pq-code-package · mkannwischer · Apr 7, 2026
@@ -13,20 +13,20 @@ index be11f20..0000000 100644
 -  kOtcryptoMldsa44WorkBufferVerifyWords = 22464 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferKeypairWords = 13600 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferSignWords = 13120 / sizeof(uint32_t),
-+  kOtcryptoMldsa44WorkBufferVerifyWords = 13184 / sizeof(uint32_t),
++  kOtcryptoMldsa44WorkBufferVerifyWords = 11168 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferKeypairWords = 19744 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferSignWords = 17248 / sizeof(uint32_t),
-+  kOtcryptoMldsa65WorkBufferVerifyWords = 18368 / sizeof(uint32_t),
++  kOtcryptoMldsa65WorkBufferVerifyWords = 15328 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferKeypairWords = 25888 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferSignWords = 21344 / sizeof(uint32_t),
-+  kOtcryptoMldsa87WorkBufferVerifyWords = 24768 / sizeof(uint32_t),
++  kOtcryptoMldsa87WorkBufferVerifyWords = 19680 / sizeof(uint32_t),
  };
 
@@ -355,6 +355,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec_lazy
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_eager
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly
@@ -391,6 +394,15 @@
 #undef mld_yvec_init_eager
 #undef mld_yvec_init_lazy
 #undef mld_yvec_lazy
+#undef mld_zvec
+#undef mld_zvec_eager
+#undef mld_zvec_get_poly
+#undef mld_zvec_get_poly_eager
+#undef mld_zvec_get_poly_lazy
+#undef mld_zvec_init
+#undef mld_zvec_init_eager
+#undef mld_zvec_init_lazy
+#undef mld_zvec_lazy
 /* mldsa/src/rounding.h */
 #undef MLD_2_POW_D
 #undef MLD_ROUNDING_H

@@ -942,33 +942,33 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 48448
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 37056
 #define MLD_TOTAL_ALLOC_44_SIGN 44704
-#define MLD_TOTAL_ALLOC_44_VERIFY 25472
+#define MLD_TOTAL_ALLOC_44_VERIFY 26496
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 49408
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 74592
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 60608
 #define MLD_TOTAL_ALLOC_65_SIGN 69312
-#define MLD_TOTAL_ALLOC_65_VERIFY 42944
+#define MLD_TOTAL_ALLOC_65_VERIFY 43968
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 82176
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 115456
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 97472
 #define MLD_TOTAL_ALLOC_87_SIGN 108224
-#define MLD_TOTAL_ALLOC_87_VERIFY 73920
+#define MLD_TOTAL_ALLOC_87_VERIFY 74944
 #else /* MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM */
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 13600
-#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 16928
+#define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 16864
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 21728
 #define MLD_TOTAL_ALLOC_44_SIGN 13120
-#define MLD_TOTAL_ALLOC_44_VERIFY 13184
+#define MLD_TOTAL_ALLOC_44_VERIFY 11168
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 19744
-#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 23648
+#define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 22528
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 30944
 #define MLD_TOTAL_ALLOC_65_SIGN 17248
-#define MLD_TOTAL_ALLOC_65_VERIFY 18368
+#define MLD_TOTAL_ALLOC_65_VERIFY 15328
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 25888
-#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 32000
+#define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 28576
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 41184
 #define MLD_TOTAL_ALLOC_87_SIGN 21344
-#define MLD_TOTAL_ALLOC_87_VERIFY 24768
+#define MLD_TOTAL_ALLOC_87_VERIFY 19680
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */
 /* check-magic: on */
 

@@ -360,6 +360,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_yvec_lazy
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_eager
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly
@@ -396,6 +399,15 @@
 #undef mld_yvec_init_eager
 #undef mld_yvec_init_lazy
 #undef mld_yvec_lazy
+#undef mld_zvec
+#undef mld_zvec_eager
+#undef mld_zvec_get_poly
+#undef mld_zvec_get_poly_eager
+#undef mld_zvec_get_poly_lazy
+#undef mld_zvec_init
+#undef mld_zvec_init_eager
+#undef mld_zvec_init_lazy
+#undef mld_zvec_lazy
 /* mldsa/src/rounding.h */
 #undef MLD_2_POW_D
 #undef MLD_ROUNDING_H

