivLen(IntPtr key, ref int len); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] @@ -3370,14 +3370,14 @@ public static IntPtr MlDsaNew(IntPtr heap, int devId, MlDsaLevels level) try { - key = wc_dilithium_new(heap, devId); + key = wc_MlDsaKey_New(heap, devId); if (key == IntPtr.Zero) { log(ERROR_LOG, "Failed to allocate and initialize ML-DSA key."); return IntPtr.Zero; } - int ret = wc_dilithium_set_level(key, (byte)level); + int ret = wc_MlDsaKey_SetParams(key, (byte)level); if (ret != 0) { log(ERROR_LOG, "Failed to set ML-DSA level. Error code: " + ret); @@ -3421,14 +3421,14 @@ public static IntPtr MlDsaMakeKey(IntPtr heap, int devId, MlDsaLevels level) try { - key = wc_dilithium_new(heap, devId); + key = wc_MlDsaKey_New(heap, devId); if (key == IntPtr.Zero) { log(ERROR_LOG, "Failed to allocate and initialize ML-DSA key."); return IntPtr.Zero; } - ret = wc_dilithium_set_level(key, (byte)level); + ret = wc_MlDsaKey_SetParams(key, (byte)level); if (ret != 0) { log(ERROR_LOG, "Failed to set ML-DSA level. Error code: " + ret); 
@@ -3442,7 +3442,7 @@ public static IntPtr MlDsaMakeKey(IntPtr heap, int devId, MlDsaLevels level) return IntPtr.Zero; } - ret = wc_dilithium_make_key(key, rng); + ret = wc_MlDsaKey_MakeKey(key, rng); if (ret != 0) { log(ERROR_LOG, "Failed to make ML-DSA key. Error code: " + ret); @@ -3488,7 +3488,7 @@ public static int MlDsaFreeKey(ref IntPtr key) return BAD_FUNC_ARG; } - ret = wc_dilithium_delete(key, IntPtr.Zero); + ret = wc_MlDsaKey_Delete(key, IntPtr.Zero); key = IntPtr.Zero; return ret; } @@ -3508,7 +3508,7 @@ public static int MlDsaImportPublicKey(byte[] publicKey, IntPtr key) try { - return wc_dilithium_import_public(publicKey, (uint)publicKey.Length, key); + return wc_MlDsaKey_ImportPubRaw(key, publicKey, (uint)publicKey.Length); } catch (Exception e) { @@ -3532,7 +3532,7 @@ public static int MlDsaImportPrivateKey(byte[] privateKey, IntPtr key) try { - return wc_dilithium_import_private(privateKey, (uint)privateKey.Length, key); + return wc_MlDsaKey_ImportPrivRaw(key, privateKey, (uint)privateKey.Length); } catch (Exception e) { @@ -3570,7 +3570,7 @@ public static int MlDsaExportPrivateKey(IntPtr key, out byte[] privateKey) privateKey = new byte[privLen]; outLen = (uint)privLen; - ret = wc_dilithium_export_private(key, privateKey, ref outLen); + ret = wc_MlDsaKey_ExportPrivRaw(key, privateKey, ref outLen); if (ret != 0) { log(ERROR_LOG, "Failed to export ML-DSA private key. Error code: " + ret); @@ -3620,7 +3620,7 @@ public static int MlDsaExportPublicKey(IntPtr key, out byte[] publicKey) publicKey = new byte[pubLen]; outLen = (uint)pubLen; - ret = wc_dilithium_export_public(key, publicKey, ref outLen); + ret = wc_MlDsaKey_ExportPubRaw(key, publicKey, ref outLen); if (ret != 0) { log(ERROR_LOG, "Failed to export ML-DSA public key. Error code: " + ret); 
@@ -3679,7 +3679,7 @@ public static int MlDsaSignMsg(IntPtr key, byte[] msg, out byte[] sig) return MEMORY_E; } /* FIPS 204 sign with empty context (ctx=null, ctxLen=0). */ - ret = wc_dilithium_sign_ctx_msg(null, 0, msg, (uint)msg.Length, sig, ref outLen, key, rng); + ret = wc_MlDsaKey_SignCtx(key, null, 0, sig, ref outLen, msg, (uint)msg.Length, rng); if (ret != 0) { log(ERROR_LOG, "Failed to sign message with ML-DSA key. Error code: " + ret); @@ -3724,7 +3724,7 @@ public static int MlDsaVerifyMsg(IntPtr key, byte[] msg, byte[] sig) try { /* FIPS 204 verify with empty context (ctx=null, ctxLen=0). */ - ret = wc_dilithium_verify_ctx_msg(sig, (uint)sig.Length, null, 0, msg, (uint)msg.Length, ref res, key); + ret = wc_MlDsaKey_VerifyCtx(key, sig, (uint)sig.Length, null, 0, msg, (uint)msg.Length, ref res); if (ret != 0) { log(ERROR_LOG, "Failed to verify message with ML-DSA key. Error code: " + ret); diff --git a/wrapper/CSharp/wolfssl.vcxproj b/wrapper/CSharp/wolfssl.vcxproj index 391b5c9eb91..66694f76438 100644 --- a/wrapper/CSharp/wolfssl.vcxproj +++ b/wrapper/CSharp/wolfssl.vcxproj @@ -301,7 +301,7 @@ - + diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt index 7332865b751..b4603df6058 100644 --- a/zephyr/CMakeLists.txt +++ b/zephyr/CMakeLists.txt @@ -71,7 +71,7 @@ if(CONFIG_WOLFSSL) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve25519.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/curve448.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/des3.c) - zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dilithium.c) + zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/wc_mldsa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/dsa.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/ecc_fp.c) zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/wolfcrypt/src/eccsi.c)
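Review bot: In MlDsaVerifyMsg the only check visible after `wc_MlDsaKey_VerifyCtx` is `ret != 0`, while the verdict on the signature comes back through `res`. The rest of the function is outside the hunk, so I cannot confirm that `res` is tested there. If it is not already, the success path should require `res == 1` (the usual wolfCrypt convention for a valid signature) before reporting success. A comment on the call would keep that from getting lost in a later refactor: `/* ret == 0 only means the call completed; the signature is valid only if res == 1 */`. The wrapper also fixes the context to empty in both MlDsaSignMsg and MlDsaVerifyMsg, which is worth stating in the method documentation so callers know a signature produced elsewhere with a non-empty context will not verify here.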