Monobuild changes

BIBLIOGRAPHY.md

@@ -48,8 +48,8 @@ source code and documentation.
 * Referenced from:
   - [README.md](README.md)
   - [examples/bring_your_own_fips202/mldsa_native/mldsa_native.h](examples/bring_your_own_fips202/mldsa_native/mldsa_native.h)
-  - [examples/bring_your_own_fips202/mldsa_native/src/common.h](examples/bring_your_own_fips202/mldsa_native/src/common.h)
   - [examples/bring_your_own_fips202/mldsa_native/src/config.h](examples/bring_your_own_fips202/mldsa_native/src/config.h)
+  - [examples/bring_your_own_fips202/mldsa_native/src/ct.h](examples/bring_your_own_fips202/mldsa_native/src/ct.h)
   - [examples/bring_your_own_fips202/mldsa_native/src/ntt.h](examples/bring_your_own_fips202/mldsa_native/src/ntt.h)
   - [examples/bring_your_own_fips202/mldsa_native/src/poly.c](examples/bring_your_own_fips202/mldsa_native/src/poly.c)
   - [examples/bring_your_own_fips202/mldsa_native/src/poly_kl.c](examples/bring_your_own_fips202/mldsa_native/src/poly_kl.c)
@@ -58,8 +58,8 @@ source code and documentation.
   - [examples/bring_your_own_fips202/mldsa_native/src/sign.c](examples/bring_your_own_fips202/mldsa_native/src/sign.c)
   - [examples/bring_your_own_fips202/mldsa_native/src/sign.h](examples/bring_your_own_fips202/mldsa_native/src/sign.h)
   - [mldsa/mldsa_native.h](mldsa/mldsa_native.h)
-  - [mldsa/src/common.h](mldsa/src/common.h)
   - [mldsa/src/config.h](mldsa/src/config.h)
+  - [mldsa/src/ct.h](mldsa/src/ct.h)
   - [mldsa/src/fips202/fips202.c](mldsa/src/fips202/fips202.c)
   - [mldsa/src/fips202/fips202x4.c](mldsa/src/fips202/fips202x4.c)
   - [mldsa/src/ntt.h](mldsa/src/ntt.h)

examples/bring_your_own_fips202/mldsa_native/src/poly_kl.h

@@ -0,0 +1 @@
+../../../../mldsa/src/poly_kl.h

integration/liboqs/ML-DSA-44_META.yml

@@ -31,10 +31,10 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/ntt.c mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h
-    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c
-    mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h
-    mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h
-    mldsa/src/sys.h mldsa/src/zetas.inc
+    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h
+    mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h
+    mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c
+    mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -47,10 +47,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/x86_64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -72,10 +72,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/aarch64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-65_META.yml

@@ -31,10 +31,10 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/ntt.c mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h
-    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c
-    mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h
-    mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h
-    mldsa/src/sys.h mldsa/src/zetas.inc
+    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h
+    mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h
+    mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c
+    mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -47,10 +47,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/x86_64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -72,10 +72,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/aarch64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

integration/liboqs/ML-DSA-87_META.yml

@@ -31,10 +31,10 @@ implementations:
   sources: integration/liboqs/config_c.h integration/liboqs/fips202_glue.h integration/liboqs/fips202x4_glue.h
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/ntt.c mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h
-    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c
-    mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h
-    mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h
-    mldsa/src/sys.h mldsa/src/zetas.inc
+    mldsa/src/params.h mldsa/src/poly.c mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h
+    mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c mldsa/src/prehash.h
+    mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h mldsa/src/sign.c
+    mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
 - name: x86_64
   version: FIPS204
   folder_name: .
@@ -47,10 +47,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/x86_64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/x86_64
   supported_platforms:
   - architecture: x86_64
     operating_systems:
@@ -71,10 +71,10 @@ implementations:
     mldsa/src/cbmc.h mldsa/src/common.h mldsa/src/ct.c mldsa/src/ct.h mldsa/src/debug.c
     mldsa/src/debug.h mldsa/src/native/api.h mldsa/src/native/meta.h mldsa/src/ntt.c
     mldsa/src/ntt.h mldsa/src/packing.c mldsa/src/packing.h mldsa/src/params.h mldsa/src/poly.c
-    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/polyvec.c mldsa/src/polyvec.h mldsa/src/prehash.c
-    mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h mldsa/src/rounding.h
-    mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h mldsa/src/zetas.inc
-    mldsa/src/native/aarch64
+    mldsa/src/poly.h mldsa/src/poly_kl.c mldsa/src/poly_kl.h mldsa/src/polyvec.c mldsa/src/polyvec.h
+    mldsa/src/prehash.c mldsa/src/prehash.h mldsa/src/randombytes.h mldsa/src/reduce.h
+    mldsa/src/rounding.h mldsa/src/sign.c mldsa/src/sign.h mldsa/src/symmetric.h mldsa/src/sys.h
+    mldsa/src/zetas.inc mldsa/src/native/aarch64
   supported_platforms:
   - architecture: arm_8
     operating_systems:

mldsa/src/common.h

@@ -3,15 +3,6 @@
  * SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
  */
 
-/* References
- * ==========
- *
- * - [FIPS204]
- *   FIPS 204 Module-Lattice-Based Digital Signature Standard
- *   National Institute of Standards and Technology
- *   https://csrc.nist.gov/pubs/fips/204/final
- */
-
 #ifndef MLD_COMMON_H
 #define MLD_COMMON_H
 
@@ -104,60 +95,12 @@
  * all source files are included, even those that are not needed.
  * Those files are appropriately guarded and will be empty when unneeded.
  * The following is to avoid compilers complaining about this. */
-#define MLD_EMPTY_CU(s) extern int MLD_NAMESPACE(empty_cu_##s);
+#define MLD_EMPTY_CU(s) extern int MLD_NAMESPACE_KL(empty_cu_##s);
 
 #if defined(MLD_CONFIG_USE_NATIVE_BACKEND_FIPS202)
 #include MLD_CONFIG_FIPS202_BACKEND_FILE
 #endif
 
-#if !defined(__ASSEMBLER__)
-#include <string.h>
-
-/*************************************************
- * Name:        mld_zeroize
- *
- * Description: Force-zeroize a buffer.
- *              @[FIPS204, Section 3.6.3] Destruction of intermediate values.
- *
- * Arguments:   void *ptr: pointer to buffer to be zeroed
- *              size_t len: Amount of bytes to be zeroed
- **************************************************/
-static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
-__contract__(
-  requires(memory_no_alias(ptr, len))
-  assigns(memory_slice(ptr, len))
-);
-
-#if defined(MLD_CONFIG_CUSTOM_ZEROIZE)
-static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
-{
-  mld_zeroize_native(ptr, len);
-}
-#elif defined(MLD_SYS_WINDOWS)
-#include <windows.h>
-static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
-{
-  SecureZeroMemory(ptr, len);
-}
-#elif defined(MLD_HAVE_INLINE_ASM)
-static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
-{
-  memset(ptr, 0, len);
-  /* This follows OpenSSL and seems sufficient to prevent the compiler
-   * from optimizing away the memset.
-   *
-   * If there was a reliable way to detect availability of memset_s(),
-   * that would be preferred. */
-  __asm__ __volatile__("" : : "r"(ptr) : "memory");
-}
-#else /* !MLD_CONFIG_CUSTOM_ZEROIZE && !MLD_SYS_WINDOWS && MLD_HAVE_INLINE_ASM \
-       */
-#error No plausibly-secure implementation of mld_zeroize available. Please provide your own using MLD_CONFIG_CUSTOM_ZEROIZE.
-#endif /* !MLD_CONFIG_CUSTOM_ZEROIZE && !MLD_SYS_WINDOWS && \
-          !MLD_HAVE_INLINE_ASM */
-
-#endif /* !__ASSEMBLER__ */
-
 #if !defined(MLD_CONFIG_FIPS202_CUSTOM_HEADER)
 #define MLD_FIPS202_HEADER_FILE "fips202/fips202.h"
 #else

mldsa/src/ct.h

@@ -7,6 +7,11 @@
 /* References
  * ==========
  *
+ * - [FIPS204]
+ *   FIPS 204 Module-Lattice-Based Digital Signature Standard
+ *   National Institute of Standards and Technology
+ *   https://csrc.nist.gov/pubs/fips/204/final
+ *
  * - [libmceliece]
  *   libmceliece implementation of Classic McEliece
  *   Bernstein, Chou
@@ -232,5 +237,54 @@ __contract__(
   return mld_ct_sel_int32(-x, x, mld_ct_cmask_neg_i32(x));
 }
 