@@ -73,8 +73,8 @@ void mld_polyvecl_uniform_gamma1(mld_polyvecl *v,
         */
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API) ||                                  \
-    !defined(MLD_CONFIG_NO_VERIFY_API) ||                                   \
-    (!defined(MLD_CONFIG_NO_SIGN_API) &&                                    \
+    ((!defined(MLD_CONFIG_NO_SIGN_API) ||                                   \
+      !defined(MLD_CONFIG_NO_VERIFY_API)) &&                                \
      (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)))
 MLD_INTERNAL_API
 void mld_polyvecl_ntt(mld_polyvecl *v)
@@ -95,8 +95,8 @@ void mld_polyvecl_ntt(mld_polyvecl *v)
 
   mld_assert_abs_bound_2d(v->vec, MLDSA_L, MLDSA_N, MLD_NTT_BOUND);
 }
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API || \
-          (!MLD_CONFIG_NO_SIGN_API && (!MLD_CONFIG_REDUCE_RAM ||     \
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || ((!MLD_CONFIG_NO_SIGN_API || \
+          !MLD_CONFIG_NO_VERIFY_API) && (!MLD_CONFIG_REDUCE_RAM ||   \
           MLD_UNIT_TEST)) */
 
 #if !defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
@@ -207,7 +207,9 @@ void mld_polyvecl_pointwise_acc_montgomery(mld_poly *w, const mld_polyvecl *u,
 }
 #endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
-#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_NO_VERIFY_API) || \
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) ||                                  \
+    (!defined(MLD_CONFIG_NO_VERIFY_API) &&                                  \
+     (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST))) ||        \
     defined(MLD_UNIT_TEST)
 MLD_INTERNAL_API
 uint32_t mld_polyvecl_chknorm(const mld_polyvecl *v, int32_t bound)
@@ -233,8 +235,8 @@ uint32_t mld_polyvecl_chknorm(const mld_polyvecl *v, int32_t bound)
   }
   return t;
 }
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API || \
-          MLD_UNIT_TEST */
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_VERIFY_API && \
+          (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) || MLD_UNIT_TEST */
 
 /**************************************************************/
 /************ Vectors of polynomials of length MLDSA_K **************/
@@ -633,7 +635,8 @@ void mld_polyvecl_unpack_eta(
 #endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_SIGN_API && \
           (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) */
 
-#if !defined(MLD_CONFIG_NO_VERIFY_API)
+#if !defined(MLD_CONFIG_NO_VERIFY_API) && \
+    (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST))
 MLD_INTERNAL_API
 void mld_polyvecl_unpack_z(mld_polyvecl *z,
                            const uint8_t r[MLDSA_L * MLDSA_POLYZ_PACKEDBYTES])
@@ -647,7 +650,8 @@ void mld_polyvecl_unpack_z(mld_polyvecl *z,
   mld_assert_bound_2d(z->vec, MLDSA_L, MLDSA_N, -(MLDSA_GAMMA1 - 1),
                       MLDSA_GAMMA1 + 1);
 }
-#endif /* !MLD_CONFIG_NO_VERIFY_API */
+#endif /* !MLD_CONFIG_NO_VERIFY_API && (!MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST) */
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API) ||                                  \
     (!defined(MLD_CONFIG_NO_SIGN_API) &&                                    \

@@ -55,9 +55,9 @@ __contract__(
 #endif /* !MLD_CONFIG_NO_SIGN_API && (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST) \
         */
 
-#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || \
-    !defined(MLD_CONFIG_NO_VERIFY_API) ||  \
-    (!defined(MLD_CONFIG_NO_SIGN_API) &&   \
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) ||   \
+    ((!defined(MLD_CONFIG_NO_SIGN_API) ||    \
+      !defined(MLD_CONFIG_NO_VERIFY_API)) && \
      (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)))
 #define mld_polyvecl_ntt MLD_NAMESPACE_KL(polyvecl_ntt)
 /*************************************************
@@ -76,8 +76,8 @@ __contract__(
   assigns(memory_slice(v, sizeof(mld_polyvecl)))
   ensures(forall(k1, 0, MLDSA_L, array_abs_bound(v->vec[k1].coeffs, 0, MLDSA_N, MLD_NTT_BOUND)))
 );
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API || \
-          (!MLD_CONFIG_NO_SIGN_API && (!MLD_CONFIG_REDUCE_RAM ||     \
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || ((!MLD_CONFIG_NO_SIGN_API || \
+          !MLD_CONFIG_NO_VERIFY_API) && (!MLD_CONFIG_REDUCE_RAM ||   \
           MLD_UNIT_TEST)) */
 
