pq-code-package
diff --git a/‎integration/opentitan/reduce_alloc.patch‎
Lines changed: 3 additions & 3 deletions b/‎integration/opentitan/reduce_alloc.patch‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎mldsa/mldsa_native.c‎
Lines changed: 12 additions & 0 deletions b/‎mldsa/mldsa_native.c‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎mldsa/mldsa_native.h‎
Lines changed: 6 additions & 6 deletions b/‎mldsa/mldsa_native.h‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎mldsa/mldsa_native_asm.S‎
Lines changed: 12 additions & 0 deletions b/‎mldsa/mldsa_native_asm.S‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎mldsa/src/polyvec_lazy.c‎
Lines changed: 47 additions & 0 deletions b/‎mldsa/src/polyvec_lazy.c‎
Lines changed: 47 additions & 0 deletions
@@ -12,20 +12,20 @@ diff --git a/sw/device/lib/crypto/include/mldsa.h b/sw/device/lib/crypto/include
 -  kOtcryptoMldsa44WorkBufferVerifyWords = 22464 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferKeypairWords = 26912 / sizeof(uint32_t),
 +  kOtcryptoMldsa44WorkBufferSignWords = 18208 / sizeof(uint32_t),
-+  kOtcryptoMldsa44WorkBufferVerifyWords = 13216 / sizeof(uint32_t),
++  kOtcryptoMldsa44WorkBufferVerifyWords = 11200 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa65WorkBufferKeypairWords = 46304 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferSignWords = 44768 / sizeof(uint32_t),
 -  kOtcryptoMldsa65WorkBufferVerifyWords = 30720 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferKeypairWords = 37152 / sizeof(uint32_t),
 +  kOtcryptoMldsa65WorkBufferSignWords = 23360 / sizeof(uint32_t),
-+  kOtcryptoMldsa65WorkBufferVerifyWords = 18400 / sizeof(uint32_t),
++  kOtcryptoMldsa65WorkBufferVerifyWords = 15360 / sizeof(uint32_t),
 
 -  kOtcryptoMldsa87WorkBufferKeypairWords = 62688 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferSignWords = 59104 / sizeof(uint32_t),
 -  kOtcryptoMldsa87WorkBufferVerifyWords = 41216 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferKeypairWords = 49440 / sizeof(uint32_t),
 +  kOtcryptoMldsa87WorkBufferSignWords = 29504 / sizeof(uint32_t),
-+  kOtcryptoMldsa87WorkBufferVerifyWords = 24800 / sizeof(uint32_t),
++  kOtcryptoMldsa87WorkBufferVerifyWords = 19712 / sizeof(uint32_t),
  };
 
@@ -351,6 +351,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyvec_matrix_pointwise_montgomery_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_lazy
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_eager
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly
@@ -378,6 +381,15 @@
 #undef mld_unpack_sk_t0hat
 #undef mld_unpack_sk_t0hat_eager
 #undef mld_unpack_sk_t0hat_lazy
+#undef mld_zvec
+#undef mld_zvec_eager
+#undef mld_zvec_get_poly
+#undef mld_zvec_get_poly_eager
+#undef mld_zvec_get_poly_lazy
+#undef mld_zvec_init
+#undef mld_zvec_init_eager
+#undef mld_zvec_init_lazy
+#undef mld_zvec_lazy
 /* mldsa/src/rounding.h */
 #undef MLD_2_POW_D
 #undef MLD_ROUNDING_H
 
@@ -916,33 +916,33 @@ int MLD_API_NAMESPACE(pk_from_sk)(
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 52544
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 45248
 #define MLD_TOTAL_ALLOC_44_SIGN 48800
-#define MLD_TOTAL_ALLOC_44_VERIFY 38816
+#define MLD_TOTAL_ALLOC_44_VERIFY 39840
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 65792
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 79712
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 71872
 #define MLD_TOTAL_ALLOC_65_SIGN 74432
-#define MLD_TOTAL_ALLOC_65_VERIFY 62432
+#define MLD_TOTAL_ALLOC_65_VERIFY 63456
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 104704
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 122624
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 112832
 #define MLD_TOTAL_ALLOC_87_SIGN 115392
-#define MLD_TOTAL_ALLOC_87_VERIFY 99552
+#define MLD_TOTAL_ALLOC_87_VERIFY 100576
 #else /* MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM */
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_NO_PCT 26912
 #define MLD_TOTAL_ALLOC_44_KEYPAIR_PCT 26912
 #define MLD_TOTAL_ALLOC_44_PK_FROM_SK 30944
 #define MLD_TOTAL_ALLOC_44_SIGN 18208
-#define MLD_TOTAL_ALLOC_44_VERIFY 13216
+#define MLD_TOTAL_ALLOC_44_VERIFY 11200
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_NO_PCT 37152
 #define MLD_TOTAL_ALLOC_65_KEYPAIR_PCT 37152
 #define MLD_TOTAL_ALLOC_65_PK_FROM_SK 43232
 #define MLD_TOTAL_ALLOC_65_SIGN 23360
-#define MLD_TOTAL_ALLOC_65_VERIFY 18400
+#define MLD_TOTAL_ALLOC_65_VERIFY 15360
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_NO_PCT 49440
 #define MLD_TOTAL_ALLOC_87_KEYPAIR_PCT 49440
 #define MLD_TOTAL_ALLOC_87_PK_FROM_SK 57568
 #define MLD_TOTAL_ALLOC_87_SIGN 29504
-#define MLD_TOTAL_ALLOC_87_VERIFY 24800
+#define MLD_TOTAL_ALLOC_87_VERIFY 19712
 #endif /* !(MLD_API_LEGACY_CONFIG || !MLD_CONFIG_REDUCE_RAM) */
 /* check-magic: on */
 