+#if !defined(__ASSEMBLER__)
+#include <string.h>
+
+/*************************************************
+ * Name:        mld_zeroize
+ *
+ * Description: Force-zeroize a buffer.
+ *              @[FIPS204, Section 3.6.3] Destruction of intermediate
+ *values.
+ *
+ * Arguments:   void *ptr: pointer to buffer to be zeroed
+ *              size_t len: Amount of bytes to be zeroed
+ **************************************************/
+static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
+__contract__(
+  requires(memory_no_alias(ptr, len))
+  assigns(memory_slice(ptr, len))
+);
+
+#if defined(MLD_CONFIG_CUSTOM_ZEROIZE)
+static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
+{
+  mld_zeroize_native(ptr, len);
+}
+#elif defined(MLD_SYS_WINDOWS)
+#include <windows.h>
+static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
+{
+  SecureZeroMemory(ptr, len);
+}
+#elif defined(MLD_HAVE_INLINE_ASM)
+static MLD_INLINE void mld_zeroize(void *ptr, size_t len)
+{
+  memset(ptr, 0, len);
+  /* This follows OpenSSL and seems sufficient to prevent the compiler
+   * from optimizing away the memset.
+   *
+   * If there was a reliable way to detect availability of memset_s(),
+   * that would be preferred. */
+  __asm__ __volatile__("" : : "r"(ptr) : "memory");
+}
+#else /* !MLD_CONFIG_CUSTOM_ZEROIZE && !MLD_SYS_WINDOWS && MLD_HAVE_INLINE_ASM \
+       */
+#error No plausibly-secure implementation of mld_zeroize available. Please provide your own using MLD_CONFIG_CUSTOM_ZEROIZE.
+#endif /* !MLD_CONFIG_CUSTOM_ZEROIZE && !MLD_SYS_WINDOWS && \
+          !MLD_HAVE_INLINE_ASM */
+
+#endif /* !__ASSEMBLER__ */
+
 
 #endif /* !MLD_CT_H */

mldsa/src/fips202/fips202.c

@@ -34,8 +34,11 @@
 #include <stddef.h>
 #include <stdint.h>
 
+#include "../common.h"
+#include "../ct.h"
 #include "fips202.h"
 #include "keccakf1600.h"
+#if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 
 #define NROUNDS 24
 
@@ -259,3 +262,5 @@ void mld_shake256(uint8_t *out, size_t outlen, const uint8_t *in, size_t inlen)
   mld_shake256_squeeze(out, outlen, &state);
   mld_shake256_release(&state);
 }
+
+#endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */

mldsa/src/fips202/fips202x4.c

@@ -14,8 +14,10 @@
  */
 
 #include "../common.h"
+#if !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
 
 #include <string.h>
+#include "../ct.h"
 #include "fips202.h"
 #include "fips202x4.h"
 #include "keccakf1600.h"
@@ -163,3 +165,5 @@ void mld_shake256x4_release(mld_shake256x4ctx *state)
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(state, sizeof(mld_shake256x4ctx));
 }
+
+#endif /* !MLD_CONFIG_MULTILEVEL_NO_SHARED */

mldsa/src/packing.c

@@ -9,6 +9,13 @@
 #include "poly.h"
 #include "polyvec.h"
 
+/* Parameter set namespacing
+ * This is to facilitate building multiple instances
+ * of mldsa-native (e.g. with varying parameter sets)
+ * within a single compilation unit. */
+#define mld_unpack_hints MLD_ADD_PARAM_SET(mld_unpack_hints)
+/* End of parameter set namespacing */
+
 MLD_INTERNAL_API
 void mld_pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
                  const uint8_t rho[MLDSA_SEEDBYTES], const mld_polyveck *t1)