x.crypto.mldsa: add ML-DSA signature algorithm (#26711)

* sha3: add xof support (streaming)

* x.mldsa: initial port of the golang implementation

* x.mldsa: add NIST's ACVP tests for both keygen and sigver

* x.mldsa: add roundtrip + other tests

* x.mldsa: add README

* x.mldsa: add benchmarks for sig + verif (44, 65, 87)

* x.mldsa: refactor public api to avoid orphan functions, new Kind enum

* x.mldsa: pinpoint each component to the FIPS spec algo/section/appendix

* sha3: comment on the usage of unsafe

* x.mldsa: update README with correct test file paths

* x.mldsa: format all the stuff

* x.mldsa: update README with new api

* x.mldsa: support importing raw key material

* x.mldsa: refactor benchmarks, allocate in bulk + add direct_array_access to relevant funcs

* x.mldsa: add NIST ACVP signing testing

* x.mldsa: add prehash support

* x.mldsa: refactor tests

* x.mldsa: workaround the false positive when copying fixed arrays

* x.mldsa: document panics

* x.mldsa: reformat files

* x.mldsa: move tests to vlang/slower_tests

* x.mldsa: fix markdown too long

* crypto.sha3: add documentation to all public fns

* x.mldsa: make elements type aliases public

* x.mldsa: do not use nested types

* crypto.sha3: prohibit constructing Shake directly

* x.mldsa: add tests against go's impl + roundtrip

* x.mldsa: bound rejection sampling loop in sign

* x.mldsa: add necessary functions to the public api (for testing)

Author: cestef

vlib/crypto/sha3/xof.v

@@ -0,0 +1,135 @@
+// Copyright (c) 2023 Kim Shrier. All rights reserved.
+// Use of this source code is governed by an MIT license
+// that can be found in the LICENSE file.
+
+// streaming shake-128/256 xof per FIPS 202
+// https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf
+
+module sha3
+
+@[noinit]
+pub struct Shake {
+	rate int // bytes per permutation (168 for shake-128, 136 for shake-256)
+mut:
+	s            State
+	input_buffer []u8
+	finalized    bool
+	squeeze_buf  []u8
+}
+
+// new_shake128 returns a new Shake instance for SHAKE-128 extended output function.
+pub fn new_shake128() &Shake {
+	return &Shake{
+		rate: xof_rate_128
+	}
+}
+
+// new_shake256 returns a new Shake instance for SHAKE-256 extended output function.
+pub fn new_shake256() &Shake {
+	return &Shake{
+		rate: xof_rate_256
+	}
+}
+
+// write absorbs more data into the sponge state.
+// Panics if called after `read`.
+@[direct_array_access]
+pub fn (mut s Shake) write(data []u8) {
+	if s.finalized {
+		panic('sha3: write after read on Shake')
+	}
+	if data.len == 0 {
+		return
+	}
+
+	// avoid cloning on each iteration
+	mut remaining := unsafe { data[..] }
+
+	if s.input_buffer.len != 0 {
+		empty_space := s.rate - s.input_buffer.len
+
+		if remaining.len < empty_space {
+			s.input_buffer << remaining
+			return
+		} else {
+			s.input_buffer << remaining[..empty_space]
+			remaining = unsafe { remaining[empty_space..] }
+
+			s.s.xor_bytes(s.input_buffer[..s.rate], s.rate)
+			s.s.kaccak_p_1600_24()
+
+			s.input_buffer = []u8{}
+		}
+	}
+
+	for remaining.len >= s.rate {
+		s.s.xor_bytes(remaining[..s.rate], s.rate)
+		s.s.kaccak_p_1600_24()
+		remaining = unsafe { remaining[s.rate..] }
+	}
+
+	if remaining.len > 0 {
+		s.input_buffer = remaining.clone()
+	}
+}
+
+fn (mut s Shake) finalize() {
+	if s.finalized {
+		return
+	}
+	s.finalized = true
+
+	// pad10*1 with xof domain separator 0x1f (FIPS 202 sec B.2)
+	mut padded := s.input_buffer.clone()
+	if padded.len == s.rate - 1 {
+		padded << u8(0x80 | 0x1f)
+	} else {
+		padded << u8(0x1f)
+		for padded.len < s.rate - 1 {
+			padded << u8(0x00)
+		}
+		padded << u8(0x80)
+	}
+
+	s.s.xor_bytes(padded[..s.rate], s.rate)
+	s.s.kaccak_p_1600_24()
+
+	state_bytes := s.s.to_bytes()
+	s.squeeze_buf = state_bytes[..s.rate].clone()
+	s.input_buffer = []u8{}
+}
+
+// read squeezes `out_len` bytes from the sponge state.
+// Finalizes the sponge on first call; further calls to `write` will panic.
+@[direct_array_access]
+pub fn (mut s Shake) read(out_len int) []u8 {
+	if !s.finalized {
+		s.finalize()
+	}
+
+	mut result := []u8{cap: out_len}
+	mut remaining := out_len
+
+	for remaining > 0 {
+		if s.squeeze_buf.len == 0 {
+			s.s.kaccak_p_1600_24()
+			state_bytes := s.s.to_bytes()
+			s.squeeze_buf = state_bytes[..s.rate].clone()
+		}
+
+		take := if remaining < s.squeeze_buf.len { remaining } else { s.squeeze_buf.len }
+		result << s.squeeze_buf[..take]
+		s.squeeze_buf = s.squeeze_buf[take..].clone()
+		remaining -= take
+	}
+
+	return result
+}
+
+// reset clears the sponge state, allowing the Shake instance to be reused.
+pub fn (mut s Shake) reset() {
+	s.s = State{}
+	s.input_buffer = []u8{}
+	s.finalized = false
+	s.squeeze_buf = []u8{}
+}