 #if !defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
@@ -120,7 +120,9 @@ __contract__(
 );
 #endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
-#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || \
+    (!defined(MLD_CONFIG_NO_VERIFY_API) && \
+     (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)))
 #define mld_polyvecl_chknorm MLD_NAMESPACE_KL(polyvecl_chknorm)
 /*************************************************
  * Name:        mld_polyvecl_chknorm
@@ -145,7 +147,8 @@ __contract__(
   ensures(return_value == 0 || return_value == 0xFFFFFFFF)
   ensures((return_value == 0) == forall(k1, 0, MLDSA_L, array_abs_bound(v->vec[k1].coeffs, 0, MLDSA_N, B)))
 );
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API */
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_VERIFY_API && \
+          (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) */
 
 /* Vectors of polynomials of length MLDSA_K */
 typedef struct
@@ -584,7 +587,8 @@ __contract__(
 #endif /* !MLD_CONFIG_NO_KEYPAIR_API || (!MLD_CONFIG_NO_SIGN_API && \
           (!MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST)) */
 
-#if !defined(MLD_CONFIG_NO_VERIFY_API)
+#if !defined(MLD_CONFIG_NO_VERIFY_API) && \
+    (!defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST))
 #define mld_polyvecl_unpack_z MLD_NAMESPACE_KL(polyvecl_unpack_z)
 /*************************************************
  * Name:        mld_polyvecl_unpack_z
@@ -606,7 +610,8 @@ __contract__(
   ensures(forall(k1, 0, MLDSA_L,
     array_bound(z->vec[k1].coeffs, 0, MLDSA_N, -(MLDSA_GAMMA1 - 1), MLDSA_GAMMA1 + 1)))
 );
-#endif /* !MLD_CONFIG_NO_VERIFY_API */
+#endif /* !MLD_CONFIG_NO_VERIFY_API && (!MLD_CONFIG_REDUCE_RAM || \
+          MLD_UNIT_TEST) */
 
 #if !defined(MLD_CONFIG_NO_KEYPAIR_API) || \
     (!defined(MLD_CONFIG_NO_SIGN_API) &&   \

@@ -184,6 +184,31 @@ void mld_polyvec_matrix_pointwise_montgomery_yvec_eager(mld_polyveck *w,
 }
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
+MLD_INTERNAL_API
+int mld_polyvec_matrix_pointwise_montgomery_zvec_eager(mld_polyveck *w,
+                                                       mld_polymat_eager *mat,
+                                                       mld_zvec_eager *z)
+{
+  unsigned int i;
+
+  for (i = 0; i < MLDSA_K; ++i)
+  __loop__(
+    assigns(i, memory_slice(w, sizeof(mld_polyveck)))
+    invariant(i <= MLDSA_K)
+    invariant(forall(k0, 0, i,
+                     array_abs_bound(w->vec[k0].coeffs, 0, MLDSA_N, MLDSA_Q)))
+    decreases(MLDSA_K - i)
+  )
+  {
+    mld_polyvec_matrix_pointwise_montgomery_row_eager(&w->vec[i], mat, &z->vec,
+                                                      i);
+  }
+
+  return 0;
+}
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
+
 #endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
 #if defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
@@ -195,7 +220,7 @@ void mld_polyvec_matrix_expand_lazy(mld_polymat_lazy *mat,
   mld_memcpy(mat->rho, rho, MLDSA_SEEDBYTES);
 }
 
-#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_INTERNAL_API
 void mld_polyvec_matrix_pointwise_montgomery_row_lazy(mld_poly *t_row,
                                                       mld_polymat_lazy *mat,
@@ -228,7 +253,7 @@ void mld_polyvec_matrix_pointwise_montgomery_row_lazy(mld_poly *t_row,
   /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
   mld_zeroize(seed_ext, sizeof(seed_ext));
 }
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API */
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
 #if !defined(MLD_CONFIG_NO_SIGN_API)
 MLD_INTERNAL_API
@@ -305,9 +330,80 @@ void mld_polyvec_matrix_pointwise_montgomery_yvec_lazy(mld_polyveck *w,
 }
 #endif /* !MLD_CONFIG_NO_SIGN_API */
 