 
@@ -355,6 +355,9 @@
 #undef mld_polyvec_matrix_pointwise_montgomery
 #undef mld_polyvec_matrix_pointwise_montgomery_eager
 #undef mld_polyvec_matrix_pointwise_montgomery_lazy
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_eager
+#undef mld_polyvec_matrix_pointwise_montgomery_zvec_lazy
 #undef mld_sk_s1hat
 #undef mld_sk_s1hat_eager
 #undef mld_sk_s1hat_get_poly
@@ -382,6 +385,15 @@
 #undef mld_unpack_sk_t0hat
 #undef mld_unpack_sk_t0hat_eager
 #undef mld_unpack_sk_t0hat_lazy
+#undef mld_zvec
+#undef mld_zvec_eager
+#undef mld_zvec_get_poly
+#undef mld_zvec_get_poly_eager
+#undef mld_zvec_get_poly_lazy
+#undef mld_zvec_init
+#undef mld_zvec_init_eager
+#undef mld_zvec_init_lazy
+#undef mld_zvec_lazy
 /* mldsa/src/rounding.h */
 #undef MLD_2_POW_D
 #undef MLD_ROUNDING_H
 
@@ -200,6 +200,19 @@ void mld_polyvec_matrix_pointwise_montgomery_eager(mld_polyveck *t,
   mld_assert_abs_bound_2d(t->vec, MLDSA_K, MLDSA_N, MLDSA_Q);
 }
 
+MLD_INTERNAL_API
+int mld_polyvec_matrix_pointwise_montgomery_zvec_eager(mld_polyveck *w,
+                                                       mld_polymat_eager *mat,
+                                                       mld_zvec_eager *z,
+                                                       mld_poly *scratch)
+{
+  /* The infinity-norm bound check on z and the NTT of z have already
+   * been performed in mld_zvec_init_eager. */
+  (void)scratch;
+  mld_polyvec_matrix_pointwise_montgomery_eager(w, mat, &z->vec);
+  return 0;
+}
+
 #endif /* !MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
 #if defined(MLD_CONFIG_REDUCE_RAM) || defined(MLD_UNIT_TEST)
@@ -232,6 +245,40 @@ void mld_polyvec_matrix_pointwise_montgomery_lazy(mld_polyveck *t,
   }
 }
 
+MLD_INTERNAL_API
+int mld_polyvec_matrix_pointwise_montgomery_zvec_lazy(mld_polyveck *w,
+                                                      mld_polymat_lazy *mat,
+                                                      mld_zvec_lazy *z,
+                                                      mld_poly *scratch)
+{
+  unsigned int k, l;
+
+  for (l = 0; l < MLDSA_L; l++)
+  {
+    /* mld_zvec_get_poly_lazy unpacks z[l], performs the per-poly
+     * infinity-norm bound check, and NTTs scratch in place. */
+    if (mld_zvec_get_poly_lazy(scratch, z, l))
+    {
+      return MLD_ERR_FAIL;
+    }
+    for (k = 0; k < MLDSA_K; k++)
+    {
+      const mld_poly *a_kl = mld_polymat_get_poly_lazy(mat, k, l);
+      if (l == 0)
+      {
+        mld_poly_pointwise_montgomery(&w->vec[k], a_kl, scratch);
+      }
+      else
+      {
+        mld_poly_pointwise_montgomery(&mat->tmp, a_kl, scratch);
+        mld_poly_add(&w->vec[k], &mat->tmp);
+      }
+    }
+  }
+  mld_polyveck_reduce(w);
+  return 0;
+}
+
 #endif /* MLD_CONFIG_REDUCE_RAM || MLD_UNIT_TEST */
 
 /* To facilitate single-compilation-unit (SCU) builds, undefine all macros.