vlib/crypto/sha3/xof_test.v

@@ -0,0 +1,80 @@
+module sha3
+
+fn test_shake256_streaming_matches_oneshot() {
+	data := 'hello world'.bytes()
+	// oneshot
+	expected := shake256(data, 64)
+
+	// streaming
+	mut s := new_shake256()
+	s.write(data)
+	result := s.read(64)
+
+	assert result == expected, 'streaming SHAKE-256 output differs from one-shot'
+}
+
+fn test_shake128_streaming_matches_oneshot() {
+	data := 'hello world'.bytes()
+	expected := shake128(data, 64)
+
+	mut s := new_shake128()
+	s.write(data)
+	result := s.read(64)
+
+	assert result == expected, 'streaming SHAKE-128 output differs from one-shot'
+}
+
+fn test_shake256_incremental_write() {
+	data := 'the quick brown fox jumps over the lazy dog'.bytes()
+	expected := shake256(data, 128)
+
+	mut s := new_shake256()
+	s.write(data[..10])
+	s.write(data[10..25])
+	s.write(data[25..])
+	result := s.read(128)
+
+	assert result == expected, 'incremental write produced different output'
+}
+
+fn test_shake256_incremental_read() {
+	data := 'test data for incremental reads'.bytes()
+
+	// all at once
+	mut s1 := new_shake256()
+	s1.write(data)
+	all_at_once := s1.read(200)
+
+	// in chunks
+	mut s2 := new_shake256()
+	s2.write(data)
+	mut chunked := []u8{}
+	chunked << s2.read(50)
+	chunked << s2.read(80)
+	chunked << s2.read(70)
+
+	assert chunked == all_at_once, 'incremental read produced different output'
+}
+
+fn test_shake128_large_output() {
+	data := 'large output test'.bytes()
+	mut s := new_shake128()
+	s.write(data)
+	// more than one block (168 bytes in shake128)
+	result := s.read(500)
+	assert result.len == 500
+}
+
+fn test_shake_reset() {
+	data := 'reset test'.bytes()
+
+	mut s := new_shake256()
+	s.write(data)
+	first := s.read(32)
+
+	s.reset()
+	s.write(data)
+	second := s.read(32)
+
+	assert first == second, 'reset did not restore initial state'
+}

vlib/x/crypto/mldsa/LICENSE

@@ -0,0 +1,27 @@
+Copyright 2025 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vlib/x/crypto/mldsa/README.md

@@ -0,0 +1,33 @@
+# mldsa
+
+Pure V implementation of [ML-DSA](https://csrc.nist.gov/pubs/fips/204/final) (FIPS 204), a post-quantum digital signature algorithm. Supports all three parameter sets (ML-DSA-44, ML-DSA-65, ML-DSA-87).
+
+> **This is still experimental**
+> It is verified against NIST ACVP test vectors for [keygen](./nist_keygen_test.v),
+> [signing](./nist_siggen_test.v), and [verification](./nist_sigver_test.v),
+> but not yet production-ready.
+
+## Example
+
+```v
+import x.crypto.mldsa
+
+fn main() {
+	// generate a new ML-DSA-65 key pair
+	sk := mldsa.PrivateKey.generate(.ml_dsa_65)!
+	pk := sk.public_key()
+
+	// sign a message (with an optional context string)
+	msg := 'Hello ML-DSA'.bytes()
+	sig := sk.sign(msg, context: 'not-a-drill')!
+
+	// verify the signature with the same context
+	verified := pk.verify(msg, sig, context: 'not-a-drill')!
+	assert verified // true
+
+	// deterministic signing is also available
+	sig2 := sk.sign(msg, context: 'not-a-drill', deterministic: true)!
+	verified2 := pk.verify(msg, sig2, context: 'not-a-drill')!
+	assert verified2 // true
+}
+```