+#if !defined(MLD_CONFIG_NO_VERIFY_API)
+MLD_INTERNAL_API
+int mld_polyvec_matrix_pointwise_montgomery_zvec_lazy(mld_polyveck *w,
+                                                      mld_polymat_lazy *mat,
+                                                      mld_zvec_lazy *z)
+{
+  unsigned int k, l;
+  MLD_ALIGN uint8_t seed_ext[MLD_ALIGN_UP(MLDSA_SEEDBYTES + 2)];
+
+  mld_memcpy(seed_ext, mat->rho, MLDSA_SEEDBYTES);
+
+  for (l = 0; l < MLDSA_L; l++)
+  __loop__(
+    assigns(k, l, object_whole(seed_ext),
+            memory_slice(w, sizeof(mld_polyveck)),
+            memory_slice(mat, sizeof(mld_polymat_lazy)),
+            memory_slice(&z->scratch, sizeof(mld_poly)))
+    invariant(l <= MLDSA_L)
+    invariant(l == 0 ||
+              forall(k0, 0, MLDSA_K,
+                     array_abs_bound(w->vec[k0].coeffs, 0, MLDSA_N,
+                                     (int)l * MLDSA_Q)))
+    decreases(MLDSA_L - l)
+  )
+  {
+    if (mld_zvec_get_poly_lazy(&z->scratch, z, l))
+    {
+      mld_zeroize(seed_ext, sizeof(seed_ext));
+      return MLD_ERR_FAIL;
+    }
+    for (k = 0; k < MLDSA_K; k++)
+    __loop__(
+      assigns(k, object_whole(seed_ext),
+              memory_slice(w, sizeof(mld_polyveck)),
+              memory_slice(mat, sizeof(mld_polymat_lazy)))
+      invariant(k <= MLDSA_K)
+      invariant(l != 0 ||
+                forall(k1, 0, k,
+                       array_abs_bound(w->vec[k1].coeffs, 0, MLDSA_N, MLDSA_Q)))
+      invariant(l == 0 ||
+                forall(k2, 0, k,
+                       array_abs_bound(w->vec[k2].coeffs, 0, MLDSA_N,
+                                       ((int)l + 1) * MLDSA_Q)))
+      invariant(l == 0 ||
+                forall(k3, k, MLDSA_K,
+                       array_abs_bound(w->vec[k3].coeffs, 0, MLDSA_N,
+                                       (int)l * MLDSA_Q)))
+      decreases(MLDSA_K - k)
+    )
+    {
+      if (l == 0)
+      {
+        mld_polymat_expand_entry(&w->vec[k], seed_ext, 0, (uint8_t)k);
+        mld_poly_pointwise_montgomery(&w->vec[k], &z->scratch);
+      }
+      else
+      {
+        mld_polymat_expand_entry(&mat->cur, seed_ext, (uint8_t)l, (uint8_t)k);
+        mld_poly_pointwise_montgomery(&mat->cur, &z->scratch);
+        mld_poly_add(&w->vec[k], &mat->cur);
+      }
+    }
+  }
+
+  /* @[FIPS204, Section 3.6.3] Destruction of intermediate values. */
+  mld_zeroize(seed_ext, sizeof(seed_ext));
+  mld_polyveck_reduce(w);
+  return 0;
+}
+#endif /* !MLD_CONFIG_NO_VERIFY_API */
+
 #endif /* MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
-#if !defined(MLD_CONFIG_NO_KEYPAIR_API) || !defined(MLD_CONFIG_NO_VERIFY_API)
+#if !defined(MLD_CONFIG_NO_KEYPAIR_API)
 MLD_INTERNAL_API
 void mld_polyvec_matrix_pointwise_montgomery(mld_polyveck *t, mld_polymat *mat,
                                              const mld_polyvecl *v)
@@ -329,7 +425,7 @@ void mld_polyvec_matrix_pointwise_montgomery(mld_polyveck *t, mld_polymat *mat,
     mld_polyvec_matrix_pointwise_montgomery_row(&t->vec[i], mat, v, i);
   }
 }
-#endif /* !MLD_CONFIG_NO_KEYPAIR_API || !MLD_CONFIG_NO_VERIFY_API */
+#endif /* !MLD_CONFIG_NO_KEYPAIR_API */
 
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.
  * Don't modify by hand -- this is auto-generated by scripts/autogen. */